docker
/
docs
mirror of https://github.com/docker/docs.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Removing key import and gun from cryptoservice 

Signed-off-by: Riyaz Faizullabhoy <riyaz.faizullabhoy@docker.com>
This commit is contained in:
Riyaz Faizullabhoy 2016-03-01 15:09:00 -08:00
parent 1aad807439
commit 9ecd899e25
44 changed files with 317 additions and 596 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
certs/certs_test.go
View File

@ -234,7 +234,7 @@ func filestoreWithTwoCerts(t *testing.T, gun, keyAlg string) (
fileKeyStore, err := trustmanager.NewKeyFileStore(tempBaseDir, passphraseRetriever)
assert.NoError(t, err)
cryptoService := cryptoservice.NewCryptoService(gun, fileKeyStore)
cryptoService := cryptoservice.NewCryptoService(fileKeyStore)
// Create a store
trustPath := filepath.Join(tempBaseDir, notary.TrustedCertsDir)
@ -246,7 +246,7 @@ func filestoreWithTwoCerts(t *testing.T, gun, keyAlg string) (
certificates := make([]*x509.Certificate, 2)
for i := 0; i < 2; i++ {
pubKey, err := cryptoService.Create("root", keyAlg)
pubKey, err := cryptoService.Create("root", gun, keyAlg)
assert.NoError(t, err)
key, _, err := fileKeyStore.GetKey(pubKey.ID())

2
client/changelist/change_test.go
View File

@ -10,7 +10,7 @@ import (
func TestTufDelegation(t *testing.T) {
cs := signed.NewEd25519()
key, err := cs.Create("targets/new_name", data.ED25519Key)
key, err := cs.Create("targets/new_name", "gun", data.ED25519Key)
assert.NoError(t, err)
kl := data.KeyList{key}
td := TufDelegation{

6
client/client.go
View File

@ -104,7 +104,7 @@ func repositoryFromKeystores(baseDir, gun, baseURL string, rt http.RoundTripper,
return nil, err
}
cryptoService := cryptoservice.NewCryptoService(gun, keyStores...)
cryptoService := cryptoservice.NewCryptoService(keyStores...)
nRepo := &NotaryRepository{
gun: gun,
@ -234,7 +234,7 @@ func (r *NotaryRepository) Initialize(rootKeyID string, serverManagedRoles ...st
// make unnecessary network calls
for _, role := range locallyManagedKeys {
// This is currently hardcoding the keys to ECDSA.
key, err := r.CryptoService.Create(role, data.ECDSAKey)
key, err := r.CryptoService.Create(role, r.gun, data.ECDSAKey)
if err != nil {
return err
}
@ -903,7 +903,7 @@ func (r *NotaryRepository) RotateKey(role string, serverManagesKey bool) error {
pubKey, err = getRemoteKey(r.baseURL, r.gun, role, r.roundTrip)
errFmtMsg = "unable to rotate remote key: %s"
default:
pubKey, err = r.CryptoService.Create(role, data.ECDSAKey)
pubKey, err = r.CryptoService.Create(role, r.gun, data.ECDSAKey)
errFmtMsg = "unable to generate key: %s"
}

50
client/client_test.go
View File

@ -139,8 +139,7 @@ func fullTestServer(t *testing.T) *httptest.Server {
l.Out = &b
ctx = ctxu.WithLogger(ctx, logrus.NewEntry(l))
cryptoService := cryptoservice.NewCryptoService(
"", trustmanager.NewKeyMemoryStore(passphraseRetriever))
cryptoService := cryptoservice.NewCryptoService(trustmanager.NewKeyMemoryStore(passphraseRetriever))
return httptest.NewServer(server.RootHandler(nil, ctx, cryptoService, nil, nil))
}
@ -195,7 +194,7 @@ func createRepoAndKey(t *testing.T, rootType, tempBaseDir, gun, url string) (
tempBaseDir, gun, url, http.DefaultTransport, rec.retriever)
require.NoError(t, err, "error creating repo: %s", err)
rootPubKey, err := repo.CryptoService.Create("root", rootType)
rootPubKey, err := repo.CryptoService.Create("root", repo.gun, rootType)
require.NoError(t, err, "error generating root key: %s", err)
rec.requireCreated(t, []string{data.CanonicalRootRole},
@ -577,7 +576,7 @@ func testInitRepoAttemptsExceeded(t *testing.T, rootType string) {
retriever := passphrase.ConstantRetriever("password")
repo, err := NewNotaryRepository(tempBaseDir, gun, ts.URL, http.DefaultTransport, retriever)
require.NoError(t, err, "error creating repo: %s", err)
rootPubKey, err := repo.CryptoService.Create("root", rootType)
rootPubKey, err := repo.CryptoService.Create("root", repo.gun, rootType)
require.NoError(t, err, "error generating root key: %s", err)
retriever = passphrase.ConstantRetriever("incorrect password")
@ -615,7 +614,7 @@ func testInitRepoPasswordInvalid(t *testing.T, rootType string) {
retriever := passphrase.ConstantRetriever("password")
repo, err := NewNotaryRepository(tempBaseDir, gun, ts.URL, http.DefaultTransport, retriever)
require.NoError(t, err, "error creating repo: %s", err)
rootPubKey, err := repo.CryptoService.Create("root", rootType)
rootPubKey, err := repo.CryptoService.Create("root", repo.gun, rootType)
require.NoError(t, err, "error generating root key: %s", err)
// repo.CryptoServices FileKeyStore caches the unlocked private key, so to test
@ -1025,7 +1024,7 @@ func fakeServerData(t *testing.T, repo *NotaryRepository, mux *http.ServeMux,
timestampKey, ok := keys[data.CanonicalTimestampRole]
require.True(t, ok)
// Add timestamp key via the server's cryptoservice so it can sign
repo.CryptoService.AddKey(timestampKey, data.CanonicalTimestampRole)
repo.CryptoService.AddKey(data.CanonicalTimestampRole, repo.gun, timestampKey)
savedTUFRepo := repo.tufRepo // in case this is overwritten
@ -1232,7 +1231,7 @@ func testListTargetWithDelegates(t *testing.T, rootType string) {
currentTarget := addTarget(t, repo, "current", "../fixtures/intermediate-ca.crt")
// setup delegated targets/level1 role
k, err := repo.CryptoService.Create("targets/level1", rootType)
k, err := repo.CryptoService.Create("targets/level1", repo.gun, rootType)
require.NoError(t, err)
err = repo.tufRepo.UpdateDelegationKeys("targets/level1", []data.PublicKey{k}, []string{}, 1)
require.NoError(t, err)
@ -1242,7 +1241,7 @@ func testListTargetWithDelegates(t *testing.T, rootType string) {
otherTarget := addTarget(t, repo, "other", "../fixtures/root-ca.crt", "targets/level1")
// setup delegated targets/level2 role
k, err = repo.CryptoService.Create("targets/level2", rootType)
k, err = repo.CryptoService.Create("targets/level2", repo.gun, rootType)
require.NoError(t, err)
err = repo.tufRepo.UpdateDelegationKeys("targets/level2", []data.PublicKey{k}, []string{}, 1)
require.NoError(t, err)
@ -1274,7 +1273,7 @@ func testListTargetWithDelegates(t *testing.T, rootType string) {
// setup delegated targets/level1/level2 role separately, which can only modify paths prefixed with "level2"
// This is done separately due to target shadowing
k, err = repo.CryptoService.Create("targets/level1/level2", rootType)
k, err = repo.CryptoService.Create("targets/level1/level2", repo.gun, rootType)
require.NoError(t, err)
err = repo.tufRepo.UpdateDelegationKeys("targets/level1/level2", []data.PublicKey{k}, []string{}, 1)
require.NoError(t, err)
@ -1386,7 +1385,7 @@ func TestListTargetRestrictsDelegationPaths(t *testing.T) {
require.NoError(t, err, "error creating repository: %s", err)
// setup delegated targets/level1 role
k, err := repo.CryptoService.Create("targets/level1", data.ECDSAKey)
k, err := repo.CryptoService.Create("targets/level1", repo.gun, data.ECDSAKey)
require.NoError(t, err)
err = repo.tufRepo.UpdateDelegationKeys("targets/level1", []data.PublicKey{k}, []string{}, 1)
require.NoError(t, err)
@ -1653,7 +1652,7 @@ func TestPublishUninitializedRepo(t *testing.T) {
requireRepoHasExpectedMetadata(t, repo, data.CanonicalTargetsRole, false)
// now, initialize and republish in the same directory
rootPubKey, err := repo.CryptoService.Create("root", data.ECDSAKey)
rootPubKey, err := repo.CryptoService.Create("root", repo.gun, data.ECDSAKey)
require.NoError(t, err, "error generating root key: %s", err)
require.NoError(t, repo.Initialize(rootPubKey.ID()))
@ -1987,7 +1986,7 @@ type cannotCreateKeys struct {
signed.CryptoService
}
func (cs cannotCreateKeys) Create(_, _ string) (data.PublicKey, error) {
func (cs cannotCreateKeys) Create(_, _, _ string) (data.PublicKey, error) {
return nil, fmt.Errorf("Oh no I cannot create keys")
}
@ -2009,10 +2008,9 @@ func TestPublishSnapshotLocalKeysCreatedFirst(t *testing.T) {
tempBaseDir, gun, ts.URL, http.DefaultTransport, passphraseRetriever)
require.NoError(t, err, "error creating repo: %s", err)
cs := cryptoservice.NewCryptoService(gun,
trustmanager.NewKeyMemoryStore(passphraseRetriever))
cs := cryptoservice.NewCryptoService(trustmanager.NewKeyMemoryStore(passphraseRetriever))
rootPubKey, err := cs.Create(data.CanonicalRootRole, data.ECDSAKey)
rootPubKey, err := cs.Create(data.CanonicalRootRole, gun, data.ECDSAKey)
require.NoError(t, err, "error generating root key: %s", err)
repo.CryptoService = cannotCreateKeys{CryptoService: cs}
@ -2024,7 +2022,7 @@ func TestPublishSnapshotLocalKeysCreatedFirst(t *testing.T) {
}
func createKey(t *testing.T, repo *NotaryRepository, role string, x509 bool) data.PublicKey {
key, err := repo.CryptoService.Create(role, data.ECDSAKey)
key, err := repo.CryptoService.Create(role, repo.gun, data.ECDSAKey)
require.NoError(t, err, "error creating key")
if x509 {
@ -2282,11 +2280,11 @@ func TestPublishTargetsDelegationSuccessNeedsToDownloadRoles(t *testing.T) {
defer os.RemoveAll(delgRepo.baseDir)
// create a key on the owner repo
aKey, err := ownerRepo.CryptoService.Create("targets/a", data.ECDSAKey)
aKey, err := ownerRepo.CryptoService.Create("targets/a", gun, data.ECDSAKey)
require.NoError(t, err, "error creating delegation key")
// create a key on the delegated repo
bKey, err := delgRepo.CryptoService.Create("targets/a/b", data.ECDSAKey)
bKey, err := delgRepo.CryptoService.Create("targets/a/b", gun, data.ECDSAKey)
require.NoError(t, err, "error creating delegation key")
// clear metadata and unencrypted private key cache
@ -2329,11 +2327,11 @@ func TestPublishTargetsDelegationFromTwoRepos(t *testing.T) {
defer os.RemoveAll(repo2.baseDir)
// create keys for each repo
key1, err := repo1.CryptoService.Create("targets/a", data.ECDSAKey)
key1, err := repo1.CryptoService.Create("targets/a", repo1.gun, data.ECDSAKey)
require.NoError(t, err, "error creating delegation key")
// create a key on the delegated repo
key2, err := repo2.CryptoService.Create("targets/a", data.ECDSAKey)
key2, err := repo2.CryptoService.Create("targets/a", repo2.gun, data.ECDSAKey)
require.NoError(t, err, "error creating delegation key")
// delegation includes both keys
@ -2403,7 +2401,7 @@ func TestPublishRemoveDelegationKeyFromDelegationRole(t *testing.T) {
defer os.RemoveAll(delgRepo.baseDir)
// create a key on the delegated repo
aKey, err := delgRepo.CryptoService.Create("targets/a", data.ECDSAKey)
aKey, err := delgRepo.CryptoService.Create("targets/a", delgRepo.gun, data.ECDSAKey)
require.NoError(t, err, "error creating delegation key")
// owner creates delegation, adds the delegated key to it, and publishes it
@ -2418,7 +2416,7 @@ func TestPublishRemoveDelegationKeyFromDelegationRole(t *testing.T) {
// owner revokes delegation
// note there is no removekeyfromdelegation yet, so here's a hack to do so
newKey, err := ownerRepo.CryptoService.Create("targets/a", data.ECDSAKey)
newKey, err := ownerRepo.CryptoService.Create("targets/a", ownerRepo.gun, data.ECDSAKey)
require.NoError(t, err)
tdJSON, err := json.Marshal(&changelist.TufDelegation{
NewThreshold: 1,
@ -2461,7 +2459,7 @@ func TestPublishRemoveDelegation(t *testing.T) {
defer os.RemoveAll(delgRepo.baseDir)
// create a key on the delegated repo
aKey, err := delgRepo.CryptoService.Create("targets/a", data.ECDSAKey)
aKey, err := delgRepo.CryptoService.Create("targets/a", delgRepo.gun, data.ECDSAKey)
require.NoError(t, err, "error creating delegation key")
// owner creates delegation, adds the delegated key to it, and publishes it
@ -2496,7 +2494,7 @@ func TestPublishSucceedsDespiteDelegationCorrupt(t *testing.T) {
repo, _ := initializeRepo(t, data.ECDSAKey, "docker.com/notary", ts.URL, false)
defer os.RemoveAll(repo.baseDir)
delgKey, err := repo.CryptoService.Create("targets/a", data.ECDSAKey)
delgKey, err := repo.CryptoService.Create("targets/a", repo.gun, data.ECDSAKey)
require.NoError(t, err, "error creating delegation key")
require.NoError(t,
@ -2932,7 +2930,7 @@ func TestFullAddDelegationChangefileApplicable(t *testing.T) {
rootPubKey := repo.CryptoService.GetKey(rootKeyID)
require.NotNil(t, rootPubKey)
key2, err := repo.CryptoService.Create("user", data.ECDSAKey)
key2, err := repo.CryptoService.Create("user", repo.gun, data.ECDSAKey)
require.NoError(t, err)
delegationName := "targets/a"
@ -2970,7 +2968,7 @@ func TestFullRemoveDelegationChangefileApplicable(t *testing.T) {
rootPubKey := repo.CryptoService.GetKey(rootKeyID)
require.NotNil(t, rootPubKey)
key2, err := repo.CryptoService.Create("user", data.ECDSAKey)
key2, err := repo.CryptoService.Create("user", repo.gun, data.ECDSAKey)
require.NoError(t, err)
key2CanonicalID, err := utils.CanonicalKeyID(key2)
require.NoError(t, err)

2
client/client_update_test.go
View File

@ -1296,7 +1296,7 @@ func testUpdateRemoteKeyRotated(t *testing.T, targetsRole string) {
require.NoError(t, err)
cs := signed.NewEd25519()
pubKey, err := cs.Create(targetsRole, data.ED25519Key)
pubKey, err := cs.Create(targetsRole, repo.gun, data.ED25519Key)
require.NoError(t, err)
// bump the version

