2a3c301274
Update and rebase
...
Signed-off-by: Riyaz Faizullabhoy <riyaz.faizullabhoy@docker.com>
2016-04-26 17:04:48 -07:00
ca9fc99ba5
Goodbye Certstore
...
Signed-off-by: Riyaz Faizullabhoy <riyaz.faizullabhoy@docker.com>
2016-04-26 17:00:09 -07:00
8e30157a5c
trustmanager: Minor cosmetic source code fixes
...
Fixing a few things I noticed scrolling through the Notary 0.3.0-RC1
diff.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
2016-04-26 10:29:39 -07:00
4f58eda1ec
removing unused functions in SimpleFileStore
...
Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)
2016-04-19 15:46:56 -07:00
64ea94567b
refactoring some duplicate code in parsing x509 certs to keys
...
Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)
2016-04-19 15:46:56 -07:00
31f02ec0f7
minor cleanup of filestore initialization
...
Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)
2016-04-19 15:46:56 -07:00
26a95ef5a3
Handle cert bundles as key IDs
...
Signed-off-by: Riyaz Faizullabhoy <riyaz.faizullabhoy@docker.com>
2016-04-19 11:01:56 -07:00
c2f5753630
Update CA pinning logic to include intermediates, add positive test case
...
Signed-off-by: Riyaz Faizullabhoy <riyaz.faizullabhoy@docker.com>
2016-04-19 11:01:55 -07:00
cf4e726514
"make lint" wasn't actually linting every file in the repo. golint ./...
...
ignores buildtags, for instance, and somehow didn't pick up some code in
the signer.
This calls golint on every go file in the repo and also fixes some linting
issues, which involves renaming two yubikey functions to avoid stuttering.
Signed-off-by: Ying Li <ying.li@docker.com>
2016-04-12 22:28:32 -07:00
dcc41be3e1
Rename cert function, and also check if newCertMap is empty.
...
Also do not check for CKR_FUNCTION_FAILED for error translation
Signed-off-by: Ying Li <ying.li@docker.com>
2016-04-12 16:07:37 -07:00
229d64e0e0
Use ErrKeyNotFound in KeyStore.GetKey
...
3 out of 4 KeyStore implementations have already been returning this
type or a pointer to it; document this as a requirement, and modify
implementations to comply.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
2016-04-12 14:33:46 -07:00
5d0b926b7f
Use require for certs and trustmanager
...
Signed-off-by: Riyaz Faizullabhoy <riyaz.faizullabhoy@docker.com>
2016-04-04 14:44:48 -07:00
c54183bc27
Add error case to keyInfo generation, test yubikey backup, fix rebase conflicts
...
Signed-off-by: Riyaz Faizullabhoy <riyaz.faizullabhoy@docker.com>
2016-03-18 11:35:34 -07:00
e1613cdcb2
Address review comments
...
Signed-off-by: Riyaz Faizullabhoy <riyaz.faizullabhoy@docker.com>
2016-03-18 11:31:07 -07:00
be66056edb
change API to specify keyID instead of name
...
Signed-off-by: Riyaz Faizullabhoy <riyaz.faizullabhoy@docker.com>
2016-03-18 11:31:07 -07:00
5984b88f14
configure backing up logic for yubikey
...
Signed-off-by: Riyaz Faizullabhoy <riyaz.faizullabhoy@docker.com>
2016-03-18 11:31:07 -07:00
1ed9c352d7
change ks.AddKey to be consistent with CryptoService
...
Signed-off-by: Riyaz Faizullabhoy <riyaz.faizullabhoy@docker.com>
2016-03-18 11:31:06 -07:00
9ecd899e25
Removing key import and gun from cryptoservice
...
Signed-off-by: Riyaz Faizullabhoy <riyaz.faizullabhoy@docker.com>
2016-03-18 11:31:03 -07:00
1aad807439
update role checks for empty gun
...
Signed-off-by: Riyaz Faizullabhoy <riyaz.faizullabhoy@docker.com>
2016-03-18 11:06:40 -07:00
7bd550a39a
import refactor
...
Signed-off-by: Riyaz Faizullabhoy <riyaz.faizullabhoy@docker.com>
2016-03-18 11:06:40 -07:00
c7bccd79e3
addressing review comments
...
Signed-off-by: Riyaz Faizullabhoy <riyaz.faizullabhoy@docker.com>
2016-03-18 11:06:39 -07:00
2a37590ea6
update interface and comments
...
Signed-off-by: Riyaz Faizullabhoy <riyaz.faizullabhoy@docker.com>
2016-03-18 11:06:37 -07:00
c41cee3e5d
simplify export logic with new keymap
...
Signed-off-by: Riyaz Faizullabhoy <riyaz.faizullabhoy@docker.com>
2016-03-18 11:04:04 -07:00
0f39dd7aa8
add GetKeyInfo test for memory store
...
Signed-off-by: Riyaz Faizullabhoy <riyaz.faizullabhoy@docker.com>
2016-03-18 11:04:04 -07:00
97e845e295
AddKey for cryptoservice
...
Signed-off-by: Riyaz Faizullabhoy <riyaz.faizullabhoy@docker.com>
2016-03-18 11:04:04 -07:00
23eb203a63
add key info api, use for passwd
...
Signed-off-by: Riyaz Faizullabhoy <riyaz.faizullabhoy@docker.com>
2016-03-18 11:03:14 -07:00
351b247aec
add tests for initial keystore state, and after removing and adding
...
Signed-off-by: Riyaz Faizullabhoy <riyaz.faizullabhoy@docker.com>
2016-03-18 11:03:11 -07:00
bbaef4faba
Flatten keystore by adding map, simple tests
...
