wolfSSL/wolfssl
1
0
Fork 1
mirror of https://github.com/wolfSSL/wolfssl.git synced 2025-08-02 04:04:39 +02:00
Code Issues Packages Projects Releases Wiki Activity

resolve kari decode without recipient certificate

Browse Source
This commit is contained in:
JacobBarthelmeh
2023-06-13 17:15:22 -06:00
parent f0354b4cbe
commit 7866a40d06
2 changed files with 44 additions and 35 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
tests/api.c
View File

@@ -25658,7 +25658,7 @@ static int test_wc_PKCS7_EncodeDecodeEnvelopedData(void)
} }
ExpectIntEQ(wc_PKCS7_DecodeEnvelopedData(pkcs7, output, ExpectIntEQ(wc_PKCS7_DecodeEnvelopedData(pkcs7, output,
(word32)sizeof(output), decoded, (word32)sizeof(decoded)), (word32)sizeof(output), decoded, (word32)sizeof(decoded)),
BAD_FUNC_ARG); BUFFER_E);
if (pkcs7 != NULL) { if (pkcs7 != NULL) {
pkcs7->singleCertSz = tempWrd32; pkcs7->singleCertSz = tempWrd32;
@@ -25667,7 +25667,7 @@ static int test_wc_PKCS7_EncodeDecodeEnvelopedData(void)
} }
ExpectIntEQ(wc_PKCS7_DecodeEnvelopedData(pkcs7, output, ExpectIntEQ(wc_PKCS7_DecodeEnvelopedData(pkcs7, output,
(word32)sizeof(output), decoded, (word32)sizeof(decoded)), (word32)sizeof(output), decoded, (word32)sizeof(decoded)),
BAD_FUNC_ARG); ASN_PARSE_E);
if (pkcs7 != NULL) { if (pkcs7 != NULL) {
pkcs7->singleCert = tmpBytePtr; pkcs7->singleCert = tmpBytePtr;
} }

75
wolfcrypt/src/pkcs7.c
View File

@@ -5771,29 +5771,30 @@ static int wc_PKCS7_KariParseRecipCert(WC_PKCS7_KARI* kari, const byte* cert,
int ret; int ret;
word32 idx; word32 idx;
if (kari == NULL || kari->decoded == NULL || if (kari == NULL || kari->decoded == NULL) {
cert == NULL || certSz == 0)
return BAD_FUNC_ARG; return BAD_FUNC_ARG;
}
/* decode certificate */ /* decode certificate */
InitDecodedCert(kari->decoded, (byte*)cert, certSz, kari->heap); if (cert != NULL) {
kari->decodedInit = 1; InitDecodedCert(kari->decoded, (byte*)cert, certSz, kari->heap);
ret = ParseCert(kari->decoded, CA_TYPE, NO_VERIFY, 0); kari->decodedInit = 1;
if (ret < 0) ret = ParseCert(kari->decoded, CA_TYPE, NO_VERIFY, 0);
return ret; if (ret < 0)
return ret;
/* only supports ECDSA for now */ /* only supports ECDSA for now */
if (kari->decoded->keyOID != ECDSAk) { if (kari->decoded->keyOID != ECDSAk) {
WOLFSSL_MSG("CMS KARI only supports ECDSA key types"); WOLFSSL_MSG("CMS KARI only supports ECDSA key types");
return BAD_FUNC_ARG; return BAD_FUNC_ARG;
}
/* make sure subject key id was read from cert */
if (kari->decoded->extSubjKeyIdSet == 0) {
WOLFSSL_MSG("Failed to read subject key ID from recipient cert");
return BAD_FUNC_ARG;
}
} }
/* make sure subject key id was read from cert */
if (kari->decoded->extSubjKeyIdSet == 0) {
WOLFSSL_MSG("Failed to read subject key ID from recipient cert");
return BAD_FUNC_ARG;
}
ret = wc_ecc_init_ex(kari->recipKey, kari->heap, kari->devId); ret = wc_ecc_init_ex(kari->recipKey, kari->heap, kari->devId);
if (ret != 0) if (ret != 0)
return ret; return ret;
@@ -5802,6 +5803,10 @@ static int wc_PKCS7_KariParseRecipCert(WC_PKCS7_KARI* kari, const byte* cert,
/* get recip public key */ /* get recip public key */
if (kari->direction == WC_PKCS7_ENCODE) { if (kari->direction == WC_PKCS7_ENCODE) {
if (cert == NULL) {
WOLFSSL_MSG("Error recipient cert can not be null with encode");
return BAD_FUNC_ARG;
}
idx = 0; idx = 0;
ret = wc_EccPublicKeyDecode(kari->decoded->publicKey, &idx, ret = wc_EccPublicKeyDecode(kari->decoded->publicKey, &idx,
@@ -9270,7 +9275,14 @@ static int wc_PKCS7_KariGetIssuerAndSerialNumber(WC_PKCS7_KARI* kari,
} }
/* if we found correct recipient, issuer hashes will match */ /* if we found correct recipient, issuer hashes will match */
if (XMEMCMP(rid, kari->decoded->issuerHash, keyIdSize) == 0) { if (kari->decodedInit == 1) {
if (XMEMCMP(rid, kari->decoded->issuerHash, keyIdSize) == 0) {
*recipFound = 1;
}
}
else {
/* can not confirm recipient serial number with no cert provided */
WOLFSSL_MSG("No recipient cert loaded to match with CMS serial number");
*recipFound = 1; *recipFound = 1;
} }
@@ -9308,7 +9320,8 @@ static int wc_PKCS7_KariGetIssuerAndSerialNumber(WC_PKCS7_KARI* kari,
return ret; return ret;
} }
if (mp_cmp(recipSerial, serial) != MP_EQ) { if (kari->decodedInit == 1 &&
mp_cmp(recipSerial, serial) != MP_EQ) {
mp_clear(serial); mp_clear(serial);
mp_clear(recipSerial); mp_clear(recipSerial);
WOLFSSL_MSG("CMS serial number does not match recipient"); WOLFSSL_MSG("CMS serial number does not match recipient");
@@ -9944,8 +9957,6 @@ static int wc_PKCS7_DecryptKari(PKCS7* pkcs7, byte* in, word32 inSz,
WOLFSSL_ENTER("wc_PKCS7_DecryptKari"); WOLFSSL_ENTER("wc_PKCS7_DecryptKari");
if (pkcs7 == NULL || pkiMsg == NULL || if (pkcs7 == NULL || pkiMsg == NULL ||
((pkcs7->singleCert == NULL || pkcs7->singleCertSz == 0) &&
pkcs7->wrapCEKCb == NULL) ||
idx == NULL || decryptedKey == NULL || decryptedKeySz == NULL) { idx == NULL || decryptedKey == NULL || decryptedKeySz == NULL) {
return BAD_FUNC_ARG; return BAD_FUNC_ARG;
} }
@@ -9986,17 +9997,15 @@ static int wc_PKCS7_DecryptKari(PKCS7* pkcs7, byte* in, word32 inSz,
encryptedKeySz = MAX_ENCRYPTED_KEY_SZ; encryptedKeySz = MAX_ENCRYPTED_KEY_SZ;
/* parse cert and key */ /* parse cert and key */
if (pkcs7->singleCert != NULL) { ret = wc_PKCS7_KariParseRecipCert(kari, (byte*)pkcs7->singleCert,
ret = wc_PKCS7_KariParseRecipCert(kari, (byte*)pkcs7->singleCert, pkcs7->singleCertSz, pkcs7->privateKey,
pkcs7->singleCertSz, pkcs7->privateKey, pkcs7->privateKeySz);
pkcs7->privateKeySz); if (ret != 0) {
if (ret != 0) { wc_PKCS7_KariFree(kari);
wc_PKCS7_KariFree(kari); #ifdef WOLFSSL_SMALL_STACK
#ifdef WOLFSSL_SMALL_STACK XFREE(encryptedKey, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
XFREE(encryptedKey, pkcs7->heap, DYNAMIC_TYPE_PKCS7); #endif
#endif return ret;
return ret;
}
} }
/* remove OriginatorIdentifierOrKey */ /* remove OriginatorIdentifierOrKey */