Merge pull request #1881 from SparkiDev/pkcs7_no_si

Return error when attempting to verify signed data without signers

wolfcrypt/src/error.c

@@ -497,6 +497,9 @@ const char* wc_GetErrorString(int error)
     case ZLIB_DECOMPRESS_ERROR:
         return "zlib decompress error";
 
+    case PKCS7_NO_SIGNER_E:
+        return "No signer in PKCS#7 signed data";
+
     default:
         return "unknown error number";
 

wolfcrypt/src/pkcs7.c

@@ -2223,7 +2223,9 @@ static int PKCS7_VerifySignedData(PKCS7* pkcs7, const byte* hashBuf,
     if (GetSet(pkiMsg2, &idx, &length, pkiMsg2Sz) < 0)
         return ASN_PARSE_E;
 
-    if (length > 0) {
+    if (length == 0)
+        return PKCS7_NO_SIGNER_E;
+
     /* Get the sequence of the first signerInfo */
     if (GetSequence(pkiMsg2, &idx, &length, pkiMsg2Sz) < 0)
         return ASN_PARSE_E;
@@ -2303,7 +2305,6 @@ static int PKCS7_VerifySignedData(PKCS7* pkcs7, const byte* hashBuf,
                                              hashBuf, hashSz);
     if (ret < 0)
         return ret;
-    }
 
     return 0;
 }

wolfssl/wolfcrypt/error-crypt.h

@@ -220,7 +220,9 @@ enum {
     ZLIB_COMPRESS_ERROR = -267,   /* zlib compression error  */
     ZLIB_DECOMPRESS_ERROR = -268,  /* zlib decompression error  */
 
-    WC_LAST_E           = -268,  /* Update this to indicate last error */
+    PKCS7_NO_SIGNER_E   = -269,  /* No signer in PKCS#7 signed data msg */
+
+    WC_LAST_E           = -269,  /* Update this to indicate last error */
     MIN_CODE_E          = -300   /* errors -101 - -299 */
 
     /* add new companion error id strings for any new error codes