add single-shot API for generating CMS Signed Encrypted Compressed FirmwarePkgData

.gitignore

@@ -175,6 +175,10 @@ pkcs7signedFirmwarePkgData_RSA_SHA256.der
 pkcs7signedFirmwarePkgData_RSA_SHA256_SKID.der
 pkcs7signedFirmwarePkgData_RSA_SHA256_noattr.der
 pkcs7signedFirmwarePkgData_RSA_SHA256_with_ca_cert.der
+pkcs7signedEncryptedCompressedFirmwarePkgData_ECDSA_SHA256.der
+pkcs7signedEncryptedCompressedFirmwarePkgData_ECDSA_SHA256_noattr.der
+pkcs7signedEncryptedCompressedFirmwarePkgData_RSA_SHA256.der
+pkcs7signedEncryptedCompressedFirmwarePkgData_RSA_SHA256_noattr.der
 diff
 sslSniffer/sslSnifferTest/tracefile.txt
 tracefile.txt

Makefile.am

@@ -113,7 +113,11 @@ CLEANFILES+= cert.der \
              pkcs7signedEncryptedFirmwarePkgData_RSA_SHA256.der \
              pkcs7signedEncryptedFirmwarePkgData_RSA_SHA256_noattr.der \
              pkcs7signedEncryptedFirmwarePkgData_ECDSA_SHA256.der \
-             pkcs7signedEncryptedFirmwarePkgData_ECDSA_SHA256_noattr.der
+             pkcs7signedEncryptedFirmwarePkgData_ECDSA_SHA256_noattr.der \
+             pkcs7signedEncryptedCompressedFirmwarePkgData_ECDSA_SHA256.der \
+             pkcs7signedEncryptedCompressedFirmwarePkgData_ECDSA_SHA256_noattr.der \
+             pkcs7signedEncryptedCompressedFirmwarePkgData_RSA_SHA256.der \
+             pkcs7signedEncryptedCompressedFirmwarePkgData_RSA_SHA256_noattr.der
 
 exampledir = $(docdir)/example
 dist_example_DATA=

wolfcrypt/src/pkcs7.c

@@ -2003,16 +2003,16 @@ int wc_PKCS7_EncodeSignedEncryptedFPD(PKCS7* pkcs7, byte* encryptKey,
     /* save encryptedData, reset output buffer and struct */
     encrypted = (byte*)XMALLOC(encryptedSz, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
     if (encrypted == NULL) {
-        wc_PKCS7_Free(pkcs7);
+        ForceZero(output, outputSz);
         return MEMORY_E;
     }
-    XMEMSET(encrypted, 0, encryptedSz);
 
     XMEMCPY(encrypted, output, encryptedSz);
     ForceZero(output, outputSz);
 
     ret = wc_InitRng(&rng);
     if (ret != 0) {
+        ForceZero(encrypted, encryptedSz);
         XFREE(encrypted, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
         return ret;
     }
@@ -2032,11 +2032,13 @@ int wc_PKCS7_EncodeSignedEncryptedFPD(PKCS7* pkcs7, byte* encryptKey,
     ret = wc_PKCS7_EncodeSignedData(pkcs7, output, outputSz);
     if (ret <= 0) {
         WOLFSSL_MSG("Error encoding CMS SignedData content type");
+        ForceZero(encrypted, encryptedSz);
         XFREE(encrypted, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
         wc_FreeRng(&rng);
         return ret;
     }
 
+    ForceZero(encrypted, encryptedSz);
     XFREE(encrypted, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
     wc_FreeRng(&rng);
 
@@ -2101,16 +2103,16 @@ int wc_PKCS7_EncodeSignedCompressedFPD(PKCS7* pkcs7, byte* privateKey,
     /* save compressedData, reset output buffer and struct */
     compressed = (byte*)XMALLOC(compressedSz, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
     if (compressed == NULL) {
-        wc_PKCS7_Free(pkcs7);
+        ForceZero(output, outputSz);
         return MEMORY_E;
     }
-    XMEMSET(compressed, 0, compressedSz);
 
