wolfSSL/wolfssl
1
0
Fork 1
mirror of https://github.com/wolfSSL/wolfssl.git synced 2026-01-31 01:59:15 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #2260 from JacobBarthelmeh/PKCS7

Browse Source 
PKSC7 firmware revision + callback / get SID
This commit is contained in:
Chris Conlon
2019-07-16 10:51:38 -06:00
committed by GitHub
parent 9f1aa1a27c 6e6c93624a
commit 2e308ea82c
8 changed files with 1312 additions and 260 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
tests/api.c
View File

@@ -17451,7 +17451,28 @@ static void test_PKCS7_signed_enveloped(void)
/* check verify fails */
AssertNotNull(pkcs7 = wc_PKCS7_New(NULL, 0));
AssertIntEQ(wc_PKCS7_InitWithCert(pkcs7, cert, certSz), 0);
AssertIntNE(wc_PKCS7_VerifySignedData(pkcs7, sig, sigSz), 0);
AssertIntEQ(wc_PKCS7_VerifySignedData(pkcs7, sig, sigSz),
PKCS7_SIGNEEDS_CHECK);
/* try verifying the signature manually */
{
RsaKey rKey;
word32 idx = 0;
byte digest[MAX_SEQ_SZ + MAX_ALGO_SZ + MAX_OCTET_STR_SZ +
WC_MAX_DIGEST_SIZE];
int digestSz;
AssertIntEQ(wc_InitRsaKey(&rKey, HEAP_HINT), 0);
AssertIntEQ(wc_RsaPrivateKeyDecode(key, &idx, &rKey, keySz), 0);
digestSz = wc_RsaSSL_Verify(pkcs7->signature, pkcs7->signatureSz,
digest, sizeof(digest), &rKey);
AssertIntGT(digestSz, 0);
AssertIntEQ(digestSz, pkcs7->pkcs7DigestSz);
AssertIntEQ(XMEMCMP(digest, pkcs7->pkcs7Digest, digestSz), 0);
AssertIntEQ(wc_FreeRsaKey(&rKey), 0);
/* verify was success */
}
wc_PKCS7_Free(pkcs7);
/* create valid degenerate bundle */
@@ -17467,8 +17488,8 @@ static void test_PKCS7_signed_enveloped(void)
pkcs7->rng = &rng;
AssertIntEQ(wc_PKCS7_SetSignerIdentifierType(pkcs7, DEGENERATE_SID), 0);
AssertIntGT((sigSz = wc_PKCS7_EncodeSignedData(pkcs7, sig, sigSz)), 0);
wc_FreeRng(&rng);
wc_PKCS7_Free(pkcs7);
wc_FreeRng(&rng);
/* check verify */
AssertNotNull(pkcs7 = wc_PKCS7_New(NULL, 0));

8
wolfcrypt/src/asn.c
View File

@@ -281,6 +281,14 @@ WOLFSSL_LOCAL int GetSet(const byte* input, word32* inOutIdx, int* len,
maxIdx);
}
WOLFSSL_LOCAL int GetSet_ex(const byte* input, word32* inOutIdx, int* len,
word32 maxIdx, int check)
{
return GetASNHeader_ex(input, ASN_SET | ASN_CONSTRUCTED, inOutIdx, len,
maxIdx, check);
}
/* Get the DER/BER encoded ASN.1 NULL element.
* Ensure that the all fields are as expected and move index past the element.
*

3
wolfcrypt/src/error.c
View File

@@ -506,6 +506,9 @@ const char* wc_GetErrorString(int error)
case CRYPTOCB_UNAVAILABLE:
return "Crypto callback unavailable";
case PKCS7_SIGNEEDS_CHECK:
return "Signature found but no certificate to verify";
default:
return "unknown error number";

