// keysImportRoot imports a root key from a PEM file
func keysImportRoot(cmd *cobra.Command, args []string) {
if len(args) < 2 {
cmd.Usage()
fatalf("must specify key ID and input filename for import")
}
keyID := args[0]
importFilename := args[1]
if len(keyID) != idSize {
fatalf("please specify a valid root key ID")
}
parseConfig()
keyStoreManager, err := keystoremanager.NewKeyStoreManager(trustDir, retriever)
if err != nil {
fatalf("failed to create a new truststore manager with directory: %s", trustDir)
}
importFile, err := os.Open(importFilename)
if err != nil {
fatalf("opening file for import: %v", err)
}
defer importFile.Close()
err = keyStoreManager.ImportRootKey(importFile, keyID)
if err != nil {
fatalf("error importing root key: %v", err)
}
}
// NewNotaryRepository is a helper method that returns a new notary repository.
// It takes the base directory under where all the trust files will be stored
// (usually ~/.docker/trust/).
func NewNotaryRepository(baseDir, gun, baseURL string, rt http.RoundTripper,
passphraseRetriever passphrase.Retriever) (*NotaryRepository, error) {
keyStoreManager, err := keystoremanager.NewKeyStoreManager(baseDir, passphraseRetriever)
if err != nil {
return nil, err
}
cryptoService := cryptoservice.NewCryptoService(gun, keyStoreManager.NonRootKeyStore())
nRepo := &NotaryRepository{
gun: gun,
baseDir: baseDir,
baseURL: baseURL,
tufRepoPath: filepath.Join(baseDir, tufDir, filepath.FromSlash(gun)),
cryptoService: cryptoService,
roundTrip: rt,
KeyStoreManager: keyStoreManager,
}
fileStore, err := store.NewFilesystemStore(
nRepo.tufRepoPath,
"metadata",
"json",
"",
)
if err != nil {
return nil, err
}
nRepo.fileStore = fileStore
return nRepo, nil
}
func keysGenerateRootKey(cmd *cobra.Command, args []string) {
if len(args) < 1 {
cmd.Usage()
fatalf("must specify an Algorithm (RSA, ECDSA)")
}
algorithm := args[0]
allowedCiphers := map[string]bool{
"rsa": true,
"ecdsa": true,
}
if !allowedCiphers[strings.ToLower(algorithm)] {
fatalf("algorithm not allowed, possible values are: RSA, ECDSA")
}
parseConfig()
keyStoreManager, err := keystoremanager.NewKeyStoreManager(trustDir, retriever)
if err != nil {
fatalf("failed to create a new truststore manager with directory: %s", trustDir)
}
keyID, err := keyStoreManager.GenRootKey(algorithm)
if err != nil {
fatalf("failed to create a new root key: %v", err)
}
fmt.Printf("Generated new %s key with keyID: %s\n", algorithm, keyID)
}
// keysImport imports keys from a ZIP file
func keysImport(cmd *cobra.Command, args []string) {
if len(args) < 1 {
cmd.Usage()
fatalf("must specify input filename for import")
}
importFilename := args[0]
parseConfig()
keyStoreManager, err := keystoremanager.NewKeyStoreManager(trustDir, retriever)
if err != nil {
fatalf("failed to create a new truststore manager with directory: %s", trustDir)
}
zipReader, err := zip.OpenReader(importFilename)
if err != nil {
fatalf("opening file for import: %v", err)
}
defer zipReader.Close()
err = keyStoreManager.ImportKeysZip(zipReader.Reader)
if err != nil {
fatalf("error importing keys: %v", err)
}
}
func keysList(cmd *cobra.Command, args []string) {
if len(args) > 0 {
cmd.Usage()
os.Exit(1)
}
parseConfig()
keyStoreManager, err := keystoremanager.NewKeyStoreManager(trustDir, retriever)
if err != nil {
fatalf("failed to create a new truststore manager with directory: %s", trustDir)
}
fmt.Println("")
fmt.Println("# Trusted Certificates:")
trustedCerts := keyStoreManager.TrustedCertificateStore().GetCertificates()
for _, c := range trustedCerts {
printCert(c)
}
fmt.Println("")
fmt.Println("# Root keys: ")
for _, k := range keyStoreManager.RootKeyStore().ListKeys() {
fmt.Println(k)
}
fmt.Println("")
fmt.Println("# Signing keys: ")
for _, k := range keyStoreManager.NonRootKeyStore().ListKeys() {
