wolfSSL/wolfssl
1
0
Fork 1
mirror of https://github.com/wolfSSL/wolfssl.git synced 2025-08-02 20:24:39 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #1898 from cconlon/cmsupdates

Browse Source 
wolfCrypt PKCS#7/CMS Expansion
This commit is contained in:
toddouska
2018-11-07 08:36:02 -08:00
committed by GitHub
parent 24e2a2b228 100bf76748
commit f7f6506a54
10 changed files with 10387 additions and 1854 deletions
Download Patch File Download Diff File Expand all files Collapse all files

88
.gitignore vendored
View File

@@ -101,22 +101,84 @@ ecc-key.pem
certreq.der
certreq.pem
pkcs7cert.der
pkcs7signedData_RSA_SHA.der
pkcs7signedData_RSA_SHA_noattr.der
pkcs7signedData_RSA_SHA224.der
pkcs7signedData_RSA_SHA256.der
pkcs7signedData_RSA_SHA384.der
pkcs7signedData_RSA_SHA512.der
pkcs7signedData_ECDSA_SHA.der
pkcs7signedData_ECDSA_SHA_noattr.der
pkcs7signedData_ECDSA_SHA224.der
pkcs7signedData_ECDSA_SHA256.der
pkcs7signedData_ECDSA_SHA384.der
pkcs7signedData_ECDSA_SHA512.der
pkcs7envelopedDataDES3.der
pkcs7authEnvelopedDataAES128GCM.der
pkcs7authEnvelopedDataAES128GCM_ECDH_SHA1KDF.der
pkcs7authEnvelopedDataAES128GCM_KEKRI.der
pkcs7authEnvelopedDataAES128GCM_ORI.der
pkcs7authEnvelopedDataAES128GCM_PWRI.der
pkcs7authEnvelopedDataAES192GCM.der
pkcs7authEnvelopedDataAES256GCM.der
pkcs7authEnvelopedDataAES256GCM_ECDH_SHA256KDF.der
pkcs7authEnvelopedDataAES256GCM_ECDH_SHA256KDF_authAttribs.der
pkcs7authEnvelopedDataAES256GCM_ECDH_SHA256KDF_bothAttribs.der
pkcs7authEnvelopedDataAES256GCM_ECDH_SHA256KDF_fw_bothAttribs.der
pkcs7authEnvelopedDataAES256GCM_ECDH_SHA256KDF_unauthAttribs.der
pkcs7authEnvelopedDataAES256GCM_ECDH_SHA512KDF.der
pkcs7authEnvelopedDataAES256GCM_ECDH_SHA512KDF_ukm.der
pkcs7authEnvelopedDataAES256GCM_firmwarePkgData.der
pkcs7authEnvelopedDataAES256GCM_IANDS.der
pkcs7authEnvelopedDataAES256GCM_SKID.der
pkcs7compressedData_data_zlib.der
pkcs7compressedData_firmwarePkgData_zlib.der
pkcs7encryptedDataAES128CBC.der
pkcs7encryptedDataAES192CBC.der
pkcs7encryptedDataAES256CBC.der
pkcs7encryptedDataAES256CBC_attribs.der
pkcs7encryptedDataAES256CBC_firmwarePkgData.der
pkcs7encryptedDataAES256CBC_multi_attribs.der
pkcs7encryptedDataDES.der
pkcs7encryptedDataDES3.der
pkcs7envelopedDataAES128CBC.der
pkcs7envelopedDataAES128CBC_ECDH_SHA1KDF.der
pkcs7envelopedDataAES128CBC_KEKRI.der
pkcs7envelopedDataAES128CBC_PWRI.der
pkcs7envelopedDataAES128CBC_ORI.der
pkcs7envelopedDataAES192CBC.der
pkcs7envelopedDataAES256CBC.der
pkcs7envelopedDataAES256CBC_IANDS.der
pkcs7envelopedDataAES256CBC_SKID.der
pkcs7envelopedDataAES256CBC_ECDH_SHA256KDF.der
pkcs7envelopedDataAES256CBC_ECDH_SHA512KDF.der
pkcs7envelopedDataAES256CBC_ECDH_SHA512KDF_ukm.der
pkcs7envelopedDataDES3.der
pkcs7signedData_ECDSA_SHA224.der
pkcs7signedData_ECDSA_SHA256_custom_contentType.der
pkcs7signedData_ECDSA_SHA256.der
pkcs7signedData_ECDSA_SHA256_firmwarePkgData.der
pkcs7signedData_ECDSA_SHA256_SKID.der
pkcs7signedData_ECDSA_SHA384.der
pkcs7signedData_ECDSA_SHA512.der
pkcs7signedData_ECDSA_SHA.der
pkcs7signedData_ECDSA_SHA_noattr.der
pkcs7signedData_RSA_SHA224.der
pkcs7signedData_RSA_SHA256_custom_contentType.der
pkcs7signedData_RSA_SHA256.der
pkcs7signedData_RSA_SHA256_firmwarePkgData.der
pkcs7signedData_RSA_SHA256_SKID.der
pkcs7signedData_RSA_SHA256_with_ca_cert.der
pkcs7signedData_RSA_SHA384.der
pkcs7signedData_RSA_SHA512.der
pkcs7signedData_RSA_SHA.der
pkcs7signedData_RSA_SHA_noattr.der
pkcs7signedCompressedFirmwarePkgData_ECDSA_SHA256.der
pkcs7signedCompressedFirmwarePkgData_ECDSA_SHA256_noattr.der
pkcs7signedCompressedFirmwarePkgData_RSA_SHA256.der
pkcs7signedCompressedFirmwarePkgData_RSA_SHA256_noattr.der
pkcs7signedEncryptedFirmwarePkgData_ECDSA_SHA256.der
pkcs7signedEncryptedFirmwarePkgData_ECDSA_SHA256_noattr.der
pkcs7signedEncryptedFirmwarePkgData_RSA_SHA256.der
pkcs7signedEncryptedFirmwarePkgData_RSA_SHA256_noattr.der
pkcs7signedFirmwarePkgData_ECDSA_SHA256.der
pkcs7signedFirmwarePkgData_ECDSA_SHA256_SKID.der
pkcs7signedFirmwarePkgData_ECDSA_SHA256_noattr.der
pkcs7signedFirmwarePkgData_RSA_SHA256.der
pkcs7signedFirmwarePkgData_RSA_SHA256_SKID.der
pkcs7signedFirmwarePkgData_RSA_SHA256_noattr.der
pkcs7signedFirmwarePkgData_RSA_SHA256_with_ca_cert.der
pkcs7signedEncryptedCompressedFirmwarePkgData_ECDSA_SHA256.der
pkcs7signedEncryptedCompressedFirmwarePkgData_ECDSA_SHA256_noattr.der
pkcs7signedEncryptedCompressedFirmwarePkgData_RSA_SHA256.der
pkcs7signedEncryptedCompressedFirmwarePkgData_RSA_SHA256_noattr.der
diff
sslSniffer/sslSnifferTest/tracefile.txt
tracefile.txt

53
Makefile.am
View File

@@ -39,10 +39,30 @@ CLEANFILES+= cert.der \
othercert.der \
othercert.pem \
pkcs7cert.der \
pkcs7authEnvelopedDataAES128GCM.der \
pkcs7authEnvelopedDataAES128GCM_ECDH_SHA1KDF.der \
pkcs7authEnvelopedDataAES128GCM_KEKRI.der \
pkcs7authEnvelopedDataAES128GCM_ORI.der \
pkcs7authEnvelopedDataAES128GCM_PWRI.der \
pkcs7authEnvelopedDataAES192GCM.der \
pkcs7authEnvelopedDataAES256GCM.der \
pkcs7authEnvelopedDataAES256GCM_ECDH_SHA256KDF.der \
pkcs7authEnvelopedDataAES256GCM_ECDH_SHA256KDF_authAttribs.der \
pkcs7authEnvelopedDataAES256GCM_ECDH_SHA256KDF_bothAttribs.der \
pkcs7authEnvelopedDataAES256GCM_ECDH_SHA256KDF_fw_bothAttribs.der \
pkcs7authEnvelopedDataAES256GCM_ECDH_SHA256KDF_unauthAttribs.der \
pkcs7authEnvelopedDataAES256GCM_ECDH_SHA512KDF.der \
pkcs7authEnvelopedDataAES256GCM_ECDH_SHA512KDF_ukm.der \
pkcs7authEnvelopedDataAES256GCM_firmwarePkgData.der \
pkcs7authEnvelopedDataAES256GCM_IANDS.der \
pkcs7authEnvelopedDataAES256GCM_SKID.der \
pkcs7compressedData_data_zlib.der \
pkcs7compressedData_firmwarePkgData_zlib.der \
pkcs7encryptedDataAES128CBC.der \
pkcs7encryptedDataAES192CBC.der \
pkcs7encryptedDataAES256CBC_attribs.der \
pkcs7encryptedDataAES256CBC.der \
pkcs7encryptedDataAES256CBC_firmwarePkgData.der \
pkcs7encryptedDataAES256CBC_multi_attribs.der \
pkcs7encryptedDataDES3.der \
pkcs7encryptedDataDES.der \
@@ -53,20 +73,51 @@ CLEANFILES+= cert.der \
pkcs7envelopedDataAES256CBC_ECDH_SHA512KDF_ukm.der \
pkcs7envelopedDataDES3.der \
pkcs7envelopedDataAES128CBC.der \
pkcs7envelopedDataAES128CBC_KEKRI.der \
pkcs7envelopedDataAES128CBC_PWRI.der \
pkcs7envelopedDataAES128CBC_ORI.der \
pkcs7envelopedDataAES192CBC.der \
pkcs7envelopedDataAES256CBC.der \
pkcs7envelopedDataAES256CBC_IANDS.der \
pkcs7envelopedDataAES256CBC_SKID.der \
pkcs7signedData_RSA_SHA.der \
pkcs7signedData_RSA_SHA_noattr.der \
pkcs7signedData_RSA_SHA224.der \
pkcs7signedData_RSA_SHA256.der \
pkcs7signedData_RSA_SHA256_firmwarePkgData.der \
pkcs7signedData_RSA_SHA256_custom_contentType.der \
pkcs7signedData_RSA_SHA256_with_ca_cert.der \
pkcs7signedData_RSA_SHA256_SKID.der \
pkcs7signedData_RSA_SHA384.der \
pkcs7signedData_RSA_SHA512.der \
pkcs7signedData_ECDSA_SHA.der \
pkcs7signedData_ECDSA_SHA_noattr.der \
pkcs7signedData_ECDSA_SHA224.der \
pkcs7signedData_ECDSA_SHA256.der \
pkcs7signedData_ECDSA_SHA256_firmwarePkgData.der \
pkcs7signedData_ECDSA_SHA256_custom_contentType.der \
pkcs7signedData_ECDSA_SHA256_SKID.der \
pkcs7signedData_ECDSA_SHA384.der \
pkcs7signedData_ECDSA_SHA512.der
pkcs7signedData_ECDSA_SHA512.der \
pkcs7signedFirmwarePkgData_ECDSA_SHA256.der \
pkcs7signedFirmwarePkgData_ECDSA_SHA256_SKID.der \
pkcs7signedFirmwarePkgData_ECDSA_SHA256_noattr.der \
pkcs7signedFirmwarePkgData_RSA_SHA256.der \
pkcs7signedFirmwarePkgData_RSA_SHA256_SKID.der \
pkcs7signedFirmwarePkgData_RSA_SHA256_noattr.der \
pkcs7signedFirmwarePkgData_RSA_SHA256_with_ca_cert.der \
pkcs7signedCompressedFirmwarePkgData_ECDSA_SHA256.der \
pkcs7signedCompressedFirmwarePkgData_ECDSA_SHA256_noattr.der \
pkcs7signedCompressedFirmwarePkgData_RSA_SHA256.der \
pkcs7signedCompressedFirmwarePkgData_RSA_SHA256_noattr.der \
pkcs7signedEncryptedFirmwarePkgData_RSA_SHA256.der \
pkcs7signedEncryptedFirmwarePkgData_RSA_SHA256_noattr.der \
pkcs7signedEncryptedFirmwarePkgData_ECDSA_SHA256.der \
pkcs7signedEncryptedFirmwarePkgData_ECDSA_SHA256_noattr.der \
pkcs7signedEncryptedCompressedFirmwarePkgData_ECDSA_SHA256.der \
pkcs7signedEncryptedCompressedFirmwarePkgData_ECDSA_SHA256_noattr.der \
pkcs7signedEncryptedCompressedFirmwarePkgData_RSA_SHA256.der \
pkcs7signedEncryptedCompressedFirmwarePkgData_RSA_SHA256_noattr.der
exampledir = $(docdir)/example
dist_example_DATA=

