Merge pull request #33111 from cpuguy83/rerun_vendor

Re-run vndr

vendor.conf

@@ -56,13 +56,8 @@ github.com/opencontainers/go-digest a6d0ee40d4207ea02364bd3b9e8e77b9159ba1eb
 github.com/mistifyio/go-zfs 22c9b32c84eb0d0c6f4043b6e90fc94073de92fa
 github.com/pborman/uuid v1.0
 
-# get desired notary commit, might also need to be updated in Dockerfile
-github.com/docker/notary v0.4.2
-
 google.golang.org/grpc v1.0.4
 github.com/miekg/pkcs11 df8ae6ca730422dba20c768ff38ef7d79077a59f
-github.com/docker/go v1.5.1-1-1-gbaf439e
-github.com/agl/ed25519 d2b94fd789ea21d12fac1a4443dd3a3f79cda72c
 
 # When updating, also update RUNC_COMMIT in hack/dockerfile/binaries-commits accordingly
 github.com/opencontainers/runc b6b70e53451794e8333e9b602cc096b47a20bd0f 
@@ -134,16 +129,9 @@ github.com/grpc-ecosystem/go-grpc-prometheus 6b7015e65d366bf3f19b2b2a000a831940f
 github.com/spf13/cobra v1.5.1 https://github.com/dnephin/cobra.git
 github.com/spf13/pflag 9ff6c6923cfffbcd502984b8e0c80539a94968b7
 github.com/inconshreveable/mousetrap 76626ae9c91c4f2a10f34cad8ce83ea42c93bb75
-github.com/flynn-archive/go-shlex 3f9db97f856818214da2e1057f8ad84803971cff
 github.com/Nvveen/Gotty a8b993ba6abdb0e0c12b0125c603323a71c7790c https://github.com/ijc25/Gotty
 
 # metrics
 github.com/docker/go-metrics 8fd5772bf1584597834c6f7961a530f06cbfbb87
 
-# composefile
-github.com/mitchellh/mapstructure f3009df150dadf309fdee4a54ed65c124afad715
-github.com/xeipuuv/gojsonpointer e0fe6f68307607d540ed8eac07a342c33fa1b54a
-github.com/xeipuuv/gojsonreference e02fc20de94c78484cd5ffb007f8af96be030a45
-github.com/xeipuuv/gojsonschema 93e72a773fade158921402d6a24c819b48aba29d
-gopkg.in/yaml.v2 4c78c975fe7c825c6d1466c42be594d1d6f3aba6
 github.com/opencontainers/selinux v1.0.0-rc1

vendor/github.com/agl/ed25519/LICENSE

@@ -1,27 +0,0 @@
-Copyright (c) 2012 The Go Authors. All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are
-met:
-
-   * Redistributions of source code must retain the above copyright
-notice, this list of conditions and the following disclaimer.
-   * Redistributions in binary form must reproduce the above
-copyright notice, this list of conditions and the following disclaimer
-in the documentation and/or other materials provided with the
-distribution.
-   * Neither the name of Google Inc. nor the names of its
-contributors may be used to endorse or promote products derived from
-this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
-"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
-LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
-A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
-OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
-LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

vendor/github.com/agl/ed25519/ed25519.go

@@ -1,125 +0,0 @@
-// Copyright 2013 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Package ed25519 implements the Ed25519 signature algorithm. See
-// http://ed25519.cr.yp.to/.
-package ed25519
-
-// This code is a port of the public domain, "ref10" implementation of ed25519
-// from SUPERCOP.
-
-import (
-	"crypto/sha512"
-	"crypto/subtle"
-	"io"
-
-	"github.com/agl/ed25519/edwards25519"
-)
-
-const (
-	PublicKeySize  = 32
-	PrivateKeySize = 64
-	SignatureSize  = 64
-)
-
-// GenerateKey generates a public/private key pair using randomness from rand.
-func GenerateKey(rand io.Reader) (publicKey *[PublicKeySize]byte, privateKey *[PrivateKeySize]byte, err error) {
-	privateKey = new([64]byte)
-	publicKey = new([32]byte)
-	_, err = io.ReadFull(rand, privateKey[:32])
-	if err != nil {
-		return nil, nil, err
-	}
-
-	h := sha512.New()
-	h.Write(privateKey[:32])
-	digest := h.Sum(nil)
-
-	digest[0] &= 248
-	digest[31] &= 127
-	digest[31] |= 64
-
-	var A edwards25519.ExtendedGroupElement
-	var hBytes [32]byte
-	copy(hBytes[:], digest)
-	edwards25519.GeScalarMultBase(&A, &hBytes)
-	A.ToBytes(publicKey)
-
-	copy(privateKey[32:], publicKey[:])
-	return
-}
-
-// Sign signs the message with privateKey and returns a signature.
-func Sign(privateKey *[PrivateKeySize]byte, message []byte) *[SignatureSize]byte {
-	h := sha512.New()
-	h.Write(privateKey[:32])
-
-	var digest1, messageDigest, hramDigest [64]byte
-	var expandedSecretKey [32]byte
-	h.Sum(digest1[:0])
-	copy(expandedSecretKey[:], digest1[:])
-	expandedSecretKey[0] &= 248
-	expandedSecretKey[31] &= 63
-	expandedSecretKey[31] |= 64
-
-	h.Reset()
-	h.Write(digest1[32:])
-	h.Write(message)
-	h.Sum(messageDigest[:0])
-
-	var messageDigestReduced [32]byte
-	edwards25519.ScReduce(&messageDigestReduced, &messageDigest)
-	var R edwards25519.ExtendedGroupElement
-	edwards25519.GeScalarMultBase(&R, &messageDigestReduced)
-
-	var encodedR [32]byte
-	R.ToBytes(&encodedR)
-
-	h.Reset()
-	h.Write(encodedR[:])
-	h.Write(privateKey[32:])
-	h.Write(message)
-	h.Sum(hramDigest[:0])
-	var hramDigestReduced [32]byte
-	edwards25519.ScReduce(&hramDigestReduced, &hramDigest)
-
-	var s [32]byte
-	edwards25519.ScMulAdd(&s, &hramDigestReduced, &expandedSecretKey, &messageDigestReduced)
-
-	signature := new([64]byte)
-	copy(signature[:], encodedR[:])
-	copy(signature[32:], s[:])
-	return signature
-}
-
-// Verify returns true iff sig is a valid signature of message by publicKey.
-func Verify(publicKey *[PublicKeySize]byte, message []byte, sig *[SignatureSize]byte) bool {
-	if sig[63]&224 != 0 {
-		return false
-	}
-
-	var A edwards25519.ExtendedGroupElement
-	if !A.FromBytes(publicKey) {
-		return false
-	}
-
-	h := sha512.New()
-	h.Write(sig[:32])
-	h.Write(publicKey[:])
-	h.Write(message)
-	var digest [64]byte
-	h.Sum(digest[:0])
-
-	var hReduced [32]byte
-	edwards25519.ScReduce(&hReduced, &digest)
-
-	var R edwards25519.ProjectiveGroupElement
-	var b [32]byte
-	copy(b[:], sig[32:])
-	edwards25519.GeDoubleScalarMultVartime(&R, &hReduced, &A, &b)
-
-	var checkR [32]byte
-	R.ToBytes(&checkR)
-	return subtle.ConstantTimeCompare(sig[:32], checkR[:]) == 1
-}

vendor/github.com/agl/ed25519/edwards25519/const.go

@@ -1,1411 +0,0 @@
-// Copyright 2013 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package edwards25519
-
-var d = FieldElement{
-	-10913610, 13857413, -15372611, 6949391, 114729, -8787816, -6275908, -3247719, -18696448, -12055116,
-}
-
-var d2 = FieldElement{
-	-21827239, -5839606, -30745221, 13898782, 229458, 15978800, -12551817, -6495438, 29715968, 9444199,
-}
-
-var SqrtM1 = FieldElement{
-	-32595792, -7943725, 9377950, 3500415, 12389472, -272473, -25146209, -2005654, 326686, 11406482,
-}
-
-var A = FieldElement{
-	486662, 0, 0, 0, 0, 0, 0, 0, 0, 0,
-}
-
-var bi = [8]PreComputedGroupElement{
-	{
-		FieldElement{25967493, -14356035, 29566456, 3660896, -12694345, 4014787, 27544626, -11754271, -6079156, 2047605},
-		FieldElement{-12545711, 934262, -2722910, 3049990, -727428, 9406986, 12720692, 5043384, 19500929, -15469378},
-		FieldElement{-8738181, 4489570, 9688441, -14785194, 10184609, -12363380, 29287919, 11864899, -24514362, -4438546},
-	},
-	{
-		FieldElement{15636291, -9688557, 24204773, -7912398, 616977, -16685262, 27787600, -14772189, 28944400, -1550024},
-		FieldElement{16568933, 4717097, -11556148, -1102322, 15682896, -11807043, 16354577, -11775962, 7689662, 11199574},
-		FieldElement{30464156, -5976125, -11779434, -15670865, 23220365, 15915852, 7512774, 10017326, -17749093, -9920357},
-	},
-	{
-		FieldElement{10861363, 11473154, 27284546, 1981175, -30064349, 12577861, 32867885, 14515107, -15438304, 10819380},
-		FieldElement{4708026, 6336745, 20377586, 9066809, -11272109, 6594696, -25653668, 12483688, -12668491, 5581306},
-		FieldElement{19563160, 16186464, -29386857, 4097519, 10237984, -4348115, 28542350, 13850243, -23678021, -15815942},
-	},
-	{
-		FieldElement{5153746, 9909285, 1723747, -2777874, 30523605, 5516873, 19480852, 5230134, -23952439, -15175766},
-		FieldElement{-30269007, -3463509, 7665486, 10083793, 28475525, 1649722, 20654025, 16520125, 30598449, 7715701},
-		FieldElement{28881845, 14381568, 9657904, 3680757, -20181635, 7843316, -31400660, 1370708, 29794553, -1409300},
-	},
-	{
-		FieldElement{-22518993, -6692182, 14201702, -8745502, -23510406, 8844726, 18474211, -1361450, -13062696, 13821877},
-		FieldElement{-6455177, -7839871, 3374702, -4740862, -27098617, -10571707, 31655028, -7212327, 18853322, -14220951},
-		FieldElement{4566830, -12963868, -28974889, -12240689, -7602672, -2830569, -8514358, -10431137, 2207753, -3209784},
-	},
-	{
-		FieldElement{-25154831, -4185821, 29681144, 7868801, -6854661, -9423865, -12437364, -663000, -31111463, -16132436},
-		FieldElement{25576264, -2703214, 7349804, -11814844, 16472782, 9300885, 3844789, 15725684, 171356, 6466918},
-		FieldElement{23103977, 13316479, 9739013, -16149481, 817875, -15038942, 8965339, -14088058, -30714912, 16193877},
-	},
-	{
-		FieldElement{-33521811, 3180713, -2394130, 14003687, -16903474, -16270840, 17238398, 4729455, -18074513, 9256800},
-		FieldElement{-25182317, -4174131, 32336398, 5036987, -21236817, 11360617, 22616405, 9761698, -19827198, 630305},
-		FieldElement{-13720693, 2639453, -24237460, -7406481, 9494427, -5774029, -6554551, -15960994, -2449256, -14291300},
-	},
-	{
-		FieldElement{-3151181, -5046075, 9282714, 6866145, -31907062, -863023, -18940575, 15033784, 25105118, -7894876},
-		FieldElement{-24326370, 15950226, -31801215, -14592823, -11662737, -5090925, 1573892, -2625887, 2198790, -15804619},
-		FieldElement{-3099351, 10324967, -2241613, 7453183, -5446979, -2735503, -13812022, -16236442, -32461234, -12290683},
-	},
-}
-
-var base = [32][8]PreComputedGroupElement{
-	{
-		{
-			FieldElement{25967493, -14356035, 29566456, 3660896, -12694345, 4014787, 27544626, -11754271, -6079156, 2047605},
-			FieldElement{-12545711, 934262, -2722910, 3049990, -727428, 9406986, 12720692, 5043384, 19500929, -15469378},
-			FieldElement{-8738181, 4489570, 9688441, -14785194, 10184609, -12363380, 29287919, 11864899, -24514362, -4438546},
-		},
-		{
-			FieldElement{-12815894, -12976347, -21581243, 11784320, -25355658, -2750717, -11717903, -3814571, -358445, -10211303},
-			FieldElement{-21703237, 6903825, 27185491, 6451973, -29577724, -9554005, -15616551, 11189268, -26829678, -5319081},
-			FieldElement{26966642, 11152617, 32442495, 15396054, 14353839, -12752335, -3128826, -9541118, -15472047, -4166697},
-		},
-		{
-			FieldElement{15636291, -9688557, 24204773, -7912398, 616977, -16685262, 27787600, -14772189, 28944400, -1550024},
-			FieldElement{16568933, 4717097, -11556148, -1102322, 15682896, -11807043, 16354577, -11775962, 7689662, 11199574},
-			FieldElement{30464156, -5976125, -11779434, -15670865, 23220365, 15915852, 7512774, 10017326, -17749093, -9920357},
-		},
-		{
-			FieldElement{-17036878, 13921892, 10945806, -6033431, 27105052, -16084379, -28926210, 15006023, 3284568, -6276540},
-			FieldElement{23599295, -8306047, -11193664, -7687416, 13236774, 10506355, 7464579, 9656445, 13059162, 10374397},
-			FieldElement{7798556, 16710257, 3033922, 2874086, 28997861, 2835604, 32406664, -3839045, -641708, -101325},
-		},
-		{
-			FieldElement{10861363, 11473154, 27284546, 1981175, -30064349, 12577861, 32867885, 14515107, -15438304, 10819380},
-			FieldElement{4708026, 6336745, 20377586, 9066809, -11272109, 6594696, -25653668, 12483688, -12668491, 5581306},
-			FieldElement{19563160, 16186464, -29386857, 4097519, 10237984, -4348115, 28542350, 13850243, -23678021, -15815942},
-		},
-		{
-			FieldElement{-15371964, -12862754, 32573250, 4720197, -26436522, 5875511, -19188627, -15224819, -9818940, -12085777},
-			FieldElement{-8549212, 109983, 15149363, 2178705, 22900618, 4543417, 3044240, -15689887, 1762328, 14866737},
-			FieldElement{-18199695, -15951423, -10473290, 1707278, -17185920, 3916101, -28236412, 3959421, 27914454, 4383652},
-		},
-		{
-			FieldElement{5153746, 9909285, 1723747, -2777874, 30523605, 5516873, 19480852, 5230134, -23952439, -15175766},
-			FieldElement{-30269007, -3463509, 7665486, 10083793, 28475525, 1649722, 20654025, 16520125, 30598449, 7715701},
-			FieldElement{28881845, 14381568, 9657904, 3680757, -20181635, 7843316, -31400660, 1370708, 29794553, -1409300},
-		},
-		{
-			FieldElement{14499471, -2729599, -33191113, -4254652, 28494862, 14271267, 30290735, 10876454, -33154098, 2381726},
-			FieldElement{-7195431, -2655363, -14730155, 462251, -27724326, 3941372, -6236617, 3696005, -32300832, 15351955},
-			FieldElement{27431194, 8222322, 16448760, -3907995, -18707002, 11938355, -32961401, -2970515, 29551813, 10109425},
-		},
-	},
-	{
-		{
-			FieldElement{-13657040, -13155431, -31283750, 11777098, 21447386, 6519384, -2378284, -1627556, 10092783, -4764171},
-			FieldElement{27939166, 14210322, 4677035, 16277044, -22964462, -12398139, -32508754, 12005538, -17810127, 12803510},
-			FieldElement{17228999, -15661624, -1233527, 300140, -1224870, -11714777, 30364213, -9038194, 18016357, 4397660},
-		},
-		{
-			FieldElement{-10958843, -7690207, 4776341, -14954238, 27850028, -15602212, -26619106, 14544525, -17477504, 982639},
-			FieldElement{29253598, 15796703, -2863982, -9908884, 10057023, 3163536, 7332899, -4120128, -21047696, 9934963},
-			FieldElement{5793303, 16271923, -24131614, -10116404, 29188560, 1206517, -14747930, 4559895, -30123922, -10897950},
-		},
-		{
-			FieldElement{-27643952, -11493006, 16282657, -11036493, 28414021, -15012264, 24191034, 4541697, -13338309, 5500568},
-			FieldElement{12650548, -1497113, 9052871, 11355358, -17680037, -8400164, -17430592, 12264343, 10874051, 13524335},
-			FieldElement{25556948, -3045990, 714651, 2510400, 23394682, -10415330, 33119038, 5080568, -22528059, 5376628},
-		},
-		{
-			FieldElement{-26088264, -4011052, -17013699, -3537628, -6726793, 1920897, -22321305, -9447443, 4535768, 1569007},
-			FieldElement{-2255422, 14606630, -21692440, -8039818, 28430649, 8775819, -30494562, 3044290, 31848280, 12543772},
-			FieldElement{-22028579, 2943893, -31857513, 6777306, 13784462, -4292203, -27377195, -2062731, 7718482, 14474653},
-		},
-		{
-			FieldElement{2385315, 2454213, -22631320, 46603, -4437935, -15680415, 656965, -7236665, 24316168, -5253567},
-			FieldElement{13741529, 10911568, -33233417, -8603737, -20177830, -1033297, 33040651, -13424532, -20729456, 8321686},
-			FieldElement{21060490, -2212744, 15712757, -4336099, 1639040, 10656336, 23845965, -11874838, -9984458, 608372},
-		},
-		{
-			FieldElement{-13672732, -15087586, -10889693, -7557059, -6036909, 11305547, 1123968, -6780577, 27229399, 23887},
-			FieldElement{-23244140, -294205, -11744728, 14712571, -29465699, -2029617, 12797024, -6440308, -1633405, 16678954},
-			FieldElement{-29500620, 4770662, -16054387, 14001338, 7830047, 9564805, -1508144, -4795045, -17169265, 4904953},
-		},
-		{
-			FieldElement{24059557, 14617003, 19037157, -15039908, 19766093, -14906429, 5169211, 16191880, 2128236, -4326833},
-			FieldElement{-16981152, 4124966, -8540610, -10653797, 30336522, -14105247, -29806336, 916033, -6882542, -2986532},
-			FieldElement{-22630907, 12419372, -7134229, -7473371, -16478904, 16739175, 285431, 2763829, 15736322, 4143876},
-		},
-		{
-			FieldElement{2379352, 11839345, -4110402, -5988665, 11274298, 794957, 212801, -14594663, 23527084, -16458268},
-			FieldElement{33431127, -11130478, -17838966, -15626900, 8909499, 8376530, -32625340, 4087881, -15188911, -14416214},
-			FieldElement{1767683, 7197987, -13205226, -2022635, -13091350, 448826, 5799055, 4357868, -4774191, -16323038},
-		},
-	},
-	{
-		{
-			FieldElement{6721966, 13833823, -23523388, -1551314, 26354293, -11863321, 23365147, -3949732, 7390890, 2759800},
-			FieldElement{4409041, 2052381, 23373853, 10530217, 7676779, -12885954, 21302353, -4264057, 1244380, -12919645},
-			FieldElement{-4421239, 7169619, 4982368, -2957590, 30256825, -2777540, 14086413, 9208236, 15886429, 16489664},
-		},
-		{
-			FieldElement{1996075, 10375649, 14346367, 13311202, -6874135, -16438411, -13693198, 398369, -30606455, -712933},
-			FieldElement{-25307465, 9795880, -2777414, 14878809, -33531835, 14780363, 13348553, 12076947, -30836462, 5113182},
-			FieldElement{-17770784, 11797796, 31950843, 13929123, -25888302, 12288344, -30341101, -7336386, 13847711, 5387222},
-		},
-		{
-			FieldElement{-18582163, -3416217, 17824843, -2340966, 22744343, -10442611, 8763061, 3617786, -19600662, 10370991},
-			FieldElement{20246567, -14369378, 22358229, -543712, 18507283, -10413996, 14554437, -8746092, 32232924, 16763880},
-			FieldElement{9648505, 10094563, 26416693, 14745928, -30374318, -6472621, 11094161, 15689506, 3140038, -16510092},
-		},
-		{
-			FieldElement{-16160072, 5472695, 31895588, 4744994, 8823515, 10365685, -27224800, 9448613, -28774454, 366295},
-			FieldElement{19153450, 11523972, -11096490, -6503142, -24647631, 5420647, 28344573, 8041113, 719605, 11671788},
-			FieldElement{8678025, 2694440, -6808014, 2517372, 4964326, 11152271, -15432916, -15266516, 27000813, -10195553},
-		},
-		{
-			FieldElement{-15157904, 7134312, 8639287, -2814877, -7235688, 10421742, 564065, 5336097, 6750977, -14521026},
-			FieldElement{11836410, -3979488, 26297894, 16080799, 23455045, 15735944, 1695823, -8819122, 8169720, 16220347},
-			FieldElement{-18115838, 8653647, 17578566, -6092619, -8025777, -16012763, -11144307, -2627664, -5990708, -14166033},
-		},
-		{
-			FieldElement{-23308498, -10968312, 15213228, -10081214, -30853605, -11050004, 27884329, 2847284, 2655861, 1738395},
-			FieldElement{-27537433, -14253021, -25336301, -8002780, -9370762, 8129821, 21651608, -3239336, -19087449, -11005278},
-			FieldElement{1533110, 3437855, 23735889, 459276, 29970501, 11335377, 26030092, 5821408, 10478196, 8544890},
-		},
-		{
-			FieldElement{32173121, -16129311, 24896207, 3921497, 22579056, -3410854, 19270449, 12217473, 17789017, -3395995},
-			FieldElement{-30552961, -2228401, -15578829, -10147201, 13243889, 517024, 15479401, -3853233, 30460520, 1052596},
-			FieldElement{-11614875, 13323618, 32618793, 8175907, -15230173, 12596687, 27491595, -4612359, 3179268, -9478891},
-		},
-		{
-			FieldElement{31947069, -14366651, -4640583, -15339921, -15125977, -6039709, -14756777, -16411740, 19072640, -9511060},
-			FieldElement{11685058, 11822410, 3158003, -13952594, 33402194, -4165066, 5977896, -5215017, 473099, 5040608},
-			FieldElement{-20290863, 8198642, -27410132, 11602123, 1290375, -2799760, 28326862, 1721092, -19558642, -3131606},
-		},
-	},
-	{
-		{
-			FieldElement{7881532, 10687937, 7578723, 7738378, -18951012, -2553952, 21820786, 8076149, -27868496, 11538389},
-			FieldElement{-19935666, 3899861, 18283497, -6801568, -15728660, -11249211, 8754525, 7446702, -5676054, 5797016},
-			FieldElement{-11295600, -3793569, -15782110, -7964573, 12708869, -8456199, 2014099, -9050574, -2369172, -5877341},
-		},
-		{
-			FieldElement{-22472376, -11568741, -27682020, 1146375, 18956691, 16640559, 1192730, -3714199, 15123619, 10811505},
-			FieldElement{14352098, -3419715, -18942044, 10822655, 32750596, 4699007, -70363, 15776356, -28886779, -11974553},
-			FieldElement{-28241164, -8072475, -4978962, -5315317, 29416931, 1847569, -20654173, -16484855, 4714547, -9600655},
-		},
-		{
-			FieldElement{15200332, 8368572, 19679101, 15970074, -31872674, 1959451, 24611599, -4543832, -11745876, 12340220},
-			FieldElement{12876937, -10480056, 33134381, 6590940, -6307776, 14872440, 9613953, 8241152, 15370987, 9608631},
-			FieldElement{-4143277, -12014408, 8446281, -391603, 4407738, 13629032, -7724868, 15866074, -28210621, -8814099},
-		},
-		{
-			FieldElement{26660628, -15677655, 8393734, 358047, -7401291, 992988, -23904233, 858697, 20571223, 8420556},
-			FieldElement{14620715, 13067227, -15447274, 8264467, 14106269, 15080814, 33531827, 12516406, -21574435, -12476749},
-			FieldElement{236881, 10476226, 57258, -14677024, 6472998, 2466984, 17258519, 7256740, 8791136, 15069930},
-		},
-		{
-			FieldElement{1276410, -9371918, 22949635, -16322807, -23493039, -5702186, 14711875, 4874229, -30663140, -2331391},
-			FieldElement{5855666, 4990204, -13711848, 7294284, -7804282, 1924647, -1423175, -7912378, -33069337, 9234253},
-			FieldElement{20590503, -9018988, 31529744, -7352666, -2706834, 10650548, 31559055, -11609587, 18979186, 13396066},
-		},
-		{
-			FieldElement{24474287, 4968103, 22267082, 4407354, 24063882, -8325180, -18816887, 13594782, 33514650, 7021958},
-			FieldElement{-11566906, -6565505, -21365085, 15928892, -26158305, 4315421, -25948728, -3916677, -21480480, 12868082},
-			FieldElement{-28635013, 13504661, 19988037, -2132761, 21078225, 6443208, -21446107, 2244500, -12455797, -8089383},
-		},
-		{
-			FieldElement{-30595528, 13793479, -5852820, 319136, -25723172, -6263899, 33086546, 8957937, -15233648, 5540521},
-			FieldElement{-11630176, -11503902, -8119500, -7643073, 2620056, 1022908, -23710744, -1568984, -16128528, -14962807},
-			FieldElement{23152971, 775386, 27395463, 14006635, -9701118, 4649512, 1689819, 892185, -11513277, -15205948},
-		},
-		{
-			FieldElement{9770129, 9586738, 26496094, 4324120, 1556511, -3550024, 27453819, 4763127, -19179614, 5867134},
-			FieldElement{-32765025, 1927590, 31726409, -4753295, 23962434, -16019500, 27846559, 5931263, -29749703, -16108455},
-			FieldElement{27461885, -2977536, 22380810, 1815854, -23033753, -3031938, 7283490, -15148073, -19526700, 7734629},
-		},
-	},
-	{
-		{
-			FieldElement{-8010264, -9590817, -11120403, 6196038, 29344158, -13430885, 7585295, -3176626, 18549497, 15302069},
-			FieldElement{-32658337, -6171222, -7672793, -11051681, 6258878, 13504381, 10458790, -6418461, -8872242, 8424746},
-			FieldElement{24687205, 8613276, -30667046, -3233545, 1863892, -1830544, 19206234, 7134917, -11284482, -828919},
-		},
-		{
-			FieldElement{11334899, -9218022, 8025293, 12707519, 17523892, -10476071, 10243738, -14685461, -5066034, 16498837},
-			FieldElement{8911542, 6887158, -9584260, -6958590, 11145641, -9543680, 17303925, -14124238, 6536641, 10543906},
-			FieldElement{-28946384, 15479763, -17466835, 568876, -1497683, 11223454, -2669190, -16625574, -27235709, 8876771},
-		},
-		{
-			FieldElement{-25742899, -12566864, -15649966, -846607, -33026686, -796288, -33481822, 15824474, -604426, -9039817},
-			FieldElement{10330056, 70051, 7957388, -9002667, 9764902, 15609756, 27698697, -4890037, 1657394, 3084098},
-			FieldElement{10477963, -7470260, 12119566, -13250805, 29016247, -5365589, 31280319, 14396151, -30233575, 15272409},
-		},
-		{
-			FieldElement{-12288309, 3169463, 28813183, 16658753, 25116432, -5630466, -25173957, -12636138, -25014757, 1950504},
-			FieldElement{-26180358, 9489187, 11053416, -14746161, -31053720, 5825630, -8384306, -8767532, 15341279, 8373727},
-			FieldElement{28685821, 7759505, -14378516, -12002860, -31971820, 4079242, 298136, -10232602, -2878207, 15190420},
-		},
-		{
-			FieldElement{-32932876, 13806336, -14337485, -15794431, -24004620, 10940928, 8669718, 2742393, -26033313, -6875003},
-			FieldElement{-1580388, -11729417, -25979658, -11445023, -17411874, -10912854, 9291594, -16247779, -12154742, 6048605},
-			FieldElement{-30305315, 14843444, 1539301, 11864366, 20201677, 1900163, 13934231, 5128323, 11213262, 9168384},
-		},
-		{
-			FieldElement{-26280513, 11007847, 19408960, -940758, -18592965, -4328580, -5088060, -11105150, 20470157, -16398701},
-			FieldElement{-23136053, 9282192, 14855179, -15390078, -7362815, -14408560, -22783952, 14461608, 14042978, 5230683},
-			FieldElement{29969567, -2741594, -16711867, -8552442, 9175486, -2468974, 21556951, 3506042, -5933891, -12449708},
-		},
-		{
-			FieldElement{-3144746, 8744661, 19704003, 4581278, -20430686, 6830683, -21284170, 8971513, -28539189, 15326563},
-			FieldElement{-19464629, 10110288, -17262528, -3503892, -23500387, 1355669, -15523050, 15300988, -20514118, 9168260},
-			FieldElement{-5353335, 4488613, -23803248, 16314347, 7780487, -15638939, -28948358, 9601605, 33087103, -9011387},
-		},
-		{
-			FieldElement{-19443170, -15512900, -20797467, -12445323, -29824447, 10229461, -27444329, -15000531, -5996870, 15664672},
-			FieldElement{23294591, -16632613, -22650781, -8470978, 27844204, 11461195, 13099750, -2460356, 18151676, 13417686},
-			FieldElement{-24722913, -4176517, -31150679, 5988919, -26858785, 6685065, 1661597, -12551441, 15271676, -15452665},
-		},
-	},
-	{
-		{
-			FieldElement{11433042, -13228665, 8239631, -5279517, -1985436, -725718, -18698764, 2167544, -6921301, -13440182},
-			FieldElement{-31436171, 15575146, 30436815, 12192228, -22463353, 9395379, -9917708, -8638997, 12215110, 12028277},
-			FieldElement{14098400, 6555944, 23007258, 5757252, -15427832, -12950502, 30123440, 4617780, -16900089, -655628},
-		},
-		{
-			FieldElement{-4026201, -15240835, 11893168, 13718664, -14809462, 1847385, -15819999, 10154009, 23973261, -12684474},
-			FieldElement{-26531820, -3695990, -1908898, 2534301, -31870557, -16550355, 18341390, -11419951, 32013174, -10103539},
-			FieldElement{-25479301, 10876443, -11771086, -14625140, -12369567, 1838104, 21911214, 6354752, 4425632, -837822},
-		},
-		{
-			FieldElement{-10433389, -14612966, 22229858, -3091047, -13191166, 776729, -17415375, -12020462, 4725005, 14044970},
-			FieldElement{19268650, -7304421, 1555349, 8692754, -21474059, -9910664, 6347390, -1411784, -19522291, -16109756},
-			FieldElement{-24864089, 12986008, -10898878, -5558584, -11312371, -148526, 19541418, 8180106, 9282262, 10282508},
-		},
-		{
-			FieldElement{-26205082, 4428547, -8661196, -13194263, 4098402, -14165257, 15522535, 8372215, 5542595, -10702683},
-			FieldElement{-10562541, 14895633, 26814552, -16673850, -17480754, -2489360, -2781891, 6993761, -18093885, 10114655},
-			FieldElement{-20107055, -929418, 31422704, 10427861, -7110749, 6150669, -29091755, -11529146, 25953725, -106158},
-		},
-		{
-			FieldElement{-4234397, -8039292, -9119125, 3046000, 2101609, -12607294, 19390020, 6094296, -3315279, 12831125},
-			FieldElement{-15998678, 7578152, 5310217, 14408357, -33548620, -224739, 31575954, 6326196, 7381791, -2421839},
-			FieldElement{-20902779, 3296811, 24736065, -16328389, 18374254, 7318640, 6295303, 8082724, -15362489, 12339664},
-		},
-		{
-			FieldElement{27724736, 2291157, 6088201, -14184798, 1792727, 5857634, 13848414, 15768922, 25091167, 14856294},
-			FieldElement{-18866652, 8331043, 24373479, 8541013, -701998, -9269457, 12927300, -12695493, -22182473, -9012899},
-			FieldElement{-11423429, -5421590, 11632845, 3405020, 30536730, -11674039, -27260765, 13866390, 30146206, 9142070},
-		},
-		{
-			FieldElement{3924129, -15307516, -13817122, -10054960, 12291820, -668366, -27702774, 9326384, -8237858, 4171294},
-			FieldElement{-15921940, 16037937, 6713787, 16606682, -21612135, 2790944, 26396185, 3731949, 345228, -5462949},
-			FieldElement{-21327538, 13448259, 25284571, 1143661, 20614966, -8849387, 2031539, -12391231, -16253183, -13582083},
-		},
-		{
-			FieldElement{31016211, -16722429, 26371392, -14451233, -5027349, 14854137, 17477601, 3842657, 28012650, -16405420},
-			FieldElement{-5075835, 9368966, -8562079, -4600902, -15249953, 6970560, -9189873, 16292057, -8867157, 3507940},
-			FieldElement{29439664, 3537914, 23333589, 6997794, -17555561, -11018068, -15209202, -15051267, -9164929, 6580396},
-		},
-	},
-	{
-		{
-			FieldElement{-12185861, -7679788, 16438269, 10826160, -8696817, -6235611, 17860444, -9273846, -2095802, 9304567},
-			FieldElement{20714564, -4336911, 29088195, 7406487, 11426967, -5095705, 14792667, -14608617, 5289421, -477127},
-			FieldElement{-16665533, -10650790, -6160345, -13305760, 9192020, -1802462, 17271490, 12349094, 26939669, -3752294},
-		},
-		{
-			FieldElement{-12889898, 9373458, 31595848, 16374215, 21471720, 13221525, -27283495, -12348559, -3698806, 117887},
-			FieldElement{22263325, -6560050, 3984570, -11174646, -15114008, -566785, 28311253, 5358056, -23319780, 541964},
-			FieldElement{16259219, 3261970, 2309254, -15534474, -16885711, -4581916, 24134070, -16705829, -13337066, -13552195},
-		},
-		{
-			FieldElement{9378160, -13140186, -22845982, -12745264, 28198281, -7244098, -2399684, -717351, 690426, 14876244},
-			FieldElement{24977353, -314384, -8223969, -13465086, 28432343, -1176353, -13068804, -12297348, -22380984, 6618999},
-			FieldElement{-1538174, 11685646, 12944378, 13682314, -24389511, -14413193, 8044829, -13817328, 32239829, -5652762},
-		},
-		{
-			FieldElement{-18603066, 4762990, -926250, 8885304, -28412480, -3187315, 9781647, -10350059, 32779359, 5095274},
-			FieldElement{-33008130, -5214506, -32264887, -3685216, 9460461, -9327423, -24601656, 14506724, 21639561, -2630236},
-			FieldElement{-16400943, -13112215, 25239338, 15531969, 3987758, -4499318, -1289502, -6863535, 17874574, 558605},
-		},
-		{
-			FieldElement{-13600129, 10240081, 9171883, 16131053, -20869254, 9599700, 33499487, 5080151, 2085892, 5119761},
-			FieldElement{-22205145, -2519528, -16381601, 414691, -25019550, 2170430, 30634760, -8363614, -31999993, -5759884},
-			FieldElement{-6845704, 15791202, 8550074, -1312654, 29928809, -12092256, 27534430, -7192145, -22351378, 12961482},
-		},
-		{
-			FieldElement{-24492060, -9570771, 10368194, 11582341, -23397293, -2245287, 16533930, 8206996, -30194652, -5159638},
-			FieldElement{-11121496, -3382234, 2307366, 6362031, -135455, 8868177, -16835630, 7031275, 7589640, 8945490},
-			FieldElement{-32152748, 8917967, 6661220, -11677616, -1192060, -15793393, 7251489, -11182180, 24099109, -14456170},
-		},
-		{
-			FieldElement{5019558, -7907470, 4244127, -14714356, -26933272, 6453165, -19118182, -13289025, -6231896, -10280736},
-			FieldElement{10853594, 10721687, 26480089, 5861829, -22995819, 1972175, -1866647, -10557898, -3363451, -6441124},
-			FieldElement{-17002408, 5906790, 221599, -6563147, 7828208, -13248918, 24362661, -2008168, -13866408, 7421392},
-		},
-		{
-			FieldElement{8139927, -6546497, 32257646, -5890546, 30375719, 1886181, -21175108, 15441252, 28826358, -4123029},
-			FieldElement{6267086, 9695052, 7709135, -16603597, -32869068, -1886135, 14795160, -7840124, 13746021, -1742048},
-			FieldElement{28584902, 7787108, -6732942, -15050729, 22846041, -7571236, -3181936, -363524, 4771362, -8419958},
-		},
-	},
-	{
-		{
-			FieldElement{24949256, 6376279, -27466481, -8174608, -18646154, -9930606, 33543569, -12141695, 3569627, 11342593},
-			FieldElement{26514989, 4740088, 27912651, 3697550, 19331575, -11472339, 6809886, 4608608, 7325975, -14801071},
-			FieldElement{-11618399, -14554430, -24321212, 7655128, -1369274, 5214312, -27400540, 10258390, -17646694, -8186692},
-		},
-		{
-			FieldElement{11431204, 15823007, 26570245, 14329124, 18029990, 4796082, -31446179, 15580664, 9280358, -3973687},
-			FieldElement{-160783, -10326257, -22855316, -4304997, -20861367, -13621002, -32810901, -11181622, -15545091, 4387441},
-			FieldElement{-20799378, 12194512, 3937617, -5805892, -27154820, 9340370, -24513992, 8548137, 20617071, -7482001},
-		},
-		{
-			FieldElement{-938825, -3930586, -8714311, 16124718, 24603125, -6225393, -13775352, -11875822, 24345683, 10325460},
-			FieldElement{-19855277, -1568885, -22202708, 8714034, 14007766, 6928528, 16318175, -1010689, 4766743, 3552007},
-			FieldElement{-21751364, -16730916, 1351763, -803421, -4009670, 3950935, 3217514, 14481909, 10988822, -3994762},
-		},
-		{
-			FieldElement{15564307, -14311570, 3101243, 5684148, 30446780, -8051356, 12677127, -6505343, -8295852, 13296005},
-			FieldElement{-9442290, 6624296, -30298964, -11913677, -4670981, -2057379, 31521204, 9614054, -30000824, 12074674},
-			FieldElement{4771191, -135239, 14290749, -13089852, 27992298, 14998318, -1413936, -1556716, 29832613, -16391035},
-		},
-		{
-			FieldElement{7064884, -7541174, -19161962, -5067537, -18891269, -2912736, 25825242, 5293297, -27122660, 13101590},
-			FieldElement{-2298563, 2439670, -7466610, 1719965, -27267541, -16328445, 32512469, -5317593, -30356070, -4190957},
-			FieldElement{-30006540, 10162316, -33180176, 3981723, -16482138, -13070044, 14413974, 9515896, 19568978, 9628812},
-		},
-		{
-			FieldElement{33053803, 199357, 15894591, 1583059, 27380243, -4580435, -17838894, -6106839, -6291786, 3437740},
-			FieldElement{-18978877, 3884493, 19469877, 12726490, 15913552, 13614290, -22961733, 70104, 7463304, 4176122},
-			FieldElement{-27124001, 10659917, 11482427, -16070381, 12771467, -6635117, -32719404, -5322751, 24216882, 5944158},
-		},
-		{
-			FieldElement{8894125, 7450974, -2664149, -9765752, -28080517, -12389115, 19345746, 14680796, 11632993, 5847885},
-			FieldElement{26942781, -2315317, 9129564, -4906607, 26024105, 11769399, -11518837, 6367194, -9727230, 4782140},
-			FieldElement{19916461, -4828410, -22910704, -11414391, 25606324, -5972441, 33253853, 8220911, 6358847, -1873857},
-		},
-		{
-			FieldElement{801428, -2081702, 16569428, 11065167, 29875704, 96627, 7908388, -4480480, -13538503, 1387155},
-			FieldElement{19646058, 5720633, -11416706, 12814209, 11607948, 12749789, 14147075, 15156355, -21866831, 11835260},
-			FieldElement{19299512, 1155910, 28703737, 14890794, 2925026, 7269399, 26121523, 15467869, -26560550, 5052483},
-		},
-	},
-	{
-		{
-			FieldElement{-3017432, 10058206, 1980837, 3964243, 22160966, 12322533, -6431123, -12618185, 12228557, -7003677},
-			FieldElement{32944382, 14922211, -22844894, 5188528, 21913450, -8719943, 4001465, 13238564, -6114803, 8653815},
-			FieldElement{22865569, -4652735, 27603668, -12545395, 14348958, 8234005, 24808405, 5719875, 28483275, 2841751},
-		},
-		{
-			FieldElement{-16420968, -1113305, -327719, -12107856, 21886282, -15552774, -1887966, -315658, 19932058, -12739203},
-			FieldElement{-11656086, 10087521, -8864888, -5536143, -19278573, -3055912, 3999228, 13239134, -4777469, -13910208},
-			FieldElement{1382174, -11694719, 17266790, 9194690, -13324356, 9720081, 20403944, 11284705, -14013818, 3093230},
-		},
-		{
-			FieldElement{16650921, -11037932, -1064178, 1570629, -8329746, 7352753, -302424, 16271225, -24049421, -6691850},
-			FieldElement{-21911077, -5927941, -4611316, -5560156, -31744103, -10785293, 24123614, 15193618, -21652117, -16739389},
-			FieldElement{-9935934, -4289447, -25279823, 4372842, 2087473, 10399484, 31870908, 14690798, 17361620, 11864968},
-		},
-		{
-			FieldElement{-11307610, 6210372, 13206574, 5806320, -29017692, -13967200, -12331205, -7486601, -25578460, -16240689},
-			FieldElement{14668462, -12270235, 26039039, 15305210, 25515617, 4542480, 10453892, 6577524, 9145645, -6443880},
-			FieldElement{5974874, 3053895, -9433049, -10385191, -31865124, 3225009, -7972642, 3936128, -5652273, -3050304},
-		},
-		{
-			FieldElement{30625386, -4729400, -25555961, -12792866, -20484575, 7695099, 17097188, -16303496, -27999779, 1803632},
-			FieldElement{-3553091, 9865099, -5228566, 4272701, -5673832, -16689700, 14911344, 12196514, -21405489, 7047412},
-			FieldElement{20093277, 9920966, -11138194, -5343857, 13161587, 12044805, -32856851, 4124601, -32343828, -10257566},
-		},
-		{
-			FieldElement{-20788824, 14084654, -13531713, 7842147, 19119038, -13822605, 4752377, -8714640, -21679658, 2288038},
-			FieldElement{-26819236, -3283715, 29965059, 3039786, -14473765, 2540457, 29457502, 14625692, -24819617, 12570232},
-			FieldElement{-1063558, -11551823, 16920318, 12494842, 1278292, -5869109, -21159943, -3498680, -11974704, 4724943},
-		},
-		{
-			FieldElement{17960970, -11775534, -4140968, -9702530, -8876562, -1410617, -12907383, -8659932, -29576300, 1903856},
-			FieldElement{23134274, -14279132, -10681997, -1611936, 20684485, 15770816, -12989750, 3190296, 26955097, 14109738},
-			FieldElement{15308788, 5320727, -30113809, -14318877, 22902008, 7767164, 29425325, -11277562, 31960942, 11934971},
-		},
-		{
-			FieldElement{-27395711, 8435796, 4109644, 12222639, -24627868, 14818669, 20638173, 4875028, 10491392, 1379718},
-			FieldElement{-13159415, 9197841, 3875503, -8936108, -1383712, -5879801, 33518459, 16176658, 21432314, 12180697},
-			FieldElement{-11787308, 11500838, 13787581, -13832590, -22430679, 10140205, 1465425, 12689540, -10301319, -13872883},
-		},
-	},
-	{
-		{
-			FieldElement{5414091, -15386041, -21007664, 9643570, 12834970, 1186149, -2622916, -1342231, 26128231, 6032912},
-			FieldElement{-26337395, -13766162, 32496025, -13653919, 17847801, -12669156, 3604025, 8316894, -25875034, -10437358},
-			FieldElement{3296484, 6223048, 24680646, -12246460, -23052020, 5903205, -8862297, -4639164, 12376617, 3188849},
-		},
-		{
-			FieldElement{29190488, -14659046, 27549113, -1183516, 3520066, -10697301, 32049515, -7309113, -16109234, -9852307},
-			FieldElement{-14744486, -9309156, 735818, -598978, -20407687, -5057904, 25246078, -15795669, 18640741, -960977},
-			FieldElement{-6928835, -16430795, 10361374, 5642961, 4910474, 12345252, -31638386, -494430, 10530747, 1053335},
-		},
-		{
-			FieldElement{-29265967, -14186805, -13538216, -12117373, -19457059, -10655384, -31462369, -2948985, 24018831, 15026644},
-			FieldElement{-22592535, -3145277, -2289276, 5953843, -13440189, 9425631, 25310643, 13003497, -2314791, -15145616},
-			FieldElement{-27419985, -603321, -8043984, -1669117, -26092265, 13987819, -27297622, 187899, -23166419, -2531735},
-		},
-		{
-			FieldElement{-21744398, -13810475, 1844840, 5021428, -10434399, -15911473, 9716667, 16266922, -5070217, 726099},
-			FieldElement{29370922, -6053998, 7334071, -15342259, 9385287, 2247707, -13661962, -4839461, 30007388, -15823341},
-			FieldElement{-936379, 16086691, 23751945, -543318, -1167538, -5189036, 9137109, 730663, 9835848, 4555336},
-		},
-		{
-			FieldElement{-23376435, 1410446, -22253753, -12899614, 30867635, 15826977, 17693930, 544696, -11985298, 12422646},
-			FieldElement{31117226, -12215734, -13502838, 6561947, -9876867, -12757670, -5118685, -4096706, 29120153, 13924425},
-			FieldElement{-17400879, -14233209, 19675799, -2734756, -11006962, -5858820, -9383939, -11317700, 7240931, -237388},
-		},
-		{
-			FieldElement{-31361739, -11346780, -15007447, -5856218, -22453340, -12152771, 1222336, 4389483, 3293637, -15551743},
-			FieldElement{-16684801, -14444245, 11038544, 11054958, -13801175, -3338533, -24319580, 7733547, 12796905, -6335822},
-			FieldElement{-8759414, -10817836, -25418864, 10783769, -30615557, -9746811, -28253339, 3647836, 3222231, -11160462},
-		},
-		{
-			FieldElement{18606113, 1693100, -25448386, -15170272, 4112353, 10045021, 23603893, -2048234, -7550776, 2484985},
-			FieldElement{9255317, -3131197, -12156162, -1004256, 13098013, -9214866, 16377220, -2102812, -19802075, -3034702},
-			FieldElement{-22729289, 7496160, -5742199, 11329249, 19991973, -3347502, -31718148, 9936966, -30097688, -10618797},
-		},
-		{
-			FieldElement{21878590, -5001297, 4338336, 13643897, -3036865, 13160960, 19708896, 5415497, -7360503, -4109293},
-			FieldElement{27736861, 10103576, 12500508, 8502413, -3413016, -9633558, 10436918, -1550276, -23659143, -8132100},
-			FieldElement{19492550, -12104365, -29681976, -852630, -3208171, 12403437, 30066266, 8367329, 13243957, 8709688},
-		},
-	},
-	{
-		{
-			FieldElement{12015105, 2801261, 28198131, 10151021, 24818120, -4743133, -11194191, -5645734, 5150968, 7274186},
-			FieldElement{2831366, -12492146, 1478975, 6122054, 23825128, -12733586, 31097299, 6083058, 31021603, -9793610},
-			FieldElement{-2529932, -2229646, 445613, 10720828, -13849527, -11505937, -23507731, 16354465, 15067285, -14147707},
-		},
-		{
-			FieldElement{7840942, 14037873, -33364863, 15934016, -728213, -3642706, 21403988, 1057586, -19379462, -12403220},
-			FieldElement{915865, -16469274, 15608285, -8789130, -24357026, 6060030, -17371319, 8410997, -7220461, 16527025},
-			FieldElement{32922597, -556987, 20336074, -16184568, 10903705, -5384487, 16957574, 52992, 23834301, 6588044},
-		},
-		{
-			FieldElement{32752030, 11232950, 3381995, -8714866, 22652988, -10744103, 17159699, 16689107, -20314580, -1305992},
-			FieldElement{-4689649, 9166776, -25710296, -10847306, 11576752, 12733943, 7924251, -2752281, 1976123, -7249027},
-			FieldElement{21251222, 16309901, -2983015, -6783122, 30810597, 12967303, 156041, -3371252, 12331345, -8237197},
-		},
-		{
-			FieldElement{8651614, -4477032, -16085636, -4996994, 13002507, 2950805, 29054427, -5106970, 10008136, -4667901},
-			FieldElement{31486080, 15114593, -14261250, 12951354, 14369431, -7387845, 16347321, -13662089, 8684155, -10532952},
-			FieldElement{19443825, 11385320, 24468943, -9659068, -23919258, 2187569, -26263207, -6086921, 31316348, 14219878},
-		},
-		{
-			FieldElement{-28594490, 1193785, 32245219, 11392485, 31092169, 15722801, 27146014, 6992409, 29126555, 9207390},
-			FieldElement{32382935, 1110093, 18477781, 11028262, -27411763, -7548111, -4980517, 10843782, -7957600, -14435730},
-			FieldElement{2814918, 7836403, 27519878, -7868156, -20894015, -11553689, -21494559, 8550130, 28346258, 1994730},
-		},
-		{
-			FieldElement{-19578299, 8085545, -14000519, -3948622, 2785838, -16231307, -19516951, 7174894, 22628102, 8115180},
-			FieldElement{-30405132, 955511, -11133838, -15078069, -32447087, -13278079, -25651578, 3317160, -9943017, 930272},
-			FieldElement{-15303681, -6833769, 28856490, 1357446, 23421993, 1057177, 24091212, -1388970, -22765376, -10650715},
-		},
-		{
-			FieldElement{-22751231, -5303997, -12907607, -12768866, -15811511, -7797053, -14839018, -16554220, -1867018, 8398970},
-			FieldElement{-31969310, 2106403, -4736360, 1362501, 12813763, 16200670, 22981545, -6291273, 18009408, -15772772},
-			FieldElement{-17220923, -9545221, -27784654, 14166835, 29815394, 7444469, 29551787, -3727419, 19288549, 1325865},
-		},
-		{
-			FieldElement{15100157, -15835752, -23923978, -1005098, -26450192, 15509408, 12376730, -3479146, 33166107, -8042750},
-			FieldElement{20909231, 13023121, -9209752, 16251778, -5778415, -8094914, 12412151, 10018715, 2213263, -13878373},
-			FieldElement{32529814, -11074689, 30361439, -16689753, -9135940, 1513226, 22922121, 6382134, -5766928, 8371348},
-		},
-	},
-	{
-		{
-			FieldElement{9923462, 11271500, 12616794, 3544722, -29998368, -1721626, 12891687, -8193132, -26442943, 10486144},
-			FieldElement{-22597207, -7012665, 8587003, -8257861, 4084309, -12970062, 361726, 2610596, -23921530, -11455195},
-			FieldElement{5408411, -1136691, -4969122, 10561668, 24145918, 14240566, 31319731, -4235541, 19985175, -3436086},
-		},
-		{
-			FieldElement{-13994457, 16616821, 14549246, 3341099, 32155958, 13648976, -17577068, 8849297, 65030, 8370684},
-			FieldElement{-8320926, -12049626, 31204563, 5839400, -20627288, -1057277, -19442942, 6922164, 12743482, -9800518},
-			FieldElement{-2361371, 12678785, 28815050, 4759974, -23893047, 4884717, 23783145, 11038569, 18800704, 255233},
-		},
-		{
-			FieldElement{-5269658, -1773886, 13957886, 7990715, 23132995, 728773, 13393847, 9066957, 19258688, -14753793},
-			FieldElement{-2936654, -10827535, -10432089, 14516793, -3640786, 4372541, -31934921, 2209390, -1524053, 2055794},
-			FieldElement{580882, 16705327, 5468415, -2683018, -30926419, -14696000, -7203346, -8994389, -30021019, 7394435},
-		},
-		{
-			FieldElement{23838809, 1822728, -15738443, 15242727, 8318092, -3733104, -21672180, -3492205, -4821741, 14799921},
-			FieldElement{13345610, 9759151, 3371034, -16137791, 16353039, 8577942, 31129804, 13496856, -9056018, 7402518},
-			FieldElement{2286874, -4435931, -20042458, -2008336, -13696227, 5038122, 11006906, -15760352, 8205061, 1607563},
-		},
-		{
-			FieldElement{14414086, -8002132, 3331830, -3208217, 22249151, -5594188, 18364661, -2906958, 30019587, -9029278},
-			FieldElement{-27688051, 1585953, -10775053, 931069, -29120221, -11002319, -14410829, 12029093, 9944378, 8024},
-			FieldElement{4368715, -3709630, 29874200, -15022983, -20230386, -11410704, -16114594, -999085, -8142388, 5640030},
-		},
-		{
-			FieldElement{10299610, 13746483, 11661824, 16234854, 7630238, 5998374, 9809887, -16694564, 15219798, -14327783},
-			FieldElement{27425505, -5719081, 3055006, 10660664, 23458024, 595578, -15398605, -1173195, -18342183, 9742717},
-			FieldElement{6744077, 2427284, 26042789, 2720740, -847906, 1118974, 32324614, 7406442, 12420155, 1994844},
-		},
-		{
-			FieldElement{14012521, -5024720, -18384453, -9578469, -26485342, -3936439, -13033478, -10909803, 24319929, -6446333},
-			FieldElement{16412690, -4507367, 10772641, 15929391, -17068788, -4658621, 10555945, -10484049, -30102368, -4739048},
-			FieldElement{22397382, -7767684, -9293161, -12792868, 17166287, -9755136, -27333065, 6199366, 21880021, -12250760},
-		},
-		{
-			FieldElement{-4283307, 5368523, -31117018, 8163389, -30323063, 3209128, 16557151, 8890729, 8840445, 4957760},
-			FieldElement{-15447727, 709327, -6919446, -10870178, -29777922, 6522332, -21720181, 12130072, -14796503, 5005757},
-			FieldElement{-2114751, -14308128, 23019042, 15765735, -25269683, 6002752, 10183197, -13239326, -16395286, -2176112},
-		},
-	},
-	{
-		{
-			FieldElement{-19025756, 1632005, 13466291, -7995100, -23640451, 16573537, -32013908, -3057104, 22208662, 2000468},
-			FieldElement{3065073, -1412761, -25598674, -361432, -17683065, -5703415, -8164212, 11248527, -3691214, -7414184},
-			FieldElement{10379208, -6045554, 8877319, 1473647, -29291284, -12507580, 16690915, 2553332, -3132688, 16400289},
-		},
-		{
-			FieldElement{15716668, 1254266, -18472690, 7446274, -8448918, 6344164, -22097271, -7285580, 26894937, 9132066},
-			FieldElement{24158887, 12938817, 11085297, -8177598, -28063478, -4457083, -30576463, 64452, -6817084, -2692882},
-			FieldElement{13488534, 7794716, 22236231, 5989356, 25426474, -12578208, 2350710, -3418511, -4688006, 2364226},
-		},
-		{
-			FieldElement{16335052, 9132434, 25640582, 6678888, 1725628, 8517937, -11807024, -11697457, 15445875, -7798101},
-			FieldElement{29004207, -7867081, 28661402, -640412, -12794003, -7943086, 31863255, -4135540, -278050, -15759279},
-			FieldElement{-6122061, -14866665, -28614905, 14569919, -10857999, -3591829, 10343412, -6976290, -29828287, -10815811},
-		},
-		{
-			FieldElement{27081650, 3463984, 14099042, -4517604, 1616303, -6205604, 29542636, 15372179, 17293797, 960709},
-			FieldElement{20263915, 11434237, -5765435, 11236810, 13505955, -10857102, -16111345, 6493122, -19384511, 7639714},
-			FieldElement{-2830798, -14839232, 25403038, -8215196, -8317012, -16173699, 18006287, -16043750, 29994677, -15808121},
-		},
-		{
-			FieldElement{9769828, 5202651, -24157398, -13631392, -28051003, -11561624, -24613141, -13860782, -31184575, 709464},
-			FieldElement{12286395, 13076066, -21775189, -1176622, -25003198, 4057652, -32018128, -8890874, 16102007, 13205847},
-			FieldElement{13733362, 5599946, 10557076, 3195751, -5557991, 8536970, -25540170, 8525972, 10151379, 10394400},
-		},
-		{
-			FieldElement{4024660, -16137551, 22436262, 12276534, -9099015, -2686099, 19698229, 11743039, -33302334, 8934414},
-			FieldElement{-15879800, -4525240, -8580747, -2934061, 14634845, -698278, -9449077, 3137094, -11536886, 11721158},
-			FieldElement{17555939, -5013938, 8268606, 2331751, -22738815, 9761013, 9319229, 8835153, -9205489, -1280045},
-		},
-		{
-			FieldElement{-461409, -7830014, 20614118, 16688288, -7514766, -4807119, 22300304, 505429, 6108462, -6183415},
-			FieldElement{-5070281, 12367917, -30663534, 3234473, 32617080, -8422642, 29880583, -13483331, -26898490, -7867459},
-			FieldElement{-31975283, 5726539, 26934134, 10237677, -3173717, -605053, 24199304, 3795095, 7592688, -14992079},
-		},
-		{
-			FieldElement{21594432, -14964228, 17466408, -4077222, 32537084, 2739898, 6407723, 12018833, -28256052, 4298412},
-			FieldElement{-20650503, -11961496, -27236275, 570498, 3767144, -1717540, 13891942, -1569194, 13717174, 10805743},
-			FieldElement{-14676630, -15644296, 15287174, 11927123, 24177847, -8175568, -796431, 14860609, -26938930, -5863836},
-		},
-	},
-	{
-		{
-			FieldElement{12962541, 5311799, -10060768, 11658280, 18855286, -7954201, 13286263, -12808704, -4381056, 9882022},
-			FieldElement{18512079, 11319350, -20123124, 15090309, 18818594, 5271736, -22727904, 3666879, -23967430, -3299429},
-			FieldElement{-6789020, -3146043, 16192429, 13241070, 15898607, -14206114, -10084880, -6661110, -2403099, 5276065},
-		},
-		{
-			FieldElement{30169808, -5317648, 26306206, -11750859, 27814964, 7069267, 7152851, 3684982, 1449224, 13082861},
-			FieldElement{10342826, 3098505, 2119311, 193222, 25702612, 12233820, 23697382, 15056736, -21016438, -8202000},
-			FieldElement{-33150110, 3261608, 22745853, 7948688, 19370557, -15177665, -26171976, 6482814, -10300080, -11060101},
-		},
-		{
-			FieldElement{32869458, -5408545, 25609743, 15678670, -10687769, -15471071, 26112421, 2521008, -22664288, 6904815},
-			FieldElement{29506923, 4457497, 3377935, -9796444, -30510046, 12935080, 1561737, 3841096, -29003639, -6657642},
-			FieldElement{10340844, -6630377, -18656632, -2278430, 12621151, -13339055, 30878497, -11824370, -25584551, 5181966},
-		},
-		{
-			FieldElement{25940115, -12658025, 17324188, -10307374, -8671468, 15029094, 24396252, -16450922, -2322852, -12388574},
-			FieldElement{-21765684, 9916823, -1300409, 4079498, -1028346, 11909559, 1782390, 12641087, 20603771, -6561742},
-			FieldElement{-18882287, -11673380, 24849422, 11501709, 13161720, -4768874, 1925523, 11914390, 4662781, 7820689},
-		},
-		{
-			FieldElement{12241050, -425982, 8132691, 9393934, 32846760, -1599620, 29749456, 12172924, 16136752, 15264020},
-			FieldElement{-10349955, -14680563, -8211979, 2330220, -17662549, -14545780, 10658213, 6671822, 19012087, 3772772},
-			FieldElement{3753511, -3421066, 10617074, 2028709, 14841030, -6721664, 28718732, -15762884, 20527771, 12988982},
-		},
-		{
-			FieldElement{-14822485, -5797269, -3707987, 12689773, -898983, -10914866, -24183046, -10564943, 3299665, -12424953},
-			FieldElement{-16777703, -15253301, -9642417, 4978983, 3308785, 8755439, 6943197, 6461331, -25583147, 8991218},
-			FieldElement{-17226263, 1816362, -1673288, -6086439, 31783888, -8175991, -32948145, 7417950, -30242287, 1507265},
-		},
-		{
-			FieldElement{29692663, 6829891, -10498800, 4334896, 20945975, -11906496, -28887608, 8209391, 14606362, -10647073},
-			FieldElement{-3481570, 8707081, 32188102, 5672294, 22096700, 1711240, -33020695, 9761487, 4170404, -2085325},
-			FieldElement{-11587470, 14855945, -4127778, -1531857, -26649089, 15084046, 22186522, 16002000, -14276837, -8400798},
-		},
-		{
-			FieldElement{-4811456, 13761029, -31703877, -2483919, -3312471, 7869047, -7113572, -9620092, 13240845, 10965870},
-			FieldElement{-7742563, -8256762, -14768334, -13656260, -23232383, 12387166, 4498947, 14147411, 29514390, 4302863},
-			FieldElement{-13413405, -12407859, 20757302, -13801832, 14785143, 8976368, -5061276, -2144373, 17846988, -13971927},
-		},
-	},
-	{
-		{
-			FieldElement{-2244452, -754728, -4597030, -1066309, -6247172, 1455299, -21647728, -9214789, -5222701, 12650267},
-			FieldElement{-9906797, -16070310, 21134160, 12198166, -27064575, 708126, 387813, 13770293, -19134326, 10958663},
-			FieldElement{22470984, 12369526, 23446014, -5441109, -21520802, -9698723, -11772496, -11574455, -25083830, 4271862},
-		},
-		{
-			FieldElement{-25169565, -10053642, -19909332, 15361595, -5984358, 2159192, 75375, -4278529, -32526221, 8469673},
-			FieldElement{15854970, 4148314, -8893890, 7259002, 11666551, 13824734, -30531198, 2697372, 24154791, -9460943},
-			FieldElement{15446137, -15806644, 29759747, 14019369, 30811221, -9610191, -31582008, 12840104, 24913809, 9815020},
-		},
-		{
-			FieldElement{-4709286, -5614269, -31841498, -12288893, -14443537, 10799414, -9103676, 13438769, 18735128, 9466238},
-			FieldElement{11933045, 9281483, 5081055, -5183824, -2628162, -4905629, -7727821, -10896103, -22728655, 16199064},
-			FieldElement{14576810, 379472, -26786533, -8317236, -29426508, -10812974, -102766, 1876699, 30801119, 2164795},
-		},
-		{
-			FieldElement{15995086, 3199873, 13672555, 13712240, -19378835, -4647646, -13081610, -15496269, -13492807, 1268052},
-			FieldElement{-10290614, -3659039, -3286592, 10948818, 23037027, 3794475, -3470338, -12600221, -17055369, 3565904},
-			FieldElement{29210088, -9419337, -5919792, -4952785, 10834811, -13327726, -16512102, -10820713, -27162222, -14030531},
-		},
-		{
-			FieldElement{-13161890, 15508588, 16663704, -8156150, -28349942, 9019123, -29183421, -3769423, 2244111, -14001979},
-			FieldElement{-5152875, -3800936, -9306475, -6071583, 16243069, 14684434, -25673088, -16180800, 13491506, 4641841},
-			FieldElement{10813417, 643330, -19188515, -728916, 30292062, -16600078, 27548447, -7721242, 14476989, -12767431},
-		},
-		{
-			FieldElement{10292079, 9984945, 6481436, 8279905, -7251514, 7032743, 27282937, -1644259, -27912810, 12651324},
-			FieldElement{-31185513, -813383, 22271204, 11835308, 10201545, 15351028, 17099662, 3988035, 21721536, -3148940},
-			FieldElement{10202177, -6545839, -31373232, -9574638, -32150642, -8119683, -12906320, 3852694, 13216206, 14842320},
-		},
-		{
-			FieldElement{-15815640, -10601066, -6538952, -7258995, -6984659, -6581778, -31500847, 13765824, -27434397, 9900184},
-			FieldElement{14465505, -13833331, -32133984, -14738873, -27443187, 12990492, 33046193, 15796406, -7051866, -8040114},
-			FieldElement{30924417, -8279620, 6359016, -12816335, 16508377, 9071735, -25488601, 15413635, 9524356, -7018878},
-		},
-		{
-			FieldElement{12274201, -13175547, 32627641, -1785326, 6736625, 13267305, 5237659, -5109483, 15663516, 4035784},
-			FieldElement{-2951309, 8903985, 17349946, 601635, -16432815, -4612556, -13732739, -15889334, -22258478, 4659091},
-			FieldElement{-16916263, -4952973, -30393711, -15158821, 20774812, 15897498, 5736189, 15026997, -2178256, -13455585},
-		},
-	},
-	{
-		{
-			FieldElement{-8858980, -2219056, 28571666, -10155518, -474467, -10105698, -3801496, 278095, 23440562, -290208},
-			FieldElement{10226241, -5928702, 15139956, 120818, -14867693, 5218603, 32937275, 11551483, -16571960, -7442864},
-			FieldElement{17932739, -12437276, -24039557, 10749060, 11316803, 7535897, 22503767, 5561594, -3646624, 3898661},
-		},
-		{
-			FieldElement{7749907, -969567, -16339731, -16464, -25018111, 15122143, -1573531, 7152530, 21831162, 1245233},
-			FieldElement{26958459, -14658026, 4314586, 8346991, -5677764, 11960072, -32589295, -620035, -30402091, -16716212},
-			FieldElement{-12165896, 9166947, 33491384, 13673479, 29787085, 13096535, 6280834, 14587357, -22338025, 13987525},
-		},
-		{
-			FieldElement{-24349909, 7778775, 21116000, 15572597, -4833266, -5357778, -4300898, -5124639, -7469781, -2858068},
-			FieldElement{9681908, -6737123, -31951644, 13591838, -6883821, 386950, 31622781, 6439245, -14581012, 4091397},
-			FieldElement{-8426427, 1470727, -28109679, -1596990, 3978627, -5123623, -19622683, 12092163, 29077877, -14741988},
-		},
-		{
-			FieldElement{5269168, -6859726, -13230211, -8020715, 25932563, 1763552, -5606110, -5505881, -20017847, 2357889},
-			FieldElement{32264008, -15407652, -5387735, -1160093, -2091322, -3946900, 23104804, -12869908, 5727338, 189038},
-			FieldElement{14609123, -8954470, -6000566, -16622781, -14577387, -7743898, -26745169, 10942115, -25888931, -14884697},
-		},
-		{
-			FieldElement{20513500, 5557931, -15604613, 7829531, 26413943, -2019404, -21378968, 7471781, 13913677, -5137875},
-			FieldElement{-25574376, 11967826, 29233242, 12948236, -6754465, 4713227, -8940970, 14059180, 12878652, 8511905},
-			FieldElement{-25656801, 3393631, -2955415, -7075526, -2250709, 9366908, -30223418, 6812974, 5568676, -3127656},
-		},
-		{
-			FieldElement{11630004, 12144454, 2116339, 13606037, 27378885, 15676917, -17408753, -13504373, -14395196, 8070818},
-			FieldElement{27117696, -10007378, -31282771, -5570088, 1127282, 12772488, -29845906, 10483306, -11552749, -1028714},
-			FieldElement{10637467, -5688064, 5674781, 1072708, -26343588, -6982302, -1683975, 9177853, -27493162, 15431203},
-		},
-		{
-			FieldElement{20525145, 10892566, -12742472, 12779443, -29493034, 16150075, -28240519, 14943142, -15056790, -7935931},
-			FieldElement{-30024462, 5626926, -551567, -9981087, 753598, 11981191, 25244767, -3239766, -3356550, 9594024},
-			FieldElement{-23752644, 2636870, -5163910, -10103818, 585134, 7877383, 11345683, -6492290, 13352335, -10977084},
-		},
-		{
-			FieldElement{-1931799, -5407458, 3304649, -12884869, 17015806, -4877091, -29783850, -7752482, -13215537, -319204},
-			FieldElement{20239939, 6607058, 6203985, 3483793, -18386976, -779229, -20723742, 15077870, -22750759, 14523817},
-			FieldElement{27406042, -6041657, 27423596, -4497394, 4996214, 10002360, -28842031, -4545494, -30172742, -4805667},
-		},
-	},
-	{
-		{
-			FieldElement{11374242, 12660715, 17861383, -12540833, 10935568, 1099227, -13886076, -9091740, -27727044, 11358504},
-			FieldElement{-12730809, 10311867, 1510375, 10778093, -2119455, -9145702, 32676003, 11149336, -26123651, 4985768},
-			FieldElement{-19096303, 341147, -6197485, -239033, 15756973, -8796662, -983043, 13794114, -19414307, -15621255},
-		},
-		{
-			FieldElement{6490081, 11940286, 25495923, -7726360, 8668373, -8751316, 3367603, 6970005, -1691065, -9004790},
-			FieldElement{1656497, 13457317, 15370807, 6364910, 13605745, 8362338, -19174622, -5475723, -16796596, -5031438},
-			FieldElement{-22273315, -13524424, -64685, -4334223, -18605636, -10921968, -20571065, -7007978, -99853, -10237333},
-		},
-		{
-			FieldElement{17747465, 10039260, 19368299, -4050591, -20630635, -16041286, 31992683, -15857976, -29260363, -5511971},
-			FieldElement{31932027, -4986141, -19612382, 16366580, 22023614, 88450, 11371999, -3744247, 4882242, -10626905},
-			FieldElement{29796507, 37186, 19818052, 10115756, -11829032, 3352736, 18551198, 3272828, -5190932, -4162409},
-		},
-		{
-			FieldElement{12501286, 4044383, -8612957, -13392385, -32430052, 5136599, -19230378, -3529697, 330070, -3659409},
-			FieldElement{6384877, 2899513, 17807477, 7663917, -2358888, 12363165, 25366522, -8573892, -271295, 12071499},
-			FieldElement{-8365515, -4042521, 25133448, -4517355, -6211027, 2265927, -32769618, 1936675, -5159697, 3829363},
-		},
-		{
-			FieldElement{28425966, -5835433, -577090, -4697198, -14217555, 6870930, 7921550, -6567787, 26333140, 14267664},
-			FieldElement{-11067219, 11871231, 27385719, -10559544, -4585914, -11189312, 10004786, -8709488, -21761224, 8930324},
-			FieldElement{-21197785, -16396035, 25654216, -1725397, 12282012, 11008919, 1541940, 4757911, -26491501, -16408940},
-		},
-		{
-			FieldElement{13537262, -7759490, -20604840, 10961927, -5922820, -13218065, -13156584, 6217254, -15943699, 13814990},
-			FieldElement{-17422573, 15157790, 18705543, 29619, 24409717, -260476, 27361681, 9257833, -1956526, -1776914},
-			FieldElement{-25045300, -10191966, 15366585, 15166509, -13105086, 8423556, -29171540, 12361135, -18685978, 4578290},
-		},
-		{
-			FieldElement{24579768, 3711570, 1342322, -11180126, -27005135, 14124956, -22544529, 14074919, 21964432, 8235257},
-			FieldElement{-6528613, -2411497, 9442966, -5925588, 12025640, -1487420, -2981514, -1669206, 13006806, 2355433},
-			FieldElement{-16304899, -13605259, -6632427, -5142349, 16974359, -10911083, 27202044, 1719366, 1141648, -12796236},
-		},
-		{
-			FieldElement{-12863944, -13219986, -8318266, -11018091, -6810145, -4843894, 13475066, -3133972, 32674895, 13715045},
-			FieldElement{11423335, -5468059, 32344216, 8962751, 24989809, 9241752, -13265253, 16086212, -28740881, -15642093},
-			FieldElement{-1409668, 12530728, -6368726, 10847387, 19531186, -14132160, -11709148, 7791794, -27245943, 4383347},
-		},
-	},
-	{
-		{
-			FieldElement{-28970898, 5271447, -1266009, -9736989, -12455236, 16732599, -4862407, -4906449, 27193557, 6245191},
-			FieldElement{-15193956, 5362278, -1783893, 2695834, 4960227, 12840725, 23061898, 3260492, 22510453, 8577507},
-			FieldElement{-12632451, 11257346, -32692994, 13548177, -721004, 10879011, 31168030, 13952092, -29571492, -3635906},
-		},
-		{
-			FieldElement{3877321, -9572739, 32416692, 5405324, -11004407, -13656635, 3759769, 11935320, 5611860, 8164018},
-			FieldElement{-16275802, 14667797, 15906460, 12155291, -22111149, -9039718, 32003002, -8832289, 5773085, -8422109},
-			FieldElement{-23788118, -8254300, 1950875, 8937633, 18686727, 16459170, -905725, 12376320, 31632953, 190926},
-		},
-		{
-			FieldElement{-24593607, -16138885, -8423991, 13378746, 14162407, 6901328, -8288749, 4508564, -25341555, -3627528},
-			FieldElement{8884438, -5884009, 6023974, 10104341, -6881569, -4941533, 18722941, -14786005, -1672488, 827625},
-			FieldElement{-32720583, -16289296, -32503547, 7101210, 13354605, 2659080, -1800575, -14108036, -24878478, 1541286},
-		},
-		{
-			FieldElement{2901347, -1117687, 3880376, -10059388, -17620940, -3612781, -21802117, -3567481, 20456845, -1885033},
-			FieldElement{27019610, 12299467, -13658288, -1603234, -12861660, -4861471, -19540150, -5016058, 29439641, 15138866},
-			FieldElement{21536104, -6626420, -32447818, -10690208, -22408077, 5175814, -5420040, -16361163, 7779328, 109896},
-		},
-		{
-			FieldElement{30279744, 14648750, -8044871, 6425558, 13639621, -743509, 28698390, 12180118, 23177719, -554075},
-			FieldElement{26572847, 3405927, -31701700, 12890905, -19265668, 5335866, -6493768, 2378492, 4439158, -13279347},
-			FieldElement{-22716706, 3489070, -9225266, -332753, 18875722, -1140095, 14819434, -12731527, -17717757, -5461437},
-		},
-		{
-			FieldElement{-5056483, 16566551, 15953661, 3767752, -10436499, 15627060, -820954, 2177225, 8550082, -15114165},
-			FieldElement{-18473302, 16596775, -381660, 15663611, 22860960, 15585581, -27844109, -3582739, -23260460, -8428588},
-			FieldElement{-32480551, 15707275, -8205912, -5652081, 29464558, 2713815, -22725137, 15860482, -21902570, 1494193},
-		},
-		{
-			FieldElement{-19562091, -14087393, -25583872, -9299552, 13127842, 759709, 21923482, 16529112, 8742704, 12967017},
-			FieldElement{-28464899, 1553205, 32536856, -10473729, -24691605, -406174, -8914625, -2933896, -29903758, 15553883},
-			FieldElement{21877909, 3230008, 9881174, 10539357, -4797115, 2841332, 11543572, 14513274, 19375923, -12647961},
-		},
-		{
-			FieldElement{8832269, -14495485, 13253511, 5137575, 5037871, 4078777, 24880818, -6222716, 2862653, 9455043},
-			FieldElement{29306751, 5123106, 20245049, -14149889, 9592566, 8447059, -2077124, -2990080, 15511449, 4789663},
-			FieldElement{-20679756, 7004547, 8824831, -9434977, -4045704, -3750736, -5754762, 108893, 23513200, 16652362},
-		},
-	},
-	{
-		{
-			FieldElement{-33256173, 4144782, -4476029, -6579123, 10770039, -7155542, -6650416, -12936300, -18319198, 10212860},
-			FieldElement{2756081, 8598110, 7383731, -6859892, 22312759, -1105012, 21179801, 2600940, -9988298, -12506466},
-			FieldElement{-24645692, 13317462, -30449259, -15653928, 21365574, -10869657, 11344424, 864440, -2499677, -16710063},
-		},
-		{
-			FieldElement{-26432803, 6148329, -17184412, -14474154, 18782929, -275997, -22561534, 211300, 2719757, 4940997},
-			FieldElement{-1323882, 3911313, -6948744, 14759765, -30027150, 7851207, 21690126, 8518463, 26699843, 5276295},
-			FieldElement{-13149873, -6429067, 9396249, 365013, 24703301, -10488939, 1321586, 149635, -15452774, 7159369},
-		},
-		{
-			FieldElement{9987780, -3404759, 17507962, 9505530, 9731535, -2165514, 22356009, 8312176, 22477218, -8403385},
-			FieldElement{18155857, -16504990, 19744716, 9006923, 15154154, -10538976, 24256460, -4864995, -22548173, 9334109},
-			FieldElement{2986088, -4911893, 10776628, -3473844, 10620590, -7083203, -21413845, 14253545, -22587149, 536906},
-		},
-		{
-			FieldElement{4377756, 8115836, 24567078, 15495314, 11625074, 13064599, 7390551, 10589625, 10838060, -15420424},
-			FieldElement{-19342404, 867880, 9277171, -3218459, -14431572, -1986443, 19295826, -15796950, 6378260, 699185},
-			FieldElement{7895026, 4057113, -7081772, -13077756, -17886831, -323126, -716039, 15693155, -5045064, -13373962},
-		},
-		{
-			FieldElement{-7737563, -5869402, -14566319, -7406919, 11385654, 13201616, 31730678, -10962840, -3918636, -9669325},
-			FieldElement{10188286, -15770834, -7336361, 13427543, 22223443, 14896287, 30743455, 7116568, -21786507, 5427593},
-			FieldElement{696102, 13206899, 27047647, -10632082, 15285305, -9853179, 10798490, -4578720, 19236243, 12477404},
-		},
-		{
-			FieldElement{-11229439, 11243796, -17054270, -8040865, -788228, -8167967, -3897669, 11180504, -23169516, 7733644},
-			FieldElement{17800790, -14036179, -27000429, -11766671, 23887827, 3149671, 23466177, -10538171, 10322027, 15313801},
-			FieldElement{26246234, 11968874, 32263343, -5468728, 6830755, -13323031, -15794704, -101982, -24449242, 10890804},
-		},
-		{
-			FieldElement{-31365647, 10271363, -12660625, -6267268, 16690207, -13062544, -14982212, 16484931, 25180797, -5334884},
-			FieldElement{-586574, 10376444, -32586414, -11286356, 19801893, 10997610, 2276632, 9482883, 316878, 13820577},
-			FieldElement{-9882808, -4510367, -2115506, 16457136, -11100081, 11674996, 30756178, -7515054, 30696930, -3712849},
-		},
-		{
-			FieldElement{32988917, -9603412, 12499366, 7910787, -10617257, -11931514, -7342816, -9985397, -32349517, 7392473},
-			FieldElement{-8855661, 15927861, 9866406, -3649411, -2396914, -16655781, -30409476, -9134995, 25112947, -2926644},
-			FieldElement{-2504044, -436966, 25621774, -5678772, 15085042, -5479877, -24884878, -13526194, 5537438, -13914319},
-		},
-	},
-	{
-		{
-			FieldElement{-11225584, 2320285, -9584280, 10149187, -33444663, 5808648, -14876251, -1729667, 31234590, 6090599},
-			FieldElement{-9633316, 116426, 26083934, 2897444, -6364437, -2688086, 609721, 15878753, -6970405, -9034768},
-			FieldElement{-27757857, 247744, -15194774, -9002551, 23288161, -10011936, -23869595, 6503646, 20650474, 1804084},
-		},
-		{
-			FieldElement{-27589786, 15456424, 8972517, 8469608, 15640622, 4439847, 3121995, -10329713, 27842616, -202328},
-			FieldElement{-15306973, 2839644, 22530074, 10026331, 4602058, 5048462, 28248656, 5031932, -11375082, 12714369},
-			FieldElement{20807691, -7270825, 29286141, 11421711, -27876523, -13868230, -21227475, 1035546, -19733229, 12796920},
-		},
-		{
-			FieldElement{12076899, -14301286, -8785001, -11848922, -25012791, 16400684, -17591495, -12899438, 3480665, -15182815},
-			FieldElement{-32361549, 5457597, 28548107, 7833186, 7303070, -11953545, -24363064, -15921875, -33374054, 2771025},
-			FieldElement{-21389266, 421932, 26597266, 6860826, 22486084, -6737172, -17137485, -4210226, -24552282, 15673397},
-		},
-		{
-			FieldElement{-20184622, 2338216, 19788685, -9620956, -4001265, -8740893, -20271184, 4733254, 3727144, -12934448},
-			FieldElement{6120119, 814863, -11794402, -622716, 6812205, -15747771, 2019594, 7975683, 31123697, -10958981},
-			FieldElement{30069250, -11435332, 30434654, 2958439, 18399564, -976289, 12296869, 9204260, -16432438, 9648165},
-		},
-		{
-			FieldElement{32705432, -1550977, 30705658, 7451065, -11805606, 9631813, 3305266, 5248604, -26008332, -11377501},
-			FieldElement{17219865, 2375039, -31570947, -5575615, -19459679, 9219903, 294711, 15298639, 2662509, -16297073},
-			FieldElement{-1172927, -7558695, -4366770, -4287744, -21346413, -8434326, 32087529, -1222777, 32247248, -14389861},
-		},
-		{
-			FieldElement{14312628, 1221556, 17395390, -8700143, -4945741, -8684635, -28197744, -9637817, -16027623, -13378845},
-			FieldElement{-1428825, -9678990, -9235681, 6549687, -7383069, -468664, 23046502, 9803137, 17597934, 2346211},
-			FieldElement{18510800, 15337574, 26171504, 981392, -22241552, 7827556, -23491134, -11323352, 3059833, -11782870},
-		},
-		{
-			FieldElement{10141598, 6082907, 17829293, -1947643, 9830092, 13613136, -25556636, -5544586, -33502212, 3592096},
-			FieldElement{33114168, -15889352, -26525686, -13343397, 33076705, 8716171, 1151462, 1521897, -982665, -6837803},
-			FieldElement{-32939165, -4255815, 23947181, -324178, -33072974, -12305637, -16637686, 3891704, 26353178, 693168},
-		},
-		{
-			FieldElement{30374239, 1595580, -16884039, 13186931, 4600344, 406904, 9585294, -400668, 31375464, 14369965},
-			FieldElement{-14370654, -7772529, 1510301, 6434173, -18784789, -6262728, 32732230, -13108839, 17901441, 16011505},
-			FieldElement{18171223, -11934626, -12500402, 15197122, -11038147, -15230035, -19172240, -16046376, 8764035, 12309598},
-		},
-	},
-	{
-		{
-			FieldElement{5975908, -5243188, -19459362, -9681747, -11541277, 14015782, -23665757, 1228319, 17544096, -10593782},
-			FieldElement{5811932, -1715293, 3442887, -2269310, -18367348, -8359541, -18044043, -15410127, -5565381, 12348900},
-			FieldElement{-31399660, 11407555, 25755363, 6891399, -3256938, 14872274, -24849353, 8141295, -10632534, -585479},
-		},
-		{
-			FieldElement{-12675304, 694026, -5076145, 13300344, 14015258, -14451394, -9698672, -11329050, 30944593, 1130208},
-			FieldElement{8247766, -6710942, -26562381, -7709309, -14401939, -14648910, 4652152, 2488540, 23550156, -271232},
-			FieldElement{17294316, -3788438, 7026748, 15626851, 22990044, 113481, 2267737, -5908146, -408818, -137719},
-		},
-		{
-			FieldElement{16091085, -16253926, 18599252, 7340678, 2137637, -1221657, -3364161, 14550936, 3260525, -7166271},
-			FieldElement{-4910104, -13332887, 18550887, 10864893, -16459325, -7291596, -23028869, -13204905, -12748722, 2701326},
-			FieldElement{-8574695, 16099415, 4629974, -16340524, -20786213, -6005432, -10018363, 9276971, 11329923, 1862132},
-		},
-		{
-			FieldElement{14763076, -15903608, -30918270, 3689867, 3511892, 10313526, -21951088, 12219231, -9037963, -940300},
-			FieldElement{8894987, -3446094, 6150753, 3013931, 301220, 15693451, -31981216, -2909717, -15438168, 11595570},
-			FieldElement{15214962, 3537601, -26238722, -14058872, 4418657, -15230761, 13947276, 10730794, -13489462, -4363670},
-		},
-		{
-			FieldElement{-2538306, 7682793, 32759013, 263109, -29984731, -7955452, -22332124, -10188635, 977108, 699994},
-			FieldElement{-12466472, 4195084, -9211532, 550904, -15565337, 12917920, 19118110, -439841, -30534533, -14337913},
-			FieldElement{31788461, -14507657, 4799989, 7372237, 8808585, -14747943, 9408237, -10051775, 12493932, -5409317},
-		},
-		{
-			FieldElement{-25680606, 5260744, -19235809, -6284470, -3695942, 16566087, 27218280, 2607121, 29375955, 6024730},
-			FieldElement{842132, -2794693, -4763381, -8722815, 26332018, -12405641, 11831880, 6985184, -9940361, 2854096},
-			FieldElement{-4847262, -7969331, 2516242, -5847713, 9695691, -7221186, 16512645, 960770, 12121869, 16648078},
-		},
-		{
-			FieldElement{-15218652, 14667096, -13336229, 2013717, 30598287, -464137, -31504922, -7882064, 20237806, 2838411},
-			FieldElement{-19288047, 4453152, 15298546, -16178388, 22115043, -15972604, 12544294, -13470457, 1068881, -12499905},
-			FieldElement{-9558883, -16518835, 33238498, 13506958, 30505848, -1114596, -8486907, -2630053, 12521378, 4845654},
-		},
-		{
-			FieldElement{-28198521, 10744108, -2958380, 10199664, 7759311, -13088600, 3409348, -873400, -6482306, -12885870},
-			FieldElement{-23561822, 6230156, -20382013, 10655314, -24040585, -11621172, 10477734, -1240216, -3113227, 13974498},
-			FieldElement{12966261, 15550616, -32038948, -1615346, 21025980, -629444, 5642325, 7188737, 18895762, 12629579},
-		},
-	},
-	{
-		{
-			FieldElement{14741879, -14946887, 22177208, -11721237, 1279741, 8058600, 11758140, 789443, 32195181, 3895677},
-			FieldElement{10758205, 15755439, -4509950, 9243698, -4879422, 6879879, -2204575, -3566119, -8982069, 4429647},
-			FieldElement{-2453894, 15725973, -20436342, -10410672, -5803908, -11040220, -7135870, -11642895, 18047436, -15281743},
-		},
-		{
-			FieldElement{-25173001, -11307165, 29759956, 11776784, -22262383, -15820455, 10993114, -12850837, -17620701, -9408468},
-			FieldElement{21987233, 700364, -24505048, 14972008, -7774265, -5718395, 32155026, 2581431, -29958985, 8773375},
-			FieldElement{-25568350, 454463, -13211935, 16126715, 25240068, 8594567, 20656846, 12017935, -7874389, -13920155},
-		},
-		{
-			FieldElement{6028182, 6263078, -31011806, -11301710, -818919, 2461772, -31841174, -5468042, -1721788, -2776725},
-			FieldElement{-12278994, 16624277, 987579, -5922598, 32908203, 1248608, 7719845, -4166698, 28408820, 6816612},
-			FieldElement{-10358094, -8237829, 19549651, -12169222, 22082623, 16147817, 20613181, 13982702, -10339570, 5067943},
-		},
-		{
-			FieldElement{-30505967, -3821767, 12074681, 13582412, -19877972, 2443951, -19719286, 12746132, 5331210, -10105944},
-			FieldElement{30528811, 3601899, -1957090, 4619785, -27361822, -15436388, 24180793, -12570394, 27679908, -1648928},
-			FieldElement{9402404, -13957065, 32834043, 10838634, -26580150, -13237195, 26653274, -8685565, 22611444, -12715406},
-		},
-		{
-			FieldElement{22190590, 1118029, 22736441, 15130463, -30460692, -5991321, 19189625, -4648942, 4854859, 6622139},
-			FieldElement{-8310738, -2953450, -8262579, -3388049, -10401731, -271929, 13424426, -3567227, 26404409, 13001963},
-			FieldElement{-31241838, -15415700, -2994250, 8939346, 11562230, -12840670, -26064365, -11621720, -15405155, 11020693},
-		},
-		{
-			FieldElement{1866042, -7949489, -7898649, -10301010, 12483315, 13477547, 3175636, -12424163, 28761762, 1406734},
-			FieldElement{-448555, -1777666, 13018551, 3194501, -9580420, -11161737, 24760585, -4347088, 25577411, -13378680},
-			FieldElement{-24290378, 4759345, -690653, -1852816, 2066747, 10693769, -29595790, 9884936, -9368926, 4745410},
-		},
-		{
-			FieldElement{-9141284, 6049714, -19531061, -4341411, -31260798, 9944276, -15462008, -11311852, 10931924, -11931931},
-			FieldElement{-16561513, 14112680, -8012645, 4817318, -8040464, -11414606, -22853429, 10856641, -20470770, 13434654},
-			FieldElement{22759489, -10073434, -16766264, -1871422, 13637442, -10168091, 1765144, -12654326, 28445307, -5364710},
-		},
-		{
-			FieldElement{29875063, 12493613, 2795536, -3786330, 1710620, 15181182, -10195717, -8788675, 9074234, 1167180},
-			FieldElement{-26205683, 11014233, -9842651, -2635485, -26908120, 7532294, -18716888, -9535498, 3843903, 9367684},
-			FieldElement{-10969595, -6403711, 9591134, 9582310, 11349256, 108879, 16235123, 8601684, -139197, 4242895},
-		},
-	},
-	{
-		{
-			FieldElement{22092954, -13191123, -2042793, -11968512, 32186753, -11517388, -6574341, 2470660, -27417366, 16625501},
-			FieldElement{-11057722, 3042016, 13770083, -9257922, 584236, -544855, -7770857, 2602725, -27351616, 14247413},
-			FieldElement{6314175, -10264892, -32772502, 15957557, -10157730, 168750, -8618807, 14290061, 27108877, -1180880},
-		},
-		{
-			FieldElement{-8586597, -7170966, 13241782, 10960156, -32991015, -13794596, 33547976, -11058889, -27148451, 981874},
-			FieldElement{22833440, 9293594, -32649448, -13618667, -9136966, 14756819, -22928859, -13970780, -10479804, -16197962},
-			FieldElement{-7768587, 3326786, -28111797, 10783824, 19178761, 14905060, 22680049, 13906969, -15933690, 3797899},
-		},
-		{
-			FieldElement{21721356, -4212746, -12206123, 9310182, -3882239, -13653110, 23740224, -2709232, 20491983, -8042152},
-			FieldElement{9209270, -15135055, -13256557, -6167798, -731016, 15289673, 25947805, 15286587, 30997318, -6703063},
-			FieldElement{7392032, 16618386, 23946583, -8039892, -13265164, -1533858, -14197445, -2321576, 17649998, -250080},
-		},
-		{
-			FieldElement{-9301088, -14193827, 30609526, -3049543, -25175069, -1283752, -15241566, -9525724, -2233253, 7662146},
-			FieldElement{-17558673, 1763594, -33114336, 15908610, -30040870, -12174295, 7335080, -8472199, -3174674, 3440183},
-			FieldElement{-19889700, -5977008, -24111293, -9688870, 10799743, -16571957, 40450, -4431835, 4862400, 1133},
-		},
-		{
-			FieldElement{-32856209, -7873957, -5422389, 14860950, -16319031, 7956142, 7258061, 311861, -30594991, -7379421},
-			FieldElement{-3773428, -1565936, 28985340, 7499440, 24445838, 9325937, 29727763, 16527196, 18278453, 15405622},
-			FieldElement{-4381906, 8508652, -19898366, -3674424, -5984453, 15149970, -13313598, 843523, -21875062, 13626197},
-		},
-		{
-			FieldElement{2281448, -13487055, -10915418, -2609910, 1879358, 16164207, -10783882, 3953792, 13340839, 15928663},
-			FieldElement{31727126, -7179855, -18437503, -8283652, 2875793, -16390330, -25269894, -7014826, -23452306, 5964753},
-			FieldElement{4100420, -5959452, -17179337, 6017714, -18705837, 12227141, -26684835, 11344144, 2538215, -7570755},
-		},
-		{
-			FieldElement{-9433605, 6123113, 11159803, -2156608, 30016280, 14966241, -20474983, 1485421, -629256, -15958862},
-			FieldElement{-26804558, 4260919, 11851389, 9658551, -32017107, 16367492, -20205425, -13191288, 11659922, -11115118},
-			FieldElement{26180396, 10015009, -30844224, -8581293, 5418197, 9480663, 2231568, -10170080, 33100372, -1306171},
-		},
-		{
-			FieldElement{15121113, -5201871, -10389905, 15427821, -27509937, -15992507, 21670947, 4486675, -5931810, -14466380},
-			FieldElement{16166486, -9483733, -11104130, 6023908, -31926798, -1364923, 2340060, -16254968, -10735770, -10039824},
-			FieldElement{28042865, -3557089, -12126526, 12259706, -3717498, -6945899, 6766453, -8689599, 18036436, 5803270},
-		},
-	},
-	{
-		{
-			FieldElement{-817581, 6763912, 11803561, 1585585, 10958447, -2671165, 23855391, 4598332, -6159431, -14117438},
-			FieldElement{-31031306, -14256194, 17332029, -2383520, 31312682, -5967183, 696309, 50292, -20095739, 11763584},
-			FieldElement{-594563, -2514283, -32234153, 12643980, 12650761, 14811489, 665117, -12613632, -19773211, -10713562},
-		},
-		{
-			FieldElement{30464590, -11262872, -4127476, -12734478, 19835327, -7105613, -24396175, 2075773, -17020157, 992471},
-			FieldElement{18357185, -6994433, 7766382, 16342475, -29324918, 411174, 14578841, 8080033, -11574335, -10601610},
-			FieldElement{19598397, 10334610, 12555054, 2555664, 18821899, -10339780, 21873263, 16014234, 26224780, 16452269},
-		},
-		{
-			FieldElement{-30223925, 5145196, 5944548, 16385966, 3976735, 2009897, -11377804, -7618186, -20533829, 3698650},
-			FieldElement{14187449, 3448569, -10636236, -10810935, -22663880, -3433596, 7268410, -10890444, 27394301, 12015369},
-			FieldElement{19695761, 16087646, 28032085, 12999827, 6817792, 11427614, 20244189, -1312777, -13259127, -3402461},
-		},
-		{
-			FieldElement{30860103, 12735208, -1888245, -4699734, -16974906, 2256940, -8166013, 12298312, -8550524, -10393462},
-			FieldElement{-5719826, -11245325, -1910649, 15569035, 26642876, -7587760, -5789354, -15118654, -4976164, 12651793},
-			FieldElement{-2848395, 9953421, 11531313, -5282879, 26895123, -12697089, -13118820, -16517902, 9768698, -2533218},
-		},
-		{
-			FieldElement{-24719459, 1894651, -287698, -4704085, 15348719, -8156530, 32767513, 12765450, 4940095, 10678226},
-			FieldElement{18860224, 15980149, -18987240, -1562570, -26233012, -11071856, -7843882, 13944024, -24372348, 16582019},
-			FieldElement{-15504260, 4970268, -29893044, 4175593, -20993212, -2199756, -11704054, 15444560, -11003761, 7989037},
-		},
-		{
-			FieldElement{31490452, 5568061, -2412803, 2182383, -32336847, 4531686, -32078269, 6200206, -19686113, -14800171},
-			FieldElement{-17308668, -15879940, -31522777, -2831, -32887382, 16375549, 8680158, -16371713, 28550068, -6857132},
-			FieldElement{-28126887, -5688091, 16837845, -1820458, -6850681, 12700016, -30039981, 4364038, 1155602, 5988841},
-		},
-		{
-			FieldElement{21890435, -13272907, -12624011, 12154349, -7831873, 15300496, 23148983, -4470481, 24618407, 8283181},
-			FieldElement{-33136107, -10512751, 9975416, 6841041, -31559793, 16356536, 3070187, -7025928, 1466169, 10740210},
-			FieldElement{-1509399, -15488185, -13503385, -10655916, 32799044, 909394, -13938903, -5779719, -32164649, -15327040},
-		},
-		{
-			FieldElement{3960823, -14267803, -28026090, -15918051, -19404858, 13146868, 15567327, 951507, -3260321, -573935},
-			FieldElement{24740841, 5052253, -30094131, 8961361, 25877428, 6165135, -24368180, 14397372, -7380369, -6144105},
-			FieldElement{-28888365, 3510803, -28103278, -1158478, -11238128, -10631454, -15441463, -14453128, -1625486, -6494814},
-		},
-	},
-	{
-		{
-			FieldElement{793299, -9230478, 8836302, -6235707, -27360908, -2369593, 33152843, -4885251, -9906200, -621852},
-			FieldElement{5666233, 525582, 20782575, -8038419, -24538499, 14657740, 16099374, 1468826, -6171428, -15186581},
-			FieldElement{-4859255, -3779343, -2917758, -6748019, 7778750, 11688288, -30404353, -9871238, -1558923, -9863646},
-		},
-		{
-			FieldElement{10896332, -7719704, 824275, 472601, -19460308, 3009587, 25248958, 14783338, -30581476, -15757844},
-			FieldElement{10566929, 12612572, -31944212, 11118703, -12633376, 12362879, 21752402, 8822496, 24003793, 14264025},
-			FieldElement{27713862, -7355973, -11008240, 9227530, 27050101, 2504721, 23886875, -13117525, 13958495, -5732453},
-		},
-		{
-			FieldElement{-23481610, 4867226, -27247128, 3900521, 29838369, -8212291, -31889399, -10041781, 7340521, -15410068},
-			FieldElement{4646514, -8011124, -22766023, -11532654, 23184553, 8566613, 31366726, -1381061, -15066784, -10375192},
-			FieldElement{-17270517, 12723032, -16993061, 14878794, 21619651, -6197576, 27584817, 3093888, -8843694, 3849921},
-		},
-		{
-			FieldElement{-9064912, 2103172, 25561640, -15125738, -5239824, 9582958, 32477045, -9017955, 5002294, -15550259},
-			FieldElement{-12057553, -11177906, 21115585, -13365155, 8808712, -12030708, 16489530, 13378448, -25845716, 12741426},
-			FieldElement{-5946367, 10645103, -30911586, 15390284, -3286982, -7118677, 24306472, 15852464, 28834118, -7646072},
-		},
-		{
-			FieldElement{-17335748, -9107057, -24531279, 9434953, -8472084, -583362, -13090771, 455841, 20461858, 5491305},
-			FieldElement{13669248, -16095482, -12481974, -10203039, -14569770, -11893198, -24995986, 11293807, -28588204, -9421832},
-			FieldElement{28497928, 6272777, -33022994, 14470570, 8906179, -1225630, 18504674, -14165166, 29867745, -8795943},
-		},
-		{
-			FieldElement{-16207023, 13517196, -27799630, -13697798, 24009064, -6373891, -6367600, -13175392, 22853429, -4012011},
-			FieldElement{24191378, 16712145, -13931797, 15217831, 14542237, 1646131, 18603514, -11037887, 12876623, -2112447},
-			FieldElement{17902668, 4518229, -411702, -2829247, 26878217, 5258055, -12860753, 608397, 16031844, 3723494},
-		},
-		{
-			FieldElement{-28632773, 12763728, -20446446, 7577504, 33001348, -13017745, 17558842, -7872890, 23896954, -4314245},
-			FieldElement{-20005381, -12011952, 31520464, 605201, 2543521, 5991821, -2945064, 7229064, -9919646, -8826859},
-			FieldElement{28816045, 298879, -28165016, -15920938, 19000928, -1665890, -12680833, -2949325, -18051778, -2082915},
-		},
-		{
-			FieldElement{16000882, -344896, 3493092, -11447198, -29504595, -13159789, 12577740, 16041268, -19715240, 7847707},
-			FieldElement{10151868, 10572098, 27312476, 7922682, 14825339, 4723128, -32855931, -6519018, -10020567, 3852848},
-			FieldElement{-11430470, 15697596, -21121557, -4420647, 5386314, 15063598, 16514493, -15932110, 29330899, -15076224},
-		},
-	},
-	{
-		{
-			FieldElement{-25499735, -4378794, -15222908, -6901211, 16615731, 2051784, 3303702, 15490, -27548796, 12314391},
-			FieldElement{15683520, -6003043, 18109120, -9980648, 15337968, -5997823, -16717435, 15921866, 16103996, -3731215},
-			FieldElement{-23169824, -10781249, 13588192, -1628807, -3798557, -1074929, -19273607, 5402699, -29815713, -9841101},
-		},
-		{
-			FieldElement{23190676, 2384583, -32714340, 3462154, -29903655, -1529132, -11266856, 8911517, -25205859, 2739713},
-			FieldElement{21374101, -3554250, -33524649, 9874411, 15377179, 11831242, -33529904, 6134907, 4931255, 11987849},
-			FieldElement{-7732, -2978858, -16223486, 7277597, 105524, -322051, -31480539, 13861388, -30076310, 10117930},
-		},
-		{
-			FieldElement{-29501170, -10744872, -26163768, 13051539, -25625564, 5089643, -6325503, 6704079, 12890019, 15728940},
-			FieldElement{-21972360, -11771379, -951059, -4418840, 14704840, 2695116, 903376, -10428139, 12885167, 8311031},
-			FieldElement{-17516482, 5352194, 10384213, -13811658, 7506451, 13453191, 26423267, 4384730, 1888765, -5435404},
-		},
-		{
-			FieldElement{-25817338, -3107312, -13494599, -3182506, 30896459, -13921729, -32251644, -12707869, -19464434, -3340243},
-			FieldElement{-23607977, -2665774, -526091, 4651136, 5765089, 4618330, 6092245, 14845197, 17151279, -9854116},
-			FieldElement{-24830458, -12733720, -15165978, 10367250, -29530908, -265356, 22825805, -7087279, -16866484, 16176525},
-		},
-		{
-			FieldElement{-23583256, 6564961, 20063689, 3798228, -4740178, 7359225, 2006182, -10363426, -28746253, -10197509},
-			FieldElement{-10626600, -4486402, -13320562, -5125317, 3432136, -6393229, 23632037, -1940610, 32808310, 1099883},
-			FieldElement{15030977, 5768825, -27451236, -2887299, -6427378, -15361371, -15277896, -6809350, 2051441, -15225865},
-		},
-		{
-			FieldElement{-3362323, -7239372, 7517890, 9824992, 23555850, 295369, 5148398, -14154188, -22686354, 16633660},
-			FieldElement{4577086, -16752288, 13249841, -15304328, 19958763, -14537274, 18559670, -10759549, 8402478, -9864273},
-			FieldElement{-28406330, -1051581, -26790155, -907698, -17212414, -11030789, 9453451, -14980072, 17983010, 9967138},
-		},
-		{
-			FieldElement{-25762494, 6524722, 26585488, 9969270, 24709298, 1220360, -1677990, 7806337, 17507396, 3651560},
-			FieldElement{-10420457, -4118111, 14584639, 15971087, -15768321, 8861010, 26556809, -5574557, -18553322, -11357135},
-			FieldElement{2839101, 14284142, 4029895, 3472686, 14402957, 12689363, -26642121, 8459447, -5605463, -7621941},
-		},
-		{
-			FieldElement{-4839289, -3535444, 9744961, 2871048, 25113978, 3187018, -25110813, -849066, 17258084, -7977739},
-			FieldElement{18164541, -10595176, -17154882, -1542417, 19237078, -9745295, 23357533, -15217008, 26908270, 12150756},
-			FieldElement{-30264870, -7647865, 5112249, -7036672, -1499807, -6974257, 43168, -5537701, -32302074, 16215819},
-		},
-	},
-	{
-		{
-			FieldElement{-6898905, 9824394, -12304779, -4401089, -31397141, -6276835, 32574489, 12532905, -7503072, -8675347},
-			FieldElement{-27343522, -16515468, -27151524, -10722951, 946346, 16291093, 254968, 7168080, 21676107, -1943028},
-			FieldElement{21260961, -8424752, -16831886, -11920822, -23677961, 3968121, -3651949, -6215466, -3556191, -7913075},
-		},
-		{
-			FieldElement{16544754, 13250366, -16804428, 15546242, -4583003, 12757258, -2462308, -8680336, -18907032, -9662799},
-			FieldElement{-2415239, -15577728, 18312303, 4964443, -15272530, -12653564, 26820651, 16690659, 25459437, -4564609},
-			FieldElement{-25144690, 11425020, 28423002, -11020557, -6144921, -15826224, 9142795, -2391602, -6432418, -1644817},
-		},
-		{
-			FieldElement{-23104652, 6253476, 16964147, -3768872, -25113972, -12296437, -27457225, -16344658, 6335692, 7249989},
-			FieldElement{-30333227, 13979675, 7503222, -12368314, -11956721, -4621693, -30272269, 2682242, 25993170, -12478523},
-			FieldElement{4364628, 5930691, 32304656, -10044554, -8054781, 15091131, 22857016, -10598955, 31820368, 15075278},
-		},
-		{
-			FieldElement{31879134, -8918693, 17258761, 90626, -8041836, -4917709, 24162788, -9650886, -17970238, 12833045},
-			FieldElement{19073683, 14851414, -24403169, -11860168, 7625278, 11091125, -19619190, 2074449, -9413939, 14905377},
-			FieldElement{24483667, -11935567, -2518866, -11547418, -1553130, 15355506, -25282080, 9253129, 27628530, -7555480},
-		},
-		{
-			FieldElement{17597607, 8340603, 19355617, 552187, 26198470, -3176583, 4593324, -9157582, -14110875, 15297016},
-			FieldElement{510886, 14337390, -31785257, 16638632, 6328095, 2713355, -20217417, -11864220, 8683221, 2921426},
-			FieldElement{18606791, 11874196, 27155355, -5281482, -24031742, 6265446, -25178240, -1278924, 4674690, 13890525},
-		},
-		{
-			FieldElement{13609624, 13069022, -27372361, -13055908, 24360586, 9592974, 14977157, 9835105, 4389687, 288396},
-			FieldElement{9922506, -519394, 13613107, 5883594, -18758345, -434263, -12304062, 8317628, 23388070, 16052080},
-			FieldElement{12720016, 11937594, -31970060, -5028689, 26900120, 8561328, -20155687, -11632979, -14754271, -10812892},
-		},
-		{
-			FieldElement{15961858, 14150409, 26716931, -665832, -22794328, 13603569, 11829573, 7467844, -28822128, 929275},
-			FieldElement{11038231, -11582396, -27310482, -7316562, -10498527, -16307831, -23479533, -9371869, -21393143, 2465074},
-			FieldElement{20017163, -4323226, 27915242, 1529148, 12396362, 15675764, 13817261, -9658066, 2463391, -4622140},
-		},
-		{
-			FieldElement{-16358878, -12663911, -12065183, 4996454, -1256422, 1073572, 9583558, 12851107, 4003896, 12673717},
-			FieldElement{-1731589, -15155870, -3262930, 16143082, 19294135, 13385325, 14741514, -9103726, 7903886, 2348101},
-			FieldElement{24536016, -16515207, 12715592, -3862155, 1511293, 10047386, -3842346, -7129159, -28377538, 10048127},
-		},
-	},
-	{
-		{
-			FieldElement{-12622226, -6204820, 30718825, 2591312, -10617028, 12192840, 18873298, -7297090, -32297756, 15221632},
-			FieldElement{-26478122, -11103864, 11546244, -1852483, 9180880, 7656409, -21343950, 2095755, 29769758, 6593415},
-			FieldElement{-31994208, -2907461, 4176912, 3264766, 12538965, -868111, 26312345, -6118678, 30958054, 8292160},
-		},
-		{
-			FieldElement{31429822, -13959116, 29173532, 15632448, 12174511, -2760094, 32808831, 3977186, 26143136, -3148876},
-			FieldElement{22648901, 1402143, -22799984, 13746059, 7936347, 365344, -8668633, -1674433, -3758243, -2304625},
-			FieldElement{-15491917, 8012313, -2514730, -12702462, -23965846, -10254029, -1612713, -1535569, -16664475, 8194478},
-		},
-		{
-			FieldElement{27338066, -7507420, -7414224, 10140405, -19026427, -6589889, 27277191, 8855376, 28572286, 3005164},
-			FieldElement{26287124, 4821776, 25476601, -4145903, -3764513, -15788984, -18008582, 1182479, -26094821, -13079595},
-			FieldElement{-7171154, 3178080, 23970071, 6201893, -17195577, -4489192, -21876275, -13982627, 32208683, -1198248},
-		},
-		{
-			FieldElement{-16657702, 2817643, -10286362, 14811298, 6024667, 13349505, -27315504, -10497842, -27672585, -11539858},
-			FieldElement{15941029, -9405932, -21367050, 8062055, 31876073, -238629, -15278393, -1444429, 15397331, -4130193},
-			FieldElement{8934485, -13485467, -23286397, -13423241, -32446090, 14047986, 31170398, -1441021, -27505566, 15087184},
-		},
-		{
-			FieldElement{-18357243, -2156491, 24524913, -16677868, 15520427, -6360776, -15502406, 11461896, 16788528, -5868942},
-			FieldElement{-1947386, 16013773, 21750665, 3714552, -17401782, -16055433, -3770287, -10323320, 31322514, -11615635},
-			FieldElement{21426655, -5650218, -13648287, -5347537, -28812189, -4920970, -18275391, -14621414, 13040862, -12112948},
-		},
-		{
-			FieldElement{11293895, 12478086, -27136401, 15083750, -29307421, 14748872, 14555558, -13417103, 1613711, 4896935},
-			FieldElement{-25894883, 15323294, -8489791, -8057900, 25967126, -13425460, 2825960, -4897045, -23971776, -11267415},
-			FieldElement{-15924766, -5229880, -17443532, 6410664, 3622847, 10243618, 20615400, 12405433, -23753030, -8436416},
-		},
-		{
-			FieldElement{-7091295, 12556208, -20191352, 9025187, -17072479, 4333801, 4378436, 2432030, 23097949, -566018},
-			FieldElement{4565804, -16025654, 20084412, -7842817, 1724999, 189254, 24767264, 10103221, -18512313, 2424778},
-			FieldElement{366633, -11976806, 8173090, -6890119, 30788634, 5745705, -7168678, 1344109, -3642553, 12412659},
-		},
-		{
-			FieldElement{-24001791, 7690286, 14929416, -168257, -32210835, -13412986, 24162697, -15326504, -3141501, 11179385},
-			FieldElement{18289522, -14724954, 8056945, 16430056, -21729724, 7842514, -6001441, -1486897, -18684645, -11443503},
-			FieldElement{476239, 6601091, -6152790, -9723375, 17503545, -4863900, 27672959, 13403813, 11052904, 5219329},
-		},
-	},
-	{
-		{
-			FieldElement{20678546, -8375738, -32671898, 8849123, -5009758, 14574752, 31186971, -3973730, 9014762, -8579056},
-			FieldElement{-13644050, -10350239, -15962508, 5075808, -1514661, -11534600, -33102500, 9160280, 8473550, -3256838},
-			FieldElement{24900749, 14435722, 17209120, -15292541, -22592275, 9878983, -7689309, -16335821, -24568481, 11788948},
-		},
-		{
-			FieldElement{-3118155, -11395194, -13802089, 14797441, 9652448, -6845904, -20037437, 10410733, -24568470, -1458691},
-			FieldElement{-15659161, 16736706, -22467150, 10215878, -9097177, 7563911, 11871841, -12505194, -18513325, 8464118},
-			FieldElement{-23400612, 8348507, -14585951, -861714, -3950205, -6373419, 14325289, 8628612, 33313881, -8370517},
-		},
-		{
-			FieldElement{-20186973, -4967935, 22367356, 5271547, -1097117, -4788838, -24805667, -10236854, -8940735, -5818269},
-			FieldElement{-6948785, -1795212, -32625683, -16021179, 32635414, -7374245, 15989197, -12838188, 28358192, -4253904},
-			FieldElement{-23561781, -2799059, -32351682, -1661963, -9147719, 10429267, -16637684, 4072016, -5351664, 5596589},
-		},
-		{
-			FieldElement{-28236598, -3390048, 12312896, 6213178, 3117142, 16078565, 29266239, 2557221, 1768301, 15373193},
-			FieldElement{-7243358, -3246960, -4593467, -7553353, -127927, -912245, -1090902, -4504991, -24660491, 3442910},
-			FieldElement{-30210571, 5124043, 14181784, 8197961, 18964734, -11939093, 22597931, 7176455, -18585478, 13365930},
-		},
-		{
-			FieldElement{-7877390, -1499958, 8324673, 4690079, 6261860, 890446, 24538107, -8570186, -9689599, -3031667},
-			FieldElement{25008904, -10771599, -4305031, -9638010, 16265036, 15721635, 683793, -11823784, 15723479, -15163481},
-			FieldElement{-9660625, 12374379, -27006999, -7026148, -7724114, -12314514, 11879682, 5400171, 519526, -1235876},
-		},
-		{
-			FieldElement{22258397, -16332233, -7869817, 14613016, -22520255, -2950923, -20353881, 7315967, 16648397, 7605640},
-			FieldElement{-8081308, -8464597, -8223311, 9719710, 19259459, -15348212, 23994942, -5281555, -9468848, 4763278},
-			FieldElement{-21699244, 9220969, -15730624, 1084137, -25476107, -2852390, 31088447, -7764523, -11356529, 728112},
-		},
-		{
-			FieldElement{26047220, -11751471, -6900323, -16521798, 24092068, 9158119, -4273545, -12555558, -29365436, -5498272},
-			FieldElement{17510331, -322857, 5854289, 8403524, 17133918, -3112612, -28111007, 12327945, 10750447, 10014012},
-			FieldElement{-10312768, 3936952, 9156313, -8897683, 16498692, -994647, -27481051, -666732, 3424691, 7540221},
-		},
-		{
-			FieldElement{30322361, -6964110, 11361005, -4143317, 7433304, 4989748, -7071422, -16317219, -9244265, 15258046},
-			FieldElement{13054562, -2779497, 19155474, 469045, -12482797, 4566042, 5631406, 2711395, 1062915, -5136345},
-			FieldElement{-19240248, -11254599, -29509029, -7499965, -5835763, 13005411, -6066489, 12194497, 32960380, 1459310},
-		},
-	},
-	{
-		{
-			FieldElement{19852034, 7027924, 23669353, 10020366, 8586503, -6657907, 394197, -6101885, 18638003, -11174937},
-			FieldElement{31395534, 15098109, 26581030, 8030562, -16527914, -5007134, 9012486, -7584354, -6643087, -5442636},
-			FieldElement{-9192165, -2347377, -1997099, 4529534, 25766844, 607986, -13222, 9677543, -32294889, -6456008},
-		},
-		{
-			FieldElement{-2444496, -149937, 29348902, 8186665, 1873760, 12489863, -30934579, -7839692, -7852844, -8138429},
-			FieldElement{-15236356, -15433509, 7766470, 746860, 26346930, -10221762, -27333451, 10754588, -9431476, 5203576},
-			FieldElement{31834314, 14135496, -770007, 5159118, 20917671, -16768096, -7467973, -7337524, 31809243, 7347066},
-		},
-		{
-			FieldElement{-9606723, -11874240, 20414459, 13033986, 13716524, -11691881, 19797970, -12211255, 15192876, -2087490},
-			FieldElement{-12663563, -2181719, 1168162, -3804809, 26747877, -14138091, 10609330, 12694420, 33473243, -13382104},
-			FieldElement{33184999, 11180355, 15832085, -11385430, -1633671, 225884, 15089336, -11023903, -6135662, 14480053},
-		},
-		{
-			FieldElement{31308717, -5619998, 31030840, -1897099, 15674547, -6582883, 5496208, 13685227, 27595050, 8737275},
-			FieldElement{-20318852, -15150239, 10933843, -16178022, 8335352, -7546022, -31008351, -12610604, 26498114, 66511},
-			FieldElement{22644454, -8761729, -16671776, 4884562, -3105614, -13559366, 30540766, -4286747, -13327787, -7515095},
-		},
-		{
-			FieldElement{-28017847, 9834845, 18617207, -2681312, -3401956, -13307506, 8205540, 13585437, -17127465, 15115439},
-			FieldElement{23711543, -672915, 31206561, -8362711, 6164647, -9709987, -33535882, -1426096, 8236921, 16492939},
-			FieldElement{-23910559, -13515526, -26299483, -4503841, 25005590, -7687270, 19574902, 10071562, 6708380, -6222424},
-		},
-		{
-			FieldElement{2101391, -4930054, 19702731, 2367575, -15427167, 1047675, 5301017, 9328700, 29955601, -11678310},
-			FieldElement{3096359, 9271816, -21620864, -15521844, -14847996, -7592937, -25892142, -12635595, -9917575, 6216608},
-			FieldElement{-32615849, 338663, -25195611, 2510422, -29213566, -13820213, 24822830, -6146567, -26767480, 7525079},
-		},
-		{
-			FieldElement{-23066649, -13985623, 16133487, -7896178, -3389565, 778788, -910336, -2782495, -19386633, 11994101},
-			FieldElement{21691500, -13624626, -641331, -14367021, 3285881, -3483596, -25064666, 9718258, -7477437, 13381418},
-			FieldElement{18445390, -4202236, 14979846, 11622458, -1727110, -3582980, 23111648, -6375247, 28535282, 15779576},
-		},
-		{
-			FieldElement{30098053, 3089662, -9234387, 16662135, -21306940, 11308411, -14068454, 12021730, 9955285, -16303356},
-			FieldElement{9734894, -14576830, -7473633, -9138735, 2060392, 11313496, -18426029, 9924399, 20194861, 13380996},
-			FieldElement{-26378102, -7965207, -22167821, 15789297, -18055342, -6168792, -1984914, 15707771, 26342023, 10146099},
-		},
-	},
-	{
-		{
-			FieldElement{-26016874, -219943, 21339191, -41388, 19745256, -2878700, -29637280, 2227040, 21612326, -545728},
-			FieldElement{-13077387, 1184228, 23562814, -5970442, -20351244, -6348714, 25764461, 12243797, -20856566, 11649658},
-			FieldElement{-10031494, 11262626, 27384172, 2271902, 26947504, -15997771, 39944, 6114064, 33514190, 2333242},
-		},
-		{
-			FieldElement{-21433588, -12421821, 8119782, 7219913, -21830522, -9016134, -6679750, -12670638, 24350578, -13450001},
-			FieldElement{-4116307, -11271533, -23886186, 4843615, -30088339, 690623, -31536088, -10406836, 8317860, 12352766},
-			FieldElement{18200138, -14475911, -33087759, -2696619, -23702521, -9102511, -23552096, -2287550, 20712163, 6719373},
-		},
-		{
-			FieldElement{26656208, 6075253, -7858556, 1886072, -28344043, 4262326, 11117530, -3763210, 26224235, -3297458},
-			FieldElement{-17168938, -14854097, -3395676, -16369877, -19954045, 14050420, 21728352, 9493610, 18620611, -16428628},
-			FieldElement{-13323321, 13325349, 11432106, 5964811, 18609221, 6062965, -5269471, -9725556, -30701573, -16479657},
-		},
-		{
-			FieldElement{-23860538, -11233159, 26961357, 1640861, -32413112, -16737940, 12248509, -5240639, 13735342, 1934062},
-			FieldElement{25089769, 6742589, 17081145, -13406266, 21909293, -16067981, -15136294, -3765346, -21277997, 5473616},
-			FieldElement{31883677, -7961101, 1083432, -11572403, 22828471, 13290673, -7125085, 12469656, 29111212, -5451014},
-		},
-		{
-			FieldElement{24244947, -15050407, -26262976, 2791540, -14997599, 16666678, 24367466, 6388839, -10295587, 452383},
-			FieldElement{-25640782, -3417841, 5217916, 16224624, 19987036, -4082269, -24236251, -5915248, 15766062, 8407814},
-			FieldElement{-20406999, 13990231, 15495425, 16395525, 5377168, 15166495, -8917023, -4388953, -8067909, 2276718},
-		},
-		{
-			FieldElement{30157918, 12924066, -17712050, 9245753, 19895028, 3368142, -23827587, 5096219, 22740376, -7303417},
-			FieldElement{2041139, -14256350, 7783687, 13876377, -25946985, -13352459, 24051124, 13742383, -15637599, 13295222},
-			FieldElement{33338237, -8505733, 12532113, 7977527, 9106186, -1715251, -17720195, -4612972, -4451357, -14669444},
-		},
-		{
-			FieldElement{-20045281, 5454097, -14346548, 6447146, 28862071, 1883651, -2469266, -4141880, 7770569, 9620597},
-			FieldElement{23208068, 7979712, 33071466, 8149229, 1758231, -10834995, 30945528, -1694323, -33502340, -14767970},
-			FieldElement{1439958, -16270480, -1079989, -793782, 4625402, 10647766, -5043801, 1220118, 30494170, -11440799},
-		},
-		{
-			FieldElement{-5037580, -13028295, -2970559, -3061767, 15640974, -6701666, -26739026, 926050, -1684339, -13333647},
-			FieldElement{13908495, -3549272, 30919928, -6273825, -21521863, 7989039, 9021034, 9078865, 3353509, 4033511},
-			FieldElement{-29663431, -15113610, 32259991, -344482, 24295849, -12912123, 23161163, 8839127, 27485041, 7356032},
-		},
-	},
-	{
-		{
-			FieldElement{9661027, 705443, 11980065, -5370154, -1628543, 14661173, -6346142, 2625015, 28431036, -16771834},
-			FieldElement{-23839233, -8311415, -25945511, 7480958, -17681669, -8354183, -22545972, 14150565, 15970762, 4099461},
-			FieldElement{29262576, 16756590, 26350592, -8793563, 8529671, -11208050, 13617293, -9937143, 11465739, 8317062},
-		},
-		{
-			FieldElement{-25493081, -6962928, 32500200, -9419051, -23038724, -2302222, 14898637, 3848455, 20969334, -5157516},
-			FieldElement{-20384450, -14347713, -18336405, 13884722, -33039454, 2842114, -21610826, -3649888, 11177095, 14989547},
-			FieldElement{-24496721, -11716016, 16959896, 2278463, 12066309, 10137771, 13515641, 2581286, -28487508, 9930240},
-		},
-		{
-			FieldElement{-17751622, -2097826, 16544300, -13009300, -15914807, -14949081, 18345767, -13403753, 16291481, -5314038},
-			FieldElement{-33229194, 2553288, 32678213, 9875984, 8534129, 6889387, -9676774, 6957617, 4368891, 9788741},
-			FieldElement{16660756, 7281060, -10830758, 12911820, 20108584, -8101676, -21722536, -8613148, 16250552, -11111103},
-		},
-		{
-			FieldElement{-19765507, 2390526, -16551031, 14161980, 1905286, 6414907, 4689584, 10604807, -30190403, 4782747},
-			FieldElement{-1354539, 14736941, -7367442, -13292886, 7710542, -14155590, -9981571, 4383045, 22546403, 437323},
-			FieldElement{31665577, -12180464, -16186830, 1491339, -18368625, 3294682, 27343084, 2786261, -30633590, -14097016},
-		},
-		{
-			FieldElement{-14467279, -683715, -33374107, 7448552, 19294360, 14334329, -19690631, 2355319, -19284671, -6114373},
-			FieldElement{15121312, -15796162, 6377020, -6031361, -10798111, -12957845, 18952177, 15496498, -29380133, 11754228},
-			FieldElement{-2637277, -13483075, 8488727, -14303896, 12728761, -1622493, 7141596, 11724556, 22761615, -10134141},
-		},
-		{
-			FieldElement{16918416, 11729663, -18083579, 3022987, -31015732, -13339659, -28741185, -12227393, 32851222, 11717399},
-			FieldElement{11166634, 7338049, -6722523, 4531520, -29468672, -7302055, 31474879, 3483633, -1193175, -4030831},
-			FieldElement{-185635, 9921305, 31456609, -13536438, -12013818, 13348923, 33142652, 6546660, -19985279, -3948376},
-		},
-		{
-			FieldElement{-32460596, 11266712, -11197107, -7899103, 31703694, 3855903, -8537131, -12833048, -30772034, -15486313},
-			FieldElement{-18006477, 12709068, 3991746, -6479188, -21491523, -10550425, -31135347, -16049879, 10928917, 3011958},
-			FieldElement{-6957757, -15594337, 31696059, 334240, 29576716, 14796075, -30831056, -12805180, 18008031, 10258577},
-		},
-		{
-			FieldElement{-22448644, 15655569, 7018479, -4410003, -30314266, -1201591, -1853465, 1367120, 25127874, 6671743},
-			FieldElement{29701166, -14373934, -10878120, 9279288, -17568, 13127210, 21382910, 11042292, 25838796, 4642684},
-			FieldElement{-20430234, 14955537, -24126347, 8124619, -5369288, -5990470, 30468147, -13900640, 18423289, 4177476},
-		},
-	},
-}

