Changed FingerprintCert to return string; renamed kID to fingerprint everywhere in notary

Signed-off-by: Diogo Monica <diogo@docker.com>
Diogo Monica 2015-06-30 21:32:11 -07:00
parent a0e63bcaeb
commit 1eb972a820
8 changed files with 37 additions and 35 deletions


@ -51,9 +51,9 @@ func (ccs *cliCryptoService) Sign(keyIDs []string, payload []byte) ([]data.Signa
hashed := sha256.Sum256(payload)
signatures := make([]data.Signature, 0, len(keyIDs))
for _, kID := range keyIDs {
for _, fingerprint := range keyIDs {
// Get the PrivateKey filename
privKeyFilename := filepath.Join(viper.GetString("privDir"), ccs.gun, kID+".key")
privKeyFilename := filepath.Join(viper.GetString("privDir"), ccs.gun, fingerprint+".key")
// Read PrivateKey from file
privPEMBytes, err := ioutil.ReadFile(privKeyFilename)
if err != nil {
@ -75,7 +75,7 @@ func (ccs *cliCryptoService) Sign(keyIDs []string, payload []byte) ([]data.Signa
// Append signatures to result array
signatures = append(signatures, data.Signature{
KeyID: kID,
KeyID: fingerprint,
Method: "RSASSA-PKCS1-V1_5-SIGN",
Signature: sig[:],
})
@ -109,10 +109,10 @@ func generateKeyAndCert(gun string) (crypto.PrivateKey, *x509.Certificate, error
return nil, nil, fmt.Errorf("failed to generate the certificate for key: %v", err)
}
kID := trustmanager.FingerprintCert(cert)
fingerprint := trustmanager.FingerprintCert(cert)
// The key is going to be stored in the private directory, using the GUN and
// the filename will be the TUF-compliant ID. The Store takes care of extensions.
privKeyFilename := filepath.Join(gun, string(kID))
privKeyFilename := filepath.Join(gun, fingerprint)
privKeyStore.Add(privKeyFilename, trustmanager.KeyToPEM(keyBytes))
return key, cert, nil
}
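Review bot: The result of `privKeyStore.Add(privKeyFilename, trustmanager.KeyToPEM(keyBytes))` at the end of generateKeyAndCert is discarded, so if the store fails to write the private key the function still returns `key, cert, nil` and the caller carries on with a key that was never persisted; assuming Add reports an error as the cert stores' AddCert does, change it to `if err := privKeyStore.Add(privKeyFilename, trustmanager.KeyToPEM(keyBytes)); err != nil { return nil, nil, fmt.Errorf("failed to store private key %s: %v", privKeyFilename, err) }`. In the Sign hunk, `fingerprint` is joined straight into privKeyFilename with no check that it is the 64-character hex string the stores require in GetCertificateByFingerprint, so a malformed key ID is used as a path component unvalidated. Sign's body starts and ends outside the hunk.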


@ -67,7 +67,7 @@ func keysRemove(cmd *cobra.Command, args []string) {
gunOrID := args[0]
// Try to retrieve the ID from the CA store.
cert, err := caStore.GetCertificateBykID(gunOrID)
cert, err := caStore.GetCertificateByFingerprint(gunOrID)
if err == nil {
fmt.Printf("Removing: ")
printCert(cert)
@ -81,7 +81,7 @@ func keysRemove(cmd *cobra.Command, args []string) {
}
// Try to retrieve the ID from the Certificate store.
cert, err = certificateStore.GetCertificateBykID(gunOrID)
cert, err = certificateStore.GetCertificateByFingerprint(gunOrID)
if err == nil {
fmt.Printf("Removing: ")
printCert(cert)
@ -214,7 +214,7 @@ func keysGenerate(cmd *cobra.Command, args []string) {
certificateStore.AddCert(cert)
fingerprint := trustmanager.FingerprintCert(cert)
fmt.Println("Generated new keypair with ID: ", string(fingerprint))
fmt.Println("Generated new keypair with ID: ", fingerprint)
}
func newCertificate(gun, organization string) *x509.Certificate {
@ -244,8 +244,8 @@ func newCertificate(gun, organization string) *x509.Certificate {
func printCert(cert *x509.Certificate) {
timeDifference := cert.NotAfter.Sub(time.Now())
subjectKeyID := trustmanager.FingerprintCert(cert)
fmt.Printf("%s %s (expires in: %v days)\n", cert.Subject.CommonName, string(subjectKeyID), math.Floor(timeDifference.Hours()/24))
fingerprint := trustmanager.FingerprintCert(cert)
fmt.Printf("%s %s (expires in: %v days)\n", cert.Subject.CommonName, fingerprint, math.Floor(timeDifference.Hours()/24))
}
func printKey(keyPath string) {
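Review bot: `certificateStore.AddCert(cert)` in keysGenerate ignores its error result (the X509Store interface declares AddCert as returning one), so the command prints "Generated new keypair with ID" even when the certificate was not added to the store; check it and abort before printing, e.g. `if err := certificateStore.AddCert(cert); err != nil { ... }`. keysGenerate's body starts outside the hunk.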


@ -496,10 +496,11 @@ func validateRoot(gun string, root *data.Signed) error {
return err
}
certs := make(map[string]*data.PublicKey)
for _, kID := range rootSigned.Roles["root"].KeyIDs {
for _, fingerprint := range rootSigned.Roles["root"].KeyIDs {
// TODO(dlaw): currently assuming only one cert contained in
// public key entry. Need to fix when we want to pass in chains.
k, _ := pem.Decode([]byte(rootSigned.Keys["kid"].Public()))
decodedCerts, err := x509.ParseCertificates(k.Bytes)
if err != nil {
continue
@ -508,15 +509,15 @@ func validateRoot(gun string, root *data.Signed) error {
// TODO(diogo): Assuming that first certificate is the leaf-cert. Need to
// iterate over all decodedCerts and find a non-CA one (should be the last).
leafCert := decodedCerts[0]
leafID := string(trustmanager.FingerprintCert(leafCert))
leafID := trustmanager.FingerprintCert(leafCert)
// Check to see if there is an exact match of this certificate.
// Checking the CommonName is not required since ID is calculated over
// Cert.Raw. It's included to prevent breaking logic with changes of how the
// ID gets computed.
_, err = certificateStore.GetCertificateBykID(leafID)
_, err = certificateStore.GetCertificateByFingerprint(leafID)
if err == nil && leafCert.Subject.CommonName == gun {
certs[kID] = rootSigned.Keys[kID]
certs[fingerprint] = rootSigned.Keys[fingerprint]
}
// Check to see if this leafCertificate has a chain to one of the Root CAs
@ -524,15 +525,12 @@ func validateRoot(gun string, root *data.Signed) error {
certList := []*x509.Certificate{leafCert}
err = trustmanager.Verify(caStore, gun, certList)
if err == nil {
certs[kID] = rootSigned.Keys[kID]
certs[fingerprint] = rootSigned.Keys[fingerprint]
}
}
_, err = signed.VerifyRoot(root, 0, certs, 1)
if err != nil {
// failed to validate the signatures against the certificates
return err
}
return nil
return err
}
func bootstrapRepo(gun string, repo *tuf.TufRepo) store.MetadataStore {
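Review bot: The lookup `rootSigned.Keys["kid"].Public()` at the top of the loop uses the literal string "kid" rather than the loop variable, so every iteration decodes the same entry (or, presumably, dereferences a nil `*data.PublicKey` when no key is literally named "kid") instead of the key identified by `fingerprint`; the rename to `fingerprint` left this line untouched. The block returned by `pem.Decode` is also used as `k.Bytes` without a nil check, which panics on a key whose Public() is not PEM. Both fixes belong in the loop head as below; I would also guard `rootSigned.Roles["root"]` before reading its KeyIDs if Roles can lack that entry. validateRoot's body starts outside the hunk.
```go
for _, fingerprint := range rootSigned.Roles["root"].KeyIDs {
	key, ok := rootSigned.Keys[fingerprint]
	if !ok {
		continue
	}
	k, _ := pem.Decode([]byte(key.Public()))
	if k == nil {
		continue
	}
	decodedCerts, err := x509.ParseCertificates(k.Bytes)
	// … unchanged: leaf selection, exact-match lookup and chain verification …
```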


@ -68,7 +68,7 @@ func (s X509FileStore) AddCert(cert *x509.Certificate) error {
// addNamedCert allows adding a certificate while controling the filename it gets
// stored under. If the file does not exist on disk, saves it.
func (s X509FileStore) addNamedCert(cert *x509.Certificate) error {
fingerprint := FingerprintCert(cert)
fingerprint := fingerprintCert(cert)
// Validate if we already loaded this certificate before
if _, ok := s.fingerprintMap[fingerprint]; ok {
@ -103,7 +103,7 @@ func (s X509FileStore) RemoveCert(cert *x509.Certificate) error {
return errors.New("removing nil Certificate from X509Store")
}
fingerprint := FingerprintCert(cert)
fingerprint := fingerprintCert(cert)
delete(s.fingerprintMap, fingerprint)
filename := s.fileMap[fingerprint]
delete(s.fileMap, fingerprint)
@ -170,8 +170,8 @@ func (s X509FileStore) GetCertificatePool() *x509.CertPool {
return pool
}
// GetCertificateBykID returns the certificate that matches a certain kID or error
func (s X509FileStore) GetCertificateBykID(hexkID string) (*x509.Certificate, error) {
// GetCertificateByFingerprint returns the certificate that matches a certain kID or error
func (s X509FileStore) GetCertificateByFingerprint(hexkID string) (*x509.Certificate, error) {
// If it does not look like a hex encoded sha256 hash, error
if len(hexkID) != 64 {
return nil, errors.New("invalid Subject Key Identifier")
@ -204,5 +204,5 @@ func (s X509FileStore) GetVerifyOptions(dnsName string) (x509.VerifyOptions, err
}
func fileName(cert *x509.Certificate) string {
return path.Join(cert.Subject.CommonName, string(FingerprintCert(cert)))
return path.Join(cert.Subject.CommonName, FingerprintCert(cert))
}
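Review bot: The doc comment on GetCertificateByFingerprint still says "matches a certain kID" and the parameter is still named `hexkID`, while the X509Store interface now declares it `fingerprint string`; rename the parameter and update the comment to `// GetCertificateByFingerprint returns the certificate whose fingerprint (hex-encoded SHA-256, 64 characters) matches, or an error.` The same stale comment and parameter name remain in X509MemStore.GetCertificateByFingerprint. Separately, fileName keeps calling the exported FingerprintCert while addNamedCert and RemoveCert switched to the unexported fingerprintCert; FingerprintCert is string(fingerprintCert(cert)), so the value is the same and this is a consistency point only.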


@ -47,7 +47,7 @@ func (s X509MemStore) AddCert(cert *x509.Certificate) error {
return errors.New("certificate failed validation")
}
fingerprint := FingerprintCert(cert)
fingerprint := fingerprintCert(cert)
s.fingerprintMap[fingerprint] = cert
name := string(cert.RawSubject)
@ -62,7 +62,7 @@ func (s X509MemStore) RemoveCert(cert *x509.Certificate) error {
return errors.New("removing nil Certificate to X509Store")
}
fingerprint := FingerprintCert(cert)
fingerprint := fingerprintCert(cert)
delete(s.fingerprintMap, fingerprint)
name := string(cert.RawSubject)
@ -139,8 +139,8 @@ func (s X509MemStore) GetCertificatePool() *x509.CertPool {
return pool
}
// GetCertificateBykID returns the certificate that matches a certain kID or error
func (s X509MemStore) GetCertificateBykID(hexkID string) (*x509.Certificate, error) {
// GetCertificateByFingerprint returns the certificate that matches a certain kID or error
func (s X509MemStore) GetCertificateByFingerprint(hexkID string) (*x509.Certificate, error) {
// If it does not look like a hex encoded sha256 hash, error
if len(hexkID) != 64 {
return nil, errors.New("invalid Subject Key Identifier")


@ -106,20 +106,20 @@ func TestRemoveCert(t *testing.T) {
}
}
func TestInexistentGetCertificateBykID(t *testing.T) {
func TestInexistentGetCertificateByFingerprint(t *testing.T) {
store := NewX509MemStore()
err := store.AddCertFromFile("../fixtures/notary/root-ca.crt")
if err != nil {
t.Fatalf("failed to load certificate from file: %v", err)
}
_, err = store.GetCertificateBykID("4d06afd30b8bed131d2a84c97d00b37f422021598bfae34285ce98e77b708b5a")
_, err = store.GetCertificateByFingerprint("4d06afd30b8bed131d2a84c97d00b37f422021598bfae34285ce98e77b708b5a")
if err == nil {
t.Fatalf("no error returned for inexistent certificate")
}
}
func TestGetCertificateBykID(t *testing.T) {
func TestGetCertificateByFingerprint(t *testing.T) {
b, err := ioutil.ReadFile("../fixtures/notary/root-ca.crt")
if err != nil {
t.Fatalf("couldn't load fixture: %v", err)
@ -141,7 +141,7 @@ func TestGetCertificateBykID(t *testing.T) {
certFingerprint := FingerprintCert(cert)
// Tries to retrieve cert by Subject Key IDs
_, err = store.GetCertificateBykID(string(certFingerprint))
_, err = store.GetCertificateByFingerprint(certFingerprint)
if err != nil {
t.Fatalf("expected certificate in store: %s", certFingerprint)
}
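Review bot: TestGetCertificateByFingerprint discards the certificate returned by `store.GetCertificateByFingerprint(certFingerprint)` and only checks the error, so a store that returned a different certificate for that fingerprint would still pass; keep the result with `got, err := store.GetCertificateByFingerprint(certFingerprint)` and, after the existing error check, add `if !got.Equal(cert) { t.Fatalf("wrong certificate returned for %s", certFingerprint) }`. The function's body starts outside the hunk.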


@ -14,7 +14,7 @@ type X509Store interface {
AddCertFromPEM(pemCerts []byte) error
AddCertFromFile(filename string) error
RemoveCert(cert *x509.Certificate) error
GetCertificateBykID(hexkID string) (*x509.Certificate, error)
GetCertificateByFingerprint(fingerprint string) (*x509.Certificate, error)
GetCertificates() []*x509.Certificate
GetCertificatePool() *x509.CertPool
GetVerifyOptions(dnsName string) (x509.VerifyOptions, error)


@ -83,7 +83,11 @@ func loadCertFromPEM(pemBytes []byte) (*x509.Certificate, error) {
return nil, errors.New("no certificates found in PEM data")
}
func FingerprintCert(cert *x509.Certificate) CertID {
func FingerprintCert(cert *x509.Certificate) string {
return string(fingerprintCert(cert))
}
func fingerprintCert(cert *x509.Certificate) CertID {
block := pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw}
pemdata := string(pem.EncodeToMemory(&block))