Merge pull request #75 from DarikshaAnsari/patch-update

Changed deprecated keys and used cryptosigner

README.md

@@ -106,7 +106,7 @@ directory and perform the step.
 
 ```shell
 cd ../functionary_bob
-in-toto-run --step-name clone --use-dsse --products demo-project/foo.py --key bob -- git clone https://github.com/in-toto/demo-project.git
+in-toto-run --step-name clone --use-dsse --products demo-project/foo.py --signing-key bob -- git clone https://github.com/in-toto/demo-project.git
 ```
 
 Here is what happens behind the scenes:
@@ -124,7 +124,7 @@ So first Bob records the state of the files he will modify:
 
 ```shell
 # In functionary_bob directory
-in-toto-record start --step-name update-version --use-dsse --key bob --materials demo-project/foo.py
+in-toto-record start --step-name update-version --use-dsse --signing-key bob --materials demo-project/foo.py
 ```
 
 Then Bob uses an editor of his choice to update the version number in `demo-project/foo.py`, e.g.:
@@ -137,7 +137,7 @@ And finally he records the state of files after the modification and produces
 a link metadata file called `update-version.[Bob's keyid].link`.
 ```shell
 # In functionary_bob directory
-in-toto-record stop --step-name update-version --use-dsse --key bob --products demo-project/foo.py
+in-toto-record stop --step-name update-version --use-dsse --signing-key bob --products demo-project/foo.py
 ```
 
 Bob has done his work and can send over the sources to Carl, who will create
@@ -154,7 +154,7 @@ to change to Carl's directory and create a package of the software project
 
 ```shell
 cd ../functionary_carl
-in-toto-run --step-name package --use-dsse --materials demo-project/foo.py --products demo-project.tar.gz --key carl -- tar --exclude ".git" -zcvf demo-project.tar.gz demo-project
+in-toto-run --step-name package --use-dsse --materials demo-project/foo.py --products demo-project.tar.gz --signing-key carl -- tar --exclude ".git" -zcvf demo-project.tar.gz demo-project
 ```
 
 This will create another step link metadata file, called `package.[Carl's keyid].link`.
@@ -167,15 +167,15 @@ our software package `demo-project.tar.gz` and the related metadata files `root.
 `clone.[Bob's keyid].link`, `update-version.[Bob's keyid].link` and `package.[Carl's keyid].link`:
 ```shell
 cd ..
-cp owner_alice/root.layout functionary_bob/clone.776a00e2.link functionary_bob/update-version.776a00e2.link functionary_carl/package.2f89b927.link functionary_carl/demo-project.tar.gz final_product/
+cp owner_alice/root.layout functionary_bob/clone.210dcc50.link functionary_bob/update-version.210dcc50.link functionary_carl/package.be06db20.link functionary_carl/demo-project.tar.gz final_product/
 ```
 And now run verification on behalf of the client:
 ```shell
 cd final_product
 # Fetch Alice's public key from a trusted source to verify the layout signature
 # Note: The functionary public keys are fetched from the layout
 cp ../owner_alice/alice.pub .
-in-toto-verify --layout root.layout --layout-key alice.pub
+in-toto-verify --layout root.layout --verification-keys alice.pub
 ```
 This command will verify that
  1. the layout has not expired,
@@ -208,19 +208,19 @@ Carl thought that this is the genuine code he got from Bob and
 unwittingly packages the tampered version of foo.py
 
 ```shell
-in-toto-run --step-name package --use-dsse --materials demo-project/foo.py --products demo-project.tar.gz --key carl -- tar --exclude ".git" -zcvf demo-project.tar.gz demo-project
+in-toto-run --step-name package --use-dsse --materials demo-project/foo.py --products demo-project.tar.gz --signing-key carl -- tar --exclude ".git" -zcvf demo-project.tar.gz demo-project
 ```
 and ships everything out as final product to the client:
 ```shell
 cd ..
-cp owner_alice/root.layout functionary_bob/clone.776a00e2.link functionary_bob/update-version.776a00e2.link functionary_carl/package.2f89b927.link functionary_carl/demo-project.tar.gz final_product/
+cp owner_alice/root.layout functionary_bob/clone.210dcc50.link functionary_bob/update-version.210dcc50.link functionary_carl/package.be06db20.link functionary_carl/demo-project.tar.gz final_product/
 ```
 