32
client/helpers_test.go
View File

@ -186,7 +186,7 @@ func TestApplyTargetsDelegationCreateDelete(t *testing.T) {
repo, cs, err := testutils.EmptyRepo("docker.com/notary")
require.NoError(t, err)
newKey, err := cs.Create("targets/level1", data.ED25519Key)
newKey, err := cs.Create("targets/level1", "docker.com/notary", data.ED25519Key)
require.NoError(t, err)
// create delegation
@ -250,7 +250,7 @@ func TestApplyTargetsDelegationCreate2SharedKey(t *testing.T) {
repo, cs, err := testutils.EmptyRepo("docker.com/notary")
require.NoError(t, err)
newKey, err := cs.Create("targets/level1", data.ED25519Key)
newKey, err := cs.Create("targets/level1", "docker.com/notary", data.ED25519Key)
require.NoError(t, err)
// create first delegation
@ -353,7 +353,7 @@ func TestApplyTargetsDelegationCreateEdit(t *testing.T) {
repo, cs, err := testutils.EmptyRepo("docker.com/notary")
require.NoError(t, err)
newKey, err := cs.Create("targets/level1", data.ED25519Key)
newKey, err := cs.Create("targets/level1", "docker.com/notary", data.ED25519Key)
require.NoError(t, err)
// create delegation
@ -379,7 +379,7 @@ func TestApplyTargetsDelegationCreateEdit(t *testing.T) {
require.NoError(t, err)
// edit delegation
newKey2, err := cs.Create("targets/level1", data.ED25519Key)
newKey2, err := cs.Create("targets/level1", "docker.com/notary", data.ED25519Key)
require.NoError(t, err)
kl = data.KeyList{newKey2}
@ -421,7 +421,7 @@ func TestApplyTargetsDelegationEditNonExisting(t *testing.T) {
repo, cs, err := testutils.EmptyRepo("docker.com/notary")
require.NoError(t, err)
newKey, err := cs.Create("targets/level1", data.ED25519Key)
newKey, err := cs.Create("targets/level1", "docker.com/notary", data.ED25519Key)
require.NoError(t, err)
// create delegation
@ -452,7 +452,7 @@ func TestApplyTargetsDelegationCreateAlreadyExisting(t *testing.T) {
repo, cs, err := testutils.EmptyRepo("docker.com/notary")
require.NoError(t, err)
newKey, err := cs.Create("targets/level1", data.ED25519Key)
newKey, err := cs.Create("targets/level1", "docker.com/notary", data.ED25519Key)
require.NoError(t, err)
// create delegation
@ -479,7 +479,7 @@ func TestApplyTargetsDelegationCreateAlreadyExisting(t *testing.T) {
// we have sufficient checks elsewhere we don't need to confirm that
// creating fresh works here via more requires.
extraKey, err := cs.Create("targets/level1", data.ED25519Key)
extraKey, err := cs.Create("targets/level1", "docker.com/notary", data.ED25519Key)
require.NoError(t, err)
// create delegation
@ -514,7 +514,7 @@ func TestApplyTargetsDelegationAlreadyExistingMergePaths(t *testing.T) {
repo, cs, err := testutils.EmptyRepo("docker.com/notary")
require.NoError(t, err)
newKey, err := cs.Create("targets/level1", data.ED25519Key)
newKey, err := cs.Create("targets/level1", "docker.com/notary", data.ED25519Key)
require.NoError(t, err)
// create delegation
@ -570,7 +570,7 @@ func TestApplyTargetsDelegationInvalidRole(t *testing.T) {
repo, cs, err := testutils.EmptyRepo("docker.com/notary")
require.NoError(t, err)
newKey, err := cs.Create("targets/level1", data.ED25519Key)
newKey, err := cs.Create("targets/level1", "docker.com/notary", data.ED25519Key)
require.NoError(t, err)
// create delegation
@ -600,7 +600,7 @@ func TestApplyTargetsDelegationInvalidJSONContent(t *testing.T) {
repo, cs, err := testutils.EmptyRepo("docker.com/notary")
require.NoError(t, err)
newKey, err := cs.Create("targets/level1", data.ED25519Key)
newKey, err := cs.Create("targets/level1", "docker.com/notary", data.ED25519Key)
require.NoError(t, err)
// create delegation
@ -662,7 +662,7 @@ func TestApplyTargetsDelegationCreate2Deep(t *testing.T) {
repo, cs, err := testutils.EmptyRepo("docker.com/notary")
require.NoError(t, err)
newKey, err := cs.Create("targets/level1", data.ED25519Key)
newKey, err := cs.Create("targets/level1", "docker.com/notary", data.ED25519Key)
require.NoError(t, err)
// create delegation
@ -745,10 +745,10 @@ func TestApplyTargetsDelegationParentDoesntExist(t *testing.T) {
// make sure a key exists for the previous level, so it's not a missing
// key error, but we don't care about this key
_, err = cs.Create("targets/level1", data.ED25519Key)
_, err = cs.Create("targets/level1", "docker.com/notary", data.ED25519Key)
require.NoError(t, err)
newKey, err := cs.Create("targets/level1/level2", data.ED25519Key)
newKey, err := cs.Create("targets/level1/level2", "docker.com/notary", data.ED25519Key)
require.NoError(t, err)
// create delegation
@ -779,7 +779,7 @@ func TestApplyChangelistCreatesDelegation(t *testing.T) {
repo, cs, err := testutils.EmptyRepo("docker.com/notary")
require.NoError(t, err)
newKey, err := cs.Create("targets/level1", data.ED25519Key)
newKey, err := cs.Create("targets/level1", "docker.com/notary", data.ED25519Key)
require.NoError(t, err)
err = repo.UpdateDelegationKeys("targets/level1", []data.PublicKey{newKey}, []string{}, 1)
@ -818,7 +818,7 @@ func TestApplyChangelistTargetsToMultipleRoles(t *testing.T) {
repo, cs, err := testutils.EmptyRepo("docker.com/notary")
require.NoError(t, err)
newKey, err := cs.Create("targets/level1", data.ED25519Key)
newKey, err := cs.Create("targets/level1", "docker.com/notary", data.ED25519Key)
require.NoError(t, err)
err = repo.UpdateDelegationKeys("targets/level1", []data.PublicKey{newKey}, []string{}, 1)
@ -937,7 +937,7 @@ func TestChangeTargetMetaFailsIfPrefixError(t *testing.T) {
repo, cs, err := testutils.EmptyRepo("docker.com/notary")
require.NoError(t, err)
newKey, err := cs.Create("targets/level1", data.ED25519Key)
newKey, err := cs.Create("targets/level1", "docker.com/notary", data.ED25519Key)
require.NoError(t, err)
err = repo.UpdateDelegationKeys("targets/level1", []data.PublicKey{newKey}, []string{}, 1)

2
cmd/notary-signer/main.go
View File

@ -109,7 +109,7 @@ func setUpCryptoservices(configuration *viper.Viper, allowedBackends []string) (
keyStore = dbStore
}
cryptoService := cryptoservice.NewCryptoService("", keyStore)
cryptoService := cryptoservice.NewCryptoService(keyStore)
cryptoServices := make(signer.CryptoServiceIndex)
cryptoServices[data.ED25519Key] = cryptoService
cryptoServices[data.ECDSAKey] = cryptoService

4
cmd/notary-signer/main_test.go
View File

@ -156,7 +156,7 @@ func TestSetupCryptoServicesDBStoreSuccess(t *testing.T) {
os.Setenv("NOTARY_SIGNER_TIMESTAMP", "password")
defer os.Unsetenv("NOTARY_SIGNER_TIMESTAMP")
_, err = ecService.Create("timestamp", data.ECDSAKey)
_, err = ecService.Create("timestamp", "", data.ECDSAKey)
assert.NoError(t, err)
db.Model(&gormKey).Count(&count)
assert.Equal(t, 1, count)
@ -182,7 +182,7 @@ func TestSetupCryptoServicesMemoryStore(t *testing.T) {
// since the keystores are not exposed by CryptoService, try creating
// and getting the key
pubKey, err := ecService.Create("", data.ECDSAKey)
pubKey, err := ecService.Create("", "", data.ECDSAKey)
assert.NoError(t, err)
privKey, _, err := ecService.GetPrivateKey(pubKey.ID())
assert.NoError(t, err)

36
cmd/notary/integration_test.go
View File

@ -69,8 +69,7 @@ func setupServerHandler(metaStore storage.MetaStore) http.Handler {
l.Out = &b
ctx = ctxu.WithLogger(ctx, logrus.NewEntry(l))
cryptoService := cryptoservice.NewCryptoService(
"", trustmanager.NewKeyMemoryStore(passphrase.ConstantRetriever("pass")))
cryptoService := cryptoservice.NewCryptoService(trustmanager.NewKeyMemoryStore(passphrase.ConstantRetriever("pass")))
return server.RootHandler(nil, ctx, cryptoService, nil, nil)
}
@ -1060,6 +1059,39 @@ func TestClientKeyImportExportRootOnly(t *testing.T) {
assertNumKeys(t, tempDir, 1, 2, !rootOnHardware())
assertSuccessfullyPublish(
t, tempDir, server.URL, "gun", target, tempFile.Name())
// Now assert that bad root keys give an error
// Try importing an unencrypted root key:
privKey, err := trustmanager.GenerateECDSAKey(rand.Reader)
assert.NoError(t, err)
decryptedPEMBytes, err := trustmanager.KeyToPEM(privKey, data.CanonicalRootRole)
decryptedKeyFile, err := ioutil.TempFile("", "decryptedPem")
assert.NoError(t, err)
// close later, because we might need to write to it
defer os.Remove(decryptedKeyFile.Name())
nBytes, err := decryptedKeyFile.Write(decryptedPEMBytes)
assert.NoError(t, err)
decryptedKeyFile.Close()
assert.Equal(t, len(decryptedPEMBytes), nBytes)
// import the key
_, err = runCommand(t, tempDir, "key", "import", decryptedKeyFile.Name())
assert.Error(t, err)
// Now try importing an invalid PEM as a root key
invalidPEMBytes := []byte("this is not PEM")
invalidPEMFile, err := ioutil.TempFile("", "invalidPem")
assert.NoError(t, err)
// close later, because we might need to write to it
defer os.Remove(invalidPEMFile.Name())
nBytes, err = invalidPEMFile.Write(invalidPEMBytes)
assert.NoError(t, err)
invalidPEMFile.Close()
assert.Equal(t, len(invalidPEMBytes), nBytes)
// import the key
_, err = runCommand(t, tempDir, "key", "import", invalidPEMFile.Name())
assert.Error(t, err)
}
// Helper method to get the subdirectory for TUF keys

34
cmd/notary/keys.go
View File

@ -187,9 +187,9 @@ func (k *keyCommander) keysGenerateRootKey(cmd *cobra.Command, args []string) er
if err != nil {
return err
}
cs := cryptoservice.NewCryptoService("", ks...)
cs := cryptoservice.NewCryptoService(ks...)
pubKey, err := cs.Create(data.CanonicalRootRole, algorithm)
pubKey, err := cs.Create(data.CanonicalRootRole, "", algorithm)
if err != nil {
return fmt.Errorf("Failed to create a new root key: %v", err)
}
@ -215,7 +215,7 @@ func (k *keyCommander) keysBackup(cmd *cobra.Command, args []string) error {
}
exportFilename := args[0]
cs := cryptoservice.NewCryptoService("", ks...)
cs := cryptoservice.NewCryptoService(ks...)
exportFile, err := os.Create(exportFilename)
if err != nil {
@ -263,7 +263,7 @@ func (k *keyCommander) keysExport(cmd *cobra.Command, args []string) error {
return err
}
cs := cryptoservice.NewCryptoService("", ks...)
cs := cryptoservice.NewCryptoService(ks...)
keyInfo, err := cs.GetKeyInfo(keyID)
if err != nil {
return fmt.Errorf("Could not retrieve info for key %s", keyID)
@ -306,7 +306,7 @@ func (k *keyCommander) keysRestore(cmd *cobra.Command, args []string) error {
if err != nil {
return err
}
cs := cryptoservice.NewCryptoService("", ks...)
cs := cryptoservice.NewCryptoService(ks...)
zipReader, err := zip.OpenReader(importFilename)
if err != nil {
@ -314,7 +314,7 @@ func (k *keyCommander) keysRestore(cmd *cobra.Command, args []string) error {
}
defer zipReader.Close()
err = cs.ImportKeysZip(zipReader.Reader)
err = cs.ImportKeysZip(zipReader.Reader, k.getRetriever())
if err != nil {
return fmt.Errorf("Error importing keys: %v", err)
@ -376,11 +376,25 @@ func (k *keyCommander) keysImport(cmd *cobra.Command, args []string) error {
return fmt.Errorf("Must specify GUN for %s key", importRole)
}
cs := cryptoservice.NewCryptoService(k.keysImportGUN, ks...)
err = cs.ImportRoleKey(pemBytes, importRole, k.getRetriever())
// Root keys must be encrypted
if importRole == data.CanonicalRootRole {
if err = cryptoservice.CheckRootKeyIsEncrypted(pemBytes); err != nil {
return err
}
}
cs := cryptoservice.NewCryptoService(ks...)
// Convert to a data.PrivateKey, potentially decrypting the key
privKey, err := trustmanager.ParsePEMPrivateKey(pemBytes, "")
if err != nil {
return fmt.Errorf("Error importing root key: %v", err)
privKey, _, err = trustmanager.GetPasswdDecryptBytes(k.getRetriever(), pemBytes, "", "imported "+importRole)
if err != nil {
return err
}
}
err = cs.AddKey(importRole, k.keysImportGUN, privKey)
if err != nil {
return fmt.Errorf("Error importing key: %v", err)
}
return nil
}
@ -536,7 +550,7 @@ func (k *keyCommander) keyPassphraseChange(cmd *cobra.Command, args []string) er
return fmt.Errorf("invalid key ID provided: %s", keyID)
}
cs := cryptoservice.NewCryptoService("", ks...)
cs := cryptoservice.NewCryptoService(ks...)
privKey, _, err := cs.GetPrivateKey(keyID)
if err != nil {
return fmt.Errorf("could not retrieve local key for key ID provided: %s", keyID)

5
cmd/notary/keys_test.go
View File

@ -326,15 +326,14 @@ func setUpRepo(t *testing.T, tempBaseDir, gun string, ret passphrase.Retriever)
l.Out = bytes.NewBuffer(nil)
ctx = ctxu.WithLogger(ctx, logrus.NewEntry(l))
cryptoService := cryptoservice.NewCryptoService(
"", trustmanager.NewKeyMemoryStore(ret))
cryptoService := cryptoservice.NewCryptoService(trustmanager.NewKeyMemoryStore(ret))
ts := httptest.NewServer(server.RootHandler(nil, ctx, cryptoService, nil, nil))
repo, err := client.NewNotaryRepository(
tempBaseDir, gun, ts.URL, http.DefaultTransport, ret)
assert.NoError(t, err, "error creating repo: %s", err)
rootPubKey, err := repo.CryptoService.Create("root", data.ECDSAKey)
rootPubKey, err := repo.CryptoService.Create("root", "", data.ECDSAKey)
assert.NoError(t, err, "error generating root key: %s", err)
err = repo.Initialize(rootPubKey.ID())

