From 4fee997956c6b0f5b8a7b85bd17e4ba87475cb24 Mon Sep 17 00:00:00 2001
From: Marina Moore
Date: Mon, 29 Nov 2021 15:56:45 -0500
Subject: [PATCH] add use of keyfile passphrase

Signed-off-by: Marina Moore
---
 go.mod | 1 +
 go.sum | 1 +
 tuf-notary/cmd/delegate.go | 9 +++++--
 tuf-notary/cmd/main.go | 2 +-
 tuf-notary/registry-access.go | 2 +-
 tuf-notary/tuf-repository.go | 45 ++++++++++++++++++++++++++++++-----
 6 files changed, 50 insertions(+), 10 deletions(-)

diff --git a/go.mod b/go.mod
index 14d0f54..489e910 100644
--- a/go.mod
+++ b/go.mod
@@ -63,6 +63,7 @@ require (
 golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4 // indirect
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c // indirect
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1 // indirect
+ golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1 // indirect
 golang.org/x/text v0.3.5 // indirect
 google.golang.org/genproto v0.0.0-20210602131652-f16073e35f0c // indirect
 google.golang.org/grpc v1.38.0 // indirect
diff --git a/go.sum b/go.sum
index b852afe..6711f05 100644
--- a/go.sum
+++ b/go.sum
@@ -966,6 +966,7 @@ golang.org/x/sys v0.0.0-20210426230700-d19ff857e887/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1 h1:SrN+KX8Art/Sf4HNj6Zcz06G7VEz+7w9tdXTPOZ7+l4=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1 h1:v+OssWQX+hTHEmOBgwxdZxK4zHq3yOs8F9J7mk0PY8E=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
diff --git a/tuf-notary/cmd/delegate.go b/tuf-notary/cmd/delegate.go
index 4dfff15..ae499cd 100644
--- a/tuf-notary/cmd/delegate.go +++ b/tuf-notary/cmd/delegate.go @@ -10,7 +10,7 @@ import ( func init() { register("delegate", cmdDelegate, ` -usage: tuf-notary delegate [--repo= --keyfiles= --threshold=] +usage: tuf-notary delegate [--repo= --keyfiles= --threshold= --no-passphrase] Add a delegation from the top-level targets role to delegatee and push the updated targets metadata to the TUF reposistory on the registry. @@ -42,6 +42,11 @@ func cmdDelegate(args []string, opts docopt.Opts) error { } } + passphrase := true + if p := opts["--no-passphrase"]; p != nil { + passphrase = !p.(bool) + } + registry := args[0] delegatee := args[1] @@ -55,7 +60,7 @@ func cmdDelegate(args []string, opts docopt.Opts) error { } //add delegation - err = tufnotary.Delegate(repository, delegatee, keyfiles, threshold) + err = tufnotary.Delegate(repository, delegatee, keyfiles, threshold, passphrase) if err != nil { return err diff --git a/tuf-notary/cmd/main.go b/tuf-notary/cmd/main.go index c2bce5d..f0615e2 100644 --- a/tuf-notary/cmd/main.go +++ b/tuf-notary/cmd/main.go @@ -11,7 +11,7 @@ func main() { usage := ` Usage: tuf-notary [....] - tuf-notary [....] [--repo= --keyfiles= --threshold] + tuf-notary [....] [--repo= --keyfiles= --threshold= --no-passphrase] Commands: help Show usage for a specific command diff --git a/tuf-notary/registry-access.go b/tuf-notary/registry-access.go index 1febeb9..badf2d5 100644 --- a/tuf-notary/registry-access.go +++ b/tuf-notary/registry-access.go @@ -68,6 +68,6 @@ func DownloadTUFMetadata(registry string, repository string, name string) error fileStore := content.NewFile("") defer fileStore.Close() allowedMediaTypes := []string{mediaType} - desc, err := oras.Copy(ctx, reg, ref, fileStore, "", oras.WithAllowedMediaTypes(allowedMediaTypes)) + _, err = oras.Copy(ctx, reg, ref, fileStore, "", oras.WithAllowedMediaTypes(allowedMediaTypes)) return err } 
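Review bot: The option handling in the second delegate.go hunk stores the inverse of `--no-passphrase` in a bool named `passphrase`, so the later call `tufnotary.Delegate(repository, delegatee, keyfiles, threshold, passphrase)` reads as if a secret were being passed; a name such as `usePassphrase` would make the call site self-describing. The unchecked `p.(bool)` assertion presumably relies on docopt producing a bool for an argument-less flag; the comma-ok form `if p, ok := opts["--no-passphrase"].(bool); ok { passphrase = !p }` keeps the same behaviour without a panic if the option table ever changes. The enclosing cmdDelegate starts and ends outside the hunk.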
diff --git a/tuf-notary/tuf-repository.go b/tuf-notary/tuf-repository.go index 0a4ad67..cb13dfb 100644 --- a/tuf-notary/tuf-repository.go +++ b/tuf-notary/tuf-repository.go @@ -1,14 +1,19 @@ package tufnotary import ( + "bytes" + "errors" "fmt" "os" "path/filepath" + "strings" + "syscall" "github.com/theupdateframework/go-tuf" "github.com/theupdateframework/go-tuf/data" "github.com/theupdateframework/go-tuf/pkg/keys" util "github.com/theupdateframework/go-tuf/util" + "golang.org/x/crypto/ssh/terminal" ) func Init(repository string) error { @@ -65,7 +70,7 @@ func Init(repository string) error { return err } -func Delegate(repository string, delegatee string, keyfiles []string, threshold int) error { +func Delegate(repository string, delegatee string, keyfiles []string, threshold int, passphrase bool) error { workingDir, err := os.Getwd() if err != nil { return err @@ -73,12 +78,10 @@ func Delegate(repository string, delegatee string, keyfiles []string, threshold dir := filepath.Join(workingDir, repository) - //TODO: allow for this to be true - // insecure := true var p util.PassphraseFunc - //if !insecure { - //p = getPassphrase - //} + if passphrase { + p = getPassphrase + } repo, err := tuf.NewRepo(tuf.FileSystemStore(dir, p)) if err != nil { 
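Review bot: The new import `golang.org/x/crypto/ssh/terminal` in the first tuf-repository.go hunk is the deprecated location of this API, which has moved to `golang.org/x/term`; this commit already pulls `golang.org/x/term` into go.mod as an indirect dependency, so importing it directly and calling `term.ReadPassword` would drop the wrapper package and make the requirement direct. The same applies to the two `terminal.ReadPassword` calls in `getPassphrase` in the final hunk. Separately, the new `passphrase bool` parameter on `Delegate` has no doc comment; something like `// Delegate adds delegatee to the top-level targets role of repository. When passphrase is true, the file-system key store is opened with getPassphrase as its passphrase function; when false, no passphrase function is supplied (the keys are then presumably expected to be unencrypted — confirm against go-tuf's FileSystemStore).` would record the security-relevant choice the `--no-passphrase` flag makes. Delegate's body continues outside the hunk.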
@@ -148,3 +151,33 @@ func Delegate(repository string, delegatee string, keyfiles []string, threshold
 err = repo.Commit()
 return err
 }
+
+//from go-tuf/cmd/tuf/main.go
+func getPassphrase(role string, confirm bool) ([]byte, error) {
+ if pass := os.Getenv(fmt.Sprintf("TUF_%s_PASSPHRASE", strings.ToUpper(role))); pass != "" {
+ return []byte(pass), nil
+ }
+
+ fmt.Printf("Enter %s keys passphrase: ", role)
+ passphrase, err := terminal.ReadPassword(int(syscall.Stdin))
+ fmt.Println()
+ if err != nil {
+ return nil, err
+ }
+
+ if !confirm {
+ return passphrase, nil
+ }
+
+ fmt.Printf("Repeat %s keys passphrase: ", role)
+ confirmation, err := terminal.ReadPassword(int(syscall.Stdin))
+ fmt.Println()
+ if err != nil {
+ return nil, err
+ }
+
+ if !bytes.Equal(passphrase, confirmation) {
+ return nil, errors.New("The entered passphrases do not match")
+ }
+ return passphrase, nil
+}
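Review bot: `getPassphrase` writes its prompts to stdout with `fmt.Printf` while `terminal.ReadPassword` reads from the terminal, so when stdout is redirected or captured by a wrapper the prompt vanishes and the tool appears to hang; the prompts and the trailing `fmt.Println()` calls belong on stderr, e.g. `fmt.Fprintf(os.Stderr, "Enter %s keys passphrase: ", role)`. When stdin is not a terminal (scripts, CI) `ReadPassword` returns an error, which makes the `TUF_<ROLE>_PASSPHRASE` environment lookup the only non-interactive path, and that contract deserves a doc comment: `// getPassphrase returns the passphrase for role's keys: the value of $TUF_<ROLE>_PASSPHRASE if set, otherwise a passphrase read from the terminal, read twice and compared when confirm is true.` The `//from go-tuf/cmd/tuf/main.go` comment is useful provenance; keeping it lets future fixes in the upstream copy be mirrored here. The error string `"The entered passphrases do not match"` should be lowercase per Go convention, `errors.New("the entered passphrases do not match")`.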