docker
/
docs
mirror of https://github.com/docker/docs.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

fixing tests 

Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)
This commit is contained in:
David Lawrence 2015-11-05 16:05:09 -08:00
parent 0fd1fa6ada
commit b7c38f0287
12 changed files with 886 additions and 919 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
client/repo.go
View File

@ -7,6 +7,7 @@ import (
"net/http" "net/http"
"path/filepath" "path/filepath"
"github.com/docker/notary"
"github.com/docker/notary/cryptoservice" "github.com/docker/notary/cryptoservice"
"github.com/docker/notary/keystoremanager" "github.com/docker/notary/keystoremanager"
"github.com/docker/notary/passphrase" "github.com/docker/notary/passphrase"
@ -19,7 +20,7 @@ import (
// (usually ~/.docker/trust/). // (usually ~/.docker/trust/).
func NewNotaryRepository(baseDir, gun, baseURL string, rt http.RoundTripper, func NewNotaryRepository(baseDir, gun, baseURL string, rt http.RoundTripper,
retriever passphrase.Retriever) (*NotaryRepository, error) { retriever passphrase.Retriever) (*NotaryRepository, error) {
keysPath := filepath.Join(baseDir, keystoremanager.PrivDir) keysPath := filepath.Join(baseDir, notary.PrivDir)
fileKeyStore, err := trustmanager.NewKeyFileStore(keysPath, retriever) fileKeyStore, err := trustmanager.NewKeyFileStore(keysPath, retriever)
if err != nil { if err != nil {
return nil, fmt.Errorf("failed to create private key store in directory: %s", keysPath) return nil, fmt.Errorf("failed to create private key store in directory: %s", keysPath)

3
client/repo_pkcs11.go
View File

@ -7,6 +7,7 @@ import (
"net/http" "net/http"
"path/filepath" "path/filepath"
"github.com/docker/notary"
"github.com/docker/notary/cryptoservice" "github.com/docker/notary/cryptoservice"
"github.com/docker/notary/keystoremanager" "github.com/docker/notary/keystoremanager"
"github.com/docker/notary/passphrase" "github.com/docker/notary/passphrase"
@ -21,7 +22,7 @@ import (
func NewNotaryRepository(baseDir, gun, baseURL string, rt http.RoundTripper, func NewNotaryRepository(baseDir, gun, baseURL string, rt http.RoundTripper,
retriever passphrase.Retriever) (*NotaryRepository, error) { retriever passphrase.Retriever) (*NotaryRepository, error) {
keysPath := filepath.Join(baseDir, keystoremanager.PrivDir) keysPath := filepath.Join(baseDir, notary.PrivDir)
fileKeyStore, err := trustmanager.NewKeyFileStore(keysPath, retriever) fileKeyStore, err := trustmanager.NewKeyFileStore(keysPath, retriever)
if err != nil { if err != nil {
return nil, fmt.Errorf("failed to create private key store in directory: %s", keysPath) return nil, fmt.Errorf("failed to create private key store in directory: %s", keysPath)

5
cmd/notary/cert.go
View File

@ -8,6 +8,7 @@ import (
"path/filepath" "path/filepath"
"time" "time"
"github.com/docker/notary"
"github.com/docker/notary/keystoremanager" "github.com/docker/notary/keystoremanager"
"github.com/docker/notary/trustmanager" "github.com/docker/notary/trustmanager"
@ -56,7 +57,7 @@ func certRemove(cmd *cobra.Command, args []string) {
parseConfig() parseConfig()
keysPath := filepath.Join(trustDir, keystoremanager.PrivDir) keysPath := filepath.Join(trustDir, notary.PrivDir)
fileKeyStore, err := trustmanager.NewKeyFileStore(keysPath, retriever) fileKeyStore, err := trustmanager.NewKeyFileStore(keysPath, retriever)
if err != nil { if err != nil {
fatalf("failed to create private key store in directory: %s", keysPath) fatalf("failed to create private key store in directory: %s", keysPath)
@ -125,7 +126,7 @@ func certList(cmd *cobra.Command, args []string) {
parseConfig() parseConfig()
keysPath := filepath.Join(trustDir, keystoremanager.PrivDir) keysPath := filepath.Join(trustDir, notary.PrivDir)
fileKeyStore, err := trustmanager.NewKeyFileStore(keysPath, retriever) fileKeyStore, err := trustmanager.NewKeyFileStore(keysPath, retriever)
if err != nil { if err != nil {
fatalf("failed to create private key store in directory: %s", keysPath) fatalf("failed to create private key store in directory: %s", keysPath)

18
cmd/notary/keys.go
View File

@ -8,9 +8,9 @@ import (
"sort" "sort"
"strings" "strings"
"github.com/docker/notary"
notaryclient "github.com/docker/notary/client" notaryclient "github.com/docker/notary/client"
"github.com/docker/notary/cryptoservice" "github.com/docker/notary/cryptoservice"
"github.com/docker/notary/keystoremanager"
"github.com/docker/notary/passphrase" "github.com/docker/notary/passphrase"
"github.com/docker/notary/signer/api" "github.com/docker/notary/signer/api"
"github.com/docker/notary/trustmanager" "github.com/docker/notary/trustmanager"
@ -115,7 +115,7 @@ func keysRemoveKey(cmd *cobra.Command, args []string) {
parseConfig() parseConfig()
keysPath := filepath.Join(trustDir, keystoremanager.PrivDir) keysPath := filepath.Join(trustDir, notary.PrivDir)
fileKeyStore, err := trustmanager.NewKeyFileStore(keysPath, retriever) fileKeyStore, err := trustmanager.NewKeyFileStore(keysPath, retriever)
if err != nil { if err != nil {
fatalf("failed to create private key store in directory: %s", keysPath) fatalf("failed to create private key store in directory: %s", keysPath)
@ -157,7 +157,7 @@ func keysList(cmd *cobra.Command, args []string) {
parseConfig() parseConfig()
keysPath := filepath.Join(trustDir, keystoremanager.PrivDir) keysPath := filepath.Join(trustDir, notary.PrivDir)
fileKeyStore, err := trustmanager.NewKeyFileStore(keysPath, retriever) fileKeyStore, err := trustmanager.NewKeyFileStore(keysPath, retriever)
if err != nil { if err != nil {
fatalf("failed to create private key store in directory: %s", keysPath) fatalf("failed to create private key store in directory: %s", keysPath)
@ -213,7 +213,7 @@ func keysGenerateRootKey(cmd *cobra.Command, args []string) {
parseConfig() parseConfig()
keysPath := filepath.Join(trustDir, keystoremanager.PrivDir) keysPath := filepath.Join(trustDir, notary.PrivDir)
fileKeyStore, err := trustmanager.NewKeyFileStore(keysPath, retriever) fileKeyStore, err := trustmanager.NewKeyFileStore(keysPath, retriever)
if err != nil { if err != nil {
fatalf("failed to create private key store in directory: %s", keysPath) fatalf("failed to create private key store in directory: %s", keysPath)
@ -225,7 +225,7 @@ func keysGenerateRootKey(cmd *cobra.Command, args []string) {
fatalf("failed to create a new root key: %v", err) fatalf("failed to create a new root key: %v", err)
} }
fmt.Printf("Generated new %s key with keyID: %s\n", algorithm, pubKey.ID()) fmt.Printf("Generated new %s root key with keyID: %s\n", algorithm, pubKey.ID())
} }
// keysExport exports a collection of keys to a ZIP file // keysExport exports a collection of keys to a ZIP file
@ -239,7 +239,7 @@ func keysExport(cmd *cobra.Command, args []string) {
parseConfig() parseConfig()
keysPath := filepath.Join(trustDir, keystoremanager.PrivDir) keysPath := filepath.Join(trustDir, notary.PrivDir)
fileKeyStore, err := trustmanager.NewKeyFileStore(keysPath, retriever) fileKeyStore, err := trustmanager.NewKeyFileStore(keysPath, retriever)
if err != nil { if err != nil {
fatalf("failed to create private key store in directory: %s", keysPath) fatalf("failed to create private key store in directory: %s", keysPath)
@ -284,7 +284,7 @@ func keysExportRoot(cmd *cobra.Command, args []string) {
parseConfig() parseConfig()
keysPath := filepath.Join(trustDir, keystoremanager.PrivDir) keysPath := filepath.Join(trustDir, notary.PrivDir)
fileKeyStore, err := trustmanager.NewKeyFileStore(keysPath, retriever) fileKeyStore, err := trustmanager.NewKeyFileStore(keysPath, retriever)
if err != nil { if err != nil {
fatalf("failed to create private key store in directory: %s", keysPath) fatalf("failed to create private key store in directory: %s", keysPath)
@ -321,7 +321,7 @@ func keysImport(cmd *cobra.Command, args []string) {
parseConfig() parseConfig()
keysPath := filepath.Join(trustDir, keystoremanager.PrivDir) keysPath := filepath.Join(trustDir, notary.PrivDir)
fileKeyStore, err := trustmanager.NewKeyFileStore(keysPath, retriever) fileKeyStore, err := trustmanager.NewKeyFileStore(keysPath, retriever)
if err != nil { if err != nil {
fatalf("failed to create private key store in directory: %s", keysPath) fatalf("failed to create private key store in directory: %s", keysPath)
@ -352,7 +352,7 @@ func keysImportRoot(cmd *cobra.Command, args []string) {
parseConfig() parseConfig()
keysPath := filepath.Join(trustDir, keystoremanager.PrivDir) keysPath := filepath.Join(trustDir, notary.PrivDir)
fileKeyStore, err := trustmanager.NewKeyFileStore(keysPath, retriever) fileKeyStore, err := trustmanager.NewKeyFileStore(keysPath, retriever)
if err != nil { if err != nil {
fatalf("failed to create private key store in directory: %s", keysPath) fatalf("failed to create private key store in directory: %s", keysPath)

6
const.go Normal file
View File

@ -0,0 +1,6 @@
package notary
// application wide constants
const (
PrivDir = "private"
)

24
cryptoservice/crypto_service.go
View File

@ -57,10 +57,10 @@ func (cs *CryptoService) Create(role, algorithm string) (data.PublicKey, error)
if role == data.CanonicalRootRole { if role == data.CanonicalRootRole {
keyPath = privKey.ID() keyPath = privKey.ID()
} else { } else {
keyPath = filepath.Join(ccs.gun, privKey.ID()) keyPath = filepath.Join(cs.gun, privKey.ID())
} }
for _, ks := range ccs.keyStores { for _, ks := range cs.keyStores {
err = ks.AddKey(keyPath, role, privKey) err = ks.AddKey(keyPath, role, privKey)
if err == nil { if err == nil {
return data.PublicKeyFromPrivate(privKey), nil return data.PublicKeyFromPrivate(privKey), nil
@ -77,11 +77,11 @@ func (cs *CryptoService) Create(role, algorithm string) (data.PublicKey, error)
// without a GUN (in which case it's a root key). If that fails, try to get // without a GUN (in which case it's a root key). If that fails, try to get
// the key with the GUN (non-root key). // the key with the GUN (non-root key).
// If that fails, then we don't have the key. // If that fails, then we don't have the key.
func (ccs *CryptoService) GetPrivateKey(keyID string) (k data.PrivateKey, id string, err error) { func (cs *CryptoService) GetPrivateKey(keyID string) (k data.PrivateKey, role string, err error) {
keyPaths := []string{keyID, filepath.Join(ccs.gun, keyID)} keyPaths := []string{keyID, filepath.Join(cs.gun, keyID)}
for _, ks := range ccs.keyStores { for _, ks := range cs.keyStores {
for _, keyPath := range keyPaths { for _, keyPath := range keyPaths {
k, id, err = ks.GetKey(keyPath) k, role, err = ks.GetKey(keyPath)
if err != nil { if err != nil {
continue continue
} }
@ -92,8 +92,8 @@ func (ccs *CryptoService) GetPrivateKey(keyID string) (k data.PrivateKey, id str
} }
// GetKey returns a key by ID // GetKey returns a key by ID
func (ccs *CryptoService) GetKey(keyID string) data.PublicKey { func (cs *CryptoService) GetKey(keyID string) data.PublicKey {
privKey, _, err := ccs.GetPrivateKey(keyID) privKey, _, err := cs.GetPrivateKey(keyID)
if err != nil { if err != nil {
return nil return nil
} }
@ -101,9 +101,9 @@ func (ccs *CryptoService) GetKey(keyID string) data.PublicKey {
} }
// RemoveKey deletes a key by ID // RemoveKey deletes a key by ID
func (ccs *CryptoService) RemoveKey(keyID string) (err error) { func (cs *CryptoService) RemoveKey(keyID string) (err error) {
keyPaths := []string{keyID, filepath.Join(ccs.gun, keyID)} keyPaths := []string{keyID, filepath.Join(cs.gun, keyID)}
for _, ks := range ccs.keyStores { for _, ks := range cs.keyStores {
for _, keyPath := range keyPaths { for _, keyPath := range keyPaths {
_, _, err = ks.GetKey(keyPath) _, _, err = ks.GetKey(keyPath)
if err != nil { if err != nil {
@ -124,7 +124,7 @@ func (cs *CryptoService) Sign(keyIDs []string, payload []byte) ([]data.Signature
for _, keyid := range keyIDs { for _, keyid := range keyIDs {
keyName := keyid keyName := keyid
privKey, _, err := ccs.GetPrivateKey(keyName) privKey, _, err := cs.GetPrivateKey(keyName)
if err != nil { if err != nil {
logrus.Debugf("error attempting to retrieve private key: %s, %v", keyid, err) logrus.Debugf("error attempting to retrieve private key: %s, %v", keyid, err)
continue continue

