예제 #1
0
파일: tuf.go 프로젝트: endophage/notary
// Attempt to read an encrypted root key from a file, and return it as a data.PrivateKey
func readRootKey(rootKeyFile string, retriever notary.PassRetriever) (data.PrivateKey, error) {
	keyFile, err := os.Open(rootKeyFile)
	if err != nil {
		return nil, fmt.Errorf("Opening file to import as a root key: %v", err)
	}
	defer keyFile.Close()

	pemBytes, err := ioutil.ReadAll(keyFile)
	if err != nil {
		return nil, fmt.Errorf("Error reading input root key file: %v", err)
	}
	if err = cryptoservice.CheckRootKeyIsEncrypted(pemBytes); err != nil {
		return nil, err
	}

	privKey, _, err := trustmanager.GetPasswdDecryptBytes(retriever, pemBytes, "", data.CanonicalRootRole)
	if err != nil {
		return nil, err
	}

	return privKey, nil
}
예제 #2
0
파일: tuf.go 프로젝트: mbentley/notary
func (t *tufCommander) tufInit(cmd *cobra.Command, args []string) error {
	if len(args) < 1 {
		cmd.Usage()
		return fmt.Errorf("Must specify a GUN")
	}

	config, err := t.configGetter()
	if err != nil {
		return err
	}
	gun := args[0]

	rt, err := getTransport(config, gun, readWrite)
	if err != nil {
		return err
	}

	trustPin, err := getTrustPinning(config)
	if err != nil {
		return err
	}

	nRepo, err := notaryclient.NewNotaryRepository(
		config.GetString("trust_dir"), gun, getRemoteTrustServer(config), rt, t.retriever, trustPin)
	if err != nil {
		return err
	}

	var rootKeyList []string

	if t.rootKey != "" {
		keyFile, err := os.Open(t.rootKey)
		if err != nil {
			return fmt.Errorf("Opening file for import: %v", err)
		}
		defer keyFile.Close()

		pemBytes, err := ioutil.ReadAll(keyFile)
		if err != nil {
			return fmt.Errorf("Error reading input file: %v", err)
		}
		if err = cryptoservice.CheckRootKeyIsEncrypted(pemBytes); err != nil {
			return err
		}

		privKey, _, err := trustmanager.GetPasswdDecryptBytes(t.retriever, pemBytes, "", data.CanonicalRootRole)
		if err != nil {
			return err
		}

		err = nRepo.CryptoService.AddKey(data.CanonicalRootRole, "", privKey)
		if err != nil {
			return fmt.Errorf("Error importing key: %v", err)
		}
		rootKeyList = []string{data.PublicKeyFromPrivate(privKey).ID()}
	} else {
		rootKeyList = nRepo.CryptoService.ListKeys(data.CanonicalRootRole)
	}

	var rootKeyID string
	if len(rootKeyList) < 1 {
		cmd.Println("No root keys found. Generating a new root key...")
		rootPublicKey, err := nRepo.CryptoService.Create(data.CanonicalRootRole, "", data.ECDSAKey)
		rootKeyID = rootPublicKey.ID()
		if err != nil {
			return err
		}
	} else {
		// Choses the first root key available, which is initialization specific
		// but should return the HW one first.
		rootKeyID = rootKeyList[0]
		cmd.Printf("Root key found, using: %s\n", rootKeyID)
	}

	if err = nRepo.Initialize([]string{rootKeyID}); err != nil {
		return err
	}
	return nil
}
예제 #3
0
파일: keys.go 프로젝트: mbentley/notary
// keysImport imports a private key from a PEM file for a role
func (k *keyCommander) keysImport(cmd *cobra.Command, args []string) error {
	if len(args) != 1 {
		cmd.Usage()
		return fmt.Errorf("Must specify input filename for import")
	}

	config, err := k.configGetter()
	if err != nil {
		return err
	}
	ks, err := k.getKeyStores(config, true, false)
	if err != nil {
		return err
	}

	importFilename := args[0]

	importFile, err := os.Open(importFilename)
	if err != nil {
		return fmt.Errorf("Opening file for import: %v", err)
	}
	defer importFile.Close()

	pemBytes, err := ioutil.ReadAll(importFile)
	if err != nil {
		return fmt.Errorf("Error reading input file: %v", err)
	}

	pemRole := trustmanager.ReadRoleFromPEM(pemBytes)

	// If the PEM key doesn't have a role in it, we must have --role set
	if pemRole == "" && k.keysImportRole == "" {
		return fmt.Errorf("Could not infer role, and no role was specified for key")
	}

	// If both  PEM role and a --role are provided and they don't match, error
	if pemRole != "" && k.keysImportRole != "" && pemRole != k.keysImportRole {
		return fmt.Errorf("Specified role %s does not match role %s in PEM headers", k.keysImportRole, pemRole)
	}

	// Determine which role to add to between PEM headers and --role flag:
	var importRole string
	if k.keysImportRole != "" {
		importRole = k.keysImportRole
	} else {
		importRole = pemRole
	}

	// If we're importing to targets or snapshot, we need a GUN
	if (importRole == data.CanonicalTargetsRole || importRole == data.CanonicalSnapshotRole) && k.keysImportGUN == "" {
		return fmt.Errorf("Must specify GUN for %s key", importRole)
	}

	// Root keys must be encrypted
	if importRole == data.CanonicalRootRole {
		if err = cryptoservice.CheckRootKeyIsEncrypted(pemBytes); err != nil {
			return err
		}
	}

	cs := cryptoservice.NewCryptoService(ks...)
	// Convert to a data.PrivateKey, potentially decrypting the key
	privKey, err := trustmanager.ParsePEMPrivateKey(pemBytes, "")
	if err != nil {
		privKey, _, err = trustmanager.GetPasswdDecryptBytes(k.getRetriever(), pemBytes, "", "imported "+importRole)
		if err != nil {
			return err
		}
	}
	err = cs.AddKey(importRole, k.keysImportGUN, privKey)
	if err != nil {
		return fmt.Errorf("Error importing key: %v", err)
	}
	return nil
}