From c9deb184b0bf5e72d5761d06af0db165676e0f8a Mon Sep 17 00:00:00 2001 From: Nayna Jain Date: Mon, 16 Nov 2020 19:03:12 +0000 Subject: [PATCH 01/35] mbedtls: add support for pkcs7 PKCS7 signing format is used by OpenPOWER Key Management, which is using mbedtls as its crypto library. This patch adds the limited support of pkcs7 parser and verification to the mbedtls. The limitations are: * Only signed data is supported. * CRLs are not currently handled. * Single signer is supported. Signed-off-by: Daniel Axtens Signed-off-by: Eric Richter Signed-off-by: Nayna Jain --- include/mbedtls/asn1.h | 3 +- include/mbedtls/check_config.h | 7 + include/mbedtls/error.h | 1 + include/mbedtls/mbedtls_config.h | 15 + include/mbedtls/oid.h | 11 + include/mbedtls/pkcs7.h | 224 ++++++++++ library/Makefile | 1 + library/pkcs7.c | 561 +++++++++++++++++++++++++ scripts/config.py | 1 + tests/data_files/Makefile | 92 ++++ tests/suites/test_suite_pkcs7.data | 53 +++ tests/suites/test_suite_pkcs7.function | 420 ++++++++++++++++++ 12 files changed, 1388 insertions(+), 1 deletion(-) create mode 100644 include/mbedtls/pkcs7.h create mode 100644 library/pkcs7.c create mode 100644 tests/suites/test_suite_pkcs7.data create mode 100644 tests/suites/test_suite_pkcs7.function diff --git a/include/mbedtls/asn1.h b/include/mbedtls/asn1.h index be2cae7b5..21ade1bdb 100644 --- a/include/mbedtls/asn1.h +++ b/include/mbedtls/asn1.h @@ -38,8 +38,9 @@ /** * \name ASN1 Error codes - * These error codes are OR'ed to X509 error codes for + * These error codes are combined with other error codes for * higher error granularity. + * e.g. X.509 and PKCS #7 error codes * ASN1 is a standard to specify data structures. * \{ */ diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h index b5d2c40f2..dcb6392f1 100644 --- a/include/mbedtls/check_config.h +++ b/include/mbedtls/check_config.h @@ -989,6 +989,13 @@ #error "MBEDTLS_SSL_TRUNCATED_HMAC was removed in Mbed TLS 3.0. See https://github.com/Mbed-TLS/mbedtls/issues/4341" #endif +#if defined(MBEDTLS_PKCS7_C) && ( ( !defined(MBEDTLS_ASN1_PARSE_C) ) || \ + ( !defined(MBEDTLS_OID_C) ) || ( !defined(MBEDTLS_PK_PARSE_C) ) || \ + ( !defined(MBEDTLS_X509_CRT_PARSE_C) ) ||\ + ( !defined(MBEDTLS_X509_CRL_PARSE_C) ) || ( !defined(MBEDTLS_BIGNUM_C) ) ) +#error "MBEDTLS_PKCS7_C is defined, but not all prerequisites" +#endif + /* * Avoid warning from -pedantic. This is a convenient place for this * workaround since this is included by every single file before the diff --git a/include/mbedtls/error.h b/include/mbedtls/error.h index 8b2b9ea58..08504329b 100644 --- a/include/mbedtls/error.h +++ b/include/mbedtls/error.h @@ -95,6 +95,7 @@ * ECP 4 10 (Started from top) * MD 5 5 * HKDF 5 1 (Started from top) + * PKCS7 5 12 (Started from 0x5300) * SSL 5 2 (Started from 0x5F00) * CIPHER 6 8 (Started from 0x6080) * SSL 6 22 (Started from top, plus 0x6000) diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h index e9487b28f..45dd2748c 100644 --- a/include/mbedtls/mbedtls_config.h +++ b/include/mbedtls/mbedtls_config.h @@ -2660,6 +2660,21 @@ */ #define MBEDTLS_PKCS5_C +/** + * \def MBEDTLS_PKCS7_C + * + * Enable PKCS7 core for using PKCS7 formatted signatures. + * RFC Link - https://tools.ietf.org/html/rfc2315 + * + * Module: library/pkcs7.c + * + * Requires: MBEDTLS_ASN1_PARSE_C, MBEDTLS_OID_C, MBEDTLS_PK_PARSE_C, + * MBEDTLS_X509_CRT_PARSE_C MBEDTLS_X509_CRL_PARSE_C, MBEDTLS_BIGNUM_C + * + * This module is required for the PKCS7 parsing modules. + */ +#define MBEDTLS_PKCS7_C + /** * \def MBEDTLS_PKCS12_C * diff --git a/include/mbedtls/oid.h b/include/mbedtls/oid.h index 4ee3f93fb..e5c4b9249 100644 --- a/include/mbedtls/oid.h +++ b/include/mbedtls/oid.h @@ -220,6 +220,7 @@ #define MBEDTLS_OID_PKCS MBEDTLS_OID_RSA_COMPANY "\x01" /**< pkcs OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) 1 } */ #define MBEDTLS_OID_PKCS1 MBEDTLS_OID_PKCS "\x01" /**< pkcs-1 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 1 } */ #define MBEDTLS_OID_PKCS5 MBEDTLS_OID_PKCS "\x05" /**< pkcs-5 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 5 } */ +#define MBEDTLS_OID_PKCS7 MBEDTLS_OID_PKCS "\x07" /**< pkcs-7 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 7 } */ #define MBEDTLS_OID_PKCS9 MBEDTLS_OID_PKCS "\x09" /**< pkcs-9 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 9 } */ #define MBEDTLS_OID_PKCS12 MBEDTLS_OID_PKCS "\x0c" /**< pkcs-12 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 12 } */ @@ -300,6 +301,16 @@ #define MBEDTLS_OID_PKCS5_PBE_SHA1_DES_CBC MBEDTLS_OID_PKCS5 "\x0a" /**< pbeWithSHA1AndDES-CBC OBJECT IDENTIFIER ::= {pkcs-5 10} */ #define MBEDTLS_OID_PKCS5_PBE_SHA1_RC2_CBC MBEDTLS_OID_PKCS5 "\x0b" /**< pbeWithSHA1AndRC2-CBC OBJECT IDENTIFIER ::= {pkcs-5 11} */ +/* + * PKCS#7 OIDs + */ +#define MBEDTLS_OID_PKCS7_DATA MBEDTLS_OID_PKCS7 "\x01" /**< Content type is Data OBJECT IDENTIFIER ::= {pkcs-7 1} */ +#define MBEDTLS_OID_PKCS7_SIGNED_DATA MBEDTLS_OID_PKCS7 "\x02" /**< Content type is Signed Data OBJECT IDENTIFIER ::= {pkcs-7 2} */ +#define MBEDTLS_OID_PKCS7_ENVELOPED_DATA MBEDTLS_OID_PKCS7 "\x03" /**< Content type is Enveloped Data OBJECT IDENTIFIER ::= {pkcs-7 3} */ +#define MBEDTLS_OID_PKCS7_SIGNED_AND_ENVELOPED_DATA MBEDTLS_OID_PKCS7 "\x04" /**< Content type is Signed and Enveloped Data OBJECT IDENTIFIER ::= {pkcs-7 4} */ +#define MBEDTLS_OID_PKCS7_DIGESTED_DATA MBEDTLS_OID_PKCS7 "\x05" /**< Content type is Digested Data OBJECT IDENTIFIER ::= {pkcs-7 5} */ +#define MBEDTLS_OID_PKCS7_ENCRYPTED_DATA MBEDTLS_OID_PKCS7 "\x06" /**< Content type is Encrypted Data OBJECT IDENTIFIER ::= {pkcs-7 6} */ + /* * PKCS#8 OIDs */ diff --git a/include/mbedtls/pkcs7.h b/include/mbedtls/pkcs7.h new file mode 100644 index 000000000..3f87dc3e2 --- /dev/null +++ b/include/mbedtls/pkcs7.h @@ -0,0 +1,224 @@ +/** + * \file pkcs7.h + * + * \brief PKCS7 generic defines and structures + * https://tools.ietf.org/html/rfc2315 + */ +/* + * Copyright (C) 2019, IBM Corp, All Rights Reserved + * SPDX-License-Identifier: Apache-2.0 + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * This file is part of mbed TLS (https://tls.mbed.org) + */ + +/** + * Note: For the time being, this application of the PKCS7 cryptographic + * message syntax is a partial implementation of RFC 2315. + * Differences include: + * - The RFC specifies 6 different content types. The only type currently + * supported in MbedTLS is the signed data content type. + * - The only supported