wolfSSL/wolfssl
1
0
Fork 1
mirror of https://github.com/wolfSSL/wolfssl.git synced 2025-07-31 03:07:29 +02:00
Code Issues Packages Projects Releases Wiki Activity

fix for keyid with ktri cms

Browse Source
This commit is contained in:
Jacob Barthelmeh
2021-06-22 21:33:12 +07:00
parent c4ea64b7fc
commit 3cd43cf692
5 changed files with 61 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
certs/renewcerts.sh
View File

@ -599,6 +599,17 @@ run_renewcerts(){
echo "End of section" echo "End of section"
echo "---------------------------------------------------------------------" echo "---------------------------------------------------------------------"
############################################################ ############################################################
###### generate cms bundles in test directory ##############
############################################################
echo "Generating CMS bundle"
echo ""
cd ./test || { echo "Failed to switch to dir ./test"; exit 1; }
echo "test" | openssl cms -encrypt -binary -keyid -out ktri-keyid-cms.msg -outform der -recip ../client-cert.pem -nocerts
check_result $? "generate ktri-keyid-cms.msg"
cd ../ || exit 1
echo "End of section"
echo "---------------------------------------------------------------------"
############################################################
########## generate ocsp certs ###################### ########## generate ocsp certs ######################
############################################################ ############################################################
echo "Changing directory to ocsp..." echo "Changing directory to ocsp..."

1
certs/test/include.am
View File

@ -48,6 +48,7 @@ EXTRA_DIST += \
certs/test/server-badaltname.pem \ certs/test/server-badaltname.pem \
certs/test/server-localhost.der \ certs/test/server-localhost.der \
certs/test/server-localhost.pem \ certs/test/server-localhost.pem \
certs/test/ktri-keyid-cms.msg \
certs/test/smime-test.p7s \ certs/test/smime-test.p7s \
certs/test/smime-test-canon.p7s \ certs/test/smime-test-canon.p7s \
certs/test/smime-test-multipart.p7s \ certs/test/smime-test-multipart.p7s \

BIN
certs/test/ktri-keyid-cms.msg Normal file
View File

Binary file not shown.

28
tests/api.c
View File

@ -25238,6 +25238,34 @@ static void test_wc_PKCS7_EncodeDecodeEnvelopedData (void)
wc_FreeRng(&rng); wc_FreeRng(&rng);
#endif #endif
#ifdef USE_CERT_BUFFERS_2048
{
byte out[7];
byte *cms;
word32 cmsSz;
XFILE cmsFile;
XMEMSET(out, 0, sizeof(out));
AssertNotNull(pkcs7 = wc_PKCS7_New(HEAP_HINT, devId));
cmsFile = XFOPEN("./certs/test/ktri-keyid-cms.msg", "rb");
AssertTrue(cmsFile != XBADFILE);
cmsSz = (word32)FOURK_BUF;
AssertNotNull(cms =
(byte*)XMALLOC(FOURK_BUF, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER));
cmsSz = (word32)XFREAD(cms, 1, cmsSz, cmsFile);
XFCLOSE(cmsFile);
AssertIntEQ(wc_PKCS7_InitWithCert(pkcs7, (byte*)client_cert_der_2048,
sizeof_client_cert_der_2048), 0);
pkcs7->privateKey = (byte*)client_key_der_2048;
pkcs7->privateKeySz = sizeof_client_key_der_2048;
AssertIntGT(wc_PKCS7_DecodeEnvelopedData(pkcs7, cms, cmsSz, out,
sizeof(out)), 0);
XFREE(cms, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
AssertIntEQ(XMEMCMP(out, "test", 4), 0);
wc_PKCS7_Free(pkcs7);
}
#endif /* USE_CERT_BUFFERS_2048 */
#endif /* HAVE_PKCS7 */ #endif /* HAVE_PKCS7 */
} /* END test_wc_PKCS7_EncodeEnvelopedData() */ } /* END test_wc_PKCS7_EncodeEnvelopedData() */

