docker/docs - docs - Gitea: Git with a cup of tea

Commit Graph

Author	SHA1	Message	Date
Ying Li	68962ce0f7	Merge pull request #281 from docker/better-pkcs11-logging Log whether a pkcs11 library was found and if it was loadable. This unfortunately prints out every time any operation is done on the Yubikey, producing a lot of log output, but perhaps that is better because an operation might fail at any given time. Output if no Yubikey: DEBU[0000] Failed to initialize PKCS11 environment: loaded library /usr/local/lib/libykcs11.dylib, but no HSM slots found If there is a Yubikey: DEBU[0000] Initialized PKCS11 library /usr/local/lib/libykcs11.dylib and started HSM session	2015-11-13 15:51:11 -08:00
Ying Li	f9bd60701f	Log whether a pkcs11 library was found and if it was loadable. Signed-off-by: Ying Li <ying.li@docker.com>	2015-11-13 02:53:39 -08:00
Ying Li	587906e6c6	More defensive coding around listing our keys in the yubikey. Signed-off-by: Ying Li <ying.li@docker.com>	2015-11-13 00:08:53 -08:00
Diogo Monica	d2f69fe5bc	Adding another path to search for ykcs libs Signed-off-by: Diogo Monica <diogo@docker.com>	2015-11-12 01:22:40 -08:00
Ying Li	87231d9a5d	Fix new bug where adding a duplicate key to a yubikey added to the backup. Added a test for this case as well - thanks @endophage! Signed-off-by: Ying Li <ying.li@docker.com> Signed-off-by: David Lawrence <david.lawrence@docker.com> Signed-off-by: Ying Li <ying.li@docker.com> (github: endophage)	2015-11-12 01:13:58 -08:00
Ying Li	43f2d40e43	Make our CI pick up trustmanager/yubikey again Signed-off-by: Ying Li <ying.li@docker.com> Signed-off-by: David Lawrence <david.lawrence@docker.com> Signed-off-by: Ying Li <ying.li@docker.com> (github: endophage)	2015-11-12 01:13:55 -08:00
Ying Li	6cf0643d7d	Roll back an add key to the yubikey if we can't back it up. Signed-off-by: Ying Li <ying.li@docker.com> Signed-off-by: David Lawrence <david.lawrence@docker.com> Signed-off-by: Ying Li <ying.li@docker.com> (github: endophage)	2015-11-12 01:13:46 -08:00
Ying Li	96bfaac05f	Add tests for verifying signatures before returning a signature. Signed-off-by: Ying Li <ying.li@docker.com> Signed-off-by: David Lawrence <david.lawrence@docker.com> Signed-off-by: Ying Li <ying.li@docker.com> (github: endophage)	2015-11-12 01:13:43 -08:00
Ying Li	4b7fefd5ef	Do not clean up a session if there is no session. Signed-off-by: Ying Li <ying.li@docker.com> Signed-off-by: David Lawrence <david.lawrence@docker.com> Signed-off-by: Ying Li <ying.li@docker.com> (github: endophage)	2015-11-12 01:13:35 -08:00
Ying Li	cee92fa363	Undo some changes from a bad stash pop that were unintentional. Signed-off-by: Ying Li <ying.li@docker.com> Signed-off-by: David Lawrence <david.lawrence@docker.com> Signed-off-by: Ying Li <ying.li@docker.com> (github: endophage)	2015-11-12 01:13:32 -08:00
Ying Li	38a5b5a342	Add FindObjectsFinalize to getNextEmptySlot. Signed-off-by: Ying Li <ying.li@docker.com> Signed-off-by: David Lawrence <david.lawrence@docker.com> Signed-off-by: Ying Li <ying.li@docker.com> (github: endophage)	2015-11-12 01:13:29 -08:00
Ying Li	10057562d8	Add fixes for Sign (do not continue if SignInit fails). Signed-off-by: Ying Li <ying.li@docker.com> Signed-off-by: David Lawrence <david.lawrence@docker.com> Signed-off-by: Ying Li <ying.li@docker.com> (github: endophage)	2015-11-12 01:13:25 -08:00
Ying Li	73a26d59ac	Inject errors into pkcs11 in order to test that the yubikey code cleans up. Signed-off-by: Ying Li <ying.li@docker.com> Signed-off-by: David Lawrence <david.lawrence@docker.com> Signed-off-by: Ying Li <ying.li@docker.com> (github: endophage)	2015-11-12 01:13:22 -08:00
Ying Li	09c0f9d05b	Replace the pkcs11 library with interfaces for easier testing. Signed-off-by: Ying Li <ying.li@docker.com> Signed-off-by: David Lawrence <david.lawrence@docker.com> Signed-off-by: Ying Li <ying.li@docker.com> (github: endophage)	2015-11-12 01:13:17 -08:00
