mirror of https://github.com/docker/docs.git
Making tests pass
Signed-off-by: Diogo Monica <diogo@docker.com> Signed-off-by: David Lawrence <david.lawrence@docker.com> Signed-off-by: Diogo Monica <diogo@docker.com> (github: endophage)
This commit is contained in:
Diogo Monica
David Lawrence
parent
5b7480f599
commit
0344dfc038
|
|
@ -55,7 +55,7 @@ func certRemove(cmd *cobra.Command, args []string) {
|
|||
}
|
||||
parseConfig()
|
||||
|
||||
trustDir := mainViper.GetString("trustDir")
|
||||
trustDir := mainViper.GetString("trust_dir")
|
||||
keysPath := filepath.Join(trustDir, notary.PrivDir)
|
||||
fileKeyStore, err := trustmanager.NewKeyFileStore(keysPath, retriever)
|
||||
if err != nil {
|
||||
|
|
@ -124,7 +124,7 @@ func certList(cmd *cobra.Command, args []string) {
|
|||
}
|
||||
parseConfig()
|
||||
|
||||
trustDir := mainViper.GetString("trustDir")
|
||||
trustDir := mainViper.GetString("trust_dir")
|
||||
keysPath := filepath.Join(trustDir, notary.PrivDir)
|
||||
fileKeyStore, err := trustmanager.NewKeyFileStore(keysPath, retriever)
|
||||
if err != nil {
|
||||
|
|
|
|||
|
|
@ -25,23 +25,31 @@ import (
|
|||
"github.com/docker/notary/trustmanager"
|
||||
"github.com/docker/notary/tuf/data"
|
||||
"github.com/spf13/cobra"
|
||||
"github.com/spf13/viper"
|
||||
"github.com/stretchr/testify/assert"
|
||||
"golang.org/x/net/context"
|
||||
)
|
||||
|
||||
var cmd = &cobra.Command{}
|
||||
var testPassphrase = "passphrase"
|
||||
|
||||
// run a command and return the output as a string
|
||||
func runCommand(t *testing.T, tempDir string, args ...string) (string, error) {
|
||||
b := new(bytes.Buffer)
|
||||
cmd.SetArgs(append([]string{"-c", "/tmp/ignore.json", "-d", tempDir}, args...))
|
||||
cmd.SetOutput(b)
|
||||
t.Logf("Running `notary %s`", strings.Join(args, " "))
|
||||
// Using a new viper and Command so we don't have state between command invocations
|
||||
mainViper = viper.New()
|
||||
cmd := &cobra.Command{}
|
||||
setupCommand(cmd)
|
||||
|
||||
b := new(bytes.Buffer)
|
||||
|
||||
// Create an empty config file so we don't load the default on ~/.notary/config.json
|
||||
configFile := filepath.Join(tempDir, "config.json")
|
||||
|
||||
cmd.SetArgs(append([]string{"-c", configFile, "-d", tempDir}, args...))
|
||||
cmd.SetOutput(b)
|
||||
retErr := cmd.Execute()
|
||||
output, err := ioutil.ReadAll(b)
|
||||
assert.NoError(t, err)
|
||||
|
||||
return string(output), retErr
|
||||
}
|
||||
|
||||
|
|
@ -71,8 +79,7 @@ func TestClientTufInteraction(t *testing.T) {
|
|||
cleanup := setUp(t)
|
||||
defer cleanup()
|
||||
|
||||
tempDir, err := ioutil.TempDir("/tmp", "repo")
|
||||
assert.NoError(t, err)
|
||||
tempDir := tempDirWithConfig(t, "{}")
|
||||
defer os.RemoveAll(tempDir)
|
||||
|
||||
server := setupServer()
|
||||
|
|
@ -122,7 +129,7 @@ func TestClientTufInteraction(t *testing.T) {
|
|||
assert.True(t, strings.Contains(string(output), target))
|
||||
|
||||
// verify repo - empty file
|
||||
output, err = runCommand(t, tempDir, "verify", "gun", target)
|
||||
output, err = runCommand(t, tempDir, "-s", server.URL, "verify", "gun", target)
|
||||
assert.NoError(t, err)
|
||||
|
||||
// remove target
|
||||
|
|
@ -224,8 +231,7 @@ func TestClientKeyGenerationRotation(t *testing.T) {
|
|||
cleanup := setUp(t)
|
||||
defer cleanup()
|
||||
|
||||
tempDir, err := ioutil.TempDir("/tmp", "repo")
|
||||
assert.NoError(t, err)
|
||||
tempDir := tempDirWithConfig(t, "{}")
|
||||
defer os.RemoveAll(tempDir)
|
||||
|
||||
tempfiles := make([]string, 2)
|
||||
|
|
@ -248,7 +254,7 @@ func TestClientKeyGenerationRotation(t *testing.T) {
|
|||
assertNumKeys(t, tempDir, 0, 0, true)
|
||||
|
||||
// generate root key produces a single root key and no other keys
|
||||
_, err = runCommand(t, tempDir, "key", "generate", data.ECDSAKey)
|
||||
_, err := runCommand(t, tempDir, "key", "generate", data.ECDSAKey)
|
||||
assert.NoError(t, err)
|
||||
assertNumKeys(t, tempDir, 1, 0, true)
|
||||
|
||||
|
|
@ -305,8 +311,7 @@ func TestClientKeyImportExportRootAndSigning(t *testing.T) {
|
|||
|
||||
dirs := make([]string, 3)
|
||||
for i := 0; i < 3; i++ {
|
||||
tempDir, err := ioutil.TempDir("/tmp", "repo")
|
||||
assert.NoError(t, err)
|
||||
tempDir := tempDirWithConfig(t, "{}")
|
||||
defer os.RemoveAll(tempDir)
|
||||
dirs[i] = tempDir
|
||||
}
|
||||
|
|
@ -381,12 +386,11 @@ func TestClientKeyImportExportRootAndSigning(t *testing.T) {
|
|||
// Generate a root key and export the root key only. Return the key ID
|
||||
// exported.
|
||||
func exportRoot(t *testing.T, exportTo string) string {
|
||||
tempDir, err := ioutil.TempDir("/tmp", "repo")
|
||||
assert.NoError(t, err)
|
||||
tempDir := tempDirWithConfig(t, "{}")
|
||||
defer os.RemoveAll(tempDir)
|
||||
|
||||
// generate root key produces a single root key and no other keys
|
||||
_, err = runCommand(t, tempDir, "key", "generate", data.ECDSAKey)
|
||||
_, err := runCommand(t, tempDir, "key", "generate", data.ECDSAKey)
|
||||
assert.NoError(t, err)
|
||||
oldRoot, _ := assertNumKeys(t, tempDir, 1, 0, true)
|
||||
|
||||
|
|
@ -410,8 +414,7 @@ func TestClientKeyImportExportRootOnly(t *testing.T) {
|
|||
cleanup := setUp(t)
|
||||
defer cleanup()
|
||||
|
||||
tempDir, err := ioutil.TempDir("/tmp", "repo")
|
||||
assert.NoError(t, err)
|
||||
tempDir := tempDirWithConfig(t, "{}")
|
||||
defer os.RemoveAll(tempDir)
|
||||
|
||||
server := setupServer()
|
||||
|
|
@ -481,15 +484,14 @@ func TestClientCertInteraction(t *testing.T) {
|
|||
cleanup := setUp(t)
|
||||
defer cleanup()
|
||||
|
||||
tempDir, err := ioutil.TempDir("/tmp", "repo")
|
||||
assert.NoError(t, err)
|
||||
tempDir := tempDirWithConfig(t, "{}")
|
||||
defer os.RemoveAll(tempDir)
|
||||
|
||||
server := setupServer()
|
||||
defer server.Close()
|
||||
|
||||
// -- tests --
|
||||
_, err = runCommand(t, tempDir, "-s", server.URL, "init", "gun1")
|
||||
_, err := runCommand(t, tempDir, "-s", server.URL, "init", "gun1")
|
||||
assert.NoError(t, err)
|
||||
_, err = runCommand(t, tempDir, "-s", server.URL, "init", "gun2")
|
||||
assert.NoError(t, err)
|
||||
|
|
@ -516,8 +518,7 @@ func TestDefaultRootKeyGeneration(t *testing.T) {
|
|||
cleanup := setUp(t)
|
||||
defer cleanup()
|
||||
|
||||
tempDir, err := ioutil.TempDir("/tmp", "repo")
|
||||
assert.NoError(t, err)
|
||||
tempDir := tempDirWithConfig(t, "{}")
|
||||
defer os.RemoveAll(tempDir)
|
||||
|
||||
// -- tests --
|
||||
|
|
@ -526,16 +527,23 @@ func TestDefaultRootKeyGeneration(t *testing.T) {
|
|||
assertNumKeys(t, tempDir, 0, 0, true)
|
||||
|
||||
// generate root key with no algorithm produces a single ECDSA root key and no other keys
|
||||
_, err = runCommand(t, tempDir, "key", "generate")
|
||||
_, err := runCommand(t, tempDir, "key", "generate")
|
||||
assert.NoError(t, err)
|
||||
assertNumKeys(t, tempDir, 1, 0, true)
|
||||
}
|
||||
|
||||
func tempDirWithConfig(t *testing.T, config string) string {
|
||||
tempDir, err := ioutil.TempDir("/tmp", "repo")
|
||||
assert.NoError(t, err)
|
||||
err = ioutil.WriteFile(filepath.Join(tempDir, "config.json"), []byte(config), 0644)
|
||||
assert.NoError(t, err)
|
||||
return tempDir
|
||||
}
|
||||
|
||||
func TestMain(m *testing.M) {
|
||||
if testing.Short() {
|
||||
// skip
|
||||
os.Exit(0)
|
||||
}
|
||||
setupCommand(cmd)
|
||||
os.Exit(m.Run())
|
||||
}
|
||||
|
|
|
|||
|
|
@ -97,7 +97,7 @@ func keysList(cmd *cobra.Command, args []string) {
|
|||
|
||||
parseConfig()
|
||||
|
||||
stores := getKeyStores(cmd, mainViper.GetString("trustDir"), retriever, true)
|
||||
stores := getKeyStores(cmd, mainViper.GetString("trust_dir"), retriever, true)
|
||||
|
||||
keys := make(map[trustmanager.KeyStore]map[string]string)
|
||||
