David Lawrence
da18f54699
import-root, list, and remove working with yubikey
Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)
2015-11-12 01:09:31 -08:00
David Lawrence
be4c0669c1
move import/export to cryptoservice and add import to yubikey
Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)
2015-11-12 01:09:31 -08:00
Jessica Frazelle
5f21ebd185
Add pkcs11 build tags
Add build tags and a check in Makefile to be sure you do not import
pkcs11 lib somewhere where it should not be. This will ensure docker
import and integration will continue to work.
Signed-off-by: Jessica Frazelle <acidburn@docker.com>
Signed-off-by: David Lawrence <david.lawrence@docker.com>
Signed-off-by: Jessica Frazelle <acidburn@docker.com> (github: endophage)
2015-11-12 01:07:00 -08:00
David Lawrence
07f0065152
ask for pin when signing
Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)
2015-11-12 01:06:38 -08:00
Diogo Monica
21138e6bad
Working version of Notary and Yubikey
Signed-off-by: Diogo Monica <diogo@docker.com>
Remove symlinks from notary-client repo creation
Signed-off-by: Ying Li <ying.li@docker.com>
Signed-off-by: Diogo Monica <diogo@docker.com>
WIP
Signed-off-by: Diogo Monica <diogo@docker.com>
working yubikey integration
Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)
Fixing small colon bug
Signed-off-by: Diogo Monica <diogo@docker.com>
Added things. Ship it.
Signed-off-by: Diogo Monica <diogo@docker.com>
Bringing ecdsahwcryptosigner to 2015
Signed-off-by: Diogo Monica <diogo@docker.com>
Working version of notary and yubikey
Signed-off-by: Diogo Monica <diogo@docker.com>
2015-11-12 01:06:09 -08:00
Diogo Mónica
fd0775e1dc
Merge pull request #257 from mtrmac/fix-export-root
Fix (notary key export-root)
2015-11-01 10:31:29 +00:00
Miloslav Trmač
62dc66e936
Remove key ID from (notary key import-root)
PR #242 has started requiring a passphrase for the imported key, and
recomputes the key ID, making the command-line argument redundant. So,
remove it from the command line and from the KeyStoreManager API.
Also updates the comment for KeyStoreManager.ImportRootKey, and changes
(notary key import-root) to refuse unexpected arguments instead of
silently ignoring them.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
2015-10-30 20:40:03 +01:00
Miloslav Trmač
93c28ccb1b
Fix (notary key export-root)
-c was recently taken over by --configFile; using it for
--change-passphrase as well results in
panic: shorthand redefinition
So, move --change-passphrase to -p.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
2015-10-30 20:39:20 +01:00
Ying Li
b9a4175ea9
Update the client NotaryRepository to initialize with a root key ID
Signed-off-by: Ying Li <ying.li@docker.com>
2015-10-29 15:11:15 -07:00
Ying Li
aa5b621968
Fix import error after rebase
Signed-off-by: Ying Li <ying.li@docker.com>
2015-10-28 15:44:33 -07:00
Ying Li
adda5776cb
Use ListenAndServeTLS with blank args, since ListenAndServe doesn't actually set up TLS
Signed-off-by: Ying Li <ying.li@docker.com>
2015-10-28 15:42:36 -07:00
Ying Li
126691ac9e
Update the notary server and signer configs to make use of client authentication.
Signed-off-by: Ying Li <ying.li@docker.com>
2015-10-28 15:42:33 -07:00
Ying Li
34aecae033
Split out parsing the client TLS in notary-server.
Signed-off-by: Ying Li <ying.li@docker.com>
2015-10-28 15:40:41 -07:00
Ying Li
04a78e720f
Factor out and test TLS configuration in notary-server.
Signed-off-by: Ying Li <ying.li@docker.com>
2015-10-28 15:39:52 -07:00
Ying Li
bbf941d198
Allow client CAs to be provided to notary-signer.
Signed-off-by: Ying Li <ying.li@docker.com>
2015-10-28 15:39:52 -07:00
David Lawrence
daa36b43b7
Merge pull request #242 from docker/unify-root-nonroot-keystore
Unify root nonroot keystore
2015-10-28 13:14:19 -07:00
Ying Li
6150c931dd
Make a keysMap rather than just declaring
Signed-off-by: Ying Li <ying.li@docker.com>
2015-10-28 12:47:42 -07:00
David Lawrence
fa70a79ed7
go fmt was complaining about import order after my sed replacement
Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)
2015-10-27 17:22:08 -07:00
David Lawrence
2833a88292
adding gotuf to notary
Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)
2015-10-27 16:36:06 -07:00
Ying Li
566bd3ce67
Combine the nonRootKeyStore with the rootKeyStore, and move the abstracting
over the root keys directory from non-root keys directory from keystoremanager
to keystore, since we're eliminating keystoremanager.
Maintain the two separate directories, though, because one can't tell whether
there is an old-style separate-directories structure, or if someone has a GUN
that starts with tuf_keys.
Signed-off-by: Ying Li <ying.li@docker.com>
2015-10-27 12:33:46 -07:00
Ying Li
61f9f84254
Use configuration option structures to set up client TLS and server TLS.
Test for if client cert is passed without a client key and vice versa.
Fail in ConfigureClientTLS if only one of client cert/key is passed.
Lint fixes.
