From 2a60fbd7664796b8e964502aed0d65fea5fd3bca Mon Sep 17 00:00:00 2001 From: Chris Conlon Date: Tue, 14 Aug 2018 15:28:25 -0600 Subject: [PATCH] add support for SubjectKeyIdentifier in CMS SignedData SignerInfo --- Makefile.am | 2 + wolfcrypt/src/pkcs7.c | 143 ++++++++++++++++++++++++++++++++------ wolfcrypt/test/test.c | 83 ++++++++++++++-------- wolfssl/wolfcrypt/pkcs7.h | 10 +++ 4 files changed, 188 insertions(+), 50 deletions(-) diff --git a/Makefile.am b/Makefile.am index b9d60b6da..320115dbb 100644 --- a/Makefile.am +++ b/Makefile.am @@ -60,6 +60,7 @@ CLEANFILES+= cert.der \ pkcs7signedData_RSA_SHA224.der \ pkcs7signedData_RSA_SHA256.der \ pkcs7signedData_RSA_SHA256_custom_contentType.der \ + pkcs7signedData_RSA_SHA256_SKID.der \ pkcs7signedData_RSA_SHA384.der \ pkcs7signedData_RSA_SHA512.der \ pkcs7signedData_ECDSA_SHA.der \ @@ -67,6 +68,7 @@ CLEANFILES+= cert.der \ pkcs7signedData_ECDSA_SHA224.der \ pkcs7signedData_ECDSA_SHA256.der \ pkcs7signedData_ECDSA_SHA256_custom_contentType.der \ + pkcs7signedData_ECDSA_SHA256_SKID.der \ pkcs7signedData_ECDSA_SHA384.der \ pkcs7signedData_ECDSA_SHA512.der diff --git a/wolfcrypt/src/pkcs7.c b/wolfcrypt/src/pkcs7.c index 2d4f2cc45..da38e586e 100644 --- a/wolfcrypt/src/pkcs7.c +++ b/wolfcrypt/src/pkcs7.c @@ -327,6 +327,11 @@ int wc_PKCS7_InitWithCert(PKCS7* pkcs7, byte* cert, word32 certSz) pkcs7->issuerSz = dCert->issuerRawLen; XMEMCPY(pkcs7->issuerSn, dCert->serial, dCert->serialSz); pkcs7->issuerSnSz = dCert->serialSz; + XMEMCPY(pkcs7->issuerSubjKeyId, dCert->extSubjKeyId, KEYID_SIZE); + + /* default to IssuerAndSerialNumber for SignerIdentifier */ + pkcs7->sidType = SID_ISSUER_AND_SERIAL_NUMBER; + FreeDecodedCert(dCert); #ifdef WOLFSSL_SMALL_STACK @@ -537,9 +542,13 @@ typedef struct ESD { byte signerInfoSet[MAX_SET_SZ]; byte signerInfoSeq[MAX_SEQ_SZ]; byte signerVersion[MAX_VERSION_SZ]; + /* issuerAndSerialNumber ...*/ byte issuerSnSeq[MAX_SEQ_SZ]; byte issuerName[MAX_SEQ_SZ]; byte issuerSn[MAX_SN_SZ]; + /* OR subjectKeyIdentifier */ + byte issuerSKIDSeq[MAX_SEQ_SZ]; + byte issuerSKID[MAX_OCTET_STR_SZ]; byte signerDigAlgoId[MAX_ALGO_SZ]; byte digEncAlgoId[MAX_ALGO_SZ]; byte signedAttribSet[MAX_SET_SZ]; @@ -549,8 +558,8 @@ typedef struct ESD { word32 outerSeqSz, outerContentSz, innerSeqSz, versionSz, digAlgoIdSetSz, singleDigAlgoIdSz, certsSetSz; word32 signerInfoSetSz, signerInfoSeqSz, signerVersionSz, - issuerSnSeqSz, issuerNameSz, issuerSnSz, - signerDigAlgoIdSz, digEncAlgoIdSz, signerDigestSz; + issuerSnSeqSz, issuerNameSz, issuerSnSz, issuerSKIDSz, + issuerSKIDSeqSz, signerDigAlgoIdSz, digEncAlgoIdSz, signerDigestSz; word32 encContentDigestSz, signedAttribsSz, signedAttribsCount, signedAttribSetSz; } ESD; @@ -1058,6 +1067,7 @@ static int PKCS7_EncodeSigned(PKCS7* pkcs7, ESD* esd, int digEncAlgoId, digEncAlgoType; byte* flatSignedAttribs = NULL; word32 flatSignedAttribsSz = 0; + word32 innerOidSz = sizeof(innerOid); word32 outerOidSz = sizeof(outerOid); if (pkcs7 == NULL || pkcs7->contentSz == 0 || @@ -1101,14 +1111,34 @@ static int PKCS7_EncodeSigned(PKCS7* pkcs7, ESD* esd, pkcs7->contentTypeSz + esd->innerContSeqSz, esd->contentInfoSeq); - esd->issuerSnSz = SetSerialNumber(pkcs7->issuerSn, pkcs7->issuerSnSz, - esd->issuerSn, MAX_SN_SZ); - signerInfoSz += esd->issuerSnSz; - esd->issuerNameSz = SetSequence(pkcs7->issuerSz, esd->issuerName); - signerInfoSz += esd->issuerNameSz + pkcs7->issuerSz; - esd->issuerSnSeqSz = SetSequence(signerInfoSz, esd->issuerSnSeq); - signerInfoSz += esd->issuerSnSeqSz; - esd->signerVersionSz = SetMyVersion(1, esd->signerVersion, 0); + /* SignerIdentifier */ + if (pkcs7->sidType == SID_ISSUER_AND_SERIAL_NUMBER) { + /* IssuerAndSerialNumber */ + esd->issuerSnSz = SetSerialNumber(pkcs7->issuerSn, pkcs7->issuerSnSz, + esd->issuerSn, MAX_SN_SZ); + signerInfoSz += esd->issuerSnSz; + esd->issuerNameSz = SetSequence(pkcs7->issuerSz, esd->issuerName); + signerInfoSz += esd->issuerNameSz + pkcs7->issuerSz; + esd->issuerSnSeqSz = SetSequence(signerInfoSz, esd->issuerSnSeq); + signerInfoSz += esd->issuerSnSeqSz; + + /* version MUST be 1 */ + esd->signerVersionSz = SetMyVersion(1, esd->signerVersion, 0); + + } else if (pkcs7->sidType == SID_SUBJECT_KEY_IDENTIFIER) { + /* SubjectKeyIdentifier */ + esd->issuerSKIDSz = SetOctetString(KEYID_SIZE, esd->issuerSKID); + esd->issuerSKIDSeqSz = SetExplicit(0, esd->issuerSKIDSz + KEYID_SIZE, + esd->issuerSKIDSeq); + signerInfoSz += (esd->issuerSKIDSz + esd->issuerSKIDSeqSz + + KEYID_SIZE); + + /* version MUST be 3 */ + esd->signerVersionSz = SetMyVersion(3, esd->signerVersion, 0); + } else { + return SKID_E; + } + signerInfoSz += esd->signerVersionSz; esd->signerDigAlgoIdSz = SetAlgoID(pkcs7->hashOID, esd->signerDigAlgoId, oidHashType, 0); @@ -1250,14 +1280,28 @@ static int PKCS7_EncodeSigned(PKCS7* pkcs7, ESD* esd, idx += esd->signerInfoSeqSz; XMEMCPY(output2 + idx, esd->signerVersion, esd->signerVersionSz); idx += esd->signerVersionSz; - XMEMCPY(output2 + idx, esd->issuerSnSeq, esd->issuerSnSeqSz); - idx += esd->issuerSnSeqSz; - XMEMCPY(output2 + idx, esd->issuerName, esd->issuerNameSz); - idx += esd->issuerNameSz; - XMEMCPY(output2 + idx, pkcs7->issuer, pkcs7->issuerSz); - idx += pkcs7->issuerSz; - XMEMCPY(output2 + idx, esd->issuerSn, esd->issuerSnSz); - idx += esd->issuerSnSz; + /* SignerIdentifier */ + if (pkcs7->sidType == SID_ISSUER_AND_SERIAL_NUMBER) { + /* IssuerAndSerialNumber */ + XMEMCPY(output2 + idx, esd->issuerSnSeq, esd->issuerSnSeqSz); + idx += esd->issuerSnSeqSz; + XMEMCPY(output2 + idx, esd->issuerName, esd->issuerNameSz); + idx += esd->issuerNameSz; + XMEMCPY(output2 + idx, pkcs7->issuer, pkcs7->issuerSz); + idx += pkcs7->issuerSz; + XMEMCPY(output2 + idx, esd->issuerSn, esd->issuerSnSz); + idx += esd->issuerSnSz; + } else if (pkcs7->sidType == SID_SUBJECT_KEY_IDENTIFIER) { + /* SubjectKeyIdentifier */ + XMEMCPY(output2 + idx, esd->issuerSKIDSeq, esd->issuerSKIDSeqSz); + idx += esd->issuerSKIDSeqSz; + XMEMCPY(output2 + idx, esd->issuerSKID, esd->issuerSKIDSz); + idx += esd->issuerSKIDSz; + XMEMCPY(output2 + idx, pkcs7->issuerSubjKeyId, KEYID_SIZE); + idx += KEYID_SIZE; + } else { + return SKID_E; + } XMEMCPY(output2 + idx, esd->signerDigAlgoId, esd->signerDigAlgoIdSz); idx += esd->signerDigAlgoIdSz; @@ -2048,7 +2092,7 @@ static int PKCS7_VerifySignedData(PKCS7* pkcs7, const byte* hashBuf, /* Get the inner ContentInfo contentType */ { - word32 localIdx = idx; + localIdx = idx; if (GetASNObjectId(pkiMsg, &idx, &length, pkiMsgSz) != 0) return ASN_PARSE_E; @@ -2299,11 +2343,44 @@ static int PKCS7_VerifySignedData(PKCS7* pkcs7, const byte* hashBuf, if (GetMyVersion(pkiMsg2, &idx, &version, pkiMsg2Sz) < 0) return ASN_PARSE_E; - if (version != 1) { - WOLFSSL_MSG("PKCS#7 signerInfo needs to be of version 1"); + if (version == 1) { + /* Get the sequence of IssuerAndSerialNumber */ + if (GetSequence(pkiMsg, &idx, &length, pkiMsgSz) < 0) + return ASN_PARSE_E; + + /* Skip it */ + idx += length; + + } else if (version == 3) { + /* Get the sequence of SubjectKeyIdentifier */ + if (pkiMsg[idx++] != (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 0)) { + ret = ASN_PARSE_E; + } + + if (ret == 0 && GetLength(pkiMsg, &idx, &length, pkiMsgSz) <= 0) { + ret = ASN_PARSE_E; + } + + if (ret == 0 && pkiMsg[idx++] != ASN_OCTET_STRING) + ret = ASN_PARSE_E; + + if (ret == 0 && GetLength(pkiMsg, &idx, &length, pkiMsgSz) < 0) + ret = ASN_PARSE_E; + + /* Skip it */ + idx += length; + + } else { + WOLFSSL_MSG("PKCS#7 signerInfo version must be 1 or 3"); return ASN_VERSION_E; } + /* Get the sequence of digestAlgorithm */ + if (GetAlgoId(pkiMsg2, &idx, &hashOID, oidHashType, pkiMsg2Sz) < 0) { + return ASN_PARSE_E; + } + pkcs7->hashOID = (int)hashOID; + /* Get the sequence of IssuerAndSerialNumber */ if (GetSequence(pkiMsg2, &idx, &length, pkiMsg2Sz) < 0) return ASN_PARSE_E; @@ -3559,6 +3636,30 @@ static int wc_PKCS7_GenerateIV(PKCS7* pkcs7, WC_RNG* rng, byte* iv, word32 ivSz) } +/* Set SignerIdentifier type to be used in SignedData encoding. Is either + * IssuerAndSerialNumber or SubjectKeyIdentifier. SignedData encoding + * defaults to using IssuerAndSerialNumber unless set with this function. + * + * pkcs7 - pointer to initialized PKCS7 structure + * type - either SID_ISSUER_AND_SERIAL_NUMBER or SID_SUBJECT_KEY_IDENTIFIER + * + * return 0 on success, negative upon error */ +int wc_PKCS7_SetSignerIdentifierType(PKCS7* pkcs7, int type) +{ + if (pkcs7 == NULL) + return BAD_FUNC_ARG; + + if (type != SID_ISSUER_AND_SERIAL_NUMBER && + type != SID_SUBJECT_KEY_IDENTIFIER) { + return BAD_FUNC_ARG; + } + + pkcs7->sidType = type; + + return 0; +} + + /* Set custom contentType, currently supported with SignedData type * * pkcs7 - pointer to initialized PKCS7 structure diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c index ff72d3f27..1a9efe39a 100644 --- a/wolfcrypt/test/test.c +++ b/wolfcrypt/test/test.c @@ -19300,6 +19300,7 @@ typedef struct { const char* outFileName; byte* contentType; word32 contentTypeSz; + int sidType; } pkcs7SignedVector; @@ -19362,42 +19363,48 @@ static int pkcs7signed_run_vectors(byte* rsaCert, word32 rsaCertSz, /* RSA with SHA */ {data, (word32)sizeof(data), SHAh, RSAk, rsaPrivKey, rsaPrivKeySz, rsaCert, rsaCertSz, attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)), - "pkcs7signedData_RSA_SHA.der", NULL, 0}, + "pkcs7signedData_RSA_SHA.der", NULL, 0, 0}, /* RSA with SHA, no signed attributes */ {data, (word32)sizeof(data), SHAh, RSAk, rsaPrivKey, rsaPrivKeySz, rsaCert, rsaCertSz, NULL, 0, - "pkcs7signedData_RSA_SHA_noattr.der", NULL, 0}, + "pkcs7signedData_RSA_SHA_noattr.der", NULL, 0, 0}, #endif #ifdef WOLFSSL_SHA224 /* RSA with SHA224 */ {data, (word32)sizeof(data), SHA224h, RSAk, rsaPrivKey, rsaPrivKeySz, rsaCert, rsaCertSz, attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)), - "pkcs7signedData_RSA_SHA224.der", NULL, 0}, + "pkcs7signedData_RSA_SHA224.der", NULL, 0, 0}, #endif #ifndef NO_SHA256 /* RSA with SHA256 */ {data, (word32)sizeof(data), SHA256h, RSAk, rsaPrivKey, rsaPrivKeySz, rsaCert, rsaCertSz, attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)), - "pkcs7signedData_RSA_SHA256.der", NULL, 0}, + "pkcs7signedData_RSA_SHA256.der", NULL, 0, 0}, + + /* RSA with SHA256 and SubjectKeyIdentifier in SignerIdentifier */ + {data, (word32)sizeof(data), SHA256h, RSAk, rsaPrivKey, rsaPrivKeySz, + rsaCert, rsaCertSz, attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)), + "pkcs7signedData_RSA_SHA256_SKID.der", NULL, 0, + SID_SUBJECT_KEY_IDENTIFIER}, /* RSA with SHA256 and custom contentType */ {data, (word32)sizeof(data), SHA256h, RSAk, rsaPrivKey, rsaPrivKeySz, rsaCert, rsaCertSz, attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)), "pkcs7signedData_RSA_SHA256_custom_contentType.der", customContentType, - sizeof(customContentType)}, + sizeof(customContentType), 0}, #endif #if defined(WOLFSSL_SHA384) /* RSA with SHA384 */ {data, (word32)sizeof(data), SHA384h, RSAk, rsaPrivKey, rsaPrivKeySz, rsaCert, rsaCertSz, attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)), - "pkcs7signedData_RSA_SHA384.der", NULL, 0}, + "pkcs7signedData_RSA_SHA384.der", NULL, 0, 0}, #endif #if defined(WOLFSSL_SHA512) /* RSA with SHA512 */ {data, (word32)sizeof(data), SHA512h, RSAk, rsaPrivKey, rsaPrivKeySz, rsaCert, rsaCertSz, attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)), - "pkcs7signedData_RSA_SHA512.der", NULL, 0}, + "pkcs7signedData_RSA_SHA512.der", NULL, 0, 0}, #endif #endif /* NO_RSA */ @@ -19406,42 +19413,48 @@ static int pkcs7signed_run_vectors(byte* rsaCert, word32 rsaCertSz, /* ECDSA with SHA */ {data, (word32)sizeof(data), SHAh, ECDSAk, eccPrivKey, eccPrivKeySz, eccCert, eccCertSz, attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)), - "pkcs7signedData_ECDSA_SHA.der", NULL, 0}, + "pkcs7signedData_ECDSA_SHA.der", NULL, 0, 0}, /* ECDSA with SHA, no signed attributes */ {data, (word32)sizeof(data), SHAh, ECDSAk, eccPrivKey, eccPrivKeySz, eccCert, eccCertSz, NULL, 0, - "pkcs7signedData_ECDSA_SHA_noattr.der", NULL, 0}, + "pkcs7signedData_ECDSA_SHA_noattr.der", NULL, 0, 0}, #endif #ifdef WOLFSSL_SHA224 /* ECDSA with SHA224 */ {data, (word32)sizeof(data), SHA224h, ECDSAk, eccPrivKey, eccPrivKeySz, eccCert, eccCertSz, attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)), - "pkcs7signedData_ECDSA_SHA224.der", NULL, 0}, + "pkcs7signedData_ECDSA_SHA224.der", NULL, 0, 0}, #endif #ifndef NO_SHA256 /* ECDSA with SHA256 */ {data, (word32)sizeof(data), SHA256h, ECDSAk, eccPrivKey, eccPrivKeySz, eccCert, eccCertSz, attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)), - "pkcs7signedData_ECDSA_SHA256.der", NULL, 0}, + "pkcs7signedData_ECDSA_SHA256.der", NULL, 0, 0}, + + /* ECDSA with SHA256 and SubjectKeyIdentifier in SigherIdentifier */ + {data, (word32)sizeof(data), SHA256h, ECDSAk, eccPrivKey, eccPrivKeySz, + eccCert, eccCertSz, attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)), + "pkcs7signedData_ECDSA_SHA256_SKID.der", NULL, 