From 91d54899d77e5f475fb7b919085f94dfb1ed520a Mon Sep 17 00:00:00 2001
From: Ying Li
Date: Thu, 29 Oct 2015 16:34:40 -0700
Subject: [PATCH] Add a GetPrivateKey method to cryptoservice so that we can future-proof cryptoservice having multiple keystores

Signed-off-by: Ying Li
---
 client/client.go | 2 +-
 client/client_test.go | 6 +++---
 cryptoservice/crypto_service.go | 5 +++++
 signer/api/rsa_hardware_crypto_service.go | 5 +++++
 signer/signer_trust.go | 6 ++++++
 tuf/signed/ed25519.go | 5 +++++
 tuf/signed/interface.go | 4 ++++
 tuf/signed/sign_test.go | 9 +++++++++
 8 files changed, 38 insertions(+), 4 deletions(-)

diff --git a/client/client.go b/client/client.go
index fa9954d604..ccadf7d613 100644
--- a/client/client.go
+++ b/client/client.go
@@ -137,7 +137,7 @@ func NewNotaryRepository(baseDir, gun, baseURL string, rt http.RoundTripper,
 // Initialize creates a new repository by using rootKey as the root Key for the
 // TUF repository.
 func (r *NotaryRepository) Initialize(rootKeyID string) error {
- privKey, _, err := r.cryptoService.GetKey(rootKeyID)
+ privKey, _, err := r.cryptoService.GetPrivateKey(rootKeyID)
 if err != nil {
 return err
 }
diff --git a/client/client_test.go b/client/client_test.go
index 949d0568bd..eb2864ff52 100644
--- a/client/client_test.go
+++ b/client/client_test.go
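Review bot: The role string that GetPrivateKey now returns is discarded on the changed line, so Initialize accepts any key ID as the root key regardless of the role it was stored under. Since the value is now available, checking it before continuing would reject a targets or snapshot key passed in by mistake, e.g. `privKey, role, err := r.cryptoService.GetPrivateKey(rootKeyID)` followed by `if role != <root role constant> { return fmt.Errorf("key %s has role %q, expected root", rootKeyID, role) }` (or errors.New if fmt is not imported in client.go). Whether the key store records a role for root keys is not visible in this patch, so confirm that before adding the check. Initialize's body continues outside the hunk.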
@@ -303,13 +303,13 @@ func testAddListTarget(t *testing.T, rootType string) {
 rootJSONFile := filepath.Join(tempBaseDir, "tuf", filepath.FromSlash(gun), "metadata", "root.json")
 rootFileBytes, err := ioutil.ReadFile(rootJSONFile)
- signedTargets, err := savedTUFRepo.SignTargets("targets", data.DefaultExpires("targets"), nil)
+ signedTargets, err := savedTUFRepo.SignTargets("targets", data.DefaultExpires("targets"))
 assert.NoError(t, err)
- signedSnapshot, err := savedTUFRepo.SignSnapshot(data.DefaultExpires("snapshot"), nil)
+ signedSnapshot, err := savedTUFRepo.SignSnapshot(data.DefaultExpires("snapshot"))
 assert.NoError(t, err)
- signedTimestamp, err := savedTUFRepo.SignTimestamp(data.DefaultExpires("timestamp"), nil)
+ signedTimestamp, err := savedTUFRepo.SignTimestamp(data.DefaultExpires("timestamp"))
 assert.NoError(t, err)
 mux.HandleFunc("/v2/docker.com/notary/_trust/tuf/root.json", func(w http.ResponseWriter, r *http.Request) {
diff --git a/cryptoservice/crypto_service.go b/cryptoservice/crypto_service.go
index 64caa8b682..8f39ee90ee 100644
--- a/cryptoservice/crypto_service.go
+++ b/cryptoservice/crypto_service.go
@@ -66,6 +66,11 @@ func (ccs *CryptoService) Create(role, algorithm string) (data.PublicKey, error)
 return data.PublicKeyFromPrivate(privKey), nil
 }
+// GetPrivateKey returns a private key by ID
+func (ccs *CryptoService) GetPrivateKey(keyID string) (data.PrivateKey, string, error) {
+ return ccs.keyStore.GetKey(keyID)
+}
+
 // GetKey returns a key by ID
 func (ccs *CryptoService) GetKey(keyID string) data.PublicKey {
 key, _, err := ccs.keyStore.GetKey(keyID)
diff --git a/signer/api/rsa_hardware_crypto_service.go b/signer/api/rsa_hardware_crypto_service.go
index 67a60bdd37..dba643f89b 100644
--- a/signer/api/rsa_hardware_crypto_service.go
+++ b/signer/api/rsa_hardware_crypto_service.go
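Review bot: The three changed lines drop the trailing `nil` argument from SignTargets, SignSnapshot and SignTimestamp, which is unrelated to the GetPrivateKey addition described in the subject, and the matching signature change in the tuf package is not part of this patch. If those signatures changed in another commit this hunk belongs there; otherwise the test will not compile against the tree shown here. testAddListTarget starts and ends outside the hunk.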
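Review bot: The doc comment on the added GetPrivateKey in crypto_service.go does not say what the second return value is, even though the KeyService interface describes it as the role, nor that the error is passed through from the key store unchanged. Suggest `// GetPrivateKey returns the private key stored under keyID together with the role it was stored under, or the key store's error when no such key exists.` The commit message speaks of future-proofing for multiple key stores, but the body still reads from the single ccs.keyStore; a one-line note that the lookup order across stores is to be defined here would record that intent for the next reader.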
@@ -120,6 +120,11 @@ func (s *RSAHardwareCryptoService) GetKey(keyID string) data.PublicKey {
 return key
 }
+// GetPrivateKey is not implemented
+func (s *RSAHardwareCryptoService) GetPrivateKey(keyID string) (data.PrivateKey, string, error) {
+ return nil, "", errors.New("Not yet implemented")
+}
+
 // Sign returns a signature for a given signature request
 func (s *RSAHardwareCryptoService) Sign(keyIDs []string, payload []byte) ([]data.Signature, error) {
 signatures := make([]data.Signature, 0, len(keyIDs))
diff --git a/signer/signer_trust.go b/signer/signer_trust.go
index 9fc7612777..9f7264077f 100644
--- a/signer/signer_trust.go
+++ b/signer/signer_trust.go
@@ -2,6 +2,7 @@ package signer
 import (
 "crypto/tls"
+ "errors"
 "fmt"
 "net"
 "time"
@@ -94,6 +95,11 @@ func (trust *NotarySigner) GetKey(keyid string) data.PublicKey {
 return data.NewPublicKey(publicKey.KeyInfo.Algorithm.Algorithm, publicKey.PublicKey)
 }
+// GetPrivateKey errors in all cases
+func (trust *NotarySigner) GetPrivateKey(keyid string) (data.PrivateKey, string, error) {
+ return nil, "", errors.New("Private key access not permitted.")
+}
+
 // CheckHealth checks the health of one of the clients, since both clients run
 // from the same GRPC server.
 func (trust *NotarySigner) CheckHealth(timeout time.Duration) error {
diff --git a/tuf/signed/ed25519.go b/tuf/signed/ed25519.go
index d7b08d8e10..cbc1e64bd1 100644
--- a/tuf/signed/ed25519.go
+++ b/tuf/signed/ed25519.go
@@ -81,3 +81,8 @@ func (e *Ed25519) PublicKeys(keyIDs ...string) (map[string]data.PublicKey, error
 func (e *Ed25519) GetKey(keyID string) data.PublicKey {
 return data.PublicKeyFromPrivate(e.keys[keyID])
 }
+
+// GetPrivateKey returns a single private key based on the ID
+func (e *Ed25519) GetPrivateKey(keyID string) (data.PrivateKey, string, error) {
+ return e.keys[keyID], "", nil
+}
diff --git a/tuf/signed/interface.go b/tuf/signed/interface.go
index b83fb76651..4cc6a53d35 100644
--- a/tuf/signed/interface.go
+++ b/tuf/signed/interface.go
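Review bot: The error strings on the added lines — `errors.New("Not yet implemented")` here, `errors.New("Private key access not permitted.")` in signer_trust.go and `errors.New("Not implemented")` in both sign_test.go stubs — are capitalised and one ends with a period, whereas Go error strings are lowercase without trailing punctuation because they are usually embedded in longer messages. Suggest `return nil, "", errors.New("not yet implemented")` here and `errors.New("private key access not permitted")` in signer_trust.go. The stub also ignores keyID, which is fine, but the doc comment could say so: `// GetPrivateKey is not implemented for RSAHardwareCryptoService and always returns an error.`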
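Review bot: The doc comment `// GetPrivateKey errors in all cases` in signer_trust.go states the behaviour but not that it is deliberate, so a later reader may mistake it for a stub to be filled in like the one in rsa_hardware_crypto_service.go. Suggest `// GetPrivateKey always returns an error: NotarySigner never hands private key material to its callers, so signing must go through the signer's own signing path.` Whether NotarySigner exposes a Sign method is outside this hunk; adjust the last clause to name it if it does.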
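Review bot: On the added return line in ed25519.go a keyID that is not in e.keys yields a nil PrivateKey with a nil error, so a caller that only checks err — Initialize in client/client.go does exactly that — goes on to use a nil key. The other implementations in this patch report absence as an error, and the interface comment does not settle which is right, so the lookup should use the comma-ok form and return an error for a missing key. This needs the errors package (or fmt) in ed25519.go's import block, which is outside the hunk. The type of e.keys is not visible here; the code below assumes its values are data.PrivateKey, as the unchanged GetKey line suggests.
```go
// GetPrivateKey returns the private key stored under keyID, or an error if there is none.
func (e *Ed25519) GetPrivateKey(keyID string) (data.PrivateKey, string, error) {
	key, ok := e.keys[keyID]
	if !ok {
		return nil, "", errors.New("no private key with that ID")
	}
	return key, "", nil
}
```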
@@ -25,6 +25,10 @@ type KeyService interface {
 // GetKey retrieves the public key if present, otherwise it returns nil
 GetKey(keyID string) data.PublicKey
+ // GetPrivateKey retrieves the private key and role if present, otherwise
+ // it returns nil
+ GetPrivateKey(keyID string) (data.PrivateKey, string, error)
+
 // RemoveKey deletes the specified key
 RemoveKey(keyID string) error
 }
diff --git a/tuf/signed/sign_test.go b/tuf/signed/sign_test.go
index c8c047eec8..b9a93dbf2e 100644
--- a/tuf/signed/sign_test.go
+++ b/tuf/signed/sign_test.go
@@ -5,6 +5,7 @@ import (
 "crypto/rsa"
 "crypto/x509"
 "encoding/pem"
+ "errors"
 "testing"
 "github.com/docker/notary/trustmanager"
@@ -40,6 +41,10 @@ func (mts *FailingCryptoService) GetKey(keyID string) data.PublicKey {
 return nil
 }
+func (mts *FailingCryptoService) GetPrivateKey(keyID string) (data.PrivateKey, string, error) {
+ return nil, "", errors.New("Not implemented")
+}
+
 func (mts *FailingCryptoService) RemoveKey(keyID string) error {
 return nil
 }
@@ -67,6 +72,10 @@ func (mts *MockCryptoService) GetKey(keyID string) data.PublicKey {
 return nil
 }
+func (mts *MockCryptoService) GetPrivateKey(keyID string) (data.PrivateKey, string, error) {
+ return nil, "", errors.New("Not implemented")
+}
+
 func (mts *MockCryptoService) RemoveKey(keyID string) error {
 return nil
 }
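Review bot: The added comment in interface.go says GetPrivateKey `returns nil` when the key is absent, but the method also returns an error, and the implementations in this patch disagree on which signals absence: Ed25519 returns a nil key with a nil error while CryptoService, NotarySigner and RSAHardwareCryptoService return errors. The interface comment is where that contract should be fixed, and it should also name the string return. Suggest replacing the two comment lines with `// GetPrivateKey retrieves the private key and the role it is stored under.` and `// A non-nil error means the key is not present or private key access is not permitted.` so every implementation can be checked against it. KeyService starts before the hunk.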