Merge pull request #19788 from cyli/vendor-notary

Include a new version of notary with less verbose INFO+ logging

Dockerfile

@@ -167,7 +167,7 @@ RUN set -x \
 	&& rm -rf "$GOPATH"
 
 # Install notary server
-ENV NOTARY_VERSION docker-v1.10-4
+ENV NOTARY_VERSION docker-v1.10-5
 RUN set -x \
 	&& export GOPATH="$(mktemp -d)" \
 	&& git clone https://github.com/docker/notary.git "$GOPATH/src/github.com/docker/notary" \

Dockerfile.aarch64

@@ -110,7 +110,7 @@ RUN set -x \
 	&& rm -rf "$GOPATH"
 
 # Install notary server
-ENV NOTARY_VERSION docker-v1.10-4
+ENV NOTARY_VERSION docker-v1.10-5
 RUN set -x \
 	&& export GOPATH="$(mktemp -d)" \
 	&& git clone https://github.com/docker/notary.git "$GOPATH/src/github.com/docker/notary" \

Dockerfile.armhf

@@ -144,7 +144,7 @@ RUN set -x \
 	&& rm -rf "$GOPATH"
 
 # Install notary server
-ENV NOTARY_VERSION docker-v1.10-4
+ENV NOTARY_VERSION docker-v1.10-5
 RUN set -x \
 	&& export GOPATH="$(mktemp -d)" \
 	&& git clone https://github.com/docker/notary.git "$GOPATH/src/github.com/docker/notary" \

Dockerfile.ppc64le

@@ -123,7 +123,7 @@ RUN set -x \
 
 # TODO update this when we upgrade to Go 1.5.1+
 # Install notary server
-#ENV NOTARY_VERSION docker-v1.10-4
+#ENV NOTARY_VERSION docker-v1.10-5
 #RUN set -x \
 #	&& export GOPATH="$(mktemp -d)" \
 #	&& git clone https://github.com/docker/notary.git "$GOPATH/src/github.com/docker/notary" \

Dockerfile.s390x

@@ -116,7 +116,7 @@ RUN set -x \
 	&& rm -rf "$GOPATH"
 
 # Install notary server
-ENV NOTARY_VERSION docker-v1.10-4
+ENV NOTARY_VERSION docker-v1.10-5
 RUN set -x \
 	&& export GOPATH="$(mktemp -d)" \
 	&& git clone https://github.com/docker/notary.git "$GOPATH/src/github.com/docker/notary" \

hack/vendor.sh

@@ -50,7 +50,7 @@ clone git github.com/docker/distribution c301f8ab27f4913c968b8d73a38e5dda79b9d3d
 clone git github.com/vbatts/tar-split v0.9.11
 
 # get desired notary commit, might also need to be updated in Dockerfile
-clone git github.com/docker/notary docker-v1.10-4
+clone git github.com/docker/notary docker-v1.10-5
 
 clone git google.golang.org/grpc 174192fc93efcb188fc8f46ca447f0da606b6885 https://github.com/grpc/grpc-go.git
 clone git github.com/miekg/pkcs11 80f102b5cac759de406949c47f0928b99bd64cdf

vendor/src/github.com/docker/notary/Makefile

@@ -34,7 +34,7 @@ _space := $(empty) $(empty)
 COVERDIR=.cover
 COVERPROFILE?=$(COVERDIR)/cover.out
 COVERMODE=count
-PKGS = $(shell go list ./... | tr '\n' ' ')
+PKGS ?= $(shell go list ./... | tr '\n' ' ')
 
 GO_VERSION = $(shell go version | awk '{print $$3}')
 
@@ -124,7 +124,7 @@ endef
 gen-cover: go_version
 	@mkdir -p "$(COVERDIR)"
 	$(foreach PKG,$(PKGS),$(call gocover,$(PKG)))
-	rm "$(COVERDIR)"/*testutils*.coverage.txt
+	rm -f "$(COVERDIR)"/*testutils*.coverage.txt
 
 # Generates the cover binaries and runs them all in serial, so this can be used
 # run all tests with a yubikey without any problems
@@ -140,6 +140,9 @@ ci: OPTS = -tags "${NOTARY_BUILDTAGS}" -race -coverpkg "$(shell ./coverpkg.sh $(
 # Codecov knows how to merge multiple coverage files, so covmerge is not needed
 ci: gen-cover
 
