open-eid · lauris71 · Nov 25, 2025 · Nov 13, 2025 · Nov 13, 2025
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -14,7 +14,7 @@ jobs:
     container: ubuntu:${{ matrix.container }}
     strategy:
       matrix:
-        container: ['22.04', '24.04', '25.04']
+        container: ['22.04', '24.04', '25.10']
         arch: ['amd64', 'arm64']
     env:
       DEBIAN_FRONTEND: noninteractive
@@ -24,7 +24,7 @@ jobs:
     - name: Install dependencies
       run: apt update -qq && apt install --no-install-recommends -y lsb-release build-essential devscripts debhelper lintian pkg-config ${UBUNTU_DEPS} doxygen swig openjdk-17-jdk-headless libpython3-dev python3-setuptools libboost-test-dev
     - name: Checkout
-      uses: actions/checkout@v4
+      uses: actions/checkout@v5
     - name: Setup changelog
       run: |
         export VERSION=$(grep project CMakeLists.txt | egrep -o "([0-9]{1,}\.)+[0-9]{1,}")
@@ -37,7 +37,7 @@ jobs:
     - name: Lintian
       run: lintian *.deb;
     - name: Archive artifacts
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@v5
       with:
         name: ubuntu_${{ matrix.container }}_${{ matrix.arch }}
         path: libcdoc*.*
@@ -55,7 +55,7 @@ jobs:
           triplet: x64-android
     steps:
     - name: Checkout
-      uses: actions/checkout@v4
+      uses: actions/checkout@v5
     - name: Expose Android NDK env
       shell: bash
       run: |
@@ -65,7 +65,7 @@ jobs:
       uses: actions/cache@v4
       with:
         path: ${{ github.workspace }}/vcpkg_cache
-        key: vcpkg-${{ matrix.target }}-${{ hashFiles('.github/workflows/*', 'vcpkg.json', 'CMakeLists.txt', '**/CMakeLists.txt', 'CMakePresets.json') }}
+        key: vcpkg-${{ matrix.target }}-${{ hashFiles('vcpkg.json') }}
     - name: Prepare vcpkg
       uses: lukka/run-vcpkg@v11
       with:
@@ -80,7 +80,7 @@ jobs:
         cmake --build --preset ${{ matrix.target }}
         cmake --build --preset ${{ matrix.target }} --target install/strip
     - name: Archive artifacts
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@v5
       with:
         name: ${{ matrix.target }}
         path: |
@@ -100,7 +100,7 @@ jobs:
       DEST: ${{ github.workspace }}/${{ matrix.target }}
     steps:
     - name: Checkout
-      uses: actions/checkout@v4
+      uses: actions/checkout@v5
     - name: Install dependencies
       run: |
         brew update
@@ -110,7 +110,7 @@ jobs:
       uses: actions/cache@v4
       with:
         path: ${{ github.workspace }}/vcpkg_cache
-        key: vcpkg-${{ matrix.target }}-${{ hashFiles('.github/workflows/*', 'vcpkg.json', 'CMakeLists.txt', '**/CMakeLists.txt', 'CMakePresets.json') }}
+        key: vcpkg-${{ matrix.target }}-${{ hashFiles('vcpkg.json') }}
     - name: Prepare vcpkg
       if: matrix.target != 'macos'
       uses: lukka/run-vcpkg@v11
@@ -130,7 +130,7 @@ jobs:
     - name: Install
       run: cmake --build --preset ${{ matrix.target }} --target install/strip
     - name: Archive artifacts
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@v5
       with:
         name: ${{ matrix.target }}
         path: ${{ env.DEST }}
@@ -147,12 +147,12 @@ jobs:
       VCPKG_DEFAULT_TRIPLET: ${{ matrix.platform }}-windows-static-md
     steps:
     - name: Checkout
-      uses: actions/checkout@v4
+      uses: actions/checkout@v5
     - name: Cache vcpkg
       uses: actions/cache@v4
       with:
         path: ${{ github.workspace }}/vcpkg_cache
-        key: vcpkg-${{ matrix.image }}-${{ matrix.platform }}-${{ hashFiles('.github/workflows/*', 'vcpkg.json', 'CMakeLists.txt', '**/CMakeLists.txt', 'CMakePresets.json') }}
+        key: vcpkg-${{ matrix.image }}-${{ matrix.platform }}-${{ hashFiles('vcpkg.json') }}
     - name: Prepare vcpkg
       uses: lukka/run-vcpkg@v11
       with:
@@ -181,7 +181,7 @@ jobs:
         ctest -V -C RelWithDebInfo --test-dir build
         cmake --install build --config RelWithDebInfo --prefix ${{ env.DEST }}
     - name: Archive artifacts
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@v5
       with:
         name: ${{ matrix.image }}_${{ matrix.platform }}
         path: ${{ env.DEST }}
@@ -193,7 +193,7 @@ jobs:
       contents: write
     steps:
     - name: Checkout
-      uses: actions/checkout@v4
+      uses: actions/checkout@v5
     - name: Install dependencies
       run: sudo apt update -qq && sudo apt install --no-install-recommends -y doxygen ${UBUNTU_DEPS}
     - name: Build docs
@@ -215,7 +215,7 @@ jobs:
       PROJECTNAME: ${{ github.repository }}
     steps:
     - name: Checkout
-      uses: actions/checkout@v4
+      uses: actions/checkout@v5
     - name: Install dependencies
       run: sudo apt update -qq && sudo apt install --no-install-recommends -y curl ca-certificates ${UBUNTU_DEPS}
     - name: Download Coverity Build Tool
@@ -250,7 +250,7 @@ jobs:
       security-events: write
     steps:
     - name: Checkout
-      uses: actions/checkout@v4
+      uses: actions/checkout@v5
     - name: Install dependencies
       run: sudo apt update -qq && sudo apt install --no-install-recommends -y ${UBUNTU_DEPS}
     - name: Initialize CodeQL

