python-tuf/tuf
Martin Vrachev a30425c20d Introduce the idea of trusted/untrusted snapshot
If you do the following steps:
1. call Updater.refresh() and load, verify and cache all metadata files
2. modify timestamp snapshot meta information:
(One or more of hashes or length for snapshot changes here)
3. call Updater.refresh() again
4. root and timestamp will be updated to their latest versions
5. local snapshot will be loaded, but hashes/length will be different
than the ones in timestamp.snapshot_meta and that will prevent loading
6. remote snapshot is loaded and verification starts
then when executing step 6 the rollback checks will not be done because
the old snapshot was not loaded on step 5.

In order to resolve this issue, we are introducing the idea of trusted and
untrusted snapshot.
Trusted snapshot is the locally available cached version. This version has
been verified at least once meaning hashes and length were already checked
against timestamp.snapshot_meta hashes and length.
That's why we can allow loading a trusted snapshot version even if there is a
mismatch between the current timestamp.snapshot_meta hashes/length and
hashes/length inside the trusted snapshot.
Untrusted snapshot is the one downloaded from the web. It hasn't been verified
before and that's why we mandate that timestamp.snapshot_meta hashes and length
should match the hashes and length calculated on this untrusted version of
snapshot.

As the TrustedMetadataSet doesn't have information about which snapshot is
trusted or not, possibly the best solution is to add a new argument "trusted"
to update_snapshot.
Even though this is ugly as the rest of the update functions don't
have such an argument, it seems the best solution as it seems to work
in all cases:
- when loading a local snapshot, we know the data has at some point been
trusted (signatures have been checked): it doesn't need to match hashes
now
- if there is no local snapshot and we're updating from remote, the
remote data must match meta hashes in timestamp
- if there is a local snapshot and we're updating from remote, the remote
data must match meta hashes in timestamp

Lastly, I want to point out that hash checks for metadata files are not
essential to TUF security guarantees: they are just an additional layer of
security that allows us to avoid even parsing JSON that could be malicious -
we already know the malicious metadata would be stopped at metadata
verification after the parsing.

Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
2021-10-13 10:40:28 +03:00
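The following is an added, self-contained model of the trusted/untrusted snapshot distinction the commit message describes; it is illustration code, not python-tuf's ngclient implementation. The names TrustedMetadataSet, update_snapshot and its "trusted" argument are taken from the commit's wording, but the metadata is a stripped-down JSON dict, SnapshotMeta/for_data/refresh/rollback_detected and the exception names are invented here, and signature verification is left out. The refresh() function replays steps 4-6 of the scenario above with constructed snapshot documents, and rollback_detected() shows why loading the cached snapshot as trusted matters: with it loaded, a remote snapshot that lowers a targets version is refused; without it, the rollback check has nothing to compare against.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import Optional


class BadHashError(Exception):
    """Untrusted snapshot bytes do not match timestamp.snapshot_meta."""


class RollbackError(Exception):
    """New snapshot would lower a version the old snapshot already pinned."""


@dataclass(frozen=True)
class SnapshotMeta:
    """The snapshot_meta entry of an already verified timestamp (hypothetical model)."""

    version: int
    length: int
    hashes: dict  # hash algorithm name -> hex digest

    @classmethod
    def for_data(cls, version: int, data: bytes) -> "SnapshotMeta":
        return cls(version, len(data), {"sha256": hashlib.sha256(data).hexdigest()})

    def verify_length_and_hashes(self, data: bytes) -> None:
        if len(data) != self.length:
            raise BadHashError(f"length {len(data)} != expected {self.length}")
        for algo, expected in self.hashes.items():
            if hashlib.new(algo, data).hexdigest() != expected:
                raise BadHashError(f"{algo} digest mismatch")


def snapshot_bytes(version: int, targets_versions: dict) -> bytes:
    """Build a constructed, minimal (unsigned) snapshot document."""
    meta = {name: {"version": v} for name, v in targets_versions.items()}
    return json.dumps({"version": version, "meta": meta}, sort_keys=True).encode()


class TrustedMetadataSet:
    """Holds the trusted timestamp's snapshot_meta and the accepted snapshot."""

    def __init__(self, snapshot_meta: SnapshotMeta):
        self.snapshot_meta = snapshot_meta
        self.snapshot: Optional[dict] = None

    def update_snapshot(self, data: bytes, trusted: bool = False) -> dict:
        # A trusted (locally cached) snapshot was hash-checked when it was first
        # accepted, so it may load even though the new timestamp pins a newer
        # version. Untrusted (remote) bytes must match before they are parsed.
        if not trusted:
            self.snapshot_meta.verify_length_and_hashes(data)
        new = json.loads(data)
        # Signature verification against root's snapshot keys is omitted here.
        if self.snapshot is not None:
            # Rollback checks compare against the previously accepted snapshot;
            # they can only run if that snapshot was actually loaded.
            if new["version"] < self.snapshot["version"]:
                raise RollbackError("snapshot version decreased")
            for name, old in self.snapshot["meta"].items():
                if name not in new["meta"]:
                    raise RollbackError(f"{name} removed from snapshot")
                if new["meta"][name]["version"] < old["version"]:
                    raise RollbackError(f"{name} version decreased")
        self.snapshot = new
        return new


def refresh(local_snapshot: Optional[bytes], remote_snapshot: bytes) -> int:
    """Replay steps 4-6 of the commit message; return the accepted snapshot version."""
    # Step 4: the freshly verified timestamp pins the remote snapshot (v2).
    tms = TrustedMetadataSet(SnapshotMeta.for_data(2, remote_snapshot))
    if local_snapshot is not None:
        tms.update_snapshot(local_snapshot, trusted=True)  # step 5: hashes differ, still loads
    tms.update_snapshot(remote_snapshot)  # step 6: must match snapshot_meta
    return tms.snapshot["version"]


def rollback_detected(load_local: bool) -> bool:
    """True if a remote snapshot that rolls targets.json back is refused."""
    local_v1 = snapshot_bytes(1, {"targets.json": 5})  # constructed cached snapshot
    remote_v2 = snapshot_bytes(2, {"targets.json": 4})  # constructed rollback attempt
    try:
        refresh(local_v1 if load_local else None, remote_v2)
    except RollbackError:
        return True
    return False


def untrusted_mismatch_rejected() -> bool:
    """True if remote bytes that do not match timestamp.snapshot_meta are refused."""
    tms = TrustedMetadataSet(SnapshotMeta.for_data(2, snapshot_bytes(2, {"targets.json": 6})))
    try:
        tms.update_snapshot(snapshot_bytes(1, {"targets.json": 5}))  # untrusted, wrong bytes
    except BadHashError:
        return True
    return False
```

The honest path, refresh(snapshot_bytes(1, {"targets.json": 5}), snapshot_bytes(2, {"targets.json": 6})), accepts version 2; rollback_detected(True) is True while rollback_detected(False) is False, which is the gap the trusted flag closes.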
api Metadata API: Stop annotating __init__() return value 2021-09-23 17:57:19 +03:00
client Add 'ecdsa' to the list of supported key types 2021-06-17 11:48:30 +03:00
ngclient Introduce the idea of trusted/untrusted snapshot 2021-10-13 10:40:28 +03:00
scripts updated docs and comments 2021-07-14 10:37:08 +03:00
__init__.py Prepare v0.18.1 2021-09-06 13:55:54 +01:00
ATTACKS.md Update links to account for repository rename 2021-09-01 11:15:33 +01:00
developer_tool.py Address Pylint new unspecified-encoding warning 2021-08-23 16:48:40 +03:00
download.py Remove future module #1297 2021-04-11 11:37:45 +02:00
exceptions.py Make SlowRetrievalError parameter optional 2021-08-27 11:54:45 +03:00
formats.py updated docs and comments 2021-07-14 10:37:08 +03:00
keydb.py Remove some uses of "global" 2021-09-17 19:15:06 +03:00
log.py Fix pylint warnings 2021-09-17 18:51:51 +03:00
mirrors.py Remove future module #1297 2021-04-11 11:37:45 +02:00
README-developer-tools.md Adopt sslib keygen interface encryption changes 2020-11-11 10:27:56 +01:00
README.md Link to CLI.md from getting started and readme docs 2018-02-06 17:00:24 -05:00
repository_lib.py Add 'ecdsa' to the list of supported key types 2021-06-17 11:48:30 +03:00
repository_tool.py Update links to account for repository rename 2021-09-01 11:15:33 +01:00
requests_fetcher.py Remove use of six 2021-04-09 14:07:44 +03:00
roledb.py Remove some uses of "global" 2021-09-17 19:15:06 +03:00
settings.py Remove future module #1297 2021-04-11 11:37:45 +02:00
sig.py Remove future module #1297 2021-04-11 11:37:45 +02:00
unittest_toolbox.py Address Pylint new unspecified-encoding warning 2021-08-23 16:48:40 +03:00