[crypto] Support decryption of images via CMS envelopes

Add support for decrypting images containing detached encrypted data using a cipher key obtained from a separate CMS envelope image (in DER or PEM format). Signed-off-by: Michael Brown <mcb30@ipxe.org>
2026-02-03 22:49:29 +03:00 · 2024-08-23 12:28:21 +01:00
parent 49404bfea9
commit 486b15b3c1
3 changed files with 529 additions and 17 deletions
--- a/src/include/ipxe/asn1.h
+++ b/src/include/ipxe/asn1.h
@@ -309,6 +309,19 @@ struct asn1_builder_header {
 	ASN1_OID_TRIPLE ( 113549 ), ASN1_OID_SINGLE ( 1 ),	\
 	ASN1_OID_SINGLE ( 7 ), ASN1_OID_SINGLE ( 2 )

+/** ASN.1 OID for id-envelopedData (1.2.840.113549.1.7.3) */
+#define ASN1_OID_ENVELOPEDDATA					\
+	ASN1_OID_INITIAL ( 1, 2 ), ASN1_OID_DOUBLE ( 840 ),	\
+	ASN1_OID_TRIPLE ( 113549 ), ASN1_OID_SINGLE ( 1 ),	\
+	ASN1_OID_SINGLE ( 7 ), ASN1_OID_SINGLE ( 3 )
+
+/** ASN.1 OID for id-authEnvelopedData (1.2.840.113549.1.9.16.1.23) */
+#define ASN1_OID_AUTHENVELOPEDDATA					\
+	ASN1_OID_INITIAL ( 1, 2 ), ASN1_OID_DOUBLE ( 840 ),	\
+	ASN1_OID_TRIPLE ( 113549 ), ASN1_OID_SINGLE ( 1 ),	\
+	ASN1_OID_SINGLE ( 9 ), ASN1_OID_SINGLE ( 16 ),		\
+	ASN1_OID_SINGLE ( 1 ), ASN1_OID_SINGLE ( 23 )
+
 /** ASN.1 OID for id-pe-authorityInfoAccess (1.3.6.1.5.5.7.1.1) */
 #define ASN1_OID_AUTHORITYINFOACCESS				\
 	ASN1_OID_INITIAL ( 1, 3 ), ASN1_OID_SINGLE ( 6 ),	\
--- a/src/include/ipxe/cms.h
+++ b/src/include/ipxe/cms.h
@@ -64,6 +64,13 @@ struct cms_message {
 	struct x509_chain *certificates;
 	/** List of participant information blocks */
 	struct list_head participants;
+
+	/** Cipher algorithm */
+	struct cipher_algorithm *cipher;
+	/** Cipher initialization vector */
+	struct asn1_cursor iv;
+	/** Cipher authentication tag */
+	struct asn1_cursor mac;
 };

 /**
@@ -101,9 +108,24 @@ cms_is_signature ( struct cms_message *cms ) {
 	return ( cms->certificates != NULL );
 }

+/**
+ * Check if CMS message is an encrypted message
+ *
+ * @v cms		CMS message
+ * @ret is_encrypted	Message is an encrypted message
+ */
+static inline __attribute__ (( always_inline )) int
+cms_is_encrypted ( struct cms_message *cms ) {
+
+	/* CMS encrypted messages have a cipher algorithm */
+	return ( cms->cipher != NULL );
+}
+
 extern int cms_message ( struct image *image, struct cms_message **cms );
 extern int cms_verify ( struct cms_message *cms, struct image *image,
 			const char *name, time_t time, struct x509_chain *store,
 			struct x509_root *root );
+extern int cms_decrypt ( struct cms_message *cms, struct image *image,
+			 const char *name, struct private_key *private_key );

 #endif /* _IPXE_CMS_H */