diff --git a/.gitignore b/.gitignore index 5645c9762..b5d7e99d0 100644 --- a/.gitignore +++ b/.gitignore @@ -175,6 +175,10 @@ pkcs7signedFirmwarePkgData_RSA_SHA256.der pkcs7signedFirmwarePkgData_RSA_SHA256_SKID.der pkcs7signedFirmwarePkgData_RSA_SHA256_noattr.der pkcs7signedFirmwarePkgData_RSA_SHA256_with_ca_cert.der +pkcs7signedEncryptedCompressedFirmwarePkgData_ECDSA_SHA256.der +pkcs7signedEncryptedCompressedFirmwarePkgData_ECDSA_SHA256_noattr.der +pkcs7signedEncryptedCompressedFirmwarePkgData_RSA_SHA256.der +pkcs7signedEncryptedCompressedFirmwarePkgData_RSA_SHA256_noattr.der diff sslSniffer/sslSnifferTest/tracefile.txt tracefile.txt diff --git a/Makefile.am b/Makefile.am index 0f8ed7c78..8f97513cb 100644 --- a/Makefile.am +++ b/Makefile.am @@ -113,7 +113,11 @@ CLEANFILES+= cert.der \ pkcs7signedEncryptedFirmwarePkgData_RSA_SHA256.der \ pkcs7signedEncryptedFirmwarePkgData_RSA_SHA256_noattr.der \ pkcs7signedEncryptedFirmwarePkgData_ECDSA_SHA256.der \ - pkcs7signedEncryptedFirmwarePkgData_ECDSA_SHA256_noattr.der + pkcs7signedEncryptedFirmwarePkgData_ECDSA_SHA256_noattr.der \ + pkcs7signedEncryptedCompressedFirmwarePkgData_ECDSA_SHA256.der \ + pkcs7signedEncryptedCompressedFirmwarePkgData_ECDSA_SHA256_noattr.der \ + pkcs7signedEncryptedCompressedFirmwarePkgData_RSA_SHA256.der \ + pkcs7signedEncryptedCompressedFirmwarePkgData_RSA_SHA256_noattr.der exampledir = $(docdir)/example dist_example_DATA= diff --git a/wolfcrypt/src/pkcs7.c b/wolfcrypt/src/pkcs7.c index ce64e24b3..c38a2972d 100644 --- a/wolfcrypt/src/pkcs7.c +++ b/wolfcrypt/src/pkcs7.c @@ -2003,16 +2003,16 @@ int wc_PKCS7_EncodeSignedEncryptedFPD(PKCS7* pkcs7, byte* encryptKey, /* save encryptedData, reset output buffer and struct */ encrypted = (byte*)XMALLOC(encryptedSz, pkcs7->heap, DYNAMIC_TYPE_PKCS7); if (encrypted == NULL) { - wc_PKCS7_Free(pkcs7); + ForceZero(output, outputSz); return MEMORY_E; } - XMEMSET(encrypted, 0, encryptedSz); XMEMCPY(encrypted, output, encryptedSz); ForceZero(output, outputSz); ret = wc_InitRng(&rng); if (ret != 0) { + ForceZero(encrypted, encryptedSz); XFREE(encrypted, pkcs7->heap, DYNAMIC_TYPE_PKCS7); return ret; } @@ -2032,11 +2032,13 @@ int wc_PKCS7_EncodeSignedEncryptedFPD(PKCS7* pkcs7, byte* encryptKey, ret = wc_PKCS7_EncodeSignedData(pkcs7, output, outputSz); if (ret <= 0) { WOLFSSL_MSG("Error encoding CMS SignedData content type"); + ForceZero(encrypted, encryptedSz); XFREE(encrypted, pkcs7->heap, DYNAMIC_TYPE_PKCS7); wc_FreeRng(&rng); return ret; } + ForceZero(encrypted, encryptedSz); XFREE(encrypted, pkcs7->heap, DYNAMIC_TYPE_PKCS7); wc_FreeRng(&rng); @@ -2101,16 +2103,16 @@ int wc_PKCS7_EncodeSignedCompressedFPD(PKCS7* pkcs7, byte* privateKey, /* save compressedData, reset output buffer and struct */ compressed = (byte*)XMALLOC(compressedSz, pkcs7->heap, DYNAMIC_TYPE_PKCS7); if (compressed == NULL) { - wc_PKCS7_Free(pkcs7); + ForceZero(output, outputSz); return MEMORY_E; } - XMEMSET(compressed, 0, compressedSz); XMEMCPY(compressed, output, compressedSz); ForceZero(output, outputSz); ret = wc_InitRng(&rng); if (ret != 