mirror of
https://github.com/wolfSSL/wolfssl.git
synced 2026-07-05 14:40:50 +02:00
11f71108ba
Allow encoding and verifying a CMS SignedData whose encapContentInfo carries no eContent, that is, a signed-attributes-only signature over empty content (RFC 5652 makes eContent OPTIONAL). This is required for SCEP CertRep PENDING and FAILURE messages (RFC 8894 section 3.2.2), which must omit the pkcsPKIEnvelope entirely.

Encode: wc_PKCS7_EncodeSignedData computes the messageDigest over the empty content when detached is set and contentSz is 0, since there is no eContent to drive the normal content-hashing pass.

Verify: PKCS7_VerifySignedData no longer rejects an absent eContent when no external content or hash was supplied. It is processed as a detached signature over empty content, and wc_PKCS7_VerifyContentMessageDigest computes the digest of zero-length content using the parsed digest algorithm. The messageDigest comparison still rejects a stripped non-empty eContent.

Add pkcs7_signed_no_content_test, a round-trip over a CMS SignedData whose encapContentInfo carries no eContent (a detached signature over empty content, signed-attributes-only), as produced by SCEP CertRep PENDING/FAILURE messages. The encode omits the eContent and the verify accepts it without any caller-supplied content or hash, checking the messageDigest against the hash of empty content. Run for RSA/SHA-256.
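The following is an added illustration, not code from the wolfSSL commit or library: a small Python model of the messageDigest decision the commit describes. It shows the precedence a verifier applies (caller-supplied hash, caller-supplied content, embedded eContent, and finally the digest of zero-length content when the eContent is absent and nothing was supplied), and why a SignedData whose non-empty eContent was stripped still fails the messageDigest comparison. The OID table, function names and sample content are constructed for the example; the digest algorithm OIDs are the standard CMS values (RFC 5754 / RFC 3370).

```python
import hashlib
import hmac

# Constructed lookup: CMS digest algorithm OIDs (RFC 5754 / RFC 3370) -> hashlib names.
DIGEST_ALG_OIDS = {
    "1.3.14.3.2.26": "sha1",
    "2.16.840.1.101.3.4.2.1": "sha256",
    "2.16.840.1.101.3.4.2.2": "sha384",
    "2.16.840.1.101.3.4.2.3": "sha512",
}

SHA256_OID = "2.16.840.1.101.3.4.2.1"


def message_digest_attribute(digest_alg_oid, econtent):
    """Signer side (hypothetical helper): value of the messageDigest signed
    attribute (RFC 5652 section 11.2). When encapContentInfo carries no
    eContent (econtent is None) the signature is over empty content, so the
    attribute is the digest of b""."""
    name = DIGEST_ALG_OIDS[digest_alg_oid]
    data = econtent if econtent is not None else b""
    return hashlib.new(name, data).digest()


def expected_content_digest(digest_alg_oid, econtent=None,
                            external_content=None, external_hash=None):
    """Verifier side (hypothetical helper): the digest the signed messageDigest
    attribute must equal. Precedence models the behaviour the commit describes:
      1. a caller-supplied hash of detached content is used as-is,
      2. else caller-supplied detached content is hashed,
      3. else the eContent embedded in the message is hashed,
      4. else (no eContent, nothing supplied) the digest of zero-length
         content is computed with the parsed digest algorithm.
    """
    name = DIGEST_ALG_OIDS[digest_alg_oid]
    if external_hash is not None:
        if len(external_hash) != hashlib.new(name).digest_size:
            raise ValueError("external hash length does not match digest algorithm")
        return external_hash
    if external_content is not None:
        data = external_content
    elif econtent is not None:
        data = econtent
    else:
        data = b""  # absent eContent: detached signature over empty content
    return hashlib.new(name, data).digest()


def verify_message_digest(digest_alg_oid, message_digest_attr, econtent=None,
                          external_content=None, external_hash=None):
    """Constant-time comparison of the signed messageDigest attribute against
    the digest of whatever content the verifier actually has. Unknown digest
    OIDs and malformed caller-supplied hashes are rejected rather than raised."""
    try:
        expected = expected_content_digest(digest_alg_oid, econtent,
                                           external_content, external_hash)
    except (KeyError, ValueError):
        return False
    return hmac.compare_digest(expected, message_digest_attr)


def demo():
    # Case 1: signed-attributes-only SignedData with no eContent, the shape of a
    # SCEP CertRep PENDING/FAILURE message. Verifier supplies nothing; accepted.
    attr_empty = message_digest_attribute(SHA256_OID, None)
    accepted_empty = verify_message_digest(SHA256_OID, attr_empty)

    # Case 2: the signer signed real content (constructed sample) and the
    # eContent was stripped in transit. The digest of b"" does not match the
    # signed messageDigest, so the message is rejected.
    attr_hello = message_digest_attribute(SHA256_OID, b"hello")
    accepted_stripped = verify_message_digest(SHA256_OID, attr_hello)

    # Case 3: the same detached message with the content supplied out of band.
    accepted_detached = verify_message_digest(SHA256_OID, attr_hello,
                                              external_content=b"hello")
    return accepted_empty, accepted_stripped, accepted_detached


if __name__ == "__main__":
    print(demo())
```

The messageDigest check alone does not tell the verifier whether empty content is legitimate for the message at hand; that is decided by the outer protocol (for SCEP, only PENDING and FAILURE CertRep messages may omit the pkcsPKIEnvelope), so an application should still confirm it expects an empty payload before acting on one.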