docker
/
docs
mirror of https://github.com/docker/docs.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
1,157 Commits 25 Branches 28 Tags 827 MiB
Commit Graph

174 Commits

Author SHA1 Message Date
David Lawrence f2ec72b5b6 aliases removed from file names 
Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)
 2015-12-23 09:41:03 -08:00
David Lawrence 6d5b8ff54a add role into PEM headers 
Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)
 2015-12-23 09:41:03 -08:00
David Lawrence 1f329868e8 making filestores consistent so you can Get, Remove, etc... the paths returned by ListFiles 
Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)
 2015-12-23 09:41:03 -08:00
David Lawrence 8f7fddd5d5 breaking up low level storage into logical files 
Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)
 2015-12-23 09:41:03 -08:00
Miloslav Trmač 06e58c1d11 Tighten TestNewCertificate tests 
Using the just added facility to generate a certificate as of a specific
time, tighten TestNewCertificate to use equality comparisons.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
 2015-12-09 20:02:10 +01:00
Miloslav Trmač bd6d937f43 Fix computation of certificate expiration 
Instead of 3650 days, actually use 10 years (i.e. take into account leap
days).

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
 2015-12-09 20:02:10 +01:00
Miloslav Trmač 3c6335c572 Explicitly supply validity times to certificate generation 
Add explicit startTime and endTime parameters to
cryptoservice.GenerateCertificate and trustmanager.NewCertificate.

trustmanager.NewCertificate as a low-level data manipulation function
should not be hard-coding policy (10-year expiration); that policy
belongs to its callers, or one more level higher to callers of
cryptoservice.GenerateCertificate.

These places hard-coding policy now also have an explict comment to
that effect.

In addition to conceptual cleanliness, this will allow writing tests
of certificate expiry by generating appropriate expired or nearly-expired
certificates.

Tests which don't care about the policy much will continue to use the
just added cryptoservice.GenerateTestingCertificate.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
 2015-12-09 20:02:10 +01:00
Ying Li 68962ce0f7 Merge pull request #281 from docker/better-pkcs11-logging 
Log whether a pkcs11 library was found and if it was loadable.

This unfortunately prints out every time any operation is done on the Yubikey, producing a lot of log output, but perhaps that is better because an operation might fail at any given time.

Output if no Yubikey:
DEBU[0000] Failed to initialize PKCS11 environment: loaded library /usr/local/lib/libykcs11.dylib, but no HSM slots found 

If there is a Yubikey:
DEBU[0000] Initialized PKCS11 library /usr/local/lib/libykcs11.dylib and started HSM session
 2015-11-13 15:51:11 -08:00
Ying Li f9bd60701f Log whether a pkcs11 library was found and if it was loadable. 
Signed-off-by: Ying Li <ying.li@docker.com>
 2015-11-13 02:53:39 -08:00
Ying Li 587906e6c6 More defensive coding around listing our keys in the yubikey. 
Signed-off-by: Ying Li <ying.li@docker.com>
 2015-11-13 00:08:53 -08:00
Diogo Monica d2f69fe5bc Adding another path to search for ykcs libs 
Signed-off-by: Diogo Monica <diogo@docker.com>
 2015-11-12 01:22:40 -08:00
Ying Li 87231d9a5d Fix new bug where adding a duplicate key to a yubikey added to the backup. 
Added a test for this case as well - thanks @endophage!

Signed-off-by: Ying Li <ying.li@docker.com>
Signed-off-by: David Lawrence <david.lawrence@docker.com>

Signed-off-by: Ying Li <ying.li@docker.com> (github: endophage)
 2015-11-12 01:13:58 -08:00
Ying Li 43f2d40e43 Make our CI pick up trustmanager/yubikey again 
Signed-off-by: Ying Li <ying.li@docker.com>
Signed-off-by: David Lawrence <david.lawrence@docker.com>

Signed-off-by: Ying Li <ying.li@docker.com> (github: endophage)
 2015-11-12 01:13:55 -08:00
Ying Li 6cf0643d7d Roll back an add key to the yubikey if we can't back it up. 
Signed-off-by: Ying Li <ying.li@docker.com>
Signed-off-by: David Lawrence <david.lawrence@docker.com>

Signed-off-by: Ying Li <ying.li@docker.com> (github: endophage)
 2015-11-12 01:13:46 -08:00
Ying Li 96bfaac05f Add tests for verifying signatures before returning a signature. 
Signed-off-by: Ying Li <ying.li@docker.com>
Signed-off-by: David Lawrence <david.lawrence@docker.com>

