Rebase works

Signed-off-by: Diogo Monica <diogo@docker.com>
This commit is contained in:
Diogo Monica 2015-07-17 14:44:51 -07:00
parent 00f8f56942
commit f532550742
2 changed files with 20 additions and 21 deletions


@ -64,13 +64,12 @@ func validateRootSuccessfully(t *testing.T, rootType data.KeyAlgorithm) {
// Initialize is supposed to have created new certificate for this repository // Initialize is supposed to have created new certificate for this repository
// Lets check for it and store it for later use // Lets check for it and store it for later use
allCerts := repo.KeyStoreManager.CertificateStore().GetCertificates() allCerts := repo.KeyStoreManager.TrustedCertificateStore().GetCertificates()
assert.Len(t, allCerts, 1) assert.Len(t, allCerts, 1)
// Now test ListTargets. In preparation, we need to expose some signed // Now test ListTargets. In preparation, we need to expose some signed
// metadata files on the internal HTTP server. // metadata files on the internal HTTP server.
var tempKey data.TUFKey
var tempKey data.PrivateKey
json.Unmarshal([]byte(timestampECDSAKeyJSON), &tempKey) json.Unmarshal([]byte(timestampECDSAKeyJSON), &tempKey)
repo.KeyStoreManager.NonRootKeyStore().AddKey(filepath.Join(filepath.FromSlash(gun), tempKey.ID()), &tempKey) repo.KeyStoreManager.NonRootKeyStore().AddKey(filepath.Join(filepath.FromSlash(gun), tempKey.ID()), &tempKey)
@ -112,14 +111,14 @@ func validateRootSuccessfully(t *testing.T, rootType data.KeyAlgorithm) {
// //
// Test TOFUS logic. We remove all certs and expect a new one to be added after ListTargets // Test TOFUS logic. We remove all certs and expect a new one to be added after ListTargets
// //
err = repo.KeyStoreManager.CertificateStore().RemoveAll() err = repo.KeyStoreManager.TrustedCertificateStore().RemoveAll()
assert.NoError(t, err) assert.NoError(t, err)
assert.Len(t, repo.KeyStoreManager.CertificateStore().GetCertificates(), 0) assert.Len(t, repo.KeyStoreManager.TrustedCertificateStore().GetCertificates(), 0)
// This list targets is expected to succeed and the certificate store to have the new certificate // This list targets is expected to succeed and the certificate store to have the new certificate
_, err = repo.ListTargets() _, err = repo.ListTargets()
assert.NoError(t, err) assert.NoError(t, err)
assert.Len(t, repo.KeyStoreManager.CertificateStore().GetCertificates(), 1) assert.Len(t, repo.KeyStoreManager.TrustedCertificateStore().GetCertificates(), 1)
// //
// Test certificate mismatch logic. We remove all certs, and a different cert to the // Test certificate mismatch logic. We remove all certs, and a different cert to the
@ -127,12 +126,12 @@ func validateRootSuccessfully(t *testing.T, rootType data.KeyAlgorithm) {
// //
// First, remove all certs // First, remove all certs
err = repo.KeyStoreManager.CertificateStore().RemoveAll() err = repo.KeyStoreManager.TrustedCertificateStore().RemoveAll()
assert.NoError(t, err) assert.NoError(t, err)
assert.Len(t, repo.KeyStoreManager.CertificateStore().GetCertificates(), 0) assert.Len(t, repo.KeyStoreManager.TrustedCertificateStore().GetCertificates(), 0)
// Add a previously generated certificate with CN=docker.com/notary // Add a previously generated certificate with CN=docker.com/notary
err = repo.KeyStoreManager.CertificateStore().AddCertFromFile("../fixtures/self-signed_docker.com-notary.crt") err = repo.KeyStoreManager.TrustedCertificateStore().AddCertFromFile("../fixtures/self-signed_docker.com-notary.crt")
assert.NoError(t, err) assert.NoError(t, err)
// This list targets is expected to fail, since there already exists a certificate // This list targets is expected to fail, since there already exists a certificate
@ -150,19 +149,19 @@ func validateRootSuccessfully(t *testing.T, rootType data.KeyAlgorithm) {
// //
// First, remove all certs and trusted CAs // First, remove all certs and trusted CAs
err = repo.KeyStoreManager.CertificateStore().RemoveAll() err = repo.KeyStoreManager.TrustedCertificateStore().RemoveAll()
assert.NoError(t, err) assert.NoError(t, err)
assert.Len(t, repo.KeyStoreManager.CertificateStore().GetCertificates(), 0) assert.Len(t, repo.KeyStoreManager.TrustedCertificateStore().GetCertificates(), 0)
err = repo.KeyStoreManager.CAStore().RemoveAll() err = repo.KeyStoreManager.TrustedCAStore().RemoveAll()
assert.NoError(t, err) assert.NoError(t, err)
assert.Len(t, repo.KeyStoreManager.CAStore().GetCertificates(), 0) assert.Len(t, repo.KeyStoreManager.TrustedCAStore().GetCertificates(), 0)
// Add a trusted root-ca // Add a trusted root-ca
err = repo.KeyStoreManager.CAStore().AddCertFromFile("../fixtures/root-ca.crt") err = repo.KeyStoreManager.TrustedCAStore().AddCertFromFile("../fixtures/root-ca.crt")
assert.NoError(t, err) assert.NoError(t, err)
// Add a previously generated certificate with CN=secure.example.com // Add a previously generated certificate with CN=secure.example.com
err = repo.KeyStoreManager.CertificateStore().AddCertFromFile("../fixtures/self-signed_secure.example.com.crt") err = repo.KeyStoreManager.TrustedCertificateStore().AddCertFromFile("../fixtures/self-signed_secure.example.com.crt")
assert.NoError(t, err) assert.NoError(t, err)
// Create a manual rootSigner with a valid intermediate + leaf cert // Create a manual rootSigner with a valid intermediate + leaf cert
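Review bot: In the first hunk (@ -64,13 +64,12) the new `var tempKey data.PrivateKey` declaration is filled by a `json.Unmarshal` whose error is still discarded on the following line, so if data.PrivateKey no longer decodes the way data.TUFKey did (the companion change to `map[string]data.PublicKey` in the other file suggests the key types may have become interfaces), tempKey stays zero and the AddKey call receives an unusable key without the test noticing. Assert the decode: `assert.NoError(t, json.Unmarshal([]byte(timestampECDSAKeyJSON), &tempKey))`. If `NonRootKeyStore().AddKey` returns an error, it deserves the same treatment. validateRootSuccessfully starts and ends outside the hunks shown.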


@ -194,7 +194,7 @@ func (km *KeyStoreManager) ValidateRoot(root *data.Signed, dnsName string) error
// validKeys will store all the keys that were considered valid either by // validKeys will store all the keys that were considered valid either by
// direct certificate match, or CA chain path // direct certificate match, or CA chain path
validKeys := make(map[string]*data.PublicKey) validKeys := make(map[string]data.PublicKey)
// allCerts will keep a list of all leafCerts that were found, and is used // allCerts will keep a list of all leafCerts that were found, and is used
// to aid on root certificate rotation // to aid on root certificate rotation
@ -244,7 +244,7 @@ func (km *KeyStoreManager) ValidateRoot(root *data.Signed, dnsName string) error
allCerts[leafID] = leafCert allCerts[leafID] = leafCert
// Retrieve all the trusted certificates that match this dns Name // Retrieve all the trusted certificates that match this dns Name
certsForCN, err := km.certificateStore.GetCertificatesByCN(dnsName) certsForCN, err := km.trustedCertificateStore.GetCertificatesByCN(dnsName)
if err != nil { if err != nil {
// If the error that we get back is different than ErrNoCertificatesFound // If the error that we get back is different than ErrNoCertificatesFound
// we couldn't check if there are any certificates with this CN already // we couldn't check if there are any certificates with this CN already
@ -258,7 +258,7 @@ func (km *KeyStoreManager) ValidateRoot(root *data.Signed, dnsName string) error
// If there are no certificates with this CN, lets TOFUS! // If there are no certificates with this CN, lets TOFUS!
// Note that this logic should only exist in docker 1.8 // Note that this logic should only exist in docker 1.8
if len(certsForCN) == 0 { if len(certsForCN) == 0 {
km.certificateStore.AddCert(leafCert) km.trustedCertificateStore.AddCert(leafCert)
certsForCN = append(certsForCN, leafCert) certsForCN = append(certsForCN, leafCert)
logrus.Debugf("using TOFUS on %s with keyID: %s", dnsName, leafID) logrus.Debugf("using TOFUS on %s with keyID: %s", dnsName, leafID)
} }
@ -275,7 +275,7 @@ func (km *KeyStoreManager) ValidateRoot(root *data.Signed, dnsName string) error
// Check to see if this leafCertificate has a chain to one of the Root // Check to see if this leafCertificate has a chain to one of the Root
// CAs of our CA Store. // CAs of our CA Store.
err = trustmanager.Verify(km.caStore, dnsName, decodedCerts) err = trustmanager.Verify(km.trustedCAStore, dnsName, decodedCerts)
if err == nil { if err == nil {
validKeys[keyID] = rootSigned.Signed.Keys[keyID] validKeys[keyID] = rootSigned.Signed.Keys[keyID]
logrus.Debugf("found a CA path for %s with keyID: %s", dnsName, keyID) logrus.Debugf("found a CA path for %s with keyID: %s", dnsName, keyID)
@ -307,7 +307,7 @@ func (km *KeyStoreManager) ValidateRoot(root *data.Signed, dnsName string) error
} }
// Add the new root certificate to our certificate store // Add the new root certificate to our certificate store
err := km.certificateStore.AddCert(newRootKeyCert) err := km.trustedCertificateStore.AddCert(newRootKeyCert)
if err != nil { if err != nil {
// Ignore the error if the certificate already exists // Ignore the error if the certificate already exists
if _, ok := err.(*trustmanager.ErrCertExists); !ok { if _, ok := err.(*trustmanager.ErrCertExists); !ok {
@ -324,7 +324,7 @@ func (km *KeyStoreManager) ValidateRoot(root *data.Signed, dnsName string) error
// Iterate over all old valid certificates and remove them, essentially // Iterate over all old valid certificates and remove them, essentially
// finishing the rotation of the currently trusted root certificate // finishing the rotation of the currently trusted root certificate
for _, cert := range allCerts { for _, cert := range allCerts {
err := km.certificateStore.RemoveCert(cert) err := km.trustedCertificateStore.RemoveCert(cert)
if err != nil { if err != nil {
logrus.Debugf("error while removing old root certificate: %v", err) logrus.Debugf("error while removing old root certificate: %v", err)
return ErrRootRotationFail return ErrRootRotationFail
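Review bot: In the hunk at @ -258,7 +258,7 the TOFUS branch calls `km.trustedCertificateStore.AddCert(leafCert)` and drops its return value, although the same method's error is checked at the rotation site in the @ -307 hunk, so a failure to persist the first-seen certificate still lets validation proceed as if the cert had been pinned, and the next ValidateRoot call would trust-on-first-use again instead of comparing against a stored cert. Check it: `if err := km.trustedCertificateStore.AddCert(leafCert); err != nil {` / `return err` / `}`, or at minimum log it the way the removal failure is logged in the last hunk. The rename to trustedCertificateStore/trustedCAStore is otherwise mechanical. ValidateRoot's body starts and ends outside the hunks shown.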