Added support for building and using PKCS7 without RSA (assuming ECC is enabled).

This commit is contained in:
David Garske
2018-04-03 09:26:57 -07:00
parent adb817e8d2
commit c288d0815d
3 changed files with 127 additions and 13 deletions

View File

@@ -3907,8 +3907,9 @@ AS_IF([test "x$ENABLED_OCSP" = "xyes" && \
# checks for pkcs7 needed enables # checks for pkcs7 needed enables
AS_IF([test "x$ENABLED_PKCS7" = "xyes" && \ AS_IF([test "x$ENABLED_PKCS7" = "xyes" && \
test "x$ENABLED_RSA" = "xno"], test "x$ENABLED_RSA" = "xno" && \
[AC_MSG_ERROR([please enable rsa if enabling pkcs7.])]) test "x$ENABLED_ECC" = "xno"],
[AC_MSG_ERROR([please enable ecc or rsa if enabling pkcs7.])])
AS_IF([test "x$ENABLED_PKCS7" = "xyes" && \ AS_IF([test "x$ENABLED_PKCS7" = "xyes" && \
test "x$ENABLED_SHA" = "xno"], test "x$ENABLED_SHA" = "xno"],

View File

@@ -307,6 +307,9 @@
#ifndef USE_CERT_BUFFERS_2048 #ifndef USE_CERT_BUFFERS_2048
#define USE_CERT_BUFFERS_2048 #define USE_CERT_BUFFERS_2048
#endif #endif
#ifndef USE_CERT_BUFFERS_256
#define USE_CERT_BUFFERS_256
#endif
#include <wolfssl/certs_test.h> #include <wolfssl/certs_test.h>
typedef struct testVector { typedef struct testVector {
@@ -13918,6 +13921,7 @@ static void test_wc_PKCS7_InitWithCert (void)
#if defined(HAVE_PKCS7) #if defined(HAVE_PKCS7)
PKCS7 pkcs7; PKCS7 pkcs7;
#ifndef NO_RSA
#if defined(USE_CERT_BUFFERS_2048) #if defined(USE_CERT_BUFFERS_2048)
unsigned char cert[sizeof_client_cert_der_2048]; unsigned char cert[sizeof_client_cert_der_2048];
int certSz = (int)sizeof(cert); int certSz = (int)sizeof(cert);
@@ -13932,14 +13936,33 @@ static void test_wc_PKCS7_InitWithCert (void)
unsigned char cert[ONEK_BUF]; unsigned char cert[ONEK_BUF];
FILE* fp; FILE* fp;
int certSz; int certSz;
fp = fopen("./certs/client_cert_der_1024", "rb"); fp = fopen("./certs/1024/client-cert.der", "rb");
AssertNotNull(fp); AssertNotNull(fp);
certSz = fread(cert, 1, sizeof_client_cert_der_1024, fp); certSz = fread(cert, 1, sizeof_client_cert_der_1024, fp);
fclose(fp); fclose(fp);
#endif #endif
#elif defined(HAVE_ECC)
#if defined(USE_CERT_BUFFERS_256)
unsigned char cert[sizeof_cliecc_cert_der_256];
int certSz = (int)sizeof(cert);
XMEMSET(cert, 0, certSz);
XMEMCPY(cert, cliecc_cert_der_256, sizeof_cliecc_cert_der_256);
#else
unsigned char cert[ONEK_BUF];
FILE* fp;
int certSz;
fp = fopen("./certs/client-ecc-cert.der", "rb");
AssertNotNull(fp);
certSz = fread(cert, 1, sizeof_cliecc_cert_der_256, fp);
fclose(fp);
#endif
#else
#error PKCS7 requires ECC or RSA
#endif
printf(testingFmt, "wc_PKCS7_InitWithCert()"); printf(testingFmt, "wc_PKCS7_InitWithCert()");
/* If initialization is not successful, it's free'd in init func. */ /* If initialization is not successful, it's free'd in init func. */
AssertIntEQ(wc_PKCS7_InitWithCert(&pkcs7, (byte*)cert, (word32)certSz), 0); AssertIntEQ(wc_PKCS7_InitWithCert(&pkcs7, (byte*)cert, (word32)certSz), 0);
@@ -13972,6 +13995,7 @@ static void test_wc_PKCS7_EncodeData (void)
byte output[FOURK_BUF]; byte output[FOURK_BUF];