vendor/github.com/agl/ed25519/edwards25519/edwards25519.go

@@ -1,2127 +0,0 @@
-// Copyright 2013 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Package edwards25519 implements operations in GF(2**255-19) and on an
-// Edwards curve that is isomorphic to curve25519. See
-// http://ed25519.cr.yp.to/.
-package edwards25519
-
-// This code is a port of the public domain, "ref10" implementation of ed25519
-// from SUPERCOP.
-
-// FieldElement represents an element of the field GF(2^255 - 19).  An element
-// t, entries t[0]...t[9], represents the integer t[0]+2^26 t[1]+2^51 t[2]+2^77
-// t[3]+2^102 t[4]+...+2^230 t[9].  Bounds on each t[i] vary depending on
-// context.
-type FieldElement [10]int32
-
-func FeZero(fe *FieldElement) {
-	for i := range fe {
-		fe[i] = 0
-	}
-}
-
-func FeOne(fe *FieldElement) {
-	FeZero(fe)
-	fe[0] = 1
-}
-
-func FeAdd(dst, a, b *FieldElement) {
-	for i := range dst {
-		dst[i] = a[i] + b[i]
-	}
-}
-
-func FeSub(dst, a, b *FieldElement) {
-	for i := range dst {
-		dst[i] = a[i] - b[i]
-	}
-}
-
-func FeCopy(dst, src *FieldElement) {
-	for i := range dst {
-		dst[i] = src[i]
-	}
-}
-
-// Replace (f,g) with (g,g) if b == 1;
-// replace (f,g) with (f,g) if b == 0.
-//
-// Preconditions: b in {0,1}.
-func FeCMove(f, g *FieldElement, b int32) {
-	var x FieldElement
-	b = -b
-	for i := range x {
-		x[i] = b & (f[i] ^ g[i])
-	}
-
-	for i := range f {
-		f[i] ^= x[i]
-	}
-}
-
-func load3(in []byte) int64 {
-	var r int64
-	r = int64(in[0])
-	r |= int64(in[1]) << 8
-	r |= int64(in[2]) << 16
-	return r
-}
-
-func load4(in []byte) int64 {
-	var r int64
-	r = int64(in[0])
-	r |= int64(in[1]) << 8
-	r |= int64(in[2]) << 16
-	r |= int64(in[3]) << 24
-	return r
-}
-
-func FeFromBytes(dst *FieldElement, src *[32]byte) {
-	h0 := load4(src[:])
-	h1 := load3(src[4:]) << 6
-	h2 := load3(src[7:]) << 5
-	h3 := load3(src[10:]) << 3
-	h4 := load3(src[13:]) << 2
-	h5 := load4(src[16:])
-	h6 := load3(src[20:]) << 7
-	h7 := load3(src[23:]) << 5
-	h8 := load3(src[26:]) << 4
-	h9 := (load3(src[29:]) & 8388607) << 2
-
-	var carry [10]int64
-	carry[9] = (h9 + 1<<24) >> 25
-	h0 += carry[9] * 19
-	h9 -= carry[9] << 25
-	carry[1] = (h1 + 1<<24) >> 25
-	h2 += carry[1]
-	h1 -= carry[1] << 25
-	carry[3] = (h3 + 1<<24) >> 25
-	h4 += carry[3]
-	h3 -= carry[3] << 25
-	carry[5] = (h5 + 1<<24) >> 25
-	h6 += carry[5]
-	h5 -= carry[5] << 25
-	carry[7] = (h7 + 1<<24) >> 25
-	h8 += carry[7]
-	h7 -= carry[7] << 25
-
-	carry[0] = (h0 + 1<<25) >> 26
-	h1 += carry[0]
-	h0 -= carry[0] << 26
-	carry[2] = (h2 + 1<<25) >> 26
-	h3 += carry[2]
-	h2 -= carry[2] << 26
-	carry[4] = (h4 + 1<<25) >> 26
-	h5 += carry[4]
-	h4 -= carry[4] << 26
-	carry[6] = (h6 + 1<<25) >> 26
-	h7 += carry[6]
-	h6 -= carry[6] << 26
-	carry[8] = (h8 + 1<<25) >> 26
-	h9 += carry[8]
-	h8 -= carry[8] << 26
-
-	dst[0] = int32(h0)
-	dst[1] = int32(h1)
-	dst[2] = int32(h2)
-	dst[3] = int32(h3)
-	dst[4] = int32(h4)
-	dst[5] = int32(h5)
-	dst[6] = int32(h6)
-	dst[7] = int32(h7)
-	dst[8] = int32(h8)
-	dst[9] = int32(h9)
-}
-
-// FeToBytes marshals h to s.
-// Preconditions:
-//   |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
-//
-// Write p=2^255-19; q=floor(h/p).
-// Basic claim: q = floor(2^(-255)(h + 19 2^(-25)h9 + 2^(-1))).
-//
-// Proof:
-//   Have |h|<=p so |q|<=1 so |19^2 2^(-255) q|<1/4.
-//   Also have |h-2^230 h9|<2^230 so |19 2^(-255)(h-2^230 h9)|<1/4.
-//
-//   Write y=2^(-1)-19^2 2^(-255)q-19 2^(-255)(h-2^230 h9).
-//   Then 0<y<1.
-//
-//   Write r=h-pq.
-//   Have 0<=r<=p-1=2^255-20.
-//   Thus 0<=r+19(2^-255)r<r+19(2^-255)2^255<=2^255-1.
-//
-//   Write x=r+19(2^-255)r+y.
-//   Then 0<x<2^255 so floor(2^(-255)x) = 0 so floor(q+2^(-255)x) = q.
-//
-//   Have q+2^(-255)x = 2^(-255)(h + 19 2^(-25) h9 + 2^(-1))
-//   so floor(2^(-255)(h + 19 2^(-25) h9 + 2^(-1))) = q.
-func FeToBytes(s *[32]byte, h *FieldElement) {
-	var carry [10]int32
-
-	q := (19*h[9] + (1 << 24)) >> 25
-	q = (h[0] + q) >> 26
-	q = (h[1] + q) >> 25
-	q = (h[2] + q) >> 26
-	q = (h[3] + q) >> 25
-	q = (h[4] + q) >> 26
-	q = (h[5] + q) >> 25
-	q = (h[6] + q) >> 26
-	q = (h[7] + q) >> 25
-	q = (h[8] + q) >> 26
-	q = (h[9] + q) >> 25
-
-	// Goal: Output h-(2^255-19)q, which is between 0 and 2^255-20.
-	h[0] += 19 * q
-	// Goal: Output h-2^255 q, which is between 0 and 2^255-20.
-
-	carry[0] = h[0] >> 26
-	h[1] += carry[0]
-	h[0] -= carry[0] << 26
-	carry[1] = h[1] >> 25
-	h[2] += carry[1]
-	h[1] -= carry[1] << 25
-	carry[2] = h[2] >> 26
-	h[3] += carry[2]
-	h[2] -= carry[2] << 26
-	carry[3] = h[3] >> 25
-	h[4] += carry[3]
-	h[3] -= carry[3] << 25
-	carry[4] = h[4] >> 26
-	h[5] += carry[4]
-	h[4] -= carry[4] << 26
-	carry[5] = h[5] >> 25
-	h[6] += carry[5]
-	h[5] -= carry[5] << 25
-	carry[6] = h[6] >> 26
-	h[7] += carry[6]
-	h[6] -= carry[6] << 26
-	carry[7] = h[7] >> 25
-	h[8] += carry[7]
-	h[7] -= carry[7] << 25
-	carry[8] = h[8] >> 26
-	h[9] += carry[8]
-	h[8] -= carry[8] << 26
-	carry[9] = h[9] >> 25
-	h[9] -= carry[9] << 25
-	// h10 = carry9
-
-	// Goal: Output h[0]+...+2^255 h10-2^255 q, which is between 0 and 2^255-20.
-	// Have h[0]+...+2^230 h[9] between 0 and 2^255-1;
-	// evidently 2^255 h10-2^255 q = 0.
-	// Goal: Output h[0]+...+2^230 h[9].
-
-	s[0] = byte(h[0] >> 0)
-	s[1] = byte(h[0] >> 8)
-	s[2] = byte(h[0] >> 16)
-	s[3] = byte((h[0] >> 24) | (h[1] << 2))
-	s[4] = byte(h[1] >> 6)
-	s[5] = byte(h[1] >> 14)
-	s[6] = byte((h[1] >> 22) | (h[2] << 3))
-	s[7] = byte(h[2] >> 5)
-	s[8] = byte(h[2] >> 13)
-	s[9] = byte((h[2] >> 21) | (h[3] << 5))
-	s[10] = byte(h[3] >> 3)
-	s[11] = byte(h[3] >> 11)
-	s[12] = byte((h[3] >> 19) | (h[4] << 6))
-	s[13] = byte(h[4] >> 2)
-	s[14] = byte(h[4] >> 10)
-	s[15] = byte(h[4] >> 18)
-	s[16] = byte(h[5] >> 0)
-	s[17] = byte(h[5] >> 8)
-	s[18] = byte(h[5] >> 16)
-	s[19] = byte((h[5] >> 24) | (h[6] << 1))
-	s[20] = byte(h[6] >> 7)
-	s[21] = byte(h[6] >> 15)
-	s[22] = byte((h[6] >> 23) | (h[7] << 3))
-	s[23] = byte(h[7] >> 5)
-	s[24] = byte(h[7] >> 13)
-	s[25] = byte((h[7] >> 21) | (h[8] << 4))
-	s[26] = byte(h[8] >> 4)
-	s[27] = byte(h[8] >> 12)
-	s[28] = byte((h[8] >> 20) | (h[9] << 6))
-	s[29] = byte(h[9] >> 2)
-	s[30] = byte(h[9] >> 10)
-	s[31] = byte(h[9] >> 18)
-}
-
-func FeIsNegative(f *FieldElement) byte {
-	var s [32]byte
-	FeToBytes(&s, f)
-	return s[0] & 1
-}
-
-func FeIsNonZero(f *FieldElement) int32 {
-	var s [32]byte
-	FeToBytes(&s, f)
-	var x uint8
-	for _, b := range s {
-		x |= b
-	}
-	x |= x >> 4
-	x |= x >> 2
-	x |= x >> 1
-	return int32(x & 1)
-}
-
-// FeNeg sets h = -f
-//
-// Preconditions:
-//    |f| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
-//
-// Postconditions:
-//    |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
-func FeNeg(h, f *FieldElement) {
-	for i := range h {
-		h[i] = -f[i]
-	}
-}
-
-// FeMul calculates h = f * g
-// Can overlap h with f or g.
-//
-// Preconditions:
-//    |f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
-//    |g| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
-//
-// Postconditions:
-//    |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
-//
-// Notes on implementation strategy:
-//
-// Using schoolbook multiplication.
-// Karatsuba would save a little in some cost models.
-//
-// Most multiplications by 2 and 19 are 32-bit precomputations;
-// cheaper than 64-bit postcomputations.
-//
-// There is one remaining multiplication by 19 in the carry chain;
-// one *19 precomputation can be merged into this,
-// but the resulting data flow is considerably less clean.
-//
-// There are 12 carries below.
-// 10 of them are 2-way parallelizable and vectorizable.
-// Can get away with 11 carries, but then data flow is much deeper.
-//
-// With tighter constraints on inputs can squeeze carries into int32.
-func FeMul(h, f, g *FieldElement) {
-	f0 := f[0]
-	f1 := f[1]
-	f2 := f[2]
-	f3 := f[3]
-	f4 := f[4]
-	f5 := f[5]
-	f6 := f[6]
-	f7 := f[7]
-	f8 := f[8]
-	f9 := f[9]
-	g0 := g[0]
-	g1 := g[1]
-	g2 := g[2]
-	g3 := g[3]
-	g4 := g[4]
-	g5 := g[5]
-	g6 := g[6]
-	g7 := g[7]
-	g8 := g[8]
-	g9 := g[9]
-	g1_19 := 19 * g1 /* 1.4*2^29 */
-	g2_19 := 19 * g2 /* 1.4*2^30; still ok */
-	g3_19 := 19 * g3
-	g4_19 := 19 * g4
-	g5_19 := 19 * g5
-	g6_19 := 19 * g6
-	g7_19 := 19 * g7
-	g8_19 := 19 * g8
-	g9_19 := 19 * g9
-	f1_2 := 2 * f1
-	f3_2 := 2 * f3
-	f5_2 := 2 * f5
-	f7_2 := 2 * f7
-	f9_2 := 2 * f9
-	f0g0 := int64(f0) * int64(g0)
-	f0g1 := int64(f0) * int64(g1)
-	f0g2 := int64(f0) * int64(g2)
-	f0g3 := int64(f0) * int64(g3)
-	f0g4 := int64(f0) * int64(g4)
-	f0g5 := int64(f0) * int64(g5)
-	f0g6 := int64(f0) * int64(g6)
-	f0g7 := int64(f0) * int64(g7)
-	f0g8 := int64(f0) * int64(g8)
-	f0g9 := int64(f0) * int64(g9)
-	f1g0 := int64(f1) * int64(g0)
-	f1g1_2 := int64(f1_2) * int64(g1)
-	f1g2 := int64(f1) * int64(g2)
-	f1g3_2 := int64(f1_2) * int64(g3)
-	f1g4 := int64(f1) * int64(g4)
-	f1g5_2 := int64(f1_2) * int64(g5)
-	f1g6 := int64(f1) * int64(g6)
-	f1g7_2 := int64(f1_2) * int64(g7)
-	f1g8 := int64(f1) * int64(g8)
-	f1g9_38 := int64(f1_2) * int64(g9_19)
-	f2g0 := int64(f2) * int64(g0)
-	f2g1 := int64(f2) * int64(g1)
-	f2g2 := int64(f2) * int64(g2)
-	f2g3 := int64(f2) * int64(g3)
-	f2g4 := int64(f2) * int64(g4)
-	f2g5 := int64(f2) * int64(g5)
-	f2g6 := int64(f2) * int64(g6)
-	f2g7 := int64(f2) * int64(g7)
-	f2g8_19 := int64(f2) * int64(g8_19)
-	f2g9_19 := int64(f2) * int64(g9_19)
-	f3g0 := int64(f3) * int64(g0)
-	f3g1_2 := int64(f3_2) * int64(g1)
-	f3g2 := int64(f3) * int64(g2)
-	f3g3_2 := int64(f3_2) * int64(g3)
-	f3g4 := int64(f3) * int64(g4)
-	f3g5_2 := int64(f3_2) * int64(g5)
-	f3g6 := int64(f3) * int64(g6)
-	f3g7_38 := int64(f3_2) * int64(g7_19)
-	f3g8_19 := int64(f3) * int64(g8_19)
-	f3g9_38 := int64(f3_2) * int64(g9_19)
-	f4g0 := int64(f4) * int64(g0)
-	f4g1 := int64(f4) * int64(g1)
-	f4g2 := int64(f4) * int64(g2)
-	f4g3 := int64(f4) * int64(g3)
-	f4g4 := int64(f4) * int64(g4)
-	f4g5 := int64(f4) * int64(g5)
-	f4g6_19 := int64(f4) * int64(g6_19)
-	f4g7_19 := int64(f4) * int64(g7_19)
-	f4g8_19 := int64(f4) * int64(g8_19)
-	f4g9_19 := int64(f4) * int64(g9_19)
-	f5g0 := int64(f5) * int64(g0)
-	f5g1_2 := int64(f5_2) * int64(g1)
-	f5g2 := int64(f5) * int64(g2)
-	f5g3_2 := int64(f5_2) * int64(g3)
-	f5g4 := int64(f5) * int64(g4)
-	f5g5_38 := int64(f5_2) * int64(g5_19)
-	f5g6_19 := int64(f5) * int64(g6_19)
-	f5g7_38 := int64(f5_2) * int64(g7_19)
-	f5g8_19 := int64(f5) * int64(g8_19)
-	f5g9_38 := int64(f5_2) * int64(g9_19)
-	f6g0 := int64(f6) * int64(g0)
-	f6g1 := int64(f6) * int64(g1)
-	f6g2 := int64(f6) * int64(g2)
-	f6g3 := int64(f6) * int64(g3)
-	f6g4_19 := int64(f6) * int64(g4_19)
-	f6g5_19 := int64(f6) * int64(g5_19)
-	f6g6_19 := int64(f6) * int64(g6_19)
-	f6g7_19 := int64(f6) * int64(g7_19)
-	f6g8_19 := int64(f6) * int64(g8_19)
-	f6g9_19 := int64(f6) * int64(g9_19)
-	f7g0 := int64(f7) * int64(g0)
-	f7g1_2 := int64(f7_2) * int64(g1)
-	f7g2 := int64(f7) * int64(g2)
-	f7g3_38 := int64(f7_2) * int64(g3_19)
-	f7g4_19 := int64(f7) * int64(g4_19)
-	f7g5_38 := int64(f7_2) * int64(g5_19)
-	f7g6_19 := int64(f7) * int64(g6_19)
-	f7g7_38 := int64(f7_2) * int64(g7_19)
-	f7g8_19 := int64(f7) * int64(g8_19)
-	f7g9_38 := int64(f7_2) * int64(g9_19)
-	f8g0 := int64(f8) * int64(g0)
-	f8g1 := int64(f8) * int64(g1)
-	f8g2_19 := int64(f8) * int64(g2_19)
-	f8g3_19 := int64(f8) * int64(g3_19)
-	f8g4_19 := int64(f8) * int64(g4_19)
-	f8g5_19 := int64(f8) * int64(g5_19)
-	f8g6_19 := int64(f8) * int64(g6_19)
-	f8g7_19 := int64(f8) * int64(g7_19)
-	f8g8_19 := int64(f8) * int64(g8_19)
-	f8g9_19 := int64(f8) * int64(g9_19)
-	f9g0 := int64(f9) * int64(g0)
-	f9g1_38 := int64(f9_2) * int64(g1_19)
-	f9g2_19 := int64(f9) * int64(g2_19)
-	f9g3_38 := int64(f9_2) * int64(g3_19)
-	f9g4_19 := int64(f9) * int64(g4_19)
-	f9g5_38 := int64(f9_2) * int64(g5_19)
-	f9g6_19 := int64(f9) * int64(g6_19)
-	f9g7_38 := int64(f9_2) * int64(g7_19)
-	f9g8_19 := int64(f9) * int64(g8_19)
-	f9g9_38 := int64(f9_2) * int64(g9_19)
-	h0 := f0g0 + f1g9_38 + f2g8_19 + f3g7_38 + f4g6_19 + f5g5_38 + f6g4_19 + f7g3_38 + f8g2_19 + f9g1_38
-	h1 := f0g1 + f1g0 + f2g9_19 + f3g8_19 + f4g7_19 + f5g6_19 + f6g5_19 + f7g4_19 + f8g3_19 + f9g2_19
-	h2 := f0g2 + f1g1_2 + f2g0 + f3g9_38 + f4g8_19 + f5g7_38 + f6g6_19 + f7g5_38 + f8g4_19 + f9g3_38
-	h3 := f0g3 + f1g2 + f2g1 + f3g0 + f4g9_19 + f5g8_19 + f6g7_19 + f7g6_19 + f8g5_19 + f9g4_19
-	h4 := f0g4 + f1g3_2 + f2g2 + f3g1_2 + f4g0 + f5g9_38 + f6g8_19 + f7g7_38 + f8g6_19 + f9g5_38
-	h5 := f0g5 + f1g4 + f2g3 + f3g2 + f4g1 + f5g0 + f6g9_19 + f7g8_19 + f8g7_19 + f9g6_19
-	h6 := f0g6 + f1g5_2 + f2g4 + f3g3_2 + f4g2 + f5g1_2 + f6g0 + f7g9_38 + f8g8_19 + f9g7_38
-	h7 := f0g7 + f1g6 + f2g5 + f3g4 + f4g3 + f5g2 + f6g1 + f7g0 + f8g9_19 + f9g8_19
-	h8 := f0g8 + f1g7_2 + f2g6 + f3g5_2 + f4g4 + f5g3_2 + f6g2 + f7g1_2 + f8g0 + f9g9_38
-	h9 := f0g9 + f1g8 + f2g7 + f3g6 + f4g5 + f5g4 + f6g3 + f7g2 + f8g1 + f9g0
-	var carry [10]int64
-
-	/*
-	  |h0| <= (1.1*1.1*2^52*(1+19+19+19+19)+1.1*1.1*2^50*(38+38+38+38+38))
-	    i.e. |h0| <= 1.2*2^59; narrower ranges for h2, h4, h6, h8
-	  |h1| <= (1.1*1.1*2^51*(1+1+19+19+19+19+19+19+19+19))
-	    i.e. |h1| <= 1.5*2^58; narrower ranges for h3, h5, h7, h9
-	*/
-
-	carry[0] = (h0 + (1 << 25)) >> 26
-	h1 += carry[0]
-	h0 -= carry[0] << 26
-	carry[4] = (h4 + (1 << 25)) >> 26
-	h5 += carry[4]
-	h4 -= carry[4] << 26
-	/* |h0| <= 2^25 */
-	/* |h4| <= 2^25 */
-	/* |h1| <= 1.51*2^58 */
-	/* |h5| <= 1.51*2^58 */
-
-	carry[1] = (h1 + (1 << 24)) >> 25
-	h2 += carry[1]
-	h1 -= carry[1] << 25
-	carry[5] = (h5 + (1 << 24)) >> 25
-	h6 += carry[5]
-	h5 -= carry[5] << 25
-	/* |h1| <= 2^24; from now on fits into int32 */
-	/* |h5| <= 2^24; from now on fits into int32 */
-	/* |h2| <= 1.21*2^59 */
-	/* |h6| <= 1.21*2^59 */
-
-	carry[2] = (h2 + (1 << 25)) >> 26
-	h3 += carry[2]
-	h2 -= carry[2] << 26
-	carry[6] = (h6 + (1 << 25)) >> 26
-	h7 += carry[6]
-	h6 -= carry[6] << 26
-	/* |h2| <= 2^25; from now on fits into int32 unchanged */
-	/* |h6| <= 2^25; from now on fits into int32 unchanged */
-	/* |h3| <= 1.51*2^58 */
-	/* |h7| <= 1.51*2^58 */
-
-	carry[3] = (h3 + (1 << 24)) >> 25
-	h4 += carry[3]
-	h3 -= carry[3] << 25
-	carry[7] = (h7 + (1 << 24)) >> 25
-	h8 += carry[7]
-	h7 -= carry[7] << 25
-	/* |h3| <= 2^24; from now on fits into int32 unchanged */
-	/* |h7| <= 2^24; from now on fits into int32 unchanged */
-	/* |h4| <= 1.52*2^33 */
-	/* |h8| <= 1.52*2^33 */
-
-	carry[4] = (h4 + (1 << 25)) >> 26
-	h5 += carry[4]
-	h4 -= carry[4] << 26
-	carry[8] = (h8 + (1 << 25)) >> 26
-	h9 += carry[8]
-	h8 -= carry[8] << 26
-	/* |h4| <= 2^25; from now on fits into int32 unchanged */
-	/* |h8| <= 2^25; from now on fits into int32 unchanged */
-	/* |h5| <= 1.01*2^24 */
-	/* |h9| <= 1.51*2^58 */
-
-	carry[9] = (h9 + (1 << 24)) >> 25
-	h0 += carry[9] * 19
-	h9 -= carry[9] << 25
-	/* |h9| <= 2^24; from now on fits into int32 unchanged */
-	/* |h0| <= 1.8*2^37 */
-
-	carry[0] = (h0 + (1 << 25)) >> 26
-	h1 += carry[0]
-	h0 -= carry[0] << 26
-	/* |h0| <= 2^25; from now on fits into int32 unchanged */
-	/* |h1| <= 1.01*2^24 */
-
-	h[0] = int32(h0)
-	h[1] = int32(h1)
-	h[2] = int32(h2)
-	h[3] = int32(h3)
-	h[4] = int32(h4)
-	h[5] = int32(h5)
-	h[6] = int32(h6)
-	h[7] = int32(h7)
-	h[8] = int32(h8)
-	h[9] = int32(h9)
-}
-
-// FeSquare calculates h = f*f. Can overlap h with f.
-//
-// Preconditions:
-//    |f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
-//
-// Postconditions:
-//    |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
-func FeSquare(h, f *FieldElement) {
-	f0 := f[0]
-	f1 := f[1]
-	f2 := f[2]
-	f3 := f[3]
-	f4 := f[4]
-	f5 := f[5]
-	f6 := f[6]
-	f7 := f[7]
-	f8 := f[8]
-	f9 := f[9]
-	f0_2 := 2 * f0
-	f1_2 := 2 * f1
-	f2_2 := 2 * f2
-	f3_2 := 2 * f3
-	f4_2 := 2 * f4
-	f5_2 := 2 * f5
-	f6_2 := 2 * f6
-	f7_2 := 2 * f7
-	f5_38 := 38 * f5 // 1.31*2^30
-	f6_19 := 19 * f6 // 1.31*2^30
-	f7_38 := 38 * f7 // 1.31*2^30
-	f8_19 := 19 * f8 // 1.31*2^30
-	f9_38 := 38 * f9 // 1.31*2^30
-	f0f0 := int64(f0) * int64(f0)
-	f0f1_2 := int64(f0_2) * int64(f1)
-	f0f2_2 := int64(f0_2) * int64(f2)
-	f0f3_2 := int64(f0_2) * int64(f3)
-	f0f4_2 := int64(f0_2) * int64(f4)
-	f0f5_2 := int64(f0_2) * int64(f5)
-	f0f6_2 := int64(f0_2) * int64(f6)
-	f0f7_2 := int64(f0_2) * int64(f7)
-	f0f8_2 := int64(f0_2) * int64(f8)
-	f0f9_2 := int64(f0_2) * int64(f9)
-	f1f1_2 := int64(f1_2) * int64(f1)
-	f1f2_2 := int64(f1_2) * int64(f2)
-	f1f3_4 := int64(f1_2) * int64(f3_2)
-	f1f4_2 := int64(f1_2) * int64(f4)
-	f1f5_4 := int64(f1_2) * int64(f5_2)
-	f1f6_2 := int64(f1_2) * int64(f6)
-	f1f7_4 := int64(f1_2) * int64(f7_2)
-	f1f8_2 := int64(f1_2) * int64(f8)
-	f1f9_76 := int64(f1_2) * int64(f9_38)
-	f2f2 := int64(f2) * int64(f2)
-	f2f3_2 := int64(f2_2) * int64(f3)
-	f2f4_2 := int64(f2_2) * int64(f4)
-	f2f5_2 := int64(f2_2) * int64(f5)
-	f2f6_2 := int64(f2_2) * int64(f6)
-	f2f7_2 := int64(f2_2) * int64(f7)
-	f2f8_38 := int64(f2_2) * int64(f8_19)
-	f2f9_38 := int64(f2) * int64(f9_38)
-	f3f3_2 := int64(f3_2) * int64(f3)
-	f3f4_2 := int64(f3_2) * int64(f4)
-	f3f5_4 := int64(f3_2) * int64(f5_2)
-	f3f6_2 := int64(f3_2) * int64(f6)
-	f3f7_76 := int64(f3_2) * int64(f7_38)
-	f3f8_38 := int64(f3_2) * int64(f8_19)
-	f3f9_76 := int64(f3_2) * int64(f9_38)
-	f4f4 := int64(f4) * int64(f4)
-	f4f5_2 := int64(f4_2) * int64(f5)
-	f4f6_38 := int64(f4_2) * int64(f6_19)
-	f4f7_38 := int64(f4) * int64(f7_38)
-	f4f8_38 := int64(f4_2) * int64(f8_19)
-	f4f9_38 := int64(f4) * int64(f9_38)
-	f5f5_38 := int64(f5) * int64(f5_38)
-	f5f6_38 := int64(f5_2) * int64(f6_19)
-	f5f7_76 := int64(f5_2) * int64(f7_38)
-	f5f8_38 := int64(f5_2) * int64(f8_19)
-	f5f9_76 := int64(f5_2) * int64(f9_38)
-	f6f6_19 := int64(f6) * int64(f6_19)
-	f6f7_38 := int64(f6) * int64(f7_38)
-	f6f8_38 := int64(f6_2) * int64(f8_19)
-	f6f9_38 := int64(f6) * int64(f9_38)
-	f7f7_38 := int64(f7) * int64(f7_38)
-	f7f8_38 := int64(f7_2) * int64(f8_19)
-	f7f9_76 := int64(f7_2) * int64(f9_38)
-	f8f8_19 := int64(f8) * int64(f8_19)
-	f8f9_38 := int64(f8) * int64(f9_38)
-	f9f9_38 := int64(f9) * int64(f9_38)
-	h0 := f0f0 + f1f9_76 + f2f8_38 + f3f7_76 + f4f6_38 + f5f5_38
-	h1 := f0f1_2 + f2f9_38 + f3f8_38 + f4f7_38 + f5f6_38
-	h2 := f0f2_2 + f1f1_2 + f3f9_76 + f4f8_38 + f5f7_76 + f6f6_19
-	h3 := f0f3_2 + f1f2_2 + f4f9_38 + f5f8_38 + f6f7_38
-	h4 := f0f4_2 + f1f3_4 + f2f2 + f5f9_76 + f6f8_38 + f7f7_38
-	h5 := f0f5_2 + f1f4_2 + f2f3_2 + f6f9_38 + f7f8_38
-	h6 := f0f6_2 + f1f5_4 + f2f4_2 + f3f3_2 + f7f9_76 + f8f8_19
-	h7 := f0f7_2 + f1f6_2 + f2f5_2 + f3f4_2 + f8f9_38
-	h8 := f0f8_2 + f1f7_4 + f2f6_2 + f3f5_4 + f4f4 + f9f9_38
-	h9 := f0f9_2 + f1f8_2 + f2f7_2 + f3f6_2 + f4f5_2
-	var carry [10]int64
-
-	carry[0] = (h0 + (1 << 25)) >> 26
-	h1 += carry[0]
-	h0 -= carry[0] << 26
-	carry[4] = (h4 + (1 << 25)) >> 26
-	h5 += carry[4]
-	h4 -= carry[4] << 26
-
-	carry[1] = (h1 + (1 << 24)) >> 25
-	h2 += carry[1]
-	h1 -= carry[1] << 25
-	carry[5] = (h5 + (1 << 24)) >> 25
-	h6 += carry[5]
-	h5 -= carry[5] << 25
-
-	carry[2] = (h2 + (1 << 25)) >> 26
-	h3 += carry[2]
-	h2 -= carry[2] << 26
-	carry[6] = (h6 + (1 << 25)) >> 26
-	h7 += carry[6]
-	h6 -= carry[6] << 26
-
-	carry[3] = (h3 + (1 << 24)) >> 25
-	h4 += carry[3]
-	h3 -= carry[3] << 25
-	carry[7] = (h7 + (1 << 24)) >> 25
-	h8 += carry[7]
-	h7 -= carry[7] << 25
-
-	carry[4] = (h4 + (1 << 25)) >> 26
-	h5 += carry[4]
-	h4 -= carry[4] << 26
-	carry[8] = (h8 + (1 << 25)) >> 26
-	h9 += carry[8]
-	h8 -= carry[8] << 26
-
-	carry[9] = (h9 + (1 << 24)) >> 25
-	h0 += carry[9] * 19
-	h9 -= carry[9] << 25
-
-	carry[0] = (h0 + (1 << 25)) >> 26
-	h1 += carry[0]
-	h0 -= carry[0] << 26
-
-	h[0] = int32(h0)
-	h[1] = int32(h1)
-	h[2] = int32(h2)
-	h[3] = int32(h3)
-	h[4] = int32(h4)
-	h[5] = int32(h5)
-	h[6] = int32(h6)
-	h[7] = int32(h7)
-	h[8] = int32(h8)
-	h[9] = int32(h9)
-}
-
-// FeSquare2 sets h = 2 * f * f
-//
-// Can overlap h with f.
-//
-// Preconditions:
-//    |f| bounded by 1.65*2^26,1.65*2^25,1.65*2^26,1.65*2^25,etc.
-//
-// Postconditions:
-//    |h| bounded by 1.01*2^25,1.01*2^24,1.01*2^25,1.01*2^24,etc.
-// See fe_mul.c for discussion of implementation strategy.
-func FeSquare2(h, f *FieldElement) {
-	f0 := f[0]
-	f1 := f[1]
-	f2 := f[2]
-	f3 := f[3]
-	f4 := f[4]
-	f5 := f[5]
-	f6 := f[6]
-	f7 := f[7]
-	f8 := f[8]
-	f9 := f[9]
-	f0_2 := 2 * f0
-	f1_2 := 2 * f1
-	f2_2 := 2 * f2
-	f3_2 := 2 * f3
-	f4_2 := 2 * f4
-	f5_2 := 2 * f5
-	f6_2 := 2 * f6
-	f7_2 := 2 * f7
-	f5_38 := 38 * f5 // 1.959375*2^30
-	f6_19 := 19 * f6 // 1.959375*2^30
-	f7_38 := 38 * f7 // 1.959375*2^30
-	f8_19 := 19 * f8 // 1.959375*2^30
-	f9_38 := 38 * f9 // 1.959375*2^30
-	f0f0 := int64(f0) * int64(f0)
-	f0f1_2 := int64(f0_2) * int64(f1)
-	f0f2_2 := int64(f0_2) * int64(f2)
-	f0f3_2 := int64(f0_2) * int64(f3)
-	f0f4_2 := int64(f0_2) * int64(f4)
-	f0f5_2 := int64(f0_2) * int64(f5)
-	f0f6_2 := int64(f0_2) * int64(f6)
-	f0f7_2 := int64(f0_2) * int64(f7)
-	f0f8_2 := int64(f0_2) * int64(f8)
-	f0f9_2 := int64(f0_2) * int64(f9)
-	f1f1_2 := int64(f1_2) * int64(f1)
-	f1f2_2 := int64(f1_2) * int64(f2)
-	f1f3_4 := int64(f1_2) * int64(f3_2)
-	f1f4_2 := int64(f1_2) * int64(f4)
-	f1f5_4 := int64(f1_2) * int64(f5_2)
-	f1f6_2 := int64(f1_2) * int64(f6)
-	f1f7_4 := int64(f1_2) * int64(f7_2)
-	f1f8_2 := int64(f1_2) * int64(f8)
-	f1f9_76 := int64(f1_2) * int64(f9_38)
-	f2f2 := int64(f2) * int64(f2)
-	f2f3_2 := int64(f2_2) * int64(f3)
-	f2f4_2 := int64(f2_2) * int64(f4)
-	f2f5_2 := int64(f2_2) * int64(f5)
-	f2f6_2 := int64(f2_2) * int64(f6)
-	f2f7_2 := int64(f2_2) * int64(f7)
-	f2f8_38 := int64(f2_2) * int64(f8_19)
-	f2f9_38 := int64(f2) * int64(f9_38)
-	f3f3_2 := int64(f3_2) * int64(f3)
-	f3f4_2 := int64(f3_2) * int64(f4)
-	f3f5_4 := int64(f3_2) * int64(f5_2)
-	f3f6_2 := int64(f3_2) * int64(f6)
-	f3f7_76 := int64(f3_2) * int64(f7_38)
-	f3f8_38 := int64(f3_2) * int64(f8_19)
-	f3f9_76 := int64(f3_2) * int64(f9_38)
-	f4f4 := int64(f4) * int64(f4)
-	f4f5_2 := int64(f4_2) * int64(f5)
-	f4f6_38 := int64(f4_2) * int64(f6_19)
-	f4f7_38 := int64(f4) * int64(f7_38)
-	f4f8_38 := int64(f4_2) * int64(f8_19)
-	f4f9_38 := int64(f4) * int64(f9_38)
-	f5f5_38 := int64(f5) * int64(f5_38)
-	f5f6_38 := int64(f5_2) * int64(f6_19)
-	f5f7_76 := int64(f5_2) * int64(f7_38)
-	f5f8_38 := int64(f5_2) * int64(f8_19)
-	f5f9_76 := int64(f5_2) * int64(f9_38)
-	f6f6_19 := int64(f6) * int64(f6_19)
-	f6f7_38 := int64(f6) * int64(f7_38)
-	f6f8_38 := int64(f6_2) * int64(f8_19)
-	f6f9_38 := int64(f6) * int64(f9_38)
-	f7f7_38 := int64(f7) * int64(f7_38)
-	f7f8_38 := int64(f7_2) * int64(f8_19)
-	f7f9_76 := int64(f7_2) * int64(f9_38)
-	f8f8_19 := int64(f8) * int64(f8_19)
-	f8f9_38 := int64(f8) * int64(f9_38)
-	f9f9_38 := int64(f9) * int64(f9_38)
-	h0 := f0f0 + f1f9_76 + f2f8_38 + f3f7_76 + f4f6_38 + f5f5_38
-	h1 := f0f1_2 + f2f9_38 + f3f8_38 + f4f7_38 + f5f6_38
-	h2 := f0f2_2 + f1f1_2 + f3f9_76 + f4f8_38 + f5f7_76 + f6f6_19
-	h3 := f0f3_2 + f1f2_2 + f4f9_38 + f5f8_38 + f6f7_38
-	h4 := f0f4_2 + f1f3_4 + f2f2 + f5f9_76 + f6f8_38 + f7f7_38
-	h5 := f0f5_2 + f1f4_2 + f2f3_2 + f6f9_38 + f7f8_38
-	h6 := f0f6_2 + f1f5_4 + f2f4_2 + f3f3_2 + f7f9_76 + f8f8_19
-	h7 := f0f7_2 + f1f6_2 + f2f5_2 + f3f4_2 + f8f9_38
-	h8 := f0f8_2 + f1f7_4 + f2f6_2 + f3f5_4 + f4f4 + f9f9_38
-	h9 := f0f9_2 + f1f8_2 + f2f7_2 + f3f6_2 + f4f5_2
-	var carry [10]int64
-
-	h0 += h0
-	h1 += h1
-	h2 += h2
-	h3 += h3
-	h4 += h4
-	h5 += h5
-	h6 += h6
-	h7 += h7
-	h8 += h8
-	h9 += h9
-
-	carry[0] = (h0 + (1 << 25)) >> 26
-	h1 += carry[0]
-	h0 -= carry[0] << 26
-	carry[4] = (h4 + (1 << 25)) >> 26
-	h5 += carry[4]
-	h4 -= carry[4] << 26
-
-	carry[1] = (h1 + (1 << 24)) >> 25
-	h2 += carry[1]
-	h1 -= carry[1] << 25
-	carry[5] = (h5 + (1 << 24)) >> 25
-	h6 += carry[5]
-	h5 -= carry[5] << 25
-
-	carry[2] = (h2 + (1 << 25)) >> 26
-	h3 += carry[2]
-	h2 -= carry[2] << 26
-	carry[6] = (h6 + (1 << 25)) >> 26
-	h7 += carry[6]
-	h6 -= carry[6] << 26
-
-	carry[3] = (h3 + (1 << 24)) >> 25
-	h4 += carry[3]
-	h3 -= carry[3] << 25
-	carry[7] = (h7 + (1 << 24)) >> 25
-	h8 += carry[7]
-	h7 -= carry[7] << 25
-
-	carry[4] = (h4 + (1 << 25)) >> 26
-	h5 += carry[4]
-	h4 -= carry[4] << 26
-	carry[8] = (h8 + (1 << 25)) >> 26
-	h9 += carry[8]
-	h8 -= carry[8] << 26
-
-	carry[9] = (h9 + (1 << 24)) >> 25
-	h0 += carry[9] * 19
-	h9 -= carry[9] << 25
-
-	carry[0] = (h0 + (1 << 25)) >> 26
-	h1 += carry[0]
-	h0 -= carry[0] << 26
-
-	h[0] = int32(h0)
-	h[1] = int32(h1)
-	h[2] = int32(h2)
-	h[3] = int32(h3)
-	h[4] = int32(h4)
-	h[5] = int32(h5)
-	h[6] = int32(h6)
-	h[7] = int32(h7)
-	h[8] = int32(h8)
-	h[9] = int32(h9)
-}
-
-func FeInvert(out, z *FieldElement) {
-	var t0, t1, t2, t3 FieldElement
-	var i int
-
-	FeSquare(&t0, z)        // 2^1
-	FeSquare(&t1, &t0)      // 2^2
-	for i = 1; i < 2; i++ { // 2^3
-		FeSquare(&t1, &t1)
-	}
-	FeMul(&t1, z, &t1)      // 2^3 + 2^0
-	FeMul(&t0, &t0, &t1)    // 2^3 + 2^1 + 2^0
-	FeSquare(&t2, &t0)      // 2^4 + 2^2 + 2^1
-	FeMul(&t1, &t1, &t2)    // 2^4 + 2^3 + 2^2 + 2^1 + 2^0
-	FeSquare(&t2, &t1)      // 5,4,3,2,1
-	for i = 1; i < 5; i++ { // 9,8,7,6,5
-		FeSquare(&t2, &t2)
-	}
-	FeMul(&t1, &t2, &t1)     // 9,8,7,6,5,4,3,2,1,0
-	FeSquare(&t2, &t1)       // 10..1
-	for i = 1; i < 10; i++ { // 19..10
-		FeSquare(&t2, &t2)
-	}
-	FeMul(&t2, &t2, &t1)     // 19..0
-	FeSquare(&t3, &t2)       // 20..1
-	for i = 1; i < 20; i++ { // 39..20
-		FeSquare(&t3, &t3)
-	}
-	FeMul(&t2, &t3, &t2)     // 39..0
-	FeSquare(&t2, &t2)       // 40..1
-	for i = 1; i < 10; i++ { // 49..10
-		FeSquare(&t2, &t2)
-	}
-	FeMul(&t1, &t2, &t1)     // 49..0
-	FeSquare(&t2, &t1)       // 50..1
-	for i = 1; i < 50; i++ { // 99..50
-		FeSquare(&t2, &t2)
-	}
-	FeMul(&t2, &t2, &t1)      // 99..0
-	FeSquare(&t3, &t2)        // 100..1
-	for i = 1; i < 100; i++ { // 199..100
-		FeSquare(&t3, &t3)
-	}
-	FeMul(&t2, &t3, &t2)     // 199..0
-	FeSquare(&t2, &t2)       // 200..1
-	for i = 1; i < 50; i++ { // 249..50
-		FeSquare(&t2, &t2)
-	}
-	FeMul(&t1, &t2, &t1)    // 249..0
-	FeSquare(&t1, &t1)      // 250..1
-	for i = 1; i < 5; i++ { // 254..5
-		FeSquare(&t1, &t1)
-	}
-	FeMul(out, &t1, &t0) // 254..5,3,1,0
-}
-
-func fePow22523(out, z *FieldElement) {
-	var t0, t1, t2 FieldElement
-	var i int
-
-	FeSquare(&t0, z)
-	for i = 1; i < 1; i++ {
-		FeSquare(&t0, &t0)
-	}
-	FeSquare(&t1, &t0)
-	for i = 1; i < 2; i++ {
-		FeSquare(&t1, &t1)
-	}
-	FeMul(&t1, z, &t1)
-	FeMul(&t0, &t0, &t1)
-	FeSquare(&t0, &t0)
-	for i = 1; i < 1; i++ {
-		FeSquare(&t0, &t0)
-	}
-	FeMul(&t0, &t1, &t0)
-	FeSquare(&t1, &t0)
-	for i = 1; i < 5; i++ {
-		FeSquare(&t1, &t1)
-	}
-	FeMul(&t0, &t1, &t0)
-	FeSquare(&t1, &t0)
-	for i = 1; i < 10; i++ {
-		FeSquare(&t1, &t1)
-	}
-	FeMul(&t1, &t1, &t0)
-	FeSquare(&t2, &t1)
-	for i = 1; i < 20; i++ {
-		FeSquare(&t2, &t2)
-	}
-	FeMul(&t1, &t2, &t1)
-	FeSquare(&t1, &t1)
-	for i = 1; i < 10; i++ {
-		FeSquare(&t1, &t1)
-	}
-	FeMul(&t0, &t1, &t0)
-	FeSquare(&t1, &t0)
-	for i = 1; i < 50; i++ {
-		FeSquare(&t1, &t1)
-	}
-	FeMul(&t1, &t1, &t0)
-	FeSquare(&t2, &t1)
-	for i = 1; i < 100; i++ {
-		FeSquare(&t2, &t2)
-	}
-	FeMul(&t1, &t2, &t1)
-	FeSquare(&t1, &t1)
-	for i = 1; i < 50; i++ {
-		FeSquare(&t1, &t1)
-	}
-	FeMul(&t0, &t1, &t0)
-	FeSquare(&t0, &t0)
-	for i = 1; i < 2; i++ {
-		FeSquare(&t0, &t0)
-	}
-	FeMul(out, &t0, z)
-}
-
-// Group elements are members of the elliptic curve -x^2 + y^2 = 1 + d * x^2 *
-// y^2 where d = -121665/121666.
-//
-// Several representations are used:
-//   ProjectiveGroupElement: (X:Y:Z) satisfying x=X/Z, y=Y/Z
-//   ExtendedGroupElement: (X:Y:Z:T) satisfying x=X/Z, y=Y/Z, XY=ZT
-//   CompletedGroupElement: ((X:Z),(Y:T)) satisfying x=X/Z, y=Y/T
-//   PreComputedGroupElement: (y+x,y-x,2dxy)
-
-type ProjectiveGroupElement struct {
-	X, Y, Z FieldElement
-}
-
-type ExtendedGroupElement struct {
-	X, Y, Z, T FieldElement
-}
-
-type CompletedGroupElement struct {
-	X, Y, Z, T FieldElement
-}
-
-type PreComputedGroupElement struct {
-	yPlusX, yMinusX, xy2d FieldElement
-}
-
-type CachedGroupElement struct {
-	yPlusX, yMinusX, Z, T2d FieldElement
-}
-
-func (p *ProjectiveGroupElement) Zero() {
-	FeZero(&p.X)
-	FeOne(&p.Y)
-	FeOne(&p.Z)
-}
-
-func (p *ProjectiveGroupElement) Double(r *CompletedGroupElement) {
-	var t0 FieldElement
-
-	FeSquare(&r.X, &p.X)
-	FeSquare(&r.Z, &p.Y)
-	FeSquare2(&r.T, &p.Z)
-	FeAdd(&r.Y, &p.X, &p.Y)
-	FeSquare(&t0, &r.Y)
-	FeAdd(&r.Y, &r.Z, &r.X)
-	FeSub(&r.Z, &r.Z, &r.X)
-	FeSub(&r.X, &t0, &r.Y)
-	FeSub(&r.T, &r.T, &r.Z)
-}
-
-func (p *ProjectiveGroupElement) ToBytes(s *[32]byte) {
-	var recip, x, y FieldElement
-
-	FeInvert(&recip, &p.Z)
-	FeMul(&x, &p.X, &recip)
-	FeMul(&y, &p.Y, &recip)
-	FeToBytes(s, &y)
-	s[31] ^= FeIsNegative(&x) << 7
-}
-
-func (p *ExtendedGroupElement) Zero() {
-	FeZero(&p.X)
-	FeOne(&p.Y)
-	FeOne(&p.Z)
-	FeZero(&p.T)
-}
-
-func (p *ExtendedGroupElement) Double(r *CompletedGroupElement) {
-	var q ProjectiveGroupElement
-	p.ToProjective(&q)
-	q.Double(r)
-}
-
-func (p *ExtendedGroupElement) ToCached(r *CachedGroupElement) {
-	FeAdd(&r.yPlusX, &p.Y, &p.X)
-	FeSub(&r.yMinusX, &p.Y, &p.X)
-	FeCopy(&r.Z, &p.Z)
-	FeMul(&r.T2d, &p.T, &d2)
-}
-
-func (p *ExtendedGroupElement) ToProjective(r *ProjectiveGroupElement) {
-	FeCopy(&r.X, &p.X)
-	FeCopy(&r.Y, &p.Y)
-	FeCopy(&r.Z, &p.Z)
-}
-
-func (p *ExtendedGroupElement) ToBytes(s *[32]byte) {
-	var recip, x, y FieldElement
-
-	FeInvert(&recip, &p.Z)
-	FeMul(&x, &p.X, &recip)
-	FeMul(&y, &p.Y, &recip)
-	FeToBytes(s, &y)
-	s[31] ^= FeIsNegative(&x) << 7
-}
-
-func (p *ExtendedGroupElement) FromBytes(s *[32]byte) bool {
-	var u, v, v3, vxx, check FieldElement
-
-	FeFromBytes(&p.Y, s)
-	FeOne(&p.Z)
-	FeSquare(&u, &p.Y)
-	FeMul(&v, &u, &d)
-	FeSub(&u, &u, &p.Z) // y = y^2-1
-	FeAdd(&v, &v, &p.Z) // v = dy^2+1
-
-	FeSquare(&v3, &v)
-	FeMul(&v3, &v3, &v) // v3 = v^3
-	FeSquare(&p.X, &v3)
-	FeMul(&p.X, &p.X, &v)
-	FeMul(&p.X, &p.X, &u) // x = uv^7
-
-	fePow22523(&p.X, &p.X) // x = (uv^7)^((q-5)/8)
-	FeMul(&p.X, &p.X, &v3)
-	FeMul(&p.X, &p.X, &u) // x = uv^3(uv^7)^((q-5)/8)
-
-	var tmpX, tmp2 [32]byte
-
-	FeSquare(&vxx, &p.X)
-	FeMul(&vxx, &vxx, &v)
-	FeSub(&check, &vxx, &u) // vx^2-u
-	if FeIsNonZero(&check) == 1 {
-		FeAdd(&check, &vxx, &u) // vx^2+u
-		if FeIsNonZero(&check) == 1 {
-			return false
-		}
-		FeMul(&p.X, &p.X, &SqrtM1)
-
-		FeToBytes(&tmpX, &p.X)
-		for i, v := range tmpX {
-			tmp2[31-i] = v
-		}
-	}
-
-	if FeIsNegative(&p.X) == (s[31] >> 7) {
-		FeNeg(&p.X, &p.X)
-	}
-
-	FeMul(&p.T, &p.X, &p.Y)
-	return true
-}
-
-func (p *CompletedGroupElement) ToProjective(r *ProjectiveGroupElement) {
-	FeMul(&r.X, &p.X, &p.T)
-	FeMul(&r.Y, &p.Y, &p.Z)
-	FeMul(&r.Z, &p.Z, &p.T)
-}
-
-func (p *CompletedGroupElement) ToExtended(r *ExtendedGroupElement) {
-	FeMul(&r.X, &p.X, &p.T)
-	FeMul(&r.Y, &p.Y, &p.Z)
-	FeMul(&r.Z, &p.Z, &p.T)
-	FeMul(&r.T, &p.X, &p.Y)
-}
-
-func (p *PreComputedGroupElement) Zero() {
-	FeOne(&p.yPlusX)
-	FeOne(&p.yMinusX)
-	FeZero(&p.xy2d)
-}
-
-func geAdd(r *CompletedGroupElement, p *ExtendedGroupElement, q *CachedGroupElement) {
-	var t0 FieldElement
-
-	FeAdd(&r.X, &p.Y, &p.X)
-	FeSub(&r.Y, &p.Y, &p.X)
-	FeMul(&r.Z, &r.X, &q.yPlusX)
-	FeMul(&r.Y, &r.Y, &q.yMinusX)
-	FeMul(&r.T, &q.T2d, &p.T)
-	FeMul(&r.X, &p.Z, &q.Z)
-	FeAdd(&t0, &r.X, &r.X)
-	FeSub(&r.X, &r.Z, &r.Y)
-	FeAdd(&r.Y, &r.Z, &r.Y)
-	FeAdd(&r.Z, &t0, &r.T)
-	FeSub(&r.T, &t0, &r.T)
-}
-
-func geSub(r *CompletedGroupElement, p *ExtendedGroupElement, q *CachedGroupElement) {
-	var t0 FieldElement
-
-	FeAdd(&r.X, &p.Y, &p.X)
-	FeSub(&r.Y, &p.Y, &p.X)
-	FeMul(&r.Z, &r.X, &q.yMinusX)
-	FeMul(&r.Y, &r.Y, &q.yPlusX)
-	FeMul(&r.T, &q.T2d, &p.T)
-	FeMul(&r.X, &p.Z, &q.Z)
-	FeAdd(&t0, &r.X, &r.X)
-	FeSub(&r.X, &r.Z, &r.Y)
-	FeAdd(&r.Y, &r.Z, &r.Y)
-	FeSub(&r.Z, &t0, &r.T)
-	FeAdd(&r.T, &t0, &r.T)
-}
-
-func geMixedAdd(r *CompletedGroupElement, p *ExtendedGroupElement, q *PreComputedGroupElement) {
-	var t0 FieldElement
-
-	FeAdd(&r.X, &p.Y, &p.X)
-	FeSub(&r.Y, &p.Y, &p.X)
-	FeMul(&r.Z, &r.X, &q.yPlusX)
-	FeMul(&r.Y, &r.Y, &q.yMinusX)
-	FeMul(&r.T, &q.xy2d, &p.T)
-	FeAdd(&t0, &p.Z, &p.Z)
-	FeSub(&r.X, &r.Z, &r.Y)
-	FeAdd(&r.Y, &r.Z, &r.Y)
-	FeAdd(&r.Z, &t0, &r.T)
-	FeSub(&r.T, &t0, &r.T)
-}
-
-func geMixedSub(r *CompletedGroupElement, p *ExtendedGroupElement, q *PreComputedGroupElement) {
-	var t0 FieldElement
-
-	FeAdd(&r.X, &p.Y, &p.X)
-	FeSub(&r.Y, &p.Y, &p.X)
-	FeMul(&r.Z, &r.X, &q.yMinusX)
-	FeMul(&r.Y, &r.Y, &q.yPlusX)
-	FeMul(&r.T, &q.xy2d, &p.T)
-	FeAdd(&t0, &p.Z, &p.Z)
-	FeSub(&r.X, &r.Z, &r.Y)
-	FeAdd(&r.Y, &r.Z, &r.Y)
-	FeSub(&r.Z, &t0, &r.T)
-	FeAdd(&r.T, &t0, &r.T)
-}
-
-func slide(r *[256]int8, a *[32]byte) {
-	for i := range r {
-		r[i] = int8(1 & (a[i>>3] >> uint(i&7)))
-	}
-
-	for i := range r {
-		if r[i] != 0 {
-			for b := 1; b <= 6 && i+b < 256; b++ {
-				if r[i+b] != 0 {
-					if r[i]+(r[i+b]<<uint(b)) <= 15 {
-						r[i] += r[i+b] << uint(b)
-						r[i+b] = 0
-					} else if r[i]-(r[i+b]<<uint(b)) >= -15 {
-						r[i] -= r[i+b] << uint(b)
-						for k := i + b; k < 256; k++ {
-							if r[k] == 0 {
-								r[k] = 1
-								break
-							}
-							r[k] = 0
-						}
-					} else {
-						break
-					}
-				}
-			}
-		}
-	}
-}
-
-// GeDoubleScalarMultVartime sets r = a*A + b*B
-// where a = a[0]+256*a[1]+...+256^31 a[31].
-// and b = b[0]+256*b[1]+...+256^31 b[31].
-// B is the Ed25519 base point (x,4/5) with x positive.
-func GeDoubleScalarMultVartime(r *ProjectiveGroupElement, a *[32]byte, A *ExtendedGroupElement, b *[32]byte) {
-	var aSlide, bSlide [256]int8
-	var Ai [8]CachedGroupElement // A,3A,5A,7A,9A,11A,13A,15A
-	var t CompletedGroupElement
-	var u, A2 ExtendedGroupElement
-	var i int
-
-	slide(&aSlide, a)
-	slide(&bSlide, b)
-
-	A.ToCached(&Ai[0])
-	A.Double(&t)
-	t.ToExtended(&A2)
-
-	for i := 0; i < 7; i++ {
-		geAdd(&t, &A2, &Ai[i])
-		t.ToExtended(&u)
-		u.ToCached(&Ai[i+1])
-	}
-
-	r.Zero()
-
-	for i = 255; i >= 0; i-- {
-		if aSlide[i] != 0 || bSlide[i] != 0 {
-			break
-		}
-	}
-
-	for ; i >= 0; i-- {
-		r.Double(&t)
-
-		if aSlide[i] > 0 {
-			t.ToExtended(&u)
-			geAdd(&t, &u, &Ai[aSlide[i]/2])
-		} else if aSlide[i] < 0 {
-			t.ToExtended(&u)
-			geSub(&t, &u, &Ai[(-aSlide[i])/2])
-		}
-
-		if bSlide[i] > 0 {
-			t.ToExtended(&u)
-			geMixedAdd(&t, &u, &bi[bSlide[i]/2])
-		} else if bSlide[i] < 0 {
-			t.ToExtended(&u)
-			geMixedSub(&t, &u, &bi[(-bSlide[i])/2])
-		}
-
-		t.ToProjective(r)
-	}
-}
-
-// equal returns 1 if b == c and 0 otherwise.
-func equal(b, c int32) int32 {
-	x := uint32(b ^ c)
-	x--
-	return int32(x >> 31)
-}
-
-// negative returns 1 if b < 0 and 0 otherwise.
-func negative(b int32) int32 {
-	return (b >> 31) & 1
-}
-
-func PreComputedGroupElementCMove(t, u *PreComputedGroupElement, b int32) {
-	FeCMove(&t.yPlusX, &u.yPlusX, b)
-	FeCMove(&t.yMinusX, &u.yMinusX, b)
-	FeCMove(&t.xy2d, &u.xy2d, b)
-}
-
-func selectPoint(t *PreComputedGroupElement, pos int32, b int32) {
-	var minusT PreComputedGroupElement
-	bNegative := negative(b)
-	bAbs := b - (((-bNegative) & b) << 1)
-
-	t.Zero()
-	for i := int32(0); i < 8; i++ {
-		PreComputedGroupElementCMove(t, &base[pos][i], equal(bAbs, i+1))
-	}
-	FeCopy(&minusT.yPlusX, &t.yMinusX)
-	FeCopy(&minusT.yMinusX, &t.yPlusX)
-	FeNeg(&minusT.xy2d, &t.xy2d)
-	PreComputedGroupElementCMove(t, &minusT, bNegative)
-}
-
-// GeScalarMultBase computes h = a*B, where
-//   a = a[0]+256*a[1]+...+256^31 a[31]
-//   B is the Ed25519 base point (x,4/5) with x positive.
-//
-// Preconditions:
-//   a[31] <= 127
-func GeScalarMultBase(h *ExtendedGroupElement, a *[32]byte) {
-	var e [64]int8
-
-	for i, v := range a {
-		e[2*i] = int8(v & 15)
-		e[2*i+1] = int8((v >> 4) & 15)
-	}
-
-	// each e[i] is between 0 and 15 and e[63] is between 0 and 7.
-
-	carry := int8(0)
-	for i := 0; i < 63; i++ {
-		e[i] += carry
-		carry = (e[i] + 8) >> 4
-		e[i] -= carry << 4
-	}
-	e[63] += carry
-	// each e[i] is between -8 and 8.
-
-	h.Zero()
-	var t PreComputedGroupElement
-	var r CompletedGroupElement
-	for i := int32(1); i < 64; i += 2 {
-		selectPoint(&t, i/2, int32(e[i]))
-		geMixedAdd(&r, h, &t)
-		r.ToExtended(h)
-	}
-
-	var s ProjectiveGroupElement
-
-	h.Double(&r)
-	r.ToProjective(&s)
-	s.Double(&r)
-	r.ToProjective(&s)
-	s.Double(&r)
-	r.ToProjective(&s)
-	s.Double(&r)
-	r.ToExtended(h)
-
-	for i := int32(0); i < 64; i += 2 {
-		selectPoint(&t, i/2, int32(e[i]))
-		geMixedAdd(&r, h, &t)
-		r.ToExtended(h)
-	}
-}
-
-// The scalars are GF(2^252 + 27742317777372353535851937790883648493).
-
-// Input:
-//   a[0]+256*a[1]+...+256^31*a[31] = a
-//   b[0]+256*b[1]+...+256^31*b[31] = b
-//   c[0]+256*c[1]+...+256^31*c[31] = c
-//
-// Output:
-//   s[0]+256*s[1]+...+256^31*s[31] = (ab+c) mod l
-//   where l = 2^252 + 27742317777372353535851937790883648493.
-func ScMulAdd(s, a, b, c *[32]byte) {
-	a0 := 2097151 & load3(a[:])
-	a1 := 2097151 & (load4(a[2:]) >> 5)
-	a2 := 2097151 & (load3(a[5:]) >> 2)
-	a3 := 2097151 & (load4(a[7:]) >> 7)
-	a4 := 2097151 & (load4(a[10:]) >> 4)
-	a5 := 2097151 & (load3(a[13:]) >> 1)
-	a6 := 2097151 & (load4(a[15:]) >> 6)
-	a7 := 2097151 & (load3(a[18:]) >> 3)
-	a8 := 2097151 & load3(a[21:])
-	a9 := 2097151 & (load4(a[23:]) >> 5)
-	a10 := 2097151 & (load3(a[26:]) >> 2)
-	a11 := (load4(a[28:]) >> 7)
-	b0 := 2097151 & load3(b[:])
-	b1 := 2097151 & (load4(b[2:]) >> 5)
-	b2 := 2097151 & (load3(b[5:]) >> 2)
-	b3 := 2097151 & (load4(b[7:]) >> 7)
-	b4 := 2097151 & (load4(b[10:]) >> 4)
-	b5 := 2097151 & (load3(b[13:]) >> 1)
-	b6 := 2097151 & (load4(b[15:]) >> 6)
-	b7 := 2097151 & (load3(b[18:]) >> 3)
-	b8 := 2097151 & load3(b[21:])
-	b9 := 2097151 & (load4(b[23:]) >> 5)
-	b10 := 2097151 & (load3(b[26:]) >> 2)
-	b11 := (load4(b[28:]) >> 7)
-	c0 := 2097151 & load3(c[:])
-	c1 := 2097151 & (load4(c[2:]) >> 5)
-	c2 := 2097151 & (load3(c[5:]) >> 2)
-	c3 := 2097151 & (load4(c[7:]) >> 7)
-	c4 := 2097151 & (load4(c[10:]) >> 4)
-	c5 := 2097151 & (load3(c[13:]) >> 1)
-	c6 := 2097151 & (load4(c[15:]) >> 6)
-	c7 := 2097151 & (load3(c[18:]) >> 3)
-	c8 := 2097151 & load3(c[21:])
-	c9 := 2097151 & (load4(c[23:]) >> 5)
-	c10 := 2097151 & (load3(c[26:]) >> 2)
-	c11 := (load4(c[28:]) >> 7)
-	var carry [23]int64
-
-	s0 := c0 + a0*b0
-	s1 := c1 + a0*b1 + a1*b0
-	s2 := c2 + a0*b2 + a1*b1 + a2*b0
-	s3 := c3 + a0*b3 + a1*b2 + a2*b1 + a3*b0
-	s4 := c4 + a0*b4 + a1*b3 + a2*b2 + a3*b1 + a4*b0
-	s5 := c5 + a0*b5 + a1*b4 + a2*b3 + a3*b2 + a4*b1 + a5*b0
-	s6 := c6 + a0*b6 + a1*b5 + a2*b4 + a3*b3 + a4*b2 + a5*b1 + a6*b0
-	s7 := c7 + a0*b7 + a1*b6 + a2*b5 + a3*b4 + a4*b3 + a5*b2 + a6*b1 + a7*b0
-	s8 := c8 + a0*b8 + a1*b7 + a2*b6 + a3*b5 + a4*b4 + a5*b3 + a6*b2 + a7*b1 + a8*b0
-	s9 := c9 + a0*b9 + a1*b8 + a2*b7 + a3*b6 + a4*b5 + a5*b4 + a6*b3 + a7*b2 + a8*b1 + a9*b0
-	s10 := c10 + a0*b10 + a1*b9 + a2*b8 + a3*b7 + a4*b6 + a5*b5 + a6*b4 + a7*b3 + a8*b2 + a9*b1 + a10*b0
-	s11 := c11 + a0*b11 + a1*b10 + a2*b9 + a3*b8 + a4*b7 + a5*b6 + a6*b5 + a7*b4 + a8*b3 + a9*b2 + a10*b1 + a11*b0
-	s12 := a1*b11 + a2*b10 + a3*b9 + a4*b8 + a5*b7 + a6*b6 + a7*b5 + a8*b4 + a9*b3 + a10*b2 + a11*b1
-	s13 := a2*b11 + a3*b10 + a4*b9 + a5*b8 + a6*b7 + a7*b6 + a8*b5 + a9*b4 + a10*b3 + a11*b2
-	s14 := a3*b11 + a4*b10 + a5*b9 + a6*b8 + a7*b7 + a8*b6 + a9*b5 + a10*b4 + a11*b3
-	s15 := a4*b11 + a5*b10 + a6*b9 + a7*b8 + a8*b7 + a9*b6 + a10*b5 + a11*b4
-	s16 := a5*b11 + a6*b10 + a7*b9 + a8*b8 + a9*b7 + a10*b6 + a11*b5
-	s17 := a6*b11 + a7*b10 + a8*b9 + a9*b8 + a10*b7 + a11*b6
-	s18 := a7*b11 + a8*b10 + a9*b9 + a10*b8 + a11*b7
-	s19 := a8*b11 + a9*b10 + a10*b9 + a11*b8
-	s20 := a9*b11 + a10*b10 + a11*b9
-	s21 := a10*b11 + a11*b10
-	s22 := a11 * b11
-	s23 := int64(0)
-
-	carry[0] = (s0 + (1 << 20)) >> 21
-	s1 += carry[0]
-	s0 -= carry[0] << 21
-	carry[2] = (s2 + (1 << 20)) >> 21
-	s3 += carry[2]
-	s2 -= carry[2] << 21
-	carry[4] = (s4 + (1 << 20)) >> 21
-	s5 += carry[4]
-	s4 -= carry[4] << 21
-	carry[6] = (s6 + (1 << 20)) >> 21
-	s7 += carry[6]
-	s6 -= carry[6] << 21
-	carry[8] = (s8 + (1 << 20)) >> 21
-	s9 += carry[8]
-	s8 -= carry[8] << 21
-	carry[10] = (s10 + (1 << 20)) >> 21
-	s11 += carry[10]
-	s10 -= carry[10] << 21
-	carry[12] = (s12 + (1 << 20)) >> 21
-	s13 += carry[12]
-	s12 -= carry[12] << 21
-	carry[14] = (s14 + (1 << 20)) >> 21
-	s15 += carry[14]
-	s14 -= carry[14] << 21
-	carry[16] = (s16 + (1 << 20)) >> 21
-	s17 += carry[16]
-	s16 -= carry[16] << 21
-	carry[18] = (s18 + (1 << 20)) >> 21
-	s19 += carry[18]
-	s18 -= carry[18] << 21
-	carry[20] = (s20 + (1 << 20)) >> 21
-	s21 += carry[20]
-	s20 -= carry[20] << 21
-	carry[22] = (s22 + (1 << 20)) >> 21
-	s23 += carry[22]
-	s22 -= carry[22] << 21
-
-	carry[1] = (s1 + (1 << 20)) >> 21
-	s2 += carry[1]
-	s1 -= carry[1] << 21
-	carry[3] = (s3 + (1 << 20)) >> 21
-	s4 += carry[3]
-	s3 -= carry[3] << 21
-	carry[5] = (s5 + (1 << 20)) >> 21
-	s6 += carry[5]
-	s5 -= carry[5] << 21
-	carry[7] = (s7 + (1 << 20)) >> 21
-	s8 += carry[7]
-	s7 -= carry[7] << 21
-	carry[9] = (s9 + (1 << 20)) >> 21
-	s10 += carry[9]
-	s9 -= carry[9] << 21
-	carry[11] = (s11 + (1 << 20)) >> 21
-	s12 += carry[11]
-	s11 -= carry[11] << 21
-	carry[13] = (s13 + (1 << 20)) >> 21
-	s14 += carry[13]
-	s13 -= carry[13] << 21
-	carry[15] = (s15 + (1 << 20)) >> 21
-	s16 += carry[15]
-	s15 -= carry[15] << 21
-	carry[17] = (s17 + (1 << 20)) >> 21
-	s18 += carry[17]
-	s17 -= carry[17] << 21
-	carry[19] = (s19 + (1 << 20)) >> 21
-	s20 += carry[19]
-	s19 -= carry[19] << 21
-	carry[21] = (s21 + (1 << 20)) >> 21
-	s22 += carry[21]
-	s21 -= carry[21] << 21
-
-	s11 += s23 * 666643
-	s12 += s23 * 470296
-	s13 += s23 * 654183
-	s14 -= s23 * 997805
-	s15 += s23 * 136657
-	s16 -= s23 * 683901
-	s23 = 0
-
-	s10 += s22 * 666643
-	s11 += s22 * 470296
-	s12 += s22 * 654183
-	s13 -= s22 * 997805
-	s14 += s22 * 136657
-	s15 -= s22 * 683901
-	s22 = 0
-
-	s9 += s21 * 666643
-	s10 += s21 * 470296
-	s11 += s21 * 654183
-	s12 -= s21 * 997805
-	s13 += s21 * 136657
-	s14 -= s21 * 683901
-	s21 = 0
-
-	s8 += s20 * 666643
-	s9 += s20 * 470296
-	s10 += s20 * 654183
-	s11 -= s20 * 997805
-	s12 += s20 * 136657
-	s13 -= s20 * 683901
-	s20 = 0
-
-	s7 += s19 * 666643
-	s8 += s19 * 470296
-	s9 += s19 * 654183
-	s10 -= s19 * 997805
-	s11 += s19 * 136657
-	s12 -= s19 * 683901
-	s19 = 0
-
-	s6 += s18 * 666643
-	s7 += s18 * 470296
-	s8 += s18 * 654183
-	s9 -= s18 * 997805
-	s10 += s18 * 136657
-	s11 -= s18 * 683901
-	s18 = 0
-
-	carry[6] = (s6 + (1 << 20)) >> 21
-	s7 += carry[6]
-	s6 -= carry[6] << 21
-	carry[8] = (s8 + (1 << 20)) >> 21
-	s9 += carry[8]
-	s8 -= carry[8] << 21
-	carry[10] = (s10 + (1 << 20)) >> 21
-	s11 += carry[10]
-	s10 -= carry[10] << 21
-	carry[12] = (s12 + (1 << 20)) >> 21
-	s13 += carry[12]
-	s12 -= carry[12] << 21
-	carry[14] = (s14 + (1 << 20)) >> 21
-	s15 += carry[14]
-	s14 -= carry[14] << 21
-	carry[16] = (s16 + (1 << 20)) >> 21
-	s17 += carry[16]
-	s16 -= carry[16] << 21
-
-	carry[7] = (s7 + (1 << 20)) >> 21
-	s8 += carry[7]
-	s7 -= carry[7] << 21
-	carry[9] = (s9 + (1 << 20)) >> 21
-	s10 += carry[9]
-	s9 -= carry[9] << 21
-	carry[11] = (s11 + (1 << 20)) >> 21
-	s12 += carry[11]
-	s11 -= carry[11] << 21
-	carry[13] = (s13 + (1 << 20)) >> 21
-	s14 += carry[13]
-	s13 -= carry[13] << 21
-	carry[15] = (s15 + (1 << 20)) >> 21
-	s16 += carry[15]
-	s15 -= carry[15] << 21
-
-	s5 += s17 * 666643
-	s6 += s17 * 470296
-	s7 += s17 * 654183
-	s8 -= s17 * 997805
-	s9 += s17 * 136657
-	s10 -= s17 * 683901
-	s17 = 0
-
-	s4 += s16 * 666643
-	s5 += s16 * 470296
-	s6 += s16 * 654183
-	s7 -= s16 * 997805
-	s8 += s16 * 136657
-	s9 -= s16 * 683901
-	s16 = 0
-
-	s3 += s15 * 666643
-	s4 += s15 * 470296
-	s5 += s15 * 654183
-	s6 -= s15 * 997805
-	s7 += s15 * 136657
-	s8 -= s15 * 683901
-	s15 = 0
-
-	s2 += s14 * 666643
-	s3 += s14 * 470296
-	s4 += s14 * 654183
-	s5 -= s14 * 997805
-	s6 += s14 * 136657
-	s7 -= s14 * 683901
-	s14 = 0
-
-	s1 += s13 * 666643
-	s2 += s13 * 470296
-	s3 += s13 * 654183
-	s4 -= s13 * 997805
-	s5 += s13 * 136657
-	s6 -= s13 * 683901
-	s13 = 0
-
-	s0 += s12 * 666643
-	s1 += s12 * 470296
-	s2 += s12 * 654183
-	s3 -= s12 * 997805
-	s4 += s12 * 136657
-	s5 -= s12 * 683901
-	s12 = 0
-
-	carry[0] = (s0 + (1 << 20)) >> 21
-	s1 += carry[0]
-	s0 -= carry[0] << 21
-	carry[2] = (s2 + (1 << 20)) >> 21
-	s3 += carry[2]
-	s2 -= carry[2] << 21
-	carry[4] = (s4 + (1 << 20)) >> 21
-	s5 += carry[4]
-	s4 -= carry[4] << 21
-	carry[6] = (s6 + (1 << 20)) >> 21
-	s7 += carry[6]
-	s6 -= carry[6] << 21
-	carry[8] = (s8 + (1 << 20)) >> 21
-	s9 += carry[8]
-	s8 -= carry[8] << 21
-	carry[10] = (s10 + (1 << 20)) >> 21
-	s11 += carry[10]
-	s10 -= carry[10] << 21
-
-	carry[1] = (s1 + (1 << 20)) >> 21
-	s2 += carry[1]
-	s1 -= carry[1] << 21
-	carry[3] = (s3 + (1 << 20)) >> 21
-	s4 += carry[3]
-	s3 -= carry[3] << 21
-	carry[5] = (s5 + (1 << 20)) >> 21
-	s6 += carry[5]
-	s5 -= carry[5] << 21
-	carry[7] = (s7 + (1 << 20)) >> 21
-	s8 += carry[7]
-	s7 -= carry[7] << 21
-	carry[9] = (s9 + (1 << 20)) >> 21
-	s10 += carry[9]
-	s9 -= carry[9] << 21
-	carry[11] = (s11 + (1 << 20)) >> 21
-	s12 += carry[11]
-	s11 -= carry[11] << 21
-
-	s0 += s12 * 666643
-	s1 += s12 * 470296
-	s2 += s12 * 654183
-	s3 -= s12 * 997805
-	s4 += s12 * 136657
-	s5 -= s12 * 683901
-	s12 = 0
-
-	carry[0] = s0 >> 21
-	s1 += carry[0]
-	s0 -= carry[0] << 21
-	carry[1] = s1 >> 21
-	s2 += carry[1]
-	s1 -= carry[1] << 21
-	carry[2] = s2 >> 21
-	s3 += carry[2]
-	s2 -= carry[2] << 21
-	carry[3] = s3 >> 21
-	s4 += carry[3]
-	s3 -= carry[3] << 21
-	carry[4] = s4 >> 21
-	s5 += carry[4]
-	s4 -= carry[4] << 21
-	carry[5] = s5 >> 21
-	s6 += carry[5]
-	s5 -= carry[5] << 21
-	carry[6] = s6 >> 21
-	s7 += carry[6]
-	s6 -= carry[6] << 21
-	carry[7] = s7 >> 21
-	s8 += carry[7]
-	s7 -= carry[7] << 21
-	carry[8] = s8 >> 21
-	s9 += carry[8]
-	s8 -= carry[8] << 21
-	carry[9] = s9 >> 21
-	s10 += carry[9]
-	s9 -= carry[9] << 21
-	carry[10] = s10 >> 21
-	s11 += carry[10]
-	s10 -= carry[10] << 21
-	carry[11] = s11 >> 21
-	s12 += carry[11]
-	s11 -= carry[11] << 21
-
-	s0 += s12 * 666643
-	s1 += s12 * 470296
-	s2 += s12 * 654183
-	s3 -= s12 * 997805
-	s4 += s12 * 136657
-	s5 -= s12 * 683901
-	s12 = 0
-
-	carry[0] = s0 >> 21
-	s1 += carry[0]
-	s0 -= carry[0] << 21
-	carry[1] = s1 >> 21
-	s2 += carry[1]
-	s1 -= carry[1] << 21
-	carry[2] = s2 >> 21
-	s3 += carry[2]
-	s2 -= carry[2] << 21
-	carry[3] = s3 >> 21
-	s4 += carry[3]
-	s3 -= carry[3] << 21
-	carry[4] = s4 >> 21
-	s5 += carry[4]
-	s4 -= carry[4] << 21
-	carry[5] = s5 >> 21
-	s6 += carry[5]
-	s5 -= carry[5] << 21
-	carry[6] = s6 >> 21
-	s7 += carry[6]
-	s6 -= carry[6] << 21
-	carry[7] = s7 >> 21
-	s8 += carry[7]
-	s7 -= carry[7] << 21
-	carry[8] = s8 >> 21
-	s9 += carry[8]
-	s8 -= carry[8] << 21
-	carry[9] = s9 >> 21
-	s10 += carry[9]
-	s9 -= carry[9] << 21
-	carry[10] = s10 >> 21
-	s11 += carry[10]
-	s10 -= carry[10] << 21
-
-	s[0] = byte(s0 >> 0)
-	s[1] = byte(s0 >> 8)
-	s[2] = byte((s0 >> 16) | (s1 << 5))
-	s[3] = byte(s1 >> 3)
-	s[4] = byte(s1 >> 11)
-	s[5] = byte((s1 >> 19) | (s2 << 2))
-	s[6] = byte(s2 >> 6)
-	s[7] = byte((s2 >> 14) | (s3 << 7))
-	s[8] = byte(s3 >> 1)
-	s[9] = byte(s3 >> 9)
-	s[10] = byte((s3 >> 17) | (s4 << 4))
-	s[11] = byte(s4 >> 4)
-	s[12] = byte(s4 >> 12)
-	s[13] = byte((s4 >> 20) | (s5 << 1))
-	s[14] = byte(s5 >> 7)
-	s[15] = byte((s5 >> 15) | (s6 << 6))
-	s[16] = byte(s6 >> 2)
-	s[17] = byte(s6 >> 10)
-	s[18] = byte((s6 >> 18) | (s7 << 3))
-	s[19] = byte(s7 >> 5)
-	s[20] = byte(s7 >> 13)
-	s[21] = byte(s8 >> 0)
-	s[22] = byte(s8 >> 8)
-	s[23] = byte((s8 >> 16) | (s9 << 5))
-	s[24] = byte(s9 >> 3)
-	s[25] = byte(s9 >> 11)
-	s[26] = byte((s9 >> 19) | (s10 << 2))
-	s[27] = byte(s10 >> 6)
-	s[28] = byte((s10 >> 14) | (s11 << 7))
-	s[29] = byte(s11 >> 1)
-	s[30] = byte(s11 >> 9)
-	s[31] = byte(s11 >> 17)
-}
-
-// Input:
-//   s[0]+256*s[1]+...+256^63*s[63] = s
-//
-// Output:
-//   s[0]+256*s[1]+...+256^31*s[31] = s mod l
-//   where l = 2^252 + 27742317777372353535851937790883648493.
-func ScReduce(out *[32]byte, s *[64]byte) {
-	s0 := 2097151 & load3(s[:])
-	s1 := 2097151 & (load4(s[2:]) >> 5)
-	s2 := 2097151 & (load3(s[5:]) >> 2)
-	s3 := 2097151 & (load4(s[7:]) >> 7)
-	s4 := 2097151 & (load4(s[10:]) >> 4)
-	s5 := 2097151 & (load3(s[13:]) >> 1)
-	s6 := 2097151 & (load4(s[15:]) >> 6)
-	s7 := 2097151 & (load3(s[18:]) >> 3)
-	s8 := 2097151 & load3(s[21:])
-	s9 := 2097151 & (load4(s[23:]) >> 5)
-	s10 := 2097151 & (load3(s[26:]) >> 2)
-	s11 := 2097151 & (load4(s[28:]) >> 7)
-	s12 := 2097151 & (load4(s[31:]) >> 4)
-	s13 := 2097151 & (load3(s[34:]) >> 1)
-	s14 := 2097151 & (load4(s[36:]) >> 6)
-	s15 := 2097151 & (load3(s[39:]) >> 3)
-	s16 := 2097151 & load3(s[42:])
-	s17 := 2097151 & (load4(s[44:]) >> 5)
-	s18 := 2097151 & (load3(s[47:]) >> 2)
-	s19 := 2097151 & (load4(s[49:]) >> 7)
-	s20 := 2097151 & (load4(s[52:]) >> 4)
-	s21 := 2097151 & (load3(s[55:]) >> 1)
-	s22 := 2097151 & (load4(s[57:]) >> 6)
-	s23 := (load4(s[60:]) >> 3)
-
-	s11 += s23 * 666643
-	s12 += s23 * 470296
-	s13 += s23 * 654183
-	s14 -= s23 * 997805
-	s15 += s23 * 136657
-	s16 -= s23 * 683901
-	s23 = 0
-
-	s10 += s22 * 666643
-	s11 += s22 * 470296
-	s12 += s22 * 654183
-	s13 -= s22 * 997805
-	s14 += s22 * 136657
-	s15 -= s22 * 683901
-	s22 = 0
-
-	s9 += s21 * 666643
-	s10 += s21 * 470296
-	s11 += s21 * 654183
-	s12 -= s21 * 997805
-	s13 += s21 * 136657
-	s14 -= s21 * 683901
-	s21 = 0
-
-	s8 += s20 * 666643
-	s9 += s20 * 470296
-	s10 += s20 * 654183
-	s11 -= s20 * 997805
-	s12 += s20 * 136657
-	s13 -= s20 * 683901
-	s20 = 0
-
-	s7 += s19 * 666643
-	s8 += s19 * 470296
-	s9 += s19 * 654183
-	s10 -= s19 * 997805
-	s11 += s19 * 136657
-	s12 -= s19 * 683901
-	s19 = 0
-
-	s6 += s18 * 666643
-	s7 += s18 * 470296
-	s8 += s18 * 654183
-	s9 -= s18 * 997805
-	s10 += s18 * 136657
-	s11 -= s18 * 683901
-	s18 = 0
-
-	var carry [17]int64
-
-	carry[6] = (s6 + (1 << 20)) >> 21
-	s7 += carry[6]
-	s6 -= carry[6] << 21
-	carry[8] = (s8 + (1 << 20)) >> 21
-	s9 += carry[8]
-	s8 -= carry[8] << 21
-	carry[10] = (s10 + (1 << 20)) >> 21
-	s11 += carry[10]
-	s10 -= carry[10] << 21
-	carry[12] = (s12 + (1 << 20)) >> 21
-	s13 += carry[12]
-	s12 -= carry[12] << 21
-	carry[14] = (s14 + (1 << 20)) >> 21
-	s15 += carry[14]
-	s14 -= carry[14] << 21
-	carry[16] = (s16 + (1 << 20)) >> 21
-	s17 += carry[16]
-	s16 -= carry[16] << 21
-
-	carry[7] = (s7 + (1 << 20)) >> 21
-	s8 += carry[7]
-	s7 -= carry[7] << 21
-	carry[9] = (s9 + (1 << 20)) >> 21
-	s10 += carry[9]
-	s9 -= carry[9] << 21
-	carry[11] = (s11 + (1 << 20)) >> 21
-	s12 += carry[11]
-	s11 -= carry[11] << 21
-	carry[13] = (s13 + (1 << 20)) >> 21
-	s14 += carry[13]
-	s13 -= carry[13] << 21
-	carry[15] = (s15 + (1 << 20)) >> 21
-	s16 += carry[15]
-	s15 -= carry[15] << 21
-
-	s5 += s17 * 666643
-	s6 += s17 * 470296
-	s7 += s17 * 654183
-	s8 -= s17 * 997805
-	s9 += s17 * 136657
-	s10 -= s17 * 683901
-	s17 = 0
-
-	s4 += s16 * 666643
-	s5 += s16 * 470296
-	s6 += s16 * 654183
-	s7 -= s16 * 997805
-	s8 += s16 * 136657
-	s9 -= s16 * 683901
-	s16 = 0
-
-	s3 += s15 * 666643
-	s4 += s15 * 470296
-	s5 += s15 * 654183
-	s6 -= s15 * 997805
-	s7 += s15 * 136657
-	s8 -= s15 * 683901
-	s15 = 0
-
-	s2 += s14 * 666643
-	s3 += s14 * 470296
-	s4 += s14 * 654183
-	s5 -= s14 * 997805
-	s6 += s14 * 136657
-	s7 -= s14 * 683901
-	s14 = 0
-
-	s1 += s13 * 666643
-	s2 += s13 * 470296
-	s3 += s13 * 654183
-	s4 -= s13 * 997805
-	s5 += s13 * 136657
-	s6 -= s13 * 683901
-	s13 = 0
-
-	s0 += s12 * 666643
-	s1 += s12 * 470296
-	s2 += s12 * 654183
-	s3 -= s12 * 997805
-	s4 += s12 * 136657
-	s5 -= s12 * 683901
-	s12 = 0
-
-	carry[0] = (s0 + (1 << 20)) >> 21
-	s1 += carry[0]
-	s0 -= carry[0] << 21
-	carry[2] = (s2 + (1 << 20)) >> 21
-	s3 += carry[2]
-	s2 -= carry[2] << 21
-	carry[4] = (s4 + (1 << 20)) >> 21
-	s5 += carry[4]
-	s4 -= carry[4] << 21
-	carry[6] = (s6 + (1 << 20)) >> 21
-	s7 += carry[6]
-	s6 -= carry[6] << 21
-	carry[8] = (s8 + (1 << 20)) >> 21
-	s9 += carry[8]
-	s8 -= carry[8] << 21
-	carry[10] = (s10 + (1 << 20)) >> 21
-	s11 += carry[10]
-	s10 -= carry[10] << 21
-
-	carry[1] = (s1 + (1 << 20)) >> 21
-	s2 += carry[1]
-	s1 -= carry[1] << 21
-	carry[3] = (s3 + (1 << 20)) >> 21
-	s4 += carry[3]
-	s3 -= carry[3] << 21
-	carry[5] = (s5 + (1 << 20)) >> 21
-	s6 += carry[5]
-	s5 -= carry[5] << 21
-	carry[7] = (s7 + (1 << 20)) >> 21
-	s8 += carry[7]
-	s7 -= carry[7] << 21
-	carry[9] = (s9 + (1 << 20)) >> 21
-	s10 += carry[9]
-	s9 -= carry[9] << 21
-	carry[11] = (s11 + (1 << 20)) >> 21
-	s12 += carry[11]
-	s11 -= carry[11] << 21
-
-	s0 += s12 * 666643
-	s1 += s12 * 470296
-	s2 += s12 * 654183
-	s3 -= s12 * 997805
-	s4 += s12 * 136657
-	s5 -= s12 * 683901
-	s12 = 0
-
-	carry[0] = s0 >> 21
-	s1 += carry[0]
-	s0 -= carry[0] << 21
-	carry[1] = s1 >> 21
-	s2 += carry[1]
-	s1 -= carry[1] << 21
-	carry[2] = s2 >> 21
-	s3 += carry[2]
-	s2 -= carry[2] << 21
-	carry[3] = s3 >> 21
-	s4 += carry[3]
-	s3 -= carry[3] << 21
-	carry[4] = s4 >> 21
-	s5 += carry[4]
-	s4 -= carry[4] << 21
-	carry[5] = s5 >> 21
-	s6 += carry[5]
-	s5 -= carry[5] << 21
-	carry[6] = s6 >> 21
-	s7 += carry[6]
-	s6 -= carry[6] << 21
-	carry[7] = s7 >> 21
-	s8 += carry[7]
-	s7 -= carry[7] << 21
-	carry[8] = s8 >> 21
-	s9 += carry[8]
-	s8 -= carry[8] << 21
-	carry[9] = s9 >> 21
-	s10 += carry[9]
-	s9 -= carry[9] << 21
-	carry[10] = s10 >> 21
-	s11 += carry[10]
-	s10 -= carry[10] << 21
-	carry[11] = s11 >> 21
-	s12 += carry[11]
-	s11 -= carry[11] << 21
-
-	s0 += s12 * 666643
-	s1 += s12 * 470296
-	s2 += s12 * 654183
-	s3 -= s12 * 997805
-	s4 += s12 * 136657
-	s5 -= s12 * 683901
-	s12 = 0
-
-	carry[0] = s0 >> 21
-	s1 += carry[0]
-	s0 -= carry[0] << 21
-	carry[1] = s1 >> 21
-	s2 += carry[1]
-	s1 -= carry[1] << 21
-	carry[2] = s2 >> 21
-	s3 += carry[2]
-	s2 -= carry[2] << 21
-	carry[3] = s3 >> 21
-	s4 += carry[3]
-	s3 -= carry[3] << 21
-	carry[4] = s4 >> 21
-	s5 += carry[4]
-	s4 -= carry[4] << 21
-	carry[5] = s5 >> 21
-	s6 += carry[5]
-	s5 -= carry[5] << 21
-	carry[6] = s6 >> 21
-	s7 += carry[6]
-	s6 -= carry[6] << 21
-	carry[7] = s7 >> 21
-	s8 += carry[7]
-	s7 -= carry[7] << 21
-	carry[8] = s8 >> 21
-	s9 += carry[8]
-	s8 -= carry[8] << 21
-	carry[9] = s9 >> 21
-	s10 += carry[9]
-	s9 -= carry[9] << 21
-	carry[10] = s10 >> 21
-	s11 += carry[10]
-	s10 -= carry[10] << 21
-
-	out[0] = byte(s0 >> 0)
-	out[1] = byte(s0 >> 8)
-	out[2] = byte((s0 >> 16) | (s1 << 5))
-	out[3] = byte(s1 >> 3)
-	out[4] = byte(s1 >> 11)
-	out[5] = byte((s1 >> 19) | (s2 << 2))
-	out[6] = byte(s2 >> 6)
-	out[7] = byte((s2 >> 14) | (s3 << 7))
-	out[8] = byte(s3 >> 1)
-	out[9] = byte(s3 >> 9)
-	out[10] = byte((s3 >> 17) | (s4 << 4))
-	out[11] = byte(s4 >> 4)
-	out[12] = byte(s4 >> 12)
-	out[13] = byte((s4 >> 20) | (s5 << 1))
-	out[14] = byte(s5 >> 7)
-	out[15] = byte((s5 >> 15) | (s6 << 6))
-	out[16] = byte(s6 >> 2)
-	out[17] = byte(s6 >> 10)
-	out[18] = byte((s6 >> 18) | (s7 << 3))
-	out[19] = byte(s7 >> 5)
-	out[20] = byte(s7 >> 13)
-	out[21] = byte(s8 >> 0)
-	out[22] = byte(s8 >> 8)
-	out[23] = byte((s8 >> 16) | (s9 << 5))
-	out[24] = byte(s9 >> 3)
-	out[25] = byte(s9 >> 11)
-	out[26] = byte((s9 >> 19) | (s10 << 2))
-	out[27] = byte(s10 >> 6)
-	out[28] = byte((s10 >> 14) | (s11 << 7))
-	out[29] = byte(s11 >> 1)
-	out[30] = byte(s11 >> 9)
-	out[31] = byte(s11 >> 17)
-}

vendor/github.com/docker/docker-credential-helpers/client/client.go

@@ -1,87 +0,0 @@
-package client
-
-import (
-	"bytes"
-	"encoding/json"
-	"fmt"
-	"strings"
-
-	"github.com/docker/docker-credential-helpers/credentials"
-)
-
-// Store uses an external program to save credentials.
-func Store(program ProgramFunc, credentials *credentials.Credentials) error {
-	cmd := program("store")
-
-	buffer := new(bytes.Buffer)
-	if err := json.NewEncoder(buffer).Encode(credentials); err != nil {
-		return err
-	}
-	cmd.Input(buffer)
-
-	out, err := cmd.Output()
-	if err != nil {
-		t := strings.TrimSpace(string(out))
-		return fmt.Errorf("error storing credentials - err: %v, out: `%s`", err, t)
-	}
-
-	return nil
-}
-
-// Get executes an external program to get the credentials from a native store.
-func Get(program ProgramFunc, serverURL string) (*credentials.Credentials, error) {
-	cmd := program("get")
-	cmd.Input(strings.NewReader(serverURL))
-
-	out, err := cmd.Output()
-	if err != nil {
-		t := strings.TrimSpace(string(out))
-
-		if credentials.IsErrCredentialsNotFoundMessage(t) {
-			return nil, credentials.NewErrCredentialsNotFound()
-		}
-
-		return nil, fmt.Errorf("error getting credentials - err: %v, out: `%s`", err, t)
-	}
-
-	resp := &credentials.Credentials{
-		ServerURL: serverURL,
-	}
-
-	if err := json.NewDecoder(bytes.NewReader(out)).Decode(resp); err != nil {
-		return nil, err
-	}
-
-	return resp, nil
-}
-
-// Erase executes a program to remove the server credentials from the native store.
-func Erase(program ProgramFunc, serverURL string) error {
-	cmd := program("erase")
-	cmd.Input(strings.NewReader(serverURL))
-	out, err := cmd.Output()
-	if err != nil {
-		t := strings.TrimSpace(string(out))
-		return fmt.Errorf("error erasing credentials - err: %v, out: `%s`", err, t)
-	}
-
-	return nil
-}
-
-// List executes a program to list server credentials in the native store.
-func List(program ProgramFunc) (map[string]string, error) {
-	cmd := program("list")
-	cmd.Input(strings.NewReader("unused"))
-	out, err := cmd.Output()
-	if err != nil {
-		t := strings.TrimSpace(string(out))
-		return nil, fmt.Errorf("error listing credentials - err: %v, out: `%s`", err, t)
-	}
-
-	var resp map[string]string
-	if err = json.NewDecoder(bytes.NewReader(out)).Decode(&resp); err != nil {
-		return nil, err
-	}
-
-	return resp, nil
-}

vendor/github.com/docker/docker-credential-helpers/client/command.go

@@ -1,37 +0,0 @@
-package client
-
-import (
-	"io"
-	"os/exec"
-)
-
-// Program is an interface to execute external programs.
-type Program interface {
-	Output() ([]byte, error)
-	Input(in io.Reader)
-}
-
-// ProgramFunc is a type of function that initializes programs based on arguments.
-type ProgramFunc func(args ...string) Program
-
-// NewShellProgramFunc creates programs that are executed in a Shell.
-func NewShellProgramFunc(name string) ProgramFunc {
-	return func(args ...string) Program {
-		return &Shell{cmd: exec.Command(name, args...)}
-	}
-}
-
-// Shell invokes shell commands to talk with a remote credentials helper.
-type Shell struct {
-	cmd *exec.Cmd
-}
-
-// Output returns responses from the remote credentials helper.
-func (s *Shell) Output() ([]byte, error) {
-	return s.cmd.Output()
-}
-
-// Input sets the input to send to a remote credentials helper.
-func (s *Shell) Input(in io.Reader) {
-	s.cmd.Stdin = in
-}

vendor/github.com/docker/docker-credential-helpers/credentials/credentials.go

@@ -1,150 +0,0 @@
-package credentials
-
-import (
-	"bufio"
-	"bytes"
-	"encoding/json"
-	"fmt"
-	"io"
-	"os"
-	"strings"
-)
-
-// Credentials holds the information shared between docker and the credentials store.
-type Credentials struct {
-	ServerURL string
-	Username  string
-	Secret    string
-}
-
-// Docker credentials should be labeled as such in credentials stores that allow labelling.
-// That label allows to filter out non-Docker credentials too at lookup/search in macOS keychain,
-// Windows credentials manager and Linux libsecret. Default value is "Docker Credentials"
-var CredsLabel = "Docker Credentials"
-
-func SetCredsLabel(label string) {
-	CredsLabel = label
-}
-
-// Serve initializes the credentials helper and parses the action argument.
-// This function is designed to be called from a command line interface.
-// It uses os.Args[1] as the key for the action.
-// It uses os.Stdin as input and os.Stdout as output.
-// This function terminates the program with os.Exit(1) if there is an error.
-func Serve(helper Helper) {
-	var err error
-	if len(os.Args) != 2 {
-		err = fmt.Errorf("Usage: %s <store|get|erase|list>", os.Args[0])
-	}
-
-	if err == nil {
-		err = HandleCommand(helper, os.Args[1], os.Stdin, os.Stdout)
-	}
-
-	if err != nil {
-		fmt.Fprintf(os.Stdout, "%v\n", err)
-		os.Exit(1)
-	}
-}
-
-// HandleCommand uses a helper and a key to run a credential action.
-func HandleCommand(helper Helper, key string, in io.Reader, out io.Writer) error {
-	switch key {
-	case "store":
-		return Store(helper, in)
-	case "get":
-		return Get(helper, in, out)
-	case "erase":
-		return Erase(helper, in)
-	case "list":
-		return List(helper, out)
-	}
-	return fmt.Errorf("Unknown credential action `%s`", key)
-}
-
-// Store uses a helper and an input reader to save credentials.
-// The reader must contain the JSON serialization of a Credentials struct.
-func Store(helper Helper, reader io.Reader) error {
-	scanner := bufio.NewScanner(reader)
-
-	buffer := new(bytes.Buffer)
-	for scanner.Scan() {
-		buffer.Write(scanner.Bytes())
-	}
-
-	if err := scanner.Err(); err != nil && err != io.EOF {
-		return err
-	}
-
-	var creds Credentials
-	if err := json.NewDecoder(buffer).Decode(&creds); err != nil {
-		return err
-	}
-
-	return helper.Add(&creds)
-}
-
-// Get retrieves the credentials for a given server url.
-// The reader must contain the server URL to search.
-// The writer is used to write the JSON serialization of the credentials.
-func Get(helper Helper, reader io.Reader, writer io.Writer) error {
-	scanner := bufio.NewScanner(reader)
-
-	buffer := new(bytes.Buffer)
-	for scanner.Scan() {
-		buffer.Write(scanner.Bytes())
-	}
-
-	if err := scanner.Err(); err != nil && err != io.EOF {
-		return err
-	}
-
-	serverURL := strings.TrimSpace(buffer.String())
-
-	username, secret, err := helper.Get(serverURL)
-	if err != nil {
-		return err
-	}
-
-	resp := Credentials{
-		Username: username,
-		Secret:   secret,
-	}
-
-	buffer.Reset()
-	if err := json.NewEncoder(buffer).Encode(resp); err != nil {
-		return err
-	}
-
-	fmt.Fprint(writer, buffer.String())
-	return nil
-}
-
-// Erase removes credentials from the store.
-// The reader must contain the server URL to remove.
-func Erase(helper Helper, reader io.Reader) error {
-	scanner := bufio.NewScanner(reader)
-
-	buffer := new(bytes.Buffer)
-	for scanner.Scan() {
-		buffer.Write(scanner.Bytes())
-	}
-
-	if err := scanner.Err(); err != nil && err != io.EOF {
-		return err
-	}
-
-	serverURL := strings.TrimSpace(buffer.String())
-
-	return helper.Delete(serverURL)
-}
-
-//List returns all the serverURLs of keys in
-//the OS store as a list of strings
-func List(helper Helper, writer io.Writer) error {
-	accts, err := helper.List()
-	if err != nil {
-		return err
-	}
-	return json.NewEncoder(writer).Encode(accts)
-}

vendor/github.com/docker/docker-credential-helpers/credentials/error.go

@@ -1,37 +0,0 @@
-package credentials
-
-// ErrCredentialsNotFound standarizes the not found error, so every helper returns
-// the same message and docker can handle it properly.
-const errCredentialsNotFoundMessage = "credentials not found in native keychain"
-
-// errCredentialsNotFound represents an error
-// raised when credentials are not in the store.
-type errCredentialsNotFound struct{}
-
-// Error returns the standard error message
-// for when the credentials are not in the store.
-func (errCredentialsNotFound) Error() string {
-	return errCredentialsNotFoundMessage
-}
-
-// NewErrCredentialsNotFound creates a new error
-// for when the credentials are not in the store.
-func NewErrCredentialsNotFound() error {
-	return errCredentialsNotFound{}
-}
-
-// IsErrCredentialsNotFound returns true if the error
-// was caused by not having a set of credentials in a store.
-func IsErrCredentialsNotFound(err error) bool {
-	_, ok := err.(errCredentialsNotFound)
-	return ok
-}
-
-// IsErrCredentialsNotFoundMessage returns true if the error
-// was caused by not having a set of credentials in a store.
-//
-// This function helps to check messages returned by an
-// external program via its standard output.
-func IsErrCredentialsNotFoundMessage(err string) bool {
-	return err == errCredentialsNotFoundMessage
-}

vendor/github.com/docker/docker-credential-helpers/credentials/helper.go

@@ -1,14 +0,0 @@
-package credentials
-
-// Helper is the interface a credentials store helper must implement.
-type Helper interface {
-	// Add appends credentials to the store.
-	Add(*Credentials) error
-	// Delete removes credentials from the store.
-	Delete(serverURL string) error
-	// Get retrieves credentials from the store.
-	// It returns username and secret as strings.
-	Get(serverURL string) (string, string, error)
-	// List returns the stored serverURLs and their associated usernames.
-	List() (map[string]string, error)
-}

vendor/github.com/docker/go/LICENSE

@@ -1,27 +0,0 @@
-Copyright (c) 2012 The Go Authors. All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are
-met:
-
-   * Redistributions of source code must retain the above copyright
-notice, this list of conditions and the following disclaimer.
-   * Redistributions in binary form must reproduce the above
-copyright notice, this list of conditions and the following disclaimer
-in the documentation and/or other materials provided with the
-distribution.
-   * Neither the name of Google Inc. nor the names of its
-contributors may be used to endorse or promote products derived from
-this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
-"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
-LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
-A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
-OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
-LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

vendor/github.com/docker/go/README.md

@@ -1,16 +0,0 @@
-[![Circle CI](https://circleci.com/gh/jfrazelle/go.svg?style=svg)](https://circleci.com/gh/jfrazelle/go)
-
-This is a repository used for building go packages based off upstream with
-small patches.
-
-It is only used so far for a canonical json pkg.
-
-I hope we do not need to use it for anything else in the future.
-
-**To update:**
-
-```console
-$ make update
-```
-
-This will nuke the current package, clone upstream and apply the patch.

