mirror of
https://github.com/wolfSSL/wolfssl.git
synced 2025-07-31 19:24:42 +02:00
Merge pull request #2084 from cconlon/cmsFeb19
Changes for CMS signedData default signed attributes
This commit is contained in:
toddouska
GitHub
10
tests/api.c
10
tests/api.c
@@ -21933,8 +21933,18 @@ static void test_wolfssl_PKCS7(void)
|
|||||||
AssertNotNull(pkcs7 = d2i_PKCS7(NULL, &p, len));
|
AssertNotNull(pkcs7 = d2i_PKCS7(NULL, &p, len));
|
||||||
AssertIntEQ(wolfSSL_PKCS7_verify(NULL, NULL, NULL, NULL, NULL,
|
AssertIntEQ(wolfSSL_PKCS7_verify(NULL, NULL, NULL, NULL, NULL,
|
||||||
PKCS7_NOVERIFY), WOLFSSL_FAILURE);
|
PKCS7_NOVERIFY), WOLFSSL_FAILURE);
|
||||||
|
PKCS7_free(pkcs7);
|
||||||
|
|
||||||
|
/* fail case, without PKCS7_NOVERIFY */
|
||||||
|
p = data;
|
||||||
|
AssertNotNull(pkcs7 = d2i_PKCS7(NULL, &p, len));
|
||||||
AssertIntEQ(wolfSSL_PKCS7_verify(pkcs7, NULL, NULL, NULL, NULL,
|
AssertIntEQ(wolfSSL_PKCS7_verify(pkcs7, NULL, NULL, NULL, NULL,
|
||||||
0), WOLFSSL_FAILURE);
|
0), WOLFSSL_FAILURE);
|
||||||
|
PKCS7_free(pkcs7);
|
||||||
|
|
||||||
|
/* success case, with PKCS7_NOVERIFY */
|
||||||
|
p = data;
|
||||||
|
AssertNotNull(pkcs7 = d2i_PKCS7(NULL, &p, len));
|
||||||
AssertIntEQ(wolfSSL_PKCS7_verify(pkcs7, NULL, NULL, NULL, NULL,
|
AssertIntEQ(wolfSSL_PKCS7_verify(pkcs7, NULL, NULL, NULL, NULL,
|
||||||
PKCS7_NOVERIFY), WOLFSSL_SUCCESS);
|
PKCS7_NOVERIFY), WOLFSSL_SUCCESS);
|
||||||
|
|
||||||
|
|||||||
@@ -1458,6 +1458,7 @@ static int wc_PKCS7_BuildSignedAttributes(PKCS7* pkcs7, ESD* esd,
|
|||||||
int timeSz;
|
int timeSz;
|
||||||
PKCS7Attrib cannedAttribs[3];
|
PKCS7Attrib cannedAttribs[3];
|
||||||
#endif
|
#endif
|
||||||
|
word32 idx = 0;
|
||||||
word32 cannedAttribsCount;
|
word32 cannedAttribsCount;
|
||||||
|
|
||||||
if (pkcs7 == NULL || esd == NULL || contentType == NULL ||
|
if (pkcs7 == NULL || esd == NULL || contentType == NULL ||
|
||||||
@@ -1466,6 +1467,7 @@ static int wc_PKCS7_BuildSignedAttributes(PKCS7* pkcs7, ESD* esd,
|
|||||||
return BAD_FUNC_ARG;
|
return BAD_FUNC_ARG;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (pkcs7->skipDefaultSignedAttribs == 0) {
|
||||||
hashSz = wc_HashGetDigestSize(esd->hashType);
|
hashSz = wc_HashGetDigestSize(esd->hashType);
|
||||||
if (hashSz < 0)
|
if (hashSz < 0)
|
||||||
return hashSz;
|
return hashSz;
|
||||||
@@ -1482,25 +1484,33 @@ static int wc_PKCS7_BuildSignedAttributes(PKCS7* pkcs7, ESD* esd,
|
|||||||
|
|
||||||
cannedAttribsCount = sizeof(cannedAttribs)/sizeof(PKCS7Attrib);
|
cannedAttribsCount = sizeof(cannedAttribs)/sizeof(PKCS7Attrib);
|
||||||
|
|
||||||
cannedAttribs[0].oid = contentTypeOid;
|
cannedAttribs[idx].oid = contentTypeOid;
|
||||||
cannedAttribs[0].oidSz = contentTypeOidSz;
|
cannedAttribs[idx].oidSz = contentTypeOidSz;
|
||||||
cannedAttribs[0].value = contentType;
|
cannedAttribs[idx].value = contentType;
|
||||||
cannedAttribs[0].valueSz = contentTypeSz;
|
cannedAttribs[idx].valueSz = contentTypeSz;
|
||||||
cannedAttribs[1].oid = messageDigestOid;
|
idx++;
|
||||||
cannedAttribs[1].oidSz = messageDigestOidSz;
|
|
||||||
cannedAttribs[1].value = esd->contentDigest;
|
|
||||||
cannedAttribs[1].valueSz = hashSz + 2; /* ASN.1 heading */
|
|
||||||
#ifndef NO_ASN_TIME
|
#ifndef NO_ASN_TIME
|
||||||
cannedAttribs[2].oid = signingTimeOid;
|
cannedAttribs[idx].oid = signingTimeOid;