byte data[] = "My encoded DER cert."; byte data[] = "My encoded DER cert.";
#ifndef NO_RSA
#if defined(USE_CERT_BUFFERS_2048) #if defined(USE_CERT_BUFFERS_2048)
unsigned char cert[sizeof_client_cert_der_2048]; unsigned char cert[sizeof_client_cert_der_2048];
unsigned char key[sizeof_client_key_der_2048]; unsigned char key[sizeof_client_key_der_2048];
@@ -13998,16 +14022,43 @@ static void test_wc_PKCS7_EncodeData (void)
int certSz; int certSz;
int keySz; int keySz;
fp = fopen("./certs/client_cert_der_1024", "rb"); fp = fopen("./certs/1024/client-cert.der", "rb");
AssertNotNull(fp); AssertNotNull(fp);
certSz = fread(cert, 1, sizeof_client_cert_der_1024, fp); certSz = fread(cert, 1, sizeof_client_cert_der_1024, fp);
fclose(fp); fclose(fp);
fp = fopen("./certs/client_key_der_1024", "rb"); fp = fopen("./certs/1024/client-key.der", "rb");
AssertNotNull(fp); AssertNotNull(fp);
keySz = fread(key, 1, sizeof_client_key_der_1024, fp); keySz = fread(key, 1, sizeof_client_key_der_1024, fp);
fclose(fp); fclose(fp);
#endif #endif
#elif defined(HAVE_ECC)
#if defined(USE_CERT_BUFFERS_256)
unsigned char cert[sizeof_cliecc_cert_der_256];
unsigned char key[sizeof_ecc_clikey_der_256];
int certSz = (int)sizeof(cert);
int keySz = (int)sizeof(key);
XMEMSET(cert, 0, certSz);
XMEMSET(key, 0, keySz);
XMEMCPY(cert, cliecc_cert_der_256, sizeof_cliecc_cert_der_256);
XMEMCPY(key, ecc_clikey_der_256, sizeof_ecc_clikey_der_256);
#else
unsigned char cert[ONEK_BUF];
unsigned char key[ONEK_BUF];
FILE* fp;
int certSz, keySz;
fp = fopen("./certs/client-ecc-cert.der", "rb");
AssertNotNull(fp);
certSz = fread(cert, 1, sizeof_cliecc_cert_der_256, fp);
fclose(fp);
fp = fopen("./certs/client-ecc-key.der", "rb");
AssertNotNull(fp);
keySz = fread(key, 1, sizeof_ecc_clikey_der_256, fp);
fclose(fp);
#endif
#endif
XMEMSET(output, 0, sizeof(output)); XMEMSET(output, 0, sizeof(output));
@@ -14049,6 +14100,7 @@ static void test_wc_PKCS7_EncodeSignedData (void)
word32 badOutSz = (word32)sizeof(badOut); word32 badOutSz = (word32)sizeof(badOut);
byte data[] = "Test data to encode."; byte data[] = "Test data to encode.";
#ifndef NO_RSA
#if defined(USE_CERT_BUFFERS_2048) #if defined(USE_CERT_BUFFERS_2048)
byte key[sizeof_client_key_der_2048]; byte key[sizeof_client_key_der_2048];
byte cert[sizeof_client_cert_der_2048]; byte cert[sizeof_client_cert_der_2048];
@@ -14074,16 +14126,43 @@ static void test_wc_PKCS7_EncodeSignedData (void)
int certSz; int certSz;
int keySz; int keySz;
fp = fopen("./certs/client_cert_der_1024", "rb"); fp = fopen("./certs/1024/client-cert.der", "rb");
AssertNotNull(fp); AssertNotNull(fp);
certSz = fread(cert, 1, sizeof_client_cert_der_1024, fp); certSz = fread(cert, 1, sizeof_client_cert_der_1024, fp);
fclose(fp); fclose(fp);
fp = fopen("./certs/client_key_der_1024", "rb"); fp = fopen("./certs/1024/client-key.der", "rb");
AssertNotNull(fp); AssertNotNull(fp);
keySz = fread(key, 1, sizeof_client_key_der_1024, fp); keySz = fread(key, 1, sizeof_client_key_der_1024, fp);