vendor/github.com/docker/go/canonical/json/decode.go

@@ -1,1094 +0,0 @@
-// Copyright 2010 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Represents JSON data structure using native Go types: booleans, floats,
-// strings, arrays, and maps.
-
-package json
-
-import (
-	"bytes"
-	"encoding"
-	"encoding/base64"
-	"errors"
-	"fmt"
-	"reflect"
-	"runtime"
-	"strconv"
-	"unicode"
-	"unicode/utf16"
-	"unicode/utf8"
-)
-
-// Unmarshal parses the JSON-encoded data and stores the result
-// in the value pointed to by v.
-//
-// Unmarshal uses the inverse of the encodings that
-// Marshal uses, allocating maps, slices, and pointers as necessary,
-// with the following additional rules:
-//
-// To unmarshal JSON into a pointer, Unmarshal first handles the case of
-// the JSON being the JSON literal null.  In that case, Unmarshal sets
-// the pointer to nil.  Otherwise, Unmarshal unmarshals the JSON into
-// the value pointed at by the pointer.  If the pointer is nil, Unmarshal
-// allocates a new value for it to point to.
-//
-// To unmarshal JSON into a struct, Unmarshal matches incoming object
-// keys to the keys used by Marshal (either the struct field name or its tag),
-// preferring an exact match but also accepting a case-insensitive match.
-//
-// To unmarshal JSON into an interface value,
-// Unmarshal stores one of these in the interface value:
-//
-//	bool, for JSON booleans
-//	float64, for JSON numbers
-//	string, for JSON strings
-//	[]interface{}, for JSON arrays
-//	map[string]interface{}, for JSON objects
-//	nil for JSON null
-//
-// To unmarshal a JSON array into a slice, Unmarshal resets the slice to nil
-// and then appends each element to the slice.
-//
-// To unmarshal a JSON object into a map, Unmarshal replaces the map
-// with an empty map and then adds key-value pairs from the object to
-// the map.
-//
-// If a JSON value is not appropriate for a given target type,
-// or if a JSON number overflows the target type, Unmarshal
-// skips that field and completes the unmarshalling as best it can.
-// If no more serious errors are encountered, Unmarshal returns
-// an UnmarshalTypeError describing the earliest such error.
-//
-// The JSON null value unmarshals into an interface, map, pointer, or slice
-// by setting that Go value to nil. Because null is often used in JSON to mean
-// ``not present,'' unmarshaling a JSON null into any other Go type has no effect
-// on the value and produces no error.
-//
-// When unmarshaling quoted strings, invalid UTF-8 or
-// invalid UTF-16 surrogate pairs are not treated as an error.
-// Instead, they are replaced by the Unicode replacement
-// character U+FFFD.
-//
-func Unmarshal(data []byte, v interface{}) error {
-	// Check for well-formedness.
-	// Avoids filling out half a data structure
-	// before discovering a JSON syntax error.
-	var d decodeState
-	err := checkValid(data, &d.scan)
-	if err != nil {
-		return err
-	}
-
-	d.init(data)
-	return d.unmarshal(v)
-}
-
-// Unmarshaler is the interface implemented by objects
-// that can unmarshal a JSON description of themselves.
-// The input can be assumed to be a valid encoding of
-// a JSON value. UnmarshalJSON must copy the JSON data
-// if it wishes to retain the data after returning.
-type Unmarshaler interface {
-	UnmarshalJSON([]byte) error
-}
-
-// An UnmarshalTypeError describes a JSON value that was
-// not appropriate for a value of a specific Go type.
-type UnmarshalTypeError struct {
-	Value  string       // description of JSON value - "bool", "array", "number -5"
-	Type   reflect.Type // type of Go value it could not be assigned to
-	Offset int64        // error occurred after reading Offset bytes
-}
-
-func (e *UnmarshalTypeError) Error() string {
-	return "json: cannot unmarshal " + e.Value + " into Go value of type " + e.Type.String()
-}
-
-// An UnmarshalFieldError describes a JSON object key that
-// led to an unexported (and therefore unwritable) struct field.
-// (No longer used; kept for compatibility.)
-type UnmarshalFieldError struct {
-	Key   string
-	Type  reflect.Type
-	Field reflect.StructField
-}
-
-func (e *UnmarshalFieldError) Error() string {
-	return "json: cannot unmarshal object key " + strconv.Quote(e.Key) + " into unexported field " + e.Field.Name + " of type " + e.Type.String()
-}
-
-// An InvalidUnmarshalError describes an invalid argument passed to Unmarshal.
-// (The argument to Unmarshal must be a non-nil pointer.)
-type InvalidUnmarshalError struct {
-	Type reflect.Type
-}
-
-func (e *InvalidUnmarshalError) Error() string {
-	if e.Type == nil {
-		return "json: Unmarshal(nil)"
-	}
-
-	if e.Type.Kind() != reflect.Ptr {
-		return "json: Unmarshal(non-pointer " + e.Type.String() + ")"
-	}
-	return "json: Unmarshal(nil " + e.Type.String() + ")"
-}
-
-func (d *decodeState) unmarshal(v interface{}) (err error) {
-	defer func() {
-		if r := recover(); r != nil {
-			if _, ok := r.(runtime.Error); ok {
-				panic(r)
-			}
-			err = r.(error)
-		}
-	}()
-
-	rv := reflect.ValueOf(v)
-	if rv.Kind() != reflect.Ptr || rv.IsNil() {
-		return &InvalidUnmarshalError{reflect.TypeOf(v)}
-	}
-
-	d.scan.reset()
-	// We decode rv not rv.Elem because the Unmarshaler interface
-	// test must be applied at the top level of the value.
-	d.value(rv)
-	return d.savedError
-}
-
-// A Number represents a JSON number literal.
-type Number string
-
-// String returns the literal text of the number.
-func (n Number) String() string { return string(n) }
-
-// Float64 returns the number as a float64.
-func (n Number) Float64() (float64, error) {
-	return strconv.ParseFloat(string(n), 64)
-}
-
-// Int64 returns the number as an int64.
-func (n Number) Int64() (int64, error) {
-	return strconv.ParseInt(string(n), 10, 64)
-}
-
-// decodeState represents the state while decoding a JSON value.
-type decodeState struct {
-	data       []byte
-	off        int // read offset in data
-	scan       scanner
-	nextscan   scanner // for calls to nextValue
-	savedError error
-	useNumber  bool
-	canonical  bool
-}
-
-// errPhase is used for errors that should not happen unless
-// there is a bug in the JSON decoder or something is editing
-// the data slice while the decoder executes.
-var errPhase = errors.New("JSON decoder out of sync - data changing underfoot?")
-
-func (d *decodeState) init(data []byte) *decodeState {
-	d.data = data
-	d.off = 0
-	d.savedError = nil
-	return d
-}
-
-// error aborts the decoding by panicking with err.
-func (d *decodeState) error(err error) {
-	panic(err)
-}
-
-// saveError saves the first err it is called with,
-// for reporting at the end of the unmarshal.
-func (d *decodeState) saveError(err error) {
-	if d.savedError == nil {
-		d.savedError = err
-	}
-}
-
-// next cuts off and returns the next full JSON value in d.data[d.off:].
-// The next value is known to be an object or array, not a literal.
-func (d *decodeState) next() []byte {
-	c := d.data[d.off]
-	item, rest, err := nextValue(d.data[d.off:], &d.nextscan)
-	if err != nil {
-		d.error(err)
-	}
-	d.off = len(d.data) - len(rest)
-
-	// Our scanner has seen the opening brace/bracket
-	// and thinks we're still in the middle of the object.
-	// invent a closing brace/bracket to get it out.
-	if c == '{' {
-		d.scan.step(&d.scan, '}')
-	} else {
-		d.scan.step(&d.scan, ']')
-	}
-
-	return item
-}
-
-// scanWhile processes bytes in d.data[d.off:] until it
-// receives a scan code not equal to op.
-// It updates d.off and returns the new scan code.
-func (d *decodeState) scanWhile(op int) int {
-	var newOp int
-	for {
-		if d.off >= len(d.data) {
-			newOp = d.scan.eof()
-			d.off = len(d.data) + 1 // mark processed EOF with len+1
-		} else {
-			c := int(d.data[d.off])
-			d.off++
-			newOp = d.scan.step(&d.scan, c)
-		}
-		if newOp != op {
-			break
-		}
-	}
-	return newOp
-}
-
-// value decodes a JSON value from d.data[d.off:] into the value.
-// it updates d.off to point past the decoded value.
-func (d *decodeState) value(v reflect.Value) {
-	if !v.IsValid() {
-		_, rest, err := nextValue(d.data[d.off:], &d.nextscan)
-		if err != nil {
-			d.error(err)
-		}
-		d.off = len(d.data) - len(rest)
-
-		// d.scan thinks we're still at the beginning of the item.
-		// Feed in an empty string - the shortest, simplest value -
-		// so that it knows we got to the end of the value.
-		if d.scan.redo {
-			// rewind.
-			d.scan.redo = false
-			d.scan.step = stateBeginValue
-		}
-		d.scan.step(&d.scan, '"')
-		d.scan.step(&d.scan, '"')
-
-		n := len(d.scan.parseState)
-		if n > 0 && d.scan.parseState[n-1] == parseObjectKey {
-			// d.scan thinks we just read an object key; finish the object
-			d.scan.step(&d.scan, ':')
-			d.scan.step(&d.scan, '"')
-			d.scan.step(&d.scan, '"')
-			d.scan.step(&d.scan, '}')
-		}
-
-		return
-	}
-
-	switch op := d.scanWhile(scanSkipSpace); op {
-	default:
-		d.error(errPhase)
-
-	case scanBeginArray:
-		d.array(v)
-
-	case scanBeginObject:
-		d.object(v)
-
-	case scanBeginLiteral:
-		d.literal(v)
-	}
-}
-
-type unquotedValue struct{}
-
-// valueQuoted is like value but decodes a
-// quoted string literal or literal null into an interface value.
-// If it finds anything other than a quoted string literal or null,
-// valueQuoted returns unquotedValue{}.
-func (d *decodeState) valueQuoted() interface{} {
-	switch op := d.scanWhile(scanSkipSpace); op {
-	default:
-		d.error(errPhase)
-
-	case scanBeginArray:
-		d.array(reflect.Value{})
-
-	case scanBeginObject:
-		d.object(reflect.Value{})
-
-	case scanBeginLiteral:
-		switch v := d.literalInterface().(type) {
-		case nil, string:
-			return v
-		}
-	}
-	return unquotedValue{}
-}
-
-// indirect walks down v allocating pointers as needed,
-// until it gets to a non-pointer.
-// if it encounters an Unmarshaler, indirect stops and returns that.
-// if decodingNull is true, indirect stops at the last pointer so it can be set to nil.
-func (d *decodeState) indirect(v reflect.Value, decodingNull bool) (Unmarshaler, encoding.TextUnmarshaler, reflect.Value) {
-	// If v is a named type and is addressable,
-	// start with its address, so that if the type has pointer methods,
-	// we find them.
-	if v.Kind() != reflect.Ptr && v.Type().Name() != "" && v.CanAddr() {
-		v = v.Addr()
-	}
-	for {
-		// Load value from interface, but only if the result will be
-		// usefully addressable.
-		if v.Kind() == reflect.Interface && !v.IsNil() {
-			e := v.Elem()
-			if e.Kind() == reflect.Ptr && !e.IsNil() && (!decodingNull || e.Elem().Kind() == reflect.Ptr) {
-				v = e
-				continue
-			}
-		}
-
-		if v.Kind() != reflect.Ptr {
-			break
-		}
-
-		if v.Elem().Kind() != reflect.Ptr && decodingNull && v.CanSet() {
-			break
-		}
-		if v.IsNil() {
-			v.Set(reflect.New(v.Type().Elem()))
-		}
-		if v.Type().NumMethod() > 0 {
-			if u, ok := v.Interface().(Unmarshaler); ok {
-				return u, nil, reflect.Value{}
-			}
-			if u, ok := v.Interface().(encoding.TextUnmarshaler); ok {
-				return nil, u, reflect.Value{}
-			}
-		}
-		v = v.Elem()
-	}
-	return nil, nil, v
-}
-
-// array consumes an array from d.data[d.off-1:], decoding into the value v.
-// the first byte of the array ('[') has been read already.
-func (d *decodeState) array(v reflect.Value) {
-	// Check for unmarshaler.
-	u, ut, pv := d.indirect(v, false)
-	if u != nil {
-		d.off--
-		err := u.UnmarshalJSON(d.next())
-		if err != nil {
-			d.error(err)
-		}
-		return
-	}
-	if ut != nil {
-		d.saveError(&UnmarshalTypeError{"array", v.Type(), int64(d.off)})
-		d.off--
-		d.next()
-		return
-	}
-
-	v = pv
-
-	// Check type of target.
-	switch v.Kind() {
-	case reflect.Interface:
-		if v.NumMethod() == 0 {
-			// Decoding into nil interface?  Switch to non-reflect code.
-			v.Set(reflect.ValueOf(d.arrayInterface()))
-			return
-		}
-		// Otherwise it's invalid.
-		fallthrough
-	default:
-		d.saveError(&UnmarshalTypeError{"array", v.Type(), int64(d.off)})
-		d.off--
-		d.next()
-		return
-	case reflect.Array:
-	case reflect.Slice:
-		break
-	}
-
-	i := 0
-	for {
-		// Look ahead for ] - can only happen on first iteration.
-		op := d.scanWhile(scanSkipSpace)
-		if op == scanEndArray {
-			break
-		}
-
-		// Back up so d.value can have the byte we just read.
-		d.off--
-		d.scan.undo(op)
-
-		// Get element of array, growing if necessary.
-		if v.Kind() == reflect.Slice {
-			// Grow slice if necessary
-			if i >= v.Cap() {
-				newcap := v.Cap() + v.Cap()/2
-				if newcap < 4 {
-					newcap = 4
-				}
-				newv := reflect.MakeSlice(v.Type(), v.Len(), newcap)
-				reflect.Copy(newv, v)
-				v.Set(newv)
-			}
-			if i >= v.Len() {
-				v.SetLen(i + 1)
-			}
-		}
-
-		if i < v.Len() {
-			// Decode into element.
-			d.value(v.Index(i))
-		} else {
-			// Ran out of fixed array: skip.
-			d.value(reflect.Value{})
-		}
-		i++
-
-		// Next token must be , or ].
-		op = d.scanWhile(scanSkipSpace)
-		if op == scanEndArray {
-			break
-		}
-		if op != scanArrayValue {
-			d.error(errPhase)
-		}
-	}
-
-	if i < v.Len() {
-		if v.Kind() == reflect.Array {
-			// Array.  Zero the rest.
-			z := reflect.Zero(v.Type().Elem())
-			for ; i < v.Len(); i++ {
-				v.Index(i).Set(z)
-			}
-		} else {
-			v.SetLen(i)
-		}
-	}
-	if i == 0 && v.Kind() == reflect.Slice {
-		v.Set(reflect.MakeSlice(v.Type(), 0, 0))
-	}
-}
-
-var nullLiteral = []byte("null")
-
-// object consumes an object from d.data[d.off-1:], decoding into the value v.
-// the first byte ('{') of the object has been read already.
-func (d *decodeState) object(v reflect.Value) {
-	// Check for unmarshaler.
-	u, ut, pv := d.indirect(v, false)
-	if u != nil {
-		d.off--
-		err := u.UnmarshalJSON(d.next())
-		if err != nil {
-			d.error(err)
-		}
-		return
-	}
-	if ut != nil {
-		d.saveError(&UnmarshalTypeError{"object", v.Type(), int64(d.off)})
-		d.off--
-		d.next() // skip over { } in input
-		return
-	}
-	v = pv
-
-	// Decoding into nil interface?  Switch to non-reflect code.
-	if v.Kind() == reflect.Interface && v.NumMethod() == 0 {
-		v.Set(reflect.ValueOf(d.objectInterface()))
-		return
-	}
-
-	// Check type of target: struct or map[string]T
-	switch v.Kind() {
-	case reflect.Map:
-		// map must have string kind
-		t := v.Type()
-		if t.Key().Kind() != reflect.String {
-			d.saveError(&UnmarshalTypeError{"object", v.Type(), int64(d.off)})
-			d.off--
-			d.next() // skip over { } in input
-			return
-		}
-		if v.IsNil() {
-			v.Set(reflect.MakeMap(t))
-		}
-	case reflect.Struct:
-
-	default:
-		d.saveError(&UnmarshalTypeError{"object", v.Type(), int64(d.off)})
-		d.off--
-		d.next() // skip over { } in input
-		return
-	}
-
-	var mapElem reflect.Value
-
-	for {
-		// Read opening " of string key or closing }.
-		op := d.scanWhile(scanSkipSpace)
-		if op == scanEndObject {
-			// closing } - can only happen on first iteration.
-			break
-		}
-		if op != scanBeginLiteral {
-			d.error(errPhase)
-		}
-
-		// Read key.
-		start := d.off - 1
-		op = d.scanWhile(scanContinue)
-		item := d.data[start : d.off-1]
-		key, ok := unquoteBytes(item)
-		if !ok {
-			d.error(errPhase)
-		}
-
-		// Figure out field corresponding to key.
-		var subv reflect.Value
-		destring := false // whether the value is wrapped in a string to be decoded first
-
-		if v.Kind() == reflect.Map {
-			elemType := v.Type().Elem()
-			if !mapElem.IsValid() {
-				mapElem = reflect.New(elemType).Elem()
-			} else {
-				mapElem.Set(reflect.Zero(elemType))
-			}
-			subv = mapElem
-		} else {
-			var f *field
-			fields := cachedTypeFields(v.Type(), false)
-			for i := range fields {
-				ff := &fields[i]
-				if bytes.Equal(ff.nameBytes, key) {
-					f = ff
-					break
-				}
-				if f == nil && ff.equalFold(ff.nameBytes, key) {
-					f = ff
-				}
-			}
-			if f != nil {
-				subv = v
-				destring = f.quoted
-				for _, i := range f.index {
-					if subv.Kind() == reflect.Ptr {
-						if subv.IsNil() {
-							subv.Set(reflect.New(subv.Type().Elem()))
-						}
-						subv = subv.Elem()
-					}
-					subv = subv.Field(i)
-				}
-			}
-		}
-
-		// Read : before value.
-		if op == scanSkipSpace {
-			op = d.scanWhile(scanSkipSpace)
-		}
-		if op != scanObjectKey {
-			d.error(errPhase)
-		}
-
-		// Read value.
-		if destring {
-			switch qv := d.valueQuoted().(type) {
-			case nil:
-				d.literalStore(nullLiteral, subv, false)
-			case string:
-				d.literalStore([]byte(qv), subv, true)
-			default:
-				d.saveError(fmt.Errorf("json: invalid use of ,string struct tag, trying to unmarshal unquoted value into %v", subv.Type()))
-			}
-		} else {
-			d.value(subv)
-		}
-
-		// Write value back to map;
-		// if using struct, subv points into struct already.
-		if v.Kind() == reflect.Map {
-			kv := reflect.ValueOf(key).Convert(v.Type().Key())
-			v.SetMapIndex(kv, subv)
-		}
-
-		// Next token must be , or }.
-		op = d.scanWhile(scanSkipSpace)
-		if op == scanEndObject {
-			break
-		}
-		if op != scanObjectValue {
-			d.error(errPhase)
-		}
-	}
-}
-
-// literal consumes a literal from d.data[d.off-1:], decoding into the value v.
-// The first byte of the literal has been read already
-// (that's how the caller knows it's a literal).
-func (d *decodeState) literal(v reflect.Value) {
-	// All bytes inside literal return scanContinue op code.
-	start := d.off - 1
-	op := d.scanWhile(scanContinue)
-
-	// Scan read one byte too far; back up.
-	d.off--
-	d.scan.undo(op)
-
-	d.literalStore(d.data[start:d.off], v, false)
-}
-
-// convertNumber converts the number literal s to a float64 or a Number
-// depending on the setting of d.useNumber.
-func (d *decodeState) convertNumber(s string) (interface{}, error) {
-	if d.useNumber {
-		return Number(s), nil
-	}
-	f, err := strconv.ParseFloat(s, 64)
-	if err != nil {
-		return nil, &UnmarshalTypeError{"number " + s, reflect.TypeOf(0.0), int64(d.off)}
-	}
-	return f, nil
-}
-
-var numberType = reflect.TypeOf(Number(""))
-
-// literalStore decodes a literal stored in item into v.
-//
-// fromQuoted indicates whether this literal came from unwrapping a
-// string from the ",string" struct tag option. this is used only to
-// produce more helpful error messages.
-func (d *decodeState) literalStore(item []byte, v reflect.Value, fromQuoted bool) {
-	// Check for unmarshaler.
-	if len(item) == 0 {
-		//Empty string given
-		d.saveError(fmt.Errorf("json: invalid use of ,string struct tag, trying to unmarshal %q into %v", item, v.Type()))
-		return
-	}
-	wantptr := item[0] == 'n' // null
-	u, ut, pv := d.indirect(v, wantptr)
-	if u != nil {
-		err := u.UnmarshalJSON(item)
-		if err != nil {
-			d.error(err)
-		}
-		return
-	}
-	if ut != nil {
-		if item[0] != '"' {
-			if fromQuoted {
-				d.saveError(fmt.Errorf("json: invalid use of ,string struct tag, trying to unmarshal %q into %v", item, v.Type()))
-			} else {
-				d.saveError(&UnmarshalTypeError{"string", v.Type(), int64(d.off)})
-			}
-			return
-		}
-		s, ok := unquoteBytes(item)
-		if !ok {
-			if fromQuoted {
-				d.error(fmt.Errorf("json: invalid use of ,string struct tag, trying to unmarshal %q into %v", item, v.Type()))
-			} else {
-				d.error(errPhase)
-			}
-		}
-		err := ut.UnmarshalText(s)
-		if err != nil {
-			d.error(err)
-		}
-		return
-	}
-
-	v = pv
-
-	switch c := item[0]; c {
-	case 'n': // null
-		switch v.Kind() {
-		case reflect.Interface, reflect.Ptr, reflect.Map, reflect.Slice:
-			v.Set(reflect.Zero(v.Type()))
-			// otherwise, ignore null for primitives/string
-		}
-	case 't', 'f': // true, false
-		value := c == 't'
-		switch v.Kind() {
-		default:
-			if fromQuoted {
-				d.saveError(fmt.Errorf("json: invalid use of ,string struct tag, trying to unmarshal %q into %v", item, v.Type()))
-			} else {
-				d.saveError(&UnmarshalTypeError{"bool", v.Type(), int64(d.off)})
-			}
-		case reflect.Bool:
-			v.SetBool(value)
-		case reflect.Interface:
-			if v.NumMethod() == 0 {
-				v.Set(reflect.ValueOf(value))
-			} else {
-				d.saveError(&UnmarshalTypeError{"bool", v.Type(), int64(d.off)})
-			}
-		}
-
-	case '"': // string
-		s, ok := unquoteBytes(item)
-		if !ok {
-			if fromQuoted {
-				d.error(fmt.Errorf("json: invalid use of ,string struct tag, trying to unmarshal %q into %v", item, v.Type()))
-			} else {
-				d.error(errPhase)
-			}
-		}
-		switch v.Kind() {
-		default:
-			d.saveError(&UnmarshalTypeError{"string", v.Type(), int64(d.off)})
-		case reflect.Slice:
-			if v.Type().Elem().Kind() != reflect.Uint8 {
-				d.saveError(&UnmarshalTypeError{"string", v.Type(), int64(d.off)})
-				break
-			}
-			b := make([]byte, base64.StdEncoding.DecodedLen(len(s)))
-			n, err := base64.StdEncoding.Decode(b, s)
-			if err != nil {
-				d.saveError(err)
-				break
-			}
-			v.Set(reflect.ValueOf(b[0:n]))
-		case reflect.String:
-			v.SetString(string(s))
-		case reflect.Interface:
-			if v.NumMethod() == 0 {
-				v.Set(reflect.ValueOf(string(s)))
-			} else {
-				d.saveError(&UnmarshalTypeError{"string", v.Type(), int64(d.off)})
-			}
-		}
-
-	default: // number
-		if c != '-' && (c < '0' || c > '9') {
-			if fromQuoted {
-				d.error(fmt.Errorf("json: invalid use of ,string struct tag, trying to unmarshal %q into %v", item, v.Type()))
-			} else {
-				d.error(errPhase)
-			}
-		}
-		s := string(item)
-		switch v.Kind() {
-		default:
-			if v.Kind() == reflect.String && v.Type() == numberType {
-				v.SetString(s)
-				break
-			}
-			if fromQuoted {
-				d.error(fmt.Errorf("json: invalid use of ,string struct tag, trying to unmarshal %q into %v", item, v.Type()))
-			} else {
-				d.error(&UnmarshalTypeError{"number", v.Type(), int64(d.off)})
-			}
-		case reflect.Interface:
-			n, err := d.convertNumber(s)
-			if err != nil {
-				d.saveError(err)
-				break
-			}
-			if v.NumMethod() != 0 {
-				d.saveError(&UnmarshalTypeError{"number", v.Type(), int64(d.off)})
-				break
-			}
-			v.Set(reflect.ValueOf(n))
-
-		case reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64:
-			n, err := strconv.ParseInt(s, 10, 64)
-			if err != nil || v.OverflowInt(n) {
-				d.saveError(&UnmarshalTypeError{"number " + s, v.Type(), int64(d.off)})
-				break
-			}
-			v.SetInt(n)
-
-		case reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64, reflect.Uintptr:
-			n, err := strconv.ParseUint(s, 10, 64)
-			if err != nil || v.OverflowUint(n) {
-				d.saveError(&UnmarshalTypeError{"number " + s, v.Type(), int64(d.off)})
-				break
-			}
-			v.SetUint(n)
-
-		case reflect.Float32, reflect.Float64:
-			n, err := strconv.ParseFloat(s, v.Type().Bits())
-			if err != nil || v.OverflowFloat(n) {
-				d.saveError(&UnmarshalTypeError{"number " + s, v.Type(), int64(d.off)})
-				break
-			}
-			v.SetFloat(n)
-		}
-	}
-}
-
-// The xxxInterface routines build up a value to be stored
-// in an empty interface.  They are not strictly necessary,
-// but they avoid the weight of reflection in this common case.
-
-// valueInterface is like value but returns interface{}
-func (d *decodeState) valueInterface() interface{} {
-	switch d.scanWhile(scanSkipSpace) {
-	default:
-		d.error(errPhase)
-		panic("unreachable")
-	case scanBeginArray:
-		return d.arrayInterface()
-	case scanBeginObject:
-		return d.objectInterface()
-	case scanBeginLiteral:
-		return d.literalInterface()
-	}
-}
-
-// arrayInterface is like array but returns []interface{}.
-func (d *decodeState) arrayInterface() []interface{} {
-	var v = make([]interface{}, 0)
-	for {
-		// Look ahead for ] - can only happen on first iteration.
-		op := d.scanWhile(scanSkipSpace)
-		if op == scanEndArray {
-			break
-		}
-
-		// Back up so d.value can have the byte we just read.
-		d.off--
-		d.scan.undo(op)
-
-		v = append(v, d.valueInterface())
-
-		// Next token must be , or ].
-		op = d.scanWhile(scanSkipSpace)
-		if op == scanEndArray {
-			break
-		}
-		if op != scanArrayValue {
-			d.error(errPhase)
-		}
-	}
-	return v
-}
-
-// objectInterface is like object but returns map[string]interface{}.
-func (d *decodeState) objectInterface() map[string]interface{} {
-	m := make(map[string]interface{})
-	for {
-		// Read opening " of string key or closing }.
-		op := d.scanWhile(scanSkipSpace)
-		if op == scanEndObject {
-			// closing } - can only happen on first iteration.
-			break
-		}
-		if op != scanBeginLiteral {
-			d.error(errPhase)
-		}
-
-		// Read string key.
-		start := d.off - 1
-		op = d.scanWhile(scanContinue)
-		item := d.data[start : d.off-1]
-		key, ok := unquote(item)
-		if !ok {
-			d.error(errPhase)
-		}
-
-		// Read : before value.
-		if op == scanSkipSpace {
-			op = d.scanWhile(scanSkipSpace)
-		}
-		if op != scanObjectKey {
-			d.error(errPhase)
-		}
-
-		// Read value.
-		m[key] = d.valueInterface()
-
-		// Next token must be , or }.
-		op = d.scanWhile(scanSkipSpace)
-		if op == scanEndObject {
-			break
-		}
-		if op != scanObjectValue {
-			d.error(errPhase)
-		}
-	}
-	return m
-}
-
-// literalInterface is like literal but returns an interface value.
-func (d *decodeState) literalInterface() interface{} {
-	// All bytes inside literal return scanContinue op code.
-	start := d.off - 1
-	op := d.scanWhile(scanContinue)
-
-	// Scan read one byte too far; back up.
-	d.off--
-	d.scan.undo(op)
-	item := d.data[start:d.off]
-
-	switch c := item[0]; c {
-	case 'n': // null
-		return nil
-
-	case 't', 'f': // true, false
-		return c == 't'
-
-	case '"': // string
-		s, ok := unquote(item)
-		if !ok {
-			d.error(errPhase)
-		}
-		return s
-
-	default: // number
-		if c != '-' && (c < '0' || c > '9') {
-			d.error(errPhase)
-		}
-		n, err := d.convertNumber(string(item))
-		if err != nil {
-			d.saveError(err)
-		}
-		return n
-	}
-}
-
-// getu4 decodes \uXXXX from the beginning of s, returning the hex value,
-// or it returns -1.
-func getu4(s []byte) rune {
-	if len(s) < 6 || s[0] != '\\' || s[1] != 'u' {
-		return -1
-	}
-	r, err := strconv.ParseUint(string(s[2:6]), 16, 64)
-	if err != nil {
-		return -1
-	}
-	return rune(r)
-}
-
-// unquote converts a quoted JSON string literal s into an actual string t.
-// The rules are different than for Go, so cannot use strconv.Unquote.
-func unquote(s []byte) (t string, ok bool) {
-	s, ok = unquoteBytes(s)
-	t = string(s)
-	return
-}
-
-func unquoteBytes(s []byte) (t []byte, ok bool) {
-	if len(s) < 2 || s[0] != '"' || s[len(s)-1] != '"' {
-		return
-	}
-	s = s[1 : len(s)-1]
-
-	// Check for unusual characters. If there are none,
-	// then no unquoting is needed, so return a slice of the
-	// original bytes.
-	r := 0
-	for r < len(s) {
-		c := s[r]
-		if c == '\\' || c == '"' || c < ' ' {
-			break
-		}
-		if c < utf8.RuneSelf {
-			r++
-			continue
-		}
-		rr, size := utf8.DecodeRune(s[r:])
-		if rr == utf8.RuneError && size == 1 {
-			break
-		}
-		r += size
-	}
-	if r == len(s) {
-		return s, true
-	}
-
-	b := make([]byte, len(s)+2*utf8.UTFMax)
-	w := copy(b, s[0:r])
-	for r < len(s) {
-		// Out of room?  Can only happen if s is full of
-		// malformed UTF-8 and we're replacing each
-		// byte with RuneError.
-		if w >= len(b)-2*utf8.UTFMax {
-			nb := make([]byte, (len(b)+utf8.UTFMax)*2)
-			copy(nb, b[0:w])
-			b = nb
-		}
-		switch c := s[r]; {
-		case c == '\\':
-			r++
-			if r >= len(s) {
-				return
-			}
-			switch s[r] {
-			default:
-				return
-			case '"', '\\', '/', '\'':
-				b[w] = s[r]
-				r++
-				w++
-			case 'b':
-				b[w] = '\b'
-				r++
-				w++
-			case 'f':
-				b[w] = '\f'
-				r++
-				w++
-			case 'n':
-				b[w] = '\n'
-				r++
-				w++
-			case 'r':
-				b[w] = '\r'
-				r++
-				w++
-			case 't':
-				b[w] = '\t'
-				r++
-				w++
-			case 'u':
-				r--
-				rr := getu4(s[r:])
-				if rr < 0 {
-					return
-				}
-				r += 6
-				if utf16.IsSurrogate(rr) {
-					rr1 := getu4(s[r:])
-					if dec := utf16.DecodeRune(rr, rr1); dec != unicode.ReplacementChar {
-						// A valid pair; consume.
-						r += 6
-						w += utf8.EncodeRune(b[w:], dec)
-						break
-					}
-					// Invalid surrogate; fall back to replacement rune.
-					rr = unicode.ReplacementChar
-				}
-				w += utf8.EncodeRune(b[w:], rr)
-			}
-
-		// Quote, control characters are invalid.
-		case c == '"', c < ' ':
-			return
-
-		// ASCII
-		case c < utf8.RuneSelf:
-			b[w] = c
-			r++
-			w++
-
-		// Coerce to well-formed UTF-8.
-		default:
-			rr, size := utf8.DecodeRune(s[r:])
-			r += size
-			w += utf8.EncodeRune(b[w:], rr)
-		}
-	}
-	return b[0:w], true
-}

vendor/github.com/docker/go/canonical/json/encode.go

@@ -1,1245 +0,0 @@
-// Copyright 2010 The Go Authors.  All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Package json implements encoding and decoding of JSON objects as defined in
-// RFC 4627. The mapping between JSON objects and Go values is described
-// in the documentation for the Marshal and Unmarshal functions.
-//
-// See "JSON and Go" for an introduction to this package:
-// https://golang.org/doc/articles/json_and_go.html
-package json
-
-import (
-	"bytes"
-	"encoding"
-	"encoding/base64"
-	"math"
-	"reflect"
-	"runtime"
-	"sort"
-	"strconv"
-	"strings"
-	"sync"
-	"unicode"
-	"unicode/utf8"
-)
-
-// Marshal returns the JSON encoding of v.
-//
-// Marshal traverses the value v recursively.
-// If an encountered value implements the Marshaler interface
-// and is not a nil pointer, Marshal calls its MarshalJSON method
-// to produce JSON.  The nil pointer exception is not strictly necessary
-// but mimics a similar, necessary exception in the behavior of
-// UnmarshalJSON.
-//
-// Otherwise, Marshal uses the following type-dependent default encodings:
-//
-// Boolean values encode as JSON booleans.
-//
-// Floating point, integer, and Number values encode as JSON numbers.
-//
-// String values encode as JSON strings coerced to valid UTF-8,
-// replacing invalid bytes with the Unicode replacement rune.
-// The angle brackets "<" and ">" are escaped to "\u003c" and "\u003e"
-// to keep some browsers from misinterpreting JSON output as HTML.
-// Ampersand "&" is also escaped to "\u0026" for the same reason.
-//
-// Array and slice values encode as JSON arrays, except that
-// []byte encodes as a base64-encoded string, and a nil slice
-// encodes as the null JSON object.
-//
-// Struct values encode as JSON objects. Each exported struct field
-// becomes a member of the object unless
-//   - the field's tag is "-", or
-//   - the field is empty and its tag specifies the "omitempty" option.
-// The empty values are false, 0, any
-// nil pointer or interface value, and any array, slice, map, or string of
-// length zero. The object's default key string is the struct field name
-// but can be specified in the struct field's tag value. The "json" key in
-// the struct field's tag value is the key name, followed by an optional comma
-// and options. Examples:
-//
-//   // Field is ignored by this package.
-//   Field int `json:"-"`
-//
-//   // Field appears in JSON as key "myName".
-//   Field int `json:"myName"`
-//
-//   // Field appears in JSON as key "myName" and
-//   // the field is omitted from the object if its value is empty,
-//   // as defined above.
-//   Field int `json:"myName,omitempty"`
-//
-//   // Field appears in JSON as key "Field" (the default), but
-//   // the field is skipped if empty.
-//   // Note the leading comma.
-//   Field int `json:",omitempty"`
-//
-// The "string" option signals that a field is stored as JSON inside a
-// JSON-encoded string. It applies only to fields of string, floating point,
-// integer, or boolean types. This extra level of encoding is sometimes used
-// when communicating with JavaScript programs:
-//
-//    Int64String int64 `json:",string"`
-//
-// The key name will be used if it's a non-empty string consisting of
-// only Unicode letters, digits, dollar signs, percent signs, hyphens,
-// underscores and slashes.
-//
-// Anonymous struct fields are usually marshaled as if their inner exported fields
-// were fields in the outer struct, subject to the usual Go visibility rules amended
-// as described in the next paragraph.
-// An anonymous struct field with a name given in its JSON tag is treated as
-// having that name, rather than being anonymous.
-// An anonymous struct field of interface type is treated the same as having
-// that type as its name, rather than being anonymous.
-//
-// The Go visibility rules for struct fields are amended for JSON when
-// deciding which field to marshal or unmarshal. If there are
-// multiple fields at the same level, and that level is the least
-// nested (and would therefore be the nesting level selected by the
-// usual Go rules), the following extra rules apply:
-//
-// 1) Of those fields, if any are JSON-tagged, only tagged fields are considered,
-// even if there are multiple untagged fields that would otherwise conflict.
-// 2) If there is exactly one field (tagged or not according to the first rule), that is selected.
-// 3) Otherwise there are multiple fields, and all are ignored; no error occurs.
-//
-// Handling of anonymous struct fields is new in Go 1.1.
-// Prior to Go 1.1, anonymous struct fields were ignored. To force ignoring of
-// an anonymous struct field in both current and earlier versions, give the field
-// a JSON tag of "-".
-//
-// Map values encode as JSON objects.
-// The map's key type must be string; the map keys are used as JSON object
-// keys, subject to the UTF-8 coercion described for string values above.
-//
-// Pointer values encode as the value pointed to.
-// A nil pointer encodes as the null JSON object.
-//
-// Interface values encode as the value contained in the interface.
-// A nil interface value encodes as the null JSON object.
-//
-// Channel, complex, and function values cannot be encoded in JSON.
-// Attempting to encode such a value causes Marshal to return
-// an UnsupportedTypeError.
-//
-// JSON cannot represent cyclic data structures and Marshal does not
-// handle them.  Passing cyclic structures to Marshal will result in
-// an infinite recursion.
-//
-func Marshal(v interface{}) ([]byte, error) {
-	return marshal(v, false)
-}
-
-// MarshalIndent is like Marshal but applies Indent to format the output.
-func MarshalIndent(v interface{}, prefix, indent string) ([]byte, error) {
-	b, err := Marshal(v)
-	if err != nil {
-		return nil, err
-	}
-	var buf bytes.Buffer
-	err = Indent(&buf, b, prefix, indent)
-	if err != nil {
-		return nil, err
-	}
-	return buf.Bytes(), nil
-}
-
-// MarshalCanonical is like Marshal but encodes into Canonical JSON.
-// Read more at: http://wiki.laptop.org/go/Canonical_JSON
-func MarshalCanonical(v interface{}) ([]byte, error) {
-	return marshal(v, true)
-}
-
-func marshal(v interface{}, canonical bool) ([]byte, error) {
-	e := &encodeState{canonical: canonical}
-	err := e.marshal(v)
-	if err != nil {
-		return nil, err
-	}
-	return e.Bytes(), nil
-}
-
-// HTMLEscape appends to dst the JSON-encoded src with <, >, &, U+2028 and U+2029
-// characters inside string literals changed to \u003c, \u003e, \u0026, \u2028, \u2029
-// so that the JSON will be safe to embed inside HTML <script> tags.
-// For historical reasons, web browsers don't honor standard HTML
-// escaping within <script> tags, so an alternative JSON encoding must
-// be used.
-func HTMLEscape(dst *bytes.Buffer, src []byte) {
-	// The characters can only appear in string literals,
-	// so just scan the string one byte at a time.
-	start := 0
-	for i, c := range src {
-		if c == '<' || c == '>' || c == '&' {
-			if start < i {
-				dst.Write(src[start:i])
-			}
-			dst.WriteString(`\u00`)
-			dst.WriteByte(hex[c>>4])
-			dst.WriteByte(hex[c&0xF])
-			start = i + 1
-		}
-		// Convert U+2028 and U+2029 (E2 80 A8 and E2 80 A9).
-		if c == 0xE2 && i+2 < len(src) && src[i+1] == 0x80 && src[i+2]&^1 == 0xA8 {
-			if start < i {
-				dst.Write(src[start:i])
-			}
-			dst.WriteString(`\u202`)
-			dst.WriteByte(hex[src[i+2]&0xF])
-			start = i + 3
-		}
-	}
-	if start < len(src) {
-		dst.Write(src[start:])
-	}
-}
-
-// Marshaler is the interface implemented by objects that
-// can marshal themselves into valid JSON.
-type Marshaler interface {
-	MarshalJSON() ([]byte, error)
-}
-
-// An UnsupportedTypeError is returned by Marshal when attempting
-// to encode an unsupported value type.
-type UnsupportedTypeError struct {
-	Type reflect.Type
-}
-
-func (e *UnsupportedTypeError) Error() string {
-	return "json: unsupported type: " + e.Type.String()
-}
-
-type UnsupportedValueError struct {
-	Value reflect.Value
-	Str   string
-}
-
-func (e *UnsupportedValueError) Error() string {
-	return "json: unsupported value: " + e.Str
-}
-
-// Before Go 1.2, an InvalidUTF8Error was returned by Marshal when
-// attempting to encode a string value with invalid UTF-8 sequences.
-// As of Go 1.2, Marshal instead coerces the string to valid UTF-8 by
-// replacing invalid bytes with the Unicode replacement rune U+FFFD.
-// This error is no longer generated but is kept for backwards compatibility
-// with programs that might mention it.
-type InvalidUTF8Error struct {
-	S string // the whole string value that caused the error
-}
-
-func (e *InvalidUTF8Error) Error() string {
-	return "json: invalid UTF-8 in string: " + strconv.Quote(e.S)
-}
-
-type MarshalerError struct {
-	Type reflect.Type
-	Err  error
-}
-
-func (e *MarshalerError) Error() string {
-	return "json: error calling MarshalJSON for type " + e.Type.String() + ": " + e.Err.Error()
-}
-
-var hex = "0123456789abcdef"
-
-// An encodeState encodes JSON into a bytes.Buffer.
-type encodeState struct {
-	bytes.Buffer // accumulated output
-	scratch      [64]byte
-	canonical    bool
-}
-
-var encodeStatePool sync.Pool
-
-func newEncodeState(canonical bool) *encodeState {
-	if v := encodeStatePool.Get(); v != nil {
-		e := v.(*encodeState)
-		e.Reset()
-		e.canonical = canonical
-		return e
-	}
-	return &encodeState{canonical: canonical}
-}
-
-func (e *encodeState) marshal(v interface{}) (err error) {
-	defer func() {
-		if r := recover(); r != nil {
-			if _, ok := r.(runtime.Error); ok {
-				panic(r)
-			}
-			if s, ok := r.(string); ok {
-				panic(s)
-			}
-			err = r.(error)
-		}
-	}()
-	e.reflectValue(reflect.ValueOf(v))
-	return nil
-}
-
-func (e *encodeState) error(err error) {
-	panic(err)
-}
-
-func isEmptyValue(v reflect.Value) bool {
-	switch v.Kind() {
-	case reflect.Array, reflect.Map, reflect.Slice, reflect.String:
-		return v.Len() == 0
-	case reflect.Bool:
-		return !v.Bool()
-	case reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64:
-		return v.Int() == 0
-	case reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64, reflect.Uintptr:
-		return v.Uint() == 0
-	case reflect.Float32, reflect.Float64:
-		return v.Float() == 0
-	case reflect.Interface, reflect.Ptr:
-		return v.IsNil()
-	}
-	return false
-}
-
-func (e *encodeState) reflectValue(v reflect.Value) {
-	e.valueEncoder(v)(e, v, false)
-}
-
-type encoderFunc func(e *encodeState, v reflect.Value, quoted bool)
-
-var encoderCache struct {
-	sync.RWMutex
-	m map[reflect.Type]encoderFunc
-}
-
-func (e *encodeState) valueEncoder(v reflect.Value) encoderFunc {
-	if !v.IsValid() {
-		return invalidValueEncoder
-	}
-	return e.typeEncoder(v.Type())
-}
-
-func (e *encodeState) typeEncoder(t reflect.Type) encoderFunc {
-	encoderCache.RLock()
-	f := encoderCache.m[t]
-	encoderCache.RUnlock()
-	if f != nil {
-		return f
-	}
-
-	// To deal with recursive types, populate the map with an
-	// indirect func before we build it. This type waits on the
-	// real func (f) to be ready and then calls it.  This indirect
-	// func is only used for recursive types.
-	encoderCache.Lock()
-	if encoderCache.m == nil {
-		encoderCache.m = make(map[reflect.Type]encoderFunc)
-	}
-	var wg sync.WaitGroup
-	wg.Add(1)
-	encoderCache.m[t] = func(e *encodeState, v reflect.Value, quoted bool) {
-		wg.Wait()
-		f(e, v, quoted)
-	}
-	encoderCache.Unlock()
-
-	// Compute fields without lock.
-	// Might duplicate effort but won't hold other computations back.
-	f = e.newTypeEncoder(t, true)
-	wg.Done()
-	encoderCache.Lock()
-	encoderCache.m[t] = f
-	encoderCache.Unlock()
-	return f
-}
-
-var (
-	marshalerType     = reflect.TypeOf(new(Marshaler)).Elem()
-	textMarshalerType = reflect.TypeOf(new(encoding.TextMarshaler)).Elem()
-)
-
-// newTypeEncoder constructs an encoderFunc for a type.
-// The returned encoder only checks CanAddr when allowAddr is true.
-func (e *encodeState) newTypeEncoder(t reflect.Type, allowAddr bool) encoderFunc {
-	if t.Implements(marshalerType) {
-		return marshalerEncoder
-	}
-	if t.Kind() != reflect.Ptr && allowAddr {
-		if reflect.PtrTo(t).Implements(marshalerType) {
-			return newCondAddrEncoder(addrMarshalerEncoder, e.newTypeEncoder(t, false))
-		}
-	}
-
-	if t.Implements(textMarshalerType) {
-		return textMarshalerEncoder
-	}
-	if t.Kind() != reflect.Ptr && allowAddr {
-		if reflect.PtrTo(t).Implements(textMarshalerType) {
-			return newCondAddrEncoder(addrTextMarshalerEncoder, e.newTypeEncoder(t, false))
-		}
-	}
-
-	switch t.Kind() {
-	case reflect.Bool:
-		return boolEncoder
-	case reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64:
-		return intEncoder
-	case reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64, reflect.Uintptr:
-		return uintEncoder
-	case reflect.Float32:
-		return float32Encoder
-	case reflect.Float64:
-		return float64Encoder
-	case reflect.String:
-		return stringEncoder
-	case reflect.Interface:
-		return interfaceEncoder
-	case reflect.Struct:
-		return e.newStructEncoder(t)
-	case reflect.Map:
-		return e.newMapEncoder(t)
-	case reflect.Slice:
-		return e.newSliceEncoder(t)
-	case reflect.Array:
-		return e.newArrayEncoder(t)
-	case reflect.Ptr:
-		return e.newPtrEncoder(t)
-	default:
-		return unsupportedTypeEncoder
-	}
-}
-
-func invalidValueEncoder(e *encodeState, v reflect.Value, quoted bool) {
-	e.WriteString("null")
-}
-
-func marshalerEncoder(e *encodeState, v reflect.Value, quoted bool) {
-	if v.Kind() == reflect.Ptr && v.IsNil() {
-		e.WriteString("null")
-		return
-	}
-	m := v.Interface().(Marshaler)
-	b, err := m.MarshalJSON()
-	if err == nil {
-		// copy JSON into buffer, checking validity.
-		err = compact(&e.Buffer, b, true)
-	}
-	if err != nil {
-		e.error(&MarshalerError{v.Type(), err})
-	}
-}
-
-func addrMarshalerEncoder(e *encodeState, v reflect.Value, quoted bool) {
-	va := v.Addr()
-	if va.IsNil() {
-		e.WriteString("null")
-		return
-	}
-	m := va.Interface().(Marshaler)
-	b, err := m.MarshalJSON()
-	if err == nil {
-		// copy JSON into buffer, checking validity.
-		err = compact(&e.Buffer, b, true)
-	}
-	if err != nil {
-		e.error(&MarshalerError{v.Type(), err})
-	}
-}
-
-func textMarshalerEncoder(e *encodeState, v reflect.Value, quoted bool) {
-	if v.Kind() == reflect.Ptr && v.IsNil() {
-		e.WriteString("null")
-		return
-	}
-	m := v.Interface().(encoding.TextMarshaler)
-	b, err := m.MarshalText()
-	if err == nil {
-		_, err = e.stringBytes(b)
-	}
-	if err != nil {
-		e.error(&MarshalerError{v.Type(), err})
-	}
-}
-
-func addrTextMarshalerEncoder(e *encodeState, v reflect.Value, quoted bool) {
-	va := v.Addr()
-	if va.IsNil() {
-		e.WriteString("null")
-		return
-	}
-	m := va.Interface().(encoding.TextMarshaler)
-	b, err := m.MarshalText()
-	if err == nil {
-		_, err = e.stringBytes(b)
-	}
-	if err != nil {
-		e.error(&MarshalerError{v.Type(), err})
-	}
-}
-
-func boolEncoder(e *encodeState, v reflect.Value, quoted bool) {
-	if quoted {
-		e.WriteByte('"')
-	}
-	if v.Bool() {
-		e.WriteString("true")
-	} else {
-		e.WriteString("false")
-	}
-	if quoted {
-		e.WriteByte('"')
-	}
-}
-
-func intEncoder(e *encodeState, v reflect.Value, quoted bool) {
-	b := strconv.AppendInt(e.scratch[:0], v.Int(), 10)
-	if quoted {
-		e.WriteByte('"')
-	}
-	e.Write(b)
-	if quoted {
-		e.WriteByte('"')
-	}
-}
-
-func uintEncoder(e *encodeState, v reflect.Value, quoted bool) {
-	b := strconv.AppendUint(e.scratch[:0], v.Uint(), 10)
-	if quoted {
-		e.WriteByte('"')
-	}
-	e.Write(b)
-	if quoted {
-		e.WriteByte('"')
-	}
-}
-
-type floatEncoder int // number of bits
-
-func (bits floatEncoder) encode(e *encodeState, v reflect.Value, quoted bool) {
-	f := v.Float()
-	if math.IsInf(f, 0) || math.IsNaN(f) || (e.canonical && math.Floor(f) != f) {
-		e.error(&UnsupportedValueError{v, strconv.FormatFloat(f, 'g', -1, int(bits))})
-	}
-
-	var b []byte
-	if e.canonical {
-		b = strconv.AppendInt(e.scratch[:0], int64(f), 10)
-	} else {
-		b = strconv.AppendFloat(e.scratch[:0], f, 'g', -1, int(bits))
-	}
-	if quoted {
-		e.WriteByte('"')
-	}
-	e.Write(b)
-	if quoted {
-		e.WriteByte('"')
-	}
-}
-
-var (
-	float32Encoder = (floatEncoder(32)).encode
-	float64Encoder = (floatEncoder(64)).encode
-)
-
-func stringEncoder(e *encodeState, v reflect.Value, quoted bool) {
-	if v.Type() == numberType {
-		numStr := v.String()
-		if numStr == "" {
-			numStr = "0" // Number's zero-val
-		}
-		e.WriteString(numStr)
-		return
-	}
-	if quoted {
-		sb, err := Marshal(v.String())
-		if err != nil {
-			e.error(err)
-		}
-		e.string(string(sb))
-	} else {
-		e.string(v.String())
-	}
-}
-
-func interfaceEncoder(e *encodeState, v reflect.Value, quoted bool) {
-	if v.IsNil() {
-		e.WriteString("null")
-		return
-	}
-	e.reflectValue(v.Elem())
-}
-
-func unsupportedTypeEncoder(e *encodeState, v reflect.Value, quoted bool) {
-	e.error(&UnsupportedTypeError{v.Type()})
-}
-
-type structEncoder struct {
-	fields    []field
-	fieldEncs []encoderFunc
-}
-
-func (se *structEncoder) encode(e *encodeState, v reflect.Value, quoted bool) {
-	e.WriteByte('{')
-	first := true
-	for i, f := range se.fields {
-		fv := fieldByIndex(v, f.index)
-		if !fv.IsValid() || f.omitEmpty && isEmptyValue(fv) {
-			continue
-		}
-		if first {
-			first = false
-		} else {
-			e.WriteByte(',')
-		}
-		e.string(f.name)
-		e.WriteByte(':')
-		se.fieldEncs[i](e, fv, f.quoted)
-	}
-	e.WriteByte('}')
-}
-
-func (e *encodeState) newStructEncoder(t reflect.Type) encoderFunc {
-	fields := cachedTypeFields(t, e.canonical)
-	se := &structEncoder{
-		fields:    fields,
-		fieldEncs: make([]encoderFunc, len(fields)),
-	}
-	for i, f := range fields {
-		se.fieldEncs[i] = e.typeEncoder(typeByIndex(t, f.index))
-	}
-	return se.encode
-}
-
-type mapEncoder struct {
-	elemEnc encoderFunc
-}
-
-func (me *mapEncoder) encode(e *encodeState, v reflect.Value, _ bool) {
-	if v.IsNil() {
-		e.WriteString("null")
-		return
-	}
-	e.WriteByte('{')
-	var sv stringValues = v.MapKeys()
-	sort.Sort(sv)
-	for i, k := range sv {
-		if i > 0 {
-			e.WriteByte(',')
-		}
-		e.string(k.String())
-		e.WriteByte(':')
-		me.elemEnc(e, v.MapIndex(k), false)
-	}
-	e.WriteByte('}')
-}
-
-func (e *encodeState) newMapEncoder(t reflect.Type) encoderFunc {
-	if t.Key().Kind() != reflect.String {
-		return unsupportedTypeEncoder
-	}
-	me := &mapEncoder{e.typeEncoder(t.Elem())}
-	return me.encode
-}
-
-func encodeByteSlice(e *encodeState, v reflect.Value, _ bool) {
-	if v.IsNil() {
-		e.WriteString("null")
-		return
-	}
-	s := v.Bytes()
-	e.WriteByte('"')
-	if len(s) < 1024 {
-		// for small buffers, using Encode directly is much faster.
-		dst := make([]byte, base64.StdEncoding.EncodedLen(len(s)))
-		base64.StdEncoding.Encode(dst, s)
-		e.Write(dst)
-	} else {
-		// for large buffers, avoid unnecessary extra temporary
-		// buffer space.
-		enc := base64.NewEncoder(base64.StdEncoding, e)
-		enc.Write(s)
-		enc.Close()
-	}
-	e.WriteByte('"')
-}
-
-// sliceEncoder just wraps an arrayEncoder, checking to make sure the value isn't nil.
-type sliceEncoder struct {
-	arrayEnc encoderFunc
-}
-
-func (se *sliceEncoder) encode(e *encodeState, v reflect.Value, _ bool) {
-	if v.IsNil() {
-		e.WriteString("null")
-		return
-	}
-	se.arrayEnc(e, v, false)
-}
-
-func (e *encodeState) newSliceEncoder(t reflect.Type) encoderFunc {
-	// Byte slices get special treatment; arrays don't.
-	if t.Elem().Kind() == reflect.Uint8 {
-		return encodeByteSlice
-	}
-	enc := &sliceEncoder{e.newArrayEncoder(t)}
-	return enc.encode
-}
-
-type arrayEncoder struct {
-	elemEnc encoderFunc
-}
-
-func (ae *arrayEncoder) encode(e *encodeState, v reflect.Value, _ bool) {
-	e.WriteByte('[')
-	n := v.Len()
-	for i := 0; i < n; i++ {
-		if i > 0 {
-			e.WriteByte(',')
-		}
-		ae.elemEnc(e, v.Index(i), false)
-	}
-	e.WriteByte(']')
-}
-
-func (e *encodeState) newArrayEncoder(t reflect.Type) encoderFunc {
-	enc := &arrayEncoder{e.typeEncoder(t.Elem())}
-	return enc.encode
-}
-
-type ptrEncoder struct {
-	elemEnc encoderFunc
-}
-
-func (pe *ptrEncoder) encode(e *encodeState, v reflect.Value, quoted bool) {
-	if v.IsNil() {
-		e.WriteString("null")
-		return
-	}
-	pe.elemEnc(e, v.Elem(), quoted)
-}
-
-func (e *encodeState) newPtrEncoder(t reflect.Type) encoderFunc {
-	enc := &ptrEncoder{e.typeEncoder(t.Elem())}
-	return enc.encode
-}
-
-type condAddrEncoder struct {
-	canAddrEnc, elseEnc encoderFunc
-}
-
-func (ce *condAddrEncoder) encode(e *encodeState, v reflect.Value, quoted bool) {
-	if v.CanAddr() {
-		ce.canAddrEnc(e, v, quoted)
-	} else {
-		ce.elseEnc(e, v, quoted)
-	}
-}
-
-// newCondAddrEncoder returns an encoder that checks whether its value
-// CanAddr and delegates to canAddrEnc if so, else to elseEnc.
-func newCondAddrEncoder(canAddrEnc, elseEnc encoderFunc) encoderFunc {
-	enc := &condAddrEncoder{canAddrEnc: canAddrEnc, elseEnc: elseEnc}
-	return enc.encode
-}
-
-func isValidTag(s string) bool {
-	if s == "" {
-		return false
-	}
-	for _, c := range s {
-		switch {
-		case strings.ContainsRune("!#$%&()*+-./:<=>?@[]^_{|}~ ", c):
-			// Backslash and quote chars are reserved, but
-			// otherwise any punctuation chars are allowed
-			// in a tag name.
-		default:
-			if !unicode.IsLetter(c) && !unicode.IsDigit(c) {
-				return false
-			}
-		}
-	}
-	return true
-}
-
-func fieldByIndex(v reflect.Value, index []int) reflect.Value {
-	for _, i := range index {
-		if v.Kind() == reflect.Ptr {
-			if v.IsNil() {
-				return reflect.Value{}
-			}
-			v = v.Elem()
-		}
-		v = v.Field(i)
-	}
-	return v
-}
-
-func typeByIndex(t reflect.Type, index []int) reflect.Type {
-	for _, i := range index {
-		if t.Kind() == reflect.Ptr {
-			t = t.Elem()
-		}
-		t = t.Field(i).Type
-	}
-	return t
-}
-
-// stringValues is a slice of reflect.Value holding *reflect.StringValue.
-// It implements the methods to sort by string.
-type stringValues []reflect.Value
-
-func (sv stringValues) Len() int           { return len(sv) }
-func (sv stringValues) Swap(i, j int)      { sv[i], sv[j] = sv[j], sv[i] }
-func (sv stringValues) Less(i, j int) bool { return sv.get(i) < sv.get(j) }
-func (sv stringValues) get(i int) string   { return sv[i].String() }
-
-// NOTE: keep in sync with stringBytes below.
-func (e *encodeState) string(s string) (int, error) {
-	len0 := e.Len()
-	e.WriteByte('"')
-	start := 0
-	for i := 0; i < len(s); {
-		if b := s[i]; b < utf8.RuneSelf {
-			if b != '\\' && b != '"' {
-				if e.canonical || (0x20 <= b && b != '<' && b != '>' && b != '&') {
-					i++
-					continue
-				}
-			}
-			if start < i {
-				e.WriteString(s[start:i])
-			}
-			switch b {
-			case '\\', '"':
-				e.WriteByte('\\')
-				e.WriteByte(b)
-			case '\n':
-				e.WriteByte('\\')
-				e.WriteByte('n')
-			case '\r':
-				e.WriteByte('\\')
-				e.WriteByte('r')
-			case '\t':
-				e.WriteByte('\\')
-				e.WriteByte('t')
-			default:
-				// This encodes bytes < 0x20 except for \n and \r,
-				// as well as <, > and &. The latter are escaped because they
-				// can lead to security holes when user-controlled strings
-				// are rendered into JSON and served to some browsers.
-				e.WriteString(`\u00`)
-				e.WriteByte(hex[b>>4])
-				e.WriteByte(hex[b&0xF])
-			}
-			i++
-			start = i
-			continue
-		}
-		if e.canonical {
-			i++
-			continue
-		}
-		c, size := utf8.DecodeRuneInString(s[i:])
-		if c == utf8.RuneError && size == 1 {
-			if start < i {
-				e.WriteString(s[start:i])
-			}
-			e.WriteString(`\ufffd`)
-			i += size
-			start = i
-			continue
-		}
-		// U+2028 is LINE SEPARATOR.
-		// U+2029 is PARAGRAPH SEPARATOR.
-		// They are both technically valid characters in JSON strings,
-		// but don't work in JSONP, which has to be evaluated as JavaScript,
-		// and can lead to security holes there. It is valid JSON to
-		// escape them, so we do so unconditionally.
-		// See http://timelessrepo.com/json-isnt-a-javascript-subset for discussion.
-		if c == '\u2028' || c == '\u2029' {
-			if start < i {
-				e.WriteString(s[start:i])
-			}
-			e.WriteString(`\u202`)
-			e.WriteByte(hex[c&0xF])
-			i += size
-			start = i
-			continue
-		}
-		i += size
-	}
-	if start < len(s) {
-		e.WriteString(s[start:])
-	}
-	e.WriteByte('"')
-	return e.Len() - len0, nil
-}
-
-// NOTE: keep in sync with string above.
-func (e *encodeState) stringBytes(s []byte) (int, error) {
-	len0 := e.Len()
-	e.WriteByte('"')
-	start := 0
-	for i := 0; i < len(s); {
-		if b := s[i]; b < utf8.RuneSelf {
-			if b != '\\' && b != '"' {
-				if e.canonical || (0x20 <= b && b != '<' && b != '>' && b != '&') {
-					i++
-					continue
-				}
-			}
-			if start < i {
-				e.Write(s[start:i])
-			}
-			switch b {
-			case '\\', '"':
-				e.WriteByte('\\')
-				e.WriteByte(b)
-			case '\n':
-				e.WriteByte('\\')
-				e.WriteByte('n')
-			case '\r':
-				e.WriteByte('\\')
-				e.WriteByte('r')
-			case '\t':
-				e.WriteByte('\\')
-				e.WriteByte('t')
-			default:
-				// This encodes bytes < 0x20 except for \n and \r,
-				// as well as <, >, and &. The latter are escaped because they
-				// can lead to security holes when user-controlled strings
-				// are rendered into JSON and served to some browsers.
-				e.WriteString(`\u00`)
-				e.WriteByte(hex[b>>4])
-				e.WriteByte(hex[b&0xF])
-			}
-			i++
-			start = i
-			continue
-		}
-		if e.canonical {
-			i++
-			continue
-		}
-		c, size := utf8.DecodeRune(s[i:])
-		if c == utf8.RuneError && size == 1 {
-			if start < i {
-				e.Write(s[start:i])
-			}
-			e.WriteString(`\ufffd`)
-			i += size
-			start = i
-			continue
-		}
-		// U+2028 is LINE SEPARATOR.
-		// U+2029 is PARAGRAPH SEPARATOR.
-		// They are both technically valid characters in JSON strings,
-		// but don't work in JSONP, which has to be evaluated as JavaScript,
-		// and can lead to security holes there. It is valid JSON to
-		// escape them, so we do so unconditionally.
-		// See http://timelessrepo.com/json-isnt-a-javascript-subset for discussion.
-		if c == '\u2028' || c == '\u2029' {
-			if start < i {
-				e.Write(s[start:i])
-			}
-			e.WriteString(`\u202`)
-			e.WriteByte(hex[c&0xF])
-			i += size
-			start = i
-			continue
-		}
-		i += size
-	}
-	if start < len(s) {
-		e.Write(s[start:])
-	}
-	e.WriteByte('"')
-	return e.Len() - len0, nil
-}
-
-// A field represents a single field found in a struct.
-type field struct {
-	name      string
-	nameBytes []byte                 // []byte(name)
-	equalFold func(s, t []byte) bool // bytes.EqualFold or equivalent
-
-	tag       bool
-	index     []int
-	typ       reflect.Type
-	omitEmpty bool
-	quoted    bool
-}
-
-func fillField(f field) field {
-	f.nameBytes = []byte(f.name)
-	f.equalFold = foldFunc(f.nameBytes)
-	return f
-}
-
-// byName sorts field by name, breaking ties with depth,
-// then breaking ties with "name came from json tag", then
-// breaking ties with index sequence.
-type byName []field
-
-func (x byName) Len() int { return len(x) }
-
-func (x byName) Swap(i, j int) { x[i], x[j] = x[j], x[i] }
-
-func (x byName) Less(i, j int) bool {
-	if x[i].name != x[j].name {
-		return x[i].name < x[j].name
-	}
-	if len(x[i].index) != len(x[j].index) {
-		return len(x[i].index) < len(x[j].index)
-	}
-	if x[i].tag != x[j].tag {
-		return x[i].tag
-	}
-	return byIndex(x).Less(i, j)
-}
-
-// byIndex sorts field by index sequence.
-type byIndex []field
-
-func (x byIndex) Len() int { return len(x) }
-
-func (x byIndex) Swap(i, j int) { x[i], x[j] = x[j], x[i] }
-
-func (x byIndex) Less(i, j int) bool {
-	for k, xik := range x[i].index {
-		if k >= len(x[j].index) {
-			return false
-		}
-		if xik != x[j].index[k] {
-			return xik < x[j].index[k]
-		}
-	}
-	return len(x[i].index) < len(x[j].index)
-}
-
-// typeFields returns a list of fields that JSON should recognize for the given type.
-// The algorithm is breadth-first search over the set of structs to include - the top struct
-// and then any reachable anonymous structs.
-func typeFields(t reflect.Type) []field {
-	// Anonymous fields to explore at the current level and the next.
-	current := []field{}
-	next := []field{{typ: t}}
-
-	// Count of queued names for current level and the next.
-	count := map[reflect.Type]int{}
-	nextCount := map[reflect.Type]int{}
-
-	// Types already visited at an earlier level.
-	visited := map[reflect.Type]bool{}
-
-	// Fields found.
-	var fields []field
-
-	for len(next) > 0 {
-		current, next = next, current[:0]
-		count, nextCount = nextCount, map[reflect.Type]int{}
-
-		for _, f := range current {
-			if visited[f.typ] {
-				continue
-			}
-			visited[f.typ] = true
-
-			// Scan f.typ for fields to include.
-			for i := 0; i < f.typ.NumField(); i++ {
-				sf := f.typ.Field(i)
-				if sf.PkgPath != "" { // unexported
-					continue
-				}
-				tag := sf.Tag.Get("json")
-				if tag == "-" {
-					continue
-				}
-				name, opts := parseTag(tag)
-				if !isValidTag(name) {
-					name = ""
-				}
-				index := make([]int, len(f.index)+1)
-				copy(index, f.index)
-				index[len(f.index)] = i
-
-				ft := sf.Type
-				if ft.Name() == "" && ft.Kind() == reflect.Ptr {
-					// Follow pointer.
-					ft = ft.Elem()
-				}
-
-				// Only strings, floats, integers, and booleans can be quoted.
-				quoted := false
-				if opts.Contains("string") {
-					switch ft.Kind() {
-					case reflect.Bool,
-						reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64,
-						reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64,
-						reflect.Float32, reflect.Float64,
-						reflect.String:
-						quoted = true
-					}
-				}
-
-				// Record found field and index sequence.
-				if name != "" || !sf.Anonymous || ft.Kind() != reflect.Struct {
-					tagged := name != ""
-					if name == "" {
-						name = sf.Name
-					}
-					fields = append(fields, fillField(field{
-						name:      name,
-						tag:       tagged,
-						index:     index,
-						typ:       ft,
-						omitEmpty: opts.Contains("omitempty"),
-						quoted:    quoted,
-					}))
-					if count[f.typ] > 1 {
-						// If there were multiple instances, add a second,
-						// so that the annihilation code will see a duplicate.
-						// It only cares about the distinction between 1 or 2,
-						// so don't bother generating any more copies.
-						fields = append(fields, fields[len(fields)-1])
-					}
-					continue
-				}
-
-				// Record new anonymous struct to explore in next round.
-				nextCount[ft]++
-				if nextCount[ft] == 1 {
-					next = append(next, fillField(field{name: ft.Name(), index: index, typ: ft}))
-				}
-			}
-		}
-	}
-
-	sort.Sort(byName(fields))
-
-	// Delete all fields that are hidden by the Go rules for embedded fields,
-	// except that fields with JSON tags are promoted.
-
-	// The fields are sorted in primary order of name, secondary order
-	// of field index length. Loop over names; for each name, delete
-	// hidden fields by choosing the one dominant field that survives.
-	out := fields[:0]
-	for advance, i := 0, 0; i < len(fields); i += advance {
-		// One iteration per name.
-		// Find the sequence of fields with the name of this first field.
-		fi := fields[i]
-		name := fi.name
-		for advance = 1; i+advance < len(fields); advance++ {
-			fj := fields[i+advance]
-			if fj.name != name {
-				break
-			}
-		}
-		if advance == 1 { // Only one field with this name
-			out = append(out, fi)
-			continue
-		}
-		dominant, ok := dominantField(fields[i : i+advance])
-		if ok {
-			out = append(out, dominant)
-		}
-	}
-
-	return out
-}
-
-// dominantField looks through the fields, all of which are known to
-// have the same name, to find the single field that dominates the
-// others using Go's embedding rules, modified by the presence of
-// JSON tags. If there are multiple top-level fields, the boolean
-// will be false: This condition is an error in Go and we skip all
-// the fields.
-func dominantField(fields []field) (field, bool) {
-	// The fields are sorted in increasing index-length order. The winner
-	// must therefore be one with the shortest index length. Drop all
-	// longer entries, which is easy: just truncate the slice.
-	length := len(fields[0].index)
-	tagged := -1 // Index of first tagged field.
-	for i, f := range fields {
-		if len(f.index) > length {
-			fields = fields[:i]
-			break
-		}
-		if f.tag {
-			if tagged >= 0 {
-				// Multiple tagged fields at the same level: conflict.
-				// Return no field.
-				return field{}, false
-			}
-			tagged = i
-		}
-	}
-	if tagged >= 0 {
-		return fields[tagged], true
-	}
-	// All remaining fields have the same length. If there's more than one,
-	// we have a conflict (two fields named "X" at the same level) and we
-	// return no field.
-	if len(fields) > 1 {
-		return field{}, false
-	}
-	return fields[0], true
-}
-
-type fields struct {
-	byName  []field
-	byIndex []field
-}
-
-var fieldCache struct {
-	sync.RWMutex
-	m map[reflect.Type]*fields
-}
-
-// cachedTypeFields is like typeFields but uses a cache to avoid repeated work.
-func cachedTypeFields(t reflect.Type, canonical bool) []field {
-	fieldCache.RLock()
-	x := fieldCache.m[t]
-	fieldCache.RUnlock()
-
-	var f []field
-	if x != nil {
-		if canonical {
-			f = x.byName
-		}
-		f = x.byIndex
-	}
-	if f != nil {
-		return f
-	}
-
-	// Compute fields without lock.
-	// Might duplicate effort but won't hold other computations back.
-	f = typeFields(t)
-	if f == nil {
-		f = []field{}
-	}
-	if !canonical {
-		sort.Sort(byIndex(f))
-	}
-
-	fieldCache.Lock()
-	if fieldCache.m == nil {
-		fieldCache.m = map[reflect.Type]*fields{}
-	}
-	x = fieldCache.m[t]
-	fieldCache.Unlock()
-	if x == nil {
-		x = new(fields)
-	}
-	if canonical {
-		x.byName = f
-	} else {
-		x.byIndex = f
-	}
-	return f
-}

vendor/github.com/docker/go/canonical/json/fold.go

@@ -1,143 +0,0 @@
-// Copyright 2013 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package json
-
-import (
-	"bytes"
-	"unicode/utf8"
-)
-
-const (
-	caseMask     = ^byte(0x20) // Mask to ignore case in ASCII.
-	kelvin       = '\u212a'
-	smallLongEss = '\u017f'
-)
-
-// foldFunc returns one of four different case folding equivalence
-// functions, from most general (and slow) to fastest:
-//
-// 1) bytes.EqualFold, if the key s contains any non-ASCII UTF-8
-// 2) equalFoldRight, if s contains special folding ASCII ('k', 'K', 's', 'S')
-// 3) asciiEqualFold, no special, but includes non-letters (including _)
-// 4) simpleLetterEqualFold, no specials, no non-letters.
-//
-// The letters S and K are special because they map to 3 runes, not just 2:
-//  * S maps to s and to U+017F 'ſ' Latin small letter long s
-//  * k maps to K and to U+212A 'K' Kelvin sign
-// See https://play.golang.org/p/tTxjOc0OGo
-//
-// The returned function is specialized for matching against s and
-// should only be given s. It's not curried for performance reasons.
-func foldFunc(s []byte) func(s, t []byte) bool {
-	nonLetter := false
-	special := false // special letter
-	for _, b := range s {
-		if b >= utf8.RuneSelf {
-			return bytes.EqualFold
-		}
-		upper := b & caseMask
-		if upper < 'A' || upper > 'Z' {
-			nonLetter = true
-		} else if upper == 'K' || upper == 'S' {
-			// See above for why these letters are special.
-			special = true
-		}
-	}
-	if special {
-		return equalFoldRight
-	}
-	if nonLetter {
-		return asciiEqualFold
-	}
-	return simpleLetterEqualFold
-}
-
-// equalFoldRight is a specialization of bytes.EqualFold when s is
-// known to be all ASCII (including punctuation), but contains an 's',
-// 'S', 'k', or 'K', requiring a Unicode fold on the bytes in t.
-// See comments on foldFunc.
-func equalFoldRight(s, t []byte) bool {
-	for _, sb := range s {
-		if len(t) == 0 {
-			return false
-		}
-		tb := t[0]
-		if tb < utf8.RuneSelf {
-			if sb != tb {
-				sbUpper := sb & caseMask
-				if 'A' <= sbUpper && sbUpper <= 'Z' {
-					if sbUpper != tb&caseMask {
-						return false
-					}
-				} else {
-					return false
-				}
-			}
-			t = t[1:]
-			continue
-		}
-		// sb is ASCII and t is not. t must be either kelvin
-		// sign or long s; sb must be s, S, k, or K.
-		tr, size := utf8.DecodeRune(t)
-		switch sb {
-		case 's', 'S':
-			if tr != smallLongEss {
-				return false
-			}
-		case 'k', 'K':
-			if tr != kelvin {
-				return false
-			}
-		default:
-			return false
-		}
-		t = t[size:]
-
-	}
-	if len(t) > 0 {
-		return false
-	}
-	return true
-}
-
-// asciiEqualFold is a specialization of bytes.EqualFold for use when
-// s is all ASCII (but may contain non-letters) and contains no
-// special-folding letters.
-// See comments on foldFunc.
-func asciiEqualFold(s, t []byte) bool {
-	if len(s) != len(t) {
-		return false
-	}
-	for i, sb := range s {
-		tb := t[i]
-		if sb == tb {
-			continue
-		}
-		if ('a' <= sb && sb <= 'z') || ('A' <= sb && sb <= 'Z') {
-			if sb&caseMask != tb&caseMask {
-				return false
-			}
-		} else {
-			return false
-		}
-	}
-	return true
-}
-
-// simpleLetterEqualFold is a specialization of bytes.EqualFold for
-// use when s is all ASCII letters (no underscores, etc) and also
-// doesn't contain 'k', 'K', 's', or 'S'.
-// See comments on foldFunc.
-func simpleLetterEqualFold(s, t []byte) bool {
-	if len(s) != len(t) {
-		return false
-	}
-	for i, b := range s {
-		if b&caseMask != t[i]&caseMask {
-			return false
-		}
-	}
-	return true
-}

vendor/github.com/docker/go/canonical/json/indent.go

@@ -1,137 +0,0 @@
-// Copyright 2010 The Go Authors.  All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package json
-
-import "bytes"
-
-// Compact appends to dst the JSON-encoded src with
-// insignificant space characters elided.
-func Compact(dst *bytes.Buffer, src []byte) error {
-	return compact(dst, src, false)
-}
-
-func compact(dst *bytes.Buffer, src []byte, escape bool) error {
-	origLen := dst.Len()
-	var scan scanner
-	scan.reset()
-	start := 0
-	for i, c := range src {
-		if escape && (c == '<' || c == '>' || c == '&') {
-			if start < i {
-				dst.Write(src[start:i])
-			}
-			dst.WriteString(`\u00`)
-			dst.WriteByte(hex[c>>4])
-			dst.WriteByte(hex[c&0xF])
-			start = i + 1
-		}
-		// Convert U+2028 and U+2029 (E2 80 A8 and E2 80 A9).
-		if c == 0xE2 && i+2 < len(src) && src[i+1] == 0x80 && src[i+2]&^1 == 0xA8 {
-			if start < i {
-				dst.Write(src[start:i])
-			}
-			dst.WriteString(`\u202`)
-			dst.WriteByte(hex[src[i+2]&0xF])
-			start = i + 3
-		}
-		v := scan.step(&scan, int(c))
-		if v >= scanSkipSpace {
-			if v == scanError {
-				break
-			}
-			if start < i {
-				dst.Write(src[start:i])
-			}
-			start = i + 1
-		}
-	}
-	if scan.eof() == scanError {
-		dst.Truncate(origLen)
-		return scan.err
-	}
-	if start < len(src) {
-		dst.Write(src[start:])
-	}
-	return nil
-}
-
-func newline(dst *bytes.Buffer, prefix, indent string, depth int) {
-	dst.WriteByte('\n')
-	dst.WriteString(prefix)
-	for i := 0; i < depth; i++ {
-		dst.WriteString(indent)
-	}
-}
-
-// Indent appends to dst an indented form of the JSON-encoded src.
-// Each element in a JSON object or array begins on a new,
-// indented line beginning with prefix followed by one or more
-// copies of indent according to the indentation nesting.
-// The data appended to dst does not begin with the prefix nor
-// any indentation, and has no trailing newline, to make it
-// easier to embed inside other formatted JSON data.
-func Indent(dst *bytes.Buffer, src []byte, prefix, indent string) error {
-	origLen := dst.Len()
-	var scan scanner
-	scan.reset()
-	needIndent := false
-	depth := 0
-	for _, c := range src {
-		scan.bytes++
-		v := scan.step(&scan, int(c))
-		if v == scanSkipSpace {
-			continue
-		}
-		if v == scanError {
-			break
-		}
-		if needIndent && v != scanEndObject && v != scanEndArray {
-			needIndent = false
-			depth++
-			newline(dst, prefix, indent, depth)
-		}
-
-		// Emit semantically uninteresting bytes
-		// (in particular, punctuation in strings) unmodified.
-		if v == scanContinue {
-			dst.WriteByte(c)
-			continue
-		}
-
-		// Add spacing around real punctuation.
-		switch c {
-		case '{', '[':
-			// delay indent so that empty object and array are formatted as {} and [].
-			needIndent = true
-			dst.WriteByte(c)
-
-		case ',':
-			dst.WriteByte(c)
-			newline(dst, prefix, indent, depth)
-
-		case ':':
-			dst.WriteByte(c)
-			dst.WriteByte(' ')
-
-		case '}', ']':
-			if needIndent {
-				// suppress indent in empty object/array
-				needIndent = false
-			} else {
-				depth--
-				newline(dst, prefix, indent, depth)
-			}
-			dst.WriteByte(c)
-
-		default:
-			dst.WriteByte(c)
-		}
-	}
-	if scan.eof() == scanError {
-		dst.Truncate(origLen)
-		return scan.err
-	}
-	return nil
-}

vendor/github.com/docker/go/canonical/json/scanner.go

@@ -1,630 +0,0 @@
-// Copyright 2010 The Go Authors.  All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package json
-
-// JSON value parser state machine.
-// Just about at the limit of what is reasonable to write by hand.
-// Some parts are a bit tedious, but overall it nicely factors out the
-// otherwise common code from the multiple scanning functions
-// in this package (Compact, Indent, checkValid, nextValue, etc).
-//
-// This file starts with two simple examples using the scanner
-// before diving into the scanner itself.
-
-import "strconv"
-
-// checkValid verifies that data is valid JSON-encoded data.
-// scan is passed in for use by checkValid to avoid an allocation.
-func checkValid(data []byte, scan *scanner) error {
-	scan.reset()
-	for _, c := range data {
-		scan.bytes++
-		if scan.step(scan, int(c)) == scanError {
-			return scan.err
-		}
-	}
-	if scan.eof() == scanError {
-		return scan.err
-	}
-	return nil
-}
-
-// nextValue splits data after the next whole JSON value,
-// returning that value and the bytes that follow it as separate slices.
-// scan is passed in for use by nextValue to avoid an allocation.
-func nextValue(data []byte, scan *scanner) (value, rest []byte, err error) {
-	scan.reset()
-	for i, c := range data {
-		v := scan.step(scan, int(c))
-		if v >= scanEndObject {
-			switch v {
-			// probe the scanner with a space to determine whether we will
-			// get scanEnd on the next character. Otherwise, if the next character
-			// is not a space, scanEndTop allocates a needless error.
-			case scanEndObject, scanEndArray:
-				if scan.step(scan, ' ') == scanEnd {
-					return data[:i+1], data[i+1:], nil
-				}
-			case scanError:
-				return nil, nil, scan.err
-			case scanEnd:
-				return data[0:i], data[i:], nil
-			}
-		}
-	}
-	if scan.eof() == scanError {
-		return nil, nil, scan.err
-	}
-	return data, nil, nil
-}
-
-// A SyntaxError is a description of a JSON syntax error.
-type SyntaxError struct {
-	msg    string // description of error
-	Offset int64  // error occurred after reading Offset bytes
-}
-
-func (e *SyntaxError) Error() string { return e.msg }
-
-// A scanner is a JSON scanning state machine.
-// Callers call scan.reset() and then pass bytes in one at a time
-// by calling scan.step(&scan, c) for each byte.
-// The return value, referred to as an opcode, tells the
-// caller about significant parsing events like beginning
-// and ending literals, objects, and arrays, so that the
-// caller can follow along if it wishes.
-// The return value scanEnd indicates that a single top-level
-// JSON value has been completed, *before* the byte that
-// just got passed in.  (The indication must be delayed in order
-// to recognize the end of numbers: is 123 a whole value or
-// the beginning of 12345e+6?).
-type scanner struct {
-	// The step is a func to be called to execute the next transition.
-	// Also tried using an integer constant and a single func
-	// with a switch, but using the func directly was 10% faster
-	// on a 64-bit Mac Mini, and it's nicer to read.
-	step func(*scanner, int) int
-
-	// Reached end of top-level value.
-	endTop bool
-
-	// Stack of what we're in the middle of - array values, object keys, object values.
-	parseState []int
-
-	// Error that happened, if any.
-	err error
-
-	// 1-byte redo (see undo method)
-	redo      bool
-	redoCode  int
-	redoState func(*scanner, int) int
-
-	// total bytes consumed, updated by decoder.Decode
-	bytes int64
-}
-
-// These values are returned by the state transition functions
-// assigned to scanner.state and the method scanner.eof.
-// They give details about the current state of the scan that
-// callers might be interested to know about.
-// It is okay to ignore the return value of any particular
-// call to scanner.state: if one call returns scanError,
-// every subsequent call will return scanError too.
-const (
-	// Continue.
-	scanContinue     = iota // uninteresting byte
-	scanBeginLiteral        // end implied by next result != scanContinue
-	scanBeginObject         // begin object
-	scanObjectKey           // just finished object key (string)
-	scanObjectValue         // just finished non-last object value
-	scanEndObject           // end object (implies scanObjectValue if possible)
-	scanBeginArray          // begin array
-	scanArrayValue          // just finished array value
-	scanEndArray            // end array (implies scanArrayValue if possible)
-	scanSkipSpace           // space byte; can skip; known to be last "continue" result
-
-	// Stop.
-	scanEnd   // top-level value ended *before* this byte; known to be first "stop" result
-	scanError // hit an error, scanner.err.
-)
-
-// These values are stored in the parseState stack.
-// They give the current state of a composite value
-// being scanned.  If the parser is inside a nested value
-// the parseState describes the nested state, outermost at entry 0.
-const (
-	parseObjectKey   = iota // parsing object key (before colon)
-	parseObjectValue        // parsing object value (after colon)
-	parseArrayValue         // parsing array value
-)
-
-// reset prepares the scanner for use.
-// It must be called before calling s.step.
-func (s *scanner) reset() {
-	s.step = stateBeginValue
-	s.parseState = s.parseState[0:0]
-	s.err = nil
-	s.redo = false
-	s.endTop = false
-}
-
-// eof tells the scanner that the end of input has been reached.
-// It returns a scan status just as s.step does.
-func (s *scanner) eof() int {
-	if s.err != nil {
-		return scanError
-	}
-	if s.endTop {
-		return scanEnd
-	}
-	s.step(s, ' ')
-	if s.endTop {
-		return scanEnd
-	}
-	if s.err == nil {
-		s.err = &SyntaxError{"unexpected end of JSON input", s.bytes}
-	}
-	return scanError
-}
-
-// pushParseState pushes a new parse state p onto the parse stack.
-func (s *scanner) pushParseState(p int) {
-	s.parseState = append(s.parseState, p)
-}
-
-// popParseState pops a parse state (already obtained) off the stack
-// and updates s.step accordingly.
-func (s *scanner) popParseState() {
-	n := len(s.parseState) - 1
-	s.parseState = s.parseState[0:n]
-	s.redo = false
-	if n == 0 {
-		s.step = stateEndTop
-		s.endTop = true
-	} else {
-		s.step = stateEndValue
-	}
-}
-
-func isSpace(c rune) bool {
-	return c == ' ' || c == '\t' || c == '\r' || c == '\n'
-}
-
-// stateBeginValueOrEmpty is the state after reading `[`.
-func stateBeginValueOrEmpty(s *scanner, c int) int {
-	if c <= ' ' && isSpace(rune(c)) {
-		return scanSkipSpace
-	}
-	if c == ']' {
-		return stateEndValue(s, c)
-	}
-	return stateBeginValue(s, c)
-}
-
-// stateBeginValue is the state at the beginning of the input.
-func stateBeginValue(s *scanner, c int) int {
-	if c <= ' ' && isSpace(rune(c)) {
-		return scanSkipSpace
-	}
-	switch c {
-	case '{':
-		s.step = stateBeginStringOrEmpty
-		s.pushParseState(parseObjectKey)
-		return scanBeginObject
-	case '[':
-		s.step = stateBeginValueOrEmpty
-		s.pushParseState(parseArrayValue)
-		return scanBeginArray
-	case '"':
-		s.step = stateInString
-		return scanBeginLiteral
-	case '-':
-		s.step = stateNeg
-		return scanBeginLiteral
-	case '0': // beginning of 0.123
-		s.step = state0
-		return scanBeginLiteral
-	case 't': // beginning of true
-		s.step = stateT
-		return scanBeginLiteral
-	case 'f': // beginning of false
-		s.step = stateF
-		return scanBeginLiteral
-	case 'n': // beginning of null
-		s.step = stateN
-		return scanBeginLiteral
-	}
-	if '1' <= c && c <= '9' { // beginning of 1234.5
-		s.step = state1
-		return scanBeginLiteral
-	}
-	return s.error(c, "looking for beginning of value")
-}
-
-// stateBeginStringOrEmpty is the state after reading `{`.
-func stateBeginStringOrEmpty(s *scanner, c int) int {
-	if c <= ' ' && isSpace(rune(c)) {
-		return scanSkipSpace
-	}
-	if c == '}' {
-		n := len(s.parseState)
-		s.parseState[n-1] = parseObjectValue
-		return stateEndValue(s, c)
-	}
-	return stateBeginString(s, c)
-}
-
-// stateBeginString is the state after reading `{"key": value,`.
-func stateBeginString(s *scanner, c int) int {
-	if c <= ' ' && isSpace(rune(c)) {
-		return scanSkipSpace
-	}
-	if c == '"' {
-		s.step = stateInString
-		return scanBeginLiteral
-	}
-	return s.error(c, "looking for beginning of object key string")
-}
-
-// stateEndValue is the state after completing a value,
-// such as after reading `{}` or `true` or `["x"`.
-func stateEndValue(s *scanner, c int) int {
-	n := len(s.parseState)
-	if n == 0 {
-		// Completed top-level before the current byte.
-		s.step = stateEndTop
-		s.endTop = true
-		return stateEndTop(s, c)
-	}
-	if c <= ' ' && isSpace(rune(c)) {
-		s.step = stateEndValue
-		return scanSkipSpace
-	}
-	ps := s.parseState[n-1]
-	switch ps {
-	case parseObjectKey:
-		if c == ':' {
-			s.parseState[n-1] = parseObjectValue
-			s.step = stateBeginValue
-			return scanObjectKey
-		}
-		return s.error(c, "after object key")
-	case parseObjectValue:
-		if c == ',' {
-			s.parseState[n-1] = parseObjectKey
-			s.step = stateBeginString
-			return scanObjectValue
-		}
-		if c == '}' {
-			s.popParseState()
-			return scanEndObject
-		}
-		return s.error(c, "after object key:value pair")
-	case parseArrayValue:
-		if c == ',' {
-			s.step = stateBeginValue
-			return scanArrayValue
-		}
-		if c == ']' {
-			s.popParseState()
-			return scanEndArray
-		}
-		return s.error(c, "after array element")
-	}
-	return s.error(c, "")
-}
-
-// stateEndTop is the state after finishing the top-level value,
-// such as after reading `{}` or `[1,2,3]`.
-// Only space characters should be seen now.
-func stateEndTop(s *scanner, c int) int {
-	if c != ' ' && c != '\t' && c != '\r' && c != '\n' {
-		// Complain about non-space byte on next call.
-		s.error(c, "after top-level value")
-	}
-	return scanEnd
-}
-
-// stateInString is the state after reading `"`.
-func stateInString(s *scanner, c int) int {
-	if c == '"' {
-		s.step = stateEndValue
-		return scanContinue
-	}
-	if c == '\\' {
-		s.step = stateInStringEsc
-		return scanContinue
-	}
-	if c < 0x20 {
-		return s.error(c, "in string literal")
-	}
-	return scanContinue
-}
-
-// stateInStringEsc is the state after reading `"\` during a quoted string.
-func stateInStringEsc(s *scanner, c int) int {
-	switch c {
-	case 'b', 'f', 'n', 'r', 't', '\\', '/', '"':
-		s.step = stateInString
-		return scanContinue
-	}
-	if c == 'u' {
-		s.step = stateInStringEscU
-		return scanContinue
-	}
-	return s.error(c, "in string escape code")
-}
-
-// stateInStringEscU is the state after reading `"\u` during a quoted string.
-func stateInStringEscU(s *scanner, c int) int {
-	if '0' <= c && c <= '9' || 'a' <= c && c <= 'f' || 'A' <= c && c <= 'F' {
-		s.step = stateInStringEscU1
-		return scanContinue
-	}
-	// numbers
-	return s.error(c, "in \\u hexadecimal character escape")
-}
-
-// stateInStringEscU1 is the state after reading `"\u1` during a quoted string.
-func stateInStringEscU1(s *scanner, c int) int {
-	if '0' <= c && c <= '9' || 'a' <= c && c <= 'f' || 'A' <= c && c <= 'F' {
-		s.step = stateInStringEscU12
-		return scanContinue
-	}
-	// numbers
-	return s.error(c, "in \\u hexadecimal character escape")
-}
-
-// stateInStringEscU12 is the state after reading `"\u12` during a quoted string.
-func stateInStringEscU12(s *scanner, c int) int {
-	if '0' <= c && c <= '9' || 'a' <= c && c <= 'f' || 'A' <= c && c <= 'F' {
-		s.step = stateInStringEscU123
-		return scanContinue
-	}
-	// numbers
-	return s.error(c, "in \\u hexadecimal character escape")
-}
-
-// stateInStringEscU123 is the state after reading `"\u123` during a quoted string.
-func stateInStringEscU123(s *scanner, c int) int {
-	if '0' <= c && c <= '9' || 'a' <= c && c <= 'f' || 'A' <= c && c <= 'F' {
-		s.step = stateInString
-		return scanContinue
-	}
-	// numbers
-	return s.error(c, "in \\u hexadecimal character escape")
-}
-
-// stateNeg is the state after reading `-` during a number.
-func stateNeg(s *scanner, c int) int {
-	if c == '0' {
-		s.step = state0
-		return scanContinue
-	}
-	if '1' <= c && c <= '9' {
-		s.step = state1
-		return scanContinue
-	}
-	return s.error(c, "in numeric literal")
-}
-
-// state1 is the state after reading a non-zero integer during a number,
-// such as after reading `1` or `100` but not `0`.
-func state1(s *scanner, c int) int {
-	if '0' <= c && c <= '9' {
-		s.step = state1
-		return scanContinue
-	}
-	return state0(s, c)
-}
-
-// state0 is the state after reading `0` during a number.
-func state0(s *scanner, c int) int {
-	if c == '.' {
-		s.step = stateDot
-		return scanContinue
-	}
-	if c == 'e' || c == 'E' {
-		s.step = stateE
-		return scanContinue
-	}
-	return stateEndValue(s, c)
-}
-
-// stateDot is the state after reading the integer and decimal point in a number,
-// such as after reading `1.`.
-func stateDot(s *scanner, c int) int {
-	if '0' <= c && c <= '9' {
-		s.step = stateDot0
-		return scanContinue
-	}
-	return s.error(c, "after decimal point in numeric literal")
-}
-
-// stateDot0 is the state after reading the integer, decimal point, and subsequent
-// digits of a number, such as after reading `3.14`.
-func stateDot0(s *scanner, c int) int {
-	if '0' <= c && c <= '9' {
-		s.step = stateDot0
-		return scanContinue
-	}
-	if c == 'e' || c == 'E' {
-		s.step = stateE
-		return scanContinue
-	}
-	return stateEndValue(s, c)
-}
-
-// stateE is the state after reading the mantissa and e in a number,
-// such as after reading `314e` or `0.314e`.
-func stateE(s *scanner, c int) int {
-	if c == '+' {
-		s.step = stateESign
-		return scanContinue
-	}
-	if c == '-' {
-		s.step = stateESign
-		return scanContinue
-	}
-	return stateESign(s, c)
-}
-
-// stateESign is the state after reading the mantissa, e, and sign in a number,
-// such as after reading `314e-` or `0.314e+`.
-func stateESign(s *scanner, c int) int {
-	if '0' <= c && c <= '9' {
-		s.step = stateE0
-		return scanContinue
-	}
-	return s.error(c, "in exponent of numeric literal")
-}
-
-// stateE0 is the state after reading the mantissa, e, optional sign,
-// and at least one digit of the exponent in a number,
-// such as after reading `314e-2` or `0.314e+1` or `3.14e0`.
-func stateE0(s *scanner, c int) int {
-	if '0' <= c && c <= '9' {
-		s.step = stateE0
-		return scanContinue
-	}
-	return stateEndValue(s, c)
-}
-
-// stateT is the state after reading `t`.
-func stateT(s *scanner, c int) int {
-	if c == 'r' {
-		s.step = stateTr
-		return scanContinue
-	}
-	return s.error(c, "in literal true (expecting 'r')")
-}
-
-// stateTr is the state after reading `tr`.
-func stateTr(s *scanner, c int) int {
-	if c == 'u' {
-		s.step = stateTru
-		return scanContinue
-	}
-	return s.error(c, "in literal true (expecting 'u')")
-}
-
-// stateTru is the state after reading `tru`.
-func stateTru(s *scanner, c int) int {
-	if c == 'e' {
-		s.step = stateEndValue
-		return scanContinue
-	}
-	return s.error(c, "in literal true (expecting 'e')")
-}
-
-// stateF is the state after reading `f`.
-func stateF(s *scanner, c int) int {
-	if c == 'a' {
-		s.step = stateFa
-		return scanContinue
-	}
-	return s.error(c, "in literal false (expecting 'a')")
-}
-
-// stateFa is the state after reading `fa`.
-func stateFa(s *scanner, c int) int {
-	if c == 'l' {
-		s.step = stateFal
-		return scanContinue
-	}
-	return s.error(c, "in literal false (expecting 'l')")
-}
-
-// stateFal is the state after reading `fal`.
-func stateFal(s *scanner, c int) int {
-	if c == 's' {
-		s.step = stateFals
-		return scanContinue
-	}
-	return s.error(c, "in literal false (expecting 's')")
-}
-
-// stateFals is the state after reading `fals`.
-func stateFals(s *scanner, c int) int {
-	if c == 'e' {
-		s.step = stateEndValue
-		return scanContinue
-	}
-	return s.error(c, "in literal false (expecting 'e')")
-}
-
-// stateN is the state after reading `n`.
-func stateN(s *scanner, c int) int {
-	if c == 'u' {
-		s.step = stateNu
-		return scanContinue
-	}
-	return s.error(c, "in literal null (expecting 'u')")
-}
-
-// stateNu is the state after reading `nu`.
-func stateNu(s *scanner, c int) int {
-	if c == 'l' {
-		s.step = stateNul
-		return scanContinue
-	}
-	return s.error(c, "in literal null (expecting 'l')")
-}
-
-// stateNul is the state after reading `nul`.
-func stateNul(s *scanner, c int) int {
-	if c == 'l' {
-		s.step = stateEndValue
-		return scanContinue
-	}
-	return s.error(c, "in literal null (expecting 'l')")
-}
-
-// stateError is the state after reaching a syntax error,
-// such as after reading `[1}` or `5.1.2`.
-func stateError(s *scanner, c int) int {
-	return scanError
-}
-
-// error records an error and switches to the error state.
-func (s *scanner) error(c int, context string) int {
-	s.step = stateError
-	s.err = &SyntaxError{"invalid character " + quoteChar(c) + " " + context, s.bytes}
-	return scanError
-}
-
-// quoteChar formats c as a quoted character literal
-func quoteChar(c int) string {
-	// special cases - different from quoted strings
-	if c == '\'' {
-		return `'\''`
-	}
-	if c == '"' {
-		return `'"'`
-	}
-
-	// use quoted string with different quotation marks
-	s := strconv.Quote(string(c))
-	return "'" + s[1:len(s)-1] + "'"
-}
-
-// undo causes the scanner to return scanCode from the next state transition.
-// This gives callers a simple 1-byte undo mechanism.
-func (s *scanner) undo(scanCode int) {
-	if s.redo {
-		panic("json: invalid use of scanner")
-	}
-	s.redoCode = scanCode
-	s.redoState = s.step
-	s.step = stateRedo
-	s.redo = true
-}
-
-// stateRedo helps implement the scanner's 1-byte undo.
-func stateRedo(s *scanner, c int) int {
-	s.redo = false
-	s.step = s.redoState
-	return s.redoCode
-}

vendor/github.com/docker/go/canonical/json/stream.go

@@ -1,487 +0,0 @@
-// Copyright 2010 The Go Authors.  All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package json
-
-import (
-	"bytes"
-	"errors"
-	"io"
-)
-
-// A Decoder reads and decodes JSON objects from an input stream.
-type Decoder struct {
-	r     io.Reader
-	buf   []byte
-	d     decodeState
-	scanp int // start of unread data in buf
-	scan  scanner
-	err   error
-
-	tokenState int
-	tokenStack []int
-}
-
-// NewDecoder returns a new decoder that reads from r.
-//
-// The decoder introduces its own buffering and may
-// read data from r beyond the JSON values requested.
-func NewDecoder(r io.Reader) *Decoder {
-	return &Decoder{r: r}
-}
-
-// UseNumber causes the Decoder to unmarshal a number into an interface{} as a
-// Number instead of as a float64.
-func (dec *Decoder) UseNumber() { dec.d.useNumber = true }
-
-// Decode reads the next JSON-encoded value from its
-// input and stores it in the value pointed to by v.
-//
-// See the documentation for Unmarshal for details about
-// the conversion of JSON into a Go value.
-func (dec *Decoder) Decode(v interface{}) error {
-	if dec.err != nil {
-		return dec.err
-	}
-
-	if err := dec.tokenPrepareForDecode(); err != nil {
-		return err
-	}
-
-	if !dec.tokenValueAllowed() {
-		return &SyntaxError{msg: "not at beginning of value"}
-	}
-
-	// Read whole value into buffer.
-	n, err := dec.readValue()
-	if err != nil {
-		return err
-	}
-	dec.d.init(dec.buf[dec.scanp : dec.scanp+n])
-	dec.scanp += n
-
-	// Don't save err from unmarshal into dec.err:
-	// the connection is still usable since we read a complete JSON
-	// object from it before the error happened.
-	err = dec.d.unmarshal(v)
-
-	// fixup token streaming state
-	dec.tokenValueEnd()
-
-	return err
-}
-
-// Buffered returns a reader of the data remaining in the Decoder's
-// buffer. The reader is valid until the next call to Decode.
-func (dec *Decoder) Buffered() io.Reader {
-	return bytes.NewReader(dec.buf[dec.scanp:])
-}
-
-// readValue reads a JSON value into dec.buf.
-// It returns the length of the encoding.
-func (dec *Decoder) readValue() (int, error) {
-	dec.scan.reset()
-
-	scanp := dec.scanp
-	var err error
-Input:
-	for {
-		// Look in the buffer for a new value.
-		for i, c := range dec.buf[scanp:] {
-			dec.scan.bytes++
-			v := dec.scan.step(&dec.scan, int(c))
-			if v == scanEnd {
-				scanp += i
-				break Input
-			}
-			// scanEnd is delayed one byte.
-			// We might block trying to get that byte from src,
-			// so instead invent a space byte.
-			if (v == scanEndObject || v == scanEndArray) && dec.scan.step(&dec.scan, ' ') == scanEnd {
-				scanp += i + 1
-				break Input
-			}
-			if v == scanError {
-				dec.err = dec.scan.err
-				return 0, dec.scan.err
-			}
-		}
-		scanp = len(dec.buf)
-
-		// Did the last read have an error?
-		// Delayed until now to allow buffer scan.
-		if err != nil {
-			if err == io.EOF {
-				if dec.scan.step(&dec.scan, ' ') == scanEnd {
-					break Input
-				}
-				if nonSpace(dec.buf) {
-					err = io.ErrUnexpectedEOF
-				}
-			}
-			dec.err = err
-			return 0, err
-		}
-
-		n := scanp - dec.scanp
-		err = dec.refill()
-		scanp = dec.scanp + n
-	}
-	return scanp - dec.scanp, nil
-}
-
-func (dec *Decoder) refill() error {
-	// Make room to read more into the buffer.
-	// First slide down data already consumed.
-	if dec.scanp > 0 {
-		n := copy(dec.buf, dec.buf[dec.scanp:])
-		dec.buf = dec.buf[:n]
-		dec.scanp = 0
-	}
-
-	// Grow buffer if not large enough.
-	const minRead = 512
-	if cap(dec.buf)-len(dec.buf) < minRead {
-		newBuf := make([]byte, len(dec.buf), 2*cap(dec.buf)+minRead)
-		copy(newBuf, dec.buf)
-		dec.buf = newBuf
-	}
-
-	// Read.  Delay error for next iteration (after scan).
-	n, err := dec.r.Read(dec.buf[len(dec.buf):cap(dec.buf)])
-	dec.buf = dec.buf[0 : len(dec.buf)+n]
-
-	return err
-}
-
-func nonSpace(b []byte) bool {
-	for _, c := range b {
-		if !isSpace(rune(c)) {
-			return true
-		}
-	}
-	return false
-}
-
-// An Encoder writes JSON objects to an output stream.
-type Encoder struct {
-	w         io.Writer
-	err       error
-	canonical bool
-}
-
-// NewEncoder returns a new encoder that writes to w.
-func NewEncoder(w io.Writer) *Encoder {
-	return &Encoder{w: w}
-}
-
-// Canonical causes the encoder to switch to Canonical JSON mode.
-// Read more at: http://wiki.laptop.org/go/Canonical_JSON
-func (enc *Encoder) Canonical() { enc.canonical = true }
-
-// Encode writes the JSON encoding of v to the stream,
-// followed by a newline character.
-//
-// See the documentation for Marshal for details about the
-// conversion of Go values to JSON.
-func (enc *Encoder) Encode(v interface{}) error {
-	if enc.err != nil {
-		return enc.err
-	}
-	e := newEncodeState(enc.canonical)
-	err := e.marshal(v)
-	if err != nil {
-		return err
-	}
-
-	if !enc.canonical {
-		// Terminate each value with a newline.
-		// This makes the output look a little nicer
-		// when debugging, and some kind of space
-		// is required if the encoded value was a number,
-		// so that the reader knows there aren't more
-		// digits coming.
-		e.WriteByte('\n')
-	}
-
-	if _, err = enc.w.Write(e.Bytes()); err != nil {
-		enc.err = err
-	}
-	encodeStatePool.Put(e)
-	return err
-}
-
-// RawMessage is a raw encoded JSON object.
-// It implements Marshaler and Unmarshaler and can
-// be used to delay JSON decoding or precompute a JSON encoding.
-type RawMessage []byte
-
-// MarshalJSON returns *m as the JSON encoding of m.
-func (m *RawMessage) MarshalJSON() ([]byte, error) {
-	return *m, nil
-}
-
-// UnmarshalJSON sets *m to a copy of data.
-func (m *RawMessage) UnmarshalJSON(data []byte) error {
-	if m == nil {
-		return errors.New("json.RawMessage: UnmarshalJSON on nil pointer")
-	}
-	*m = append((*m)[0:0], data...)
-	return nil
-}
-
-var _ Marshaler = (*RawMessage)(nil)
-var _ Unmarshaler = (*RawMessage)(nil)
-
-// A Token holds a value of one of these types:
-//
-//	Delim, for the four JSON delimiters [ ] { }
-//	bool, for JSON booleans
-//	float64, for JSON numbers
-//	Number, for JSON numbers
-//	string, for JSON string literals
-//	nil, for JSON null
-//
-type Token interface{}
-
-const (
-	tokenTopValue = iota
-	tokenArrayStart
-	tokenArrayValue
-	tokenArrayComma
-	tokenObjectStart
-	tokenObjectKey
-	tokenObjectColon
-	tokenObjectValue
-	tokenObjectComma
-)
-
-// advance tokenstate from a separator state to a value state
-func (dec *Decoder) tokenPrepareForDecode() error {
-	// Note: Not calling peek before switch, to avoid
-	// putting peek into the standard Decode path.
-	// peek is only called when using the Token API.
-	switch dec.tokenState {
-	case tokenArrayComma:
-		c, err := dec.peek()
-		if err != nil {
-			return err
-		}
-		if c != ',' {
-			return &SyntaxError{"expected comma after array element", 0}
-		}
-		dec.scanp++
-		dec.tokenState = tokenArrayValue
-	case tokenObjectColon:
-		c, err := dec.peek()
-		if err != nil {
-			return err
-		}
-		if c != ':' {
-			return &SyntaxError{"expected colon after object key", 0}
-		}
-		dec.scanp++
-		dec.tokenState = tokenObjectValue
-	}
-	return nil
-}
-
-func (dec *Decoder) tokenValueAllowed() bool {
-	switch dec.tokenState {
-	case tokenTopValue, tokenArrayStart, tokenArrayValue, tokenObjectValue:
-		return true
-	}
-	return false
-}
-
-func (dec *Decoder) tokenValueEnd() {
-	switch dec.tokenState {
-	case tokenArrayStart, tokenArrayValue:
-		dec.tokenState = tokenArrayComma
-	case tokenObjectValue:
-		dec.tokenState = tokenObjectComma
-	}
-}
-
-// A Delim is a JSON array or object delimiter, one of [ ] { or }.
-type Delim rune
-
-func (d Delim) String() string {
-	return string(d)
-}
-
-// Token returns the next JSON token in the input stream.
-// At the end of the input stream, Token returns nil, io.EOF.
-//
-// Token guarantees that the delimiters [ ] { } it returns are
-// properly nested and matched: if Token encounters an unexpected
-// delimiter in the input, it will return an error.
-//
-// The input stream consists of basic JSON values—bool, string,
-// number, and null—along with delimiters [ ] { } of type Delim
-// to mark the start and end of arrays and objects.
-// Commas and colons are elided.
-func (dec *Decoder) Token() (Token, error) {
-	for {
-		c, err := dec.peek()
-		if err != nil {
-			return nil, err
-		}
-		switch c {
-		case '[':
-			if !dec.tokenValueAllowed() {
-				return dec.tokenError(c)
-			}
-			dec.scanp++
-			dec.tokenStack = append(dec.tokenStack, dec.tokenState)
-			dec.tokenState = tokenArrayStart
-			return Delim('['), nil
-
-		case ']':
-			if dec.tokenState != tokenArrayStart && dec.tokenState != tokenArrayComma {
-				return dec.tokenError(c)
-			}
-			dec.scanp++
-			dec.tokenState = dec.tokenStack[len(dec.tokenStack)-1]
-			dec.tokenStack = dec.tokenStack[:len(dec.tokenStack)-1]
-			dec.tokenValueEnd()
-			return Delim(']'), nil
-
-		case '{':
-			if !dec.tokenValueAllowed() {
-				return dec.tokenError(c)
-			}
-			dec.scanp++
-			dec.tokenStack = append(dec.tokenStack, dec.tokenState)
-			dec.tokenState = tokenObjectStart
-			return Delim('{'), nil
-
-		case '}':
-			if dec.tokenState != tokenObjectStart && dec.tokenState != tokenObjectComma {
-				return dec.tokenError(c)
-			}
-			dec.scanp++
-			dec.tokenState = dec.tokenStack[len(dec.tokenStack)-1]
-			dec.tokenStack = dec.tokenStack[:len(dec.tokenStack)-1]
-			dec.tokenValueEnd()
-			return Delim('}'), nil
-
-		case ':':
-			if dec.tokenState != tokenObjectColon {
-				return dec.tokenError(c)
-			}
-			dec.scanp++
-			dec.tokenState = tokenObjectValue
-			continue
-
-		case ',':
-			if dec.tokenState == tokenArrayComma {
-				dec.scanp++
-				dec.tokenState = tokenArrayValue
-				continue
-			}
-			if dec.tokenState == tokenObjectComma {
-				dec.scanp++
-				dec.tokenState = tokenObjectKey
-				continue
-			}
-			return dec.tokenError(c)
-
-		case '"':
-			if dec.tokenState == tokenObjectStart || dec.tokenState == tokenObjectKey {
-				var x string
-				old := dec.tokenState
-				dec.tokenState = tokenTopValue
-				err := dec.Decode(&x)
-				dec.tokenState = old
-				if err != nil {
-					clearOffset(err)
-					return nil, err
-				}
-				dec.tokenState = tokenObjectColon
-				return x, nil
-			}
-			fallthrough
-
-		default:
-			if !dec.tokenValueAllowed() {
-				return dec.tokenError(c)
-			}
-			var x interface{}
-			if err := dec.Decode(&x); err != nil {
-				clearOffset(err)
-				return nil, err
-			}
-			return x, nil
-		}
-	}
-}
-
-func clearOffset(err error) {
-	if s, ok := err.(*SyntaxError); ok {
-		s.Offset = 0
-	}
-}
-
-func (dec *Decoder) tokenError(c byte) (Token, error) {
-	var context string
-	switch dec.tokenState {
-	case tokenTopValue:
-		context = " looking for beginning of value"
-	case tokenArrayStart, tokenArrayValue, tokenObjectValue:
-		context = " looking for beginning of value"
-	case tokenArrayComma:
-		context = " after array element"
-	case tokenObjectKey:
-		context = " looking for beginning of object key string"
-	case tokenObjectColon:
-		context = " after object key"
-	case tokenObjectComma:
-		context = " after object key:value pair"
-	}
-	return nil, &SyntaxError{"invalid character " + quoteChar(int(c)) + " " + context, 0}
-}
-
-// More reports whether there is another element in the
-// current array or object being parsed.
-func (dec *Decoder) More() bool {
-	c, err := dec.peek()
-	return err == nil && c != ']' && c != '}'
-}
-
-func (dec *Decoder) peek() (byte, error) {
-	var err error
-	for {
-		for i := dec.scanp; i < len(dec.buf); i++ {
-			c := dec.buf[i]
-			if isSpace(rune(c)) {
-				continue
-			}
-			dec.scanp = i
-			return c, nil
-		}
-		// buffer has been scanned, now report any error
-		if err != nil {
-			return 0, err
-		}
-		err = dec.refill()
-	}
-}
-
-/*
-TODO
-
-// EncodeToken writes the given JSON token to the stream.
-// It returns an error if the delimiters [ ] { } are not properly used.
-//
-// EncodeToken does not call Flush, because usually it is part of
-// a larger operation such as Encode, and those will call Flush when finished.
-// Callers that create an Encoder and then invoke EncodeToken directly,
-// without using Encode, need to call Flush when finished to ensure that
-// the JSON is written to the underlying writer.
-func (e *Encoder) EncodeToken(t Token) error  {
-	...
-}
-
-*/

vendor/github.com/docker/go/canonical/json/tags.go

@@ -1,44 +0,0 @@
-// Copyright 2011 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package json
-
-import (
-	"strings"
-)
-
-// tagOptions is the string following a comma in a struct field's "json"
-// tag, or the empty string. It does not include the leading comma.
-type tagOptions string
-
-// parseTag splits a struct field's json tag into its name and
-// comma-separated options.
-func parseTag(tag string) (string, tagOptions) {
-	if idx := strings.Index(tag, ","); idx != -1 {
-		return tag[:idx], tagOptions(tag[idx+1:])
-	}
-	return tag, tagOptions("")
-}
-
-// Contains reports whether a comma-separated list of options
-// contains a particular substr flag. substr must be surrounded by a
-// string boundary or commas.
-func (o tagOptions) Contains(optionName string) bool {
-	if len(o) == 0 {
-		return false
-	}
-	s := string(o)
-	for s != "" {
-		var next string
-		i := strings.Index(s, ",")
-		if i >= 0 {
-			s, next = s[:i], s[i+1:]
-		}
-		if s == optionName {
-			return true
-		}
-		s = next
-	}
-	return false
-}

vendor/github.com/docker/notary/LICENSE

@@ -1,201 +0,0 @@
-Apache License
-                           Version 2.0, January 2004
-                        http://www.apache.org/licenses/
-
-   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
-
-   1. Definitions.
-
-      "License" shall mean the terms and conditions for use, reproduction,
-      and distribution as defined by Sections 1 through 9 of this document.
-
-      "Licensor" shall mean the copyright owner or entity authorized by
-      the copyright owner that is granting the License.
-
-      "Legal Entity" shall mean the union of the acting entity and all
-      other entities that control, are controlled by, or are under common
-      control with that entity. For the purposes of this definition,
-      "control" means (i) the power, direct or indirect, to cause the
-      direction or management of such entity, whether by contract or
-      otherwise, or (ii) ownership of fifty percent (50%) or more of the
-      outstanding shares, or (iii) beneficial ownership of such entity.
-
-      "You" (or "Your") shall mean an individual or Legal Entity
-      exercising permissions granted by this License.
-
-      "Source" form shall mean the preferred form for making modifications,
-      including but not limited to software source code, documentation
-      source, and configuration files.
-
-      "Object" form shall mean any form resulting from mechanical
-      transformation or translation of a Source form, including but
-      not limited to compiled object code, generated documentation,
-      and conversions to other media types.
-
-      "Work" shall mean the work of authorship, whether in Source or
-      Object form, made available under the License, as indicated by a
-      copyright notice that is included in or attached to the work
-      (an example is provided in the Appendix below).
-
-      "Derivative Works" shall mean any work, whether in Source or Object
-      form, that is based on (or derived from) the Work and for which the
-      editorial revisions, annotations, elaborations, or other modifications
-      represent, as a whole, an original work of authorship. For the purposes
-      of this License, Derivative Works shall not include works that remain
-      separable from, or merely link (or bind by name) to the interfaces of,
-      the Work and Derivative Works thereof.
-
-      "Contribution" shall mean any work of authorship, including
-      the original version of the Work and any modifications or additions
-      to that Work or Derivative Works thereof, that is intentionally
-      submitted to Licensor for inclusion in the Work by the copyright owner
-      or by an individual or Legal Entity authorized to submit on behalf of
-      the copyright owner. For the purposes of this definition, "submitted"
-      means any form of electronic, verbal, or written communication sent
-      to the Licensor or its representatives, including but not limited to
-      communication on electronic mailing lists, source code control systems,
-      and issue tracking systems that are managed by, or on behalf of, the
-      Licensor for the purpose of discussing and improving the Work, but
-      excluding communication that is conspicuously marked or otherwise
-      designated in writing by the copyright owner as "Not a Contribution."
-
-      "Contributor" shall mean Licensor and any individual or Legal Entity
-      on behalf of whom a Contribution has been received by Licensor and
-      subsequently incorporated within the Work.
-
-   2. Grant of Copyright License. Subject to the terms and conditions of
-      this License, each Contributor hereby grants to You a perpetual,
-      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
-      copyright license to reproduce, prepare Derivative Works of,
-      publicly display, publicly perform, sublicense, and distribute the
-      Work and such Derivative Works in Source or Object form.
-
-   3. Grant of Patent License. Subject to the terms and conditions of
-      this License, each Contributor hereby grants to You a perpetual,
-      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
-      (except as stated in this section) patent license to make, have made,
-      use, offer to sell, sell, import, and otherwise transfer the Work,
-      where such license applies only to those patent claims licensable
-      by such Contributor that are necessarily infringed by their
-      Contribution(s) alone or by combination of their Contribution(s)
-      with the Work to which such Contribution(s) was submitted. If You
-      institute patent litigation against any entity (including a
-      cross-claim or counterclaim in a lawsuit) alleging that the Work
-      or a Contribution incorporated within the Work constitutes direct
-      or contributory patent infringement, then any patent licenses
-      granted to You under this License for that Work shall terminate
-      as of the date such litigation is filed.
-
-   4. Redistribution. You may reproduce and distribute copies of the
-      Work or Derivative Works thereof in any medium, with or without
-      modifications, and in Source or Object form, provided that You
-      meet the following conditions:
-
-      (a) You must give any other recipients of the Work or
-          Derivative Works a copy of this License; and
-
-      (b) You must cause any modified files to carry prominent notices
-          stating that You changed the files; and
-
-      (c) You must retain, in the Source form of any Derivative Works
-          that You distribute, all copyright, patent, trademark, and
-          attribution notices from the Source form of the Work,
-          excluding those notices that do not pertain to any part of
-          the Derivative Works; and
-
-      (d) If the Work includes a "NOTICE" text file as part of its
-          distribution, then any Derivative Works that You distribute must
-          include a readable copy of the attribution notices contained
-          within such NOTICE file, excluding those notices that do not
-          pertain to any part of the Derivative Works, in at least one
-          of the following places: within a NOTICE text file distributed
-          as part of the Derivative Works; within the Source form or
-          documentation, if provided along with the Derivative Works; or,
-          within a display generated by the Derivative Works, if and
-          wherever such third-party notices normally appear. The contents
-          of the NOTICE file are for informational purposes only and
-          do not modify the License. You may add Your own attribution
-          notices within Derivative Works that You distribute, alongside
-          or as an addendum to the NOTICE text from the Work, provided
-          that such additional attribution notices cannot be construed
-          as modifying the License.
-
-      You may add Your own copyright statement to Your modifications and
-      may provide additional or different license terms and conditions
-      for use, reproduction, or distribution of Your modifications, or
-      for any such Derivative Works as a whole, provided Your use,
-      reproduction, and distribution of the Work otherwise complies with
-      the conditions stated in this License.
-
-   5. Submission of Contributions. Unless You explicitly state otherwise,
-      any Contribution intentionally submitted for inclusion in the Work
-      by You to the Licensor shall be under the terms and conditions of
-      this License, without any additional terms or conditions.
-      Notwithstanding the above, nothing herein shall supersede or modify
-      the terms of any separate license agreement you may have executed
-      with Licensor regarding such Contributions.
-
-   6. Trademarks. This License does not grant permission to use the trade
-      names, trademarks, service marks, or product names of the Licensor,
-      except as required for reasonable and customary use in describing the
-      origin of the Work and reproducing the content of the NOTICE file.
-
-   7. Disclaimer of Warranty. Unless required by applicable law or
-      agreed to in writing, Licensor provides the Work (and each
-      Contributor provides its Contributions) on an "AS IS" BASIS,
-      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
-      implied, including, without limitation, any warranties or conditions
-      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
-      PARTICULAR PURPOSE. You are solely responsible for determining the
-      appropriateness of using or redistributing the Work and assume any
-      risks associated with Your exercise of permissions under this License.
-
-   8. Limitation of Liability. In no event and under no legal theory,
-      whether in tort (including negligence), contract, or otherwise,
-      unless required by applicable law (such as deliberate and grossly
-      negligent acts) or agreed to in writing, shall any Contributor be
-      liable to You for damages, including any direct, indirect, special,
-      incidental, or consequential damages of any character arising as a
-      result of this License or out of the use or inability to use the
-      Work (including but not limited to damages for loss of goodwill,
-      work stoppage, computer failure or malfunction, or any and all
-      other commercial damages or losses), even if such Contributor
-      has been advised of the possibility of such damages.
-
-   9. Accepting Warranty or Additional Liability. While redistributing
-      the Work or Derivative Works thereof, You may choose to offer,
-      and charge a fee for, acceptance of support, warranty, indemnity,
-      or other liability obligations and/or rights consistent with this
-      License. However, in accepting such obligations, You may act only
-      on Your own behalf and on Your sole responsibility, not on behalf
-      of any other Contributor, and only if You agree to indemnify,
-      defend, and hold each Contributor harmless for any liability
-      incurred by, or claims asserted against, such Contributor by reason
-      of your accepting any such warranty or additional liability.
-
-   END OF TERMS AND CONDITIONS
-
-   APPENDIX: How to apply the Apache License to your work.
-
-      To apply the Apache License to your work, attach the following
-      boilerplate notice, with the fields enclosed by brackets "{}"
-      replaced with your own identifying information. (Don't include
-      the brackets!)  The text should be enclosed in the appropriate
-      comment syntax for the file format. We also recommend that a
-      file or class name and description of purpose be included on the
-      same "printed page" as the copyright notice for easier
-      identification within third-party archives.
-
-   Copyright 2015 Docker, Inc.
-
-   Licensed under the Apache License, Version 2.0 (the "License");
-   you may not use this file except in compliance with the License.
-   You may obtain a copy of the License at
-
-       http://www.apache.org/licenses/LICENSE-2.0
-
-   Unless required by applicable law or agreed to in writing, software
-   distributed under the License is distributed on an "AS IS" BASIS,
-   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-   See the License for the specific language governing permissions and
-   limitations under the License.

vendor/github.com/docker/notary/README.md

@@ -1,100 +0,0 @@
-# Notary
-[![Circle CI](https://circleci.com/gh/docker/notary/tree/master.svg?style=shield)](https://circleci.com/gh/docker/notary/tree/master) [![CodeCov](https://codecov.io/github/docker/notary/coverage.svg?branch=master)](https://codecov.io/github/docker/notary) [![GoReportCard](https://goreportcard.com/badge/docker/notary)](https://goreportcard.com/report/github.com/docker/notary)
-
-The Notary project comprises a [server](cmd/notary-server) and a [client](cmd/notary) for running and interacting
-with trusted collections.  Please see the [service architecture](docs/service_architecture.md) documentation
-for more information.
-
-
-Notary aims to make the internet more secure by making it easy for people to
-publish and verify content. We often rely on TLS to secure our communications
-with a web server which is inherently flawed, as any compromise of the server
-enables malicious content to be substituted for the legitimate content.
-
-With Notary, publishers can sign their content offline using keys kept highly
-secure. Once the publisher is ready to make the content available, they can
-push their signed trusted collection to a Notary Server.
-
-Consumers, having acquired the publisher's public key through a secure channel,
-can then communicate with any notary server or (insecure) mirror, relying
-only on the publisher's key to determine the validity and integrity of the
-received content.
-
-## Goals
-
-Notary is based on [The Update Framework](https://www.theupdateframework.com/), a secure general design for the problem of software distribution and updates. By using TUF, notary achieves a number of key advantages:
-
-* **Survivable Key Compromise**: Content publishers must manage keys in order to sign their content. Signing keys may be compromised or lost so systems must be designed in order to be flexible and recoverable in the case of key compromise. TUF's notion of key roles is utilized to separate responsibilities across a hierarchy of keys such that loss of any particular key (except the root role) by itself is not fatal to the security of the system.
-* **Freshness Guarantees**: Replay attacks are a common problem in designing secure systems, where previously valid payloads are replayed to trick another system. The same problem exists in the software update systems, where old signed can be presented as the most recent. notary makes use of timestamping on publishing so that consumers can know that they are receiving the most up to date content. This is particularly important when dealing with software update where old vulnerable versions could be used to attack users.
-* **Configurable Trust Thresholds**: Oftentimes there are a large number of publishers that are allowed to publish a particular piece of content. For example, open source projects where there are a number of core maintainers. Trust thresholds can be used so that content consumers require a configurable number of signatures on a piece of content in order to trust it. Using thresholds increases security so that loss of individual signing keys doesn't allow publishing of malicious content.
-* **Signing Delegation**: To allow for flexible publishing of trusted collections, a content publisher can delegate part of their collection to another signer. This delegation is represented as signed metadata so that a consumer of the content can verify both the content and the delegation.
-* **Use of Existing Distribution**: Notary's trust guarantees are not tied at all to particular distribution channels from which content is delivered. Therefore, trust can be added to any existing content delivery mechanism.
-* **Untrusted Mirrors and Transport**: All of the notary metadata can be mirrored and distributed via arbitrary channels.
-
-## Security
-
-Please see our [service architecture docs](docs/service_architecture.md#threat-model) for more information about our threat model, which details the varying survivability and severities for key compromise as well as mitigations.
-
-Our last security audit was on July 31, 2015 by NCC ([results](docs/resources/ncc_docker_notary_audit_2015_07_31.pdf)).
-
-Any security vulnerabilities can be reported to security@docker.com.
-
-# Getting started with the Notary CLI
-
-Please get the Notary Client CLI binary from [the official releases page](https://github.com/docker/notary/releases) or you can [build one yourself](#building-notary).
-The version of Notary server and signer should be greater than or equal to Notary CLI's version to ensure feature compatibility (ex: CLI version 0.2, server/signer version >= 0.2), and all official releases are associated with GitHub tags.
-
-To use the Notary CLI with Docker hub images, please have a look at our
-[getting started docs](docs/getting_started.md).
-
-For more advanced usage, please see the
-[advanced usage docs](docs/advanced_usage.md).
-
-To use the CLI against a local Notary server rather than against Docker Hub:
-
-1. Please ensure that you have [docker and docker-compose](http://docs.docker.com/compose/install/) installed.
-1. `git clone https://github.com/docker/notary.git` and from the cloned repository path,
-    start up a local Notary server and signer and copy the config file and testing certs to your
-    local notary config directory:
-
-    ```sh
-    $ docker-compose build
-    $ docker-compose up -d
-    $ mkdir -p ~/.notary && cp cmd/notary/config.json cmd/notary/root-ca.crt ~/.notary
-    ```
-
-1. Add `127.0.0.1 notary-server` to your `/etc/hosts`, or if using docker-machine,
-    add `$(docker-machine ip) notary-server`).
-
-You can run through the examples in the
-[getting started docs](docs/getting_started.md) and
-[advanced usage docs](docs/advanced_usage.md), but
-without the `-s` (server URL) argument to the `notary` command since the server
-URL is specified already in the configuration, file you copied.
-
-You can also leave off the `-d ~/.docker/trust` argument if you do not care
-to use `notary` with Docker images.
-
-
-## Building Notary
-
-Prerequisites:
-
-- Go >= 1.7
-
-- [godep](https://github.com/tools/godep) installed
-- libtool development headers installed
-    - Ubuntu: `apt-get install libltdl-dev`
-    - CentOS/RedHat: `yum install libtool-ltdl-devel`
-    - Mac OS ([Homebrew](http://brew.sh/)): `brew install libtool`
-
-Run `make binaries`, which creates the Notary Client CLI binary at `bin/notary`.
-Note that `make binaries` assumes a standard Go directory structure, in which
-Notary is checked out to the `src` directory in your `GOPATH`. For example:
-```
-$GOPATH/
-    src/
-        github.com/
-            docker/
-                notary/
-```

vendor/github.com/docker/notary/client/changelist/change.go

@@ -1,102 +0,0 @@
-package changelist
-
-import (
-	"github.com/docker/notary/tuf/data"
-)
-
-// Scopes for TUFChanges are simply the TUF roles.
-// Unfortunately because of targets delegations, we can only
-// cover the base roles.
-const (
-	ScopeRoot      = "root"
-	ScopeTargets   = "targets"
-	ScopeSnapshot  = "snapshot"
-	ScopeTimestamp = "timestamp"
-)
-
-// Types for TUFChanges are namespaced by the Role they
-// are relevant for. The Root and Targets roles are the
-// only ones for which user action can cause a change, as
-// all changes in Snapshot and Timestamp are programmatically
-// generated base on Root and Targets changes.
-const (
-	TypeRootRole          = "role"
-	TypeTargetsTarget     = "target"
-	TypeTargetsDelegation = "delegation"
-	TypeWitness           = "witness"
-)
-
-// TUFChange represents a change to a TUF repo
-type TUFChange struct {
-	// Abbreviated because Go doesn't permit a field and method of the same name
-	Actn       string `json:"action"`
-	Role       string `json:"role"`
-	ChangeType string `json:"type"`
-	ChangePath string `json:"path"`
-	Data       []byte `json:"data"`
-}
-
-// TUFRootData represents a modification of the keys associated
-// with a role that appears in the root.json
-type TUFRootData struct {
-	Keys     data.KeyList `json:"keys"`
-	RoleName string       `json:"role"`
-}
-
-// NewTUFChange initializes a TUFChange object
-func NewTUFChange(action string, role, changeType, changePath string, content []byte) *TUFChange {
-	return &TUFChange{
-		Actn:       action,
-		Role:       role,
-		ChangeType: changeType,
-		ChangePath: changePath,
-		Data:       content,
-	}
-}
-
-// Action return c.Actn
-func (c TUFChange) Action() string {
-	return c.Actn
-}
-
-// Scope returns c.Role
-func (c TUFChange) Scope() string {
-	return c.Role
-}
-
-// Type returns c.ChangeType
-func (c TUFChange) Type() string {
-	return c.ChangeType
-}
-
-// Path return c.ChangePath
-func (c TUFChange) Path() string {
-	return c.ChangePath
-}
-
-// Content returns c.Data
-func (c TUFChange) Content() []byte {
-	return c.Data
-}
-
-// TUFDelegation represents a modification to a target delegation
-// this includes creating a delegations. This format is used to avoid
-// unexpected race conditions between humans modifying the same delegation
-type TUFDelegation struct {
-	NewName       string       `json:"new_name,omitempty"`
-	NewThreshold  int          `json:"threshold, omitempty"`
-	AddKeys       data.KeyList `json:"add_keys, omitempty"`
-	RemoveKeys    []string     `json:"remove_keys,omitempty"`
-	AddPaths      []string     `json:"add_paths,omitempty"`
-	RemovePaths   []string     `json:"remove_paths,omitempty"`
-	ClearAllPaths bool         `json:"clear_paths,omitempty"`
-}
-
-// ToNewRole creates a fresh role object from the TUFDelegation data
-func (td TUFDelegation) ToNewRole(scope string) (*data.Role, error) {
-	name := scope
-	if td.NewName != "" {
-		name = td.NewName
-	}
-	return data.NewRole(name, td.NewThreshold, td.AddKeys.IDs(), td.AddPaths)
-}

vendor/github.com/docker/notary/client/changelist/changelist.go

@@ -1,77 +0,0 @@
-package changelist
-
-// memChangeList implements a simple in memory change list.
-type memChangelist struct {
-	changes []Change
-}
-
-// NewMemChangelist instantiates a new in-memory changelist
-func NewMemChangelist() Changelist {
-	return &memChangelist{}
-}
-
-// List returns a list of Changes
-func (cl memChangelist) List() []Change {
-	return cl.changes
-}
-
-// Add adds a change to the in-memory change list
-func (cl *memChangelist) Add(c Change) error {
-	cl.changes = append(cl.changes, c)
-	return nil
-}
-
-// Remove deletes the changes found at the given indices
-func (cl *memChangelist) Remove(idxs []int) error {
-	remove := make(map[int]struct{})
-	for _, i := range idxs {
-		remove[i] = struct{}{}
-	}
-	var keep []Change
-
-	for i, c := range cl.changes {
-		if _, ok := remove[i]; ok {
-			continue
-		}
-		keep = append(keep, c)
-	}
-	cl.changes = keep
-	return nil
-}
-
-// Clear empties the changelist file.
-func (cl *memChangelist) Clear(archive string) error {
-	// appending to a nil list initializes it.
-	cl.changes = nil
-	return nil
-}
-
-// Close is a no-op in this in-memory change-list
-func (cl *memChangelist) Close() error {
-	return nil
-}
-
-func (cl *memChangelist) NewIterator() (ChangeIterator, error) {
-	return &MemChangeListIterator{index: 0, collection: cl.changes}, nil
-}
-
-// MemChangeListIterator is a concrete instance of ChangeIterator
-type MemChangeListIterator struct {
-	index      int
-	collection []Change // Same type as memChangeList.changes
-}
-
-// Next returns the next Change
-func (m *MemChangeListIterator) Next() (item Change, err error) {
-	if m.index >= len(m.collection) {
-		return nil, IteratorBoundsError(m.index)
-	}
-	item = m.collection[m.index]
-	m.index++
-	return item, err
-}
-
-// HasNext indicates whether the iterator is exhausted
-func (m *MemChangeListIterator) HasNext() bool {
-	return m.index < len(m.collection)
-}

vendor/github.com/docker/notary/client/changelist/file_changelist.go

@@ -1,197 +0,0 @@
-package changelist
-
-import (
-	"encoding/json"
-	"fmt"
-	"io/ioutil"
-	"os"
-	"sort"
-	"time"
-
-	"github.com/Sirupsen/logrus"
-	"github.com/docker/distribution/uuid"
-	"path/filepath"
-)
-
-// FileChangelist stores all the changes as files
-type FileChangelist struct {
-	dir string
-}
-
-// NewFileChangelist is a convenience method for returning FileChangeLists
-func NewFileChangelist(dir string) (*FileChangelist, error) {
-	logrus.Debug("Making dir path: ", dir)
-	err := os.MkdirAll(dir, 0700)
-	if err != nil {
-		return nil, err
-	}
-	return &FileChangelist{dir: dir}, nil
-}
-
-// getFileNames reads directory, filtering out child directories
-func getFileNames(dirName string) ([]os.FileInfo, error) {
-	var dirListing, fileInfos []os.FileInfo
-	dir, err := os.Open(dirName)
-	if err != nil {
-		return fileInfos, err
-	}
-	defer dir.Close()
-	dirListing, err = dir.Readdir(0)
-	if err != nil {
-		return fileInfos, err
-	}
-	for _, f := range dirListing {
-		if f.IsDir() {
-			continue
-		}
-		fileInfos = append(fileInfos, f)
-	}
-	sort.Sort(fileChanges(fileInfos))
-	return fileInfos, nil
-}
-
-// Read a JSON formatted file from disk; convert to TUFChange struct
-func unmarshalFile(dirname string, f os.FileInfo) (*TUFChange, error) {
-	c := &TUFChange{}
-	raw, err := ioutil.ReadFile(filepath.Join(dirname, f.Name()))
-	if err != nil {
-		return c, err
-	}
-	err = json.Unmarshal(raw, c)
-	if err != nil {
-		return c, err
-	}
-	return c, nil
-}
-
-// List returns a list of sorted changes
-func (cl FileChangelist) List() []Change {
-	var changes []Change
-	fileInfos, err := getFileNames(cl.dir)
-	if err != nil {
-		return changes
-	}
-	for _, f := range fileInfos {
-		c, err := unmarshalFile(cl.dir, f)
-		if err != nil {
-			logrus.Warn(err.Error())
-			continue
-		}
-		changes = append(changes, c)
-	}
-	return changes
-}
-
-// Add adds a change to the file change list
-func (cl FileChangelist) Add(c Change) error {
-	cJSON, err := json.Marshal(c)
-	if err != nil {
-		return err
-	}
-	filename := fmt.Sprintf("%020d_%s.change", time.Now().UnixNano(), uuid.Generate())
-	return ioutil.WriteFile(filepath.Join(cl.dir, filename), cJSON, 0644)
-}
-
-// Remove deletes the changes found at the given indices
-func (cl FileChangelist) Remove(idxs []int) error {
-	fileInfos, err := getFileNames(cl.dir)
-	if err != nil {
-		return err
-	}
-	remove := make(map[int]struct{})
-	for _, i := range idxs {
-		remove[i] = struct{}{}
-	}
-	for i, c := range fileInfos {
-		if _, ok := remove[i]; ok {
-			file := filepath.Join(cl.dir, c.Name())
-			if err := os.Remove(file); err != nil {
-				logrus.Errorf("could not remove change %d: %s", i, err.Error())
-			}
-		}
-	}
-	return nil
-}
-
-// Clear clears the change list
-// N.B. archiving not currently implemented
-func (cl FileChangelist) Clear(archive string) error {
-	dir, err := os.Open(cl.dir)
-	if err != nil {
-		return err
-	}
-	defer dir.Close()
-	files, err := dir.Readdir(0)
-	if err != nil {
-		return err
-	}
-	for _, f := range files {
-		os.Remove(filepath.Join(cl.dir, f.Name()))
-	}
-	return nil
-}
-
-// Close is a no-op
-func (cl FileChangelist) Close() error {
-	// Nothing to do here
-	return nil
-}
-
-// NewIterator creates an iterator from FileChangelist
-func (cl FileChangelist) NewIterator() (ChangeIterator, error) {
-	fileInfos, err := getFileNames(cl.dir)
-	if err != nil {
-		return &FileChangeListIterator{}, err
-	}
-	return &FileChangeListIterator{dirname: cl.dir, collection: fileInfos}, nil
-}
-
-// IteratorBoundsError is an Error type used by Next()
-type IteratorBoundsError int
-
-// Error implements the Error interface
-func (e IteratorBoundsError) Error() string {
-	return fmt.Sprintf("Iterator index (%d) out of bounds", e)
-}
-
-// FileChangeListIterator is a concrete instance of ChangeIterator
-type FileChangeListIterator struct {
-	index      int
-	dirname    string
-	collection []os.FileInfo
-}
-
-// Next returns the next Change in the FileChangeList
-func (m *FileChangeListIterator) Next() (item Change, err error) {
-	if m.index >= len(m.collection) {
-		return nil, IteratorBoundsError(m.index)
-	}
-	f := m.collection[m.index]
-	m.index++
-	item, err = unmarshalFile(m.dirname, f)
-	return
-}
-
-// HasNext indicates whether iterator is exhausted
-func (m *FileChangeListIterator) HasNext() bool {
-	return m.index < len(m.collection)
-}
-
-type fileChanges []os.FileInfo
-
-// Len returns the length of a file change list
-func (cs fileChanges) Len() int {
-	return len(cs)
-}
-
-// Less compares the names of two different file changes
-func (cs fileChanges) Less(i, j int) bool {
-	return cs[i].Name() < cs[j].Name()
-}
-
-// Swap swaps the position of two file changes
-func (cs fileChanges) Swap(i, j int) {
-	tmp := cs[i]
-	cs[i] = cs[j]
-	cs[j] = tmp
-}

vendor/github.com/docker/notary/client/changelist/interface.go

@@ -1,73 +0,0 @@
-package changelist
-
-// Changelist is the interface for all TUF change lists
-type Changelist interface {
-	// List returns the ordered list of changes
-	// currently stored
-	List() []Change
-
-	// Add change appends the provided change to
-	// the list of changes
-	Add(Change) error
-
-	// Clear empties the current change list.
-	// Archive may be provided as a directory path
-	// to save a copy of the changelist in that location
-	Clear(archive string) error
-
-	// Remove deletes the changes corresponding with the indices given
-	Remove(idxs []int) error
-
-	// Close syncronizes any pending writes to the underlying
-	// storage and closes the file/connection
-	Close() error
-
-	// NewIterator returns an iterator for walking through the list
-	// of changes currently stored
-	NewIterator() (ChangeIterator, error)
-}
-
-const (
-	// ActionCreate represents a Create action
-	ActionCreate = "create"
-	// ActionUpdate represents an Update action
-	ActionUpdate = "update"
-	// ActionDelete represents a Delete action
-	ActionDelete = "delete"
-)
-
-// Change is the interface for a TUF Change
-type Change interface {
-	// "create","update", or "delete"
-	Action() string
-
-	// Where the change should be made.
-	// For TUF this will be the role
-	Scope() string
-
-	// The content type being affected.
-	// For TUF this will be "target", or "delegation".
-	// If the type is "delegation", the Scope will be
-	// used to determine if a root role is being updated
-	// or a target delegation.
-	Type() string
-
-	// Path indicates the entry within a role to be affected by the
-	// change. For targets, this is simply the target's path,
-	// for delegations it's the delegated role name.
-	Path() string
-
-	// Serialized content that the interpreter of a changelist
-	// can use to apply the change.
-	// For TUF this will be the serialized JSON that needs
-	// to be inserted or merged. In the case of a "delete"
-	// action, it will be nil.
-	Content() []byte
-}
-
-// ChangeIterator is the interface for iterating across collections of
-// TUF Change items
-type ChangeIterator interface {
-	Next() (Change, error)
-	HasNext() bool
-}

vendor/github.com/docker/notary/client/client.go

@@ -1,1014 +0,0 @@
-package client
-
-import (
-	"bytes"
-	"encoding/json"
-	"fmt"
-	"io/ioutil"
-	"net/http"
-	"net/url"
-	"os"
-	"path/filepath"
-	"strings"
-	"time"
-
-	"github.com/Sirupsen/logrus"
-	"github.com/docker/notary"
-	"github.com/docker/notary/client/changelist"
-	"github.com/docker/notary/cryptoservice"
-	store "github.com/docker/notary/storage"
-	"github.com/docker/notary/trustmanager"
-	"github.com/docker/notary/trustpinning"
-	"github.com/docker/notary/tuf"
-	"github.com/docker/notary/tuf/data"
-	"github.com/docker/notary/tuf/signed"
-	"github.com/docker/notary/tuf/utils"
-)
-
-func init() {
-	data.SetDefaultExpiryTimes(notary.NotaryDefaultExpiries)
-}
-
-// ErrRepoNotInitialized is returned when trying to publish an uninitialized
-// notary repository
-type ErrRepoNotInitialized struct{}
-
-func (err ErrRepoNotInitialized) Error() string {
-	return "repository has not been initialized"
-}
-
-// ErrInvalidRemoteRole is returned when the server is requested to manage
-// a key type that is not permitted
-type ErrInvalidRemoteRole struct {
-	Role string
-}
-
-func (err ErrInvalidRemoteRole) Error() string {
-	return fmt.Sprintf(
-		"notary does not permit the server managing the %s key", err.Role)
-}
-
-// ErrInvalidLocalRole is returned when the client wants to manage
-// a key type that is not permitted
-type ErrInvalidLocalRole struct {
-	Role string
-}
-
-func (err ErrInvalidLocalRole) Error() string {
-	return fmt.Sprintf(
-		"notary does not permit the client managing the %s key", err.Role)
-}
-
-// ErrRepositoryNotExist is returned when an action is taken on a remote
-// repository that doesn't exist
-type ErrRepositoryNotExist struct {
-	remote string
-	gun    string
-}
-
-func (err ErrRepositoryNotExist) Error() string {
-	return fmt.Sprintf("%s does not have trust data for %s", err.remote, err.gun)
-}
-
-const (
-	tufDir = "tuf"
-)
-
-// NotaryRepository stores all the information needed to operate on a notary
-// repository.
-type NotaryRepository struct {
-	baseDir       string
-	gun           string
-	baseURL       string
-	tufRepoPath   string
-	fileStore     store.MetadataStore
-	CryptoService signed.CryptoService
-	tufRepo       *tuf.Repo
-	invalid       *tuf.Repo // known data that was parsable but deemed invalid
-	roundTrip     http.RoundTripper
-	trustPinning  trustpinning.TrustPinConfig
-}
-
-// repositoryFromKeystores is a helper function for NewNotaryRepository that
-// takes some basic NotaryRepository parameters as well as keystores (in order
-// of usage preference), and returns a NotaryRepository.
-func repositoryFromKeystores(baseDir, gun, baseURL string, rt http.RoundTripper,
-	keyStores []trustmanager.KeyStore, trustPin trustpinning.TrustPinConfig) (*NotaryRepository, error) {
-
-	cryptoService := cryptoservice.NewCryptoService(keyStores...)
-
-	nRepo := &NotaryRepository{
-		gun:           gun,
-		baseDir:       baseDir,
-		baseURL:       baseURL,
-		tufRepoPath:   filepath.Join(baseDir, tufDir, filepath.FromSlash(gun)),
-		CryptoService: cryptoService,
-		roundTrip:     rt,
-		trustPinning:  trustPin,
-	}
-
-	fileStore, err := store.NewFilesystemStore(
-		nRepo.tufRepoPath,
-		"metadata",
-		"json",
-	)
-	if err != nil {
-		return nil, err
-	}
-	nRepo.fileStore = fileStore
-
-	return nRepo, nil
-}
-
-// Target represents a simplified version of the data TUF operates on, so external
-// applications don't have to depend on TUF data types.
-type Target struct {
-	Name   string      // the name of the target
-	Hashes data.Hashes // the hash of the target
-	Length int64       // the size in bytes of the target
-}
-
-// TargetWithRole represents a Target that exists in a particular role - this is
-// produced by ListTargets and GetTargetByName
-type TargetWithRole struct {
-	Target
-	Role string
-}
-
-// NewTarget is a helper method that returns a Target
-func NewTarget(targetName string, targetPath string) (*Target, error) {
-	b, err := ioutil.ReadFile(targetPath)
-	if err != nil {
-		return nil, err
-	}
-
-	meta, err := data.NewFileMeta(bytes.NewBuffer(b), data.NotaryDefaultHashes...)
-	if err != nil {
-		return nil, err
-	}
-
-	return &Target{Name: targetName, Hashes: meta.Hashes, Length: meta.Length}, nil
-}
-
-func rootCertKey(gun string, privKey data.PrivateKey) (data.PublicKey, error) {
-	// Hard-coded policy: the generated certificate expires in 10 years.
-	startTime := time.Now()
-	cert, err := cryptoservice.GenerateCertificate(
-		privKey, gun, startTime, startTime.Add(notary.Year*10))
-	if err != nil {
-		return nil, err
-	}
-
-	x509PublicKey := utils.CertToKey(cert)
-	if x509PublicKey == nil {
-		return nil, fmt.Errorf(
-			"cannot use regenerated certificate: format %s", cert.PublicKeyAlgorithm)
-	}
-
-	return x509PublicKey, nil
-}
-
-// Initialize creates a new repository by using rootKey as the root Key for the
-// TUF repository. The server must be reachable (and is asked to generate a
-// timestamp key and possibly other serverManagedRoles), but the created repository
-// result is only stored on local disk, not published to the server. To do that,
-// use r.Publish() eventually.
-func (r *NotaryRepository) Initialize(rootKeyIDs []string, serverManagedRoles ...string) error {
-	privKeys := make([]data.PrivateKey, 0, len(rootKeyIDs))
-	for _, keyID := range rootKeyIDs {
-		privKey, _, err := r.CryptoService.GetPrivateKey(keyID)
-		if err != nil {
-			return err
-		}
-		privKeys = append(privKeys, privKey)
-	}
-
-	// currently we only support server managing timestamps and snapshots, and
-	// nothing else - timestamps are always managed by the server, and implicit
-	// (do not have to be passed in as part of `serverManagedRoles`, so that
-	// the API of Initialize doesn't change).
-	var serverManagesSnapshot bool
-	locallyManagedKeys := []string{
-		data.CanonicalTargetsRole,
-		data.CanonicalSnapshotRole,
-		// root is also locally managed, but that should have been created
-		// already
-	}
-	remotelyManagedKeys := []string{data.CanonicalTimestampRole}
-	for _, role := range serverManagedRoles {
-		switch role {
-		case data.CanonicalTimestampRole:
-			continue // timestamp is already in the right place
-		case data.CanonicalSnapshotRole:
-			// because we put Snapshot last
-			locallyManagedKeys = []string{data.CanonicalTargetsRole}
-			remotelyManagedKeys = append(
-				remotelyManagedKeys, data.CanonicalSnapshotRole)
-			serverManagesSnapshot = true
-		default:
-			return ErrInvalidRemoteRole{Role: role}
-		}
-	}
-
-	rootKeys := make([]data.PublicKey, 0, len(privKeys))
-	for _, privKey := range privKeys {
-		rootKey, err := rootCertKey(r.gun, privKey)
-		if err != nil {
-			return err
-		}
-		rootKeys = append(rootKeys, rootKey)
-	}
-
-	var (
-		rootRole = data.NewBaseRole(
-			data.CanonicalRootRole,
-			notary.MinThreshold,
-			rootKeys...,
-		)
-		timestampRole data.BaseRole
-		snapshotRole  data.BaseRole
-		targetsRole   data.BaseRole
-	)
-
-	// we want to create all the local keys first so we don't have to
-	// make unnecessary network calls
-	for _, role := range locallyManagedKeys {
-		// This is currently hardcoding the keys to ECDSA.
-		key, err := r.CryptoService.Create(role, r.gun, data.ECDSAKey)
-		if err != nil {
-			return err
-		}
-		switch role {
-		case data.CanonicalSnapshotRole:
-			snapshotRole = data.NewBaseRole(
-				role,
-				notary.MinThreshold,
-				key,
-			)
-		case data.CanonicalTargetsRole:
-			targetsRole = data.NewBaseRole(
-				role,
-				notary.MinThreshold,
-				key,
-			)
-		}
-	}
-	for _, role := range remotelyManagedKeys {
-		// This key is generated by the remote server.
-		key, err := getRemoteKey(r.baseURL, r.gun, role, r.roundTrip)
-		if err != nil {
-			return err
-		}
-		logrus.Debugf("got remote %s %s key with keyID: %s",
-			role, key.Algorithm(), key.ID())
-		switch role {
-		case data.CanonicalSnapshotRole:
-			snapshotRole = data.NewBaseRole(
-				role,
-				notary.MinThreshold,
-				key,
-			)
-		case data.CanonicalTimestampRole:
-			timestampRole = data.NewBaseRole(
-				role,
-				notary.MinThreshold,
-				key,
-			)
-		}
-	}
-
-	r.tufRepo = tuf.NewRepo(r.CryptoService)
-
-	err := r.tufRepo.InitRoot(
-		rootRole,
-		timestampRole,
-		snapshotRole,
-		targetsRole,
-		false,
-	)
-	if err != nil {
-		logrus.Debug("Error on InitRoot: ", err.Error())
-		return err
-	}
-	_, err = r.tufRepo.InitTargets(data.CanonicalTargetsRole)
-	if err != nil {
-		logrus.Debug("Error on InitTargets: ", err.Error())
-		return err
-	}
-	err = r.tufRepo.InitSnapshot()
-	if err != nil {
-		logrus.Debug("Error on InitSnapshot: ", err.Error())
-		return err
-	}
-
-	return r.saveMetadata(serverManagesSnapshot)
-}
-
-// adds a TUF Change template to the given roles
-func addChange(cl *changelist.FileChangelist, c changelist.Change, roles ...string) error {
-
-	if len(roles) == 0 {
-		roles = []string{data.CanonicalTargetsRole}
-	}
-
-	var changes []changelist.Change
-	for _, role := range roles {
-		// Ensure we can only add targets to the CanonicalTargetsRole,
-		// or a Delegation role (which is <CanonicalTargetsRole>/something else)
-		if role != data.CanonicalTargetsRole && !data.IsDelegation(role) && !data.IsWildDelegation(role) {
-			return data.ErrInvalidRole{
-				Role:   role,
-				Reason: "cannot add targets to this role",
-			}
-		}
-
-		changes = append(changes, changelist.NewTUFChange(
-			c.Action(),
-			role,
-			c.Type(),
-			c.Path(),
-			c.Content(),
-		))
-	}
-
-	for _, c := range changes {
-		if err := cl.Add(c); err != nil {
-			return err
-		}
-	}
-	return nil
-}
-
-// AddTarget creates new changelist entries to add a target to the given roles
-// in the repository when the changelist gets applied at publish time.
-// If roles are unspecified, the default role is "targets"
-func (r *NotaryRepository) AddTarget(target *Target, roles ...string) error {
-
-	if len(target.Hashes) == 0 {
-		return fmt.Errorf("no hashes specified for target \"%s\"", target.Name)
-	}
-	cl, err := changelist.NewFileChangelist(filepath.Join(r.tufRepoPath, "changelist"))
-	if err != nil {
-		return err
-	}
-	defer cl.Close()
-	logrus.Debugf("Adding target \"%s\" with sha256 \"%x\" and size %d bytes.\n", target.Name, target.Hashes["sha256"], target.Length)
-
-	meta := data.FileMeta{Length: target.Length, Hashes: target.Hashes}
-	metaJSON, err := json.Marshal(meta)
-	if err != nil {
-		return err
-	}
-
-	template := changelist.NewTUFChange(
-		changelist.ActionCreate, "", changelist.TypeTargetsTarget,
-		target.Name, metaJSON)
-	return addChange(cl, template, roles...)
-}
-
-// RemoveTarget creates new changelist entries to remove a target from the given
-// roles in the repository when the changelist gets applied at publish time.
-// If roles are unspecified, the default role is "target".
-func (r *NotaryRepository) RemoveTarget(targetName string, roles ...string) error {
-
-	cl, err := changelist.NewFileChangelist(filepath.Join(r.tufRepoPath, "changelist"))
-	if err != nil {
-		return err
-	}
-	logrus.Debugf("Removing target \"%s\"", targetName)
-	template := changelist.NewTUFChange(changelist.ActionDelete, "",
-		changelist.TypeTargetsTarget, targetName, nil)
-	return addChange(cl, template, roles...)
-}
-
-// ListTargets lists all targets for the current repository. The list of
-// roles should be passed in order from highest to lowest priority.
-//
-// IMPORTANT: if you pass a set of roles such as [ "targets/a", "targets/x"
-// "targets/a/b" ], even though "targets/a/b" is part of the "targets/a" subtree
-// its entries will be strictly shadowed by those in other parts of the "targets/a"
-// subtree and also the "targets/x" subtree, as we will defer parsing it until
-// we explicitly reach it in our iteration of the provided list of roles.
-func (r *NotaryRepository) ListTargets(roles ...string) ([]*TargetWithRole, error) {
-	if err := r.Update(false); err != nil {
-		return nil, err
-	}
-
-	if len(roles) == 0 {
-		roles = []string{data.CanonicalTargetsRole}
-	}
-	targets := make(map[string]*TargetWithRole)
-	for _, role := range roles {
-		// Define an array of roles to skip for this walk (see IMPORTANT comment above)
-		skipRoles := utils.StrSliceRemove(roles, role)
-
-		// Define a visitor function to populate the targets map in priority order
-		listVisitorFunc := func(tgt *data.SignedTargets, validRole data.DelegationRole) interface{} {
-			// We found targets so we should try to add them to our targets map
-			for targetName, targetMeta := range tgt.Signed.Targets {
-				// Follow the priority by not overriding previously set targets
-				// and check that this path is valid with this role
-				if _, ok := targets[targetName]; ok || !validRole.CheckPaths(targetName) {
-					continue
-				}
-				targets[targetName] = &TargetWithRole{
-					Target: Target{
-						Name:   targetName,
-						Hashes: targetMeta.Hashes,
-						Length: targetMeta.Length,
-					},
-					Role: validRole.Name,
-				}
-			}
-			return nil
-		}
-
-		r.tufRepo.WalkTargets("", role, listVisitorFunc, skipRoles...)
-	}
-
-	var targetList []*TargetWithRole
-	for _, v := range targets {
-		targetList = append(targetList, v)
-	}
-
-	return targetList, nil
-}
-
-// GetTargetByName returns a target by the given name. If no roles are passed
-// it uses the targets role and does a search of the entire delegation
-// graph, finding the first entry in a breadth first search of the delegations.
-// If roles are passed, they should be passed in descending priority and
-// the target entry found in the subtree of the highest priority role
-// will be returned.
-// See the IMPORTANT section on ListTargets above. Those roles also apply here.
-func (r *NotaryRepository) GetTargetByName(name string, roles ...string) (*TargetWithRole, error) {
-	if err := r.Update(false); err != nil {
-		return nil, err
-	}
-
-	if len(roles) == 0 {
-		roles = append(roles, data.CanonicalTargetsRole)
-	}
-	var resultMeta data.FileMeta
-	var resultRoleName string
-	var foundTarget bool
-	for _, role := range roles {
-		// Define an array of roles to skip for this walk (see IMPORTANT comment above)
-		skipRoles := utils.StrSliceRemove(roles, role)
-
-		// Define a visitor function to find the specified target
-		getTargetVisitorFunc := func(tgt *data.SignedTargets, validRole data.DelegationRole) interface{} {
-			if tgt == nil {
-				return nil
-			}
-			// We found the target and validated path compatibility in our walk,
-			// so we should stop our walk and set the resultMeta and resultRoleName variables
-			if resultMeta, foundTarget = tgt.Signed.Targets[name]; foundTarget {
-				resultRoleName = validRole.Name
-				return tuf.StopWalk{}
-			}
-			return nil
-		}
-		// Check that we didn't error, and that we assigned to our target
-		if err := r.tufRepo.WalkTargets(name, role, getTargetVisitorFunc, skipRoles...); err == nil && foundTarget {
-			return &TargetWithRole{Target: Target{Name: name, Hashes: resultMeta.Hashes, Length: resultMeta.Length}, Role: resultRoleName}, nil
-		}
-	}
-	return nil, fmt.Errorf("No trust data for %s", name)
-
-}
-
-// TargetSignedStruct is a struct that contains a Target, the role it was found in, and the list of signatures for that role
-type TargetSignedStruct struct {
-	Role       data.DelegationRole
-	Target     Target
-	Signatures []data.Signature
-}
-
-// GetAllTargetMetadataByName searches the entire delegation role tree to find the specified target by name for all
-// roles, and returns a list of TargetSignedStructs for each time it finds the specified target.
-// If given an empty string for a target name, it will return back all targets signed into the repository in every role
-func (r *NotaryRepository) GetAllTargetMetadataByName(name string) ([]TargetSignedStruct, error) {
-	if err := r.Update(false); err != nil {
-		return nil, err
-	}
-
-	var targetInfoList []TargetSignedStruct
-
-	// Define a visitor function to find the specified target
-	getAllTargetInfoByNameVisitorFunc := func(tgt *data.SignedTargets, validRole data.DelegationRole) interface{} {
-		if tgt == nil {
-			return nil
-		}
-		// We found a target and validated path compatibility in our walk,
-		// so add it to our list if we have a match
-		// if we have an empty name, add all targets, else check if we have it
-		var targetMetaToAdd data.Files
-		if name == "" {
-			targetMetaToAdd = tgt.Signed.Targets
-		} else {
-			if meta, ok := tgt.Signed.Targets[name]; ok {
-				targetMetaToAdd = data.Files{name: meta}
-			}
-		}
-
-		for targetName, resultMeta := range targetMetaToAdd {
-			targetInfo := TargetSignedStruct{
-				Role:       validRole,
-				Target:     Target{Name: targetName, Hashes: resultMeta.Hashes, Length: resultMeta.Length},
-				Signatures: tgt.Signatures,
-			}
-			targetInfoList = append(targetInfoList, targetInfo)
-		}
-		// continue walking to all child roles
-		return nil
-	}
-
-	// Check that we didn't error, and that we found the target at least once
-	if err := r.tufRepo.WalkTargets(name, "", getAllTargetInfoByNameVisitorFunc); err != nil {
-		return nil, err
-	}
-	if len(targetInfoList) == 0 {
-		return nil, fmt.Errorf("No valid trust data for %s", name)
-	}
-	return targetInfoList, nil
-}
-
-// GetChangelist returns the list of the repository's unpublished changes
-func (r *NotaryRepository) GetChangelist() (changelist.Changelist, error) {
-	changelistDir := filepath.Join(r.tufRepoPath, "changelist")
-	cl, err := changelist.NewFileChangelist(changelistDir)
-	if err != nil {
-		logrus.Debug("Error initializing changelist")
-		return nil, err
-	}
-	return cl, nil
-}
-
-// RoleWithSignatures is a Role with its associated signatures
-type RoleWithSignatures struct {
-	Signatures []data.Signature
-	data.Role
-}
-
-// ListRoles returns a list of RoleWithSignatures objects for this repo
-// This represents the latest metadata for each role in this repo
-func (r *NotaryRepository) ListRoles() ([]RoleWithSignatures, error) {
-	// Update to latest repo state
-	if err := r.Update(false); err != nil {
-		return nil, err
-	}
-
-	// Get all role info from our updated keysDB, can be empty
-	roles := r.tufRepo.GetAllLoadedRoles()
-
-	var roleWithSigs []RoleWithSignatures
-
-	// Populate RoleWithSignatures with Role from keysDB and signatures from TUF metadata
-	for _, role := range roles {
-		roleWithSig := RoleWithSignatures{Role: *role, Signatures: nil}
-		switch role.Name {
-		case data.CanonicalRootRole:
-			roleWithSig.Signatures = r.tufRepo.Root.Signatures
-		case data.CanonicalTargetsRole:
-			roleWithSig.Signatures = r.tufRepo.Targets[data.CanonicalTargetsRole].Signatures
-		case data.CanonicalSnapshotRole:
-			roleWithSig.Signatures = r.tufRepo.Snapshot.Signatures
-		case data.CanonicalTimestampRole:
-			roleWithSig.Signatures = r.tufRepo.Timestamp.Signatures
-		default:
-			if !data.IsDelegation(role.Name) {
-				continue
-			}
-			if _, ok := r.tufRepo.Targets[role.Name]; ok {
-				// We'll only find a signature if we've published any targets with this delegation
-				roleWithSig.Signatures = r.tufRepo.Targets[role.Name].Signatures
-			}
-		}
-		roleWithSigs = append(roleWithSigs, roleWithSig)
-	}
-	return roleWithSigs, nil
-}
-
-// Publish pushes the local changes in signed material to the remote notary-server
-// Conceptually it performs an operation similar to a `git rebase`
-func (r *NotaryRepository) Publish() error {
-	cl, err := r.GetChangelist()
-	if err != nil {
-		return err
-	}
-	if err = r.publish(cl); err != nil {
-		return err
-	}
-	if err = cl.Clear(""); err != nil {
-		// This is not a critical problem when only a single host is pushing
-		// but will cause weird behaviour if changelist cleanup is failing
-		// and there are multiple hosts writing to the repo.
-		logrus.Warn("Unable to clear changelist. You may want to manually delete the folder ", filepath.Join(r.tufRepoPath, "changelist"))
-	}
-	return nil
-}
-
-// publish pushes the changes in the given changelist to the remote notary-server
-// Conceptually it performs an operation similar to a `git rebase`
-func (r *NotaryRepository) publish(cl changelist.Changelist) error {
-	var initialPublish bool
-	// update first before publishing
-	if err := r.Update(true); err != nil {
-		// If the remote is not aware of the repo, then this is being published
-		// for the first time.  Try to load from disk instead for publishing.
-		if _, ok := err.(ErrRepositoryNotExist); ok {
-			err := r.bootstrapRepo()
-			if err != nil {
-				logrus.Debugf("Unable to load repository from local files: %s",
-					err.Error())
-				if _, ok := err.(store.ErrMetaNotFound); ok {
-					return ErrRepoNotInitialized{}
-				}
-				return err
-			}
-			// Ensure we will push the initial root and targets file.  Either or
-			// both of the root and targets may not be marked as Dirty, since
-			// there may not be any changes that update them, so use a
-			// different boolean.
-			initialPublish = true
-		} else {
-			// We could not update, so we cannot publish.
-			logrus.Error("Could not publish Repository since we could not update: ", err.Error())
-			return err
-		}
-	}
-	// apply the changelist to the repo
-	if err := applyChangelist(r.tufRepo, r.invalid, cl); err != nil {
-		logrus.Debug("Error applying changelist")
-		return err
-	}
-
-	// these are the TUF files we will need to update, serialized as JSON before
-	// we send anything to remote
-	updatedFiles := make(map[string][]byte)
-
-	// check if our root file is nearing expiry or dirty. Resign if it is.  If
-	// root is not dirty but we are publishing for the first time, then just
-	// publish the existing root we have.
-	if nearExpiry(r.tufRepo.Root.Signed.SignedCommon) || r.tufRepo.Root.Dirty {
-		rootJSON, err := serializeCanonicalRole(r.tufRepo, data.CanonicalRootRole)
-		if err != nil {
-			return err
-		}
-		updatedFiles[data.CanonicalRootRole] = rootJSON
-	} else if initialPublish {
-		rootJSON, err := r.tufRepo.Root.MarshalJSON()
-		if err != nil {
-			return err
-		}
-		updatedFiles[data.CanonicalRootRole] = rootJSON
-	}
-
-	// iterate through all the targets files - if they are dirty, sign and update
-	for roleName, roleObj := range r.tufRepo.Targets {
-		if roleObj.Dirty || (roleName == data.CanonicalTargetsRole && initialPublish) {
-			targetsJSON, err := serializeCanonicalRole(r.tufRepo, roleName)
-			if err != nil {
-				return err
-			}
-			updatedFiles[roleName] = targetsJSON
-		}
-	}
-
-	// if we initialized the repo while designating the server as the snapshot
-	// signer, then there won't be a snapshots file.  However, we might now
-	// have a local key (if there was a rotation), so initialize one.
-	if r.tufRepo.Snapshot == nil {
-		if err := r.tufRepo.InitSnapshot(); err != nil {
-			return err
-		}
-	}
-
-	snapshotJSON, err := serializeCanonicalRole(
-		r.tufRepo, data.CanonicalSnapshotRole)
-
-	if err == nil {
-		// Only update the snapshot if we've successfully signed it.
-		updatedFiles[data.CanonicalSnapshotRole] = snapshotJSON
-	} else if signErr, ok := err.(signed.ErrInsufficientSignatures); ok && signErr.FoundKeys == 0 {
-		// If signing fails due to us not having the snapshot key, then
-		// assume the server is going to sign, and do not include any snapshot
-		// data.
-		logrus.Debugf("Client does not have the key to sign snapshot. " +
-			"Assuming that server should sign the snapshot.")
-	} else {
-		logrus.Debugf("Client was unable to sign the snapshot: %s", err.Error())
-		return err
-	}
-
-	remote, err := getRemoteStore(r.baseURL, r.gun, r.roundTrip)
-	if err != nil {
-		return err
-	}
-
-	return remote.SetMulti(updatedFiles)
-}
-
-// bootstrapRepo loads the repository from the local file system (i.e.
-// a not yet published repo or a possibly obsolete local copy) into
-// r.tufRepo.  This attempts to load metadata for all roles.  Since server
-// snapshots are supported, if the snapshot metadata fails to load, that's ok.
-// This assumes that bootstrapRepo is only used by Publish() or RotateKey()
-func (r *NotaryRepository) bootstrapRepo() error {
-	b := tuf.NewRepoBuilder(r.gun, r.CryptoService, r.trustPinning)
-
-	logrus.Debugf("Loading trusted collection.")
-
-	for _, role := range data.BaseRoles {
-		jsonBytes, err := r.fileStore.GetSized(role, store.NoSizeLimit)
-		if err != nil {
-			if _, ok := err.(store.ErrMetaNotFound); ok &&
-				// server snapshots are supported, and server timestamp management
-				// is required, so if either of these fail to load that's ok - especially
-				// if the repo is new
-				role == data.CanonicalSnapshotRole || role == data.CanonicalTimestampRole {
-				continue
-			}
-			return err
-		}
-		if err := b.Load(role, jsonBytes, 1, true); err != nil {
-			return err
-		}
-	}
-
-	tufRepo, _, err := b.Finish()
-	if err == nil {
-		r.tufRepo = tufRepo
-	}
-	return nil
-}
-
-// saveMetadata saves contents of r.tufRepo onto the local disk, creating
-// signatures as necessary, possibly prompting for passphrases.
-func (r *NotaryRepository) saveMetadata(ignoreSnapshot bool) error {
-	logrus.Debugf("Saving changes to Trusted Collection.")
-
-	rootJSON, err := serializeCanonicalRole(r.tufRepo, data.CanonicalRootRole)
-	if err != nil {
-		return err
-	}
-	err = r.fileStore.Set(data.CanonicalRootRole, rootJSON)
-	if err != nil {
-		return err
-	}
-
-	targetsToSave := make(map[string][]byte)
-	for t := range r.tufRepo.Targets {
-		signedTargets, err := r.tufRepo.SignTargets(t, data.DefaultExpires(data.CanonicalTargetsRole))
-		if err != nil {
-			return err
-		}
-		targetsJSON, err := json.Marshal(signedTargets)
-		if err != nil {
-			return err
-		}
-		targetsToSave[t] = targetsJSON
-	}
-
-	for role, blob := range targetsToSave {
-		parentDir := filepath.Dir(role)
-		os.MkdirAll(parentDir, 0755)
-		r.fileStore.Set(role, blob)
-	}
-
-	if ignoreSnapshot {
-		return nil
-	}
-
-	snapshotJSON, err := serializeCanonicalRole(r.tufRepo, data.CanonicalSnapshotRole)
-	if err != nil {
-		return err
-	}
-
-	return r.fileStore.Set(data.CanonicalSnapshotRole, snapshotJSON)
-}
-
-// returns a properly constructed ErrRepositoryNotExist error based on this
-// repo's information
-func (r *NotaryRepository) errRepositoryNotExist() error {
-	host := r.baseURL
-	parsed, err := url.Parse(r.baseURL)
-	if err == nil {
-		host = parsed.Host // try to exclude the scheme and any paths
-	}
-	return ErrRepositoryNotExist{remote: host, gun: r.gun}
-}
-
-// Update bootstraps a trust anchor (root.json) before updating all the
-// metadata from the repo.
-func (r *NotaryRepository) Update(forWrite bool) error {
-	c, err := r.bootstrapClient(forWrite)
-	if err != nil {
-		if _, ok := err.(store.ErrMetaNotFound); ok {
-			return r.errRepositoryNotExist()
-		}
-		return err
-	}
-	repo, invalid, err := c.Update()
-	if err != nil {
-		// notFound.Resource may include a checksum so when the role is root,
-		// it will be root or root.<checksum>. Therefore best we can
-		// do it match a "root." prefix
-		if notFound, ok := err.(store.ErrMetaNotFound); ok && strings.HasPrefix(notFound.Resource, data.CanonicalRootRole+".") {
-			return r.errRepositoryNotExist()
-		}
-		return err
-	}
-	// we can be assured if we are at this stage that the repo we built is good
-	// no need to test the following function call for an error as it will always be fine should the repo be good- it is!
-	r.tufRepo = repo
-	r.invalid = invalid
-	warnRolesNearExpiry(repo)
-	return nil
-}
-
-// bootstrapClient attempts to bootstrap a root.json to be used as the trust
-// anchor for a repository. The checkInitialized argument indicates whether
-// we should always attempt to contact the server to determine if the repository
-// is initialized or not. If set to true, we will always attempt to download
-// and return an error if the remote repository errors.
-//
-// Populates a tuf.RepoBuilder with this root metadata (only use
-// TUFClient.Update to load the rest).
-//
-// Fails if the remote server is reachable and does not know the repo
-// (i.e. before the first r.Publish()), in which case the error is
-// store.ErrMetaNotFound, or if the root metadata (from whichever source is used)
-// is not trusted.
-//
-// Returns a TUFClient for the remote server, which may not be actually
-// operational (if the URL is invalid but a root.json is cached).
-func (r *NotaryRepository) bootstrapClient(checkInitialized bool) (*TUFClient, error) {
-	minVersion := 1
-	// the old root on disk should not be validated against any trust pinning configuration
-	// because if we have an old root, it itself is the thing that pins trust
-	oldBuilder := tuf.NewRepoBuilder(r.gun, r.CryptoService, trustpinning.TrustPinConfig{})
-
-	// by default, we want to use the trust pinning configuration on any new root that we download
-	newBuilder := tuf.NewRepoBuilder(r.gun, r.CryptoService, r.trustPinning)
-
-	// Try to read root from cache first. We will trust this root until we detect a problem
-	// during update which will cause us to download a new root and perform a rotation.
-	// If we have an old root, and it's valid, then we overwrite the newBuilder to be one
-	// preloaded with the old root or one which uses the old root for trust bootstrapping.
-	if rootJSON, err := r.fileStore.GetSized(data.CanonicalRootRole, store.NoSizeLimit); err == nil {
-		// if we can't load the cached root, fail hard because that is how we pin trust
-		if err := oldBuilder.Load(data.CanonicalRootRole, rootJSON, minVersion, true); err != nil {
-			return nil, err
-		}
-
-		// again, the root on disk is the source of trust pinning, so use an empty trust
-		// pinning configuration
-		newBuilder = tuf.NewRepoBuilder(r.gun, r.CryptoService, trustpinning.TrustPinConfig{})
-
-		if err := newBuilder.Load(data.CanonicalRootRole, rootJSON, minVersion, false); err != nil {
-			// Ok, the old root is expired - we want to download a new one.  But we want to use the
-			// old root to verify the new root, so bootstrap a new builder with the old builder
-			// but use the trustpinning to validate the new root
-			minVersion = oldBuilder.GetLoadedVersion(data.CanonicalRootRole)
-			newBuilder = oldBuilder.BootstrapNewBuilderWithNewTrustpin(r.trustPinning)
-		}
-	}
-
-	remote, remoteErr := getRemoteStore(r.baseURL, r.gun, r.roundTrip)
-	if remoteErr != nil {
-		logrus.Error(remoteErr)
-	} else if !newBuilder.IsLoaded(data.CanonicalRootRole) || checkInitialized {
-		// remoteErr was nil and we were not able to load a root from cache or
-		// are specifically checking for initialization of the repo.
-
-		// if remote store successfully set up, try and get root from remote
-		// We don't have any local data to determine the size of root, so try the maximum (though it is restricted at 100MB)
-		tmpJSON, err := remote.GetSized(data.CanonicalRootRole, store.NoSizeLimit)
-		if err != nil {
-			// we didn't have a root in cache and were unable to load one from
-			// the server. Nothing we can do but error.
-			return nil, err
-		}
-
-		if !newBuilder.IsLoaded(data.CanonicalRootRole) {
-			// we always want to use the downloaded root if we couldn't load from cache
-			if err := newBuilder.Load(data.CanonicalRootRole, tmpJSON, minVersion, false); err != nil {
-				return nil, err
-			}
-
-			err = r.fileStore.Set(data.CanonicalRootRole, tmpJSON)
-			if err != nil {
-				// if we can't write cache we should still continue, just log error
-				logrus.Errorf("could not save root to cache: %s", err.Error())
-			}
-		}
-	}
-
-	// We can only get here if remoteErr != nil (hence we don't download any new root),
-	// and there was no root on disk
-	if !newBuilder.IsLoaded(data.CanonicalRootRole) {
-		return nil, ErrRepoNotInitialized{}
-	}
-
-	return NewTUFClient(oldBuilder, newBuilder, remote, r.fileStore), nil
-}
-
-// RotateKey removes all existing keys associated with the role, and either
-// creates and adds one new key or delegates managing the key to the server.
-// These changes are staged in a changelist until publish is called.
-func (r *NotaryRepository) RotateKey(role string, serverManagesKey bool) error {
-	// We currently support remotely managing timestamp and snapshot keys
-	canBeRemoteKey := role == data.CanonicalTimestampRole || role == data.CanonicalSnapshotRole
-	// And locally managing root, targets, and snapshot keys
-	canBeLocalKey := (role == data.CanonicalSnapshotRole || role == data.CanonicalTargetsRole ||
-		role == data.CanonicalRootRole)
-
-	switch {
-	case !data.ValidRole(role) || data.IsDelegation(role):
-		return fmt.Errorf("notary does not currently permit rotating the %s key", role)
-	case serverManagesKey && !canBeRemoteKey:
-		return ErrInvalidRemoteRole{Role: role}
-	case !serverManagesKey && !canBeLocalKey:
-		return ErrInvalidLocalRole{Role: role}
-	}
-
-	var (
-		pubKey    data.PublicKey
-		err       error
-		errFmtMsg string
-	)
-	switch serverManagesKey {
-	case true:
-		pubKey, err = rotateRemoteKey(r.baseURL, r.gun, role, r.roundTrip)
-		errFmtMsg = "unable to rotate remote key: %s"
-	default:
-		pubKey, err = r.CryptoService.Create(role, r.gun, data.ECDSAKey)
-		errFmtMsg = "unable to generate key: %s"
-	}
-
-	if err != nil {
-		return fmt.Errorf(errFmtMsg, err)
-	}
-
-	// if this is a root role, generate a root cert for the public key
-	if role == data.CanonicalRootRole {
-		privKey, _, err := r.CryptoService.GetPrivateKey(pubKey.ID())
-		if err != nil {
-			return err
-		}
-		pubKey, err = rootCertKey(r.gun, privKey)
-		if err != nil {
-			return err
-		}
-	}
-
-	cl := changelist.NewMemChangelist()
-	if err := r.rootFileKeyChange(cl, role, changelist.ActionCreate, pubKey); err != nil {
-		return err
-	}
-	return r.publish(cl)
-}
-
-func (r *NotaryRepository) rootFileKeyChange(cl changelist.Changelist, role, action string, key data.PublicKey) error {
-	kl := make(data.KeyList, 0, 1)
-	kl = append(kl, key)
-	meta := changelist.TUFRootData{
-		RoleName: role,
-		Keys:     kl,
-	}
-	metaJSON, err := json.Marshal(meta)
-	if err != nil {
-		return err
-	}
-
-	c := changelist.NewTUFChange(
-		action,
-		changelist.ScopeRoot,
-		changelist.TypeRootRole,
-		role,
-		metaJSON,
-	)
-	return cl.Add(c)
-}
-
-// DeleteTrustData removes the trust data stored for this repo in the TUF cache on the client side
-// Note that we will not delete any private key material from local storage
-func (r *NotaryRepository) DeleteTrustData(deleteRemote bool) error {
-	// Remove the tufRepoPath directory, which includes local TUF metadata files and changelist information
-	if err := os.RemoveAll(r.tufRepoPath); err != nil {
-		return fmt.Errorf("error clearing TUF repo data: %v", err)
-	}
-	// Note that this will require admin permission in this NotaryRepository's roundtripper
-	if deleteRemote {
-		remote, err := getRemoteStore(r.baseURL, r.gun, r.roundTrip)
-		if err != nil {
-			return err
-		}
-		if err := remote.RemoveAll(); err != nil {
-			return err
-		}
-	}
-	return nil
-}

vendor/github.com/docker/notary/client/delegations.go

@@ -1,299 +0,0 @@
-package client
-
-import (
-	"encoding/json"
-	"fmt"
-	"path/filepath"
-
-	"github.com/Sirupsen/logrus"
-	"github.com/docker/notary"
-	"github.com/docker/notary/client/changelist"
-	store "github.com/docker/notary/storage"
-	"github.com/docker/notary/tuf/data"
-	"github.com/docker/notary/tuf/utils"
-)
-
-// AddDelegation creates changelist entries to add provided delegation public keys and paths.
-// This method composes AddDelegationRoleAndKeys and AddDelegationPaths (each creates one changelist if called).
-func (r *NotaryRepository) AddDelegation(name string, delegationKeys []data.PublicKey, paths []string) error {
-	if len(delegationKeys) > 0 {
-		err := r.AddDelegationRoleAndKeys(name, delegationKeys)
-		if err != nil {
-			return err
-		}
-	}
-	if len(paths) > 0 {
-		err := r.AddDelegationPaths(name, paths)
-		if err != nil {
-			return err
-		}
-	}
-	return nil
-}
-
-// AddDelegationRoleAndKeys creates a changelist entry to add provided delegation public keys.
-// This method is the simplest way to create a new delegation, because the delegation must have at least
-// one key upon creation to be valid since we will reject the changelist while validating the threshold.
-func (r *NotaryRepository) AddDelegationRoleAndKeys(name string, delegationKeys []data.PublicKey) error {
-
-	if !data.IsDelegation(name) {
-		return data.ErrInvalidRole{Role: name, Reason: "invalid delegation role name"}
-	}
-
-	cl, err := changelist.NewFileChangelist(filepath.Join(r.tufRepoPath, "changelist"))
-	if err != nil {
-		return err
-	}
-	defer cl.Close()
-
-	logrus.Debugf(`Adding delegation "%s" with threshold %d, and %d keys\n`,
-		name, notary.MinThreshold, len(delegationKeys))
-
-	// Defaulting to threshold of 1, since we don't allow for larger thresholds at the moment.
-	tdJSON, err := json.Marshal(&changelist.TUFDelegation{
-		NewThreshold: notary.MinThreshold,
-		AddKeys:      data.KeyList(delegationKeys),
-	})
-	if err != nil {
-		return err
-	}
-
-	template := newCreateDelegationChange(name, tdJSON)
-	return addChange(cl, template, name)
-}
-
-// AddDelegationPaths creates a changelist entry to add provided paths to an existing delegation.
-// This method cannot create a new delegation itself because the role must meet the key threshold upon creation.
-func (r *NotaryRepository) AddDelegationPaths(name string, paths []string) error {
-
-	if !data.IsDelegation(name) {
-		return data.ErrInvalidRole{Role: name, Reason: "invalid delegation role name"}
-	}
-
-	cl, err := changelist.NewFileChangelist(filepath.Join(r.tufRepoPath, "changelist"))
-	if err != nil {
-		return err
-	}
-	defer cl.Close()
-
-	logrus.Debugf(`Adding %s paths to delegation %s\n`, paths, name)
-
-	tdJSON, err := json.Marshal(&changelist.TUFDelegation{
-		AddPaths: paths,
-	})
-	if err != nil {
-		return err
-	}
-
-	template := newCreateDelegationChange(name, tdJSON)
-	return addChange(cl, template, name)
-}
-
-// RemoveDelegationKeysAndPaths creates changelist entries to remove provided delegation key IDs and paths.
-// This method composes RemoveDelegationPaths and RemoveDelegationKeys (each creates one changelist if called).
-func (r *NotaryRepository) RemoveDelegationKeysAndPaths(name string, keyIDs, paths []string) error {
-	if len(paths) > 0 {
-		err := r.RemoveDelegationPaths(name, paths)
-		if err != nil {
-			return err
-		}
-	}
-	if len(keyIDs) > 0 {
-		err := r.RemoveDelegationKeys(name, keyIDs)
-		if err != nil {
-			return err
-		}
-	}
-	return nil
-}
-
-// RemoveDelegationRole creates a changelist to remove all paths and keys from a role, and delete the role in its entirety.
-func (r *NotaryRepository) RemoveDelegationRole(name string) error {
-
-	if !data.IsDelegation(name) {
-		return data.ErrInvalidRole{Role: name, Reason: "invalid delegation role name"}
-	}
-
-	cl, err := changelist.NewFileChangelist(filepath.Join(r.tufRepoPath, "changelist"))
-	if err != nil {
-		return err
-	}
-	defer cl.Close()
-
-	logrus.Debugf(`Removing delegation "%s"\n`, name)
-
-	template := newDeleteDelegationChange(name, nil)
-	return addChange(cl, template, name)
-}
-
-// RemoveDelegationPaths creates a changelist entry to remove provided paths from an existing delegation.
-func (r *NotaryRepository) RemoveDelegationPaths(name string, paths []string) error {
-
-	if !data.IsDelegation(name) {
-		return data.ErrInvalidRole{Role: name, Reason: "invalid delegation role name"}
-	}
-
-	cl, err := changelist.NewFileChangelist(filepath.Join(r.tufRepoPath, "changelist"))
-	if err != nil {
-		return err
-	}
-	defer cl.Close()
-
-	logrus.Debugf(`Removing %s paths from delegation "%s"\n`, paths, name)
-
-	tdJSON, err := json.Marshal(&changelist.TUFDelegation{
-		RemovePaths: paths,
-	})
-	if err != nil {
-		return err
-	}
-
-	template := newUpdateDelegationChange(name, tdJSON)
-	return addChange(cl, template, name)
-}
-
-// RemoveDelegationKeys creates a changelist entry to remove provided keys from an existing delegation.
-// When this changelist is applied, if the specified keys are the only keys left in the role,
-// the role itself will be deleted in its entirety.
-// It can also delete a key from all delegations under a parent using a name
-// with a wildcard at the end.
-func (r *NotaryRepository) RemoveDelegationKeys(name string, keyIDs []string) error {
-
-	if !data.IsDelegation(name) && !data.IsWildDelegation(name) {
-		return data.ErrInvalidRole{Role: name, Reason: "invalid delegation role name"}
-	}
-
-	cl, err := changelist.NewFileChangelist(filepath.Join(r.tufRepoPath, "changelist"))
-	if err != nil {
-		return err
-	}
-	defer cl.Close()
-
-	logrus.Debugf(`Removing %s keys from delegation "%s"\n`, keyIDs, name)
-
-	tdJSON, err := json.Marshal(&changelist.TUFDelegation{
-		RemoveKeys: keyIDs,
-	})
-	if err != nil {
-		return err
-	}
-
-	template := newUpdateDelegationChange(name, tdJSON)
-	return addChange(cl, template, name)
-}
-
-// ClearDelegationPaths creates a changelist entry to remove all paths from an existing delegation.
-func (r *NotaryRepository) ClearDelegationPaths(name string) error {
-
-	if !data.IsDelegation(name) {
-		return data.ErrInvalidRole{Role: name, Reason: "invalid delegation role name"}
-	}
-
-	cl, err := changelist.NewFileChangelist(filepath.Join(r.tufRepoPath, "changelist"))
-	if err != nil {
-		return err
-	}
-	defer cl.Close()
-
-	logrus.Debugf(`Removing all paths from delegation "%s"\n`, name)
-
-	tdJSON, err := json.Marshal(&changelist.TUFDelegation{
-		ClearAllPaths: true,
-	})
-	if err != nil {
-		return err
-	}
-
-	template := newUpdateDelegationChange(name, tdJSON)
-	return addChange(cl, template, name)
-}
-
-func newUpdateDelegationChange(name string, content []byte) *changelist.TUFChange {
-	return changelist.NewTUFChange(
-		changelist.ActionUpdate,
-		name,
-		changelist.TypeTargetsDelegation,
-		"", // no path for delegations
-		content,
-	)
-}
-
-func newCreateDelegationChange(name string, content []byte) *changelist.TUFChange {
-	return changelist.NewTUFChange(
-		changelist.ActionCreate,
-		name,
-		changelist.TypeTargetsDelegation,
-		"", // no path for delegations
-		content,
-	)
-}
-
-func newDeleteDelegationChange(name string, content []byte) *changelist.TUFChange {
-	return changelist.NewTUFChange(
-		changelist.ActionDelete,
-		name,
-		changelist.TypeTargetsDelegation,
-		"", // no path for delegations
-		content,
-	)
-}
-
-// GetDelegationRoles returns the keys and roles of the repository's delegations
-// Also converts key IDs to canonical key IDs to keep consistent with signing prompts
-func (r *NotaryRepository) GetDelegationRoles() ([]data.Role, error) {
-	// Update state of the repo to latest
-	if err := r.Update(false); err != nil {
-		return nil, err
-	}
-
-	// All top level delegations (ex: targets/level1) are stored exclusively in targets.json
-	_, ok := r.tufRepo.Targets[data.CanonicalTargetsRole]
-	if !ok {
-		return nil, store.ErrMetaNotFound{Resource: data.CanonicalTargetsRole}
-	}
-
-	// make a copy for traversing nested delegations
-	allDelegations := []data.Role{}
-
-	// Define a visitor function to populate the delegations list and translate their key IDs to canonical IDs
-	delegationCanonicalListVisitor := func(tgt *data.SignedTargets, validRole data.DelegationRole) interface{} {
-		// For the return list, update with a copy that includes canonicalKeyIDs
-		// These aren't validated by the validRole
-		canonicalDelegations, err := translateDelegationsToCanonicalIDs(tgt.Signed.Delegations)
-		if err != nil {
-			return err
-		}
-		allDelegations = append(allDelegations, canonicalDelegations...)
-		return nil
-	}
-	err := r.tufRepo.WalkTargets("", "", delegationCanonicalListVisitor)
-	if err != nil {
-		return nil, err
-	}
-	return allDelegations, nil
-}
-
-func translateDelegationsToCanonicalIDs(delegationInfo data.Delegations) ([]data.Role, error) {
-	canonicalDelegations := make([]data.Role, len(delegationInfo.Roles))
-	// Do a copy by value to ensure local delegation metadata is untouched
-	for idx, origRole := range delegationInfo.Roles {
-		canonicalDelegations[idx] = *origRole
-	}
-	delegationKeys := delegationInfo.Keys
-	for i, delegation := range canonicalDelegations {
-		canonicalKeyIDs := []string{}
-		for _, keyID := range delegation.KeyIDs {
-			pubKey, ok := delegationKeys[keyID]
-			if !ok {
-				return []data.Role{}, fmt.Errorf("Could not translate canonical key IDs for %s", delegation.Name)
-			}
-			canonicalKeyID, err := utils.CanonicalKeyID(pubKey)
-			if err != nil {
-				return []data.Role{}, fmt.Errorf("Could not translate canonical key IDs for %s: %v", delegation.Name, err)
-			}
-			canonicalKeyIDs = append(canonicalKeyIDs, canonicalKeyID)
-		}
-		canonicalDelegations[i].KeyIDs = canonicalKeyIDs
-	}
-	return canonicalDelegations, nil
-}

vendor/github.com/docker/notary/client/helpers.go

@@ -1,278 +0,0 @@
-package client
-
-import (
-	"encoding/json"
-	"fmt"
-	"net/http"
-	"time"
-
-	"github.com/Sirupsen/logrus"
-	"github.com/docker/notary/client/changelist"
-	store "github.com/docker/notary/storage"
-	"github.com/docker/notary/tuf"
-	"github.com/docker/notary/tuf/data"
-	"github.com/docker/notary/tuf/utils"
-)
-
-// Use this to initialize remote HTTPStores from the config settings
-func getRemoteStore(baseURL, gun string, rt http.RoundTripper) (store.RemoteStore, error) {
-	s, err := store.NewHTTPStore(
-		baseURL+"/v2/"+gun+"/_trust/tuf/",
-		"",
-		"json",
-		"key",
-		rt,
-	)
-	if err != nil {
-		return store.OfflineStore{}, err
-	}
-	return s, err
-}
-
-func applyChangelist(repo *tuf.Repo, invalid *tuf.Repo, cl changelist.Changelist) error {
-	it, err := cl.NewIterator()
-	if err != nil {
-		return err
-	}
-	index := 0
-	for it.HasNext() {
-		c, err := it.Next()
-		if err != nil {
-			return err
-		}
-		isDel := data.IsDelegation(c.Scope()) || data.IsWildDelegation(c.Scope())
-		switch {
-		case c.Scope() == changelist.ScopeTargets || isDel:
-			err = applyTargetsChange(repo, invalid, c)
-		case c.Scope() == changelist.ScopeRoot:
-			err = applyRootChange(repo, c)
-		default:
-			return fmt.Errorf("scope not supported: %s", c.Scope())
-		}
-		if err != nil {
-			logrus.Debugf("error attempting to apply change #%d: %s, on scope: %s path: %s type: %s", index, c.Action(), c.Scope(), c.Path(), c.Type())
-			return err
-		}
-		index++
-	}
-	logrus.Debugf("applied %d change(s)", index)
-	return nil
-}
-
-func applyTargetsChange(repo *tuf.Repo, invalid *tuf.Repo, c changelist.Change) error {
-	switch c.Type() {
-	case changelist.TypeTargetsTarget:
-		return changeTargetMeta(repo, c)
-	case changelist.TypeTargetsDelegation:
-		return changeTargetsDelegation(repo, c)
-	case changelist.TypeWitness:
-		return witnessTargets(repo, invalid, c.Scope())
-	default:
-		return fmt.Errorf("only target meta and delegations changes supported")
-	}
-}
-
-func changeTargetsDelegation(repo *tuf.Repo, c changelist.Change) error {
-	switch c.Action() {
-	case changelist.ActionCreate:
-		td := changelist.TUFDelegation{}
-		err := json.Unmarshal(c.Content(), &td)
-		if err != nil {
-			return err
-		}
-
-		// Try to create brand new role or update one
-		// First add the keys, then the paths.  We can only add keys and paths in this scenario
-		err = repo.UpdateDelegationKeys(c.Scope(), td.AddKeys, []string{}, td.NewThreshold)
-		if err != nil {
-			return err
-		}
-		return repo.UpdateDelegationPaths(c.Scope(), td.AddPaths, []string{}, false)
-	case changelist.ActionUpdate:
-		td := changelist.TUFDelegation{}
-		err := json.Unmarshal(c.Content(), &td)
-		if err != nil {
-			return err
-		}
-		if data.IsWildDelegation(c.Scope()) {
-			return repo.PurgeDelegationKeys(c.Scope(), td.RemoveKeys)
-		}
-
-		delgRole, err := repo.GetDelegationRole(c.Scope())
-		if err != nil {
-			return err
-		}
-
-		// We need to translate the keys from canonical ID to TUF ID for compatibility
-		canonicalToTUFID := make(map[string]string)
-		for tufID, pubKey := range delgRole.Keys {
-			canonicalID, err := utils.CanonicalKeyID(pubKey)
-			if err != nil {
-				return err
-			}
-			canonicalToTUFID[canonicalID] = tufID
-		}
-
-		removeTUFKeyIDs := []string{}
-		for _, canonID := range td.RemoveKeys {
-			removeTUFKeyIDs = append(removeTUFKeyIDs, canonicalToTUFID[canonID])
-		}
-
-		err = repo.UpdateDelegationKeys(c.Scope(), td.AddKeys, removeTUFKeyIDs, td.NewThreshold)
-		if err != nil {
-			return err
-		}
-		return repo.UpdateDelegationPaths(c.Scope(), td.AddPaths, td.RemovePaths, td.ClearAllPaths)
-	case changelist.ActionDelete:
-		return repo.DeleteDelegation(c.Scope())
-	default:
-		return fmt.Errorf("unsupported action against delegations: %s", c.Action())
-	}
-
-}
-
-func changeTargetMeta(repo *tuf.Repo, c changelist.Change) error {
-	var err error
-	switch c.Action() {
-	case changelist.ActionCreate:
-		logrus.Debug("changelist add: ", c.Path())
-		meta := &data.FileMeta{}
-		err = json.Unmarshal(c.Content(), meta)
-		if err != nil {
-			return err
-		}
-		files := data.Files{c.Path(): *meta}
-
-		// Attempt to add the target to this role
-		if _, err = repo.AddTargets(c.Scope(), files); err != nil {
-			logrus.Errorf("couldn't add target to %s: %s", c.Scope(), err.Error())
-		}
-
-	case changelist.ActionDelete:
-		logrus.Debug("changelist remove: ", c.Path())
-
-		// Attempt to remove the target from this role
-		if err = repo.RemoveTargets(c.Scope(), c.Path()); err != nil {
-			logrus.Errorf("couldn't remove target from %s: %s", c.Scope(), err.Error())
-		}
-
-	default:
-		err = fmt.Errorf("action not yet supported: %s", c.Action())
-	}
-	return err
-}
-
-func applyRootChange(repo *tuf.Repo, c changelist.Change) error {
-	var err error
-	switch c.Type() {
-	case changelist.TypeRootRole:
-		err = applyRootRoleChange(repo, c)
-	default:
-		err = fmt.Errorf("type of root change not yet supported: %s", c.Type())
-	}
-	return err // might be nil
-}
-
-func applyRootRoleChange(repo *tuf.Repo, c changelist.Change) error {
-	switch c.Action() {
-	case changelist.ActionCreate:
-		// replaces all keys for a role
-		d := &changelist.TUFRootData{}
-		err := json.Unmarshal(c.Content(), d)
-		if err != nil {
-			return err
-		}
-		err = repo.ReplaceBaseKeys(d.RoleName, d.Keys...)
-		if err != nil {
-			return err
-		}
-	default:
-		return fmt.Errorf("action not yet supported for root: %s", c.Action())
-	}
-	return nil
-}
-
-func nearExpiry(r data.SignedCommon) bool {
-	plus6mo := time.Now().AddDate(0, 6, 0)
-	return r.Expires.Before(plus6mo)
-}
-
-func warnRolesNearExpiry(r *tuf.Repo) {
-	//get every role and its respective signed common and call nearExpiry on it
-	//Root check
-	if nearExpiry(r.Root.Signed.SignedCommon) {
-		logrus.Warn("root is nearing expiry, you should re-sign the role metadata")
-	}
-	//Targets and delegations check
-	for role, signedTOrD := range r.Targets {
-		//signedTOrD is of type *data.SignedTargets
-		if nearExpiry(signedTOrD.Signed.SignedCommon) {
-			logrus.Warn(role, " metadata is nearing expiry, you should re-sign the role metadata")
-		}
-	}
-	//Snapshot check
-	if nearExpiry(r.Snapshot.Signed.SignedCommon) {
-		logrus.Warn("snapshot is nearing expiry, you should re-sign the role metadata")
-	}
-	//do not need to worry about Timestamp, notary signer will re-sign with the timestamp key
-}
-
-// Fetches a public key from a remote store, given a gun and role
-func getRemoteKey(url, gun, role string, rt http.RoundTripper) (data.PublicKey, error) {
-	remote, err := getRemoteStore(url, gun, rt)
-	if err != nil {
-		return nil, err
-	}
-	rawPubKey, err := remote.GetKey(role)
-	if err != nil {
-		return nil, err
-	}
-
-	pubKey, err := data.UnmarshalPublicKey(rawPubKey)
-	if err != nil {
-		return nil, err
-	}
-
-	return pubKey, nil
-}
-
-// Rotates a private key in a remote store and returns the public key component
-func rotateRemoteKey(url, gun, role string, rt http.RoundTripper) (data.PublicKey, error) {
-	remote, err := getRemoteStore(url, gun, rt)
-	if err != nil {
-		return nil, err
-	}
-	rawPubKey, err := remote.RotateKey(role)
-	if err != nil {
-		return nil, err
-	}
-
-	pubKey, err := data.UnmarshalPublicKey(rawPubKey)
-	if err != nil {
-		return nil, err
-	}
-
-	return pubKey, nil
-}
-
-// signs and serializes the metadata for a canonical role in a TUF repo to JSON
-func serializeCanonicalRole(tufRepo *tuf.Repo, role string) (out []byte, err error) {
-	var s *data.Signed
-	switch {
-	case role == data.CanonicalRootRole:
-		s, err = tufRepo.SignRoot(data.DefaultExpires(role))
-	case role == data.CanonicalSnapshotRole:
-		s, err = tufRepo.SignSnapshot(data.DefaultExpires(role))
-	case tufRepo.Targets[role] != nil:
-		s, err = tufRepo.SignTargets(
-			role, data.DefaultExpires(data.CanonicalTargetsRole))
-	default:
-		err = fmt.Errorf("%s not supported role to sign on the client", role)
-	}
-
-	if err != nil {
-		return
-	}
-
-	return json.Marshal(s)
-}

vendor/github.com/docker/notary/client/repo.go

@@ -1,29 +0,0 @@
-// +build !pkcs11
-
-package client
-
-import (
-	"fmt"
-	"net/http"
-
-	"github.com/docker/notary"
-	"github.com/docker/notary/trustmanager"
-	"github.com/docker/notary/trustpinning"
-)
-
-// NewNotaryRepository is a helper method that returns a new notary repository.
-// It takes the base directory under where all the trust files will be stored
-// (This is normally defaults to "~/.notary" or "~/.docker/trust" when enabling
-// docker content trust).
-func NewNotaryRepository(baseDir, gun, baseURL string, rt http.RoundTripper,
-	retriever notary.PassRetriever, trustPinning trustpinning.TrustPinConfig) (
-	*NotaryRepository, error) {
-
-	fileKeyStore, err := trustmanager.NewKeyFileStore(baseDir, retriever)
-	if err != nil {
-		return nil, fmt.Errorf("failed to create private key store in directory: %s", baseDir)
-	}
-
-	return repositoryFromKeystores(baseDir, gun, baseURL, rt,
-		[]trustmanager.KeyStore{fileKeyStore}, trustPinning)
-}

vendor/github.com/docker/notary/client/repo_pkcs11.go

@@ -1,34 +0,0 @@
-// +build pkcs11
-
-package client
-
-import (
-	"fmt"
-	"net/http"
-
-	"github.com/docker/notary"
-	"github.com/docker/notary/trustmanager"
-	"github.com/docker/notary/trustmanager/yubikey"
-	"github.com/docker/notary/trustpinning"
-)
-
-// NewNotaryRepository is a helper method that returns a new notary repository.
-// It takes the base directory under where all the trust files will be stored
-// (usually ~/.docker/trust/).
-func NewNotaryRepository(baseDir, gun, baseURL string, rt http.RoundTripper,
-	retriever notary.PassRetriever, trustPinning trustpinning.TrustPinConfig) (
-	*NotaryRepository, error) {
-
-	fileKeyStore, err := trustmanager.NewKeyFileStore(baseDir, retriever)
-	if err != nil {
-		return nil, fmt.Errorf("failed to create private key store in directory: %s", baseDir)
-	}
-
-	keyStores := []trustmanager.KeyStore{fileKeyStore}
-	yubiKeyStore, _ := yubikey.NewYubiStore(fileKeyStore, retriever)
-	if yubiKeyStore != nil {
-		keyStores = []trustmanager.KeyStore{yubiKeyStore, fileKeyStore}
-	}
-
-	return repositoryFromKeystores(baseDir, gun, baseURL, rt, keyStores, trustPinning)
-}

vendor/github.com/docker/notary/client/tufclient.go

@@ -1,239 +0,0 @@
-package client
-
-import (
-	"encoding/json"
-
-	"github.com/Sirupsen/logrus"
-	"github.com/docker/notary"
-	store "github.com/docker/notary/storage"
-	"github.com/docker/notary/tuf"
-	"github.com/docker/notary/tuf/data"
-	"github.com/docker/notary/tuf/signed"
-)
-
-// TUFClient is a usability wrapper around a raw TUF repo
-type TUFClient struct {
-	remote     store.RemoteStore
-	cache      store.MetadataStore
-	oldBuilder tuf.RepoBuilder
-	newBuilder tuf.RepoBuilder
-}
-
-// NewTUFClient initialized a TUFClient with the given repo, remote source of content, and cache
-func NewTUFClient(oldBuilder, newBuilder tuf.RepoBuilder, remote store.RemoteStore, cache store.MetadataStore) *TUFClient {
-	return &TUFClient{
-		oldBuilder: oldBuilder,
-		newBuilder: newBuilder,
-		remote:     remote,
-		cache:      cache,
-	}
-}
-
-// Update performs an update to the TUF repo as defined by the TUF spec
-func (c *TUFClient) Update() (*tuf.Repo, *tuf.Repo, error) {
-	// 1. Get timestamp
-	//   a. If timestamp error (verification, expired, etc...) download new root and return to 1.
-	// 2. Check if local snapshot is up to date
-	//   a. If out of date, get updated snapshot
-	//     i. If snapshot error, download new root and return to 1.
-	// 3. Check if root correct against snapshot
-	//   a. If incorrect, download new root and return to 1.
-	// 4. Iteratively download and search targets and delegations to find target meta
-	logrus.Debug("updating TUF client")
-	err := c.update()
-	if err != nil {
-		logrus.Debug("Error occurred. Root will be downloaded and another update attempted")
-		logrus.Debug("Resetting the TUF builder...")
-
-		c.newBuilder = c.newBuilder.BootstrapNewBuilder()
-
-		if err := c.downloadRoot(); err != nil {
-			logrus.Debug("Client Update (Root):", err)
-			return nil, nil, err
-		}
-		// If we error again, we now have the latest root and just want to fail
-		// out as there's no expectation the problem can be resolved automatically
-		logrus.Debug("retrying TUF client update")
-		if err := c.update(); err != nil {
-			return nil, nil, err
-		}
-	}
-	return c.newBuilder.Finish()
-}
-
-func (c *TUFClient) update() error {
-	if err := c.downloadTimestamp(); err != nil {
-		logrus.Debugf("Client Update (Timestamp): %s", err.Error())
-		return err
-	}
-	if err := c.downloadSnapshot(); err != nil {
-		logrus.Debugf("Client Update (Snapshot): %s", err.Error())
-		return err
-	}
-	// will always need top level targets at a minimum
-	if err := c.downloadTargets(); err != nil {
-		logrus.Debugf("Client Update (Targets): %s", err.Error())
-		return err
-	}
-	return nil
-}
-
-// downloadRoot is responsible for downloading the root.json
-func (c *TUFClient) downloadRoot() error {
-	role := data.CanonicalRootRole
-	consistentInfo := c.newBuilder.GetConsistentInfo(role)
-
-	// We can't read an exact size for the root metadata without risking getting stuck in the TUF update cycle
-	// since it's possible that downloading timestamp/snapshot metadata may fail due to a signature mismatch
-	if !consistentInfo.ChecksumKnown() {
-		logrus.Debugf("Loading root with no expected checksum")
-
-		// get the cached root, if it exists, just for version checking
-		cachedRoot, _ := c.cache.GetSized(role, -1)
-		// prefer to download a new root
-		_, remoteErr := c.tryLoadRemote(consistentInfo, cachedRoot)
-		return remoteErr
-	}
-
-	_, err := c.tryLoadCacheThenRemote(consistentInfo)
-	return err
-}
-
-// downloadTimestamp is responsible for downloading the timestamp.json
-// Timestamps are special in that we ALWAYS attempt to download and only
-// use cache if the download fails (and the cache is still valid).
-func (c *TUFClient) downloadTimestamp() error {
-	logrus.Debug("Loading timestamp...")
-	role := data.CanonicalTimestampRole
-	consistentInfo := c.newBuilder.GetConsistentInfo(role)
-
-	// always get the remote timestamp, since it supersedes the local one
-	cachedTS, cachedErr := c.cache.GetSized(role, notary.MaxTimestampSize)
-	_, remoteErr := c.tryLoadRemote(consistentInfo, cachedTS)
-
-	// check that there was no remote error, or if there was a network problem
-	// If there was a validation error, we should error out so we can download a new root or fail the update
-	switch remoteErr.(type) {
-	case nil:
-		return nil
-	case store.ErrMetaNotFound, store.ErrServerUnavailable, store.ErrOffline, store.NetworkError:
-		break
-	default:
-		return remoteErr
-	}
-
-	// since it was a network error: get the cached timestamp, if it exists
-	if cachedErr != nil {
-		logrus.Debug("no cached or remote timestamp available")
-		return remoteErr
-	}
-
-	logrus.Warn("Error while downloading remote metadata, using cached timestamp - this might not be the latest version available remotely")
-	err := c.newBuilder.Load(role, cachedTS, 1, false)
-	if err == nil {
-		logrus.Debug("successfully verified cached timestamp")
-	}
-	return err
-
-}
-
-// downloadSnapshot is responsible for downloading the snapshot.json
-func (c *TUFClient) downloadSnapshot() error {
-	logrus.Debug("Loading snapshot...")
-	role := data.CanonicalSnapshotRole
-	consistentInfo := c.newBuilder.GetConsistentInfo(role)
-
-	_, err := c.tryLoadCacheThenRemote(consistentInfo)
-	return err
-}
-
-// downloadTargets downloads all targets and delegated targets for the repository.
-// It uses a pre-order tree traversal as it's necessary to download parents first
-// to obtain the keys to validate children.
-func (c *TUFClient) downloadTargets() error {
-	toDownload := []data.DelegationRole{{
-		BaseRole: data.BaseRole{Name: data.CanonicalTargetsRole},
-		Paths:    []string{""},
-	}}
-
-	for len(toDownload) > 0 {
-		role := toDownload[0]
-		toDownload = toDownload[1:]
-
-		consistentInfo := c.newBuilder.GetConsistentInfo(role.Name)
-		if !consistentInfo.ChecksumKnown() {
-			logrus.Debugf("skipping %s because there is no checksum for it", role.Name)
-			continue
-		}
-
-		children, err := c.getTargetsFile(role, consistentInfo)
-		switch err.(type) {
-		case signed.ErrExpired, signed.ErrRoleThreshold:
-			if role.Name == data.CanonicalTargetsRole {
-				return err
-			}
-			logrus.Warnf("Error getting %s: %s", role.Name, err)
-			break
-		case nil:
-			toDownload = append(children, toDownload...)
-		default:
-			return err
-		}
-	}
-	return nil
-}
-
-func (c TUFClient) getTargetsFile(role data.DelegationRole, ci tuf.ConsistentInfo) ([]data.DelegationRole, error) {
-	logrus.Debugf("Loading %s...", role.Name)
-	tgs := &data.SignedTargets{}
-
-	raw, err := c.tryLoadCacheThenRemote(ci)
-	if err != nil {
-		return nil, err
-	}
-
-	// we know it unmarshals because if `tryLoadCacheThenRemote` didn't fail, then
-	// the raw has already been loaded into the builder
-	json.Unmarshal(raw, tgs)
-	return tgs.GetValidDelegations(role), nil
-}
-
-func (c *TUFClient) tryLoadCacheThenRemote(consistentInfo tuf.ConsistentInfo) ([]byte, error) {
-	cachedTS, err := c.cache.GetSized(consistentInfo.RoleName, consistentInfo.Length())
-	if err != nil {
-		logrus.Debugf("no %s in cache, must download", consistentInfo.RoleName)
-		return c.tryLoadRemote(consistentInfo, nil)
-	}
-
-	if err = c.newBuilder.Load(consistentInfo.RoleName, cachedTS, 1, false); err == nil {
-		logrus.Debugf("successfully verified cached %s", consistentInfo.RoleName)
-		return cachedTS, nil
-	}
-
-	logrus.Debugf("cached %s is invalid (must download): %s", consistentInfo.RoleName, err)
-	return c.tryLoadRemote(consistentInfo, cachedTS)
-}
-
-func (c *TUFClient) tryLoadRemote(consistentInfo tuf.ConsistentInfo, old []byte) ([]byte, error) {
-	consistentName := consistentInfo.ConsistentName()
-	raw, err := c.remote.GetSized(consistentName, consistentInfo.Length())
-	if err != nil {
-		logrus.Debugf("error downloading %s: %s", consistentName, err)
-		return old, err
-	}
-
-	// try to load the old data into the old builder - only use it to validate
-	// versions if it loads successfully.  If it errors, then the loaded version
-	// will be 1
-	c.oldBuilder.Load(consistentInfo.RoleName, old, 1, true)
-	minVersion := c.oldBuilder.GetLoadedVersion(consistentInfo.RoleName)
-	if err := c.newBuilder.Load(consistentInfo.RoleName, raw, minVersion, false); err != nil {
-		logrus.Debugf("downloaded %s is invalid: %s", consistentName, err)
-		return raw, err
-	}
-	logrus.Debugf("successfully verified downloaded %s", consistentName)
-	if err := c.cache.Set(consistentInfo.RoleName, raw); err != nil {
-		logrus.Debugf("Unable to write %s to cache: %s", consistentInfo.RoleName, err)
-	}
-	return raw, nil
-}