     XMEMCPY(compressed, output, compressedSz);
     ForceZero(output, outputSz);
 
     ret = wc_InitRng(&rng);
     if (ret != 0) {
+        ForceZero(compressed, compressedSz);
         XFREE(compressed, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
         return ret;
     }
@@ -2130,16 +2132,158 @@ int wc_PKCS7_EncodeSignedCompressedFPD(PKCS7* pkcs7, byte* privateKey,
     ret = wc_PKCS7_EncodeSignedData(pkcs7, output, outputSz);
     if (ret <= 0) {
         WOLFSSL_MSG("Error encoding CMS SignedData content type");
+        ForceZero(compressed, compressedSz);
         XFREE(compressed, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
         wc_FreeRng(&rng);
         return ret;
     }
 
+    ForceZero(compressed, compressedSz);
     XFREE(compressed, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
     wc_FreeRng(&rng);
 
     return ret;
 }
+
+#ifndef NO_PKCS7_ENCRYPTED_DATA
+
+/* Single-shot API to generate a CMS SignedData bundle that encapsulates a
+ * CMS EncryptedData bundle, which then encapsulates a CMS CompressedData
+ * bundle. Content of inner CompressedData is set to that of FirmwarePkgData.
+ * Any recipient certificates should be loaded into the PKCS7 structure prior
+ * to calling this function, using wc_PKCS7_InitWithCert() and/or
+ * wc_PKCS7_AddCertificate().
+ *
+ * pkcs7                - pointer to initialized PKCS7 struct
+ * encryptKey           - encryption key used for encrypting EncryptedData
+ * encryptKeySz         - size of encryptKey, octets
+ * privateKey           - private RSA/ECC key, used for signing SignedData
+ * privateKeySz         - size of privateKey, octets
+ * encryptOID           - encryption algorithm OID, to be used as encryption
+ *                        algorithm for EncryptedData
+ * signOID              - public key algorithm OID, to be used for sign
+ *                        operation in SignedData generation
+ * hashOID              - hash algorithm OID, to be used for signature in
+ *                        SignedData generation
+ * content              - content to be encapsulated
+ * contentSz            - size of content, octets
+ * unprotectedAttribs   - optional unprotected attributes, for EncryptedData
+ * unprotectedAttribsSz - number of PKCS7Attrib members in unprotectedAttribs
+ * signedAttribs        - optional signed attributes, for SignedData
+ * signedAttribsSz      - number of PKCS7Attrib members in signedAttribs
+ * output               - output buffer for final bundle
+ * outputSz             - size of output buffer, octets
+ *
+ * Returns length of generated bundle on success, negative upon error. */
+int  wc_PKCS7_EncodeSignedEncryptedCompressedFPD(PKCS7* pkcs7, byte* encryptKey,
+                                       word32 encryptKeySz, byte* privateKey,
+                                       word32 privateKeySz, int encryptOID,
+                                       int signOID, int hashOID, byte* content,
+                                       word32 contentSz,
+                                       PKCS7Attrib* unprotectedAttribs,
+                                       word32 unprotectedAttribsSz,
+                                       PKCS7Attrib* signedAttribs,
+                                       word32 signedAttribsSz,
+                                       byte* output, word32 outputSz)
+{
+    int ret = 0, compressedSz = 0, encryptedSz = 0;
+    byte* compressed = NULL;
+    byte* encrypted = NULL;
+    WC_RNG rng;
+
+    if (pkcs7 == NULL || encryptKey == NULL || encryptKeySz == 0 ||
+        privateKey == NULL || privateKeySz == 0 || content == NULL ||
+        contentSz == 0 || output == NULL || outputSz == 0) {
+        return BAD_FUNC_ARG;
+    }
+
+    /* 1: build up CompressedData using FirmwarePkgData type, use output
+     *    buffer as tmp for storage and to get size */
+    pkcs7->content = content;
+    pkcs7->contentSz = contentSz;
+    pkcs7->contentOID = FIRMWARE_PKG_DATA;
+
+    compressedSz = wc_PKCS7_EncodeCompressedData(pkcs7, output, outputSz);
+    if (compressedSz < 0) {
+        WOLFSSL_MSG("Error encoding CMS CompressedData content type");
+        return compressedSz;
+    }
+
+    /* save compressedData, reset output buffer and struct */
+    compressed = (byte*)XMALLOC(compressedSz, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+    if (compressed == NULL)
+        return MEMORY_E;
+
+    XMEMCPY(compressed, output, compressedSz);
+    ForceZero(output, outputSz);
+
+    /* 2: build up EncryptedData using CompressedData, use output
+     *    buffer as tmp for storage and to get size */
+    pkcs7->content = compressed;
+    pkcs7->contentSz = compressedSz;
+    pkcs7->contentOID = COMPRESSED_DATA;
+    pkcs7->encryptOID = encryptOID;
+    pkcs7->encryptionKey = encryptKey;
+    pkcs7->encryptionKeySz = encryptKeySz;
+    pkcs7->unprotectedAttribs = unprotectedAttribs;
+    pkcs7->unprotectedAttribsSz = unprotectedAttribsSz;
+
+    encryptedSz = wc_PKCS7_EncodeEncryptedData(pkcs7, output, outputSz);
+    if (encryptedSz < 0) {
+        WOLFSSL_MSG("Error encoding CMS EncryptedData content type");
+        XFREE(compressed, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+        return encryptedSz;
+    }
+
+    /* save encryptedData, reset output buffer and struct */
+    encrypted = (byte*)XMALLOC(encryptedSz, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+    if (encrypted == NULL) {
+        ForceZero(compressed, compressedSz);
+        XFREE(compressed, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+        return MEMORY_E;
+    }
+
+    XMEMCPY(encrypted, output, encryptedSz);
+    ForceZero(compressed, compressedSz);
+    XFREE(compressed, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+    ForceZero(output, outputSz);
+
+    ret = wc_InitRng(&rng);
+    if (ret != 0) {
+        ForceZero(encrypted, encryptedSz);
+        XFREE(encrypted, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+        return ret;
+    }
+
+    /* 3: build up SignedData, encapsulating EncryptedData */
+    pkcs7->rng = &rng;
+    pkcs7->content = encrypted;
+    pkcs7->contentSz = encryptedSz;
+    pkcs7->contentOID = ENCRYPTED_DATA;
+    pkcs7->hashOID = hashOID;
+    pkcs7->encryptOID = signOID;
+    pkcs7->privateKey = privateKey;
+    pkcs7->privateKeySz = privateKeySz;
+    pkcs7->signedAttribs = signedAttribs;
+    pkcs7->signedAttribsSz = signedAttribsSz;
+
+    ret = wc_PKCS7_EncodeSignedData(pkcs7, output, outputSz);
+    if (ret <= 0) {
+        WOLFSSL_MSG("Error encoding CMS SignedData content type");
+        ForceZero(encrypted, encryptedSz);
+        XFREE(encrypted, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+        wc_FreeRng(&rng);
+        return ret;
+    }
+
+    ForceZero(encrypted, encryptedSz);
+    XFREE(encrypted, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+    wc_FreeRng(&rng);
+
+    return ret;
+}
+
+#endif /* !NO_PKCS7_ENCRYPTED_DATA */
 #endif /* HAVE_LIBZ && !NO_PKCS7_COMPRESSED_DATA */
 
