wolfSSL/wolfssl
1
0
Fork 1
mirror of https://github.com/wolfSSL/wolfssl.git synced 2025-08-03 12:44:45 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #1926 from cconlon/cms2

Browse Source 
CMS expansion, SignedData detached signature support
This commit is contained in:
toddouska
2018-11-26 13:22:26 -08:00
committed by GitHub
parent 4bf61a81e4 09141d479e
commit 4afa0f72fe
5 changed files with 194 additions and 79 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@@ -156,6 +156,7 @@ pkcs7signedData_RSA_SHA256.der
pkcs7signedData_RSA_SHA256_firmwarePkgData.der
pkcs7signedData_RSA_SHA256_SKID.der
pkcs7signedData_RSA_SHA256_with_ca_cert.der
pkcs7signedData_RSA_SHA256_detachedSig.der
pkcs7signedData_RSA_SHA384.der
pkcs7signedData_RSA_SHA512.der
pkcs7signedData_RSA_SHA.der

1
Makefile.am
View File

@@ -88,6 +88,7 @@ CLEANFILES+= cert.der \
pkcs7signedData_RSA_SHA256_custom_contentType.der \
pkcs7signedData_RSA_SHA256_with_ca_cert.der \
pkcs7signedData_RSA_SHA256_SKID.der \
pkcs7signedData_RSA_SHA256_detachedSig.der \
pkcs7signedData_RSA_SHA384.der \
pkcs7signedData_RSA_SHA512.der \
pkcs7signedData_ECDSA_SHA.der \

114
wolfcrypt/src/pkcs7.c
View File

@@ -102,6 +102,7 @@ struct PKCS7State {
#endif
byte multi:1; /* flag for if content is in multiple parts */
byte flagOne:1;
byte detached:1; /* flag to indicate detached signature is present */
};
@@ -177,6 +178,7 @@ static void wc_PKCS7_ResetStream(PKCS7* pkcs7)
pkcs7->stream->multi = 0;
pkcs7->stream->flagOne = 0;
pkcs7->stream->detached = 0;
pkcs7->stream->varOne = 0;
pkcs7->stream->varTwo = 0;
pkcs7->stream->varThree = 0;
@@ -1860,12 +1862,20 @@ static int PKCS7_EncodeSigned(PKCS7* pkcs7, ESD* esd,
esd->contentDigest[1] = (byte)hashSz;
XMEMCPY(&esd->contentDigest[2], hashBuf, hashSz);
esd->innerOctetsSz = SetOctetString(pkcs7->contentSz, esd->innerOctets);
esd->innerContSeqSz = SetExplicit(0, esd->innerOctetsSz + pkcs7->contentSz,
esd->innerContSeq);
esd->contentInfoSeqSz = SetSequence(pkcs7->contentSz + esd->innerOctetsSz +
pkcs7->contentTypeSz + esd->innerContSeqSz,
if (pkcs7->detached == 1) {
/* do not include content if generating detached signature */
esd->innerOctetsSz = 0;
esd->innerContSeqSz = 0;
esd->contentInfoSeqSz = SetSequence(pkcs7->contentTypeSz,
esd->contentInfoSeq);
} else {
esd->innerOctetsSz = SetOctetString(pkcs7->contentSz, esd->innerOctets);
esd->innerContSeqSz = SetExplicit(0, esd->innerOctetsSz +
pkcs7->contentSz, esd->innerContSeq);
esd->contentInfoSeqSz = SetSequence(pkcs7->contentSz +
esd->innerOctetsSz + pkcs7->contentTypeSz +
esd->innerContSeqSz, esd->contentInfoSeq);
}
/* SignerIdentifier */
if (pkcs7->sidType == CMS_ISSUER_AND_SERIAL_NUMBER) {
@@ -1994,6 +2004,10 @@ static int PKCS7_EncodeSigned(PKCS7* pkcs7, ESD* esd,
esd->innerContSeqSz + esd->innerOctetsSz + pkcs7->contentSz;
total2Sz = esd->certsSetSz + certSetSz + signerInfoSz;
if (pkcs7->detached) {
totalSz -= pkcs7->contentSz;
}
esd->innerSeqSz = SetSequence(totalSz + total2Sz, esd->innerSeq);
totalSz += esd->innerSeqSz;
esd->outerContentSz = SetExplicit(0, totalSz + total2Sz, esd->outerContent);
@@ -2011,8 +2025,11 @@ static int PKCS7_EncodeSigned(PKCS7* pkcs7, ESD* esd,
#endif
return BUFFER_E;
}
if (!pkcs7->detached) {
totalSz -= pkcs7->contentSz;
}
}
if (totalSz > *outputSz) {
if (pkcs7->signedAttribsSz != 0)
@@ -2053,8 +2070,10 @@ static int PKCS7_EncodeSigned(PKCS7* pkcs7, ESD* esd,
idx = 0;
}
else {
if (!pkcs7->detached) {
XMEMCPY(output + idx, pkcs7->content, pkcs7->contentSz);
idx += pkcs7->contentSz;
}
output2 = output;
}
@@ -2174,6 +2193,29 @@ int wc_PKCS7_EncodeSignedData_ex(PKCS7* pkcs7, const byte* hashBuf, word32 hashS
return ret;
}
/* Toggle detached signature mode on/off for PKCS#7/CMS SignedData content type.