Signed-off-by: Ying Li <ying.li@docker.com>
2015-10-21 18:43:33 -07:00
Ying Li
412e0facc8
Explicitly check the skip tls verify boolean in notary client
Signed-off-by: Ying Li <ying.li@docker.com>
2015-10-21 10:38:48 -07:00
Ying Li
fc389b7bc3
Use tls client config utility in notary as well.
Signed-off-by: Ying Li <ying.li@docker.com>
2015-10-19 17:31:18 -07:00
Ying Li
8d96cf0c1f
Use ConfigureServerTLS for notary-server and notary-signer
Signed-off-by: Ying Li <ying.li@docker.com>
2015-10-19 17:29:54 -07:00
Ying Li
a5e64ecf03
Do not use the viper singleton instance everywhere
Signed-off-by: Ying Li <ying.li@docker.com>
2015-10-19 11:50:04 -07:00
Ying Li
6db76a873e
Small cleanup as per review comments
Signed-off-by: Ying Li <ying.li@docker.com>
2015-10-16 14:48:05 -07:00
Ying Li
81380e0862
Even simpler - cancel the GRPC call using the context object passed
to the GRPC clients - thanks @endophage!
Signed-off-by: Ying Li <ying.li@docker.com>
2015-10-16 09:46:08 -07:00
Ying Li
a49406de42
Log an error if the notary server cannot reach the signer or otherwise
if the signer is in trouble, but do not fail the health check, since
the server can operate for a while without the signer (the server will
have degraded performance, but is not down)
Signed-off-by: Ying Li <ying.li@docker.com>
2015-10-15 10:48:10 -07:00
Ying Li
bca919c65f
Making an RPC call would hang forever if the connection to the GRPC server dies
(it just retries to connect, and the RPC call would just block until it does), so change up
how this works by timing out the health check.
Signed-off-by: Ying Li <ying.li@docker.com>
2015-10-14 18:03:19 -07:00
Ying Li
cd5015592a
Fix the key names for the server health checks
Signed-off-by: Ying Li <ying.li@docker.com>
2015-10-14 14:52:31 -07:00
Ying Li
60271f3014
Enable the signer RPC health check calls to return the last checked health
status from the health package.
Signed-off-by: Ying Li <ying.li@docker.com>
2015-10-14 14:49:39 -07:00
Ying Li
30330f43e2
Register trust health checks and DB health check with the notary server.
Signed-off-by: Ying Li <ying.li@docker.com>
2015-10-14 13:23:38 -07:00
Ying Li
6b98278282
Merge pull request #215 from cyli/server-uses-gorm
Use gorm for storing notary-server information
2015-10-14 13:09:37 -07:00
Diogo Monica
b18e890e1c
Changing the default config to point to notary-server
Signed-off-by: Diogo Monica <diogo@docker.com>
2015-10-12 18:21:39 -07:00
Diogo Monica
70fe89f69c
Adding check for relative VS full path
Signed-off-by: Diogo Monica <diogo@docker.com>
2015-10-12 18:15:38 -07:00
Diogo Monica
8299e01b0a
Fixed comments, changed default config
Signed-off-by: Diogo Monica <diogo@docker.com>
2015-10-12 17:14:23 -07:00
Diogo Monica
aeb96f27a2
Adding client-side root-ca server and config
Signed-off-by: Diogo Monica <diogo@docker.com>
2015-10-12 17:13:39 -07:00
Ying Li
7fa991c3ff
Gormizes the server database and makes it SQL-DB agnostic.
Signed-off-by: Ying Li <ying.li@docker.com>
2015-10-12 16:45:41 -07:00
David Lawrence
98cde51f18
working basic key rotation for targets and snapshot key. Command is 'notary key rotate [GUN]'
Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)
2015-10-09 20:35:06 -07:00
David Lawrence
ac54370fb0
cleanup after discussing with Diogo
Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)
2015-10-09 19:40:36 -07:00
David Lawrence
009400650e
minor tweaks to key rotation
Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)
2015-10-09 19:24:08 -07:00
David Lawrence
959d0267ac
command skeletons in place, changelist actions implemented
Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)
2015-10-09 19:24:08 -07:00
David Lawrence
83f96997d3
changelist management of key rotation
Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)
2015-10-09 19:23:47 -07:00
Ryan Cox
7bee606f43
Add support for 'notary status' command to show details about unpublished changes
Signed-off-by: Ryan Cox <ryan.a.cox@gmail.com>
2015-10-08 22:07:36 -07:00
Diogo Mónica
53467fd417
Merge pull request #85 from docker/simple_test_script
add a simple test script, eventually this can grow to be our CI script
2015-10-08 16:58:44 -07:00
Ying Li
d092f78f05
Merge pull request #205 from cyli/signer-healthcheck
Adding a DB check to the signer health check
2015-10-08 16:53:57 -07:00
Ying Li
a70605a9e6
Shorten health check name and remove redundant logging
Signed-off-by: Ying Li <ying.li@docker.com>
2015-10-08 15:42:14 -07:00
Ying Li
815675eea9
After upgrading grpc, update how the server is set up with TLS for the signer
Signed-off-by: Ying Li <ying.li@docker.com>
2015-10-07 20:52:48 -07:00
Ying Li
75516a1e84
Add the CheckHealth implementations to the RPC servers, go fmt some other files
Signed-off-by: Ying Li <ying.li@docker.com>
2015-10-07 20:51:53 -07:00
Ying Li
a67ed67bdc
Add a health check function for the key DB store that verifies we can access the required table
Signed-off-by: Ying Li <ying.li@docker.com>
2015-10-07 16:31:24 -07:00