 

wolfcrypt/test/test.c

@@ -21081,7 +21081,7 @@ static int pkcs7signed_run_SingleShotVectors(
          "pkcs7signedFirmwarePkgData_RSA_SHA256_with_ca_cert.der", 0, NULL,
          0, 0, 0, 0, NULL, 0, NULL, 0},
 
-    #ifdef WOLFSSL_AES_256
+    #if defined(WOLFSSL_AES_256) && !defined(NO_PKCS7_ENCRYPTED_DATA)
         /* Signed Encrypted FirmwarePkgData, RSA, SHA256, no attribs */
         {data, (word32)sizeof(data), SHA256h, RSAk, rsaClientPrivKeyBuf,
          rsaClientPrivKeyBufSz, rsaClientCertBuf, rsaClientCertBufSz, NULL, 0,
@@ -21096,7 +21096,7 @@ static int pkcs7signed_run_SingleShotVectors(
          "pkcs7signedEncryptedFirmwarePkgData_RSA_SHA256.der", 0,
          NULL, 0, 0, AES256CBCb, 1, aes256Key, sizeof(aes256Key),
          attribs, (sizeof(attribs)/sizeof(PKCS7Attrib))},
-    #endif /* WOLFSSL_AES_256 */
+    #endif /* WOLFSSL_AES_256 && !NO_PKCS7_ENCRYPTED_DATA */
 
