From patchwork Fri Dec 15 14:19:43 2023
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Michael Glembotzki <m.glembo@gmail.com>
X-Patchwork-Id: 1876654
Return-Path: <swupdate+bncBDY5JUXLVIEBBTOC6GVQMGQEJ7VYZUA@googlegroups.com>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@legolas.ozlabs.org
Authentication-Results: legolas.ozlabs.org;
	dkim=pass (2048-bit key;
 unprotected) header.d=googlegroups.com header.i=@googlegroups.com
 header.a=rsa-sha256 header.s=20230601 header.b=Xxi2Hc62;
	dkim=pass (2048-bit key;
 unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256
 header.s=20230601 header.b=PffFtqoj;
	dkim-atps=neutral
Authentication-Results: legolas.ozlabs.org;
 spf=pass (sender SPF authorized) smtp.mailfrom=googlegroups.com
 (client-ip=2a00:1450:4864:20::43a; helo=mail-wr1-x43a.google.com;
 envelope-from=swupdate+bncbdy5juxlviebbtoc6gvqmgqej7vyzua@googlegroups.com;
 receiver=patchwork.ozlabs.org)
Received: from mail-wr1-x43a.google.com (mail-wr1-x43a.google.com
 [IPv6:2a00:1450:4864:20::43a])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384)
	(No client certificate requested)
	by legolas.ozlabs.org (Postfix) with ESMTPS id 4SsBJy1JHPz23nt
	for <incoming@patchwork.ozlabs.org>; Sat, 16 Dec 2023 01:23:13 +1100 (AEDT)
Received: by mail-wr1-x43a.google.com with SMTP id
 ffacd0b85a97d-3334286b720sf601043f8f.1
        for <incoming@patchwork.ozlabs.org>;
 Fri, 15 Dec 2023 06:23:13 -0800 (PST)
ARC-Seal: i=2; a=rsa-sha256; t=1702650190; cv=pass;
        d=google.com; s=arc-20160816;
        b=xb35QnTQI/ev+z8FYnla0TG+kTQXrc6PBL9iTRz9Kau3cbjHabD7EgekC/Aip5imSK
         hLlxd5XjFnQta8fgpQoUuBuM5WkaWfObd2031R9vXgmZdM6YfRqguah5KNVpoaMgxBpR
         IYJ5JVsr+rK5as40PIOPDRVUaDjA4czjCICq9fHnlK6dCfKZhb7vtqBP5ja0dGUT75fw
         6VfwJ+92uV6CWieq3YpD6pZ1+bLOso9c0yz3ykeSaOdqw7b63TmhgomASnkZFcJHrdaa
         Ru60oWA8QtJxpNo1BSCNwPC4kuYx/SqkoG+Ek0Sh7sFddr87EzLZ/nToTXZ+AqrKheUx
         C8lw==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
 s=arc-20160816;
        h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post
         :list-id:mailing-list:precedence:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:sender:dkim-signature
         :dkim-signature;
        bh=S9MNcdJSwlX6Fdg5+3EIlHnh1JmRl21CxqbVrVEWdqQ=;
        fh=zydHuzCQWrku2OPQyZfraJZFcOpEXLQ/YBcu3QNiBd0=;
        b=KuFWFd3TX5NqHHxBncAX272Rqm/9T4DqPiilp6yTsqfnrDBaKC0C9lI8MFjNKm0j9L
         uuTcizlPUoyeWKy8cqJW0UsJ+OPjIpQB+PcoXwvQJSDCzBgDi05yUNoBdfTj4jTE17P0
         WOCG40NTD1rb4G/ttqmbbtA+9jGTs3nCM1tBr4jZfognfiCmNOYyQqSLj3SMheecnoBF
         V/tnQqvY61tcq77w0WIo8b6LnmRE90HHigbwgoDctOck6n06bsq3L7BCQycG25AEL53V
         eF8JjPFrMpuBrLi2WODhmIuJaPBHwKdOQgCTJzhPuZJ8mv5tlWP1ex9m0v+DfbnXIWyQ