2
cmd/notary/tuf.go
View File

@ -166,7 +166,7 @@ func (t *tufCommander) tufInit(cmd *cobra.Command, args []string) error {
var rootKeyID string
if len(rootKeyList) < 1 {
cmd.Println("No root keys found. Generating a new root key...")
rootPublicKey, err := nRepo.CryptoService.Create(data.CanonicalRootRole, data.ECDSAKey)
rootPublicKey, err := nRepo.CryptoService.Create(data.CanonicalRootRole, "", data.ECDSAKey)
rootKeyID = rootPublicKey.ID()
if err != nil {
return err

13
cryptoservice/crypto_service.go
View File

@ -16,17 +16,16 @@ const (
// CryptoService implements Sign and Create, holding a specific GUN and keystore to
// operate on
type CryptoService struct {
gun string
keyStores []trustmanager.KeyStore
}
// NewCryptoService returns an instance of CryptoService
func NewCryptoService(gun string, keyStores ...trustmanager.KeyStore) *CryptoService {
return &CryptoService{gun: gun, keyStores: keyStores}
func NewCryptoService(keyStores ...trustmanager.KeyStore) *CryptoService {
return &CryptoService{keyStores: keyStores}
}
// Create is used to generate keys for targets, snapshots and timestamps
func (cs *CryptoService) Create(role, algorithm string) (data.PublicKey, error) {
func (cs *CryptoService) Create(role, gun, algorithm string) (data.PublicKey, error) {
var privKey data.PrivateKey
var err error
@ -53,7 +52,7 @@ func (cs *CryptoService) Create(role, algorithm string) (data.PublicKey, error)
// Store the private key into our keystore
for _, ks := range cs.keyStores {
err = ks.AddKey(privKey, trustmanager.KeyInfo{Role: role, Gun: cs.gun})
err = ks.AddKey(privKey, trustmanager.KeyInfo{Role: role, Gun: gun})
if err == nil {
return data.PublicKeyFromPrivate(privKey), nil
}
@ -111,7 +110,7 @@ func (cs *CryptoService) RemoveKey(keyID string) (err error) {
// AddKey adds a private key to a specified role.
// The GUN is inferred from the cryptoservice itself for non-root roles
func (cs *CryptoService) AddKey(key data.PrivateKey, role string) (err error) {
func (cs *CryptoService) AddKey(role, gun string, key data.PrivateKey) (err error) {
// First check if this key already exists in any of our keystores
for _, ks := range cs.keyStores {
if keyInfo, err := ks.GetKeyInfo(key.ID()); err == nil {
@ -125,7 +124,7 @@ func (cs *CryptoService) AddKey(key data.PrivateKey, role string) (err error) {
// If the key didn't exist in any of our keystores, add and return on the first successful keystore
for _, ks := range cs.keyStores {
// Try to add to this keystore, return if successful
if err = ks.AddKey(key, trustmanager.KeyInfo{Role: role, Gun: cs.gun}); err == nil {
if err = ks.AddKey(key, trustmanager.KeyInfo{Role: role, Gun: gun}); err == nil {
return nil
}
}

36
cryptoservice/crypto_service_test.go
View File

@ -32,7 +32,7 @@ type CryptoServiceTester struct {
}
func (c CryptoServiceTester) cryptoServiceFactory() *CryptoService {
return NewCryptoService(c.gun, trustmanager.NewKeyMemoryStore(passphraseRetriever))
return NewCryptoService(trustmanager.NewKeyMemoryStore(passphraseRetriever))
}
// asserts that created key exists
@ -40,7 +40,7 @@ func (c CryptoServiceTester) TestCreateAndGetKey(t *testing.T) {
cryptoService := c.cryptoServiceFactory()
// Test Create
tufKey, err := cryptoService.Create(c.role, c.keyAlgo)
tufKey, err := cryptoService.Create(c.role, c.gun, c.keyAlgo)
assert.NoError(t, err, c.errorMsg("error creating key"))
// Test GetKey
@ -66,13 +66,13 @@ func (c CryptoServiceTester) TestCreateAndGetWhenMultipleKeystores(t *testing.T)
trustmanager.NewKeyMemoryStore(passphraseRetriever))
// Test Create
tufKey, err := cryptoService.Create(c.role, c.keyAlgo)
tufKey, err := cryptoService.Create(c.role, c.gun, c.keyAlgo)
assert.NoError(t, err, c.errorMsg("error creating key"))
// Only the first keystore should have the key
keyPath := tufKey.ID()
if c.role != data.CanonicalRootRole && cryptoService.gun != "" {
keyPath = filepath.Join(cryptoService.gun, keyPath)
if c.role != data.CanonicalRootRole && c.gun != "" {
keyPath = filepath.Join(c.gun, keyPath)
}
_, _, err = cryptoService.keyStores[0].GetKey(keyPath)
assert.NoError(t, err, c.errorMsg(
@ -106,7 +106,7 @@ func (c CryptoServiceTester) TestSignWithKey(t *testing.T) {
cryptoService := c.cryptoServiceFactory()
content := []byte("this is a secret")
tufKey, err := cryptoService.Create(c.role, c.keyAlgo)
tufKey, err := cryptoService.Create(c.role, c.gun, c.keyAlgo)
assert.NoError(t, err, c.errorMsg("error creating key"))
// Test Sign
@ -171,15 +171,15 @@ func (c CryptoServiceTester) TestGetPrivateKeyPasswordInvalid(t *testing.T) {
retriever := passphrase.ConstantRetriever("password")
store, err := trustmanager.NewKeyFileStore(tempBaseDir, retriever)
assert.NoError(t, err)
cryptoService := NewCryptoService(c.gun, store)
pubKey, err := cryptoService.Create(c.role, c.keyAlgo)
cryptoService := NewCryptoService(store)
pubKey, err := cryptoService.Create(c.role, c.gun, c.keyAlgo)
assert.NoError(t, err, "error generating key: %s", err)
// cryptoService's FileKeyStore caches the unlocked private key, so to test
// private key unlocking we need a new instance.
store, err = trustmanager.NewKeyFileStore(tempBaseDir, giveUpPassphraseRetriever)
assert.NoError(t, err)
cryptoService = NewCryptoService(c.gun, store)
cryptoService = NewCryptoService(store)
_, _, err = cryptoService.GetPrivateKey(pubKey.ID())
assert.EqualError(t, err, trustmanager.ErrPasswordInvalid{}.Error())
@ -195,8 +195,8 @@ func (c CryptoServiceTester) TestGetPrivateKeyAttemptsExceeded(t *testing.T) {
retriever := passphrase.ConstantRetriever("password")
store, err := trustmanager.NewKeyFileStore(tempBaseDir, retriever)
assert.NoError(t, err)
cryptoService := NewCryptoService(c.gun, store)
pubKey, err := cryptoService.Create(c.role, c.keyAlgo)
cryptoService := NewCryptoService(store)
pubKey, err := cryptoService.Create(c.role, c.gun, c.keyAlgo)
assert.NoError(t, err, "error generating key: %s", err)
// trustmanager.KeyFileStore and trustmanager.KeyMemoryStore both cache the unlocked
@ -206,7 +206,7 @@ func (c CryptoServiceTester) TestGetPrivateKeyAttemptsExceeded(t *testing.T) {
retriever = passphrase.ConstantRetriever("incorrect password")
store, err = trustmanager.NewKeyFileStore(tempBaseDir, retriever)
assert.NoError(t, err)
cryptoService = NewCryptoService(c.gun, store)
cryptoService = NewCryptoService(store)
_, _, err = cryptoService.GetPrivateKey(pubKey.ID())
assert.EqualError(t, err, trustmanager.ErrAttemptsExceeded{}.Error())
@ -216,7 +216,7 @@ func (c CryptoServiceTester) TestGetPrivateKeyAttemptsExceeded(t *testing.T) {
func (c CryptoServiceTester) TestRemoveCreatedKey(t *testing.T) {
cryptoService := c.cryptoServiceFactory()
tufKey, err := cryptoService.Create(c.role, c.keyAlgo)
tufKey, err := cryptoService.Create(c.role, c.gun, c.keyAlgo)
assert.NoError(t, err, c.errorMsg("error creating key"))
assert.NotNil(t, cryptoService.GetKey(tufKey.ID()))
@ -311,7 +311,7 @@ func (c CryptoServiceTester) TestAddKey(t *testing.T) {
assert.NoError(t, err)
// Add the key to the targets role
assert.NoError(t, cryptoService.AddKey(privKey, data.CanonicalTargetsRole))
assert.NoError(t, cryptoService.AddKey(data.CanonicalTargetsRole, c.gun, privKey))
// Check that we added the key and its info to only the first keystore
retrievedKey, retrievedRole, err := cryptoService.keyStores[0].GetKey(privKey.ID())
@ -322,7 +322,7 @@ func (c CryptoServiceTester) TestAddKey(t *testing.T) {
retrievedKeyInfo, err := cryptoService.keyStores[0].GetKeyInfo(privKey.ID())
assert.NoError(t, err)
assert.Equal(t, data.CanonicalTargetsRole, retrievedKeyInfo.Role)
assert.Equal(t, cryptoService.gun, retrievedKeyInfo.Gun)
assert.Equal(t, c.gun, retrievedKeyInfo.Gun)
// The key should not exist in the second keystore
_, _, err = cryptoService.keyStores[1].GetKey(privKey.ID())
@ -338,13 +338,13 @@ func (c CryptoServiceTester) TestAddKey(t *testing.T) {
retrievedKeyInfo, err = cryptoService.GetKeyInfo(privKey.ID())
assert.NoError(t, err)
assert.Equal(t, data.CanonicalTargetsRole, retrievedKeyInfo.Role)
assert.Equal(t, cryptoService.gun, retrievedKeyInfo.Gun)
assert.Equal(t, c.gun, retrievedKeyInfo.Gun)
// Add the same key to the targets role, since the info is the same we should have no error
assert.NoError(t, cryptoService.AddKey(privKey, data.CanonicalTargetsRole))
assert.NoError(t, cryptoService.AddKey(data.CanonicalTargetsRole, c.gun, privKey))
// Try to add the same key to the snapshot role, which should error due to the role mismatch
assert.Error(t, cryptoService.AddKey(privKey, data.CanonicalSnapshotRole))
assert.Error(t, cryptoService.AddKey(data.CanonicalSnapshotRole, c.gun, privKey))
}
// Prints out an error message with information about the key algorithm,

52
cryptoservice/import_export.go
View File

@ -13,7 +13,6 @@ import (
"github.com/docker/notary/passphrase"
"github.com/docker/notary/trustmanager"
"github.com/docker/notary/tuf/data"
)
const zipMadeByUNIX = 3 << 8
@ -101,29 +100,6 @@ func (cs *CryptoService) ExportKeyReencrypt(dest io.Writer, keyID string, newPas
return nil
}
// ImportRoleKey imports a private key in PEM format key from a byte array
// It prompts for the key's passphrase to verify the data and to determine
// the key ID.
func (cs *CryptoService) ImportRoleKey(pemBytes []byte, role string, newPassphraseRetriever passphrase.Retriever) error {
var err error
keyGun := cs.gun
if role == data.CanonicalRootRole {
keyGun = ""
if err = checkRootKeyIsEncrypted(pemBytes); err != nil {
return err
}
}
for _, ks := range cs.keyStores {
// don't redeclare err, we want the value carried out of the loop
if err = ks.ImportKey(pemBytes, role, keyGun); err == nil {
return nil //bail on the first keystore we import to
}
}
return err
}
// ExportAllKeys exports all keys to an io.Writer in zip format.
// newPassphraseRetriever will be used to obtain passphrases to use to encrypt the existing keys.
func (cs *CryptoService) ExportAllKeys(dest io.Writer, newPassphraseRetriever passphrase.Retriever) error {
@ -156,7 +132,7 @@ func (cs *CryptoService) ExportAllKeys(dest io.Writer, newPassphraseRetriever pa
// ImportKeysZip imports keys from a zip file provided as an zip.Reader. The
// keys in the root_keys directory are left encrypted, but the other keys are
// decrypted with the specified passphrase.
func (cs *CryptoService) ImportKeysZip(zipReader zip.Reader) error {
func (cs *CryptoService) ImportKeysZip(zipReader zip.Reader, retriever passphrase.Retriever) error {
// Temporarily store the keys in maps, so we can bail early if there's
// an error (for example, wrong passphrase), without leaving the key
// store in an inconsistent state
@ -179,7 +155,7 @@ func (cs *CryptoService) ImportKeysZip(zipReader zip.Reader) error {
// Note that using / as a separator is okay here - the zip
// package guarantees that the separator will be /
if fNameTrimmed[len(fNameTrimmed)-5:] == "_root" {
if err = checkRootKeyIsEncrypted(fileBytes); err != nil {
if err = CheckRootKeyIsEncrypted(fileBytes); err != nil {
return err
}
}
@ -187,20 +163,18 @@ func (cs *CryptoService) ImportKeysZip(zipReader zip.Reader) error {
}
for keyName, pemBytes := range newKeys {
// Get the key role information as well as its data.PrivateKey representation
_, keyInfo := trustmanager.KeyInfoFromPEM(pemBytes, keyName)
// try to import the key to all key stores. As long as one of them
// succeeds, consider it a success
var tmpErr error
for _, ks := range cs.keyStores {
if err := ks.ImportKey(pemBytes, keyInfo.Role, keyInfo.Gun); err != nil {
tmpErr = err
} else {
tmpErr = nil
break
privKey, err := trustmanager.ParsePEMPrivateKey(pemBytes, "")
if err != nil {
privKey, _, err = trustmanager.GetPasswdDecryptBytes(retriever, pemBytes, "", "imported "+keyInfo.Role)
if err != nil {
return err
}
}
if tmpErr != nil {
return tmpErr
// Add the key to our cryptoservice, will add to the first successful keystore
if err = cs.AddKey(keyInfo.Role, keyInfo.Gun, privKey); err != nil {
return err
}
}
@ -320,9 +294,9 @@ func addKeysToArchive(zipWriter *zip.Writer, newKeyStore *trustmanager.KeyFileSt
return nil
}
// checkRootKeyIsEncrypted makes sure the root key is encrypted. We have
// CheckRootKeyIsEncrypted makes sure the root key is encrypted. We have
// internal assumptions that depend on this.
func checkRootKeyIsEncrypted(pemBytes []byte) error {
func CheckRootKeyIsEncrypted(pemBytes []byte) error {
block, _ := pem.Decode(pemBytes)
if block == nil {
return ErrNoValidPrivateKey

20
cryptoservice/import_export_compatibility_test.go
View File

@ -17,7 +17,7 @@ import (
// Zips up the keys in the old repo, and assert that we can import it and use
// said keys. The 0.1 exported format is just a zip file of all the keys
func TestImport0Dot1Zip(t *testing.T) {
ks, ret, gun := get0Dot1(t)
ks, ret, _ := get0Dot1(t)
zipFile, err := ioutil.TempFile("", "notary-test-zipFile")
defer os.RemoveAll(zipFile.Name())
@ -41,13 +41,13 @@ func TestImport0Dot1Zip(t *testing.T) {
ks, err = trustmanager.NewKeyFileStore(tempDir, ret)
assert.NoError(t, err)
cs := NewCryptoService(gun, ks)
cs := NewCryptoService(ks)
zipReader, err := zip.OpenReader(zipFile.Name())
assert.NoError(t, err)
defer zipReader.Close()
assert.NoError(t, cs.ImportKeysZip(zipReader.Reader))
assert.NoError(t, cs.ImportKeysZip(zipReader.Reader, passphrase.ConstantRetriever("randompass")))
assertHasKeys(t, cs, origKeys)
}
@ -94,11 +94,11 @@ func importExportedZip(t *testing.T, original *CryptoService,
if gun != "" {
err = original.ExportKeysByGUN(zipFile, gun, ret)
assert.NoError(t, err)
cs = NewCryptoService(gun, ks)
cs = NewCryptoService(ks)
} else {
err = original.ExportAllKeys(zipFile, ret)
assert.NoError(t, err)
cs = NewCryptoService(original.gun, ks)
cs = NewCryptoService(ks)
}
zipFile.Close()
@ -107,13 +107,13 @@ func importExportedZip(t *testing.T, original *CryptoService,
assert.NoError(t, err)
defer zipReader.Close()
assert.NoError(t, cs.ImportKeysZip(zipReader.Reader))
assert.NoError(t, cs.ImportKeysZip(zipReader.Reader, passphrase.ConstantRetriever("randompass")))
return cs, tempBaseDir
}
func TestImportExport0Dot1AllKeys(t *testing.T) {
ks, ret, gun := get0Dot1(t)
cs := NewCryptoService(gun, ks)
ks, ret, _ := get0Dot1(t)
cs := NewCryptoService(ks)
newCS, tempDir := importExportedZip(t, cs, ret, "")
defer os.RemoveAll(tempDir)
@ -140,11 +140,11 @@ func TestImportExport0Dot1GUNKeys(t *testing.T) {
otherKS, err := trustmanager.NewKeyFileStore(tempDir, ret)
assert.NoError(t, err)
cs := NewCryptoService("some/other/gun", otherKS, ks)
cs := NewCryptoService(otherKS, ks)
// create a keys that is not of the same GUN, and be sure it's in this
// CryptoService
otherPubKey, err := cs.Create(data.CanonicalTargetsRole, data.ECDSAKey)
otherPubKey, err := cs.Create(data.CanonicalTargetsRole, "some/other/gun", data.ECDSAKey)
assert.NoError(t, err)
k, _, err := cs.GetPrivateKey(otherPubKey.ID())

102
cryptoservice/import_export_test.go
View File

@ -2,14 +2,12 @@ package cryptoservice
import (
"archive/zip"
"bytes"
"fmt"
"io/ioutil"
"net/http"
"net/http/httptest"
"os"
"path/filepath"
"strings"
"testing"
"github.com/docker/notary"
@ -50,8 +48,8 @@ func TestImportExportZip(t *testing.T) {
assert.NoError(t, err, "failed to create a temporary directory: %s", err)
fileStore, err := trustmanager.NewKeyFileStore(tempBaseDir, newPassphraseRetriever)
cs := NewCryptoService(gun, fileStore)
pubKey, err := cs.Create(data.CanonicalRootRole, data.ECDSAKey)
cs := NewCryptoService(fileStore)
pubKey, err := cs.Create(data.CanonicalRootRole, gun, data.ECDSAKey)
assert.NoError(t, err)
rootKeyID := pubKey.ID()
@ -122,14 +120,14 @@ func TestImportExportZip(t *testing.T) {
fileStore2, err := trustmanager.NewKeyFileStore(tempBaseDir2, newPassphraseRetriever)
assert.NoError(t, err)
cs2 := NewCryptoService(gun, fileStore2)
cs2 := NewCryptoService(fileStore2)
// Reopen the zip file for importing
zipReader, err = zip.OpenReader(tempZipFilePath)
assert.NoError(t, err, "could not open zip file")
// Now try with a valid passphrase. This time it should succeed.
err = cs2.ImportKeysZip(zipReader.Reader)
err = cs2.ImportKeysZip(zipReader.Reader, newPassphraseRetriever)
assert.NoError(t, err)
zipReader.Close()
@ -165,10 +163,10 @@ func TestImportExportGUN(t *testing.T) {
assert.NoError(t, err, "failed to create a temporary directory: %s", err)
fileStore, err := trustmanager.NewKeyFileStore(tempBaseDir, newPassphraseRetriever)
cs := NewCryptoService(gun, fileStore)
_, err = cs.Create(data.CanonicalRootRole, data.ECDSAKey)
_, err = cs.Create(data.CanonicalTargetsRole, data.ECDSAKey)
_, err = cs.Create(data.CanonicalSnapshotRole, data.ECDSAKey)
cs := NewCryptoService(fileStore)
_, err = cs.Create(data.CanonicalRootRole, gun, data.ECDSAKey)
_, err = cs.Create(data.CanonicalTargetsRole, gun, data.ECDSAKey)
_, err = cs.Create(data.CanonicalSnapshotRole, gun, data.ECDSAKey)
assert.NoError(t, err)
tempZipFile, err := ioutil.TempFile("", "notary-test-export-")
@ -237,14 +235,14 @@ func TestImportExportGUN(t *testing.T) {
assert.NoError(t, err, "failed to create a temporary directory: %s", err)
fileStore2, err := trustmanager.NewKeyFileStore(tempBaseDir2, newPassphraseRetriever)
cs2 := NewCryptoService(gun, fileStore2)
cs2 := NewCryptoService(fileStore2)
// Reopen the zip file for importing
zipReader, err = zip.OpenReader(tempZipFilePath)
assert.NoError(t, err, "could not open zip file")
// Now try with a valid passphrase. This time it should succeed.
err = cs2.ImportKeysZip(zipReader.Reader)
err = cs2.ImportKeysZip(zipReader.Reader, newPassphraseRetriever)
assert.NoError(t, err)
zipReader.Close()
@ -266,7 +264,7 @@ func TestImportExportGUN(t *testing.T) {
}
}
func TestImportExportRootKey(t *testing.T) {
func TestExportRootKey(t *testing.T) {
gun := "docker.com/notary"
// Temporary directory where test files will be created
@ -275,8 +273,8 @@ func TestImportExportRootKey(t *testing.T) {
assert.NoError(t, err, "failed to create a temporary directory: %s", err)
fileStore, err := trustmanager.NewKeyFileStore(tempBaseDir, oldPassphraseRetriever)
cs := NewCryptoService(gun, fileStore)
pubKey, err := cs.Create(data.CanonicalRootRole, data.ECDSAKey)
cs := NewCryptoService(fileStore)
pubKey, err := cs.Create(data.CanonicalRootRole, gun, data.ECDSAKey)
assert.NoError(t, err)
rootKeyID := pubKey.ID()
@ -295,7 +293,7 @@ func TestImportExportRootKey(t *testing.T) {
assert.NoError(t, err, "failed to create a temporary directory: %s", err)
fileStore2, err := trustmanager.NewKeyFileStore(tempBaseDir2, oldPassphraseRetriever)
cs2 := NewCryptoService(gun, fileStore2)
cs2 := NewCryptoService(fileStore2)
keyReader, err := os.Open(tempKeyFilePath)
assert.NoError(t, err, "could not open key file")
@ -303,7 +301,11 @@ func TestImportExportRootKey(t *testing.T) {
pemImportBytes, err := ioutil.ReadAll(keyReader)
keyReader.Close()
assert.NoError(t, err)
err = cs2.ImportRoleKey(pemImportBytes, data.CanonicalRootRole, nil)
// Convert to a data.PrivateKey, potentially decrypting the key, and add it to the cryptoservice
privKey, _, err := trustmanager.GetPasswdDecryptBytes(oldPassphraseRetriever, pemImportBytes, "", "imported "+data.CanonicalRootRole)
assert.NoError(t, err)
err = cs2.AddKey(data.CanonicalRootRole, gun, privKey)
assert.NoError(t, err)
// Look for repo's root key in repo2
@ -312,35 +314,9 @@ func TestImportExportRootKey(t *testing.T) {
rootKeyFilename := rootKeyID + ".key"
_, err = os.Stat(filepath.Join(tempBaseDir2, notary.PrivDir, notary.RootKeysSubdir, rootKeyFilename))
assert.NoError(t, err, "missing root key")
// Try to import a decrypted version of the root key and make sure it
// doesn't succeed
pemBytes, err := ioutil.ReadFile(tempKeyFilePath)
assert.NoError(t, err, "could not read key file")
privKey, err := trustmanager.ParsePEMPrivateKey(pemBytes, oldPassphrase)
assert.NoError(t, err, "could not decrypt key file")
decryptedPEMBytes, err := trustmanager.KeyToPEM(privKey, "root")
assert.NoError(t, err, "could not convert key to PEM")
pemImportBytes, err = ioutil.ReadAll(bytes.NewReader(decryptedPEMBytes))
assert.NoError(t, err)
err = cs2.ImportRoleKey(pemImportBytes, data.CanonicalRootRole, nil)
assert.EqualError(t, err, ErrRootKeyNotEncrypted.Error())
// Try to import garbage and make sure it doesn't succeed
pemImportBytes, err = ioutil.ReadAll(strings.NewReader("this is not PEM"))
assert.NoError(t, err)
err = cs2.ImportRoleKey(pemImportBytes, data.CanonicalRootRole, nil)
assert.EqualError(t, err, ErrNoValidPrivateKey.Error())
// Should be able to unlock the root key with the old password
key, alias, err := cs2.GetPrivateKey(rootKeyID)
assert.NoError(t, err, "could not unlock root key")
assert.Equal(t, data.CanonicalRootRole, alias)
assert.Equal(t, rootKeyID, key.ID())
}
func TestImportExportRootKeyReencrypt(t *testing.T) {
func TestExportRootKeyReencrypt(t *testing.T) {
gun := "docker.com/notary"
// Temporary directory where test files will be created
@ -349,8 +325,8 @@ func TestImportExportRootKeyReencrypt(t *testing.T) {
assert.NoError(t, err, "failed to create a temporary directory: %s", err)
fileStore, err := trustmanager.NewKeyFileStore(tempBaseDir, oldPassphraseRetriever)
cs := NewCryptoService(gun, fileStore)
pubKey, err := cs.Create(data.CanonicalRootRole, data.ECDSAKey)
cs := NewCryptoService(fileStore)
pubKey, err := cs.Create(data.CanonicalRootRole, gun, data.ECDSAKey)
assert.NoError(t, err)
rootKeyID := pubKey.ID()
@ -369,7 +345,7 @@ func TestImportExportRootKeyReencrypt(t *testing.T) {
assert.NoError(t, err, "failed to create a temporary directory: %s", err)
fileStore2, err := trustmanager.NewKeyFileStore(tempBaseDir2, newPassphraseRetriever)
cs2 := NewCryptoService(gun, fileStore2)
cs2 := NewCryptoService(fileStore2)
keyReader, err := os.Open(tempKeyFilePath)
assert.NoError(t, err, "could not open key file")
@ -377,7 +353,11 @@ func TestImportExportRootKeyReencrypt(t *testing.T) {
pemImportBytes, err := ioutil.ReadAll(keyReader)
keyReader.Close()
assert.NoError(t, err)
err = cs2.ImportRoleKey(pemImportBytes, data.CanonicalRootRole, nil)
// Convert to a data.PrivateKey, potentially decrypting the key, and add it to the cryptoservice
privKey, _, err := trustmanager.GetPasswdDecryptBytes(newPassphraseRetriever, pemImportBytes, "", "imported "+data.CanonicalRootRole)
assert.NoError(t, err)
err = cs2.AddKey(data.CanonicalRootRole, gun, privKey)
assert.NoError(t, err)
// Look for repo's root key in repo2
@ -394,7 +374,7 @@ func TestImportExportRootKeyReencrypt(t *testing.T) {
assert.Equal(t, rootKeyID, key.ID())
}
func TestImportExportNonRootKey(t *testing.T) {
func TestExportNonRootKey(t *testing.T) {
gun := "docker.com/notary"
// Temporary directory where test files will be created
@ -403,8 +383,8 @@ func TestImportExportNonRootKey(t *testing.T) {
assert.NoError(t, err, "failed to create a temporary directory: %s", err)
fileStore, err := trustmanager.NewKeyFileStore(tempBaseDir, oldPassphraseRetriever)
cs := NewCryptoService(gun, fileStore)
pubKey, err := cs.Create(data.CanonicalTargetsRole, data.ECDSAKey)
cs := NewCryptoService(fileStore)
pubKey, err := cs.Create(data.CanonicalTargetsRole, gun, data.ECDSAKey)
assert.NoError(t, err)
targetsKeyID := pubKey.ID()
@ -423,7 +403,7 @@ func TestImportExportNonRootKey(t *testing.T) {
assert.NoError(t, err, "failed to create a temporary directory: %s", err)
fileStore2, err := trustmanager.NewKeyFileStore(tempBaseDir2, oldPassphraseRetriever)
cs2 := NewCryptoService(gun, fileStore2)
cs2 := NewCryptoService(fileStore2)
keyReader, err := os.Open(tempKeyFilePath)
assert.NoError(t, err, "could not open key file")
@ -431,7 +411,10 @@ func TestImportExportNonRootKey(t *testing.T) {
pemBytes, err := ioutil.ReadAll(keyReader)
assert.NoError(t, err, "could not read key file")
err = cs2.ImportRoleKey(pemBytes, data.CanonicalTargetsRole, oldPassphraseRetriever)
// Convert to a data.PrivateKey, potentially decrypting the key, and add it to the cryptoservice
privKey, _, err := trustmanager.GetPasswdDecryptBytes(oldPassphraseRetriever, pemBytes, "", "imported "+data.CanonicalTargetsRole)
assert.NoError(t, err)
err = cs2.AddKey(data.CanonicalTargetsRole, gun, privKey)
assert.NoError(t, err)
keyReader.Close()
@ -449,7 +432,7 @@ func TestImportExportNonRootKey(t *testing.T) {
assert.Equal(t, targetsKeyID, key.ID())
}
func TestImportExportNonRootKeyReencrypt(t *testing.T) {
func TestExportNonRootKeyReencrypt(t *testing.T) {
gun := "docker.com/notary"
// Temporary directory where test files will be created
@ -458,8 +441,8 @@ func TestImportExportNonRootKeyReencrypt(t *testing.T) {
assert.NoError(t, err, "failed to create a temporary directory: %s", err)
fileStore, err := trustmanager.NewKeyFileStore(tempBaseDir, oldPassphraseRetriever)
cs := NewCryptoService(gun, fileStore)
pubKey, err := cs.Create(data.CanonicalSnapshotRole, data.ECDSAKey)
cs := NewCryptoService(fileStore)
pubKey, err := cs.Create(data.CanonicalSnapshotRole, gun, data.ECDSAKey)
assert.NoError(t, err)
snapshotKeyID := pubKey.ID()
@ -478,7 +461,7 @@ func TestImportExportNonRootKeyReencrypt(t *testing.T) {
assert.NoError(t, err, "failed to create a temporary directory: %s", err)
fileStore2, err := trustmanager.NewKeyFileStore(tempBaseDir2, newPassphraseRetriever)
cs2 := NewCryptoService(gun, fileStore2)
cs2 := NewCryptoService(fileStore2)
keyReader, err := os.Open(tempKeyFilePath)
assert.NoError(t, err, "could not open key file")
@ -486,7 +469,10 @@ func TestImportExportNonRootKeyReencrypt(t *testing.T) {
pemBytes, err := ioutil.ReadAll(keyReader)
assert.NoError(t, err, "could not read key file")
err = cs2.ImportRoleKey(pemBytes, data.CanonicalSnapshotRole, newPassphraseRetriever)
// Convert to a data.PrivateKey, potentially decrypting the key, and add it to the cryptoservice
privKey, _, err := trustmanager.GetPasswdDecryptBytes(newPassphraseRetriever, pemBytes, "", "imported "+data.CanonicalSnapshotRole)
assert.NoError(t, err)
err = cs2.AddKey(data.CanonicalSnapshotRole, gun, privKey)
assert.NoError(t, err)
keyReader.Close()

