I have a small embedded Linux device that has 128 MB flash storage available to work with as a scratchpad. This device runs an NGINX web server. In order to do a firmware update, the system receives an encrypted binary file as an HTTPS POST through NGINX to the scratchpad. The system then decrypts the file and flashes a different QSPI flash device in order to complete the update.
The firmware binary is encrypted outside the device like this:
openssl smime -encrypt -binary -aes-256-cbc -in plainfile.zip -out encrypted.zip.enc -outform DER yourSslCertificate.pem
The firmware binary is decrypted, after being received through NGINX, on the device like this:
openssl smime -decrypt -binary -in encrypted.zip.enc -inform DER -out decrypted.zip -inkey private.key -passin pass:your_password
I'd really like to decrypt the binary as it is received (on the fly) through NGINX, so that it appears on the flash scratchpad in its decrypted form.
I've been unable to find any existing NGINX modules on Google that would do this. How might I accomplish this? Thanks.
First of all, you need to understand one thing. While nginx is decrypting the file, all other requests will be blocked. That's why nginx does not support CGI, only FastCGI.
If that is OK for you (for example, if nginx is used only for update purposes), you can use the perl or lua extension: http://nginx.org/en/docs/http/ngx_http_perl_module.html, https://github.com/openresty/lua-nginx-module
Using these modules you can exec a shell command. To access the uploaded file you need to set the client_body_in_file_only
directive - https://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_in_file_only
Example for the perl module (untested):
location /upload {
    client_body_in_file_only clean;
    perl 'sub {
        my $r = shift;
        # request_body_file is only set after the body is read; the inner sub runs then
        if ($r->has_request_body(sub {
            my $r = shift;
            my $rc = system("openssl", "smime", "-decrypt", "-binary",   # list form: no shell
                            "-in", $r->request_body_file, "-inform", "DER",
                            "-out", "/tmp/decrypted.zip",
                            "-inkey", "private.key", "-passin", "pass:your_password");
            return $rc == 0 ? OK : HTTP_INTERNAL_SERVER_ERROR;
        })) { return OK; }
        return HTTP_BAD_REQUEST;
    }';
}
But it is much better to use FastCGI. You can use a light FastCGI wrapper for it, for example fcgiwrap:
https://www.nginx.com/resources/wiki/start/topics/examples/fcgiwrap/
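To show how the fcgiwrap route also gets the "on the fly" behaviour the question asks for, here is an added example of a CGI script that fcgiwrap would run per request. It is not from the answer above or from the fcgiwrap project; the script name decrypt-upload.cgi, the /scratch and /etc/firmware paths and the 128 MB limit are assumptions. fcgiwrap hands the request body to the script on stdin, so the body is piped straight through the question's openssl command (without -in/-out) and only the plaintext is ever written to the scratchpad; the -passin file: form keeps the passphrase out of the process list.

```shell
#!/bin/sh
# Added example: a CGI script for fcgiwrap that decrypts the POSTed firmware
# image as it streams in, so only plaintext is written to the scratchpad.
# Paths and the script name are assumptions, not from the original thread.

OUT_FILE="${OUT_FILE:-/scratch/decrypted.zip}"            # assumed scratchpad path
KEY_FILE="${KEY_FILE:-/etc/firmware/private.key}"         # the question's private.key
KEY_PASS_FILE="${KEY_PASS_FILE:-/etc/firmware/key.pass}"  # passphrase file, mode 0400
MAX_BODY="${MAX_BODY:-134217728}"                         # 128 MB: the scratchpad size

# Decrypt stdin to stdout: the question's openssl command minus -in/-out, so it
# streams. -passin file: keeps the passphrase off the command line.
decrypt_stream() {
    openssl smime -decrypt -binary -inform DER \
        -inkey "$KEY_FILE" -passin "file:$KEY_PASS_FILE"
}

# Emit a CGI response; fcgiwrap forwards the Status header to nginx.
respond() {
    printf 'Status: %s\r\nContent-Type: text/plain\r\n\r\n%s\n' "$1" "$2"
}

# Validate the request (CGI environment set by fcgiwrap) and pipe the body
# through the decryptor into a temp file that is renamed only on success.
# Returns 0 when a decrypted image is in place, 1 when the upload was rejected.
handle_upload() {
    if [ "${REQUEST_METHOD:-}" != "POST" ]; then
        respond "405 Method Not Allowed" "POST required"; return 1
    fi
    case "${CONTENT_LENGTH:-}" in
        ''|*[!0-9]*) respond "411 Length Required" "numeric Content-Length required"; return 1 ;;
    esac
    if [ "$CONTENT_LENGTH" -gt "$MAX_BODY" ]; then
        respond "413 Payload Too Large" "image exceeds $MAX_BODY bytes"; return 1
    fi
    tmp="$OUT_FILE.part"
    # head -c bounds the read to the declared length; a decrypt failure
    # (wrong key, truncated input) leaves no partial image behind.
    if head -c "$CONTENT_LENGTH" | decrypt_stream > "$tmp"; then
        mv -f "$tmp" "$OUT_FILE"
        respond "200 OK" "decrypted $(wc -c < "$OUT_FILE" | tr -d ' ') bytes to $OUT_FILE"
        return 0
    fi
    rm -f "$tmp"
    respond "400 Bad Request" "decryption failed"
    return 1
}

# fcgiwrap executes the script per request; only run the handler when invoked by name.
case "${0##*/}" in
    decrypt-upload.cgi) handle_upload ;;
esac
```

On the nginx side the location needs fastcgi_pass pointing at the fcgiwrap socket, SCRIPT_FILENAME set to the script, client_max_body_size raised to the image size, and fastcgi_request_buffering off (nginx 1.7.11 or later); without that last directive nginx buffers the whole body, spilling it to client_body_temp_path on disk, before the script sees a byte. Because fcgiwrap runs the script in its own process, the nginx worker is not blocked while openssl works, which is the answer's reason for preferring FastCGI. One caveat that holds for either variant: S/MIME with AES-256-CBC gives confidentiality only, so a successful decrypt says nothing about integrity; the image should also carry a signature that the device verifies before it touches the QSPI flash.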