Add a GetPrivateKey method to cryptoservice so that we can future-proof

cryptoservice having multiple keystores Signed-off-by: Ying Li <ying.li@docker.com>
2026-03-31 16:28:59 +07:00 · 2015-10-29 16:34:40 -07:00
parent 7dc0dbec84
commit 91d54899d7
8 changed files with 38 additions and 4 deletions
--- a/client/client.go
+++ b/client/client.go
@@ -137,7 +137,7 @@ func NewNotaryRepository(baseDir, gun, baseURL string, rt http.RoundTripper,
 // Initialize creates a new repository by using rootKey as the root Key for the
 // TUF repository.
 func (r *NotaryRepository) Initialize(rootKeyID string) error {
-	privKey, _, err := r.cryptoService.GetKey(rootKeyID)
+	privKey, _, err := r.cryptoService.GetPrivateKey(rootKeyID)
 	if err != nil {
 		return err
 	}
--- a/client/client_test.go
+++ b/client/client_test.go
@@ -303,13 +303,13 @@ func testAddListTarget(t *testing.T, rootType string) {
 	rootJSONFile := filepath.Join(tempBaseDir, "tuf", filepath.FromSlash(gun), "metadata", "root.json")
 	rootFileBytes, err := ioutil.ReadFile(rootJSONFile)

-	signedTargets, err := savedTUFRepo.SignTargets("targets", data.DefaultExpires("targets"), nil)
+	signedTargets, err := savedTUFRepo.SignTargets("targets", data.DefaultExpires("targets"))
 	assert.NoError(t, err)

-	signedSnapshot, err := savedTUFRepo.SignSnapshot(data.DefaultExpires("snapshot"), nil)
+	signedSnapshot, err := savedTUFRepo.SignSnapshot(data.DefaultExpires("snapshot"))
 	assert.NoError(t, err)

-	signedTimestamp, err := savedTUFRepo.SignTimestamp(data.DefaultExpires("timestamp"), nil)
+	signedTimestamp, err := savedTUFRepo.SignTimestamp(data.DefaultExpires("timestamp"))
 	assert.NoError(t, err)

 	mux.HandleFunc("/v2/docker.com/notary/_trust/tuf/root.json", func(w http.ResponseWriter, r *http.Request) {
--- a/cryptoservice/crypto_service.go
+++ b/cryptoservice/crypto_service.go
@@ -66,6 +66,11 @@ func (ccs *CryptoService) Create(role, algorithm string) (data.PublicKey, error)
 	return data.PublicKeyFromPrivate(privKey), nil
 }

+// GetPrivateKey returns a private key by ID
+func (ccs *CryptoService) GetPrivateKey(keyID string) (data.PrivateKey, string, error) {
+	return ccs.keyStore.GetKey(keyID)
+}
+
 // GetKey returns a key by ID
 func (ccs *CryptoService) GetKey(keyID string) data.PublicKey {
 	key, _, err := ccs.keyStore.GetKey(keyID)
--- a/signer/api/rsa_hardware_crypto_service.go
+++ b/signer/api/rsa_hardware_crypto_service.go
@@ -120,6 +120,11 @@ func (s *RSAHardwareCryptoService) GetKey(keyID string) data.PublicKey {
 	return key
 }

+// GetPrivateKey is not implemented
+func (s *RSAHardwareCryptoService) GetPrivateKey(keyID string) (data.PrivateKey, string, error) {
+	return nil, "", errors.New("Not yet implemented")
+}
+
 // Sign returns a signature for a given signature request
 func (s *RSAHardwareCryptoService) Sign(keyIDs []string, payload []byte) ([]data.Signature, error) {
 	signatures := make([]data.Signature, 0, len(keyIDs))
--- a/signer/signer_trust.go
+++ b/signer/signer_trust.go
@@ -2,6 +2,7 @@ package signer

 import (
 	"crypto/tls"
+	"errors"
 	"fmt"
 	"net"
 	"time"
@@ -94,6 +95,11 @@ func (trust *NotarySigner) GetKey(keyid string) data.PublicKey {
 	return data.NewPublicKey(publicKey.KeyInfo.Algorithm.Algorithm, publicKey.PublicKey)
 }

+// GetPrivateKey errors in all cases
+func (trust *NotarySigner) GetPrivateKey(keyid string) (data.PrivateKey, string, error) {
+	return nil, "", errors.New("Private key access not permitted.")
+}
+
 // CheckHealth checks the health of one of the clients, since both clients run
 // from the same GRPC server.
 func (trust *NotarySigner) CheckHealth(timeout time.Duration) error {
--- a/tuf/signed/ed25519.go
+++ b/tuf/signed/ed25519.go
@@ -81,3 +81,8 @@ func (e *Ed25519) PublicKeys(keyIDs ...string) (map[string]data.PublicKey, error
 func (e *Ed25519) GetKey(keyID string) data.PublicKey {
 	return data.PublicKeyFromPrivate(e.keys[keyID])
 }
+
+// GetPrivateKey returns a single private key based on the ID
+func (e *Ed25519) GetPrivateKey(keyID string) (data.PrivateKey, string, error) {
+	return e.keys[keyID], "", nil
+}
--- a/tuf/signed/interface.go
+++ b/tuf/signed/interface.go
@@ -25,6 +25,10 @@ type KeyService interface {
 	// GetKey retrieves the public key if present, otherwise it returns nil
 	GetKey(keyID string) data.PublicKey

+	// GetPrivateKey retrieves the private key and role if present, otherwise
+	// it returns nil
+	GetPrivateKey(keyID string) (data.PrivateKey, string, error)
+
 	// RemoveKey deletes the specified key
 	RemoveKey(keyID string) error
 }
--- a/tuf/signed/sign_test.go
+++ b/tuf/signed/sign_test.go
@@ -5,6 +5,7 @@ import (
 	"crypto/rsa"
 	"crypto/x509"
 	"encoding/pem"
+	"errors"
 	"testing"

 	"github.com/docker/notary/trustmanager"
@@ -40,6 +41,10 @@ func (mts *FailingCryptoService) GetKey(keyID string) data.PublicKey {
 	return nil
 }

+func (mts *FailingCryptoService) GetPrivateKey(keyID string) (data.PrivateKey, string, error) {
+	return nil, "", errors.New("Not implemented")
+}
+
 func (mts *FailingCryptoService) RemoveKey(keyID string) error {
 	return nil
 }
@@ -67,6 +72,10 @@ func (mts *MockCryptoService) GetKey(keyID string) data.PublicKey {
 	return nil
 }

+func (mts *MockCryptoService) GetPrivateKey(keyID string) (data.PrivateKey, string, error) {
+	return nil, "", errors.New("Not implemented")
+}
+
 func (mts *MockCryptoService) RemoveKey(keyID string) error {
 	return nil
 }