10
server/handlers/validation_test.go
View File

@ -171,7 +171,7 @@ func TestValidateRootRotation(t *testing.T) {
oldRootRole := repo.Root.Signed.Roles["root"]
oldRootKey := repo.Root.Signed.Keys[oldRootRole.KeyIDs[0]]
rootKey, err := crypto.Create("root", data.ED25519Key)
rootKey, err := crypto.Create("root", "", data.ED25519Key)
assert.NoError(t, err)
rootRole, err := data.NewRole("root", 1, []string{rootKey.ID()}, nil)
assert.NoError(t, err)
@ -856,7 +856,7 @@ func TestValidateTargetsLoadParent(t *testing.T) {
assert.NoError(t, err)
store := storage.NewMemStorage()
k, err := cs.Create("targets/level1", data.ED25519Key)
k, err := cs.Create("targets/level1", "docker.com/notary", data.ED25519Key)
assert.NoError(t, err)
err = baseRepo.UpdateDelegationKeys("targets/level1", []data.PublicKey{k}, []string{}, 1)
@ -907,7 +907,7 @@ func TestValidateTargetsParentInUpdate(t *testing.T) {
assert.NoError(t, err)
store := storage.NewMemStorage()
k, err := cs.Create("targets/level1", data.ED25519Key)
k, err := cs.Create("targets/level1", "docker.com/notary", data.ED25519Key)
assert.NoError(t, err)
err = baseRepo.UpdateDelegationKeys("targets/level1", []data.PublicKey{k}, []string{}, 1)
@ -965,7 +965,7 @@ func TestValidateTargetsParentNotFound(t *testing.T) {
assert.NoError(t, err)
store := storage.NewMemStorage()
k, err := cs.Create("targets/level1", data.ED25519Key)
k, err := cs.Create("targets/level1", "docker.com/notary", data.ED25519Key)
assert.NoError(t, err)
err = baseRepo.UpdateDelegationKeys("targets/level1", []data.PublicKey{k}, []string{}, 1)
@ -1003,7 +1003,7 @@ func TestValidateTargetsRoleNotInParent(t *testing.T) {
assert.NoError(t, err)
store := storage.NewMemStorage()
level1Key, err := cs.Create("targets/level1", data.ED25519Key)
level1Key, err := cs.Create("targets/level1", "docker.com/notary", data.ED25519Key)
assert.NoError(t, err)
r, err := data.NewRole("targets/level1", 1, []string{level1Key.ID()}, []string{""})

2
server/snapshot/snapshot.go
View File

@ -21,7 +21,7 @@ func GetOrCreateSnapshotKey(gun string, store storage.KeyStore, crypto signed.Cr
}
if _, ok := err.(*storage.ErrNoKey); ok {
key, err := crypto.Create("snapshot", createAlgorithm)
key, err := crypto.Create("snapshot", gun, createAlgorithm)
if err != nil {
return nil, err
}

4
server/snapshot/snapshot_test.go
View File

@ -52,7 +52,7 @@ func TestGetSnapshotKeyCreate(t *testing.T) {
func TestGetSnapshotKeyExisting(t *testing.T) {
store := storage.NewMemStorage()
crypto := signed.NewEd25519()
key, err := crypto.Create(data.CanonicalSnapshotRole, data.ED25519Key)
key, err := crypto.Create(data.CanonicalSnapshotRole, "gun", data.ED25519Key)
assert.NoError(t, err)
store.SetKey("gun", data.CanonicalSnapshotRole, data.ED25519Key, key.Public())
@ -95,7 +95,7 @@ func (ks keyStore) SetKey(gun, role, algorithm string, public []byte) error {
// first insert.
func TestGetSnapshotKeyExistsOnSet(t *testing.T) {
crypto := signed.NewEd25519()
key, err := crypto.Create(data.CanonicalSnapshotRole, data.ED25519Key)
key, err := crypto.Create(data.CanonicalSnapshotRole, "gun", data.ED25519Key)
assert.NoError(t, err)
store := &keyStore{k: key}

2
server/timestamp/timestamp.go
View File

@ -24,7 +24,7 @@ func GetOrCreateTimestampKey(gun string, store storage.MetaStore, crypto signed.
}
if _, ok := err.(*storage.ErrNoKey); ok {
key, err := crypto.Create("timestamp", createAlgorithm)
key, err := crypto.Create("timestamp", gun, createAlgorithm)
if err != nil {
return nil, err
}

2
signer/api/api.go
View File

@ -84,7 +84,7 @@ func CreateKey(cryptoServices signer.CryptoServiceIndex) http.Handler {
return
}
tufKey, err := cryptoService.Create("", vars["Algorithm"])
tufKey, err := cryptoService.Create("", "", vars["Algorithm"])
if err != nil {
w.WriteHeader(http.StatusInternalServerError)
w.Write([]byte(err.Error()))

26
signer/api/api_test.go
View File

@ -40,7 +40,7 @@ func setup(cryptoServices signer.CryptoServiceIndex) {
func TestDeleteKeyHandlerReturns404WithNonexistentKey(t *testing.T) {
keyStore := trustmanager.NewKeyMemoryStore(passphraseRetriever)
cryptoService := cryptoservice.NewCryptoService("", keyStore)
cryptoService := cryptoservice.NewCryptoService(keyStore)
setup(signer.CryptoServiceIndex{data.ED25519Key: cryptoService, data.RSAKey: cryptoService, data.ECDSAKey: cryptoService})
fakeID := "c62e6d68851cef1f7e55a9d56e3b0c05f3359f16838cad43600f0554e7d3b54d"
@ -60,10 +60,10 @@ func TestDeleteKeyHandlerReturns404WithNonexistentKey(t *testing.T) {
func TestDeleteKeyHandler(t *testing.T) {
keyStore := trustmanager.NewKeyMemoryStore(passphraseRetriever)
cryptoService := cryptoservice.NewCryptoService("", keyStore)
cryptoService := cryptoservice.NewCryptoService(keyStore)
setup(signer.CryptoServiceIndex{data.ED25519Key: cryptoService, data.RSAKey: cryptoService, data.ECDSAKey: cryptoService})
tufKey, _ := cryptoService.Create("", data.ED25519Key)
tufKey, _ := cryptoService.Create("", "", data.ED25519Key)
assert.NotNil(t, tufKey)
requestJson, _ := json.Marshal(&pb.KeyID{ID: tufKey.ID()})
@ -80,10 +80,10 @@ func TestDeleteKeyHandler(t *testing.T) {
func TestKeyInfoHandler(t *testing.T) {
keyStore := trustmanager.NewKeyMemoryStore(passphraseRetriever)
cryptoService := cryptoservice.NewCryptoService("", keyStore)
cryptoService := cryptoservice.NewCryptoService(keyStore)
setup(signer.CryptoServiceIndex{data.ED25519Key: cryptoService, data.RSAKey: cryptoService, data.ECDSAKey: cryptoService})
tufKey, _ := cryptoService.Create("", data.ED25519Key)
tufKey, _ := cryptoService.Create("", "", data.ED25519Key)
assert.NotNil(t, tufKey)
keyInfoURL := fmt.Sprintf("%s/%s", keyInfoBaseURL, tufKey.ID())
@ -109,7 +109,7 @@ func TestKeyInfoHandlerReturns404WithNonexistentKey(t *testing.T) {
// We associate both key types with this signing service to bypass the
// ID -> keyType logic in the tests
keyStore := trustmanager.NewKeyMemoryStore(passphraseRetriever)
cryptoService := cryptoservice.NewCryptoService("", keyStore)
cryptoService := cryptoservice.NewCryptoService(keyStore)
setup(signer.CryptoServiceIndex{data.ED25519Key: cryptoService, data.RSAKey: cryptoService, data.ECDSAKey: cryptoService})
fakeID := "c62e6d68851cef1f7e55a9d56e3b0c05f3359f16838cad43600f0554e7d3b54d"
@ -126,7 +126,7 @@ func TestKeyInfoHandlerReturns404WithNonexistentKey(t *testing.T) {
func TestSoftwareCreateKeyHandler(t *testing.T) {
keyStore := trustmanager.NewKeyMemoryStore(passphraseRetriever)
cryptoService := cryptoservice.NewCryptoService("", keyStore)
cryptoService := cryptoservice.NewCryptoService(keyStore)
setup(signer.CryptoServiceIndex{data.ED25519Key: cryptoService, data.RSAKey: cryptoService, data.ECDSAKey: cryptoService})
createKeyURL := fmt.Sprintf("%s/%s", createKeyBaseURL, data.ED25519Key)
@ -149,10 +149,10 @@ func TestSoftwareCreateKeyHandler(t *testing.T) {
func TestSoftwareSignHandler(t *testing.T) {
keyStore := trustmanager.NewKeyMemoryStore(passphraseRetriever)
cryptoService := cryptoservice.NewCryptoService("", keyStore)
cryptoService := cryptoservice.NewCryptoService(keyStore)
setup(signer.CryptoServiceIndex{data.ED25519Key: cryptoService, data.RSAKey: cryptoService, data.ECDSAKey: cryptoService})
tufKey, err := cryptoService.Create("", data.ED25519Key)
tufKey, err := cryptoService.Create("", "", data.ED25519Key)
assert.Nil(t, err)
sigRequest := &pb.SignatureRequest{KeyID: &pb.KeyID{ID: tufKey.ID()}, Content: make([]byte, 10)}
@ -181,7 +181,7 @@ func TestSoftwareSignHandler(t *testing.T) {
func TestSoftwareSignWithInvalidRequestHandler(t *testing.T) {
keyStore := trustmanager.NewKeyMemoryStore(passphraseRetriever)
cryptoService := cryptoservice.NewCryptoService("", keyStore)
cryptoService := cryptoservice.NewCryptoService(keyStore)
setup(signer.CryptoServiceIndex{data.ED25519Key: cryptoService, data.RSAKey: cryptoService, data.ECDSAKey: cryptoService})
requestJson := "{\"blob\":\"7d16f1d0b95310a7bc557747fc4f20fcd41c1c5095ae42f189df0717e7d7f4a0a2b55debce630f43c4ac099769c612965e3fda3cd4c0078ee6a460f14fa19307\"}"
@ -205,12 +205,12 @@ func TestSoftwareSignWithInvalidRequestHandler(t *testing.T) {
func TestSignHandlerReturns404WithNonexistentKey(t *testing.T) {
keyStore := trustmanager.NewKeyMemoryStore(passphraseRetriever)
cryptoService := cryptoservice.NewCryptoService("", keyStore)
cryptoService := cryptoservice.NewCryptoService(keyStore)
setup(signer.CryptoServiceIndex{data.ED25519Key: cryptoService, data.RSAKey: cryptoService, data.ECDSAKey: cryptoService})
fakeID := "c62e6d68851cef1f7e55a9d56e3b0c05f3359f16838cad43600f0554e7d3b54d"
cryptoService.Create("", data.ED25519Key)
cryptoService.Create("", "", data.ED25519Key)
sigRequest := &pb.SignatureRequest{KeyID: &pb.KeyID{ID: fakeID}, Content: make([]byte, 10)}
requestJson, _ := json.Marshal(sigRequest)
@ -228,7 +228,7 @@ func TestSignHandlerReturns404WithNonexistentKey(t *testing.T) {
func TestCreateKeyHandlerWithInvalidAlgorithm(t *testing.T) {
keyStore := trustmanager.NewKeyMemoryStore(passphraseRetriever)
cryptoService := cryptoservice.NewCryptoService("", keyStore)
cryptoService := cryptoservice.NewCryptoService(keyStore)
setup(signer.CryptoServiceIndex{data.ED25519Key: cryptoService, data.RSAKey: cryptoService, data.ECDSAKey: cryptoService})
// The `rbtree-algorithm` is expected as not supported

2
signer/api/rpc_api.go
View File

@ -40,7 +40,7 @@ func (s *KeyManagementServer) CreateKey(ctx context.Context, algorithm *pb.Algor
return nil, fmt.Errorf("algorithm %s not supported for create key", algorithm.Algorithm)
}
tufKey, err := service.Create("", keyAlgo)
tufKey, err := service.Create("", "", keyAlgo)
if err != nil {
logger.Error("CreateKey: failed to create key: ", err)
return nil, grpc.Errorf(codes.Internal, "Key creation failed")

2
signer/api/rpc_api_test.go
View File

@ -35,7 +35,7 @@ var (
func init() {
pr = func(string, string, bool, int) (string, bool, error) { return "passphrase", false, nil }
keyStore := trustmanager.NewKeyMemoryStore(pr)
cryptoService := cryptoservice.NewCryptoService("", keyStore)
cryptoService := cryptoservice.NewCryptoService(keyStore)
cryptoServices := signer.CryptoServiceIndex{data.ED25519Key: cryptoService, data.RSAKey: cryptoService, data.ECDSAKey: cryptoService}
void = &pb.Void{}

4
signer/client/signer_trust.go
View File

@ -128,7 +128,7 @@ func NewNotarySigner(hostname string, port string, tlsConfig *tls.Config) *Notar
}
// Create creates a remote key and returns the PublicKey associated with the remote private key
func (trust *NotarySigner) Create(role, algorithm string) (data.PublicKey, error) {
func (trust *NotarySigner) Create(role, algorithm, gun string) (data.PublicKey, error) {
publicKey, err := trust.kmClient.CreateKey(context.Background(), &pb.Algorithm{Algorithm: algorithm})
if err != nil {
return nil, err
@ -138,7 +138,7 @@ func (trust *NotarySigner) Create(role, algorithm string) (data.PublicKey, error
}
// AddKey adds a key
func (trust *NotarySigner) AddKey(k data.PrivateKey, role string) error {
func (trust *NotarySigner) AddKey(role, gun string, k data.PrivateKey) error {
return errors.New("Adding a key to NotarySigner is not supported")
}

2
signer/client/signer_trust_test.go
View File

@ -169,7 +169,7 @@ func (c *StubClientFromServers) CheckHealth(ctx context.Context, v *pb.Void,
}
func setUpSigner(t *testing.T, store trustmanager.KeyStore) NotarySigner {
cryptoService := cryptoservice.NewCryptoService("", store)
cryptoService := cryptoservice.NewCryptoService(store)
cryptoServices := signer.CryptoServiceIndex{
data.ED25519Key: cryptoService,
data.RSAKey: cryptoService,