vendor/github.com/docker/notary/client/witness.go

@@ -1,69 +0,0 @@
-package client
-
-import (
-	"path/filepath"
-
-	"github.com/docker/notary/client/changelist"
-	"github.com/docker/notary/tuf"
-	"github.com/docker/notary/tuf/data"
-)
-
-// Witness creates change objects to witness (i.e. re-sign) the given
-// roles on the next publish. One change is created per role
-func (r *NotaryRepository) Witness(roles ...string) ([]string, error) {
-	cl, err := changelist.NewFileChangelist(filepath.Join(r.tufRepoPath, "changelist"))
-	if err != nil {
-		return nil, err
-	}
-	defer cl.Close()
-
-	successful := make([]string, 0, len(roles))
-	for _, role := range roles {
-		// scope is role
-		c := changelist.NewTUFChange(
-			changelist.ActionUpdate,
-			role,
-			changelist.TypeWitness,
-			"",
-			nil,
-		)
-		err = cl.Add(c)
-		if err != nil {
-			break
-		}
-		successful = append(successful, role)
-	}
-	return successful, err
-}
-
-func witnessTargets(repo *tuf.Repo, invalid *tuf.Repo, role string) error {
-	if r, ok := repo.Targets[role]; ok {
-		// role is already valid, mark for re-signing/updating
-		r.Dirty = true
-		return nil
-	}
-
-	if roleObj, err := repo.GetDelegationRole(role); err == nil && invalid != nil {
-		// A role with a threshold > len(keys) is technically invalid, but we let it build in the builder because
-		// we want to be able to download the role (which may still have targets on it), add more keys, and then
-		// witness the role, thus bringing it back to valid.  However, if no keys have been added before witnessing,
-		// then it is still an invalid role, and can't be witnessed because nothing can bring it back to valid.
-		if roleObj.Threshold > len(roleObj.Keys) {
-			return data.ErrInvalidRole{
-				Role:   role,
-				Reason: "role does not specify enough valid signing keys to meet its required threshold",
-			}
-		}
-		if r, ok := invalid.Targets[role]; ok {
-			// role is recognized but invalid, move to valid data and mark for re-signing
-			repo.Targets[role] = r
-			r.Dirty = true
-			return nil
-		}
-	}
-	// role isn't recognized, even as invalid
-	return data.ErrInvalidRole{
-		Role:   role,
-		Reason: "this role is not known",
-	}
-}

vendor/github.com/docker/notary/const.go

@@ -1,70 +0,0 @@
-package notary
-
-import "time"
-
-// application wide constants
-const (
-	// MaxDownloadSize is the maximum size we'll download for metadata if no limit is given
-	MaxDownloadSize int64 = 100 << 20
-	// MaxTimestampSize is the maximum size of timestamp metadata - 1MiB.
-	MaxTimestampSize int64 = 1 << 20
-	// MinRSABitSize is the minimum bit size for RSA keys allowed in notary
-	MinRSABitSize = 2048
-	// MinThreshold requires a minimum of one threshold for roles; currently we do not support a higher threshold
-	MinThreshold = 1
-	// PrivKeyPerms are the file permissions to use when writing private keys to disk
-	PrivKeyPerms = 0700
-	// PubCertPerms are the file permissions to use when writing public certificates to disk
-	PubCertPerms = 0755
-	// Sha256HexSize is how big a Sha256 hex is in number of characters
-	Sha256HexSize = 64
-	// Sha512HexSize is how big a Sha512 hex is in number of characters
-	Sha512HexSize = 128
-	// SHA256 is the name of SHA256 hash algorithm
-	SHA256 = "sha256"
-	// SHA512 is the name of SHA512 hash algorithm
-	SHA512 = "sha512"
-	// TrustedCertsDir is the directory, under the notary repo base directory, where trusted certs are stored
-	TrustedCertsDir = "trusted_certificates"
-	// PrivDir is the directory, under the notary repo base directory, where private keys are stored
-	PrivDir = "private"
-	// RootKeysSubdir is the subdirectory under PrivDir where root private keys are stored
-	RootKeysSubdir = "root_keys"
-	// NonRootKeysSubdir is the subdirectory under PrivDir where non-root private keys are stored
-	NonRootKeysSubdir = "tuf_keys"
-	// KeyExtension is the file extension to use for private key files
-	KeyExtension = "key"
-
-	// Day is a duration of one day
-	Day  = 24 * time.Hour
-	Year = 365 * Day
-
-	// NotaryRootExpiry is the duration representing the expiry time of the Root role
-	NotaryRootExpiry      = 10 * Year
-	NotaryTargetsExpiry   = 3 * Year
-	NotarySnapshotExpiry  = 3 * Year
-	NotaryTimestampExpiry = 14 * Day
-
-	ConsistentMetadataCacheMaxAge = 30 * Day
-	CurrentMetadataCacheMaxAge    = 5 * time.Minute
-	// CacheMaxAgeLimit is the generally recommended maximum age for Cache-Control headers
-	// (one year, in seconds, since one year is forever in terms of internet
-	// content)
-	CacheMaxAgeLimit = 1 * Year
-
-	MySQLBackend     = "mysql"
-	MemoryBackend    = "memory"
-	SQLiteBackend    = "sqlite3"
-	RethinkDBBackend = "rethinkdb"
-
-	DefaultImportRole = "delegation"
-)
-
-// NotaryDefaultExpiries is the construct used to configure the default expiry times of
-// the various role files.
-var NotaryDefaultExpiries = map[string]time.Duration{
-	"root":      NotaryRootExpiry,
-	"targets":   NotaryTargetsExpiry,
-	"snapshot":  NotarySnapshotExpiry,
-	"timestamp": NotaryTimestampExpiry,
-}

vendor/github.com/docker/notary/const_nowindows.go

@@ -1,16 +0,0 @@
-// +build !windows
-
-package notary
-
-import (
-	"os"
-	"syscall"
-)
-
-// NotarySupportedSignals contains the signals we would like to capture:
-// - SIGUSR1, indicates a increment of the log level.
-// - SIGUSR2, indicates a decrement of the log level.
-var NotarySupportedSignals = []os.Signal{
-	syscall.SIGUSR1,
-	syscall.SIGUSR2,
-}

vendor/github.com/docker/notary/const_windows.go

@@ -1,8 +0,0 @@
-// +build windows
-
-package notary
-
-import "os"
-
-// NotarySupportedSignals does not contain any signals, because SIGUSR1/2 are not supported on windows
-var NotarySupportedSignals = []os.Signal{}

vendor/github.com/docker/notary/cryptoservice/certificate.go

@@ -1,41 +0,0 @@
-package cryptoservice
-
-import (
-	"crypto"
-	"crypto/rand"
-	"crypto/x509"
-	"fmt"
-	"time"
-
-	"github.com/docker/notary/tuf/data"
-	"github.com/docker/notary/tuf/utils"
-)
-
-// GenerateCertificate generates an X509 Certificate from a template, given a GUN and validity interval
-func GenerateCertificate(rootKey data.PrivateKey, gun string, startTime, endTime time.Time) (*x509.Certificate, error) {
-	signer := rootKey.CryptoSigner()
-	if signer == nil {
-		return nil, fmt.Errorf("key type not supported for Certificate generation: %s\n", rootKey.Algorithm())
-	}
-
-	return generateCertificate(signer, gun, startTime, endTime)
-}
-
-func generateCertificate(signer crypto.Signer, gun string, startTime, endTime time.Time) (*x509.Certificate, error) {
-	template, err := utils.NewCertificate(gun, startTime, endTime)
-	if err != nil {
-		return nil, fmt.Errorf("failed to create the certificate template for: %s (%v)", gun, err)
-	}
-
-	derBytes, err := x509.CreateCertificate(rand.Reader, template, template, signer.Public(), signer)
-	if err != nil {
-		return nil, fmt.Errorf("failed to create the certificate for: %s (%v)", gun, err)
-	}
-
-	cert, err := x509.ParseCertificate(derBytes)
-	if err != nil {
-		return nil, fmt.Errorf("failed to parse the certificate for key: %s (%v)", gun, err)
-	}
-
-	return cert, nil
-}

vendor/github.com/docker/notary/cryptoservice/crypto_service.go

@@ -1,181 +0,0 @@
-package cryptoservice
-
-import (
-	"crypto/rand"
-	"fmt"
-
-	"crypto/x509"
-	"encoding/pem"
-	"errors"
-	"github.com/Sirupsen/logrus"
-	"github.com/docker/notary"
-	"github.com/docker/notary/trustmanager"
-	"github.com/docker/notary/tuf/data"
-	"github.com/docker/notary/tuf/utils"
-)
-
-var (
-	// ErrNoValidPrivateKey is returned if a key being imported doesn't
-	// look like a private key
-	ErrNoValidPrivateKey = errors.New("no valid private key found")
-
-	// ErrRootKeyNotEncrypted is returned if a root key being imported is
-	// unencrypted
-	ErrRootKeyNotEncrypted = errors.New("only encrypted root keys may be imported")
-)
-
-// CryptoService implements Sign and Create, holding a specific GUN and keystore to
-// operate on
-type CryptoService struct {
-	keyStores []trustmanager.KeyStore
-}
-
-// NewCryptoService returns an instance of CryptoService
-func NewCryptoService(keyStores ...trustmanager.KeyStore) *CryptoService {
-	return &CryptoService{keyStores: keyStores}
-}
-
-// Create is used to generate keys for targets, snapshots and timestamps
-func (cs *CryptoService) Create(role, gun, algorithm string) (data.PublicKey, error) {
-	var privKey data.PrivateKey
-	var err error
-
-	switch algorithm {
-	case data.RSAKey:
-		privKey, err = utils.GenerateRSAKey(rand.Reader, notary.MinRSABitSize)
-		if err != nil {
-			return nil, fmt.Errorf("failed to generate RSA key: %v", err)
-		}
-	case data.ECDSAKey:
-		privKey, err = utils.GenerateECDSAKey(rand.Reader)
-		if err != nil {
-			return nil, fmt.Errorf("failed to generate EC key: %v", err)
-		}
-	case data.ED25519Key:
-		privKey, err = utils.GenerateED25519Key(rand.Reader)
-		if err != nil {
-			return nil, fmt.Errorf("failed to generate ED25519 key: %v", err)
-		}
-	default:
-		return nil, fmt.Errorf("private key type not supported for key generation: %s", algorithm)
-	}
-	logrus.Debugf("generated new %s key for role: %s and keyID: %s", algorithm, role, privKey.ID())
-
-	// Store the private key into our keystore
-	for _, ks := range cs.keyStores {
-		err = ks.AddKey(trustmanager.KeyInfo{Role: role, Gun: gun}, privKey)
-		if err == nil {
-			return data.PublicKeyFromPrivate(privKey), nil
-		}
-	}
-	if err != nil {
-		return nil, fmt.Errorf("failed to add key to filestore: %v", err)
-	}
-
-	return nil, fmt.Errorf("keystores would not accept new private keys for unknown reasons")
-}
-
-// GetPrivateKey returns a private key and role if present by ID.
-func (cs *CryptoService) GetPrivateKey(keyID string) (k data.PrivateKey, role string, err error) {
-	for _, ks := range cs.keyStores {
-		if k, role, err = ks.GetKey(keyID); err == nil {
-			return
-		}
-		switch err.(type) {
-		case trustmanager.ErrPasswordInvalid, trustmanager.ErrAttemptsExceeded:
-			return
-		default:
-			continue
-		}
-	}
-	return // returns whatever the final values were
-}
-
-// GetKey returns a key by ID
-func (cs *CryptoService) GetKey(keyID string) data.PublicKey {
-	privKey, _, err := cs.GetPrivateKey(keyID)
-	if err != nil {
-		return nil
-	}
-	return data.PublicKeyFromPrivate(privKey)
-}
-
-// GetKeyInfo returns role and GUN info of a key by ID
-func (cs *CryptoService) GetKeyInfo(keyID string) (trustmanager.KeyInfo, error) {
-	for _, store := range cs.keyStores {
-		if info, err := store.GetKeyInfo(keyID); err == nil {
-			return info, nil
-		}
-	}
-	return trustmanager.KeyInfo{}, fmt.Errorf("Could not find info for keyID %s", keyID)
-}
-
-// RemoveKey deletes a key by ID
-func (cs *CryptoService) RemoveKey(keyID string) (err error) {
-	for _, ks := range cs.keyStores {
-		ks.RemoveKey(keyID)
-	}
-	return // returns whatever the final values were
-}
-
-// AddKey adds a private key to a specified role.
-// The GUN is inferred from the cryptoservice itself for non-root roles
-func (cs *CryptoService) AddKey(role, gun string, key data.PrivateKey) (err error) {
-	// First check if this key already exists in any of our keystores
-	for _, ks := range cs.keyStores {
-		if keyInfo, err := ks.GetKeyInfo(key.ID()); err == nil {
-			if keyInfo.Role != role {
-				return fmt.Errorf("key with same ID already exists for role: %s", keyInfo.Role)
-			}
-			logrus.Debugf("key with same ID %s and role %s already exists", key.ID(), keyInfo.Role)
-			return nil
-		}
-	}
-	// If the key didn't exist in any of our keystores, add and return on the first successful keystore
-	for _, ks := range cs.keyStores {
-		// Try to add to this keystore, return if successful
-		if err = ks.AddKey(trustmanager.KeyInfo{Role: role, Gun: gun}, key); err == nil {
-			return nil
-		}
-	}
-	return // returns whatever the final values were
-}
-
-// ListKeys returns a list of key IDs valid for the given role
-func (cs *CryptoService) ListKeys(role string) []string {
-	var res []string
-	for _, ks := range cs.keyStores {
-		for k, r := range ks.ListKeys() {
-			if r.Role == role {
-				res = append(res, k)
-			}
-		}
-	}
-	return res
-}
-
-// ListAllKeys returns a map of key IDs to role
-func (cs *CryptoService) ListAllKeys() map[string]string {
-	res := make(map[string]string)
-	for _, ks := range cs.keyStores {
-		for k, r := range ks.ListKeys() {
-			res[k] = r.Role // keys are content addressed so don't care about overwrites
-		}
-	}
-	return res
-}
-
-// CheckRootKeyIsEncrypted makes sure the root key is encrypted. We have
-// internal assumptions that depend on this.
-func CheckRootKeyIsEncrypted(pemBytes []byte) error {
-	block, _ := pem.Decode(pemBytes)
-	if block == nil {
-		return ErrNoValidPrivateKey
-	}
-
-	if !x509.IsEncryptedPEMBlock(block) {
-		return ErrRootKeyNotEncrypted
-	}
-
-	return nil
-}

vendor/github.com/docker/notary/notary.go

@@ -1,7 +0,0 @@
-package notary
-
-// PassRetriever is a callback function that should retrieve a passphrase
-// for a given named key. If it should be treated as new passphrase (e.g. with
-// confirmation), createNew will be true. Attempts is passed in so that implementers
-// decide how many chances to give to a human, for example.
-type PassRetriever func(keyName, alias string, createNew bool, attempts int) (passphrase string, giveup bool, err error)

vendor/github.com/docker/notary/passphrase/passphrase.go

@@ -1,205 +0,0 @@
-// Package passphrase is a utility function for managing passphrase
-// for TUF and Notary keys.
-package passphrase
-
-import (
-	"bufio"
-	"errors"
-	"fmt"
-	"io"
-	"os"
-	"path/filepath"
-	"strings"
-
-	"github.com/docker/docker/pkg/term"
-	"github.com/docker/notary"
-)
-
-const (
-	idBytesToDisplay            = 7
-	tufRootAlias                = "root"
-	tufTargetsAlias             = "targets"
-	tufSnapshotAlias            = "snapshot"
-	tufRootKeyGenerationWarning = `You are about to create a new root signing key passphrase. This passphrase
-will be used to protect the most sensitive key in your signing system. Please
-choose a long, complex passphrase and be careful to keep the password and the
-key file itself secure and backed up. It is highly recommended that you use a
-password manager to generate the passphrase and keep it safe. There will be no
-way to recover this key. You can find the key in your config directory.`
-)
-
-var (
-	// ErrTooShort is returned if the passphrase entered for a new key is
-	// below the minimum length
-	ErrTooShort = errors.New("Passphrase too short")
-
-	// ErrDontMatch is returned if the two entered passphrases don't match.
-	// new key is below the minimum length
-	ErrDontMatch = errors.New("The entered passphrases do not match")
-
-	// ErrTooManyAttempts is returned if the maximum number of passphrase
-	// entry attempts is reached.
-	ErrTooManyAttempts = errors.New("Too many attempts")
-
-	// ErrNoInput is returned if we do not have a valid input method for passphrases
-	ErrNoInput = errors.New("Please either use environment variables or STDIN with a terminal to provide key passphrases")
-)
-
-// PromptRetriever returns a new Retriever which will provide a prompt on stdin
-// and stdout to retrieve a passphrase. stdin will be checked if it is a terminal,
-// else the PromptRetriever will error when attempting to retrieve a passphrase.
-// Upon successful passphrase retrievals, the passphrase will be cached such that
-// subsequent prompts will produce the same passphrase.
-func PromptRetriever() notary.PassRetriever {
-	if !term.IsTerminal(os.Stdin.Fd()) {
-		return func(string, string, bool, int) (string, bool, error) {
-			return "", false, ErrNoInput
-		}
-	}
-	return PromptRetrieverWithInOut(os.Stdin, os.Stdout, nil)
-}
-
-type boundRetriever struct {
-	in              io.Reader
-	out             io.Writer
-	aliasMap        map[string]string
-	passphraseCache map[string]string
-}
-
-func (br *boundRetriever) getPassphrase(keyName, alias string, createNew bool, numAttempts int) (string, bool, error) {
-	if numAttempts == 0 {
-		if alias == tufRootAlias && createNew {
-			fmt.Fprintln(br.out, tufRootKeyGenerationWarning)
-		}
-
-		if pass, ok := br.passphraseCache[alias]; ok {
-			return pass, false, nil
-		}
-	} else if !createNew { // per `if`, numAttempts > 0 if we're at this `else`
-		if numAttempts > 3 {
-			return "", true, ErrTooManyAttempts
-		}
-		fmt.Fprintln(br.out, "Passphrase incorrect. Please retry.")
-	}
-
-	// passphrase not cached and we're not aborting, get passphrase from user!
-	return br.requestPassphrase(keyName, alias, createNew, numAttempts)
-}
-
-func (br *boundRetriever) requestPassphrase(keyName, alias string, createNew bool, numAttempts int) (string, bool, error) {
-	// Figure out if we should display a different string for this alias
-	displayAlias := alias
-	if val, ok := br.aliasMap[alias]; ok {
-		displayAlias = val
-	}
-
-	// If typing on the terminal, we do not want the terminal to echo the
-	// password that is typed (so it doesn't display)
-	if term.IsTerminal(os.Stdin.Fd()) {
-		state, err := term.SaveState(os.Stdin.Fd())
-		if err != nil {
-			return "", false, err
-		}
-		term.DisableEcho(os.Stdin.Fd(), state)
-		defer term.RestoreTerminal(os.Stdin.Fd(), state)
-	}
-
-	indexOfLastSeparator := strings.LastIndex(keyName, string(filepath.Separator))
-	if indexOfLastSeparator == -1 {
-		indexOfLastSeparator = 0
-	}
-
-	var shortName string
-	if len(keyName) > indexOfLastSeparator+idBytesToDisplay {
-		if indexOfLastSeparator > 0 {
-			keyNamePrefix := keyName[:indexOfLastSeparator]
-			keyNameID := keyName[indexOfLastSeparator+1 : indexOfLastSeparator+idBytesToDisplay+1]
-			shortName = keyNameID + " (" + keyNamePrefix + ")"
-		} else {
-			shortName = keyName[indexOfLastSeparator : indexOfLastSeparator+idBytesToDisplay]
-		}
-	}
-
-	withID := fmt.Sprintf(" with ID %s", shortName)
-	if shortName == "" {
-		withID = ""
-	}
-
-	switch {
-	case createNew:
-		fmt.Fprintf(br.out, "Enter passphrase for new %s key%s: ", displayAlias, withID)
-	case displayAlias == "yubikey":
-		fmt.Fprintf(br.out, "Enter the %s for the attached Yubikey: ", keyName)
-	default:
-		fmt.Fprintf(br.out, "Enter passphrase for %s key%s: ", displayAlias, withID)
-	}
-
-	stdin := bufio.NewReader(br.in)
-	passphrase, err := stdin.ReadBytes('\n')
-	fmt.Fprintln(br.out)
-	if err != nil {
-		return "", false, err
-	}
-
-	retPass := strings.TrimSpace(string(passphrase))
-
-	if createNew {
-		err = br.verifyAndConfirmPassword(stdin, retPass, displayAlias, withID)
-		if err != nil {
-			return "", false, err
-		}
-	}
-
-	br.cachePassword(alias, retPass)
-
-	return retPass, false, nil
-}
-
-func (br *boundRetriever) verifyAndConfirmPassword(stdin *bufio.Reader, retPass, displayAlias, withID string) error {
-	if len(retPass) < 8 {
-		fmt.Fprintln(br.out, "Passphrase is too short. Please use a password manager to generate and store a good random passphrase.")
-		return ErrTooShort
-	}
-
-	fmt.Fprintf(br.out, "Repeat passphrase for new %s key%s: ", displayAlias, withID)
-	confirmation, err := stdin.ReadBytes('\n')
-	fmt.Fprintln(br.out)
-	if err != nil {
-		return err
-	}
-	confirmationStr := strings.TrimSpace(string(confirmation))
-
-	if retPass != confirmationStr {
-		fmt.Fprintln(br.out, "Passphrases do not match. Please retry.")
-		return ErrDontMatch
-	}
-	return nil
-}
-
-func (br *boundRetriever) cachePassword(alias, retPass string) {
-	br.passphraseCache[alias] = retPass
-}
-
-// PromptRetrieverWithInOut returns a new Retriever which will provide a
-// prompt using the given in and out readers. The passphrase will be cached
-// such that subsequent prompts will produce the same passphrase.
-// aliasMap can be used to specify display names for TUF key aliases. If aliasMap
-// is nil, a sensible default will be used.
-func PromptRetrieverWithInOut(in io.Reader, out io.Writer, aliasMap map[string]string) notary.PassRetriever {
-	bound := &boundRetriever{
-		in:              in,
-		out:             out,
-		aliasMap:        aliasMap,
-		passphraseCache: make(map[string]string),
-	}
-
-	return bound.getPassphrase
-}
-
-// ConstantRetriever returns a new Retriever which will return a constant string
-// as a passphrase.
-func ConstantRetriever(constantPassphrase string) notary.PassRetriever {
-	return func(k, a string, c bool, n int) (string, bool, error) {
-		return constantPassphrase, false, nil
-	}
-}

vendor/github.com/docker/notary/storage/errors.go

@@ -1,22 +0,0 @@
-package storage
-
-import (
-	"errors"
-	"fmt"
-)
-
-var (
-	// ErrPathOutsideStore indicates that the returned path would be
-	// outside the store
-	ErrPathOutsideStore = errors.New("path outside file store")
-)
-
-// ErrMetaNotFound indicates we did not find a particular piece
-// of metadata in the store
-type ErrMetaNotFound struct {
-	Resource string
-}
-
-func (err ErrMetaNotFound) Error() string {
-	return fmt.Sprintf("%s trust data unavailable.  Has a notary repository been initialized?", err.Resource)
-}

vendor/github.com/docker/notary/storage/filestore.go

@@ -1,222 +0,0 @@
-package storage
-
-import (
-	"fmt"
-	"io"
-	"io/ioutil"
-	"os"
-	"path/filepath"
-	"strings"
-
-	"github.com/docker/notary"
-)
-
-// NewFilesystemStore creates a new store in a directory tree
-func NewFilesystemStore(baseDir, subDir, extension string) (*FilesystemStore, error) {
-	baseDir = filepath.Join(baseDir, subDir)
-
-	return NewFileStore(baseDir, extension, notary.PrivKeyPerms)
-}
-
-// NewFileStore creates a fully configurable file store
-func NewFileStore(baseDir, fileExt string, perms os.FileMode) (*FilesystemStore, error) {
-	baseDir = filepath.Clean(baseDir)
-	if err := createDirectory(baseDir, perms); err != nil {
-		return nil, err
-	}
-	if !strings.HasPrefix(fileExt, ".") {
-		fileExt = "." + fileExt
-	}
-
-	return &FilesystemStore{
-		baseDir: baseDir,
-		ext:     fileExt,
-		perms:   perms,
-	}, nil
-}
-
-// NewSimpleFileStore is a convenience wrapper to create a world readable,
-// owner writeable filestore
-func NewSimpleFileStore(baseDir, fileExt string) (*FilesystemStore, error) {
-	return NewFileStore(baseDir, fileExt, notary.PubCertPerms)
-}
-
-// NewPrivateKeyFileStorage initializes a new filestore for private keys, appending
-// the notary.PrivDir to the baseDir.
-func NewPrivateKeyFileStorage(baseDir, fileExt string) (*FilesystemStore, error) {
-	baseDir = filepath.Join(baseDir, notary.PrivDir)
-	return NewFileStore(baseDir, fileExt, notary.PrivKeyPerms)
-}
-
-// NewPrivateSimpleFileStore is a wrapper to create an owner readable/writeable
-// _only_ filestore
-func NewPrivateSimpleFileStore(baseDir, fileExt string) (*FilesystemStore, error) {
-	return NewFileStore(baseDir, fileExt, notary.PrivKeyPerms)
-}
-
-// FilesystemStore is a store in a locally accessible directory
-type FilesystemStore struct {
-	baseDir string
-	ext     string
-	perms   os.FileMode
-}
-
-func (f *FilesystemStore) getPath(name string) (string, error) {
-	fileName := fmt.Sprintf("%s%s", name, f.ext)
-	fullPath := filepath.Join(f.baseDir, fileName)
-
-	if !strings.HasPrefix(fullPath, f.baseDir) {
-		return "", ErrPathOutsideStore
-	}
-	return fullPath, nil
-}
-
-// GetSized returns the meta for the given name (a role) up to size bytes
-// If size is "NoSizeLimit", this corresponds to "infinite," but we cut off at a
-// predefined threshold "notary.MaxDownloadSize". If the file is larger than size
-// we return ErrMaliciousServer for consistency with the HTTPStore
-func (f *FilesystemStore) GetSized(name string, size int64) ([]byte, error) {
-	p, err := f.getPath(name)
-	if err != nil {
-		return nil, err
-	}
-	file, err := os.OpenFile(p, os.O_RDONLY, f.perms)
-	if err != nil {
-		if os.IsNotExist(err) {
-			err = ErrMetaNotFound{Resource: name}
-		}
-		return nil, err
-	}
-	defer file.Close()
-
-	if size == NoSizeLimit {
-		size = notary.MaxDownloadSize
-	}
-
-	stat, err := file.Stat()
-	if err != nil {
-		return nil, err
-	}
-	if stat.Size() > size {
-		return nil, ErrMaliciousServer{}
-	}
-
-	l := io.LimitReader(file, size)
-	return ioutil.ReadAll(l)
-}
-
-// Get returns the meta for the given name.
-func (f *FilesystemStore) Get(name string) ([]byte, error) {
-	p, err := f.getPath(name)
-	if err != nil {
-		return nil, err
-	}
-	meta, err := ioutil.ReadFile(p)
-	if err != nil {
-		if os.IsNotExist(err) {
-			err = ErrMetaNotFound{Resource: name}
-		}
-		return nil, err
-	}
-	return meta, nil
-}
-
-// SetMulti sets the metadata for multiple roles in one operation
-func (f *FilesystemStore) SetMulti(metas map[string][]byte) error {
-	for role, blob := range metas {
-		err := f.Set(role, blob)
-		if err != nil {
-			return err
-		}
-	}
-	return nil
-}
-
-// Set sets the meta for a single role
-func (f *FilesystemStore) Set(name string, meta []byte) error {
-	fp, err := f.getPath(name)
-	if err != nil {
-		return err
-	}
-
-	// Ensures the parent directories of the file we are about to write exist
-	err = os.MkdirAll(filepath.Dir(fp), f.perms)
-	if err != nil {
-		return err
-	}
-
-	// if something already exists, just delete it and re-write it
-	os.RemoveAll(fp)
-
-	// Write the file to disk
-	if err = ioutil.WriteFile(fp, meta, f.perms); err != nil {
-		return err
-	}
-	return nil
-}
-
-// RemoveAll clears the existing filestore by removing its base directory
-func (f *FilesystemStore) RemoveAll() error {
-	return os.RemoveAll(f.baseDir)
-}
-
-// Remove removes the metadata for a single role - if the metadata doesn't
-// exist, no error is returned
-func (f *FilesystemStore) Remove(name string) error {
-	p, err := f.getPath(name)
-	if err != nil {
-		return err
-	}
-	return os.RemoveAll(p) // RemoveAll succeeds if path doesn't exist
-}
-
-// Location returns a human readable name for the storage location
-func (f FilesystemStore) Location() string {
-	return f.baseDir
-}
-
-// ListFiles returns a list of all the filenames that can be used with Get*
-// to retrieve content from this filestore
-func (f FilesystemStore) ListFiles() []string {
-	files := make([]string, 0, 0)
-	filepath.Walk(f.baseDir, func(fp string, fi os.FileInfo, err error) error {
-		// If there are errors, ignore this particular file
-		if err != nil {
-			return nil
-		}
-		// Ignore if it is a directory
-		if fi.IsDir() {
-			return nil
-		}
-
-		// If this is a symlink, ignore it
-		if fi.Mode()&os.ModeSymlink == os.ModeSymlink {
-			return nil
-		}
-
-		// Only allow matches that end with our certificate extension (e.g. *.crt)
-		matched, _ := filepath.Match("*"+f.ext, fi.Name())
-
-		if matched {
-			// Find the relative path for this file relative to the base path.
-			fp, err = filepath.Rel(f.baseDir, fp)
-			if err != nil {
-				return err
-			}
-			trimmed := strings.TrimSuffix(fp, f.ext)
-			files = append(files, trimmed)
-		}
-		return nil
-	})
-	return files
-}
-
-// createDirectory receives a string of the path to a directory.
-// It does not support passing files, so the caller has to remove
-// the filename by doing filepath.Dir(full_path_to_file)
-func createDirectory(dir string, perms os.FileMode) error {
-	// This prevents someone passing /path/to/dir and 'dir' not being created
-	// If two '//' exist, MkdirAll deals it with correctly
-	dir = dir + "/"
-	return os.MkdirAll(dir, perms)
-}

vendor/github.com/docker/notary/storage/httpstore.go

@@ -1,339 +0,0 @@
-// A Store that can fetch and set metadata on a remote server.
-// Some API constraints:
-// - Response bodies for error codes should be unmarshallable as:
-//   {"errors": [{..., "detail": <serialized validation error>}]}
-//   else validation error details, etc. will be unparsable.  The errors
-//   should have a github.com/docker/notary/tuf/validation/SerializableError
-//   in the Details field.
-//   If writing your own server, please have a look at
-//   github.com/docker/distribution/registry/api/errcode
-
-package storage
-
-import (
-	"bytes"
-	"encoding/json"
-	"errors"
-	"fmt"
-	"io"
-	"io/ioutil"
-	"mime/multipart"
-	"net/http"
-	"net/url"
-	"path"
-
-	"github.com/Sirupsen/logrus"
-	"github.com/docker/notary"
-	"github.com/docker/notary/tuf/validation"
-)
-
-// ErrServerUnavailable indicates an error from the server. code allows us to
-// populate the http error we received
-type ErrServerUnavailable struct {
-	code int
-}
-
-// NetworkError represents any kind of network error when attempting to make a request
-type NetworkError struct {
-	Wrapped error
-}
-
-func (n NetworkError) Error() string {
-	return n.Wrapped.Error()
-}
-
-func (err ErrServerUnavailable) Error() string {
-	if err.code == 401 {
-		return fmt.Sprintf("you are not authorized to perform this operation: server returned 401.")
-	}
-	return fmt.Sprintf("unable to reach trust server at this time: %d.", err.code)
-}
-
-// ErrMaliciousServer indicates the server returned a response that is highly suspected
-// of being malicious. i.e. it attempted to send us more data than the known size of a
-// particular role metadata.
-type ErrMaliciousServer struct{}
-
-func (err ErrMaliciousServer) Error() string {
-	return "trust server returned a bad response."
-}
-
-// ErrInvalidOperation indicates that the server returned a 400 response and
-// propagate any body we received.
-type ErrInvalidOperation struct {
-	msg string
-}
-
-func (err ErrInvalidOperation) Error() string {
-	if err.msg != "" {
-		return fmt.Sprintf("trust server rejected operation: %s", err.msg)
-	}
-	return "trust server rejected operation."
-}
-
-// HTTPStore manages pulling and pushing metadata from and to a remote
-// service over HTTP. It assumes the URL structure of the remote service
-// maps identically to the structure of the TUF repo:
-// <baseURL>/<metaPrefix>/(root|targets|snapshot|timestamp).json
-// <baseURL>/<targetsPrefix>/foo.sh
-//
-// If consistent snapshots are disabled, it is advised that caching is not
-// enabled. Simple set a cachePath (and ensure it's writeable) to enable
-// caching.
-type HTTPStore struct {
-	baseURL       url.URL
-	metaPrefix    string
-	metaExtension string
-	keyExtension  string
-	roundTrip     http.RoundTripper
-}
-
-// NewHTTPStore initializes a new store against a URL and a number of configuration options
-func NewHTTPStore(baseURL, metaPrefix, metaExtension, keyExtension string, roundTrip http.RoundTripper) (RemoteStore, error) {
-	base, err := url.Parse(baseURL)
-	if err != nil {
-		return nil, err
-	}
-	if !base.IsAbs() {
-		return nil, errors.New("HTTPStore requires an absolute baseURL")
-	}
-	if roundTrip == nil {
-		return &OfflineStore{}, nil
-	}
-	return &HTTPStore{
-		baseURL:       *base,
-		metaPrefix:    metaPrefix,
-		metaExtension: metaExtension,
-		keyExtension:  keyExtension,
-		roundTrip:     roundTrip,
-	}, nil
-}
-
-func tryUnmarshalError(resp *http.Response, defaultError error) error {
-	bodyBytes, err := ioutil.ReadAll(resp.Body)
-	if err != nil {
-		return defaultError
-	}
-	var parsedErrors struct {
-		Errors []struct {
-			Detail validation.SerializableError `json:"detail"`
-		} `json:"errors"`
-	}
-	if err := json.Unmarshal(bodyBytes, &parsedErrors); err != nil {
-		return defaultError
-	}
-	if len(parsedErrors.Errors) != 1 {
-		return defaultError
-	}
-	err = parsedErrors.Errors[0].Detail.Error
-	if err == nil {
-		return defaultError
-	}
-	return err
-}
-
-func translateStatusToError(resp *http.Response, resource string) error {
-	switch resp.StatusCode {
-	case http.StatusOK:
-		return nil
-	case http.StatusNotFound:
-		return ErrMetaNotFound{Resource: resource}
-	case http.StatusBadRequest:
-		return tryUnmarshalError(resp, ErrInvalidOperation{})
-	default:
-		return ErrServerUnavailable{code: resp.StatusCode}
-	}
-}
-
-// GetSized downloads the named meta file with the given size. A short body
-// is acceptable because in the case of timestamp.json, the size is a cap,
-// not an exact length.
-// If size is "NoSizeLimit", this corresponds to "infinite," but we cut off at a
-// predefined threshold "notary.MaxDownloadSize".
-func (s HTTPStore) GetSized(name string, size int64) ([]byte, error) {
-	url, err := s.buildMetaURL(name)
-	if err != nil {
-		return nil, err
-	}
-	req, err := http.NewRequest("GET", url.String(), nil)
-	if err != nil {
-		return nil, err
-	}
-	resp, err := s.roundTrip.RoundTrip(req)
-	if err != nil {
-		return nil, NetworkError{Wrapped: err}
-	}
-	defer resp.Body.Close()
-	if err := translateStatusToError(resp, name); err != nil {
-		logrus.Debugf("received HTTP status %d when requesting %s.", resp.StatusCode, name)
-		return nil, err
-	}
-	if size == NoSizeLimit {
-		size = notary.MaxDownloadSize
-	}
-	if resp.ContentLength > size {
-		return nil, ErrMaliciousServer{}
-	}
-	logrus.Debugf("%d when retrieving metadata for %s", resp.StatusCode, name)
-	b := io.LimitReader(resp.Body, size)
-	body, err := ioutil.ReadAll(b)
-	if err != nil {
-		return nil, err
-	}
-	return body, nil
-}
-
-// Set sends a single piece of metadata to the TUF server
-func (s HTTPStore) Set(name string, blob []byte) error {
-	return s.SetMulti(map[string][]byte{name: blob})
-}
-
-// Remove always fails, because we should never be able to delete metadata
-// remotely
-func (s HTTPStore) Remove(name string) error {
-	return ErrInvalidOperation{msg: "cannot delete individual metadata files"}
-}
-
-// NewMultiPartMetaRequest builds a request with the provided metadata updates
-// in multipart form
-func NewMultiPartMetaRequest(url string, metas map[string][]byte) (*http.Request, error) {
-	body := &bytes.Buffer{}
-	writer := multipart.NewWriter(body)
-	for role, blob := range metas {
-		part, err := writer.CreateFormFile("files", role)
-		if err != nil {
-			return nil, err
-		}
-		_, err = io.Copy(part, bytes.NewBuffer(blob))
-		if err != nil {
-			return nil, err
-		}
-	}
-	err := writer.Close()
-	if err != nil {
-		return nil, err
-	}
-	req, err := http.NewRequest("POST", url, body)
-	if err != nil {
-		return nil, err
-	}
-	req.Header.Set("Content-Type", writer.FormDataContentType())
-	return req, nil
-}
-
-// SetMulti does a single batch upload of multiple pieces of TUF metadata.
-// This should be preferred for updating a remote server as it enable the server
-// to remain consistent, either accepting or rejecting the complete update.
-func (s HTTPStore) SetMulti(metas map[string][]byte) error {
-	url, err := s.buildMetaURL("")
-	if err != nil {
-		return err
-	}
-	req, err := NewMultiPartMetaRequest(url.String(), metas)
-	if err != nil {
-		return err
-	}
-	resp, err := s.roundTrip.RoundTrip(req)
-	if err != nil {
-		return NetworkError{Wrapped: err}
-	}
-	defer resp.Body.Close()
-	// if this 404's something is pretty wrong
-	return translateStatusToError(resp, "POST metadata endpoint")
-}
-
-// RemoveAll will attempt to delete all TUF metadata for a GUN
-func (s HTTPStore) RemoveAll() error {
-	url, err := s.buildMetaURL("")
-	if err != nil {
-		return err
-	}
-	req, err := http.NewRequest("DELETE", url.String(), nil)
-	if err != nil {
-		return err
-	}
-	resp, err := s.roundTrip.RoundTrip(req)
-	if err != nil {
-		return NetworkError{Wrapped: err}
-	}
-	defer resp.Body.Close()
-	return translateStatusToError(resp, "DELETE metadata for GUN endpoint")
-}
-
-func (s HTTPStore) buildMetaURL(name string) (*url.URL, error) {
-	var filename string
-	if name != "" {
-		filename = fmt.Sprintf("%s.%s", name, s.metaExtension)
-	}
-	uri := path.Join(s.metaPrefix, filename)
-	return s.buildURL(uri)
-}
-
-func (s HTTPStore) buildKeyURL(name string) (*url.URL, error) {
-	filename := fmt.Sprintf("%s.%s", name, s.keyExtension)
-	uri := path.Join(s.metaPrefix, filename)
-	return s.buildURL(uri)
-}
-
-func (s HTTPStore) buildURL(uri string) (*url.URL, error) {
-	sub, err := url.Parse(uri)
-	if err != nil {
-		return nil, err
-	}
-	return s.baseURL.ResolveReference(sub), nil
-}
-
-// GetKey retrieves a public key from the remote server
-func (s HTTPStore) GetKey(role string) ([]byte, error) {
-	url, err := s.buildKeyURL(role)
-	if err != nil {
-		return nil, err
-	}
-	req, err := http.NewRequest("GET", url.String(), nil)
-	if err != nil {
-		return nil, err
-	}
-	resp, err := s.roundTrip.RoundTrip(req)
-	if err != nil {
-		return nil, NetworkError{Wrapped: err}
-	}
-	defer resp.Body.Close()
-	if err := translateStatusToError(resp, role+" key"); err != nil {
-		return nil, err
-	}
-	body, err := ioutil.ReadAll(resp.Body)
-	if err != nil {
-		return nil, err
-	}
-	return body, nil
-}
-
-// RotateKey rotates a private key and returns the public component from the remote server
-func (s HTTPStore) RotateKey(role string) ([]byte, error) {
-	url, err := s.buildKeyURL(role)
-	if err != nil {
-		return nil, err
-	}
-	req, err := http.NewRequest("POST", url.String(), nil)
-	if err != nil {
-		return nil, err
-	}
-	resp, err := s.roundTrip.RoundTrip(req)
-	if err != nil {
-		return nil, NetworkError{Wrapped: err}
-	}
-	defer resp.Body.Close()
-	if err := translateStatusToError(resp, role+" key"); err != nil {
-		return nil, err
-	}
-	body, err := ioutil.ReadAll(resp.Body)
-	if err != nil {
-		return nil, err
-	}
-	return body, nil
-}
-
-// Location returns a human readable name for the storage location
-func (s HTTPStore) Location() string {
-	return s.baseURL.String()
-}

vendor/github.com/docker/notary/storage/interfaces.go

@@ -1,34 +0,0 @@
-package storage
-
-// NoSizeLimit is represented as -1 for arguments to GetMeta
-const NoSizeLimit int64 = -1
-
-// MetadataStore must be implemented by anything that intends to interact
-// with a store of TUF files
-type MetadataStore interface {
-	GetSized(name string, size int64) ([]byte, error)
-	Set(name string, blob []byte) error
-	SetMulti(map[string][]byte) error
-	RemoveAll() error
-	Remove(name string) error
-}
-
-// PublicKeyStore must be implemented by a key service
-type PublicKeyStore interface {
-	GetKey(role string) ([]byte, error)
-	RotateKey(role string) ([]byte, error)
-}
-
-// RemoteStore is similar to LocalStore with the added expectation that it should
-// provide a way to download targets once located
-type RemoteStore interface {
-	MetadataStore
-	PublicKeyStore
-}
-
-// Bootstrapper is a thing that can set itself up
-type Bootstrapper interface {
-	// Bootstrap instructs a configured Bootstrapper to perform
-	// its setup operations.
-	Bootstrap() error
-}

vendor/github.com/docker/notary/storage/memorystore.go

@@ -1,124 +0,0 @@
-package storage
-
-import (
-	"crypto/sha256"
-
-	"github.com/docker/notary"
-	"github.com/docker/notary/tuf/utils"
-)
-
-// NewMemoryStore returns a MetadataStore that operates entirely in memory.
-// Very useful for testing
-func NewMemoryStore(initial map[string][]byte) *MemoryStore {
-	var consistent = make(map[string][]byte)
-	if initial == nil {
-		initial = make(map[string][]byte)
-	} else {
-		// add all seed meta to consistent
-		for name, data := range initial {
-			checksum := sha256.Sum256(data)
-			path := utils.ConsistentName(name, checksum[:])
-			consistent[path] = data
-		}
-	}
-	return &MemoryStore{
-		data:       initial,
-		consistent: consistent,
-	}
-}
-
-// MemoryStore implements a mock RemoteStore entirely in memory.
-// For testing purposes only.
-type MemoryStore struct {
-	data       map[string][]byte
-	consistent map[string][]byte
-}
-
-// GetSized returns up to size bytes of data references by name.
-// If size is "NoSizeLimit", this corresponds to "infinite," but we cut off at a
-// predefined threshold "notary.MaxDownloadSize", as we will always know the
-// size for everything but a timestamp and sometimes a root,
-// neither of which should be exceptionally large
-func (m MemoryStore) GetSized(name string, size int64) ([]byte, error) {
-	d, ok := m.data[name]
-	if ok {
-		if size == NoSizeLimit {
-			size = notary.MaxDownloadSize
-		}
-		if int64(len(d)) < size {
-			return d, nil
-		}
-		return d[:size], nil
-	}
-	d, ok = m.consistent[name]
-	if ok {
-		if int64(len(d)) < size {
-			return d, nil
-		}
-		return d[:size], nil
-	}
-	return nil, ErrMetaNotFound{Resource: name}
-}
-
-// Get returns the data associated with name
-func (m MemoryStore) Get(name string) ([]byte, error) {
-	if d, ok := m.data[name]; ok {
-		return d, nil
-	}
-	if d, ok := m.consistent[name]; ok {
-		return d, nil
-	}
-	return nil, ErrMetaNotFound{Resource: name}
-}
-
-// Set sets the metadata value for the given name
-func (m *MemoryStore) Set(name string, meta []byte) error {
-	m.data[name] = meta
-
-	checksum := sha256.Sum256(meta)
-	path := utils.ConsistentName(name, checksum[:])
-	m.consistent[path] = meta
-	return nil
-}
-
-// SetMulti sets multiple pieces of metadata for multiple names
-// in a single operation.
-func (m *MemoryStore) SetMulti(metas map[string][]byte) error {
-	for role, blob := range metas {
-		m.Set(role, blob)
-	}
-	return nil
-}
-
-// Remove removes the metadata for a single role - if the metadata doesn't
-// exist, no error is returned
-func (m *MemoryStore) Remove(name string) error {
-	if meta, ok := m.data[name]; ok {
-		checksum := sha256.Sum256(meta)
-		path := utils.ConsistentName(name, checksum[:])
-		delete(m.data, name)
-		delete(m.consistent, path)
-	}
-	return nil
-}
-
-// RemoveAll clears the existing memory store by setting this store as new empty one
-func (m *MemoryStore) RemoveAll() error {
-	*m = *NewMemoryStore(nil)
-	return nil
-}
-
-// Location provides a human readable name for the storage location
-func (m MemoryStore) Location() string {
-	return "memory"
-}
-
-// ListFiles returns a list of all files. The names returned should be
-// usable with Get directly, with no modification.
-func (m *MemoryStore) ListFiles() []string {
-	names := make([]string, 0, len(m.data))
-	for n := range m.data {
-		names = append(names, n)
-	}
-	return names
-}

vendor/github.com/docker/notary/storage/offlinestore.go

@@ -1,54 +0,0 @@
-package storage
-
-// ErrOffline is used to indicate we are operating offline
-type ErrOffline struct{}
-
-func (e ErrOffline) Error() string {
-	return "client is offline"
-}
-
-var err = ErrOffline{}
-
-// OfflineStore is to be used as a placeholder for a nil store. It simply
-// returns ErrOffline for every operation
-type OfflineStore struct{}
-
-// GetSized returns ErrOffline
-func (es OfflineStore) GetSized(name string, size int64) ([]byte, error) {
-	return nil, err
-}
-
-// Set returns ErrOffline
-func (es OfflineStore) Set(name string, blob []byte) error {
-	return err
-}
-
-// SetMulti returns ErrOffline
-func (es OfflineStore) SetMulti(map[string][]byte) error {
-	return err
-}
-
-// Remove returns ErrOffline
-func (es OfflineStore) Remove(name string) error {
-	return err
-}
-
-// GetKey returns ErrOffline
-func (es OfflineStore) GetKey(role string) ([]byte, error) {
-	return nil, err
-}
-
-// RotateKey returns ErrOffline
-func (es OfflineStore) RotateKey(role string) ([]byte, error) {
-	return nil, err
-}
-
-// RemoveAll return ErrOffline
-func (es OfflineStore) RemoveAll() error {
-	return err
-}
-
-// Location returns a human readable name for the storage location
-func (es OfflineStore) Location() string {
-	return "offline"
-}

vendor/github.com/docker/notary/trustmanager/interfaces.go

@@ -1,82 +0,0 @@
-package trustmanager
-
-import (
-	"fmt"
-
-	"github.com/docker/notary/tuf/data"
-)
-
-// Storage implements the bare bones primitives (no hierarchy)
-type Storage interface {
-	// Add writes a file to the specified location, returning an error if this
-	// is not possible (reasons may include permissions errors). The path is cleaned
-	// before being made absolute against the store's base dir.
-	Set(fileName string, data []byte) error
-
-	// Remove deletes a file from the store relative to the store's base directory.
-	// The path is cleaned before being made absolute to ensure no path traversal
-	// outside the base directory is possible.
-	Remove(fileName string) error
-
-	// Get returns the file content found at fileName relative to the base directory
-	// of the file store. The path is cleaned before being made absolute to ensure
-	// path traversal outside the store is not possible. If the file is not found
-	// an error to that effect is returned.
-	Get(fileName string) ([]byte, error)
-
-	// ListFiles returns a list of paths relative to the base directory of the
-	// filestore. Any of these paths must be retrievable via the
-	// Storage.Get method.
-	ListFiles() []string
-
-	// Location returns a human readable name indicating where the implementer
-	// is storing keys
-	Location() string
-}
-
-// ErrAttemptsExceeded is returned when too many attempts have been made to decrypt a key
-type ErrAttemptsExceeded struct{}
-
-// ErrAttemptsExceeded is returned when too many attempts have been made to decrypt a key
-func (err ErrAttemptsExceeded) Error() string {
-	return "maximum number of passphrase attempts exceeded"
-}
-
-// ErrPasswordInvalid is returned when signing fails. It could also mean the signing
-// key file was corrupted, but we have no way to distinguish.
-type ErrPasswordInvalid struct{}
-
-// ErrPasswordInvalid is returned when signing fails. It could also mean the signing
-// key file was corrupted, but we have no way to distinguish.
-func (err ErrPasswordInvalid) Error() string {
-	return "password invalid, operation has failed."
-}
-
-// ErrKeyNotFound is returned when the keystore fails to retrieve a specific key.
-type ErrKeyNotFound struct {
-	KeyID string
-}
-
-// ErrKeyNotFound is returned when the keystore fails to retrieve a specific key.
-func (err ErrKeyNotFound) Error() string {
-	return fmt.Sprintf("signing key not found: %s", err.KeyID)
-}
-
-// KeyStore is a generic interface for private key storage
-type KeyStore interface {
-	// AddKey adds a key to the KeyStore, and if the key already exists,
-	// succeeds.  Otherwise, returns an error if it cannot add.
-	AddKey(keyInfo KeyInfo, privKey data.PrivateKey) error
-	// Should fail with ErrKeyNotFound if the keystore is operating normally
-	// and knows that it does not store the requested key.
-	GetKey(keyID string) (data.PrivateKey, string, error)
-	GetKeyInfo(keyID string) (KeyInfo, error)
-	ListKeys() map[string]KeyInfo
-	RemoveKey(keyID string) error
-	Name() string
-}
-
-type cachedKey struct {
-	alias string
-	key   data.PrivateKey
-}

vendor/github.com/docker/notary/trustmanager/keystore.go

@@ -1,325 +0,0 @@
-package trustmanager
-
-import (
-	"encoding/pem"
-	"fmt"
-	"path/filepath"
-	"strings"
-	"sync"
-
-	"github.com/Sirupsen/logrus"
-	"github.com/docker/notary"
-	store "github.com/docker/notary/storage"
-	"github.com/docker/notary/tuf/data"
-	"github.com/docker/notary/tuf/utils"
-)
-
-type keyInfoMap map[string]KeyInfo
-
-// KeyInfo stores the role, path, and gun for a corresponding private key ID
-// It is assumed that each private key ID is unique
-type KeyInfo struct {
-	Gun  string
-	Role string
-}
-
-// GenericKeyStore is a wrapper for Storage instances that provides
-// translation between the []byte form and Public/PrivateKey objects
-type GenericKeyStore struct {
-	store Storage
-	sync.Mutex
-	notary.PassRetriever
-	cachedKeys map[string]*cachedKey
-	keyInfoMap
-}
-
-// NewKeyFileStore returns a new KeyFileStore creating a private directory to
-// hold the keys.
-func NewKeyFileStore(baseDir string, p notary.PassRetriever) (*GenericKeyStore, error) {
-	fileStore, err := store.NewPrivateKeyFileStorage(baseDir, notary.KeyExtension)
-	if err != nil {
-		return nil, err
-	}
-	return NewGenericKeyStore(fileStore, p), nil
-}
-
-// NewKeyMemoryStore returns a new KeyMemoryStore which holds keys in memory
-func NewKeyMemoryStore(p notary.PassRetriever) *GenericKeyStore {
-	memStore := store.NewMemoryStore(nil)
-	return NewGenericKeyStore(memStore, p)
-}
-
-// NewGenericKeyStore creates a GenericKeyStore wrapping the provided
-// Storage instance, using the PassRetriever to enc/decrypt keys
-func NewGenericKeyStore(s Storage, p notary.PassRetriever) *GenericKeyStore {
-	ks := GenericKeyStore{
-		store:         s,
-		PassRetriever: p,
-		cachedKeys:    make(map[string]*cachedKey),
-		keyInfoMap:    make(keyInfoMap),
-	}
-	ks.loadKeyInfo()
-	return &ks
-}
-
-func generateKeyInfoMap(s Storage) map[string]KeyInfo {
-	keyInfoMap := make(map[string]KeyInfo)
-	for _, keyPath := range s.ListFiles() {
-		d, err := s.Get(keyPath)
-		if err != nil {
-			logrus.Error(err)
-			continue
-		}
-		keyID, keyInfo, err := KeyInfoFromPEM(d, keyPath)
-		if err != nil {
-			logrus.Error(err)
-			continue
-		}
-		keyInfoMap[keyID] = keyInfo
-	}
-	return keyInfoMap
-}
-
-// Attempts to infer the keyID, role, and GUN from the specified key path.
-// Note that non-root roles can only be inferred if this is a legacy style filename: KEYID_ROLE.key
-func inferKeyInfoFromKeyPath(keyPath string) (string, string, string) {
-	var keyID, role, gun string
-	keyID = filepath.Base(keyPath)
-	underscoreIndex := strings.LastIndex(keyID, "_")
-
-	// This is the legacy KEYID_ROLE filename
-	// The keyID is the first part of the keyname
-	// The keyRole is the second part of the keyname
-	// in a key named abcde_root, abcde is the keyID and root is the KeyAlias
-	if underscoreIndex != -1 {
-		role = keyID[underscoreIndex+1:]
-		keyID = keyID[:underscoreIndex]
-	}
-
-	if filepath.HasPrefix(keyPath, notary.RootKeysSubdir+"/") {
-		return keyID, data.CanonicalRootRole, ""
-	}
-
-	keyPath = strings.TrimPrefix(keyPath, notary.NonRootKeysSubdir+"/")
-	gun = getGunFromFullID(keyPath)
-	return keyID, role, gun
-}
-
-func getGunFromFullID(fullKeyID string) string {
-	keyGun := filepath.Dir(fullKeyID)
-	// If the gun is empty, Dir will return .
-	if keyGun == "." {
-		keyGun = ""
-	}
-	return keyGun
-}
-
-func (s *GenericKeyStore) loadKeyInfo() {
-	s.keyInfoMap = generateKeyInfoMap(s.store)
-}
-
-// GetKeyInfo returns the corresponding gun and role key info for a keyID
-func (s *GenericKeyStore) GetKeyInfo(keyID string) (KeyInfo, error) {
-	if info, ok := s.keyInfoMap[keyID]; ok {
-		return info, nil
-	}
-	return KeyInfo{}, fmt.Errorf("Could not find info for keyID %s", keyID)
-}
-
-// AddKey stores the contents of a PEM-encoded private key as a PEM block
-func (s *GenericKeyStore) AddKey(keyInfo KeyInfo, privKey data.PrivateKey) error {
-	var (
-		chosenPassphrase string
-		giveup           bool
-		err              error
-		pemPrivKey       []byte
-	)
-	s.Lock()
-	defer s.Unlock()
-	if keyInfo.Role == data.CanonicalRootRole || data.IsDelegation(keyInfo.Role) || !data.ValidRole(keyInfo.Role) {
-		keyInfo.Gun = ""
-	}
-	name := filepath.Join(keyInfo.Gun, privKey.ID())
-	for attempts := 0; ; attempts++ {
-		chosenPassphrase, giveup, err = s.PassRetriever(name, keyInfo.Role, true, attempts)
-		if err == nil {
-			break
-		}
-		if giveup || attempts > 10 {
-			return ErrAttemptsExceeded{}
-		}
-	}
-
-	if chosenPassphrase != "" {
-		pemPrivKey, err = utils.EncryptPrivateKey(privKey, keyInfo.Role, keyInfo.Gun, chosenPassphrase)
-	} else {
-		pemPrivKey, err = utils.KeyToPEM(privKey, keyInfo.Role)
-	}
-
-	if err != nil {
-		return err
-	}
-
-	s.cachedKeys[name] = &cachedKey{alias: keyInfo.Role, key: privKey}
-	err = s.store.Set(filepath.Join(getSubdir(keyInfo.Role), name), pemPrivKey)
-	if err != nil {
-		return err
-	}
-	s.keyInfoMap[privKey.ID()] = keyInfo
-	return nil
-}
-
-// GetKey returns the PrivateKey given a KeyID
-func (s *GenericKeyStore) GetKey(name string) (data.PrivateKey, string, error) {
-	s.Lock()
-	defer s.Unlock()
-	cachedKeyEntry, ok := s.cachedKeys[name]
-	if ok {
-		return cachedKeyEntry.key, cachedKeyEntry.alias, nil
-	}
-
-	keyBytes, _, keyAlias, err := getKey(s.store, name)
-	if err != nil {
-		return nil, "", err
-	}
-
-	// See if the key is encrypted. If its encrypted we'll fail to parse the private key
-	privKey, err := utils.ParsePEMPrivateKey(keyBytes, "")
-	if err != nil {
-		privKey, _, err = GetPasswdDecryptBytes(s.PassRetriever, keyBytes, name, string(keyAlias))
-		if err != nil {
-			return nil, "", err
-		}
-	}
-	s.cachedKeys[name] = &cachedKey{alias: keyAlias, key: privKey}
-	return privKey, keyAlias, nil
-}
-
-// ListKeys returns a list of unique PublicKeys present on the KeyFileStore, by returning a copy of the keyInfoMap
-func (s *GenericKeyStore) ListKeys() map[string]KeyInfo {
-	return copyKeyInfoMap(s.keyInfoMap)
-}
-
-// RemoveKey removes the key from the keyfilestore
-func (s *GenericKeyStore) RemoveKey(keyID string) error {
-	s.Lock()
-	defer s.Unlock()
-
-	_, filename, _, err := getKey(s.store, keyID)
-	switch err.(type) {
-	case ErrKeyNotFound, nil:
-		break
-	default:
-		return err
-	}
-
-	delete(s.cachedKeys, keyID)
-
-	err = s.store.Remove(filename) // removing a file that doesn't exist doesn't fail
-	if err != nil {
-		return err
-	}
-
-	// Remove this key from our keyInfo map if we removed from our filesystem
-	delete(s.keyInfoMap, filepath.Base(keyID))
-	return nil
-}
-
-// Name returns a user friendly name for the location this store
-// keeps its data
-func (s *GenericKeyStore) Name() string {
-	return s.store.Location()
-}
-
-// copyKeyInfoMap returns a deep copy of the passed-in keyInfoMap
-func copyKeyInfoMap(keyInfoMap map[string]KeyInfo) map[string]KeyInfo {
-	copyMap := make(map[string]KeyInfo)
-	for keyID, keyInfo := range keyInfoMap {
-		copyMap[keyID] = KeyInfo{Role: keyInfo.Role, Gun: keyInfo.Gun}
-	}
-	return copyMap
-}
-
-// KeyInfoFromPEM attempts to get a keyID and KeyInfo from the filename and PEM bytes of a key
-func KeyInfoFromPEM(pemBytes []byte, filename string) (string, KeyInfo, error) {
-	keyID, role, gun := inferKeyInfoFromKeyPath(filename)
-	if role == "" {
-		block, _ := pem.Decode(pemBytes)
-		if block == nil {
-			return "", KeyInfo{}, fmt.Errorf("could not decode PEM block for key %s", filename)
-		}
-		if keyRole, ok := block.Headers["role"]; ok {
-			role = keyRole
-		}
-	}
-	return keyID, KeyInfo{Gun: gun, Role: role}, nil
-}
-
-// getKey finds the key and role for the given keyID. It attempts to
-// look both in the newer format PEM headers, and also in the legacy filename
-// format. It returns: the key bytes, the filename it was found under, the role,
-// and an error
-func getKey(s Storage, keyID string) ([]byte, string, string, error) {
-	name := strings.TrimSpace(strings.TrimSuffix(filepath.Base(keyID), filepath.Ext(keyID)))
-
-	for _, file := range s.ListFiles() {
-		filename := filepath.Base(file)
-
-		if strings.HasPrefix(filename, name) {
-			d, err := s.Get(file)
-			if err != nil {
-				return nil, "", "", err
-			}
-			block, _ := pem.Decode(d)
-			if block != nil {
-				if role, ok := block.Headers["role"]; ok {
-					return d, file, role, nil
-				}
-			}
-
-			role := strings.TrimPrefix(filename, name+"_")
-			return d, file, role, nil
-		}
-	}
-
-	return nil, "", "", ErrKeyNotFound{KeyID: keyID}
-}
-
-// Assumes 2 subdirectories, 1 containing root keys and 1 containing TUF keys
-func getSubdir(alias string) string {
-	if alias == data.CanonicalRootRole {
-		return notary.RootKeysSubdir
-	}
-	return notary.NonRootKeysSubdir
-}
-
-// GetPasswdDecryptBytes gets the password to decrypt the given pem bytes.
-// Returns the password and private key
-func GetPasswdDecryptBytes(passphraseRetriever notary.PassRetriever, pemBytes []byte, name, alias string) (data.PrivateKey, string, error) {
-	var (
-		passwd  string
-		privKey data.PrivateKey
-	)
-	for attempts := 0; ; attempts++ {
-		var (
-			giveup bool
-			err    error
-		)
-		if attempts > 10 {
-			return nil, "", ErrAttemptsExceeded{}
-		}
-		passwd, giveup, err = passphraseRetriever(name, alias, false, attempts)
-		// Check if the passphrase retriever got an error or if it is telling us to give up
-		if giveup || err != nil {
-			return nil, "", ErrPasswordInvalid{}
-		}
-
-		// Try to convert PEM encoded bytes back to a PrivateKey using the passphrase
-		privKey, err = utils.ParsePEMPrivateKey(pemBytes, passwd)
-		if err == nil {
-			// We managed to parse the PrivateKey. We've succeeded!
-			break
-		}
-	}
-	return privKey, passwd, nil
-}

vendor/github.com/docker/notary/trustmanager/yubikey/import.go

@@ -1,57 +0,0 @@
-// +build pkcs11
-
-package yubikey
-
-import (
-	"encoding/pem"
-	"errors"
-	"github.com/docker/notary"
-	"github.com/docker/notary/trustmanager"
-	"github.com/docker/notary/tuf/utils"
-)
-
-// YubiImport is a wrapper around the YubiStore that allows us to import private
-// keys to the yubikey
-type YubiImport struct {
-	dest          *YubiStore
-	passRetriever notary.PassRetriever
-}
-
-// NewImporter returns a wrapper for the YubiStore provided that enables importing
-// keys via the simple Set(string, []byte) interface
-func NewImporter(ys *YubiStore, ret notary.PassRetriever) *YubiImport {
-	return &YubiImport{
-		dest:          ys,
-		passRetriever: ret,
-	}
-}
-
-// Set determines if we are allowed to set the given key on the Yubikey and
-// calls through to YubiStore.AddKey if it's valid
-func (s *YubiImport) Set(name string, bytes []byte) error {
-	block, _ := pem.Decode(bytes)
-	if block == nil {
-		return errors.New("invalid PEM data, could not parse")
-	}
-	role, ok := block.Headers["role"]
-	if !ok {
-		return errors.New("no role found for key")
-	}
-	ki := trustmanager.KeyInfo{
-		// GUN is ignored by YubiStore
-		Role: role,
-	}
-	privKey, err := utils.ParsePEMPrivateKey(bytes, "")
-	if err != nil {
-		privKey, _, err = trustmanager.GetPasswdDecryptBytes(
-			s.passRetriever,
-			bytes,
-			name,
-			ki.Role,
-		)
-		if err != nil {
-			return err
-		}
-	}
-	return s.dest.AddKey(ki, privKey)
-}

vendor/github.com/docker/notary/trustmanager/yubikey/non_pkcs11.go

@@ -1,9 +0,0 @@
-// go list ./... and go test ./... will not pick up this package without this
-// file, because go ? ./... does not honor build tags.
-
-// e.g. "go list -tags pkcs11 ./..." will not list this package if all the
-// files in it have a build tag.
-
-// See https://github.com/golang/go/issues/11246
-
-package yubikey

vendor/github.com/docker/notary/trustmanager/yubikey/pkcs11_darwin.go

@@ -1,9 +0,0 @@
-// +build pkcs11,darwin
-
-package yubikey
-
-var possiblePkcs11Libs = []string{
-	"/usr/local/lib/libykcs11.dylib",
-	"/usr/local/docker/lib/libykcs11.dylib",
-	"/usr/local/docker-experimental/lib/libykcs11.dylib",
-}

vendor/github.com/docker/notary/trustmanager/yubikey/pkcs11_interface.go

@@ -1,40 +0,0 @@
-// +build pkcs11
-
-// an interface around the pkcs11 library, so that things can be mocked out
-// for testing
-
-package yubikey
-
-import "github.com/miekg/pkcs11"
-
-// IPKCS11 is an interface for wrapping github.com/miekg/pkcs11
-type pkcs11LibLoader func(module string) IPKCS11Ctx
-
-func defaultLoader(module string) IPKCS11Ctx {
-	return pkcs11.New(module)
-}
-
-// IPKCS11Ctx is an interface for wrapping the parts of
-// github.com/miekg/pkcs11.Ctx that yubikeystore requires
-type IPKCS11Ctx interface {
-	Destroy()
-	Initialize() error
-	Finalize() error
-	GetSlotList(tokenPresent bool) ([]uint, error)
-	OpenSession(slotID uint, flags uint) (pkcs11.SessionHandle, error)
-	CloseSession(sh pkcs11.SessionHandle) error
-	Login(sh pkcs11.SessionHandle, userType uint, pin string) error
-	Logout(sh pkcs11.SessionHandle) error
-	CreateObject(sh pkcs11.SessionHandle, temp []*pkcs11.Attribute) (
-		pkcs11.ObjectHandle, error)
-	DestroyObject(sh pkcs11.SessionHandle, oh pkcs11.ObjectHandle) error
-	GetAttributeValue(sh pkcs11.SessionHandle, o pkcs11.ObjectHandle,
-		a []*pkcs11.Attribute) ([]*pkcs11.Attribute, error)
-	FindObjectsInit(sh pkcs11.SessionHandle, temp []*pkcs11.Attribute) error
-	FindObjects(sh pkcs11.SessionHandle, max int) (
-		[]pkcs11.ObjectHandle, bool, error)
-	FindObjectsFinal(sh pkcs11.SessionHandle) error
-	SignInit(sh pkcs11.SessionHandle, m []*pkcs11.Mechanism,
-		o pkcs11.ObjectHandle) error
-	Sign(sh pkcs11.SessionHandle, message []byte) ([]byte, error)
-}

vendor/github.com/docker/notary/trustmanager/yubikey/pkcs11_linux.go

@@ -1,10 +0,0 @@
-// +build pkcs11,linux
-
-package yubikey
-
-var possiblePkcs11Libs = []string{
-	"/usr/lib/libykcs11.so",
-	"/usr/lib64/libykcs11.so",
-	"/usr/lib/x86_64-linux-gnu/libykcs11.so",
-	"/usr/local/lib/libykcs11.so",
-}

vendor/github.com/docker/notary/trustmanager/yubikey/yubikeystore.go

@@ -1,914 +0,0 @@
-// +build pkcs11
-
-package yubikey
-
-import (
-	"crypto"
-	"crypto/ecdsa"
-	"crypto/elliptic"
-	"crypto/rand"
-	"crypto/sha256"
-	"crypto/x509"
-	"errors"
-	"fmt"
-	"io"
-	"math/big"
-	"os"
-	"time"
-
-	"github.com/Sirupsen/logrus"
-	"github.com/docker/notary"
-	"github.com/docker/notary/trustmanager"
-	"github.com/docker/notary/tuf/data"
-	"github.com/docker/notary/tuf/signed"
-	"github.com/docker/notary/tuf/utils"
-	"github.com/miekg/pkcs11"
-)
-
-const (
-	// UserPin is the user pin of a yubikey (in PIV parlance, is the PIN)
-	UserPin = "123456"
-	// SOUserPin is the "Security Officer" user pin - this is the PIV management
-	// (MGM) key, which is different than the admin pin of the Yubikey PGP interface
-	// (which in PIV parlance is the PUK, and defaults to 12345678)
-	SOUserPin = "010203040506070801020304050607080102030405060708"
-	numSlots  = 4 // number of slots in the yubikey
-
-	// KeymodeNone means that no touch or PIN is required to sign with the yubikey
-	KeymodeNone = 0
-	// KeymodeTouch means that only touch is required to sign with the yubikey
-	KeymodeTouch = 1
-	// KeymodePinOnce means that the pin entry is required once the first time to sign with the yubikey
-	KeymodePinOnce = 2
-	// KeymodePinAlways means that pin entry is required every time to sign with the yubikey
-	KeymodePinAlways = 4
-
-	// the key size, when importing a key into yubikey, MUST be 32 bytes
-	ecdsaPrivateKeySize = 32
-
-	sigAttempts = 5
-)
-
-// what key mode to use when generating keys
-var (
-	yubikeyKeymode = KeymodeTouch | KeymodePinOnce
-	// order in which to prefer token locations on the yubikey.
-	// corresponds to: 9c, 9e, 9d, 9a
-	slotIDs = []int{2, 1, 3, 0}
-)
-
-// SetYubikeyKeyMode - sets the mode when generating yubikey keys.
-// This is to be used for testing.  It does nothing if not building with tag
-// pkcs11.
-func SetYubikeyKeyMode(keyMode int) error {
-	// technically 7 (1 | 2 | 4) is valid, but KeymodePinOnce +
-	// KeymdoePinAlways don't really make sense together
-	if keyMode < 0 || keyMode > 5 {
-		return errors.New("Invalid key mode")
-	}
-	yubikeyKeymode = keyMode
-	return nil
-}
-
-// SetTouchToSignUI - allows configurable UX for notifying a user that they
-// need to touch the yubikey to sign. The callback may be used to provide a
-// mechanism for updating a GUI (such as removing a modal) after the touch
-// has been made
-func SetTouchToSignUI(notifier func(), callback func()) {
-	touchToSignUI = notifier
-	if callback != nil {
-		touchDoneCallback = callback
-	}
-}
-
-var touchToSignUI = func() {
-	fmt.Println("Please touch the attached Yubikey to perform signing.")
-}
-
-var touchDoneCallback = func() {
-	// noop
-}
-
-var pkcs11Lib string
-
-func init() {
-	for _, loc := range possiblePkcs11Libs {
-		_, err := os.Stat(loc)
-		if err == nil {
-			p := pkcs11.New(loc)
-			if p != nil {
-				pkcs11Lib = loc
-				return
-			}
-		}
-	}
-}
-
-// ErrBackupFailed is returned when a YubiStore fails to back up a key that
-// is added
-type ErrBackupFailed struct {
-	err string
-}
-
-func (err ErrBackupFailed) Error() string {
-	return fmt.Sprintf("Failed to backup private key to: %s", err.err)
-}
-
-// An error indicating that the HSM is not present (as opposed to failing),
-// i.e. that we can confidently claim that the key is not stored in the HSM
-// without notifying the user about a missing or failing HSM.
-type errHSMNotPresent struct {
-	err string
-}
-
-func (err errHSMNotPresent) Error() string {
-	return err.err
-}
-
-type yubiSlot struct {
-	role   string
-	slotID []byte
-}
-
-// YubiPrivateKey represents a private key inside of a yubikey
-type YubiPrivateKey struct {
-	data.ECDSAPublicKey
-	passRetriever notary.PassRetriever
-	slot          []byte
-	libLoader     pkcs11LibLoader
-}
-
-// yubikeySigner wraps a YubiPrivateKey and implements the crypto.Signer interface
-type yubikeySigner struct {
-	YubiPrivateKey
-}
-
-// NewYubiPrivateKey returns a YubiPrivateKey, which implements the data.PrivateKey
-// interface except that the private material is inaccessible
-func NewYubiPrivateKey(slot []byte, pubKey data.ECDSAPublicKey,
-	passRetriever notary.PassRetriever) *YubiPrivateKey {
-
-	return &YubiPrivateKey{
-		ECDSAPublicKey: pubKey,
-		passRetriever:  passRetriever,
-		slot:           slot,
-		libLoader:      defaultLoader,
-	}
-}
-
-// Public is a required method of the crypto.Signer interface
-func (ys *yubikeySigner) Public() crypto.PublicKey {
-	publicKey, err := x509.ParsePKIXPublicKey(ys.YubiPrivateKey.Public())
-	if err != nil {
-		return nil
-	}
-
-	return publicKey
-}
-
-func (y *YubiPrivateKey) setLibLoader(loader pkcs11LibLoader) {
-	y.libLoader = loader
-}
-
-// CryptoSigner returns a crypto.Signer tha wraps the YubiPrivateKey. Needed for
-// Certificate generation only
-func (y *YubiPrivateKey) CryptoSigner() crypto.Signer {
-	return &yubikeySigner{YubiPrivateKey: *y}
-}
-
-// Private is not implemented in hardware  keys
-func (y *YubiPrivateKey) Private() []byte {
-	// We cannot return the private material from a Yubikey
-	// TODO(david): We probably want to return an error here
-	return nil
-}
-
-// SignatureAlgorithm returns which algorithm this key uses to sign - currently
-// hardcoded to ECDSA
-func (y YubiPrivateKey) SignatureAlgorithm() data.SigAlgorithm {
-	return data.ECDSASignature
-}
-
-// Sign is a required method of the crypto.Signer interface and the data.PrivateKey
-// interface
-func (y *YubiPrivateKey) Sign(rand io.Reader, msg []byte, opts crypto.SignerOpts) ([]byte, error) {
-	ctx, session, err := SetupHSMEnv(pkcs11Lib, y.libLoader)
-	if err != nil {
-		return nil, err
-	}
-	defer cleanup(ctx, session)
-
-	v := signed.Verifiers[data.ECDSASignature]
-	for i := 0; i < sigAttempts; i++ {
-		sig, err := sign(ctx, session, y.slot, y.passRetriever, msg)
-		if err != nil {
-			return nil, fmt.Errorf("failed to sign using Yubikey: %v", err)
-		}
-		if err := v.Verify(&y.ECDSAPublicKey, sig, msg); err == nil {
-			return sig, nil
-		}
-	}
-	return nil, errors.New("Failed to generate signature on Yubikey.")
-}
-
-// If a byte array is less than the number of bytes specified by
-// ecdsaPrivateKeySize, left-zero-pad the byte array until
-// it is the required size.
-func ensurePrivateKeySize(payload []byte) []byte {
-	final := payload
-	if len(payload) < ecdsaPrivateKeySize {
-		final = make([]byte, ecdsaPrivateKeySize)
-		copy(final[ecdsaPrivateKeySize-len(payload):], payload)
-	}
-	return final
-}
-
-// addECDSAKey adds a key to the yubikey
-func addECDSAKey(
-	ctx IPKCS11Ctx,
-	session pkcs11.SessionHandle,
-	privKey data.PrivateKey,
-	pkcs11KeyID []byte,
-	passRetriever notary.PassRetriever,
-	role string,
-) error {
-	logrus.Debugf("Attempting to add key to yubikey with ID: %s", privKey.ID())
-
-	err := login(ctx, session, passRetriever, pkcs11.CKU_SO, SOUserPin)
-	if err != nil {
-		return err
-	}
-	defer ctx.Logout(session)
-
-	// Create an ecdsa.PrivateKey out of the private key bytes
-	ecdsaPrivKey, err := x509.ParseECPrivateKey(privKey.Private())
-	if err != nil {
-		return err
-	}
-
-	ecdsaPrivKeyD := ensurePrivateKeySize(ecdsaPrivKey.D.Bytes())
-
-	// Hard-coded policy: the generated certificate expires in 10 years.
-	startTime := time.Now()
-	template, err := utils.NewCertificate(role, startTime, startTime.AddDate(10, 0, 0))
-	if err != nil {
-		return fmt.Errorf("failed to create the certificate template: %v", err)
-	}
-
-	certBytes, err := x509.CreateCertificate(rand.Reader, template, template, ecdsaPrivKey.Public(), ecdsaPrivKey)
-	if err != nil {
-		return fmt.Errorf("failed to create the certificate: %v", err)
-	}
-
-	certTemplate := []*pkcs11.Attribute{
-		pkcs11.NewAttribute(pkcs11.CKA_CLASS, pkcs11.CKO_CERTIFICATE),
-		pkcs11.NewAttribute(pkcs11.CKA_VALUE, certBytes),
-		pkcs11.NewAttribute(pkcs11.CKA_ID, pkcs11KeyID),
-	}
-
-	privateKeyTemplate := []*pkcs11.Attribute{
-		pkcs11.NewAttribute(pkcs11.CKA_CLASS, pkcs11.CKO_PRIVATE_KEY),
-		pkcs11.NewAttribute(pkcs11.CKA_KEY_TYPE, pkcs11.CKK_ECDSA),
-		pkcs11.NewAttribute(pkcs11.CKA_ID, pkcs11KeyID),
-		pkcs11.NewAttribute(pkcs11.CKA_EC_PARAMS, []byte{0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07}),
-		pkcs11.NewAttribute(pkcs11.CKA_VALUE, ecdsaPrivKeyD),
-		pkcs11.NewAttribute(pkcs11.CKA_VENDOR_DEFINED, yubikeyKeymode),
-	}
-
-	_, err = ctx.CreateObject(session, certTemplate)
-	if err != nil {
-		return fmt.Errorf("error importing: %v", err)
-	}
-
-	_, err = ctx.CreateObject(session, privateKeyTemplate)
-	if err != nil {
-		return fmt.Errorf("error importing: %v", err)
-	}
-
-	return nil
-}
-
-func getECDSAKey(ctx IPKCS11Ctx, session pkcs11.SessionHandle, pkcs11KeyID []byte) (*data.ECDSAPublicKey, string, error) {
-	findTemplate := []*pkcs11.Attribute{
-		pkcs11.NewAttribute(pkcs11.CKA_TOKEN, true),
-		pkcs11.NewAttribute(pkcs11.CKA_ID, pkcs11KeyID),
-		pkcs11.NewAttribute(pkcs11.CKA_CLASS, pkcs11.CKO_PUBLIC_KEY),
-	}
-
-	attrTemplate := []*pkcs11.Attribute{
-		pkcs11.NewAttribute(pkcs11.CKA_KEY_TYPE, []byte{0}),
-		pkcs11.NewAttribute(pkcs11.CKA_EC_POINT, []byte{0}),
-		pkcs11.NewAttribute(pkcs11.CKA_EC_PARAMS, []byte{0}),
-	}
-
-	if err := ctx.FindObjectsInit(session, findTemplate); err != nil {
-		logrus.Debugf("Failed to init: %s", err.Error())
-		return nil, "", err
-	}
-	obj, _, err := ctx.FindObjects(session, 1)
-	if err != nil {
-		logrus.Debugf("Failed to find objects: %v", err)
-		return nil, "", err
-	}
-	if err := ctx.FindObjectsFinal(session); err != nil {
-		logrus.Debugf("Failed to finalize: %s", err.Error())
-		return nil, "", err
-	}
-	if len(obj) != 1 {
-		logrus.Debugf("should have found one object")
-		return nil, "", errors.New("no matching keys found inside of yubikey")
-	}
-
-	// Retrieve the public-key material to be able to create a new ECSAKey
-	attr, err := ctx.GetAttributeValue(session, obj[0], attrTemplate)
-	if err != nil {
-		logrus.Debugf("Failed to get Attribute for: %v", obj[0])
-		return nil, "", err
-	}
-
-	// Iterate through all the attributes of this key and saves CKA_PUBLIC_EXPONENT and CKA_MODULUS. Removes ordering specific issues.
-	var rawPubKey []byte
-	for _, a := range attr {
-		if a.Type == pkcs11.CKA_EC_POINT {
-			rawPubKey = a.Value
-		}
-
-	}
-
-	ecdsaPubKey := ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(rawPubKey[3:35]), Y: new(big.Int).SetBytes(rawPubKey[35:])}
-	pubBytes, err := x509.MarshalPKIXPublicKey(&ecdsaPubKey)
-	if err != nil {
-		logrus.Debugf("Failed to Marshal public key")
-		return nil, "", err
-	}
-
-	return data.NewECDSAPublicKey(pubBytes), data.CanonicalRootRole, nil
-}
-
-// sign returns a signature for a given signature request
-func sign(ctx IPKCS11Ctx, session pkcs11.SessionHandle, pkcs11KeyID []byte, passRetriever notary.PassRetriever, payload []byte) ([]byte, error) {
-	err := login(ctx, session, passRetriever, pkcs11.CKU_USER, UserPin)
-	if err != nil {
-		return nil, fmt.Errorf("error logging in: %v", err)
-	}
-	defer ctx.Logout(session)
-
-	// Define the ECDSA Private key template
-	class := pkcs11.CKO_PRIVATE_KEY
-	privateKeyTemplate := []*pkcs11.Attribute{
-		pkcs11.NewAttribute(pkcs11.CKA_CLASS, class),
-		pkcs11.NewAttribute(pkcs11.CKA_KEY_TYPE, pkcs11.CKK_ECDSA),
-		pkcs11.NewAttribute(pkcs11.CKA_ID, pkcs11KeyID),
-	}
-
-	if err := ctx.FindObjectsInit(session, privateKeyTemplate); err != nil {
-		logrus.Debugf("Failed to init find objects: %s", err.Error())
-		return nil, err
-	}
-	obj, _, err := ctx.FindObjects(session, 1)
-	if err != nil {
-		logrus.Debugf("Failed to find objects: %v", err)
-		return nil, err
-	}
-	if err = ctx.FindObjectsFinal(session); err != nil {
-		logrus.Debugf("Failed to finalize find objects: %s", err.Error())
-		return nil, err
-	}
-	if len(obj) != 1 {
-		return nil, errors.New("length of objects found not 1")
-	}
-
-	var sig []byte
-	err = ctx.SignInit(
-		session, []*pkcs11.Mechanism{pkcs11.NewMechanism(pkcs11.CKM_ECDSA, nil)}, obj[0])
-	if err != nil {
-		return nil, err
-	}
-
-	// Get the SHA256 of the payload
-	digest := sha256.Sum256(payload)
-
-	if (yubikeyKeymode & KeymodeTouch) > 0 {
-		touchToSignUI()
-		defer touchDoneCallback()
-	}
-	// a call to Sign, whether or not Sign fails, will clear the SignInit
-	sig, err = ctx.Sign(session, digest[:])
-	if err != nil {
-		logrus.Debugf("Error while signing: %s", err)
-		return nil, err
-	}
-
-	if sig == nil {
-		return nil, errors.New("Failed to create signature")
-	}
-	return sig[:], nil
-}
-
-func yubiRemoveKey(ctx IPKCS11Ctx, session pkcs11.SessionHandle, pkcs11KeyID []byte, passRetriever notary.PassRetriever, keyID string) error {
-	err := login(ctx, session, passRetriever, pkcs11.CKU_SO, SOUserPin)
-	if err != nil {
-		return err
-	}
-	defer ctx.Logout(session)
-
-	template := []*pkcs11.Attribute{
-		pkcs11.NewAttribute(pkcs11.CKA_TOKEN, true),
-		pkcs11.NewAttribute(pkcs11.CKA_ID, pkcs11KeyID),
-		//pkcs11.NewAttribute(pkcs11.CKA_CLASS, pkcs11.CKO_PRIVATE_KEY),
-		pkcs11.NewAttribute(pkcs11.CKA_CLASS, pkcs11.CKO_CERTIFICATE),
-	}
-
-	if err := ctx.FindObjectsInit(session, template); err != nil {
-		logrus.Debugf("Failed to init find objects: %s", err.Error())
-		return err
-	}
-	obj, b, err := ctx.FindObjects(session, 1)
-	if err != nil {
-		logrus.Debugf("Failed to find objects: %s %v", err.Error(), b)
-		return err
-	}
-	if err := ctx.FindObjectsFinal(session); err != nil {
-		logrus.Debugf("Failed to finalize find objects: %s", err.Error())
-		return err
-	}
-	if len(obj) != 1 {
-		logrus.Debugf("should have found exactly one object")
-		return err
-	}
-
-	// Delete the certificate
-	err = ctx.DestroyObject(session, obj[0])
-	if err != nil {
-		logrus.Debugf("Failed to delete cert")
-		return err
-	}
-	return nil
-}
-
-func yubiListKeys(ctx IPKCS11Ctx, session pkcs11.SessionHandle) (keys map[string]yubiSlot, err error) {
-	keys = make(map[string]yubiSlot)
-	findTemplate := []*pkcs11.Attribute{
-		pkcs11.NewAttribute(pkcs11.CKA_TOKEN, true),
-		//pkcs11.NewAttribute(pkcs11.CKA_ID, pkcs11KeyID),
-		pkcs11.NewAttribute(pkcs11.CKA_CLASS, pkcs11.CKO_CERTIFICATE),
-	}
-
-	attrTemplate := []*pkcs11.Attribute{
-		pkcs11.NewAttribute(pkcs11.CKA_ID, []byte{0}),
-		pkcs11.NewAttribute(pkcs11.CKA_VALUE, []byte{0}),
-	}
-
-	if err = ctx.FindObjectsInit(session, findTemplate); err != nil {
-		logrus.Debugf("Failed to init: %s", err.Error())
-		return
-	}
-	objs, b, err := ctx.FindObjects(session, numSlots)
-	for err == nil {
-		var o []pkcs11.ObjectHandle
-		o, b, err = ctx.FindObjects(session, numSlots)
-		if err != nil {
-			continue
-		}
-		if len(o) == 0 {
-			break
-		}
-		objs = append(objs, o...)
-	}
-	if err != nil {
-		logrus.Debugf("Failed to find: %s %v", err.Error(), b)
-		if len(objs) == 0 {
-			return nil, err
-		}
-	}
-	if err = ctx.FindObjectsFinal(session); err != nil {
-		logrus.Debugf("Failed to finalize: %s", err.Error())
-		return
-	}
-	if len(objs) == 0 {
-		return nil, errors.New("No keys found in yubikey.")
-	}
-	logrus.Debugf("Found %d objects matching list filters", len(objs))
-	for _, obj := range objs {
-		var (
-			cert *x509.Certificate
-			slot []byte
-		)
-		// Retrieve the public-key material to be able to create a new ECDSA
-		attr, err := ctx.GetAttributeValue(session, obj, attrTemplate)
-		if err != nil {
-			logrus.Debugf("Failed to get Attribute for: %v", obj)
-			continue
-		}
-
-		// Iterate through all the attributes of this key and saves CKA_PUBLIC_EXPONENT and CKA_MODULUS. Removes ordering specific issues.
-		for _, a := range attr {
-			if a.Type == pkcs11.CKA_ID {
-				slot = a.Value
-			}
-			if a.Type == pkcs11.CKA_VALUE {
-				cert, err = x509.ParseCertificate(a.Value)
-				if err != nil {
-					continue
-				}
-				if !data.ValidRole(cert.Subject.CommonName) {
-					continue
-				}
-			}
-		}
-
-		// we found nothing
-		if cert == nil {
-			continue
-		}
-
-		var ecdsaPubKey *ecdsa.PublicKey
-		switch cert.PublicKeyAlgorithm {
-		case x509.ECDSA:
-			ecdsaPubKey = cert.PublicKey.(*ecdsa.PublicKey)
-		default:
-			logrus.Infof("Unsupported x509 PublicKeyAlgorithm: %d", cert.PublicKeyAlgorithm)
-			continue
-		}
-
-		pubBytes, err := x509.MarshalPKIXPublicKey(ecdsaPubKey)
-		if err != nil {
-			logrus.Debugf("Failed to Marshal public key")
-			continue
-		}
-
-		keys[data.NewECDSAPublicKey(pubBytes).ID()] = yubiSlot{
-			role:   cert.Subject.CommonName,
-			slotID: slot,
-		}
-	}
-	return
-}
-
-func getNextEmptySlot(ctx IPKCS11Ctx, session pkcs11.SessionHandle) ([]byte, error) {
-	findTemplate := []*pkcs11.Attribute{
-		pkcs11.NewAttribute(pkcs11.CKA_TOKEN, true),
-	}
-	attrTemplate := []*pkcs11.Attribute{
-		pkcs11.NewAttribute(pkcs11.CKA_ID, []byte{0}),
-	}
-
-	if err := ctx.FindObjectsInit(session, findTemplate); err != nil {
-		logrus.Debugf("Failed to init: %s", err.Error())
-		return nil, err
-	}
-	objs, b, err := ctx.FindObjects(session, numSlots)
-	// if there are more objects than `numSlots`, get all of them until
-	// there are no more to get
-	for err == nil {
-		var o []pkcs11.ObjectHandle
-		o, b, err = ctx.FindObjects(session, numSlots)
-		if err != nil {
-			continue
-		}
-		if len(o) == 0 {
-			break
-		}
-		objs = append(objs, o...)
-	}
-	taken := make(map[int]bool)
-	if err != nil {
-		logrus.Debugf("Failed to find: %s %v", err.Error(), b)
-		return nil, err
-	}
-	if err = ctx.FindObjectsFinal(session); err != nil {
-		logrus.Debugf("Failed to finalize: %s\n", err.Error())
-		return nil, err
-	}
-	for _, obj := range objs {
-		// Retrieve the slot ID
-		attr, err := ctx.GetAttributeValue(session, obj, attrTemplate)
-		if err != nil {
-			continue
-		}
-
-		// Iterate through attributes. If an ID attr was found, mark it as taken
-		for _, a := range attr {
-			if a.Type == pkcs11.CKA_ID {
-				if len(a.Value) < 1 {
-					continue
-				}
-				// a byte will always be capable of representing all slot IDs
-				// for the Yubikeys
-				slotNum := int(a.Value[0])
-				if slotNum >= numSlots {
-					// defensive
-					continue
-				}
-				taken[slotNum] = true
-			}
-		}
-	}
-	// iterate the token locations in our preferred order and use the first
-	// available one. Otherwise exit the loop and return an error.
-	for _, loc := range slotIDs {
-		if !taken[loc] {
-			return []byte{byte(loc)}, nil
-		}
-	}
-	return nil, errors.New("Yubikey has no available slots.")
-}
-
-// YubiStore is a KeyStore for private keys inside a Yubikey
-type YubiStore struct {
-	passRetriever notary.PassRetriever
-	keys          map[string]yubiSlot
-	backupStore   trustmanager.KeyStore
-	libLoader     pkcs11LibLoader
-}
-
-// NewYubiStore returns a YubiStore, given a backup key store to write any
-// generated keys to (usually a KeyFileStore)
-func NewYubiStore(backupStore trustmanager.KeyStore, passphraseRetriever notary.PassRetriever) (
-	*YubiStore, error) {
-
-	s := &YubiStore{
-		passRetriever: passphraseRetriever,
-		keys:          make(map[string]yubiSlot),
-		backupStore:   backupStore,
-		libLoader:     defaultLoader,
-	}
-	s.ListKeys() // populate keys field
-	return s, nil
-}
-
-// Name returns a user friendly name for the location this store
-// keeps its data
-func (s YubiStore) Name() string {
-	return "yubikey"
-}
-
-func (s *YubiStore) setLibLoader(loader pkcs11LibLoader) {
-	s.libLoader = loader
-}
-
-// ListKeys returns a list of keys in the yubikey store
-func (s *YubiStore) ListKeys() map[string]trustmanager.KeyInfo {
-	if len(s.keys) > 0 {
-		return buildKeyMap(s.keys)
-	}
-	ctx, session, err := SetupHSMEnv(pkcs11Lib, s.libLoader)
-	if err != nil {
-		logrus.Debugf("No yubikey found, using alternative key storage: %s", err.Error())
-		return nil
-	}
-	defer cleanup(ctx, session)
-
-	keys, err := yubiListKeys(ctx, session)
-	if err != nil {
-		logrus.Debugf("Failed to list key from the yubikey: %s", err.Error())
-		return nil
-	}
-	s.keys = keys
-
-	return buildKeyMap(keys)
-}
-
-// AddKey puts a key inside the Yubikey, as well as writing it to the backup store
-func (s *YubiStore) AddKey(keyInfo trustmanager.KeyInfo, privKey data.PrivateKey) error {
-	added, err := s.addKey(privKey.ID(), keyInfo.Role, privKey)
-	if err != nil {
-		return err
-	}
-	if added && s.backupStore != nil {
-		err = s.backupStore.AddKey(keyInfo, privKey)
-		if err != nil {
-			defer s.RemoveKey(privKey.ID())
-			return ErrBackupFailed{err: err.Error()}
-		}
-	}
-	return nil
-}
-
-// Only add if we haven't seen the key already.  Return whether the key was
-// added.
-func (s *YubiStore) addKey(keyID, role string, privKey data.PrivateKey) (
-	bool, error) {
-
-	// We only allow adding root keys for now
-	if role != data.CanonicalRootRole {
-		return false, fmt.Errorf(
-			"yubikey only supports storing root keys, got %s for key: %s", role, keyID)
-	}
-
-	ctx, session, err := SetupHSMEnv(pkcs11Lib, s.libLoader)
-	if err != nil {
-		logrus.Debugf("No yubikey found, using alternative key storage: %s", err.Error())
-		return false, err
-	}
-	defer cleanup(ctx, session)
-
-	if k, ok := s.keys[keyID]; ok {
-		if k.role == role {
-			// already have the key and it's associated with the correct role
-			return false, nil
-		}
-	}
-
-	slot, err := getNextEmptySlot(ctx, session)
-	if err != nil {
-		logrus.Debugf("Failed to get an empty yubikey slot: %s", err.Error())
-		return false, err
-	}
-	logrus.Debugf("Attempting to store key using yubikey slot %v", slot)
-
-	err = addECDSAKey(
-		ctx, session, privKey, slot, s.passRetriever, role)
-	if err == nil {
-		s.keys[privKey.ID()] = yubiSlot{
-			role:   role,
-			slotID: slot,
-		}
-		return true, nil
-	}
-	logrus.Debugf("Failed to add key to yubikey: %v", err)
-
-	return false, err
-}
-
-// GetKey retrieves a key from the Yubikey only (it does not look inside the
-// backup store)
-func (s *YubiStore) GetKey(keyID string) (data.PrivateKey, string, error) {
-	ctx, session, err := SetupHSMEnv(pkcs11Lib, s.libLoader)
-	if err != nil {
-		logrus.Debugf("No yubikey found, using alternative key storage: %s", err.Error())
-		if _, ok := err.(errHSMNotPresent); ok {
-			err = trustmanager.ErrKeyNotFound{KeyID: keyID}
-		}
-		return nil, "", err
-	}
-	defer cleanup(ctx, session)
-
-	key, ok := s.keys[keyID]
-	if !ok {
-		return nil, "", trustmanager.ErrKeyNotFound{KeyID: keyID}
-	}
-
-	pubKey, alias, err := getECDSAKey(ctx, session, key.slotID)
-	if err != nil {
-		logrus.Debugf("Failed to get key from slot %s: %s", key.slotID, err.Error())
-		return nil, "", err
-	}
-	// Check to see if we're returning the intended keyID
-	if pubKey.ID() != keyID {
-		return nil, "", fmt.Errorf("expected root key: %s, but found: %s", keyID, pubKey.ID())
-	}
-	privKey := NewYubiPrivateKey(key.slotID, *pubKey, s.passRetriever)
-	if privKey == nil {
-		return nil, "", errors.New("could not initialize new YubiPrivateKey")
-	}
-
-	return privKey, alias, err
-}
-
-// RemoveKey deletes a key from the Yubikey only (it does not remove it from the
-// backup store)
-func (s *YubiStore) RemoveKey(keyID string) error {
-	ctx, session, err := SetupHSMEnv(pkcs11Lib, s.libLoader)
-	if err != nil {
-		logrus.Debugf("No yubikey found, using alternative key storage: %s", err.Error())
-		return nil
-	}
-	defer cleanup(ctx, session)
-
-	key, ok := s.keys[keyID]
-	if !ok {
-		return errors.New("Key not present in yubikey")
-	}
-	err = yubiRemoveKey(ctx, session, key.slotID, s.passRetriever, keyID)
-	if err == nil {
-		delete(s.keys, keyID)
-	} else {
-		logrus.Debugf("Failed to remove from the yubikey KeyID %s: %v", keyID, err)
-	}
-
-	return err
-}
-
-// GetKeyInfo is not yet implemented
-func (s *YubiStore) GetKeyInfo(keyID string) (trustmanager.KeyInfo, error) {
-	return trustmanager.KeyInfo{}, fmt.Errorf("Not yet implemented")
-}
-
-func cleanup(ctx IPKCS11Ctx, session pkcs11.SessionHandle) {
-	err := ctx.CloseSession(session)
-	if err != nil {
-		logrus.Debugf("Error closing session: %s", err.Error())
-	}
-	finalizeAndDestroy(ctx)
-}
-
-func finalizeAndDestroy(ctx IPKCS11Ctx) {
-	err := ctx.Finalize()
-	if err != nil {
-		logrus.Debugf("Error finalizing: %s", err.Error())
-	}
-	ctx.Destroy()
-}
-
-// SetupHSMEnv is a method that depends on the existences
-func SetupHSMEnv(libraryPath string, libLoader pkcs11LibLoader) (
-	IPKCS11Ctx, pkcs11.SessionHandle, error) {
-
-	if libraryPath == "" {
-		return nil, 0, errHSMNotPresent{err: "no library found"}
-	}
-	p := libLoader(libraryPath)
-
-	if p == nil {
-		return nil, 0, fmt.Errorf("failed to load library %s", libraryPath)
-	}
-
-	if err := p.Initialize(); err != nil {
-		defer finalizeAndDestroy(p)
-		return nil, 0, fmt.Errorf("found library %s, but initialize error %s", libraryPath, err.Error())
-	}
-
-	slots, err := p.GetSlotList(true)
-	if err != nil {
-		defer finalizeAndDestroy(p)
-		return nil, 0, fmt.Errorf(
-			"loaded library %s, but failed to list HSM slots %s", libraryPath, err)
-	}
-	// Check to see if we got any slots from the HSM.
-	if len(slots) < 1 {
-		defer finalizeAndDestroy(p)
-		return nil, 0, fmt.Errorf(
-			"loaded library %s, but no HSM slots found", libraryPath)
-	}
-
-	// CKF_SERIAL_SESSION: TRUE if cryptographic functions are performed in serial with the application; FALSE if the functions may be performed in parallel with the application.
-	// CKF_RW_SESSION: TRUE if the session is read/write; FALSE if the session is read-only
-	session, err := p.OpenSession(slots[0], pkcs11.CKF_SERIAL_SESSION|pkcs11.CKF_RW_SESSION)
-	if err != nil {
-		defer cleanup(p, session)
-		return nil, 0, fmt.Errorf(
-			"loaded library %s, but failed to start session with HSM %s",
-			libraryPath, err)
-	}
-
-	logrus.Debugf("Initialized PKCS11 library %s and started HSM session", libraryPath)
-	return p, session, nil
-}
-
-// IsAccessible returns true if a Yubikey can be accessed
-func IsAccessible() bool {
-	if pkcs11Lib == "" {
-		return false
-	}
-	ctx, session, err := SetupHSMEnv(pkcs11Lib, defaultLoader)
-	if err != nil {
-		return false
-	}
-	defer cleanup(ctx, session)
-	return true
-}
-
-func login(ctx IPKCS11Ctx, session pkcs11.SessionHandle, passRetriever notary.PassRetriever, userFlag uint, defaultPassw string) error {
-	// try default password
-	err := ctx.Login(session, userFlag, defaultPassw)
-	if err == nil {
-		return nil
-	}
-
-	// default failed, ask user for password
-	for attempts := 0; ; attempts++ {
-		var (
-			giveup bool
-			err    error
-			user   string
-		)
-		if userFlag == pkcs11.CKU_SO {
-			user = "SO Pin"
-		} else {
-			user = "User Pin"
-		}
-		passwd, giveup, err := passRetriever(user, "yubikey", false, attempts)
-		// Check if the passphrase retriever got an error or if it is telling us to give up
-		if giveup || err != nil {
-			return trustmanager.ErrPasswordInvalid{}
-		}
-		if attempts > 2 {
-			return trustmanager.ErrAttemptsExceeded{}
-		}
-
-		// attempt to login. Loop if failed
-		err = ctx.Login(session, userFlag, passwd)
-		if err == nil {
-			return nil
-		}
-	}
-}
-
-func buildKeyMap(keys map[string]yubiSlot) map[string]trustmanager.KeyInfo {
-	res := make(map[string]trustmanager.KeyInfo)
-	for k, v := range keys {
-		res[k] = trustmanager.KeyInfo{Role: v.role, Gun: ""}
-	}
-	return res
-}

vendor/github.com/docker/notary/trustpinning/certs.go

@@ -1,291 +0,0 @@
-package trustpinning
-
-import (
-	"crypto/x509"
-	"errors"
-	"fmt"
-	"strings"
-
-	"github.com/Sirupsen/logrus"
-	"github.com/docker/notary/tuf/data"
-	"github.com/docker/notary/tuf/signed"
-	"github.com/docker/notary/tuf/utils"
-)
-
-// ErrValidationFail is returned when there is no valid trusted certificates
-// being served inside of the roots.json
-type ErrValidationFail struct {
-	Reason string
-}
-
-// ErrValidationFail is returned when there is no valid trusted certificates
-// being served inside of the roots.json
-func (err ErrValidationFail) Error() string {
-	return fmt.Sprintf("could not validate the path to a trusted root: %s", err.Reason)
-}
-
-// ErrRootRotationFail is returned when we fail to do a full root key rotation
-// by either failing to add the new root certificate, or delete the old ones
-type ErrRootRotationFail struct {
-	Reason string
-}
-
-// ErrRootRotationFail is returned when we fail to do a full root key rotation
-// by either failing to add the new root certificate, or delete the old ones
-func (err ErrRootRotationFail) Error() string {
-	return fmt.Sprintf("could not rotate trust to a new trusted root: %s", err.Reason)
-}
-
-func prettyFormatCertIDs(certs map[string]*x509.Certificate) string {
-	ids := make([]string, 0, len(certs))
-	for id := range certs {
-		ids = append(ids, id)
-	}
-	return strings.Join(ids, ", ")
-}
-
-/*
-ValidateRoot receives a new root, validates its correctness and attempts to
-do root key rotation if needed.
-
-First we check if we have any trusted certificates for a particular GUN in
-a previous root, if we have one. If the previous root is not nil and we find
-certificates for this GUN, we've already seen this repository before, and
-have a list of trusted certificates for it. In this case, we use this list of
-certificates to attempt to validate this root file.
-
-If the previous validation succeeds, we check the integrity of the root by
-making sure that it is validated by itself. This means that we will attempt to
-validate the root data with the certificates that are included in the root keys
-themselves.
-
-However, if we do not have any current trusted certificates for this GUN, we
-check if there are any pinned certificates specified in the trust_pinning section
-of the notary client config.  If this section specifies a Certs section with this
-GUN, we attempt to validate that the certificates present in the downloaded root
-file match the pinned ID.
-
-If the Certs section is empty for this GUN, we check if the trust_pinning
-section specifies a CA section specified in the config for this GUN.  If so, we check
-that the specified CA is valid and has signed a certificate included in the downloaded
-root file.  The specified CA can be a prefix for this GUN.
-
-If both the Certs and CA configs do not match this GUN, we fall back to the TOFU
-section in the config: if true, we trust certificates specified in the root for
-this GUN. If later we see a different certificate for that certificate, we return
-an ErrValidationFailed error.
-
-Note that since we only allow trust data to be downloaded over an HTTPS channel
-we are using the current public PKI to validate the first download of the certificate
-adding an extra layer of security over the normal (SSH style) trust model.
-We shall call this: TOFUS.
-
-Validation failure at any step will result in an ErrValidationFailed error.
-*/
-func ValidateRoot(prevRoot *data.SignedRoot, root *data.Signed, gun string, trustPinning TrustPinConfig) (*data.SignedRoot, error) {
-	logrus.Debugf("entered ValidateRoot with dns: %s", gun)
-	signedRoot, err := data.RootFromSigned(root)
-	if err != nil {
-		return nil, err
-	}
-
-	rootRole, err := signedRoot.BuildBaseRole(data.CanonicalRootRole)
-	if err != nil {
-		return nil, err
-	}
-
-	// Retrieve all the leaf and intermediate certificates in root for which the CN matches the GUN
-	allLeafCerts, allIntCerts := parseAllCerts(signedRoot)
-	certsFromRoot, err := validRootLeafCerts(allLeafCerts, gun, true)
-	validIntCerts := validRootIntCerts(allIntCerts)
-
-	if err != nil {
-		logrus.Debugf("error retrieving valid leaf certificates for: %s, %v", gun, err)
-		return nil, &ErrValidationFail{Reason: "unable to retrieve valid leaf certificates"}
-	}
-
-	logrus.Debugf("found %d leaf certs, of which %d are valid leaf certs for %s", len(allLeafCerts), len(certsFromRoot), gun)
-
-	// If we have a previous root, let's try to use it to validate that this new root is valid.
-	havePrevRoot := prevRoot != nil
-	if havePrevRoot {
-		// Retrieve all the trusted certificates from our previous root
-		// Note that we do not validate expiries here since our originally trusted root might have expired certs
-		allTrustedLeafCerts, allTrustedIntCerts := parseAllCerts(prevRoot)
-		trustedLeafCerts, err := validRootLeafCerts(allTrustedLeafCerts, gun, false)
-		if err != nil {
-			return nil, &ErrValidationFail{Reason: "could not retrieve trusted certs from previous root role data"}
-		}
-
-		// Use the certificates we found in the previous root for the GUN to verify its signatures
-		// This could potentially be an empty set, in which case we will fail to verify
-		logrus.Debugf("found %d valid root leaf certificates for %s: %s", len(trustedLeafCerts), gun,
-			prettyFormatCertIDs(trustedLeafCerts))
-
-		// Extract the previous root's threshold for signature verification
-		prevRootRoleData, ok := prevRoot.Signed.Roles[data.CanonicalRootRole]
-		if !ok {
-			return nil, &ErrValidationFail{Reason: "could not retrieve previous root role data"}
-		}
-		err = signed.VerifySignatures(
-			root, data.BaseRole{Keys: utils.CertsToKeys(trustedLeafCerts, allTrustedIntCerts), Threshold: prevRootRoleData.Threshold})
-		if err != nil {
-			logrus.Debugf("failed to verify TUF data for: %s, %v", gun, err)
-			return nil, &ErrRootRotationFail{Reason: "failed to validate data with current trusted certificates"}
-		}
-		// Clear the IsValid marks we could have received from VerifySignatures
-		for i := range root.Signatures {
-			root.Signatures[i].IsValid = false
-		}
-	}
-
-	// Regardless of having a previous root or not, confirm that the new root validates against the trust pinning
-	logrus.Debugf("checking root against trust_pinning config", gun)
-	trustPinCheckFunc, err := NewTrustPinChecker(trustPinning, gun, !havePrevRoot)
-	if err != nil {
-		return nil, &ErrValidationFail{Reason: err.Error()}
-	}
-
-	validPinnedCerts := map[string]*x509.Certificate{}
-	for id, cert := range certsFromRoot {
-		logrus.Debugf("checking trust-pinning for cert: %s", id)
-		if ok := trustPinCheckFunc(cert, validIntCerts[id]); !ok {
-			logrus.Debugf("trust-pinning check failed for cert: %s", id)
-			continue
-		}
-		validPinnedCerts[id] = cert
-	}
-	if len(validPinnedCerts) == 0 {
-		return nil, &ErrValidationFail{Reason: "unable to match any certificates to trust_pinning config"}
-	}
-	certsFromRoot = validPinnedCerts
-
-	// Validate the integrity of the new root (does it have valid signatures)
-	// Note that certsFromRoot is guaranteed to be unchanged only if we had prior cert data for this GUN or enabled TOFUS
-	// If we attempted to pin a certain certificate or CA, certsFromRoot could have been pruned accordingly
-	err = signed.VerifySignatures(root, data.BaseRole{
-		Keys: utils.CertsToKeys(certsFromRoot, validIntCerts), Threshold: rootRole.Threshold})
-	if err != nil {
-		logrus.Debugf("failed to verify TUF data for: %s, %v", gun, err)
-		return nil, &ErrValidationFail{Reason: "failed to validate integrity of roots"}
-	}
-
-	logrus.Debugf("root validation succeeded for %s", gun)
-	// Call RootFromSigned to make sure we pick up on the IsValid markings from VerifySignatures
-	return data.RootFromSigned(root)
-}
-
-// validRootLeafCerts returns a list of possibly (if checkExpiry is true) non-expired, non-sha1 certificates
-// found in root whose Common-Names match the provided GUN. Note that this
-// "validity" alone does not imply any measure of trust.
-func validRootLeafCerts(allLeafCerts map[string]*x509.Certificate, gun string, checkExpiry bool) (map[string]*x509.Certificate, error) {
-	validLeafCerts := make(map[string]*x509.Certificate)
-
-	// Go through every leaf certificate and check that the CN matches the gun
-	for id, cert := range allLeafCerts {
-		// Validate that this leaf certificate has a CN that matches the exact gun
-		if cert.Subject.CommonName != gun {
-			logrus.Debugf("error leaf certificate CN: %s doesn't match the given GUN: %s",
-				cert.Subject.CommonName, gun)
-			continue
-		}
-		// Make sure the certificate is not expired if checkExpiry is true
-		// and warn if it hasn't expired yet but is within 6 months of expiry
-		if err := utils.ValidateCertificate(cert, checkExpiry); err != nil {
-			logrus.Debugf("%s is invalid: %s", id, err.Error())
-			continue
-		}
-
-		validLeafCerts[id] = cert
-	}
-
-	if len(validLeafCerts) < 1 {
-		logrus.Debugf("didn't find any valid leaf certificates for %s", gun)
-		return nil, errors.New("no valid leaf certificates found in any of the root keys")
-	}
-
-	logrus.Debugf("found %d valid leaf certificates for %s: %s", len(validLeafCerts), gun,
-		prettyFormatCertIDs(validLeafCerts))
-	return validLeafCerts, nil
-}
-
-// validRootIntCerts filters the passed in structure of intermediate certificates to only include non-expired, non-sha1 certificates
-// Note that this "validity" alone does not imply any measure of trust.
-func validRootIntCerts(allIntCerts map[string][]*x509.Certificate) map[string][]*x509.Certificate {
-	validIntCerts := make(map[string][]*x509.Certificate)
-
-	// Go through every leaf cert ID, and build its valid intermediate certificate list
-	for leafID, intCertList := range allIntCerts {
-		for _, intCert := range intCertList {
-			if err := utils.ValidateCertificate(intCert, true); err != nil {
-				continue
-			}
-			validIntCerts[leafID] = append(validIntCerts[leafID], intCert)
-		}
-
-	}
-	return validIntCerts
-}
-
-// parseAllCerts returns two maps, one with all of the leafCertificates and one
-// with all the intermediate certificates found in signedRoot
-func parseAllCerts(signedRoot *data.SignedRoot) (map[string]*x509.Certificate, map[string][]*x509.Certificate) {
-	if signedRoot == nil {
-		return nil, nil
-	}
-
-	leafCerts := make(map[string]*x509.Certificate)
-	intCerts := make(map[string][]*x509.Certificate)
-
-	// Before we loop through all root keys available, make sure any exist
-	rootRoles, ok := signedRoot.Signed.Roles[data.CanonicalRootRole]
-	if !ok {
-		logrus.Debugf("tried to parse certificates from invalid root signed data")
-		return nil, nil
-	}
-
-	logrus.Debugf("found the following root keys: %v", rootRoles.KeyIDs)
-	// Iterate over every keyID for the root role inside of roots.json
-	for _, keyID := range rootRoles.KeyIDs {
-		// check that the key exists in the signed root keys map
-		key, ok := signedRoot.Signed.Keys[keyID]
-		if !ok {
-			logrus.Debugf("error while getting data for keyID: %s", keyID)
-			continue
-		}
-
-		// Decode all the x509 certificates that were bundled with this
-		// Specific root key
-		decodedCerts, err := utils.LoadCertBundleFromPEM(key.Public())
-		if err != nil {
-			logrus.Debugf("error while parsing root certificate with keyID: %s, %v", keyID, err)
-			continue
-		}
-
-		// Get all non-CA certificates in the decoded certificates
-		leafCertList := utils.GetLeafCerts(decodedCerts)
-
-		// If we got no leaf certificates or we got more than one, fail
-		if len(leafCertList) != 1 {
-			logrus.Debugf("invalid chain due to leaf certificate missing or too many leaf certificates for keyID: %s", keyID)
-			continue
-		}
-		// If we found a leaf certificate, assert that the cert bundle started with a leaf
-		if decodedCerts[0].IsCA {
-			logrus.Debugf("invalid chain due to leaf certificate not being first certificate for keyID: %s", keyID)
-			continue
-		}
-
-		// Get the ID of the leaf certificate
-		leafCert := leafCertList[0]
-
-		// Store the leaf cert in the map
-		leafCerts[key.ID()] = leafCert
-
-		// Get all the remainder certificates marked as a CA to be used as intermediates
-		intermediateCerts := utils.GetIntermediateCerts(decodedCerts)
-		intCerts[key.ID()] = intermediateCerts
-	}
-
-	return leafCerts, intCerts
-}

vendor/github.com/docker/notary/trustpinning/trustpin.go

@@ -1,121 +0,0 @@
-package trustpinning
-
-import (
-	"crypto/x509"
-	"fmt"
-	"github.com/Sirupsen/logrus"
-	"github.com/docker/notary/tuf/utils"
-	"strings"
-)
-
-// TrustPinConfig represents the configuration under the trust_pinning section of the config file
-// This struct represents the preferred way to bootstrap trust for this repository
-type TrustPinConfig struct {
-	CA          map[string]string
-	Certs       map[string][]string
-	DisableTOFU bool
-}
-
-type trustPinChecker struct {
-	gun           string
-	config        TrustPinConfig
-	pinnedCAPool  *x509.CertPool
-	pinnedCertIDs []string
-}
-
-// CertChecker is a function type that will be used to check leaf certs against pinned trust
-type CertChecker func(leafCert *x509.Certificate, intCerts []*x509.Certificate) bool
-
-// NewTrustPinChecker returns a new certChecker function from a TrustPinConfig for a GUN
-func NewTrustPinChecker(trustPinConfig TrustPinConfig, gun string, firstBootstrap bool) (CertChecker, error) {
-	t := trustPinChecker{gun: gun, config: trustPinConfig}
-	// Determine the mode, and if it's even valid
-	if pinnedCerts, ok := trustPinConfig.Certs[gun]; ok {
-		logrus.Debugf("trust-pinning using Cert IDs")
-		t.pinnedCertIDs = pinnedCerts
-		return t.certsCheck, nil
-	}
-
-	if caFilepath, err := getPinnedCAFilepathByPrefix(gun, trustPinConfig); err == nil {
-		logrus.Debugf("trust-pinning using root CA bundle at: %s", caFilepath)
-
-		// Try to add the CA certs from its bundle file to our certificate store,
-		// and use it to validate certs in the root.json later
-		caCerts, err := utils.LoadCertBundleFromFile(caFilepath)
-		if err != nil {
-			return nil, fmt.Errorf("could not load root cert from CA path")
-		}
-		// Now only consider certificates that are direct children from this CA cert chain
-		caRootPool := x509.NewCertPool()
-		for _, caCert := range caCerts {
-			if err = utils.ValidateCertificate(caCert, true); err != nil {
-				logrus.Debugf("ignoring root CA certificate with CN %s in bundle: %s", caCert.Subject.CommonName, err)
-				continue
-			}
-			caRootPool.AddCert(caCert)
-		}
-		// If we didn't have any valid CA certs, error out
-		if len(caRootPool.Subjects()) == 0 {
-			return nil, fmt.Errorf("invalid CA certs provided")
-		}
-		t.pinnedCAPool = caRootPool
-		return t.caCheck, nil
-	}
-
-	// If TOFUs is disabled and we don't have any previous trusted root data for this GUN, we error out
-	if trustPinConfig.DisableTOFU && firstBootstrap {
-		return nil, fmt.Errorf("invalid trust pinning specified")
-
-	}
-	return t.tofusCheck, nil
-}
-
-func (t trustPinChecker) certsCheck(leafCert *x509.Certificate, intCerts []*x509.Certificate) bool {
-	// reconstruct the leaf + intermediate cert chain, which is bundled as {leaf, intermediates...},
-	// in order to get the matching id in the root file
-	key, err := utils.CertBundleToKey(leafCert, intCerts)
-	if err != nil {
-		logrus.Debug("error creating cert bundle: ", err.Error())
-		return false
-	}
-	return utils.StrSliceContains(t.pinnedCertIDs, key.ID())
-}
-
-func (t trustPinChecker) caCheck(leafCert *x509.Certificate, intCerts []*x509.Certificate) bool {
-	// Use intermediate certificates included in the root TUF metadata for our validation
-	caIntPool := x509.NewCertPool()
-	for _, intCert := range intCerts {
-		caIntPool.AddCert(intCert)
-	}
-	// Attempt to find a valid certificate chain from the leaf cert to CA root
-	// Use this certificate if such a valid chain exists (possibly using intermediates)
-	var err error
-	if _, err = leafCert.Verify(x509.VerifyOptions{Roots: t.pinnedCAPool, Intermediates: caIntPool}); err == nil {
-		return true
-	}
-	logrus.Debugf("unable to find a valid certificate chain from leaf cert to CA root: %s", err)
-	return false
-}
-
-func (t trustPinChecker) tofusCheck(leafCert *x509.Certificate, intCerts []*x509.Certificate) bool {
-	return true
-}
-
-// Will return the CA filepath corresponding to the most specific (longest) entry in the map that is still a prefix
-// of the provided gun.  Returns an error if no entry matches this GUN as a prefix.
-func getPinnedCAFilepathByPrefix(gun string, t TrustPinConfig) (string, error) {
-	specificGUN := ""
-	specificCAFilepath := ""
-	foundCA := false
-	for gunPrefix, caFilepath := range t.CA {
-		if strings.HasPrefix(gun, gunPrefix) && len(gunPrefix) >= len(specificGUN) {
-			specificGUN = gunPrefix
-			specificCAFilepath = caFilepath
-			foundCA = true
-		}
-	}
-	if !foundCA {
-		return "", fmt.Errorf("could not find pinned CA for GUN: %s\n", gun)
-	}
-	return specificCAFilepath, nil
-}

vendor/github.com/docker/notary/tuf/LICENSE

@@ -1,30 +0,0 @@
-Copyright (c) 2015, Docker Inc.
-Copyright (c) 2014-2015 Prime Directive, Inc.
-
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are
-met:
-
-   * Redistributions of source code must retain the above copyright
-notice, this list of conditions and the following disclaimer.
-   * Redistributions in binary form must reproduce the above
-copyright notice, this list of conditions and the following disclaimer
-in the documentation and/or other materials provided with the
-distribution.
-   * Neither the name of Prime Directive, Inc. nor the names of its
-contributors may be used to endorse or promote products derived from
-this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
-"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
-LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
-A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
-OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
-LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

vendor/github.com/docker/notary/tuf/README.md

@@ -1,6 +0,0 @@
-## Credits
-
-This implementation was originally forked from [flynn/go-tuf](https://github.com/flynn/go-tuf)
-
-This implementation retains the same 3 Clause BSD license present on 
-the original flynn implementation.

