func TestEncryption(t *testing.T) {
s := NewTestImportStore()
privKey, err := utils.GenerateECDSAKey(rand.Reader)
originalKey := privKey.Private()
require.NoError(t, err)
pemBytes, err := utils.EncryptPrivateKey(privKey, "", "", "")
require.NoError(t, err)
in := bytes.NewBuffer(pemBytes)
_ = ImportKeys(in, []Importer{s}, "", "", passphraseRetriever)
require.Len(t, s.data, 1)
shouldBeEnc, ok := s.data[privKey.ID()]
// we should have got a key imported to this location
require.True(t, ok)
// we should fail to parse it without the passphrase
privKey, err = utils.ParsePEMPrivateKey(shouldBeEnc, "")
require.Equal(t, err, errors.New("could not decrypt private key"))
require.Nil(t, privKey)
// we should succeed to parse it with the passphrase
privKey, err = utils.ParsePEMPrivateKey(shouldBeEnc, cannedPassphrase)
require.NoError(t, err)
require.Equal(t, originalKey, privKey.Private())
}
// path and encrypted key should succeed, tests gun inference from path as well
func TestEncryptedKeyImportSuccess(t *testing.T) {
s := NewTestImportStore()
privKey, err := utils.GenerateECDSAKey(rand.Reader)
originalKey := privKey.Private()
require.NoError(t, err)
pemBytes, err := utils.EncryptPrivateKey(privKey, data.CanonicalSnapshotRole, "somegun", cannedPassphrase)
require.NoError(t, err)
b, _ := pem.Decode(pemBytes)
b.Headers["path"] = privKey.ID()
pemBytes = pem.EncodeToMemory(b)
in := bytes.NewBuffer(pemBytes)
_ = ImportKeys(in, []Importer{s}, "", "", passphraseRetriever)
require.Len(t, s.data, 1)
keyBytes := s.data[privKey.ID()]
bFinal, bRest := pem.Decode(keyBytes)
require.Equal(t, "somegun", bFinal.Headers["gun"])
require.Len(t, bRest, 0)
// we should fail to parse it without the passphrase
privKey, err = utils.ParsePEMPrivateKey(keyBytes, "")
require.Equal(t, err, errors.New("could not decrypt private key"))
require.Nil(t, privKey)
// we should succeed to parse it with the passphrase
privKey, err = utils.ParsePEMPrivateKey(keyBytes, cannedPassphrase)
require.NoError(t, err)
require.Equal(t, originalKey, privKey.Private())
}
// no path and encrypted key import should fail
func TestEncryptedKeyImportFail(t *testing.T) {
s := NewTestImportStore()
privKey, err := utils.GenerateECDSAKey(rand.Reader)
require.NoError(t, err)
pemBytes, err := utils.EncryptPrivateKey(privKey, data.CanonicalRootRole, "", cannedPassphrase)
require.NoError(t, err)
in := bytes.NewBuffer(pemBytes)
_ = ImportKeys(in, []Importer{s}, "", "", passphraseRetriever)
require.Len(t, s.data, 0)
}
// AddKey stores the contents of a PEM-encoded private key as a PEM block
func (s *GenericKeyStore) AddKey(keyInfo KeyInfo, privKey data.PrivateKey) error {
var (
chosenPassphrase string
giveup bool
err error
pemPrivKey []byte
)
s.Lock()
defer s.Unlock()
if keyInfo.Role == data.CanonicalRootRole || data.IsDelegation(keyInfo.Role) || !data.ValidRole(keyInfo.Role) {
keyInfo.Gun = ""
}
keyID := privKey.ID()
for attempts := 0; ; attempts++ {
chosenPassphrase, giveup, err = s.PassRetriever(keyID, keyInfo.Role, true, attempts)
if err == nil {
break
}
if giveup || attempts > 10 {
return ErrAttemptsExceeded{}
}
}
if chosenPassphrase != "" {
pemPrivKey, err = utils.EncryptPrivateKey(privKey, keyInfo.Role, keyInfo.Gun, chosenPassphrase)
} else {
pemPrivKey, err = utils.KeyToPEM(privKey, keyInfo.Role, keyInfo.Gun)
}
if err != nil {
return err
}
s.cachedKeys[keyID] = &cachedKey{alias: keyInfo.Role, key: privKey}
err = s.store.Set(keyID, pemPrivKey)
if err != nil {
return err
}
s.keyInfoMap[privKey.ID()] = keyInfo
return nil
}
// ImportKeys expects an io.Reader containing one or more PEM blocks.
// It reads PEM blocks one at a time until pem.Decode returns a nil
// block.
// Each block is written to the subpath indicated in the "path" PEM
// header. If the file already exists, the file is truncated. Multiple
// adjacent PEMs with the same "path" header are appended together.
func ImportKeys(from io.Reader, to []Importer, fallbackRole string, fallbackGUN string, passRet notary.PassRetriever) error {
// importLogic.md contains a small flowchart I made to clear up my understand while writing the cases in this function
// it is very rough, but it may help while reading this piece of code
data, err := ioutil.ReadAll(from)
if err != nil {
return err
}
var (
writeTo string
toWrite []byte
)
for block, rest := pem.Decode(data); block != nil; block, rest = pem.Decode(rest) {
handleLegacyPath(block)
setFallbacks(block, fallbackGUN, fallbackRole)
loc, err := checkValidity(block)
if err != nil {
// already logged in checkValidity
continue
}
// the path header is not of any use once we've imported the key so strip it away
delete(block.Headers, "path")
// we are now all set for import but let's first encrypt the key
blockBytes := pem.EncodeToMemory(block)
// check if key is encrypted, note: if it is encrypted at this point, it will have had a path header
if privKey, err := utils.ParsePEMPrivateKey(blockBytes, ""); err == nil {
// Key is not encrypted- ask for a passphrase and encrypt this key
var chosenPassphrase string
for attempts := 0; ; attempts++ {
var giveup bool
chosenPassphrase, giveup, err = passRet(loc, block.Headers["role"], true, attempts)
if err == nil {
break
}
if giveup || attempts > 10 {
return errors.New("maximum number of passphrase attempts exceeded")
}
}
blockBytes, err = utils.EncryptPrivateKey(privKey, block.Headers["role"], block.Headers["gun"], chosenPassphrase)
if err != nil {
return errors.New("failed to encrypt key with given passphrase")
}
}
if loc != writeTo {
// next location is different from previous one. We've finished aggregating
// data for the previous file. If we have data, write the previous file,
// clear toWrite and set writeTo to the next path we're going to write
if toWrite != nil {
if err = importToStores(to, writeTo, toWrite); err != nil {
return err
}
}
// set up for aggregating next file's data
toWrite = nil
writeTo = loc
}
toWrite = append(toWrite, blockBytes...)
}
if toWrite != nil { // close out final iteration if there's data left
return importToStores(to, writeTo, toWrite)
}
return nil
}