5
signer/keydbstore/keydbstore.go
View File

@ -219,11 +219,6 @@ func (s *KeyDBStore) ExportKey(name string) ([]byte, error) {
return nil, errors.New("Exporting from a KeyDBStore is not supported.")
}
// ImportKey is currently unimplemented and will always return an error
func (s *KeyDBStore) ImportKey(pemBytes []byte, role, gun string) error {
return errors.New("Importing into a KeyDBStore is not supported")
}
// HealthCheck verifies that DB exists and is query-able
func (s *KeyDBStore) HealthCheck() error {
dbPrivateKey := GormPrivateKey{}

49
trustmanager/keyfilestore.go
View File

@ -206,20 +206,6 @@ func (s *KeyFileStore) ExportKey(name string) ([]byte, error) {
return keyBytes, nil
}
// ImportKey imports the private key in the encrypted bytes into the keystore
// with the given key ID, role, and gun.
func (s *KeyFileStore) ImportKey(pemBytes []byte, role, gun string) error {
if role == data.CanonicalRootRole || data.IsDelegation(role) || !data.ValidRole(role) {
gun = ""
}
keyID, err := importKey(s, s.Retriever, s.cachedKeys, role, gun, pemBytes)
if err != nil {
return err
}
s.keyInfoMap[keyID] = KeyInfo{Role: role, Gun: gun}
return nil
}
// NewKeyMemoryStore returns a new KeyMemoryStore which holds keys in memory
func NewKeyMemoryStore(passphraseRetriever passphrase.Retriever) *KeyMemoryStore {
memStore := NewMemoryFileStore()
@ -316,20 +302,6 @@ func (s *KeyMemoryStore) ExportKey(name string) ([]byte, error) {
return keyBytes, nil
}
// ImportKey imports the private key in the encrypted bytes into the keystore
// with the given key ID and alias.
func (s *KeyMemoryStore) ImportKey(pemBytes []byte, role, gun string) error {
if role == data.CanonicalRootRole || data.IsDelegation(role) || !data.ValidRole(role) {
gun = ""
}
keyID, err := importKey(s, s.Retriever, s.cachedKeys, role, gun, pemBytes)
if err != nil {
return err
}
s.keyInfoMap[keyID] = KeyInfo{Role: role, Gun: gun}
return nil
}
// KeyInfoFromPEM attempts to get a keyID and KeyInfo from the filename and PEM bytes of a key
func KeyInfoFromPEM(pemBytes []byte, filename string) (string, KeyInfo) {
keyID, role, gun := inferKeyInfoFromKeyPath(filename)
@ -530,24 +502,3 @@ func encryptAndAddKey(s LimitedFileStore, passwd string, cachedKeys map[string]*
cachedKeys[name] = &cachedKey{alias: role, key: privKey}
return s.Add(filepath.Join(getSubdir(role), name), pemPrivKey)
}
func importKey(s LimitedFileStore, passphraseRetriever passphrase.Retriever, cachedKeys map[string]*cachedKey, role, gun string, pemBytes []byte) (string, error) {
// See if the key is encrypted. If its encrypted we'll fail to parse the private key on this first check
privKey, err := ParsePEMPrivateKey(pemBytes, "")
if err != nil {
var password string
privKey, password, err = GetPasswdDecryptBytes(passphraseRetriever, pemBytes, "", "imported "+role)
if err != nil {
return "", err
}
if role == data.CanonicalRootRole {
return privKey.ID(), encryptAndAddKey(s, password, cachedKeys, privKey.ID(), role, privKey)
}
}
pemBytesWithRole, err := KeyToPEM(privKey, role)
if err != nil {
return privKey.ID(), err
}
s.Add(filepath.Join(getSubdir(role), gun, privKey.ID()), pemBytesWithRole)
return privKey.ID(), nil
}

50
trustmanager/keyfilestore_test.go
View File

@ -719,37 +719,6 @@ func TestKeyMemoryStoreExportNonExistantFailure(t *testing.T) {
assert.Error(t, err)
}
// Importing a key is successful
func TestKeyFileStoreImportSuccess(t *testing.T) {
// Generate a new Private Key
privKey, err := GenerateECDSAKey(rand.Reader)
assert.NoError(t, err)
// Temporary directory where test files will be created
tempBaseDir, err := ioutil.TempDir("", "notary-test-")
assert.NoError(t, err)
defer os.RemoveAll(tempBaseDir)
// Create our FileStore
store, err := NewKeyFileStore(tempBaseDir, passphraseRetriever)
assert.NoError(t, err)
assertImportKeySuccess(t, store, privKey)
}
// Importing a key is successful
func TestKeyMemoryStoreImportSuccess(t *testing.T) {
// Generate a new Private Key
privKey, err := GenerateECDSAKey(rand.Reader)
assert.NoError(t, err)
// Create our MemoryStore
store := NewKeyMemoryStore(passphraseRetriever)
assert.NoError(t, err)
assertImportKeySuccess(t, store, privKey)
}
// Given a keystore and expected key that is in the store, export the key
// and assert that the exported key is the same and encrypted with the right
// password.
@ -764,22 +733,3 @@ func assertExportKeySuccess(
assert.Equal(t, expectedKey.Private(), reparsedKey.Private())
assert.Equal(t, expectedKey.Public(), reparsedKey.Public())
}
// Given a keystore and expected key, generate an encrypted PEM of the key
// and assert that the then imported key is the same and encrypted with the
// right password.
func assertImportKeySuccess(
t *testing.T, s KeyStore, expectedKey data.PrivateKey) {
pemBytes, err := EncryptPrivateKey(expectedKey, data.CanonicalRootRole, cannedPassphrase)
assert.NoError(t, err)
err = s.ImportKey(pemBytes, data.CanonicalRootRole, "")
assert.NoError(t, err)
reimportedKey, reimportedAlias, err := s.GetKey(expectedKey.ID())
assert.NoError(t, err)
assert.Equal(t, "root", reimportedAlias)
assert.Equal(t, expectedKey.Private(), reimportedKey.Private())
assert.Equal(t, expectedKey.Public(), reimportedKey.Public())
}

1
trustmanager/keystore.go
View File

@ -48,7 +48,6 @@ type KeyStore interface {
ListKeys() map[string]KeyInfo
RemoveKey(name string) error
ExportKey(name string) ([]byte, error)
ImportKey(pemBytes []byte, role, gun string) error
Name() string
}

2
trustmanager/x509utils.go
View File

@ -517,7 +517,7 @@ func EncryptPrivateKey(key data.PrivateKey, role, passphrase string) ([]byte, er
// ReadRoleFromPEM returns the value from the role PEM header, if it exists
func ReadRoleFromPEM(pemBytes []byte) string {
pemBlock, _ := pem.Decode(pemBytes)
if pemBlock.Headers == nil {
if pemBlock == nil || pemBlock.Headers == nil {
return ""
}
role, ok := pemBlock.Headers["role"]

16
trustmanager/yubikey/yubikeystore.go
View File

@ -762,22 +762,6 @@ func (s *YubiKeyStore) ExportKey(keyID string) ([]byte, error) {
return nil, errors.New("Keys cannot be exported from a Yubikey.")
}
// ImportKey imports only root keys into a Yubikey, ignoring the specified gun
func (s *YubiKeyStore) ImportKey(pemBytes []byte, role, gun string) error {
logrus.Debugf("Attempting to import: %s key inside of YubiKeyStore", role)
if role != data.CanonicalRootRole {
return fmt.Errorf("yubikey only supports storing root keys")
}
privKey, _, err := trustmanager.GetPasswdDecryptBytes(
s.passRetriever, pemBytes, "", "imported root")
if err != nil {
logrus.Debugf("Failed to get and retrieve a key from: %s", role)
return err
}
_, err = s.addKey(privKey.ID(), role, privKey)
return err
}
// Not yet implemented
func (s *YubiKeyStore) GetKeyInfo(keyID string) (trustmanager.KeyInfo, error) {
return trustmanager.KeyInfo{}, fmt.Errorf("Not yet implemented")

171
trustmanager/yubikey/yubikeystore_test.go
View File

@ -319,116 +319,6 @@ func TestYubiRemoveKey(t *testing.T) {
}
}
// ImportKey imports a key as root without adding it to the backup store
func TestYubiImportNewKey(t *testing.T) {
if !YubikeyAccessible() {
t.Skip("Must have Yubikey access.")
}
clearAllKeys(t)
SetYubikeyKeyMode(KeymodeNone)
defer func() {
SetYubikeyKeyMode(KeymodeTouch | KeymodePinOnce)
}()
backup := trustmanager.NewKeyMemoryStore(ret)
store, err := NewYubiKeyStore(backup, ret)
assert.NoError(t, err)
// generate key and import it
privKey, err := trustmanager.GenerateECDSAKey(rand.Reader)
assert.NoError(t, err)
pemBytes, err := trustmanager.EncryptPrivateKey(privKey, data.CanonicalRootRole, "passphrase")
assert.NoError(t, err)
err = store.ImportKey(pemBytes, data.CanonicalRootRole, "")
assert.NoError(t, err)
// key is not in backup store
_, _, err = backup.GetKey(privKey.ID())
assert.Error(t, err)
// create a new store, since we want to be sure the original store's cache
// is not masking any issues
cleanStore, err := NewYubiKeyStore(trustmanager.NewKeyMemoryStore(ret), ret)
assert.NoError(t, err)
for _, store := range []*YubiKeyStore{store, cleanStore} {
gottenKey, role, err := store.GetKey(privKey.ID())
assert.NoError(t, err)
assert.Equal(t, data.CanonicalRootRole, role)
assert.Equal(t, privKey.Public(), gottenKey.Public())
}
}
// Importing an existing key succeeds, but doesn't actually add the key, nor
// does it write it to backup.
func TestYubiImportExistingKey(t *testing.T) {
if !YubikeyAccessible() {
t.Skip("Must have Yubikey access.")
}
clearAllKeys(t)
SetYubikeyKeyMode(KeymodeNone)
defer func() {
SetYubikeyKeyMode(KeymodeTouch | KeymodePinOnce)
}()
store, err := NewYubiKeyStore(trustmanager.NewKeyMemoryStore(ret), ret)
assert.NoError(t, err)
key, err := testAddKey(t, store)
backup := trustmanager.NewKeyMemoryStore(ret)
newStore, err := NewYubiKeyStore(backup, ret)
assert.NoError(t, err)
// for sanity, ensure that the key is already in the Yubikey
k, _, err := newStore.GetKey(key.ID())
assert.NoError(t, err)
assert.NotNil(t, k)
// import the key, which should have already been added to the yubikey
pemBytes, err := trustmanager.EncryptPrivateKey(key, data.CanonicalRootRole, "passphrase")
assert.NoError(t, err)
err = newStore.ImportKey(pemBytes, data.CanonicalRootRole, "")
assert.NoError(t, err)
// key is not in backup store
_, _, err = backup.GetKey(key.ID())
assert.Error(t, err)
}
// Importing a key not as root fails, and it is not added to the backup store
func TestYubiImportNonRootKey(t *testing.T) {
if !YubikeyAccessible() {
t.Skip("Must have Yubikey access.")
}
clearAllKeys(t)
SetYubikeyKeyMode(KeymodeNone)
defer func() {
SetYubikeyKeyMode(KeymodeTouch | KeymodePinOnce)
}()
backup := trustmanager.NewKeyMemoryStore(ret)
store, err := NewYubiKeyStore(backup, ret)
assert.NoError(t, err)
// generate key and import it
privKey, err := trustmanager.GenerateECDSAKey(rand.Reader)
assert.NoError(t, err)
pemBytes, err := trustmanager.EncryptPrivateKey(privKey, data.CanonicalRootRole, "passphrase")
assert.NoError(t, err)
err = store.ImportKey(pemBytes, data.CanonicalTargetsRole, "")
assert.Error(t, err)
// key is not in backup store
_, _, err = backup.GetKey(privKey.ID())
assert.Error(t, err)
}
// One cannot export from hardware - it will not export from the backup
func TestYubiExportKeyFails(t *testing.T) {
if !YubikeyAccessible() {
@ -673,67 +563,6 @@ func TestYubiGetKeyCleansUpOnError(t *testing.T) {
), true)
}
func TestYubiImportKeyCleansUpOnError(t *testing.T) {
if !YubikeyAccessible() {
t.Skip("Must have Yubikey access.")
}
clearAllKeys(t)
SetYubikeyKeyMode(KeymodeNone)
defer func() {
SetYubikeyKeyMode(KeymodeTouch | KeymodePinOnce)
}()
store, err := NewYubiKeyStore(trustmanager.NewKeyMemoryStore(ret), ret)
assert.NoError(t, err)
privKey, err := trustmanager.GenerateECDSAKey(rand.Reader)
assert.NoError(t, err)
pemBytes, err := trustmanager.EncryptPrivateKey(privKey, data.CanonicalRootRole, "passphrase")
assert.NoError(t, err)
var _importkey = func() error { return store.ImportKey(pemBytes, data.CanonicalRootRole, "") }
testYubiFunctionCleansUpOnLoginError(t, store, _importkey)
// all the PKCS11 functions ImportKey depends on that aren't the login/logout
testYubiFunctionCleansUpOnSpecifiedErrors(t, store, _importkey,
append(
setupErrors,
"FindObjectsInit",
"FindObjects",
"FindObjectsFinal",
"CreateObject",
), true)
// given that everything should have errored, there should be no keys on
// the yubikey
assert.Len(t, cleanListKeys(t), 0)
// Logout should not cause a function failure - it s a cleanup failure,
// which shouldn't break anything, and it should clean up after itself.
// The key should be added to both stores
testYubiFunctionCleansUpOnSpecifiedErrors(t, store, _importkey,
[]string{"Logout"}, false)
listedKeys := cleanListKeys(t)
assert.Len(t, listedKeys, 1)
// Currently, if GetAttributeValue fails, the function succeeds, because if
// we can't get the attribute value of an object, we don't know what slot
// it's in, we assume its occupied slot is free (hence this failure will
// cause the previous key to be overwritten). This behavior may need to
// be revisited.
for k := range listedKeys {
err := store.RemoveKey(k)
assert.NoError(t, err)
}
testYubiFunctionCleansUpOnSpecifiedErrors(t, store, _importkey,
[]string{"GetAttributeValue"}, false)
assert.Len(t, cleanListKeys(t), 1)
}
func TestYubiRemoveKeyCleansUpOnError(t *testing.T) {
if !YubikeyAccessible() {
t.Skip("Must have Yubikey access.")

