Support passing in root keys on repo initialization #801
Conversation
|
Can one of the admins verify this patch? |
ecordell
force-pushed
the
root-keys-on-init
branch
from
540cdd4
to
cea9e8d
Compare
|
jenkins, test this please |
|
thank you @ecordell for this awesome work! I had some design concerns about how this might work with a Maybe we could only allow for up to 1 key on init: And if we wanted to add more keys: What do you think? |
ecordell
force-pushed
the
root-keys-on-init
branch
from
cea9e8d
to
d2e7af3
Compare
|
Thanks for taking a look @riyazdf ! To limit the scope, I've simply rebased on master and changed Looks like circle is failing because of temporary connection issue; I don't have the ability to restart it afaict. |
|
jenkins, test this please |
|
I'll review this fully next week but in the meantime, thank you! This is a feature we've had quite a few people asking for. I largely agree with @riyazdf's suggestions, though it might be nice to find a way to cleanly combine the key and cert so that if we do decide to allow multiple keys/certs to be added on init in the future there's a nice way to do it. Also worth noting there might be a use case to add multiple certs but fewer keys (i.e. you want other keys to be able to sign root but you personally only hold one of them. This is a specific use case we discussed with one user at DockerCon). |
| @@ -285,7 +320,7 @@ func (t *tufCommander) tufInit(cmd *cobra.Command, args []string) error { | |||
| cmd.Printf("Root key found, using: %s\n", rootKeyID) | |||
| } | |||
|
|
|||
| if err = nRepo.Initialize(rootKeyID); err != nil { | |||
| if err = nRepo.Initialize([]string{rootKeyID}); err != nil { | |||
There was a problem hiding this comment.
If other root keys already exist on this host, this rootKeyID may not necessarily correspond to the --rootkey we pass in. We should change the conditional logic above such that it prioritizes keys from the --rootkey flag if we passed any in
Edit: this is resolved now in above logic
ecordell
force-pushed
the
root-keys-on-init
branch
2 times, most recently
from
18d2ad4
to
8f3dec0
Compare
|
@riyazdf Fixed the issues you noted and rebased. |
|
jenkins, test this please |
| rootPubKey2, err := repo.CryptoService.Create("root", repo.gun, data.ECDSAKey) | ||
| require.NoError(t, err, "error generating second root key: %s", err) | ||
|
|
||
| err = repo.Initialize([]string{rootPubKeyID, rootPubKey2.ID()}, data.CanonicalTimestampRole) |
There was a problem hiding this comment.
could we verify that both keys were included in the root metadata?
Something like:
require.Len(t, repo.tufRepo.Root.Signed.Roles[data.CanonicalRootRole].KeyIDs, 2)
There was a problem hiding this comment.
Definitely, will update
|
thank you @ecordell for working on this! I have a couple of small nits and test case additions, but I really like how this looks, cc @cyli @endophage for additional review. I'll also link #813 for tracking, since it is somewhat coupled with the discussion above Also, if you could update the initial PR description to reflect the updated behavior (just single root key) that would be awesome :) |
|
@riyazdf @endophage maybe |
|
@ecordell This is awesome - thanks so much for adding this! Being able to import existing root keys and certs will become really important for our use cases in the future. It looks fantastic aside from the test nitpicks above! |
|
@cyli: @endophage and I just discussed that it might be useful to allow for multiple The use case would be to add other admins to be root-signers, but without having to share private key material directly. Ex: |
|
That makes sense - and I guess certs and keys don't really need to be On Thursday, July 7, 2016, Riyaz Faizullabhoy [email protected]
|
|
Thanks @riyazdf and @cyli for taking the time to review! I agree that passing multiple certs and root keys (and not needing to correlate them) makes sense. I'm happy to work on the implementation but I think it makes more sense to do that in a separate PR. Just updated with the last couple of points w.r.t. the tests; just let me know if it's important that cert loading be in this PR as well or if it can wait for a separate one. |
ecordell
force-pushed
the
root-keys-on-init
branch
2 times, most recently
from
3b1316c
to
62ade6b
Compare
ecordell
force-pushed
the
root-keys-on-init
branch
from
62ade6b
to
a2426a7
Compare
|
jenkins, test this please |
|
Hi everyone! Sorry to make things more complicated, but I have created new pull request at #821 based on top of a (probably slightly out-of-date) version of this commit. It adds the --rootcert flag to allow a root cert and root key to be imported together. I'm very willing to work with everyone here to get all the functionality approved asap -- please let me know the best way to co-ordinate things. Cheers. |
| err = ioutil.WriteFile(badKeyFilename, nonPEMKey, 0644) | ||
| require.NoError(t, err) | ||
|
|
||
| _, err = runCommand(t, tempDir, "-s", server.URL, "init", "gun2", "--rootKey", badKeyFilename) |
There was a problem hiding this comment.
I think the flag for these next few test cases should have --rootkey as opposed to --rootKey?
|
Thanks so much for all your work and your responsiveness on this @ecordell! Aside from one last nitpick about the |
| return err | ||
| } | ||
|
|
||
| privKey, _, err := trustmanager.GetPasswdDecryptBytes(t.retriever, pemBytes, "", "imported root") |
There was a problem hiding this comment.
something I just noticed from #821 - it might make sense to just change the last arg here to data.CanonicalRootRole, so that NOTARY_ROOT_PASSPHRASE can be used to automate this
Signed-off-by: Evan Cordell <[email protected]>
ecordell
force-pushed
the
root-keys-on-init
branch
from
a2426a7
to
96daed2
Compare
|
Updated and rebased! |
|
jenkins, test this please |
|
LGTM after changes, thank you again @ecordell for contributing this! |
| if err != nil { | ||
| return err | ||
| func (r *NotaryRepository) Initialize(rootKeyIDs []string, serverManagedRoles ...string) error { | ||
| privKeys := []data.PrivateKey{} |
There was a problem hiding this comment.
In all likelihood privKeys will have the same length as rootKeyIDs so we should initialize appropriately: privKeys := make([]data.PrivateKey, 0, len(rootKeyIDs))
There was a problem hiding this comment.
I'm not so sure - I think you should be able to initialize with one private key and multiple public keys, so that these two don't match up.
There was a problem hiding this comment.
That's not implemented in this PR though. Although @dnwake's PR for --rootcert may make my comment moot.
|
Left some comments on minor stuff but overall good to merge this now. LGTM and thank you! |
This addresses #731 by adding a
--rootkeyflag toinit.Example:
resulting root.json:
{ "signed": { "_type": "Root", "consistent_snapshot": false, "expires": "2026-06-21T14:20:03.15135742-04:00", "keys": { "956fbe52f38738cb5c31b1cbff06842ceda8e429f55164a61349cd233a50813f": { "keytype": "ecdsa-x509", "keyval": { "private": null, "public": "..." } } // ... }, "roles": { "root": { "keyids": [ "956fbe52f38738cb5c31b1cbff06842ceda8e429f55164a61349cd233a50813f" ], "threshold": 1 } // ... }, "version": 1 }, "signatures": [{ "keyid": "956fbe52f38738cb5c31b1cbff06842ceda8e429f55164a61349cd233a50813f", "method": "ecdsa", "sig": "70BvEbnWA1bHoc2IjnIE8XFI1N4I1WQxyd2GDNX/Avfmy89Z5J1w0pL507LpLd1DbV6p6CtqPgCdb5oCMeXt5w==" } }] }Additionally, the underlying TUF apis are updated to allow multiple root keys and certs, but that is not currently exposed to the CLI.