986
wolfcrypt/src/pkcs7.c
View File

File diff suppressed because it is too large Load Diff

516
wolfcrypt/test/test.c
View File

@@ -365,6 +365,7 @@ int scrypt_test(void);
#if defined(HAVE_AESGCM) || defined(HAVE_AESCCM)
int pkcs7authenveloped_test(void);
#endif
int pkcs7callback_test(byte* cert, word32 certSz, byte* key, word32 keySz);
#endif
#if !defined(NO_ASN_TIME) && !defined(NO_RSA) && defined(WOLFSSL_TEST_CERT) && \
!defined(NO_FILESYSTEM)
@@ -20785,6 +20786,117 @@ static int myOriDecryptCb(PKCS7* pkcs7, byte* oriType, word32 oriTypeSz,
}
/* returns 0 on success */
static int myDecryptionFunc(PKCS7* pkcs7, int encryptOID, byte* iv, int ivSz,
byte* aad, word32 aadSz, byte* authTag, word32 authTagSz,
byte* in, int inSz, byte* out, void* usrCtx)
{
int keyId = -1, ret, keySz;
word32 keyIdSz = 8;
const byte* key;
byte keyIdRaw[8];
Aes aes;
/* looking for KEY ID
* fwDecryptKeyID OID "1.2.840.113549.1.9.16.2.37
*/
const unsigned char OID[] = {
/* 0x06, 0x0B do not pass in tag and length */
0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D,
0x01, 0x09, 0x10, 0x02, 0x25
};
const byte defKey[] = {
0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,
0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,
0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,
0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08
};
const byte altKey[] = {
0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,
0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08
};
/* test user context passed in */
if (usrCtx == NULL || *(int*)usrCtx != 1) {
return -1;
}
/* if needing to find keyIdSz can call with NULL */
ret = wc_PKCS7_GetAttributeValue(pkcs7, OID, sizeof(OID), NULL,
&keyIdSz);
if (ret != LENGTH_ONLY_E) {
printf("Unexpected error %d when getting keyIdSz\n", ret);
printf("Possibly no KEY ID attribute set\n");
return -1;
}
else {
XMEMSET(keyIdRaw, 0, sizeof(keyIdRaw));
ret = wc_PKCS7_GetAttributeValue(pkcs7, OID, sizeof(OID), keyIdRaw,
&keyIdSz);
if (ret < 0) {
return ret;
}
if (keyIdSz < 3) {
printf("keyIdSz is smaller than expected\n");
return -1;
}
if (keyIdSz > 2 + sizeof(int)) {
printf("example case was only expecting a keyId of int size\n");
return -1;
}
/* keyIdRaw[0] OCTET TAG */
/* keyIdRaw[1] Length */
keyId = *(int*)(keyIdRaw + 2);
}
/* Use keyID here if found to select key and decrypt in HSM or in this
* example just select key and do software decryption */
if (keyId == 1) {
key = altKey;
keySz = sizeof(altKey);
}
else {
key = defKey;
keySz = sizeof(defKey);
}
switch (encryptOID) {
case AES256CBCb:
if ((keySz != 32 ) || (ivSz != AES_BLOCK_SIZE))
return BAD_FUNC_ARG;
break;
case AES128CBCb:
if ((keySz != 16 ) || (ivSz != AES_BLOCK_SIZE))
return BAD_FUNC_ARG;
break;
default:
printf("Unsupported content cipher type for example");
return ALGO_ID_E;
};
ret = wc_AesInit(&aes, HEAP_HINT, INVALID_DEVID);
if (ret == 0) {
ret = wc_AesSetKey(&aes, key, keySz, iv, AES_DECRYPTION);
if (ret == 0)
ret = wc_AesCbcDecrypt(&aes, out, in, inSz);
wc_AesFree(&aes);
}
(void)aad;
(void)aadSz;
(void)authTag;
(void)authTagSz;
return ret;
}
static int pkcs7enveloped_run_vectors(byte* rsaCert, word32 rsaCertSz,
byte* rsaPrivKey, word32 rsaPrivKeySz,
byte* eccCert, word32 eccCertSz,
@@ -21906,7 +22018,406 @@ int pkcs7authenveloped_test(void)
}
#endif /* HAVE_AESGCM || HAVE_AESCCM */
static const byte defKey[] = {
0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,
0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,
0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,
0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08
};
static const byte altKey[] = {
0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,
0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08
};
static int myCEKwrapFunc(PKCS7* pkcs7, byte* cek, word32 cekSz, byte* keyId,
word32 keyIdSz, byte* orginKey, word32 orginKeySz,
byte* out, word32 outSz, int keyWrapAlgo, int type, int direction)
{
int ret;
if (cek == NULL || out == NULL)
return BAD_FUNC_ARG;
/* test case sanity checks */
if (keyIdSz != 1) {
return -1;
}
if (keyId[0] != 0x00) {
return -1;
}
if (type != (int)PKCS7_KEKRI) {
return -1;
}
switch (keyWrapAlgo) {
case AES256_WRAP:
ret = wc_AesKeyUnWrap(defKey, sizeof(defKey), cek, cekSz,
out, outSz, NULL);
if (ret <= 0)
return ret;
break;
default:
WOLFSSL_MSG("Unsupported key wrap algorithm in example");
return BAD_KEYWRAP_ALG_E;
};
(void)pkcs7;
(void)direction;
(void)orginKey; /* used with KAKRI */
(void)orginKeySz;
return ret;
}
/* returns key size on success */
static int getFirmwareKey(PKCS7* pkcs7, byte* key, word32 keySz)
{
int ret;
word32 atrSz;
byte atr[256];
/* Additionally can look for fwWrappedFirmwareKey
* 1.2.840.113529.1.9.16.1.16 */
const unsigned char fwWrappedFirmwareKey[] = {
/* 0x06, 0x0B */
0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D,
0x01, 0x09, 0x10, 0x02, 0x27
};
/* find keyID in fwWrappedFirmwareKey */
ret = wc_PKCS7_GetAttributeValue(pkcs7, fwWrappedFirmwareKey,
sizeof(fwWrappedFirmwareKey), NULL, &atrSz);
if (ret == LENGTH_ONLY_E) {
XMEMSET(atr, 0, sizeof(atr));
ret = wc_PKCS7_GetAttributeValue(pkcs7, fwWrappedFirmwareKey,
sizeof(fwWrappedFirmwareKey), atr, &atrSz);
/* keyIdRaw[0] OCTET TAG */
/* keyIdRaw[1] Length */
if (ret > 0) {
PKCS7* envPkcs7;
envPkcs7 = wc_PKCS7_New(NULL, 0);
if (envPkcs7 == NULL) {
return MEMORY_E;
}
wc_PKCS7_Init(envPkcs7, NULL, 0);
ret = wc_PKCS7_SetWrapCEKCb(envPkcs7, myCEKwrapFunc);
if (ret == 0) {
/* expecting FIRMWARE_PKG_DATA content */
envPkcs7->contentOID = FIRMWARE_PKG_DATA;
ret = wc_PKCS7_DecodeEnvelopedData(envPkcs7, atr, atrSz,
key, keySz);
}
wc_PKCS7_Free(envPkcs7);
}
}
return ret;
}
/* create a KEKRI enveloped data
* return size on success */
static int envelopedData_encrypt(byte* in, word32 inSz, byte* out,
word32 outSz)
{
int ret;
PKCS7* pkcs7;
const byte keyId[] = { 0x00 };
pkcs7 = wc_PKCS7_New(NULL, INVALID_DEVID);
if (pkcs7 == NULL)
return -1;
pkcs7->content = in;
pkcs7->contentSz = inSz;
pkcs7->contentOID = FIRMWARE_PKG_DATA;
pkcs7->encryptOID = AES256CBCb;
pkcs7->ukm = NULL;
pkcs7->ukmSz = 0;
/* add recipient (KEKRI type) */
ret = wc_PKCS7_AddRecipient_KEKRI(pkcs7, AES256_WRAP, (byte*)defKey,
sizeof(defKey), (byte*)keyId,
sizeof(keyId), NULL, NULL, 0, NULL, 0, 0);
if (ret < 0) {
printf("wc_PKCS7_AddRecipient_KEKRI() failed, ret = %d\n", ret);
wc_PKCS7_Free(pkcs7);
return -1;
}
/* encode envelopedData, returns size */
ret = wc_PKCS7_EncodeEnvelopedData(pkcs7, out, outSz);
if (ret <= 0) {
printf("wc_PKCS7_EncodeEnvelopedData() failed, ret = %d\n", ret);
wc_PKCS7_Free(pkcs7);
return -1;
}
wc_PKCS7_Free(pkcs7);
return ret;
}
/*
* keyHint is the KeyID to be set in the fwDecryptKeyID attribute
* returns size of buffer output on success
*/
static int generateBundle(byte* out, word32 *outSz, const byte* encryptKey,
word32 encryptKeySz, byte keyHint, byte* cert, word32 certSz,
byte* key, word32 keySz)
{
int ret, attribNum = 1;
PKCS7* pkcs7;
/* KEY ID
* fwDecryptKeyID OID 1.2.840.113549.1.9.16.2.37
*/
const unsigned char fwDecryptKeyID[] = {
0x06, 0x0B,
0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D,
0x01, 0x09, 0x10, 0x02, 0x25
};
/* fwWrappedFirmwareKey 1.2.840.113529.1.9.16.1.16 */
const unsigned char fwWrappedFirmwareKey[] = {
0x06, 0x0B, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D,
0x01, 0x09, 0x10, 0x02, 0x27
};
byte keyID[] = { 0x04, 0x01, 0x00 };
byte env[256];
char data[] = "Test of wolfSSL PKCS7 decrypt callback";
PKCS7Attrib attribs[] =
{
{ fwDecryptKeyID, sizeof(fwDecryptKeyID), keyID, sizeof(keyID) },
{ fwWrappedFirmwareKey, sizeof(fwWrappedFirmwareKey), env, 0 }
};
keyID[2] = keyHint;
/* If using keyHint 0 then create a bundle with fwWrappedFirmwareKey */
if (keyHint == 0) {
ret = envelopedData_encrypt((byte*)defKey, sizeof(defKey), env,
sizeof(env));
if (ret <= 0) {
return ret;
}
attribs[1].valueSz = ret;
attribNum++;
}
/* init PKCS7 */
pkcs7 = wc_PKCS7_New(NULL, INVALID_DEVID);
if (pkcs7 == NULL)
return -1;
ret = wc_PKCS7_InitWithCert(pkcs7, cert, certSz);
if (ret != 0) {
printf("ERROR: wc_PKCS7_InitWithCert() failed, ret = %d\n", ret);
wc_PKCS7_Free(pkcs7);
return -1;
}
ret = wc_PKCS7_SetSignerIdentifierType(pkcs7, CMS_SKID);
if (ret != 0) {
wc_PKCS7_Free(pkcs7);
return -1;
}
/* encode Signed Encrypted FirmwarePkgData */
if (encryptKeySz == 16) {
ret = wc_PKCS7_EncodeSignedEncryptedFPD(pkcs7, (byte*)encryptKey,