Ying Li	7108450a21	Add more unit tests for the YubiKeyStore. Including how it interacts with the backup key store, and with more assertions against a new YubiKeyStore so that we won't get false positives or negatives from the cache. Signed-off-by: Ying Li <ying.li@docker.com> Signed-off-by: David Lawrence <david.lawrence@docker.com> Signed-off-by: Ying Li <ying.li@docker.com> (github: endophage)	2015-11-12 01:13:14 -08:00
Diogo Mónica	b894d98392	Merge pull request #54 from docker/verify_hw_sigs add verification to yubikey signatures. Attempt to generate sig up to… Signed-off-by: David Lawrence <david.lawrence@docker.com> Signed-off-by: Diogo Mónica <diogo.monica@gmail.com> (github: endophage)	2015-11-12 01:13:05 -08:00
David Lawrence	9b8645c39f	add verification to yubikey signatures. Attempt to generate sig up to 5 times, fail if all 5 are invalid Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)	2015-11-12 01:13:03 -08:00
David Lawrence	8628b57a96	private subdir should be added by keyfilestore, rather than all over the place Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)	2015-11-12 01:12:57 -08:00
Diogo Monica	0344dfc038	Making tests pass Signed-off-by: Diogo Monica <diogo@docker.com> Signed-off-by: David Lawrence <david.lawrence@docker.com> Signed-off-by: Diogo Monica <diogo@docker.com> (github: endophage)	2015-11-12 01:12:31 -08:00
David Lawrence	ee270b6a2b	fixing integrations tests for new list keys layout Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)	2015-11-12 01:12:21 -08:00
David Lawrence	5c064e204b	fixing lint/vet Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)	2015-11-12 01:12:21 -08:00
David Lawrence	6acc130e17	list shows where the key is stored Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)	2015-11-12 01:12:20 -08:00
David Lawrence	8ffbf116cc	only tell user to touch when mode is enabled Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)	2015-11-12 01:12:17 -08:00
David Lawrence	b0354762d1	make touch to sign message configurable Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)	2015-11-12 01:12:17 -08:00
David Lawrence	e0c5bb7b83	comment about token location ordering Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)	2015-11-12 01:11:55 -08:00
David Lawrence	d2ca58bbf4	use the slots on the yubikey in the following order: 9c, 9e, 9d, 9a Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)	2015-11-12 01:11:55 -08:00
Ying Li	397adb4291	Pad the ECDSA key that gets put into the Yubikey so it has 32 bytes. Apparently that is required by the template, and will error if it does not. Sometimes, ECDSA keys are generated which when encoded seems to only have 31 bytes. Signed-off-by: Ying Li <ying.li@docker.com> Signed-off-by: David Lawrence <david.lawrence@docker.com> Signed-off-by: Ying Li <ying.li@docker.com> (github: endophage)	2015-11-12 01:11:49 -08:00
Diogo Mónica	91b7d87a7b	Merge pull request #39 from docker/fix-import Do not back up a root key that is imported into Yubikey. Signed-off-by: David Lawrence <david.lawrence@docker.com> Signed-off-by: Diogo Mónica <diogo.monica@gmail.com> (github: endophage)	2015-11-12 01:11:46 -08:00
Ying Li	0280a82ae0	Do not back up a root key that is imported into Yubikey. Signed-off-by: Ying Li <ying.li@docker.com> Signed-off-by: David Lawrence <david.lawrence@docker.com> Signed-off-by: Ying Li <ying.li@docker.com> (github: endophage)	2015-11-12 01:11:43 -08:00
Ying Li	9ae2c80309	Fix bug with finding new slots to put keys. Previously it was just overwritting one slot over and over. Signed-off-by: Ying Li <ying.li@docker.com> Signed-off-by: David Lawrence <david.lawrence@docker.com> Signed-off-by: Ying Li <ying.li@docker.com> (github: endophage)	2015-11-12 01:11:36 -08:00
Diogo Mónica	94b6269521	Merge pull request #38 from docker/fixing-alias-panic Fixed panic on listKeys with invalid keys, added tests Signed-off-by: David Lawrence <david.lawrence@docker.com> Signed-off-by: Diogo Mónica <diogo.monica@gmail.com> (github: endophage)	2015-11-12 01:11:31 -08:00
