Affected by GO-2022-0344 and 6 other vulnerabilities

GO-2022-0344: containerd CRI plugin: Insecure handling of image volumes in github.com/containerd/containerd

GO-2022-0360: Ambiguous OCI manifest parsing in github.com/containerd/containerd

GO-2022-0482: containerd CRI plugin: Host memory exhaustion through ExecSync in github.com/containerd/containerd

GO-2022-0784: containerd-shim API Exposed to Host Network Containers in github.com/containerd/containerd

GO-2022-0921: Archive package allows chmod of file outside of unpack target directory in github.com/containerd/containerd

GO-2022-0938: Insufficiently restricted permissions on plugin directories in github.com/containerd/containerd

GO-2022-1147: containerd CRI stream server vulnerable to host memory exhaustion via terminal in github.com/containerd/containerd

The highest tagged major version is v2.

encryption

package

v1.3.0-beta.0 Latest Latest Go to latest Published: Jul 31, 2019 License: Apache-2.0 Imports: 24 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/containerd/containerd

Documentation ¶

Index ¶

func DecryptLayer(dc *config.DecryptConfig, encLayerReader io.Reader, desc ocispec.Descriptor, ...) (io.Reader, digest.Digest, error)
func EncryptLayer(ec *config.EncryptConfig, encOrPlainLayerReader io.Reader, ...) (io.Reader, map[string]string, error)
func GPGGetPrivateKey(descs []ocispec.Descriptor, gpgClient GPGClient, gpgVault GPGVault, ...) (gpgPrivKeys [][]byte, gpgPrivKeysPwds [][]byte, err error)
func GetKeyWrapper(scheme string) keywrap.KeyWrapper
func GetWrappedKeysMap(desc ocispec.Descriptor) map[string]string
func ReaderFromReaderAt(r io.ReaderAt) io.Reader
func RegisterKeyWrapper(scheme string, iface keywrap.KeyWrapper)
type GPGClient
- func NewGPGClient(gpgVersion, gpgHomeDir string) (GPGClient, error)
type GPGVault
- func NewGPGVault() GPGVault
type GPGVersion
- func GuessGPGVersion() GPGVersion

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

func DecryptLayer ¶

func DecryptLayer(dc *config.DecryptConfig, encLayerReader io.Reader, desc ocispec.Descriptor, unwrapOnly bool) (io.Reader, digest.Digest, error)

DecryptLayer decrypts a layer trying one keywrap.KeyWrapper after the other to see whether it can apply the provided private key If unwrapOnly is set we will only try to decrypt the layer encryption key and return

func EncryptLayer ¶

func EncryptLayer(ec *config.EncryptConfig, encOrPlainLayerReader io.Reader, desc ocispec.Descriptor) (io.Reader, map[string]string, error)

EncryptLayer encrypts the layer by running one encryptor after the other

func GPGGetPrivateKey ¶

func GPGGetPrivateKey(descs []ocispec.Descriptor, gpgClient GPGClient, gpgVault GPGVault, mustFindKey bool) (gpgPrivKeys [][]byte, gpgPrivKeysPwds [][]byte, err error)

GPGGetPrivateKey walks the list of layerInfos and tries to decrypt the wrapped symmetric keys. For this it determines whether a private key is in the GPGVault or on this system and prompts for the passwords for those that are available. If we do not find a private key on the system for getting to the symmetric key of a layer then an error is generated.

func GetKeyWrapper ¶

func GetKeyWrapper(scheme string) keywrap.KeyWrapper

GetKeyWrapper looks up the encryptor interface given an encryption scheme (gpg, jwe)

func GetWrappedKeysMap ¶

func GetWrappedKeysMap(desc ocispec.Descriptor) map[string]string

GetWrappedKeysMap returns a map of wrappedKeys as values in a map with the encryption scheme(s) as the key(s)

func ReaderFromReaderAt ¶

func ReaderFromReaderAt(r io.ReaderAt) io.Reader

ReaderFromReaderAt takes an io.ReaderAt and returns an io.Reader

func RegisterKeyWrapper ¶

func RegisterKeyWrapper(scheme string, iface keywrap.KeyWrapper)

RegisterKeyWrapper allows to register key wrappers by their encryption scheme

Types ¶

type GPGClient ¶

type GPGClient interface {
	// ReadGPGPubRingFile gets the byte sequence of the gpg public keyring
	ReadGPGPubRingFile() ([]byte, error)
	// GetGPGPrivateKey gets the private key bytes of a keyid given a passphrase
	GetGPGPrivateKey(keyid uint64, passphrase string) ([]byte, error)
	// GetSecretKeyDetails gets the details of a secret key
	GetSecretKeyDetails(keyid uint64) ([]byte, bool, error)
	// GetKeyDetails gets the details of a public key
	GetKeyDetails(keyid uint64) ([]byte, bool, error)
	// ResolveRecipients resolves PGP key ids to user names
	ResolveRecipients([]string) []string
}

GPGClient defines an interface for wrapping the gpg command line tools

func NewGPGClient ¶

func NewGPGClient(gpgVersion, gpgHomeDir string) (GPGClient, error)

NewGPGClient creates a new GPGClient object representing the given version and using the given home directory

type GPGVault ¶

type GPGVault interface {
	// AddSecretKeyRingData adds a secret keyring via its raw byte array
	AddSecretKeyRingData(gpgSecretKeyRingData []byte) error
	// AddSecretKeyRingDataArray adds secret keyring via its raw byte arrays
	AddSecretKeyRingDataArray(gpgSecretKeyRingDataArray [][]byte) error
	// AddSecretKeyRingFiles adds secret keyrings given their filenames
	AddSecretKeyRingFiles(filenames []string) error
	// GetGPGPrivateKey gets the private key bytes of a keyid given a passphrase
	GetGPGPrivateKey(keyid uint64) ([]openpgp.Key, []byte)
}

GPGVault defines an interface for wrapping multiple secret key rings

func NewGPGVault ¶

func NewGPGVault() GPGVault

NewGPGVault creates an empty GPGVault

type GPGVersion ¶

type GPGVersion int

GPGVersion enum representing the GPG client version to use.

const (
	// GPGv2 signifies gpgv2+
	GPGv2 GPGVersion = iota
	// GPGv1 signifies gpgv1+
	GPGv1
	// GPGVersionUndetermined signifies gpg client version undetermined
	GPGVersionUndetermined
)

func GuessGPGVersion ¶

func GuessGPGVersion() GPGVersion

GuessGPGVersion guesses the version of gpg. Defaults to gpg2 if exists, if not defaults to regular gpg.

Source Files ¶

View all Source files

Directories ¶

Path	Synopsis
blockcipher
config
keywrap
jwe
pgp
pkcs7
utils

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL