feedc0de/wolfssl
1
0
Fork 0
forked from wolfSSL/wolfssl
Code Pull Requests Activity

Merge pull request #8520 from JacobBarthelmeh/pkcs7_verify_stream

Browse Source 
PKCS7 verify and decode indefinite length support
This commit is contained in:
Daniel Pouzzner
2025-03-07 18:47:30 -06:00
committed by GitHub
parent 27ed748867 8dd614430a
commit c3f24568ff
7 changed files with 920 additions and 401 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
certs/include.am
View File

@@ -53,6 +53,7 @@ EXTRA_DIST += \
certs/wolfssl-website-ca.pem \ certs/wolfssl-website-ca.pem \
certs/test-degenerate.p7b \ certs/test-degenerate.p7b \
certs/test-stream-sign.p7b \ certs/test-stream-sign.p7b \
certs/test-stream-dec.p7b \
certs/test-ber-exp02-05-2022.p7b \ certs/test-ber-exp02-05-2022.p7b \
certs/test-servercert.p12 \ certs/test-servercert.p12 \
certs/test-servercert-rc2.p12 \ certs/test-servercert-rc2.p12 \

5
certs/renewcerts.sh
View File

@@ -858,6 +858,11 @@ run_renewcerts(){
openssl smime -sign -in ./ca-cert.pem -out test-stream-sign.p7b -signer ./ca-cert.pem -nodetach -nocerts -binary -outform DER -stream -inkey ./ca-key.pem openssl smime -sign -in ./ca-cert.pem -out test-stream-sign.p7b -signer ./ca-cert.pem -nodetach -nocerts -binary -outform DER -stream -inkey ./ca-key.pem
check_result $? "" check_result $? ""
echo "Creating test-stream-dec.p7b..."
echo ""
openssl cms -encrypt -in ca-cert.pem -recip client-cert.pem -out test-stream-dec.p7b -outform DER -stream
check_result $? ""
echo "End of section" echo "End of section"
echo "---------------------------------------------------------------------" echo "---------------------------------------------------------------------"

BIN
certs/test-stream-dec.p7b Normal file
View File

Binary file not shown.

90
tests/api.c
View File

@@ -39219,6 +39219,95 @@ static int myCEKwrapFunc(PKCS7* pkcs7, byte* cek, word32 cekSz, byte* keyId,
#endif /* HAVE_PKCS7 && !NO_AES && HAVE_AES_CBC && !NO_AES_256 */ #endif /* HAVE_PKCS7 && !NO_AES && HAVE_AES_CBC && !NO_AES_256 */
#if defined(HAVE_PKCS7) && defined(ASN_BER_TO_DER)
#define MAX_TEST_DECODE_SIZE 6000
static int test_wc_PKCS7_DecodeEnvelopedData_stream_decrypt_cb(wc_PKCS7* pkcs7,
const byte* output, word32 outputSz, void* ctx) {
WOLFSSL_BUFFER_INFO* out = (WOLFSSL_BUFFER_INFO*)ctx;
if (out == NULL) {
return -1;
}
if (outputSz + out->length > MAX_TEST_DECODE_SIZE) {
printf("Example buffer size needs increased");
}
/* printf("Decoded in %d bytes\n", outputSz);
* for (word32 z = 0; z < outputSz; z++) printf("%02X", output[z]);
* printf("\n");
*/
XMEMCPY(out->buffer + out->length, output, outputSz);
out->length += outputSz;
(void)pkcs7;
return 0;
}
#endif /* HAVE_PKCS7 && ASN_BER_TO_DER */
/*
* Testing wc_PKCS7_DecodeEnvelopedData with streaming
*/
static int test_wc_PKCS7_DecodeEnvelopedData_stream(void)
{
#if defined(HAVE_PKCS7) && defined(ASN_BER_TO_DER)
EXPECT_DECLS;
PKCS7* pkcs7 = NULL;
int ret = 0;
XFILE f = XBADFILE;
const char* testStream = "./certs/test-stream-dec.p7b";
byte testStreamBuffer[100];
size_t testStreamBufferSz = 0;
byte decodedData[MAX_TEST_DECODE_SIZE]; /* large enough to hold result of decode, which is ca-cert.pem */
WOLFSSL_BUFFER_INFO out;
out.length = 0;
out.buffer = decodedData;
ExpectNotNull(pkcs7 = wc_PKCS7_New(HEAP_HINT, testDevId));
ExpectIntEQ(wc_PKCS7_InitWithCert(pkcs7, (byte*)client_cert_der_2048,
sizeof_client_cert_der_2048), 0);
ExpectIntEQ(wc_PKCS7_SetKey(pkcs7, (byte*)client_key_der_2048,
sizeof_client_key_der_2048), 0);
ExpectIntEQ(wc_PKCS7_SetStreamMode(pkcs7, 1, NULL,
test_wc_PKCS7_DecodeEnvelopedData_stream_decrypt_cb, (void*)&out), 0);
ExpectTrue((f = XFOPEN(testStream, "rb")) != XBADFILE);
if (EXPECT_SUCCESS()) {
do {
testStreamBufferSz = XFREAD(testStreamBuffer, 1,
sizeof(testStreamBuffer), f);
if (testStreamBufferSz == 0) {
break;
}
ret = wc_PKCS7_DecodeEnvelopedData(pkcs7, testStreamBuffer,
(word32)testStreamBufferSz, NULL, 0);
if (testStreamBufferSz < sizeof(testStreamBuffer)) {
break;
}
} while (ret == WC_NO_ERR_TRACE(WC_PKCS7_WANT_READ_E));
#ifdef NO_DES3
ExpectIntEQ(ret, ALGO_ID_E);
#else
ExpectIntGT(ret, 0);
#endif
}
if (f != XBADFILE) {
XFCLOSE(f);
f = XBADFILE;
}
wc_PKCS7_Free(pkcs7);
return EXPECT_RESULT();
#else
return TEST_SKIPPED;
#endif
} /* END test_wc_PKCS7_DecodeEnvelopedData_stream() */
/* /*
* Testing wc_PKCS7_EncodeEnvelopedData() * Testing wc_PKCS7_EncodeEnvelopedData()
*/ */
@@ -89473,6 +89562,7 @@ TEST_CASE testCases[] = {
TEST_DECL(test_wc_PKCS7_EncodeSignedData_ex), TEST_DECL(test_wc_PKCS7_EncodeSignedData_ex),
TEST_DECL(test_wc_PKCS7_VerifySignedData_RSA), TEST_DECL(test_wc_PKCS7_VerifySignedData_RSA),
TEST_DECL(test_wc_PKCS7_VerifySignedData_ECC), TEST_DECL(test_wc_PKCS7_VerifySignedData_ECC),
TEST_DECL(test_wc_PKCS7_DecodeEnvelopedData_stream),
TEST_DECL(test_wc_PKCS7_EncodeDecodeEnvelopedData), TEST_DECL(test_wc_PKCS7_EncodeDecodeEnvelopedData),
TEST_DECL(test_wc_PKCS7_EncodeEncryptedData), TEST_DECL(test_wc_PKCS7_EncodeEncryptedData),
TEST_DECL(test_wc_PKCS7_Degenerate), TEST_DECL(test_wc_PKCS7_Degenerate),

1202
wolfcrypt/src/pkcs7.c
View File

File diff suppressed because it is too large Load Diff

8
wolfcrypt/test/test.c
View File

@@ -53195,7 +53195,8 @@ static wc_test_ret_t verifyBundle(byte* derBuf, word32 derSz, int keyHint)
#endif /* !NO_SHA */ #endif /* !NO_SHA */
}; };
decoded = (byte *)XMALLOC(decodedSz, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); decoded = (byte *)XMALLOC((word32)decodedSz, HEAP_HINT,
DYNAMIC_TYPE_TMP_BUFFER);
if (decoded == NULL) { if (decoded == NULL) {
ret = MEMORY_E; ret = MEMORY_E;
goto out; goto out;
@@ -53353,7 +53354,8 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t pkcs7encrypted_test(void)
{ {
wc_test_ret_t ret = 0; wc_test_ret_t ret = 0;
int i, testSz; int i, testSz;
int encryptedSz, decodedSz, attribIdx; int encryptedSz, decodedSz;
word32 attribIdx;
wc_PKCS7* pkcs7; wc_PKCS7* pkcs7;
byte *encrypted; byte *encrypted;
byte *decoded; byte *decoded;
@@ -54721,7 +54723,7 @@ static wc_test_ret_t pkcs7signed_run_SingleShotVectors(
ERROR_OUT(WC_TEST_RET_ENC_EC(ret), out); ERROR_OUT(WC_TEST_RET_ENC_EC(ret), out);
/* compare decrypted to expected */ /* compare decrypted to expected */
if (((word32)ret != testVectors[i].contentSz) || if (((word32)ret != testVectors[i].contentSz) ||
XMEMCMP(out, testVectors[i].content, ret)) XMEMCMP(out, testVectors[i].content, (word32)ret))
ERROR_OUT(WC_TEST_RET_ENC_NC, out); ERROR_OUT(WC_TEST_RET_ENC_NC, out);
} }
#endif #endif

15
wolfssl/wolfcrypt/pkcs7.h
View File

@@ -243,6 +243,7 @@ typedef int (*CallbackRsaSignRawDigest)(wc_PKCS7* pkcs7, byte* digest,
int devId, int hashOID); int devId, int hashOID);
#endif #endif
/* Public Structure Warning: /* Public Structure Warning:
* Existing members must not be changed to maintain backwards compatibility! * Existing members must not be changed to maintain backwards compatibility!
*/ */
@@ -258,6 +259,7 @@ struct wc_PKCS7 {
#ifdef ASN_BER_TO_DER #ifdef ASN_BER_TO_DER
byte* der; /* DER encoded version of message */ byte* der; /* DER encoded version of message */
word32 derSz; word32 derSz;
byte indefDepth;
CallbackGetContent getContentCb; CallbackGetContent getContentCb;
CallbackStreamOut streamOutCb; CallbackStreamOut streamOutCb;
void* streamCtx; /* passed to getcontentCb and streamOutCb */ void* streamCtx; /* passed to getcontentCb and streamOutCb */
@@ -372,6 +374,19 @@ struct wc_PKCS7 {
byte* customSKID; byte* customSKID;
word16 customSKIDSz; word16 customSKIDSz;
#if !defined(NO_DES3) || !defined(NO_AES)
union {
#ifndef NO_AES
Aes* aes;
#endif
#ifndef NO_DES3
Des* des;
Des3* des3;
#endif
} decryptKey;
#endif
/* !! NEW DATA MEMBERS MUST BE ADDED AT END !! */ /* !! NEW DATA MEMBERS MUST BE ADDED AT END !! */
}; };