From bd229f102ae5e782f646d984f772cdb34d5a0dd2 Mon Sep 17 00:00:00 2001
From: Volodymyr Khoroz
Date: Fri, 11 Aug 2023 15:47:32 +0300
Subject: [PATCH] Cleanup: extract common logic to add new TUF key

This simply makes the next commit easier; and is good anyway.

Signed-off-by: Volodymyr Khoroz
---
 .../keys/tuf_updates_add_offline_key.go    | 23 ++++++-----------
 .../keys/tuf_updates_rotate_offline_key.go | 25 ++++++-------------
 subcommands/keys/tuf_utils.go              | 10 ++++++++
 3 files changed, 25 insertions(+), 33 deletions(-)

diff --git a/subcommands/keys/tuf_updates_add_offline_key.go b/subcommands/keys/tuf_updates_add_offline_key.go
index 83c8fcf1..cb5a1499 100644
--- a/subcommands/keys/tuf_updates_add_offline_key.go
+++ b/subcommands/keys/tuf_updates_add_offline_key.go
@@ -90,28 +90,21 @@ func doTufUpdatesAddOfflineKey(cmd *cobra.Command, args []string) {
 }
 
 func addOfflineRootKey(root *client.AtsTufRoot, creds OfflineCreds, keyType TufKeyType) {
-	subcommands.DieNotNil(checkNoTufSigner(root, creds, root.Signed.Roles["root"].KeyIDs))
+	oldKids := root.Signed.Roles["root"].KeyIDs
+	subcommands.DieNotNil(checkNoTufSigner(root, creds, oldKids))
 	kp := genTufKeyPair(keyType)
-	root.Signed.Keys[kp.signer.Id] = kp.atsPub
-	root.Signed.Roles["root"].KeyIDs = append(root.Signed.Roles["root"].KeyIDs, kp.signer.Id)
-
-	base := "tufrepo/keys/fioctl-root-" + kp.signer.Id
-	creds[base+".pub"] = kp.atsPubBytes
-	creds[base+".sec"] = kp.atsPrivBytes
+	addOfflineTufKey(root, "root", kp, oldKids, creds)
 	fmt.Println("= New root keyid:", kp.signer.Id)
 }
 
 func addOfflineTargetsKey(root *client.AtsTufRoot, creds OfflineCreds, keyType TufKeyType, onlineTargetsId string) {
-	subcommands.DieNotNil(checkNoTufSigner(root, creds,
-		subcommands.SliceRemove(root.Signed.Roles["targets"].KeyIDs, onlineTargetsId)))
+	oldKids := root.Signed.Roles["targets"].KeyIDs
+	if len(oldKids) > 1 {
+		subcommands.DieNotNil(checkNoTufSigner(root, creds, subcommands.SliceRemove(oldKids, onlineTargetsId)))
+	}
 	kp := genTufKeyPair(keyType)
-	root.Signed.Keys[kp.signer.Id] = kp.atsPub
-	root.Signed.Roles["targets"].KeyIDs = append(root.Signed.Roles["targets"].KeyIDs, kp.signer.Id)
-
-	base := "tufrepo/keys/fioctl-targets-" + kp.signer.Id
-	creds[base+".pub"] = kp.atsPubBytes
-	creds[base+".sec"] = kp.atsPrivBytes
+	addOfflineTufKey(root, "targets", kp, oldKids, creds)
 	fmt.Println("= New targets keyid:", kp.signer.Id)
 }
diff --git a/subcommands/keys/tuf_updates_rotate_offline_key.go b/subcommands/keys/tuf_updates_rotate_offline_key.go
index 5ae12b89..88dac9bf 100644
--- a/subcommands/keys/tuf_updates_rotate_offline_key.go
+++ b/subcommands/keys/tuf_updates_rotate_offline_key.go
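Review bot: The new `if len(oldKids) > 1` guard in addOfflineTargetsKey only matches the previous unconditional check when onlineTargetsId is actually one of the targets KeyIDs; if it is absent, a role holding a single offline key skips checkNoTufSigner entirely. The removed expression states the intent without that assumption and still skips the check when no offline key exists yet: `if offline := subcommands.SliceRemove(oldKids, onlineTargetsId); len(offline) > 0 { subcommands.DieNotNil(checkNoTufSigner(root, creds, offline)) }`. The same `> 1` guard replaces an explicit `len(oldOfflineKids) > 0` test in replaceOfflineTargetsKey in tuf_updates_rotate_offline_key.go, so both sites should use the same form.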
@@ -207,18 +207,14 @@ func doTufUpdatesRotateOfflineTargetsKey(cmd *cobra.Command) {
 func replaceOfflineRootKey(
 	root *client.AtsTufRoot, creds OfflineCreds, keyType TufKeyType,
 ) (TufSigner, OfflineCreds) {
-	oldKey, err := FindOneTufSigner(root, creds, root.Signed.Roles["root"].KeyIDs)
+	oldKids := root.Signed.Roles["root"].KeyIDs
+	oldKey, err := FindOneTufSigner(root, creds, oldKids)
 	subcommands.DieNotNil(err)
-	newKids := subcommands.SliceRemove(root.Signed.Roles["root"].KeyIDs, oldKey.Id)
+	oldKids = subcommands.SliceRemove(oldKids, oldKey.Id)
 	kp := genTufKeyPair(keyType)
-	root.Signed.Keys[kp.signer.Id] = kp.atsPub
+	addOfflineTufKey(root, "root", kp, oldKids, creds)
 	root.Signed.Expires = time.Now().AddDate(1, 0, 0).UTC().Round(time.Second) // 1 year validity
-	root.Signed.Roles["root"].KeyIDs = append(newKids, kp.signer.Id)
-
-	base := "tufrepo/keys/fioctl-root-" + kp.signer.Id
-	creds[base+".pub"] = kp.atsPubBytes
-	creds[base+".sec"] = kp.atsPrivBytes
 	return kp.signer, creds
 }
@@ -227,21 +223,14 @@ func replaceOfflineTargetsKey(
 ) (TufSigner, OfflineCreds) {
 	// Support first key rotation (no offline targets key yet) for backward-compatibility.
 	oldKids := root.Signed.Roles["targets"].KeyIDs
-	oldOfflineKids := subcommands.SliceRemove(oldKids, onlineTargetsId)
-	if len(oldOfflineKids) > 0 {
-		oldKey, err := FindOneTufSigner(root, creds, oldOfflineKids)
+	if len(oldKids) > 1 {
+		oldKey, err := FindOneTufSigner(root, creds, subcommands.SliceRemove(oldKids, onlineTargetsId))
 		subcommands.DieNotNil(err)
 		oldKids = subcommands.SliceRemove(oldKids, oldKey.Id)
 	}
 	kp := genTufKeyPair(keyType)
-	root.Signed.Keys[kp.signer.Id] = kp.atsPub
-	root.Signed.Roles["targets"].KeyIDs = append(oldKids, kp.signer.Id)
-	root.Signed.Roles["targets"].Threshold = 1
-
-	base := "tufrepo/keys/fioctl-targets-" + kp.signer.Id
-	creds[base+".pub"] = kp.atsPubBytes
-	creds[base+".sec"] = kp.atsPrivBytes
+	addOfflineTufKey(root, "targets", kp, oldKids, creds)
 	return kp.signer, creds
 }
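Review bot: In replaceOfflineRootKey the line `oldKids = subcommands.SliceRemove(oldKids, oldKey.Id)` reuses `oldKids` for the IDs that survive the rotation, so from that line on the name says the opposite of what the variable holds; the removed `newKids` was clearer. A separate name keeps the refactor intact: `keptKids := subcommands.SliceRemove(oldKids, oldKey.Id)` and `addOfflineTufKey(root, "root", kp, keptKids, creds)`. replaceOfflineTargetsKey below reassigns `oldKids` the same way, and the helper's `oldKids` parameter in tuf_utils.go carries this "IDs to keep" meaning too, so it could be renamed along with them.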
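Review bot: The rewrite of replaceOfflineTargetsKey drops the removed `root.Signed.Roles["targets"].Threshold = 1` assignment, and addOfflineTufKey in tuf_utils.go does not touch Threshold, so a targets role whose threshold was not already 1 now keeps its previous value after the rotation. That is a behaviour change in a commit described as pure cleanup, and the threshold decides how many of the listed keys must sign, so it deserves to be explicit. Either keep the line after the helper call, `addOfflineTufKey(root, "targets", kp, oldKids, creds)` followed by `root.Signed.Roles["targets"].Threshold = 1`, or state in the commit message that the reset is intentionally removed.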
diff --git a/subcommands/keys/tuf_utils.go b/subcommands/keys/tuf_utils.go
index 49765ebf..e366e780 100644
--- a/subcommands/keys/tuf_utils.go
+++ b/subcommands/keys/tuf_utils.go
@@ -313,6 +313,16 @@ func findTufSigners(root *client.AtsTufRoot, creds OfflineCreds, keyids []string
 	return matchSigners, nil
 }
 
+func addOfflineTufKey(
+	root *client.AtsTufRoot, role tuf.RoleName, key TufKeyPair, oldKids []string, creds OfflineCreds,
+) {
+	base := fmt.Sprintf("tufrepo/keys/fioctl-%s-%s", role, key.signer.Id)
+	creds[base+".pub"] = key.atsPubBytes
+	creds[base+".sec"] = key.atsPrivBytes
+	root.Signed.Keys[key.signer.Id] = key.atsPub
+	root.Signed.Roles[role].KeyIDs = append(oldKids, key.signer.Id)
+}
+
 func removeUnusedTufKeys(root *client.AtsTufRoot) {
 	var inuse []string
 	for _, role := range root.Signed.Roles {
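Review bot: addOfflineTufKey has no comment, and its contract is not visible from the signature: it sets the role's KeyIDs to `oldKids` plus the new ID rather than appending to the current list, stores the public key in root.Signed.Keys, and writes both the public and the private key bytes into creds under `tufrepo/keys/fioctl-<role>-<id>`. A header along the lines of `// addOfflineTufKey adds key to role in root and records its key pair in creds; the role's KeyIDs become oldKids plus the new key ID, so oldKids must already exclude any ID being retired, and role must exist in root.Signed.Roles.` would capture it. The last clause matters because `root.Signed.Roles[role].KeyIDs = ...` dereferences the map entry and panics on a missing role; both callers pass literal roles today, so it is a precondition rather than a bug, but the comment should say so.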