Merge pull request containerd#3452 from lumjjb/keybundles

estesp · web-flow · commit 7ff23438f64c · 2019-07-25T14:57:59.000-04:00
Create CryptoConfig constructors to replace dcparameters
diff --git a/cmd/ctr/commands/images/crypt_utils.go b/cmd/ctr/commands/images/crypt_utils.go
@@ -191,21 +191,21 @@ func createGPGClient(context *cli.Context) (encryption.GPGClient, error) {
 	return encryption.NewGPGClient(context.String("gpg-version"), context.String("gpg-homedir"))
 }
 
-func getGPGPrivateKeys(context *cli.Context, gpgSecretKeyRingFiles [][]byte, descs []ocispec.Descriptor, mustFindKey bool, dcparameters map[string][][]byte) error {
+func getGPGPrivateKeys(context *cli.Context, gpgSecretKeyRingFiles [][]byte, descs []ocispec.Descriptor, mustFindKey bool) (gpgPrivKeys [][]byte, gpgPrivKeysPwds [][]byte, err error) {
 	gpgClient, err := createGPGClient(context)
 	if err != nil {
-		return err
+		return nil, nil, err
 	}
 
 	var gpgVault encryption.GPGVault
 	if len(gpgSecretKeyRingFiles) > 0 {
 		gpgVault = encryption.NewGPGVault()
 		err = gpgVault.AddSecretKeyRingDataArray(gpgSecretKeyRingFiles)
 		if err != nil {
-			return err
+			return nil, nil, err
 		}
 	}
-	return encryption.GPGGetPrivateKey(descs, gpgClient, gpgVault, mustFindKey, dcparameters)
+	return encryption.GPGGetPrivateKey(descs, gpgClient, gpgVault, mustFindKey)
 }
 
 func createLayerFilter(client *containerd.Client, ctx gocontext.Context, desc ocispec.Descriptor, layers []int32, platformList []ocispec.Platform) (imgenc.LayerFilter, error) {
@@ -359,47 +359,62 @@ func filterLayerDescriptors(alldescs []ocispec.Descriptor, layers []int32, pl []
 	return layerInfos, descs
 }
 
-// CreateDcParameters creates the decryption parameter map from command line options and possibly
+// CreateDecryptCryptoConfig creates the CryptoConfig object that contains the necessary
+// information to perform decryption from command line options and possibly
 // LayerInfos describing the image and helping us to query for the PGP decryption keys
-func CreateDcParameters(context *cli.Context, descs []ocispec.Descriptor) (map[string][][]byte, error) {
-	dcparameters := make(map[string][][]byte)
+func CreateDecryptCryptoConfig(context *cli.Context, descs []ocispec.Descriptor) (encconfig.CryptoConfig, error) {
+	ccs := []encconfig.CryptoConfig{}
 
 	// x509 cert is needed for PKCS7 decryption
 	_, _, x509s, err := processRecipientKeys(context.StringSlice("dec-recipient"))
 	if err != nil {
-		return nil, err
+		return encconfig.CryptoConfig{}, err
 	}
 
 	gpgSecretKeyRingFiles, gpgSecretKeyPasswords, privKeys, privKeysPasswords, err := processPrivateKeyFiles(context.StringSlice("key"))
 	if err != nil {
-		return nil, err
+		return encconfig.CryptoConfig{}, err
 	}
 
