Merge pull request #10904 from AkihiroSuda/imgcrypt-v2

go.mod: github.com/containerd/imgcrypt v2.0.0-rc-1

vendor/github.com/AdaLogics/go-fuzz-headers/consumer.go

@@ -48,6 +48,7 @@ type ConsumeFuzzer struct {
 	NumberOfCalls        int
 	position             uint32
 	fuzzUnexportedFields bool
+	forceUTF8Strings     bool
 	curDepth             int
 	Funcs                map[reflect.Type]reflect.Value
 }
@@ -104,6 +105,14 @@ func (f *ConsumeFuzzer) DisallowUnexportedFields() {
 	f.fuzzUnexportedFields = false
 }
 
+func (f *ConsumeFuzzer) AllowNonUTF8Strings() {
+	f.forceUTF8Strings = false
+}
+
+func (f *ConsumeFuzzer) DisallowNonUTF8Strings() {
+	f.forceUTF8Strings = true
+}
+
 func (f *ConsumeFuzzer) GenerateStruct(targetStruct interface{}) error {
 	e := reflect.ValueOf(targetStruct).Elem()
 	return f.fuzzStruct(e, false)
@@ -224,6 +233,14 @@ func (f *ConsumeFuzzer) fuzzStruct(e reflect.Value, customFunctions bool) error
 		if e.CanSet() {
 			e.Set(uu)
 		}
+	case reflect.Uint:
+		newInt, err := f.GetUint()
+		if err != nil {
+			return err
+		}
+		if e.CanSet() {
+			e.SetUint(uint64(newInt))
+		}
 	case reflect.Uint16:
 		newInt, err := f.GetUint16()
 		if err != nil {
@@ -309,6 +326,14 @@ func (f *ConsumeFuzzer) fuzzStruct(e reflect.Value, customFunctions bool) error
 		if e.CanSet() {
 			e.SetUint(uint64(b))
 		}
+	case reflect.Bool:
+		b, err := f.GetBool()
+		if err != nil {
+			return err
+		}
+		if e.CanSet() {
+			e.SetBool(b)
+		}
 	}
 	return nil
 }
@@ -410,6 +435,23 @@ func (f *ConsumeFuzzer) GetUint64() (uint64, error) {
 	return binary.BigEndian.Uint64(u64), nil
 }
 
+func (f *ConsumeFuzzer) GetUint() (uint, error) {
+	var zero uint
+	size := int(unsafe.Sizeof(zero))
+	if size == 8 {
+		u64, err := f.GetUint64()
+		if err != nil {
+			return 0, err
+		}
+		return uint(u64), nil
+	}
+	u32, err := f.GetUint32()
+	if err != nil {
+		return 0, err
+	}
+	return uint(u32), nil
+}
+
 func (f *ConsumeFuzzer) GetBytes() ([]byte, error) {
 	var length uint32
 	var err error
@@ -461,7 +503,11 @@ func (f *ConsumeFuzzer) GetString() (string, error) {
 		return "nil", errors.New("numbers overflow")
 	}
 	f.position = byteBegin + length
-	return string(f.data[byteBegin:f.position]), nil
+	s := string(f.data[byteBegin:f.position])
+	if f.forceUTF8Strings {
+		s = strings.ToValidUTF8(s, "")
+	}
+	return s, nil
 }
 
