docker
/
docs
mirror of https://github.com/docker/docs.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Making tests pass 

Signed-off-by: Diogo Monica <diogo@docker.com>
Signed-off-by: David Lawrence <david.lawrence@docker.com>

Signed-off-by: Diogo Monica <diogo@docker.com> (github: endophage)
This commit is contained in:
Diogo Monica 2015-11-10 22:48:30 -08:00 committed by David Lawrence
parent 5b7480f599
commit 0344dfc038
6 changed files with 103 additions and 77 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
cmd/notary/cert.go
View File

@ -55,7 +55,7 @@ func certRemove(cmd *cobra.Command, args []string) {
} }
parseConfig() parseConfig()
trustDir := mainViper.GetString("trustDir") trustDir := mainViper.GetString("trust_dir")
keysPath := filepath.Join(trustDir, notary.PrivDir) keysPath := filepath.Join(trustDir, notary.PrivDir)
fileKeyStore, err := trustmanager.NewKeyFileStore(keysPath, retriever) fileKeyStore, err := trustmanager.NewKeyFileStore(keysPath, retriever)
if err != nil { if err != nil {
@ -124,7 +124,7 @@ func certList(cmd *cobra.Command, args []string) {
} }
parseConfig() parseConfig()
trustDir := mainViper.GetString("trustDir") trustDir := mainViper.GetString("trust_dir")
keysPath := filepath.Join(trustDir, notary.PrivDir) keysPath := filepath.Join(trustDir, notary.PrivDir)
fileKeyStore, err := trustmanager.NewKeyFileStore(keysPath, retriever) fileKeyStore, err := trustmanager.NewKeyFileStore(keysPath, retriever)
if err != nil { if err != nil {

58
cmd/notary/integration_test.go
View File

@ -25,23 +25,31 @@ import (
"github.com/docker/notary/trustmanager" "github.com/docker/notary/trustmanager"
"github.com/docker/notary/tuf/data" "github.com/docker/notary/tuf/data"
"github.com/spf13/cobra" "github.com/spf13/cobra"
"github.com/spf13/viper"
"github.com/stretchr/testify/assert" "github.com/stretchr/testify/assert"
"golang.org/x/net/context" "golang.org/x/net/context"
) )
var cmd = &cobra.Command{}
var testPassphrase = "passphrase" var testPassphrase = "passphrase"
// run a command and return the output as a string // run a command and return the output as a string
func runCommand(t *testing.T, tempDir string, args ...string) (string, error) { func runCommand(t *testing.T, tempDir string, args ...string) (string, error) {
b := new(bytes.Buffer) // Using a new viper and Command so we don't have state between command invocations
cmd.SetArgs(append([]string{"-c", "/tmp/ignore.json", "-d", tempDir}, args...)) mainViper = viper.New()
cmd.SetOutput(b) cmd := &cobra.Command{}
t.Logf("Running `notary %s`", strings.Join(args, " ")) setupCommand(cmd)
b := new(bytes.Buffer)
// Create an empty config file so we don't load the default on ~/.notary/config.json
configFile := filepath.Join(tempDir, "config.json")
cmd.SetArgs(append([]string{"-c", configFile, "-d", tempDir}, args...))
cmd.SetOutput(b)
retErr := cmd.Execute() retErr := cmd.Execute()
output, err := ioutil.ReadAll(b) output, err := ioutil.ReadAll(b)
assert.NoError(t, err) assert.NoError(t, err)
return string(output), retErr return string(output), retErr
} }
@ -71,8 +79,7 @@ func TestClientTufInteraction(t *testing.T) {
cleanup := setUp(t) cleanup := setUp(t)
defer cleanup() defer cleanup()
tempDir, err := ioutil.TempDir("/tmp", "repo") tempDir := tempDirWithConfig(t, "{}")
assert.NoError(t, err)
defer os.RemoveAll(tempDir) defer os.RemoveAll(tempDir)
server := setupServer() server := setupServer()
@ -122,7 +129,7 @@ func TestClientTufInteraction(t *testing.T) {
assert.True(t, strings.Contains(string(output), target)) assert.True(t, strings.Contains(string(output), target))
// verify repo - empty file // verify repo - empty file
output, err = runCommand(t, tempDir, "verify", "gun", target) output, err = runCommand(t, tempDir, "-s", server.URL, "verify", "gun", target)
assert.NoError(t, err) assert.NoError(t, err)
// remove target // remove target
@ -224,8 +231,7 @@ func TestClientKeyGenerationRotation(t *testing.T) {
cleanup := setUp(t) cleanup := setUp(t)
defer cleanup() defer cleanup()
tempDir, err := ioutil.TempDir("/tmp", "repo") tempDir := tempDirWithConfig(t, "{}")
assert.NoError(t, err)