vendor/github.com/docker/notary/tuf/builder.go

@@ -1,710 +0,0 @@
-package tuf
-
-import (
-	"fmt"
-
-	"github.com/docker/go/canonical/json"
-	"github.com/docker/notary"
-
-	"github.com/docker/notary/trustpinning"
-	"github.com/docker/notary/tuf/data"
-	"github.com/docker/notary/tuf/signed"
-	"github.com/docker/notary/tuf/utils"
-)
-
-// ErrBuildDone is returned when any functions are called on RepoBuilder, and it
-// is already finished building
-var ErrBuildDone = fmt.Errorf(
-	"the builder has finished building and cannot accept any more input or produce any more output")
-
-// ErrInvalidBuilderInput is returned when RepoBuilder.Load is called
-// with the wrong type of metadata for the state that it's in
-type ErrInvalidBuilderInput struct{ msg string }
-
-func (e ErrInvalidBuilderInput) Error() string {
-	return e.msg
-}
-
-// ConsistentInfo is the consistent name and size of a role, or just the name
-// of the role and a -1 if no file metadata for the role is known
-type ConsistentInfo struct {
-	RoleName string
-	fileMeta data.FileMeta
-}
-
-// ChecksumKnown determines whether or not we know enough to provide a size and
-// consistent name
-func (c ConsistentInfo) ChecksumKnown() bool {
-	// empty hash, no size : this is the zero value
-	return len(c.fileMeta.Hashes) > 0 || c.fileMeta.Length != 0
-}
-
-// ConsistentName returns the consistent name (rolename.sha256) for the role
-// given this consistent information
-func (c ConsistentInfo) ConsistentName() string {
-	return utils.ConsistentName(c.RoleName, c.fileMeta.Hashes[notary.SHA256])
-}
-
-// Length returns the expected length of the role as per this consistent
-// information - if no checksum information is known, the size is -1.
-func (c ConsistentInfo) Length() int64 {
-	if c.ChecksumKnown() {
-		return c.fileMeta.Length
-	}
-	return -1
-}
-
-// RepoBuilder is an interface for an object which builds a tuf.Repo
-type RepoBuilder interface {
-	Load(roleName string, content []byte, minVersion int, allowExpired bool) error
-	GenerateSnapshot(prev *data.SignedSnapshot) ([]byte, int, error)
-	GenerateTimestamp(prev *data.SignedTimestamp) ([]byte, int, error)
-	Finish() (*Repo, *Repo, error)
-	BootstrapNewBuilder() RepoBuilder
-	BootstrapNewBuilderWithNewTrustpin(trustpin trustpinning.TrustPinConfig) RepoBuilder
-
-	// informative functions
-	IsLoaded(roleName string) bool
-	GetLoadedVersion(roleName string) int
-	GetConsistentInfo(roleName string) ConsistentInfo
-}
-
-// finishedBuilder refuses any more input or output
-type finishedBuilder struct{}
-
-func (f finishedBuilder) Load(roleName string, content []byte, minVersion int, allowExpired bool) error {
-	return ErrBuildDone
-}
-func (f finishedBuilder) GenerateSnapshot(prev *data.SignedSnapshot) ([]byte, int, error) {
-	return nil, 0, ErrBuildDone
-}
-func (f finishedBuilder) GenerateTimestamp(prev *data.SignedTimestamp) ([]byte, int, error) {
-	return nil, 0, ErrBuildDone
-}
-func (f finishedBuilder) Finish() (*Repo, *Repo, error)    { return nil, nil, ErrBuildDone }
-func (f finishedBuilder) BootstrapNewBuilder() RepoBuilder { return f }
-func (f finishedBuilder) BootstrapNewBuilderWithNewTrustpin(trustpin trustpinning.TrustPinConfig) RepoBuilder {
-	return f
-}
-func (f finishedBuilder) IsLoaded(roleName string) bool        { return false }
-func (f finishedBuilder) GetLoadedVersion(roleName string) int { return 0 }
-func (f finishedBuilder) GetConsistentInfo(roleName string) ConsistentInfo {
-	return ConsistentInfo{RoleName: roleName}
-}
-
-// NewRepoBuilder is the only way to get a pre-built RepoBuilder
-func NewRepoBuilder(gun string, cs signed.CryptoService, trustpin trustpinning.TrustPinConfig) RepoBuilder {
-	return NewBuilderFromRepo(gun, NewRepo(cs), trustpin)
-}
-
-// NewBuilderFromRepo allows us to bootstrap a builder given existing repo data.
-// YOU PROBABLY SHOULDN'T BE USING THIS OUTSIDE OF TESTING CODE!!!
-func NewBuilderFromRepo(gun string, repo *Repo, trustpin trustpinning.TrustPinConfig) RepoBuilder {
-	return &repoBuilderWrapper{
-		RepoBuilder: &repoBuilder{
-			repo:                 repo,
-			invalidRoles:         NewRepo(nil),
-			gun:                  gun,
-			trustpin:             trustpin,
-			loadedNotChecksummed: make(map[string][]byte),
-		},
-	}
-}
-
-// repoBuilderWrapper embeds a repoBuilder, but once Finish is called, swaps
-// the embed out with a finishedBuilder
-type repoBuilderWrapper struct {
-	RepoBuilder
-}
-
-func (rbw *repoBuilderWrapper) Finish() (*Repo, *Repo, error) {
-	switch rbw.RepoBuilder.(type) {
-	case finishedBuilder:
-		return rbw.RepoBuilder.Finish()
-	default:
-		old := rbw.RepoBuilder
-		rbw.RepoBuilder = finishedBuilder{}
-		return old.Finish()
-	}
-}
-
-// repoBuilder actually builds a tuf.Repo
-type repoBuilder struct {
-	repo         *Repo
-	invalidRoles *Repo
-
-	// needed for root trust pininng verification
-	gun      string
-	trustpin trustpinning.TrustPinConfig
-
-	// in case we load root and/or targets before snapshot and timestamp (
-	// or snapshot and not timestamp), so we know what to verify when the
-	// data with checksums come in
-	loadedNotChecksummed map[string][]byte
-
-	// bootstrapped values to validate a new root
-	prevRoot                 *data.SignedRoot
-	bootstrappedRootChecksum *data.FileMeta
-
-	// for bootstrapping the next builder
-	nextRootChecksum *data.FileMeta
-}
-
-func (rb *repoBuilder) Finish() (*Repo, *Repo, error) {
-	return rb.repo, rb.invalidRoles, nil
-}
-
-func (rb *repoBuilder) BootstrapNewBuilder() RepoBuilder {
-	return &repoBuilderWrapper{RepoBuilder: &repoBuilder{
-		repo:                 NewRepo(rb.repo.cryptoService),
-		invalidRoles:         NewRepo(nil),
-		gun:                  rb.gun,
-		loadedNotChecksummed: make(map[string][]byte),
-		trustpin:             rb.trustpin,
-
-		prevRoot:                 rb.repo.Root,
-		bootstrappedRootChecksum: rb.nextRootChecksum,
-	}}
-}
-
-func (rb *repoBuilder) BootstrapNewBuilderWithNewTrustpin(trustpin trustpinning.TrustPinConfig) RepoBuilder {
-	return &repoBuilderWrapper{RepoBuilder: &repoBuilder{
-		repo:                 NewRepo(rb.repo.cryptoService),
-		gun:                  rb.gun,
-		loadedNotChecksummed: make(map[string][]byte),
-		trustpin:             trustpin,
-
-		prevRoot:                 rb.repo.Root,
-		bootstrappedRootChecksum: rb.nextRootChecksum,
-	}}
-}
-
-// IsLoaded returns whether a particular role has already been loaded
-func (rb *repoBuilder) IsLoaded(roleName string) bool {
-	switch roleName {
-	case data.CanonicalRootRole:
-		return rb.repo.Root != nil
-	case data.CanonicalSnapshotRole:
-		return rb.repo.Snapshot != nil
-	case data.CanonicalTimestampRole:
-		return rb.repo.Timestamp != nil
-	default:
-		return rb.repo.Targets[roleName] != nil
-	}
-}
-
-// GetLoadedVersion returns the metadata version, if it is loaded, or 1 (the
-// minimum valid version number) otherwise
-func (rb *repoBuilder) GetLoadedVersion(roleName string) int {
-	switch {
-	case roleName == data.CanonicalRootRole && rb.repo.Root != nil:
-		return rb.repo.Root.Signed.Version
-	case roleName == data.CanonicalSnapshotRole && rb.repo.Snapshot != nil:
-		return rb.repo.Snapshot.Signed.Version
-	case roleName == data.CanonicalTimestampRole && rb.repo.Timestamp != nil:
-		return rb.repo.Timestamp.Signed.Version
-	default:
-		if tgts, ok := rb.repo.Targets[roleName]; ok {
-			return tgts.Signed.Version
-		}
-	}
-
-	return 1
-}
-
-// GetConsistentInfo returns the consistent name and size of a role, if it is known,
-// otherwise just the rolename and a -1 for size (both of which are inside a
-// ConsistentInfo object)
-func (rb *repoBuilder) GetConsistentInfo(roleName string) ConsistentInfo {
-	info := ConsistentInfo{RoleName: roleName} // starts out with unknown filemeta
-	switch roleName {
-	case data.CanonicalTimestampRole:
-		// we do not want to get a consistent timestamp, but we do want to
-		// limit its size
-		info.fileMeta.Length = notary.MaxTimestampSize
-	case data.CanonicalSnapshotRole:
-		if rb.repo.Timestamp != nil {
-			info.fileMeta = rb.repo.Timestamp.Signed.Meta[roleName]
-		}
-	case data.CanonicalRootRole:
-		switch {
-		case rb.bootstrappedRootChecksum != nil:
-			info.fileMeta = *rb.bootstrappedRootChecksum
-		case rb.repo.Snapshot != nil:
-			info.fileMeta = rb.repo.Snapshot.Signed.Meta[roleName]
-		}
-	default:
-		if rb.repo.Snapshot != nil {
-			info.fileMeta = rb.repo.Snapshot.Signed.Meta[roleName]
-		}
-	}
-	return info
-}
-
-func (rb *repoBuilder) Load(roleName string, content []byte, minVersion int, allowExpired bool) error {
-	if !data.ValidRole(roleName) {
-		return ErrInvalidBuilderInput{msg: fmt.Sprintf("%s is an invalid role", roleName)}
-	}
-
-	if rb.IsLoaded(roleName) {
-		return ErrInvalidBuilderInput{msg: fmt.Sprintf("%s has already been loaded", roleName)}
-	}
-
-	var err error
-	switch roleName {
-	case data.CanonicalRootRole:
-		break
-	case data.CanonicalTimestampRole, data.CanonicalSnapshotRole, data.CanonicalTargetsRole:
-		err = rb.checkPrereqsLoaded([]string{data.CanonicalRootRole})
-	default: // delegations
-		err = rb.checkPrereqsLoaded([]string{data.CanonicalRootRole, data.CanonicalTargetsRole})
-	}
-	if err != nil {
-		return err
-	}
-
-	switch roleName {
-	case data.CanonicalRootRole:
-		return rb.loadRoot(content, minVersion, allowExpired)
-	case data.CanonicalSnapshotRole:
-		return rb.loadSnapshot(content, minVersion, allowExpired)
-	case data.CanonicalTimestampRole:
-		return rb.loadTimestamp(content, minVersion, allowExpired)
-	case data.CanonicalTargetsRole:
-		return rb.loadTargets(content, minVersion, allowExpired)
-	default:
-		return rb.loadDelegation(roleName, content, minVersion, allowExpired)
-	}
-}
-
-func (rb *repoBuilder) checkPrereqsLoaded(prereqRoles []string) error {
-	for _, req := range prereqRoles {
-		if !rb.IsLoaded(req) {
-			return ErrInvalidBuilderInput{msg: fmt.Sprintf("%s must be loaded first", req)}
-		}
-	}
-	return nil
-}
-
-// GenerateSnapshot generates a new snapshot given a previous (optional) snapshot
-// We can't just load the previous snapshot, because it may have been signed by a different
-// snapshot key (maybe from a previous root version).  Note that we need the root role and
-// targets role to be loaded, because we need to generate metadata for both (and we need
-// the root to be loaded so we can get the snapshot role to sign with)
-func (rb *repoBuilder) GenerateSnapshot(prev *data.SignedSnapshot) ([]byte, int, error) {
-	switch {
-	case rb.repo.cryptoService == nil:
-		return nil, 0, ErrInvalidBuilderInput{msg: "cannot generate snapshot without a cryptoservice"}
-	case rb.IsLoaded(data.CanonicalSnapshotRole):
-		return nil, 0, ErrInvalidBuilderInput{msg: "snapshot has already been loaded"}
-	case rb.IsLoaded(data.CanonicalTimestampRole):
-		return nil, 0, ErrInvalidBuilderInput{msg: "cannot generate snapshot if timestamp has already been loaded"}
-	}
-
-	if err := rb.checkPrereqsLoaded([]string{data.CanonicalRootRole}); err != nil {
-		return nil, 0, err
-	}
-
-	// If there is no previous snapshot, we need to generate one, and so the targets must
-	// have already been loaded.  Otherwise, so long as the previous snapshot structure is
-	// valid (it has a targets meta), we're good.
-	switch prev {
-	case nil:
-		if err := rb.checkPrereqsLoaded([]string{data.CanonicalTargetsRole}); err != nil {
-			return nil, 0, err
-		}
-
-		if err := rb.repo.InitSnapshot(); err != nil {
-			rb.repo.Snapshot = nil
-			return nil, 0, err
-		}
-	default:
-		if err := data.IsValidSnapshotStructure(prev.Signed); err != nil {
-			return nil, 0, err
-		}
-		rb.repo.Snapshot = prev
-	}
-
-	sgnd, err := rb.repo.SignSnapshot(data.DefaultExpires(data.CanonicalSnapshotRole))
-	if err != nil {
-		rb.repo.Snapshot = nil
-		return nil, 0, err
-	}
-
-	sgndJSON, err := json.Marshal(sgnd)
-	if err != nil {
-		rb.repo.Snapshot = nil
-		return nil, 0, err
-	}
-
-	// loadedNotChecksummed should currently contain the root awaiting checksumming,
-	// since it has to have been loaded.  Since the snapshot was generated using
-	// the root and targets data (there may not be any) that that have been loaded,
-	// remove all of them from rb.loadedNotChecksummed
-	for tgtName := range rb.repo.Targets {
-		delete(rb.loadedNotChecksummed, tgtName)
-	}
-	delete(rb.loadedNotChecksummed, data.CanonicalRootRole)
-
-	// The timestamp can't have been loaded yet, so we want to cache the snapshot
-	// bytes so we can validate the checksum when a timestamp gets generated or
-	// loaded later.
-	rb.loadedNotChecksummed[data.CanonicalSnapshotRole] = sgndJSON
-
-	return sgndJSON, rb.repo.Snapshot.Signed.Version, nil
-}
-
-// GenerateTimestamp generates a new timestamp given a previous (optional) timestamp
-// We can't just load the previous timestamp, because it may have been signed by a different
-// timestamp key (maybe from a previous root version)
-func (rb *repoBuilder) GenerateTimestamp(prev *data.SignedTimestamp) ([]byte, int, error) {
-	switch {
-	case rb.repo.cryptoService == nil:
-		return nil, 0, ErrInvalidBuilderInput{msg: "cannot generate timestamp without a cryptoservice"}
-	case rb.IsLoaded(data.CanonicalTimestampRole):
-		return nil, 0, ErrInvalidBuilderInput{msg: "timestamp has already been loaded"}
-	}
-
-	// SignTimestamp always serializes the loaded snapshot and signs in the data, so we must always
-	// have the snapshot loaded first
-	if err := rb.checkPrereqsLoaded([]string{data.CanonicalRootRole, data.CanonicalSnapshotRole}); err != nil {
-		return nil, 0, err
-	}
-
-	switch prev {
-	case nil:
-		if err := rb.repo.InitTimestamp(); err != nil {
-			rb.repo.Timestamp = nil
-			return nil, 0, err
-		}
-	default:
-		if err := data.IsValidTimestampStructure(prev.Signed); err != nil {
-			return nil, 0, err
-		}
-		rb.repo.Timestamp = prev
-	}
-
-	sgnd, err := rb.repo.SignTimestamp(data.DefaultExpires(data.CanonicalTimestampRole))
-	if err != nil {
-		rb.repo.Timestamp = nil
-		return nil, 0, err
-	}
-
-	sgndJSON, err := json.Marshal(sgnd)
-	if err != nil {
-		rb.repo.Timestamp = nil
-		return nil, 0, err
-	}
-
-	// The snapshot should have been loaded (and not checksummed, since a timestamp
-	// cannot have been loaded), so it is awaiting checksumming. Since this
-	// timestamp was generated using the snapshot awaiting checksumming, we can
-	// remove it from rb.loadedNotChecksummed. There should be no other items
-	// awaiting checksumming now since loading/generating a snapshot should have
-	// cleared out everything else in `loadNotChecksummed`.
-	delete(rb.loadedNotChecksummed, data.CanonicalSnapshotRole)
-
-	return sgndJSON, rb.repo.Timestamp.Signed.Version, nil
-}
-
-// loadRoot loads a root if one has not been loaded
-func (rb *repoBuilder) loadRoot(content []byte, minVersion int, allowExpired bool) error {
-	roleName := data.CanonicalRootRole
-
-	signedObj, err := rb.bytesToSigned(content, data.CanonicalRootRole)
-	if err != nil {
-		return err
-	}
-	// ValidateRoot validates against the previous root's role, as well as validates that the root
-	// itself is self-consistent with its own signatures and thresholds.
-	// This assumes that ValidateRoot calls data.RootFromSigned, which validates
-	// the metadata, rather than just unmarshalling signedObject into a SignedRoot object itself.
-	signedRoot, err := trustpinning.ValidateRoot(rb.prevRoot, signedObj, rb.gun, rb.trustpin)
-	if err != nil {
-		return err
-	}
-
-	if err := signed.VerifyVersion(&(signedRoot.Signed.SignedCommon), minVersion); err != nil {
-		return err
-	}
-
-	if !allowExpired { // check must go at the end because all other validation should pass
-		if err := signed.VerifyExpiry(&(signedRoot.Signed.SignedCommon), roleName); err != nil {
-			return err
-		}
-	}
-
-	rootRole, err := signedRoot.BuildBaseRole(data.CanonicalRootRole)
-	if err != nil { // this should never happen since the root has been validated
-		return err
-	}
-	rb.repo.Root = signedRoot
-	rb.repo.originalRootRole = rootRole
-	return nil
-}
-
-func (rb *repoBuilder) loadTimestamp(content []byte, minVersion int, allowExpired bool) error {
-	roleName := data.CanonicalTimestampRole
-
-	timestampRole, err := rb.repo.Root.BuildBaseRole(roleName)
-	if err != nil { // this should never happen, since it's already been validated
-		return err
-	}
-
-	signedObj, err := rb.bytesToSignedAndValidateSigs(timestampRole, content)
-	if err != nil {
-		return err
-	}
-
-	signedTimestamp, err := data.TimestampFromSigned(signedObj)
-	if err != nil {
-		return err
-	}
-
-	if err := signed.VerifyVersion(&(signedTimestamp.Signed.SignedCommon), minVersion); err != nil {
-		return err
-	}
-
-	if !allowExpired { // check must go at the end because all other validation should pass
-		if err := signed.VerifyExpiry(&(signedTimestamp.Signed.SignedCommon), roleName); err != nil {
-			return err
-		}
-	}
-
-	if err := rb.validateChecksumsFromTimestamp(signedTimestamp); err != nil {
-		return err
-	}
-
-	rb.repo.Timestamp = signedTimestamp
-	return nil
-}
-
-func (rb *repoBuilder) loadSnapshot(content []byte, minVersion int, allowExpired bool) error {
-	roleName := data.CanonicalSnapshotRole
-
-	snapshotRole, err := rb.repo.Root.BuildBaseRole(roleName)
-	if err != nil { // this should never happen, since it's already been validated
-		return err
-	}
-
-	signedObj, err := rb.bytesToSignedAndValidateSigs(snapshotRole, content)
-	if err != nil {
-		return err
-	}
-
-	signedSnapshot, err := data.SnapshotFromSigned(signedObj)
-	if err != nil {
-		return err
-	}
-
-	if err := signed.VerifyVersion(&(signedSnapshot.Signed.SignedCommon), minVersion); err != nil {
-		return err
-	}
-
-	if !allowExpired { // check must go at the end because all other validation should pass
-		if err := signed.VerifyExpiry(&(signedSnapshot.Signed.SignedCommon), roleName); err != nil {
-			return err
-		}
-	}
-
-	// at this point, the only thing left to validate is existing checksums - we can use
-	// this snapshot to bootstrap the next builder if needed - and we don't need to do
-	// the 2-value assignment since we've already validated the signedSnapshot, which MUST
-	// have root metadata
-	rootMeta := signedSnapshot.Signed.Meta[data.CanonicalRootRole]
-	rb.nextRootChecksum = &rootMeta
-
-	if err := rb.validateChecksumsFromSnapshot(signedSnapshot); err != nil {
-		return err
-	}
-
-	rb.repo.Snapshot = signedSnapshot
-	return nil
-}
-
-func (rb *repoBuilder) loadTargets(content []byte, minVersion int, allowExpired bool) error {
-	roleName := data.CanonicalTargetsRole
-
-	targetsRole, err := rb.repo.Root.BuildBaseRole(roleName)
-	if err != nil { // this should never happen, since it's already been validated
-		return err
-	}
-
-	signedObj, err := rb.bytesToSignedAndValidateSigs(targetsRole, content)
-	if err != nil {
-		return err
-	}
-
-	signedTargets, err := data.TargetsFromSigned(signedObj, roleName)
-	if err != nil {
-		return err
-	}
-
-	if err := signed.VerifyVersion(&(signedTargets.Signed.SignedCommon), minVersion); err != nil {
-		return err
-	}
-
-	if !allowExpired { // check must go at the end because all other validation should pass
-		if err := signed.VerifyExpiry(&(signedTargets.Signed.SignedCommon), roleName); err != nil {
-			return err
-		}
-	}
-
-	signedTargets.Signatures = signedObj.Signatures
-	rb.repo.Targets[roleName] = signedTargets
-	return nil
-}
-
-func (rb *repoBuilder) loadDelegation(roleName string, content []byte, minVersion int, allowExpired bool) error {
-	delegationRole, err := rb.repo.GetDelegationRole(roleName)
-	if err != nil {
-		return err
-	}
-
-	// bytesToSigned checks checksum
-	signedObj, err := rb.bytesToSigned(content, roleName)
-	if err != nil {
-		return err
-	}
-
-	signedTargets, err := data.TargetsFromSigned(signedObj, roleName)
-	if err != nil {
-		return err
-	}
-
-	if err := signed.VerifyVersion(&(signedTargets.Signed.SignedCommon), minVersion); err != nil {
-		// don't capture in invalidRoles because the role we received is a rollback
-		return err
-	}
-
-	// verify signature
-	if err := signed.VerifySignatures(signedObj, delegationRole.BaseRole); err != nil {
-		rb.invalidRoles.Targets[roleName] = signedTargets
-		return err
-	}
-
-	if !allowExpired { // check must go at the end because all other validation should pass
-		if err := signed.VerifyExpiry(&(signedTargets.Signed.SignedCommon), roleName); err != nil {
-			rb.invalidRoles.Targets[roleName] = signedTargets
-			return err
-		}
-	}
-
-	signedTargets.Signatures = signedObj.Signatures
-	rb.repo.Targets[roleName] = signedTargets
-	return nil
-}
-
-func (rb *repoBuilder) validateChecksumsFromTimestamp(ts *data.SignedTimestamp) error {
-	sn, ok := rb.loadedNotChecksummed[data.CanonicalSnapshotRole]
-	if ok {
-		// by this point, the SignedTimestamp has been validated so it must have a snapshot hash
-		snMeta := ts.Signed.Meta[data.CanonicalSnapshotRole].Hashes
-		if err := data.CheckHashes(sn, data.CanonicalSnapshotRole, snMeta); err != nil {
-			return err
-		}
-		delete(rb.loadedNotChecksummed, data.CanonicalSnapshotRole)
-	}
-	return nil
-}
-
-func (rb *repoBuilder) validateChecksumsFromSnapshot(sn *data.SignedSnapshot) error {
-	var goodRoles []string
-	for roleName, loadedBytes := range rb.loadedNotChecksummed {
-		switch roleName {
-		case data.CanonicalSnapshotRole, data.CanonicalTimestampRole:
-			break
-		default:
-			if err := data.CheckHashes(loadedBytes, roleName, sn.Signed.Meta[roleName].Hashes); err != nil {
-				return err
-			}
-			goodRoles = append(goodRoles, roleName)
-		}
-	}
-	for _, roleName := range goodRoles {
-		delete(rb.loadedNotChecksummed, roleName)
-	}
-	return nil
-}
-
-func (rb *repoBuilder) validateChecksumFor(content []byte, roleName string) error {
-	// validate the bootstrap checksum for root, if provided
-	if roleName == data.CanonicalRootRole && rb.bootstrappedRootChecksum != nil {
-		if err := data.CheckHashes(content, roleName, rb.bootstrappedRootChecksum.Hashes); err != nil {
-			return err
-		}
-	}
-
-	// but we also want to cache the root content, so that when the snapshot is
-	// loaded it is validated (to make sure everything in the repo is self-consistent)
-	checksums := rb.getChecksumsFor(roleName)
-	if checksums != nil { // as opposed to empty, in which case hash check should fail
-		if err := data.CheckHashes(content, roleName, *checksums); err != nil {
-			return err
-		}
-	} else if roleName != data.CanonicalTimestampRole {
-		// timestamp is the only role which does not need to be checksummed, but
-		// for everything else, cache the contents in the list of roles that have
-		// not been checksummed by the snapshot/timestamp yet
-		rb.loadedNotChecksummed[roleName] = content
-	}
-
-	return nil
-}
-
-// Checksums the given bytes, and if they validate, convert to a data.Signed object.
-// If a checksums are nil (as opposed to empty), adds the bytes to the list of roles that
-// haven't been checksummed (unless it's a timestamp, which has no checksum reference).
-func (rb *repoBuilder) bytesToSigned(content []byte, roleName string) (*data.Signed, error) {
-	if err := rb.validateChecksumFor(content, roleName); err != nil {
-		return nil, err
-	}
-
-	// unmarshal to signed
-	signedObj := &data.Signed{}
-	if err := json.Unmarshal(content, signedObj); err != nil {
-		return nil, err
-	}
-
-	return signedObj, nil
-}
-
-func (rb *repoBuilder) bytesToSignedAndValidateSigs(role data.BaseRole, content []byte) (*data.Signed, error) {
-
-	signedObj, err := rb.bytesToSigned(content, role.Name)
-	if err != nil {
-		return nil, err
-	}
-
-	// verify signature
-	if err := signed.VerifySignatures(signedObj, role); err != nil {
-		return nil, err
-	}
-
-	return signedObj, nil
-}
-
-// If the checksum reference (the loaded timestamp for the snapshot role, and
-// the loaded snapshot for every other role except timestamp and snapshot) is nil,
-// then return nil for the checksums, meaning that the checksum is not yet
-// available.  If the checksum reference *is* loaded, then always returns the
-// Hashes object for the given role - if it doesn't exist, returns an empty Hash
-// object (against which any checksum validation would fail).
-func (rb *repoBuilder) getChecksumsFor(role string) *data.Hashes {
-	var hashes data.Hashes
-	switch role {
-	case data.CanonicalTimestampRole:
-		return nil
-	case data.CanonicalSnapshotRole:
-		if rb.repo.Timestamp == nil {
-			return nil
-		}
-		hashes = rb.repo.Timestamp.Signed.Meta[data.CanonicalSnapshotRole].Hashes
-	default:
-		if rb.repo.Snapshot == nil {
-			return nil
-		}
-		hashes = rb.repo.Snapshot.Signed.Meta[role].Hashes
-	}
-	return &hashes
-}

vendor/github.com/docker/notary/tuf/data/errors.go

@@ -1,53 +0,0 @@
-package data
-
-import "fmt"
-
-// ErrInvalidMetadata is the error to be returned when metadata is invalid
-type ErrInvalidMetadata struct {
-	role string
-	msg  string
-}
-
-func (e ErrInvalidMetadata) Error() string {
-	return fmt.Sprintf("%s type metadata invalid: %s", e.role, e.msg)
-}
-
-// ErrMissingMeta - couldn't find the FileMeta object for the given Role, or
-// the FileMeta object contained no supported checksums
-type ErrMissingMeta struct {
-	Role string
-}
-
-func (e ErrMissingMeta) Error() string {
-	return fmt.Sprintf("no checksums for supported algorithms were provided for %s", e.Role)
-}
-
-// ErrInvalidChecksum is the error to be returned when checksum is invalid
-type ErrInvalidChecksum struct {
-	alg string
-}
-
-func (e ErrInvalidChecksum) Error() string {
-	return fmt.Sprintf("%s checksum invalid", e.alg)
-}
-
-// ErrMismatchedChecksum is the error to be returned when checksum is mismatched
-type ErrMismatchedChecksum struct {
-	alg      string
-	name     string
-	expected string
-}
-
-func (e ErrMismatchedChecksum) Error() string {
-	return fmt.Sprintf("%s checksum for %s did not match: expected %s", e.alg, e.name,
-		e.expected)
-}
-
-// ErrCertExpired is the error to be returned when a certificate has expired
-type ErrCertExpired struct {
-	CN string
-}
-
-func (e ErrCertExpired) Error() string {
-	return fmt.Sprintf("certificate with CN %s is expired", e.CN)
-}

vendor/github.com/docker/notary/tuf/data/keys.go

@@ -1,528 +0,0 @@
-package data
-
-import (
-	"crypto"
-	"crypto/ecdsa"
-	"crypto/rsa"
-	"crypto/sha256"
-	"crypto/x509"
-	"encoding/asn1"
-	"encoding/hex"
-	"errors"
-	"io"
-	"math/big"
-
-	"github.com/Sirupsen/logrus"
-	"github.com/agl/ed25519"
-	"github.com/docker/go/canonical/json"
-)
-
-// PublicKey is the necessary interface for public keys
-type PublicKey interface {
-	ID() string
-	Algorithm() string
-	Public() []byte
-}
-
-// PrivateKey adds the ability to access the private key
-type PrivateKey interface {
-	PublicKey
-	Sign(rand io.Reader, msg []byte, opts crypto.SignerOpts) (signature []byte, err error)
-	Private() []byte
-	CryptoSigner() crypto.Signer
-	SignatureAlgorithm() SigAlgorithm
-}
-
-// KeyPair holds the public and private key bytes
-type KeyPair struct {
-	Public  []byte `json:"public"`
-	Private []byte `json:"private"`
-}
-
-// Keys represents a map of key ID to PublicKey object. It's necessary
-// to allow us to unmarshal into an interface via the json.Unmarshaller
-// interface
-type Keys map[string]PublicKey
-
-// UnmarshalJSON implements the json.Unmarshaller interface
-func (ks *Keys) UnmarshalJSON(data []byte) error {
-	parsed := make(map[string]TUFKey)
-	err := json.Unmarshal(data, &parsed)
-	if err != nil {
-		return err
-	}
-	final := make(map[string]PublicKey)
-	for k, tk := range parsed {
-		final[k] = typedPublicKey(tk)
-	}
-	*ks = final
-	return nil
-}
-
-// KeyList represents a list of keys
-type KeyList []PublicKey
-
-// UnmarshalJSON implements the json.Unmarshaller interface
-func (ks *KeyList) UnmarshalJSON(data []byte) error {
-	parsed := make([]TUFKey, 0, 1)
-	err := json.Unmarshal(data, &parsed)
-	if err != nil {
-		return err
-	}
-	final := make([]PublicKey, 0, len(parsed))
-	for _, tk := range parsed {
-		final = append(final, typedPublicKey(tk))
-	}
-	*ks = final
-	return nil
-}
-
-// IDs generates a list of the hex encoded key IDs in the KeyList
-func (ks KeyList) IDs() []string {
-	keyIDs := make([]string, 0, len(ks))
-	for _, k := range ks {
-		keyIDs = append(keyIDs, k.ID())
-	}
-	return keyIDs
-}
-
-func typedPublicKey(tk TUFKey) PublicKey {
-	switch tk.Algorithm() {
-	case ECDSAKey:
-		return &ECDSAPublicKey{TUFKey: tk}
-	case ECDSAx509Key:
-		return &ECDSAx509PublicKey{TUFKey: tk}
-	case RSAKey:
-		return &RSAPublicKey{TUFKey: tk}
-	case RSAx509Key:
-		return &RSAx509PublicKey{TUFKey: tk}
-	case ED25519Key:
-		return &ED25519PublicKey{TUFKey: tk}
-	}
-	return &UnknownPublicKey{TUFKey: tk}
-}
-
-func typedPrivateKey(tk TUFKey) (PrivateKey, error) {
-	private := tk.Value.Private
-	tk.Value.Private = nil
-	switch tk.Algorithm() {
-	case ECDSAKey:
-		return NewECDSAPrivateKey(
-			&ECDSAPublicKey{
-				TUFKey: tk,
-			},
-			private,
-		)
-	case ECDSAx509Key:
-		return NewECDSAPrivateKey(
-			&ECDSAx509PublicKey{
-				TUFKey: tk,
-			},
-			private,
-		)
-	case RSAKey:
-		return NewRSAPrivateKey(
-			&RSAPublicKey{
-				TUFKey: tk,
-			},
-			private,
-		)
-	case RSAx509Key:
-		return NewRSAPrivateKey(
-			&RSAx509PublicKey{
-				TUFKey: tk,
-			},
-			private,
-		)
-	case ED25519Key:
-		return NewED25519PrivateKey(
-			ED25519PublicKey{
-				TUFKey: tk,
-			},
-			private,
-		)
-	}
-	return &UnknownPrivateKey{
-		TUFKey:     tk,
-		privateKey: privateKey{private: private},
-	}, nil
-}
-
-// NewPublicKey creates a new, correctly typed PublicKey, using the
-// UnknownPublicKey catchall for unsupported ciphers
-func NewPublicKey(alg string, public []byte) PublicKey {
-	tk := TUFKey{
-		Type: alg,
-		Value: KeyPair{
-			Public: public,
-		},
-	}
-	return typedPublicKey(tk)
-}
-
-// NewPrivateKey creates a new, correctly typed PrivateKey, using the
-// UnknownPrivateKey catchall for unsupported ciphers
-func NewPrivateKey(pubKey PublicKey, private []byte) (PrivateKey, error) {
-	tk := TUFKey{
-		Type: pubKey.Algorithm(),
-		Value: KeyPair{
-			Public:  pubKey.Public(),
-			Private: private, // typedPrivateKey moves this value
-		},
-	}
-	return typedPrivateKey(tk)
-}
-
-// UnmarshalPublicKey is used to parse individual public keys in JSON
-func UnmarshalPublicKey(data []byte) (PublicKey, error) {
-	var parsed TUFKey
-	err := json.Unmarshal(data, &parsed)
-	if err != nil {
-		return nil, err
-	}
-	return typedPublicKey(parsed), nil
-}
-
-// UnmarshalPrivateKey is used to parse individual private keys in JSON
-func UnmarshalPrivateKey(data []byte) (PrivateKey, error) {
-	var parsed TUFKey
-	err := json.Unmarshal(data, &parsed)
-	if err != nil {
-		return nil, err
-	}
-	return typedPrivateKey(parsed)
-}
-
-// TUFKey is the structure used for both public and private keys in TUF.
-// Normally it would make sense to use a different structures for public and
-// private keys, but that would change the key ID algorithm (since the canonical
-// JSON would be different). This structure should normally be accessed through
-// the PublicKey or PrivateKey interfaces.
-type TUFKey struct {
-	id    string
-	Type  string  `json:"keytype"`
-	Value KeyPair `json:"keyval"`
-}
-
-// Algorithm returns the algorithm of the key
-func (k TUFKey) Algorithm() string {
-	return k.Type
-}
-
-// ID efficiently generates if necessary, and caches the ID of the key
-func (k *TUFKey) ID() string {
-	if k.id == "" {
-		pubK := TUFKey{
-			Type: k.Algorithm(),
-			Value: KeyPair{
-				Public:  k.Public(),
-				Private: nil,
-			},
-		}
-		data, err := json.MarshalCanonical(&pubK)
-		if err != nil {
-			logrus.Error("Error generating key ID:", err)
-		}
-		digest := sha256.Sum256(data)
-		k.id = hex.EncodeToString(digest[:])
-	}
-	return k.id
-}
-
-// Public returns the public bytes
-func (k TUFKey) Public() []byte {
-	return k.Value.Public
-}
-
-// Public key types
-
-// ECDSAPublicKey represents an ECDSA key using a raw serialization
-// of the public key
-type ECDSAPublicKey struct {
-	TUFKey
-}
-
-// ECDSAx509PublicKey represents an ECDSA key using an x509 cert
-// as the serialized format of the public key
-type ECDSAx509PublicKey struct {
-	TUFKey
-}
-
-// RSAPublicKey represents an RSA key using a raw serialization
-// of the public key
-type RSAPublicKey struct {
-	TUFKey
-}
-
-// RSAx509PublicKey represents an RSA key using an x509 cert
-// as the serialized format of the public key
-type RSAx509PublicKey struct {
-	TUFKey
-}
-
-// ED25519PublicKey represents an ED25519 key using a raw serialization
-// of the public key
-type ED25519PublicKey struct {
-	TUFKey
-}
-
-// UnknownPublicKey is a catchall for key types that are not supported
-type UnknownPublicKey struct {
-	TUFKey
-}
-
-// NewECDSAPublicKey initializes a new public key with the ECDSAKey type
-func NewECDSAPublicKey(public []byte) *ECDSAPublicKey {
-	return &ECDSAPublicKey{
-		TUFKey: TUFKey{
-			Type: ECDSAKey,
-			Value: KeyPair{
-				Public:  public,
-				Private: nil,
-			},
-		},
-	}
-}
-
-// NewECDSAx509PublicKey initializes a new public key with the ECDSAx509Key type
-func NewECDSAx509PublicKey(public []byte) *ECDSAx509PublicKey {
-	return &ECDSAx509PublicKey{
-		TUFKey: TUFKey{
-			Type: ECDSAx509Key,
-			Value: KeyPair{
-				Public:  public,
-				Private: nil,
-			},
-		},
-	}
-}
-
-// NewRSAPublicKey initializes a new public key with the RSA type
-func NewRSAPublicKey(public []byte) *RSAPublicKey {
-	return &RSAPublicKey{
-		TUFKey: TUFKey{
-			Type: RSAKey,
-			Value: KeyPair{
-				Public:  public,
-				Private: nil,
-			},
-		},
-	}
-}
-
-// NewRSAx509PublicKey initializes a new public key with the RSAx509Key type
-func NewRSAx509PublicKey(public []byte) *RSAx509PublicKey {
-	return &RSAx509PublicKey{
-		TUFKey: TUFKey{
-			Type: RSAx509Key,
-			Value: KeyPair{
-				Public:  public,
-				Private: nil,
-			},
-		},
-	}
-}
-
-// NewED25519PublicKey initializes a new public key with the ED25519Key type
-func NewED25519PublicKey(public []byte) *ED25519PublicKey {
-	return &ED25519PublicKey{
-		TUFKey: TUFKey{
-			Type: ED25519Key,
-			Value: KeyPair{
-				Public:  public,
-				Private: nil,
-			},
-		},
-	}
-}
-
-// Private key types
-type privateKey struct {
-	private []byte
-}
-
-type signer struct {
-	signer crypto.Signer
-}
-
-// ECDSAPrivateKey represents a private ECDSA key
-type ECDSAPrivateKey struct {
-	PublicKey
-	privateKey
-	signer
-}
-
-// RSAPrivateKey represents a private RSA key
-type RSAPrivateKey struct {
-	PublicKey
-	privateKey
-	signer
-}
-
-// ED25519PrivateKey represents a private ED25519 key
-type ED25519PrivateKey struct {
-	ED25519PublicKey
-	privateKey
-}
-
-// UnknownPrivateKey is a catchall for unsupported key types
-type UnknownPrivateKey struct {
-	TUFKey
-	privateKey
-}
-
-// NewECDSAPrivateKey initializes a new ECDSA private key
-func NewECDSAPrivateKey(public PublicKey, private []byte) (*ECDSAPrivateKey, error) {
-	switch public.(type) {
-	case *ECDSAPublicKey, *ECDSAx509PublicKey:
-	default:
-		return nil, errors.New("Invalid public key type provided to NewECDSAPrivateKey")
-	}
-	ecdsaPrivKey, err := x509.ParseECPrivateKey(private)
-	if err != nil {
-		return nil, err
-	}
-	return &ECDSAPrivateKey{
-		PublicKey:  public,
-		privateKey: privateKey{private: private},
-		signer:     signer{signer: ecdsaPrivKey},
-	}, nil
-}
-
-// NewRSAPrivateKey initialized a new RSA private key
-func NewRSAPrivateKey(public PublicKey, private []byte) (*RSAPrivateKey, error) {
-	switch public.(type) {
-	case *RSAPublicKey, *RSAx509PublicKey:
-	default:
-		return nil, errors.New("Invalid public key type provided to NewRSAPrivateKey")
-	}
-	rsaPrivKey, err := x509.ParsePKCS1PrivateKey(private)
-	if err != nil {
-		return nil, err
-	}
-	return &RSAPrivateKey{
-		PublicKey:  public,
-		privateKey: privateKey{private: private},
-		signer:     signer{signer: rsaPrivKey},
-	}, nil
-}
-
-// NewED25519PrivateKey initialized a new ED25519 private key
-func NewED25519PrivateKey(public ED25519PublicKey, private []byte) (*ED25519PrivateKey, error) {
-	return &ED25519PrivateKey{
-		ED25519PublicKey: public,
-		privateKey:       privateKey{private: private},
-	}, nil
-}
-
-// Private return the serialized private bytes of the key
-func (k privateKey) Private() []byte {
-	return k.private
-}
-
-// CryptoSigner returns the underlying crypto.Signer for use cases where we need the default
-// signature or public key functionality (like when we generate certificates)
-func (s signer) CryptoSigner() crypto.Signer {
-	return s.signer
-}
-
-// CryptoSigner returns the ED25519PrivateKey which already implements crypto.Signer
-func (k ED25519PrivateKey) CryptoSigner() crypto.Signer {
-	return nil
-}
-
-// CryptoSigner returns the UnknownPrivateKey which already implements crypto.Signer
-func (k UnknownPrivateKey) CryptoSigner() crypto.Signer {
-	return nil
-}
-
-type ecdsaSig struct {
-	R *big.Int
-	S *big.Int
-}
-
-// Sign creates an ecdsa signature
-func (k ECDSAPrivateKey) Sign(rand io.Reader, msg []byte, opts crypto.SignerOpts) (signature []byte, err error) {
-	ecdsaPrivKey, ok := k.CryptoSigner().(*ecdsa.PrivateKey)
-	if !ok {
-		return nil, errors.New("Signer was based on the wrong key type")
-	}
-	hashed := sha256.Sum256(msg)
-	sigASN1, err := ecdsaPrivKey.Sign(rand, hashed[:], opts)
-	if err != nil {
-		return nil, err
-	}
-
-	sig := ecdsaSig{}
-	_, err = asn1.Unmarshal(sigASN1, &sig)
-	if err != nil {
-		return nil, err
-	}
-	rBytes, sBytes := sig.R.Bytes(), sig.S.Bytes()
-	octetLength := (ecdsaPrivKey.Params().BitSize + 7) >> 3
-
-	// MUST include leading zeros in the output
-	rBuf := make([]byte, octetLength-len(rBytes), octetLength)
-	sBuf := make([]byte, octetLength-len(sBytes), octetLength)
-
-	rBuf = append(rBuf, rBytes...)
-	sBuf = append(sBuf, sBytes...)
-	return append(rBuf, sBuf...), nil
-}
-
-// Sign creates an rsa signature
-func (k RSAPrivateKey) Sign(rand io.Reader, msg []byte, opts crypto.SignerOpts) (signature []byte, err error) {
-	hashed := sha256.Sum256(msg)
-	if opts == nil {
-		opts = &rsa.PSSOptions{
-			SaltLength: rsa.PSSSaltLengthEqualsHash,
-			Hash:       crypto.SHA256,
-		}
-	}
-	return k.CryptoSigner().Sign(rand, hashed[:], opts)
-}
-
-// Sign creates an ed25519 signature
-func (k ED25519PrivateKey) Sign(rand io.Reader, msg []byte, opts crypto.SignerOpts) (signature []byte, err error) {
-	priv := [ed25519.PrivateKeySize]byte{}
-	copy(priv[:], k.private[ed25519.PublicKeySize:])
-	return ed25519.Sign(&priv, msg)[:], nil
-}
-
-// Sign on an UnknownPrivateKey raises an error because the client does not
-// know how to sign with this key type.
-func (k UnknownPrivateKey) Sign(rand io.Reader, msg []byte, opts crypto.SignerOpts) (signature []byte, err error) {
-	return nil, errors.New("Unknown key type, cannot sign.")
-}
-
-// SignatureAlgorithm returns the SigAlgorithm for a ECDSAPrivateKey
-func (k ECDSAPrivateKey) SignatureAlgorithm() SigAlgorithm {
-	return ECDSASignature
-}
-
-// SignatureAlgorithm returns the SigAlgorithm for a RSAPrivateKey
-func (k RSAPrivateKey) SignatureAlgorithm() SigAlgorithm {
-	return RSAPSSSignature
-}
-
-// SignatureAlgorithm returns the SigAlgorithm for a ED25519PrivateKey
-func (k ED25519PrivateKey) SignatureAlgorithm() SigAlgorithm {
-	return EDDSASignature
-}
-
-// SignatureAlgorithm returns the SigAlgorithm for an UnknownPrivateKey
-func (k UnknownPrivateKey) SignatureAlgorithm() SigAlgorithm {
-	return ""
-}
-
-// PublicKeyFromPrivate returns a new TUFKey based on a private key, with
-// the private key bytes guaranteed to be nil.
-func PublicKeyFromPrivate(pk PrivateKey) PublicKey {
-	return typedPublicKey(TUFKey{
-		Type: pk.Algorithm(),
-		Value: KeyPair{
-			Public:  pk.Public(),
-			Private: nil,
-		},
-	})
-}

vendor/github.com/docker/notary/tuf/data/roles.go

@@ -1,338 +0,0 @@
-package data
-
-import (
-	"fmt"
-	"path"
-	"regexp"
-	"strings"
-
-	"github.com/Sirupsen/logrus"
-)
-
-// Canonical base role names
-const (
-	CanonicalRootRole      = "root"
-	CanonicalTargetsRole   = "targets"
-	CanonicalSnapshotRole  = "snapshot"
-	CanonicalTimestampRole = "timestamp"
-)
-
-// BaseRoles is an easy to iterate list of the top level
-// roles.
-var BaseRoles = []string{
-	CanonicalRootRole,
-	CanonicalTargetsRole,
-	CanonicalSnapshotRole,
-	CanonicalTimestampRole,
-}
-
-// Regex for validating delegation names
-var delegationRegexp = regexp.MustCompile("^[-a-z0-9_/]+$")
-
-// ErrNoSuchRole indicates the roles doesn't exist
-type ErrNoSuchRole struct {
-	Role string
-}
-
-func (e ErrNoSuchRole) Error() string {
-	return fmt.Sprintf("role does not exist: %s", e.Role)
-}
-
-// ErrInvalidRole represents an error regarding a role. Typically
-// something like a role for which sone of the public keys were
-// not found in the TUF repo.
-type ErrInvalidRole struct {
-	Role   string
-	Reason string
-}
-
-func (e ErrInvalidRole) Error() string {
-	if e.Reason != "" {
-		return fmt.Sprintf("tuf: invalid role %s. %s", e.Role, e.Reason)
-	}
-	return fmt.Sprintf("tuf: invalid role %s.", e.Role)
-}
-
-// ValidRole only determines the name is semantically
-// correct. For target delegated roles, it does NOT check
-// the the appropriate parent roles exist.
-func ValidRole(name string) bool {
-	if IsDelegation(name) {
-		return true
-	}
-
-	for _, v := range BaseRoles {
-		if name == v {
-			return true
-		}
-	}
-	return false
-}
-
-// IsDelegation checks if the role is a delegation or a root role
-func IsDelegation(role string) bool {
-	targetsBase := CanonicalTargetsRole + "/"
-
-	whitelistedChars := delegationRegexp.MatchString(role)
-
-	// Limit size of full role string to 255 chars for db column size limit
-	correctLength := len(role) < 256
-
-	// Removes ., .., extra slashes, and trailing slash
-	isClean := path.Clean(role) == role
-	return strings.HasPrefix(role, targetsBase) &&
-		whitelistedChars &&
-		correctLength &&
-		isClean
-}
-
-// IsBaseRole checks if the role is a base role
-func IsBaseRole(role string) bool {
-	for _, baseRole := range BaseRoles {
-		if role == baseRole {
-			return true
-		}
-	}
-	return false
-}
-
-// IsWildDelegation determines if a role represents a valid wildcard delegation
-// path, i.e. targets/*, targets/foo/*.
-// The wildcard may only appear as the final part of the delegation and must
-// be a whole segment, i.e. targets/foo* is not a valid wildcard delegation.
-func IsWildDelegation(role string) bool {
-	if path.Clean(role) != role {
-		return false
-	}
-	base := path.Dir(role)
-	if !(IsDelegation(base) || base == CanonicalTargetsRole) {
-		return false
-	}
-	return role[len(role)-2:] == "/*"
-}
-
-// BaseRole is an internal representation of a root/targets/snapshot/timestamp role, with its public keys included
-type BaseRole struct {
-	Keys      map[string]PublicKey
-	Name      string
-	Threshold int
-}
-
-// NewBaseRole creates a new BaseRole object with the provided parameters
-func NewBaseRole(name string, threshold int, keys ...PublicKey) BaseRole {
-	r := BaseRole{
-		Name:      name,
-		Threshold: threshold,
-		Keys:      make(map[string]PublicKey),
-	}
-	for _, k := range keys {
-		r.Keys[k.ID()] = k
-	}
-	return r
-}
-
-// ListKeys retrieves the public keys valid for this role
-func (b BaseRole) ListKeys() KeyList {
-	return listKeys(b.Keys)
-}
-
-// ListKeyIDs retrieves the list of key IDs valid for this role
-func (b BaseRole) ListKeyIDs() []string {
-	return listKeyIDs(b.Keys)
-}
-
-// Equals returns whether this BaseRole equals another BaseRole
-func (b BaseRole) Equals(o BaseRole) bool {
-	if b.Threshold != o.Threshold || b.Name != o.Name || len(b.Keys) != len(o.Keys) {
-		return false
-	}
-
-	for keyID, key := range b.Keys {
-		oKey, ok := o.Keys[keyID]
-		if !ok || key.ID() != oKey.ID() {
-			return false
-		}
-	}
-
-	return true
-}
-
-// DelegationRole is an internal representation of a delegation role, with its public keys included
-type DelegationRole struct {
-	BaseRole
-	Paths []string
-}
-
-func listKeys(keyMap map[string]PublicKey) KeyList {
-	keys := KeyList{}
-	for _, key := range keyMap {
-		keys = append(keys, key)
-	}
-	return keys
-}
-
-func listKeyIDs(keyMap map[string]PublicKey) []string {
-	keyIDs := []string{}
-	for id := range keyMap {
-		keyIDs = append(keyIDs, id)
-	}
-	return keyIDs
-}
-
-// Restrict restricts the paths and path hash prefixes for the passed in delegation role,
-// returning a copy of the role with validated paths as if it was a direct child
-func (d DelegationRole) Restrict(child DelegationRole) (DelegationRole, error) {
-	if !d.IsParentOf(child) {
-		return DelegationRole{}, fmt.Errorf("%s is not a parent of %s", d.Name, child.Name)
-	}
-	return DelegationRole{
-		BaseRole: BaseRole{
-			Keys:      child.Keys,
-			Name:      child.Name,
-			Threshold: child.Threshold,
-		},
-		Paths: RestrictDelegationPathPrefixes(d.Paths, child.Paths),
-	}, nil
-}
-
-// IsParentOf returns whether the passed in delegation role is the direct child of this role,
-// determined by delegation name.
-// Ex: targets/a is a direct parent of targets/a/b, but targets/a is not a direct parent of targets/a/b/c
-func (d DelegationRole) IsParentOf(child DelegationRole) bool {
-	return path.Dir(child.Name) == d.Name
-}
-
-// CheckPaths checks if a given path is valid for the role
-func (d DelegationRole) CheckPaths(path string) bool {
-	return checkPaths(path, d.Paths)
-}
-
-func checkPaths(path string, permitted []string) bool {
-	for _, p := range permitted {
-		if strings.HasPrefix(path, p) {
-			return true
-		}
-	}
-	return false
-}
-
-// RestrictDelegationPathPrefixes returns the list of valid delegationPaths that are prefixed by parentPaths
-func RestrictDelegationPathPrefixes(parentPaths, delegationPaths []string) []string {
-	validPaths := []string{}
-	if len(delegationPaths) == 0 {
-		return validPaths
-	}
-
-	// Validate each individual delegation path
-	for _, delgPath := range delegationPaths {
-		isPrefixed := false
-		for _, parentPath := range parentPaths {
-			if strings.HasPrefix(delgPath, parentPath) {
-				isPrefixed = true
-				break
-			}
-		}
-		// If the delegation path did not match prefix against any parent path, it is not valid
-		if isPrefixed {
-			validPaths = append(validPaths, delgPath)
-		}
-	}
-	return validPaths
-}
-
-// RootRole is a cut down role as it appears in the root.json
-// Eventually should only be used for immediately before and after serialization/deserialization
-type RootRole struct {
-	KeyIDs    []string `json:"keyids"`
-	Threshold int      `json:"threshold"`
-}
-
-// Role is a more verbose role as they appear in targets delegations
-// Eventually should only be used for immediately before and after serialization/deserialization
-type Role struct {
-	RootRole
-	Name  string   `json:"name"`
-	Paths []string `json:"paths,omitempty"`
-}
-
-// NewRole creates a new Role object from the given parameters
-func NewRole(name string, threshold int, keyIDs, paths []string) (*Role, error) {
-	if IsDelegation(name) {
-		if len(paths) == 0 {
-			logrus.Debugf("role %s with no Paths will never be able to publish content until one or more are added", name)
-		}
-	}
-	if threshold < 1 {
-		return nil, ErrInvalidRole{Role: name}
-	}
-	if !ValidRole(name) {
-		return nil, ErrInvalidRole{Role: name}
-	}
-	return &Role{
-		RootRole: RootRole{
-			KeyIDs:    keyIDs,
-			Threshold: threshold,
-		},
-		Name:  name,
-		Paths: paths,
-	}, nil
-
-}
-
-// CheckPaths checks if a given path is valid for the role
-func (r Role) CheckPaths(path string) bool {
-	return checkPaths(path, r.Paths)
-}
-
-// AddKeys merges the ids into the current list of role key ids
-func (r *Role) AddKeys(ids []string) {
-	r.KeyIDs = mergeStrSlices(r.KeyIDs, ids)
-}
-
-// AddPaths merges the paths into the current list of role paths
-func (r *Role) AddPaths(paths []string) error {
-	if len(paths) == 0 {
-		return nil
-	}
-	r.Paths = mergeStrSlices(r.Paths, paths)
-	return nil
-}
-
-// RemoveKeys removes the ids from the current list of key ids
-func (r *Role) RemoveKeys(ids []string) {
-	r.KeyIDs = subtractStrSlices(r.KeyIDs, ids)
-}
-
-// RemovePaths removes the paths from the current list of role paths
-func (r *Role) RemovePaths(paths []string) {
-	r.Paths = subtractStrSlices(r.Paths, paths)
-}
-
-func mergeStrSlices(orig, new []string) []string {
-	have := make(map[string]bool)
-	for _, e := range orig {
-		have[e] = true
-	}
-	merged := make([]string, len(orig), len(orig)+len(new))
-	copy(merged, orig)
-	for _, e := range new {
-		if !have[e] {
-			merged = append(merged, e)
-		}
-	}
-	return merged
-}
-
-func subtractStrSlices(orig, remove []string) []string {
-	kill := make(map[string]bool)
-	for _, e := range remove {
-		kill[e] = true
-	}
-	var keep []string
-	for _, e := range orig {
-		if !kill[e] {
-			keep = append(keep, e)
-		}
-	}
-	return keep
-}

vendor/github.com/docker/notary/tuf/data/root.go

@@ -1,171 +0,0 @@
-package data
-
-import (
-	"fmt"
-
-	"github.com/docker/go/canonical/json"
-)
-
-// SignedRoot is a fully unpacked root.json
-type SignedRoot struct {
-	Signatures []Signature
-	Signed     Root
-	Dirty      bool
-}
-
-// Root is the Signed component of a root.json
-type Root struct {
-	SignedCommon
-	Keys               Keys                 `json:"keys"`
-	Roles              map[string]*RootRole `json:"roles"`
-	ConsistentSnapshot bool                 `json:"consistent_snapshot"`
-}
-
-// isValidRootStructure returns an error, or nil, depending on whether the content of the struct
-// is valid for root metadata.  This does not check signatures or expiry, just that
-// the metadata content is valid.
-func isValidRootStructure(r Root) error {
-	expectedType := TUFTypes[CanonicalRootRole]
-	if r.Type != expectedType {
-		return ErrInvalidMetadata{
-			role: CanonicalRootRole, msg: fmt.Sprintf("expected type %s, not %s", expectedType, r.Type)}
-	}
-
-	if r.Version < 1 {
-		return ErrInvalidMetadata{
-			role: CanonicalRootRole, msg: "version cannot be less than 1"}
-	}
-
-	// all the base roles MUST appear in the root.json - other roles are allowed,
-	// but other than the mirror role (not currently supported) are out of spec
-	for _, roleName := range BaseRoles {
-		roleObj, ok := r.Roles[roleName]
-		if !ok || roleObj == nil {
-			return ErrInvalidMetadata{
-				role: CanonicalRootRole, msg: fmt.Sprintf("missing %s role specification", roleName)}
-		}
-		if err := isValidRootRoleStructure(CanonicalRootRole, roleName, *roleObj, r.Keys); err != nil {
-			return err
-		}
-	}
-	return nil
-}
-
-func isValidRootRoleStructure(metaContainingRole, rootRoleName string, r RootRole, validKeys Keys) error {
-	if r.Threshold < 1 {
-		return ErrInvalidMetadata{
-			role: metaContainingRole,
-			msg:  fmt.Sprintf("invalid threshold specified for %s: %v ", rootRoleName, r.Threshold),
-		}
-	}
-	for _, keyID := range r.KeyIDs {
-		if _, ok := validKeys[keyID]; !ok {
-			return ErrInvalidMetadata{
-				role: metaContainingRole,
-				msg:  fmt.Sprintf("key ID %s specified in %s without corresponding key", keyID, rootRoleName),
-			}
-		}
-	}
-	return nil
-}
-
-// NewRoot initializes a new SignedRoot with a set of keys, roles, and the consistent flag
-func NewRoot(keys map[string]PublicKey, roles map[string]*RootRole, consistent bool) (*SignedRoot, error) {
-	signedRoot := &SignedRoot{
-		Signatures: make([]Signature, 0),
-		Signed: Root{
-			SignedCommon: SignedCommon{
-				Type:    TUFTypes[CanonicalRootRole],
-				Version: 0,
-				Expires: DefaultExpires(CanonicalRootRole),
-			},
-			Keys:               keys,
-			Roles:              roles,
-			ConsistentSnapshot: consistent,
-		},
-		Dirty: true,
-	}
-
-	return signedRoot, nil
-}
-
-// BuildBaseRole returns a copy of a BaseRole using the information in this SignedRoot for the specified role name.
-// Will error for invalid role name or key metadata within this SignedRoot
-func (r SignedRoot) BuildBaseRole(roleName string) (BaseRole, error) {
-	roleData, ok := r.Signed.Roles[roleName]
-	if !ok {
-		return BaseRole{}, ErrInvalidRole{Role: roleName, Reason: "role not found in root file"}
-	}
-	// Get all public keys for the base role from TUF metadata
-	keyIDs := roleData.KeyIDs
-	pubKeys := make(map[string]PublicKey)
-	for _, keyID := range keyIDs {
-		pubKey, ok := r.Signed.Keys[keyID]
-		if !ok {
-			return BaseRole{}, ErrInvalidRole{
-				Role:   roleName,
-				Reason: fmt.Sprintf("key with ID %s was not found in root metadata", keyID),
-			}
-		}
-		pubKeys[keyID] = pubKey
-	}
-
-	return BaseRole{
-		Name:      roleName,
-		Keys:      pubKeys,
-		Threshold: roleData.Threshold,
-	}, nil
-}
-
-// ToSigned partially serializes a SignedRoot for further signing
-func (r SignedRoot) ToSigned() (*Signed, error) {
-	s, err := defaultSerializer.MarshalCanonical(r.Signed)
-	if err != nil {
-		return nil, err
-	}
-	// cast into a json.RawMessage
-	signed := json.RawMessage{}
-	err = signed.UnmarshalJSON(s)
-	if err != nil {
-		return nil, err
-	}
-	sigs := make([]Signature, len(r.Signatures))
-	copy(sigs, r.Signatures)
-	return &Signed{
-		Signatures: sigs,
-		Signed:     &signed,
-	}, nil
-}
-
-// MarshalJSON returns the serialized form of SignedRoot as bytes
-func (r SignedRoot) MarshalJSON() ([]byte, error) {
-	signed, err := r.ToSigned()
-	if err != nil {
-		return nil, err
-	}
-	return defaultSerializer.Marshal(signed)
-}
-
-// RootFromSigned fully unpacks a Signed object into a SignedRoot and ensures
-// that it is a valid SignedRoot
-func RootFromSigned(s *Signed) (*SignedRoot, error) {
-	r := Root{}
-	if s.Signed == nil {
-		return nil, ErrInvalidMetadata{
-			role: CanonicalRootRole,
-			msg:  "root file contained an empty payload",
-		}
-	}
-	if err := defaultSerializer.Unmarshal(*s.Signed, &r); err != nil {
-		return nil, err
-	}
-	if err := isValidRootStructure(r); err != nil {
-		return nil, err
-	}
-	sigs := make([]Signature, len(s.Signatures))
-	copy(sigs, s.Signatures)
-	return &SignedRoot{
-		Signatures: sigs,
-		Signed:     r,
-	}, nil
-}

vendor/github.com/docker/notary/tuf/data/serializer.go

@@ -1,36 +0,0 @@
-package data
-
-import "github.com/docker/go/canonical/json"
-
-// Serializer is an interface that can marshal and unmarshal TUF data.  This
-// is expected to be a canonical JSON marshaller
-type serializer interface {
-	MarshalCanonical(from interface{}) ([]byte, error)
-	Marshal(from interface{}) ([]byte, error)
-	Unmarshal(from []byte, to interface{}) error
-}
-
-// CanonicalJSON marshals to and from canonical JSON
-type canonicalJSON struct{}
-
-// MarshalCanonical returns the canonical JSON form of a thing
-func (c canonicalJSON) MarshalCanonical(from interface{}) ([]byte, error) {
-	return json.MarshalCanonical(from)
-}
-
-// Marshal returns the regular non-canonical JSON form of a thing
-func (c canonicalJSON) Marshal(from interface{}) ([]byte, error) {
-	return json.Marshal(from)
-}
-
-// Unmarshal unmarshals some JSON bytes
-func (c canonicalJSON) Unmarshal(from []byte, to interface{}) error {
-	return json.Unmarshal(from, to)
-}
-
-// defaultSerializer is a canonical JSON serializer
-var defaultSerializer serializer = canonicalJSON{}
-
-func setDefaultSerializer(s serializer) {
-	defaultSerializer = s
-}

vendor/github.com/docker/notary/tuf/data/snapshot.go

@@ -1,169 +0,0 @@
-package data
-
-import (
-	"bytes"
-	"fmt"
-
-	"github.com/Sirupsen/logrus"
-	"github.com/docker/go/canonical/json"
-	"github.com/docker/notary"
-)
-
-// SignedSnapshot is a fully unpacked snapshot.json
-type SignedSnapshot struct {
-	Signatures []Signature
-	Signed     Snapshot
-	Dirty      bool
-}
-
-// Snapshot is the Signed component of a snapshot.json
-type Snapshot struct {
-	SignedCommon
-	Meta Files `json:"meta"`
-}
-
-// IsValidSnapshotStructure returns an error, or nil, depending on whether the content of the
-// struct is valid for snapshot metadata.  This does not check signatures or expiry, just that
-// the metadata content is valid.
-func IsValidSnapshotStructure(s Snapshot) error {
-	expectedType := TUFTypes[CanonicalSnapshotRole]
-	if s.Type != expectedType {
-		return ErrInvalidMetadata{
-			role: CanonicalSnapshotRole, msg: fmt.Sprintf("expected type %s, not %s", expectedType, s.Type)}
-	}
-
-	if s.Version < 1 {
-		return ErrInvalidMetadata{
-			role: CanonicalSnapshotRole, msg: "version cannot be less than one"}
-	}
-
-	for _, role := range []string{CanonicalRootRole, CanonicalTargetsRole} {
-		// Meta is a map of FileMeta, so if the role isn't in the map it returns
-		// an empty FileMeta, which has an empty map, and you can check on keys
-		// from an empty map.
-		//
-		// For now sha256 is required and sha512 is not.
-		if _, ok := s.Meta[role].Hashes[notary.SHA256]; !ok {
-			return ErrInvalidMetadata{
-				role: CanonicalSnapshotRole,
-				msg:  fmt.Sprintf("missing %s sha256 checksum information", role),
-			}
-		}
-		if err := CheckValidHashStructures(s.Meta[role].Hashes); err != nil {
-			return ErrInvalidMetadata{
-				role: CanonicalSnapshotRole,
-				msg:  fmt.Sprintf("invalid %s checksum information, %v", role, err),
-			}
-		}
-	}
-	return nil
-}
-
-// NewSnapshot initilizes a SignedSnapshot with a given top level root
-// and targets objects
-func NewSnapshot(root *Signed, targets *Signed) (*SignedSnapshot, error) {
-	logrus.Debug("generating new snapshot...")
-	targetsJSON, err := json.Marshal(targets)
-	if err != nil {
-		logrus.Debug("Error Marshalling Targets")
-		return nil, err
-	}
-	rootJSON, err := json.Marshal(root)
-	if err != nil {
-		logrus.Debug("Error Marshalling Root")
-		return nil, err
-	}
-	rootMeta, err := NewFileMeta(bytes.NewReader(rootJSON), NotaryDefaultHashes...)
-	if err != nil {
-		return nil, err
-	}
-	targetsMeta, err := NewFileMeta(bytes.NewReader(targetsJSON), NotaryDefaultHashes...)
-	if err != nil {
-		return nil, err
-	}
-	return &SignedSnapshot{
-		Signatures: make([]Signature, 0),
-		Signed: Snapshot{
-			SignedCommon: SignedCommon{
-				Type:    TUFTypes[CanonicalSnapshotRole],
-				Version: 0,
-				Expires: DefaultExpires(CanonicalSnapshotRole),
-			},
-			Meta: Files{
-				CanonicalRootRole:    rootMeta,
-				CanonicalTargetsRole: targetsMeta,
-			},
-		},
-	}, nil
-}
-
-// ToSigned partially serializes a SignedSnapshot for further signing
-func (sp *SignedSnapshot) ToSigned() (*Signed, error) {
-	s, err := defaultSerializer.MarshalCanonical(sp.Signed)
-	if err != nil {
-		return nil, err
-	}
-	signed := json.RawMessage{}
-	err = signed.UnmarshalJSON(s)
-	if err != nil {
-		return nil, err
-	}
-	sigs := make([]Signature, len(sp.Signatures))
-	copy(sigs, sp.Signatures)
-	return &Signed{
-		Signatures: sigs,
-		Signed:     &signed,
-	}, nil
-}
-
-// AddMeta updates a role in the snapshot with new meta
-func (sp *SignedSnapshot) AddMeta(role string, meta FileMeta) {
-	sp.Signed.Meta[role] = meta
-	sp.Dirty = true
-}
-
-// GetMeta gets the metadata for a particular role, returning an error if it's
-// not found
-func (sp *SignedSnapshot) GetMeta(role string) (*FileMeta, error) {
-	if meta, ok := sp.Signed.Meta[role]; ok {
-		if _, ok := meta.Hashes["sha256"]; ok {
-			return &meta, nil
-		}
-	}
-	return nil, ErrMissingMeta{Role: role}
-}
-
-// DeleteMeta removes a role from the snapshot. If the role doesn't
-// exist in the snapshot, it's a noop.
-func (sp *SignedSnapshot) DeleteMeta(role string) {
-	if _, ok := sp.Signed.Meta[role]; ok {
-		delete(sp.Signed.Meta, role)
-		sp.Dirty = true
-	}
-}
-
-// MarshalJSON returns the serialized form of SignedSnapshot as bytes
-func (sp *SignedSnapshot) MarshalJSON() ([]byte, error) {
-	signed, err := sp.ToSigned()
-	if err != nil {
-		return nil, err
-	}
-	return defaultSerializer.Marshal(signed)
-}
-
-// SnapshotFromSigned fully unpacks a Signed object into a SignedSnapshot
-func SnapshotFromSigned(s *Signed) (*SignedSnapshot, error) {
-	sp := Snapshot{}
-	if err := defaultSerializer.Unmarshal(*s.Signed, &sp); err != nil {
-		return nil, err
-	}
-	if err := IsValidSnapshotStructure(sp); err != nil {
-		return nil, err
-	}
-	sigs := make([]Signature, len(s.Signatures))
-	copy(sigs, s.Signatures)
-	return &SignedSnapshot{
-		Signatures: sigs,
-		Signed:     sp,
-	}, nil
-}

vendor/github.com/docker/notary/tuf/data/targets.go

@@ -1,201 +0,0 @@
-package data
-
-import (
-	"errors"
-	"fmt"
-	"path"
-
-	"github.com/docker/go/canonical/json"
-)
-
-// SignedTargets is a fully unpacked targets.json, or target delegation
-// json file
-type SignedTargets struct {
-	Signatures []Signature
-	Signed     Targets
-	Dirty      bool
-}
-
-// Targets is the Signed components of a targets.json or delegation json file
-type Targets struct {
-	SignedCommon
-	Targets     Files       `json:"targets"`
-	Delegations Delegations `json:"delegations,omitempty"`
-}
-
-// isValidTargetsStructure returns an error, or nil, depending on whether the content of the struct
-// is valid for targets metadata.  This does not check signatures or expiry, just that
-// the metadata content is valid.
-func isValidTargetsStructure(t Targets, roleName string) error {
-	if roleName != CanonicalTargetsRole && !IsDelegation(roleName) {
-		return ErrInvalidRole{Role: roleName}
-	}
-
-	// even if it's a delegated role, the metadata type is "Targets"
-	expectedType := TUFTypes[CanonicalTargetsRole]
-	if t.Type != expectedType {
-		return ErrInvalidMetadata{
-			role: roleName, msg: fmt.Sprintf("expected type %s, not %s", expectedType, t.Type)}
-	}
-
-	if t.Version < 1 {
-		return ErrInvalidMetadata{role: roleName, msg: "version cannot be less than one"}
-	}
-
-	for _, roleObj := range t.Delegations.Roles {
-		if !IsDelegation(roleObj.Name) || path.Dir(roleObj.Name) != roleName {
-			return ErrInvalidMetadata{
-				role: roleName, msg: fmt.Sprintf("delegation role %s invalid", roleObj.Name)}
-		}
-		if err := isValidRootRoleStructure(roleName, roleObj.Name, roleObj.RootRole, t.Delegations.Keys); err != nil {
-			return err
-		}
-	}
-	return nil
-}
-
-// NewTargets intiializes a new empty SignedTargets object
-func NewTargets() *SignedTargets {
-	return &SignedTargets{
-		Signatures: make([]Signature, 0),
-		Signed: Targets{
-			SignedCommon: SignedCommon{
-				Type:    TUFTypes["targets"],
-				Version: 0,
-				Expires: DefaultExpires("targets"),
-			},
-			Targets:     make(Files),
-			Delegations: *NewDelegations(),
-		},
-		Dirty: true,
-	}
-}
-
-// GetMeta attempts to find the targets entry for the path. It
-// will return nil in the case of the target not being found.
-func (t SignedTargets) GetMeta(path string) *FileMeta {
-	for p, meta := range t.Signed.Targets {
-		if p == path {
-			return &meta
-		}
-	}
-	return nil
-}
-
-// GetValidDelegations filters the delegation roles specified in the signed targets, and
-// only returns roles that are direct children and restricts their paths
-func (t SignedTargets) GetValidDelegations(parent DelegationRole) []DelegationRole {
-	roles := t.buildDelegationRoles()
-	result := []DelegationRole{}
-	for _, r := range roles {
-		validRole, err := parent.Restrict(r)
-		if err != nil {
-			continue
-		}
-		result = append(result, validRole)
-	}
-	return result
-}
-
-// BuildDelegationRole returns a copy of a DelegationRole using the information in this SignedTargets for the specified role name.
-// Will error for invalid role name or key metadata within this SignedTargets.  Path data is not validated.
-func (t *SignedTargets) BuildDelegationRole(roleName string) (DelegationRole, error) {
-	for _, role := range t.Signed.Delegations.Roles {
-		if role.Name == roleName {
-			pubKeys := make(map[string]PublicKey)
-			for _, keyID := range role.KeyIDs {
-				pubKey, ok := t.Signed.Delegations.Keys[keyID]
-				if !ok {
-					// Couldn't retrieve all keys, so stop walking and return invalid role
-					return DelegationRole{}, ErrInvalidRole{
-						Role:   roleName,
-						Reason: "role lists unknown key " + keyID + " as a signing key",
-					}
-				}
-				pubKeys[keyID] = pubKey
-			}
-			return DelegationRole{
-				BaseRole: BaseRole{
-					Name:      role.Name,
-					Keys:      pubKeys,
-					Threshold: role.Threshold,
-				},
-				Paths: role.Paths,
-			}, nil
-		}
-	}
-	return DelegationRole{}, ErrNoSuchRole{Role: roleName}
-}
-
-// helper function to create DelegationRole structures from all delegations in a SignedTargets,
-// these delegations are read directly from the SignedTargets and not modified or validated
-func (t SignedTargets) buildDelegationRoles() []DelegationRole {
-	var roles []DelegationRole
-	for _, roleData := range t.Signed.Delegations.Roles {
-		delgRole, err := t.BuildDelegationRole(roleData.Name)
-		if err != nil {
-			continue
-		}
-		roles = append(roles, delgRole)
-	}
-	return roles
-}
-
-// AddTarget adds or updates the meta for the given path
-func (t *SignedTargets) AddTarget(path string, meta FileMeta) {
-	t.Signed.Targets[path] = meta
-	t.Dirty = true
-}
-
-// AddDelegation will add a new delegated role with the given keys,
-// ensuring the keys either already exist, or are added to the map
-// of delegation keys
-func (t *SignedTargets) AddDelegation(role *Role, keys []*PublicKey) error {
-	return errors.New("Not Implemented")
-}
-
-// ToSigned partially serializes a SignedTargets for further signing
-func (t *SignedTargets) ToSigned() (*Signed, error) {
-	s, err := defaultSerializer.MarshalCanonical(t.Signed)
-	if err != nil {
-		return nil, err
-	}
-	signed := json.RawMessage{}
-	err = signed.UnmarshalJSON(s)
-	if err != nil {
-		return nil, err
-	}
-	sigs := make([]Signature, len(t.Signatures))
-	copy(sigs, t.Signatures)
-	return &Signed{
-		Signatures: sigs,
-		Signed:     &signed,
-	}, nil
-}
-
-// MarshalJSON returns the serialized form of SignedTargets as bytes
-func (t *SignedTargets) MarshalJSON() ([]byte, error) {
-	signed, err := t.ToSigned()
-	if err != nil {
-		return nil, err
-	}
-	return defaultSerializer.Marshal(signed)
-}
-
-// TargetsFromSigned fully unpacks a Signed object into a SignedTargets, given
-// a role name (so it can validate the SignedTargets object)
-func TargetsFromSigned(s *Signed, roleName string) (*SignedTargets, error) {
-	t := Targets{}
-	if err := defaultSerializer.Unmarshal(*s.Signed, &t); err != nil {
-		return nil, err
-	}
-	if err := isValidTargetsStructure(t, roleName); err != nil {
-		return nil, err
-	}
-	sigs := make([]Signature, len(s.Signatures))
-	copy(sigs, s.Signatures)
-	return &SignedTargets{
-		Signatures: sigs,
-		Signed:     t,
-	}, nil
-}

vendor/github.com/docker/notary/tuf/data/timestamp.go

@@ -1,136 +0,0 @@
-package data
-
-import (
-	"bytes"
-	"fmt"
-
-	"github.com/docker/go/canonical/json"
-	"github.com/docker/notary"
-)
-
-// SignedTimestamp is a fully unpacked timestamp.json
-type SignedTimestamp struct {
-	Signatures []Signature
-	Signed     Timestamp
-	Dirty      bool
-}
-
-// Timestamp is the Signed component of a timestamp.json
-type Timestamp struct {
-	SignedCommon
-	Meta Files `json:"meta"`
-}
-
-// IsValidTimestampStructure returns an error, or nil, depending on whether the content of the struct
-// is valid for timestamp metadata.  This does not check signatures or expiry, just that
-// the metadata content is valid.
-func IsValidTimestampStructure(t Timestamp) error {
-	expectedType := TUFTypes[CanonicalTimestampRole]
-	if t.Type != expectedType {
-		return ErrInvalidMetadata{
-			role: CanonicalTimestampRole, msg: fmt.Sprintf("expected type %s, not %s", expectedType, t.Type)}
-	}
-
-	if t.Version < 1 {
-		return ErrInvalidMetadata{
-			role: CanonicalTimestampRole, msg: "version cannot be less than one"}
-	}
-
-	// Meta is a map of FileMeta, so if the role isn't in the map it returns
-	// an empty FileMeta, which has an empty map, and you can check on keys
-	// from an empty map.
-	//
-	// For now sha256 is required and sha512 is not.
-	if _, ok := t.Meta[CanonicalSnapshotRole].Hashes[notary.SHA256]; !ok {
-		return ErrInvalidMetadata{
-			role: CanonicalTimestampRole, msg: "missing snapshot sha256 checksum information"}
-	}
-	if err := CheckValidHashStructures(t.Meta[CanonicalSnapshotRole].Hashes); err != nil {
-		return ErrInvalidMetadata{
-			role: CanonicalTimestampRole, msg: fmt.Sprintf("invalid snapshot checksum information, %v", err)}
-	}
-
-	return nil
-}
-
-// NewTimestamp initializes a timestamp with an existing snapshot
-func NewTimestamp(snapshot *Signed) (*SignedTimestamp, error) {
-	snapshotJSON, err := json.Marshal(snapshot)
-	if err != nil {
-		return nil, err
-	}
-	snapshotMeta, err := NewFileMeta(bytes.NewReader(snapshotJSON), NotaryDefaultHashes...)
-	if err != nil {
-		return nil, err
-	}
-	return &SignedTimestamp{
-		Signatures: make([]Signature, 0),
-		Signed: Timestamp{
-			SignedCommon: SignedCommon{
-				Type:    TUFTypes[CanonicalTimestampRole],
-				Version: 0,
-				Expires: DefaultExpires(CanonicalTimestampRole),
-			},
-			Meta: Files{
-				CanonicalSnapshotRole: snapshotMeta,
-			},
-		},
-	}, nil
-}
-
-// ToSigned partially serializes a SignedTimestamp such that it can
-// be signed
-func (ts *SignedTimestamp) ToSigned() (*Signed, error) {
-	s, err := defaultSerializer.MarshalCanonical(ts.Signed)
-	if err != nil {
-		return nil, err
-	}
-	signed := json.RawMessage{}
-	err = signed.UnmarshalJSON(s)
-	if err != nil {
-		return nil, err
-	}
-	sigs := make([]Signature, len(ts.Signatures))
-	copy(sigs, ts.Signatures)
-	return &Signed{
-		Signatures: sigs,
-		Signed:     &signed,
-	}, nil
-}
-
-// GetSnapshot gets the expected snapshot metadata hashes in the timestamp metadata,
-// or nil if it doesn't exist
-func (ts *SignedTimestamp) GetSnapshot() (*FileMeta, error) {
-	snapshotExpected, ok := ts.Signed.Meta[CanonicalSnapshotRole]
-	if !ok {
-		return nil, ErrMissingMeta{Role: CanonicalSnapshotRole}
-	}
-	return &snapshotExpected, nil
-}
-
-// MarshalJSON returns the serialized form of SignedTimestamp as bytes
-func (ts *SignedTimestamp) MarshalJSON() ([]byte, error) {
-	signed, err := ts.ToSigned()
-	if err != nil {
-		return nil, err
-	}
-	return defaultSerializer.Marshal(signed)
-}
-
-// TimestampFromSigned parsed a Signed object into a fully unpacked
-// SignedTimestamp
-func TimestampFromSigned(s *Signed) (*SignedTimestamp, error) {
-	ts := Timestamp{}
-	if err := defaultSerializer.Unmarshal(*s.Signed, &ts); err != nil {
-		return nil, err
-	}
-	if err := IsValidTimestampStructure(ts); err != nil {
-		return nil, err
-	}
-	sigs := make([]Signature, len(s.Signatures))
-	copy(sigs, s.Signatures)
-	return &SignedTimestamp{
-		Signatures: sigs,
-		Signed:     ts,
-	}, nil
-}

vendor/github.com/docker/notary/tuf/data/types.go

@@ -1,311 +0,0 @@
-package data
-
-import (
-	"crypto/sha256"
-	"crypto/sha512"
-	"crypto/subtle"
-	"encoding/hex"
-	"fmt"
-	"hash"
-	"io"
-	"io/ioutil"
-	"strings"
-	"time"
-
-	"github.com/Sirupsen/logrus"
-	"github.com/docker/go/canonical/json"
-	"github.com/docker/notary"
-)
-
-// SigAlgorithm for types of signatures
-type SigAlgorithm string
-
-func (k SigAlgorithm) String() string {
-	return string(k)
-}
-
-const defaultHashAlgorithm = "sha256"
-
-// Signature types
-const (
-	EDDSASignature       SigAlgorithm = "eddsa"
-	RSAPSSSignature      SigAlgorithm = "rsapss"
-	RSAPKCS1v15Signature SigAlgorithm = "rsapkcs1v15"
-	ECDSASignature       SigAlgorithm = "ecdsa"
-	PyCryptoSignature    SigAlgorithm = "pycrypto-pkcs#1 pss"
-)
-
-// Key types
-const (
-	ED25519Key   = "ed25519"
-	RSAKey       = "rsa"
-	RSAx509Key   = "rsa-x509"
-	ECDSAKey     = "ecdsa"
-	ECDSAx509Key = "ecdsa-x509"
-)
-
-// TUFTypes is the set of metadata types
-var TUFTypes = map[string]string{
-	CanonicalRootRole:      "Root",
-	CanonicalTargetsRole:   "Targets",
-	CanonicalSnapshotRole:  "Snapshot",
-	CanonicalTimestampRole: "Timestamp",
-}
-
-// SetTUFTypes allows one to override some or all of the default
-// type names in TUF.
-func SetTUFTypes(ts map[string]string) {
-	for k, v := range ts {
-		TUFTypes[k] = v
-	}
-}
-
-// ValidTUFType checks if the given type is valid for the role
-func ValidTUFType(typ, role string) bool {
-	if ValidRole(role) {
-		// All targets delegation roles must have
-		// the valid type is for targets.
-		if role == "" {
-			// role is unknown and does not map to
-			// a type
-			return false
-		}
-		if strings.HasPrefix(role, CanonicalTargetsRole+"/") {
-			role = CanonicalTargetsRole
-		}
-	}
-	// most people will just use the defaults so have this optimal check
-	// first. Do comparison just in case there is some unknown vulnerability
-	// if a key and value in the map differ.
-	if v, ok := TUFTypes[role]; ok {
-		return typ == v
-	}
-	return false
-}
-
-// Signed is the high level, partially deserialized metadata object
-// used to verify signatures before fully unpacking, or to add signatures
-// before fully packing
-type Signed struct {
-	Signed     *json.RawMessage `json:"signed"`
-	Signatures []Signature      `json:"signatures"`
-}
-
-// SignedCommon contains the fields common to the Signed component of all
-// TUF metadata files
-type SignedCommon struct {
-	Type    string    `json:"_type"`
-	Expires time.Time `json:"expires"`
-	Version int       `json:"version"`
-}
-
-// SignedMeta is used in server validation where we only need signatures
-// and common fields
-type SignedMeta struct {
-	Signed     SignedCommon `json:"signed"`
-	Signatures []Signature  `json:"signatures"`
-}
-
-// Signature is a signature on a piece of metadata
-type Signature struct {
-	KeyID     string       `json:"keyid"`
-	Method    SigAlgorithm `json:"method"`
-	Signature []byte       `json:"sig"`
-	IsValid   bool         `json:"-"`
-}
-
-// Files is the map of paths to file meta container in targets and delegations
-// metadata files
-type Files map[string]FileMeta
-
-// Hashes is the map of hash type to digest created for each metadata
-// and target file
-type Hashes map[string][]byte
-
-// NotaryDefaultHashes contains the default supported hash algorithms.
-var NotaryDefaultHashes = []string{notary.SHA256, notary.SHA512}
-
-// FileMeta contains the size and hashes for a metadata or target file. Custom
-// data can be optionally added.
-type FileMeta struct {
-	Length int64            `json:"length"`
-	Hashes Hashes           `json:"hashes"`
-	Custom *json.RawMessage `json:"custom,omitempty"`
-}
-
-// CheckHashes verifies all the checksums specified by the "hashes" of the payload.
-func CheckHashes(payload []byte, name string, hashes Hashes) error {
-	cnt := 0
-
-	// k, v indicate the hash algorithm and the corresponding value
-	for k, v := range hashes {
-		switch k {
-		case notary.SHA256:
-			checksum := sha256.Sum256(payload)
-			if subtle.ConstantTimeCompare(checksum[:], v) == 0 {
-				return ErrMismatchedChecksum{alg: notary.SHA256, name: name, expected: hex.EncodeToString(v)}
-			}
-			cnt++
-		case notary.SHA512:
-			checksum := sha512.Sum512(payload)
-			if subtle.ConstantTimeCompare(checksum[:], v) == 0 {
-				return ErrMismatchedChecksum{alg: notary.SHA512, name: name, expected: hex.EncodeToString(v)}
-			}
-			cnt++
-		}
-	}
-
-	if cnt == 0 {
-		return ErrMissingMeta{Role: name}
-	}
-
-	return nil
-}
-
-// CompareMultiHashes verifies that the two Hashes passed in can represent the same data.
-// This means that both maps must have at least one key defined for which they map, and no conflicts.
-// Note that we check the intersection of map keys, which adds support for non-default hash algorithms in notary
-func CompareMultiHashes(hashes1, hashes2 Hashes) error {
-	// First check if the two hash structures are valid
-	if err := CheckValidHashStructures(hashes1); err != nil {
-		return err
-	}
-	if err := CheckValidHashStructures(hashes2); err != nil {
-		return err
-	}
-	// Check if they have at least one matching hash, and no conflicts
-	cnt := 0
-	for hashAlg, hash1 := range hashes1 {
-
-		hash2, ok := hashes2[hashAlg]
-		if !ok {
-			continue
-		}
-
-		if subtle.ConstantTimeCompare(hash1[:], hash2[:]) == 0 {
-			return fmt.Errorf("mismatched %s checksum", hashAlg)
-		}
-		// If we reached here, we had a match
-		cnt++
-	}
-
-	if cnt == 0 {
-		return fmt.Errorf("at least one matching hash needed")
-	}
-
-	return nil
-}
-
-// CheckValidHashStructures returns an error, or nil, depending on whether
-// the content of the hashes is valid or not.
-func CheckValidHashStructures(hashes Hashes) error {
-	cnt := 0
-
-	for k, v := range hashes {
-		switch k {
-		case notary.SHA256:
-			if len(v) != sha256.Size {
-				return ErrInvalidChecksum{alg: notary.SHA256}
-			}
-			cnt++
-		case notary.SHA512:
-			if len(v) != sha512.Size {
-				return ErrInvalidChecksum{alg: notary.SHA512}
-			}
-			cnt++
-		}
-	}
-
-	if cnt == 0 {
-		return fmt.Errorf("at least one supported hash needed")
-	}
-
-	return nil
-}
-
-// NewFileMeta generates a FileMeta object from the reader, using the
-// hash algorithms provided
-func NewFileMeta(r io.Reader, hashAlgorithms ...string) (FileMeta, error) {
-	if len(hashAlgorithms) == 0 {
-		hashAlgorithms = []string{defaultHashAlgorithm}
-	}
-	hashes := make(map[string]hash.Hash, len(hashAlgorithms))
-	for _, hashAlgorithm := range hashAlgorithms {
-		var h hash.Hash
-		switch hashAlgorithm {
-		case notary.SHA256:
-			h = sha256.New()
-		case notary.SHA512:
-			h = sha512.New()
-		default:
-			return FileMeta{}, fmt.Errorf("Unknown hash algorithm: %s", hashAlgorithm)
-		}
-		hashes[hashAlgorithm] = h
-		r = io.TeeReader(r, h)
-	}
-	n, err := io.Copy(ioutil.Discard, r)
-	if err != nil {
-		return FileMeta{}, err
-	}
-	m := FileMeta{Length: n, Hashes: make(Hashes, len(hashes))}
-	for hashAlgorithm, h := range hashes {
-		m.Hashes[hashAlgorithm] = h.Sum(nil)
-	}
-	return m, nil
-}
-
-// Delegations holds a tier of targets delegations
-type Delegations struct {
-	Keys  Keys    `json:"keys"`
-	Roles []*Role `json:"roles"`
-}
-
-// NewDelegations initializes an empty Delegations object
-func NewDelegations() *Delegations {
-	return &Delegations{
-		Keys:  make(map[string]PublicKey),
-		Roles: make([]*Role, 0),
-	}
-}
-
-// These values are recommended TUF expiry times.
-var defaultExpiryTimes = map[string]time.Duration{
-	CanonicalRootRole:      notary.Year,
-	CanonicalTargetsRole:   90 * notary.Day,
-	CanonicalSnapshotRole:  7 * notary.Day,
-	CanonicalTimestampRole: notary.Day,
-}
-
-// SetDefaultExpiryTimes allows one to change the default expiries.
-func SetDefaultExpiryTimes(times map[string]time.Duration) {
-	for key, value := range times {
-		if _, ok := defaultExpiryTimes[key]; !ok {
-			logrus.Errorf("Attempted to set default expiry for an unknown role: %s", key)
-			continue
-		}
-		defaultExpiryTimes[key] = value
-	}
-}
-
-// DefaultExpires gets the default expiry time for the given role
-func DefaultExpires(role string) time.Time {
-	if d, ok := defaultExpiryTimes[role]; ok {
-		return time.Now().Add(d)
-	}
-	var t time.Time
-	return t.UTC().Round(time.Second)
-}
-
-type unmarshalledSignature Signature
-
-// UnmarshalJSON does a custom unmarshalling of the signature JSON
-func (s *Signature) UnmarshalJSON(data []byte) error {
-	uSignature := unmarshalledSignature{}
-	err := json.Unmarshal(data, &uSignature)
-	if err != nil {
-		return err
-	}
-	uSignature.Method = SigAlgorithm(strings.ToLower(string(uSignature.Method)))
-	*s = Signature(uSignature)
-	return nil
-}

vendor/github.com/docker/notary/tuf/signed/ed25519.go

@@ -1,111 +0,0 @@
-package signed
-
-import (
-	"crypto/rand"
-	"errors"
-
-	"github.com/docker/notary/trustmanager"
-	"github.com/docker/notary/tuf/data"
-	"github.com/docker/notary/tuf/utils"
-)
-
-type edCryptoKey struct {
-	role    string
-	privKey data.PrivateKey
-}
-
-// Ed25519 implements a simple in memory cryptosystem for ED25519 keys
-type Ed25519 struct {
-	keys map[string]edCryptoKey
-}
-
-// NewEd25519 initializes a new empty Ed25519 CryptoService that operates
-// entirely in memory
-func NewEd25519() *Ed25519 {
-	return &Ed25519{
-		make(map[string]edCryptoKey),
-	}
-}
-
-// AddKey allows you to add a private key
-func (e *Ed25519) AddKey(role, gun string, k data.PrivateKey) error {
-	e.addKey(role, k)
-	return nil
-}
-
-// addKey allows you to add a private key
-func (e *Ed25519) addKey(role string, k data.PrivateKey) {
-	e.keys[k.ID()] = edCryptoKey{
-		role:    role,
-		privKey: k,
-	}
-}
-
-// RemoveKey deletes a key from the signer
-func (e *Ed25519) RemoveKey(keyID string) error {
-	delete(e.keys, keyID)
-	return nil
-}
-
-// ListKeys returns the list of keys IDs for the role
-func (e *Ed25519) ListKeys(role string) []string {
-	keyIDs := make([]string, 0, len(e.keys))
-	for id, edCryptoKey := range e.keys {
-		if edCryptoKey.role == role {
-			keyIDs = append(keyIDs, id)
-		}
-	}
-	return keyIDs
-}
-
-// ListAllKeys returns the map of keys IDs to role
-func (e *Ed25519) ListAllKeys() map[string]string {
-	keys := make(map[string]string)
-	for id, edKey := range e.keys {
-		keys[id] = edKey.role
-	}
-	return keys
-}
-
-// Create generates a new key and returns the public part
-func (e *Ed25519) Create(role, gun, algorithm string) (data.PublicKey, error) {
-	if algorithm != data.ED25519Key {
-		return nil, errors.New("only ED25519 supported by this cryptoservice")
-	}
-
-	private, err := utils.GenerateED25519Key(rand.Reader)
-	if err != nil {
-		return nil, err
-	}
-
-	e.addKey(role, private)
-	return data.PublicKeyFromPrivate(private), nil
-}
-
-// PublicKeys returns a map of public keys for the ids provided, when those IDs are found
-// in the store.
-func (e *Ed25519) PublicKeys(keyIDs ...string) (map[string]data.PublicKey, error) {
-	k := make(map[string]data.PublicKey)
-	for _, keyID := range keyIDs {
-		if edKey, ok := e.keys[keyID]; ok {
-			k[keyID] = data.PublicKeyFromPrivate(edKey.privKey)
-		}
-	}
-	return k, nil
-}
-
-// GetKey returns a single public key based on the ID
-func (e *Ed25519) GetKey(keyID string) data.PublicKey {
-	if privKey, _, err := e.GetPrivateKey(keyID); err == nil {
-		return data.PublicKeyFromPrivate(privKey)
-	}
-	return nil
-}
-
-// GetPrivateKey returns a single private key and role if present, based on the ID
-func (e *Ed25519) GetPrivateKey(keyID string) (data.PrivateKey, string, error) {
-	if k, ok := e.keys[keyID]; ok {
-		return k.privKey, k.role, nil
-	}
-	return nil, "", trustmanager.ErrKeyNotFound{KeyID: keyID}
-}

vendor/github.com/docker/notary/tuf/signed/errors.go

@@ -1,96 +0,0 @@
-package signed
-
-import (
-	"fmt"
-	"strings"
-)
-
-// ErrInsufficientSignatures - can not create enough signatures on a piece of
-// metadata
-type ErrInsufficientSignatures struct {
-	FoundKeys     int
-	NeededKeys    int
-	MissingKeyIDs []string
-}
-
-func (e ErrInsufficientSignatures) Error() string {
-	candidates := ""
-	if len(e.MissingKeyIDs) > 0 {
-		candidates = fmt.Sprintf(" (%s)", strings.Join(e.MissingKeyIDs, ", "))
-	}
-
-	if e.FoundKeys == 0 {
-		return fmt.Sprintf("signing keys not available: need %d keys from %d possible keys%s",
-			e.NeededKeys, len(e.MissingKeyIDs), candidates)
-	}
-	return fmt.Sprintf("not enough signing keys: found %d of %d needed keys - %d other possible keys%s",
-		e.FoundKeys, e.NeededKeys, len(e.MissingKeyIDs), candidates)
-}
-
-// ErrExpired indicates a piece of metadata has expired
-type ErrExpired struct {
-	Role    string
-	Expired string
-}
-
-func (e ErrExpired) Error() string {
-	return fmt.Sprintf("%s expired at %v", e.Role, e.Expired)
-}
-
-// ErrLowVersion indicates the piece of metadata has a version number lower than
-// a version number we're already seen for this role
-type ErrLowVersion struct {
-	Actual  int
-	Current int
-}
-
-func (e ErrLowVersion) Error() string {
-	return fmt.Sprintf("version %d is lower than current version %d", e.Actual, e.Current)
-}
-
-// ErrRoleThreshold indicates we did not validate enough signatures to meet the threshold
-type ErrRoleThreshold struct {
-	Msg string
-}
-
-func (e ErrRoleThreshold) Error() string {
-	if e.Msg == "" {
-		return "valid signatures did not meet threshold"
-	}
-	return e.Msg
-}
-
-// ErrInvalidKeyType indicates the types for the key and signature it's associated with are
-// mismatched. Probably a sign of malicious behaviour
-type ErrInvalidKeyType struct{}
-
-func (e ErrInvalidKeyType) Error() string {
-	return "key type is not valid for signature"
-}
-
-// ErrInvalidKeyID indicates the specified key ID was incorrect for its associated data
-type ErrInvalidKeyID struct{}
-
-func (e ErrInvalidKeyID) Error() string {
-	return "key ID is not valid for key content"
-}
-
-// ErrInvalidKeyLength indicates that while we may support the cipher, the provided
-// key length is not specifically supported, i.e. we support RSA, but not 1024 bit keys
-type ErrInvalidKeyLength struct {
-	msg string
-}
-
-func (e ErrInvalidKeyLength) Error() string {
-	return fmt.Sprintf("key length is not supported: %s", e.msg)
-}
-
-// ErrNoKeys indicates no signing keys were found when trying to sign
-type ErrNoKeys struct {
-	KeyIDs []string
-}
-
-func (e ErrNoKeys) Error() string {
-	return fmt.Sprintf("could not find necessary signing keys, at least one of these keys must be available: %s",
-		strings.Join(e.KeyIDs, ", "))
-}

vendor/github.com/docker/notary/tuf/signed/interface.go

@@ -1,49 +0,0 @@
-package signed
-
-import (
-	"github.com/docker/notary/tuf/data"
-)
-
-// KeyService provides management of keys locally. It will never
-// accept or provide private keys. Communication between the KeyService
-// and a SigningService happen behind the Create function.
-type KeyService interface {
-	// Create issues a new key pair and is responsible for loading
-	// the private key into the appropriate signing service.
-	Create(role, gun, algorithm string) (data.PublicKey, error)
-
-	// AddKey adds a private key to the specified role and gun
-	AddKey(role, gun string, key data.PrivateKey) error
-
-	// GetKey retrieves the public key if present, otherwise it returns nil
-	GetKey(keyID string) data.PublicKey
-
-	// GetPrivateKey retrieves the private key and role if present and retrievable,
-	// otherwise it returns nil and an error
-	GetPrivateKey(keyID string) (data.PrivateKey, string, error)
-
-	// RemoveKey deletes the specified key, and returns an error only if the key
-	// removal fails. If the key doesn't exist, no error should be returned.
-	RemoveKey(keyID string) error
-
-	// ListKeys returns a list of key IDs for the role, or an empty list or
-	// nil if there are no keys.
-	ListKeys(role string) []string
-
-	// ListAllKeys returns a map of all available signing key IDs to role, or
-	// an empty map or nil if there are no keys.
-	ListAllKeys() map[string]string
-}
-
-// CryptoService is deprecated and all instances of its use should be
-// replaced with KeyService
-type CryptoService interface {
-	KeyService
-}
-
-// Verifier defines an interface for verfying signatures. An implementer
-// of this interface should verify signatures for one and only one
-// signing scheme.
-type Verifier interface {
-	Verify(key data.PublicKey, sig []byte, msg []byte) error
-}