* By default wolfCrypt includes the data to be signed in the SignedData
* bundle. This data can be ommited in the case when a detached signature is
* being created. To enable generation of detached signatures, set flag to "1",
* otherwise set to "0":
*
* flag 1 turns on support
* flag 0 turns off support
*
* pkcs7 - pointer to initialized PKCS7 structure
* flag - turn on/off detached signature generation (1 or 0)
*
* Returns 0 on success, negative upon error. */
int wc_PKCS7_SetDetached(PKCS7* pkcs7, word16 flag)
{
if (pkcs7 == NULL || (flag != 0 && flag != 1))
return BAD_FUNC_ARG;
pkcs7->detached = flag;
return 0;
}
/* return codes: >0: Size of signed PKCS7 output buffer, negative: error */
int wc_PKCS7_EncodeSignedData(PKCS7* pkcs7, byte* output, word32 outputSz)
{
@@ -3293,6 +3335,7 @@ static int PKCS7_VerifySignedData(PKCS7* pkcs7, const byte* hashBuf,
int contentSz = 0, sigSz = 0, certSz = 0, signedAttribSz = 0;
word32 localIdx, start;
byte degenerate = 0;
byte detached = 0;
#ifdef ASN_BER_TO_DER
byte* der;
#endif
@@ -3528,8 +3571,8 @@ static int PKCS7_VerifySignedData(PKCS7* pkcs7, const byte* hashBuf,
if (pkiMsg[localIdx++] != ASN_OCTET_STRING)
ret = ASN_PARSE_E;
if (ret == 0 && GetLength_ex(pkiMsg, &localIdx, &length, pkiMsgSz,
NO_USER_CHECK) < 0)
if (ret == 0 && GetLength_ex(pkiMsg, &localIdx,
&length, pkiMsgSz, NO_USER_CHECK) < 0)
ret = ASN_PARSE_E;
}
@@ -3542,14 +3585,26 @@ static int PKCS7_VerifySignedData(PKCS7* pkcs7, const byte* hashBuf,
idx = localIdx;
}
else {
if (!degenerate && ret != 0)
/* if pkcs7->content and pkcs7->contentSz are set, try to
process as a detached signature */
if (!degenerate &&
(pkcs7->content != NULL && pkcs7->contentSz != 0)) {
detached = 1;
}
if (!degenerate && !detached && ret != 0)
break;
length = 0; /* no content to read */
pkiMsg2 = pkiMsg;
pkiMsg2Sz = pkiMsgSz;
}
#ifndef NO_PKCS7_STREAM
/* save detached flag value */
pkcs7->stream->detached = detached;
/* save contentType */
pkcs7->stream->nonce = (byte*)XMALLOC(contentTypeSz, pkcs7->heap,
DYNAMIC_TYPE_PKCS7);
@@ -3608,11 +3663,12 @@ static int PKCS7_VerifySignedData(PKCS7* pkcs7, const byte* hashBuf,
localIdx = 0;
}
multiPart = pkcs7->stream->multi;
detached = pkcs7->stream->detached;
#endif
/* Break out before content because it can be optional in degenerate
* cases. */
if (ret != 0)
if (ret != 0 && !detached)
break;
/* get parts of content */
@@ -3701,7 +3757,7 @@ static int PKCS7_VerifySignedData(PKCS7* pkcs7, const byte* hashBuf,
/* If getting the content info failed with non degenerate then return the
* error case. Otherwise with a degenerate it is ok if the content
* info was omitted */
if (!degenerate && ret != 0) {
if (!degenerate && !detached && ret != 0) {
break;
}
else {
@@ -3723,6 +3779,12 @@ static int PKCS7_VerifySignedData(PKCS7* pkcs7, const byte* hashBuf,
}
#ifndef NO_PKCS7_STREAM
/* save content */
if (detached == 1) {
/* if detached, use content from user in pkcs7 struct */
content = pkcs7->content;
contentSz = pkcs7->contentSz;
}
if (content != NULL) {
XFREE(pkcs7->stream->content, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
pkcs7->stream->content = (byte*)XMALLOC(contentSz, pkcs7->heap,
@@ -3771,6 +3833,9 @@ static int PKCS7_VerifySignedData(PKCS7* pkcs7, const byte* hashBuf,
content = pkcs7->stream->content;
contentSz = pkcs7->stream->contentSz;
/* restore detached flag */
detached = pkcs7->stream->detached;
/* store certificate if needed */
if (length > 0 && in2Sz == 0) {
/* free tmpCert if not NULL */
@@ -3867,9 +3932,32 @@ static int PKCS7_VerifySignedData(PKCS7* pkcs7, const byte* hashBuf,
idx += length;
}
if (!detached) {
