12 changes: 10 additions & 2 deletions encryption.go
Expand Up @@ -42,6 +42,8 @@ import (
// the encrypted layer
type EncryptLayerFinalizer func() (map[string]string, error)

const keyProviderSchemePrefix = "provider."

func init() {
keyWrappers = make(map[string]keywrap.KeyWrapper)
keyWrapperAnnotations = make(map[string]string)
Expand All @@ -54,7 +56,7 @@ func init() {
log.Error(err)
} else if ic != nil {
for provider, attrs := range ic.KeyProviderConfig {
RegisterKeyWrapper("provider."+provider, keyprovider.NewKeyWrapper(provider, attrs))
RegisterKeyWrapper(keyProviderSchemePrefix+provider, keyprovider.NewKeyWrapper(provider, attrs))
}
}
}
Expand Down Expand Up @@ -213,6 +215,7 @@ func DecryptLayer(dc *config.DecryptConfig, encLayerReader io.Reader, desc ocisp

func decryptLayerKeyOptsData(dc *config.DecryptConfig, desc ocispec.Descriptor) ([]byte, error) {
privKeyGiven := false
keyproviderTried := false
errs := ""
if len(keyWrapperAnnotations) == 0 {
return nil, errors.New("missing Annotations needed for decryption")
Expand All @@ -226,6 +229,11 @@ func decryptLayerKeyOptsData(dc *config.DecryptConfig, desc ocispec.Descriptor)
continue
}

isKeyprovider := strings.HasPrefix(scheme, keyProviderSchemePrefix)
if isKeyprovider {
keyproviderTried = true
What was actually 'tried'?

Is this supposed to be a fix to existing code? If so, you should send a commit description stating what was fixed. I am not sure from your patch descriptions how this relates to WASM, though.

}

if len(keywrapper.GetPrivateKeys(dc.Parameters)) > 0 {
privKeyGiven = true
}
Expand All @@ -242,7 +250,7 @@ func decryptLayerKeyOptsData(dc *config.DecryptConfig, desc ocispec.Descriptor)
return optsData, nil
}
}
if !privKeyGiven {
if !privKeyGiven && !keyproviderTried {
return nil, fmt.Errorf("missing private key needed for decryption:\n%s", errs)
}
return nil, fmt.Errorf("no suitable key unwrapper found or none of the private keys could be used for decryption:\n%s", errs)
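Review bot: `keyProviderSchemePrefix` in the first hunk is undocumented although it is now the contract shared by the registration in `init` and the scheme check in `decryptLayerKeyOptsData`; a doc comment such as `// keyProviderSchemePrefix is prepended to each configured key provider's name when its KeyWrapper is registered in init; annotation schemes carrying it are served by that key provider.` would make the coupling visible. In the fourth hunk `isKeyprovider` is read exactly once, so the check reads more directly as `if strings.HasPrefix(scheme, keyProviderSchemePrefix) {`. The final branch `if !privKeyGiven && !keyproviderTried` changes which error a caller receives and deserves a why-comment, e.g. `// When a key-provider scheme was present, a missing local private key is not the reason for failure.`, since that intent is otherwise only recoverable from the commit. Both the loop and the enclosing function continue outside the hunks.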
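--- a/encryption_test.go
+++ b/encryption_test.go
@@ -141,3 +141,55 @@ func TestEncryptLayer(t *testing.T) {
 t.Fatalf("Expected %v, got %v", data, decLayer)
 }
 }
+
+func TestWasmMediaTypeEncryption(t *testing.T) {
+data := []byte("This is WASM module data!")
+desc := ocispec.Descriptor{
+Digest: digest.FromBytes(data),
+Size: int64(len(data)),
+MediaType: "application/vnd.wasm.content.layer.v1+wasm",
+}
+
+dataReader := bytes.NewReader(data)
+
+encLayerReader, encLayerFinalizer, err := EncryptLayer(ec, dataReader, desc)
+if err != nil {
+t.Fatal(err)
+}
+
+encLayer := make([]byte, 1024)
+encsize, err := encLayerReader.Read(encLayer)
+if err != io.EOF {
+t.Fatal("Expected EOF")
+}
+encLayerReaderAt := bytes.NewReader(encLayer[:encsize])
+
+annotations, err := encLayerFinalizer()
+if err != nil {
+t.Fatal(err)
+}
+
+if len(annotations) == 0 {
+t.Fatal("No keys created for annotations")
+}
+
+newDesc := ocispec.Descriptor{
+Annotations: annotations,
+MediaType: "application/vnd.wasm.content.layer.v1+wasm+encrypted",
+}
+
+decLayerReader, _, err := DecryptLayer(dc, encLayerReaderAt, newDesc, false)
+if err != nil {
+t.Fatal(err)
+}
+
+decLayer := make([]byte, 1024)
+decsize, err := decLayerReader.Read(decLayer)
+if err != nil && err != io.EOF {
+t.Fatal(err)
+}
+
+if !reflect.DeepEqual(decLayer[:decsize], data) {
+t.Fatalf("Expected %v, got %v", data, decLayer)
+}
+}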
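Review bot: The single `encLayerReader.Read(encLayer)` near the top of the test requires the reader to hand back all data together with `io.EOF` in one call, which the `io.Reader` contract does not guarantee, so a reader that returns `n > 0, nil` and EOF on the next call fails with "Expected EOF"; `encLayer, err := io.ReadAll(encLayerReader)` followed by `if err != nil { t.Fatal(err) }` and `encLayerReaderAt := bytes.NewReader(encLayer)` removes that assumption, and the same applies to the `decLayerReader.Read` at the end, which would also silently truncate anything beyond 1024 bytes. The two media type strings are duplicated literals while this same PR adds `MediaTypeWasmLayer` and `MediaTypeWasmEnc` in spec/spec.go; referencing those constants (importing the spec package if the test package does not already) keeps the test from drifting if the strings change. The final `t.Fatalf` prints the whole 1024-byte `decLayer` rather than the `decLayer[:decsize]` that was compared, which makes the failure output hard to read.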
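--- a/spec/spec.go
+++ b/spec/spec.go
@@ -17,4 +17,8 @@ const (
 //
 // Deprecated: Use [MediaTypeLayerNonDistributableZstdEnc].
 MediaTypeLayerNonDistributableZsdtEnc = MediaTypeLayerNonDistributableZstdEnc
+// MediaTypeWasmLayer is MIME type used for WASM layers.
+MediaTypeWasmLayer = "application/vnd.wasm.content.layer.v1+wasm"
+// MediaTypeWasmEnc is MIME type used for encrypted WASM layers.
+MediaTypeWasmEnc = MediaTypeWasmLayer + "+encrypted"
 )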
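Review bot: The two new doc comments read "is MIME type used for …" and are missing the article; `// MediaTypeWasmLayer is the MIME type used for WASM layers.` and `// MediaTypeWasmEnc is the MIME type used for encrypted WASM layers.` read as proper sentences. The names also depart from the `MediaTypeLayer…Enc` shape of the neighbouring `MediaTypeLayerNonDistributableZstdEnc`; if the rest of the block (outside this hunk) follows that pattern, `MediaTypeLayerWasm` and `MediaTypeLayerWasmEnc` would be consistent, and since these are exported constants the choice is worth settling before merge rather than renaming later.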