fixing tests

Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)
2015-11-05 16:05:09 -08:00 · 2015-11-05 16:05:09 -08:00 · b7c38f0287
parent 0fd1fa6ada
commit b7c38f0287
12 changed files with 886 additions and 919 deletions
--- a/client/repo.go
+++ b/client/repo.go
@ -7,6 +7,7 @@ import (
 	"net/http"
 	"path/filepath"

+	"github.com/docker/notary"
 	"github.com/docker/notary/cryptoservice"
 	"github.com/docker/notary/keystoremanager"
 	"github.com/docker/notary/passphrase"
@ -19,7 +20,7 @@ import (
 // (usually ~/.docker/trust/).
 func NewNotaryRepository(baseDir, gun, baseURL string, rt http.RoundTripper,
 	retriever passphrase.Retriever) (*NotaryRepository, error) {
-	keysPath := filepath.Join(baseDir, keystoremanager.PrivDir)
+	keysPath := filepath.Join(baseDir, notary.PrivDir)
 	fileKeyStore, err := trustmanager.NewKeyFileStore(keysPath, retriever)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create private key store in directory: %s", keysPath)
--- a/client/repo_pkcs11.go
+++ b/client/repo_pkcs11.go
@ -7,6 +7,7 @@ import (
 	"net/http"
 	"path/filepath"

+	"github.com/docker/notary"
 	"github.com/docker/notary/cryptoservice"
 	"github.com/docker/notary/keystoremanager"
 	"github.com/docker/notary/passphrase"
@ -21,7 +22,7 @@ import (
 func NewNotaryRepository(baseDir, gun, baseURL string, rt http.RoundTripper,
 	retriever passphrase.Retriever) (*NotaryRepository, error) {

-	keysPath := filepath.Join(baseDir, keystoremanager.PrivDir)
+	keysPath := filepath.Join(baseDir, notary.PrivDir)
 	fileKeyStore, err := trustmanager.NewKeyFileStore(keysPath, retriever)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create private key store in directory: %s", keysPath)
--- a/cmd/notary/cert.go
+++ b/cmd/notary/cert.go
@ -8,6 +8,7 @@ import (
 	"path/filepath"
 	"time"

+	"github.com/docker/notary"
 	"github.com/docker/notary/keystoremanager"
 	"github.com/docker/notary/trustmanager"

@ -56,7 +57,7 @@ func certRemove(cmd *cobra.Command, args []string) {

 	parseConfig()

-	keysPath := filepath.Join(trustDir, keystoremanager.PrivDir)
+	keysPath := filepath.Join(trustDir, notary.PrivDir)
 	fileKeyStore, err := trustmanager.NewKeyFileStore(keysPath, retriever)
 	if err != nil {
 		fatalf("failed to create private key store in directory: %s", keysPath)
@ -125,7 +126,7 @@ func certList(cmd *cobra.Command, args []string) {

 	parseConfig()

-	keysPath := filepath.Join(trustDir, keystoremanager.PrivDir)
+	keysPath := filepath.Join(trustDir, notary.PrivDir)
 	fileKeyStore, err := trustmanager.NewKeyFileStore(keysPath, retriever)
 	if err != nil {
 		fatalf("failed to create private key store in directory: %s", keysPath)
--- a/cmd/notary/keys.go
+++ b/cmd/notary/keys.go
@ -8,9 +8,9 @@ import (
 	"sort"
 	"strings"

+	"github.com/docker/notary"
 	notaryclient "github.com/docker/notary/client"
 	"github.com/docker/notary/cryptoservice"
-	"github.com/docker/notary/keystoremanager"
 	"github.com/docker/notary/passphrase"
 	"github.com/docker/notary/signer/api"
 	"github.com/docker/notary/trustmanager"
@ -115,7 +115,7 @@ func keysRemoveKey(cmd *cobra.Command, args []string) {

 	parseConfig()

-	keysPath := filepath.Join(trustDir, keystoremanager.PrivDir)
+	keysPath := filepath.Join(trustDir, notary.PrivDir)
 	fileKeyStore, err := trustmanager.NewKeyFileStore(keysPath, retriever)
 	if err != nil {
 		fatalf("failed to create private key store in directory: %s", keysPath)
@ -157,7 +157,7 @@ func keysList(cmd *cobra.Command, args []string) {

 	parseConfig()

-	keysPath := filepath.Join(trustDir, keystoremanager.PrivDir)
+	keysPath := filepath.Join(trustDir, notary.PrivDir)
 	fileKeyStore, err := trustmanager.NewKeyFileStore(keysPath, retriever)
 	if err != nil {
 		fatalf("failed to create private key store in directory: %s", keysPath)
@ -213,7 +213,7 @@ func keysGenerateRootKey(cmd *cobra.Command, args []string) {

 	parseConfig()

-	keysPath := filepath.Join(trustDir, keystoremanager.PrivDir)
+	keysPath := filepath.Join(trustDir, notary.PrivDir)
 	fileKeyStore, err := trustmanager.NewKeyFileStore(keysPath, retriever)
 	if err != nil {
 		fatalf("failed to create private key store in directory: %s", keysPath)
@ -225,7 +225,7 @@ func keysGenerateRootKey(cmd *cobra.Command, args []string) {
 		fatalf("failed to create a new root key: %v", err)
 	}

-	fmt.Printf("Generated new %s key with keyID: %s\n", algorithm, pubKey.ID())
+	fmt.Printf("Generated new %s root key with keyID: %s\n", algorithm, pubKey.ID())
 }

 // keysExport exports a collection of keys to a ZIP file
@ -239,7 +239,7 @@ func keysExport(cmd *cobra.Command, args []string) {

 	parseConfig()

-	keysPath := filepath.Join(trustDir, keystoremanager.PrivDir)
+	keysPath := filepath.Join(trustDir, notary.PrivDir)
 	fileKeyStore, err := trustmanager.NewKeyFileStore(keysPath, retriever)
 	if err != nil {
 		fatalf("failed to create private key store in directory: %s", keysPath)
@ -284,7 +284,7 @@ func keysExportRoot(cmd *cobra.Command, args []string) {

 	parseConfig()

-	keysPath := filepath.Join(trustDir, keystoremanager.PrivDir)
+	keysPath := filepath.Join(trustDir, notary.PrivDir)
 	fileKeyStore, err := trustmanager.NewKeyFileStore(keysPath, retriever)
 	if err != nil {
 		fatalf("failed to create private key store in directory: %s", keysPath)
@ -321,7 +321,7 @@ func keysImport(cmd *cobra.Command, args []string) {

 	parseConfig()

-	keysPath := filepath.Join(trustDir, keystoremanager.PrivDir)
+	keysPath := filepath.Join(trustDir, notary.PrivDir)
 	fileKeyStore, err := trustmanager.NewKeyFileStore(keysPath, retriever)
 	if err != nil {
 		fatalf("failed to create private key store in directory: %s", keysPath)
@ -352,7 +352,7 @@ func keysImportRoot(cmd *cobra.Command, args []string) {

 	parseConfig()