encryptKeySz, key, keySz, AES128CBCb, RSAk, SHA256h,
(byte*)data, sizeof(data), NULL, 0,
attribs, attribNum, out, *outSz);
}
else {
ret = wc_PKCS7_EncodeSignedEncryptedFPD(pkcs7, (byte*)encryptKey,
encryptKeySz, key, keySz, AES256CBCb, RSAk, SHA256h,
(byte*)data, sizeof(data), NULL, 0,
attribs, attribNum, out, *outSz);
}
if (ret <= 0) {
printf("ERROR: wc_PKCS7_EncodeSignedEncryptedFPD() failed, "
"ret = %d\n", ret);
wc_PKCS7_Free(pkcs7);
return -1;
} else {
*outSz = ret;
}
wc_PKCS7_Free(pkcs7);
return ret;
}
/* test verification and decryption of PKCS7 bundle
* return 0 on success
*/
static int verifyBundle(byte* derBuf, word32 derSz, int keyHint)
{
int ret = 0;
int usrCtx = 1; /* test value to pass as user context to callback */
PKCS7* pkcs7;
byte* sid;
word32 sidSz;
byte key[256];
word32 keySz = sizeof(key);
byte decoded[FOURK_BUF/2];
int decodedSz = FOURK_BUF/2;
const byte expectedSid[] = {
0x33, 0xD8, 0x45, 0x66, 0xD7, 0x68, 0x87, 0x18,
0x7E, 0x54, 0x0D, 0x70, 0x27, 0x91, 0xC7, 0x26,
0xD7, 0x85, 0x65, 0xC0
};
pkcs7 = wc_PKCS7_New(HEAP_HINT, INVALID_DEVID);
if (pkcs7 == NULL) {
return MEMORY_E;
}
/* Test verify */
ret = wc_PKCS7_Init(pkcs7, HEAP_HINT, INVALID_DEVID);
if (ret != 0) {
wc_PKCS7_Free(pkcs7);
return ret;
}
ret = wc_PKCS7_InitWithCert(pkcs7, NULL, 0);
if (ret != 0) {
wc_PKCS7_Free(pkcs7);
return ret;
}
ret = wc_PKCS7_VerifySignedData(pkcs7, derBuf, derSz);
if (ret != 0) {
wc_PKCS7_Free(pkcs7);
return ret;
}
/* Get size of SID and print it out */
ret = wc_PKCS7_GetSignerSID(pkcs7, NULL, &sidSz);
if (ret != LENGTH_ONLY_E) {
wc_PKCS7_Free(pkcs7);
return ret;
}
sid = (byte*)XMALLOC(sidSz, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
if (sid == NULL) {
wc_PKCS7_Free(pkcs7);
return ret;
}
ret = wc_PKCS7_GetSignerSID(pkcs7, sid, &sidSz);
if (ret != 0) {
wc_PKCS7_Free(pkcs7);
XFREE(sid, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
return ret;
}
ret = XMEMCMP(sid, expectedSid, sidSz);
XFREE(sid, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
if (ret != 0) {
wc_PKCS7_Free(pkcs7);
return ret;
}
/* get expected fwWrappedFirmwareKey */
if (keyHint == 0) {
ret = getFirmwareKey(pkcs7, key, keySz);
if (ret < 0) {
wc_PKCS7_Free(pkcs7);
return ret;
}
pkcs7->encryptionKey = key;
pkcs7->encryptionKeySz = ret;
}
else {
decodedSz = sizeof(decoded);
ret = wc_PKCS7_SetDecodeEncryptedCb(pkcs7, myDecryptionFunc);
if (ret != 0) {
wc_PKCS7_Free(pkcs7);
return ret;
}
ret = wc_PKCS7_SetDecodeEncryptedCtx(pkcs7, (void*)&usrCtx);
if (ret != 0) {
wc_PKCS7_Free(pkcs7);
return ret;
}
}
decodedSz = wc_PKCS7_DecodeEncryptedData(pkcs7, pkcs7->content,
pkcs7->contentSz, decoded, decodedSz);
if (decodedSz < 0) {
ret = decodedSz;
wc_PKCS7_Free(pkcs7);
return ret;
}
wc_PKCS7_Free(pkcs7);
return 0;
}
int pkcs7callback_test(byte* cert, word32 certSz, byte* key, word32 keySz)
{
int ret = 0;
byte derBuf[FOURK_BUF/2];
word32 derSz = FOURK_BUF/2;
/* Doing default generation and verify */
ret = generateBundle(derBuf, &derSz, defKey, sizeof(defKey), 0, cert,
certSz, key, keySz);
if (ret <= 0) {
return -10000;
}
ret = verifyBundle(derBuf, derSz, 0);
if (ret != 0) {
return -10001;
}
/* test choosing other key with keyID */
derSz = FOURK_BUF/2;
ret = generateBundle(derBuf, &derSz, altKey, sizeof(altKey), 1,
cert, certSz, key, keySz);
if (ret <= 0) {
return -10002;
}
ret = verifyBundle(derBuf, derSz, 1);
if (ret != 0) {
return -10003;
}
/* test fail case with wrong keyID */
derSz = FOURK_BUF/2;
ret = generateBundle(derBuf, &derSz, defKey, sizeof(defKey), 1,
cert, certSz, key, keySz);
if (ret <= 0) {
return -10004;
}
ret = verifyBundle(derBuf, derSz, 1);
if (ret == 0) {
return -10005;
}
return 0;
}
#ifndef NO_PKCS7_ENCRYPTED_DATA
@@ -23469,6 +23980,11 @@ int pkcs7signed_test(void)
eccClientCertBuf, (word32)eccClientCertBufSz,
eccClientPrivKeyBuf, (word32)eccClientPrivKeyBufSz);
if (ret >= 0)
ret = pkcs7callback_test(
rsaClientCertBuf, (word32)rsaClientCertBufSz,
rsaClientPrivKeyBuf, (word32)rsaClientPrivKeyBufSz);
XFREE(rsaClientCertBuf, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
XFREE(rsaClientPrivKeyBuf, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
XFREE(rsaServerCertBuf, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);

