diff --git a/cmd/notary/integration_test.go b/cmd/notary/integration_test.go
index 1318459a92..261c33d512 100644
--- a/cmd/notary/integration_test.go
+++ b/cmd/notary/integration_test.go
@@ -20,6 +20,7 @@ import (
 "github.com/Sirupsen/logrus"
 ctxu "github.com/docker/distribution/context"
+ "github.com/docker/notary"
 "github.com/docker/notary/cryptoservice"
 "github.com/docker/notary/passphrase"
 "github.com/docker/notary/server"
@@ -1069,6 +1070,21 @@ func TestClientKeyImportExportRootOnly(t *testing.T) {
 t, tempDir, server.URL, "gun", target, tempFile.Name())
 }
+// Helper method to get the subdirectory for TUF keys
+func getKeySubdir(role, gun string) string {
+ subdir := notary.PrivDir
+ switch role {
+ case data.CanonicalRootRole:
+ return filepath.Join(subdir, notary.RootKeysSubdir)
+ case data.CanonicalTargetsRole:
+ return filepath.Join(subdir, notary.NonRootKeysSubdir, gun)
+ case data.CanonicalSnapshotRole:
+ return filepath.Join(subdir, notary.NonRootKeysSubdir, gun)
+ default:
+ return filepath.Join(subdir, notary.NonRootKeysSubdir)
+ }
+}
+
 // Tests importing and exporting keys for all different roles and GUNs
 func TestClientKeyImportExportAllRoles(t *testing.T) {
 // -- setup --
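Review bot: In getKeySubdir the targets and snapshot cases return the identical path and can be folded into one case, `case data.CanonicalTargetsRole, data.CanonicalSnapshotRole:`, which also makes it visible at a glance that only those two roles are namespaced by GUN. The header comment calls this a "method" but it is a package-level function, and it does not say that every other role string, delegation roles included, falls through to the non-root directory without a GUN; suggest `// getKeySubdir returns the private-key subdirectory the CLI stores a key of the given role in: only targets and snapshot keys live under gun, every other role maps to the plain non-root directory.`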
@@ -1080,222 +1096,76 @@ func TestClientKeyImportExportAllRoles(t *testing.T) {
 server := setupServer()
 defer server.Close()
- tempFile, err := ioutil.TempFile("", "pemfile")
- assert.NoError(t, err)
- // close later, because we might need to write to it
- defer os.Remove(tempFile.Name())
-
- privKey1, err := trustmanager.GenerateECDSAKey(rand.Reader)
- assert.NoError(t, err)
-
- privKey2, err := trustmanager.GenerateECDSAKey(rand.Reader)
- assert.NoError(t, err)
-
- privKey3, err := trustmanager.GenerateECDSAKey(rand.Reader)
- assert.NoError(t, err)
-
- privKey4, err := trustmanager.GenerateECDSAKey(rand.Reader)
- assert.NoError(t, err)
-
 // -- tests --
- _, err = runCommand(t, tempDir, "-s", server.URL, "init", "gun")
+ _, err := runCommand(t, tempDir, "-s", server.URL, "init", "gun")
 assert.NoError(t, err)
- rootPemBytes, err := trustmanager.EncryptPrivateKey(privKey1, "root", testPassphrase)
- assert.NoError(t, err)
- ioutil.WriteFile(tempFile.Name(), rootPemBytes, 0644)
+ testRoles := append(data.BaseRoles, "targets/releases")
+ // Test importing and exporting keys to all base roles and delegation role
+ for _, role := range testRoles {
+ // Do this while importing keys that have the PEM header role set or have --role set on import
+ for _, setKeyRole := range []bool{true, false} {
+ // Make a new key for this role
+ privKey, err := trustmanager.GenerateECDSAKey(rand.Reader)
+ assert.NoError(t, err)
- // Import from root, specified in PEM
- _, err = runCommand(t, tempDir, "key", "import", tempFile.Name())
- assert.NoError(t, err)
- _, err = os.Stat(filepath.Join(tempDir, "private", "root_keys", privKey1.ID()+".key"))
- assert.Nil(t, err)
+ // Make a tempfile for importing
+ tempFile, err := ioutil.TempFile("", "pemfile")
+ assert.NoError(t, err)
- // Ensure exporting this key by ID gets the same key
- _, err = runCommand(t, tempDir, "key", "export", privKey1.ID(), tempFile.Name())
- assert.NoError(t, err)
- // Compare the bytes of the exported file and the root key file in the repo
- exportedBytes, err := ioutil.ReadFile(tempFile.Name())
- assert.NoError(t, err)
- repoBytes, err := ioutil.ReadFile(filepath.Join(tempDir, "private", "root_keys", privKey1.ID()+".key"))
- assert.NoError(t, err)
- assert.Equal(t, repoBytes, exportedBytes)
+ // Specify the role in the PEM header
+ pemBytes, err := trustmanager.EncryptPrivateKey(privKey, role, testPassphrase)
+ assert.NoError(t, err)
+ ioutil.WriteFile(tempFile.Name(), pemBytes, 0644)
- targetsPemBytes, err := trustmanager.EncryptPrivateKey(privKey2, "targets", testPassphrase)
- assert.NoError(t, err)
- ioutil.WriteFile(tempFile.Name(), targetsPemBytes, 0644)
+ // If we need to set the key role with the --role flag, do so on import
+ if setKeyRole {
+ // If it's targets/snapshot we must specify the GUN
+ if role == data.CanonicalTargetsRole || role == data.CanonicalSnapshotRole {
+ _, err = runCommand(t, tempDir, "key", "import", tempFile.Name(), "--gun", "gun", "--role", role)
+ } else {
+ _, err = runCommand(t, tempDir, "key", "import", tempFile.Name(), "--role", role)
+ }
+ } else {
+ // If it's targets/snapshot we must specify the GUN
+ if role == data.CanonicalTargetsRole || role == data.CanonicalSnapshotRole {
+ _, err = runCommand(t, tempDir, "key", "import", tempFile.Name(), "--gun", "gun")
+ } else {
+ _, err = runCommand(t, tempDir, "key", "import", tempFile.Name())
+ }
+ }
+ assert.NoError(t, err)
- // Import from snapshot, specified in PEM. Must supply GUN
- _, err = runCommand(t, tempDir, "key", "import", tempFile.Name(), "--gun", "gun")
- assert.NoError(t, err)
- _, err = os.Stat(filepath.Join(tempDir, "private", "tuf_keys", "gun", privKey2.ID()+".key"))
- assert.Nil(t, err)
+ // Test that we imported correctly
+ keySubdir := getKeySubdir(role, "gun")
+ _, err = os.Stat(filepath.Join(tempDir, keySubdir, privKey.ID()+".key"))
+ assert.Nil(t, err)
- // Ensure exporting this key by ID gets the same key
- _, err = runCommand(t, tempDir, "key", "export", privKey2.ID(), tempFile.Name())
- assert.NoError(t, err)
- // Compare the bytes of the exported file and the targets key file in the repo
- exportedBytes, err = ioutil.ReadFile(tempFile.Name())
- assert.NoError(t, err)
- repoBytes, err = ioutil.ReadFile(filepath.Join(tempDir, "private", "tuf_keys", "gun", privKey2.ID()+".key"))
- assert.NoError(t, err)
- assert.Equal(t, repoBytes, exportedBytes)
+ // Remove the input file so we can test exporting
+ assert.NoError(t, os.Remove(tempFile.Name()))
- snapshotPemBytes, err := trustmanager.EncryptPrivateKey(privKey3, "snapshot", testPassphrase)
- assert.NoError(t, err)
- ioutil.WriteFile(tempFile.Name(), snapshotPemBytes, 0644)
+ // Make a tempfile for exporting to
+ tempFile, err = ioutil.TempFile("", "pemfile")
+ assert.NoError(t, err)
- // Import from snapshot, specified in PEM. Must supply GUN
- _, err = runCommand(t, tempDir, "key", "import", tempFile.Name(), "--gun", "gun")
- assert.NoError(t, err)
- _, err = os.Stat(filepath.Join(tempDir, "private", "tuf_keys", "gun", privKey3.ID()+".key"))
- assert.Nil(t, err)
+ // Ensure exporting this key by ID gets the same key
+ _, err = runCommand(t, tempDir, "key", "export", privKey.ID(), tempFile.Name())
+ assert.NoError(t, err)
+ // Compare the bytes of the exported file and the root key file in the repo
+ exportedBytes, err := ioutil.ReadFile(tempFile.Name())
+ assert.NoError(t, err)
+ repoBytes, err := ioutil.ReadFile(filepath.Join(tempDir, keySubdir, privKey.ID()+".key"))
+ assert.NoError(t, err)
+ assert.Equal(t, repoBytes, exportedBytes)
- // Ensure exporting this key by ID gets the same key
- _, err = runCommand(t, tempDir, "key", "export", privKey3.ID(), tempFile.Name())
- assert.NoError(t, err)
- // Compare the bytes of the exported file and the snapshot key file in the repo
- exportedBytes, err = ioutil.ReadFile(tempFile.Name())
- assert.NoError(t, err)
- repoBytes, err = ioutil.ReadFile(filepath.Join(tempDir, "private", "tuf_keys", "gun", privKey3.ID()+".key"))
- assert.NoError(t, err)
- assert.Equal(t, repoBytes, exportedBytes)
+ // Ensure exporting this key and changing the passphrase works
+ _, err = runCommand(t, tempDir, "key", "export", privKey.ID(), tempFile.Name(), "-p")
+ assert.NoError(t, err)
- delegationPemBytes, err := trustmanager.EncryptPrivateKey(privKey4, "targets/releases", testPassphrase)
- assert.NoError(t, err)
- ioutil.WriteFile(tempFile.Name(), delegationPemBytes, 0644)
-
- // Import from delegation key, specified in PEM. No GUN needed
- _, err = runCommand(t, tempDir, "key", "import", tempFile.Name())
- assert.NoError(t, err)
- _, err = os.Stat(filepath.Join(tempDir, "private", "tuf_keys", privKey4.ID()+".key"))
- assert.Nil(t, err)
-
- // Ensure exporting this key by ID gets the same key
- _, err = runCommand(t, tempDir, "key", "export", privKey4.ID(), tempFile.Name())
- assert.NoError(t, err)
- // Compare the bytes of the exported file and the delegation key file in the repo
- exportedBytes, err = ioutil.ReadFile(tempFile.Name())
- assert.NoError(t, err)
- repoBytes, err = ioutil.ReadFile(filepath.Join(tempDir, "private", "tuf_keys", privKey4.ID()+".key"))
- assert.NoError(t, err)
- assert.Equal(t, repoBytes, exportedBytes)
-
- rootPemBytes, err = trustmanager.EncryptPrivateKey(privKey1, "", testPassphrase)
- assert.NoError(t, err)
- ioutil.WriteFile(tempFile.Name(), rootPemBytes, 0644)
-
- // Import from root, specified in flag only
- _, err = runCommand(t, tempDir, "key", "import", tempFile.Name(), "--role", "root")
- assert.NoError(t, err)
- _, err = os.Stat(filepath.Join(tempDir, "private", "root_keys", privKey1.ID()+".key"))
- assert.NoError(t, err)
-
- // Assert the PEM role header is "root"
- pemBytes, err := ioutil.ReadFile(filepath.Join(tempDir, "private", "root_keys", privKey1.ID()+".key"))
- assert.NoError(t, err)
- assert.Equal(t, "root", trustmanager.ReadRoleFromPEM(pemBytes))
-
- // Ensure exporting this key by ID gets the same key
- _, err = runCommand(t, tempDir, "key", "export", privKey1.ID(), tempFile.Name())
- assert.NoError(t, err)
- // Compare the bytes of the exported file and the root key file in the repo
- exportedBytes, err = ioutil.ReadFile(tempFile.Name())
- assert.NoError(t, err)
- repoBytes, err = ioutil.ReadFile(filepath.Join(tempDir, "private", "root_keys", privKey1.ID()+".key"))
- assert.NoError(t, err)
- assert.Equal(t, repoBytes, exportedBytes)
-
- // Ensure exporting this key and changing the passphrase works
- _, err = runCommand(t, tempDir, "key", "export", privKey1.ID(), tempFile.Name(), "-p")
- assert.NoError(t, err)
-
- targetsPemBytes, err = trustmanager.EncryptPrivateKey(privKey2, "", testPassphrase)
- assert.NoError(t, err)
- ioutil.WriteFile(tempFile.Name(), targetsPemBytes, 0644)
-
- // Import from snapshot, specified in flag. Must supply GUN
- _, err = runCommand(t, tempDir, "key", "import", tempFile.Name(), "--gun", "gun", "--role", "targets")
- assert.NoError(t, err)
- _, err = os.Stat(filepath.Join(tempDir, "private", "tuf_keys", "gun", privKey2.ID()+".key"))
- assert.NoError(t, err)
-
- // Assert the PEM role header is "targets"
- pemBytes, err = ioutil.ReadFile(filepath.Join(tempDir, "private", "tuf_keys", "gun", privKey2.ID()+".key"))
- assert.NoError(t, err)
- assert.Equal(t, "targets", trustmanager.ReadRoleFromPEM(pemBytes))
-
- // Ensure exporting this key by ID gets the same key
- _, err = runCommand(t, tempDir, "key", "export", privKey2.ID(), tempFile.Name())
- assert.NoError(t, err)
- // Compare the bytes of the exported file and the targets key file in the repo
- exportedBytes, err = ioutil.ReadFile(tempFile.Name())
- assert.NoError(t, err)
- repoBytes, err = ioutil.ReadFile(filepath.Join(tempDir, "private", "tuf_keys", "gun", privKey2.ID()+".key"))
- assert.NoError(t, err)
- assert.Equal(t, repoBytes, exportedBytes)
-
- // Ensure exporting this key and changing the passphrase works
- _, err = runCommand(t, tempDir, "key", "export", privKey2.ID(), tempFile.Name(), "-p")
- assert.NoError(t, err)
-
- snapshotPemBytes, err = trustmanager.EncryptPrivateKey(privKey3, "", testPassphrase)
- assert.NoError(t, err)
- ioutil.WriteFile(tempFile.Name(), snapshotPemBytes, 0644)
-
- // Import from snapshot, specified in flags. Must supply GUN
- _, err = runCommand(t, tempDir, "key", "import", tempFile.Name(), "--gun", "gun", "--role", "snapshot")
- assert.NoError(t, err)
- _, err = os.Stat(filepath.Join(tempDir, "private", "tuf_keys", "gun", privKey3.ID()+".key"))
- assert.NoError(t, err)
-
- // Assert the PEM role header is "snapshot"
- pemBytes, err = ioutil.ReadFile(filepath.Join(tempDir, "private", "tuf_keys", "gun", privKey3.ID()+".key"))
- assert.NoError(t, err)
- assert.Equal(t, "snapshot", trustmanager.ReadRoleFromPEM(pemBytes))
-
- // Ensure exporting this key by ID gets the same key
- _, err = runCommand(t, tempDir, "key", "export", privKey3.ID(), tempFile.Name())
- assert.NoError(t, err)
- // Compare the bytes of the exported file and the snapshot key file in the repo
- exportedBytes, err = ioutil.ReadFile(tempFile.Name())
- assert.NoError(t, err)
- repoBytes, err = ioutil.ReadFile(filepath.Join(tempDir, "private", "tuf_keys", "gun", privKey3.ID()+".key"))
- assert.NoError(t, err)
- assert.Equal(t, repoBytes, exportedBytes)
-
- // Ensure exporting this key and changing the passphrase works
- _, err = runCommand(t, tempDir, "key", "export", privKey3.ID(), tempFile.Name(), "-p")
- assert.NoError(t, err)
-
- delegationPemBytes, err = trustmanager.EncryptPrivateKey(privKey4, "", testPassphrase)
- assert.NoError(t, err)
- ioutil.WriteFile(tempFile.Name(), delegationPemBytes, 0644)
-
- // Import from delegation key, specified in flag. No GUN needed
- _, err = runCommand(t, tempDir, "key", "import", tempFile.Name(), "--role", "targets/delegation")
- assert.NoError(t, err)
- _, err = os.Stat(filepath.Join(tempDir, "private", "tuf_keys", privKey4.ID()+".key"))
- assert.NoError(t, err)
-
- // Assert the PEM role header is "targets/delegation"
- pemBytes, err = ioutil.ReadFile(filepath.Join(tempDir, "private", "tuf_keys", privKey4.ID()+".key"))
- assert.NoError(t, err)
- assert.Equal(t, "targets/delegation", trustmanager.ReadRoleFromPEM(pemBytes))
-
- // Ensure exporting this key by ID gets the same key
- _, err = runCommand(t, tempDir, "key", "export", privKey4.ID(), tempFile.Name())
- assert.NoError(t, err)
- // Compare the bytes of the exported file and the delegation key file in the repo
- exportedBytes, err = ioutil.ReadFile(tempFile.Name())
- assert.NoError(t, err)
- repoBytes, err = ioutil.ReadFile(filepath.Join(tempDir, "private", "tuf_keys", privKey4.ID()+".key"))
- assert.NoError(t, err)
- assert.Equal(t, repoBytes, exportedBytes)
-
- // Ensure exporting this key and changing the passphrase works
- _, err = runCommand(t, tempDir, "key", "export", privKey4.ID(), tempFile.Name(), "-p")
- assert.NoError(t, err)
+ // Remove the export file for cleanup
+ assert.NoError(t, os.Remove(tempFile.Name()))
+ }
+ }
 }
 func assertNumCerts(t *testing.T, tempDir string, expectedNum int) []string {
diff --git a/cmd/notary/keys.go b/cmd/notary/keys.go
index e3cb49b0a9..0e991fb297 100644
--- a/cmd/notary/keys.go
+++ b/cmd/notary/keys.go
@@ -275,11 +275,12 @@ func (k *keyCommander) keysExport(cmd *cobra.Command, args []string) error {
 for keypath, role := range store.ListKeys() {
 if filepath.Base(keypath) == keyID {
 keyRole = role
- if role != data.CanonicalRootRole {
- dirPath := filepath.Dir(keypath)
- if dirPath != "." { // no gun
- keyGun = dirPath
- }
+ if role == data.CanonicalRootRole {
+ continue
+ }
+ dirPath := filepath.Dir(keypath)
+ if dirPath != "." { // no gun
+ keyGun = dirPath
 }
 break
 }
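Review bot: The setKeyRole=true iteration no longer exercises the flag-only import path, because every PEM is written with the role already in its header (`trustmanager.EncryptPrivateKey(privKey, role, testPassphrase)`), so `--role` only ever duplicates the header, and the old check that the stored file's header carries the role (the `trustmanager.ReadRoleFromPEM` assertions) was dropped with the rewrite. Suggest `headerRole := role` / `if setKeyRole { headerRole = "" }` / `pemBytes, err := trustmanager.EncryptPrivateKey(privKey, headerRole, testPassphrase)`, and after repoBytes is read an assert.Equal between role and trustmanager.ReadRoleFromPEM(repoBytes) as the old test had. The result of `ioutil.WriteFile(tempFile.Name(), pemBytes, 0644)` is also unchecked; wrap it in `assert.NoError` and prefer mode 0600 for a file holding key material, test or not. TestClientKeyImportExportAllRoles starts in the previous hunk; only its tail is visible here.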
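Review bot: The `continue` in the new root-role branch of keysExport replaces the `break` that previously ended the search once the key ID matched, so for a root key the loop now keeps scanning store.ListKeys() and any later entry whose base name equals keyID would overwrite keyRole; use `break` in place of `continue` so root and non-root keys leave the loop the same way (keyGun correctly stays unset for root either way). The surrounding loop and the rest of keysExport lie outside the hunk.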
@@ -372,20 +373,6 @@ func (k *keyCommander) keysImport(cmd *cobra.Command, args []string) error {
 pemRole := trustmanager.ReadRoleFromPEM(pemBytes)
- // Rewind after reading the first time
- _, err = importFile.Seek(0, 0)
- if err != nil {
- return fmt.Errorf("Error reading input file: %v", err)
- }
-
- if pemRole != "" && !data.ValidRole(pemRole) {
- return fmt.Errorf("Invalid role specified for key: %s", pemRole)
- }
-
- if k.keysImportRole != "" && !data.ValidRole(k.keysImportRole) {
- return fmt.Errorf("Invalid role specified for key: %s", k.keysImportRole)
- }
-
 // If the PEM key doesn't have a role in it, we must have --role set
 if pemRole == "" && k.keysImportRole == "" {
 return fmt.Errorf("Could not infer role, and no role was specified for key")
@@ -410,11 +397,7 @@ func (k *keyCommander) keysImport(cmd *cobra.Command, args []string) error {
 }
 cs := cryptoservice.NewCryptoService(k.keysImportGUN, ks...)
- if importRole == data.CanonicalRootRole {
- err = cs.ImportRootKey(importFile)
- } else {
- err = cs.ImportRoleKey(importFile, importRole, k.getRetriever())
- }
+ err = cs.ImportRoleKey(pemBytes, importRole, k.getRetriever())
 if err != nil {
 return fmt.Errorf("Error importing root key: %v", err)
diff --git a/cmd/notary/keys_test.go b/cmd/notary/keys_test.go
index db64174f2c..bbb7bfb696 100644
--- a/cmd/notary/keys_test.go
+++ b/cmd/notary/keys_test.go
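Review bot: The removed `data.ValidRole` checks on pemRole and on k.keysImportRole have no replacement visible in this hunk or in the ImportRoleKey hunk of cryptoservice/import_export.go, and the two tests that pinned the rejection, TestKeyImportInvalidFlagRole and TestKeyImportInvalidPEMRole in cmd/notary/keys_test.go, are deleted by the same commit, so an arbitrary role string from a PEM header or from --role now appears to reach ImportRoleKey unvalidated. If validation moved elsewhere, a one-line comment here naming where would save the next reader the search; otherwise keep `if k.keysImportRole != "" && !data.ValidRole(k.keysImportRole) {` / `return fmt.Errorf("Invalid role specified for key: %s", k.keysImportRole)` / `}` and its pemRole twin in front of the inference step. Dropping the `importFile.Seek(0, 0)` rewind is consistent with the later hunk passing pemBytes instead of importFile. keysImport starts and ends outside this hunk.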
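Review bot: The single `cs.ImportRoleKey(pemBytes, importRole, k.getRetriever())` call now hands k.getRetriever() to root-key imports as well, whereas the removed branch went through ImportRootKey, which still passes nil for newPassphraseRetriever in cryptoservice/import_export.go; if root keys are meant to be imported without a new-passphrase retriever, this call should pass nil when importRole == data.CanonicalRootRole, and either way the choice deserves a short comment. The error on the following context line still reads `"Error importing root key: %v"` although every role now flows through it; `return fmt.Errorf("Error importing %s key: %v", importRole, err)` keeps the message accurate. The remainder of keysImport lies outside the hunk.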
@@ -434,33 +434,6 @@ func TestChangeKeyPassphraseNonexistentID(t *testing.T) {
 assert.Contains(t, err.Error(), "could not retrieve local key for key ID provided")
 }
-func TestKeyImportInvalidFlagRole(t *testing.T) {
- k := &keyCommander{
- configGetter: func() (*viper.Viper, error) { return viper.New(), nil },
- getRetriever: func() passphrase.Retriever { return passphrase.ConstantRetriever("pass") },
- keysImportRole: "invalid",
- }
- tempFileName := generateTempTestKeyFile(t, "")
- defer os.Remove(tempFileName)
-
- err := k.keysImport(&cobra.Command{}, []string{tempFileName})
- assert.Error(t, err)
- assert.Contains(t, err.Error(), "Invalid role specified for key:")
-}
-
-func TestKeyImportInvalidPEMRole(t *testing.T) {
- k := &keyCommander{
- configGetter: func() (*viper.Viper, error) { return viper.New(), nil },
- getRetriever: func() passphrase.Retriever { return passphrase.ConstantRetriever("pass") },
- }
- tempFileName := generateTempTestKeyFile(t, "invalid")
- defer os.Remove(tempFileName)
-
- err := k.keysImport(&cobra.Command{}, []string{tempFileName})
- assert.Error(t, err)
- assert.Contains(t, err.Error(), "Invalid role specified for key:")
-}
-
 func TestKeyImportMismatchingRoles(t *testing.T) {
 k := &keyCommander{
 configGetter: func() (*viper.Viper, error) { return viper.New(), nil },
diff --git a/cryptoservice/import_export.go b/cryptoservice/import_export.go
index 3442d66baa..c4b19944a4 100644
--- a/cryptoservice/import_export.go
+++ b/cryptoservice/import_export.go
@@ -104,19 +104,19 @@ func (cs *CryptoService) ExportKeyReencrypt(dest io.Writer, keyID string, newPas
 // It prompts for the key's passphrase to verify the data and to determine
 // the key ID.
 func (cs *CryptoService) ImportRootKey(source io.Reader) error {
- return cs.ImportRoleKey(source, data.CanonicalRootRole, nil)
-}
-
-// ImportRoleKey imports a private key in PEM format key from an io.Reader
-// It prompts for the key's passphrase to verify the data and to determine
-// the key ID.
-func (cs *CryptoService) ImportRoleKey(source io.Reader, role string, newPassphraseRetriever passphrase.Retriever) error {
 pemBytes, err := ioutil.ReadAll(source)
-
 if err != nil {
 return err
 }
+ return cs.ImportRoleKey(pemBytes, data.CanonicalRootRole, nil)
+}
+
+// ImportRoleKey imports a private key in PEM format key from a byte array
+// It prompts for the key's passphrase to verify the data and to determine
+// the key ID.
+func (cs *CryptoService) ImportRoleKey(pemBytes []byte, role string, newPassphraseRetriever passphrase.Retriever) error {
 var alias string
+ var err error
 if role == data.CanonicalRootRole {
 alias = role
 if err = checkRootKeyIsEncrypted(pemBytes); err != nil {
diff --git a/cryptoservice/import_export_test.go b/cryptoservice/import_export_test.go
index 159d0bf400..0262de16ae 100644
--- a/cryptoservice/import_export_test.go
+++ b/cryptoservice/import_export_test.go
@@ -77,7 +77,7 @@ func TestImportExportZip(t *testing.T) {
 _, alias, err := cs.GetPrivateKey(privKeyName)
 assert.NoError(t, err, "privKey %s has no alias", privKeyName)
- if alias == "root" {
+ if alias == data.CanonicalRootRole {
 continue
 }
 relKeyPath := filepath.Join("tuf_keys", privKeyName+".key")
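Review bot: The new doc comment on ImportRoleKey does not describe the newPassphraseRetriever parameter even though ImportRootKey, a few lines above in the same hunk, passes nil for it, so a caller cannot tell from the comment whether nil is acceptable for non-root roles or what the retriever is consulted for; the comment also says "byte array" where Go has a byte slice, and "a private key in PEM format key" carries a stray word. Suggest opening with `// ImportRoleKey imports the PEM-encoded private key in pemBytes and stores it under role.` followed by one sentence on what newPassphraseRetriever supplies and that nil is permitted (ImportRootKey relies on it), and, since the visible root branch calls checkRootKeyIsEncrypted, a sentence noting that root keys are presumably required to be passphrase-protected. ImportRoleKey's body continues past the end of the hunk.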
@@ -138,7 +138,7 @@ func TestImportExportZip(t *testing.T) {
 _, alias, err := cs2.GetPrivateKey(privKeyName)
 assert.NoError(t, err, "privKey %s has no alias", privKeyName)
- if alias == "root" {
+ if alias == data.CanonicalRootRole {
 continue
 }
 relKeyPath := filepath.Join("tuf_keys", privKeyName+".key")
@@ -196,7 +196,7 @@ func TestImportExportGUN(t *testing.T) {
 for privKeyName := range privKeyMap {
 _, alias, err := cs.GetPrivateKey(privKeyName)
 assert.NoError(t, err, "privKey %s has no alias", privKeyName)
- if alias == "root" {
+ if alias == data.CanonicalRootRole {
 continue
 }
 relKeyPath := filepath.Join("tuf_keys", privKeyName+".key")
@@ -250,12 +250,12 @@ func TestImportExportGUN(t *testing.T) {
 // Look for keys in private. The filenames should match the key IDs
 // in the repo's private key store.
 for privKeyName, role := range privKeyMap {
- if role == "root" {
+ if role == data.CanonicalRootRole {
 continue
 }
 _, alias, err := cs2.GetPrivateKey(privKeyName)
 assert.NoError(t, err, "privKey %s has no alias", privKeyName)
- if alias == "root" {
+ if alias == data.CanonicalRootRole {
 continue
 }
 relKeyPath := filepath.Join("tuf_keys", privKeyName+".key")
@@ -329,7 +329,7 @@ func TestImportExportRootKey(t *testing.T) {
 // Should be able to unlock the root key with the old password
 key, alias, err := cs2.GetPrivateKey(rootKeyID)
 assert.NoError(t, err, "could not unlock root key")
- assert.Equal(t, "root", alias)
+ assert.Equal(t, data.CanonicalRootRole, alias)
 assert.Equal(t, rootKeyID, key.ID())
 }
@@ -381,7 +381,7 @@ func TestImportExportRootKeyReencrypt(t *testing.T) {
 // Should be able to unlock the root key with the new password
 key, alias, err := cs2.GetPrivateKey(rootKeyID)
 assert.NoError(t, err, "could not unlock root key")
- assert.Equal(t, "root", alias)
+ assert.Equal(t, data.CanonicalRootRole, alias)
 assert.Equal(t, rootKeyID, key.ID())
 }
@@ -419,7 +419,10 @@ func TestImportExportNonRootKey(t *testing.T) {
 keyReader, err := os.Open(tempKeyFilePath)
 assert.NoError(t, err, "could not open key file")
- err = cs2.ImportRoleKey(keyReader, data.CanonicalTargetsRole, oldPassphraseRetriever)
+ pemBytes, err := ioutil.ReadAll(keyReader)
+ assert.NoError(t, err, "could not read key file")
+
+ err = cs2.ImportRoleKey(pemBytes, data.CanonicalTargetsRole, oldPassphraseRetriever)
 assert.NoError(t, err)
 keyReader.Close()
@@ -433,7 +436,7 @@ func TestImportExportNonRootKey(t *testing.T) {
 // Check that the key is the same
 key, alias, err := cs2.GetPrivateKey(targetsKeyID)
 assert.NoError(t, err, "could not unlock targets key")
- assert.Equal(t, "targets", alias)
+ assert.Equal(t, data.CanonicalTargetsRole, alias)
 assert.Equal(t, targetsKeyID, key.ID())
 }
@@ -471,7 +474,10 @@ func TestImportExportNonRootKeyReencrypt(t *testing.T) {
 keyReader, err := os.Open(tempKeyFilePath)
 assert.NoError(t, err, "could not open key file")
- err = cs2.ImportRoleKey(keyReader, "snapshot", newPassphraseRetriever)
+ pemBytes, err := ioutil.ReadAll(keyReader)
+ assert.NoError(t, err, "could not read key file")
+
+ err = cs2.ImportRoleKey(pemBytes, data.CanonicalSnapshotRole, newPassphraseRetriever)
 assert.NoError(t, err)
 keyReader.Close()
@@ -485,6 +491,6 @@ func TestImportExportNonRootKeyReencrypt(t *testing.T) {
 // Should be able to unlock the root key with the new password
 key, alias, err := cs2.GetPrivateKey(snapshotKeyID)
 assert.NoError(t, err, "could not unlock snapshot key")
- assert.Equal(t, "snapshot", alias)
+ assert.Equal(t, data.CanonicalSnapshotRole, alias)
 assert.Equal(t, snapshotKeyID, key.ID())
 }
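Review bot: In the `@@ -419` hunk the added `ioutil.ReadAll(keyReader)` makes the surrounding `os.Open(tempKeyFilePath)` / `keyReader.Close()` pair redundant, and the Close result is discarded; `pemBytes, err := ioutil.ReadFile(tempKeyFilePath)` replaces the three lines and removes the unchecked Close. The same applies to the `@@ -471` hunk in TestImportExportNonRootKeyReencrypt. Both test functions start before their hunks.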