-	keysPath := filepath.Join(trustDir, keystoremanager.PrivDir)
+	keysPath := filepath.Join(trustDir, notary.PrivDir)
 	fileKeyStore, err := trustmanager.NewKeyFileStore(keysPath, retriever)
 	if err != nil {
 		fatalf("failed to create private key store in directory: %s", keysPath)
--- a/const.go
+++ b/const.go
@ -0,0 +1,6 @@
+package notary
+
+// application wide constants
+const (
+	PrivDir = "private"
+)
--- a/cryptoservice/crypto_service.go
+++ b/cryptoservice/crypto_service.go
@ -57,10 +57,10 @@ func (cs *CryptoService) Create(role, algorithm string) (data.PublicKey, error)
 	if role == data.CanonicalRootRole {
 		keyPath = privKey.ID()
 	} else {
-		keyPath = filepath.Join(ccs.gun, privKey.ID())
+		keyPath = filepath.Join(cs.gun, privKey.ID())
 	}

-	for _, ks := range ccs.keyStores {
+	for _, ks := range cs.keyStores {
 		err = ks.AddKey(keyPath, role, privKey)
 		if err == nil {
 			return data.PublicKeyFromPrivate(privKey), nil
@ -77,11 +77,11 @@ func (cs *CryptoService) Create(role, algorithm string) (data.PublicKey, error)
 // without a GUN (in which case it's a root key).  If that fails, try to get
 // the key with the GUN (non-root key).
 // If that fails, then we don't have the key.
-func (ccs *CryptoService) GetPrivateKey(keyID string) (k data.PrivateKey, id string, err error) {
-	keyPaths := []string{keyID, filepath.Join(ccs.gun, keyID)}
-	for _, ks := range ccs.keyStores {
+func (cs *CryptoService) GetPrivateKey(keyID string) (k data.PrivateKey, role string, err error) {
+	keyPaths := []string{keyID, filepath.Join(cs.gun, keyID)}
+	for _, ks := range cs.keyStores {
 		for _, keyPath := range keyPaths {
-			k, id, err = ks.GetKey(keyPath)
+			k, role, err = ks.GetKey(keyPath)
 			if err != nil {
 				continue
 			}
@ -92,8 +92,8 @@ func (ccs *CryptoService) GetPrivateKey(keyID string) (k data.PrivateKey, id str
 }

 // GetKey returns a key by ID
-func (ccs *CryptoService) GetKey(keyID string) data.PublicKey {
-	privKey, _, err := ccs.GetPrivateKey(keyID)
+func (cs *CryptoService) GetKey(keyID string) data.PublicKey {
+	privKey, _, err := cs.GetPrivateKey(keyID)
 	if err != nil {
 		return nil
 	}
@ -101,9 +101,9 @@ func (ccs *CryptoService) GetKey(keyID string) data.PublicKey {
 }

 // RemoveKey deletes a key by ID
-func (ccs *CryptoService) RemoveKey(keyID string) (err error) {
-	keyPaths := []string{keyID, filepath.Join(ccs.gun, keyID)}
-	for _, ks := range ccs.keyStores {
+func (cs *CryptoService) RemoveKey(keyID string) (err error) {
+	keyPaths := []string{keyID, filepath.Join(cs.gun, keyID)}
+	for _, ks := range cs.keyStores {
 		for _, keyPath := range keyPaths {
 			_, _, err = ks.GetKey(keyPath)
 			if err != nil {
@ -124,7 +124,7 @@ func (cs *CryptoService) Sign(keyIDs []string, payload []byte) ([]data.Signature
 	for _, keyid := range keyIDs {
 		keyName := keyid

-		privKey, _, err := ccs.GetPrivateKey(keyName)
+		privKey, _, err := cs.GetPrivateKey(keyName)
 		if err != nil {
 			logrus.Debugf("error attempting to retrieve private key: %s, %v", keyid, err)
 			continue
--- a/cryptoservice/import_export.go
+++ b/cryptoservice/import_export.go
@ -11,7 +11,7 @@ import (
 	"path/filepath"
 	"strings"

-	"github.com/docker/notary/keystoremanager"
+	"github.com/docker/notary"
 	"github.com/docker/notary/passphrase"
 	"github.com/docker/notary/trustmanager"
 )
@ -72,7 +72,7 @@ func (cs *CryptoService) ExportRootKeyReencrypt(dest io.Writer, keyID string, ne
 	tempBaseDir, err := ioutil.TempDir("", "notary-key-export-")
 	defer os.RemoveAll(tempBaseDir)

-	tempKeysPath := filepath.Join(tempBaseDir, keystoremanager.PrivDir)
+	tempKeysPath := filepath.Join(tempBaseDir, notary.PrivDir)
 	tempKeyStore, err := trustmanager.NewKeyFileStore(tempKeysPath, newPassphraseRetriever)
 	if err != nil {
 		return err
@ -127,7 +127,7 @@ func (cs *CryptoService) ExportAllKeys(dest io.Writer, newPassphraseRetriever pa
 	defer os.RemoveAll(tempBaseDir)

 	// Create temporary keystore to use as a staging area
-	tempKeysPath := filepath.Join(tempBaseDir, keystoremanager.PrivDir)
+	tempKeysPath := filepath.Join(tempBaseDir, notary.PrivDir)
 	tempKeyStore, err := trustmanager.NewKeyFileStore(tempKeysPath, newPassphraseRetriever)
 	if err != nil {
 		return err
@ -141,7 +141,7 @@ func (cs *CryptoService) ExportAllKeys(dest io.Writer, newPassphraseRetriever pa

 	zipWriter := zip.NewWriter(dest)

-	if err := addKeysToArchive(zipWriter, tempKeyStore, keystoremanager.PrivDir); err != nil {
+	if err := addKeysToArchive(zipWriter, tempKeyStore, notary.PrivDir); err != nil {
 		return err
 	}

@ -176,13 +176,13 @@ func (cs *CryptoService) ImportKeysZip(zipReader zip.Reader) error {

 		// Note that using / as a separator is okay here - the zip
 		// package guarantees that the separator will be /
-		if strings.HasPrefix(fNameTrimmed, keystoremanager.PrivDir) {
+		if strings.HasPrefix(fNameTrimmed, notary.PrivDir) {
 			if fNameTrimmed[len(fNameTrimmed)-5:] == "_root" {
 				if err = checkRootKeyIsEncrypted(fileBytes); err != nil {
 					return err
 				}
 			}
-			keyName := strings.TrimPrefix(fNameTrimmed, keystoremanager.PrivDir)
+			keyName := strings.TrimPrefix(fNameTrimmed, notary.PrivDir)
 			newKeys[keyName] = fileBytes
 		} else {
 			// This path inside the zip archive doesn't look like a
@ -194,9 +194,11 @@ func (cs *CryptoService) ImportKeysZip(zipReader zip.Reader) error {
 	}

 	for keyName, pemBytes := range newKeys {
-		parts := strings.Split(keyName, "_")
+		if keyName[len(keyName)-5:] == "_root" {
+			keyName = "root"
+		}
 		for _, ks := range cs.keyStores {
-			if err := ks.ImportKey(pemBytes, parts[1]); err != nil {
+			if err := ks.ImportKey(pemBytes, keyName); err != nil {
 				return err
 			}
 		}
@ -213,7 +215,7 @@ func (cs *CryptoService) ExportKeysByGUN(dest io.Writer, gun string, passphraseR
 	defer os.RemoveAll(tempBaseDir)