 func (f *ConsumeFuzzer) GetBool() (bool, error) {

vendor/github.com/AdamKorcz/go-118-fuzz-build/testing/f.go

@@ -41,147 +41,119 @@ func (f *F) Fuzz(ff any) {
 	args := []reflect.Value{reflect.ValueOf(f.T)}
 	fuzzConsumer := fuzz.NewConsumer(f.Data)
 	for _, v := range types {
+		//fmt.Printf("arg %v\n", v)
+		newElem := reflect.New(v).Elem()
 		switch v.String() {
 		case "[]uint8":
 			b, err := fuzzConsumer.GetBytes()
 			if err != nil {
 				return
 			}
-			newBytes := reflect.New(v)
-			newBytes.Elem().SetBytes(b)
-			args = append(args, newBytes.Elem())
+			newElem.SetBytes(b)
 		case "string":
 			s, err := fuzzConsumer.GetString()
 			if err != nil {
 				return
 			}
-			newString := reflect.New(v)
-			newString.Elem().SetString(s)
-			args = append(args, newString.Elem())
+			newElem.SetString(s)
 		case "int":
-			randInt, err := fuzzConsumer.GetInt()
+			randInt, err := fuzzConsumer.GetUint64()
 			if err != nil {
 				return
 			}
-			newInt := reflect.New(v)
-			newInt.Elem().SetInt(int64(randInt))
-			args = append(args, newInt.Elem())
+			newElem.SetInt(int64(int(randInt)))
 		case "int8":
-			randInt, err := fuzzConsumer.GetInt()
+			randInt, err := fuzzConsumer.GetByte()
 			if err != nil {
 				return
 			}
-			newInt := reflect.New(v)
-			newInt.Elem().SetInt(int64(randInt))
-			args = append(args, newInt.Elem())
+			newElem.SetInt(int64(randInt))
 		case "int16":
-			randInt, err := fuzzConsumer.GetInt()
+			randInt, err := fuzzConsumer.GetUint16()
 			if err != nil {
 				return
 			}
-			newInt := reflect.New(v)
-			newInt.Elem().SetInt(int64(randInt))
-			args = append(args, newInt.Elem())
+			newElem.SetInt(int64(randInt))
 		case "int32":
-			randInt, err := fuzzConsumer.GetInt()
+			randInt, err := fuzzConsumer.GetUint32()
 			if err != nil {
 				return
 			}
-			newInt := reflect.New(v)
-			newInt.Elem().SetInt(int64(randInt))
-			args = append(args, newInt.Elem())
+			newElem.SetInt(int64(int32(randInt)))
 		case "int64":
-			randInt, err := fuzzConsumer.GetInt()
+			randInt, err := fuzzConsumer.GetUint64()
 			if err != nil {
 				return
 			}
-			newInt := reflect.New(v)
-			newInt.Elem().SetInt(int64(randInt))
-			args = append(args, newInt.Elem())
+			newElem.SetInt(int64(randInt))
 		case "uint":
-			randInt, err := fuzzConsumer.GetInt()
+			randInt, err := fuzzConsumer.GetUint64()
 			if err != nil {
 				return
 			}
-			newUint := reflect.New(v)
-			newUint.Elem().SetUint(uint64(randInt))
-			args = append(args, newUint.Elem())
+			newElem.SetUint(uint64(uint(randInt)))
 		case "uint8":
-			randInt, err := fuzzConsumer.GetInt()
+			randInt, err := fuzzConsumer.GetByte()
 			if err != nil {
 				return
 			}
-			newUint := reflect.New(v)
-			newUint.Elem().SetUint(uint64(randInt))
-			args = append(args, newUint.Elem())
+			newElem.SetUint(uint64(randInt))
 		case "uint16":
 			randInt, err := fuzzConsumer.GetUint16()
 			if err != nil {
 				return
 			}
-			newUint16 := reflect.New(v)
-			newUint16.Elem().SetUint(uint64(randInt))
-			args = append(args, newUint16.Elem())
+			newElem.SetUint(uint64(randInt))
 		case "uint32":
 			randInt, err := fuzzConsumer.GetUint32()
 			if err != nil {
 				return
 			}
-			newUint32 := reflect.New(v)
-			newUint32.Elem().SetUint(uint64(randInt))
-			args = append(args, newUint32.Elem())
+			newElem.SetUint(uint64(randInt))
 		case "uint64":
 			randInt, err := fuzzConsumer.GetUint64()
 			if err != nil {
 				return
 			}
-			newUint64 := reflect.New(v)
-			newUint64.Elem().SetUint(uint64(randInt))
-			args = append(args, newUint64.Elem())
+			newElem.SetUint(uint64(randInt))
 		case "rune":
 			randRune, err := fuzzConsumer.GetRune()
 			if err != nil {
 				return
 			}
-			newRune := reflect.New(v)
-			newRune.Elem().Set(reflect.ValueOf(randRune))
-			args = append(args, newRune.Elem())
+			newElem.Set(reflect.ValueOf(randRune))
 		case "float32":
 			randFloat, err := fuzzConsumer.GetFloat32()
 			if err != nil {
 				return
 			}
-			newFloat := reflect.New(v)
-			newFloat.Elem().Set(reflect.ValueOf(randFloat))
-			args = append(args, newFloat.Elem())
+			newElem.Set(reflect.ValueOf(randFloat))
 		case "float64":
 			randFloat, err := fuzzConsumer.GetFloat64()
 			if err != nil {
 				return
 			}
-			newFloat := reflect.New(v)
-			newFloat.Elem().Set(reflect.ValueOf(randFloat))
-			args = append(args, newFloat.Elem())
+			newElem.Set(reflect.ValueOf(randFloat))
 		case "bool":
 			randBool, err := fuzzConsumer.GetBool()
 			if err != nil {
 				return
 			}
-			newBool := reflect.New(v)
-			newBool.Elem().Set(reflect.ValueOf(randBool))
-			args = append(args, newBool.Elem())
+			newElem.Set(reflect.ValueOf(randBool))
 		default:
-			fmt.Println(v.String())
+			panic(fmt.Sprintf("unsupported type: %s", v.String()))
 		}
+		args = append(args, newElem)
+
 	}
 	fn.Call(args)
 }
 func (f *F) Helper() {}
 func (c *F) Log(args ...any) {
-	fmt.Println(args...)
+	fmt.Print(args...)
 }
 func (c *F) Logf(format string, args ...any) {
-	fmt.Println(format, args)
+	fmt.Println(fmt.Sprintf(format, args...))
 }
 func (c *F) Name() string             { return "libFuzzer" }
 func (c *F) Setenv(key, value string) {}