+yubikey-tests: override PKGS = github.com/docker/notary/cmd/notary github.com/docker/notary/trustmanager/yubikey
+yubikey-tests: ci
+
 covmerge:
 	@gocovmerge $(shell ls -1 $(COVERDIR)/* | tr "\n" " ") > $(COVERPROFILE)
 	@go tool cover -func="$(COVERPROFILE)"

vendor/src/github.com/docker/notary/circle.yml

@@ -18,8 +18,6 @@ machine:
     CIRCLE_PAIN: "mode: set"
   # Put the coverage profile somewhere codecov's script can find it
     COVERPROFILE: coverage.out
-  # Set the pull request number so codecov can figure it out
-    PULL_REQUEST: ${CI_PULL_REQUEST##*/}
 
   hosts:
   # Not used yet

vendor/src/github.com/docker/notary/const.go

@@ -2,6 +2,8 @@ package notary
 
 // application wide constants
 const (
+	// MinRSABitSize is the minimum bit size for RSA keys allowed in notary
+	MinRSABitSize = 2048
 	// MinThreshold requires a minimum of one threshold for roles; currently we do not support a higher threshold
 	MinThreshold = 1
 	// PrivKeyPerms are the file permissions to use when writing private keys to disk

vendor/src/github.com/docker/notary/trustmanager/x509utils.go

@@ -19,6 +19,7 @@ import (
 
 	"github.com/Sirupsen/logrus"
 	"github.com/agl/ed25519"
+	"github.com/docker/notary"
 	"github.com/docker/notary/tuf/data"
 )
 
@@ -324,7 +325,7 @@ func ParsePEMPublicKey(pubKeyBytes []byte) (data.PublicKey, error) {
 }
 
 // ValidateCertificate returns an error if the certificate is not valid for notary
-// Currently, this is only a time expiry check
+// Currently this is only a time expiry check, and ensuring the public key has a large enough modulus if RSA
 func ValidateCertificate(c *x509.Certificate) error {
 	if (c.NotBefore).After(c.NotAfter) {
 		return fmt.Errorf("certificate validity window is invalid")
@@ -335,6 +336,16 @@ func ValidateCertificate(c *x509.Certificate) error {
 	if (tomorrow).Before(c.NotBefore) || now.After(c.NotAfter) {
 		return fmt.Errorf("certificate is expired")
 	}
+	// If we have an RSA key, make sure it's long enough
+	if c.PublicKeyAlgorithm == x509.RSA {
+		rsaKey, ok := c.PublicKey.(*rsa.PublicKey)
+		if !ok {
+			return fmt.Errorf("unable to parse RSA public key")
+		}
+		if rsaKey.N.BitLen() < notary.MinRSABitSize {
+			return fmt.Errorf("RSA bit length is too short")
+		}
+	}
 	return nil
 }
 

vendor/src/github.com/docker/notary/tuf/client/client.go

@@ -54,7 +54,7 @@ func (c *Client) Update() error {
 	if err != nil {
 		logrus.Debug("Error occurred. Root will be downloaded and another update attempted")
 		if err := c.downloadRoot(); err != nil {
-			logrus.Error("Client Update (Root):", err)
+			logrus.Debug("Client Update (Root):", err)
 			return err
 		}
 		// If we error again, we now have the latest root and just want to fail
@@ -68,12 +68,12 @@ func (c *Client) Update() error {
 func (c *Client) update() error {
 	err := c.downloadTimestamp()
 	if err != nil {
-		logrus.Errorf("Client Update (Timestamp): %s", err.Error())
+		logrus.Debugf("Client Update (Timestamp): %s", err.Error())
 		return err
 	}
 	err = c.downloadSnapshot()
 	if err != nil {
-		logrus.Errorf("Client Update (Snapshot): %s", err.Error())
+		logrus.Debugf("Client Update (Snapshot): %s", err.Error())
 		return err
 	}
 	err = c.checkRoot()
@@ -86,7 +86,7 @@ func (c *Client) update() error {
 	// will always need top level targets at a minimum
 	err = c.downloadTargets("targets")
 	if err != nil {
-		logrus.Errorf("Client Update (Targets): %s", err.Error())
+		logrus.Debugf("Client Update (Targets): %s", err.Error())
 		return err
 	}
 	return nil

