kotovalexarian-likes-github/moby--moby
1
0
Fork 0
mirror of https://github.com/moby/moby.git synced 2022-11-09 12:21:53 -05:00
Code Releases Activity

Include a new version of notary with less verbose INFO+ logging

Browse source 
Signed-off-by: cyli <cyli@twistedmatrix.com>
This commit is contained in:
cyli 2016-01-27 09:46:26 -08:00 committed by Tibor Vass
parent a8bf0dad6f
commit 16ba075162
11 changed files with 50 additions and 36 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
Dockerfile
View file

@ -168,7 +168,7 @@ RUN set -x \
&& rm -rf "$GOPATH" && rm -rf "$GOPATH"
# Install notary server # Install notary server
ENV NOTARY_VERSION docker-v1.10-4 ENV NOTARY_VERSION docker-v1.10-5
RUN set -x \ RUN set -x \
&& export GOPATH="$(mktemp -d)" \ && export GOPATH="$(mktemp -d)" \
&& git clone https://github.com/docker/notary.git "$GOPATH/src/github.com/docker/notary" \ && git clone https://github.com/docker/notary.git "$GOPATH/src/github.com/docker/notary" \

2
Dockerfile.armhf
View file

@ -145,7 +145,7 @@ RUN set -x \
&& rm -rf "$GOPATH" && rm -rf "$GOPATH"
# Install notary server # Install notary server
ENV NOTARY_VERSION docker-v1.10-4 ENV NOTARY_VERSION docker-v1.10-5
RUN set -x \ RUN set -x \
&& export GOPATH="$(mktemp -d)" \ && export GOPATH="$(mktemp -d)" \
&& git clone https://github.com/docker/notary.git "$GOPATH/src/github.com/docker/notary" \ && git clone https://github.com/docker/notary.git "$GOPATH/src/github.com/docker/notary" \

2
Dockerfile.ppc64le
View file

@ -116,7 +116,7 @@ RUN set -x \
&& rm -rf "$GOPATH" && rm -rf "$GOPATH"
# Install notary server # Install notary server
#ENV NOTARY_VERSION docker-v1.10-4 #ENV NOTARY_VERSION docker-v1.10-5
#RUN set -x \ #RUN set -x \
# && export GOPATH="$(mktemp -d)" \ # && export GOPATH="$(mktemp -d)" \
# && git clone https://github.com/docker/notary.git "$GOPATH/src/github.com/docker/notary" \ # && git clone https://github.com/docker/notary.git "$GOPATH/src/github.com/docker/notary" \

2
Dockerfile.s390x
View file

@ -116,7 +116,7 @@ RUN set -x \
&& rm -rf "$GOPATH" && rm -rf "$GOPATH"
# Install notary server # Install notary server
ENV NOTARY_VERSION docker-v1.10-4 ENV NOTARY_VERSION docker-v1.10-5
RUN set -x \ RUN set -x \
&& export GOPATH="$(mktemp -d)" \ && export GOPATH="$(mktemp -d)" \
&& git clone https://github.com/docker/notary.git "$GOPATH/src/github.com/docker/notary" \ && git clone https://github.com/docker/notary.git "$GOPATH/src/github.com/docker/notary" \

2
hack/vendor.sh
View file

@ -50,7 +50,7 @@ clone git github.com/docker/distribution c301f8ab27f4913c968b8d73a38e5dda79b9d3d
clone git github.com/vbatts/tar-split v0.9.11 clone git github.com/vbatts/tar-split v0.9.11
# get desired notary commit, might also need to be updated in Dockerfile # get desired notary commit, might also need to be updated in Dockerfile
clone git github.com/docker/notary docker-v1.10-4 clone git github.com/docker/notary docker-v1.10-5
clone git google.golang.org/grpc 174192fc93efcb188fc8f46ca447f0da606b6885 https://github.com/grpc/grpc-go.git clone git google.golang.org/grpc 174192fc93efcb188fc8f46ca447f0da606b6885 https://github.com/grpc/grpc-go.git
clone git github.com/miekg/pkcs11 80f102b5cac759de406949c47f0928b99bd64cdf clone git github.com/miekg/pkcs11 80f102b5cac759de406949c47f0928b99bd64cdf

