vendor: update containers/image

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2025-10-16 18:53:19 +08:00 · 2024-09-24 15:22:18 +02:00
parent c81c77109b
commit 7f29233a3f
62 changed files with 1244 additions and 814 deletions
--- a/vendor/github.com/letsencrypt/boulder/core/objects.go
+++ b/vendor/github.com/letsencrypt/boulder/core/objects.go
@ -157,58 +157,44 @@ type ValidationRecord struct {
 	UsedRSAKEX bool `json:"-"`
 }

-func looksLikeKeyAuthorization(str string) error {
-	parts := strings.Split(str, ".")
-	if len(parts) != 2 {
-		return fmt.Errorf("Invalid key authorization: does not look like a key authorization")
-	} else if !LooksLikeAToken(parts[0]) {
-		return fmt.Errorf("Invalid key authorization: malformed token")
-	} else if !LooksLikeAToken(parts[1]) {
-		// Thumbprints have the same syntax as tokens in boulder
-		// Both are base64-encoded and 32 octets
-		return fmt.Errorf("Invalid key authorization: malformed key thumbprint")
-	}
-	return nil
-}
-
 // Challenge is an aggregate of all data needed for any challenges.
 //
 // Rather than define individual types for different types of
 // challenge, we just throw all the elements into one bucket,
 // together with the common metadata elements.
 type Challenge struct {
-	// The type of challenge
+	// Type is the type of challenge encoded in this object.
 	Type AcmeChallenge `json:"type"`

-	// The status of this challenge
-	Status AcmeStatus `json:"status,omitempty"`
-
-	// Contains the error that occurred during challenge validation, if any
-	Error *probs.ProblemDetails `json:"error,omitempty"`
-
-	// A URI to which a response can be POSTed
-	URI string `json:"uri,omitempty"`
-
-	// For the V2 API the "URI" field is deprecated in favour of URL.
+	// URL is the URL to which a response can be posted. Required for all types.
 	URL string `json:"url,omitempty"`

-	// Used by http-01, tls-sni-01, tls-alpn-01 and dns-01 challenges
+	// Status is the status of this challenge. Required for all types.
+	Status AcmeStatus `json:"status,omitempty"`
+
+	// Validated is the time at which the server validated the challenge. Required
+	// if status is valid.
+	Validated *time.Time `json:"validated,omitempty"`
+
+	// Error contains the error that occurred during challenge validation, if any.
+	// If set, the Status must be "invalid".
+	Error *probs.ProblemDetails `json:"error,omitempty"`
+
+	// Token is a random value that uniquely identifies the challenge. It is used
+	// by all current challenges (http-01, tls-alpn-01, and dns-01).
 	Token string `json:"token,omitempty"`

-	// The expected KeyAuthorization for validation of the challenge. Populated by
-	// the RA prior to passing the challenge to the VA. For legacy reasons this
-	// field is called "ProvidedKeyAuthorization" because it was initially set by
-	// the content of the challenge update POST from the client. It is no longer
-	// set that way and should be renamed to "KeyAuthorization".
-	// TODO(@cpu): Rename `ProvidedKeyAuthorization` to `KeyAuthorization`.
+	// ProvidedKeyAuthorization used to carry the expected key authorization from
+	// the RA to the VA. However, since this field is never presented to the user
+	// via the ACME API, it should not be on this type.
+	//
+	// Deprecated: use vapb.PerformValidationRequest.ExpectedKeyAuthorization instead.
+	// TODO(#7514): Remove this.
 	ProvidedKeyAuthorization string `json:"keyAuthorization,omitempty"`

 	// Contains information about URLs used or redirected to and IPs resolved and
 	// used
 	ValidationRecord []ValidationRecord `json:"validationRecord,omitempty"`
-	// The time at which the server validated the challenge. Required by
-	// RFC8555 if status is valid.
-	Validated *time.Time `json:"validated,omitempty"`
 }

 // ExpectedKeyAuthorization computes the expected KeyAuthorization value for
@ -273,43 +259,18 @@ func (ch Challenge) RecordsSane() bool {
 	return true
 }

-// CheckConsistencyForClientOffer checks the fields of a challenge object before it is
-// given to the client.
-func (ch Challenge) CheckConsistencyForClientOffer() error {
-	err := ch.checkConsistency()
-	if err != nil {
-		return err
-	}
-
-	// Before completion, the key authorization field should be empty
-	if ch.ProvidedKeyAuthorization != "" {
-		return fmt.Errorf("A response to this challenge was already submitted.")
-	}
-	return nil
-}
-
-// CheckConsistencyForValidation checks the fields of a challenge object before it is
-// given to the VA.
-func (ch Challenge) CheckConsistencyForValidation() error {
-	err := ch.checkConsistency()
-	if err != nil {
-		return err
-	}
-
-	// If the challenge is completed, then there should be a key authorization
-	return looksLikeKeyAuthorization(ch.ProvidedKeyAuthorization)
-}
-
-// checkConsistency checks the sanity of a challenge object before issued to the client.
-func (ch Challenge) checkConsistency() error {
+// CheckPending ensures that a challenge object is pending and has a token.
+// This is used before offering the challenge to the client, and before actually
+// validating a challenge.
+func (ch Challenge) CheckPending() error {
 	if ch.Status != StatusPending {
-		return fmt.Errorf("The challenge is not pending.")
+		return fmt.Errorf("challenge is not pending")
 	}

