GetLeafCerts and GetIntermediaCerts are similiar and a consistent
implementation will be more friendly to those people who wants to read
the code.
Signed-off-by: Hu Keping <hukeping@huawei.com>
This is important for user keys, which do not necessarily need to be under a GUN,
and may have a role other than one of the canonical roles (e.g. "user" role).
Signed-off-by: Ying Li <ying.li@docker.com>
Using the just added facility to generate a certificate as of a specific
time, tighten TestNewCertificate to use equality comparisons.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Add explicit startTime and endTime parameters to
cryptoservice.GenerateCertificate and trustmanager.NewCertificate.
trustmanager.NewCertificate as a low-level data manipulation function
should not be hard-coding policy (10-year expiration); that policy
belongs to its callers, or one more level higher to callers of
cryptoservice.GenerateCertificate.
These places hard-coding policy now also have an explict comment to
that effect.
In addition to conceptual cleanliness, this will allow writing tests
of certificate expiry by generating appropriate expired or nearly-expired
certificates.
Tests which don't care about the policy much will continue to use the
just added cryptoservice.GenerateTestingCertificate.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Log whether a pkcs11 library was found and if it was loadable.
This unfortunately prints out every time any operation is done on the Yubikey, producing a lot of log output, but perhaps that is better because an operation might fail at any given time.
Output if no Yubikey:
DEBU[0000] Failed to initialize PKCS11 environment: loaded library /usr/local/lib/libykcs11.dylib, but no HSM slots found
If there is a Yubikey:
DEBU[0000] Initialized PKCS11 library /usr/local/lib/libykcs11.dylib and started HSM session
Added a test for this case as well - thanks @endophage!
Signed-off-by: Ying Li <ying.li@docker.com>
Signed-off-by: David Lawrence <david.lawrence@docker.com>
Signed-off-by: Ying Li <ying.li@docker.com> (github: endophage)
Signed-off-by: Ying Li <ying.li@docker.com>
Signed-off-by: David Lawrence <david.lawrence@docker.com>
Signed-off-by: Ying Li <ying.li@docker.com> (github: endophage)
Signed-off-by: Ying Li <ying.li@docker.com>
Signed-off-by: David Lawrence <david.lawrence@docker.com>
Signed-off-by: Ying Li <ying.li@docker.com> (github: endophage)
Signed-off-by: Ying Li <ying.li@docker.com>
Signed-off-by: David Lawrence <david.lawrence@docker.com>
Signed-off-by: Ying Li <ying.li@docker.com> (github: endophage)
Signed-off-by: Ying Li <ying.li@docker.com>
Signed-off-by: David Lawrence <david.lawrence@docker.com>
Signed-off-by: Ying Li <ying.li@docker.com> (github: endophage)
Signed-off-by: Ying Li <ying.li@docker.com>
Signed-off-by: David Lawrence <david.lawrence@docker.com>
Signed-off-by: Ying Li <ying.li@docker.com> (github: endophage)
Signed-off-by: Ying Li <ying.li@docker.com>
Signed-off-by: David Lawrence <david.lawrence@docker.com>
Signed-off-by: Ying Li <ying.li@docker.com> (github: endophage)
Signed-off-by: Ying Li <ying.li@docker.com>
Signed-off-by: David Lawrence <david.lawrence@docker.com>
Signed-off-by: Ying Li <ying.li@docker.com> (github: endophage)
Signed-off-by: Ying Li <ying.li@docker.com>
Signed-off-by: David Lawrence <david.lawrence@docker.com>
Signed-off-by: Ying Li <ying.li@docker.com> (github: endophage)
Signed-off-by: Ying Li <ying.li@docker.com>
Signed-off-by: David Lawrence <david.lawrence@docker.com>
Signed-off-by: Ying Li <ying.li@docker.com> (github: endophage)
Including how it interacts with the backup key store, and with more
assertions against a new YubiKeyStore so that we won't get false
positives or negatives from the cache.
Signed-off-by: Ying Li <ying.li@docker.com>
Signed-off-by: David Lawrence <david.lawrence@docker.com>
Signed-off-by: Ying Li <ying.li@docker.com> (github: endophage)
add verification to yubikey signatures. Attempt to generate sig up to…
Signed-off-by: David Lawrence <david.lawrence@docker.com>
Signed-off-by: Diogo Mónica <diogo.monica@gmail.com> (github: endophage)
Apparently that is required by the template, and will error if it
does not. Sometimes, ECDSA keys are generated which when encoded
seems to only have 31 bytes.
Signed-off-by: Ying Li <ying.li@docker.com>
Signed-off-by: David Lawrence <david.lawrence@docker.com>
Signed-off-by: Ying Li <ying.li@docker.com> (github: endophage)
Do not back up a root key that is imported into Yubikey.
Signed-off-by: David Lawrence <david.lawrence@docker.com>
Signed-off-by: Diogo Mónica <diogo.monica@gmail.com> (github: endophage)
Signed-off-by: Ying Li <ying.li@docker.com>
Signed-off-by: David Lawrence <david.lawrence@docker.com>
Signed-off-by: Ying Li <ying.li@docker.com> (github: endophage)
Previously it was just overwritting one slot over and over.
Signed-off-by: Ying Li <ying.li@docker.com>
Signed-off-by: David Lawrence <david.lawrence@docker.com>
Signed-off-by: Ying Li <ying.li@docker.com> (github: endophage)
Fixed panic on listKeys with invalid keys, added tests
Signed-off-by: David Lawrence <david.lawrence@docker.com>
Signed-off-by: Diogo Mónica <diogo.monica@gmail.com> (github: endophage)
Riyaz Faizullabhoy
HuKeping
Ying Li
David Lawrence
Udo Seidel
Miloslav Trmač
Ying Li
Diogo Monica
Diogo Mónica