diff --git a/Makefile b/Makefile
index 513a48f117..51f123fda4 100644
--- a/Makefile
+++ b/Makefile
@@ -98,7 +98,7 @@ fmt:
 lint:
 @echo "+ $@"
- @test -z "$$(golint -tags "${NOTARY_BUILDTAGS}" ./... | grep -v .pb. | grep -v vendor/ | tee /dev/stderr)"
+ @test -z "$(shell find . -type f -name "*.go" -not -path "./vendor/*" -not -name "*.pb.*" -exec golint {} \; | tee /dev/stderr)"
 # Requires that the following:
 # go get -u github.com/client9/misspell/cmd/misspell
diff --git a/client/client_pkcs11_test.go b/client/client_pkcs11_test.go
index 01439c97d0..24f9f8f9a7 100644
--- a/client/client_pkcs11_test.go
+++ b/client/client_pkcs11_test.go
@@ -7,10 +7,10 @@ import "github.com/docker/notary/trustmanager/yubikey"
 // clear out all keys
 func init() {
 yubikey.SetYubikeyKeyMode(0)
- if !yubikey.YubikeyAccessible() {
+ if !yubikey.IsAccessible() {
 return
 }
- store, err := yubikey.NewYubiKeyStore(nil, nil)
+ store, err := yubikey.NewYubiStore(nil, nil)
 if err == nil {
 for k := range store.ListKeys() {
 store.RemoveKey(k)
diff --git a/client/repo_pkcs11.go b/client/repo_pkcs11.go
index dd697ff4ec..60ae18f410 100644
--- a/client/repo_pkcs11.go
+++ b/client/repo_pkcs11.go
@@ -24,7 +24,7 @@ func NewNotaryRepository(baseDir, gun, baseURL string, rt http.RoundTripper,
 }
 keyStores := []trustmanager.KeyStore{fileKeyStore}
- yubiKeyStore, _ := yubikey.NewYubiKeyStore(fileKeyStore, retriever)
+ yubiKeyStore, _ := yubikey.NewYubiStore(fileKeyStore, retriever)
 if yubiKeyStore != nil {
 keyStores = []trustmanager.KeyStore{yubiKeyStore, fileKeyStore}
 }
diff --git a/cmd/notary/integration_pkcs11_test.go b/cmd/notary/integration_pkcs11_test.go
index 6d1327f4ed..f116f1e890 100644
--- a/cmd/notary/integration_pkcs11_test.go
+++ b/cmd/notary/integration_pkcs11_test.go
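Review bot: The new lint line uses `$(shell …)`, which splices golint's output into the recipe text before the shell parses it, so any finding that itself contains a double quote (golint's receiver-name message quotes "this" and "self", for example) breaks the quoting of `test -z "…"` and the target dies with a shell syntax error instead of a lint report. The shell-level substitution the old line used does not have that problem: `@test -z "$$(find . -type f -name '*.go' -not -path './vendor/*' -not -name '*.pb.*' -exec golint {} \; | tee /dev/stderr)"`. Note also that `-exec golint {} \;` runs golint once per file rather than once per package, which is noticeably slower on a large tree and drops the `-tags` the old invocation passed; that may be intended, since the rest of the commit fixes lint in build-tagged files, but it is worth stating in the commit message.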
@@ -26,7 +26,7 @@ func init() {
 }
 // best effort at removing keys here, so nil is fine
- s, err := yubikey.NewYubiKeyStore(nil, _retriever)
+ s, err := yubikey.NewYubiStore(nil, _retriever)
 if err != nil {
 for k := range s.ListKeys() {
 s.RemoveKey(k)
@@ -41,12 +41,12 @@ func init() {
 }
 }
-var rootOnHardware = yubikey.YubikeyAccessible
+var rootOnHardware = yubikey.IsAccessible
 // Per-test set up deletes all keys on the yubikey
 func setUp(t *testing.T) {
 //we're just removing keys here, so nil is fine
- s, err := yubikey.NewYubiKeyStore(nil, _retriever)
+ s, err := yubikey.NewYubiStore(nil, _retriever)
 require.NoError(t, err)
 for k := range s.ListKeys() {
 err := s.RemoveKey(k)
@@ -59,9 +59,9 @@ func setUp(t *testing.T) {
 // on disk
 func verifyRootKeyOnHardware(t *testing.T, rootKeyID string) {
 // do not bother verifying if there is no yubikey available
- if yubikey.YubikeyAccessible() {
+ if yubikey.IsAccessible() {
 // //we're just getting keys here, so nil is fine
- s, err := yubikey.NewYubiKeyStore(nil, _retriever)
+ s, err := yubikey.NewYubiStore(nil, _retriever)
 require.NoError(t, err)
 privKey, role, err := s.GetKey(rootKeyID)
 require.NoError(t, err)
diff --git a/cmd/notary/keys.go b/cmd/notary/keys.go
index 102fb0fdc2..b55fff96f5 100644
--- a/cmd/notary/keys.go
+++ b/cmd/notary/keys.go
@@ -571,7 +571,7 @@ func (k *keyCommander) keyPassphraseChange(cmd *cobra.Command, args []string) er
 var addingKeyStore trustmanager.KeyStore
 switch foundKeyStore.Name() {
 case "yubikey":
- addingKeyStore, err = getYubiKeyStore(nil, passChangeRetriever)
+ addingKeyStore, err = getYubiStore(nil, passChangeRetriever)
 keyInfo = trustmanager.KeyInfo{Role: data.CanonicalRootRole}
 default:
 addingKeyStore, err = trustmanager.NewKeyFileStore(config.GetString("trust_dir"), passChangeRetriever)
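Review bot: The renamed `NewYubiStore` call in the `init()` hunk of cmd/notary/integration_pkcs11_test.go is guarded by `if err != nil {` before `s.ListKeys()` is iterated, which is the inverse of the same best-effort cleanup in client/client_pkcs11_test.go (`if err == nil {`); if the constructor returns a nil store together with its error, the loop dereferences nil, and on success the cleanup never runs. Since this line is being touched anyway, the condition should read `if err == nil {`. The enclosing `init()` starts before the hunk.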
@@ -609,9 +609,9 @@ func (k *keyCommander) getKeyStores(
 if withHardware {
 var yubiStore trustmanager.KeyStore
 if hardwareBackup {
- yubiStore, err = getYubiKeyStore(fileKeyStore, retriever)
+ yubiStore, err = getYubiStore(fileKeyStore, retriever)
 } else {
- yubiStore, err = getYubiKeyStore(nil, retriever)
+ yubiStore, err = getYubiStore(nil, retriever)
 }
 if err == nil && yubiStore != nil {
 // Note that the order is important, since we want to prioritize
diff --git a/cmd/notary/keys_nonpkcs11.go b/cmd/notary/keys_nonpkcs11.go
index bcb75b0a06..c6121d71ee 100644
--- a/cmd/notary/keys_nonpkcs11.go
+++ b/cmd/notary/keys_nonpkcs11.go
@@ -9,6 +9,6 @@ import (
 "github.com/docker/notary/trustmanager"
 )
-func getYubiKeyStore(fileKeyStore trustmanager.KeyStore, ret passphrase.Retriever) (trustmanager.KeyStore, error) {
+func getYubiStore(fileKeyStore trustmanager.KeyStore, ret passphrase.Retriever) (trustmanager.KeyStore, error) {
 return nil, errors.New("Not built with hardware support")
 }
diff --git a/cmd/notary/keys_pkcs11.go b/cmd/notary/keys_pkcs11.go
index 97b7af416d..937638c5c1 100644
--- a/cmd/notary/keys_pkcs11.go
+++ b/cmd/notary/keys_pkcs11.go
@@ -8,6 +8,6 @@ import (
 "github.com/docker/notary/trustmanager/yubikey"
 )
-func getYubiKeyStore(fileKeyStore trustmanager.KeyStore, ret passphrase.Retriever) (trustmanager.KeyStore, error) {
- return yubikey.NewYubiKeyStore(fileKeyStore, ret)
+func getYubiStore(fileKeyStore trustmanager.KeyStore, ret passphrase.Retriever) (trustmanager.KeyStore, error) {
+ return yubikey.NewYubiStore(fileKeyStore, ret)
 }
diff --git a/signer/api/api_test.go b/signer/api/api_test.go
index 07a4e86e19..3f2d54266a 100644
--- a/signer/api/api_test.go
+++ b/signer/api/api_test.go
@@ -46,8 +46,8 @@ func TestDeleteKeyHandlerReturns404WithNonexistentKey(t *testing.T) {
 fakeID := "c62e6d68851cef1f7e55a9d56e3b0c05f3359f16838cad43600f0554e7d3b54d"
 keyID := &pb.KeyID{ID: fakeID}
- requestJson, _ := json.Marshal(keyID)
- reader = strings.NewReader(string(requestJson))
+ requestJSON, _ := json.Marshal(keyID)
+ reader = strings.NewReader(string(requestJSON))
 request, err := http.NewRequest("POST", deleteKeyBaseURL, reader)
 require.Nil(t, err)
@@ -66,8 +66,8 @@ func TestDeleteKeyHandler(t *testing.T) {
 tufKey, _ := cryptoService.Create("", "", data.ED25519Key)
 require.NotNil(t, tufKey)
- requestJson, _ := json.Marshal(&pb.KeyID{ID: tufKey.ID()})
- reader = strings.NewReader(string(requestJson))
+ requestJSON, _ := json.Marshal(&pb.KeyID{ID: tufKey.ID()})
+ reader = strings.NewReader(string(requestJSON))
 request, err := http.NewRequest("POST", deleteKeyBaseURL, reader)
 require.Nil(t, err)
@@ -156,9 +156,9 @@ func TestSoftwareSignHandler(t *testing.T) {
 require.Nil(t, err)
 sigRequest := &pb.SignatureRequest{KeyID: &pb.KeyID{ID: tufKey.ID()}, Content: make([]byte, 10)}
- requestJson, _ := json.Marshal(sigRequest)
+ requestJSON, _ := json.Marshal(sigRequest)
- reader = strings.NewReader(string(requestJson))
+ reader = strings.NewReader(string(requestJSON))
 request, err := http.NewRequest("POST", signBaseURL, reader)
@@ -184,8 +184,8 @@ func TestSoftwareSignWithInvalidRequestHandler(t *testing.T) {
 cryptoService := cryptoservice.NewCryptoService(keyStore)
 setup(signer.CryptoServiceIndex{data.ED25519Key: cryptoService, data.RSAKey: cryptoService, data.ECDSAKey: cryptoService})
- requestJson := "{\"blob\":\"7d16f1d0b95310a7bc557747fc4f20fcd41c1c5095ae42f189df0717e7d7f4a0a2b55debce630f43c4ac099769c612965e3fda3cd4c0078ee6a460f14fa19307\"}"
- reader = strings.NewReader(requestJson)
+ requestJSON := "{\"blob\":\"7d16f1d0b95310a7bc557747fc4f20fcd41c1c5095ae42f189df0717e7d7f4a0a2b55debce630f43c4ac099769c612965e3fda3cd4c0078ee6a460f14fa19307\"}"
+ reader = strings.NewReader(requestJSON)
 request, err := http.NewRequest("POST", signBaseURL, reader)
@@ -213,9 +213,9 @@ func TestSignHandlerReturns404WithNonexistentKey(t *testing.T) {
 cryptoService.Create("", "", data.ED25519Key)
 sigRequest := &pb.SignatureRequest{KeyID: &pb.KeyID{ID: fakeID}, Content: make([]byte, 10)}
- requestJson, _ := json.Marshal(sigRequest)
+ requestJSON, _ := json.Marshal(sigRequest)
- reader = strings.NewReader(string(requestJson))
+ reader = strings.NewReader(string(requestJSON))
 request, err := http.NewRequest("POST", signBaseURL, reader)
 require.Nil(t, err)
diff --git a/trustmanager/yubikey/yubikeystore.go b/trustmanager/yubikey/yubikeystore.go
index 2e8300b396..3bb594b7d2 100644
--- a/trustmanager/yubikey/yubikeystore.go
+++ b/trustmanager/yubikey/yubikeystore.go
@@ -25,14 +25,22 @@ import (
 )
 const (
- USER_PIN = "123456"
- SO_USER_PIN = "010203040506070801020304050607080102030405060708"
- numSlots = 4 // number of slots in the yubikey
+ // UserPin is the user pin of a yubikey (in PIV parlance, is the PIN)
+ UserPin = "123456"
+ // SOUserPin is the "Security Officer" user pin - this is the PIV management
+ // (MGM) key, which is different than the admin pin of the Yubikey PGP interface
+ // (which in PIV parlance is the PUK, and defaults to 12345678)
+ SOUserPin = "010203040506070801020304050607080102030405060708"
+ numSlots = 4 // number of slots in the yubikey
- KeymodeNone = 0
- KeymodeTouch = 1 // touch enabled
- KeymodePinOnce = 2 // require pin entry once
- KeymodePinAlways = 4 // require pin entry all the time
+ // KeymodeNone means that no touch or PIN is required to sign with the yubikey
+ KeymodeNone = 0
+ // KeymodeTouch means that only touch is required to sign with the yubikey
+ KeymodeTouch = 1
+ // KeymodePinOnce means that the pin entry is required once the first time to sign with the yubikey
+ KeymodePinOnce = 2
+ // KeymodePinAlways means that pin entry is required every time to sign with the yubikey
+ KeymodePinAlways = 4
 // the key size, when importing a key into yubikey, MUST be 32 bytes
 ecdsaPrivateKeySize = 32
@@ -95,6 +103,8 @@ func init() {
 }
 }
+// ErrBackupFailed is returned when a YubiStore fails to back up a key that
+// is added
 type ErrBackupFailed struct {
 err string
 }
@@ -127,10 +137,13 @@ type YubiPrivateKey struct {
 libLoader pkcs11LibLoader
 }
-type YubikeySigner struct {
+// YubiKeySigner wraps a YubiPrivateKey and implements the crypto.Signer interface
+type yubikeySigner struct {
 YubiPrivateKey
 }
+// NewYubiPrivateKey returns a YubiPrivateKey, which implements the data.PrivateKey
+// interface except that the private material is inacessible
 func NewYubiPrivateKey(slot []byte, pubKey data.ECDSAPublicKey,
 passRetriever passphrase.Retriever) *YubiPrivateKey {
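Review bot: The new doc comments on `UserPin` and `SOUserPin` explain what each value is in PIV terms but not that these are the Yubikey PIV factory defaults, and that the store hardcodes them: the `addECDSAKey`, `sign` and `yubiRemoveKey` hunks later in this file pass the constants straight to `login`, so a device whose PIN or management key has been changed presumably cannot be used by this store, while a device still on the defaults is operable by anyone with physical access to it. I would add one line to the block: `// Both values are the Yubikey PIV factory defaults; the store relies on them, so a device whose PIN or management key has been changed will not work with it.` The `KeymodePinOnce` wording is also hard to parse; `// KeymodePinOnce means that PIN entry is required only the first time a signature is made with the yubikey` keeps the original meaning.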
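Review bot: The comment added above the now-unexported signer type still names it `YubiKeySigner`, while the declaration it sits on reads `type yubikeySigner struct`; a doc comment should begin with the identifier it documents, so it should be `// yubikeySigner wraps a YubiPrivateKey and implements the crypto.Signer interface`. The new `NewYubiPrivateKey` comment in the same hunk misspells "inaccessible" as `inacessible`. The constructor's body continues past the end of the hunk.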
@@ -142,7 +155,8 @@ func NewYubiPrivateKey(slot []byte, pubKey data.ECDSAPublicKey,
 }
 }
-func (ys *YubikeySigner) Public() crypto.PublicKey {
+// Public is a required method of the crypto.Signer interface
+func (ys *yubikeySigner) Public() crypto.PublicKey {
 publicKey, err := x509.ParsePKIXPublicKey(ys.YubiPrivateKey.Public())
 if err != nil {
 return nil
@@ -158,7 +172,7 @@ func (y *YubiPrivateKey) setLibLoader(loader pkcs11LibLoader) {
 // CryptoSigner returns a crypto.Signer tha wraps the YubiPrivateKey. Needed for
 // Certificate generation only
 func (y *YubiPrivateKey) CryptoSigner() crypto.Signer {
- return &YubikeySigner{YubiPrivateKey: *y}
+ return &yubikeySigner{YubiPrivateKey: *y}
 }
 // Private is not implemented in hardware keys
@@ -168,10 +182,14 @@ func (y *YubiPrivateKey) Private() []byte {
 return nil
 }
+// SignatureAlgorithm returns which algorithm this key uses to sign - currently
+// hardcoded to ECDSA
 func (y YubiPrivateKey) SignatureAlgorithm() data.SigAlgorithm {
 return data.ECDSASignature
 }
+// Sign is a required method of the crypto.Signer interface and the data.PrivateKey
+// interface
 func (y *YubiPrivateKey) Sign(rand io.Reader, msg []byte, opts crypto.SignerOpts) ([]byte, error) {
 ctx, session, err := SetupHSMEnv(pkcs11Lib, y.libLoader)
 if err != nil {
@@ -215,7 +233,7 @@ func addECDSAKey(
 ) error {
 logrus.Debugf("Attempting to add key to yubikey with ID: %s", privKey.ID())
- err := login(ctx, session, passRetriever, pkcs11.CKU_SO, SO_USER_PIN)
+ err := login(ctx, session, passRetriever, pkcs11.CKU_SO, SOUserPin)
 if err != nil {
 return err
 }
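Review bot: The new doc comment on `Public` says only that the method satisfies crypto.Signer, and leaves out the one behaviour a caller has to know: the visible body returns `nil` when `x509.ParsePKIXPublicKey` fails, so the parse error is silently dropped and a nil public key can reach the certificate-generation path that `CryptoSigner` is documented to serve. Suggest `// Public is a required method of the crypto.Signer interface; it returns nil if the key's PKIX public key bytes cannot be parsed`. The method body continues beyond the hunk.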
@@ -328,7 +346,7 @@ func getECDSAKey(ctx IPKCS11Ctx, session pkcs11.SessionHandle, pkcs11KeyID []byt
 // Sign returns a signature for a given signature request
 func sign(ctx IPKCS11Ctx, session pkcs11.SessionHandle, pkcs11KeyID []byte, passRetriever passphrase.Retriever, payload []byte) ([]byte, error) {
- err := login(ctx, session, passRetriever, pkcs11.CKU_USER, USER_PIN)
+ err := login(ctx, session, passRetriever, pkcs11.CKU_USER, UserPin)
 if err != nil {
 return nil, fmt.Errorf("error logging in: %v", err)
 }
@@ -387,7 +405,7 @@ func sign(ctx IPKCS11Ctx, session pkcs11.SessionHandle, pkcs11KeyID []byte, pass
 }
 func yubiRemoveKey(ctx IPKCS11Ctx, session pkcs11.SessionHandle, pkcs11KeyID []byte, passRetriever passphrase.Retriever, keyID string) error {
- err := login(ctx, session, passRetriever, pkcs11.CKU_SO, SO_USER_PIN)
+ err := login(ctx, session, passRetriever, pkcs11.CKU_SO, SOUserPin)
 if err != nil {
 return err
 }
@@ -595,20 +613,20 @@ func getNextEmptySlot(ctx IPKCS11Ctx, session pkcs11.SessionHandle) ([]byte, err
 return nil, errors.New("Yubikey has no available slots.")
 }
-// YubiKeyStore is a KeyStore for private keys inside a Yubikey
-type YubiKeyStore struct {
+// YubiStore is a KeyStore for private keys inside a Yubikey
+type YubiStore struct {
 passRetriever passphrase.Retriever
 keys map[string]yubiSlot
 backupStore trustmanager.KeyStore
 libLoader pkcs11LibLoader
 }
-// NewYubiKeyStore returns a YubiKeyStore, given a backup key store to write any
+// NewYubiStore returns a YubiStore, given a backup key store to write any
 // generated keys to (usually a KeyFileStore)
-func NewYubiKeyStore(backupStore trustmanager.KeyStore, passphraseRetriever passphrase.Retriever) (
- *YubiKeyStore, error) {
+func NewYubiStore(backupStore trustmanager.KeyStore, passphraseRetriever passphrase.Retriever) (
+ *YubiStore, error) {
- s := &YubiKeyStore{
+ s := &YubiStore{
 passRetriever: passphraseRetriever,
 keys: make(map[string]yubiSlot),
 backupStore: backupStore,
@@ -620,15 +638,16 @@ func NewYubiKeyStore(backupStore trustmanager.KeyStore, passphraseRetriever pass
 // Name returns a user friendly name for the location this store
 // keeps its data
-func (s YubiKeyStore) Name() string {
+func (s YubiStore) Name() string {
 return "yubikey"
 }
-func (s *YubiKeyStore) setLibLoader(loader pkcs11LibLoader) {
+func (s *YubiStore) setLibLoader(loader pkcs11LibLoader) {
 s.libLoader = loader
 }
-func (s *YubiKeyStore) ListKeys() map[string]trustmanager.KeyInfo {
+// ListKeys returns a list of keys in the yubikey store
+func (s *YubiStore) ListKeys() map[string]trustmanager.KeyInfo {
 if len(s.keys) > 0 {
 return buildKeyMap(s.keys)
 }
@@ -650,7 +669,7 @@ func (s *YubiKeyStore) ListKeys() map[string]trustmanager.KeyInfo {
 }
 // AddKey puts a key inside the Yubikey, as well as writing it to the backup store
-func (s *YubiKeyStore) AddKey(keyInfo trustmanager.KeyInfo, privKey data.PrivateKey) error {
+func (s *YubiStore) AddKey(keyInfo trustmanager.KeyInfo, privKey data.PrivateKey) error {
 added, err := s.addKey(privKey.ID(), keyInfo.Role, privKey)
 if err != nil {
 return err
@@ -667,7 +686,7 @@ func (s *YubiKeyStore) AddKey(keyInfo trustmanager.KeyInfo, privKey data.Private
 // Only add if we haven't seen the key already. Return whether the key was
 // added.
-func (s *YubiKeyStore) addKey(keyID, role string, privKey data.PrivateKey) (
+func (s *YubiStore) addKey(keyID, role string, privKey data.PrivateKey) (
 bool, error) {
 // We only allow adding root keys for now
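Review bot: The new `ListKeys` comment describes the result as "a list of keys", but the method returns a `map[string]trustmanager.KeyInfo`, and the visible body answers from the in-memory `s.keys` cache whenever it is non-empty without touching the device, which is exactly the behaviour the test file works around ("Do not call NewYubiStore, because it list keys immediately to build the cache"). Suggest `// ListKeys returns a map of key ID to KeyInfo for the keys on the Yubikey; when the in-memory cache is populated it is returned without querying the device`. The rest of the method is outside the hunk.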
@@ -713,7 +732,7 @@ func (s *YubiKeyStore) addKey(keyID, role string, privKey data.PrivateKey) (
 // GetKey retrieves a key from the Yubikey only (it does not look inside the
 // backup store)
-func (s *YubiKeyStore) GetKey(keyID string) (data.PrivateKey, string, error) {
+func (s *YubiStore) GetKey(keyID string) (data.PrivateKey, string, error) {
 ctx, session, err := SetupHSMEnv(pkcs11Lib, s.libLoader)
 if err != nil {
 logrus.Debugf("Failed to initialize PKCS11 environment: %s", err.Error())
@@ -748,7 +767,7 @@ func (s *YubiKeyStore) GetKey(keyID string) (data.PrivateKey, string, error) {
 // RemoveKey deletes a key from the Yubikey only (it does not remove it from the
 // backup store)
-func (s *YubiKeyStore) RemoveKey(keyID string) error {
+func (s *YubiStore) RemoveKey(keyID string) error {
 ctx, session, err := SetupHSMEnv(pkcs11Lib, s.libLoader)
 if err != nil {
 logrus.Debugf("Failed to initialize PKCS11 environment: %s", err.Error())
@@ -771,13 +790,13 @@ func (s *YubiKeyStore) RemoveKey(keyID string) error {
 }
 // ExportKey doesn't work, because you can't export data from a Yubikey
-func (s *YubiKeyStore) ExportKey(keyID string) ([]byte, error) {
- logrus.Debugf("Attempting to export: %s key inside of YubiKeyStore", keyID)
+func (s *YubiStore) ExportKey(keyID string) ([]byte, error) {
+ logrus.Debugf("Attempting to export: %s key inside of YubiStore", keyID)
 return nil, errors.New("Keys cannot be exported from a Yubikey.")
 }
-// Not yet implemented
-func (s *YubiKeyStore) GetKeyInfo(keyID string) (trustmanager.KeyInfo, error) {
+// GetKeyInfo is not yet implemented
+func (s *YubiStore) GetKeyInfo(keyID string) (trustmanager.KeyInfo, error) {
 return trustmanager.KeyInfo{}, fmt.Errorf("Not yet implemented")
 }
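Review bot: The lint pass that drops the trailing period from `errHSMNotPresent{err: "no library found"}` later in this file leaves the error strings in the `ExportKey` and `GetKeyInfo` hunks as they were, although golint flags them the same way: `errors.New("Keys cannot be exported from a Yubikey.")` is capitalised and punctuated, and `fmt.Errorf("Not yet implemented")` has no format verbs at all. The consistent form is `errors.New("keys cannot be exported from a Yubikey")` and `errors.New("not yet implemented")`; the `getNextEmptySlot` context in the earlier hunk, `errors.New("Yubikey has no available slots.")`, has the same trailing period.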
@@ -802,7 +821,7 @@ func SetupHSMEnv(libraryPath string, libLoader pkcs11LibLoader) (
 IPKCS11Ctx, pkcs11.SessionHandle, error) {
 if libraryPath == "" {
- return nil, 0, errHSMNotPresent{err: "no library found."}
+ return nil, 0, errHSMNotPresent{err: "no library found"}
 }
 p := libLoader(libraryPath)
@@ -842,8 +861,8 @@ func SetupHSMEnv(libraryPath string, libLoader pkcs11LibLoader) (
 return p, session, nil
 }
-// YubikeyAccessible returns true if a Yubikey can be accessed
-func YubikeyAccessible() bool {
+// IsAccessible returns true if a Yubikey can be accessed
+func IsAccessible() bool {
 if pkcs11Lib == "" {
 return false
 }
diff --git a/trustmanager/yubikey/yubikeystore_test.go b/trustmanager/yubikey/yubikeystore_test.go
index 269803caba..e4885fc194 100644
--- a/trustmanager/yubikey/yubikeystore_test.go
+++ b/trustmanager/yubikey/yubikeystore_test.go
@@ -21,7 +21,7 @@ var ret = passphrase.ConstantRetriever("passphrase")
 // create a new store for clearing out keys, because we don't want to pollute
 // any cache
 func clearAllKeys(t *testing.T) {
- store, err := NewYubiKeyStore(trustmanager.NewKeyMemoryStore(ret), ret)
+ store, err := NewYubiStore(trustmanager.NewKeyMemoryStore(ret), ret)
 require.NoError(t, err)
 for k := range store.ListKeys() {
@@ -78,7 +78,7 @@ func addMaxKeys(t *testing.T, store trustmanager.KeyStore) []string {
 // We can add keys enough times to fill up all the slots in the Yubikey.
 // They are backed up, and we can then list them and get the keys.
 func TestYubiAddKeysAndRetrieve(t *testing.T) {
- if !YubikeyAccessible() {
+ if !IsAccessible() {
 t.Skip("Must have Yubikey access.")
 }
 clearAllKeys(t)
@@ -90,13 +90,13 @@ func TestYubiAddKeysAndRetrieve(t *testing.T) {
 // create 4 keys on the original store
 backup := trustmanager.NewKeyMemoryStore(ret)
- store, err := NewYubiKeyStore(backup, ret)
+ store, err := NewYubiStore(backup, ret)
 require.NoError(t, err)
 keys := addMaxKeys(t, store)
 // create a new store, since we want to be sure the original store's cache
 // is not masking any issues
- cleanStore, err := NewYubiKeyStore(trustmanager.NewKeyMemoryStore(ret), ret)
+ cleanStore, err := NewYubiStore(trustmanager.NewKeyMemoryStore(ret), ret)
 require.NoError(t, err)
 // All 4 keys should be in the original store, in the clean store (which
@@ -118,7 +118,7 @@ func TestYubiAddKeysAndRetrieve(t *testing.T) {
 // Test that we can successfully keys enough times to fill up all the slots in the Yubikey, even without a backup store
 func TestYubiAddKeysWithoutBackup(t *testing.T) {
- if !YubikeyAccessible() {
+ if !IsAccessible() {
 t.Skip("Must have Yubikey access.")
 }
 clearAllKeys(t)
@@ -129,13 +129,13 @@ func TestYubiAddKeysWithoutBackup(t *testing.T) {
 }()
 // create 4 keys on the original store
- store, err := NewYubiKeyStore(nil, ret)
+ store, err := NewYubiStore(nil, ret)
 require.NoError(t, err)
 keys := addMaxKeys(t, store)
 // create a new store, since we want to be sure the original store's cache
 // is not masking any issues
- cleanStore, err := NewYubiKeyStore(trustmanager.NewKeyMemoryStore(ret), ret)
+ cleanStore, err := NewYubiStore(trustmanager.NewKeyMemoryStore(ret), ret)
 require.NoError(t, err)
 // All 4 keys should be in the original store, in the clean store (which
@@ -157,7 +157,7 @@ func TestYubiAddKeysWithoutBackup(t *testing.T) {
 // We can't add a key if there are no more slots
 func TestYubiAddKeyFailureIfNoMoreSlots(t *testing.T) {
- if !YubikeyAccessible() {
+ if !IsAccessible() {
 t.Skip("Must have Yubikey access.")
 }
 clearAllKeys(t)
@@ -169,7 +169,7 @@ func TestYubiAddKeyFailureIfNoMoreSlots(t *testing.T) {
 // create 4 keys on the original store
 backup := trustmanager.NewKeyMemoryStore(ret)
- store, err := NewYubiKeyStore(backup, ret)
+ store, err := NewYubiStore(backup, ret)
 require.NoError(t, err)
 addMaxKeys(t, store)
@@ -179,7 +179,7 @@ func TestYubiAddKeyFailureIfNoMoreSlots(t *testing.T) {
 // create a new store, since we want to be sure the original store's cache
 // is not masking any issues
- cleanStore, err := NewYubiKeyStore(trustmanager.NewKeyMemoryStore(ret), ret)
+ cleanStore, err := NewYubiStore(trustmanager.NewKeyMemoryStore(ret), ret)
 require.NoError(t, err)
 // The key should not be in the original store, in the new clean store, or
@@ -197,7 +197,7 @@ func TestYubiAddKeyFailureIfNoMoreSlots(t *testing.T) {
 // If some random key in the middle was removed, adding a key will work (keys
 // do not have to be deleted/added in order)
 func TestYubiAddKeyCanAddToMiddleSlot(t *testing.T) {
- if !YubikeyAccessible() {
+ if !IsAccessible() {
 t.Skip("Must have Yubikey access.")
 }
 clearAllKeys(t)
@@ -209,7 +209,7 @@ func TestYubiAddKeyCanAddToMiddleSlot(t *testing.T) {
 // create 4 keys on the original store
 backup := trustmanager.NewKeyMemoryStore(ret)
- store, err := NewYubiKeyStore(backup, ret)
+ store, err := NewYubiStore(backup, ret)
 require.NoError(t, err)
 keys := addMaxKeys(t, store)
@@ -223,7 +223,7 @@ func TestYubiAddKeyCanAddToMiddleSlot(t *testing.T) {
 // create a new store, since we want to be sure the original store's cache
 // is not masking any issues
- cleanStore, err := NewYubiKeyStore(trustmanager.NewKeyMemoryStore(ret), ret)
+ cleanStore, err := NewYubiStore(trustmanager.NewKeyMemoryStore(ret), ret)
 require.NoError(t, err)
 // The new key should be in the original store, in the new clean store, and
@@ -262,7 +262,7 @@ func (s *nonworkingBackup) AddKey(keyInfo trustmanager.KeyInfo, privKey data.Pri
 // be removed from the Yubikey too because otherwise there is no way for
 // the user to later get a backup of the key.
 func TestYubiAddKeyRollsBackIfCannotBackup(t *testing.T) {
- if !YubikeyAccessible() {
+ if !IsAccessible() {
 t.Skip("Must have Yubikey access.")
 }
 clearAllKeys(t)
@@ -275,7 +275,7 @@ func TestYubiAddKeyRollsBackIfCannotBackup(t *testing.T) {
 backup := &nonworkingBackup{
 KeyMemoryStore: *trustmanager.NewKeyMemoryStore(ret),
 }
- store, err := NewYubiKeyStore(backup, ret)
+ store, err := NewYubiStore(backup, ret)
 require.NoError(t, err)
 _, err = testAddKey(t, store)
@@ -289,7 +289,7 @@ func TestYubiAddKeyRollsBackIfCannotBackup(t *testing.T) {
 // If, when adding a key to the Yubikey, and it already exists, we succeed
 // without adding it to the backup store.
 func TestYubiAddDuplicateKeySucceedsButDoesNotBackup(t *testing.T) {
- if !YubikeyAccessible() {
+ if !IsAccessible() {
 t.Skip("Must have Yubikey access.")
 }
 clearAllKeys(t)
@@ -299,14 +299,14 @@ func TestYubiAddDuplicateKeySucceedsButDoesNotBackup(t *testing.T) {
 SetYubikeyKeyMode(KeymodeTouch | KeymodePinOnce)
 }()
- origStore, err := NewYubiKeyStore(trustmanager.NewKeyMemoryStore(ret), ret)
+ origStore, err := NewYubiStore(trustmanager.NewKeyMemoryStore(ret), ret)
 require.NoError(t, err)
 key, err := testAddKey(t, origStore)
 require.NoError(t, err)
 backup := trustmanager.NewKeyMemoryStore(ret)
- cleanStore, err := NewYubiKeyStore(backup, ret)
+ cleanStore, err := NewYubiStore(backup, ret)
 require.NoError(t, err)
 require.Len(t, cleanStore.ListKeys(), 1)
@@ -321,7 +321,7 @@ func TestYubiAddDuplicateKeySucceedsButDoesNotBackup(t *testing.T) {
 // RemoveKey removes a key from the yubikey, but not from the backup store.
 func TestYubiRemoveKey(t *testing.T) {
- if !YubikeyAccessible() {
+ if !IsAccessible() {
 t.Skip("Must have Yubikey access.")
 }
 clearAllKeys(t)
@@ -332,7 +332,7 @@ func TestYubiRemoveKey(t *testing.T) {
 }()
 backup := trustmanager.NewKeyMemoryStore(ret)
- store, err := NewYubiKeyStore(backup, ret)
+ store, err := NewYubiStore(backup, ret)
 require.NoError(t, err)
 key, err := testAddKey(t, store)
@@ -348,11 +348,11 @@ func TestYubiRemoveKey(t *testing.T) {
 // create a new store, since we want to be sure the original store's cache
 // is not masking any issues
- cleanStore, err := NewYubiKeyStore(trustmanager.NewKeyMemoryStore(ret), ret)
+ cleanStore, err := NewYubiStore(trustmanager.NewKeyMemoryStore(ret), ret)
 require.NoError(t, err)
 // key is not in either the original store or the clean store
- for _, store := range []*YubiKeyStore{store, cleanStore} {
+ for _, store := range []*YubiStore{store, cleanStore} {
 _, _, err := store.GetKey(key.ID())
 require.Error(t, err)
 }
@@ -360,7 +360,7 @@ func TestYubiRemoveKey(t *testing.T) {
 // One cannot export from hardware - it will not export from the backup
 func TestYubiExportKeyFails(t *testing.T) {
- if !YubikeyAccessible() {
+ if !IsAccessible() {
 t.Skip("Must have Yubikey access.")
 }
 clearAllKeys(t)
@@ -370,7 +370,7 @@ func TestYubiExportKeyFails(t *testing.T) {
 SetYubikeyKeyMode(KeymodeTouch | KeymodePinOnce)
 }()
- store, err := NewYubiKeyStore(trustmanager.NewKeyMemoryStore(ret), ret)
+ store, err := NewYubiStore(trustmanager.NewKeyMemoryStore(ret), ret)
 require.NoError(t, err)
 key, err := testAddKey(t, store)
@@ -384,7 +384,7 @@ func TestYubiExportKeyFails(t *testing.T) {
 // If there are keys in the backup store but no keys in the Yubikey,
 // listing and getting cannot access the keys in the backup store
 func TestYubiListAndGetKeysIgnoresBackup(t *testing.T) {
- if !YubikeyAccessible() {
+ if !IsAccessible() {
 t.Skip("Must have Yubikey access.")
 }
 clearAllKeys(t)
@@ -398,7 +398,7 @@ func TestYubiListAndGetKeysIgnoresBackup(t *testing.T) {
 key, err := testAddKey(t, backup)
 require.NoError(t, err)
- store, err := NewYubiKeyStore(trustmanager.NewKeyMemoryStore(ret), ret)
+ store, err := NewYubiStore(trustmanager.NewKeyMemoryStore(ret), ret)
 require.Len(t, store.ListKeys(), 0)
 _, _, err = store.GetKey(key.ID())
 require.Error(t, err)
@@ -408,7 +408,7 @@ func TestYubiListAndGetKeysIgnoresBackup(t *testing.T) {
 // specifically that you cannot get the private bytes out. Assume we can
 // sign something.
 func TestYubiKeyAndSign(t *testing.T) {
- if !YubikeyAccessible() {
+ if !IsAccessible() {
 t.Skip("Must have Yubikey access.")
 }
 clearAllKeys(t)
@@ -418,7 +418,7 @@ func TestYubiKeyAndSign(t *testing.T) {
 SetYubikeyKeyMode(KeymodeTouch | KeymodePinOnce)
 }()
- store, err := NewYubiKeyStore(trustmanager.NewKeyMemoryStore(ret), ret)
+ store, err := NewYubiStore(trustmanager.NewKeyMemoryStore(ret), ret)
 require.NoError(t, err)
 ecdsaPrivateKey, err := testAddKey(t, store)
@@ -449,7 +449,7 @@ var setupErrors = []string{"Initialize", "GetSlotList", "OpenSession"}
 // Create a new store, so that we avoid any cache issues, and list keys
 func cleanListKeys(t *testing.T) map[string]trustmanager.KeyInfo {
- cleanStore, err := NewYubiKeyStore(trustmanager.NewKeyMemoryStore(ret), ret)
+ cleanStore, err := NewYubiStore(trustmanager.NewKeyMemoryStore(ret), ret)
 require.NoError(t, err)
 return cleanStore.ListKeys()
 }
@@ -507,7 +507,7 @@ func testYubiFunctionCleansUpOnSpecifiedErrors(t *testing.T,
 }
 func TestYubiAddKeyCleansUpOnError(t *testing.T) {
- if !YubikeyAccessible() {
+ if !IsAccessible() {
 t.Skip("Must have Yubikey access.")
 }
 clearAllKeys(t)
@@ -518,7 +518,7 @@ func TestYubiAddKeyCleansUpOnError(t *testing.T) {
 }()
 backup := trustmanager.NewKeyMemoryStore(ret)
- store, err := NewYubiKeyStore(backup, ret)
+ store, err := NewYubiStore(backup, ret)
 require.NoError(t, err)
 var _addkey = func() error {
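Review bot: In the `TestYubiListAndGetKeysIgnoresBackup` hunk the renamed `store, err := NewYubiStore(trustmanager.NewKeyMemoryStore(ret), ret)` is followed directly by `require.Len(t, store.ListKeys(), 0)` with no check of `err`, unlike every other constructor call in this file; a constructor failure would surface as a nil dereference rather than a clear assertion failure, and `err` is only reassigned on the `GetKey` line below. Add `require.NoError(t, err)` immediately after the call. The enclosing test starts before the hunk.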
@@ -571,7 +571,7 @@ func TestYubiAddKeyCleansUpOnError(t *testing.T) {
 }
 func TestYubiGetKeyCleansUpOnError(t *testing.T) {
- if !YubikeyAccessible() {
+ if !IsAccessible() {
 t.Skip("Must have Yubikey access.")
 }
 clearAllKeys(t)
@@ -581,7 +581,7 @@ func TestYubiGetKeyCleansUpOnError(t *testing.T) {
 SetYubikeyKeyMode(KeymodeTouch | KeymodePinOnce)
 }()
- store, err := NewYubiKeyStore(trustmanager.NewKeyMemoryStore(ret), ret)
+ store, err := NewYubiStore(trustmanager.NewKeyMemoryStore(ret), ret)
 require.NoError(t, err)
 key, err := testAddKey(t, store)
 require.NoError(t, err)
@@ -603,7 +603,7 @@ func TestYubiGetKeyCleansUpOnError(t *testing.T) {
 }
 func TestYubiRemoveKeyCleansUpOnError(t *testing.T) {
- if !YubikeyAccessible() {
+ if !IsAccessible() {
 t.Skip("Must have Yubikey access.")
 }
 clearAllKeys(t)
@@ -613,7 +613,7 @@ func TestYubiRemoveKeyCleansUpOnError(t *testing.T) {
 SetYubikeyKeyMode(KeymodeTouch | KeymodePinOnce)
 }()
- store, err := NewYubiKeyStore(trustmanager.NewKeyMemoryStore(ret), ret)
+ store, err := NewYubiStore(trustmanager.NewKeyMemoryStore(ret), ret)
 require.NoError(t, err)
 key, err := testAddKey(t, store)
 require.NoError(t, err)
@@ -646,7 +646,7 @@ func TestYubiRemoveKeyCleansUpOnError(t *testing.T) {
 }
 func TestYubiListKeyCleansUpOnError(t *testing.T) {
- if !YubikeyAccessible() {
+ if !IsAccessible() {
 t.Skip("Must have Yubikey access.")
 }
 clearAllKeys(t)
@@ -656,9 +656,9 @@ func TestYubiListKeyCleansUpOnError(t *testing.T) {
 SetYubikeyKeyMode(KeymodeTouch | KeymodePinOnce)
 }()
- // Do not call NewYubiKeyStore, because it list keys immediately to
+ // Do not call NewYubiStore, because it list keys immediately to
 // build the cache.
- store := &YubiKeyStore{
+ store := &YubiStore{
 passRetriever: ret,
 keys: make(map[string]yubiSlot),
 backupStore: trustmanager.NewKeyMemoryStore(ret),
@@ -685,7 +685,7 @@ func TestYubiListKeyCleansUpOnError(t *testing.T) {
 // export key fails anyway, don't bother testing
 func TestYubiSignCleansUpOnError(t *testing.T) {
- if !YubikeyAccessible() {
+ if !IsAccessible() {
 t.Skip("Must have Yubikey access.")
 }
 clearAllKeys(t)
@@ -695,7 +695,7 @@ func TestYubiSignCleansUpOnError(t *testing.T) {
 SetYubikeyKeyMode(KeymodeTouch | KeymodePinOnce)
 }()
- store, err := NewYubiKeyStore(trustmanager.NewKeyMemoryStore(ret), ret)
+ store, err := NewYubiStore(trustmanager.NewKeyMemoryStore(ret), ret)
 require.NoError(t, err)
 key, err := testAddKey(t, store)
@@ -732,7 +732,7 @@ func TestYubiSignCleansUpOnError(t *testing.T) {
 // If Sign gives us an invalid signature, we retry until successful up to
 // a maximum of 5 times.
 func TestYubiRetrySignUntilSuccess(t *testing.T) {
- if !YubikeyAccessible() {
+ if !IsAccessible() {
 t.Skip("Must have Yubikey access.")
 }
 clearAllKeys(t)
@@ -742,7 +742,7 @@ func TestYubiRetrySignUntilSuccess(t *testing.T) {
 SetYubikeyKeyMode(KeymodeTouch | KeymodePinOnce)
 }()
- store, err := NewYubiKeyStore(trustmanager.NewKeyMemoryStore(ret), ret)
+ store, err := NewYubiStore(trustmanager.NewKeyMemoryStore(ret), ret)
 require.NoError(t, err)
 key, err := testAddKey(t, store)
@@ -777,7 +777,7 @@ func TestYubiRetrySignUntilSuccess(t *testing.T) {
 // If Sign gives us an invalid signature, we retry until up to a maximum of 5
 // times, and if it's still invalid, fail.
 func TestYubiRetrySignUntilFail(t *testing.T) {
- if !YubikeyAccessible() {
+ if !IsAccessible() {
 t.Skip("Must have Yubikey access.")
 }
 clearAllKeys(t)
@@ -787,7 +787,7 @@ func TestYubiRetrySignUntilFail(t *testing.T) {
 SetYubikeyKeyMode(KeymodeTouch | KeymodePinOnce)
 }()
- store, err := NewYubiKeyStore(trustmanager.NewKeyMemoryStore(ret), ret)
+ store, err := NewYubiStore(trustmanager.NewKeyMemoryStore(ret), ret)
 require.NoError(t, err)
 key, err := testAddKey(t, store)