0) { + ForceZero(compressed, compressedSz); XFREE(compressed, pkcs7->heap, DYNAMIC_TYPE_PKCS7); return ret; } @@ -2130,16 +2132,158 @@ int wc_PKCS7_EncodeSignedCompressedFPD(PKCS7* pkcs7, byte* privateKey, ret = wc_PKCS7_EncodeSignedData(pkcs7, output, outputSz); if (ret <= 0) { WOLFSSL_MSG("Error encoding CMS SignedData content type"); + ForceZero(compressed, compressedSz); XFREE(compressed, pkcs7->heap, DYNAMIC_TYPE_PKCS7); wc_FreeRng(&rng); return ret; } + ForceZero(compressed, compressedSz); XFREE(compressed, pkcs7->heap, DYNAMIC_TYPE_PKCS7); wc_FreeRng(&rng); return ret; } + +#ifndef NO_PKCS7_ENCRYPTED_DATA + +/* Single-shot API to generate a CMS SignedData bundle that encapsulates a + * CMS EncryptedData bundle, which then encapsulates a CMS CompressedData + * bundle. Content of inner CompressedData is set to that of FirmwarePkgData. + * Any recipient certificates should be loaded into the PKCS7 structure prior + * to calling this function, using wc_PKCS7_InitWithCert() and/or + * wc_PKCS7_AddCertificate(). + * + * pkcs7 - pointer to initialized PKCS7 struct + * encryptKey - encryption key used for encrypting EncryptedData + * encryptKeySz - size of encryptKey, octets + * privateKey - private RSA/ECC key, used for signing SignedData + * privateKeySz - size of privateKey, octets + * encryptOID - encryption algorithm OID, to be used as encryption + * algorithm for EncryptedData + * signOID - public key algorithm OID, to be used for sign + * operation in SignedData generation + * hashOID - hash algorithm OID, to be used for signature in + * SignedData generation + * content - content to be encapsulated + * contentSz - size of content, octets + * unprotectedAttribs - optional unprotected attributes, for EncryptedData + * unprotectedAttribsSz - number of PKCS7Attrib members in unprotectedAttribs + * signedAttribs - optional signed attributes, for SignedData + * signedAttribsSz - number of PKCS7Attrib members in signedAttribs + * output - output buffer for final bundle + * outputSz - size of output buffer, octets + * + * Returns length of generated bundle on success, negative upon error. */ +int wc_PKCS7_EncodeSignedEncryptedCompressedFPD(PKCS7* pkcs7, byte* encryptKey, + word32 encryptKeySz, byte* privateKey, + word32 privateKeySz, int encryptOID, + int signOID, int hashOID, byte* content, + word32 contentSz, + PKCS7Attrib* unprotectedAttribs, + word32 unprotectedAttribsSz, + PKCS7Attrib* signedAttribs, + word32 signedAttribsSz, + byte* output, word32 outputSz) +{ + int ret = 0, compressedSz = 0, encryptedSz = 0; + byte* compressed = NULL; + byte* encrypted = NULL; + WC_RNG rng; + + if (pkcs7 == NULL || encryptKey == NULL || encryptKeySz == 0 || + privateKey == NULL || privateKeySz == 0 || content == NULL || + contentSz == 0 || output == NULL || outputSz == 0) { + return BAD_FUNC_ARG; + } + + /* 1: build up CompressedData using FirmwarePkgData type, use output + * buffer as tmp for storage and to get size */ + pkcs7->content = content; + pkcs7->contentSz = contentSz; + pkcs7->contentOID = FIRMWARE_PKG_DATA; + + compressedSz = wc_PKCS7_EncodeCompressedData(pkcs7, output, outputSz); + if (compressedSz < 0) { + WOLFSSL_MSG("Error encoding CMS CompressedData content type"); + return compressedSz; + } + + /* save compressedData, reset output buffer and struct */ + compressed = (byte*)XMALLOC(compressedSz, pkcs7->heap, DYNAMIC_TYPE_PKCS7); + if (compressed == NULL) + return MEMORY_E; + + XMEMCPY(compressed, output, compressedSz); + ForceZero(output, outputSz); + + /* 2: build up EncryptedData using CompressedData, use output + * buffer as tmp for storage and to get size */ + pkcs7->content = compressed; + pkcs7->contentSz = compressedSz; + pkcs7->contentOID = COMPRESSED_DATA; + pkcs7->encryptOID = encryptOID; + pkcs7->encryptionKey = encryptKey; + pkcs7->encryptionKeySz = encryptKeySz; + pkcs7->unprotectedAttribs = unprotectedAttribs; + pkcs7->unprotectedAttribsSz = unprotectedAttribsSz; + + encryptedSz = wc_PKCS7_EncodeEncryptedData(pkcs7, output, outputSz); + if (encryptedSz < 0) { + WOLFSSL_MSG("Error encoding CMS EncryptedData content type"); + XFREE(compressed, pkcs7->heap, DYNAMIC_TYPE_PKCS7); + return encryptedSz; + } + + /* save encryptedData, reset output buffer and struct */ + encrypted = (byte*)XMALLOC(encryptedSz, pkcs7->heap, DYNAMIC_TYPE_PKCS7); + if (encrypted == NULL) { + ForceZero(compressed, compressedSz); + XFREE(compressed, pkcs7->heap, DYNAMIC_TYPE_PKCS7); + return MEMORY_E; + } + + XMEMCPY(encrypted, output, encryptedSz); + ForceZero(compressed, compressedSz); + XFREE(compressed, pkcs7->heap, DYNAMIC_TYPE_PKCS7); + ForceZero(output, outputSz); + + ret = wc_InitRng(&rng); + if (ret != 0) { + ForceZero(encrypted, encryptedSz); + XFREE(encrypted, pkcs7->heap, DYNAMIC_TYPE_PKCS7); + return ret; + } + + /* 3: build up SignedData, encapsulating EncryptedData */ + pkcs7->rng = &rng; + pkcs7->content = encrypted; + pkcs7->contentSz = encryptedSz; + pkcs7->contentOID = ENCRYPTED_DATA; + pkcs7->hashOID = hashOID; + pkcs7->encryptOID = signOID; + pkcs7->privateKey = privateKey; + pkcs7->privateKeySz = privateKeySz; + pkcs7->signedAttribs = signedAttribs; + pkcs7->signedAttribsSz = signedAttribsSz; + + ret = wc_PKCS7_EncodeSignedData(pkcs7, output, outputSz); + if (ret <= 0) { + WOLFSSL_MSG("Error encoding CMS SignedData content type"); + ForceZero(encrypted, encryptedSz); + XFREE(encrypted, pkcs7->heap, DYNAMIC_TYPE_PKCS7); + wc_FreeRng(&rng); + return ret; + } + + ForceZero(encrypted, encryptedSz); + XFREE(encrypted, pkcs7->heap, DYNAMIC_TYPE_PKCS7); + wc_FreeRng(&rng); + + return ret; +} + +#endif /* !NO_PKCS7_ENCRYPTED_DATA */ #endif /* HAVE_LIBZ && !NO_PKCS7_COMPRESSED_DATA */ diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c index c23697f5b..6d96b274e 100644 --- a/wolfcrypt/test/test.c +++ b/wolfcrypt/test/test.c @@ -21081,7 +21081,7 @@ static int pkcs7signed_run_SingleShotVectors( "pkcs7signedFirmwarePkgData_RSA_SHA256_with_ca_cert.der", 0, NULL, 0, 0, 0, 0, NULL, 0, NULL, 0}, - #ifdef WOLFSSL_AES_256 + #if defined(WOLFSSL_AES_256) && !defined(NO_PKCS7_ENCRYPTED_DATA) /* Signed Encrypted FirmwarePkgData, RSA, SHA256, no attribs */ {data, (word32)sizeof(data), SHA256h, RSAk, rsaClientPrivKeyBuf, rsaClientPrivKeyBufSz, rsaClientCertBuf, rsaClientCertBufSz, NULL, 0, @@ -21096,7 +21096,7 @@ static int pkcs7signed_run_SingleShotVectors( "pkcs7signedEncryptedFirmwarePkgData_RSA_SHA256.der", 0, NULL, 0, 0, AES256CBCb, 1, aes256Key, sizeof(aes256Key), attribs, (sizeof(attribs)/sizeof(PKCS7Attrib))}, - #endif /* WOLFSSL_AES_256 */ + #endif /* WOLFSSL_AES_256 && !NO_PKCS7_ENCRYPTED_DATA */ #if defined(HAVE_LIBZ) && !defined(NO_PKCS7_COMPRESSED_DATA) /* Signed Compressed FirmwarePkgData, RSA, SHA256, no attribs */ @@ -21112,6 +21112,26 @@ static int pkcs7signed_run_SingleShotVectors( attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)), "pkcs7signedCompressedFirmwarePkgData_RSA_SHA256.der", 0, NULL, 0, 0, 0, 2, NULL, 0, NULL, 0}, + + #ifndef NO_PKCS7_ENCRYPTED_DATA + /* Signed Encrypted Compressed FirmwarePkgData, RSA, SHA256, + no attribs */ + {data, (word32)sizeof(data), SHA256h, RSAk, rsaClientPrivKeyBuf, + rsaClientPrivKeyBufSz, rsaClientCertBuf, rsaClientCertBufSz, NULL, 0, + NULL, 0, + "pkcs7signedEncryptedCompressedFirmwarePkgData_RSA_SHA256_noattr.der", + 0, NULL, 0, 0, AES256CBCb, 3, aes256Key, sizeof(aes256Key), NULL, 0}, + + /* Signed Encrypted Compressed FirmwarePkgData, RSA, SHA256, + attribs */ + {data, (word32)sizeof(data), SHA256h, RSAk, rsaClientPrivKeyBuf, + rsaClientPrivKeyBufSz, rsaClientCertBuf, rsaClientCertBufSz, NULL, 0, + attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)), + "pkcs7signedEncryptedCompressedFirmwarePkgData_RSA_SHA256.der", + 0, NULL, 0, 0, AES256CBCb, 3, aes256Key, sizeof(aes256Key), + attribs, (sizeof(attribs)/sizeof(PKCS7Attrib))}, + #endif /* !NO_PKCS7_ENCRYPTED_DATA */ + #endif /* HAVE_LIBZ && !NO_PKCS7_COMPRESSED_DATA */ #endif /* NO_SHA256 */ @@ -21122,7 +21142,7 @@ static int pkcs7signed_run_SingleShotVectors( /* Signed FirmwarePkgData, ECDSA, SHA256, no attribs */ {data, (word32)sizeof(data), SHA256h, ECDSAk, eccClientPrivKeyBuf, eccClientPrivKeyBufSz, eccClientCertBuf, eccClientCertBufSz, NULL, 0, - attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)), + NULL, 0, "pkcs7signedFirmwarePkgData_ECDSA_SHA256_noattr.der", 0, NULL, 0, 0, 0, 0, NULL, 0, NULL, 0}, @@ -21140,7 +21160,7 @@ static int pkcs7signed_run_SingleShotVectors( "pkcs7signedFirmwarePkgData_ECDSA_SHA256_SKID.der", 0, NULL, 0, CMS_SKID, 0, 0, NULL, 0, NULL, 0}, - #ifdef WOLFSSL_AES_256 + #if defined(WOLFSSL_AES_256) && !defined(NO_PKCS7_ENCRYPTED_DATA) /* Signed Encrypted FirmwarePkgData, ECDSA, SHA256, no attribs */ {data, (word32)sizeof(data), SHA256h, ECDSAk, eccClientPrivKeyBuf, eccClientPrivKeyBufSz, eccClientCertBuf, eccClientCertBufSz, NULL, 0, @@ -21155,7 +21175,7 @@ static int pkcs7signed_run_SingleShotVectors( "pkcs7signedEncryptedFirmwarePkgData_ECDSA_SHA256.der", 0, NULL, 0, 0, AES256CBCb, 1, aes256Key, sizeof(aes256Key), attribs, (sizeof(attribs)/sizeof(PKCS7Attrib))}, - #endif /* WOLFSSL_AES_256 */ + #endif /* WOLFSSL_AES_256 && !NO_PKCS7_ENCRYPTED_DATA */ #if defined(HAVE_LIBZ) && !defined(NO_PKCS7_COMPRESSED_DATA) /* Signed Compressed FirmwarePkgData, ECDSA, SHA256, no