docker
/
docs
mirror of https://github.com/docker/docs.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

move verifier and update logs down to debug level 

Signed-off-by: Riyaz Faizullabhoy <riyaz.faizullabhoy@docker.com>
This commit is contained in:
Riyaz Faizullabhoy 2016-01-26 23:02:54 -08:00
parent 7eb86f7a64
commit ceca4c233e
2 changed files with 26 additions and 26 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
tuf/client/client.go
View File

@ -54,7 +54,7 @@ func (c *Client) Update() error {
if err != nil { if err != nil {
logrus.Debug("Error occurred. Root will be downloaded and another update attempted") logrus.Debug("Error occurred. Root will be downloaded and another update attempted")
if err := c.downloadRoot(); err != nil { if err := c.downloadRoot(); err != nil {
logrus.Error("Client Update (Root):", err) logrus.Debug("Client Update (Root):", err)
return err return err
} }
// If we error again, we now have the latest root and just want to fail // If we error again, we now have the latest root and just want to fail
@ -68,12 +68,12 @@ func (c *Client) Update() error {
func (c *Client) update() error { func (c *Client) update() error {
err := c.downloadTimestamp() err := c.downloadTimestamp()
if err != nil { if err != nil {
logrus.Errorf("Client Update (Timestamp): %s", err.Error()) logrus.Debugf("Client Update (Timestamp): %s", err.Error())
return err return err
} }
err = c.downloadSnapshot() err = c.downloadSnapshot()
if err != nil { if err != nil {
logrus.Errorf("Client Update (Snapshot): %s", err.Error()) logrus.Debugf("Client Update (Snapshot): %s", err.Error())
return err return err
} }
err = c.checkRoot() err = c.checkRoot()
@ -86,7 +86,7 @@ func (c *Client) update() error {
// will always need top level targets at a minimum // will always need top level targets at a minimum
err = c.downloadTargets("targets") err = c.downloadTargets("targets")
if err != nil { if err != nil {
logrus.Errorf("Client Update (Targets): %s", err.Error()) logrus.Debugf("Client Update (Targets): %s", err.Error())
return err return err
} }
return nil return nil