7
vendor/src/github.com/docker/notary/Makefile vendored
View file

@ -34,7 +34,7 @@ _space := $(empty) $(empty)
COVERDIR=.cover COVERDIR=.cover
COVERPROFILE?=$(COVERDIR)/cover.out COVERPROFILE?=$(COVERDIR)/cover.out
COVERMODE=count COVERMODE=count
PKGS = $(shell go list ./... | tr '\n' ' ') PKGS ?= $(shell go list ./... | tr '\n' ' ')
GO_VERSION = $(shell go version | awk '{print $$3}') GO_VERSION = $(shell go version | awk '{print $$3}')
@ -124,7 +124,7 @@ endef
gen-cover: go_version gen-cover: go_version
@mkdir -p "$(COVERDIR)" @mkdir -p "$(COVERDIR)"
$(foreach PKG,$(PKGS),$(call gocover,$(PKG))) $(foreach PKG,$(PKGS),$(call gocover,$(PKG)))
rm "$(COVERDIR)"/*testutils*.coverage.txt rm -f "$(COVERDIR)"/*testutils*.coverage.txt
# Generates the cover binaries and runs them all in serial, so this can be used # Generates the cover binaries and runs them all in serial, so this can be used
# run all tests with a yubikey without any problems # run all tests with a yubikey without any problems
@ -140,6 +140,9 @@ ci: OPTS = -tags "${NOTARY_BUILDTAGS}" -race -coverpkg "$(shell ./coverpkg.sh $(
# Codecov knows how to merge multiple coverage files, so covmerge is not needed # Codecov knows how to merge multiple coverage files, so covmerge is not needed
ci: gen-cover ci: gen-cover
yubikey-tests: override PKGS = github.com/docker/notary/cmd/notary github.com/docker/notary/trustmanager/yubikey
yubikey-tests: ci
covmerge: covmerge:
@gocovmerge $(shell ls -1 $(COVERDIR)/* | tr "\n" " ") > $(COVERPROFILE) @gocovmerge $(shell ls -1 $(COVERDIR)/* | tr "\n" " ") > $(COVERPROFILE)
@go tool cover -func="$(COVERPROFILE)" @go tool cover -func="$(COVERPROFILE)"

2
vendor/src/github.com/docker/notary/circle.yml vendored
View file

@ -18,8 +18,6 @@ machine:
CIRCLE_PAIN: "mode: set" CIRCLE_PAIN: "mode: set"
# Put the coverage profile somewhere codecov's script can find it # Put the coverage profile somewhere codecov's script can find it
COVERPROFILE: coverage.out COVERPROFILE: coverage.out
# Set the pull request number so codecov can figure it out
PULL_REQUEST: ${CI_PULL_REQUEST##*/}
hosts: hosts:
# Not used yet # Not used yet

2
vendor/src/github.com/docker/notary/const.go vendored
View file

@ -2,6 +2,8 @@ package notary
// application wide constants // application wide constants
const ( const (
// MinRSABitSize is the minimum bit size for RSA keys allowed in notary
MinRSABitSize = 2048
// MinThreshold requires a minimum of one threshold for roles; currently we do not support a higher threshold // MinThreshold requires a minimum of one threshold for roles; currently we do not support a higher threshold
MinThreshold = 1 MinThreshold = 1
// PrivKeyPerms are the file permissions to use when writing private keys to disk // PrivKeyPerms are the file permissions to use when writing private keys to disk

13
vendor/src/github.com/docker/notary/trustmanager/x509utils.go vendored
View file

@ -19,6 +19,7 @@ import (
"github.com/Sirupsen/logrus" "github.com/Sirupsen/logrus"
"github.com/agl/ed25519" "github.com/agl/ed25519"
"github.com/docker/notary"
"github.com/docker/notary/tuf/data" "github.com/docker/notary/tuf/data"
) )
@ -324,7 +325,7 @@ func ParsePEMPublicKey(pubKeyBytes []byte) (data.PublicKey, error) {
} }
// ValidateCertificate returns an error if the certificate is not valid for notary // ValidateCertificate returns an error if the certificate is not valid for notary
// Currently, this is only a time expiry check // Currently this is only a time expiry check, and ensuring the public key has a large enough modulus if RSA
func ValidateCertificate(c *x509.Certificate) error { func ValidateCertificate(c *x509.Certificate) error {
if (c.NotBefore).After(c.NotAfter) { if (c.NotBefore).After(c.NotAfter) {
return fmt.Errorf("certificate validity window is invalid") return fmt.Errorf("certificate validity window is invalid")
@ -335,6 +336,16 @@ func ValidateCertificate(c *x509.Certificate) error {
if (tomorrow).Before(c.NotBefore) || now.After(c.NotAfter) { if (tomorrow).Before(c.NotBefore) || now.After(c.NotAfter) {
return fmt.Errorf("certificate is expired") return fmt.Errorf("certificate is expired")
} }
// If we have an RSA key, make sure it's long enough
if c.PublicKeyAlgorithm == x509.RSA {
rsaKey, ok := c.PublicKey.(*rsa.PublicKey)
if !ok {
return fmt.Errorf("unable to parse RSA public key")
}
if rsaKey.N.BitLen() < notary.MinRSABitSize {
return fmt.Errorf("RSA bit length is too short")
}
}
return nil return nil
} }