Diogo Monica	baa92cefa3	Fixed panic on listKeys with invalid keys, added tests Signed-off-by: David Lawrence <david.lawrence@docker.com> Signed-off-by: Diogo Monica <diogo@docker.com> (github: endophage)	2015-11-12 01:11:27 -08:00
Ying Li	53114aabdc	Add a test to test adding multiple keys to a yubikey. If there are existing keys on the Yubikey, the YubiKeyStore should add a key to the next available slot. Signed-off-by: Ying Li <ying.li@docker.com> Signed-off-by: David Lawrence <david.lawrence@docker.com> Signed-off-by: Ying Li <ying.li@docker.com> (github: endophage)	2015-11-12 01:11:21 -08:00
Ying Li	c82802b800	Move ecdsa_hardware_crypto_service to trustmanager/yubikeystore Signed-off-by: Ying Li <ying.li@docker.com> Signed-off-by: David Lawrence <david.lawrence@docker.com> Signed-off-by: Ying Li <ying.li@docker.com> (github: endophage)	2015-11-12 01:10:56 -08:00
David Lawrence	e8d2240c79	write private key to a backup dir when creating keys on yubikey Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)	2015-11-12 01:09:31 -08:00
David Lawrence	b7c38f0287	fixing tests Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)	2015-11-12 01:09:31 -08:00
David Lawrence	0fd1fa6ada	arbitrary slots working Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)	2015-11-12 01:09:31 -08:00
David Lawrence	da18f54699	import-root, list, and remove working with yubikey Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)	2015-11-12 01:09:31 -08:00
David Lawrence	be4c0669c1	move import/export to cryptoservice and add import to yubikey Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)	2015-11-12 01:09:31 -08:00
David Lawrence	06990fd5a1	integreating with @cyli's improvements Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)	2015-10-30 10:15:52 -07:00
David Lawrence	f73560d839	creating concrete types for the various key ciphers Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)	2015-10-28 16:02:55 -07:00
David Lawrence	daa36b43b7	Merge pull request #242 from docker/unify-root-nonroot-keystore Unify root nonroot keystore	2015-10-28 13:14:19 -07:00
David Lawrence	2833a88292	adding gotuf to notary Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)	2015-10-27 16:36:06 -07:00
Ying Li	75b63b84cd	Add import/export to KeyStore interface so that the import_export code makes use of this rather than mangle files manually to import/export root keys. (Regular keys it just zips up the whole directory.) Signed-off-by: Ying Li <ying.li@docker.com>	2015-10-27 16:19:14 -07:00
Ying Li	566bd3ce67	Combine the nonRootKeyStore with the rootKeyStore, and move the abstracting over the root keys directory from non-root keys directory from keystoremanager to keystore, since we're eliminating keystoremanager. Maintain the two separate directories, though, because one can't tell whether there is an old-style separate-directories structure, or if someone has a GUN that starts with tuf_keys. Signed-off-by: Ying Li <ying.li@docker.com>	2015-10-27 12:33:46 -07:00
Ying Li	bcdd375ce5	Merge pull request #229 from cyli/tls-config-refactor Factor out TLS configuration code for server and TLS	2015-10-26 09:33:41 -07:00
Ying Li	ed61974d10	Remove linking from the filestore Signed-off-by: Ying Li <ying.li@docker.com>	2015-10-23 21:19:47 -07:00
Ying Li	61f9f84254	Use configuration option structures to set up client TLS and server TLS. Test for if client cert is passed without a client key and vice versa. Fail in ConfigureClientTLS if only one of client cert/key is passed. Lint fixes. Signed-off-by: Ying Li <ying.li@docker.com>	2015-10-21 18:43:33 -07:00
David Lawrence	e6460330bd	fixing camel casing of func Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)	2015-10-20 21:45:30 -07:00
Ying Li	208977b1ad	Add an extra test for ECDSAx509 keys Signed-off-by: Ying Li <ying.li@docker.com>	2015-10-20 20:57:18 -07:00

1 2 3 4

167 Commits