vendor/src/github.com/docker/notary/tuf/signed/verifiers.go

@@ -60,7 +60,7 @@ func (v Ed25519Verifier) Verify(key data.PublicKey, sig []byte, msg []byte) erro
 	}
 	var sigBytes [ed25519.SignatureSize]byte
 	if len(sig) != ed25519.SignatureSize {
-		logrus.Infof("signature length is incorrect, must be %d, was %d.", ed25519.SignatureSize, len(sig))
+		logrus.Debugf("signature length is incorrect, must be %d, was %d.", ed25519.SignatureSize, len(sig))
 		return ErrInvalid
 	}
 	copy(sigBytes[:], sig)
@@ -78,7 +78,7 @@ func (v Ed25519Verifier) Verify(key data.PublicKey, sig []byte, msg []byte) erro
 	}
 
 	if !ed25519.Verify(&keyBytes, msg, &sigBytes) {
-		logrus.Infof("failed ed25519 verification")
+		logrus.Debugf("failed ed25519 verification")
 		return ErrInvalid
 	}
 	return nil
@@ -87,23 +87,23 @@ func (v Ed25519Verifier) Verify(key data.PublicKey, sig []byte, msg []byte) erro
 func verifyPSS(key interface{}, digest, sig []byte) error {
 	rsaPub, ok := key.(*rsa.PublicKey)
 	if !ok {
-		logrus.Infof("value was not an RSA public key")
+		logrus.Debugf("value was not an RSA public key")
 		return ErrInvalid
 	}
 
 	if rsaPub.N.BitLen() < minRSAKeySizeBit {
-		logrus.Infof("RSA keys less than 2048 bits are not acceptable, provided key has length %d.", rsaPub.N.BitLen())
+		logrus.Debugf("RSA keys less than 2048 bits are not acceptable, provided key has length %d.", rsaPub.N.BitLen())
 		return ErrInvalidKeyLength{msg: fmt.Sprintf("RSA key must be at least %d bits.", minRSAKeySizeBit)}
 	}
 
 	if len(sig) < minRSAKeySizeByte {
-		logrus.Infof("RSA keys less than 2048 bits are not acceptable, provided signature has length %d.", len(sig))
+		logrus.Debugf("RSA keys less than 2048 bits are not acceptable, provided signature has length %d.", len(sig))
 		return ErrInvalid
 	}
 
 	opts := rsa.PSSOptions{SaltLength: sha256.Size, Hash: crypto.SHA256}
 	if err := rsa.VerifyPSS(rsaPub, crypto.SHA256, digest[:], sig, &opts); err != nil {
-		logrus.Infof("failed RSAPSS verification: %s", err)
+		logrus.Debugf("failed RSAPSS verification: %s", err)
 		return ErrInvalid
 	}
 	return nil
@@ -117,12 +117,12 @@ func getRSAPubKey(key data.PublicKey) (crypto.PublicKey, error) {
 	case data.RSAx509Key:
 		pemCert, _ := pem.Decode([]byte(key.Public()))
 		if pemCert == nil {
-			logrus.Infof("failed to decode PEM-encoded x509 certificate")
+			logrus.Debugf("failed to decode PEM-encoded x509 certificate")
 			return nil, ErrInvalid
 		}
 		cert, err := x509.ParseCertificate(pemCert.Bytes)
 		if err != nil {
-			logrus.Infof("failed to parse x509 certificate: %s\n", err)
+			logrus.Debugf("failed to parse x509 certificate: %s\n", err)
 			return nil, ErrInvalid
 		}
 		pubKey = cert.PublicKey
@@ -130,12 +130,12 @@ func getRSAPubKey(key data.PublicKey) (crypto.PublicKey, error) {
 		var err error
 		pubKey, err = x509.ParsePKIXPublicKey(key.Public())
 		if err != nil {
-			logrus.Infof("failed to parse public key: %s\n", err)
+			logrus.Debugf("failed to parse public key: %s\n", err)
 			return nil, ErrInvalid
 		}
 	default:
 		// only accept RSA keys
-		logrus.Infof("invalid key type for RSAPSS verifier: %s", algorithm)
+		logrus.Debugf("invalid key type for RSAPSS verifier: %s", algorithm)
 		return nil, ErrInvalidKeyType{}
 	}
 