defer os.RemoveAll(tempDir) defer os.RemoveAll(tempDir)
tempfiles := make([]string, 2) tempfiles := make([]string, 2)
@ -248,7 +254,7 @@ func TestClientKeyGenerationRotation(t *testing.T) {
assertNumKeys(t, tempDir, 0, 0, true) assertNumKeys(t, tempDir, 0, 0, true)
// generate root key produces a single root key and no other keys // generate root key produces a single root key and no other keys
_, err = runCommand(t, tempDir, "key", "generate", data.ECDSAKey) _, err := runCommand(t, tempDir, "key", "generate", data.ECDSAKey)
assert.NoError(t, err) assert.NoError(t, err)
assertNumKeys(t, tempDir, 1, 0, true) assertNumKeys(t, tempDir, 1, 0, true)
@ -305,8 +311,7 @@ func TestClientKeyImportExportRootAndSigning(t *testing.T) {
dirs := make([]string, 3) dirs := make([]string, 3)
for i := 0; i < 3; i++ { for i := 0; i < 3; i++ {
tempDir, err := ioutil.TempDir("/tmp", "repo") tempDir := tempDirWithConfig(t, "{}")
assert.NoError(t, err)
defer os.RemoveAll(tempDir) defer os.RemoveAll(tempDir)
dirs[i] = tempDir dirs[i] = tempDir
} }
@ -381,12 +386,11 @@ func TestClientKeyImportExportRootAndSigning(t *testing.T) {
// Generate a root key and export the root key only. Return the key ID // Generate a root key and export the root key only. Return the key ID
// exported. // exported.
func exportRoot(t *testing.T, exportTo string) string { func exportRoot(t *testing.T, exportTo string) string {
tempDir, err := ioutil.TempDir("/tmp", "repo") tempDir := tempDirWithConfig(t, "{}")
assert.NoError(t, err)
defer os.RemoveAll(tempDir) defer os.RemoveAll(tempDir)
// generate root key produces a single root key and no other keys // generate root key produces a single root key and no other keys
_, err = runCommand(t, tempDir, "key", "generate", data.ECDSAKey) _, err := runCommand(t, tempDir, "key", "generate", data.ECDSAKey)
assert.NoError(t, err) assert.NoError(t, err)
oldRoot, _ := assertNumKeys(t, tempDir, 1, 0, true) oldRoot, _ := assertNumKeys(t, tempDir, 1, 0, true)
@ -410,8 +414,7 @@ func TestClientKeyImportExportRootOnly(t *testing.T) {
cleanup := setUp(t) cleanup := setUp(t)
defer cleanup() defer cleanup()
tempDir, err := ioutil.TempDir("/tmp", "repo") tempDir := tempDirWithConfig(t, "{}")
assert.NoError(t, err)
defer os.RemoveAll(tempDir) defer os.RemoveAll(tempDir)
server := setupServer() server := setupServer()
@ -481,15 +484,14 @@ func TestClientCertInteraction(t *testing.T) {
cleanup := setUp(t) cleanup := setUp(t)
defer cleanup() defer cleanup()
tempDir, err := ioutil.TempDir("/tmp", "repo") tempDir := tempDirWithConfig(t, "{}")
assert.NoError(t, err)
defer os.RemoveAll(tempDir) defer os.RemoveAll(tempDir)
server := setupServer() server := setupServer()
defer server.Close() defer server.Close()
// -- tests -- // -- tests --
_, err = runCommand(t, tempDir, "-s", server.URL, "init", "gun1") _, err := runCommand(t, tempDir, "-s", server.URL, "init", "gun1")
assert.NoError(t, err) assert.NoError(t, err)
_, err = runCommand(t, tempDir, "-s", server.URL, "init", "gun2") _, err = runCommand(t, tempDir, "-s", server.URL, "init", "gun2")
assert.NoError(t, err) assert.NoError(t, err)
@ -516,8 +518,7 @@ func TestDefaultRootKeyGeneration(t *testing.T) {
cleanup := setUp(t) cleanup := setUp(t)
defer cleanup() defer cleanup()
tempDir, err := ioutil.TempDir("/tmp", "repo") tempDir := tempDirWithConfig(t, "{}")
assert.NoError(t, err)
defer os.RemoveAll(tempDir) defer os.RemoveAll(tempDir)
// -- tests -- // -- tests --
@ -526,16 +527,23 @@ func TestDefaultRootKeyGeneration(t *testing.T) {
assertNumKeys(t, tempDir, 0, 0, true) assertNumKeys(t, tempDir, 0, 0, true)
// generate root key with no algorithm produces a single ECDSA root key and no other keys // generate root key with no algorithm produces a single ECDSA root key and no other keys
_, err = runCommand(t, tempDir, "key", "generate") _, err := runCommand(t, tempDir, "key", "generate")
assert.NoError(t, err) assert.NoError(t, err)
assertNumKeys(t, tempDir, 1, 0, true) assertNumKeys(t, tempDir, 1, 0, true)
} }
func tempDirWithConfig(t *testing.T, config string) string {
tempDir, err := ioutil.TempDir("/tmp", "repo")
assert.NoError(t, err)
err = ioutil.WriteFile(filepath.Join(tempDir, "config.json"), []byte(config), 0644)
