@@ -168,7 +168,7 @@ RUN set -x \

 	&& rm -rf "$GOPATH"

 # Install notary server

-ENV NOTARY_VERSION docker-v1.10-4

+ENV NOTARY_VERSION docker-v1.10-5

 RUN set -x \

 	&& export GOPATH="$(mktemp -d)" \

 	&& git clone https://github.com/docker/notary.git "$GOPATH/src/github.com/docker/notary" \

@@ -145,7 +145,7 @@ RUN set -x \

 	&& rm -rf "$GOPATH"

 # Install notary server

-ENV NOTARY_VERSION docker-v1.10-4

+ENV NOTARY_VERSION docker-v1.10-5

 RUN set -x \

 	&& export GOPATH="$(mktemp -d)" \

 	&& git clone https://github.com/docker/notary.git "$GOPATH/src/github.com/docker/notary" \

@@ -116,7 +116,7 @@ RUN set -x \

 	&& rm -rf "$GOPATH"

 # Install notary server

-#ENV NOTARY_VERSION docker-v1.10-4

+#ENV NOTARY_VERSION docker-v1.10-5

 #RUN set -x \

 #	&& export GOPATH="$(mktemp -d)" \

 #	&& git clone https://github.com/docker/notary.git "$GOPATH/src/github.com/docker/notary" \

@@ -116,7 +116,7 @@ RUN set -x \

 	&& rm -rf "$GOPATH"

 # Install notary server

-ENV NOTARY_VERSION docker-v1.10-4

+ENV NOTARY_VERSION docker-v1.10-5

 RUN set -x \

 	&& export GOPATH="$(mktemp -d)" \

 	&& git clone https://github.com/docker/notary.git "$GOPATH/src/github.com/docker/notary" \

@@ -50,7 +50,7 @@ clone git github.com/docker/distribution c301f8ab27f4913c968b8d73a38e5dda79b9d3d

 clone git github.com/vbatts/tar-split v0.9.11

 # get desired notary commit, might also need to be updated in Dockerfile

-clone git github.com/docker/notary docker-v1.10-4

+clone git github.com/docker/notary docker-v1.10-5

 clone git google.golang.org/grpc 174192fc93efcb188fc8f46ca447f0da606b6885 https://github.com/grpc/grpc-go.git

 clone git github.com/miekg/pkcs11 80f102b5cac759de406949c47f0928b99bd64cdf

@@ -34,7 +34,7 @@ _space := $(empty) $(empty)

 COVERDIR=.cover

 COVERPROFILE?=$(COVERDIR)/cover.out

 COVERMODE=count

-PKGS = $(shell go list ./... | tr '\n' ' ')

+PKGS ?= $(shell go list ./... | tr '\n' ' ')

 GO_VERSION = $(shell go version | awk '{print $$3}')

@@ -124,7 +124,7 @@ endef

 gen-cover: go_version

 	@mkdir -p "$(COVERDIR)"

 	$(foreach PKG,$(PKGS),$(call gocover,$(PKG)))

-	rm "$(COVERDIR)"/*testutils*.coverage.txt

+	rm -f "$(COVERDIR)"/*testutils*.coverage.txt

 # Generates the cover binaries and runs them all in serial, so this can be used

 # run all tests with a yubikey without any problems

@@ -140,6 +140,9 @@ ci: OPTS = -tags "${NOTARY_BUILDTAGS}" -race -coverpkg "$(shell ./coverpkg.sh $(

 # Codecov knows how to merge multiple coverage files, so covmerge is not needed

 ci: gen-cover

+yubikey-tests: override PKGS = github.com/docker/notary/cmd/notary github.com/docker/notary/trustmanager/yubikey

+yubikey-tests: ci

+

 covmerge:

 	@gocovmerge $(shell ls -1 $(COVERDIR)/* | tr "\n" " ") > $(COVERPROFILE)

 	@go tool cover -func="$(COVERPROFILE)"

@@ -18,8 +18,6 @@ machine:

     CIRCLE_PAIN: "mode: set"