@@ -172,17 +172,17 @@ func (v RSAPKCS1v15Verifier) Verify(key data.PublicKey, sig []byte, msg []byte)
 
 	rsaPub, ok := pubKey.(*rsa.PublicKey)
 	if !ok {
-		logrus.Infof("value was not an RSA public key")
+		logrus.Debugf("value was not an RSA public key")
 		return ErrInvalid
 	}
 
 	if rsaPub.N.BitLen() < minRSAKeySizeBit {
-		logrus.Infof("RSA keys less than 2048 bits are not acceptable, provided key has length %d.", rsaPub.N.BitLen())
+		logrus.Debugf("RSA keys less than 2048 bits are not acceptable, provided key has length %d.", rsaPub.N.BitLen())
 		return ErrInvalidKeyLength{msg: fmt.Sprintf("RSA key must be at least %d bits.", minRSAKeySizeBit)}
 	}
 
 	if len(sig) < minRSAKeySizeByte {
-		logrus.Infof("RSA keys less than 2048 bits are not acceptable, provided signature has length %d.", len(sig))
+		logrus.Debugf("RSA keys less than 2048 bits are not acceptable, provided signature has length %d.", len(sig))
 		return ErrInvalid
 	}
 
@@ -207,13 +207,13 @@ func (v RSAPyCryptoVerifier) Verify(key data.PublicKey, sig []byte, msg []byte)
 
 	k, _ := pem.Decode([]byte(key.Public()))
 	if k == nil {
-		logrus.Infof("failed to decode PEM-encoded x509 certificate")
+		logrus.Debugf("failed to decode PEM-encoded x509 certificate")
 		return ErrInvalid
 	}
 
 	pub, err := x509.ParsePKIXPublicKey(k.Bytes)
 	if err != nil {
-		logrus.Infof("failed to parse public key: %s\n", err)
+		logrus.Debugf("failed to parse public key: %s\n", err)
 		return ErrInvalid
 	}
 
@@ -232,13 +232,13 @@ func (v ECDSAVerifier) Verify(key data.PublicKey, sig []byte, msg []byte) error
 	case data.ECDSAx509Key:
 		pemCert, _ := pem.Decode([]byte(key.Public()))
 		if pemCert == nil {
-			logrus.Infof("failed to decode PEM-encoded x509 certificate for keyID: %s", key.ID())
+			logrus.Debugf("failed to decode PEM-encoded x509 certificate for keyID: %s", key.ID())
 			logrus.Debugf("certificate bytes: %s", string(key.Public()))
 			return ErrInvalid
 		}
 		cert, err := x509.ParseCertificate(pemCert.Bytes)
 		if err != nil {
-			logrus.Infof("failed to parse x509 certificate: %s\n", err)
+			logrus.Debugf("failed to parse x509 certificate: %s\n", err)
 			return ErrInvalid
 		}
 		pubKey = cert.PublicKey
@@ -246,25 +246,25 @@ func (v ECDSAVerifier) Verify(key data.PublicKey, sig []byte, msg []byte) error
 		var err error
 		pubKey, err = x509.ParsePKIXPublicKey(key.Public())
 		if err != nil {
-			logrus.Infof("Failed to parse private key for keyID: %s, %s\n", key.ID(), err)
+			logrus.Debugf("Failed to parse private key for keyID: %s, %s\n", key.ID(), err)
 			return ErrInvalid
 		}
 	default:
 		// only accept ECDSA keys.
-		logrus.Infof("invalid key type for ECDSA verifier: %s", algorithm)
+		logrus.Debugf("invalid key type for ECDSA verifier: %s", algorithm)
 		return ErrInvalidKeyType{}
 	}
 
 	ecdsaPubKey, ok := pubKey.(*ecdsa.PublicKey)
 	if !ok {
-		logrus.Infof("value isn't an ECDSA public key")
+		logrus.Debugf("value isn't an ECDSA public key")
 		return ErrInvalid
 	}
 
 	sigLength := len(sig)
 	expectedOctetLength := 2 * ((ecdsaPubKey.Params().BitSize + 7) >> 3)
 	if sigLength != expectedOctetLength {
-		logrus.Infof("signature had an unexpected length")
+		logrus.Debugf("signature had an unexpected length")
 		return ErrInvalid
 	}
 
@@ -275,7 +275,7 @@ func (v ECDSAVerifier) Verify(key data.PublicKey, sig []byte, msg []byte) error
 	digest := sha256.Sum256(msg)
 
 	if !ecdsa.Verify(ecdsaPubKey, digest[:], r, s) {
-		logrus.Infof("failed ECDSA signature validation")
+		logrus.Debugf("failed ECDSA signature validation")
 		return ErrInvalid
 	}