func (safs *signAddFindSuite) TestFindFindsTrustedAccountKeys(c *C) {
pk1 := asserts.OpenPGPPrivateKey(testPrivKey1)
pubKey1Encoded, err := asserts.EncodePublicKey(pk1.PublicKey())
c.Assert(err, IsNil)
now := time.Now().UTC()
headers := map[string]string{
"authority-id": "canonical",
"account-id": "acc-id1",
"public-key-id": pk1.PublicKey().ID(),
"public-key-fingerprint": pk1.PublicKey().Fingerprint(),
"since": now.Format(time.RFC3339),
"until": now.AddDate(1, 0, 0).Format(time.RFC3339),
}
accKey, err := safs.signingDB.Sign(asserts.AccountKeyType, headers, []byte(pubKey1Encoded), safs.signingKeyID)
c.Assert(err, IsNil)
err = safs.db.Add(accKey)
c.Assert(err, IsNil)
// find the trusted key as well
tKey, err := safs.db.Find(asserts.AccountKeyType, map[string]string{
"account-id": "canonical",
"public-key-id": safs.signingKeyID,
})
c.Assert(err, IsNil)
c.Assert(tKey.(*asserts.AccountKey).AccountID(), Equals, "canonical")
c.Assert(tKey.(*asserts.AccountKey).PublicKeyID(), Equals, safs.signingKeyID)
// find trusted and untrusted
accKeys, err := safs.db.FindMany(asserts.AccountKeyType, nil)
c.Assert(err, IsNil)
c.Check(accKeys, HasLen, 2)
}
func (dss *deviceSerialSuite) SetUpSuite(c *C) {
dss.ts = time.Now().Truncate(time.Second).UTC()
dss.tsLine = "timestamp: " + dss.ts.Format(time.RFC3339) + "\n"
dss.deviceKey = asserts.OpenPGPPrivateKey(testPrivKey2)
encodedPubKey, err := asserts.EncodePublicKey(dss.deviceKey.PublicKey())
c.Assert(err, IsNil)
dss.encodedDevKey = string(encodedPubKey)
}
func makeSignAndCheckDbWithAccountKey(c *C, accountID string) (signingKeyID string, accSignDB, checkDB *asserts.Database) {
trustedKey := testPrivKey0
cfg1 := &asserts.DatabaseConfig{
KeypairManager: asserts.NewMemoryKeypairManager(),
}
accSignDB, err := asserts.OpenDatabase(cfg1)
c.Assert(err, IsNil)
pk1 := asserts.OpenPGPPrivateKey(testPrivKey1)
err = accSignDB.ImportKey(accountID, asserts.OpenPGPPrivateKey(testPrivKey1))
c.Assert(err, IsNil)
accFingerp := pk1.PublicKey().Fingerprint()
accKeyID := pk1.PublicKey().ID()
pubKey, err := accSignDB.PublicKey(accountID, accKeyID)
c.Assert(err, IsNil)
pubKeyEncoded, err := asserts.EncodePublicKey(pubKey)
c.Assert(err, IsNil)
accPubKeyBody := string(pubKeyEncoded)
headers := map[string]string{
"authority-id": "canonical",
"account-id": accountID,
"public-key-id": accKeyID,
"public-key-fingerprint": accFingerp,
"since": "2015-11-20T15:04:00Z",
"until": "2500-11-20T15:04:00Z",
}
accKey, err := asserts.AssembleAndSignInTest(asserts.AccountKeyType, headers, []byte(accPubKeyBody), asserts.OpenPGPPrivateKey(trustedKey))
c.Assert(err, IsNil)
topDir := filepath.Join(c.MkDir(), "asserts-db")
bs, err := asserts.OpenFSBackstore(topDir)
c.Assert(err, IsNil)
cfg := &asserts.DatabaseConfig{
Backstore: bs,
KeypairManager: asserts.NewMemoryKeypairManager(),
TrustedKeys: []*asserts.AccountKey{asserts.BootstrapAccountKeyForTest("canonical", &trustedKey.PublicKey)},
}
checkDB, err = asserts.OpenDatabase(cfg)
c.Assert(err, IsNil)
err = checkDB.Add(accKey)
c.Assert(err, IsNil)
return accKeyID, accSignDB, checkDB
}
func (x *accountKey) Execute(args []string) error {
accID := x.Positional.AccountID
if accID == "" {
return fmt.Errorf("missing account-id")
}
years := int(x.Positional.Years)
if years == 0 {
return fmt.Errorf("missing validity-years")
}
authID := x.Positional.AuthorityID
if authID == "" {
fmt.Fprintln(os.Stderr, "no authority-id: assume self-signed")
authID = accID
}
authKey, err := findPublicKey(db, authID)
if err != nil {
return err
}
accKey, err := findPublicKey(db, accID)
if err != nil {
return err
}
nowish := time.Now().Truncate(time.Hour).UTC()
until := nowish.AddDate(years, 0, 0)
pubKeyBody, err := asserts.EncodePublicKey(accKey)
if err != nil {
return err
}
headers := map[string]string{
"authority-id": strings.Split(authID, "/")[0],
"account-id": strings.Split(accID, "/")[0],
"public-key-fingerprint": accKey.Fingerprint(),