 	// Create temporary keystore to use as a staging area
-	tempKeysPath := filepath.Join(tempBaseDir, keystoremanager.PrivDir)
+	tempKeysPath := filepath.Join(tempBaseDir, notary.PrivDir)
 	tempKeyStore, err := trustmanager.NewKeyFileStore(tempKeysPath, passphraseRetriever)
 	if err != nil {
 		return err
@ -231,7 +233,7 @@ func (cs *CryptoService) ExportKeysByGUN(dest io.Writer, gun string, passphraseR
 		return ErrNoKeysFoundForGUN
 	}

-	if err := addKeysToArchive(zipWriter, tempKeyStore, keystoremanager.PrivDir); err != nil {
+	if err := addKeysToArchive(zipWriter, tempKeyStore, notary.PrivDir); err != nil {
 		return err
 	}

--- a/cryptoservice/import_export_test.go
+++ b/cryptoservice/import_export_test.go
@ -1,447 +1,398 @@
 package cryptoservice

-//import (
-//	"archive/zip"
-//	"bytes"
-//	"fmt"
-//	"io/ioutil"
-//	"net/http"
-//	"net/http/httptest"
-//	"os"
-//	"path/filepath"
-//	"strings"
-//	"testing"
-//
-//	"github.com/docker/notary/client"
-//	"github.com/docker/notary/keystoremanager"
-//	"github.com/docker/notary/trustmanager"
-//	"github.com/docker/notary/tuf/data"
-//	"github.com/stretchr/testify/assert"
-//)
-//
-//const timestampECDSAKeyJSON = `
-//{"keytype":"ecdsa","keyval":{"public":"MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEgl3rzMPMEKhS1k/AX16MM4PdidpjJr+z4pj0Td+30QnpbOIARgpyR1PiFztU8BZlqG3cUazvFclr2q/xHvfrqw==","private":"MHcCAQEEIDqtcdzU7H3AbIPSQaxHl9+xYECt7NpK7B1+6ep5cv9CoAoGCCqGSM49AwEHoUQDQgAEgl3rzMPMEKhS1k/AX16MM4PdidpjJr+z4pj0Td+30QnpbOIARgpyR1PiFztU8BZlqG3cUazvFclr2q/xHvfrqw=="}}`
-//
-//func createTestServer(t *testing.T) (*httptest.Server, *http.ServeMux) {
-//	mux := http.NewServeMux()
-//	// TUF will request /v2/docker.com/notary/_trust/tuf/timestamp.key
-//	// Return a canned timestamp.key
-//	mux.HandleFunc("/v2/docker.com/notary/_trust/tuf/timestamp.key", func(w http.ResponseWriter, r *http.Request) {
-//		// Also contains the private key, but for the purpose of this
-//		// test, we don't care
-//		fmt.Fprint(w, timestampECDSAKeyJSON)
-//	})
-//
-//	ts := httptest.NewServer(mux)
-//
-//	return ts, mux
-//}
-//
-//var oldPassphrase = "oldPassphrase"
-//var exportPassphrase = "exportPassphrase"
-//var oldPassphraseRetriever = func(string, string, bool, int) (string, bool, error) { return oldPassphrase, false, nil }
-//var newPassphraseRetriever = func(string, string, bool, int) (string, bool, error) { return exportPassphrase, false, nil }
-//
-//func TestImportExportZip(t *testing.T) {
-//	gun := "docker.com/notary"
-//
-//	// Temporary directory where test files will be created
-//	tempBaseDir, err := ioutil.TempDir("", "notary-test-")
-//	defer os.RemoveAll(tempBaseDir)
-//
-//	assert.NoError(t, err, "failed to create a temporary directory: %s", err)
-//
-//	ts, _ := createTestServer(t)
-//	defer ts.Close()
-//
-//	repo, err := client.NewNotaryRepository(tempBaseDir, gun, ts.URL, http.DefaultTransport, oldPassphraseRetriever)
-//	assert.NoError(t, err, "error creating repo: %s", err)
-//
-//	rootKeyID, err := repo.KeyStoreManager.GenRootKey(data.ECDSAKey)
-//	assert.NoError(t, err, "error generating root key: %s", err)
-//
-//	err = repo.Initialize(rootKeyID)
-//	assert.NoError(t, err, "error creating repository: %s", err)
-//
-//	tempZipFile, err := ioutil.TempFile("", "notary-test-export-")
-//	tempZipFilePath := tempZipFile.Name()
-//	defer os.Remove(tempZipFilePath)
-//
-//	err = repo.KeyStoreManager.ExportAllKeys(tempZipFile, newPassphraseRetriever)
-//	tempZipFile.Close()
-//	assert.NoError(t, err)
-//
-//	// Reopen the zip file for importing
-//	zipReader, err := zip.OpenReader(tempZipFilePath)
-//	assert.NoError(t, err, "could not open zip file")
-//
-//	// Map of files to expect in the zip file, with the passphrases
-//	passphraseByFile := make(map[string]string)
-//
-//	// Add non-root keys to the map. These should use the new passphrase
-//	// because the passwords were chosen by the newPassphraseRetriever.
-//	privKeyMap := repo.KeyStoreManager.KeyStore.ListKeys()
-//	for privKeyName := range privKeyMap {
-//		_, alias, err := repo.KeyStoreManager.KeyStore.GetKey(privKeyName)
-//		assert.NoError(t, err, "privKey %s has no alias", privKeyName)
-//
-//		if alias == "root" {
-//			continue
-//		}
-//		relKeyPath := filepath.Join("private", "tuf_keys", privKeyName+"_"+alias+".key")
-//		passphraseByFile[relKeyPath] = exportPassphrase
-//	}
-//
-//	// Add root key to the map. This will use the export passphrase because it
-//	// will be reencrypted.
-//	relRootKey := filepath.Join("private", "root_keys", rootKeyID+"_root.key")
-//	passphraseByFile[relRootKey] = exportPassphrase
-//
-//	// Iterate through the files in the archive, checking that the files
-//	// exist and are encrypted with the expected passphrase.
-//	for _, f := range zipReader.File {
-//		expectedPassphrase, present := passphraseByFile[f.Name]
-//		if !present {
-//			t.Fatalf("unexpected file %s in zip file", f.Name)
-//		}
-//
-//		delete(passphraseByFile, f.Name)
-//
-//		rc, err := f.Open()
-//		assert.NoError(t, err, "could not open file inside zip archive")
-//
-//		pemBytes, err := ioutil.ReadAll(rc)
-//		assert.NoError(t, err, "could not read file from zip")
-//
-//		_, err = trustmanager.ParsePEMPrivateKey(pemBytes, expectedPassphrase)
-//		assert.NoError(t, err, "PEM not encrypted with the expected passphrase")
-//
-//		rc.Close()
-//	}
-//
-//	zipReader.Close()
-//
-//	// Are there any keys that didn't make it to the zip?
-//	for fileNotFound := range passphraseByFile {
-//		t.Fatalf("%s not found in zip", fileNotFound)
-//	}
-//
-//	// Create new repo to test import
-//	tempBaseDir2, err := ioutil.TempDir("", "notary-test-")
-//	defer os.RemoveAll(tempBaseDir2)
-//
-//	assert.NoError(t, err, "failed to create a temporary directory: %s", err)
-//
-//	repo2, err := client.NewNotaryRepository(tempBaseDir2, gun, ts.URL, http.DefaultTransport, newPassphraseRetriever)
-//	assert.NoError(t, err, "error creating repo: %s", err)
-//
-//	rootKeyID2, err := repo2.KeyStoreManager.GenRootKey(data.ECDSAKey)
-//	assert.NoError(t, err, "error generating root key: %s", err)
-//
-//	err = repo2.Initialize(rootKeyID2)
-//	assert.NoError(t, err, "error creating repository: %s", err)
-//
-//	// Reopen the zip file for importing
-//	zipReader, err = zip.OpenReader(tempZipFilePath)
-//	assert.NoError(t, err, "could not open zip file")
-//
-//	// Now try with a valid passphrase. This time it should succeed.
-//	err = repo2.KeyStoreManager.ImportKeysZip(zipReader.Reader)
-//	assert.NoError(t, err)
-//	zipReader.Close()
-//
-//	// Look for keys in private. The filenames should match the key IDs
-//	// in the repo's private key store.
-//	for privKeyName := range privKeyMap {
-//		_, alias, err := repo.KeyStoreManager.KeyStore.GetKey(privKeyName)
-//		assert.NoError(t, err, "privKey %s has no alias", privKeyName)
-//
-//		if alias == "root" {
-//			continue
-//		}
-//		relKeyPath := filepath.Join("private", "tuf_keys", privKeyName+"_"+alias+".key")
-//		privKeyFileName := filepath.Join(tempBaseDir2, relKeyPath)
-//		_, err = os.Stat(privKeyFileName)
-//		assert.NoError(t, err, "missing private key: %s", privKeyName)
-//	}
-//
-//	// Look for keys in root_keys
-//	// There should be a file named after the key ID of the root key we
-//	// passed in.
-//	rootKeyFilename := rootKeyID + "_root.key"
-//	_, err = os.Stat(filepath.Join(tempBaseDir2, "private", "root_keys", rootKeyFilename))
-//	assert.NoError(t, err, "missing root key")
-//}
-//
-//func TestImportExportGUN(t *testing.T) {
-//	gun := "docker.com/notary"
-//
-//	// Temporary directory where test files will be created
-//	tempBaseDir, err := ioutil.TempDir("", "notary-test-")
-//	defer os.RemoveAll(tempBaseDir)
-//
-//	assert.NoError(t, err, "failed to create a temporary directory: %s", err)
-//
-//	ts, _ := createTestServer(t)
-//	defer ts.Close()
-//
-//	repo, err := client.NewNotaryRepository(tempBaseDir, gun, ts.URL, http.DefaultTransport, oldPassphraseRetriever)
-//	assert.NoError(t, err, "error creating repo: %s", err)
-//
-//	rootKeyID, err := repo.KeyStoreManager.GenRootKey(data.ECDSAKey)
-//	assert.NoError(t, err, "error generating root key: %s", err)
-//
-//	err = repo.Initialize(rootKeyID)
-//	assert.NoError(t, err, "error creating repository: %s", err)
-//
-//	tempZipFile, err := ioutil.TempFile("", "notary-test-export-")
-//	tempZipFilePath := tempZipFile.Name()
-//	defer os.Remove(tempZipFilePath)
-//
-//	err = repo.KeyStoreManager.ExportKeysByGUN(tempZipFile, gun, newPassphraseRetriever)
-//	assert.NoError(t, err)
-//
-//	// With an invalid GUN, this should return an error
-//	err = repo.KeyStoreManager.ExportKeysByGUN(tempZipFile, "does.not.exist/in/repository", newPassphraseRetriever)
-//	assert.EqualError(t, err, keystoremanager.ErrNoKeysFoundForGUN.Error())
-//
-//	tempZipFile.Close()
-//
-//	// Reopen the zip file for importing
-//	zipReader, err := zip.OpenReader(tempZipFilePath)
-//	assert.NoError(t, err, "could not open zip file")
-//
-//	// Map of files to expect in the zip file, with the passphrases
-//	passphraseByFile := make(map[string]string)
-//
-//	// Add keys non-root keys to the map. These should use the new passphrase
-//	// because they were formerly unencrypted.
-//	privKeyMap := repo.KeyStoreManager.KeyStore.ListKeys()
-//	for privKeyName := range privKeyMap {
-//		_, alias, err := repo.KeyStoreManager.KeyStore.GetKey(privKeyName)
-//		if err != nil {
-//			t.Fatalf("privKey %s has no alias", privKeyName)
-//		}
-//		if alias == "root" {
-//			continue
-//		}
-//		relKeyPath := filepath.Join("private", "tuf_keys", privKeyName+"_"+alias+".key")
-//
-//		passphraseByFile[relKeyPath] = exportPassphrase
-//	}
-//
-//	// Iterate through the files in the archive, checking that the files
-//	// exist and are encrypted with the expected passphrase.
-//	for _, f := range zipReader.File {
-//
-//		expectedPassphrase, present := passphraseByFile[f.Name]
-//		if !present {
-//			t.Fatalf("unexpected file %s in zip file", f.Name)
-//		}
-//
-//		delete(passphraseByFile, f.Name)
-//
-//		rc, err := f.Open()
-//		assert.NoError(t, err, "could not open file inside zip archive")
-//
-//		pemBytes, err := ioutil.ReadAll(rc)
-//		assert.NoError(t, err, "could not read file from zip")
-//
-//		_, err = trustmanager.ParsePEMPrivateKey(pemBytes, expectedPassphrase)
-//		assert.NoError(t, err, "PEM not encrypted with the expected passphrase")
-//
-//		rc.Close()
-//	}
-//
-//	zipReader.Close()
-//
-//	// Are there any keys that didn't make it to the zip?
-//	for fileNotFound := range passphraseByFile {
-//		t.Fatalf("%s not found in zip", fileNotFound)
-//	}
-//
-//	// Create new repo to test import
-//	tempBaseDir2, err := ioutil.TempDir("", "notary-test-")
-//	defer os.RemoveAll(tempBaseDir2)
-//
-//	assert.NoError(t, err, "failed to create a temporary directory: %s", err)
-//
-//	repo2, err := client.NewNotaryRepository(tempBaseDir2, gun, ts.URL, http.DefaultTransport, oldPassphraseRetriever)
-//	assert.NoError(t, err, "error creating repo: %s", err)
-//
-//	rootKeyID2, err := repo2.KeyStoreManager.GenRootKey(data.ECDSAKey)
-//	assert.NoError(t, err, "error generating root key: %s", err)
-//
-//	err = repo2.Initialize(rootKeyID2)
-//	assert.NoError(t, err, "error creating repository: %s", err)
-//
-//	// Reopen the zip file for importing
-//	zipReader, err = zip.OpenReader(tempZipFilePath)
-//	assert.NoError(t, err, "could not open zip file")
-//
-//	// Now try with a valid passphrase. This time it should succeed.
-//	err = repo2.KeyStoreManager.ImportKeysZip(zipReader.Reader)
-//	assert.NoError(t, err)
-//	zipReader.Close()
-//
-//	// Look for keys in private. The filenames should match the key IDs
-//	// in the repo's private key store.
-//	for privKeyName := range privKeyMap {
-//		_, alias, err := repo.KeyStoreManager.KeyStore.GetKey(privKeyName)
-//		if err != nil {
-//			t.Fatalf("privKey %s has no alias", privKeyName)
-//		}
-//		if alias == "root" {
-//			continue
-//		}
-//		relKeyPath := filepath.Join("private", "tuf_keys", privKeyName+"_"+alias+".key")
-//		privKeyFileName := filepath.Join(tempBaseDir2, relKeyPath)
-//		_, err = os.Stat(privKeyFileName)
-//	}
-//}
-//
-//func TestImportExportRootKey(t *testing.T) {
-//	gun := "docker.com/notary"
-//
-//	// Temporary directory where test files will be created
-//	tempBaseDir, err := ioutil.TempDir("", "notary-test-")
-//	defer os.RemoveAll(tempBaseDir)
-//
-//	assert.NoError(t, err, "failed to create a temporary directory: %s", err)
-//
-//	ts, _ := createTestServer(t)
-//	defer ts.Close()
-//
-//	repo, err := client.NewNotaryRepository(tempBaseDir, gun, ts.URL, http.DefaultTransport, oldPassphraseRetriever)
-//	assert.NoError(t, err, "error creating repo: %s", err)
-//
-//	rootKeyID, err := repo.KeyStoreManager.GenRootKey(data.ECDSAKey)
-//	assert.NoError(t, err, "error generating root key: %s", err)
-//
-//	err = repo.Initialize(rootKeyID)
-//	assert.NoError(t, err, "error creating repository: %s", err)
-//
-//	tempKeyFile, err := ioutil.TempFile("", "notary-test-export-")
-//	tempKeyFilePath := tempKeyFile.Name()
