centersl/docker-docs
1
0
Fork 0
mirror of https://github.com/docker/docs.git synced 2026-04-12 06:19:22 +07:00
Code Issues Packages Projects Releases Wiki Activity
1,392 Commits 57 Branches 28 Tags
1c4d02455bbbbb1de77eb0dafe9081173faab377
Commit Graph

183 Commits

Author SHA1 Message Date
Riyaz Faizullabhoy
2964e8c6f4 add integration test for adding/listing/removing targets from roles 
Signed-off-by: Riyaz Faizullabhoy <riyaz.faizullabhoy@docker.com>
 2016-01-28 10:20:27 -08:00
Riyaz Faizullabhoy
83c5ed255b Add check for RSA key len before adding 
Signed-off-by: Riyaz Faizullabhoy <riyaz.faizullabhoy@docker.com>
 2016-01-26 23:27:06 -08:00
Riyaz Faizullabhoy
138d6cea09 Add, remove, and list delegation command. TUF changelist action change 
for deletions (force vs. individual items)
Signed-off-by: Riyaz Faizullabhoy <riyaz.faizullabhoy@docker.com>
 2016-01-18 16:24:45 -08:00
HuKeping
fdc0f04268 Keep code style consistent 
GetLeafCerts and GetIntermediaCerts are similiar and a consistent
implementation will be more friendly to those people who wants to read
the code.

Signed-off-by: Hu Keping <hukeping@huawei.com>
 2016-01-18 19:58:02 +08:00
Ying Li
877d47bb5c Add tests to ensure you can just drop a key in tuf_key and use it for signing. 
This is important for user keys, which do not necessarily need to be under a GUN,
and may have a role other than one of the canonical roles (e.g. "user" role).

Signed-off-by: Ying Li <ying.li@docker.com>
 2016-01-15 18:54:41 -08:00
David Lawrence
48ecd8d2cb some cleanup of certs code 
Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)
 2016-01-15 11:30:32 -08:00
Udo Seidel
f1067998f6 added /usr/lib64 to search paths 
Signed-off-by: Udo Seidel <udoseidel@gmx.de>
 2016-01-07 11:56:22 +01:00
Ying Li
0465365fb6 Return an error if unable to encrypt a key as a valid PEM file 
Also address review comments and fix semantic conflict after rebase.

Signed-off-by: Ying Li <ying.li@docker.com>
 2015-12-23 09:44:51 -08:00
David Lawrence
2bf5d4b09a test for legacy keys and some bugfixes for same 
Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)
 2015-12-23 09:41:03 -08:00
David Lawrence
f2ec72b5b6 aliases removed from file names 
Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)
 2015-12-23 09:41:03 -08:00
David Lawrence
6d5b8ff54a add role into PEM headers 
Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)
 2015-12-23 09:41:03 -08:00
David Lawrence
1f329868e8 making filestores consistent so you can Get, Remove, etc... the paths returned by ListFiles 
Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)
 2015-12-23 09:41:03 -08:00
David Lawrence
8f7fddd5d5 breaking up low level storage into logical files 
Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)
 2015-12-23 09:41:03 -08:00
Miloslav Trmač
06e58c1d11 Tighten TestNewCertificate tests 
Using the just added facility to generate a certificate as of a specific
time, tighten TestNewCertificate to use equality comparisons.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
 2015-12-09 20:02:10 +01:00
Miloslav Trmač
bd6d937f43 Fix computation of certificate expiration 
Instead of 3650 days, actually use 10 years (i.e. take into account leap
days).

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
 2015-12-09 20:02:10 +01:00
Miloslav Trmač
3c6335c572 Explicitly supply validity times to certificate generation 
Add explicit startTime and endTime parameters to
cryptoservice.GenerateCertificate and trustmanager.NewCertificate.

trustmanager.NewCertificate as a low-level data manipulation function
should not be hard-coding policy (10-year expiration); that policy
belongs to its callers, or one more level higher to callers of
cryptoservice.GenerateCertificate.

These places hard-coding policy now also have an explict comment to
that effect.

In addition to conceptual cleanliness, this will allow writing tests
of certificate expiry by generating appropriate expired or nearly-expired
certificates.

Tests which don't care about the policy much will continue to use the
just added cryptoservice.GenerateTestingCertificate.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
 2015-12-09 20:02:10 +01:00
Ying Li
68962ce0f7 Merge pull request #281 from docker/better-pkcs11-logging 
Log whether a pkcs11 library was found and if it was loadable.

This unfortunately prints out every time any operation is done on the Yubikey, producing a lot of log output, but perhaps that is better because an operation might fail at any given time.