22
cryptoservice/import_export.go
View File

@ -11,7 +11,7 @@ import (
"path/filepath" "path/filepath"
"strings" "strings"
"github.com/docker/notary/keystoremanager" "github.com/docker/notary"
"github.com/docker/notary/passphrase" "github.com/docker/notary/passphrase"
"github.com/docker/notary/trustmanager" "github.com/docker/notary/trustmanager"
) )
@ -72,7 +72,7 @@ func (cs *CryptoService) ExportRootKeyReencrypt(dest io.Writer, keyID string, ne
tempBaseDir, err := ioutil.TempDir("", "notary-key-export-") tempBaseDir, err := ioutil.TempDir("", "notary-key-export-")
defer os.RemoveAll(tempBaseDir) defer os.RemoveAll(tempBaseDir)
tempKeysPath := filepath.Join(tempBaseDir, keystoremanager.PrivDir) tempKeysPath := filepath.Join(tempBaseDir, notary.PrivDir)
tempKeyStore, err := trustmanager.NewKeyFileStore(tempKeysPath, newPassphraseRetriever) tempKeyStore, err := trustmanager.NewKeyFileStore(tempKeysPath, newPassphraseRetriever)
if err != nil { if err != nil {
return err return err
@ -127,7 +127,7 @@ func (cs *CryptoService) ExportAllKeys(dest io.Writer, newPassphraseRetriever pa
defer os.RemoveAll(tempBaseDir) defer os.RemoveAll(tempBaseDir)
// Create temporary keystore to use as a staging area // Create temporary keystore to use as a staging area
tempKeysPath := filepath.Join(tempBaseDir, keystoremanager.PrivDir) tempKeysPath := filepath.Join(tempBaseDir, notary.PrivDir)
tempKeyStore, err := trustmanager.NewKeyFileStore(tempKeysPath, newPassphraseRetriever) tempKeyStore, err := trustmanager.NewKeyFileStore(tempKeysPath, newPassphraseRetriever)
if err != nil { if err != nil {
return err return err
@ -141,7 +141,7 @@ func (cs *CryptoService) ExportAllKeys(dest io.Writer, newPassphraseRetriever pa
zipWriter := zip.NewWriter(dest) zipWriter := zip.NewWriter(dest)
if err := addKeysToArchive(zipWriter, tempKeyStore, keystoremanager.PrivDir); err != nil { if err := addKeysToArchive(zipWriter, tempKeyStore, notary.PrivDir); err != nil {
return err return err
} }
@ -176,13 +176,13 @@ func (cs *CryptoService) ImportKeysZip(zipReader zip.Reader) error {
// Note that using / as a separator is okay here - the zip // Note that using / as a separator is okay here - the zip
// package guarantees that the separator will be / // package guarantees that the separator will be /
if strings.HasPrefix(fNameTrimmed, keystoremanager.PrivDir) { if strings.HasPrefix(fNameTrimmed, notary.PrivDir) {
if fNameTrimmed[len(fNameTrimmed)-5:] == "_root" { if fNameTrimmed[len(fNameTrimmed)-5:] == "_root" {
if err = checkRootKeyIsEncrypted(fileBytes); err != nil { if err = checkRootKeyIsEncrypted(fileBytes); err != nil {
return err return err
} }
} }
keyName := strings.TrimPrefix(fNameTrimmed, keystoremanager.PrivDir) keyName := strings.TrimPrefix(fNameTrimmed, notary.PrivDir)
newKeys[keyName] = fileBytes newKeys[keyName] = fileBytes
} else { } else {
// This path inside the zip archive doesn't look like a // This path inside the zip archive doesn't look like a
@ -194,9 +194,11 @@ func (cs *CryptoService) ImportKeysZip(zipReader zip.Reader) error {
} }
for keyName, pemBytes := range newKeys { for keyName, pemBytes := range newKeys {
parts := strings.Split(keyName, "_") if keyName[len(keyName)-5:] == "_root" {
keyName = "root"
}
for _, ks := range cs.keyStores { for _, ks := range cs.keyStores {
if err := ks.ImportKey(pemBytes, parts[1]); err != nil { if err := ks.ImportKey(pemBytes, keyName); err != nil {
return err return err
} }
} }
@ -213,7 +215,7 @@ func (cs *CryptoService) ExportKeysByGUN(dest io.Writer, gun string, passphraseR
defer os.RemoveAll(tempBaseDir) defer os.RemoveAll(tempBaseDir)
// Create temporary keystore to use as a staging area // Create temporary keystore to use as a staging area
tempKeysPath := filepath.Join(tempBaseDir, keystoremanager.PrivDir) tempKeysPath := filepath.Join(tempBaseDir, notary.PrivDir)
tempKeyStore, err := trustmanager.NewKeyFileStore(tempKeysPath, passphraseRetriever) tempKeyStore, err := trustmanager.NewKeyFileStore(tempKeysPath, passphraseRetriever)
if err != nil { if err != nil {
return err return err
@ -231,7 +233,7 @@ func (cs *CryptoService) ExportKeysByGUN(dest io.Writer, gun string, passphraseR
return ErrNoKeysFoundForGUN return ErrNoKeysFoundForGUN
} }
if err := addKeysToArchive(zipWriter, tempKeyStore, keystoremanager.PrivDir); err != nil { if err := addKeysToArchive(zipWriter, tempKeyStore, notary.PrivDir); err != nil {
return err return err
} }