vendor/github.com/containerd/imgcrypt/v2/images/encryption/client.go

@@ -24,9 +24,10 @@ import (
 	"github.com/containerd/containerd/v2/core/containers"
 	"github.com/containerd/containerd/v2/core/diff"
 	"github.com/containerd/errdefs"
-	"github.com/containerd/imgcrypt"
 	"github.com/containerd/typeurl/v2"
 
+	"github.com/containerd/imgcrypt/v2"
+
 	encconfig "github.com/containers/ocicrypt/config"
 	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
 )

vendor/github.com/go-jose/go-jose/v4/CHANGELOG.md

@@ -1,3 +1,27 @@
+# v4.0.4
+
+## Fixed
+
+ - Reverted "Allow unmarshalling JSONWebKeySets with unsupported key types" as a
+   breaking change. See #136 / #137.
+
+# v4.0.3
+
+## Changed
+
+ - Allow unmarshalling JSONWebKeySets with unsupported key types (#130)
+ - Document that OpaqueKeyEncrypter can't be implemented (for now) (#129)
+ - Dependency updates
+
+# v4.0.2
+
+## Changed
+
+ - Improved documentation of Verify() to note that JSONWebKeySet is a supported
+   argument type (#104)
+ - Defined exported error values for missing x5c header and unsupported elliptic
+   curves error cases (#117)
+
 # v4.0.1
 
 ## Fixed

vendor/github.com/go-jose/go-jose/v4/crypter.go

@@ -459,7 +459,10 @@ func (obj JSONWebEncryption) Decrypt(decryptionKey interface{}) ([]byte, error)
 		return nil, fmt.Errorf("go-jose/go-jose: unsupported crit header")
 	}
 
-	key := tryJWKS(decryptionKey, obj.Header)
+	key, err := tryJWKS(decryptionKey, obj.Header)
+	if err != nil {
+		return nil, err
+	}
 	decrypter, err := newDecrypter(key)
 	if err != nil {
 		return nil, err
@@ -529,7 +532,10 @@ func (obj JSONWebEncryption) DecryptMulti(decryptionKey interface{}) (int, Heade
 		return -1, Header{}, nil, fmt.Errorf("go-jose/go-jose: unsupported crit header")
 	}
 