-	// There always needs to be a token
-	if !LooksLikeAToken(ch.Token) {
-		return fmt.Errorf("The token is missing.")
+	if !looksLikeAToken(ch.Token) {
+		return fmt.Errorf("token is missing or malformed")
 	}
+
 	return nil
 }

--- a/vendor/github.com/letsencrypt/boulder/core/util.go
+++ b/vendor/github.com/letsencrypt/boulder/core/util.go
@ -76,9 +76,9 @@ func NewToken() string {

 var tokenFormat = regexp.MustCompile(`^[\w-]{43}$`)

-// LooksLikeAToken checks whether a string represents a 32-octet value in
+// looksLikeAToken checks whether a string represents a 32-octet value in
 // the URL-safe base64 alphabet.
-func LooksLikeAToken(token string) bool {
+func looksLikeAToken(token string) bool {
 	return tokenFormat.MatchString(token)
 }

--- a/vendor/github.com/letsencrypt/boulder/goodkey/good_key.go
+++ b/vendor/github.com/letsencrypt/boulder/goodkey/good_key.go
@ -39,6 +39,9 @@ var (
 )

 type Config struct {
+	// AllowedKeys enables or disables specific key algorithms and sizes. If
+	// nil, defaults to just those keys allowed by the Let's Encrypt CPS.
+	AllowedKeys *AllowedKeys
 	// WeakKeyFile is the path to a JSON file containing truncated modulus hashes
 	// of known weak RSA keys. If this config value is empty, then RSA modulus
 	// hash checking will be disabled.
@ -54,6 +57,40 @@ type Config struct {
 	FermatRounds int
 }

+// AllowedKeys is a map of six specific key algorithm and size combinations to
+// booleans indicating whether keys of that type are considered good.
+type AllowedKeys struct {
+	// Baseline Requirements, Section 6.1.5 requires key size >= 2048 and a multiple
+	// of 8 bits: https://github.com/cabforum/servercert/blob/main/docs/BR.md#615-key-sizes
+	// Baseline Requirements, Section 6.1.1.3 requires that we reject any keys which
+	// have a known method to easily compute their private key, such as Debian Weak
+	// Keys. Our enforcement mechanism relies on enumerating all Debian Weak Keys at
+	// common key sizes, so we restrict all issuance to those common key sizes.
+	RSA2048 bool
+	RSA3072 bool
+	RSA4096 bool
+	// Baseline Requirements, Section 6.1.5 requires that ECDSA keys be valid
+	// points on the NIST P-256, P-384, or P-521 elliptic curves.
+	ECDSAP256 bool
+	ECDSAP384 bool
+	ECDSAP521 bool
+}
+
+// LetsEncryptCPS encodes the five key algorithms and sizes allowed by the Let's
+// Encrypt CPS CV-SSL Subscriber Certificate Profile: RSA 2048, RSA 3076, RSA
+// 4096, ECDSA 256 and ECDSA P384.
+// https://github.com/letsencrypt/cp-cps/blob/main/CP-CPS.md#dv-ssl-subscriber-certificate
+// If this is ever changed, the CP/CPS MUST be changed first.
+func LetsEncryptCPS() AllowedKeys {
+	return AllowedKeys{
+		RSA2048:   true,
+		RSA3072:   true,
+		RSA4096:   true,
+		ECDSAP256: true,
+		ECDSAP384: true,
+	}
+}
+
 // ErrBadKey represents an error with a key. It is distinct from the various
 // ways in which an ACME request can have an erroneous key (BadPublicKeyError,
 // BadCSRError) because this library is used to check both JWS signing keys and
@ -74,28 +111,29 @@ type BlockedKeyCheckFunc func(ctx context.Context, keyHash []byte) (bool, error)
 // KeyPolicy determines which types of key may be used with various boulder
 // operations.
 type KeyPolicy struct {
-	AllowRSA           bool // Whether RSA keys should be allowed.
-	AllowECDSANISTP256 bool // Whether ECDSA NISTP256 keys should be allowed.
-	AllowECDSANISTP384 bool // Whether ECDSA NISTP384 keys should be allowed.
-	weakRSAList        *WeakRSAKeys
-	blockedList        *blockedKeys
-	fermatRounds       int
-	blockedCheck       BlockedKeyCheckFunc
+	allowedKeys  AllowedKeys
+	weakRSAList  *WeakRSAKeys
+	blockedList  *blockedKeys
+	fermatRounds int
+	blockedCheck BlockedKeyCheckFunc
 }

