From patchwork Mon Dec 4 10:05:38 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Glembotzki X-Patchwork-Id: 1871480 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=googlegroups.com header.i=@googlegroups.com header.a=rsa-sha256 header.s=20230601 header.b=l5xz3AkF; dkim=pass (2048-bit key; unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256 header.s=20230601 header.b=A+YFtXUJ; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=googlegroups.com (client-ip=2a00:1450:4864:20::23d; helo=mail-lj1-x23d.google.com; envelope-from=swupdate+bncbdy5juxlviebbkojw2vqmgqe6xn5y3a@googlegroups.com; receiver=patchwork.ozlabs.org) Received: from mail-lj1-x23d.google.com (mail-lj1-x23d.google.com [IPv6:2a00:1450:4864:20::23d]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4SkK7z08G0z1yST for ; Mon, 4 Dec 2023 21:06:38 +1100 (AEDT) Received: by mail-lj1-x23d.google.com with SMTP id 38308e7fff4ca-2c9f975784fsf9602421fa.2 for ; Mon, 04 Dec 2023 02:06:38 -0800 (PST) ARC-Seal: i=2; a=rsa-sha256; t=1701684395; cv=pass; d=google.com; s=arc-20160816; b=yahhBpJh3TJxEmM1oN86foezPpnWqXQVH3+3dPa3O7ngstvJqhKeSXVwWqpipaDE8g ibois32jzCb+JdzjVaPvf4d1fm6Y3+qgvu9gqfiS+pE3o0ZXC2oAiuALND7NMVEAZ2m+ DiE9s3oaMbigIpC/lvGWvGMPpfrBB7f7e3NlW2TcqtfZv1zja+JBGsCo8smvxzWzFlm8 Jk3IOkq1wKSRREXwNtQjZNIzuywUxcuBnkeAh0qFRyp2l+CXXfud08CfvfIQiFSvLn3Z jKVt4qZKTwVLcoxIUDHjG/uhbdCcaKTSRZQ928n79kGtIKlUSJFnaz0WbQuZuGwk6IEF tjUg== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:sender:dkim-signature :dkim-signature; bh=AoWzXQ0Ga/uCUjwQYRlaYgVoJa9qnQKoRGrwsjCVKcc=; fh=zydHuzCQWrku2OPQyZfraJZFcOpEXLQ/YBcu3QNiBd0=; b=as0rIHXtLIC1Xw/NNIIGiO7Ef+A2H1W24N3aECaOJBe6+mWpWC8BdljYC7bjrdvRvF 5smqzTCrrfw/RSmoAZMgqNRUahOBXXhz0yK6B9Jyky208G8Av4jCluMCjcHopMckradH aPyqu5jwgAoL5BJN+LjXgewYg/cysf2xkVJb1BAg0Qt8DGdyUGtmIWisOlv3RndoWIcH kbyUIcRNvAJDeXcx0OiI32YmMcV2lWw60K4+SJoHJl/XHgnTsTJO5qSieUJY9jrZadMa QKvgGSEOfTN2MMVl/DoySUbYyS9uwJiJAmlXuPNZnUbvPN5aim4+EgIXw493P0l24/WQ 9q8Q== ARC-Authentication-Results: i=2; gmr-mx.google.com; dkim=pass header.i=@gmail.com header.s=20230601 header.b=Dr0MIpZE; spf=pass (google.com: domain of m.glembo@gmail.com designates 2a00:1450:4864:20::12d as permitted sender) smtp.mailfrom=m.glembo@gmail.com; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlegroups.com; s=20230601; t=1701684395; x=1702289195; darn=patchwork.ozlabs.org; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:x-original-authentication-results :x-original-sender:mime-version:references:in-reply-to:message-id :date:subject:cc:to:from:sender:from:to:cc:subject:date:message-id :reply-to; bh=AoWzXQ0Ga/uCUjwQYRlaYgVoJa9qnQKoRGrwsjCVKcc=; b=l5xz3AkFvK+rYxq9nz6kR8MpR7oUOLx/7xIrZl/o8biSE3EpeyooWAVE1QITgmY/ph 8H4OXGW9VMDNBz6x/9AjFqdiyU2JqWyzXo0jutfGilaJBw5F2E7ARgQfpoGQb01SoXma MamThXiR05U8PwGSeipqLgBAxZm/we1+UlZCw45wbVAQJRvHBP5gs6zXaLiCl4FSf1em gedSrkTQZWoaonXtcPoS6t3FW4WLGH1z6xB1+ZxpBh7a0X3gdZyB95THqnr35xmYyE9Z UaLREocKQtNCjGpNAPxEshAd9Xw8CY5rt+t3aebMu6KYtK06+PdQ91gPVcpjpl/cQOkX HH4Q== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1701684395; x=1702289195; darn=patchwork.ozlabs.org; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:x-original-authentication-results :x-original-sender:mime-version:references:in-reply-to:message-id :date:subject:cc:to:from:from:to:cc:subject:date:message-id:reply-to; bh=AoWzXQ0Ga/uCUjwQYRlaYgVoJa9qnQKoRGrwsjCVKcc=; b=A+YFtXUJ1iGtCcXIWIFR0PFbgGFs73mjqybjjOk+vas5TRCaKMaNoV7Hlu4AGP081C tlR7l6YhwmD54w1OrqcdpBfSe/I7nSe8wHC1Pqt7sSU6yCLgO+1Lk0I5IDeFSRBRANUK HWEMr8+5M50I+AA8dLlPMS/qj+t+BPQ301nWiwMHw3TnUqtVkkiAi8W7CqzH82pmf3hR Iln9hVoQSMHEr+YBMgt8fz+Z/Z1d2bTaja6K0BUS7ExXMEffuPzORepdWZv81s9pWKje goV2zI8SsQlSZGzYH9RTXDIUz8UeZbjR6Rt3DRk3WsS57WIN3SEK9ifwcSiC56Tzzcya vXfA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1701684395; x=1702289195; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :x-spam-checked-in-group:list-id:mailing-list:precedence :x-original-authentication-results:x-original-sender:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :x-beenthere:x-gm-message-state:sender:from:to:cc:subject:date :message-id:reply-to; bh=AoWzXQ0Ga/uCUjwQYRlaYgVoJa9qnQKoRGrwsjCVKcc=; b=Bzy5WgsxqrCLRRRg+QM6sK8x4FivbdGXpbobu1q/sNRnSclnlcJENWnyGkKpHvLNLj ijfoUsRETYJ6QAbve8otGYTd2wj9p8GHImGHKQSmmkVnhijx0GlCBNn3fpUncDiqiFLs Dh8PRtB/oB9eZbuVBvPKoUeSRoaLWtNKXcGwU4EmmdoXPT/vO4MzPtOpFd8/k2Gek/VP TThBDaJ4+85gc1vD2Tgo3XQPf4sotMAcQV8UFrXbEzrZ6BmekRF6AULrDdFKTkiXmPe+ kynO2ppoV3/KEHdyMh/ujvQOKILe8rVSF59WFbbj3gk0XF2oVTb/+kT8q0bWysh6HjtP 56Ow== Sender: swupdate@googlegroups.com X-Gm-Message-State: AOJu0YzZZMPcpGYIdNQ4ULF0jojIVAh3bFzDCv1kFPinmUZctImrCTOe 3unaMHzbVLzi6VbSU+dlPhE= X-Google-Smtp-Source: AGHT+IFDiTRu3WSeHmyycDgx+93zLlOsJh96fSZoTz+YGfIANGd4Mv7Ny+EFZy/7kpZScBdF3RmPKg== X-Received: by 2002:a05:651c:b27:b0:2c9:c6c3:444c with SMTP id b39-20020a05651c0b2700b002c9c6c3444cmr3341116ljr.16.1701684393636; Mon, 04 Dec 2023 02:06:33 -0800 (PST) X-BeenThere: swupdate@googlegroups.com Received: by 2002:a2e:bcc3:0:b0:2c9:c5dc:451a with SMTP id z3-20020a2ebcc3000000b002c9c5dc451als181567ljp.0.-pod-prod-07-eu; Mon, 04 Dec 2023 02:06:31 -0800 (PST) X-Received: by 2002:a05:6512:743:b0:50b:f0b2:70d8 with SMTP id c3-20020a056512074300b0050bf0b270d8mr791365lfs.101.1701684391284; Mon, 04 Dec 2023 02:06:31 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1701684391; cv=none; d=google.com; s=arc-20160816; b=MGq7o+/ptKOvXTGqGETRxOrS9/DLrTaEMhEGzw+Eh70AEt+oAhIU9LzfgLOp71oFK6 MiUIdPRN8B7FDlMjyER2ukqADUwnLy7U1Xa0UMXm+JIULMPfe/o8DvQ4cxYQKXRyYCVd kVpvvq05ITSEqZWNL3/2sCAbhRX6I1utZmUzB+doFa2uXkvQ1zCuKPUMNWUuSCSc6IVp 1CqCBmwzM/R6NyP2XetlhqUMVUublUzi4sVHQkeXS63+PCHc9bsyVxNIwilx2PnycQDj GtNzxFRSxn7xt/achtVuTt5s2IgpAc6ZO1Ty4gWWDI4NM3JhbBVz3uozYjsdnvbQlbgJ s9eQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:dkim-signature; bh=hL8cK+tr1S2RJO257uxfSfvnLFrtloFkPLcC1QEnT4Y=; fh=zydHuzCQWrku2OPQyZfraJZFcOpEXLQ/YBcu3QNiBd0=; b=emj3PG+htPC/q20jmE9iaJqyK/RAXvmDuvU7K+GzjsncwiG/xIelxfgm1dbvs3kGhb CCvawV6zcCCNEdXNYyljJGGP9NR6OeRfp7W+hUsl5ihT0O7PfnFdiv+t5kaBIpn+1o/b qhW93CgLrd6oSAP+SFeFKDI4bQ3NfInzJ0L1sW+30THJZ4b5QaUd9VyTzex9g51jOsmi cWV+EMMQYueVveJo8HF1Ih6p8c5KnaKLDBD/FNj7TZ+7PkpToOIos9tS7hWhKjw9BAAF