From 3cd43cf692821f7e81ed2f4a38a64928fb944f83 Mon Sep 17 00:00:00 2001
From: Jacob Barthelmeh
Date: Tue, 22 Jun 2021 21:33:12 +0700
Subject: [PATCH] fix for keyid with ktri cms
---
 certs/renewcerts.sh | 11 +++++++++
 certs/test/include.am | 1 +
 certs/test/ktri-keyid-cms.msg | Bin 0 -> 379 bytes
 tests/api.c | 28 +++++++++++++++++++++++
 wolfcrypt/src/pkcs7.c | 41 +++++++++++++++++----------------
 5 files changed, 61 insertions(+), 20 deletions(-)
 create mode 100644 certs/test/ktri-keyid-cms.msg
diff --git a/certs/renewcerts.sh b/certs/renewcerts.sh
index 100c8ab30..c4b999143 100755
--- a/certs/renewcerts.sh
+++ b/certs/renewcerts.sh
@@ -599,6 +599,17 @@ run_renewcerts(){
 echo "End of section"
 echo "---------------------------------------------------------------------"
 ############################################################
+ ###### generate cms bundles in test directory ##############
+ ############################################################
+ echo "Generating CMS bundle"
+ echo ""
+ cd ./test || { echo "Failed to switch to dir ./test"; exit 1; }
+ echo "test" | openssl cms -encrypt -binary -keyid -out ktri-keyid-cms.msg -outform der -recip ../client-cert.pem -nocerts
+ check_result $? "generate ktri-keyid-cms.msg"
+ cd ../ || exit 1
+ echo "End of section"
+ echo "---------------------------------------------------------------------"
+ ############################################################
 ########## generate ocsp certs ######################
 ############################################################
 echo "Changing directory to ocsp..."
diff --git a/certs/test/include.am b/certs/test/include.am
index 795dfd135..1aaa1c0b8 100644
--- a/certs/test/include.am
+++ b/certs/test/include.am
@@ -48,6 +48,7 @@ EXTRA_DIST += \
 certs/test/server-badaltname.pem \
 certs/test/server-localhost.der \
 certs/test/server-localhost.pem \
+ certs/test/ktri-keyid-cms.msg \
 certs/test/smime-test.p7s \
 certs/test/smime-test-canon.p7s \
 certs/test/smime-test-multipart.p7s \
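Review bot: The `openssl cms -encrypt` call added in the renewcerts.sh hunk names no content-encryption cipher, so the algorithm inside ktri-keyid-cms.msg depends on the default of whichever OpenSSL version regenerates it (older releases default to triple DES and newer ones to AES-256-CBC, as far as I know). The test added in tests/api.c is compiled whenever USE_CERT_BUFFERS_2048 is defined, so a regenerated fixture could end up needing a cipher that the build under test does not have. Pinning the cipher, for example by adding `-aes256` to the command, and noting in a comment that `echo` makes the plaintext `test` plus a newline, would keep the fixture reproducible.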
diff --git a/certs/test/ktri-keyid-cms.msg b/certs/test/ktri-keyid-cms.msg
new file mode 100644
index 0000000000000000000000000000000000000000..6418c523e860926cca82c417d3b64b7bde121689
GIT binary patch literal 379 zcmXqLVk~Fl)N1o+`_9YA&b*+BF~gvVF@=ed$*_shz@Ujyhl!D?LB#lmYufdUc8R(W z-U9WB$JMU4rXDchg==JFWMyD!Vr1C()%EDS6WU*u_DnyysDN(K2(6V^(ImNs*W&a}thtj?^x{lK|n6QkC` zl)i}zB--|=8r3fNc5dEeU#ZE_-!#~aT~zq@md!;F-JDRq0qEnPP_?77cycJiSBdt2`3O!Kej%kv)K<^Emv z?4XhCeentV+EkzI(%iLGW>MOs@6P%P{y(2Y@LpQ+)bF@~Hatk!84X0(I3NMb%+A8$ X%+JudP^<1q1BcGn-DhW8Jdp+f&}gR| literal 0 HcmV?d00001
diff --git a/tests/api.c b/tests/api.c
index ef029386b..0105454f5 100644
--- a/tests/api.c
+++ b/tests/api.c
@@ -25238,6 +25238,34 @@ static void test_wc_PKCS7_EncodeDecodeEnvelopedData (void)
 wc_FreeRng(&rng);
 #endif
+#ifdef USE_CERT_BUFFERS_2048
+ {
+ byte out[7];
+ byte *cms;
+ word32 cmsSz;
+ XFILE cmsFile;
+
+ XMEMSET(out, 0, sizeof(out));
+ AssertNotNull(pkcs7 = wc_PKCS7_New(HEAP_HINT, devId));
+ cmsFile = XFOPEN("./certs/test/ktri-keyid-cms.msg", "rb");
+ AssertTrue(cmsFile != XBADFILE);
+ cmsSz = (word32)FOURK_BUF;
+ AssertNotNull(cms =
+ (byte*)XMALLOC(FOURK_BUF, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER));
+ cmsSz = (word32)XFREAD(cms, 1, cmsSz, cmsFile);
+ XFCLOSE(cmsFile);
+
+ AssertIntEQ(wc_PKCS7_InitWithCert(pkcs7, (byte*)client_cert_der_2048,
+ sizeof_client_cert_der_2048), 0);
+ pkcs7->privateKey = (byte*)client_key_der_2048;
+ pkcs7->privateKeySz = sizeof_client_key_der_2048;
+ AssertIntGT(wc_PKCS7_DecodeEnvelopedData(pkcs7, cms, cmsSz, out,
+ sizeof(out)), 0);
+ XFREE(cms, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+ AssertIntEQ(XMEMCMP(out, "test", 4), 0);
+ wc_PKCS7_Free(pkcs7);
+ }
+#endif /* USE_CERT_BUFFERS_2048 */
 #endif /* HAVE_PKCS7 */
 } /* END test_wc_PKCS7_EncodeEnvelopedData() */
diff --git a/wolfcrypt/src/pkcs7.c b/wolfcrypt/src/pkcs7.c
index e257bb8f2..ef1478579 100644
--- a/wolfcrypt/src/pkcs7.c
+++ b/wolfcrypt/src/pkcs7.c
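Review bot: The block added to test_wc_PKCS7_EncodeDecodeEnvelopedData in tests/api.c is guarded only by `USE_CERT_BUFFERS_2048`, yet it opens a file with XFOPEN and decrypts with the RSA client key, so a build without a filesystem or without RSA would break here; consider `#if defined(USE_CERT_BUFFERS_2048) && !defined(NO_FILESYSTEM) && !defined(NO_RSA)`. The XFREAD result is cast into cmsSz and passed on unchecked, so a failed or empty read only surfaces as a decode failure; `AssertIntGT(cmsSz, 0);` right after the read would make that explicit. The decode result is only tested with AssertIntGT while four bytes of `out` are compared, so asserting the exact returned length would pin the behaviour more tightly. The enclosing function starts before the hunk.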
@@ -6273,9 +6273,8 @@ int wc_PKCS7_AddRecipient_KTRI(PKCS7* pkcs7, const byte* cert, word32 certSz, byte issuerSeq[MAX_SEQ_SZ]; byte encKeyOctetStr[MAX_OCTET_STR_SZ]; - byte issuerSKIDSeq[MAX_SEQ_SZ]; - byte issuerSKID[MAX_OCTET_STR_SZ]; - word32 issuerSKIDSeqSz = 0, issuerSKIDSz = 0; + byte issuerSKID[MAX_LENGTH_SZ]; + word32 issuerSKIDSz = 0; #ifdef WOLFSSL_SMALL_STACK byte* serial; @@ -6430,9 +6429,7 @@ int wc_PKCS7_AddRecipient_KTRI(PKCS7* pkcs7, const byte* cert, word32 certSz, verSz = SetMyVersion(2, ver, 0); recip->recipVersion = 2; - issuerSKIDSz = SetOctetString(KEYID_SIZE, issuerSKID); - issuerSKIDSeqSz = SetExplicit(0, issuerSKIDSz + KEYID_SIZE, - issuerSKIDSeq); + issuerSKIDSz = SetLength(KEYID_SIZE, issuerSKID); } else { FreeDecodedCert(decoded); #ifdef WOLFSSL_SMALL_STACK @@ -6591,11 +6588,11 @@ int wc_PKCS7_AddRecipient_KTRI(PKCS7* pkcs7, const byte* cert, word32 certSz, } } else { - recipSeqSz = SetSequence(verSz + issuerSKIDSeqSz + issuerSKIDSz + + recipSeqSz = SetSequence(verSz + ASN_TAG_SZ + issuerSKIDSz + KEYID_SIZE + keyEncAlgSz + encKeyOctetStrSz + encryptedKeySz, recipSeq); - if (recipSeqSz + verSz + issuerSKIDSeqSz + issuerSKIDSz + KEYID_SIZE + + if (recipSeqSz + verSz + ASN_TAG_SZ + issuerSKIDSz + KEYID_SIZE + keyEncAlgSz + encKeyOctetStrSz + encryptedKeySz > MAX_RECIP_SZ) { WOLFSSL_MSG("RecipientInfo output buffer too small"); FreeDecodedCert(decoded); @@ -6625,8 +6622,8 @@ int wc_PKCS7_AddRecipient_KTRI(PKCS7* pkcs7, const byte* cert, word32 certSz, XMEMCPY(recip->recip + idx, serial, snSz); idx += snSz; } else { - XMEMCPY(recip->recip + idx, issuerSKIDSeq, issuerSKIDSeqSz); - idx += issuerSKIDSeqSz; + recip->recip[idx] = ASN_CONTEXT_SPECIFIC; + idx += ASN_TAG_SZ; XMEMCPY(recip->recip + idx, issuerSKID, issuerSKIDSz); idx += issuerSKIDSz; XMEMCPY(recip->recip + idx, pkcs7->issuerSubjKeyId, KEYID_SIZE); 
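Review bot: After this change `issuerSKID` in wc_PKCS7_AddRecipient_KTRI holds only the DER length octets written by SetLength, not a key identifier, so the name now misleads (declaration in the first hunk, SetLength call in the second); a name such as `issuerSKIDLen`, or a comment `/* length octets of the [0] IMPLICIT SubjectKeyIdentifier */`, would help. The tag write in the last hunk, `recip->recip[idx] = ASN_CONTEXT_SPECIFIC;`, deserves a comment saying that the primitive context tag replaces the OCTET STRING tag, which is why no inner header is emitted any more. The size check in the third hunk counts ASN_TAG_SZ for that byte, so the write stays within the bound compared against MAX_RECIP_SZ, assuming `recip->recip` is MAX_RECIP_SZ bytes, which these hunks do not show. Most of the function body lies outside the hunks.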
@@ -8420,21 +8417,25 @@ static int wc_PKCS7_DecryptKtri(PKCS7* pkcs7, byte* in, word32 inSz,
 #endif
 } else {
- /* remove SubjectKeyIdentifier */
- if (GetASNTag(pkiMsg, idx, &tag, pkiMsgSz) < 0)
- return ASN_PARSE_E;
-
- if (tag != (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC))
- return ASN_PARSE_E;
-
- if (GetLength(pkiMsg, idx, &length, pkiMsgSz) < 0)
- return ASN_PARSE_E;
+ /* parse SubjectKeyIdentifier
+ * RFC 5652 lists SubjectKeyIdentifier as [0] followed by
+ * simple type of octet string
+ *
+ * RecipientIdentifier ::= CHOICE {
+ * issuerAndSerialNumber IssuerAndSerialNumber,
+ * subjectKeyIdentifier [0] SubjectKeyIdentifier }
+ *
+ * The choice of subjectKeyIdentifer (where version was 2) is
+ * context specific with tag number 0 within the class.
+ */
 if (GetASNTag(pkiMsg, idx, &tag, pkiMsgSz) < 0)
 return ASN_PARSE_E;
- if (tag != ASN_OCTET_STRING)
+ /* should be context specific and tag number 0: [0] (0x80) */
+ if (tag != ASN_CONTEXT_SPECIFIC) {
 return ASN_PARSE_E;
+ }
 if (GetLength(pkiMsg, idx, &length, pkiMsgSz) < 0)
 return ASN_PARSE_E;
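Review bot: With the inner OCTET STRING header gone, the `length` read by GetLength at the end of this hunk is the only size given for the key identifier, and nothing visible here relates it to KEYID_SIZE. If the code after the hunk does not already do so, the identifier should be compared only when `length == KEYID_SIZE` and the index advanced by `length`, after checking `length` against the remaining input. The tag test now accepts only `ASN_CONTEXT_SPECIFIC`, so messages written by earlier releases in the constructed [0] plus OCTET STRING form will fail with ASN_PARSE_E; that looks intended, but it is worth a line in the commit message or changelog. The added comment spells `subjectKeyIdentifer` and could state that the [0] tag is implicit. wc_PKCS7_DecryptKtri continues past the hunk.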