437
tests/api.c
View File

@@ -14863,18 +14863,21 @@ static void test_wc_PKCS7_New (void)
static void test_wc_PKCS7_Init (void)
{
#if defined(HAVE_PKCS7)
PKCS7 pkcs7;
PKCS7* pkcs7;
void* heap = NULL;
printf(testingFmt, "wc_PKCS7_Init()");
AssertIntEQ(wc_PKCS7_Init(&pkcs7, heap, devId), 0);
pkcs7 = wc_PKCS7_New(heap, devId);
AssertNotNull(pkcs7);
AssertIntEQ(wc_PKCS7_Init(pkcs7, heap, devId), 0);
/* Pass in bad args. */
AssertIntEQ(wc_PKCS7_Init(NULL, heap, devId), BAD_FUNC_ARG);
printf(resultFmt, passed);
wc_PKCS7_Free(&pkcs7);
wc_PKCS7_Free(pkcs7);
#endif
} /* END test-wc_PKCS7_Init */
@@ -14885,7 +14888,7 @@ static void test_wc_PKCS7_Init (void)
static void test_wc_PKCS7_InitWithCert (void)
{
#if defined(HAVE_PKCS7)
PKCS7 pkcs7;
PKCS7* pkcs7;
#ifndef NO_RSA
#if defined(USE_CERT_BUFFERS_2048)
@@ -14929,24 +14932,26 @@ static void test_wc_PKCS7_InitWithCert (void)
#error PKCS7 requires ECC or RSA
#endif
printf(testingFmt, "wc_PKCS7_InitWithCert()");
/* If initialization is not successful, it's free'd in init func. */
pkcs7.isDynamic = 0;
AssertIntEQ(wc_PKCS7_InitWithCert(&pkcs7, (byte*)cert, (word32)certSz), 0);
wc_PKCS7_Free(&pkcs7);
AssertNotNull(pkcs7 = wc_PKCS7_New(HEAP_HINT, devId));
/* If initialization is not successful, it's free'd in init func. */
AssertIntEQ(wc_PKCS7_InitWithCert(pkcs7, (byte*)cert, (word32)certSz), 0);
wc_PKCS7_Free(pkcs7);
AssertNotNull(pkcs7 = wc_PKCS7_New(HEAP_HINT, devId));
/* Valid initialization usage. */
AssertIntEQ(wc_PKCS7_InitWithCert(&pkcs7, NULL, 0), 0);
AssertIntEQ(wc_PKCS7_InitWithCert(pkcs7, NULL, 0), 0);
/* Pass in bad args. No need free for null checks, free at end.*/
AssertIntEQ(wc_PKCS7_InitWithCert(NULL, (byte*)cert, (word32)certSz),
BAD_FUNC_ARG);
AssertIntEQ(wc_PKCS7_InitWithCert(&pkcs7, NULL, (word32)certSz),
AssertIntEQ(wc_PKCS7_InitWithCert(pkcs7, NULL, (word32)certSz),
BAD_FUNC_ARG);
printf(resultFmt, passed);
wc_PKCS7_Free(&pkcs7);
wc_PKCS7_Free(pkcs7);
#endif
} /* END test_wc_PKCS7_InitWithCert */
@@ -14957,7 +14962,7 @@ static void test_wc_PKCS7_InitWithCert (void)
static void test_wc_PKCS7_EncodeData (void)
{
#if defined(HAVE_PKCS7)
PKCS7 pkcs7;
PKCS7* pkcs7;
byte output[FOURK_BUF];
byte data[] = "My encoded DER cert.";
@@ -15028,28 +15033,29 @@ static void test_wc_PKCS7_EncodeData (void)
XMEMSET(output, 0, sizeof(output));
AssertIntEQ(wc_PKCS7_Init(&pkcs7, HEAP_HINT, INVALID_DEVID), 0);
AssertNotNull(pkcs7 = wc_PKCS7_New(HEAP_HINT, devId));
AssertIntEQ(wc_PKCS7_Init(pkcs7, HEAP_HINT, INVALID_DEVID), 0);
AssertIntEQ(wc_PKCS7_InitWithCert(&pkcs7, (byte*)cert, certSz), 0);
AssertIntEQ(wc_PKCS7_InitWithCert(pkcs7, (byte*)cert, certSz), 0);
printf(testingFmt, "wc_PKCS7_EncodeData()");
pkcs7.content = data;
pkcs7.contentSz = sizeof(data);
pkcs7.privateKey = key;
pkcs7.privateKeySz = keySz;
AssertIntGT(wc_PKCS7_EncodeData(&pkcs7, output, (word32)sizeof(output)), 0);
pkcs7->content = data;
pkcs7->contentSz = sizeof(data);
pkcs7->privateKey = key;
pkcs7->privateKeySz = keySz;
AssertIntGT(wc_PKCS7_EncodeData(pkcs7, output, (word32)sizeof(output)), 0);
/* Test bad args. */
AssertIntEQ(wc_PKCS7_EncodeData(NULL, output, (word32)sizeof(output)),
BAD_FUNC_ARG);
AssertIntEQ(wc_PKCS7_EncodeData(&pkcs7, NULL, (word32)sizeof(output)),
AssertIntEQ(wc_PKCS7_EncodeData(pkcs7, NULL, (word32)sizeof(output)),
BAD_FUNC_ARG);
AssertIntEQ(wc_PKCS7_EncodeData(&pkcs7, output, 5), BUFFER_E);
AssertIntEQ(wc_PKCS7_EncodeData(pkcs7, output, 5), BUFFER_E);
printf(resultFmt, passed);
wc_PKCS7_Free(&pkcs7);
wc_PKCS7_Free(pkcs7);
#endif
} /* END test_wc_PKCS7_EncodeData */
@@ -15060,7 +15066,7 @@ static void test_wc_PKCS7_EncodeData (void)
static void test_wc_PKCS7_EncodeSignedData(void)
{
#if defined(HAVE_PKCS7)
PKCS7 pkcs7;
PKCS7* pkcs7;
WC_RNG rng;
byte output[FOURK_BUF];
byte badOut[0];
@@ -15135,37 +15141,39 @@ static void test_wc_PKCS7_EncodeSignedData(void)
XMEMSET(output, 0, outputSz);
AssertIntEQ(wc_InitRng(&rng), 0);
AssertIntEQ(wc_PKCS7_Init(&pkcs7, HEAP_HINT, INVALID_DEVID), 0);
AssertNotNull(pkcs7 = wc_PKCS7_New(HEAP_HINT, devId));
AssertIntEQ(wc_PKCS7_Init(pkcs7, HEAP_HINT, INVALID_DEVID), 0);
AssertIntEQ(wc_PKCS7_InitWithCert(&pkcs7, cert, certSz), 0);
AssertIntEQ(wc_PKCS7_InitWithCert(pkcs7, cert, certSz), 0);
printf(testingFmt, "wc_PKCS7_EncodeSignedData()");
pkcs7.content = data;
pkcs7.contentSz = (word32)sizeof(data);
pkcs7.privateKey = key;
pkcs7.privateKeySz = (word32)sizeof(key);
pkcs7.encryptOID = RSAk;
pkcs7.hashOID = SHAh;
pkcs7.rng = &rng;
pkcs7->content = data;
pkcs7->contentSz = (word32)sizeof(data);
pkcs7->privateKey = key;
pkcs7->privateKeySz = (word32)sizeof(key);
pkcs7->encryptOID = RSAk;
pkcs7->hashOID = SHAh;
pkcs7->rng = &rng;
AssertIntGT(wc_PKCS7_EncodeSignedData(&pkcs7, output, outputSz), 0);
AssertIntGT(wc_PKCS7_EncodeSignedData(pkcs7, output, outputSz), 0);
wc_PKCS7_Free(&pkcs7);
AssertIntEQ(wc_PKCS7_InitWithCert(&pkcs7, NULL, 0), 0);
AssertIntEQ(wc_PKCS7_VerifySignedData(&pkcs7, output, outputSz), 0);
wc_PKCS7_Free(pkcs7);
AssertNotNull(pkcs7 = wc_PKCS7_New(HEAP_HINT, devId));
AssertIntEQ(wc_PKCS7_InitWithCert(pkcs7, NULL, 0), 0);
AssertIntEQ(wc_PKCS7_VerifySignedData(pkcs7, output, outputSz), 0);
/* Pass in bad args. */
AssertIntEQ(wc_PKCS7_EncodeSignedData(NULL, output, outputSz), BAD_FUNC_ARG);
AssertIntEQ(wc_PKCS7_EncodeSignedData(&pkcs7, NULL, outputSz), BAD_FUNC_ARG);
AssertIntEQ(wc_PKCS7_EncodeSignedData(&pkcs7, badOut,
AssertIntEQ(wc_PKCS7_EncodeSignedData(pkcs7, NULL, outputSz), BAD_FUNC_ARG);
AssertIntEQ(wc_PKCS7_EncodeSignedData(pkcs7, badOut,
badOutSz), BAD_FUNC_ARG);
pkcs7.hashOID = 0; /* bad hashOID */
AssertIntEQ(wc_PKCS7_EncodeSignedData(&pkcs7, output, outputSz), BAD_FUNC_ARG);
pkcs7->hashOID = 0; /* bad hashOID */
AssertIntEQ(wc_PKCS7_EncodeSignedData(pkcs7, output, outputSz), BAD_FUNC_ARG);
printf(resultFmt, passed);
wc_PKCS7_Free(&pkcs7);
wc_PKCS7_Free(pkcs7);
wc_FreeRng(&rng);
#endif
@@ -15178,7 +15186,7 @@ static void test_wc_PKCS7_EncodeSignedData_ex(void)
{
#if defined(HAVE_PKCS7)
int ret, i;
PKCS7 pkcs7;
PKCS7* pkcs7;
WC_RNG rng;
byte outputHead[FOURK_BUF/2];
byte outputFoot[FOURK_BUF/2];
@@ -15262,19 +15270,20 @@ static void test_wc_PKCS7_EncodeSignedData_ex(void)
XMEMSET(outputFoot, 0, outputFootSz);
AssertIntEQ(wc_InitRng(&rng), 0);
AssertIntEQ(wc_PKCS7_Init(&pkcs7, HEAP_HINT, INVALID_DEVID), 0);
AssertNotNull(pkcs7 = wc_PKCS7_New(HEAP_HINT, devId));
AssertIntEQ(wc_PKCS7_Init(pkcs7, HEAP_HINT, INVALID_DEVID), 0);
AssertIntEQ(wc_PKCS7_InitWithCert(&pkcs7, cert, certSz), 0);
AssertIntEQ(wc_PKCS7_InitWithCert(pkcs7, cert, certSz), 0);
printf(testingFmt, "wc_PKCS7_EncodeSignedData()");
pkcs7.content = NULL; /* not used for ex */
pkcs7.contentSz = (word32)sizeof(data);
pkcs7.privateKey = key;
pkcs7.privateKeySz = (word32)sizeof(key);
pkcs7.encryptOID = RSAk;
pkcs7.hashOID = SHAh;
pkcs7.rng = &rng;
pkcs7->content = NULL; /* not used for ex */
pkcs7->contentSz = (word32)sizeof(data);
pkcs7->privateKey = key;
pkcs7->privateKeySz = (word32)sizeof(key);
pkcs7->encryptOID = RSAk;
pkcs7->hashOID = SHAh;
pkcs7->rng = &rng;
/* calculate hash for content */
ret = wc_HashInit(&hash, hashType);
@@ -15288,20 +15297,21 @@ static void test_wc_PKCS7_EncodeSignedData_ex(void)
AssertIntEQ(ret, 0);
/* Perform PKCS7 sign using hash directly */
AssertIntEQ(wc_PKCS7_EncodeSignedData_ex(&pkcs7, hashBuf, hashSz,
AssertIntEQ(wc_PKCS7_EncodeSignedData_ex(pkcs7, hashBuf, hashSz,
outputHead, &outputHeadSz, outputFoot, &outputFootSz), 0);
AssertIntGT(outputHeadSz, 0);
AssertIntGT(outputFootSz, 0);
wc_PKCS7_Free(&pkcs7);
