mirror of
https://github.com/wolfSSL/wolfssl.git
synced 2026-07-05 13:10:52 +02:00
Address copilot feedback
This commit is contained in:
+34
-8
@@ -490,6 +490,9 @@ static int rsaSignRawDigestCb(PKCS7* pkcs7, byte* digest, word32 digestSz,
|
||||
/* ECC sign raw digest callback
|
||||
* This callback demonstrates HSM/secure element use case where the private
|
||||
* key is not passed through PKCS7 structure but obtained independently.
|
||||
* Note: This example callback is hash-agnostic and will work with any
|
||||
* hash algorithm. The hashOID parameter can be used to validate or select
|
||||
* different signing behavior if needed.
|
||||
*/
|
||||
static int eccSignRawDigestCb(PKCS7* pkcs7, byte* digest, word32 digestSz,
|
||||
byte* out, word32 outSz, byte* privateKey,
|
||||
@@ -498,7 +501,11 @@ static int eccSignRawDigestCb(PKCS7* pkcs7, byte* digest, word32 digestSz,
|
||||
int ret;
|
||||
word32 idx = 0;
|
||||
word32 sigSz = outSz;
|
||||
ecc_key ecc;
|
||||
#ifdef WOLFSSL_SMALL_STACK
|
||||
ecc_key* ecc = NULL;
|
||||
#else
|
||||
ecc_key ecc[1];
|
||||
#endif
|
||||
|
||||
/* privateKey may be NULL in HSM/secure element use case - we load it
|
||||
* independently in this callback to simulate that scenario */
|
||||
@@ -510,15 +517,25 @@ static int eccSignRawDigestCb(PKCS7* pkcs7, byte* digest, word32 digestSz,
|
||||
return -1;
|
||||
}
|
||||
|
||||
#ifdef WOLFSSL_SMALL_STACK
|
||||
ecc = (ecc_key*)XMALLOC(sizeof(ecc_key), pkcs7->heap, DYNAMIC_TYPE_ECC);
|
||||
if (ecc == NULL) {
|
||||
return MEMORY_E;
|
||||
}
|
||||
#endif
|
||||
|
||||
/* set up ECC key */
|
||||
ret = wc_ecc_init_ex(&ecc, pkcs7->heap, devid);
|
||||
ret = wc_ecc_init_ex(ecc, pkcs7->heap, devid);
|
||||
if (ret != 0) {
|
||||
#ifdef WOLFSSL_SMALL_STACK
|
||||
XFREE(ecc, pkcs7->heap, DYNAMIC_TYPE_ECC);
|
||||
#endif
|
||||
return ret;
|
||||
}
|
||||
|
||||
/* Load key from test buffer - simulates HSM/secure element access */
|
||||
#if defined(USE_CERT_BUFFERS_256)
|
||||
ret = wc_EccPrivateKeyDecode(ecc_clikey_der_256, &idx, &ecc,
|
||||
ret = wc_EccPrivateKeyDecode(ecc_clikey_der_256, &idx, ecc,
|
||||
sizeof_ecc_clikey_der_256);
|
||||
#else
|
||||
{
|
||||
@@ -528,28 +545,37 @@ static int eccSignRawDigestCb(PKCS7* pkcs7, byte* digest, word32 digestSz,
|
||||
|
||||
fp = XFOPEN("./certs/client-ecc-key.der", "rb");
|
||||
if (fp == XBADFILE) {
|
||||
wc_ecc_free(&ecc);
|
||||
wc_ecc_free(ecc);
|
||||
#ifdef WOLFSSL_SMALL_STACK
|
||||
XFREE(ecc, pkcs7->heap, DYNAMIC_TYPE_ECC);
|
||||
#endif
|
||||
return -1;
|
||||
}
|
||||
keySz = (int)XFREAD(keyBuf, 1, sizeof(keyBuf), fp);
|
||||
XFCLOSE(fp);
|
||||
if (keySz <= 0) {
|
||||
wc_ecc_free(&ecc);
|
||||
wc_ecc_free(ecc);
|
||||
#ifdef WOLFSSL_SMALL_STACK
|
||||
XFREE(ecc, pkcs7->heap, DYNAMIC_TYPE_ECC);
|
||||
#endif
|
||||
return -1;
|
||||
}
|
||||
ret = wc_EccPrivateKeyDecode(keyBuf, &idx, &ecc, (word32)keySz);
|
||||
ret = wc_EccPrivateKeyDecode(keyBuf, &idx, ecc, (word32)keySz);
|
||||
}
|
||||
#endif
|
||||
|
||||
/* sign digest */
|
||||
if (ret == 0) {
|
||||
ret = wc_ecc_sign_hash(digest, digestSz, out, &sigSz, pkcs7->rng, &ecc);
|
||||
ret = wc_ecc_sign_hash(digest, digestSz, out, &sigSz, pkcs7->rng, ecc);
|
||||
if (ret == 0) {
|
||||
ret = (int)sigSz;
|
||||
}
|
||||
}
|
||||
|
||||
wc_ecc_free(&ecc);
|
||||
wc_ecc_free(ecc);
|
||||
#ifdef WOLFSSL_SMALL_STACK
|
||||
XFREE(ecc, pkcs7->heap, DYNAMIC_TYPE_ECC);
|
||||
#endif
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
||||
@@ -2422,6 +2422,10 @@ static int wc_PKCS7_SignedDataBuildSignature(wc_PKCS7* pkcs7,
|
||||
if (pkcs7->eccSignRawDigestCb != NULL) {
|
||||
/* get hash OID */
|
||||
int eccHashOID = wc_HashGetOID(esd->hashType);
|
||||
if (eccHashOID < 0) {
|
||||
ret = eccHashOID;
|
||||
break;
|
||||
}
|
||||
|
||||
/* user signing plain digest */
|
||||
ret = pkcs7->eccSignRawDigestCb(pkcs7,
|
||||
@@ -2429,6 +2433,10 @@ static int wc_PKCS7_SignedDataBuildSignature(wc_PKCS7* pkcs7,
|
||||
esd->encContentDigest, sizeof(esd->encContentDigest),
|
||||
pkcs7->privateKey, pkcs7->privateKeySz, pkcs7->devId,
|
||||
eccHashOID);
|
||||
/* validate return value doesn't exceed buffer size */
|
||||
if (ret > 0 && (word32)ret > sizeof(esd->encContentDigest)) {
|
||||
ret = BUFFER_E;
|
||||
}
|
||||
break;
|
||||
}
|
||||
#endif
|
||||
|
||||
Reference in New Issue
Block a user