   # Put the coverage profile somewhere codecov's script can find it

     COVERPROFILE: coverage.out

-  # Set the pull request number so codecov can figure it out

-    PULL_REQUEST: ${CI_PULL_REQUEST##*/}

   hosts:

   # Not used yet

@@ -2,6 +2,8 @@ package notary

 // application wide constants

 const (

+	// MinRSABitSize is the minimum bit size for RSA keys allowed in notary

+	MinRSABitSize = 2048

 	// MinThreshold requires a minimum of one threshold for roles; currently we do not support a higher threshold

 	MinThreshold = 1

 	// PrivKeyPerms are the file permissions to use when writing private keys to disk

@@ -19,6 +19,7 @@ import (

 	"github.com/Sirupsen/logrus"

 	"github.com/agl/ed25519"

+	"github.com/docker/notary"

 	"github.com/docker/notary/tuf/data"

 )

@@ -324,7 +325,7 @@ func ParsePEMPublicKey(pubKeyBytes []byte) (data.PublicKey, error) {

 }

 // ValidateCertificate returns an error if the certificate is not valid for notary

-// Currently, this is only a time expiry check

+// Currently this is only a time expiry check, and ensuring the public key has a large enough modulus if RSA

 func ValidateCertificate(c *x509.Certificate) error {

 	if (c.NotBefore).After(c.NotAfter) {

 		return fmt.Errorf("certificate validity window is invalid")

@@ -335,6 +336,16 @@ func ValidateCertificate(c *x509.Certificate) error {

 	if (tomorrow).Before(c.NotBefore) || now.After(c.NotAfter) {

 		return fmt.Errorf("certificate is expired")

 	}

+	// If we have an RSA key, make sure it's long enough

+	if c.PublicKeyAlgorithm == x509.RSA {

+		rsaKey, ok := c.PublicKey.(*rsa.PublicKey)

+		if !ok {

+			return fmt.Errorf("unable to parse RSA public key")

+		}

+		if rsaKey.N.BitLen() < notary.MinRSABitSize {

+			return fmt.Errorf("RSA bit length is too short")

+		}

+	}

 	return nil

 }

@@ -54,7 +54,7 @@ func (c *Client) Update() error {

 	if err != nil {

 		logrus.Debug("Error occurred. Root will be downloaded and another update attempted")

 		if err := c.downloadRoot(); err != nil {

-			logrus.Error("Client Update (Root):", err)

+			logrus.Debug("Client Update (Root):", err)

 			return err

 		}

 		// If we error again, we now have the latest root and just want to fail

@@ -68,12 +68,12 @@ func (c *Client) Update() error {

 func (c *Client) update() error {

 	err := c.downloadTimestamp()

 	if err != nil {

-		logrus.Errorf("Client Update (Timestamp): %s", err.Error())

+		logrus.Debugf("Client Update (Timestamp): %s", err.Error())

 		return err

 	}

 	err = c.downloadSnapshot()

 	if err != nil {

-		logrus.Errorf("Client Update (Snapshot): %s", err.Error())

+		logrus.Debugf("Client Update (Snapshot): %s", err.Error())

 		return err

 	}

 	err = c.checkRoot()

@@ -86,7 +86,7 @@ func (c *Client) update() error {

 	// will always need top level targets at a minimum

 	err = c.downloadTargets("targets")

 	if err != nil {

-		logrus.Errorf("Client Update (Targets): %s", err.Error())

+		logrus.Debugf("Client Update (Targets): %s", err.Error())

 		return err

 	}

 	return nil

@@ -60,7 +60,7 @@ func (v Ed25519Verifier) Verify(key data.PublicKey, sig []byte, msg []byte) erro

 	}

 	var sigBytes [ed25519.SignatureSize]byte

 	if len(sig) != ed25519.SignatureSize {

-		logrus.Infof("signature length is incorrect, must be %d, was %d.", ed25519.SignatureSize, len(sig))

+		logrus.Debugf("signature length is incorrect, must be %d, was %d.", ed25519.SignatureSize, len(sig))

 		return ErrInvalid

 	}

 	copy(sigBytes[:], sig)

