Last modified: ** 30 September 2020**
- Version: ** 1.0.9 **
+ Version: ** 1.0.10 **
We strive to make the specification easy to implement, so if you come across
any inconsistencies or experience any difficulty, do let us know by sending an
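Review bot: the "Last modified: 30 September 2020" context line is left untouched while the version line moves from 1.0.9 to 1.0.10; unless this commit actually lands on that date, bump the date in the same change so the version and the modification date do not drift apart.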
@@ -1191,19 +1191,25 @@ of the form VERSION_NUMBER.FILENAME.EXT (e.g., 42.snapshot.json), where
VERSION_NUMBER is the version number of the snapshot metadata file listed in
the timestamp metadata file.
- * ** 5.3.1** . ** Check against timestamp metadata.** The hashes and version
- number of the new snapshot metadata file MUST match the hashes, if any, and
- version number listed in the trusted timestamp metadata. If hashes and
- version do not match, discard the new snapshot metadata, abort the update
- cycle, and report the failure.
+ * ** 5.3.1** . ** Check against timestamp role's snapshot hash.** The hashes
+ of the new snapshot metadata file MUST match the hashes, if any, listed in
+ the trusted timestamp metadata. This is done, in part, to prevent a
+ mix-and-match attack by man-in-the-middle attackers. If the hashes do not
+ match, discard the new snapshot metadata, abort the update cycle, and report
+ the failure.
* ** 5.3.2** . ** Check for an arbitrary software attack.** The new snapshot
metadata file MUST have been signed by a threshold of keys specified in the
trusted root metadata file. If the new snapshot metadata file is not signed
as required, discard it, abort the update cycle, and report the signature
failure.
- * ** 5.3.3** . ** Check for a rollback attack.** The version number of the targets
+ * ** 5.3.3** . ** Check against timestamp role's snapshot version.** The version
+ number of the new snapshot metadata file MUST match the version number listed
+ in the trusted timestamp metadata. If the versions do not match, discard the
+ new snapshot metadata, abort the update cycle, and report the failure.
+
+ * ** 5.3.4** . ** Check for a rollback attack.** The version number of the targets
metadata file, and all delegated targets metadata files, if any, in the
trusted snapshot metadata file, if any, MUST be less than or equal to its
version number in the new snapshot metadata file. Furthermore, any targets
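Review bot: the new 5.3.3 moves the snapshot version comparison from 5.3.1 to after the signature check in 5.3.2 but gives no reason for the new position, so an implementer may treat the order as arbitrary and fold it back into 5.3.1; add a sentence to 5.3.3 explaining why it follows 5.3.2. Also worth stating there: 5.3.1 only compares hashes "if any" are listed in the timestamp metadata, so when the timestamp role carries no hashes, 5.3.3 is the only step that binds the downloaded snapshot to the timestamp role and must never be skipped.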
@@ -1212,13 +1218,14 @@ the timestamp metadata file.
these conditions are not met, discard the new snapshot metadata file, abort
the update cycle, and report the failure.
- * ** 5.3.4 ** . ** Check for a freeze attack.** The latest known time MUST be
+ * ** 5.3.5 ** . ** Check for a freeze attack.** The latest known time MUST be
lower than the expiration timestamp in the new snapshot metadata file. If
so, the new snapshot metadata file becomes the trusted snapshot metadata
file. If the new snapshot metadata file is expired, discard it, abort the
update cycle, and report the potential freeze attack.
- * ** 5.3.5** . ** Persist snapshot metadata.** The client MUST write the file to
+
+ * ** 5.3.6** . ** Persist snapshot metadata.** The client MUST write the file to
non-volatile storage as FILENAME.EXT (e.g. snapshot.json).
** 5.4** . ** Download the top-level targets metadata file** , up to either the
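Review bot: the empty "+" line added just before the renumbered 5.3.6 follows a paragraph break that already exists after 5.3.5, so the rendered section now has two consecutive blank lines between "report the potential freeze attack." and "5.3.6 Persist snapshot metadata"; drop the extra line so this hunk is a pure renumbering (5.3.4 to 5.3.5, 5.3.5 to 5.3.6) with no layout change.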
@@ -1231,51 +1238,56 @@ of the form VERSION_NUMBER.FILENAME.EXT (e.g., 42.targets.json), where
VERSION_NUMBER is the version number of the targets metadata file listed in the
snapshot metadata file.
- * ** 5.4.1** . ** Check against snapshot metadata .** The hashes and version
- number of the new targets metadata file MUST match the hashes, if any, and
- version number listed in the trusted snapshot metadata. This is done, in
- part, to prevent a mix-and-match attack by man-in-the-middle attackers. If
- the new targets metadata file does not match, discard it , abort the update
- cycle, and report the failure.
+ * ** 5.4.1** . ** Check against snapshot role's targets hash .** The hashes
+ of the new targets metadata file MUST match the hashes, if any, listed in the
+ trusted snapshot metadata. This is done, in part, to prevent a mix-and-match
+ attack by man-in-the-middle attackers. If the new targets metadata file does
+ not match, discard the new target metadata , abort the update cycle, and
+ report the failure.
* ** 5.4.2** . ** Check for an arbitrary software attack.** The new targets
metadata file MUST have been signed by a threshold of keys specified in the
trusted root metadata file. If the new targets metadata file is not signed
as required, discard it, abort the update cycle, and report the failure.
- * ** 5.4.3** . ** Check for a freeze attack.** The latest known time MUST be
+ * ** 5.4.3** . ** Check against snapshot role's targets version.** The version
+ number of the new targets metadata file MUST match the version number listed
+ in the trusted snapshot metadata. If the versions do not match, discard it,
+ abort the update cycle, and report the failure.
+
+ * ** 5.4.4** . ** Check for a freeze attack.** The latest known time MUST be
lower than the expiration timestamp in the new targets metadata file. If so,
the new targets metadata file becomes the trusted targets metadata file. If
the new targets metadata file is expired, discard it, abort the update cycle,
and report the potential freeze attack.
- * ** 5.4.4 ** . ** Persist targets metadata.** The client MUST write the file to
+ * ** 5.4.5 ** . ** Persist targets metadata.** The client MUST write the file to
non-volatile storage as FILENAME.EXT (e.g. targets.json).
- * ** 5.4.5 ** . ** Perform a pre-order depth-first search for metadata about the
+ * ** 5.4.6 ** . ** Perform a pre-order depth-first search for metadata about the
desired target, beginning with the top-level targets role.** Note: If
- any metadata requested in steps 5.4.5 .1 - 5.4.5 .2 cannot be downloaded nor
+ any metadata requested in steps 5.4.6 .1 - 5.4.6 .2 cannot be downloaded nor
validated, end the search and report that the target cannot be found.
- * ** 5.4.5 .1** . If this role has been visited before, then skip this role
+ * ** 5.4.6 .1** . If this role has been visited before, then skip this role
(so that cycles in the delegation graph are avoided). Otherwise, if an
application-specific maximum number of roles have been visited, then go to
step 5.5 (so that attackers cannot cause the client to waste excessive
bandwidth or time). Otherwise, if this role contains metadata about the
desired target, then go to step 5.5.
- * ** 5.4.5 .2** . Otherwise, recursively search the list of delegations in
+ * ** 5.4.6 .2** . Otherwise, recursively search the list of delegations in
order of appearance.
- * ** 5.4.5 .2.1** . If the current delegation is a multi-role delegation,
+ * ** 5.4.6 .2.1** . If the current delegation is a multi-role delegation,
recursively visit each role, and check that each has signed exactly the
same non-custom metadata (i.e., length and hashes) about the target (or
the lack of any such metadata).
- * ** 5.4.5 .2.2** . If the current delegation is a terminating delegation,
+ * ** 5.4.6 .2.2** . If the current delegation is a terminating delegation,
then jump to step 5.5.
- * ** 5.4.5 .2.3** . Otherwise, if the current delegation is a
+ * ** 5.4.6 .2.3** . Otherwise, if the current delegation is a
non-terminating delegation, continue processing the next delegation, if
any. Stop the search, and jump to step 5.5 as soon as a delegation
returns a result.
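Review bot: the rewritten 5.4.1 ends with "discard the new target metadata" (singular), while every other step in this hunk and the parallel snapshot step 5.3.1 say "targets metadata"; change it to "discard the new targets metadata" or simply "discard it", matching 5.4.2 and 5.4.3. The same documentation gap as in the snapshot split applies here: 5.4.3 moves the version comparison after the signature check in 5.4.2 without saying why, so add a one-line rationale so implementers preserve the order, and note that because 5.4.1 compares hashes only "if any" are listed, 5.4.3 is the check that always binds the downloaded targets file to the snapshot role.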