-	key := tryJWKS(decryptionKey, obj.Header)
+	key, err := tryJWKS(decryptionKey, obj.Header)
+	if err != nil {
+		return -1, Header{}, nil, err
+	}
 	decrypter, err := newDecrypter(key)
 	if err != nil {
 		return -1, Header{}, nil, err

vendor/github.com/go-jose/go-jose/v4/jwk.go

@@ -779,7 +779,13 @@ func (key rawJSONWebKey) symmetricKey() ([]byte, error) {
 	return key.K.bytes(), nil
 }
 
-func tryJWKS(key interface{}, headers ...Header) interface{} {
+var (
+	// ErrJWKSKidNotFound is returned when a JWKS does not contain a JWK with a
+	// key ID which matches one in the provided tokens headers.
+	ErrJWKSKidNotFound = errors.New("go-jose/go-jose: JWK with matching kid not found in JWK Set")
+)
+
+func tryJWKS(key interface{}, headers ...Header) (interface{}, error) {
 	var jwks JSONWebKeySet
 
 	switch jwksType := key.(type) {
@@ -788,9 +794,11 @@ func tryJWKS(key interface{}, headers ...Header) interface{} {
 	case JSONWebKeySet:
 		jwks = jwksType
 	default:
-		return key
+		// If the specified key is not a JWKS, return as is.
+		return key, nil
 	}
 
+	// Determine the KID to search for from the headers.
 	var kid string
 	for _, header := range headers {
 		if header.KeyID != "" {
@@ -799,14 +807,17 @@ func tryJWKS(key interface{}, headers ...Header) interface{} {
 		}
 	}
 
+	// If no KID is specified in the headers, reject.
 	if kid == "" {
-		return key
+		return nil, ErrJWKSKidNotFound
 	}
 
+	// Find the JWK with the matching KID. If no JWK with the specified KID is
+	// found, reject.
 	keys := jwks.Key(kid)
 	if len(keys) == 0 {
-		return key
+		return nil, ErrJWKSKidNotFound
 	}
 
-	return keys[0].Key
+	return keys[0].Key, nil
 }

vendor/github.com/go-jose/go-jose/v4/opaque.go

@@ -83,6 +83,9 @@ func (o *opaqueVerifier) verifyPayload(payload []byte, signature []byte, alg Sig
 }
 
 // OpaqueKeyEncrypter is an interface that supports encrypting keys with an opaque key.
+//
+// Note: this cannot currently be implemented outside this package because of its
+// unexported method.
 type OpaqueKeyEncrypter interface {
 	// KeyID returns the kid
 	KeyID() string

vendor/github.com/go-jose/go-jose/v4/signing.go

@@ -390,7 +390,10 @@ func (obj JSONWebSignature) UnsafePayloadWithoutVerification() []byte {
 // The verificationKey argument must have one of the types allowed for the
 // verificationKey argument of JSONWebSignature.Verify().
 func (obj JSONWebSignature) DetachedVerify(payload []byte, verificationKey interface{}) error {
-	key := tryJWKS(verificationKey, obj.headers()...)
+	key, err := tryJWKS(verificationKey, obj.headers()...)
+	if err != nil {
+		return err
+	}
 	verifier, err := newVerifier(key)
 	if err != nil {
 		return err
@@ -455,7 +458,10 @@ func (obj JSONWebSignature) VerifyMulti(verificationKey interface{}) (int, Signa
 // The verificationKey argument must have one of the types allowed for the
 // verificationKey argument of JSONWebSignature.Verify().
 func (obj JSONWebSignature) DetachedVerifyMulti(payload []byte, verificationKey interface{}) (int, Signature, error) {
-	key := tryJWKS(verificationKey, obj.headers()...)
+	key, err := tryJWKS(verificationKey, obj.headers()...)
+	if err != nil {
+		return -1, Signature{}, err
+	}
 	verifier, err := newVerifier(key)
 	if err != nil {
 		return -1, Signature{}, err