// CreateKey creates a new key inside the cryptoservice for the given role and gun, // returning the public key. If the role is a root role, create an x509 key. func CreateKey(cs signed.CryptoService, gun, role, keyAlgorithm string) (data.PublicKey, error) { key, err := cs.Create(role, gun, keyAlgorithm) if err != nil { return nil, err } if role == data.CanonicalRootRole { start := time.Now().AddDate(0, 0, -1) privKey, _, err := cs.GetPrivateKey(key.ID()) if err != nil { return nil, err } cert, err := cryptoservice.GenerateCertificate( privKey, gun, start, start.AddDate(1, 0, 0), ) if err != nil { return nil, err } // Keep the x509 key type consistent with the key's algorithm switch keyAlgorithm { case data.RSAKey: key = data.NewRSAx509PublicKey(trustmanager.CertToPEM(cert)) case data.ECDSAKey: key = data.NewECDSAx509PublicKey(trustmanager.CertToPEM(cert)) default: // This should be impossible because of the Create() call above, but just in case return nil, fmt.Errorf("invalid key algorithm type") } } return key, nil }
// CopyKeys copies keys of a particular role to a new cryptoservice, and returns that cryptoservice func CopyKeys(t *testing.T, from signed.CryptoService, roles ...string) signed.CryptoService { memKeyStore := trustmanager.NewKeyMemoryStore(passphrase.ConstantRetriever("pass")) for _, role := range roles { for _, keyID := range from.ListKeys(role) { key, _, err := from.GetPrivateKey(keyID) require.NoError(t, err) memKeyStore.AddKey(trustmanager.KeyInfo{Role: role}, key) } } return cryptoservice.NewCryptoService(memKeyStore) }
// EmptyCryptoServiceInterfaceBehaviorTests tests expected behavior for // an empty signed.CryptoService: // 1. Getting the public key of a key that doesn't exist should fail // 2. Listing an empty cryptoservice returns no keys // 3. Removing a non-existent key succeeds (no-op) func EmptyCryptoServiceInterfaceBehaviorTests(t *testing.T, empty signed.CryptoService) { for _, role := range append(data.BaseRoles, "targets/delegation", "invalid") { keys := empty.ListKeys(role) require.Len(t, keys, 0) } keys := empty.ListAllKeys() require.Len(t, keys, 0) require.NoError(t, empty.RemoveKey("nonexistent")) require.Nil(t, empty.GetKey("nonexistent")) k, role, err := empty.GetPrivateKey("nonexistent") require.Error(t, err) require.Nil(t, k) require.Equal(t, "", role) }
func testGetKey(t *testing.T, cs signed.CryptoService, expectedRolesToKeys map[string]string, algo string) { for role, keyID := range expectedRolesToKeys { pubKey := cs.GetKey(keyID) require.NotNil(t, pubKey) require.Equal(t, keyID, pubKey.ID()) require.Equal(t, algo, pubKey.Algorithm()) privKey, gotRole, err := cs.GetPrivateKey(keyID) require.NoError(t, err) require.NotNil(t, privKey) require.Equal(t, keyID, privKey.ID()) require.Equal(t, algo, privKey.Algorithm()) require.Equal(t, role, gotRole) require.NoError(t, cs.RemoveKey(keyID)) require.Nil(t, cs.GetKey(keyID)) } }
func createKey(cs signed.CryptoService, gun, role string) (data.PublicKey, error) { key, err := cs.Create(role, data.ECDSAKey) if err != nil { return nil, err } if role == data.CanonicalRootRole { start := time.Now().AddDate(0, 0, -1) privKey, _, err := cs.GetPrivateKey(key.ID()) if err != nil { return nil, err } cert, err := cryptoservice.GenerateCertificate( privKey, gun, start, start.AddDate(1, 0, 0), ) if err != nil { return nil, err } key = data.NewECDSAx509PublicKey(trustmanager.CertToPEM(cert)) } return key, nil }