Besides the existing key with no 'alg' set, add 2 more RSA keys that have
'alg' set to RSA-OAEP and RSA-OAEP-256. All of these are synonymous with
each other, meaning they use SHA256 and MGF1.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Duplicate existing test with RSA key and use it for testing with EC key.
Key created on website: https://mkjwk.org/
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
OpenSSL 3 did not maintain backwards compatibility with the key format
when for example RSA keys with passwords are created and in this case
one has to add -traditional to the command line to get the key in the
old format.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Create a reproducing test case for issue #69 by adding a test case
with a bash image that is only pulled for the local platform, so
without --all-platforms. The test case will likely work on amd64 but
does fail locally on a ppc64 host.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
To avoid errors when pulling images from docker hub, allow passing
pull credentials using IMAGE_PULL_CREDS.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Update to the latest ocicrypt and adjust the code accordingly. Ocicrypt
now gets the user-provided configuration for pkcs11 only if a pkcs11 key
in yaml format is provided. This avoids unnecessary error messages if, for
example, an image is pulled but doesn't need pkcs11 configuration because
no keys are needed, since it doesn't need to be decrypted. Also, the helper
functions ending in 'WithOpts' do not exist anymore and so we roll back some
of the previous changes.
Also, due to the changes, the config file is searched for in this order:
- ${OCICRYPT_CONFIG}="internal": use an internal allow-all policy
- ${OCICRYPT_CONFIG}
- ${XDG_CONFIG_HOME}/ocicrypt.conf
- ${HOME}/.config/ocicrypt.conf
- /etc/ocicrypt.conf
The previously used IMGCRYPT_CONFIG variable is not used anymore.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
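The config-file search order listed in the commit message above, implemented as a small, injectable lookup routine. This is an added illustration, not code from the imgcrypt or ocicrypt projects: the function name `ResolveOcicryptConfig`, the `ConfigLookup` type, and the injected `getenv`/`fileExists` callbacks are assumptions made so the order can be exercised without touching the real environment; the treatment of a non-existent explicit ${OCICRYPT_CONFIG} path (honoured as given rather than skipped) is also an assumption the commit message does not settle.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// ConfigLookup is the outcome of the search for the ocicrypt config file.
type ConfigLookup struct {
	Path     string // config file to load; empty when none of the candidates exists
	Internal bool   // true for OCICRYPT_CONFIG="internal": use the built-in allow-all policy
}

// ResolveOcicryptConfig walks the candidates in the order the commit message
// lists them. getenv and fileExists are injected (hypothetical signature, not
// the ocicrypt library's own loader) so the order can be tested offline.
func ResolveOcicryptConfig(getenv func(string) string, fileExists func(string) bool) ConfigLookup {
	if v := getenv("OCICRYPT_CONFIG"); v != "" {
		if v == "internal" {
			return ConfigLookup{Internal: true}
		}
		// Assumption: an explicit path is returned as given even if it does not
		// exist, so a typo surfaces as a load error instead of silently falling
		// through to a different file.
		return ConfigLookup{Path: v}
	}

	var candidates []string
	if xdg := getenv("XDG_CONFIG_HOME"); xdg != "" {
		candidates = append(candidates, filepath.Join(xdg, "ocicrypt.conf"))
	}
	if home := getenv("HOME"); home != "" {
		candidates = append(candidates, filepath.Join(home, ".config", "ocicrypt.conf"))
	}
	candidates = append(candidates, "/etc/ocicrypt.conf")

	for _, c := range candidates {
		if fileExists(c) {
			return ConfigLookup{Path: c}
		}
	}
	return ConfigLookup{}
}

// statExists is the real-filesystem check used when the lookup runs stand-alone.
func statExists(p string) bool {
	_, err := os.Stat(p)
	return err == nil
}

func main() {
	r := ResolveOcicryptConfig(os.Getenv, statExists)
	switch {
	case r.Internal:
		fmt.Println("using internal allow-all policy")
	case r.Path != "":
		fmt.Println("config file:", r.Path)
	default:
		fmt.Println("no ocicrypt config file found")
	}
}
```

Because the environment and filesystem are injected, the same function can be driven by a unit test with fake values to confirm that "internal" wins over every file, that ${XDG_CONFIG_HOME} is consulted before ${HOME}/.config, and that /etc/ocicrypt.conf is only the last resort.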
Extend the test script with a PKCS11 test case and adjust the Travis
config file to also install softhsm2, which requires bionic for our needs.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
The mediatype we used before was only experimental:
application/vnd.docker.image.rootfs.diff.tar.gzip+enc
The newer one is
application/vnd.oci.image.layer.v1.tar+gzip+enc
Update to latest containerd and adjust code to it.
We need to update the mediatypes being used by GetImageLayerDescriptors,
so we move the function into our own directory.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>