// readRootKey reads the PEM file at rootKeyFile, requires that it passes
// cryptoservice.CheckRootKeyIsEncrypted, then hands it to
// trustmanager.GetPasswdDecryptBytes together with retriever and returns the
// resulting data.PrivateKey. It returns an error if the file cannot be opened
// or read, if the encryption check fails, or if decryption fails.
func readRootKey(rootKeyFile string, retriever notary.PassRetriever) (data.PrivateKey, error) {
	f, openErr := os.Open(rootKeyFile)
	if openErr != nil {
		return nil, fmt.Errorf("Opening file to import as a root key: %v", openErr)
	}
	defer f.Close()

	pemBytes, readErr := ioutil.ReadAll(f)
	if readErr != nil {
		return nil, fmt.Errorf("Error reading input root key file: %v", readErr)
	}

	// The encryption check runs before any decryption attempt, so a key that
	// fails it is rejected without ever consulting the retriever.
	if checkErr := cryptoservice.CheckRootKeyIsEncrypted(pemBytes); checkErr != nil {
		return nil, checkErr
	}

	// Decrypt with a passphrase supplied through retriever; the key is always
	// treated as belonging to the canonical root role here.
	privKey, _, decErr := trustmanager.GetPasswdDecryptBytes(retriever, pemBytes, "", data.CanonicalRootRole)
	if decErr != nil {
		return nil, decErr
	}
	return privKey, nil
}
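// tufInit initializes a new TUF repository for the GUN given as the first
// argument. When t.rootKey is set, that PEM file is loaded through
// readRootKey (which enforces that the root key is encrypted) and imported
// into the repository's CryptoService; otherwise the first existing root key
// in the CryptoService is used, and if there is none a new ECDSA root key is
// created.
//
// Returns an error if the GUN is missing, if configuration, transport,
// trust-pinning or repository construction fails, if the root key cannot be
// read, decrypted, created or imported, or if nRepo.Initialize fails.
func (t *tufCommander) tufInit(cmd *cobra.Command, args []string) error {
	if len(args) < 1 {
		cmd.Usage()
		return fmt.Errorf("Must specify a GUN")
	}

	config, err := t.configGetter()
	if err != nil {
		return err
	}

	gun := args[0]

	rt, err := getTransport(config, gun, readWrite)
	if err != nil {
		return err
	}

	trustPin, err := getTrustPinning(config)
	if err != nil {
		return err
	}

	nRepo, err := notaryclient.NewNotaryRepository(
		config.GetString("trust_dir"), gun, getRemoteTrustServer(config), rt, t.retriever, trustPin)
	if err != nil {
		return err
	}

	var rootKeyList []string
	if t.rootKey != "" {
		// readRootKey performs the open/read/encryption-check/decrypt sequence
		// that was previously duplicated inline here, so the rule that an
		// imported root key must be encrypted is enforced in one place.
		var privKey data.PrivateKey
		privKey, err = readRootKey(t.rootKey, t.retriever)
		if err != nil {
			return err
		}
		if err = nRepo.CryptoService.AddKey(data.CanonicalRootRole, "", privKey); err != nil {
			return fmt.Errorf("Error importing key: %v", err)
		}
		rootKeyList = []string{data.PublicKeyFromPrivate(privKey).ID()}
	} else {
		rootKeyList = nRepo.CryptoService.ListKeys(data.CanonicalRootRole)
	}

	var rootKeyID string
	if len(rootKeyList) < 1 {
		cmd.Println("No root keys found. Generating a new root key...")
		rootPublicKey, createErr := nRepo.CryptoService.Create(data.CanonicalRootRole, "", data.ECDSAKey)
		// Check the error before using rootPublicKey: the original code called
		// ID() first, which would panic if Create returns a nil key on failure.
		if createErr != nil {
			return createErr
		}
		rootKeyID = rootPublicKey.ID()
	} else {
		// Chooses the first root key available, which is initialization specific
		// but should return the HW one first.
		rootKeyID = rootKeyList[0]
		cmd.Printf("Root key found, using: %s\n", rootKeyID)
	}

	return nRepo.Initialize([]string{rootKeyID})
}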
// keysImport imports a private key from a PEM file for a role.
//
// The role is taken from --role (k.keysImportRole) when given, otherwise from
// the PEM headers via trustmanager.ReadRoleFromPEM; if both are present they
// must agree. Keys for the targets or snapshot role also require
// k.keysImportGUN to be set. A root key must pass
// cryptoservice.CheckRootKeyIsEncrypted. The PEM is first parsed with an
// empty passphrase and, if that fails, decrypted with a passphrase obtained
// through k.getRetriever() before being added to the configured key stores.
func (k *keyCommander) keysImport(cmd *cobra.Command, args []string) error {
	if len(args) != 1 {
		cmd.Usage()
		return fmt.Errorf("Must specify input filename for import")
	}

	config, err := k.configGetter()
	if err != nil {
		return err
	}
	ks, err := k.getKeyStores(config, true, false)
	if err != nil {
		return err
	}

	importFilename := args[0]
	importFile, err := os.Open(importFilename)
	if err != nil {
		return fmt.Errorf("Opening file for import: %v", err)
	}
	defer importFile.Close()

	pemBytes, err := ioutil.ReadAll(importFile)
	if err != nil {
		return fmt.Errorf("Error reading input file: %v", err)
	}

	pemRole := trustmanager.ReadRoleFromPEM(pemBytes)
	flagRole := k.keysImportRole

	// Resolve the role to import under, preferring --role over the PEM header.
	var importRole string
	switch {
	case pemRole == "" && flagRole == "":
		return fmt.Errorf("Could not infer role, and no role was specified for key")
	case pemRole != "" && flagRole != "" && pemRole != flagRole:
		return fmt.Errorf("Specified role %s does not match role %s in PEM headers", flagRole, pemRole)
	case flagRole != "":
		importRole = flagRole
	default:
		importRole = pemRole
	}

	// targets and snapshot keys are scoped to a GUN, so one must be given.
	needsGUN := importRole == data.CanonicalTargetsRole || importRole == data.CanonicalSnapshotRole
	if needsGUN && k.keysImportGUN == "" {
		return fmt.Errorf("Must specify GUN for %s key", importRole)
	}

	// Root keys must be encrypted.
	if importRole == data.CanonicalRootRole {
		if err = cryptoservice.CheckRootKeyIsEncrypted(pemBytes); err != nil {
			return err
		}
	}

	cs := cryptoservice.NewCryptoService(ks...)

	// Try an unencrypted parse first; on failure fall back to decrypting with
	// a passphrase from the retriever.
	privKey, err := trustmanager.ParsePEMPrivateKey(pemBytes, "")
	if err != nil {
		privKey, _, err = trustmanager.GetPasswdDecryptBytes(k.getRetriever(), pemBytes, "", "imported "+importRole)
		if err != nil {
			return err
		}
	}

	if err = cs.AddKey(importRole, k.keysImportGUN, privKey); err != nil {
		return fmt.Errorf("Error importing key: %v", err)
	}
	return nil
}