e8d2240c79
write private key to a backup dir when creating keys on yubikey
...
Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)
2015-11-12 01:09:31 -08:00
b7c38f0287
fixing tests
...
Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)
2015-11-12 01:09:31 -08:00
0fd1fa6ada
arbitrary slots working
...
Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)
2015-11-12 01:09:31 -08:00
da18f54699
import-root, list, and remove working with yubikey
...
Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)
2015-11-12 01:09:31 -08:00
be4c0669c1
move import/export to cryptoservice and add import to yubikey
...
Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)
2015-11-12 01:09:31 -08:00
06990fd5a1
integreating with @cyli's improvements
...
Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)
2015-10-30 10:15:52 -07:00
f73560d839
creating concrete types for the various key ciphers
...
Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)
2015-10-28 16:02:55 -07:00
daa36b43b7
Merge pull request #242 from docker/unify-root-nonroot-keystore
...
Unify root nonroot keystore
2015-10-28 13:14:19 -07:00
2833a88292
adding gotuf to notary
...
Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)
2015-10-27 16:36:06 -07:00
75b63b84cd
Add import/export to KeyStore interface so that the import_export code
...
makes use of this rather than mangle files manually to import/export
root keys. (Regular keys it just zips up the whole directory.)
Signed-off-by: Ying Li <ying.li@docker.com>
2015-10-27 16:19:14 -07:00
566bd3ce67
Combine the nonRootKeyStore with the rootKeyStore, and move the abstracting
...
over the root keys directory from non-root keys directory from keystoremanager
to keystore, since we're eliminating keystoremanager.
Maintain the two separate directories, though, because one can't tell whether
there is an old-style separate-directories structure, or if someone has a GUN
that starts with tuf_keys.
Signed-off-by: Ying Li <ying.li@docker.com>
2015-10-27 12:33:46 -07:00
bcdd375ce5
Merge pull request #229 from cyli/tls-config-refactor
...
Factor out TLS configuration code for server and TLS
2015-10-26 09:33:41 -07:00
ed61974d10
Remove linking from the filestore
...
Signed-off-by: Ying Li <ying.li@docker.com>
2015-10-23 21:19:47 -07:00
61f9f84254
Use configuration option structures to set up client TLS and server TLS.
...
Test for if client cert is passed without a client key and vice versa.
Fail in ConfigureClientTLS if only one of client cert/key is passed.
Lint fixes.
Signed-off-by: Ying Li <ying.li@docker.com>
2015-10-21 18:43:33 -07:00
e6460330bd
fixing camel casing of func
...
Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)
2015-10-20 21:45:30 -07:00
208977b1ad
Add an extra test for ECDSAx509 keys
...
Signed-off-by: Ying Li <ying.li@docker.com>
2015-10-20 20:57:18 -07:00
ea7d621705
Add a utility function to return a public key ID from a certificate.
...
Signed-off-by: Ying Li <ying.li@docker.com>
2015-10-20 19:38:39 -07:00
7356dfd273
Change ConfigServerTLS to take a client CA directory instead of certs
...
Signed-off-by: Ying Li <ying.li@docker.com>
2015-10-19 17:29:54 -07:00
e50cc2c9cd
Add test to ensure that x509filestore loads existing certs from the
...
directory without modifying/overwriting them.
Signed-off-by: Ying Li <ying.li@docker.com>
2015-10-19 17:29:54 -07:00
ec3167eedb
Import and export symlinks in keystore
...
- Export symlinks by encoding them in the zip file.
- Detect symlinks in a zip file on import and create them on the local
filesystem.
- Add test coverage.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
2015-08-03 15:03:31 -07:00
bd9d7c9c74
Move key database to signer package
...
The key database is not generally used but only used by the signing service.
Move the implementation to the signer package to be imported by the signer.
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2015-07-30 16:22:47 -07:00
2ac1d44be1
Merge pull request #154 from docker/diogo-add-remove-cert
...
Added cli cert command, changed keylisting to be a map
2015-07-28 20:13:32 -07:00
27461ad9fb
Added cli cert command, changed keylisting to be a map, fixed key removal
...
Signed-off-by: Diogo Monica <diogo@docker.com>
2015-07-28 18:14:29 -07:00
740e5b095d
Use the random reader passed as argument to GenerateED25519Key.
...
Rather than the global source.
Signed-off-by: David Calavera <david.calavera@gmail.com>
2015-07-28 16:59:03 -07:00
3a1292a287
Avoid printing "Passphrases do not match" when passphrase is too short
...
Also, wrap the passphrase instructions paragraph at 80 columns, and
change the passphrase variable name in addKey to avoid a conflict with
the package name.