assert.NoError(t, err)
return tempDir
}
func TestMain(m *testing.M) { func TestMain(m *testing.M) {
if testing.Short() { if testing.Short() {
// skip // skip
os.Exit(0) os.Exit(0)
} }
setupCommand(cmd)
os.Exit(m.Run()) os.Exit(m.Run())
} }

19
cmd/notary/keys.go
View File

@ -97,7 +97,7 @@ func keysList(cmd *cobra.Command, args []string) {
parseConfig() parseConfig()
stores := getKeyStores(cmd, mainViper.GetString("trustDir"), retriever, true) stores := getKeyStores(cmd, mainViper.GetString("trust_dir"), retriever, true)
keys := make(map[trustmanager.KeyStore]map[string]string) keys := make(map[trustmanager.KeyStore]map[string]string)
for _, store := range stores { for _, store := range stores {
@ -137,6 +137,11 @@ func keysList(cmd *cobra.Command, args []string) {
} }
func keysGenerateRootKey(cmd *cobra.Command, args []string) { func keysGenerateRootKey(cmd *cobra.Command, args []string) {
if len(args) > 1 {
cmd.Usage()
fatalf("Please provide only one Algorithm as an argument to generate (rsa, ecdsa)")
}
parseConfig() parseConfig()
// If no param is given to generate, generates an ecdsa key by default // If no param is given to generate, generates an ecdsa key by default
@ -160,7 +165,7 @@ func keysGenerateRootKey(cmd *cobra.Command, args []string) {
cs := cryptoservice.NewCryptoService( cs := cryptoservice.NewCryptoService(
"", "",
getKeyStores(cmd, mainViper.GetString("trustDir"), retriever, true)..., getKeyStores(cmd, mainViper.GetString("trust_dir"), retriever, true)...,
) )
pubKey, err := cs.Create(data.CanonicalRootRole, algorithm) pubKey, err := cs.Create(data.CanonicalRootRole, algorithm)
@ -183,7 +188,7 @@ func keysExport(cmd *cobra.Command, args []string) {
cs := cryptoservice.NewCryptoService( cs := cryptoservice.NewCryptoService(
"", "",
getKeyStores(cmd, mainViper.GetString("trustDir"), retriever, true)..., getKeyStores(cmd, mainViper.GetString("trust_dir"), retriever, true)...,
) )
exportFile, err := os.Create(exportFilename) exportFile, err := os.Create(exportFilename)
@ -228,7 +233,7 @@ func keysExportRoot(cmd *cobra.Command, args []string) {
cs := cryptoservice.NewCryptoService( cs := cryptoservice.NewCryptoService(
"", "",
getKeyStores(cmd, mainViper.GetString("trustDir"), retriever, true)..., getKeyStores(cmd, mainViper.GetString("trust_dir"), retriever, true)...,
) )
exportFile, err := os.Create(exportFilename) exportFile, err := os.Create(exportFilename)
@ -263,7 +268,7 @@ func keysImport(cmd *cobra.Command, args []string) {
cs := cryptoservice.NewCryptoService( cs := cryptoservice.NewCryptoService(
"", "",
getKeyStores(cmd, mainViper.GetString("trustDir"), retriever, true)..., getKeyStores(cmd, mainViper.GetString("trust_dir"), retriever, true)...,
) )
zipReader, err := zip.OpenReader(importFilename) zipReader, err := zip.OpenReader(importFilename)
@ -290,7 +295,7 @@ func keysImportRoot(cmd *cobra.Command, args []string) {
cs := cryptoservice.NewCryptoService( cs := cryptoservice.NewCryptoService(
"", "",
getKeyStores(cmd, mainViper.GetString("trustDir"), retriever, true)..., getKeyStores(cmd, mainViper.GetString("trust_dir"), retriever, true)...,
) )
importFilename := args[0] importFilename := args[0]
@ -322,7 +327,7 @@ func keysRotate(cmd *cobra.Command, args []string) {
parseConfig() parseConfig()
gun := args[0] gun := args[0]
nRepo, err := notaryclient.NewNotaryRepository(mainViper.GetString("trustDir"), gun, remoteTrustServer, nil, retriever) nRepo, err := notaryclient.NewNotaryRepository(mainViper.GetString("trust_dir"), gun, remoteTrustServer, nil, retriever)
if err != nil { if err != nil {
fatalf(err.Error()) fatalf(err.Error())
} }

19
cmd/notary/main.go
View File

@ -53,7 +53,7 @@ func parseConfig() {
} }
// By default our trust directory (where keys are stored) is in ~/.notary/ // By default our trust directory (where keys are stored) is in ~/.notary/
mainViper.SetDefault("trustDir", filepath.Join(homeDir, filepath.Dir(configDir))) mainViper.SetDefault("trust_dir", filepath.Join(homeDir, filepath.Dir(configDir)))
// If there was a commandline configFile set, we parse that. // If there was a commandline configFile set, we parse that.
