k3s/vendor/github.com/containerd/imgcrypt/images/encryption/encryption.go

/*
   Copyright The containerd Authors.

   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
   You may obtain a copy of the License at

       http://www.apache.org/licenses/LICENSE-2.0

   Unless required by applicable law or agreed to in writing, software
   distributed under the License is distributed on an "AS IS" BASIS,
   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   See the License for the specific language governing permissions and
   limitations under the License.
*/

package encryption

import (
	"bytes"
	"context"
	"encoding/json"
	"fmt"
	"io"
	"math/rand"

	"github.com/containerd/containerd/images"
	"github.com/containers/ocicrypt"
	encconfig "github.com/containers/ocicrypt/config"

	"github.com/containerd/containerd/content"
	"github.com/containerd/containerd/errdefs"
	"github.com/containerd/containerd/platforms"
	encocispec "github.com/containers/ocicrypt/spec"
	digest "github.com/opencontainers/go-digest"
	specs "github.com/opencontainers/image-spec/specs-go"
	"github.com/pkg/errors"

	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
)

type cryptoOp int

const (
	cryptoOpEncrypt    cryptoOp = iota
	cryptoOpDecrypt             = iota
	cryptoOpUnwrapOnly          = iota
)

// LayerFilter allows to select Layers by certain criteria
type LayerFilter func(desc ocispec.Descriptor) bool

// IsEncryptedDiff returns true if mediaType is a known encrypted media type.
func IsEncryptedDiff(ctx context.Context, mediaType string) bool {
	switch mediaType {
	case encocispec.MediaTypeLayerGzipEnc, encocispec.MediaTypeLayerEnc:
		return true
	}
	return false
}

// HasEncryptedLayer returns true if any LayerInfo indicates that the layer is encrypted
func HasEncryptedLayer(ctx context.Context, layerInfos []ocispec.Descriptor) bool {
	for i := 0; i < len(layerInfos); i++ {
		if IsEncryptedDiff(ctx, layerInfos[i].MediaType) {
			return true
		}
	}
	return false
}

// encryptLayer encrypts the layer using the CryptoConfig and creates a new OCI Descriptor.
// A call to this function may also only manipulate the wrapped keys list.
// The caller is expected to store the returned encrypted data and OCI Descriptor
func encryptLayer(cc *encconfig.CryptoConfig, dataReader content.ReaderAt, desc ocispec.Descriptor) (ocispec.Descriptor, io.Reader, ocicrypt.EncryptLayerFinalizer, error) {
	var (
		size int64
		d    digest.Digest
		err  error
	)

	encLayerReader, encLayerFinalizer, err := ocicrypt.EncryptLayer(cc.EncryptConfig, ocicrypt.ReaderFromReaderAt(dataReader), desc)
	if err != nil {
		return ocispec.Descriptor{}, nil, nil, err
	}

	// were data touched ?
	if encLayerReader != nil {
		size = 0
		d = ""
	} else {
		size = desc.Size
		d = desc.Digest
	}

	newDesc := ocispec.Descriptor{
		Digest:   d,
		Size:     size,
		Platform: desc.Platform,
	}

	switch desc.MediaType {
	case images.MediaTypeDockerSchema2LayerGzip:
		newDesc.MediaType = encocispec.MediaTypeLayerGzipEnc
	case images.MediaTypeDockerSchema2Layer:
		newDesc.MediaType = encocispec.MediaTypeLayerEnc
	case encocispec.MediaTypeLayerGzipEnc:
		newDesc.MediaType = encocispec.MediaTypeLayerGzipEnc
	case encocispec.MediaTypeLayerEnc:
		newDesc.MediaType = encocispec.MediaTypeLayerEnc

	// TODO: Mediatypes to be added in ocispec
	case ocispec.MediaTypeImageLayerGzip:
		newDesc.MediaType = encocispec.MediaTypeLayerGzipEnc
	case ocispec.MediaTypeImageLayer:
		newDesc.MediaType = encocispec.MediaTypeLayerEnc

	default:
		return ocispec.Descriptor{}, nil, nil, errors.Errorf("Encryption: unsupporter layer MediaType: %s\n", desc.MediaType)
	}

	return newDesc, encLayerReader, encLayerFinalizer, nil
}

// DecryptLayer decrypts the layer using the DecryptConfig and creates a new OCI Descriptor.
// The caller is expected to store the returned plain data and OCI Descriptor
func DecryptLayer(dc *encconfig.DecryptConfig, dataReader io.Reader, desc ocispec.Descriptor, unwrapOnly bool) (ocispec.Descriptor, io.Reader, digest.Digest, error) {
	resultReader, layerDigest, err := ocicrypt.DecryptLayer(dc, dataReader, desc, unwrapOnly)
	if err != nil || unwrapOnly {
		return ocispec.Descriptor{}, nil, "", err
	}

	newDesc := ocispec.Descriptor{
		Size:     0,
		Platform: desc.Platform,
	}

	switch desc.MediaType {
	case encocispec.MediaTypeLayerGzipEnc:
		newDesc.MediaType = images.MediaTypeDockerSchema2LayerGzip
	case encocispec.MediaTypeLayerEnc:
		newDesc.MediaType = images.MediaTypeDockerSchema2Layer
	default:
		return ocispec.Descriptor{}, nil, "", errors.Errorf("Decryption: unsupporter layer MediaType: %s\n", desc.MediaType)
	}
	return newDesc, resultReader, layerDigest, nil
}

