Commit Graph

545 Commits

Author SHA1 Message Date
David Garske 4c75a866d9 Add inline documentation for missing macros and fix spelling errors 2026-03-16 17:09:13 -07:00
Sean Parkinson bbd2f6f898 Fixes from regression testing
CRL APIs not usable when NO_ASN_TIME defined.
WOLFSSL_TLS13 needs to be defined with HAVE_ECH.
When session ticket encrypted with CBC, must be a multiple of block
size.
Fix test define protection.
Fix ML-DSA protection of reduction functions.
Need !NO_RSA with WC_RSA_PSS.
Connection ID is not a DTLS 1.3 only extension.
2026-03-12 08:19:39 +10:00
Daniel Pouzzner 3540d89c0d Merge pull request #9945 from holtrop-wolfssl/zd21327
Avoid one-byte read outside of allocated encrypted content buffer in wc_PKCS7_DecodeEnvelopedData()
2026-03-10 22:39:24 -05:00
Daniel Pouzzner a5bc0cd929 Merge pull request #9887 from rlm2002/static_analysis
20260305 Coverity fixes
2026-03-10 22:34:57 -05:00
Josh Holtrop d37b51c3ce Avoid one-byte read outside of allocated encrypted content buffer in wc_PKCS7_DecodeEnvelopedData() 2026-03-10 17:26:28 -04:00
Juliusz Sosinowicz 14357576d8 wc_PKCS7_PwriKek_KeyUnWrap: use a ct cmp
F-378
2026-03-06 17:42:37 +01:00
Ruby Martin 2e1a2b951b remove unused tempBuf = NULL 2026-03-05 10:52:20 -07:00
Sameeh Jubran 441bcbb680 Add RSA-PSS certificate support for PKCS7 EnvelopedData KTRI
RSA-PSS signed certificates contain a valid RSA public key that can be
used for key transport, but wc_PKCS7_AddRecipient_KTRI and the
EnvelopedData/AuthEnvelopedData encode paths rejected them because they
only checked for RSAk. Allow RSAPSSk to fall through to the RSAk key
transport path, and always use RSAk as the KeyEncryptionAlgorithmIdentifier
since the operation is RSA encryption, not RSA-PSS signing.

Signed-off-by: Sameeh Jubran <sameeh@wolfssl.com>
2026-03-04 12:24:08 +02:00
jackctj117 e6d4c5561c Move paramsStart declaration inside WC_RSA_PSS guard 2026-02-27 09:20:54 -07:00
jackctj117 1f9dd3c955 Fix unused variable warning in PKCS7 without WC_RSA_PSS 2026-02-26 14:04:49 -07:00
Sameeh Jubran deb668ca4b pkcs7: add RSA-PSS support for SignedData
Add full RSA-PSS (RSASSA-PSS) support to PKCS#7 SignedData
encoding and verification.

This change enables SignerInfo.signatureAlgorithm to use
id-RSASSA-PSS with explicit RSASSA-PSS-params (hash, MGF1,
salt length), as required by RFC 4055 and CMS profiles.

Key changes:
- Add RSA-PSS encode and verify paths for PKCS7 SignedData
- Encode full RSASSA-PSS AlgorithmIdentifier parameters
- Decode RSA-PSS parameters from SignerInfo for verification
- Treat RSA-PSS like ECDSA (sign raw digest, not DigestInfo)
- Fix certificate signatureAlgorithm parameter length handling
- Add API test coverage for RSA-PSS SignedData

This resolves failures when using RSA-PSS signer certificates
(e.g. -173 invalid signature algorithm) and maintains backward
compatibility with RSA PKCS#1 v1.5 and ECDSA.

