func TestEncryption(t *testing.T) { s := NewTestImportStore() privKey, err := utils.GenerateECDSAKey(rand.Reader) originalKey := privKey.Private() require.NoError(t, err) pemBytes, err := utils.EncryptPrivateKey(privKey, "", "", "") require.NoError(t, err) in := bytes.NewBuffer(pemBytes) _ = ImportKeys(in, []Importer{s}, "", "", passphraseRetriever) require.Len(t, s.data, 1) shouldBeEnc, ok := s.data[privKey.ID()] // we should have got a key imported to this location require.True(t, ok) // we should fail to parse it without the passphrase privKey, err = utils.ParsePEMPrivateKey(shouldBeEnc, "") require.Equal(t, err, errors.New("could not decrypt private key")) require.Nil(t, privKey) // we should succeed to parse it with the passphrase privKey, err = utils.ParsePEMPrivateKey(shouldBeEnc, cannedPassphrase) require.NoError(t, err) require.Equal(t, originalKey, privKey.Private()) }
// path and encrypted key should succeed, tests gun inference from path as well func TestEncryptedKeyImportSuccess(t *testing.T) { s := NewTestImportStore() privKey, err := utils.GenerateECDSAKey(rand.Reader) originalKey := privKey.Private() require.NoError(t, err) pemBytes, err := utils.EncryptPrivateKey(privKey, data.CanonicalSnapshotRole, "somegun", cannedPassphrase) require.NoError(t, err) b, _ := pem.Decode(pemBytes) b.Headers["path"] = privKey.ID() pemBytes = pem.EncodeToMemory(b) in := bytes.NewBuffer(pemBytes) _ = ImportKeys(in, []Importer{s}, "", "", passphraseRetriever) require.Len(t, s.data, 1) keyBytes := s.data[privKey.ID()] bFinal, bRest := pem.Decode(keyBytes) require.Equal(t, "somegun", bFinal.Headers["gun"]) require.Len(t, bRest, 0) // we should fail to parse it without the passphrase privKey, err = utils.ParsePEMPrivateKey(keyBytes, "") require.Equal(t, err, errors.New("could not decrypt private key")) require.Nil(t, privKey) // we should succeed to parse it with the passphrase privKey, err = utils.ParsePEMPrivateKey(keyBytes, cannedPassphrase) require.NoError(t, err) require.Equal(t, originalKey, privKey.Private()) }
// no path and encrypted key import should fail func TestEncryptedKeyImportFail(t *testing.T) { s := NewTestImportStore() privKey, err := utils.GenerateECDSAKey(rand.Reader) require.NoError(t, err) pemBytes, err := utils.EncryptPrivateKey(privKey, data.CanonicalRootRole, "", cannedPassphrase) require.NoError(t, err) in := bytes.NewBuffer(pemBytes) _ = ImportKeys(in, []Importer{s}, "", "", passphraseRetriever) require.Len(t, s.data, 0) }
// AddKey stores the contents of a PEM-encoded private key as a PEM block func (s *GenericKeyStore) AddKey(keyInfo KeyInfo, privKey data.PrivateKey) error { var ( chosenPassphrase string giveup bool err error pemPrivKey []byte ) s.Lock() defer s.Unlock() if keyInfo.Role == data.CanonicalRootRole || data.IsDelegation(keyInfo.Role) || !data.ValidRole(keyInfo.Role) { keyInfo.Gun = "" } keyID := privKey.ID() for attempts := 0; ; attempts++ { chosenPassphrase, giveup, err = s.PassRetriever(keyID, keyInfo.Role, true, attempts) if err == nil { break } if giveup || attempts > 10 { return ErrAttemptsExceeded{} } } if chosenPassphrase != "" { pemPrivKey, err = utils.EncryptPrivateKey(privKey, keyInfo.Role, keyInfo.Gun, chosenPassphrase) } else { pemPrivKey, err = utils.KeyToPEM(privKey, keyInfo.Role, keyInfo.Gun) } if err != nil { return err } s.cachedKeys[keyID] = &cachedKey{alias: keyInfo.Role, key: privKey} err = s.store.Set(keyID, pemPrivKey) if err != nil { return err } s.keyInfoMap[privKey.ID()] = keyInfo return nil }
// ImportKeys expects an io.Reader containing one or more PEM blocks. // It reads PEM blocks one at a time until pem.Decode returns a nil // block. // Each block is written to the subpath indicated in the "path" PEM // header. If the file already exists, the file is truncated. Multiple // adjacent PEMs with the same "path" header are appended together. func ImportKeys(from io.Reader, to []Importer, fallbackRole string, fallbackGUN string, passRet notary.PassRetriever) error { // importLogic.md contains a small flowchart I made to clear up my understand while writing the cases in this function // it is very rough, but it may help while reading this piece of code data, err := ioutil.ReadAll(from) if err != nil { return err } var ( writeTo string toWrite []byte ) for block, rest := pem.Decode(data); block != nil; block, rest = pem.Decode(rest) { handleLegacyPath(block) setFallbacks(block, fallbackGUN, fallbackRole) loc, err := checkValidity(block) if err != nil { // already logged in checkValidity continue } // the path header is not of any use once we've imported the key so strip it away delete(block.Headers, "path") // we are now all set for import but let's first encrypt the key blockBytes := pem.EncodeToMemory(block) // check if key is encrypted, note: if it is encrypted at this point, it will have had a path header if privKey, err := utils.ParsePEMPrivateKey(blockBytes, ""); err == nil { // Key is not encrypted- ask for a passphrase and encrypt this key var chosenPassphrase string for attempts := 0; ; attempts++ { var giveup bool chosenPassphrase, giveup, err = passRet(loc, block.Headers["role"], true, attempts) if err == nil { break } if giveup || attempts > 10 { return errors.New("maximum number of passphrase attempts exceeded") } } blockBytes, err = utils.EncryptPrivateKey(privKey, block.Headers["role"], block.Headers["gun"], chosenPassphrase) if err != nil { return errors.New("failed to encrypt key with given passphrase") } } if loc != writeTo { // next location is different from previous one. We've finished aggregating // data for the previous file. If we have data, write the previous file, // clear toWrite and set writeTo to the next path we're going to write if toWrite != nil { if err = importToStores(to, writeTo, toWrite); err != nil { return err } } // set up for aggregating next file's data toWrite = nil writeTo = loc } toWrite = append(toWrite, blockBytes...) } if toWrite != nil { // close out final iteration if there's data left return importToStores(to, writeTo, toWrite) } return nil }