Fixes #146
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
2015-07-28 14:41:27 -07:00
4546ded7e0
Adding support for passphrases from env
...
Signed-off-by: Diogo Monica <diogo@docker.com>
2015-07-27 12:07:03 -07:00
b73a7a4cfa
Removing comments
...
Signed-off-by: Diogo Monica <diogo@docker.com>
2015-07-27 09:55:18 -07:00
0fb0877c3c
Adding new jose dependency, fixing nits
...
Signed-off-by: Diogo Monica <diogo@docker.com>
2015-07-26 20:32:47 -07:00
a2472a5a72
Addressed comments, changed to PBES2, added key rotation
...
Signed-off-by: Diogo Monica <diogo@docker.com>
2015-07-26 09:18:08 -07:00
c7e421a501
Fixing unique key_id entry enforcement
...
Signed-off-by: Diogo Monica <diogo@docker.com>
2015-07-24 12:36:17 -07:00
e568babc0a
Added one more test, and fixed delete bug
...
Signed-off-by: Diogo Monica <diogo@docker.com>
2015-07-24 06:47:04 -07:00
e81fc405f6
Refactored keystore, created keydbstore and added tests
...
Signed-off-by: Diogo Monica <diogo@docker.com>
2015-07-24 05:46:40 -07:00
11af29d8db
update tests to check for new types
...
Signed-off-by: Nathan McCauley <nathan.mccauley@docker.com>
2015-07-23 01:54:14 -07:00
c5ffbd1055
Adding typed error for missing keys
...
Signed-off-by: Diogo Monica <diogo@docker.com>
2015-07-23 00:09:35 -07:00
be1d365626
Changed debug key type
...
Signed-off-by: Diogo Monica <diogo@docker.com>
2015-07-22 16:51:55 -07:00
304afb53d0
Add missing use of invalid passphrase error
...
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2015-07-22 04:08:14 -07:00
5eb296d276
Return invalid password when cannot retrieve passphrase
...
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2015-07-22 03:42:16 -07:00
cfe8255187
better error handling for invalid password
...
Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)
2015-07-22 11:37:54 -07:00
b8b59dbc20
Fixed but with listDirectory and added tests
...
Signed-off-by: Diogo Monica <diogo@docker.com>
2015-07-20 19:48:17 -07:00
c0b0593247
Merge pull request #104 from docker/increase-cert
...
Changing certificate expiration time to 10 years
2015-07-20 15:21:37 -07:00
d1761eba25
Changing certificate expiration time to 10 years
...
Signed-off-by: Diogo Monica <diogo@docker.com>
2015-07-20 14:55:36 -07:00
f7ea67cfab
Rebased from master
...
Signed-off-by: Diogo Monica <diogo@docker.com>
2015-07-20 13:46:01 -07:00
4dfe45d64e
Changing testify import
...
Signed-off-by: Diogo Monica <diogo@docker.com>
2015-07-20 13:36:03 -07:00
42ded6231c
Converted tests to testify and EC generation
...
Signed-off-by: Diogo Monica <diogo@docker.com>
2015-07-20 13:36:03 -07:00
1aced67471
Improvements to keystore caching
...
* RemoveKey must purge the cache entry
* Add mutexes to KeyFileStore and KeyMemoryStore so the cachedKeys map
is protected in the case that keystore operations happen from multiple
goroutines
* Change GetKey to return the alias along with the key. Remove
GetKeyAlias. This simplifies the code flows that retrieve the alias
(since they usually get the key and alias together).
* Fix tests affected by key caching
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
2015-07-20 13:36:03 -07:00
1421f47258
keystore caching
...
Signed-off-by: Nathan McCauley <nathan.mccauley@docker.com>
2015-07-20 13:34:11 -07:00
c35c1ea254
Move passphrase logic to its own package
...
The logic to retrieve passphrase is generic and may be used by directly by clients.
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2015-07-20 13:02:05 -07:00
f3a7fdf211
Removing doubling of string in test
...
Signed-off-by: Diogo Monica <diogo@docker.com>
2015-07-20 11:42:10 -07:00
6b23e7d249
review feedback
...
Signed-off-by: Nathan McCauley <nathan.mccauley@docker.com>
2015-07-20 11:10:13 -07:00
f07876602f
add test for passphraseRetriever
...
Signed-off-by: Nathan McCauley <nathan.mccauley@docker.com>
2015-07-20 11:00:24 -07:00
0642da80f1
review feedback
...
Signed-off-by: Nathan McCauley <nathan.mccauley@docker.com>
2015-07-20 11:00:24 -07:00
38fe6bd45b
gofmt across the baord
...