// If there wasn't we attempt to find it on the default location ~/.notary/config // If there wasn't we attempt to find it on the default location ~/.notary/config
@ -73,26 +73,27 @@ func parseConfig() {
// Find and read the config file // Find and read the config file
err = mainViper.ReadInConfig() err = mainViper.ReadInConfig()
if err != nil { if err != nil {
logrus.Debugf("configuration file not found, using defaults") logrus.Debugf("Configuration file not found, using defaults")
// Ignore if the configuration file doesn't exist, we can use the defaults // If we were passed in a configFile via -c, bail if it doesn't exist,
if !os.IsNotExist(err) { // otherwise ignore it: we can use the defaults
fatalf("Fatal error config file: %v", err) if configFile != "" || !os.IsNotExist(err) {
fatalf("error opening config file %v", err)
} }
} }
// At this point we either have the default value or the one set by the config. // At this point we either have the default value or the one set by the config.
// Either way, the command-line flag has precedence and overwrives the value // Either way, the command-line flag has precedence and overwrives the value
if trustDir != "" { if trustDir != "" {
mainViper.Set("trustDir", trustDir) mainViper.Set("trust_dir", trustDir)
} }
// Expands all the possible ~/ that have been given, either through -d or config // Expands all the possible ~/ that have been given, either through -d or config
// If there is no error, user it, if not, attempt to use whatever the user gave us // If there is no error, user it, if not, attempt to use whatever the user gave us
expandedTrustDir, err := homedir.Expand(mainViper.GetString("trustDir")) expandedTrustDir, err := homedir.Expand(mainViper.GetString("trust_dir"))
if err == nil { if err == nil {
mainViper.Set("trustDir", expandedTrustDir) mainViper.Set("trust_dir", expandedTrustDir)
} }
logrus.Debugf("using the following trust directory: %s", mainViper.GetString("trustDir")) logrus.Debugf("Using the following trust directory: %s", mainViper.GetString("trust_dir"))
} }
func setupCommand(notaryCmd *cobra.Command) { func setupCommand(notaryCmd *cobra.Command) {

16
cmd/notary/tuf.go
View File

@ -94,7 +94,7 @@ func tufAdd(cmd *cobra.Command, args []string) {
// no online operations are performed by add so the transport argument // no online operations are performed by add so the transport argument
// should be nil // should be nil
nRepo, err := notaryclient.NewNotaryRepository(mainViper.GetString("trustDir"), gun, getRemoteTrustServer(), nil, retriever) nRepo, err := notaryclient.NewNotaryRepository(mainViper.GetString("trust_dir"), gun, getRemoteTrustServer(), nil, retriever)
if err != nil { if err != nil {
fatalf(err.Error()) fatalf(err.Error())
} }
@ -121,7 +121,7 @@ func tufInit(cmd *cobra.Command, args []string) {
parseConfig() parseConfig()
gun := args[0] gun := args[0]
nRepo, err := notaryclient.NewNotaryRepository(mainViper.GetString("trustDir"), gun, getRemoteTrustServer(), getTransport(gun, false), retriever) nRepo, err := notaryclient.NewNotaryRepository(mainViper.GetString("trust_dir"), gun, getRemoteTrustServer(), getTransport(gun, false), retriever)
if err != nil { if err != nil {
fatalf(err.Error()) fatalf(err.Error())
} }
@ -157,7 +157,7 @@ func tufList(cmd *cobra.Command, args []string) {
parseConfig() parseConfig()
gun := args[0] gun := args[0]
nRepo, err := notaryclient.NewNotaryRepository(mainViper.GetString("trustDir"), gun, getRemoteTrustServer(), getTransport(gun, true), retriever) nRepo, err := notaryclient.NewNotaryRepository(mainViper.GetString("trust_dir"), gun, getRemoteTrustServer(), getTransport(gun, true), retriever)
if err != nil { if err != nil {
fatalf(err.Error()) fatalf(err.Error())
} }
@ -184,7 +184,7 @@ func tufLookup(cmd *cobra.Command, args []string) {
gun := args[0] gun := args[0]
targetName := args[1] targetName := args[1]
