@@ -702,8 +702,8 @@ testLocalKeys() {
702702
703703 echo " Testing JWE and PKCS11 type of encryption with local unpack keys"
704704
705- # Remove original images
706- $CTR images rm --sync ${ALPINE_ENC} ${ALPINE_DEC} ${NGINX_ENC} ${NGINX_DEC} & > /dev/null
705+ # Remove existing images
706+ $CTR images rm --sync ${ALPINE_ENC} ${ALPINE_DEC} ${NGINX_ENC} ${NGINX_DEC} ${BASH_ENC} & > /dev/null
707707
708708 local recipient1=jwe:${PUBKEYPEM}
709709 local recipient2=pkcs11:${SOFTHSM_KEY}
@@ -773,6 +773,65 @@ testLocalKeys() {
773773
774774 echo " PASS: JWE and PKCS11 type of encryption with local unpack keys"
775775 echo
776+
777+ rm -f ${LOCAL_KEYS_PATH} /*
778+
779+ echo " Testing creation of container from encrypted image with local key (JWK)"
780+
781+ recipient=jwe:${PUBKEYJWK}
782+ $CTR images encrypt \
783+ --recipient ${recipient} \
784+ ${BASH} ${BASH_ENC}
785+ failExit $? " Image encryption with JWE failed; public key: ${recipient} "
786+
787+ MSG=$( $CTR container rm testcontainer1 2>&1 )
788+ MSG=$( $CTR snapshot rm testcontainer1 2>&1 )
789+
790+ # Create testcontainer1 from encrypted bash image ${BASH_ENC}
791+ # Creating the container without providing (right) key must fail
792+ MSG=$( sudo $CTR container create ${BASH_ENC} testcontainer1 2>&1 )
793+ if [ $? -eq 0 ]; then
794+ MSG=$( $CTR container rm testcontainer1 2>&1 )
795+ MSG=$( $CTR snapshot rm testcontainer1 2>&1 )
796+ failExit 1 " Should not have been able to create a container from encrypted image when JWK key file is not available"
797+ fi
798+ MSG=$( $CTR snapshot rm testcontainer1 2>&1 )
799+
800+ # creating the container when providing right key must work
801+ cp ${PRIVKEYJWK} ${LOCAL_KEYS_PATH} /.
802+ MSG=$( sudo bash -c " $CTR container create --skip-decrypt-auth ${BASH_ENC} testcontainer1 2>&1" )
803+ failExit $? " Should have been able to create a container from encrypted image when JWK key file is available\n${MSG} "
804+ MSG=$( $CTR container rm testcontainer1 2>&1 )
805+ MSG=$( $CTR snapshot rm testcontainer1 2>&1 )
806+
807+ # Running the container without providing (right) key must fail.
808+ # If we were not to pass --skip-decrypt-auth then this test would fail since then
809+ # authorization will fail since no keys are provided via command line that ctr-enc
810+ # could do authorization with (on client side!). To make running the image fail we
811+ # don't pass --skip-decrypt-auth.
812+ rm -f ${LOCAL_KEYS_PATH} /*
813+ MSG=$( sudo bash -c " $CTR run \
814+ --rm \
815+ ${BASH_ENC} testcontainer1 echo 'Hello world'" 2>&1 )
816+ if [ $? -eq 0 ]; then
817+ MSG=$( $CTR snapshot rm testcontainer1 2>&1 )
818+ failExit 1 " Should not have been able to run a container from encrypted image when JWK key file is not available"
819+ fi
820+ MSG=$( $CTR snapshot rm testcontainer1 2>&1 )
821+
822+ # Running the container when providing right key must work
823+ # This only works if --skip-decrypt-auth is passed since no keys are provided
824+ # on the command line and ctr-enc would otherwise do authorization
825+ cp ${PRIVKEYJWK} ${LOCAL_KEYS_PATH} /.
826+ MSG=$( sudo bash -c " $CTR run \
827+ --rm \
828+ --skip-decrypt-auth \
829+ ${BASH_ENC} testcontainer1 echo 'Hello world'" 2>&1 )
830+ failExit $? " Should have been able to run a container from encrypted image when JWK key file is available\n${MSG} "
831+
832+ $CTR images rm --sync ${BASH_ENC} & > /dev/null
833+
834+ echo " PASS: Creation of container from encrypted image with local JWK key"
776835}
777836
778837setupPKCS7 () {
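Review bot: The two negative checks in this hunk (the `container create` without a key on line 792 and the `run` without a key on line 813) fail because of client-side authorization, not because the JWK is absent — the comment above the run case says as much — so they would still pass if the runtime's local-key decryption path accepted an image with no key present. Run the negative cases with `--skip-decrypt-auth` as well, after emptying `${LOCAL_KEYS_PATH}`, so the observed failure can only come from a missing decryption key, and/or match `$MSG` against the expected decryption error instead of relying on a bare non-zero status; I cannot tell from here what that error text is, so hedge that assertion on what ctr-enc actually prints. Separately, `rm -f ${LOCAL_KEYS_PATH}/*` on lines 777 and 812 is unguarded: with `LOCAL_KEYS_PATH` unset or empty it expands to `rm -f /*`, so use `rm -f -- "${LOCAL_KEYS_PATH:?}"/*` in both places. `testLocalKeys` starts before this hunk, and `failExit` is defined elsewhere in the file.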