/* set content and size after init of PKCS7 structure */
pkcs7->content = content;
pkcs7->contentSz = contentSz;
}
#ifndef NO_PKCS7_STREAM
else {
/* save content if detached and using streaming API */
if (pkcs7->content != NULL) {
XFREE(pkcs7->stream->content, pkcs7->heap,
DYNAMIC_TYPE_PKCS7);
pkcs7->stream->content = (byte*)XMALLOC(pkcs7->contentSz,
pkcs7->heap,
DYNAMIC_TYPE_PKCS7);
if (pkcs7->stream->content == NULL) {
ret = MEMORY_E;
break;
}
else {
XMEMCPY(pkcs7->stream->content, pkcs7->content,
contentSz);
pkcs7->stream->contentSz = pkcs7->contentSz;
}
}
}
#endif
if (ret != 0) {
break;
@@ -8881,7 +8969,7 @@ WOLFSSL_API int wc_PKCS7_DecodeEnvelopedData(PKCS7* pkcs7, byte* in,
byte* pkiMsg = in;
word32 pkiMsgSz = inSz;
byte* decryptedKey = NULL;
int encryptedContentSz;
int encryptedContentSz = 0;
byte padLen;
byte* encryptedContent = NULL;
int explicitOctet;
@@ -9720,7 +9808,7 @@ WOLFSSL_API int wc_PKCS7_DecodeAuthEnvelopedData(PKCS7* pkcs7, byte* in,
#else
byte decryptedKey[MAX_ENCRYPTED_KEY_SZ];
#endif
int encryptedContentSz;
int encryptedContentSz = 0;
byte* encryptedContent = NULL;
int explicitOctet = 0;
@@ -10565,7 +10653,7 @@ static int wc_PKCS7_DecodeUnprotectedAttributes(PKCS7* pkcs7, byte* pkiMsg,
int wc_PKCS7_DecodeEncryptedData(PKCS7* pkcs7, byte* in, word32 inSz,
byte* output, word32 outputSz)
{
int ret = 0, version, length, haveAttribs = 0;
int ret = 0, version, length = 0, haveAttribs = 0;
word32 idx = 0;
#ifndef NO_PKCS7_STREAM

141
wolfcrypt/test/test.c
View File

@@ -20595,6 +20595,7 @@ typedef struct {
word32 encryptKeySz; /* for single-shot, encryptedData */
PKCS7Attrib* unprotectedAttribs; /* for single-shot, encryptedData */
word32 unprotectedAttribsSz; /* for single-shot, encryptedData */
word16 detachedSignature; /* generate detached signature (0:1) */
} pkcs7SignedVector;
@@ -20663,14 +20664,15 @@ static int pkcs7signed_run_vectors(
{data, (word32)sizeof(data), SHAh, RSAk, rsaClientPrivKeyBuf,
rsaClientPrivKeyBufSz, rsaClientCertBuf, rsaClientCertBufSz, NULL, 0,
attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)),
"pkcs7signedData_RSA_SHA.der", 0, NULL, 0, 0, 0, 0, NULL, 0, NULL, 0},
"pkcs7signedData_RSA_SHA.der", 0, NULL, 0, 0, 0, 0, NULL, 0, NULL,
0, 0},
/* RSA with SHA, no signed attributes */
{data, (word32)sizeof(data), SHAh, RSAk, rsaClientPrivKeyBuf,
rsaClientPrivKeyBufSz, rsaClientCertBuf, rsaClientCertBufSz,
NULL, 0, NULL, 0,
"pkcs7signedData_RSA_SHA_noattr.der", 0, NULL, 0, 0, 0, 0, NULL, 0,
NULL, 0},
NULL, 0, 0},
#endif
#ifdef WOLFSSL_SHA224
/* RSA with SHA224 */
@@ -20678,7 +20680,7 @@ static int pkcs7signed_run_vectors(
rsaClientPrivKeyBufSz, rsaClientCertBuf, rsaClientCertBufSz, NULL, 0,
attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)),
"pkcs7signedData_RSA_SHA224.der", 0, NULL, 0, 0, 0, 0, NULL, 0,
NULL, 0},
NULL, 0, 0},
#endif
#ifndef NO_SHA256
/* RSA with SHA256 */
@@ -20686,14 +20688,21 @@ static int pkcs7signed_run_vectors(
rsaClientPrivKeyBufSz, rsaClientCertBuf, rsaClientCertBufSz, NULL, 0,
attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)),
"pkcs7signedData_RSA_SHA256.der", 0, NULL, 0, 0, 0, 0, NULL, 0,
NULL, 0},
NULL, 0, 0},
/* RSA with SHA256, detached signature */
{data, (word32)sizeof(data), SHA256h, RSAk, rsaClientPrivKeyBuf,
rsaClientPrivKeyBufSz, rsaClientCertBuf, rsaClientCertBufSz, NULL, 0,
attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)),
"pkcs7signedData_RSA_SHA256_detachedSig.der", 0, NULL, 0, 0, 0, 0,
NULL, 0, NULL, 0, 1},
/* RSA with SHA256 and SubjectKeyIdentifier in SignerIdentifier */
{data, (word32)sizeof(data), SHA256h, RSAk, rsaClientPrivKeyBuf,
