add messageDigest attribute if adding any custom signed attributes

2025-08-01 03:34:39 +02:00 · 2023-03-15 15:43:35 -06:00
parent ff13a7cdc8
commit ad13717644
1 changed files with 17 additions and 6 deletions
--- a/wolfcrypt/src/pkcs7.c
+++ b/wolfcrypt/src/pkcs7.c
@@ -1975,16 +1975,27 @@ static int wc_PKCS7_BuildSignedAttributes(PKCS7* pkcs7, ESD* esd,

    /* add custom signed attributes if set */
    if (pkcs7->signedAttribsSz > 0 && pkcs7->signedAttribs != NULL) {
+        /* Signed messageDigest must be present if any signed attributes are
+         * RFC 5652 section 11.2 */
+        if (pkcs7->skipDefaultSignedAttribs != 0) {
+            hashSz = wc_HashGetDigestSize(esd->hashType);
+            if (hashSz < 0)
+                return hashSz;
+
+            cannedAttribs[0].oid     = messageDigestOid;
+            cannedAttribs[0].oidSz   = messageDigestOidSz;
+            cannedAttribs[0].value   = esd->contentDigest;
+            cannedAttribs[0].valueSz = hashSz + 2;  /* ASN.1 heading */
+            esd->signedAttribsCount++;
+            esd->signedAttribsSz += EncodeAttributes(
+                &esd->signedAttribs[atrIdx], 1, cannedAttribs, 1);
+            atrIdx++;
+        }
+
        esd->signedAttribsCount += pkcs7->signedAttribsSz;
-    #ifdef NO_ASN_TIME
        esd->signedAttribsSz += EncodeAttributes(&esd->signedAttribs[atrIdx],
                                  esd->signedAttribsCount,
                                  pkcs7->signedAttribs, pkcs7->signedAttribsSz);
-    #else
-        esd->signedAttribsSz += EncodeAttributes(&esd->signedAttribs[atrIdx],
-                                  esd->signedAttribsCount,
-                                  pkcs7->signedAttribs, pkcs7->signedAttribsSz);
-    #endif
    }

 #ifdef NO_ASN_TIME