mirror of https://github.com/docker/docs.git
Merge pull request #50 from docker/configurable-trust-dir-rebase
Configurable trust dir rebase Signed-off-by: David Lawrence <david.lawrence@docker.com> Signed-off-by: Diogo Mónica <diogo.monica@gmail.com> (github: endophage)
This commit is contained in:
Diogo Mónica
David Lawrence
commit
b9d0f15745
|
|
@ -53,9 +53,9 @@ func certRemove(cmd *cobra.Command, args []string) {
|
|||
cmd.Usage()
|
||||
fatalf("Must specify the cert ID or the GUN of the certificates to remove")
|
||||
}
|
||||
|
||||
parseConfig()
|
||||
|
||||
trustDir := mainViper.GetString("trust_dir")
|
||||
keysPath := filepath.Join(trustDir, notary.PrivDir)
|
||||
fileKeyStore, err := trustmanager.NewKeyFileStore(keysPath, retriever)
|
||||
if err != nil {
|
||||
|
|
@ -122,9 +122,9 @@ func certList(cmd *cobra.Command, args []string) {
|
|||
cmd.Usage()
|
||||
os.Exit(1)
|
||||
}
|
||||
|
||||
parseConfig()
|
||||
|
||||
trustDir := mainViper.GetString("trust_dir")
|
||||
keysPath := filepath.Join(trustDir, notary.PrivDir)
|
||||
fileKeyStore, err := trustmanager.NewKeyFileStore(keysPath, retriever)
|
||||
if err != nil {
|
||||
|
|
|
|||
|
|
@ -25,23 +25,31 @@ import (
|
|||
"github.com/docker/notary/trustmanager"
|
||||
"github.com/docker/notary/tuf/data"
|
||||
"github.com/spf13/cobra"
|
||||
"github.com/spf13/viper"
|
||||
"github.com/stretchr/testify/assert"
|
||||
"golang.org/x/net/context"
|
||||
)
|
||||
|
||||
var cmd = &cobra.Command{}
|
||||
var testPassphrase = "passphrase"
|
||||
|
||||
// run a command and return the output as a string
|
||||
func runCommand(t *testing.T, tempDir string, args ...string) (string, error) {
|
||||
b := new(bytes.Buffer)
|
||||
cmd.SetArgs(append([]string{"-c", "/tmp/ignore.json", "-d", tempDir}, args...))
|
||||
cmd.SetOutput(b)
|
||||
t.Logf("Running `notary %s`", strings.Join(args, " "))
|
||||
// Using a new viper and Command so we don't have state between command invocations
|
||||
mainViper = viper.New()
|
||||
cmd := &cobra.Command{}
|
||||
setupCommand(cmd)
|
||||
|
||||
b := new(bytes.Buffer)
|
||||
|
||||
// Create an empty config file so we don't load the default on ~/.notary/config.json
|
||||
configFile := filepath.Join(tempDir, "config.json")
|
||||
|
||||
cmd.SetArgs(append([]string{"-c", configFile, "-d", tempDir}, args...))
|
||||
cmd.SetOutput(b)
|
||||
retErr := cmd.Execute()
|
||||
output, err := ioutil.ReadAll(b)
|
||||
assert.NoError(t, err)
|
||||
|
||||
return string(output), retErr
|
||||
}
|
||||
|
||||
|
|
@ -71,8 +79,7 @@ func TestClientTufInteraction(t *testing.T) {
|
|||
cleanup := setUp(t)
|
||||
defer cleanup()
|
||||
|
||||
tempDir, err := ioutil.TempDir("/tmp", "repo")
|
||||
assert.NoError(t, err)
|
||||
tempDir := tempDirWithConfig(t, "{}")
|
||||
defer os.RemoveAll(tempDir)
|
||||
|
||||
server := setupServer()
|
||||
|
|
@ -122,7 +129,7 @@ func TestClientTufInteraction(t *testing.T) {
|
|||
assert.True(t, strings.Contains(string(output), target))
|
||||
|
||||
// verify repo - empty file
|
||||
output, err = runCommand(t, tempDir, "verify", "gun", target)
|
||||
output, err = runCommand(t, tempDir, "-s", server.URL, "verify", "gun", target)
|
||||
assert.NoError(t, err)
|
||||
|
||||
// remove target
|
||||
|
|
@ -224,8 +231,7 @@ func TestClientKeyGenerationRotation(t *testing.T) {
|
|||
cleanup := setUp(t)
|
||||
defer cleanup()
|
||||
|
||||
tempDir, err := ioutil.TempDir("/tmp", "repo")
|
||||
assert.NoError(t, err)
|
||||
tempDir := tempDirWithConfig(t, "{}")
|
||||
defer os.RemoveAll(tempDir)
|
||||
|
||||
tempfiles := make([]string, 2)
|
||||
|
|
@ -248,7 +254,7 @@ func TestClientKeyGenerationRotation(t *testing.T) {
|
|||
assertNumKeys(t, tempDir, 0, 0, true)
|
||||
|
||||
// generate root key produces a single root key and no other keys
|
||||
_, err = runCommand(t, tempDir, "key", "generate", data.ECDSAKey)
|
||||
_, err := runCommand(t, tempDir, "key", "generate", data.ECDSAKey)
|
||||
assert.NoError(t, err)
|
||||
assertNumKeys(t, tempDir, 1, 0, true)
|
||||
|
||||
|
|
@ -305,8 +311,7 @@ func TestClientKeyImportExportRootAndSigning(t *testing.T) {
|
|||
|
||||
dirs := make([]string, 3)
|
||||
for i := 0; i < 3; i++ {
|
||||
tempDir, err := ioutil.TempDir("/tmp", "repo")
|
||||
assert.NoError(t, err)
|
||||
tempDir := tempDirWithConfig(t, "{}")
|
||||
defer os.RemoveAll(tempDir)
|
||||
dirs[i] = tempDir
|
||||
}
|
||||
|
|
@ -381,12 +386,11 @@ func TestClientKeyImportExportRootAndSigning(t *testing.T) {
|
|||
// Generate a root key and export the root key only. Return the key ID
|
||||
// exported.
