From a75b95facc280245df54f553e6df70ec9bdd9653 Mon Sep 17 00:00:00 2001 From: Chris Conlon Date: Thu, 16 Jan 2014 13:29:37 -0700 Subject: [PATCH] more comments to PKCS#7 files --- ctaocrypt/src/pkcs7.c | 23 ++++++++++++++++++----- cyassl/ctaocrypt/pkcs7.h | 7 ++++--- 2 files changed, 22 insertions(+), 8 deletions(-) diff --git a/ctaocrypt/src/pkcs7.c b/ctaocrypt/src/pkcs7.c index 2dc3bcd3c..7705a92be 100644 --- a/ctaocrypt/src/pkcs7.c +++ b/ctaocrypt/src/pkcs7.c @@ -39,9 +39,12 @@ } #endif + +/* placed ASN.1 contentType OID into *output, return idx on success, + * 0 upon failure */ CYASSL_LOCAL int SetContentType(int pkcs7TypeOID, byte* output) { - /* PKCS#7 content types */ + /* PKCS#7 content types, RFC 2315, section 14 */ static const byte pkcs7[] = { 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07 }; static const byte data[] = { 0x2A, 0x86, 0x48, 0x86, 0xF7, @@ -114,6 +117,8 @@ CYASSL_LOCAL int SetContentType(int pkcs7TypeOID, byte* output) } + +/* get ASN.1 contentType OID sum, return 0 on success, <0 on failure */ int GetContentType(const byte* input, word32* inOutIdx, word32* oid, word32 maxIdx) { @@ -142,6 +147,7 @@ int GetContentType(const byte* input, word32* inOutIdx, word32* oid, } +/* init PKCS7 struct with recipient cert, decode into DecodedCert */ int PKCS7_InitWithCert(PKCS7* pkcs7, byte* cert, word32 certSz) { int ret = 0; @@ -172,6 +178,7 @@ int PKCS7_InitWithCert(PKCS7* pkcs7, byte* cert, word32 certSz) } +/* build PKCS#7 data content type */ int PKCS7_EncodeData(PKCS7* pkcs7, byte* output, word32 outputSz) { static const byte oid[] = @@ -301,6 +308,7 @@ static int FlattenAttributes(byte* output, EncodedAttrib* ea, int eaSz) } +/* build PKCS#7 signedData content type */ int PKCS7_EncodeSignedData(PKCS7* pkcs7, byte* output, word32 outputSz) { static const byte outerOid[] = @@ -641,6 +649,7 @@ CYASSL_LOCAL int CreateRecipientInfo(const byte* cert, word32 certSz, } +/* build PKCS#7 envelopedData content type, return enveloped size */ int PKCS7_EncodeEnvelopeData(PKCS7* pkcs7, byte* output, word32 outputSz) { int i, idx = 0; @@ -680,6 +689,7 @@ int PKCS7_EncodeEnvelopeData(PKCS7* pkcs7, byte* output, word32 outputSz) if (output == NULL || outputSz == 0) return BAD_FUNC_ARG; + /* PKCS#7 only supports DES, 3DES for now */ switch (pkcs7->encryptOID) { case DESb: blockKeySz = DES_KEYLEN; @@ -697,7 +707,7 @@ int PKCS7_EncodeEnvelopeData(PKCS7* pkcs7, byte* output, word32 outputSz) /* outer content type */ outerContentTypeSz = SetContentType(ENVELOPED_DATA, outerContentType); - /* version */ + /* version, defined as 0 in RFC 2315 */ verSz = SetMyVersion(0, ver, 0); /* generate random content encryption key */ @@ -726,7 +736,7 @@ int