-// NewKeyPolicy returns a KeyPolicy that allows RSA, ECDSA256 and ECDSA384.
-// weakKeyFile contains the path to a JSON file containing truncated modulus
-// hashes of known weak RSA keys. If this argument is empty RSA modulus hash
-// checking will be disabled. blockedKeyFile contains the path to a YAML file
-// containing Base64 encoded SHA256 hashes of pkix subject public keys that
-// should be blocked. If this argument is empty then no blocked key checking is
-// performed.
-func NewKeyPolicy(config *Config, bkc BlockedKeyCheckFunc) (KeyPolicy, error) {
+// NewPolicy returns a key policy based on the given configuration, with sane
+// defaults. If the config's AllowedKeys is nil, the LetsEncryptCPS AllowedKeys
+// is used. If the config's WeakKeyFile or BlockedKeyFile paths are empty, those
+// checks are disabled. If the config's FermatRounds is 0, Fermat Factorization
+// is disabled.
+func NewPolicy(config *Config, bkc BlockedKeyCheckFunc) (KeyPolicy, error) {
+	if config == nil {
+		config = &Config{}
+	}
 	kp := KeyPolicy{
-		AllowRSA:           true,
-		AllowECDSANISTP256: true,
-		AllowECDSANISTP384: true,
-		blockedCheck:       bkc,
+		blockedCheck: bkc,
+	}
+	if config.AllowedKeys == nil {
+		kp.allowedKeys = LetsEncryptCPS()
+	} else {
+		kp.allowedKeys = *config.AllowedKeys
 	}
 	if config.WeakKeyFile != "" {
 		keyList, err := LoadWeakRSASuffixes(config.WeakKeyFile)
@ -264,42 +302,28 @@ func (policy *KeyPolicy) goodCurve(c elliptic.Curve) (err error) {
 	// Simply use a whitelist for now.
 	params := c.Params()
 	switch {
-	case policy.AllowECDSANISTP256 && params == elliptic.P256().Params():
+	case policy.allowedKeys.ECDSAP256 && params == elliptic.P256().Params():
 		return nil
-	case policy.AllowECDSANISTP384 && params == elliptic.P384().Params():
+	case policy.allowedKeys.ECDSAP384 && params == elliptic.P384().Params():
+		return nil
+	case policy.allowedKeys.ECDSAP521 && params == elliptic.P521().Params():
 		return nil
 	default:
 		return badKey("ECDSA curve %v not allowed", params.Name)
 	}
 }

-// Baseline Requirements, Section 6.1.5 requires key size >= 2048 and a multiple
-// of 8 bits: https://github.com/cabforum/servercert/blob/main/docs/BR.md#615-key-sizes
-// Baseline Requirements, Section 6.1.1.3 requires that we reject any keys which
-// have a known method to easily compute their private key, such as Debian Weak
-// Keys. Our enforcement mechanism relies on enumerating all Debian Weak Keys at
-// common key sizes, so we restrict all issuance to those common key sizes.
-var acceptableRSAKeySizes = map[int]bool{
-	2048: true,
-	3072: true,
-	4096: true,
-}
-
 // GoodKeyRSA determines if a RSA pubkey meets our requirements
-func (policy *KeyPolicy) goodKeyRSA(key *rsa.PublicKey) (err error) {
-	if !policy.AllowRSA {
-		return badKey("RSA keys are not allowed")
-	}
-	if policy.weakRSAList != nil && policy.weakRSAList.Known(key) {
-		return badKey("key is on a known weak RSA key list")
-	}
-
+func (policy *KeyPolicy) goodKeyRSA(key *rsa.PublicKey) error {
 	modulus := key.N

-	// See comment on acceptableRSAKeySizes above.
-	modulusBitLen := modulus.BitLen()
-	if !acceptableRSAKeySizes[modulusBitLen] {
-		return badKey("key size not supported: %d", modulusBitLen)
+	err := policy.goodRSABitLen(key)
+	if err != nil {
+		return err
+	}
+
+	if policy.weakRSAList != nil && policy.weakRSAList.Known(key) {
+		return badKey("key is on a known weak RSA key list")
 	}

 	// Rather than support arbitrary exponents, which significantly increases
@ -341,6 +365,21 @@ func (policy *KeyPolicy) goodKeyRSA(key *rsa.PublicKey) (err error) {
 	return nil
 }

+func (policy *KeyPolicy) goodRSABitLen(key *rsa.PublicKey) error {
+	// See comment on AllowedKeys above.
+	modulusBitLen := key.N.BitLen()
+	switch {
+	case modulusBitLen == 2048 && policy.allowedKeys.RSA2048:
+		return nil
+	case modulusBitLen == 3072 && policy.allowedKeys.RSA3072:
+		return nil
+	case modulusBitLen == 4096 && policy.allowedKeys.RSA4096:
+		return nil
+	default:
+		return badKey("key size not supported: %d", modulusBitLen)
+	}
+}
+
 // Returns true iff integer i is divisible by any of the primes in smallPrimes.
 //
 // Short circuits; execution time is dependent on i. Do not use this on secret
@ -400,7 +439,7 @@ func checkPrimeFactorsTooClose(n *big.Int, rounds int) error {
 	b2 := new(big.Int)
 	b2.Mul(a, a).Sub(b2, n)

-	for i := 0; i < rounds; i++ {
+	for range rounds {
 		// To see if b2 is a perfect square, we take its square root, square that,
 		// and check to see if we got the same result back.
 		bb.Sqrt(b2).Mul(bb, bb)