diff --git a/cmd/notary/keys.go b/cmd/notary/keys.go
index f239c6ebbc..b6e0d226fa 100644
--- a/cmd/notary/keys.go
+++ b/cmd/notary/keys.go
@@ -12,6 +12,7 @@ import (
 "github.com/docker/notary/cryptoservice"
 "github.com/docker/notary/keystoremanager"
 "github.com/docker/notary/passphrase"
+ "github.com/docker/notary/signer/api"
 "github.com/docker/notary/trustmanager"
 "github.com/docker/notary/tuf/data"
 
@@ -119,7 +120,8 @@ func keysRemoveKey(cmd *cobra.Command, args []string) {
 if err != nil {
 fatalf("failed to create private key store in directory: %s", keysPath)
 }
- cs := cryptoservice.NewCryptoService("", fileKeyStore)
+ yubiStore := api.NewYubiKeyStore(retriever)
+ cs := cryptoservice.NewCryptoService("", yubiStore, fileKeyStore)
 
 keyID := args[0]
 
@@ -160,7 +162,8 @@ func keysList(cmd *cobra.Command, args []string) {
 if err != nil {
 fatalf("failed to create private key store in directory: %s", keysPath)
 }
- cs := cryptoservice.NewCryptoService("", fileKeyStore)
+ yubiStore := api.NewYubiKeyStore(retriever)
+ cs := cryptoservice.NewCryptoService("", yubiStore, fileKeyStore)
 
 // Get a map of all the keys/roles
 keysMap := cs.ListAllKeys()
@@ -354,7 +357,8 @@ func keysImportRoot(cmd *cobra.Command, args []string) {
 if err != nil {
 fatalf("failed to create private key store in directory: %s", keysPath)
 }
- cs := cryptoservice.NewCryptoService("", fileKeyStore)
+ yubiStore := api.NewYubiKeyStore(retriever)
+ cs := cryptoservice.NewCryptoService("", yubiStore, fileKeyStore)
 
 importFile, err := os.Open(importFilename)
 if err != nil {
diff --git a/signer/api/ecdsa_hardware_crypto_service.go b/signer/api/ecdsa_hardware_crypto_service.go
index b3fae3b3ba..de730b5073 100644
--- a/signer/api/ecdsa_hardware_crypto_service.go
+++ b/signer/api/ecdsa_hardware_crypto_service.go
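Review bot: The two lines added in keysRemoveKey, `yubiStore := api.NewYubiKeyStore(retriever)` followed by `cs := cryptoservice.NewCryptoService("", yubiStore, fileKeyStore)`, are repeated verbatim in the keysList and keysImportRoot hunks, so the store ordering (hardware store first, file store second) now lives in three places. A small file-local helper, e.g. `cs := newCryptoService(retriever, fileKeyStore)` wrapping `cryptoservice.NewCryptoService("", api.NewYubiKeyStore(retriever), fileKeyStore)`, would keep that ordering in one spot and give it one place to be documented. The single-value assignment shows that NewYubiKeyStore reports no error at these call sites; whether it can fail to reach a token, and what it does then, is not visible from this hunk, and the helper would be the natural place to surface that if it can. The CLI now also depends on the signer's api package for a key store; a comment at the import or the helper explaining why the store lives there would help the next reader. The enclosing functions start and end outside the hunks.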
@@ -366,15 +366,17 @@ func (s *YubiKeyStore) RemoveKey(keyID string) error {
 }
 
 func (s *YubiKeyStore) ExportKey(keyID string) ([]byte, error) {
- // TODO(diogo): actually implement this
 logrus.Debugf("Attempting to export: %s key inside of YubiKeyStore", keyID)
- return nil, nil
+ return nil, errors.New("Keys cannot be exported from a Yubikey.")
 }
 
 func (s *YubiKeyStore) ImportKey(pemBytes []byte, keyID string) error {
- // TODO(diogo): actually implement this
 logrus.Debugf("Attempting to import: %s key inside of YubiKeyStore", keyID)
- return nil
+ privKey, _, err := trustmanager.GetPasswdDecryptBytes(s.passRetriever, pemBytes, "imported", "root")
+ if err != nil {
+ return err
+ }
+ return s.AddKey(privKey.ID(), "root", privKey)
 }
 
 func cleanup(ctx *pkcs11.Ctx, session pkcs11.SessionHandle) {
diff --git a/trustmanager/keyfilestore.go b/trustmanager/keyfilestore.go
index aa3db3743b..ecc9af9709 100644
--- a/trustmanager/keyfilestore.go
+++ b/trustmanager/keyfilestore.go
@@ -197,7 +197,7 @@ func getKey(s LimitedFileStore, passphraseRetriever passphrase.Retriever, cached
 // See if the key is encrypted. If its encrypted we'll fail to parse the private key
 privKey, err := ParsePEMPrivateKey(keyBytes, "")
 if err != nil {
- privKey, _, retErr = getPasswdDecryptBytes(s, passphraseRetriever, keyBytes, name, string(keyAlias))
+ privKey, _, retErr = GetPasswdDecryptBytes(passphraseRetriever, keyBytes, name, string(keyAlias))
 }
 if retErr != nil {
 return nil, "", retErr
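Review bot: The new ImportKey body never consults its keyID parameter: the key is stored under `privKey.ID()` and the role is fixed to "root", so a caller that passes a keyID different from the one derived from the PEM gets no indication of the mismatch. A guard before the AddKey call, `if keyID != "" && keyID != privKey.ID() { return errors.New("imported key ID does not match requested key ID") }`, would make the contract explicit; if keyID is intended to be advisory only, a one-line comment saying so (and that the role is always root) would do instead. The error string in ExportKey, `"Keys cannot be exported from a Yubikey."`, departs from Go convention for error values (lowercase, no trailing punctuation); `errors.New("keys cannot be exported from a yubikey")` reads correctly when wrapped or chained. The "imported" and "root" strings handed to GetPasswdDecryptBytes appear to feed the passphrase prompt, but that function's body is outside this hunk, so I have not relied on it.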
@@ -270,7 +270,7 @@ func getRawKey(s LimitedFileStore, name string) ([]byte, string, error) {
 
 // Get the password to decript the given pem bytes. Return the password,
 // because it is useful for importing
-func getPasswdDecryptBytes(s LimitedFileStore, passphraseRetriever passphrase.Retriever, pemBytes []byte, name, alias string) (data.PrivateKey, string, error) {
+func GetPasswdDecryptBytes(passphraseRetriever passphrase.Retriever, pemBytes []byte, name, alias string) (data.PrivateKey, string, error) {
 var (
 passwd string
 retErr error
@@ -329,7 +329,7 @@ func encryptAndAddKey(s LimitedFileStore, passwd string, cachedKeys map[string]*
 
 func importKey(s LimitedFileStore, passphraseRetriever passphrase.Retriever, cachedKeys map[string]*cachedKey, alias string, pemBytes []byte) error {
- privKey, passphrase, err := getPasswdDecryptBytes(s, passphraseRetriever, pemBytes, "imported", alias)
+ privKey, passphrase, err := GetPasswdDecryptBytes(passphraseRetriever, pemBytes, "imported", alias)
 if err != nil {
 return err
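Review bot: The doc comment above the now-exported GetPasswdDecryptBytes still reads `// Get the password to decript the given pem bytes. Return the password,` — for an exported function it should start with the function name and the typo should go, e.g. `// GetPasswdDecryptBytes decrypts pemBytes with a passphrase obtained from passphraseRetriever and returns the key together with the passphrase that worked, so callers such as importKey can reuse it when re-encrypting.` Dropping the `s LimitedFileStore` parameter means the function no longer touches any store, which is worth stating in the comment now that another package (signer/api in this commit) calls it. How name and alias are used is outside the hunk, so I have not described them; the function body continues past the hunk.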