add role into PEM headers

Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)
2015-12-21 23:00:06 -08:00 · 2015-12-21 23:00:06 -08:00 · 6d5b8ff54a
parent 1f329868e8
commit 6d5b8ff54a
7 changed files with 37 additions and 22 deletions
--- a/cmd/notary/integration_test.go
+++ b/cmd/notary/integration_test.go
@ -465,7 +465,7 @@ func TestClientKeyImportExportRootOnly(t *testing.T) {
 		privKey, err := trustmanager.GenerateECDSAKey(rand.Reader)
 		assert.NoError(t, err)

-		pemBytes, err := trustmanager.EncryptPrivateKey(privKey, testPassphrase)
+		pemBytes, err := trustmanager.EncryptPrivateKey(privKey, "root", testPassphrase)
 		assert.NoError(t, err)

 		nBytes, err := tempFile.Write(pemBytes)
--- a/cryptoservice/import_export_test.go
+++ b/cryptoservice/import_export_test.go
@ -328,7 +328,7 @@ func TestImportExportRootKey(t *testing.T) {
 	assert.NoError(t, err, "could not read key file")
 	privKey, err := trustmanager.ParsePEMPrivateKey(pemBytes, oldPassphrase)
 	assert.NoError(t, err, "could not decrypt key file")
-	decryptedPEMBytes, err := trustmanager.KeyToPEM(privKey)
+	decryptedPEMBytes, err := trustmanager.KeyToPEM(privKey, "root")
 	assert.NoError(t, err, "could not convert key to PEM")

 	err = cs2.ImportRootKey(bytes.NewReader(decryptedPEMBytes))
--- a/trustmanager/keyfilestore.go
+++ b/trustmanager/keyfilestore.go
@ -333,7 +333,7 @@ func GetPasswdDecryptBytes(passphraseRetriever passphrase.Retriever, pemBytes []
 	return privKey, passwd, nil
 }

-func encryptAndAddKey(s LimitedFileStore, passwd string, cachedKeys map[string]*cachedKey, name, alias string, privKey data.PrivateKey) error {
+func encryptAndAddKey(s LimitedFileStore, passwd string, cachedKeys map[string]*cachedKey, name, role string, privKey data.PrivateKey) error {

 	var (
 		pemPrivKey []byte
@ -341,17 +341,17 @@ func encryptAndAddKey(s LimitedFileStore, passwd string, cachedKeys map[string]*
 	)

 	if passwd != "" {
-		pemPrivKey, err = EncryptPrivateKey(privKey, passwd)
+		pemPrivKey, err = EncryptPrivateKey(privKey, role, passwd)
 	} else {
-		pemPrivKey, err = KeyToPEM(privKey)
+		pemPrivKey, err = KeyToPEM(privKey, role)
 	}

 	if err != nil {
 		return err
 	}

-	cachedKeys[name] = &cachedKey{alias: alias, key: privKey}
-	return s.Add(filepath.Join(getSubdir(alias), name+"_"+alias), pemPrivKey)
+	cachedKeys[name] = &cachedKey{alias: role, key: privKey}
+	return s.Add(filepath.Join(getSubdir(role), name+"_"+role), pemPrivKey)
 }

 func importKey(s LimitedFileStore, passphraseRetriever passphrase.Retriever, cachedKeys map[string]*cachedKey, alias string, pemBytes []byte) error {
--- a/trustmanager/keyfilestore_test.go
+++ b/trustmanager/keyfilestore_test.go
@ -55,6 +55,8 @@ func TestAddKey(t *testing.T) {

 func TestGet(t *testing.T) {
 	testData := []byte(`-----BEGIN RSA PRIVATE KEY-----
+role: root
+
 MIIEogIBAAKCAQEAyUIXjsrWRrvPa4Bzp3VJ6uOUGPay2fUpSV8XzNxZxIG/Opdr
 +k3EQi1im6WOqF3Y5AS1UjYRxNuRN+cAZeo3uS1pOTuoSupBXuchVw8s4hZJ5vXn
 TRmGb+xY7tZ1ZVgPfAZDib9sRSUsL/gC+aSyprAjG/YBdbF06qKbfOfsoCEYW1OQ
@ -109,7 +111,7 @@ EMl3eFOJXjIch/wIesRSN+2dGOsl7neercjMh1i9RvpCwHDx/E0=
 	privKey, _, err := store.GetKey(testName)
 	assert.NoError(t, err, "failed to get key from store")

-	pemPrivKey, err := KeyToPEM(privKey)
+	pemPrivKey, err := KeyToPEM(privKey, testAlias)
 	assert.NoError(t, err, "failed to convert key to PEM")
 	assert.Equal(t, testData, pemPrivKey)
 }
@ -513,7 +515,7 @@ func assertExportKeySuccess(
 func assertImportKeySuccess(
 	t *testing.T, s KeyStore, expectedKey data.PrivateKey) {

-	pemBytes, err := EncryptPrivateKey(expectedKey, cannedPassphrase)
+	pemBytes, err := EncryptPrivateKey(expectedKey, "root", cannedPassphrase)
 	assert.NoError(t, err)

 	err = s.ImportKey(pemBytes, "root")
--- a/trustmanager/x509utils.go
+++ b/trustmanager/x509utils.go
@ -414,18 +414,26 @@ func blockType(k data.PrivateKey) (string, error) {
 }

