Merge pull request #3452 from lumjjb/keybundles

Create CryptoConfig constructors to replace dcparameters
2019-07-25 14:57:59 -04:00
parent 2190c0e5f7 3d1fa69694
commit 7ff23438f6
8 changed files with 279 additions and 127 deletions
--- a/cmd/ctr/commands/images/crypt_utils.go
+++ b/cmd/ctr/commands/images/crypt_utils.go
@@ -191,10 +191,10 @@ func createGPGClient(context *cli.Context) (encryption.GPGClient, error) {
 	return encryption.NewGPGClient(context.String("gpg-version"), context.String("gpg-homedir"))
 }

-func getGPGPrivateKeys(context *cli.Context, gpgSecretKeyRingFiles [][]byte, descs []ocispec.Descriptor, mustFindKey bool, dcparameters map[string][][]byte) error {
+func getGPGPrivateKeys(context *cli.Context, gpgSecretKeyRingFiles [][]byte, descs []ocispec.Descriptor, mustFindKey bool) (gpgPrivKeys [][]byte, gpgPrivKeysPwds [][]byte, err error) {
 	gpgClient, err := createGPGClient(context)
 	if err != nil {
-		return err
+		return nil, nil, err
 	}

 	var gpgVault encryption.GPGVault
@@ -202,10 +202,10 @@ func getGPGPrivateKeys(context *cli.Context, gpgSecretKeyRingFiles [][]byte, des
 		gpgVault = encryption.NewGPGVault()
 		err = gpgVault.AddSecretKeyRingDataArray(gpgSecretKeyRingFiles)
 		if err != nil {
-			return err
+			return nil, nil, err
 		}
 	}
-	return encryption.GPGGetPrivateKey(descs, gpgClient, gpgVault, mustFindKey, dcparameters)
+	return encryption.GPGGetPrivateKey(descs, gpgClient, gpgVault, mustFindKey)
 }

 func createLayerFilter(client *containerd.Client, ctx gocontext.Context, desc ocispec.Descriptor, layers []int32, platformList []ocispec.Platform) (imgenc.LayerFilter, error) {
@@ -359,20 +359,21 @@ func filterLayerDescriptors(alldescs []ocispec.Descriptor, layers []int32, pl []
 	return layerInfos, descs
 }

-// CreateDcParameters creates the decryption parameter map from command line options and possibly
+// CreateDecryptCryptoConfig creates the CryptoConfig object that contains the necessary
+// information to perform decryption from command line options and possibly
 // LayerInfos describing the image and helping us to query for the PGP decryption keys
-func CreateDcParameters(context *cli.Context, descs []ocispec.Descriptor) (map[string][][]byte, error) {
-	dcparameters := make(map[string][][]byte)
+func CreateDecryptCryptoConfig(context *cli.Context, descs []ocispec.Descriptor) (encconfig.CryptoConfig, error) {
+	ccs := []encconfig.CryptoConfig{}

 	// x509 cert is needed for PKCS7 decryption
 	_, _, x509s, err := processRecipientKeys(context.StringSlice("dec-recipient"))
 	if err != nil {
-		return nil, err
+		return encconfig.CryptoConfig{}, err
 	}

 	gpgSecretKeyRingFiles, gpgSecretKeyPasswords, privKeys, privKeysPasswords, err := processPrivateKeyFiles(context.StringSlice("key"))
 	if err != nil {
-		return nil, err
+		return encconfig.CryptoConfig{}, err
 	}

 	_, err = createGPGClient(context)
@@ -380,26 +381,40 @@ func CreateDcParameters(context *cli.Context, descs []ocispec.Descriptor) (map[s
 	if gpgInstalled {
 		if len(gpgSecretKeyRingFiles) == 0 && len(privKeys) == 0 && descs != nil {
 			// Get pgp private keys from keyring only if no private key was passed
-			err = getGPGPrivateKeys(context, gpgSecretKeyRingFiles, descs, true, dcparameters)
+			gpgPrivKeys, gpgPrivKeyPasswords, err := getGPGPrivateKeys(context, gpgSecretKeyRingFiles, descs, true)
 			if err != nil {
-				return nil, err
+				return encconfig.CryptoConfig{}, err
 			}
-		} else {
-			if len(gpgSecretKeyRingFiles) == 0 {
-				dcparameters["gpg-client"] = [][]byte{[]byte("1")}
-				dcparameters["gpg-client-version"] = [][]byte{[]byte(context.String("gpg-version"))}
-				dcparameters["gpg-client-homedir"] = [][]byte{[]byte(context.String("gpg-homedir"))}
-			} else {
-				dcparameters["gpg-privatekeys"] = gpgSecretKeyRingFiles
-				dcparameters["gpg-privatekeys-passwords"] = gpgSecretKeyPasswords
+
+			gpgCc, err := encconfig.DecryptWithGpgPrivKeys(gpgPrivKeys, gpgPrivKeyPasswords)
+			if err != nil {
+				return encconfig.CryptoConfig{}, err
 			}
+			ccs = append(ccs, gpgCc)
+
+		} else if len(gpgSecretKeyRingFiles) > 0 {
+			gpgCc, err := encconfig.DecryptWithGpgPrivKeys(gpgSecretKeyRingFiles, gpgSecretKeyPasswords)
+			if err != nil {
+				return encconfig.CryptoConfig{}, err
+			}
+			ccs = append(ccs, gpgCc)
+
 		}
 	}
-	dcparameters["privkeys"] = privKeys
-	dcparameters["privkeys-passwords"] = privKeysPasswords
-	dcparameters["x509s"] = x509s

