diff --git a/Dockerfile b/Dockerfile index f27dabd800..b307f5a61b 100644 --- a/Dockerfile +++ b/Dockerfile @@ -167,7 +167,7 @@ RUN set -x \ && rm -rf "$GOPATH" # Install notary server -ENV NOTARY_VERSION docker-v1.10-4 +ENV NOTARY_VERSION docker-v1.10-5 RUN set -x \ && export GOPATH="$(mktemp -d)" \ && git clone https://github.com/docker/notary.git "$GOPATH/src/github.com/docker/notary" \ diff --git a/Dockerfile.aarch64 b/Dockerfile.aarch64 index af92ea7b31..75b957d054 100644 --- a/Dockerfile.aarch64 +++ b/Dockerfile.aarch64 @@ -110,7 +110,7 @@ RUN set -x \ && rm -rf "$GOPATH" # Install notary server -ENV NOTARY_VERSION docker-v1.10-4 +ENV NOTARY_VERSION docker-v1.10-5 RUN set -x \ && export GOPATH="$(mktemp -d)" \ && git clone https://github.com/docker/notary.git "$GOPATH/src/github.com/docker/notary" \ diff --git a/Dockerfile.armhf b/Dockerfile.armhf index 60c4373a10..10e4e0bd71 100644 --- a/Dockerfile.armhf +++ b/Dockerfile.armhf @@ -144,7 +144,7 @@ RUN set -x \ && rm -rf "$GOPATH" # Install notary server -ENV NOTARY_VERSION docker-v1.10-4 +ENV NOTARY_VERSION docker-v1.10-5 RUN set -x \ && export GOPATH="$(mktemp -d)" \ && git clone https://github.com/docker/notary.git "$GOPATH/src/github.com/docker/notary" \ diff --git a/Dockerfile.ppc64le b/Dockerfile.ppc64le index 5c72840e10..406c312213 100644 --- a/Dockerfile.ppc64le +++ b/Dockerfile.ppc64le @@ -123,7 +123,7 @@ RUN set -x \ # TODO update this when we upgrade to Go 1.5.1+ # Install notary server -#ENV NOTARY_VERSION docker-v1.10-4 +#ENV NOTARY_VERSION docker-v1.10-5 #RUN set -x \ # && export GOPATH="$(mktemp -d)" \ # && git clone https://github.com/docker/notary.git "$GOPATH/src/github.com/docker/notary" \ diff --git a/Dockerfile.s390x b/Dockerfile.s390x index a8c76dcb07..b804bd85e4 100644 --- a/Dockerfile.s390x +++ b/Dockerfile.s390x @@ -116,7 +116,7 @@ RUN set -x \ && rm -rf "$GOPATH" # Install notary server -ENV NOTARY_VERSION docker-v1.10-4 +ENV NOTARY_VERSION docker-v1.10-5 RUN set -x \ && export GOPATH="$(mktemp -d)" \ && git clone https://github.com/docker/notary.git "$GOPATH/src/github.com/docker/notary" \ diff --git a/hack/vendor.sh b/hack/vendor.sh index 11b54d07cd..70f766c94e 100755 --- a/hack/vendor.sh +++ b/hack/vendor.sh @@ -50,7 +50,7 @@ clone git github.com/docker/distribution c301f8ab27f4913c968b8d73a38e5dda79b9d3d clone git github.com/vbatts/tar-split v0.9.11 # get desired notary commit, might also need to be updated in Dockerfile -clone git github.com/docker/notary docker-v1.10-4 +clone git github.com/docker/notary docker-v1.10-5 clone git google.golang.org/grpc 174192fc93efcb188fc8f46ca447f0da606b6885 https://github.com/grpc/grpc-go.git clone git github.com/miekg/pkcs11 80f102b5cac759de406949c47f0928b99bd64cdf diff --git a/vendor/src/github.com/docker/notary/Makefile b/vendor/src/github.com/docker/notary/Makefile index 1f45ed5dd2..949d79864a 100644 --- a/vendor/src/github.com/docker/notary/Makefile +++ b/vendor/src/github.com/docker/notary/Makefile @@ -34,7 +34,7 @@ _space := $(empty) $(empty) COVERDIR=.cover COVERPROFILE?=$(COVERDIR)/cover.out COVERMODE=count -PKGS = $(shell go list ./... | tr '\n' ' ') +PKGS ?= $(shell go list ./... | tr '\n' ' ') GO_VERSION = $(shell go version | awk '{print $$3}') @@ -124,7 +124,7 @@ endef gen-cover: go_version @mkdir -p "$(COVERDIR)" $(foreach PKG,$(PKGS),$(call gocover,$(PKG))) - rm "$(COVERDIR)"/*testutils*.coverage.txt + rm -f "$(COVERDIR)"/*testutils*.coverage.txt # Generates the cover binaries and runs them all in serial, so this can be used # run all tests with a yubikey without any problems @@ -140,6 +140,9 @@ ci: OPTS = -tags "${NOTARY_BUILDTAGS}" -race -coverpkg "$(shell ./coverpkg.sh $( # Codecov knows how to