fix(deps): update module github.com/containers/image/v5 to v5.33.0

Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: Miloslav Trmač <mitr@redhat.com>

vendor/github.com/sigstore/fulcio/pkg/certificate/extensions.go

@@ -69,69 +69,69 @@ type Extensions struct {
 	// Deprecated
 	// Triggering event of the Github Workflow. Matches the `event_name` claim of ID
 	// tokens from Github Actions
-	GithubWorkflowTrigger string // OID 1.3.6.1.4.1.57264.1.2
+	GithubWorkflowTrigger string `json:"GithubWorkflowTrigger,omitempty" yaml:"github-workflow-trigger,omitempty"` // OID 1.3.6.1.4.1.57264.1.2
 
 	// Deprecated
 	// SHA of git commit being built in Github Actions. Matches the `sha` claim of ID
 	// tokens from Github Actions
-	GithubWorkflowSHA string // OID 1.3.6.1.4.1.57264.1.3
+	GithubWorkflowSHA string `json:"GithubWorkflowSHA,omitempty" yaml:"github-workflow-sha,omitempty"` // OID 1.3.6.1.4.1.57264.1.3
 
 	// Deprecated
 	// Name of Github Actions Workflow. Matches the `workflow` claim of the ID
 	// tokens from Github Actions
-	GithubWorkflowName string // OID 1.3.6.1.4.1.57264.1.4
+	GithubWorkflowName string `json:"GithubWorkflowName,omitempty" yaml:"github-workflow-name,omitempty"` // OID 1.3.6.1.4.1.57264.1.4
 
 	// Deprecated
 	// Repository of the Github Actions Workflow. Matches the `repository` claim of the ID
 	// tokens from Github Actions
-	GithubWorkflowRepository string // OID 1.3.6.1.4.1.57264.1.5
+	GithubWorkflowRepository string `json:"GithubWorkflowRepository,omitempty" yaml:"github-workflow-repository,omitempty"` // OID 1.3.6.1.4.1.57264.1.5
 
 	// Deprecated
 	// Git Ref of the Github Actions Workflow. Matches the `ref` claim of the ID tokens
 	// from Github Actions
-	GithubWorkflowRef string // 1.3.6.1.4.1.57264.1.6
+	GithubWorkflowRef string `json:"GithubWorkflowRef,omitempty" yaml:"github-workflow-ref,omitempty"` // 1.3.6.1.4.1.57264.1.6
 
 	// Reference to specific build instructions that are responsible for signing.
-	BuildSignerURI string // 1.3.6.1.4.1.57264.1.9
+	BuildSignerURI string `json:"BuildSignerURI,omitempty" yaml:"build-signer-uri,omitempty"` // 1.3.6.1.4.1.57264.1.9
 
 	// Immutable reference to the specific version of the build instructions that is responsible for signing.
-	BuildSignerDigest string // 1.3.6.1.4.1.57264.1.10
+	BuildSignerDigest string `json:"BuildSignerDigest,omitempty" yaml:"build-signer-digest,omitempty"` // 1.3.6.1.4.1.57264.1.10
 
 	// Specifies whether the build took place in platform-hosted cloud infrastructure or customer/self-hosted infrastructure.
-	RunnerEnvironment string // 1.3.6.1.4.1.57264.1.11
+	RunnerEnvironment string `json:"RunnerEnvironment,omitempty" yaml:"runner-environment,omitempty"` // 1.3.6.1.4.1.57264.1.11
 
 	// Source repository URL that the build was based on.
-	SourceRepositoryURI string // 1.3.6.1.4.1.57264.1.12
+	SourceRepositoryURI string `json:"SourceRepositoryURI,omitempty" yaml:"source-repository-uri,omitempty"` // 1.3.6.1.4.1.57264.1.12
 
 	// Immutable reference to a specific version of the source code that the build was based upon.
-	SourceRepositoryDigest string // 1.3.6.1.4.1.57264.1.13
+	SourceRepositoryDigest string `json:"SourceRepositoryDigest,omitempty" yaml:"source-repository-digest,omitempty"` // 1.3.6.1.4.1.57264.1.13
 
 	// Source Repository Ref that the build run was based upon.
-	SourceRepositoryRef string // 1.3.6.1.4.1.57264.1.14
+	SourceRepositoryRef string `json:"SourceRepositoryRef,omitempty" yaml:"source-repository-ref,omitempty"` // 1.3.6.1.4.1.57264.1.14
 
 	// Immutable identifier for the source repository the workflow was based upon.
-	SourceRepositoryIdentifier string // 1.3.6.1.4.1.57264.1.15
+	SourceRepositoryIdentifier string `json:"SourceRepositoryIdentifier,omitempty" yaml:"source-repository-identifier,omitempty"` // 1.3.6.1.4.1.57264.1.15
 
 	// Source repository owner URL of the owner of the source repository that the build was based on.
-	SourceRepositoryOwnerURI string // 1.3.6.1.4.1.57264.1.16
+	SourceRepositoryOwnerURI string `json:"SourceRepositoryOwnerURI,omitempty" yaml:"source-repository-owner-uri,omitempty"` // 1.3.6.1.4.1.57264.1.16
 
 	// Immutable identifier for the owner of the source repository that the workflow was based upon.
-	SourceRepositoryOwnerIdentifier string // 1.3.6.1.4.1.57264.1.17
+	SourceRepositoryOwnerIdentifier string `json:"SourceRepositoryOwnerIdentifier,omitempty" yaml:"source-repository-owner-identifier,omitempty"` // 1.3.6.1.4.1.57264.1.17
 
 	// Build Config URL to the top-level/initiating build instructions.
-	BuildConfigURI string // 1.3.6.1.4.1.57264.1.18
+	BuildConfigURI string `json:"BuildConfigURI,omitempty" yaml:"build-config-uri,omitempty"` // 1.3.6.1.4.1.57264.1.18
 
 	// Immutable reference to the specific version of the top-level/initiating build instructions.
-	BuildConfigDigest string // 1.3.6.1.4.1.57264.1.19
+	BuildConfigDigest string `json:"BuildConfigDigest,omitempty" yaml:"build-config-digest,omitempty"` // 1.3.6.1.4.1.57264.1.19
 
 	// Event or action that initiated the build.
-	BuildTrigger string // 1.3.6.1.4.1.57264.1.20
+	BuildTrigger string `json:"BuildTrigger,omitempty" yaml:"build-trigger,omitempty"` // 1.3.6.1.4.1.57264.1.20
 
 	// Run Invocation URL to uniquely identify the build execution.
-	RunInvocationURI string // 1.3.6.1.4.1.57264.1.21
+	RunInvocationURI string `json:"RunInvocationURI,omitempty" yaml:"run-invocation-uri,omitempty"` // 1.3.6.1.4.1.57264.1.21
 
 	// Source repository visibility at the time of signing the certificate.
-	SourceRepositoryVisibilityAtSigning string // 1.3.6.1.4.1.57264.1.22
+	SourceRepositoryVisibilityAtSigning string `json:"SourceRepositoryVisibilityAtSigning,omitempty" yaml:"source-repository-visibility-at-signing,omitempty"` // 1.3.6.1.4.1.57264.1.22
 }
 
 func (e Extensions) Render() ([]pkix.Extension, error) {

vendor/github.com/sigstore/sigstore/pkg/cryptoutils/publickey.go

@@ -20,7 +20,6 @@ import (
 	"crypto"
 	"crypto/ecdsa"
 	"crypto/ed25519"
-	"crypto/elliptic"
 	"crypto/rsa"
 	"crypto/sha1" // nolint:gosec
 	"crypto/x509"
@@ -104,15 +103,15 @@ func EqualKeys(first, second crypto.PublicKey) error {
 	switch pub := first.(type) {
 	case *rsa.PublicKey:
 		if !pub.Equal(second) {
-			return fmt.Errorf(genErrMsg(first, second, "rsa"))
+			return errors.New(genErrMsg(first, second, "rsa"))
 		}
 	case *ecdsa.PublicKey:
 		if !pub.Equal(second) {
-			return fmt.Errorf(genErrMsg(first, second, "ecdsa"))
+			return errors.New(genErrMsg(first, second, "ecdsa"))
 		}
 	case ed25519.PublicKey:
 		if !pub.Equal(second) {
-			return fmt.Errorf(genErrMsg(first, second, "ed25519"))
+			return errors.New(genErrMsg(first, second, "ed25519"))
 		}
 	default:
 		return errors.New("unsupported key type")
@@ -137,47 +136,50 @@ func genErrMsg(first, second crypto.PublicKey, keyType string) string {
 
 // ValidatePubKey validates the parameters of an RSA, ECDSA, or ED25519 public key.
 func ValidatePubKey(pub crypto.PublicKey) error {
+	// goodkey policy enforces:
+	// * RSA
+	//   * Size of key: 2048 <= size <= 4096, size % 8 = 0
+	//   * Exponent E = 65537 (Default exponent for OpenSSL and Golang)
+	//   * Small primes check for modulus
+	//   * Weak keys generated by Infineon hardware (see https://crocs.fi.muni.cz/public/papers/rsa_ccs17)
+	//   * Key is easily factored with Fermat's factorization method
+	// * EC
+	//   * Public key Q is not the identity element (Ø)
+	//   * Public key Q's x and y are within [0, p-1]
+	//   * Public key Q is on the curve
+	//   * Public key Q's order matches the subgroups (nQ = Ø)
+	allowedKeys := &goodkey.AllowedKeys{
+		RSA2048:   true,
+		RSA3072:   true,
+		RSA4096:   true,
+		ECDSAP256: true,
+		ECDSAP384: true,
+		ECDSAP521: true,
+	}
+	cfg := &goodkey.Config{
+		FermatRounds: 100,
+		AllowedKeys:  allowedKeys,
+	}
+	p, err := goodkey.NewPolicy(cfg, nil)
+	if err != nil {
+		// Should not occur, only chances to return errors are if fermat rounds
+		// are <0 or when loading blocked/weak keys from disk (not used here)
+		return errors.New("unable to initialize key policy")
+	}
+
 	switch pk := pub.(type) {
 	case *rsa.PublicKey:
-		// goodkey policy enforces:
-		// * Size of key: 2048 <= size <= 4096, size % 8 = 0
-		// * Exponent E = 65537 (Default exponent for OpenSSL and Golang)
-		// * Small primes check for modulus
-		// * Weak keys generated by Infineon hardware (see https://crocs.fi.muni.cz/public/papers/rsa_ccs17)
-		// * Key is easily factored with Fermat's factorization method
-		p, err := goodkey.NewKeyPolicy(&goodkey.Config{FermatRounds: 100}, nil)
-		if err != nil {
-			// Should not occur, only chances to return errors are if fermat rounds
-			// are <0 or when loading blocked/weak keys from disk (not used here)
-			return errors.New("unable to initialize key policy")
-		}
 		// ctx is unused
 		return p.GoodKey(context.Background(), pub)
 	case *ecdsa.PublicKey:
-		// Unable to use goodkey policy because P-521 curve is not supported
-		return validateEcdsaKey(pk)
+		// ctx is unused
+		return p.GoodKey(context.Background(), pub)
 	case ed25519.PublicKey:
 		return validateEd25519Key(pk)
 	}
 	return errors.New("unsupported public key type")
 }
 
-// Enforce that the ECDSA key curve is one of:
-// * NIST P-256 (secp256r1, prime256v1)
-// * NIST P-384
-// * NIST P-521.
-// Other EC curves, like secp256k1, are not supported by Go.
-func validateEcdsaKey(pub *ecdsa.PublicKey) error {
-	switch pub.Curve {
-	case elliptic.P224():
-		return fmt.Errorf("unsupported ec curve, expected NIST P-256, P-384, or P-521")
-	case elliptic.P256(), elliptic.P384(), elliptic.P521():
-		return nil
-	default:
-		return fmt.Errorf("unexpected ec curve")
-	}
-}
-
 // No validations currently, ED25519 supports only one key size.
 func validateEd25519Key(_ ed25519.PublicKey) error {
 	return nil

vendor/github.com/sigstore/sigstore/pkg/oauthflow/device.go

@@ -135,8 +135,9 @@ func (d *DeviceFlowTokenGetter) deviceFlow(p *oidc.Provider, clientID, redirectU
 		// Some providers use a secret here, we don't need for sigstore oauth one so leave it off.
 		data := url.Values{
 			"grant_type":    []string{"urn:ietf:params:oauth:grant-type:device_code"},
+			"client_id":     []string{clientID},
 			"device_code":   []string{parsed.DeviceCode},
-			"scope":         []string{"openid", "email"},
+			"scope":         []string{"openid email"},
 			"code_verifier": []string{pkce.Value},
 		}
 

vendor/github.com/sigstore/sigstore/pkg/oauthflow/flow.go

@@ -114,10 +114,24 @@ func OIDConnect(issuer, id, secret, redirectURL string, tg TokenGetter) (*OIDCID
 	return tg.GetIDToken(provider, config)
 }
 
+type stringAsBool bool
+
+func (sb *stringAsBool) UnmarshalJSON(b []byte) error {
+	switch string(b) {
+	case "true", `"true"`, "True", `"True"`:
+		*sb = true
+	case "false", `"false"`, "False", `"False"`:
+		*sb = false
+	default:
+		return errors.New("invalid value for boolean")
+	}
+	return nil
+}
+
 type claims struct {
-	Email    string `json:"email"`
-	Verified bool   `json:"email_verified"`
-	Subject  string `json:"sub"`
+	Email    string       `json:"email"`
+	Verified stringAsBool `json:"email_verified"`
+	Subject  string       `json:"sub"`
 }
 
 // SubjectFromToken extracts the subject claim from an OIDC Identity Token
@@ -129,6 +143,16 @@ func SubjectFromToken(tok *oidc.IDToken) (string, error) {
 	return subjectFromClaims(claims)
 }
 
+// SubjectFromUnverifiedToken extracts the subject claim from the raw bytes of
+// an OIDC identity token.
+func SubjectFromUnverifiedToken(tok []byte) (string, error) {
+	claims := claims{}
+	if err := json.Unmarshal(tok, &claims); err != nil {
+		return "", err
+	}
+	return subjectFromClaims(claims)
+}
+
 func subjectFromClaims(c claims) (string, error) {
 	if c.Email != "" {
 		if !c.Verified {