841
cryptoservice/import_export_test.go
View File

@ -1,447 +1,398 @@
package cryptoservice package cryptoservice
//import ( import (
// "archive/zip" "archive/zip"
// "bytes" "bytes"
// "fmt" "fmt"
// "io/ioutil" "io/ioutil"
// "net/http" "net/http"
// "net/http/httptest" "net/http/httptest"
// "os" "os"
// "path/filepath" "path/filepath"
// "strings" "strings"
// "testing" "testing"
//
// "github.com/docker/notary/client" "github.com/docker/notary/trustmanager"
// "github.com/docker/notary/keystoremanager" "github.com/docker/notary/tuf/data"
// "github.com/docker/notary/trustmanager" "github.com/stretchr/testify/assert"
// "github.com/docker/notary/tuf/data" )
// "github.com/stretchr/testify/assert"
//) const timestampECDSAKeyJSON = `
// {"keytype":"ecdsa","keyval":{"public":"MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEgl3rzMPMEKhS1k/AX16MM4PdidpjJr+z4pj0Td+30QnpbOIARgpyR1PiFztU8BZlqG3cUazvFclr2q/xHvfrqw==","private":"MHcCAQEEIDqtcdzU7H3AbIPSQaxHl9+xYECt7NpK7B1+6ep5cv9CoAoGCCqGSM49AwEHoUQDQgAEgl3rzMPMEKhS1k/AX16MM4PdidpjJr+z4pj0Td+30QnpbOIARgpyR1PiFztU8BZlqG3cUazvFclr2q/xHvfrqw=="}}`
//const timestampECDSAKeyJSON = `
//{"keytype":"ecdsa","keyval":{"public":"MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEgl3rzMPMEKhS1k/AX16MM4PdidpjJr+z4pj0Td+30QnpbOIARgpyR1PiFztU8BZlqG3cUazvFclr2q/xHvfrqw==","private":"MHcCAQEEIDqtcdzU7H3AbIPSQaxHl9+xYECt7NpK7B1+6ep5cv9CoAoGCCqGSM49AwEHoUQDQgAEgl3rzMPMEKhS1k/AX16MM4PdidpjJr+z4pj0Td+30QnpbOIARgpyR1PiFztU8BZlqG3cUazvFclr2q/xHvfrqw=="}}` func createTestServer(t *testing.T) (*httptest.Server, *http.ServeMux) {
// mux := http.NewServeMux()
//func createTestServer(t *testing.T) (*httptest.Server, *http.ServeMux) { // TUF will request /v2/docker.com/notary/_trust/tuf/timestamp.key
// mux := http.NewServeMux() // Return a canned timestamp.key
// // TUF will request /v2/docker.com/notary/_trust/tuf/timestamp.key mux.HandleFunc("/v2/docker.com/notary/_trust/tuf/timestamp.key", func(w http.ResponseWriter, r *http.Request) {
// // Return a canned timestamp.key // Also contains the private key, but for the purpose of this
// mux.HandleFunc("/v2/docker.com/notary/_trust/tuf/timestamp.key", func(w http.ResponseWriter, r *http.Request) { // test, we don't care
// // Also contains the private key, but for the purpose of this fmt.Fprint(w, timestampECDSAKeyJSON)
// // test, we don't care })
// fmt.Fprint(w, timestampECDSAKeyJSON)
// }) ts := httptest.NewServer(mux)
//
// ts := httptest.NewServer(mux) return ts, mux
// }
// return ts, mux
//} var oldPassphrase = "oldPassphrase"
// var exportPassphrase = "exportPassphrase"
//var oldPassphrase = "oldPassphrase" var oldPassphraseRetriever = func(string, string, bool, int) (string, bool, error) { return oldPassphrase, false, nil }
//var exportPassphrase = "exportPassphrase" var newPassphraseRetriever = func(string, string, bool, int) (string, bool, error) { return exportPassphrase, false, nil }
//var oldPassphraseRetriever = func(string, string, bool, int) (string, bool, error) { return oldPassphrase, false, nil }
//var newPassphraseRetriever = func(string, string, bool, int) (string, bool, error) { return exportPassphrase, false, nil } func TestImportExportZip(t *testing.T) {
// gun := "docker.com/notary"
//func TestImportExportZip(t *testing.T) {
// gun := "docker.com/notary" // Temporary directory where test files will be created
// tempBaseDir, err := ioutil.TempDir("", "notary-test-")
// // Temporary directory where test files will be created defer os.RemoveAll(tempBaseDir)
// tempBaseDir, err := ioutil.TempDir("", "notary-test-") assert.NoError(t, err, "failed to create a temporary directory: %s", err)
// defer os.RemoveAll(tempBaseDir)
// fileStore, err := trustmanager.NewKeyFileStore(filepath.Join(tempBaseDir, "private"), newPassphraseRetriever)
// assert.NoError(t, err, "failed to create a temporary directory: %s", err) cs := NewCryptoService(gun, fileStore)
// pubKey, err := cs.Create(data.CanonicalRootRole, data.ECDSAKey)
// ts, _ := createTestServer(t) assert.NoError(t, err)
// defer ts.Close()
// rootKeyID := pubKey.ID()
// repo, err := client.NewNotaryRepository(tempBaseDir, gun, ts.URL, http.DefaultTransport, oldPassphraseRetriever)
// assert.NoError(t, err, "error creating repo: %s", err) tempZipFile, err := ioutil.TempFile("", "notary-test-export-")
// tempZipFilePath := tempZipFile.Name()
// rootKeyID, err := repo.KeyStoreManager.GenRootKey(data.ECDSAKey) defer os.Remove(tempZipFilePath)
// assert.NoError(t, err, "error generating root key: %s", err)
// err = cs.ExportAllKeys(tempZipFile, newPassphraseRetriever)
// err = repo.Initialize(rootKeyID) tempZipFile.Close()
// assert.NoError(t, err, "error creating repository: %s", err) assert.NoError(t, err)
//
// tempZipFile, err := ioutil.TempFile("", "notary-test-export-") // Reopen the zip file for importing
// tempZipFilePath := tempZipFile.Name() zipReader, err := zip.OpenReader(tempZipFilePath)
// defer os.Remove(tempZipFilePath) assert.NoError(t, err, "could not open zip file")
//
// err = repo.KeyStoreManager.ExportAllKeys(tempZipFile, newPassphraseRetriever) // Map of files to expect in the zip file, with the passphrases
// tempZipFile.Close() passphraseByFile := make(map[string]string)
// assert.NoError(t, err)
// // Add non-root keys to the map. These should use the new passphrase
// // Reopen the zip file for importing // because the passwords were chosen by the newPassphraseRetriever.
// zipReader, err := zip.OpenReader(tempZipFilePath) privKeyMap := cs.ListAllKeys()
// assert.NoError(t, err, "could not open zip file") for privKeyName := range privKeyMap {
// _, alias, err := cs.GetPrivateKey(privKeyName)
// // Map of files to expect in the zip file, with the passphrases assert.NoError(t, err, "privKey %s has no alias", privKeyName)
// passphraseByFile := make(map[string]string)
// if alias == "root" {
// // Add non-root keys to the map. These should use the new passphrase continue
// // because the passwords were chosen by the newPassphraseRetriever. }
// privKeyMap := repo.KeyStoreManager.KeyStore.ListKeys() relKeyPath := filepath.Join("private", "tuf_keys", privKeyName+"_"+alias+".key")
// for privKeyName := range privKeyMap { passphraseByFile[relKeyPath] = exportPassphrase
// _, alias, err := repo.KeyStoreManager.KeyStore.GetKey(privKeyName) }
// assert.NoError(t, err, "privKey %s has no alias", privKeyName)
// // Add root key to the map. This will use the export passphrase because it
// if alias == "root" { // will be reencrypted.
// continue relRootKey := filepath.Join("private", "root_keys", rootKeyID+"_root.key")
// } passphraseByFile[relRootKey] = exportPassphrase
// relKeyPath := filepath.Join("private", "tuf_keys", privKeyName+"_"+alias+".key")
// passphraseByFile[relKeyPath] = exportPassphrase // Iterate through the files in the archive, checking that the files
// } // exist and are encrypted with the expected passphrase.
// for _, f := range zipReader.File {
// // Add root key to the map. This will use the export passphrase because it expectedPassphrase, present := passphraseByFile[f.Name]
// // will be reencrypted. if !present {
// relRootKey := filepath.Join("private", "root_keys", rootKeyID+"_root.key") t.Fatalf("unexpected file %s in zip file", f.Name)
// passphraseByFile[relRootKey] = exportPassphrase }
//
// // Iterate through the files in the archive, checking that the files delete(passphraseByFile, f.Name)
// // exist and are encrypted with the expected passphrase.
// for _, f := range zipReader.File { rc, err := f.Open()
// expectedPassphrase, present := passphraseByFile[f.Name] assert.NoError(t, err, "could not open file inside zip archive")
