ocicrypt: add feature "block-cipher"

Add feature "block-cipher" to make image layer encryption/decryption.

Signed-off-by: Jiang Liu <[email protected]>

.github/workflows/ci.yml

@@ -59,6 +59,12 @@ jobs:
           command: build
           args: --no-default-features
 
+      - name: Run cargo build - block cipher
+        uses: actions-rs/cargo@v1
+        with:
+          command: build
+          args: --no-default-features --features=block-cipher
+
       - name: Run cargo build - keywrap-jwe
         uses: actions-rs/cargo@v1
         with:

Cargo.toml

@@ -10,19 +10,19 @@ edition = "2018"
 
 [dependencies]
 anyhow = ">=1.0"
-aes = ">=0.8"
+aes = { version = ">=0.8", optional = true }
 base64 = "0.13"
-base64-serde = "0.6"
-ctr = ">=0.9"
-hmac = ">=0.12"
+base64-serde = { version = "0.6", optional = true }
+ctr = { version = ">=0.9", optional = true }
+hmac = { version = ">=0.12", optional = true }
 josekit = { version = ">=0.7", optional = true }
 lazy_static = ">=1.4"
-openssl = { version = ">=0.10", features = ["vendored"] }
-pin-project-lite = "0.2.9"
+openssl = { version = ">=0.10", features = ["vendored"], optional = true }
+pin-project-lite = { version = "0.2.9", optional = true }
 prost = { version = ">=0.11.0", optional = true }
 serde = { version = ">=1.0", features = ["derive"] }
 serde_json = ">=1.0"
-sha2 = ">=0.10"
+sha2 = { version = ">=0.10", optional = true }
 tokio = { version = "1.17.0", features = ["rt-multi-thread"], optional = true }
 tonic = { version = ">=0.8.0", optional = true }
 attestation_agent = { git = "https://github.com/confidential-containers/attestation-agent", rev = "b45b0f8", optional = true  }
@@ -34,9 +34,10 @@ tonic-build = {version = "0.8.0", optional = true }
 aes-gcm = { version = "0.10" }
 
 [features]
-default = ["keywrap-jwe", "keywrap-keyprovider-cmd"]
+default = ["block-cipher", "keywrap-jwe", "keywrap-keyprovider-cmd"]
 eaa_kbc = ["keywrap-keyprovider-native", "attestation_agent/eaa_kbc"]
 async-io = ["tokio"]
+block-cipher = ["aes", "base64-serde", "ctr", "hmac", "openssl", "pin-project-lite", "sha2"]
 keywrap-jwe = ["josekit"]
 keywrap-keyprovider = []
 keywrap-keyprovider-cmd = ["keywrap-keyprovider"]

src/encryption.rs

@@ -11,52 +11,10 @@ use crate::blockcipher::{
     PrivateLayerBlockCipherOptions, PublicLayerBlockCipherOptions, AES256CTR,
 };
 use crate::config::{DecryptConfig, EncryptConfig};
-#[cfg(feature = "keywrap-jwe")]
-use crate::keywrap::jwe::JweKeyWrapper;
-#[cfg(feature = "keywrap-keyprovider")]
-use crate::keywrap::keyprovider;
 use crate::keywrap::KeyWrapper;
+use crate::{get_key_wrapper, KEY_WRAPPERS_ANNOTATIONS};
 
 lazy_static! {
-    static ref KEY_WRAPPERS: HashMap<String, Box<dyn KeyWrapper>> = {
-        #[allow(unused_mut)]
-        let mut m = HashMap::new();
-
-        #[cfg(feature = "keywrap-jwe")]
-        {
-            m.insert(
-                "jwe".to_string(),
-                Box::new(JweKeyWrapper {}) as Box<dyn KeyWrapper>,
-            );
-        }
-
-        #[cfg(feature = "keywrap-keyprovider")]
-        {
-            let ocicrypt_config =
-                crate::config::OcicryptConfig::from_env(crate::config::OCICRYPT_ENVVARNAME)
-                    .expect("Unable to read ocicrypt config file");
-            if let Some(ocicrypt_config) = ocicrypt_config {
-                let key_providers = ocicrypt_config.key_providers;
-                for (provider_name, attrs) in key_providers.iter() {
-                    let key_wrapper = Box::new(keyprovider::KeyProviderKeyWrapper::new(
-                        provider_name.to_string(),
-                        attrs.clone(),
-                        None,
-                    )) as Box<dyn KeyWrapper>;
-                    m.insert("provider.".to_owned() + provider_name, key_wrapper);
-                }
-            }
-        }
-
-        m
-    };
-    static ref KEY_WRAPPERS_ANNOTATIONS: HashMap<String, String> = {
-        let mut m = HashMap::new();
-        for (scheme, key_wrapper) in KEY_WRAPPERS.iter() {
-            m.insert(key_wrapper.annotation_id().to_string(), scheme.clone());
-        }
-        m
-    };
     static ref DEFAULT_ANNOTATION_MAP: HashMap<String, String> = HashMap::new();
 }
 