rsaClientPrivKeyBufSz, rsaClientCertBuf, rsaClientCertBufSz, NULL, 0,
attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)),
"pkcs7signedData_RSA_SHA256_SKID.der", 0, NULL, 0, CMS_SKID, 0, 0,
NULL, 0, NULL, 0},
NULL, 0, NULL, 0, 0},
/* RSA with SHA256 and custom contentType */
{data, (word32)sizeof(data), SHA256h, RSAk, rsaClientPrivKeyBuf,
@@ -20701,14 +20710,14 @@ static int pkcs7signed_run_vectors(
attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)),
"pkcs7signedData_RSA_SHA256_custom_contentType.der", 0,
customContentType, sizeof(customContentType), 0, 0, 0, NULL, 0,
NULL, 0},
NULL, 0, 0},
/* RSA with SHA256 and FirmwarePkgData contentType */
{data, (word32)sizeof(data), SHA256h, RSAk, rsaClientPrivKeyBuf,
rsaClientPrivKeyBufSz, rsaClientCertBuf, rsaClientCertBufSz, NULL, 0,
attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)),
"pkcs7signedData_RSA_SHA256_firmwarePkgData.der",
FIRMWARE_PKG_DATA, NULL, 0, 0, 0, 0, NULL, 0, NULL, 0},
FIRMWARE_PKG_DATA, NULL, 0, 0, 0, 0, NULL, 0, NULL, 0, 0},
/* RSA with SHA256 using server cert and ca cert */
{data, (word32)sizeof(data), SHA256h, RSAk, rsaServerPrivKeyBuf,
@@ -20716,7 +20725,7 @@ static int pkcs7signed_run_vectors(
rsaCaCertBuf, rsaCaCertBufSz,
attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)),
"pkcs7signedData_RSA_SHA256_with_ca_cert.der", 0, NULL, 0, 0, 0, 0,
NULL, 0, NULL, 0},
NULL, 0, NULL, 0, 0},
#endif
#if defined(WOLFSSL_SHA384)
/* RSA with SHA384 */
@@ -20724,7 +20733,7 @@ static int pkcs7signed_run_vectors(
rsaClientPrivKeyBufSz, rsaClientCertBuf, rsaClientCertBufSz, NULL, 0,
attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)),
"pkcs7signedData_RSA_SHA384.der", 0, NULL, 0, 0, 0, 0, NULL, 0,
NULL, 0},
NULL, 0, 0},
#endif
#if defined(WOLFSSL_SHA512)
/* RSA with SHA512 */
@@ -20732,7 +20741,7 @@ static int pkcs7signed_run_vectors(
rsaClientPrivKeyBufSz, rsaClientCertBuf, rsaClientCertBufSz, NULL, 0,
attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)),
"pkcs7signedData_RSA_SHA512.der", 0, NULL, 0, 0, 0, 0, NULL, 0,
NULL, 0},
NULL, 0, 0},
#endif
#endif /* NO_RSA */
@@ -20743,14 +20752,14 @@ static int pkcs7signed_run_vectors(
eccClientPrivKeyBufSz, eccClientCertBuf, eccClientCertBufSz, NULL, 0,
attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)),
"pkcs7signedData_ECDSA_SHA.der", 0, NULL, 0, 0, 0, 0, NULL, 0,
NULL, 0},
NULL, 0, 0},
/* ECDSA with SHA, no signed attributes */
{data, (word32)sizeof(data), SHAh, ECDSAk, eccClientPrivKeyBuf,
eccClientPrivKeyBufSz, eccClientCertBuf, eccClientCertBufSz,
NULL, 0, NULL, 0,
"pkcs7signedData_ECDSA_SHA_noattr.der", 0, NULL, 0, 0, 0, 0, NULL, 0,
NULL, 0},
NULL, 0, 0},
#endif
#ifdef WOLFSSL_SHA224
/* ECDSA with SHA224 */
@@ -20758,7 +20767,7 @@ static int pkcs7signed_run_vectors(
eccClientPrivKeyBufSz, eccClientCertBuf, eccClientCertBufSz, NULL, 0,
attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)),
"pkcs7signedData_ECDSA_SHA224.der", 0, NULL, 0, 0, 0, 0, NULL, 0,
NULL, 0},
NULL, 0, 0},
#endif
#ifndef NO_SHA256
/* ECDSA with SHA256 */
@@ -20766,14 +20775,14 @@ static int pkcs7signed_run_vectors(
eccClientPrivKeyBufSz, eccClientCertBuf, eccClientCertBufSz, NULL, 0,
attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)),
"pkcs7signedData_ECDSA_SHA256.der", 0, NULL, 0, 0, 0, 0, NULL, 0,
NULL, 0},
NULL, 0, 0},
/* ECDSA with SHA256 and SubjectKeyIdentifier in SigherIdentifier */
{data, (word32)sizeof(data), SHA256h, ECDSAk, eccClientPrivKeyBuf,
eccClientPrivKeyBufSz, eccClientCertBuf, eccClientCertBufSz, NULL, 0,
attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)),
"pkcs7signedData_ECDSA_SHA256_SKID.der", 0, NULL, 0, CMS_SKID, 0, 0,
NULL, 0, NULL, 0},