|
||||
func exportRoot(t *testing.T, exportTo string) string {
|
||||
tempDir, err := ioutil.TempDir("/tmp", "repo")
|
||||
assert.NoError(t, err)
|
||||
tempDir := tempDirWithConfig(t, "{}")
|
||||
defer os.RemoveAll(tempDir)
|
||||
|
||||
// generate root key produces a single root key and no other keys
|
||||
_, err = runCommand(t, tempDir, "key", "generate", data.ECDSAKey)
|
||||
_, err := runCommand(t, tempDir, "key", "generate", data.ECDSAKey)
|
||||
assert.NoError(t, err)
|
||||
oldRoot, _ := assertNumKeys(t, tempDir, 1, 0, true)
|
||||
|
||||
|
|
@ -410,8 +414,7 @@ func TestClientKeyImportExportRootOnly(t *testing.T) {
|
|||
cleanup := setUp(t)
|
||||
defer cleanup()
|
||||
|
||||
tempDir, err := ioutil.TempDir("/tmp", "repo")
|
||||
assert.NoError(t, err)
|
||||
tempDir := tempDirWithConfig(t, "{}")
|
||||
defer os.RemoveAll(tempDir)
|
||||
|
||||
server := setupServer()
|
||||
|
|
@ -481,15 +484,14 @@ func TestClientCertInteraction(t *testing.T) {
|
|||
cleanup := setUp(t)
|
||||
defer cleanup()
|
||||
|
||||
tempDir, err := ioutil.TempDir("/tmp", "repo")
|
||||
assert.NoError(t, err)
|
||||
tempDir := tempDirWithConfig(t, "{}")
|
||||
defer os.RemoveAll(tempDir)
|
||||
|
||||
server := setupServer()
|
||||
defer server.Close()
|
||||
|
||||
// -- tests --
|
||||
_, err = runCommand(t, tempDir, "-s", server.URL, "init", "gun1")
|
||||
_, err := runCommand(t, tempDir, "-s", server.URL, "init", "gun1")
|
||||
assert.NoError(t, err)
|
||||
_, err = runCommand(t, tempDir, "-s", server.URL, "init", "gun2")
|
||||
assert.NoError(t, err)
|
||||
|
|
@ -510,11 +512,38 @@ func TestClientCertInteraction(t *testing.T) {
|
|||
assertNumCerts(t, tempDir, 0)
|
||||
}
|
||||
|
||||
// Tests default root key generation
|
||||
func TestDefaultRootKeyGeneration(t *testing.T) {
|
||||
// -- setup --
|
||||
cleanup := setUp(t)
|
||||
defer cleanup()
|
||||
|
||||
tempDir := tempDirWithConfig(t, "{}")
|
||||
defer os.RemoveAll(tempDir)
|
||||
|
||||
// -- tests --
|
||||
|
||||
// starts out with no keys
|
||||
assertNumKeys(t, tempDir, 0, 0, true)
|
||||
|
||||
// generate root key with no algorithm produces a single ECDSA root key and no other keys
|
||||
_, err := runCommand(t, tempDir, "key", "generate")
|
||||
assert.NoError(t, err)
|
||||
assertNumKeys(t, tempDir, 1, 0, true)
|
||||
}
|
||||
|
||||
func tempDirWithConfig(t *testing.T, config string) string {
|
||||
tempDir, err := ioutil.TempDir("/tmp", "repo")
|
||||
assert.NoError(t, err)
|
||||
err = ioutil.WriteFile(filepath.Join(tempDir, "config.json"), []byte(config), 0644)
|
||||
assert.NoError(t, err)
|
||||
return tempDir
|
||||
}
|
||||
|
||||
func TestMain(m *testing.M) {
|
||||
if testing.Short() {
|
||||
// skip
|
||||
os.Exit(0)
|
||||
}
|
||||
setupCommand(cmd)
|
||||
os.Exit(m.Run())
|
||||
}
|
||||
|
|
|
|||
|
|
@ -97,7 +97,7 @@ func keysList(cmd *cobra.Command, args []string) {
|
|||
|
||||
parseConfig()
|
||||
|
||||
stores := getKeyStores(cmd, trustDir, retriever, true)
|
||||
stores := getKeyStores(cmd, mainViper.GetString("trust_dir"), retriever, true)
|
||||
|
||||
keys := make(map[trustmanager.KeyStore]map[string]string)
|
||||
for _, store := range stores {
|
||||
|
|
@ -137,15 +137,26 @@ func keysList(cmd *cobra.Command, args []string) {
|
|||
}
|
||||
|
||||
func keysGenerateRootKey(cmd *cobra.Command, args []string) {
|
||||
if len(args) < 1 {
|
||||
// We require one or no arguments (since we have a default value), but if the
|
||||
// user passes in more than one argument, we error out.