@@ -116,28 +74,6 @@ impl EncLayerFinalizer {
     }
 }
 
-/// get_key_wrapper looks up the encryptor interface given an encryption scheme (gpg, jwe)
-#[allow(clippy::borrowed_box)]
-pub fn get_key_wrapper(scheme: &str) -> Result<&Box<dyn KeyWrapper>> {
-    KEY_WRAPPERS
-        .get(scheme)
-        .ok_or_else(|| anyhow!("key wrapper not supported!"))
-}
-
-/// get_wrapped_keys_map returns a option contains map of wrapped_keys
-/// as values and the encryption scheme(s) as the key(s)
-pub fn get_wrapped_keys_map(annotations: &HashMap<String, String>) -> HashMap<String, String> {
-    let mut wrapped_keys_map = HashMap::new();
-
-    for (annotations_id, scheme) in KEY_WRAPPERS_ANNOTATIONS.iter() {
-        if let Some(value) = annotations.get(annotations_id) {
-            wrapped_keys_map.insert(scheme.clone(), value.clone());
-        }
-    }
-
-    wrapped_keys_map
-}
-
 // pre_wrap_keys calls wrap_keys and handles the base64 encoding and
 // concatenation of the annotation data.
 fn pre_wrap_key(

src/keywrap/keyprovider.rs

@@ -496,8 +496,8 @@ mod tests {
         feature = "keywrap-keyprovider-grpc"
     ))]
     mod cmd_grpc {
-        use aes::{Aes256Dec, Aes256Enc};
         use aes_gcm::aead::{Aead, KeyInit};
+        use aes_gcm::aes::{Aes256Dec, Aes256Enc};
         use aes_gcm::{Aes256Gcm, Key, Nonce};
         use anyhow::{anyhow, Result};
 

src/lib.rs

@@ -6,10 +6,82 @@ extern crate serde;
 #[macro_use]
 extern crate lazy_static;
 
-pub mod blockcipher;
+use crate::keywrap::KeyWrapper;
+use anyhow::{anyhow, Result};
+use std::collections::HashMap;
+
 pub mod config;
-pub mod encryption;
 pub mod helpers;
 pub mod keywrap;
 pub mod spec;
 pub mod utils;
+
+#[cfg(feature = "block-cipher")]
+pub mod blockcipher;
+#[cfg(feature = "block-cipher")]
+pub mod encryption;
+
+lazy_static! {
+    pub static ref KEY_WRAPPERS: HashMap<String, Box<dyn KeyWrapper>> = {
+        #[allow(unused_mut)]
+        let mut m = HashMap::new();
+
+        #[cfg(feature = "keywrap-jwe")]
+        {
+            m.insert(
+                "jwe".to_string(),
+                Box::new(crate::keywrap::jwe::JweKeyWrapper {}) as Box<dyn KeyWrapper>,
+            );
+        }
+
+        #[cfg(feature = "keywrap-keyprovider")]
+        {
+            let ocicrypt_config =
+                crate::config::OcicryptConfig::from_env(crate::config::OCICRYPT_ENVVARNAME)
+                    .expect("Unable to read ocicrypt config file");
+            if let Some(ocicrypt_config) = ocicrypt_config {
+                let key_providers = ocicrypt_config.key_providers;
+                for (provider_name, attrs) in key_providers.iter() {
+                    let key_wrapper =
+                        Box::new(crate::keywrap::keyprovider::KeyProviderKeyWrapper::new(
+                            provider_name.to_string(),
+                            attrs.clone(),
+                            None,
+                        )) as Box<dyn KeyWrapper>;
+                    m.insert("provider.".to_owned() + provider_name, key_wrapper);
+                }
+            }
+        }
+
+        m
+    };
+    static ref KEY_WRAPPERS_ANNOTATIONS: HashMap<String, String> = {
+        let mut m = HashMap::new();
+        for (scheme, key_wrapper) in KEY_WRAPPERS.iter() {
+            m.insert(key_wrapper.annotation_id().to_string(), scheme.clone());
+        }
+        m
+    };
+}
+
+/// get_key_wrapper looks up the encryptor interface given an encryption scheme (gpg, jwe)
+#[allow(clippy::borrowed_box)]
+pub fn get_key_wrapper(scheme: &str) -> Result<&Box<dyn KeyWrapper>> {
+    KEY_WRAPPERS
+        .get(scheme)
+        .ok_or_else(|| anyhow!("key wrapper not supported!"))
+}
+
+/// get_wrapped_keys_map returns a option contains map of wrapped_keys
+/// as values and the encryption scheme(s) as the key(s)
+pub fn get_wrapped_keys_map(annotations: &HashMap<String, String>) -> HashMap<String, String> {
+    let mut wrapped_keys_map = HashMap::new();
+
+    for (annotations_id, scheme) in KEY_WRAPPERS_ANNOTATIONS.iter() {
+        if let Some(value) = annotations.get(annotations_id) {
+            wrapped_keys_map.insert(scheme.clone(), value.clone());
+        }
+    }
+
+    wrapped_keys_map
+}