     #if defined(HAVE_LIBZ) && !defined(NO_PKCS7_COMPRESSED_DATA)
         /* Signed Compressed FirmwarePkgData, RSA, SHA256, no attribs */
@@ -21112,6 +21112,26 @@ static int pkcs7signed_run_SingleShotVectors(
          attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)),
          "pkcs7signedCompressedFirmwarePkgData_RSA_SHA256.der", 0,
          NULL, 0, 0, 0, 2, NULL, 0, NULL, 0},
+
+    #ifndef NO_PKCS7_ENCRYPTED_DATA
+        /* Signed Encrypted Compressed FirmwarePkgData, RSA, SHA256,
+           no attribs */
+        {data, (word32)sizeof(data), SHA256h, RSAk, rsaClientPrivKeyBuf,
+         rsaClientPrivKeyBufSz, rsaClientCertBuf, rsaClientCertBufSz, NULL, 0,
+         NULL, 0,
+         "pkcs7signedEncryptedCompressedFirmwarePkgData_RSA_SHA256_noattr.der",
+         0, NULL, 0, 0, AES256CBCb, 3, aes256Key, sizeof(aes256Key), NULL, 0},
+
+        /* Signed Encrypted Compressed FirmwarePkgData, RSA, SHA256,
+           attribs */
+        {data, (word32)sizeof(data), SHA256h, RSAk, rsaClientPrivKeyBuf,
+         rsaClientPrivKeyBufSz, rsaClientCertBuf, rsaClientCertBufSz, NULL, 0,
+         attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)),
+         "pkcs7signedEncryptedCompressedFirmwarePkgData_RSA_SHA256.der",
+         0, NULL, 0, 0, AES256CBCb, 3, aes256Key, sizeof(aes256Key),
+         attribs, (sizeof(attribs)/sizeof(PKCS7Attrib))},
+    #endif /* !NO_PKCS7_ENCRYPTED_DATA */
+
     #endif /* HAVE_LIBZ && !NO_PKCS7_COMPRESSED_DATA */
 
     #endif /* NO_SHA256 */
@@ -21122,7 +21142,7 @@ static int pkcs7signed_run_SingleShotVectors(
         /* Signed FirmwarePkgData, ECDSA, SHA256, no attribs */
         {data, (word32)sizeof(data), SHA256h, ECDSAk, eccClientPrivKeyBuf,
          eccClientPrivKeyBufSz, eccClientCertBuf, eccClientCertBufSz, NULL, 0,
-         attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)),
+         NULL, 0,
          "pkcs7signedFirmwarePkgData_ECDSA_SHA256_noattr.der", 0, NULL,
          0, 0, 0, 0, NULL, 0, NULL, 0},
 
@@ -21140,7 +21160,7 @@ static int pkcs7signed_run_SingleShotVectors(
          "pkcs7signedFirmwarePkgData_ECDSA_SHA256_SKID.der", 0, NULL,
          0, CMS_SKID, 0, 0, NULL, 0, NULL, 0},
 
-    #ifdef WOLFSSL_AES_256
+    #if defined(WOLFSSL_AES_256) && !defined(NO_PKCS7_ENCRYPTED_DATA)
         /* Signed Encrypted FirmwarePkgData, ECDSA, SHA256, no attribs */
         {data, (word32)sizeof(data), SHA256h, ECDSAk, eccClientPrivKeyBuf,
          eccClientPrivKeyBufSz, eccClientCertBuf, eccClientCertBufSz, NULL, 0,
@@ -21155,7 +21175,7 @@ static int pkcs7signed_run_SingleShotVectors(
          "pkcs7signedEncryptedFirmwarePkgData_ECDSA_SHA256.der", 0, NULL,
          0, 0, AES256CBCb, 1, aes256Key, sizeof(aes256Key),
          attribs, (sizeof(attribs)/sizeof(PKCS7Attrib))},
-    #endif /* WOLFSSL_AES_256 */
+    #endif /* WOLFSSL_AES_256 && !NO_PKCS7_ENCRYPTED_DATA */
 