8
vendor/src/github.com/docker/notary/tuf/client/client.go vendored
View file

@ -54,7 +54,7 @@ func (c *Client) Update() error {
if err != nil { if err != nil {
logrus.Debug("Error occurred. Root will be downloaded and another update attempted") logrus.Debug("Error occurred. Root will be downloaded and another update attempted")
if err := c.downloadRoot(); err != nil { if err := c.downloadRoot(); err != nil {
logrus.Error("Client Update (Root):", err) logrus.Debug("Client Update (Root):", err)
return err return err
} }
// If we error again, we now have the latest root and just want to fail // If we error again, we now have the latest root and just want to fail
@ -68,12 +68,12 @@ func (c *Client) Update() error {
func (c *Client) update() error { func (c *Client) update() error {
err := c.downloadTimestamp() err := c.downloadTimestamp()
if err != nil { if err != nil {
logrus.Errorf("Client Update (Timestamp): %s", err.Error()) logrus.Debugf("Client Update (Timestamp): %s", err.Error())
return err return err
} }
err = c.downloadSnapshot() err = c.downloadSnapshot()
if err != nil { if err != nil {
logrus.Errorf("Client Update (Snapshot): %s", err.Error()) logrus.Debugf("Client Update (Snapshot): %s", err.Error())
return err return err
} }
err = c.checkRoot() err = c.checkRoot()
@ -86,7 +86,7 @@ func (c *Client) update() error {
// will always need top level targets at a minimum // will always need top level targets at a minimum
err = c.downloadTargets("targets") err = c.downloadTargets("targets")
if err != nil { if err != nil {
logrus.Errorf("Client Update (Targets): %s", err.Error()) logrus.Debugf("Client Update (Targets): %s", err.Error())
return err return err
} }
return nil return nil

44
vendor/src/github.com/docker/notary/tuf/signed/verifiers.go vendored
View file