AssertIntEQ(wc_PKCS7_InitWithCert(&pkcs7, NULL, 0), 0);
wc_PKCS7_Free(pkcs7);
AssertNotNull(pkcs7 = wc_PKCS7_New(HEAP_HINT, devId));
AssertIntEQ(wc_PKCS7_InitWithCert(pkcs7, NULL, 0), 0);
/* required parameter even on verify when using _ex */
pkcs7.contentSz = (word32)sizeof(data);
AssertIntEQ(wc_PKCS7_VerifySignedData_ex(&pkcs7, hashBuf, hashSz,
pkcs7->contentSz = (word32)sizeof(data);
AssertIntEQ(wc_PKCS7_VerifySignedData_ex(pkcs7, hashBuf, hashSz,
outputHead, outputHeadSz, outputFoot, outputFootSz), 0);
wc_PKCS7_Free(&pkcs7);
wc_PKCS7_Free(pkcs7);
/* assembly complete PKCS7 sign and use normal verify */
{
@@ -15315,48 +15325,66 @@ static void test_wc_PKCS7_EncodeSignedData_ex(void)
XMEMCPY(&output[outputSz], outputFoot, outputFootSz);
outputSz += outputFootSz;
AssertIntEQ(wc_PKCS7_InitWithCert(&pkcs7, NULL, 0), 0);
AssertIntEQ(wc_PKCS7_VerifySignedData(&pkcs7, output, outputSz), 0);
AssertNotNull(pkcs7 = wc_PKCS7_New(HEAP_HINT, devId));
AssertIntEQ(wc_PKCS7_InitWithCert(pkcs7, NULL, 0), 0);
AssertIntEQ(wc_PKCS7_VerifySignedData(pkcs7, output, outputSz), 0);
XFREE(output, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
}
/* Pass in bad args. */
AssertIntEQ(wc_PKCS7_EncodeSignedData_ex(NULL, hashBuf, hashSz, outputHead,
&outputHeadSz, outputFoot, &outputFootSz), BAD_FUNC_ARG);
AssertIntEQ(wc_PKCS7_EncodeSignedData_ex(&pkcs7, NULL, hashSz, outputHead,
AssertIntEQ(wc_PKCS7_EncodeSignedData_ex(pkcs7, NULL, hashSz, outputHead,
&outputHeadSz, outputFoot, &outputFootSz), BAD_FUNC_ARG);
AssertIntEQ(wc_PKCS7_EncodeSignedData_ex(&pkcs7, hashBuf, 0, outputHead,
AssertIntEQ(wc_PKCS7_EncodeSignedData_ex(pkcs7, hashBuf, 0, outputHead,
&outputHeadSz, outputFoot, &outputFootSz), BAD_FUNC_ARG);
AssertIntEQ(wc_PKCS7_EncodeSignedData_ex(&pkcs7, hashBuf, hashSz, NULL,
AssertIntEQ(wc_PKCS7_EncodeSignedData_ex(pkcs7, hashBuf, hashSz, NULL,
&outputHeadSz, outputFoot, &outputFootSz), BAD_FUNC_ARG);
AssertIntEQ(wc_PKCS7_EncodeSignedData_ex(&pkcs7, hashBuf, hashSz,
AssertIntEQ(wc_PKCS7_EncodeSignedData_ex(pkcs7, hashBuf, hashSz,
outputHead, NULL, outputFoot, &outputFootSz), BAD_FUNC_ARG);
AssertIntEQ(wc_PKCS7_EncodeSignedData_ex(&pkcs7, hashBuf, hashSz,
AssertIntEQ(wc_PKCS7_EncodeSignedData_ex(pkcs7, hashBuf, hashSz,
outputHead, &outputHeadSz, NULL, &outputFootSz), BAD_FUNC_ARG);
AssertIntEQ(wc_PKCS7_EncodeSignedData_ex(&pkcs7, hashBuf, hashSz,
AssertIntEQ(wc_PKCS7_EncodeSignedData_ex(pkcs7, hashBuf, hashSz,
outputHead, &outputHeadSz, outputFoot, NULL), BAD_FUNC_ARG);
pkcs7.hashOID = 0; /* bad hashOID */
AssertIntEQ(wc_PKCS7_EncodeSignedData_ex(&pkcs7, hashBuf, hashSz,
pkcs7->hashOID = 0; /* bad hashOID */
AssertIntEQ(wc_PKCS7_EncodeSignedData_ex(pkcs7, hashBuf, hashSz,
outputHead, &outputHeadSz, outputFoot, &outputFootSz), BAD_FUNC_ARG);
AssertIntEQ(wc_PKCS7_VerifySignedData_ex(NULL, hashBuf, hashSz, outputHead,
outputHeadSz, outputFoot, outputFootSz), BAD_FUNC_ARG);
AssertIntEQ(wc_PKCS7_VerifySignedData_ex(&pkcs7, NULL, hashSz, outputHead,
outputHeadSz, outputFoot, outputFootSz), ASN_PARSE_E);
AssertIntEQ(wc_PKCS7_VerifySignedData_ex(&pkcs7, hashBuf, 0, outputHead,
outputHeadSz, outputFoot, outputFootSz), ASN_PARSE_E);
AssertIntEQ(wc_PKCS7_VerifySignedData_ex(&pkcs7, hashBuf, hashSz, NULL,
AssertIntEQ(wc_PKCS7_VerifySignedData_ex(pkcs7, NULL, hashSz, outputHead,
outputHeadSz, outputFoot, outputFootSz), BAD_FUNC_ARG);
AssertIntEQ(wc_PKCS7_VerifySignedData_ex(&pkcs7, hashBuf, hashSz,
#ifndef NO_PKCS7_STREAM
AssertIntEQ(wc_PKCS7_VerifySignedData_ex(pkcs7, hashBuf, 0, outputHead,
outputHeadSz, outputFoot, outputFootSz), WC_PKCS7_WANT_READ_E);
#else
AssertIntEQ(wc_PKCS7_VerifySignedData_ex(pkcs7, hashBuf, 0, outputHead,
outputHeadSz, outputFoot, outputFootSz), BUFFER_E);
#endif
AssertIntEQ(wc_PKCS7_VerifySignedData_ex(pkcs7, hashBuf, hashSz, NULL,
outputHeadSz, outputFoot, outputFootSz), BAD_FUNC_ARG);
#ifndef NO_PKCS7_STREAM
/* can pass in 0 buffer length with streaming API */
AssertIntEQ(wc_PKCS7_VerifySignedData_ex(pkcs7, hashBuf, hashSz,
outputHead, 0, outputFoot, outputFootSz), WC_PKCS7_WANT_READ_E);
#else
AssertIntEQ(wc_PKCS7_VerifySignedData_ex(pkcs7, hashBuf, hashSz,
outputHead, 0, outputFoot, outputFootSz), BAD_FUNC_ARG);
AssertIntEQ(wc_PKCS7_VerifySignedData_ex(&pkcs7, hashBuf, hashSz,
outputHead, outputHeadSz, NULL, outputFootSz), ASN_PARSE_E);
AssertIntEQ(wc_PKCS7_VerifySignedData_ex(&pkcs7, hashBuf, hashSz,
#endif
AssertIntEQ(wc_PKCS7_VerifySignedData_ex(pkcs7, hashBuf, hashSz,
outputHead, outputHeadSz, NULL, outputFootSz), BAD_FUNC_ARG);
#ifndef NO_PKCS7_STREAM
AssertIntEQ(wc_PKCS7_VerifySignedData_ex(pkcs7, hashBuf, hashSz,
outputHead, outputHeadSz, outputFoot, 0), WC_PKCS7_WANT_READ_E);
#else
AssertIntEQ(wc_PKCS7_VerifySignedData_ex(pkcs7, hashBuf, hashSz,
outputHead, outputHeadSz, outputFoot, 0), ASN_PARSE_E);
#endif
printf(resultFmt, passed);
wc_PKCS7_Free(&pkcs7);
wc_PKCS7_Free(pkcs7);
wc_FreeRng(&rng);
#endif
@@ -15369,7 +15397,7 @@ static void test_wc_PKCS7_EncodeSignedData_ex(void)
static void test_wc_PKCS7_VerifySignedData(void)
{
#if defined(HAVE_PKCS7)
PKCS7 pkcs7;
PKCS7* pkcs7;
WC_RNG rng;
byte output[FOURK_BUF];
byte badOut[0];
@@ -15444,34 +15472,42 @@ static void test_wc_PKCS7_VerifySignedData(void)
XMEMSET(output, 0, outputSz);
AssertIntEQ(wc_InitRng(&rng), 0);
AssertIntEQ(wc_PKCS7_Init(&pkcs7, HEAP_HINT, INVALID_DEVID), 0);
AssertNotNull(pkcs7 = wc_PKCS7_New(HEAP_HINT, devId));
AssertIntEQ(wc_PKCS7_Init(pkcs7, HEAP_HINT, INVALID_DEVID), 0);
AssertIntEQ(wc_PKCS7_InitWithCert(&pkcs7, cert, certSz), 0);
AssertIntEQ(wc_PKCS7_InitWithCert(pkcs7, cert, certSz), 0);
printf(testingFmt, "wc_PKCS7_VerifySignedData()");
pkcs7.content = data;
pkcs7.contentSz = (word32)sizeof(data);
pkcs7.privateKey = key;
pkcs7.privateKeySz = (word32)sizeof(key);
pkcs7.encryptOID = RSAk;
pkcs7.hashOID = SHAh;
pkcs7.rng = &rng;
pkcs7->content = data;
pkcs7->contentSz = (word32)sizeof(data);
pkcs7->privateKey = key;
pkcs7->privateKeySz = (word32)sizeof(key);
pkcs7->encryptOID = RSAk;
pkcs7->hashOID = SHAh;
pkcs7->rng = &rng;
AssertIntGT(wc_PKCS7_EncodeSignedData(&pkcs7, output, outputSz), 0);
wc_PKCS7_Free(&pkcs7);
AssertIntEQ(wc_PKCS7_InitWithCert(&pkcs7, NULL, 0), 0);
AssertIntEQ(wc_PKCS7_VerifySignedData(&pkcs7, output, outputSz), 0);
AssertIntGT(wc_PKCS7_EncodeSignedData(pkcs7, output, outputSz), 0);
wc_PKCS7_Free(pkcs7);
AssertNotNull(pkcs7 = wc_PKCS7_New(HEAP_HINT, devId));
AssertIntEQ(wc_PKCS7_InitWithCert(pkcs7, NULL, 0), 0);
AssertIntEQ(wc_PKCS7_VerifySignedData(pkcs7, output, outputSz), 0);
/* Test bad args. */
AssertIntEQ(wc_PKCS7_VerifySignedData(NULL, output, outputSz), BAD_FUNC_ARG);
AssertIntEQ(wc_PKCS7_VerifySignedData(&pkcs7, NULL, outputSz), BAD_FUNC_ARG);
AssertIntEQ(wc_PKCS7_VerifySignedData(&pkcs7, badOut,
AssertIntEQ(wc_PKCS7_VerifySignedData(pkcs7, NULL, outputSz), BAD_FUNC_ARG);
#ifndef NO_PKCS7_STREAM
/* can pass in 0 buffer length with streaming API */
AssertIntEQ(wc_PKCS7_VerifySignedData(pkcs7, badOut,
badOutSz), WC_PKCS7_WANT_READ_E);
#else
AssertIntEQ(wc_PKCS7_VerifySignedData(pkcs7, badOut,
badOutSz), BAD_FUNC_ARG);
#endif
printf(resultFmt, passed);
wc_PKCS7_Free(&pkcs7);
wc_PKCS7_Free(pkcs7);
wc_FreeRng(&rng);
#endif
} /* END test_wc_PKCS7_VerifySignedData() */
@@ -15483,7 +15519,7 @@ static void test_wc_PKCS7_VerifySignedData(void)
static void test_wc_PKCS7_EncodeDecodeEnvelopedData (void)
{
#if defined(HAVE_PKCS7)
PKCS7 pkcs7;
PKCS7* pkcs7;
word32 tempWrd32 = 0;
byte* tmpBytePtr = NULL;
const char input[] = "Test data to encode.";
@@ -15615,28 +15651,34 @@ static void test_wc_PKCS7_EncodeDecodeEnvelopedData (void)
rsaCert, rsaCertSz, rsaPrivKey, rsaPrivKeySz},
#endif /* NO_DES3 */
#ifndef NO_AES
#ifndef NO_AES_128
{(byte*)input, (word32)(sizeof(input)/sizeof(char)), DATA, AES128CBCb,
0, 0, rsaCert, rsaCertSz, rsaPrivKey, rsaPrivKeySz},
#endif
#ifndef NO_AES_192
{(byte*)input, (word32)(sizeof(input)/sizeof(char)), DATA, AES192CBCb,
0, 0, rsaCert, rsaCertSz, rsaPrivKey, rsaPrivKeySz},
#endif
#ifndef NO_AES_256
{(byte*)input, (word32)(sizeof(input)/sizeof(char)), DATA, AES256CBCb,
0, 0, rsaCert, rsaCertSz, rsaPrivKey, rsaPrivKeySz},
#endif
#endif /* NO_AES */
#endif /* NO_RSA */
#if defined(HAVE_ECC)
#ifndef NO_AES
#ifndef NO_SHA
#if !defined(NO_SHA) && !defined(NO_AES_128)
{(byte*)input, (word32)(sizeof(input)/sizeof(char)), DATA, AES128CBCb,
AES128_WRAP, dhSinglePass_stdDH_sha1kdf_scheme, eccCert,
eccCertSz, eccPrivKey, eccPrivKeySz},
#endif
#ifndef NO_SHA256
#if !defined(NO_SHA256) && !defined(NO_AES_256)
{(byte*)input, (word32)(sizeof(input)/sizeof(char)), DATA, AES256CBCb,
AES256_WRAP, dhSinglePass_stdDH_sha256kdf_scheme, eccCert,
eccCertSz, eccPrivKey, eccPrivKeySz},
#endif
#ifdef WOLFSSL_SHA512
#if !defined(WOLFSSL_SHA512) && !defined(NO_AES_256)
{(byte*)input, (word32)(sizeof(input)/sizeof(char)), DATA, AES256CBCb,
AES256_WRAP, dhSinglePass_stdDH_sha512kdf_scheme, eccCert,
eccCertSz, eccPrivKey, eccPrivKeySz},
@@ -15647,42 +15689,44 @@ static void test_wc_PKCS7_EncodeDecodeEnvelopedData (void)
printf(testingFmt, "wc_PKCS7_EncodeEnvelopedData()");
AssertIntEQ(wc_PKCS7_Init(&pkcs7, HEAP_HINT, devId), 0);
AssertNotNull(pkcs7 = wc_PKCS7_New(HEAP_HINT, devId));
AssertIntEQ(wc_PKCS7_Init(pkcs7, HEAP_HINT, devId), 0);
testSz = (int)sizeof(testVectors)/(int)sizeof(pkcs7EnvelopedVector);
for (i = 0; i < testSz; i++) {
AssertIntEQ(wc_PKCS7_InitWithCert(&pkcs7, (testVectors + i)->cert,
AssertIntEQ(wc_PKCS7_InitWithCert(pkcs7, (testVectors + i)->cert,
(word32)(testVectors + i)->certSz), 0);
pkcs7.content = (byte*)(testVectors + i)->content;
pkcs7.contentSz = (testVectors + i)->contentSz;
pkcs7.contentOID = (testVectors + i)->contentOID;
pkcs7.encryptOID = (testVectors + i)->encryptOID;
pkcs7.keyWrapOID = (testVectors + i)->keyWrapOID;
pkcs7.keyAgreeOID = (testVectors + i)->keyAgreeOID;
pkcs7.privateKey = (testVectors + i)->privateKey;
pkcs7.privateKeySz = (testVectors + i)->privateKeySz;
pkcs7->content = (byte*)(testVectors + i)->content;
pkcs7->contentSz = (testVectors + i)->contentSz;
pkcs7->contentOID = (testVectors + i)->contentOID;
pkcs7->encryptOID = (testVectors + i)->encryptOID;
pkcs7->keyWrapOID = (testVectors + i)->keyWrapOID;
pkcs7->keyAgreeOID = (testVectors + i)->keyAgreeOID;
pkcs7->privateKey = (testVectors + i)->privateKey;
pkcs7->privateKeySz = (testVectors + i)->privateKeySz;
AssertIntGE(wc_PKCS7_EncodeEnvelopedData(&pkcs7, output,
AssertIntGE(wc_PKCS7_EncodeEnvelopedData(pkcs7, output,
(word32)sizeof(output)), 0);
decodedSz = wc_PKCS7_DecodeEnvelopedData(&pkcs7, output,
decodedSz = wc_PKCS7_DecodeEnvelopedData(pkcs7, output,
(word32)sizeof(output), decoded, (word32)sizeof(decoded));
AssertIntGE(decodedSz, 0);
/* Verify the size of each buffer. */
AssertIntEQ((word32)sizeof(input)/sizeof(char), decodedSz);
/* Don't free the last time through the loop. */
if (i < testSz - 1 ){
wc_PKCS7_Free(&pkcs7);
wc_PKCS7_Free(pkcs7);
AssertNotNull(pkcs7 = wc_PKCS7_New(HEAP_HINT, devId));
}
} /* END test loop. */
/* Test bad args. */
AssertIntEQ(wc_PKCS7_EncodeEnvelopedData(NULL, output,
(word32)sizeof(output)), BAD_FUNC_ARG);
AssertIntEQ(wc_PKCS7_EncodeEnvelopedData(&pkcs7, NULL,
AssertIntEQ(wc_PKCS7_EncodeEnvelopedData(pkcs7, NULL,
(word32)sizeof(output)), BAD_FUNC_ARG);
AssertIntEQ(wc_PKCS7_EncodeEnvelopedData(&pkcs7, output, 0), BAD_FUNC_ARG);
AssertIntEQ(wc_PKCS7_EncodeEnvelopedData(pkcs7, output, 0), BAD_FUNC_ARG);
printf(resultFmt, passed);
/* Decode. */
@@ -15690,39 +15734,39 @@ static void test_wc_PKCS7_EncodeDecodeEnvelopedData (void)
AssertIntEQ(wc_PKCS7_DecodeEnvelopedData(NULL, output,
(word32)sizeof(output), decoded, (word32)sizeof(decoded)), BAD_FUNC_ARG);
AssertIntEQ(wc_PKCS7_DecodeEnvelopedData(&pkcs7, output,
AssertIntEQ(wc_PKCS7_DecodeEnvelopedData(pkcs7, output,
(word32)sizeof(output), NULL, (word32)sizeof(decoded)), BAD_FUNC_ARG);
AssertIntEQ(wc_PKCS7_DecodeEnvelopedData(&pkcs7, output,
AssertIntEQ(wc_PKCS7_DecodeEnvelopedData(pkcs7, output,
(word32)sizeof(output), decoded, 0), BAD_FUNC_ARG);
AssertIntEQ(wc_PKCS7_DecodeEnvelopedData(&pkcs7, NULL,
AssertIntEQ(wc_PKCS7_DecodeEnvelopedData(pkcs7, NULL,
(word32)sizeof(output), decoded, (word32)sizeof(decoded)), BAD_FUNC_ARG);
AssertIntEQ(wc_PKCS7_DecodeEnvelopedData(&pkcs7, output, 0, decoded,
AssertIntEQ(wc_PKCS7_DecodeEnvelopedData(pkcs7, output, 0, decoded,
(word32)sizeof(decoded)), BAD_FUNC_ARG);
/* Should get a return of BAD_FUNC_ARG with structure data. Order matters.*/
tempWrd32 = pkcs7.singleCertSz;
pkcs7.singleCertSz = 0;
AssertIntEQ(wc_PKCS7_DecodeEnvelopedData(&pkcs7, output,
tempWrd32 = pkcs7->singleCertSz;
pkcs7->singleCertSz = 0;
AssertIntEQ(wc_PKCS7_DecodeEnvelopedData(pkcs7, output,
(word32)sizeof(output), decoded, (word32)sizeof(decoded)), BAD_FUNC_ARG);
pkcs7.singleCertSz = tempWrd32;
tempWrd32 = pkcs7.privateKeySz;
pkcs7.privateKeySz = 0;
AssertIntEQ(wc_PKCS7_DecodeEnvelopedData(&pkcs7, output,
pkcs7->singleCertSz = tempWrd32;
tempWrd32 = pkcs7->privateKeySz;
pkcs7->privateKeySz = 0;
AssertIntEQ(wc_PKCS7_DecodeEnvelopedData(pkcs7, output,
(word32)sizeof(output), decoded, (word32)sizeof(decoded)), BAD_FUNC_ARG);
pkcs7.privateKeySz = tempWrd32;
tmpBytePtr = pkcs7.singleCert;
pkcs7.singleCert = NULL;
AssertIntEQ(wc_PKCS7_DecodeEnvelopedData(&pkcs7, output,
pkcs7->privateKeySz = tempWrd32;
tmpBytePtr = pkcs7->singleCert;
pkcs7->singleCert = NULL;
AssertIntEQ(wc_PKCS7_DecodeEnvelopedData(pkcs7, output,
(word32)sizeof(output), decoded, (word32)sizeof(decoded)), BAD_FUNC_ARG);
pkcs7.singleCert = tmpBytePtr;
tmpBytePtr = pkcs7.privateKey;
pkcs7.privateKey = NULL;
AssertIntEQ(wc_PKCS7_DecodeEnvelopedData(&pkcs7, output,
pkcs7->singleCert = tmpBytePtr;
tmpBytePtr = pkcs7->privateKey;
pkcs7->privateKey = NULL;
AssertIntEQ(wc_PKCS7_DecodeEnvelopedData(pkcs7, output,
(word32)sizeof(output), decoded, (word32)sizeof(decoded)), BAD_FUNC_ARG);
pkcs7.privateKey = tmpBytePtr;
pkcs7->privateKey = tmpBytePtr;
printf(resultFmt, passed);
wc_PKCS7_Free(&pkcs7);
wc_PKCS7_Free(pkcs7);
#ifndef NO_RSA
if (rsaCert) {
XFREE(rsaCert, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
@@ -15750,7 +15794,7 @@ static void test_wc_PKCS7_EncodeDecodeEnvelopedData (void)
static void test_wc_PKCS7_EncodeEncryptedData (void)
{
#if defined(HAVE_PKCS7) && !defined(NO_PKCS7_ENCRYPTED_DATA)
PKCS7 pkcs7;
PKCS7* pkcs7;
byte* tmpBytePtr = NULL;
byte encrypted[TWOK_BUF];
byte decoded[TWOK_BUF];
@@ -15778,21 +15822,27 @@ static void test_wc_PKCS7_EncodeEncryptedData (void)
#endif
#ifndef NO_AES
#ifndef NO_AES_128
byte aes128Key[] = {
0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,
0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08
};
#endif
#ifndef NO_AES_192
byte aes192Key[] = {
0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,
0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,
0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08
};
#endif
#ifndef NO_AES_256
byte aes256Key[] = {
0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,
0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,
0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,
0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08
};
#endif
#endif
const pkcs7EncryptedVector testVectors[] =
{
@@ -15802,14 +15852,20 @@ static void test_wc_PKCS7_EncodeEncryptedData (void)
{data, (word32)sizeof(data), DATA, DESb, desKey, sizeof(desKey)},
#endif /* NO_DES3 */
#ifndef NO_AES
#ifndef NO_AES_128
{data, (word32)sizeof(data), DATA, AES128CBCb, aes128Key,
sizeof(aes128Key)},
#endif
#ifndef NO_AES_192
{data, (word32)sizeof(data), DATA, AES192CBCb, aes192Key,
sizeof(aes192Key)},
#endif
#ifndef NO_AES_256
{data, (word32)sizeof(data), DATA, AES256CBCb, aes256Key,
sizeof(aes256Key)},
#endif
#endif /* NO_AES */
};
@@ -15817,64 +15873,65 @@ static void test_wc_PKCS7_EncodeEncryptedData (void)
testSz = sizeof(testVectors) / sizeof(pkcs7EncryptedVector);
for (i = 0; i < testSz; i++) {
AssertIntEQ(wc_PKCS7_Init(&pkcs7, HEAP_HINT, devId), 0);
pkcs7.content = (byte*)testVectors[i].content;
pkcs7.contentSz = testVectors[i].contentSz;
pkcs7.contentOID = testVectors[i].contentOID;
pkcs7.encryptOID = testVectors[i].encryptOID;
pkcs7.encryptionKey = testVectors[i].encryptionKey;
pkcs7.encryptionKeySz = testVectors[i].encryptionKeySz;
pkcs7.heap = HEAP_HINT;
AssertNotNull(pkcs7 = wc_PKCS7_New(HEAP_HINT, devId));
AssertIntEQ(wc_PKCS7_Init(pkcs7, HEAP_HINT, devId), 0);
pkcs7->content = (byte*)testVectors[i].content;
pkcs7->contentSz = testVectors[i].contentSz;
pkcs7->contentOID = testVectors[i].contentOID;
pkcs7->encryptOID = testVectors[i].encryptOID;
pkcs7->encryptionKey = testVectors[i].encryptionKey;
pkcs7->encryptionKeySz = testVectors[i].encryptionKeySz;
pkcs7->heap = HEAP_HINT;
/* encode encryptedData */
encryptedSz = wc_PKCS7_EncodeEncryptedData(&pkcs7, encrypted,
encryptedSz = wc_PKCS7_EncodeEncryptedData(pkcs7, encrypted,
sizeof(encrypted));
AssertIntGT(encryptedSz, 0);
/* Decode encryptedData */
decodedSz = wc_PKCS7_DecodeEncryptedData(&pkcs7, encrypted, encryptedSz,
decodedSz = wc_PKCS7_DecodeEncryptedData(pkcs7, encrypted, encryptedSz,
decoded, sizeof(decoded));
AssertIntEQ(XMEMCMP(decoded, data, decodedSz), 0);
/* Keep values for last itr. */
if (i < testSz - 1) {
wc_PKCS7_Free(&pkcs7);
wc_PKCS7_Free(pkcs7);
}
}
printf(testingFmt, "wc_PKCS7_EncodeEncryptedData()");
AssertIntEQ(wc_PKCS7_EncodeEncryptedData(NULL, encrypted,
sizeof(encrypted)),BAD_FUNC_ARG);
AssertIntEQ(wc_PKCS7_EncodeEncryptedData(&pkcs7, NULL,
AssertIntEQ(wc_PKCS7_EncodeEncryptedData(pkcs7, NULL,
sizeof(encrypted)), BAD_FUNC_ARG);
AssertIntEQ(wc_PKCS7_EncodeEncryptedData(&pkcs7, encrypted,
AssertIntEQ(wc_PKCS7_EncodeEncryptedData(pkcs7, encrypted,
0), BAD_FUNC_ARG);
/* Testing the struct. */
tmpBytePtr = pkcs7.content;
pkcs7.content = NULL;
AssertIntEQ(wc_PKCS7_EncodeEncryptedData(&pkcs7, encrypted,
tmpBytePtr = pkcs7->content;
pkcs7->content = NULL;
AssertIntEQ(wc_PKCS7_EncodeEncryptedData(pkcs7, encrypted,
sizeof(encrypted)), BAD_FUNC_ARG);
pkcs7.content = tmpBytePtr;
tmpWrd32 = pkcs7.contentSz;
pkcs7.contentSz = 0;
AssertIntEQ(wc_PKCS7_EncodeEncryptedData(&pkcs7, encrypted,
pkcs7->content = tmpBytePtr;
tmpWrd32 = pkcs7->contentSz;
pkcs7->contentSz = 0;
AssertIntEQ(wc_PKCS7_EncodeEncryptedData(pkcs7, encrypted,
sizeof(encrypted)), BAD_FUNC_ARG);
pkcs7.contentSz = tmpWrd32;
tmpInt = pkcs7.encryptOID;
pkcs7.encryptOID = 0;
AssertIntEQ(wc_PKCS7_EncodeEncryptedData(&pkcs7, encrypted,
pkcs7->contentSz = tmpWrd32;
tmpInt = pkcs7->encryptOID;
pkcs7->encryptOID = 0;
AssertIntEQ(wc_PKCS7_EncodeEncryptedData(pkcs7, encrypted,
sizeof(encrypted)), BAD_FUNC_ARG);
pkcs7.encryptOID = tmpInt;
tmpBytePtr = pkcs7.encryptionKey;
pkcs7.encryptionKey = NULL;
AssertIntEQ(wc_PKCS7_EncodeEncryptedData(&pkcs7, encrypted,
pkcs7->encryptOID = tmpInt;
tmpBytePtr = pkcs7->encryptionKey;
pkcs7->encryptionKey = NULL;
AssertIntEQ(wc_PKCS7_EncodeEncryptedData(pkcs7, encrypted,
sizeof(encrypted)), BAD_FUNC_ARG);
pkcs7.encryptionKey = tmpBytePtr;
tmpWrd32 = pkcs7.encryptionKeySz;
pkcs7.encryptionKeySz = 0;
AssertIntEQ(wc_PKCS7_EncodeEncryptedData(&pkcs7, encrypted,
pkcs7->encryptionKey = tmpBytePtr;
tmpWrd32 = pkcs7->encryptionKeySz;
pkcs7->encryptionKeySz = 0;
AssertIntEQ(wc_PKCS7_EncodeEncryptedData(pkcs7, encrypted,
sizeof(encrypted)), BAD_FUNC_ARG);
pkcs7.encryptionKeySz = tmpWrd32;
pkcs7->encryptionKeySz = tmpWrd32;
printf(resultFmt, passed);
@@ -15882,27 +15939,27 @@ static void test_wc_PKCS7_EncodeEncryptedData (void)
AssertIntEQ(wc_PKCS7_DecodeEncryptedData(NULL, encrypted, encryptedSz,
decoded, sizeof(decoded)), BAD_FUNC_ARG);
AssertIntEQ(wc_PKCS7_DecodeEncryptedData(&pkcs7, NULL, encryptedSz,
AssertIntEQ(wc_PKCS7_DecodeEncryptedData(pkcs7, NULL, encryptedSz,
decoded, sizeof(decoded)), BAD_FUNC_ARG);
AssertIntEQ(wc_PKCS7_DecodeEncryptedData(&pkcs7, encrypted, 0,
AssertIntEQ(wc_PKCS7_DecodeEncryptedData(pkcs7, encrypted, 0,
decoded, sizeof(decoded)), BAD_FUNC_ARG);
AssertIntEQ(wc_PKCS7_DecodeEncryptedData(&pkcs7, encrypted, encryptedSz,
AssertIntEQ(wc_PKCS7_DecodeEncryptedData(pkcs7, encrypted, encryptedSz,
NULL, sizeof(decoded)), BAD_FUNC_ARG);
AssertIntEQ(wc_PKCS7_DecodeEncryptedData(&pkcs7, encrypted, encryptedSz,
AssertIntEQ(wc_PKCS7_DecodeEncryptedData(pkcs7, encrypted, encryptedSz,
decoded, 0), BAD_FUNC_ARG);
/* Test struct fields */
tmpBytePtr = pkcs7.encryptionKey;
pkcs7.encryptionKey = NULL;
AssertIntEQ(wc_PKCS7_DecodeEncryptedData(&pkcs7, encrypted, encryptedSz,
tmpBytePtr = pkcs7->encryptionKey;
pkcs7->encryptionKey = NULL;
AssertIntEQ(wc_PKCS7_DecodeEncryptedData(pkcs7, encrypted, encryptedSz,
decoded, sizeof(decoded)), BAD_FUNC_ARG);
pkcs7.encryptionKey = tmpBytePtr;
pkcs7.encryptionKeySz = 0;
AssertIntEQ(wc_PKCS7_DecodeEncryptedData(&pkcs7, encrypted, encryptedSz,
pkcs7->encryptionKey = tmpBytePtr;
pkcs7->encryptionKeySz = 0;
AssertIntEQ(wc_PKCS7_DecodeEncryptedData(pkcs7, encrypted, encryptedSz,
decoded, sizeof(decoded)), BAD_FUNC_ARG);
printf(resultFmt, passed);
wc_PKCS7_Free(&pkcs7);
wc_PKCS7_Free(pkcs7);
#endif
} /* END test_wc_PKCS7_EncodeEncryptedData() */
@@ -15912,7 +15969,7 @@ static void test_wc_PKCS7_EncodeEncryptedData (void)
static void test_wc_PKCS7_Degenerate(void)
{
#if defined(HAVE_PKCS7) && !defined(NO_FILESYSTEM)
PKCS7 pkcs7;
PKCS7* pkcs7;
char fName[] = "./certs/test-degenerate.p7b";
XFILE f;
byte der[4096];
@@ -15927,17 +15984,19 @@ static void test_wc_PKCS7_Degenerate(void)
XFCLOSE(f);
/* test degenerate success */
AssertIntEQ(wc_PKCS7_Init(&pkcs7, HEAP_HINT, INVALID_DEVID), 0);
AssertIntEQ(wc_PKCS7_InitWithCert(&pkcs7, NULL, 0), 0);
AssertIntEQ(wc_PKCS7_VerifySignedData(&pkcs7, der, derSz), 0);
wc_PKCS7_Free(&pkcs7);
AssertNotNull(pkcs7 = wc_PKCS7_New(HEAP_HINT, devId));
AssertIntEQ(wc_PKCS7_Init(pkcs7, HEAP_HINT, INVALID_DEVID), 0);
AssertIntEQ(wc_PKCS7_InitWithCert(pkcs7, NULL, 0), 0);
AssertIntEQ(wc_PKCS7_VerifySignedData(pkcs7, der, derSz), 0);
wc_PKCS7_Free(pkcs7);
/* test with turning off degenerate cases */
AssertIntEQ(wc_PKCS7_Init(&pkcs7, HEAP_HINT, INVALID_DEVID), 0);
AssertIntEQ(wc_PKCS7_InitWithCert(&pkcs7, NULL, 0), 0);
wc_PKCS7_AllowDegenerate(&pkcs7, 0); /* override allowing degenerate case */
AssertIntEQ(wc_PKCS7_VerifySignedData(&pkcs7, der, derSz), PKCS7_NO_SIGNER_E);
wc_PKCS7_Free(&pkcs7);
AssertNotNull(pkcs7 = wc_PKCS7_New(HEAP_HINT, devId));
AssertIntEQ(wc_PKCS7_Init(pkcs7, HEAP_HINT, INVALID_DEVID), 0);
AssertIntEQ(wc_PKCS7_InitWithCert(pkcs7, NULL, 0), 0);
wc_PKCS7_AllowDegenerate(pkcs7, 0); /* override allowing degenerate case */
AssertIntEQ(wc_PKCS7_VerifySignedData(pkcs7, der, derSz), PKCS7_NO_SIGNER_E);
wc_PKCS7_Free(pkcs7);
printf(resultFmt, passed);
#endif

243
wolfcrypt/src/asn.c
View File

@@ -137,6 +137,14 @@ ASN Options:
WOLFSSL_LOCAL int GetLength(const byte* input, word32* inOutIdx, int* len,
word32 maxIdx)
{
return GetLength_ex(input, inOutIdx, len, maxIdx, 1);
}
/* give option to check length value found against index. 1 to check 0 to not */
WOLFSSL_LOCAL int GetLength_ex(const byte* input, word32* inOutIdx, int* len,
word32 maxIdx, int check)
{
int length = 0;
word32 idx = *inOutIdx;
@@ -166,7 +174,7 @@ WOLFSSL_LOCAL int GetLength(const byte* input, word32* inOutIdx, int* len,
else
length = b;
if ((idx + length) > maxIdx) { /* for user of length */
if (check && (idx + length) > maxIdx) { /* for user of length */
WOLFSSL_MSG("GetLength value exceeds buffer length");
return BUFFER_E;
}
@@ -179,6 +187,29 @@ WOLFSSL_LOCAL int GetLength(const byte* input, word32* inOutIdx, int* len,
}
static int GetASNHeader_ex(const byte* input, byte tag, word32* inOutIdx, int* len,
word32 maxIdx, int check)
{
word32 idx = *inOutIdx;
byte b;
int length;
if ((idx + 1) > maxIdx)
return BUFFER_E;
b = input[idx++];
if (b != tag)
return ASN_PARSE_E;
if (GetLength_ex(input, &idx, &length, maxIdx, check) < 0)
return ASN_PARSE_E;
*len = length;
*inOutIdx = idx;
return length;
}
/* Get the DER/BER encoding of an ASN.1 header.
*
* input Buffer holding DER/BER encoded data.
@@ -193,25 +224,10 @@ WOLFSSL_LOCAL int GetLength(const byte* input, word32* inOutIdx, int* len,
static int GetASNHeader(const byte* input, byte tag, word32* inOutIdx, int* len,
word32 maxIdx)
{
word32 idx = *inOutIdx;
byte b;
int length;
if ((idx + 1) > maxIdx)
return BUFFER_E;
b = input[idx++];
if (b != tag)
return ASN_PARSE_E;
if (GetLength(input, &idx, &length, maxIdx) < 0)
return ASN_PARSE_E;
*len = length;
*inOutIdx = idx;
return length;
return GetASNHeader_ex(input, tag, inOutIdx, len, maxIdx, 1);
}
WOLFSSL_LOCAL int GetSequence(const byte* input, word32* inOutIdx, int* len,
word32 maxIdx)
{
@@ -220,6 +236,14 @@ WOLFSSL_LOCAL int GetSequence(const byte* input, word32* inOutIdx, int* len,
}
WOLFSSL_LOCAL int GetSequence_ex(const byte* input, word32* inOutIdx, int* len,
word32 maxIdx, int check)
{
return GetASNHeader_ex(input, ASN_SEQUENCE | ASN_CONSTRUCTED, inOutIdx, len,
maxIdx, check);
}
WOLFSSL_LOCAL int GetSet(const byte* input, word32* inOutIdx, int* len,
word32 maxIdx)
{
@@ -1226,6 +1250,28 @@ static word32 SetBitString16Bit(word16 val, byte* output)
static const byte blkAes256CbcOid[] = {96, 134, 72, 1, 101, 3, 4, 1, 42};
#endif
#endif /* HAVE_AES_CBC */
#ifdef HAVE_AESGCM
#ifdef WOLFSSL_AES_128
static const byte blkAes128GcmOid[] = {96, 134, 72, 1, 101, 3, 4, 1, 6};
#endif
#ifdef WOLFSSL_AES_192
static const byte blkAes192GcmOid[] = {96, 134, 72, 1, 101, 3, 4, 1, 26};
#endif
#ifdef WOLFSSL_AES_256
static const byte blkAes256GcmOid[] = {96, 134, 72, 1, 101, 3, 4, 1, 46};
#endif
#endif /* HAVE_AESGCM */
#ifdef HAVE_AESCCM
#ifdef WOLFSSL_AES_128
static const byte blkAes128CcmOid[] = {96, 134, 72, 1, 101, 3, 4, 1, 7};
#endif
#ifdef WOLFSSL_AES_192
static const byte blkAes192CcmOid[] = {96, 134, 72, 1, 101, 3, 4, 1, 27};
#endif
#ifdef WOLFSSL_AES_256
static const byte blkAes256CcmOid[] = {96, 134, 72, 1, 101, 3, 4, 1, 47};
#endif
#endif /* HAVE_AESCCM */
#ifndef NO_DES3
static const byte blkDesCbcOid[] = {43, 14, 3, 2, 7};
@@ -1242,6 +1288,10 @@ static word32 SetBitString16Bit(word16 val, byte* output)
#ifdef WOLFSSL_AES_256
static const byte wrapAes256Oid[] = {96, 134, 72, 1, 101, 3, 4, 1, 45};
#endif
#ifdef HAVE_PKCS7
/* From RFC 3211 */
static const byte wrapPwriKekOid[] = {42, 134, 72, 134, 247, 13, 1, 9, 16, 3,9};
#endif
/* cmsKeyAgreeType */
#ifndef NO_SHA
@@ -1319,6 +1369,11 @@ static const byte pbeSha1RC4128[] = {42, 134, 72, 134, 247, 13, 1, 12, 1, 1};
static const byte pbeSha1Des3[] = {42, 134, 72, 134, 247, 13, 1, 12, 1, 3};
#endif
#ifdef HAVE_LIBZ
/* zlib compression */
static const byte zlibCompress[] = {42, 134, 72, 134, 247, 13, 1, 9, 16, 3, 8};
#endif
/* returns a pointer to the OID string on success and NULL on fail */
const byte* OidFromId(word32 id, word32 type, word32* oidSz)
@@ -1538,6 +1593,46 @@ const byte* OidFromId(word32 id, word32 type, word32* oidSz)
break;
#endif
#endif /* HAVE_AES_CBC */
#ifdef HAVE_AESGCM
#ifdef WOLFSSL_AES_128
case AES128GCMb:
oid = blkAes128GcmOid;
*oidSz = sizeof(blkAes128GcmOid);
break;
#endif
#ifdef WOLFSSL_AES_192
case AES192GCMb:
oid = blkAes192GcmOid;
*oidSz = sizeof(blkAes192GcmOid);
break;
#endif
#ifdef WOLFSSL_AES_256
case AES256GCMb:
oid = blkAes256GcmOid;
*oidSz = sizeof(blkAes256GcmOid);
break;
#endif
#endif /* HAVE_AESGCM */
#ifdef HAVE_AESCCM
#ifdef WOLFSSL_AES_128
case AES128CCMb:
oid = blkAes128CcmOid;
*oidSz = sizeof(blkAes128CcmOid);
break;
#endif
#ifdef WOLFSSL_AES_192
case AES192CCMb:
oid = blkAes192CcmOid;
*oidSz = sizeof(blkAes192CcmOid);
break;
#endif
#ifdef WOLFSSL_AES_256
case AES256CCMb:
oid = blkAes256CcmOid;
*oidSz = sizeof(blkAes256CcmOid);
break;
#endif
#endif /* HAVE_AESCCM */
#ifndef NO_DES3
case DESb:
oid = blkDesCbcOid;
@@ -1736,6 +1831,12 @@ const byte* OidFromId(word32 id, word32 type, word32* oidSz)
*oidSz = sizeof(wrapAes256Oid);
break;
#endif
#ifdef HAVE_PKCS7
case PWRI_KEK_WRAP:
oid = wrapPwriKekOid;
*oidSz = sizeof(wrapPwriKekOid);
break;
#endif
}
break;
@@ -1805,6 +1906,17 @@ const byte* OidFromId(word32 id, word32 type, word32* oidSz)
break;
#endif /* !NO_HMAC */
#ifdef HAVE_LIBZ
case oidCompressType:
switch (id) {
case ZLIBc:
oid = zlibCompress;
*oidSz = sizeof(zlibCompress);
break;
}
break;
#endif /* HAVE_LIBZ */
case oidIgnoreType:
default:
break;
@@ -1938,7 +2050,7 @@ int DecodeObjectId(const byte* in, word32 inSz, word16* out, word32* outSz)
* ASN_PARSE_E when length is invalid.
* Otherwise, 0 to indicate success.
*/
static int GetASNObjectId(const byte* input, word32* inOutIdx, int* len,
int GetASNObjectId(const byte* input, word32* inOutIdx, int* len,
word32 maxIdx)
{
word32 idx = *inOutIdx;
@@ -1966,7 +2078,7 @@ static int GetASNObjectId(const byte* input, word32* inOutIdx, int* len,
* output Buffer to write into.
* returns the number of bytes added to the buffer.
*/
static int SetObjectId(int len, byte* output)
int SetObjectId(int len, byte* output)
{
int idx = 0;
@@ -4845,6 +4957,97 @@ int GetTimeString(byte* date, int format, char* buf, int len)
#endif /* OPENSSL_ALL || WOLFSSL_MYSQL_COMPATIBLE || WOLFSSL_NGINX || WOLFSSL_HAPROXY */
#if !defined(NO_ASN_TIME) && defined(HAVE_PKCS7)
/* Set current time string, either UTC or GeneralizedTime.
* (void*) tm should be a pointer to time_t, output is placed in buf.
*
* Return time string length placed in buf on success, negative on error */
int GetAsnTimeString(void* currTime, byte* buf, word32 len)
{
struct tm* ts = NULL;
struct tm* tmpTime = NULL;
#if defined(NEED_TMP_TIME)
struct tm tmpTimeStorage;
tmpTime = &tmpTimeStorage;
#else
(void)tmpTime;
#endif
byte* data_ptr = buf;
word32 data_len = 0;
int year, mon, day, hour, min, sec;
WOLFSSL_ENTER("SetAsnTimeString");
if (buf == NULL || len == 0)
return BAD_FUNC_ARG;
ts = (struct tm *)XGMTIME(currTime, tmpTime);
if (ts == NULL){
WOLFSSL_MSG("failed to get time data.");
return ASN_TIME_E;
}
/* Note ASN_UTC_TIME_SIZE and ASN_GENERALIZED_TIME_SIZE include space for
* the null terminator. ASN encoded values leave off the terminator. */
if (ts->tm_year >= 50 && ts->tm_year < 150) {
/* UTC Time */
char utc_str[ASN_UTC_TIME_SIZE];
data_len = ASN_UTC_TIME_SIZE - 1 + 2;
if (len < data_len)
return BUFFER_E;
if (ts->tm_year >= 50 && ts->tm_year < 100) {
year = ts->tm_year;
} else if (ts->tm_year >= 100 && ts->tm_year < 150) {
year = ts->tm_year - 100;
}
else {
WOLFSSL_MSG("unsupported year range");
return BAD_FUNC_ARG;
}
mon = ts->tm_mon + 1;
day = ts->tm_mday;
hour = ts->tm_hour;
min = ts->tm_min;
sec = ts->tm_sec;
XSNPRINTF((char *)utc_str, ASN_UTC_TIME_SIZE,
"%02d%02d%02d%02d%02d%02dZ", year, mon, day, hour, min, sec);
*data_ptr = (byte) ASN_UTC_TIME; data_ptr++;
/* -1 below excludes null terminator */
*data_ptr = (byte) ASN_UTC_TIME_SIZE - 1; data_ptr++;
XMEMCPY(data_ptr,(byte *)utc_str, ASN_UTC_TIME_SIZE - 1);
} else {
/* GeneralizedTime */
char gt_str[ASN_GENERALIZED_TIME_SIZE];
data_len = ASN_GENERALIZED_TIME_SIZE - 1 + 2;
if (len < data_len)
return BUFFER_E;
year = ts->tm_year + 1900;
mon = ts->tm_mon + 1;
day = ts->tm_mday;
hour = ts->tm_hour;
min = ts->tm_min;
sec = ts->tm_sec;
XSNPRINTF((char *)gt_str, ASN_GENERALIZED_TIME_SIZE,
"%4d%02d%02d%02d%02d%02dZ", year, mon, day, hour, min, sec);
*data_ptr = (byte) ASN_GENERALIZED_TIME; data_ptr++;
/* -1 below excludes null terminator */
*data_ptr = (byte) ASN_GENERALIZED_TIME_SIZE - 1; data_ptr++;
XMEMCPY(data_ptr,(byte *)gt_str, ASN_GENERALIZED_TIME_SIZE - 1);
}
return data_len;
}
#endif /* !NO_ASN_TIME && HAVE_PKCS7 */
#if defined(USE_WOLF_VALIDDATE)
/* to the second */

3
wolfcrypt/src/error.c
View File

@@ -281,6 +281,9 @@ const char* wc_GetErrorString(int error)
case PKCS7_RECIP_E:
return "PKCS#7 error: no matching recipient found";
case WC_PKCS7_WANT_READ_E:
return "PKCS#7 operations wants more input, call again";
case FIPS_NOT_ALLOWED_E:
return "FIPS mode not allowed error";