     #if defined(HAVE_LIBZ) && !defined(NO_PKCS7_COMPRESSED_DATA)
         /* Signed Compressed FirmwarePkgData, ECDSA, SHA256, no attribs */
@@ -21171,6 +21191,26 @@ static int pkcs7signed_run_SingleShotVectors(
          attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)),
          "pkcs7signedCompressedFirmwarePkgData_ECDSA_SHA256.der", 0, NULL,
          0, 0, 0, 2, NULL, 0, NULL, 0},
+
+    #ifndef NO_PKCS7_ENCRYPTED_DATA
+        /* Signed Encrypted Compressed FirmwarePkgData, ECDSA, SHA256,
+           no attribs */
+        {data, (word32)sizeof(data), SHA256h, ECDSAk, eccClientPrivKeyBuf,
+         eccClientPrivKeyBufSz, eccClientCertBuf, eccClientCertBufSz, NULL, 0,
+         NULL, 0,
+        "pkcs7signedEncryptedCompressedFirmwarePkgData_ECDSA_SHA256_noattr.der",
+         0, NULL, 0, 0, AES256CBCb, 3, aes256Key, sizeof(aes256Key), NULL, 0},
+
+        /* Signed Encrypted Compressed FirmwarePkgData, ECDSA, SHA256,
+           attribs */
+        {data, (word32)sizeof(data), SHA256h, ECDSAk, eccClientPrivKeyBuf,
+         eccClientPrivKeyBufSz, eccClientCertBuf, eccClientCertBufSz, NULL, 0,
+         attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)),
+        "pkcs7signedEncryptedCompressedFirmwarePkgData_ECDSA_SHA256.der",
+         0, NULL, 0, 0, AES256CBCb, 3, aes256Key, sizeof(aes256Key),
+         attribs, (sizeof(attribs)/sizeof(PKCS7Attrib))},
+    #endif /* !NO_PKCS7_ENCRYPTED_DATA */
+
     #endif /* HAVE_LIBZ && !NO_PKCS7_COMPRESSED_DATA */
 
     #endif /* NO_SHA256 */
@@ -21182,14 +21222,14 @@ static int pkcs7signed_run_SingleShotVectors(
     outSz = FOURK_BUF;
     out = (byte*)XMALLOC(outSz, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
     if (out == NULL)
-        return -9510;
+        return -9550;
 
     XMEMSET(out, 0, outSz);
 
     ret = wc_PKCS7_PadData((byte*)data, sizeof(data), out, outSz, 16);
     if (ret < 0) {
         XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
-        return -9511;
+        return -9551;
     }
 
 #ifndef HAVE_FIPS
@@ -21199,13 +21239,13 @@ static int pkcs7signed_run_SingleShotVectors(
 #endif
     if (ret != 0) {
         XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
-        return -9512;
+        return -9552;
     }
 
     for (i = 0; i < testSz; i++) {
         pkcs7 = wc_PKCS7_New(HEAP_HINT, INVALID_DEVID);
         if (pkcs7 == NULL)
-            return -9513;
+            return -9553;
 
         pkcs7->heap = HEAP_HINT;
         pkcs7->devId = INVALID_DEVID;
@@ -21215,7 +21255,7 @@ static int pkcs7signed_run_SingleShotVectors(
         if (ret != 0) {
             XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
             wc_PKCS7_Free(pkcs7);
-            return -9514;
+            return -9554;
         }
 
         /* load CA certificate, if present */
@@ -21225,7 +21265,7 @@ static int pkcs7signed_run_SingleShotVectors(
             if (ret != 0) {
                 XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
                 wc_PKCS7_Free(pkcs7);
-                return -9515;
+                return -9555;
             }
         }
 
@@ -21236,7 +21276,7 @@ static int pkcs7signed_run_SingleShotVectors(
             if (ret != 0) {
                 XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
                 wc_PKCS7_Free(pkcs7);
-                return -9516;
+                return -9556;
             }
         }
 
@@ -21253,7 +21293,7 @@ static int pkcs7signed_run_SingleShotVectors(
             if (encodedSz < 0) {
                 XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
                 wc_PKCS7_Free(pkcs7);
-                return -9517;
+                return -9557;
             }
 
         } else if (testVectors[i].encCompFlag == 1) {
@@ -21272,7 +21312,7 @@ static int pkcs7signed_run_SingleShotVectors(
             if (encodedSz <= 0) {
                 XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
                 wc_PKCS7_Free(pkcs7);
-                return -9518;
+                return -9558;
             }
 