attribs */ @@ -21171,6 +21191,26 @@ static int pkcs7signed_run_SingleShotVectors( attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)), "pkcs7signedCompressedFirmwarePkgData_ECDSA_SHA256.der", 0, NULL, 0, 0, 0, 2, NULL, 0, NULL, 0}, + + #ifndef NO_PKCS7_ENCRYPTED_DATA + /* Signed Encrypted Compressed FirmwarePkgData, ECDSA, SHA256, + no attribs */ + {data, (word32)sizeof(data), SHA256h, ECDSAk, eccClientPrivKeyBuf, + eccClientPrivKeyBufSz, eccClientCertBuf, eccClientCertBufSz, NULL, 0, + NULL, 0, + "pkcs7signedEncryptedCompressedFirmwarePkgData_ECDSA_SHA256_noattr.der", + 0, NULL, 0, 0, AES256CBCb, 3, aes256Key, sizeof(aes256Key), NULL, 0}, + + /* Signed Encrypted Compressed FirmwarePkgData, ECDSA, SHA256, + attribs */ + {data, (word32)sizeof(data), SHA256h, ECDSAk, eccClientPrivKeyBuf, + eccClientPrivKeyBufSz, eccClientCertBuf, eccClientCertBufSz, NULL, 0, + attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)), + "pkcs7signedEncryptedCompressedFirmwarePkgData_ECDSA_SHA256.der", + 0, NULL, 0, 0, AES256CBCb, 3, aes256Key, sizeof(aes256Key), + attribs, (sizeof(attribs)/sizeof(PKCS7Attrib))}, + #endif /* !NO_PKCS7_ENCRYPTED_DATA */ + #endif /* HAVE_LIBZ && !NO_PKCS7_COMPRESSED_DATA */ #endif /* NO_SHA256 */ @@ -21182,14 +21222,14 @@ static int pkcs7signed_run_SingleShotVectors( outSz = FOURK_BUF; out = (byte*)XMALLOC(outSz, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); if (out == NULL) - return -9510; + return -9550; XMEMSET(out, 0, outSz); ret = wc_PKCS7_PadData((byte*)data, sizeof(data), out, outSz, 16); if (ret < 0) { XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - return -9511; + return -9551; } #ifndef HAVE_FIPS @@ -21199,13 +21239,13 @@ static int pkcs7signed_run_SingleShotVectors( #endif if (ret != 0) { XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - return -9512; + return -9552; } for (i = 0; i < testSz; i++) { pkcs7 = wc_PKCS7_New(HEAP_HINT, INVALID_DEVID); if (pkcs7 == NULL) - return -9513; + return -9553; pkcs7->heap = HEAP_HINT; pkcs7->devId = INVALID_DEVID; @@ -21215,7 +21255,7 @@ static int pkcs7signed_run_SingleShotVectors( if (ret != 0) { XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); wc_PKCS7_Free(pkcs7); - return -9514; + return -9554; } /* load CA certificate, if present */ @@ -21225,7 +21265,7 @@ static int pkcs7signed_run_SingleShotVectors( if (ret != 0) { XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); wc_PKCS7_Free(pkcs7); - return -9515; + return -9555; } } @@ -21236,7 +21276,7 @@ static int pkcs7signed_run_SingleShotVectors( if (ret != 0) { XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); wc_PKCS7_Free(pkcs7); - return -9516; + return -9556; } } @@ -21253,7 +21293,7 @@ static int pkcs7signed_run_SingleShotVectors( if (encodedSz < 0) { XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); wc_PKCS7_Free(pkcs7); - return -9517; + return -9557; } } else if (testVectors[i].encCompFlag == 1) { @@ -21272,7 +21312,7 @@ static int pkcs7signed_run_SingleShotVectors( if (encodedSz <= 0) { XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); wc_PKCS7_Free(pkcs7); - return -9518; + return -9558; } #if defined(HAVE_LIBZ) && !defined(NO_PKCS7_COMPRESSED_DATA) @@ -21289,15 +21329,37 @@ static int pkcs7signed_run_SingleShotVectors( if (encodedSz <= 0) { XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); wc_PKCS7_Free(pkcs7); - return -9519; + return -9559; } + + #ifndef NO_PKCS7_ENCRYPTED_DATA + } else if (testVectors[i].encCompFlag == 3) { + + /* encode Signed Encrypted Compressed FirmwarePkgData */ + encodedSz = wc_PKCS7_EncodeSignedEncryptedCompressedFPD(pkcs7, + testVectors[i].encryptKey, testVectors[i].encryptKeySz, + testVectors[i].privateKey, testVectors[i].privateKeySz, + testVectors[i].encryptOID, testVectors[i].signOID, + testVectors[i].hashOID, (byte*)testVectors[i].content, + testVectors[i].contentSz, testVectors[i].unprotectedAttribs, + testVectors[i].unprotectedAttribsSz, + testVectors[i].signedAttribs, + testVectors[i].signedAttribsSz, out, outSz); + + if (encodedSz <= 0) { + XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); + wc_PKCS7_Free(pkcs7); + return -9560; + } + + #endif /* NO_PKCS7_ENCRYPTED_DATA */ #endif /* HAVE_LIBZ && !NO_PKCS7_COMPRESSED_DATA */ } else { /* unsupported SignedData single-shot combination */ XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); wc_PKCS7_Free(pkcs7); - return -9520; + return -9561; } #ifdef PKCS7_OUTPUT_TEST_BUNDLES @@ -21306,14 +21368,14 @@ static int pkcs7signed_run_SingleShotVectors( if (!file) { XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); wc_PKCS7_Free(pkcs7); - return -9522; + return -9562; } ret = (int)fwrite(out, 1, encodedSz, file); fclose(file); if (ret != (int)encodedSz) { XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); wc_PKCS7_Free(pkcs7); - return -9526; + return -9563; } #endif /* PKCS7_OUTPUT_TEST_BUNDLES */ @@ -21321,20 +21383,20 @@ static int pkcs7signed_run_SingleShotVectors( pkcs7 = wc_PKCS7_New(HEAP_HINT, INVALID_DEVID); if (pkcs7 == NULL) - return -9527; + return -9564; wc_PKCS7_InitWithCert(pkcs7, NULL, 0); ret = wc_PKCS7_VerifySignedData(pkcs7, out, outSz); if (ret < 0) { XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); wc_PKCS7_Free(pkcs7); - return -9528; + return -9565; } if (pkcs7->singleCert == NULL || pkcs7->singleCertSz == 0) { XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); wc_PKCS7_Free(pkcs7); - return -9531; + return -9566; } if (testVectors[i].encCompFlag == 0) { @@ -21344,7 +21406,7 @@ static int pkcs7signed_run_SingleShotVectors( pkcs7->contentSz)) { XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); wc_PKCS7_Free(pkcs7); - return -9532; + return -9567; } } else if (testVectors[i].encCompFlag == 1) { @@ -21358,7 +21420,7 @@ static int pkcs7signed_run_SingleShotVectors( if (ret < 0) { XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); wc_PKCS7_Free(pkcs7); - return -9533; + return -9568; } /* compare decrypted to expected */ @@ -21366,7 +21428,7 @@ static int pkcs7signed_run_SingleShotVectors( XMEMCMP(out, testVectors[i].content, ret)) { XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); wc_PKCS7_Free(pkcs7); - return -9534; + return -9569; } } #if defined(HAVE_LIBZ) && !defined(NO_PKCS7_COMPRESSED_DATA) @@ -21378,7 +21440,7 @@ static int pkcs7signed_run_SingleShotVectors( if (ret < 0) { XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); wc_PKCS7_Free(pkcs7); - return -9535; + return -9570; } /* compare decompressed to expected */ @@ -21386,9 +21448,62 @@ static int pkcs7signed_run_SingleShotVectors( XMEMCMP(out, testVectors[i].content, ret)) { XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); wc_PKCS7_Free(pkcs7); - return -9536; + return -9571; } } + #ifndef NO_PKCS7_ENCRYPTED_DATA + else if (testVectors[i].encCompFlag == 3) { + + byte* encryptedTmp; + int encryptedTmpSz; + + encryptedTmpSz = FOURK_BUF; + encryptedTmp = (byte*)XMALLOC(encryptedTmpSz, HEAP_HINT, + DYNAMIC_TYPE_TMP_BUFFER); + if (encryptedTmp == NULL) { + XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); + wc_PKCS7_Free(pkcs7); + return -9572; + } + + XMEMSET(encryptedTmp, 0, encryptedTmpSz); + + /* decrypt inner encryptedData */ + pkcs7->encryptionKey = testVectors[i].encryptKey; + pkcs7->encryptionKeySz = testVectors[i].encryptKeySz; + + encryptedTmpSz = wc_PKCS7_DecodeEncryptedData(pkcs7, pkcs7->content, + pkcs7->contentSz, encryptedTmp, + encryptedTmpSz); + + if (encryptedTmpSz < 0) { + XFREE(encryptedTmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); + wc_PKCS7_Free(pkcs7); + return -9573; + } + + /* decompress inner compressedData */ + ret = wc_PKCS7_DecodeCompressedData(pkcs7, encryptedTmp, + encryptedTmpSz, out, outSz); + if (ret < 0) { + XFREE(encryptedTmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); + wc_PKCS7_Free(pkcs7); + return -9574; + } + + XFREE(encryptedTmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); + + /* compare decompressed to expected */ + if (((word32)ret != testVectors[i].contentSz) || + XMEMCMP(out, testVectors[i].content, ret)) { + XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); + wc_PKCS7_Free(pkcs7); + return -9575; + } + } + #endif /* NO_PKCS7_ENCRYPTED_DATA */ #endif /* HAVE_LIBZ && !NO_PKCS7_COMPRESSED_DATA */ wc_PKCS7_Free(pkcs7); diff --git a/wolfssl/wolfcrypt/pkcs7.h b/wolfssl/wolfcrypt/pkcs7.h index 9244f2314..4a5c052da 100644 --- a/wolfssl/wolfcrypt/pkcs7.h +++ b/wolfssl/wolfcrypt/pkcs7.h @@ -308,6 +308,21 @@ WOLFSSL_API int wc_PKCS7_EncodeSignedCompressedFPD(PKCS7* pkcs7, PKCS7Attrib* signedAttribs, word32 signedAttribsSz, byte* output, word32 outputSz); + +#ifndef NO_PKCS7_ENCRYPTED_DATA +/* CMS single-shot API for Signed Encrypted Compressed FirmwarePkgData */ +WOLFSSL_API int wc_PKCS7_EncodeSignedEncryptedCompressedFPD(PKCS7* pkcs7, + byte* encryptKey, word32 encryptKeySz, + byte* privateKey, word32 privateKeySz, + int encryptOID, int signOID, + int hashOID, byte* content, + word32 contentSz, + PKCS7Attrib* unprotectedAttribs, + word32 unprotectedAttribsSz, + PKCS7Attrib* signedAttribs, + word32 signedAttribsSz, + byte* output, word32 outputSz); +#endif /* !NO_PKCS7_ENCRYPTED_DATA */ #endif /* HAVE_LIBZ && !NO_PKCS7_COMPRESSED_DATA */ /* EnvelopedData and AuthEnvelopedData RecipientInfo functions */