 ### Verifying the malicious product
 
 ```shell
 cd final_product
-in-toto-verify --layout root.layout --layout-key alice.pub
+in-toto-verify --layout root.layout --verification-keys alice.pub
 ```
 This time, in-toto will detect that the product `foo.py` from Bob's `update-version`
 step was not used as material in Carl's `package` step (the verified hashes

owner_alice/create_layout.py

@@ -1,16 +1,19 @@
-from securesystemslib import interface
-from securesystemslib.signer import SSlibSigner
+from cryptography.hazmat.primitives.serialization import load_pem_private_key
+from securesystemslib.signer import CryptoSigner
 from in_toto.models.layout import Layout
 from in_toto.models.metadata import Envelope
-
+# https://github.com/in-toto/in-toto/issues/663
+from in_toto.models._signer import load_public_key_from_file
 def main():
   # Load Alice's private key to later sign the layout
-  key_alice = interface.import_rsa_privatekey_from_file("alice")
-  signer_alice = SSlibSigner(key_alice)
+  with open("alice", "rb") as f:
+    key_alice = load_pem_private_key(f.read(), None)
+
+  signer_alice = CryptoSigner(key_alice)
   # Fetch and load Bob's and Carl's public keys
   # to specify that they are authorized to perform certain step in the layout
-  key_bob = interface.import_rsa_publickey_from_file("../functionary_bob/bob.pub")
-  key_carl = interface.import_rsa_publickey_from_file("../functionary_carl/carl.pub")
+  key_bob  = load_public_key_from_file("../functionary_bob/bob.pub")
+  key_carl  = load_public_key_from_file("../functionary_carl/carl.pub")  
 
   layout = Layout.read({
       "_type": "layout",

requirements.txt

@@ -1 +1,2 @@
 in-toto==2.3.0
+cryptography==42.0.7

run_demo.py

@@ -33,7 +33,7 @@ def supply_chain():
                     " --verbose"
                     " --use-dsse"
                     " --step-name clone --products demo-project/foo.py"
-                    " --key bob -- git clone https://github.com/in-toto/demo-project.git")
+                    " --signing-key bob -- git clone https://github.com/in-toto/demo-project.git")
   print(clone_cmd)
   subprocess.call(shlex.split(clone_cmd))
 
@@ -43,7 +43,7 @@ def supply_chain():
                     " --verbose"
                     " --use-dsse"
                     " --step-name update-version"
-                    " --key bob"
+                    " --signing-key bob"
                     " --materials demo-project/foo.py")
 
   print(update_version_start_cmd)
@@ -58,7 +58,7 @@ def supply_chain():
                     " --verbose"
                     " --use-dsse"
                     " --step-name update-version"
-                    " --key bob"
+                    " --signing-key bob"
                     " --products demo-project/foo.py")
 