44
tuf/signed/verifiers.go
View File

@ -60,7 +60,7 @@ func (v Ed25519Verifier) Verify(key data.PublicKey, sig []byte, msg []byte) erro
} }
var sigBytes [ed25519.SignatureSize]byte var sigBytes [ed25519.SignatureSize]byte
if len(sig) != ed25519.SignatureSize { if len(sig) != ed25519.SignatureSize {
logrus.Infof("signature length is incorrect, must be %d, was %d.", ed25519.SignatureSize, len(sig)) logrus.Debugf("signature length is incorrect, must be %d, was %d.", ed25519.SignatureSize, len(sig))
return ErrInvalid return ErrInvalid
} }
copy(sigBytes[:], sig) copy(sigBytes[:], sig)
@ -78,7 +78,7 @@ func (v Ed25519Verifier) Verify(key data.PublicKey, sig []byte, msg []byte) erro
} }
if !ed25519.Verify(&keyBytes, msg, &sigBytes) { if !ed25519.Verify(&keyBytes, msg, &sigBytes) {
logrus.Infof("failed ed25519 verification") logrus.Debugf("failed ed25519 verification")
return ErrInvalid return ErrInvalid
} }
return nil return nil
@ -87,23 +87,23 @@ func (v Ed25519Verifier) Verify(key data.PublicKey, sig []byte, msg []byte) erro
func verifyPSS(key interface{}, digest, sig []byte) error { func verifyPSS(key interface{}, digest, sig []byte) error {
rsaPub, ok := key.(*rsa.PublicKey) rsaPub, ok := key.(*rsa.PublicKey)
if !ok { if !ok {
logrus.Infof("value was not an RSA public key") logrus.Debugf("value was not an RSA public key")
return ErrInvalid return ErrInvalid
} }
if rsaPub.N.BitLen() < minRSAKeySizeBit { if rsaPub.N.BitLen() < minRSAKeySizeBit {
logrus.Infof("RSA keys less than 2048 bits are not acceptable, provided key has length %d.", rsaPub.N.BitLen()) logrus.Debugf("RSA keys less than 2048 bits are not acceptable, provided key has length %d.", rsaPub.N.BitLen())
return ErrInvalidKeyLength{msg: fmt.Sprintf("RSA key must be at least %d bits.", minRSAKeySizeBit)} return ErrInvalidKeyLength{msg: fmt.Sprintf("RSA key must be at least %d bits.", minRSAKeySizeBit)}
} }
if len(sig) < minRSAKeySizeByte { if len(sig) < minRSAKeySizeByte {
logrus.Infof("RSA keys less than 2048 bits are not acceptable, provided signature has length %d.", len(sig)) logrus.Debugf("RSA keys less than 2048 bits are not acceptable, provided signature has length %d.", len(sig))
return ErrInvalid return ErrInvalid
} }
opts := rsa.PSSOptions{SaltLength: sha256.Size, Hash: crypto.SHA256} opts := rsa.PSSOptions{SaltLength: sha256.Size, Hash: crypto.SHA256}
if err := rsa.VerifyPSS(rsaPub, crypto.SHA256, digest[:], sig, &opts); err != nil { if err := rsa.VerifyPSS(rsaPub, crypto.SHA256, digest[:], sig, &opts); err != nil {
logrus.Infof("failed RSAPSS verification: %s", err) logrus.Debugf("failed RSAPSS verification: %s", err)
return ErrInvalid return ErrInvalid
} }
return nil return nil
@ -117,12 +117,12 @@ func getRSAPubKey(key data.PublicKey) (crypto.PublicKey, error) {
case data.RSAx509Key: case data.RSAx509Key:
pemCert, _ := pem.Decode([]byte(key.Public())) pemCert, _ := pem.Decode([]byte(key.Public()))
if pemCert == nil { if pemCert == nil {
logrus.Infof("failed to decode PEM-encoded x509 certificate") logrus.Debugf("failed to decode PEM-encoded x509 certificate")
return nil, ErrInvalid return nil, ErrInvalid
} }
cert, err := x509.ParseCertificate(pemCert.Bytes) cert, err := x509.ParseCertificate(pemCert.Bytes)
if err != nil { if err != nil {
logrus.Infof("failed to parse x509 certificate: %s\n", err) logrus.Debugf("failed to parse x509 certificate: %s\n", err)
return nil, ErrInvalid return nil, ErrInvalid
} }
pubKey = cert.PublicKey pubKey = cert.PublicKey
@ -130,12 +130,12 @@ func getRSAPubKey(key data.PublicKey) (crypto.PublicKey, error) {
var err error var err error
pubKey, err = x509.ParsePKIXPublicKey(key.Public()) pubKey, err = x509.ParsePKIXPublicKey(key.Public())
if err != nil { if err != nil {
logrus.Infof("failed to parse public key: %s\n", err) logrus.Debugf("failed to parse public key: %s\n", err)
return nil, ErrInvalid return nil, ErrInvalid
} }
default: default:
// only accept RSA keys // only accept RSA keys
logrus.Infof("invalid key type for RSAPSS verifier: %s", algorithm) logrus.Debugf("invalid key type for RSAPSS verifier: %s", algorithm)
return nil, ErrInvalidKeyType{} return nil, ErrInvalidKeyType{}
} }
@ -172,17 +172,17 @@ func (v RSAPKCS1v15Verifier) Verify(key data.PublicKey, sig []byte, msg []byte)
rsaPub, ok := pubKey.(*rsa.PublicKey) rsaPub, ok := pubKey.(*rsa.PublicKey)
if !ok { if !ok {
