github/containerd
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 2 Wiki Activity

go.mod: github.com/containerd/imgcrypt v2.0.0-rc-1

Browse Source 
https://github.com/containerd/imgcrypt/compare/v1.2.0-rc1...v2.0.0-rc.1

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
This commit is contained in:
Akihiro Suda 2024-10-29 01:21:14 +09:00
parent a96eee7b1b
commit 0208cb58ca
No known key found for this signature in database
GPG Key ID: 49524C6F9F638F1A
31 changed files with 472 additions and 139 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
go.mod
View File

@ -4,8 +4,8 @@ go 1.22.0
require ( require (
dario.cat/mergo v1.0.1 dario.cat/mergo v1.0.1
github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 github.com/AdaLogics/go-fuzz-headers v0.0.0-20240806141605-e8a1dd7889d6
github.com/AdamKorcz/go-118-fuzz-build v0.0.0-20230306123547-8075edf89bb0 github.com/AdamKorcz/go-118-fuzz-build v0.0.0-20231105174938-2b5cbb29f3e2
github.com/Microsoft/go-winio v0.6.2 github.com/Microsoft/go-winio v0.6.2
github.com/Microsoft/hcsshim v0.12.8 github.com/Microsoft/hcsshim v0.12.8
github.com/checkpoint-restore/checkpointctl v1.2.1 github.com/checkpoint-restore/checkpointctl v1.2.1
@ -20,7 +20,7 @@ require (
github.com/containerd/fifo v1.1.0 github.com/containerd/fifo v1.1.0
github.com/containerd/go-cni v1.1.10 github.com/containerd/go-cni v1.1.10
github.com/containerd/go-runc v1.1.0 github.com/containerd/go-runc v1.1.0
github.com/containerd/imgcrypt v1.2.0-rc1 github.com/containerd/imgcrypt/v2 v2.0.0-rc.1
github.com/containerd/log v0.1.0 github.com/containerd/log v0.1.0
github.com/containerd/nri v0.7.0 github.com/containerd/nri v0.7.0
github.com/containerd/otelttrpc v0.0.0-20240305015340-ea5083fda723 github.com/containerd/otelttrpc v0.0.0-20240305015340-ea5083fda723
@ -75,7 +75,7 @@ require (
golang.org/x/mod v0.21.0 golang.org/x/mod v0.21.0
golang.org/x/sync v0.8.0 golang.org/x/sync v0.8.0
golang.org/x/sys v0.26.0 golang.org/x/sys v0.26.0
google.golang.org/genproto/googleapis/rpc v0.0.0-20241007155032-5fefd90f89a9 google.golang.org/genproto/googleapis/rpc v0.0.0-20241021214115-324edc3d5d38
google.golang.org/grpc v1.67.1 google.golang.org/grpc v1.67.1
google.golang.org/protobuf v1.35.1 google.golang.org/protobuf v1.35.1
k8s.io/apimachinery v0.31.1 k8s.io/apimachinery v0.31.1
@ -99,7 +99,7 @@ require (
github.com/emicklei/go-restful/v3 v3.11.0 // indirect github.com/emicklei/go-restful/v3 v3.11.0 // indirect
github.com/felixge/httpsnoop v1.0.4 // indirect github.com/felixge/httpsnoop v1.0.4 // indirect
github.com/fxamacker/cbor/v2 v2.7.0 // indirect github.com/fxamacker/cbor/v2 v2.7.0 // indirect
github.com/go-jose/go-jose/v4 v4.0.2 // indirect github.com/go-jose/go-jose/v4 v4.0.4 // indirect
github.com/go-logr/logr v1.4.2 // indirect github.com/go-logr/logr v1.4.2 // indirect
github.com/go-logr/stdr v1.2.2 // indirect github.com/go-logr/stdr v1.2.2 // indirect
github.com/godbus/dbus/v5 v5.1.0 // indirect github.com/godbus/dbus/v5 v5.1.0 // indirect
@ -130,7 +130,7 @@ require (
github.com/vishvananda/netns v0.0.4 // indirect github.com/vishvananda/netns v0.0.4 // indirect
github.com/x448/float16 v0.8.4 // indirect github.com/x448/float16 v0.8.4 // indirect
github.com/xrash/smetrics v0.0.0-20240521201337-686a1a2994c1 // indirect github.com/xrash/smetrics v0.0.0-20240521201337-686a1a2994c1 // indirect
go.mozilla.org/pkcs7 v0.0.0-20200128120323-432b2356ecb1 // indirect go.mozilla.org/pkcs7 v0.9.0 // indirect
go.opencensus.io v0.24.0 // indirect go.opencensus.io v0.24.0 // indirect
go.opentelemetry.io/otel/metric v1.31.0 // indirect go.opentelemetry.io/otel/metric v1.31.0 // indirect
go.opentelemetry.io/proto/otlp v1.3.1 // indirect go.opentelemetry.io/proto/otlp v1.3.1 // indirect

24
go.sum
View File

@ -597,10 +597,10 @@ dario.cat/mergo v1.0.1/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk=
dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU= dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
gioui.org v0.0.0-20210308172011-57750fc8a0a6/go.mod h1:RSH6KIUZ0p2xy5zHDxgAM4zumjgTw83q2ge/PI+yyw8= gioui.org v0.0.0-20210308172011-57750fc8a0a6/go.mod h1:RSH6KIUZ0p2xy5zHDxgAM4zumjgTw83q2ge/PI+yyw8=
git.sr.ht/~sbinet/gg v0.3.1/go.mod h1:KGYtlADtqsqANL9ueOFkWymvzUvLMQllU5Ixo+8v3pc= git.sr.ht/~sbinet/gg v0.3.1/go.mod h1:KGYtlADtqsqANL9ueOFkWymvzUvLMQllU5Ixo+8v3pc=
github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 h1:bvDV9vkmnHYOMsOr4WLk+Vo07yKIzd94sVoIqshQ4bU= github.com/AdaLogics/go-fuzz-headers v0.0.0-20240806141605-e8a1dd7889d6 h1:He8afgbRMd7mFxO99hRNu+6tazq8nFF9lIwo9JFroBk=
github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24/go.mod h1:8o94RPi1/7XTJvwPpRSzSUedZrtlirdB3r9Z20bi2f8= github.com/AdaLogics/go-fuzz-headers v0.0.0-20240806141605-e8a1dd7889d6/go.mod h1:8o94RPi1/7XTJvwPpRSzSUedZrtlirdB3r9Z20bi2f8=
github.com/AdamKorcz/go-118-fuzz-build v0.0.0-20230306123547-8075edf89bb0 h1:59MxjQVfjXsBpLy+dbd2/ELV5ofnUkUZBvWSC85sheA= github.com/AdamKorcz/go-118-fuzz-build v0.0.0-20231105174938-2b5cbb29f3e2 h1:dIScnXFlF784X79oi7MzVT6GWqr/W1uUt0pB5CsDs9M=
github.com/AdamKorcz/go-118-fuzz-build v0.0.0-20230306123547-8075edf89bb0/go.mod h1:OahwfttHWG6eJ0clwcfBAHoDI6X/LV/15hx/wlMZSrU= github.com/AdamKorcz/go-118-fuzz-build v0.0.0-20231105174938-2b5cbb29f3e2/go.mod h1:gCLVsLfv1egrcZu+GoJATN5ts75F2s62ih/457eWzOw=
github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
github.com/JohnCGriffin/overflow v0.0.0-20211019200055-46fa312c352c/go.mod h1:X0CRv0ky0k6m906ixxpzmDRLvX58TFUKS2eePweuyxk= github.com/JohnCGriffin/overflow v0.0.0-20211019200055-46fa312c352c/go.mod h1:X0CRv0ky0k6m906ixxpzmDRLvX58TFUKS2eePweuyxk=
@ -685,8 +685,8 @@ github.com/containerd/go-cni v1.1.10 h1:c2U73nld7spSWfiJwSh/8W9DK+/qQwYM2rngIhCy
github.com/containerd/go-cni v1.1.10/go.mod h1:/Y/sL8yqYQn1ZG1om1OncJB1W4zN3YmjfP/ShCzG/OY= github.com/containerd/go-cni v1.1.10/go.mod h1:/Y/sL8yqYQn1ZG1om1OncJB1W4zN3YmjfP/ShCzG/OY=
github.com/containerd/go-runc v1.1.0 h1:OX4f+/i2y5sUT7LhmcJH7GYrjjhHa1QI4e8yO0gGleA= github.com/containerd/go-runc v1.1.0 h1:OX4f+/i2y5sUT7LhmcJH7GYrjjhHa1QI4e8yO0gGleA=
github.com/containerd/go-runc v1.1.0/go.mod h1:xJv2hFF7GvHtTJd9JqTS2UVxMkULUYw4JN5XAUZqH5U= github.com/containerd/go-runc v1.1.0/go.mod h1:xJv2hFF7GvHtTJd9JqTS2UVxMkULUYw4JN5XAUZqH5U=
github.com/containerd/imgcrypt v1.2.0-rc1 h1:XESaAcMqxrGlRjQIqLdzxqsO/ddNK4vwfe7MipXKVgg= github.com/containerd/imgcrypt/v2 v2.0.0-rc.1 h1:7OMu5otk5Z2GeQs24JBPOmYbTc50+q6jo02qWNJc0p8=
github.com/containerd/imgcrypt v1.2.0-rc1/go.mod h1:F9roK2DzKlFnV+h+ZJy/r2FoS28bIvxKgdcoV7o8Sms= github.com/containerd/imgcrypt/v2 v2.0.0-rc.1/go.mod h1:3/Ab3iliBt/aBVNYOwecT1YagCqAiHidOmVsrjtHF1A=
github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I= github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I=
github.com/containerd/log v0.1.0/go.mod h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3EhrzVo= github.com/containerd/log v0.1.0/go.mod h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3EhrzVo=
github.com/containerd/nri v0.7.0 h1:scGL9JiBqNaWnghLFFPOzp0GxxWAc1uQtQ7qx8PHdCs= github.com/containerd/nri v0.7.0 h1:scGL9JiBqNaWnghLFFPOzp0GxxWAc1uQtQ7qx8PHdCs=
@ -765,8 +765,8 @@ github.com/go-fonts/stix v0.1.0/go.mod h1:w/c1f0ldAUlJmLBvlbkvVXLAD+tAMqobIIQpmn
github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU= github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=
github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
github.com/go-jose/go-jose/v4 v4.0.2 h1:R3l3kkBds16bO7ZFAEEcofK0MkrAJt3jlJznWZG0nvk= github.com/go-jose/go-jose/v4 v4.0.4 h1:VsjPI33J0SB9vQM6PLmNjoHqMQNGPiZ0rHL7Ni7Q6/E=
github.com/go-jose/go-jose/v4 v4.0.2/go.mod h1:WVf9LFMHh/QVrmqrOfqun0C45tMe3RoiKJMPvgWwLfY= github.com/go-jose/go-jose/v4 v4.0.4/go.mod h1:NKb5HO1EZccyMpiZNbdUw/14tiXNyUJh188dfnMCAfc=
github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
github.com/go-latex/latex v0.0.0-20210118124228-b3d85cf34e07/go.mod h1:CO1AlKB2CSIqUrmQPqA0gdRIlnLEY0gK5JGjh37zN5U= github.com/go-latex/latex v0.0.0-20210118124228-b3d85cf34e07/go.mod h1:CO1AlKB2CSIqUrmQPqA0gdRIlnLEY0gK5JGjh37zN5U=
github.com/go-latex/latex v0.0.0-20210823091927-c0d11ff05a81/go.mod h1:SX0U8uGpxhq9o2S/CELCSUxEWWAuoCUcVCQWv7G2OCk= github.com/go-latex/latex v0.0.0-20210823091927-c0d11ff05a81/go.mod h1:SX0U8uGpxhq9o2S/CELCSUxEWWAuoCUcVCQWv7G2OCk=
@ -1141,8 +1141,8 @@ github.com/zeebo/assert v1.3.0/go.mod h1:Pq9JiuJQpG8JLJdtkwrJESF0Foym2/D9XMU5ciN
github.com/zeebo/xxh3 v1.0.2/go.mod h1:5NWz9Sef7zIDm2JHfFlcQvNekmcEl9ekUZQQKCYaDcA= github.com/zeebo/xxh3 v1.0.2/go.mod h1:5NWz9Sef7zIDm2JHfFlcQvNekmcEl9ekUZQQKCYaDcA=
go.etcd.io/bbolt v1.3.11 h1:yGEzV1wPz2yVCLsD8ZAiGHhHVlczyC9d1rP43/VCRJ0= go.etcd.io/bbolt v1.3.11 h1:yGEzV1wPz2yVCLsD8ZAiGHhHVlczyC9d1rP43/VCRJ0=
go.etcd.io/bbolt v1.3.11/go.mod h1:dksAq7YMXoljX0xu6VF5DMZGbhYYoLUalEiSySYAS4I= go.etcd.io/bbolt v1.3.11/go.mod h1:dksAq7YMXoljX0xu6VF5DMZGbhYYoLUalEiSySYAS4I=
go.mozilla.org/pkcs7 v0.0.0-20200128120323-432b2356ecb1 h1:A/5uWzF44DlIgdm/PQFwfMkW0JX+cIcQi/SwLAmZP5M= go.mozilla.org/pkcs7 v0.9.0 h1:yM4/HS9dYv7ri2biPtxt8ikvB37a980dg69/pKmS+eI=
go.mozilla.org/pkcs7 v0.0.0-20200128120323-432b2356ecb1/go.mod h1:SNgMg+EgDFwmvSmLRTNKC5fegJjB7v23qTQ0XLGUNHk= go.mozilla.org/pkcs7 v0.9.0/go.mod h1:SNgMg+EgDFwmvSmLRTNKC5fegJjB7v23qTQ0XLGUNHk=
go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU= go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=
go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8= go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8=
go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
@ -1772,8 +1772,8 @@ google.golang.org/genproto/googleapis/api v0.0.0-20241007155032-5fefd90f89a9 h1:
google.golang.org/genproto/googleapis/api v0.0.0-20241007155032-5fefd90f89a9/go.mod h1:wp2WsuBYj6j8wUdo3ToZsdxxixbvQNAHqVJrTgi5E5M= google.golang.org/genproto/googleapis/api v0.0.0-20241007155032-5fefd90f89a9/go.mod h1:wp2WsuBYj6j8wUdo3ToZsdxxixbvQNAHqVJrTgi5E5M=
google.golang.org/genproto/googleapis/rpc v0.0.0-20230525234015-3fc162c6f38a/go.mod h1:xURIpW9ES5+/GZhnV6beoEtxQrnkRGIfP5VQG2tCBLc= google.golang.org/genproto/googleapis/rpc v0.0.0-20230525234015-3fc162c6f38a/go.mod h1:xURIpW9ES5+/GZhnV6beoEtxQrnkRGIfP5VQG2tCBLc=
google.golang.org/genproto/googleapis/rpc v0.0.0-20230525234030-28d5490b6b19/go.mod h1:66JfowdXAEgad5O9NnYcsNPLCPZJD++2L9X0PCMODrA= google.golang.org/genproto/googleapis/rpc v0.0.0-20230525234030-28d5490b6b19/go.mod h1:66JfowdXAEgad5O9NnYcsNPLCPZJD++2L9X0PCMODrA=
google.golang.org/genproto/googleapis/rpc v0.0.0-20241007155032-5fefd90f89a9 h1:QCqS/PdaHTSWGvupk2F/ehwHtGc0/GYkT+3GAcR1CCc= google.golang.org/genproto/googleapis/rpc v0.0.0-20241021214115-324edc3d5d38 h1:zciRKQ4kBpFgpfC5QQCVtnnNAcLIqweL7plyZRQHVpI=
google.golang.org/genproto/googleapis/rpc v0.0.0-20241007155032-5fefd90f89a9/go.mod h1:GX3210XPVPUjJbTUbvwI8f2IpZDMZuPJWDzDuebbviI= google.golang.org/genproto/googleapis/rpc v0.0.0-20241021214115-324edc3d5d38/go.mod h1:GX3210XPVPUjJbTUbvwI8f2IpZDMZuPJWDzDuebbviI=
google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38= google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38=
google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM= google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM=

4
internal/cri/server/images/image_pull.go
View File

@ -33,8 +33,8 @@ import (
"time" "time"
"github.com/containerd/errdefs" "github.com/containerd/errdefs"
"github.com/containerd/imgcrypt" "github.com/containerd/imgcrypt/v2"
"github.com/containerd/imgcrypt/images/encryption" "github.com/containerd/imgcrypt/v2/images/encryption"
"github.com/containerd/log" "github.com/containerd/log"
distribution "github.com/distribution/reference" distribution "github.com/distribution/reference"
imagespec "github.com/opencontainers/image-spec/specs-go/v1" imagespec "github.com/opencontainers/image-spec/specs-go/v1"