for _, store := range stores {
|
||||
|
|
@ -137,6 +137,11 @@ func keysList(cmd *cobra.Command, args []string) {
|
|||
}
|
||||
|
||||
func keysGenerateRootKey(cmd *cobra.Command, args []string) {
|
||||
if len(args) > 1 {
|
||||
cmd.Usage()
|
||||
fatalf("Please provide only one Algorithm as an argument to generate (rsa, ecdsa)")
|
||||
}
|
||||
|
||||
parseConfig()
|
||||
|
||||
// If no param is given to generate, generates an ecdsa key by default
|
||||
|
|
@ -160,7 +165,7 @@ func keysGenerateRootKey(cmd *cobra.Command, args []string) {
|
|||
|
||||
cs := cryptoservice.NewCryptoService(
|
||||
"",
|
||||
getKeyStores(cmd, mainViper.GetString("trustDir"), retriever, true)...,
|
||||
getKeyStores(cmd, mainViper.GetString("trust_dir"), retriever, true)...,
|
||||
)
|
||||
|
||||
pubKey, err := cs.Create(data.CanonicalRootRole, algorithm)
|
||||
|
|
@ -183,7 +188,7 @@ func keysExport(cmd *cobra.Command, args []string) {
|
|||
|
||||
cs := cryptoservice.NewCryptoService(
|
||||
"",
|
||||
getKeyStores(cmd, mainViper.GetString("trustDir"), retriever, true)...,
|
||||
getKeyStores(cmd, mainViper.GetString("trust_dir"), retriever, true)...,
|
||||
)
|
||||
|
||||
exportFile, err := os.Create(exportFilename)
|
||||
|
|
@ -228,7 +233,7 @@ func keysExportRoot(cmd *cobra.Command, args []string) {
|
|||
|
||||
cs := cryptoservice.NewCryptoService(
|
||||
"",
|
||||
getKeyStores(cmd, mainViper.GetString("trustDir"), retriever, true)...,
|
||||
getKeyStores(cmd, mainViper.GetString("trust_dir"), retriever, true)...,
|
||||
)
|
||||
|
||||
exportFile, err := os.Create(exportFilename)
|
||||
|
|
@ -263,7 +268,7 @@ func keysImport(cmd *cobra.Command, args []string) {
|
|||
|
||||
cs := cryptoservice.NewCryptoService(
|
||||
"",
|
||||
getKeyStores(cmd, mainViper.GetString("trustDir"), retriever, true)...,
|
||||
getKeyStores(cmd, mainViper.GetString("trust_dir"), retriever, true)...,
|
||||
)
|
||||
|
||||
zipReader, err := zip.OpenReader(importFilename)
|
||||
|
|
@ -290,7 +295,7 @@ func keysImportRoot(cmd *cobra.Command, args []string) {
|
|||
|
||||
cs := cryptoservice.NewCryptoService(
|
||||
"",
|
||||
getKeyStores(cmd, mainViper.GetString("trustDir"), retriever, true)...,
|
||||
getKeyStores(cmd, mainViper.GetString("trust_dir"), retriever, true)...,
|
||||
)
|
||||
|
||||
importFilename := args[0]
|
||||
|
|
@ -322,7 +327,7 @@ func keysRotate(cmd *cobra.Command, args []string) {
|
|||
parseConfig()
|
||||
|
||||
gun := args[0]
|
||||
nRepo, err := notaryclient.NewNotaryRepository(mainViper.GetString("trustDir"), gun, remoteTrustServer, nil, retriever)
|
||||
nRepo, err := notaryclient.NewNotaryRepository(mainViper.GetString("trust_dir"), gun, remoteTrustServer, nil, retriever)
|
||||
if err != nil {
|
||||
fatalf(err.Error())
|
||||
}
|
||||
|
|
|
|||
|
|
@ -53,7 +53,7 @@ func parseConfig() {
|
|||
}
|
||||
|
||||
// By default our trust directory (where keys are stored) is in ~/.notary/
|
||||
mainViper.SetDefault("trustDir", filepath.Join(homeDir, filepath.Dir(configDir)))
|
||||
mainViper.SetDefault("trust_dir", filepath.Join(homeDir, filepath.Dir(configDir)))
|
||||
|
||||
// If there was a commandline configFile set, we parse that.