// decryptLayer decrypts the layer using the CryptoConfig and creates a new OCI Descriptor.
// The caller is expected to store the returned plain data and OCI Descriptor
func decryptLayer(cc *encconfig.CryptoConfig, dataReader content.ReaderAt, desc ocispec.Descriptor, unwrapOnly bool) (ocispec.Descriptor, io.Reader, error) {
	resultReader, d, err := ocicrypt.DecryptLayer(cc.DecryptConfig, ocicrypt.ReaderFromReaderAt(dataReader), desc, unwrapOnly)
	if err != nil || unwrapOnly {
		return ocispec.Descriptor{}, nil, err
	}

	newDesc := ocispec.Descriptor{
		Digest:   d,
		Size:     0,
		Platform: desc.Platform,
	}

	switch desc.MediaType {
	case encocispec.MediaTypeLayerGzipEnc:
		newDesc.MediaType = images.MediaTypeDockerSchema2LayerGzip
	case encocispec.MediaTypeLayerEnc:
		newDesc.MediaType = images.MediaTypeDockerSchema2Layer
	default:
		return ocispec.Descriptor{}, nil, errors.Errorf("Decryption: unsupporter layer MediaType: %s\n", desc.MediaType)
	}
	return newDesc, resultReader, nil
}

// cryptLayer handles the changes due to encryption or decryption of a layer
func cryptLayer(ctx context.Context, cs content.Store, desc ocispec.Descriptor, cc *encconfig.CryptoConfig, cryptoOp cryptoOp) (ocispec.Descriptor, error) {
	var (
		resultReader      io.Reader
		newDesc           ocispec.Descriptor
		encLayerFinalizer ocicrypt.EncryptLayerFinalizer
	)

	dataReader, err := cs.ReaderAt(ctx, desc)
	if err != nil {
		return ocispec.Descriptor{}, err
	}
	defer dataReader.Close()

	if cryptoOp == cryptoOpEncrypt {
		newDesc, resultReader, encLayerFinalizer, err = encryptLayer(cc, dataReader, desc)
	} else {
		newDesc, resultReader, err = decryptLayer(cc, dataReader, desc, cryptoOp == cryptoOpUnwrapOnly)
	}
	if err != nil || cryptoOp == cryptoOpUnwrapOnly {
		return ocispec.Descriptor{}, err
	}

	newDesc.Annotations = ocicrypt.FilterOutAnnotations(desc.Annotations)

	// some operations, such as changing recipients, may not touch the layer at all
	if resultReader != nil {
		var ref string
		// If we have the digest, write blob with checks
		haveDigest := newDesc.Digest.String() != ""
		if haveDigest {
			ref = fmt.Sprintf("layer-%s", newDesc.Digest.String())
		} else {
			ref = fmt.Sprintf("blob-%d-%d", rand.Int(), rand.Int())
		}

		if haveDigest {
			if err := content.WriteBlob(ctx, cs, ref, resultReader, newDesc); err != nil {
				return ocispec.Descriptor{}, errors.Wrap(err, "failed to write config")
			}
		} else {
			newDesc.Digest, newDesc.Size, err = ingestReader(ctx, cs, ref, resultReader)
			if err != nil {
				return ocispec.Descriptor{}, err
			}
		}
	}

	// After performing encryption, call finalizer to get annotations
	if encLayerFinalizer != nil {
		annotations, err := encLayerFinalizer()
		if err != nil {
			return ocispec.Descriptor{}, errors.Wrap(err, "Error getting annotations from encLayer finalizer")
		}
		for k, v := range annotations {
			newDesc.Annotations[k] = v
		}
	}
	return newDesc, err
}

func ingestReader(ctx context.Context, cs content.Ingester, ref string, r io.Reader) (digest.Digest, int64, error) {
	cw, err := content.OpenWriter(ctx, cs, content.WithRef(ref))
	if err != nil {
		return "", 0, errors.Wrap(err, "failed to open writer")
	}
	defer cw.Close()

	if _, err := content.CopyReader(cw, r); err != nil {
		return "", 0, errors.Wrap(err, "copy failed")
	}

	st, err := cw.Status()
	if err != nil {
		return "", 0, errors.Wrap(err, "failed to get state")
	}

	if err := cw.Commit(ctx, st.Offset, ""); err != nil {
		if !errdefs.IsAlreadyExists(err) {
			return "", 0, errors.Wrapf(err, "failed commit on ref %q", ref)
		}
	}

	return cw.Digest(), st.Offset, nil
}

// Encrypt or decrypt all the Children of a given descriptor
func cryptChildren(ctx context.Context, cs content.Store, desc ocispec.Descriptor, cc *encconfig.CryptoConfig, lf LayerFilter, cryptoOp cryptoOp, thisPlatform *ocispec.Platform) (ocispec.Descriptor, bool, error) {
	children, err := images.Children(ctx, cs, desc)
	if err != nil {
		if errdefs.IsNotFound(err) {
			return desc, false, nil
		}
		return ocispec.Descriptor{}, false, err
	}

