Update imgcrypt to v1.1.7

Signed-off-by: Derek McGowan <derek@mcg.dev>

vendor/github.com/containerd/imgcrypt/CHANGES

@@ -1,5 +1,21 @@
 CHANGES
 
+v1.1.7:
+  - Added support for zstd-compressed layers
+  - Update to ocicrypt v1.1.6 for zstd-related dependencies
+  - Update to containerd v1.6.8
+  - Sync'ed ctr-enc with upstream ctr changes to import command
+  - Add support for --all-platforms to encrypt command of ctr-enc
+
+v1.1.6:
+  - Update to ocicrypt v1.1.5 for yaml v3.0 dependency
+  - Update to containerd v1.6.6 for runc v1.1.2 dependency
+
+v1.1.5:
+  - Update to ocicrypt v1.1.4; sha256 is the default now for padding in OAEP
+    for pkcs11; Set OCICRYPT_OAEP_HASHALG=sha1 environment variable to force
+    sha1 usage, which is required for example for SoftHSM 2.6.1.
+
 v1.1.4:
   - Fixed issue in CheckAuthorization() callpath for images with a ManifestList
     - CVE-2022-24778

vendor/github.com/containerd/imgcrypt/README.md

@@ -4,7 +4,7 @@ Project `imgcrypt` is a non-core subproject of containerd.
 
 The `imgcrypt` library provides API exensions for containerd to support encrypted container images and implements
 the `ctd-decoder` command line tool for use by containerd to decrypt encrypted container images. An extended version
-of containerd's `ctr` tool (`ctr-enc') with support for encrypting and decrypting container images is also provided.
+of containerd's `ctr` tool (`ctr-enc`) with support for encrypting and decrypting container images is also provided.
 
 `imgcrypt` relies on the [`ocicrypt`](https://github.com/containers/ocicrypt) library for crypto functions on image layers.
 
@@ -37,6 +37,10 @@ state = "/tmp/run/containerd"
         accepts = ["application/vnd.oci.image.layer.v1.tar+gzip+encrypted"]
         returns = "application/vnd.oci.image.layer.v1.tar+gzip"
         path = "/usr/local/bin/ctd-decoder"
+    [stream_processors."io.containerd.ocicrypt.decoder.v1.tar.zstd"]
+        accepts = ["application/vnd.oci.image.layer.v1.tar+zstd+encrypted"]
+        returns = "application/vnd.oci.image.layer.v1.tar+zstd"
+        path = "/usr/local/bin/ctd-decoder"
     [stream_processors."io.containerd.ocicrypt.decoder.v1.tar"]
         accepts = ["application/vnd.oci.image.layer.v1.tar+encrypted"]
         returns = "application/vnd.oci.image.layer.v1.tar"

vendor/github.com/containerd/imgcrypt/images/encryption/any.go

@@ -18,12 +18,14 @@ package encryption
 
 import "github.com/gogo/protobuf/types"
 
-type any interface {
+// pbAny takes proto-generated Any type.
+// https://developers.google.com/protocol-buffers/docs/proto3#any
+type pbAny interface {
 	GetTypeUrl() string
 	GetValue() []byte
 }
 
-func fromAny(from any) *types.Any {
+func fromAny(from pbAny) *types.Any {
 	if from == nil {
 		return nil
 	}

vendor/github.com/containerd/imgcrypt/images/encryption/encryption.go

@@ -60,7 +60,7 @@ func isLocalPlatform(platform *ocispec.Platform) bool {
 // IsEncryptedDiff returns true if mediaType is a known encrypted media type.
 func IsEncryptedDiff(ctx context.Context, mediaType string) bool {
 	switch mediaType {
-	case encocispec.MediaTypeLayerGzipEnc, encocispec.MediaTypeLayerEnc:
+	case encocispec.MediaTypeLayerZstdEnc, encocispec.MediaTypeLayerGzipEnc, encocispec.MediaTypeLayerEnc:
 		return true
 	}
 	return false
@@ -113,12 +113,16 @@ func encryptLayer(cc *encconfig.CryptoConfig, dataReader content.ReaderAt, desc
 		newDesc.MediaType = encocispec.MediaTypeLayerEnc
 	case encocispec.MediaTypeLayerGzipEnc:
 		newDesc.MediaType = encocispec.MediaTypeLayerGzipEnc
+	case encocispec.MediaTypeLayerZstdEnc:
+		newDesc.MediaType = encocispec.MediaTypeLayerZstdEnc
 	case encocispec.MediaTypeLayerEnc:
 		newDesc.MediaType = encocispec.MediaTypeLayerEnc
 
