made edits as per cyli's suggestions- using fallbackrole instead of r…

…ole and adding the gun header to keys with a path by path Signed-off-by: Avi Vaid <[email protected]>
notaryproject · Aug 3, 2016 · 2415f47 · 2415f47
1 parent e9c3cb6
commit 2415f47
Show file tree

Hide file tree

Showing 5 changed files with 28 additions and 18 deletions.
diff --git a/cmd/notary/integration_test.go b/cmd/notary/integration_test.go
@@ -102,7 +102,7 @@ func TestInitWithRootKey(t *testing.T) {
 	// create encrypted root key
 	privKey, err := utils.GenerateECDSAKey(rand.Reader)
 	require.NoError(t, err)
-	encryptedPEMPrivKey, err := utils.EncryptPrivateKey(privKey, data.CanonicalRootRole, testPassphrase)
+	encryptedPEMPrivKey, err := utils.EncryptPrivateKey(privKey, data.CanonicalRootRole, "", testPassphrase)
 	require.NoError(t, err)
 	encryptedPEMKeyFilename := filepath.Join(tempDir, "encrypted_key.key")
 	err = ioutil.WriteFile(encryptedPEMKeyFilename, encryptedPEMPrivKey, 0644)
@@ -150,7 +150,7 @@ func TestInitWithRootKey(t *testing.T) {
 	// instead of using a new retriever, we create a new key with a different pass
 	badPassPrivKey, err := utils.GenerateECDSAKey(rand.Reader)
 	require.NoError(t, err)
-	badPassPEMPrivKey, err := utils.EncryptPrivateKey(badPassPrivKey, data.CanonicalRootRole, "bad_pass")
+	badPassPEMPrivKey, err := utils.EncryptPrivateKey(badPassPrivKey, data.CanonicalRootRole, "", "bad_pass")
 	require.NoError(t, err)
 	badPassPEMKeyFilename := filepath.Join(tempDir, "badpass_key.key")
 	err = ioutil.WriteFile(badPassPEMKeyFilename, badPassPEMPrivKey, 0644)
@@ -1398,7 +1398,7 @@ func TestClientKeyImportExportOnly(t *testing.T) {
 	privKey, err := utils.GenerateECDSAKey(rand.Reader)
 	require.NoError(t, err)
 
-	pemBytes, err := utils.EncryptPrivateKey(privKey, "root", "")
+	pemBytes, err := utils.EncryptPrivateKey(privKey, "root", "", "")
 	require.NoError(t, err)
 
 	nBytes, err := tempFile.Write(pemBytes)
@@ -1426,7 +1426,7 @@ func TestClientKeyImportExportOnly(t *testing.T) {
 	privKey, err = utils.GenerateECDSAKey(rand.Reader)
 	require.NoError(t, err)
 
-	pemBytes, err = utils.EncryptPrivateKey(privKey, "", "")
+	pemBytes, err = utils.EncryptPrivateKey(privKey, "", "", "")
 	require.NoError(t, err)
 
 	nBytes, err = tempFile2.Write(pemBytes)
@@ -1452,7 +1452,7 @@ func TestClientKeyImportExportOnly(t *testing.T) {
 	privKey, err = utils.GenerateECDSAKey(rand.Reader)
 	require.NoError(t, err)
 
-	pemBytes, err = utils.EncryptPrivateKey(privKey, "", "")
+	pemBytes, err = utils.EncryptPrivateKey(privKey, "", "", "")
 	require.NoError(t, err)
 
 	nBytes, err = tempFile3.Write(pemBytes)
@@ -1478,7 +1478,7 @@ func TestClientKeyImportExportOnly(t *testing.T) {
 	privKey, err = utils.GenerateECDSAKey(rand.Reader)
 	require.NoError(t, err)
 
-	pemBytes, err = utils.EncryptPrivateKey(privKey, "", "")
+	pemBytes, err = utils.EncryptPrivateKey(privKey, "", "", "")
 	require.NoError(t, err)
 
 	nBytes, err = tempFile4.Write(pemBytes)
@@ -1507,7 +1507,7 @@ func TestClientKeyImportExportOnly(t *testing.T) {
 	privKey, err = utils.GenerateECDSAKey(rand.Reader)
 	require.NoError(t, err)
 
-	pemBytes, err = utils.EncryptPrivateKey(privKey, "root", testPassphrase)
+	pemBytes, err = utils.EncryptPrivateKey(privKey, "root", "", testPassphrase)
 	require.NoError(t, err)
 
 	nBytes, err = tempFile5.Write(pemBytes)
@@ -1533,7 +1533,7 @@ func TestClientKeyImportExportOnly(t *testing.T) {
 	privKey, err = utils.GenerateECDSAKey(rand.Reader)
 	require.NoError(t, err)
 