|
||||
if len(args) > 1 {
|
||||
cmd.Usage()
|
||||
fatalf("Must specify an Algorithm (RSA, ECDSA)")
|
||||
fatalf("Please provide only one Algorithm as an argument to generate (rsa, ecdsa)")
|
||||
}
|
||||
|
||||
parseConfig()
|
||||
|
||||
// If no param is given to generate, generates an ecdsa key by default
|
||||
algorithm := data.ECDSAKey
|
||||
|
||||
// If we were provided an argument lets attempt to use it as an algorithm
|
||||
if len(args) > 0 {
|
||||
algorithm = args[0]
|
||||
}
|
||||
|
||||
algorithm := args[0]
|
||||
allowedCiphers := map[string]bool{
|
||||
"rsa": true,
|
||||
"ecdsa": true,
|
||||
data.ECDSAKey: true,
|
||||
data.RSAKey: true,
|
||||
}
|
||||
|
||||
if !allowedCiphers[strings.ToLower(algorithm)] {
|
||||
|
|
@ -156,7 +167,7 @@ func keysGenerateRootKey(cmd *cobra.Command, args []string) {
|
|||
|
||||
cs := cryptoservice.NewCryptoService(
|
||||
"",
|
||||
getKeyStores(cmd, trustDir, retriever, true)...,
|
||||
getKeyStores(cmd, mainViper.GetString("trust_dir"), retriever, true)...,
|
||||
)
|
||||
|
||||
pubKey, err := cs.Create(data.CanonicalRootRole, algorithm)
|
||||
|
|
@ -174,13 +185,12 @@ func keysExport(cmd *cobra.Command, args []string) {
|
|||
fatalf("Must specify output filename for export")
|
||||
}
|
||||
|
||||
exportFilename := args[0]
|
||||
|
||||
parseConfig()
|
||||
exportFilename := args[0]
|
||||
|
||||
cs := cryptoservice.NewCryptoService(
|
||||
"",
|
||||
getKeyStores(cmd, trustDir, retriever, true)...,
|
||||
getKeyStores(cmd, mainViper.GetString("trust_dir"), retriever, true)...,
|
||||
)
|
||||
|
||||
exportFile, err := os.Create(exportFilename)
|
||||
|
|
@ -212,6 +222,8 @@ func keysExportRoot(cmd *cobra.Command, args []string) {
|
|||
fatalf("Must specify key ID and output filename for export")
|
||||
}
|
||||
|
||||
parseConfig()
|
||||
|
||||
keyID := args[0]
|
||||
exportFilename := args[1]
|
||||
|
||||
|
|
@ -223,7 +235,7 @@ func keysExportRoot(cmd *cobra.Command, args []string) {
|
|||
|
||||
cs := cryptoservice.NewCryptoService(
|
||||
"",
|
||||
getKeyStores(cmd, trustDir, retriever, true)...,
|
||||
getKeyStores(cmd, mainViper.GetString("trust_dir"), retriever, true)...,
|
||||
)
|
||||
|
||||
exportFile, err := os.Create(exportFilename)
|
||||
|
|
@ -258,7 +270,7 @@ func keysImport(cmd *cobra.Command, args []string) {
|
|||
|
||||
cs := cryptoservice.NewCryptoService(
|
||||
"",
|
||||
getKeyStores(cmd, trustDir, retriever, true)...,
|
||||
getKeyStores(cmd, mainViper.GetString("trust_dir"), retriever, true)...,
|
||||
)
|
||||
|
||||
zipReader, err := zip.OpenReader(importFilename)
|
||||
|
|
@ -281,15 +293,15 @@ func keysImportRoot(cmd *cobra.Command, args []string) {
|
|||
fatalf("Must specify input filename for import")
|
||||
}
|
||||
|
||||
importFilename := args[0]
|
||||
|
||||
parseConfig()
|
||||
|
||||
cs := cryptoservice.NewCryptoService(
|
||||
"",
|
||||
getKeyStores(cmd, trustDir, retriever, true)...,
|
||||
getKeyStores(cmd, mainViper.GetString("trust_dir"), retriever, true)...,
|
||||
)
|
||||
|
||||
importFilename := args[0]
|
||||
|
||||
importFile, err := os.Open(importFilename)
|
||||
if err != nil {
|
||||
fatalf("Opening file for import: %v", err)
|
||||
|
|
@ -317,7 +329,7 @@ func keysRotate(cmd *cobra.Command, args []string) {
|
|||
parseConfig()
|
||||
|
||||
gun := args[0]
|
||||
nRepo, err := notaryclient.NewNotaryRepository(trustDir, gun, remoteTrustServer, nil, retriever)
|
||||
nRepo, err := notaryclient.NewNotaryRepository(mainViper.GetString("trust_dir"), gun, remoteTrustServer, nil, retriever)
|
||||
if err != nil {
|
||||
fatalf(err.Error())
|
||||
}
|
||||
|
|
|
|||
|
|
@ -43,7 +43,6 @@ func parseConfig() {
|
|||
logrus.SetOutput(os.Stderr)
|
||||
}
|
||||
|
||||
if trustDir == "" {
|
||||
// Get home directory for current user
|
||||
homeDir, err := homedir.Dir()
|
||||
if err != nil {
|
||||
|
|
@ -52,12 +51,9 @@ func parseConfig() {
|
|||
if homeDir == "" {
|
||||
fatalf("Cannot get current user home directory")
|
||||
}
|
||||
trustDir = filepath.Join(homeDir, filepath.Dir(configDir))
|
||||
|
||||
logrus.Debugf("no trust directory provided, using default: %s", trustDir)
|
||||
} else {
|
||||
logrus.Debugf("trust directory provided: %s", trustDir)
|
||||
}
|
||||
// By default our trust directory (where keys are stored) is in ~/.notary/
|
||||
mainViper.SetDefault("trust_dir", filepath.Join(homeDir, filepath.Dir(configDir)))
|
||||
|
||||
// If there was a commandline configFile set, we parse that.