Signed-off-by: Riyaz Faizullabhoy <riyaz.faizullabhoy@docker.com>
2016-03-18 11:00:50 -07:00
d69d0188a4
Move yubikey import role check to avoid excessive passphrase prompting
...
Signed-off-by: Riyaz Faizullabhoy <riyaz.faizullabhoy@docker.com>
2016-02-24 14:29:40 -08:00
0fdb2d1891
update positive tests
...
Signed-off-by: Riyaz Faizullabhoy <riyaz.faizullabhoy@docker.com>
2016-02-08 13:40:02 -08:00
c66584989e
add checks to CLI command for role and gun
...
Signed-off-by: Riyaz Faizullabhoy <riyaz.faizullabhoy@docker.com>
2016-02-08 13:38:42 -08:00
caa9581bcc
add tests, consts and fixup
...
Signed-off-by: Riyaz Faizullabhoy <riyaz.faizullabhoy@docker.com>
2016-02-08 13:38:42 -08:00
2964e8c6f4
add integration test for adding/listing/removing targets from roles
...
Signed-off-by: Riyaz Faizullabhoy <riyaz.faizullabhoy@docker.com>
2016-01-28 10:20:27 -08:00
83c5ed255b
Add check for RSA key len before adding
...
Signed-off-by: Riyaz Faizullabhoy <riyaz.faizullabhoy@docker.com>
2016-01-26 23:27:06 -08:00
138d6cea09
Add, remove, and list delegation command. TUF changelist action change
...
for deletions (force vs. individual items)
Signed-off-by: Riyaz Faizullabhoy <riyaz.faizullabhoy@docker.com>
2016-01-18 16:24:45 -08:00
fdc0f04268
Keep code style consistent
...
GetLeafCerts and GetIntermediaCerts are similiar and a consistent
implementation will be more friendly to those people who wants to read
the code.
Signed-off-by: Hu Keping <hukeping@huawei.com>
2016-01-18 19:58:02 +08:00
877d47bb5c
Add tests to ensure you can just drop a key in tuf_key and use it for signing.
...
This is important for user keys, which do not necessarily need to be under a GUN,
and may have a role other than one of the canonical roles (e.g. "user" role).
Signed-off-by: Ying Li <ying.li@docker.com>
2016-01-15 18:54:41 -08:00
48ecd8d2cb
some cleanup of certs code
...
Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)
2016-01-15 11:30:32 -08:00
f1067998f6
added /usr/lib64 to search paths
...
Signed-off-by: Udo Seidel <udoseidel@gmx.de>
2016-01-07 11:56:22 +01:00
0465365fb6
Return an error if unable to encrypt a key as a valid PEM file
...
Also address review comments and fix semantic conflict after rebase.
Signed-off-by: Ying Li <ying.li@docker.com>
2015-12-23 09:44:51 -08:00
2bf5d4b09a
test for legacy keys and some bugfixes for same
...
Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)
2015-12-23 09:41:03 -08:00
f2ec72b5b6
aliases removed from file names
...
Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)
2015-12-23 09:41:03 -08:00
6d5b8ff54a
add role into PEM headers
...
Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)
2015-12-23 09:41:03 -08:00
1f329868e8
making filestores consistent so you can Get, Remove, etc... the paths returned by ListFiles
...
Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)
2015-12-23 09:41:03 -08:00
8f7fddd5d5
breaking up low level storage into logical files
...
Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)
2015-12-23 09:41:03 -08:00
06e58c1d11
Tighten TestNewCertificate tests
...
Using the just added facility to generate a certificate as of a specific
time, tighten TestNewCertificate to use equality comparisons.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
2015-12-09 20:02:10 +01:00
bd6d937f43
Fix computation of certificate expiration
...
Instead of 3650 days, actually use 10 years (i.e. take into account leap
days).
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
2015-12-09 20:02:10 +01:00
3c6335c572
Explicitly supply validity times to certificate generation
...
Add explicit startTime and endTime parameters to
cryptoservice.GenerateCertificate and trustmanager.NewCertificate.
trustmanager.NewCertificate as a low-level data manipulation function
should not be hard-coding policy (10-year expiration); that policy
belongs to its callers, or one more level higher to callers of
cryptoservice.GenerateCertificate.
These places hard-coding policy now also have an explict comment to
that effect.
In addition to conceptual cleanliness, this will allow writing tests
of certificate expiry by generating appropriate expired or nearly-expired
certificates.
Tests which don't care about the policy much will continue to use the
just added cryptoservice.GenerateTestingCertificate.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
2015-12-09 20:02:10 +01:00
68962ce0f7
Merge pull request #281 from docker/better-pkcs11-logging
...
Log whether a pkcs11 library was found and if it was loadable.
This unfortunately prints out every time any operation is done on the Yubikey, producing a lot of log output, but perhaps that is better because an operation might fail at any given time.
Output if no Yubikey:
DEBU[0000] Failed to initialize PKCS11 environment: loaded library /usr/local/lib/libykcs11.dylib, but no HSM slots found
If there is a Yubikey:
DEBU[0000] Initialized PKCS11 library /usr/local/lib/libykcs11.dylib and started HSM session
2015-11-13 15:51:11 -08:00
f9bd60701f
Log whether a pkcs11 library was found and if it was loadable.
...
Signed-off-by: Ying Li <ying.li@docker.com>
2015-11-13 02:53:39 -08:00
Riyaz Faizullabhoy
Aaron Lehmann
David Lawrence
Ying Li
Miloslav Trmač
HuKeping
Udo Seidel
Ying Li