nRepo, err := notaryclient.NewNotaryRepository(mainViper.GetString("trustDir"), gun, getRemoteTrustServer(), getTransport(gun, true), retriever) nRepo, err := notaryclient.NewNotaryRepository(mainViper.GetString("trust_dir"), gun, getRemoteTrustServer(), getTransport(gun, true), retriever)
if err != nil { if err != nil {
fatalf(err.Error()) fatalf(err.Error())
} }
@ -206,7 +206,7 @@ func tufStatus(cmd *cobra.Command, args []string) {
parseConfig() parseConfig()
gun := args[0] gun := args[0]
nRepo, err := notaryclient.NewNotaryRepository(mainViper.GetString("trustDir"), gun, getRemoteTrustServer(), nil, retriever) nRepo, err := notaryclient.NewNotaryRepository(mainViper.GetString("trust_dir"), gun, getRemoteTrustServer(), nil, retriever)
if err != nil { if err != nil {
fatalf(err.Error()) fatalf(err.Error())
} }
@ -240,7 +240,7 @@ func tufPublish(cmd *cobra.Command, args []string) {
cmd.Println("Pushing changes to", gun) cmd.Println("Pushing changes to", gun)
nRepo, err := notaryclient.NewNotaryRepository(mainViper.GetString("trustDir"), gun, getRemoteTrustServer(), getTransport(gun, false), retriever) nRepo, err := notaryclient.NewNotaryRepository(mainViper.GetString("trust_dir"), gun, getRemoteTrustServer(), getTransport(gun, false), retriever)
if err != nil { if err != nil {
fatalf(err.Error()) fatalf(err.Error())
} }
@ -263,7 +263,7 @@ func tufRemove(cmd *cobra.Command, args []string) {
// no online operation are performed by remove so the transport argument // no online operation are performed by remove so the transport argument
// should be nil. // should be nil.
repo, err := notaryclient.NewNotaryRepository(mainViper.GetString("trustDir"), gun, getRemoteTrustServer(), nil, retriever) repo, err := notaryclient.NewNotaryRepository(mainViper.GetString("trust_dir"), gun, getRemoteTrustServer(), nil, retriever)
if err != nil { if err != nil {
fatalf(err.Error()) fatalf(err.Error())
} }
@ -291,7 +291,7 @@ func verify(cmd *cobra.Command, args []string) {
gun := args[0] gun := args[0]
targetName := args[1] targetName := args[1]
nRepo, err := notaryclient.NewNotaryRepository(mainViper.GetString("trustDir"), gun, getRemoteTrustServer(), getTransport(gun, true), retriever) nRepo, err := notaryclient.NewNotaryRepository(mainViper.GetString("trust_dir"), gun, getRemoteTrustServer(), getTransport(gun, true), retriever)
if err != nil { if err != nil {
fatalf(err.Error()) fatalf(err.Error())
} }

64
trustmanager/yubikeystore.go
View File

@ -185,9 +185,8 @@ func addECDSAKey(
role string, role string,
backupStore KeyStore, backupStore KeyStore,
) error { ) error {
logrus.Debugf("Got into add key with key: %s\n", privKey.ID()) logrus.Debugf("Attempting to add key to yubikey with ID: %s", privKey.ID())
// TODO(diogo): Figure out CKU_SO with yubikey
err := login(ctx, session, passRetriever, pkcs11.CKU_SO, SO_USER_PIN) err := login(ctx, session, passRetriever, pkcs11.CKU_SO, SO_USER_PIN)
if err != nil { if err != nil {
return err return err
@ -201,7 +200,6 @@ func addECDSAKey(
} }
ecdsaPrivKeyD := ensurePrivateKeySize(ecdsaPrivKey.D.Bytes()) ecdsaPrivKeyD := ensurePrivateKeySize(ecdsaPrivKey.D.Bytes())
logrus.Debugf("Getting D bytes: %v\n", ecdsaPrivKeyD)
template, err := NewCertificate(role) template, err := NewCertificate(role)
if err != nil { if err != nil {
@ -262,16 +260,16 @@ func getECDSAKey(ctx *pkcs11.Ctx, session pkcs11.SessionHandle, pkcs11KeyID []by
} }
if err := ctx.FindObjectsInit(session, findTemplate); err != nil { if err := ctx.FindObjectsInit(session, findTemplate); err != nil {
logrus.Debugf("Failed to init: %s\n", err.Error()) logrus.Debugf("Failed to init: %s", err.Error())
return nil, "", err return nil, "", err
} }
obj, b, err := ctx.FindObjects(session, 1) obj, _, err := ctx.FindObjects(session, 1)
if err != nil { if err != nil {
logrus.Debugf("Failed to find: %s %v\n", err.Error(), b) logrus.Debugf("Failed to find objects: %v", err)
return nil, "", err return nil, "", err
} }
if err := ctx.FindObjectsFinal(session); err != nil { if err := ctx.FindObjectsFinal(session); err != nil {