14
tuf/client/client_test.go
View File

@ -26,7 +26,7 @@ func TestRotation(t *testing.T) {
cache := store.NewMemoryStore(nil)
// Generate initial root key and role and add to key DB
rootKey, err := signer.Create("root", data.ED25519Key)
rootKey, err := signer.Create("root", "", data.ED25519Key)
require.NoError(t, err, "Error creating root key")
rootRole, err := data.NewRole("root", 1, []string{rootKey.ID()}, nil)
require.NoError(t, err, "Error creating root role")
@ -40,7 +40,7 @@ func TestRotation(t *testing.T) {
repo.Root = originalRoot
// Generate new key and role.
replacementKey, err := signer.Create("root", data.ED25519Key)
replacementKey, err := signer.Create("root", "", data.ED25519Key)
require.NoError(t, err, "Error creating replacement root key")
replacementRole, err := data.NewRole("root", 1, []string{replacementKey.ID()}, nil)
require.NoError(t, err, "Error creating replacement root role")
@ -88,7 +88,7 @@ func TestRotationNewSigMissing(t *testing.T) {
cache := store.NewMemoryStore(nil)
// Generate initial root key and role and add to key DB
rootKey, err := signer.Create("root", data.ED25519Key)
rootKey, err := signer.Create("root", "", data.ED25519Key)
require.NoError(t, err, "Error creating root key")
rootRole, err := data.NewRole("root", 1, []string{rootKey.ID()}, nil)
require.NoError(t, err, "Error creating root role")
@ -102,7 +102,7 @@ func TestRotationNewSigMissing(t *testing.T) {
repo.Root = originalRoot
// Generate new key and role.
replacementKey, err := signer.Create("root", data.ED25519Key)
replacementKey, err := signer.Create("root", "", data.ED25519Key)
require.NoError(t, err, "Error creating replacement root key")
replacementRole, err := data.NewRole("root", 1, []string{replacementKey.ID()}, nil)
require.NoError(t, err, "Error creating replacement root role")
@ -151,7 +151,7 @@ func TestRotationOldSigMissing(t *testing.T) {
cache := store.NewMemoryStore(nil)
// Generate initial root key and role and add to key DB
rootKey, err := signer.Create("root", data.ED25519Key)
rootKey, err := signer.Create("root", "", data.ED25519Key)
require.NoError(t, err, "Error creating root key")
rootRole, err := data.NewRole("root", 1, []string{rootKey.ID()}, nil)
require.NoError(t, err, "Error creating root role")
@ -165,7 +165,7 @@ func TestRotationOldSigMissing(t *testing.T) {
repo.Root = originalRoot
// Generate new key and role.
replacementKey, err := signer.Create("root", data.ED25519Key)
replacementKey, err := signer.Create("root", "", data.ED25519Key)
require.NoError(t, err, "Error creating replacement root key")
replacementRole, err := data.NewRole("root", 1, []string{replacementKey.ID()}, nil)
require.NoError(t, err, "Error creating replacement root role")
@ -415,7 +415,7 @@ func TestDownloadTargetsDeepHappy(t *testing.T) {
for _, r := range delegations {
// create role
k, err := cs.Create(r, data.ED25519Key)
k, err := cs.Create(r, "docker.com/notary", data.ED25519Key)
require.NoError(t, err)
// add role to repo

4
tuf/signed/ed25519.go
View File

@ -27,7 +27,7 @@ func NewEd25519() *Ed25519 {
}
// AddKey allows you to add a private key
func (e *Ed25519) AddKey(k data.PrivateKey, role string) error {
func (e *Ed25519) AddKey(role, gun string, k data.PrivateKey) error {
e.addKey(role, k)
return nil
}
@ -67,7 +67,7 @@ func (e *Ed25519) ListAllKeys() map[string]string {
}
// Create generates a new key and returns the public part
func (e *Ed25519) Create(role, algorithm string) (data.PublicKey, error) {
func (e *Ed25519) Create(role, gun, algorithm string) (data.PublicKey, error) {
if algorithm != data.ED25519Key {
return nil, errors.New("only ED25519 supported by this cryptoservice")
}

4
tuf/signed/ed25519_test.go
View File

@ -10,10 +10,10 @@ import (
// ListKeys only returns the keys for that role
func TestListKeys(t *testing.T) {
c := NewEd25519()
tskey, err := c.Create(data.CanonicalTimestampRole, data.ED25519Key)
tskey, err := c.Create(data.CanonicalTimestampRole, "", data.ED25519Key)
require.NoError(t, err)
_, err = c.Create(data.CanonicalRootRole, data.ED25519Key)
_, err = c.Create(data.CanonicalRootRole, "", data.ED25519Key)
require.NoError(t, err)
tsKeys := c.ListKeys(data.CanonicalTimestampRole)

8
tuf/signed/interface.go
View File

@ -10,12 +10,10 @@ import (
type KeyService interface {
// Create issues a new key pair and is responsible for loading
// the private key into the appropriate signing service.
// The role isn't currently used for anything, but it's here to support
// future features
Create(role, algorithm string) (data.PublicKey, error)
Create(role, gun, algorithm string) (data.PublicKey, error)
// AddKey adds a private key to the specified role
AddKey(key data.PrivateKey, role string) error
// AddKey adds a private key to the specified role and gun
AddKey(role, gun string, key data.PrivateKey) error
// GetKey retrieves the public key if present, otherwise it returns nil
GetKey(keyID string) data.PublicKey

39
tuf/signed/sign_test.go
View File

@ -20,7 +20,12 @@ type FailingCryptoService struct {
testKey data.PrivateKey
}
func (mts *FailingCryptoService) Create(_, _ string) (data.PublicKey, error) {
func (mts *FailingCryptoService) Sign(keyIDs []string, _ []byte) ([]data.Signature, error) {
sigs := make([]data.Signature, 0, len(keyIDs))
return sigs, nil
}
func (mts *FailingCryptoService) Create(_, _, _ string) (data.PublicKey, error) {
return mts.testKey, nil
}
@ -28,7 +33,7 @@ func (mts *FailingCryptoService) ListKeys(role string) []string {
return []string{mts.testKey.ID()}
}
func (mts *FailingCryptoService) AddKey(key data.PrivateKey, role string) error {
func (mts *FailingCryptoService) AddKey(role, gun string, key data.PrivateKey) error {
return nil
}
@ -63,11 +68,19 @@ type MockCryptoService struct {
testKey data.PrivateKey
}
func (mts *MockCryptoService) Create(_ string, _ string) (data.PublicKey, error) {
func (mts *MockCryptoService) Sign(keyIDs []string, _ []byte) ([]data.Signature, error) {
sigs := make([]data.Signature, 0, len(keyIDs))
for _, keyID := range keyIDs {
sigs = append(sigs, data.Signature{KeyID: keyID})
}
return sigs, nil
}
func (mts *MockCryptoService) Create(_, _, _ string) (data.PublicKey, error) {
return mts.testKey, nil
}
func (mts *MockCryptoService) AddKey(key data.PrivateKey, role string) error {
func (mts *MockCryptoService) AddKey(role, gun string, key data.PrivateKey) error {
return nil
}
@ -125,14 +138,14 @@ func (mts *StrictMockCryptoService) ListAllKeys() map[string]string {
}
}
func (mts *StrictMockCryptoService) AddKey(key data.PrivateKey, role string) error {
func (mts *StrictMockCryptoService) AddKey(role, gun string, key data.PrivateKey) error {
return nil
}
// Test signing and ensure the expected signature is added
func TestBasicSign(t *testing.T) {
cs := NewEd25519()
key, err := cs.Create(data.CanonicalRootRole, data.ED25519Key)
key, err := cs.Create(data.CanonicalRootRole, "", data.ED25519Key)
require.NoError(t, err)
testData := data.Signed{}
@ -152,7 +165,7 @@ func TestBasicSign(t *testing.T) {
// with the same key ID
func TestReSign(t *testing.T) {
cs := NewEd25519()
key, err := cs.Create(data.CanonicalRootRole, data.ED25519Key)
key, err := cs.Create(data.CanonicalRootRole, "", data.ED25519Key)
require.NoError(t, err)
testData := data.Signed{}
@ -174,7 +187,7 @@ func TestMultiSign(t *testing.T) {
cs := NewEd25519()
testData := data.Signed{}
key1, err := cs.Create(data.CanonicalRootRole, data.ED25519Key)
key1, err := cs.Create(data.CanonicalRootRole, "", data.ED25519Key)
require.NoError(t, err)
Sign(cs, &testData, key1)
@ -184,7 +197,7 @@ func TestMultiSign(t *testing.T) {
// that the signature for key1 is left intact and the signature
// for key2 is added
cs = NewEd25519()
key2, err := cs.Create(data.CanonicalRootRole, data.ED25519Key)
key2, err := cs.Create(data.CanonicalRootRole, "", data.ED25519Key)
require.NoError(t, err)
Sign(
@ -252,14 +265,14 @@ func TestSignRemovesValidSigByInvalidKey(t *testing.T) {
cs := NewEd25519()
testData := data.Signed{}
key1, err := cs.Create(data.CanonicalRootRole, data.ED25519Key)
key1, err := cs.Create(data.CanonicalRootRole, "", data.ED25519Key)
require.NoError(t, err)
Sign(cs, &testData, key1)
require.Len(t, testData.Signatures, 1)
require.Equal(t, key1.ID(), testData.Signatures[0].KeyID)
key2, err := cs.Create(data.CanonicalRootRole, data.ED25519Key)
key2, err := cs.Create(data.CanonicalRootRole, "", data.ED25519Key)
require.NoError(t, err)
// should remove key1 sig even though it's valid. It no longer appears
@ -278,7 +291,7 @@ func TestSignRemovesInvalidSig(t *testing.T) {
cs := NewEd25519()
testData := data.Signed{}
key1, err := cs.Create(data.CanonicalRootRole, data.ED25519Key)
key1, err := cs.Create(data.CanonicalRootRole, "", data.ED25519Key)
require.NoError(t, err)
Sign(cs, &testData, key1)
@ -287,7 +300,7 @@ func TestSignRemovesInvalidSig(t *testing.T) {
// we need cs to "forget" key1 so we can't sign with it
cs = NewEd25519()
key2, err := cs.Create(data.CanonicalRootRole, data.ED25519Key)
key2, err := cs.Create(data.CanonicalRootRole, "", data.ED25519Key)
require.NoError(t, err)
// modify test data to invalidate key1 sig

16
tuf/signed/verify_test.go
View File

@ -13,7 +13,7 @@ import (
func TestRoleNoKeys(t *testing.T) {
cs := NewEd25519()
k, err := cs.Create("root", data.ED25519Key)
k, err := cs.Create("root", "", data.ED25519Key)
require.NoError(t, err)
require.NoError(t, err)
roleWithKeys := data.BaseRole{Name: "root", Keys: data.Keys{}, Threshold: 1}
@ -30,7 +30,7 @@ func TestRoleNoKeys(t *testing.T) {
func TestNotEnoughSigs(t *testing.T) {
cs := NewEd25519()
k, err := cs.Create("root", data.ED25519Key)
k, err := cs.Create("root", "", data.ED25519Key)
require.NoError(t, err)
require.NoError(t, err)
roleWithKeys := data.BaseRole{Name: "root", Keys: data.Keys{k.ID(): k}, Threshold: 2}
@ -47,9 +47,9 @@ func TestNotEnoughSigs(t *testing.T) {
func TestMoreThanEnoughSigs(t *testing.T) {
cs := NewEd25519()
k1, err := cs.Create("root", data.ED25519Key)
k1, err := cs.Create("root", "", data.ED25519Key)
require.NoError(t, err)
k2, err := cs.Create("root", data.ED25519Key)
k2, err := cs.Create("root", "", data.ED25519Key)
require.NoError(t, err)
roleWithKeys := data.BaseRole{Name: "root", Keys: data.Keys{k1.ID(): k1, k2.ID(): k2}, Threshold: 1}
@ -66,7 +66,7 @@ func TestMoreThanEnoughSigs(t *testing.T) {
func TestDuplicateSigs(t *testing.T) {
cs := NewEd25519()
k, err := cs.Create("root", data.ED25519Key)
k, err := cs.Create("root", "", data.ED25519Key)
require.NoError(t, err)
roleWithKeys := data.BaseRole{Name: "root", Keys: data.Keys{k.ID(): k}, Threshold: 2}
@ -83,9 +83,9 @@ func TestDuplicateSigs(t *testing.T) {
func TestUnknownKeyBelowThreshold(t *testing.T) {
cs := NewEd25519()
k, err := cs.Create("root", data.ED25519Key)
k, err := cs.Create("root", "", data.ED25519Key)
require.NoError(t, err)
unknown, err := cs.Create("root", data.ED25519Key)
unknown, err := cs.Create("root", "", data.ED25519Key)
require.NoError(t, err)
roleWithKeys := data.BaseRole{Name: "root", Keys: data.Keys{k.ID(): k}, Threshold: 2}
@ -162,7 +162,7 @@ func Test(t *testing.T) {
run.typ = data.TUFTypes[run.role]
}
if run.s == nil {
k, _ := cryptoService.Create("root", data.ED25519Key)
k, _ := cryptoService.Create("root", "", data.ED25519Key)
run.roleData = data.BaseRole{Name: "root", Keys: data.Keys{k.ID(): k}, Threshold: 1}
meta := &data.SignedCommon{Type: run.typ, Version: run.ver, Expires: *run.exp}

5
tuf/testutils/repo.go
View File

@ -18,7 +18,7 @@ import (
)
func createKey(cs signed.CryptoService, gun, role string) (data.PublicKey, error) {
key, err := cs.Create(role, data.ECDSAKey)
key, err := cs.Create(role, gun, data.ECDSAKey)
if err != nil {
return nil, err
}
@ -43,8 +43,7 @@ func createKey(cs signed.CryptoService, gun, role string) (data.PublicKey, error
// and initializes a repo with no targets. Delegations are only created
// if delegation roles are passed in.
func EmptyRepo(gun string, delegationRoles ...string) (*tuf.Repo, signed.CryptoService, error) {
cs := cryptoservice.NewCryptoService(
gun, trustmanager.NewKeyMemoryStore(passphrase.ConstantRetriever("")))
cs := cryptoservice.NewCryptoService(trustmanager.NewKeyMemoryStore(passphrase.ConstantRetriever("")))
r := tuf.NewRepo(cs)
baseRoles := map[string]data.BaseRole{}

3
tuf/testutils/swizzler.go
View File

@ -268,8 +268,7 @@ func (m *MetadataSwizzler) SignMetadataWithInvalidKey(role string) error {
}
// create an invalid key, but not in the existing CryptoService
cs := cryptoservice.NewCryptoService(
m.Gun, trustmanager.NewKeyMemoryStore(passphrase.ConstantRetriever("")))
cs := cryptoservice.NewCryptoService(trustmanager.NewKeyMemoryStore(passphrase.ConstantRetriever("")))
key, err := createKey(cs, m.Gun, role)
if err != nil {
return err

4
tuf/testutils/swizzler_test.go
View File

@ -681,7 +681,7 @@ func TestSwizzlerRotateKeyBaseRole(t *testing.T) {
theRole := data.CanonicalSnapshotRole
cs := signed.NewEd25519()
pubKey, err := cs.Create(theRole, data.ED25519Key)
pubKey, err := cs.Create(theRole, f.Gun, data.ED25519Key)
assert.NoError(t, err)
assert.NoError(t, f.RotateKey(theRole, pubKey))
@ -713,7 +713,7 @@ func TestSwizzlerRotateKeyDelegationRole(t *testing.T) {
theRole := "targets/a/b"
cs := signed.NewEd25519()
pubKey, err := cs.Create(theRole, data.ED25519Key)
pubKey, err := cs.Create(theRole, f.Gun, data.ED25519Key)
assert.NoError(t, err)
assert.NoError(t, f.RotateKey(theRole, pubKey))

