@@ -68,7 +68,7 @@ func LoadOrCreateTrustKey(trustKeyPath string) (libtrust.PrivateKey, error) {

 			return nil, fmt.Errorf("Error saving key file: %s", err)

 		}

 	} else if err != nil {

-		log.Fatalf("Error loading key file: %s", err)

+		return nil, fmt.Errorf("Error loading key file: %s", err)

 	}

 	return trustKey, nil

 }

@@ -9,6 +9,7 @@ import (

 	"net/http/httptest"

 	"os"

 	"path"

+	"path/filepath"

 	"strings"

 	"testing"

 	"time"

@@ -187,6 +188,7 @@ func newTestEngine(t Fataler, autorestart bool, root string) *engine.Engine {

 		// Either InterContainerCommunication or EnableIptables must be set,

 		// otherwise NewDaemon will fail because of conflicting settings.

 		InterContainerCommunication: true,

+		TrustKeyPath:                filepath.Join(root, "key.json"),

 	}

 	d, err := daemon.NewDaemon(cfg, eng)

 	if err != nil {

@@ -51,7 +51,7 @@ clone hg code.google.com/p/go.net 84a4013f96e0

 clone hg code.google.com/p/gosqlite 74691fb6f837

-clone git github.com/docker/libtrust d273ef2565ca

+clone git github.com/docker/libtrust 230dfd18c232

 clone git github.com/Sirupsen/logrus v0.6.0

@@ -55,16 +55,7 @@ func (k *ecPublicKey) CurveName() string {

 // KeyID returns a distinct identifier which is unique to this Public Key.

 func (k *ecPublicKey) KeyID() string {

-	// Generate and return a libtrust fingerprint of the EC public key.

-	// For an EC key this should be:

-	//   SHA256("EC"+curveName+bytes(X)+bytes(Y))

-	// Then truncated to 240 bits and encoded into 12 base32 groups like so:

-	//   ABCD:EFGH:IJKL:MNOP:QRST:UVWX:YZ23:4567:ABCD:EFGH:IJKL:MNOP

-	hasher := crypto.SHA256.New()

-	hasher.Write([]byte(k.KeyType() + k.CurveName()))

-	hasher.Write(k.X.Bytes())

-	hasher.Write(k.Y.Bytes())

-	return keyIDEncode(hasher.Sum(nil)[:30])

+	return keyIDFromCryptoKey(k)

 }

 func (k *ecPublicKey) String() string {

@@ -11,9 +11,21 @@ func FilterByHosts(keys []PublicKey, host string, includeEmpty bool) ([]PublicKe

 	filtered := make([]PublicKey, 0, len(keys))

 	for _, pubKey := range keys {

-		hosts, ok := pubKey.GetExtendedField("hosts").([]interface{})

+		var hosts []string

+		switch v := pubKey.GetExtendedField("hosts").(type) {

+		case []string:

+			hosts = v

+		case []interface{}:

+			for _, value := range v {

+				h, ok := value.(string)

+				if !ok {

+					continue

+				}

+				hosts = append(hosts, h)

+			}

+		}

-		if !ok || (ok && len(hosts) == 0) {

+		if len(hosts) == 0 {

 			if includeEmpty {

 				filtered = append(filtered, pubKey)

 			}

@@ -21,12 +33,7 @@ func FilterByHosts(keys []PublicKey, host string, includeEmpty bool) ([]PublicKe

 		}

 		// Check if any hosts match pattern

-		for _, hostVal := range hosts {

-			hostPattern, ok := hostVal.(string)

-			if !ok {

-				continue

-			}

-

+		for _, hostPattern := range hosts {

 			match, err := filepath.Match(hostPattern, host)

 			if err != nil {

 				return nil, err

@@ -37,7 +44,6 @@ func FilterByHosts(keys []PublicKey, host string, includeEmpty bool) ([]PublicKe

 				continue

 			}

 		}

-

 	}

 	return filtered, nil

@@ -27,6 +27,8 @@ func TestFilter(t *testing.T) {

 			t.Fatal(err)

 		}

+		// we use both []interface{} and []string here because jwt uses

+		// []interface{} format, while PEM uses []string

 		switch {

 		case i == 0:

 			// Don't add entries for this key, key 0.

@@ -36,10 +38,10 @@ func TestFilter(t *testing.T) {

 			key.AddExtendedField("hosts", []interface{}{"*.even.example.com"})

 		case i == 7:

 			// Should catch only the last key, and make it match any hostname.

-			key.AddExtendedField("hosts", []interface{}{"*"})

+			key.AddExtendedField("hosts", []string{"*"})

 		default:

 			// should catch keys 1, 3, 5.