         1ijg==
ARC-Authentication-Results: i=2; gmr-mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20230601 header.b=TtdkQ2yD;
       spf=pass (google.com: domain of m.glembo@gmail.com designates
 2a00:1450:4864:20::136 as permitted sender) smtp.mailfrom=m.glembo@gmail.com;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=googlegroups.com; s=20230601; t=1702650190; x=1703254990;
 darn=patchwork.ozlabs.org;
        h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post
         :list-id:mailing-list:precedence:x-original-authentication-results
         :x-original-sender:mime-version:references:in-reply-to:message-id
         :date:subject:cc:to:from:sender:from:to:cc:subject:date:message-id
         :reply-to;
        bh=S9MNcdJSwlX6Fdg5+3EIlHnh1JmRl21CxqbVrVEWdqQ=;
        b=Xxi2Hc629Be0H1kPOfjNbtgcfLODc22k8+dxHdKnnObS0+q2Hx0e+bx9Y8C3jitF/6
         SQrSW5VBOn5hDpV5Pnl9B0b5r/77mkkDXaLpJwyJEAL0SrYsuM+iKwcLJ7lxEQRR6bI8
         91fBJkf7Ve8Nv36tJBiNonxMV3kZOWn6vMMYKACTQMrv+u+7x1zmQ0SJvs1s/lSZMYO6
         avlE4eYwxyAYv2KohOIwQqSqT8KipF89HYYNE6QZnYxnmJf1H5fdMM/NwwcFu4n7CGDW
         QdMqw1SkFHEFE9l0XW9hHSpxUOBB3TT1+erN1n/v/VTIJb3JaUEl6NqCAdiO8EdOY9Na
         pwlQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20230601; t=1702650190; x=1703254990;
 darn=patchwork.ozlabs.org;
        h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post
         :list-id:mailing-list:precedence:x-original-authentication-results
         :x-original-sender:mime-version:references:in-reply-to:message-id
         :date:subject:cc:to:from:from:to:cc:subject:date:message-id:reply-to;
        bh=S9MNcdJSwlX6Fdg5+3EIlHnh1JmRl21CxqbVrVEWdqQ=;
        b=PffFtqojjwmcNjsRCMAGIsKPPiW9qdT3kzXDddxRv1vnsw+NXfH9zTyO1MYdeyqWYI
         k5xdMfL2ysFkXmORnInTswVgizOHl50aw55aaqmO1CmUK783Q1zPyqrMAULp0NWH6CTn
         rO5Z+HaO6y2vQLQIliOjJINVW62ZlVkmoPJpXcg0rhzGw8fO2yTnK3ZWmbCKEX+hozWp
         s42lawVQtne1OlPbJqLSjtQ+C2DZz+LS9lYed55OyVWyPjbZVqylQJxqLOrWkit6W4Mm
         LY4csrPoo7Y5Y6ppjz3xBn9AjP5k+n/+/LnXpk3Ctayoxsfopn/c+h6ZyVFrqymrJp59
         B3hQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1702650190; x=1703254990;
        h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post
         :x-spam-checked-in-group:list-id:mailing-list:precedence
         :x-original-authentication-results:x-original-sender:mime-version
         :references:in-reply-to:message-id:date:subject:cc:to:from
         :x-beenthere:x-gm-message-state:sender:from:to:cc:subject:date
         :message-id:reply-to;
        bh=S9MNcdJSwlX6Fdg5+3EIlHnh1JmRl21CxqbVrVEWdqQ=;
        b=ii+qrsxdoeerDjNDJM6iKopggzvz6yqPABbBU1Ic2xJkGrJLywFnG1uR+Tb0/0lJP2