|
||||
// If there wasn't we attempt to find it on the default location ~/.notary/config
|
||||
|
|
@ -66,7 +62,7 @@ func parseConfig() {
|
|||
configFileName = strings.TrimSuffix(filepath.Base(configFile), filepath.Ext(configFile))
|
||||
configPath = filepath.Dir(configFile)
|
||||
} else {
|
||||
configPath = trustDir
|
||||
configPath = filepath.Join(homeDir, filepath.Dir(configDir))
|
||||
}
|
||||
|
||||
// Setup the configuration details into viper
|
||||
|
|
@ -75,14 +71,29 @@ func parseConfig() {
|
|||
mainViper.AddConfigPath(configPath)
|
||||
|
||||
// Find and read the config file
|
||||
err := mainViper.ReadInConfig()
|
||||
err = mainViper.ReadInConfig()
|
||||
if err != nil {
|
||||
logrus.Debugf("configuration file not found, using defaults")
|
||||
// Ignore if the configuration file doesn't exist, we can use the defaults
|
||||
if !os.IsNotExist(err) {
|
||||
fatalf("Fatal error config file: %v", err)
|
||||
logrus.Debugf("Configuration file not found, using defaults")
|
||||
// If we were passed in a configFile via -c, bail if it doesn't exist,
|
||||
// otherwise ignore it: we can use the defaults
|
||||
if configFile != "" || !os.IsNotExist(err) {
|
||||
fatalf("error opening config file %v", err)
|
||||
}
|
||||
}
|
||||
|
||||
// At this point we either have the default value or the one set by the config.
|
||||
// Either way, the command-line flag has precedence and overwrites the value
|
||||
if trustDir != "" {
|
||||
mainViper.Set("trust_dir", trustDir)
|
||||
}
|
||||
|
||||
// Expands all the possible ~/ that have been given, either through -d or config
|
||||
// If there is no error, use it, if not, attempt to use whatever the user gave us
|
||||
expandedTrustDir, err := homedir.Expand(mainViper.GetString("trust_dir"))
|
||||
if err == nil {
|
||||
mainViper.Set("trust_dir", expandedTrustDir)
|
||||
}
|
||||
logrus.Debugf("Using the following trust directory: %s", mainViper.GetString("trust_dir"))
|
||||
}
|
||||
|
||||
func setupCommand(notaryCmd *cobra.Command) {
|
||||
|
|
@ -97,7 +108,7 @@ func setupCommand(notaryCmd *cobra.Command) {
|
|||
|
||||
notaryCmd.AddCommand(versionCmd)
|
||||
|
||||
notaryCmd.PersistentFlags().StringVarP(&trustDir, "trustdir", "d", "", "Directory where the trust data is persisted to")
|
||||
notaryCmd.PersistentFlags().StringVarP(&trustDir, "trustDir", "d", "", "Directory where the trust data is persisted to")
|
||||
notaryCmd.PersistentFlags().StringVarP(&configFile, "configFile", "c", "", "Path to the configuration file to use")
|
||||
notaryCmd.PersistentFlags().BoolVarP(&verbose, "verbose", "v", false, "Verbose output")
|
||||
notaryCmd.PersistentFlags().StringVarP(&remoteTrustServer, "server", "s", "", "Remote trust server location")
|
||||
|
|
|
|||
|
|
@ -86,15 +86,15 @@ func tufAdd(cmd *cobra.Command, args []string) {
|
|||
cmd.Usage()
|
||||
fatalf("Must specify a GUN, target, and path to target data")
|
||||
}
|
||||
parseConfig()
|
||||
|
||||
gun := args[0]
|
||||
targetName := args[1]
|
||||
targetPath := args[2]
|
||||
|
||||
parseConfig()
|
||||
// no online operations are performed by add so the transport argument
|
||||
// should be nil
|
||||
nRepo, err := notaryclient.NewNotaryRepository(trustDir, gun, getRemoteTrustServer(), nil, retriever)
|
||||
