@@ -1,17 +1,5 @@

 package api

-import (

-	"encoding/json"

-	"encoding/pem"

-	"fmt"

-	"os"

-	"path/filepath"

-

-	"github.com/docker/docker/pkg/ioutils"

-	"github.com/docker/docker/pkg/system"

-	"github.com/docker/libtrust"

-)

-

 // Common constants for daemon and client.

 const (

 	// DefaultVersion of Current REST API

@@ -21,45 +9,3 @@ const (

 	// command to specify that no base image is to be used.

 	NoBaseImageSpecifier string = "scratch"

 )

-

-// LoadOrCreateTrustKey attempts to load the libtrust key at the given path,

-// otherwise generates a new one

-func LoadOrCreateTrustKey(trustKeyPath string) (libtrust.PrivateKey, error) {

-	err := system.MkdirAll(filepath.Dir(trustKeyPath), 0700, "")

-	if err != nil {

-		return nil, err

-	}

-	trustKey, err := libtrust.LoadKeyFile(trustKeyPath)

-	if err == libtrust.ErrKeyFileDoesNotExist {

-		trustKey, err = libtrust.GenerateECP256PrivateKey()

-		if err != nil {

-			return nil, fmt.Errorf("Error generating key: %s", err)

-		}

-		encodedKey, err := serializePrivateKey(trustKey, filepath.Ext(trustKeyPath))

-		if err != nil {

-			return nil, fmt.Errorf("Error serializing key: %s", err)

-		}

-		if err := ioutils.AtomicWriteFile(trustKeyPath, encodedKey, os.FileMode(0600)); err != nil {

-			return nil, fmt.Errorf("Error saving key file: %s", err)

-		}

-	} else if err != nil {

-		return nil, fmt.Errorf("Error loading key file %s: %s", trustKeyPath, err)

-	}

-	return trustKey, nil

-}

-

-func serializePrivateKey(key libtrust.PrivateKey, ext string) (encoded []byte, err error) {

-	if ext == ".json" || ext == ".jwk" {

-		encoded, err = json.Marshal(key)

-		if err != nil {

-			return nil, fmt.Errorf("unable to encode private key JWK: %s", err)

-		}

-	} else {

-		pemBlock, err := key.PEMBlock()

-		if err != nil {

-			return nil, fmt.Errorf("unable to encode private key PEM: %s", err)

-		}

-		encoded = pem.EncodeToMemory(pemBlock)

-	}

-	return

-}

deleted file mode 100644

@@ -1,77 +0,0 @@

-package api

-

-import (

-	"io/ioutil"

-	"path/filepath"

-	"testing"

-

-	"os"

-)

-

-// LoadOrCreateTrustKey

-func TestLoadOrCreateTrustKeyInvalidKeyFile(t *testing.T) {

-	tmpKeyFolderPath, err := ioutil.TempDir("", "api-trustkey-test")

-	if err != nil {

-		t.Fatal(err)

-	}

-	defer os.RemoveAll(tmpKeyFolderPath)

-

-	tmpKeyFile, err := ioutil.TempFile(tmpKeyFolderPath, "keyfile")

-	if err != nil {

-		t.Fatal(err)

-	}

-

-	if _, err := LoadOrCreateTrustKey(tmpKeyFile.Name()); err == nil {

-		t.Fatal("expected an error, got nothing.")

-	}

-

-}

-

-func TestLoadOrCreateTrustKeyCreateKey(t *testing.T) {

-	tmpKeyFolderPath, err := ioutil.TempDir("", "api-trustkey-test")

-	if err != nil {

-		t.Fatal(err)

-	}

-	defer os.RemoveAll(tmpKeyFolderPath)

-

-	// Without the need to create the folder hierarchy

-	tmpKeyFile := filepath.Join(tmpKeyFolderPath, "keyfile")

-

-	if key, err := LoadOrCreateTrustKey(tmpKeyFile); err != nil || key == nil {

-		t.Fatalf("expected a new key file, got : %v and %v", err, key)

-	}

-

-	if _, err := os.Stat(tmpKeyFile); err != nil {

-		t.Fatalf("Expected to find a file %s, got %v", tmpKeyFile, err)

-	}

-

-	// With the need to create the folder hierarchy as tmpKeyFie is in a path

-	// where some folders do not exist.

