github/containerd
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 2 Wiki Activity

Implemented constructors for both encryption and decryption

Browse Source 
Signed-off-by: Brandon Lum <lumjjb@gmail.com>
This commit is contained in:
Brandon Lum
2019-07-24 16:13:26 -04:00
parent 05a2b63e84
commit 3d1fa69694
8 changed files with 194 additions and 175 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
pkg/encryption/config/config.go
View File

@@ -40,8 +40,8 @@ type CryptoConfig struct {
}
// InitDecryption initialized a CryptoConfig object with parameters used for decryption
func InitDecryption(dcparameters map[string][][]byte) *CryptoConfig {
return &CryptoConfig{
func InitDecryption(dcparameters map[string][][]byte) CryptoConfig {
return CryptoConfig{
DecryptConfig: &DecryptConfig{
Parameters: dcparameters,
},
@@ -51,8 +51,8 @@ func InitDecryption(dcparameters map[string][][]byte) *CryptoConfig {
// InitEncryption initializes a CryptoConfig object with parameters used for encryption
// It also takes dcparameters that may be needed for decryption when adding a recipient
// to an already encrypted image
func InitEncryption(parameters, dcparameters map[string][][]byte) *CryptoConfig {
return &CryptoConfig{
func InitEncryption(parameters, dcparameters map[string][][]byte) CryptoConfig {
return CryptoConfig{
EncryptConfig: &EncryptConfig{
Parameters: parameters,
DecryptConfig: DecryptConfig{
@@ -94,6 +94,15 @@ func CombineCryptoConfigs(ccs []CryptoConfig) CryptoConfig {
}
// AttachDecryptConfig adds DecryptConfig to the field of EncryptConfig so that
// the decryption parameters can be used to add recipients to an existing image
// if the user is able to decrypt it.
func (ec *EncryptConfig) AttachDecryptConfig(dc *DecryptConfig) {
if dc != nil {
addToMap(ec.DecryptConfig.Parameters, dc.Parameters)
}
}
func addToMap(orig map[string][][]byte, add map[string][][]byte) {
for k, v := range add {
if ov, ok := orig[k]; ok {