-//	defer os.Remove(tempKeyFilePath)
-//
-//	err = repo.KeyStoreManager.ExportRootKey(tempKeyFile, rootKeyID)
-//	assert.NoError(t, err)
-//	tempKeyFile.Close()
-//
-//	// Create new repo to test import
-//	tempBaseDir2, err := ioutil.TempDir("", "notary-test-")
-//	defer os.RemoveAll(tempBaseDir2)
-//
-//	assert.NoError(t, err, "failed to create a temporary directory: %s", err)
-//
-//	repo2, err := client.NewNotaryRepository(tempBaseDir2, gun, ts.URL, http.DefaultTransport, oldPassphraseRetriever)
-//	assert.NoError(t, err, "error creating repo: %s", err)
-//
-//	rootKeyID2, err := repo2.KeyStoreManager.GenRootKey(data.ECDSAKey)
-//	assert.NoError(t, err, "error generating root key: %s", err)
-//
-//	err = repo2.Initialize(rootKeyID2)
-//	assert.NoError(t, err, "error creating repository: %s", err)
-//
-//	keyReader, err := os.Open(tempKeyFilePath)
-//	assert.NoError(t, err, "could not open key file")
-//
-//	err = repo2.KeyStoreManager.ImportRootKey(keyReader)
-//	assert.NoError(t, err)
-//	keyReader.Close()
-//
-//	// Look for repo's root key in repo2
-//	// There should be a file named after the key ID of the root key we
-//	// imported.
-//	rootKeyFilename := rootKeyID + "_root.key"
-//	_, err = os.Stat(filepath.Join(tempBaseDir2, "private", "root_keys", rootKeyFilename))
-//	assert.NoError(t, err, "missing root key")
-//
-//	// Try to import a decrypted version of the root key and make sure it
-//	// doesn't succeed
-//	pemBytes, err := ioutil.ReadFile(tempKeyFilePath)
-//	assert.NoError(t, err, "could not read key file")
-//	privKey, err := trustmanager.ParsePEMPrivateKey(pemBytes, oldPassphrase)
-//	assert.NoError(t, err, "could not decrypt key file")
-//	decryptedPEMBytes, err := trustmanager.KeyToPEM(privKey)
-//	assert.NoError(t, err, "could not convert key to PEM")
-//
-//	err = repo2.KeyStoreManager.ImportRootKey(bytes.NewReader(decryptedPEMBytes))
-//	assert.EqualError(t, err, keystoremanager.ErrRootKeyNotEncrypted.Error())
-//
-//	// Try to import garbage and make sure it doesn't succeed
-//	err = repo2.KeyStoreManager.ImportRootKey(strings.NewReader("this is not PEM"))
-//	assert.EqualError(t, err, keystoremanager.ErrNoValidPrivateKey.Error())
-//
-//	// Should be able to unlock the root key with the old password
-//	key, alias, err := repo2.KeyStoreManager.KeyStore.GetKey(rootKeyID)
-//	assert.NoError(t, err, "could not unlock root key")
-//	assert.Equal(t, "root", alias)
-//	assert.Equal(t, rootKeyID, key.ID())
-//}
-//
-//func TestImportExportRootKeyReencrypt(t *testing.T) {
-//	gun := "docker.com/notary"
-//
-//	// Temporary directory where test files will be created
-//	tempBaseDir, err := ioutil.TempDir("", "notary-test-")
-//	defer os.RemoveAll(tempBaseDir)
-//
-//	assert.NoError(t, err, "failed to create a temporary directory: %s", err)
-//
-//	ts, _ := createTestServer(t)
-//	defer ts.Close()
-//
-//	repo, err := client.NewNotaryRepository(tempBaseDir, gun, ts.URL, http.DefaultTransport, oldPassphraseRetriever)
-//	assert.NoError(t, err, "error creating repo: %s", err)
-//
-//	rootKeyID, err := repo.KeyStoreManager.GenRootKey(data.ECDSAKey)
-//	assert.NoError(t, err, "error generating root key: %s", err)
-//
-//	err = repo.Initialize(rootKeyID)
-//	assert.NoError(t, err, "error creating repository: %s", err)
-//
-//	tempKeyFile, err := ioutil.TempFile("", "notary-test-export-")
-//	tempKeyFilePath := tempKeyFile.Name()
-//	defer os.Remove(tempKeyFilePath)
-//
-//	err = repo.KeyStoreManager.ExportRootKeyReencrypt(tempKeyFile, rootKeyID, newPassphraseRetriever)
-//	assert.NoError(t, err)
-//	tempKeyFile.Close()
-//
-//	// Create new repo to test import
-//	tempBaseDir2, err := ioutil.TempDir("", "notary-test-")
-//	defer os.RemoveAll(tempBaseDir2)
-//
-//	assert.NoError(t, err, "failed to create a temporary directory: %s", err)
-//
-//	repo2, err := client.NewNotaryRepository(tempBaseDir2, gun, ts.URL, http.DefaultTransport, newPassphraseRetriever)
-//	assert.NoError(t, err, "error creating repo: %s", err)
-//
-//	rootKeyID2, err := repo2.KeyStoreManager.GenRootKey(data.ECDSAKey)
-//	assert.NoError(t, err, "error generating root key: %s", err)
-//
-//	err = repo2.Initialize(rootKeyID2)
-//	assert.NoError(t, err, "error creating repository: %s", err)
-//
-//	keyReader, err := os.Open(tempKeyFilePath)
-//	assert.NoError(t, err, "could not open key file")
-//
-//	err = repo2.KeyStoreManager.ImportRootKey(keyReader)
-//	assert.NoError(t, err)
-//	keyReader.Close()
-//
-//	// Look for repo's root key in repo2
-//	// There should be a file named after the key ID of the root key we
-//	// imported.
-//	rootKeyFilename := rootKeyID + "_root.key"
-//	_, err = os.Stat(filepath.Join(tempBaseDir2, "private", "root_keys", rootKeyFilename))
-//	assert.NoError(t, err, "missing root key")
-//
-//	// Should be able to unlock the root key with the new password
-//	key, alias, err := repo2.KeyStoreManager.KeyStore.GetKey(rootKeyID)
-//	assert.NoError(t, err, "could not unlock root key")
-//	assert.Equal(t, "root", alias)
-//	assert.Equal(t, rootKeyID, key.ID())
-//}
+import (
+	"archive/zip"
+	"bytes"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"net/http/httptest"
+	"os"
+	"path/filepath"
+	"strings"
+	"testing"
+
+	"github.com/docker/notary/trustmanager"
+	"github.com/docker/notary/tuf/data"
+	"github.com/stretchr/testify/assert"
+)
+
+const timestampECDSAKeyJSON = `
+{"keytype":"ecdsa","keyval":{"public":"MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEgl3rzMPMEKhS1k/AX16MM4PdidpjJr+z4pj0Td+30QnpbOIARgpyR1PiFztU8BZlqG3cUazvFclr2q/xHvfrqw==","private":"MHcCAQEEIDqtcdzU7H3AbIPSQaxHl9+xYECt7NpK7B1+6ep5cv9CoAoGCCqGSM49AwEHoUQDQgAEgl3rzMPMEKhS1k/AX16MM4PdidpjJr+z4pj0Td+30QnpbOIARgpyR1PiFztU8BZlqG3cUazvFclr2q/xHvfrqw=="}}`
+
+func createTestServer(t *testing.T) (*httptest.Server, *http.ServeMux) {
+	mux := http.NewServeMux()
+	// TUF will request /v2/docker.com/notary/_trust/tuf/timestamp.key
+	// Return a canned timestamp.key
+	mux.HandleFunc("/v2/docker.com/notary/_trust/tuf/timestamp.key", func(w http.ResponseWriter, r *http.Request) {
+		// Also contains the private key, but for the purpose of this
+		// test, we don't care
+		fmt.Fprint(w, timestampECDSAKeyJSON)
+	})
+
+	ts := httptest.NewServer(mux)
+
+	return ts, mux
+}
+
+var oldPassphrase = "oldPassphrase"
+var exportPassphrase = "exportPassphrase"
+var oldPassphraseRetriever = func(string, string, bool, int) (string, bool, error) { return oldPassphrase, false, nil }
+var newPassphraseRetriever = func(string, string, bool, int) (string, bool, error) { return exportPassphrase, false, nil }