diff --git a/cdoc/CDoc1Reader.cpp b/cdoc/CDoc1Reader.cpp
@@ -384,6 +384,7 @@ result_t CDoc1Reader::decryptData(const std::vector<uint8_t>& fmk, std::string&
         return result;
     }
 
+    std::vector<unsigned char> b64;
     XMLReader reader(d->dsrc, false);
     int skipKeyInfo = 0;
     while (reader.read()) {
@@ -397,26 +398,31 @@ result_t CDoc1Reader::decryptData(const std::vector<uint8_t>& fmk, std::string&
         // EncryptedData/CipherData/CipherValue
         else if(reader.isElement("CipherValue"))
         {
-            data = libcdoc::Crypto::decrypt(d->method, fmk, reader.readBase64());
+            b64 = reader.readBase64();
             break;
         }
     }
 
-    if(data.empty()) {
+    if(b64.empty()) {
+        setLastError("Failed to decode base64 data");
+        return libcdoc::IO_ERROR;
+    }
+    VectorSource src(b64);
+    libcdoc::DecryptionSource dec(src, d->method, fmk);
+    if(dec.isError()) {
         setLastError("Failed to decrypt data, verify if FMK is correct");
-        return libcdoc::CRYPTO_ERROR;
+        return CRYPTO_ERROR;
     }
+    libcdoc::VectorConsumer out(data);
     setLastError({});
     if (d->mime == MIME_ZLIB) {
-        libcdoc::VectorSource vsrc(data);
-        libcdoc::ZSource zsrc(&vsrc);
-        std::vector<uint8_t> tmp;
-        libcdoc::VectorConsumer vcons(tmp);
-        vcons.writeAll(zsrc);
-        data = std::move(tmp);
+        libcdoc::ZSource zsrc(&dec);
+        out.writeAll(zsrc);
         mime = d->properties["OriginalMimeType"];
     }
-    else
+    else {
         mime = d->mime;
-    return libcdoc::OK;
+        out.writeAll(dec);
+    }
+    return dec.close();
 }
diff --git a/cdoc/CDoc2Reader.cpp b/cdoc/CDoc2Reader.cpp
@@ -83,11 +83,9 @@ struct CDoc2Reader::Private {
 
     std::vector<Lock> locks;
 