logrus.Debugf("Failed to finalize: %s\n", err.Error()) logrus.Debugf("Failed to finalize: %s", err.Error())
return nil, "", err return nil, "", err
} }
if len(obj) != 1 { if len(obj) != 1 {
@ -282,7 +280,7 @@ func getECDSAKey(ctx *pkcs11.Ctx, session pkcs11.SessionHandle, pkcs11KeyID []by
// Retrieve the public-key material to be able to create a new HSMRSAKey // Retrieve the public-key material to be able to create a new HSMRSAKey
attr, err := ctx.GetAttributeValue(session, obj[0], attrTemplate) attr, err := ctx.GetAttributeValue(session, obj[0], attrTemplate)
if err != nil { if err != nil {
logrus.Debugf("Failed to get Attribute for: %v\n", obj[0]) logrus.Debugf("Failed to get Attribute for: %v", obj[0])
return nil, "", err return nil, "", err
} }
@ -302,8 +300,6 @@ func getECDSAKey(ctx *pkcs11.Ctx, session pkcs11.SessionHandle, pkcs11KeyID []by
return nil, "", err return nil, "", err
} }
// TODO(diogo): Actually get the right alias from the certificate instead of
// alwars returning data.CanonicalRootRole
return data.NewECDSAPublicKey(pubBytes), data.CanonicalRootRole, nil return data.NewECDSAPublicKey(pubBytes), data.CanonicalRootRole, nil
} }
@ -324,13 +320,16 @@ func sign(ctx *pkcs11.Ctx, session pkcs11.SessionHandle, pkcs11KeyID []byte, pas
} }
if err := ctx.FindObjectsInit(session, privateKeyTemplate); err != nil { if err := ctx.FindObjectsInit(session, privateKeyTemplate); err != nil {
logrus.Debugf("Failed to init find objects: %s", err.Error())
return nil, err return nil, err
} }
obj, _, err := ctx.FindObjects(session, 1) obj, _, err := ctx.FindObjects(session, 1)
if err != nil { if err != nil {
logrus.Debugf("Failed to find objects: %v", err)
return nil, err return nil, err
} }
if err = ctx.FindObjectsFinal(session); err != nil { if err = ctx.FindObjectsFinal(session); err != nil {
logrus.Debugf("Failed to finalize find objects: %s", err.Error())
return nil, err return nil, err
} }
if len(obj) != 1 { if len(obj) != 1 {
@ -374,27 +373,27 @@ func yubiRemoveKey(ctx *pkcs11.Ctx, session pkcs11.SessionHandle, pkcs11KeyID []
} }
if err := ctx.FindObjectsInit(session, template); err != nil { if err := ctx.FindObjectsInit(session, template); err != nil {
logrus.Printf("Failed to init: %s\n", err.Error()) logrus.Debugf("Failed to init find objects: %s", err.Error())
return err return err
} }
obj, b, err := ctx.FindObjects(session, 1) obj, b, err := ctx.FindObjects(session, 1)
if err != nil { if err != nil {
logrus.Printf("Failed to find: %s %v\n", err.Error(), b) logrus.Debugf("Failed to find objects: %s %v", err.Error(), b)
return err return err
} }
if err := ctx.FindObjectsFinal(session); err != nil { if err := ctx.FindObjectsFinal(session); err != nil {
logrus.Printf("Failed to finalize: %s\n", err.Error()) logrus.Debugf("Failed to finalize find objects: %s", err.Error())
return err return err
} }
if len(obj) != 1 { if len(obj) != 1 {
logrus.Printf("should have found one object") logrus.Debugf("should have found exactly one object")
return err return err
} }
// Delete the certificate // Delete the certificate
err = ctx.DestroyObject(session, obj[0]) err = ctx.DestroyObject(session, obj[0])
if err != nil { if err != nil {
logrus.Printf("Failed to delete cert") logrus.Debugf("Failed to delete cert")
return err return err
} }
return nil return nil
@ -414,7 +413,7 @@ func yubiListKeys(ctx *pkcs11.Ctx, session pkcs11.SessionHandle) (keys map[strin
} }
if err = ctx.FindObjectsInit(session, findTemplate); err != nil { if err = ctx.FindObjectsInit(session, findTemplate); err != nil {
logrus.Debugf("Failed to init: %s\n", err.Error()) logrus.Debugf("Failed to init: %s", err.Error())
return return
} }
objs, b, err := ctx.FindObjects(session, numSlots) objs, b, err := ctx.FindObjects(session, numSlots)
@ -430,13 +429,13 @@ func yubiListKeys(ctx *pkcs11.Ctx, session pkcs11.SessionHandle) (keys map[strin
objs = append(objs, o...) objs = append(objs, o...)