64
tuf/tuf_test.go
View File

@ -14,14 +14,16 @@ import (
"github.com/stretchr/testify/assert"
)
var testGUN = "gun"
func initRepo(t *testing.T, cryptoService signed.CryptoService) *Repo {
rootKey, err := cryptoService.Create("root", data.ED25519Key)
rootKey, err := cryptoService.Create("root", testGUN, data.ED25519Key)
assert.NoError(t, err)
targetsKey, err := cryptoService.Create("targets", data.ED25519Key)
targetsKey, err := cryptoService.Create("targets", testGUN, data.ED25519Key)
assert.NoError(t, err)
snapshotKey, err := cryptoService.Create("snapshot", data.ED25519Key)
snapshotKey, err := cryptoService.Create("snapshot", testGUN, data.ED25519Key)
assert.NoError(t, err)
timestampKey, err := cryptoService.Create("timestamp", data.ED25519Key)
timestampKey, err := cryptoService.Create("timestamp", testGUN, data.ED25519Key)
assert.NoError(t, err)
rootRole := data.NewBaseRole(
@ -107,7 +109,7 @@ func TestUpdateDelegations(t *testing.T) {
ed25519 := signed.NewEd25519()
repo := initRepo(t, ed25519)
testKey, err := ed25519.Create("targets/test", data.ED25519Key)
testKey, err := ed25519.Create("targets/test", testGUN, data.ED25519Key)
assert.NoError(t, err)
err = repo.UpdateDelegationKeys("targets/test", []data.PublicKey{testKey}, []string{}, 1)
assert.NoError(t, err)
@ -126,7 +128,7 @@ func TestUpdateDelegations(t *testing.T) {
assert.Len(t, keyIDs, 1)
assert.Equal(t, testKey.ID(), keyIDs[0])
testDeepKey, err := ed25519.Create("targets/test/deep", data.ED25519Key)
testDeepKey, err := ed25519.Create("targets/test/deep", testGUN, data.ED25519Key)
assert.NoError(t, err)
err = repo.UpdateDelegationKeys("targets/test/deep", []data.PublicKey{testDeepKey}, []string{}, 1)
assert.NoError(t, err)
@ -153,7 +155,7 @@ func TestUpdateDelegationsParentMissing(t *testing.T) {
ed25519 := signed.NewEd25519()
repo := initRepo(t, ed25519)
testDeepKey, err := ed25519.Create("targets/test/deep", data.ED25519Key)
testDeepKey, err := ed25519.Create("targets/test/deep", testGUN, data.ED25519Key)
err = repo.UpdateDelegationKeys("targets/test/deep", []data.PublicKey{testDeepKey}, []string{}, 1)
assert.Error(t, err)
assert.IsType(t, data.ErrInvalidRole{}, err)
@ -176,7 +178,7 @@ func TestUpdateDelegationsMissingParentKey(t *testing.T) {
// remove the target key (all keys)
repo.cryptoService = signed.NewEd25519()
roleKey, err := ed25519.Create("Invalid Role", data.ED25519Key)
roleKey, err := ed25519.Create("Invalid Role", testGUN, data.ED25519Key)
assert.NoError(t, err)
err = repo.UpdateDelegationKeys("targets/role", []data.PublicKey{roleKey}, []string{}, 1)
@ -192,7 +194,7 @@ func TestUpdateDelegationsInvalidRole(t *testing.T) {
ed25519 := signed.NewEd25519()
repo := initRepo(t, ed25519)
roleKey, err := ed25519.Create("Invalid Role", data.ED25519Key)
roleKey, err := ed25519.Create("Invalid Role", testGUN, data.ED25519Key)
assert.NoError(t, err)
err = repo.UpdateDelegationKeys("root", []data.PublicKey{roleKey}, []string{}, 1)
@ -214,7 +216,7 @@ func TestUpdateDelegationsRoleThatIsMissingDelegationKey(t *testing.T) {
ed25519 := signed.NewEd25519()
repo := initRepo(t, ed25519)
roleKey, err := ed25519.Create("Invalid Role", data.ED25519Key)
roleKey, err := ed25519.Create("Invalid Role", testGUN, data.ED25519Key)
assert.NoError(t, err)
// key should get added to role as part of updating the delegation
@ -241,7 +243,7 @@ func TestUpdateDelegationsNotEnoughKeys(t *testing.T) {
ed25519 := signed.NewEd25519()
repo := initRepo(t, ed25519)
roleKey, err := ed25519.Create("Invalid Role", data.ED25519Key)
roleKey, err := ed25519.Create("Invalid Role", testGUN, data.ED25519Key)
assert.NoError(t, err)
err = repo.UpdateDelegationKeys("targets/role", []data.PublicKey{roleKey}, []string{}, 2)
@ -257,7 +259,7 @@ func TestUpdateDelegationsAddKeyToRole(t *testing.T) {
ed25519 := signed.NewEd25519()
repo := initRepo(t, ed25519)
testKey, err := ed25519.Create("targets/test", data.ED25519Key)
testKey, err := ed25519.Create("targets/test", testGUN, data.ED25519Key)
assert.NoError(t, err)
err = repo.UpdateDelegationKeys("targets/test", []data.PublicKey{testKey}, []string{}, 1)
assert.NoError(t, err)
@ -272,7 +274,7 @@ func TestUpdateDelegationsAddKeyToRole(t *testing.T) {
assert.Len(t, keyIDs, 1)
assert.Equal(t, testKey.ID(), keyIDs[0])
testKey2, err := ed25519.Create("targets/test", data.ED25519Key)
testKey2, err := ed25519.Create("targets/test", testGUN, data.ED25519Key)
assert.NoError(t, err)
err = repo.UpdateDelegationKeys("targets/test", []data.PublicKey{testKey2}, []string{}, 1)
@ -294,7 +296,7 @@ func TestDeleteDelegations(t *testing.T) {
ed25519 := signed.NewEd25519()
repo := initRepo(t, ed25519)
testKey, err := ed25519.Create("targets/test", data.ED25519Key)
testKey, err := ed25519.Create("targets/test", testGUN, data.ED25519Key)
assert.NoError(t, err)
err = repo.UpdateDelegationKeys("targets/test", []data.PublicKey{testKey}, []string{}, 1)
assert.NoError(t, err)
@ -334,7 +336,7 @@ func TestDeleteDelegationsRoleNotExistBecauseNoParentMeta(t *testing.T) {
ed25519 := signed.NewEd25519()
repo := initRepo(t, ed25519)
testKey, err := ed25519.Create("targets/test", data.ED25519Key)
testKey, err := ed25519.Create("targets/test", testGUN, data.ED25519Key)
assert.NoError(t, err)
err = repo.UpdateDelegationKeys("targets/test", []data.PublicKey{testKey}, []string{}, 1)
@ -415,7 +417,7 @@ func TestDeleteDelegationsMissingParentSigningKey(t *testing.T) {
ed25519 := signed.NewEd25519()
repo := initRepo(t, ed25519)
testKey, err := ed25519.Create("targets/test", data.ED25519Key)
testKey, err := ed25519.Create("targets/test", testGUN, data.ED25519Key)
assert.NoError(t, err)
err = repo.UpdateDelegationKeys("targets/test", []data.PublicKey{testKey}, []string{}, 1)
assert.NoError(t, err)
@ -460,7 +462,7 @@ func TestDeleteDelegationsMidSliceRole(t *testing.T) {
ed25519 := signed.NewEd25519()
repo := initRepo(t, ed25519)
testKey, err := ed25519.Create("targets/test", data.ED25519Key)
testKey, err := ed25519.Create("targets/test", testGUN, data.ED25519Key)
assert.NoError(t, err)
err = repo.UpdateDelegationKeys("targets/test", []data.PublicKey{testKey}, []string{}, 1)
assert.NoError(t, err)
@ -493,7 +495,7 @@ func TestGetDelegationRoleAndMetadataExistDelegationExists(t *testing.T) {
ed25519 := signed.NewEd25519()
repo := initRepo(t, ed25519)
testKey, err := ed25519.Create("meh", data.ED25519Key)
testKey, err := ed25519.Create("meh", testGUN, data.ED25519Key)
assert.NoError(t, err)
err = repo.UpdateDelegationKeys("targets/level1", []data.PublicKey{testKey}, []string{}, 1)
@ -521,7 +523,7 @@ func TestGetDelegationRoleAndMetadataExistDelegationDoesntExists(t *testing.T) {
ed25519 := signed.NewEd25519()
repo := initRepo(t, ed25519)
testKey, err := ed25519.Create("meh", data.ED25519Key)
testKey, err := ed25519.Create("meh", testGUN, data.ED25519Key)
assert.NoError(t, err)
err = repo.UpdateDelegationKeys("targets/level1", []data.PublicKey{testKey}, []string{}, 1)
@ -542,7 +544,7 @@ func TestGetDelegationRoleAndMetadataDoesntExists(t *testing.T) {
ed25519 := signed.NewEd25519()
repo := initRepo(t, ed25519)
testKey, err := ed25519.Create("meh", data.ED25519Key)
testKey, err := ed25519.Create("meh", testGUN, data.ED25519Key)
assert.NoError(t, err)
err = repo.UpdateDelegationKeys("targets/level1", []data.PublicKey{testKey}, []string{}, 1)
@ -607,7 +609,7 @@ func TestAddTargetsRoleExistsAndMetadataDoesntExist(t *testing.T) {
ed25519 := signed.NewEd25519()
repo := initRepo(t, ed25519)
testKey, err := ed25519.Create("targets/test", data.ED25519Key)
testKey, err := ed25519.Create("targets/test", testGUN, data.ED25519Key)
assert.NoError(t, err)
err = repo.UpdateDelegationKeys("targets/test", []data.PublicKey{testKey}, []string{}, 1)
assert.NoError(t, err)
@ -660,7 +662,7 @@ func TestAddTargetsNoSigningKeys(t *testing.T) {
ed25519 := signed.NewEd25519()
repo := initRepo(t, ed25519)
testKey, err := ed25519.Create("targets/test", data.ED25519Key)
testKey, err := ed25519.Create("targets/test", testGUN, data.ED25519Key)
assert.NoError(t, err)
err = repo.UpdateDelegationKeys("targets/test", []data.PublicKey{testKey}, []string{}, 1)
assert.NoError(t, err)
@ -682,7 +684,7 @@ func TestRemoveExistingAndNonexistingTargets(t *testing.T) {
ed25519 := signed.NewEd25519()
repo := initRepo(t, ed25519)
testKey, err := ed25519.Create("targets/test", data.ED25519Key)
testKey, err := ed25519.Create("targets/test", testGUN, data.ED25519Key)
assert.NoError(t, err)
err = repo.UpdateDelegationKeys("targets/test", []data.PublicKey{testKey}, []string{}, 1)
assert.NoError(t, err)
@ -734,7 +736,7 @@ func TestRemoveTargetsNoSigningKeys(t *testing.T) {
ed25519 := signed.NewEd25519()
repo := initRepo(t, ed25519)
testKey, err := ed25519.Create("targets/test", data.ED25519Key)
testKey, err := ed25519.Create("targets/test", testGUN, data.ED25519Key)
assert.NoError(t, err)
err = repo.UpdateDelegationKeys("targets/test", []data.PublicKey{testKey}, []string{}, 1)
assert.NoError(t, err)
@ -765,7 +767,7 @@ func TestAddBaseKeysToRoot(t *testing.T) {
ed25519 := signed.NewEd25519()
repo := initRepo(t, ed25519)
key, err := ed25519.Create(role, data.ED25519Key)
key, err := ed25519.Create(role, testGUN, data.ED25519Key)
assert.NoError(t, err)
assert.Len(t, repo.Root.Signed.Roles[role].KeyIDs, 1)
@ -833,7 +835,7 @@ func TestGetDelegationValidRoles(t *testing.T) {
ed25519 := signed.NewEd25519()
repo := initRepo(t, ed25519)
testKey1, err := ed25519.Create("targets/test", data.ED25519Key)
testKey1, err := ed25519.Create("targets/test", testGUN, data.ED25519Key)
assert.NoError(t, err)
err = repo.UpdateDelegationKeys("targets/test", []data.PublicKey{testKey1}, []string{}, 1)
@ -849,7 +851,7 @@ func TestGetDelegationValidRoles(t *testing.T) {
assert.Equal(t, []string{"path", "anotherpath"}, delgRole.Paths)
assert.Equal(t, testKey1, delgRole.Keys[testKey1.ID()])
testKey2, err := ed25519.Create("targets/a", data.ED25519Key)
testKey2, err := ed25519.Create("targets/a", testGUN, data.ED25519Key)
assert.NoError(t, err)
err = repo.UpdateDelegationKeys("targets/a", []data.PublicKey{testKey2}, []string{}, 1)
assert.NoError(t, err)
@ -864,7 +866,7 @@ func TestGetDelegationValidRoles(t *testing.T) {
assert.Equal(t, []string{""}, delgRole.Paths)
assert.Equal(t, testKey2, delgRole.Keys[testKey2.ID()])
testKey3, err := ed25519.Create("targets/test/b", data.ED25519Key)
testKey3, err := ed25519.Create("targets/test/b", testGUN, data.ED25519Key)
assert.NoError(t, err)
err = repo.UpdateDelegationKeys("targets/test/b", []data.PublicKey{testKey3}, []string{}, 1)
assert.NoError(t, err)
@ -879,7 +881,7 @@ func TestGetDelegationValidRoles(t *testing.T) {
assert.Equal(t, []string{"path/subpath", "anotherpath"}, delgRole.Paths)
assert.Equal(t, testKey3, delgRole.Keys[testKey3.ID()])
testKey4, err := ed25519.Create("targets/test/c", data.ED25519Key)
testKey4, err := ed25519.Create("targets/test/c", testGUN, data.ED25519Key)
assert.NoError(t, err)
// Try adding empty paths, ensure this is valid
err = repo.UpdateDelegationKeys("targets/test/c", []data.PublicKey{testKey4}, []string{}, 1)
@ -909,7 +911,7 @@ func TestGetDelegationRolesInvalidPaths(t *testing.T) {
ed25519 := signed.NewEd25519()
repo := initRepo(t, ed25519)
testKey1, err := ed25519.Create("targets/test", data.ED25519Key)
testKey1, err := ed25519.Create("targets/test", testGUN, data.ED25519Key)
assert.NoError(t, err)
err = repo.UpdateDelegationKeys("targets/test", []data.PublicKey{testKey1}, []string{}, 1)
@ -917,7 +919,7 @@ func TestGetDelegationRolesInvalidPaths(t *testing.T) {
err = repo.UpdateDelegationPaths("targets/test", []string{"path", "anotherpath"}, []string{}, false)
assert.NoError(t, err)
testKey2, err := ed25519.Create("targets/test/b", data.ED25519Key)
testKey2, err := ed25519.Create("targets/test/b", testGUN, data.ED25519Key)
assert.NoError(t, err)
// Now we add a delegation with a path that is not prefixed by its parent delegation, the invalid path can't be added so there is an error
err = repo.UpdateDelegationKeys("targets/test/b", []data.PublicKey{testKey2}, []string{}, 1)