docker
/
docs
mirror of https://github.com/docker/docs.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Add error case to keyInfo generation, test yubikey backup, fix rebase conflicts 

Signed-off-by: Riyaz Faizullabhoy <riyaz.faizullabhoy@docker.com>
This commit is contained in:
Riyaz Faizullabhoy 2016-03-10 11:54:44 -08:00
parent e1613cdcb2
commit c54183bc27
4 changed files with 57 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
cmd/notary/keys.go
View File

@ -302,7 +302,7 @@ func (k *keyCommander) keysRestore(cmd *cobra.Command, args []string) error {
if err != nil { if err != nil {
return err return err
} }
ks, err := k.getKeyStores(config, true, true) ks, err := k.getKeyStores(config, true, false)
if err != nil { if err != nil {
return err return err
} }

5
cryptoservice/import_export.go
View File

@ -164,7 +164,10 @@ func (cs *CryptoService) ImportKeysZip(zipReader zip.Reader, retriever passphras
for keyName, pemBytes := range newKeys { for keyName, pemBytes := range newKeys {
// Get the key role information as well as its data.PrivateKey representation // Get the key role information as well as its data.PrivateKey representation
_, keyInfo := trustmanager.KeyInfoFromPEM(pemBytes, keyName) _, keyInfo, err := trustmanager.KeyInfoFromPEM(pemBytes, keyName)
if err != nil {
return err
}
privKey, err := trustmanager.ParsePEMPrivateKey(pemBytes, "") privKey, err := trustmanager.ParsePEMPrivateKey(pemBytes, "")
if err != nil { if err != nil {
privKey, _, err = trustmanager.GetPasswdDecryptBytes(retriever, pemBytes, "", "imported "+keyInfo.Role) privKey, _, err = trustmanager.GetPasswdDecryptBytes(retriever, pemBytes, "", "imported "+keyInfo.Role)

26
trustmanager/keyfilestore.go
View File

@ -70,7 +70,11 @@ func generateKeyInfoMap(s LimitedFileStore) map[string]KeyInfo {
logrus.Error(err) logrus.Error(err)
continue continue
} }
keyID, keyInfo := KeyInfoFromPEM(d, keyPath) keyID, keyInfo, err := KeyInfoFromPEM(d, keyPath)
if err != nil {
logrus.Error(err)
continue
}
keyInfoMap[keyID] = keyInfo keyInfoMap[keyID] = keyInfo
} }
return keyInfoMap return keyInfoMap
@ -184,12 +188,7 @@ func (s *KeyFileStore) RemoveKey(keyID string) error {
return err return err
} }
// Remove this key from our keyInfo map if we removed from our filesystem // Remove this key from our keyInfo map if we removed from our filesystem
if _, ok := s.keyInfoMap[keyID]; ok { delete(s.keyInfoMap, filepath.Base(keyID))
delete(s.keyInfoMap, keyID)
} else {
// This might be of the form GUN/ID - try to delete without the gun
delete(s.keyInfoMap, filepath.Base(keyID))
}
return nil return nil
} }
@ -296,17 +295,18 @@ func (s *KeyMemoryStore) ExportKey(keyID string) ([]byte, error) {
} }
// KeyInfoFromPEM attempts to get a keyID and KeyInfo from the filename and PEM bytes of a key // KeyInfoFromPEM attempts to get a keyID and KeyInfo from the filename and PEM bytes of a key
func KeyInfoFromPEM(pemBytes []byte, filename string) (string, KeyInfo) { func KeyInfoFromPEM(pemBytes []byte, filename string) (string, KeyInfo, error) {
keyID, role, gun := inferKeyInfoFromKeyPath(filename) keyID, role, gun := inferKeyInfoFromKeyPath(filename)
if role == "" { if role == "" {
block, _ := pem.Decode(pemBytes) block, _ := pem.Decode(pemBytes)
if block != nil { if block == nil {
if keyRole, ok := block.Headers["role"]; ok { return "", KeyInfo{}, fmt.Errorf("could not decode PEM block for key %s", filename)
role = keyRole }
} if keyRole, ok := block.Headers["role"]; ok {
role = keyRole
} }
} }
return keyID, KeyInfo{Gun: gun, Role: role} return keyID, KeyInfo{Gun: gun, Role: role}, nil
} }
func addKey(s LimitedFileStore, passphraseRetriever passphrase.Retriever, cachedKeys map[string]*cachedKey, name, role string, privKey data.PrivateKey) error { func addKey(s LimitedFileStore, passphraseRetriever passphrase.Retriever, cachedKeys map[string]*cachedKey, name, role string, privKey data.PrivateKey) error {

39
trustmanager/yubikey/yubikeystore_test.go
View File

@ -116,6 +116,45 @@ func TestYubiAddKeysAndRetrieve(t *testing.T) {
} }
} }
// Test that we can successfully keys enough times to fill up all the slots in the Yubikey, even without a backup store
func TestYubiAddKeysWithoutBackup(t *testing.T) {
if !YubikeyAccessible() {
t.Skip("Must have Yubikey access.")
}
clearAllKeys(t)
SetYubikeyKeyMode(KeymodeNone)
defer func() {
SetYubikeyKeyMode(KeymodeTouch | KeymodePinOnce)
}()
// create 4 keys on the original store
store, err := NewYubiKeyStore(nil, ret)
assert.NoError(t, err)
keys := addMaxKeys(t, store)
// create a new store, since we want to be sure the original store's cache
// is not masking any issues
cleanStore, err := NewYubiKeyStore(trustmanager.NewKeyMemoryStore(ret), ret)
assert.NoError(t, err)
// All 4 keys should be in the original store, in the clean store (which
// makes sure the keys are actually on the Yubikey and not on the original
// store's cache)
for _, store := range []trustmanager.KeyStore{store, cleanStore} {
listedKeys := store.ListKeys()
assert.Len(t, listedKeys, numSlots)
for _, k := range keys {
r, ok := listedKeys[k]
assert.True(t, ok)
assert.Equal(t, data.CanonicalRootRole, r.Role)
_, _, err := store.GetKey(k)
assert.NoError(t, err)
}
}
}
// We can't add a key if there are no more slots // We can't add a key if there are no more slots
func TestYubiAddKeyFailureIfNoMoreSlots(t *testing.T) { func TestYubiAddKeyFailureIfNoMoreSlots(t *testing.T) {
if !YubikeyAccessible() { if !YubikeyAccessible() {