Added cliCryptoService

2015-06-17 16:05:16 -07:00 · 2015-06-17 16:05:16 -07:00 · 712ff83945
parent ff169897b6
commit 712ff83945
6 changed files with 184 additions and 79 deletions
--- a/cmd/notary/cli_crypto_service.go
+++ b/cmd/notary/cli_crypto_service.go
@ -0,0 +1,130 @@
 package main
 import (
 	"crypto"
 	"crypto/rand"
 	"crypto/rsa"
 	"crypto/sha256"
 	"crypto/x509"
 	"encoding/pem"
 	"fmt"
 	"io/ioutil"
 	"os"
 	"path/filepath"
 	"github.com/docker/vetinari/trustmanager"
 	"github.com/endophage/gotuf/data"
 	"github.com/spf13/viper"
 )
 type cliCryptoService struct {
 	privateKeys map[string]*data.PrivateKey
 	gun         string
 }
 func NewCryptoService(gun string) *cliCryptoService {
 	return &cliCryptoService{privateKeys: make(map[string]*data.PrivateKey), gun: gun}
 }
 // Create is used to generate keys for targets, snapshots and timestamps
 func (ccs *cliCryptoService) Create() (*data.PublicKey, error) {
 	_, cert, err := generateKeyAndCert(ccs.gun)
 	if err != nil {
 		return nil, err
 	}
 	return data.NewPublicKey("RSA", string(cert)), nil
 }
 // Sign returns the signatures for data with the given keyIDs
 func (ccs *cliCryptoService) Sign(keyIDs []string, payload []byte) ([]data.Signature, error) {
 	// Create hasher and hash data
 	hash := crypto.SHA256
 	hashed := sha256.Sum256(payload)
 	signatures := make([]data.Signature, 0, len(keyIDs))
 	for _, kID := range keyIDs {
 		// Get the PrivateKey filename
 		privKeyFilename := filepath.Join(viper.GetString("privDir"), ccs.gun, kID+".key")
 		// Read PrivateKey from file
 		privPEMBytes, err := ioutil.ReadFile(privKeyFilename)
 		if err != nil {
 			continue
 		}
 		// Parse PrivateKey
 		privKeyBytes, _ := pem.Decode(privPEMBytes)
 		privKey, err := x509.ParsePKCS1PrivateKey(privKeyBytes.Bytes)
 		if err != nil {
 			return nil, err
 		}
 		// Sign the data
 		sig, err := rsa.SignPKCS1v15(rand.Reader, privKey, hash, hashed[:])
 		if err != nil {
 			return nil, err
 		}
 		// Append signatures to result array
 		signatures = append(signatures, data.Signature{
 			KeyID:     kID,
 			Method:    "RSASSA-PKCS1-V1_5-SIGN",
 			Signature: sig[:],
 		})
 	}
 	return signatures, nil
 }
 //TODO (diogo): Add support for EC P384
 func generateKeyAndCert(gun string) (crypto.PrivateKey, []byte, error) {
 	// Generates a new RSA key
 	key, err := rsa.GenerateKey(rand.Reader, 2048)
 	if err != nil {
 		return nil, nil, fmt.Errorf("could not generate private key: %v", err)
 	}
 	keyBytes := x509.MarshalPKCS1PrivateKey(key)
 	// Creates a new Certificate template. We need the certificate to calculate the
 	// TUF-compliant keyID
 	//TODO (diogo): We're hardcoding the Organization to be the GUN. Probably want to
 	// change it
 	template := newCertificate(gun, gun)
 	derBytes, err := x509.CreateCertificate(rand.Reader, template, template, key.Public(), key)
 	if err != nil {
 		return nil, nil, fmt.Errorf("failed to generate the certificate for key: %v", err)
 	}
 	// Encode the new certificate into PEM
 	cert := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: derBytes})
 	// Create new TUF Key so we can compute the TUF-compliant ID
 	tufKey := data.NewTUFKey("RSA", string(cert), "")
 	// The key is going to be stored in the private directory, using the GUN and
 	// the filename will be the TUF-compliant ID
 	privKeyFilename := filepath.Join(viper.GetString("privDir"), gun, tufKey.ID()+".key")