139
pkg/encryption/config/constructors.go
View File

@@ -16,30 +16,13 @@
package config
// NewJweCryptoConfig returns a CryptoConfig that contains the required configuration for using
// the jwe keyunwrap interface
func NewJweCryptoConfig(pubKey *[]byte, privKey *[]byte, privKeyPassword *string) CryptoConfig {
pubKeys := [][]byte{}
privKeys := [][]byte{}
privKeysPasswords := [][]byte{}
if pubKey != nil {
pubKeys = append(pubKeys, *pubKey)
}
if privKey != nil {
privKeys = append(privKeys, *privKey)
}
if privKeyPassword != nil {
privKeysPasswords = append(privKeysPasswords, []byte(*privKeyPassword))
}
dc := DecryptConfig{
Parameters: map[string][][]byte{
"privkeys": privKeys,
"privkeys-passwords": privKeysPasswords,
},
}
import (
"github.com/pkg/errors"
)
// EncryptWithJwe returns a CryptoConfig to encrypt with jwe public keys
func EncryptWithJwe(pubKeys [][]byte) (CryptoConfig, error) {
dc := DecryptConfig{}
ep := map[string][][]byte{
"pubkeys": pubKeys,
}
@@ -50,32 +33,12 @@ func NewJweCryptoConfig(pubKey *[]byte, privKey *[]byte, privKeyPassword *string
DecryptConfig: dc,
},
DecryptConfig: &dc,
}
}, nil
}
// NewPkcs7CryptoConfig returns a CryptoConfig that contains the required configuration for using
// the pkcs7 keyunwrap interface
func NewPkcs7CryptoConfig(x509 *[]byte, privKey *[]byte, privKeyPassword *string) CryptoConfig {
x509s := [][]byte{}
privKeys := [][]byte{}
privKeysPasswords := [][]byte{}
if x509 != nil {
x509s = append(x509s, *x509)
}
if privKey != nil {
privKeys = append(privKeys, *privKey)
}
if privKeyPassword != nil {
privKeysPasswords = append(privKeysPasswords, []byte(*privKeyPassword))
}
dc := DecryptConfig{
Parameters: map[string][][]byte{
"privkeys": privKeys,
"privkeys-passwords": privKeysPasswords,
},
}
// EncryptWithPkcs7 returns a CryptoConfig to encrypt with pkcs7 x509 certs
func EncryptWithPkcs7(x509s [][]byte) (CryptoConfig, error) {
dc := DecryptConfig{}
ep := map[string][][]byte{
"x509s": x509s,
@@ -87,5 +50,85 @@ func NewPkcs7CryptoConfig(x509 *[]byte, privKey *[]byte, privKeyPassword *string
DecryptConfig: dc,
},
DecryptConfig: &dc,
}
}, nil
}
// EncryptWithGpg returns a CryptoConfig to encrypt with configured gpg parameters
func EncryptWithGpg(gpgRecipients [][]byte, gpgPubRingFile []byte) (CryptoConfig, error) {
dc := DecryptConfig{}
ep := map[string][][]byte{
"gpg-recipients": gpgRecipients,
"gpg-pubkeyringfile": {gpgPubRingFile},
}
return CryptoConfig{
EncryptConfig: &EncryptConfig{
Parameters: ep,
DecryptConfig: dc,
},
DecryptConfig: &dc,
}, nil
}
// DecryptWithPrivKeys returns a CryptoConfig to decrypt with configured private keys
func DecryptWithPrivKeys(privKeys [][]byte, privKeysPasswords [][]byte) (CryptoConfig, error) {
if len(privKeys) != len(privKeysPasswords) {
return CryptoConfig{}, errors.New("Length of privKeys should match length of privKeysPasswords")
}
dc := DecryptConfig{
Parameters: map[string][][]byte{
"privkeys": privKeys,
"privkeys-passwords": privKeysPasswords,
},
}
ep := map[string][][]byte{}
return CryptoConfig{
EncryptConfig: &EncryptConfig{
Parameters: ep,
DecryptConfig: dc,
},
DecryptConfig: &dc,
}, nil
}
// DecryptWithX509s returns a CryptoConfig to decrypt with configured x509 certs
func DecryptWithX509s(x509s [][]byte) (CryptoConfig, error) {
dc := DecryptConfig{
Parameters: map[string][][]byte{
"x509s": x509s,
},
}
ep := map[string][][]byte{}
return CryptoConfig{
EncryptConfig: &EncryptConfig{
Parameters: ep,
DecryptConfig: dc,
},
DecryptConfig: &dc,
}, nil
}
// DecryptWithGpgPrivKeys returns a CryptoConfig to decrypt with configured gpg private keys
func DecryptWithGpgPrivKeys(gpgPrivKeys, gpgPrivKeysPwds [][]byte) (CryptoConfig, error) {
dc := DecryptConfig{
Parameters: map[string][][]byte{
"gpg-privatekeys": gpgPrivKeys,
"gpg-privatekeys-passwords": gpgPrivKeysPwds,
},
}
ep := map[string][][]byte{}
return CryptoConfig{
EncryptConfig: &EncryptConfig{
Parameters: ep,
DecryptConfig: dc,
},
DecryptConfig: &dc,
}, nil
}

