diff --git a/cmd/notary/cert.go b/cmd/notary/cert.go
index e941dd4249..95ae44e03a 100644
--- a/cmd/notary/cert.go
+++ b/cmd/notary/cert.go
@@ -55,7 +55,7 @@ func certRemove(cmd *cobra.Command, args []string) {
 	}
 	parseConfig()
-	trustDir := mainViper.GetString("trustDir")
+	trustDir := mainViper.GetString("trust_dir")
 	keysPath := filepath.Join(trustDir, notary.PrivDir)
 	fileKeyStore, err := trustmanager.NewKeyFileStore(keysPath, retriever)
 	if err != nil {
@@ -124,7 +124,7 @@ func certList(cmd *cobra.Command, args []string) {
 	}
 	parseConfig()
-	trustDir := mainViper.GetString("trustDir")
+	trustDir := mainViper.GetString("trust_dir")
 	keysPath := filepath.Join(trustDir, notary.PrivDir)
 	fileKeyStore, err := trustmanager.NewKeyFileStore(keysPath, retriever)
 	if err != nil {
diff --git a/cmd/notary/integration_test.go b/cmd/notary/integration_test.go
index f2c0c09e27..ce3166c561 100644
--- a/cmd/notary/integration_test.go
+++ b/cmd/notary/integration_test.go
@@ -25,23 +25,31 @@ import (
 	"github.com/docker/notary/trustmanager"
 	"github.com/docker/notary/tuf/data"
 	"github.com/spf13/cobra"
+	"github.com/spf13/viper"
 	"github.com/stretchr/testify/assert"
 	"golang.org/x/net/context"
 )
-var cmd = &cobra.Command{}
 var testPassphrase = "passphrase"
 // run a command and return the output as a string
 func runCommand(t *testing.T, tempDir string, args ...string) (string, error) {
-	b := new(bytes.Buffer)
-	cmd.SetArgs(append([]string{"-c", "/tmp/ignore.json", "-d", tempDir}, args...))
-	cmd.SetOutput(b)
-	t.Logf("Running `notary %s`", strings.Join(args, " "))
+	// Using a new viper and Command so we don't have state between command invocations
+	mainViper = viper.New()
+	cmd := &cobra.Command{}
+	setupCommand(cmd)
+	b := new(bytes.Buffer)
+
+	// Create an empty config file so we don't load the default on ~/.notary/config.json
+	configFile := filepath.Join(tempDir, "config.json")
+
+	cmd.SetArgs(append([]string{"-c", configFile, "-d", tempDir}, args...))
+	cmd.SetOutput(b)
 	retErr := cmd.Execute()
 	output, err := ioutil.ReadAll(b)
 	assert.NoError(t, err)
+
 	return string(output), retErr
 }
@@ -71,8 +79,7 @@ func TestClientTufInteraction(t *testing.T) {
 	cleanup := setUp(t)
 	defer cleanup()
-	tempDir, err := ioutil.TempDir("/tmp", "repo")
-	assert.NoError(t, err)
+	tempDir := tempDirWithConfig(t, "{}")
 	defer os.RemoveAll(tempDir)
 	server := setupServer()
@@ -122,7 +129,7 @@ func TestClientTufInteraction(t *testing.T) {
 	assert.True(t, strings.Contains(string(output), target))
 	// verify repo - empty file
-	output, err = runCommand(t, tempDir, "verify", "gun", target)
+	output, err = runCommand(t, tempDir, "-s", server.URL, "verify", "gun", target)
 	assert.NoError(t, err)
 	// remove target
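Review bot: The comment `// Create an empty config file so we don't load the default on ~/.notary/config.json` above `configFile := filepath.Join(tempDir, "config.json")` no longer describes the code: that line only builds a path, and nothing in runCommand writes the file, so a caller that has not pre-populated tempDir passes `-c` for a missing file, which the new parseConfig in this commit treats as fatal. The file is written by the tempDirWithConfig helper added later in this file; reword to `// Point -c at the config.json written by tempDirWithConfig so the default ~/.notary/config.json is never loaded`. Dropping `t.Logf("Running ...")` also removes the only record of which command each assertion exercised; keeping it after `cmd.SetArgs(...)` costs nothing in the test output.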
@@ -224,8 +231,7 @@ func TestClientKeyGenerationRotation(t *testing.T) {
 	cleanup := setUp(t)
 	defer cleanup()
-	tempDir, err := ioutil.TempDir("/tmp", "repo")
-	assert.NoError(t, err)
+	tempDir := tempDirWithConfig(t, "{}")
 	defer os.RemoveAll(tempDir)
 	tempfiles := make([]string, 2)
@@ -248,7 +254,7 @@ func TestClientKeyGenerationRotation(t *testing.T) {
 	assertNumKeys(t, tempDir, 0, 0, true)
 	// generate root key produces a single root key and no other keys
-	_, err = runCommand(t, tempDir, "key", "generate", data.ECDSAKey)
+	_, err := runCommand(t, tempDir, "key", "generate", data.ECDSAKey)
 	assert.NoError(t, err)
 	assertNumKeys(t, tempDir, 1, 0, true)
@@ -305,8 +311,7 @@ func TestClientKeyImportExportRootAndSigning(t *testing.T) {
 	dirs := make([]string, 3)
 	for i := 0; i < 3; i++ {
-		tempDir, err := ioutil.TempDir("/tmp", "repo")
-		assert.NoError(t, err)
+		tempDir := tempDirWithConfig(t, "{}")
 		defer os.RemoveAll(tempDir)
 		dirs[i] = tempDir
 	}
@@ -381,12 +386,11 @@ func TestClientKeyImportExportRootAndSigning(t *testing.T) {
 // Generate a root key and export the root key only.  Return the key ID
 // exported.
 func exportRoot(t *testing.T, exportTo string) string {
-	tempDir, err := ioutil.TempDir("/tmp", "repo")
-	assert.NoError(t, err)
+	tempDir := tempDirWithConfig(t, "{}")
 	defer os.RemoveAll(tempDir)
 	// generate root key produces a single root key and no other keys
-	_, err = runCommand(t, tempDir, "key", "generate", data.ECDSAKey)
+	_, err := runCommand(t, tempDir, "key", "generate", data.ECDSAKey)
 	assert.NoError(t, err)
 	oldRoot, _ := assertNumKeys(t, tempDir, 1, 0, true)
@@ -410,8 +414,7 @@ func TestClientKeyImportExportRootOnly(t *testing.T) {
 	cleanup := setUp(t)
 	defer cleanup()
-	tempDir, err := ioutil.TempDir("/tmp", "repo")
-	assert.NoError(t, err)
+	tempDir := tempDirWithConfig(t, "{}")
 	defer os.RemoveAll(tempDir)
 	server := setupServer()
@@ -481,15 +484,14 @@ func TestClientCertInteraction(t *testing.T) {
 	cleanup := setUp(t)
 	defer cleanup()
-	tempDir, err := ioutil.TempDir("/tmp", "repo")
-	assert.NoError(t, err)
+	tempDir := tempDirWithConfig(t, "{}")
 	defer os.RemoveAll(tempDir)
 	server := setupServer()
 	defer server.Close()
 	// -- tests --
-	_, err = runCommand(t, tempDir, "-s", server.URL, "init", "gun1")
+	_, err := runCommand(t, tempDir, "-s", server.URL, "init", "gun1")
 	assert.NoError(t, err)
 	_, err = runCommand(t, tempDir, "-s", server.URL, "init", "gun2")
 	assert.NoError(t, err)
@@ -516,8 +518,7 @@ func TestDefaultRootKeyGeneration(t *testing.T) {
 	cleanup := setUp(t)
 	defer cleanup()
-	tempDir, err := ioutil.TempDir("/tmp", "repo")
-	assert.NoError(t, err)
+	tempDir := tempDirWithConfig(t, "{}")
 	defer os.RemoveAll(tempDir)
 	// -- tests --
@@ -526,16 +527,23 @@ func TestDefaultRootKeyGeneration(t *testing.T) {
 	assertNumKeys(t, tempDir, 0, 0, true)
 	// generate root key with no algorithm produces a single ECDSA root key and no other keys
-	_, err = runCommand(t, tempDir, "key", "generate")
+	_, err := runCommand(t, tempDir, "key", "generate")
 	assert.NoError(t, err)
 	assertNumKeys(t, tempDir, 1, 0, true)
 }
+func tempDirWithConfig(t *testing.T, config string) string {
+	tempDir, err := ioutil.TempDir("/tmp", "repo")
+	assert.NoError(t, err)
+	err = ioutil.WriteFile(filepath.Join(tempDir, "config.json"), []byte(config), 0644)
+	assert.NoError(t, err)
+	return tempDir
+}
+
 func TestMain(m *testing.M) {
 	if testing.Short() {
 		// skip
 		os.Exit(0)
 	}
-	setupCommand(cmd)
 	os.Exit(m.Run())
 }
diff --git a/cmd/notary/keys.go b/cmd/notary/keys.go
index b8e179c180..8e014c52f5 100644
--- a/cmd/notary/keys.go
+++ b/cmd/notary/keys.go
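Review bot: `tempDirWithConfig` keeps going after `assert.NoError(t, err)` when `ioutil.TempDir` fails, because testify's assert only marks the test failed; `tempDir` is then `""` and `ioutil.WriteFile(filepath.Join(tempDir, "config.json"), ...)` writes a `config.json` into the package's working directory before the helper returns a path every caller then deletes with `os.RemoveAll`. Make the helper abort instead: `if err != nil { t.Fatalf("creating temp dir: %v", err) }`, and the same for the WriteFile error. `ioutil.TempDir("/tmp", "repo")` also hard-codes the directory; `ioutil.TempDir("", "repo")` uses the platform temp dir and honours TMPDIR.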
@@ -97,7 +97,7 @@ func keysList(cmd *cobra.Command, args []string) {
 	parseConfig()
-	stores := getKeyStores(cmd, mainViper.GetString("trustDir"), retriever, true)
+	stores := getKeyStores(cmd, mainViper.GetString("trust_dir"), retriever, true)
 	keys := make(map[trustmanager.KeyStore]map[string]string)
 	for _, store := range stores {
@@ -137,6 +137,11 @@ func keysList(cmd *cobra.Command, args []string) {
 }
 func keysGenerateRootKey(cmd *cobra.Command, args []string) {
+	if len(args) > 1 {
+		cmd.Usage()
+		fatalf("Please provide only one Algorithm as an argument to generate (rsa, ecdsa)")
+	}
+
 	parseConfig()
 	// If no param is given to generate, generates an ecdsa key by default
@@ -160,7 +165,7 @@ func keysGenerateRootKey(cmd *cobra.Command, args []string) {
 	cs := cryptoservice.NewCryptoService(
 		"",
-		getKeyStores(cmd, mainViper.GetString("trustDir"), retriever, true)...,
+		getKeyStores(cmd, mainViper.GetString("trust_dir"), retriever, true)...,
 	)
 	pubKey, err := cs.Create(data.CanonicalRootRole, algorithm)
@@ -183,7 +188,7 @@ func keysExport(cmd *cobra.Command, args []string) {
 	cs := cryptoservice.NewCryptoService(
 		"",
-		getKeyStores(cmd, mainViper.GetString("trustDir"), retriever, true)...,
+		getKeyStores(cmd, mainViper.GetString("trust_dir"), retriever, true)...,
 	)
 	exportFile, err := os.Create(exportFilename)
@@ -228,7 +233,7 @@ func keysExportRoot(cmd *cobra.Command, args []string) {
 	cs := cryptoservice.NewCryptoService(
 		"",
-		getKeyStores(cmd, mainViper.GetString("trustDir"), retriever, true)...,
+		getKeyStores(cmd, mainViper.GetString("trust_dir"), retriever, true)...,
 	)
 	exportFile, err := os.Create(exportFilename)
@@ -263,7 +268,7 @@ func keysImport(cmd *cobra.Command, args []string) {
 	cs := cryptoservice.NewCryptoService(
 		"",
-		getKeyStores(cmd, mainViper.GetString("trustDir"), retriever, true)...,
+		getKeyStores(cmd, mainViper.GetString("trust_dir"), retriever, true)...,
 	)
 	zipReader, err := zip.OpenReader(importFilename)
@@ -290,7 +295,7 @@ func keysImportRoot(cmd *cobra.Command, args []string) {
 	cs := cryptoservice.NewCryptoService(
 		"",
-		getKeyStores(cmd, mainViper.GetString("trustDir"), retriever, true)...,
+		getKeyStores(cmd, mainViper.GetString("trust_dir"), retriever, true)...,
 	)
 	importFilename := args[0]
@@ -322,7 +327,7 @@ func keysRotate(cmd *cobra.Command, args []string) {
 	parseConfig()
 	gun := args[0]
-	nRepo, err := notaryclient.NewNotaryRepository(mainViper.GetString("trustDir"), gun, remoteTrustServer, nil, retriever)
+	nRepo, err := notaryclient.NewNotaryRepository(mainViper.GetString("trust_dir"), gun, remoteTrustServer, nil, retriever)
 	if err != nil {
 		fatalf(err.Error())
 	}
diff --git a/cmd/notary/main.go b/cmd/notary/main.go
index c01fb0cae5..805ef928eb 100644
--- a/cmd/notary/main.go
+++ b/cmd/notary/main.go
@@ -53,7 +53,7 @@ func parseConfig() {
 	}
 	// By default our trust directory (where keys are stored) is in ~/.notary/
-	mainViper.SetDefault("trustDir", filepath.Join(homeDir, filepath.Dir(configDir)))
+	mainViper.SetDefault("trust_dir", filepath.Join(homeDir, filepath.Dir(configDir)))
 	// If there was a commandline configFile set, we parse that.
 	// If there wasn't we attempt to find it on the default location ~/.notary/config
@@ -73,26 +73,27 @@ func parseConfig() {
 	// Find and read the config file
 	err = mainViper.ReadInConfig()
 	if err != nil {
-		logrus.Debugf("configuration file not found, using defaults")
-		// Ignore if the configuration file doesn't exist, we can use the defaults
-		if !os.IsNotExist(err) {
-			fatalf("Fatal error config file: %v", err)
+		logrus.Debugf("Configuration file not found, using defaults")
+		// If we were passed in a configFile via -c, bail if it doesn't exist,
+		// otherwise ignore it: we can use the defaults
+		if configFile != "" || !os.IsNotExist(err) {
+			fatalf("error opening config file %v", err)
 		}
 	}
 	// At this point we either have the default value or the one set by the config.
 	// Either way, the command-line flag has precedence and overwrives the value
 	if trustDir != "" {
-		mainViper.Set("trustDir", trustDir)
+		mainViper.Set("trust_dir", trustDir)
 	}
 	// Expands all the possible ~/ that have been given, either through -d or config
 	// If there is no error, user it, if not, attempt to use whatever the user gave us
-	expandedTrustDir, err := homedir.Expand(mainViper.GetString("trustDir"))
+	expandedTrustDir, err := homedir.Expand(mainViper.GetString("trust_dir"))
 	if err == nil {
-		mainViper.Set("trustDir", expandedTrustDir)
+		mainViper.Set("trust_dir", expandedTrustDir)
 	}
-	logrus.Debugf("using the following trust directory: %s", mainViper.GetString("trustDir"))
+	logrus.Debugf("Using the following trust directory: %s", mainViper.GetString("trust_dir"))
 }
 func setupCommand(notaryCmd *cobra.Command) {
diff --git a/cmd/notary/tuf.go b/cmd/notary/tuf.go
index 299bb18f77..f311c2b565 100644
--- a/cmd/notary/tuf.go
+++ b/cmd/notary/tuf.go
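Review bot: `logrus.Debugf("Configuration file not found, using defaults")` is now emitted before the `configFile != "" || !os.IsNotExist(err)` check, so when `-c` names a missing or unreadable file the log claims defaults are in use immediately before `fatalf` aborts the process. Move the Debugf after the check, into the non-fatal path: `if configFile != "" || !os.IsNotExist(err) { fatalf("error opening config file %v", err) }` followed by `logrus.Debugf("Configuration file not found, using defaults")`. Whether `ReadInConfig` reports a missing default file as an error that `os.IsNotExist` recognises depends on the viper version vendored here and is worth confirming, since a wrapped error would make every run without a config fatal. Renaming the key from `trustDir` to `trust_dir` (here and in the other files of this commit) also changes what existing config files must contain; a fallback that reads the old key when `trust_dir` is unset, or a changelog line, would keep existing configs working.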
@@ -94,7 +94,7 @@ func tufAdd(cmd *cobra.Command, args []string) {
 	// no online operations are performed by add so the transport argument
 	// should be nil
-	nRepo, err := notaryclient.NewNotaryRepository(mainViper.GetString("trustDir"), gun, getRemoteTrustServer(), nil, retriever)
+	nRepo, err := notaryclient.NewNotaryRepository(mainViper.GetString("trust_dir"), gun, getRemoteTrustServer(), nil, retriever)
 	if err != nil {
 		fatalf(err.Error())
 	}
@@ -121,7 +121,7 @@ func tufInit(cmd *cobra.Command, args []string) {
 	parseConfig()
 	gun := args[0]
-	nRepo, err := notaryclient.NewNotaryRepository(mainViper.GetString("trustDir"), gun, getRemoteTrustServer(), getTransport(gun, false), retriever)
+	nRepo, err := notaryclient.NewNotaryRepository(mainViper.GetString("trust_dir"), gun, getRemoteTrustServer(), getTransport(gun, false), retriever)
 	if err != nil {
 		fatalf(err.Error())
 	}
@@ -157,7 +157,7 @@ func tufList(cmd *cobra.Command, args []string) {
 	parseConfig()
 	gun := args[0]
-	nRepo, err := notaryclient.NewNotaryRepository(mainViper.GetString("trustDir"), gun, getRemoteTrustServer(), getTransport(gun, true), retriever)
+	nRepo, err := notaryclient.NewNotaryRepository(mainViper.GetString("trust_dir"), gun, getRemoteTrustServer(), getTransport(gun, true), retriever)
 	if err != nil {
 		fatalf(err.Error())
 	}
@@ -184,7 +184,7 @@ func tufLookup(cmd *cobra.Command, args []string) {
 	gun := args[0]
 	targetName := args[1]
-	nRepo, err := notaryclient.NewNotaryRepository(mainViper.GetString("trustDir"), gun, getRemoteTrustServer(), getTransport(gun, true), retriever)
+	nRepo, err := notaryclient.NewNotaryRepository(mainViper.GetString("trust_dir"), gun, getRemoteTrustServer(), getTransport(gun, true), retriever)
 	if err != nil {
 		fatalf(err.Error())
 	}
@@ -206,7 +206,7 @@ func tufStatus(cmd *cobra.Command, args []string) {
 	parseConfig()
 	gun := args[0]
-	nRepo, err := notaryclient.NewNotaryRepository(mainViper.GetString("trustDir"), gun, getRemoteTrustServer(), nil, retriever)
+	nRepo, err := notaryclient.NewNotaryRepository(mainViper.GetString("trust_dir"), gun, getRemoteTrustServer(), nil, retriever)
 	if err != nil {
 		fatalf(err.Error())
 	}
@@ -240,7 +240,7 @@ func tufPublish(cmd *cobra.Command, args []string) {
 	cmd.Println("Pushing changes to", gun)
-	nRepo, err := notaryclient.NewNotaryRepository(mainViper.GetString("trustDir"), gun, getRemoteTrustServer(), getTransport(gun, false), retriever)
+	nRepo, err := notaryclient.NewNotaryRepository(mainViper.GetString("trust_dir"), gun, getRemoteTrustServer(), getTransport(gun, false), retriever)
 	if err != nil {
 		fatalf(err.Error())
 	}
@@ -263,7 +263,7 @@ func tufRemove(cmd *cobra.Command, args []string) {
 	// no online operation are performed by remove so the transport argument
 	// should be nil.
-	repo, err := notaryclient.NewNotaryRepository(mainViper.GetString("trustDir"), gun, getRemoteTrustServer(), nil, retriever)
+	repo, err := notaryclient.NewNotaryRepository(mainViper.GetString("trust_dir"), gun, getRemoteTrustServer(), nil, retriever)
 	if err != nil {
 		fatalf(err.Error())
 	}
@@ -291,7 +291,7 @@ func verify(cmd *cobra.Command, args []string) {
 	gun := args[0]
 	targetName := args[1]
-	nRepo, err := notaryclient.NewNotaryRepository(mainViper.GetString("trustDir"), gun, getRemoteTrustServer(), getTransport(gun, true), retriever)
+	nRepo, err := notaryclient.NewNotaryRepository(mainViper.GetString("trust_dir"), gun, getRemoteTrustServer(), getTransport(gun, true), retriever)
 	if err != nil {
 		fatalf(err.Error())
 	}
diff --git a/trustmanager/yubikeystore.go b/trustmanager/yubikeystore.go
index 52f106a718..ac51db00b8 100644
--- a/trustmanager/yubikeystore.go
+++ b/trustmanager/yubikeystore.go
@@ -185,9 +185,8 @@ func addECDSAKey(
 	role string,
 	backupStore KeyStore,
 ) error {
-	logrus.Debugf("Got into add key with key: %s\n", privKey.ID())
+	logrus.Debugf("Attempting to add key to yubikey with ID: %s", privKey.ID())
-	// TODO(diogo): Figure out CKU_SO with yubikey
 	err := login(ctx, session, passRetriever, pkcs11.CKU_SO, SO_USER_PIN)
 	if err != nil {
 		return err
@@ -201,7 +200,6 @@ func addECDSAKey(
 	}
 	ecdsaPrivKeyD := ensurePrivateKeySize(ecdsaPrivKey.D.Bytes())
-	logrus.Debugf("Getting D bytes: %v\n", ecdsaPrivKeyD)
 	template, err := NewCertificate(role)
 	if err != nil {
@@ -262,16 +260,16 @@ func getECDSAKey(ctx *pkcs11.Ctx, session pkcs11.SessionHandle, pkcs11KeyID []by
 	}
 	if err := ctx.FindObjectsInit(session, findTemplate); err != nil {
-		logrus.Debugf("Failed to init: %s\n", err.Error())
+		logrus.Debugf("Failed to init: %s", err.Error())
 		return nil, "", err
 	}
-	obj, b, err := ctx.FindObjects(session, 1)
+	obj, _, err := ctx.FindObjects(session, 1)
 	if err != nil {
-		logrus.Debugf("Failed to find: %s %v\n", err.Error(), b)
+		logrus.Debugf("Failed to find objects: %v", err)
 		return nil, "", err
 	}
 	if err := ctx.FindObjectsFinal(session); err != nil {
-		logrus.Debugf("Failed to finalize: %s\n", err.Error())
+		logrus.Debugf("Failed to finalize: %s", err.Error())
 		return nil, "", err
 	}
 	if len(obj) != 1 {
@@ -282,7 +280,7 @@ func getECDSAKey(ctx *pkcs11.Ctx, session pkcs11.SessionHandle, pkcs11KeyID []by
 	// Retrieve the public-key material to be able to create a new HSMRSAKey
 	attr, err := ctx.GetAttributeValue(session, obj[0], attrTemplate)
 	if err != nil {
-		logrus.Debugf("Failed to get Attribute for: %v\n", obj[0])
+		logrus.Debugf("Failed to get Attribute for: %v", obj[0])
 		return nil, "", err
 	}
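Review bot: Deleting `// TODO(diogo): Figure out CKU_SO with yubikey` without replacing it leaves the `login(ctx, session, passRetriever, pkcs11.CKU_SO, SO_USER_PIN)` call undocumented, and a reader can no longer tell whether the Security Officer login was settled on deliberately or just stopped being tracked. If it is now the intended design, say so in one line, e.g. `// Writing a key object requires a CKU_SO (security officer) login on the yubikey`; if it is still open, keep the TODO. addECDSAKey's signature starts before this hunk and its body continues past it.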
@@ -302,8 +300,6 @@ func getECDSAKey(ctx *pkcs11.Ctx, session pkcs11.SessionHandle, pkcs11KeyID []by
 		return nil, "", err
 	}
-	// TODO(diogo): Actually get the right alias from the certificate instead of
-	// alwars returning data.CanonicalRootRole
 	return data.NewECDSAPublicKey(pubBytes), data.CanonicalRootRole, nil
 }
@@ -324,13 +320,16 @@ func sign(ctx *pkcs11.Ctx, session pkcs11.SessionHandle, pkcs11KeyID []byte, pas
 	}
 	if err := ctx.FindObjectsInit(session, privateKeyTemplate); err != nil {
+		logrus.Debugf("Failed to init find objects: %s", err.Error())
 		return nil, err
 	}
 	obj, _, err := ctx.FindObjects(session, 1)
 	if err != nil {
+		logrus.Debugf("Failed to find objects: %v", err)
 		return nil, err
 	}
 	if err = ctx.FindObjectsFinal(session); err != nil {
+		logrus.Debugf("Failed to finalize find objects: %s", err.Error())
 		return nil, err
 	}
 	if len(obj) != 1 {
@@ -374,27 +373,27 @@ func yubiRemoveKey(ctx *pkcs11.Ctx, session pkcs11.SessionHandle, pkcs11KeyID []
 	}
 	if err := ctx.FindObjectsInit(session, template); err != nil {
-		logrus.Printf("Failed to init: %s\n", err.Error())
+		logrus.Debugf("Failed to init find objects: %s", err.Error())
 		return err
 	}
 	obj, b, err := ctx.FindObjects(session, 1)
 	if err != nil {
-		logrus.Printf("Failed to find: %s %v\n", err.Error(), b)
+		logrus.Debugf("Failed to find objects: %s %v", err.Error(), b)
 		return err
 	}
 	if err := ctx.FindObjectsFinal(session); err != nil {
-		logrus.Printf("Failed to finalize: %s\n", err.Error())
+		logrus.Debugf("Failed to finalize find objects: %s", err.Error())
 		return err
 	}
 	if len(obj) != 1 {
-		logrus.Printf("should have found one object")
+		logrus.Debugf("should have found exactly one object")
 		return err
 	}
 	// Delete the certificate
 	err = ctx.DestroyObject(session, obj[0])
 	if err != nil {
-		logrus.Printf("Failed to delete cert")
+		logrus.Debugf("Failed to delete cert")
 		return err
 	}
 	return nil
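Review bot: In `yubiRemoveKey`, the `if len(obj) != 1 {` branch still ends in `return err` after logging `should have found exactly one object`, but `err` is nil there — the `FindObjects` error was already returned two lines up — so the function reports success for a key it never found, and `RemoveKey` (later in this diff) then does `delete(s.keys, keyID)` on that nil error. Return a real error instead: `return fmt.Errorf("expected exactly one object for this key, found %d", len(obj))`. The later `return err` after `Failed to delete cert` is fine since `DestroyObject` assigns `err`. yubiRemoveKey starts before this hunk.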
@@ -414,7 +413,7 @@ func yubiListKeys(ctx *pkcs11.Ctx, session pkcs11.SessionHandle) (keys map[strin
 	}
 	if err = ctx.FindObjectsInit(session, findTemplate); err != nil {
-		logrus.Debugf("Failed to init: %s\n", err.Error())
+		logrus.Debugf("Failed to init: %s", err.Error())
 		return
 	}
 	objs, b, err := ctx.FindObjects(session, numSlots)
@@ -430,13 +429,13 @@ func yubiListKeys(ctx *pkcs11.Ctx, session pkcs11.SessionHandle) (keys map[strin
 		objs = append(objs, o...)
 	}
 	if err != nil {
-		logrus.Debugf("Failed to find: %s %v\n", err.Error(), b)
+		logrus.Debugf("Failed to find: %s %v", err.Error(), b)
 		if len(objs) == 0 {
 			return nil, err
 		}
 	}
 	if err = ctx.FindObjectsFinal(session); err != nil {
-		logrus.Debugf("Failed to finalize: %s\n", err.Error())
+		logrus.Debugf("Failed to finalize: %s", err.Error())
 		return
 	}
 	if len(objs) == 0 {
@@ -451,7 +450,7 @@ func yubiListKeys(ctx *pkcs11.Ctx, session pkcs11.SessionHandle) (keys map[strin
 	// Retrieve the public-key material to be able to create a new HSMRSAKey
 	attr, err := ctx.GetAttributeValue(session, obj, attrTemplate)
 	if err != nil {
-		logrus.Debugf("Failed to get Attribute for: %v\n", obj)
+		logrus.Debugf("Failed to get Attribute for: %v", obj)
 		continue
 	}
@@ -502,7 +501,7 @@ func getNextEmptySlot(ctx *pkcs11.Ctx, session pkcs11.SessionHandle) ([]byte, er
 	}
 	if err := ctx.FindObjectsInit(session, findTemplate); err != nil {
-		logrus.Debugf("Failed to init: %s\n", err.Error())
+		logrus.Debugf("Failed to init: %s", err.Error())
 		return nil, err
 	}
 	objs, b, err := ctx.FindObjects(session, numSlots)
@@ -521,14 +520,13 @@ func getNextEmptySlot(ctx *pkcs11.Ctx, session pkcs11.SessionHandle) ([]byte, er
 	}
 	taken := make(map[int]bool)
 	if err != nil {
-		logrus.Debugf("Failed to find: %s %v\n", err.Error(), b)
+		logrus.Debugf("Failed to find: %s %v", err.Error(), b)
 		return nil, err
 	}
 	for _, obj := range objs {
 		// Retrieve the slot ID
 		attr, err := ctx.GetAttributeValue(session, obj, attrTemplate)
 		if err != nil {
-			logrus.Debugf("Failed to get Attribute for: %v\n", obj)
 			continue
 		}
@@ -592,14 +590,17 @@ func (s *YubiKeyStore) ListKeys() map[string]string {
 	}
 	ctx, session, err := SetupHSMEnv(pkcs11Lib)
 	if err != nil {
+		logrus.Debugf("Failed to initialize PKCS11 environment: %s", err.Error())
 		return nil
 	}
 	defer cleanup(ctx, session)
 	keys, err := yubiListKeys(ctx, session)
 	if err != nil {
+		logrus.Debugf("Failed to list key from the yubikey: %s", err.Error())
 		return nil
 	}
 	s.keys = keys
+
 	return buildKeyMap(keys)
 }
@@ -612,11 +613,12 @@ func (s *YubiKeyStore) addKey(
 	keyID, role string, privKey data.PrivateKey, backup bool) error {
 	// We only allow adding root keys for now
 	if role != data.CanonicalRootRole {
-		return fmt.Errorf("yubikey only supports storing root keys, got %s for key: %s\n", role, keyID)
+		return fmt.Errorf("yubikey only supports storing root keys, got %s for key: %s", role, keyID)
 	}
 	ctx, session, err := SetupHSMEnv(pkcs11Lib)
 	if err != nil {
+		logrus.Debugf("Failed to initialize PKCS11 environment: %s", err.Error())
 		return err
 	}
 	defer cleanup(ctx, session)
@@ -630,9 +632,10 @@ func (s *YubiKeyStore) addKey(
 	slot, err := getNextEmptySlot(ctx, session)
 	if err != nil {
+		logrus.Debugf("Failed to get an empty yubikey slot: %s", err.Error())
 		return err
 	}
-	logrus.Debugf("Using yubikey slot %v", slot)
+	logrus.Debugf("Attempting to store key using yubikey slot %v", slot)
 	backupStore := s.backupStore
 	if !backup {
@@ -648,6 +651,8 @@ func (s *YubiKeyStore) addKey(
 		}
 		return nil
 	}
+	logrus.Debugf("Failed to add key to yubikey: %v", err)
+
 	return err
 }
@@ -656,6 +661,7 @@ func (s *YubiKeyStore) addKey(
 func (s *YubiKeyStore) GetKey(keyID string) (data.PrivateKey, string, error) {
 	ctx, session, err := SetupHSMEnv(pkcs11Lib)
 	if err != nil {
+		logrus.Debugf("Failed to initialize PKCS11 environment: %s", err.Error())
 		return nil, "", err
 	}
 	defer cleanup(ctx, session)
@@ -667,11 +673,12 @@ func (s *YubiKeyStore) GetKey(keyID string) (data.PrivateKey, string, error) {
 	pubKey, alias, err := getECDSAKey(ctx, session, key.slotID)
 	if err != nil {
+		logrus.Debugf("Failed to get key from slot %s: %s", key.slotID, err.Error())
 		return nil, "", err
 	}
 	// Check to see if we're returning the intended keyID
 	if pubKey.ID() != keyID {
-		return nil, "", fmt.Errorf("expected root key: %s, but found: %s\n", keyID, pubKey.ID())
+		return nil, "", fmt.Errorf("expected root key: %s, but found: %s", keyID, pubKey.ID())
 	}
 	privKey := NewYubiPrivateKey(key.slotID, *pubKey, s.passRetriever)
 	if privKey == nil {
@@ -686,6 +693,7 @@ func (s *YubiKeyStore) GetKey(keyID string) (data.PrivateKey, string, error) {
 func (s *YubiKeyStore) RemoveKey(keyID string) error {
 	ctx, session, err := SetupHSMEnv(pkcs11Lib)
 	if err != nil {
+		logrus.Debugf("Failed to initialize PKCS11 environment: %s", err.Error())
 		return nil
 	}
 	defer cleanup(ctx, session)
@@ -696,7 +704,10 @@ func (s *YubiKeyStore) RemoveKey(keyID string) error {
 	err = yubiRemoveKey(ctx, session, key.slotID, s.passRetriever, keyID)
 	if err == nil {
 		delete(s.keys, keyID)
+	} else {
+		logrus.Debugf("Failed to remove from the yubikey KeyID %s: %v", keyID, err)
 	}
+
 	return err
 }
@@ -712,6 +723,7 @@ func (s *YubiKeyStore) ImportKey(pemBytes []byte, keyPath string) error {
 	privKey, _, err := GetPasswdDecryptBytes(
 		s.passRetriever, pemBytes, "", "imported root")
 	if err != nil {
+		logrus.Debugf("Failed to get and retrieve a key from: %s", keyPath)
 		return err
 	}
 	if keyPath != data.CanonicalRootRole {
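Review bot: The new `logrus.Debugf("Failed to get key from slot %s: %s", key.slotID, err.Error())` in GetKey formats `key.slotID` with `%s`, but the same value is passed to `getECDSAKey(ctx, session, pkcs11KeyID []byte)` earlier in this diff, so it is a byte slice and `%s` writes its raw bytes into the log line (presumably unprintable, since slot IDs are small binary identifiers). Use a hex verb: `logrus.Debugf("Failed to get key from slot %x: %s", key.slotID, err.Error())`. GetKey starts and ends outside this hunk.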
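Review bot: `RemoveKey` still returns `nil` when `SetupHSMEnv` fails — the hunk only adds a Debugf above `return nil` — so a caller cannot tell a removed key from a yubikey that could not be opened at all, while the `addKey` and `GetKey` hunks in this same file return `err` in that situation. Unless the nil is deliberate (no token present means there is nothing to remove), change it to `return err`; if it is deliberate, record that next to it: `// no usable yubikey: nothing to remove, not an error`. The added `logrus.Debugf("Failed to get and retrieve a key from: %s", keyPath)` in ImportKey is also misleading, since the next line compares `keyPath` with `data.CanonicalRootRole`, i.e. it holds a role name rather than a path, and the message omits the error itself; `logrus.Debugf("Failed to decrypt imported key for role %s: %v", keyPath, err)` says what happened. RemoveKey's body is split across two hunks here.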
@@ -738,7 +750,7 @@ func SetupHSMEnv(libraryPath string) (*pkcs11.Ctx, pkcs11.SessionHandle, error)
 	}
 	if err := p.Initialize(); err != nil {
-		return nil, 0, fmt.Errorf("Initialize error %s\n", err.Error())
+		return nil, 0, fmt.Errorf("Initialize error %s", err.Error())
 	}
 	slots, err := p.GetSlotList(true)