Address copilot feedback

This commit is contained in:
jackctj117
2026-02-05 12:12:16 -07:00
parent 6d6d0ab088
commit cfcd384c4c
2 changed files with 42 additions and 8 deletions
+34 -8
View File
@@ -490,6 +490,9 @@ static int rsaSignRawDigestCb(PKCS7* pkcs7, byte* digest, word32 digestSz,
/* ECC sign raw digest callback
* This callback demonstrates HSM/secure element use case where the private
* key is not passed through PKCS7 structure but obtained independently.
* Note: This example callback is hash-agnostic and will work with any
* hash algorithm. The hashOID parameter can be used to validate or select
* different signing behavior if needed.
*/
static int eccSignRawDigestCb(PKCS7* pkcs7, byte* digest, word32 digestSz,
byte* out, word32 outSz, byte* privateKey,
@@ -498,7 +501,11 @@ static int eccSignRawDigestCb(PKCS7* pkcs7, byte* digest, word32 digestSz,
int ret;
word32 idx = 0;
word32 sigSz = outSz;
ecc_key ecc;
#ifdef WOLFSSL_SMALL_STACK
ecc_key* ecc = NULL;
#else
ecc_key ecc[1];
#endif
/* privateKey may be NULL in HSM/secure element use case - we load it
* independently in this callback to simulate that scenario */
@@ -510,15 +517,25 @@ static int eccSignRawDigestCb(PKCS7* pkcs7, byte* digest, word32 digestSz,
return -1;
}
#ifdef WOLFSSL_SMALL_STACK
ecc = (ecc_key*)XMALLOC(sizeof(ecc_key), pkcs7->heap, DYNAMIC_TYPE_ECC);
if (ecc == NULL) {
return MEMORY_E;
}
#endif
/* set up ECC key */
ret = wc_ecc_init_ex(&ecc, pkcs7->heap, devid);
ret = wc_ecc_init_ex(ecc, pkcs7->heap, devid);
if (ret != 0) {
#ifdef WOLFSSL_SMALL_STACK
XFREE(ecc, pkcs7->heap, DYNAMIC_TYPE_ECC);
#endif
return ret;
}
/* Load key from test buffer - simulates HSM/secure element access */
#if defined(USE_CERT_BUFFERS_256)
ret = wc_EccPrivateKeyDecode(ecc_clikey_der_256, &idx, &ecc,
ret = wc_EccPrivateKeyDecode(ecc_clikey_der_256, &idx, ecc,
sizeof_ecc_clikey_der_256);
#else
{
@@ -528,28 +545,37 @@ static int eccSignRawDigestCb(PKCS7* pkcs7, byte* digest, word32 digestSz,
fp = XFOPEN("./certs/client-ecc-key.der", "rb");
if (fp == XBADFILE) {
wc_ecc_free(&ecc);
wc_ecc_free(ecc);
#ifdef WOLFSSL_SMALL_STACK
XFREE(ecc, pkcs7->heap, DYNAMIC_TYPE_ECC);
#endif
return -1;
}
keySz = (int)XFREAD(keyBuf, 1, sizeof(keyBuf), fp);
XFCLOSE(fp);
if (keySz <= 0) {
wc_ecc_free(&ecc);
wc_ecc_free(ecc);
#ifdef WOLFSSL_SMALL_STACK
XFREE(ecc, pkcs7->heap, DYNAMIC_TYPE_ECC);
#endif
return -1;
}
ret = wc_EccPrivateKeyDecode(keyBuf, &idx, &ecc, (word32)keySz);
ret = wc_EccPrivateKeyDecode(keyBuf, &idx, ecc, (word32)keySz);
}
#endif
/* sign digest */
if (ret == 0) {
ret = wc_ecc_sign_hash(digest, digestSz, out, &sigSz, pkcs7->rng, &ecc);
ret = wc_ecc_sign_hash(digest, digestSz, out, &sigSz, pkcs7->rng, ecc);
if (ret == 0) {
ret = (int)sigSz;
}
}
wc_ecc_free(&ecc);
wc_ecc_free(ecc);
#ifdef WOLFSSL_SMALL_STACK
XFREE(ecc, pkcs7->heap, DYNAMIC_TYPE_ECC);
#endif
return ret;
}
+8
View File
@@ -2422,6 +2422,10 @@ static int wc_PKCS7_SignedDataBuildSignature(wc_PKCS7* pkcs7,
if (pkcs7->eccSignRawDigestCb != NULL) {
/* get hash OID */
int eccHashOID = wc_HashGetOID(esd->hashType);
if (eccHashOID < 0) {
ret = eccHashOID;
break;
}
/* user signing plain digest */
ret = pkcs7->eccSignRawDigestCb(pkcs7,
@@ -2429,6 +2433,10 @@ static int wc_PKCS7_SignedDataBuildSignature(wc_PKCS7* pkcs7,
esd->encContentDigest, sizeof(esd->encContentDigest),
pkcs7->privateKey, pkcs7->privateKeySz, pkcs7->devId,
eccHashOID);
/* validate return value doesn't exceed buffer size */
if (ret > 0 && (word32)ret > sizeof(esd->encContentDigest)) {
ret = BUFFER_E;
}
break;
}
#endif