PKCS7_EncodeEnvelopeData(PKCS7* pkcs7, byte* output, word32 outputSz) if (contentEncAlgoSz == 0) return BAD_FUNC_ARG; - /* allocate memory for encrypted content, pad if necessary */ + /* allocate encrypted content buffer, pad if necessary, PKCS#7 padding */ padSz = DES_BLOCK_SIZE - (pkcs7->contentSz % DES_BLOCK_SIZE); desOutSz = pkcs7->contentSz + padSz; @@ -839,6 +849,7 @@ int PKCS7_EncodeEnvelopeData(PKCS7* pkcs7, byte* output, word32 outputSz) return idx; } +/* unwrap and decrypt PKCS#7 envelopedData object, return decoded size */ CYASSL_API int PKCS7_DecodeEnvelopedData(PKCS7* pkcs7, byte* pkiMsg, word32 pkiMsgSz, byte* output, word32 outputSz) @@ -890,7 +901,7 @@ CYASSL_API int PKCS7_DecodeEnvelopedData(PKCS7* pkcs7, byte* pkiMsg, idx = 0; - /* read past ContentInfo, verify type */ + /* read past ContentInfo, verify type is envelopedData */ if (GetSequence(pkiMsg, &idx, &length, pkiMsgSz) < 0) return ASN_PARSE_E; @@ -908,7 +919,7 @@ CYASSL_API int PKCS7_DecodeEnvelopedData(PKCS7* pkcs7, byte* pkiMsg, if (GetLength(pkiMsg, &idx, &length, pkiMsgSz) < 0) return ASN_PARSE_E; - /* remove EnvelopedData */ + /* remove EnvelopedData and version */ if (GetSequence(pkiMsg, &idx, &length, pkiMsgSz) < 0) return ASN_PARSE_E; @@ -960,6 +971,7 @@ CYASSL_API int PKCS7_DecodeEnvelopedData(PKCS7* pkcs7, byte* pkiMsg, if (GetNameHash(pkiMsg, &idx, issuerHash, pkiMsgSz) < 0) return ASN_PARSE_E; + /* if we found correct recipient, issuer hashes will match */ if (XMEMCMP(issuerHash, decoded.issuerHash, SHA_DIGEST_SIZE) == 0) { recipFound = 1; } @@ -970,6 +982,7 @@ CYASSL_API int PKCS7_DecodeEnvelopedData(PKCS7* pkcs7, byte* pkiMsg, if (GetAlgoId(pkiMsg, &idx, &encOID, pkiMsgSz) < 0) return ASN_PARSE_E; + /* key encryption algorithm must be RSA for now */ if (encOID != RSAk) return ALGO_ID_E; diff --git a/cyassl/ctaocrypt/pkcs7.h b/cyassl/ctaocrypt/pkcs7.h index 73fc96b4e..8dad31748 100644 --- a/cyassl/ctaocrypt/pkcs7.h +++ b/cyassl/ctaocrypt/pkcs7.h @@ -35,8 +35,9 @@ extern "C" { #endif +/* PKCS#7 content types, ref RFC 2315 (Section 14) */ enum PKCS7_TYPES { - PKCS7_MSG = 650, /* 1.2.840.113549.1.7 */ + PKCS7_MSG = 650, /* 1.2.840.113549.1.7 */ DATA = 651, /* 1.2.840.113549.1.7.1 */ SIGNED_DATA = 652, /* 1.2.840.113549.1.7.2 */ ENVELOPED_DATA = 653, /* 1.2.840.113549.1.7.3 */ @@ -46,8 +47,8 @@ enum PKCS7_TYPES { }; enum Pkcs7_Misc { - MAX_ENCRYPTED_KEY_SZ = 512, /* max enc. key size, RSA <= 4096 */ - MAX_CONTENT_KEY_LEN = DES3_KEYLEN, + MAX_ENCRYPTED_KEY_SZ = 512, /* max enc. key size, RSA <= 4096 */ + MAX_CONTENT_KEY_LEN = DES3_KEYLEN, /* highest current cipher is 3DES */ MAX_RECIP_SZ = MAX_VERSION_SZ + MAX_SEQ_SZ + ASN_NAME_MAX + MAX_SN_SZ + MAX_SEQ_SZ + MAX_ALGO_SZ + 1 + MAX_ENCRYPTED_KEY_SZ