+
+func TestImportExportZip(t *testing.T) {
+	gun := "docker.com/notary"
+
+	// Temporary directory where test files will be created
+	tempBaseDir, err := ioutil.TempDir("", "notary-test-")
+	defer os.RemoveAll(tempBaseDir)
+	assert.NoError(t, err, "failed to create a temporary directory: %s", err)
+
+	fileStore, err := trustmanager.NewKeyFileStore(filepath.Join(tempBaseDir, "private"), newPassphraseRetriever)
+	cs := NewCryptoService(gun, fileStore)
+	pubKey, err := cs.Create(data.CanonicalRootRole, data.ECDSAKey)
+	assert.NoError(t, err)
+
+	rootKeyID := pubKey.ID()
+
+	tempZipFile, err := ioutil.TempFile("", "notary-test-export-")
+	tempZipFilePath := tempZipFile.Name()
+	defer os.Remove(tempZipFilePath)
+
+	err = cs.ExportAllKeys(tempZipFile, newPassphraseRetriever)
+	tempZipFile.Close()
+	assert.NoError(t, err)
+
+	// Reopen the zip file for importing
+	zipReader, err := zip.OpenReader(tempZipFilePath)
+	assert.NoError(t, err, "could not open zip file")
+
+	// Map of files to expect in the zip file, with the passphrases
+	passphraseByFile := make(map[string]string)
+
+	// Add non-root keys to the map. These should use the new passphrase
+	// because the passwords were chosen by the newPassphraseRetriever.
+	privKeyMap := cs.ListAllKeys()
+	for privKeyName := range privKeyMap {
+		_, alias, err := cs.GetPrivateKey(privKeyName)
+		assert.NoError(t, err, "privKey %s has no alias", privKeyName)
+
+		if alias == "root" {
+			continue
+		}
+		relKeyPath := filepath.Join("private", "tuf_keys", privKeyName+"_"+alias+".key")
+		passphraseByFile[relKeyPath] = exportPassphrase
+	}
+
+	// Add root key to the map. This will use the export passphrase because it
+	// will be reencrypted.
+	relRootKey := filepath.Join("private", "root_keys", rootKeyID+"_root.key")
+	passphraseByFile[relRootKey] = exportPassphrase
+
+	// Iterate through the files in the archive, checking that the files
+	// exist and are encrypted with the expected passphrase.
+	for _, f := range zipReader.File {
+		expectedPassphrase, present := passphraseByFile[f.Name]
+		if !present {
+			t.Fatalf("unexpected file %s in zip file", f.Name)
+		}
+
+		delete(passphraseByFile, f.Name)
+
+		rc, err := f.Open()
+		assert.NoError(t, err, "could not open file inside zip archive")
+
+		pemBytes, err := ioutil.ReadAll(rc)
+		assert.NoError(t, err, "could not read file from zip")
+
+		_, err = trustmanager.ParsePEMPrivateKey(pemBytes, expectedPassphrase)
+		assert.NoError(t, err, "PEM not encrypted with the expected passphrase")
+
+		rc.Close()
+	}
+
+	zipReader.Close()
+
+	// Are there any keys that didn't make it to the zip?
+	for fileNotFound := range passphraseByFile {
+		t.Fatalf("%s not found in zip", fileNotFound)
+	}
+
+	// Create new repo to test import
+	tempBaseDir2, err := ioutil.TempDir("", "notary-test-")
+	defer os.RemoveAll(tempBaseDir2)
+	assert.NoError(t, err, "failed to create a temporary directory: %s", err)
+
+	fileStore2, err := trustmanager.NewKeyFileStore(filepath.Join(tempBaseDir2, "private"), newPassphraseRetriever)
+	assert.NoError(t, err)
+	cs2 := NewCryptoService(gun, fileStore2)
+
+	// Reopen the zip file for importing
+	zipReader, err = zip.OpenReader(tempZipFilePath)
+	assert.NoError(t, err, "could not open zip file")
+
+	// Now try with a valid passphrase. This time it should succeed.
+	err = cs2.ImportKeysZip(zipReader.Reader)
+	assert.NoError(t, err)
+	zipReader.Close()
+
+	// Look for keys in private. The filenames should match the key IDs
+	// in the repo's private key store.
+	for privKeyName := range privKeyMap {
+		_, alias, err := cs2.GetPrivateKey(privKeyName)
+		assert.NoError(t, err, "privKey %s has no alias", privKeyName)
+
+		if alias == "root" {
+			continue
+		}
+		relKeyPath := filepath.Join("private", "tuf_keys", privKeyName+"_"+alias+".key")
+		privKeyFileName := filepath.Join(tempBaseDir2, relKeyPath)
+		_, err = os.Stat(privKeyFileName)
+		assert.NoError(t, err, "missing private key for role %s: %s", alias, privKeyName)
+	}
+
+	// Look for keys in root_keys
+	// There should be a file named after the key ID of the root key we
+	// passed in.
+	rootKeyFilename := rootKeyID + "_root.key"
+	_, err = os.Stat(filepath.Join(tempBaseDir2, "private", "root_keys", rootKeyFilename))
+	assert.NoError(t, err, "missing root key")
+}
+
+func TestImportExportGUN(t *testing.T) {
+	gun := "docker.com/notary"
+
+	// Temporary directory where test files will be created
+	tempBaseDir, err := ioutil.TempDir("", "notary-test-")
+	defer os.RemoveAll(tempBaseDir)
+	assert.NoError(t, err, "failed to create a temporary directory: %s", err)
+
+	fileStore, err := trustmanager.NewKeyFileStore(filepath.Join(tempBaseDir, "private"), newPassphraseRetriever)
+	cs := NewCryptoService(gun, fileStore)
+	_, err = cs.Create(data.CanonicalRootRole, data.ECDSAKey)
+	_, err = cs.Create(data.CanonicalTargetsRole, data.ECDSAKey)
+	_, err = cs.Create(data.CanonicalSnapshotRole, data.ECDSAKey)
+	assert.NoError(t, err)
+
+	tempZipFile, err := ioutil.TempFile("", "notary-test-export-")
+	tempZipFilePath := tempZipFile.Name()
+	defer os.Remove(tempZipFilePath)
+
+	err = cs.ExportKeysByGUN(tempZipFile, gun, newPassphraseRetriever)
+	assert.NoError(t, err)
+
+	// With an invalid GUN, this should return an error
+	err = cs.ExportKeysByGUN(tempZipFile, "does.not.exist/in/repository", newPassphraseRetriever)
+	assert.EqualError(t, err, ErrNoKeysFoundForGUN.Error())
+
+	tempZipFile.Close()
+
+	// Reopen the zip file for importing
+	zipReader, err := zip.OpenReader(tempZipFilePath)
+	assert.NoError(t, err, "could not open zip file")
+
+	// Map of files to expect in the zip file, with the passphrases
+	passphraseByFile := make(map[string]string)
+
+	// Add keys non-root keys to the map. These should use the new passphrase
+	// because they were formerly unencrypted.
+	privKeyMap := cs.ListAllKeys()
+	for privKeyName := range privKeyMap {
+		_, alias, err := cs.GetPrivateKey(privKeyName)
+		if err != nil {
+			t.Fatalf("privKey %s has no alias", privKeyName)
+		}
+		if alias == "root" {
+			continue
+		}
+		relKeyPath := filepath.Join("private", "tuf_keys", privKeyName+"_"+alias+".key")
+
+		passphraseByFile[relKeyPath] = exportPassphrase
+	}
+
+	// Iterate through the files in the archive, checking that the files
+	// exist and are encrypted with the expected passphrase.
+	for _, f := range zipReader.File {
+
+		expectedPassphrase, present := passphraseByFile[f.Name]
+		if !present {
+			t.Fatalf("unexpected file %s in zip file", f.Name)
+		}
+
+		delete(passphraseByFile, f.Name)
+
+		rc, err := f.Open()
+		assert.NoError(t, err, "could not open file inside zip archive")
+
+		pemBytes, err := ioutil.ReadAll(rc)
+		assert.NoError(t, err, "could not read file from zip")
+
+		_, err = trustmanager.ParsePEMPrivateKey(pemBytes, expectedPassphrase)
+		assert.NoError(t, err, "PEM not encrypted with the expected passphrase")
+
+		rc.Close()
+	}
+
+	zipReader.Close()
+
+	// Are there any keys that didn't make it to the zip?
+	for fileNotFound := range passphraseByFile {
+		t.Fatalf("%s not found in zip", fileNotFound)
+	}
+
+	// Create new repo to test import
+	tempBaseDir2, err := ioutil.TempDir("", "notary-test-")
+	defer os.RemoveAll(tempBaseDir2)
+	assert.NoError(t, err, "failed to create a temporary directory: %s", err)
+
+	fileStore2, err := trustmanager.NewKeyFileStore(filepath.Join(tempBaseDir2, "private"), newPassphraseRetriever)
+	cs2 := NewCryptoService(gun, fileStore2)
+
+	// Reopen the zip file for importing
+	zipReader, err = zip.OpenReader(tempZipFilePath)
+	assert.NoError(t, err, "could not open zip file")
+
+	// Now try with a valid passphrase. This time it should succeed.
+	err = cs2.ImportKeysZip(zipReader.Reader)
+	assert.NoError(t, err)
+	zipReader.Close()
+
+	// Look for keys in private. The filenames should match the key IDs
+	// in the repo's private key store.
+	for privKeyName, role := range privKeyMap {
+		if role == "root" {
+			continue
+		}
+		_, alias, err := cs2.GetPrivateKey(privKeyName)
+		if err != nil {
+			t.Fatalf("privKey %s has no alias", privKeyName)
+		}
+		if alias == "root" {
+			continue
+		}
+		relKeyPath := filepath.Join("private", "tuf_keys", privKeyName+"_"+alias+".key")
+		privKeyFileName := filepath.Join(tempBaseDir2, relKeyPath)
+		_, err = os.Stat(privKeyFileName)
+		assert.NoError(t, err)
+	}
+}
+
+func TestImportExportRootKey(t *testing.T) {
+	gun := "docker.com/notary"
+
+	// Temporary directory where test files will be created
+	tempBaseDir, err := ioutil.TempDir("", "notary-test-")
+	defer os.RemoveAll(tempBaseDir)
+	assert.NoError(t, err, "failed to create a temporary directory: %s", err)
+
+	fileStore, err := trustmanager.NewKeyFileStore(filepath.Join(tempBaseDir, "private"), oldPassphraseRetriever)
+	cs := NewCryptoService(gun, fileStore)
+	pubKey, err := cs.Create(data.CanonicalRootRole, data.ECDSAKey)
+	assert.NoError(t, err)
+
+	rootKeyID := pubKey.ID()
+
+	tempKeyFile, err := ioutil.TempFile("", "notary-test-export-")
+	tempKeyFilePath := tempKeyFile.Name()
+	defer os.Remove(tempKeyFilePath)
+
+	err = cs.ExportRootKey(tempKeyFile, rootKeyID)
+	assert.NoError(t, err)
+	tempKeyFile.Close()
+
+	// Create new repo to test import
+	tempBaseDir2, err := ioutil.TempDir("", "notary-test-")
+	defer os.RemoveAll(tempBaseDir2)
+	assert.NoError(t, err, "failed to create a temporary directory: %s", err)
+
+	fileStore2, err := trustmanager.NewKeyFileStore(filepath.Join(tempBaseDir2, "private"), oldPassphraseRetriever)
+	cs2 := NewCryptoService(gun, fileStore2)
+
+	keyReader, err := os.Open(tempKeyFilePath)
+	assert.NoError(t, err, "could not open key file")
+
+	err = cs2.ImportRootKey(keyReader)
+	assert.NoError(t, err)
+	keyReader.Close()
+
+	// Look for repo's root key in repo2
+	// There should be a file named after the key ID of the root key we
+	// imported.
+	rootKeyFilename := rootKeyID + "_root.key"
+	_, err = os.Stat(filepath.Join(tempBaseDir2, "private", "root_keys", rootKeyFilename))
+	assert.NoError(t, err, "missing root key")
+
+	// Try to import a decrypted version of the root key and make sure it
+	// doesn't succeed
+	pemBytes, err := ioutil.ReadFile(tempKeyFilePath)
+	assert.NoError(t, err, "could not read key file")
+	privKey, err := trustmanager.ParsePEMPrivateKey(pemBytes, oldPassphrase)
+	assert.NoError(t, err, "could not decrypt key file")
+	decryptedPEMBytes, err := trustmanager.KeyToPEM(privKey)
+	assert.NoError(t, err, "could not convert key to PEM")
+
+	err = cs2.ImportRootKey(bytes.NewReader(decryptedPEMBytes))
+	assert.EqualError(t, err, ErrRootKeyNotEncrypted.Error())
+
+	// Try to import garbage and make sure it doesn't succeed
+	err = cs2.ImportRootKey(strings.NewReader("this is not PEM"))
+	assert.EqualError(t, err, ErrNoValidPrivateKey.Error())
+
+	// Should be able to unlock the root key with the old password
+	key, alias, err := cs2.GetPrivateKey(rootKeyID)
+	assert.NoError(t, err, "could not unlock root key")
+	assert.Equal(t, "root", alias)
+	assert.Equal(t, rootKeyID, key.ID())
+}
+
+func TestImportExportRootKeyReencrypt(t *testing.T) {
+	gun := "docker.com/notary"
+
+	// Temporary directory where test files will be created
+	tempBaseDir, err := ioutil.TempDir("", "notary-test-")
+	defer os.RemoveAll(tempBaseDir)
+	assert.NoError(t, err, "failed to create a temporary directory: %s", err)
+
+	fileStore, err := trustmanager.NewKeyFileStore(filepath.Join(tempBaseDir, "private"), oldPassphraseRetriever)
+	cs := NewCryptoService(gun, fileStore)
+	pubKey, err := cs.Create(data.CanonicalRootRole, data.ECDSAKey)
+	assert.NoError(t, err)
+
+	rootKeyID := pubKey.ID()
+
+	tempKeyFile, err := ioutil.TempFile("", "notary-test-export-")
+	tempKeyFilePath := tempKeyFile.Name()
+	defer os.Remove(tempKeyFilePath)
+
+	err = cs.ExportRootKeyReencrypt(tempKeyFile, rootKeyID, newPassphraseRetriever)
+	assert.NoError(t, err)
+	tempKeyFile.Close()
+
+	// Create new repo to test import
+	tempBaseDir2, err := ioutil.TempDir("", "notary-test-")
+	defer os.RemoveAll(tempBaseDir2)
+	assert.NoError(t, err, "failed to create a temporary directory: %s", err)
+
+	fileStore2, err := trustmanager.NewKeyFileStore(filepath.Join(tempBaseDir2, "private"), newPassphraseRetriever)
+	cs2 := NewCryptoService(gun, fileStore2)
+
+	keyReader, err := os.Open(tempKeyFilePath)
+	assert.NoError(t, err, "could not open key file")
+
+	err = cs2.ImportRootKey(keyReader)
+	assert.NoError(t, err)
+	keyReader.Close()
+
+	// Look for repo's root key in repo2
+	// There should be a file named after the key ID of the root key we
+	// imported.
+	rootKeyFilename := rootKeyID + "_root.key"
+	_, err = os.Stat(filepath.Join(tempBaseDir2, "private", "root_keys", rootKeyFilename))
+	assert.NoError(t, err, "missing root key")
+
+	// Should be able to unlock the root key with the new password
+	key, alias, err := cs2.GetPrivateKey(rootKeyID)
+	assert.NoError(t, err, "could not unlock root key")
+	assert.Equal(t, "root", alias)
+	assert.Equal(t, rootKeyID, key.ID())
+}
--- a/keystoremanager/keystoremanager.go
+++ b/keystoremanager/keystoremanager.go
@ -24,9 +24,7 @@ type KeyStoreManager struct {
 }

