diff --git a/certs/include.am b/certs/include.am index 637b6b2d7..de8d2edf0 100644 --- a/certs/include.am +++ b/certs/include.am @@ -51,6 +51,7 @@ EXTRA_DIST += \ certs/server-revoked-key.pem \ certs/wolfssl-website-ca.pem \ certs/test-degenerate.p7b \ + certs/test-stream-sign.p7b \ certs/test-ber-exp02-05-2022.p7b \ certs/test-servercert.p12 \ certs/test-servercert-rc2.p12 \ diff --git a/certs/renewcerts.sh b/certs/renewcerts.sh index 5485656b6..d2482f510 100755 --- a/certs/renewcerts.sh +++ b/certs/renewcerts.sh @@ -854,6 +854,10 @@ run_renewcerts(){ echo "" openssl crl2pkcs7 -nocrl -certfile ./client-cert.pem -out test-degenerate.p7b -outform DER check_result $? "" + + openssl smime -sign -in ./ca-cert.pem -out test-stream-sign.p7b -signer ./ca-cert.pem -nodetach -nocerts -binary -outform DER -stream -inkey ./ca-key.pem + check_result $? "" + echo "End of section" echo "---------------------------------------------------------------------" diff --git a/certs/test-stream-sign.p7b b/certs/test-stream-sign.p7b new file mode 100644 index 000000000..05f6643c1 Binary files /dev/null and b/certs/test-stream-sign.p7b differ diff --git a/tests/api.c b/tests/api.c index 6bf2cb801..1dc77fa83 100644 --- a/tests/api.c +++ b/tests/api.c @@ -26945,7 +26945,7 @@ static int test_wc_PKCS7_EncodeSignedData(void) int certSz; int keySz; - ExpectTrue((fp = XOPEN("./certs/client-ecc-cert.der", "rb")) != + ExpectTrue((fp = XFOPEN("./certs/client-ecc-cert.der", "rb")) != XBADFILE); ExpectIntGT(certSz = (int)XFREAD(cert, 1, ONEK_BUF, fp), 0); if (fp != XBADFILE) { @@ -27099,6 +27099,7 @@ static int test_wc_PKCS7_EncodeSignedData(void) wc_PKCS7_Free(pkcs7); DoExpectIntEQ(wc_FreeRng(&rng), 0); + #endif return EXPECT_RESULT(); } /* END test_wc_PKCS7_EncodeSignedData */ @@ -28008,6 +28009,83 @@ static int test_wc_PKCS7_VerifySignedData_RSA(void) #endif /* !NO_PKCS7_STREAM */ #endif /* !NO_RSA */ +#if defined(ASN_BER_TO_DER) && !defined(NO_PKCS7_STREAM) && \ + !defined(NO_FILESYSTEM) + { + XFILE signedBundle = XBADFILE; + int signedBundleSz = 0; + int chunkSz = 1; + int i, rc; + byte* buf = NULL; + + ExpectTrue((signedBundle = XFOPEN("./certs/test-stream-sign.p7b", + "rb")) != XBADFILE); + ExpectTrue(XFSEEK(signedBundle, 0, XSEEK_END) == 0); + ExpectIntGT(signedBundleSz = (int)XFTELL(signedBundle), 0); + ExpectTrue(XFSEEK(signedBundle, 0, XSEEK_SET) == 0); + ExpectNotNull(buf = (byte*)XMALLOC(signedBundleSz, HEAP_HINT, + DYNAMIC_TYPE_FILE)); + if (buf != NULL) { + ExpectIntEQ(XFREAD(buf, 1, signedBundleSz, signedBundle), + signedBundleSz); + } + if (signedBundle != XBADFILE) { + XFCLOSE(signedBundle); + signedBundle = XBADFILE; + } + + if (buf != NULL) { + ExpectNotNull(pkcs7 = wc_PKCS7_New(HEAP_HINT, testDevId)); + ExpectIntEQ(wc_PKCS7_InitWithCert(pkcs7, NULL, 0), 0); + for (i = 0; i < signedBundleSz;) { + int sz = (i + chunkSz > signedBundleSz)? signedBundleSz - i : + chunkSz; + rc = wc_PKCS7_VerifySignedData(pkcs7, buf + i, sz); + if (rc < 0 ) { + if (rc == WC_PKCS7_WANT_READ_E) { + i += sz; + continue; + } + break; + } + else { + break; + } + } + ExpectIntEQ(rc, PKCS7_SIGNEEDS_CHECK); + wc_PKCS7_Free(pkcs7); + pkcs7 = NULL; + } + + /* now try with malformed bundle */ + if (buf != NULL) { + ExpectNotNull(pkcs7 = wc_PKCS7_New(HEAP_HINT, testDevId)); + ExpectIntEQ(wc_PKCS7_InitWithCert(pkcs7, NULL, 0), 0); + buf[signedBundleSz - 2] = buf[signedBundleSz - 2] + 1; + for (i = 0; i < signedBundleSz;) { + int sz = (i + chunkSz > signedBundleSz)? signedBundleSz - i : + chunkSz; + rc = wc_PKCS7_VerifySignedData(pkcs7, buf + i, sz); + if (rc < 0 ) { + if (rc == WC_PKCS7_WANT_READ_E) { + i += sz; + continue; + } + break; + } + else { + break; + } + } + ExpectIntEQ(rc, ASN_PARSE_E); + wc_PKCS7_Free(pkcs7); + pkcs7 = NULL; + } + + if (buf != NULL) + XFREE(buf, HEAP_HINT, DYNAMIC_TYPE_FILE); + } +#endif /* BER and stream */ #endif return EXPECT_RESULT(); } /* END test_wc_PKCS7_VerifySignedData()_RSA */ diff --git a/wolfcrypt/src/pkcs7.c b/wolfcrypt/src/pkcs7.c index 5cfdfe809..130560919 100644 --- a/wolfcrypt/src/pkcs7.c +++ b/wolfcrypt/src/pkcs7.c @@ -6012,12 +6012,10 @@ static int PKCS7_VerifySignedData(PKCS7* pkcs7, const byte* hashBuf, } } - if (ret < 0) - break; - #ifndef NO_PKCS7_STREAM /* make sure that terminating zero's follow */ - if (ret >= 0 && pkcs7->stream->indefLen == 1) { + if ((ret == PKCS7_SIGNEEDS_CHECK || ret >= 0) && + pkcs7->stream->indefLen == 1) { int i; for (i = 0; i < 3 * ASN_INDEF_END_SZ; i++) { if (pkiMsg2[idx + i] != 0) { @@ -6026,9 +6024,11 @@ static int PKCS7_VerifySignedData(PKCS7* pkcs7, const byte* hashBuf, } } } + #endif /* NO_PKCS7_STREAM */ + if (ret < 0) break; - #endif /* NO_PKCS7_STREAM */ + ret = 0; /* success */ #ifndef NO_PKCS7_STREAM