2017-09-26 20:16:18 -04:00
|
|
|
package trust
|
|
|
|
|
|
|
|
import (
|
2017-10-10 13:16:01 -04:00
|
|
|
"bytes"
|
2017-09-26 20:16:18 -04:00
|
|
|
"fmt"
|
|
|
|
"io/ioutil"
|
|
|
|
"os"
|
|
|
|
|
|
|
|
"github.com/docker/cli/cli"
|
|
|
|
"github.com/docker/cli/cli/command"
|
|
|
|
"github.com/docker/cli/cli/trust"
|
|
|
|
"github.com/docker/notary"
|
|
|
|
"github.com/docker/notary/storage"
|
2017-10-23 05:23:39 -04:00
|
|
|
"github.com/docker/notary/trustmanager"
|
2017-09-26 20:16:18 -04:00
|
|
|
tufutils "github.com/docker/notary/tuf/utils"
|
2017-10-25 13:13:24 -04:00
|
|
|
"github.com/pkg/errors"
|
2017-09-26 20:16:18 -04:00
|
|
|
"github.com/spf13/cobra"
|
|
|
|
)
|
|
|
|
|
|
|
|
const (
|
|
|
|
ownerReadOnlyPerms = 0400
|
|
|
|
ownerReadAndWritePerms = 0600
|
|
|
|
)
|
|
|
|
|
|
|
|
type keyLoadOptions struct {
|
|
|
|
keyName string
|
|
|
|
}
|
|
|
|
|
|
|
|
func newKeyLoadCommand(dockerCli command.Streams) *cobra.Command {
|
|
|
|
var options keyLoadOptions
|
|
|
|
cmd := &cobra.Command{
|
2017-10-09 13:44:52 -04:00
|
|
|
Use: "load [OPTIONS] KEY",
|
2017-09-26 20:16:18 -04:00
|
|
|
Short: "Load a private key file for signing",
|
|
|
|
Args: cli.ExactArgs(1),
|
|
|
|
RunE: func(cmd *cobra.Command, args []string) error {
|
|
|
|
return loadPrivKey(dockerCli, args[0], options)
|
|
|
|
},
|
|
|
|
}
|
|
|
|
flags := cmd.Flags()
|
|
|
|
flags.StringVarP(&options.keyName, "name", "n", "signer", "Name for the loaded key")
|
|
|
|
return cmd
|
|
|
|
}
|
|
|
|
|
|
|
|
func loadPrivKey(streams command.Streams, keyPath string, options keyLoadOptions) error {
|
|
|
|
trustDir := trust.GetTrustDirectory()
|
2017-10-10 13:16:01 -04:00
|
|
|
keyFileStore, err := storage.NewPrivateKeyFileStorage(trustDir, notary.KeyExtension)
|
2017-09-26 20:16:18 -04:00
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
2017-10-23 05:23:39 -04:00
|
|
|
privKeyImporters := []trustmanager.Importer{keyFileStore}
|
2017-09-26 20:16:18 -04:00
|
|
|
|
|
|
|
fmt.Fprintf(streams.Out(), "\nLoading key from \"%s\"...\n", keyPath)
|
|
|
|
|
|
|
|
// Always use a fresh passphrase retriever for each import
|
|
|
|
passRet := trust.GetPassphraseRetriever(streams.In(), streams.Out())
|
2017-10-10 13:16:01 -04:00
|
|
|
keyBytes, err := getPrivKeyBytesFromPath(keyPath)
|
|
|
|
if err != nil {
|
2017-10-25 13:13:24 -04:00
|
|
|
return errors.Wrapf(err, "error reading key from %s", keyPath)
|
2017-10-10 13:16:01 -04:00
|
|
|
}
|
|
|
|
if err := loadPrivKeyBytesToStore(keyBytes, privKeyImporters, keyPath, options.keyName, passRet); err != nil {
|
2017-10-25 13:13:24 -04:00
|
|
|
return errors.Wrapf(err, "error importing key from %s", keyPath)
|
2017-09-26 20:16:18 -04:00
|
|
|
}
|
|
|
|
fmt.Fprintf(streams.Out(), "Successfully imported key from %s\n", keyPath)
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2017-10-10 13:16:01 -04:00
|
|
|
func getPrivKeyBytesFromPath(keyPath string) ([]byte, error) {
|
2017-09-26 20:16:18 -04:00
|
|
|
fileInfo, err := os.Stat(keyPath)
|
|
|
|
if err != nil {
|
2017-10-10 13:16:01 -04:00
|
|
|
return nil, err
|
2017-09-26 20:16:18 -04:00
|
|
|
}
|
|
|
|
if fileInfo.Mode() != ownerReadOnlyPerms && fileInfo.Mode() != ownerReadAndWritePerms {
|
2017-10-10 13:16:01 -04:00
|
|
|
return nil, fmt.Errorf("private key permission from %s should be set to 400 or 600", keyPath)
|
2017-09-26 20:16:18 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
from, err := os.OpenFile(keyPath, os.O_RDONLY, notary.PrivExecPerms)
|
|
|
|
if err != nil {
|
2017-10-10 13:16:01 -04:00
|
|
|
return nil, err
|
2017-09-26 20:16:18 -04:00
|
|
|
}
|
|
|
|
defer from.Close()
|
|
|
|
|
2017-10-25 13:13:24 -04:00
|
|
|
return ioutil.ReadAll(from)
|
2017-10-10 13:16:01 -04:00
|
|
|
}
|
|
|
|
|
2017-10-23 05:23:39 -04:00
|
|
|
func loadPrivKeyBytesToStore(privKeyBytes []byte, privKeyImporters []trustmanager.Importer, keyPath, keyName string, passRet notary.PassRetriever) error {
|
2017-10-10 13:16:01 -04:00
|
|
|
if _, _, err := tufutils.ExtractPrivateKeyAttributes(privKeyBytes); err != nil {
|
2017-10-09 13:44:52 -04:00
|
|
|
return fmt.Errorf("provided file %s is not a supported private key - to add a signer's public key use docker trust signer add", keyPath)
|
2017-09-26 20:16:18 -04:00
|
|
|
}
|
2017-10-10 13:16:01 -04:00
|
|
|
// Make a reader, rewind the file pointer
|
2017-10-23 05:23:39 -04:00
|
|
|
return trustmanager.ImportKeys(bytes.NewReader(privKeyBytes), privKeyImporters, keyName, "", passRet)
|
2017-09-26 20:16:18 -04:00
|
|
|
}
|