Look for signing and validation keys in user and source directories

Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>

lib/inspec/exceptions.rb

@@ -9,5 +9,6 @@ module Inspec
     class ResourceSkipped < StandardError; end
     class SecretsBackendNotFound < ArgumentError; end
     class ProfileValidationKeyNotFound < ArgumentError; end
+    class ProfileSigningKeyNotFound < ArgumentError; end
   end
 end

lib/inspec/iaf_file.rb

@@ -14,6 +14,30 @@ module Inspec
     VALID_PROFILE_VERSIONS = Set.new [INSPEC_PROFILE_VERSION_1, INSPEC_PROFILE_VERSION_2]
     VALID_PROFILE_DIGESTS = Set.new [ARTIFACT_DIGEST_NAME]
 
+    def self.find_validation_key(keyname)
+      [
+        ".",
+        File.join(Inspec.config_dir, "keys"),
+        File.join(Inspec.src_root, "etc", "keys"),
+      ].each do |path|
+        filename = File.join(path, "#{keyname}.pem.pub")
+        return filename if File.exist?(filename)
+      end
+
+      # TODO
+      # Check https://github.com/inspec/inspec/ and download to user keys directory
+
+      raise Inspec::Exceptions::ProfileValidationKeyNotFound.new("#{keyname} not found")
+    end
+
+    def self.find_signing_key(keyname)
+      [".", File.join(Inspec.config_dir, "keys")].each do |path|
+        filename = File.join(path, "#{keyname}.pem.key")
+        return filename if File.exist?(filename)
+      end
+      raise Inspec::Exceptions::ProfileSigningKeyNotFound.new("#{keyname} not found")
+    end
+
     def initialize(path)
       @path = path
     end
@@ -54,15 +78,13 @@ module Inspec
         valid = false
       end
 
-      unless File.exist?("#{header[1]}.pem.pub")
+      validation_key_path = Inspec::IafFile.find_validation_key(header[1])
-        raise Inspec::Exceptions::ProfileValidationKeyNotFound, "Profile validation key not found."
-      end
 
       unless valid_header?(header)
         valid = false
       end
 
-      verification_key = KEY_ALG.new File.read "#{header[1]}.pem.pub"
+      verification_key = KEY_ALG.new File.read validation_key_path
       signature = Base64.decode64(header[3])
       digest = ARTIFACT_DIGEST.new
       unless verification_key.verify digest, signature, content

lib/plugins/inspec-sign/lib/inspec-sign/base.rb

@@ -31,11 +31,15 @@ module InspecPlugins
 
       def self.keygen(options)
         key = KEY_ALG.new KEY_BITS
-        puts "Generating private key"
+
+        path = File.join(Inspec.config_dir, "keys")
+        FileUtils.mkdir_p(path)
+
+        puts "Generating signing key in #{path}/#{options["keyname"]}.pem.key"
         open "#{options["keyname"]}.pem.key", "w" do |io|
           io.write key.to_pem
         end
-        puts "Generating public key"
+        puts "Generating validation key in #{path}/#{options["keyname"]}.pem.pub"
         open "#{options["keyname"]}.pem.pub", "w" do |io|
           io.write key.public_key.to_pem
         end
@@ -46,6 +50,7 @@ module InspecPlugins
         path_to_profile = options["profile"]
 
         puts "Signing #{options["profile"]} with key #{options["keyname"]}"
+        keypath = Inspec::IafFile.find_signing_key(options["keyname"])
 
         # Read name and version from metadata and use them to form the filename
         profile_md = artifact.read_profile_metadata(path_to_profile)
@@ -58,7 +63,7 @@ module InspecPlugins
         FileUtils.rm(tarfile)
 
         # Generate the signature
-        signing_key = KEY_ALG.new File.read "#{options["keyname"]}.pem.key"
+        signing_key = KEY_ALG.new File.read keypath
         sha = ARTIFACT_DIGEST.new
         signature = signing_key.sign sha, tar_content
         # convert the signature to Base64