
Commit adad947

authored
Merge pull request #3460 from lumjjb/ctrrecipients
Specify protocols in ctr encrypt recipients
2 parents 053853f + 8cd480c commit adad947

3 files changed

Lines changed: 40 additions & 12 deletions


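--- a/cmd/ctr/commands/images/crypt_utils.go
+++ b/cmd/ctr/commands/images/crypt_utils.go
@@ -90,17 +90,40 @@ func processRecipientKeys(recipients []string) ([][]byte, [][]byte, [][]byte, er
 x509s [][]byte
 )
 for _, recipient := range recipients {
-tmp, err := ioutil.ReadFile(recipient)
-if err != nil {
-gpgRecipients = append(gpgRecipients, []byte(recipient))
-continue
+
+idx := strings.Index(recipient, ":")
+if idx < 0 {
+return nil, nil, nil, errors.New("Invalid recipient format")
 }
-if encutils.IsCertificate(tmp) {
-x509s = append(x509s, tmp)
-} else if encutils.IsPublicKey(tmp) {
+
+protocol := recipient[:idx]
+value := recipient[idx+1:]
+
+switch protocol {
+case "pgp":
+gpgRecipients = append(gpgRecipients, []byte(value))
+case "jwe":
+tmp, err := ioutil.ReadFile(value)
+if err != nil {
+return nil, nil, nil, errors.Wrap(err, "Unable to read file")
+}
+if !encutils.IsPublicKey(tmp) {
+return nil, nil, nil, errors.New("File provided is not a public key")
+}
 pubkeys = append(pubkeys, tmp)
-} else {
-gpgRecipients = append(gpgRecipients, []byte(recipient))
+
+case "pkcs7":
+tmp, err := ioutil.ReadFile(value)
+if err != nil {
+return nil, nil, nil, errors.Wrap(err, "Unable to read file")
+}
+if !encutils.IsCertificate(tmp) {
+return nil, nil, nil, errors.New("File provided is not an x509 cert")
+}
+x509s = append(x509s, tmp)
+
+default:
+return nil, nil, nil, errors.New("Provided protocol not recognized")
 }
 }
 return gpgRecipients, pubkeys, x509s, nil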
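Review bot: The `pgp` case at new line 104 appends `value` without checking that it is non-empty, so a recipient written as just `pgp:` silently adds an empty GPG recipient, whereas the `jwe` and `pkcs7` branches at least validate the file they read; a guard placed after new line 100, `if value == "" { return nil, nil, nil, errors.New("empty recipient value") }`, would reject that for every protocol. The two `errors.Wrap(err, "Unable to read file")` calls at new lines 108 and 118 drop the path, which is the one detail the user needs to fix the command line; `errors.Wrapf(err, "unable to read file %q", value)` keeps it. Go convention is also that error strings start lowercase, which applies to each `errors.New` in the switch. The closing brace of processRecipientKeys lies outside the hunk.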

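--- a/cmd/ctr/commands/images/encrypt.go
+++ b/cmd/ctr/commands/images/encrypt.go
@@ -41,10 +41,15 @@ var encryptCommand = cli.Command{
 This tool also allows management of the recipients of the image through changes
 to the list of recipients.
 Once the image has been encrypted it may be pushed to a registry.
+
+Recipients are declared with the protocol prefix as follows:
+- pgp:<email-address>
+- jwe:<public-key-file-path>
+- pkcs7:<x509-file-path>
 `,
 Flags: append(append(commands.RegistryFlags, cli.StringSliceFlag{
 Name: "recipient",
-Usage: "Recipient of the image is the person who can decrypt it",
+Usage: "Recipient of the image is the person who can decrypt it in the form specified above (i.e. jwe:/path/to/key)",
 }, cli.IntSliceFlag{
 Name: "layer",
 Usage: "The layer to encrypt; this must be either the layer number or a negative number starting with -1 for topmost layer",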
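Review bot: The updated `Usage` string at new line 52 writes "i.e. jwe:/path/to/key", but that is one example among the three forms listed above it, so "e.g." is the correct abbreviation; `Usage: "Recipient of the image is the person who can decrypt it, in the form specified above (e.g. jwe:/path/to/key)",`. The text also does not say that a recipient without a protocol prefix is now rejected (processRecipientKeys in crypt_utils.go returns an error when no `:` is present), which is the change a user upgrading from the old bare-path form will hit first; adding "the prefix is required" to the usage string would make that explicit. The encryptCommand declaration continues outside the hunk.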

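--- a/docs/encryption.md
+++ b/docs/encryption.md
@@ -25,8 +25,8 @@ The option `--layer -1` specifies the layer filter for encryption, -1 indicating
 
 ```
 $ ctr images encrypt \
---recipient /tmp/tmp.AGrSDkaSad/mypubkey.pem \
---recipient /tmp/tmp.AGrSDkaSad/clientcert.pem \
+--recipient jwe:/tmp/tmp.AGrSDkaSad/mypubkey.pem \
+--recipient pkcs7:/tmp/tmp.AGrSDkaSad/clientcert.pem \
 --layer -1 \
 docker.io/library/alpine:latest docker.io/library/alpine:enc
 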