fclose(fp); fclose(fp);
#endif #endif
#elif defined(HAVE_ECC)
#if defined(USE_CERT_BUFFERS_256)
unsigned char cert[sizeof_cliecc_cert_der_256];
unsigned char key[sizeof_ecc_clikey_der_256];
int certSz = (int)sizeof(cert);
int keySz = (int)sizeof(key);
XMEMSET(cert, 0, certSz);
XMEMSET(key, 0, keySz);
XMEMCPY(cert, cliecc_cert_der_256, sizeof_cliecc_cert_der_256);
XMEMCPY(key, ecc_clikey_der_256, sizeof_ecc_clikey_der_256);
#else
unsigned char cert[ONEK_BUF];
unsigned char key[ONEK_BUF];
FILE* fp;
int certSz, keySz;
fp = fopen("./certs/client-ecc-cert.der", "rb");
AssertNotNull(fp);
certSz = fread(cert, 1, sizeof_cliecc_cert_der_256, fp);
fclose(fp);
fp = fopen("./certs/client-ecc-key.der", "rb");
AssertNotNull(fp);
keySz = fread(key, 1, sizeof_ecc_clikey_der_256, fp);
fclose(fp);
#endif
#endif
XMEMSET(output, 0, outputSz); XMEMSET(output, 0, outputSz);
AssertIntEQ(wc_InitRng(&rng), 0); AssertIntEQ(wc_InitRng(&rng), 0);
@@ -14135,6 +14214,7 @@ static void test_wc_PKCS7_VerifySignedData(void)
word32 badOutSz = (word32)sizeof(badOut); word32 badOutSz = (word32)sizeof(badOut);
byte data[] = "Test data to encode."; byte data[] = "Test data to encode.";
#ifndef NO_RSA
#if defined(USE_CERT_BUFFERS_2048) #if defined(USE_CERT_BUFFERS_2048)
byte key[sizeof_client_key_der_2048]; byte key[sizeof_client_key_der_2048];
byte cert[sizeof_client_cert_der_2048]; byte cert[sizeof_client_cert_der_2048];
@@ -14160,16 +14240,43 @@ static void test_wc_PKCS7_VerifySignedData(void)
int certSz; int certSz;
int keySz; int keySz;
fp = fopen("./certs/client_cert_der_1024", "rb"); fp = fopen("./certs/1024/client-cert.der", "rb");
AssertNotNull(fp); AssertNotNull(fp);
certSz = fread(cert, 1, sizeof_client_cert_der_1024, fp); certSz = fread(cert, 1, sizeof_client_cert_der_1024, fp);
fclose(fp); fclose(fp);
fp = fopen("./certs/client_key_der_1024", "rb"); fp = fopen("./certs/1024/client-key.der", "rb");
AssertNotNull(fp); AssertNotNull(fp);
keySz = fread(key, 1, sizeof_client_key_der_1024, fp); keySz = fread(key, 1, sizeof_client_key_der_1024, fp);
fclose(fp); fclose(fp);
#endif #endif
#elif defined(HAVE_ECC)
#if defined(USE_CERT_BUFFERS_256)
unsigned char cert[sizeof_cliecc_cert_der_256];
unsigned char key[sizeof_ecc_clikey_der_256];
int certSz = (int)sizeof(cert);
int keySz = (int)sizeof(key);
XMEMSET(cert, 0, certSz);
XMEMSET(key, 0, keySz);
XMEMCPY(cert, cliecc_cert_der_256, sizeof_cliecc_cert_der_256);
XMEMCPY(key, ecc_clikey_der_256, sizeof_ecc_clikey_der_256);
#else
unsigned char cert[ONEK_BUF];
unsigned char key[ONEK_BUF];
FILE* fp;
int certSz, keySz;
fp = fopen("./certs/client-ecc-cert.der", "rb");
AssertNotNull(fp);
certSz = fread(cert, 1, sizeof_cliecc_cert_der_256, fp);
fclose(fp);
fp = fopen("./certs/client-ecc-key.der", "rb");
AssertNotNull(fp);
keySz = fread(key, 1, sizeof_ecc_clikey_der_256, fp);
fclose(fp);
#endif
#endif
XMEMSET(output, 0, outputSz); XMEMSET(output, 0, outputSz);
AssertIntEQ(wc_InitRng(&rng), 0); AssertIntEQ(wc_InitRng(&rng), 0);

