summaryrefslogtreecommitdiff
path: root/vendor/gopkg.in/square/go-jose.v2/jws.go
diff options
context:
space:
mode:
authorDaniel J Walsh <dwalsh@redhat.com>2018-03-30 05:49:37 -0400
committerAtomic Bot <atomic-devel@projectatomic.io>2018-04-03 14:48:52 +0000
commit838df4eec4496868e772d5708e00f38bad478718 (patch)
tree89e72bb0b9668ff4005156d590465602589ec4c3 /vendor/gopkg.in/square/go-jose.v2/jws.go
parentf41dc0b2580ae83129264edbe45b92231bd119a2 (diff)
downloadpodman-838df4eec4496868e772d5708e00f38bad478718.tar.gz
podman-838df4eec4496868e772d5708e00f38bad478718.tar.bz2
podman-838df4eec4496868e772d5708e00f38bad478718.zip
Vendor in latest containers/image
Some more features. docker-archive generates docker legacy compatible images Do not create $DiffID subdirectories for layers with no configs Ensure the layer IDs in legacy docker/tarfile metadata are unique docker-archive: repeated layers are symlinked in the tar file sysregistries: remove all trailing slashes Improve docker/* error messages Fix failure to make auth directory Create a new slice in Schema1.UpdateLayerInfos Drop unused storageImageDestination.{image,systemContext} Load a *storage.Image only once in storageImageSource Support gzip for docker-archive files Remove .tar extension from blob and config file names ostree, src: support copy of compressed layers ostree: re-pull layer if it misses uncompressed_digest|uncompressed_size image: fix docker schema v1 -> OCI conversion Add /etc/containers/certs.d as default certs directory Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #569 Approved by: mheon
Diffstat (limited to 'vendor/gopkg.in/square/go-jose.v2/jws.go')
-rw-r--r--vendor/gopkg.in/square/go-jose.v2/jws.go282
1 files changed, 0 insertions, 282 deletions
diff --git a/vendor/gopkg.in/square/go-jose.v2/jws.go b/vendor/gopkg.in/square/go-jose.v2/jws.go
deleted file mode 100644
index 5e23a91b0..000000000
--- a/vendor/gopkg.in/square/go-jose.v2/jws.go
+++ /dev/null
@@ -1,282 +0,0 @@
-/*-
- * Copyright 2014 Square Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package jose
-
-import (
- "encoding/base64"
- "errors"
- "fmt"
- "strings"
-
- "gopkg.in/square/go-jose.v2/json"
-)
-
-// rawJSONWebSignature represents a raw JWS JSON object. Used for parsing/serializing.
-type rawJSONWebSignature struct {
- Payload *byteBuffer `json:"payload,omitempty"`
- Signatures []rawSignatureInfo `json:"signatures,omitempty"`
- Protected *byteBuffer `json:"protected,omitempty"`
- Header *rawHeader `json:"header,omitempty"`
- Signature *byteBuffer `json:"signature,omitempty"`
-}
-
-// rawSignatureInfo represents a single JWS signature over the JWS payload and protected header.
-type rawSignatureInfo struct {
- Protected *byteBuffer `json:"protected,omitempty"`
- Header *rawHeader `json:"header,omitempty"`
- Signature *byteBuffer `json:"signature,omitempty"`
-}
-
-// JSONWebSignature represents a signed JWS object after parsing.
-type JSONWebSignature struct {
- payload []byte
- // Signatures attached to this object (may be more than one for multi-sig).
- // Be careful about accessing these directly, prefer to use Verify() or
- // VerifyMulti() to ensure that the data you're getting is verified.
- Signatures []Signature
-}
-
-// Signature represents a single signature over the JWS payload and protected header.
-type Signature struct {
- // Header fields, such as the signature algorithm
- Header Header
-
- // The actual signature value
- Signature []byte
-
- protected *rawHeader
- header *rawHeader
- original *rawSignatureInfo
-}
-
-// ParseSigned parses a signed message in compact or full serialization format.
-func ParseSigned(input string) (*JSONWebSignature, error) {
- input = stripWhitespace(input)
- if strings.HasPrefix(input, "{") {
- return parseSignedFull(input)
- }
-
- return parseSignedCompact(input)
-}
-
-// Get a header value
-func (sig Signature) mergedHeaders() rawHeader {
- out := rawHeader{}
- out.merge(sig.protected)
- out.merge(sig.header)
- return out
-}
-
-// Compute data to be signed
-func (obj JSONWebSignature) computeAuthData(signature *Signature) []byte {
- var serializedProtected string
-
- if signature.original != nil && signature.original.Protected != nil {
- serializedProtected = signature.original.Protected.base64()
- } else if signature.protected != nil {
- serializedProtected = base64.RawURLEncoding.EncodeToString(mustSerializeJSON(signature.protected))
- } else {
- serializedProtected = ""
- }
-
- return []byte(fmt.Sprintf("%s.%s",
- serializedProtected,
- base64.RawURLEncoding.EncodeToString(obj.payload)))
-}
-
-// parseSignedFull parses a message in full format.
-func parseSignedFull(input string) (*JSONWebSignature, error) {
- var parsed rawJSONWebSignature
- err := json.Unmarshal([]byte(input), &parsed)
- if err != nil {
- return nil, err
- }
-
- return parsed.sanitized()
-}
-
-// sanitized produces a cleaned-up JWS object from the raw JSON.
-func (parsed *rawJSONWebSignature) sanitized() (*JSONWebSignature, error) {
- if parsed.Payload == nil {
- return nil, fmt.Errorf("square/go-jose: missing payload in JWS message")
- }
-
- obj := &JSONWebSignature{
- payload: parsed.Payload.bytes(),
- Signatures: make([]Signature, len(parsed.Signatures)),
- }
-
- if len(parsed.Signatures) == 0 {
- // No signatures array, must be flattened serialization
- signature := Signature{}
- if parsed.Protected != nil && len(parsed.Protected.bytes()) > 0 {
- signature.protected = &rawHeader{}
- err := json.Unmarshal(parsed.Protected.bytes(), signature.protected)
- if err != nil {
- return nil, err
- }
- }
-
- // Check that there is not a nonce in the unprotected header
- if parsed.Header != nil && parsed.Header.getNonce() != "" {
- return nil, ErrUnprotectedNonce
- }
-
- signature.header = parsed.Header
- signature.Signature = parsed.Signature.bytes()
- // Make a fake "original" rawSignatureInfo to store the unprocessed
- // Protected header. This is necessary because the Protected header can
- // contain arbitrary fields not registered as part of the spec. See
- // https://tools.ietf.org/html/draft-ietf-jose-json-web-signature-41#section-4
- // If we unmarshal Protected into a rawHeader with its explicit list of fields,
- // we cannot marshal losslessly. So we have to keep around the original bytes.
- // This is used in computeAuthData, which will first attempt to use
- // the original bytes of a protected header, and fall back on marshaling the
- // header struct only if those bytes are not available.
- signature.original = &rawSignatureInfo{
- Protected: parsed.Protected,
- Header: parsed.Header,
- Signature: parsed.Signature,
- }
-
- var err error
- signature.Header, err = signature.mergedHeaders().sanitized()
- if err != nil {
- return nil, err
- }
-
- // As per RFC 7515 Section 4.1.3, only public keys are allowed to be embedded.
- jwk := signature.Header.JSONWebKey
- if jwk != nil && (!jwk.Valid() || !jwk.IsPublic()) {
- return nil, errors.New("square/go-jose: invalid embedded jwk, must be public key")
- }
-
- obj.Signatures = append(obj.Signatures, signature)
- }
-
- for i, sig := range parsed.Signatures {
- if sig.Protected != nil && len(sig.Protected.bytes()) > 0 {
- obj.Signatures[i].protected = &rawHeader{}
- err := json.Unmarshal(sig.Protected.bytes(), obj.Signatures[i].protected)
- if err != nil {
- return nil, err
- }
- }
-
- // Check that there is not a nonce in the unprotected header
- if sig.Header != nil && sig.Header.getNonce() != "" {
- return nil, ErrUnprotectedNonce
- }
-
- var err error
- obj.Signatures[i].Header, err = obj.Signatures[i].mergedHeaders().sanitized()
- if err != nil {
- return nil, err
- }
-
- obj.Signatures[i].Signature = sig.Signature.bytes()
-
- // As per RFC 7515 Section 4.1.3, only public keys are allowed to be embedded.
- jwk := obj.Signatures[i].Header.JSONWebKey
- if jwk != nil && (!jwk.Valid() || !jwk.IsPublic()) {
- return nil, errors.New("square/go-jose: invalid embedded jwk, must be public key")
- }
-
- // Copy value of sig
- original := sig
-
- obj.Signatures[i].header = sig.Header
- obj.Signatures[i].original = &original
- }
-
- return obj, nil
-}
-
-// parseSignedCompact parses a message in compact format.
-func parseSignedCompact(input string) (*JSONWebSignature, error) {
- parts := strings.Split(input, ".")
- if len(parts) != 3 {
- return nil, fmt.Errorf("square/go-jose: compact JWS format must have three parts")
- }
-
- rawProtected, err := base64.RawURLEncoding.DecodeString(parts[0])
- if err != nil {
- return nil, err
- }
-
- payload, err := base64.RawURLEncoding.DecodeString(parts[1])
- if err != nil {
- return nil, err
- }
-
- signature, err := base64.RawURLEncoding.DecodeString(parts[2])
- if err != nil {
- return nil, err
- }
-
- raw := &rawJSONWebSignature{
- Payload: newBuffer(payload),
- Protected: newBuffer(rawProtected),
- Signature: newBuffer(signature),
- }
- return raw.sanitized()
-}
-
-// CompactSerialize serializes an object using the compact serialization format.
-func (obj JSONWebSignature) CompactSerialize() (string, error) {
- if len(obj.Signatures) != 1 || obj.Signatures[0].header != nil || obj.Signatures[0].protected == nil {
- return "", ErrNotSupported
- }
-
- serializedProtected := mustSerializeJSON(obj.Signatures[0].protected)
-
- return fmt.Sprintf(
- "%s.%s.%s",
- base64.RawURLEncoding.EncodeToString(serializedProtected),
- base64.RawURLEncoding.EncodeToString(obj.payload),
- base64.RawURLEncoding.EncodeToString(obj.Signatures[0].Signature)), nil
-}
-
-// FullSerialize serializes an object using the full JSON serialization format.
-func (obj JSONWebSignature) FullSerialize() string {
- raw := rawJSONWebSignature{
- Payload: newBuffer(obj.payload),
- }
-
- if len(obj.Signatures) == 1 {
- if obj.Signatures[0].protected != nil {
- serializedProtected := mustSerializeJSON(obj.Signatures[0].protected)
- raw.Protected = newBuffer(serializedProtected)
- }
- raw.Header = obj.Signatures[0].header
- raw.Signature = newBuffer(obj.Signatures[0].Signature)
- } else {
- raw.Signatures = make([]rawSignatureInfo, len(obj.Signatures))
- for i, signature := range obj.Signatures {
- raw.Signatures[i] = rawSignatureInfo{
- Header: signature.header,
- Signature: newBuffer(signature.Signature),
- }
-
- if signature.protected != nil {
- raw.Signatures[i].Protected = newBuffer(mustSerializeJSON(signature.protected))
- }
- }
- }
-
- return string(mustSerializeJSON(raw))
-}