Merge pull request #2851 from containers/renovate/github.com-containers-ocicrypt-1.x

Update module github.com/containers/ocicrypt to v1.3.0
2026-05-04 10:22:34 +00:00 · 2026-04-16 20:57:46 +02:00
parent 61fbb9221f 0113070da2
commit 904ff20c4d
6 changed files with 129 additions and 40 deletions
--- a/go.mod
+++ b/go.mod
@@ -7,7 +7,7 @@ go 1.25.6

 require (
 	github.com/Masterminds/semver/v3 v3.4.0
-	github.com/containers/ocicrypt v1.2.1
+	github.com/containers/ocicrypt v1.3.0
 	github.com/docker/distribution v2.8.3+incompatible
 	github.com/moby/sys/capability v0.4.0
 	github.com/opencontainers/go-digest v1.0.0
--- a/go.sum
+++ b/go.sum
@@ -24,8 +24,8 @@ github.com/containerd/stargz-snapshotter/estargz v0.18.2 h1:yXkZFYIzz3eoLwlTUZKz
 github.com/containerd/stargz-snapshotter/estargz v0.18.2/go.mod h1:XyVU5tcJ3PRpkA9XS2T5us6Eg35yM0214Y+wvrZTBrY=
 github.com/containers/libtrust v0.0.0-20230121012942-c1716e8a8d01 h1:Qzk5C6cYglewc+UyGf6lc8Mj2UaPTHy/iF2De0/77CA=
 github.com/containers/libtrust v0.0.0-20230121012942-c1716e8a8d01/go.mod h1:9rfv8iPl1ZP7aqh9YA68wnZv2NUDbXdcdPHVz0pFbPY=
-github.com/containers/ocicrypt v1.2.1 h1:0qIOTT9DoYwcKmxSt8QJt+VzMY18onl9jUXsxpVhSmM=
-github.com/containers/ocicrypt v1.2.1/go.mod h1:aD0AAqfMp0MtwqWgHM1bUwe1anx0VazI108CRrSKINQ=
+github.com/containers/ocicrypt v1.3.0 h1:ps3St6ZWNWhOQ/Kqld6K2wPHt01Mj3AqRTNCZLIWOfo=
+github.com/containers/ocicrypt v1.3.0/go.mod h1:PmfuGFpBwnGLnbqBm+QIy2nc8noDJ1Wt6B19la7VBFo=
 github.com/coreos/go-oidc/v3 v3.17.0 h1:hWBGaQfbi0iVviX4ibC7bk8OKT5qNr4klBaCHVNvehc=
 github.com/coreos/go-oidc/v3 v3.17.0/go.mod h1:wqPbKFrVnE90vty060SB40FCJ8fTHTxSwyXJqZH+sI8=
 github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
--- a/vendor/github.com/containers/ocicrypt/.golangci.yml
+++ b/vendor/github.com/containers/ocicrypt/.golangci.yml
@@ -1,35 +1,47 @@
+version: "2"
 linters:
  enable:
    - depguard
-    - staticcheck
+    - misspell
+    - revive
    - unconvert
+  settings:
+    depguard:
+      rules:
+        main:
+          files:
+            - $all
+          deny:
+            - pkg: io/ioutil
+    revive:
+      severity: error
+      rules:
+        - name: indent-error-flow
+          severity: warning
+          disabled: false
+        - name: error-strings
+          disabled: false
+    staticcheck:
+      checks:
+        - -SA1019
+  exclusions:
+    generated: lax
+    presets:
+      - comments
+      - common-false-positives
+      - legacy
+      - std-error-handling
+    paths:
+      - third_party$
+      - builtin$
+      - examples$
+formatters:
+  enable:
    - gofmt
    - goimports
-    - revive
-    - ineffassign
-    - govet
-    - unused
-    - misspell
-
-linters-settings:
-  depguard:
-    rules:
-      main:
-        files:
-          - $all
-        deny:
-          - pkg: "io/ioutil"
-
-  revive:
-    severity: error
-    rules:
-      - name: indent-error-flow
-        severity: warning
-        disabled: false
-
-      - name: error-strings
-        disabled: false
-
-  staticcheck:
-    # Suppress reports of deprecated packages
-    checks: ["-SA1019"]
+  exclusions:
+    generated: lax
+    paths:
+      - third_party$
+      - builtin$
+      - examples$
--- a/vendor/github.com/containers/ocicrypt/config/keyprovider-config/config.go
+++ b/vendor/github.com/containers/ocicrypt/config/keyprovider-config/config.go
@@ -29,10 +29,39 @@ type Command struct {
 	Args []string `json:"args,omitempty"`
 }