merge multiple coverage files, so covmerge is not needed ci: gen-cover +yubikey-tests: override PKGS = github.com/docker/notary/cmd/notary github.com/docker/notary/trustmanager/yubikey +yubikey-tests: ci + covmerge: @gocovmerge $(shell ls -1 $(COVERDIR)/* | tr "\n" " ") > $(COVERPROFILE) @go tool cover -func="$(COVERPROFILE)" diff --git a/vendor/src/github.com/docker/notary/circle.yml b/vendor/src/github.com/docker/notary/circle.yml index 99a3639056..163d610f24 100644 --- a/vendor/src/github.com/docker/notary/circle.yml +++ b/vendor/src/github.com/docker/notary/circle.yml @@ -18,8 +18,6 @@ machine: CIRCLE_PAIN: "mode: set" # Put the coverage profile somewhere codecov's script can find it COVERPROFILE: coverage.out - # Set the pull request number so codecov can figure it out - PULL_REQUEST: ${CI_PULL_REQUEST##*/} hosts: # Not used yet diff --git a/vendor/src/github.com/docker/notary/const.go b/vendor/src/github.com/docker/notary/const.go index 6eb278cf98..a1140c0dc0 100644 --- a/vendor/src/github.com/docker/notary/const.go +++ b/vendor/src/github.com/docker/notary/const.go @@ -2,6 +2,8 @@ package notary // application wide constants const ( + // MinRSABitSize is the minimum bit size for RSA keys allowed in notary + MinRSABitSize = 2048 // MinThreshold requires a minimum of one threshold for roles; currently we do not support a higher threshold MinThreshold = 1 // PrivKeyPerms are the file permissions to use when writing private keys to disk diff --git a/vendor/src/github.com/docker/notary/trustmanager/x509utils.go b/vendor/src/github.com/docker/notary/trustmanager/x509utils.go index 64ca1e7226..f39ca8eb22 100644 --- a/vendor/src/github.com/docker/notary/trustmanager/x509utils.go +++ b/vendor/src/github.com/docker/notary/trustmanager/x509utils.go @@ -19,6 +19,7 @@ import ( "github.com/Sirupsen/logrus" "github.com/agl/ed25519" + "github.com/docker/notary" "github.com/docker/notary/tuf/data" ) @@ -324,7 +325,7 @@ func ParsePEMPublicKey(pubKeyBytes []byte) (data.PublicKey, error) { } // ValidateCertificate returns an error if the certificate is not valid for notary -// Currently, this is only a time expiry check +// Currently this is only a time expiry check, and ensuring the public key has a large enough modulus if RSA func ValidateCertificate(c *x509.Certificate) error { if (c.NotBefore).After(c.NotAfter) { return fmt.Errorf("certificate validity window is invalid") @@ -335,6 +336,16 @@ func ValidateCertificate(c *x509.Certificate) error { if (tomorrow).Before(c.NotBefore) || now.After(c.NotAfter) { return fmt.Errorf("certificate is expired") } + // If we have an RSA key, make sure it's long enough + if c.PublicKeyAlgorithm == x509.RSA { + rsaKey, ok := c.PublicKey.(*rsa.PublicKey) + if !ok { + return fmt.Errorf("unable to parse RSA public key") + } + if rsaKey.N.BitLen() < notary.MinRSABitSize { + return fmt.Errorf("RSA bit length is too short") + } + } return nil } diff --git a/vendor/src/github.com/docker/notary/tuf/client/client.go b/vendor/src/github.com/docker/notary/tuf/client/client.go index 33ffa20936..0eaa8c87e7 100644 --- a/vendor/src/github.com/docker/notary/tuf/client/client.go +++ b/vendor/src/github.com/docker/notary/tuf/client/client.go @@ -54,7 +54,7 @@ func (c *Client) Update() error { if err != nil { logrus.Debug("Error occurred. Root will be downloaded and another update attempted") if err := c.downloadRoot(); err != nil { - logrus.Error("Client Update (Root):", err) + logrus.Debug("Client Update (Root):", err) return err } // If we error again, we now have the latest root and just want to fail @@ -68,12 +68,12 @@ func (c *Client) Update() error { func (c *Client) update() error { err := c.downloadTimestamp() if err != nil { - logrus.Errorf("Client Update (Timestamp): %s", err.Error()) + logrus.Debugf("Client Update (Timestamp): %s", err.Error()) return err } err = c.downloadSnapshot() if err != nil { - logrus.Errorf("Client Update (Snapshot): %s", err.Error()) + logrus.Debugf("Client Update (Snapshot): %s", err.Error()) return err } err = c.checkRoot() @@ -86,7 +86,7 @@ func (c *Client) update() error { // will always need top level targets at a minimum err = c.downloadTargets("targets") if err != nil { - logrus.Errorf("Client Update (Targets): %s", err.Error()) + logrus.Debugf("Client Update (Targets): %s", err.Error()) return err } return nil diff --git a/vendor/src/github.com/docker/notary/tuf/signed/verifiers.go b/vendor/src/github.com/docker/notary/tuf/signed/verifiers.go index 4570bce3df..792186366d 100644 --- a/vendor/src/github.com/docker/notary/tuf/signed/verifiers.go +++ b/vendor/src/github.com/docker/notary/tuf/signed/verifiers.go @@ -60,7 +60,7 @@ func (v Ed25519Verifier) Verify(key data.PublicKey, sig []byte, msg []byte) erro } var sigBytes [ed25519.SignatureSize]byte if len(sig) != ed25519.SignatureSize { - logrus.Infof("signature length is incorrect, must be %d, was %d.", ed25519.SignatureSize, len(sig)) + logrus.Debugf("signature length is incorrect, must be %d, was %d.", ed25519.SignatureSize, len(sig)) return ErrInvalid } copy(sigBytes[:], sig) @@ -78,7 +78,7 @@ func (v Ed25519Verifier) Verify(key data.PublicKey, sig []byte, msg []byte) erro } if !ed25519.Verify(&keyBytes, msg, &sigBytes) { - logrus.Infof("failed ed25519 verification") + logrus.Debugf("failed ed25519 verification") return ErrInvalid } return nil @@ -87,23 +87,23 @@ func (v Ed25519Verifier) Verify(key data.PublicKey, sig []byte, msg []byte) erro func verifyPSS(key interface{}, digest, sig []byte) error { rsaPub, ok := key.(*rsa.PublicKey) if !ok { - logrus.Infof("value was not an RSA public key") + logrus.Debugf("value was not an RSA public key") return ErrInvalid } if rsaPub.N.BitLen() < minRSAKeySizeBit { - logrus.Infof("RSA keys less than 2048 bits are not acceptable, provided key has length %d.", rsaPub.N.BitLen()) + logrus.Debugf("RSA keys less than 2048 bits are not acceptable, provided key has length %d.", rsaPub.N.BitLen()) return ErrInvalidKeyLength{msg: fmt.Sprintf("RSA key must be at least %d bits.", minRSAKeySizeBit)} } if len(sig) < minRSAKeySizeByte { - logrus.Infof("RSA keys less than 2048 bits are not acceptable, provided signature has length %d.", len(sig)) + logrus.Debugf("RSA keys less than 2048 bits are not acceptable, provided signature has length %d.", len(sig)) return ErrInvalid } opts := rsa.PSSOptions{SaltLength: sha256.Size, Hash: crypto.SHA256} if err := rsa.VerifyPSS(rsaPub, crypto.SHA256, digest[:], sig, &opts); err != nil { - logrus.Infof("failed RSAPSS verification: %s", err) + logrus.Debugf("failed RSAPSS verification: %s", err) return ErrInvalid } return nil @@ -117,12 +117,12 @@ func getRSAPubKey(key data.PublicKey) (crypto.PublicKey, error) { case data.RSAx509Key: pemCert, _ := pem.Decode([]byte(key.Public())) if pemCert == nil { - logrus.Infof("failed to decode PEM-encoded x509 certificate") + logrus.Debugf("failed to decode PEM-encoded x509 certificate") return nil, ErrInvalid } cert, err := x509.ParseCertificate(pemCert.Bytes) if err != nil { - logrus.Infof("failed to parse x509 certificate: %s\n", err) + logrus.Debugf("failed to parse x509 certificate: %s\n", err) return nil, ErrInvalid } pubKey = cert.PublicKey @@ -130,12 +130,12 @@ func getRSAPubKey(key data.PublicKey) (crypto.PublicKey, error) { var err error pubKey, err = x509.ParsePKIXPublicKey(key.Public()) if err != nil { - logrus.Infof("failed to parse public key: %s\n", err) + logrus.Debugf("failed to parse public key: %s\n", err) return nil, ErrInvalid } default: // only accept RSA keys - logrus.Infof("invalid key type for RSAPSS verifier: %s", algorithm) + logrus.Debugf("invalid key type for RSAPSS verifier: %s", algorithm) return nil, ErrInvalidKeyType{} } @@ -172,17 +172,17 @@ func (v RSAPKCS1v15Verifier) Verify(key data.PublicKey, sig []byte, msg []byte) rsaPub, ok := pubKey.