-	tmpKeyFile = filepath.Join(tmpKeyFolderPath, "folder/hierarchy/keyfile")

-

-	if key, err := LoadOrCreateTrustKey(tmpKeyFile); err != nil || key == nil {

-		t.Fatalf("expected a new key file, got : %v and %v", err, key)

-	}

-

-	if _, err := os.Stat(tmpKeyFile); err != nil {

-		t.Fatalf("Expected to find a file %s, got %v", tmpKeyFile, err)

-	}

-

-	// With no path at all

-	defer os.Remove("keyfile")

-	if key, err := LoadOrCreateTrustKey("keyfile"); err != nil || key == nil {

-		t.Fatalf("expected a new key file, got : %v and %v", err, key)

-	}

-

-	if _, err := os.Stat("keyfile"); err != nil {

-		t.Fatalf("Expected to find a file keyfile, got %v", err)

-	}

-}

-

-func TestLoadOrCreateTrustKeyLoadValidKey(t *testing.T) {

-	tmpKeyFile := filepath.Join("fixtures", "keyfile")

-

-	if key, err := LoadOrCreateTrustKey(tmpKeyFile); err != nil || key == nil {

-		t.Fatalf("expected a key file, got : %v and %v", err, key)

-	}

-}

deleted file mode 100644

@@ -1,7 +0,0 @@

-keyID: AWX2:I27X:WQFX:IOMK:CNAK:O7PW:VYNB:ZLKC:CVAE:YJP2:SI4A:XXAY

-

-MHcCAQEEILHTRWdcpKWsnORxSFyBnndJ4ROU41hMtr/GCiLVvwBQoAoGCCqGSM49

-AwEHoUQDQgAElpVFbQ2V2UQKajqdE3fVxJ+/pE/YuEFOxWbOxF2be19BY209/iky

-NzeFFK7SLpQ4CBJ7zDVXOHsMzrkY/GquGA==

@@ -19,7 +19,6 @@ import (

 	"time"

 	containerd "github.com/containerd/containerd/api/grpc/types"

-	"github.com/docker/docker/api"

 	"github.com/docker/docker/api/types"

 	containertypes "github.com/docker/docker/api/types/container"

 	"github.com/docker/docker/api/types/swarm"

@@ -713,7 +712,7 @@ func NewDaemon(config *config.Config, registryService registry.Service, containe

 		return nil, err

 	}

-	trustKey, err := api.LoadOrCreateTrustKey(config.TrustKeyPath)

+	trustKey, err := loadOrCreateTrustKey(config.TrustKeyPath)

 	if err != nil {

 		return nil, err

 	}

new file mode 100644

@@ -0,0 +1,7 @@

+-----BEGIN EC PRIVATE KEY-----

+keyID: AWX2:I27X:WQFX:IOMK:CNAK:O7PW:VYNB:ZLKC:CVAE:YJP2:SI4A:XXAY

+

+MHcCAQEEILHTRWdcpKWsnORxSFyBnndJ4ROU41hMtr/GCiLVvwBQoAoGCCqGSM49

+AwEHoUQDQgAElpVFbQ2V2UQKajqdE3fVxJ+/pE/YuEFOxWbOxF2be19BY209/iky

+NzeFFK7SLpQ4CBJ7zDVXOHsMzrkY/GquGA==

+-----END EC PRIVATE KEY-----

new file mode 100644

@@ -0,0 +1,57 @@

+package daemon

+

+import (

+	"encoding/json"

+	"encoding/pem"

+	"fmt"

+	"os"

+	"path/filepath"

+

+	"github.com/docker/docker/pkg/ioutils"

+	"github.com/docker/docker/pkg/system"

+	"github.com/docker/libtrust"

+)

+

+// LoadOrCreateTrustKey attempts to load the libtrust key at the given path,

+// otherwise generates a new one

+// TODO: this should use more of libtrust.LoadOrCreateTrustKey which may need

+// a refactor or this function to be moved into libtrust

+func loadOrCreateTrustKey(trustKeyPath string) (libtrust.PrivateKey, error) {

+	err := system.MkdirAll(filepath.Dir(trustKeyPath), 0700, "")

+	if err != nil {

+		return nil, err

+	}

+	trustKey, err := libtrust.LoadKeyFile(trustKeyPath)

+	if err == libtrust.ErrKeyFileDoesNotExist {

+		trustKey, err = libtrust.GenerateECP256PrivateKey()

+		if err != nil {

+			return nil, fmt.Errorf("Error generating key: %s", err)