Signed-off-by: Ying Li <ying.li@docker.com> (github: endophage)
 2015-11-12 01:13:43 -08:00
Ying Li 4b7fefd5ef Do not clean up a session if there is no session. 
Signed-off-by: Ying Li <ying.li@docker.com>
Signed-off-by: David Lawrence <david.lawrence@docker.com>

Signed-off-by: Ying Li <ying.li@docker.com> (github: endophage)
 2015-11-12 01:13:35 -08:00
Ying Li cee92fa363 Undo some changes from a bad stash pop that were unintentional. 
Signed-off-by: Ying Li <ying.li@docker.com>
Signed-off-by: David Lawrence <david.lawrence@docker.com>

Signed-off-by: Ying Li <ying.li@docker.com> (github: endophage)
 2015-11-12 01:13:32 -08:00
Ying Li 38a5b5a342 Add FindObjectsFinalize to getNextEmptySlot. 
Signed-off-by: Ying Li <ying.li@docker.com>
Signed-off-by: David Lawrence <david.lawrence@docker.com>

Signed-off-by: Ying Li <ying.li@docker.com> (github: endophage)
 2015-11-12 01:13:29 -08:00
Ying Li 10057562d8 Add fixes for Sign (do not continue if SignInit fails). 
Signed-off-by: Ying Li <ying.li@docker.com>
Signed-off-by: David Lawrence <david.lawrence@docker.com>

Signed-off-by: Ying Li <ying.li@docker.com> (github: endophage)
 2015-11-12 01:13:25 -08:00
Ying Li 73a26d59ac Inject errors into pkcs11 in order to test that the yubikey code cleans up. 
Signed-off-by: Ying Li <ying.li@docker.com>
Signed-off-by: David Lawrence <david.lawrence@docker.com>

Signed-off-by: Ying Li <ying.li@docker.com> (github: endophage)
 2015-11-12 01:13:22 -08:00
Ying Li 09c0f9d05b Replace the pkcs11 library with interfaces for easier testing. 
Signed-off-by: Ying Li <ying.li@docker.com>
Signed-off-by: David Lawrence <david.lawrence@docker.com>

Signed-off-by: Ying Li <ying.li@docker.com> (github: endophage)
 2015-11-12 01:13:17 -08:00
Ying Li 7108450a21 Add more unit tests for the YubiKeyStore. 
Including how it interacts with the backup key store, and with more
assertions against a new YubiKeyStore so that we won't get false
positives or negatives from the cache.

Signed-off-by: Ying Li <ying.li@docker.com>
Signed-off-by: David Lawrence <david.lawrence@docker.com>

Signed-off-by: Ying Li <ying.li@docker.com> (github: endophage)
 2015-11-12 01:13:14 -08:00
Diogo Mónica b894d98392 Merge pull request #54 from docker/verify_hw_sigs 
add verification to yubikey signatures. Attempt to generate sig up to…

Signed-off-by: David Lawrence <david.lawrence@docker.com>

Signed-off-by: Diogo Mónica <diogo.monica@gmail.com> (github: endophage)
 2015-11-12 01:13:05 -08:00
David Lawrence 9b8645c39f add verification to yubikey signatures. Attempt to generate sig up to 5 times, fail if all 5 are invalid 
Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)
 2015-11-12 01:13:03 -08:00
David Lawrence 8628b57a96 private subdir should be added by keyfilestore, rather than all over the place 
Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)
 2015-11-12 01:12:57 -08:00
Diogo Monica 0344dfc038 Making tests pass 
Signed-off-by: Diogo Monica <diogo@docker.com>
Signed-off-by: David Lawrence <david.lawrence@docker.com>

Signed-off-by: Diogo Monica <diogo@docker.com> (github: endophage)
 2015-11-12 01:12:31 -08:00
David Lawrence ee270b6a2b fixing integrations tests for new list keys layout 
Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)
 2015-11-12 01:12:21 -08:00
David Lawrence 5c064e204b fixing lint/vet 
Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)
 2015-11-12 01:12:21 -08:00
David Lawrence 6acc130e17 list shows where the key is stored 
Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)
 2015-11-12 01:12:20 -08:00
David Lawrence 8ffbf116cc only tell user to touch when mode is enabled 
Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)
 2015-11-12 01:12:17 -08:00
David Lawrence b0354762d1 make touch to sign message configurable 
Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)
 2015-11-12 01:12:17 -08:00
David Lawrence e0c5bb7b83 comment about token location ordering 
Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)
 2015-11-12 01:11:55 -08:00
David Lawrence d2ca58bbf4 use the slots on the yubikey in the following order: 9c, 9e, 9d, 9a 
Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)
 2015-11-12 01:11:55 -08:00
Ying Li 397adb4291 Pad the ECDSA key that gets put into the Yubikey so it has 32 bytes. 
Apparently that is required by the template, and will error if it
does not. Sometimes, ECDSA keys are generated which when encoded
seems to only have 31 bytes.