2
script/setup/imgcrypt-version
View File

@ -1 +1 @@
v1.2.0-rc1 v2.0.0-rc.1

48
vendor/github.com/AdaLogics/go-fuzz-headers/consumer.go generated vendored
View File

@ -48,6 +48,7 @@ type ConsumeFuzzer struct {
NumberOfCalls int NumberOfCalls int
position uint32 position uint32
fuzzUnexportedFields bool fuzzUnexportedFields bool
forceUTF8Strings bool
curDepth int curDepth int
Funcs map[reflect.Type]reflect.Value Funcs map[reflect.Type]reflect.Value
} }
@ -104,6 +105,14 @@ func (f *ConsumeFuzzer) DisallowUnexportedFields() {
f.fuzzUnexportedFields = false f.fuzzUnexportedFields = false
} }
func (f *ConsumeFuzzer) AllowNonUTF8Strings() {
f.forceUTF8Strings = false
}
func (f *ConsumeFuzzer) DisallowNonUTF8Strings() {
f.forceUTF8Strings = true
}
func (f *ConsumeFuzzer) GenerateStruct(targetStruct interface{}) error { func (f *ConsumeFuzzer) GenerateStruct(targetStruct interface{}) error {
e := reflect.ValueOf(targetStruct).Elem() e := reflect.ValueOf(targetStruct).Elem()
return f.fuzzStruct(e, false) return f.fuzzStruct(e, false)
@ -224,6 +233,14 @@ func (f *ConsumeFuzzer) fuzzStruct(e reflect.Value, customFunctions bool) error
if e.CanSet() { if e.CanSet() {
e.Set(uu) e.Set(uu)
} }
case reflect.Uint:
newInt, err := f.GetUint()
if err != nil {
return err
}
if e.CanSet() {
e.SetUint(uint64(newInt))
}
case reflect.Uint16: case reflect.Uint16:
newInt, err := f.GetUint16() newInt, err := f.GetUint16()
if err != nil { if err != nil {
@ -309,6 +326,14 @@ func (f *ConsumeFuzzer) fuzzStruct(e reflect.Value, customFunctions bool) error
if e.CanSet() { if e.CanSet() {
e.SetUint(uint64(b)) e.SetUint(uint64(b))
} }
case reflect.Bool:
b, err := f.GetBool()
if err != nil {
return err
}
if e.CanSet() {
e.SetBool(b)
}
} }
return nil return nil
} }
@ -410,6 +435,23 @@ func (f *ConsumeFuzzer) GetUint64() (uint64, error) {
return binary.BigEndian.Uint64(u64), nil return binary.BigEndian.Uint64(u64), nil
} }
func (f *ConsumeFuzzer) GetUint() (uint, error) {
var zero uint
size := int(unsafe.Sizeof(zero))
if size == 8 {
u64, err := f.GetUint64()
if err != nil {
return 0, err
}
return uint(u64), nil
}
u32, err := f.GetUint32()
if err != nil {
return 0, err
}
return uint(u32), nil
}
func (f *ConsumeFuzzer) GetBytes() ([]byte, error) { func (f *ConsumeFuzzer) GetBytes() ([]byte, error) {
var length uint32 var length uint32
var err error var err error
@ -461,7 +503,11 @@ func (f *ConsumeFuzzer) GetString() (string, error) {
return "nil", errors.New("numbers overflow") return "nil", errors.New("numbers overflow")
} }
f.position = byteBegin + length f.position = byteBegin + length
return string(f.data[byteBegin:f.position]), nil s := string(f.data[byteBegin:f.position])
if f.forceUTF8Strings {
s = strings.ToValidUTF8(s, "")
}
return s, nil
} }
func (f *ConsumeFuzzer) GetBool() (bool, error) { func (f *ConsumeFuzzer) GetBool() (bool, error) {

88
vendor/github.com/AdamKorcz/go-118-fuzz-build/testing/f.go generated vendored
View File

@ -41,147 +41,119 @@ func (f *F) Fuzz(ff any) {
args := []reflect.Value{reflect.ValueOf(f.T)} args := []reflect.Value{reflect.ValueOf(f.T)}
fuzzConsumer := fuzz.NewConsumer(f.Data) fuzzConsumer := fuzz.NewConsumer(f.Data)
for _, v := range types { for _, v := range types {
//fmt.Printf("arg %v\n", v)
newElem := reflect.New(v).Elem()
switch v.String() { switch v.String() {
case "[]uint8": case "[]uint8":
b, err := fuzzConsumer.GetBytes() b, err := fuzzConsumer.GetBytes()
if err != nil { if err != nil {
return return
} }
newBytes := reflect.New(v) newElem.SetBytes(b)
newBytes.Elem().SetBytes(b)
args = append(args, newBytes.Elem())
case "string": case "string":
s, err := fuzzConsumer.GetString() s, err := fuzzConsumer.GetString()
if err != nil { if err != nil {
return return
} }
newString := reflect.New(v) newElem.SetString(s)
newString.Elem().SetString(s)
args = append(args, newString.Elem())
case "int": case "int":
randInt, err := fuzzConsumer.GetInt() randInt, err := fuzzConsumer.GetUint64()
if err != nil { if err != nil {
return return
} }
newInt := reflect.New(v) newElem.SetInt(int64(int(randInt)))
newInt.Elem().SetInt(int64(randInt))
args = append(args, newInt.Elem())
case "int8": case "int8":
randInt, err := fuzzConsumer.GetInt() randInt, err := fuzzConsumer.GetByte()
if err != nil { if err != nil {
return return
} }
newInt := reflect.New(v) newElem.SetInt(int64(randInt))
newInt.Elem().SetInt(int64(randInt))
args = append(args, newInt.Elem())
case "int16": case "int16":
randInt, err := fuzzConsumer.GetInt() randInt, err := fuzzConsumer.GetUint16()
if err != nil { if err != nil {
return return
} }
newInt := reflect.New(v) newElem.SetInt(int64(randInt))
newInt.Elem().SetInt(int64(randInt))
args = append(args, newInt.Elem())
case "int32": case "int32":
randInt, err := fuzzConsumer.GetInt() randInt, err := fuzzConsumer.GetUint32()
if err != nil { if err != nil {
return return
} }
newInt := reflect.New(v) newElem.SetInt(int64(int32(randInt)))
newInt.Elem().SetInt(int64(randInt))
args = append(args, newInt.Elem())
case "int64": case "int64":
randInt, err := fuzzConsumer.GetInt() randInt, err := fuzzConsumer.GetUint64()
if err != nil { if err != nil {
return return
} }
newInt := reflect.New(v) newElem.SetInt(int64(randInt))
newInt.Elem().SetInt(int64(randInt))
args = append(args, newInt.Elem())
case "uint": case "uint":
randInt, err := fuzzConsumer.GetInt() randInt, err := fuzzConsumer.GetUint64()
if err != nil { if err != nil {
return return
} }
newUint := reflect.New(v) newElem.SetUint(uint64(uint(randInt)))
newUint.Elem().SetUint(uint64(randInt))
args = append(args, newUint.Elem())
case "uint8": case "uint8":
randInt, err := fuzzConsumer.GetInt() randInt, err := fuzzConsumer.GetByte()
if err != nil { if err != nil {
return return
} }
newUint := reflect.New(v) newElem.SetUint(uint64(randInt))
newUint.Elem().SetUint(uint64(randInt))
args = append(args, newUint.Elem())
case "uint16": case "uint16":
randInt, err := fuzzConsumer.GetUint16() randInt, err := fuzzConsumer.GetUint16()
if err != nil { if err != nil {
return return
} }
newUint16 := reflect.New(v) newElem.SetUint(uint64(randInt))
newUint16.Elem().SetUint(uint64(randInt))
args = append(args, newUint16.Elem())
case "uint32": case "uint32":
randInt, err := fuzzConsumer.GetUint32() randInt, err := fuzzConsumer.GetUint32()
if err != nil { if err != nil {
return return
} }
newUint32 := reflect.New(v) newElem.SetUint(uint64(randInt))
newUint32.Elem().SetUint(uint64(randInt))
args = append(args, newUint32.Elem())
case "uint64": case "uint64":
randInt, err := fuzzConsumer.GetUint64() randInt, err := fuzzConsumer.GetUint64()
if err != nil { if err != nil {
return return
} }
newUint64 := reflect.New(v) newElem.SetUint(uint64(randInt))
newUint64.Elem().SetUint(uint64(randInt))
args = append(args, newUint64.Elem())
case "rune": case "rune":
randRune, err := fuzzConsumer.GetRune() randRune, err := fuzzConsumer.GetRune()
if err != nil { if err != nil {
return return
} }
newRune := reflect.New(v) newElem.Set(reflect.ValueOf(randRune))
newRune.Elem().Set(reflect.ValueOf(randRune))
args = append(args, newRune.Elem())
case "float32": case "float32":
randFloat, err := fuzzConsumer.GetFloat32() randFloat, err := fuzzConsumer.GetFloat32()
if err != nil { if err != nil {
return return
} }
newFloat := reflect.New(v) newElem.Set(reflect.ValueOf(randFloat))
newFloat.Elem().Set(reflect.ValueOf(randFloat))
args = append(args, newFloat.Elem())
case "float64": case "float64":
randFloat, err := fuzzConsumer.GetFloat64() randFloat, err := fuzzConsumer.GetFloat64()
if err != nil { if err != nil {
return return
} }
newFloat := reflect.New(v) newElem.Set(reflect.ValueOf(randFloat))
newFloat.Elem().Set(reflect.ValueOf(randFloat))
args = append(args, newFloat.Elem())
case "bool": case "bool":
randBool, err := fuzzConsumer.GetBool() randBool, err := fuzzConsumer.GetBool()
if err != nil { if err != nil {
return return
} }
newBool := reflect.New(v) newElem.Set(reflect.ValueOf(randBool))
newBool.Elem().Set(reflect.ValueOf(randBool))
args = append(args, newBool.Elem())
default: default:
fmt.Println(v.String()) panic(fmt.Sprintf("unsupported type: %s", v.String()))
} }
args = append(args, newElem)
} }
fn.Call(args) fn.Call(args)
} }
func (f *F) Helper() {} func (f *F) Helper() {}
func (c *F) Log(args ...any) { func (c *F) Log(args ...any) {
fmt.Println(args...) fmt.Print(args...)
} }
func (c *F) Logf(format string, args ...any) { func (c *F) Logf(format string, args ...any) {
fmt.Println(format, args) fmt.Println(fmt.Sprintf(format, args...))
} }
func (c *F) Name() string { return "libFuzzer" } func (c *F) Name() string { return "libFuzzer" }
func (c *F) Setenv(key, value string) {} func (c *F) Setenv(key, value string) {}