nRepo, err := notaryclient.NewNotaryRepository(mainViper.GetString("trust_dir"), gun, getRemoteTrustServer(), nil, retriever)
|
||||
if err != nil {
|
||||
fatalf(err.Error())
|
||||
}
|
||||
|
|
@ -118,10 +118,10 @@ func tufInit(cmd *cobra.Command, args []string) {
|
|||
fatalf("Must specify a GUN")
|
||||
}
|
||||
|
||||
gun := args[0]
|
||||
parseConfig()
|
||||
gun := args[0]
|
||||
|
||||
nRepo, err := notaryclient.NewNotaryRepository(trustDir, gun, getRemoteTrustServer(), getTransport(gun, false), retriever)
|
||||
nRepo, err := notaryclient.NewNotaryRepository(mainViper.GetString("trust_dir"), gun, getRemoteTrustServer(), getTransport(gun, false), retriever)
|
||||
if err != nil {
|
||||
fatalf(err.Error())
|
||||
}
|
||||
|
|
@ -154,10 +154,10 @@ func tufList(cmd *cobra.Command, args []string) {
|
|||
cmd.Usage()
|
||||
fatalf("Must specify a GUN")
|
||||
}
|
||||
gun := args[0]
|
||||
parseConfig()
|
||||
gun := args[0]
|
||||
|
||||
nRepo, err := notaryclient.NewNotaryRepository(trustDir, gun, getRemoteTrustServer(), getTransport(gun, true), retriever)
|
||||
nRepo, err := notaryclient.NewNotaryRepository(mainViper.GetString("trust_dir"), gun, getRemoteTrustServer(), getTransport(gun, true), retriever)
|
||||
if err != nil {
|
||||
fatalf(err.Error())
|
||||
}
|
||||
|
|
@ -179,11 +179,12 @@ func tufLookup(cmd *cobra.Command, args []string) {
|
|||
cmd.Usage()
|
||||
fatalf("Must specify a GUN and target")
|
||||
}
|
||||
gun := args[0]
|
||||
targetName := args[1]
|
||||
parseConfig()
|
||||
|
||||
nRepo, err := notaryclient.NewNotaryRepository(trustDir, gun, getRemoteTrustServer(), getTransport(gun, true), retriever)
|
||||
gun := args[0]
|
||||
targetName := args[1]
|
||||
|
||||
nRepo, err := notaryclient.NewNotaryRepository(mainViper.GetString("trust_dir"), gun, getRemoteTrustServer(), getTransport(gun, true), retriever)
|
||||
if err != nil {
|
||||
fatalf(err.Error())
|
||||
}
|
||||
|
|
@ -202,10 +203,10 @@ func tufStatus(cmd *cobra.Command, args []string) {
|
|||
fatalf("Must specify a GUN")
|
||||
}
|
||||
|
||||
gun := args[0]
|
||||
parseConfig()
|
||||
gun := args[0]
|
||||
|
||||
nRepo, err := notaryclient.NewNotaryRepository(trustDir, gun, getRemoteTrustServer(), nil, retriever)
|
||||
nRepo, err := notaryclient.NewNotaryRepository(mainViper.GetString("trust_dir"), gun, getRemoteTrustServer(), nil, retriever)
|
||||
if err != nil {
|
||||
fatalf(err.Error())
|
||||
}
|
||||
|
|
@ -234,12 +235,12 @@ func tufPublish(cmd *cobra.Command, args []string) {
|
|||
fatalf("Must specify a GUN")
|
||||
}
|
||||
|
||||
gun := args[0]
|
||||
parseConfig()
|
||||
gun := args[0]
|
||||
|
||||
cmd.Println("Pushing changes to", gun)
|
||||
|
||||
nRepo, err := notaryclient.NewNotaryRepository(trustDir, gun, getRemoteTrustServer(), getTransport(gun, false), retriever)
|
||||
nRepo, err := notaryclient.NewNotaryRepository(mainViper.GetString("trust_dir"), gun, getRemoteTrustServer(), getTransport(gun, false), retriever)
|
||||
if err != nil {
|
||||
fatalf(err.Error())
|
||||
}
|
||||
|
|
@ -255,13 +256,14 @@ func tufRemove(cmd *cobra.Command, args []string) {
|
|||
cmd.Usage()
|
||||
fatalf("Must specify a GUN and target")
|
||||
}
|
||||
parseConfig()
|
||||
|
||||
gun := args[0]
|
||||
targetName := args[1]
|
||||
parseConfig()
|
||||
|
||||
// no online operation are performed by remove so the transport argument
|
||||
// should be nil.
