From 2a1165460ec9214e0d2a3a06511c5139b94e4e95 Mon Sep 17 00:00:00 2001 From: JacobBarthelmeh Date: Wed, 4 Sep 2024 15:11:10 -0600 Subject: [PATCH 1/2] add parsing over optional PKCS8 attributes --- certs/ca-key-pkcs8-attribute.der | Bin 0 -> 1239 bytes certs/include.am | 1 + tests/api.c | 11 +++++++++++ wolfcrypt/src/asn.c | 5 +++-- 4 files changed, 15 insertions(+), 2 deletions(-) create mode 100644 certs/ca-key-pkcs8-attribute.der 
diff --git a/certs/ca-key-pkcs8-attribute.der b/certs/ca-key-pkcs8-attribute.der new file mode 100644 index 0000000000000000000000000000000000000000..692a8cccf4d425060acb57059ebcac704e4a8263 GIT binary patch literal 1239 zcmXqLV!6!3$Y8+B#;Mij(e|B}k&%&=fu)IMg+UX`5++6lrY1&4hW$LJbVWAFwKzqe zwUGDvd}wgNnz6O)AN@II8I&5HT&_>0~;uXw?sQ}cHDqN-jC zO_?>v-+ro@x?yTlt!IqI*>ctQdmBoFr`Xt@N{*f{y7jWGu)gF)o7-hpXLi({e0u2m zErk#JHFHrZWT?rYrl+cpK;{yOZT6_nR9Uo4xnGHLGM| zW@KPwYGP!t&GSo;YN?;wTJzAGz2?ESnOgVe{xmb;E9bN0c;)|;P3_7zi|_Y&`DOIj z7Jbpmn3G)e*z_68#EDxEZd?+w=K8VUjtj1p=I`b9+rKgBMZBllj4=1(_g=oTNnqTs zamR4KXZ&Q(_NvC{Y2Lo4Vl4c(KiqWrxZ*7vp?3Bs(s!KSym%9m`25@3W!!pS?>E&S zlTVbKv!vPbzG7=0Ft6$X&TKNr>Erb5soSv!Z+p%=@yQH1R zAMAE-KbU#G__M*jbCxV~o-#EyGCVAEZHU}<+4DZvd!cLmAGV*?GT*=a$5!93hNf$u zES|FP_Qz>!x3Z?RHvf^1)?Bskhnjs^-CCIsr?0DRk!I}+Ypdf(Qaspp&ArlYd+d^9 zR@XO{D0~Z;?#L4S)?V#e{={DyYHzge%=-BJ&hO$6mCn+Niz8W*gV;}Ae|AwiHg4Ll zV2~Sby!A^-%$~@T$heh%w@Z4k+#U8KDs}U6T9ha9JP~3M^R1Y1W}2;nAHVCYZ9g_o z=H0YNTJw`y<%y%0D(d2jKV2_K-0g5Kk@a7uT$AQAksS-4PrIOO&pMgm(?j37x7(-X zeE;y|;(5jy{&z}3R^`S;IU4@^KWp0p*1IbOLVjdlSk=tb*r0fsrOV}Y!1kK7{q5S% zH2hvQKYD5U@ROkX|Ak-w%-4Nt)%b^zIX`%9i2AmmcTdAE3a@^+nZI-bSId@#2YPs} z&2!tOZMW6%ZSw9VS9$x3&R&#LGkv{Jy6Eq0%PsBOg}=UPcAY$9SN{{QGh2LC)N|}| z^jzVoVH;7P1x13|&CFnqq<&TH$NbDQn^e_yz>;v6%l^2UYI$)}EZhM8(# z)Jsj6${IRT(Dd)s`!2_qb`-^LY6@IY=sMZ#e2jczAP;N9i}gpVcf~0^wkbW_!Wx=; z%}TeWbF%Sii(9JkM}}PdmkM-21Vlkn?4yU-_>Z4qODe zVdw2m1rzmxB$HS1s!2kh=Qi&5csGmhV6VXc)LCoj9;`X-nd~D=ItRubg|b zocnk|n(eL=A@?sCKm1z%Q$2BCxa-~RuHq_Rm7iGfO;msPSmB1qi7D>o4&|;A^LWoy z+J_s4aeAijn-byw?a1m!osS=P9bgUBQ90l>oke}t0$~F|Hs(-SenT!X4g&)NLjwZ? F0|0*kOlJT9 literal 0 HcmV?d00001 diff --git a/certs/include.am b/certs/include.am index dd87e3265..d4417fe8e 100644 --- a/certs/include.am +++ b/certs/include.am @@ -6,6 +6,7 @@ EXTRA_DIST += \ certs/ca-cert-chain.der \ certs/ca-cert.pem \ certs/ca-key.pem \ + certs/ca-key-pkcs8-attribute.der \ certs/client-cert.pem \ certs/client-keyEnc.pem \ certs/client-key.pem \ 
diff --git a/tests/api.c b/tests/api.c index 65b6d2e7a..b1afc1b0a 100644 --- a/tests/api.c +++ b/tests/api.c @@ -74549,6 +74549,7 @@ static int test_wc_GetPkcs8TraditionalOffset(void) int derSz = 0; word32 inOutIdx; const char* path = "./certs/server-keyPkcs8.der"; + const char* pathAttributes = "./certs/ca-key-pkcs8-attribute.der"; XFILE file = XBADFILE; byte der[2048]; @@ -74577,6 +74578,16 @@ static int test_wc_GetPkcs8TraditionalOffset(void) inOutIdx = 0; ExpectIntEQ(length = wc_GetPkcs8TraditionalOffset(der, &inOutIdx, (word32)derSz), WC_NO_ERR_TRACE(ASN_PARSE_E)); + + /* test parsing with attributes */ + ExpectTrue((file = XFOPEN(pathAttributes, "rb")) != XBADFILE); + ExpectIntGT(derSz = (int)XFREAD(der, 1, sizeof(der), file), 0); + if (file != XBADFILE) + XFCLOSE(file); + + inOutIdx = 0; + ExpectIntGT(length = wc_GetPkcs8TraditionalOffset(der, &inOutIdx, + (word32)derSz), 0); #endif /* NO_ASN */ return EXPECT_RESULT(); } diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index d41f8cbe4..1510dbec8 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -6882,8 +6882,9 @@ static const ASNItem pkcs8KeyASN[] = { /* PKEY_ALGO_PARAM_SEQ */ { 2, ASN_SEQUENCE, 1, 0, 1 }, #endif /* PKEY_DATA */ { 1, ASN_OCTET_STRING, 0, 0, 0 }, - /* attributes [0] Attributes OPTIONAL */ - /* [[2: publicKey [1] PublicKey OPTIONAL ]] */ +/* OPTIONAL Attributes IMPLICIT [0] */ + { 1, ASN_CONTEXT_SPECIFIC | 0, 1, 0, 1 }, +/* [[2: publicKey [1] PublicKey OPTIONAL ]] */ }; enum { PKCS8KEYASN_IDX_SEQ = 0, From 9a8573afc9f2175dff3be100057ed3d3841b59eb Mon Sep 17 00:00:00 2001 From: JacobBarthelmeh Date: Wed, 4 Sep 2024 15:48:44 -0600 Subject: [PATCH 2/2] touch up pkcs8 create function and test case warning --- tests/api.c | 1 + wolfcrypt/src/asn.c | 11 +++++++---- 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/tests/api.c b/tests/api.c index b1afc1b0a..880e4199e 100644 --- a/tests/api.c +++ b/tests/api.c 
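Review bot: The attribute case added at the end of test_wc_GetPkcs8TraditionalOffset only asserts that the return value is positive, so a parser that reports a wrong offset, or a length that runs into the trailing attributes, would still pass. A bounds check after the call, `ExpectIntLE((int)inOutIdx + length, derSz);`, would pin that the reported key span stays inside the data that was read. A negative case is also worth adding, for example the same file with `derSz` cut short inside the attribute block and a negative return expected, because this is a private-key container that may come from an untrusted source. The function starts outside the hunk.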
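Review bot: The comment on the new `pkcs8KeyASN` entry does not say that the attribute contents are only stepped over, which is what the entry appears to do: it is an optional `[0]` item with no child items in the template. Since this template decodes private keys, a reader should be able to tell that nothing inside the attributes is checked or used; I would word it `/* attributes [0] IMPLICIT Attributes OPTIONAL - skipped, contents not parsed */`. The publicKey `[1]` field is still comment-only, so input carrying it presumably still fails to parse, which is worth stating in the same comment. The array starts outside the hunk.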
@@ -74557,6 +74557,7 @@ static int test_wc_GetPkcs8TraditionalOffset(void) ExpectIntGT(derSz = (int)XFREAD(der, 1, sizeof(der), file), 0); if (file != XBADFILE) XFCLOSE(file); + file = XBADFILE; /* reset file to avoid warning of use after close */ /* valid case */ inOutIdx = 0; diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 1510dbec8..54f257753 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -6897,6 +6897,7 @@ enum { PKCS8KEYASN_IDX_PKEY_ALGO_PARAM_SEQ, #endif PKCS8KEYASN_IDX_PKEY_DATA, + PKCS8KEYASN_IDX_PKEY_ATTRIBUTES, WOLF_ENUM_DUMMY_LAST_ELEMENT(PKCS8KEYASN_IDX) }; @@ -7307,7 +7308,9 @@ int wc_CreatePKCS8Key(byte* out, word32* outSz, byte* key, word32 keySz, *outSz = tmpSz + sz; return (int)(tmpSz + sz); #else - DECL_ASNSETDATA(dataASN, pkcs8KeyASN_Length); + /* pkcs8KeyASN_Length-1, the -1 is because we are not adding the optional + * set of attributes */ + DECL_ASNSETDATA(dataASN, pkcs8KeyASN_Length-1); int sz = 0; int ret = 0; word32 keyIdx = 0; @@ -7328,7 +7331,7 @@ int wc_CreatePKCS8Key(byte* out, word32* outSz, byte* key, word32 keySz, ret = ASN_PARSE_E; } - CALLOC_ASNSETDATA(dataASN, pkcs8KeyASN_Length, ret, NULL); + CALLOC_ASNSETDATA(dataASN, pkcs8KeyASN_Length-1, ret, NULL); if (ret == 0) { /* Only support default PKCS #8 format - v0. */ @@ -7354,7 +7357,7 @@ int wc_CreatePKCS8Key(byte* out, word32* outSz, byte* key, word32 keySz, SetASN_Buffer(&dataASN[PKCS8KEYASN_IDX_PKEY_DATA], key, keySz); /* Get the size of the DER encoding. */ - ret = SizeASN_Items(pkcs8KeyASN, dataASN, pkcs8KeyASN_Length, &sz); + ret = SizeASN_Items(pkcs8KeyASN, dataASN, pkcs8KeyASN_Length-1, &sz); } if (ret == 0) { /* Always return the calculated size. */ @@ -7367,7 +7370,7 @@ int wc_CreatePKCS8Key(byte* out, word32* outSz, byte* key, word32 keySz, } if (ret == 0) { /* Encode PKCS #8 key into buffer. */ - SetASN_Items(pkcs8KeyASN, dataASN, pkcs8KeyASN_Length, out); + SetASN_Items(pkcs8KeyASN, dataASN, pkcs8KeyASN_Length-1, out); ret = sz; }
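Review bot: `pkcs8KeyASN_Length-1` in wc_CreatePKCS8Key is correct only while the attributes entry is the last item of `pkcs8KeyASN`. It is repeated in the `DECL_ASNSETDATA`, `CALLOC_ASNSETDATA`, `SizeASN_Items` and `SetASN_Items` hunks, so four places must change together if the publicKey `[1]` item is ever added to the template. The `PKCS8KEYASN_IDX_PKEY_ATTRIBUTES` enumerator added in the enum hunk is not referenced in any visible line. Provided the enum stays in step with the template, its value is the number of items before the attributes, so it can serve as the count: `DECL_ASNSETDATA(dataASN, PKCS8KEYASN_IDX_PKEY_ATTRIBUTES);` and likewise in the other three calls. A count that disagrees with the data array would mean an out-of-bounds access in key-encoding code, so one named count is safer than a repeated literal offset; the function body starts and ends outside these hunks.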