Commit Graph

15 Commits

Author SHA1 Message Date
Daniel Pouzzner 178f96c483 Merge pull request #9854 from sameehj/rsa-pss-fix
Add RSA-PSS certificate support for PKCS7 EnvelopedData KTRI
2026-03-05 15:03:46 -06:00
Daniel Pouzzner f04e6e8718 tests/api.c and tests/api/test_pkcs7.c: fixes for CFLAGS="-Og" --enable-all (PRB-single-flag.txt line 3). 2026-03-04 14:46:20 -06:00
Sameeh Jubran 441bcbb680 Add RSA-PSS certificate support for PKCS7 EnvelopedData KTRI
RSA-PSS signed certificates contain a valid RSA public key that can be
used for key transport, but wc_PKCS7_AddRecipient_KTRI and the
EnvelopedData/AuthEnvelopedData encode paths rejected them because they
only checked for RSAk. Allow RSAPSSk to fall through to the RSAk key
transport path, and always use RSAk as the KeyEncryptionAlgorithmIdentifier
since the operation is RSA encryption, not RSA-PSS signing.

Signed-off-by: Sameeh Jubran <sameeh@wolfssl.com>
2026-03-04 12:24:08 +02:00
Sameeh Jubran deb668ca4b pkcs7: add RSA-PSS support for SignedData
Add full RSA-PSS (RSASSA-PSS) support to PKCS#7 SignedData
encoding and verification.

This change enables SignerInfo.signatureAlgorithm to use
id-RSASSA-PSS with explicit RSASSA-PSS-params (hash, MGF1,
salt length), as required by RFC 4055 and CMS profiles.

Key changes:
- Add RSA-PSS encode and verify paths for PKCS7 SignedData
- Encode full RSASSA-PSS AlgorithmIdentifier parameters
- Decode RSA-PSS parameters from SignerInfo for verification
- Treat RSA-PSS like ECDSA (sign raw digest, not DigestInfo)
- Fix certificate signatureAlgorithm parameter length handling
- Add API test coverage for RSA-PSS SignedData

This resolves failures when using RSA-PSS signer certificates
(e.g. -173 invalid signature algorithm) and maintains backward
compatibility with RSA PKCS#1 v1.5 and ECDSA.

Signed-off-by: Sameeh Jubran <sameeh@wolfssl.com>
2026-02-25 11:02:47 +02:00
JacobBarthelmeh a156ed7bc7 update Copyright year 2026-02-18 09:52:21 -07:00
jackctj117 cfcd384c4c Address copilot feedback 2026-02-05 12:12:16 -07:00
jackctj117 6d6d0ab088 Add PKCS7 ECC raw sign callback support 2026-01-28 14:44:00 -07:00
Chris Conlon 5eef52c6fa Add test for PKCS#7 SignedData with non-OCTET_STRING content 2025-12-18 15:02:02 -07:00
JacobBarthelmeh a68da8d2d5 update pksc7 decode test for new ca-cert.pem size 2025-11-14 14:53:48 -07:00
JacobBarthelmeh d06221c16e with decode enveloped data track total encrypted content size 2025-11-13 12:08:46 -07:00
Sean Parkinson 821dc5cb13 Regression testing fixes
Adding protection to tests that use RSA and ECC.
2025-10-22 18:33:44 +10:00
JacobBarthelmeh 1237a5468f coverity warnings on test case, CID 549270 and 549271 2025-10-07 09:35:37 -06:00
JacobBarthelmeh 12cfca4060 account for no AES build and add err trace macro 2025-10-03 13:51:15 -06:00
JacobBarthelmeh 328f505702 add pkcs7 test with multiple recipients 2025-10-03 13:51:15 -06:00
Sean Parkinson b40e3d479f api.c: split out more tests into separate files
wolfCrypt PKCS7
wolfCrypt PKCS12
OpenSSL compat ASN.1
OpenSSL compat BN
OpenSSL comppat BIO
OpenSSL comppat Digest
OpenSSL comppat MAC
OpenSSL comppat Cipher
OpenSSL comppat RSA
OpenSSL comppat DH
OpenSSL comppat EC
OpenSSL comppat ECX
OpenSSL comppat DSA
2025-08-05 19:32:56 +10:00