	var newLayers []ocispec.Descriptor
	var config ocispec.Descriptor
	modified := false

	for _, child := range children {
		// we only encrypt child layers and have to update their parents if encryption happened
		switch child.MediaType {
		case images.MediaTypeDockerSchema2Config, ocispec.MediaTypeImageConfig:
			config = child
		case images.MediaTypeDockerSchema2LayerGzip, images.MediaTypeDockerSchema2Layer,
			ocispec.MediaTypeImageLayerGzip, ocispec.MediaTypeImageLayer:
			if cryptoOp == cryptoOpEncrypt && lf(child) {
				nl, err := cryptLayer(ctx, cs, child, cc, cryptoOp)
				if err != nil {
					return ocispec.Descriptor{}, false, err
				}
				modified = true
				newLayers = append(newLayers, nl)
			} else {
				newLayers = append(newLayers, child)
			}
		case encocispec.MediaTypeLayerGzipEnc, encocispec.MediaTypeLayerEnc:
			// this one can be decrypted but also its recipients list changed
			if lf(child) {
				nl, err := cryptLayer(ctx, cs, child, cc, cryptoOp)
				if err != nil || cryptoOp == cryptoOpUnwrapOnly {
					return ocispec.Descriptor{}, false, err
				}
				modified = true
				newLayers = append(newLayers, nl)
			} else {
				newLayers = append(newLayers, child)
			}
		case images.MediaTypeDockerSchema2LayerForeign, images.MediaTypeDockerSchema2LayerForeignGzip:
			// never encrypt/decrypt
			newLayers = append(newLayers, child)
		default:
			return ocispec.Descriptor{}, false, errors.Errorf("bad/unhandled MediaType %s in encryptChildren\n", child.MediaType)
		}
	}

	if modified && len(newLayers) > 0 {
		newManifest := ocispec.Manifest{
			Versioned: specs.Versioned{
				SchemaVersion: 2,
			},
			Config: config,
			Layers: newLayers,
		}

		mb, err := json.MarshalIndent(newManifest, "", "   ")
		if err != nil {
			return ocispec.Descriptor{}, false, errors.Wrap(err, "failed to marshal image")
		}

		newDesc := ocispec.Descriptor{
			MediaType: ocispec.MediaTypeImageManifest,
			Size:      int64(len(mb)),
			Digest:    digest.Canonical.FromBytes(mb),
			Platform:  desc.Platform,
		}

		labels := map[string]string{}
		labels["containerd.io/gc.ref.content.0"] = newManifest.Config.Digest.String()
		for i, ch := range newManifest.Layers {
			labels[fmt.Sprintf("containerd.io/gc.ref.content.%d", i+1)] = ch.Digest.String()
		}

		ref := fmt.Sprintf("manifest-%s", newDesc.Digest.String())

		if err := content.WriteBlob(ctx, cs, ref, bytes.NewReader(mb), newDesc, content.WithLabels(labels)); err != nil {
			return ocispec.Descriptor{}, false, errors.Wrap(err, "failed to write config")
		}
		return newDesc, true, nil
	}

	return desc, modified, nil
}

// cryptManifest encrypts or decrypts the children of a top level manifest
func cryptManifest(ctx context.Context, cs content.Store, desc ocispec.Descriptor, cc *encconfig.CryptoConfig, lf LayerFilter, cryptoOp cryptoOp) (ocispec.Descriptor, bool, error) {
	p, err := content.ReadBlob(ctx, cs, desc)
	if err != nil {
		return ocispec.Descriptor{}, false, err
	}
	var manifest ocispec.Manifest
	if err := json.Unmarshal(p, &manifest); err != nil {
		return ocispec.Descriptor{}, false, err
	}
	platform := platforms.DefaultSpec()
	newDesc, modified, err := cryptChildren(ctx, cs, desc, cc, lf, cryptoOp, &platform)
	if err != nil || cryptoOp == cryptoOpUnwrapOnly {
		return ocispec.Descriptor{}, false, err
	}
	return newDesc, modified, nil
}

// cryptManifestList encrypts or decrypts the children of a top level manifest list
func cryptManifestList(ctx context.Context, cs content.Store, desc ocispec.Descriptor, cc *encconfig.CryptoConfig, lf LayerFilter, cryptoOp cryptoOp) (ocispec.Descriptor, bool, error) {
	// read the index; if any layer is encrypted and any manifests change we will need to rewrite it
	b, err := content.ReadBlob(ctx, cs, desc)
	if err != nil {
		return ocispec.Descriptor{}, false, err
	}

	var index ocispec.Index
	if err := json.Unmarshal(b, &index); err != nil {
		return ocispec.Descriptor{}, false, err
	}

