Upgrade containerd/imgcrypt and opencontainers/image-spec

- Upgrade github.com/containerd/imgcrypt to prepare for typeurl upgrade
  (see https://github.com/containerd/imgcrypt/pull/72)
- Upgrade github.com/opencontainers/image-spec since imgcrypto needs at
  least 1.0.2.

Signed-off-by: Kazuyoshi Kato <katokazu@amazon.com>

vendor/github.com/containerd/imgcrypt/images/encryption/any.go

@@ -0,0 +1,42 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package encryption
+
+import "github.com/gogo/protobuf/types"
+
+type anyMap map[string]*types.Any
+
+type any interface {
+	GetTypeUrl() string
+	GetValue() []byte
+}
+
+func fromAny(from any) *types.Any {
+	if from == nil {
+		return nil
+	}
+
+	pbany, ok := from.(*types.Any)
+	if ok {
+		return pbany
+	}
+
+	return &types.Any{
+		TypeUrl: from.GetTypeUrl(),
+		Value:   from.GetValue(),
+	}
+}

vendor/github.com/containerd/imgcrypt/images/encryption/client.go

@@ -28,7 +28,6 @@ import (
 	"github.com/containerd/typeurl"
 
 	encconfig "github.com/containers/ocicrypt/config"
-	"github.com/gogo/protobuf/types"
 	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
 )
 
@@ -36,7 +35,7 @@ import (
 func WithDecryptedUnpack(data *imgcrypt.Payload) diff.ApplyOpt {
 	return func(_ context.Context, desc ocispec.Descriptor, c *diff.ApplyConfig) error {
 		if c.ProcessorPayloads == nil {
-			c.ProcessorPayloads = make(map[string]*types.Any)
+			c.ProcessorPayloads = make(anyMap)
 		}
 		data.Descriptor = desc
 		any, err := typeurl.MarshalAny(data)
@@ -44,8 +43,10 @@ func WithDecryptedUnpack(data *imgcrypt.Payload) diff.ApplyOpt {
 			return fmt.Errorf("failed to marshal payload: %w", err)
 		}
 
+		pbany := fromAny(any)
+
 		for _, id := range imgcrypt.PayloadToolIDs {
-			c.ProcessorPayloads[id] = any
+			c.ProcessorPayloads[id] = pbany
 		}
 		return nil
 	}

vendor/github.com/containerd/imgcrypt/images/encryption/encryption.go

@@ -50,6 +50,13 @@ const (
 // LayerFilter allows to select Layers by certain criteria
 type LayerFilter func(desc ocispec.Descriptor) bool
 
+// isLocalPlatform determines whether the given platform matches the local one
+func isLocalPlatform(platform *ocispec.Platform) bool {
+	matcher := platforms.NewMatcher(*platform)
+
+	return matcher.Match(platforms.DefaultSpec())
+}
+
 // IsEncryptedDiff returns true if mediaType is a known encrypted media type.
 func IsEncryptedDiff(ctx context.Context, mediaType string) bool {
 	switch mediaType {
@@ -380,6 +387,9 @@ func cryptManifestList(ctx context.Context, cs content.Store, desc ocispec.Descr
 	var newManifests []ocispec.Descriptor
 	modified := false
 	for _, manifest := range index.Manifests {
+		if cryptoOp == cryptoOpUnwrapOnly && !isLocalPlatform(manifest.Platform) {
+			continue
+		}
 		newManifest, m, err := cryptChildren(ctx, cs, manifest, cc, lf, cryptoOp, manifest.Platform)
 		if err != nil || cryptoOp == cryptoOpUnwrapOnly {
 			return ocispec.Descriptor{}, false, err
@@ -389,6 +399,9 @@ func cryptManifestList(ctx context.Context, cs content.Store, desc ocispec.Descr
 		}
 		newManifests = append(newManifests, newManifest)
 	}
+	if cryptoOp == cryptoOpUnwrapOnly {
+		return ocispec.Descriptor{}, false, fmt.Errorf("No manifest found for local platform")
+	}
 
 	if modified {
 		// we need to update the index