+// GrpcTLS describes the structure of TLS configuration for gRPC connection, it consist of CA certificate,
+// client certificate and client key
+type GrpcTLS struct {
+	// RootCAFile defines path to the PEM file with the set of root certificate authorities
+	// that clients use when verifying server certificates.
+	// If RootCAs is nil, TLS uses the host's root CA set.
+	RootCAFile string `json:"root-ca-file,omitempty"`
+
+	// CertFile contains the path to the x509 PEM encoded client certificate.
+	CertFile string `json:"cert-file,omitempty"`
+	// KeyFile contains the path to the PEM encoded client key.
+	KeyFile string `json:"key-file,omitempty"`
+
+	// ServerName is used to verify the hostname on the returned
+	// certificates unless InsecureSkipVerify is given. It is also included
+	// in the client's handshake to support virtual hosting unless it is
+	// an IP address.
+	ServerName string `json:"server-name,omitempty"`
+
+	// InsecureSkipVerify controls whether a client verifies the
+	// server's certificate chain and host name.
+	// If InsecureSkipVerify is true, TLS accepts any certificate
+	// presented by the server and any host name in that certificate.
+	// In this mode, TLS is susceptible to man-in-the-middle attacks.
+	// This should be used only for testing.
+	InsecureSkipVerify bool `json:"insecure-skip-verify,omitempty"`
+}
+
 // KeyProviderAttrs describes the structure of key provider, it defines the way of invocation to key provider
 type KeyProviderAttrs struct {
 	Command *Command `json:"cmd,omitempty"`
 	Grpc    string   `json:"grpc,omitempty"`
+	GrpcTLS *GrpcTLS `json:"grpc-tls,omitempty"`
 }

 // OcicryptConfig represents the format of an ocicrypt_provider.conf config file
--- a/vendor/github.com/containers/ocicrypt/keywrap/keyprovider/keyprovider.go
+++ b/vendor/github.com/containers/ocicrypt/keywrap/keyprovider/keyprovider.go
@@ -18,9 +18,12 @@ package keyprovider

 import (
 	"context"
+	"crypto/tls"
+	"crypto/x509"
 	"encoding/json"
 	"errors"
 	"fmt"
+	"os"

 	"github.com/containers/ocicrypt/config"
 	keyproviderconfig "github.com/containers/ocicrypt/config/keyprovider-config"
@@ -29,6 +32,7 @@ import (
 	keyproviderpb "github.com/containers/ocicrypt/utils/keyprovider"
 	log "github.com/sirupsen/logrus"
 	"google.golang.org/grpc"
+	"google.golang.org/grpc/credentials"
 )

 type keyProviderKeyWrapper struct {
@@ -118,7 +122,7 @@ func (kw *keyProviderKeyWrapper) WrapKeys(ec *config.EncryptConfig, optsData []b
 			}
 			return protocolOuput.KeyWrapResults.Annotation, nil
 		} else if kw.attrs.Grpc != "" {
-			protocolOuput, err := getProviderGRPCOutput(input, kw.attrs.Grpc, OpKeyWrap)
+			protocolOuput, err := getProviderGRPCOutput(input, kw.attrs.Grpc, kw.attrs.GrpcTLS, OpKeyWrap)
 			if err != nil {
 				return nil, fmt.Errorf("error while retrieving keyprovider protocol grpc output: %w", err)
 			}
@@ -154,7 +158,7 @@ func (kw *keyProviderKeyWrapper) UnwrapKey(dc *config.DecryptConfig, jsonString