         a1f+gU9vsDkkwiIl5spIZnocS2+2mUraZLgZGWHzZjYTZ7i0cSF14HUzDJ+fdE8l+bMz
         KtY5AVR4/SSntURDRlcSRzGN7SjIgHekLKilCyAei0Sjgb7c+s+MKUy9Y1id+l2cUcCG
         jMbO+PonvdHpb/VhLx9NLIlbdkgFoECTtE0qKlGKG+vlxaHt9qhRjir6nF9AdAoE9uN2
         LGmbD6pCSq88cIPApcmgLLw/8wTc6YbbA7mFWusspGTv9d2Rb9a87POabnufkBShVFGR
         IULw==
Sender: swupdate@googlegroups.com
X-Gm-Message-State: AOJu0Yw4LiuF8sqwANh+XWXVATaGbwbsaMi9CTJPemZ/91V2NEaHD71i
	YHeyTCUqtdJwWnVvkxrhCE4=
X-Google-Smtp-Source: 
 AGHT+IFkYwCYdmYQ2H+sHxmjhmEbIaDNLlan1EqvLQIU5aJstqHQ/CxSuDgSIFE+aTwLSiypj3Kr4A==
X-Received: by 2002:a05:600c:4d8f:b0:40c:2c3f:580c with SMTP id
 v15-20020a05600c4d8f00b0040c2c3f580cmr2793432wmp.73.1702650190342;
        Fri, 15 Dec 2023 06:23:10 -0800 (PST)
X-BeenThere: swupdate@googlegroups.com
Received: by 2002:a05:600c:3c95:b0:40c:26cc:3705 with SMTP id
 bg21-20020a05600c3c9500b0040c26cc3705ls208872wmb.2.-pod-prod-08-eu; Fri, 15
 Dec 2023 06:23:08 -0800 (PST)
X-Received: by 2002:a05:600c:a3af:b0:40c:251a:1017 with SMTP id
 hn47-20020a05600ca3af00b0040c251a1017mr2963169wmb.321.1702650188324;
        Fri, 15 Dec 2023 06:23:08 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1702650188; cv=none;
        d=google.com; s=arc-20160816;
        b=W1p69dfIuJR2wjTYkmlwWRCld9hqpLrLuZKCqvAzfb0tYCjUMS7VPa8cDvKLZnswy/
         P6uQeslosg8bdzCF/Zzy47oKFkSDYUuTJNDic11uS95MV6ENDqf2/LTHefjNeC9alXzp
         /8Ge562l4lhA4FgjXPXHiJH0Hbrnfc5pMXghgYAZD8iybmGpfjB9wpZLa4fn/vtP9Wdf
         lMywbu5/g39f4XYG/ZRsuvmIkNsfvHqw7tVotQ97Fz77Vrr8wsYfeyODVaMot2jasibq
         EgVJJ4MZBBzXHLPVJ7dEU+Z28D8BluhmhFo6FtdZksDIPPjTng+QcVQS0zkFlTyQIXJd
         Al1A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
 s=arc-20160816;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:dkim-signature;
        bh=HAIv7a6PfqFC8gWSC1HF6jCv5Maq4YRu42YY0ypxqGU=;
        fh=zydHuzCQWrku2OPQyZfraJZFcOpEXLQ/YBcu3QNiBd0=;
        b=oeyqHg+HZ8fZAcxJQaJ5qP+npR3SDOTH2tFZSpPlqbI4G/bVWE6WV8OjKlMzjK6S5X
         wySijj37I53H18yDOUxoxKx/1+DRw6BFhpvYRe52sviCe7zUJJXFl1M0duFNAlCnBBdH
         omsdei4+ltTXn8WB0Equ7x/DevjEmmaUIFJT+RoVN4v+vExrHCDnj9e/0H760aGjzOiP
         7aAgz64mxfCWFQeSsXLzdyi8P6PP96YdKTn+5Q+b9pXr2walXfBPzU8AEY3vWCy+SP6Q
         YJj9KM3Sv7jp0CGmoNmnpYH5Vcm/pW5493V1zAA7Fidsz/jwOhuGeGcjsPtGpQJp7OxN
         bvhA==
ARC-Authentication-Results: i=1; gmr-mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20230601 header.b=TtdkQ2yD;
       spf=pass (google.com: domain of m.glembo@gmail.com designates
 2a00:1450:4864:20::136 as permitted sender) smtp.mailfrom=m.glembo@gmail.com;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: from mail-lf1-x136.google.com (mail-lf1-x136.google.com.