 	// If GUN is in the form of 'foo/bar' ensures that private key is stored in the
 	// adequate sub-directory
 	err = trustmanager.CreateDirectory(privKeyFilename)
 	if err != nil {
 		return nil, nil, fmt.Errorf("could not create directory for private key: %v", err)
 	}
 	// Opens a FD to the file with the correct permissions
 	keyOut, err := os.OpenFile(privKeyFilename, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
 	if err != nil {
 		return nil, nil, fmt.Errorf("could not write privatekey: %v", err)
 	}
 	defer keyOut.Close()
 	// Encodes the private key as PEM and writes it
 	err = pem.Encode(keyOut, &pem.Block{Type: "RSA PRIVATE KEY", Bytes: keyBytes})
 	if err != nil {
 		return nil, nil, fmt.Errorf("failed to encode key: %v", err)
 	}
 	return key, cert, nil
 }
--- a/cmd/notary/keys.go
+++ b/cmd/notary/keys.go
@ -1,24 +1,19 @@
 package main
 import (
 	"crypto"
 	"crypto/ecdsa"
 	"crypto/elliptic"
 	"crypto/rand"
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"encoding/pem"
 	"fmt"
 	"math"
 	"math/big"
 	"net/url"
 	"os"
 	"path/filepath"
 	"time"
 	"github.com/docker/vetinari/trustmanager"
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
 )
 var subjectKeyID string
@ -99,7 +94,7 @@ func keysTrust(cmd *cobra.Command, args []string) {
 		fatalf("not enough arguments provided")
 	}
-	qualifiedDN := args[0]
+	gun := args[0]
 	certLocationStr := args[1]
 	// Verify if argument is a valid URL
 	url, err := url.Parse(certLocationStr)
@ -109,9 +104,9 @@ func keysTrust(cmd *cobra.Command, args []string) {
 		if err != nil {
 			fatalf("error retreiving certificate from url (%s): %v", certLocationStr, err)
 		}
-		err = cert.VerifyHostname(qualifiedDN)
+		err = cert.VerifyHostname(gun)
 		if err != nil {
-			fatalf("certificate does not match the Qualified Docker Name: %v", err)
+			fatalf("certificate does not match the Global Unique Name: %v", err)
 		}
 		err = caStore.AddCert(cert)
 		if err != nil {
@ -156,33 +151,17 @@ func keysGenerate(cmd *cobra.Command, args []string) {
 	}
 	// (diogo): Validate GUNs
-	qualifiedDN := args[0]
+	gun := args[0]
-	key, err := generateKey(qualifiedDN)
+	_, cert, err := generateKeyAndCert(gun)
 	if err != nil {
 		fatalf("could not generate key: %v", err)
 	}
-	template := newCertificate(qualifiedDN, qualifiedDN)
+	caStore.AddCertFromPEM(cert)
 	derBytes, err := x509.CreateCertificate(rand.Reader, template, template, key.(crypto.Signer).Public(), key)
 	if err != nil {
 		fatalf("failed to generate certificate: %s", err)
 	}
 	certName := filepath.Join(viper.GetString("privDir"), qualifiedDN+".crt")
 	certOut, err := os.Create(certName)
 	if err != nil {
 		fatalf("failed to save certificate: %s", err)
 	}
 	defer certOut.Close()
 	err = pem.Encode(certOut, &pem.Block{Type: "CERTIFICATE", Bytes: derBytes})
 	if err != nil {
 		fatalf("failed to save certificate: %s", err)
 	}
 }
-func newCertificate(qualifiedDN, organization string) *x509.Certificate {
+func newCertificate(gun, organization string) *x509.Certificate {
 	notBefore := time.Now()
 	notAfter := notBefore.Add(time.Hour * 24 * 365 * 2)
@ -196,7 +175,7 @@ func newCertificate(qualifiedDN, organization string) *x509.Certificate {
 		SerialNumber: serialNumber,
 		Subject: pkix.Name{
 			Organization: []string{organization},
-			CommonName:   qualifiedDN,
+			CommonName:   gun,
