From 7a23cff27f58e69465f91780e76585b5af0ffbde Mon Sep 17 00:00:00 2001 From: JacobBarthelmeh Date: Fri, 6 Sep 2024 10:23:35 -0700 Subject: [PATCH] add PKCS7 set custom SKID --- wolfcrypt/src/pkcs7.c | 46 ++++++++++++++++++++++++++++++++++++++- wolfssl/wolfcrypt/pkcs7.h | 9 ++++++++ 2 files changed, 54 insertions(+), 1 deletion(-) diff --git a/wolfcrypt/src/pkcs7.c b/wolfcrypt/src/pkcs7.c index 602e0c29a..08bd9c8e3 100644 --- a/wolfcrypt/src/pkcs7.c +++ b/wolfcrypt/src/pkcs7.c @@ -1380,6 +1380,12 @@ void wc_PKCS7_Free(PKCS7* pkcs7) pkcs7->isDynamic = 0; XFREE(pkcs7, pkcs7->heap, DYNAMIC_TYPE_PKCS7); } + + if (pkcs7->customSKID) { + XFREE(pkcs7->customSKID, pkcs7->heap, DYNAMIC_TYPE_PKCS7); + pkcs7->customSKID = NULL; + pkcs7->customSKIDSz = 0; + } } @@ -2816,6 +2822,15 @@ static int PKCS7_EncodeSigned(PKCS7* pkcs7, keyIdSize = KEYID_SIZE; #endif + /* use custom SKID if set */ + if (pkcs7->customSKIDSz > 0) { + if (pkcs7->customSKID == NULL) { + WOLFSSL_MSG("Bad custom SKID setup, size > 0 and was NULL"); + return BAD_FUNC_ARG; + } + keyIdSize = pkcs7->customSKIDSz; + } + #ifdef WOLFSSL_SMALL_STACK signedDataOid = (byte *)XMALLOC(MAX_OID_SZ, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER); if (signedDataOid == NULL) { @@ -3264,8 +3279,15 @@ static int PKCS7_EncodeSigned(PKCS7* pkcs7, wc_PKCS7_WriteOut(pkcs7, (output2)? (output2 + idx) : NULL, esd->issuerSKID, esd->issuerSKIDSz); idx += (int)esd->issuerSKIDSz; - wc_PKCS7_WriteOut(pkcs7, (output2)? (output2 + idx) : NULL, + + if (pkcs7->customSKID) { + wc_PKCS7_WriteOut(pkcs7, (output2)? (output2 + idx) : NULL, + pkcs7->customSKID, (word32)keyIdSize); + } + else { + wc_PKCS7_WriteOut(pkcs7, (output2)? (output2 + idx) : NULL, pkcs7->issuerSubjKeyId, (word32)keyIdSize); + } idx += keyIdSize; } else if (pkcs7->sidType == DEGENERATE_SID) { /* no signer infos in degenerate case */ @@ -3418,6 +3440,28 @@ int wc_PKCS7_EncodeSignedData_ex(PKCS7* pkcs7, const byte* hashBuf, return ret; } + +/* Sets a custom SKID in PKCS7 struct, used before calling an encode operation + * Returns 0 on success, negative upon error. */ +int wc_PKCS7_SetCustomSKID(PKCS7* pkcs7, byte* in, word16 inSz) +{ + int ret = 0; + + if (pkcs7 == NULL || (in == NULL && inSz > 0)) { + return BAD_FUNC_ARG; + } + + pkcs7->customSKID = (byte*)XMALLOC(inSz, pkcs7->heap, DYNAMIC_TYPE_PKCS7); + if (pkcs7->customSKID == NULL) { + ret = MEMORY_E; + } + else { + XMEMCPY(pkcs7->customSKID, in, inSz); + } + return ret; +} + + /* Toggle detached signature mode on/off for PKCS#7/CMS SignedData content type. * By default wolfCrypt includes the data to be signed in the SignedData * bundle. This data can be omitted in the case when a detached signature is diff --git a/wolfssl/wolfcrypt/pkcs7.h b/wolfssl/wolfcrypt/pkcs7.h index 85b1a1fae..f6254d3ca 100644 --- a/wolfssl/wolfcrypt/pkcs7.h +++ b/wolfssl/wolfcrypt/pkcs7.h @@ -359,6 +359,14 @@ struct PKCS7 { word16 contentCRLF:1; /* have content line endings been converted to CRLF */ word16 contentIsPkcs7Type:1; /* eContent follows PKCS#7 RFC not CMS */ word16 hashParamsAbsent:1; + + /* RFC 5280 section-4.2.1.2 lists a possible method for creating the SKID as + * a SHA1 hash of the public key, but leaves it open to other methods as + * long as it is a unique ID. This allows for setting a custom SKID when + * creating PKCS7 bundles*/ + byte* customSKID; + word16 customSKIDSz; + /* !! NEW DATA MEMBERS MUST BE ADDED AT END !! */ }; @@ -387,6 +395,7 @@ WOLFSSL_API int wc_PKCS7_EncodeData(PKCS7* pkcs7, byte* output, word32 outputSz); /* CMS/PKCS#7 SignedData */ +WOLFSSL_API int wc_PKCS7_SetCustomSKID(PKCS7* pkcs7, byte* in, word16 inSz); WOLFSSL_API int wc_PKCS7_SetDetached(PKCS7* pkcs7, word16 flag); WOLFSSL_API int wc_PKCS7_NoDefaultSignedAttribs(PKCS7* pkcs7); WOLFSSL_API int wc_PKCS7_SetDefaultSignedAttribs(PKCS7* pkcs7, word16 flag);