Signed-off-by: cyli <cyli@twistedmatrix.com>
cyli authored on 2016/01/28 02:46:26... | ... |
@@ -168,7 +168,7 @@ RUN set -x \ |
168 | 168 |
&& rm -rf "$GOPATH" |
169 | 169 |
|
170 | 170 |
# Install notary server |
171 |
-ENV NOTARY_VERSION docker-v1.10-4 |
|
171 |
+ENV NOTARY_VERSION docker-v1.10-5 |
|
172 | 172 |
RUN set -x \ |
173 | 173 |
&& export GOPATH="$(mktemp -d)" \ |
174 | 174 |
&& git clone https://github.com/docker/notary.git "$GOPATH/src/github.com/docker/notary" \ |
... | ... |
@@ -145,7 +145,7 @@ RUN set -x \ |
145 | 145 |
&& rm -rf "$GOPATH" |
146 | 146 |
|
147 | 147 |
# Install notary server |
148 |
-ENV NOTARY_VERSION docker-v1.10-4 |
|
148 |
+ENV NOTARY_VERSION docker-v1.10-5 |
|
149 | 149 |
RUN set -x \ |
150 | 150 |
&& export GOPATH="$(mktemp -d)" \ |
151 | 151 |
&& git clone https://github.com/docker/notary.git "$GOPATH/src/github.com/docker/notary" \ |
... | ... |
@@ -116,7 +116,7 @@ RUN set -x \ |
116 | 116 |
&& rm -rf "$GOPATH" |
117 | 117 |
|
118 | 118 |
# Install notary server |
119 |
-#ENV NOTARY_VERSION docker-v1.10-4 |
|
119 |
+#ENV NOTARY_VERSION docker-v1.10-5 |
|
120 | 120 |
#RUN set -x \ |
121 | 121 |
# && export GOPATH="$(mktemp -d)" \ |
122 | 122 |
# && git clone https://github.com/docker/notary.git "$GOPATH/src/github.com/docker/notary" \ |
... | ... |
@@ -116,7 +116,7 @@ RUN set -x \ |
116 | 116 |
&& rm -rf "$GOPATH" |
117 | 117 |
|
118 | 118 |
# Install notary server |
119 |
-ENV NOTARY_VERSION docker-v1.10-4 |
|
119 |
+ENV NOTARY_VERSION docker-v1.10-5 |
|
120 | 120 |
RUN set -x \ |
121 | 121 |
&& export GOPATH="$(mktemp -d)" \ |
122 | 122 |
&& git clone https://github.com/docker/notary.git "$GOPATH/src/github.com/docker/notary" \ |
... | ... |
@@ -50,7 +50,7 @@ clone git github.com/docker/distribution c301f8ab27f4913c968b8d73a38e5dda79b9d3d |
50 | 50 |
clone git github.com/vbatts/tar-split v0.9.11 |
51 | 51 |
|
52 | 52 |
# get desired notary commit, might also need to be updated in Dockerfile |
53 |
-clone git github.com/docker/notary docker-v1.10-4 |
|
53 |
+clone git github.com/docker/notary docker-v1.10-5 |
|
54 | 54 |
|
55 | 55 |
clone git google.golang.org/grpc 174192fc93efcb188fc8f46ca447f0da606b6885 https://github.com/grpc/grpc-go.git |
56 | 56 |
clone git github.com/miekg/pkcs11 80f102b5cac759de406949c47f0928b99bd64cdf |
... | ... |
@@ -34,7 +34,7 @@ _space := $(empty) $(empty) |
34 | 34 |
COVERDIR=.cover |
35 | 35 |
COVERPROFILE?=$(COVERDIR)/cover.out |
36 | 36 |
COVERMODE=count |
37 |
-PKGS = $(shell go list ./... | tr '\n' ' ') |
|
37 |
+PKGS ?= $(shell go list ./... | tr '\n' ' ') |
|
38 | 38 |
|
39 | 39 |
GO_VERSION = $(shell go version | awk '{print $$3}') |
40 | 40 |
|
... | ... |
@@ -124,7 +124,7 @@ endef |
124 | 124 |
gen-cover: go_version |
125 | 125 |
@mkdir -p "$(COVERDIR)" |
126 | 126 |
$(foreach PKG,$(PKGS),$(call gocover,$(PKG))) |
127 |
- rm "$(COVERDIR)"/*testutils*.coverage.txt |
|
127 |
+ rm -f "$(COVERDIR)"/*testutils*.coverage.txt |
|
128 | 128 |
|
129 | 129 |
# Generates the cover binaries and runs them all in serial, so this can be used |
130 | 130 |
# run all tests with a yubikey without any problems |
... | ... |
@@ -140,6 +140,9 @@ ci: OPTS = -tags "${NOTARY_BUILDTAGS}" -race -coverpkg "$(shell ./coverpkg.sh $( |