+		}

+		encodedKey, err := serializePrivateKey(trustKey, filepath.Ext(trustKeyPath))

+		if err != nil {

+			return nil, fmt.Errorf("Error serializing key: %s", err)

+		}

+		if err := ioutils.AtomicWriteFile(trustKeyPath, encodedKey, os.FileMode(0600)); err != nil {

+			return nil, fmt.Errorf("Error saving key file: %s", err)

+		}

+	} else if err != nil {

+		return nil, fmt.Errorf("Error loading key file %s: %s", trustKeyPath, err)

+	}

+	return trustKey, nil

+}

+

+func serializePrivateKey(key libtrust.PrivateKey, ext string) (encoded []byte, err error) {

+	if ext == ".json" || ext == ".jwk" {

+		encoded, err = json.Marshal(key)

+		if err != nil {

+			return nil, fmt.Errorf("unable to encode private key JWK: %s", err)

+		}

+	} else {

+		pemBlock, err := key.PEMBlock()

+		if err != nil {

+			return nil, fmt.Errorf("unable to encode private key PEM: %s", err)

+		}

+		encoded = pem.EncodeToMemory(pemBlock)

+	}

+	return

+}

new file mode 100644

@@ -0,0 +1,72 @@

+package daemon

+

+import (

+	"io/ioutil"

+	"os"

+	"path/filepath"

+	"testing"

+

+	"github.com/docker/docker/internal/testutil"

+	"github.com/gotestyourself/gotestyourself/fs"

+	"github.com/stretchr/testify/assert"

+	"github.com/stretchr/testify/require"

+)

+

+// LoadOrCreateTrustKey

+func TestLoadOrCreateTrustKeyInvalidKeyFile(t *testing.T) {

+	tmpKeyFolderPath, err := ioutil.TempDir("", "api-trustkey-test")

+	require.NoError(t, err)

+	defer os.RemoveAll(tmpKeyFolderPath)

+

+	tmpKeyFile, err := ioutil.TempFile(tmpKeyFolderPath, "keyfile")

+	require.NoError(t, err)

+

+	_, err = loadOrCreateTrustKey(tmpKeyFile.Name())

+	testutil.ErrorContains(t, err, "Error loading key file")

+}

+

+func TestLoadOrCreateTrustKeyCreateKeyWhenFileDoesNotExist(t *testing.T) {

+	tmpKeyFolderPath := fs.NewDir(t, "api-trustkey-test")

+	defer tmpKeyFolderPath.Remove()

+

+	// Without the need to create the folder hierarchy

+	tmpKeyFile := tmpKeyFolderPath.Join("keyfile")

+

+	key, err := loadOrCreateTrustKey(tmpKeyFile)

+	require.NoError(t, err)

+	assert.NotNil(t, key)

+

+	_, err = os.Stat(tmpKeyFile)

+	require.NoError(t, err, "key file doesn't exist")

+}

+

+func TestLoadOrCreateTrustKeyCreateKeyWhenDirectoryDoesNotExist(t *testing.T) {

+	tmpKeyFolderPath := fs.NewDir(t, "api-trustkey-test")

+	defer tmpKeyFolderPath.Remove()

+	tmpKeyFile := tmpKeyFolderPath.Join("folder/hierarchy/keyfile")

+

+	key, err := loadOrCreateTrustKey(tmpKeyFile)

+	require.NoError(t, err)

+	assert.NotNil(t, key)

+

+	_, err = os.Stat(tmpKeyFile)

+	require.NoError(t, err, "key file doesn't exist")

+}

+

+func TestLoadOrCreateTrustKeyCreateKeyNoPath(t *testing.T) {

+	defer os.Remove("keyfile")

+	key, err := loadOrCreateTrustKey("keyfile")

+	require.NoError(t, err)

+	assert.NotNil(t, key)

+

+	_, err = os.Stat("keyfile")

+	require.NoError(t, err, "key file doesn't exist")

+}

+

+func TestLoadOrCreateTrustKeyLoadValidKey(t *testing.T) {

+	tmpKeyFile := filepath.Join("testdata", "keyfile")

+	key, err := loadOrCreateTrustKey(tmpKeyFile)

+	require.NoError(t, err)

+	expected := "AWX2:I27X:WQFX:IOMK:CNAK:O7PW:VYNB:ZLKC:CVAE:YJP2:SI4A:XXAY"

+	assert.Contains(t, key.String(), expected)

+}