go.mod: update github.com/containers/image/v5

Version 5.22 introduced a new option to /etc/containers/policy.json called keyPaths, see https://github.com/containers/image/pull/1609 EL9 immediately took advantage of this new feature and started using it, see 04645c4a84 This quickly became an issue in our code: The go library (containers/image) parses the configuration file very strictly and refuses to create a client when policy.json with an unknown key is present on the filesystem. As we used 5.21.1 that doesn't know the new key, our unit tests started to failing when containers-common was present. Reproducer: podman run --pull=always --rm -it centos:stream9 dnf install -y dnf-plugins-core dnf config-manager --set-enabled crb dnf install -y gpgme-devel libassuan-devel krb5-devel golang git-core git clone https://github.com/osbuild/osbuild-composer cd osbuild-composer # install the new containers-common and run the test dnf install -y https://kojihub.stream.centos.org/kojifiles/packages/containers-common/1/44.el9/x86_64/containers-common-1-44.el9.x86_64.rpm go test -count 1 ./... # this returns: --- FAIL: TestClientResolve (0.00s) client_test.go:31: Error Trace: client_test.go:31 Error: Received unexpected error: Unknown key "keyPaths" invalid policy in "/etc/containers/policy.json" github.com/containers/image/v5/signature.NewPolicyFromFile /osbuild-composer/vendor/github.com/containers/image/v5/signature/policy_config.go:88 github.com/osbuild/osbuild-composer/internal/container.NewClient /osbuild-composer/internal/container/client.go:123 github.com/osbuild/osbuild-composer/internal/container_test.TestClientResolve /osbuild-composer/internal/container/client_test.go:29 testing.tRunner /usr/lib/golang/src/testing/testing.go:1439 runtime.goexit /usr/lib/golang/src/runtime/asm_amd64.s:1571 Test: TestClientResolve client_test.go:32: Error Trace: client_test.go:32 Error: Expected value not to be nil. Test: TestClientResolve When run with an older containers-common, it succeeds: dnf install -y https://kojihub.stream.centos.org/kojifiles/packages/containers-common/1/40.el9/x86_64/containers-common-1-40.el9.x86_64.rpm go test -count 1 ./... PASS To sum it up, I had to upgrade github.com/containers/image/v5 to v5.22.0. Unfortunately, this wasn't so simple, see go get github.com/containers/image/v5@latest go: github.com/containers/image/v5@v5.22.0 requires github.com/letsencrypt/boulder@v0.0.0-20220331220046-b23ab962616e requires github.com/honeycombio/beeline-go@v1.1.1 requires github.com/gobuffalo/pop/v5@v5.3.1 requires github.com/mattn/go-sqlite3@v2.0.3+incompatible: reading github.com/mattn/go-sqlite3/go.mod at revision v2.0.3: unknown revision v2.0.3 It turns out that github.com/mattn/go-sqlite3@v2.0.3+incompatible has been recently retracted https://github.com/mattn/go-sqlite3/pull/998 and this broke a ton of packages depending on it. I was able to fix it by adding exclude github.com/mattn/go-sqlite3 v2.0.3+incompatible to our go.mod, see https://github.com/mattn/go-sqlite3/issues/975#issuecomment-955661657 After adding it, go get github.com/containers/image/v5@latest succeeded and tools/prepare-source.sh took care of the rest. Signed-off-by: Ondřej Budai <ondrej@budai.cz>
2022-08-28 20:29:14 +02:00 · 2022-08-28 20:29:14 +02:00 · 29f66a251f
commit 29f66a251f
parent fa514c5326
694 changed files with 90636 additions and 50426 deletions
--- a/vendor/github.com/titanous/rocacheck/LICENSE
+++ b/vendor/github.com/titanous/rocacheck/LICENSE
@ -0,0 +1,22 @@
+MIT License
+
+Copyright (c) 2017, Jonathan Rudenberg
+Copyright (c) 2017, CRoCS, EnigmaBridge Ltd.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
--- a/vendor/github.com/titanous/rocacheck/README.md
+++ b/vendor/github.com/titanous/rocacheck/README.md
@ -0,0 +1,7 @@
+# rocacheck [![GoDoc](https://godoc.org/github.com/titanous/rocacheck?status.svg)](https://godoc.org/github.com/titanous/rocacheck)
+
+Package rocacheck is a Go implementation of the [key fingerprint
+algorithm](https://github.com/crocs-muni/roca) that checks if an RSA key was
+generated by broken Infineon code and is vulnerable to factorization via the
+[Return of Coppersmith's Attack
+(ROCA)](https://crocs.fi.muni.cz/public/papers/rsa_ccs17) / CVE-2017-15361.
--- a/vendor/github.com/titanous/rocacheck/rocacheck.go
+++ b/vendor/github.com/titanous/rocacheck/rocacheck.go
@ -0,0 +1,52 @@
+// Package rocacheck checks if a key was generated by broken Infineon code and
+// is vulnerable to factorization via the Return of Coppersmith's Attack (ROCA)
+// / CVE-2017-15361.
+package rocacheck
+
+import (
+	"crypto/rsa"
+	"math/big"
+)
+
+type test struct {
+	Prime        *big.Int
+	Fingerprints map[int64]struct{}
+}
+
+var tests = make([]test, 17)
+
+func init() {
+	bigOne := big.NewInt(1)
+	n := &big.Int{}
+	// relations table from https://github.com/crocs-muni/roca/pull/40
+	for i, r := range [][2]int64{
+		{2, 11}, {6, 13}, {8, 17}, {9, 19}, {3, 37}, {26, 53}, {20, 61},
+		{35, 71}, {24, 73}, {13, 79}, {6, 97}, {51, 103}, {53, 107},
+		{54, 109}, {42, 127}, {50, 151}, {78, 157},
+	} {
+		fps := make(map[int64]struct{})
+		bp := big.NewInt(r[1])
+		br := big.NewInt(r[0])
+		for j := int64(0); j < r[1]; j++ {
+			if n.Exp(big.NewInt(j), br, bp).Cmp(bigOne) == 0 {
+				fps[j] = struct{}{}
+			}
+		}
+		tests[i] = test{
+			Prime:        big.NewInt(r[1]),
+			Fingerprints: fps,
+		}
+	}
+}
+
+// IsWeak returns true if a RSA public key is vulnerable to Return of
+// Coppersmith's Attack (ROCA).
+func IsWeak(k *rsa.PublicKey) bool {
+	tmp := &big.Int{}
+	for _, t := range tests {
+		if _, ok := t.Fingerprints[tmp.Mod(k.N, t.Prime).Int64()]; !ok {
+			return false
+		}
+	}
+	return true
+}