NULL, 0, NULL, 0, 0},
/* ECDSA with SHA256 and custom contentType */
{data, (word32)sizeof(data), SHA256h, ECDSAk, eccClientPrivKeyBuf,
@@ -20781,14 +20790,14 @@ static int pkcs7signed_run_vectors(
attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)),
"pkcs7signedData_ECDSA_SHA256_custom_contentType.der", 0,
customContentType, sizeof(customContentType), 0, 0, 0, NULL, 0,
NULL, 0},
NULL, 0, 0},
/* ECDSA with SHA256 and FirmwarePkgData contentType */
{data, (word32)sizeof(data), SHA256h, ECDSAk, eccClientPrivKeyBuf,
eccClientPrivKeyBufSz, eccClientCertBuf, eccClientCertBufSz, NULL, 0,
attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)),
"pkcs7signedData_ECDSA_SHA256_firmwarePkgData.der",
FIRMWARE_PKG_DATA, NULL, 0, 0, 0, 0, NULL, 0, NULL, 0},
FIRMWARE_PKG_DATA, NULL, 0, 0, 0, 0, NULL, 0, NULL, 0, 0},
#endif
#ifdef WOLFSSL_SHA384
/* ECDSA with SHA384 */
@@ -20796,7 +20805,7 @@ static int pkcs7signed_run_vectors(
eccClientPrivKeyBufSz, eccClientCertBuf, eccClientCertBufSz, NULL, 0,
attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)),
"pkcs7signedData_ECDSA_SHA384.der", 0, NULL, 0, 0, 0, 0, NULL, 0,
NULL, 0},
NULL, 0, 0},
#endif
#ifdef WOLFSSL_SHA512
/* ECDSA with SHA512 */
@@ -20804,7 +20813,7 @@ static int pkcs7signed_run_vectors(
eccClientPrivKeyBufSz, eccClientCertBuf, eccClientCertBufSz, NULL, 0,
attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)),
"pkcs7signedData_ECDSA_SHA512.der", 0, NULL, 0, 0, 0, 0, NULL, 0,
NULL, 0},
NULL, 0, 0},
#endif
#endif /* HAVE_ECC */
};
@@ -20835,12 +20844,10 @@ static int pkcs7signed_run_vectors(
}
for (i = 0; i < testSz; i++) {
pkcs7 = wc_PKCS7_New(HEAP_HINT, INVALID_DEVID);
pkcs7 = wc_PKCS7_New(HEAP_HINT, devId);
if (pkcs7 == NULL)
return -9513;
pkcs7->heap = HEAP_HINT;
pkcs7->devId = INVALID_DEVID;
ret = wc_PKCS7_InitWithCert(pkcs7, testVectors[i].cert,
(word32)testVectors[i].certSz);
@@ -20949,11 +20956,21 @@ static int pkcs7signed_run_vectors(
}
}
/* enable detached signature generation, if set */
if (testVectors[i].detachedSignature == 1) {
ret = wc_PKCS7_SetDetached(pkcs7, 1);
if (ret != 0) {
XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
wc_PKCS7_Free(pkcs7);
return -9521;
}
}
encodedSz = wc_PKCS7_EncodeSignedData(pkcs7, out, outSz);
if (encodedSz < 0) {
XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
wc_PKCS7_Free(pkcs7);
return -9521;
return -9522;
}
#ifdef PKCS7_OUTPUT_TEST_BUNDLES
@@ -20962,45 +20979,51 @@ static int pkcs7signed_run_vectors(
if (!file) {
XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
wc_PKCS7_Free(pkcs7);
return -9522;
return -9523;
}
ret = (int)fwrite(out, 1, encodedSz, file);
fclose(file);
if (ret != (int)encodedSz) {
XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
wc_PKCS7_Free(pkcs7);
return -9526;
return -9524;
}
#endif /* PKCS7_OUTPUT_TEST_BUNDLES */
wc_PKCS7_Free(pkcs7);
pkcs7 = wc_PKCS7_New(HEAP_HINT, INVALID_DEVID);
pkcs7 = wc_PKCS7_New(HEAP_HINT, devId);
if (pkcs7 == NULL)
return -9527;
return -9525;
wc_PKCS7_InitWithCert(pkcs7, NULL, 0);
if (testVectors[i].detachedSignature == 1) {
/* set content for verifying detached signatures */
pkcs7->content = (byte*)testVectors[i].content;
pkcs7->contentSz = testVectors[i].contentSz;
}
ret = wc_PKCS7_VerifySignedData(pkcs7, out, outSz);
if (ret < 0) {
XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
wc_PKCS7_Free(pkcs7);
return -9528;
return -9526;
}
/* verify contentType extracted successfully for custom content types */
if (testVectors[i].contentTypeSz > 0) {
if (pkcs7->contentTypeSz != testVectors[i].contentTypeSz) {
return -9529;
return -9527;
} else if (XMEMCMP(pkcs7->contentType, testVectors[i].contentType,
pkcs7->contentTypeSz) != 0) {
return -9530;
return -9528;
}
}
if (pkcs7->singleCert == NULL || pkcs7->singleCertSz == 0) {
XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
wc_PKCS7_Free(pkcs7);
return -9531;
return -9529;
}
{
@@ -21019,13 +21042,13 @@ static int pkcs7signed_run_vectors(
NULL, (word32*)&bufSz) != LENGTH_ONLY_E) {
XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
wc_PKCS7_Free(pkcs7);
return -9532;
return -9530;
}
if (bufSz > (int)sizeof(buf)) {
XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
wc_PKCS7_Free(pkcs7);
return -9533;
return -9531;
}
bufSz = wc_PKCS7_GetAttributeValue(pkcs7, oidPt, oidSz,
@@ -21034,7 +21057,7 @@ static int pkcs7signed_run_vectors(
(testVectors[i].signedAttribs == NULL && bufSz > 0)) {
XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
wc_PKCS7_Free(pkcs7);
return -9534;
return -9532;
}
}
@@ -21043,7 +21066,7 @@ static int pkcs7signed_run_vectors(
if (!file) {
XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
wc_PKCS7_Free(pkcs7);
return -9535;
return -9533;
}
ret = (int)fwrite(pkcs7->singleCert, 1, pkcs7->singleCertSz, file);
fclose(file);
@@ -21133,21 +21156,21 @@ static int pkcs7signed_run_SingleShotVectors(
rsaClientPrivKeyBufSz, rsaClientCertBuf, rsaClientCertBufSz, NULL, 0,
NULL, 0,
"pkcs7signedFirmwarePkgData_RSA_SHA256_noattr.der", 0, NULL, 0, 0,
0, 0, NULL, 0, NULL, 0},
0, 0, NULL, 0, NULL, 0, 0},
/* Signed FirmwarePkgData, RSA, SHA256, attrs */
{data, (word32)sizeof(data), SHA256h, RSAk, rsaClientPrivKeyBuf,
rsaClientPrivKeyBufSz, rsaClientCertBuf, rsaClientCertBufSz, NULL, 0,
attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)),
"pkcs7signedFirmwarePkgData_RSA_SHA256.der", 0, NULL, 0, 0, 0, 0,
NULL, 0, NULL, 0},
NULL, 0, NULL, 0, 0},
/* Signed FirmwarePkgData, RSA, SHA256, SubjectKeyIdentifier, attrs */
{data, (word32)sizeof(data), SHA256h, RSAk, rsaClientPrivKeyBuf,
rsaClientPrivKeyBufSz, rsaClientCertBuf, rsaClientCertBufSz, NULL, 0,
attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)),
"pkcs7signedFirmwarePkgData_RSA_SHA256_SKID.der", 0, NULL,
0, CMS_SKID, 0, 0, NULL, 0, NULL, 0},
0, CMS_SKID, 0, 0, NULL, 0, NULL, 0, 0},
/* Signed FirmwraePkgData, RSA, SHA256, server cert and ca cert, attr */
{data, (word32)sizeof(data), SHA256h, RSAk, rsaServerPrivKeyBuf,
@@ -21155,7 +21178,7 @@ static int pkcs7signed_run_SingleShotVectors(
rsaCaCertBuf, rsaCaCertBufSz,
attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)),
"pkcs7signedFirmwarePkgData_RSA_SHA256_with_ca_cert.der", 0, NULL,
0, 0, 0, 0, NULL, 0, NULL, 0},
0, 0, 0, 0, NULL, 0, NULL, 0, 0},
#if defined(WOLFSSL_AES_256) && !defined(NO_PKCS7_ENCRYPTED_DATA)
/* Signed Encrypted FirmwarePkgData, RSA, SHA256, no attribs */
@@ -21163,7 +21186,7 @@ static int pkcs7signed_run_SingleShotVectors(
rsaClientPrivKeyBufSz, rsaClientCertBuf, rsaClientCertBufSz, NULL, 0,
NULL, 0,
"pkcs7signedEncryptedFirmwarePkgData_RSA_SHA256_noattr.der", 0,
NULL, 0, 0, AES256CBCb, 1, aes256Key, sizeof(aes256Key), NULL, 0},
NULL, 0, 0, AES256CBCb, 1, aes256Key, sizeof(aes256Key), NULL, 0, 0},
/* Signed Encrypted FirmwarePkgData, RSA, SHA256, attribs */
{data, (word32)sizeof(data), SHA256h, RSAk, rsaClientPrivKeyBuf,
@@ -21171,7 +21194,7 @@ static int pkcs7signed_run_SingleShotVectors(
attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)),
"pkcs7signedEncryptedFirmwarePkgData_RSA_SHA256.der", 0,
NULL, 0, 0, AES256CBCb, 1, aes256Key, sizeof(aes256Key),
attribs, (sizeof(attribs)/sizeof(PKCS7Attrib))},
attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)), 0},
#endif /* WOLFSSL_AES_256 && !NO_PKCS7_ENCRYPTED_DATA */
#if defined(HAVE_LIBZ) && !defined(NO_PKCS7_COMPRESSED_DATA)
@@ -21180,14 +21203,14 @@ static int pkcs7signed_run_SingleShotVectors(
rsaClientPrivKeyBufSz, rsaClientCertBuf, rsaClientCertBufSz, NULL, 0,
NULL, 0,
"pkcs7signedCompressedFirmwarePkgData_RSA_SHA256_noattr.der", 0,
NULL, 0, 0, 0, 2, NULL, 0, NULL, 0},
NULL, 0, 0, 0, 2, NULL, 0, NULL, 0, 0},
/* Signed Compressed FirmwarePkgData, RSA, SHA256, attribs */
{data, (word32)sizeof(data), SHA256h, RSAk, rsaClientPrivKeyBuf,
rsaClientPrivKeyBufSz, rsaClientCertBuf, rsaClientCertBufSz, NULL, 0,
attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)),
"pkcs7signedCompressedFirmwarePkgData_RSA_SHA256.der", 0,
NULL, 0, 0, 0, 2, NULL, 0, NULL, 0},
NULL, 0, 0, 0, 2, NULL, 0, NULL, 0, 0},
#ifndef NO_PKCS7_ENCRYPTED_DATA
/* Signed Encrypted Compressed FirmwarePkgData, RSA, SHA256,
@@ -21196,7 +21219,8 @@ static int pkcs7signed_run_SingleShotVectors(
rsaClientPrivKeyBufSz, rsaClientCertBuf, rsaClientCertBufSz, NULL, 0,
NULL, 0,
"pkcs7signedEncryptedCompressedFirmwarePkgData_RSA_SHA256_noattr.der",
0, NULL, 0, 0, AES256CBCb, 3, aes256Key, sizeof(aes256Key), NULL, 0},
0, NULL, 0, 0, AES256CBCb, 3, aes256Key, sizeof(aes256Key), NULL,
0, 0},
/* Signed Encrypted Compressed FirmwarePkgData, RSA, SHA256,
attribs */
@@ -21205,7 +21229,7 @@ static int pkcs7signed_run_SingleShotVectors(
attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)),
"pkcs7signedEncryptedCompressedFirmwarePkgData_RSA_SHA256.der",
0, NULL, 0, 0, AES256CBCb, 3, aes256Key, sizeof(aes256Key),
attribs, (sizeof(attribs)/sizeof(PKCS7Attrib))},
attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)), 0},
#endif /* !NO_PKCS7_ENCRYPTED_DATA */
#endif /* HAVE_LIBZ && !NO_PKCS7_COMPRESSED_DATA */
@@ -21220,21 +21244,21 @@ static int pkcs7signed_run_SingleShotVectors(
eccClientPrivKeyBufSz, eccClientCertBuf, eccClientCertBufSz, NULL, 0,
NULL, 0,
"pkcs7signedFirmwarePkgData_ECDSA_SHA256_noattr.der", 0, NULL,
0, 0, 0, 0, NULL, 0, NULL, 0},
0, 0, 0, 0, NULL, 0, NULL, 0, 0},
/* Signed FirmwarePkgData, ECDSA, SHA256, attribs */
{data, (word32)sizeof(data), SHA256h, ECDSAk, eccClientPrivKeyBuf,
eccClientPrivKeyBufSz, eccClientCertBuf, eccClientCertBufSz, NULL, 0,
attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)),
"pkcs7signedFirmwarePkgData_ECDSA_SHA256.der", 0, NULL,
0, 0, 0, 0, NULL, 0, NULL, 0},
0, 0, 0, 0, NULL, 0, NULL, 0, 0},
/* Signed FirmwarePkgData, ECDSA, SHA256, SubjectKeyIdentifier, attr */
{data, (word32)sizeof(data), SHA256h, ECDSAk, eccClientPrivKeyBuf,
eccClientPrivKeyBufSz, eccClientCertBuf, eccClientCertBufSz, NULL, 0,
attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)),
"pkcs7signedFirmwarePkgData_ECDSA_SHA256_SKID.der", 0, NULL,
0, CMS_SKID, 0, 0, NULL, 0, NULL, 0},
0, CMS_SKID, 0, 0, NULL, 0, NULL, 0, 0},
#if defined(WOLFSSL_AES_256) && !defined(NO_PKCS7_ENCRYPTED_DATA)
/* Signed Encrypted FirmwarePkgData, ECDSA, SHA256, no attribs */
@@ -21242,7 +21266,7 @@ static int pkcs7signed_run_SingleShotVectors(
eccClientPrivKeyBufSz, eccClientCertBuf, eccClientCertBufSz, NULL, 0,
NULL, 0,
"pkcs7signedEncryptedFirmwarePkgData_ECDSA_SHA256_noattr.der", 0, NULL,
0, 0, AES256CBCb, 1, aes256Key, sizeof(aes256Key), NULL, 0},
0, 0, AES256CBCb, 1, aes256Key, sizeof(aes256Key), NULL, 0, 0},
/* Signed Encrypted FirmwarePkgData, ECDSA, SHA256, attribs */
{data, (word32)sizeof(data), SHA256h, ECDSAk, eccClientPrivKeyBuf,
@@ -21250,7 +21274,7 @@ static int pkcs7signed_run_SingleShotVectors(
attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)),
"pkcs7signedEncryptedFirmwarePkgData_ECDSA_SHA256.der", 0, NULL,
0, 0, AES256CBCb, 1, aes256Key, sizeof(aes256Key),