     #if defined(HAVE_LIBZ) && !defined(NO_PKCS7_COMPRESSED_DATA)
@@ -21289,15 +21329,37 @@ static int pkcs7signed_run_SingleShotVectors(
             if (encodedSz <= 0) {
                 XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
                 wc_PKCS7_Free(pkcs7);
-                return -9519;
+                return -9559;
             }
+
+        #ifndef NO_PKCS7_ENCRYPTED_DATA
+        } else if (testVectors[i].encCompFlag == 3) {
+
+            /* encode Signed Encrypted Compressed FirmwarePkgData */
+            encodedSz = wc_PKCS7_EncodeSignedEncryptedCompressedFPD(pkcs7,
+                    testVectors[i].encryptKey, testVectors[i].encryptKeySz,
+                    testVectors[i].privateKey, testVectors[i].privateKeySz,
+                    testVectors[i].encryptOID, testVectors[i].signOID,
+                    testVectors[i].hashOID, (byte*)testVectors[i].content,
+                    testVectors[i].contentSz, testVectors[i].unprotectedAttribs,
+                    testVectors[i].unprotectedAttribsSz,
+                    testVectors[i].signedAttribs,
+                    testVectors[i].signedAttribsSz, out, outSz);
+
+            if (encodedSz <= 0) {
+                XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+                wc_PKCS7_Free(pkcs7);
+                return -9560;
+            }
+
+        #endif /* NO_PKCS7_ENCRYPTED_DATA */
     #endif /* HAVE_LIBZ && !NO_PKCS7_COMPRESSED_DATA */
 
         } else {
             /* unsupported SignedData single-shot combination */
             XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
             wc_PKCS7_Free(pkcs7);
-            return -9520;
+            return -9561;
         }
 
     #ifdef PKCS7_OUTPUT_TEST_BUNDLES
@@ -21306,14 +21368,14 @@ static int pkcs7signed_run_SingleShotVectors(
         if (!file) {
             XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
             wc_PKCS7_Free(pkcs7);
-            return -9522;
+            return -9562;
         }
         ret = (int)fwrite(out, 1, encodedSz, file);
         fclose(file);
         if (ret != (int)encodedSz) {
             XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
             wc_PKCS7_Free(pkcs7);
-            return -9526;
+            return -9563;
         }
     #endif /* PKCS7_OUTPUT_TEST_BUNDLES */
 
@@ -21321,20 +21383,20 @@ static int pkcs7signed_run_SingleShotVectors(
 
         pkcs7 = wc_PKCS7_New(HEAP_HINT, INVALID_DEVID);
         if (pkcs7 == NULL)
-            return -9527;
+            return -9564;
         wc_PKCS7_InitWithCert(pkcs7, NULL, 0);
 
         ret = wc_PKCS7_VerifySignedData(pkcs7, out, outSz);
         if (ret < 0) {
             XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
             wc_PKCS7_Free(pkcs7);
-            return -9528;
+            return -9565;
         }
 
         if (pkcs7->singleCert == NULL || pkcs7->singleCertSz == 0) {
             XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
             wc_PKCS7_Free(pkcs7);
-            return -9531;
+            return -9566;
         }
 
         if (testVectors[i].encCompFlag == 0) {
@@ -21344,7 +21406,7 @@ static int pkcs7signed_run_SingleShotVectors(
                         pkcs7->contentSz)) {
                 XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
                 wc_PKCS7_Free(pkcs7);
-                return -9532;
+                return -9567;
             }
 
         } else if (testVectors[i].encCompFlag == 1) {
@@ -21358,7 +21420,7 @@ static int pkcs7signed_run_SingleShotVectors(
             if (ret < 0) {
                 XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
                 wc_PKCS7_Free(pkcs7);
-                return -9533;
+                return -9568;
             }
 