PKCS7 Signed Data syntax version is version 1 + * - The RFC specifies support for BER. This application is limited to + * DER only. + * - The RFC specifies that multiple digest algorithms can be specified + * in the Signed Data type. Only one digest algorithm is supported in MbedTLS. + * - The RFC specifies the Signed Data certificate format can be + * X509 or PKCS6. The only type currently supported in MbedTLS is X509. + * - The RFC specifies the Signed Data type can contain + * certificate-revocation lists (crls). This application has no support + * for crls so it is assumed to be an empty list. + * - The RFC specifies support for multiple signers. This application only + * supports the Signed Data type with a single signer. + */ + +#ifndef MBEDTLS_PKCS7_H +#define MBEDTLS_PKCS7_H + +#include "mbedtls/build_info.h" + +#include "asn1.h" +#include "x509.h" +#include "x509_crt.h" + +/** + * \name PKCS7 Module Error codes + * \{ + */ +#define MBEDTLS_ERR_PKCS7_INVALID_FORMAT -0x5300 /**< The format is invalid, e.g. different type expected. */ +#define MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE -0x53F0 /**< Unavailable feature, e.g. anything other than signed data. */ +#define MBEDTLS_ERR_PKCS7_INVALID_VERSION -0x5400 /**< The PKCS7 version element is invalid or cannot be parsed. */ +#define MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO -0x54F0 /**< The PKCS7 content info invalid or cannot be parsed. */ +#define MBEDTLS_ERR_PKCS7_INVALID_ALG -0x5500 /**< The algorithm tag or value is invalid or cannot be parsed. */ +#define MBEDTLS_ERR_PKCS7_INVALID_CERT -0x55F0 /**< The certificate tag or value is invalid or cannot be parsed. */ +#define MBEDTLS_ERR_PKCS7_INVALID_SIGNATURE -0x5600 /**< Error parsing the signature */ +#define MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO -0x56F0 /**< Error parsing the signer's info */ +#define MBEDTLS_ERR_PKCS7_BAD_INPUT_DATA -0x5700 /**< Input invalid. */ +#define MBEDTLS_ERR_PKCS7_ALLOC_FAILED -0x57F0 /**< Allocation of memory failed. */ +#define MBEDTLS_ERR_PKCS7_VERIFY_FAIL -0x5800 /**< Verification Failed */ +/* \} name */ + +/** + * \name PKCS7 Supported Version + * \{ + */ +#define MBEDTLS_PKCS7_SUPPORTED_VERSION 0x01 +/* \} name */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * Type-length-value structure that allows for ASN1 using DER. + */ +typedef mbedtls_asn1_buf mbedtls_pkcs7_buf; + +/** + * Container for ASN1 named information objects. + * It allows for Relative Distinguished Names (e.g. cn=localhost,ou=code,etc.). + */ +typedef mbedtls_asn1_named_data mbedtls_pkcs7_name; + +/** + * Container for a sequence of ASN.1 items + */ +typedef mbedtls_asn1_sequence mbedtls_pkcs7_sequence; + +/** + * Structure holding PKCS7 signer info + */ +typedef struct mbedtls_pkcs7_signer_info +{ + int version; + mbedtls_x509_buf serial; + mbedtls_x509_name issuer; + mbedtls_x509_buf issuer_raw; + mbedtls_x509_buf alg_identifier; + mbedtls_x509_buf sig_alg_identifier; + mbedtls_x509_buf sig; + struct mbedtls_pkcs7_signer_info *next; +} +mbedtls_pkcs7_signer_info; + +/** + * Structure holding attached data as part of PKCS7 signed data format + */ +typedef struct mbedtls_pkcs7_data +{ + mbedtls_pkcs7_buf