github/containerd
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 2 Wiki Activity

Merge pull request #3460 from lumjjb/ctrrecipients

Browse Source 
Specify protocols in ctr encrypt recipients
This commit is contained in:
Derek McGowan 2019-08-01 15:37:40 -07:00 committed by GitHub
commit adad947b77
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 40 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

41
cmd/ctr/commands/images/crypt_utils.go
View File

@ -90,17 +90,40 @@ func processRecipientKeys(recipients []string) ([][]byte, [][]byte, [][]byte, er
x509s [][]byte x509s [][]byte
) )
for _, recipient := range recipients { for _, recipient := range recipients {
tmp, err := ioutil.ReadFile(recipient)
if err != nil { idx := strings.Index(recipient, ":")
gpgRecipients = append(gpgRecipients, []byte(recipient)) if idx < 0 {
continue return nil, nil, nil, errors.New("Invalid recipient format")
}
protocol := recipient[:idx]
value := recipient[idx+1:]
switch protocol {
case "pgp":
gpgRecipients = append(gpgRecipients, []byte(value))
case "jwe":
tmp, err := ioutil.ReadFile(value)
if err != nil {
return nil, nil, nil, errors.Wrap(err, "Unable to read file")
}
if !encutils.IsPublicKey(tmp) {
return nil, nil, nil, errors.New("File provided is not a public key")
} }
if encutils.IsCertificate(tmp) {
x509s = append(x509s, tmp)
} else if encutils.IsPublicKey(tmp) {
pubkeys = append(pubkeys, tmp) pubkeys = append(pubkeys, tmp)
} else {
gpgRecipients = append(gpgRecipients, []byte(recipient)) case "pkcs7":
tmp, err := ioutil.ReadFile(value)
if err != nil {
return nil, nil, nil, errors.Wrap(err, "Unable to read file")
}
if !encutils.IsCertificate(tmp) {
return nil, nil, nil, errors.New("File provided is not an x509 cert")
}
x509s = append(x509s, tmp)
default:
return nil, nil, nil, errors.New("Provided protocol not recognized")
} }
} }
return gpgRecipients, pubkeys, x509s, nil return gpgRecipients, pubkeys, x509s, nil

7
cmd/ctr/commands/images/encrypt.go
View File

@ -41,10 +41,15 @@ var encryptCommand = cli.Command{
This tool also allows management of the recipients of the image through changes This tool also allows management of the recipients of the image through changes
to the list of recipients. to the list of recipients.
Once the image has been encrypted it may be pushed to a registry. Once the image has been encrypted it may be pushed to a registry.
Recipients are declared with the protocol prefix as follows:
- pgp:<email-address>
- jwe:<public-key-file-path>
- pkcs7:<x509-file-path>
`, `,
Flags: append(append(commands.RegistryFlags, cli.StringSliceFlag{ Flags: append(append(commands.RegistryFlags, cli.StringSliceFlag{
Name: "recipient", Name: "recipient",
Usage: "Recipient of the image is the person who can decrypt it", Usage: "Recipient of the image is the person who can decrypt it in the form specified above (i.e. jwe:/path/to/key)",
}, cli.IntSliceFlag{ }, cli.IntSliceFlag{
Name: "layer", Name: "layer",
Usage: "The layer to encrypt; this must be either the layer number or a negative number starting with -1 for topmost layer", Usage: "The layer to encrypt; this must be either the layer number or a negative number starting with -1 for topmost layer",

4
docs/encryption.md
View File

@ -25,8 +25,8 @@ The option `--layer -1` specifies the layer filter for encryption, -1 indicating
``` ```
$ ctr images encrypt \ $ ctr images encrypt \
--recipient /tmp/tmp.AGrSDkaSad/mypubkey.pem \ --recipient jwe:/tmp/tmp.AGrSDkaSad/mypubkey.pem \
--recipient /tmp/tmp.AGrSDkaSad/clientcert.pem \ --recipient pkcs7:/tmp/tmp.AGrSDkaSad/clientcert.pem \
--layer -1 \ --layer -1 \
docker.io/library/alpine:latest docker.io/library/alpine:enc docker.io/library/alpine:latest docker.io/library/alpine:enc