	var newManifests []ocispec.Descriptor
	modified := false
	for _, manifest := range index.Manifests {
		newManifest, m, err := cryptChildren(ctx, cs, manifest, cc, lf, cryptoOp, manifest.Platform)
		if err != nil || cryptoOp == cryptoOpUnwrapOnly {
			return ocispec.Descriptor{}, false, err
		}
		if m {
			modified = true
		}
		newManifests = append(newManifests, newManifest)
	}

	if modified {
		// we need to update the index
		newIndex := ocispec.Index{
			Versioned: index.Versioned,
			Manifests: newManifests,
		}

		mb, err := json.MarshalIndent(newIndex, "", "   ")
		if err != nil {
			return ocispec.Descriptor{}, false, errors.Wrap(err, "failed to marshal index")
		}

		newDesc := ocispec.Descriptor{
			MediaType: ocispec.MediaTypeImageIndex,
			Size:      int64(len(mb)),
			Digest:    digest.Canonical.FromBytes(mb),
		}

		labels := map[string]string{}
		for i, m := range newIndex.Manifests {
			labels[fmt.Sprintf("containerd.io/gc.ref.content.%d", i)] = m.Digest.String()
		}

		ref := fmt.Sprintf("index-%s", newDesc.Digest.String())

		if err = content.WriteBlob(ctx, cs, ref, bytes.NewReader(mb), newDesc, content.WithLabels(labels)); err != nil {
			return ocispec.Descriptor{}, false, errors.Wrap(err, "failed to write index")
		}
		return newDesc, true, nil
	}

	return desc, false, nil
}

// cryptImage is the dispatcher to encrypt/decrypt an image; it accepts either an OCI descriptor
// representing a manifest list or a single manifest
func cryptImage(ctx context.Context, cs content.Store, desc ocispec.Descriptor, cc *encconfig.CryptoConfig, lf LayerFilter, cryptoOp cryptoOp) (ocispec.Descriptor, bool, error) {
	if cc == nil {
		return ocispec.Descriptor{}, false, errors.Wrapf(errdefs.ErrInvalidArgument, "CryptoConfig must not be nil")
	}
	switch desc.MediaType {
	case ocispec.MediaTypeImageIndex, images.MediaTypeDockerSchema2ManifestList:
		return cryptManifestList(ctx, cs, desc, cc, lf, cryptoOp)
	case ocispec.MediaTypeImageManifest, images.MediaTypeDockerSchema2Manifest:
		return cryptManifest(ctx, cs, desc, cc, lf, cryptoOp)
	default:
		return ocispec.Descriptor{}, false, errors.Errorf("CryptImage: Unhandled media type: %s", desc.MediaType)
	}
}

// EncryptImage encrypts an image; it accepts either an OCI descriptor representing a manifest list or a single manifest
func EncryptImage(ctx context.Context, cs content.Store, desc ocispec.Descriptor, cc *encconfig.CryptoConfig, lf LayerFilter) (ocispec.Descriptor, bool, error) {
	return cryptImage(ctx, cs, desc, cc, lf, cryptoOpEncrypt)
}

// DecryptImage decrypts an image; it accepts either an OCI descriptor representing a manifest list or a single manifest
func DecryptImage(ctx context.Context, cs content.Store, desc ocispec.Descriptor, cc *encconfig.CryptoConfig, lf LayerFilter) (ocispec.Descriptor, bool, error) {
	return cryptImage(ctx, cs, desc, cc, lf, cryptoOpDecrypt)
}

// CheckAuthorization checks whether a user has the right keys to be allowed to access an image (every layer)
// It takes decrypting of the layers only as far as decrypting the asymmetrically encrypted data
// The decryption is only done for the current platform
func CheckAuthorization(ctx context.Context, cs content.Store, desc ocispec.Descriptor, dc *encconfig.DecryptConfig) error {
	cc := encconfig.InitDecryption(dc.Parameters)

	lf := func(desc ocispec.Descriptor) bool {
		return true
	}

	_, _, err := cryptImage(ctx, cs, desc, &cc, lf, cryptoOpUnwrapOnly)
	if err != nil {
		return errors.Wrapf(err, "you are not authorized to use this image")
	}
	return nil
}
Update go.mod for k8s 1.19 2020-08-10 17:43:49 +00:00			`/*`
			`Copyright The containerd Authors.`

			`Licensed under the Apache License, Version 2.0 (the "License");`
			`you may not use this file except in compliance with the License.`
			`You may obtain a copy of the License at`

			`http://www.apache.org/licenses/LICENSE-2.0`

			`Unless required by applicable law or agreed to in writing, software`
			`distributed under the License is distributed on an "AS IS" BASIS,`
			`WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`See the License for the specific language governing permissions and`
			`limitations under the License.`
			`*/`

			`package encryption`

			`import (`
			`"bytes"`
			`"context"`
			`"encoding/json"`
			`"fmt"`
			`"io"`
			`"math/rand"`

			`"github.com/containerd/containerd/images"`
			`"github.com/containers/ocicrypt"`
			`encconfig "github.com/containers/ocicrypt/config"`

			`"github.com/containerd/containerd/content"`
			`"github.com/containerd/containerd/errdefs"`
			`"github.com/containerd/containerd/platforms"`
			`encocispec "github.com/containers/ocicrypt/spec"`
			`digest "github.com/opencontainers/go-digest"`
			`specs "github.com/opencontainers/image-spec/specs-go"`
			`"github.com/pkg/errors"`

			`ocispec "github.com/opencontainers/image-spec/specs-go/v1"`
			`)`

			`type cryptoOp int`

			`const (`
			`cryptoOpEncrypt cryptoOp = iota`
			`cryptoOpDecrypt = iota`
			`cryptoOpUnwrapOnly = iota`
			`)`

			`// LayerFilter allows to select Layers by certain criteria`
			`type LayerFilter func(desc ocispec.Descriptor) bool`

			`// IsEncryptedDiff returns true if mediaType is a known encrypted media type.`
			`func IsEncryptedDiff(ctx context.Context, mediaType string) bool {`
			`switch mediaType {`
			`case encocispec.MediaTypeLayerGzipEnc, encocispec.MediaTypeLayerEnc:`
			`return true`
			`}`
			`return false`
			`}`

			`// HasEncryptedLayer returns true if any LayerInfo indicates that the layer is encrypted`
			`func HasEncryptedLayer(ctx context.Context, layerInfos []ocispec.Descriptor) bool {`
			`for i := 0; i < len(layerInfos); i++ {`
			`if IsEncryptedDiff(ctx, layerInfos[i].MediaType) {`
			`return true`
			`}`
			`}`
			`return false`
			`}`

			`// encryptLayer encrypts the layer using the CryptoConfig and creates a new OCI Descriptor.`
			`// A call to this function may also only manipulate the wrapped keys list.`
			`// The caller is expected to store the returned encrypted data and OCI Descriptor`
			`func encryptLayer(cc *encconfig.CryptoConfig, dataReader content.ReaderAt, desc ocispec.Descriptor) (ocispec.Descriptor, io.Reader, ocicrypt.EncryptLayerFinalizer, error) {`
			`var (`
			`size int64`
			`d digest.Digest`
			`err error`
			`)`

			`encLayerReader, encLayerFinalizer, err := ocicrypt.EncryptLayer(cc.EncryptConfig, ocicrypt.ReaderFromReaderAt(dataReader), desc)`
			`if err != nil {`
			`return ocispec.Descriptor{}, nil, nil, err`
			`}`

			`// were data touched ?`
			`if encLayerReader != nil {`
			`size = 0`
			`d = ""`
			`} else {`
			`size = desc.Size`
			`d = desc.Digest`
			`}`

			`newDesc := ocispec.Descriptor{`
			`Digest: d,`
			`Size: size,`
			`Platform: desc.Platform,`
			`}`

			`switch desc.MediaType {`
			`case images.MediaTypeDockerSchema2LayerGzip:`
			`newDesc.MediaType = encocispec.MediaTypeLayerGzipEnc`
			`case images.MediaTypeDockerSchema2Layer:`
			`newDesc.MediaType = encocispec.MediaTypeLayerEnc`
			`case encocispec.MediaTypeLayerGzipEnc:`
			`newDesc.MediaType = encocispec.MediaTypeLayerGzipEnc`
			`case encocispec.MediaTypeLayerEnc:`
			`newDesc.MediaType = encocispec.MediaTypeLayerEnc`

			`// TODO: Mediatypes to be added in ocispec`
			`case ocispec.MediaTypeImageLayerGzip:`
			`newDesc.MediaType = encocispec.MediaTypeLayerGzipEnc`
			`case ocispec.MediaTypeImageLayer:`
			`newDesc.MediaType = encocispec.MediaTypeLayerEnc`

			`default:`
			`return ocispec.Descriptor{}, nil, nil, errors.Errorf("Encryption: unsupporter layer MediaType: %s\n", desc.MediaType)`
			`}`

			`return newDesc, encLayerReader, encLayerFinalizer, nil`
			`}`

			`// DecryptLayer decrypts the layer using the DecryptConfig and creates a new OCI Descriptor.`
			`// The caller is expected to store the returned plain data and OCI Descriptor`
			`func DecryptLayer(dc *encconfig.DecryptConfig, dataReader io.Reader, desc ocispec.Descriptor, unwrapOnly bool) (ocispec.Descriptor, io.Reader, digest.Digest, error) {`
			`resultReader, layerDigest, err := ocicrypt.DecryptLayer(dc, dataReader, desc, unwrapOnly)`
			`if err != nil \|\| unwrapOnly {`
			`return ocispec.Descriptor{}, nil, "", err`
			`}`

			`newDesc := ocispec.Descriptor{`
			`Size: 0,`
			`Platform: desc.Platform,`
			`}`

			`switch desc.MediaType {`
			`case encocispec.MediaTypeLayerGzipEnc:`
			`newDesc.MediaType = images.MediaTypeDockerSchema2LayerGzip`
			`case encocispec.MediaTypeLayerEnc:`
			`newDesc.MediaType = images.MediaTypeDockerSchema2Layer`
			`default:`
			`return ocispec.Descriptor{}, nil, "", errors.Errorf("Decryption: unsupporter layer MediaType: %s\n", desc.MediaType)`
			`}`
			`return newDesc, resultReader, layerDigest, nil`
			`}`

			`// decryptLayer decrypts the layer using the CryptoConfig and creates a new OCI Descriptor.`
			`// The caller is expected to store the returned plain data and OCI Descriptor`
			`func decryptLayer(cc *encconfig.CryptoConfig, dataReader content.ReaderAt, desc ocispec.Descriptor, unwrapOnly bool) (ocispec.Descriptor, io.Reader, error) {`
			`resultReader, d, err := ocicrypt.DecryptLayer(cc.DecryptConfig, ocicrypt.ReaderFromReaderAt(dataReader), desc, unwrapOnly)`
			`if err != nil \|\| unwrapOnly {`
			`return ocispec.Descriptor{}, nil, err`
			`}`

			`newDesc := ocispec.Descriptor{`
			`Digest: d,`
			`Size: 0,`
			`Platform: desc.Platform,`
			`}`

			`switch desc.MediaType {`
			`case encocispec.MediaTypeLayerGzipEnc:`
			`newDesc.MediaType = images.MediaTypeDockerSchema2LayerGzip`
			`case encocispec.MediaTypeLayerEnc:`
			`newDesc.MediaType = images.MediaTypeDockerSchema2Layer`
			`default:`
			`return ocispec.Descriptor{}, nil, errors.Errorf("Decryption: unsupporter layer MediaType: %s\n", desc.MediaType)`
			`}`
			`return newDesc, resultReader, nil`
			`}`

			`// cryptLayer handles the changes due to encryption or decryption of a layer`
			`func cryptLayer(ctx context.Context, cs content.Store, desc ocispec.Descriptor, cc *encconfig.CryptoConfig, cryptoOp cryptoOp) (ocispec.Descriptor, error) {`
			`var (`
			`resultReader io.Reader`
			`newDesc ocispec.Descriptor`
			`encLayerFinalizer ocicrypt.EncryptLayerFinalizer`
			`)`

			`dataReader, err := cs.ReaderAt(ctx, desc)`
			`if err != nil {`
			`return ocispec.Descriptor{}, err`
			`}`
			`defer dataReader.Close()`

			`if cryptoOp == cryptoOpEncrypt {`
			`newDesc, resultReader, encLayerFinalizer, err = encryptLayer(cc, dataReader, desc)`
			`} else {`
			`newDesc, resultReader, err = decryptLayer(cc, dataReader, desc, cryptoOp == cryptoOpUnwrapOnly)`
			`}`
			`if err != nil \|\| cryptoOp == cryptoOpUnwrapOnly {`
			`return ocispec.Descriptor{}, err`
			`}`

			`newDesc.Annotations = ocicrypt.FilterOutAnnotations(desc.Annotations)`

			`// some operations, such as changing recipients, may not touch the layer at all`
			`if resultReader != nil {`
			`var ref string`
			`// If we have the digest, write blob with checks`
			`haveDigest := newDesc.Digest.String() != ""`
			`if haveDigest {`
			`ref = fmt.Sprintf("layer-%s", newDesc.Digest.String())`
			`} else {`
			`ref = fmt.Sprintf("blob-%d-%d", rand.Int(), rand.Int())`
			`}`

			`if haveDigest {`
			`if err := content.WriteBlob(ctx, cs, ref, resultReader, newDesc); err != nil {`
			`return ocispec.Descriptor{}, errors.Wrap(err, "failed to write config")`
			`}`
			`} else {`
			`newDesc.Digest, newDesc.Size, err = ingestReader(ctx, cs, ref, resultReader)`
			`if err != nil {`
			`return ocispec.Descriptor{}, err`
			`}`
			`}`
			`}`

			`// After performing encryption, call finalizer to get annotations`
			`if encLayerFinalizer != nil {`
			`annotations, err := encLayerFinalizer()`
			`if err != nil {`
			`return ocispec.Descriptor{}, errors.Wrap(err, "Error getting annotations from encLayer finalizer")`
			`}`
			`for k, v := range annotations {`
			`newDesc.Annotations[k] = v`
			`}`
			`}`
			`return newDesc, err`
			`}`

			`func ingestReader(ctx context.Context, cs content.Ingester, ref string, r io.Reader) (digest.Digest, int64, error) {`
			`cw, err := content.OpenWriter(ctx, cs, content.WithRef(ref))`
			`if err != nil {`
			`return "", 0, errors.Wrap(err, "failed to open writer")`
			`}`
			`defer cw.Close()`

			`if _, err := content.CopyReader(cw, r); err != nil {`
			`return "", 0, errors.Wrap(err, "copy failed")`
			`}`

			`st, err := cw.Status()`
			`if err != nil {`
			`return "", 0, errors.Wrap(err, "failed to get state")`
			`}`

			`if err := cw.Commit(ctx, st.Offset, ""); err != nil {`
			`if !errdefs.IsAlreadyExists(err) {`
			`return "", 0, errors.Wrapf(err, "failed commit on ref %q", ref)`
			`}`
			`}`

			`return cw.Digest(), st.Offset, nil`
			`}`

			`// Encrypt or decrypt all the Children of a given descriptor`
			`func cryptChildren(ctx context.Context, cs content.Store, desc ocispec.Descriptor, cc encconfig.CryptoConfig, lf LayerFilter, cryptoOp cryptoOp, thisPlatform ocispec.Platform) (ocispec.Descriptor, bool, error) {`
			`children, err := images.Children(ctx, cs, desc)`
			`if err != nil {`
			`if errdefs.IsNotFound(err) {`
			`return desc, false, nil`
			`}`
			`return ocispec.Descriptor{}, false, err`
			`}`

			`var newLayers []ocispec.Descriptor`
			`var config ocispec.Descriptor`
			`modified := false`

			`for _, child := range children {`
			`// we only encrypt child layers and have to update their parents if encryption happened`
			`switch child.MediaType {`
			`case images.MediaTypeDockerSchema2Config, ocispec.MediaTypeImageConfig:`
			`config = child`
			`case images.MediaTypeDockerSchema2LayerGzip, images.MediaTypeDockerSchema2Layer,`
			`ocispec.MediaTypeImageLayerGzip, ocispec.MediaTypeImageLayer:`
			`if cryptoOp == cryptoOpEncrypt && lf(child) {`
			`nl, err := cryptLayer(ctx, cs, child, cc, cryptoOp)`
			`if err != nil {`
			`return ocispec.Descriptor{}, false, err`
			`}`
			`modified = true`
			`newLayers = append(newLayers, nl)`
			`} else {`
			`newLayers = append(newLayers, child)`
			`}`
			`case encocispec.MediaTypeLayerGzipEnc, encocispec.MediaTypeLayerEnc:`
			`// this one can be decrypted but also its recipients list changed`
			`if lf(child) {`
			`nl, err := cryptLayer(ctx, cs, child, cc, cryptoOp)`
			`if err != nil \|\| cryptoOp == cryptoOpUnwrapOnly {`
			`return ocispec.Descriptor{}, false, err`
			`}`
			`modified = true`
			`newLayers = append(newLayers, nl)`
			`} else {`
			`newLayers = append(newLayers, child)`
			`}`
			`case images.MediaTypeDockerSchema2LayerForeign, images.MediaTypeDockerSchema2LayerForeignGzip:`
			`// never encrypt/decrypt`
			`newLayers = append(newLayers, child)`
			`default:`
			`return ocispec.Descriptor{}, false, errors.Errorf("bad/unhandled MediaType %s in encryptChildren\n", child.MediaType)`
			`}`
			`}`

			`if modified && len(newLayers) > 0 {`
			`newManifest := ocispec.Manifest{`
			`Versioned: specs.Versioned{`
			`SchemaVersion: 2,`
			`},`
			`Config: config,`
			`Layers: newLayers,`
			`}`

			`mb, err := json.MarshalIndent(newManifest, "", " ")`
			`if err != nil {`
			`return ocispec.Descriptor{}, false, errors.Wrap(err, "failed to marshal image")`
			`}`

			`newDesc := ocispec.Descriptor{`
			`MediaType: ocispec.MediaTypeImageManifest,`
			`Size: int64(len(mb)),`
			`Digest: digest.Canonical.FromBytes(mb),`
			`Platform: desc.Platform,`
			`}`

			`labels := map[string]string{}`
			`labels["containerd.io/gc.ref.content.0"] = newManifest.Config.Digest.String()`
			`for i, ch := range newManifest.Layers {`
			`labels[fmt.Sprintf("containerd.io/gc.ref.content.%d", i+1)] = ch.Digest.String()`
			`}`

			`ref := fmt.Sprintf("manifest-%s", newDesc.Digest.String())`

			`if err := content.WriteBlob(ctx, cs, ref, bytes.NewReader(mb), newDesc, content.WithLabels(labels)); err != nil {`
			`return ocispec.Descriptor{}, false, errors.Wrap(err, "failed to write config")`
			`}`
			`return newDesc, true, nil`
			`}`

			`return desc, modified, nil`
			`}`

			`// cryptManifest encrypts or decrypts the children of a top level manifest`
			`func cryptManifest(ctx context.Context, cs content.Store, desc ocispec.Descriptor, cc *encconfig.CryptoConfig, lf LayerFilter, cryptoOp cryptoOp) (ocispec.Descriptor, bool, error) {`
			`p, err := content.ReadBlob(ctx, cs, desc)`
			`if err != nil {`
			`return ocispec.Descriptor{}, false, err`
			`}`
			`var manifest ocispec.Manifest`
			`if err := json.Unmarshal(p, &manifest); err != nil {`
			`return ocispec.Descriptor{}, false, err`
			`}`
			`platform := platforms.DefaultSpec()`
			`newDesc, modified, err := cryptChildren(ctx, cs, desc, cc, lf, cryptoOp, &platform)`
			`if err != nil \|\| cryptoOp == cryptoOpUnwrapOnly {`
			`return ocispec.Descriptor{}, false, err`
			`}`
			`return newDesc, modified, nil`
			`}`