|
||||
repo, err := notaryclient.NewNotaryRepository(trustDir, gun, getRemoteTrustServer(), nil, retriever)
|
||||
repo, err := notaryclient.NewNotaryRepository(mainViper.GetString("trust_dir"), gun, getRemoteTrustServer(), nil, retriever)
|
||||
if err != nil {
|
||||
fatalf(err.Error())
|
||||
}
|
||||
|
|
@ -278,6 +280,7 @@ func verify(cmd *cobra.Command, args []string) {
|
|||
cmd.Usage()
|
||||
fatalf("Must specify a GUN and target")
|
||||
}
|
||||
|
||||
parseConfig()
|
||||
|
||||
// Reads all of the data on STDIN
|
||||
|
|
@ -288,7 +291,7 @@ func verify(cmd *cobra.Command, args []string) {
|
|||
|
||||
gun := args[0]
|
||||
targetName := args[1]
|
||||
nRepo, err := notaryclient.NewNotaryRepository(trustDir, gun, getRemoteTrustServer(), getTransport(gun, true), retriever)
|
||||
nRepo, err := notaryclient.NewNotaryRepository(mainViper.GetString("trust_dir"), gun, getRemoteTrustServer(), getTransport(gun, true), retriever)
|
||||
if err != nil {
|
||||
fatalf(err.Error())
|
||||
}
|
||||
|
|
|
|||
|
|
@ -185,9 +185,8 @@ func addECDSAKey(
|
|||
role string,
|
||||
backupStore KeyStore,
|
||||
) error {
|
||||
logrus.Debugf("Got into add key with key: %s\n", privKey.ID())
|
||||
logrus.Debugf("Attempting to add key to yubikey with ID: %s", privKey.ID())
|
||||
|
||||
// TODO(diogo): Figure out CKU_SO with yubikey
|
||||
err := login(ctx, session, passRetriever, pkcs11.CKU_SO, SO_USER_PIN)
|
||||
if err != nil {
|
||||
return err
|
||||
|
|
@ -201,7 +200,6 @@ func addECDSAKey(
|
|||
}
|
||||
|
||||
ecdsaPrivKeyD := ensurePrivateKeySize(ecdsaPrivKey.D.Bytes())
|
||||
logrus.Debugf("Getting D bytes: %v\n", ecdsaPrivKeyD)
|
||||
|
||||
template, err := NewCertificate(role)
|
||||
if err != nil {
|
||||
|
|
@ -262,16 +260,16 @@ func getECDSAKey(ctx *pkcs11.Ctx, session pkcs11.SessionHandle, pkcs11KeyID []by
|
|||
}
|
||||
|
||||
if err := ctx.FindObjectsInit(session, findTemplate); err != nil {
|
||||
logrus.Debugf("Failed to init: %s\n", err.Error())
|
||||
logrus.Debugf("Failed to init: %s", err.Error())
|
||||
return nil, "", err
|
||||
}
|
||||
obj, b, err := ctx.FindObjects(session, 1)
|
||||
obj, _, err := ctx.FindObjects(session, 1)
|
||||
if err != nil {
|
||||
logrus.Debugf("Failed to find: %s %v\n", err.Error(), b)
|
||||
logrus.Debugf("Failed to find objects: %v", err)
|
||||
return nil, "", err
|
||||
}
|
||||
if err := ctx.FindObjectsFinal(session); err != nil {
|
||||
logrus.Debugf("Failed to finalize: %s\n", err.Error())
|
||||
logrus.Debugf("Failed to finalize: %s", err.Error())
|
||||
return nil, "", err
|
||||
}
|
||||
if len(obj) != 1 {
|
||||
|
|
@ -282,7 +280,7 @@ func getECDSAKey(ctx *pkcs11.Ctx, session pkcs11.SessionHandle, pkcs11KeyID []by
|
|||
// Retrieve the public-key material to be able to create a new HSMRSAKey
|
||||
attr, err := ctx.GetAttributeValue(session, obj[0], attrTemplate)
|
||||
if err != nil {
|
||||
logrus.Debugf("Failed to get Attribute for: %v\n", obj[0])
|
||||
logrus.Debugf("Failed to get Attribute for: %v", obj[0])
|
||||
return nil, "", err
|
||||
}
|
||||
|
||||
|
|
@ -302,8 +300,6 @@ func getECDSAKey(ctx *pkcs11.Ctx, session pkcs11.SessionHandle, pkcs11KeyID []by
|
|||
return nil, "", err
|
||||
}
|
||||
|
||||
// TODO(diogo): Actually get the right alias from the certificate instead of
|
||||
// alwars returning data.CanonicalRootRole
|
||||
return data.NewECDSAPublicKey(pubBytes), data.CanonicalRootRole, nil
|
||||
}
|
||||
|
||||
|
|
@ -324,13 +320,16 @@ func sign(ctx *pkcs11.Ctx, session pkcs11.SessionHandle, pkcs11KeyID []byte, pas
|
|||
}
|
||||
|
||||
if err := ctx.FindObjectsInit(session, privateKeyTemplate); err != nil {
|
||||
logrus.Debugf("Failed to init find objects: %s", err.Error())
|
||||
return nil, err
|
||||
}
|
||||
obj, _, err := ctx.FindObjects(session, 1)
|
||||
if err != nil {
|
||||
logrus.Debugf("Failed to find objects: %v", err)
|
||||
return nil, err
|
||||
}
|
||||
if err = ctx.FindObjectsFinal(session); err != nil {
|
||||
logrus.Debugf("Failed to finalize find objects: %s", err.Error())
|
||||
return nil, err
|
||||
}
|
||||
if len(obj) != 1 {
|
||||
|
|
@ -374,27 +373,27 @@ func yubiRemoveKey(ctx *pkcs11.Ctx, session pkcs11.SessionHandle, pkcs11KeyID []
|
|||
}
|
||||
|
||||
if err := ctx.FindObjectsInit(session, template); err != nil {
|
||||
logrus.Printf("Failed to init: %s\n", err.Error())
|
||||
logrus.Debugf("Failed to init find objects: %s", err.Error())
|
||||
return err
|
||||
}
|
||||
obj, b, err := ctx.FindObjects(session, 1)
|
||||
if err != nil {
|
||||
logrus.Printf("Failed to find: %s %v\n", err.Error(), b)
|
||||
logrus.Debugf("Failed to find objects: %s %v", err.Error(), b)
|
||||
return err
|
||||
}
|
||||
if err := ctx.FindObjectsFinal(session); err != nil {
|
||||
logrus.Printf("Failed to finalize: %s\n", err.Error())
|
||||
logrus.Debugf("Failed to finalize find objects: %s", err.Error())
|
||||
return err
|
||||
}
|
||||
if len(obj) != 1 {
|
||||
logrus.Printf("should have found one object")
|
||||
logrus.Debugf("should have found exactly one object")
|
||||
return err
|
||||
}
|
||||
|
||||
// Delete the certificate
|
||||
err = ctx.DestroyObject(session, obj[0])
|
||||
if err != nil {
|
||||
logrus.Printf("Failed to delete cert")
|
||||
logrus.Debugf("Failed to delete cert")
|
||||
return err
|
||||
}
|
||||
return nil
|
||||
|
|
@ -414,7 +413,7 @@ func yubiListKeys(ctx *pkcs11.Ctx, session pkcs11.SessionHandle) (keys map[strin
|
|||
}
|
||||
|
||||
if err = ctx.FindObjectsInit(session, findTemplate); err != nil {
|
||||
logrus.Debugf("Failed to init: %s\n", err.Error())
|
||||
logrus.Debugf("Failed to init: %s", err.Error())
|
||||
return
|
||||
}
|
||||
objs, b, err := ctx.FindObjects(session, numSlots)
|
||||
|
|
@ -430,13 +429,13 @@ func yubiListKeys(ctx *pkcs11.Ctx, session pkcs11.SessionHandle) (keys map[strin
|
|||
objs = append(objs, o...)
|
||||
}
|
||||
if err != nil {
|
||||
logrus.Debugf("Failed to find: %s %v\n", err.Error(), b)
|
||||
logrus.Debugf("Failed to find: %s %v", err.Error(), b)
|
||||
if len(objs) == 0 {
|
||||
return nil, err
|
||||
}
|
||||
}
|
||||
if err = ctx.FindObjectsFinal(session); err != nil {
|
||||
logrus.Debugf("Failed to finalize: %s\n", err.Error())
|
||||
logrus.Debugf("Failed to finalize: %s", err.Error())
|
||||
return
|
||||
}
|
||||
if len(objs) == 0 {
|
||||
|
|
@ -451,7 +450,7 @@ func yubiListKeys(ctx *pkcs11.Ctx, session pkcs11.SessionHandle) (keys map[strin
|
|||
// Retrieve the public-key material to be able to create a new HSMRSAKey
|
||||
attr, err := ctx.GetAttributeValue(session, obj, attrTemplate)
|
||||
if err != nil {
|
||||
logrus.Debugf("Failed to get Attribute for: %v\n", obj)
|
||||
logrus.Debugf("Failed to get Attribute for: %v", obj)
|
||||
continue
|
||||
}
|
||||
|
||||
|
|
@ -502,7 +501,7 @@ func getNextEmptySlot(ctx *pkcs11.Ctx, session pkcs11.SessionHandle) ([]byte, er
|
|||
}
|
||||
|
||||
if err := ctx.FindObjectsInit(session, findTemplate); err != nil {
|
||||
logrus.Debugf("Failed to init: %s\n", err.Error())
|
||||
logrus.Debugf("Failed to init: %s", err.Error())
|
||||
return nil, err
|
||||
}
|
||||
objs, b, err := ctx.FindObjects(session, numSlots)
|
||||
|
|
@ -521,14 +520,13 @@ func getNextEmptySlot(ctx *pkcs11.Ctx, session pkcs11.SessionHandle) ([]byte, er
|
|||
}
|
||||
taken := make(map[int]bool)
|
||||
if err != nil {
|
||||
logrus.Debugf("Failed to find: %s %v\n", err.Error(), b)
|
||||
logrus.Debugf("Failed to find: %s %v", err.Error(), b)
|
||||
return nil, err
|
||||
}
|
||||
for _, obj := range objs {
|
||||
// Retrieve the slot ID
|
||||
attr, err := ctx.GetAttributeValue(session, obj, attrTemplate)
|
||||
if err != nil {
|
||||
logrus.Debugf("Failed to get Attribute for: %v\n", obj)
|
||||
continue
|
||||
}
|
||||
|
||||
|
|
@ -592,14 +590,17 @@ func (s *YubiKeyStore) ListKeys() map[string]string {
|
|||
}
|
||||
ctx, session, err := SetupHSMEnv(pkcs11Lib)
|
||||
if err != nil {
|
||||
logrus.Debugf("Failed to initialize PKCS11 environment: %s", err.Error())
|
||||
return nil
|
||||
}
|
||||
defer cleanup(ctx, session)
|
||||
keys, err := yubiListKeys(ctx, session)
|
||||
if err != nil {
|
||||