|
||||
// If there wasn't we attempt to find it on the default location ~/.notary/config
|
||||
|
|
@ -73,26 +73,27 @@ func parseConfig() {
|
|||
// Find and read the config file
|
||||
err = mainViper.ReadInConfig()
|
||||
if err != nil {
|
||||
logrus.Debugf("configuration file not found, using defaults")
|
||||
// Ignore if the configuration file doesn't exist, we can use the defaults
|
||||
if !os.IsNotExist(err) {
|
||||
fatalf("Fatal error config file: %v", err)
|
||||
logrus.Debugf("Configuration file not found, using defaults")
|
||||
// If we were passed in a configFile via -c, bail if it doesn't exist,
|
||||
// otherwise ignore it: we can use the defaults
|
||||
if configFile != "" || !os.IsNotExist(err) {
|
||||
fatalf("error opening config file %v", err)
|
||||
}
|
||||
}
|
||||
|
||||
// At this point we either have the default value or the one set by the config.
|
||||
// Either way, the command-line flag has precedence and overwrives the value
|
||||
if trustDir != "" {
|
||||
mainViper.Set("trustDir", trustDir)
|
||||
mainViper.Set("trust_dir", trustDir)
|
||||
}
|
||||
|
||||
// Expands all the possible ~/ that have been given, either through -d or config
|
||||
// If there is no error, user it, if not, attempt to use whatever the user gave us
|
||||
expandedTrustDir, err := homedir.Expand(mainViper.GetString("trustDir"))
|
||||
expandedTrustDir, err := homedir.Expand(mainViper.GetString("trust_dir"))
|
||||
if err == nil {
|
||||
mainViper.Set("trustDir", expandedTrustDir)
|
||||
mainViper.Set("trust_dir", expandedTrustDir)
|
||||
}
|
||||
logrus.Debugf("using the following trust directory: %s", mainViper.GetString("trustDir"))
|
||||
logrus.Debugf("Using the following trust directory: %s", mainViper.GetString("trust_dir"))
|
||||
}
|
||||
|
||||
func setupCommand(notaryCmd *cobra.Command) {
|
||||
|
|
|
|||
|
|
@ -94,7 +94,7 @@ func tufAdd(cmd *cobra.Command, args []string) {
|
|||
|
||||
// no online operations are performed by add so the transport argument
|
||||
// should be nil
|
||||
nRepo, err := notaryclient.NewNotaryRepository(mainViper.GetString("trustDir"), gun, getRemoteTrustServer(), nil, retriever)
|
||||
nRepo, err := notaryclient.NewNotaryRepository(mainViper.GetString("trust_dir"), gun, getRemoteTrustServer(), nil, retriever)
|
||||
if err != nil {
|
||||
fatalf(err.Error())
|
||||
}
|
||||
|
|
@ -121,7 +121,7 @@ func tufInit(cmd *cobra.Command, args []string) {
|
|||
parseConfig()
|
||||
gun := args[0]
|
||||
|
||||
nRepo, err := notaryclient.NewNotaryRepository(mainViper.GetString("trustDir"), gun, getRemoteTrustServer(), getTransport(gun, false), retriever)
|
||||
nRepo, err := notaryclient.NewNotaryRepository(mainViper.GetString("trust_dir"), gun, getRemoteTrustServer(), getTransport(gun, false), retriever)
|
||||
if err != nil {
|
||||
fatalf(err.Error())
|
||||
}
|
||||
|
|
@ -157,7 +157,7 @@ func tufList(cmd *cobra.Command, args []string) {
|
|||
parseConfig()
|
||||
gun := args[0]
|
||||
|
||||
nRepo, err := notaryclient.NewNotaryRepository(mainViper.GetString("trustDir"), gun, getRemoteTrustServer(), getTransport(gun, true), retriever)
|
||||
nRepo, err := notaryclient.NewNotaryRepository(mainViper.GetString("trust_dir"), gun, getRemoteTrustServer(), getTransport(gun, true), retriever)
|
||||
if err != nil {
|
||||
fatalf(err.Error())
|
||||
}
|
||||
|
|
@ -184,7 +184,7 @@ func tufLookup(cmd *cobra.Command, args []string) {
|
|||
gun := args[0]
|
||||
targetName := args[1]
|
||||
|
||||