// if !present {
// t.Fatalf("unexpected file %s in zip file", f.Name) pemBytes, err := ioutil.ReadAll(rc)
// } assert.NoError(t, err, "could not read file from zip")
//
// delete(passphraseByFile, f.Name) _, err = trustmanager.ParsePEMPrivateKey(pemBytes, expectedPassphrase)
// assert.NoError(t, err, "PEM not encrypted with the expected passphrase")
// rc, err := f.Open()
// assert.NoError(t, err, "could not open file inside zip archive") rc.Close()
// }
// pemBytes, err := ioutil.ReadAll(rc)
// assert.NoError(t, err, "could not read file from zip") zipReader.Close()
//
// _, err = trustmanager.ParsePEMPrivateKey(pemBytes, expectedPassphrase) // Are there any keys that didn't make it to the zip?
// assert.NoError(t, err, "PEM not encrypted with the expected passphrase") for fileNotFound := range passphraseByFile {
// t.Fatalf("%s not found in zip", fileNotFound)
// rc.Close() }
// }
// // Create new repo to test import
// zipReader.Close() tempBaseDir2, err := ioutil.TempDir("", "notary-test-")
// defer os.RemoveAll(tempBaseDir2)
// // Are there any keys that didn't make it to the zip? assert.NoError(t, err, "failed to create a temporary directory: %s", err)
// for fileNotFound := range passphraseByFile {
// t.Fatalf("%s not found in zip", fileNotFound) fileStore2, err := trustmanager.NewKeyFileStore(filepath.Join(tempBaseDir2, "private"), newPassphraseRetriever)
// } assert.NoError(t, err)
// cs2 := NewCryptoService(gun, fileStore2)
// // Create new repo to test import
// tempBaseDir2, err := ioutil.TempDir("", "notary-test-") // Reopen the zip file for importing
// defer os.RemoveAll(tempBaseDir2) zipReader, err = zip.OpenReader(tempZipFilePath)
// assert.NoError(t, err, "could not open zip file")
// assert.NoError(t, err, "failed to create a temporary directory: %s", err)
// // Now try with a valid passphrase. This time it should succeed.
// repo2, err := client.NewNotaryRepository(tempBaseDir2, gun, ts.URL, http.DefaultTransport, newPassphraseRetriever) err = cs2.ImportKeysZip(zipReader.Reader)
// assert.NoError(t, err, "error creating repo: %s", err) assert.NoError(t, err)
// zipReader.Close()
// rootKeyID2, err := repo2.KeyStoreManager.GenRootKey(data.ECDSAKey)
// assert.NoError(t, err, "error generating root key: %s", err) // Look for keys in private. The filenames should match the key IDs
// // in the repo's private key store.
// err = repo2.Initialize(rootKeyID2) for privKeyName := range privKeyMap {
// assert.NoError(t, err, "error creating repository: %s", err) _, alias, err := cs2.GetPrivateKey(privKeyName)
// assert.NoError(t, err, "privKey %s has no alias", privKeyName)
// // Reopen the zip file for importing
// zipReader, err = zip.OpenReader(tempZipFilePath) if alias == "root" {
// assert.NoError(t, err, "could not open zip file") continue
// }
// // Now try with a valid passphrase. This time it should succeed. relKeyPath := filepath.Join("private", "tuf_keys", privKeyName+"_"+alias+".key")
// err = repo2.KeyStoreManager.ImportKeysZip(zipReader.Reader) privKeyFileName := filepath.Join(tempBaseDir2, relKeyPath)
// assert.NoError(t, err) _, err = os.Stat(privKeyFileName)
// zipReader.Close() assert.NoError(t, err, "missing private key for role %s: %s", alias, privKeyName)
// }
// // Look for keys in private. The filenames should match the key IDs
// // in the repo's private key store. // Look for keys in root_keys
// for privKeyName := range privKeyMap { // There should be a file named after the key ID of the root key we
// _, alias, err := repo.KeyStoreManager.KeyStore.GetKey(privKeyName) // passed in.
// assert.NoError(t, err, "privKey %s has no alias", privKeyName) rootKeyFilename := rootKeyID + "_root.key"
// _, err = os.Stat(filepath.Join(tempBaseDir2, "private", "root_keys", rootKeyFilename))
// if alias == "root" { assert.NoError(t, err, "missing root key")
// continue }
// }
// relKeyPath := filepath.Join("private", "tuf_keys", privKeyName+"_"+alias+".key") func TestImportExportGUN(t *testing.T) {
// privKeyFileName := filepath.Join(tempBaseDir2, relKeyPath) gun := "docker.com/notary"
// _, err = os.Stat(privKeyFileName)
// assert.NoError(t, err, "missing private key: %s", privKeyName) // Temporary directory where test files will be created
// } tempBaseDir, err := ioutil.TempDir("", "notary-test-")
// defer os.RemoveAll(tempBaseDir)
// // Look for keys in root_keys assert.NoError(t, err, "failed to create a temporary directory: %s", err)
// // There should be a file named after the key ID of the root key we
// // passed in. fileStore, err := trustmanager.NewKeyFileStore(filepath.Join(tempBaseDir, "private"), newPassphraseRetriever)
// rootKeyFilename := rootKeyID + "_root.key" cs := NewCryptoService(gun, fileStore)
// _, err = os.Stat(filepath.Join(tempBaseDir2, "private", "root_keys", rootKeyFilename)) _, err = cs.Create(data.CanonicalRootRole, data.ECDSAKey)
// assert.NoError(t, err, "missing root key") _, err = cs.Create(data.CanonicalTargetsRole, data.ECDSAKey)
//} _, err = cs.Create(data.CanonicalSnapshotRole, data.ECDSAKey)
// assert.NoError(t, err)
//func TestImportExportGUN(t *testing.T) {
// gun := "docker.com/notary" tempZipFile, err := ioutil.TempFile("", "notary-test-export-")
// tempZipFilePath := tempZipFile.Name()
// // Temporary directory where test files will be created defer os.Remove(tempZipFilePath)
// tempBaseDir, err := ioutil.TempDir("", "notary-test-")
// defer os.RemoveAll(tempBaseDir) err = cs.ExportKeysByGUN(tempZipFile, gun, newPassphraseRetriever)
// assert.NoError(t, err)
// assert.NoError(t, err, "failed to create a temporary directory: %s", err)
// // With an invalid GUN, this should return an error
// ts, _ := createTestServer(t) err = cs.ExportKeysByGUN(tempZipFile, "does.not.exist/in/repository", newPassphraseRetriever)
// defer ts.Close() assert.EqualError(t, err, ErrNoKeysFoundForGUN.Error())
//
// repo, err := client.NewNotaryRepository(tempBaseDir, gun, ts.URL, http.DefaultTransport, oldPassphraseRetriever) tempZipFile.Close()
// assert.NoError(t, err, "error creating repo: %s", err)
// // Reopen the zip file for importing
// rootKeyID, err := repo.KeyStoreManager.GenRootKey(data.ECDSAKey) zipReader, err := zip.OpenReader(tempZipFilePath)
// assert.NoError(t, err, "error generating root key: %s", err) assert.NoError(t, err, "could not open zip file")
//
// err = repo.Initialize(rootKeyID) // Map of files to expect in the zip file, with the passphrases
// assert.NoError(t, err, "error creating repository: %s", err) passphraseByFile := make(map[string]string)
//
// tempZipFile, err := ioutil.TempFile("", "notary-test-export-") // Add keys non-root keys to the map. These should use the new passphrase
// tempZipFilePath := tempZipFile.Name() // because they were formerly unencrypted.
// defer os.Remove(tempZipFilePath) privKeyMap := cs.ListAllKeys()
// for privKeyName := range privKeyMap {
// err = repo.KeyStoreManager.ExportKeysByGUN(tempZipFile, gun, newPassphraseRetriever) _, alias, err := cs.GetPrivateKey(privKeyName)
// assert.NoError(t, err) if err != nil {
// t.Fatalf("privKey %s has no alias", privKeyName)
// // With an invalid GUN, this should return an error }
// err = repo.KeyStoreManager.ExportKeysByGUN(tempZipFile, "does.not.exist/in/repository", newPassphraseRetriever) if alias == "root" {
// assert.EqualError(t, err, keystoremanager.ErrNoKeysFoundForGUN.Error()) continue
// }
// tempZipFile.Close() relKeyPath := filepath.Join("private", "tuf_keys", privKeyName+"_"+alias+".key")
//
// // Reopen the zip file for importing passphraseByFile[relKeyPath] = exportPassphrase
// zipReader, err := zip.OpenReader(tempZipFilePath) }