|
||||||
cannedAttribs[2].oidSz = signingTimeOidSz;
|
cannedAttribs[idx].oidSz = signingTimeOidSz;
|
||||||
cannedAttribs[2].value = signingTime;
|
cannedAttribs[idx].value = signingTime;
|
||||||
cannedAttribs[2].valueSz = timeSz;
|
cannedAttribs[idx].valueSz = timeSz;
|
||||||
|
idx++;
|
||||||
#endif
|
#endif
|
||||||
|
cannedAttribs[idx].oid = messageDigestOid;
|
||||||
|
cannedAttribs[idx].oidSz = messageDigestOidSz;
|
||||||
|
cannedAttribs[idx].value = esd->contentDigest;
|
||||||
|
cannedAttribs[idx].valueSz = hashSz + 2; /* ASN.1 heading */
|
||||||
|
|
||||||
esd->signedAttribsCount += cannedAttribsCount;
|
esd->signedAttribsCount += cannedAttribsCount;
|
||||||
esd->signedAttribsSz += EncodeAttributes(&esd->signedAttribs[0], 3,
|
esd->signedAttribsSz += EncodeAttributes(&esd->signedAttribs[0], 3,
|
||||||
cannedAttribs, cannedAttribsCount);
|
cannedAttribs, cannedAttribsCount);
|
||||||
|
} else {
|
||||||
|
esd->signedAttribsCount = 0;
|
||||||
|
esd->signedAttribsSz = 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* add custom signed attributes if set */
|
||||||
|
if (pkcs7->signedAttribsSz > 0 && pkcs7->signedAttribs != NULL) {
|
||||||
esd->signedAttribsCount += pkcs7->signedAttribsSz;
|
esd->signedAttribsCount += pkcs7->signedAttribsSz;
|
||||||
#ifdef NO_ASN_TIME
|
#ifdef NO_ASN_TIME
|
||||||
esd->signedAttribsSz += EncodeAttributes(&esd->signedAttribs[2], 4,
|
esd->signedAttribsSz += EncodeAttributes(&esd->signedAttribs[2], 4,
|
||||||
@@ -1509,6 +1519,7 @@ static int wc_PKCS7_BuildSignedAttributes(PKCS7* pkcs7, ESD* esd,
|
|||||||
esd->signedAttribsSz += EncodeAttributes(&esd->signedAttribs[3], 4,
|
esd->signedAttribsSz += EncodeAttributes(&esd->signedAttribs[3], 4,
|
||||||
pkcs7->signedAttribs, pkcs7->signedAttribsSz);
|
pkcs7->signedAttribs, pkcs7->signedAttribsSz);
|
||||||
#endif
|
#endif
|
||||||
|
}
|
||||||
|
|
||||||
#ifdef NO_ASN_TIME
|
#ifdef NO_ASN_TIME
|
||||||
(void)signingTimeOidSz;
|
(void)signingTimeOidSz;
|
||||||
@@ -1648,7 +1659,7 @@ static int wc_PKCS7_BuildDigestInfo(PKCS7* pkcs7, byte* flatSignedAttribs,
|
|||||||
if (hashSz < 0)
|
if (hashSz < 0)
|
||||||
return hashSz;
|
return hashSz;
|
||||||
|
|
||||||
if (pkcs7->signedAttribsSz != 0) {
|
if (flatSignedAttribsSz != 0) {
|
||||||
|
|
||||||
if (flatSignedAttribs == NULL)
|
if (flatSignedAttribs == NULL)
|
||||||
return BAD_FUNC_ARG;
|
return BAD_FUNC_ARG;
|
||||||
@@ -1951,9 +1962,8 @@ static int PKCS7_EncodeSigned(PKCS7* pkcs7, ESD* esd,
|
|||||||
digEncAlgoType, 0);
|
digEncAlgoType, 0);
|
||||||
signerInfoSz += esd->digEncAlgoIdSz;
|
signerInfoSz += esd->digEncAlgoIdSz;
|
||||||
|
|
||||||
if (pkcs7->signedAttribsSz != 0) {
|
/* build up signed attributes, include contentType, signingTime, and
|
||||||
|
messageDigest by default */
|
||||||
/* build up signed attributes */
|
|
||||||
ret = wc_PKCS7_BuildSignedAttributes(pkcs7, esd, pkcs7->contentType,
|
ret = wc_PKCS7_BuildSignedAttributes(pkcs7, esd, pkcs7->contentType,
|
||||||
pkcs7->contentTypeSz,
|
pkcs7->contentTypeSz,
|
||||||
contentTypeOid, sizeof(contentTypeOid),
|
contentTypeOid, sizeof(contentTypeOid),
|
||||||
@@ -1967,6 +1977,7 @@ static int PKCS7_EncodeSigned(PKCS7* pkcs7, ESD* esd,
|
|||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (esd->signedAttribsSz > 0) {
|