printKey(k)
}
}
// keysRemoveRootKey deletes a root private key based on ID
func keysRemoveRootKey(cmd *cobra.Command, args []string) {
if len(args) < 1 {
cmd.Usage()
fatalf("must specify the key ID of the root key to remove")
}
keyID := args[0]
if len(keyID) != 64 {
fatalf("please enter a valid root key ID")
}
parseConfig()
keyStoreManager, err := keystoremanager.NewKeyStoreManager(trustDir, retriever)
if err != nil {
fatalf("failed to create a new truststore manager with directory: %s", trustDir)
}
// List all the keys about to be removed
fmt.Printf("Are you sure you want to remove the following key?\n%s\n (yes/no)\n", keyID)
// Ask for confirmation before removing keys
confirmed := askConfirm()
if !confirmed {
fatalf("aborting action.")
}
// Remove all the keys under the Global Unique Name
err = keyStoreManager.RootKeyStore().RemoveKey(keyID)
if err != nil {
fatalf("failed to remove root key with key ID: %s", keyID)
}
fmt.Printf("Root key %s removed\n", keyID)
}
// keysRemoveKey deletes a private key based on ID
func keysRemoveKey(cmd *cobra.Command, args []string) {
if len(args) < 1 {
cmd.Usage()
fatalf("must specify the key ID of the key to remove")
}
parseConfig()
keyStoreManager, err := keystoremanager.NewKeyStoreManager(trustDir, retriever)
if err != nil {
fatalf("failed to create a new truststore manager with directory: %s", trustDir)
}
keyID := args[0]
// This is an invalid ID
if len(keyID) != idSize {
fatalf("invalid key ID provided: %s", keyID)
}
// List the key about to be removed
fmt.Println("Are you sure you want to remove the following key?")
fmt.Printf("%s\n(yes/no)\n", keyID)
// Ask for confirmation before removing the key, unless -y is passed
if !keyRemoveYes {
confirmed := askConfirm()
if !confirmed {
fatalf("aborting action.")
}
}
// Choose the correct filestore to remove the key from
keyMap := keyStoreManager.KeyStore.ListKeys()
// Attempt to find the full GUN to the key in the map
// This is irrelevant for removing root keys, but does no harm
var keyWithGUN string
for k := range keyMap {
if filepath.Base(k) == keyID {
keyWithGUN = k
}
}
// If empty, we didn't find any matches
if keyWithGUN == "" {
fatalf("key with key ID: %s not found\n", keyID)
}
// Attempt to remove the key
err = keyStoreManager.KeyStore.RemoveKey(keyWithGUN)
if err != nil {
fatalf("failed to remove key with key ID: %s, %v", keyID, err)
}
}
func keysList(cmd *cobra.Command, args []string) {
if len(args) > 0 {
cmd.Usage()
os.Exit(1)
}
parseConfig()
keyStoreManager, err := keystoremanager.NewKeyStoreManager(trustDir, retriever)
if err != nil {
fatalf("failed to create a new truststore manager with directory: %s", trustDir)
}
// Get a map of all the keys/roles
keysMap := keyStoreManager.KeyStore.ListKeys()
fmt.Println("")
fmt.Println("# Root keys: ")
for k, v := range keysMap {
if v == "root" {
fmt.Println(k)
}
}
fmt.Println("")
fmt.Println("# Signing keys: ")
// Get a list of all the keys
var sortedKeys []string
for k := range keysMap {
sortedKeys = append(sortedKeys, k)
}
// Sort the list of all the keys
sort.Strings(sortedKeys)
// Print a sorted list of the key/role
for _, k := range sortedKeys {
if keysMap[k] != "root" {
printKey(k, keysMap[k])
}
}
}
func certList(cmd *cobra.Command, args []string) {
if len(args) > 0 {
cmd.Usage()
os.Exit(1)
}
parseConfig()
trustDir := mainViper.GetString("trust_dir")
keyStoreManager, err := keystoremanager.NewKeyStoreManager(trustDir)
if err != nil {
fatalf("Failed to create a new truststore manager with directory: %s", trustDir)
}
cmd.Println("")
cmd.Println("# Trusted Certificates:")
trustedCerts := keyStoreManager.TrustedCertificateStore().GetCertificates()
for _, c := range trustedCerts {
printCert(cmd, c)
}
}
// NewNotaryRepository is a helper method that returns a new notary repository.
