Merge pull request #2265 from JacobBarthelmeh/Testing

fix check on ret value and add test case
Chris Conlon
2019-06-27 14:02:01 -06:00
committed by GitHub
3 changed files with 129 additions and 85 deletions


@ -17245,7 +17245,7 @@ static void test_PKCS7_signed_enveloped(void)
AssertIntGT((envSz = wc_PKCS7_EncodeEnvelopedData(pkcs7, env, envSz)), 0); AssertIntGT((envSz = wc_PKCS7_EncodeEnvelopedData(pkcs7, env, envSz)), 0);
wc_PKCS7_Free(pkcs7); wc_PKCS7_Free(pkcs7);
/* create signed enveloped data */ /* create bad signed enveloped data */
sigSz = FOURK_BUF * 2; sigSz = FOURK_BUF * 2;
AssertNotNull(pkcs7 = wc_PKCS7_New(NULL, 0)); AssertNotNull(pkcs7 = wc_PKCS7_New(NULL, 0));
AssertIntEQ(wc_InitRng(&rng), 0); AssertIntEQ(wc_InitRng(&rng), 0);
@ -17266,11 +17266,32 @@ static void test_PKCS7_signed_enveloped(void)
AssertIntGT((sigSz = wc_PKCS7_EncodeSignedData(pkcs7, sig, sigSz)), 0); AssertIntGT((sigSz = wc_PKCS7_EncodeSignedData(pkcs7, sig, sigSz)), 0);
pkcs7->certList = (Pkcs7Cert*)pt; /* restore pointer for PKCS7 free call */ pkcs7->certList = (Pkcs7Cert*)pt; /* restore pointer for PKCS7 free call */
wc_PKCS7_Free(pkcs7); wc_PKCS7_Free(pkcs7);
/* check verify fails */
AssertNotNull(pkcs7 = wc_PKCS7_New(NULL, 0));
AssertIntEQ(wc_PKCS7_InitWithCert(pkcs7, cert, certSz), 0);
AssertIntNE(wc_PKCS7_VerifySignedData(pkcs7, sig, sigSz), 0);
wc_PKCS7_Free(pkcs7);
/* create valid degenerate bundle */
sigSz = FOURK_BUF * 2;
AssertNotNull(pkcs7 = wc_PKCS7_New(NULL, 0));
pkcs7->content = env;
pkcs7->contentSz = envSz;
pkcs7->contentOID = DATA;
pkcs7->privateKey = key;
pkcs7->privateKeySz = keySz;
pkcs7->encryptOID = RSAk;
pkcs7->hashOID = SHA256h;
pkcs7->rng = &rng;
AssertIntEQ(wc_PKCS7_SetSignerIdentifierType(pkcs7, DEGENERATE_SID), 0);
AssertIntGT((sigSz = wc_PKCS7_EncodeSignedData(pkcs7, sig, sigSz)), 0);
wc_FreeRng(&rng); wc_FreeRng(&rng);
wc_PKCS7_Free(pkcs7);
/* check verify */ /* check verify */
AssertNotNull(pkcs7 = wc_PKCS7_New(NULL, 0)); AssertNotNull(pkcs7 = wc_PKCS7_New(NULL, 0));
AssertIntEQ(wc_PKCS7_InitWithCert(pkcs7, cert, certSz), 0); AssertIntEQ(wc_PKCS7_Init(pkcs7, HEAP_HINT, devId), 0);
AssertIntEQ(wc_PKCS7_VerifySignedData(pkcs7, sig, sigSz), 0); AssertIntEQ(wc_PKCS7_VerifySignedData(pkcs7, sig, sigSz), 0);
AssertNotNull(pkcs7->content); AssertNotNull(pkcs7->content);
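Review bot: The final `/* check verify */` step, on what appears to be the new side, asserts that `wc_PKCS7_VerifySignedData` returns 0 for the bundle built with `DEGENERATE_SID`, after `wc_PKCS7_Init` and without loading a certificate. A zero return there therefore seems to mean only that the bundle parsed, not that any signature was checked. The comment should say so, e.g. `/* degenerate bundle has no signers: 0 means parsed, not signature-verified */`, so the test is not read as a pattern for authenticating content. The earlier `/* check verify fails */` step asserts only a non-zero result; asserting the specific expected error code would stop an unrelated parse failure from satisfying it. The body of test_PKCS7_signed_enveloped starts and ends outside these hunks.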


@ -1890,19 +1890,21 @@ static int PKCS7_EncodeSigned(PKCS7* pkcs7, ESD* esd,
} }
signedDataOidSz = ret; signedDataOidSz = ret;
esd->hashType = wc_OidGetHash(pkcs7->hashOID); if (pkcs7->sidType != DEGENERATE_SID) {
if (wc_HashGetDigestSize(esd->hashType) != (int)hashSz) { esd->hashType = wc_OidGetHash(pkcs7->hashOID);
WOLFSSL_MSG("hashSz did not match hashOID"); if (wc_HashGetDigestSize(esd->hashType) != (int)hashSz) {
#ifdef WOLFSSL_SMALL_STACK WOLFSSL_MSG("hashSz did not match hashOID");
XFREE(esd, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER); #ifdef WOLFSSL_SMALL_STACK
#endif XFREE(esd, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
return BUFFER_E; #endif
} return BUFFER_E;
}
/* include hash */ /* include hash */
esd->contentDigest[0] = ASN_OCTET_STRING; esd->contentDigest[0] = ASN_OCTET_STRING;
esd->contentDigest[1] = (byte)hashSz; esd->contentDigest[1] = (byte)hashSz;
XMEMCPY(&esd->contentDigest[2], hashBuf, hashSz); XMEMCPY(&esd->contentDigest[2], hashBuf, hashSz);
}
if (pkcs7->detached == 1) { if (pkcs7->detached == 1) {
/* do not include content if generating detached signature */ /* do not include content if generating detached signature */
@ -1943,6 +1945,8 @@ static int PKCS7_EncodeSigned(PKCS7* pkcs7, ESD* esd,
/* version MUST be 3 */ /* version MUST be 3 */
esd->signerVersionSz = SetMyVersion(3, esd->signerVersion, 0); esd->signerVersionSz = SetMyVersion(3, esd->signerVersion, 0);
} else if (pkcs7->sidType == DEGENERATE_SID) {
/* no signer info added */
} else { } else {
#ifdef WOLFSSL_SMALL_STACK #ifdef WOLFSSL_SMALL_STACK
XFREE(esd, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER); XFREE(esd, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
@ -1950,78 +1954,80 @@ static int PKCS7_EncodeSigned(PKCS7* pkcs7, ESD* esd,
return SKID_E; return SKID_E;
} }
signerInfoSz += esd->signerVersionSz; if (pkcs7->sidType != DEGENERATE_SID) {
esd->signerDigAlgoIdSz = SetAlgoID(pkcs7->hashOID, esd->signerDigAlgoId, signerInfoSz += esd->signerVersionSz;
oidHashType, 0); esd->signerDigAlgoIdSz = SetAlgoID(pkcs7->hashOID, esd->signerDigAlgoId,
signerInfoSz += esd->signerDigAlgoIdSz; oidHashType, 0);
signerInfoSz += esd->signerDigAlgoIdSz;
/* set signatureAlgorithm */ /* set signatureAlgorithm */
ret = wc_PKCS7_SignedDataGetEncAlgoId(pkcs7, &digEncAlgoId, ret = wc_PKCS7_SignedDataGetEncAlgoId(pkcs7, &digEncAlgoId,
&digEncAlgoType); &digEncAlgoType);
if (ret < 0) { if (ret < 0) {
#ifdef WOLFSSL_SMALL_STACK
XFREE(esd, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
#endif
return ret;
}
esd->digEncAlgoIdSz = SetAlgoID(digEncAlgoId, esd->digEncAlgoId,
digEncAlgoType, 0);
signerInfoSz += esd->digEncAlgoIdSz;
/* build up signed attributes, include contentType, signingTime, and
messageDigest by default */
ret = wc_PKCS7_BuildSignedAttributes(pkcs7, esd, pkcs7->contentType,
pkcs7->contentTypeSz,
contentTypeOid, sizeof(contentTypeOid),
messageDigestOid, sizeof(messageDigestOid),
signingTimeOid, sizeof(signingTimeOid),
signingTime, sizeof(signingTime));
if (ret < 0) {
#ifdef WOLFSSL_SMALL_STACK #ifdef WOLFSSL_SMALL_STACK
XFREE(esd, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER); XFREE(esd, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
#endif #endif
return ret; return ret;
} }
esd->digEncAlgoIdSz = SetAlgoID(digEncAlgoId, esd->digEncAlgoId,
digEncAlgoType, 0);
signerInfoSz += esd->digEncAlgoIdSz;
if (esd->signedAttribsSz > 0) { /* build up signed attributes, include contentType, signingTime, and
flatSignedAttribs = (byte*)XMALLOC(esd->signedAttribsSz, pkcs7->heap, messageDigest by default */
DYNAMIC_TYPE_PKCS7); ret = wc_PKCS7_BuildSignedAttributes(pkcs7, esd, pkcs7->contentType,
flatSignedAttribsSz = esd->signedAttribsSz; pkcs7->contentTypeSz,
if (flatSignedAttribs == NULL) { contentTypeOid, sizeof(contentTypeOid),
messageDigestOid, sizeof(messageDigestOid),
signingTimeOid, sizeof(signingTimeOid),
signingTime, sizeof(signingTime));
if (ret < 0) {
#ifdef WOLFSSL_SMALL_STACK #ifdef WOLFSSL_SMALL_STACK
XFREE(esd, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER); XFREE(esd, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
#endif #endif
return MEMORY_E; return ret;
} }
FlattenAttributes(flatSignedAttribs, if (esd->signedAttribsSz > 0) {
esd->signedAttribs, esd->signedAttribsCount); flatSignedAttribs = (byte*)XMALLOC(esd->signedAttribsSz, pkcs7->heap,
esd->signedAttribSetSz = SetImplicit(ASN_SET, 0, esd->signedAttribsSz, DYNAMIC_TYPE_PKCS7);
esd->signedAttribSet); flatSignedAttribsSz = esd->signedAttribsSz;
} else { if (flatSignedAttribs == NULL) {
esd->signedAttribSetSz = 0; #ifdef WOLFSSL_SMALL_STACK
XFREE(esd, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
#endif
return MEMORY_E;
}
FlattenAttributes(flatSignedAttribs,
esd->signedAttribs, esd->signedAttribsCount);
esd->signedAttribSetSz = SetImplicit(ASN_SET, 0, esd->signedAttribsSz,
esd->signedAttribSet);
} else {
esd->signedAttribSetSz = 0;
}
/* Calculate the final hash and encrypt it. */
ret = wc_PKCS7_SignedDataBuildSignature(pkcs7, flatSignedAttribs,
flatSignedAttribsSz, esd);
if (ret < 0) {
if (pkcs7->signedAttribsSz != 0)
XFREE(flatSignedAttribs, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
#ifdef WOLFSSL_SMALL_STACK
XFREE(esd, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
#endif
return ret;
}
signerInfoSz += flatSignedAttribsSz + esd->signedAttribSetSz;
esd->signerDigestSz = SetOctetString(esd->encContentDigestSz,
esd->signerDigest);
signerInfoSz += esd->signerDigestSz + esd->encContentDigestSz;
esd->signerInfoSeqSz = SetSequence(signerInfoSz, esd->signerInfoSeq);
signerInfoSz += esd->signerInfoSeqSz;
} }
/* Calculate the final hash and encrypt it. */
ret = wc_PKCS7_SignedDataBuildSignature(pkcs7, flatSignedAttribs,
flatSignedAttribsSz, esd);
if (ret < 0) {
if (pkcs7->signedAttribsSz != 0)
XFREE(flatSignedAttribs, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
#ifdef WOLFSSL_SMALL_STACK
XFREE(esd, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
#endif
return ret;
}
signerInfoSz += flatSignedAttribsSz + esd->signedAttribSetSz;
esd->signerDigestSz = SetOctetString(esd->encContentDigestSz,
esd->signerDigest);
signerInfoSz += esd->signerDigestSz + esd->encContentDigestSz;
esd->signerInfoSeqSz = SetSequence(signerInfoSz, esd->signerInfoSeq);
signerInfoSz += esd->signerInfoSeqSz;
esd->signerInfoSetSz = SetSet(signerInfoSz, esd->signerInfoSet); esd->signerInfoSetSz = SetSet(signerInfoSz, esd->signerInfoSet);
signerInfoSz += esd->signerInfoSetSz; signerInfoSz += esd->signerInfoSetSz;
@ -2037,11 +2043,12 @@ static int PKCS7_EncodeSigned(PKCS7* pkcs7, ESD* esd,
if (certSetSz > 0) if (certSetSz > 0)
esd->certsSetSz = SetImplicit(ASN_SET, 0, certSetSz, esd->certsSet); esd->certsSetSz = SetImplicit(ASN_SET, 0, certSetSz, esd->certsSet);
esd->singleDigAlgoIdSz = SetAlgoID(pkcs7->hashOID, esd->singleDigAlgoId, if (pkcs7->sidType != DEGENERATE_SID) {
esd->singleDigAlgoIdSz = SetAlgoID(pkcs7->hashOID, esd->singleDigAlgoId,
oidHashType, 0); oidHashType, 0);
}
esd->digAlgoIdSetSz = SetSet(esd->singleDigAlgoIdSz, esd->digAlgoIdSet); esd->digAlgoIdSetSz = SetSet(esd->singleDigAlgoIdSz, esd->digAlgoIdSet);
esd->versionSz = SetMyVersion(1, esd->version, 0); esd->versionSz = SetMyVersion(1, esd->version, 0);
totalSz = esd->versionSz + esd->singleDigAlgoIdSz + esd->digAlgoIdSetSz + totalSz = esd->versionSz + esd->singleDigAlgoIdSz + esd->digAlgoIdSetSz +
@ -2162,6 +2169,8 @@ static int PKCS7_EncodeSigned(PKCS7* pkcs7, ESD* esd,
idx += esd->issuerSKIDSz; idx += esd->issuerSKIDSz;
XMEMCPY(output2 + idx, pkcs7->issuerSubjKeyId, KEYID_SIZE); XMEMCPY(output2 + idx, pkcs7->issuerSubjKeyId, KEYID_SIZE);
idx += KEYID_SIZE; idx += KEYID_SIZE;
} else if (pkcs7->sidType == DEGENERATE_SID) {
/* no signer infos in degenerate case */
} else { } else {
#ifdef WOLFSSL_SMALL_STACK #ifdef WOLFSSL_SMALL_STACK
XFREE(esd, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER); XFREE(esd, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
@ -3913,12 +3922,13 @@ static int PKCS7_VerifySignedData(PKCS7* pkcs7, const byte* hashBuf,
idx++; idx++;
if (GetLength(pkiMsg2, &idx, &length, pkiMsg2Sz) < 0) if (GetLength(pkiMsg2, &idx, &length, pkiMsg2Sz) < 0)
ret = ASN_PARSE_E; ret = ASN_PARSE_E;
}
if (ret != 0) { if (ret != 0) {
break; break;
} }
#ifndef NO_PKCS7_STREAM #ifndef NO_PKCS7_STREAM
if (content != NULL && pkcs7->stream->flagOne) { if (content != NULL && pkcs7->stream->flagOne && length > 0) {
stateIdx = idx; /* case where all data was read from in2 */ stateIdx = idx; /* case where all data was read from in2 */
} }
@ -3931,6 +3941,11 @@ static int PKCS7_VerifySignedData(PKCS7* pkcs7, const byte* hashBuf,
} }
else { else {
pkcs7->stream->expected = MAX_SEQ_SZ; pkcs7->stream->expected = MAX_SEQ_SZ;
if (pkcs7->stream->expected > (pkcs7->stream->maxLen -
pkcs7->stream->totalRd) + pkcs7->stream->length) {
pkcs7->stream->expected = (pkcs7->stream->maxLen -
pkcs7->stream->totalRd) + pkcs7->stream->length;
}
} }
#endif #endif
wc_PKCS7_ChangeState(pkcs7, WC_PKCS7_VERIFY_STAGE4); wc_PKCS7_ChangeState(pkcs7, WC_PKCS7_VERIFY_STAGE4);
@ -4049,7 +4064,6 @@ static int PKCS7_VerifySignedData(PKCS7* pkcs7, const byte* hashBuf,
} }
} }
idx += length; idx += length;
}
if (!detached) { if (!detached) {
/* set content and size after init of PKCS7 structure */ /* set content and size after init of PKCS7 structure */
@ -4290,6 +4304,10 @@ static int PKCS7_VerifySignedData(PKCS7* pkcs7, const byte* hashBuf,
if (ret < 0) { if (ret < 0) {
WOLFSSL_MSG("Failed to set public key OID from signature"); WOLFSSL_MSG("Failed to set public key OID from signature");
} }
else {
/* if previous return was positive then was success */
ret = 0;
}
} }
if (idx >= pkiMsg2Sz) if (idx >= pkiMsg2Sz)
@ -6035,8 +6053,11 @@ static int wc_PKCS7_GenerateBlock(PKCS7* pkcs7, WC_RNG* rng, byte* out,
* IssuerAndSerialNumber unless set with this function or explicitly * IssuerAndSerialNumber unless set with this function or explicitly
* overriden via options when adding RecipientInfo type. * overriden via options when adding RecipientInfo type.
* *
* Using the type DEGENERATE_SID skips over signer information. In degenerate
* cases there are no signers.
*
* pkcs7 - pointer to initialized PKCS7 structure * pkcs7 - pointer to initialized PKCS7 structure
* type - either CMS_ISSUER_AND_SERIAL_NUMBER or CMS_SKID * type - either CMS_ISSUER_AND_SERIAL_NUMBER, CMS_SKID or DEGENERATE_SID
* *
* return 0 on success, negative upon error */ * return 0 on success, negative upon error */
int wc_PKCS7_SetSignerIdentifierType(PKCS7* pkcs7, int type) int wc_PKCS7_SetSignerIdentifierType(PKCS7* pkcs7, int type)
@ -6045,7 +6066,8 @@ int wc_PKCS7_SetSignerIdentifierType(PKCS7* pkcs7, int type)
return BAD_FUNC_ARG; return BAD_FUNC_ARG;
if (type != CMS_ISSUER_AND_SERIAL_NUMBER && if (type != CMS_ISSUER_AND_SERIAL_NUMBER &&
type != CMS_SKID) { type != CMS_SKID &&
type != DEGENERATE_SID) {
return BAD_FUNC_ARG; return BAD_FUNC_ARG;
} }
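Review bot: In the signature-failure path inside the new `if (pkcs7->sidType != DEGENERATE_SID)` block of PKCS7_EncodeSigned, `flatSignedAttribs` is freed only when `pkcs7->signedAttribsSz != 0`, but it is allocated when `esd->signedAttribsSz > 0`. The comment above wc_PKCS7_BuildSignedAttributes says contentType, signingTime and messageDigest are included by default, so the esd size can presumably be non-zero while the caller-supplied size is zero. In that case the buffer would leak whenever wc_PKCS7_SignedDataBuildSignature fails. Guarding the free with the allocation's own condition, `if (esd->signedAttribsSz > 0)`, keeps the two in step. These lines were only re-indented by this commit, and the function body starts and ends outside the hunk.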


@ -167,6 +167,7 @@ enum Cms_Options {
CMS_SKID = 1, CMS_SKID = 1,
CMS_ISSUER_AND_SERIAL_NUMBER = 2, CMS_ISSUER_AND_SERIAL_NUMBER = 2,
}; };
#define DEGENERATE_SID 3
/* CMS/PKCS#7 RecipientInfo types, RFC 5652, Section 6.2 */ /* CMS/PKCS#7 RecipientInfo types, RFC 5652, Section 6.2 */
enum Pkcs7_RecipientInfo_Types { enum Pkcs7_RecipientInfo_Types {
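Review bot: `DEGENERATE_SID` is added as a bare, uncommented `#define` after `enum Cms_Options`, although wc_PKCS7_SetSignerIdentifierType now accepts it alongside `CMS_SKID` and `CMS_ISSUER_AND_SERIAL_NUMBER`. A comment such as `/* signer identifier type for a degenerate signedData bundle: no SignerInfo is encoded */` would tell header readers what selecting it does. Unlike its siblings the name has no `CMS_` prefix, so if this header is installed for applications a macro clash is more likely. Consider whether it can be an enum member with a prefixed name.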