// assert.NoError(t, err, "could not open zip file")
// // Iterate through the files in the archive, checking that the files
// // Map of files to expect in the zip file, with the passphrases // exist and are encrypted with the expected passphrase.
// passphraseByFile := make(map[string]string) for _, f := range zipReader.File {
//
// // Add keys non-root keys to the map. These should use the new passphrase expectedPassphrase, present := passphraseByFile[f.Name]
// // because they were formerly unencrypted. if !present {
// privKeyMap := repo.KeyStoreManager.KeyStore.ListKeys() t.Fatalf("unexpected file %s in zip file", f.Name)
// for privKeyName := range privKeyMap { }
// _, alias, err := repo.KeyStoreManager.KeyStore.GetKey(privKeyName)
// if err != nil { delete(passphraseByFile, f.Name)
// t.Fatalf("privKey %s has no alias", privKeyName)
// } rc, err := f.Open()
// if alias == "root" { assert.NoError(t, err, "could not open file inside zip archive")
// continue
// } pemBytes, err := ioutil.ReadAll(rc)
// relKeyPath := filepath.Join("private", "tuf_keys", privKeyName+"_"+alias+".key") assert.NoError(t, err, "could not read file from zip")
//
// passphraseByFile[relKeyPath] = exportPassphrase _, err = trustmanager.ParsePEMPrivateKey(pemBytes, expectedPassphrase)
// } assert.NoError(t, err, "PEM not encrypted with the expected passphrase")
//
// // Iterate through the files in the archive, checking that the files rc.Close()
// // exist and are encrypted with the expected passphrase. }
// for _, f := range zipReader.File {
// zipReader.Close()
// expectedPassphrase, present := passphraseByFile[f.Name]
// if !present { // Are there any keys that didn't make it to the zip?
// t.Fatalf("unexpected file %s in zip file", f.Name) for fileNotFound := range passphraseByFile {
// } t.Fatalf("%s not found in zip", fileNotFound)
// }
// delete(passphraseByFile, f.Name)
// // Create new repo to test import
// rc, err := f.Open() tempBaseDir2, err := ioutil.TempDir("", "notary-test-")
// assert.NoError(t, err, "could not open file inside zip archive") defer os.RemoveAll(tempBaseDir2)
// assert.NoError(t, err, "failed to create a temporary directory: %s", err)
// pemBytes, err := ioutil.ReadAll(rc)
// assert.NoError(t, err, "could not read file from zip") fileStore2, err := trustmanager.NewKeyFileStore(filepath.Join(tempBaseDir2, "private"), newPassphraseRetriever)
// cs2 := NewCryptoService(gun, fileStore2)
// _, err = trustmanager.ParsePEMPrivateKey(pemBytes, expectedPassphrase)
// assert.NoError(t, err, "PEM not encrypted with the expected passphrase") // Reopen the zip file for importing
// zipReader, err = zip.OpenReader(tempZipFilePath)
// rc.Close() assert.NoError(t, err, "could not open zip file")
// }
// // Now try with a valid passphrase. This time it should succeed.
// zipReader.Close() err = cs2.ImportKeysZip(zipReader.Reader)
// assert.NoError(t, err)
// // Are there any keys that didn't make it to the zip? zipReader.Close()
// for fileNotFound := range passphraseByFile {
// t.Fatalf("%s not found in zip", fileNotFound) // Look for keys in private. The filenames should match the key IDs
// } // in the repo's private key store.
// for privKeyName, role := range privKeyMap {
// // Create new repo to test import if role == "root" {
// tempBaseDir2, err := ioutil.TempDir("", "notary-test-") continue
// defer os.RemoveAll(tempBaseDir2) }
// _, alias, err := cs2.GetPrivateKey(privKeyName)
// assert.NoError(t, err, "failed to create a temporary directory: %s", err) if err != nil {
// t.Fatalf("privKey %s has no alias", privKeyName)
// repo2, err := client.NewNotaryRepository(tempBaseDir2, gun, ts.URL, http.DefaultTransport, oldPassphraseRetriever) }
// assert.NoError(t, err, "error creating repo: %s", err) if alias == "root" {
// continue
// rootKeyID2, err := repo2.KeyStoreManager.GenRootKey(data.ECDSAKey) }
// assert.NoError(t, err, "error generating root key: %s", err) relKeyPath := filepath.Join("private", "tuf_keys", privKeyName+"_"+alias+".key")
// privKeyFileName := filepath.Join(tempBaseDir2, relKeyPath)
// err = repo2.Initialize(rootKeyID2) _, err = os.Stat(privKeyFileName)
// assert.NoError(t, err, "error creating repository: %s", err) assert.NoError(t, err)
// }
// // Reopen the zip file for importing }
// zipReader, err = zip.OpenReader(tempZipFilePath)
// assert.NoError(t, err, "could not open zip file") func TestImportExportRootKey(t *testing.T) {
// gun := "docker.com/notary"
// // Now try with a valid passphrase. This time it should succeed.
// err = repo2.KeyStoreManager.ImportKeysZip(zipReader.Reader) // Temporary directory where test files will be created
// assert.NoError(t, err) tempBaseDir, err := ioutil.TempDir("", "notary-test-")
// zipReader.Close() defer os.RemoveAll(tempBaseDir)
// assert.NoError(t, err, "failed to create a temporary directory: %s", err)
// // Look for keys in private. The filenames should match the key IDs
// // in the repo's private key store. fileStore, err := trustmanager.NewKeyFileStore(filepath.Join(tempBaseDir, "private"), oldPassphraseRetriever)
// for privKeyName := range privKeyMap { cs := NewCryptoService(gun, fileStore)
// _, alias, err := repo.KeyStoreManager.KeyStore.GetKey(privKeyName) pubKey, err := cs.Create(data.CanonicalRootRole, data.ECDSAKey)
// if err != nil { assert.NoError(t, err)
// t.Fatalf("privKey %s has no alias", privKeyName)
// } rootKeyID := pubKey.ID()
// if alias == "root" {
// continue tempKeyFile, err := ioutil.TempFile("", "notary-test-export-")
// } tempKeyFilePath := tempKeyFile.Name()
// relKeyPath := filepath.Join("private", "tuf_keys", privKeyName+"_"+alias+".key") defer os.Remove(tempKeyFilePath)
// privKeyFileName := filepath.Join(tempBaseDir2, relKeyPath)
// _, err = os.Stat(privKeyFileName) err = cs.ExportRootKey(tempKeyFile, rootKeyID)
// } assert.NoError(t, err)
//} tempKeyFile.Close()
//
//func TestImportExportRootKey(t *testing.T) { // Create new repo to test import
// gun := "docker.com/notary" tempBaseDir2, err := ioutil.TempDir("", "notary-test-")
// defer os.RemoveAll(tempBaseDir2)
// // Temporary directory where test files will be created assert.NoError(t, err, "failed to create a temporary directory: %s", err)
// tempBaseDir, err := ioutil.TempDir("", "notary-test-")
// defer os.RemoveAll(tempBaseDir) fileStore2, err := trustmanager.NewKeyFileStore(filepath.Join(tempBaseDir2, "private"), oldPassphraseRetriever)
// cs2 := NewCryptoService(gun, fileStore2)
// assert.NoError(t, err, "failed to create a temporary directory: %s", err)
// keyReader, err := os.Open(tempKeyFilePath)
// ts, _ := createTestServer(t) assert.NoError(t, err, "could not open key file")
// defer ts.Close()
// err = cs2.ImportRootKey(keyReader)
// repo, err := client.NewNotaryRepository(tempBaseDir, gun, ts.URL, http.DefaultTransport, oldPassphraseRetriever) assert.NoError(t, err)
// assert.NoError(t, err, "error creating repo: %s", err) keyReader.Close()
//
// rootKeyID, err := repo.KeyStoreManager.GenRootKey(data.ECDSAKey) // Look for repo's root key in repo2
// assert.NoError(t, err, "error generating root key: %s", err) // There should be a file named after the key ID of the root key we
// // imported.
// err = repo.Initialize(rootKeyID) rootKeyFilename := rootKeyID + "_root.key"
// assert.NoError(t, err, "error creating repository: %s", err) _, err = os.Stat(filepath.Join(tempBaseDir2, "private", "root_keys", rootKeyFilename))
// assert.NoError(t, err, "missing root key")
// tempKeyFile, err := ioutil.TempFile("", "notary-test-export-")
// tempKeyFilePath := tempKeyFile.Name() // Try to import a decrypted version of the root key and make sure it