nRepo, err := notaryclient.NewNotaryRepository(mainViper.GetString("trustDir"), gun, getRemoteTrustServer(), getTransport(gun, true), retriever)
|
||||
nRepo, err := notaryclient.NewNotaryRepository(mainViper.GetString("trust_dir"), gun, getRemoteTrustServer(), getTransport(gun, true), retriever)
|
||||
if err != nil {
|
||||
fatalf(err.Error())
|
||||
}
|
||||
|
|
@ -206,7 +206,7 @@ func tufStatus(cmd *cobra.Command, args []string) {
|
|||
parseConfig()
|
||||
gun := args[0]
|
||||
|
||||
nRepo, err := notaryclient.NewNotaryRepository(mainViper.GetString("trustDir"), gun, getRemoteTrustServer(), nil, retriever)
|
||||
nRepo, err := notaryclient.NewNotaryRepository(mainViper.GetString("trust_dir"), gun, getRemoteTrustServer(), nil, retriever)
|
||||
if err != nil {
|
||||
fatalf(err.Error())
|
||||
}
|
||||
|
|
@ -240,7 +240,7 @@ func tufPublish(cmd *cobra.Command, args []string) {
|
|||
|
||||
cmd.Println("Pushing changes to", gun)
|
||||
|
||||
nRepo, err := notaryclient.NewNotaryRepository(mainViper.GetString("trustDir"), gun, getRemoteTrustServer(), getTransport(gun, false), retriever)
|
||||
nRepo, err := notaryclient.NewNotaryRepository(mainViper.GetString("trust_dir"), gun, getRemoteTrustServer(), getTransport(gun, false), retriever)
|
||||
if err != nil {
|
||||
fatalf(err.Error())
|
||||
}
|
||||
|
|
@ -263,7 +263,7 @@ func tufRemove(cmd *cobra.Command, args []string) {
|
|||
|
||||
// no online operation are performed by remove so the transport argument
|
||||
// should be nil.
|
||||
repo, err := notaryclient.NewNotaryRepository(mainViper.GetString("trustDir"), gun, getRemoteTrustServer(), nil, retriever)
|
||||
repo, err := notaryclient.NewNotaryRepository(mainViper.GetString("trust_dir"), gun, getRemoteTrustServer(), nil, retriever)
|
||||
if err != nil {
|
||||
fatalf(err.Error())
|
||||
}
|
||||
|
|
@ -291,7 +291,7 @@ func verify(cmd *cobra.Command, args []string) {
|
|||
|
||||
gun := args[0]
|
||||
targetName := args[1]
|
||||
nRepo, err := notaryclient.NewNotaryRepository(mainViper.GetString("trustDir"), gun, getRemoteTrustServer(), getTransport(gun, true), retriever)
|
||||
nRepo, err := notaryclient.NewNotaryRepository(mainViper.GetString("trust_dir"), gun, getRemoteTrustServer(), getTransport(gun, true), retriever)
|
||||
if err != nil {
|
||||
fatalf(err.Error())
|
||||
}
|
||||
|
|
|
|||
|
|
@ -185,9 +185,8 @@ func addECDSAKey(
|
|||
role string,
|
||||
backupStore KeyStore,
|
||||
) error {
|
||||
logrus.Debugf("Got into add key with key: %s\n", privKey.ID())
|
||||
logrus.Debugf("Attempting to add key to yubikey with ID: %s", privKey.ID())
|
||||
|
||||
// TODO(diogo): Figure out CKU_SO with yubikey
|
||||
err := login(ctx, session, passRetriever, pkcs11.CKU_SO, SO_USER_PIN)
|
||||
if err != nil {
|
||||
return err
|
||||
|
|
@ -201,7 +200,6 @@ func addECDSAKey(
|
|||
}
|
||||
|
||||
ecdsaPrivKeyD := ensurePrivateKeySize(ecdsaPrivKey.D.Bytes())
|
||||
logrus.Debugf("Getting D bytes: %v\n", ecdsaPrivKeyD)
|
||||
|
||||
template, err := NewCertificate(role)
|
||||
if err != nil {
|
||||
|
|
@ -262,16 +260,16 @@ func getECDSAKey(ctx *pkcs11.Ctx, session pkcs11.SessionHandle, pkcs11KeyID []by
|
|||
}
|
||||
|
||||
if err := ctx.FindObjectsInit(session, findTemplate); err != nil {
|
||||
logrus.Debugf("Failed to init: %s\n", err.Error())
|
||||
logrus.Debugf("Failed to init: %s", err.Error())
|
||||
return nil, "", err
|
||||
}
|
||||
obj, b, err := ctx.FindObjects(session, 1)
|
||||
obj, _, err := ctx.FindObjects(session, 1)
|
||||
if err != nil {
|
||||
logrus.Debugf("Failed to find: %s %v\n", err.Error(), b)
|
||||
logrus.Debugf("Failed to find objects: %v", err)
