Combine non-first bootstrap logic with TOFUs, cleanup style

Signed-off-by: Riyaz Faizullabhoy <riyaz.faizullabhoy@docker.com>
notaryproject · Jul 29, 2016 · 12529db · 12529db
1 parent 1011ebd
commit 12529db
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 18 deletions.
diff --git a/trustpinning/certs_test.go b/trustpinning/certs_test.go
@@ -889,7 +889,7 @@ func TestValidateRootRotationTrustPinning(t *testing.T) {
 }
 
 // TestValidateRootRotationTrustPinningInvalidCA runs a full root certificate rotation but ensures that
-// the specified trust pinning rejectas the new root for not being signed by the specified CA
+// the specified trust pinning rejects the new root for not being signed by the specified CA
 func TestValidateRootRotationTrustPinningInvalidCA(t *testing.T) {
 	gun := "notary-signer"
 	keyAlg := data.RSAKey
@@ -898,13 +898,13 @@ func TestValidateRootRotationTrustPinningInvalidCA(t *testing.T) {
 	defer os.RemoveAll(tempBaseDir)
 	require.NoError(t, err, "failed to create a temporary directory: %s", err)
 
-	leafCert, err := trustmanager.LoadCertFromFile("../fixtures/notary-signer.crt")
+	leafCert, err := utils.LoadCertFromFile("../fixtures/notary-signer.crt")
 	require.NoError(t, err)
 
-	intermediateCert, err := trustmanager.LoadCertFromFile("../fixtures/intermediate-ca.crt")
+	intermediateCert, err := utils.LoadCertFromFile("../fixtures/intermediate-ca.crt")
 	require.NoError(t, err)
 
-	pemChainBytes, err := trustmanager.CertChainToPEM([]*x509.Certificate{leafCert, intermediateCert})
+	pemChainBytes, err := utils.CertChainToPEM([]*x509.Certificate{leafCert, intermediateCert})
 	require.NoError(t, err)
 
 	origRootKey := data.NewPublicKey(data.RSAx509Key, pemChainBytes)
@@ -924,11 +924,9 @@ func TestValidateRootRotationTrustPinningInvalidCA(t *testing.T) {
 	testRoot.Signed.Version = 1
 	require.NoError(t, err, "Failed to create new root")
 
-	keyReader, err := os.Open("../fixtures/notary-signer.key")
-	require.NoError(t, err, "could not open key file")
-	pemBytes, err := ioutil.ReadAll(keyReader)
+	pemBytes, err := ioutil.ReadFile("../fixtures/notary-signer.key")
 	require.NoError(t, err, "could not read key file")
-	privKey, err := trustmanager.ParsePEMPrivateKey(pemBytes, "")
+	privKey, err := utils.ParsePEMPrivateKey(pemBytes, "")
 	require.NoError(t, err)
 
 	store, err := trustmanager.NewKeyFileStore(tempBaseDir, passphraseRetriever)

diff --git a/trustpinning/trustpin.go b/trustpinning/trustpin.go
@@ -62,16 +62,10 @@ func NewTrustPinChecker(trustPinConfig TrustPinConfig, gun string, firstBootstra
 		return t.caCheck, nil
 	}
 
-	if !trustPinConfig.DisableTOFU {
-		logrus.Debugf("trust-pinning: using TOFU")
-		return t.tofusCheck, nil
-	}
-
-	// If we already have previous trusted root data for this GUN, disabling TOFUs should not change trust
-	// At this point, we assume that we have already trusted previous root data and so will not perform any
-	// additional trust pinning checks on this new certificate
-	if !firstBootstrap {
-		logrus.Debug("TOFU is disabled but previous root data exists, skipping disable TOFU restriction")
+	// If TOFUs is not disabled or we already have previous trusted root data for this GUN (even with TOFUs disabled),
+	// use TOFUs.  It's ok if we have previous root data with TOFUs disabled because we've already
+	// bootstrapped the first use of trust
+	if !trustPinConfig.DisableTOFU || !firstBootstrap {
 		return t.tofusCheck, nil
 	}
 	return nil, fmt.Errorf("invalid trust pinning specified")