 		},
 		NotBefore: notBefore,
 		NotAfter:  notAfter,
@ -207,33 +186,6 @@ func newCertificate(qualifiedDN, organization string) *x509.Certificate {
 	}
 }
 func generateKey(qualifiedDN string) (crypto.PrivateKey, error) {
 	curve := elliptic.P384()
 	key, err := ecdsa.GenerateKey(curve, rand.Reader)
 	if err != nil {
 		return nil, fmt.Errorf("could not generate private key: %v", err)
 	}
 	keyBytes, err := x509.MarshalECPrivateKey(key)
 	if err != nil {
 		return nil, fmt.Errorf("could not marshal private key: %v", err)
 	}
 	keyName := filepath.Join(viper.GetString("privDir"), qualifiedDN+".key")
 	keyOut, err := os.OpenFile(keyName, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
 	if err != nil {
 		return nil, fmt.Errorf("could not write privatekey: %v", err)
 	}
 	defer keyOut.Close()
 	err = pem.Encode(keyOut, &pem.Block{Type: "EC PRIVATE KEY", Bytes: keyBytes})
 	if err != nil {
 		return nil, fmt.Errorf("failed to encode key: %v", err)
 	}
 	return key, nil
 }
 func printCert(cert *x509.Certificate) {
 	timeDifference := cert.NotAfter.Sub(time.Now())
 	subjectKeyID := trustmanager.FingerprintCert(cert)
--- a/cmd/notary/main.go
+++ b/cmd/notary/main.go
@ -15,9 +15,11 @@ import (
 )
 const configFileName string = "config"
 // Default paths should end with a '/' so directory creation works correctly
 const configPath string = ".docker/trust/"
-const caDir string = ".docker/trust/certificate_authorities/"
+const trustDir string = configPath + "repository_certificates/"
-const privDir string = ".docker/trust/private/"
+const privDir string = configPath + "private/"
 var caStore trustmanager.X509Store
 var privStore trustmanager.X509Store
@ -45,26 +47,32 @@ func init() {
 	if err != nil {
 		// Ignore if the configuration file doesn't exist, we can use the defaults
 		if !os.IsNotExist(err) {
-			panic(fmt.Errorf("Fatal error config file: %s \n", err))
+			fatalf("fatal error config file: %v", err)
 		}
 	}
 	// Set up the defaults for our config
-	viper.SetDefault("caDir", path.Join(homeDir, path.Dir(caDir)))
+	viper.SetDefault("trustDir", path.Join(homeDir, path.Dir(trustDir)))
 	viper.SetDefault("privDir", path.Join(homeDir, path.Dir(privDir)))
 	// Get the final value for the CA directory
-	finalcaDir := viper.GetString("caDir")
+	finalTrustDir := viper.GetString("trustDir")
 	finalPrivDir := viper.GetString("privDir")
 	// Ensure the existence of the CAs directory
-	createDirectory(finalcaDir)
+	err = trustmanager.CreateDirectory(finalTrustDir)
-	createDirectory(finalPrivDir)
+	if err != nil {
 		fatalf("could not create directory: %v", err)
 	}
 	err = trustmanager.CreateDirectory(finalPrivDir)
 	if err != nil {
 		fatalf("could not create directory: %v", err)
 	}
 	// Load all CAs that aren't expired and don't use SHA1
 	// We could easily add "return cert.IsCA && cert.BasicConstraintsValid" in order
 	// to have only valid CA certificates being loaded
-	caStore = trustmanager.NewX509FilteredFileStore(finalcaDir, func(cert *x509.Certificate) bool {
+	caStore = trustmanager.NewX509FilteredFileStore(finalTrustDir, func(cert *x509.Certificate) bool {
 		return time.Now().Before(cert.NotAfter) &&
 			cert.SignatureAlgorithm != x509.SHA1WithRSA &&
 			cert.SignatureAlgorithm != x509.DSAWithSHA1 &&
@ -95,9 +103,3 @@ func fatalf(format string, args ...interface{}) {
 	fmt.Printf("* fatal: "+format+"\n", args...)