@ -60,7 +60,7 @@ func (v Ed25519Verifier) Verify(key data.PublicKey, sig []byte, msg []byte) erro
} }
var sigBytes [ed25519.SignatureSize]byte var sigBytes [ed25519.SignatureSize]byte
if len(sig) != ed25519.SignatureSize { if len(sig) != ed25519.SignatureSize {
logrus.Infof("signature length is incorrect, must be %d, was %d.", ed25519.SignatureSize, len(sig)) logrus.Debugf("signature length is incorrect, must be %d, was %d.", ed25519.SignatureSize, len(sig))
return ErrInvalid return ErrInvalid
} }
copy(sigBytes[:], sig) copy(sigBytes[:], sig)
@ -78,7 +78,7 @@ func (v Ed25519Verifier) Verify(key data.PublicKey, sig []byte, msg []byte) erro
} }
if !ed25519.Verify(&keyBytes, msg, &sigBytes) { if !ed25519.Verify(&keyBytes, msg, &sigBytes) {
logrus.Infof("failed ed25519 verification") logrus.Debugf("failed ed25519 verification")
return ErrInvalid return ErrInvalid
} }
return nil return nil
@ -87,23 +87,23 @@ func (v Ed25519Verifier) Verify(key data.PublicKey, sig []byte, msg []byte) erro
func verifyPSS(key interface{}, digest, sig []byte) error { func verifyPSS(key interface{}, digest, sig []byte) error {
rsaPub, ok := key.(*rsa.PublicKey) rsaPub, ok := key.(*rsa.PublicKey)
if !ok { if !ok {
logrus.Infof("value was not an RSA public key") logrus.Debugf("value was not an RSA public key")
return ErrInvalid return ErrInvalid
} }
if rsaPub.N.BitLen() < minRSAKeySizeBit { if rsaPub.N.BitLen() < minRSAKeySizeBit {
logrus.Infof("RSA keys less than 2048 bits are not acceptable, provided key has length %d.", rsaPub.N.BitLen()) logrus.Debugf("RSA keys less than 2048 bits are not acceptable, provided key has length %d.", rsaPub.N.BitLen())
return ErrInvalidKeyLength{msg: fmt.Sprintf("RSA key must be at least %d bits.", minRSAKeySizeBit)} return ErrInvalidKeyLength{msg: fmt.Sprintf("RSA key must be at least %d bits.", minRSAKeySizeBit)}
} }
if len(sig) < minRSAKeySizeByte { if len(sig) < minRSAKeySizeByte {
logrus.Infof("RSA keys less than 2048 bits are not acceptable, provided signature has length %d.", len(sig)) logrus.Debugf("RSA keys less than 2048 bits are not acceptable, provided signature has length %d.", len(sig))
return ErrInvalid return ErrInvalid
} }
opts := rsa.PSSOptions{SaltLength: sha256.Size, Hash: crypto.SHA256} opts := rsa.PSSOptions{SaltLength: sha256.Size, Hash: crypto.SHA256}
if err := rsa.VerifyPSS(rsaPub, crypto.SHA256, digest[:], sig, &opts); err != nil { if err := rsa.VerifyPSS(rsaPub, crypto.SHA256, digest[:], sig, &opts); err != nil {
logrus.Infof("failed RSAPSS verification: %s", err) logrus.Debugf("failed RSAPSS verification: %s", err)
return ErrInvalid return ErrInvalid
} }
return nil return nil
@ -117,12 +117,12 @@ func getRSAPubKey(key data.PublicKey) (crypto.PublicKey, error) {
case data.RSAx509Key: case data.RSAx509Key:
pemCert, _ := pem.Decode([]byte(key.Public())) pemCert, _ := pem.Decode([]byte(key.Public()))
if pemCert == nil { if pemCert == nil {
logrus.Infof("failed to decode PEM-encoded x509 certificate") logrus.Debugf("failed to decode PEM-encoded x509 certificate")
return nil, ErrInvalid return nil, ErrInvalid
} }
cert, err := x509.ParseCertificate(pemCert.Bytes) cert, err := x509.ParseCertificate(pemCert.Bytes)
if err != nil { if err != nil {
logrus.Infof("failed to parse x509 certificate: %s\n", err) logrus.Debugf("failed to parse x509 certificate: %s\n", err)
return nil, ErrInvalid return nil, ErrInvalid
} }
pubKey = cert.PublicKey pubKey = cert.PublicKey
@ -130,12 +130,12 @@ func getRSAPubKey(key data.PublicKey) (crypto.PublicKey, error) {
var err error var err error
pubKey, err = x509.ParsePKIXPublicKey(key.Public()) pubKey, err = x509.ParsePKIXPublicKey(key.Public())
if err != nil { if err != nil {
logrus.Infof("failed to parse public key: %s\n", err) logrus.Debugf("failed to parse public key: %s\n", err)
return nil, ErrInvalid return nil, ErrInvalid
} }
default: default:
// only accept RSA keys // only accept RSA keys
logrus.Infof("invalid key type for RSAPSS verifier: %s", algorithm) logrus.Debugf("invalid key type for RSAPSS verifier: %s", algorithm)
return nil, ErrInvalidKeyType{} return nil, ErrInvalidKeyType{}
} }
@ -172,17 +172,17 @@ func (v RSAPKCS1v15Verifier) Verify(key data.PublicKey, sig []byte, msg []byte)
rsaPub, ok := pubKey.(*rsa.PublicKey) rsaPub, ok := pubKey.(*rsa.PublicKey)
if !ok { if !ok {
