diff options
author | Daniel J Walsh <dwalsh@redhat.com> | 2018-03-30 05:49:37 -0400 |
---|---|---|
committer | Atomic Bot <atomic-devel@projectatomic.io> | 2018-04-03 14:48:52 +0000 |
commit | 838df4eec4496868e772d5708e00f38bad478718 (patch) | |
tree | 89e72bb0b9668ff4005156d590465602589ec4c3 /vendor/gopkg.in/square/go-jose.v2/signing.go | |
parent | f41dc0b2580ae83129264edbe45b92231bd119a2 (diff) | |
download | podman-838df4eec4496868e772d5708e00f38bad478718.tar.gz podman-838df4eec4496868e772d5708e00f38bad478718.tar.bz2 podman-838df4eec4496868e772d5708e00f38bad478718.zip |
Vendor in latest containers/image
Some more features.
docker-archive generates docker legacy compatible images
Do not create $DiffID subdirectories for layers with no configs
Ensure the layer IDs in legacy docker/tarfile metadata are unique
docker-archive: repeated layers are symlinked in the tar file
sysregistries: remove all trailing slashes
Improve docker/* error messages
Fix failure to make auth directory
Create a new slice in Schema1.UpdateLayerInfos
Drop unused storageImageDestination.{image,systemContext}
Load a *storage.Image only once in storageImageSource
Support gzip for docker-archive files
Remove .tar extension from blob and config file names
ostree, src: support copy of compressed layers
ostree: re-pull layer if it misses uncompressed_digest|uncompressed_size
image: fix docker schema v1 -> OCI conversion
Add /etc/containers/certs.d as default certs directory
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Closes: #569
Approved by: mheon
Diffstat (limited to 'vendor/gopkg.in/square/go-jose.v2/signing.go')
-rw-r--r-- | vendor/gopkg.in/square/go-jose.v2/signing.go | 343 |
1 files changed, 0 insertions, 343 deletions
diff --git a/vendor/gopkg.in/square/go-jose.v2/signing.go b/vendor/gopkg.in/square/go-jose.v2/signing.go deleted file mode 100644 index 13e956d66..000000000 --- a/vendor/gopkg.in/square/go-jose.v2/signing.go +++ /dev/null @@ -1,343 +0,0 @@ -/*- - * Copyright 2014 Square Inc. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package jose - -import ( - "crypto/ecdsa" - "crypto/rsa" - "encoding/base64" - "errors" - "fmt" - - "golang.org/x/crypto/ed25519" - - "gopkg.in/square/go-jose.v2/json" -) - -// NonceSource represents a source of random nonces to go into JWS objects -type NonceSource interface { - Nonce() (string, error) -} - -// Signer represents a signer which takes a payload and produces a signed JWS object. -type Signer interface { - Sign(payload []byte) (*JSONWebSignature, error) - Options() SignerOptions -} - -// SigningKey represents an algorithm/key used to sign a message. -type SigningKey struct { - Algorithm SignatureAlgorithm - Key interface{} -} - -// SignerOptions represents options that can be set when creating signers. -type SignerOptions struct { - NonceSource NonceSource - EmbedJWK bool - - // Optional map of additional keys to be inserted into the protected header - // of a JWS object. Some specifications which make use of JWS like to insert - // additional values here. All values must be JSON-serializable. - ExtraHeaders map[HeaderKey]interface{} -} - -// WithHeader adds an arbitrary value to the ExtraHeaders map, initializing it -// if necessary. It returns itself and so can be used in a fluent style. -func (so *SignerOptions) WithHeader(k HeaderKey, v interface{}) *SignerOptions { - if so.ExtraHeaders == nil { - so.ExtraHeaders = map[HeaderKey]interface{}{} - } - so.ExtraHeaders[k] = v - return so -} - -// WithContentType adds a content type ("cty") header and returns the updated -// SignerOptions. -func (so *SignerOptions) WithContentType(contentType ContentType) *SignerOptions { - return so.WithHeader(HeaderContentType, contentType) -} - -// WithType adds a type ("typ") header and returns the updated SignerOptions. -func (so *SignerOptions) WithType(typ ContentType) *SignerOptions { - return so.WithHeader(HeaderType, typ) -} - -type payloadSigner interface { - signPayload(payload []byte, alg SignatureAlgorithm) (Signature, error) -} - -type payloadVerifier interface { - verifyPayload(payload []byte, signature []byte, alg SignatureAlgorithm) error -} - -type genericSigner struct { - recipients []recipientSigInfo - nonceSource NonceSource - embedJWK bool - extraHeaders map[HeaderKey]interface{} -} - -type recipientSigInfo struct { - sigAlg SignatureAlgorithm - publicKey *JSONWebKey - signer payloadSigner -} - -// NewSigner creates an appropriate signer based on the key type -func NewSigner(sig SigningKey, opts *SignerOptions) (Signer, error) { - return NewMultiSigner([]SigningKey{sig}, opts) -} - -// NewMultiSigner creates a signer for multiple recipients -func NewMultiSigner(sigs []SigningKey, opts *SignerOptions) (Signer, error) { - signer := &genericSigner{recipients: []recipientSigInfo{}} - - if opts != nil { - signer.nonceSource = opts.NonceSource - signer.embedJWK = opts.EmbedJWK - signer.extraHeaders = opts.ExtraHeaders - } - - for _, sig := range sigs { - err := signer.addRecipient(sig.Algorithm, sig.Key) - if err != nil { - return nil, err - } - } - - return signer, nil -} - -// newVerifier creates a verifier based on the key type -func newVerifier(verificationKey interface{}) (payloadVerifier, error) { - switch verificationKey := verificationKey.(type) { - case ed25519.PublicKey: - return &edEncrypterVerifier{ - publicKey: verificationKey, - }, nil - case *rsa.PublicKey: - return &rsaEncrypterVerifier{ - publicKey: verificationKey, - }, nil - case *ecdsa.PublicKey: - return &ecEncrypterVerifier{ - publicKey: verificationKey, - }, nil - case []byte: - return &symmetricMac{ - key: verificationKey, - }, nil - case JSONWebKey: - return newVerifier(verificationKey.Key) - case *JSONWebKey: - return newVerifier(verificationKey.Key) - default: - return nil, ErrUnsupportedKeyType - } -} - -func (ctx *genericSigner) addRecipient(alg SignatureAlgorithm, signingKey interface{}) error { - recipient, err := makeJWSRecipient(alg, signingKey) - if err != nil { - return err - } - - ctx.recipients = append(ctx.recipients, recipient) - return nil -} - -func makeJWSRecipient(alg SignatureAlgorithm, signingKey interface{}) (recipientSigInfo, error) { - switch signingKey := signingKey.(type) { - case ed25519.PrivateKey: - return newEd25519Signer(alg, signingKey) - case *rsa.PrivateKey: - return newRSASigner(alg, signingKey) - case *ecdsa.PrivateKey: - return newECDSASigner(alg, signingKey) - case []byte: - return newSymmetricSigner(alg, signingKey) - case JSONWebKey: - return newJWKSigner(alg, signingKey) - case *JSONWebKey: - return newJWKSigner(alg, *signingKey) - default: - return recipientSigInfo{}, ErrUnsupportedKeyType - } -} - -func newJWKSigner(alg SignatureAlgorithm, signingKey JSONWebKey) (recipientSigInfo, error) { - recipient, err := makeJWSRecipient(alg, signingKey.Key) - if err != nil { - return recipientSigInfo{}, err - } - if recipient.publicKey != nil { - // recipient.publicKey is a JWK synthesized for embedding when recipientSigInfo - // was created for the inner key (such as a RSA or ECDSA public key). It contains - // the pub key for embedding, but doesn't have extra params like key id. - publicKey := signingKey - publicKey.Key = recipient.publicKey.Key - recipient.publicKey = &publicKey - - // This should be impossible, but let's check anyway. - if !recipient.publicKey.IsPublic() { - return recipientSigInfo{}, errors.New("square/go-jose: public key was unexpectedly not public") - } - } - return recipient, nil -} - -func (ctx *genericSigner) Sign(payload []byte) (*JSONWebSignature, error) { - obj := &JSONWebSignature{} - obj.payload = payload - obj.Signatures = make([]Signature, len(ctx.recipients)) - - for i, recipient := range ctx.recipients { - protected := map[HeaderKey]interface{}{ - headerAlgorithm: string(recipient.sigAlg), - } - - if recipient.publicKey != nil { - // We want to embed the JWK or set the kid header, but not both. Having a protected - // header that contains an embedded JWK while also simultaneously containing the kid - // header is confusing, and at least in ACME the two are considered to be mutually - // exclusive. The fact that both can exist at the same time is a somewhat unfortunate - // result of the JOSE spec. We've decided that this library will only include one or - // the other to avoid this confusion. - // - // See https://github.com/square/go-jose/issues/157 for more context. - if ctx.embedJWK { - protected[headerJWK] = recipient.publicKey - } else { - protected[headerKeyID] = recipient.publicKey.KeyID - } - } - - if ctx.nonceSource != nil { - nonce, err := ctx.nonceSource.Nonce() - if err != nil { - return nil, fmt.Errorf("square/go-jose: Error generating nonce: %v", err) - } - protected[headerNonce] = nonce - } - - for k, v := range ctx.extraHeaders { - protected[k] = v - } - - serializedProtected := mustSerializeJSON(protected) - - input := []byte(fmt.Sprintf("%s.%s", - base64.RawURLEncoding.EncodeToString(serializedProtected), - base64.RawURLEncoding.EncodeToString(payload))) - - signatureInfo, err := recipient.signer.signPayload(input, recipient.sigAlg) - if err != nil { - return nil, err - } - - signatureInfo.protected = &rawHeader{} - for k, v := range protected { - b, err := json.Marshal(v) - if err != nil { - return nil, fmt.Errorf("square/go-jose: Error marshalling item %#v: %v", k, err) - } - (*signatureInfo.protected)[k] = makeRawMessage(b) - } - obj.Signatures[i] = signatureInfo - } - - return obj, nil -} - -func (ctx *genericSigner) Options() SignerOptions { - return SignerOptions{ - NonceSource: ctx.nonceSource, - EmbedJWK: ctx.embedJWK, - ExtraHeaders: ctx.extraHeaders, - } -} - -// Verify validates the signature on the object and returns the payload. -// This function does not support multi-signature, if you desire multi-sig -// verification use VerifyMulti instead. -// -// Be careful when verifying signatures based on embedded JWKs inside the -// payload header. You cannot assume that the key received in a payload is -// trusted. -func (obj JSONWebSignature) Verify(verificationKey interface{}) ([]byte, error) { - verifier, err := newVerifier(verificationKey) - if err != nil { - return nil, err - } - - if len(obj.Signatures) > 1 { - return nil, errors.New("square/go-jose: too many signatures in payload; expecting only one") - } - - signature := obj.Signatures[0] - headers := signature.mergedHeaders() - critical, err := headers.getCritical() - if err != nil { - return nil, err - } - if len(critical) > 0 { - // Unsupported crit header - return nil, ErrCryptoFailure - } - - input := obj.computeAuthData(&signature) - alg := headers.getSignatureAlgorithm() - err = verifier.verifyPayload(input, signature.Signature, alg) - if err == nil { - return obj.payload, nil - } - - return nil, ErrCryptoFailure -} - -// VerifyMulti validates (one of the multiple) signatures on the object and -// returns the index of the signature that was verified, along with the signature -// object and the payload. We return the signature and index to guarantee that -// callers are getting the verified value. -func (obj JSONWebSignature) VerifyMulti(verificationKey interface{}) (int, Signature, []byte, error) { - verifier, err := newVerifier(verificationKey) - if err != nil { - return -1, Signature{}, nil, err - } - - for i, signature := range obj.Signatures { - headers := signature.mergedHeaders() - critical, err := headers.getCritical() - if err != nil { - continue - } - if len(critical) > 0 { - // Unsupported crit header - continue - } - - input := obj.computeAuthData(&signature) - alg := headers.getSignatureAlgorithm() - err = verifier.verifyPayload(input, signature.Signature, alg) - if err == nil { - return i, signature, obj.payload, nil - } - } - - return -1, Signature{}, nil, ErrCryptoFailure -} |