logrus.Debugf("Failed to list key from the yubikey: %s", err.Error())
|
||||
return nil
|
||||
}
|
||||
s.keys = keys
|
||||
|
||||
return buildKeyMap(keys)
|
||||
}
|
||||
|
||||
|
|
@ -612,11 +613,12 @@ func (s *YubiKeyStore) addKey(
|
|||
keyID, role string, privKey data.PrivateKey, backup bool) error {
|
||||
// We only allow adding root keys for now
|
||||
if role != data.CanonicalRootRole {
|
||||
return fmt.Errorf("yubikey only supports storing root keys, got %s for key: %s\n", role, keyID)
|
||||
return fmt.Errorf("yubikey only supports storing root keys, got %s for key: %s", role, keyID)
|
||||
}
|
||||
|
||||
ctx, session, err := SetupHSMEnv(pkcs11Lib)
|
||||
if err != nil {
|
||||
logrus.Debugf("Failed to initialize PKCS11 environment: %s", err.Error())
|
||||
return err
|
||||
}
|
||||
defer cleanup(ctx, session)
|
||||
|
|
@ -630,9 +632,10 @@ func (s *YubiKeyStore) addKey(
|
|||
|
||||
slot, err := getNextEmptySlot(ctx, session)
|
||||
if err != nil {
|
||||
logrus.Debugf("Failed to get an empty yubikey slot: %s", err.Error())
|
||||
return err
|
||||
}
|
||||
logrus.Debugf("Using yubikey slot %v", slot)
|
||||
logrus.Debugf("Attempting to store key using yubikey slot %v", slot)
|
||||
|
||||
backupStore := s.backupStore
|
||||
if !backup {
|
||||
|
|
@ -648,6 +651,8 @@ func (s *YubiKeyStore) addKey(
|
|||
}
|
||||
return nil
|
||||
}
|
||||
logrus.Debugf("Failed to add key to yubikey: %v", err)
|
||||
|
||||
return err
|
||||
}
|
||||
|
||||
|
|
@ -656,6 +661,7 @@ func (s *YubiKeyStore) addKey(
|
|||
func (s *YubiKeyStore) GetKey(keyID string) (data.PrivateKey, string, error) {
|
||||
ctx, session, err := SetupHSMEnv(pkcs11Lib)
|
||||
if err != nil {
|
||||
logrus.Debugf("Failed to initialize PKCS11 environment: %s", err.Error())
|
||||
return nil, "", err
|
||||
}
|
||||
defer cleanup(ctx, session)
|
||||
|
|
@ -667,11 +673,12 @@ func (s *YubiKeyStore) GetKey(keyID string) (data.PrivateKey, string, error) {
|
|||
|
||||
pubKey, alias, err := getECDSAKey(ctx, session, key.slotID)
|
||||
if err != nil {
|
||||
logrus.Debugf("Failed to get key from slot %s: %s", key.slotID, err.Error())
|
||||
return nil, "", err
|
||||
}
|
||||
// Check to see if we're returning the intended keyID
|
||||
if pubKey.ID() != keyID {
|
||||
return nil, "", fmt.Errorf("expected root key: %s, but found: %s\n", keyID, pubKey.ID())
|
||||
return nil, "", fmt.Errorf("expected root key: %s, but found: %s", keyID, pubKey.ID())
|
||||
}
|
||||
privKey := NewYubiPrivateKey(key.slotID, *pubKey, s.passRetriever)
|
||||
if privKey == nil {
|
||||
|
|
@ -686,6 +693,7 @@ func (s *YubiKeyStore) GetKey(keyID string) (data.PrivateKey, string, error) {
|
|||
func (s *YubiKeyStore) RemoveKey(keyID string) error {
|
||||
ctx, session, err := SetupHSMEnv(pkcs11Lib)
|
||||
if err != nil {
|
||||
logrus.Debugf("Failed to initialize PKCS11 environment: %s", err.Error())
|
||||
return nil
|
||||
}
|
||||
defer cleanup(ctx, session)
|
||||
|
|
@ -696,7 +704,10 @@ func (s *YubiKeyStore) RemoveKey(keyID string) error {
|
|||
err = yubiRemoveKey(ctx, session, key.slotID, s.passRetriever, keyID)
|
||||
if err == nil {
|
||||
delete(s.keys, keyID)
|
||||
} else {
|
||||
logrus.Debugf("Failed to remove from the yubikey KeyID %s: %v", keyID, err)
|
||||
}
|
||||
|
||||
return err
|
||||
}
|
||||
|
||||
|
|
@ -712,6 +723,7 @@ func (s *YubiKeyStore) ImportKey(pemBytes []byte, keyPath string) error {
|
|||
privKey, _, err := GetPasswdDecryptBytes(
|
||||
s.passRetriever, pemBytes, "", "imported root")
|
||||
if err != nil {
|
||||
logrus.Debugf("Failed to get and retrieve a key from: %s", keyPath)
|
||||
return err
|
||||
}
|
||||
if keyPath != data.CanonicalRootRole {
|
||||
|
|
@ -738,7 +750,7 @@ func SetupHSMEnv(libraryPath string) (*pkcs11.Ctx, pkcs11.SessionHandle, error)
|
|||
}
|
||||
|
||||
if err := p.Initialize(); err != nil {
|
||||
return nil, 0, fmt.Errorf("Initialize error %s\n", err.Error())
|
||||
return nil, 0, fmt.Errorf("Initialize error %s", err.Error())
|
||||
}
|
||||
|
||||
slots, err := p.GetSlotList(true)
|
||||
|
|
|
|||
Loading…
Reference in New Issue