|
||||
return nil, "", err
|
||||
}
|
||||
if err := ctx.FindObjectsFinal(session); err != nil {
|
||||
logrus.Debugf("Failed to finalize: %s\n", err.Error())
|
||||
logrus.Debugf("Failed to finalize: %s", err.Error())
|
||||
return nil, "", err
|
||||
}
|
||||
if len(obj) != 1 {
|
||||
|
|
@ -282,7 +280,7 @@ func getECDSAKey(ctx *pkcs11.Ctx, session pkcs11.SessionHandle, pkcs11KeyID []by
|
|||
// Retrieve the public-key material to be able to create a new HSMRSAKey
|
||||
attr, err := ctx.GetAttributeValue(session, obj[0], attrTemplate)
|
||||
if err != nil {
|
||||
logrus.Debugf("Failed to get Attribute for: %v\n", obj[0])
|
||||
logrus.Debugf("Failed to get Attribute for: %v", obj[0])
|
||||
return nil, "", err
|
||||
}
|
||||
|
||||
|
|
@ -302,8 +300,6 @@ func getECDSAKey(ctx *pkcs11.Ctx, session pkcs11.SessionHandle, pkcs11KeyID []by
|
|||
return nil, "", err
|
||||
}
|
||||
|
||||
// TODO(diogo): Actually get the right alias from the certificate instead of
|
||||
// alwars returning data.CanonicalRootRole
|
||||
return data.NewECDSAPublicKey(pubBytes), data.CanonicalRootRole, nil
|
||||
}
|
||||
|
||||
|
|
@ -324,13 +320,16 @@ func sign(ctx *pkcs11.Ctx, session pkcs11.SessionHandle, pkcs11KeyID []byte, pas
|
|||
}
|
||||
|
||||
if err := ctx.FindObjectsInit(session, privateKeyTemplate); err != nil {
|
||||
logrus.Debugf("Failed to init find objects: %s", err.Error())
|
||||
return nil, err
|
||||
}
|
||||
obj, _, err := ctx.FindObjects(session, 1)
|
||||
if err != nil {
|
||||
logrus.Debugf("Failed to find objects: %v", err)
|
||||
return nil, err
|
||||
}
|
||||
if err = ctx.FindObjectsFinal(session); err != nil {
|
||||
logrus.Debugf("Failed to finalize find objects: %s", err.Error())
|
||||
return nil, err
|
||||
}
|
||||
if len(obj) != 1 {
|
||||
|
|
@ -374,27 +373,27 @@ func yubiRemoveKey(ctx *pkcs11.Ctx, session pkcs11.SessionHandle, pkcs11KeyID []
|
|||
}
|
||||
|
||||
if err := ctx.FindObjectsInit(session, template); err != nil {
|
||||
logrus.Printf("Failed to init: %s\n", err.Error())
|
||||
logrus.Debugf("Failed to init find objects: %s", err.Error())
|
||||
return err
|
||||
}
|
||||
obj, b, err := ctx.FindObjects(session, 1)
|
||||
if err != nil {
|
||||
logrus.Printf("Failed to find: %s %v\n", err.Error(), b)
|
||||
logrus.Debugf("Failed to find objects: %s %v", err.Error(), b)
|
||||
return err
|
||||
}
|
||||
if err := ctx.FindObjectsFinal(session); err != nil {
|
||||
logrus.Printf("Failed to finalize: %s\n", err.Error())
|
||||
logrus.Debugf("Failed to finalize find objects: %s", err.Error())
|
||||
return err
|
||||
}
|
||||
if len(obj) != 1 {
|
||||
logrus.Printf("should have found one object")
|
||||
logrus.Debugf("should have found exactly one object")
|
||||
return err
|
||||
}
|
||||
|
||||
// Delete the certificate
|
||||
err = ctx.DestroyObject(session, obj[0])
|
||||
if err != nil {
|
||||
logrus.Printf("Failed to delete cert")
|
||||
logrus.Debugf("Failed to delete cert")
|
||||
return err
|
||||
}
|
||||
return nil
|
||||
|
|
@ -414,7 +413,7 @@ func yubiListKeys(ctx *pkcs11.Ctx, session pkcs11.SessionHandle) (keys map[strin
|
|||
}
|
||||
|
||||
if err = ctx.FindObjectsInit(session, findTemplate); err != nil {
|
||||
logrus.Debugf("Failed to init: %s\n", err.Error())
|
||||
logrus.Debugf("Failed to init: %s", err.Error())
|
||||
return
|
||||
}
|
||||
objs, b, err := ctx.FindObjects(session, numSlots)
|
||||
|
|
@ -430,13 +429,13 @@ func yubiListKeys(ctx *pkcs11.Ctx, session pkcs11.SessionHandle) (keys map[strin
|
|||
objs = append(objs, o...)