2
wolfssl/wolfcrypt/asn.h
View File

@@ -1025,6 +1025,8 @@ WOLFSSL_LOCAL int GetSequence_ex(const byte* input, word32* inOutIdx, int* len,
word32 maxIdx, int check);
WOLFSSL_LOCAL int GetSet(const byte* input, word32* inOutIdx, int* len,
word32 maxIdx);
WOLFSSL_LOCAL int GetSet_ex(const byte* input, word32* inOutIdx, int* len,
word32 maxIdx, int check);
WOLFSSL_LOCAL int GetMyVersion(const byte* input, word32* inOutIdx,
int* version, word32 maxIdx);
WOLFSSL_LOCAL int GetInt(mp_int* mpi, const byte* input, word32* inOutIdx,

3
wolfssl/wolfcrypt/error-crypt.h
View File

@@ -225,8 +225,9 @@ enum {
WC_PKCS7_WANT_READ_E= -270, /* PKCS7 operations wants more input */
CRYPTOCB_UNAVAILABLE= -271, /* Crypto callback unavailable */
PKCS7_SIGNEEDS_CHECK= -272, /* signature needs verified by caller */
WC_LAST_E = -271, /* Update this to indicate last error */
WC_LAST_E = -272, /* Update this to indicate last error */
MIN_CODE_E = -300 /* errors -101 - -299 */
/* add new companion error id strings for any new error codes

29
wolfssl/wolfcrypt/pkcs7.h
View File

@@ -198,6 +198,7 @@ typedef struct PKCS7State PKCS7State;
typedef struct Pkcs7Cert Pkcs7Cert;
typedef struct Pkcs7EncodedRecip Pkcs7EncodedRecip;
typedef struct PKCS7 PKCS7;
typedef struct PKCS7SignerInfo PKCS7SignerInfo;
/* OtherRecipientInfo decrypt callback prototype */
typedef int (*CallbackOriDecrypt)(PKCS7* pkcs7, byte* oriType, word32 oriTypeSz,
@@ -208,6 +209,15 @@ typedef int (*CallbackOriEncrypt)(PKCS7* pkcs7, byte* cek, word32 cekSz,
byte* oriType, word32* oriTypeSz,
byte* oriValue, word32* oriValueSz,
void* ctx);
typedef int (*CallbackDecryptContent)(PKCS7* pkcs7, int encryptOID,
byte* iv, int ivSz, byte* aad, word32 aadSz,
byte* authTag, word32 authTagSz, byte* in,
int inSz, byte* out, void* ctx);
typedef int (*CallbackWrapCEK)(PKCS7* pkcs7, byte* cek, word32 cekSz,
byte* keyId, word32 keyIdSz,
byte* originKey, word32 originKeySz,
byte* out, word32 outSz,
int keyWrapAlgo, int type, int dir);
/* Public Structure Warning:
* Existing members must not be changed to maintain backwards compatibility!
@@ -295,6 +305,18 @@ struct PKCS7 {
word16 skipDefaultSignedAttribs:1; /* skip adding default signed attribs */
byte version; /* 1 for RFC 2315 and 3 for RFC 4108 */
PKCS7SignerInfo* signerInfo;
CallbackDecryptContent decryptionCb;
CallbackWrapCEK wrapCEKCb;
void* decryptionCtx;
byte* signature;
byte* plainDigest;
byte* pkcs7Digest;
word32 signatureSz;
word32 plainDigestSz;
word32 pkcs7DigestSz;
/* !! NEW DATA MEMBERS MUST BE ADDED AT END !! */
};
@@ -337,6 +359,8 @@ WOLFSSL_API int wc_PKCS7_VerifySignedData_ex(PKCS7* pkcs7, const byte* hashBuf,
word32 pkiMsgHeadSz, byte* pkiMsgFoot,
word32 pkiMsgFootSz);
WOLFSSL_API int wc_PKCS7_GetSignerSID(PKCS7* pkcs7, byte* out, word32* outSz);
/* CMS single-shot API for Signed FirmwarePkgData */
WOLFSSL_API int wc_PKCS7_EncodeSignedFPD(PKCS7* pkcs7, byte* privateKey,
word32 privateKeySz, int signOID,
@@ -412,6 +436,8 @@ WOLFSSL_API int wc_PKCS7_SetOriDecryptCtx(PKCS7* pkcs7, void* ctx);
WOLFSSL_API int wc_PKCS7_SetOriDecryptCb(PKCS7* pkcs7, CallbackOriDecrypt cb);
WOLFSSL_API int wc_PKCS7_AddRecipient_ORI(PKCS7* pkcs7, CallbackOriEncrypt cb,
int options);
WOLFSSL_API int wc_PKCS7_SetWrapCEKCb(PKCS7* pkcs7,
CallbackWrapCEK wrapCEKCb);
/* CMS/PKCS#7 EnvelopedData */
WOLFSSL_API int wc_PKCS7_EncodeEnvelopedData(PKCS7* pkcs7,
@@ -434,6 +460,9 @@ WOLFSSL_API int wc_PKCS7_EncodeEncryptedData(PKCS7* pkcs7,
WOLFSSL_API int wc_PKCS7_DecodeEncryptedData(PKCS7* pkcs7, byte* pkiMsg,
word32 pkiMsgSz, byte* output,
word32 outputSz);
WOLFSSL_API int wc_PKCS7_SetDecodeEncryptedCb(PKCS7* pkcs7,
CallbackDecryptContent decryptionCb);
WOLFSSL_API int wc_PKCS7_SetDecodeEncryptedCtx(PKCS7* pkcs7, void* ctx);
#endif /* NO_PKCS7_ENCRYPTED_DATA */
/* CMS/PKCS#7 CompressedData */