feedc0de/wolfssl
1
0
Fork 0
forked from wolfSSL/wolfssl
Code Pull Requests Activity

add storing sig/digest if no certs in bundle

Browse Source
This commit is contained in:
Jacob Barthelmeh
2019-06-03 09:50:03 +07:00
parent d7a86de969
commit f79a119c82
4 changed files with 74 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
wolfcrypt/src/error.c
View File

@@ -506,6 +506,9 @@ const char* wc_GetErrorString(int error)
case CRYPTOCB_UNAVAILABLE: case CRYPTOCB_UNAVAILABLE:
return "Crypto callback unavailable"; return "Crypto callback unavailable";
case PKCS7_SIGNEEDS_CHECK:
return "Signature found but no certificate to verify";
default: default:
return "unknown error number"; return "unknown error number";

69
wolfcrypt/src/pkcs7.c
View File

@@ -1159,6 +1159,17 @@ void wc_PKCS7_Free(PKCS7* pkcs7)
pkcs7->isDynamic = 0; pkcs7->isDynamic = 0;
XFREE(pkcs7, pkcs7->heap, DYNAMIC_TYPE_PKCS7); XFREE(pkcs7, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
} }
if (pkcs7->signature) {
XFREE(pkcs7->signature, pkcs7->heap, DYNAMIC_TYPE_SIGANTURE);
pkcs7->signature = NULL;
pkcs7->signatureSz = 0;
}
if (pkcs7->plainDigest) {
XFREE(pkcs7->plainDigest, pkcs7->heap, DYNAMIC_TYPE_DIGEST);
pkcs7->plainDigest = NULL;
pkcs7->plainDigestSz = 0;
}
} }
@@ -3282,6 +3293,58 @@ static int wc_PKCS7_SignedDataVerifySignature(PKCS7* pkcs7, byte* sig,
return ret; return ret;
} }
/* If no certificates are available then store the signature and hash for
* user to verify. Make sure that different return value than success is
* returned because the signature was not verified here. */
if (ret == 0) {
byte haveCert = 0;
int i;
for (i = 0; i < MAX_PKCS7_CERTS; i++) {
if (pkcs7->certSz[i] == 0)
continue;
haveCert = 1;
}
if (!haveCert) {
WOLFSSL_MSG("No certificates in bundle to verify signature");
/* store signature */
XFREE(pkcs7->signature, pkcs7->heap, DYNAMIC_TYPE_SIGANTURE);
pkcs7->signature = NULL;
pkcs7->signatureSz = 0;
pkcs7->signature = (byte*)XMALLOC(sigSz, pkcs7->heap,
DYNAMIC_TYPE_SIGNATURE);
if (pkcs7->signature == NULL) {
#ifdef WOLFSSL_SMALL_STACK
XFREE(pkcs7Digest, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
#endif
return MEMORY_E;
}
XMEMCPY(pkcs7->signature, sig, sigSz);
pkcs7->signatureSz = sigSz;
/* store digest */
XFREE(pkcs7->plainDigest, pkcs7->heap, DYNAMIC_TYPE_DIGEST);
pkcs7->plainDigest = NULL;
pkcs7->plainDigestSz = 0;
pkcs7->plainDigest = (byte*)XMALLOC(sigSz, pkcs7->heap,
DYNAMIC_TYPE_DIGEST);
if (pkcs7->plainDigest == NULL) {
#ifdef WOLFSSL_SMALL_STACK
XFREE(pkcs7Digest, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
#endif
return MEMORY_E;
}
XMEMCPY(pkcs7->plainDigest, plainDigest, plainDigestSz);
pkcs7->plainDigestSz = plainDigestSz;
return PKCS7_SIGNEEDS_CHECK;
}
}
switch (pkcs7->publicKeyOID) { switch (pkcs7->publicKeyOID) {
#ifndef NO_RSA #ifndef NO_RSA
@@ -4461,10 +4524,6 @@ static int PKCS7_VerifySignedData(PKCS7* pkcs7, const byte* hashBuf,
ret = wc_PKCS7_ParseSignerInfo(pkcs7, pkiMsg2, pkiMsg2Sz, &idx, ret = wc_PKCS7_ParseSignerInfo(pkcs7, pkiMsg2, pkiMsg2Sz, &idx,
degenerate, &signedAttrib, &signedAttribSz); degenerate, &signedAttrib, &signedAttribSz);
/* @TODO if version 3 with RFC 4108 there must be exactly 1
SignerInfo*/
/* parse out the signature if present and verify it */ /* parse out the signature if present and verify it */
if (ret == 0 && length > 0 && degenerate == 0) { if (ret == 0 && length > 0 && degenerate == 0) {
WOLFSSL_MSG("Parsing signature and verifying"); WOLFSSL_MSG("Parsing signature and verifying");
@@ -7203,7 +7262,7 @@ int wc_PKCS7_EncodeEnvelopedData(PKCS7* pkcs7, byte* output, word32 outputSz)
int ret, idx = 0; int ret, idx = 0;
int totalSz, padSz, encryptedOutSz; int totalSz, padSz, encryptedOutSz;
int contentInfoSeqSz, outerContentTypeSz = 0, outerContentSz; int contentInfoSeqSz = 0, outerContentTypeSz = 0, outerContentSz;
byte contentInfoSeq[MAX_SEQ_SZ]; byte contentInfoSeq[MAX_SEQ_SZ];
byte outerContentType[MAX_ALGO_SZ]; byte outerContentType[MAX_ALGO_SZ];
byte outerContent[MAX_SEQ_SZ]; byte outerContent[MAX_SEQ_SZ];

3
wolfssl/wolfcrypt/error-crypt.h
View File

@@ -225,8 +225,9 @@ enum {
WC_PKCS7_WANT_READ_E= -270, /* PKCS7 operations wants more input */ WC_PKCS7_WANT_READ_E= -270, /* PKCS7 operations wants more input */
CRYPTOCB_UNAVAILABLE= -271, /* Crypto callback unavailable */ CRYPTOCB_UNAVAILABLE= -271, /* Crypto callback unavailable */
PKCS7_SIGNEEDS_CHECK= -272, /* signature needs verified by caller */
WC_LAST_E = -271, /* Update this to indicate last error */ WC_LAST_E = -272, /* Update this to indicate last error */
MIN_CODE_E = -300 /* errors -101 - -299 */ MIN_CODE_E = -300 /* errors -101 - -299 */
/* add new companion error id strings for any new error codes /* add new companion error id strings for any new error codes

5
wolfssl/wolfcrypt/pkcs7.h
View File

@@ -308,6 +308,11 @@ struct PKCS7 {
CallbackDecryptContent decryptionCb; CallbackDecryptContent decryptionCb;
CallbackWrapCEK wrapCEKCb; CallbackWrapCEK wrapCEKCb;
void* decryptionCtx; void* decryptionCtx;
byte* signature;
byte* plainDigest;
word32 signatureSz;
word32 plainDigestSz;
/* !! NEW DATA MEMBERS MUST BE ADDED AT END !! */ /* !! NEW DATA MEMBERS MUST BE ADDED AT END !! */
}; };