This adds the data formats and hash requirements for
snapshot merkle trees used in the reference implementation.
Signed-off-by: Marina Moore <[email protected]>
POUFs/reference-POUF/pouf1.md: 21 additions & 0 deletions
@@ -22,6 +22,8 @@ This POUF uses a subset of the JSON object format, with floating-point numbers o
22
22
23
23
In this POUF, metadata files are hosted on the repository using HTTP. The filenames for these files are ROLE.json where ROLE is the associated role name (root, targets, snapshot, or timestamp). A client downloads these files by HTTP post request. The location of the repository is preloaded onto the clients.
24
24
25
+
Snapshot Merkle trees in this implementation will use sha256 to compute the hash of each node.
26
+
25
27
## Message Handler Table
26
28
27
29
This table lists the message handlers supported by the reference implementation.
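Review bot: the added sentence on sha256 fixes the hash function but not the hash input, so two implementations can compute different roots for the same tree. Please specify which bytes are hashed for a leaf (for example, the canonical JSON encoding of the leaf contents) and for an internal node (the order in which the two child hashes are combined, and whether they are combined as raw digests or as hexdigests). It would also help to say whether leaf and internal-node hashes are domain-separated, for example with a distinct prefix byte, so that an internal node's input cannot be presented as a leaf.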
@@ -336,6 +338,7 @@ The timestamp file is signed by a timestamp key. It indicates the
336
338
"spec_version" : SPEC_VERSION,
337
339
"version" : VERSION,
338
340
"expires" : EXPIRES,
341
+
("merkle_root": ROOT_HASH),
339
342
"meta" : METAFILES
340
343
}
341
344
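Review bot: in the timestamp format, the added line `("merkle_root": ROOT_HASH),` uses parentheses that this hunk does not explain. If they mark the field as optional, say so explicitly and state when the field is present. Because the timestamp file is the signed place where the root is carried, the text should also say what a client does when it expects a snapshot Merkle tree and `merkle_root` is absent, so that a missing field cannot be treated as a passed check.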
@@ -361,6 +364,8 @@ The timestamp file is signed by a timestamp key. It indicates the
361
364
HASH is the hexdigest of the cryptographic function computed on the
362
365
snapshot.json metadata file.
363
366
367
+
ROOT_HASH is the hash of the Merkle tree's root node.
368
+
364
369
### mirrors.json
365
370
The mirrors.json file is signed by the mirrors role. It indicates which
366
371
mirrors are active and believed to be mirroring specific parts of the
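Review bot: the new ROOT_HASH definition omits the algorithm and the encoding, while the HASH definition directly above it says "hexdigest". Suggest matching that wording, for example "ROOT_HASH is the hexdigest of the sha256 hash of the snapshot Merkle tree's root node", so that clients compare the recomputed root against the field in the same representation.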
@@ -401,6 +406,22 @@ This behavior can be modified by the client code that uses the framework to,
401
406
for example, randomly select from the listed mirrors.
402
407
403
408
409
+
### Snapshot Merkle metadata
410
+
411
+
Snapsot Merkle metadata is not signed. It lists version information for a metadata file, and a path through the Merkle tree to verify this information.
412
+
413
+
```
414
+
{ “leaf_contents”: {METAFILES},
415
+
“merkle_path”: {INDEX:HASH}
416
+
“path_directions”:{INDEX:DIR}
417
+
}
418
+
```
419
+
420
+
Where `METAFILES` is the version information as defined for snapshot metadata,
421
+
`INDEX` provides the ordering of nodes, `HASH` is the sha256 hash of the sibling node,
422
+
and `DIR` is a `1` or `0` that indicates whether the given node is a left or right sibling.
423
+
424
+
404
425
# Security Audit
405
426
This profile was included in TUF security audits available at https://theupdateframework.github.io/audits.html.
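Review bot: in the new "Snapshot Merkle metadata" section, `DIR` is described as "a `1` or `0` that indicates whether the given node is a left or right sibling" without saying which value means left. A verifier has to know this to concatenate the hashes in the right order, so please state the mapping, and also say in which direction `INDEX` orders the path (leaf to root or root to leaf). Since this metadata is not signed, the section should state that the client recomputes the root from `leaf_contents` and `merkle_path` and compares it to `merkle_root` in the signed timestamp metadata. Smaller points in the same hunk: "Snapsot" should be "Snapshot", the example uses curly quotes (“ ”) instead of straight JSON quotes, and there is no comma after the `merkle_path` entry.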