From 690fcb96da204e146701a03eeb31aa370ab0606d Mon Sep 17 00:00:00 2001
From: Riyaz Faizullabhoy
Date: Tue, 2 Feb 2016 14:40:18 -0800
Subject: [PATCH] rework import key
Signed-off-by: Riyaz Faizullabhoy
---
 cmd/notary/keys.go | 29 ++++++++++++++++++++---------
 cryptoservice/import_export.go | 15 ++++++++++++---
 2 files changed, 32 insertions(+), 12 deletions(-)
diff --git a/cmd/notary/keys.go b/cmd/notary/keys.go
index 5afd827dd0..540b61e75e 100644
--- a/cmd/notary/keys.go
+++ b/cmd/notary/keys.go
@@ -88,10 +88,12 @@ type keyCommander struct {
 getRetriever func() passphrase.Retriever
 // these are for command line parsing - no need to set
- keysExportChangePassphrase bool
- keysExportGUN string
- rotateKeyRole string
- rotateKeyServerManaged bool
+ keysExportChangePassphrase bool
+ keysExportGUN string
+ keysImportGUN string
+ keysImportRole string
+ rotateKeyRole string
+ rotateKeyServerManaged bool
 }
 func (k *keyCommander) GetCommand() *cobra.Command {
@@ -99,7 +101,12 @@ func (k *keyCommander) GetCommand() *cobra.Command {
 cmd.AddCommand(cmdKeyListTemplate.ToCommand(k.keysList))
 cmd.AddCommand(cmdKeyGenerateRootKeyTemplate.ToCommand(k.keysGenerateRootKey))
 cmd.AddCommand(cmdKeysRestoreTemplate.ToCommand(k.keysRestore))
- cmd.AddCommand(cmdKeyImportTemplate.ToCommand(k.keysImportRoot))
+ cmdKeysImport := cmdKeyImportTemplate.ToCommand(k.keysImport)
+ cmdKeysImport.Flags().StringVarP(
+ &k.keysExportGUN, "gun", "g", "", "Globally Unique Name to import key to")
+ cmdKeysImport.Flags().StringVarP(
+ &k.keysImportRole, "role", "r", data.CanonicalRootRole, "Role to import key to")
+ cmd.AddCommand(cmdKeysImport)
 cmd.AddCommand(cmdKeyRemoveTemplate.ToCommand(k.keyRemove))
 cmd.AddCommand(cmdKeyPasswdTemplate.ToCommand(k.keyPassphraseChange))
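Review bot: The import command's `--gun` flag is bound to `&k.keysExportGUN`, while the field this commit adds for it is `keysImportGUN` — the one `keysImport` later hands to `cryptoservice.NewCryptoService`. As written the flag is parsed but never reaches the import, so `NewCryptoService` is always constructed with an empty GUN, and the export command's flag storage is overwritten as a side effect. The fix is the single line `&k.keysImportGUN, "gun", "g", "", "Globally Unique Name to import key to")`. GetCommand continues outside the hunk.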
@@ -333,8 +340,8 @@ func (k *keyCommander) keysRestore(cmd *cobra.Command, args []string) error {
 return nil
 }
-// keysImportRoot imports a root key from a PEM file
-func (k *keyCommander) keysImportRoot(cmd *cobra.Command, args []string) error {
+// keysImport imports a private key from a PEM file
+func (k *keyCommander) keysImport(cmd *cobra.Command, args []string) error {
 if len(args) != 1 {
 cmd.Usage()
 return fmt.Errorf("Must specify input filename for import")
@@ -348,7 +355,6 @@ func (k *keyCommander) keysImportRoot(cmd *cobra.Command, args []string) error {
 if err != nil {
 return err
 }
- cs := cryptoservice.NewCryptoService("", ks...)
 importFilename := args[0]
@@ -358,7 +364,12 @@ func (k *keyCommander) keysImportRoot(cmd *cobra.Command, args []string) error {
 }
 defer importFile.Close()
- err = cs.ImportRootKey(importFile)
+ cs := cryptoservice.NewCryptoService(k.keysImportGUN, ks...)
+ if k.keysImportRole == data.CanonicalRootRole {
+ err = cs.ImportRootKey(importFile)
+ } else {
+ err = cs.ImportRoleKey(importFile, k.keysImportRole)
+ }
 if err != nil {
 return fmt.Errorf("Error importing root key: %v", err)
diff --git a/cryptoservice/import_export.go b/cryptoservice/import_export.go
index ff99dfc35f..e718a6e5b6 100644
--- a/cryptoservice/import_export.go
+++ b/cryptoservice/import_export.go
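Review bot: In the last hunk `k.keysImportRole` goes straight into `cs.ImportRoleKey` without being checked against the known role names, so a typo such as `--role target` is likely to create a key under a role nothing will ever sign with, and the failure path still reports `Error importing root key` whatever role was selected. Consider rejecting unknown roles before the file is even opened — with a validator such as `data.ValidRole(k.keysImportRole)` if the `data` package exposes one — and making the message role-aware: `return fmt.Errorf("Error importing %s key: %v", k.keysImportRole, err)`. The body of keysImport ends outside the hunk, so the handling after the import is not visible here.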
@@ -103,18 +103,27 @@ func (cs *CryptoService) ExportKeyReencrypt(dest io.Writer, keyID string, newPas
 // It prompts for the key's passphrase to verify the data and to determine
 // the key ID.
 func (cs *CryptoService) ImportRootKey(source io.Reader) error {
+ return cs.ImportRoleKey(source, data.CanonicalRootRole)
+}
+
+// ImportRoleKey imports a private key in PEM format key from an io.Reader
+// It prompts for the key's passphrase to verify the data and to determine
+// the key ID.
+func (cs *CryptoService) ImportRoleKey(source io.Reader, role string) error {
 pemBytes, err := ioutil.ReadAll(source)
 if err != nil {
 return err
 }
- if err = checkRootKeyIsEncrypted(pemBytes); err != nil {
- return err
+ if role == data.CanonicalRootRole {
+ if err = checkRootKeyIsEncrypted(pemBytes); err != nil {
+ return err
+ }
 }
 for _, ks := range cs.keyStores {
 // don't redeclare err, we want the value carried out of the loop
- if err = ks.ImportKey(pemBytes, data.CanonicalRootRole); err == nil {
+ if err = ks.ImportKey(pemBytes, role); err == nil {
 return nil //bail on the first keystore we import to
 }
 }
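Review bot: `ImportRoleKey` applies `checkRootKeyIsEncrypted` only when `role == data.CanonicalRootRole`, so a plaintext PEM private key for targets, snapshot, timestamp or a delegation is accepted by this function and whether it is ever encrypted at rest is left entirely to each keystore's `ImportKey`. If that asymmetry is deliberate it belongs in the doc comment, e.g. `// Only root keys are required to arrive encrypted; keys for other roles are stored however the keystore's ImportKey decides.`; if it is not, the check should run for every role. The `role` argument is also passed through unvalidated, so an empty or misspelled role name is written to the keystore as-is. The new doc comment has a stray word (`in PEM format key from`). The function continues past the hunk, so the value returned when no keystore accepts the key is not visible here.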