[release-1.14] Bump ocicrypt and go-jose CVE-2024-28180

Bump github.com/go-jose/go-jose to v3.0.0 and github.com/containers/ocicrypt to v1.1.10 Addresses: CVE-2024-28180 https://issues.redhat.com/browse/RHEL-28736 https://issues.redhat.com/browse/RHEL-28728 https://issues.redhat.com/browse/OCPBUGS-30723 Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>
2025-09-21 09:57:19 +00:00 · 2024-04-11 11:20:14 -04:00
parent f14e9809e7
commit 528de2ba55
62 changed files with 646 additions and 306 deletions
--- a/vendor/github.com/containers/ocicrypt/keywrap/jwe/keywrapper_jwe.go
+++ b/vendor/github.com/containers/ocicrypt/keywrap/jwe/keywrapper_jwe.go
@@ -123,9 +123,24 @@ func addPubKeys(joseRecipients *[]jose.Recipient, pubKeys [][]byte) error {
 		}

 		alg := jose.RSA_OAEP
-		switch key.(type) {
+		switch key := key.(type) {
 		case *ecdsa.PublicKey:
 			alg = jose.ECDH_ES_A256KW
+		case *jose.JSONWebKey:
+			if key.Algorithm != "" {
+				alg = jose.KeyAlgorithm(key.Algorithm)
+				switch alg {
+				/* accepted algorithms */
+				case jose.RSA_OAEP:
+				case jose.RSA_OAEP_256:
+				case jose.ECDH_ES_A128KW:
+				case jose.ECDH_ES_A192KW:
+				case jose.ECDH_ES_A256KW:
+				/* all others are rejected */
+				default:
+					return fmt.Errorf("%s is an unsupported JWE key algorithm", alg)
+				}
+			}
 		}

 		*joseRecipients = append(*joseRecipients, jose.Recipient{
--- a/vendor/github.com/containers/ocicrypt/utils/testing.go
+++ b/vendor/github.com/containers/ocicrypt/utils/testing.go
@@ -38,6 +38,15 @@ func CreateRSAKey(bits int) (*rsa.PrivateKey, error) {
 	return key, nil
 }

+// CreateECDSAKey creates an elliptic curve key for the given curve
+func CreateECDSAKey(curve elliptic.Curve) (*ecdsa.PrivateKey, error) {
+	key, err := ecdsa.GenerateKey(curve, rand.Reader)
+	if err != nil {
+		return nil, fmt.Errorf("ecdsa.GenerateKey failed: %w", err)
+	}
+	return key, nil
+}
+
 // CreateRSATestKey creates an RSA key of the given size and returns
 // the public and private key in PEM or DER format
 func CreateRSATestKey(bits int, password []byte, pemencode bool) ([]byte, []byte, error) {
@@ -85,9 +94,9 @@ func CreateRSATestKey(bits int, password []byte, pemencode bool) ([]byte, []byte
 // CreateECDSATestKey creates and elliptic curve key for the given curve and returns
 // the public and private key in DER format
 func CreateECDSATestKey(curve elliptic.Curve) ([]byte, []byte, error) {
-	key, err := ecdsa.GenerateKey(curve, rand.Reader)
+	key, err := CreateECDSAKey(curve)
 	if err != nil {
-		return nil, nil, fmt.Errorf("ecdsa.GenerateKey failed: %w", err)
+		return nil, nil, err
 	}

 	pubData, err := x509.MarshalPKIXPublicKey(&key.PublicKey)