addressing riyaz's review

Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)

trustpinning/certs_test.go

@@ -364,7 +364,7 @@ func TestValidateRootWithPinnedCertAndIntermediates(t *testing.T) {
 	}
 	require.Equal(t, typedSignedRoot, validatedRoot)
 
-	// test is also works with a wildcarded gun in certs
+	// test it also works with a wildcarded gun in certs
 	validatedRoot, err = trustpinning.ValidateRoot(
 		nil,
 		signedRoot,
@@ -383,6 +383,56 @@ func TestValidateRootWithPinnedCertAndIntermediates(t *testing.T) {
 		}
 	}
 	require.Equal(t, typedSignedRoot, validatedRoot)
+
+	// incorrect key id on wildcard match should fail
+	_, err = trustpinning.ValidateRoot(
+		nil,
+		signedRoot,
+		"docker.io/notary/test",
+		trustpinning.TrustPinConfig{
+			Certs: map[string][]string{
+				"docker.io/notar*": {"badID"},
+			},
+			DisableTOFU: true,
+		},
+	)
+	require.Error(t, err, "failed to validate certID with intermediate")
+
+	// exact match should take precedence even if it fails validation
+	_, err = trustpinning.ValidateRoot(
+		nil,
+		signedRoot,
+		"docker.io/notary/test",
+		trustpinning.TrustPinConfig{
+			Certs: map[string][]string{
+				"docker.io/notary/test": {"badID"},
+				"docker.io/notar*":      {ecdsax509Key.ID()},
+			},
+			DisableTOFU: true,
+		},
+	)
+	require.Error(t, err, "failed to validate certID with intermediate")
+
+	// exact match should take precedence
+	validatedRoot, err = trustpinning.ValidateRoot(
+		nil,
+		signedRoot,
+		"docker.io/notary/test",
+		trustpinning.TrustPinConfig{
+			Certs: map[string][]string{
+				"docker.io/notary/test": {ecdsax509Key.ID()},
+				"docker.io/notar*":      {"badID"},
+			},
+			DisableTOFU: true,
+		},
+	)
+	require.NoError(t, err, "failed to validate certID with intermediate")
+	for idx, sig := range typedSignedRoot.Signatures {
+		if sig.KeyID == ecdsax509Key.ID() {
+			typedSignedRoot.Signatures[idx].IsValid = true
+		}
+	}
+	require.Equal(t, typedSignedRoot, validatedRoot)
 }
 
 func TestValidateRootFailuresWithPinnedCert(t *testing.T) {

trustpinning/trustpin.go

@@ -136,11 +136,11 @@ func wildcardMatch(gun data.GUN, certs map[string][]string) ([]string, bool) {
 		longest = ""
 		ids     []string
 	)
-	for k, v := range certs {
-		if strings.HasSuffix(k, "*") {
-			if strings.HasPrefix(gun.String(), k[:len(k)-1]) && len(k) > len(longest) {
-				longest = k
-				ids = v
+	for gunPrefix, keyIDs := range certs {
+		if strings.HasSuffix(gunPrefix, "*") {
+			if strings.HasPrefix(gun.String(), gunPrefix[:len(gunPrefix)-1]) && len(gunPrefix) > len(longest) {
+				longest = gunPrefix
+				ids = keyIDs
 			}
 		}
 	}