Bump github.com/containers/ocicrypt from 1.0.3 to 1.1.0

Bumps [github.com/containers/ocicrypt](https://github.com/containers/ocicrypt) from 1.0.3 to 1.1.0. - [Release notes](https://github.com/containers/ocicrypt/releases) - [Commits](https://github.com/containers/ocicrypt/compare/v1.0.3...v1.1.0) Signed-off-by: dependabot-preview[bot] <support@dependabot.com> Signed-off-by: Miloslav Trmač <mitr@redhat.com>
2025-09-25 20:29:24 +00:00 · 2021-02-02 20:19:25 +00:00
parent e0ba05af59
commit aff1b6215b
224 changed files with 39198 additions and 1147 deletions
--- a/vendor/github.com/containers/ocicrypt/utils/ioutils.go
+++ b/vendor/github.com/containers/ocicrypt/utils/ioutils.go
@@ -17,7 +17,10 @@
 package utils

 import (
+	"bytes"
 	"io"
+	"os/exec"
+	"github.com/pkg/errors"
 )

 // FillBuffer fills the given buffer with as many bytes from the reader as possible. It returns
@@ -29,3 +32,25 @@ func FillBuffer(reader io.Reader, buffer []byte) (int, error) {
 	}
 	return n, err
 }
+
+// first argument is the command, like cat or echo,
+// the second is the list of args to pass to it
+type CommandExecuter interface {
+	Exec(string, []string, []byte) ([]byte, error)
+}
+
+type Runner struct{}
+
+// ExecuteCommand is used to execute a linux command line command and return the output of the command with an error if it exists.
+func (r Runner) Exec(cmdName string, args []string, input []byte) ([]byte, error) {
+	var out bytes.Buffer
+	stdInputBuffer := bytes.NewBuffer(input)
+	cmd := exec.Command(cmdName, args...)
+	cmd.Stdin = stdInputBuffer
+	cmd.Stdout = &out
+	err := cmd.Run()
+	if err != nil {
+		return nil, errors.Wrapf(err, "Error while running command: %s", cmdName)
+	}
+	return out.Bytes(), nil
+}
--- a/vendor/github.com/containers/ocicrypt/utils/keyprovider/keyprovider.pb.go
+++ b/vendor/github.com/containers/ocicrypt/utils/keyprovider/keyprovider.pb.go
@@ -0,0 +1,243 @@
+// Code generated by protoc-gen-go. DO NOT EDIT.
+// source: keyprovider.proto
+
+package keyprovider
+
+import (
+	context "context"
+	fmt "fmt"
+	proto "github.com/golang/protobuf/proto"
+	grpc "google.golang.org/grpc"
+	codes "google.golang.org/grpc/codes"
+	status "google.golang.org/grpc/status"
+	math "math"
+)
+
+// Reference imports to suppress errors if they are not otherwise used.
+var _ = proto.Marshal
+var _ = fmt.Errorf
+var _ = math.Inf
+
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the proto package it is being compiled against.
+// A compilation error at this line likely means your copy of the
+// proto package needs to be updated.
+const _ = proto.ProtoPackageIsVersion3 // please upgrade the proto package
+
+type KeyProviderKeyWrapProtocolInput struct {
+	KeyProviderKeyWrapProtocolInput []byte   `protobuf:"bytes,1,opt,name=KeyProviderKeyWrapProtocolInput,proto3" json:"KeyProviderKeyWrapProtocolInput,omitempty"`
+	XXX_NoUnkeyedLiteral            struct{} `json:"-"`
+	XXX_unrecognized                []byte   `json:"-"`
+	XXX_sizecache                   int32    `json:"-"`
+}
+
+func (m *KeyProviderKeyWrapProtocolInput) Reset()         { *m = KeyProviderKeyWrapProtocolInput{} }
+func (m *KeyProviderKeyWrapProtocolInput) String() string { return proto.CompactTextString(m) }
+func (*KeyProviderKeyWrapProtocolInput) ProtoMessage()    {}
+func (*KeyProviderKeyWrapProtocolInput) Descriptor() ([]byte, []int) {
+	return fileDescriptor_da74c8e785ad390c, []int{0}
+}
+
+func (m *KeyProviderKeyWrapProtocolInput) XXX_Unmarshal(b []byte) error {
+	return xxx_messageInfo_KeyProviderKeyWrapProtocolInput.Unmarshal(m, b)
+}
+func (m *KeyProviderKeyWrapProtocolInput) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	return xxx_messageInfo_KeyProviderKeyWrapProtocolInput.Marshal(b, m, deterministic)
+}
+func (m *KeyProviderKeyWrapProtocolInput) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_KeyProviderKeyWrapProtocolInput.Merge(m, src)
+}
+func (m *KeyProviderKeyWrapProtocolInput) XXX_Size() int {
+	return xxx_messageInfo_KeyProviderKeyWrapProtocolInput.Size(m)
+}
+func (m *KeyProviderKeyWrapProtocolInput) XXX_DiscardUnknown() {
+	xxx_messageInfo_KeyProviderKeyWrapProtocolInput.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_KeyProviderKeyWrapProtocolInput proto.InternalMessageInfo
+
+func (m *KeyProviderKeyWrapProtocolInput) GetKeyProviderKeyWrapProtocolInput() []byte {
+	if m != nil {
+		return m.KeyProviderKeyWrapProtocolInput
+	}
+	return nil
+}
+
+type KeyProviderKeyWrapProtocolOutput struct {
+	KeyProviderKeyWrapProtocolOutput []byte   `protobuf:"bytes,1,opt,name=KeyProviderKeyWrapProtocolOutput,proto3" json:"KeyProviderKeyWrapProtocolOutput,omitempty"`
+	XXX_NoUnkeyedLiteral             struct{} `json:"-"`
+	XXX_unrecognized                 []byte   `json:"-"`
+	XXX_sizecache                    int32    `json:"-"`
+}
+
+func (m *KeyProviderKeyWrapProtocolOutput) Reset()         { *m = KeyProviderKeyWrapProtocolOutput{} }
+func (m *KeyProviderKeyWrapProtocolOutput) String() string { return proto.CompactTextString(m) }
+func (*KeyProviderKeyWrapProtocolOutput) ProtoMessage()    {}
+func (*KeyProviderKeyWrapProtocolOutput) Descriptor() ([]byte, []int) {
+	return fileDescriptor_da74c8e785ad390c, []int{1}
+}
+
+func (m *KeyProviderKeyWrapProtocolOutput) XXX_Unmarshal(b []byte) error {
+	return xxx_messageInfo_KeyProviderKeyWrapProtocolOutput.Unmarshal(m, b)
+}
+func (m *KeyProviderKeyWrapProtocolOutput) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	return xxx_messageInfo_KeyProviderKeyWrapProtocolOutput.Marshal(b, m, deterministic)
+}
+func (m *KeyProviderKeyWrapProtocolOutput) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_KeyProviderKeyWrapProtocolOutput.Merge(m, src)
+}
+func (m *KeyProviderKeyWrapProtocolOutput) XXX_Size() int {
+	return xxx_messageInfo_KeyProviderKeyWrapProtocolOutput.Size(m)
+}
+func (m *KeyProviderKeyWrapProtocolOutput) XXX_DiscardUnknown() {
+	xxx_messageInfo_KeyProviderKeyWrapProtocolOutput.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_KeyProviderKeyWrapProtocolOutput proto.InternalMessageInfo
+
+func (m *KeyProviderKeyWrapProtocolOutput) GetKeyProviderKeyWrapProtocolOutput() []byte {
+	if m != nil {
+		return m.KeyProviderKeyWrapProtocolOutput
+	}
+	return nil
+}
+
+func init() {
+	proto.RegisterType((*KeyProviderKeyWrapProtocolInput)(nil), "keyprovider.keyProviderKeyWrapProtocolInput")
+	proto.RegisterType((*KeyProviderKeyWrapProtocolOutput)(nil), "keyprovider.keyProviderKeyWrapProtocolOutput")
+}
+
+func init() {
+	proto.RegisterFile("keyprovider.proto", fileDescriptor_da74c8e785ad390c)
+}
+
+var fileDescriptor_da74c8e785ad390c = []byte{
+	// 169 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x09, 0x6e, 0x88, 0x02, 0xff, 0xe2, 0x12, 0xcc, 0x4e, 0xad, 0x2c,
+	0x28, 0xca, 0x2f, 0xcb, 0x4c, 0x49, 0x2d, 0xd2, 0x03, 0x32, 0x4a, 0xf2, 0x85, 0xb8, 0x91, 0x84,
+	0x94, 0xb2, 0xb9, 0xe4, 0x81, 0xdc, 0x00, 0x28, 0xd7, 0x3b, 0xb5, 0x32, 0xbc, 0x28, 0xb1, 0x20,
+	0x00, 0xa4, 0x2e, 0x39, 0x3f, 0xc7, 0x33, 0xaf, 0xa0, 0xb4, 0x44, 0xc8, 0x83, 0x4b, 0xde, 0x1b,
+	0xbf, 0x12, 0x09, 0x46, 0x05, 0x46, 0x0d, 0x9e, 0x20, 0x42, 0xca, 0x94, 0xf2, 0xb8, 0x14, 0x70,
+	0x5b, 0xe6, 0x5f, 0x5a, 0x02, 0xb2, 0xcd, 0x8b, 0x4b, 0xc1, 0x9b, 0x80, 0x1a, 0xa8, 0x75, 0x04,
+	0xd5, 0x19, 0xbd, 0x62, 0xe4, 0x12, 0x42, 0x52, 0x14, 0x9c, 0x5a, 0x54, 0x96, 0x99, 0x9c, 0x2a,
+	0x94, 0xc1, 0xc5, 0x0e, 0x52, 0x0c, 0x94, 0x11, 0xd2, 0xd1, 0x43, 0x0e, 0x1f, 0x02, 0x21, 0x21,
+	0xa5, 0x4b, 0xa4, 0x6a, 0x88, 0xf5, 0x4a, 0x0c, 0x42, 0x59, 0x5c, 0x9c, 0xa1, 0x79, 0xf4, 0xb1,
+	0xcb, 0x89, 0x37, 0x0a, 0x39, 0x62, 0x93, 0xd8, 0xc0, 0x91, 0x6d, 0x0c, 0x08, 0x00, 0x00, 0xff,
+	0xff, 0x9a, 0x10, 0xcb, 0xf9, 0x01, 0x02, 0x00, 0x00,
+}
+
+// Reference imports to suppress errors if they are not otherwise used.
+var _ context.Context
+var _ grpc.ClientConnInterface
+
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the grpc package it is being compiled against.
+const _ = grpc.SupportPackageIsVersion6
+
+// KeyProviderServiceClient is the client API for KeyProviderService service.
+//
+// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://godoc.org/google.golang.org/grpc#ClientConn.NewStream.
+type KeyProviderServiceClient interface {
+	WrapKey(ctx context.Context, in *KeyProviderKeyWrapProtocolInput, opts ...grpc.CallOption) (*KeyProviderKeyWrapProtocolOutput, error)
+	UnWrapKey(ctx context.Context, in *KeyProviderKeyWrapProtocolInput, opts ...grpc.CallOption) (*KeyProviderKeyWrapProtocolOutput, error)
+}
+
+type keyProviderServiceClient struct {
+	cc grpc.ClientConnInterface
+}
+
+func NewKeyProviderServiceClient(cc grpc.ClientConnInterface) KeyProviderServiceClient {
+	return &keyProviderServiceClient{cc}
+}
+
+func (c *keyProviderServiceClient) WrapKey(ctx context.Context, in *KeyProviderKeyWrapProtocolInput, opts ...grpc.CallOption) (*KeyProviderKeyWrapProtocolOutput, error) {
+	out := new(KeyProviderKeyWrapProtocolOutput)
+	err := c.cc.Invoke(ctx, "/keyprovider.KeyProviderService/WrapKey", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *keyProviderServiceClient) UnWrapKey(ctx context.Context, in *KeyProviderKeyWrapProtocolInput, opts ...grpc.CallOption) (*KeyProviderKeyWrapProtocolOutput, error) {
+	out := new(KeyProviderKeyWrapProtocolOutput)
+	err := c.cc.Invoke(ctx, "/keyprovider.KeyProviderService/UnWrapKey", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+// KeyProviderServiceServer is the server API for KeyProviderService service.
+type KeyProviderServiceServer interface {
+	WrapKey(context.Context, *KeyProviderKeyWrapProtocolInput) (*KeyProviderKeyWrapProtocolOutput, error)
+	UnWrapKey(context.Context, *KeyProviderKeyWrapProtocolInput) (*KeyProviderKeyWrapProtocolOutput, error)
+}
+
+// UnimplementedKeyProviderServiceServer can be embedded to have forward compatible implementations.
+type UnimplementedKeyProviderServiceServer struct {
+}
+
+func (*UnimplementedKeyProviderServiceServer) WrapKey(ctx context.Context, req *KeyProviderKeyWrapProtocolInput) (*KeyProviderKeyWrapProtocolOutput, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method WrapKey not implemented")
+}
+func (*UnimplementedKeyProviderServiceServer) UnWrapKey(ctx context.Context, req *KeyProviderKeyWrapProtocolInput) (*KeyProviderKeyWrapProtocolOutput, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method UnWrapKey not implemented")
+}
+
+func RegisterKeyProviderServiceServer(s *grpc.Server, srv KeyProviderServiceServer) {
+	s.RegisterService(&_KeyProviderService_serviceDesc, srv)
+}
+
+func _KeyProviderService_WrapKey_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(KeyProviderKeyWrapProtocolInput)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(KeyProviderServiceServer).WrapKey(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/keyprovider.KeyProviderService/WrapKey",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(KeyProviderServiceServer).WrapKey(ctx, req.(*KeyProviderKeyWrapProtocolInput))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _KeyProviderService_UnWrapKey_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(KeyProviderKeyWrapProtocolInput)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(KeyProviderServiceServer).UnWrapKey(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/keyprovider.KeyProviderService/UnWrapKey",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(KeyProviderServiceServer).UnWrapKey(ctx, req.(*KeyProviderKeyWrapProtocolInput))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+var _KeyProviderService_serviceDesc = grpc.ServiceDesc{
+	ServiceName: "keyprovider.KeyProviderService",
+	HandlerType: (*KeyProviderServiceServer)(nil),
+	Methods: []grpc.MethodDesc{
+		{
+			MethodName: "WrapKey",
+			Handler:    _KeyProviderService_WrapKey_Handler,
+		},
+		{
+			MethodName: "UnWrapKey",
+			Handler:    _KeyProviderService_UnWrapKey_Handler,
+		},
+	},
+	Streams:  []grpc.StreamDesc{},
+	Metadata: "keyprovider.proto",
+}
--- a/vendor/github.com/containers/ocicrypt/utils/keyprovider/keyprovider.proto
+++ b/vendor/github.com/containers/ocicrypt/utils/keyprovider/keyprovider.proto
@@ -0,0 +1,17 @@
+syntax = "proto3";
+
+package keyprovider;
+option go_package = "keyprovider";
+
+message keyProviderKeyWrapProtocolInput {
+    bytes KeyProviderKeyWrapProtocolInput = 1;
+}
+
+message keyProviderKeyWrapProtocolOutput {
+    bytes KeyProviderKeyWrapProtocolOutput = 1;
+}
+
+service KeyProviderService {
+    rpc WrapKey(keyProviderKeyWrapProtocolInput) returns (keyProviderKeyWrapProtocolOutput) {};
+    rpc UnWrapKey(keyProviderKeyWrapProtocolInput) returns (keyProviderKeyWrapProtocolOutput) {};
+}
--- a/vendor/github.com/containers/ocicrypt/utils/utils.go
+++ b/vendor/github.com/containers/ocicrypt/utils/utils.go
@@ -24,6 +24,8 @@ import (
 	"fmt"
 	"strings"

+	"github.com/containers/ocicrypt/crypto/pkcs11"
+
 	"github.com/pkg/errors"
 	"golang.org/x/crypto/openpgp"
 	json "gopkg.in/square/go-jose.v2"
@@ -55,6 +57,18 @@ func parseJWKPublicKey(privKey []byte, prefix string) (interface{}, error) {
 	return &jwk, nil
 }

+// parsePkcs11PrivateKeyYaml parses the input byte array as pkcs11 key file yaml format)
+func parsePkcs11PrivateKeyYaml(yaml []byte, prefix string) (*pkcs11.Pkcs11KeyFileObject, error) {
+	// if the URI does not have enough attributes, we will throw an error when decrypting
+	return pkcs11.ParsePkcs11KeyFile(yaml)
+}
+
+// parsePkcs11URIPublicKey parses the input byte array as a pkcs11 key file yaml
+func parsePkcs11PublicKeyYaml(yaml []byte, prefix string) (*pkcs11.Pkcs11KeyFileObject, error) {
+	// if the URI does not have enough attributes, we will throw an error when decrypting
+	return pkcs11.ParsePkcs11KeyFile(yaml)
+}
+
 // IsPasswordError checks whether an error is related to a missing or wrong
 // password
 func IsPasswordError(err error) bool {
@@ -102,6 +116,9 @@ func ParsePrivateKey(privKey, privKeyPassword []byte, prefix string) (interface{
 			}
 		} else {
 			key, err = parseJWKPrivateKey(privKey, prefix)
+			if err != nil {
+				key, err = parsePkcs11PrivateKeyYaml(privKey, prefix)
+			}
 		}
 	}
 	return key, err
@@ -114,6 +131,11 @@ func IsPrivateKey(data []byte, password []byte) (bool, error) {
 	return err == nil, err
 }

+// IsPkcs11PrivateKey returns true in case the given byte array represents a pkcs11 private key
+func IsPkcs11PrivateKey(data []byte) bool {
+	return pkcs11.IsPkcs11PrivateKey(data)
+}
+
 // ParsePublicKey tries to parse a public key in DER format first and
 // PEM format after, returning an error if the parsing failed
 func ParsePublicKey(pubKey []byte, prefix string) (interface{}, error) {
@@ -127,6 +149,9 @@ func ParsePublicKey(pubKey []byte, prefix string) (interface{}, error) {
 			}
 		} else {
 			key, err = parseJWKPublicKey(pubKey, prefix)
+			if err != nil {
+				key, err = parsePkcs11PublicKeyYaml(pubKey, prefix)
+			}
 		}
 	}
 	return key, err
@@ -138,6 +163,11 @@ func IsPublicKey(data []byte) bool {
 	return err == nil
 }

+// IsPkcs11PublicKey returns true in case the given byte array represents a pkcs11 public key
+func IsPkcs11PublicKey(data []byte) bool {
+	return pkcs11.IsPkcs11PublicKey(data)
+}
+
 // ParseCertificate tries to parse a public key in DER format first and
 // PEM format after, returning an error if the parsing failed
 func ParseCertificate(certBytes []byte, prefix string) (*x509.Certificate, error) {