vendor/github.com/docker/notary/tuf/signed/sign.go

@@ -1,113 +0,0 @@
-package signed
-
-// The Sign function is a choke point for all code paths that do signing.
-// We use this fact to do key ID translation. There are 2 types of key ID:
-//   - Scoped: the key ID based purely on the data that appears in the TUF
-//             files. This may be wrapped by a certificate that scopes the
-//             key to be used in a specific context.
-//   - Canonical: the key ID based purely on the public key bytes. This is
-//             used by keystores to easily identify keys that may be reused
-//             in many scoped locations.
-// Currently these types only differ in the context of Root Keys in Notary
-// for which the root key is wrapped using an x509 certificate.
-
-import (
-	"crypto/rand"
-
-	"github.com/Sirupsen/logrus"
-	"github.com/docker/notary/trustmanager"
-	"github.com/docker/notary/tuf/data"
-	"github.com/docker/notary/tuf/utils"
-)
-
-// Sign takes a data.Signed and a cryptoservice containing private keys,
-// calculates and adds at least minSignature signatures using signingKeys the
-// data.Signed.  It will also clean up any signatures that are not in produced
-// by either a signingKey or an otherWhitelistedKey.
-// Note that in most cases, otherWhitelistedKeys should probably be null. They
-// are for keys you don't want to sign with, but you also don't want to remove
-// existing signatures by those keys.  For instance, if you want to call Sign
-// multiple times with different sets of signing keys without undoing removing
-// signatures produced by the previous call to Sign.
-func Sign(service CryptoService, s *data.Signed, signingKeys []data.PublicKey,
-	minSignatures int, otherWhitelistedKeys []data.PublicKey) error {
-
-	logrus.Debugf("sign called with %d/%d required keys", minSignatures, len(signingKeys))
-	signatures := make([]data.Signature, 0, len(s.Signatures)+1)
-	signingKeyIDs := make(map[string]struct{})
-	tufIDs := make(map[string]data.PublicKey)
-
-	privKeys := make(map[string]data.PrivateKey)
-
-	// Get all the private key objects related to the public keys
-	missingKeyIDs := []string{}
-	for _, key := range signingKeys {
-		canonicalID, err := utils.CanonicalKeyID(key)
-		tufIDs[key.ID()] = key
-		if err != nil {
-			return err
-		}
-		k, _, err := service.GetPrivateKey(canonicalID)
-		if err != nil {
-			if _, ok := err.(trustmanager.ErrKeyNotFound); ok {
-				missingKeyIDs = append(missingKeyIDs, canonicalID)
-				continue
-			}
-			return err
-		}
-		privKeys[key.ID()] = k
-	}
-
-	// include the list of otherWhitelistedKeys
-	for _, key := range otherWhitelistedKeys {
-		if _, ok := tufIDs[key.ID()]; !ok {
-			tufIDs[key.ID()] = key
-		}
-	}
-
-	// Check to ensure we have enough signing keys
-	if len(privKeys) < minSignatures {
-		return ErrInsufficientSignatures{FoundKeys: len(privKeys),
-			NeededKeys: minSignatures, MissingKeyIDs: missingKeyIDs}
-	}
-
-	emptyStruct := struct{}{}
-	// Do signing and generate list of signatures
-	for keyID, pk := range privKeys {
-		sig, err := pk.Sign(rand.Reader, *s.Signed, nil)
-		if err != nil {
-			logrus.Debugf("Failed to sign with key: %s. Reason: %v", keyID, err)
-			return err
-		}
-		signingKeyIDs[keyID] = emptyStruct
-		signatures = append(signatures, data.Signature{
-			KeyID:     keyID,
-			Method:    pk.SignatureAlgorithm(),
-			Signature: sig[:],
-		})
-	}
-
-	for _, sig := range s.Signatures {
-		if _, ok := signingKeyIDs[sig.KeyID]; ok {
-			// key is in the set of key IDs for which a signature has been created
-			continue
-		}
-		var (
-			k  data.PublicKey
-			ok bool
-		)
-		if k, ok = tufIDs[sig.KeyID]; !ok {
-			// key is no longer a valid signing key
-			continue
-		}
-		if err := VerifySignature(*s.Signed, &sig, k); err != nil {
-			// signature is no longer valid
-			continue
-		}
-		// keep any signatures that still represent valid keys and are
-		// themselves valid
-		signatures = append(signatures, sig)
-	}
-	s.Signatures = signatures
-	return nil
-}

vendor/github.com/docker/notary/tuf/signed/verifiers.go

@@ -1,283 +0,0 @@
-package signed
-
-import (
-	"crypto"
-	"crypto/ecdsa"
-	"crypto/rsa"
-	"crypto/sha256"
-	"crypto/x509"
-	"encoding/pem"
-	"fmt"
-	"math/big"
-	"reflect"
-
-	"github.com/Sirupsen/logrus"
-	"github.com/agl/ed25519"
-	"github.com/docker/notary/tuf/data"
-)
-
-const (
-	minRSAKeySizeBit  = 2048 // 2048 bits = 256 bytes
-	minRSAKeySizeByte = minRSAKeySizeBit / 8
-)
-
-// Verifiers serves as a map of all verifiers available on the system and
-// can be injected into a verificationService. For testing and configuration
-// purposes, it will not be used by default.
-var Verifiers = map[data.SigAlgorithm]Verifier{
-	data.RSAPSSSignature:      RSAPSSVerifier{},
-	data.RSAPKCS1v15Signature: RSAPKCS1v15Verifier{},
-	data.PyCryptoSignature:    RSAPyCryptoVerifier{},
-	data.ECDSASignature:       ECDSAVerifier{},
-	data.EDDSASignature:       Ed25519Verifier{},
-}
-
-// RegisterVerifier provides a convenience function for init() functions
-// to register additional verifiers or replace existing ones.
-func RegisterVerifier(algorithm data.SigAlgorithm, v Verifier) {
-	curr, ok := Verifiers[algorithm]
-	if ok {
-		typOld := reflect.TypeOf(curr)
-		typNew := reflect.TypeOf(v)
-		logrus.Debugf(
-			"replacing already loaded verifier %s:%s with %s:%s",
-			typOld.PkgPath(), typOld.Name(),
-			typNew.PkgPath(), typNew.Name(),
-		)
-	} else {
-		logrus.Debug("adding verifier for: ", algorithm)
-	}
-	Verifiers[algorithm] = v
-}
-
-// Ed25519Verifier used to verify Ed25519 signatures
-type Ed25519Verifier struct{}
-
-// Verify checks that an ed25519 signature is valid
-func (v Ed25519Verifier) Verify(key data.PublicKey, sig []byte, msg []byte) error {
-	if key.Algorithm() != data.ED25519Key {
-		return ErrInvalidKeyType{}
-	}
-	var sigBytes [ed25519.SignatureSize]byte
-	if len(sig) != ed25519.SignatureSize {
-		logrus.Debugf("signature length is incorrect, must be %d, was %d.", ed25519.SignatureSize, len(sig))
-		return ErrInvalid
-	}
-	copy(sigBytes[:], sig)
-
-	var keyBytes [ed25519.PublicKeySize]byte
-	pub := key.Public()
-	if len(pub) != ed25519.PublicKeySize {
-		logrus.Errorf("public key is incorrect size, must be %d, was %d.", ed25519.PublicKeySize, len(pub))
-		return ErrInvalidKeyLength{msg: fmt.Sprintf("ed25519 public key must be %d bytes.", ed25519.PublicKeySize)}
-	}
-	n := copy(keyBytes[:], key.Public())
-	if n < ed25519.PublicKeySize {
-		logrus.Errorf("failed to copy the key, must have %d bytes, copied %d bytes.", ed25519.PublicKeySize, n)
-		return ErrInvalid
-	}
-
-	if !ed25519.Verify(&keyBytes, msg, &sigBytes) {
-		logrus.Debugf("failed ed25519 verification")
-		return ErrInvalid
-	}
-	return nil
-}
-
-func verifyPSS(key interface{}, digest, sig []byte) error {
-	rsaPub, ok := key.(*rsa.PublicKey)
-	if !ok {
-		logrus.Debugf("value was not an RSA public key")
-		return ErrInvalid
-	}
-
-	if rsaPub.N.BitLen() < minRSAKeySizeBit {
-		logrus.Debugf("RSA keys less than 2048 bits are not acceptable, provided key has length %d.", rsaPub.N.BitLen())
-		return ErrInvalidKeyLength{msg: fmt.Sprintf("RSA key must be at least %d bits.", minRSAKeySizeBit)}
-	}
-
-	if len(sig) < minRSAKeySizeByte {
-		logrus.Debugf("RSA keys less than 2048 bits are not acceptable, provided signature has length %d.", len(sig))
-		return ErrInvalid
-	}
-
-	opts := rsa.PSSOptions{SaltLength: sha256.Size, Hash: crypto.SHA256}
-	if err := rsa.VerifyPSS(rsaPub, crypto.SHA256, digest[:], sig, &opts); err != nil {
-		logrus.Debugf("failed RSAPSS verification: %s", err)
-		return ErrInvalid
-	}
-	return nil
-}
-
-func getRSAPubKey(key data.PublicKey) (crypto.PublicKey, error) {
-	algorithm := key.Algorithm()
-	var pubKey crypto.PublicKey
-
-	switch algorithm {
-	case data.RSAx509Key:
-		pemCert, _ := pem.Decode([]byte(key.Public()))
-		if pemCert == nil {
-			logrus.Debugf("failed to decode PEM-encoded x509 certificate")
-			return nil, ErrInvalid
-		}
-		cert, err := x509.ParseCertificate(pemCert.Bytes)
-		if err != nil {
-			logrus.Debugf("failed to parse x509 certificate: %s\n", err)
-			return nil, ErrInvalid
-		}
-		pubKey = cert.PublicKey
-	case data.RSAKey:
-		var err error
-		pubKey, err = x509.ParsePKIXPublicKey(key.Public())
-		if err != nil {
-			logrus.Debugf("failed to parse public key: %s\n", err)
-			return nil, ErrInvalid
-		}
-	default:
-		// only accept RSA keys
-		logrus.Debugf("invalid key type for RSAPSS verifier: %s", algorithm)
-		return nil, ErrInvalidKeyType{}
-	}
-
-	return pubKey, nil
-}
-
-// RSAPSSVerifier checks RSASSA-PSS signatures
-type RSAPSSVerifier struct{}
-
-// Verify does the actual check.
-func (v RSAPSSVerifier) Verify(key data.PublicKey, sig []byte, msg []byte) error {
-	// will return err if keytype is not a recognized RSA type
-	pubKey, err := getRSAPubKey(key)
-	if err != nil {
-		return err
-	}
-
-	digest := sha256.Sum256(msg)
-
-	return verifyPSS(pubKey, digest[:], sig)
-}
-
-// RSAPKCS1v15Verifier checks RSA PKCS1v15 signatures
-type RSAPKCS1v15Verifier struct{}
-
-// Verify does the actual verification
-func (v RSAPKCS1v15Verifier) Verify(key data.PublicKey, sig []byte, msg []byte) error {
-	// will return err if keytype is not a recognized RSA type
-	pubKey, err := getRSAPubKey(key)
-	if err != nil {
-		return err
-	}
-	digest := sha256.Sum256(msg)
-
-	rsaPub, ok := pubKey.(*rsa.PublicKey)
-	if !ok {
-		logrus.Debugf("value was not an RSA public key")
-		return ErrInvalid
-	}
-
-	if rsaPub.N.BitLen() < minRSAKeySizeBit {
-		logrus.Debugf("RSA keys less than 2048 bits are not acceptable, provided key has length %d.", rsaPub.N.BitLen())
-		return ErrInvalidKeyLength{msg: fmt.Sprintf("RSA key must be at least %d bits.", minRSAKeySizeBit)}
-	}
-
-	if len(sig) < minRSAKeySizeByte {
-		logrus.Debugf("RSA keys less than 2048 bits are not acceptable, provided signature has length %d.", len(sig))
-		return ErrInvalid
-	}
-
-	if err = rsa.VerifyPKCS1v15(rsaPub, crypto.SHA256, digest[:], sig); err != nil {
-		logrus.Errorf("Failed verification: %s", err.Error())
-		return ErrInvalid
-	}
-	return nil
-}
-
-// RSAPyCryptoVerifier checks RSASSA-PSS signatures
-type RSAPyCryptoVerifier struct{}
-
-// Verify does the actual check.
-// N.B. We have not been able to make this work in a way that is compatible
-// with PyCrypto.
-func (v RSAPyCryptoVerifier) Verify(key data.PublicKey, sig []byte, msg []byte) error {
-	digest := sha256.Sum256(msg)
-	if key.Algorithm() != data.RSAKey {
-		return ErrInvalidKeyType{}
-	}
-
-	k, _ := pem.Decode([]byte(key.Public()))
-	if k == nil {
-		logrus.Debugf("failed to decode PEM-encoded x509 certificate")
-		return ErrInvalid
-	}
-
-	pub, err := x509.ParsePKIXPublicKey(k.Bytes)
-	if err != nil {
-		logrus.Debugf("failed to parse public key: %s\n", err)
-		return ErrInvalid
-	}
-
-	return verifyPSS(pub, digest[:], sig)
-}
-
-// ECDSAVerifier checks ECDSA signatures, decoding the keyType appropriately
-type ECDSAVerifier struct{}
-
-// Verify does the actual check.
-func (v ECDSAVerifier) Verify(key data.PublicKey, sig []byte, msg []byte) error {
-	algorithm := key.Algorithm()
-	var pubKey crypto.PublicKey
-
-	switch algorithm {
-	case data.ECDSAx509Key:
-		pemCert, _ := pem.Decode([]byte(key.Public()))
-		if pemCert == nil {
-			logrus.Debugf("failed to decode PEM-encoded x509 certificate for keyID: %s", key.ID())
-			logrus.Debugf("certificate bytes: %s", string(key.Public()))
-			return ErrInvalid
-		}
-		cert, err := x509.ParseCertificate(pemCert.Bytes)
-		if err != nil {
-			logrus.Debugf("failed to parse x509 certificate: %s\n", err)
-			return ErrInvalid
-		}
-		pubKey = cert.PublicKey
-	case data.ECDSAKey:
-		var err error
-		pubKey, err = x509.ParsePKIXPublicKey(key.Public())
-		if err != nil {
-			logrus.Debugf("Failed to parse private key for keyID: %s, %s\n", key.ID(), err)
-			return ErrInvalid
-		}
-	default:
-		// only accept ECDSA keys.
-		logrus.Debugf("invalid key type for ECDSA verifier: %s", algorithm)
-		return ErrInvalidKeyType{}
-	}
-
-	ecdsaPubKey, ok := pubKey.(*ecdsa.PublicKey)
-	if !ok {
-		logrus.Debugf("value isn't an ECDSA public key")
-		return ErrInvalid
-	}
-
-	sigLength := len(sig)
-	expectedOctetLength := 2 * ((ecdsaPubKey.Params().BitSize + 7) >> 3)
-	if sigLength != expectedOctetLength {
-		logrus.Debugf("signature had an unexpected length")
-		return ErrInvalid
-	}
-
-	rBytes, sBytes := sig[:sigLength/2], sig[sigLength/2:]
-	r := new(big.Int).SetBytes(rBytes)
-	s := new(big.Int).SetBytes(sBytes)
-
-	digest := sha256.Sum256(msg)
-
-	if !ecdsa.Verify(ecdsaPubKey, digest[:], r, s) {
-		logrus.Debugf("failed ECDSA signature validation")
-		return ErrInvalid
-	}
-
-	return nil
-}

vendor/github.com/docker/notary/tuf/signed/verify.go

@@ -1,112 +0,0 @@
-package signed
-
-import (
-	"errors"
-	"fmt"
-	"strings"
-	"time"
-
-	"github.com/Sirupsen/logrus"
-	"github.com/docker/go/canonical/json"
-	"github.com/docker/notary/tuf/data"
-)
-
-// Various basic signing errors
-var (
-	ErrMissingKey   = errors.New("tuf: missing key")
-	ErrNoSignatures = errors.New("tuf: data has no signatures")
-	ErrInvalid      = errors.New("tuf: signature verification failed")
-	ErrWrongMethod  = errors.New("tuf: invalid signature type")
-	ErrUnknownRole  = errors.New("tuf: unknown role")
-	ErrWrongType    = errors.New("tuf: meta file has wrong type")
-)
-
-// IsExpired checks if the given time passed before the present time
-func IsExpired(t time.Time) bool {
-	return t.Before(time.Now())
-}
-
-// VerifyExpiry returns ErrExpired if the metadata is expired
-func VerifyExpiry(s *data.SignedCommon, role string) error {
-	if IsExpired(s.Expires) {
-		logrus.Errorf("Metadata for %s expired", role)
-		return ErrExpired{Role: role, Expired: s.Expires.Format("Mon Jan 2 15:04:05 MST 2006")}
-	}
-	return nil
-}
-
-// VerifyVersion returns ErrLowVersion if the metadata version is lower than the min version
-func VerifyVersion(s *data.SignedCommon, minVersion int) error {
-	if s.Version < minVersion {
-		return ErrLowVersion{Actual: s.Version, Current: minVersion}
-	}
-	return nil
-}
-
-// VerifySignatures checks the we have sufficient valid signatures for the given role
-func VerifySignatures(s *data.Signed, roleData data.BaseRole) error {
-	if len(s.Signatures) == 0 {
-		return ErrNoSignatures
-	}
-
-	if roleData.Threshold < 1 {
-		return ErrRoleThreshold{}
-	}
-	logrus.Debugf("%s role has key IDs: %s", roleData.Name, strings.Join(roleData.ListKeyIDs(), ","))
-
-	// remarshal the signed part so we can verify the signature, since the signature has
-	// to be of a canonically marshalled signed object
-	var decoded map[string]interface{}
-	if err := json.Unmarshal(*s.Signed, &decoded); err != nil {
-		return err
-	}
-	msg, err := json.MarshalCanonical(decoded)
-	if err != nil {
-		return err
-	}
-
-	valid := make(map[string]struct{})
-	for i := range s.Signatures {
-		sig := &(s.Signatures[i])
-		logrus.Debug("verifying signature for key ID: ", sig.KeyID)
-		key, ok := roleData.Keys[sig.KeyID]
-		if !ok {
-			logrus.Debugf("continuing b/c keyid lookup was nil: %s\n", sig.KeyID)
-			continue
-		}
-		// Check that the signature key ID actually matches the content ID of the key
-		if key.ID() != sig.KeyID {
-			return ErrInvalidKeyID{}
-		}
-		if err := VerifySignature(msg, sig, key); err != nil {
-			logrus.Debugf("continuing b/c %s", err.Error())
-			continue
-		}
-		valid[sig.KeyID] = struct{}{}
-	}
-	if len(valid) < roleData.Threshold {
-		return ErrRoleThreshold{
-			Msg: fmt.Sprintf("valid signatures did not meet threshold for %s", roleData.Name),
-		}
-	}
-
-	return nil
-}
-
-// VerifySignature checks a single signature and public key against a payload
-// If the signature is verified, the signature's is valid field will actually
-// be mutated to be equal to the boolean true
-func VerifySignature(msg []byte, sig *data.Signature, pk data.PublicKey) error {
-	// method lookup is consistent due to Unmarshal JSON doing lower case for us.
-	method := sig.Method
-	verifier, ok := Verifiers[method]
-	if !ok {
-		return fmt.Errorf("signing method is not supported: %s\n", sig.Method)
-	}
-
-	if err := verifier.Verify(pk, sig.Signature, msg); err != nil {
-		return fmt.Errorf("signature was invalid\n")
-	}
-	sig.IsValid = true
-	return nil
-}

vendor/github.com/docker/notary/tuf/tuf.go

@@ -1,1148 +0,0 @@
-// Package tuf defines the core TUF logic around manipulating a repo.
-package tuf
-
-import (
-	"bytes"
-	"encoding/json"
-	"fmt"
-	"path"
-	"sort"
-	"strconv"
-	"strings"
-	"time"
-
-	"github.com/Sirupsen/logrus"
-	"github.com/docker/notary"
-	"github.com/docker/notary/tuf/data"
-	"github.com/docker/notary/tuf/signed"
-	"github.com/docker/notary/tuf/utils"
-)
-
-// ErrSigVerifyFail - signature verification failed
-type ErrSigVerifyFail struct{}
-
-func (e ErrSigVerifyFail) Error() string {
-	return "Error: Signature verification failed"
-}
-
-// ErrMetaExpired - metadata file has expired
-type ErrMetaExpired struct{}
-
-func (e ErrMetaExpired) Error() string {
-	return "Error: Metadata has expired"
-}
-
-// ErrLocalRootExpired - the local root file is out of date
-type ErrLocalRootExpired struct{}
-
-func (e ErrLocalRootExpired) Error() string {
-	return "Error: Local Root Has Expired"
-}
-
-// ErrNotLoaded - attempted to access data that has not been loaded into
-// the repo. This means specifically that the relevant JSON file has not
-// been loaded.
-type ErrNotLoaded struct {
-	Role string
-}
-
-func (err ErrNotLoaded) Error() string {
-	return fmt.Sprintf("%s role has not been loaded", err.Role)
-}
-
-// StopWalk - used by visitor functions to signal WalkTargets to stop walking
-type StopWalk struct{}
-
-// Repo is an in memory representation of the TUF Repo.
-// It operates at the data.Signed level, accepting and producing
-// data.Signed objects. Users of a Repo are responsible for
-// fetching raw JSON and using the Set* functions to populate
-// the Repo instance.
-type Repo struct {
-	Root          *data.SignedRoot
-	Targets       map[string]*data.SignedTargets
-	Snapshot      *data.SignedSnapshot
-	Timestamp     *data.SignedTimestamp
-	cryptoService signed.CryptoService
-
-	// Because Repo is a mutable structure, these keep track of what the root
-	// role was when a root is set on the repo (as opposed to what it might be
-	// after things like AddBaseKeys and RemoveBaseKeys have been called on it).
-	// If we know what the original was, we'll if and how to handle root
-	// rotations.
-	originalRootRole data.BaseRole
-}
-
-// NewRepo initializes a Repo instance with a CryptoService.
-// If the Repo will only be used for reading, the CryptoService
-// can be nil.
-func NewRepo(cryptoService signed.CryptoService) *Repo {
-	return &Repo{
-		Targets:       make(map[string]*data.SignedTargets),
-		cryptoService: cryptoService,
-	}
-}
-
-// AddBaseKeys is used to add keys to the role in root.json
-func (tr *Repo) AddBaseKeys(role string, keys ...data.PublicKey) error {
-	if tr.Root == nil {
-		return ErrNotLoaded{Role: data.CanonicalRootRole}
-	}
-	ids := []string{}
-	for _, k := range keys {
-		// Store only the public portion
-		tr.Root.Signed.Keys[k.ID()] = k
-		tr.Root.Signed.Roles[role].KeyIDs = append(tr.Root.Signed.Roles[role].KeyIDs, k.ID())
-		ids = append(ids, k.ID())
-	}
-	tr.Root.Dirty = true
-
-	// also, whichever role was switched out needs to be re-signed
-	// root has already been marked dirty.
-	switch role {
-	case data.CanonicalSnapshotRole:
-		if tr.Snapshot != nil {
-			tr.Snapshot.Dirty = true
-		}
-	case data.CanonicalTargetsRole:
-		if target, ok := tr.Targets[data.CanonicalTargetsRole]; ok {
-			target.Dirty = true
-		}
-	case data.CanonicalTimestampRole:
-		if tr.Timestamp != nil {
-			tr.Timestamp.Dirty = true
-		}
-	}
-	return nil
-}
-
-// ReplaceBaseKeys is used to replace all keys for the given role with the new keys
-func (tr *Repo) ReplaceBaseKeys(role string, keys ...data.PublicKey) error {
-	r, err := tr.GetBaseRole(role)
-	if err != nil {
-		return err
-	}
-	err = tr.RemoveBaseKeys(role, r.ListKeyIDs()...)
-	if err != nil {
-		return err
-	}
-	return tr.AddBaseKeys(role, keys...)
-}
-
-// RemoveBaseKeys is used to remove keys from the roles in root.json
-func (tr *Repo) RemoveBaseKeys(role string, keyIDs ...string) error {
-	if tr.Root == nil {
-		return ErrNotLoaded{Role: data.CanonicalRootRole}
-	}
-	var keep []string
-	toDelete := make(map[string]struct{})
-	emptyStruct := struct{}{}
-	// remove keys from specified role
-	for _, k := range keyIDs {
-		toDelete[k] = emptyStruct
-	}
-
-	oldKeyIDs := tr.Root.Signed.Roles[role].KeyIDs
-	for _, rk := range oldKeyIDs {
-		if _, ok := toDelete[rk]; !ok {
-			keep = append(keep, rk)
-		}
-	}
-
-	tr.Root.Signed.Roles[role].KeyIDs = keep
-
-	// also, whichever role had keys removed needs to be re-signed
-	// root has already been marked dirty.
-	switch role {
-	case data.CanonicalSnapshotRole:
-		if tr.Snapshot != nil {
-			tr.Snapshot.Dirty = true
-		}
-	case data.CanonicalTargetsRole:
-		if target, ok := tr.Targets[data.CanonicalTargetsRole]; ok {
-			target.Dirty = true
-		}
-	case data.CanonicalTimestampRole:
-		if tr.Timestamp != nil {
-			tr.Timestamp.Dirty = true
-		}
-	}
-
-	// determine which keys are no longer in use by any roles
-	for roleName, r := range tr.Root.Signed.Roles {
-		if roleName == role {
-			continue
-		}
-		for _, rk := range r.KeyIDs {
-			if _, ok := toDelete[rk]; ok {
-				delete(toDelete, rk)
-			}
-		}
-	}
-
-	// Remove keys no longer in use by any roles, except for root keys.
-	// Root private keys must be kept in tr.cryptoService to be able to sign
-	// for rotation, and root certificates must be kept in tr.Root.SignedKeys
-	// because we are not necessarily storing them elsewhere (tuf.Repo does not
-	// depend on certs.Manager, that is an upper layer), and without storing
-	// the certificates in their x509 form we are not able to do the
-	// util.CanonicalKeyID conversion.
-	if role != data.CanonicalRootRole {
-		for k := range toDelete {
-			delete(tr.Root.Signed.Keys, k)
-			tr.cryptoService.RemoveKey(k)
-		}
-	}
-	tr.Root.Dirty = true
-	return nil
-}
-
-// GetBaseRole gets a base role from this repo's metadata
-func (tr *Repo) GetBaseRole(name string) (data.BaseRole, error) {
-	if !data.ValidRole(name) {
-		return data.BaseRole{}, data.ErrInvalidRole{Role: name, Reason: "invalid base role name"}
-	}
-	if tr.Root == nil {
-		return data.BaseRole{}, ErrNotLoaded{data.CanonicalRootRole}
-	}
-	// Find the role data public keys for the base role from TUF metadata
-	baseRole, err := tr.Root.BuildBaseRole(name)
-	if err != nil {
-		return data.BaseRole{}, err
-	}
-
-	return baseRole, nil
-}
-
-// GetDelegationRole gets a delegation role from this repo's metadata, walking from the targets role down to the delegation itself
-func (tr *Repo) GetDelegationRole(name string) (data.DelegationRole, error) {
-	if !data.IsDelegation(name) {
-		return data.DelegationRole{}, data.ErrInvalidRole{Role: name, Reason: "invalid delegation name"}
-	}
-	if tr.Root == nil {
-		return data.DelegationRole{}, ErrNotLoaded{data.CanonicalRootRole}
-	}
-	_, ok := tr.Root.Signed.Roles[data.CanonicalTargetsRole]
-	if !ok {
-		return data.DelegationRole{}, ErrNotLoaded{data.CanonicalTargetsRole}
-	}
-	// Traverse target metadata, down to delegation itself
-	// Get all public keys for the base role from TUF metadata
-	_, ok = tr.Targets[data.CanonicalTargetsRole]
-	if !ok {
-		return data.DelegationRole{}, ErrNotLoaded{data.CanonicalTargetsRole}
-	}
-
-	// Start with top level roles in targets. Walk the chain of ancestors
-	// until finding the desired role, or we run out of targets files to search.
-	var foundRole *data.DelegationRole
-	buildDelegationRoleVisitor := func(tgt *data.SignedTargets, validRole data.DelegationRole) interface{} {
-		// Try to find the delegation and build a DelegationRole structure
-		for _, role := range tgt.Signed.Delegations.Roles {
-			if role.Name == name {
-				delgRole, err := tgt.BuildDelegationRole(name)
-				if err != nil {
-					return err
-				}
-				// Check all public key certificates in the role for expiry
-				// Currently we do not reject expired delegation keys but warn if they might expire soon or have already
-				for keyID, pubKey := range delgRole.Keys {
-					certFromKey, err := utils.LoadCertFromPEM(pubKey.Public())
-					if err != nil {
-						continue
-					}
-					if err := utils.ValidateCertificate(certFromKey, true); err != nil {
-						if _, ok := err.(data.ErrCertExpired); !ok {
-							// do not allow other invalid cert errors
-							return err
-						}
-						logrus.Warnf("error with delegation %s key ID %d: %s", delgRole.Name, keyID, err)
-					}
-				}
-				foundRole = &delgRole
-				return StopWalk{}
-			}
-		}
-		return nil
-	}
-
-	// Walk to the parent of this delegation, since that is where its role metadata exists
-	err := tr.WalkTargets("", path.Dir(name), buildDelegationRoleVisitor)
-	if err != nil {
-		return data.DelegationRole{}, err
-	}
-
-	// We never found the delegation. In the context of this repo it is considered
-	// invalid. N.B. it may be that it existed at one point but an ancestor has since
-	// been modified/removed.
-	if foundRole == nil {
-		return data.DelegationRole{}, data.ErrInvalidRole{Role: name, Reason: "delegation does not exist"}
-	}
-
-	return *foundRole, nil
-}
-
-// GetAllLoadedRoles returns a list of all role entries loaded in this TUF repo, could be empty
-func (tr *Repo) GetAllLoadedRoles() []*data.Role {
-	var res []*data.Role
-	if tr.Root == nil {
-		// if root isn't loaded, we should consider we have no loaded roles because we can't
-		// trust any other state that might be present
-		return res
-	}
-	for name, rr := range tr.Root.Signed.Roles {
-		res = append(res, &data.Role{
-			RootRole: *rr,
-			Name:     name,
-		})
-	}
-	for _, delegate := range tr.Targets {
-		for _, r := range delegate.Signed.Delegations.Roles {
-			res = append(res, r)
-		}
-	}
-	return res
-}
-
-// Walk to parent, and either create or update this delegation.  We can only create a new delegation if we're given keys
-// Ensure all updates are valid, by checking against parent ancestor paths and ensuring the keys meet the role threshold.
-func delegationUpdateVisitor(roleName string, addKeys data.KeyList, removeKeys, addPaths, removePaths []string, clearAllPaths bool, newThreshold int) walkVisitorFunc {
-	return func(tgt *data.SignedTargets, validRole data.DelegationRole) interface{} {
-		var err error
-		// Validate the changes underneath this restricted validRole for adding paths, reject invalid path additions
-		if len(addPaths) != len(data.RestrictDelegationPathPrefixes(validRole.Paths, addPaths)) {
-			return data.ErrInvalidRole{Role: roleName, Reason: "invalid paths to add to role"}
-		}
-		// Try to find the delegation and amend it using our changelist
-		var delgRole *data.Role
-		for _, role := range tgt.Signed.Delegations.Roles {
-			if role.Name == roleName {
-				// Make a copy and operate on this role until we validate the changes
-				keyIDCopy := make([]string, len(role.KeyIDs))
-				copy(keyIDCopy, role.KeyIDs)
-				pathsCopy := make([]string, len(role.Paths))
-				copy(pathsCopy, role.Paths)
-				delgRole = &data.Role{
-					RootRole: data.RootRole{
-						KeyIDs:    keyIDCopy,
-						Threshold: role.Threshold,
-					},
-					Name:  role.Name,
-					Paths: pathsCopy,
-				}
-				delgRole.RemovePaths(removePaths)
-				if clearAllPaths {
-					delgRole.Paths = []string{}
-				}
-				delgRole.AddPaths(addPaths)
-				delgRole.RemoveKeys(removeKeys)
-				break
-			}
-		}
-		// We didn't find the role earlier, so create it.
-		if addKeys == nil {
-			addKeys = data.KeyList{} // initialize to empty list if necessary so calling .IDs() below won't panic
-		}
-		if delgRole == nil {
-			delgRole, err = data.NewRole(roleName, newThreshold, addKeys.IDs(), addPaths)
-			if err != nil {
-				return err
-			}
-
-		}
-		// Add the key IDs to the role and the keys themselves to the parent
-		for _, k := range addKeys {
-			if !utils.StrSliceContains(delgRole.KeyIDs, k.ID()) {
-				delgRole.KeyIDs = append(delgRole.KeyIDs, k.ID())
-			}
-		}
-		// Make sure we have a valid role still
-		if len(delgRole.KeyIDs) < delgRole.Threshold {
-			logrus.Warnf("role %s has fewer keys than its threshold of %d; it will not be usable until keys are added to it", delgRole.Name, delgRole.Threshold)
-		}
-		// NOTE: this closure CANNOT error after this point, as we've committed to editing the SignedTargets metadata in the repo object.
-		// Any errors related to updating this delegation must occur before this point.
-		// If all of our changes were valid, we should edit the actual SignedTargets to match our copy
-		for _, k := range addKeys {
-			tgt.Signed.Delegations.Keys[k.ID()] = k
-		}
-		foundAt := utils.FindRoleIndex(tgt.Signed.Delegations.Roles, delgRole.Name)
-		if foundAt < 0 {
-			tgt.Signed.Delegations.Roles = append(tgt.Signed.Delegations.Roles, delgRole)
-		} else {
-			tgt.Signed.Delegations.Roles[foundAt] = delgRole
-		}
-		tgt.Dirty = true
-		utils.RemoveUnusedKeys(tgt)
-		return StopWalk{}
-	}
-}
-
-// UpdateDelegationKeys updates the appropriate delegations, either adding
-// a new delegation or updating an existing one. If keys are
-// provided, the IDs will be added to the role (if they do not exist
-// there already), and the keys will be added to the targets file.
-func (tr *Repo) UpdateDelegationKeys(roleName string, addKeys data.KeyList, removeKeys []string, newThreshold int) error {
-	if !data.IsDelegation(roleName) {
-		return data.ErrInvalidRole{Role: roleName, Reason: "not a valid delegated role"}
-	}
-	parent := path.Dir(roleName)
-
-	if err := tr.VerifyCanSign(parent); err != nil {
-		return err
-	}
-
-	// check the parent role's metadata
-	_, ok := tr.Targets[parent]
-	if !ok { // the parent targetfile may not exist yet - if not, then create it
-		var err error
-		_, err = tr.InitTargets(parent)
-		if err != nil {
-			return err
-		}
-	}
-
-	// Walk to the parent of this delegation, since that is where its role metadata exists
-	// We do not have to verify that the walker reached its desired role in this scenario
-	// since we've already done another walk to the parent role in VerifyCanSign, and potentially made a targets file
-	return tr.WalkTargets("", parent, delegationUpdateVisitor(roleName, addKeys, removeKeys, []string{}, []string{}, false, newThreshold))
-}
-
-// PurgeDelegationKeys removes the provided canonical key IDs from all delegations
-// present in the subtree rooted at role. The role argument must be provided in a wildcard
-// format, i.e. targets/* would remove the key from all delegations in the repo
-func (tr *Repo) PurgeDelegationKeys(role string, removeKeys []string) error {
-	if !data.IsWildDelegation(role) {
-		return data.ErrInvalidRole{
-			Role:   role,
-			Reason: "only wildcard roles can be used in a purge",
-		}
-	}
-
-	removeIDs := make(map[string]struct{})
-	for _, id := range removeKeys {
-		removeIDs[id] = struct{}{}
-	}
-
-	start := path.Dir(role)
-	tufIDToCanon := make(map[string]string)
-
-	purgeKeys := func(tgt *data.SignedTargets, validRole data.DelegationRole) interface{} {
-		var (
-			deleteCandidates []string
-			err              error
-		)
-		for id, key := range tgt.Signed.Delegations.Keys {
-			var (
-				canonID string
-				ok      bool
-			)
-			if canonID, ok = tufIDToCanon[id]; !ok {
-				canonID, err = utils.CanonicalKeyID(key)
-				if err != nil {
-					return err
-				}
-				tufIDToCanon[id] = canonID
-			}
-			if _, ok := removeIDs[canonID]; ok {
-				deleteCandidates = append(deleteCandidates, id)
-			}
-		}
-		if len(deleteCandidates) == 0 {
-			// none of the interesting keys were present. We're done with this role
-			return nil
-		}
-		// now we know there are changes, check if we'll be able to sign them in
-		if err := tr.VerifyCanSign(validRole.Name); err != nil {
-			logrus.Warnf(
-				"role %s contains keys being purged but you do not have the necessary keys present to sign it; keys will not be purged from %s or its immediate children",
-				validRole.Name,
-				validRole.Name,
-			)
-			return nil
-		}
-		// we know we can sign in the changes, delete the keys
-		for _, id := range deleteCandidates {
-			delete(tgt.Signed.Delegations.Keys, id)
-		}
-		// delete candidate keys from all roles.
-		for _, role := range tgt.Signed.Delegations.Roles {
-			role.RemoveKeys(deleteCandidates)
-			if len(role.KeyIDs) < role.Threshold {
-				logrus.Warnf("role %s has fewer keys than its threshold of %d; it will not be usable until keys are added to it", role.Name, role.Threshold)
-			}
-		}
-		tgt.Dirty = true
-		return nil
-	}
-	return tr.WalkTargets("", start, purgeKeys)
-}
-
-// UpdateDelegationPaths updates the appropriate delegation's paths.
-// It is not allowed to create a new delegation.
-func (tr *Repo) UpdateDelegationPaths(roleName string, addPaths, removePaths []string, clearPaths bool) error {
-	if !data.IsDelegation(roleName) {
-		return data.ErrInvalidRole{Role: roleName, Reason: "not a valid delegated role"}
-	}
-	parent := path.Dir(roleName)
-
-	if err := tr.VerifyCanSign(parent); err != nil {
-		return err
-	}
-
-	// check the parent role's metadata
-	_, ok := tr.Targets[parent]
-	if !ok { // the parent targetfile may not exist yet
-		// if not, this is an error because a delegation must exist to edit only paths
-		return data.ErrInvalidRole{Role: roleName, Reason: "no valid delegated role exists"}
-	}
-
-	// Walk to the parent of this delegation, since that is where its role metadata exists
-	// We do not have to verify that the walker reached its desired role in this scenario
-	// since we've already done another walk to the parent role in VerifyCanSign
-	err := tr.WalkTargets("", parent, delegationUpdateVisitor(roleName, data.KeyList{}, []string{}, addPaths, removePaths, clearPaths, notary.MinThreshold))
-	if err != nil {
-		return err
-	}
-	return nil
-}
-
-// DeleteDelegation removes a delegated targets role from its parent
-// targets object. It also deletes the delegation from the snapshot.
-// DeleteDelegation will only make use of the role Name field.
-func (tr *Repo) DeleteDelegation(roleName string) error {
-	if !data.IsDelegation(roleName) {
-		return data.ErrInvalidRole{Role: roleName, Reason: "not a valid delegated role"}
-	}
-
-	parent := path.Dir(roleName)
-	if err := tr.VerifyCanSign(parent); err != nil {
-		return err
-	}
-
-	// delete delegated data from Targets map and Snapshot - if they don't
-	// exist, these are no-op
-	delete(tr.Targets, roleName)
-	tr.Snapshot.DeleteMeta(roleName)
-
-	p, ok := tr.Targets[parent]
-	if !ok {
-		// if there is no parent metadata (the role exists though), then this
-		// is as good as done.
-		return nil
-	}
-
-	foundAt := utils.FindRoleIndex(p.Signed.Delegations.Roles, roleName)
-
-	if foundAt >= 0 {
-		var roles []*data.Role
-		// slice out deleted role
-		roles = append(roles, p.Signed.Delegations.Roles[:foundAt]...)
-		if foundAt+1 < len(p.Signed.Delegations.Roles) {
-			roles = append(roles, p.Signed.Delegations.Roles[foundAt+1:]...)
-		}
-		p.Signed.Delegations.Roles = roles
-
-		utils.RemoveUnusedKeys(p)
-
-		p.Dirty = true
-	} // if the role wasn't found, it's a good as deleted
-
-	return nil
-}
-
-// InitRoot initializes an empty root file with the 4 core roles passed to the
-// method, and the consistent flag.
-func (tr *Repo) InitRoot(root, timestamp, snapshot, targets data.BaseRole, consistent bool) error {
-	rootRoles := make(map[string]*data.RootRole)
-	rootKeys := make(map[string]data.PublicKey)
-
-	for _, r := range []data.BaseRole{root, timestamp, snapshot, targets} {
-		rootRoles[r.Name] = &data.RootRole{
-			Threshold: r.Threshold,
-			KeyIDs:    r.ListKeyIDs(),
-		}
-		for kid, k := range r.Keys {
-			rootKeys[kid] = k
-		}
-	}
-	r, err := data.NewRoot(rootKeys, rootRoles, consistent)
-	if err != nil {
-		return err
-	}
-	tr.Root = r
-	tr.originalRootRole = root
-	return nil
-}
-
-// InitTargets initializes an empty targets, and returns the new empty target
-func (tr *Repo) InitTargets(role string) (*data.SignedTargets, error) {
-	if !data.IsDelegation(role) && role != data.CanonicalTargetsRole {
-		return nil, data.ErrInvalidRole{
-			Role:   role,
-			Reason: fmt.Sprintf("role is not a valid targets role name: %s", role),
-		}
-	}
-	targets := data.NewTargets()
-	tr.Targets[role] = targets
-	return targets, nil
-}
-
-// InitSnapshot initializes a snapshot based on the current root and targets
-func (tr *Repo) InitSnapshot() error {
-	if tr.Root == nil {
-		return ErrNotLoaded{Role: data.CanonicalRootRole}
-	}
-	root, err := tr.Root.ToSigned()
-	if err != nil {
-		return err
-	}
-
-	if _, ok := tr.Targets[data.CanonicalTargetsRole]; !ok {
-		return ErrNotLoaded{Role: data.CanonicalTargetsRole}
-	}
-	targets, err := tr.Targets[data.CanonicalTargetsRole].ToSigned()
-	if err != nil {
-		return err
-	}
-	snapshot, err := data.NewSnapshot(root, targets)
-	if err != nil {
-		return err
-	}
-	tr.Snapshot = snapshot
-	return nil
-}
-
-// InitTimestamp initializes a timestamp based on the current snapshot
-func (tr *Repo) InitTimestamp() error {
-	snap, err := tr.Snapshot.ToSigned()
-	if err != nil {
-		return err
-	}
-	timestamp, err := data.NewTimestamp(snap)
-	if err != nil {
-		return err
-	}
-
-	tr.Timestamp = timestamp
-	return nil
-}
-
-// TargetMeta returns the FileMeta entry for the given path in the
-// targets file associated with the given role. This may be nil if
-// the target isn't found in the targets file.
-func (tr Repo) TargetMeta(role, path string) *data.FileMeta {
-	if t, ok := tr.Targets[role]; ok {
-		if m, ok := t.Signed.Targets[path]; ok {
-			return &m
-		}
-	}
-	return nil
-}
-
-// TargetDelegations returns a slice of Roles that are valid publishers
-// for the target path provided.
-func (tr Repo) TargetDelegations(role, path string) []*data.Role {
-	var roles []*data.Role
-	if t, ok := tr.Targets[role]; ok {
-		for _, r := range t.Signed.Delegations.Roles {
-			if r.CheckPaths(path) {
-				roles = append(roles, r)
-			}
-		}
-	}
-	return roles
-}
-
-// VerifyCanSign returns nil if the role exists and we have at least one
-// signing key for the role, false otherwise.  This does not check that we have
-// enough signing keys to meet the threshold, since we want to support the use
-// case of multiple signers for a role.  It returns an error if the role doesn't
-// exist or if there are no signing keys.
-func (tr *Repo) VerifyCanSign(roleName string) error {
-	var (
-		role            data.BaseRole
-		err             error
-		canonicalKeyIDs []string
-	)
-	// we only need the BaseRole part of a delegation because we're just
-	// checking KeyIDs
-	if data.IsDelegation(roleName) {
-		r, err := tr.GetDelegationRole(roleName)
-		if err != nil {
-			return err
-		}
-		role = r.BaseRole
-	} else {
-		role, err = tr.GetBaseRole(roleName)
-	}
-	if err != nil {
-		return data.ErrInvalidRole{Role: roleName, Reason: "does not exist"}
-	}
-
-	for keyID, k := range role.Keys {
-		check := []string{keyID}
-		if canonicalID, err := utils.CanonicalKeyID(k); err == nil {
-			check = append(check, canonicalID)
-			canonicalKeyIDs = append(canonicalKeyIDs, canonicalID)
-		}
-		for _, id := range check {
-			p, _, err := tr.cryptoService.GetPrivateKey(id)
-			if err == nil && p != nil {
-				return nil
-			}
-		}
-	}
-	return signed.ErrNoKeys{KeyIDs: canonicalKeyIDs}
-}
-
-// used for walking the targets/delegations tree, potentially modifying the underlying SignedTargets for the repo
-type walkVisitorFunc func(*data.SignedTargets, data.DelegationRole) interface{}
-
-// WalkTargets will apply the specified visitor function to iteratively walk the targets/delegation metadata tree,
-// until receiving a StopWalk.  The walk starts from the base "targets" role, and searches for the correct targetPath and/or rolePath
-// to call the visitor function on.  Any roles passed into skipRoles will be excluded from the walk, as well as roles in those subtrees
-func (tr *Repo) WalkTargets(targetPath, rolePath string, visitTargets walkVisitorFunc, skipRoles ...string) error {
-	// Start with the base targets role, which implicitly has the "" targets path
-	targetsRole, err := tr.GetBaseRole(data.CanonicalTargetsRole)
-	if err != nil {
-		return err
-	}
-	// Make the targets role have the empty path, when we treat it as a delegation role
-	roles := []data.DelegationRole{
-		{
-			BaseRole: targetsRole,
-			Paths:    []string{""},
-		},
-	}
-
-	for len(roles) > 0 {
-		role := roles[0]
-		roles = roles[1:]
-
-		// Check the role metadata
-		signedTgt, ok := tr.Targets[role.Name]
-		if !ok {
-			// The role meta doesn't exist in the repo so continue onward
-			continue
-		}
-
-		// We're at a prefix of the desired role subtree, so add its delegation role children and continue walking
-		if strings.HasPrefix(rolePath, role.Name+"/") {
-			roles = append(roles, signedTgt.GetValidDelegations(role)...)
-			continue
-		}
-
-		// Determine whether to visit this role or not:
-		// If the paths validate against the specified targetPath and the rolePath is empty or is in the subtree.
-		// Also check if we are choosing to skip visiting this role on this walk (see ListTargets and GetTargetByName priority)
-		if isValidPath(targetPath, role) && isAncestorRole(role.Name, rolePath) && !utils.StrSliceContains(skipRoles, role.Name) {
-			// If we had matching path or role name, visit this target and determine whether or not to keep walking
-			res := visitTargets(signedTgt, role)
-			switch typedRes := res.(type) {
-			case StopWalk:
-				// If the visitor function signalled a stop, return nil to finish the walk
-				return nil
-			case nil:
-				// If the visitor function signalled to continue, add this role's delegation to the walk
-				roles = append(roles, signedTgt.GetValidDelegations(role)...)
-			case error:
-				// Propagate any errors from the visitor
-				return typedRes
-			default:
-				// Return out with an error if we got a different result
-				return fmt.Errorf("unexpected return while walking: %v", res)
-			}
-
-		}
-	}
-	return nil
-}
-
-// helper function that returns whether the candidateChild role name is an ancestor or equal to the candidateAncestor role name
-// Will return true if given an empty candidateAncestor role name
-// The HasPrefix check is for determining whether the role name for candidateChild is a child (direct or further down the chain)
-// of candidateAncestor, for ex: candidateAncestor targets/a and candidateChild targets/a/b/c
-func isAncestorRole(candidateChild, candidateAncestor string) bool {
-	return candidateAncestor == "" || candidateAncestor == candidateChild || strings.HasPrefix(candidateChild, candidateAncestor+"/")
-}
-
-// helper function that returns whether the delegation Role is valid against the given path
-// Will return true if given an empty candidatePath
-func isValidPath(candidatePath string, delgRole data.DelegationRole) bool {
-	return candidatePath == "" || delgRole.CheckPaths(candidatePath)
-}
-
-// AddTargets will attempt to add the given targets specifically to
-// the directed role. If the metadata for the role doesn't exist yet,
-// AddTargets will create one.
-func (tr *Repo) AddTargets(role string, targets data.Files) (data.Files, error) {
-	err := tr.VerifyCanSign(role)
-	if err != nil {
-		return nil, err
-	}
-
-	// check existence of the role's metadata
-	_, ok := tr.Targets[role]
-	if !ok { // the targetfile may not exist yet - if not, then create it
-		var err error
-		_, err = tr.InitTargets(role)
-		if err != nil {
-			return nil, err
-		}
-	}
-
-	addedTargets := make(data.Files)
-	addTargetVisitor := func(targetPath string, targetMeta data.FileMeta) func(*data.SignedTargets, data.DelegationRole) interface{} {
-		return func(tgt *data.SignedTargets, validRole data.DelegationRole) interface{} {
-			// We've already validated the role's target path in our walk, so just modify the metadata
-			tgt.Signed.Targets[targetPath] = targetMeta
-			tgt.Dirty = true
-			// Also add to our new addedTargets map to keep track of every target we've added successfully
-			addedTargets[targetPath] = targetMeta
-			return StopWalk{}
-		}
-	}
-
-	// Walk the role tree while validating the target paths, and add all of our targets
-	for path, target := range targets {
-		tr.WalkTargets(path, role, addTargetVisitor(path, target))
-	}
-	if len(addedTargets) != len(targets) {
-		return nil, fmt.Errorf("Could not add all targets")
-	}
-	return nil, nil
-}
-
-// RemoveTargets removes the given target (paths) from the given target role (delegation)
-func (tr *Repo) RemoveTargets(role string, targets ...string) error {
-	if err := tr.VerifyCanSign(role); err != nil {
-		return err
-	}
-
-	removeTargetVisitor := func(targetPath string) func(*data.SignedTargets, data.DelegationRole) interface{} {
-		return func(tgt *data.SignedTargets, validRole data.DelegationRole) interface{} {
-			// We've already validated the role path in our walk, so just modify the metadata
-			// We don't check against the target path against the valid role paths because it's
-			// possible we got into an invalid state and are trying to fix it
-			delete(tgt.Signed.Targets, targetPath)
-			tgt.Dirty = true
-			return StopWalk{}
-		}
-	}
-
-	// if the role exists but metadata does not yet, then our work is done
-	_, ok := tr.Targets[role]
-	if ok {
-		for _, path := range targets {
-			tr.WalkTargets("", role, removeTargetVisitor(path))
-		}
-	}
-
-	return nil
-}
-
-// UpdateSnapshot updates the FileMeta for the given role based on the Signed object
-func (tr *Repo) UpdateSnapshot(role string, s *data.Signed) error {
-	jsonData, err := json.Marshal(s)
-	if err != nil {
-		return err
-	}
-	meta, err := data.NewFileMeta(bytes.NewReader(jsonData), data.NotaryDefaultHashes...)
-	if err != nil {
-		return err
-	}
-	tr.Snapshot.Signed.Meta[role] = meta
-	tr.Snapshot.Dirty = true
-	return nil
-}
-
-// UpdateTimestamp updates the snapshot meta in the timestamp based on the Signed object
-func (tr *Repo) UpdateTimestamp(s *data.Signed) error {
-	jsonData, err := json.Marshal(s)
-	if err != nil {
-		return err
-	}
-	meta, err := data.NewFileMeta(bytes.NewReader(jsonData), data.NotaryDefaultHashes...)
-	if err != nil {
-		return err
-	}
-	tr.Timestamp.Signed.Meta[data.CanonicalSnapshotRole] = meta
-	tr.Timestamp.Dirty = true
-	return nil
-}
-
-type versionedRootRole struct {
-	data.BaseRole
-	version int
-}
-
-type versionedRootRoles []versionedRootRole
-
-func (v versionedRootRoles) Len() int           { return len(v) }
-func (v versionedRootRoles) Swap(i, j int)      { v[i], v[j] = v[j], v[i] }
-func (v versionedRootRoles) Less(i, j int) bool { return v[i].version < v[j].version }
-
-// SignRoot signs the root, using all keys from the "root" role (i.e. currently trusted)
-// as well as available keys used to sign the previous version, if the public part is
-// carried in tr.Root.Keys and the private key is available (i.e. probably previously
-// trusted keys, to allow rollover).  If there are any errors, attempt to put root
-// back to the way it was (so version won't be incremented, for instance).
-func (tr *Repo) SignRoot(expires time.Time) (*data.Signed, error) {
-	logrus.Debug("signing root...")
-
-	// duplicate root and attempt to modify it rather than the existing root
-	rootBytes, err := tr.Root.MarshalJSON()
-	if err != nil {
-		return nil, err
-	}
-	tempRoot := data.SignedRoot{}
-	if err := json.Unmarshal(rootBytes, &tempRoot); err != nil {
-		return nil, err
-	}
-
-	currRoot, err := tr.GetBaseRole(data.CanonicalRootRole)
-	if err != nil {
-		return nil, err
-	}
-
-	oldRootRoles := tr.getOldRootRoles()
-
-	var latestSavedRole data.BaseRole
-	rolesToSignWith := make([]data.BaseRole, 0, len(oldRootRoles))
-
-	if len(oldRootRoles) > 0 {
-		sort.Sort(oldRootRoles)
-		for _, vRole := range oldRootRoles {
-			rolesToSignWith = append(rolesToSignWith, vRole.BaseRole)
-		}
-		latest := rolesToSignWith[len(rolesToSignWith)-1]
-		latestSavedRole = data.BaseRole{
-			Name:      data.CanonicalRootRole,
-			Threshold: latest.Threshold,
-			Keys:      latest.Keys,
-		}
-	}
-
-	// If the root role (root keys or root threshold) has changed, save the
-	// previous role under the role name "root.<n>", such that the "n" is the
-	// latest root.json version for which previous root role was valid.
-	// Also, guard against re-saving the previous role if the latest
-	// saved role is the same (which should not happen).
-	// n   = root.json version of the originalRootRole (previous role)
-	// n+1 = root.json version of the currRoot (current role)
-	// n-m = root.json version of latestSavedRole (not necessarily n-1, because the
-	//       last root rotation could have happened several root.json versions ago
-	if !tr.originalRootRole.Equals(currRoot) && !tr.originalRootRole.Equals(latestSavedRole) {
-		rolesToSignWith = append(rolesToSignWith, tr.originalRootRole)
-		latestSavedRole = tr.originalRootRole
-
-		versionName := oldRootVersionName(tempRoot.Signed.Version)
-		tempRoot.Signed.Roles[versionName] = &data.RootRole{
-			KeyIDs: latestSavedRole.ListKeyIDs(), Threshold: latestSavedRole.Threshold}
-	}
-
-	tempRoot.Signed.Expires = expires
-	tempRoot.Signed.Version++
-	rolesToSignWith = append(rolesToSignWith, currRoot)
-
-	signed, err := tempRoot.ToSigned()
-	if err != nil {
-		return nil, err
-	}
-	signed, err = tr.sign(signed, rolesToSignWith, tr.getOptionalRootKeys(rolesToSignWith))
-	if err != nil {
-		return nil, err
-	}
-
-	tr.Root = &tempRoot
-	tr.Root.Signatures = signed.Signatures
-	tr.originalRootRole = currRoot
-	return signed, nil
-}
-
-// get all the saved previous roles < the current root version
-func (tr *Repo) getOldRootRoles() versionedRootRoles {
-	oldRootRoles := make(versionedRootRoles, 0, len(tr.Root.Signed.Roles))
-
-	// now go through the old roles
-	for roleName := range tr.Root.Signed.Roles {
-		// ensure that the rolename matches our format and that the version is
-		// not too high
-		if data.ValidRole(roleName) {
-			continue
-		}
-		nameTokens := strings.Split(roleName, ".")
-		if len(nameTokens) != 2 || nameTokens[0] != data.CanonicalRootRole {
-			continue
-		}
-		version, err := strconv.Atoi(nameTokens[1])
-		if err != nil || version >= tr.Root.Signed.Version {
-			continue
-		}
-
-		// ignore invalid roles, which shouldn't happen
-		oldRole, err := tr.Root.BuildBaseRole(roleName)
-		if err != nil {
-			continue
-		}
-
-		oldRootRoles = append(oldRootRoles, versionedRootRole{BaseRole: oldRole, version: version})
-	}
-
-	return oldRootRoles
-}
-
-// gets any extra optional root keys from the existing root.json signatures
-// (because older repositories that have already done root rotation may not
-// necessarily have older root roles)
-func (tr *Repo) getOptionalRootKeys(signingRoles []data.BaseRole) []data.PublicKey {
-	oldKeysMap := make(map[string]data.PublicKey)
-	for _, oldSig := range tr.Root.Signatures {
-		if k, ok := tr.Root.Signed.Keys[oldSig.KeyID]; ok {
-			oldKeysMap[k.ID()] = k
-		}
-	}
-	for _, role := range signingRoles {
-		for keyID := range role.Keys {
-			delete(oldKeysMap, keyID)
-		}
-	}
-
-	oldKeys := make([]data.PublicKey, 0, len(oldKeysMap))
-	for _, key := range oldKeysMap {
-		oldKeys = append(oldKeys, key)
-	}
-
-	return oldKeys
-}
-
-func oldRootVersionName(version int) string {
-	return fmt.Sprintf("%s.%v", data.CanonicalRootRole, version)
-}
-
-// SignTargets signs the targets file for the given top level or delegated targets role
-func (tr *Repo) SignTargets(role string, expires time.Time) (*data.Signed, error) {
-	logrus.Debugf("sign targets called for role %s", role)
-	if _, ok := tr.Targets[role]; !ok {
-		return nil, data.ErrInvalidRole{
-			Role:   role,
-			Reason: "SignTargets called with non-existent targets role",
-		}
-	}
-	tr.Targets[role].Signed.Expires = expires
-	tr.Targets[role].Signed.Version++
-	signed, err := tr.Targets[role].ToSigned()
-	if err != nil {
-		logrus.Debug("errored getting targets data.Signed object")
-		return nil, err
-	}
-
-	var targets data.BaseRole
-	if role == data.CanonicalTargetsRole {
-		targets, err = tr.GetBaseRole(role)
-	} else {
-		tr, err := tr.GetDelegationRole(role)
-		if err != nil {
-			return nil, err
-		}
-		targets = tr.BaseRole
-	}
-	if err != nil {
-		return nil, err
-	}
-
-	signed, err = tr.sign(signed, []data.BaseRole{targets}, nil)
-	if err != nil {
-		logrus.Debug("errored signing ", role)
-		return nil, err
-	}
-	tr.Targets[role].Signatures = signed.Signatures
-	return signed, nil
-}
-
-// SignSnapshot updates the snapshot based on the current targets and root then signs it
-func (tr *Repo) SignSnapshot(expires time.Time) (*data.Signed, error) {
-	logrus.Debug("signing snapshot...")
-	signedRoot, err := tr.Root.ToSigned()
-	if err != nil {
-		return nil, err
-	}
-	err = tr.UpdateSnapshot(data.CanonicalRootRole, signedRoot)
-	if err != nil {
-		return nil, err
-	}
-	tr.Root.Dirty = false // root dirty until changes captures in snapshot
-	for role, targets := range tr.Targets {
-		signedTargets, err := targets.ToSigned()
-		if err != nil {
-			return nil, err
-		}
-		err = tr.UpdateSnapshot(role, signedTargets)
-		if err != nil {
-			return nil, err
-		}
-		targets.Dirty = false
-	}
-	tr.Snapshot.Signed.Expires = expires
-	tr.Snapshot.Signed.Version++
-	signed, err := tr.Snapshot.ToSigned()
-	if err != nil {
-		return nil, err
-	}
-	snapshot, err := tr.GetBaseRole(data.CanonicalSnapshotRole)
-	if err != nil {
-		return nil, err
-	}
-	signed, err = tr.sign(signed, []data.BaseRole{snapshot}, nil)
-	if err != nil {
-		return nil, err
-	}
-	tr.Snapshot.Signatures = signed.Signatures
-	return signed, nil
-}
-
-// SignTimestamp updates the timestamp based on the current snapshot then signs it
-func (tr *Repo) SignTimestamp(expires time.Time) (*data.Signed, error) {
-	logrus.Debug("SignTimestamp")
-	signedSnapshot, err := tr.Snapshot.ToSigned()
-	if err != nil {
-		return nil, err
-	}
-	err = tr.UpdateTimestamp(signedSnapshot)
-	if err != nil {
-		return nil, err
-	}
-	tr.Timestamp.Signed.Expires = expires
-	tr.Timestamp.Signed.Version++
-	signed, err := tr.Timestamp.ToSigned()
-	if err != nil {
-		return nil, err
-	}
-	timestamp, err := tr.GetBaseRole(data.CanonicalTimestampRole)
-	if err != nil {
-		return nil, err
-	}
-	signed, err = tr.sign(signed, []data.BaseRole{timestamp}, nil)
-	if err != nil {
-		return nil, err
-	}
-	tr.Timestamp.Signatures = signed.Signatures
-	tr.Snapshot.Dirty = false // snapshot is dirty until changes have been captured in timestamp
-	return signed, nil
-}
-
-func (tr Repo) sign(signedData *data.Signed, roles []data.BaseRole, optionalKeys []data.PublicKey) (*data.Signed, error) {
-	validKeys := optionalKeys
-	for _, r := range roles {
-		roleKeys := r.ListKeys()
-		validKeys = append(roleKeys, validKeys...)
-		if err := signed.Sign(tr.cryptoService, signedData, roleKeys, r.Threshold, validKeys); err != nil {
-			return nil, err
-		}
-	}
-	// Attempt to sign with the optional keys, but ignore any errors, because these keys are optional
-	signed.Sign(tr.cryptoService, signedData, optionalKeys, 0, validKeys)
-
-	return signedData, nil
-}

vendor/github.com/docker/notary/tuf/utils/role_sort.go

@@ -1,31 +0,0 @@
-package utils
-
-import (
-	"strings"
-)
-
-// RoleList is a list of roles
-type RoleList []string
-
-// Len returns the length of the list
-func (r RoleList) Len() int {
-	return len(r)
-}
-
-// Less returns true if the item at i should be sorted
-// before the item at j. It's an unstable partial ordering
-// based on the number of segments, separated by "/", in
-// the role name
-func (r RoleList) Less(i, j int) bool {
-	segsI := strings.Split(r[i], "/")
-	segsJ := strings.Split(r[j], "/")
-	if len(segsI) == len(segsJ) {
-		return r[i] < r[j]
-	}
-	return len(segsI) < len(segsJ)
-}
-
-// Swap the items at 2 locations in the list
-func (r RoleList) Swap(i, j int) {
-	r[i], r[j] = r[j], r[i]
-}

vendor/github.com/docker/notary/tuf/utils/stack.go

@@ -1,85 +0,0 @@
-package utils
-
-import (
-	"fmt"
-	"sync"
-)
-
-// ErrEmptyStack is used when an action that requires some
-// content is invoked and the stack is empty
-type ErrEmptyStack struct {
-	action string
-}
-
-func (err ErrEmptyStack) Error() string {
-	return fmt.Sprintf("attempted to %s with empty stack", err.action)
-}
-
-// ErrBadTypeCast is used by PopX functions when the item
-// cannot be typed to X
-type ErrBadTypeCast struct{}
-
-func (err ErrBadTypeCast) Error() string {
-	return "attempted to do a typed pop and item was not of type"
-}
-
-// Stack is a simple type agnostic stack implementation
-type Stack struct {
-	s []interface{}
-	l sync.Mutex
-}
-
-// NewStack create a new stack
-func NewStack() *Stack {
-	s := &Stack{
-		s: make([]interface{}, 0),
-	}
-	return s
-}
-
-// Push adds an item to the top of the stack.
-func (s *Stack) Push(item interface{}) {
-	s.l.Lock()
-	defer s.l.Unlock()
-	s.s = append(s.s, item)
-}
-
-// Pop removes and returns the top item on the stack, or returns
-// ErrEmptyStack if the stack has no content
-func (s *Stack) Pop() (interface{}, error) {
-	s.l.Lock()
-	defer s.l.Unlock()
-	l := len(s.s)
-	if l > 0 {
-		item := s.s[l-1]
-		s.s = s.s[:l-1]
-		return item, nil
-	}
-	return nil, ErrEmptyStack{action: "Pop"}
-}
-
-// PopString attempts to cast the top item on the stack to the string type.
-// If this succeeds, it removes and returns the top item. If the item
-// is not of the string type, ErrBadTypeCast is returned. If the stack
-// is empty, ErrEmptyStack is returned
-func (s *Stack) PopString() (string, error) {
-	s.l.Lock()
-	defer s.l.Unlock()
-	l := len(s.s)
-	if l > 0 {
-		item := s.s[l-1]
-		if item, ok := item.(string); ok {
-			s.s = s.s[:l-1]
-			return item, nil
-		}
-		return "", ErrBadTypeCast{}
-	}
-	return "", ErrEmptyStack{action: "PopString"}
-}
-
-// Empty returns true if the stack is empty
-func (s *Stack) Empty() bool {
-	s.l.Lock()
-	defer s.l.Unlock()
-	return len(s.s) == 0
-}

vendor/github.com/docker/notary/tuf/utils/utils.go

@@ -1,152 +0,0 @@
-package utils
-
-import (
-	"crypto/sha256"
-	"crypto/sha512"
-	"crypto/tls"
-	"encoding/hex"
-	"fmt"
-	"io"
-	"net/http"
-	"net/url"
-	"os"
-	"strings"
-
-	"github.com/docker/notary/tuf/data"
-)
-
-// Download does a simple download from a URL
-func Download(url url.URL) (*http.Response, error) {
-	tr := &http.Transport{
-		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
-	}
-	client := &http.Client{Transport: tr}
-	return client.Get(url.String())
-}
-
-// Upload does a simple JSON upload to a URL
-func Upload(url string, body io.Reader) (*http.Response, error) {
-	tr := &http.Transport{
-		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
-	}
-	client := &http.Client{Transport: tr}
-	return client.Post(url, "application/json", body)
-}
-
-// StrSliceContains checks if the given string appears in the slice
-func StrSliceContains(ss []string, s string) bool {
-	for _, v := range ss {
-		if v == s {
-			return true
-		}
-	}
-	return false
-}
-
-// StrSliceRemove removes the the given string from the slice, returning a new slice
-func StrSliceRemove(ss []string, s string) []string {
-	res := []string{}
-	for _, v := range ss {
-		if v != s {
-			res = append(res, v)
-		}
-	}
-	return res
-}
-
-// StrSliceContainsI checks if the given string appears in the slice
-// in a case insensitive manner
-func StrSliceContainsI(ss []string, s string) bool {
-	s = strings.ToLower(s)
-	for _, v := range ss {
-		v = strings.ToLower(v)
-		if v == s {
-			return true
-		}
-	}
-	return false
-}
-
-// FileExists returns true if a file (or dir) exists at the given path,
-// false otherwise
-func FileExists(path string) bool {
-	_, err := os.Stat(path)
-	return os.IsNotExist(err)
-}
-
-// NoopCloser is a simple Reader wrapper that does nothing when Close is
-// called
-type NoopCloser struct {
-	io.Reader
-}
-
-// Close does nothing for a NoopCloser
-func (nc *NoopCloser) Close() error {
-	return nil
-}
-
-// DoHash returns the digest of d using the hashing algorithm named
-// in alg
-func DoHash(alg string, d []byte) []byte {
-	switch alg {
-	case "sha256":
-		digest := sha256.Sum256(d)
-		return digest[:]
-	case "sha512":
-		digest := sha512.Sum512(d)
-		return digest[:]
-	}
-	return nil
-}
-
-// UnusedDelegationKeys prunes a list of keys, returning those that are no
-// longer in use for a given targets file
-func UnusedDelegationKeys(t data.SignedTargets) []string {
-	// compare ids to all still active key ids in all active roles
-	// with the targets file
-	found := make(map[string]bool)
-	for _, r := range t.Signed.Delegations.Roles {
-		for _, id := range r.KeyIDs {
-			found[id] = true
-		}
-	}
-	var discard []string
-	for id := range t.Signed.Delegations.Keys {
-		if !found[id] {
-			discard = append(discard, id)
-		}
-	}
-	return discard
-}
-
-// RemoveUnusedKeys determines which keys in the slice of IDs are no longer
-// used in the given targets file and removes them from the delegated keys
-// map
-func RemoveUnusedKeys(t *data.SignedTargets) {
-	unusedIDs := UnusedDelegationKeys(*t)
-	for _, id := range unusedIDs {
-		delete(t.Signed.Delegations.Keys, id)
-	}
-}
-
-// FindRoleIndex returns the index of the role named <name> or -1 if no
-// matching role is found.
-func FindRoleIndex(rs []*data.Role, name string) int {
-	for i, r := range rs {
-		if r.Name == name {
-			return i
-		}
-	}
-	return -1
-}
-
-// ConsistentName generates the appropriate HTTP URL path for the role,
-// based on whether the repo is marked as consistent. The RemoteStore
-// is responsible for adding file extensions.
-func ConsistentName(role string, hashSha256 []byte) string {
-	if len(hashSha256) > 0 {
-		hash := hex.EncodeToString(hashSha256)
-		return fmt.Sprintf("%s.%s", role, hash)
-	}
-	return role
-}

vendor/github.com/docker/notary/tuf/utils/x509.go

@@ -1,551 +0,0 @@
-package utils
-
-import (
-	"bytes"
-	"crypto/ecdsa"
-	"crypto/elliptic"
-	"crypto/rand"
-	"crypto/rsa"
-	"crypto/x509"
-	"crypto/x509/pkix"
-	"encoding/pem"
-	"errors"
-	"fmt"
-	"io"
-	"io/ioutil"
-	"math/big"
-	"time"
-
-	"github.com/Sirupsen/logrus"
-	"github.com/agl/ed25519"
-	"github.com/docker/notary"
-	"github.com/docker/notary/tuf/data"
-)
-
-// CanonicalKeyID returns the ID of the public bytes version of a TUF key.
-// On regular RSA/ECDSA TUF keys, this is just the key ID.  On X509 RSA/ECDSA
-// TUF keys, this is the key ID of the public key part of the key in the leaf cert
-func CanonicalKeyID(k data.PublicKey) (string, error) {
-	switch k.Algorithm() {
-	case data.ECDSAx509Key, data.RSAx509Key:
-		return X509PublicKeyID(k)
-	default:
-		return k.ID(), nil
-	}
-}
-
-// LoadCertFromPEM returns the first certificate found in a bunch of bytes or error
-// if nothing is found. Taken from https://golang.org/src/crypto/x509/cert_pool.go#L85.
-func LoadCertFromPEM(pemBytes []byte) (*x509.Certificate, error) {
-	for len(pemBytes) > 0 {
-		var block *pem.Block
-		block, pemBytes = pem.Decode(pemBytes)
-		if block == nil {
-			return nil, errors.New("no certificates found in PEM data")
-		}
-		if block.Type != "CERTIFICATE" || len(block.Headers) != 0 {
-			continue
-		}
-
-		cert, err := x509.ParseCertificate(block.Bytes)
-		if err != nil {
-			continue
-		}
-
-		return cert, nil
-	}
-
-	return nil, errors.New("no certificates found in PEM data")
-}
-
-// X509PublicKeyID returns a public key ID as a string, given a
-// data.PublicKey that contains an X509 Certificate
-func X509PublicKeyID(certPubKey data.PublicKey) (string, error) {
-	// Note that this only loads the first certificate from the public key
-	cert, err := LoadCertFromPEM(certPubKey.Public())
-	if err != nil {
-		return "", err
-	}
-	pubKeyBytes, err := x509.MarshalPKIXPublicKey(cert.PublicKey)
-	if err != nil {
-		return "", err
-	}
-
-	var key data.PublicKey
-	switch certPubKey.Algorithm() {
-	case data.ECDSAx509Key:
-		key = data.NewECDSAPublicKey(pubKeyBytes)
-	case data.RSAx509Key:
-		key = data.NewRSAPublicKey(pubKeyBytes)
-	}
-
-	return key.ID(), nil
-}
-
-// ParsePEMPrivateKey returns a data.PrivateKey from a PEM encoded private key. It
-// only supports RSA (PKCS#1) and attempts to decrypt using the passphrase, if encrypted.
-func ParsePEMPrivateKey(pemBytes []byte, passphrase string) (data.PrivateKey, error) {
-	block, _ := pem.Decode(pemBytes)
-	if block == nil {
-		return nil, errors.New("no valid private key found")
-	}
-
-	var privKeyBytes []byte
-	var err error
-	if x509.IsEncryptedPEMBlock(block) {
-		privKeyBytes, err = x509.DecryptPEMBlock(block, []byte(passphrase))
-		if err != nil {
-			return nil, errors.New("could not decrypt private key")
-		}
-	} else {
-		privKeyBytes = block.Bytes
-	}
-
-	switch block.Type {
-	case "RSA PRIVATE KEY":
-		rsaPrivKey, err := x509.ParsePKCS1PrivateKey(privKeyBytes)
-		if err != nil {
-			return nil, fmt.Errorf("could not parse DER encoded key: %v", err)
-		}
-
-		tufRSAPrivateKey, err := RSAToPrivateKey(rsaPrivKey)
-		if err != nil {
-			return nil, fmt.Errorf("could not convert rsa.PrivateKey to data.PrivateKey: %v", err)
-		}
-
-		return tufRSAPrivateKey, nil
-	case "EC PRIVATE KEY":
-		ecdsaPrivKey, err := x509.ParseECPrivateKey(privKeyBytes)
-		if err != nil {
-			return nil, fmt.Errorf("could not parse DER encoded private key: %v", err)
-		}
-
-		tufECDSAPrivateKey, err := ECDSAToPrivateKey(ecdsaPrivKey)
-		if err != nil {
-			return nil, fmt.Errorf("could not convert ecdsa.PrivateKey to data.PrivateKey: %v", err)
-		}
-
-		return tufECDSAPrivateKey, nil
-	case "ED25519 PRIVATE KEY":
-		// We serialize ED25519 keys by concatenating the private key
-		// to the public key and encoding with PEM. See the
-		// ED25519ToPrivateKey function.
-		tufECDSAPrivateKey, err := ED25519ToPrivateKey(privKeyBytes)
-		if err != nil {
-			return nil, fmt.Errorf("could not convert ecdsa.PrivateKey to data.PrivateKey: %v", err)
-		}
-
-		return tufECDSAPrivateKey, nil
-
-	default:
-		return nil, fmt.Errorf("unsupported key type %q", block.Type)
-	}
-}
-
-// CertToPEM is a utility function returns a PEM encoded x509 Certificate
-func CertToPEM(cert *x509.Certificate) []byte {
-	pemCert := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw})
-
-	return pemCert
-}
-
-// CertChainToPEM is a utility function returns a PEM encoded chain of x509 Certificates, in the order they are passed
-func CertChainToPEM(certChain []*x509.Certificate) ([]byte, error) {
-	var pemBytes bytes.Buffer
-	for _, cert := range certChain {
-		if err := pem.Encode(&pemBytes, &pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw}); err != nil {
-			return nil, err
-		}
-	}
-	return pemBytes.Bytes(), nil
-}
-
-// LoadCertFromFile loads the first certificate from the file provided. The
-// data is expected to be PEM Encoded and contain one of more certificates
-// with PEM type "CERTIFICATE"
-func LoadCertFromFile(filename string) (*x509.Certificate, error) {
-	certs, err := LoadCertBundleFromFile(filename)
-	if err != nil {
-		return nil, err
-	}
-	return certs[0], nil
-}
-
-// LoadCertBundleFromFile loads certificates from the []byte provided. The
-// data is expected to be PEM Encoded and contain one of more certificates
-// with PEM type "CERTIFICATE"
-func LoadCertBundleFromFile(filename string) ([]*x509.Certificate, error) {
-	b, err := ioutil.ReadFile(filename)
-	if err != nil {
-		return nil, err
-	}
-
-	return LoadCertBundleFromPEM(b)
-}
-
-// LoadCertBundleFromPEM loads certificates from the []byte provided. The
-// data is expected to be PEM Encoded and contain one of more certificates
-// with PEM type "CERTIFICATE"
-func LoadCertBundleFromPEM(pemBytes []byte) ([]*x509.Certificate, error) {
-	certificates := []*x509.Certificate{}
-	var block *pem.Block
-	block, pemBytes = pem.Decode(pemBytes)
-	for ; block != nil; block, pemBytes = pem.Decode(pemBytes) {
-		if block.Type == "CERTIFICATE" {
-			cert, err := x509.ParseCertificate(block.Bytes)
-			if err != nil {
-				return nil, err
-			}
-			certificates = append(certificates, cert)
-		} else {
-			return nil, fmt.Errorf("invalid pem block type: %s", block.Type)
-		}
-	}
-
-	if len(certificates) == 0 {
-		return nil, fmt.Errorf("no valid certificates found")
-	}
-
-	return certificates, nil
-}
-
-// GetLeafCerts parses a list of x509 Certificates and returns all of them
-// that aren't CA
-func GetLeafCerts(certs []*x509.Certificate) []*x509.Certificate {
-	var leafCerts []*x509.Certificate
-	for _, cert := range certs {
-		if cert.IsCA {
-			continue
-		}
-		leafCerts = append(leafCerts, cert)
-	}
-	return leafCerts
-}
-
-// GetIntermediateCerts parses a list of x509 Certificates and returns all of the
-// ones marked as a CA, to be used as intermediates
-func GetIntermediateCerts(certs []*x509.Certificate) []*x509.Certificate {
-	var intCerts []*x509.Certificate
-	for _, cert := range certs {
-		if cert.IsCA {
-			intCerts = append(intCerts, cert)
-		}
-	}
-	return intCerts
-}
-
-// ParsePEMPublicKey returns a data.PublicKey from a PEM encoded public key or certificate.
-func ParsePEMPublicKey(pubKeyBytes []byte) (data.PublicKey, error) {
-	pemBlock, _ := pem.Decode(pubKeyBytes)
-	if pemBlock == nil {
-		return nil, errors.New("no valid public key found")
-	}
-
-	switch pemBlock.Type {
-	case "CERTIFICATE":
-		cert, err := x509.ParseCertificate(pemBlock.Bytes)
-		if err != nil {
-			return nil, fmt.Errorf("could not parse provided certificate: %v", err)
-		}
-		err = ValidateCertificate(cert, true)
-		if err != nil {
-			return nil, fmt.Errorf("invalid certificate: %v", err)
-		}
-		return CertToKey(cert), nil
-	default:
-		return nil, fmt.Errorf("unsupported PEM block type %q, expected certificate", pemBlock.Type)
-	}
-}
-
-// ValidateCertificate returns an error if the certificate is not valid for notary
-// Currently this is only ensuring the public key has a large enough modulus if RSA,
-// using a non SHA1 signature algorithm, and an optional time expiry check
-func ValidateCertificate(c *x509.Certificate, checkExpiry bool) error {
-	if (c.NotBefore).After(c.NotAfter) {
-		return fmt.Errorf("certificate validity window is invalid")
-	}
-	// Can't have SHA1 sig algorithm
-	if c.SignatureAlgorithm == x509.SHA1WithRSA || c.SignatureAlgorithm == x509.DSAWithSHA1 || c.SignatureAlgorithm == x509.ECDSAWithSHA1 {
-		return fmt.Errorf("certificate with CN %s uses invalid SHA1 signature algorithm", c.Subject.CommonName)
-	}
-	// If we have an RSA key, make sure it's long enough
-	if c.PublicKeyAlgorithm == x509.RSA {
-		rsaKey, ok := c.PublicKey.(*rsa.PublicKey)
-		if !ok {
-			return fmt.Errorf("unable to parse RSA public key")
-		}
-		if rsaKey.N.BitLen() < notary.MinRSABitSize {
-			return fmt.Errorf("RSA bit length is too short")
-		}
-	}
-	if checkExpiry {
-		now := time.Now()
-		tomorrow := now.AddDate(0, 0, 1)
-		// Give one day leeway on creation "before" time, check "after" against today
-		if (tomorrow).Before(c.NotBefore) || now.After(c.NotAfter) {
-			return data.ErrCertExpired{CN: c.Subject.CommonName}
-		}
-		// If this certificate is expiring within 6 months, put out a warning
-		if (c.NotAfter).Before(time.Now().AddDate(0, 6, 0)) {
-			logrus.Warnf("certificate with CN %s is near expiry", c.Subject.CommonName)
-		}
-	}
-	return nil
-}
-
-// GenerateRSAKey generates an RSA private key and returns a TUF PrivateKey
-func GenerateRSAKey(random io.Reader, bits int) (data.PrivateKey, error) {
-	rsaPrivKey, err := rsa.GenerateKey(random, bits)
-	if err != nil {
-		return nil, fmt.Errorf("could not generate private key: %v", err)
-	}
-
-	tufPrivKey, err := RSAToPrivateKey(rsaPrivKey)
-	if err != nil {
-		return nil, err
-	}
-
-	logrus.Debugf("generated RSA key with keyID: %s", tufPrivKey.ID())
-
-	return tufPrivKey, nil
-}
-
-// RSAToPrivateKey converts an rsa.Private key to a TUF data.PrivateKey type
-func RSAToPrivateKey(rsaPrivKey *rsa.PrivateKey) (data.PrivateKey, error) {
-	// Get a DER-encoded representation of the PublicKey
-	rsaPubBytes, err := x509.MarshalPKIXPublicKey(&rsaPrivKey.PublicKey)
-	if err != nil {
-		return nil, fmt.Errorf("failed to marshal public key: %v", err)
-	}
-
-	// Get a DER-encoded representation of the PrivateKey
-	rsaPrivBytes := x509.MarshalPKCS1PrivateKey(rsaPrivKey)
-
-	pubKey := data.NewRSAPublicKey(rsaPubBytes)
-	return data.NewRSAPrivateKey(pubKey, rsaPrivBytes)
-}
-
-// GenerateECDSAKey generates an ECDSA Private key and returns a TUF PrivateKey
-func GenerateECDSAKey(random io.Reader) (data.PrivateKey, error) {
-	ecdsaPrivKey, err := ecdsa.GenerateKey(elliptic.P256(), random)
-	if err != nil {
-		return nil, err
-	}
-
-	tufPrivKey, err := ECDSAToPrivateKey(ecdsaPrivKey)
-	if err != nil {
-		return nil, err
-	}
-
-	logrus.Debugf("generated ECDSA key with keyID: %s", tufPrivKey.ID())
-
-	return tufPrivKey, nil
-}
-
-// GenerateED25519Key generates an ED25519 private key and returns a TUF
-// PrivateKey. The serialization format we use is just the public key bytes
-// followed by the private key bytes
-func GenerateED25519Key(random io.Reader) (data.PrivateKey, error) {
-	pub, priv, err := ed25519.GenerateKey(random)
-	if err != nil {
-		return nil, err
-	}
-
-	var serialized [ed25519.PublicKeySize + ed25519.PrivateKeySize]byte
-	copy(serialized[:], pub[:])
-	copy(serialized[ed25519.PublicKeySize:], priv[:])
-
-	tufPrivKey, err := ED25519ToPrivateKey(serialized[:])
-	if err != nil {
-		return nil, err
-	}
-
-	logrus.Debugf("generated ED25519 key with keyID: %s", tufPrivKey.ID())
-
-	return tufPrivKey, nil
-}
-
-// ECDSAToPrivateKey converts an ecdsa.Private key to a TUF data.PrivateKey type
-func ECDSAToPrivateKey(ecdsaPrivKey *ecdsa.PrivateKey) (data.PrivateKey, error) {
-	// Get a DER-encoded representation of the PublicKey
-	ecdsaPubBytes, err := x509.MarshalPKIXPublicKey(&ecdsaPrivKey.PublicKey)
-	if err != nil {
-		return nil, fmt.Errorf("failed to marshal public key: %v", err)
-	}
-
-	// Get a DER-encoded representation of the PrivateKey
-	ecdsaPrivKeyBytes, err := x509.MarshalECPrivateKey(ecdsaPrivKey)
-	if err != nil {
-		return nil, fmt.Errorf("failed to marshal private key: %v", err)
-	}
-
-	pubKey := data.NewECDSAPublicKey(ecdsaPubBytes)
-	return data.NewECDSAPrivateKey(pubKey, ecdsaPrivKeyBytes)
-}
-
-// ED25519ToPrivateKey converts a serialized ED25519 key to a TUF
-// data.PrivateKey type
-func ED25519ToPrivateKey(privKeyBytes []byte) (data.PrivateKey, error) {
-	if len(privKeyBytes) != ed25519.PublicKeySize+ed25519.PrivateKeySize {
-		return nil, errors.New("malformed ed25519 private key")
-	}
-
-	pubKey := data.NewED25519PublicKey(privKeyBytes[:ed25519.PublicKeySize])
-	return data.NewED25519PrivateKey(*pubKey, privKeyBytes)
-}
-
-func blockType(k data.PrivateKey) (string, error) {
-	switch k.Algorithm() {
-	case data.RSAKey, data.RSAx509Key:
-		return "RSA PRIVATE KEY", nil
-	case data.ECDSAKey, data.ECDSAx509Key:
-		return "EC PRIVATE KEY", nil
-	case data.ED25519Key:
-		return "ED25519 PRIVATE KEY", nil
-	default:
-		return "", fmt.Errorf("algorithm %s not supported", k.Algorithm())
-	}
-}
-
-// KeyToPEM returns a PEM encoded key from a Private Key
-func KeyToPEM(privKey data.PrivateKey, role string) ([]byte, error) {
-	bt, err := blockType(privKey)
-	if err != nil {
-		return nil, err
-	}
-
-	headers := map[string]string{}
-	if role != "" {
-		headers = map[string]string{
-			"role": role,
-		}
-	}
-
-	block := &pem.Block{
-		Type:    bt,
-		Headers: headers,
-		Bytes:   privKey.Private(),
-	}
-
-	return pem.EncodeToMemory(block), nil
-}
-
-// EncryptPrivateKey returns an encrypted PEM key given a Privatekey
-// and a passphrase
-func EncryptPrivateKey(key data.PrivateKey, role, gun, passphrase string) ([]byte, error) {
-	bt, err := blockType(key)
-	if err != nil {
-		return nil, err
-	}
-
-	password := []byte(passphrase)
-	cipherType := x509.PEMCipherAES256
-
-	encryptedPEMBlock, err := x509.EncryptPEMBlock(rand.Reader,
-		bt,
-		key.Private(),
-		password,
-		cipherType)
-	if err != nil {
-		return nil, err
-	}
-
-	if encryptedPEMBlock.Headers == nil {
-		return nil, fmt.Errorf("unable to encrypt key - invalid PEM file produced")
-	}
-	encryptedPEMBlock.Headers["role"] = role
-
-	if gun != "" {
-		encryptedPEMBlock.Headers["gun"] = gun
-	}
-
-	return pem.EncodeToMemory(encryptedPEMBlock), nil
-}
-
-// ReadRoleFromPEM returns the value from the role PEM header, if it exists
-func ReadRoleFromPEM(pemBytes []byte) string {
-	pemBlock, _ := pem.Decode(pemBytes)
-	if pemBlock == nil || pemBlock.Headers == nil {
-		return ""
-	}
-	role, ok := pemBlock.Headers["role"]
-	if !ok {
-		return ""
-	}
-	return role
-}
-
-// CertToKey transforms a single input certificate into its corresponding
-// PublicKey
-func CertToKey(cert *x509.Certificate) data.PublicKey {
-	block := pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw}
-	pemdata := pem.EncodeToMemory(&block)
-
-	switch cert.PublicKeyAlgorithm {
-	case x509.RSA:
-		return data.NewRSAx509PublicKey(pemdata)
-	case x509.ECDSA:
-		return data.NewECDSAx509PublicKey(pemdata)
-	default:
-		logrus.Debugf("Unknown key type parsed from certificate: %v", cert.PublicKeyAlgorithm)
-		return nil
-	}
-}
-
-// CertsToKeys transforms each of the input certificate chains into its corresponding
-// PublicKey
-func CertsToKeys(leafCerts map[string]*x509.Certificate, intCerts map[string][]*x509.Certificate) map[string]data.PublicKey {
-	keys := make(map[string]data.PublicKey)
-	for id, leafCert := range leafCerts {
-		if key, err := CertBundleToKey(leafCert, intCerts[id]); err == nil {
-			keys[key.ID()] = key
-		}
-	}
-	return keys
-}
-
-// CertBundleToKey creates a TUF key from a leaf certs and a list of
-// intermediates
-func CertBundleToKey(leafCert *x509.Certificate, intCerts []*x509.Certificate) (data.PublicKey, error) {
-	certBundle := []*x509.Certificate{leafCert}
-	certBundle = append(certBundle, intCerts...)
-	certChainPEM, err := CertChainToPEM(certBundle)
-	if err != nil {
-		return nil, err
-	}
-	var newKey data.PublicKey
-	// Use the leaf cert's public key algorithm for typing
-	switch leafCert.PublicKeyAlgorithm {
-	case x509.RSA:
-		newKey = data.NewRSAx509PublicKey(certChainPEM)
-	case x509.ECDSA:
-		newKey = data.NewECDSAx509PublicKey(certChainPEM)
-	default:
-		logrus.Debugf("Unknown key type parsed from certificate: %v", leafCert.PublicKeyAlgorithm)
-		return nil, x509.ErrUnsupportedAlgorithm
-	}
-	return newKey, nil
-}
-
-// NewCertificate returns an X509 Certificate following a template, given a GUN and validity interval.
-func NewCertificate(gun string, startTime, endTime time.Time) (*x509.Certificate, error) {
-	serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
-
-	serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
-	if err != nil {
-		return nil, fmt.Errorf("failed to generate new certificate: %v", err)
-	}
-
-	return &x509.Certificate{
-		SerialNumber: serialNumber,
-		Subject: pkix.Name{
-			CommonName: gun,
-		},
-		NotBefore: startTime,
-		NotAfter:  endTime,
-
-		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
-		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
-		BasicConstraintsValid: true,
-	}, nil
-}

vendor/github.com/docker/notary/tuf/validation/errors.go

@@ -1,126 +0,0 @@
-package validation
-
-import (
-	"encoding/json"
-	"fmt"
-)
-
-// VALIDATION ERRORS
-
-// ErrValidation represents a general validation error
-type ErrValidation struct {
-	Msg string
-}
-
-func (err ErrValidation) Error() string {
-	return fmt.Sprintf("An error occurred during validation: %s", err.Msg)
-}
-
-// ErrBadHierarchy represents missing metadata.  Currently: a missing snapshot
-// at this current time. When delegations are implemented it will also
-// represent a missing delegation parent
-type ErrBadHierarchy struct {
-	Missing string
-	Msg     string
-}
-
-func (err ErrBadHierarchy) Error() string {
-	return fmt.Sprintf("Metadata hierarchy is incomplete: %s", err.Msg)
-}
-
-// ErrBadRoot represents a failure validating the root
-type ErrBadRoot struct {
-	Msg string
-}
-
-func (err ErrBadRoot) Error() string {
-	return fmt.Sprintf("The root metadata is invalid: %s", err.Msg)
-}
-
-// ErrBadTargets represents a failure to validate a targets (incl delegations)
-type ErrBadTargets struct {
-	Msg string
-}
-
-func (err ErrBadTargets) Error() string {
-	return fmt.Sprintf("The targets metadata is invalid: %s", err.Msg)
-}
-
-// ErrBadSnapshot represents a failure to validate the snapshot
-type ErrBadSnapshot struct {
-	Msg string
-}
-
-func (err ErrBadSnapshot) Error() string {
-	return fmt.Sprintf("The snapshot metadata is invalid: %s", err.Msg)
-}
-
-// END VALIDATION ERRORS
-
-// SerializableError is a struct that can be used to serialize an error as JSON
-type SerializableError struct {
-	Name  string
-	Error error
-}
-
-// UnmarshalJSON attempts to unmarshal the error into the right type
-func (s *SerializableError) UnmarshalJSON(text []byte) (err error) {
-	var x struct{ Name string }
-	err = json.Unmarshal(text, &x)
-	if err != nil {
-		return
-	}
-	var theError error
-	switch x.Name {
-	case "ErrValidation":
-		var e struct{ Error ErrValidation }
-		err = json.Unmarshal(text, &e)
-		theError = e.Error
-	case "ErrBadHierarchy":
-		var e struct{ Error ErrBadHierarchy }
-		err = json.Unmarshal(text, &e)
-		theError = e.Error
-	case "ErrBadRoot":
-		var e struct{ Error ErrBadRoot }
-		err = json.Unmarshal(text, &e)
-		theError = e.Error
-	case "ErrBadTargets":
-		var e struct{ Error ErrBadTargets }
-		err = json.Unmarshal(text, &e)
-		theError = e.Error
-	case "ErrBadSnapshot":
-		var e struct{ Error ErrBadSnapshot }
-		err = json.Unmarshal(text, &e)
-		theError = e.Error
-	default:
-		err = fmt.Errorf("do not know how to unmarshal %s", x.Name)
-		return
-	}
-	if err != nil {
-		return
-	}
-	s.Name = x.Name
-	s.Error = theError
-	return nil
-}
-
-// NewSerializableError serializes one of the above errors into JSON
-func NewSerializableError(err error) (*SerializableError, error) {
-	// make sure it's one of our errors
-	var name string
-	switch err.(type) {
-	case ErrValidation:
-		name = "ErrValidation"
-	case ErrBadHierarchy:
-		name = "ErrBadHierarchy"
-	case ErrBadRoot:
-		name = "ErrBadRoot"
-	case ErrBadTargets:
-		name = "ErrBadTargets"
-	case ErrBadSnapshot:
-		name = "ErrBadSnapshot"
-	default:
-		return nil, fmt.Errorf("does not support serializing non-validation errors")
-	}
-	return &SerializableError{Name: name, Error: err}, nil
-}

vendor/github.com/flynn-archive/go-shlex/COPYING

@@ -1,202 +0,0 @@
-
-                                 Apache License
-                           Version 2.0, January 2004
-                        http://www.apache.org/licenses/
-
-   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
-
-   1. Definitions.
-
-      "License" shall mean the terms and conditions for use, reproduction,
-      and distribution as defined by Sections 1 through 9 of this document.
-
-      "Licensor" shall mean the copyright owner or entity authorized by
-      the copyright owner that is granting the License.
-
-      "Legal Entity" shall mean the union of the acting entity and all
-      other entities that control, are controlled by, or are under common
-      control with that entity. For the purposes of this definition,
-      "control" means (i) the power, direct or indirect, to cause the
-      direction or management of such entity, whether by contract or
-      otherwise, or (ii) ownership of fifty percent (50%) or more of the
-      outstanding shares, or (iii) beneficial ownership of such entity.
-
-      "You" (or "Your") shall mean an individual or Legal Entity
-      exercising permissions granted by this License.
-
-      "Source" form shall mean the preferred form for making modifications,
-      including but not limited to software source code, documentation
-      source, and configuration files.
-
-      "Object" form shall mean any form resulting from mechanical
-      transformation or translation of a Source form, including but
-      not limited to compiled object code, generated documentation,
-      and conversions to other media types.
-
-      "Work" shall mean the work of authorship, whether in Source or
-      Object form, made available under the License, as indicated by a
-      copyright notice that is included in or attached to the work
-      (an example is provided in the Appendix below).
-
-      "Derivative Works" shall mean any work, whether in Source or Object
-      form, that is based on (or derived from) the Work and for which the
-      editorial revisions, annotations, elaborations, or other modifications
-      represent, as a whole, an original work of authorship. For the purposes
-      of this License, Derivative Works shall not include works that remain
-      separable from, or merely link (or bind by name) to the interfaces of,
-      the Work and Derivative Works thereof.
-
-      "Contribution" shall mean any work of authorship, including
-      the original version of the Work and any modifications or additions
-      to that Work or Derivative Works thereof, that is intentionally
-      submitted to Licensor for inclusion in the Work by the copyright owner
-      or by an individual or Legal Entity authorized to submit on behalf of
-      the copyright owner. For the purposes of this definition, "submitted"
-      means any form of electronic, verbal, or written communication sent
-      to the Licensor or its representatives, including but not limited to
-      communication on electronic mailing lists, source code control systems,
-      and issue tracking systems that are managed by, or on behalf of, the
-      Licensor for the purpose of discussing and improving the Work, but
-      excluding communication that is conspicuously marked or otherwise
-      designated in writing by the copyright owner as "Not a Contribution."
-
-      "Contributor" shall mean Licensor and any individual or Legal Entity
-      on behalf of whom a Contribution has been received by Licensor and
-      subsequently incorporated within the Work.
-
-   2. Grant of Copyright License. Subject to the terms and conditions of
-      this License, each Contributor hereby grants to You a perpetual,
-      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
-      copyright license to reproduce, prepare Derivative Works of,
-      publicly display, publicly perform, sublicense, and distribute the
-      Work and such Derivative Works in Source or Object form.
-
-   3. Grant of Patent License. Subject to the terms and conditions of
-      this License, each Contributor hereby grants to You a perpetual,
-      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
-      (except as stated in this section) patent license to make, have made,
-      use, offer to sell, sell, import, and otherwise transfer the Work,
-      where such license applies only to those patent claims licensable
-      by such Contributor that are necessarily infringed by their
-      Contribution(s) alone or by combination of their Contribution(s)
-      with the Work to which such Contribution(s) was submitted. If You
-      institute patent litigation against any entity (including a
-      cross-claim or counterclaim in a lawsuit) alleging that the Work
-      or a Contribution incorporated within the Work constitutes direct
-      or contributory patent infringement, then any patent licenses
-      granted to You under this License for that Work shall terminate
-      as of the date such litigation is filed.
-
-   4. Redistribution. You may reproduce and distribute copies of the
-      Work or Derivative Works thereof in any medium, with or without
-      modifications, and in Source or Object form, provided that You
-      meet the following conditions:
-
-      (a) You must give any other recipients of the Work or
-          Derivative Works a copy of this License; and
-
-      (b) You must cause any modified files to carry prominent notices
-          stating that You changed the files; and
-
-      (c) You must retain, in the Source form of any Derivative Works
-          that You distribute, all copyright, patent, trademark, and
-          attribution notices from the Source form of the Work,
-          excluding those notices that do not pertain to any part of
-          the Derivative Works; and
-
-      (d) If the Work includes a "NOTICE" text file as part of its
-          distribution, then any Derivative Works that You distribute must
-          include a readable copy of the attribution notices contained
-          within such NOTICE file, excluding those notices that do not
-          pertain to any part of the Derivative Works, in at least one
-          of the following places: within a NOTICE text file distributed
-          as part of the Derivative Works; within the Source form or
-          documentation, if provided along with the Derivative Works; or,
-          within a display generated by the Derivative Works, if and
-          wherever such third-party notices normally appear. The contents
-          of the NOTICE file are for informational purposes only and
-          do not modify the License. You may add Your own attribution
-          notices within Derivative Works that You distribute, alongside
-          or as an addendum to the NOTICE text from the Work, provided
-          that such additional attribution notices cannot be construed
-          as modifying the License.
-
-      You may add Your own copyright statement to Your modifications and
-      may provide additional or different license terms and conditions
-      for use, reproduction, or distribution of Your modifications, or
-      for any such Derivative Works as a whole, provided Your use,
-      reproduction, and distribution of the Work otherwise complies with
-      the conditions stated in this License.
-
-   5. Submission of Contributions. Unless You explicitly state otherwise,
-      any Contribution intentionally submitted for inclusion in the Work
-      by You to the Licensor shall be under the terms and conditions of
-      this License, without any additional terms or conditions.
-      Notwithstanding the above, nothing herein shall supersede or modify
-      the terms of any separate license agreement you may have executed
-      with Licensor regarding such Contributions.
-
-   6. Trademarks. This License does not grant permission to use the trade
-      names, trademarks, service marks, or product names of the Licensor,
-      except as required for reasonable and customary use in describing the
-      origin of the Work and reproducing the content of the NOTICE file.
-
-   7. Disclaimer of Warranty. Unless required by applicable law or
-      agreed to in writing, Licensor provides the Work (and each
-      Contributor provides its Contributions) on an "AS IS" BASIS,
-      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
-      implied, including, without limitation, any warranties or conditions
-      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
-      PARTICULAR PURPOSE. You are solely responsible for determining the
-      appropriateness of using or redistributing the Work and assume any
-      risks associated with Your exercise of permissions under this License.
-
-   8. Limitation of Liability. In no event and under no legal theory,
-      whether in tort (including negligence), contract, or otherwise,
-      unless required by applicable law (such as deliberate and grossly
-      negligent acts) or agreed to in writing, shall any Contributor be
-      liable to You for damages, including any direct, indirect, special,
-      incidental, or consequential damages of any character arising as a
-      result of this License or out of the use or inability to use the
-      Work (including but not limited to damages for loss of goodwill,
-      work stoppage, computer failure or malfunction, or any and all
-      other commercial damages or losses), even if such Contributor
-      has been advised of the possibility of such damages.
-
-   9. Accepting Warranty or Additional Liability. While redistributing
-      the Work or Derivative Works thereof, You may choose to offer,
-      and charge a fee for, acceptance of support, warranty, indemnity,
-      or other liability obligations and/or rights consistent with this
-      License. However, in accepting such obligations, You may act only
-      on Your own behalf and on Your sole responsibility, not on behalf
-      of any other Contributor, and only if You agree to indemnify,
-      defend, and hold each Contributor harmless for any liability
-      incurred by, or claims asserted against, such Contributor by reason
-      of your accepting any such warranty or additional liability.
-
-   END OF TERMS AND CONDITIONS
-
-   APPENDIX: How to apply the Apache License to your work.
-
-      To apply the Apache License to your work, attach the following
-      boilerplate notice, with the fields enclosed by brackets "[]"
-      replaced with your own identifying information. (Don't include
-      the brackets!)  The text should be enclosed in the appropriate
-      comment syntax for the file format. We also recommend that a
-      file or class name and description of purpose be included on the
-      same "printed page" as the copyright notice for easier
-      identification within third-party archives.
-
-   Copyright [yyyy] [name of copyright owner]
-
-   Licensed under the Apache License, Version 2.0 (the "License");
-   you may not use this file except in compliance with the License.
-   You may obtain a copy of the License at
-
-       http://www.apache.org/licenses/LICENSE-2.0
-
-   Unless required by applicable law or agreed to in writing, software
-   distributed under the License is distributed on an "AS IS" BASIS,
-   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-   See the License for the specific language governing permissions and
-   limitations under the License.

vendor/github.com/flynn-archive/go-shlex/README.md

@@ -1,2 +0,0 @@
-go-shlex is a simple lexer for go that supports shell-style quoting,
-commenting, and escaping.