 	os.Exit(1)
 }
 func createDirectory(dir string) {
 	if err := os.MkdirAll(dir, 0700); err != nil {
 		fatalf("cannot create directory: %v", err)
 	}
 }
--- a/cmd/notary/tuf.go
+++ b/cmd/notary/tuf.go
@ -48,35 +48,35 @@ var cmdTufAdd = &cobra.Command{
 var cmdTufRemove = &cobra.Command{
 	Use:   "remove [ GUN ] <target>",
 	Short: "Removes a target from the TUF repo.",
-	Long:  "removes a target from the local TUF repo identified by a Qualified Docker Name.",
+	Long:  "removes a target from the local TUF repo identified by a Global Unique Name.",
 	Run:   tufRemove,
 }
 var cmdTufInit = &cobra.Command{
 	Use:   "init [ GUN ]",
 	Short: "initializes the local TUF repository.",
-	Long:  "creates locally the initial set of TUF metadata for the Qualified Docker Name.",
+	Long:  "creates locally the initial set of TUF metadata for the Global Unique Name.",
 	Run:   tufInit,
 }
 var cmdTufList = &cobra.Command{
 	Use:   "list [ GUN ]",
 	Short: "Lists all targets in a TUF repository.",
-	Long:  "lists all the targets in the TUF repository identified by the Qualified Docker Name.",
+	Long:  "lists all the targets in the TUF repository identified by the Global Unique Name.",
 	Run:   tufList,
 }
 var cmdTufLookup = &cobra.Command{
 	Use:   "lookup [ GUN ] <target name>",
 	Short: "Looks up a specific TUF target in a repository.",
-	Long:  "looks up a TUF target in a repository given a Qualified Docker Name.",
+	Long:  "looks up a TUF target in a repository given a Global Unique Name.",
 	Run:   tufLookup,
 }
 var cmdTufPush = &cobra.Command{
 	Use:   "push [ GUN ]",
 	Short: "initializes the local TUF repository.",
-	Long:  "creates locally the initial set of TUF metadata for the Qualified Docker Name.",
+	Long:  "creates locally the initial set of TUF metadata for the Global Unique Name.",
 	Run:   tufPush,
 }
@ -161,6 +161,7 @@ func tufInit(cmd *cobra.Command, args []string) {
 	}
 	gun := args[0]
 	// cryptoService := NewCryptoService(gun)
 	kdb := keys.NewDB()
 	repo := tuf.NewTufRepo(kdb, nil)
--- a/trustmanager/X509FileStore.go
+++ b/trustmanager/X509FileStore.go
@ -57,8 +57,14 @@ func (s X509FileStore) AddCert(cert *x509.Certificate) error {
 		return errors.New("adding nil Certificate to X509Store")
 	}
-	fingerprint := FingerprintCert(cert)
+	var filename string
-	filename := path.Join(s.baseDir, string(fingerprint)+certExtension)
+	if cert.Subject.CommonName != "" {
 		filename = path.Join(s.baseDir, cert.Subject.CommonName+certExtension)
 	} else {
 		fingerprint := FingerprintCert(cert)
 		filename = path.Join(s.baseDir, string(fingerprint)+certExtension)
 	}
 	if err := s.addNamedCert(cert, filename); err != nil {
 		return err
 	}
--- a/trustmanager/X509Utils.go
+++ b/trustmanager/X509Utils.go
@ -10,6 +10,7 @@ import (
 	"io/ioutil"
 	"net/http"
 	"net/url"
 	"os"
 	"path"
 	"path/filepath"
 )
@ -54,7 +55,12 @@ func saveCertificate(cert *x509.Certificate, filename string) error {
 	block := pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw}
 	pemdata := string(pem.EncodeToMemory(&block))
-	err := ioutil.WriteFile(filename, []byte(pemdata), 0600)
+	err := CreateDirectory(filename)
 	if err != nil {
 		return err
 	}
 	err = ioutil.WriteFile(filename, []byte(pemdata), 0600)
 	if err != nil {
 		return err
 	}
@ -124,3 +130,11 @@ func loadCertFromPEM(pemBytes []byte) (*x509.Certificate, error) {
 	return nil, errors.New("no certificates found in PEM data")
 }
 func CreateDirectory(dir string) error {
 	cleanDir := filepath.Dir(dir)
 	if err := os.MkdirAll(cleanDir, 0700); err != nil {
 		return fmt.Errorf("cannot create directory: %v", err)
 	}
 	return nil
 }