			`// cryptManifestList encrypts or decrypts the children of a top level manifest list`
			`func cryptManifestList(ctx context.Context, cs content.Store, desc ocispec.Descriptor, cc *encconfig.CryptoConfig, lf LayerFilter, cryptoOp cryptoOp) (ocispec.Descriptor, bool, error) {`
			`// read the index; if any layer is encrypted and any manifests change we will need to rewrite it`
			`b, err := content.ReadBlob(ctx, cs, desc)`
			`if err != nil {`
			`return ocispec.Descriptor{}, false, err`
			`}`

			`var index ocispec.Index`
			`if err := json.Unmarshal(b, &index); err != nil {`
			`return ocispec.Descriptor{}, false, err`
			`}`

			`var newManifests []ocispec.Descriptor`
			`modified := false`
			`for _, manifest := range index.Manifests {`
			`newManifest, m, err := cryptChildren(ctx, cs, manifest, cc, lf, cryptoOp, manifest.Platform)`
			`if err != nil \|\| cryptoOp == cryptoOpUnwrapOnly {`
			`return ocispec.Descriptor{}, false, err`
			`}`
			`if m {`
			`modified = true`
			`}`
			`newManifests = append(newManifests, newManifest)`
			`}`

			`if modified {`
			`// we need to update the index`
			`newIndex := ocispec.Index{`
			`Versioned: index.Versioned,`
			`Manifests: newManifests,`
			`}`

			`mb, err := json.MarshalIndent(newIndex, "", " ")`
			`if err != nil {`
			`return ocispec.Descriptor{}, false, errors.Wrap(err, "failed to marshal index")`
			`}`

			`newDesc := ocispec.Descriptor{`
			`MediaType: ocispec.MediaTypeImageIndex,`
			`Size: int64(len(mb)),`
			`Digest: digest.Canonical.FromBytes(mb),`
			`}`

			`labels := map[string]string{}`
			`for i, m := range newIndex.Manifests {`
			`labels[fmt.Sprintf("containerd.io/gc.ref.content.%d", i)] = m.Digest.String()`
			`}`

			`ref := fmt.Sprintf("index-%s", newDesc.Digest.String())`

			`if err = content.WriteBlob(ctx, cs, ref, bytes.NewReader(mb), newDesc, content.WithLabels(labels)); err != nil {`
			`return ocispec.Descriptor{}, false, errors.Wrap(err, "failed to write index")`
			`}`
			`return newDesc, true, nil`
			`}`

			`return desc, false, nil`
			`}`

			`// cryptImage is the dispatcher to encrypt/decrypt an image; it accepts either an OCI descriptor`
			`// representing a manifest list or a single manifest`
			`func cryptImage(ctx context.Context, cs content.Store, desc ocispec.Descriptor, cc *encconfig.CryptoConfig, lf LayerFilter, cryptoOp cryptoOp) (ocispec.Descriptor, bool, error) {`
			`if cc == nil {`
			`return ocispec.Descriptor{}, false, errors.Wrapf(errdefs.ErrInvalidArgument, "CryptoConfig must not be nil")`
			`}`
			`switch desc.MediaType {`
			`case ocispec.MediaTypeImageIndex, images.MediaTypeDockerSchema2ManifestList:`
			`return cryptManifestList(ctx, cs, desc, cc, lf, cryptoOp)`
			`case ocispec.MediaTypeImageManifest, images.MediaTypeDockerSchema2Manifest:`
			`return cryptManifest(ctx, cs, desc, cc, lf, cryptoOp)`
			`default:`
			`return ocispec.Descriptor{}, false, errors.Errorf("CryptImage: Unhandled media type: %s", desc.MediaType)`
			`}`
			`}`

			`// EncryptImage encrypts an image; it accepts either an OCI descriptor representing a manifest list or a single manifest`
			`func EncryptImage(ctx context.Context, cs content.Store, desc ocispec.Descriptor, cc *encconfig.CryptoConfig, lf LayerFilter) (ocispec.Descriptor, bool, error) {`
			`return cryptImage(ctx, cs, desc, cc, lf, cryptoOpEncrypt)`
			`}`

			`// DecryptImage decrypts an image; it accepts either an OCI descriptor representing a manifest list or a single manifest`
			`func DecryptImage(ctx context.Context, cs content.Store, desc ocispec.Descriptor, cc *encconfig.CryptoConfig, lf LayerFilter) (ocispec.Descriptor, bool, error) {`
			`return cryptImage(ctx, cs, desc, cc, lf, cryptoOpDecrypt)`
			`}`

			`// CheckAuthorization checks whether a user has the right keys to be allowed to access an image (every layer)`
			`// It takes decrypting of the layers only as far as decrypting the asymmetrically encrypted data`
			`// The decryption is only done for the current platform`
			`func CheckAuthorization(ctx context.Context, cs content.Store, desc ocispec.Descriptor, dc *encconfig.DecryptConfig) error {`
			`cc := encconfig.InitDecryption(dc.Parameters)`

			`lf := func(desc ocispec.Descriptor) bool {`
			`return true`
			`}`

			`_, _, err := cryptImage(ctx, cs, desc, &cc, lf, cryptoOpUnwrapOnly)`
			`if err != nil {`
			`return errors.Wrapf(err, "you are not authorized to use this image")`
			`}`
			`return nil`
			`}`