add PKCS7 set custom SKID

wolfcrypt/src/pkcs7.c

@@ -1380,6 +1380,12 @@ void wc_PKCS7_Free(PKCS7* pkcs7)
         pkcs7->isDynamic = 0;
         XFREE(pkcs7, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
     }
+
+    if (pkcs7->customSKID) {
+        XFREE(pkcs7->customSKID, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+        pkcs7->customSKID = NULL;
+        pkcs7->customSKIDSz = 0;
+    }
 }
 
 
@@ -2816,6 +2822,15 @@ static int PKCS7_EncodeSigned(PKCS7* pkcs7,
     keyIdSize = KEYID_SIZE;
 #endif
 
+    /* use custom SKID if set */
+    if (pkcs7->customSKIDSz > 0) {
+        if (pkcs7->customSKID == NULL) {
+            WOLFSSL_MSG("Bad custom SKID setup, size > 0 and was NULL");
+            return BAD_FUNC_ARG;
+        }
+        keyIdSize = pkcs7->customSKIDSz;
+    }
+
 #ifdef WOLFSSL_SMALL_STACK
     signedDataOid = (byte *)XMALLOC(MAX_OID_SZ, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
     if (signedDataOid == NULL) {
@@ -3264,8 +3279,15 @@ static int PKCS7_EncodeSigned(PKCS7* pkcs7,
         wc_PKCS7_WriteOut(pkcs7, (output2)? (output2 + idx) : NULL,
                 esd->issuerSKID, esd->issuerSKIDSz);
         idx += (int)esd->issuerSKIDSz;
-        wc_PKCS7_WriteOut(pkcs7, (output2)? (output2 + idx) : NULL,
+
+        if (pkcs7->customSKID) {
+            wc_PKCS7_WriteOut(pkcs7, (output2)? (output2 + idx) : NULL,
+                pkcs7->customSKID, (word32)keyIdSize);
+        }
+        else {
+            wc_PKCS7_WriteOut(pkcs7, (output2)? (output2 + idx) : NULL,
                 pkcs7->issuerSubjKeyId, (word32)keyIdSize);
+        }
         idx += keyIdSize;
     } else if (pkcs7->sidType == DEGENERATE_SID) {
         /* no signer infos in degenerate case */
@@ -3418,6 +3440,28 @@ int wc_PKCS7_EncodeSignedData_ex(PKCS7* pkcs7, const byte* hashBuf,
     return ret;
 }
 
+
+/* Sets a custom SKID in PKCS7 struct, used before calling an encode operation
+ * Returns 0 on success, negative upon error. */
+int wc_PKCS7_SetCustomSKID(PKCS7* pkcs7, byte* in, word16 inSz)
+{
+    int ret = 0;
+
+    if (pkcs7 == NULL || (in == NULL && inSz > 0)) {
+        return BAD_FUNC_ARG;
+    }
+
+    pkcs7->customSKID = (byte*)XMALLOC(inSz, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+    if (pkcs7->customSKID == NULL) {
+        ret = MEMORY_E;
+    }
+    else {
+        XMEMCPY(pkcs7->customSKID, in, inSz);
+    }
+    return ret;
+}
+
+
 /* Toggle detached signature mode on/off for PKCS#7/CMS SignedData content type.
  * By default wolfCrypt includes the data to be signed in the SignedData
  * bundle. This data can be omitted in the case when a detached signature is

wolfssl/wolfcrypt/pkcs7.h

@@ -359,6 +359,14 @@ struct PKCS7 {
     word16 contentCRLF:1; /* have content line endings been converted to CRLF */
     word16 contentIsPkcs7Type:1; /* eContent follows PKCS#7 RFC not CMS */
     word16 hashParamsAbsent:1;
+
+    /* RFC 5280 section-4.2.1.2 lists a possible method for creating the SKID as
+     * a SHA1 hash of the public key, but leaves it open to other methods as
+     * long as it is a unique ID. This allows for setting a custom SKID when
+     * creating PKCS7 bundles*/
+    byte* customSKID;
+    word16 customSKIDSz;
+
     /* !! NEW DATA MEMBERS MUST BE ADDED AT END !! */
 };
 
@@ -387,6 +395,7 @@ WOLFSSL_API int  wc_PKCS7_EncodeData(PKCS7* pkcs7, byte* output,
                                        word32 outputSz);
 
 /* CMS/PKCS#7 SignedData */
+WOLFSSL_API int  wc_PKCS7_SetCustomSKID(PKCS7* pkcs7, byte* in, word16 inSz);
 WOLFSSL_API int  wc_PKCS7_SetDetached(PKCS7* pkcs7, word16 flag);
 WOLFSSL_API int  wc_PKCS7_NoDefaultSignedAttribs(PKCS7* pkcs7);
 WOLFSSL_API int  wc_PKCS7_SetDefaultSignedAttribs(PKCS7* pkcs7, word16 flag);