Update to newest imgcrypt, aufs and zfs
Older versions transitively dragged in k8s.io/kubernetes, the newer versions do not. Signed-off-by: Davanum Srinivas <davanum@gmail.com>
This commit is contained in:
Davanum Srinivas
28
vendor/github.com/containers/ocicrypt/encryption.go
generated
vendored
28
vendor/github.com/containers/ocicrypt/encryption.go
generated
vendored
@@ -19,6 +19,9 @@ package ocicrypt
|
||||
import (
|
||||
"encoding/base64"
|
||||
"encoding/json"
|
||||
"fmt"
|
||||
keyproviderconfig "github.com/containers/ocicrypt/config/keyprovider-config"
|
||||
"github.com/containers/ocicrypt/keywrap/keyprovider"
|
||||
"io"
|
||||
"strings"
|
||||
|
||||
@@ -27,8 +30,10 @@ import (
|
||||
"github.com/containers/ocicrypt/keywrap"
|
||||
"github.com/containers/ocicrypt/keywrap/jwe"
|
||||
"github.com/containers/ocicrypt/keywrap/pgp"
|
||||
"github.com/containers/ocicrypt/keywrap/pkcs11"
|
||||
"github.com/containers/ocicrypt/keywrap/pkcs7"
|
||||
"github.com/opencontainers/go-digest"
|
||||
log "github.com/sirupsen/logrus"
|
||||
ocispec "github.com/opencontainers/image-spec/specs-go/v1"
|
||||
"github.com/pkg/errors"
|
||||
)
|
||||
@@ -43,6 +48,15 @@ func init() {
|
||||
RegisterKeyWrapper("pgp", pgp.NewKeyWrapper())
|
||||
RegisterKeyWrapper("jwe", jwe.NewKeyWrapper())
|
||||
RegisterKeyWrapper("pkcs7", pkcs7.NewKeyWrapper())
|
||||
RegisterKeyWrapper("pkcs11", pkcs11.NewKeyWrapper())
|
||||
ic, err := keyproviderconfig.GetConfiguration()
|
||||
if err != nil {
|
||||
log.Error(err)
|
||||
} else if ic != nil {
|
||||
for provider, attrs := range ic.KeyProviderConfig {
|
||||
RegisterKeyWrapper("provider."+provider, keyprovider.NewKeyWrapper(provider, attrs))
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
var keyWrappers map[string]keywrap.KeyWrapper
|
||||
@@ -128,6 +142,7 @@ func EncryptLayer(ec *config.EncryptConfig, encOrPlainLayerReader io.Reader, des
|
||||
}
|
||||
|
||||
newAnnotations := make(map[string]string)
|
||||
keysWrapped := false
|
||||
for annotationsID, scheme := range keyWrapperAnnotations {
|
||||
b64Annotations := desc.Annotations[annotationsID]
|
||||
keywrapper := GetKeyWrapper(scheme)
|
||||
@@ -136,10 +151,14 @@ func EncryptLayer(ec *config.EncryptConfig, encOrPlainLayerReader io.Reader, des
|
||||
return nil, err
|
||||
}
|
||||
if b64Annotations != "" {
|
||||
keysWrapped = true
|
||||
newAnnotations[annotationsID] = b64Annotations
|
||||
}
|
||||
}
|
||||
|
||||
if !keysWrapped {
|
||||
return nil, errors.New("no wrapped keys produced by encryption")
|
||||
}
|
||||
newAnnotations["org.opencontainers.image.enc.pubopts"] = base64.StdEncoding.EncodeToString(pubOptsData)
|
||||
|
||||
if len(newAnnotations) == 0 {
|
||||
@@ -191,6 +210,7 @@ func DecryptLayer(dc *config.DecryptConfig, encLayerReader io.Reader, desc ocisp
|
||||
|
||||
func decryptLayerKeyOptsData(dc *config.DecryptConfig, desc ocispec.Descriptor) ([]byte, error) {
|
||||
privKeyGiven := false
|
||||
errs := ""
|
||||
for annotationsID, scheme := range keyWrapperAnnotations {
|
||||
b64Annotation := desc.Annotations[annotationsID]
|
||||
if b64Annotation != "" {
|
||||
@@ -203,10 +223,10 @@ func decryptLayerKeyOptsData(dc *config.DecryptConfig, desc ocispec.Descriptor)
|
||||
if len(keywrapper.GetPrivateKeys(dc.Parameters)) > 0 {
|
||||
privKeyGiven = true
|
||||
}
|
||||
|
||||
optsData, err := preUnwrapKey(keywrapper, dc, b64Annotation)
|
||||
if err != nil {
|
||||
// try next keywrap.KeyWrapper
|
||||
errs += fmt.Sprintf("%s\n", err)
|
||||
continue
|
||||
}
|
||||
if optsData == nil {
|
||||
@@ -219,7 +239,7 @@ func decryptLayerKeyOptsData(dc *config.DecryptConfig, desc ocispec.Descriptor)
|
||||
if !privKeyGiven {
|
||||
return nil, errors.New("missing private key needed for decryption")
|
||||
}
|
||||
return nil, errors.Errorf("no suitable key unwrapper found or none of the private keys could be used for decryption")
|
||||
return nil, errors.Errorf("no suitable key unwrapper found or none of the private keys could be used for decryption:\n%s", errs)
|
||||
}
|
||||
|
||||
func getLayerPubOpts(desc ocispec.Descriptor) ([]byte, error) {
|
||||
@@ -237,6 +257,7 @@ func preUnwrapKey(keywrapper keywrap.KeyWrapper, dc *config.DecryptConfig, b64An
|
||||
if b64Annotations == "" {
|
||||
return nil, nil
|
||||
}
|
||||
errs := ""
|
||||
for _, b64Annotation := range strings.Split(b64Annotations, ",") {
|
||||
annotation, err := base64.StdEncoding.DecodeString(b64Annotation)
|
||||
if err != nil {
|
||||
@@ -244,11 +265,12 @@ func preUnwrapKey(keywrapper keywrap.KeyWrapper, dc *config.DecryptConfig, b64An
|
||||
}
|
||||
optsData, err := keywrapper.UnwrapKey(dc, annotation)
|
||||
if err != nil {
|
||||
errs += fmt.Sprintf("- %s\n", err)
|
||||
continue
|
||||
}
|
||||
return optsData, nil
|
||||
}
|
||||
return nil, errors.New("no suitable key found for decrypting layer key")
|
||||
return nil, errors.Errorf("no suitable key found for decrypting layer key:\n%s", errs)
|
||||
}
|
||||
|
||||
// commonEncryptLayer is a function to encrypt the plain layer using a new random
|
||||
|
||||
Reference in New Issue
Block a user