mirror of
https://github.com/containers/skopeo.git
synced 2026-07-06 10:05:41 +00:00
Compare commits
8 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
|
a6ee5f92f8 | ||
|
|
c4a14c6d01 | ||
|
|
fb0302daea | ||
|
|
f4c9af64cb | ||
|
|
45c0a85e35 | ||
|
|
bfd0850f06 | ||
|
|
582ee15bbb | ||
|
|
89cbcbf9c6 |
259
.cirrus.yml
259
.cirrus.yml
@@ -1,259 +0,0 @@
|
|||||||
---
|
|
||||||
|
|
||||||
# Main collection of env. vars to set for all tasks and scripts.
|
|
||||||
env:
|
|
||||||
####
|
|
||||||
#### Global variables used for all tasks
|
|
||||||
####
|
|
||||||
# Name of the ultimate destination branch for this CI run, PR or post-merge.
|
|
||||||
DEST_BRANCH: "main"
|
|
||||||
# Overrides default location (/tmp/cirrus) for repo clone
|
|
||||||
GOPATH: &gopath "/var/tmp/go"
|
|
||||||
GOBIN: "${GOPATH}/bin"
|
|
||||||
GOCACHE: "${GOPATH}/cache"
|
|
||||||
GOSRC: &gosrc "/var/tmp/go/src/github.com/containers/skopeo"
|
|
||||||
# Required for consistency with containers/image CI
|
|
||||||
SKOPEO_PATH: *gosrc
|
|
||||||
CIRRUS_WORKING_DIR: *gosrc
|
|
||||||
# The default is 'sh' if unspecified
|
|
||||||
CIRRUS_SHELL: "/bin/bash"
|
|
||||||
# Save a little typing (path relative to $CIRRUS_WORKING_DIR)
|
|
||||||
SCRIPT_BASE: "./contrib/cirrus"
|
|
||||||
|
|
||||||
# Google-cloud VM Images
|
|
||||||
IMAGE_SUFFIX: "c20250131t121915z-f41f40d13"
|
|
||||||
FEDORA_CACHE_IMAGE_NAME: "fedora-${IMAGE_SUFFIX}"
|
|
||||||
|
|
||||||
# Container FQIN's
|
|
||||||
FEDORA_CONTAINER_FQIN: "quay.io/libpod/fedora_podman:${IMAGE_SUFFIX}"
|
|
||||||
|
|
||||||
# Built along with the standard PR-based workflow in c/automation_images
|
|
||||||
SKOPEO_CIDEV_CONTAINER_FQIN: "quay.io/libpod/skopeo_cidev:${IMAGE_SUFFIX}"
|
|
||||||
|
|
||||||
|
|
||||||
# Default timeout for each task
|
|
||||||
timeout_in: 45m
|
|
||||||
|
|
||||||
|
|
||||||
gcp_credentials: ENCRYPTED[52d9e807b531b37ab14e958cb5a72499460663f04c8d73e22ad608c027a31118420f1c80f0be0882fbdf96f49d8f9ac0]
|
|
||||||
|
|
||||||
|
|
||||||
validate_task:
|
|
||||||
# The git-validation tool doesn't work well on branch or tag push,
|
|
||||||
# under Cirrus-CI, due to challenges obtaining the starting commit ID.
|
|
||||||
# Only do validation for PRs.
|
|
||||||
only_if: &is_pr $CIRRUS_PR != ''
|
|
||||||
container:
|
|
||||||
image: '${SKOPEO_CIDEV_CONTAINER_FQIN}'
|
|
||||||
cpu: 4
|
|
||||||
memory: 8
|
|
||||||
setup_script: |
|
|
||||||
make tools
|
|
||||||
test_script: |
|
|
||||||
make validate-local
|
|
||||||
make vendor && hack/tree_status.sh
|
|
||||||
|
|
||||||
doccheck_task:
|
|
||||||
only_if: *is_pr
|
|
||||||
depends_on:
|
|
||||||
- validate
|
|
||||||
container:
|
|
||||||
image: "${FEDORA_CONTAINER_FQIN}"
|
|
||||||
cpu: 4
|
|
||||||
memory: 8
|
|
||||||
env:
|
|
||||||
BUILDTAGS: &withopengpg 'btrfs_noversion libdm_no_deferred_remove containers_image_openpgp'
|
|
||||||
script: |
|
|
||||||
# TODO: Can't use 'runner.sh setup' inside container. However,
|
|
||||||
# removing the pre-installed package is the only necessary step
|
|
||||||
# at the time of this comment.
|
|
||||||
dnf remove -y skopeo # Guarantee non-interference
|
|
||||||
"${SKOPEO_PATH}/${SCRIPT_BASE}/runner.sh" build
|
|
||||||
"${SKOPEO_PATH}/${SCRIPT_BASE}/runner.sh" doccheck
|
|
||||||
|
|
||||||
osx_task:
|
|
||||||
# Don't run for docs-only builds.
|
|
||||||
# Also don't run on release-branches or their PRs,
|
|
||||||
# since base container-image is not version-constrained.
|
|
||||||
only_if: ¬_docs_or_release_branch >-
|
|
||||||
($CIRRUS_BASE_BRANCH == $CIRRUS_DEFAULT_BRANCH ||
|
|
||||||
$CIRRUS_BRANCH == $CIRRUS_DEFAULT_BRANCH ) &&
|
|
||||||
$CIRRUS_CHANGE_TITLE !=~ '.*CI:DOCS.*'
|
|
||||||
depends_on:
|
|
||||||
- validate
|
|
||||||
persistent_worker: &mac_pw
|
|
||||||
labels:
|
|
||||||
os: darwin
|
|
||||||
arch: arm64
|
|
||||||
purpose: prod
|
|
||||||
env:
|
|
||||||
CIRRUS_WORKING_DIR: "$HOME/ci/task-${CIRRUS_TASK_ID}"
|
|
||||||
# Prevent cache-pollution fron one task to the next.
|
|
||||||
GOPATH: "$CIRRUS_WORKING_DIR/.go"
|
|
||||||
GOCACHE: "$CIRRUS_WORKING_DIR/.go/cache"
|
|
||||||
GOENV: "$CIRRUS_WORKING_DIR/.go/support"
|
|
||||||
GOSRC: "$HOME/ci/task-${CIRRUS_TASK_ID}"
|
|
||||||
TMPDIR: "/private/tmp/ci"
|
|
||||||
# This host is/was shared with potentially many other CI tasks.
|
|
||||||
# The previous task may have been canceled or aborted.
|
|
||||||
prep_script: &mac_cleanup "contrib/cirrus/mac_cleanup.sh"
|
|
||||||
test_script:
|
|
||||||
- export PATH=$GOPATH/bin:$PATH
|
|
||||||
- go version
|
|
||||||
- go env
|
|
||||||
- make tools
|
|
||||||
- make validate-local test-unit-local bin/skopeo
|
|
||||||
- bin/skopeo -v
|
|
||||||
# This host is/was shared with potentially many other CI tasks.
|
|
||||||
# Ensure nothing is left running while waiting for the next task.
|
|
||||||
always:
|
|
||||||
task_cleanup_script: *mac_cleanup
|
|
||||||
|
|
||||||
|
|
||||||
cross_task:
|
|
||||||
alias: cross
|
|
||||||
only_if: >-
|
|
||||||
$CIRRUS_CHANGE_TITLE !=~ '.*CI:DOCS.*'
|
|
||||||
depends_on:
|
|
||||||
- validate
|
|
||||||
gce_instance: &standardvm
|
|
||||||
image_project: libpod-218412
|
|
||||||
zone: "us-central1-f"
|
|
||||||
cpu: 2
|
|
||||||
memory: "4Gb"
|
|
||||||
# Required to be 200gig, do not modify - has i/o performance impact
|
|
||||||
# according to gcloud CLI tool warning messages.
|
|
||||||
disk: 200
|
|
||||||
image_name: ${FEDORA_CACHE_IMAGE_NAME}
|
|
||||||
env:
|
|
||||||
BUILDTAGS: *withopengpg
|
|
||||||
setup_script: >-
|
|
||||||
"${GOSRC}/${SCRIPT_BASE}/runner.sh" setup
|
|
||||||
cross_script: >-
|
|
||||||
"${GOSRC}/${SCRIPT_BASE}/runner.sh" cross
|
|
||||||
|
|
||||||
|
|
||||||
ostree-rs-ext_task:
|
|
||||||
alias: proxy_ostree_ext
|
|
||||||
only_if: *not_docs_or_release_branch
|
|
||||||
# WARNING: This task potentially performs a container image
|
|
||||||
# build (on change) with runtime package installs. Therefore,
|
|
||||||
# its behavior can be unpredictable and potentially flake-prone.
|
|
||||||
# In case of emergency, uncomment the next statement to bypass.
|
|
||||||
#
|
|
||||||
# skip: $CI == "true"
|
|
||||||
#
|
|
||||||
depends_on:
|
|
||||||
- validate
|
|
||||||
# Ref: https://cirrus-ci.org/guide/docker-builder-vm/#dockerfile-as-a-ci-environment
|
|
||||||
container:
|
|
||||||
# The runtime image will be rebuilt on change
|
|
||||||
dockerfile: contrib/cirrus/ostree_ext.dockerfile
|
|
||||||
docker_arguments: # required build-args
|
|
||||||
BASE_FQIN: quay.io/coreos-assembler/fcos-buildroot:testing-devel
|
|
||||||
CIRRUS_IMAGE_VERSION: 3
|
|
||||||
env:
|
|
||||||
EXT_REPO_NAME: ostree-rs-ext
|
|
||||||
EXT_REPO_HOME: $CIRRUS_WORKING_DIR/../$EXT_REPO_NAME
|
|
||||||
EXT_REPO: https://github.com/ostreedev/${EXT_REPO_NAME}.git
|
|
||||||
skopeo_build_script:
|
|
||||||
- dnf builddep -y skopeo
|
|
||||||
- make
|
|
||||||
- make install
|
|
||||||
proxy_ostree_ext_build_script:
|
|
||||||
- git clone --depth 1 $EXT_REPO $EXT_REPO_HOME
|
|
||||||
- cd $EXT_REPO_HOME
|
|
||||||
- cargo test --no-run
|
|
||||||
proxy_ostree_ext_test_script:
|
|
||||||
- cd $EXT_REPO_HOME
|
|
||||||
- cargo test -- --nocapture --quiet
|
|
||||||
|
|
||||||
|
|
||||||
#####
|
|
||||||
##### NOTE: This task is subtantially duplicated in the containers/image
|
|
||||||
##### repository's `.cirrus.yml`. Changes made here should be fully merged
|
|
||||||
##### prior to being manually duplicated and maintained in containers/image.
|
|
||||||
#####
|
|
||||||
test_skopeo_task:
|
|
||||||
alias: test_skopeo
|
|
||||||
# Don't test for [CI:DOCS], [CI:BUILD].
|
|
||||||
only_if: >-
|
|
||||||
$CIRRUS_CHANGE_TITLE !=~ '.*CI:BUILD.*' &&
|
|
||||||
$CIRRUS_CHANGE_TITLE !=~ '.*CI:DOCS.*'
|
|
||||||
depends_on:
|
|
||||||
- validate
|
|
||||||
gce_instance:
|
|
||||||
image_project: libpod-218412
|
|
||||||
zone: "us-central1-f"
|
|
||||||
cpu: 2
|
|
||||||
memory: "4Gb"
|
|
||||||
# Required to be 200gig, do not modify - has i/o performance impact
|
|
||||||
# according to gcloud CLI tool warning messages.
|
|
||||||
disk: 200
|
|
||||||
image_name: ${FEDORA_CACHE_IMAGE_NAME}
|
|
||||||
matrix:
|
|
||||||
- name: "Skopeo Test" # N/B: Name ref. by hack/get_fqin.sh
|
|
||||||
env:
|
|
||||||
BUILDTAGS: 'btrfs_noversion libdm_no_deferred_remove'
|
|
||||||
- name: "Skopeo Test w/ opengpg"
|
|
||||||
env:
|
|
||||||
BUILDTAGS: *withopengpg
|
|
||||||
setup_script: >-
|
|
||||||
"${GOSRC}/${SCRIPT_BASE}/runner.sh" setup
|
|
||||||
vendor_script: >-
|
|
||||||
"${SKOPEO_PATH}/${SCRIPT_BASE}/runner.sh" vendor
|
|
||||||
build_script: >-
|
|
||||||
"${SKOPEO_PATH}/${SCRIPT_BASE}/runner.sh" build
|
|
||||||
unit_script: >-
|
|
||||||
"${SKOPEO_PATH}/${SCRIPT_BASE}/runner.sh" unit
|
|
||||||
integration_script: >-
|
|
||||||
"${SKOPEO_PATH}/${SCRIPT_BASE}/runner.sh" integration
|
|
||||||
system_script: >
|
|
||||||
"${SKOPEO_PATH}/${SCRIPT_BASE}/runner.sh" system
|
|
||||||
|
|
||||||
|
|
||||||
# This task is critical. It updates the "last-used by" timestamp stored
|
|
||||||
# in metadata for all VM images. This mechanism functions in tandem with
|
|
||||||
# an out-of-band pruning operation to remove disused VM images.
|
|
||||||
meta_task:
|
|
||||||
name: "VM img. keepalive"
|
|
||||||
alias: meta
|
|
||||||
container: &smallcontainer
|
|
||||||
cpu: 2
|
|
||||||
memory: 2
|
|
||||||
image: quay.io/libpod/imgts:latest
|
|
||||||
env:
|
|
||||||
# Space-separated list of images used by this repository state
|
|
||||||
IMGNAMES: |
|
|
||||||
${FEDORA_CACHE_IMAGE_NAME}
|
|
||||||
build-push-${IMAGE_SUFFIX}
|
|
||||||
BUILDID: "${CIRRUS_BUILD_ID}"
|
|
||||||
REPOREF: "${CIRRUS_REPO_NAME}"
|
|
||||||
GCPJSON: ENCRYPTED[6867b5a83e960e7c159a98fe6c8360064567a071c6f4b5e7d532283ecd870aa65c94ccd74bdaa9bf7aadac9d42e20a67]
|
|
||||||
GCPNAME: ENCRYPTED[1cf558ae125e3c39ec401e443ad76452b25d790c45eb73d77c83eb059a0f7fd5085ef7e2f7e410b04ea6e83b0aab2eb1]
|
|
||||||
GCPPROJECT: libpod-218412
|
|
||||||
clone_script: &noop mkdir -p "$CIRRUS_WORKING_DIR"
|
|
||||||
script: /usr/local/bin/entrypoint.sh
|
|
||||||
|
|
||||||
|
|
||||||
# Status aggregator for all tests. This task simply ensures a defined
|
|
||||||
# set of tasks all passed, and allows confirming that based on the status
|
|
||||||
# of this task.
|
|
||||||
success_task:
|
|
||||||
name: "Total Success"
|
|
||||||
alias: success
|
|
||||||
# N/B: ALL tasks must be listed here, minus their '_task' suffix.
|
|
||||||
depends_on:
|
|
||||||
- validate
|
|
||||||
- doccheck
|
|
||||||
- osx
|
|
||||||
- cross
|
|
||||||
- proxy_ostree_ext
|
|
||||||
- test_skopeo
|
|
||||||
- meta
|
|
||||||
container: *smallcontainer
|
|
||||||
env:
|
|
||||||
CTR_FQIN: ${FEDORA_CONTAINER_FQIN}
|
|
||||||
TEST_ENVIRON: container
|
|
||||||
clone_script: *noop
|
|
||||||
script: /bin/true
|
|
||||||
1
.fmf/version
Normal file
1
.fmf/version
Normal file
@@ -0,0 +1 @@
|
|||||||
|
1
|
||||||
120
.packit.yaml
120
.packit.yaml
@@ -2,98 +2,64 @@
|
|||||||
# See the documentation for more information:
|
# See the documentation for more information:
|
||||||
# https://packit.dev/docs/configuration/
|
# https://packit.dev/docs/configuration/
|
||||||
|
|
||||||
# NOTE: The Packit copr_build tasks help to check if every commit builds on
|
|
||||||
# supported Fedora and CentOS Stream arches.
|
|
||||||
# They do not block the current Cirrus-based workflow.
|
|
||||||
|
|
||||||
downstream_package_name: skopeo
|
downstream_package_name: skopeo
|
||||||
upstream_tag_template: v{version}
|
upstream_tag_template: v{version}
|
||||||
|
|
||||||
packages:
|
specfile_path: skopeo.spec
|
||||||
skopeo-fedora:
|
|
||||||
pkg_tool: fedpkg
|
|
||||||
specfile_path: rpm/skopeo.spec
|
|
||||||
skopeo-centos:
|
|
||||||
pkg_tool: centpkg
|
|
||||||
specfile_path: rpm/skopeo.spec
|
|
||||||
skopeo-eln:
|
|
||||||
specfile_path: rpm/skopeo.spec
|
|
||||||
|
|
||||||
srpm_build_deps:
|
# Disable automatic merging for Copr builds (and subsequent Testing Farm)
|
||||||
- make
|
merge_pr_in_ci: false
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
- job: copr_build
|
- job: copr_build
|
||||||
trigger: pull_request
|
trigger: pull_request
|
||||||
packages: [skopeo-fedora]
|
notifications: &packit_failure_notification
|
||||||
notifications: &copr_build_failure_notification
|
|
||||||
failure_comment:
|
failure_comment:
|
||||||
message: "Ephemeral COPR build failed. @containers/packit-build please check."
|
message: "Packit jobs failed. @containers/packit-build please check."
|
||||||
targets:
|
|
||||||
- fedora-all-x86_64
|
|
||||||
- fedora-all-aarch64
|
|
||||||
enable_net: true
|
enable_net: true
|
||||||
|
targets:
|
||||||
|
- epel-10-x86_64
|
||||||
|
- epel-10-aarch64
|
||||||
|
actions:
|
||||||
|
post-upstream-clone: "curl --fail -O https://gitlab.com/redhat/centos-stream/rpms/skopeo/-/raw/c10s/skopeo.spec"
|
||||||
|
|
||||||
- job: copr_build
|
- job: copr_build
|
||||||
trigger: pull_request
|
trigger: pull_request
|
||||||
packages: [skopeo-eln]
|
notifications: *packit_failure_notification
|
||||||
notifications: *copr_build_failure_notification
|
|
||||||
targets:
|
|
||||||
fedora-eln-x86_64:
|
|
||||||
additional_repos:
|
|
||||||
- "https://kojipkgs.fedoraproject.org/repos/eln-build/latest/x86_64/"
|
|
||||||
fedora-eln-aarch64:
|
|
||||||
additional_repos:
|
|
||||||
- "https://kojipkgs.fedoraproject.org/repos/eln-build/latest/aarch64/"
|
|
||||||
enable_net: true
|
enable_net: true
|
||||||
|
targets:
|
||||||
|
- epel-9-x86_64
|
||||||
|
- epel-9-aarch64
|
||||||
|
actions:
|
||||||
|
post-upstream-clone: "curl --fail -O https://gitlab.com/redhat/centos-stream/rpms/skopeo/-/raw/c9s/skopeo.spec"
|
||||||
|
|
||||||
- job: copr_build
|
- job: tests
|
||||||
trigger: pull_request
|
trigger: pull_request
|
||||||
packages: [skopeo-centos]
|
use_internal_tf: true
|
||||||
notifications: *copr_build_failure_notification
|
notifications: *packit_failure_notification
|
||||||
targets:
|
targets:
|
||||||
- centos-stream-9-x86_64
|
epel-10-x86_64:
|
||||||
- centos-stream-9-aarch64
|
distros: [RHEL-10-Nightly,RHEL-10.0-Nightly]
|
||||||
- centos-stream-10-x86_64
|
epel-10-aarch64:
|
||||||
- centos-stream-10-aarch64
|
distros: [RHEL-10-Nightly,RHEL-10.0-Nightly]
|
||||||
enable_net: true
|
epel-9-x86_64:
|
||||||
|
distros: [RHEL-9-Nightly,RHEL-9.6.0-Nightly]
|
||||||
|
epel-9-aarch64:
|
||||||
|
distros: [RHEL-9-Nightly,RHEL-9.6.0-Nightly]
|
||||||
|
tmt_plan: "/plans/system"
|
||||||
|
identifier: "rpm"
|
||||||
|
|
||||||
# Run on commit to main branch
|
- job: tests
|
||||||
- job: copr_build
|
trigger: pull_request
|
||||||
trigger: commit
|
use_internal_tf: true
|
||||||
packages: [skopeo-fedora]
|
notifications: *packit_failure_notification
|
||||||
notifications:
|
skip_build: true
|
||||||
failure_comment:
|
targets:
|
||||||
message: "podman-next COPR build failed. @containers/packit-build please check."
|
# RHEL-N-Nightly can often have newer toolchain packages, breaking
|
||||||
branch: main
|
# vendoring. So, only test on N.Y here
|
||||||
owner: rhcontainerbot
|
epel-10-x86_64:
|
||||||
project: podman-next
|
distros: [RHEL-10.0-Nightly]
|
||||||
enable_net: true
|
epel-9-x86_64:
|
||||||
|
distros: [RHEL-9.6.0-Nightly]
|
||||||
# Sync to Fedora
|
tmt_plan: "/plans/no-rpm"
|
||||||
- job: propose_downstream
|
identifier: "no-rpm"
|
||||||
trigger: release
|
|
||||||
packages: [skopeo-fedora]
|
|
||||||
update_release: false
|
|
||||||
dist_git_branches: &fedora_targets
|
|
||||||
- fedora-all
|
|
||||||
|
|
||||||
# Sync to CentOS Stream
|
|
||||||
- job: propose_downstream
|
|
||||||
trigger: release
|
|
||||||
packages: [skopeo-centos]
|
|
||||||
update_release: false
|
|
||||||
dist_git_branches:
|
|
||||||
- c10s
|
|
||||||
|
|
||||||
# Fedora Koji build
|
|
||||||
- job: koji_build
|
|
||||||
trigger: commit
|
|
||||||
packages: [skopeo-fedora]
|
|
||||||
sidetag_group: podman-releases
|
|
||||||
# Dependents are not rpm dependencies, but the package whose bodhi update
|
|
||||||
# should include this package.
|
|
||||||
# Ref: https://packit.dev/docs/fedora-releases-guide/releasing-multiple-packages
|
|
||||||
dependents:
|
|
||||||
- podman
|
|
||||||
dist_git_branches: *fedora_targets
|
|
||||||
|
|||||||
4
Makefile
4
Makefile
@@ -70,7 +70,9 @@ export SKOPEO_CONTAINER_TESTS ?= $(if $(CI),1,0)
