Crypto library movement and changes to content helper interfaces

Signed-off-by: Derek McGowan <derek@mcgstyle.net>

pkg/encryption/keywrap/jwe/keywrapper_jwe.go

@@ -0,0 +1,132 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package jwe
+
+import (
+	"crypto/ecdsa"
+
+	"github.com/containerd/containerd/pkg/encryption/config"
+	"github.com/containerd/containerd/pkg/encryption/keywrap"
+	"github.com/containerd/containerd/pkg/encryption/utils"
+	"github.com/pkg/errors"
+	jose "gopkg.in/square/go-jose.v2"
+)
+
+type jweKeyWrapper struct {
+}
+
+func (kw *jweKeyWrapper) GetAnnotationID() string {
+	return "org.opencontainers.image.enc.keys.jwe"
+}
+
+// NewKeyWrapper returns a new key wrapping interface using jwe
+func NewKeyWrapper() keywrap.KeyWrapper {
+	return &jweKeyWrapper{}
+}
+
+// WrapKeys wraps the session key for recpients and encrypts the optsData, which
+// describe the symmetric key used for encrypting the layer
+func (kw *jweKeyWrapper) WrapKeys(ec *config.EncryptConfig, optsData []byte) ([]byte, error) {
+	var joseRecipients []jose.Recipient
+
+	err := addPubKeys(&joseRecipients, ec.Parameters["pubkeys"])
+	if err != nil {
+		return nil, err
+	}
+	// no recipients is not an error...
+	if len(joseRecipients) == 0 {
+		return nil, nil
+	}
+
+	encrypter, err := jose.NewMultiEncrypter(jose.A256GCM, joseRecipients, nil)
+	if err != nil {
+		return nil, errors.Wrapf(err, "jose.NewMultiEncrypter failed")
+	}
+	jwe, err := encrypter.Encrypt(optsData)
+	if err != nil {
+		return nil, errors.Wrapf(err, "JWE Encrypt failed")
+	}
+	return []byte(jwe.FullSerialize()), nil
+}
+
+func (kw *jweKeyWrapper) UnwrapKey(dc *config.DecryptConfig, jweString []byte) ([]byte, error) {
+	jwe, err := jose.ParseEncrypted(string(jweString))
+	if err != nil {
+		return nil, errors.New("jose.ParseEncrypted failed")
+	}
+
+	privKeys := kw.GetPrivateKeys(dc.Parameters)
+	if len(privKeys) == 0 {
+		return nil, errors.New("No private keys found for JWE decryption")
+	}
+	privKeysPasswords := kw.getPrivateKeysPasswords(dc.Parameters)
+	if len(privKeysPasswords) != len(privKeys) {
+		return nil, errors.New("Private key password array length must be same as that of private keys")
+	}
+
+	for idx, privKey := range privKeys {
+		key, err := utils.ParsePrivateKey(privKey, privKeysPasswords[idx], "JWE")
+		if err != nil {
+			return nil, err
+		}
+		_, _, plain, err := jwe.DecryptMulti(key)
+		if err == nil {
+			return plain, nil
+		}
+	}
+	return nil, errors.New("JWE: No suitable private key found for decryption")
+}
+
+func (kw *jweKeyWrapper) GetPrivateKeys(dcparameters map[string][][]byte) [][]byte {
+	return dcparameters["privkeys"]
+}
+
+func (kw *jweKeyWrapper) getPrivateKeysPasswords(dcparameters map[string][][]byte) [][]byte {
+	return dcparameters["privkeys-passwords"]
+}
+
+func (kw *jweKeyWrapper) GetKeyIdsFromPacket(b64jwes string) ([]uint64, error) {
+	return nil, nil
+}
+
+func (kw *jweKeyWrapper) GetRecipients(b64jwes string) ([]string, error) {
+	return []string{"[jwe]"}, nil
+}
+
+func addPubKeys(joseRecipients *[]jose.Recipient, pubKeys [][]byte) error {
+	if len(pubKeys) == 0 {
+		return nil
+	}
+	for _, pubKey := range pubKeys {
+		key, err := utils.ParsePublicKey(pubKey, "JWE")
+		if err != nil {
+			return err
+		}
+
+		alg := jose.RSA_OAEP
+		switch key.(type) {
+		case *ecdsa.PublicKey:
+			alg = jose.ECDH_ES_A256KW
+		}
+
+		*joseRecipients = append(*joseRecipients, jose.Recipient{
+			Algorithm: alg,
+			Key:       key,
+		})
+	}
+	return nil
+}