|
||||
}
|
||||
if err != nil {
|
||||
logrus.Debugf("Failed to find: %s %v\n", err.Error(), b)
|
||||
logrus.Debugf("Failed to find: %s %v", err.Error(), b)
|
||||
if len(objs) == 0 {
|
||||
return nil, err
|
||||
}
|
||||
}
|
||||
if err = ctx.FindObjectsFinal(session); err != nil {
|
||||
logrus.Debugf("Failed to finalize: %s\n", err.Error())
|
||||
logrus.Debugf("Failed to finalize: %s", err.Error())
|
||||
return
|
||||
}
|
||||
if len(objs) == 0 {
|
||||
|
|
@ -451,7 +450,7 @@ func yubiListKeys(ctx *pkcs11.Ctx, session pkcs11.SessionHandle) (keys map[strin
|
|||
// Retrieve the public-key material to be able to create a new HSMRSAKey
|
||||
attr, err := ctx.GetAttributeValue(session, obj, attrTemplate)
|
||||
if err != nil {
|
||||
logrus.Debugf("Failed to get Attribute for: %v\n", obj)
|
||||
logrus.Debugf("Failed to get Attribute for: %v", obj)
|
||||
continue
|
||||
}
|
||||
|
||||
|
|
@ -502,7 +501,7 @@ func getNextEmptySlot(ctx *pkcs11.Ctx, session pkcs11.SessionHandle) ([]byte, er
|
|||
}
|
||||
|
||||
if err := ctx.FindObjectsInit(session, findTemplate); err != nil {
|
||||
logrus.Debugf("Failed to init: %s\n", err.Error())
|
||||
logrus.Debugf("Failed to init: %s", err.Error())
|
||||
return nil, err
|
||||
}
|
||||
objs, b, err := ctx.FindObjects(session, numSlots)
|
||||
|
|
@ -521,14 +520,13 @@ func getNextEmptySlot(ctx *pkcs11.Ctx, session pkcs11.SessionHandle) ([]byte, er
|
|||
}
|
||||
taken := make(map[int]bool)
|
||||
if err != nil {
|
||||
logrus.Debugf("Failed to find: %s %v\n", err.Error(), b)
|
||||
logrus.Debugf("Failed to find: %s %v", err.Error(), b)
|
||||
return nil, err
|
||||
}
|
||||
for _, obj := range objs {
|
||||
// Retrieve the slot ID
|
||||
attr, err := ctx.GetAttributeValue(session, obj, attrTemplate)
|
||||
if err != nil {
|
||||
logrus.Debugf("Failed to get Attribute for: %v\n", obj)
|
||||
continue
|
||||
}
|
||||
|
||||
|
|
@ -592,14 +590,17 @@ func (s *YubiKeyStore) ListKeys() map[string]string {
|
|||
}
|
||||
ctx, session, err := SetupHSMEnv(pkcs11Lib)
|
||||
if err != nil {
|
||||
logrus.Debugf("Failed to initialize PKCS11 environment: %s", err.Error())
|
||||
return nil
|
||||
}
|
||||
defer cleanup(ctx, session)
|
||||
keys, err := yubiListKeys(ctx, session)
|
||||
if err != nil {
|
||||
logrus.Debugf("Failed to list key from the yubikey: %s", err.Error())
|
||||
return nil
|
||||
}
|
||||
s.keys = keys
|
||||
|
||||
return buildKeyMap(keys)
|
||||
}
|
||||
|
||||
|
|
@ -612,11 +613,12 @@ func (s *YubiKeyStore) addKey(
|
|||
keyID, role string, privKey data.PrivateKey, backup bool) error {
|
||||
// We only allow adding root keys for now
|
||||
if role != data.CanonicalRootRole {
|
||||
return fmt.Errorf("yubikey only supports storing root keys, got %s for key: %s\n", role, keyID)
|
||||
return fmt.Errorf("yubikey only supports storing root keys, got %s for key: %s", role, keyID)
|
||||
}
|
||||
|
||||
ctx, session, err := SetupHSMEnv(pkcs11Lib)
|
||||
if err != nil {
|
||||
logrus.Debugf("Failed to initialize PKCS11 environment: %s", err.Error())
|
||||
return err
|
||||
}
|
||||
defer cleanup(ctx, session)
|
||||
|
|
@ -630,9 +632,10 @@ func (s *YubiKeyStore) addKey(
|
|||
|
||||