logrus.Infof("value was not an RSA public key") logrus.Debugf("value was not an RSA public key")
return ErrInvalid return ErrInvalid
} }
if rsaPub.N.BitLen() < minRSAKeySizeBit { if rsaPub.N.BitLen() < minRSAKeySizeBit {
logrus.Infof("RSA keys less than 2048 bits are not acceptable, provided key has length %d.", rsaPub.N.BitLen()) logrus.Debugf("RSA keys less than 2048 bits are not acceptable, provided key has length %d.", rsaPub.N.BitLen())
return ErrInvalidKeyLength{msg: fmt.Sprintf("RSA key must be at least %d bits.", minRSAKeySizeBit)} return ErrInvalidKeyLength{msg: fmt.Sprintf("RSA key must be at least %d bits.", minRSAKeySizeBit)}
} }
if len(sig) < minRSAKeySizeByte { if len(sig) < minRSAKeySizeByte {
logrus.Infof("RSA keys less than 2048 bits are not acceptable, provided signature has length %d.", len(sig)) logrus.Debugf("RSA keys less than 2048 bits are not acceptable, provided signature has length %d.", len(sig))
return ErrInvalid return ErrInvalid
} }
@ -207,13 +207,13 @@ func (v RSAPyCryptoVerifier) Verify(key data.PublicKey, sig []byte, msg []byte)
k, _ := pem.Decode([]byte(key.Public())) k, _ := pem.Decode([]byte(key.Public()))
if k == nil { if k == nil {
logrus.Infof("failed to decode PEM-encoded x509 certificate") logrus.Debugf("failed to decode PEM-encoded x509 certificate")
return ErrInvalid return ErrInvalid
} }
pub, err := x509.ParsePKIXPublicKey(k.Bytes) pub, err := x509.ParsePKIXPublicKey(k.Bytes)
if err != nil { if err != nil {
logrus.Infof("failed to parse public key: %s\n", err) logrus.Debugf("failed to parse public key: %s\n", err)
return ErrInvalid return ErrInvalid
} }
@ -232,13 +232,13 @@ func (v ECDSAVerifier) Verify(key data.PublicKey, sig []byte, msg []byte) error
case data.ECDSAx509Key: case data.ECDSAx509Key:
pemCert, _ := pem.Decode([]byte(key.Public())) pemCert, _ := pem.Decode([]byte(key.Public()))
if pemCert == nil { if pemCert == nil {
logrus.Infof("failed to decode PEM-encoded x509 certificate for keyID: %s", key.ID()) logrus.Debugf("failed to decode PEM-encoded x509 certificate for keyID: %s", key.ID())
logrus.Debugf("certificate bytes: %s", string(key.Public())) logrus.Debugf("certificate bytes: %s", string(key.Public()))
return ErrInvalid return ErrInvalid
} }
cert, err := x509.ParseCertificate(pemCert.Bytes) cert, err := x509.ParseCertificate(pemCert.Bytes)
if err != nil { if err != nil {
logrus.Infof("failed to parse x509 certificate: %s\n", err) logrus.Debugf("failed to parse x509 certificate: %s\n", err)
return ErrInvalid return ErrInvalid
} }
pubKey = cert.PublicKey pubKey = cert.PublicKey
@ -246,25 +246,25 @@ func (v ECDSAVerifier) Verify(key data.PublicKey, sig []byte, msg []byte) error
var err error var err error
pubKey, err = x509.ParsePKIXPublicKey(key.Public()) pubKey, err = x509.ParsePKIXPublicKey(key.Public())
if err != nil { if err != nil {
logrus.Infof("Failed to parse private key for keyID: %s, %s\n", key.ID(), err) logrus.Debugf("Failed to parse private key for keyID: %s, %s\n", key.ID(), err)
return ErrInvalid return ErrInvalid
} }
default: default:
// only accept ECDSA keys. // only accept ECDSA keys.
logrus.Infof("invalid key type for ECDSA verifier: %s", algorithm) logrus.Debugf("invalid key type for ECDSA verifier: %s", algorithm)
return ErrInvalidKeyType{} return ErrInvalidKeyType{}
} }
ecdsaPubKey, ok := pubKey.(*ecdsa.PublicKey) ecdsaPubKey, ok := pubKey.(*ecdsa.PublicKey)
if !ok { if !ok {
logrus.Infof("value isn't an ECDSA public key") logrus.Debugf("value isn't an ECDSA public key")
return ErrInvalid return ErrInvalid
} }
sigLength := len(sig) sigLength := len(sig)
expectedOctetLength := 2 * ((ecdsaPubKey.Params().BitSize + 7) >> 3) expectedOctetLength := 2 * ((ecdsaPubKey.Params().BitSize + 7) >> 3)
if sigLength != expectedOctetLength { if sigLength != expectedOctetLength {
logrus.Infof("signature had an unexpected length") logrus.Debugf("signature had an unexpected length")
return ErrInvalid return ErrInvalid
} }
@ -275,7 +275,7 @@ func (v ECDSAVerifier) Verify(key data.PublicKey, sig []byte, msg []byte) error
digest := sha256.Sum256(msg) digest := sha256.Sum256(msg)
if !ecdsa.Verify(ecdsaPubKey, digest[:], r, s) { if !ecdsa.Verify(ecdsaPubKey, digest[:], r, s) {
logrus.Infof("failed ECDSA signature validation") logrus.Debugf("failed ECDSA signature validation")
return ErrInvalid return ErrInvalid
} }