Signed-off-by: Ying Li <ying.li@docker.com>
Signed-off-by: David Lawrence <david.lawrence@docker.com>

Signed-off-by: Ying Li <ying.li@docker.com> (github: endophage)
 2015-11-12 01:11:49 -08:00
Diogo Mónica 91b7d87a7b Merge pull request #39 from docker/fix-import 
Do not back up a root key that is imported into Yubikey.

Signed-off-by: David Lawrence <david.lawrence@docker.com>

Signed-off-by: Diogo Mónica <diogo.monica@gmail.com> (github: endophage)
 2015-11-12 01:11:46 -08:00
Ying Li 0280a82ae0 Do not back up a root key that is imported into Yubikey. 
Signed-off-by: Ying Li <ying.li@docker.com>
Signed-off-by: David Lawrence <david.lawrence@docker.com>

Signed-off-by: Ying Li <ying.li@docker.com> (github: endophage)
 2015-11-12 01:11:43 -08:00
Ying Li 9ae2c80309 Fix bug with finding new slots to put keys. 
Previously it was just overwritting one slot over and over.

Signed-off-by: Ying Li <ying.li@docker.com>
Signed-off-by: David Lawrence <david.lawrence@docker.com>

Signed-off-by: Ying Li <ying.li@docker.com> (github: endophage)
 2015-11-12 01:11:36 -08:00
Diogo Mónica 94b6269521 Merge pull request #38 from docker/fixing-alias-panic 
Fixed panic on listKeys with invalid keys, added tests

Signed-off-by: David Lawrence <david.lawrence@docker.com>

Signed-off-by: Diogo Mónica <diogo.monica@gmail.com> (github: endophage)
 2015-11-12 01:11:31 -08:00
Diogo Monica baa92cefa3 Fixed panic on listKeys with invalid keys, added tests 
Signed-off-by: David Lawrence <david.lawrence@docker.com>

Signed-off-by: Diogo Monica <diogo@docker.com> (github: endophage)
 2015-11-12 01:11:27 -08:00
Ying Li 53114aabdc Add a test to test adding multiple keys to a yubikey. 
If there are existing keys on the Yubikey, the YubiKeyStore should add
a key to the next available slot.

Signed-off-by: Ying Li <ying.li@docker.com>
Signed-off-by: David Lawrence <david.lawrence@docker.com>

Signed-off-by: Ying Li <ying.li@docker.com> (github: endophage)
 2015-11-12 01:11:21 -08:00
Ying Li c82802b800 Move ecdsa_hardware_crypto_service to trustmanager/yubikeystore 
Signed-off-by: Ying Li <ying.li@docker.com>
Signed-off-by: David Lawrence <david.lawrence@docker.com>

Signed-off-by: Ying Li <ying.li@docker.com> (github: endophage)
 2015-11-12 01:10:56 -08:00
David Lawrence e8d2240c79 write private key to a backup dir when creating keys on yubikey 
Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)
 2015-11-12 01:09:31 -08:00
David Lawrence b7c38f0287 fixing tests 
Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)
 2015-11-12 01:09:31 -08:00
David Lawrence 0fd1fa6ada arbitrary slots working 
Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)
 2015-11-12 01:09:31 -08:00
David Lawrence da18f54699 import-root, list, and remove working with yubikey 
Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)
 2015-11-12 01:09:31 -08:00
David Lawrence be4c0669c1 move import/export to cryptoservice and add import to yubikey 
Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)
 2015-11-12 01:09:31 -08:00
David Lawrence 06990fd5a1 integreating with @cyli's improvements 
Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)
 2015-10-30 10:15:52 -07:00
David Lawrence f73560d839 creating concrete types for the various key ciphers 
Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)
 2015-10-28 16:02:55 -07:00
David Lawrence daa36b43b7 Merge pull request #242 from docker/unify-root-nonroot-keystore 
Unify root nonroot keystore
 2015-10-28 13:14:19 -07:00
David Lawrence 2833a88292 adding gotuf to notary 
Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)
 2015-10-27 16:36:06 -07:00