pkg/encryption/keywrap/jwe/keywrapper_jwe_test.go

@@ -0,0 +1,345 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package jwe
+
+import (
+	"crypto/elliptic"
+	"testing"
+
+	"github.com/containerd/containerd/pkg/encryption/config"
+	"github.com/containerd/containerd/pkg/encryption/utils"
+	jose "gopkg.in/square/go-jose.v2"
+)
+
+var oneEmpty []byte
+
+func createValidJweCcs() ([]*config.CryptoConfig, error) {
+
+	jwePubKeyPem, jwePrivKeyPem, err := utils.CreateRSATestKey(2048, oneEmpty, true)
+	if err != nil {
+		return nil, err
+	}
+
+	jwePubKey2Pem, jwePrivKey2Pem, err := utils.CreateRSATestKey(1024, oneEmpty, true)
+	if err != nil {
+		return nil, err
+	}
+
+	jwePrivKey3Password := []byte("password")
+	jwePubKey3Pem, jwePrivKey3PassPem, err := utils.CreateRSATestKey(2048, jwePrivKey3Password, true)
+	if err != nil {
+		return nil, err
+	}
+
+	jwePubKeyDer, jwePrivKeyDer, err := utils.CreateRSATestKey(2048, oneEmpty, false)
+	if err != nil {
+		return nil, err
+	}
+
+	jweEcPubKeyDer, jweEcPrivKeyDer, err := utils.CreateECDSATestKey(elliptic.P521())
+	if err != nil {
+		return nil, err
+	}
+
+	key, err := utils.CreateRSAKey(2048)
+	if err != nil {
+		return nil, err
+	}
+
+	jwePrivKeyJwk, err := jose.JSONWebKey{Key: key}.MarshalJSON()
+	if err != nil {
+		return nil, err
+	}
+
+	jwePubKeyJwk, err := jose.JSONWebKey{Key: &key.PublicKey}.MarshalJSON()
+	if err != nil {
+		return nil, err
+	}
+
+	validJweCcs := []*config.CryptoConfig{
+		// Key 1
+		{
+			EncryptConfig: &config.EncryptConfig{
+				Parameters: map[string][][]byte{
+					"pubkeys": {jwePubKeyPem},
+				},
+				DecryptConfig: config.DecryptConfig{
+					Parameters: map[string][][]byte{
+						"privkeys":           {jwePrivKeyPem},
+						"privkeys-passwords": {oneEmpty},
+					},
+				},
+			},
+
+			DecryptConfig: &config.DecryptConfig{
+				Parameters: map[string][][]byte{
+					"privkeys":           {jwePrivKeyPem},
+					"privkeys-passwords": {oneEmpty},
+				},
+			},
+		},
+
+		// Key 2
+		{
+			EncryptConfig: &config.EncryptConfig{
+				Parameters: map[string][][]byte{
+					"pubkeys": {jwePubKey2Pem},
+				},
+				DecryptConfig: config.DecryptConfig{
+					Parameters: map[string][][]byte{
+						"privkeys":           {jwePrivKey2Pem},
+						"privkeys-passwords": {oneEmpty},
+					},
+				},
+			},
+
+			DecryptConfig: &config.DecryptConfig{
+				Parameters: map[string][][]byte{
+					"privkeys":           {jwePrivKey2Pem},
+					"privkeys-passwords": {oneEmpty},
+				},
+			},
+		},
+
+		// Key 1 without enc private key
+		{
+			EncryptConfig: &config.EncryptConfig{
+				Parameters: map[string][][]byte{
+					"pubkeys": {jwePubKeyPem},
+				},
+			},
+
+			DecryptConfig: &config.DecryptConfig{
+				Parameters: map[string][][]byte{
+					"privkeys":           {jwePrivKeyPem},
+					"privkeys-passwords": {oneEmpty},
+				},
+			},
+		},
+
+		// Key 2 without enc private key
+		{
+			EncryptConfig: &config.EncryptConfig{
+				Parameters: map[string][][]byte{
+					"pubkeys": {jwePubKey2Pem},
+				},
+			},
+
+			DecryptConfig: &config.DecryptConfig{
+				Parameters: map[string][][]byte{
+					"privkeys":           {jwePrivKey2Pem},
+					"privkeys-passwords": {oneEmpty},
+				},
+			},
+		},
+
+		// Key 3 with enc private key
+		{
+			EncryptConfig: &config.EncryptConfig{
+				Parameters: map[string][][]byte{
+					"pubkeys": {jwePubKey3Pem},
+				},
+			},
+
+			DecryptConfig: &config.DecryptConfig{
+				Parameters: map[string][][]byte{
+					"privkeys":           {jwePrivKey3PassPem},
+					"privkeys-passwords": {jwePrivKey3Password},
+				},
+			},
+		},
+
+		// Key (DER format)
+		{
+			EncryptConfig: &config.EncryptConfig{
+				Parameters: map[string][][]byte{
+					"pubkeys": {jwePubKeyDer},
+				},
+				DecryptConfig: config.DecryptConfig{
+					Parameters: map[string][][]byte{
