// AddGetKeyCryptoServiceInterfaceBehaviorTests tests expected behavior for
// adding keys in a signed.CryptoService and other read operations on the
// crypto service after keys are present
// 1. Adding a key succeeds
// 2. Getting the key should return the same key, without error
// 3. Removing the key succeeds
func AddGetKeyCryptoServiceInterfaceBehaviorTests(t *testing.T, cs signed.CryptoService, algo string) {
expectedRolesToKeys := make(map[string]string)
for i := 0; i < 2; i++ {
var (
addedPrivKey data.PrivateKey
err error
)
role := data.BaseRoles[i+1]
switch algo {
case data.RSAKey:
addedPrivKey, err = utils.GenerateRSAKey(rand.Reader, 2048)
case data.ECDSAKey:
addedPrivKey, err = utils.GenerateECDSAKey(rand.Reader)
case data.ED25519Key:
addedPrivKey, err = utils.GenerateED25519Key(rand.Reader)
default:
require.FailNow(t, "invalid algorithm %s", algo)
}
require.NoError(t, err)
require.NotNil(t, addedPrivKey)
require.NoError(t, cs.AddKey(role, "docker.io/notary", addedPrivKey))
expectedRolesToKeys[role] = addedPrivKey.ID()
}
testGetKey(t, cs, expectedRolesToKeys, algo)
}
func generateShortRSAKeyTestCert() (*x509.Certificate, string, error) {
// 1024 bits is too short
privKey, err := utils.GenerateRSAKey(rand.Reader, 1024)
if err != nil {
return nil, "", err
}
keyID := privKey.ID()
startTime := time.Now()
endTime := startTime.AddDate(10, 0, 0)
cert, err := cryptoservice.GenerateCertificate(privKey, "gun", startTime, endTime)
if err != nil {
return nil, "", err
}
return cert, keyID, nil
}
// Create is used to generate keys for targets, snapshots and timestamps
func (cs *CryptoService) Create(role, gun, algorithm string) (data.PublicKey, error) {
var privKey data.PrivateKey
var err error
switch algorithm {
case data.RSAKey:
privKey, err = utils.GenerateRSAKey(rand.Reader, notary.MinRSABitSize)
if err != nil {
return nil, fmt.Errorf("failed to generate RSA key: %v", err)
}
case data.ECDSAKey:
privKey, err = utils.GenerateECDSAKey(rand.Reader)
if err != nil {
return nil, fmt.Errorf("failed to generate EC key: %v", err)
}
case data.ED25519Key:
privKey, err = utils.GenerateED25519Key(rand.Reader)
if err != nil {
return nil, fmt.Errorf("failed to generate ED25519 key: %v", err)
}
default:
return nil, fmt.Errorf("private key type not supported for key generation: %s", algorithm)
}
logrus.Debugf("generated new %s key for role: %s and keyID: %s", algorithm, role, privKey.ID())
// Store the private key into our keystore
for _, ks := range cs.keyStores {
err = ks.AddKey(trustmanager.KeyInfo{Role: role, Gun: gun}, privKey)
if err == nil {
return data.PublicKeyFromPrivate(privKey), nil
}
}
if err != nil {
return nil, fmt.Errorf("failed to add key to filestore: %v", err)
}
return nil, fmt.Errorf("keystores would not accept new private keys for unknown reasons")
}