   print(update_version_stop_cmd)
@@ -73,7 +73,7 @@ def supply_chain():
                  " --use-dsse"
                  " --step-name package --materials demo-project/foo.py"
                  " --products demo-project.tar.gz"
-                 " --key carl --record-streams"
+                 " --signing-key carl --record-streams"
                  " -- tar --exclude '.git' -zcvf demo-project.tar.gz demo-project")
   print(package_cmd)
   subprocess.call(shlex.split(package_cmd))
@@ -82,9 +82,9 @@ def supply_chain():
   prompt_key("Create final product")
   os.chdir("..")
   copyfile("owner_alice/root.layout", "final_product/root.layout")
-  copyfile("functionary_bob/clone.776a00e2.link", "final_product/clone.776a00e2.link")
-  copyfile("functionary_bob/update-version.776a00e2.link", "final_product/update-version.776a00e2.link")
-  copyfile("functionary_carl/package.2f89b927.link", "final_product/package.2f89b927.link")
+  copyfile("functionary_bob/clone.210dcc50.link", "final_product/clone.210dcc50.link")
+  copyfile("functionary_bob/update-version.210dcc50.link", "final_product/update-version.210dcc50.link")
+  copyfile("functionary_carl/package.be06db20.link", "final_product/package.be06db20.link")
   copyfile("functionary_carl/demo-project.tar.gz", "final_product/demo-project.tar.gz")
 
 
@@ -94,7 +94,7 @@ def supply_chain():
   verify_cmd = ("in-toto-verify"
                 " --verbose"
                 " --layout root.layout"
-                " --layout-key alice.pub")
+                " --verification-keys alice.pub")
   print(verify_cmd)
   retval = subprocess.call(shlex.split(verify_cmd))
   print("Return value: " + str(retval))
@@ -115,7 +115,7 @@ def supply_chain():
                  " --use-dsse"
                  " --step-name package --materials demo-project/foo.py"
                  " --products demo-project.tar.gz"
-                 " --key carl --record-streams"
+                 " --signing-key carl --record-streams"
                  " -- tar --exclude '.git' -zcvf demo-project.tar.gz demo-project")
   print(package_cmd)
   subprocess.call(shlex.split(package_cmd))
@@ -124,9 +124,9 @@ def supply_chain():
   prompt_key("Create final product")
   os.chdir("..")
   copyfile("owner_alice/root.layout", "final_product/root.layout")
-  copyfile("functionary_bob/clone.776a00e2.link", "final_product/clone.776a00e2.link")
-  copyfile("functionary_bob/update-version.776a00e2.link", "final_product/update-version.776a00e2.link")
-  copyfile("functionary_carl/package.2f89b927.link", "final_product/package.2f89b927.link")
+  copyfile("functionary_bob/clone.210dcc50.link", "final_product/clone.210dcc50.link")
+  copyfile("functionary_bob/update-version.210dcc50.link", "final_product/update-version.210dcc50.link")
+  copyfile("functionary_carl/package.be06db20.link", "final_product/package.be06db20.link")
   copyfile("functionary_carl/demo-project.tar.gz", "final_product/demo-project.tar.gz")
 
 
@@ -136,7 +136,7 @@ def supply_chain():
   verify_cmd = ("in-toto-verify"
                 " --verbose"
                 " --layout root.layout"
-                " --layout-key alice.pub")
+                " --verification-keys alice.pub")
 
   print(verify_cmd)
   retval = subprocess.call(shlex.split(verify_cmd))
@@ -154,17 +154,17 @@ def main():
   if args.clean:
     files_to_delete = [
       "owner_alice/root.layout",
-      "functionary_bob/clone.776a00e2.link",
-      "functionary_bob/update-version.776a00e2.link",
+      "functionary_bob/clone.210dcc50.link",
+      "functionary_bob/update-version.210dcc50.link",
       "functionary_bob/demo-project",
-      "functionary_carl/package.2f89b927.link",
+      "functionary_carl/package.be06db20.link",
       "functionary_carl/demo-project.tar.gz",
       "functionary_carl/demo-project",
       "final_product/alice.pub",
       "final_product/demo-project.tar.gz",
-      "final_product/package.2f89b927.link",
-      "final_product/clone.776a00e2.link",
-      "final_product/update-version.776a00e2.link",
+      "final_product/package.be06db20.link",
+      "final_product/clone.210dcc50.link",
+      "final_product/update-version.210dcc50.link",
       "final_product/untar.link",
       "final_product/root.layout",
       "final_product/demo-project",

