Rename certificate stores to trustedCertificateStore and trustedCAStore

Add convenience methods to KeyStoreManager to add certs to both cert stores. Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
2015-07-15 18:10:53 -07:00 · 2015-07-15 18:10:53 -07:00 · 36a8f77129
parent 06e445c2ef
commit 36a8f77129
3 changed files with 31 additions and 20 deletions
--- a/client/client.go
+++ b/client/client.go
@ -111,7 +111,7 @@ func (r *NotaryRepository) Initialize(uCryptoService *cryptoservice.UnlockedCryp
 	if err != nil {
 		return err
 	}
-	r.KeyStoreManager.CertificateStore().AddCert(rootCert)
+	r.KeyStoreManager.AddTrustedCert(rootCert)

 	// The root key gets stored in the TUF metadata X509 encoded, linking
 	// the tuf root.json to our X509 PKI.
--- a/client/client_test.go
+++ b/client/client_test.go
@ -106,7 +106,7 @@ func testInitRepo(t *testing.T, rootType data.KeyAlgorithm) {

 	// Also expect a symlink from the key ID of the certificate key to this
 	// root key
-	certificates := repo.KeyStoreManager.CertificateStore().GetCertificates()
+	certificates := repo.KeyStoreManager.TrustedCertificateStore().GetCertificates()
 	assert.Len(t, certificates, 1, "unexpected number of certificates")

 	certID, err := trustmanager.FingerprintCert(certificates[0])
--- a/keystoremanager/keystoremanager.go
+++ b/keystoremanager/keystoremanager.go
@ -24,8 +24,8 @@ type KeyStoreManager struct {
 	rootKeyStore    *trustmanager.KeyFileStore
 	nonRootKeyStore *trustmanager.KeyFileStore

-	caStore          trustmanager.X509Store
-	certificateStore trustmanager.X509Store
+	trustedCAStore          trustmanager.X509Store
+	trustedCertificateStore trustmanager.X509Store
 }

 const (
@ -55,7 +55,7 @@ func NewKeyStoreManager(baseDir string) (*KeyStoreManager, error) {
 	trustPath := filepath.Join(baseDir, trustDir)

 	// Load all CAs that aren't expired and don't use SHA1
-	caStore, err := trustmanager.NewX509FilteredFileStore(trustPath, func(cert *x509.Certificate) bool {
+	trustedCAStore, err := trustmanager.NewX509FilteredFileStore(trustPath, func(cert *x509.Certificate) bool {
 		return cert.IsCA && cert.BasicConstraintsValid && cert.SubjectKeyId != nil &&
 			time.Now().Before(cert.NotAfter) &&
 			cert.SignatureAlgorithm != x509.SHA1WithRSA &&
@ -67,7 +67,7 @@ func NewKeyStoreManager(baseDir string) (*KeyStoreManager, error) {
 	}

 	// Load all individual (non-CA) certificates that aren't expired and don't use SHA1
-	certificateStore, err := trustmanager.NewX509FilteredFileStore(trustPath, func(cert *x509.Certificate) bool {
+	trustedCertificateStore, err := trustmanager.NewX509FilteredFileStore(trustPath, func(cert *x509.Certificate) bool {
 		return !cert.IsCA &&
 			time.Now().Before(cert.NotAfter) &&
 			cert.SignatureAlgorithm != x509.SHA1WithRSA &&
@ -79,10 +79,10 @@ func NewKeyStoreManager(baseDir string) (*KeyStoreManager, error) {
 	}

 	return &KeyStoreManager{
-		rootKeyStore:     rootKeyStore,
-		nonRootKeyStore:  nonRootKeyStore,
-		caStore:          caStore,
-		certificateStore: certificateStore,
+		rootKeyStore:            rootKeyStore,
+		nonRootKeyStore:         nonRootKeyStore,
+		trustedCAStore:          trustedCAStore,
+		trustedCertificateStore: trustedCertificateStore,
 	}, nil
 }

@ -98,15 +98,26 @@ func (km *KeyStoreManager) NonRootKeyStore() *trustmanager.KeyFileStore {
 	return km.nonRootKeyStore
 }

-// CertificateStore returns the certificate store being managed by this
-// KeyStoreManager
-func (km *KeyStoreManager) CertificateStore() trustmanager.X509Store {
-	return km.certificateStore
+// TrustedCertificateStore returns the trusted certificate store being managed
+// by this KeyStoreManager
+func (km *KeyStoreManager) TrustedCertificateStore() trustmanager.X509Store {
+	return km.trustedCertificateStore
 }

-// CAStore returns the CA store being managed by this KeyStoreManager
-func (km *KeyStoreManager) CAStore() trustmanager.X509Store {
-	return km.caStore
+// TrustedCAStore returns the CA store being managed by this KeyStoreManager
+func (km *KeyStoreManager) TrustedCAStore() trustmanager.X509Store {
+	return km.trustedCAStore
+}
+
+// AddTrustedCert adds a cert to the trusted certificate store (not the CA
+// store)
+func (km *KeyStoreManager) AddTrustedCert(cert *x509.Certificate) {
+	km.trustedCertificateStore.AddCert(cert)
+}
+
+// AddTrustedCACert adds a cert to the trusted CA certificate store
+func (km *KeyStoreManager) AddTrustedCACert(cert *x509.Certificate) {
+	km.trustedCAStore.AddCert(cert)
 }

 // GenRootKey generates a new root key protected by a given passphrase
@ -153,7 +164,7 @@ func (km *KeyStoreManager) GetRootCryptoService(rootKeyID, passphrase string) (*
 ValidateRoot iterates over every root key included in the TUF data and
 attempts to validate the certificate by first checking for an exact match on
 the certificate store, and subsequently trying to find a valid chain on the
-caStore.
+trustedCAStore.

 When this is being used with a notary repository, the dnsName parameter should
 be the GUN associated with the repository.
@ -209,7 +220,7 @@ func (km *KeyStoreManager) ValidateRoot(root *data.Signed, dnsName string) error
 		// Checking the CommonName is not required since ID is calculated over
 		// Cert.Raw. It's included to prevent breaking logic with changes of how the
 		// ID gets computed.
-		_, err = km.certificateStore.GetCertificateByKeyID(leafID)
+		_, err = km.trustedCertificateStore.GetCertificateByKeyID(leafID)
 		if err == nil && leafCert.Subject.CommonName == dnsName {
 			certs[keyID] = rootSigned.Keys[keyID]
 		}
@ -217,7 +228,7 @@ func (km *KeyStoreManager) ValidateRoot(root *data.Signed, dnsName string) error
 		// Check to see if this leafCertificate has a chain to one of the Root CAs
 		// of our CA Store.
 		certList := []*x509.Certificate{leafCert}
-		err = trustmanager.Verify(km.caStore, dnsName, certList)
+		err = trustmanager.Verify(km.trustedCAStore, dnsName, certList)
 		if err == nil {
 			certs[keyID] = rootSigned.Keys[keyID]
 		}