* RemoveKey must purge the cache entry
* Add mutexes to KeyFileStore and KeyMemoryStore so the cachedKeys map
is protected in the case that keystore operations happen from multiple
goroutines
* Change GetKey to return the alias along with the key. Remove
GetKeyAlias. This simplifies the code flows that retrieve the alias
(since they usually get the key and alias together).
* Fix tests affected by key caching
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
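The caching behaviour this commit message describes, as an added Go example (not the project's code): RemoveKey purges the cache entry, one mutex guards the cachedKeys map, and GetKey returns the alias along with the key. The demoKeyStore and entry types, the backing map standing in for key files on disk, and the sample key id are assumptions made for illustration.

```go
package main

import "fmt"
import "sync"

type entry struct {
	alias string
	key   []byte
}

// demoKeyStore is hypothetical; backing stands in for the key files on disk.
type demoKeyStore struct {
	mu                  sync.Mutex // guards both maps against concurrent use
	backing, cachedKeys map[string]entry
}

func (s *demoKeyStore) AddKey(id, alias string, key []byte) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.backing[id] = entry{alias, key}
}

// GetKey returns the key and its alias together, filling the cache on a miss.
func (s *demoKeyStore) GetKey(id string) ([]byte, string, bool) {
	s.mu.Lock()
	defer s.mu.Unlock()
	e, ok := s.cachedKeys[id]
	if !ok {
		if e, ok = s.backing[id]; ok {
			s.cachedKeys[id] = e
		}
	}
	return e.key, e.alias, ok
}

func (s *demoKeyStore) RemoveKey(id string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	delete(s.backing, id)
	delete(s.cachedKeys, id) // purge the cache too, or GetKey keeps serving the key
}

func main() {
	s := &demoKeyStore{backing: map[string]entry{}, cachedKeys: map[string]entry{}}
	s.AddKey("constructed-id", "root", []byte("constructed key bytes"))
	s.GetKey("constructed-id") // warms the cache
	s.RemoveKey("constructed-id")
	_, _, ok := s.GetKey("constructed-id")
	fmt.Println("served after removal:", ok)
}
```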
The logic to retrieve passphrase is generic and may be used directly by clients.
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
This subdirectory is at the same level as root_keys. It avoids having
rootKeyStore and nonRootKeyStore overlap. Previously, the base directory
for rootKeyStore was .../private/root_keys and the base directory for
nonRootKeyStore was .../private.
This commit also removes deduplicating logic in ExportAllKeys, which is
no longer needed now that the stores don't overlap.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
Add unit test coverage that makes this check fail. Also add unit test
coverage for making sure trying to import something that isn't PEM fails
in the expected way.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
This function reads a zip file and populates the keystores with the keys
in the zip file. Root keys are left encrypted, and non-root keys are
decrypted before being added to the keystore.
The unit test first exports a repo's keys to a zip file, then imports it
into another repo. It checks that all the correct keys exist in the new
repo after the import operation.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
This allows all keys to be exported to a zip file. Keys that were
already encrypted are kept as-is, and keys that weren't encrypted are
encrypted with the specified passphrase.
Also add a unit test that creates the zip file and checks the expected
keys all exist, and are all encrypted with the expected passphrase.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
Move GenRootKey and GetRootCryptoService to KeyStoreManager, now that
they don't depend on client-specific types.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
Refactor validateRoot into KeyStoreManager. It now takes the DNS name as
a parameter. When KeyStoreManager is used with a NotaryRepository, the
DNS name should be the GUN of the repository.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
This structure encapsulates what used to be "rootKeyStore" and
"privKeyStore". These are being moved out of NotaryRepository, so that
operations like listing keys, importing keys, and exporting keys aren't
tied to a NotaryRepository structure.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>