0
vendor/github.com/containerd/imgcrypt/.gitignore → vendor/github.com/containerd/imgcrypt/v2/.gitignore generated vendored
View File

0
vendor/github.com/containerd/imgcrypt/.golangci.yml → vendor/github.com/containerd/imgcrypt/v2/.golangci.yml generated vendored
View File

0
vendor/github.com/containerd/imgcrypt/CHANGES → vendor/github.com/containerd/imgcrypt/v2/CHANGES generated vendored
View File

0
vendor/github.com/containerd/imgcrypt/LICENSE → vendor/github.com/containerd/imgcrypt/v2/LICENSE generated vendored
View File

0
vendor/github.com/containerd/imgcrypt/MAINTAINERS → vendor/github.com/containerd/imgcrypt/v2/MAINTAINERS generated vendored
View File

0
vendor/github.com/containerd/imgcrypt/Makefile → vendor/github.com/containerd/imgcrypt/v2/Makefile generated vendored
View File

0
vendor/github.com/containerd/imgcrypt/README.md → vendor/github.com/containerd/imgcrypt/v2/README.md generated vendored
View File

3
vendor/github.com/containerd/imgcrypt/images/encryption/client.go → vendor/github.com/containerd/imgcrypt/v2/images/encryption/client.go generated vendored
View File

@ -24,9 +24,10 @@ import (
"github.com/containerd/containerd/v2/core/containers" "github.com/containerd/containerd/v2/core/containers"
"github.com/containerd/containerd/v2/core/diff" "github.com/containerd/containerd/v2/core/diff"
"github.com/containerd/errdefs" "github.com/containerd/errdefs"
"github.com/containerd/imgcrypt"
"github.com/containerd/typeurl/v2" "github.com/containerd/typeurl/v2"
"github.com/containerd/imgcrypt/v2"
encconfig "github.com/containers/ocicrypt/config" encconfig "github.com/containers/ocicrypt/config"
ocispec "github.com/opencontainers/image-spec/specs-go/v1" ocispec "github.com/opencontainers/image-spec/specs-go/v1"
) )

0
vendor/github.com/containerd/imgcrypt/images/encryption/encryption.go → vendor/github.com/containerd/imgcrypt/v2/images/encryption/encryption.go generated vendored
View File

0
vendor/github.com/containerd/imgcrypt/payload.go → vendor/github.com/containerd/imgcrypt/v2/payload.go generated vendored
View File

24
vendor/github.com/go-jose/go-jose/v4/CHANGELOG.md generated vendored
View File

@ -1,3 +1,27 @@
# v4.0.4
## Fixed
- Reverted "Allow unmarshalling JSONWebKeySets with unsupported key types" as a
breaking change. See #136 / #137.
# v4.0.3
## Changed
- Allow unmarshalling JSONWebKeySets with unsupported key types (#130)
- Document that OpaqueKeyEncrypter can't be implemented (for now) (#129)
- Dependency updates
# v4.0.2
## Changed
- Improved documentation of Verify() to note that JSONWebKeySet is a supported
argument type (#104)
- Defined exported error values for missing x5c header and unsupported elliptic
curves error cases (#117)
# v4.0.1 # v4.0.1
## Fixed ## Fixed

10
vendor/github.com/go-jose/go-jose/v4/crypter.go generated vendored
View File

@ -459,7 +459,10 @@ func (obj JSONWebEncryption) Decrypt(decryptionKey interface{}) ([]byte, error)
return nil, fmt.Errorf("go-jose/go-jose: unsupported crit header") return nil, fmt.Errorf("go-jose/go-jose: unsupported crit header")
} }
key := tryJWKS(decryptionKey, obj.Header) key, err := tryJWKS(decryptionKey, obj.Header)
if err != nil {
return nil, err
}
decrypter, err := newDecrypter(key) decrypter, err := newDecrypter(key)
if err != nil { if err != nil {
return nil, err return nil, err
@ -529,7 +532,10 @@ func (obj JSONWebEncryption) DecryptMulti(decryptionKey interface{}) (int, Heade
return -1, Header{}, nil, fmt.Errorf("go-jose/go-jose: unsupported crit header") return -1, Header{}, nil, fmt.Errorf("go-jose/go-jose: unsupported crit header")
} }
key := tryJWKS(decryptionKey, obj.Header) key, err := tryJWKS(decryptionKey, obj.Header)
if err != nil {
return -1, Header{}, nil, err
}
decrypter, err := newDecrypter(key) decrypter, err := newDecrypter(key)
if err != nil { if err != nil {
return -1, Header{}, nil, err return -1, Header{}, nil, err

21
vendor/github.com/go-jose/go-jose/v4/jwk.go generated vendored
View File

@ -779,7 +779,13 @@ func (key rawJSONWebKey) symmetricKey() ([]byte, error) {
return key.K.bytes(), nil return key.K.bytes(), nil
} }
func tryJWKS(key interface{}, headers ...Header) interface{} { var (
// ErrJWKSKidNotFound is returned when a JWKS does not contain a JWK with a
// key ID which matches one in the provided tokens headers.
ErrJWKSKidNotFound = errors.New("go-jose/go-jose: JWK with matching kid not found in JWK Set")
)
func tryJWKS(key interface{}, headers ...Header) (interface{}, error) {
var jwks JSONWebKeySet var jwks JSONWebKeySet
switch jwksType := key.(type) { switch jwksType := key.(type) {
@ -788,9 +794,11 @@ func tryJWKS(key interface{}, headers ...Header) interface{} {
case JSONWebKeySet: case JSONWebKeySet:
jwks = jwksType jwks = jwksType
default: default:
return key // If the specified key is not a JWKS, return as is.
return key, nil
} }
// Determine the KID to search for from the headers.
var kid string var kid string
for _, header := range headers { for _, header := range headers {
if header.KeyID != "" { if header.KeyID != "" {
@ -799,14 +807,17 @@ func tryJWKS(key interface{}, headers ...Header) interface{} {
} }
} }
// If no KID is specified in the headers, reject.
if kid == "" { if kid == "" {
return key return nil, ErrJWKSKidNotFound
} }
// Find the JWK with the matching KID. If no JWK with the specified KID is
// found, reject.
keys := jwks.Key(kid) keys := jwks.Key(kid)
if len(keys) == 0 { if len(keys) == 0 {
return key return nil, ErrJWKSKidNotFound
} }
return keys[0].Key return keys[0].Key, nil
} }

3
vendor/github.com/go-jose/go-jose/v4/opaque.go generated vendored
View File

@ -83,6 +83,9 @@ func (o *opaqueVerifier) verifyPayload(payload []byte, signature []byte, alg Sig
} }
// OpaqueKeyEncrypter is an interface that supports encrypting keys with an opaque key. // OpaqueKeyEncrypter is an interface that supports encrypting keys with an opaque key.
//
// Note: this cannot currently be implemented outside this package because of its
// unexported method.
type OpaqueKeyEncrypter interface { type OpaqueKeyEncrypter interface {
// KeyID returns the kid // KeyID returns the kid
KeyID() string KeyID() string

10
vendor/github.com/go-jose/go-jose/v4/signing.go generated vendored
View File

@ -390,7 +390,10 @@ func (obj JSONWebSignature) UnsafePayloadWithoutVerification() []byte {
// The verificationKey argument must have one of the types allowed for the // The verificationKey argument must have one of the types allowed for the
// verificationKey argument of JSONWebSignature.Verify(). // verificationKey argument of JSONWebSignature.Verify().
func (obj JSONWebSignature) DetachedVerify(payload []byte, verificationKey interface{}) error { func (obj JSONWebSignature) DetachedVerify(payload []byte, verificationKey interface{}) error {
key := tryJWKS(verificationKey, obj.headers()...) key, err := tryJWKS(verificationKey, obj.headers()...)
if err != nil {
return err
}
verifier, err := newVerifier(key) verifier, err := newVerifier(key)
if err != nil { if err != nil {
return err return err
@ -455,7 +458,10 @@ func (obj JSONWebSignature) VerifyMulti(verificationKey interface{}) (int, Signa
// The verificationKey argument must have one of the types allowed for the // The verificationKey argument must have one of the types allowed for the
// verificationKey argument of JSONWebSignature.Verify(). // verificationKey argument of JSONWebSignature.Verify().
func (obj JSONWebSignature) DetachedVerifyMulti(payload []byte, verificationKey interface{}) (int, Signature, error) { func (obj JSONWebSignature) DetachedVerifyMulti(payload []byte, verificationKey interface{}) (int, Signature, error) {
key := tryJWKS(verificationKey, obj.headers()...) key, err := tryJWKS(verificationKey, obj.headers()...)
if err != nil {
return -1, Signature{}, err
}
verifier, err := newVerifier(key) verifier, err := newVerifier(key)
if err != nil { if err != nil {
return -1, Signature{}, err return -1, Signature{}, err

2
vendor/go.mozilla.org/pkcs7/.gitignore generated vendored
View File

@ -22,3 +22,5 @@ _testmain.go
*.exe *.exe
*.test *.test
*.prof *.prof
coverage.out

10
vendor/go.mozilla.org/pkcs7/.travis.yml generated vendored
View File

@ -1,10 +0,0 @@
language: go
go:
- "1.11"
- "1.12"
- "1.13"
- tip
before_install:
- make gettools
script:
- make

2
vendor/go.mozilla.org/pkcs7/Makefile generated vendored
View File

@ -1,7 +1,7 @@
all: vet staticcheck test all: vet staticcheck test
test: test:
go test -covermode=count -coverprofile=coverage.out . go test -race -covermode=atomic -count=1 -coverprofile=coverage.out .
showcoverage: test showcoverage: test
go tool cover -html=coverage.out go tool cover -html=coverage.out

2
vendor/go.mozilla.org/pkcs7/README.md generated vendored
View File

@ -1,7 +1,7 @@
# pkcs7 # pkcs7
[![GoDoc](https://godoc.org/go.mozilla.org/pkcs7?status.svg)](https://godoc.org/go.mozilla.org/pkcs7) [![GoDoc](https://godoc.org/go.mozilla.org/pkcs7?status.svg)](https://godoc.org/go.mozilla.org/pkcs7)
[![Build Status](https://travis-ci.org/mozilla-services/pkcs7.svg?branch=master)](https://travis-ci.org/mozilla-services/pkcs7) [![Build Status](https://github.com/mozilla-services/pkcs7/workflows/CI/badge.svg?branch=master&event=push)](https://github.com/mozilla-services/pkcs7/actions/workflows/ci.yml?query=branch%3Amaster+event%3Apush)
pkcs7 implements parsing and creating signed and enveloped messages. pkcs7 implements parsing and creating signed and enveloped messages.

53
vendor/go.mozilla.org/pkcs7/ber.go generated vendored
View File

@ -5,8 +5,6 @@ import (
"errors" "errors"
) )
var encodeIndent = 0
type asn1Object interface { type asn1Object interface {
EncodeTo(writer *bytes.Buffer) error EncodeTo(writer *bytes.Buffer) error
} }
@ -17,8 +15,6 @@ type asn1Structured struct {
} }
func (s asn1Structured) EncodeTo(out *bytes.Buffer) error { func (s asn1Structured) EncodeTo(out *bytes.Buffer) error {
//fmt.Printf("%s--> tag: % X\n", strings.Repeat("| ", encodeIndent), s.tagBytes)
encodeIndent++
inner := new(bytes.Buffer) inner := new(bytes.Buffer)
for _, obj := range s.content { for _, obj := range s.content {
err := obj.EncodeTo(inner) err := obj.EncodeTo(inner)
@ -26,7 +22,6 @@ func (s asn1Structured) EncodeTo(out *bytes.Buffer) error {
return err return err
} }
} }
encodeIndent--
out.Write(s.tagBytes) out.Write(s.tagBytes)
encodeLength(out, inner.Len()) encodeLength(out, inner.Len())
out.Write(inner.Bytes()) out.Write(inner.Bytes())
@ -47,10 +42,7 @@ func (p asn1Primitive) EncodeTo(out *bytes.Buffer) error {
if err = encodeLength(out, p.length); err != nil { if err = encodeLength(out, p.length); err != nil {
return err return err
} }
//fmt.Printf("%s--> tag: % X length: %d\n", strings.Repeat("| ", encodeIndent), p.tagBytes, p.length)
//fmt.Printf("%s--> content length: %d\n", strings.Repeat("| ", encodeIndent), len(p.content))
out.Write(p.content) out.Write(p.content)
return nil return nil
} }
@ -58,7 +50,6 @@ func ber2der(ber []byte) ([]byte, error) {
if len(ber) == 0 { if len(ber) == 0 {
return nil, errors.New("ber2der: input ber is empty") return nil, errors.New("ber2der: input ber is empty")
} }
//fmt.Printf("--> ber2der: Transcoding %d bytes\n", len(ber))
out := new(bytes.Buffer) out := new(bytes.Buffer)
obj, _, err := readObject(ber, 0) obj, _, err := readObject(ber, 0)
@ -175,7 +166,7 @@ func readObject(ber []byte, offset int) (asn1Object, int, error) {
if offset > berLen { if offset > berLen {
return nil, 0, errors.New("ber2der: cannot move offset forward, end of ber data reached") return nil, 0, errors.New("ber2der: cannot move offset forward, end of ber data reached")
} }
hack := 0 indefinite := false
if l > 0x80 { if l > 0x80 {
numberOfBytes := (int)(l & 0x7F) numberOfBytes := (int)(l & 0x7F)
if numberOfBytes > 4 { // int is only guaranteed to be 32bit if numberOfBytes > 4 { // int is only guaranteed to be 32bit
@ -197,14 +188,7 @@ func readObject(ber []byte, offset int) (asn1Object, int, error) {
} }
} }
} else if l == 0x80 { } else if l == 0x80 {
// find length by searching content indefinite = true
markerIndex := bytes.LastIndex(ber[offset:], []byte{0x0, 0x0})
if markerIndex == -1 {
return nil, 0, errors.New("ber2der: Invalid BER format")
}
length = markerIndex
hack = 2
debugprint("--> (compute length) marker found at offset: %d\n", markerIndex+offset)
} else { } else {
length = (int)(l) length = (int)(l)
} }
@ -220,6 +204,9 @@ func readObject(ber []byte, offset int) (asn1Object, int, error) {
debugprint("--> content end : %d\n", contentEnd) debugprint("--> content end : %d\n", contentEnd)
debugprint("--> content : % X\n", ber[offset:contentEnd]) debugprint("--> content : % X\n", ber[offset:contentEnd])
var obj asn1Object var obj asn1Object
if indefinite && kind == 0 {
return nil, 0, errors.New("ber2der: Indefinite form tag must have constructed encoding")
}
if kind == 0 { if kind == 0 {
obj = asn1Primitive{ obj = asn1Primitive{
tagBytes: ber[tagStart:tagEnd], tagBytes: ber[tagStart:tagEnd],
@ -228,14 +215,25 @@ func readObject(ber []byte, offset int) (asn1Object, int, error) {
} }
} else { } else {
var subObjects []asn1Object var subObjects []asn1Object
for offset < contentEnd { for (offset < contentEnd) || indefinite {
var subObj asn1Object var subObj asn1Object
var err error var err error
subObj, offset, err = readObject(ber[:contentEnd], offset) subObj, offset, err = readObject(ber, offset)
if err != nil { if err != nil {
return nil, 0, err return nil, 0, err
} }
subObjects = append(subObjects, subObj) subObjects = append(subObjects, subObj)
if indefinite {
terminated, err := isIndefiniteTermination(ber, offset)
if err != nil {
return nil, 0, err
}
if terminated {
break
}
}
} }
obj = asn1Structured{ obj = asn1Structured{
tagBytes: ber[tagStart:tagEnd], tagBytes: ber[tagStart:tagEnd],
@ -243,7 +241,20 @@ func readObject(ber []byte, offset int) (asn1Object, int, error) {
} }
} }
return obj, contentEnd + hack, nil // Apply indefinite form length with 0x0000 terminator.
if indefinite {
contentEnd = offset + 2
}
return obj, contentEnd, nil
}
func isIndefiniteTermination(ber []byte, offset int) (bool, error) {
if len(ber) - offset < 2 {
return false, errors.New("ber2der: Invalid BER format")
}
return bytes.Index(ber[offset:], []byte{0x0, 0x0}) == 0, nil
} }
func debugprint(format string, a ...interface{}) { func debugprint(format string, a ...interface{}) {