Signed-off-by: Nathan McCauley <nathan.mccauley@docker.com>
2015-07-20 11:00:24 -07:00
de6f65b7e7
many testing fixups to support key aliasing
...
Signed-off-by: Nathan McCauley <nathan.mccauley@docker.com>
2015-07-20 11:00:22 -07:00
f239757dfd
keystore aliasing, take 2
...
Signed-off-by: Nathan McCauley <nathan.mccauley@docker.com>
2015-07-20 10:58:20 -07:00
5df1eb21f3
keystore aliasing, take 1
...
Signed-off-by: Nathan McCauley <nathan.mccauley@docker.com>
2015-07-20 10:58:20 -07:00
23b7e8c6af
Update keyfilestore to use passwordRetriever
...
Signed-off-by: Nathan McCauley <nathan.mccauley@docker.com>
2015-07-20 10:58:16 -07:00
3b261e8972
Removing comments
...
Signed-off-by: Diogo Monica <diogo@docker.com>
2015-07-20 10:08:15 -07:00
1e9365a384
Addressed small nits
...
Signed-off-by: Diogo Monica <diogo@docker.com>
2015-07-19 13:43:54 -07:00
cf9e6499e1
Addressing comments
...
Signed-off-by: Diogo Monica <diogo@docker.com>
2015-07-19 01:45:43 -07:00
2eb77d3334
Removed organization from certificates and added tests for x509utils
...
Signed-off-by: Diogo Monica <diogo@docker.com>
2015-07-18 21:48:53 -07:00
97a2d30d99
Fixed bug with RemoveCert
...
Signed-off-by: Diogo Monica <diogo@docker.com>
2015-07-18 01:42:19 -07:00
e3591c0b10
Added new helper functions
...
Signed-off-by: Diogo Monica <diogo@docker.com>
2015-07-18 01:40:32 -07:00
2b7682c323
Merge pull request #82 from docker/new-unit-tests
...
New unit tests
2015-07-17 18:24:35 -07:00
f5d1a1fbf5
Add test coverage for KeyMemoryStore (and by extension, MemoryFileStore)
...
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
2015-07-17 16:45:36 -07:00
00f8f56942
Cosmetic code changes
...
Signed-off-by: Diogo Monica <diogo@docker.com>
2015-07-17 14:33:06 -07:00
4c805611d0
Adding more error types and being extra careful with checks
...
Signed-off-by: Diogo Monica <diogo@docker.com>
2015-07-17 14:33:06 -07:00
945691912a
Added error type to X509FileStore
...
Signed-off-by: Diogo Monica <diogo@docker.com>
2015-07-17 14:33:05 -07:00
2c9a0d6331
Adding tests to RemoveAll in X509Stores
...
Signed-off-by: Diogo Monica <diogo@docker.com>
2015-07-17 14:31:43 -07:00
3ec4f1d7f4
Adding RemoveKey and Test
...
Signed-off-by: Diogo Monica <diogo@docker.com>
2015-07-17 14:31:43 -07:00
f5873eef8c
Adding RemoveAll to X509FileStore and correcting functions caller
...
Signed-off-by: Diogo Monica <diogo@docker.com>
2015-07-17 14:31:43 -07:00
5a77976901
Rebasing from master
...
Signed-off-by: Diogo Monica <diogo@docker.com>
2015-07-17 14:31:43 -07:00
58e6544d0a
Adding Cert retrieval by common name, and renaming KeyID to CertID
...
Signed-off-by: Diogo Monica <diogo@docker.com>
2015-07-17 14:28:30 -07:00
0313aa5958
Adding parsing of multiple certificates, and leaf cert filtering methods
...
Signed-off-by: Diogo Monica <diogo@docker.com>
2015-07-17 14:28:30 -07:00
d2ea9cc0d5
Updates to notary for gotuf's split of PublicKey and PrivateKey interfaces
...
Functions should now take data.PublicKey or data.PrivateKey instead of
data.Key.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
2015-07-17 11:35:22 -07:00
88e7346782
Merge pull request #71 from docker/unify-cryptoservice
...
Unify cryptoservice
2015-07-17 11:10:59 -07:00
125d72fd77
Big refactor to make signer use cryptoservices
...
- Add MemoryFileStore, a partial FileStore implementation that doesn't
persist on disk.
- Create a KeyStore interface that allows pluggable key store types. Use
this interface in the cryptoservice implementation.
- Add KeyMemoryStore, which uses MemoryFileStore to provide a KeyStore.
- Add GetKey and DeleteKey functions to cryptoservice.CryptoService.