 	// TODO: Mediatypes to be added in ocispec
 	case ocispec.MediaTypeImageLayerGzip:
 		newDesc.MediaType = encocispec.MediaTypeLayerGzipEnc
+	case ocispec.MediaTypeImageLayerZstd:
+		newDesc.MediaType = encocispec.MediaTypeLayerZstdEnc
 	case ocispec.MediaTypeImageLayer:
 		newDesc.MediaType = encocispec.MediaTypeLayerEnc
 
@@ -145,6 +149,8 @@ func DecryptLayer(dc *encconfig.DecryptConfig, dataReader io.Reader, desc ocispe
 	switch desc.MediaType {
 	case encocispec.MediaTypeLayerGzipEnc:
 		newDesc.MediaType = images.MediaTypeDockerSchema2LayerGzip
+	case encocispec.MediaTypeLayerZstdEnc:
+		newDesc.MediaType = ocispec.MediaTypeImageLayerZstd
 	case encocispec.MediaTypeLayerEnc:
 		newDesc.MediaType = images.MediaTypeDockerSchema2Layer
 	default:
@@ -170,6 +176,8 @@ func decryptLayer(cc *encconfig.CryptoConfig, dataReader content.ReaderAt, desc
 	switch desc.MediaType {
 	case encocispec.MediaTypeLayerGzipEnc:
 		newDesc.MediaType = images.MediaTypeDockerSchema2LayerGzip
+	case encocispec.MediaTypeLayerZstdEnc:
+		newDesc.MediaType = ocispec.MediaTypeImageLayerZstd
 	case encocispec.MediaTypeLayerEnc:
 		newDesc.MediaType = images.MediaTypeDockerSchema2Layer
 	default:
@@ -284,7 +292,8 @@ func cryptChildren(ctx context.Context, cs content.Store, desc ocispec.Descripto
 		case images.MediaTypeDockerSchema2Config, ocispec.MediaTypeImageConfig:
 			config = child
 		case images.MediaTypeDockerSchema2LayerGzip, images.MediaTypeDockerSchema2Layer,
-			ocispec.MediaTypeImageLayerGzip, ocispec.MediaTypeImageLayer:
+			ocispec.MediaTypeImageLayerGzip, ocispec.MediaTypeImageLayer,
+			ocispec.MediaTypeImageLayerZstd:
 			if cryptoOp == cryptoOpEncrypt && lf(child) {
 				nl, err := cryptLayer(ctx, cs, child, cc, cryptoOp)
 				if err != nil {
@@ -295,7 +304,7 @@ func cryptChildren(ctx context.Context, cs content.Store, desc ocispec.Descripto
 			} else {
 				newLayers = append(newLayers, child)
 			}
-		case encocispec.MediaTypeLayerGzipEnc, encocispec.MediaTypeLayerEnc:
+		case encocispec.MediaTypeLayerGzipEnc, encocispec.MediaTypeLayerZstdEnc, encocispec.MediaTypeLayerEnc:
 			// this one can be decrypted but also its recipients list changed
 			if lf(child) {
 				nl, err := cryptLayer(ctx, cs, child, cc, cryptoOp)

vendor/github.com/containerd/imgcrypt/images/encryption/payload.go

@@ -38,7 +38,7 @@ func clearProcessorPayloads(c *diff.ApplyConfig) {
 	reflect.ValueOf(&c.ProcessorPayloads).Elem().Set(empty)
 }
 
-func setProcessorPayload(c *diff.ApplyConfig, id string, value any) {
+func setProcessorPayload(c *diff.ApplyConfig, id string, value pbAny) {
 	if c.ProcessorPayloads == nil {
 		clearProcessorPayloads(c)
 	}