Add a flag to change the password of the root key when exporting it

Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
2015-07-28 15:08:41 -07:00 · 2015-07-28 15:08:41 -07:00 · c3cf6c4083
parent 3af03daa42
commit c3cf6c4083
3 changed files with 124 additions and 5 deletions
--- a/cmd/notary/keys.go
+++ b/cmd/notary/keys.go
@ -22,9 +22,10 @@ func init() {
 	cmdKey.AddCommand(cmdKeyRemoveRootKey)
 	cmdKey.AddCommand(cmdKeyGenerateRootKey)
-	cmdKeyExport.Flags().StringVarP(&keysExportGUN, "gun", "g", "", "Globally unique name to export keys for. A new password will be set for all the keys. Output format is a zip archive.")
+	cmdKeyExport.Flags().StringVarP(&keysExportGUN, "gun", "g", "", "Globally unique name to export keys for.")
 	cmdKey.AddCommand(cmdKeyExport)
 	cmdKey.AddCommand(cmdKeyExportRoot)
 	cmdKeyExportRoot.Flags().BoolVarP(&keysExportRootChangePassphrase, "change-passphrase", "c", false, "set a new passphrase for the key being exported")
 	cmdKey.AddCommand(cmdKeyImport)
 	cmdKey.AddCommand(cmdKeyImportRoot)
 }
@ -65,6 +66,8 @@ var cmdKeyExport = &cobra.Command{
 	Run:   keysExport,
 }
 var keysExportRootChangePassphrase bool
 var cmdKeyExportRoot = &cobra.Command{
 	Use:   "export-root [ keyID ] [ filename ]",
 	Short: "Exports given root key to a file.",
@ -249,7 +252,14 @@ func keysExportRoot(cmd *cobra.Command, args []string) {
 	if err != nil {
 		fatalf("error creating output file: %v", err)
 	}
-	err = keyStoreManager.ExportRootKey(exportFile, keyID)
+	if keysExportRootChangePassphrase {
 		// Must use a different passphrase retriever to avoid caching the
 		// unlocking passphrase and reusing that.
 		exportRetriever := passphrase.PromptRetriever()
 		err = keyStoreManager.ExportRootKeyReencrypt(exportFile, keyID, exportRetriever)
 	} else {
 		err = keyStoreManager.ExportRootKey(exportFile, keyID)
 	}
 	exportFile.Close()
 	if err != nil {
 		fatalf("error exporting root key: %v", err)
--- a/keystoremanager/import_export.go
+++ b/keystoremanager/import_export.go
@ -42,6 +42,39 @@ func (km *KeyStoreManager) ExportRootKey(dest io.Writer, keyID string) error {
 	return err
 }
 // ExportRootKeyReencrypt exports the specified root key to an io.Writer in
 // PEM format. The key is reencrypted with a new passphrase.
 func (km *KeyStoreManager) ExportRootKeyReencrypt(dest io.Writer, keyID string, newPassphraseRetriever passphrase.Retriever) error {
 	privateKey, alias, err := km.rootKeyStore.GetKey(keyID)
 	if err != nil {
 		return err
 	}
 	// Create temporary keystore to use as a staging area
 	tempBaseDir, err := ioutil.TempDir("", "notary-key-export-")
 	defer os.RemoveAll(tempBaseDir)
 	privRootKeysSubdir := filepath.Join(privDir, rootKeysSubdir)
 	tempRootKeysPath := filepath.Join(tempBaseDir, privRootKeysSubdir)
 	tempRootKeyStore, err := trustmanager.NewKeyFileStore(tempRootKeysPath, newPassphraseRetriever)
 	if err != nil {
 		return err
 	}
 	err = tempRootKeyStore.AddKey(keyID, alias, privateKey)
 	if err != nil {
 		return err
 	}
 	pemBytes, err := tempRootKeyStore.Get(keyID + "_" + alias)
 	if err != nil {
 		return err
 	}
 	_, err = dest.Write(pemBytes)
 	return err
 }
 // checkRootKeyIsEncrypted makes sure the root key is encrypted. We have
 // internal assumptions that depend on this.
