Merge pull request #7272 from JacobBarthelmeh/pkcs7-enc

IO callbacks for content and output with PKCS7 bundle sign/encrypt
2024-03-08 07:18:11 +10:00
parent 28e8228744 c24b187a88
commit 5daf5fff86
4 changed files with 1025 additions and 252 deletions
--- a/tests/api.c
+++ b/tests/api.c
@ -26871,6 +26871,43 @@ static int rsaSignRawDigestCb(PKCS7* pkcs7, byte* digest, word32 digestSz,
 }
 #endif
 #if defined(HAVE_PKCS7) && defined(ASN_BER_TO_DER)
 typedef struct encodeSignedDataStream {
    byte out[FOURK_BUF*3];
    int  idx;
    word32 outIdx;
 } encodeSignedDataStream;
 /* content is 8k of partially created bundle */
 static int GetContentCB(PKCS7* pkcs7, byte** content, void* ctx)
 {
    int ret = 0;
    encodeSignedDataStream* strm = (encodeSignedDataStream*)ctx;
    if (strm->outIdx  < pkcs7->contentSz) {
        ret = (pkcs7->contentSz > strm->outIdx + FOURK_BUF)?
                FOURK_BUF : pkcs7->contentSz - strm->outIdx;
        *content = strm->out + strm->outIdx;
        strm->outIdx += ret;
    }
    (void)pkcs7;
    return ret;
 }
 static int StreamOutputCB(PKCS7* pkcs7, const byte* output, word32 outputSz,
    void* ctx)
 {
    encodeSignedDataStream* strm = (encodeSignedDataStream*)ctx;
    XMEMCPY(strm->out + strm->idx, output, outputSz);
    strm->idx += outputSz;
    (void)pkcs7;
    return 0;
 }
 #endif
 /*
 * Testing wc_PKCS7_EncodeSignedData()
@ -26999,6 +27036,7 @@ static int test_wc_PKCS7_EncodeSignedData(void)
    /* reinitialize and test setting stream mode */
    {
        int signedSz;
        encodeSignedDataStream strm;
        ExpectNotNull(pkcs7 = wc_PKCS7_New(HEAP_HINT, testDevId));
        ExpectIntEQ(wc_PKCS7_Init(pkcs7, HEAP_HINT, INVALID_DEVID), 0);
@ -27019,8 +27057,9 @@ static int test_wc_PKCS7_EncodeSignedData(void)
            pkcs7->rng = &rng;
        }
        ExpectIntEQ(wc_PKCS7_GetStreamMode(pkcs7), 0);
-        ExpectIntEQ(wc_PKCS7_SetStreamMode(pkcs7, 1), 0);
+        ExpectIntEQ(wc_PKCS7_SetStreamMode(pkcs7, 1, NULL, NULL, NULL), 0);
-        ExpectIntEQ(wc_PKCS7_SetStreamMode(NULL, 1), BAD_FUNC_ARG);
+        ExpectIntEQ(wc_PKCS7_SetStreamMode(NULL, 1, NULL, NULL, NULL),
            BAD_FUNC_ARG);
        ExpectIntEQ(wc_PKCS7_GetStreamMode(pkcs7), 1);
        ExpectIntGT(signedSz = wc_PKCS7_EncodeSignedData(pkcs7, output,
@ -27033,6 +27072,39 @@ static int test_wc_PKCS7_EncodeSignedData(void)
        /* use exact signed buffer size since BER encoded */
        ExpectIntEQ(wc_PKCS7_VerifySignedData(pkcs7, output, signedSz), 0);
        wc_PKCS7_Free(pkcs7);
        /* now try with using callbacks for IO */
        ExpectNotNull(pkcs7 = wc_PKCS7_New(HEAP_HINT, testDevId));
        ExpectIntEQ(wc_PKCS7_Init(pkcs7, HEAP_HINT, INVALID_DEVID), 0);
        ExpectIntEQ(wc_PKCS7_InitWithCert(pkcs7, cert, certSz), 0);
        if (pkcs7 != NULL) {
            pkcs7->contentSz  = FOURK_BUF*2;
            pkcs7->privateKey = key;
            pkcs7->privateKeySz = (word32)sizeof(key);
            pkcs7->encryptOID = RSAk;
        #ifdef NO_SHA
            pkcs7->hashOID = SHA256h;
        #else
            pkcs7->hashOID = SHAh;
        #endif
            pkcs7->rng = &rng;
        }
        XMEMSET(&strm, 0, sizeof(strm));
        ExpectIntEQ(wc_PKCS7_SetStreamMode(pkcs7, 1, GetContentCB,
