some cleanup of certs code

Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)
2016-01-05 16:33:51 -08:00 · 2016-01-05 16:33:51 -08:00 · 48ecd8d2cb
parent 503a2cfe3c
commit 48ecd8d2cb
4 changed files with 40 additions and 23 deletions
--- a/certs/certmanager.go
+++ b/certs/certmanager.go
@ -51,25 +51,19 @@ func NewManager(baseDir string) (*Manager, error) {
 	trustPath := filepath.Join(baseDir, trustDir)

 	// Load all CAs that aren't expired and don't use SHA1
-	trustedCAStore, err := trustmanager.NewX509FilteredFileStore(trustPath, func(cert *x509.Certificate) bool {
-		return cert.IsCA && cert.BasicConstraintsValid && cert.SubjectKeyId != nil &&
-			time.Now().Before(cert.NotAfter) &&
-			cert.SignatureAlgorithm != x509.SHA1WithRSA &&
-			cert.SignatureAlgorithm != x509.DSAWithSHA1 &&
-			cert.SignatureAlgorithm != x509.ECDSAWithSHA1
-	})
+	trustedCAStore, err := trustmanager.NewX509FilteredFileStore(
+		trustPath,
+		trustmanager.FilterCertsExpiredSha1,
+	)
 	if err != nil {
 		return nil, err
 	}

 	// Load all individual (non-CA) certificates that aren't expired and don't use SHA1
-	trustedCertificateStore, err := trustmanager.NewX509FilteredFileStore(trustPath, func(cert *x509.Certificate) bool {
-		return !cert.IsCA &&
-			time.Now().Before(cert.NotAfter) &&
-			cert.SignatureAlgorithm != x509.SHA1WithRSA &&
-			cert.SignatureAlgorithm != x509.DSAWithSHA1 &&
-			cert.SignatureAlgorithm != x509.ECDSAWithSHA1
-	})
+	trustedCertificateStore, err := trustmanager.NewX509FilteredFileStore(
+		trustPath,
+		trustmanager.FilterCertsExpiredSha1,
+	)
 	if err != nil {
 		return nil, err
 	}
--- a/cmd/notary/cert.go
+++ b/cmd/notary/cert.go
@ -3,8 +3,9 @@ package main
 import (
 	"crypto/x509"
 	"os"
+	"path/filepath"

-	"github.com/docker/notary/certs"
+	"github.com/docker/notary"
 	"github.com/docker/notary/trustmanager"

 	"github.com/spf13/cobra"
@ -52,7 +53,12 @@ func certRemove(cmd *cobra.Command, args []string) {
 	parseConfig()

 	trustDir := mainViper.GetString("trust_dir")
-	certManager, err := certs.NewManager(trustDir)
+	trustPath := filepath.Join(trustDir, notary.TrustedCertsDir)
+	// Load all individual (non-CA) certificates that aren't expired and don't use SHA1
+	trustedCertificateStore, err := trustmanager.NewX509FilteredFileStore(
+		trustPath,
+		trustmanager.FilterCertsExpiredSha1,
+	)
 	if err != nil {
 		fatalf("Failed to create a new truststore manager with directory: %s", trustDir)
 	}
@ -67,14 +73,14 @@ func certRemove(cmd *cobra.Command, args []string) {
 			fatalf("Invalid certificate ID provided: %s", certID)
 		}
 		// Attempt to find this certificates
-		cert, err := certManager.TrustedCertificateStore().GetCertificateByCertID(certID)
+		cert, err := trustedCertificateStore.GetCertificateByCertID(certID)
 		if err != nil {
 			fatalf("Unable to retrieve certificate with cert ID: %s", certID)
 		}
 		certsToRemove = append(certsToRemove, cert)
 	} else {
 		// We got the -g flag, it's a GUN
-		toRemove, err := certManager.TrustedCertificateStore().GetCertificatesByCN(
+		toRemove, err := trustedCertificateStore.GetCertificatesByCN(
 			certRemoveGUN)
 		if err != nil {
 			fatalf("%v", err)
@ -102,7 +108,7 @@ func certRemove(cmd *cobra.Command, args []string) {

 	// Remove all the certs
 	for _, cert := range certsToRemove {
-		err = certManager.TrustedCertificateStore().RemoveCert(cert)
+		err = trustedCertificateStore.RemoveCert(cert)
 		if err != nil {
 			fatalf("Failed to remove root certificate for %s", cert.Subject.CommonName)
 		}
@ -117,12 +123,17 @@ func certList(cmd *cobra.Command, args []string) {
 	parseConfig()

 	trustDir := mainViper.GetString("trust_dir")
-	certManager, err := certs.NewManager(trustDir)
+	trustPath := filepath.Join(trustDir, notary.TrustedCertsDir)
+	// Load all individual (non-CA) certificates that aren't expired and don't use SHA1
+	trustedCertificateStore, err := trustmanager.NewX509FilteredFileStore(
+		trustPath,
+		trustmanager.FilterCertsExpiredSha1,
+	)
 	if err != nil {
 		fatalf("Failed to create a new truststore manager with directory: %s", trustDir)
 	}

-	trustedCerts := certManager.TrustedCertificateStore().GetCertificates()
+	trustedCerts := trustedCertificateStore.GetCertificates()

 	cmd.Println("")
 	prettyPrintCerts(trustedCerts, cmd.Out())
--- a/const.go
+++ b/const.go
@ -2,6 +2,7 @@ package notary

 // application wide constants
 const (
-	PrivKeyPerms = 0700
-	PubCertPerms = 0755
+	PrivKeyPerms    = 0700
+	PubCertPerms    = 0755
+	TrustedCertsDir = "trusted_certificates"
 )
--- a/trustmanager/x509utils.go
+++ b/trustmanager/x509utils.go
@ -532,3 +532,14 @@ func X509PublicKeyID(certPubKey data.PublicKey) (string, error) {

 	return key.ID(), nil
 }
+
+// FilterCertsExpiredSha1 can be used as the filter function to cert store
+// initializers to filter out all expired or SHA-1 certificate that we
+// shouldn't load.
+func FilterCertsExpiredSha1(cert *x509.Certificate) bool {
+	return !cert.IsCA &&
+		time.Now().Before(cert.NotAfter) &&
+		cert.SignatureAlgorithm != x509.SHA1WithRSA &&
+		cert.SignatureAlgorithm != x509.DSAWithSHA1 &&
+		cert.SignatureAlgorithm != x509.ECDSAWithSHA1
+}