140 | 140 |
# Codecov knows how to merge multiple coverage files, so covmerge is not needed |
141 | 141 |
ci: gen-cover |
142 | 142 |
|
143 |
+yubikey-tests: override PKGS = github.com/docker/notary/cmd/notary github.com/docker/notary/trustmanager/yubikey |
|
144 |
+yubikey-tests: ci |
|
145 |
+ |
|
143 | 146 |
covmerge: |
144 | 147 |
@gocovmerge $(shell ls -1 $(COVERDIR)/* | tr "\n" " ") > $(COVERPROFILE) |
145 | 148 |
@go tool cover -func="$(COVERPROFILE)" |
... | ... |
@@ -18,8 +18,6 @@ machine: |
18 | 18 |
CIRCLE_PAIN: "mode: set" |
19 | 19 |
# Put the coverage profile somewhere codecov's script can find it |
20 | 20 |
COVERPROFILE: coverage.out |
21 |
- # Set the pull request number so codecov can figure it out |
|
22 |
- PULL_REQUEST: ${CI_PULL_REQUEST##*/} |
|
23 | 21 |
|
24 | 22 |
hosts: |
25 | 23 |
# Not used yet |
... | ... |
@@ -2,6 +2,8 @@ package notary |
2 | 2 |
|
3 | 3 |
// application wide constants |
4 | 4 |
const ( |
5 |
+ // MinRSABitSize is the minimum bit size for RSA keys allowed in notary |
|
6 |
+ MinRSABitSize = 2048 |
|
5 | 7 |
// MinThreshold requires a minimum of one threshold for roles; currently we do not support a higher threshold |
6 | 8 |
MinThreshold = 1 |
7 | 9 |
// PrivKeyPerms are the file permissions to use when writing private keys to disk |
... | ... |
@@ -19,6 +19,7 @@ import ( |
19 | 19 |
|
20 | 20 |
"github.com/Sirupsen/logrus" |
21 | 21 |
"github.com/agl/ed25519" |
22 |
+ "github.com/docker/notary" |
|
22 | 23 |
"github.com/docker/notary/tuf/data" |
23 | 24 |
) |
24 | 25 |
|
... | ... |
@@ -324,7 +325,7 @@ func ParsePEMPublicKey(pubKeyBytes []byte) (data.PublicKey, error) { |
324 | 324 |
} |
325 | 325 |
|
326 | 326 |
// ValidateCertificate returns an error if the certificate is not valid for notary |
327 |
-// Currently, this is only a time expiry check |
|
327 |
+// Currently this is only a time expiry check, and ensuring the public key has a large enough modulus if RSA |
|
328 | 328 |
func ValidateCertificate(c *x509.Certificate) error { |
329 | 329 |
if (c.NotBefore).After(c.NotAfter) { |
330 | 330 |
return fmt.Errorf("certificate validity window is invalid") |
... | ... |
@@ -335,6 +336,16 @@ func ValidateCertificate(c *x509.Certificate) error { |
335 | 335 |
if (tomorrow).Before(c.NotBefore) || now.After(c.NotAfter) { |
336 | 336 |
return fmt.Errorf("certificate is expired") |
337 | 337 |
} |
338 |
+ // If we have an RSA key, make sure it's long enough |
|
339 |
+ if c.PublicKeyAlgorithm == x509.RSA { |
|
340 |
+ rsaKey, ok := c.PublicKey.(*rsa.PublicKey) |
|
341 |
+ if !ok { |
|
342 |
+ return fmt.Errorf("unable to parse RSA public key") |
|
343 |
+ } |
|
344 |
+ if rsaKey.N.BitLen() < notary.MinRSABitSize { |
|
345 |
+ return fmt.Errorf("RSA bit length is too short") |
|
346 |
+ } |
|
347 |
+ } |
|
338 | 348 |
return nil |
339 | 349 |
} |
340 | 350 |
|
... | ... |
@@ -54,7 +54,7 @@ func (c *Client) Update() error { |
54 | 54 |
if err != nil { |
55 | 55 |
logrus.Debug("Error occurred. Root will be downloaded and another update attempted") |
56 | 56 |
if err := c.downloadRoot(); err != nil { |
57 |
- logrus.Error("Client Update (Root):", err) |
|
57 |
+ logrus.Debug("Client Update (Root):", err) |
|
58 | 58 |
return err |
59 | 59 |