41
wolfcrypt/src/pkcs7.c
View File

@ -6273,9 +6273,8 @@ int wc_PKCS7_AddRecipient_KTRI(PKCS7* pkcs7, const byte* cert, word32 certSz,
byte issuerSeq[MAX_SEQ_SZ]; byte issuerSeq[MAX_SEQ_SZ];
byte encKeyOctetStr[MAX_OCTET_STR_SZ]; byte encKeyOctetStr[MAX_OCTET_STR_SZ];
byte issuerSKIDSeq[MAX_SEQ_SZ]; byte issuerSKID[MAX_LENGTH_SZ];
byte issuerSKID[MAX_OCTET_STR_SZ]; word32 issuerSKIDSz = 0;
word32 issuerSKIDSeqSz = 0, issuerSKIDSz = 0;
#ifdef WOLFSSL_SMALL_STACK #ifdef WOLFSSL_SMALL_STACK
byte* serial; byte* serial;
@ -6430,9 +6429,7 @@ int wc_PKCS7_AddRecipient_KTRI(PKCS7* pkcs7, const byte* cert, word32 certSz,
verSz = SetMyVersion(2, ver, 0); verSz = SetMyVersion(2, ver, 0);
recip->recipVersion = 2; recip->recipVersion = 2;
issuerSKIDSz = SetOctetString(KEYID_SIZE, issuerSKID); issuerSKIDSz = SetLength(KEYID_SIZE, issuerSKID);
issuerSKIDSeqSz = SetExplicit(0, issuerSKIDSz + KEYID_SIZE,
issuerSKIDSeq);
} else { } else {
FreeDecodedCert(decoded); FreeDecodedCert(decoded);
#ifdef WOLFSSL_SMALL_STACK #ifdef WOLFSSL_SMALL_STACK
@ -6591,11 +6588,11 @@ int wc_PKCS7_AddRecipient_KTRI(PKCS7* pkcs7, const byte* cert, word32 certSz,
} }
} else { } else {
recipSeqSz = SetSequence(verSz + issuerSKIDSeqSz + issuerSKIDSz + recipSeqSz = SetSequence(verSz + ASN_TAG_SZ + issuerSKIDSz +
KEYID_SIZE + keyEncAlgSz + encKeyOctetStrSz + KEYID_SIZE + keyEncAlgSz + encKeyOctetStrSz +
encryptedKeySz, recipSeq); encryptedKeySz, recipSeq);
if (recipSeqSz + verSz + issuerSKIDSeqSz + issuerSKIDSz + KEYID_SIZE + if (recipSeqSz + verSz + ASN_TAG_SZ + issuerSKIDSz + KEYID_SIZE +
keyEncAlgSz + encKeyOctetStrSz + encryptedKeySz > MAX_RECIP_SZ) { keyEncAlgSz + encKeyOctetStrSz + encryptedKeySz > MAX_RECIP_SZ) {
WOLFSSL_MSG("RecipientInfo output buffer too small"); WOLFSSL_MSG("RecipientInfo output buffer too small");
FreeDecodedCert(decoded); FreeDecodedCert(decoded);
@ -6625,8 +6622,8 @@ int wc_PKCS7_AddRecipient_KTRI(PKCS7* pkcs7, const byte* cert, word32 certSz,
XMEMCPY(recip->recip + idx, serial, snSz); XMEMCPY(recip->recip + idx, serial, snSz);
idx += snSz; idx += snSz;
} else { } else {
XMEMCPY(recip->recip + idx, issuerSKIDSeq, issuerSKIDSeqSz); recip->recip[idx] = ASN_CONTEXT_SPECIFIC;
idx += issuerSKIDSeqSz; idx += ASN_TAG_SZ;
XMEMCPY(recip->recip + idx, issuerSKID, issuerSKIDSz); XMEMCPY(recip->recip + idx, issuerSKID, issuerSKIDSz);
idx += issuerSKIDSz; idx += issuerSKIDSz;
XMEMCPY(recip->recip + idx, pkcs7->issuerSubjKeyId, KEYID_SIZE); XMEMCPY(recip->recip + idx, pkcs7->issuerSubjKeyId, KEYID_SIZE);
@ -8420,21 +8417,25 @@ static int wc_PKCS7_DecryptKtri(PKCS7* pkcs7, byte* in, word32 inSz,
#endif #endif
} else { } else {
/* remove SubjectKeyIdentifier */ /* parse SubjectKeyIdentifier
if (GetASNTag(pkiMsg, idx, &tag, pkiMsgSz) < 0) * RFC 5652 lists SubjectKeyIdentifier as [0] followed by
return ASN_PARSE_E; * simple type of octet string
*
if (tag != (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC)) * RecipientIdentifier ::= CHOICE {
return ASN_PARSE_E; * issuerAndSerialNumber IssuerAndSerialNumber,
* subjectKeyIdentifier [0] SubjectKeyIdentifier }
if (GetLength(pkiMsg, idx, &length, pkiMsgSz) < 0) *
return ASN_PARSE_E; * The choice of subjectKeyIdentifer (where version was 2) is
* context specific with tag number 0 within the class.
*/
if (GetASNTag(pkiMsg, idx, &tag, pkiMsgSz) < 0) if (GetASNTag(pkiMsg, idx, &tag, pkiMsgSz) < 0)
return ASN_PARSE_E; return ASN_PARSE_E;
if (tag != ASN_OCTET_STRING) /* should be context specific and tag number 0: [0] (0x80) */
if (tag != ASN_CONTEXT_SPECIFIC) {
return ASN_PARSE_E; return ASN_PARSE_E;
}
if (GetLength(pkiMsg, idx, &length, pkiMsgSz) < 0) if (GetLength(pkiMsg, idx, &length, pkiMsgSz) < 0)
return ASN_PARSE_E; return ASN_PARSE_E;