fix(deps): update module github.com/containers/image/v5 to v5.25.0

Signed-off-by: Renovate Bot <bot@renovateapp.com>
2025-09-03 15:46:42 +00:00 · 2023-04-05 16:14:44 +00:00
parent c4dac7632c
commit b0d339f0fd
52 changed files with 940 additions and 389 deletions
--- a/vendor/github.com/sigstore/fulcio/pkg/certificate/extensions.go
+++ b/vendor/github.com/sigstore/fulcio/pkg/certificate/extensions.go
@@ -18,16 +18,40 @@ import (
 	"crypto/x509/pkix"
 	"encoding/asn1"
 	"errors"
+	"fmt"
 )

 var (
-	OIDIssuer                   = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 1}
-	OIDGitHubWorkflowTrigger    = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 2}
-	OIDGitHubWorkflowSHA        = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 3}
-	OIDGitHubWorkflowName       = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 4}
+	// Deprecated: Use OIDIssuerV2
+	OIDIssuer = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 1}
+	// Deprecated: Use OIDBuildTrigger
+	OIDGitHubWorkflowTrigger = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 2}
+	// Deprecated: Use OIDSourceRepositoryDigest
+	OIDGitHubWorkflowSHA = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 3}
+	// Deprecated: Use OIDBuildConfigURI or OIDBuildConfigDigest
+	OIDGitHubWorkflowName = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 4}
+	// Deprecated: Use SourceRepositoryURI
 	OIDGitHubWorkflowRepository = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 5}
-	OIDGitHubWorkflowRef        = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 6}
-	OIDOtherName                = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 7}
+	// Deprecated: Use OIDSourceRepositoryRef
+	OIDGitHubWorkflowRef = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 6}
+
+	OIDOtherName = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 7}
+	OIDIssuerV2  = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 8}
+
+	// CI extensions
+	OIDBuildSignerURI                  = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 9}
+	OIDBuildSignerDigest               = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 10}
+	OIDRunnerEnvironment               = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 11}
+	OIDSourceRepositoryURI             = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 12}
+	OIDSourceRepositoryDigest          = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 13}
+	OIDSourceRepositoryRef             = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 14}
+	OIDSourceRepositoryIdentifier      = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 15}
+	OIDSourceRepositoryOwnerURI        = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 16}
+	OIDSourceRepositoryOwnerIdentifier = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 17}
+	OIDBuildConfigURI                  = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 18}
+	OIDBuildConfigDigest               = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 19}
+	OIDBuildTrigger                    = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 20}
+	OIDRunInvocationURI                = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 21}
 )

 // Extensions contains all custom x509 extensions defined by Fulcio
@@ -39,33 +63,79 @@ type Extensions struct {
 	// a federated login like Dex it should match the issuer URL of the
 	// upstream issuer. The issuer is not set the extensions are invalid and
 	// will fail to render.
-	Issuer string // OID 1.3.6.1.4.1.57264.1.1
+	Issuer string // OID 1.3.6.1.4.1.57264.1.8 and 1.3.6.1.4.1.57264.1.1 (Deprecated)

+	// Deprecated
 	// Triggering event of the Github Workflow. Matches the `event_name` claim of ID
 	// tokens from Github Actions
 	GithubWorkflowTrigger string // OID 1.3.6.1.4.1.57264.1.2

+	// Deprecated
 	// SHA of git commit being built in Github Actions. Matches the `sha` claim of ID
 	// tokens from Github Actions
 	GithubWorkflowSHA string // OID 1.3.6.1.4.1.57264.1.3

+	// Deprecated
 	// Name of Github Actions Workflow. Matches the `workflow` claim of the ID
 	// tokens from Github Actions
 	GithubWorkflowName string // OID 1.3.6.1.4.1.57264.1.4

+	// Deprecated
 	// Repository of the Github Actions Workflow. Matches the `repository` claim of the ID
 	// tokens from Github Actions
 	GithubWorkflowRepository string // OID 1.3.6.1.4.1.57264.1.5

+	// Deprecated
 	// Git Ref of the Github Actions Workflow. Matches the `ref` claim of the ID tokens
 	// from Github Actions
 	GithubWorkflowRef string // 1.3.6.1.4.1.57264.1.6
+
+	// Reference to specific build instructions that are responsible for signing.
+	BuildSignerURI string // 1.3.6.1.4.1.57264.1.9
+
+	// Immutable reference to the specific version of the build instructions that is responsible for signing.
+	BuildSignerDigest string // 1.3.6.1.4.1.57264.1.10
+
+	// Specifies whether the build took place in platform-hosted cloud infrastructure or customer/self-hosted infrastructure.
+	RunnerEnvironment string // 1.3.6.1.4.1.57264.1.11
+
+	// Source repository URL that the build was based on.
+	SourceRepositoryURI string // 1.3.6.1.4.1.57264.1.12
+
+	// Immutable reference to a specific version of the source code that the build was based upon.
+	SourceRepositoryDigest string // 1.3.6.1.4.1.57264.1.13
+
+	// Source Repository Ref that the build run was based upon.
+	SourceRepositoryRef string // 1.3.6.1.4.1.57264.1.14
+
+	// Immutable identifier for the source repository the workflow was based upon.
+	SourceRepositoryIdentifier string // 1.3.6.1.4.1.57264.1.15
+
+	// Source repository owner URL of the owner of the source repository that the build was based on.
+	SourceRepositoryOwnerURI string // 1.3.6.1.4.1.57264.1.16
+
+	// Immutable identifier for the owner of the source repository that the workflow was based upon.
+	SourceRepositoryOwnerIdentifier string // 1.3.6.1.4.1.57264.1.17
+
+	// Build Config URL to the top-level/initiating build instructions.
+	BuildConfigURI string // 1.3.6.1.4.1.57264.1.18
+
+	// Immutable reference to the specific version of the top-level/initiating build instructions.
+	BuildConfigDigest string // 1.3.6.1.4.1.57264.1.19
+
+	// Event or action that initiated the build.
+	BuildTrigger string // 1.3.6.1.4.1.57264.1.20
+
+	// Run Invocation URL to uniquely identify the build execution.
+	RunInvocationURI string // 1.3.6.1.4.1.57264.1.21
 }

 func (e Extensions) Render() ([]pkix.Extension, error) {
 	var exts []pkix.Extension

+	// BEGIN: Deprecated
 	if e.Issuer != "" {
+		// deprecated issuer extension due to incorrect encoding
 		exts = append(exts, pkix.Extension{
 			Id:    OIDIssuer,
 			Value: []byte(e.Issuer),
@@ -103,14 +173,163 @@ func (e Extensions) Render() ([]pkix.Extension, error) {
 			Value: []byte(e.GithubWorkflowRef),
 		})
 	}
+	// END: Deprecated
+
+	// duplicate issuer with correct RFC 5280 encoding
+	if e.Issuer != "" {
+		// construct DER encoding of issuer string
+		val, err := asn1.MarshalWithParams(e.Issuer, "utf8")
+		if err != nil {
+			return nil, err
+		}
+		exts = append(exts, pkix.Extension{
+			Id:    OIDIssuerV2,
+			Value: val,
+		})
+	} else {
+		return nil, errors.New("extensions must have a non-empty issuer url")
+	}
+
+	if e.BuildSignerURI != "" {
+		val, err := asn1.MarshalWithParams(e.BuildSignerURI, "utf8")
+		if err != nil {
+			return nil, err
+		}
+		exts = append(exts, pkix.Extension{
+			Id:    OIDBuildSignerURI,
+			Value: val,
+		})
+	}
+	if e.BuildSignerDigest != "" {
+		val, err := asn1.MarshalWithParams(e.BuildSignerDigest, "utf8")
+		if err != nil {
+			return nil, err
+		}
+		exts = append(exts, pkix.Extension{
+			Id:    OIDBuildSignerDigest,
+			Value: val,
+		})
+	}
+	if e.RunnerEnvironment != "" {
+		val, err := asn1.MarshalWithParams(e.RunnerEnvironment, "utf8")
+		if err != nil {
+			return nil, err
+		}
+		exts = append(exts, pkix.Extension{
+			Id:    OIDRunnerEnvironment,
+			Value: val,
+		})
+	}
+	if e.SourceRepositoryURI != "" {
+		val, err := asn1.MarshalWithParams(e.SourceRepositoryURI, "utf8")
+		if err != nil {
+			return nil, err
+		}
+		exts = append(exts, pkix.Extension{
+			Id:    OIDSourceRepositoryURI,
+			Value: val,
+		})
+	}
+	if e.SourceRepositoryDigest != "" {
+		val, err := asn1.MarshalWithParams(e.SourceRepositoryDigest, "utf8")
+		if err != nil {
+			return nil, err
+		}
+		exts = append(exts, pkix.Extension{
+			Id:    OIDSourceRepositoryDigest,
+			Value: val,
+		})
+	}
+	if e.SourceRepositoryRef != "" {
+		val, err := asn1.MarshalWithParams(e.SourceRepositoryRef, "utf8")
+		if err != nil {
+			return nil, err
+		}
+		exts = append(exts, pkix.Extension{
+			Id:    OIDSourceRepositoryRef,
+			Value: val,
+		})
+	}
+	if e.SourceRepositoryIdentifier != "" {
+		val, err := asn1.MarshalWithParams(e.SourceRepositoryIdentifier, "utf8")
+		if err != nil {
+			return nil, err
+		}
+		exts = append(exts, pkix.Extension{
+			Id:    OIDSourceRepositoryIdentifier,
+			Value: val,
+		})
+	}
+	if e.SourceRepositoryOwnerURI != "" {
+		val, err := asn1.MarshalWithParams(e.SourceRepositoryOwnerURI, "utf8")
+		if err != nil {
+			return nil, err
+		}
+		exts = append(exts, pkix.Extension{
+			Id:    OIDSourceRepositoryOwnerURI,
+			Value: val,
+		})
+	}
+	if e.SourceRepositoryOwnerIdentifier != "" {
+		val, err := asn1.MarshalWithParams(e.SourceRepositoryOwnerIdentifier, "utf8")
+		if err != nil {
+			return nil, err
+		}
+		exts = append(exts, pkix.Extension{
+			Id:    OIDSourceRepositoryOwnerIdentifier,
+			Value: val,
+		})
+	}
+	if e.BuildConfigURI != "" {
+		val, err := asn1.MarshalWithParams(e.BuildConfigURI, "utf8")
+		if err != nil {
+			return nil, err
+		}
+		exts = append(exts, pkix.Extension{
+			Id:    OIDBuildConfigURI,
+			Value: val,
+		})
+	}
+	if e.BuildConfigDigest != "" {
+		val, err := asn1.MarshalWithParams(e.BuildConfigDigest, "utf8")
+		if err != nil {
+			return nil, err
+		}
+		exts = append(exts, pkix.Extension{
+			Id:    OIDBuildConfigDigest,
+			Value: val,
+		})
+	}
+	if e.BuildTrigger != "" {
+		val, err := asn1.MarshalWithParams(e.BuildTrigger, "utf8")
+		if err != nil {
+			return nil, err
+		}
+		exts = append(exts, pkix.Extension{
+			Id:    OIDBuildTrigger,
+			Value: val,
+		})
+	}
+	if e.RunInvocationURI != "" {
+		val, err := asn1.MarshalWithParams(e.RunInvocationURI, "utf8")
+		if err != nil {
+			return nil, err
+		}
+		exts = append(exts, pkix.Extension{
+			Id:    OIDRunInvocationURI,
+			Value: val,
+		})
+	}
+
 	return exts, nil
 }

-func ParseExtensions(ext []pkix.Extension) (Extensions, error) {
+func parseExtensions(ext []pkix.Extension) (Extensions, error) {
 	out := Extensions{}

 	for _, e := range ext {
 		switch {
+		// BEGIN: Deprecated
 		case e.Id.Equal(OIDIssuer):
 			out.Issuer = string(e.Value)
 		case e.Id.Equal(OIDGitHubWorkflowTrigger):
@@ -123,6 +342,63 @@ func ParseExtensions(ext []pkix.Extension) (Extensions, error) {
 			out.GithubWorkflowRepository = string(e.Value)
 		case e.Id.Equal(OIDGitHubWorkflowRef):
 			out.GithubWorkflowRef = string(e.Value)
+		// END: Deprecated
+		case e.Id.Equal(OIDIssuerV2):
+			if err := parseDERString(e.Value, &out.Issuer); err != nil {
+				return Extensions{}, err
+			}
+		case e.Id.Equal(OIDBuildSignerURI):
+			if err := parseDERString(e.Value, &out.BuildSignerURI); err != nil {
+				return Extensions{}, err
+			}
+		case e.Id.Equal(OIDBuildSignerDigest):
+			if err := parseDERString(e.Value, &out.BuildSignerDigest); err != nil {
+				return Extensions{}, err
+			}
+		case e.Id.Equal(OIDRunnerEnvironment):
+			if err := parseDERString(e.Value, &out.RunnerEnvironment); err != nil {
+				return Extensions{}, err
+			}
+		case e.Id.Equal(OIDSourceRepositoryURI):
+			if err := parseDERString(e.Value, &out.SourceRepositoryURI); err != nil {
+				return Extensions{}, err
+			}
+		case e.Id.Equal(OIDSourceRepositoryDigest):
+			if err := parseDERString(e.Value, &out.SourceRepositoryDigest); err != nil {
+				return Extensions{}, err
+			}
+		case e.Id.Equal(OIDSourceRepositoryRef):
+			if err := parseDERString(e.Value, &out.SourceRepositoryRef); err != nil {
+				return Extensions{}, err
+			}
+		case e.Id.Equal(OIDSourceRepositoryIdentifier):
+			if err := parseDERString(e.Value, &out.SourceRepositoryIdentifier); err != nil {
+				return Extensions{}, err
+			}
+		case e.Id.Equal(OIDSourceRepositoryOwnerURI):
+			if err := parseDERString(e.Value, &out.SourceRepositoryOwnerURI); err != nil {
+				return Extensions{}, err
+			}
+		case e.Id.Equal(OIDSourceRepositoryOwnerIdentifier):
+			if err := parseDERString(e.Value, &out.SourceRepositoryOwnerIdentifier); err != nil {
+				return Extensions{}, err
+			}
+		case e.Id.Equal(OIDBuildConfigURI):
+			if err := parseDERString(e.Value, &out.BuildConfigURI); err != nil {
+				return Extensions{}, err
+			}
+		case e.Id.Equal(OIDBuildConfigDigest):
+			if err := parseDERString(e.Value, &out.BuildConfigDigest); err != nil {
+				return Extensions{}, err
+			}
+		case e.Id.Equal(OIDBuildTrigger):
+			if err := parseDERString(e.Value, &out.BuildTrigger); err != nil {
+				return Extensions{}, err
+			}
+		case e.Id.Equal(OIDRunInvocationURI):
+			if err := parseDERString(e.Value, &out.RunInvocationURI); err != nil {
+				return Extensions{}, err
+			}
 		}
 	}

@@ -130,3 +406,16 @@ func ParseExtensions(ext []pkix.Extension) (Extensions, error) {
 	// more complex parsing of fields in a backwards compatible way if needed.
 	return out, nil
 }
+
+// parseDERString decodes a DER-encoded string and puts the value in parsedVal.
+// Rerturns an error if the unmarshalling fails or if there are trailing bytes in the encoding.
+func parseDERString(val []byte, parsedVal *string) error {
+	rest, err := asn1.Unmarshal(val, parsedVal)
+	if err != nil {
+		return fmt.Errorf("unexpected error unmarshalling DER-encoded string: %v", err)
+	}
+	if len(rest) != 0 {
+		return errors.New("unexpected trailing bytes in DER-encoded string")
+	}
+	return nil
+}