-	pemBytes, err = utils.EncryptPrivateKey(privKey, "", "")
+	pemBytes, err = utils.EncryptPrivateKey(privKey, "", "", "")
 	require.NoError(t, err)
 
 	nBytes, err = tempFile6.Write(pemBytes)

diff --git a/trustmanager/keystore.go b/trustmanager/keystore.go
@@ -152,7 +152,7 @@ func (s *GenericKeyStore) AddKey(keyInfo KeyInfo, privKey data.PrivateKey) error
 	}
 
 	if chosenPassphrase != "" {
-		pemPrivKey, err = utils.EncryptPrivateKey(privKey, keyInfo.Role, chosenPassphrase)
+		pemPrivKey, err = utils.EncryptPrivateKey(privKey, keyInfo.Role, "", chosenPassphrase)
 	} else {
 		pemPrivKey, err = utils.KeyToPEM(privKey, keyInfo.Role)
 	}

diff --git a/tuf/utils/x509.go b/tuf/utils/x509.go
@@ -421,7 +421,7 @@ func KeyToPEM(privKey data.PrivateKey, role string) ([]byte, error) {
 
 // EncryptPrivateKey returns an encrypted PEM key given a Privatekey
 // and a passphrase
-func EncryptPrivateKey(key data.PrivateKey, role, passphrase string) ([]byte, error) {
+func EncryptPrivateKey(key data.PrivateKey, role, gun, passphrase string) ([]byte, error) {
 	bt, err := blockType(key)
 	if err != nil {
 		return nil, err
@@ -443,6 +443,9 @@ func EncryptPrivateKey(key data.PrivateKey, role, passphrase string) ([]byte, er
 		return nil, fmt.Errorf("unable to encrypt key - invalid PEM file produced")
 	}
 	encryptedPEMBlock.Headers["role"] = role
+	if gun != "" {
+		encryptedPEMBlock.Headers["gun"] = gun
+	}
 
 	return pem.EncodeToMemory(encryptedPEMBlock), nil
 }

diff --git a/tuf/utils/x509_test.go b/tuf/utils/x509_test.go
@@ -124,15 +124,15 @@ func TestKeyOperations(t *testing.T) {
 	require.Equal(t, rsaKey.Private(), decodedRSAKey.Private())
 
 	// Encrypt our ED Key
-	encryptedEDKey, err := EncryptPrivateKey(edKey, "root", "ponies")
+	encryptedEDKey, err := EncryptPrivateKey(edKey, "root", "", "ponies")
 	require.NoError(t, err)
 
 	// Encrypt our EC Key
-	encryptedECKey, err := EncryptPrivateKey(ecKey, "root", "ponies")
+	encryptedECKey, err := EncryptPrivateKey(ecKey, "root", "", "ponies")
 	require.NoError(t, err)
 
 	// Encrypt our RSA Key
-	encryptedRSAKey, err := EncryptPrivateKey(rsaKey, "root", "ponies")
+	encryptedRSAKey, err := EncryptPrivateKey(rsaKey, "root", "", "ponies")
 	require.NoError(t, err)
 
 	// Check to see if ED key it is encrypted

diff --git a/utils/keys.go b/utils/keys.go
@@ -94,7 +94,7 @@ func ExportKeys(to io.Writer, s Exporter, from string) error {
 // Each block is written to the subpath indicated in the "path" PEM
 // header. If the file already exists, the file is truncated. Multiple
 // adjacent PEMs with the same "path" header are appended together.
-func ImportKeys(from io.Reader, to []Importer, role string, gun string, passRet notary.PassRetriever) error {
+func ImportKeys(from io.Reader, to []Importer, fallbackRole string, fallbackGun string, passRet notary.PassRetriever) error {
 	data, err := ioutil.ReadAll(from)
 	if err != nil {
 		return err
@@ -106,11 +106,18 @@ func ImportKeys(from io.Reader, to []Importer, role string, gun string, passRet
 	for block, rest := pem.Decode(data); block != nil; block, rest = pem.Decode(rest) {
 		if block.Headers["role"] == "" {
 			// no worries about if check as for GUN here because empty roles will get a role:notary.DefaultImportRole
-			block.Headers["role"] = role
+			block.Headers["role"] = fallbackRole
+		}
+		if rawPath := block.Headers["path"]; rawPath != "" {
+			pathWOFileName := strings.TrimSuffix(rawPath, filepath.Base(rawPath))
+			if strings.Contains(pathWOFileName, notary.NonRootKeysSubdir) {
+				gunName := strings.TrimPrefix(pathWOFileName, notary.NonRootKeysSubdir)
+				block.Headers["gun"] = gunName[1:(len(gunName) - 1)] //removes the slashes
+			}
 		}
 		if block.Headers["gun"] == "" {
-			if gun != "" {
-				block.Headers["gun"] = gun
+			if fallbackGun != "" {
+				block.Headers["gun"] = fallbackGun
 			}
 		}
 		loc, ok := block.Headers["path"]
@@ -174,7 +181,7 @@ func ImportKeys(from io.Reader, to []Importer, role string, gun string, passRet
 				}
 				break
 			}
-			toSave, _ = utils.EncryptPrivateKey(privKey, block.Headers["role"], chosenPassphrase)
+			toSave, _ = utils.EncryptPrivateKey(privKey, block.Headers["role"], block.Headers["gun"], chosenPassphrase)
 		}
 
 		toWrite = append(toWrite, toSave...)