62
pkg/encryption/gpg.go
View File

@@ -322,7 +322,7 @@ func uint64ToStringArray(format string, in []uint64) []string {
// in the GPGVault or on this system and prompts for the passwords for those
// that are available. If we do not find a private key on the system for
// getting to the symmetric key of a layer then an error is generated.
func GPGGetPrivateKey(descs []ocispec.Descriptor, gpgClient GPGClient, gpgVault GPGVault, mustFindKey bool, dcparameters map[string][][]byte) error {
func GPGGetPrivateKey(descs []ocispec.Descriptor, gpgClient GPGClient, gpgVault GPGVault, mustFindKey bool) (gpgPrivKeys [][]byte, gpgPrivKeysPwds [][]byte, err error) {
// PrivateKeyData describes a private key
type PrivateKeyData struct {
KeyData []byte
@@ -338,11 +338,11 @@ func GPGGetPrivateKey(descs []ocispec.Descriptor, gpgClient GPGClient, gpgVault
}
keywrapper := GetKeyWrapper(scheme)
if keywrapper == nil {
return errors.Errorf("could not get KeyWrapper for %s\n", scheme)
return nil, nil, errors.Errorf("could not get KeyWrapper for %s\n", scheme)
}
keyIds, err := keywrapper.GetKeyIdsFromPacket(b64pgpPackets)
if err != nil {
return err
return nil, nil, err
}
found := false
@@ -376,11 +376,11 @@ func GPGGetPrivateKey(descs []ocispec.Descriptor, gpgClient GPGClient, gpgVault
password, err := terminal.ReadPassword(int(os.Stdin.Fd()))
fmt.Printf("\n")
if err != nil {
return err
return nil, nil, err
}
keydata, err := gpgClient.GetGPGPrivateKey(keyid, string(password))
if err != nil {
return err
return nil, nil, err
}
pkd = PrivateKeyData{
KeyData: keydata,
@@ -391,63 +391,21 @@ func GPGGetPrivateKey(descs []ocispec.Descriptor, gpgClient GPGClient, gpgVault
}
break
} else {
return errors.Wrapf(errdefs.ErrInvalidArgument, "no GPGVault or GPGClient passed.")
return nil, nil, errors.Wrapf(errdefs.ErrInvalidArgument, "no GPGVault or GPGClient passed.")
}
}
if !found && len(b64pgpPackets) > 0 && mustFindKey {
ids := uint64ToStringArray("0x%x", keyIds)
return errors.Wrapf(errdefs.ErrNotFound, "missing key for decryption of layer %x of %s. Need one of the following keys: %s", desc.Digest, desc.Platform, strings.Join(ids, ", "))
return nil, nil, errors.Wrapf(errdefs.ErrNotFound, "missing key for decryption of layer %x of %s. Need one of the following keys: %s", desc.Digest, desc.Platform, strings.Join(ids, ", "))
}
}
}
var (
privKeys [][]byte
privKeysPwd [][]byte
)
for _, pkd := range keyIDPasswordMap {
privKeys = append(privKeys, pkd.KeyData)
privKeysPwd = append(privKeysPwd, pkd.KeyDataPassword)
gpgPrivKeys = append(gpgPrivKeys, pkd.KeyData)
gpgPrivKeysPwds = append(gpgPrivKeysPwds, pkd.KeyDataPassword)
}
dcparameters["gpg-privatekeys"] = privKeys
dcparameters["gpg-privatekeys-passwords"] = privKeysPwd
return nil
}
// GPGSetupPrivateKeys uses the gpg specific parameters in the dcparameters map
// to get the private keys needed for decryption the give layers
func GPGSetupPrivateKeys(dcparameters map[string][][]byte, descs []ocispec.Descriptor) error {
/* we have to find a GPG key until we also get other private keys passed */
var (
gpgVault GPGVault
gpgClient GPGClient
gpgVersion string
gpgHomeDir string
err error
)
gpgPrivateKeys := dcparameters["gpg-privatekeys"]
if len(gpgPrivateKeys) > 0 {
gpgVault = NewGPGVault()
gpgVault.AddSecretKeyRingDataArray(gpgPrivateKeys)
}
haveGPGClient := dcparameters["gpg-client"]
if len(haveGPGClient) > 0 {
item := dcparameters["gpg-client-version"]
if len(item) == 1 {
gpgVersion = string(item[0])
}
item = dcparameters["gpg-client-homedir"]
if len(item) == 1 {
gpgHomeDir = string(item[0])
}
gpgClient, err = NewGPGClient(gpgVersion, gpgHomeDir)
if err != nil {
return err
}
}
return GPGGetPrivateKey(descs, gpgClient, gpgVault, false, dcparameters)
return gpgPrivKeys, gpgPrivKeysPwds, nil
}