View File

@@ -2908,6 +2908,7 @@ static int wc_CreateKeyAgreeRecipientInfo(PKCS7* pkcs7, const byte* cert,
#endif /* HAVE_ECC */ #endif /* HAVE_ECC */
#ifndef NO_RSA
/* create ASN.1 formatted RecipientInfo structure, returns sequence size */ /* create ASN.1 formatted RecipientInfo structure, returns sequence size */
static int wc_CreateRecipientInfo(const byte* cert, word32 certSz, static int wc_CreateRecipientInfo(const byte* cert, word32 certSz,
@@ -3128,6 +3129,7 @@ static int wc_CreateRecipientInfo(const byte* cert, word32 certSz,
return totalSz; return totalSz;
} }
#endif /* !NO_RSA */
/* encrypt content using encryptOID algo */ /* encrypt content using encryptOID algo */
@@ -3457,7 +3459,7 @@ int wc_PKCS7_EncodeEnvelopedData(PKCS7* pkcs7, byte* output, word32 outputSz)
/* build RecipientInfo, only handle 1 for now */ /* build RecipientInfo, only handle 1 for now */
switch (pkcs7->publicKeyOID) { switch (pkcs7->publicKeyOID) {
#ifndef NO_RSA
case RSAk: case RSAk:
recipSz = wc_CreateRecipientInfo(pkcs7->singleCert, recipSz = wc_CreateRecipientInfo(pkcs7->singleCert,
pkcs7->singleCertSz, pkcs7->singleCertSz,
@@ -3466,7 +3468,7 @@ int wc_PKCS7_EncodeEnvelopedData(PKCS7* pkcs7, byte* output, word32 outputSz)
contentKeyEnc, &contentKeyEncSz, recip, contentKeyEnc, &contentKeyEncSz, recip,
MAX_RECIP_SZ, pkcs7->heap); MAX_RECIP_SZ, pkcs7->heap);
break; break;
#endif
#ifdef HAVE_ECC #ifdef HAVE_ECC
case ECDSAk: case ECDSAk:
recipSz = wc_CreateKeyAgreeRecipientInfo(pkcs7, pkcs7->singleCert, recipSz = wc_CreateKeyAgreeRecipientInfo(pkcs7, pkcs7->singleCert,
@@ -3656,7 +3658,7 @@ int wc_PKCS7_EncodeEnvelopedData(PKCS7* pkcs7, byte* output, word32 outputSz)
return idx; return idx;
} }
#ifndef NO_RSA
/* decode KeyTransRecipientInfo (ktri), return 0 on success, <0 on error */ /* decode KeyTransRecipientInfo (ktri), return 0 on success, <0 on error */
static int wc_PKCS7_DecodeKtri(PKCS7* pkcs7, byte* pkiMsg, word32 pkiMsgSz, static int wc_PKCS7_DecodeKtri(PKCS7* pkcs7, byte* pkiMsg, word32 pkiMsgSz,
word32* idx, byte* decryptedKey, word32* idx, byte* decryptedKey,
@@ -3819,7 +3821,7 @@ static int wc_PKCS7_DecodeKtri(PKCS7* pkcs7, byte* pkiMsg, word32 pkiMsgSz,
return 0; return 0;
} }
#endif /* !NO_RSA */
#ifdef HAVE_ECC #ifdef HAVE_ECC
@@ -4353,12 +4355,16 @@ static int wc_PKCS7_DecodeRecipientInfos(PKCS7* pkcs7, byte* pkiMsg,
if (version != 0) if (version != 0)
return ASN_VERSION_E; return ASN_VERSION_E;
#ifndef NO_RSA
/* found ktri */ /* found ktri */
ret = wc_PKCS7_DecodeKtri(pkcs7, pkiMsg, pkiMsgSz, idx, ret = wc_PKCS7_DecodeKtri(pkcs7, pkiMsg, pkiMsgSz, idx,
decryptedKey, decryptedKeySz, decryptedKey, decryptedKeySz,
recipFound); recipFound);
if (ret != 0) if (ret != 0)
return ret; return ret;
#else
return NOT_COMPILED_IN;
#endif
} }
else { else {
/* kari is IMPLICIT[1] */ /* kari is IMPLICIT[1] */