} |
60 | 60 |
// If we error again, we now have the latest root and just want to fail |
... | ... |
@@ -68,12 +68,12 @@ func (c *Client) Update() error { |
68 | 68 |
func (c *Client) update() error { |
69 | 69 |
err := c.downloadTimestamp() |
70 | 70 |
if err != nil { |
71 |
- logrus.Errorf("Client Update (Timestamp): %s", err.Error()) |
|
71 |
+ logrus.Debugf("Client Update (Timestamp): %s", err.Error()) |
|
72 | 72 |
return err |
73 | 73 |
} |
74 | 74 |
err = c.downloadSnapshot() |
75 | 75 |
if err != nil { |
76 |
- logrus.Errorf("Client Update (Snapshot): %s", err.Error()) |
|
76 |
+ logrus.Debugf("Client Update (Snapshot): %s", err.Error()) |
|
77 | 77 |
return err |
78 | 78 |
} |
79 | 79 |
err = c.checkRoot() |
... | ... |
@@ -86,7 +86,7 @@ func (c *Client) update() error { |
86 | 86 |
// will always need top level targets at a minimum |
87 | 87 |
err = c.downloadTargets("targets") |
88 | 88 |
if err != nil { |
89 |
- logrus.Errorf("Client Update (Targets): %s", err.Error()) |
|
89 |
+ logrus.Debugf("Client Update (Targets): %s", err.Error()) |
|
90 | 90 |
return err |
91 | 91 |
} |
92 | 92 |
return nil |
... | ... |
@@ -60,7 +60,7 @@ func (v Ed25519Verifier) Verify(key data.PublicKey, sig []byte, msg []byte) erro |
60 | 60 |
} |
61 | 61 |
var sigBytes [ed25519.SignatureSize]byte |
62 | 62 |
if len(sig) != ed25519.SignatureSize { |
63 |
- logrus.Infof("signature length is incorrect, must be %d, was %d.", ed25519.SignatureSize, len(sig)) |
|
63 |
+ logrus.Debugf("signature length is incorrect, must be %d, was %d.", ed25519.SignatureSize, len(sig)) |
|
64 | 64 |
return ErrInvalid |
65 | 65 |
} |
66 | 66 |
copy(sigBytes[:], sig) |
... | ... |
@@ -78,7 +78,7 @@ func (v Ed25519Verifier) Verify(key data.PublicKey, sig []byte, msg []byte) erro |
78 | 78 |
} |
79 | 79 |
|
80 | 80 |
if !ed25519.Verify(&keyBytes, msg, &sigBytes) { |
81 |
- logrus.Infof("failed ed25519 verification") |
|
81 |
+ logrus.Debugf("failed ed25519 verification") |
|
82 | 82 |
return ErrInvalid |
83 | 83 |
} |
84 | 84 |
return nil |
... | ... |
@@ -87,23 +87,23 @@ func (v Ed25519Verifier) Verify(key data.PublicKey, sig []byte, msg []byte) erro |
87 | 87 |
func verifyPSS(key interface{}, digest, sig []byte) error { |
88 | 88 |
rsaPub, ok := key.(*rsa.PublicKey) |
89 | 89 |
if !ok { |
90 |
- logrus.Infof("value was not an RSA public key") |
|
90 |
+ logrus.Debugf("value was not an RSA public key") |
|
91 | 91 |
return ErrInvalid |
92 | 92 |
} |
93 | 93 |
|
94 | 94 |
if rsaPub.N.BitLen() < minRSAKeySizeBit { |
95 |
- logrus.Infof("RSA keys less than 2048 bits are not acceptable, provided key has length %d.", rsaPub.N.BitLen()) |
|
95 |
+ logrus.Debugf("RSA keys less than 2048 bits are not acceptable, provided key has length %d.", rsaPub.N.BitLen()) |
|
96 | 96 |
return ErrInvalidKeyLength{msg: fmt.Sprintf("RSA key must be at least %d bits.", minRSAKeySizeBit)} |
97 | 97 |
} |
98 | 98 |
|
99 | 99 |
if len(sig) < minRSAKeySizeByte { |
100 |
- logrus.Infof("RSA keys less than 2048 bits are not acceptable, provided signature has length %d.", len(sig)) |
|
100 |
+ logrus.Debugf("RSA keys less than 2048 bits are not acceptable, provided signature has length %d.", len(sig)) |
|
101 | 101 |
return ErrInvalid |
102 | 102 |
