Merge pull request #2164 from JacobBarthelmeh/PKCS7

adjust location of where PKCS7 content is saved
2025-07-29 18:27:29 +02:00 · 2019-03-15 09:40:17 -07:00
parent 6ff2039b1f 45b6a3b67d
commit 0ef4b7e933
2 changed files with 63 additions and 23 deletions
--- a/tests/api.c
+++ b/tests/api.c
@ -16639,17 +16639,20 @@ static void test_PKCS7_signed_enveloped(void)
 #if defined(HAVE_PKCS7) && !defined(NO_FILESYSTEM) && !defined(NO_RSA)
    XFILE  f;
    PKCS7* pkcs7;
+    PKCS7* inner;
    void*  pt;
    WC_RNG rng;
    unsigned char key[FOURK_BUF/2];
    unsigned char cert[FOURK_BUF/2];
-    unsigned char env[FOURK_BUF/2];
-    int envSz  = FOURK_BUF/2;
+    unsigned char env[FOURK_BUF];
+    int envSz  = FOURK_BUF;
    int keySz;
    int certSz;

-    unsigned char sig[FOURK_BUF];
-    int sigSz = FOURK_BUF;
+    unsigned char sig[FOURK_BUF * 2];
+    int sigSz = FOURK_BUF * 2;
+    unsigned char decoded[FOURK_BUF];
+    int decodedSz = FOURK_BUF;

    printf(testingFmt, "PKCS7_signed_enveloped");

@ -16664,11 +16667,27 @@ static void test_PKCS7_signed_enveloped(void)
    XFCLOSE(f);
    keySz = wolfSSL_KeyPemToDer(key, keySz, key, keySz, NULL);

+    /* sign cert for envelope */
+    AssertNotNull(pkcs7 = wc_PKCS7_New(NULL, 0));
+    AssertIntEQ(wc_InitRng(&rng), 0);
+    AssertIntEQ(wc_PKCS7_InitWithCert(pkcs7, cert, certSz), 0);
+    pkcs7->content    = cert;
+    pkcs7->contentSz  = certSz;
+    pkcs7->contentOID = DATA;
+    pkcs7->privateKey   = key;
+    pkcs7->privateKeySz = keySz;
+    pkcs7->encryptOID   = RSAk;
+    pkcs7->hashOID      = SHA256h;
+    pkcs7->rng          = &rng;
+    AssertIntGT((sigSz = wc_PKCS7_EncodeSignedData(pkcs7, sig, sigSz)), 0);
+    wc_PKCS7_Free(pkcs7);
+    wc_FreeRng(&rng);
+
    /* create envelope */
    AssertNotNull(pkcs7 = wc_PKCS7_New(NULL, 0));
    AssertIntEQ(wc_PKCS7_InitWithCert(pkcs7, cert, certSz), 0);
-    pkcs7->content   = cert;
-    pkcs7->contentSz = certSz;
+    pkcs7->content   = sig;
+    pkcs7->contentSz = sigSz;
    pkcs7->contentOID = DATA;
    pkcs7->encryptOID = AES256CBCb;
    pkcs7->privateKey   = key;
@ -16677,13 +16696,13 @@ static void test_PKCS7_signed_enveloped(void)
    wc_PKCS7_Free(pkcs7);

    /* create signed enveloped data */
+    sigSz = FOURK_BUF * 2;
    AssertNotNull(pkcs7 = wc_PKCS7_New(NULL, 0));
    AssertIntEQ(wc_InitRng(&rng), 0);
    AssertIntEQ(wc_PKCS7_InitWithCert(pkcs7, cert, certSz), 0);
-    pkcs7->content   = env;
-    pkcs7->contentSz = envSz;
+    pkcs7->content    = env;
+    pkcs7->contentSz  = envSz;
    pkcs7->contentOID = DATA;
-    pkcs7->encryptOID = AES256CBCb;
    pkcs7->privateKey   = key;
    pkcs7->privateKeySz = keySz;
    pkcs7->encryptOID   = RSAk;
@ -16703,7 +16722,26 @@ static void test_PKCS7_signed_enveloped(void)
    AssertNotNull(pkcs7 = wc_PKCS7_New(NULL, 0));
    AssertIntEQ(wc_PKCS7_InitWithCert(pkcs7, cert, certSz), 0);
    AssertIntEQ(wc_PKCS7_VerifySignedData(pkcs7, sig, sigSz), 0);
+    AssertNotNull(pkcs7->content);
+
+    /* check decode */
+    AssertNotNull(inner = wc_PKCS7_New(NULL, 0));
+    AssertIntEQ(wc_PKCS7_InitWithCert(inner, cert, certSz), 0);
+    inner->privateKey   = key;
+    inner->privateKeySz = keySz;
+    AssertIntGT((decodedSz = wc_PKCS7_DecodeEnvelopedData(inner, pkcs7->content,
+                   pkcs7->contentSz, decoded, decodedSz)), 0);
+    wc_PKCS7_Free(inner);
    wc_PKCS7_Free(pkcs7);
+
+    /* check cert set */
+    AssertNotNull(pkcs7 = wc_PKCS7_New(NULL, 0));
+    AssertIntEQ(wc_PKCS7_InitWithCert(pkcs7, NULL, 0), 0);
+    AssertIntEQ(wc_PKCS7_VerifySignedData(pkcs7, decoded, decodedSz), 0);
+    AssertNotNull(pkcs7->singleCert);
+    AssertIntNE(pkcs7->singleCertSz, 0);
+    wc_PKCS7_Free(pkcs7);
+
    printf(resultFmt, passed);

 #endif
--- a/wolfcrypt/src/pkcs7.c
+++ b/wolfcrypt/src/pkcs7.c
@ -3884,20 +3884,6 @@ static int PKCS7_VerifySignedData(PKCS7* pkcs7, const byte* hashBuf,
                ret = 0; /* reset ret state on degenerate case */
            }

-            /* Get the implicit[0] set of certificates */
-            if (ret == 0 && idx >= pkiMsg2Sz)
-                ret = BUFFER_E;
-
-            length = 0; /* set length to 0 to check if reading in any certs */
-            if (ret == 0 && pkiMsg2[idx] ==
-                    (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 0)) {
-                idx++;
-                if (GetLength(pkiMsg2, &idx, &length, pkiMsg2Sz) < 0)
-                    ret = ASN_PARSE_E;
-
-                if (ret != 0) {
-                    break;
-                }
        #ifndef NO_PKCS7_STREAM
            /* save content */
            if (detached == 1) {
@ -3919,7 +3905,23 @@ static int PKCS7_VerifySignedData(PKCS7* pkcs7, const byte* hashBuf,
                    pkcs7->stream->contentSz = contentSz;
                }
            }
+        #endif /* !NO_PKCS7_STREAM */

+            /* Get the implicit[0] set of certificates */
+            if (ret == 0 && idx >= pkiMsg2Sz)
+                ret = BUFFER_E;
+
+            length = 0; /* set length to 0 to check if reading in any certs */
+            if (ret == 0 && pkiMsg2[idx] ==
+                    (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 0)) {
+                idx++;
+                if (GetLength(pkiMsg2, &idx, &length, pkiMsg2Sz) < 0)
+                    ret = ASN_PARSE_E;
+
+                if (ret != 0) {
+                    break;
+                }
+        #ifndef NO_PKCS7_STREAM
            if (content != NULL && pkcs7->stream->flagOne) {
                stateIdx = idx; /* case where all data was read from in2 */
            }