diff --git a/vendor.conf b/vendor.conf
index 4106a3352..c275aa62d 100644
--- a/vendor.conf
+++ b/vendor.conf
@@ -89,7 +89,7 @@ github.com/containernetworking/cni 4cfb7b568922a3c79a23e438dc52fe537fc9687e # v0
 github.com/containerd/go-cni 0d360c50b10b350b6bb23863fd4dfb1c232b01c9
 # image decrypt depedencies
-github.com/containerd/imgcrypt 99334633d4657af3f32670947eb1008250e564d9
-github.com/containers/ocicrypt 142388cb70de0fe8c7edd921df79e477ab8b3051
-gopkg.in/square/go-jose.v2 v2.3.1 https://github.com/square/go-jose.git
-github.com/fullsailor/pkcs7 8306686428a5fe132eac8cb7c4848af725098bd4
+github.com/containerd/imgcrypt v1.0.1
+github.com/containers/ocicrypt v1.0.1 # from containerd/imgcrypt
+gopkg.in/square/go-jose.v2 v2.3.1 https://github.com/square/go-jose.git # from containers/ocicrypt
+github.com/fullsailor/pkcs7 8306686428a5fe132eac8cb7c4848af725098bd4 # from containers/ocicrypt
diff --git a/vendor/github.com/containerd/imgcrypt/go.mod b/vendor/github.com/containerd/imgcrypt/go.mod
index 41ac17ad9..b1df8ee4c 100644
--- a/vendor/github.com/containerd/imgcrypt/go.mod
+++ b/vendor/github.com/containerd/imgcrypt/go.mod
@@ -13,7 +13,7 @@ require (
 github.com/containerd/go-runc v0.0.0-20190911050354-e029b79d8cda // indirect
 github.com/containerd/ttrpc v0.0.0-20190828172938-92c8520ef9f8 // indirect
 github.com/containerd/typeurl v0.0.0-20180627222232-a93fcdb778cd
- github.com/containers/ocicrypt v0.0.0-20190930154801-b87a4a69c741
+ github.com/containers/ocicrypt v1.0.1
 github.com/coreos/go-systemd v0.0.0-20161114122254-48702e0da86b // indirect
 github.com/docker/distribution v2.7.1-0.20190205005809-0d3efadf0154+incompatible // indirect
 github.com/docker/go-events v0.0.0-20170721190031-9461782956ad // indirect
diff --git a/vendor/github.com/containers/ocicrypt/encryption.go b/vendor/github.com/containers/ocicrypt/encryption.go
index 139ff5f93..3153b63d7 100644
--- a/vendor/github.com/containers/ocicrypt/encryption.go
+++ b/vendor/github.com/containers/ocicrypt/encryption.go
@@ -196,10 +196,13 @@ func decryptLayerKeyOptsData(dc *config.DecryptConfig, desc ocispec.Descriptor)
 if b64Annotation != "" {
 keywrapper := GetKeyWrapper(scheme)
- if len(keywrapper.GetPrivateKeys(dc.Parameters)) == 0 {
+ if keywrapper.NoPossibleKeys(dc.Parameters) {
 continue
 }
- privKeyGiven = true
+
+ if len(keywrapper.GetPrivateKeys(dc.Parameters)) > 0 {
+ privKeyGiven = true
+ }
 optsData, err := preUnwrapKey(keywrapper, dc, b64Annotation)
 if err != nil {
diff --git a/vendor/github.com/containers/ocicrypt/keywrap/jwe/keywrapper_jwe.go b/vendor/github.com/containers/ocicrypt/keywrap/jwe/keywrapper_jwe.go
index 5d1dde241..41d0f1b3a 100644
--- a/vendor/github.com/containers/ocicrypt/keywrap/jwe/keywrapper_jwe.go
+++ b/vendor/github.com/containers/ocicrypt/keywrap/jwe/keywrapper_jwe.go
@@ -91,6 +91,10 @@ func (kw *jweKeyWrapper) UnwrapKey(dc *config.DecryptConfig, jweString []byte) (
 return nil, errors.New("JWE: No suitable private key found for decryption")
 }
+func (kw *jweKeyWrapper) NoPossibleKeys(dcparameters map[string][][]byte) bool {
+ return len(kw.GetPrivateKeys(dcparameters)) == 0
+}
+
 func (kw *jweKeyWrapper) GetPrivateKeys(dcparameters map[string][][]byte) [][]byte {
 return dcparameters["privkeys"]
 }
diff --git a/vendor/github.com/containers/ocicrypt/keywrap/keywrap.go b/vendor/github.com/containers/ocicrypt/keywrap/keywrap.go
index 75fdf6886..ed25e7dac 100644
--- a/vendor/github.com/containers/ocicrypt/keywrap/keywrap.go
+++ b/vendor/github.com/containers/ocicrypt/keywrap/keywrap.go
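Review bot: `privKeyGiven` is now set only when `GetPrivateKeys` returns a non-empty slice, while the `continue` guard is decided by `NoPossibleKeys`; for a wrapper that can attempt decryption without exportable private keys (the keywrap.go hunk in this same commit documents `GetPrivateKeys` returning nil in that case) the flag stays false even though `preUnwrapKey` still runs. If the code after the loop, which lies outside this hunk, still uses `privKeyGiven` to select which error is returned when no wrapper succeeds, such a wrapper's failed unwrap would be reported as a missing key rather than a wrong one — worth confirming against the function tail before relying on that error text in cri. A comment on the new `if` would make the narrowed meaning explicit, e.g. `// privKeyGiven only records that an exportable private key was supplied; wrappers that decrypt without exporting keys leave it false`. The three wrappers vendored here all implement `NoPossibleKeys` as `len(GetPrivateKeys(...)) == 0`, so behaviour is unchanged for them today and the divergence only matters for future implementations. decryptLayerKeyOptsData begins and ends outside this hunk.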
@@ -26,15 +26,23 @@ type KeyWrapper interface {
 WrapKeys(ec *config.EncryptConfig, optsData []byte) ([]byte, error)
 UnwrapKey(dc *config.DecryptConfig, annotation []byte) ([]byte, error)
 GetAnnotationID() string
+
+ // NoPossibleKeys returns true if there is no possibility of performing
+ // decryption for parameters provided.
+ NoPossibleKeys(dcparameters map[string][][]byte) bool
+
+
 // GetPrivateKeys (optional) gets the array of private keys. It is an optional implementation
 // as in some key services, a private key may not be exportable (i.e. HSM)
+ // If not implemented, return nil
 GetPrivateKeys(dcparameters map[string][][]byte) [][]byte
 // GetKeyIdsFromPacket (optional) gets a list of key IDs. This is optional as some encryption
 // schemes may not have a notion of key IDs
+ // If not implemented, return the nil slice
 GetKeyIdsFromPacket(packet string) ([]uint64, error)
 // GetRecipients (optional) gets a list of recipients. It is optional due to the validity of
 // recipients in a particular encryptiong scheme
+ // If not implemented, return the nil slice
 GetRecipients(packet string) ([]string, error)
 }
diff --git a/vendor/github.com/containers/ocicrypt/keywrap/pgp/keywrapper_gpg.go b/vendor/github.com/containers/ocicrypt/keywrap/pgp/keywrapper_gpg.go
index ff70c2d65..275a3d8b9 100644
--- a/vendor/github.com/containers/ocicrypt/keywrap/pgp/keywrapper_gpg.go
+++ b/vendor/github.com/containers/ocicrypt/keywrap/pgp/keywrapper_gpg.go
@@ -191,6 +191,10 @@ func (kw *gpgKeyWrapper) GetRecipients(b64pgpPackets string) ([]string, error) {
 return array, nil
 }
+func (kw *gpgKeyWrapper) NoPossibleKeys(dcparameters map[string][][]byte) bool {
+ return len(kw.GetPrivateKeys(dcparameters)) == 0
+}
+
 func (kw *gpgKeyWrapper) GetPrivateKeys(dcparameters map[string][][]byte) [][]byte {
 return dcparameters["gpg-privatekeys"]
 }
diff --git a/vendor/github.com/containers/ocicrypt/keywrap/pkcs7/keywrapper_pkcs7.go b/vendor/github.com/containers/ocicrypt/keywrap/pkcs7/keywrapper_pkcs7.go
index 2762b9777..eeba64748 100644
--- a/vendor/github.com/containers/ocicrypt/keywrap/pkcs7/keywrapper_pkcs7.go
+++ b/vendor/github.com/containers/ocicrypt/keywrap/pkcs7/keywrapper_pkcs7.go
@@ -70,6 +70,10 @@ func collectX509s(x509s [][]byte) ([]*x509.Certificate, error) {
 return x509Certs, nil
 }
+func (kw *pkcs7KeyWrapper) NoPossibleKeys(dcparameters map[string][][]byte) bool {
+ return len(kw.GetPrivateKeys(dcparameters)) == 0
+}
+
 func (kw *pkcs7KeyWrapper) GetPrivateKeys(dcparameters map[string][][]byte) [][]byte {
 return dcparameters["privkeys"]
 }