2
vendor/go.mozilla.org/pkcs7/encrypt.go generated vendored
View File

@ -35,7 +35,7 @@ type recipientInfo struct {
type encryptedContentInfo struct { type encryptedContentInfo struct {
ContentType asn1.ObjectIdentifier ContentType asn1.ObjectIdentifier
ContentEncryptionAlgorithm pkix.AlgorithmIdentifier ContentEncryptionAlgorithm pkix.AlgorithmIdentifier
EncryptedContent asn1.RawValue `asn1:"tag:0,optional,explicit"` EncryptedContent asn1.RawValue `asn1:"tag:0,optional"`
} }
const ( const (

8
vendor/go.mozilla.org/pkcs7/sign.go generated vendored
View File

@ -124,10 +124,10 @@ func (sd *SignedData) AddSigner(ee *x509.Certificate, pkey crypto.PrivateKey, co
// The signature algorithm used to hash the data is the one of the end-entity // The signature algorithm used to hash the data is the one of the end-entity
// certificate. // certificate.
func (sd *SignedData) AddSignerChain(ee *x509.Certificate, pkey crypto.PrivateKey, parents []*x509.Certificate, config SignerInfoConfig) error { func (sd *SignedData) AddSignerChain(ee *x509.Certificate, pkey crypto.PrivateKey, parents []*x509.Certificate, config SignerInfoConfig) error {
// Following RFC 2315, 9.2 SignerInfo type, the distinguished name of // Following RFC 2315, 9.2 SignerInfo type, the distinguished name of
// the issuer of the end-entity signer is stored in the issuerAndSerialNumber // the issuer of the end-entity signer is stored in the issuerAndSerialNumber
// section of the SignedData.SignerInfo, alongside the serial number of // section of the SignedData.SignerInfo, alongside the serial number of
// the end-entity. // the end-entity.
var ias issuerAndSerial var ias issuerAndSerial
ias.SerialNumber = ee.SerialNumber ias.SerialNumber = ee.SerialNumber
if len(parents) == 0 { if len(parents) == 0 {

85
vendor/go.mozilla.org/pkcs7/verify.go generated vendored
View File

@ -18,8 +18,12 @@ func (p7 *PKCS7) Verify() (err error) {
} }
// VerifyWithChain checks the signatures of a PKCS7 object. // VerifyWithChain checks the signatures of a PKCS7 object.
// If truststore is not nil, it also verifies the chain of trust of the end-entity //
// signer cert to one of the root in the truststore. // If truststore is not nil, it also verifies the chain of trust of
// the end-entity signer cert to one of the roots in the
// truststore. When the PKCS7 object includes the signing time
// authenticated attr verifies the chain at that time and UTC now
// otherwise.
func (p7 *PKCS7) VerifyWithChain(truststore *x509.CertPool) (err error) { func (p7 *PKCS7) VerifyWithChain(truststore *x509.CertPool) (err error) {
if len(p7.Signers) == 0 { if len(p7.Signers) == 0 {
return errors.New("pkcs7: Message has no signers") return errors.New("pkcs7: Message has no signers")
@ -32,6 +36,81 @@ func (p7 *PKCS7) VerifyWithChain(truststore *x509.CertPool) (err error) {
return nil return nil
} }
// VerifyWithChainAtTime checks the signatures of a PKCS7 object.
//
// If truststore is not nil, it also verifies the chain of trust of
// the end-entity signer cert to a root in the truststore at
// currentTime. It does not use the signing time authenticated
// attribute.
func (p7 *PKCS7) VerifyWithChainAtTime(truststore *x509.CertPool, currentTime time.Time) (err error) {
if len(p7.Signers) == 0 {
return errors.New("pkcs7: Message has no signers")
}
for _, signer := range p7.Signers {
if err := verifySignatureAtTime(p7, signer, truststore, currentTime); err != nil {
return err
}
}
return nil
}
func verifySignatureAtTime(p7 *PKCS7, signer signerInfo, truststore *x509.CertPool, currentTime time.Time) (err error) {
signedData := p7.Content
ee := getCertFromCertsByIssuerAndSerial(p7.Certificates, signer.IssuerAndSerialNumber)
if ee == nil {
return errors.New("pkcs7: No certificate for signer")
}
if len(signer.AuthenticatedAttributes) > 0 {
// TODO(fullsailor): First check the content type match
var (
digest []byte
signingTime time.Time
)
err := unmarshalAttribute(signer.AuthenticatedAttributes, OIDAttributeMessageDigest, &digest)
if err != nil {
return err
}
hash, err := getHashForOID(signer.DigestAlgorithm.Algorithm)
if err != nil {
return err
}
h := hash.New()
h.Write(p7.Content)
computed := h.Sum(nil)
if subtle.ConstantTimeCompare(digest, computed) != 1 {
return &MessageDigestMismatchError{
ExpectedDigest: digest,
ActualDigest: computed,
}
}
signedData, err = marshalAttributes(signer.AuthenticatedAttributes)
if err != nil {
return err
}
err = unmarshalAttribute(signer.AuthenticatedAttributes, OIDAttributeSigningTime, &signingTime)
if err == nil {
// signing time found, performing validity check
if signingTime.After(ee.NotAfter) || signingTime.Before(ee.NotBefore) {
return fmt.Errorf("pkcs7: signing time %q is outside of certificate validity %q to %q",
signingTime.Format(time.RFC3339),
ee.NotBefore.Format(time.RFC3339),
ee.NotAfter.Format(time.RFC3339))
}
}
}
if truststore != nil {
_, err = verifyCertChain(ee, p7.Certificates, truststore, currentTime)
if err != nil {
return err
}
}
sigalg, err := getSignatureAlgorithm(signer.DigestEncryptionAlgorithm, signer.DigestAlgorithm)
if err != nil {
return err
}
return ee.CheckSignature(sigalg, signedData, signer.EncryptedDigest)
}
func verifySignature(p7 *PKCS7, signer signerInfo, truststore *x509.CertPool) (err error) { func verifySignature(p7 *PKCS7, signer signerInfo, truststore *x509.CertPool) (err error) {
signedData := p7.Content signedData := p7.Content
ee := getCertFromCertsByIssuerAndSerial(p7.Certificates, signer.IssuerAndSerialNumber) ee := getCertFromCertsByIssuerAndSerial(p7.Certificates, signer.IssuerAndSerialNumber)
@ -70,7 +149,7 @@ func verifySignature(p7 *PKCS7, signer signerInfo, truststore *x509.CertPool) (e
return fmt.Errorf("pkcs7: signing time %q is outside of certificate validity %q to %q", return fmt.Errorf("pkcs7: signing time %q is outside of certificate validity %q to %q",
signingTime.Format(time.RFC3339), signingTime.Format(time.RFC3339),
ee.NotBefore.Format(time.RFC3339), ee.NotBefore.Format(time.RFC3339),
ee.NotBefore.Format(time.RFC3339)) ee.NotAfter.Format(time.RFC3339))
} }
} }
} }