|
|||||||
# This is a compromise, we either use a container for this or require
|
# This is a compromise, we either use a container for this or require
|
||||||
# the local user to have a compatible python3 development environment.
|
# the local user to have a compatible python3 development environment.
|
||||||
# Define it as a "resolve on use" variable to avoid calling out when possible
|
# Define it as a "resolve on use" variable to avoid calling out when possible
|
||||||
SKOPEO_CIDEV_CONTAINER_FQIN ?= $(shell hack/get_fqin.sh)
|
#SKOPEO_CIDEV_CONTAINER_FQIN ?= $(shell hack/get_fqin.sh)
|
||||||
|
# FIXME: hack/get_fqin.sh depends on cirrus.yml so we hardcode SKOPEO_CIDEV_CONTAINER_FQIN here
|
||||||
|
SKOPEO_CIDEV_CONTAINER_FQIN ?= "quay.io/libpod/skopeo_cidev:c20250131t121915z-f41f40d13"
|
||||||
CONTAINER_CMD ?= ${CONTAINER_RUNTIME} run --rm -i -e TESTFLAGS="$(TESTFLAGS)" -e CI=$(CI) -e SKOPEO_CONTAINER_TESTS=1
|
CONTAINER_CMD ?= ${CONTAINER_RUNTIME} run --rm -i -e TESTFLAGS="$(TESTFLAGS)" -e CI=$(CI) -e SKOPEO_CONTAINER_TESTS=1
|
||||||
# if this session isn't interactive, then we don't want to allocate a
|
# if this session isn't interactive, then we don't want to allocate a
|
||||||
# TTY, which would fail, but if it is interactive, we do want to attach
|
# TTY, which would fail, but if it is interactive, we do want to attach
|
||||||
|
|||||||
6
go.mod
6
go.mod
@@ -1,7 +1,7 @@
|
|||||||
module github.com/containers/skopeo
|
module github.com/containers/skopeo
|
||||||
|
|
||||||
// Minimum required golang version
|
// Minimum required golang version
|
||||||
go 1.22.8
|
go 1.24.0
|
||||||
|
|
||||||
// Warning: Ensure the "go" and "toolchain" versions match exactly to prevent unwanted auto-updates
|
// Warning: Ensure the "go" and "toolchain" versions match exactly to prevent unwanted auto-updates
|
||||||
|
|
||||||
@@ -50,8 +50,8 @@ require (
|
|||||||
github.com/docker/go-units v0.5.0 // indirect
|
github.com/docker/go-units v0.5.0 // indirect
|
||||||
github.com/dsnet/compress v0.0.2-0.20210315054119-f66993602bf5 // indirect
|
github.com/dsnet/compress v0.0.2-0.20210315054119-f66993602bf5 // indirect
|
||||||
github.com/felixge/httpsnoop v1.0.4 // indirect
|
github.com/felixge/httpsnoop v1.0.4 // indirect
|
||||||
github.com/go-jose/go-jose/v3 v3.0.3 // indirect
|
github.com/go-jose/go-jose/v3 v3.0.4 // indirect
|
||||||
github.com/go-jose/go-jose/v4 v4.0.4 // indirect
|
github.com/go-jose/go-jose/v4 v4.1.4 // indirect
|
||||||
github.com/go-logr/logr v1.4.2 // indirect
|
github.com/go-logr/logr v1.4.2 // indirect
|
||||||
github.com/go-logr/stdr v1.2.2 // indirect
|
github.com/go-logr/stdr v1.2.2 // indirect
|
||||||
github.com/go-openapi/analysis v0.23.0 // indirect
|
github.com/go-openapi/analysis v0.23.0 // indirect
|
||||||
|
|||||||
8
go.sum
8
go.sum
@@ -89,10 +89,10 @@ github.com/fatih/color v1.16.0 h1:zmkK9Ngbjj+K0yRhTVONQh1p/HknKYSlNT+vZCzyokM=
|
|||||||
github.com/fatih/color v1.16.0/go.mod h1:fL2Sau1YI5c0pdGEVCbKQbLXB6edEj1ZgiY4NijnWvE=
|
github.com/fatih/color v1.16.0/go.mod h1:fL2Sau1YI5c0pdGEVCbKQbLXB6edEj1ZgiY4NijnWvE=
|
||||||
github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
|
github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
|
||||||
github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
|
github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
|
||||||
github.com/go-jose/go-jose/v3 v3.0.3 h1:fFKWeig/irsp7XD2zBxvnmA/XaRWp5V3CBsZXJF7G7k=
|
github.com/go-jose/go-jose/v3 v3.0.4 h1:Wp5HA7bLQcKnf6YYao/4kpRpVMp/yf6+pJKV8WFSaNY=
|
||||||
github.com/go-jose/go-jose/v3 v3.0.3/go.mod h1:5b+7YgP7ZICgJDBdfjZaIt+H/9L9T/YQrVfLAMboGkQ=
|
github.com/go-jose/go-jose/v3 v3.0.4/go.mod h1:5b+7YgP7ZICgJDBdfjZaIt+H/9L9T/YQrVfLAMboGkQ=
|
||||||
github.com/go-jose/go-jose/v4 v4.0.4 h1:VsjPI33J0SB9vQM6PLmNjoHqMQNGPiZ0rHL7Ni7Q6/E=
|
github.com/go-jose/go-jose/v4 v4.1.4 h1:moDMcTHmvE6Groj34emNPLs/qtYXRVcd6S7NHbHz3kA=
|
||||||
github.com/go-jose/go-jose/v4 v4.0.4/go.mod h1:NKb5HO1EZccyMpiZNbdUw/14tiXNyUJh188dfnMCAfc=
|
github.com/go-jose/go-jose/v4 v4.1.4/go.mod h1:x4oUasVrzR7071A4TnHLGSPpNOm2a21K9Kf04k1rs08=
|
||||||
github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
|
github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
|
||||||
github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
|
github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
|
||||||
github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
|
github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
|
||||||
|
|||||||
@@ -1,7 +1,10 @@
|
|||||||
#!/usr/bin/env bash
|
#!/usr/bin/env bash
|
||||||
set -e
|
set -e
|
||||||
|
|
||||||
STATUS=$(git status --porcelain)
|
# TMT breaks this so we only check go.* and vendor
|
||||||
|
# https://github.com/teemtee/tmt/issues/3800
|
||||||
|
# STATUS=$(git status --porcelain)
|
||||||
|
STATUS=$(git status --porcelain go.* vendor)
|
||||||
if [[ -z $STATUS ]]
|
if [[ -z $STATUS ]]
|
||||||
then
|
then
|
||||||
echo "tree is clean"
|
echo "tree is clean"
|
||||||
|
|||||||
23
plans/no-rpm.fmf
Normal file
23
plans/no-rpm.fmf
Normal file
@@ -0,0 +1,23 @@
|
|||||||
|
prepare:
|
||||||
|
- name: dependencies
|
||||||
|
how: install
|
||||||
|
package: [ golang, go-md2man, gpgme-devel, podman-docker ]
|
||||||
|
|
||||||
|
discover:
|
||||||
|
keep-git-metadata: true
|
||||||
|
how: shell
|
||||||
|
tests:
|
||||||
|
- name: /validate
|
||||||
|
test: >
|
||||||
|
make tools &&
|
||||||
|
make BUILDTAGS="exclude_graphdriver_btrfs" validate-local &&
|
||||||
|
make validate-docs &&
|
||||||
|
make vendor &&
|
||||||
|
hack/tree_status.sh
|
||||||
|
- name: /integration
|
||||||
|
test: make BUILDTAGS="exclude_graphdriver_btrfs" test-integration
|
||||||
|
- name: /unit
|
||||||
|
test: make BUILDTAGS="exclude_graphdriver_btrfs" test-unit-local
|
||||||
|
|
||||||
|
execute:
|
||||||
|
how: tmt
|
||||||
13
plans/system.fmf
Normal file
13
plans/system.fmf
Normal file
@@ -0,0 +1,13 @@
|
|||||||
|
discover:
|
||||||
|
how: fmf
|
||||||
|
filter: 'tag:system'
|
||||||
|
execute:
|
||||||
|
how: tmt
|
||||||
|
prepare:
|
||||||
|
- how: shell
|
||||||
|
script: |
|
||||||
|
BATS_VERSION=1.12.0
|
||||||
|
curl -L https://github.com/bats-core/bats-core/archive/refs/tags/v"$BATS_VERSION".tar.gz | tar -xz
|
||||||
|
cd bats-core-"$BATS_VERSION"
|
||||||
|
./install.sh /usr
|
||||||
|
order: 10
|
||||||
170
rpm/skopeo.spec
170
rpm/skopeo.spec
@@ -1,170 +0,0 @@
|
|||||||
%global with_debug 1
|
|
||||||
|
|
||||||
%if 0%{?with_debug}
|
|
||||||
%global _find_debuginfo_dwz_opts %{nil}
|
|
||||||
%global _dwz_low_mem_die_limit 0
|
|
||||||
%else
|
|
||||||
%global debug_package %{nil}
|
|
||||||
%endif
|
|
||||||
|
|
||||||
%global gomodulesmode GO111MODULE=on
|
|
||||||
|
|
||||||
# No btrfs on RHEL
|
|
||||||
%if %{defined fedora}
|
|
||||||
%define build_with_btrfs 1
|
|
||||||
%endif
|
|
||||||
|
|
||||||
%if %{defined rhel}
|
|
||||||
%define fips 1
|
|
||||||
%endif
|
|
||||||
|
|
||||||
# Only used in official koji builds
|
|
||||||
# Copr builds set a separate epoch for all environments
|
|
||||||
%if %{defined fedora}
|
|
||||||
%define conditional_epoch 1
|
|
||||||
%else
|
|
||||||
%define conditional_epoch 2
|
|
||||||
%endif
|
|
||||||
|
|
||||||
Name: skopeo
|
|
||||||
%if %{defined copr_username}
|
|
||||||
Epoch: 102
|
|
||||||
%else
|
|
||||||
Epoch: %{conditional_epoch}
|
|
||||||
%endif
|
|
||||||
# DO NOT TOUCH the Version string!
|
|
||||||
# The TRUE source of this specfile is:
|
|
||||||
# https://github.com/containers/skopeo/blob/main/rpm/skopeo.spec
|
|
||||||
# If that's what you're reading, Version must be 0, and will be updated by Packit for
|
|
||||||
# copr and koji builds.
|
|
||||||
# If you're reading this on dist-git, the version is automatically filled in by Packit.
|
|
||||||
Version: 0
|
|
||||||
# The `AND` needs to be uppercase in the License for SPDX compatibility
|
|
||||||
License: Apache-2.0 AND BSD-2-Clause AND BSD-3-Clause AND ISC AND MIT AND MPL-2.0
|
|
||||||
Release: %autorelease
|
|
||||||
%if %{defined golang_arches_future}
|
|
||||||
ExclusiveArch: %{golang_arches_future}
|
|
||||||
%else
|
|
||||||
ExclusiveArch: aarch64 ppc64le s390x x86_64
|
|
||||||
%endif
|
|
||||||
Summary: Inspect container images and repositories on registries
|
|
||||||
URL: https://github.com/containers/%{name}
|
|
||||||
# Tarball fetched from upstream
|
|
||||||
Source0: %{url}/archive/v%{version}.tar.gz
|
|
||||||
BuildRequires: %{_bindir}/go-md2man
|
|
||||||
%if %{defined build_with_btrfs}
|
|
||||||
BuildRequires: btrfs-progs-devel
|
|
||||||
%endif
|
|
||||||
BuildRequires: git-core
|
|
||||||
BuildRequires: golang
|
|
||||||
%if !%{defined gobuild}
|
|
||||||
BuildRequires: go-rpm-macros
|
|
||||||
%endif
|
|
||||||
BuildRequires: gpgme-devel
|
|
||||||
BuildRequires: libassuan-devel
|
|
||||||
BuildRequires: ostree-devel
|
|
||||||
BuildRequires: glib2-devel
|
|
||||||
BuildRequires: make
|
|
||||||
BuildRequires: shadow-utils-subid-devel
|
|
||||||
Requires: containers-common >= 4:1-21
|
|
||||||
|
|
||||||
%description
|
|
||||||
Command line utility to inspect images and repositories directly on Docker
|
|
||||||
registries without the need to pull them
|
|
||||||
|
|
||||||
%package tests
|
|
||||||
Summary: Tests for %{name}
|
|
||||||
|
|
||||||
Requires: %{name} = %{epoch}:%{version}-%{release}
|
|
||||||
%if %{defined fedora}
|
|
||||||
Requires: bats
|
|
||||||
Requires: fakeroot
|
|
||||||
%endif
|
|
||||||
Requires: gnupg
|
|
||||||
Requires: jq
|
|
||||||
Requires: golang
|
|
||||||
Requires: podman
|
|
||||||
Requires: crun
|
|
||||||
Requires: httpd-tools
|
|
||||||
Requires: openssl
|
|
||||||
Requires: squashfs-tools
|
|
||||||
|
|
||||||
%description tests
|
|
||||||
%{summary}
|
|
||||||
|
|
||||||
This package contains system tests for %{name}
|
|
||||||
|
|
||||||
%prep
|
|
||||||
%autosetup -Sgit %{name}-%{version}
|
|
||||||
# The %%install stage should not rebuild anything but only install what's
|
|
||||||
# built in the %%build stage. So, remove any dependency on build targets.
|
|
||||||
sed -i 's/^install-binary: bin\/%{name}.*/install-binary:/' Makefile
|
|
||||||
sed -i 's/^completions: bin\/%{name}.*/completions:/' Makefile
|
|
||||||
sed -i 's/^install-docs: docs.*/install-docs:/' Makefile
|
|
||||||
|
|
||||||
%build
|
|
||||||
%set_build_flags
|
|
||||||
export CGO_CFLAGS=$CFLAGS
|
|
||||||
|
|
||||||
# These extra flags present in $CFLAGS have been skipped for now as they break the build
|
|
||||||
CGO_CFLAGS=$(echo $CGO_CFLAGS | sed 's/-flto=auto//g')
|
|
||||||
CGO_CFLAGS=$(echo $CGO_CFLAGS | sed 's/-Wp,D_GLIBCXX_ASSERTIONS//g')
|
|
||||||
CGO_CFLAGS=$(echo $CGO_CFLAGS | sed 's/-specs=\/usr\/lib\/rpm\/redhat\/redhat-annobin-cc1//g')
|
|
||||||
|
|
||||||
%ifarch x86_64
|
|
||||||
export CGO_CFLAGS="$CGO_CFLAGS -m64 -mtune=generic -fcf-protection=full"
|
|
||||||
%endif
|
|
||||||
|
|
||||||
BASEBUILDTAGS="$(hack/libsubid_tag.sh)"
|
|
||||||
%if %{defined build_with_btrfs}
|
|
||||||
export BUILDTAGS="$BASEBUILDTAGS $(hack/btrfs_tag.sh) $(hack/btrfs_installed_tag.sh)"
|
|
||||||
%else
|
|
||||||
export BUILDTAGS="$BASEBUILDTAGS btrfs_noversion exclude_graphdriver_btrfs"
|
|
||||||
%endif
|
|
||||||
|
|
||||||
%if %{defined fips}
|
|
||||||
export BUILDTAGS="$BUILDTAGS libtrust_openssl"
|
|
||||||
%endif
|
|
||||||
|
|
||||||
# unset LDFLAGS earlier set from set_build_flags
|
|
||||||
LDFLAGS=''
|
|
||||||
|
|
||||||
%gobuild -o bin/%{name} ./cmd/%{name}
|
|
||||||
%{__make} docs
|
|
||||||
|
|
||||||
%install
|
|
||||||
make \
|
|
||||||
DESTDIR=%{buildroot} \
|
|
||||||
PREFIX=%{_prefix} \
|
|
||||||
install-binary install-docs install-completions
|
|
||||||
|
|
||||||
# system tests
|
|
||||||
install -d -p %{buildroot}/%{_datadir}/%{name}/test/system
|
|
||||||
cp -pav systemtest/* %{buildroot}/%{_datadir}/%{name}/test/system/
|
|
||||||
|
|
||||||
#define license tag if not already defined
|
|
||||||
%{!?_licensedir:%global license %doc}
|
|
||||||
|
|
||||||
# Include this to silence rpmlint.
|
|
||||||
# Especially annoying if you use syntastic vim plugin.
|
|
||||||
%check
|
|
||||||
|
|
||||||
%files
|
|
||||||
%license LICENSE
|
|
||||||
%doc README.md
|
|
||||||
%{_bindir}/%{name}
|
|
||||||
%{_mandir}/man1/%{name}*
|
|
||||||
%dir %{_datadir}/bash-completion
|
|
||||||
%dir %{_datadir}/bash-completion/completions
|
|
||||||
%{_datadir}/bash-completion/completions/%{name}
|
|
||||||
%dir %{_datadir}/fish/vendor_completions.d
|
|
||||||
%{_datadir}/fish/vendor_completions.d/%{name}.fish
|
|
||||||
%dir %{_datadir}/zsh/site-functions
|
|
||||||
%{_datadir}/zsh/site-functions/_%{name}
|
|
||||||
|
|
||||||
%files tests
|
|
||||||
%license LICENSE vendor/modules.txt
|
|
||||||
%{_datadir}/%{name}/test
|
|
||||||
|
|
||||||
%changelog
|
|
||||||
%autochangelog
|
|
||||||
10
systemtest/tmt/main.fmf
Normal file
10
systemtest/tmt/main.fmf
Normal file
@@ -0,0 +1,10 @@
|
|||||||
|
require:
|
||||||
|
- skopeo-tests
|
||||||
|
|
||||||
|
environment:
|
||||||
|
SKOPEO_BINARY: /usr/bin/skopeo
|
||||||
|
|
||||||
|
summary: System test
|
||||||
|
test: bash ./test.sh
|
||||||
|
duration: 60m
|
||||||
|
tag: [ system ]
|
||||||
12
systemtest/tmt/test.sh
Normal file
12
systemtest/tmt/test.sh
Normal file
@@ -0,0 +1,12 @@
|
|||||||
|
#!/usr/bin/env bash
|
||||||
|
|
||||||
|
set -exo pipefail
|
||||||
|
|
||||||
|
uname -r
|
||||||
|
|
||||||
|
rpm -q \
|
||||||
|
containers-common \
|
||||||
|
skopeo \
|
||||||
|
skopeo-tests \
|
||||||
|
|
||||||
|
bats /usr/share/skopeo/test/system
|
||||||
5
vendor/github.com/go-jose/go-jose/v3/jwe.go
generated
vendored
5
vendor/github.com/go-jose/go-jose/v3/jwe.go
generated
vendored
@@ -202,10 +202,11 @@ func (parsed *rawJSONWebEncryption) sanitized() (*JSONWebEncryption, error) {
|
|||||||
|
|
||||||
// parseEncryptedCompact parses a message in compact format.
|
// parseEncryptedCompact parses a message in compact format.
|
||||||
func parseEncryptedCompact(input string) (*JSONWebEncryption, error) {
|
func parseEncryptedCompact(input string) (*JSONWebEncryption, error) {
|
||||||
parts := strings.Split(input, ".")
|
// Five parts is four separators
|
||||||
if len(parts) != 5 {
|
if strings.Count(input, ".") != 4 {
|
||||||
return nil, fmt.Errorf("go-jose/go-jose: compact JWE format must have five parts")
|
return nil, fmt.Errorf("go-jose/go-jose: compact JWE format must have five parts")
|
||||||
}
|
}
|
||||||
|
parts := strings.SplitN(input, ".", 5)
|
||||||
|
|
||||||
rawProtected, err := base64URLDecode(parts[0])
|
rawProtected, err := base64URLDecode(parts[0])
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
|||||||
5
vendor/github.com/go-jose/go-jose/v3/jws.go
generated
vendored
5
vendor/github.com/go-jose/go-jose/v3/jws.go
generated
vendored
@@ -275,10 +275,11 @@ func (parsed *rawJSONWebSignature) sanitized() (*JSONWebSignature, error) {
|
|||||||
|
|
||||||
// parseSignedCompact parses a message in compact format.
|
// parseSignedCompact parses a message in compact format.
|
||||||
func parseSignedCompact(input string, payload []byte) (*JSONWebSignature, error) {
|
func parseSignedCompact(input string, payload []byte) (*JSONWebSignature, error) {
|
||||||
parts := strings.Split(input, ".")
|
// Three parts is two separators
|
||||||
if len(parts) != 3 {
|
if strings.Count(input, ".") != 2 {
|
||||||
return nil, fmt.Errorf("go-jose/go-jose: compact JWS format must have three parts")
|
return nil, fmt.Errorf("go-jose/go-jose: compact JWS format must have three parts")
|
||||||
}
|
}
|
||||||
|
parts := strings.SplitN(input, ".", 3)
|
||||||
|
|
||||||
if parts[1] != "" && payload != nil {
|
if parts[1] != "" && payload != nil {
|
||||||
return nil, fmt.Errorf("go-jose/go-jose: payload is not detached")
|
return nil, fmt.Errorf("go-jose/go-jose: payload is not detached")
|
||||||
|
|||||||
96
vendor/github.com/go-jose/go-jose/v4/CHANGELOG.md
generated
vendored
96
vendor/github.com/go-jose/go-jose/v4/CHANGELOG.md
generated
vendored
@@ -1,96 +0,0 @@
|
|||||||
# v4.0.4
|
|
||||||
|
|
||||||
## Fixed
|
|
||||||
|
|
||||||
- Reverted "Allow unmarshalling JSONWebKeySets with unsupported key types" as a
|
|
||||||
breaking change. See #136 / #137.
|
|
||||||
|
|
||||||
# v4.0.3
|
|
||||||
|
|
||||||
## Changed
|
|
||||||
|
|
||||||
- Allow unmarshalling JSONWebKeySets with unsupported key types (#130)
|
|
||||||
- Document that OpaqueKeyEncrypter can't be implemented (for now) (#129)
|
|
||||||
- Dependency updates
|
|
||||||
|
|
||||||
# v4.0.2
|
|
||||||
|
|
||||||
## Changed
|
|
||||||
|
|
||||||
- Improved documentation of Verify() to note that JSONWebKeySet is a supported
|
|
||||||
argument type (#104)
|
|
||||||
- Defined exported error values for missing x5c header and unsupported elliptic
|
|
||||||
curves error cases (#117)
|
|
||||||
|
|
||||||
# v4.0.1
|
|
||||||
|
|
||||||
## Fixed
|
|
||||||
|
|
||||||
- An attacker could send a JWE containing compressed data that used large
|
|
||||||
amounts of memory and CPU when decompressed by `Decrypt` or `DecryptMulti`.
|
|
||||||
Those functions now return an error if the decompressed data would exceed
|
|
||||||
250kB or 10x the compressed size (whichever is larger). Thanks to
|
|
||||||
Enze Wang@Alioth and Jianjun Chen@Zhongguancun Lab (@zer0yu and @chenjj)
|
|
||||||
for reporting.
|
|
||||||
|
|
||||||
# v4.0.0
|
|
||||||
|
|
||||||
This release makes some breaking changes in order to more thoroughly
|
|
||||||
address the vulnerabilities discussed in [Three New Attacks Against JSON Web
|
|
||||||
Tokens][1], "Sign/encrypt confusion", "Billion hash attack", and "Polyglot
|
|
||||||
token".
|
|
||||||
|
|
||||||
## Changed
|
|
||||||
|
|
||||||
- Limit JWT encryption types (exclude password or public key types) (#78)
|
|
||||||
- Enforce minimum length for HMAC keys (#85)
|
|
||||||
- jwt: match any audience in a list, rather than requiring all audiences (#81)
|
|
||||||
- jwt: accept only Compact Serialization (#75)
|
|
||||||
- jws: Add expected algorithms for signatures (#74)
|
|
||||||
- Require specifying expected algorithms for ParseEncrypted,
|
|
||||||
ParseSigned, ParseDetached, jwt.ParseEncrypted, jwt.ParseSigned,
|
|
||||||
jwt.ParseSignedAndEncrypted (#69, #74)
|
|
||||||
- Usually there is a small, known set of appropriate algorithms for a program
|
|
||||||
to use and it's a mistake to allow unexpected algorithms. For instance the
|
|
||||||
"billion hash attack" relies in part on programs accepting the PBES2
|
|
||||||
encryption algorithm and doing the necessary work even if they weren't
|
|
||||||
specifically configured to allow PBES2.
|
|
||||||
- Revert "Strip padding off base64 strings" (#82)
|
|
||||||
- The specs require base64url encoding without padding.
|
|
||||||
- Minimum supported Go version is now 1.21
|
|
||||||
|
|
||||||
## Added
|
|
||||||
|
|
||||||
- ParseSignedCompact, ParseSignedJSON, ParseEncryptedCompact, ParseEncryptedJSON.
|
|
||||||
- These allow parsing a specific serialization, as opposed to ParseSigned and
|
|
||||||
ParseEncrypted, which try to automatically detect which serialization was
|
|
||||||
provided. It's common to require a specific serialization for a specific
|
|
||||||
protocol - for instance JWT requires Compact serialization.
|
|
||||||
|
|
||||||
[1]: https://i.blackhat.com/BH-US-23/Presentations/US-23-Tervoort-Three-New-Attacks-Against-JSON-Web-Tokens.pdf
|
|
||||||
|
|
||||||
# v3.0.2
|
|
||||||
|
|
||||||
## Fixed
|
|
||||||
|
|
||||||
- DecryptMulti: handle decompression error (#19)
|
|
||||||
|
|
||||||
## Changed
|
|
||||||
|
|
||||||
- jwe/CompactSerialize: improve performance (#67)
|
|
||||||
- Increase the default number of PBKDF2 iterations to 600k (#48)
|
|
||||||
- Return the proper algorithm for ECDSA keys (#45)
|
|
||||||
|
|
||||||
## Added
|
|
||||||
|
|
||||||
- Add Thumbprint support for opaque signers (#38)
|
|
||||||
|
|
||||||
# v3.0.1
|
|
||||||
|
|
||||||
## Fixed
|
|
||||||
|
|
||||||
- Security issue: an attacker specifying a large "p2c" value can cause
|
|
||||||
JSONWebEncryption.Decrypt and JSONWebEncryption.DecryptMulti to consume large
|
|
||||||
amounts of CPU, causing a DoS. Thanks to Matt Schwager (@mschwager) for the
|
|
||||||
disclosure and to Tom Tervoort for originally publishing the category of attack.
|
|
||||||
https://i.blackhat.com/BH-US-23/Presentations/US-23-Tervoort-Three-New-Attacks-Against-JSON-Web-Tokens.pdf
|
|
||||||
6
vendor/github.com/go-jose/go-jose/v4/CONTRIBUTING.md
generated
vendored
6
vendor/github.com/go-jose/go-jose/v4/CONTRIBUTING.md
generated
vendored
@@ -7,9 +7,3 @@ When submitting code, please make every effort to follow existing conventions
|
|||||||
and style in order to keep the code as readable as possible. Please also make
|
and style in order to keep the code as readable as possible. Please also make
|
||||||
sure all tests pass by running `go test`, and format your code with `go fmt`.
|
sure all tests pass by running `go test`, and format your code with `go fmt`.
|
||||||
We also recommend using `golint` and `errcheck`.
|
We also recommend using `golint` and `errcheck`.
|
||||||
|
|
||||||
Before your code can be accepted into the project you must also sign the
|
|
||||||
Individual Contributor License Agreement. We use [cla-assistant.io][1] and you
|
|
||||||
will be prompted to sign once a pull request is opened.
|
|
||||||
|
|
||||||
[1]: https://cla-assistant.io/
|
|
||||||
|
|||||||
86
vendor/github.com/go-jose/go-jose/v4/README.md
generated
vendored
86
vendor/github.com/go-jose/go-jose/v4/README.md
generated
vendored
@@ -3,20 +3,11 @@
|
|||||||
[](https://pkg.go.dev/github.com/go-jose/go-jose/v4)
|
[](https://pkg.go.dev/github.com/go-jose/go-jose/v4)
|
||||||
[](https://pkg.go.dev/github.com/go-jose/go-jose/v4/jwt)
|
[](https://pkg.go.dev/github.com/go-jose/go-jose/v4/jwt)
|
||||||
[](https://raw.githubusercontent.com/go-jose/go-jose/master/LICENSE)
|
[](https://raw.githubusercontent.com/go-jose/go-jose/master/LICENSE)
|
||||||
[](https://github.com/go-jose/go-jose/actions)
|
|
||||||
|
|
||||||
Package jose aims to provide an implementation of the Javascript Object Signing
|
Package jose aims to provide an implementation of the Javascript Object Signing
|
||||||
and Encryption set of standards. This includes support for JSON Web Encryption,
|
and Encryption set of standards. This includes support for JSON Web Encryption,
|
||||||
JSON Web Signature, and JSON Web Token standards.
|
JSON Web Signature, and JSON Web Token standards.
|
||||||
|
|
||||||
**Disclaimer**: This library contains encryption software that is subject to
|
|
||||||
the U.S. Export Administration Regulations. You may not export, re-export,
|
|
||||||
transfer or download this code or any part of it in violation of any United
|
|
||||||
States law, directive or regulation. In particular this software may not be
|
|
||||||
exported or re-exported in any form or on any media to Iran, North Sudan,
|
|
||||||
Syria, Cuba, or North Korea, or to denied persons or entities mentioned on any
|
|
||||||
US maintained blocked list.
|
|
||||||
|
|
||||||
## Overview
|
## Overview
|
||||||
|
|
||||||
The implementation follows the
|
The implementation follows the
|
||||||
@@ -37,17 +28,20 @@ libraries in other languages.
|
|||||||
|
|
||||||
### Versions
|
### Versions
|
||||||
|
|
||||||
[Version 4](https://github.com/go-jose/go-jose)
|
The forthcoming Version 5 will be released with several breaking API changes,
|
||||||
([branch](https://github.com/go-jose/go-jose/tree/main),
|
and will require Golang's `encoding/json/v2`, which is currently requires
|
||||||
[doc](https://pkg.go.dev/github.com/go-jose/go-jose/v4), [releases](https://github.com/go-jose/go-jose/releases)) is the current stable version:
|
Go 1.25 built with GOEXPERIMENT=jsonv2.
|
||||||
|
|
||||||
|
Version 4 is the current stable version:
|
||||||
|
|
||||||
import "github.com/go-jose/go-jose/v4"
|
import "github.com/go-jose/go-jose/v4"
|
||||||
|
|
||||||
The old [square/go-jose](https://github.com/square/go-jose) repo contains the prior v1 and v2 versions, which
|
It supports at least the current and previous Golang release. Currently it
|
||||||
are still useable but not actively developed anymore.
|
requires Golang 1.24.
|
||||||
|
|
||||||
Version 3, in this repo, is still receiving security fixes but not functionality
|
Version 3 is only receiving critical security updates. Migration to Version 4 is recommended.
|
||||||
updates.
|
|
||||||
|
Versions 1 and 2 are obsolete, but can be found in the old repository, [square/go-jose](https://github.com/square/go-jose).
|
||||||
|
|
||||||
### Supported algorithms
|
### Supported algorithms
|
||||||
|
|
||||||
@@ -55,36 +49,36 @@ See below for a table of supported algorithms. Algorithm identifiers match
|
|||||||
the names in the [JSON Web Algorithms](https://dx.doi.org/10.17487/RFC7518)
|
the names in the [JSON Web Algorithms](https://dx.doi.org/10.17487/RFC7518)
|
||||||
standard where possible. The Godoc reference has a list of constants.
|
standard where possible. The Godoc reference has a list of constants.
|
||||||
|
|
||||||
Key encryption | Algorithm identifier(s)
|
| Key encryption | Algorithm identifier(s) |
|
||||||
:------------------------- | :------------------------------
|
|:-----------------------|:-----------------------------------------------|
|
||||||
RSA-PKCS#1v1.5 | RSA1_5
|
| RSA-PKCS#1v1.5 | RSA1_5 |
|
||||||
RSA-OAEP | RSA-OAEP, RSA-OAEP-256
|
| RSA-OAEP | RSA-OAEP, RSA-OAEP-256 |
|
||||||
AES key wrap | A128KW, A192KW, A256KW
|
| AES key wrap | A128KW, A192KW, A256KW |
|
||||||
AES-GCM key wrap | A128GCMKW, A192GCMKW, A256GCMKW
|
| AES-GCM key wrap | A128GCMKW, A192GCMKW, A256GCMKW |
|
||||||
ECDH-ES + AES key wrap | ECDH-ES+A128KW, ECDH-ES+A192KW, ECDH-ES+A256KW
|
| ECDH-ES + AES key wrap | ECDH-ES+A128KW, ECDH-ES+A192KW, ECDH-ES+A256KW |
|
||||||
ECDH-ES (direct) | ECDH-ES<sup>1</sup>
|
| ECDH-ES (direct) | ECDH-ES<sup>1</sup> |
|
||||||
Direct encryption | dir<sup>1</sup>
|
| Direct encryption | dir<sup>1</sup> |
|
||||||
|
|
||||||
<sup>1. Not supported in multi-recipient mode</sup>
|
<sup>1. Not supported in multi-recipient mode</sup>
|
||||||
|
|
||||||
Signing / MAC | Algorithm identifier(s)
|
| Signing / MAC | Algorithm identifier(s) |
|
||||||
:------------------------- | :------------------------------
|
|:------------------|:------------------------|
|
||||||
RSASSA-PKCS#1v1.5 | RS256, RS384, RS512
|
| RSASSA-PKCS#1v1.5 | RS256, RS384, RS512 |
|
||||||
RSASSA-PSS | PS256, PS384, PS512
|
| RSASSA-PSS | PS256, PS384, PS512 |
|
||||||
HMAC | HS256, HS384, HS512
|
| HMAC | HS256, HS384, HS512 |
|
||||||
ECDSA | ES256, ES384, ES512
|
| ECDSA | ES256, ES384, ES512 |
|
||||||
Ed25519 | EdDSA<sup>2</sup>
|
| Ed25519 | EdDSA<sup>2</sup> |
|
||||||
|
|
||||||
<sup>2. Only available in version 2 of the package</sup>
|
<sup>2. Only available in version 2 of the package</sup>
|
||||||
|
|
||||||
Content encryption | Algorithm identifier(s)
|
| Content encryption | Algorithm identifier(s) |
|
||||||
:------------------------- | :------------------------------
|
|:-------------------|:--------------------------------------------|
|
||||||
AES-CBC+HMAC | A128CBC-HS256, A192CBC-HS384, A256CBC-HS512
|
| AES-CBC+HMAC | A128CBC-HS256, A192CBC-HS384, A256CBC-HS512 |
|
||||||
AES-GCM | A128GCM, A192GCM, A256GCM
|
| AES-GCM | A128GCM, A192GCM, A256GCM |
|
||||||
|
|
||||||
Compression | Algorithm identifiers(s)
|
| Compression | Algorithm identifiers(s) |
|
||||||
:------------------------- | -------------------------------
|
|:-------------------|--------------------------|
|
||||||
DEFLATE (RFC 1951) | DEF
|
| DEFLATE (RFC 1951) | DEF |
|
||||||
|
|
||||||
### Supported key types
|
### Supported key types
|
||||||
|
|
||||||
@@ -93,12 +87,12 @@ library, and can be passed to corresponding functions such as `NewEncrypter` or
|
|||||||
`NewSigner`. Each of these keys can also be wrapped in a JWK if desired, which
|
`NewSigner`. Each of these keys can also be wrapped in a JWK if desired, which
|
||||||
allows attaching a key id.
|
allows attaching a key id.
|
||||||
|
|
||||||
Algorithm(s) | Corresponding types
|
| Algorithm(s) | Corresponding types |
|
||||||
:------------------------- | -------------------------------
|
|:------------------|--------------------------------------------------------------------------------------------------------------------------------------|
|
||||||
RSA | *[rsa.PublicKey](https://pkg.go.dev/crypto/rsa/#PublicKey), *[rsa.PrivateKey](https://pkg.go.dev/crypto/rsa/#PrivateKey)
|
| RSA | *[rsa.PublicKey](https://pkg.go.dev/crypto/rsa/#PublicKey), *[rsa.PrivateKey](https://pkg.go.dev/crypto/rsa/#PrivateKey) |
|
||||||
ECDH, ECDSA | *[ecdsa.PublicKey](https://pkg.go.dev/crypto/ecdsa/#PublicKey), *[ecdsa.PrivateKey](https://pkg.go.dev/crypto/ecdsa/#PrivateKey)
|
| ECDH, ECDSA | *[ecdsa.PublicKey](https://pkg.go.dev/crypto/ecdsa/#PublicKey), *[ecdsa.PrivateKey](https://pkg.go.dev/crypto/ecdsa/#PrivateKey) |
|
||||||
EdDSA<sup>1</sup> | [ed25519.PublicKey](https://pkg.go.dev/crypto/ed25519#PublicKey), [ed25519.PrivateKey](https://pkg.go.dev/crypto/ed25519#PrivateKey)
|
| EdDSA<sup>1</sup> | [ed25519.PublicKey](https://pkg.go.dev/crypto/ed25519#PublicKey), [ed25519.PrivateKey](https://pkg.go.dev/crypto/ed25519#PrivateKey) |
|
||||||
AES, HMAC | []byte
|
| AES, HMAC | []byte |
|
||||||
|
|
||||||
<sup>1. Only available in version 2 or later of the package</sup>
|
<sup>1. Only available in version 2 or later of the package</sup>
|
||||||
|
|
||||||
@@ -109,6 +103,6 @@ allows attaching a key id.
|
|||||||
|
|
||||||
Examples can be found in the Godoc
|
Examples can be found in the Godoc
|
||||||
reference for this package. The
|
reference for this package. The
|
||||||
[`jose-util`](https://github.com/go-jose/go-jose/tree/v4/jose-util)
|
[`jose-util`](https://github.com/go-jose/go-jose/tree/main/jose-util)
|
||||||
subdirectory also contains a small command-line utility which might be useful
|
subdirectory also contains a small command-line utility which might be useful
|
||||||
as an example as well.
|
as an example as well.
|
||||||
|
|||||||
10
vendor/github.com/go-jose/go-jose/v4/asymmetric.go
generated
vendored
10
vendor/github.com/go-jose/go-jose/v4/asymmetric.go
generated
vendored
@@ -414,6 +414,9 @@ func (ctx ecKeyGenerator) genKey() ([]byte, rawHeader, error) {
|
|||||||
|
|
||||||
// Decrypt the given payload and return the content encryption key.
|
// Decrypt the given payload and return the content encryption key.
|
||||||
func (ctx ecDecrypterSigner) decryptKey(headers rawHeader, recipient *recipientInfo, generator keyGenerator) ([]byte, error) {
|
func (ctx ecDecrypterSigner) decryptKey(headers rawHeader, recipient *recipientInfo, generator keyGenerator) ([]byte, error) {
|
||||||
|
if recipient == nil {
|
||||||
|
return nil, errors.New("go-jose/go-jose: missing recipient")
|
||||||
|
}
|
||||||
epk, err := headers.getEPK()
|
epk, err := headers.getEPK()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, errors.New("go-jose/go-jose: invalid epk header")
|
return nil, errors.New("go-jose/go-jose: invalid epk header")
|
||||||
@@ -461,13 +464,18 @@ func (ctx ecDecrypterSigner) decryptKey(headers rawHeader, recipient *recipientI
|
|||||||
return nil, ErrUnsupportedAlgorithm
|
return nil, ErrUnsupportedAlgorithm
|
||||||
}
|
}
|
||||||
|
|
||||||
|
encryptedKey := recipient.encryptedKey
|
||||||
|
if len(encryptedKey) == 0 {
|
||||||
|
return nil, errors.New("go-jose/go-jose: missing JWE Encrypted Key")
|
||||||
|
}
|
||||||
|
|
||||||
key := deriveKey(string(algorithm), keySize)
|
key := deriveKey(string(algorithm), keySize)
|
||||||
block, err := aes.NewCipher(key)
|
block, err := aes.NewCipher(key)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
return josecipher.KeyUnwrap(block, recipient.encryptedKey)
|
return josecipher.KeyUnwrap(block, encryptedKey)
|
||||||
}
|
}
|
||||||
|
|
||||||
func (ctx edDecrypterSigner) signPayload(payload []byte, alg SignatureAlgorithm) (Signature, error) {
|
func (ctx edDecrypterSigner) signPayload(payload []byte, alg SignatureAlgorithm) (Signature, error) {
|
||||||
|
|||||||
10
vendor/github.com/go-jose/go-jose/v4/cipher/key_wrap.go
generated
vendored
10
vendor/github.com/go-jose/go-jose/v4/cipher/key_wrap.go
generated
vendored
@@ -66,12 +66,20 @@ func KeyWrap(block cipher.Block, cek []byte) ([]byte, error) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// KeyUnwrap implements NIST key unwrapping; it unwraps a content encryption key (cek) with the given block cipher.
|
// KeyUnwrap implements NIST key unwrapping; it unwraps a content encryption key (cek) with the given block cipher.
|
||||||
|
//
|
||||||
|
// https://datatracker.ietf.org/doc/html/rfc7518#section-4.4
|
||||||
|
// https://datatracker.ietf.org/doc/html/rfc7518#section-4.6
|
||||||
|
// https://datatracker.ietf.org/doc/html/rfc7518#section-4.8
|
||||||
func KeyUnwrap(block cipher.Block, ciphertext []byte) ([]byte, error) {
|
func KeyUnwrap(block cipher.Block, ciphertext []byte) ([]byte, error) {
|
||||||
|
n := (len(ciphertext) / 8) - 1
|
||||||
|
if n <= 0 {
|
||||||
|
return nil, errors.New("go-jose/go-jose: JWE Encrypted Key too short")
|
||||||
|
}
|
||||||
|
|
||||||
if len(ciphertext)%8 != 0 {
|
if len(ciphertext)%8 != 0 {
|
||||||
return nil, errors.New("go-jose/go-jose: key wrap input must be 8 byte blocks")
|
return nil, errors.New("go-jose/go-jose: key wrap input must be 8 byte blocks")
|
||||||
}
|
}
|
||||||
|
|
||||||
n := (len(ciphertext) / 8) - 1
|
|
||||||
r := make([][]byte, n)
|
r := make([][]byte, n)
|
||||||
|
|
||||||
for i := range r {
|
for i := range r {
|
||||||
|
|||||||
20
vendor/github.com/go-jose/go-jose/v4/crypter.go
generated
vendored
20
vendor/github.com/go-jose/go-jose/v4/crypter.go
generated
vendored
@@ -286,6 +286,10 @@ func makeJWERecipient(alg KeyAlgorithm, encryptionKey interface{}) (recipientKey
|
|||||||
return newSymmetricRecipient(alg, encryptionKey)
|
return newSymmetricRecipient(alg, encryptionKey)
|
||||||
case string:
|
case string:
|
||||||
return newSymmetricRecipient(alg, []byte(encryptionKey))
|
return newSymmetricRecipient(alg, []byte(encryptionKey))
|
||||||
|
case JSONWebKey:
|
||||||
|
recipient, err := makeJWERecipient(alg, encryptionKey.Key)
|
||||||
|
recipient.keyID = encryptionKey.KeyID
|
||||||
|
return recipient, err
|
||||||
case *JSONWebKey:
|
case *JSONWebKey:
|
||||||
recipient, err := makeJWERecipient(alg, encryptionKey.Key)
|
recipient, err := makeJWERecipient(alg, encryptionKey.Key)
|
||||||
recipient.keyID = encryptionKey.KeyID
|
recipient.keyID = encryptionKey.KeyID
|
||||||
@@ -450,13 +454,9 @@ func (obj JSONWebEncryption) Decrypt(decryptionKey interface{}) ([]byte, error)
|
|||||||
return nil, errors.New("go-jose/go-jose: too many recipients in payload; expecting only one")
|
return nil, errors.New("go-jose/go-jose: too many recipients in payload; expecting only one")
|
||||||
}
|
}
|
||||||
|
|
||||||
critical, err := headers.getCritical()
|
err := headers.checkNoCritical()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, fmt.Errorf("go-jose/go-jose: invalid crit header")
|
return nil, err
|
||||||
}
|
|
||||||
|
|
||||||
if len(critical) > 0 {
|
|
||||||
return nil, fmt.Errorf("go-jose/go-jose: unsupported crit header")
|
|
||||||
}
|
}
|
||||||
|
|
||||||
key, err := tryJWKS(decryptionKey, obj.Header)
|
key, err := tryJWKS(decryptionKey, obj.Header)
|
||||||
@@ -523,13 +523,9 @@ func (obj JSONWebEncryption) Decrypt(decryptionKey interface{}) ([]byte, error)
|
|||||||
func (obj JSONWebEncryption) DecryptMulti(decryptionKey interface{}) (int, Header, []byte, error) {
|
func (obj JSONWebEncryption) DecryptMulti(decryptionKey interface{}) (int, Header, []byte, error) {
|
||||||
globalHeaders := obj.mergedHeaders(nil)
|
globalHeaders := obj.mergedHeaders(nil)
|
||||||
|
|
||||||
critical, err := globalHeaders.getCritical()
|
err := globalHeaders.checkNoCritical()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return -1, Header{}, nil, fmt.Errorf("go-jose/go-jose: invalid crit header")
|
return -1, Header{}, nil, err
|
||||||
}
|
|
||||||
|
|
||||||
if len(critical) > 0 {
|
|
||||||
return -1, Header{}, nil, fmt.Errorf("go-jose/go-jose: unsupported crit header")
|
|
||||||
}
|
}
|
||||||
|
|
||||||
key, err := tryJWKS(decryptionKey, obj.Header)
|
key, err := tryJWKS(decryptionKey, obj.Header)
|
||||||
|
|||||||
18
vendor/github.com/go-jose/go-jose/v4/jwe.go
generated
vendored
18
vendor/github.com/go-jose/go-jose/v4/jwe.go
generated
vendored
@@ -274,7 +274,7 @@ func validateAlgEnc(headers rawHeader, keyAlgorithms []KeyAlgorithm, contentEncr
|
|||||||
if alg != "" && !containsKeyAlgorithm(keyAlgorithms, alg) {
|
if alg != "" && !containsKeyAlgorithm(keyAlgorithms, alg) {
|
||||||
return fmt.Errorf("unexpected key algorithm %q; expected %q", alg, keyAlgorithms)
|
return fmt.Errorf("unexpected key algorithm %q; expected %q", alg, keyAlgorithms)
|
||||||
}
|
}
|
||||||
if alg != "" && !containsContentEncryption(contentEncryption, enc) {
|
if enc != "" && !containsContentEncryption(contentEncryption, enc) {
|
||||||
return fmt.Errorf("unexpected content encryption algorithm %q; expected %q", enc, contentEncryption)
|
return fmt.Errorf("unexpected content encryption algorithm %q; expected %q", enc, contentEncryption)
|
||||||
}
|
}
|
||||||
return nil
|
return nil
|
||||||
@@ -288,10 +288,20 @@ func ParseEncryptedCompact(
|
|||||||
keyAlgorithms []KeyAlgorithm,
|
keyAlgorithms []KeyAlgorithm,
|
||||||
contentEncryption []ContentEncryption,
|
contentEncryption []ContentEncryption,
|
||||||
) (*JSONWebEncryption, error) {
|
) (*JSONWebEncryption, error) {
|
||||||
parts := strings.Split(input, ".")
|
var parts [5]string
|
||||||
if len(parts) != 5 {
|
var ok bool
|
||||||
return nil, fmt.Errorf("go-jose/go-jose: compact JWE format must have five parts")
|
|
||||||
|
for i := range 4 {
|
||||||
|
parts[i], input, ok = strings.Cut(input, ".")
|
||||||
|
if !ok {
|
||||||
|
return nil, errors.New("go-jose/go-jose: compact JWE format must have five parts")
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
// Validate that the last part does not contain more dots
|
||||||
|
if strings.ContainsRune(input, '.') {
|
||||||
|
return nil, errors.New("go-jose/go-jose: compact JWE format must have five parts")
|
||||||
|
}
|
||||||
|
parts[4] = input
|
||||||
|
|
||||||
rawProtected, err := base64.RawURLEncoding.DecodeString(parts[0])
|
rawProtected, err := base64.RawURLEncoding.DecodeString(parts[0])
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
|||||||
59
vendor/github.com/go-jose/go-jose/v4/jwk.go
generated
vendored
59
vendor/github.com/go-jose/go-jose/v4/jwk.go
generated
vendored
@@ -175,6 +175,8 @@ func (k JSONWebKey) MarshalJSON() ([]byte, error) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// UnmarshalJSON reads a key from its JSON representation.
|
// UnmarshalJSON reads a key from its JSON representation.
|
||||||
|
//
|
||||||
|
// Returns ErrUnsupportedKeyType for unrecognized or unsupported "kty" header values.
|
||||||
func (k *JSONWebKey) UnmarshalJSON(data []byte) (err error) {
|
func (k *JSONWebKey) UnmarshalJSON(data []byte) (err error) {
|
||||||
var raw rawJSONWebKey
|
var raw rawJSONWebKey
|
||||||
err = json.Unmarshal(data, &raw)
|
err = json.Unmarshal(data, &raw)
|
||||||
@@ -228,7 +230,7 @@ func (k *JSONWebKey) UnmarshalJSON(data []byte) (err error) {
|
|||||||
}
|
}
|
||||||
key, err = raw.symmetricKey()
|
key, err = raw.symmetricKey()
|
||||||
case "OKP":
|
case "OKP":
|
||||||
if raw.Crv == "Ed25519" && raw.X != nil {
|
if raw.Crv == "Ed25519" {
|
||||||
if raw.D != nil {
|
if raw.D != nil {
|
||||||
key, err = raw.edPrivateKey()
|
key, err = raw.edPrivateKey()
|
||||||
if err == nil {
|
if err == nil {
|
||||||
@@ -238,17 +240,27 @@ func (k *JSONWebKey) UnmarshalJSON(data []byte) (err error) {
|
|||||||
key, err = raw.edPublicKey()
|
key, err = raw.edPublicKey()
|
||||||
keyPub = key
|
keyPub = key
|
||||||
}
|
}
|
||||||
} else {
|
|
||||||
err = fmt.Errorf("go-jose/go-jose: unknown curve %s'", raw.Crv)
|
|
||||||
}
|
}
|
||||||
default:
|
case "":
|
||||||
err = fmt.Errorf("go-jose/go-jose: unknown json web key type '%s'", raw.Kty)
|
// kty MUST be present
|
||||||
|
err = fmt.Errorf("go-jose/go-jose: missing json web key type")
|
||||||
}
|
}
|
||||||
|
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if key == nil {
|
||||||
|
// RFC 7517:
|
||||||
|
// 5. JWK Set Format
|
||||||
|
// ...
|
||||||
|
// Implementations SHOULD ignore JWKs within a JWK Set that use "kty"
|
||||||
|
// (key type) values that are not understood by them, that are missing
|
||||||
|
// required members, or for which values are out of the supported
|
||||||
|
// ranges.
|
||||||
|
return ErrUnsupportedKeyType
|
||||||
|
}
|
||||||
|
|
||||||
if certPub != nil && keyPub != nil {
|
if certPub != nil && keyPub != nil {
|
||||||
if !reflect.DeepEqual(certPub, keyPub) {
|
if !reflect.DeepEqual(certPub, keyPub) {
|
||||||
return errors.New("go-jose/go-jose: invalid JWK, public keys in key and x5c fields do not match")
|
return errors.New("go-jose/go-jose: invalid JWK, public keys in key and x5c fields do not match")
|
||||||
@@ -581,10 +593,10 @@ func fromEcPublicKey(pub *ecdsa.PublicKey) (*rawJSONWebKey, error) {
|
|||||||
|
|
||||||
func (key rawJSONWebKey) edPrivateKey() (ed25519.PrivateKey, error) {
|
func (key rawJSONWebKey) edPrivateKey() (ed25519.PrivateKey, error) {
|
||||||
var missing []string
|
var missing []string
|
||||||
switch {
|
if key.D == nil {
|
||||||
case key.D == nil:
|
|
||||||
missing = append(missing, "D")
|
missing = append(missing, "D")
|
||||||
case key.X == nil:
|
}
|
||||||
|
if key.X == nil {
|
||||||
missing = append(missing, "X")
|
missing = append(missing, "X")
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -611,19 +623,21 @@ func (key rawJSONWebKey) edPublicKey() (ed25519.PublicKey, error) {
|
|||||||
|
|
||||||
func (key rawJSONWebKey) rsaPrivateKey() (*rsa.PrivateKey, error) {
|
func (key rawJSONWebKey) rsaPrivateKey() (*rsa.PrivateKey, error) {
|
||||||
var missing []string
|
var missing []string
|
||||||
switch {
|
if key.N == nil {
|
||||||
case key.N == nil:
|
|
||||||
missing = append(missing, "N")
|
missing = append(missing, "N")
|
||||||
case key.E == nil:
|
}
|
||||||
|
if key.E == nil {
|
||||||
missing = append(missing, "E")
|
missing = append(missing, "E")
|
||||||
case key.D == nil:
|
}
|
||||||
|
if key.D == nil {
|
||||||
missing = append(missing, "D")
|
missing = append(missing, "D")
|
||||||
case key.P == nil:
|
}
|
||||||
|
if key.P == nil {
|
||||||
missing = append(missing, "P")
|
missing = append(missing, "P")
|
||||||
case key.Q == nil:
|
}
|
||||||
|
if key.Q == nil {
|
||||||
missing = append(missing, "Q")
|
missing = append(missing, "Q")
|
||||||
}
|
}
|
||||||
|
|
||||||
if len(missing) > 0 {
|
if len(missing) > 0 {
|
||||||
return nil, fmt.Errorf("go-jose/go-jose: invalid RSA private key, missing %s value(s)", strings.Join(missing, ", "))
|
return nil, fmt.Errorf("go-jose/go-jose: invalid RSA private key, missing %s value(s)", strings.Join(missing, ", "))
|
||||||
}
|
}
|
||||||
@@ -698,8 +712,19 @@ func (key rawJSONWebKey) ecPrivateKey() (*ecdsa.PrivateKey, error) {
|
|||||||
return nil, fmt.Errorf("go-jose/go-jose: unsupported elliptic curve '%s'", key.Crv)
|
return nil, fmt.Errorf("go-jose/go-jose: unsupported elliptic curve '%s'", key.Crv)
|
||||||
}
|
}
|
||||||
|
|
||||||
if key.X == nil || key.Y == nil || key.D == nil {
|
var missing []string
|
||||||
return nil, fmt.Errorf("go-jose/go-jose: invalid EC private key, missing x/y/d values")
|
if key.X == nil {
|
||||||
|
missing = append(missing, "X")
|
||||||
|
}
|
||||||
|
if key.Y == nil {
|
||||||
|
missing = append(missing, "Y")
|
||||||
|
}
|
||||||
|
if key.D == nil {
|
||||||
|
missing = append(missing, "D")
|
||||||
|
}
|
||||||
|
|
||||||
|
if len(missing) > 0 {
|
||||||
|
return nil, fmt.Errorf("go-jose/go-jose: invalid EC private key, missing %s value(s)", strings.Join(missing, ", "))
|
||||||
}
|
}
|
||||||
|
|
||||||
// The length of this octet string MUST be the full size of a coordinate for
|
// The length of this octet string MUST be the full size of a coordinate for
|
||||||
|
|||||||
73
vendor/github.com/go-jose/go-jose/v4/jws.go
generated
vendored
73
vendor/github.com/go-jose/go-jose/v4/jws.go
generated
vendored
@@ -75,7 +75,14 @@ type Signature struct {
|
|||||||
original *rawSignatureInfo
|
original *rawSignatureInfo
|
||||||
}
|
}
|
||||||
|
|
||||||
// ParseSigned parses a signed message in JWS Compact or JWS JSON Serialization.
|
// ParseSigned parses a signed message in JWS Compact or JWS JSON Serialization. Validation fails if
|
||||||
|
// the JWS is signed with an algorithm that isn't in the provided list of signature algorithms.
|
||||||
|
// Applications should decide for themselves which signature algorithms are acceptable. If you're
|
||||||
|
// not sure which signature algorithms your application might receive, consult the documentation of
|
||||||
|
// the program which provides them or the protocol that you are implementing. You can also try
|
||||||
|
// getting an example JWS and decoding it with a tool like https://jwt.io to see what its "alg"
|
||||||
|
// header parameter indicates. The signature on the JWS does not get validated during parsing. Call
|
||||||
|
// Verify() after parsing to validate the signature and obtain the payload.
|
||||||
//
|
//
|
||||||
// https://datatracker.ietf.org/doc/html/rfc7515#section-7
|
// https://datatracker.ietf.org/doc/html/rfc7515#section-7
|
||||||
func ParseSigned(
|
func ParseSigned(
|
||||||
@@ -90,7 +97,14 @@ func ParseSigned(
|
|||||||
return parseSignedCompact(signature, nil, signatureAlgorithms)
|
return parseSignedCompact(signature, nil, signatureAlgorithms)
|
||||||
}
|
}
|
||||||
|
|
||||||
// ParseSignedCompact parses a message in JWS Compact Serialization.
|
// ParseSignedCompact parses a message in JWS Compact Serialization. Validation fails if the JWS is
|
||||||
|
// signed with an algorithm that isn't in the provided list of signature algorithms. Applications
|
||||||
|
// should decide for themselves which signature algorithms are acceptable.If you're not sure which
|
||||||
|
// signature algorithms your application might receive, consult the documentation of the program
|
||||||
|
// which provides them or the protocol that you are implementing. You can also try getting an
|
||||||
|
// example JWS and decoding it with a tool like https://jwt.io to see what its "alg" header
|
||||||
|
// parameter indicates. The signature on the JWS does not get validated during parsing. Call
|
||||||
|
// Verify() after parsing to validate the signature and obtain the payload.
|
||||||
//
|
//
|
||||||
// https://datatracker.ietf.org/doc/html/rfc7515#section-7.1
|
// https://datatracker.ietf.org/doc/html/rfc7515#section-7.1
|
||||||
func ParseSignedCompact(
|
func ParseSignedCompact(
|
||||||
@@ -101,6 +115,15 @@ func ParseSignedCompact(
|
|||||||
}
|
}
|
||||||
|
|
||||||
// ParseDetached parses a signed message in compact serialization format with detached payload.
|
// ParseDetached parses a signed message in compact serialization format with detached payload.
|
||||||
|
// Validation fails if the JWS is signed with an algorithm that isn't in the provided list of
|
||||||
|
// signature algorithms. Applications should decide for themselves which signature algorithms are
|
||||||
|
// acceptable. If you're not sure which signature algorithms your application might receive, consult
|
||||||
|
// the documentation of the program which provides them or the protocol that you are implementing.
|
||||||
|
// You can also try getting an example JWS and decoding it with a tool like https://jwt.io to see
|
||||||
|
// what its "alg" header parameter indicates. The signature on the JWS does not get validated during
|
||||||
|
// parsing. Call Verify() after parsing to validate the signature and obtain the payload.
|
||||||
|
//
|
||||||
|
// https://datatracker.ietf.org/doc/html/rfc7515#appendix-F
|
||||||
func ParseDetached(
|
func ParseDetached(
|
||||||
signature string,
|
signature string,
|
||||||
payload []byte,
|
payload []byte,
|
||||||
@@ -181,6 +204,25 @@ func containsSignatureAlgorithm(haystack []SignatureAlgorithm, needle SignatureA
|
|||||||
return false
|
return false
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// ErrUnexpectedSignatureAlgorithm is returned when the signature algorithm in
|
||||||
|
// the JWS header does not match one of the expected algorithms.
|
||||||
|
type ErrUnexpectedSignatureAlgorithm struct {
|
||||||
|
// Got is the signature algorithm found in the JWS header.
|
||||||
|
Got SignatureAlgorithm
|
||||||
|
expected []SignatureAlgorithm
|
||||||
|
}
|
||||||
|
|
||||||
|
func (e *ErrUnexpectedSignatureAlgorithm) Error() string {
|
||||||
|
return fmt.Sprintf("unexpected signature algorithm %q; expected %q", e.Got, e.expected)
|
||||||
|
}
|
||||||
|
|
||||||
|
func newErrUnexpectedSignatureAlgorithm(got SignatureAlgorithm, expected []SignatureAlgorithm) error {
|
||||||
|
return &ErrUnexpectedSignatureAlgorithm{
|
||||||
|
Got: got,
|
||||||
|
expected: expected,
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
// sanitized produces a cleaned-up JWS object from the raw JSON.
|
// sanitized produces a cleaned-up JWS object from the raw JSON.
|
||||||
func (parsed *rawJSONWebSignature) sanitized(signatureAlgorithms []SignatureAlgorithm) (*JSONWebSignature, error) {
|
func (parsed *rawJSONWebSignature) sanitized(signatureAlgorithms []SignatureAlgorithm) (*JSONWebSignature, error) {
|
||||||
if len(signatureAlgorithms) == 0 {
|
if len(signatureAlgorithms) == 0 {
|
||||||
@@ -236,8 +278,7 @@ func (parsed *rawJSONWebSignature) sanitized(signatureAlgorithms []SignatureAlgo
|
|||||||
|
|
||||||
alg := SignatureAlgorithm(signature.Header.Algorithm)
|
alg := SignatureAlgorithm(signature.Header.Algorithm)
|
||||||
if !containsSignatureAlgorithm(signatureAlgorithms, alg) {
|
if !containsSignatureAlgorithm(signatureAlgorithms, alg) {
|
||||||
return nil, fmt.Errorf("go-jose/go-jose: unexpected signature algorithm %q; expected %q",
|
return nil, newErrUnexpectedSignatureAlgorithm(alg, signatureAlgorithms)
|
||||||
alg, signatureAlgorithms)
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if signature.header != nil {
|
if signature.header != nil {
|
||||||
@@ -285,8 +326,7 @@ func (parsed *rawJSONWebSignature) sanitized(signatureAlgorithms []SignatureAlgo
|
|||||||
|
|
||||||
alg := SignatureAlgorithm(obj.Signatures[i].Header.Algorithm)
|
alg := SignatureAlgorithm(obj.Signatures[i].Header.Algorithm)
|
||||||
if !containsSignatureAlgorithm(signatureAlgorithms, alg) {
|
if !containsSignatureAlgorithm(signatureAlgorithms, alg) {
|
||||||
return nil, fmt.Errorf("go-jose/go-jose: unexpected signature algorithm %q; expected %q",
|
return nil, newErrUnexpectedSignatureAlgorithm(alg, signatureAlgorithms)
|
||||||
alg, signatureAlgorithms)
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if obj.Signatures[i].header != nil {
|
if obj.Signatures[i].header != nil {
|
||||||
@@ -321,34 +361,43 @@ func (parsed *rawJSONWebSignature) sanitized(signatureAlgorithms []SignatureAlgo
|
|||||||
return obj, nil
|
return obj, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
const tokenDelim = "."
|
||||||
|
|
||||||
// parseSignedCompact parses a message in compact format.
|
// parseSignedCompact parses a message in compact format.
|
||||||
func parseSignedCompact(
|
func parseSignedCompact(
|
||||||
input string,
|
input string,
|
||||||
payload []byte,
|
payload []byte,
|
||||||
signatureAlgorithms []SignatureAlgorithm,
|
signatureAlgorithms []SignatureAlgorithm,
|
||||||
) (*JSONWebSignature, error) {
|
) (*JSONWebSignature, error) {
|
||||||
parts := strings.Split(input, ".")
|
protected, s, ok := strings.Cut(input, tokenDelim)
|
||||||
if len(parts) != 3 {
|
if !ok { // no period found
|
||||||
|
return nil, fmt.Errorf("go-jose/go-jose: compact JWS format must have three parts")
|
||||||
|
}
|
||||||
|
claims, sig, ok := strings.Cut(s, tokenDelim)
|
||||||
|
if !ok { // only one period found
|
||||||
|
return nil, fmt.Errorf("go-jose/go-jose: compact JWS format must have three parts")
|
||||||
|
}
|
||||||
|
if strings.ContainsRune(sig, '.') { // too many periods found
|
||||||
return nil, fmt.Errorf("go-jose/go-jose: compact JWS format must have three parts")
|
return nil, fmt.Errorf("go-jose/go-jose: compact JWS format must have three parts")
|
||||||
}
|
}
|
||||||
|
|
||||||
if parts[1] != "" && payload != nil {
|
if claims != "" && payload != nil {
|
||||||
return nil, fmt.Errorf("go-jose/go-jose: payload is not detached")
|
return nil, fmt.Errorf("go-jose/go-jose: payload is not detached")
|
||||||
}
|
}
|
||||||
|
|
||||||
rawProtected, err := base64.RawURLEncoding.DecodeString(parts[0])
|
rawProtected, err := base64.RawURLEncoding.DecodeString(protected)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
if payload == nil {
|
if payload == nil {
|
||||||
payload, err = base64.RawURLEncoding.DecodeString(parts[1])
|
payload, err = base64.RawURLEncoding.DecodeString(claims)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
signature, err := base64.RawURLEncoding.DecodeString(parts[2])
|
signature, err := base64.RawURLEncoding.DecodeString(sig)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|||||||
33
vendor/github.com/go-jose/go-jose/v4/shared.go
generated
vendored
33
vendor/github.com/go-jose/go-jose/v4/shared.go
generated
vendored
@@ -77,6 +77,9 @@ var (
|
|||||||
|
|
||||||
// ErrUnsupportedEllipticCurve indicates unsupported or unknown elliptic curve has been found.
|
// ErrUnsupportedEllipticCurve indicates unsupported or unknown elliptic curve has been found.
|
||||||
ErrUnsupportedEllipticCurve = errors.New("go-jose/go-jose: unsupported/unknown elliptic curve")
|
ErrUnsupportedEllipticCurve = errors.New("go-jose/go-jose: unsupported/unknown elliptic curve")
|
||||||
|
|
||||||
|
// ErrUnsupportedCriticalHeader is returned when a header is marked critical but not supported by go-jose.
|
||||||
|
ErrUnsupportedCriticalHeader = errors.New("go-jose/go-jose: unsupported critical header")
|
||||||
)
|
)
|
||||||
|
|
||||||
// Key management algorithms
|
// Key management algorithms
|
||||||
@@ -167,8 +170,8 @@ const (
|
|||||||
)
|
)
|
||||||
|
|
||||||
// supportedCritical is the set of supported extensions that are understood and processed.
|
// supportedCritical is the set of supported extensions that are understood and processed.
|
||||||
var supportedCritical = map[string]bool{
|
var supportedCritical = map[string]struct{}{
|
||||||
headerB64: true,
|
headerB64: {},
|
||||||
}
|
}
|
||||||
|
|
||||||
// rawHeader represents the JOSE header for JWE/JWS objects (used for parsing).
|
// rawHeader represents the JOSE header for JWE/JWS objects (used for parsing).
|
||||||
@@ -346,6 +349,32 @@ func (parsed rawHeader) getCritical() ([]string, error) {
|
|||||||
return q, nil
|
return q, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// checkNoCritical verifies there are no critical headers present.
|
||||||
|
func (parsed rawHeader) checkNoCritical() error {
|
||||||
|
if _, ok := parsed[headerCritical]; ok {
|
||||||
|
return ErrUnsupportedCriticalHeader
|
||||||
|
}
|
||||||
|
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// checkSupportedCritical verifies there are no unsupported critical headers.
|
||||||
|
// Supported headers are passed in as a set: map of names to empty structs
|
||||||
|
func (parsed rawHeader) checkSupportedCritical(supported map[string]struct{}) error {
|
||||||
|
crit, err := parsed.getCritical()
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
for _, name := range crit {
|
||||||
|
if _, ok := supported[name]; !ok {
|
||||||
|
return ErrUnsupportedCriticalHeader
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
// getS2C extracts parsed "p2c" from the raw JSON.
|
// getS2C extracts parsed "p2c" from the raw JSON.
|
||||||
func (parsed rawHeader) getP2C() (int, error) {
|
func (parsed rawHeader) getP2C() (int, error) {
|
||||||
v := parsed[headerP2C]
|
v := parsed[headerP2C]
|
||||||
|
|||||||
44
vendor/github.com/go-jose/go-jose/v4/signing.go
generated
vendored
44
vendor/github.com/go-jose/go-jose/v4/signing.go
generated
vendored
@@ -404,15 +404,23 @@ func (obj JSONWebSignature) DetachedVerify(payload []byte, verificationKey inter
|
|||||||
}
|
}
|
||||||
|
|
||||||
signature := obj.Signatures[0]
|
signature := obj.Signatures[0]
|
||||||
headers := signature.mergedHeaders()
|
|
||||||
critical, err := headers.getCritical()
|
if signature.header != nil {
|
||||||
if err != nil {
|
// Per https://www.rfc-editor.org/rfc/rfc7515.html#section-4.1.11,
|
||||||
return err
|
// 4.1.11. "crit" (Critical) Header Parameter
|
||||||
|
// "When used, this Header Parameter MUST be integrity
|
||||||
|
// protected; therefore, it MUST occur only within the JWS
|
||||||
|
// Protected Header."
|
||||||
|
err = signature.header.checkNoCritical()
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
for _, name := range critical {
|
if signature.protected != nil {
|
||||||
if !supportedCritical[name] {
|
err = signature.protected.checkSupportedCritical(supportedCritical)
|
||||||
return ErrCryptoFailure
|
if err != nil {
|
||||||
|
return err
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -421,6 +429,7 @@ func (obj JSONWebSignature) DetachedVerify(payload []byte, verificationKey inter
|
|||||||
return ErrCryptoFailure
|
return ErrCryptoFailure
|
||||||
}
|
}
|
||||||
|
|
||||||
|
headers := signature.mergedHeaders()
|
||||||
alg := headers.getSignatureAlgorithm()
|
alg := headers.getSignatureAlgorithm()
|
||||||
err = verifier.verifyPayload(input, signature.Signature, alg)
|
err = verifier.verifyPayload(input, signature.Signature, alg)
|
||||||
if err == nil {
|
if err == nil {
|
||||||
@@ -469,14 +478,22 @@ func (obj JSONWebSignature) DetachedVerifyMulti(payload []byte, verificationKey
|
|||||||
|
|
||||||
outer:
|
outer:
|
||||||
for i, signature := range obj.Signatures {
|
for i, signature := range obj.Signatures {
|
||||||
headers := signature.mergedHeaders()
|
if signature.header != nil {
|
||||||
critical, err := headers.getCritical()
|
// Per https://www.rfc-editor.org/rfc/rfc7515.html#section-4.1.11,
|
||||||
if err != nil {
|
// 4.1.11. "crit" (Critical) Header Parameter
|
||||||
continue
|
// "When used, this Header Parameter MUST be integrity
|
||||||
|
// protected; therefore, it MUST occur only within the JWS
|
||||||
|
// Protected Header."
|
||||||
|
err = signature.header.checkNoCritical()
|
||||||
|
if err != nil {
|
||||||
|
continue outer
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
for _, name := range critical {
|
if signature.protected != nil {
|
||||||
if !supportedCritical[name] {
|
// Check for only supported critical headers
|
||||||
|
err = signature.protected.checkSupportedCritical(supportedCritical)
|
||||||
|
if err != nil {
|
||||||
continue outer
|
continue outer
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@@ -486,6 +503,7 @@ outer:
|
|||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
|
|
||||||
|
headers := signature.mergedHeaders()
|
||||||
alg := headers.getSignatureAlgorithm()
|
alg := headers.getSignatureAlgorithm()
|
||||||
err = verifier.verifyPayload(input, signature.Signature, alg)
|
err = verifier.verifyPayload(input, signature.Signature, alg)
|
||||||
if err == nil {
|
if err == nil {
|
||||||
|
|||||||
39
vendor/github.com/go-jose/go-jose/v4/symmetric.go
generated
vendored
39
vendor/github.com/go-jose/go-jose/v4/symmetric.go
generated
vendored
@@ -21,6 +21,7 @@ import (
|
|||||||
"crypto/aes"
|
"crypto/aes"
|
||||||
"crypto/cipher"
|
"crypto/cipher"
|
||||||
"crypto/hmac"
|
"crypto/hmac"
|
||||||
|
"crypto/pbkdf2"
|
||||||
"crypto/rand"
|
"crypto/rand"
|
||||||
"crypto/sha256"
|
"crypto/sha256"
|
||||||
"crypto/sha512"
|
"crypto/sha512"
|
||||||
@@ -30,8 +31,6 @@ import (
|
|||||||
"hash"
|
"hash"
|
||||||
"io"
|
"io"
|
||||||
|
|
||||||
"golang.org/x/crypto/pbkdf2"
|
|
||||||
|
|
||||||
josecipher "github.com/go-jose/go-jose/v4/cipher"
|
josecipher "github.com/go-jose/go-jose/v4/cipher"
|
||||||
)
|
)
|
||||||
|
|
||||||
@@ -330,7 +329,10 @@ func (ctx *symmetricKeyCipher) encryptKey(cek []byte, alg KeyAlgorithm) (recipie
|
|||||||
|
|
||||||
// derive key
|
// derive key
|
||||||
keyLen, h := getPbkdf2Params(alg)
|
keyLen, h := getPbkdf2Params(alg)
|
||||||
key := pbkdf2.Key(ctx.key, salt, ctx.p2c, keyLen, h)
|
key, err := pbkdf2.Key(h, string(ctx.key), salt, ctx.p2c, keyLen)
|
||||||
|
if err != nil {
|
||||||
|
return recipientInfo{}, nil
|
||||||
|
}
|
||||||
|
|
||||||
// use AES cipher with derived key
|
// use AES cipher with derived key
|
||||||
block, err := aes.NewCipher(key)
|
block, err := aes.NewCipher(key)
|
||||||
@@ -364,11 +366,21 @@ func (ctx *symmetricKeyCipher) encryptKey(cek []byte, alg KeyAlgorithm) (recipie
|
|||||||
|
|
||||||
// Decrypt the content encryption key.
|
// Decrypt the content encryption key.
|
||||||
func (ctx *symmetricKeyCipher) decryptKey(headers rawHeader, recipient *recipientInfo, generator keyGenerator) ([]byte, error) {
|
func (ctx *symmetricKeyCipher) decryptKey(headers rawHeader, recipient *recipientInfo, generator keyGenerator) ([]byte, error) {
|
||||||
switch headers.getAlgorithm() {
|
if recipient == nil {
|
||||||
case DIRECT:
|
return nil, fmt.Errorf("go-jose/go-jose: missing recipient")
|
||||||
cek := make([]byte, len(ctx.key))
|
}
|
||||||
copy(cek, ctx.key)
|
|
||||||
return cek, nil
|
alg := headers.getAlgorithm()
|
||||||
|
if alg == DIRECT {
|
||||||
|
return bytes.Clone(ctx.key), nil
|
||||||
|
}
|
||||||
|
|
||||||
|
encryptedKey := recipient.encryptedKey
|
||||||
|
if len(encryptedKey) == 0 {
|
||||||
|
return nil, fmt.Errorf("go-jose/go-jose: missing JWE Encrypted Key")
|
||||||
|
}
|
||||||
|
|
||||||
|
switch alg {
|
||||||
case A128GCMKW, A192GCMKW, A256GCMKW:
|
case A128GCMKW, A192GCMKW, A256GCMKW:
|
||||||
aead := newAESGCM(len(ctx.key))
|
aead := newAESGCM(len(ctx.key))
|
||||||
|
|
||||||
@@ -383,7 +395,7 @@ func (ctx *symmetricKeyCipher) decryptKey(headers rawHeader, recipient *recipien
|
|||||||
|
|
||||||
parts := &aeadParts{
|
parts := &aeadParts{
|
||||||
iv: iv.bytes(),
|
iv: iv.bytes(),
|
||||||
ciphertext: recipient.encryptedKey,
|
ciphertext: encryptedKey,
|
||||||
tag: tag.bytes(),
|
tag: tag.bytes(),
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -399,7 +411,7 @@ func (ctx *symmetricKeyCipher) decryptKey(headers rawHeader, recipient *recipien
|
|||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
cek, err := josecipher.KeyUnwrap(block, recipient.encryptedKey)
|
cek, err := josecipher.KeyUnwrap(block, encryptedKey)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
@@ -432,7 +444,10 @@ func (ctx *symmetricKeyCipher) decryptKey(headers rawHeader, recipient *recipien
|
|||||||
|
|
||||||
// derive key
|
// derive key
|
||||||
keyLen, h := getPbkdf2Params(alg)
|
keyLen, h := getPbkdf2Params(alg)
|
||||||
key := pbkdf2.Key(ctx.key, salt, p2c, keyLen, h)
|
key, err := pbkdf2.Key(h, string(ctx.key), salt, p2c, keyLen)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
// use AES cipher with derived key
|
// use AES cipher with derived key
|
||||||
block, err := aes.NewCipher(key)
|
block, err := aes.NewCipher(key)
|
||||||
@@ -440,7 +455,7 @@ func (ctx *symmetricKeyCipher) decryptKey(headers rawHeader, recipient *recipien
|
|||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
cek, err := josecipher.KeyUnwrap(block, recipient.encryptedKey)
|
cek, err := josecipher.KeyUnwrap(block, encryptedKey)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|||||||
6
vendor/modules.txt
vendored
6
vendor/modules.txt
vendored
@@ -282,13 +282,13 @@ github.com/docker/go-units
|
|||||||
# github.com/felixge/httpsnoop v1.0.4
|
# github.com/felixge/httpsnoop v1.0.4
|
||||||
## explicit; go 1.13
|
## explicit; go 1.13
|
||||||
github.com/felixge/httpsnoop
|
github.com/felixge/httpsnoop
|
||||||
# github.com/go-jose/go-jose/v3 v3.0.3
|
# github.com/go-jose/go-jose/v3 v3.0.4
|
||||||
## explicit; go 1.12
|
## explicit; go 1.12
|
||||||
github.com/go-jose/go-jose/v3
|
github.com/go-jose/go-jose/v3
|
||||||
github.com/go-jose/go-jose/v3/cipher
|
github.com/go-jose/go-jose/v3/cipher
|
||||||
github.com/go-jose/go-jose/v3/json
|
github.com/go-jose/go-jose/v3/json
|
||||||
# github.com/go-jose/go-jose/v4 v4.0.4
|
# github.com/go-jose/go-jose/v4 v4.1.4
|
||||||
## explicit; go 1.21
|
## explicit; go 1.24.0
|
||||||
github.com/go-jose/go-jose/v4
|
github.com/go-jose/go-jose/v4
|
||||||
github.com/go-jose/go-jose/v4/cipher
|
github.com/go-jose/go-jose/v4/cipher
|
||||||
github.com/go-jose/go-jose/v4/json
|
github.com/go-jose/go-jose/v4/json
|
||||||
|
|||||||
@@ -1,4 +1,4 @@
|
|||||||
package version
|
package version
|
||||||
|
|
||||||
// Version is the version of the build.
|
// Version is the version of the build.
|
||||||
const Version = "1.18.0"
|
const Version = "1.18.2"
|
||||||
|
|||||||
Reference in New Issue
Block a user