-	return dcparameters, nil
+	x509sCc, err := encconfig.DecryptWithX509s(x509s)
+	if err != nil {
+		return encconfig.CryptoConfig{}, err
+	}
+	ccs = append(ccs, x509sCc)
+
+	privKeysCc, err := encconfig.DecryptWithPrivKeys(privKeys, privKeysPasswords)
+	if err != nil {
+		return encconfig.CryptoConfig{}, err
+	}
+	ccs = append(ccs, privKeysCc)
+
+	return encconfig.CombineCryptoConfigs(ccs), nil
 }

 // parsePlatformArray parses an array of specifiers and converts them into an array of specs.Platform
--- a/cmd/ctr/commands/images/decrypt.go
+++ b/cmd/ctr/commands/images/decrypt.go
@@ -21,7 +21,6 @@ import (

 	"github.com/containerd/containerd/cmd/ctr/commands"
 	imgenc "github.com/containerd/containerd/images/encryption"
-	encconfig "github.com/containerd/containerd/pkg/encryption/config"
 	"github.com/pkg/errors"
 	"github.com/urfave/cli"
 )
@@ -83,14 +82,12 @@ var decryptCommand = cli.Command{
 			return nil
 		}

-		dcparameters, err := CreateDcParameters(context, descs)
+		cc, err := CreateDecryptCryptoConfig(context, descs)
 		if err != nil {
 			return err
 		}

-		cc := encconfig.InitDecryption(dcparameters)
-
-		_, err = decryptImage(client, ctx, local, newName, cc, layers32, context.StringSlice("platform"))
+		_, err = decryptImage(client, ctx, local, newName, &cc, layers32, context.StringSlice("platform"))

 		return err
 	},
--- a/cmd/ctr/commands/images/encrypt.go
+++ b/cmd/ctr/commands/images/encrypt.go
@@ -77,45 +77,21 @@ var encryptCommand = cli.Command{

 		layers32 := commands.IntToInt32Array(context.IntSlice("layer"))

-		gpgSecretKeyRingFiles, _, privKeys, privKeysPasswords, err := processPrivateKeyFiles(context.StringSlice("key"))
-		if err != nil {
-			return err
-		}
-
 		gpgRecipients, pubKeys, x509s, err := processRecipientKeys(recipients)
 		if err != nil {
 			return err
 		}

-		_, _, decX509s, err := processRecipientKeys(context.StringSlice("dec-recipient"))
-		if err != nil {
-			return err
-		}
-
-		dcparameters := make(map[string][][]byte)
-		parameters := make(map[string][][]byte)
-
-		parameters["pubkeys"] = pubKeys
-		parameters["x509s"] = x509s
-
 		_, descs, err := getImageLayerInfos(client, ctx, local, layers32, context.StringSlice("platform"))
 		if err != nil {
 			return err
 		}

+		encryptCcs := []encconfig.CryptoConfig{}
 		_, err = createGPGClient(context)
 		gpgInstalled := err == nil
-		if len(privKeys) == 0 && gpgInstalled {
-			// Get pgp private keys from keyring only if no private key was passed
-			err = getGPGPrivateKeys(context, gpgSecretKeyRingFiles, descs, true, dcparameters)
-			if err != nil {
-				return err
-			}
-		}

 		if len(gpgRecipients) > 0 && gpgInstalled {
-			parameters["gpg-recipients"] = gpgRecipients
-
 			gpgClient, err := createGPGClient(context)
 			if err != nil {
 				return err
@@ -126,16 +102,38 @@ var encryptCommand = cli.Command{
 				return err
 			}

-			parameters["gpg-pubkeyringfile"] = [][]byte{gpgPubRingFile}
+			gpgCc, err := encconfig.EncryptWithGpg(gpgRecipients, gpgPubRingFile)
+			if err != nil {
+				return err
+			}
+			encryptCcs = append(encryptCcs, gpgCc)
+
 		}

-		dcparameters["privkeys"] = privKeys
-		dcparameters["privkeys-passwords"] = privKeysPasswords
-		dcparameters["x509s"] = decX509s
+		// Create Encryption Crypto Config
+		pkcs7Cc, err := encconfig.EncryptWithPkcs7(x509s)
+		if err != nil {
+			return err
+		}
+		encryptCcs = append(encryptCcs, pkcs7Cc)

-		cc := encconfig.InitEncryption(parameters, dcparameters)
+		jweCc, err := encconfig.EncryptWithJwe(pubKeys)
+		if err != nil {
+			return err
+		}
+		encryptCcs = append(encryptCcs, jweCc)

-		_, err = encryptImage(client, ctx, local, newName, cc, layers32, context.StringSlice("platform"))
+		cc := encconfig.CombineCryptoConfigs(encryptCcs)
+
+		// Create Decryption CryptoConfig for use in adding recipients to
+		// existing image if decryptable.
+		decryptCc, err := CreateDecryptCryptoConfig(context, descs)
+		if err != nil {
+			return err
+		}
+		cc.EncryptConfig.AttachDecryptConfig(decryptCc.DecryptConfig)
+
+		_, err = encryptImage(client, ctx, local, newName, &cc, layers32, context.StringSlice("platform"))

 		return err
 	},