Ejemplo n.º 1
0
// Per-test set up that returns a cleanup function.  This set up:
// - changes the passphrase retriever to always produce a constant passphrase
// - disables touch on yubikeys
// - deletes all keys on the yubikey
func setUp(t *testing.T) func() {
	oldRetriever := retriever

	var fake = func(k, a string, c bool, n int) (string, bool, error) {
		if k == "Yubikey" {
			return oldRetriever(k, a, c, n)
		}
		return testPassphrase, false, nil
	}

	retriever = fake
	getRetriever = func() passphrase.Retriever { return fake }
	yubikey.SetYubikeyKeyMode(yubikey.KeymodeNone)

	// //we're just removing keys here, so nil is fine
	s, err := yubikey.NewYubiKeyStore(nil, retriever)
	assert.NoError(t, err)
	for k := range s.ListKeys() {
		err := s.RemoveKey(k)
		assert.NoError(t, err)
	}

	return func() {
		retriever = oldRetriever
		getRetriever = getPassphraseRetriever
		yubikey.SetYubikeyKeyMode(yubikey.KeymodeTouch | yubikey.KeymodePinOnce)
	}
}
func init() {
	yubikey.SetYubikeyKeyMode(yubikey.KeymodeNone)

	regRetriver := passphrase.PromptRetriever()
	_retriever := func(k, a string, c bool, n int) (string, bool, error) {
		if k == "Yubikey" {
			return regRetriver(k, a, c, n)
		}
		return testPassphrase, false, nil
	}

	// best effort at removing keys here, so nil is fine
	s, err := yubikey.NewYubiKeyStore(nil, _retriever)
	if err != nil {
		for k := range s.ListKeys() {
			s.RemoveKey(k)
		}
	}

	NewNotaryCommand = func() *cobra.Command {
		commander := &notaryCommander{
			getRetriever: func() passphrase.Retriever { return _retriever },
		}
		return commander.GetCommand()
	}
}
// Per-test set up deletes all keys on the yubikey
func setUp(t *testing.T) {
	//we're just removing keys here, so nil is fine
	s, err := yubikey.NewYubiKeyStore(nil, _retriever)
	assert.NoError(t, err)
	for k := range s.ListKeys() {
		err := s.RemoveKey(k)
		assert.NoError(t, err)
	}
}
Ejemplo n.º 4
0
// ensures that the root is actually on the yubikey - this makes sure the
// commands are hooked up to interact with the yubikey, rather than right files
// on disk
func verifyRootKeyOnHardware(t *testing.T, rootKeyID string) {
	// do not bother verifying if there is no yubikey available
	if yubikey.YubikeyAccessible() {
		// //we're just getting keys here, so nil is fine
		s, err := yubikey.NewYubiKeyStore(nil, retriever)
		assert.NoError(t, err)
		privKey, role, err := s.GetKey(rootKeyID)
		assert.NoError(t, err)
		assert.NotNil(t, privKey)
		assert.Equal(t, data.CanonicalRootRole, role)
	}
}
Ejemplo n.º 5
0
// clear out all keys
func init() {
	yubikey.SetYubikeyKeyMode(0)
	if !yubikey.YubikeyAccessible() {
		return
	}
	store, err := yubikey.NewYubiKeyStore(nil, nil)
	if err == nil {
		for k := range store.ListKeys() {
			store.RemoveKey(k)
		}
	}
}
Ejemplo n.º 6
0
// NewNotaryRepository is a helper method that returns a new notary repository.
// It takes the base directory under where all the trust files will be stored
// (usually ~/.docker/trust/).
func NewNotaryRepository(baseDir, gun, baseURL string, rt http.RoundTripper,
	retriever passphrase.Retriever) (
	*NotaryRepository, error) {

	fileKeyStore, err := trustmanager.NewKeyFileStore(baseDir, retriever)
	if err != nil {
		return nil, fmt.Errorf("failed to create private key store in directory: %s", baseDir)
	}

	keyStores := []trustmanager.KeyStore{fileKeyStore}
	yubiKeyStore, _ := yubikey.NewYubiKeyStore(fileKeyStore, retriever)
	if yubiKeyStore != nil {
		keyStores = []trustmanager.KeyStore{yubiKeyStore, fileKeyStore}
	}

	return repositoryFromKeystores(baseDir, gun, baseURL, rt, keyStores)
}
Ejemplo n.º 7
0
// NewNotaryRepository is a helper method that returns a new notary repository.
// It takes the base directory under where all the trust files will be stored
// (usually ~/.docker/trust/).
func NewNotaryRepository(baseDir, gun, baseURL string, rt http.RoundTripper,
	retriever passphrase.Retriever) (*NotaryRepository, error) {

	fileKeyStore, err := trustmanager.NewKeyFileStore(baseDir, retriever)
	if err != nil {
		return nil, fmt.Errorf("failed to create private key store in directory: %s", baseDir)
	}

	keyStoreManager, err := keystoremanager.NewKeyStoreManager(baseDir)
	yubiKeyStore, _ := yubikey.NewYubiKeyStore(fileKeyStore, retriever)
	var cryptoService signed.CryptoService
	if yubiKeyStore == nil {
		cryptoService = cryptoservice.NewCryptoService(gun, fileKeyStore)
	} else {
		cryptoService = cryptoservice.NewCryptoService(gun, yubiKeyStore, fileKeyStore)
	}

	nRepo := &NotaryRepository{
		gun:             gun,
		baseDir:         baseDir,
		baseURL:         baseURL,
		tufRepoPath:     filepath.Join(baseDir, tufDir, filepath.FromSlash(gun)),
		CryptoService:   cryptoService,
		roundTrip:       rt,
		KeyStoreManager: keyStoreManager,
	}

	fileStore, err := store.NewFilesystemStore(
		nRepo.tufRepoPath,
		"metadata",
		"json",
		"",
	)
	if err != nil {
		return nil, err
	}
	nRepo.fileStore = fileStore

	return nRepo, nil
}
Ejemplo n.º 8
0
func getYubiKeyStore(fileKeyStore trustmanager.KeyStore, ret passphrase.Retriever) (trustmanager.KeyStore, error) {
	return yubikey.NewYubiKeyStore(fileKeyStore, ret)
}