Update libtrust version

Signed-off-by: Victor Vieux <vieux@docker.com>

api/common.go

@@ -68,7 +68,7 @@ func LoadOrCreateTrustKey(trustKeyPath string) (libtrust.PrivateKey, error) {
 			return nil, fmt.Errorf("Error saving key file: %s", err)
 		}
 	} else if err != nil {
-		log.Fatalf("Error loading key file: %s", err)
+		return nil, fmt.Errorf("Error loading key file: %s", err)
 	}
 	return trustKey, nil
 }

integration/utils_test.go

@@ -9,6 +9,7 @@ import (
 	"net/http/httptest"
 	"os"
 	"path"
+	"path/filepath"
 	"strings"
 	"testing"
 	"time"
@@ -187,6 +188,7 @@ func newTestEngine(t Fataler, autorestart bool, root string) *engine.Engine {
 		// Either InterContainerCommunication or EnableIptables must be set,
 		// otherwise NewDaemon will fail because of conflicting settings.
 		InterContainerCommunication: true,
+		TrustKeyPath:                filepath.Join(root, "key.json"),
 	}
 	d, err := daemon.NewDaemon(cfg, eng)
 	if err != nil {

project/vendor.sh

@@ -51,7 +51,7 @@ clone hg code.google.com/p/go.net 84a4013f96e0
 
 clone hg code.google.com/p/gosqlite 74691fb6f837
 
-clone git github.com/docker/libtrust d273ef2565ca
+clone git github.com/docker/libtrust 230dfd18c232
 
 clone git github.com/Sirupsen/logrus v0.6.0
 

vendor/src/github.com/docker/libtrust/ec_key.go

@@ -55,16 +55,7 @@ func (k *ecPublicKey) CurveName() string {
 
 // KeyID returns a distinct identifier which is unique to this Public Key.
 func (k *ecPublicKey) KeyID() string {
-	// Generate and return a libtrust fingerprint of the EC public key.
-	// For an EC key this should be:
-	//   SHA256("EC"+curveName+bytes(X)+bytes(Y))
-	// Then truncated to 240 bits and encoded into 12 base32 groups like so:
-	//   ABCD:EFGH:IJKL:MNOP:QRST:UVWX:YZ23:4567:ABCD:EFGH:IJKL:MNOP
-	hasher := crypto.SHA256.New()
-	hasher.Write([]byte(k.KeyType() + k.CurveName()))
-	hasher.Write(k.X.Bytes())
-	hasher.Write(k.Y.Bytes())
-	return keyIDEncode(hasher.Sum(nil)[:30])
+	return keyIDFromCryptoKey(k)
 }
 
 func (k *ecPublicKey) String() string {

vendor/src/github.com/docker/libtrust/filter.go

@@ -11,9 +11,21 @@ func FilterByHosts(keys []PublicKey, host string, includeEmpty bool) ([]PublicKe
 	filtered := make([]PublicKey, 0, len(keys))
 
 	for _, pubKey := range keys {
-		hosts, ok := pubKey.GetExtendedField("hosts").([]interface{})
+		var hosts []string
+		switch v := pubKey.GetExtendedField("hosts").(type) {
+		case []string:
+			hosts = v
+		case []interface{}:
+			for _, value := range v {
+				h, ok := value.(string)
+				if !ok {
+					continue
+				}
+				hosts = append(hosts, h)
+			}
+		}
 
-		if !ok || (ok && len(hosts) == 0) {
+		if len(hosts) == 0 {
 			if includeEmpty {
 				filtered = append(filtered, pubKey)
 			}
@@ -21,12 +33,7 @@ func FilterByHosts(keys []PublicKey, host string, includeEmpty bool) ([]PublicKe
 		}
 
 		// Check if any hosts match pattern
-		for _, hostVal := range hosts {
-			hostPattern, ok := hostVal.(string)
-			if !ok {
-				continue
-			}
-
+		for _, hostPattern := range hosts {
 			match, err := filepath.Match(hostPattern, host)
 			if err != nil {
 				return nil, err
@@ -37,7 +44,6 @@ func FilterByHosts(keys []PublicKey, host string, includeEmpty bool) ([]PublicKe
 				continue
 			}
 		}
-
 	}
 
 	return filtered, nil

vendor/src/github.com/docker/libtrust/filter_test.go

@@ -27,6 +27,8 @@ func TestFilter(t *testing.T) {
 			t.Fatal(err)
 		}
 
+		// we use both []interface{} and []string here because jwt uses
+		// []interface{} format, while PEM uses []string
 		switch {
 		case i == 0:
 			// Don't add entries for this key, key 0.
@@ -36,10 +38,10 @@ func TestFilter(t *testing.T) {
 			key.AddExtendedField("hosts", []interface{}{"*.even.example.com"})
 		case i == 7:
 			// Should catch only the last key, and make it match any hostname.
-			key.AddExtendedField("hosts", []interface{}{"*"})
+			key.AddExtendedField("hosts", []string{"*"})
 		default:
 			// should catch keys 1, 3, 5.
-			key.AddExtendedField("hosts", []interface{}{"*.example.com"})
+			key.AddExtendedField("hosts", []string{"*.example.com"})
 		}
 
 		keys = append(keys, key)

vendor/src/github.com/docker/libtrust/key_files_test.go

@@ -138,7 +138,7 @@ func testTrustedHostKeysFile(t *testing.T, trustedHostKeysFilename string) {
 	}
 
 	for addr, hostKey := range trustedHostKeysMapping {
-		t.Logf("Host Address: %s\n", addr)
+		t.Logf("Host Address: %d\n", addr)
 		t.Logf("Host Key: %s\n\n", hostKey)
 	}
 