             /* compare decrypted to expected */
@@ -21366,7 +21428,7 @@ static int pkcs7signed_run_SingleShotVectors(
                 XMEMCMP(out, testVectors[i].content, ret)) {
                 XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
                 wc_PKCS7_Free(pkcs7);
-                return -9534;
+                return -9569;
             }
         }
     #if defined(HAVE_LIBZ) && !defined(NO_PKCS7_COMPRESSED_DATA)
@@ -21378,7 +21440,7 @@ static int pkcs7signed_run_SingleShotVectors(
             if (ret < 0) {
                 XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
                 wc_PKCS7_Free(pkcs7);
-                return -9535;
+                return -9570;
             }
 
             /* compare decompressed to expected */
@@ -21386,9 +21448,62 @@ static int pkcs7signed_run_SingleShotVectors(
                 XMEMCMP(out, testVectors[i].content, ret)) {
                 XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
                 wc_PKCS7_Free(pkcs7);
-                return -9536;
+                return -9571;
             }
         }
+    #ifndef NO_PKCS7_ENCRYPTED_DATA
+        else if (testVectors[i].encCompFlag == 3) {
+
+            byte* encryptedTmp;
+            int encryptedTmpSz;
+
+            encryptedTmpSz = FOURK_BUF;
+            encryptedTmp = (byte*)XMALLOC(encryptedTmpSz, HEAP_HINT,
+                                          DYNAMIC_TYPE_TMP_BUFFER);
+            if (encryptedTmp == NULL) {
+                XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+                wc_PKCS7_Free(pkcs7);
+                return -9572;
+            }
+
+            XMEMSET(encryptedTmp, 0, encryptedTmpSz);
+
+            /* decrypt inner encryptedData */
+            pkcs7->encryptionKey = testVectors[i].encryptKey;
+            pkcs7->encryptionKeySz = testVectors[i].encryptKeySz;
+
+            encryptedTmpSz = wc_PKCS7_DecodeEncryptedData(pkcs7, pkcs7->content,
+                                               pkcs7->contentSz, encryptedTmp,
+                                               encryptedTmpSz);
+
+            if (encryptedTmpSz < 0) {
+                XFREE(encryptedTmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+                XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+                wc_PKCS7_Free(pkcs7);
+                return -9573;
+            }
+
+            /* decompress inner compressedData */
+            ret = wc_PKCS7_DecodeCompressedData(pkcs7, encryptedTmp,
+                                                encryptedTmpSz, out, outSz);
+            if (ret < 0) {
+                XFREE(encryptedTmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+                XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+                wc_PKCS7_Free(pkcs7);
+                return -9574;
+            }
+
+            XFREE(encryptedTmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+
+            /* compare decompressed to expected */
+            if (((word32)ret != testVectors[i].contentSz) ||
+                XMEMCMP(out, testVectors[i].content, ret)) {
+                XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+                wc_PKCS7_Free(pkcs7);
+                return -9575;
+            }
+        }
+    #endif /* NO_PKCS7_ENCRYPTED_DATA */
     #endif /* HAVE_LIBZ && !NO_PKCS7_COMPRESSED_DATA */
 
         wc_PKCS7_Free(pkcs7);

wolfssl/wolfcrypt/pkcs7.h

@@ -308,6 +308,21 @@ WOLFSSL_API int  wc_PKCS7_EncodeSignedCompressedFPD(PKCS7* pkcs7,
                                           PKCS7Attrib* signedAttribs,
                                           word32 signedAttribsSz, byte* output,
                                           word32 outputSz);
+
+#ifndef NO_PKCS7_ENCRYPTED_DATA
+/* CMS single-shot API for Signed Encrypted Compressed FirmwarePkgData */
+WOLFSSL_API int  wc_PKCS7_EncodeSignedEncryptedCompressedFPD(PKCS7* pkcs7,
+                                          byte* encryptKey, word32 encryptKeySz,
+                                          byte* privateKey, word32 privateKeySz,
+                                          int encryptOID, int signOID,
+                                          int hashOID, byte* content,
+                                          word32 contentSz,
+                                          PKCS7Attrib* unprotectedAttribs,
+                                          word32 unprotectedAttribsSz,
+                                          PKCS7Attrib* signedAttribs,
+                                          word32 signedAttribsSz,
+                                          byte* output, word32 outputSz);
+#endif /* !NO_PKCS7_ENCRYPTED_DATA */
 #endif /* HAVE_LIBZ && !NO_PKCS7_COMPRESSED_DATA */
 
 /* EnvelopedData and AuthEnvelopedData RecipientInfo functions */