From c9c91a3b425d18bec32ad2e23add5a836b5b552e Mon Sep 17 00:00:00 2001 From: Umayr Shahid Date: Wed, 19 Jul 2017 20:42:38 +0500 Subject: [PATCH] Add PKCS#8 support There are two modes in which notary can run with. For FIPS mode, that could be switched on by setting an environment variable `GOFIPS`, only PKCS#8 keys are supported, any other type of key will throw an error. In Non-FIPS mode, private encrypted keys are supported as well, however all new keys that get generated, will be PKCS#8. Signed-off-by: Umayr Shahid --- client/backwards_compatibility_test.go | 6 ++ cmd/notary/integration_test.go | 40 ++++----- cmd/notary/keys.go | 2 +- cryptoservice/crypto_service.go | 14 +-- fixtures/notary-server.key | 56 ++++++------ fixtures/notary-signer.key | 56 ++++++------ fixtures/secure.example.com.key | 56 ++++++------ trustmanager/keystore.go | 23 +++-- trustmanager/keystore_test.go | 113 ++++++++++--------------- utils/keys.go | 2 +- utils/keys_test.go | 6 +- 11 files changed, 179 insertions(+), 195 deletions(-) diff --git a/client/backwards_compatibility_test.go b/client/backwards_compatibility_test.go index c825200cf..edbc247bf 100644 --- a/client/backwards_compatibility_test.go +++ b/client/backwards_compatibility_test.go @@ -176,6 +176,9 @@ func Test0Dot3Migration(t *testing.T) { // We can read and publish from notary0.1 repos func Test0Dot1RepoFormat(t *testing.T) { + if notary.FIPSEnabled() { + t.Skip("skip backward compatibility test in FIPS mode") + } // make a temporary directory and copy the fixture into it, since updating // and publishing will modify the files tmpDir, err := ioutil.TempDir("", "notary-backwards-compat-test") 
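Review bot: Skipping Test0Dot1RepoFormat when `notary.FIPSEnabled()` is true removes the only coverage of the behaviour the commit message promises for FIPS mode — that a non-PKCS#8 key "will throw an error" — so a regression that silently accepts a legacy key under FIPS would go unnoticed. Instead of `t.Skip`, the FIPS branch could copy the same fixture and `require.Error` on the step that has to load the legacy key (presumably the publish), so the rejection is asserted rather than untested. The same applies to the Test0Dot3RepoFormat skip in the next hunk and to TestGetLegacyKey in trustmanager/keystore_test.go. The function body continues past the end of the hunk.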
@@ -236,6 +239,9 @@ func Test0Dot1RepoFormat(t *testing.T) { // We can read and publish from notary0.3 repos func Test0Dot3RepoFormat(t *testing.T) { + if notary.FIPSEnabled() { + t.Skip("skip backward compatibility test in FIPS mode") + } // make a temporary directory and copy the fixture into it, since updating // and publishing will modify the files tmpDir, err := ioutil.TempDir("", "notary-backwards-compat-test") diff --git a/cmd/notary/integration_test.go b/cmd/notary/integration_test.go index 21ad0d317..1b7be7fa3 100644 --- a/cmd/notary/integration_test.go +++ b/cmd/notary/integration_test.go @@ -111,7 +111,7 @@ func TestInitWithRootKey(t *testing.T) { require.NoError(t, err) // if the key has a root role, AddKey sets the gun to "" so we have done the same here - encryptedPEMPrivKey, err := utils.EncryptPrivateKey(privKey, data.CanonicalRootRole, "", testPassphrase) + encryptedPEMPrivKey, err := utils.ConvertPrivateKeyToPKCS8(privKey, data.CanonicalRootRole, "", testPassphrase) require.NoError(t, err) encryptedPEMKeyFilename := filepath.Join(tempDir, "encrypted_key.key") err = ioutil.WriteFile(encryptedPEMKeyFilename, encryptedPEMPrivKey, 0644) @@ -146,7 +146,7 @@ func TestInitWithRootKey(t *testing.T) { // check error if unencrypted PEM used unencryptedPrivKey, err := utils.GenerateECDSAKey(rand.Reader) require.NoError(t, err) - unencryptedPEMPrivKey, err := utils.KeyToPEM(unencryptedPrivKey, data.CanonicalRootRole, "") + unencryptedPEMPrivKey, err := utils.ConvertPrivateKeyToPKCS8(unencryptedPrivKey, data.CanonicalRootRole, "", "") require.NoError(t, err) unencryptedPEMKeyFilename := filepath.Join(tempDir, "unencrypted_key.key") err = ioutil.WriteFile(unencryptedPEMKeyFilename, unencryptedPEMPrivKey, 0644) 
@@ -161,7 +161,7 @@ func TestInitWithRootKey(t *testing.T) { require.NoError(t, err) // Blank gun name since it is a root key - badPassPEMPrivKey, err := utils.EncryptPrivateKey(badPassPrivKey, data.CanonicalRootRole, "", "bad_pass") + badPassPEMPrivKey, err := utils.ConvertPrivateKeyToPKCS8(badPassPrivKey, data.CanonicalRootRole, "", "bad_pass") require.NoError(t, err) badPassPEMKeyFilename := filepath.Join(tempDir, "badpass_key.key") err = ioutil.WriteFile(badPassPEMKeyFilename, badPassPEMPrivKey, 0644) @@ -173,7 +173,7 @@ func TestInitWithRootKey(t *testing.T) { // check error if wrong role specified snapshotPrivKey, err := utils.GenerateECDSAKey(rand.Reader) require.NoError(t, err) - snapshotPEMPrivKey, err := utils.KeyToPEM(snapshotPrivKey, data.CanonicalSnapshotRole, "gun2") + snapshotPEMPrivKey, err := utils.ConvertPrivateKeyToPKCS8(snapshotPrivKey, data.CanonicalSnapshotRole, "gun2", "") require.NoError(t, err) snapshotPEMKeyFilename := filepath.Join(tempDir, "snapshot_key.key") err = ioutil.WriteFile(snapshotPEMKeyFilename, snapshotPEMPrivKey, 0644) @@ -1150,9 +1150,9 @@ func TestClientDelegationsPublishing(t *testing.T) { tempFile.Close() defer os.Remove(tempFile.Name()) - privKeyBytesNoRole, err := utils.KeyToPEM(privKey, "", "") + privKeyBytesNoRole, err := utils.ConvertPrivateKeyToPKCS8(privKey, "", "", "") require.NoError(t, err) - privKeyBytesWithRole, err := utils.KeyToPEM(privKey, "user", "") + privKeyBytesWithRole, err := utils.ConvertPrivateKeyToPKCS8(privKey, "user", "", "") require.NoError(t, err) // Set up targets for publishing 
@@ -1582,7 +1582,7 @@ func TestKeyRotation(t *testing.T) { // create encrypted root keys rootPrivKey1, err := utils.GenerateECDSAKey(rand.Reader) require.NoError(t, err) - encryptedPEMPrivKey1, err := utils.EncryptPrivateKey(rootPrivKey1, data.CanonicalRootRole, "", testPassphrase) + encryptedPEMPrivKey1, err := utils.ConvertPrivateKeyToPKCS8(rootPrivKey1, data.CanonicalRootRole, "", testPassphrase) require.NoError(t, err) encryptedPEMKeyFilename1 := filepath.Join(tempDir, "encrypted_key.key") err = ioutil.WriteFile(encryptedPEMKeyFilename1, encryptedPEMPrivKey1, 0644) @@ -1590,7 +1590,7 @@ func TestKeyRotation(t *testing.T) { rootPrivKey2, err := utils.GenerateECDSAKey(rand.Reader) require.NoError(t, err) - encryptedPEMPrivKey2, err := utils.EncryptPrivateKey(rootPrivKey2, data.CanonicalRootRole, "", testPassphrase) + encryptedPEMPrivKey2, err := utils.ConvertPrivateKeyToPKCS8(rootPrivKey2, data.CanonicalRootRole, "", testPassphrase) require.NoError(t, err) encryptedPEMKeyFilename2 := filepath.Join(tempDir, "encrypted_key2.key") err = ioutil.WriteFile(encryptedPEMKeyFilename2, encryptedPEMPrivKey2, 0644) @@ -1663,7 +1663,7 @@ func TestKeyRotationNonRoot(t *testing.T) { privKey, err := utils.GenerateECDSAKey(rand.Reader) require.NoError(t, err) - pemBytes, err := utils.EncryptPrivateKey(privKey, data.CanonicalTargetsRole, "", testPassphrase) + pemBytes, err := utils.ConvertPrivateKeyToPKCS8(privKey, data.CanonicalTargetsRole, "", testPassphrase) require.NoError(t, err) nBytes, err := tempFile.Write(pemBytes) @@ -1678,7 +1678,7 @@ func TestKeyRotationNonRoot(t *testing.T) { privKey2, err := utils.GenerateECDSAKey(rand.Reader) require.NoError(t, err) - pemBytes2, err := utils.KeyToPEM(privKey2, data.CanonicalTargetsRole, "") + pemBytes2, err := utils.ConvertPrivateKeyToPKCS8(privKey2, data.CanonicalTargetsRole, "", "") require.NoError(t, err) nBytes2, err := tempFile2.Write(pemBytes2) 
@@ -2506,7 +2506,7 @@ func TestClientKeyImport(t *testing.T) { privKey, err := utils.GenerateECDSAKey(rand.Reader) require.NoError(t, err) - pemBytes, err := utils.EncryptPrivateKey(privKey, data.CanonicalRootRole, "", "") + pemBytes, err := utils.ConvertPrivateKeyToPKCS8(privKey, data.CanonicalRootRole, "", "") require.NoError(t, err) nBytes, err := tempFile.Write(pemBytes) @@ -2534,7 +2534,7 @@ func TestClientKeyImport(t *testing.T) { privKey, err = utils.GenerateECDSAKey(rand.Reader) require.NoError(t, err) - pemBytes, err = utils.EncryptPrivateKey(privKey, "", "", "") + pemBytes, err = utils.ConvertPrivateKeyToPKCS8(privKey, "", "", "") require.NoError(t, err) nBytes, err = tempFile2.Write(pemBytes) @@ -2560,7 +2560,7 @@ func TestClientKeyImport(t *testing.T) { privKey, err = utils.GenerateECDSAKey(rand.Reader) require.NoError(t, err) - pemBytes, err = utils.EncryptPrivateKey(privKey, "", "", "") + pemBytes, err = utils.ConvertPrivateKeyToPKCS8(privKey, "", "", "") require.NoError(t, err) nBytes, err = tempFile3.Write(pemBytes) @@ -2590,7 +2590,7 @@ func TestClientKeyImport(t *testing.T) { privKey, err = utils.GenerateECDSAKey(rand.Reader) require.NoError(t, err) - pemBytes, err = utils.EncryptPrivateKey(privKey, "", "", "") + pemBytes, err = utils.ConvertPrivateKeyToPKCS8(privKey, "", "", "") require.NoError(t, err) nBytes, err = tempFile4.Write(pemBytes) @@ -2621,7 +2621,7 @@ func TestClientKeyImport(t *testing.T) { privKey, err = utils.GenerateECDSAKey(rand.Reader) require.NoError(t, err) - pemBytes, err = utils.EncryptPrivateKey(privKey, "", "", "") + pemBytes, err = utils.ConvertPrivateKeyToPKCS8(privKey, "", "", "") require.NoError(t, err) nBytes, err = tempFile5.Write(pemBytes) 
@@ -2652,7 +2652,7 @@ func TestClientKeyImport(t *testing.T) { privKey, err = utils.GenerateECDSAKey(rand.Reader) require.NoError(t, err) - pemBytes, err = utils.EncryptPrivateKey(privKey, data.CanonicalRootRole, "", testPassphrase) + pemBytes, err = utils.ConvertPrivateKeyToPKCS8(privKey, data.CanonicalRootRole, "", testPassphrase) require.NoError(t, err) nBytes, err = tempFile6.Write(pemBytes) @@ -2678,7 +2678,7 @@ func TestClientKeyImport(t *testing.T) { privKey, err = utils.GenerateECDSAKey(rand.Reader) require.NoError(t, err) - pemBytes, err = utils.EncryptPrivateKey(privKey, "", "", "") + pemBytes, err = utils.ConvertPrivateKeyToPKCS8(privKey, "", "", "") require.NoError(t, err) nBytes, err = tempFile7.Write(pemBytes) @@ -2708,7 +2708,7 @@ func TestClientKeyImport(t *testing.T) { privKey, err = utils.GenerateECDSAKey(rand.Reader) require.NoError(t, err) - pemBytes, err = utils.EncryptPrivateKey(privKey, data.CanonicalSnapshotRole, "", "") + pemBytes, err = utils.ConvertPrivateKeyToPKCS8(privKey, data.CanonicalSnapshotRole, "", "") require.NoError(t, err) nBytes, err = tempFile8.Write(pemBytes) @@ -2752,7 +2752,7 @@ func TestAddDelImportKeyPublishFlow(t *testing.T) { keyFile, err := ioutil.TempFile("", "pemfile") require.NoError(t, err) defer os.Remove(keyFile.Name()) - pemBytes, err := utils.EncryptPrivateKey(privKey, "", "", "") + pemBytes, err := utils.ConvertPrivateKeyToPKCS8(privKey, "", "", "") require.NoError(t, err) nBytes, err := keyFile.Write(pemBytes) require.NoError(t, err) @@ -3005,7 +3005,7 @@ func TestDelegationKeyImportExport(t *testing.T) { defer os.Remove(keyFile.Name()) privKey, err := utils.GenerateRSAKey(rand.Reader, 2048) require.NoError(t, err) - pemBytes, err := utils.EncryptPrivateKey(privKey, "", "", "") + pemBytes, err := utils.ConvertPrivateKeyToPKCS8(privKey, "", "", "") require.NoError(t, err) nBytes, err := keyFile.Write(pemBytes) require.NoError(t, err) 
diff --git a/cmd/notary/keys.go b/cmd/notary/keys.go index ea192bf5c..452f4a066 100644 --- a/cmd/notary/keys.go +++ b/cmd/notary/keys.go @@ -260,7 +260,7 @@ func generateKeyToFile(role, algorithm string, retriever notary.PassRetriever, o } if chosenPassphrase != "" { - pemPrivKey, err = tufutils.EncryptPrivateKey(privKey, data.RoleName(role), "", chosenPassphrase) + pemPrivKey, err = tufutils.ConvertPrivateKeyToPKCS8(privKey, data.RoleName(role), "", chosenPassphrase) if err != nil { return err } diff --git a/cryptoservice/crypto_service.go b/cryptoservice/crypto_service.go index 9cafb2816..ccff16ec6 100644 --- a/cryptoservice/crypto_service.go +++ b/cryptoservice/crypto_service.go @@ -1,12 +1,13 @@ package cryptoservice import ( - "fmt" - "crypto/x509" "encoding/pem" "errors" + "fmt" + "github.com/Sirupsen/logrus" + "github.com/docker/notary" "github.com/docker/notary/trustmanager" "github.com/docker/notary/tuf/data" "github.com/docker/notary/tuf/utils" @@ -143,9 +144,12 @@ func CheckRootKeyIsEncrypted(pemBytes []byte) error { return ErrNoValidPrivateKey } - if !x509.IsEncryptedPEMBlock(block) { - return ErrRootKeyNotEncrypted + if block.Type == "ENCRYPTED PRIVATE KEY" { + return nil + } + if !notary.FIPSEnabled() && x509.IsEncryptedPEMBlock(block) { + return nil } - return nil + return ErrRootKeyNotEncrypted } diff --git a/fixtures/notary-server.key b/fixtures/notary-server.key index cd19c4be5..871d41f64 100644 --- a/fixtures/notary-server.key +++ b/fixtures/notary-server.key 
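Review bot: generateKeyToFile still gates the new call on `if chosenPassphrase != "" {`, whereas AddKey in trustmanager/keystore.go is collapsed in this same change to an unconditional `utils.ConvertPrivateKeyToPKCS8(privKey, keyInfo.Role, keyInfo.Gun, chosenPassphrase)`, and the tests call the converter with an empty passphrase to obtain an unencrypted PKCS#8 block. If the branch that follows this hunk still goes through tufutils.KeyToPEM, keys exported without a passphrase keep the legacy `EC/RSA PRIVATE KEY` encoding, which contradicts "all new keys will be PKCS#8" and would be unreadable in FIPS mode. Consider replacing the conditional with the single `pemPrivKey, err = tufutils.ConvertPrivateKeyToPKCS8(privKey, data.RoleName(role), "", chosenPassphrase)`. The rest of generateKeyToFile is outside the hunk.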
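Review bot: The PKCS#8 branch of CheckRootKeyIsEncrypted accepts a block on the strength of its PEM label alone — `if block.Type == "ENCRYPTED PRIVATE KEY" { return nil }` — so a plaintext PKCS#8 root key whose header has merely been relabelled passes the "root key is encrypted" check, while the legacy branch at least inspects the Proc-Type header through x509.IsEncryptedPEMBlock. Since this change already has a PKCS#8 parser that takes a passphrase (ParsePKCS8ToTufKey is used in the keystore tests), the check would be stronger if it decoded block.Bytes and confirmed it is an EncryptedPrivateKeyInfo rather than a plain PrivateKeyInfo, assuming that parser can tell the two apart. The literal "ENCRYPTED PRIVATE KEY" also appears in the tests and presumably in the converter, so a package-level constant would keep the label in one place. The start of the function is outside the hunk.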
@@ -1,28 +1,28 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEogIBAAKCAQEAqNt5+U61Ws6/Qg54kYp+LkscfcOLQ7aeVm7wAhNIlsNk9Jeh -hz5ymumgRZidxsUULcL3jPnEFbm9wCoyEuznSaXkAOXzq6ZwuXYL+Zfw25meUh68 -wJvSYGJq8O1I9XcnkOo6T62uAoRez2DiHKHk6eHljkic87WUMn7ZwS1UYEyGF119 -ZFWVX1lRbE9hUJO3ovRsP1J7JclUHR2cWGvfEgJrKEOWGW9yNdU5NSx7Akuj8vae -rS973clvayYqKjbtkYTv1sIaokrbXf8U2p8CUZQ+SFhN9glNyCOFLWmWa2A3opkX -pFVe86sIEwQMzbJmrWYQ9aOhPS2fQyRYSsMA1wIDAQABAoIBAG6mtD1dCJajGM3u -sa+d86XebqMzOtV6nDPDqt+RR2YUUNm/a4g2sd817WLt6aZRizGZq6LkIUyjVObS -P9ILEF1AqjK0fYMkJIZEBwDeQmWFOyxRHBuTgL7Mf4u10rOYC4N5GhEQnRDlMUPw -FvvwUxO4hjdA+ijx+lVErulaDQq0yj5mL4LWu4cHm576OufzgHOIp6fQtfRVJIXD -W2ginblgYFLd+PPiM1RMPR/Pj63VWXWBn1VwLAxWN889E4VG2medl0taQgkNQ3/W -0J04KiTXPrtcUBy2AGoHikvN7gG7Up2IwRRbsXkUdhQNZ/HnIQlkFfteiqqt9VNR -Nsi31nECgYEA0qE+96TvYf8jeZsqrl8YQAvjXWrNA05eKZlT6cm6XpyXq22v9Cgn -2KXEhRwHZF2dQ2C+1PvboeTUbpdPX1nY2shY59L7+t68F/jxotcjx0yL+ZC742Fy -bWsc8Us0Ir2DD5g/+0F+LRLFJKSfJPdLzEkvwuYnlm6RcFlbxIxW6h0CgYEAzTrE -6ulEhN0fKeJY/UaK/8GlLllXc2Z5t7mRicN1s782l5qi0n1R57VJw/Ezx4JN1mcQ -4axe9zzjAA5JfSDfyTyNedP1KOmCaKmBqGa9JppxGcVQpMDg8+QvYnJ8o5JXEXSE -TOnpY4RTEA1RGnA5KbbJ7R1MiHUGXC9nizVHxIMCgYB8cu1DYN5XpmoNddK4CFPJ -s7x4+5t6MpmMNp3P6nMFZ7xte3eU6QzyAq+kfjUX5f//SXA3Y0AX3Z5uYVRyYCGy -0uFEx/I9/dBg0aPjtP3cyauCnzOEW5VCdSE6qFZ7mEGRu0FCcSXd99MnnWSycLMG -Vs+zdk05osan/QQtk0XfOQKBgDfkIWy4SmjEr5AAjKutYn10hz+wJRjQd6WJbBFQ -oeVp1bxD6MPaTUwFGym5rphO7FPPjdFn2BUNB+Uj/u+M3GU5kG31Q3b44QMP5reu -AyVYOiUCj4vO23SQWDc/ZqJFYGDokn8/1Me9acGdXtEMbwTlOujQad9fv3OrlU9c -G0dxAoGAHcntflD6UvQ5/PYOirNJL1GhSspF7u72NrsYjaoZls83uIqucJiB5hMH -Ovq1TJbl0DwDBOyMmt5gZraPQB0P5/5GvnxqGlIAKIwi2VuQ2XHpSBE8Pg5Pveb8 -sgFLFnwL5+JyqOP65AV3Eh5b4BJc6kqKz4gVmKLBQeo6lE13sNs= ------END RSA PRIVATE KEY----- - +-----BEGIN PRIVATE KEY----- +MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCo23n5TrVazr9C +DniRin4uSxx9w4tDtp5WbvACE0iWw2T0l6GHPnKa6aBFmJ3GxRQtwveM+cQVub3A +KjIS7OdJpeQA5fOrpnC5dgv5l/DbmZ5SHrzAm9JgYmrw7Uj1dyeQ6jpPra4ChF7P 
+YOIcoeTp4eWOSJzztZQyftnBLVRgTIYXXX1kVZVfWVFsT2FQk7ei9Gw/UnslyVQd +HZxYa98SAmsoQ5YZb3I11Tk1LHsCS6Py9p6tL3vdyW9rJioqNu2RhO/WwhqiSttd +/xTanwJRlD5IWE32CU3II4UtaZZrYDeimRekVV7zqwgTBAzNsmatZhD1o6E9LZ9D +JFhKwwDXAgMBAAECggEAbqa0PV0IlqMYze6xr53zpd5uozM61XqcM8Oq35FHZhRQ +2b9riDax3zXtYu3pplGLMZmrouQhTKNU5tI/0gsQXUCqMrR9gyQkhkQHAN5CZYU7 +LFEcG5OAvsx/i7XSs5gLg3kaERCdEOUxQ/AW+/BTE7iGN0D6KPH6VUSu6VoNCrTK +PmYvgta7hwebnvo65/OAc4inp9C19FUkhcNbaCKduWBgUt348+IzVEw9H8+PrdVZ +dYGfVXAsDFY3zz0ThUbaZ52XS1pCCQ1Df9bQnTgqJNc+u1xQHLYAageKS83uAbtS +nYjBFFuxeRR2FA1n8echCWQV+16Kqq31U1E2yLfWcQKBgQDSoT73pO9h/yN5myqu +XxhAC+Ndas0DTl4pmVPpybpenJerba/0KCfYpcSFHAdkXZ1DYL7U+9uh5NRul09f +WdjayFjn0vv63rwX+PGi1yPHTIv5kLvjYXJtaxzxSzQivYMPmD/7QX4tEsUkpJ8k +90vMSS/C5ieWbpFwWVvEjFbqHQKBgQDNOsTq6USE3R8p4lj9Ror/waUuWVdzZnm3 +uZGJw3WzvzaXmqLSfVHntUnD8TPHgk3WZxDhrF73POMADkl9IN/JPI150/Uo6YJo +qYGoZr0mmnEZxVCkwODz5C9icnyjklcRdIRM6eljhFMQDVEacDkptsntHUyIdQZc +L2eLNUfEgwKBgHxy7UNg3lemag110rgIU8mzvHj7m3oymYw2nc/qcwVnvG17d5Tp +DPICr6R+NRfl//9JcDdjQBfdnm5hVHJgIbLS4UTH8j390GDRo+O0/dzJq4KfM4Rb +lUJ1ITqoVnuYQZG7QUJxJd330yedZLJwswZWz7N2TTmixqf9BC2TRd85AoGAN+Qh +bLhKaMSvkACMq61ifXSHP7AlGNB3pYlsEVCh5WnVvEPow9pNTAUbKbmumE7sU8+N +0WfYFQ0H5SP+74zcZTmQbfVDdvjhAw/mt64DJVg6JQKPi87bdJBYNz9mokVgYOiS +fz/Ux71pwZ1e0QxvBOU66NBp31+/c6uVT1wbR3ECgYAdye1+UPpS9Dn89g6Ks0kv +UaFKykXu7vY2uxiNqhmWzze4iq5wmIHmEwc6+rVMluXQPAME7Iya3mBmto9AHQ/n +/ka+fGoaUgAojCLZW5DZcelIETw+Dk+95vyyAUsWfAvn4nKo4/rkBXcSHlvgElzq +SorPiBWYosFB6jqUTXew2w== +-----END PRIVATE KEY----- diff --git a/fixtures/notary-signer.key b/fixtures/notary-signer.key index 2db6e2ce9..eec675f42 100644 --- a/fixtures/notary-signer.key +++ b/fixtures/notary-signer.key 
@@ -1,28 +1,28 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEowIBAAKCAQEA2E7z4r3FPoz11AL3QfGzpuZNdZDMTmhXaQt5Uqo6PAC8a3rA -ETZckIBtNLcU5Eg7Kg5VANUK/Y+TaVlcZapKsfxJja6aNEkiE8OKo31Xkz+ByYyb -YRSDCanaXhuwOTUxDoZJu53mSNgZlyn25fEBU7y18tUtAXuiEliqJ7Ek359mRDLF -OBKqsjsworWlS8Zf99roRfOkrDFNA8leIb9lBbQ+f6B2vP78J/Q9xXJX8aFzZFH5 -aMrOqoCINQmgS0qb/FBVFxI9tqBUsJ7QpmvtWa0NacexS/1kH0FE2UiVFUM6FUMI -Jwy7/MS1zG4fyNrt9p+LnE23q8IGYe4JdC1NSwIDAQABAoIBAHykYhyRxYrZpv3Y -B6pUIHVX1+Ka4V98+IFrPynHNW9F7UzxmqNQc95AYq0xojQ4+v6s64ZjPMYHaaYW -/AsJKamN+sRNjEX8rko9LzIuE7yhp6QABbjXHPsAiPgZdF5CrFX2Q558yinHfFeC -sualDWK3JxEajaiBGU8BEGt2xAymuWACGblrM1aAEZa8B84TW3CzzcdyzAkn8P3e -piJCe+DWMc33441r0KlV5GruwF9ewXiWzZtXAOiP/0xEDICFdlFWbO39myMpxDdU -Y0uZ+zmn2G3gz2tz25thH0Wl7mDQ3AA0VlHurgPBBEekeZPQmjiKW+F4slCzXvuy -kW/urIECgYEA/LhY+OWlZVXzIEly7z1/cU9/WImqTs2uRKDeQHMwZrd7D9BXkJuQ -jPN+jZlMYBBrxoaCywbMrgB80Z3MgGHaSx9OIDEZmaxyuQv0zQJCMogysYkbCcaD -mHYnyAf7OXa708Z168WAisEhrwa/DXBn3/hPoBkrbMsuPF/J+tEP7lsCgYEA2x2g -86SitgPVeNV3iuZ6D/SV0QIbDWOYoST2GQn2LnfALIOrzpXRClOSQZ2pGtg9gYo1 -owUyyOSv2Fke93p3ufHv3Gqvjl55lzBVV0siHkEXwHcol36DDGQcskVnXJqaL3IF -tiOisuJS9A7PW7gEi0miyGzzB/kh/IEWHKqLL9ECgYEAoBOFB+MuqMmQftsHWlLx -7qwUVdidb90IjZ/4J4rPFcESyimFzas8HIv/lWGM5yx/l/iL0F42N+FHLt9tMcTJ -qNvjeLChLp307RGNtm2/0JJEyf+2iLKdmGz/Nc0YbIWw46vJ9dXcXgeHdn4ndjPF -GDEI/rfysa7hUoy6O41BMhECgYBPJsLPgHdufLAOeD44pM0PGnFMERCoo4OtImbr -4JdXbdazvdTASYo7yriYj1VY5yhAtSZu/x+7RjDnXDo9d7XsK6NT4g4Mxb/yh3ks -kW1/tE/aLLEzGHZKcZeUJlISN57e6Ld7dh/9spf4pajuHuk1T6JH+GNKTAqk5hSQ -wmKJIQKBgCGBWGvJrCeT5X9oHdrlHj2YoKvIIG1eibagcjcKemD7sWzi7Q4P7JIo -xeX8K1WVxdBpo4/RiQcGFmwSmSUKwwr1dO00xtjxIl7ip4DU+WAM7CdmcOIOMbr4 -rP9T/wy1ZBkERCIw2ElybTzB8yuOlNLuOMhUeU55xUMFNYYrWEp2 ------END RSA PRIVATE KEY----- - +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDYTvPivcU+jPXU +AvdB8bOm5k11kMxOaFdpC3lSqjo8ALxresARNlyQgG00txTkSDsqDlUA1Qr9j5Np +WVxlqkqx/EmNrpo0SSITw4qjfVeTP4HJjJthFIMJqdpeG7A5NTEOhkm7neZI2BmX 
+Kfbl8QFTvLXy1S0Be6ISWKonsSTfn2ZEMsU4EqqyOzCitaVLxl/32uhF86SsMU0D +yV4hv2UFtD5/oHa8/vwn9D3FclfxoXNkUfloys6qgIg1CaBLSpv8UFUXEj22oFSw +ntCma+1ZrQ1px7FL/WQfQUTZSJUVQzoVQwgnDLv8xLXMbh/I2u32n4ucTberwgZh +7gl0LU1LAgMBAAECggEAfKRiHJHFitmm/dgHqlQgdVfX4prhX3z4gWs/Kcc1b0Xt +TPGao1Bz3kBirTGiNDj6/qzrhmM8xgdpphb8CwkpqY36xE2MRfyuSj0vMi4TvKGn +pAAFuNcc+wCI+Bl0XkKsVfZDnnzKKcd8V4Ky5qUNYrcnERqNqIEZTwEQa3bEDKa5 +YAIZuWszVoARlrwHzhNbcLPNx3LMCSfw/d6mIkJ74NYxzffjjWvQqVXkau7AX17B +eJbNm1cA6I//TEQMgIV2UVZs7f2bIynEN1RjS5n7OafYbeDPa3Pbm2EfRaXuYNDc +ADRWUe6uA8EER6R5k9CaOIpb4XiyULNe+7KRb+6sgQKBgQD8uFj45aVlVfMgSXLv +PX9xT39YiapOza5EoN5AczBmt3sP0FeQm5CM836NmUxgEGvGhoLLBsyuAHzRncyA +YdpLH04gMRmZrHK5C/TNAkIyiDKxiRsJxoOYdifIB/s5drvTxnXrxYCKwSGvBr8N +cGff+E+gGStsyy48X8n60Q/uWwKBgQDbHaDzpKK2A9V41XeK5noP9JXRAhsNY5ih +JPYZCfYud8Asg6vOldEKU5JBnaka2D2BijWjBTLI5K/YWR73ene58e/caq+OXnmX +MFVXSyIeQRfAdyiXfoMMZByyRWdcmpovcgW2I6Ky4lL0Ds9buASLSaLIbPMH+SH8 +gRYcqosv0QKBgQCgE4UH4y6oyZB+2wdaUvHurBRV2J1v3QiNn/gnis8VwRLKKYXN +qzwci/+VYYznLH+X+IvQXjY34Ucu320xxMmo2+N4sKEunfTtEY22bb/QkkTJ/7aI +sp2YbP81zRhshbDjq8n11dxeB4d2fid2M8UYMQj+t/KxruFSjLo7jUEyEQKBgE8m +ws+Ad258sA54PjikzQ8acUwREKijg60iZuvgl1dt1rO91MBJijvKuJiPVVjnKEC1 +Jm7/H7tGMOdcOj13tewro1PiDgzFv/KHeSyRbX+0T9ossTMYdkpxl5QmUhI3nt7o +t3t2H/2yl/ilqO4e6TVPokf4Y0pMCqTmFJDCYokhAoGAIYFYa8msJ5Plf2gd2uUe +PZigq8ggbV6JtqByNwp6YPuxbOLtDg/skijF5fwrVZXF0Gmjj9GJBwYWbBKZJQrD +CvV07TTG2PEiXuKngNT5YAzsJ2Zw4g4xuvis/1P/DLVkGQREIjDYSXJtPMHzK46U +0u44yFR5TnnFQwU1hitYSnY= +-----END PRIVATE KEY----- diff --git a/fixtures/secure.example.com.key b/fixtures/secure.example.com.key index 345f7fede..f35b10bb0 100644 --- a/fixtures/secure.example.com.key +++ b/fixtures/secure.example.com.key 
@@ -1,28 +1,28 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEowIBAAKCAQEAmLYiYCTAWJBWAuxZLqVmV4FiUdGgEqoQvCbN73zF/mQfhq0C -ITo6xSxs1QiGDOzUtkpzXzziSj4J5+et4JkFleeEKaMcHadeIsSlHGvVtXDv93oR -3ydmfZO+ULRU8xHloqcLr1KrOP1daLfdMRbactd75UQgvw9XTsdeMVX5AlicSENV -KV+AQXvVpv8PT10MSvlBFam4reXuY/SkeMbIaW5pFu6AQv3Zmftt2ta0CB9kb1mY -d+OKru8Hnnq5aJw6R3GhP0TBd25P1PkiSxM2KGYZZk0W/NZqLK9/LTFKTNCv7VjC -bysVo7HxCY0bQe/bDP82v7SnLtb3aZogfva4HQIDAQABAoIBAQCLPj+X5MrRtkIH -BlTHGJ95mIr6yaYofpMlzEgoX1/1dnvcg/IWNA8UbE6L7Oq17FiEItyR8WTwhyLn -JrO/wCd8qQ40HPrs+wf1sdJPWPATMfhMcizLihSE2mtFETkILcByD9iyszFWlIdQ -jZ4NPaZP4rWgtf8Z1zYnqdf0Kk0T2imFya0qyoRLo40kxeb4p5K53JD7rPLQNyvO -YeFXTuKxBrFEMs6/wFjl+TO4nfHQXQlgQp4MNd9L5fEQBj+TvGVX+zcQEmzxljK8 -zFNXyxvXgjBPD+0V7yRhTYjrUfZJ4RX1yKDpdsva6BXL7t9hNEg/aGnKRDYF3i5q -WQz8csCBAoGBAMfdtAr3RCuCxe0TIVBon5wubau6HLOxorcXSvxO5PO2kzhy3+GY -xcCMJ+Wo0dTFXjQD3oxRKuDrPRK7AX/grYn7qJo6W7SM9xYEq3HspJJFGkcRsvem -MALt8bvG5NkGmLJD+pTOKVaTZRjW3BM6GcMzBgsLynQcLllRtNI8Hcw9AoGBAMOa -CMsWQfoOUjUffrXN0UnXLEPEeazPobnCHVtE244FdX/BFu5WMA7qqaPRyvnfK0Vl -vF5sGNiBCOnq1zjYee6FD2eyAzVmWJXM1DB4Ewp4ZaABS0ZCZgNfyd1badY4IZpw -pjYEQprguw+J8yZItNJRo+WBmnSgZy6o1bpDaflhAoGAYf61GS9VkFPlQbFAg1FY -+NXW1f1Bt2VgV48nKAByx3/8PRAt70ndo+PUaAlXIJDI+I3xHzFo6bDNWBKy0IVT -8TSf3UbB0gvP1k7h1NDnfAQ/txrZeg1Uuwr5nE0Pxc0zLyyffzh6EkXgqsYmT5MM -MKYiz2WvlTCAFTE3jGEHZy0CgYBti/cgxnZs9VhVKC5u47YzBK9lxMPgZOjOgEiw -tP/Bqo0D38BX+y0vLX2UogprpvE1DKVSvHetyZaUa1HeJF8llp/qE2h4n7k9LFoq -SxVe588CrbbawpUfjqYfsvKzZvxq4mw0FG65DuO08C2dY1rh75c7EjrO1obzOtt4 -VgkkAQKBgDnRyLnzlMfvjCyW9+cHbURQNe2iupfnlrXWEntg56USBVrFtfRQxDRp -fBtlq+0BNfDVdoVNasTCBW16UKoRBH1/k5idz5QPEbKY2055sNxHMVg0uzdb4HXr -73uaYzNrT8P7wyHFF3UL5bd0aO5DT1VYvGlHHgOhCyqcM+RBgPBS ------END RSA PRIVATE KEY----- - +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCYtiJgJMBYkFYC +7FkupWZXgWJR0aASqhC8Js3vfMX+ZB+GrQIhOjrFLGzVCIYM7NS2SnNfPOJKPgnn +563gmQWV54Qpoxwdp14ixKUca9W1cO/3ehHfJ2Z9k75QtFTzEeWipwuvUqs4/V1o 
+t90xFtpy13vlRCC/D1dOx14xVfkCWJxIQ1UpX4BBe9Wm/w9PXQxK+UEVqbit5e5j +9KR4xshpbmkW7oBC/dmZ+23a1rQIH2RvWZh344qu7weeerlonDpHcaE/RMF3bk/U ++SJLEzYoZhlmTRb81mosr38tMUpM0K/tWMJvKxWjsfEJjRtB79sM/za/tKcu1vdp +miB+9rgdAgMBAAECggEBAIs+P5fkytG2QgcGVMcYn3mYivrJpih+kyXMSChfX/V2 +e9yD8hY0DxRsTovs6rXsWIQi3JHxZPCHIucms7/AJ3ypDjQc+uz7B/Wx0k9Y8BMx ++ExyLMuKFITaa0UROQgtwHIP2LKzMVaUh1CNng09pk/itaC1/xnXNiep1/QqTRPa +KYXJrSrKhEujjSTF5vinkrnckPus8tA3K85h4VdO4rEGsUQyzr/AWOX5M7id8dBd +CWBCngw130vl8RAGP5O8ZVf7NxASbPGWMrzMU1fLG9eCME8P7RXvJGFNiOtR9knh +FfXIoOl2y9roFcvu32E0SD9oacpENgXeLmpZDPxywIECgYEAx920CvdEK4LF7RMh +UGifnC5tq7ocs7GitxdK/E7k87aTOHLf4ZjFwIwn5ajR1MVeNAPejFEq4Os9ErsB +f+CtifuomjpbtIz3FgSrceykkkUaRxGy96YwAu3xu8bk2QaYskP6lM4pVpNlGNbc +EzoZwzMGCwvKdBwuWVG00jwdzD0CgYEAw5oIyxZB+g5SNR9+tc3RSdcsQ8R5rM+h +ucIdW0TbjgV1f8EW7lYwDuqpo9HK+d8rRWW8XmwY2IEI6erXONh57oUPZ7IDNWZY +lczUMHgTCnhloAFLRkJmA1/J3Vtp1jghmnCmNgRCmuC7D4nzJki00lGj5YGadKBn +LqjVukNp+WECgYBh/rUZL1WQU+VBsUCDUVj41dbV/UG3ZWBXjycoAHLHf/w9EC3v +Sd2j49RoCVcgkMj4jfEfMWjpsM1YErLQhVPxNJ/dRsHSC8/WTuHU0Od8BD+3Gtl6 +DVS7CvmcTQ/FzTMvLJ9/OHoSReCqxiZPkwwwpiLPZa+VMIAVMTeMYQdnLQKBgG2L +9yDGdmz1WFUoLm7jtjMEr2XEw+Bk6M6ASLC0/8GqjQPfwFf7LS8tfZSiCmum8TUM +pVK8d63JlpRrUd4kXyWWn+oTaHifuT0sWipLFV7nzwKtttrClR+Oph+y8rNm/Gri +bDQUbrkO47TwLZ1jWuHvlzsSOs7WhvM623hWCSQBAoGAOdHIufOUx++MLJb35wdt +RFA17aK6l+eWtdYSe2DnpRIFWsW19FDENGl8G2Wr7QE18NV2hU1qxMIFbXpQqhEE +fX+TmJ3PlA8RspjbTnmw3EcxWDS7N1vgdevve5pjM2tPw/vDIcUXdQvlt3Ro7kNP +VVi8aUceA6ELKpwz5EGA8FI= +-----END PRIVATE KEY----- diff --git a/trustmanager/keystore.go b/trustmanager/keystore.go index 2049a3ef7..9f4760488 100644 --- a/trustmanager/keystore.go +++ b/trustmanager/keystore.go @@ -1,7 +1,6 @@ package trustmanager import ( - "encoding/pem" "fmt" "path/filepath" "strings" 
@@ -114,11 +113,7 @@ func (s *GenericKeyStore) AddKey(keyInfo KeyInfo, privKey data.PrivateKey) error } } - if chosenPassphrase != "" { - pemPrivKey, err = utils.EncryptPrivateKey(privKey, keyInfo.Role, keyInfo.Gun, chosenPassphrase) - } else { - pemPrivKey, err = utils.KeyToPEM(privKey, keyInfo.Role, keyInfo.Gun) - } + pemPrivKey, err = utils.ConvertPrivateKeyToPKCS8(privKey, keyInfo.Role, keyInfo.Gun, chosenPassphrase) if err != nil { return err @@ -204,11 +199,11 @@ func copyKeyInfoMap(keyInfoMap map[string]KeyInfo) map[string]KeyInfo { func KeyInfoFromPEM(pemBytes []byte, filename string) (string, KeyInfo, error) { var keyID string keyID = filepath.Base(filename) - block, _ := pem.Decode(pemBytes) - if block == nil { - return "", KeyInfo{}, fmt.Errorf("could not decode PEM block for key %s", filename) + role, gun, err := utils.ExtractPrivateKeyAttributes(pemBytes) + if err != nil { + return "", KeyInfo{}, err } - return keyID, KeyInfo{Gun: data.GUN(block.Headers["gun"]), Role: data.RoleName(block.Headers["role"])}, nil + return keyID, KeyInfo{Gun: gun, Role: role}, nil } // getKeyRole finds the role for the given keyID. It attempts to look @@ -224,10 +219,12 @@ func getKeyRole(s Storage, keyID string) (data.RoleName, error) { if err != nil { return "", err } - block, _ := pem.Decode(d) - if block != nil { - return data.RoleName(block.Headers["role"]), nil + + role, _, err := utils.ExtractPrivateKeyAttributes(d) + if err != nil { + return "", err } + return role, nil } } return "", ErrKeyNotFound{KeyID: keyID} diff --git a/trustmanager/keystore_test.go b/trustmanager/keystore_test.go index 8c876d04a..a287181c6 100644 --- a/trustmanager/keystore_test.go +++ b/trustmanager/keystore_test.go @@ -2,8 +2,8 @@ package trustmanager import ( "crypto/rand" + "encoding/pem" "errors" - "fmt" "io/ioutil" "os" "path/filepath" 
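Review bot: The new error path in KeyInfoFromPEM drops the filename that the removed `could not decode PEM block for key %s` message carried, so a corrupt or foreign file in a store with many keys is now reported without saying which one. fmt is still imported in this file, so wrap the error with the context: `return "", KeyInfo{}, fmt.Errorf("could not extract key info from %s: %v", filename, err)`. Whether ExtractPrivateKeyAttributes itself names the file cannot be seen from here; if it does not, this is the only place that knows it.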
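Review bot: getKeyRole changes from "skip files that are not PEM" to "fail on the first file that does not parse": the removed code carried on when pem.Decode returned nil, while the new code returns the ExtractPrivateKeyAttributes error immediately. The enclosing loop (outside the hunk) appears to select files by key-ID prefix, so a stray non-key file sharing that prefix now turns a lookup that used to succeed into an error. If the old tolerance is wanted, `if err != nil { continue }` preserves it; if the stricter behaviour is intended, a one-line comment saying that every prefix-matched file must be a parsable private key would document the contract. The loop header and the final ErrKeyNotFound return are outside the hunk.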
@@ -58,7 +58,7 @@ func testAddKeyWithRole(t *testing.T, role data.RoleName) { // Check to see if file exists b, err := ioutil.ReadFile(expectedFilePath) require.NoError(t, err, "expected file not found") - require.Contains(t, string(b), "-----BEGIN EC PRIVATE KEY-----") + require.Contains(t, string(b), "-----BEGIN ENCRYPTED PRIVATE KEY-----") // Check that we have the role and gun info for this key's ID keyInfo, ok := store.keyInfoMap[privKey.ID()] @@ -91,9 +91,9 @@ func TestKeyStoreInternalState(t *testing.T) { var privKeyPEM []byte // generate the correct PEM role header if role == data.CanonicalRootRole || data.IsDelegation(role) || !data.ValidRole(role) { - privKeyPEM, err = utils.KeyToPEM(privKey, role, "") + privKeyPEM, err = utils.ConvertPrivateKeyToPKCS8(privKey, role, "", "") } else { - privKeyPEM, err = utils.KeyToPEM(privKey, role, gun) + privKeyPEM, err = utils.ConvertPrivateKeyToPKCS8(privKey, role, gun, "") } require.NoError(t, err, "could not generate PEM") 
@@ -176,71 +176,45 @@ func TestGet(t *testing.T) { } func testGetKeyWithRole(t *testing.T, gun data.GUN, role data.RoleName) { - var testData []byte - if gun == "" { - testData = []byte(fmt.Sprintf(`-----BEGIN RSA PRIVATE KEY----- -role: %s + var testPEM []byte + testPEM = []byte(`-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC2cL8WamG24ihl +JSVG8ZVel05lPqYD0S8ol1L+zzwsHkim2DS+a5BLX5+QJtCfZrR+Pzo+4pCrjU+N +R/71aYNm/M95h/JSJxdEoTgYCCHNJD8IYpTc6lXyy49lSQh7svLpZ2dQwHoGB5VC +tpsh8xvLLbXfk/G7ihEeZqG7/Tnoe+uotkiODOTjxiTGvQQjoAc4hQgzGH4sjC7U +8E8zB0j1BQWM/fhRX/ww3V/SRB2T1u0aAurF1BnUdDazZMBxWQ7DxmY3FNbeNXqf +KKeQMN1Rodu8hJw0gxL1hbOWmcYksmGZfPDzYXiHBdscCFr/wimOl9BO/o2xbV5+ +phbph9cFAgMBAAECggEBAIAcA9L1uM/3V25O+zIqCj11+jLWHzWm+nqCaGFNnG9O +hK3EPKVKWvTSnPVYjD6inDPaqkfmSLhubmJDICGsif0ToY0xjVNq58flfcJCU5n9 +zdVRhD7svpXTo0n4UuCp9DE5zy7BOe5p/MHwAFeCow21d3UcKi8K8KJsZz3ev38j +9Y8ASd24NcyZfE4mnjDjA/MuzlPoQYMwAh4f3mrEKu5v9dCT+m70lJTzSNAc4gD0 +93mMkGRsUKjvZyCu/IlXncBczaSVovX5IGdiGPa7Qk+CP9r+PGQUasb+e5o7VMzh +xyjIrCV1u48vRyJsc7xrZ+PUkVk74u9mQ3wxQXNzi7ECgYEA5BftyMlzv2oqAzQg +isS0f616qX5YmRK/riC/4+HRaXEsA/LiI8tuW04vdgcelUqxo1TFpv+J4z16ItF5 +kscb6ev9wsFa0VInsvI3hqZ8e4AuqlvU8Rii1anxkbwE5mstRgeR9p410+0T2GiW +JaWVy8mxsneVI0sdR5ooJ+ZBQpcCgYEAzMLtV52aQvnCLPejPI+fBnOjoLXTVaaB +xqZWfOzuozjYVlqSUsKbKbMVtIy+rPIJt26/qw8i6V8Dx2HlUcySU5fAumpWigK4 +Dh64eZ+yJrQeqgRJoLoZhTbgxe4fv7+f649WcipwD0ptEaqjD11Wdr0973tw0wdc +Pqn9SlPoksMCgYBqUKj5xMRZvQ82DQ75/3Oua1rYM9byCmYjsIogmrn0Ltb4RDaZ +vpGCp2/B0NG1fmpMGhBCpatMqvQJ1J+ZBYuCPgg6xcsh8+wjIXk2HtW47udRappX +gkcr1hmN9xhFmkEw+ghT7ixiyodMgHszsvmeUjWsXMa7+5/7JuR+rHlQowKBgE0T +Lr3lMDT3yJSeno5kTWrjSntrFeLOq1j4MeQSV32PHzfaHewTHs7if1AYDooRDYFD +qdgc+Xo47rY1blmNFKNsovpInsySW2/NNolpiGizMjuzI3fhtUuErbUzfjXyTqMf +sF2HBelrjYSx43EcJDjL4S1tHLoCskFQQWyiCxB7AoGBANSohPiPmJLvCEmZTdHm +KcRNz9jE0wO5atCZADIfuOrYHYTQk3YTI5V3GviUNLdmbw4TQChwAgAYVNth1rpL +5jSqfF3RtNBePZixG2WzxYd2ZwvJxvKa33i1E8UfM+yEZH4Gc5ukDt28m0fyFBmi +QvS5quTEllrvrVuWfhpsjl/l +-----END 
PRIVATE KEY----- +`) + testBlock, _ := pem.Decode(testPEM) + require.NotEmpty(t, testBlock, "could not decode pem") -MIIEogIBAAKCAQEAyUIXjsrWRrvPa4Bzp3VJ6uOUGPay2fUpSV8XzNxZxIG/Opdr -+k3EQi1im6WOqF3Y5AS1UjYRxNuRN+cAZeo3uS1pOTuoSupBXuchVw8s4hZJ5vXn -TRmGb+xY7tZ1ZVgPfAZDib9sRSUsL/gC+aSyprAjG/YBdbF06qKbfOfsoCEYW1OQ -82JqHzQH514RFYPTnEGpvfxWaqmFQLmv0uMxV/cAYvqtrGkXuP0+a8PknlD2obw5 -0rHE56Su1c3Q42S7L51K38tpbgWOSRcTfDUWEj5v9wokkNQvyKBwbS996s4EJaZd -7r6M0h1pHnuRxcSaZLYRwgOe1VNGg2VfWzgd5QIDAQABAoIBAF9LGwpygmj1jm3R -YXGd+ITugvYbAW5wRb9G9mb6wspnwNsGTYsz/UR0ZudZyaVw4jx8+jnV/i3e5PC6 -QRcAgqf8l4EQ/UuThaZg/AlT1yWp9g4UyxNXja87EpTsGKQGwTYxZRM4/xPyWOzR -mt8Hm8uPROB9aA2JG9npaoQG8KSUj25G2Qot3ukw/IOtqwN/Sx1EqF0EfCH1K4KU -a5TrqlYDFmHbqT1zTRec/BTtVXNsg8xmF94U1HpWf3Lpg0BPYT7JiN2DPoLelRDy -a/A+a3ZMRNISL5wbq/jyALLOOyOkIqa+KEOeW3USuePd6RhDMzMm/0ocp5FCwYfo -k4DDeaECgYEA0eSMD1dPGo+u8UTD8i7ZsZCS5lmXLNuuAg5f5B/FGghD8ymPROIb -dnJL5QSbUpmBsYJ+nnO8RiLrICGBe7BehOitCKi/iiZKJO6edrfNKzhf4XlU0HFl -jAOMa975pHjeCoZ1cXJOEO9oW4SWTCyBDBSqH3/ZMgIOiIEk896lSmkCgYEA9Xf5 -Jqv3HtQVvjugV/axAh9aI8LMjlfFr9SK7iXpY53UdcylOSWKrrDok3UnrSEykjm7 -UL3eCU5jwtkVnEXesNn6DdYo3r43E6iAiph7IBkB5dh0yv3vhIXPgYqyTnpdz4pg -3yPGBHMPnJUBThg1qM7k6a2BKHWySxEgC1DTMB0CgYAGvdmF0J8Y0k6jLzs/9yNE -4cjmHzCM3016gW2xDRgumt9b2xTf+Ic7SbaIV5qJj6arxe49NqhwdESrFohrKaIP -kM2l/o2QaWRuRT/Pvl2Xqsrhmh0QSOQjGCYVfOb10nAHVIRHLY22W4o1jk+piLBo -a+1+74NRaOGAnu1J6/fRKQKBgAF180+dmlzemjqFlFCxsR/4G8s2r4zxTMXdF+6O -3zKuj8MbsqgCZy7e8qNeARxwpCJmoYy7dITNqJ5SOGSzrb2Trn9ClP+uVhmR2SH6 -AlGQlIhPn3JNzI0XVsLIloMNC13ezvDE/7qrDJ677EQQtNEKWiZh1/DrsmHr+irX -EkqpAoGAJWe8PC0XK2RE9VkbSPg9Ehr939mOLWiHGYTVWPttUcum/rTKu73/X/mj -WxnPWGtzM1pHWypSokW90SP4/xedMxludvBvmz+CTYkNJcBGCrJumy11qJhii9xp -EMl3eFOJXjIch/wIesRSN+2dGOsl7neercjMh1i9RvpCwHDx/E0= ------END RSA PRIVATE KEY----- -`, role)) - } else { - testData = []byte(fmt.Sprintf(`-----BEGIN RSA PRIVATE KEY----- -gun: %s -role: %s + testPrivKey, err := utils.ParsePKCS8ToTufKey(testBlock.Bytes, nil) + require.NoError(t, err, "could not 
parse pkcs8 key") + + testData, err := utils.ConvertPrivateKeyToPKCS8(testPrivKey, role, gun, "") + require.NoError(t, err, "could not wrap pkcs8 key") -MIIEogIBAAKCAQEAyUIXjsrWRrvPa4Bzp3VJ6uOUGPay2fUpSV8XzNxZxIG/Opdr -+k3EQi1im6WOqF3Y5AS1UjYRxNuRN+cAZeo3uS1pOTuoSupBXuchVw8s4hZJ5vXn -TRmGb+xY7tZ1ZVgPfAZDib9sRSUsL/gC+aSyprAjG/YBdbF06qKbfOfsoCEYW1OQ -82JqHzQH514RFYPTnEGpvfxWaqmFQLmv0uMxV/cAYvqtrGkXuP0+a8PknlD2obw5 -0rHE56Su1c3Q42S7L51K38tpbgWOSRcTfDUWEj5v9wokkNQvyKBwbS996s4EJaZd -7r6M0h1pHnuRxcSaZLYRwgOe1VNGg2VfWzgd5QIDAQABAoIBAF9LGwpygmj1jm3R -YXGd+ITugvYbAW5wRb9G9mb6wspnwNsGTYsz/UR0ZudZyaVw4jx8+jnV/i3e5PC6 -QRcAgqf8l4EQ/UuThaZg/AlT1yWp9g4UyxNXja87EpTsGKQGwTYxZRM4/xPyWOzR -mt8Hm8uPROB9aA2JG9npaoQG8KSUj25G2Qot3ukw/IOtqwN/Sx1EqF0EfCH1K4KU -a5TrqlYDFmHbqT1zTRec/BTtVXNsg8xmF94U1HpWf3Lpg0BPYT7JiN2DPoLelRDy -a/A+a3ZMRNISL5wbq/jyALLOOyOkIqa+KEOeW3USuePd6RhDMzMm/0ocp5FCwYfo -k4DDeaECgYEA0eSMD1dPGo+u8UTD8i7ZsZCS5lmXLNuuAg5f5B/FGghD8ymPROIb -dnJL5QSbUpmBsYJ+nnO8RiLrICGBe7BehOitCKi/iiZKJO6edrfNKzhf4XlU0HFl -jAOMa975pHjeCoZ1cXJOEO9oW4SWTCyBDBSqH3/ZMgIOiIEk896lSmkCgYEA9Xf5 -Jqv3HtQVvjugV/axAh9aI8LMjlfFr9SK7iXpY53UdcylOSWKrrDok3UnrSEykjm7 -UL3eCU5jwtkVnEXesNn6DdYo3r43E6iAiph7IBkB5dh0yv3vhIXPgYqyTnpdz4pg -3yPGBHMPnJUBThg1qM7k6a2BKHWySxEgC1DTMB0CgYAGvdmF0J8Y0k6jLzs/9yNE -4cjmHzCM3016gW2xDRgumt9b2xTf+Ic7SbaIV5qJj6arxe49NqhwdESrFohrKaIP -kM2l/o2QaWRuRT/Pvl2Xqsrhmh0QSOQjGCYVfOb10nAHVIRHLY22W4o1jk+piLBo -a+1+74NRaOGAnu1J6/fRKQKBgAF180+dmlzemjqFlFCxsR/4G8s2r4zxTMXdF+6O -3zKuj8MbsqgCZy7e8qNeARxwpCJmoYy7dITNqJ5SOGSzrb2Trn9ClP+uVhmR2SH6 -AlGQlIhPn3JNzI0XVsLIloMNC13ezvDE/7qrDJ677EQQtNEKWiZh1/DrsmHr+irX -EkqpAoGAJWe8PC0XK2RE9VkbSPg9Ehr939mOLWiHGYTVWPttUcum/rTKu73/X/mj -WxnPWGtzM1pHWypSokW90SP4/xedMxludvBvmz+CTYkNJcBGCrJumy11qJhii9xp -EMl3eFOJXjIch/wIesRSN+2dGOsl7neercjMh1i9RvpCwHDx/E0= ------END RSA PRIVATE KEY----- -`, gun, role)) - } testName := "keyID" testExt := "key" perms := os.FileMode(0755) 
@@ -266,7 +240,7 @@ EMl3eFOJXjIch/wIesRSN+2dGOsl7neercjMh1i9RvpCwHDx/E0= privKey, _, err := store.GetKey(testName) require.NoError(t, err, "failed to get %s key from store (it's in %s)", role, filepath.Join(tempBaseDir, notary.PrivDir)) - pemPrivKey, err := utils.KeyToPEM(privKey, role, gun) + pemPrivKey, err := utils.ConvertPrivateKeyToPKCS8(privKey, role, gun, "") require.NoError(t, err, "failed to convert key to PEM") require.Equal(t, testData, pemPrivKey) } @@ -274,6 +248,9 @@ EMl3eFOJXjIch/wIesRSN+2dGOsl7neercjMh1i9RvpCwHDx/E0= // TestGetLegacyKey ensures we can still load keys where the role // is stored as part of the filename (i.e. _.key func TestGetLegacyKey(t *testing.T) { + if notary.FIPSEnabled() { + t.Skip("skip backward compatibility test in FIPS mode") + } testData := []byte(`-----BEGIN RSA PRIVATE KEY----- MIIEogIBAAKCAQEAyUIXjsrWRrvPa4Bzp3VJ6uOUGPay2fUpSV8XzNxZxIG/Opdr +k3EQi1im6WOqF3Y5AS1UjYRxNuRN+cAZeo3uS1pOTuoSupBXuchVw8s4hZJ5vXn diff --git a/utils/keys.go b/utils/keys.go index 581f11f34..b2cacb6aa 100644 --- a/utils/keys.go +++ b/utils/keys.go @@ -132,7 +132,7 @@ func ImportKeys(from io.Reader, to []Importer, fallbackRole string, fallbackGUN return errors.New("maximum number of passphrase attempts exceeded") } } - blockBytes, err = utils.EncryptPrivateKey(privKey, tufdata.RoleName(block.Headers["role"]), tufdata.GUN(block.Headers["gun"]), chosenPassphrase) + blockBytes, err = utils.ConvertPrivateKeyToPKCS8(privKey, tufdata.RoleName(block.Headers["role"]), tufdata.GUN(block.Headers["gun"]), chosenPassphrase) if err != nil { return errors.New("failed to encrypt key with given passphrase") } diff --git a/utils/keys_test.go b/utils/keys_test.go index 90bd4cd5c..ee9579e2a 100644 --- a/utils/keys_test.go +++ b/utils/keys_test.go 
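Review bot: The error returned after the new call in ImportKeys still reads `failed to encrypt key with given passphrase`, but ConvertPrivateKeyToPKCS8 is also called with an empty passphrase elsewhere in this change (yielding an unencrypted block) and can fail for reasons unrelated to encryption, such as an unsupported key type; the underlying error is discarded, so the user cannot tell which. Preserve the cause, e.g. `return fmt.Errorf("failed to convert key to PKCS#8: %v", err)` if fmt is in scope in this file, or at least `return errors.New("failed to convert key to PKCS#8: " + err.Error())`. ImportKeys begins and ends outside the hunk.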
@@ -494,7 +494,7 @@ func TestEncryptedKeyImportFail(t *testing.T) { privKey, err := utils.GenerateECDSAKey(rand.Reader) require.NoError(t, err) - pemBytes, err := utils.EncryptPrivateKey(privKey, data.CanonicalRootRole, "", cannedPassphrase) + pemBytes, err := utils.ConvertPrivateKeyToPKCS8(privKey, data.CanonicalRootRole, "", cannedPassphrase) require.NoError(t, err) in := bytes.NewBuffer(pemBytes) @@ -511,7 +511,7 @@ func TestEncryptedKeyImportSuccess(t *testing.T) { originalKey := privKey.Private() require.NoError(t, err) - pemBytes, err := utils.EncryptPrivateKey(privKey, data.CanonicalSnapshotRole, "somegun", cannedPassphrase) + pemBytes, err := utils.ConvertPrivateKeyToPKCS8(privKey, data.CanonicalSnapshotRole, "somegun", cannedPassphrase) require.NoError(t, err) b, _ := pem.Decode(pemBytes) @@ -547,7 +547,7 @@ func TestEncryption(t *testing.T) { originalKey := privKey.Private() require.NoError(t, err) - pemBytes, err := utils.EncryptPrivateKey(privKey, "", "", "") + pemBytes, err := utils.ConvertPrivateKeyToPKCS8(privKey, "", "", "") require.NoError(t, err) in := bytes.NewBuffer(pemBytes)