wolfSSL/wolfssl
1
0
Fork 1
mirror of https://github.com/wolfSSL/wolfssl.git synced 2025-07-31 19:24:42 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #6199 from JacobBarthelmeh/PKCS7

Browse Source 
add messageDigest attribute if adding any custom signed attributes
This commit is contained in:
Chris Conlon
2023-04-26 09:23:22 -06:00
committed by GitHub
parent c4233e7aec bbe9c694a6
commit 4526df6d78
2 changed files with 72 additions and 25 deletions
Download Patch File Download Diff File Expand all files Collapse all files

88
wolfcrypt/src/pkcs7.c
View File

@@ -1929,7 +1929,7 @@ static int wc_PKCS7_BuildSignedAttributes(PKCS7* pkcs7, ESD* esd,
return BAD_FUNC_ARG; return BAD_FUNC_ARG;
} }
if (pkcs7->skipDefaultSignedAttribs == 0) { if (pkcs7->defaultSignedAttribs != WOLFSSL_NO_ATTRIBUTES) {
hashSz = wc_HashGetDigestSize(esd->hashType); hashSz = wc_HashGetDigestSize(esd->hashType);
if (hashSz < 0) if (hashSz < 0)
return hashSz; return hashSz;
@@ -1946,23 +1946,34 @@ static int wc_PKCS7_BuildSignedAttributes(PKCS7* pkcs7, ESD* esd,
cannedAttribsCount = sizeof(cannedAttribs)/sizeof(PKCS7Attrib); cannedAttribsCount = sizeof(cannedAttribs)/sizeof(PKCS7Attrib);
cannedAttribs[idx].oid = contentTypeOid; if ((pkcs7->defaultSignedAttribs & WOLFSSL_CONTENT_TYPE_ATTRIBUTE) ||
cannedAttribs[idx].oidSz = contentTypeOidSz; pkcs7->defaultSignedAttribs == 0) {
cannedAttribs[idx].value = contentType; cannedAttribs[idx].oid = contentTypeOid;
cannedAttribs[idx].valueSz = contentTypeSz; cannedAttribs[idx].oidSz = contentTypeOidSz;
idx++; cannedAttribs[idx].value = contentType;
cannedAttribs[idx].valueSz = contentTypeSz;
idx++;
}
#ifndef NO_ASN_TIME #ifndef NO_ASN_TIME
cannedAttribs[idx].oid = signingTimeOid; if ((pkcs7->defaultSignedAttribs & WOLFSSL_SIGNING_TIME_ATTRIBUTE) ||
cannedAttribs[idx].oidSz = signingTimeOidSz; pkcs7->defaultSignedAttribs == 0) {
cannedAttribs[idx].value = signingTime; cannedAttribs[idx].oid = signingTimeOid;
cannedAttribs[idx].valueSz = timeSz; cannedAttribs[idx].oidSz = signingTimeOidSz;
idx++; cannedAttribs[idx].value = signingTime;
cannedAttribs[idx].valueSz = timeSz;
idx++;
}
#endif #endif
cannedAttribs[idx].oid = messageDigestOid;
cannedAttribs[idx].oidSz = messageDigestOidSz; if ((pkcs7->defaultSignedAttribs & WOLFSSL_MESSAGE_DIGEST_ATTRIBUTE) ||
cannedAttribs[idx].value = esd->contentDigest; pkcs7->defaultSignedAttribs == 0) {
cannedAttribs[idx].valueSz = hashSz + 2; /* ASN.1 heading */ cannedAttribs[idx].oid = messageDigestOid;
idx++; cannedAttribs[idx].oidSz = messageDigestOidSz;
cannedAttribs[idx].value = esd->contentDigest;
cannedAttribs[idx].valueSz = hashSz + 2; /* ASN.1 heading */
idx++;
}
esd->signedAttribsCount += cannedAttribsCount; esd->signedAttribsCount += cannedAttribsCount;
esd->signedAttribsSz += EncodeAttributes(&esd->signedAttribs[atrIdx], esd->signedAttribsSz += EncodeAttributes(&esd->signedAttribs[atrIdx],
@@ -1976,15 +1987,9 @@ static int wc_PKCS7_BuildSignedAttributes(PKCS7* pkcs7, ESD* esd,
/* add custom signed attributes if set */ /* add custom signed attributes if set */
if (pkcs7->signedAttribsSz > 0 && pkcs7->signedAttribs != NULL) { if (pkcs7->signedAttribsSz > 0 && pkcs7->signedAttribs != NULL) {
esd->signedAttribsCount += pkcs7->signedAttribsSz; esd->signedAttribsCount += pkcs7->signedAttribsSz;
#ifdef NO_ASN_TIME
esd->signedAttribsSz += EncodeAttributes(&esd->signedAttribs[atrIdx], esd->signedAttribsSz += EncodeAttributes(&esd->signedAttribs[atrIdx],
esd->signedAttribsCount, esd->signedAttribsCount,
pkcs7->signedAttribs, pkcs7->signedAttribsSz); pkcs7->signedAttribs, pkcs7->signedAttribsSz);
#else
esd->signedAttribsSz += EncodeAttributes(&esd->signedAttribs[atrIdx],
esd->signedAttribsCount,
pkcs7->signedAttribs, pkcs7->signedAttribsSz);
#endif
} }
#ifdef NO_ASN_TIME #ifdef NO_ASN_TIME
@@ -2839,14 +2844,49 @@ int wc_PKCS7_SetDetached(PKCS7* pkcs7, word16 flag)
* Returns 0 on success, negative upon error. */ * Returns 0 on success, negative upon error. */
int wc_PKCS7_NoDefaultSignedAttribs(PKCS7* pkcs7) int wc_PKCS7_NoDefaultSignedAttribs(PKCS7* pkcs7)
{ {
if (pkcs7 == NULL) return wc_PKCS7_SetDefaultSignedAttribs(pkcs7, WOLFSSL_NO_ATTRIBUTES);
}
/* By default, SignedData bundles have the following signed attributes attached:
* contentType (1.2.840.113549.1.9.3)
* signingTime (1.2.840.113549.1.9.5)
* messageDigest (1.2.840.113549.1.9.4)
*
* Calling this API before wc_PKCS7_EncodeSignedData() allows control over which
* default attributes are added.
*
* pkcs7 - pointer to initialized PKCS7 structure
*
* Returns 0 on success, negative upon error. */
int wc_PKCS7_SetDefaultSignedAttribs(PKCS7* pkcs7, word16 flag)
{
if (pkcs7 == NULL) {
return BAD_FUNC_ARG; return BAD_FUNC_ARG;
}
pkcs7->skipDefaultSignedAttribs = 1; if (flag & WOLFSSL_NO_ATTRIBUTES) {
if (flag ^ WOLFSSL_NO_ATTRIBUTES) {
WOLFSSL_MSG("Error, can not have additional flags with no "
"attributes flag set");
return BAD_FUNC_ARG;
}
pkcs7->defaultSignedAttribs = 0;
}
/* check for unknown flags */
if (flag & ~(WOLFSSL_CONTENT_TYPE_ATTRIBUTE |
WOLFSSL_SIGNING_TIME_ATTRIBUTE |
WOLFSSL_MESSAGE_DIGEST_ATTRIBUTE | WOLFSSL_NO_ATTRIBUTES)) {
WOLFSSL_MSG("Unknown attribute flags found");
return BAD_FUNC_ARG;
}
pkcs7->defaultSignedAttribs |= flag;
return 0; return 0;
} }
/* return codes: >0: Size of signed PKCS7 output buffer, negative: error */ /* return codes: >0: Size of signed PKCS7 output buffer, negative: error */
int wc_PKCS7_EncodeSignedData(PKCS7* pkcs7, byte* output, word32 outputSz) int wc_PKCS7_EncodeSignedData(PKCS7* pkcs7, byte* output, word32 outputSz)
{ {