182
vendor/go.mozilla.org/pkcs7/verify_test_dsa.go generated vendored Normal file
View File

@ -0,0 +1,182 @@
// +build go1.11 go1.12 go1.13 go1.14 go1.15
package pkcs7
import (
"crypto/x509"
"encoding/pem"
"fmt"
"io/ioutil"
"os"
"os/exec"
"testing"
)
func TestVerifyEC2(t *testing.T) {
fixture := UnmarshalDSATestFixture(EC2IdentityDocumentFixture)
p7, err := Parse(fixture.Input)
if err != nil {
t.Errorf("Parse encountered unexpected error: %v", err)
}
p7.Certificates = []*x509.Certificate{fixture.Certificate}
if err := p7.Verify(); err != nil {
t.Errorf("Verify failed with error: %v", err)
}
}
var EC2IdentityDocumentFixture = `
-----BEGIN PKCS7-----
MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAaCA
JIAEggGmewogICJwcml2YXRlSXAiIDogIjE3Mi4zMC4wLjI1MiIsCiAgImRldnBh
eVByb2R1Y3RDb2RlcyIgOiBudWxsLAogICJhdmFpbGFiaWxpdHlab25lIiA6ICJ1
cy1lYXN0LTFhIiwKICAidmVyc2lvbiIgOiAiMjAxMC0wOC0zMSIsCiAgImluc3Rh
bmNlSWQiIDogImktZjc5ZmU1NmMiLAogICJiaWxsaW5nUHJvZHVjdHMiIDogbnVs
bCwKICAiaW5zdGFuY2VUeXBlIiA6ICJ0Mi5taWNybyIsCiAgImFjY291bnRJZCIg
OiAiMTIxNjU5MDE0MzM0IiwKICAiaW1hZ2VJZCIgOiAiYW1pLWZjZTNjNjk2IiwK
ICAicGVuZGluZ1RpbWUiIDogIjIwMTYtMDQtMDhUMDM6MDE6MzhaIiwKICAiYXJj
aGl0ZWN0dXJlIiA6ICJ4ODZfNjQiLAogICJrZXJuZWxJZCIgOiBudWxsLAogICJy
YW1kaXNrSWQiIDogbnVsbCwKICAicmVnaW9uIiA6ICJ1cy1lYXN0LTEiCn0AAAAA
AAAxggEYMIIBFAIBATBpMFwxCzAJBgNVBAYTAlVTMRkwFwYDVQQIExBXYXNoaW5n
dG9uIFN0YXRlMRAwDgYDVQQHEwdTZWF0dGxlMSAwHgYDVQQKExdBbWF6b24gV2Vi
IFNlcnZpY2VzIExMQwIJAJa6SNnlXhpnMAkGBSsOAwIaBQCgXTAYBgkqhkiG9w0B
CQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0xNjA0MDgwMzAxNDRaMCMG
CSqGSIb3DQEJBDEWBBTuUc28eBXmImAautC+wOjqcFCBVjAJBgcqhkjOOAQDBC8w
LQIVAKA54NxGHWWCz5InboDmY/GHs33nAhQ6O/ZI86NwjA9Vz3RNMUJrUPU5tAAA
AAAAAA==
-----END PKCS7-----
-----BEGIN CERTIFICATE-----
MIIC7TCCAq0CCQCWukjZ5V4aZzAJBgcqhkjOOAQDMFwxCzAJBgNVBAYTAlVTMRkw
FwYDVQQIExBXYXNoaW5ndG9uIFN0YXRlMRAwDgYDVQQHEwdTZWF0dGxlMSAwHgYD
VQQKExdBbWF6b24gV2ViIFNlcnZpY2VzIExMQzAeFw0xMjAxMDUxMjU2MTJaFw0z
ODAxMDUxMjU2MTJaMFwxCzAJBgNVBAYTAlVTMRkwFwYDVQQIExBXYXNoaW5ndG9u
IFN0YXRlMRAwDgYDVQQHEwdTZWF0dGxlMSAwHgYDVQQKExdBbWF6b24gV2ViIFNl
cnZpY2VzIExMQzCCAbcwggEsBgcqhkjOOAQBMIIBHwKBgQCjkvcS2bb1VQ4yt/5e
ih5OO6kK/n1Lzllr7D8ZwtQP8fOEpp5E2ng+D6Ud1Z1gYipr58Kj3nssSNpI6bX3
VyIQzK7wLclnd/YozqNNmgIyZecN7EglK9ITHJLP+x8FtUpt3QbyYXJdmVMegN6P
hviYt5JH/nYl4hh3Pa1HJdskgQIVALVJ3ER11+Ko4tP6nwvHwh6+ERYRAoGBAI1j
k+tkqMVHuAFcvAGKocTgsjJem6/5qomzJuKDmbJNu9Qxw3rAotXau8Qe+MBcJl/U
hhy1KHVpCGl9fueQ2s6IL0CaO/buycU1CiYQk40KNHCcHfNiZbdlx1E9rpUp7bnF
lRa2v1ntMX3caRVDdbtPEWmdxSCYsYFDk4mZrOLBA4GEAAKBgEbmeve5f8LIE/Gf
MNmP9CM5eovQOGx5ho8WqD+aTebs+k2tn92BBPqeZqpWRa5P/+jrdKml1qx4llHW
MXrs3IgIb6+hUIB+S8dz8/mmO0bpr76RoZVCXYab2CZedFut7qc3WUH9+EUAH5mw
vSeDCOUMYQR7R9LINYwouHIziqQYMAkGByqGSM44BAMDLwAwLAIUWXBlk40xTwSw
7HX32MxXYruse9ACFBNGmdX2ZBrVNGrN9N2f6ROk0k9K
-----END CERTIFICATE-----`
func TestDSASignWithOpenSSLAndVerify(t *testing.T) {
content := []byte(`
A ship in port is safe,
but that's not what ships are built for.
-- Grace Hopper`)
// write the content to a temp file
tmpContentFile, err := ioutil.TempFile("", "TestDSASignWithOpenSSLAndVerify_content")
if err != nil {
t.Fatal(err)
}
ioutil.WriteFile(tmpContentFile.Name(), content, 0755)
// write the signer cert to a temp file
tmpSignerCertFile, err := ioutil.TempFile("", "TestDSASignWithOpenSSLAndVerify_signer")
if err != nil {
t.Fatal(err)
}
ioutil.WriteFile(tmpSignerCertFile.Name(), dsaPublicCert, 0755)
// write the signer key to a temp file
tmpSignerKeyFile, err := ioutil.TempFile("", "TestDSASignWithOpenSSLAndVerify_key")
if err != nil {
t.Fatal(err)
}
ioutil.WriteFile(tmpSignerKeyFile.Name(), dsaPrivateKey, 0755)
tmpSignedFile, err := ioutil.TempFile("", "TestDSASignWithOpenSSLAndVerify_signature")
if err != nil {
t.Fatal(err)
}
// call openssl to sign the content
opensslCMD := exec.Command("openssl", "smime", "-sign", "-nodetach", "-md", "sha1",
"-in", tmpContentFile.Name(), "-out", tmpSignedFile.Name(),
"-signer", tmpSignerCertFile.Name(), "-inkey", tmpSignerKeyFile.Name(),
"-certfile", tmpSignerCertFile.Name(), "-outform", "PEM")
out, err := opensslCMD.CombinedOutput()
if err != nil {
t.Fatalf("openssl command failed with %s: %s", err, out)
}
// verify the signed content
pemSignature, err := ioutil.ReadFile(tmpSignedFile.Name())
if err != nil {
t.Fatal(err)
}
fmt.Printf("%s\n", pemSignature)
derBlock, _ := pem.Decode(pemSignature)
if derBlock == nil {
t.Fatalf("failed to read DER block from signature PEM %s", tmpSignedFile.Name())
}
p7, err := Parse(derBlock.Bytes)
if err != nil {
t.Fatalf("Parse encountered unexpected error: %v", err)
}
if err := p7.Verify(); err != nil {
t.Fatalf("Verify failed with error: %v", err)
}
os.Remove(tmpSignerCertFile.Name()) // clean up
os.Remove(tmpSignerKeyFile.Name()) // clean up
os.Remove(tmpContentFile.Name()) // clean up
}
var dsaPrivateKey = []byte(`-----BEGIN PRIVATE KEY-----
MIIBSwIBADCCASwGByqGSM44BAEwggEfAoGBAP1/U4EddRIpUt9KnC7s5Of2EbdS
PO9EAMMeP4C2USZpRV1AIlH7WT2NWPq/xfW6MPbLm1Vs14E7gB00b/JmYLdrmVCl
pJ+f6AR7ECLCT7up1/63xhv4O1fnxqimFQ8E+4P208UewwI1VBNaFpEy9nXzrith
1yrv8iIDGZ3RSAHHAhUAl2BQjxUjC8yykrmCouuEC/BYHPUCgYEA9+GghdabPd7L
vKtcNrhXuXmUr7v6OuqC+VdMCz0HgmdRWVeOutRZT+ZxBxCBgLRJFnEj6EwoFhO3
zwkyjMim4TwWeotUfI0o4KOuHiuzpnWRbqN/C/ohNWLx+2J6ASQ7zKTxvqhRkImo
g9/hWuWfBpKLZl6Ae1UlZAFMO/7PSSoEFgIUfW4aPdQBn9gJZp2KuNpzgHzvfsE=
-----END PRIVATE KEY-----`)
var dsaPublicCert = []byte(`-----BEGIN CERTIFICATE-----
MIIDOjCCAvWgAwIBAgIEPCY/UDANBglghkgBZQMEAwIFADBsMRAwDgYDVQQGEwdV
bmtub3duMRAwDgYDVQQIEwdVbmtub3duMRAwDgYDVQQHEwdVbmtub3duMRAwDgYD
VQQKEwdVbmtub3duMRAwDgYDVQQLEwdVbmtub3duMRAwDgYDVQQDEwdVbmtub3du
MB4XDTE4MTAyMjEzNDMwN1oXDTQ2MDMwOTEzNDMwN1owbDEQMA4GA1UEBhMHVW5r
bm93bjEQMA4GA1UECBMHVW5rbm93bjEQMA4GA1UEBxMHVW5rbm93bjEQMA4GA1UE
ChMHVW5rbm93bjEQMA4GA1UECxMHVW5rbm93bjEQMA4GA1UEAxMHVW5rbm93bjCC
AbgwggEsBgcqhkjOOAQBMIIBHwKBgQD9f1OBHXUSKVLfSpwu7OTn9hG3UjzvRADD
Hj+AtlEmaUVdQCJR+1k9jVj6v8X1ujD2y5tVbNeBO4AdNG/yZmC3a5lQpaSfn+gE
exAiwk+7qdf+t8Yb+DtX58aophUPBPuD9tPFHsMCNVQTWhaRMvZ1864rYdcq7/Ii
Axmd0UgBxwIVAJdgUI8VIwvMspK5gqLrhAvwWBz1AoGBAPfhoIXWmz3ey7yrXDa4
V7l5lK+7+jrqgvlXTAs9B4JnUVlXjrrUWU/mcQcQgYC0SRZxI+hMKBYTt88JMozI
puE8FnqLVHyNKOCjrh4rs6Z1kW6jfwv6ITVi8ftiegEkO8yk8b6oUZCJqIPf4Vrl
nwaSi2ZegHtVJWQBTDv+z0kqA4GFAAKBgQDCriMPbEVBoRK4SOUeFwg7+VRf4TTp
rcOQC9IVVoCjXzuWEGrp3ZI7YWJSpFnSch4lk29RH8O0HpI/NOzKnOBtnKr782pt
1k/bJVMH9EaLd6MKnAVjrCDMYBB0MhebZ8QHY2elZZCWoqDYAcIDOsEx+m4NLErT
ypPnjS5M0jm1PKMhMB8wHQYDVR0OBBYEFC0Yt5XdM0Kc95IX8NQ8XRssGPx7MA0G
CWCGSAFlAwQDAgUAAzAAMC0CFQCIgQtrZZ9hdZG1ROhR5hc8nYEmbgIUAIlgC688
qzy/7yePTlhlpj+ahMM=
-----END CERTIFICATE-----`)
type DSATestFixture struct {
Input []byte
Certificate *x509.Certificate
}
func UnmarshalDSATestFixture(testPEMBlock string) DSATestFixture {
var result DSATestFixture
var derBlock *pem.Block
var pemBlock = []byte(testPEMBlock)
for {
derBlock, pemBlock = pem.Decode(pemBlock)
if derBlock == nil {
break
}
switch derBlock.Type {
case "PKCS7":
result.Input = derBlock.Bytes
case "CERTIFICATE":
result.Certificate, _ = x509.ParseCertificate(derBlock.Bytes)
}
}
return result
}