vendor/github.com/flynn-archive/go-shlex/shlex.go

@@ -1,457 +0,0 @@
-/*
-Copyright 2012 Google Inc. All Rights Reserved.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package shlex
-
-/*
-Package shlex implements a simple lexer which splits input in to tokens using
-shell-style rules for quoting and commenting.
-*/
-import (
-	"bufio"
-	"errors"
-	"fmt"
-	"io"
-	"strings"
-)
-
-/*
-A TokenType is a top-level token; a word, space, comment, unknown.
-*/
-type TokenType int
-
-/*
-A RuneTokenType is the type of a UTF-8 character; a character, quote, space, escape.
-*/
-type RuneTokenType int
-
-type lexerState int
-
-type Token struct {
-	tokenType TokenType
-	value     string
-}
-
-/*
-Two tokens are equal if both their types and values are equal. A nil token can
-never equal another token.
-*/
-func (a *Token) Equal(b *Token) bool {
-	if a == nil || b == nil {
-		return false
-	}
-	if a.tokenType != b.tokenType {
-		return false
-	}
-	return a.value == b.value
-}
-
-const (
-	RUNE_CHAR              string = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._-,/@$*()+=><:;&^%~|!?[]{}"
-	RUNE_SPACE             string = " \t\r\n"
-	RUNE_ESCAPING_QUOTE    string = "\""
-	RUNE_NONESCAPING_QUOTE string = "'"
-	RUNE_ESCAPE                   = "\\"
-	RUNE_COMMENT                  = "#"
-
-	RUNETOKEN_UNKNOWN           RuneTokenType = 0
-	RUNETOKEN_CHAR              RuneTokenType = 1
-	RUNETOKEN_SPACE             RuneTokenType = 2
-	RUNETOKEN_ESCAPING_QUOTE    RuneTokenType = 3
-	RUNETOKEN_NONESCAPING_QUOTE RuneTokenType = 4
-	RUNETOKEN_ESCAPE            RuneTokenType = 5
-	RUNETOKEN_COMMENT           RuneTokenType = 6
-	RUNETOKEN_EOF               RuneTokenType = 7
-
-	TOKEN_UNKNOWN TokenType = 0
-	TOKEN_WORD    TokenType = 1
-	TOKEN_SPACE   TokenType = 2
-	TOKEN_COMMENT TokenType = 3
-
-	STATE_START           lexerState = 0
-	STATE_INWORD          lexerState = 1
-	STATE_ESCAPING        lexerState = 2
-	STATE_ESCAPING_QUOTED lexerState = 3
-	STATE_QUOTED_ESCAPING lexerState = 4
-	STATE_QUOTED          lexerState = 5
-	STATE_COMMENT         lexerState = 6
-
-	INITIAL_TOKEN_CAPACITY int = 100
-)
-
-/*
-A type for classifying characters. This allows for different sorts of
-classifiers - those accepting extended non-ascii chars, or strict posix
-compatibility, for example.
-*/
-type TokenClassifier struct {
-	typeMap map[int32]RuneTokenType
-}
-
-func addRuneClass(typeMap *map[int32]RuneTokenType, runes string, tokenType RuneTokenType) {
-	for _, rune := range runes {
-		(*typeMap)[int32(rune)] = tokenType
-	}
-}
-
-/*
-Create a new classifier for basic ASCII characters.
-*/
-func NewDefaultClassifier() *TokenClassifier {
-	typeMap := map[int32]RuneTokenType{}
-	addRuneClass(&typeMap, RUNE_CHAR, RUNETOKEN_CHAR)
-	addRuneClass(&typeMap, RUNE_SPACE, RUNETOKEN_SPACE)
-	addRuneClass(&typeMap, RUNE_ESCAPING_QUOTE, RUNETOKEN_ESCAPING_QUOTE)
-	addRuneClass(&typeMap, RUNE_NONESCAPING_QUOTE, RUNETOKEN_NONESCAPING_QUOTE)
-	addRuneClass(&typeMap, RUNE_ESCAPE, RUNETOKEN_ESCAPE)
-	addRuneClass(&typeMap, RUNE_COMMENT, RUNETOKEN_COMMENT)
-	return &TokenClassifier{
-		typeMap: typeMap}
-}
-
-func (classifier *TokenClassifier) ClassifyRune(rune int32) RuneTokenType {
-	return classifier.typeMap[rune]
-}
-
-/*
-A type for turning an input stream in to a sequence of strings. Whitespace and
-comments are skipped.
-*/
-type Lexer struct {
-	tokenizer *Tokenizer
-}
-
-/*
-Create a new lexer.
-*/
-func NewLexer(r io.Reader) (*Lexer, error) {
-
-	tokenizer, err := NewTokenizer(r)
-	if err != nil {
-		return nil, err
-	}
-	lexer := &Lexer{tokenizer: tokenizer}
-	return lexer, nil
-}
-
-/*
-Return the next word, and an error value. If there are no more words, the error
-will be io.EOF.
-*/
-func (l *Lexer) NextWord() (string, error) {
-	var token *Token
-	var err error
-	for {
-		token, err = l.tokenizer.NextToken()
-		if err != nil {
-			return "", err
-		}
-		switch token.tokenType {
-		case TOKEN_WORD:
-			{
-				return token.value, nil
-			}
-		case TOKEN_COMMENT:
-			{
-				// skip comments
-			}
-		default:
-			{
-				panic(fmt.Sprintf("Unknown token type: %v", token.tokenType))
-			}
-		}
-	}
-	return "", io.EOF
-}
-
-/*
-A type for turning an input stream in to a sequence of typed tokens.
-*/
-type Tokenizer struct {
-	input      *bufio.Reader
-	classifier *TokenClassifier
-}
-
-/*
-Create a new tokenizer.
-*/
-func NewTokenizer(r io.Reader) (*Tokenizer, error) {
-	input := bufio.NewReader(r)
-	classifier := NewDefaultClassifier()
-	tokenizer := &Tokenizer{
-		input:      input,
-		classifier: classifier}
-	return tokenizer, nil
-}
-
-/*
-Scan the stream for the next token.
-
-This uses an internal state machine. It will panic if it encounters a character
-which it does not know how to handle.
-*/
-func (t *Tokenizer) scanStream() (*Token, error) {
-	state := STATE_START
-	var tokenType TokenType
-	value := make([]int32, 0, INITIAL_TOKEN_CAPACITY)
-	var (
-		nextRune     int32
-		nextRuneType RuneTokenType
-		err          error
-	)
-SCAN:
-	for {
-		nextRune, _, err = t.input.ReadRune()
-		nextRuneType = t.classifier.ClassifyRune(nextRune)
-		if err != nil {
-			if err == io.EOF {
-				nextRuneType = RUNETOKEN_EOF
-				err = nil
-			} else {
-				return nil, err
-			}
-		}
-		switch state {
-		case STATE_START: // no runes read yet
-			{
-				switch nextRuneType {
-				case RUNETOKEN_EOF:
-					{
-						return nil, io.EOF
-					}
-				case RUNETOKEN_CHAR:
-					{
-						tokenType = TOKEN_WORD
-						value = append(value, nextRune)
-						state = STATE_INWORD
-					}
-				case RUNETOKEN_SPACE:
-					{
-					}
-				case RUNETOKEN_ESCAPING_QUOTE:
-					{
-						tokenType = TOKEN_WORD
-						state = STATE_QUOTED_ESCAPING
-					}
-				case RUNETOKEN_NONESCAPING_QUOTE:
-					{
-						tokenType = TOKEN_WORD
-						state = STATE_QUOTED
-					}
-				case RUNETOKEN_ESCAPE:
-					{
-						tokenType = TOKEN_WORD
-						state = STATE_ESCAPING
-					}
-				case RUNETOKEN_COMMENT:
-					{
-						tokenType = TOKEN_COMMENT
-						state = STATE_COMMENT
-					}
-				default:
-					{
-						return nil, errors.New(fmt.Sprintf("Unknown rune: %v", nextRune))
-					}
-				}
-			}
-		case STATE_INWORD: // in a regular word
-			{
-				switch nextRuneType {
-				case RUNETOKEN_EOF:
-					{
-						break SCAN
-					}
-				case RUNETOKEN_CHAR, RUNETOKEN_COMMENT:
-					{
-						value = append(value, nextRune)
-					}
-				case RUNETOKEN_SPACE:
-					{
-						t.input.UnreadRune()
-						break SCAN
-					}
-				case RUNETOKEN_ESCAPING_QUOTE:
-					{
-						state = STATE_QUOTED_ESCAPING
-					}
-				case RUNETOKEN_NONESCAPING_QUOTE:
-					{
-						state = STATE_QUOTED
-					}
-				case RUNETOKEN_ESCAPE:
-					{
-						state = STATE_ESCAPING
-					}
-				default:
-					{
-						return nil, errors.New(fmt.Sprintf("Uknown rune: %v", nextRune))
-					}
-				}
-			}
-		case STATE_ESCAPING: // the next rune after an escape character
-			{
-				switch nextRuneType {
-				case RUNETOKEN_EOF:
-					{
-						err = errors.New("EOF found after escape character")
-						break SCAN
-					}
-				case RUNETOKEN_CHAR, RUNETOKEN_SPACE, RUNETOKEN_ESCAPING_QUOTE, RUNETOKEN_NONESCAPING_QUOTE, RUNETOKEN_ESCAPE, RUNETOKEN_COMMENT:
-					{
-						state = STATE_INWORD
-						value = append(value, nextRune)
-					}
-				default:
-					{
-						return nil, errors.New(fmt.Sprintf("Uknown rune: %v", nextRune))
-					}
-				}
-			}
-		case STATE_ESCAPING_QUOTED: // the next rune after an escape character, in double quotes
-			{
-				switch nextRuneType {
-				case RUNETOKEN_EOF:
-					{
-						err = errors.New("EOF found after escape character")
-						break SCAN
-					}
-				case RUNETOKEN_CHAR, RUNETOKEN_SPACE, RUNETOKEN_ESCAPING_QUOTE, RUNETOKEN_NONESCAPING_QUOTE, RUNETOKEN_ESCAPE, RUNETOKEN_COMMENT:
-					{
-						state = STATE_QUOTED_ESCAPING
-						value = append(value, nextRune)
-					}
-				default:
-					{
-						return nil, errors.New(fmt.Sprintf("Uknown rune: %v", nextRune))
-					}
-				}
-			}
-		case STATE_QUOTED_ESCAPING: // in escaping double quotes
-			{
-				switch nextRuneType {
-				case RUNETOKEN_EOF:
-					{
-						err = errors.New("EOF found when expecting closing quote.")
-						break SCAN
-					}
-				case RUNETOKEN_CHAR, RUNETOKEN_UNKNOWN, RUNETOKEN_SPACE, RUNETOKEN_NONESCAPING_QUOTE, RUNETOKEN_COMMENT:
-					{
-						value = append(value, nextRune)
-					}
-				case RUNETOKEN_ESCAPING_QUOTE:
-					{
-						state = STATE_INWORD
-					}
-				case RUNETOKEN_ESCAPE:
-					{
-						state = STATE_ESCAPING_QUOTED
-					}
-				default:
-					{
-						return nil, errors.New(fmt.Sprintf("Uknown rune: %v", nextRune))
-					}
-				}
-			}
-		case STATE_QUOTED: // in non-escaping single quotes
-			{
-				switch nextRuneType {
-				case RUNETOKEN_EOF:
-					{
-						err = errors.New("EOF found when expecting closing quote.")
-						break SCAN
-					}
-				case RUNETOKEN_CHAR, RUNETOKEN_UNKNOWN, RUNETOKEN_SPACE, RUNETOKEN_ESCAPING_QUOTE, RUNETOKEN_ESCAPE, RUNETOKEN_COMMENT:
-					{
-						value = append(value, nextRune)
-					}
-				case RUNETOKEN_NONESCAPING_QUOTE:
-					{
-						state = STATE_INWORD
-					}
-				default:
-					{
-						return nil, errors.New(fmt.Sprintf("Uknown rune: %v", nextRune))
-					}
-				}
-			}
-		case STATE_COMMENT:
-			{
-				switch nextRuneType {
-				case RUNETOKEN_EOF:
-					{
-						break SCAN
-					}
-				case RUNETOKEN_CHAR, RUNETOKEN_UNKNOWN, RUNETOKEN_ESCAPING_QUOTE, RUNETOKEN_ESCAPE, RUNETOKEN_COMMENT, RUNETOKEN_NONESCAPING_QUOTE:
-					{
-						value = append(value, nextRune)
-					}
-				case RUNETOKEN_SPACE:
-					{
-						if nextRune == '\n' {
-							state = STATE_START
-							break SCAN
-						} else {
-							value = append(value, nextRune)
-						}
-					}
-				default:
-					{
-						return nil, errors.New(fmt.Sprintf("Uknown rune: %v", nextRune))
-					}
-				}
-			}
-		default:
-			{
-				panic(fmt.Sprintf("Unexpected state: %v", state))
-			}
-		}
-	}
-	token := &Token{
-		tokenType: tokenType,
-		value:     string(value)}
-	return token, err
-}
-
-/*
-Return the next token in the stream, and an error value. If there are no more
-tokens available, the error value will be io.EOF.
-*/
-func (t *Tokenizer) NextToken() (*Token, error) {
-	return t.scanStream()
-}
-
-/*
-Split a string in to a slice of strings, based upon shell-style rules for
-quoting, escaping, and spaces.
-*/
-func Split(s string) ([]string, error) {
-	l, err := NewLexer(strings.NewReader(s))
-	if err != nil {
-		return nil, err
-	}
-	subStrings := []string{}
-	for {
-		word, err := l.NextWord()
-		if err != nil {
-			if err == io.EOF {
-				return subStrings, nil
-			}
-			return subStrings, err
-		}
-		subStrings = append(subStrings, word)
-	}
-	return subStrings, nil
-}

vendor/github.com/mitchellh/mapstructure/LICENSE

@@ -1,21 +0,0 @@
-The MIT License (MIT)
-
-Copyright (c) 2013 Mitchell Hashimoto
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in
-all copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-THE SOFTWARE.

vendor/github.com/mitchellh/mapstructure/README.md

@@ -1,46 +0,0 @@
-# mapstructure
-
-mapstructure is a Go library for decoding generic map values to structures
-and vice versa, while providing helpful error handling.
-
-This library is most useful when decoding values from some data stream (JSON,
-Gob, etc.) where you don't _quite_ know the structure of the underlying data
-until you read a part of it. You can therefore read a `map[string]interface{}`
-and use this library to decode it into the proper underlying native Go
-structure.
-
-## Installation
-
-Standard `go get`:
-
-```
-$ go get github.com/mitchellh/mapstructure
-```
-
-## Usage & Example
-
-For usage and examples see the [Godoc](http://godoc.org/github.com/mitchellh/mapstructure).
-
-The `Decode` function has examples associated with it there.
-
-## But Why?!
-
-Go offers fantastic standard libraries for decoding formats such as JSON.
-The standard method is to have a struct pre-created, and populate that struct
-from the bytes of the encoded format. This is great, but the problem is if
-you have configuration or an encoding that changes slightly depending on
-specific fields. For example, consider this JSON:
-
-```json
-{
-  "type": "person",
-  "name": "Mitchell"
-}
-```
-
-Perhaps we can't populate a specific structure without first reading
-the "type" field from the JSON. We could always do two passes over the
-decoding of the JSON (reading the "type" first, and the rest later).
-However, it is much simpler to just decode this into a `map[string]interface{}`
-structure, read the "type" key, then use something like this library
-to decode it into the proper structure.

vendor/github.com/mitchellh/mapstructure/decode_hooks.go

@@ -1,154 +0,0 @@
-package mapstructure
-
-import (
-	"errors"
-	"reflect"
-	"strconv"
-	"strings"
-	"time"
-)
-
-// typedDecodeHook takes a raw DecodeHookFunc (an interface{}) and turns
-// it into the proper DecodeHookFunc type, such as DecodeHookFuncType.
-func typedDecodeHook(h DecodeHookFunc) DecodeHookFunc {
-	// Create variables here so we can reference them with the reflect pkg
-	var f1 DecodeHookFuncType
-	var f2 DecodeHookFuncKind
-
-	// Fill in the variables into this interface and the rest is done
-	// automatically using the reflect package.
-	potential := []interface{}{f1, f2}
-
-	v := reflect.ValueOf(h)
-	vt := v.Type()
-	for _, raw := range potential {
-		pt := reflect.ValueOf(raw).Type()
-		if vt.ConvertibleTo(pt) {
-			return v.Convert(pt).Interface()
-		}
-	}
-
-	return nil
-}
-
-// DecodeHookExec executes the given decode hook. This should be used
-// since it'll naturally degrade to the older backwards compatible DecodeHookFunc
-// that took reflect.Kind instead of reflect.Type.
-func DecodeHookExec(
-	raw DecodeHookFunc,
-	from reflect.Type, to reflect.Type,
-	data interface{}) (interface{}, error) {
-	// Build our arguments that reflect expects
-	argVals := make([]reflect.Value, 3)
-	argVals[0] = reflect.ValueOf(from)
-	argVals[1] = reflect.ValueOf(to)
-	argVals[2] = reflect.ValueOf(data)
-
-	switch f := typedDecodeHook(raw).(type) {
-	case DecodeHookFuncType:
-		return f(from, to, data)
-	case DecodeHookFuncKind:
-		return f(from.Kind(), to.Kind(), data)
-	default:
-		return nil, errors.New("invalid decode hook signature")
-	}
-}
-
-// ComposeDecodeHookFunc creates a single DecodeHookFunc that
-// automatically composes multiple DecodeHookFuncs.
-//
-// The composed funcs are called in order, with the result of the
-// previous transformation.
-func ComposeDecodeHookFunc(fs ...DecodeHookFunc) DecodeHookFunc {
-	return func(
-		f reflect.Type,
-		t reflect.Type,
-		data interface{}) (interface{}, error) {
-		var err error
-		for _, f1 := range fs {
-			data, err = DecodeHookExec(f1, f, t, data)
-			if err != nil {
-				return nil, err
-			}
-
-			// Modify the from kind to be correct with the new data
-			f = nil
-			if val := reflect.ValueOf(data); val.IsValid() {
-				f = val.Type()
-			}
-		}
-
-		return data, nil
-	}
-}
-
-// StringToSliceHookFunc returns a DecodeHookFunc that converts
-// string to []string by splitting on the given sep.
-func StringToSliceHookFunc(sep string) DecodeHookFunc {
-	return func(
-		f reflect.Kind,
-		t reflect.Kind,
-		data interface{}) (interface{}, error) {
-		if f != reflect.String || t != reflect.Slice {
-			return data, nil
-		}
-
-		raw := data.(string)
-		if raw == "" {
-			return []string{}, nil
-		}
-
-		return strings.Split(raw, sep), nil
-	}
-}
-
-// StringToTimeDurationHookFunc returns a DecodeHookFunc that converts
-// strings to time.Duration.
-func StringToTimeDurationHookFunc() DecodeHookFunc {
-	return func(
-		f reflect.Type,
-		t reflect.Type,
-		data interface{}) (interface{}, error) {
-		if f.Kind() != reflect.String {
-			return data, nil
-		}
-		if t != reflect.TypeOf(time.Duration(5)) {
-			return data, nil
-		}
-
-		// Convert it by parsing
-		return time.ParseDuration(data.(string))
-	}
-}
-
-func WeaklyTypedHook(
-	f reflect.Kind,
-	t reflect.Kind,
-	data interface{}) (interface{}, error) {
-	dataVal := reflect.ValueOf(data)
-	switch t {
-	case reflect.String:
-		switch f {
-		case reflect.Bool:
-			if dataVal.Bool() {
-				return "1", nil
-			} else {
-				return "0", nil
-			}
-		case reflect.Float32:
-			return strconv.FormatFloat(dataVal.Float(), 'f', -1, 64), nil
-		case reflect.Int:
-			return strconv.FormatInt(dataVal.Int(), 10), nil
-		case reflect.Slice:
-			dataType := dataVal.Type()
-			elemKind := dataType.Elem().Kind()
-			if elemKind == reflect.Uint8 {
-				return string(dataVal.Interface().([]uint8)), nil
-			}
-		case reflect.Uint:
-			return strconv.FormatUint(dataVal.Uint(), 10), nil
-		}
-	}
-
-	return data, nil
-}

vendor/github.com/mitchellh/mapstructure/error.go

@@ -1,50 +0,0 @@
-package mapstructure
-
-import (
-	"errors"
-	"fmt"
-	"sort"
-	"strings"
-)
-
-// Error implements the error interface and can represents multiple
-// errors that occur in the course of a single decode.
-type Error struct {
-	Errors []string
-}
-
-func (e *Error) Error() string {
-	points := make([]string, len(e.Errors))
-	for i, err := range e.Errors {
-		points[i] = fmt.Sprintf("* %s", err)
-	}
-
-	sort.Strings(points)
-	return fmt.Sprintf(
-		"%d error(s) decoding:\n\n%s",
-		len(e.Errors), strings.Join(points, "\n"))
-}
-
-// WrappedErrors implements the errwrap.Wrapper interface to make this
-// return value more useful with the errwrap and go-multierror libraries.
-func (e *Error) WrappedErrors() []error {
-	if e == nil {
-		return nil
-	}
-
-	result := make([]error, len(e.Errors))
-	for i, e := range e.Errors {
-		result[i] = errors.New(e)
-	}
-
-	return result
-}
-
-func appendErrors(errors []string, err error) []string {
-	switch e := err.(type) {
-	case *Error:
-		return append(errors, e.Errors...)
-	default:
-		return append(errors, e.Error())
-	}
-}

vendor/github.com/mitchellh/mapstructure/mapstructure.go

@@ -1,782 +0,0 @@
-// The mapstructure package exposes functionality to convert an
-// abitrary map[string]interface{} into a native Go structure.
-//
-// The Go structure can be arbitrarily complex, containing slices,
-// other structs, etc. and the decoder will properly decode nested
-// maps and so on into the proper structures in the native Go struct.
-// See the examples to see what the decoder is capable of.
-package mapstructure
-
-import (
-	"encoding/json"
-	"errors"
-	"fmt"
-	"reflect"
-	"sort"
-	"strconv"
-	"strings"
-)
-
-// DecodeHookFunc is the callback function that can be used for
-// data transformations. See "DecodeHook" in the DecoderConfig
-// struct.
-//
-// The type should be DecodeHookFuncType or DecodeHookFuncKind.
-// Either is accepted. Types are a superset of Kinds (Types can return
-// Kinds) and are generally a richer thing to use, but Kinds are simpler
-// if you only need those.
-//
-// The reason DecodeHookFunc is multi-typed is for backwards compatibility:
-// we started with Kinds and then realized Types were the better solution,
-// but have a promise to not break backwards compat so we now support
-// both.
-type DecodeHookFunc interface{}
-
-type DecodeHookFuncType func(reflect.Type, reflect.Type, interface{}) (interface{}, error)
-type DecodeHookFuncKind func(reflect.Kind, reflect.Kind, interface{}) (interface{}, error)
-
-// DecoderConfig is the configuration that is used to create a new decoder
-// and allows customization of various aspects of decoding.
-type DecoderConfig struct {
-	// DecodeHook, if set, will be called before any decoding and any
-	// type conversion (if WeaklyTypedInput is on). This lets you modify
-	// the values before they're set down onto the resulting struct.
-	//
-	// If an error is returned, the entire decode will fail with that
-	// error.
-	DecodeHook DecodeHookFunc
-
-	// If ErrorUnused is true, then it is an error for there to exist
-	// keys in the original map that were unused in the decoding process
-	// (extra keys).
-	ErrorUnused bool
-
-	// ZeroFields, if set to true, will zero fields before writing them.
-	// For example, a map will be emptied before decoded values are put in
-	// it. If this is false, a map will be merged.
-	ZeroFields bool
-
-	// If WeaklyTypedInput is true, the decoder will make the following
-	// "weak" conversions:
-	//
-	//   - bools to string (true = "1", false = "0")
-	//   - numbers to string (base 10)
-	//   - bools to int/uint (true = 1, false = 0)
-	//   - strings to int/uint (base implied by prefix)
-	//   - int to bool (true if value != 0)
-	//   - string to bool (accepts: 1, t, T, TRUE, true, True, 0, f, F,
-	//     FALSE, false, False. Anything else is an error)
-	//   - empty array = empty map and vice versa
-	//   - negative numbers to overflowed uint values (base 10)
-	//   - slice of maps to a merged map
-	//
-	WeaklyTypedInput bool
-
-	// Metadata is the struct that will contain extra metadata about
-	// the decoding. If this is nil, then no metadata will be tracked.
-	Metadata *Metadata
-
-	// Result is a pointer to the struct that will contain the decoded
-	// value.
-	Result interface{}
-
-	// The tag name that mapstructure reads for field names. This
-	// defaults to "mapstructure"
-	TagName string
-}
-
-// A Decoder takes a raw interface value and turns it into structured
-// data, keeping track of rich error information along the way in case
-// anything goes wrong. Unlike the basic top-level Decode method, you can
-// more finely control how the Decoder behaves using the DecoderConfig
-// structure. The top-level Decode method is just a convenience that sets
-// up the most basic Decoder.
-type Decoder struct {
-	config *DecoderConfig
-}
-
-// Metadata contains information about decoding a structure that
-// is tedious or difficult to get otherwise.
-type Metadata struct {
-	// Keys are the keys of the structure which were successfully decoded
-	Keys []string
-
-	// Unused is a slice of keys that were found in the raw value but
-	// weren't decoded since there was no matching field in the result interface
-	Unused []string
-}
-
-// Decode takes a map and uses reflection to convert it into the
-// given Go native structure. val must be a pointer to a struct.
-func Decode(m interface{}, rawVal interface{}) error {
-	config := &DecoderConfig{
-		Metadata: nil,
-		Result:   rawVal,
-	}
-
-	decoder, err := NewDecoder(config)
-	if err != nil {
-		return err
-	}
-
-	return decoder.Decode(m)
-}
-
-// WeakDecode is the same as Decode but is shorthand to enable
-// WeaklyTypedInput. See DecoderConfig for more info.
-func WeakDecode(input, output interface{}) error {
-	config := &DecoderConfig{
-		Metadata:         nil,
-		Result:           output,
-		WeaklyTypedInput: true,
-	}
-
-	decoder, err := NewDecoder(config)
-	if err != nil {
-		return err
-	}
-
-	return decoder.Decode(input)
-}
-
-// NewDecoder returns a new decoder for the given configuration. Once
-// a decoder has been returned, the same configuration must not be used
-// again.
-func NewDecoder(config *DecoderConfig) (*Decoder, error) {
-	val := reflect.ValueOf(config.Result)
-	if val.Kind() != reflect.Ptr {
-		return nil, errors.New("result must be a pointer")
-	}
-
-	val = val.Elem()
-	if !val.CanAddr() {
-		return nil, errors.New("result must be addressable (a pointer)")
-	}
-
-	if config.Metadata != nil {
-		if config.Metadata.Keys == nil {
-			config.Metadata.Keys = make([]string, 0)
-		}
-
-		if config.Metadata.Unused == nil {
-			config.Metadata.Unused = make([]string, 0)
-		}
-	}
-
-	if config.TagName == "" {
-		config.TagName = "mapstructure"
-	}
-
-	result := &Decoder{
-		config: config,
-	}
-
-	return result, nil
-}
-
-// Decode decodes the given raw interface to the target pointer specified
-// by the configuration.
-func (d *Decoder) Decode(raw interface{}) error {
-	return d.decode("", raw, reflect.ValueOf(d.config.Result).Elem())
-}
-
-// Decodes an unknown data type into a specific reflection value.
-func (d *Decoder) decode(name string, data interface{}, val reflect.Value) error {
-	if data == nil {
-		// If the data is nil, then we don't set anything.
-		return nil
-	}
-
-	dataVal := reflect.ValueOf(data)
-	if !dataVal.IsValid() {
-		// If the data value is invalid, then we just set the value
-		// to be the zero value.
-		val.Set(reflect.Zero(val.Type()))
-		return nil
-	}
-
-	if d.config.DecodeHook != nil {
-		// We have a DecodeHook, so let's pre-process the data.
-		var err error
-		data, err = DecodeHookExec(
-			d.config.DecodeHook,
-			dataVal.Type(), val.Type(), data)
-		if err != nil {
-			return err
-		}
-	}
-
-	var err error
-	dataKind := getKind(val)
-	switch dataKind {
-	case reflect.Bool:
-		err = d.decodeBool(name, data, val)
-	case reflect.Interface:
-		err = d.decodeBasic(name, data, val)
-	case reflect.String:
-		err = d.decodeString(name, data, val)
-	case reflect.Int:
-		err = d.decodeInt(name, data, val)
-	case reflect.Uint:
-		err = d.decodeUint(name, data, val)
-	case reflect.Float32:
-		err = d.decodeFloat(name, data, val)
-	case reflect.Struct:
-		err = d.decodeStruct(name, data, val)
-	case reflect.Map:
-		err = d.decodeMap(name, data, val)
-	case reflect.Ptr:
-		err = d.decodePtr(name, data, val)
-	case reflect.Slice:
-		err = d.decodeSlice(name, data, val)
-	default:
-		// If we reached this point then we weren't able to decode it
-		return fmt.Errorf("%s: unsupported type: %s", name, dataKind)
-	}
-
-	// If we reached here, then we successfully decoded SOMETHING, so
-	// mark the key as used if we're tracking metadata.
-	if d.config.Metadata != nil && name != "" {
-		d.config.Metadata.Keys = append(d.config.Metadata.Keys, name)
-	}
-
-	return err
-}
-
-// This decodes a basic type (bool, int, string, etc.) and sets the
-// value to "data" of that type.
-func (d *Decoder) decodeBasic(name string, data interface{}, val reflect.Value) error {
-	dataVal := reflect.ValueOf(data)
-	if !dataVal.IsValid() {
-		dataVal = reflect.Zero(val.Type())
-	}
-
-	dataValType := dataVal.Type()
-	if !dataValType.AssignableTo(val.Type()) {
-		return fmt.Errorf(
-			"'%s' expected type '%s', got '%s'",
-			name, val.Type(), dataValType)
-	}
-
-	val.Set(dataVal)
-	return nil
-}
-
-func (d *Decoder) decodeString(name string, data interface{}, val reflect.Value) error {
-	dataVal := reflect.ValueOf(data)
-	dataKind := getKind(dataVal)
-
-	converted := true
-	switch {
-	case dataKind == reflect.String:
-		val.SetString(dataVal.String())
-	case dataKind == reflect.Bool && d.config.WeaklyTypedInput:
-		if dataVal.Bool() {
-			val.SetString("1")
-		} else {
-			val.SetString("0")
-		}
-	case dataKind == reflect.Int && d.config.WeaklyTypedInput:
-		val.SetString(strconv.FormatInt(dataVal.Int(), 10))
-	case dataKind == reflect.Uint && d.config.WeaklyTypedInput:
-		val.SetString(strconv.FormatUint(dataVal.Uint(), 10))
-	case dataKind == reflect.Float32 && d.config.WeaklyTypedInput:
-		val.SetString(strconv.FormatFloat(dataVal.Float(), 'f', -1, 64))
-	case dataKind == reflect.Slice && d.config.WeaklyTypedInput:
-		dataType := dataVal.Type()
-		elemKind := dataType.Elem().Kind()
-		switch {
-		case elemKind == reflect.Uint8:
-			val.SetString(string(dataVal.Interface().([]uint8)))
-		default:
-			converted = false
-		}
-	default:
-		converted = false
-	}
-
-	if !converted {
-		return fmt.Errorf(
-			"'%s' expected type '%s', got unconvertible type '%s'",
-			name, val.Type(), dataVal.Type())
-	}
-
-	return nil
-}
-
-func (d *Decoder) decodeInt(name string, data interface{}, val reflect.Value) error {
-	dataVal := reflect.ValueOf(data)
-	dataKind := getKind(dataVal)
-	dataType := dataVal.Type()
-
-	switch {
-	case dataKind == reflect.Int:
-		val.SetInt(dataVal.Int())
-	case dataKind == reflect.Uint:
-		val.SetInt(int64(dataVal.Uint()))
-	case dataKind == reflect.Float32:
-		val.SetInt(int64(dataVal.Float()))
-	case dataKind == reflect.Bool && d.config.WeaklyTypedInput:
-		if dataVal.Bool() {
-			val.SetInt(1)
-		} else {
-			val.SetInt(0)
-		}
-	case dataKind == reflect.String && d.config.WeaklyTypedInput:
-		i, err := strconv.ParseInt(dataVal.String(), 0, val.Type().Bits())
-		if err == nil {
-			val.SetInt(i)
-		} else {
-			return fmt.Errorf("cannot parse '%s' as int: %s", name, err)
-		}
-	case dataType.PkgPath() == "encoding/json" && dataType.Name() == "Number":
-		jn := data.(json.Number)
-		i, err := jn.Int64()
-		if err != nil {
-			return fmt.Errorf(
-				"error decoding json.Number into %s: %s", name, err)
-		}
-		val.SetInt(i)
-	default:
-		return fmt.Errorf(
-			"'%s' expected type '%s', got unconvertible type '%s'",
-			name, val.Type(), dataVal.Type())
-	}
-
-	return nil
-}
-
-func (d *Decoder) decodeUint(name string, data interface{}, val reflect.Value) error {
-	dataVal := reflect.ValueOf(data)
-	dataKind := getKind(dataVal)
-
-	switch {
-	case dataKind == reflect.Int:
-		i := dataVal.Int()
-		if i < 0 && !d.config.WeaklyTypedInput {
-			return fmt.Errorf("cannot parse '%s', %d overflows uint",
-				name, i)
-		}
-		val.SetUint(uint64(i))
-	case dataKind == reflect.Uint:
-		val.SetUint(dataVal.Uint())
-	case dataKind == reflect.Float32:
-		f := dataVal.Float()
-		if f < 0 && !d.config.WeaklyTypedInput {
-			return fmt.Errorf("cannot parse '%s', %f overflows uint",
-				name, f)
-		}
-		val.SetUint(uint64(f))
-	case dataKind == reflect.Bool && d.config.WeaklyTypedInput:
-		if dataVal.Bool() {
-			val.SetUint(1)
-		} else {
-			val.SetUint(0)
-		}
-	case dataKind == reflect.String && d.config.WeaklyTypedInput:
-		i, err := strconv.ParseUint(dataVal.String(), 0, val.Type().Bits())
-		if err == nil {
-			val.SetUint(i)
-		} else {
-			return fmt.Errorf("cannot parse '%s' as uint: %s", name, err)
-		}
-	default:
-		return fmt.Errorf(
-			"'%s' expected type '%s', got unconvertible type '%s'",
-			name, val.Type(), dataVal.Type())
-	}
-
-	return nil
-}
-
-func (d *Decoder) decodeBool(name string, data interface{}, val reflect.Value) error {
-	dataVal := reflect.ValueOf(data)
-	dataKind := getKind(dataVal)
-
-	switch {
-	case dataKind == reflect.Bool:
-		val.SetBool(dataVal.Bool())
-	case dataKind == reflect.Int && d.config.WeaklyTypedInput:
-		val.SetBool(dataVal.Int() != 0)
-	case dataKind == reflect.Uint && d.config.WeaklyTypedInput:
-		val.SetBool(dataVal.Uint() != 0)
-	case dataKind == reflect.Float32 && d.config.WeaklyTypedInput:
-		val.SetBool(dataVal.Float() != 0)
-	case dataKind == reflect.String && d.config.WeaklyTypedInput:
-		b, err := strconv.ParseBool(dataVal.String())
-		if err == nil {
-			val.SetBool(b)
-		} else if dataVal.String() == "" {
-			val.SetBool(false)
-		} else {
-			return fmt.Errorf("cannot parse '%s' as bool: %s", name, err)
-		}
-	default:
-		return fmt.Errorf(
-			"'%s' expected type '%s', got unconvertible type '%s'",
-			name, val.Type(), dataVal.Type())
-	}
-
-	return nil
-}
-
-func (d *Decoder) decodeFloat(name string, data interface{}, val reflect.Value) error {
-	dataVal := reflect.ValueOf(data)
-	dataKind := getKind(dataVal)
-	dataType := dataVal.Type()
-
-	switch {
-	case dataKind == reflect.Int:
-		val.SetFloat(float64(dataVal.Int()))
-	case dataKind == reflect.Uint:
-		val.SetFloat(float64(dataVal.Uint()))
-	case dataKind == reflect.Float32:
-		val.SetFloat(float64(dataVal.Float()))
-	case dataKind == reflect.Bool && d.config.WeaklyTypedInput:
-		if dataVal.Bool() {
-			val.SetFloat(1)
-		} else {
-			val.SetFloat(0)
-		}
-	case dataKind == reflect.String && d.config.WeaklyTypedInput:
-		f, err := strconv.ParseFloat(dataVal.String(), val.Type().Bits())
-		if err == nil {
-			val.SetFloat(f)
-		} else {
-			return fmt.Errorf("cannot parse '%s' as float: %s", name, err)
-		}
-	case dataType.PkgPath() == "encoding/json" && dataType.Name() == "Number":
-		jn := data.(json.Number)
-		i, err := jn.Float64()
-		if err != nil {
-			return fmt.Errorf(
-				"error decoding json.Number into %s: %s", name, err)
-		}
-		val.SetFloat(i)
-	default:
-		return fmt.Errorf(
-			"'%s' expected type '%s', got unconvertible type '%s'",
-			name, val.Type(), dataVal.Type())
-	}
-
-	return nil
-}
-
-func (d *Decoder) decodeMap(name string, data interface{}, val reflect.Value) error {
-	valType := val.Type()
-	valKeyType := valType.Key()
-	valElemType := valType.Elem()
-
-	// By default we overwrite keys in the current map
-	valMap := val
-
-	// If the map is nil or we're purposely zeroing fields, make a new map
-	if valMap.IsNil() || d.config.ZeroFields {
-		// Make a new map to hold our result
-		mapType := reflect.MapOf(valKeyType, valElemType)
-		valMap = reflect.MakeMap(mapType)
-	}
-
-	// Check input type
-	dataVal := reflect.Indirect(reflect.ValueOf(data))
-	if dataVal.Kind() != reflect.Map {
-		// In weak mode, we accept a slice of maps as an input...
-		if d.config.WeaklyTypedInput {
-			switch dataVal.Kind() {
-			case reflect.Array, reflect.Slice:
-				// Special case for BC reasons (covered by tests)
-				if dataVal.Len() == 0 {
-					val.Set(valMap)
-					return nil
-				}
-
-				for i := 0; i < dataVal.Len(); i++ {
-					err := d.decode(
-						fmt.Sprintf("%s[%d]", name, i),
-						dataVal.Index(i).Interface(), val)
-					if err != nil {
-						return err
-					}
-				}
-
-				return nil
-			}
-		}
-
-		return fmt.Errorf("'%s' expected a map, got '%s'", name, dataVal.Kind())
-	}
-
-	// Accumulate errors
-	errors := make([]string, 0)
-
-	for _, k := range dataVal.MapKeys() {
-		fieldName := fmt.Sprintf("%s[%s]", name, k)
-
-		// First decode the key into the proper type
-		currentKey := reflect.Indirect(reflect.New(valKeyType))
-		if err := d.decode(fieldName, k.Interface(), currentKey); err != nil {
-			errors = appendErrors(errors, err)
-			continue
-		}
-
-		// Next decode the data into the proper type
-		v := dataVal.MapIndex(k).Interface()
-		currentVal := reflect.Indirect(reflect.New(valElemType))
-		if err := d.decode(fieldName, v, currentVal); err != nil {
-			errors = appendErrors(errors, err)
-			continue
-		}
-
-		valMap.SetMapIndex(currentKey, currentVal)
-	}
-
-	// Set the built up map to the value
-	val.Set(valMap)
-
-	// If we had errors, return those
-	if len(errors) > 0 {
-		return &Error{errors}
-	}
-
-	return nil
-}
-
-func (d *Decoder) decodePtr(name string, data interface{}, val reflect.Value) error {
-	// Create an element of the concrete (non pointer) type and decode
-	// into that. Then set the value of the pointer to this type.
-	valType := val.Type()
-	valElemType := valType.Elem()
-	realVal := reflect.New(valElemType)
-	if err := d.decode(name, data, reflect.Indirect(realVal)); err != nil {
-		return err
-	}
-
-	val.Set(realVal)
-	return nil
-}
-
-func (d *Decoder) decodeSlice(name string, data interface{}, val reflect.Value) error {
-	dataVal := reflect.Indirect(reflect.ValueOf(data))
-	dataValKind := dataVal.Kind()
-	valType := val.Type()
-	valElemType := valType.Elem()
-	sliceType := reflect.SliceOf(valElemType)
-
-	// Check input type
-	if dataValKind != reflect.Array && dataValKind != reflect.Slice {
-		// Accept empty map instead of array/slice in weakly typed mode
-		if d.config.WeaklyTypedInput && dataVal.Kind() == reflect.Map && dataVal.Len() == 0 {
-			val.Set(reflect.MakeSlice(sliceType, 0, 0))
-			return nil
-		} else {
-			return fmt.Errorf(
-				"'%s': source data must be an array or slice, got %s", name, dataValKind)
-		}
-	}
-
-	// Make a new slice to hold our result, same size as the original data.
-	valSlice := reflect.MakeSlice(sliceType, dataVal.Len(), dataVal.Len())
-
-	// Accumulate any errors
-	errors := make([]string, 0)
-
-	for i := 0; i < dataVal.Len(); i++ {
-		currentData := dataVal.Index(i).Interface()
-		currentField := valSlice.Index(i)
-
-		fieldName := fmt.Sprintf("%s[%d]", name, i)
-		if err := d.decode(fieldName, currentData, currentField); err != nil {
-			errors = appendErrors(errors, err)
-		}
-	}
-
-	// Finally, set the value to the slice we built up
-	val.Set(valSlice)
-
-	// If there were errors, we return those
-	if len(errors) > 0 {
-		return &Error{errors}
-	}
-
-	return nil
-}
-
-func (d *Decoder) decodeStruct(name string, data interface{}, val reflect.Value) error {
-	dataVal := reflect.Indirect(reflect.ValueOf(data))
-
-	// If the type of the value to write to and the data match directly,
-	// then we just set it directly instead of recursing into the structure.
-	if dataVal.Type() == val.Type() {
-		val.Set(dataVal)
-		return nil
-	}
-
-	dataValKind := dataVal.Kind()
-	if dataValKind != reflect.Map {
-		return fmt.Errorf("'%s' expected a map, got '%s'", name, dataValKind)
-	}
-
-	dataValType := dataVal.Type()
-	if kind := dataValType.Key().Kind(); kind != reflect.String && kind != reflect.Interface {
-		return fmt.Errorf(
-			"'%s' needs a map with string keys, has '%s' keys",
-			name, dataValType.Key().Kind())
-	}
-
-	dataValKeys := make(map[reflect.Value]struct{})
-	dataValKeysUnused := make(map[interface{}]struct{})
-	for _, dataValKey := range dataVal.MapKeys() {
-		dataValKeys[dataValKey] = struct{}{}
-		dataValKeysUnused[dataValKey.Interface()] = struct{}{}
-	}
-
-	errors := make([]string, 0)
-
-	// This slice will keep track of all the structs we'll be decoding.
-	// There can be more than one struct if there are embedded structs
-	// that are squashed.
-	structs := make([]reflect.Value, 1, 5)
-	structs[0] = val
-
-	// Compile the list of all the fields that we're going to be decoding
-	// from all the structs.
-	fields := make(map[*reflect.StructField]reflect.Value)
-	for len(structs) > 0 {
-		structVal := structs[0]
-		structs = structs[1:]
-
-		structType := structVal.Type()
-
-		for i := 0; i < structType.NumField(); i++ {
-			fieldType := structType.Field(i)
-			fieldKind := fieldType.Type.Kind()
-
-			// If "squash" is specified in the tag, we squash the field down.
-			squash := false
-			tagParts := strings.Split(fieldType.Tag.Get(d.config.TagName), ",")
-			for _, tag := range tagParts[1:] {
-				if tag == "squash" {
-					squash = true
-					break
-				}
-			}
-
-			if squash {
-				if fieldKind != reflect.Struct {
-					errors = appendErrors(errors,
-						fmt.Errorf("%s: unsupported type for squash: %s", fieldType.Name, fieldKind))
-				} else {
-					structs = append(structs, val.FieldByName(fieldType.Name))
-				}
-				continue
-			}
-
-			// Normal struct field, store it away
-			fields[&fieldType] = structVal.Field(i)
-		}
-	}
-
-	for fieldType, field := range fields {
-		fieldName := fieldType.Name
-
-		tagValue := fieldType.Tag.Get(d.config.TagName)
-		tagValue = strings.SplitN(tagValue, ",", 2)[0]
-		if tagValue != "" {
-			fieldName = tagValue
-		}
-
-		rawMapKey := reflect.ValueOf(fieldName)
-		rawMapVal := dataVal.MapIndex(rawMapKey)
-		if !rawMapVal.IsValid() {
-			// Do a slower search by iterating over each key and
-			// doing case-insensitive search.
-			for dataValKey := range dataValKeys {
-				mK, ok := dataValKey.Interface().(string)
-				if !ok {
-					// Not a string key
-					continue
-				}
-
-				if strings.EqualFold(mK, fieldName) {
-					rawMapKey = dataValKey
-					rawMapVal = dataVal.MapIndex(dataValKey)
-					break
-				}
-			}
-
-			if !rawMapVal.IsValid() {
-				// There was no matching key in the map for the value in
-				// the struct. Just ignore.
-				continue
-			}
-		}
-
-		// Delete the key we're using from the unused map so we stop tracking
-		delete(dataValKeysUnused, rawMapKey.Interface())
-
-		if !field.IsValid() {
-			// This should never happen
-			panic("field is not valid")
-		}
-
-		// If we can't set the field, then it is unexported or something,
-		// and we just continue onwards.
-		if !field.CanSet() {
-			continue
-		}
-
-		// If the name is empty string, then we're at the root, and we
-		// don't dot-join the fields.
-		if name != "" {
-			fieldName = fmt.Sprintf("%s.%s", name, fieldName)
-		}
-
-		if err := d.decode(fieldName, rawMapVal.Interface(), field); err != nil {
-			errors = appendErrors(errors, err)
-		}
-	}
-
-	if d.config.ErrorUnused && len(dataValKeysUnused) > 0 {
-		keys := make([]string, 0, len(dataValKeysUnused))
-		for rawKey := range dataValKeysUnused {
-			keys = append(keys, rawKey.(string))
-		}
-		sort.Strings(keys)
-
-		err := fmt.Errorf("'%s' has invalid keys: %s", name, strings.Join(keys, ", "))
-		errors = appendErrors(errors, err)
-	}
-
-	if len(errors) > 0 {
-		return &Error{errors}
-	}
-
-	// Add the unused keys to the list of unused keys if we're tracking metadata
-	if d.config.Metadata != nil {
-		for rawKey := range dataValKeysUnused {
-			key := rawKey.(string)
-			if name != "" {
-				key = fmt.Sprintf("%s.%s", name, key)
-			}
-
-			d.config.Metadata.Unused = append(d.config.Metadata.Unused, key)
-		}
-	}
-
-	return nil
-}
-
-func getKind(val reflect.Value) reflect.Kind {
-	kind := val.Kind()
-
-	switch {
-	case kind >= reflect.Int && kind <= reflect.Int64:
-		return reflect.Int
-	case kind >= reflect.Uint && kind <= reflect.Uint64:
-		return reflect.Uint
-	case kind >= reflect.Float32 && kind <= reflect.Float64:
-		return reflect.Float32
-	default:
-		return kind
-	}
-}

vendor/github.com/xeipuuv/gojsonpointer/LICENSE-APACHE-2.0.txt

@@ -1,202 +0,0 @@
-
-                                 Apache License
-                           Version 2.0, January 2004
-                        http://www.apache.org/licenses/
-
-   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
-
-   1. Definitions.
-
-      "License" shall mean the terms and conditions for use, reproduction,
-      and distribution as defined by Sections 1 through 9 of this document.
-
-      "Licensor" shall mean the copyright owner or entity authorized by
-      the copyright owner that is granting the License.
-
-      "Legal Entity" shall mean the union of the acting entity and all
-      other entities that control, are controlled by, or are under common
-      control with that entity. For the purposes of this definition,
-      "control" means (i) the power, direct or indirect, to cause the
-      direction or management of such entity, whether by contract or
-      otherwise, or (ii) ownership of fifty percent (50%) or more of the
-      outstanding shares, or (iii) beneficial ownership of such entity.
-
-      "You" (or "Your") shall mean an individual or Legal Entity
-      exercising permissions granted by this License.
-
-      "Source" form shall mean the preferred form for making modifications,
-      including but not limited to software source code, documentation
-      source, and configuration files.
-
-      "Object" form shall mean any form resulting from mechanical
-      transformation or translation of a Source form, including but
-      not limited to compiled object code, generated documentation,
-      and conversions to other media types.
-
-      "Work" shall mean the work of authorship, whether in Source or
-      Object form, made available under the License, as indicated by a
-      copyright notice that is included in or attached to the work
-      (an example is provided in the Appendix below).
-
-      "Derivative Works" shall mean any work, whether in Source or Object
-      form, that is based on (or derived from) the Work and for which the
-      editorial revisions, annotations, elaborations, or other modifications
-      represent, as a whole, an original work of authorship. For the purposes
-      of this License, Derivative Works shall not include works that remain
-      separable from, or merely link (or bind by name) to the interfaces of,
-      the Work and Derivative Works thereof.
-
-      "Contribution" shall mean any work of authorship, including
-      the original version of the Work and any modifications or additions
-      to that Work or Derivative Works thereof, that is intentionally
-      submitted to Licensor for inclusion in the Work by the copyright owner
-      or by an individual or Legal Entity authorized to submit on behalf of
-      the copyright owner. For the purposes of this definition, "submitted"
-      means any form of electronic, verbal, or written communication sent
-      to the Licensor or its representatives, including but not limited to
-      communication on electronic mailing lists, source code control systems,
-      and issue tracking systems that are managed by, or on behalf of, the
-      Licensor for the purpose of discussing and improving the Work, but
-      excluding communication that is conspicuously marked or otherwise
-      designated in writing by the copyright owner as "Not a Contribution."
-
-      "Contributor" shall mean Licensor and any individual or Legal Entity
-      on behalf of whom a Contribution has been received by Licensor and
-      subsequently incorporated within the Work.
-
-   2. Grant of Copyright License. Subject to the terms and conditions of
-      this License, each Contributor hereby grants to You a perpetual,
-      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
-      copyright license to reproduce, prepare Derivative Works of,
-      publicly display, publicly perform, sublicense, and distribute the
-      Work and such Derivative Works in Source or Object form.
-
-   3. Grant of Patent License. Subject to the terms and conditions of
-      this License, each Contributor hereby grants to You a perpetual,
-      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
-      (except as stated in this section) patent license to make, have made,
-      use, offer to sell, sell, import, and otherwise transfer the Work,
-      where such license applies only to those patent claims licensable
-      by such Contributor that are necessarily infringed by their
-      Contribution(s) alone or by combination of their Contribution(s)
-      with the Work to which such Contribution(s) was submitted. If You
-      institute patent litigation against any entity (including a
-      cross-claim or counterclaim in a lawsuit) alleging that the Work
-      or a Contribution incorporated within the Work constitutes direct
-      or contributory patent infringement, then any patent licenses
-      granted to You under this License for that Work shall terminate
-      as of the date such litigation is filed.
-
-   4. Redistribution. You may reproduce and distribute copies of the
-      Work or Derivative Works thereof in any medium, with or without
-      modifications, and in Source or Object form, provided that You
-      meet the following conditions:
-
-      (a) You must give any other recipients of the Work or
-          Derivative Works a copy of this License; and
-
-      (b) You must cause any modified files to carry prominent notices
-          stating that You changed the files; and
-
-      (c) You must retain, in the Source form of any Derivative Works
-          that You distribute, all copyright, patent, trademark, and
-          attribution notices from the Source form of the Work,
-          excluding those notices that do not pertain to any part of
-          the Derivative Works; and
-
-      (d) If the Work includes a "NOTICE" text file as part of its
-          distribution, then any Derivative Works that You distribute must
-          include a readable copy of the attribution notices contained
-          within such NOTICE file, excluding those notices that do not
-          pertain to any part of the Derivative Works, in at least one
-          of the following places: within a NOTICE text file distributed
-          as part of the Derivative Works; within the Source form or
-          documentation, if provided along with the Derivative Works; or,
-          within a display generated by the Derivative Works, if and
-          wherever such third-party notices normally appear. The contents
-          of the NOTICE file are for informational purposes only and
-          do not modify the License. You may add Your own attribution
-          notices within Derivative Works that You distribute, alongside
-          or as an addendum to the NOTICE text from the Work, provided
-          that such additional attribution notices cannot be construed
-          as modifying the License.
-
-      You may add Your own copyright statement to Your modifications and
-      may provide additional or different license terms and conditions
-      for use, reproduction, or distribution of Your modifications, or
-      for any such Derivative Works as a whole, provided Your use,
-      reproduction, and distribution of the Work otherwise complies with
-      the conditions stated in this License.
-
-   5. Submission of Contributions. Unless You explicitly state otherwise,
-      any Contribution intentionally submitted for inclusion in the Work
-      by You to the Licensor shall be under the terms and conditions of
-      this License, without any additional terms or conditions.
-      Notwithstanding the above, nothing herein shall supersede or modify
-      the terms of any separate license agreement you may have executed
-      with Licensor regarding such Contributions.
-
-   6. Trademarks. This License does not grant permission to use the trade
-      names, trademarks, service marks, or product names of the Licensor,
-      except as required for reasonable and customary use in describing the
-      origin of the Work and reproducing the content of the NOTICE file.
-
-   7. Disclaimer of Warranty. Unless required by applicable law or
-      agreed to in writing, Licensor provides the Work (and each
-      Contributor provides its Contributions) on an "AS IS" BASIS,
-      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
-      implied, including, without limitation, any warranties or conditions
-      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
-      PARTICULAR PURPOSE. You are solely responsible for determining the
-      appropriateness of using or redistributing the Work and assume any
-      risks associated with Your exercise of permissions under this License.
-
-   8. Limitation of Liability. In no event and under no legal theory,
-      whether in tort (including negligence), contract, or otherwise,
-      unless required by applicable law (such as deliberate and grossly
-      negligent acts) or agreed to in writing, shall any Contributor be
-      liable to You for damages, including any direct, indirect, special,
-      incidental, or consequential damages of any character arising as a
-      result of this License or out of the use or inability to use the
-      Work (including but not limited to damages for loss of goodwill,
-      work stoppage, computer failure or malfunction, or any and all
-      other commercial damages or losses), even if such Contributor
-      has been advised of the possibility of such damages.
-
-   9. Accepting Warranty or Additional Liability. While redistributing
-      the Work or Derivative Works thereof, You may choose to offer,
-      and charge a fee for, acceptance of support, warranty, indemnity,
-      or other liability obligations and/or rights consistent with this
-      License. However, in accepting such obligations, You may act only
-      on Your own behalf and on Your sole responsibility, not on behalf
-      of any other Contributor, and only if You agree to indemnify,
-      defend, and hold each Contributor harmless for any liability
-      incurred by, or claims asserted against, such Contributor by reason
-      of your accepting any such warranty or additional liability.
-
-   END OF TERMS AND CONDITIONS
-
-   APPENDIX: How to apply the Apache License to your work.
-
-      To apply the Apache License to your work, attach the following
-      boilerplate notice, with the fields enclosed by brackets "[]"
-      replaced with your own identifying information. (Don't include
-      the brackets!)  The text should be enclosed in the appropriate
-      comment syntax for the file format. We also recommend that a
-      file or class name and description of purpose be included on the
-      same "printed page" as the copyright notice for easier
-      identification within third-party archives.
-
-   Copyright 2015 xeipuuv
-
-   Licensed under the Apache License, Version 2.0 (the "License");
-   you may not use this file except in compliance with the License.
-   You may obtain a copy of the License at
-
-       http://www.apache.org/licenses/LICENSE-2.0
-
-   Unless required by applicable law or agreed to in writing, software
-   distributed under the License is distributed on an "AS IS" BASIS,
-   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-   See the License for the specific language governing permissions and
-   limitations under the License.

vendor/github.com/xeipuuv/gojsonpointer/README.md

@@ -1,8 +0,0 @@
-# gojsonpointer
-An implementation of JSON Pointer - Go language
-
-## References
-http://tools.ietf.org/html/draft-ietf-appsawg-json-pointer-07
-
-### Note
-The 4.Evaluation part of the previous reference, starting with 'If the currently referenced value is a JSON array, the reference token MUST contain either...' is not implemented.

vendor/github.com/xeipuuv/gojsonpointer/pointer.go

@@ -1,217 +0,0 @@
-// Copyright 2015 xeipuuv ( https://github.com/xeipuuv )
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//   http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-// author  			xeipuuv
-// author-github 	https://github.com/xeipuuv
-// author-mail		xeipuuv@gmail.com
-//
-// repository-name	gojsonpointer
-// repository-desc	An implementation of JSON Pointer - Go language
-//
-// description		Main and unique file.
-//
-// created      	25-02-2013
-
-package gojsonpointer
-
-import (
-	"errors"
-	"fmt"
-	"reflect"
-	"strconv"
-	"strings"
-)
-
-const (
-	const_empty_pointer     = ``
-	const_pointer_separator = `/`
-
-	const_invalid_start = `JSON pointer must be empty or start with a "` + const_pointer_separator + `"`
-)
-
-type implStruct struct {
-	mode string // "SET" or "GET"
-
-	inDocument interface{}
-
-	setInValue interface{}
-
-	getOutNode interface{}
-	getOutKind reflect.Kind
-	outError   error
-}
-
-func NewJsonPointer(jsonPointerString string) (JsonPointer, error) {
-
-	var p JsonPointer
-	err := p.parse(jsonPointerString)
-	return p, err
-
-}
-
-type JsonPointer struct {
-	referenceTokens []string
-}
-
-// "Constructor", parses the given string JSON pointer
-func (p *JsonPointer) parse(jsonPointerString string) error {
-
-	var err error
-
-	if jsonPointerString != const_empty_pointer {
-		if !strings.HasPrefix(jsonPointerString, const_pointer_separator) {
-			err = errors.New(const_invalid_start)
-		} else {
-			referenceTokens := strings.Split(jsonPointerString, const_pointer_separator)
-			for _, referenceToken := range referenceTokens[1:] {
-				p.referenceTokens = append(p.referenceTokens, referenceToken)
-			}
-		}
-	}
-
-	return err
-}
-
-// Uses the pointer to retrieve a value from a JSON document
-func (p *JsonPointer) Get(document interface{}) (interface{}, reflect.Kind, error) {
-
-	is := &implStruct{mode: "GET", inDocument: document}
-	p.implementation(is)
-	return is.getOutNode, is.getOutKind, is.outError
-
-}
-
-// Uses the pointer to update a value from a JSON document
-func (p *JsonPointer) Set(document interface{}, value interface{}) (interface{}, error) {
-
-	is := &implStruct{mode: "SET", inDocument: document, setInValue: value}
-	p.implementation(is)
-	return document, is.outError
-
-}
-
-// Both Get and Set functions use the same implementation to avoid code duplication
-func (p *JsonPointer) implementation(i *implStruct) {
-
-	kind := reflect.Invalid
-
-	// Full document when empty
-	if len(p.referenceTokens) == 0 {
-		i.getOutNode = i.inDocument
-		i.outError = nil
-		i.getOutKind = kind
-		i.outError = nil
-		return
-	}
-
-	node := i.inDocument
-
-	for ti, token := range p.referenceTokens {
-
-		decodedToken := decodeReferenceToken(token)
-		isLastToken := ti == len(p.referenceTokens)-1
-
-		rValue := reflect.ValueOf(node)
-		kind = rValue.Kind()
-
-		switch kind {
-
-		case reflect.Map:
-			m := node.(map[string]interface{})
-			if _, ok := m[decodedToken]; ok {
-				node = m[decodedToken]
-				if isLastToken && i.mode == "SET" {
-					m[decodedToken] = i.setInValue
-				}
-			} else {
-				i.outError = errors.New(fmt.Sprintf("Object has no key '%s'", token))
-				i.getOutKind = kind
-				i.getOutNode = nil
-				return
-			}
-
-		case reflect.Slice:
-			s := node.([]interface{})
-			tokenIndex, err := strconv.Atoi(token)
-			if err != nil {
-				i.outError = errors.New(fmt.Sprintf("Invalid array index '%s'", token))
-				i.getOutKind = kind
-				i.getOutNode = nil
-				return
-			}
-			sLength := len(s)
-			if tokenIndex < 0 || tokenIndex >= sLength {
-				i.outError = errors.New(fmt.Sprintf("Out of bound array[0,%d] index '%d'", sLength, tokenIndex))
-				i.getOutKind = kind
-				i.getOutNode = nil
-				return
-			}
-
-			node = s[tokenIndex]
-			if isLastToken && i.mode == "SET" {
-				s[tokenIndex] = i.setInValue
-			}
-
-		default:
-			i.outError = errors.New(fmt.Sprintf("Invalid token reference '%s'", token))
-			i.getOutKind = kind
-			i.getOutNode = nil
-			return
-		}
-
-	}
-
-	rValue := reflect.ValueOf(node)
-	kind = rValue.Kind()
-
-	i.getOutNode = node
-	i.getOutKind = kind
-	i.outError = nil
-}
-
-// Pointer to string representation function
-func (p *JsonPointer) String() string {
-
-	if len(p.referenceTokens) == 0 {
-		return const_empty_pointer
-	}
-
-	pointerString := const_pointer_separator + strings.Join(p.referenceTokens, const_pointer_separator)
-
-	return pointerString
-}
-
-// Specific JSON pointer encoding here
-// ~0 => ~
-// ~1 => /
-// ... and vice versa
-
-const (
-	const_encoded_reference_token_0 = `~0`
-	const_encoded_reference_token_1 = `~1`
-	const_decoded_reference_token_0 = `~`
-	const_decoded_reference_token_1 = `/`
-)
-
-func decodeReferenceToken(token string) string {
-	step1 := strings.Replace(token, const_encoded_reference_token_1, const_decoded_reference_token_1, -1)
-	step2 := strings.Replace(step1, const_encoded_reference_token_0, const_decoded_reference_token_0, -1)
-	return step2
-}
-
-func encodeReferenceToken(token string) string {
-	step1 := strings.Replace(token, const_decoded_reference_token_1, const_encoded_reference_token_1, -1)
-	step2 := strings.Replace(step1, const_decoded_reference_token_0, const_encoded_reference_token_0, -1)
-	return step2
-}

vendor/github.com/xeipuuv/gojsonreference/LICENSE-APACHE-2.0.txt

@@ -1,202 +0,0 @@
-
-                                 Apache License
-                           Version 2.0, January 2004
-                        http://www.apache.org/licenses/
-
-   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
-
-   1. Definitions.
-
-      "License" shall mean the terms and conditions for use, reproduction,
-      and distribution as defined by Sections 1 through 9 of this document.
-
-      "Licensor" shall mean the copyright owner or entity authorized by
-      the copyright owner that is granting the License.
-
-      "Legal Entity" shall mean the union of the acting entity and all
-      other entities that control, are controlled by, or are under common
-      control with that entity. For the purposes of this definition,
-      "control" means (i) the power, direct or indirect, to cause the
-      direction or management of such entity, whether by contract or
-      otherwise, or (ii) ownership of fifty percent (50%) or more of the
-      outstanding shares, or (iii) beneficial ownership of such entity.
-
-      "You" (or "Your") shall mean an individual or Legal Entity
-      exercising permissions granted by this License.
-
-      "Source" form shall mean the preferred form for making modifications,
-      including but not limited to software source code, documentation
-      source, and configuration files.
-
-      "Object" form shall mean any form resulting from mechanical
-      transformation or translation of a Source form, including but
-      not limited to compiled object code, generated documentation,
-      and conversions to other media types.
-
-      "Work" shall mean the work of authorship, whether in Source or
-      Object form, made available under the License, as indicated by a
-      copyright notice that is included in or attached to the work
-      (an example is provided in the Appendix below).
-
-      "Derivative Works" shall mean any work, whether in Source or Object
-      form, that is based on (or derived from) the Work and for which the
-      editorial revisions, annotations, elaborations, or other modifications
-      represent, as a whole, an original work of authorship. For the purposes
-      of this License, Derivative Works shall not include works that remain
-      separable from, or merely link (or bind by name) to the interfaces of,
-      the Work and Derivative Works thereof.
-
-      "Contribution" shall mean any work of authorship, including
-      the original version of the Work and any modifications or additions
-      to that Work or Derivative Works thereof, that is intentionally
-      submitted to Licensor for inclusion in the Work by the copyright owner
-      or by an individual or Legal Entity authorized to submit on behalf of
-      the copyright owner. For the purposes of this definition, "submitted"
-      means any form of electronic, verbal, or written communication sent
-      to the Licensor or its representatives, including but not limited to
-      communication on electronic mailing lists, source code control systems,
-      and issue tracking systems that are managed by, or on behalf of, the
-      Licensor for the purpose of discussing and improving the Work, but
-      excluding communication that is conspicuously marked or otherwise
-      designated in writing by the copyright owner as "Not a Contribution."
-
-      "Contributor" shall mean Licensor and any individual or Legal Entity
-      on behalf of whom a Contribution has been received by Licensor and
-      subsequently incorporated within the Work.
-
-   2. Grant of Copyright License. Subject to the terms and conditions of
-      this License, each Contributor hereby grants to You a perpetual,
-      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
-      copyright license to reproduce, prepare Derivative Works of,
-      publicly display, publicly perform, sublicense, and distribute the
-      Work and such Derivative Works in Source or Object form.
-
-   3. Grant of Patent License. Subject to the terms and conditions of
-      this License, each Contributor hereby grants to You a perpetual,
-      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
-      (except as stated in this section) patent license to make, have made,
-      use, offer to sell, sell, import, and otherwise transfer the Work,
-      where such license applies only to those patent claims licensable
-      by such Contributor that are necessarily infringed by their
-      Contribution(s) alone or by combination of their Contribution(s)
-      with the Work to which such Contribution(s) was submitted. If You
-      institute patent litigation against any entity (including a
-      cross-claim or counterclaim in a lawsuit) alleging that the Work
-      or a Contribution incorporated within the Work constitutes direct
-      or contributory patent infringement, then any patent licenses
-      granted to You under this License for that Work shall terminate
-      as of the date such litigation is filed.
-
-   4. Redistribution. You may reproduce and distribute copies of the
-      Work or Derivative Works thereof in any medium, with or without
-      modifications, and in Source or Object form, provided that You
-      meet the following conditions:
-
-      (a) You must give any other recipients of the Work or
-          Derivative Works a copy of this License; and
-
-      (b) You must cause any modified files to carry prominent notices
-          stating that You changed the files; and
-
-      (c) You must retain, in the Source form of any Derivative Works
-          that You distribute, all copyright, patent, trademark, and
-          attribution notices from the Source form of the Work,
-          excluding those notices that do not pertain to any part of
-          the Derivative Works; and
-
-      (d) If the Work includes a "NOTICE" text file as part of its
-          distribution, then any Derivative Works that You distribute must
-          include a readable copy of the attribution notices contained
-          within such NOTICE file, excluding those notices that do not
-          pertain to any part of the Derivative Works, in at least one
-          of the following places: within a NOTICE text file distributed
-          as part of the Derivative Works; within the Source form or
-          documentation, if provided along with the Derivative Works; or,
-          within a display generated by the Derivative Works, if and
-          wherever such third-party notices normally appear. The contents
-          of the NOTICE file are for informational purposes only and
-          do not modify the License. You may add Your own attribution
-          notices within Derivative Works that You distribute, alongside
-          or as an addendum to the NOTICE text from the Work, provided
-          that such additional attribution notices cannot be construed
-          as modifying the License.
-
-      You may add Your own copyright statement to Your modifications and
-      may provide additional or different license terms and conditions
-      for use, reproduction, or distribution of Your modifications, or
-      for any such Derivative Works as a whole, provided Your use,
-      reproduction, and distribution of the Work otherwise complies with
-      the conditions stated in this License.
-
-   5. Submission of Contributions. Unless You explicitly state otherwise,
-      any Contribution intentionally submitted for inclusion in the Work
-      by You to the Licensor shall be under the terms and conditions of
-      this License, without any additional terms or conditions.
-      Notwithstanding the above, nothing herein shall supersede or modify
-      the terms of any separate license agreement you may have executed
-      with Licensor regarding such Contributions.
-
-   6. Trademarks. This License does not grant permission to use the trade
-      names, trademarks, service marks, or product names of the Licensor,
-      except as required for reasonable and customary use in describing the
-      origin of the Work and reproducing the content of the NOTICE file.
-
-   7. Disclaimer of Warranty. Unless required by applicable law or
-      agreed to in writing, Licensor provides the Work (and each
-      Contributor provides its Contributions) on an "AS IS" BASIS,
-      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
-      implied, including, without limitation, any warranties or conditions
-      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
-      PARTICULAR PURPOSE. You are solely responsible for determining the
-      appropriateness of using or redistributing the Work and assume any
-      risks associated with Your exercise of permissions under this License.
-
-   8. Limitation of Liability. In no event and under no legal theory,
-      whether in tort (including negligence), contract, or otherwise,
-      unless required by applicable law (such as deliberate and grossly
-      negligent acts) or agreed to in writing, shall any Contributor be
-      liable to You for damages, including any direct, indirect, special,
-      incidental, or consequential damages of any character arising as a
-      result of this License or out of the use or inability to use the
-      Work (including but not limited to damages for loss of goodwill,
-      work stoppage, computer failure or malfunction, or any and all
-      other commercial damages or losses), even if such Contributor
-      has been advised of the possibility of such damages.
-
-   9. Accepting Warranty or Additional Liability. While redistributing
-      the Work or Derivative Works thereof, You may choose to offer,
-      and charge a fee for, acceptance of support, warranty, indemnity,
-      or other liability obligations and/or rights consistent with this
-      License. However, in accepting such obligations, You may act only
-      on Your own behalf and on Your sole responsibility, not on behalf
-      of any other Contributor, and only if You agree to indemnify,
-      defend, and hold each Contributor harmless for any liability
-      incurred by, or claims asserted against, such Contributor by reason
-      of your accepting any such warranty or additional liability.
-
-   END OF TERMS AND CONDITIONS
-
-   APPENDIX: How to apply the Apache License to your work.
-
-      To apply the Apache License to your work, attach the following
-      boilerplate notice, with the fields enclosed by brackets "[]"
-      replaced with your own identifying information. (Don't include
-      the brackets!)  The text should be enclosed in the appropriate
-      comment syntax for the file format. We also recommend that a
-      file or class name and description of purpose be included on the
-      same "printed page" as the copyright notice for easier
-      identification within third-party archives.
-
-   Copyright 2015 xeipuuv
-
-   Licensed under the Apache License, Version 2.0 (the "License");
-   you may not use this file except in compliance with the License.
-   You may obtain a copy of the License at
-
-       http://www.apache.org/licenses/LICENSE-2.0
-
-   Unless required by applicable law or agreed to in writing, software
-   distributed under the License is distributed on an "AS IS" BASIS,
-   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-   See the License for the specific language governing permissions and
-   limitations under the License.

vendor/github.com/xeipuuv/gojsonreference/README.md

@@ -1,10 +0,0 @@
-# gojsonreference
-An implementation of JSON Reference - Go language
-
-## Dependencies
-https://github.com/xeipuuv/gojsonpointer
-
-## References
-http://tools.ietf.org/html/draft-ietf-appsawg-json-pointer-07
-
-http://tools.ietf.org/html/draft-pbryan-zyp-json-ref-03

vendor/github.com/xeipuuv/gojsonreference/reference.go

@@ -1,141 +0,0 @@
-// Copyright 2015 xeipuuv ( https://github.com/xeipuuv )
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//   http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-// author  			xeipuuv
-// author-github 	https://github.com/xeipuuv
-// author-mail		xeipuuv@gmail.com
-//
-// repository-name	gojsonreference
-// repository-desc	An implementation of JSON Reference - Go language
-//
-// description		Main and unique file.
-//
-// created      	26-02-2013
-
-package gojsonreference
-
-import (
-	"errors"
-	"github.com/xeipuuv/gojsonpointer"
-	"net/url"
-	"path/filepath"
-	"runtime"
-	"strings"
-)
-
-const (
-	const_fragment_char = `#`
-)
-
-func NewJsonReference(jsonReferenceString string) (JsonReference, error) {
-
-	var r JsonReference
-	err := r.parse(jsonReferenceString)
-	return r, err
-
-}
-
-type JsonReference struct {
-	referenceUrl     *url.URL
-	referencePointer gojsonpointer.JsonPointer
-
-	HasFullUrl      bool
-	HasUrlPathOnly  bool
-	HasFragmentOnly bool
-	HasFileScheme   bool
-	HasFullFilePath bool
-}
-
-func (r *JsonReference) GetUrl() *url.URL {
-	return r.referenceUrl
-}
-
-func (r *JsonReference) GetPointer() *gojsonpointer.JsonPointer {
-	return &r.referencePointer
-}
-
-func (r *JsonReference) String() string {
-
-	if r.referenceUrl != nil {
-		return r.referenceUrl.String()
-	}
-
-	if r.HasFragmentOnly {
-		return const_fragment_char + r.referencePointer.String()
-	}
-
-	return r.referencePointer.String()
-}
-
-func (r *JsonReference) IsCanonical() bool {
-	return (r.HasFileScheme && r.HasFullFilePath) || (!r.HasFileScheme && r.HasFullUrl)
-}
-
-// "Constructor", parses the given string JSON reference
-func (r *JsonReference) parse(jsonReferenceString string) (err error) {
-
-	r.referenceUrl, err = url.Parse(jsonReferenceString)
-	if err != nil {
-		return
-	}
-	refUrl := r.referenceUrl
-
-	if refUrl.Scheme != "" && refUrl.Host != "" {
-		r.HasFullUrl = true
-	} else {
-		if refUrl.Path != "" {
-			r.HasUrlPathOnly = true
-		} else if refUrl.RawQuery == "" && refUrl.Fragment != "" {
-			r.HasFragmentOnly = true
-		}
-	}
-
-	r.HasFileScheme = refUrl.Scheme == "file"
-	if runtime.GOOS == "windows" {
-		// on Windows, a file URL may have an extra leading slash, and if it
-		// doesn't then its first component will be treated as the host by the
-		// Go runtime
-		if refUrl.Host == "" && strings.HasPrefix(refUrl.Path, "/") {
-			r.HasFullFilePath = filepath.IsAbs(refUrl.Path[1:])
-		} else {
-			r.HasFullFilePath = filepath.IsAbs(refUrl.Host + refUrl.Path)
-		}
-	} else {
-		r.HasFullFilePath = filepath.IsAbs(refUrl.Path)
-	}
-
-	// invalid json-pointer error means url has no json-pointer fragment. simply ignore error
-	r.referencePointer, _ = gojsonpointer.NewJsonPointer(refUrl.Fragment)
-
-	return
-}
-
-// Creates a new reference from a parent and a child
-// If the child cannot inherit from the parent, an error is returned
-func (r *JsonReference) Inherits(child JsonReference) (*JsonReference, error) {
-	childUrl := child.GetUrl()
-	parentUrl := r.GetUrl()
-	if childUrl == nil {
-		return nil, errors.New("childUrl is nil!")
-	}
-	if parentUrl == nil {
-		return nil, errors.New("parentUrl is nil!")
-	}
-
-	ref, err := NewJsonReference(parentUrl.ResolveReference(childUrl).String())
-	if err != nil {
-		return nil, err
-	}
-	return &ref, err
-}

vendor/github.com/xeipuuv/gojsonschema/LICENSE-APACHE-2.0.txt

@@ -1,202 +0,0 @@
-
-                                 Apache License
-                           Version 2.0, January 2004
-                        http://www.apache.org/licenses/
-
-   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
-
-   1. Definitions.
-
-      "License" shall mean the terms and conditions for use, reproduction,
-      and distribution as defined by Sections 1 through 9 of this document.
-
-      "Licensor" shall mean the copyright owner or entity authorized by
-      the copyright owner that is granting the License.
-
-      "Legal Entity" shall mean the union of the acting entity and all
-      other entities that control, are controlled by, or are under common
-      control with that entity. For the purposes of this definition,
-      "control" means (i) the power, direct or indirect, to cause the
-      direction or management of such entity, whether by contract or
-      otherwise, or (ii) ownership of fifty percent (50%) or more of the
-      outstanding shares, or (iii) beneficial ownership of such entity.
-
-      "You" (or "Your") shall mean an individual or Legal Entity
-      exercising permissions granted by this License.
-
-      "Source" form shall mean the preferred form for making modifications,
-      including but not limited to software source code, documentation
-      source, and configuration files.
-
-      "Object" form shall mean any form resulting from mechanical
-      transformation or translation of a Source form, including but
-      not limited to compiled object code, generated documentation,
-      and conversions to other media types.
-
-      "Work" shall mean the work of authorship, whether in Source or
-      Object form, made available under the License, as indicated by a
-      copyright notice that is included in or attached to the work
-      (an example is provided in the Appendix below).
-
-      "Derivative Works" shall mean any work, whether in Source or Object
-      form, that is based on (or derived from) the Work and for which the
-      editorial revisions, annotations, elaborations, or other modifications
-      represent, as a whole, an original work of authorship. For the purposes
-      of this License, Derivative Works shall not include works that remain
-      separable from, or merely link (or bind by name) to the interfaces of,
-      the Work and Derivative Works thereof.
-
-      "Contribution" shall mean any work of authorship, including
-      the original version of the Work and any modifications or additions
-      to that Work or Derivative Works thereof, that is intentionally
-      submitted to Licensor for inclusion in the Work by the copyright owner
-      or by an individual or Legal Entity authorized to submit on behalf of
-      the copyright owner. For the purposes of this definition, "submitted"
-      means any form of electronic, verbal, or written communication sent
-      to the Licensor or its representatives, including but not limited to
-      communication on electronic mailing lists, source code control systems,
-      and issue tracking systems that are managed by, or on behalf of, the
-      Licensor for the purpose of discussing and improving the Work, but
-      excluding communication that is conspicuously marked or otherwise
-      designated in writing by the copyright owner as "Not a Contribution."
-
-      "Contributor" shall mean Licensor and any individual or Legal Entity
-      on behalf of whom a Contribution has been received by Licensor and
-      subsequently incorporated within the Work.
-
-   2. Grant of Copyright License. Subject to the terms and conditions of
-      this License, each Contributor hereby grants to You a perpetual,
-      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
-      copyright license to reproduce, prepare Derivative Works of,
-      publicly display, publicly perform, sublicense, and distribute the
-      Work and such Derivative Works in Source or Object form.
-
-   3. Grant of Patent License. Subject to the terms and conditions of
-      this License, each Contributor hereby grants to You a perpetual,
-      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
-      (except as stated in this section) patent license to make, have made,
-      use, offer to sell, sell, import, and otherwise transfer the Work,
-      where such license applies only to those patent claims licensable
-      by such Contributor that are necessarily infringed by their
-      Contribution(s) alone or by combination of their Contribution(s)
-      with the Work to which such Contribution(s) was submitted. If You
-      institute patent litigation against any entity (including a
-      cross-claim or counterclaim in a lawsuit) alleging that the Work
-      or a Contribution incorporated within the Work constitutes direct
-      or contributory patent infringement, then any patent licenses
-      granted to You under this License for that Work shall terminate
-      as of the date such litigation is filed.
-
-   4. Redistribution. You may reproduce and distribute copies of the
-      Work or Derivative Works thereof in any medium, with or without
-      modifications, and in Source or Object form, provided that You
-      meet the following conditions:
-
-      (a) You must give any other recipients of the Work or
-          Derivative Works a copy of this License; and
-
-      (b) You must cause any modified files to carry prominent notices
-          stating that You changed the files; and
-
-      (c) You must retain, in the Source form of any Derivative Works
-          that You distribute, all copyright, patent, trademark, and
-          attribution notices from the Source form of the Work,
-          excluding those notices that do not pertain to any part of
-          the Derivative Works; and
-
-      (d) If the Work includes a "NOTICE" text file as part of its
-          distribution, then any Derivative Works that You distribute must
-          include a readable copy of the attribution notices contained
-          within such NOTICE file, excluding those notices that do not
-          pertain to any part of the Derivative Works, in at least one
-          of the following places: within a NOTICE text file distributed
-          as part of the Derivative Works; within the Source form or
-          documentation, if provided along with the Derivative Works; or,
-          within a display generated by the Derivative Works, if and
-          wherever such third-party notices normally appear. The contents
-          of the NOTICE file are for informational purposes only and
-          do not modify the License. You may add Your own attribution
-          notices within Derivative Works that You distribute, alongside
-          or as an addendum to the NOTICE text from the Work, provided
-          that such additional attribution notices cannot be construed
-          as modifying the License.
-
-      You may add Your own copyright statement to Your modifications and
-      may provide additional or different license terms and conditions
-      for use, reproduction, or distribution of Your modifications, or
-      for any such Derivative Works as a whole, provided Your use,
-      reproduction, and distribution of the Work otherwise complies with
-      the conditions stated in this License.
-
-   5. Submission of Contributions. Unless You explicitly state otherwise,
-      any Contribution intentionally submitted for inclusion in the Work
-      by You to the Licensor shall be under the terms and conditions of
-      this License, without any additional terms or conditions.
-      Notwithstanding the above, nothing herein shall supersede or modify
-      the terms of any separate license agreement you may have executed
-      with Licensor regarding such Contributions.
-
-   6. Trademarks. This License does not grant permission to use the trade
-      names, trademarks, service marks, or product names of the Licensor,
-      except as required for reasonable and customary use in describing the
-      origin of the Work and reproducing the content of the NOTICE file.
-
-   7. Disclaimer of Warranty. Unless required by applicable law or
-      agreed to in writing, Licensor provides the Work (and each
-      Contributor provides its Contributions) on an "AS IS" BASIS,
-      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
-      implied, including, without limitation, any warranties or conditions
-      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
-      PARTICULAR PURPOSE. You are solely responsible for determining the
-      appropriateness of using or redistributing the Work and assume any
-      risks associated with Your exercise of permissions under this License.
-
-   8. Limitation of Liability. In no event and under no legal theory,
-      whether in tort (including negligence), contract, or otherwise,
-      unless required by applicable law (such as deliberate and grossly
-      negligent acts) or agreed to in writing, shall any Contributor be
-      liable to You for damages, including any direct, indirect, special,
-      incidental, or consequential damages of any character arising as a
-      result of this License or out of the use or inability to use the
-      Work (including but not limited to damages for loss of goodwill,
-      work stoppage, computer failure or malfunction, or any and all
-      other commercial damages or losses), even if such Contributor
-      has been advised of the possibility of such damages.
-
-   9. Accepting Warranty or Additional Liability. While redistributing
-      the Work or Derivative Works thereof, You may choose to offer,
-      and charge a fee for, acceptance of support, warranty, indemnity,
-      or other liability obligations and/or rights consistent with this
-      License. However, in accepting such obligations, You may act only
-      on Your own behalf and on Your sole responsibility, not on behalf
-      of any other Contributor, and only if You agree to indemnify,
-      defend, and hold each Contributor harmless for any liability
-      incurred by, or claims asserted against, such Contributor by reason
-      of your accepting any such warranty or additional liability.
-
-   END OF TERMS AND CONDITIONS
-
-   APPENDIX: How to apply the Apache License to your work.
-
-      To apply the Apache License to your work, attach the following
-      boilerplate notice, with the fields enclosed by brackets "[]"
-      replaced with your own identifying information. (Don't include
-      the brackets!)  The text should be enclosed in the appropriate
-      comment syntax for the file format. We also recommend that a
-      file or class name and description of purpose be included on the
-      same "printed page" as the copyright notice for easier
-      identification within third-party archives.
-
-   Copyright 2015 xeipuuv
-
-   Licensed under the Apache License, Version 2.0 (the "License");
-   you may not use this file except in compliance with the License.
-   You may obtain a copy of the License at
-
-       http://www.apache.org/licenses/LICENSE-2.0
-
-   Unless required by applicable law or agreed to in writing, software
-   distributed under the License is distributed on an "AS IS" BASIS,
-   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-   See the License for the specific language governing permissions and
-   limitations under the License.

vendor/github.com/xeipuuv/gojsonschema/README.md

@@ -1,236 +0,0 @@
-[![Build Status](https://travis-ci.org/xeipuuv/gojsonschema.svg)](https://travis-ci.org/xeipuuv/gojsonschema)
-
-# gojsonschema
-
-## Description
-
-An implementation of JSON Schema, based on IETF's draft v4 - Go language
-
-References :
-
-* http://json-schema.org
-* http://json-schema.org/latest/json-schema-core.html
-* http://json-schema.org/latest/json-schema-validation.html
-
-## Installation
-
-```
-go get github.com/xeipuuv/gojsonschema
-```
-
-Dependencies :
-* [github.com/xeipuuv/gojsonpointer](https://github.com/xeipuuv/gojsonpointer)
-* [github.com/xeipuuv/gojsonreference](https://github.com/xeipuuv/gojsonreference)
-* [github.com/stretchr/testify/assert](https://github.com/stretchr/testify#assert-package)
-
-## Usage
-
-### Example
-
-```go
-
-package main
-
-import (
-    "fmt"
-    "github.com/xeipuuv/gojsonschema"
-)
-
-func main() {
-
-    schemaLoader := gojsonschema.NewReferenceLoader("file:///home/me/schema.json")
-    documentLoader := gojsonschema.NewReferenceLoader("file:///home/me/document.json")
-
-    result, err := gojsonschema.Validate(schemaLoader, documentLoader)
-    if err != nil {
-        panic(err.Error())
-    }
-
-    if result.Valid() {
-        fmt.Printf("The document is valid\n")
-    } else {
-        fmt.Printf("The document is not valid. see errors :\n")
-        for _, desc := range result.Errors() {
-            fmt.Printf("- %s\n", desc)
-        }
-    }
-
-}
-
-
-```
-
-#### Loaders
-
-There are various ways to load your JSON data.
-In order to load your schemas and documents,
-first declare an appropriate loader :
-
-* Web / HTTP, using a reference :
-
-```go
-loader := gojsonschema.NewReferenceLoader("http://www.some_host.com/schema.json")
-```
-
-* Local file, using a reference :
-
-```go
-loader := gojsonschema.NewReferenceLoader("file:///home/me/schema.json")
-```
-
-References use the URI scheme, the prefix (file://) and a full path to the file are required.
-
-* JSON strings :
-
-```go
-loader := gojsonschema.NewStringLoader(`{"type": "string"}`)
-```
-
-* Custom Go types :
-
-```go
-m := map[string]interface{}{"type": "string"}
-loader := gojsonschema.NewGoLoader(m)
-```
-
-And
-
-```go
-type Root struct {
-	Users []User `json:"users"`
-}
-
-type User struct {
-	Name string `json:"name"`
-}
-
-...
-
-data := Root{}
-data.Users = append(data.Users, User{"John"})
-data.Users = append(data.Users, User{"Sophia"})
-data.Users = append(data.Users, User{"Bill"})
-
-loader := gojsonschema.NewGoLoader(data)
-```
-
-#### Validation
-
-Once the loaders are set, validation is easy :
-
-```go
-result, err := gojsonschema.Validate(schemaLoader, documentLoader)
-```
-
-Alternatively, you might want to load a schema only once and process to multiple validations :
-
-```go
-schema, err := gojsonschema.NewSchema(schemaLoader)
-...
-result1, err := schema.Validate(documentLoader1)
-...
-result2, err := schema.Validate(documentLoader2)
-...
-// etc ...
-```
-
-To check the result :
-
-```go
-    if result.Valid() {
-    	fmt.Printf("The document is valid\n")
-    } else {
-        fmt.Printf("The document is not valid. see errors :\n")
-        for _, err := range result.Errors() {
-        	// Err implements the ResultError interface
-            fmt.Printf("- %s\n", err)
-        }
-    }
-```
-
-## Working with Errors
-
-The library handles string error codes which you can customize by creating your own gojsonschema.locale and setting it
-```go
-gojsonschema.Locale = YourCustomLocale{}
-```
-
-However, each error contains additional contextual information.
-
-**err.Type()**: *string* Returns the "type" of error that occurred. Note you can also type check. See below
-
-Note: An error of RequiredType has an err.Type() return value of "required"
-
-    "required": RequiredError
-    "invalid_type": InvalidTypeError
-    "number_any_of": NumberAnyOfError
-    "number_one_of": NumberOneOfError
-    "number_all_of": NumberAllOfError
-    "number_not": NumberNotError
-    "missing_dependency": MissingDependencyError
-    "internal": InternalError
-    "enum": EnumError
-    "array_no_additional_items": ArrayNoAdditionalItemsError
-    "array_min_items": ArrayMinItemsError
-    "array_max_items": ArrayMaxItemsError
-    "unique": ItemsMustBeUniqueError
-    "array_min_properties": ArrayMinPropertiesError
-    "array_max_properties": ArrayMaxPropertiesError
-    "additional_property_not_allowed": AdditionalPropertyNotAllowedError
-    "invalid_property_pattern": InvalidPropertyPatternError
-    "string_gte": StringLengthGTEError
-    "string_lte": StringLengthLTEError
-    "pattern": DoesNotMatchPatternError
-    "multiple_of": MultipleOfError
-    "number_gte": NumberGTEError
-    "number_gt": NumberGTError
-    "number_lte": NumberLTEError
-    "number_lt": NumberLTError
-
-**err.Value()**: *interface{}* Returns the value given
-
-**err.Context()**: *gojsonschema.jsonContext* Returns the context. This has a String() method that will print something like this: (root).firstName
-
-**err.Field()**: *string* Returns the fieldname in the format firstName, or for embedded properties, person.firstName. This returns the same as the String() method on *err.Context()* but removes the (root). prefix.
-
-**err.Description()**: *string* The error description. This is based on the locale you are using. See the beginning of this section for overwriting the locale with a custom implementation.
-
-**err.Details()**: *gojsonschema.ErrorDetails* Returns a map[string]interface{} of additional error details specific to the error. For example, GTE errors will have a "min" value, LTE will have a "max" value. See errors.go for a full description of all the error details. Every error always contains a "field" key that holds the value of *err.Field()*
-
-Note in most cases, the err.Details() will be used to generate replacement strings in your locales. and not used directly i.e.
-```
-%field% must be greater than or equal to %min%
-```
-
-## Formats
-JSON Schema allows for optional "format" property to validate strings against well-known formats. gojsonschema ships with all of the formats defined in the spec that you can use like this:
-````json
-{"type": "string", "format": "email"}
-````
-Available formats: date-time, hostname, email, ipv4, ipv6, uri.
-
-For repetitive or more complex formats, you can create custom format checkers and add them to gojsonschema like this:
-
-```go
-// Define the format checker
-type RoleFormatChecker struct {}
-
-// Ensure it meets the gojsonschema.FormatChecker interface
-func (f RoleFormatChecker) IsFormat(input string) bool {
-    return strings.HasPrefix("ROLE_", input)
-}
-
-// Add it to the library
-gojsonschema.FormatCheckers.Add("role", RoleFormatChecker{})
-````
-
-Now to use in your json schema:
-````json
-{"type": "string", "format": "role"}
-````
-
-## Uses
-
-gojsonschema uses the following test suite :
-
-https://github.com/json-schema/JSON-Schema-Test-Suite

vendor/github.com/xeipuuv/gojsonschema/errors.go

@@ -1,242 +0,0 @@
-package gojsonschema
-
-import (
-	"fmt"
-	"strings"
-)
-
-type (
-	// RequiredError. ErrorDetails: property string
-	RequiredError struct {
-		ResultErrorFields
-	}
-
-	// InvalidTypeError. ErrorDetails: expected, given
-	InvalidTypeError struct {
-		ResultErrorFields
-	}
-
-	// NumberAnyOfError. ErrorDetails: -
-	NumberAnyOfError struct {
-		ResultErrorFields
-	}
-
-	// NumberOneOfError. ErrorDetails: -
-	NumberOneOfError struct {
-		ResultErrorFields
-	}
-
-	// NumberAllOfError. ErrorDetails: -
-	NumberAllOfError struct {
-		ResultErrorFields
-	}
-
-	// NumberNotError. ErrorDetails: -
-	NumberNotError struct {
-		ResultErrorFields
-	}
-
-	// MissingDependencyError. ErrorDetails: dependency
-	MissingDependencyError struct {
-		ResultErrorFields
-	}
-
-	// InternalError. ErrorDetails: error
-	InternalError struct {
-		ResultErrorFields
-	}
-
-	// EnumError. ErrorDetails: allowed
-	EnumError struct {
-		ResultErrorFields
-	}
-
-	// ArrayNoAdditionalItemsError. ErrorDetails: -
-	ArrayNoAdditionalItemsError struct {
-		ResultErrorFields
-	}
-
-	// ArrayMinItemsError. ErrorDetails: min
-	ArrayMinItemsError struct {
-		ResultErrorFields
-	}
-
-	// ArrayMaxItemsError. ErrorDetails: max
-	ArrayMaxItemsError struct {
-		ResultErrorFields
-	}
-
-	// ItemsMustBeUniqueError. ErrorDetails: type
-	ItemsMustBeUniqueError struct {
-		ResultErrorFields
-	}
-
-	// ArrayMinPropertiesError. ErrorDetails: min
-	ArrayMinPropertiesError struct {
-		ResultErrorFields
-	}
-
-	// ArrayMaxPropertiesError. ErrorDetails: max
-	ArrayMaxPropertiesError struct {
-		ResultErrorFields
-	}
-
-	// AdditionalPropertyNotAllowedError. ErrorDetails: property
-	AdditionalPropertyNotAllowedError struct {
-		ResultErrorFields
-	}
-
-	// InvalidPropertyPatternError. ErrorDetails: property, pattern
-	InvalidPropertyPatternError struct {
-		ResultErrorFields
-	}
-
-	// StringLengthGTEError. ErrorDetails: min
-	StringLengthGTEError struct {
-		ResultErrorFields
-	}
-
-	// StringLengthLTEError. ErrorDetails: max
-	StringLengthLTEError struct {
-		ResultErrorFields
-	}
-
-	// DoesNotMatchPatternError. ErrorDetails: pattern
-	DoesNotMatchPatternError struct {
-		ResultErrorFields
-	}
-
-	// DoesNotMatchFormatError. ErrorDetails: format
-	DoesNotMatchFormatError struct {
-		ResultErrorFields
-	}
-
-	// MultipleOfError. ErrorDetails: multiple
-	MultipleOfError struct {
-		ResultErrorFields
-	}
-
-	// NumberGTEError. ErrorDetails: min
-	NumberGTEError struct {
-		ResultErrorFields
-	}
-
-	// NumberGTError. ErrorDetails: min
-	NumberGTError struct {
-		ResultErrorFields
-	}
-
-	// NumberLTEError. ErrorDetails: max
-	NumberLTEError struct {
-		ResultErrorFields
-	}
-
-	// NumberLTError. ErrorDetails: max
-	NumberLTError struct {
-		ResultErrorFields
-	}
-)
-
-// newError takes a ResultError type and sets the type, context, description, details, value, and field
-func newError(err ResultError, context *jsonContext, value interface{}, locale locale, details ErrorDetails) {
-	var t string
-	var d string
-	switch err.(type) {
-	case *RequiredError:
-		t = "required"
-		d = locale.Required()
-	case *InvalidTypeError:
-		t = "invalid_type"
-		d = locale.InvalidType()
-	case *NumberAnyOfError:
-		t = "number_any_of"
-		d = locale.NumberAnyOf()
-	case *NumberOneOfError:
-		t = "number_one_of"
-		d = locale.NumberOneOf()
-	case *NumberAllOfError:
-		t = "number_all_of"
-		d = locale.NumberAllOf()
-	case *NumberNotError:
-		t = "number_not"
-		d = locale.NumberNot()
-	case *MissingDependencyError:
-		t = "missing_dependency"
-		d = locale.MissingDependency()
-	case *InternalError:
-		t = "internal"
-		d = locale.Internal()
-	case *EnumError:
-		t = "enum"
-		d = locale.Enum()
-	case *ArrayNoAdditionalItemsError:
-		t = "array_no_additional_items"
-		d = locale.ArrayNoAdditionalItems()
-	case *ArrayMinItemsError:
-		t = "array_min_items"
-		d = locale.ArrayMinItems()
-	case *ArrayMaxItemsError:
-		t = "array_max_items"
-		d = locale.ArrayMaxItems()
-	case *ItemsMustBeUniqueError:
-		t = "unique"
-		d = locale.Unique()
-	case *ArrayMinPropertiesError:
-		t = "array_min_properties"
-		d = locale.ArrayMinProperties()
-	case *ArrayMaxPropertiesError:
-		t = "array_max_properties"
-		d = locale.ArrayMaxProperties()
-	case *AdditionalPropertyNotAllowedError:
-		t = "additional_property_not_allowed"
-		d = locale.AdditionalPropertyNotAllowed()
-	case *InvalidPropertyPatternError:
-		t = "invalid_property_pattern"
-		d = locale.InvalidPropertyPattern()
-	case *StringLengthGTEError:
-		t = "string_gte"
-		d = locale.StringGTE()
-	case *StringLengthLTEError:
-		t = "string_lte"
-		d = locale.StringLTE()
-	case *DoesNotMatchPatternError:
-		t = "pattern"
-		d = locale.DoesNotMatchPattern()
-	case *DoesNotMatchFormatError:
-		t = "format"
-		d = locale.DoesNotMatchFormat()
-	case *MultipleOfError:
-		t = "multiple_of"
-		d = locale.MultipleOf()
-	case *NumberGTEError:
-		t = "number_gte"
-		d = locale.NumberGTE()
-	case *NumberGTError:
-		t = "number_gt"
-		d = locale.NumberGT()
-	case *NumberLTEError:
-		t = "number_lte"
-		d = locale.NumberLTE()
-	case *NumberLTError:
-		t = "number_lt"
-		d = locale.NumberLT()
-	}
-
-	err.SetType(t)
-	err.SetContext(context)
-	err.SetValue(value)
-	err.SetDetails(details)
-	details["field"] = err.Field()
-	err.SetDescription(formatErrorDescription(d, details))
-}
-
-// formatErrorDescription takes a string in this format: %field% is required
-// and converts it to a string with replacements. The fields come from
-// the ErrorDetails struct and vary for each type of error.
-func formatErrorDescription(s string, details ErrorDetails) string {
-	for name, val := range details {
-		s = strings.Replace(s, "%"+strings.ToLower(name)+"%", fmt.Sprintf("%v", val), -1)
-	}
-
-	return s
-}

vendor/github.com/xeipuuv/gojsonschema/format_checkers.go

@@ -1,178 +0,0 @@
-package gojsonschema
-
-import (
-	"net"
-	"net/url"
-	"reflect"
-	"regexp"
-	"strings"
-	"time"
-)
-
-type (
-	// FormatChecker is the interface all formatters added to FormatCheckerChain must implement
-	FormatChecker interface {
-		IsFormat(input string) bool
-	}
-
-	// FormatCheckerChain holds the formatters
-	FormatCheckerChain struct {
-		formatters map[string]FormatChecker
-	}
-
-	// EmailFormatter verifies email address formats
-	EmailFormatChecker struct{}
-
-	// IPV4FormatChecker verifies IP addresses in the ipv4 format
-	IPV4FormatChecker struct{}
-
-	// IPV6FormatChecker verifies IP addresses in the ipv6 format
-	IPV6FormatChecker struct{}
-
-	// DateTimeFormatChecker verifies date/time formats per RFC3339 5.6
-	//
-	// Valid formats:
-	// 		Partial Time: HH:MM:SS
-	//		Full Date: YYYY-MM-DD
-	// 		Full Time: HH:MM:SSZ-07:00
-	//		Date Time: YYYY-MM-DDTHH:MM:SSZ-0700
-	//
-	// 	Where
-	//		YYYY = 4DIGIT year
-	//		MM = 2DIGIT month ; 01-12
-	//		DD = 2DIGIT day-month ; 01-28, 01-29, 01-30, 01-31 based on month/year
-	//		HH = 2DIGIT hour ; 00-23
-	//		MM = 2DIGIT ; 00-59
-	//		SS = 2DIGIT ; 00-58, 00-60 based on leap second rules
-	//		T = Literal
-	//		Z = Literal
-	//
-	//	Note: Nanoseconds are also suported in all formats
-	//
-	// http://tools.ietf.org/html/rfc3339#section-5.6
-	DateTimeFormatChecker struct{}
-
-	// URIFormatCheckers validates a URI with a valid Scheme per RFC3986
-	URIFormatChecker struct{}
-
-	// HostnameFormatChecker validates a hostname is in the correct format
-	HostnameFormatChecker struct{}
-
-	// UUIDFormatChecker validates a UUID is in the correct format
-	UUIDFormatChecker struct{}
-)
-
-var (
-	// Formatters holds the valid formatters, and is a public variable
-	// so library users can add custom formatters
-	FormatCheckers = FormatCheckerChain{
-		formatters: map[string]FormatChecker{
-			"date-time": DateTimeFormatChecker{},
-			"hostname":  HostnameFormatChecker{},
-			"email":     EmailFormatChecker{},
-			"ipv4":      IPV4FormatChecker{},
-			"ipv6":      IPV6FormatChecker{},
-			"uri":       URIFormatChecker{},
-			"uuid":      UUIDFormatChecker{},
-		},
-	}
-
-	// Regex credit: https://github.com/asaskevich/govalidator
-	rxEmail = regexp.MustCompile("^(((([a-zA-Z]|\\d|[!#\\$%&'\\*\\+\\-\\/=\\?\\^_`{\\|}~]|[\\x{00A0}-\\x{D7FF}\\x{F900}-\\x{FDCF}\\x{FDF0}-\\x{FFEF}])+(\\.([a-zA-Z]|\\d|[!#\\$%&'\\*\\+\\-\\/=\\?\\^_`{\\|}~]|[\\x{00A0}-\\x{D7FF}\\x{F900}-\\x{FDCF}\\x{FDF0}-\\x{FFEF}])+)*)|((\\x22)((((\\x20|\\x09)*(\\x0d\\x0a))?(\\x20|\\x09)+)?(([\\x01-\\x08\\x0b\\x0c\\x0e-\\x1f\\x7f]|\\x21|[\\x23-\\x5b]|[\\x5d-\\x7e]|[\\x{00A0}-\\x{D7FF}\\x{F900}-\\x{FDCF}\\x{FDF0}-\\x{FFEF}])|(\\([\\x01-\\x09\\x0b\\x0c\\x0d-\\x7f]|[\\x{00A0}-\\x{D7FF}\\x{F900}-\\x{FDCF}\\x{FDF0}-\\x{FFEF}]))))*(((\\x20|\\x09)*(\\x0d\\x0a))?(\\x20|\\x09)+)?(\\x22)))@((([a-zA-Z]|\\d|[\\x{00A0}-\\x{D7FF}\\x{F900}-\\x{FDCF}\\x{FDF0}-\\x{FFEF}])|(([a-zA-Z]|\\d|[\\x{00A0}-\\x{D7FF}\\x{F900}-\\x{FDCF}\\x{FDF0}-\\x{FFEF}])([a-zA-Z]|\\d|-|\\.|_|~|[\\x{00A0}-\\x{D7FF}\\x{F900}-\\x{FDCF}\\x{FDF0}-\\x{FFEF}])*([a-zA-Z]|\\d|[\\x{00A0}-\\x{D7FF}\\x{F900}-\\x{FDCF}\\x{FDF0}-\\x{FFEF}])))\\.)+(([a-zA-Z]|[\\x{00A0}-\\x{D7FF}\\x{F900}-\\x{FDCF}\\x{FDF0}-\\x{FFEF}])|(([a-zA-Z]|[\\x{00A0}-\\x{D7FF}\\x{F900}-\\x{FDCF}\\x{FDF0}-\\x{FFEF}])([a-zA-Z]|\\d|-|\\.|_|~|[\\x{00A0}-\\x{D7FF}\\x{F900}-\\x{FDCF}\\x{FDF0}-\\x{FFEF}])*([a-zA-Z]|[\\x{00A0}-\\x{D7FF}\\x{F900}-\\x{FDCF}\\x{FDF0}-\\x{FFEF}])))\\.?$")
-
-	// Regex credit: https://www.socketloop.com/tutorials/golang-validate-hostname
-	rxHostname = regexp.MustCompile(`^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])(\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9]))*$`)
-
-	rxUUID = regexp.MustCompile("^[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$")
-)
-
-// Add adds a FormatChecker to the FormatCheckerChain
-// The name used will be the value used for the format key in your json schema
-func (c *FormatCheckerChain) Add(name string, f FormatChecker) *FormatCheckerChain {
-	c.formatters[name] = f
-
-	return c
-}
-
-// Remove deletes a FormatChecker from the FormatCheckerChain (if it exists)
-func (c *FormatCheckerChain) Remove(name string) *FormatCheckerChain {
-	delete(c.formatters, name)
-
-	return c
-}
-
-// Has checks to see if the FormatCheckerChain holds a FormatChecker with the given name
-func (c *FormatCheckerChain) Has(name string) bool {
-	_, ok := c.formatters[name]
-
-	return ok
-}
-
-// IsFormat will check an input against a FormatChecker with the given name
-// to see if it is the correct format
-func (c *FormatCheckerChain) IsFormat(name string, input interface{}) bool {
-	f, ok := c.formatters[name]
-
-	if !ok {
-		return false
-	}
-
-	if !isKind(input, reflect.String) {
-		return false
-	}
-
-	inputString := input.(string)
-
-	return f.IsFormat(inputString)
-}
-
-func (f EmailFormatChecker) IsFormat(input string) bool {
-	return rxEmail.MatchString(input)
-}
-
-// Credit: https://github.com/asaskevich/govalidator
-func (f IPV4FormatChecker) IsFormat(input string) bool {
-	ip := net.ParseIP(input)
-	return ip != nil && strings.Contains(input, ".")
-}
-
-// Credit: https://github.com/asaskevich/govalidator
-func (f IPV6FormatChecker) IsFormat(input string) bool {
-	ip := net.ParseIP(input)
-	return ip != nil && strings.Contains(input, ":")
-}
-
-func (f DateTimeFormatChecker) IsFormat(input string) bool {
-	formats := []string{
-		"15:04:05",
-		"15:04:05Z07:00",
-		"2006-01-02",
-		time.RFC3339,
-		time.RFC3339Nano,
-	}
-
-	for _, format := range formats {
-		if _, err := time.Parse(format, input); err == nil {
-			return true
-		}
-	}
-
-	return false
-}
-
-func (f URIFormatChecker) IsFormat(input string) bool {
-	u, err := url.Parse(input)
-	if err != nil || u.Scheme == "" {
-		return false
-	}
-
-	return true
-}
-
-func (f HostnameFormatChecker) IsFormat(input string) bool {
-	return rxHostname.MatchString(input) && len(input) < 256
-}
-
-func (f UUIDFormatChecker) IsFormat(input string) bool {
-	return rxUUID.MatchString(input)
-}

vendor/github.com/xeipuuv/gojsonschema/internalLog.go

@@ -1,37 +0,0 @@
-// Copyright 2015 xeipuuv ( https://github.com/xeipuuv )
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//   http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-// author           xeipuuv
-// author-github    https://github.com/xeipuuv
-// author-mail      xeipuuv@gmail.com
-//
-// repository-name  gojsonschema
-// repository-desc  An implementation of JSON Schema, based on IETF's draft v4 - Go language.
-//
-// description      Very simple log wrapper.
-//					Used for debugging/testing purposes.
-//
-// created          01-01-2015
-
-package gojsonschema
-
-import (
-	"log"
-)
-
-const internalLogEnabled = false
-
-func internalLog(format string, v ...interface{}) {
-	log.Printf(format, v...)
-}

vendor/github.com/xeipuuv/gojsonschema/jsonContext.go

@@ -1,72 +0,0 @@
-// Copyright 2013 MongoDB, Inc.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//   http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-// author           tolsen
-// author-github    https://github.com/tolsen
-//
-// repository-name  gojsonschema
-// repository-desc  An implementation of JSON Schema, based on IETF's draft v4 - Go language.
-//
-// description      Implements a persistent (immutable w/ shared structure) singly-linked list of strings for the purpose of storing a json context
-//
-// created          04-09-2013
-
-package gojsonschema
-
-import "bytes"
-
-// jsonContext implements a persistent linked-list of strings
-type jsonContext struct {
-	head string
-	tail *jsonContext
-}
-
-func newJsonContext(head string, tail *jsonContext) *jsonContext {
-	return &jsonContext{head, tail}
-}
-
-// String displays the context in reverse.
-// This plays well with the data structure's persistent nature with
-// Cons and a json document's tree structure.
-func (c *jsonContext) String(del ...string) string {
-	byteArr := make([]byte, 0, c.stringLen())
-	buf := bytes.NewBuffer(byteArr)
-	c.writeStringToBuffer(buf, del)
-
-	return buf.String()
-}
-
-func (c *jsonContext) stringLen() int {
-	length := 0
-	if c.tail != nil {
-		length = c.tail.stringLen() + 1 // add 1 for "."
-	}
-
-	length += len(c.head)
-	return length
-}
-
-func (c *jsonContext) writeStringToBuffer(buf *bytes.Buffer, del []string) {
-	if c.tail != nil {
-		c.tail.writeStringToBuffer(buf, del)
-
-		if len(del) > 0 {
-			buf.WriteString(del[0])
-		} else {
-			buf.WriteString(".")
-		}
-	}
-
-	buf.WriteString(c.head)
-}

vendor/github.com/xeipuuv/gojsonschema/jsonLoader.go

@@ -1,286 +0,0 @@
-// Copyright 2015 xeipuuv ( https://github.com/xeipuuv )
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//   http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-// author           xeipuuv
-// author-github    https://github.com/xeipuuv
-// author-mail      xeipuuv@gmail.com
-//
-// repository-name  gojsonschema
-// repository-desc  An implementation of JSON Schema, based on IETF's draft v4 - Go language.
-//
-// description		Different strategies to load JSON files.
-// 					Includes References (file and HTTP), JSON strings and Go types.
-//
-// created          01-02-2015
-
-package gojsonschema
-
-import (
-	"bytes"
-	"encoding/json"
-	"errors"
-	"io"
-	"io/ioutil"
-	"net/http"
-	"path/filepath"
-	"runtime"
-	"strings"
-
-	"github.com/xeipuuv/gojsonreference"
-)
-
-// JSON loader interface
-
-type JSONLoader interface {
-	jsonSource() interface{}
-	loadJSON() (interface{}, error)
-	loadSchema() (*Schema, error)
-}
-
-// JSON Reference loader
-// references are used to load JSONs from files and HTTP
-
-type jsonReferenceLoader struct {
-	source string
-}
-
-func (l *jsonReferenceLoader) jsonSource() interface{} {
-	return l.source
-}
-
-func NewReferenceLoader(source string) *jsonReferenceLoader {
-	return &jsonReferenceLoader{source: source}
-}
-
-func (l *jsonReferenceLoader) loadJSON() (interface{}, error) {
-
-	var err error
-
-	reference, err := gojsonreference.NewJsonReference(l.jsonSource().(string))
-	if err != nil {
-		return nil, err
-	}
-
-	refToUrl := reference
-	refToUrl.GetUrl().Fragment = ""
-
-	var document interface{}
-
-	if reference.HasFileScheme {
-
-		filename := strings.Replace(refToUrl.String(), "file://", "", -1)
-		if runtime.GOOS == "windows" {
-			// on Windows, a file URL may have an extra leading slash, use slashes
-			// instead of backslashes, and have spaces escaped
-			if strings.HasPrefix(filename, "/") {
-				filename = filename[1:]
-			}
-			filename = filepath.FromSlash(filename)
-			filename = strings.Replace(filename, "%20", " ", -1)
-		}
-
-		document, err = l.loadFromFile(filename)
-		if err != nil {
-			return nil, err
-		}
-
-	} else {
-
-		document, err = l.loadFromHTTP(refToUrl.String())
-		if err != nil {
-			return nil, err
-		}
-
-	}
-
-	return document, nil
-
-}
-
-func (l *jsonReferenceLoader) loadSchema() (*Schema, error) {
-
-	var err error
-
-	d := Schema{}
-	d.pool = newSchemaPool()
-	d.referencePool = newSchemaReferencePool()
-
-	d.documentReference, err = gojsonreference.NewJsonReference(l.jsonSource().(string))
-	if err != nil {
-		return nil, err
-	}
-
-	spd, err := d.pool.GetDocument(d.documentReference)
-	if err != nil {
-		return nil, err
-	}
-
-	err = d.parse(spd.Document)
-	if err != nil {
-		return nil, err
-	}
-
-	return &d, nil
-
-}
-
-func (l *jsonReferenceLoader) loadFromHTTP(address string) (interface{}, error) {
-
-	resp, err := http.Get(address)
-	if err != nil {
-		return nil, err
-	}
-
-	// must return HTTP Status 200 OK
-	if resp.StatusCode != http.StatusOK {
-		return nil, errors.New(formatErrorDescription(Locale.httpBadStatus(), ErrorDetails{"status": resp.Status}))
-	}
-
-	bodyBuff, err := ioutil.ReadAll(resp.Body)
-	if err != nil {
-		return nil, err
-	}
-
-	return decodeJsonUsingNumber(bytes.NewReader(bodyBuff))
-
-}
-
-func (l *jsonReferenceLoader) loadFromFile(path string) (interface{}, error) {
-
-	bodyBuff, err := ioutil.ReadFile(path)
-	if err != nil {
-		return nil, err
-	}
-
-	return decodeJsonUsingNumber(bytes.NewReader(bodyBuff))
-
-}
-
-// JSON string loader
-
-type jsonStringLoader struct {
-	source string
-}
-
-func (l *jsonStringLoader) jsonSource() interface{} {
-	return l.source
-}
-
-func NewStringLoader(source string) *jsonStringLoader {
-	return &jsonStringLoader{source: source}
-}
-
-func (l *jsonStringLoader) loadJSON() (interface{}, error) {
-
-	return decodeJsonUsingNumber(strings.NewReader(l.jsonSource().(string)))
-
-}
-
-func (l *jsonStringLoader) loadSchema() (*Schema, error) {
-
-	var err error
-
-	document, err := l.loadJSON()
-	if err != nil {
-		return nil, err
-	}
-
-	d := Schema{}
-	d.pool = newSchemaPool()
-	d.referencePool = newSchemaReferencePool()
-	d.documentReference, err = gojsonreference.NewJsonReference("#")
-	d.pool.SetStandaloneDocument(document)
-	if err != nil {
-		return nil, err
-	}
-
-	err = d.parse(document)
-	if err != nil {
-		return nil, err
-	}
-
-	return &d, nil
-
-}
-
-// JSON Go (types) loader
-// used to load JSONs from the code as maps, interface{}, structs ...
-
-type jsonGoLoader struct {
-	source interface{}
-}
-
-func (l *jsonGoLoader) jsonSource() interface{} {
-	return l.source
-}
-
-func NewGoLoader(source interface{}) *jsonGoLoader {
-	return &jsonGoLoader{source: source}
-}
-
-func (l *jsonGoLoader) loadJSON() (interface{}, error) {
-
-	// convert it to a compliant JSON first to avoid types "mismatches"
-
-	jsonBytes, err := json.Marshal(l.jsonSource())
-	if err != nil {
-		return nil, err
-	}
-
-	return decodeJsonUsingNumber(bytes.NewReader(jsonBytes))
-
-}
-
-func (l *jsonGoLoader) loadSchema() (*Schema, error) {
-
-	var err error
-
-	document, err := l.loadJSON()
-	if err != nil {
-		return nil, err
-	}
-
-	d := Schema{}
-	d.pool = newSchemaPool()
-	d.referencePool = newSchemaReferencePool()
-	d.documentReference, err = gojsonreference.NewJsonReference("#")
-	d.pool.SetStandaloneDocument(document)
-	if err != nil {
-		return nil, err
-	}
-
-	err = d.parse(document)
-	if err != nil {
-		return nil, err
-	}
-
-	return &d, nil
-
-}
-
-func decodeJsonUsingNumber(r io.Reader) (interface{}, error) {
-
-	var document interface{}
-
-	decoder := json.NewDecoder(r)
-	decoder.UseNumber()
-
-	err := decoder.Decode(&document)
-	if err != nil {
-		return nil, err
-	}
-
-	return document, nil
-
-}