9
wolfssl/wolfcrypt/pkcs7.h
View File

@@ -75,6 +75,12 @@
#define MAX_UNAUTH_ATTRIBS_SZ 7 #define MAX_UNAUTH_ATTRIBS_SZ 7
#endif #endif
/* bitmap flag for attributes */
#define WOLFSSL_NO_ATTRIBUTES 0x1
#define WOLFSSL_CONTENT_TYPE_ATTRIBUTE 0x2
#define WOLFSSL_SIGNING_TIME_ATTRIBUTE 0x4
#define WOLFSSL_MESSAGE_DIGEST_ATTRIBUTE 0x8
/* PKCS#7 content types, ref RFC 2315 (Section 14) */ /* PKCS#7 content types, ref RFC 2315 (Section 14) */
enum PKCS7_TYPES { enum PKCS7_TYPES {
PKCS7_MSG = 650, /* 1.2.840.113549.1.7 */ PKCS7_MSG = 650, /* 1.2.840.113549.1.7 */
@@ -312,7 +318,7 @@ struct PKCS7 {
#endif #endif
word32 state; word32 state;
word16 skipDefaultSignedAttribs:1; /* skip adding default signed attribs */ word16 defaultSignedAttribs; /* set which default signed attribs */
byte version; /* 1 for RFC 2315 and 3 for RFC 4108 */ byte version; /* 1 for RFC 2315 and 3 for RFC 4108 */
PKCS7SignerInfo* signerInfo; PKCS7SignerInfo* signerInfo;
@@ -361,6 +367,7 @@ WOLFSSL_API int wc_PKCS7_EncodeData(PKCS7* pkcs7, byte* output,
/* CMS/PKCS#7 SignedData */ /* CMS/PKCS#7 SignedData */
WOLFSSL_API int wc_PKCS7_SetDetached(PKCS7* pkcs7, word16 flag); WOLFSSL_API int wc_PKCS7_SetDetached(PKCS7* pkcs7, word16 flag);
WOLFSSL_API int wc_PKCS7_NoDefaultSignedAttribs(PKCS7* pkcs7); WOLFSSL_API int wc_PKCS7_NoDefaultSignedAttribs(PKCS7* pkcs7);
WOLFSSL_API int wc_PKCS7_SetDefaultSignedAttribs(PKCS7* pkcs7, word16 flag);
WOLFSSL_API int wc_PKCS7_EncodeSignedData(PKCS7* pkcs7, WOLFSSL_API int wc_PKCS7_EncodeSignedData(PKCS7* pkcs7,
byte* output, word32 outputSz); byte* output, word32 outputSz);
WOLFSSL_API int wc_PKCS7_EncodeSignedData_ex(PKCS7* pkcs7, const byte* hashBuf, WOLFSSL_API int wc_PKCS7_EncodeSignedData_ex(PKCS7* pkcs7, const byte* hashBuf,