...

10 months ago · 3625f392f9
parent 6f6bc95706
commit 3625f392f9
3 changed files with 30 additions and 5 deletions
--- a/format.md
+++ b/format.md
@ -37,8 +37,8 @@ The distribution archive is encrypted with the distribution key.
 ## distribution key

 The distribution key is the AES<256> key, with which the distribution archive
-is encrypted using EAX<AES>. DIST.KEY contains the distribution key signed with
-the deployment key, then encrypted with the provisioning key.
+is encrypted using EAX<AES>. DIST.KEY contains the distribution key encrypted
+with the provisioning key using RSA-OAEP.

 ## distribution signature

--- a/src/unpack.cc
+++ b/src/unpack.cc
@ -153,14 +153,29 @@ namespace SignedPackage {
        return false;
    }

+    void decrypt_archive(
+            std::filesystem::path archive,
+            std::filesystem::path key,
+            CryptoPP::PrivateKey& provisioning_key
+        )
+    {
+
+    }
+
    std::filesystem::path extract_deployment_archive(
            CryptoPP::PublicKey& deployment_key,
+            CryptoPP::PrivateKey& provisioning_key,
            std::string pkg_path
        )
    {
        std::filesystem::path target_path = mktempdir();
-        extract_archive(pkg_path, target_path, { "DIST.A", "DIST.KEY", "DIST.SIG" });
-        check_signature(target_path / "DIST.A", target_path / "DIST.SIG", deployment_key);
+
+        extract_archive(pkg_path, target_path, { "DIST.A", "DIST.KEY",
+                "DIST.SIG" });
+        check_signature(target_path / "DIST.A", target_path / "DIST.SIG",
+                deployment_key);
+        decrypt_archive(target_path / "DIST.A", target_path / "DIST.KEY",
+                provisioning_key);

        return target_path;
    }
@ -172,8 +187,11 @@ namespace SignedPackage {
            std::string target_path
        )
    {
-        std::string tmp_path = extract_deployment_archive(deployment_key, pkg_path);
+        std::string tmp_path = extract_deployment_archive(deployment_key,
+                provisioning_key, pkg_path);
        ensure_target_path(target_path);
+
+        std::filesystem::remove_all(tmp_path);
    }

    void provision_system(
--- a/src/unpack.hh
+++ b/src/unpack.hh
@ -29,8 +29,15 @@ namespace SignedPackage {
            CryptoPP::PublicKey& key
        );

+    void decrypt_archive(
+            std::filesystem::path archive,
+            std::filesystem::path key,
+            CryptoPP::PrivateKey& provisioning_key
+        );
+
    std::filesystem::path extract_deployment_archive(
            CryptoPP::PublicKey& deployment_key,
+            CryptoPP::PrivateKey& provisioning_key,
            std::string pkg_path
        );