Create private keys with file permissions 0o600

Update generate_and_write_{rsa, ed25519, ecdsa}_keypair functions to create private keys with read and write permissions for the user only (0o600). Update util.persist_temp_file() with an optional permissions parameter. Signed-off-by: Teodora Sechkova <[email protected]>
secure-systems-lab · Jun 5, 2020 · 2795301 · 2795301
1 parent fd6a451
commit 2795301
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 5 deletions.
diff --git a/securesystemslib/interface.py b/securesystemslib/interface.py
@@ -69,6 +69,8 @@
 # Supported key types.
 SUPPORTED_KEY_TYPES = ['rsa', 'ed25519']
 
+# Private keys are created with read and write permissions for the user only
+PRIVATE_KEY_MODE = 0o600
 
 
 def _prompt(message, result_type=str):
@@ -235,7 +237,8 @@ def generate_and_write_rsa_keypair(filepath=None, bits=DEFAULT_RSA_KEY_BITS,
   # extension.
   file_object = tempfile.TemporaryFile()
   file_object.write(private.encode('utf-8'))
-  securesystemslib.util.persist_temp_file(file_object, filepath)
+  securesystemslib.util.persist_temp_file(file_object, filepath,
+      permissions=PRIVATE_KEY_MODE)
 
   return filepath
 
@@ -548,7 +551,8 @@ def generate_and_write_ed25519_keypair(filepath=None, password=None):
   # Raise 'securesystemslib.exceptions.CryptoError' if 'ed25519_key' cannot be
   # encrypted.
   file_object.write(ed25519_key.encode('utf-8'))
-  securesystemslib.util.persist_temp_file(file_object, filepath)
+  securesystemslib.util.persist_temp_file(file_object, filepath,
+      permissions=PRIVATE_KEY_MODE)
 
   return filepath
 
@@ -803,7 +807,8 @@ def generate_and_write_ecdsa_keypair(filepath=None, password=None):
   # encrypted.
   encrypted_key = securesystemslib.keys.encrypt_key(ecdsa_key, password)
   file_object.write(encrypted_key.encode('utf-8'))
-  securesystemslib.util.persist_temp_file(file_object, filepath)
+  securesystemslib.util.persist_temp_file(file_object, filepath,
+      permissions=PRIVATE_KEY_MODE)
 
   return filepath
 

diff --git a/securesystemslib/util.py b/securesystemslib/util.py
@@ -103,7 +103,7 @@ def get_file_details(filepath, hash_algorithms=['sha256'],
 
 
 def persist_temp_file(temp_file, persist_path, storage_backend=None,
-    should_close=True):
+    should_close=True, permissions=None):
   """
   <Purpose>
     Copies 'temp_file' (a file like object) to a newly created non-temp file at
@@ -126,6 +126,10 @@ def persist_temp_file(temp_file, persist_path, storage_backend=None,
       A boolean indicating whether the file should be closed after it has been
       persisted. Default is True, the file is closed.
 
+    permissions:
+      Custom file permissions for the newly created file. If None, the default
+      OS permissions apply.
+
   <Exceptions>
     None.
 
@@ -136,7 +140,7 @@ def persist_temp_file(temp_file, persist_path, storage_backend=None,
   if storage_backend is None:
     storage_backend = securesystemslib.storage.FilesystemBackend()
 
-  storage_backend.put(temp_file, persist_path)
+  storage_backend.put(temp_file, persist_path, permissions)
 
   if should_close:
     temp_file.close()