-			key.AddExtendedField("hosts", []interface{}{"*.example.com"})

+			key.AddExtendedField("hosts", []string{"*.example.com"})

 		}

 		keys = append(keys, key)

@@ -138,7 +138,7 @@ func testTrustedHostKeysFile(t *testing.T, trustedHostKeysFilename string) {

 	}

 	for addr, hostKey := range trustedHostKeysMapping {

-		t.Logf("Host Address: %s\n", addr)

+		t.Logf("Host Address: %d\n", addr)

 		t.Logf("Host Key: %s\n\n", hostKey)

 	}

@@ -160,7 +160,7 @@ func testTrustedHostKeysFile(t *testing.T, trustedHostKeysFilename string) {

 	}

 	for addr, hostKey := range trustedHostKeysMapping {

-		t.Logf("Host Address: %s\n", addr)

+		t.Logf("Host Address: %d\n", addr)

 		t.Logf("Host Key: %s\n\n", hostKey)

 	}

@@ -34,16 +34,7 @@ func (k *rsaPublicKey) KeyType() string {

 // KeyID returns a distinct identifier which is unique to this Public Key.

 func (k *rsaPublicKey) KeyID() string {

-	// Generate and return a 'libtrust' fingerprint of the RSA public key.

-	// For an RSA key this should be:

-	//   SHA256("RSA"+bytes(N)+bytes(E))

-	// Then truncated to 240 bits and encoded into 12 base32 groups like so:

-	//   ABCD:EFGH:IJKL:MNOP:QRST:UVWX:YZ23:4567:ABCD:EFGH:IJKL:MNOP

-	hasher := crypto.SHA256.New()

-	hasher.Write([]byte(k.KeyType()))

-	hasher.Write(k.N.Bytes())

-	hasher.Write(serializeRSAPublicExponentParam(k.E))

-	return keyIDEncode(hasher.Sum(nil)[:30])

+	return keyIDFromCryptoKey(k)

 }

 func (k *rsaPublicKey) String() string {

@@ -201,7 +201,7 @@ func TestCollapseGrants(t *testing.T) {

 	collapsedGrants, expiration, err := CollapseStatements(statements, false)

 	if len(collapsedGrants) != 12 {

-		t.Fatalf("Unexpected number of grants\n\tExpected: %d\n\tActual: %s", 12, len(collapsedGrants))

+		t.Fatalf("Unexpected number of grants\n\tExpected: %d\n\tActual: %d", 12, len(collapsedGrants))

 	}

 	if expiration.After(time.Now().Add(time.Hour*5)) || expiration.Before(time.Now()) {

 		t.Fatalf("Unexpected expiration time: %s", expiration.String())

@@ -261,7 +261,7 @@ func TestCollapseGrants(t *testing.T) {

 	collapsedGrants, expiration, err = CollapseStatements(statements, false)

 	if len(collapsedGrants) != 12 {

-		t.Fatalf("Unexpected number of grants\n\tExpected: %d\n\tActual: %s", 12, len(collapsedGrants))

+		t.Fatalf("Unexpected number of grants\n\tExpected: %d\n\tActual: %d", 12, len(collapsedGrants))

 	}

 	if expiration.After(time.Now().Add(time.Hour*5)) || expiration.Before(time.Now()) {

 		t.Fatalf("Unexpected expiration time: %s", expiration.String())

@@ -2,6 +2,7 @@ package libtrust

 import (

 	"bytes"

+	"crypto"

 	"crypto/elliptic"

 	"crypto/x509"

 	"encoding/base32"

@@ -52,6 +53,21 @@ func keyIDEncode(b []byte) string {

 	return buf.String()

 }

+func keyIDFromCryptoKey(pubKey PublicKey) string {

+	// Generate and return a 'libtrust' fingerprint of the public key.

+	// For an RSA key this should be:

+	//   SHA256(DER encoded ASN1)

+	// Then truncated to 240 bits and encoded into 12 base32 groups like so:

+	//   ABCD:EFGH:IJKL:MNOP:QRST:UVWX:YZ23:4567:ABCD:EFGH:IJKL:MNOP

+	derBytes, err := x509.MarshalPKIXPublicKey(pubKey.CryptoPublicKey())

+	if err != nil {

+		return ""

+	}

+	hasher := crypto.SHA256.New()

+	hasher.Write(derBytes)

+	return keyIDEncode(hasher.Sum(nil)[:30])

+}

+

 func stringFromMap(m map[string]interface{}, key string) (string, error) {

 	val, ok := m[key]

 	if !ok {

new file mode 100644

@@ -0,0 +1,23 @@

+package libtrust

+

+import (

+	"encoding/pem"

+	"reflect"

+	"testing"

+)

+

+func TestAddPEMHeadersToKey(t *testing.T) {

+	pk := &rsaPublicKey{nil, map[string]interface{}{}}

+	blk := &pem.Block{Headers: map[string]string{"hosts": "localhost,127.0.0.1"}}

+	addPEMHeadersToKey(blk, pk)

+

+	val := pk.GetExtendedField("hosts")

+	hosts, ok := val.([]string)

+	if !ok {

+		t.Fatalf("hosts type(%v), expected []string", reflect.TypeOf(val))

+	}

+	expected := []string{"localhost", "127.0.0.1"}

+	if !reflect.DeepEqual(hosts, expected) {

+		t.Errorf("hosts(%v), expected %v", hosts, expected)

+	}

+}