} }
if err != nil { if err != nil {
logrus.Debugf("Failed to find: %s %v\n", err.Error(), b) logrus.Debugf("Failed to find: %s %v", err.Error(), b)
if len(objs) == 0 { if len(objs) == 0 {
return nil, err return nil, err
} }
} }
if err = ctx.FindObjectsFinal(session); err != nil { if err = ctx.FindObjectsFinal(session); err != nil {
logrus.Debugf("Failed to finalize: %s\n", err.Error()) logrus.Debugf("Failed to finalize: %s", err.Error())
return return
} }
if len(objs) == 0 { if len(objs) == 0 {
@ -451,7 +450,7 @@ func yubiListKeys(ctx *pkcs11.Ctx, session pkcs11.SessionHandle) (keys map[strin
// Retrieve the public-key material to be able to create a new HSMRSAKey // Retrieve the public-key material to be able to create a new HSMRSAKey
attr, err := ctx.GetAttributeValue(session, obj, attrTemplate) attr, err := ctx.GetAttributeValue(session, obj, attrTemplate)
if err != nil { if err != nil {
logrus.Debugf("Failed to get Attribute for: %v\n", obj) logrus.Debugf("Failed to get Attribute for: %v", obj)
continue continue
} }
@ -502,7 +501,7 @@ func getNextEmptySlot(ctx *pkcs11.Ctx, session pkcs11.SessionHandle) ([]byte, er
} }
if err := ctx.FindObjectsInit(session, findTemplate); err != nil { if err := ctx.FindObjectsInit(session, findTemplate); err != nil {
logrus.Debugf("Failed to init: %s\n", err.Error()) logrus.Debugf("Failed to init: %s", err.Error())
return nil, err return nil, err
} }
objs, b, err := ctx.FindObjects(session, numSlots) objs, b, err := ctx.FindObjects(session, numSlots)
@ -521,14 +520,13 @@ func getNextEmptySlot(ctx *pkcs11.Ctx, session pkcs11.SessionHandle) ([]byte, er
} }
taken := make(map[int]bool) taken := make(map[int]bool)
if err != nil { if err != nil {
logrus.Debugf("Failed to find: %s %v\n", err.Error(), b) logrus.Debugf("Failed to find: %s %v", err.Error(), b)
return nil, err return nil, err
} }
for _, obj := range objs { for _, obj := range objs {
// Retrieve the slot ID // Retrieve the slot ID
attr, err := ctx.GetAttributeValue(session, obj, attrTemplate) attr, err := ctx.GetAttributeValue(session, obj, attrTemplate)
if err != nil { if err != nil {
logrus.Debugf("Failed to get Attribute for: %v\n", obj)
continue continue
} }
@ -592,14 +590,17 @@ func (s *YubiKeyStore) ListKeys() map[string]string {
} }
ctx, session, err := SetupHSMEnv(pkcs11Lib) ctx, session, err := SetupHSMEnv(pkcs11Lib)
if err != nil { if err != nil {
logrus.Debugf("Failed to initialize PKCS11 environment: %s", err.Error())
return nil return nil
} }
defer cleanup(ctx, session) defer cleanup(ctx, session)
keys, err := yubiListKeys(ctx, session) keys, err := yubiListKeys(ctx, session)
if err != nil { if err != nil {
logrus.Debugf("Failed to list key from the yubikey: %s", err.Error())
return nil return nil
} }
s.keys = keys s.keys = keys
return buildKeyMap(keys) return buildKeyMap(keys)
} }
@ -612,11 +613,12 @@ func (s *YubiKeyStore) addKey(
keyID, role string, privKey data.PrivateKey, backup bool) error { keyID, role string, privKey data.PrivateKey, backup bool) error {
// We only allow adding root keys for now // We only allow adding root keys for now
if role != data.CanonicalRootRole { if role != data.CanonicalRootRole {
return fmt.Errorf("yubikey only supports storing root keys, got %s for key: %s\n", role, keyID) return fmt.Errorf("yubikey only supports storing root keys, got %s for key: %s", role, keyID)
} }
ctx, session, err := SetupHSMEnv(pkcs11Lib) ctx, session, err := SetupHSMEnv(pkcs11Lib)
if err != nil { if err != nil {
logrus.Debugf("Failed to initialize PKCS11 environment: %s", err.Error())
return err return err
} }
defer cleanup(ctx, session) defer cleanup(ctx, session)
@ -630,9 +632,10 @@ func (s *YubiKeyStore) addKey(