 // KeyToPEM returns a PEM encoded key from a Private Key
-func KeyToPEM(privKey data.PrivateKey) ([]byte, error) {
+func KeyToPEM(privKey data.PrivateKey, role string) ([]byte, error) {
 	bt, err := blockType(privKey)
 	if err != nil {
 		return nil, err
 	}

-	return pem.EncodeToMemory(&pem.Block{Type: bt, Bytes: privKey.Private()}), nil
+	block := &pem.Block{
+		Type: bt,
+		Headers: map[string]string{
+			"role": role,
+		},
+		Bytes: privKey.Private(),
+	}
+
+	return pem.EncodeToMemory(block), nil
 }

 // EncryptPrivateKey returns an encrypted PEM key given a Privatekey
 // and a passphrase
-func EncryptPrivateKey(key data.PrivateKey, passphrase string) ([]byte, error) {
+func EncryptPrivateKey(key data.PrivateKey, role, passphrase string) ([]byte, error) {
 	bt, err := blockType(key)
 	if err != nil {
 		return nil, err
@ -443,6 +451,11 @@ func EncryptPrivateKey(key data.PrivateKey, passphrase string) ([]byte, error) {
 		return nil, err
 	}

+	if encryptedPEMBlock.Headers == nil {
+		encryptedPEMBlock.Headers = make(map[string]string)
+	}
+	encryptedPEMBlock.Headers["role"] = role
+
 	return pem.EncodeToMemory(encryptedPEMBlock), nil
 }

--- a/trustmanager/x509utils_test.go
+++ b/trustmanager/x509utils_test.go
@ -69,15 +69,15 @@ func TestKeyOperations(t *testing.T) {
 	rsaKey, err := GenerateRSAKey(rand.Reader, 512)

 	// Encode our ED private key
-	edPEM, err := KeyToPEM(edKey)
+	edPEM, err := KeyToPEM(edKey, "root")
 	assert.NoError(t, err)

 	// Encode our EC private key
-	ecPEM, err := KeyToPEM(ecKey)
+	ecPEM, err := KeyToPEM(ecKey, "root")
 	assert.NoError(t, err)

 	// Encode our RSA private key
-	rsaPEM, err := KeyToPEM(rsaKey)
+	rsaPEM, err := KeyToPEM(rsaKey, "root")
 	assert.NoError(t, err)

 	// Check to see if ED key it is encoded
@ -108,15 +108,15 @@ func TestKeyOperations(t *testing.T) {
 	assert.Equal(t, rsaKey.Private(), decodedRSAKey.Private())

 	// Encrypt our ED Key
-	encryptedEDKey, err := EncryptPrivateKey(edKey, "ponies")
+	encryptedEDKey, err := EncryptPrivateKey(edKey, "root", "ponies")
 	assert.NoError(t, err)

 	// Encrypt our EC Key
-	encryptedECKey, err := EncryptPrivateKey(ecKey, "ponies")
+	encryptedECKey, err := EncryptPrivateKey(ecKey, "root", "ponies")
 	assert.NoError(t, err)

 	// Encrypt our RSA Key
-	encryptedRSAKey, err := EncryptPrivateKey(rsaKey, "ponies")
+	encryptedRSAKey, err := EncryptPrivateKey(rsaKey, "root", "ponies")
 	assert.NoError(t, err)

 	// Check to see if ED key it is encrypted
--- a/trustmanager/yubikey/yubikeystore_test.go
+++ b/trustmanager/yubikey/yubikeystore_test.go
@ -339,7 +339,7 @@ func TestYubiImportNewKey(t *testing.T) {
 	privKey, err := trustmanager.GenerateECDSAKey(rand.Reader)
 	assert.NoError(t, err)

-	pemBytes, err := trustmanager.EncryptPrivateKey(privKey, "passphrase")
+	pemBytes, err := trustmanager.EncryptPrivateKey(privKey, "root", "passphrase")
 	assert.NoError(t, err)

 	err = store.ImportKey(pemBytes, "root")
@ -388,7 +388,7 @@ func TestYubiImportExistingKey(t *testing.T) {
 	assert.NotNil(t, k)

 	// import the key, which should have already been added to the yubikey
-	pemBytes, err := trustmanager.EncryptPrivateKey(key, "passphrase")
+	pemBytes, err := trustmanager.EncryptPrivateKey(key, "root", "passphrase")
 	assert.NoError(t, err)
 	err = newStore.ImportKey(pemBytes, "root")
 	assert.NoError(t, err)
@ -418,7 +418,7 @@ func TestYubiImportNonRootKey(t *testing.T) {
 	privKey, err := trustmanager.GenerateECDSAKey(rand.Reader)
 	assert.NoError(t, err)

-	pemBytes, err := trustmanager.EncryptPrivateKey(privKey, "passphrase")
+	pemBytes, err := trustmanager.EncryptPrivateKey(privKey, "root", "passphrase")
 	assert.NoError(t, err)

 	err = store.ImportKey(pemBytes, privKey.ID())
@ -690,7 +690,7 @@ func TestYubiImportKeyCleansUpOnError(t *testing.T) {
 	privKey, err := trustmanager.GenerateECDSAKey(rand.Reader)
 	assert.NoError(t, err)

-	pemBytes, err := trustmanager.EncryptPrivateKey(privKey, "passphrase")
+	pemBytes, err := trustmanager.EncryptPrivateKey(privKey, "root", "passphrase")
 	assert.NoError(t, err)

 	var _importkey = func() error { return store.ImportKey(pemBytes, "root") }