8626
wolfcrypt/src/pkcs7.c
View File

File diff suppressed because it is too large Load Diff

2461
wolfcrypt/test/test.c
View File

File diff suppressed because it is too large Load Diff

46
wolfssl/wolfcrypt/asn.h
View File

@@ -276,7 +276,7 @@ enum Misc_ASN {
#endif
/* Max total extensions, id + len + others */
#endif
#if defined(WOLFSSL_CERT_EXT) || defined(OPENSSL_EXTRA)
#if defined(WOLFSSL_CERT_EXT) || defined(OPENSSL_EXTRA) || defined(HAVE_PKCS7)
MAX_OID_SZ = 32, /* Max DER length of OID*/
MAX_OID_STRING_SZ = 64, /* Max string length representation of OID*/
#endif
@@ -285,7 +285,8 @@ enum Misc_ASN {
MAX_KEYUSAGE_SZ = 18, /* Max encoded Key Usage length */
MAX_EXTKEYUSAGE_SZ = 12 + (6 * (8 + 2)) +
CTC_MAX_EKU_OID_SZ, /* Max encoded ExtKeyUsage
(SEQ/LEN + OBJID + OCTSTR/LEN + SEQ + (6 * (SEQ + OID))) */
(SEQ/LEN + OBJID + OCTSTR/LEN + SEQ +
(6 * (SEQ + OID))) */
MAX_CERTPOL_NB = CTC_MAX_CERTPOL_NB,/* Max number of Cert Policy */
MAX_CERTPOL_SZ = CTC_MAX_CERTPOL_SZ,
#endif
@@ -302,9 +303,11 @@ enum Misc_ASN {
HEADER_ENCRYPTED_KEY_SIZE = 0,
#endif
TRAILING_ZERO = 1, /* Used for size of zero pad */
ASN_TAG_SZ = 1, /* single byte ASN.1 tag */
MIN_VERSION_SZ = 3, /* Min bytes needed for GetMyVersion */
#if defined(OPENSSL_ALL) || defined(WOLFSSL_MYSQL_COMPATIBLE) || defined(WOLFSSL_NGINX) || \
defined(WOLFSSL_HAPROXY) || defined(OPENSSL_EXTRA)
#if defined(OPENSSL_ALL) || defined(WOLFSSL_MYSQL_COMPATIBLE) || \
defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) || \
defined(OPENSSL_EXTRA) || defined(HAVE_PKCS7)
MAX_TIME_STRING_SZ = 25, /* Max length of formatted time string */
#endif
@@ -331,6 +334,7 @@ enum Oid_Types {
oidCmsKeyAgreeType = 13,
oidPBEType = 14,
oidHmacType = 15,
oidCompressType = 16,
oidIgnoreType
};
@@ -350,12 +354,18 @@ enum Hash_Sum {
enum Block_Sum {
#ifdef WOLFSSL_AES_128
AES128CBCb = 414,
AES128GCMb = 418,
AES128CCMb = 419,
#endif
#ifdef WOLFSSL_AES_192
AES192CBCb = 434,
AES192GCMb = 438,
AES192CCMb = 439,
#endif
#ifdef WOLFSSL_AES_256
AES256CBCb = 454,
AES256GCMb = 458,
AES256CCMb = 459,
#endif
#ifndef NO_DES3
DESb = 69,
@@ -374,19 +384,22 @@ enum Key_Sum {
};
#ifndef NO_AES
#if !defined(NO_AES) || defined(HAVE_PKCS7)
enum KeyWrap_Sum {
#ifdef WOLFSSL_AES_128
AES128_WRAP = 417,
AES128_WRAP = 417,
#endif
#ifdef WOLFSSL_AES_192
AES192_WRAP = 437,
AES192_WRAP = 437,
#endif
#ifdef WOLFSSL_AES_256
AES256_WRAP = 457
AES256_WRAP = 457,
#endif
#ifdef HAVE_PKCS7
PWRI_KEK_WRAP = 680 /*id-alg-PWRI-KEK, 1.2.840.113549.1.9.16.3.9 */
#endif
};
#endif /* !NO_AES */
#endif /* !NO_AES || PKCS7 */
enum Key_Agree {
dhSinglePass_stdDH_sha1kdf_scheme = 464,
@@ -486,6 +499,11 @@ enum ExtKeyUsage_Sum { /* From RFC 5280 */
EKU_OCSP_SIGN_OID = 79 /* 1.3.6.1.5.5.7.3.9, id-kp-OCSPSigning */
};
#ifdef HAVE_LIBZ
enum CompressAlg_Sum {
ZLIBc = 679 /* 1.2.840.113549.1.9.16.3.8, id-alg-zlibCompress */
};
#endif
enum VerifyType {
NO_VERIFY = 0,
@@ -982,6 +1000,9 @@ typedef struct tm wolfssl_tm;
defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)
WOLFSSL_LOCAL int GetTimeString(byte* date, int format, char* buf, int len);
#endif
#if !defined(NO_ASN_TIME) && defined(HAVE_PKCS7)
WOLFSSL_LOCAL int GetAsnTimeString(void* currTime, byte* buf, word32 len);
#endif
WOLFSSL_LOCAL int ExtractDate(const unsigned char* date, unsigned char format,
wolfssl_tm* certTime, int* idx);
WOLFSSL_LOCAL int ValidateDate(const byte* date, byte format, int dateType);
@@ -996,8 +1017,12 @@ WOLFSSL_LOCAL int GetShortInt(const byte* input, word32* inOutIdx, int* number,
WOLFSSL_LOCAL char* GetSigName(int oid);
WOLFSSL_LOCAL int GetLength(const byte* input, word32* inOutIdx, int* len,
word32 maxIdx);
WOLFSSL_LOCAL int GetLength_ex(const byte* input, word32* inOutIdx, int* len,
word32 maxIdx, int check);
WOLFSSL_LOCAL int GetSequence(const byte* input, word32* inOutIdx, int* len,
word32 maxIdx);
WOLFSSL_LOCAL int GetSequence_ex(const byte* input, word32* inOutIdx, int* len,
word32 maxIdx, int check);
WOLFSSL_LOCAL int GetSet(const byte* input, word32* inOutIdx, int* len,
word32 maxIdx);
WOLFSSL_LOCAL int GetMyVersion(const byte* input, word32* inOutIdx,
@@ -1012,6 +1037,9 @@ WOLFSSL_LOCAL int GetInt(mp_int* mpi, const byte* input, word32* inOutIdx,
WOLFSSL_LOCAL int DecodeObjectId(const byte* in, word32 inSz,
word16* out, word32* outSz);
#endif
WOLFSSL_LOCAL int GetASNObjectId(const byte* input, word32* inOutIdx, int* len,
word32 maxIdx);
WOLFSSL_LOCAL int SetObjectId(int len, byte* output);
WOLFSSL_LOCAL int GetObjectId(const byte* input, word32* inOutIdx, word32* oid,
word32 oidType, word32 maxIdx);
WOLFSSL_LOCAL int GetAlgoId(const byte* input, word32* inOutIdx, word32* oid,

3
wolfssl/wolfcrypt/error-crypt.h
View File

@@ -221,8 +221,9 @@ enum {
ZLIB_DECOMPRESS_ERROR = -268, /* zlib decompression error */
PKCS7_NO_SIGNER_E = -269, /* No signer in PKCS#7 signed data msg */
WC_PKCS7_WANT_READ_E= -270, /* PKCS7 operations wants more input */
WC_LAST_E = -269, /* Update this to indicate last error */
WC_LAST_E = -270, /* Update this to indicate last error */
MIN_CODE_E = -300 /* errors -101 - -299 */
/* add new companion error id strings for any new error codes

281
wolfssl/wolfcrypt/pkcs7.h
View File

@@ -48,18 +48,96 @@
/* Max number of certificates that PKCS7 structure can parse */
#ifndef MAX_PKCS7_CERTS
#define MAX_PKCS7_CERTS 4
#define MAX_PKCS7_CERTS 4
#endif
#ifndef MAX_ORI_TYPE_SZ
#define MAX_ORI_TYPE_SZ MAX_OID_SZ
#endif
#ifndef MAX_ORI_VALUE_SZ
#define MAX_ORI_VALUE_SZ 512
#endif
#ifndef MAX_SIGNED_ATTRIBS_SZ
#define MAX_SIGNED_ATTRIBS_SZ 7
#endif
#ifndef MAX_AUTH_ATTRIBS_SZ
#define MAX_AUTH_ATTRIBS_SZ 7
#endif
#ifndef MAX_UNAUTH_ATTRIBS_SZ
#define MAX_UNAUTH_ATTRIBS_SZ 7
#endif
/* PKCS#7 content types, ref RFC 2315 (Section 14) */
enum PKCS7_TYPES {
PKCS7_MSG = 650, /* 1.2.840.113549.1.7 */
DATA = 651, /* 1.2.840.113549.1.7.1 */
SIGNED_DATA = 652, /* 1.2.840.113549.1.7.2 */
ENVELOPED_DATA = 653, /* 1.2.840.113549.1.7.3 */
SIGNED_AND_ENVELOPED_DATA = 654, /* 1.2.840.113549.1.7.4 */
DIGESTED_DATA = 655, /* 1.2.840.113549.1.7.5 */
ENCRYPTED_DATA = 656 /* 1.2.840.113549.1.7.6 */
PKCS7_MSG = 650, /* 1.2.840.113549.1.7 */
DATA = 651, /* 1.2.840.113549.1.7.1 */
SIGNED_DATA = 652, /* 1.2.840.113549.1.7.2 */
ENVELOPED_DATA = 653, /* 1.2.840.113549.1.7.3 */
SIGNED_AND_ENVELOPED_DATA = 654, /* 1.2.840.113549.1.7.4 */
DIGESTED_DATA = 655, /* 1.2.840.113549.1.7.5 */
ENCRYPTED_DATA = 656, /* 1.2.840.113549.1.7.6 */
#if defined(HAVE_LIBZ) && !defined(NO_PKCS7_COMPRESSED_DATA)
COMPRESSED_DATA = 678, /* 1.2.840.113549.1.9.16.1.9, RFC 3274 */
#endif
FIRMWARE_PKG_DATA = 685, /* 1.2.840.113549.1.9.16.1.16, RFC 4108 */
AUTH_ENVELOPED_DATA = 692 /* 1.2.840.113549.1.9.16.1.23, RFC 5083 */
};
enum PKCS7_STATE {
WC_PKCS7_START = 0,
/* decode encrypted */
WC_PKCS7_STAGE2,
WC_PKCS7_STAGE3,
WC_PKCS7_STAGE4,
WC_PKCS7_STAGE5,
WC_PKCS7_STAGE6,
WC_PKCS7_VERIFY_STAGE2,
WC_PKCS7_VERIFY_STAGE3,
WC_PKCS7_VERIFY_STAGE4,
WC_PKCS7_VERIFY_STAGE5,
WC_PKCS7_VERIFY_STAGE6,
/* parse info set */
WC_PKCS7_INFOSET_START,
WC_PKCS7_INFOSET_BER,
WC_PKCS7_INFOSET_STAGE1,
WC_PKCS7_INFOSET_STAGE2,
WC_PKCS7_INFOSET_END,
/* decode enveloped data */
WC_PKCS7_ENV_2,
WC_PKCS7_ENV_3,
WC_PKCS7_ENV_4,
WC_PKCS7_ENV_5,
/* decode auth enveloped */
WC_PKCS7_AUTHENV_2,
WC_PKCS7_AUTHENV_3,
WC_PKCS7_AUTHENV_4,
WC_PKCS7_AUTHENV_5,
WC_PKCS7_AUTHENV_6,
WC_PKCS7_AUTHENV_ATRB,
WC_PKCS7_AUTHENV_ATRBEND,
WC_PKCS7_AUTHENV_7,
/* decryption state types */
WC_PKCS7_DECRYPT_KTRI,
WC_PKCS7_DECRYPT_KTRI_2,
WC_PKCS7_DECRYPT_KTRI_3,
WC_PKCS7_DECRYPT_KARI,
WC_PKCS7_DECRYPT_KEKRI,
WC_PKCS7_DECRYPT_PWRI,
WC_PKCS7_DECRYPT_ORI,
WC_PKCS7_DECRYPT_DONE,
};
enum Pkcs7_Misc {
@@ -77,6 +155,19 @@ enum Pkcs7_Misc {
MAX_SEQ_SZ + MAX_ALGO_SZ + 1 + MAX_ENCRYPTED_KEY_SZ
};
enum Cms_Options {
CMS_SKID = 1,
CMS_ISSUER_AND_SERIAL_NUMBER = 2,
};
/* CMS/PKCS#7 RecipientInfo types, RFC 5652, Section 6.2 */
enum Pkcs7_RecipientInfo_Types {
PKCS7_KTRI = 0,
PKCS7_KARI = 1,
PKCS7_KEKRI = 2,
PKCS7_PWRI = 3,
PKCS7_ORI = 4
};
typedef struct PKCS7Attrib {
const byte* oid;
@@ -94,11 +185,25 @@ typedef struct PKCS7DecodedAttrib {
word32 valueSz;
} PKCS7DecodedAttrib;
typedef struct PKCS7State PKCS7State;
typedef struct Pkcs7Cert Pkcs7Cert;
typedef struct Pkcs7EncodedRecip Pkcs7EncodedRecip;
typedef struct PKCS7 PKCS7;
/* OtherRecipientInfo decrypt callback prototype */
typedef int (*CallbackOriDecrypt)(PKCS7* pkcs7, byte* oriType, word32 oriTypeSz,
byte* oriValue, word32 oriValueSz,
byte* decryptedKey, word32* decryptedKeySz,
void* ctx);
typedef int (*CallbackOriEncrypt)(PKCS7* pkcs7, byte* cek, word32 cekSz,
byte* oriType, word32* oriTypeSz,
byte* oriValue, word32* oriValueSz,
void* ctx);
/* Public Structure Warning:
* Existing members must not be changed to maintain backwards compatibility!
*/
typedef struct PKCS7 {
struct PKCS7 {
WC_RNG* rng;
PKCS7Attrib* signedAttribs;
byte* content; /* inner content, not owner */
@@ -147,40 +252,167 @@ typedef struct PKCS7 {
word16 isDynamic:1;
word16 noDegenerate:1; /* allow degenerate case in verify function */
byte contentType[MAX_OID_SZ]; /* custom contentType byte array */
word32 contentTypeSz; /* size of contentType, bytes */
int sidType; /* SignerIdentifier type to use, of type
Pkcs7_SignerIdentifier_Types, default to
SID_ISSUER_AND_SERIAL_NUMBER */
byte issuerSubjKeyId[KEYID_SIZE]; /* SubjectKeyIdentifier of singleCert */
Pkcs7Cert* certList; /* certificates list for SignedData set */
Pkcs7EncodedRecip* recipList; /* recipients list */
byte* cek; /* content encryption key, random, dynamic */
word32 cekSz; /* size of cek, bytes */
byte* pass; /* password, for PWRI decryption */
word32 passSz; /* size of pass, bytes */
int kekEncryptOID; /* KEK encryption algorithm OID */
CallbackOriEncrypt oriEncryptCb; /* ORI encrypt callback */
CallbackOriDecrypt oriDecryptCb; /* ORI decrypt callback */
void* oriEncryptCtx; /* ORI encrypt user context ptr */
void* oriDecryptCtx; /* ORI decrypt user context ptr */
PKCS7Attrib* authAttribs; /* authenticated attribs */
word32 authAttribsSz;
PKCS7Attrib* unauthAttribs; /* unauthenticated attribs */
word32 unauthAttribsSz;
#ifndef NO_PKCS7_STREAM
PKCS7State* stream;
#endif
word32 state;
/* !! NEW DATA MEMBERS MUST BE ADDED AT END !! */
} PKCS7;
};
WOLFSSL_API PKCS7* wc_PKCS7_New(void* heap, int devId);
WOLFSSL_API int wc_PKCS7_Init(PKCS7* pkcs7, void* heap, int devId);
WOLFSSL_API int wc_PKCS7_InitWithCert(PKCS7* pkcs7, byte* cert, word32 certSz);
WOLFSSL_API int wc_PKCS7_InitWithCert(PKCS7* pkcs7, byte* der, word32 derSz);
WOLFSSL_API int wc_PKCS7_AddCertificate(PKCS7* pkcs7, byte* der, word32 derSz);
WOLFSSL_API void wc_PKCS7_Free(PKCS7* pkcs7);
WOLFSSL_API int wc_PKCS7_GetAttributeValue(PKCS7* pkcs7, const byte* oid,
word32 oidSz, byte* out, word32* outSz);
WOLFSSL_API int wc_PKCS7_SetSignerIdentifierType(PKCS7* pkcs7, int type);
WOLFSSL_API int wc_PKCS7_SetContentType(PKCS7* pkcs7, byte* contentType,
word32 sz);
WOLFSSL_API int wc_PKCS7_GetPadSize(word32 inputSz, word32 blockSz);
WOLFSSL_API int wc_PKCS7_PadData(byte* in, word32 inSz, byte* out, word32 outSz,
word32 blockSz);
/* CMS/PKCS#7 Data */
WOLFSSL_API int wc_PKCS7_EncodeData(PKCS7* pkcs7, byte* output,
word32 outputSz);
/* CMS/PKCS#7 SignedData */
WOLFSSL_API int wc_PKCS7_EncodeSignedData(PKCS7* pkcs7,
byte* output, word32 outputSz);
byte* output, word32 outputSz);
WOLFSSL_API int wc_PKCS7_EncodeSignedData_ex(PKCS7* pkcs7, const byte* hashBuf,
word32 hashSz, byte* outputHead, word32* outputHeadSz, byte* outputFoot,
word32* outputFootSz);
word32 hashSz, byte* outputHead,
word32* outputHeadSz,
byte* outputFoot,
word32* outputFootSz);
WOLFSSL_API void wc_PKCS7_AllowDegenerate(PKCS7* pkcs7, word16 flag);
WOLFSSL_API int wc_PKCS7_VerifySignedData(PKCS7* pkcs7,
byte* pkiMsg, word32 pkiMsgSz);
byte* pkiMsg, word32 pkiMsgSz);
WOLFSSL_API int wc_PKCS7_VerifySignedData_ex(PKCS7* pkcs7, const byte* hashBuf,
word32 hashSz, byte* pkiMsgHead, word32 pkiMsgHeadSz, byte* pkiMsgFoot,
word32 pkiMsgFootSz);
word32 hashSz, byte* pkiMsgHead,
word32 pkiMsgHeadSz, byte* pkiMsgFoot,
word32 pkiMsgFootSz);
/* CMS single-shot API for Signed FirmwarePkgData */
WOLFSSL_API int wc_PKCS7_EncodeSignedFPD(PKCS7* pkcs7, byte* privateKey,
word32 privateKeySz, int signOID,
int hashOID, byte* content,
word32 contentSz,
PKCS7Attrib* signedAttribs,
word32 signedAttribsSz, byte* output,
word32 outputSz);
#ifndef NO_PKCS7_ENCRYPTED_DATA
/* CMS single-shot API for Signed Encrypted FirmwarePkgData */
WOLFSSL_API int wc_PKCS7_EncodeSignedEncryptedFPD(PKCS7* pkcs7,
byte* encryptKey, word32 encryptKeySz,
byte* privateKey, word32 privateKeySz,
int encryptOID, int signOID,
int hashOID, byte* content,
word32 contentSz,
PKCS7Attrib* unprotectedAttribs,
word32 unprotectedAttribsSz,
PKCS7Attrib* signedAttribs,
word32 signedAttribsSz,
byte* output, word32 outputSz);
#endif /* NO_PKCS7_ENCRYPTED_DATA */
#if defined(HAVE_LIBZ) && !defined(NO_PKCS7_COMPRESSED_DATA)
/* CMS single-shot API for Signed Compressed FirmwarePkgData */
WOLFSSL_API int wc_PKCS7_EncodeSignedCompressedFPD(PKCS7* pkcs7,
byte* privateKey, word32 privateKeySz,
int signOID, int hashOID,
byte* content, word32 contentSz,
PKCS7Attrib* signedAttribs,
word32 signedAttribsSz, byte* output,
word32 outputSz);
#ifndef NO_PKCS7_ENCRYPTED_DATA
/* CMS single-shot API for Signed Encrypted Compressed FirmwarePkgData */
WOLFSSL_API int wc_PKCS7_EncodeSignedEncryptedCompressedFPD(PKCS7* pkcs7,
byte* encryptKey, word32 encryptKeySz,
byte* privateKey, word32 privateKeySz,
int encryptOID, int signOID,
int hashOID, byte* content,
word32 contentSz,
PKCS7Attrib* unprotectedAttribs,
word32 unprotectedAttribsSz,
PKCS7Attrib* signedAttribs,
word32 signedAttribsSz,
byte* output, word32 outputSz);
#endif /* !NO_PKCS7_ENCRYPTED_DATA */
#endif /* HAVE_LIBZ && !NO_PKCS7_COMPRESSED_DATA */
/* EnvelopedData and AuthEnvelopedData RecipientInfo functions */
WOLFSSL_API int wc_PKCS7_AddRecipient_KTRI(PKCS7* pkcs7, const byte* cert,
word32 certSz, int options);
WOLFSSL_API int wc_PKCS7_AddRecipient_KARI(PKCS7* pkcs7, const byte* cert,
word32 certSz, int keyWrapOID,
int keyAgreeOID, byte* ukm,
word32 ukmSz, int options);
WOLFSSL_API int wc_PKCS7_SetKey(PKCS7* pkcs7, byte* key, word32 keySz);
WOLFSSL_API int wc_PKCS7_AddRecipient_KEKRI(PKCS7* pkcs7, int keyWrapOID,
byte* kek, word32 kekSz,
byte* keyID, word32 keyIdSz,
void* timePtr, byte* otherOID,
word32 otherOIDSz, byte* other,
word32 otherSz, int options);
WOLFSSL_API int wc_PKCS7_SetPassword(PKCS7* pkcs7, byte* passwd, word32 pLen);
WOLFSSL_API int wc_PKCS7_AddRecipient_PWRI(PKCS7* pkcs7, byte* passwd,
word32 pLen, byte* salt,
word32 saltSz, int kdfOID,
int prfOID, int iterations,
int kekEncryptOID, int options);
WOLFSSL_API int wc_PKCS7_SetOriEncryptCtx(PKCS7* pkcs7, void* ctx);
WOLFSSL_API int wc_PKCS7_SetOriDecryptCtx(PKCS7* pkcs7, void* ctx);
WOLFSSL_API int wc_PKCS7_SetOriDecryptCb(PKCS7* pkcs7, CallbackOriDecrypt cb);
WOLFSSL_API int wc_PKCS7_AddRecipient_ORI(PKCS7* pkcs7, CallbackOriEncrypt cb,
int options);
/* CMS/PKCS#7 EnvelopedData */
WOLFSSL_API int wc_PKCS7_EncodeEnvelopedData(PKCS7* pkcs7,
byte* output, word32 outputSz);
WOLFSSL_API int wc_PKCS7_DecodeEnvelopedData(PKCS7* pkcs7, byte* pkiMsg,
word32 pkiMsgSz, byte* output,
word32 outputSz);
WOLFSSL_API int wc_PKCS7_GetPadSize(word32 inputSz, word32 blockSz);
WOLFSSL_API int wc_PKCS7_PadData(byte* in, word32 inSz, byte* out, word32 outSz,
word32 blockSz);
/* CMS/PKCS#7 AuthEnvelopedData */
WOLFSSL_API int wc_PKCS7_EncodeAuthEnvelopedData(PKCS7* pkcs7,
byte* output, word32 outputSz);
WOLFSSL_API int wc_PKCS7_DecodeAuthEnvelopedData(PKCS7* pkcs7, byte* pkiMsg,
word32 pkiMsgSz, byte* output,
word32 outputSz);
/* CMS/PKCS#7 EncryptedData */
#ifndef NO_PKCS7_ENCRYPTED_DATA
WOLFSSL_API int wc_PKCS7_EncodeEncryptedData(PKCS7* pkcs7,
byte* output, word32 outputSz);
@@ -189,6 +421,15 @@ WOLFSSL_API int wc_PKCS7_DecodeEncryptedData(PKCS7* pkcs7, byte* pkiMsg,
word32 outputSz);
#endif /* NO_PKCS7_ENCRYPTED_DATA */
/* CMS/PKCS#7 CompressedData */
#if defined(HAVE_LIBZ) && !defined(NO_PKCS7_COMPRESSED_DATA)
WOLFSSL_API int wc_PKCS7_EncodeCompressedData(PKCS7* pkcs7, byte* output,
word32 outputSz);
WOLFSSL_API int wc_PKCS7_DecodeCompressedData(PKCS7* pkcs7, byte* pkiMsg,
word32 pkiMsgSz, byte* output,
word32 outputSz);
#endif /* HAVE_LIBZ && !NO_PKCS7_COMPRESSED_DATA */
#ifdef __cplusplus
} /* extern "C" */
#endif