@@ -160,7 +160,7 @@ func testTrustedHostKeysFile(t *testing.T, trustedHostKeysFilename string) {
 	}
 
 	for addr, hostKey := range trustedHostKeysMapping {
-		t.Logf("Host Address: %s\n", addr)
+		t.Logf("Host Address: %d\n", addr)
 		t.Logf("Host Key: %s\n\n", hostKey)
 	}
 

vendor/src/github.com/docker/libtrust/rsa_key.go

@@ -34,16 +34,7 @@ func (k *rsaPublicKey) KeyType() string {
 
 // KeyID returns a distinct identifier which is unique to this Public Key.
 func (k *rsaPublicKey) KeyID() string {
-	// Generate and return a 'libtrust' fingerprint of the RSA public key.
-	// For an RSA key this should be:
-	//   SHA256("RSA"+bytes(N)+bytes(E))
-	// Then truncated to 240 bits and encoded into 12 base32 groups like so:
-	//   ABCD:EFGH:IJKL:MNOP:QRST:UVWX:YZ23:4567:ABCD:EFGH:IJKL:MNOP
-	hasher := crypto.SHA256.New()
-	hasher.Write([]byte(k.KeyType()))
-	hasher.Write(k.N.Bytes())
-	hasher.Write(serializeRSAPublicExponentParam(k.E))
-	return keyIDEncode(hasher.Sum(nil)[:30])
+	return keyIDFromCryptoKey(k)
 }
 
 func (k *rsaPublicKey) String() string {

vendor/src/github.com/docker/libtrust/trustgraph/statement_test.go

@@ -201,7 +201,7 @@ func TestCollapseGrants(t *testing.T) {
 
 	collapsedGrants, expiration, err := CollapseStatements(statements, false)
 	if len(collapsedGrants) != 12 {
-		t.Fatalf("Unexpected number of grants\n\tExpected: %d\n\tActual: %s", 12, len(collapsedGrants))
+		t.Fatalf("Unexpected number of grants\n\tExpected: %d\n\tActual: %d", 12, len(collapsedGrants))
 	}
 	if expiration.After(time.Now().Add(time.Hour*5)) || expiration.Before(time.Now()) {
 		t.Fatalf("Unexpected expiration time: %s", expiration.String())
@@ -261,7 +261,7 @@ func TestCollapseGrants(t *testing.T) {
 
 	collapsedGrants, expiration, err = CollapseStatements(statements, false)
 	if len(collapsedGrants) != 12 {
-		t.Fatalf("Unexpected number of grants\n\tExpected: %d\n\tActual: %s", 12, len(collapsedGrants))
+		t.Fatalf("Unexpected number of grants\n\tExpected: %d\n\tActual: %d", 12, len(collapsedGrants))
 	}
 	if expiration.After(time.Now().Add(time.Hour*5)) || expiration.Before(time.Now()) {
 		t.Fatalf("Unexpected expiration time: %s", expiration.String())

vendor/src/github.com/docker/libtrust/util.go

@@ -2,6 +2,7 @@ package libtrust
 
 import (
 	"bytes"
+	"crypto"
 	"crypto/elliptic"
 	"crypto/x509"
 	"encoding/base32"
@@ -52,6 +53,21 @@ func keyIDEncode(b []byte) string {
 	return buf.String()
 }
 
+func keyIDFromCryptoKey(pubKey PublicKey) string {
+	// Generate and return a 'libtrust' fingerprint of the public key.
+	// For an RSA key this should be:
+	//   SHA256(DER encoded ASN1)
+	// Then truncated to 240 bits and encoded into 12 base32 groups like so:
+	//   ABCD:EFGH:IJKL:MNOP:QRST:UVWX:YZ23:4567:ABCD:EFGH:IJKL:MNOP
+	derBytes, err := x509.MarshalPKIXPublicKey(pubKey.CryptoPublicKey())
+	if err != nil {
+		return ""
+	}
+	hasher := crypto.SHA256.New()
+	hasher.Write(derBytes)
+	return keyIDEncode(hasher.Sum(nil)[:30])
+}
+
 func stringFromMap(m map[string]interface{}, key string) (string, error) {
 	val, ok := m[key]
 	if !ok {

vendor/src/github.com/docker/libtrust/util_test.go

@@ -0,0 +1,23 @@
+package libtrust
+
+import (
+	"encoding/pem"
+	"reflect"
+	"testing"
+)
+
+func TestAddPEMHeadersToKey(t *testing.T) {
+	pk := &rsaPublicKey{nil, map[string]interface{}{}}
+	blk := &pem.Block{Headers: map[string]string{"hosts": "localhost,127.0.0.1"}}
+	addPEMHeadersToKey(blk, pk)
+
+	val := pk.GetExtendedField("hosts")
+	hosts, ok := val.([]string)
+	if !ok {
+		t.Fatalf("hosts type(%v), expected []string", reflect.TypeOf(val))
+	}
+	expected := []string{"localhost", "127.0.0.1"}
+	if !reflect.DeepEqual(hosts, expected) {
+		t.Errorf("hosts(%v), expected %v", hosts, expected)
+	}
+}