"public-key-id": accKey.ID(),
"since": nowish.Format(time.RFC3339),
"until": until.Format(time.RFC3339),
}
assertion, err := db.Sign(asserts.AccountKeyType, headers, pubKeyBody, authKey.ID())
if err != nil {
return err
}
os.Stdout.Write(asserts.Encode(assertion))
return nil
}
func (safs *signAddFindSuite) TestDontLetAddConfusinglyAssertionClashingWithTrustedOnes(c *C) {
// trusted
pubKey0, err := safs.signingDB.PublicKey("canonical", safs.signingKeyID)
c.Assert(err, IsNil)
pubKey0Encoded, err := asserts.EncodePublicKey(pubKey0)
c.Assert(err, IsNil)
now := time.Now().UTC()
headers := map[string]string{
"authority-id": "canonical",
"account-id": "canonical",
"public-key-id": safs.signingKeyID,
"public-key-fingerprint": pubKey0.Fingerprint(),
"since": now.Format(time.RFC3339),
"until": now.AddDate(1, 0, 0).Format(time.RFC3339),
}
tKey, err := safs.signingDB.Sign(asserts.AccountKeyType, headers, []byte(pubKey0Encoded), safs.signingKeyID)
c.Assert(err, IsNil)
err = safs.db.Add(tKey)
c.Check(err, ErrorMatches, `cannot add "account-key" assertion with primary key clashing with a trusted assertion: .*`)
}
func (dbs *databaseSuite) TestPublicKey(c *C) {
pk := asserts.OpenPGPPrivateKey(testPrivKey1)
fingerp := pk.PublicKey().Fingerprint()
keyid := pk.PublicKey().ID()
err := dbs.db.ImportKey("account0", pk)
c.Assert(err, IsNil)
pubk, err := dbs.db.PublicKey("account0", keyid)
c.Assert(err, IsNil)
c.Check(pubk.Fingerprint(), Equals, fingerp)
// usual pattern is to then encode it
encoded, err := asserts.EncodePublicKey(pubk)
c.Assert(err, IsNil)
c.Check(bytes.HasPrefix(encoded, []byte("openpgp ")), Equals, true)
data, err := base64.StdEncoding.DecodeString(string(encoded[len("openpgp "):]))
c.Assert(err, IsNil)
pkt, err := packet.Read(bytes.NewBuffer(data))
c.Assert(err, IsNil)
pubKey, ok := pkt.(*packet.PublicKey)
c.Assert(ok, Equals, true)
c.Assert(pubKey.Fingerprint, DeepEquals, testPrivKey1.PublicKey.Fingerprint)
}
func (sdbs *sysDBSuite) SetUpTest(c *C) {
tmpdir := c.MkDir()
pk := asserts.OpenPGPPrivateKey(testPrivKey0)
trustedPubKey := pk.PublicKey()
trustedPubKeyEncoded, err := asserts.EncodePublicKey(trustedPubKey)
c.Assert(err, IsNil)
// self-signed
headers := map[string]string{
"authority-id": "canonical",
"account-id": "canonical",
"public-key-id": trustedPubKey.ID(),
"public-key-fingerprint": trustedPubKey.Fingerprint(),
"since": "2015-11-20T15:04:00Z",
"until": "2500-11-20T15:04:00Z",
}
trustedAccKey, err := asserts.AssembleAndSignInTest(asserts.AccountKeyType, headers, trustedPubKeyEncoded, pk)
c.Assert(err, IsNil)
fakeRoot := filepath.Join(tmpdir, "root")
err = os.Mkdir(fakeRoot, os.ModePerm)
c.Assert(err, IsNil)
dirs.SetRootDir(fakeRoot)
err = os.MkdirAll(filepath.Dir(dirs.SnapTrustedAccountKey), os.ModePerm)
c.Assert(err, IsNil)
err = ioutil.WriteFile(dirs.SnapTrustedAccountKey, asserts.Encode(trustedAccKey), os.ModePerm)
c.Assert(err, IsNil)
headers = map[string]string{
"authority-id": "canonical",
"primary-key": "0",
}
sdbs.probeAssert, err = asserts.AssembleAndSignInTest(asserts.TestOnlyType, headers, nil, pk)
c.Assert(err, IsNil)
}
func (aks *accountKeySuite) SetUpSuite(c *C) {
cfg1 := &asserts.DatabaseConfig{
KeypairManager: asserts.NewMemoryKeypairManager(),
}
accDb, err := asserts.OpenDatabase(cfg1)
c.Assert(err, IsNil)
pk := asserts.OpenPGPPrivateKey(testPrivKey1)
err = accDb.ImportKey("acc-id1", pk)
c.Assert(err, IsNil)
aks.fp = pk.PublicKey().Fingerprint()
aks.keyid = pk.PublicKey().ID()
pubKey, err := accDb.PublicKey("acc-id1", aks.keyid)
c.Assert(err, IsNil)
pubKeyEncoded, err := asserts.EncodePublicKey(pubKey)
c.Assert(err, IsNil)
aks.pubKeyBody = string(pubKeyEncoded)
aks.since, err = time.Parse(time.RFC822, "16 Nov 15 15:04 UTC")
c.Assert(err, IsNil)
aks.until = aks.since.AddDate(1, 0, 0)
aks.sinceLine = "since: " + aks.since.Format(time.RFC3339) + "\n"
aks.untilLine = "until: " + aks.until.Format(time.RFC3339) + "\n"
}