16
vendor/modules.txt vendored
View File

@ -1,10 +1,10 @@
# dario.cat/mergo v1.0.1 # dario.cat/mergo v1.0.1
## explicit; go 1.13 ## explicit; go 1.13
dario.cat/mergo dario.cat/mergo
# github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 # github.com/AdaLogics/go-fuzz-headers v0.0.0-20240806141605-e8a1dd7889d6
## explicit; go 1.20 ## explicit; go 1.20
github.com/AdaLogics/go-fuzz-headers github.com/AdaLogics/go-fuzz-headers
# github.com/AdamKorcz/go-118-fuzz-build v0.0.0-20230306123547-8075edf89bb0 # github.com/AdamKorcz/go-118-fuzz-build v0.0.0-20231105174938-2b5cbb29f3e2
## explicit; go 1.18 ## explicit; go 1.18
github.com/AdamKorcz/go-118-fuzz-build/testing github.com/AdamKorcz/go-118-fuzz-build/testing
# github.com/Microsoft/go-winio v0.6.2 # github.com/Microsoft/go-winio v0.6.2
@ -163,10 +163,10 @@ github.com/containerd/go-cni
# github.com/containerd/go-runc v1.1.0 # github.com/containerd/go-runc v1.1.0
## explicit; go 1.18 ## explicit; go 1.18
github.com/containerd/go-runc github.com/containerd/go-runc
# github.com/containerd/imgcrypt v1.2.0-rc1 # github.com/containerd/imgcrypt/v2 v2.0.0-rc.1
## explicit; go 1.22.0 ## explicit; go 1.22.0
github.com/containerd/imgcrypt github.com/containerd/imgcrypt/v2
github.com/containerd/imgcrypt/images/encryption github.com/containerd/imgcrypt/v2/images/encryption
# github.com/containerd/log v0.1.0 # github.com/containerd/log v0.1.0
## explicit; go 1.20 ## explicit; go 1.20
github.com/containerd/log github.com/containerd/log
@ -272,7 +272,7 @@ github.com/fsnotify/fsnotify
# github.com/fxamacker/cbor/v2 v2.7.0 # github.com/fxamacker/cbor/v2 v2.7.0
## explicit; go 1.17 ## explicit; go 1.17
github.com/fxamacker/cbor/v2 github.com/fxamacker/cbor/v2
# github.com/go-jose/go-jose/v4 v4.0.2 # github.com/go-jose/go-jose/v4 v4.0.4
## explicit; go 1.21 ## explicit; go 1.21
github.com/go-jose/go-jose/v4 github.com/go-jose/go-jose/v4
github.com/go-jose/go-jose/v4/cipher github.com/go-jose/go-jose/v4/cipher
@ -489,7 +489,7 @@ github.com/xrash/smetrics
# go.etcd.io/bbolt v1.3.11 # go.etcd.io/bbolt v1.3.11
## explicit; go 1.22 ## explicit; go 1.22
go.etcd.io/bbolt go.etcd.io/bbolt
# go.mozilla.org/pkcs7 v0.0.0-20200128120323-432b2356ecb1 # go.mozilla.org/pkcs7 v0.9.0
## explicit; go 1.11 ## explicit; go 1.11
go.mozilla.org/pkcs7 go.mozilla.org/pkcs7
# go.opencensus.io v0.24.0 # go.opencensus.io v0.24.0
@ -632,7 +632,7 @@ golang.org/x/time/rate
# google.golang.org/genproto/googleapis/api v0.0.0-20241007155032-5fefd90f89a9 # google.golang.org/genproto/googleapis/api v0.0.0-20241007155032-5fefd90f89a9
## explicit; go 1.21 ## explicit; go 1.21
google.golang.org/genproto/googleapis/api/httpbody google.golang.org/genproto/googleapis/api/httpbody
# google.golang.org/genproto/googleapis/rpc v0.0.0-20241007155032-5fefd90f89a9 # google.golang.org/genproto/googleapis/rpc v0.0.0-20241021214115-324edc3d5d38
## explicit; go 1.21 ## explicit; go 1.21
google.golang.org/genproto/googleapis/rpc/code google.golang.org/genproto/googleapis/rpc/code
google.golang.org/genproto/googleapis/rpc/errdetails google.golang.org/genproto/googleapis/rpc/errdetails