// It takes the base directory under where all the trust files will be stored
// (usually ~/.docker/trust/).
func NewNotaryRepository(baseDir, gun, baseURL string, rt http.RoundTripper) (*NotaryRepository, error) {
keyStoreManager, err := keystoremanager.NewKeyStoreManager(baseDir)
if err != nil {
return nil, err
}
cryptoService := cryptoservice.NewCryptoService(gun, keyStoreManager.NonRootKeyStore(), "")
nRepo := &NotaryRepository{
gun: gun,
baseDir: baseDir,
baseURL: baseURL,
tufRepoPath: filepath.Join(baseDir, tufDir, filepath.FromSlash(gun)),
cryptoService: cryptoService,
roundTrip: rt,
KeyStoreManager: keyStoreManager,
}
return nRepo, nil
}
// NewNotaryRepository is a helper method that returns a new notary repository.
// It takes the base directory under where all the trust files will be stored
// (usually ~/.docker/trust/).
func NewNotaryRepository(baseDir, gun, baseURL string, rt http.RoundTripper,
retriever passphrase.Retriever) (*NotaryRepository, error) {
fileKeyStore, err := trustmanager.NewKeyFileStore(baseDir, retriever)
if err != nil {
return nil, fmt.Errorf("failed to create private key store in directory: %s", baseDir)
}
keyStoreManager, err := keystoremanager.NewKeyStoreManager(baseDir)
yubiKeyStore, _ := yubikey.NewYubiKeyStore(fileKeyStore, retriever)
var cryptoService signed.CryptoService
if yubiKeyStore == nil {
cryptoService = cryptoservice.NewCryptoService(gun, fileKeyStore)
} else {
cryptoService = cryptoservice.NewCryptoService(gun, yubiKeyStore, fileKeyStore)
}
nRepo := &NotaryRepository{
gun: gun,
baseDir: baseDir,
baseURL: baseURL,
tufRepoPath: filepath.Join(baseDir, tufDir, filepath.FromSlash(gun)),
CryptoService: cryptoService,
roundTrip: rt,
KeyStoreManager: keyStoreManager,
}
fileStore, err := store.NewFilesystemStore(
nRepo.tufRepoPath,
"metadata",
"json",
"",
)
if err != nil {
return nil, err
}
nRepo.fileStore = fileStore
return nRepo, nil
}
// keysExportRoot exports a root key by ID to a PEM file
func keysExportRoot(cmd *cobra.Command, args []string) {
if len(args) < 2 {
cmd.Usage()
fatalf("must specify key ID and output filename for export")
}
keyID := args[0]
exportFilename := args[1]
if len(keyID) != idSize {
fatalf("please specify a valid root key ID")
}
parseConfig()
keyStoreManager, err := keystoremanager.NewKeyStoreManager(trustDir, retriever)
if err != nil {
fatalf("failed to create a new truststore manager with directory: %s", trustDir)
}
exportFile, err := os.Create(exportFilename)
if err != nil {
fatalf("error creating output file: %v", err)
}
if keysExportRootChangePassphrase {
// Must use a different passphrase retriever to avoid caching the
// unlocking passphrase and reusing that.