slot, err := getNextEmptySlot(ctx, session) slot, err := getNextEmptySlot(ctx, session)
if err != nil { if err != nil {
logrus.Debugf("Failed to get an empty yubikey slot: %s", err.Error())
return err return err
} }
logrus.Debugf("Using yubikey slot %v", slot) logrus.Debugf("Attempting to store key using yubikey slot %v", slot)
backupStore := s.backupStore backupStore := s.backupStore
if !backup { if !backup {
@ -648,6 +651,8 @@ func (s *YubiKeyStore) addKey(
} }
return nil return nil
} }
logrus.Debugf("Failed to add key to yubikey: %v", err)
return err return err
} }
@ -656,6 +661,7 @@ func (s *YubiKeyStore) addKey(
func (s *YubiKeyStore) GetKey(keyID string) (data.PrivateKey, string, error) { func (s *YubiKeyStore) GetKey(keyID string) (data.PrivateKey, string, error) {
ctx, session, err := SetupHSMEnv(pkcs11Lib) ctx, session, err := SetupHSMEnv(pkcs11Lib)
if err != nil { if err != nil {
logrus.Debugf("Failed to initialize PKCS11 environment: %s", err.Error())
return nil, "", err return nil, "", err
} }
defer cleanup(ctx, session) defer cleanup(ctx, session)
@ -667,11 +673,12 @@ func (s *YubiKeyStore) GetKey(keyID string) (data.PrivateKey, string, error) {
pubKey, alias, err := getECDSAKey(ctx, session, key.slotID) pubKey, alias, err := getECDSAKey(ctx, session, key.slotID)
if err != nil { if err != nil {
logrus.Debugf("Failed to get key from slot %s: %s", key.slotID, err.Error())
return nil, "", err return nil, "", err
} }
// Check to see if we're returning the intended keyID // Check to see if we're returning the intended keyID
if pubKey.ID() != keyID { if pubKey.ID() != keyID {
return nil, "", fmt.Errorf("expected root key: %s, but found: %s\n", keyID, pubKey.ID()) return nil, "", fmt.Errorf("expected root key: %s, but found: %s", keyID, pubKey.ID())
} }
privKey := NewYubiPrivateKey(key.slotID, *pubKey, s.passRetriever) privKey := NewYubiPrivateKey(key.slotID, *pubKey, s.passRetriever)
if privKey == nil { if privKey == nil {
@ -686,6 +693,7 @@ func (s *YubiKeyStore) GetKey(keyID string) (data.PrivateKey, string, error) {
func (s *YubiKeyStore) RemoveKey(keyID string) error { func (s *YubiKeyStore) RemoveKey(keyID string) error {
ctx, session, err := SetupHSMEnv(pkcs11Lib) ctx, session, err := SetupHSMEnv(pkcs11Lib)
if err != nil { if err != nil {
logrus.Debugf("Failed to initialize PKCS11 environment: %s", err.Error())
return nil return nil
} }
defer cleanup(ctx, session) defer cleanup(ctx, session)
@ -696,7 +704,10 @@ func (s *YubiKeyStore) RemoveKey(keyID string) error {
err = yubiRemoveKey(ctx, session, key.slotID, s.passRetriever, keyID) err = yubiRemoveKey(ctx, session, key.slotID, s.passRetriever, keyID)
if err == nil { if err == nil {
delete(s.keys, keyID) delete(s.keys, keyID)
} else {
logrus.Debugf("Failed to remove from the yubikey KeyID %s: %v", keyID, err)
} }
return err return err
} }
@ -712,6 +723,7 @@ func (s *YubiKeyStore) ImportKey(pemBytes []byte, keyPath string) error {
privKey, _, err := GetPasswdDecryptBytes( privKey, _, err := GetPasswdDecryptBytes(
s.passRetriever, pemBytes, "", "imported root") s.passRetriever, pemBytes, "", "imported root")
if err != nil { if err != nil {
logrus.Debugf("Failed to get and retrieve a key from: %s", keyPath)
return err return err
} }
if keyPath != data.CanonicalRootRole { if keyPath != data.CanonicalRootRole {
@ -738,7 +750,7 @@ func SetupHSMEnv(libraryPath string) (*pkcs11.Ctx, pkcs11.SessionHandle, error)
} }
if err := p.Initialize(); err != nil { if err := p.Initialize(); err != nil {
return nil, 0, fmt.Errorf("Initialize error %s\n", err.Error()) return nil, 0, fmt.Errorf("Initialize error %s", err.Error())
} }
slots, err := p.GetSlotList(true) slots, err := p.GetSlotList(true)