attribs, (sizeof(attribs)/sizeof(PKCS7Attrib))},
attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)), 0},
#endif /* WOLFSSL_AES_256 && !NO_PKCS7_ENCRYPTED_DATA */
#if defined(HAVE_LIBZ) && !defined(NO_PKCS7_COMPRESSED_DATA)
@@ -21259,14 +21283,14 @@ static int pkcs7signed_run_SingleShotVectors(
eccClientPrivKeyBufSz, eccClientCertBuf, eccClientCertBufSz, NULL, 0,
NULL, 0,
"pkcs7signedCompressedFirmwarePkgData_ECDSA_SHA256_noattr.der", 0, NULL,
0, 0, 0, 2, NULL, 0, NULL, 0},
0, 0, 0, 2, NULL, 0, NULL, 0, 0},
/* Signed Compressed FirmwarePkgData, ECDSA, SHA256, attrib */
{data, (word32)sizeof(data), SHA256h, ECDSAk, eccClientPrivKeyBuf,
eccClientPrivKeyBufSz, eccClientCertBuf, eccClientCertBufSz, NULL, 0,
attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)),
"pkcs7signedCompressedFirmwarePkgData_ECDSA_SHA256.der", 0, NULL,
0, 0, 0, 2, NULL, 0, NULL, 0},
0, 0, 0, 2, NULL, 0, NULL, 0, 0},
#ifndef NO_PKCS7_ENCRYPTED_DATA
/* Signed Encrypted Compressed FirmwarePkgData, ECDSA, SHA256,
@@ -21275,7 +21299,8 @@ static int pkcs7signed_run_SingleShotVectors(
eccClientPrivKeyBufSz, eccClientCertBuf, eccClientCertBufSz, NULL, 0,
NULL, 0,
"pkcs7signedEncryptedCompressedFirmwarePkgData_ECDSA_SHA256_noattr.der",
0, NULL, 0, 0, AES256CBCb, 3, aes256Key, sizeof(aes256Key), NULL, 0},
0, NULL, 0, 0, AES256CBCb, 3, aes256Key, sizeof(aes256Key), NULL,
0, 0},
/* Signed Encrypted Compressed FirmwarePkgData, ECDSA, SHA256,
attribs */
@@ -21284,7 +21309,7 @@ static int pkcs7signed_run_SingleShotVectors(
attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)),
"pkcs7signedEncryptedCompressedFirmwarePkgData_ECDSA_SHA256.der",
0, NULL, 0, 0, AES256CBCb, 3, aes256Key, sizeof(aes256Key),
attribs, (sizeof(attribs)/sizeof(PKCS7Attrib))},
attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)), 0},
#endif /* !NO_PKCS7_ENCRYPTED_DATA */
#endif /* HAVE_LIBZ && !NO_PKCS7_COMPRESSED_DATA */
@@ -21319,12 +21344,10 @@ static int pkcs7signed_run_SingleShotVectors(
}
for (i = 0; i < testSz; i++) {
pkcs7 = wc_PKCS7_New(HEAP_HINT, INVALID_DEVID);
pkcs7 = wc_PKCS7_New(HEAP_HINT, devId);
if (pkcs7 == NULL)
return -9553;
pkcs7->heap = HEAP_HINT;
pkcs7->devId = INVALID_DEVID;
ret = wc_PKCS7_InitWithCert(pkcs7, testVectors[i].cert,
(word32)testVectors[i].certSz);
@@ -21460,7 +21483,7 @@ static int pkcs7signed_run_SingleShotVectors(
wc_PKCS7_Free(pkcs7);
pkcs7 = wc_PKCS7_New(HEAP_HINT, INVALID_DEVID);
pkcs7 = wc_PKCS7_New(HEAP_HINT, devId);
if (pkcs7 == NULL)
return -9564;
wc_PKCS7_InitWithCert(pkcs7, NULL, 0);
@@ -21757,7 +21780,7 @@ int pkcs7signed_test(void)
XFREE(rsaClientPrivKeyBuf, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
XFREE(eccClientCertBuf, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
XFREE(eccClientPrivKeyBuf, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
return -9509;
return ret;
}
ret = pkcs7signed_run_SingleShotVectors(

2
wolfssl/wolfcrypt/pkcs7.h
View File

@@ -251,6 +251,7 @@ struct PKCS7 {
/* flags - up to 16-bits */
word16 isDynamic:1;
word16 noDegenerate:1; /* allow degenerate case in verify function */
word16 detached:1; /* generate detached SignedData signature bundles */
byte contentType[MAX_OID_SZ]; /* custom contentType byte array */
word32 contentTypeSz; /* size of contentType, bytes */
@@ -307,6 +308,7 @@ WOLFSSL_API int wc_PKCS7_EncodeData(PKCS7* pkcs7, byte* output,
word32 outputSz);
/* CMS/PKCS#7 SignedData */
WOLFSSL_API int wc_PKCS7_SetDetached(PKCS7* pkcs7, word16 flag);
WOLFSSL_API int wc_PKCS7_EncodeSignedData(PKCS7* pkcs7,
byte* output, word32 outputSz);
WOLFSSL_API int wc_PKCS7_EncodeSignedData_ex(PKCS7* pkcs7, const byte* hashBuf,