keystoremanager

package
v0.0.0-...-f7d0ea7 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Sep 10, 2015 License: Apache-2.0 Imports: 18 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

View Source
var (
	// ErrNoValidPrivateKey is returned if a key being imported doesn't
	// look like a private key
	ErrNoValidPrivateKey = errors.New("no valid private key found")

	// ErrRootKeyNotEncrypted is returned if a root key being imported is
	// unencrypted
	ErrRootKeyNotEncrypted = errors.New("only encrypted root keys may be imported")

	// ErrNoKeysFoundForGUN is returned if no keys are found for the
	// specified GUN during export
	ErrNoKeysFoundForGUN = errors.New("no keys found for specified GUN")
)

Functions

func IsZipSymlink(f *zip.File) bool

IsZipSymlink returns true if the file described by the zip file header is a symlink.

Types

type ErrRootRotationFail

type ErrRootRotationFail struct {
	Reason string
}

ErrRootRotationFail is returned when we fail to do a full root key rotation by either failing to add the new root certificate, or delete the old ones

func (ErrRootRotationFail) Error

func (err ErrRootRotationFail) Error() string

ErrRootRotationFail is returned when we fail to do a full root key rotation by either failing to add the new root certificate, or delete the old ones

type ErrValidationFail

type ErrValidationFail struct {
	Reason string
}

ErrValidationFail is returned when there is no valid trusted certificates being served inside of the roots.json

func (ErrValidationFail) Error

func (err ErrValidationFail) Error() string

ErrValidationFail is returned when there is no valid trusted certificates being served inside of the roots.json

type KeyStoreManager

type KeyStoreManager struct {
	// contains filtered or unexported fields
}

KeyStoreManager is an abstraction around the root and non-root key stores, and related CA stores

func NewKeyStoreManager

func NewKeyStoreManager(baseDir string, passphraseRetriever passphrase.Retriever) (*KeyStoreManager, error)

NewKeyStoreManager returns an initialized KeyStoreManager, or an error if it fails to create the KeyFileStores or load certificates

func (*KeyStoreManager) AddTrustedCACert

func (km *KeyStoreManager) AddTrustedCACert(cert *x509.Certificate)

AddTrustedCACert adds a cert to the trusted CA certificate store

func (*KeyStoreManager) AddTrustedCert

func (km *KeyStoreManager) AddTrustedCert(cert *x509.Certificate)

AddTrustedCert adds a cert to the trusted certificate store (not the CA store)

func (*KeyStoreManager) ExportAllKeys

func (km *KeyStoreManager) ExportAllKeys(dest io.Writer, newPassphraseRetriever passphrase.Retriever) error

ExportAllKeys exports all keys to an io.Writer in zip format. newPassphraseRetriever will be used to obtain passphrases to use to encrypt the existing keys.

func (*KeyStoreManager) ExportKeysByGUN

func (km *KeyStoreManager) ExportKeysByGUN(dest io.Writer, gun string, passphraseRetriever passphrase.Retriever) error

ExportKeysByGUN exports all keys associated with a specified GUN to an io.Writer in zip format. passphraseRetriever is used to select new passphrases to use to encrypt the keys.

func (*KeyStoreManager) ExportRootKey

func (km *KeyStoreManager) ExportRootKey(dest io.Writer, keyID string) error

ExportRootKey exports the specified root key to an io.Writer in PEM format. The key's existing encryption is preserved.

func (*KeyStoreManager) ExportRootKeyReencrypt

func (km *KeyStoreManager) ExportRootKeyReencrypt(dest io.Writer, keyID string, newPassphraseRetriever passphrase.Retriever) error

ExportRootKeyReencrypt exports the specified root key to an io.Writer in PEM format. The key is reencrypted with a new passphrase.

func (*KeyStoreManager) GenRootKey

func (km *KeyStoreManager) GenRootKey(algorithm string) (string, error)

GenRootKey generates a new root key

func (*KeyStoreManager) GetRootCryptoService

func (km *KeyStoreManager) GetRootCryptoService(rootKeyID string) (*cryptoservice.UnlockedCryptoService, error)

GetRootCryptoService retrieves a root key and a cryptoservice to use with it TODO(mccauley): remove this as its no longer needed once we have key caching in the keystores

func (*KeyStoreManager) ImportKeysZip

func (km *KeyStoreManager) ImportKeysZip(zipReader zip.Reader) error

ImportKeysZip imports keys from a zip file provided as an zip.Reader. The keys in the root_keys directory are left encrypted, but the other keys are decrypted with the specified passphrase.

func (*KeyStoreManager) ImportRootKey

func (km *KeyStoreManager) ImportRootKey(source io.Reader, keyID string) error

ImportRootKey imports a root in PEM format key from an io.Reader The key's existing encryption is preserved. The keyID parameter is necessary because otherwise we'd need the passphrase to decrypt the key in order to compute the ID.

func (*KeyStoreManager) NonRootKeyStore

func (km *KeyStoreManager) NonRootKeyStore() *trustmanager.KeyFileStore

NonRootKeyStore returns the non-root key store being managed by this KeyStoreManager

func (*KeyStoreManager) RootKeyStore

func (km *KeyStoreManager) RootKeyStore() *trustmanager.KeyFileStore

RootKeyStore returns the root key store being managed by this KeyStoreManager

func (*KeyStoreManager) TrustedCAStore

func (km *KeyStoreManager) TrustedCAStore() trustmanager.X509Store

TrustedCAStore returns the CA store being managed by this KeyStoreManager

func (*KeyStoreManager) TrustedCertificateStore

func (km *KeyStoreManager) TrustedCertificateStore() trustmanager.X509Store

TrustedCertificateStore returns the trusted certificate store being managed by this KeyStoreManager

func (*KeyStoreManager) ValidateRoot

func (km *KeyStoreManager) ValidateRoot(root *data.Signed, gun string) error

ValidateRoot receives a new root, validates its correctness and attempts to do root key rotation if needed.

First we list the current trusted certificates we have for a particular GUN. If that list is non-empty means that we've already seen this repository before, and have a list of trusted certificates for it. In this case, we use this list of certificates to attempt to validate this root file.

If the previous validation suceeds, or in the case where we found no trusted certificates for this particular GUN, we check the integrity of the root by making sure that it is validated by itself. This means that we will attempt to validate the root data with the certificates that are included in the root keys themselves.

If this last steps succeeds, we attempt to do root rotation, by ensuring that we only trust the certificates that are present in the new root.

This mechanism of operation is essentially Trust On First Use (TOFU): if we have never seen a certificate for a particular CN, we trust it. If later we see a different certificate for that certificate, we return an ErrValidationFailed error.

Note that since we only allow trust data to be downloaded over an HTTPS channel we are using the current public PKI to validate the first download of the certificate adding an extra layer of security over the normal (SSH style) trust model. We shall call this: TOFUS.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL