// Attempt to read an encrypted root key from a file, and return it as a data.PrivateKey
func readRootKey(rootKeyFile string, retriever notary.PassRetriever) (data.PrivateKey, error) {
keyFile, err := os.Open(rootKeyFile)
if err != nil {
return nil, fmt.Errorf("Opening file to import as a root key: %v", err)
}
defer keyFile.Close()
pemBytes, err := ioutil.ReadAll(keyFile)
if err != nil {
return nil, fmt.Errorf("Error reading input root key file: %v", err)
}
if err = cryptoservice.CheckRootKeyIsEncrypted(pemBytes); err != nil {
return nil, err
}
privKey, _, err := trustmanager.GetPasswdDecryptBytes(retriever, pemBytes, "", data.CanonicalRootRole)
if err != nil {
return nil, err
}
return privKey, nil
}
func (t *tufCommander) tufInit(cmd *cobra.Command, args []string) error {
if len(args) < 1 {
cmd.Usage()
return fmt.Errorf("Must specify a GUN")
}
config, err := t.configGetter()
if err != nil {
return err
}
gun := args[0]
rt, err := getTransport(config, gun, readWrite)
if err != nil {
return err
}
trustPin, err := getTrustPinning(config)
if err != nil {
return err
}
nRepo, err := notaryclient.NewNotaryRepository(
config.GetString("trust_dir"), gun, getRemoteTrustServer(config), rt, t.retriever, trustPin)
if err != nil {
return err
}
var rootKeyList []string
if t.rootKey != "" {
keyFile, err := os.Open(t.rootKey)
if err != nil {
return fmt.Errorf("Opening file for import: %v", err)
}
defer keyFile.Close()
pemBytes, err := ioutil.ReadAll(keyFile)
if err != nil {
return fmt.Errorf("Error reading input file: %v", err)
}
if err = cryptoservice.CheckRootKeyIsEncrypted(pemBytes); err != nil {
return err
}
privKey, _, err := trustmanager.GetPasswdDecryptBytes(t.retriever, pemBytes, "", data.CanonicalRootRole)
if err != nil {
return err
}
err = nRepo.CryptoService.AddKey(data.CanonicalRootRole, "", privKey)
if err != nil {
return fmt.Errorf("Error importing key: %v", err)
}
rootKeyList = []string{data.PublicKeyFromPrivate(privKey).ID()}
} else {
rootKeyList = nRepo.CryptoService.ListKeys(data.CanonicalRootRole)
}
var rootKeyID string
if len(rootKeyList) < 1 {
cmd.Println("No root keys found. Generating a new root key...")
rootPublicKey, err := nRepo.CryptoService.Create(data.CanonicalRootRole, "", data.ECDSAKey)
rootKeyID = rootPublicKey.ID()
if err != nil {
return err
}
} else {
// Choses the first root key available, which is initialization specific
// but should return the HW one first.
rootKeyID = rootKeyList[0]
cmd.Printf("Root key found, using: %s\n", rootKeyID)
}
if err = nRepo.Initialize([]string{rootKeyID}); err != nil {
return err
}
return nil
}
// keysImport imports a private key from a PEM file for a role
func (k *keyCommander) keysImport(cmd *cobra.Command, args []string) error {
if len(args) != 1 {
cmd.Usage()
return fmt.Errorf("Must specify input filename for import")
}
config, err := k.configGetter()
if err != nil {
return err
}
ks, err := k.getKeyStores(config, true, false)
if err != nil {
return err
}
importFilename := args[0]
importFile, err := os.Open(importFilename)
if err != nil {
return fmt.Errorf("Opening file for import: %v", err)
}
defer importFile.Close()
pemBytes, err := ioutil.ReadAll(importFile)
if err != nil {
return fmt.Errorf("Error reading input file: %v", err)
}
pemRole := trustmanager.ReadRoleFromPEM(pemBytes)
// If the PEM key doesn't have a role in it, we must have --role set
if pemRole == "" && k.keysImportRole == "" {
return fmt.Errorf("Could not infer role, and no role was specified for key")
}
// If both PEM role and a --role are provided and they don't match, error
if pemRole != "" && k.keysImportRole != "" && pemRole != k.keysImportRole {
return fmt.Errorf("Specified role %s does not match role %s in PEM headers", k.keysImportRole, pemRole)
}
// Determine which role to add to between PEM headers and --role flag:
var importRole string
if k.keysImportRole != "" {
importRole = k.keysImportRole
} else {
importRole = pemRole
}
// If we're importing to targets or snapshot, we need a GUN
if (importRole == data.CanonicalTargetsRole || importRole == data.CanonicalSnapshotRole) && k.keysImportGUN == "" {
return fmt.Errorf("Must specify GUN for %s key", importRole)
}
// Root keys must be encrypted
if importRole == data.CanonicalRootRole {
if err = cryptoservice.CheckRootKeyIsEncrypted(pemBytes); err != nil {
return err
}
}
cs := cryptoservice.NewCryptoService(ks...)
// Convert to a data.PrivateKey, potentially decrypting the key
privKey, err := trustmanager.ParsePEMPrivateKey(pemBytes, "")
if err != nil {
privKey, _, err = trustmanager.GetPasswdDecryptBytes(k.getRetriever(), pemBytes, "", "imported "+importRole)
if err != nil {
return err
}
}
err = cs.AddKey(importRole, k.keysImportGUN, privKey)
if err != nil {
return fmt.Errorf("Error importing key: %v", err)
}
return nil
}
