daemon/config: remove and local trustkey utilities

Turned out that the loadOrCreateTrustKey() utility was doing exactly the
same as libtrust.LoadOrCreateTrustKey(), so making it a thin wrapped. I kept
the tests to verify the behavior, but we could remove them as we only need this
for our integration tests.

The storage location for the generated key was changed (again as we only need
this for some integration tests), so we can remove the TrustKeyPath from the
config.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 5cdd6ab7cd4af97da2150cd649acfdb19ea8d700)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

cmd/dockerd/daemon_windows.go

@@ -24,7 +24,7 @@ func setDefaultUmask() error {
 }
 
 func getDaemonConfDir(root string) (string, error) {
-	return filepath.Join(root, `\config`), nil
+	return filepath.Join(root, "config"), nil
 }
 
 // preNotifyReady sends a message to the host when the API is active, but before the daemon is

cmd/dockerd/docker_windows.go

@@ -24,7 +24,7 @@ func runDaemon(opts *daemonOptions) error {
 
 	// Windows specific settings as these are not defaulted.
 	if opts.configFile == "" {
-		opts.configFile = filepath.Join(opts.daemonConfig.Root, `config\daemon.json`)
+		opts.configFile = filepath.Join(opts.daemonConfig.Root, "config", "daemon.json")
 	}
 	if runAsService {
 		// If Windows SCM manages the service - no need for PID files

daemon/trustkey.go

@@ -1,57 +1,9 @@
 package daemon // import "github.com/docker/docker/daemon"
 
-import (
-	"encoding/json"
-	"encoding/pem"
-	"fmt"
-	"os"
-	"path/filepath"
-
-	"github.com/docker/docker/pkg/ioutils"
-	"github.com/docker/docker/pkg/system"
-	"github.com/docker/libtrust"
-)
+import "github.com/docker/libtrust"
 
 // LoadOrCreateTrustKey attempts to load the libtrust key at the given path,
-// otherwise generates a new one
-// TODO: this should use more of libtrust.LoadOrCreateTrustKey which may need
-// a refactor or this function to be moved into libtrust
+// otherwise generates a new one.
 func loadOrCreateTrustKey(trustKeyPath string) (libtrust.PrivateKey, error) {
-	err := system.MkdirAll(filepath.Dir(trustKeyPath), 0755)
-	if err != nil {
-		return nil, err
-	}
-	trustKey, err := libtrust.LoadKeyFile(trustKeyPath)
-	if err == libtrust.ErrKeyFileDoesNotExist {
-		trustKey, err = libtrust.GenerateECP256PrivateKey()
-		if err != nil {
-			return nil, fmt.Errorf("Error generating key: %s", err)
-		}
-		encodedKey, err := serializePrivateKey(trustKey, filepath.Ext(trustKeyPath))
-		if err != nil {
-			return nil, fmt.Errorf("Error serializing key: %s", err)
-		}
-		if err := ioutils.AtomicWriteFile(trustKeyPath, encodedKey, os.FileMode(0600)); err != nil {
-			return nil, fmt.Errorf("Error saving key file: %s", err)
-		}
-	} else if err != nil {
-		return nil, fmt.Errorf("Error loading key file %s: %s", trustKeyPath, err)
-	}
-	return trustKey, nil
-}
-
-func serializePrivateKey(key libtrust.PrivateKey, ext string) (encoded []byte, err error) {
-	if ext == ".json" || ext == ".jwk" {
-		encoded, err = json.Marshal(key)
-		if err != nil {
-			return nil, fmt.Errorf("unable to encode private key JWK: %s", err)
-		}
-	} else {
-		pemBlock, err := key.PEMBlock()
-		if err != nil {
-			return nil, fmt.Errorf("unable to encode private key PEM: %s", err)
-		}
-		encoded = pem.EncodeToMemory(pemBlock)
-	}
-	return
+	return libtrust.LoadOrCreateTrustKey(trustKeyPath)
 }

daemon/trustkey_test.go

@@ -7,29 +7,20 @@ import (
 
 	"gotest.tools/v3/assert"
 	is "gotest.tools/v3/assert/cmp"
-	"gotest.tools/v3/fs"
 )
 
 // LoadOrCreateTrustKey
 func TestLoadOrCreateTrustKeyInvalidKeyFile(t *testing.T) {
-	tmpKeyFolderPath, err := os.MkdirTemp("", "api-trustkey-test")
+	tmpKeyFile, err := os.CreateTemp(t.TempDir(), "keyfile")
 	assert.NilError(t, err)
-	defer os.RemoveAll(tmpKeyFolderPath)
-
-	tmpKeyFile, err := os.CreateTemp(tmpKeyFolderPath, "keyfile")
-	assert.NilError(t, err)
-	defer tmpKeyFile.Close()
+	_ = tmpKeyFile.Close()
 
 	_, err = loadOrCreateTrustKey(tmpKeyFile.Name())
-	assert.Check(t, is.ErrorContains(err, "Error loading key file"))
+	assert.Check(t, is.ErrorContains(err, "error loading key file"))
 }
 
 func TestLoadOrCreateTrustKeyCreateKeyWhenFileDoesNotExist(t *testing.T) {
-	tmpKeyFolderPath := fs.NewDir(t, "api-trustkey-test")
-	defer tmpKeyFolderPath.Remove()
-
-	// Without the need to create the folder hierarchy
-	tmpKeyFile := tmpKeyFolderPath.Join("keyfile")
+	tmpKeyFile := filepath.Join(t.TempDir(), "keyfile")
 
 	key, err := loadOrCreateTrustKey(tmpKeyFile)
 	assert.NilError(t, err)
@@ -40,10 +31,7 @@ func TestLoadOrCreateTrustKeyCreateKeyWhenFileDoesNotExist(t *testing.T) {
 }
 
 func TestLoadOrCreateTrustKeyCreateKeyWhenDirectoryDoesNotExist(t *testing.T) {
-	tmpKeyFolderPath := fs.NewDir(t, "api-trustkey-test")
-	defer tmpKeyFolderPath.Remove()
-	tmpKeyFile := tmpKeyFolderPath.Join("folder/hierarchy/keyfile")
-
+	tmpKeyFile := filepath.Join(t.TempDir(), "folder/hierarchy/keyfile")
 	key, err := loadOrCreateTrustKey(tmpKeyFile)
 	assert.NilError(t, err)
 	assert.Check(t, key != nil)