commit b38d036819f61cf6a822122e33becd0cd816acb7
author Asim Shankar <ashankar@google.com> Wed Jun 11 12:47:46 2014 -0700
committer Asim Shankar <ashankar@google.com> Wed Jun 11 12:47:48 2014 -0700
tree 7cb5f2b3db2735eb67947fbe0ff1ce71cec4156c
parent 3a93e703464de2b0eaf2ac68c968ac9d371f8a28

veyron2/security: Remove PrivateKey accessor from PrivateID interface.

We imagine that private keys are stored in secure storage - like a TPM
or some other simpler factotum service like an ssh-agent. Not keeping
the private keys in memory of the process makes attacks to reveal the
private key significantly harder.

This change modifies the interface so that only a "Sign" method
is exposed. Subsequent changes that introduce the TPM/ssh-agent etc.
will provide identity implementations that do not store the private key
in memory at all but defer to the TPM/agent for signatures.

Change-Id: I1a02694a819177d934590b66854e4ad0253772e0

runtimes/google/security/identity_set.go

diff --git a/runtimes/google/security/identity_set.go b/runtimes/google/security/identity_set.go
index 85bdbad..0b2bd89 100644
--- a/runtimes/google/security/identity_set.go
+++ b/runtimes/google/security/identity_set.go
@@ -146,8 +146,9 @@
 	case 1:
 		return ids[0], nil
 	default:
+		pub := ids[0].PublicID().PublicKey()
 		for i := 1; i < len(ids); i++ {
-			if !reflect.DeepEqual(ids[0].PrivateKey(), ids[i].PrivateKey()) {
+			if !reflect.DeepEqual(pub, ids[i].PublicID().PublicKey()) {
 				return nil, errMismatchedKeys
 			}
 		}
@@ -164,7 +165,7 @@
 	return &set
 }
 
-func (s setPrivateID) PrivateKey() *ecdsa.PrivateKey { return s[0].PrivateKey() }
+func (s setPrivateID) Sign(message []byte) (security.Signature, error) { return s[0].Sign(message) }
 
 func (s setPrivateID) Bless(blessee security.PublicID, blessingName string, duration time.Duration, caveats []security.ServiceCaveat) (security.PublicID, error) {
 	pubs := make([]security.PublicID, len(s))
@@ -178,15 +179,12 @@
 }
 
 func (s setPrivateID) Derive(pub security.PublicID) (security.PrivateID, error) {
-	if !reflect.DeepEqual(pub.PublicKey(), &s.PrivateKey().PublicKey) {
-		return nil, errDeriveMismatch
-	}
-	var err error
 	switch p := pub.(type) {
 	case *chainPublicID:
 		return s[0].Derive(p)
 	case *setPublicID:
 		privs := make([]security.PrivateID, len(*p))
+		var err error
 		for ix, ip := range *p {
 			if privs[ix], err = s.Derive(ip); err != nil {
 				return nil, fmt.Errorf("Derive failed for %d of %d id in set", ix, len(*p))