logrus.Infof("value was not an RSA public key") logrus.Debugf("value was not an RSA public key")
return ErrInvalid return ErrInvalid
} }
if rsaPub.N.BitLen() < minRSAKeySizeBit { if rsaPub.N.BitLen() < minRSAKeySizeBit {
logrus.Infof("RSA keys less than 2048 bits are not acceptable, provided key has length %d.", rsaPub.N.BitLen()) logrus.Debugf("RSA keys less than 2048 bits are not acceptable, provided key has length %d.", rsaPub.N.BitLen())
return ErrInvalidKeyLength{msg: fmt.Sprintf("RSA key must be at least %d bits.", minRSAKeySizeBit)} return ErrInvalidKeyLength{msg: fmt.Sprintf("RSA key must be at least %d bits.", minRSAKeySizeBit)}
} }
if len(sig) < minRSAKeySizeByte { if len(sig) < minRSAKeySizeByte {
logrus.Infof("RSA keys less than 2048 bits are not acceptable, provided signature has length %d.", len(sig)) logrus.Debugf("RSA keys less than 2048 bits are not acceptable, provided signature has length %d.", len(sig))
return ErrInvalid return ErrInvalid
} }
@ -207,13 +207,13 @@ func (v RSAPyCryptoVerifier) Verify(key data.PublicKey, sig []byte, msg []byte)
k, _ := pem.Decode([]byte(key.Public())) k, _ := pem.Decode([]byte(key.Public()))
if k == nil { if k == nil {
logrus.Infof("failed to decode PEM-encoded x509 certificate") logrus.Debugf("failed to decode PEM-encoded x509 certificate")
return ErrInvalid return ErrInvalid
} }
pub, err := x509.ParsePKIXPublicKey(k.Bytes) pub, err := x509.ParsePKIXPublicKey(k.Bytes)
if err != nil { if err != nil {
logrus.Infof("failed to parse public key: %s\n", err) logrus.Debugf("failed to parse public key: %s\n", err)
return ErrInvalid return ErrInvalid
} }
@ -232,13 +232,13 @@ func (v ECDSAVerifier) Verify(key data.PublicKey, sig []byte, msg []byte) error
case data.ECDSAx509Key: case data.ECDSAx509Key:
pemCert, _ := pem.Decode([]byte(key.Public())) pemCert, _ := pem.Decode([]byte(key.Public()))
if pemCert == nil { if pemCert == nil {
logrus.Infof("failed to decode PEM-encoded x509 certificate for keyID: %s", key.ID()) logrus.Debugf("failed to decode PEM-encoded x509 certificate for keyID: %s", key.ID())
logrus.Debugf("certificate bytes: %s", string(key.Public())) logrus.Debugf("certificate bytes: %s", string(key.Public()))
return ErrInvalid return ErrInvalid
} }
cert, err := x509.ParseCertificate(pemCert.Bytes) cert, err := x509.ParseCertificate(pemCert.Bytes)
if err != nil { if err != nil {
logrus.Infof("failed to parse x509 certificate: %s\n", err) logrus.Debugf("failed to parse x509 certificate: %s\n", err)
return ErrInvalid return ErrInvalid
} }
pubKey = cert.PublicKey pubKey = cert.PublicKey
@ -246,25 +246,25 @@ func (v ECDSAVerifier) Verify(key data.PublicKey, sig []byte, msg []byte) error
var err error var err error
pubKey, err = x509.ParsePKIXPublicKey(key.Public()) pubKey, err = x509.ParsePKIXPublicKey(key.Public())
if err != nil { if err != nil {
logrus.Infof("Failed to parse private key for keyID: %s, %s\n", key.ID(), err) logrus.Debugf("Failed to parse private key for keyID: %s, %s\n", key.ID(), err)
return ErrInvalid return ErrInvalid
} }
default: default:
// only accept ECDSA keys. // only accept ECDSA keys.
logrus.Infof("invalid key type for ECDSA verifier: %s", algorithm) logrus.Debugf("invalid key type for ECDSA verifier: %s", algorithm)
return ErrInvalidKeyType{} return ErrInvalidKeyType{}
} }
ecdsaPubKey, ok := pubKey.(*ecdsa.PublicKey) ecdsaPubKey, ok := pubKey.(*ecdsa.PublicKey)
if !ok { if !ok {
logrus.Infof("value isn't an ECDSA public key") logrus.Debugf("value isn't an ECDSA public key")
return ErrInvalid return ErrInvalid
} }
sigLength := len(sig) sigLength := len(sig)
expectedOctetLength := 2 * ((ecdsaPubKey.Params().BitSize + 7) >> 3) expectedOctetLength := 2 * ((ecdsaPubKey.Params().BitSize + 7) >> 3)
if sigLength != expectedOctetLength { if sigLength != expectedOctetLength {
logrus.Infof("signature had an unexpected length") logrus.Debugf("signature had an unexpected length")
return ErrInvalid return ErrInvalid
} }
@ -275,7 +275,7 @@ func (v ECDSAVerifier) Verify(key data.PublicKey, sig []byte, msg []byte) error
digest := sha256.Sum256(msg) digest := sha256.Sum256(msg)
if !ecdsa.Verify(ecdsaPubKey, digest[:], r, s) { if !ecdsa.Verify(ecdsaPubKey, digest[:], r, s) {
logrus.Infof("failed ECDSA signature validation") logrus.Debugf("failed ECDSA signature validation")
return ErrInvalid return ErrInvalid
} }