[crypto] Support decryption of images via CMS envelopes

Add support for decrypting images containing detached encrypted data
using a cipher key obtained from a separate CMS envelope image (in DER
or PEM format).

Signed-off-by: Michael Brown <mcb30@ipxe.org>

1 files changed, 22 insertions, 0 deletions

diff --git a/src/include/ipxe/cms.h b/src/include/ipxe/cms.h
index bffb06bfe..6d4a78d48 100644
--- a/src/include/ipxe/cms.h
+++ b/src/include/ipxe/cms.h
@@ -64,6 +64,13 @@ struct cms_message {
 	struct x509_chain *certificates;
 	/** List of participant information blocks */
 	struct list_head participants;
+
+	/** Cipher algorithm */
+	struct cipher_algorithm *cipher;
+	/** Cipher initialization vector */
+	struct asn1_cursor iv;
+	/** Cipher authentication tag */
+	struct asn1_cursor mac;
 };
 
 /**
@@ -101,9 +108,24 @@ cms_is_signature ( struct cms_message *cms ) {
 	return ( cms->certificates != NULL );
 }
 
+/**
+ * Check if CMS message is an encrypted message
+ *
+ * @v cms		CMS message
+ * @ret is_encrypted	Message is an encrypted message
+ */
+static inline __attribute__ (( always_inline )) int
+cms_is_encrypted ( struct cms_message *cms ) {
+
+	/* CMS encrypted messages have a cipher algorithm */
+	return ( cms->cipher != NULL );
+}
+
 extern int cms_message ( struct image *image, struct cms_message **cms );
 extern int cms_verify ( struct cms_message *cms, struct image *image,
 			const char *name, time_t time, struct x509_chain *store,
 			struct x509_root *root );
+extern int cms_decrypt ( struct cms_message *cms, struct image *image,
+			 const char *name, struct private_key *private_key );
 
 #endif /* _IPXE_CMS_H */