(*rsa.PublicKey) if !ok { - logrus.Infof("value was not an RSA public key") + logrus.Debugf("value was not an RSA public key") return ErrInvalid } if rsaPub.N.BitLen() < minRSAKeySizeBit { - logrus.Infof("RSA keys less than 2048 bits are not acceptable, provided key has length %d.", rsaPub.N.BitLen()) + logrus.Debugf("RSA keys less than 2048 bits are not acceptable, provided key has length %d.", rsaPub.N.BitLen()) return ErrInvalidKeyLength{msg: fmt.Sprintf("RSA key must be at least %d bits.", minRSAKeySizeBit)} } if len(sig) < minRSAKeySizeByte { - logrus.Infof("RSA keys less than 2048 bits are not acceptable, provided signature has length %d.", len(sig)) + logrus.Debugf("RSA keys less than 2048 bits are not acceptable, provided signature has length %d.", len(sig)) return ErrInvalid } @@ -207,13 +207,13 @@ func (v RSAPyCryptoVerifier) Verify(key data.PublicKey, sig []byte, msg []byte) k, _ := pem.Decode([]byte(key.Public())) if k == nil { - logrus.Infof("failed to decode PEM-encoded x509 certificate") + logrus.Debugf("failed to decode PEM-encoded x509 certificate") return ErrInvalid } pub, err := x509.ParsePKIXPublicKey(k.Bytes) if err != nil { - logrus.Infof("failed to parse public key: %s\n", err) + logrus.Debugf("failed to parse public key: %s\n", err) return ErrInvalid } @@ -232,13 +232,13 @@ func (v ECDSAVerifier) Verify(key data.PublicKey, sig []byte, msg []byte) error case data.ECDSAx509Key: pemCert, _ := pem.Decode([]byte(key.Public())) if pemCert == nil { - logrus.Infof("failed to decode PEM-encoded x509 certificate for keyID: %s", key.ID()) + logrus.Debugf("failed to decode PEM-encoded x509 certificate for keyID: %s", key.ID()) logrus.Debugf("certificate bytes: %s", string(key.Public())) return ErrInvalid } cert, err := x509.ParseCertificate(pemCert.Bytes) if err != nil { - logrus.Infof("failed to parse x509 certificate: %s\n", err) + logrus.Debugf("failed to parse x509 certificate: %s\n", err) return ErrInvalid } pubKey = cert.PublicKey @@ -246,25 +246,25 @@ func (v ECDSAVerifier) Verify(key data.PublicKey, sig []byte, msg []byte) error var err error pubKey, err = x509.ParsePKIXPublicKey(key.Public()) if err != nil { - logrus.Infof("Failed to parse private key for keyID: %s, %s\n", key.ID(), err) + logrus.Debugf("Failed to parse private key for keyID: %s, %s\n", key.ID(), err) return ErrInvalid } default: // only accept ECDSA keys. - logrus.Infof("invalid key type for ECDSA verifier: %s", algorithm) + logrus.Debugf("invalid key type for ECDSA verifier: %s", algorithm) return ErrInvalidKeyType{} } ecdsaPubKey, ok := pubKey.(*ecdsa.PublicKey) if !ok { - logrus.Infof("value isn't an ECDSA public key") + logrus.Debugf("value isn't an ECDSA public key") return ErrInvalid } sigLength := len(sig) expectedOctetLength := 2 * ((ecdsaPubKey.Params().BitSize + 7) >> 3) if sigLength != expectedOctetLength { - logrus.Infof("signature had an unexpected length") + logrus.Debugf("signature had an unexpected length") return ErrInvalid } @@ -275,7 +275,7 @@ func (v ECDSAVerifier) Verify(key data.PublicKey, sig []byte, msg []byte) error digest := sha256.Sum256(msg) if !ecdsa.Verify(ecdsaPubKey, digest[:], r, s) { - logrus.Infof("failed ECDSA signature validation") + logrus.Debugf("failed ECDSA signature validation") return ErrInvalid }