run_demo_md.py

@@ -40,35 +40,28 @@
 + python create_layout.py
 Created demo in-toto layout as "root.layout".
 + cd ../functionary_bob
-+ in-toto-run --step-name clone --use-dsse --products demo-project/foo.py --key bob -- git clone https://github.com/in-toto/demo-project.git
-'-k', '--key' is deprecated, use '--signing-key' instead.
-+ in-toto-record start --step-name update-version --use-dsse --key bob --materials demo-project/foo.py
-'-k', '--key' is deprecated, use '--signing-key' instead.
++ in-toto-run --step-name clone --use-dsse --products demo-project/foo.py --signing-key bob -- git clone https://github.com/in-toto/demo-project.git
++ in-toto-record start --step-name update-version --use-dsse --signing-key bob --materials demo-project/foo.py
 + sed -i.bak s/v0/v1/ demo-project/foo.py
 + rm demo-project/foo.py.bak
-+ in-toto-record stop --step-name update-version --use-dsse --key bob --products demo-project/foo.py
-'-k', '--key' is deprecated, use '--signing-key' instead.
++ in-toto-record stop --step-name update-version --use-dsse --signing-key bob --products demo-project/foo.py
 + cp -r demo-project ../functionary_carl/
 + cd ../functionary_carl
-+ in-toto-run --step-name package --use-dsse --materials demo-project/foo.py --products demo-project.tar.gz --key carl -- tar --exclude .git -zcvf demo-project.tar.gz demo-project
-'-k', '--key' is deprecated, use '--signing-key' instead.
++ in-toto-run --step-name package --use-dsse --materials demo-project/foo.py --products demo-project.tar.gz --signing-key carl -- tar --exclude .git -zcvf demo-project.tar.gz demo-project
 + cd ..
-+ cp owner_alice/root.layout functionary_bob/clone.776a00e2.link functionary_bob/update-version.776a00e2.link functionary_carl/package.2f89b927.link functionary_carl/demo-project.tar.gz final_product/
++ cp owner_alice/root.layout functionary_bob/clone.210dcc50.link functionary_bob/update-version.210dcc50.link functionary_carl/package.be06db20.link functionary_carl/demo-project.tar.gz final_product/
 + cd final_product
 + cp ../owner_alice/alice.pub .
-+ in-toto-verify --layout root.layout --layout-key alice.pub
-'-k', '--layout-keys' is deprecated, use '--verification-keys' instead.
++ in-toto-verify --layout root.layout --verification-keys alice.pub
 + echo 0
 0
 + cd ../functionary_carl
 + echo something evil
-+ in-toto-run --step-name package --use-dsse --materials demo-project/foo.py --products demo-project.tar.gz --key carl -- tar --exclude .git -zcvf demo-project.tar.gz demo-project
-'-k', '--key' is deprecated, use '--signing-key' instead.
++ in-toto-run --step-name package --use-dsse --materials demo-project/foo.py --products demo-project.tar.gz --signing-key carl -- tar --exclude .git -zcvf demo-project.tar.gz demo-project
 + cd ..
-+ cp owner_alice/root.layout functionary_bob/clone.776a00e2.link functionary_bob/update-version.776a00e2.link functionary_carl/package.2f89b927.link functionary_carl/demo-project.tar.gz final_product/
++ cp owner_alice/root.layout functionary_bob/clone.210dcc50.link functionary_bob/update-version.210dcc50.link functionary_carl/package.be06db20.link functionary_carl/demo-project.tar.gz final_product/
 + cd final_product
-+ in-toto-verify --layout root.layout --layout-key alice.pub
-'-k', '--layout-keys' is deprecated, use '--verification-keys' instead.
++ in-toto-verify --layout root.layout --verification-keys alice.pub
 (in-toto-verify) RuleVerificationError: 'DISALLOW *' matched the following artifacts: ['demo-project/foo.py']
 Full trace for 'expected_materials' of item 'package':
 Available materials (used for queue):