 [2a00:1450:4864:20::136])
        by gmr-mx.google.com with ESMTPS id
 fl6-20020a05600c0b8600b0040b47a6405bsi919602wmb.1.2023.12.15.06.23.08
        for <swupdate@googlegroups.com>
        (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
        Fri, 15 Dec 2023 06:23:08 -0800 (PST)
Received-SPF: pass (google.com: domain of m.glembo@gmail.com designates
 2a00:1450:4864:20::136 as permitted sender) client-ip=2a00:1450:4864:20::136;
Received: by mail-lf1-x136.google.com with SMTP id
 2adb3069b0e04-50bf3efe2cbso769459e87.2
        for <swupdate@googlegroups.com>; Fri, 15 Dec 2023 06:23:08 -0800 (PST)
X-Received: by 2002:ac2:47e8:0:b0:50e:20f6:4ec1 with SMTP id
 b8-20020ac247e8000000b0050e20f64ec1mr89752lfp.146.1702650187102;
        Fri, 15 Dec 2023 06:23:07 -0800 (PST)
Received: from PC-2635.irisgmbh.local
 (dslb-002-203-161-041.002.203.pools.vodafone-ip.de. [2.203.161.41])
        by smtp.gmail.com with ESMTPSA id
 vx6-20020a170907a78600b00a1e852ab3f0sm10944029ejc.15.2023.12.15.06.23.06
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Fri, 15 Dec 2023 06:23:06 -0800 (PST)
From: Michael Glembotzki <m.glembo@gmail.com>
To: swupdate@googlegroups.com
Cc: Michael Glembotzki <Michael.Glembotzki@iris-sensing.com>
Subject: [swupdate] [V3][PATCH 06/10] Add support for asymmetric file
 decryption with CMS
Date: Fri, 15 Dec 2023 15:19:43 +0100
Message-ID: <20231215142251.52393-7-Michael.Glembotzki@iris-sensing.com>
X-Mailer: git-send-email 2.42.0
In-Reply-To: <20231215142251.52393-1-Michael.Glembotzki@iris-sensing.com>
References: <20231215142251.52393-1-Michael.Glembotzki@iris-sensing.com>
MIME-Version: 1.0
X-Original-Sender: m.glembo@gmail.com
X-Original-Authentication-Results: gmr-mx.google.com;       dkim=pass
 header.i=@gmail.com header.s=20230601 header.b=TtdkQ2yD;       spf=pass
 (google.com: domain of m.glembo@gmail.com designates 2a00:1450:4864:20::136
 as permitted sender) smtp.mailfrom=m.glembo@gmail.com;       dmarc=pass
 (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Precedence: list
Mailing-list: list swupdate@googlegroups.com;
 contact swupdate+owners@googlegroups.com
List-ID: <swupdate.googlegroups.com>
X-Spam-Checked-In-Group: swupdate@googlegroups.com
X-Google-Group-Id: 605343134186
List-Post: <https://groups.google.com/group/swupdate/post>,
 <mailto:swupdate@googlegroups.com>
List-Help: <https://groups.google.com/support/>,
 <mailto:swupdate+help@googlegroups.com>
List-Archive: <https://groups.google.com/group/swupdate
List-Subscribe: <https://groups.google.com/group/swupdate/subscribe>,
 <mailto:swupdate+subscribe@googlegroups.com>
List-Unsubscribe: 
 <mailto:googlegroups-manage+605343134186+unsubscribe@googlegroups.com>,
 <https://groups.google.com/group/swupdate/subscribe>

Signed-off-by: Michael Glembotzki <Michael.Glembotzki@iris-sensing.com>
---
 corelib/Makefile               |   3 +
 corelib/swupdate_cms_decrypt.c | 112 +++++++++++++++++++++++++++++++++
 include/sslapi.h               |   5 ++
 3 files changed, 120 insertions(+)
 create mode 100644 corelib/swupdate_cms_decrypt.c

diff --git a/corelib/Makefile b/corelib/Makefile
index c9ca4aa..06690d8 100644
--- a/corelib/Makefile
+++ b/corelib/Makefile
@@ -18,6 +18,9 @@ endif
 lib-$(CONFIG_SIGALG_RAWRSA)	+= swupdate_rsa_verify.o
 lib-$(CONFIG_SIGALG_RSAPSS)	+= swupdate_rsa_verify.o
 endif
+ifeq ($(CONFIG_ASYM_ENCRYPTED_SW_DESCRIPTION),y)
+lib-$(CONFIG_ENCRYPTED_IMAGES)	+= swupdate_cms_decrypt.o
+endif
 ifeq ($(CONFIG_SSL_IMPL_OPENSSL),y)
 lib-$(CONFIG_SIGALG_CMS)	+= swupdate_cms_verify.o
 endif
diff --git a/corelib/swupdate_cms_decrypt.c b/corelib/swupdate_cms_decrypt.c
new file mode 100644
index 0000000..5af2508
--- /dev/null
+++ b/corelib/swupdate_cms_decrypt.c
@@ -0,0 +1,112 @@
+/*
+ * (C) Copyright 2023
+ * Michael Glembotzki, iris-GmbH infrared & intelligent sensors, michael.glembotzki@iris-sensing.com.