exportRetriever := passphrase.PromptRetriever()
err = keyStoreManager.ExportRootKeyReencrypt(exportFile, keyID, exportRetriever)
} else {
err = keyStoreManager.ExportRootKey(exportFile, keyID)
}
exportFile.Close()
if err != nil {
os.Remove(exportFilename)
fatalf("error exporting root key: %v", err)
}
}
// keysExport exports a collection of keys to a ZIP file
func keysExport(cmd *cobra.Command, args []string) {
if len(args) < 1 {
cmd.Usage()
fatalf("must specify output filename for export")
}
exportFilename := args[0]
parseConfig()
keyStoreManager, err := keystoremanager.NewKeyStoreManager(trustDir, retriever)
if err != nil {
fatalf("failed to create a new truststore manager with directory: %s", trustDir)
}
exportFile, err := os.Create(exportFilename)
if err != nil {
fatalf("error creating output file: %v", err)
}
// Must use a different passphrase retriever to avoid caching the
// unlocking passphrase and reusing that.
exportRetriever := passphrase.PromptRetriever()
if keysExportGUN != "" {
err = keyStoreManager.ExportKeysByGUN(exportFile, keysExportGUN, exportRetriever)
} else {
err = keyStoreManager.ExportAllKeys(exportFile, exportRetriever)
}
exportFile.Close()
if err != nil {
os.Remove(exportFilename)
fatalf("error exporting keys: %v", err)
}
}
// certRemove deletes a certificate given a cert ID or a gun
func certRemove(cmd *cobra.Command, args []string) {
// If the user hasn't provided -g with a gun, or a cert ID, show usage
// If the user provided -g and a cert ID, also show usage
if (len(args) < 1 && certRemoveGUN == "") || (len(args) > 0 && certRemoveGUN != "") {
cmd.Usage()
fatalf("Must specify the cert ID or the GUN of the certificates to remove")
}
parseConfig()
trustDir := mainViper.GetString("trust_dir")
keyStoreManager, err := keystoremanager.NewKeyStoreManager(trustDir)
if err != nil {
fatalf("Failed to create a new truststore manager with directory: %s", trustDir)
}
var certsToRemove []*x509.Certificate
// If there is no GUN, we expect a cert ID
if certRemoveGUN == "" {
certID := args[0]
// This is an invalid ID
if len(certID) != idSize {
fatalf("Invalid certificate ID provided: %s", certID)
}
// Attempt to find this certificates
cert, err := keyStoreManager.TrustedCertificateStore().GetCertificateByCertID(certID)
if err != nil {
fatalf("Unable to retrieve certificate with cert ID: %s", certID)
}
certsToRemove = append(certsToRemove, cert)
} else {
// We got the -g flag, it's a GUN
certs, err := keyStoreManager.TrustedCertificateStore().GetCertificatesByCN(certRemoveGUN)
if err != nil {
fatalf("%v", err)
}
certsToRemove = append(certsToRemove, certs...)
}
// List all the keys about to be removed
cmd.Printf("The following certificates will be removed:\n\n")
for _, cert := range certsToRemove {
// This error can't occur because we're getting certs off of an
// x509 store that indexes by ID.
certID, _ := trustmanager.FingerprintCert(cert)
cmd.Printf("%s - %s\n", cert.Subject.CommonName, certID)
}
cmd.Println("\nAre you sure you want to remove these certificates? (yes/no)")
// Ask for confirmation before removing certificates, unless -y is provided
if !certRemoveYes {
confirmed := askConfirm()
if !confirmed {
fatalf("Aborting action.")
}
}
// Remove all the certs
for _, cert := range certsToRemove {
err = keyStoreManager.TrustedCertificateStore().RemoveCert(cert)
if err != nil {
fatalf("Failed to remove root certificate for %s", cert.Subject.CommonName)
}
}
}