rust-tuf should not deserialize metadata until it has been verified

It's possible that a parser bug could allow for a man-in-the-middle attacker to compromise a system. None have been found so far in serde_json, but other parsers have had bugs like this, see [CVE-2017-18349](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18349). We would like to modify rust-tuf to only deserialize metadata after it has been verified, either by hash or signature.

Unfortunately, there are a few challenges here.

* [POUF-1] embeds the signatures into the role metadata.
* The TUF-1.0.5 spec itself implies that metadata is parsed before validation in sections 5.3.1 and 5.4.1 in order to verify metadata versions before signatures. In https://github.com/theupdateframework/specification/pull/112, I've proposed moving this check to after signature verification.
* rust-tuf isn't careful on when deserialization happens.

We should address these to protect ourselves from these attacks.

[POUF-1]: https://github.com/theupdateframework/taps/blob/master/POUFs/reference-POUF/pouf1.md

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

rust-tuf should not deserialize metadata until it has been verified #291

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

rust-tuf should not deserialize metadata until it has been verified #291

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions