encryption: Use keyprovider from OCICRYPT_KEYPROVIDER_CONFIG during d…

…ecryption During decryption, ignore keyprovider name in annotations and use the keyprovider defined in OCICRYPT_KEYPROVIDER_CONFIG. Fixes: #33 Signed-off-by: Wang, Arron <[email protected]>
confidential-containers · Oct 26, 2022 · 54236bb · 54236bb
1 parent 96458c8
commit 54236bb
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 3 deletions.
diff --git a/src/config.rs b/src/config.rs
@@ -8,6 +8,9 @@ use std::io::BufReader;
 use anyhow::{anyhow, Result};
 use serde::{de, Deserializer, Serialize, Serializer};
 
+/// OCICRYPT_ENVVARNAME is the environment name for ocicrypt provider config file,
+/// the key will be "OCICRYPT_KEYPROVIDER_CONFIG" and format is defined at:
+/// <https://github.com/containers/ocicrypt/blob/main/docs/keyprovider.md>
 pub const OCICRYPT_ENVVARNAME: &str = "OCICRYPT_KEYPROVIDER_CONFIG";
 
 /// DecryptConfig wraps the Parameters map that holds the decryption key
@@ -84,7 +87,9 @@ pub struct KeyProviderAttrs {
     pub native: Option<String>,
 }
 
-/// OcicryptConfig represents the format of an ocicrypt_provider.conf config file
+/// OcicryptConfig represents the format of an ocicrypt_provider.conf config file.
+/// Detail ocicrypt keyprovider protocol and config file format is defined at:
+/// <https://github.com/containers/ocicrypt/blob/main/docs/keyprovider.md>
 #[derive(Deserialize)]
 pub struct OcicryptConfig {
     #[serde(rename = "key-providers")]

diff --git a/src/encryption.rs b/src/encryption.rs
@@ -211,12 +211,37 @@ fn get_layer_pub_opts(desc: &OciDescriptor) -> Result<Vec<u8>> {
     )
 }
 
+fn get_layer_key_opts(
+    annotations_id: &str,
+    annotations: &HashMap<String, String>,
+) -> Option<String> {
+    if annotations_id
+        .strip_prefix("org.opencontainers.image.enc.keys.provider")
+        .is_some()
+    {
+        annotations.iter().find_map(|(k, v)| {
+            // During decryption, ignore keyprovider name in annotations and use the
+            // keyprovider defined in OCICRYPT_KEYPROVIDER_CONFIG.
+            if k.strip_prefix("org.opencontainers.image.enc.keys.provider")
+                .is_some()
+            {
+                Some(v)
+            } else {
+                None
+            }
+        })
+    } else {
+        annotations.get(annotations_id)
+    }
+    .cloned()
+}
+
 fn decrypt_layer_key_opts_data(dc: &DecryptConfig, desc: &OciDescriptor) -> Result<Vec<u8>> {
     let mut priv_key_given = false;
 
     for (annotations_id, scheme) in KEY_WRAPPERS_ANNOTATIONS.iter() {
         if let Some(annotations) = desc.annotations.as_ref() {
-            if let Some(b64_annotation) = annotations.get(annotations_id) {
+            if let Some(b64_annotation) = get_layer_key_opts(annotations_id, annotations) {
                 let keywrapper = get_key_wrapper(scheme)?;
                 if !keywrapper.probe(&dc.param) {
                     continue;
@@ -226,7 +251,7 @@ fn decrypt_layer_key_opts_data(dc: &DecryptConfig, desc: &OciDescriptor) -> Resu
                     priv_key_given = true;
                 }
 
-                if let Ok(opts_data) = pre_unwrap_key(keywrapper, dc, b64_annotation) {
+                if let Ok(opts_data) = pre_unwrap_key(keywrapper, dc, &b64_annotation) {
                     if !opts_data.is_empty() {
                         return Ok(opts_data);
                     }