Merge branch 'main' into maven/access

cmds/ocm/commands/common/options/keyoption/option.go

@@ -47,7 +47,7 @@ func (o *Option) AddFlags(fs *pflag.FlagSet) {
 	fs.StringArrayVarP(&o.publicKeys, "public-key", "k", nil, "public key setting")
 	fs.StringArrayVarP(&o.privateKeys, "private-key", "K", nil, "private key setting")
 	fs.StringArrayVarP(&o.issuers, "issuer", "I", nil, "issuer name or distinguished name (DN) (optionally for dedicated signature) ([<name>:=]<dn>")
-	fs.StringArrayVarP(&o.rootCAs, "ca-cert", "", nil, "additional root certificate authorities")
+	fs.StringArrayVarP(&o.rootCAs, "ca-cert", "", nil, "additional root certificate authorities (for signing certificates)")
 }
 
 func (o *Option) Configure(ctx clictx.Context) error {

cmds/ocm/commands/misccmds/hash/sign/cmd.go

@@ -5,6 +5,7 @@
 package sign
 
 import (
+	"crypto/x509"
 	"crypto/x509/pkix"
 	"fmt"
 	"strings"
@@ -36,6 +37,7 @@ type Command struct {
 
 	pubFile  string
 	rootFile string
+	rootCAs  []string
 
 	stype string
 	priv  signutils.GenericPrivateKey
@@ -72,7 +74,9 @@ $ ocm sign hash key.priv SHA-256:810ff2fb242a5dee4220f2cb0e6a519891fb67f2f828a6c
 func (o *Command) AddFlags(set *pflag.FlagSet) {
 	set.StringVarP(&o.stype, "algorithm", "S", rsa.Algorithm, "signature algorithm")
 	set.StringVarP(&o.pubFile, "publicKey", "", "", "public key certificate file")
-	set.StringVarP(&o.rootFile, "rootCerts", "", "", "root certificates file")
+	set.StringVarP(&o.rootFile, "rootCerts", "", "", "root certificates file (deprecated)")
+	set.StringArrayVarP(&o.rootCAs, "ca-cert", "", nil, "additional root certificate authorities (for signing certificates)")
+
 }
 
 func (o *Command) Complete(args []string) error {
@@ -109,6 +113,28 @@ func (o *Command) Complete(args []string) error {
 		}
 	}
 
+	if len(o.rootCAs) > 0 {
+		var list []*x509.Certificate
+		for _, r := range o.rootCAs {
+			data, err := utils2.ReadFile(r, o.FileSystem())
+			if err != nil {
+				return errors.Wrapf(err, "root CA")
+			}
+			certs, err := signutils.GetCertificateChain(data, false)
+			if err != nil {
+				return errors.Wrapf(err, "root CA")
+			}
+			list = append(list, certs...)
+		}
+		if o.roots != nil {
+			for _, c := range list {
+				o.roots.(*x509.CertPool).AddCert(c)
+			}
+		} else {
+			o.roots = list
+		}
+	}
+
 	o.priv, err = utils2.ReadFile(args[0], o.FileSystem())
 	if err != nil {
 		return err

cmds/ocm/commands/ocmcmds/common/addhdlrs/rscs/elements.go

@@ -166,16 +166,5 @@ func (r *ResourceSpec) Validate(ctx clictx.Context, input *addhdlrs.ResourceInpu
 	if err := compdescv2.ValidateResource(fldPath, rsc, false); err != nil {
 		allErrs = append(allErrs, err...)
 	}
-
-	if input.Access != nil {
-		if r.Relation == metav1.LocalRelation {
-			allErrs = append(allErrs, field.Forbidden(fldPath.Child("relation"), "access requires external relation"))
-		}
-	}
-	if input.Input != nil {
-		if r.Relation != metav1.LocalRelation {
-			allErrs = append(allErrs, field.Forbidden(fldPath.Child("relation"), "input requires local relation"))
-		}
-	}
 	return allErrs.ToAggregate()
 }

docs/reference/ocm.md

@@ -10,7 +10,7 @@ ocm [<options>] <sub command> ...
 
 ```
   -X, --attribute stringArray     attribute setting
-      --ca-cert stringArray       additional root certificate authorities
+      --ca-cert stringArray       additional root certificate authorities (for signing certificates)
       --config stringArray        configuration file
       --config-set strings        apply configuration set
   -C, --cred stringArray          credential setting

docs/reference/ocm_add_componentversions.md

@@ -149,7 +149,7 @@ script with the <code>script</code> option family.
 
 
 <pre>
-$ ocm add componentversions &dash;&dash;file ctf &dash;&dash;version 1.0 component-constructor.yaml
+$ ocm add componentversions &dash;&dash;file ctf &dash;&dash;version 1.0 component&dash;constructor.yaml
 </pre>
 
 

docs/reference/ocm_sign_componentversions.md

@@ -16,7 +16,7 @@ componentversions, componentversion, cv, components, component, comps, comp, c
 
 ```
   -S, --algorithm string          signature handler (default "RSASSA-PKCS1-V1_5")
-      --ca-cert stringArray       additional root certificate authorities
+      --ca-cert stringArray       additional root certificate authorities (for signing certificates)
   -c, --constraints constraints   version constraint
   -H, --hash string               hash algorithm (default "SHA-256")
   -h, --help                      help for componentversions

docs/reference/ocm_sign_hash.md

@@ -9,10 +9,11 @@ ocm sign hash <private key file> <hash> [<issuer>]
 ### Options
 
 ```
-  -S, --algorithm string   signature algorithm (default "RSASSA-PKCS1-V1_5")
-  -h, --help               help for hash
-      --publicKey string   public key certificate file
-      --rootCerts string   root certificates file
+  -S, --algorithm string      signature algorithm (default "RSASSA-PKCS1-V1_5")
+      --ca-cert stringArray   additional root certificate authorities (for signing certificates)
+  -h, --help                  help for hash
+      --publicKey string      public key certificate file
+      --rootCerts string      root certificates file (deprecated)
 ```
 
 ### Description

docs/reference/ocm_verify_componentversions.md

@@ -15,7 +15,7 @@ componentversions, componentversion, cv, components, component, comps, comp, c
 ### Options
 
 ```
-      --ca-cert stringArray       additional root certificate authorities
+      --ca-cert stringArray       additional root certificate authorities (for signing certificates)
   -c, --constraints constraints   version constraint
   -h, --help                      help for componentversions
   -I, --issuer stringArray        issuer name or distinguished name (DN) (optionally for dedicated signature) ([<name>:=]<dn>