TKRiGwtlFpv51usdv/iuzk/MkyILCTpmdZeQBlRY08bVOTYZ3+vgXlm2oGDNF118Hby6 eeQw== ARC-Authentication-Results: i=1; gmr-mx.google.com; dkim=pass header.i=@gmail.com header.s=20230601 header.b=Dr0MIpZE; spf=pass (google.com: domain of m.glembo@gmail.com designates 2a00:1450:4864:20::12d as permitted sender) smtp.mailfrom=m.glembo@gmail.com; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: from mail-lf1-x12d.google.com (mail-lf1-x12d.google.com. [2a00:1450:4864:20::12d]) by gmr-mx.google.com with ESMTPS id o12-20020ac24bcc000000b0050be62d2e04si261727lfq.7.2023.12.04.02.06.31 for (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 04 Dec 2023 02:06:31 -0800 (PST) Received-SPF: pass (google.com: domain of m.glembo@gmail.com designates 2a00:1450:4864:20::12d as permitted sender) client-ip=2a00:1450:4864:20::12d; Received: by mail-lf1-x12d.google.com with SMTP id 2adb3069b0e04-50be3611794so2367519e87.0 for ; Mon, 04 Dec 2023 02:06:31 -0800 (PST) X-Received: by 2002:a2e:9b8e:0:b0:2ca:ad:8811 with SMTP id z14-20020a2e9b8e000000b002ca00ad8811mr684932lji.57.1701684390319; Mon, 04 Dec 2023 02:06:30 -0800 (PST) Received: from PC-2635.irisgmbh.local (dslb-002-203-161-041.002.203.pools.vodafone-ip.de. [2.203.161.41]) by smtp.gmail.com with ESMTPSA id js22-20020a17090797d600b00a1b32663d7csm2032919ejc.102.2023.12.04.02.06.29 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 04 Dec 2023 02:06:29 -0800 (PST) From: Michael Glembotzki To: swupdate@googlegroups.com Cc: Michael Glembotzki Subject: [swupdate] [V2][PATCH 06/10] Add support for asymmetric file decryption with CMS Date: Mon, 4 Dec 2023 11:05:38 +0100 Message-ID: <20231204100620.27789-7-Michael.Glembotzki@iris-sensing.com> X-Mailer: git-send-email 2.42.0 In-Reply-To: <20231204100620.27789-1-Michael.Glembotzki@iris-sensing.com> References: <20231204100620.27789-1-Michael.Glembotzki@iris-sensing.com> MIME-Version: 1.0 X-Original-Sender: m.glembo@gmail.com X-Original-Authentication-Results: gmr-mx.google.com; dkim=pass header.i=@gmail.com header.s=20230601 header.b=Dr0MIpZE; spf=pass (google.com: domain of m.glembo@gmail.com designates 2a00:1450:4864:20::12d as permitted sender) smtp.mailfrom=m.glembo@gmail.com; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Precedence: list Mailing-list: list swupdate@googlegroups.com; contact swupdate+owners@googlegroups.com List-ID: X-Spam-Checked-In-Group: swupdate@googlegroups.com X-Google-Group-Id: 605343134186 List-Post: , List-Help: , List-Archive: , List-Unsubscribe: , Signed-off-by: Michael Glembotzki --- corelib/Makefile | 3 + corelib/swupdate_cms_decrypt.c | 112 +++++++++++++++++++++++++++++++++ include/sslapi.h | 5 ++ 3 files changed, 120 insertions(+) create mode 100644 corelib/swupdate_cms_decrypt.c diff --git a/corelib/Makefile b/corelib/Makefile index c9ca4aa..06690d8 100644 --- a/corelib/Makefile +++ b/corelib/Makefile @@ -18,6 +18,9 @@ endif lib-$(CONFIG_SIGALG_RAWRSA) += swupdate_rsa_verify.o lib-$(CONFIG_SIGALG_RSAPSS) += swupdate_rsa_verify.o endif +ifeq ($(CONFIG_ASYM_ENCRYPTED_SW_DESCRIPTION),y) +lib-$(CONFIG_ENCRYPTED_IMAGES) += swupdate_cms_decrypt.o +endif ifeq ($(CONFIG_SSL_IMPL_OPENSSL),y) lib-$(CONFIG_SIGALG_CMS) += swupdate_cms_verify.o endif diff --git a/corelib/swupdate_cms_decrypt.c b/corelib/swupdate_cms_decrypt.c new file mode 100644 index 0000000..5af2508 --- /dev/null +++ b/corelib/swupdate_cms_decrypt.c @@ -0,0 +1,112 @@ +/* + * (C) Copyright 2023 + * Michael Glembotzki, iris-GmbH infrared & intelligent sensors, michael.glembotzki@iris-sensing.com. + * + * SPDX-License-Identifier: GPL-2.0-only + * + * Code mostly taken from openssl examples + */ +#include +#include "swupdate.h" +#include "sslapi.h" +#include "util.h" + +int swupdate_dgst_add_recipient_keypair(struct swupdate_cfg *sw, const char *keypair_file) { + X509 *rcert = NULL; + EVP_PKEY *rkey = NULL; + struct swupdate_digest *dgst = sw->dgst; + int ret = 0; + + if (!dgst) { + dgst = calloc(1, sizeof(*dgst)); + if (!dgst) { + ret = 1; + goto err; + } + } + + BIO *tbio = BIO_new_file(keypair_file, "r"); + if (!tbio) { + ERROR("%s cannot be opened", keypair_file); + ret = 1; + goto err; + } + + rcert = PEM_read_bio_X509(tbio, NULL, 0, NULL); + if (!rcert) { + WARN("Recipient cert not found"); + } + BIO_reset(tbio); + + rkey = PEM_read_bio_PrivateKey(tbio, NULL, 0, NULL); + BIO_free(tbio); + if (!rkey) { + ERROR("Recipient private key not found"); + ret = 1; + goto err; + } + + dgst->rcert = rcert; + dgst->rkey = rkey; + + return ret; + +err: + if (dgst) { + free(dgst); + } + return ret; +} + +int swupdate_decrypt_file(struct swupdate_digest *dgst, const char *infile, const char *outfile) { + BIO *in = NULL, *out = NULL; + CMS_ContentInfo *cms = NULL; + int ret = 0; + + if (!dgst || !infile || !outfile) { + return 1; + } + + /* Open CMS message to decrypt */ + in = BIO_new_file(infile, "rb"); + if (!in) { + ERROR("%s cannot be opened", infile); + ret = 1; + goto err; + } + + /* Parse message */ + cms = d2i_CMS_bio(in, NULL); + if (!cms) { + ERROR("%s cannot be parsed as DER-encoded CMS blob", infile); + ret = 1; + goto err; + } + + out = BIO_new_file(outfile, "wb"); + if (!out) { + ERROR("%s cannot be opened", outfile); + ret = 1; + goto err; + } + + if (chmod(outfile, S_IRUSR | S_IWUSR)) { + ERROR("Setting file permissions"); + ret = 1; + goto err; + } + + /* Decrypt CMS message */ + if (!CMS_decrypt(cms, dgst->rkey, dgst->rcert, NULL, out, 0)) { + ERR_print_errors_fp(stderr); + ERROR("Decrypting %s failed", infile); + ret = 1; + goto err; + } + +err: + BIO_free(in); + BIO_free(out); + CMS_ContentInfo_free(cms); + return ret; +} diff --git a/include/sslapi.h b/include/sslapi.h index de86695..0330b31 100644 --- a/include/sslapi.h +++ b/include/sslapi.h @@ -221,6 +221,11 @@ UNUSED static inline struct swupdate_digest *swupdate_DECRYPT_init( #define swupdate_DECRYPT_cleanup(p) #endif +#ifdef CONFIG_ASYM_ENCRYPTED_SW_DESCRIPTION +int swupdate_dgst_add_recipient_keypair(struct swupdate_cfg *sw, const char *keypair_file); +int swupdate_decrypt_file(struct swupdate_digest *dgst, const char *infile, const char *outfile); +#endif + #ifndef SSL_PURPOSE_DEFAULT #define SSL_PURPOSE_EMAIL_PROT -1 #define SSL_PURPOSE_CODE_SIGN -1