0, + SID_SUBJECT_KEY_IDENTIFIER}, /* ECDSA with SHA256 and custom contentType */ {data, (word32)sizeof(data), SHA256h, ECDSAk, eccPrivKey, eccPrivKeySz, eccCert, eccCertSz, attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)), "pkcs7signedData_ECDSA_SHA256_custom_contentType.der", - customContentType, sizeof(customContentType)}, + customContentType, sizeof(customContentType), 0}, #endif #ifdef WOLFSSL_SHA384 /* ECDSA with SHA384 */ {data, (word32)sizeof(data), SHA384h, ECDSAk, eccPrivKey, eccPrivKeySz, eccCert, eccCertSz, attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)), - "pkcs7signedData_ECDSA_SHA384.der", NULL, 0}, + "pkcs7signedData_ECDSA_SHA384.der", NULL, 0, 0}, #endif #ifdef WOLFSSL_SHA512 /* ECDSA with SHA512 */ {data, (word32)sizeof(data), SHA512h, ECDSAk, eccPrivKey, eccPrivKeySz, eccCert, eccCertSz, attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)), - "pkcs7signedData_ECDSA_SHA512.der", NULL, 0}, + "pkcs7signedData_ECDSA_SHA512.der", NULL, 0, 0}, #endif #endif /* HAVE_ECC */ }; @@ -19506,6 +19519,18 @@ static int pkcs7signed_run_vectors(byte* rsaCert, word32 rsaCertSz, } } + /* set SignerIdentifier to use SubjectKeyIdentifier if desired, + default is IssuerAndSerialNumber */ + if (testVectors[i].sidType == SID_SUBJECT_KEY_IDENTIFIER) { + ret = wc_PKCS7_SetSignerIdentifierType(pkcs7, + SID_SUBJECT_KEY_IDENTIFIER); + if (ret != 0) { + XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); + wc_PKCS7_Free(pkcs7); + return -9412; + } + } + /* generate senderNonce */ { senderNonce[0] = 0x04; @@ -19515,7 +19540,7 @@ static int pkcs7signed_run_vectors(byte* rsaCert, word32 rsaCertSz, if (ret != 0) { XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); wc_PKCS7_Free(pkcs7); - return -9412; + return -9413; } } @@ -19538,7 +19563,7 @@ static int pkcs7signed_run_vectors(byte* rsaCert, word32 rsaCertSz, if (ret != 0) { XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); wc_PKCS7_Free(pkcs7); - return -9413; + return -9414; } wc_ShaUpdate(&sha, pkcs7->publicKey, pkcs7->publicKeySz); wc_ShaFinal(&sha, digest); @@ -19548,7 +19573,7 @@ static int pkcs7signed_run_vectors(byte* rsaCert, word32 rsaCertSz, if (ret != 0) { XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); wc_PKCS7_Free(pkcs7); - return -9414; + return -9415; } wc_Sha256Update(&sha, pkcs7->publicKey, pkcs7->publicKeySz); wc_Sha256Final(&sha, digest); @@ -19564,7 +19589,7 @@ static int pkcs7signed_run_vectors(byte* rsaCert, word32 rsaCertSz, if (encodedSz < 0) { XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); wc_PKCS7_Free(pkcs7); - return -9415; + return -9416; } #ifdef PKCS7_OUTPUT_TEST_BUNDLES @@ -19573,14 +19598,14 @@ static int pkcs7signed_run_vectors(byte* rsaCert, word32 rsaCertSz, if (!file) { XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); wc_PKCS7_Free(pkcs7); - return -9416; + return -9417; } ret = (int)fwrite(out, 1, encodedSz, file); fclose(file); if (ret != (int)encodedSz) { XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); wc_PKCS7_Free(pkcs7); - return -9417; + return -9418; } #endif /* PKCS7_OUTPUT_TEST_BUNDLES */ @@ -19588,23 +19613,23 @@ static