- Refactor the hardware RSA signing service as a CryptoService.
- Replace custom ed25519 code with cryptoservice.CryptoService.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
2015-07-17 09:33:19 -07:00
f5c1d8dbc9
Add ED25519 support to cryptoservice and x509utils
...
Add unit tests for cryptoservice that do sign and verify for all three
supported algorithms.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
2015-07-16 18:44:44 -07:00
0ed6072a4a
Merge pull request #67 from docker/adding-certs
...
Adding new certificates
2015-07-15 22:35:54 -07:00
3d58e6b810
Added tests for x509Filestore
...
Signed-off-by: Diogo Monica <diogo@docker.com>
2015-07-15 19:57:48 -07:00
d743dfac6e
Fixed config files and trust manager tests to point at new fixtures
...
Signed-off-by: Diogo Monica <diogo@docker.com>
2015-07-15 19:46:57 -07:00
76d81563b3
Simplifying AddCertFromPEM to use help functions
...
Signed-off-by: Diogo Monica <diogo@docker.com>
2015-07-15 19:44:37 -07:00
20633e3e12
Make FileStore only allow operations on files inside the store
...
Paths that abuse .. shouldn't be able to escape from the filestore. This
is especially important when importing keys from zip files that could
have "creative" paths encoded in the zip.
Add test coverage for this protection.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
2015-07-15 17:14:56 -07:00
878a8a083d
Add ExportAllKeys function
...
This allows all keys to be exported to a zip file. Keys that were
already encrypted are kept as-is, and keys that weren't encrypted are
encrypted with the specified passphrase.
Also add a unit test that creates the zip file and checks the expected
keys all exist, and are all encrypted with the expected passphrase.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
2015-07-15 17:14:49 -07:00
765a2cf661
Refactor crypto service
...
Signed-off-by: Diogo Monica <diogo@docker.com>
2015-07-13 13:53:47 -07:00
1f5d935cc8
Fixing lint
...
Signed-off-by: Diogo Monica <diogo@docker.com>
2015-07-12 22:51:27 -07:00
1a054d7741
Small nits
...
Signed-off-by: Diogo Monica <diogo@docker.com>
2015-07-12 22:21:29 -07:00
ba94fdd19d
Signature/key types are now used correcty and are represented by constants.
...
Signed-off-by: Diogo Monica <diogo@docker.com>
2015-07-12 22:21:29 -07:00
085c613527
Refactored fingerprint cert and added better debugging
...
Signed-off-by: Diogo Monica <diogo@docker.com>
2015-07-12 22:21:29 -07:00
39482c2397
Working ECDSA implementation
...
Signed-off-by: Diogo Monica <diogo@docker.com>
2015-07-12 22:21:29 -07:00
43d0ec8a75
Initial ECDSA trustmanager methods
...
Signed-off-by: Diogo Monica <diogo@docker.com>
Splitting CryptoService into ECDSA and RSA cryptoservices
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
Working ECDSA support
Signed-off-by: Diogo Monica <diogo@docker.com>
2015-07-12 22:21:29 -07:00
1ae9cf057e
Removing dangling temp test directories
2015-07-09 21:03:54 -07:00
06a28c89ee
Added root key creation if non-existing to notary
...
Signed-off-by: Diogo Monica <diogo@docker.com>
2015-07-09 18:56:06 -07:00
682e7ea00b
Fixing lint
...
Signed-off-by: Diogo Monica <diogo@docker.com>
2015-07-09 17:58:55 -07:00
d7999b6cdc
Fixing stat and error checking for x509filestore
...
Signed-off-by: Diogo Monica <diogo@docker.com>
2015-07-09 17:58:47 -07:00
8c6de46aca
Added list keys that ignores symlinks
2015-07-09 17:58:10 -07:00
4635bed2db
Major refactor of keys
...
Signed-off-by: Diogo Monica <diogo@docker.com>
2015-07-09 17:58:10 -07:00
4f6b2da44d
Add TestValidateRootKey, validates presence of x509 cert in root.json
2015-07-09 17:58:09 -07:00
f9f11e5781
Starting the key refactor; rename UnlockedRootKey
...
Signed-off-by: Diogo Monica <diogo@docker.com>
2015-07-09 17:58:09 -07:00
e7462dcdad
Write test for FileStore's Link method
...
Also remove debugging print statements from the Link method.
2015-07-09 17:58:09 -07:00
f4e1d3e932
Changing hardlink to symlink
...
Signed-off-by: Diogo Monica <diogo@docker.com>
2015-07-09 17:58:09 -07:00
David Lawrence