Merge pull request #8520 from JacobBarthelmeh/pkcs7_verify_stream

PKCS7 verify and decode indefinite length support
2025-07-31 19:24:42 +02:00 · 2025-03-07 18:47:30 -06:00
parent 27ed748867 8dd614430a
commit c3f24568ff
7 changed files with 920 additions and 401 deletions
--- a/certs/include.am
+++ b/certs/include.am
@@ -53,6 +53,7 @@ EXTRA_DIST += \
             certs/wolfssl-website-ca.pem \
             certs/test-degenerate.p7b \
             certs/test-stream-sign.p7b \
+             certs/test-stream-dec.p7b \
             certs/test-ber-exp02-05-2022.p7b \
             certs/test-servercert.p12 \
             certs/test-servercert-rc2.p12 \
--- a/certs/renewcerts.sh
+++ b/certs/renewcerts.sh
@@ -858,6 +858,11 @@ run_renewcerts(){
    openssl smime -sign -in ./ca-cert.pem -out test-stream-sign.p7b -signer ./ca-cert.pem -nodetach -nocerts -binary -outform DER -stream -inkey ./ca-key.pem
    check_result $? ""

+    echo "Creating test-stream-dec.p7b..."
+    echo ""
+    openssl cms -encrypt -in ca-cert.pem -recip client-cert.pem -out test-stream-dec.p7b -outform DER -stream
+    check_result $? ""
+
    echo "End of section"
    echo "---------------------------------------------------------------------"

--- a/certs/test-stream-dec.p7b
+++ b/certs/test-stream-dec.p7b
--- a/tests/api.c
+++ b/tests/api.c
@@ -39219,6 +39219,95 @@ static int myCEKwrapFunc(PKCS7* pkcs7, byte* cek, word32 cekSz, byte* keyId,
 #endif /* HAVE_PKCS7 && !NO_AES && HAVE_AES_CBC && !NO_AES_256 */


+#if defined(HAVE_PKCS7) && defined(ASN_BER_TO_DER)
+#define MAX_TEST_DECODE_SIZE 6000
+static int test_wc_PKCS7_DecodeEnvelopedData_stream_decrypt_cb(wc_PKCS7* pkcs7,
+    const byte* output, word32 outputSz, void* ctx) {
+     WOLFSSL_BUFFER_INFO* out = (WOLFSSL_BUFFER_INFO*)ctx;
+
+    if (out == NULL) {
+        return -1;
+    }
+
+    if (outputSz + out->length > MAX_TEST_DECODE_SIZE) {
+        printf("Example buffer size needs increased");
+    }
+
+    /* printf("Decoded in %d bytes\n", outputSz);
+     * for (word32 z = 0; z < outputSz; z++) printf("%02X", output[z]);
+     * printf("\n");
+    */
+
+    XMEMCPY(out->buffer + out->length, output, outputSz);
+    out->length += outputSz;
+
+    (void)pkcs7;
+    return 0;
+}
+#endif /* HAVE_PKCS7 && ASN_BER_TO_DER */
+
+/*
+ * Testing wc_PKCS7_DecodeEnvelopedData with streaming
+ */
+static int test_wc_PKCS7_DecodeEnvelopedData_stream(void)
+{
+#if defined(HAVE_PKCS7) && defined(ASN_BER_TO_DER)
+    EXPECT_DECLS;
+    PKCS7*      pkcs7 = NULL;
+    int ret = 0;
+    XFILE f = XBADFILE;
+    const char* testStream = "./certs/test-stream-dec.p7b";
+    byte testStreamBuffer[100];
+    size_t testStreamBufferSz = 0;
+    byte decodedData[MAX_TEST_DECODE_SIZE]; /* large enough to hold result of decode, which is ca-cert.pem */
+    WOLFSSL_BUFFER_INFO out;
+
+    out.length = 0;
+    out.buffer = decodedData;
+
+    ExpectNotNull(pkcs7 = wc_PKCS7_New(HEAP_HINT, testDevId));
+    ExpectIntEQ(wc_PKCS7_InitWithCert(pkcs7, (byte*)client_cert_der_2048,
+        sizeof_client_cert_der_2048), 0);
+
+    ExpectIntEQ(wc_PKCS7_SetKey(pkcs7, (byte*)client_key_der_2048,
+        sizeof_client_key_der_2048), 0);
+    ExpectIntEQ(wc_PKCS7_SetStreamMode(pkcs7, 1, NULL,
+        test_wc_PKCS7_DecodeEnvelopedData_stream_decrypt_cb, (void*)&out), 0);
+
+    ExpectTrue((f = XFOPEN(testStream, "rb")) != XBADFILE);
+    if (EXPECT_SUCCESS()) {
+        do {
+            testStreamBufferSz = XFREAD(testStreamBuffer, 1,
+                sizeof(testStreamBuffer), f);
+            if (testStreamBufferSz == 0) {
+                break;
+            }
+
+            ret = wc_PKCS7_DecodeEnvelopedData(pkcs7, testStreamBuffer,
+                (word32)testStreamBufferSz, NULL, 0);
+            if (testStreamBufferSz < sizeof(testStreamBuffer)) {
+                break;
+            }
+        } while (ret == WC_NO_ERR_TRACE(WC_PKCS7_WANT_READ_E));
+    #ifdef NO_DES3
+        ExpectIntEQ(ret, ALGO_ID_E);
+    #else
+        ExpectIntGT(ret, 0);
+    #endif
+    }
+
+    if (f != XBADFILE) {
+        XFCLOSE(f);
+        f = XBADFILE;
+    }
+
+    wc_PKCS7_Free(pkcs7);
+    return EXPECT_RESULT();
+#else
+    return TEST_SKIPPED;
+#endif
+} /* END test_wc_PKCS7_DecodeEnvelopedData_stream() */
+
 /*
 * Testing wc_PKCS7_EncodeEnvelopedData()
 */
@@ -89473,6 +89562,7 @@ TEST_CASE testCases[] = {
    TEST_DECL(test_wc_PKCS7_EncodeSignedData_ex),
    TEST_DECL(test_wc_PKCS7_VerifySignedData_RSA),
    TEST_DECL(test_wc_PKCS7_VerifySignedData_ECC),
+    TEST_DECL(test_wc_PKCS7_DecodeEnvelopedData_stream),
    TEST_DECL(test_wc_PKCS7_EncodeDecodeEnvelopedData),
    TEST_DECL(test_wc_PKCS7_EncodeEncryptedData),
    TEST_DECL(test_wc_PKCS7_Degenerate),
--- a/wolfcrypt/src/pkcs7.c
+++ b/wolfcrypt/src/pkcs7.c
--- a/wolfcrypt/test/test.c
+++ b/wolfcrypt/test/test.c
@@ -53195,7 +53195,8 @@ static wc_test_ret_t verifyBundle(byte* derBuf, word32 derSz, int keyHint)
 #endif /* !NO_SHA */
    };