Signed-off-by: Sameeh Jubran <sameeh@wolfssl.com>
2026-02-25 11:02:47 +02:00
David Garske 1047aaa881 Merge pull request #9796 from JacobBarthelmeh/copyright
update Copyright year
2026-02-19 08:47:30 -08:00
Andrew Hutchings 17680a2359 Fix leak in PKCS7 RSA-OAEP 2026-02-19 11:42:21 +00:00
JacobBarthelmeh a156ed7bc7 update Copyright year 2026-02-18 09:52:21 -07:00
jackctj117 cfcd384c4c Address copilot feedback 2026-02-05 12:12:16 -07:00
jackctj117 6d6d0ab088 Add PKCS7 ECC raw sign callback support 2026-01-28 14:44:00 -07:00
Reda Chouk 9c7b586565 Increment signedAttribsCount with the right number of attributes it
encoded
2026-01-08 20:46:47 +01:00
Chris Conlon afe82b9512 Fix PKCS#7 degenerate detection based on signerInfos length 2025-12-18 16:28:03 -07:00
Chris Conlon d6dcd30736 Fix PKCS#7 streaming for non OCTET STRING content types 2025-12-18 16:28:01 -07:00
Sean Parkinson 76fec60754 Merge pull request #9448 from anhu/p7_unknownExt
unknown extension support in wc_PKCS7_EcdsaVerify
2025-11-25 09:21:47 +10:00
Anthony Hu 668602016c Allow user to prevent wc_PKCS7_EcdsaVerify from erroring out due to extentions we do not know about 2025-11-19 14:36:04 -05:00
JacobBarthelmeh c63ca04228 convert to type int for return value 2025-11-13 12:17:04 -07:00
JacobBarthelmeh d06221c16e with decode enveloped data track total encrypted content size 2025-11-13 12:08:46 -07:00
effbiae f4b8f844b2 indent {.*;} macro args 2025-10-13 14:04:06 +11:00
effbiae 7a3db09ddd automated small stack compress 2025-10-11 11:40:30 +11:00
JacobBarthelmeh 7128932eff avoid attempt of key decode and free buffer if incorrect recipient found 2025-10-06 10:48:59 -06:00
JacobBarthelmeh fca3028395 advance index past recipent set in non stream case too 2025-10-03 15:55:35 -06:00
JacobBarthelmeh 4e92920a7f cast variable to word32 for compare 2025-10-03 13:51:15 -06:00
JacobBarthelmeh 12cfca4060 account for no AES build and add err trace macro 2025-10-03 13:51:15 -06:00
JacobBarthelmeh 328f505702 add pkcs7 test with multiple recipients 2025-10-03 13:51:15 -06:00
JacobBarthelmeh 7a5e97e30e adjustment for recipient index advancement 2025-10-03 13:51:15 -06:00
JacobBarthelmeh 6987304f42 Fix to advance past multiple recipients 2025-10-03 13:51:15 -06:00
Josh Holtrop df7e105fb7 Allow building with HAVE_PKCS7 set and HAVE_X963_KDF unset 2025-07-29 11:46:44 -04:00
Josh Holtrop 26a4ea93eb Allow building with HAVE_PKCS7 set and HAVE_AES_KEYWRAP unset 2025-07-28 12:40:35 -04:00
David Garske c347f75b3c Merge pull request #9029 from holtrop/extract-kari-rid
Add wc_PKCS7_GetEnvelopedDataKariRid()
2025-07-25 09:04:11 -07:00
David Garske 2db1669713 Merge pull request #8988 from JacobBarthelmeh/visibility
remove WOLFSSL_API in source code when already used in header file
2025-07-24 11:00:55 -07:00
Josh Holtrop cf843c8b82 Add wc_PKCS7_GetEnvelopedDataKariRid()
Allow access to recipient ID before attempting to decrypt content.
2025-07-24 11:15:30 -04:00
David Garske 6aabc73845 Merge pull request #9018 from holtrop/decode-skp
Add API to decode SymmetricKeyPackage and OneSymmetricKey CMS objects
2025-07-23 16:01:58 -07:00
David Garske 44eba446ec Merge pull request #9002 from holtrop/aes-key-wrap-callbacks
Add callback functions for custom AES key wrap/unwrap operations
2025-07-23 16:01:49 -07:00
Josh Holtrop 13fb6b83cd Update style per code review comments 2025-07-22 16:38:13 -04:00
Josh Holtrop 27f0ef8789 Combine AES key wrap/unwrap callbacks 2025-07-22 16:34:37 -04:00
Josh Holtrop 7bcb346dd7 Remove early function returns per code review comments 2025-07-22 14:58:26 -04:00
Josh Holtrop 15c8730ef7 Use wc_ prefix for IndexSequenceOf() 2025-07-22 14:50:42 -04:00
Josh Holtrop 77bace5010 Update style per code review comments 2025-07-22 14:47:22 -04:00
Josh Holtrop 525f1cc39e Update style per code review comments 2025-07-22 08:19:01 -04:00
Josh Holtrop 06d86af67c Add API to decode SymmetricKeyPackage and OneSymmetricKey CMS objects 2025-07-19 18:28:06 -04:00
Josh Holtrop af3296a836 wc_PKCS7_KeyWrap(): mark pointers as to const and check for NULL 2025-07-14 17:28:23 -04:00
Daniel Pouzzner 2c341a5806 Merge pull request #8990 from JacobBarthelmeh/license
updating license from GPLv2 to GPLv3

(linuxkm tweak to `MODULE_LICENSE("GPL")` to follow.)
2025-07-14 16:14:39 -05:00
Josh Holtrop 429ccd5456 Add callback functions for custom AES key wrap/unwrap operations 2025-07-14 15:58:14 -04:00
JacobBarthelmeh 629c5b4cf6 updating license from GPLv2 to GPLv3 2025-07-10 16:11:36 -06:00