+						"privkeys":           {jwePrivKeyDer},
+						"privkeys-passwords": {oneEmpty},
+					},
+				},
+			},
+
+			DecryptConfig: &config.DecryptConfig{
+				Parameters: map[string][][]byte{
+					"privkeys":           {jwePrivKeyDer},
+					"privkeys-passwords": {oneEmpty},
+				},
+			},
+		},
+		// Key (JWK format)
+		{
+			EncryptConfig: &config.EncryptConfig{
+				Parameters: map[string][][]byte{
+					"pubkeys": {jwePubKeyJwk},
+				},
+				DecryptConfig: config.DecryptConfig{
+					Parameters: map[string][][]byte{
+						"privkeys":           {jwePrivKeyJwk},
+						"privkeys-passwords": {oneEmpty},
+					},
+				},
+			},
+
+			DecryptConfig: &config.DecryptConfig{
+				Parameters: map[string][][]byte{
+					"privkeys":           {jwePrivKeyJwk},
+					"privkeys-passwords": {oneEmpty},
+				},
+			},
+		},
+		// EC Key (DER format)
+		{
+			EncryptConfig: &config.EncryptConfig{
+				Parameters: map[string][][]byte{
+					"pubkeys": {jweEcPubKeyDer},
+				},
+				DecryptConfig: config.DecryptConfig{
+					Parameters: map[string][][]byte{
+						"privkeys":           {jweEcPrivKeyDer},
+						"privkeys-passwords": {oneEmpty},
+					},
+				},
+			},
+
+			DecryptConfig: &config.DecryptConfig{
+				Parameters: map[string][][]byte{
+					"privkeys":           {jweEcPrivKeyDer},
+					"privkeys-passwords": {oneEmpty},
+				},
+			},
+		},
+	}
+	return validJweCcs, nil
+}
+
+func createInvalidJweCcs() ([]*config.CryptoConfig, error) {
+
+	jwePubKeyPem, _, err := utils.CreateRSATestKey(2048, oneEmpty, true)
+	if err != nil {
+		return nil, err
+	}
+
+	jwePubKey2Pem, _, err := utils.CreateRSATestKey(2048, oneEmpty, true)
+	if err != nil {
+		return nil, err
+	}
+
+	invalidJweCcs := []*config.CryptoConfig{
+		// Client key 1 public with client 2 private decrypt
+		{
+			EncryptConfig: &config.EncryptConfig{
+				Parameters: map[string][][]byte{
+					"pubkeys": {jwePubKeyPem},
+				},
+			},
+			DecryptConfig: &config.DecryptConfig{
+				Parameters: map[string][][]byte{
+					"privkeys":           {jwePubKey2Pem},
+					"privkeys-passwords": {oneEmpty},
+				},
+			},
+		},
+
+		// Client key 1 public with no private key
+		{
+			EncryptConfig: &config.EncryptConfig{
+				Parameters: map[string][][]byte{
+					"pubkeys": {jwePubKeyPem},
+				},
+			},
+			DecryptConfig: &config.DecryptConfig{
+				Parameters: map[string][][]byte{},
+			},
+		},
+
+		// Invalid Client key 1 private key
+		{
+			EncryptConfig: &config.EncryptConfig{
+				Parameters: map[string][][]byte{
+					"pubkeys": {jwePubKeyPem},
+				},
+			},
+			DecryptConfig: &config.DecryptConfig{
+				Parameters: map[string][][]byte{
+					"privkeys":           {jwePubKeyPem},
+					"privkeys-passwords": {oneEmpty},
+				},
+			},
+		},
+	}
+	return invalidJweCcs, nil
+}
+
+func TestKeyWrapJweSuccess(t *testing.T) {
+	validJweCcs, err := createValidJweCcs()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	for _, cc := range validJweCcs {
+		kw := NewKeyWrapper()
+
+		data := []byte("This is some secret text")
+
+		wk, err := kw.WrapKeys(cc.EncryptConfig, data)
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		ud, err := kw.UnwrapKey(cc.DecryptConfig, wk)
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		if string(data) != string(ud) {
+			t.Fatal("Strings don't match")
+		}
+	}
+}
+
+func TestKeyWrapJweInvalid(t *testing.T) {
+	invalidJweCcs, err := createInvalidJweCcs()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	for _, cc := range invalidJweCcs {
+		kw := NewKeyWrapper()
+
+		data := []byte("This is some secret text")
+
+		wk, err := kw.WrapKeys(cc.EncryptConfig, data)
+		if err != nil {
+			return
+		}
+
+		ud, err := kw.UnwrapKey(cc.DecryptConfig, wk)
+		if err != nil {
+			return
+		}
+
+		if string(data) != string(ud) {
+			return
+		}
+
+		t.Fatal("Successfully wrap for invalid crypto config")
+	}
+}