 		return protocolOuput.KeyUnwrapResults.OptsData, nil
 	} else if kw.attrs.Grpc != "" {
-		protocolOuput, err := getProviderGRPCOutput(input, kw.attrs.Grpc, OpKeyUnwrap)
+		protocolOuput, err := getProviderGRPCOutput(input, kw.attrs.Grpc, kw.attrs.GrpcTLS, OpKeyUnwrap)
 		if err != nil {
 			// If err is not nil, then ignore it and continue with rest of the given keyproviders
 			return nil, err
@@ -165,12 +169,56 @@ func (kw *keyProviderKeyWrapper) UnwrapKey(dc *config.DecryptConfig, jsonString
 	return nil, errors.New("Unsupported keyprovider invocation. Supported invocation methods are grpc and cmd")
 }

-func getProviderGRPCOutput(input []byte, connString string, operation KeyProviderKeyWrapProtocolOperation) (*KeyProviderKeyWrapProtocolOutput, error) {
+func getProviderGRPCOutput(input []byte, connString string, grpcTls *keyproviderconfig.GrpcTLS, operation KeyProviderKeyWrapProtocolOperation) (*KeyProviderKeyWrapProtocolOutput, error) {
 	var protocolOuput KeyProviderKeyWrapProtocolOutput
 	var grpcOutput *keyproviderpb.KeyProviderKeyWrapProtocolOutput
-	cc, err := grpc.Dial(connString, grpc.WithInsecure())
-	if err != nil {
-		return nil, fmt.Errorf("error while dialing rpc server: %w", err)
+
+	var cc *grpc.ClientConn
+	var err error
+
+	if grpcTls != nil {
+		var rootCAs *x509.CertPool
+		if grpcTls.RootCAFile != "" {
+			pem, err := os.ReadFile(grpcTls.RootCAFile)
+			if err != nil {
+				return nil, fmt.Errorf("failed to load root CA certificates  error=%v", err)
+			}
+			rootCAs = x509.NewCertPool()
+			if !rootCAs.AppendCertsFromPEM(pem) {
+				return nil, fmt.Errorf("no root CA certs parsed from file ")
+			}
+		} else {
+			rootCAs, err = x509.SystemCertPool()
+			if err != nil {
+				return nil, fmt.Errorf("error reading SystemCertPool error=%v", err)
+			}
+		}
+
+		var clientCerts []tls.Certificate
+		if grpcTls.CertFile != "" && grpcTls.KeyFile != "" {
+			cert, err := tls.LoadX509KeyPair(grpcTls.CertFile, grpcTls.KeyFile)
+			if err != nil {
+				return nil, fmt.Errorf("failed to load client certificate and key: %v", err)
+			}
+			clientCerts = []tls.Certificate{cert}
+		}
+
+		tlsConfig := &tls.Config{
+			RootCAs:            rootCAs,
+			ServerName:         grpcTls.ServerName,
+			InsecureSkipVerify: grpcTls.InsecureSkipVerify,
+			Certificates:       clientCerts,
+		}
+		creds := credentials.NewTLS(tlsConfig)
+		cc, err = grpc.Dial(connString, grpc.WithTransportCredentials(creds))
+		if err != nil {
+			return nil, fmt.Errorf("error while dialing TLS rpc server: %w", err)
+		}
+	} else {
+		cc, err = grpc.Dial(connString, grpc.WithInsecure())
+		if err != nil {
+			return nil, fmt.Errorf("error while dialing rpc server: %w", err)
+		}
 	}
 	defer func() {
 		derr := cc.Close()
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -47,8 +47,8 @@ github.com/containerd/stargz-snapshotter/estargz/errorutil
 # github.com/containers/libtrust v0.0.0-20230121012942-c1716e8a8d01
 ## explicit
 github.com/containers/libtrust
-# github.com/containers/ocicrypt v1.2.1
-## explicit; go 1.22
+# github.com/containers/ocicrypt v1.3.0
+## explicit; go 1.24.0
 github.com/containers/ocicrypt
 github.com/containers/ocicrypt/blockcipher
 github.com/containers/ocicrypt/config