 func checkRootKeyIsEncrypted(pemBytes []byte) error {
@ -81,12 +114,12 @@ func (km *KeyStoreManager) ImportRootKey(source io.Reader, keyID string) error {
 func moveKeys(oldKeyStore, newKeyStore *trustmanager.KeyFileStore) error {
 	// List all files but no symlinks
 	for _, f := range oldKeyStore.ListKeys() {
-		pemBytes, alias, err := oldKeyStore.GetKey(f)
+		privateKey, alias, err := oldKeyStore.GetKey(f)
 		if err != nil {
 			return err
 		}
-		err = newKeyStore.AddKey(f, alias, pemBytes)
+		err = newKeyStore.AddKey(f, alias, privateKey)
 		if err != nil {
 			return err
--- a/keystoremanager/import_export_test.go
+++ b/keystoremanager/import_export_test.go
@ -350,7 +350,6 @@ func TestImportExportRootKey(t *testing.T) {
 	err = repo2.Initialize(rootCryptoService2)
 	assert.NoError(t, err, "error creating repository: %s", err)
 	// Check the contents of the zip file
 	keyReader, err := os.Open(tempKeyFilePath)
 	assert.NoError(t, err, "could not open key file")
@ -380,4 +379,81 @@ func TestImportExportRootKey(t *testing.T) {
 	// Try to import garbage and make sure it doesn't succeed
 	err = repo2.KeyStoreManager.ImportRootKey(strings.NewReader("this is not PEM"), rootKeyID)
 	assert.EqualError(t, err, keystoremanager.ErrNoValidPrivateKey.Error())
 	// Should be able to unlock the root key with the old password
 	key, alias, err := repo2.KeyStoreManager.RootKeyStore().GetKey(rootKeyID)
 	assert.NoError(t, err, "could not unlock root key")
 	assert.Equal(t, "root", alias)
 	assert.Equal(t, rootKeyID, key.ID())
 }
 func TestImportExportRootKeyReencrypt(t *testing.T) {
 	gun := "docker.com/notary"
 	// Temporary directory where test files will be created
 	tempBaseDir, err := ioutil.TempDir("", "notary-test-")
 	defer os.RemoveAll(tempBaseDir)
 	assert.NoError(t, err, "failed to create a temporary directory: %s", err)
 	ts, _ := createTestServer(t)
 	defer ts.Close()
 	repo, err := client.NewNotaryRepository(tempBaseDir, gun, ts.URL, http.DefaultTransport, oldPassphraseRetriever)
 	assert.NoError(t, err, "error creating repo: %s", err)
 	rootKeyID, err := repo.KeyStoreManager.GenRootKey(data.ECDSAKey.String())
 	assert.NoError(t, err, "error generating root key: %s", err)
 	rootCryptoService, err := repo.KeyStoreManager.GetRootCryptoService(rootKeyID)
 	assert.NoError(t, err, "error retrieving root key: %s", err)
 	err = repo.Initialize(rootCryptoService)
 	assert.NoError(t, err, "error creating repository: %s", err)
 	tempKeyFile, err := ioutil.TempFile("", "notary-test-export-")
 	tempKeyFilePath := tempKeyFile.Name()
 	defer os.Remove(tempKeyFilePath)
 	err = repo.KeyStoreManager.ExportRootKeyReencrypt(tempKeyFile, rootKeyID, newPassphraseRetriever)
 	assert.NoError(t, err)
 	tempKeyFile.Close()
 	// Create new repo to test import
 	tempBaseDir2, err := ioutil.TempDir("", "notary-test-")
 	defer os.RemoveAll(tempBaseDir2)
 	assert.NoError(t, err, "failed to create a temporary directory: %s", err)
 	repo2, err := client.NewNotaryRepository(tempBaseDir2, gun, ts.URL, http.DefaultTransport, newPassphraseRetriever)
 	assert.NoError(t, err, "error creating repo: %s", err)
 	rootKeyID2, err := repo2.KeyStoreManager.GenRootKey(data.ECDSAKey.String())
 	assert.NoError(t, err, "error generating root key: %s", err)
 	rootCryptoService2, err := repo2.KeyStoreManager.GetRootCryptoService(rootKeyID2)
 	assert.NoError(t, err, "error retrieving root key: %s", err)
 	err = repo2.Initialize(rootCryptoService2)
 	assert.NoError(t, err, "error creating repository: %s", err)
 	keyReader, err := os.Open(tempKeyFilePath)
 	assert.NoError(t, err, "could not open key file")
 	err = repo2.KeyStoreManager.ImportRootKey(keyReader, rootKeyID)
 	assert.NoError(t, err)
 	keyReader.Close()
 	// Look for repo's root key in repo2
 	// There should be a file named after the key ID of the root key we
 	// imported.
 	rootKeyFilename := rootKeyID + "_root.key"
 	_, err = os.Stat(filepath.Join(tempBaseDir2, "private", "root_keys", rootKeyFilename))
 	assert.NoError(t, err, "missing root key")
 	// Should be able to unlock the root key with the new password
 	key, alias, err := repo2.KeyStoreManager.RootKeyStore().GetKey(rootKeyID)
 	assert.NoError(t, err, "could not unlock root key")
 	assert.Equal(t, "root", alias)
 	assert.Equal(t, rootKeyID, key.ID())
 }