-    decoded = (byte *)XMALLOC(decodedSz, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+    decoded = (byte *)XMALLOC((word32)decodedSz, HEAP_HINT,
+        DYNAMIC_TYPE_TMP_BUFFER);
    if (decoded == NULL) {
        ret = MEMORY_E;
        goto out;
@@ -53353,7 +53354,8 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t pkcs7encrypted_test(void)
 {
    wc_test_ret_t ret = 0;
    int i, testSz;
-    int encryptedSz, decodedSz, attribIdx;
+    int encryptedSz, decodedSz;
+    word32 attribIdx;
    wc_PKCS7* pkcs7;
    byte  *encrypted;
    byte  *decoded;
@@ -54721,7 +54723,7 @@ static wc_test_ret_t pkcs7signed_run_SingleShotVectors(
                ERROR_OUT(WC_TEST_RET_ENC_EC(ret), out);
            /* compare decrypted to expected */
            if (((word32)ret != testVectors[i].contentSz) ||
-                XMEMCMP(out, testVectors[i].content, ret))
+                XMEMCMP(out, testVectors[i].content, (word32)ret))
                ERROR_OUT(WC_TEST_RET_ENC_NC, out);
        }
    #endif
--- a/wolfssl/wolfcrypt/pkcs7.h
+++ b/wolfssl/wolfcrypt/pkcs7.h
@@ -243,6 +243,7 @@ typedef int (*CallbackRsaSignRawDigest)(wc_PKCS7* pkcs7, byte* digest,
                                   int devId, int hashOID);
 #endif

+
 /* Public Structure Warning:
 * Existing members must not be changed to maintain backwards compatibility!
 */
@@ -258,6 +259,7 @@ struct wc_PKCS7 {
 #ifdef ASN_BER_TO_DER
    byte*  der;                   /* DER encoded version of message       */
    word32 derSz;
+    byte   indefDepth;
    CallbackGetContent getContentCb;
    CallbackStreamOut  streamOutCb;
    void*  streamCtx; /* passed to getcontentCb and streamOutCb */
@@ -372,6 +374,19 @@ struct wc_PKCS7 {
    byte* customSKID;
    word16 customSKIDSz;

+
+#if !defined(NO_DES3) || !defined(NO_AES)
+    union {
+    #ifndef NO_AES
+        Aes* aes;
+    #endif
+    #ifndef NO_DES3
+        Des*  des;
+        Des3* des3;
+    #endif
+    } decryptKey;
+#endif
+
    /* !! NEW DATA MEMBERS MUST BE ADDED AT END !! */
 };