import-root, list, and remove working with yubikey

Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)
David Lawrence
2015-11-05 11:01:31 -08:00
parent 6ba7335793
commit da18f54699
3 changed files with 16 additions and 10 deletions


@@ -12,6 +12,7 @@ import (
"github.com/docker/notary/cryptoservice"
"github.com/docker/notary/keystoremanager"
"github.com/docker/notary/passphrase"
"github.com/docker/notary/signer/api"
"github.com/docker/notary/trustmanager"
"github.com/docker/notary/tuf/data"
@@ -119,7 +120,8 @@ func keysRemoveKey(cmd *cobra.Command, args []string) {
if err != nil {
fatalf("failed to create private key store in directory: %s", keysPath)
}
cs := cryptoservice.NewCryptoService("", fileKeyStore)
yubiStore := api.NewYubiKeyStore(retriever)
cs := cryptoservice.NewCryptoService("", yubiStore, fileKeyStore)
keyID := args[0]
@@ -160,7 +162,8 @@ func keysList(cmd *cobra.Command, args []string) {
if err != nil {
fatalf("failed to create private key store in directory: %s", keysPath)
}
cs := cryptoservice.NewCryptoService("", fileKeyStore)
yubiStore := api.NewYubiKeyStore(retriever)
cs := cryptoservice.NewCryptoService("", yubiStore, fileKeyStore)
// Get a map of all the keys/roles
keysMap := cs.ListAllKeys()
@@ -354,7 +357,8 @@ func keysImportRoot(cmd *cobra.Command, args []string) {
if err != nil {
fatalf("failed to create private key store in directory: %s", keysPath)
}
cs := cryptoservice.NewCryptoService("", fileKeyStore)
yubiStore := api.NewYubiKeyStore(retriever)
cs := cryptoservice.NewCryptoService("", yubiStore, fileKeyStore)
importFile, err := os.Open(importFilename)
if err != nil {
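Review bot: The same two-line store setup, `yubiStore := api.NewYubiKeyStore(retriever)` followed by `cs := cryptoservice.NewCryptoService("", yubiStore, fileKeyStore)`, is now repeated verbatim in keysRemoveKey, keysList and keysImportRoot; a small helper such as `func newCryptoService(retriever passphrase.Retriever, fileKeyStore trustmanager.KeyStore) signed.CryptoService` would keep the store ordering in one place, since the Yubikey store is deliberately consulted before the file store in all three commands. As written NewYubiKeyStore returns a single value, so nothing here detects the case where no PKCS11 library or device is available; if it can hand back a store that is unusable in that situation, the commands should fall back to the file store alone rather than fail on every list/remove. Because keysRemoveKey now reaches the hardware store, it is worth confirming (it is not visible in the hunk) whether the CryptoService removes the key from every store holding that ID or only the first, as removal of a Yubikey-resident key is irreversible. All three enclosing functions start and end outside the hunk.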


@@ -366,15 +366,17 @@ func (s *YubiKeyStore) RemoveKey(keyID string) error {
}
func (s *YubiKeyStore) ExportKey(keyID string) ([]byte, error) {
// TODO(diogo): actually implement this
logrus.Debugf("Attempting to export: %s key inside of YubiKeyStore", keyID)
return nil, nil
return nil, errors.New("Keys cannot be exported from a Yubikey.")
}
func (s *YubiKeyStore) ImportKey(pemBytes []byte, keyID string) error {
// TODO(diogo): actually implement this
logrus.Debugf("Attempting to import: %s key inside of YubiKeyStore", keyID)
return nil
privKey, _, err := trustmanager.GetPasswdDecryptBytes(s.passRetriever, pemBytes, "imported", "root")
if err != nil {
return err
}
return s.AddKey(privKey.ID(), "root", privKey)
}
func cleanup(ctx *pkcs11.Ctx, session pkcs11.SessionHandle) {
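Review bot: ImportKey hard-codes the role as "root" twice — in the GetPasswdDecryptBytes call and in `s.AddKey(privKey.ID(), "root", privKey)` — so any key routed to this store is registered as a root key regardless of what the caller intended; if the store is only ever meant to hold root keys, a comment saying so, e.g. `// The Yubikey store only holds root keys, so the imported key is always registered under the "root" role.`, would make that constraint explicit, otherwise the role should come from the caller. The new ExportKey error string does not follow Go convention (lowercase, no trailing period): `return nil, errors.New("keys cannot be exported from a Yubikey")`. The leftover `// TODO(diogo): actually implement this` comments, if still present on the new side, no longer describe these bodies and should go. The decrypt error is returned without context, so a caller cannot tell which store rejected the PEM; wrapping it with the store name would help diagnosis.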


@@ -197,7 +197,7 @@ func getKey(s LimitedFileStore, passphraseRetriever passphrase.Retriever, cached
// See if the key is encrypted. If its encrypted we'll fail to parse the private key
privKey, err := ParsePEMPrivateKey(keyBytes, "")
if err != nil {
privKey, _, retErr = getPasswdDecryptBytes(s, passphraseRetriever, keyBytes, name, string(keyAlias))
privKey, _, retErr = GetPasswdDecryptBytes(passphraseRetriever, keyBytes, name, string(keyAlias))
}
if retErr != nil {
return nil, "", retErr
@@ -270,7 +270,7 @@ func getRawKey(s LimitedFileStore, name string) ([]byte, string, error) {
// Get the password to decript the given pem bytes. Return the password,
// because it is useful for importing
func getPasswdDecryptBytes(s LimitedFileStore, passphraseRetriever passphrase.Retriever, pemBytes []byte, name, alias string) (data.PrivateKey, string, error) {
func GetPasswdDecryptBytes(passphraseRetriever passphrase.Retriever, pemBytes []byte, name, alias string) (data.PrivateKey, string, error) {
var (
passwd string
retErr error
@@ -329,7 +329,7 @@ func encryptAndAddKey(s LimitedFileStore, passwd string, cachedKeys map[string]*
func importKey(s LimitedFileStore, passphraseRetriever passphrase.Retriever, cachedKeys map[string]*cachedKey, alias string, pemBytes []byte) error {
privKey, passphrase, err := getPasswdDecryptBytes(s, passphraseRetriever, pemBytes, "imported", alias)
privKey, passphrase, err := GetPasswdDecryptBytes(passphraseRetriever, pemBytes, "imported", alias)
if err != nil {
return err
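Review bot: GetPasswdDecryptBytes is now exported but its doc comment does not start with the function name and keeps the "decript" typo; suggest `// GetPasswdDecryptBytes prompts passphraseRetriever for the passphrase of the PEM-encoded key in pemBytes, decrypts it, and returns the key together with the passphrase so callers can reuse it when importing.`. The dropped LimitedFileStore parameter means the function no longer touches the store at all, which is worth stating so external callers (the Yubikey store now uses it) know it is a pure decrypt helper. The function body continues past the hunk.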