@@ -78,7 +78,7 @@ func (v Ed25519Verifier) Verify(key data.PublicKey, sig []byte, msg []byte) erro

 	}

 	if !ed25519.Verify(&keyBytes, msg, &sigBytes) {

-		logrus.Infof("failed ed25519 verification")

+		logrus.Debugf("failed ed25519 verification")

 		return ErrInvalid

 	}

 	return nil

@@ -87,23 +87,23 @@ func (v Ed25519Verifier) Verify(key data.PublicKey, sig []byte, msg []byte) erro

 func verifyPSS(key interface{}, digest, sig []byte) error {

 	rsaPub, ok := key.(*rsa.PublicKey)

 	if !ok {

-		logrus.Infof("value was not an RSA public key")

+		logrus.Debugf("value was not an RSA public key")

 		return ErrInvalid

 	}

 	if rsaPub.N.BitLen() < minRSAKeySizeBit {

-		logrus.Infof("RSA keys less than 2048 bits are not acceptable, provided key has length %d.", rsaPub.N.BitLen())

+		logrus.Debugf("RSA keys less than 2048 bits are not acceptable, provided key has length %d.", rsaPub.N.BitLen())

 		return ErrInvalidKeyLength{msg: fmt.Sprintf("RSA key must be at least %d bits.", minRSAKeySizeBit)}

 	}

 	if len(sig) < minRSAKeySizeByte {

-		logrus.Infof("RSA keys less than 2048 bits are not acceptable, provided signature has length %d.", len(sig))

+		logrus.Debugf("RSA keys less than 2048 bits are not acceptable, provided signature has length %d.", len(sig))

 		return ErrInvalid

 	}

 	opts := rsa.PSSOptions{SaltLength: sha256.Size, Hash: crypto.SHA256}

 	if err := rsa.VerifyPSS(rsaPub, crypto.SHA256, digest[:], sig, &opts); err != nil {

-		logrus.Infof("failed RSAPSS verification: %s", err)

+		logrus.Debugf("failed RSAPSS verification: %s", err)

 		return ErrInvalid

 	}

 	return nil

@@ -117,12 +117,12 @@ func getRSAPubKey(key data.PublicKey) (crypto.PublicKey, error) {

 	case data.RSAx509Key:

 		pemCert, _ := pem.Decode([]byte(key.Public()))

 		if pemCert == nil {

-			logrus.Infof("failed to decode PEM-encoded x509 certificate")

+			logrus.Debugf("failed to decode PEM-encoded x509 certificate")

 			return nil, ErrInvalid

 		}

 		cert, err := x509.ParseCertificate(pemCert.Bytes)

 		if err != nil {

-			logrus.Infof("failed to parse x509 certificate: %s\n", err)

+			logrus.Debugf("failed to parse x509 certificate: %s\n", err)

 			return nil, ErrInvalid

 		}

 		pubKey = cert.PublicKey

@@ -130,12 +130,12 @@ func getRSAPubKey(key data.PublicKey) (crypto.PublicKey, error) {

 		var err error

 		pubKey, err = x509.ParsePKIXPublicKey(key.Public())

 		if err != nil {

-			logrus.Infof("failed to parse public key: %s\n", err)

+			logrus.Debugf("failed to parse public key: %s\n", err)

 			return nil, ErrInvalid

 		}

 	default:

 		// only accept RSA keys

-		logrus.Infof("invalid key type for RSAPSS verifier: %s", algorithm)

+		logrus.Debugf("invalid key type for RSAPSS verifier: %s", algorithm)

 		return nil, ErrInvalidKeyType{}

 	}

@@ -172,17 +172,17 @@ func (v RSAPKCS1v15Verifier) Verify(key data.PublicKey, sig []byte, msg []byte)

 	rsaPub, ok := pubKey.(*rsa.PublicKey)

 	if !ok {

-		logrus.Infof("value was not an RSA public key")

+		logrus.Debugf("value was not an RSA public key")

 		return ErrInvalid

 	}

 	if rsaPub.N.BitLen() < minRSAKeySizeBit {

-		logrus.Infof("RSA keys less than 2048 bits are not acceptable, provided key has length %d.", rsaPub.N.BitLen())