 	_, err = createGPGClient(context)
 	gpgInstalled := err == nil
 	if gpgInstalled {
 		if len(gpgSecretKeyRingFiles) == 0 && len(privKeys) == 0 && descs != nil {
 			// Get pgp private keys from keyring only if no private key was passed
-			err = getGPGPrivateKeys(context, gpgSecretKeyRingFiles, descs, true, dcparameters)
+			gpgPrivKeys, gpgPrivKeyPasswords, err := getGPGPrivateKeys(context, gpgSecretKeyRingFiles, descs, true)
 			if err != nil {
-				return nil, err
+				return encconfig.CryptoConfig{}, err
 			}
-		} else {
-			if len(gpgSecretKeyRingFiles) == 0 {
-				dcparameters["gpg-client"] = [][]byte{[]byte("1")}
-				dcparameters["gpg-client-version"] = [][]byte{[]byte(context.String("gpg-version"))}
-				dcparameters["gpg-client-homedir"] = [][]byte{[]byte(context.String("gpg-homedir"))}
-			} else {
-				dcparameters["gpg-privatekeys"] = gpgSecretKeyRingFiles
-				dcparameters["gpg-privatekeys-passwords"] = gpgSecretKeyPasswords
+
+			gpgCc, err := encconfig.DecryptWithGpgPrivKeys(gpgPrivKeys, gpgPrivKeyPasswords)
+			if err != nil {
+				return encconfig.CryptoConfig{}, err
+			}
+			ccs = append(ccs, gpgCc)
+
+		} else if len(gpgSecretKeyRingFiles) > 0 {
+			gpgCc, err := encconfig.DecryptWithGpgPrivKeys(gpgSecretKeyRingFiles, gpgSecretKeyPasswords)
+			if err != nil {
+				return encconfig.CryptoConfig{}, err
 			}
+			ccs = append(ccs, gpgCc)
+
 		}
 	}
-	dcparameters["privkeys"] = privKeys
-	dcparameters["privkeys-passwords"] = privKeysPasswords
-	dcparameters["x509s"] = x509s
 
-	return dcparameters, nil
+	x509sCc, err := encconfig.DecryptWithX509s(x509s)
+	if err != nil {
+		return encconfig.CryptoConfig{}, err
+	}
+	ccs = append(ccs, x509sCc)
+
+	privKeysCc, err := encconfig.DecryptWithPrivKeys(privKeys, privKeysPasswords)
+	if err != nil {
+		return encconfig.CryptoConfig{}, err
+	}
+	ccs = append(ccs, privKeysCc)
+
+	return encconfig.CombineCryptoConfigs(ccs), nil
 }
 
 // parsePlatformArray parses an array of specifiers and converts them into an array of specs.Platform
diff --git a/cmd/ctr/commands/images/decrypt.go b/cmd/ctr/commands/images/decrypt.go
@@ -21,7 +21,6 @@ import (
 
 	"github.com/containerd/containerd/cmd/ctr/commands"
 	imgenc "github.com/containerd/containerd/images/encryption"
-	encconfig "github.com/containerd/containerd/pkg/encryption/config"
 	"github.com/pkg/errors"
 	"github.com/urfave/cli"
 )
@@ -83,14 +82,12 @@ var decryptCommand = cli.Command{
 			return nil
 		}
 
-		dcparameters, err := CreateDcParameters(context, descs)
+		cc, err := CreateDecryptCryptoConfig(context, descs)
 		if err != nil {
 			return err
 		}
 
-		cc := encconfig.InitDecryption(dcparameters)
-
-		_, err = decryptImage(client, ctx, local, newName, cc, layers32, context.StringSlice("platform"))
+		_, err = decryptImage(client, ctx, local, newName, &cc, layers32, context.StringSlice("platform"))
 
 		return err
 	},
diff --git a/cmd/ctr/commands/images/encrypt.go b/cmd/ctr/commands/images/encrypt.go
@@ -77,45 +77,21 @@ var encryptCommand = cli.Command{
 
 		layers32 := commands.IntToInt32Array(context.IntSlice("layer"))
 
-		gpgSecretKeyRingFiles, _, privKeys, privKeysPasswords, err := processPrivateKeyFiles(context.StringSlice("key"))
-		if err != nil {
-			return err
-		}
-
 		gpgRecipients, pubKeys, x509s, err := processRecipientKeys(recipients)
 		if err != nil {
 			return err
 		}
 
-		_, _, decX509s, err := processRecipientKeys(context.StringSlice("dec-recipient"))
-		if err != nil {
-			return err
-		}
-
-		dcparameters := make(map[string][][]byte)
-		parameters := make(map[string][][]byte)
-
-		parameters["pubkeys"] = pubKeys
-		parameters["x509s"] = x509s
-
 		_, descs, err := getImageLayerInfos(client, ctx, local, layers32, context.StringSlice("platform"))
 		if err != nil {
 			return err
 		}
 
+		encryptCcs := []encconfig.CryptoConfig{}
 		_, err = createGPGClient(context)
 		gpgInstalled := err == nil
-		if len(privKeys) == 0 && gpgInstalled {
-			// Get pgp private keys from keyring only if no private key was passed
-			err = getGPGPrivateKeys(context, gpgSecretKeyRingFiles, descs, true, dcparameters)
-			if err != nil {
-				return err
-			}
-		}
 
 		if len(gpgRecipients) > 0 && gpgInstalled {
-			parameters["gpg-recipients"] = gpgRecipients
-
 			gpgClient, err := createGPGClient(context)
 			if err != nil {
 				return err
@@ -126,16 +102,38 @@ var encryptCommand = cli.Command{
 				return err
 			}
 
-			parameters["gpg-pubkeyringfile"] = [][]byte{gpgPubRingFile}
+			gpgCc, err := encconfig.EncryptWithGpg(gpgRecipients, gpgPubRingFile)
+			if err != nil {
+				return err
+			}
+			encryptCcs = append(encryptCcs, gpgCc)
+
 		}
 
-		dcparameters["privkeys"] = privKeys
-		dcparameters["privkeys-passwords"] = privKeysPasswords
-		dcparameters["x509s"] = decX509s
+		// Create Encryption Crypto Config
+		pkcs7Cc, err := encconfig.EncryptWithPkcs7(x509s)
+		if err != nil {
+			return err
+		}
+		encryptCcs = append(encryptCcs, pkcs7Cc)
 
-		cc := encconfig.InitEncryption(parameters, dcparameters)
+		jweCc, err := encconfig.EncryptWithJwe(pubKeys)
+		if err != nil {
+			return err
+		}
+		encryptCcs = append(encryptCcs, jweCc)
+
+		cc := encconfig.CombineCryptoConfigs(encryptCcs)
+
+		// Create Decryption CryptoConfig for use in adding recipients to
+		// existing image if decryptable.
+		decryptCc, err := CreateDecryptCryptoConfig(context, descs)
+		if err != nil {
+			return err
+		}
+		cc.EncryptConfig.AttachDecryptConfig(decryptCc.DecryptConfig)
 
-		_, err = encryptImage(client, ctx, local, newName, cc, layers32, context.StringSlice("platform"))
+		_, err = encryptImage(client, ctx, local, newName, &cc, layers32, context.StringSlice("platform"))
 
 		return err
 	},
diff --git a/image_enc_test.go b/image_enc_test.go
@@ -122,17 +122,13 @@ func TestImageEncryption(t *testing.T) {
 		return false
 	}
 
-	dcparameters := make(map[string][][]byte)
-	parameters := make(map[string][][]byte)
-
-	parameters["pubkeys"] = [][]byte{publicKey}
-	dcparameters["privkeys"] = [][]byte{privateKey}
-	dcparameters["privkeys-passwords"] = [][]byte{{}}
-
-	cc := encconfig.InitEncryption(parameters, dcparameters)
+	cc, err := encconfig.EncryptWithJwe([][]byte{publicKey})
+	if err != nil {
+		t.Fatal(err)
+	}
 
 	// Perform encryption of image
-	encSpec, modified, err := imgenc.EncryptImage(ctx, client.ContentStore(), image.Target, cc, lf)
+	encSpec, modified, err := imgenc.EncryptImage(ctx, client.ContentStore(), image.Target, &cc, lf)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -149,7 +145,10 @@ func TestImageEncryption(t *testing.T) {
 		t.Fatalf("Unable to create image: %v", err)
 	}
 
-	cc = encconfig.InitDecryption(dcparameters)
+	cc, err = encconfig.DecryptWithPrivKeys([][]byte{privateKey}, [][]byte{{}})
+	if err != nil {
+		t.Fatal(err)
+	}
 
 	// Clean up function cancels lease before deleting the image so the images are
 	// properly deleted
@@ -164,7 +163,7 @@ func TestImageEncryption(t *testing.T) {
 		return true
 	}
 
-	decSpec, modified, err := imgenc.DecryptImage(ctx, client.ContentStore(), encSpec, cc, lf)
+	decSpec, modified, err := imgenc.DecryptImage(ctx, client.ContentStore(), encSpec, &cc, lf)
 	if err != nil {
 		t.Fatal(err)
 	}
diff --git a/images/encryption/encryption.go b/images/encryption/encryption.go
@@ -421,7 +421,7 @@ func CheckAuthorization(ctx context.Context, cs content.Store, desc ocispec.Desc
 		return true
 	}
 
-	_, _, err := cryptImage(ctx, cs, desc, cc, lf, cryptoOpUnwrapOnly)
+	_, _, err := cryptImage(ctx, cs, desc, &cc, lf, cryptoOpUnwrapOnly)
 	if err != nil {
 		return errors.Wrapf(err, "you are not authorized to use this image")
 	}
diff --git a/pkg/encryption/config/config.go b/pkg/encryption/config/config.go
@@ -40,8 +40,8 @@ type CryptoConfig struct {
 }
 
 // InitDecryption initialized a CryptoConfig object with parameters used for decryption
-func InitDecryption(dcparameters map[string][][]byte) *CryptoConfig {
-	return &CryptoConfig{
+func InitDecryption(dcparameters map[string][][]byte) CryptoConfig {
+	return CryptoConfig{
 		DecryptConfig: &DecryptConfig{
 			Parameters: dcparameters,
 		},
@@ -51,8 +51,8 @@ func InitDecryption(dcparameters map[string][][]byte) *CryptoConfig {
 // InitEncryption initializes a CryptoConfig object with parameters used for encryption
 // It also takes dcparameters that may be needed for decryption when adding a recipient
 // to an already encrypted image
-func InitEncryption(parameters, dcparameters map[string][][]byte) *CryptoConfig {
-	return &CryptoConfig{
+func InitEncryption(parameters, dcparameters map[string][][]byte) CryptoConfig {
+	return CryptoConfig{
 		EncryptConfig: &EncryptConfig{
 			Parameters: parameters,
 			DecryptConfig: DecryptConfig{
@@ -61,3 +61,54 @@ func InitEncryption(parameters, dcparameters map[string][][]byte) *CryptoConfig
 		},
 	}
 }
+
+// CombineCryptoConfigs takes a CryptoConfig list and creates a single CryptoConfig
+// containing the crypto configuration of all the key bundles
+func CombineCryptoConfigs(ccs []CryptoConfig) CryptoConfig {
+	ecparam := map[string][][]byte{}
+	ecdcparam := map[string][][]byte{}
+	dcparam := map[string][][]byte{}
+
+	for _, cc := range ccs {
+		if ec := cc.EncryptConfig; ec != nil {
+			addToMap(ecparam, ec.Parameters)
+			addToMap(ecdcparam, ec.DecryptConfig.Parameters)
+		}
+
+		if dc := cc.DecryptConfig; dc != nil {
+			addToMap(dcparam, dc.Parameters)
+		}
+	}
+
+	return CryptoConfig{
+		EncryptConfig: &EncryptConfig{
+			Parameters: ecparam,
+			DecryptConfig: DecryptConfig{
+				Parameters: ecdcparam,
+			},
+		},
+		DecryptConfig: &DecryptConfig{
+			Parameters: dcparam,
+		},
+	}
+
+}
+
+// AttachDecryptConfig adds DecryptConfig to the field of EncryptConfig so that
+// the decryption parameters can be used to add recipients to an existing image
+// if the user is able to decrypt it.
+func (ec *EncryptConfig) AttachDecryptConfig(dc *DecryptConfig) {
+	if dc != nil {
+		addToMap(ec.DecryptConfig.Parameters, dc.Parameters)
+	}
+}
+
+func addToMap(orig map[string][][]byte, add map[string][][]byte) {
+	for k, v := range add {
+		if ov, ok := orig[k]; ok {
+			orig[k] = append(ov, v...)
+		} else {
+			orig[k] = v
+		}
+	}
+}
diff --git a/pkg/encryption/config/constructors.go b/pkg/encryption/config/constructors.go
diff --git a/pkg/encryption/gpg.go b/pkg/encryption/gpg.go

Original file line number	Diff line number	Diff line change
`@@ -421,7 +421,7 @@ func CheckAuthorization(ctx context.Context, cs content.Store, desc ocispec.Desc`
`421`	`421`	`return true`
`422`	`422`	`}`
`423`	`423`
`424`		`- _, _, err := cryptImage(ctx, cs, desc, cc, lf, cryptoOpUnwrapOnly)`
	`424`	`+ _, _, err := cryptImage(ctx, cs, desc, &cc, lf, cryptoOpUnwrapOnly)`
`425`	`425`	`if err != nil {`
`426`	`426`	`return errors.Wrapf(err, "you are not authorized to use this image")`
`427`	`427`	`}`