Output if no Yubikey:
DEBU[0000] Failed to initialize PKCS11 environment: loaded library /usr/local/lib/libykcs11.dylib, but no HSM slots found 

If there is a Yubikey:
DEBU[0000] Initialized PKCS11 library /usr/local/lib/libykcs11.dylib and started HSM session
 2015-11-13 15:51:11 -08:00
Ying Li
f9bd60701f Log whether a pkcs11 library was found and if it was loadable. 
Signed-off-by: Ying Li <ying.li@docker.com>
 2015-11-13 02:53:39 -08:00
Ying Li
587906e6c6 More defensive coding around listing our keys in the yubikey. 
Signed-off-by: Ying Li <ying.li@docker.com>
 2015-11-13 00:08:53 -08:00
Diogo Monica
d2f69fe5bc Adding another path to search for ykcs libs 
Signed-off-by: Diogo Monica <diogo@docker.com>
 2015-11-12 01:22:40 -08:00
Ying Li
87231d9a5d Fix new bug where adding a duplicate key to a yubikey added to the backup. 
Added a test for this case as well - thanks @endophage!

Signed-off-by: Ying Li <ying.li@docker.com>
Signed-off-by: David Lawrence <david.lawrence@docker.com>

Signed-off-by: Ying Li <ying.li@docker.com> (github: endophage)
 2015-11-12 01:13:58 -08:00
Ying Li
43f2d40e43 Make our CI pick up trustmanager/yubikey again 
Signed-off-by: Ying Li <ying.li@docker.com>
Signed-off-by: David Lawrence <david.lawrence@docker.com>

Signed-off-by: Ying Li <ying.li@docker.com> (github: endophage)
 2015-11-12 01:13:55 -08:00
Ying Li
6cf0643d7d Roll back an add key to the yubikey if we can't back it up. 
Signed-off-by: Ying Li <ying.li@docker.com>
Signed-off-by: David Lawrence <david.lawrence@docker.com>

Signed-off-by: Ying Li <ying.li@docker.com> (github: endophage)
 2015-11-12 01:13:46 -08:00
Ying Li
96bfaac05f Add tests for verifying signatures before returning a signature. 
Signed-off-by: Ying Li <ying.li@docker.com>
Signed-off-by: David Lawrence <david.lawrence@docker.com>

Signed-off-by: Ying Li <ying.li@docker.com> (github: endophage)
 2015-11-12 01:13:43 -08:00
Ying Li
4b7fefd5ef Do not clean up a session if there is no session. 
Signed-off-by: Ying Li <ying.li@docker.com>
Signed-off-by: David Lawrence <david.lawrence@docker.com>

Signed-off-by: Ying Li <ying.li@docker.com> (github: endophage)
 2015-11-12 01:13:35 -08:00
Ying Li
cee92fa363 Undo some changes from a bad stash pop that were unintentional. 
Signed-off-by: Ying Li <ying.li@docker.com>
Signed-off-by: David Lawrence <david.lawrence@docker.com>

Signed-off-by: Ying Li <ying.li@docker.com> (github: endophage)
 2015-11-12 01:13:32 -08:00
Ying Li
38a5b5a342 Add FindObjectsFinalize to getNextEmptySlot. 
Signed-off-by: Ying Li <ying.li@docker.com>
Signed-off-by: David Lawrence <david.lawrence@docker.com>

Signed-off-by: Ying Li <ying.li@docker.com> (github: endophage)
 2015-11-12 01:13:29 -08:00
Ying Li
10057562d8 Add fixes for Sign (do not continue if SignInit fails). 
Signed-off-by: Ying Li <ying.li@docker.com>
Signed-off-by: David Lawrence <david.lawrence@docker.com>

Signed-off-by: Ying Li <ying.li@docker.com> (github: endophage)
 2015-11-12 01:13:25 -08:00
Ying Li
73a26d59ac Inject errors into pkcs11 in order to test that the yubikey code cleans up. 
Signed-off-by: Ying Li <ying.li@docker.com>
Signed-off-by: David Lawrence <david.lawrence@docker.com>

Signed-off-by: Ying Li <ying.li@docker.com> (github: endophage)
 2015-11-12 01:13:22 -08:00
Ying Li
09c0f9d05b Replace the pkcs11 library with interfaces for easier testing. 
Signed-off-by: Ying Li <ying.li@docker.com>
Signed-off-by: David Lawrence <david.lawrence@docker.com>

Signed-off-by: Ying Li <ying.li@docker.com> (github: endophage)
 2015-11-12 01:13:17 -08:00
Ying Li
7108450a21 Add more unit tests for the YubiKeyStore. 
Including how it interacts with the backup key store, and with more
assertions against a new YubiKeyStore so that we won't get false
positives or negatives from the cache.

Signed-off-by: Ying Li <ying.li@docker.com>
Signed-off-by: David Lawrence <david.lawrence@docker.com>

Signed-off-by: Ying Li <ying.li@docker.com> (github: endophage)
 2015-11-12 01:13:14 -08:00
Diogo Mónica
b894d98392 Merge pull request #54 from docker/verify_hw_sigs 
add verification to yubikey signatures. Attempt to generate sig up to…

Signed-off-by: David Lawrence <david.lawrence@docker.com>

Signed-off-by: Diogo Mónica <diogo.monica@gmail.com> (github: endophage)
 2015-11-12 01:13:05 -08:00
David Lawrence
9b8645c39f add verification to yubikey signatures. Attempt to generate sig up to 5 times, fail if all 5 are invalid 
Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)
 2015-11-12 01:13:03 -08:00
David Lawrence
8628b57a96 private subdir should be added by keyfilestore, rather than all over the place 
Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)
 2015-11-12 01:12:57 -08:00
Diogo Monica
0344dfc038 Making tests pass 
Signed-off-by: Diogo Monica <diogo@docker.com>
Signed-off-by: David Lawrence <david.lawrence@docker.com>

Signed-off-by: Diogo Monica <diogo@docker.com> (github: endophage)
 2015-11-12 01:12:31 -08:00
David Lawrence
ee270b6a2b fixing integrations tests for new list keys layout 
Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)
 2015-11-12 01:12:21 -08:00
David Lawrence
5c064e204b fixing lint/vet 
Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)
 2015-11-12 01:12:21 -08:00
David Lawrence
6acc130e17 list shows where the key is stored 
Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)
 2015-11-12 01:12:20 -08:00
David Lawrence
8ffbf116cc only tell user to touch when mode is enabled 
Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)
 2015-11-12 01:12:17 -08:00
David Lawrence
b0354762d1 make touch to sign message configurable 
Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)
 2015-11-12 01:12:17 -08:00
David Lawrence
e0c5bb7b83 comment about token location ordering 
Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)
 2015-11-12 01:11:55 -08:00
David Lawrence
d2ca58bbf4 use the slots on the yubikey in the following order: 9c, 9e, 9d, 9a 
Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)
 2015-11-12 01:11:55 -08:00
Ying Li
397adb4291 Pad the ECDSA key that gets put into the Yubikey so it has 32 bytes. 
Apparently that is required by the template, and will error if it
does not. Sometimes, ECDSA keys are generated which when encoded
seems to only have 31 bytes.

Signed-off-by: Ying Li <ying.li@docker.com>
Signed-off-by: David Lawrence <david.lawrence@docker.com>

Signed-off-by: Ying Li <ying.li@docker.com> (github: endophage)
 2015-11-12 01:11:49 -08:00
Diogo Mónica
91b7d87a7b Merge pull request #39 from docker/fix-import 
Do not back up a root key that is imported into Yubikey.

Signed-off-by: David Lawrence <david.lawrence@docker.com>

Signed-off-by: Diogo Mónica <diogo.monica@gmail.com> (github: endophage)
 2015-11-12 01:11:46 -08:00
Ying Li
0280a82ae0 Do not back up a root key that is imported into Yubikey. 
Signed-off-by: Ying Li <ying.li@docker.com>
Signed-off-by: David Lawrence <david.lawrence@docker.com>

Signed-off-by: Ying Li <ying.li@docker.com> (github: endophage)
 2015-11-12 01:11:43 -08:00
Ying Li
9ae2c80309 Fix bug with finding new slots to put keys. 
Previously it was just overwritting one slot over and over.

Signed-off-by: Ying Li <ying.li@docker.com>
Signed-off-by: David Lawrence <david.lawrence@docker.com>

Signed-off-by: Ying Li <ying.li@docker.com> (github: endophage)
 2015-11-12 01:11:36 -08:00
Diogo Mónica
94b6269521 Merge pull request #38 from docker/fixing-alias-panic 
Fixed panic on listKeys with invalid keys, added tests

Signed-off-by: David Lawrence <david.lawrence@docker.com>

Signed-off-by: Diogo Mónica <diogo.monica@gmail.com> (github: endophage)
 2015-11-12 01:11:31 -08:00
Diogo Monica
baa92cefa3 Fixed panic on listKeys with invalid keys, added tests 
Signed-off-by: David Lawrence <david.lawrence@docker.com>

Signed-off-by: Diogo Monica <diogo@docker.com> (github: endophage)
 2015-11-12 01:11:27 -08:00
Ying Li
53114aabdc Add a test to test adding multiple keys to a yubikey. 
If there are existing keys on the Yubikey, the YubiKeyStore should add
a key to the next available slot.

Signed-off-by: Ying Li <ying.li@docker.com>
Signed-off-by: David Lawrence <david.lawrence@docker.com>

Signed-off-by: Ying Li <ying.li@docker.com> (github: endophage)
 2015-11-12 01:11:21 -08:00
Ying Li
c82802b800 Move ecdsa_hardware_crypto_service to trustmanager/yubikeystore 
Signed-off-by: Ying Li <ying.li@docker.com>
Signed-off-by: David Lawrence <david.lawrence@docker.com>

Signed-off-by: Ying Li <ying.li@docker.com> (github: endophage)
 2015-11-12 01:10:56 -08:00