+		logrus.Debugf("RSA keys less than 2048 bits are not acceptable, provided key has length %d.", rsaPub.N.BitLen())

 		return ErrInvalidKeyLength{msg: fmt.Sprintf("RSA key must be at least %d bits.", minRSAKeySizeBit)}

 	}

 	if len(sig) < minRSAKeySizeByte {

-		logrus.Infof("RSA keys less than 2048 bits are not acceptable, provided signature has length %d.", len(sig))

+		logrus.Debugf("RSA keys less than 2048 bits are not acceptable, provided signature has length %d.", len(sig))

 		return ErrInvalid

 	}

@@ -207,13 +207,13 @@ func (v RSAPyCryptoVerifier) Verify(key data.PublicKey, sig []byte, msg []byte)

 	k, _ := pem.Decode([]byte(key.Public()))

 	if k == nil {

-		logrus.Infof("failed to decode PEM-encoded x509 certificate")

+		logrus.Debugf("failed to decode PEM-encoded x509 certificate")

 		return ErrInvalid

 	}

 	pub, err := x509.ParsePKIXPublicKey(k.Bytes)

 	if err != nil {

-		logrus.Infof("failed to parse public key: %s\n", err)

+		logrus.Debugf("failed to parse public key: %s\n", err)

 		return ErrInvalid

 	}

@@ -232,13 +232,13 @@ func (v ECDSAVerifier) Verify(key data.PublicKey, sig []byte, msg []byte) error

 	case data.ECDSAx509Key:

 		pemCert, _ := pem.Decode([]byte(key.Public()))

 		if pemCert == nil {

-			logrus.Infof("failed to decode PEM-encoded x509 certificate for keyID: %s", key.ID())

+			logrus.Debugf("failed to decode PEM-encoded x509 certificate for keyID: %s", key.ID())

 			logrus.Debugf("certificate bytes: %s", string(key.Public()))

 			return ErrInvalid

 		}

 		cert, err := x509.ParseCertificate(pemCert.Bytes)

 		if err != nil {

-			logrus.Infof("failed to parse x509 certificate: %s\n", err)

+			logrus.Debugf("failed to parse x509 certificate: %s\n", err)

 			return ErrInvalid

 		}

 		pubKey = cert.PublicKey

@@ -246,25 +246,25 @@ func (v ECDSAVerifier) Verify(key data.PublicKey, sig []byte, msg []byte) error

 		var err error

 		pubKey, err = x509.ParsePKIXPublicKey(key.Public())

 		if err != nil {

-			logrus.Infof("Failed to parse private key for keyID: %s, %s\n", key.ID(), err)

+			logrus.Debugf("Failed to parse private key for keyID: %s, %s\n", key.ID(), err)

 			return ErrInvalid

 		}

 	default:

 		// only accept ECDSA keys.

-		logrus.Infof("invalid key type for ECDSA verifier: %s", algorithm)

+		logrus.Debugf("invalid key type for ECDSA verifier: %s", algorithm)

 		return ErrInvalidKeyType{}

 	}

 	ecdsaPubKey, ok := pubKey.(*ecdsa.PublicKey)

 	if !ok {

-		logrus.Infof("value isn't an ECDSA public key")

+		logrus.Debugf("value isn't an ECDSA public key")

 		return ErrInvalid

 	}

 	sigLength := len(sig)

 	expectedOctetLength := 2 * ((ecdsaPubKey.Params().BitSize + 7) >> 3)

 	if sigLength != expectedOctetLength {

-		logrus.Infof("signature had an unexpected length")

+		logrus.Debugf("signature had an unexpected length")

 		return ErrInvalid

 	}

@@ -275,7 +275,7 @@ func (v ECDSAVerifier) Verify(key data.PublicKey, sig []byte, msg []byte) error

 	digest := sha256.Sum256(msg)

 	if !ecdsa.Verify(ecdsaPubKey, digest[:], r, s) {

-		logrus.Infof("failed ECDSA signature validation")

+		logrus.Debugf("failed ECDSA signature validation")

 		return ErrInvalid

 	}