+ *
+ * SPDX-License-Identifier:     GPL-2.0-only
+ *
+ * Code mostly taken from openssl examples
+ */
+#include <sys/stat.h>
+#include "swupdate.h"
+#include "sslapi.h"
+#include "util.h"
+
+int swupdate_dgst_add_recipient_keypair(struct swupdate_cfg *sw, const char *keypair_file) {
+	X509 *rcert = NULL;
+	EVP_PKEY *rkey = NULL;
+	struct swupdate_digest *dgst = sw->dgst;
+	int ret = 0;
+
+	if (!dgst) {
+		dgst = calloc(1, sizeof(*dgst));
+		if (!dgst) {
+			ret = 1;
+			goto err;
+		}
+	}
+
+	BIO *tbio = BIO_new_file(keypair_file, "r");
+	if (!tbio) {
+		ERROR("%s cannot be opened", keypair_file);
+		ret = 1;
+		goto err;
+	}
+
+	rcert = PEM_read_bio_X509(tbio, NULL, 0, NULL);
+	if (!rcert) {
+		WARN("Recipient cert not found");
+	}
+	BIO_reset(tbio);
+
+	rkey = PEM_read_bio_PrivateKey(tbio, NULL, 0, NULL);
+	BIO_free(tbio);
+	if (!rkey) {
+		ERROR("Recipient private key not found");
+		ret = 1;
+		goto err;
+	}
+
+	dgst->rcert = rcert;
+	dgst->rkey = rkey;
+
+	return ret;
+
+err:
+	if (dgst) {
+		free(dgst);
+	}
+	return ret;
+}
+
+int swupdate_decrypt_file(struct swupdate_digest *dgst, const char *infile, const char *outfile) {
+	BIO *in = NULL, *out = NULL;
+	CMS_ContentInfo *cms = NULL;
+	int ret = 0;
+
+	if (!dgst || !infile || !outfile) {
+		return 1;
+	}
+
+	/* Open CMS message to decrypt */
+	in = BIO_new_file(infile, "rb");
+	if (!in) {
+		ERROR("%s cannot be opened", infile);
+		ret = 1;
+		goto err;
+	}
+
+	/* Parse message */
+	cms = d2i_CMS_bio(in, NULL);
+	if (!cms) {
+		ERROR("%s cannot be parsed as DER-encoded CMS blob", infile);
+		ret = 1;
+		goto err;
+	}
+
+	out = BIO_new_file(outfile, "wb");
+	if (!out) {
+		ERROR("%s cannot be opened", outfile);
+		ret = 1;
+		goto err;
+	}
+
+	if (chmod(outfile, S_IRUSR | S_IWUSR)) {
+		ERROR("Setting file permissions");
+		ret = 1;
+		goto err;
+	}
+
+	/* Decrypt CMS message */
+	if (!CMS_decrypt(cms, dgst->rkey, dgst->rcert, NULL, out, 0)) {
+		ERR_print_errors_fp(stderr);
+		ERROR("Decrypting %s failed", infile);
+		ret = 1;
+		goto err;
+	}
+
+err:
+	BIO_free(in);
+	BIO_free(out);
+	CMS_ContentInfo_free(cms);
+	return ret;
+}
diff --git a/include/sslapi.h b/include/sslapi.h
index de86695..0330b31 100644
--- a/include/sslapi.h
+++ b/include/sslapi.h
@@ -221,6 +221,11 @@ UNUSED static inline struct swupdate_digest *swupdate_DECRYPT_init(
 #define swupdate_DECRYPT_cleanup(p)
 #endif
 
+#ifdef CONFIG_ASYM_ENCRYPTED_SW_DESCRIPTION
+int swupdate_dgst_add_recipient_keypair(struct swupdate_cfg *sw, const char *keypair_file);
+int swupdate_decrypt_file(struct swupdate_digest *dgst, const char *infile, const char *outfile);
+#endif
+
 #ifndef SSL_PURPOSE_DEFAULT
 #define SSL_PURPOSE_EMAIL_PROT -1
 #define SSL_PURPOSE_CODE_SIGN  -1