||||||
flatSignedAttribs = (byte*)XMALLOC(esd->signedAttribsSz, pkcs7->heap,
|
flatSignedAttribs = (byte*)XMALLOC(esd->signedAttribsSz, pkcs7->heap,
|
||||||
DYNAMIC_TYPE_PKCS7);
|
DYNAMIC_TYPE_PKCS7);
|
||||||
flatSignedAttribsSz = esd->signedAttribsSz;
|
flatSignedAttribsSz = esd->signedAttribsSz;
|
||||||
@@ -1981,6 +1992,8 @@ static int PKCS7_EncodeSigned(PKCS7* pkcs7, ESD* esd,
|
|||||||
esd->signedAttribs, esd->signedAttribsCount);
|
esd->signedAttribs, esd->signedAttribsCount);
|
||||||
esd->signedAttribSetSz = SetImplicit(ASN_SET, 0, esd->signedAttribsSz,
|
esd->signedAttribSetSz = SetImplicit(ASN_SET, 0, esd->signedAttribsSz,
|
||||||
esd->signedAttribSet);
|
esd->signedAttribSet);
|
||||||
|
} else {
|
||||||
|
esd->signedAttribSetSz = 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Calculate the final hash and encrypt it. */
|
/* Calculate the final hash and encrypt it. */
|
||||||
@@ -2241,6 +2254,27 @@ int wc_PKCS7_SetDetached(PKCS7* pkcs7, word16 flag)
|
|||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/* By default, SignedData bundles have the following signed attributes attached:
|
||||||
|
* contentType (1.2.840.113549.1.9.3)
|
||||||
|
* signgingTime (1.2.840.113549.1.9.5)
|
||||||
|
* messageDigest (1.2.840.113549.1.9.4)
|
||||||
|
*
|
||||||
|
* Calling this API before wc_PKCS7_EncodeSignedData() will disable the
|
||||||
|
* inclusion of those attributes.
|
||||||
|
*
|
||||||
|
* pkcs7 - pointer to initialized PKCS7 structure
|
||||||
|
*
|
||||||
|
* Returns 0 on success, negative upon error. */
|
||||||
|
int wc_PKCS7_NoDefaultSignedAttribs(PKCS7* pkcs7)
|
||||||
|
{
|
||||||
|
if (pkcs7 == NULL)
|
||||||
|
return BAD_FUNC_ARG;
|
||||||
|
|
||||||
|
pkcs7->skipDefaultSignedAttribs = 1;
|
||||||
|
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
/* return codes: >0: Size of signed PKCS7 output buffer, negative: error */
|
/* return codes: >0: Size of signed PKCS7 output buffer, negative: error */
|
||||||
int wc_PKCS7_EncodeSignedData(PKCS7* pkcs7, byte* output, word32 outputSz)
|
int wc_PKCS7_EncodeSignedData(PKCS7* pkcs7, byte* output, word32 outputSz)
|
||||||
{
|
{
|
||||||
|
|||||||
@@ -284,6 +284,8 @@ struct PKCS7 {
|
|||||||
#endif
|
#endif
|
||||||
word32 state;
|
word32 state;
|
||||||
|
|
||||||
|
word16 skipDefaultSignedAttribs:1; /* skip adding default signed attribs */
|
||||||
|
|
||||||
/* !! NEW DATA MEMBERS MUST BE ADDED AT END !! */
|
/* !! NEW DATA MEMBERS MUST BE ADDED AT END !! */
|
||||||
};
|
};
|
||||||
|
|
||||||
@@ -310,6 +312,7 @@ WOLFSSL_API int wc_PKCS7_EncodeData(PKCS7* pkcs7, byte* output,
|
|||||||
|
|
||||||
/* CMS/PKCS#7 SignedData */
|
/* CMS/PKCS#7 SignedData */
|
||||||
WOLFSSL_API int wc_PKCS7_SetDetached(PKCS7* pkcs7, word16 flag);
|
WOLFSSL_API int wc_PKCS7_SetDetached(PKCS7* pkcs7, word16 flag);
|
||||||
|
WOLFSSL_API int wc_PKCS7_NoDefaultSignedAttribs(PKCS7* pkcs7);
|
||||||
WOLFSSL_API int wc_PKCS7_EncodeSignedData(PKCS7* pkcs7,
|
WOLFSSL_API int wc_PKCS7_EncodeSignedData(PKCS7* pkcs7,
|
||||||
byte* output, word32 outputSz);
|
byte* output, word32 outputSz);
|
||||||
WOLFSSL_API int wc_PKCS7_EncodeSignedData_ex(PKCS7* pkcs7, const byte* hashBuf,
|
WOLFSSL_API int wc_PKCS7_EncodeSignedData_ex(PKCS7* pkcs7, const byte* hashBuf,
|
||||||
|
|||||||
Reference in New Issue
Block a user