slot, err := getNextEmptySlot(ctx, session)
|
||||
if err != nil {
|
||||
logrus.Debugf("Failed to get an empty yubikey slot: %s", err.Error())
|
||||
return err
|
||||
}
|
||||
logrus.Debugf("Using yubikey slot %v", slot)
|
||||
logrus.Debugf("Attempting to store key using yubikey slot %v", slot)
|
||||
|
||||
backupStore := s.backupStore
|
||||
if !backup {
|
||||
|
|
@ -648,6 +651,8 @@ func (s *YubiKeyStore) addKey(
|
|||
}
|
||||
return nil
|
||||
}
|
||||
logrus.Debugf("Failed to add key to yubikey: %v", err)
|
||||
|
||||
return err
|
||||
}
|
||||
|
||||
|
|
@ -656,6 +661,7 @@ func (s *YubiKeyStore) addKey(
|
|||
func (s *YubiKeyStore) GetKey(keyID string) (data.PrivateKey, string, error) {
|
||||
ctx, session, err := SetupHSMEnv(pkcs11Lib)
|
||||
if err != nil {
|
||||
logrus.Debugf("Failed to initialize PKCS11 environment: %s", err.Error())
|
||||
return nil, "", err
|
||||
}
|
||||
defer cleanup(ctx, session)
|
||||
|
|
@ -667,11 +673,12 @@ func (s *YubiKeyStore) GetKey(keyID string) (data.PrivateKey, string, error) {
|
|||
|
||||
pubKey, alias, err := getECDSAKey(ctx, session, key.slotID)
|
||||
if err != nil {
|
||||
logrus.Debugf("Failed to get key from slot %s: %s", key.slotID, err.Error())
|
||||
return nil, "", err
|
||||
}
|
||||
// Check to see if we're returning the intended keyID
|
||||
if pubKey.ID() != keyID {
|
||||
return nil, "", fmt.Errorf("expected root key: %s, but found: %s\n", keyID, pubKey.ID())
|
||||
return nil, "", fmt.Errorf("expected root key: %s, but found: %s", keyID, pubKey.ID())
|
||||
}
|
||||
privKey := NewYubiPrivateKey(key.slotID, *pubKey, s.passRetriever)
|
||||
if privKey == nil {
|
||||
|
|
@ -686,6 +693,7 @@ func (s *YubiKeyStore) GetKey(keyID string) (data.PrivateKey, string, error) {
|
|||
func (s *YubiKeyStore) RemoveKey(keyID string) error {
|
||||
ctx, session, err := SetupHSMEnv(pkcs11Lib)
|
||||
if err != nil {
|
||||
logrus.Debugf("Failed to initialize PKCS11 environment: %s", err.Error())
|
||||
return nil
|
||||
}
|
||||
defer cleanup(ctx, session)
|
||||
|
|
@ -696,7 +704,10 @@ func (s *YubiKeyStore) RemoveKey(keyID string) error {
|
|||
err = yubiRemoveKey(ctx, session, key.slotID, s.passRetriever, keyID)
|
||||
if err == nil {
|
||||
delete(s.keys, keyID)
|
||||
} else {
|
||||
logrus.Debugf("Failed to remove from the yubikey KeyID %s: %v", keyID, err)
|
||||
}
|
||||
|
||||
return err
|
||||
}
|
||||
|
||||
|
|
@ -712,6 +723,7 @@ func (s *YubiKeyStore) ImportKey(pemBytes []byte, keyPath string) error {
|
|||
privKey, _, err := GetPasswdDecryptBytes(
|
||||
s.passRetriever, pemBytes, "", "imported root")
|
||||
if err != nil {
|
||||
logrus.Debugf("Failed to get and retrieve a key from: %s", keyPath)
|
||||
return err
|
||||
}
|
||||
if keyPath != data.CanonicalRootRole {
|
||||
|
|
@ -738,7 +750,7 @@ func SetupHSMEnv(libraryPath string) (*pkcs11.Ctx, pkcs11.SessionHandle, error)
|
|||
}
|
||||
|
||||
if err := p.Initialize(); err != nil {
|
||||
return nil, 0, fmt.Errorf("Initialize error %s\n", err.Error())
|
||||
return nil, 0, fmt.Errorf("Initialize error %s", err.Error())
|
||||
}
|
||||
|
||||
slots, err := p.GetSlotList(true)
|
||||
|
|
|
|||
Loading…
Reference in New Issue