 const (
-	trustDir = "trusted_certificates"
-	// PrivDir is the name of the private directory
-	PrivDir        = "private"
+	trustDir       = "trusted_certificates"
 	rsaRootKeySize = 4096 // Used for new root keys
 )

--- a/keystoremanager/keystoremanager_test.go
+++ b/keystoremanager/keystoremanager_test.go
--- a/signer/api/ecdsa_hardware_crypto_service.go
+++ b/signer/api/ecdsa_hardware_crypto_service.go
@ -504,7 +504,8 @@ func (s *YubiKeyStore) AddKey(keyID, role string, privKey data.PrivateKey) error

 	if k, ok := s.keys[keyID]; ok {
 		if k.role == role {
-
+			// already have the key and it's associated with the correct role
+			return nil
 		}
 	}

--- a/trustmanager/keyfilestore.go
+++ b/trustmanager/keyfilestore.go
@ -329,12 +329,17 @@ func encryptAndAddKey(s LimitedFileStore, passwd string, cachedKeys map[string]*

 func importKey(s LimitedFileStore, passphraseRetriever passphrase.Retriever, cachedKeys map[string]*cachedKey, alias string, pemBytes []byte) error {

+	if alias != data.CanonicalRootRole {
+		return s.Add(alias, pemBytes)
+	}
+
 	privKey, passphrase, err := GetPasswdDecryptBytes(passphraseRetriever, pemBytes, "imported", alias)

 	if err != nil {
 		return err
 	}

-	return encryptAndAddKey(
-		s, passphrase, cachedKeys, privKey.ID(), alias, privKey)
+	var name string
+	name = privKey.ID()
+	return encryptAndAddKey(s, passphrase, cachedKeys, name, alias, privKey)
 }