-    std::unique_ptr<libcdoc::Crypto::Cipher> cipher;
-    std::unique_ptr<TaggedSource> tgs;
+    std::unique_ptr<libcdoc::DecryptionSource> dec;
     std::unique_ptr<libcdoc::ZSource> zsrc;
     std::unique_ptr<libcdoc::TarSource> tar;
-
 };
 
 CDoc2Reader::~CDoc2Reader()
@@ -389,29 +387,19 @@ CDoc2Reader::beginDecryption(const std::vector<uint8_t>& fmk)
     }
     priv->_at_nonce = false;
     std::vector<uint8_t> cek = libcdoc::Crypto::expand(fmk, std::vector<uint8_t>(libcdoc::CDoc2::CEK.cbegin(), libcdoc::CDoc2::CEK.cend()));
-    std::vector<uint8_t> nonce(libcdoc::CDoc2::NONCE_LEN);
-    if (priv->_src->read(nonce.data(), libcdoc::CDoc2::NONCE_LEN) != libcdoc::CDoc2::NONCE_LEN) {
-        setLastError("Error reading nonce");
-        LOG_ERROR("{}", last_error);
-        return libcdoc::IO_ERROR;
-    }
-
     LOG_TRACE_KEY("cek: {}", cek);
-    LOG_TRACE_KEY("nonce: {}", nonce);
 
-    priv->cipher = std::make_unique<libcdoc::Crypto::Cipher>(EVP_chacha20_poly1305(), cek, nonce, false);
+    priv->dec = std::make_unique<libcdoc::DecryptionSource>(*priv->_src, EVP_chacha20_poly1305(), cek, libcdoc::CDoc2::NONCE_LEN);
     std::vector<uint8_t> aad(libcdoc::CDoc2::PAYLOAD.cbegin(), libcdoc::CDoc2::PAYLOAD.cend());
     aad.insert(aad.end(), priv->header_data.cbegin(), priv->header_data.cend());
     aad.insert(aad.end(), priv->headerHMAC.cbegin(), priv->headerHMAC.cend());
-    if(!priv->cipher->updateAAD(aad)) {
+    if(priv->dec->updateAAD(aad) != OK) {
         setLastError("Wrong decryption key (FMK)");
         LOG_ERROR("{}", last_error);
         return libcdoc::WRONG_KEY;
     }
 
-    priv->tgs = std::make_unique<TaggedSource>(priv->_src, false, 16);
-    libcdoc::CipherSource *csrc = new libcdoc::CipherSource(priv->tgs.get(), false, priv->cipher.get());
-    priv->zsrc = std::make_unique<libcdoc::ZSource>(csrc, true);
+    priv->zsrc = std::make_unique<libcdoc::ZSource>(priv->dec.get(), false);
     priv->tar = std::make_unique<libcdoc::TarSource>(priv->zsrc.get(), false);
 
     return libcdoc::OK;
@@ -455,21 +443,15 @@ CDoc2Reader::finishDecryption()
         LOG_WARN("{}", last_error);
     }
 
-    LOG_TRACE_KEY("tag: {}", priv->tgs->tag);
-
-    priv->cipher->setTag(priv->tgs->tag);
-    if (!priv->cipher->result()) {
-        setLastError("Stream tag is invalid");
-        LOG_ERROR("{}", last_error);
-        return HASH_MISMATCH;
-    }
     setLastError({});
-    priv->tgs.reset();
     priv->zsrc.reset();
     priv->tar.reset();
-    priv->cipher->clear();
-    priv->cipher.reset();
-    return OK;
+    auto rv = priv->dec->close();
+    priv->dec.reset();
+    if (rv != OK) {
+        setLastError("Crypto payload integrity check failed");
+    }
+    return rv;
 }
 
 CDoc2Reader::CDoc2Reader(libcdoc::DataSource *src, bool take_ownership)