From 0113070da295afa3362fcede55e6e489c125df84 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Thu, 16 Apr 2026 15:56:45 +0000
Subject: [PATCH] Update module github.com/containers/ocicrypt to v1.3.0
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
---
 go.mod | 2 +-
 go.sum | 4 +-
 .../containers/ocicrypt/.golangci.yml | 70 +++++++++++--------
 .../config/keyprovider-config/config.go | 29 ++++++++
 .../keywrap/keyprovider/keyprovider.go | 60 ++++++++++++++--
 vendor/modules.txt | 4 +-
 6 files changed, 129 insertions(+), 40 deletions(-)
diff --git a/go.mod b/go.mod
index befdbd022..6ae8690e9 100644
--- a/go.mod
+++ b/go.mod
@@ -7,7 +7,7 @@ go 1.25.6
 require (
 github.com/Masterminds/semver/v3 v3.4.0
- github.com/containers/ocicrypt v1.2.1
+ github.com/containers/ocicrypt v1.3.0
 github.com/docker/distribution v2.8.3+incompatible
 github.com/moby/sys/capability v0.4.0
 github.com/opencontainers/go-digest v1.0.0
diff --git a/go.sum b/go.sum
index 4a5157f73..749783007 100644
--- a/go.sum
+++ b/go.sum
@@ -24,8 +24,8 @@ github.com/containerd/stargz-snapshotter/estargz v0.18.2 h1:yXkZFYIzz3eoLwlTUZKz
 github.com/containerd/stargz-snapshotter/estargz v0.18.2/go.mod h1:XyVU5tcJ3PRpkA9XS2T5us6Eg35yM0214Y+wvrZTBrY=
 github.com/containers/libtrust v0.0.0-20230121012942-c1716e8a8d01 h1:Qzk5C6cYglewc+UyGf6lc8Mj2UaPTHy/iF2De0/77CA=
 github.com/containers/libtrust v0.0.0-20230121012942-c1716e8a8d01/go.mod h1:9rfv8iPl1ZP7aqh9YA68wnZv2NUDbXdcdPHVz0pFbPY=
-github.com/containers/ocicrypt v1.2.1 h1:0qIOTT9DoYwcKmxSt8QJt+VzMY18onl9jUXsxpVhSmM=
-github.com/containers/ocicrypt v1.2.1/go.mod h1:aD0AAqfMp0MtwqWgHM1bUwe1anx0VazI108CRrSKINQ=
+github.com/containers/ocicrypt v1.3.0 h1:ps3St6ZWNWhOQ/Kqld6K2wPHt01Mj3AqRTNCZLIWOfo=
+github.com/containers/ocicrypt v1.3.0/go.mod h1:PmfuGFpBwnGLnbqBm+QIy2nc8noDJ1Wt6B19la7VBFo=
 github.com/coreos/go-oidc/v3 v3.17.0 h1:hWBGaQfbi0iVviX4ibC7bk8OKT5qNr4klBaCHVNvehc=
 github.com/coreos/go-oidc/v3 v3.17.0/go.mod h1:wqPbKFrVnE90vty060SB40FCJ8fTHTxSwyXJqZH+sI8=
 github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
diff --git a/vendor/github.com/containers/ocicrypt/.golangci.yml b/vendor/github.com/containers/ocicrypt/.golangci.yml
index bf39af836..b77ab6d63 100644
--- a/vendor/github.com/containers/ocicrypt/.golangci.yml
+++ b/vendor/github.com/containers/ocicrypt/.golangci.yml
@@ -1,35 +1,47 @@ +version: "2" linters: enable: - depguard - - staticcheck + - misspell + - revive - unconvert + settings: + depguard: + rules: + main: + files: + - $all + deny: + - pkg: io/ioutil + revive: + severity: error + rules: + - name: indent-error-flow + severity: warning + disabled: false + - name: error-strings + disabled: false + staticcheck: + checks: + - -SA1019 + exclusions: + generated: lax + presets: + - comments + - common-false-positives + - legacy + - std-error-handling + paths: + - third_party$ + - builtin$ + - examples$ +formatters: + enable: - gofmt - goimports - - revive - - ineffassign - - govet - - unused - - misspell - -linters-settings: - depguard: - rules: - main: - files: - - $all - deny: - - pkg: "io/ioutil" - - revive: - severity: error - rules: - - name: indent-error-flow - severity: warning - disabled: false - - - name: error-strings - disabled: false - - staticcheck: - # Suppress reports of deprecated packages - checks: ["-SA1019"] + exclusions: + generated: lax + paths: + - third_party$ + - builtin$ + - examples$ diff --git a/vendor/github.com/containers/ocicrypt/config/keyprovider-config/config.go b/vendor/github.com/containers/ocicrypt/config/keyprovider-config/config.go index 4785a831b..f4605d5f4 100644 --- a/vendor/github.com/containers/ocicrypt/config/keyprovider-config/config.go +++ b/vendor/github.com/containers/ocicrypt/config/keyprovider-config/config.go 
@@ -29,10 +29,39 @@ type Command struct {
 Args []string `json:"args,omitempty"`
 }
+// GrpcTLS describes the structure of TLS configuration for gRPC connection, it consist of CA certificate,
+// client certificate and client key
+type GrpcTLS struct {
+ // RootCAFile defines path to the PEM file with the set of root certificate authorities
+ // that clients use when verifying server certificates.
+ // If RootCAs is nil, TLS uses the host's root CA set.
+ RootCAFile string `json:"root-ca-file,omitempty"`
+
+ // CertFile contains the path to the x509 PEM encoded client certificate.
+ CertFile string `json:"cert-file,omitempty"`
+ // KeyFile contains the path to the PEM encoded client key.
+ KeyFile string `json:"key-file,omitempty"`
+
+ // ServerName is used to verify the hostname on the returned
+ // certificates unless InsecureSkipVerify is given. It is also included
+ // in the client's handshake to support virtual hosting unless it is
+ // an IP address.
+ ServerName string `json:"server-name,omitempty"`
+
+ // InsecureSkipVerify controls whether a client verifies the
+ // server's certificate chain and host name.
+ // If InsecureSkipVerify is true, TLS accepts any certificate
+ // presented by the server and any host name in that certificate.
+ // In this mode, TLS is susceptible to man-in-the-middle attacks.
+ // This should be used only for testing.
+ InsecureSkipVerify bool `json:"insecure-skip-verify,omitempty"`
+}
+
 // KeyProviderAttrs describes the structure of key provider, it defines the way of invocation to key provider
 type KeyProviderAttrs struct {
 Command *Command `json:"cmd,omitempty"`
 Grpc string `json:"grpc,omitempty"`
+ GrpcTLS *GrpcTLS `json:"grpc-tls,omitempty"`
 }
 // OcicryptConfig represents the format of an ocicrypt_provider.conf config file
diff --git a/vendor/github.com/containers/ocicrypt/keywrap/keyprovider/keyprovider.go b/vendor/github.com/containers/ocicrypt/keywrap/keyprovider/keyprovider.go
index 6ac0fcb95..838f7ef88 100644
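Review bot: The RootCAFile doc comment refers to a field this struct does not have (`If RootCAs is nil, TLS uses the host's root CA set.` is lifted from crypto/tls), so a reader cannot tell from the comment what an empty path does; suggest `// If RootCAFile is empty, the host's system root CA set is used.` The type comment would read better as `// GrpcTLS describes the TLS configuration for the gRPC connection to a key provider: CA certificate, client certificate and client key.` The CertFile/KeyFile comments should also say that both paths must be set for client authentication to be attempted, because the consumer in keyprovider.go only loads the pair when both are present. This is a vendored file, so the wording fix belongs upstream in ocicrypt.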
--- a/vendor/github.com/containers/ocicrypt/keywrap/keyprovider/keyprovider.go
+++ b/vendor/github.com/containers/ocicrypt/keywrap/keyprovider/keyprovider.go
@@ -18,9 +18,12 @@ package keyprovider
 import (
 "context"
+ "crypto/tls"
+ "crypto/x509"
 "encoding/json"
 "errors"
 "fmt"
+ "os"
 github.com/containers/ocicrypt/config
 keyproviderconfig "github.com/containers/ocicrypt/config/keyprovider-config"
@@ -29,6 +32,7 @@ import (
 keyproviderpb "github.com/containers/ocicrypt/utils/keyprovider"
 log "github.com/sirupsen/logrus"
 "google.golang.org/grpc"
+ "google.golang.org/grpc/credentials"
 )
 type keyProviderKeyWrapper struct {
@@ -118,7 +122,7 @@ func (kw *keyProviderKeyWrapper) WrapKeys(ec *config.EncryptConfig, optsData []b
 }
 return protocolOuput.KeyWrapResults.Annotation, nil
 } else if kw.attrs.Grpc != "" {
- protocolOuput, err := getProviderGRPCOutput(input, kw.attrs.Grpc, OpKeyWrap)
+ protocolOuput, err := getProviderGRPCOutput(input, kw.attrs.Grpc, kw.attrs.GrpcTLS, OpKeyWrap)
 if err != nil {
 return nil, fmt.Errorf("error while retrieving keyprovider protocol grpc output: %w", err)
 }
@@ -154,7 +158,7 @@ func (kw *keyProviderKeyWrapper) UnwrapKey(dc *config.DecryptConfig, jsonString
 return protocolOuput.KeyUnwrapResults.OptsData, nil
 } else if kw.attrs.Grpc != "" {
- protocolOuput, err := getProviderGRPCOutput(input, kw.attrs.Grpc, OpKeyUnwrap)
+ protocolOuput, err := getProviderGRPCOutput(input, kw.attrs.Grpc, kw.attrs.GrpcTLS, OpKeyUnwrap)
 if err != nil {
 // If err is not nil, then ignore it and continue with rest of the given keyproviders
 return nil, err
@@ -165,12 +169,56 @@ func (kw *keyProviderKeyWrapper) UnwrapKey(dc *config.DecryptConfig, jsonString
 return nil, errors.New("Unsupported keyprovider invocation. Supported invocation methods are grpc and cmd")
 }
-func getProviderGRPCOutput(input []byte, connString string, operation KeyProviderKeyWrapProtocolOperation) (*KeyProviderKeyWrapProtocolOutput, error) {
+func getProviderGRPCOutput(input []byte, connString string, grpcTls *keyproviderconfig.GrpcTLS, operation KeyProviderKeyWrapProtocolOperation) (*KeyProviderKeyWrapProtocolOutput, error) {
 var protocolOuput KeyProviderKeyWrapProtocolOutput
 var grpcOutput *keyproviderpb.KeyProviderKeyWrapProtocolOutput
- cc, err := grpc.Dial(connString, grpc.WithInsecure())
- if err != nil {
- return nil, fmt.Errorf("error while dialing rpc server: %w", err)
+
+ var cc *grpc.ClientConn
+ var err error
+
+ if grpcTls != nil {
+ var rootCAs *x509.CertPool
+ if grpcTls.RootCAFile != "" {
+ pem, err := os.ReadFile(grpcTls.RootCAFile)
+ if err != nil {
+ return nil, fmt.Errorf("failed to load root CA certificates error=%v", err)
+ }
+ rootCAs = x509.NewCertPool()
+ if !rootCAs.AppendCertsFromPEM(pem) {
+ return nil, fmt.Errorf("no root CA certs parsed from file ")
+ }
+ } else {
+ rootCAs, err = x509.SystemCertPool()
+ if err != nil {
+ return nil, fmt.Errorf("error reading SystemCertPool error=%v", err)
+ }
+ }
+
+ var clientCerts []tls.Certificate
+ if grpcTls.CertFile != "" && grpcTls.KeyFile != "" {
+ cert, err := tls.LoadX509KeyPair(grpcTls.CertFile, grpcTls.KeyFile)
+ if err != nil {
+ return nil, fmt.Errorf("failed to load client certificate and key: %v", err)
+ }
+ clientCerts = []tls.Certificate{cert}
+ }
+
+ tlsConfig := &tls.Config{
+ RootCAs: rootCAs,
+ ServerName: grpcTls.ServerName,
+ InsecureSkipVerify: grpcTls.InsecureSkipVerify,
+ Certificates: clientCerts,
+ }
+ creds := credentials.NewTLS(tlsConfig)
+ cc, err = grpc.Dial(connString, grpc.WithTransportCredentials(creds))
+ if err != nil {
+ return nil, 
fmt.Errorf("error while dialing TLS rpc server: %w", err)
+ }
+ } else {
+ cc, err = grpc.Dial(connString, grpc.WithInsecure())
+ if err != nil {
+ return nil, fmt.Errorf("error while dialing rpc server: %w", err)
+ }
 }
 defer func() {
 derr := cc.Close()
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 15fe587c9..eba087dab 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -47,8 +47,8 @@ github.com/containerd/stargz-snapshotter/estargz/errorutil
 # github.com/containers/libtrust v0.0.0-20230121012942-c1716e8a8d01
 ## explicit
 github.com/containers/libtrust
-# github.com/containers/ocicrypt v1.2.1
-## explicit; go 1.22
+# github.com/containers/ocicrypt v1.3.0
+## explicit; go 1.24.0
 github.com/containers/ocicrypt
 github.com/containers/ocicrypt/blockcipher
 github.com/containers/ocicrypt/config
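Review bot: In the TLS branch of getProviderGRPCOutput, configuring only one of cert-file/key-file is silently treated as "no client certificate" by the `if grpcTls.CertFile != "" && grpcTls.KeyFile != ""` guard, so a half-configured mutual-TLS setup connects without client authentication and the operator only learns of it from the server's rejection, if at all. The rewrite below rejects that mismatch, wraps the three load errors with `%w` instead of `%v` so callers can use errors.Is/As, replaces the argument-less `fmt.Errorf("no root CA certs parsed from file ")` with a message that names the file (and drops the trailing space), and logs a warning when InsecureSkipVerify is set, which gives operators a detection hook for a flag the struct's own docs describe as test-only. In the plaintext branch, `grpc.WithInsecure()` (and, depending on the vendored grpc-go version, `grpc.Dial` itself) is deprecated in favour of `grpc.WithTransportCredentials(insecure.NewCredentials())`; the package's `-SA1019` staticcheck suppression is what keeps that quiet. The function continues past the hunk, and since this is vendored code the change belongs upstream in ocicrypt.
```go
	var rootCAs *x509.CertPool
	if grpcTls.RootCAFile != "" {
		pem, err := os.ReadFile(grpcTls.RootCAFile)
		if err != nil {
			return nil, fmt.Errorf("reading root CA file %q: %w", grpcTls.RootCAFile, err)
		}
		rootCAs = x509.NewCertPool()
		if !rootCAs.AppendCertsFromPEM(pem) {
			return nil, fmt.Errorf("no root CA certificates parsed from %q", grpcTls.RootCAFile)
		}
	} else if rootCAs, err = x509.SystemCertPool(); err != nil {
		return nil, fmt.Errorf("loading system root CA pool: %w", err)
	}

	// A half-configured pair must fail loudly rather than silently downgrade
	// to an unauthenticated client.
	if (grpcTls.CertFile != "") != (grpcTls.KeyFile != "") {
		return nil, errors.New("grpc-tls: cert-file and key-file must both be set for client authentication")
	}
	var clientCerts []tls.Certificate
	if grpcTls.CertFile != "" {
		cert, err := tls.LoadX509KeyPair(grpcTls.CertFile, grpcTls.KeyFile)
		if err != nil {
			return nil, fmt.Errorf("loading client certificate and key: %w", err)
		}
		clientCerts = []tls.Certificate{cert}
	}
	if grpcTls.InsecureSkipVerify {
		log.Warnf("keyprovider grpc-tls: server certificate verification disabled for %q", connString)
	}
	// … unchanged: tls.Config construction, credentials.NewTLS and the TLS grpc.Dial …
```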