} |
103 | 103 |
|
104 | 104 |
opts := rsa.PSSOptions{SaltLength: sha256.Size, Hash: crypto.SHA256} |
105 | 105 |
if err := rsa.VerifyPSS(rsaPub, crypto.SHA256, digest[:], sig, &opts); err != nil { |
106 |
- logrus.Infof("failed RSAPSS verification: %s", err) |
|
106 |
+ logrus.Debugf("failed RSAPSS verification: %s", err) |
|
107 | 107 |
return ErrInvalid |
108 | 108 |
} |
109 | 109 |
return nil |
... | ... |
@@ -117,12 +117,12 @@ func getRSAPubKey(key data.PublicKey) (crypto.PublicKey, error) { |
117 | 117 |
case data.RSAx509Key: |
118 | 118 |
pemCert, _ := pem.Decode([]byte(key.Public())) |
119 | 119 |
if pemCert == nil { |
120 |
- logrus.Infof("failed to decode PEM-encoded x509 certificate") |
|
120 |
+ logrus.Debugf("failed to decode PEM-encoded x509 certificate") |
|
121 | 121 |
return nil, ErrInvalid |
122 | 122 |
} |
123 | 123 |
cert, err := x509.ParseCertificate(pemCert.Bytes) |
124 | 124 |
if err != nil { |
125 |
- logrus.Infof("failed to parse x509 certificate: %s\n", err) |
|
125 |
+ logrus.Debugf("failed to parse x509 certificate: %s\n", err) |
|
126 | 126 |
return nil, ErrInvalid |
127 | 127 |
} |
128 | 128 |
pubKey = cert.PublicKey |
... | ... |
@@ -130,12 +130,12 @@ func getRSAPubKey(key data.PublicKey) (crypto.PublicKey, error) { |
130 | 130 |
var err error |
131 | 131 |
pubKey, err = x509.ParsePKIXPublicKey(key.Public()) |
132 | 132 |
if err != nil { |
133 |
- logrus.Infof("failed to parse public key: %s\n", err) |
|
133 |
+ logrus.Debugf("failed to parse public key: %s\n", err) |
|
134 | 134 |
return nil, ErrInvalid |
135 | 135 |
} |
136 | 136 |
default: |
137 | 137 |
// only accept RSA keys |
138 |
- logrus.Infof("invalid key type for RSAPSS verifier: %s", algorithm) |
|
138 |
+ logrus.Debugf("invalid key type for RSAPSS verifier: %s", algorithm) |
|
139 | 139 |
return nil, ErrInvalidKeyType{} |
140 | 140 |
} |
141 | 141 |
|
... | ... |
@@ -172,17 +172,17 @@ func (v RSAPKCS1v15Verifier) Verify(key data.PublicKey, sig []byte, msg []byte) |
172 | 172 |
|
173 | 173 |
rsaPub, ok := pubKey.(*rsa.PublicKey) |
174 | 174 |
if !ok { |
175 |
- logrus.Infof("value was not an RSA public key") |
|
175 |
+ logrus.Debugf("value was not an RSA public key") |
|
176 | 176 |
return ErrInvalid |
177 | 177 |
} |
178 | 178 |
|
179 | 179 |
if rsaPub.N.BitLen() < minRSAKeySizeBit { |
180 |
- logrus.Infof("RSA keys less than 2048 bits are not acceptable, provided key has length %d.", rsaPub.N.BitLen()) |
|
180 |
+ logrus.Debugf("RSA keys less than 2048 bits are not acceptable, provided key has length %d.", rsaPub.N.BitLen()) |
|
181 | 181 |
return ErrInvalidKeyLength{msg: fmt.Sprintf("RSA key must be at least %d bits.", minRSAKeySizeBit)} |
182 | 182 |
} |
183 | 183 |
|
184 | 184 |
if len(sig) < minRSAKeySizeByte { |
185 |
- logrus.Infof("RSA keys less than 2048 bits are not acceptable, provided signature has length %d.", len(sig)) |
|
185 |
+ logrus.Debugf("RSA keys less than 2048 bits are not acceptable, provided signature has length %d.", len(sig)) |
|
186 | 186 |
return ErrInvalid |
187 | 187 |
} |
188 | 188 |
|
... | ... |
@@ -207,13 +207,13 @@ func (v RSAPyCryptoVerifier) Verify(key data.PublicKey, sig []byte, msg []byte) |
207 | 207 |
|
208 | 208 |
k, _ := pem.Decode([]byte(key.Public())) |
209 | 209 |
if k == nil { |
210 |
- logrus.Infof("failed to decode PEM-encoded x509 certificate") |
|
210 |
+ logrus.Debugf("failed to decode PEM-encoded x509 certificate") |
|
211 | 211 |
return ErrInvalid |
212 | 212 |
} |
213 | 213 |
|
214 | 214 |
pub, err := x509.ParsePKIXPublicKey(k.Bytes) |
215 | 215 |
if err != nil { |
216 |
- logrus.Infof("failed to parse public key: %s\n", err) |
|
216 |
+ logrus.Debugf("failed to parse public key: %s\n", err) |
|
217 | 217 |
return ErrInvalid |
218 | 218 |
} |
219 | 219 |
|
... | ... |
@@ -232,13 +232,13 @@ func (v ECDSAVerifier) Verify(key data.PublicKey, sig []byte, msg []byte) error |
232 | 232 |
case data.ECDSAx509Key: |
233 | 233 |
pemCert, _ := pem.Decode([]byte(key.Public())) |
234 | 234 |
if pemCert == nil { |
235 |
- logrus.Infof("failed to decode PEM-encoded x509 certificate for keyID: %s", key.ID()) |
|
235 |
+ logrus.Debugf("failed to decode PEM-encoded x509 certificate for keyID: %s", key.ID()) |
|
236 | 236 |
logrus.Debugf("certificate bytes: %s", string(key.Public())) |
237 | 237 |
return ErrInvalid |
238 | 238 |
} |
239 | 239 |
cert, err := x509.ParseCertificate(pemCert.Bytes) |
240 | 240 |
if err != nil { |
241 |
- logrus.Infof("failed to parse x509 certificate: %s\n", err) |
|
241 |
+ logrus.Debugf("failed to parse x509 certificate: %s\n", err) |
|
242 | 242 |
return ErrInvalid |
243 | 243 |
} |
244 | 244 |
pubKey = cert.PublicKey |
... | ... |
@@ -246,25 +246,25 @@ func (v ECDSAVerifier) Verify(key data.PublicKey, sig []byte, msg []byte) error |
246 | 246 |
var err error |
247 | 247 |
pubKey, err = x509.ParsePKIXPublicKey(key.Public()) |
248 | 248 |
if err != nil { |
249 |
- logrus.Infof("Failed to parse private key for keyID: %s, %s\n", key.ID(), err) |
|
249 |
+ logrus.Debugf("Failed to parse private key for keyID: %s, %s\n", key.ID(), err) |
|
250 | 250 |
return ErrInvalid |
251 | 251 |
} |
252 | 252 |
default: |
253 | 253 |
// only accept ECDSA keys. |
254 |
- logrus.Infof("invalid key type for ECDSA verifier: %s", algorithm) |
|
254 |
+ logrus.Debugf("invalid key type for ECDSA verifier: %s", algorithm) |
|
255 | 255 |
return ErrInvalidKeyType{} |
256 | 256 |
} |
257 | 257 |
|
258 | 258 |
ecdsaPubKey, ok := pubKey.(*ecdsa.PublicKey) |
259 | 259 |
if !ok { |
260 |
- logrus.Infof("value isn't an ECDSA public key") |
|
260 |
+ logrus.Debugf("value isn't an ECDSA public key") |
|
261 | 261 |
return ErrInvalid |
262 | 262 |
} |
263 | 263 |
|
264 | 264 |
sigLength := len(sig) |
265 | 265 |
expectedOctetLength := 2 * ((ecdsaPubKey.Params().BitSize + 7) >> 3) |
266 | 266 |
if sigLength != expectedOctetLength { |
267 |
- logrus.Infof("signature had an unexpected length") |
|
267 |
+ logrus.Debugf("signature had an unexpected length") |
|
268 | 268 |
return ErrInvalid |
269 | 269 |
} |
270 | 270 |
|
... | ... |
@@ -275,7 +275,7 @@ func (v ECDSAVerifier) Verify(key data.PublicKey, sig []byte, msg []byte) error |
275 | 275 |
digest := sha256.Sum256(msg) |
276 | 276 |
|
277 | 277 |
if !ecdsa.Verify(ecdsaPubKey, digest[:], r, s) { |
278 |
- logrus.Infof("failed ECDSA signature validation") |
|
278 |
+ logrus.Debugf("failed ECDSA signature validation") |
|
279 | 279 |
return ErrInvalid |
280 | 280 |
} |
281 | 281 |
|