// defer os.Remove(tempKeyFilePath) // doesn't succeed
// pemBytes, err := ioutil.ReadFile(tempKeyFilePath)
// err = repo.KeyStoreManager.ExportRootKey(tempKeyFile, rootKeyID) assert.NoError(t, err, "could not read key file")
// assert.NoError(t, err) privKey, err := trustmanager.ParsePEMPrivateKey(pemBytes, oldPassphrase)
// tempKeyFile.Close() assert.NoError(t, err, "could not decrypt key file")
// decryptedPEMBytes, err := trustmanager.KeyToPEM(privKey)
// // Create new repo to test import assert.NoError(t, err, "could not convert key to PEM")
// tempBaseDir2, err := ioutil.TempDir("", "notary-test-")
// defer os.RemoveAll(tempBaseDir2) err = cs2.ImportRootKey(bytes.NewReader(decryptedPEMBytes))
// assert.EqualError(t, err, ErrRootKeyNotEncrypted.Error())
// assert.NoError(t, err, "failed to create a temporary directory: %s", err)
// // Try to import garbage and make sure it doesn't succeed
// repo2, err := client.NewNotaryRepository(tempBaseDir2, gun, ts.URL, http.DefaultTransport, oldPassphraseRetriever) err = cs2.ImportRootKey(strings.NewReader("this is not PEM"))
// assert.NoError(t, err, "error creating repo: %s", err) assert.EqualError(t, err, ErrNoValidPrivateKey.Error())
//
// rootKeyID2, err := repo2.KeyStoreManager.GenRootKey(data.ECDSAKey) // Should be able to unlock the root key with the old password
// assert.NoError(t, err, "error generating root key: %s", err) key, alias, err := cs2.GetPrivateKey(rootKeyID)
// assert.NoError(t, err, "could not unlock root key")
// err = repo2.Initialize(rootKeyID2) assert.Equal(t, "root", alias)
// assert.NoError(t, err, "error creating repository: %s", err) assert.Equal(t, rootKeyID, key.ID())
// }
// keyReader, err := os.Open(tempKeyFilePath)
// assert.NoError(t, err, "could not open key file") func TestImportExportRootKeyReencrypt(t *testing.T) {
// gun := "docker.com/notary"
// err = repo2.KeyStoreManager.ImportRootKey(keyReader)
// assert.NoError(t, err) // Temporary directory where test files will be created
// keyReader.Close() tempBaseDir, err := ioutil.TempDir("", "notary-test-")
// defer os.RemoveAll(tempBaseDir)
// // Look for repo's root key in repo2 assert.NoError(t, err, "failed to create a temporary directory: %s", err)
// // There should be a file named after the key ID of the root key we
// // imported. fileStore, err := trustmanager.NewKeyFileStore(filepath.Join(tempBaseDir, "private"), oldPassphraseRetriever)
// rootKeyFilename := rootKeyID + "_root.key" cs := NewCryptoService(gun, fileStore)
// _, err = os.Stat(filepath.Join(tempBaseDir2, "private", "root_keys", rootKeyFilename)) pubKey, err := cs.Create(data.CanonicalRootRole, data.ECDSAKey)
// assert.NoError(t, err, "missing root key") assert.NoError(t, err)
//
// // Try to import a decrypted version of the root key and make sure it rootKeyID := pubKey.ID()
// // doesn't succeed
// pemBytes, err := ioutil.ReadFile(tempKeyFilePath) tempKeyFile, err := ioutil.TempFile("", "notary-test-export-")
// assert.NoError(t, err, "could not read key file") tempKeyFilePath := tempKeyFile.Name()
// privKey, err := trustmanager.ParsePEMPrivateKey(pemBytes, oldPassphrase) defer os.Remove(tempKeyFilePath)
// assert.NoError(t, err, "could not decrypt key file")
// decryptedPEMBytes, err := trustmanager.KeyToPEM(privKey) err = cs.ExportRootKeyReencrypt(tempKeyFile, rootKeyID, newPassphraseRetriever)
// assert.NoError(t, err, "could not convert key to PEM") assert.NoError(t, err)
// tempKeyFile.Close()
// err = repo2.KeyStoreManager.ImportRootKey(bytes.NewReader(decryptedPEMBytes))
// assert.EqualError(t, err, keystoremanager.ErrRootKeyNotEncrypted.Error()) // Create new repo to test import
// tempBaseDir2, err := ioutil.TempDir("", "notary-test-")
// // Try to import garbage and make sure it doesn't succeed defer os.RemoveAll(tempBaseDir2)
// err = repo2.KeyStoreManager.ImportRootKey(strings.NewReader("this is not PEM")) assert.NoError(t, err, "failed to create a temporary directory: %s", err)
// assert.EqualError(t, err, keystoremanager.ErrNoValidPrivateKey.Error())
// fileStore2, err := trustmanager.NewKeyFileStore(filepath.Join(tempBaseDir2, "private"), newPassphraseRetriever)
// // Should be able to unlock the root key with the old password cs2 := NewCryptoService(gun, fileStore2)
// key, alias, err := repo2.KeyStoreManager.KeyStore.GetKey(rootKeyID)
// assert.NoError(t, err, "could not unlock root key") keyReader, err := os.Open(tempKeyFilePath)
// assert.Equal(t, "root", alias) assert.NoError(t, err, "could not open key file")
// assert.Equal(t, rootKeyID, key.ID())
//} err = cs2.ImportRootKey(keyReader)
// assert.NoError(t, err)
//func TestImportExportRootKeyReencrypt(t *testing.T) { keyReader.Close()
// gun := "docker.com/notary"
// // Look for repo's root key in repo2
// // Temporary directory where test files will be created // There should be a file named after the key ID of the root key we
// tempBaseDir, err := ioutil.TempDir("", "notary-test-") // imported.
// defer os.RemoveAll(tempBaseDir) rootKeyFilename := rootKeyID + "_root.key"
// _, err = os.Stat(filepath.Join(tempBaseDir2, "private", "root_keys", rootKeyFilename))
// assert.NoError(t, err, "failed to create a temporary directory: %s", err) assert.NoError(t, err, "missing root key")
//
// ts, _ := createTestServer(t) // Should be able to unlock the root key with the new password
// defer ts.Close() key, alias, err := cs2.GetPrivateKey(rootKeyID)
// assert.NoError(t, err, "could not unlock root key")
// repo, err := client.NewNotaryRepository(tempBaseDir, gun, ts.URL, http.DefaultTransport, oldPassphraseRetriever) assert.Equal(t, "root", alias)
// assert.NoError(t, err, "error creating repo: %s", err) assert.Equal(t, rootKeyID, key.ID())
// }
// rootKeyID, err := repo.KeyStoreManager.GenRootKey(data.ECDSAKey)
// assert.NoError(t, err, "error generating root key: %s", err)
//
// err = repo.Initialize(rootKeyID)
// assert.NoError(t, err, "error creating repository: %s", err)
//
// tempKeyFile, err := ioutil.TempFile("", "notary-test-export-")
// tempKeyFilePath := tempKeyFile.Name()
// defer os.Remove(tempKeyFilePath)
//
// err = repo.KeyStoreManager.ExportRootKeyReencrypt(tempKeyFile, rootKeyID, newPassphraseRetriever)
// assert.NoError(t, err)
// tempKeyFile.Close()
//
// // Create new repo to test import
// tempBaseDir2, err := ioutil.TempDir("", "notary-test-")
// defer os.RemoveAll(tempBaseDir2)
//
// assert.NoError(t, err, "failed to create a temporary directory: %s", err)
//
// repo2, err := client.NewNotaryRepository(tempBaseDir2, gun, ts.URL, http.DefaultTransport, newPassphraseRetriever)
// assert.NoError(t, err, "error creating repo: %s", err)
//
// rootKeyID2, err := repo2.KeyStoreManager.GenRootKey(data.ECDSAKey)
// assert.NoError(t, err, "error generating root key: %s", err)
//
// err = repo2.Initialize(rootKeyID2)
// assert.NoError(t, err, "error creating repository: %s", err)
//
// keyReader, err := os.Open(tempKeyFilePath)
// assert.NoError(t, err, "could not open key file")
//
// err = repo2.KeyStoreManager.ImportRootKey(keyReader)
// assert.NoError(t, err)
// keyReader.Close()
//
// // Look for repo's root key in repo2
// // There should be a file named after the key ID of the root key we
// // imported.
// rootKeyFilename := rootKeyID + "_root.key"
// _, err = os.Stat(filepath.Join(tempBaseDir2, "private", "root_keys", rootKeyFilename))
// assert.NoError(t, err, "missing root key")
//
// // Should be able to unlock the root key with the new password
// key, alias, err := repo2.KeyStoreManager.KeyStore.GetKey(rootKeyID)
// assert.NoError(t, err, "could not unlock root key")
// assert.Equal(t, "root", alias)
// assert.Equal(t, rootKeyID, key.ID())
//}

2
keystoremanager/keystoremanager.go
View File

@ -25,8 +25,6 @@ type KeyStoreManager struct {
const ( const (
trustDir = "trusted_certificates" trustDir = "trusted_certificates"
// PrivDir is the name of the private directory
PrivDir = "private"
rsaRootKeySize = 4096 // Used for new root keys rsaRootKeySize = 4096 // Used for new root keys
) )

867
keystoremanager/keystoremanager_test.go
View File

File diff suppressed because one or more lines are too long

3
signer/api/ecdsa_hardware_crypto_service.go
View File

@ -504,7 +504,8 @@ func (s *YubiKeyStore) AddKey(keyID, role string, privKey data.PrivateKey) error
if k, ok := s.keys[keyID]; ok { if k, ok := s.keys[keyID]; ok {
if k.role == role { if k.role == role {
// already have the key and it's associated with the correct role
return nil
} }
} }

9
trustmanager/keyfilestore.go
View File

@ -329,12 +329,17 @@ func encryptAndAddKey(s LimitedFileStore, passwd string, cachedKeys map[string]*
func importKey(s LimitedFileStore, passphraseRetriever passphrase.Retriever, cachedKeys map[string]*cachedKey, alias string, pemBytes []byte) error { func importKey(s LimitedFileStore, passphraseRetriever passphrase.Retriever, cachedKeys map[string]*cachedKey, alias string, pemBytes []byte) error {
if alias != data.CanonicalRootRole {
return s.Add(alias, pemBytes)
}
privKey, passphrase, err := GetPasswdDecryptBytes(passphraseRetriever, pemBytes, "imported", alias) privKey, passphrase, err := GetPasswdDecryptBytes(passphraseRetriever, pemBytes, "imported", alias)
if err != nil { if err != nil {
return err return err
} }
return encryptAndAddKey( var name string
s, passphrase, cachedKeys, privKey.ID(), alias, privKey) name = privKey.ID()
return encryptAndAddKey(s, passphrase, cachedKeys, name, alias, privKey)
} }