Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Import root cert in addition to root key #813

Closed
wants to merge 2 commits into from
Closed

Import root cert in addition to root key #813

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
42f1e10
Support passing in root keys on repo initialization
ecordell Jun 23, 2016
f01a1bd
Import only one root key, and add ability to import root cert
Jun 24, 2016
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
55 changes: 51 additions & 4 deletions client/client.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,7 @@ package client

import (
"bytes"
"crypto/rand"
"encoding/json"
"fmt"
"io/ioutil"
Expand Down Expand Up @@ -168,12 +169,50 @@ func rootCertKey(gun string, privKey data.PrivateKey) (data.PublicKey, error) {
return x509PublicKey, nil
}

// Initialize creates a new repository by using rootKey as the root Key for the
// Initialize creates a new repository by using rootKeyID to identify the root Key for the
// TUF repository. The server must be reachable (and is asked to generate a
// timestamp key and possibly other serverManagedRoles), but the created repository
// result is only stored on local disk, not published to the server. To do that,
// use r.Publish() eventually.
func (r *NotaryRepository) Initialize(rootKeyID string, serverManagedRoles ...string) error {
return r.InitializeWithCert(rootKeyID, (data.PublicKey)(nil), serverManagedRoles...)
}

func verifyPublicKeyMatchesPrivateKey(privKey data.PrivateKey, pubKey data.PublicKey) error {
// generate a random message
msgLength := 64
msg := make([]byte, msgLength)
_, err := rand.Read(msg)
if err != nil {
return fmt.Errorf("failed to generate random test message: %s", err)
}

// sign the message with the private key
signatureBytes, err := privKey.Sign(rand.Reader, msg, nil)
if err != nil {
return fmt.Errorf("Failed to sign test message:", err)
}

signature := data.Signature{
KeyID: privKey.ID(),
Method: privKey.SignatureAlgorithm(),
Signature: signatureBytes,
}

// verify the signature with the public key
if err := signed.VerifySignature(msg, signature, pubKey); err != nil {
return fmt.Errorf("Private Key did not match Public Key: %s", err)
}
return nil
}

// InitializeWithCert creates a new repository by using rootKeyID to identify the root Key for the
// TUF repository. If rootPublicKey is non-nil, it must match the private key identified by rootKeyID or an error is thrown
// The server must be reachable (and is asked to generate a
// timestamp key and possibly other serverManagedRoles), but the created repository
// result is only stored on local disk, not published to the server. To do that,
// use r.Publish() eventually.
func (r *NotaryRepository) InitializeWithCert(rootKeyID string, rootPublicKey data.PublicKey, serverManagedRoles ...string) error {
privKey, _, err := r.CryptoService.GetPrivateKey(rootKeyID)
if err != nil {
return err
Expand Down Expand Up @@ -206,9 +245,17 @@ func (r *NotaryRepository) Initialize(rootKeyID string, serverManagedRoles ...st
}
}

rootKey, err := rootCertKey(r.gun, privKey)
if err != nil {
return err
var rootKey data.PublicKey
if rootPublicKey == nil {
rootKey, err = rootCertKey(r.gun, privKey)
if err != nil {
return err
}
} else {
if err := verifyPublicKeyMatchesPrivateKey(privKey, rootPublicKey); err != nil {
return err
}
rootKey = rootPublicKey
}

var (
Expand Down
70 changes: 69 additions & 1 deletion cmd/notary/tuf.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,7 @@ import (
"bufio"
"encoding/hex"
"fmt"
"io/ioutil"
"net"
"net/http"
"net/url"
Expand All @@ -19,6 +20,8 @@ import (
"github.com/docker/go-connections/tlsconfig"
"github.com/docker/notary"
notaryclient "github.com/docker/notary/client"
"github.com/docker/notary/cryptoservice"
"github.com/docker/notary/trustmanager"
"github.com/docker/notary/trustpinning"
"github.com/docker/notary/tuf/data"
"github.com/docker/notary/utils"
Expand Down Expand Up @@ -90,13 +93,20 @@ type tufCommander struct {
sha256 string
sha512 string

rootCert string
rootKey string

input string
output string
quiet bool
}

func (t *tufCommander) AddToCommand(cmd *cobra.Command) {
cmd.AddCommand(cmdTUFInitTemplate.ToCommand(t.tufInit))
cmdTUFInit := cmdTUFInitTemplate.ToCommand(t.tufInit)
cmdTUFInit.Flags().StringVar(&t.rootCert, "rootcert", "", "Root cert to initialize the repository with. Must correspond to the private key specified in --rootkey")
cmdTUFInit.Flags().StringVar(&t.rootKey, "rootkey", "", "Root key to initialize the repository with.")
cmd.AddCommand(cmdTUFInit)

cmd.AddCommand(cmdTUFStatusTemplate.ToCommand(t.tufStatus))
cmd.AddCommand(cmdTUFPublishTemplate.ToCommand(t.tufPublish))
cmd.AddCommand(cmdTUFLookupTemplate.ToCommand(t.tufLookup))
Expand Down Expand Up @@ -246,6 +256,10 @@ func (t *tufCommander) tufInit(cmd *cobra.Command, args []string) error {
return fmt.Errorf("Must specify a GUN")
}

if t.rootCert != "" && t.rootKey == "" {
return fmt.Errorf("--rootCert specified without --rootKey being specified")
}

config, err := t.configGetter()
if err != nil {
return err
Expand All @@ -268,6 +282,60 @@ func (t *tufCommander) tufInit(cmd *cobra.Command, args []string) error {
return err
}

if t.rootKey != "" {
keyFile, err := os.Open(t.rootKey)
if err != nil {
return fmt.Errorf("Opening file for import: %v", err)
}
defer keyFile.Close()

pemBytes, err := ioutil.ReadAll(keyFile)
if err != nil {
return fmt.Errorf("Error reading input file: %v", err)
}
if err = cryptoservice.CheckRootKeyIsEncrypted(pemBytes); err != nil {
return err
}

privKey, err := trustmanager.ParsePEMPrivateKey(pemBytes, "")
if err != nil {
privKey, _, err = trustmanager.GetPasswdDecryptBytes(t.retriever, pemBytes, "", "imported root")
if err != nil {
return err
}
}
err = nRepo.CryptoService.AddKey(data.CanonicalRootRole, "", privKey)
if err != nil {
return fmt.Errorf("Error importing key: %v", err)
}

// if a key was explicitly passed in, we assume it should be added
// to the root role
if t.rootCert == "" {
if err = nRepo.Initialize(privKey.ID()); err != nil {
return err
}
} else {
// Load the user-specified root cert and initialize the repo with the cert and private key
// Read public key bytes from PEM file
pubKeyBytes, err := ioutil.ReadFile(t.rootCert)
if err != nil {
return fmt.Errorf("unable to read public key from file: %s", t.rootCert)
}

// Parse PEM bytes into type PublicKey
pubKey, err := trustmanager.ParsePEMPublicKey(pubKeyBytes)
if err != nil {
return fmt.Errorf("unable to parse valid public key certificate from PEM file %s: %v", t.rootCert, err)
}

if err = nRepo.InitializeWithCert(privKey.ID(), pubKey); err != nil {
return err
}
}
return nil
}

rootKeyList := nRepo.CryptoService.ListKeys(data.CanonicalRootRole)

var rootKeyID string
Expand Down