int pkcs7signed_run_vectors(byte* rsaCert, word32 rsaCertSz, pkcs7 = wc_PKCS7_New(HEAP_HINT, INVALID_DEVID); if (pkcs7 == NULL) - return -9418; + return -9419; wc_PKCS7_InitWithCert(pkcs7, NULL, 0); ret = wc_PKCS7_VerifySignedData(pkcs7, out, outSz); if (ret < 0) { XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); wc_PKCS7_Free(pkcs7); - return -9419; + return -9420; } /* verify contentType extracted successfully for custom content types */ if (testVectors[i].contentTypeSz > 0) { if (pkcs7->contentTypeSz != testVectors[i].contentTypeSz) { - return -9420; + return -9421; } else if (XMEMCMP(pkcs7->contentType, testVectors[i].contentType, pkcs7->contentTypeSz) != 0) { - return -9421; + return -9422; } } @@ -19612,7 +19637,7 @@ static int pkcs7signed_run_vectors(byte* rsaCert, word32 rsaCertSz, if (pkcs7->singleCert == NULL || pkcs7->singleCertSz == 0) { XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); wc_PKCS7_Free(pkcs7); - return -9422; + return -9423; } { @@ -19631,13 +19656,13 @@ static int pkcs7signed_run_vectors(byte* rsaCert, word32 rsaCertSz, NULL, (word32*)&bufSz) != LENGTH_ONLY_E) { XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); wc_PKCS7_Free(pkcs7); - return -9423; + return -9424; } if (bufSz > (int)sizeof(buf)) { XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); wc_PKCS7_Free(pkcs7); - return -9424; + return -9425; } bufSz = wc_PKCS7_GetAttributeValue(pkcs7, oidPt, oidSz, @@ -19646,7 +19671,7 @@ static int pkcs7signed_run_vectors(byte* rsaCert, word32 rsaCertSz, (testVectors[i].signedAttribs == NULL && bufSz > 0)) { XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); wc_PKCS7_Free(pkcs7); - return -9425; + return -9426; } } @@ -19655,7 +19680,7 @@ static int pkcs7signed_run_vectors(byte* rsaCert, word32 rsaCertSz, if (!file) { XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); wc_PKCS7_Free(pkcs7); - return -9426; + return -9427; } ret = (int)fwrite(pkcs7->singleCert, 1, pkcs7->singleCertSz, file); fclose(file); diff --git a/wolfssl/wolfcrypt/pkcs7.h b/wolfssl/wolfcrypt/pkcs7.h index 43f7a22ad..6353e14de 100644 --- a/wolfssl/wolfcrypt/pkcs7.h +++ b/wolfssl/wolfcrypt/pkcs7.h @@ -77,6 +77,10 @@ enum Pkcs7_Misc { MAX_SEQ_SZ + MAX_ALGO_SZ + 1 + MAX_ENCRYPTED_KEY_SZ }; +enum Pkcs7_SignerIdentifier_Types { + SID_ISSUER_AND_SERIAL_NUMBER = 0, + SID_SUBJECT_KEY_IDENTIFIER = 1 +}; typedef struct PKCS7Attrib { const byte* oid; @@ -150,6 +154,11 @@ typedef struct PKCS7 { byte contentType[MAX_OID_SZ]; /* custom contentType byte array */ word32 contentTypeSz; /* size of contentType, bytes */ + int sidType; /* SignerIdentifier type to use, of type + Pkcs7_SignerIdentifier_Types, default to + SID_ISSUER_AND_SERIAL_NUMBER */ + byte issuerSubjKeyId[KEYID_SIZE]; /* SubjectKeyIdentifier of singleCert */ + /* !! NEW DATA MEMBERS MUST BE ADDED AT END !! */ } PKCS7; @@ -180,6 +189,7 @@ WOLFSSL_API int wc_PKCS7_DecodeEnvelopedData(PKCS7* pkcs7, byte* pkiMsg, word32 pkiMsgSz, byte* output, word32 outputSz); +WOLFSSL_API int wc_PKCS7_SetSignerIdentifierType(PKCS7* pkcs7, int type); WOLFSSL_API int wc_PKCS7_SetContentType(PKCS7* pkcs7, byte* contentType, word32 sz); WOLFSSL_API int wc_PKCS7_GetPadSize(word32 inputSz, word32 blockSz);