            StreamOutputCB, (void*)&strm), 0);
        ExpectIntGT(signedSz = wc_PKCS7_EncodeSignedData(pkcs7, NULL, 0), 0);
        wc_PKCS7_Free(pkcs7);
        pkcs7 = NULL;
        ExpectNotNull(pkcs7 = wc_PKCS7_New(HEAP_HINT, testDevId));
        ExpectIntEQ(wc_PKCS7_InitWithCert(pkcs7, NULL, 0), 0);
        /* use exact signed buffer size since BER encoded */
        ExpectIntEQ(wc_PKCS7_VerifySignedData(pkcs7, strm.out, signedSz), 0);
    }
 #endif
 #ifndef NO_PKCS7_STREAM
@ -28594,7 +28666,9 @@ static int test_wc_PKCS7_EncodeDecodeEnvelopedData(void)
    testSz = (int)sizeof(testVectors)/(int)sizeof(pkcs7EnvelopedVector);
    for (i = 0; i < testSz; i++) {
    #ifdef ASN_BER_TO_DER
-        /* test setting stream mode */
+        encodeSignedDataStream strm;
        /* test setting stream mode, the first one using IO callbacks */
        ExpectIntEQ(wc_PKCS7_InitWithCert(pkcs7, (testVectors + i)->cert,
                                    (word32)(testVectors + i)->certSz), 0);
        if (pkcs7 != NULL) {
@ -28602,7 +28676,8 @@ static int test_wc_PKCS7_EncodeDecodeEnvelopedData(void)
            pkcs7->rng = &rng;
        #endif
-            pkcs7->content       = (byte*)(testVectors + i)->content;
+            if (i != 0)
                pkcs7->content       = (byte*)(testVectors + i)->content;
            pkcs7->contentSz     = (testVectors + i)->contentSz;
            pkcs7->contentOID    = (testVectors + i)->contentOID;
            pkcs7->encryptOID    = (testVectors + i)->encryptOID;
@ -28611,16 +28686,61 @@ static int test_wc_PKCS7_EncodeDecodeEnvelopedData(void)
            pkcs7->privateKey    = (testVectors + i)->privateKey;
            pkcs7->privateKeySz  = (testVectors + i)->privateKeySz;
        }
        ExpectIntEQ(wc_PKCS7_SetStreamMode(pkcs7, 1), 0);
-        ExpectIntGE(encodedSz = wc_PKCS7_EncodeEnvelopedData(pkcs7, output,
+        if (i == 0) {
-            (word32)sizeof(output)), 0);
+            XMEMSET(&strm, 0, sizeof(strm));
            ExpectIntEQ(wc_PKCS7_SetStreamMode(pkcs7, 1, GetContentCB,
                StreamOutputCB, (void*)&strm), 0);
            encodedSz = wc_PKCS7_EncodeEnvelopedData(pkcs7, NULL, 0);
        }
        else {
            ExpectIntEQ(wc_PKCS7_SetStreamMode(pkcs7, 1, NULL, NULL, NULL), 0);
            encodedSz = wc_PKCS7_EncodeEnvelopedData(pkcs7, output,
                (word32)sizeof(output));
        }
-        decodedSz = wc_PKCS7_DecodeEnvelopedData(pkcs7, output,
+        switch ((testVectors + i)->encryptOID) {
-            (word32)encodedSz, decoded, (word32)sizeof(decoded));
+        #ifndef NO_DES3
-        ExpectIntGE(decodedSz, 0);
+            case DES3b:
-        /* Verify the size of each buffer. */
+            case DESb:
-        ExpectIntEQ((word32)sizeof(input)/sizeof(char), decodedSz);
+                ExpectIntEQ(encodedSz, BAD_FUNC_ARG);
                break;
        #endif
        #ifdef HAVE_AESCCM
        #ifdef WOLFSSL_AES_128
            case AES128CCMb:
                ExpectIntEQ(encodedSz, BAD_FUNC_ARG);
                break;
        #endif
        #ifdef WOLFSSL_AES_192
            case AES192CCMb:
                ExpectIntEQ(encodedSz, BAD_FUNC_ARG);
                break;
        #endif
        #ifdef WOLFSSL_AES_256
            case AES256CCMb:
                ExpectIntEQ(encodedSz, BAD_FUNC_ARG);
                break;
        #endif
        #endif
            default:
                ExpectIntGE(encodedSz, 0);
        }
        if (encodedSz > 0) {
            if (i == 0) {
                decodedSz = wc_PKCS7_DecodeEnvelopedData(pkcs7,
                    strm.out, (word32)encodedSz, decoded,
                    (word32)sizeof(decoded));
            }
            else {
                decodedSz = wc_PKCS7_DecodeEnvelopedData(pkcs7, output,
                    (word32)encodedSz, decoded, (word32)sizeof(decoded));
            }
            ExpectIntGE(decodedSz, 0);
            /* Verify the size of each buffer. */
            ExpectIntEQ((word32)sizeof(input)/sizeof(char), decodedSz);
        }
        wc_PKCS7_Free(pkcs7);
        pkcs7 = NULL;
        ExpectNotNull(pkcs7 = wc_PKCS7_New(HEAP_HINT, testDevId));
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@ -3465,7 +3465,9 @@ word32 SetBitString(word32 len, byte unusedBits, byte* output)
 #ifdef ASN_BER_TO_DER
-#define BER_OCTET_LENGTH 4096
+#ifndef BER_OCTET_LENGTH
    #define BER_OCTET_LENGTH 4096
 #endif
 /* sets the terminating 0x00 0x00 at the end of an indefinite length
 * returns the number of bytes written */
--- a/wolfcrypt/src/pkcs7.c
+++ b/wolfcrypt/src/pkcs7.c
--- a/wolfssl/wolfcrypt/pkcs7.h
+++ b/wolfssl/wolfcrypt/pkcs7.h
@ -225,6 +225,11 @@ typedef int (*CallbackWrapCEK)(PKCS7* pkcs7, byte* cek, word32 cekSz,
                                  byte* out, word32 outSz,
                                  int keyWrapAlgo, int type, int dir);
 /* Callbacks for supporting different stream cases */
 typedef int (*CallbackGetContent)(PKCS7* pkcs7, byte** content, void* ctx);
 typedef int (*CallbackStreamOut)(PKCS7* pkcs7, const byte* output,
        word32 outputSz, void* ctx);
 #if defined(HAVE_PKCS7_RSA_RAW_SIGN_CALLBACK) && !defined(NO_RSA)
 /* RSA sign raw digest callback, user builds DigestInfo */
 typedef int (*CallbackRsaSignRawDigest)(PKCS7* pkcs7, byte* digest,
@ -248,6 +253,9 @@ struct PKCS7 {
 #ifdef ASN_BER_TO_DER
    byte*  der;                   /* DER encoded version of message       */
    word32 derSz;
    CallbackGetContent getContentCb;
    CallbackStreamOut  streamOutCb;
    void*  streamCtx; /* passed to getcontentCb and streamOutCb */
 #endif
    byte   encodeStream:1;        /* use BER when encoding */
    byte   noCerts:1;             /* if certificates should be added into bundle
@ -499,7 +507,11 @@ WOLFSSL_API int  wc_PKCS7_SetDecodeEncryptedCb(PKCS7* pkcs7,
 WOLFSSL_API int  wc_PKCS7_SetDecodeEncryptedCtx(PKCS7* pkcs7, void* ctx);
 #endif /* NO_PKCS7_ENCRYPTED_DATA */
-WOLFSSL_API int wc_PKCS7_SetStreamMode(PKCS7* pkcs7, byte flag);
+/* stream and certs */
 WOLFSSL_LOCAL int wc_PKCS7_WriteOut(PKCS7* pkcs7, byte* output,
    const byte* input, word32 inputSz);
 WOLFSSL_API int wc_PKCS7_SetStreamMode(PKCS7* pkcs7, byte flag,
    CallbackGetContent getContentCb, CallbackStreamOut streamOutCb, void* ctx);
 WOLFSSL_API int wc_PKCS7_GetStreamMode(PKCS7* pkcs7);
 WOLFSSL_API int wc_PKCS7_SetNoCerts(PKCS7* pkcs7, byte flag);
 WOLFSSL_API int wc_PKCS7_GetNoCerts(PKCS7* pkcs7);