diff options
| author | Michael Brown <mcb30@ipxe.org> | 2024-08-23 12:28:21 +0100 |
|---|---|---|
| committer | Michael Brown <mcb30@ipxe.org> | 2024-08-29 14:47:13 +0100 |
| commit | 486b15b3c11692af4325cd7d0220cdb72ec27586 (patch) | |
| tree | e1da90eda839e8a387bc44dc45e5f7c2be6d2e4f /src/include | |
| parent | 49404bfea99f68f4c364ea30a9ad3ea6ffb7e5f6 (diff) | |
| download | ipxe-486b15b3c11692af4325cd7d0220cdb72ec27586.tar.gz | |
[crypto] Support decryption of images via CMS envelopes
Add support for decrypting images containing detached encrypted data
using a cipher key obtained from a separate CMS envelope image (in DER
or PEM format).
Signed-off-by: Michael Brown <mcb30@ipxe.org>
Diffstat (limited to 'src/include')
| -rw-r--r-- | src/include/ipxe/asn1.h | 13 | ||||
| -rw-r--r-- | src/include/ipxe/cms.h | 22 |
2 files changed, 35 insertions, 0 deletions
diff --git a/src/include/ipxe/asn1.h b/src/include/ipxe/asn1.h index fac94c52e..752b423b9 100644 --- a/src/include/ipxe/asn1.h +++ b/src/include/ipxe/asn1.h @@ -309,6 +309,19 @@ struct asn1_builder_header { ASN1_OID_TRIPLE ( 113549 ), ASN1_OID_SINGLE ( 1 ), \ ASN1_OID_SINGLE ( 7 ), ASN1_OID_SINGLE ( 2 ) +/** ASN.1 OID for id-envelopedData (1.2.840.113549.1.7.3) */ +#define ASN1_OID_ENVELOPEDDATA \ + ASN1_OID_INITIAL ( 1, 2 ), ASN1_OID_DOUBLE ( 840 ), \ + ASN1_OID_TRIPLE ( 113549 ), ASN1_OID_SINGLE ( 1 ), \ + ASN1_OID_SINGLE ( 7 ), ASN1_OID_SINGLE ( 3 ) + +/** ASN.1 OID for id-authEnvelopedData (1.2.840.113549.1.9.16.1.23) */ +#define ASN1_OID_AUTHENVELOPEDDATA \ + ASN1_OID_INITIAL ( 1, 2 ), ASN1_OID_DOUBLE ( 840 ), \ + ASN1_OID_TRIPLE ( 113549 ), ASN1_OID_SINGLE ( 1 ), \ + ASN1_OID_SINGLE ( 9 ), ASN1_OID_SINGLE ( 16 ), \ + ASN1_OID_SINGLE ( 1 ), ASN1_OID_SINGLE ( 23 ) + /** ASN.1 OID for id-pe-authorityInfoAccess (1.3.6.1.5.5.7.1.1) */ #define ASN1_OID_AUTHORITYINFOACCESS \ ASN1_OID_INITIAL ( 1, 3 ), ASN1_OID_SINGLE ( 6 ), \ diff --git a/src/include/ipxe/cms.h b/src/include/ipxe/cms.h index bffb06bfe..6d4a78d48 100644 --- a/src/include/ipxe/cms.h +++ b/src/include/ipxe/cms.h @@ -64,6 +64,13 @@ struct cms_message { struct x509_chain *certificates; /** List of participant information blocks */ struct list_head participants; + + /** Cipher algorithm */ + struct cipher_algorithm *cipher; + /** Cipher initialization vector */ + struct asn1_cursor iv; + /** Cipher authentication tag */ + struct asn1_cursor mac; }; /** @@ -101,9 +108,24 @@ cms_is_signature ( struct cms_message *cms ) { return ( cms->certificates != NULL ); } +/** + * Check if CMS message is an encrypted message + * + * @v cms CMS message + * @ret is_encrypted Message is an encrypted message + */ +static inline __attribute__ (( always_inline )) int +cms_is_encrypted ( struct cms_message *cms ) { + + /* CMS encrypted messages have a cipher algorithm */ + return ( cms->cipher != NULL ); +} + extern int cms_message ( struct image *image, struct cms_message **cms ); extern int cms_verify ( struct cms_message *cms, struct image *image, const char *name, time_t time, struct x509_chain *store, struct x509_root *root ); +extern int cms_decrypt ( struct cms_message *cms, struct image *image, + const char *name, struct private_key *private_key ); #endif /* _IPXE_CMS_H */ |