oid; + mbedtls_pkcs7_buf data; +} +mbedtls_pkcs7_data; + +/** + * Structure holding the signed data section + */ +typedef struct mbedtls_pkcs7_signed_data +{ + int version; + mbedtls_pkcs7_buf digest_alg_identifiers; + struct mbedtls_pkcs7_data content; + int no_of_certs; + mbedtls_x509_crt certs; + int no_of_crls; + mbedtls_x509_crl crl; + int no_of_signers; + mbedtls_pkcs7_signer_info signers; +} +mbedtls_pkcs7_signed_data; + +/** + * Structure holding PKCS7 structure, only signed data for now + */ +typedef struct mbedtls_pkcs7 +{ + mbedtls_pkcs7_buf raw; + mbedtls_pkcs7_buf content_type_oid; + mbedtls_pkcs7_signed_data signed_data; +} +mbedtls_pkcs7; + +/** + * \brief Initialize pkcs7 structure. + * + * \param pkcs7 pkcs7 structure. + */ +void mbedtls_pkcs7_init( mbedtls_pkcs7 *pkcs7 ); + +/** + * \brief Parse a single DER formatted pkcs7 content. + * + * \param pkcs7 The pkcs7 structure to be filled by parser for the output. + * \param buf The buffer holding the DER encoded pkcs7. + * \param buflen The size in Bytes of \p buf. + * + * \note This function makes an internal copy of the PKCS7 buffer + * \p buf. In particular, \p buf may be destroyed or reused + * after this call returns. + * + * \return \c 0, if successful. + * \return A negative error code on failure. + */ +int mbedtls_pkcs7_parse_der( mbedtls_pkcs7 *pkcs7, const unsigned char *buf, + const size_t buflen ); + +/** + * \brief Verification of PKCS7 signature. + * + * \param pkcs7 PKCS7 structure containing signature. + * \param cert Certificate containing key to verify signature. + * \param data Plain data on which signature has to be verified. + * \param datalen Length of the data. + * + * \note This function internally calculates the hash on the supplied + * plain data for signature verification. + * + * \return A negative error code on failure. + */ +int mbedtls_pkcs7_signed_data_verify( mbedtls_pkcs7 *pkcs7, + const mbedtls_x509_crt *cert, + const unsigned char *data, + size_t datalen ); + +/** + * \brief Verification of PKCS7 signature. + * + * \param pkcs7 PKCS7 structure containing signature. + * \param cert Certificate containing key to verify signature. + * \param hash Hash of the plain data on which signature has to be verified. + * \param hashlen Length of the hash. + * + * \note This function is different from mbedtls_pkcs7_signed_data_verify() + * in a way that it directly recieves the hash of the data. + * + * \return A negative error code on failure. + */ +int mbedtls_pkcs7_signed_hash_verify( mbedtls_pkcs7 *pkcs7, + const mbedtls_x509_crt *cert, + const unsigned char *hash, size_t hashlen); + +/** + * \brief Unallocate all PKCS7 data and zeroize the memory. + * It doesn't free pkcs7 itself. It should be done by the caller. + * + * \param pkcs7 PKCS7 structure to free. + */ +void mbedtls_pkcs7_free( mbedtls_pkcs7 *pkcs7 ); + +#ifdef __cplusplus +} +#endif + +#endif /* pkcs7.h */ diff --git a/library/Makefile b/library/Makefile index 85cea6b08..a78026706 100644 --- a/library/Makefile +++ b/library/Makefile @@ -165,6 +165,7 @@ OBJS_X509= \ x509_csr.o \ x509write_crt.o \ x509write_csr.o \ + pkcs7.o \ # This line is intentionally left blank OBJS_TLS= \ diff --git a/library/pkcs7.c b/library/pkcs7.c new file mode 100644 index 000000000..c3236e188 --- /dev/null +++ b/library/pkcs7.c @@ -0,0 +1,561 @@ +/* Copyright 2019 IBM Corp. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + * implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +#include "common.h" + +#include "mbedtls/build_info.h" +#if defined(MBEDTLS_PKCS7_C) +#include "mbedtls/pkcs7.h" +#include "mbedtls/x509.h" +#include "mbedtls/asn1.h" +#include "mbedtls/x509_crt.h" +#include "mbedtls/x509_crl.h" +#include "mbedtls/oid.h" + +#include +#include +#include +#if defined(MBEDTLS_FS_IO) +#include +#include +#endif + +#if defined(MBEDTLS_PLATFORM_C) +#include "mbedtls/platform.h" +#include "mbedtls/platform_util.h" +#else +#include +#include +#define mbedtls_free free +#define mbedtls_calloc calloc +#define mbedtls_printf printf +#define mbedtls_snprintf snprintf +#endif + +#if defined(MBEDTLS_HAVE_TIME) +#include "mbedtls/platform_time.h" +#endif +#if defined(MBEDTLS_HAVE_TIME_DATE) +#include +#endif + +/** + * Initializes the pkcs7 structure. + */ +void mbedtls_pkcs7_init( mbedtls_pkcs7 *pkcs7 ) +{ + memset( pkcs7, 0, sizeof( mbedtls_pkcs7 ) ); + pkcs7->raw.p = NULL; +} + +static int pkcs7_get_next_content_len( unsigned char **p, unsigned char *end, + size_t *len ) +{ + int ret; + + if( ( ret = mbedtls_asn1_get_tag( p, end, len, MBEDTLS_ASN1_CONSTRUCTED + | MBEDTLS_ASN1_CONTEXT_SPECIFIC ) ) != 0 ) + { + return( MBEDTLS_ERR_PKCS7_INVALID_FORMAT + ret ); + } + + return( 0 ); +} + +/** + * version Version + * Version ::= INTEGER + **/ +static int pkcs7_get_version( unsigned char **p, unsigned char *end, int *ver ) +{ + int ret; + + if( ( ret = mbedtls_asn1_get_int( p, end, ver ) ) != 0 ) + return( MBEDTLS_ERR_PKCS7_INVALID_VERSION + ret ); + + /* If version != 1, return invalid version */ + if( *ver != MBEDTLS_PKCS7_SUPPORTED_VERSION ) + return( MBEDTLS_ERR_PKCS7_INVALID_VERSION ); + + return( 0 ); +} + +/** + * ContentInfo ::= SEQUENCE { + * contentType ContentType, + * content + * [0] EXPLICIT ANY DEFINED BY contentType OPTIONAL } + **/ +static int pkcs7_get_content_info_type( unsigned char **p, unsigned char *end, + mbedtls_pkcs7_buf *pkcs7 ) +{ + size_t len = 0; + int ret; + + ret = mbedtls_asn1_get_tag( p, end, &len, MBEDTLS_ASN1_CONSTRUCTED + | MBEDTLS_ASN1_SEQUENCE ); + if( ret != 0 ) + return( MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO + ret ); + + ret = mbedtls_asn1_get_tag( p, end, &len, MBEDTLS_ASN1_OID ); + if( ret != 0 ) + return( MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO + ret ); + + pkcs7->tag = MBEDTLS_ASN1_OID; + pkcs7->len = len; + pkcs7->p = *p; + + return( ret ); +} + +/** + * DigestAlgorithmIdentifier ::= AlgorithmIdentifier + * + * This is from x509.h + **/ +static int pkcs7_get_digest_algorithm( unsigned char **p, unsigned char *end, + mbedtls_x509_buf *alg ) +{ + int ret; + + if( ( ret = mbedtls_asn1_get_alg_null( p, end, alg ) ) != 0 ) + return( MBEDTLS_ERR_PKCS7_INVALID_ALG ); + + return( 0 ); +} + +/** + * DigestAlgorithmIdentifiers :: SET of DigestAlgorithmIdentifier + **/ +static int pkcs7_get_digest_algorithm_set( unsigned char **p, + unsigned char *end, + mbedtls_x509_buf *alg ) +{ + size_t len = 0; + int ret; + + ret = mbedtls_asn1_get_tag( p, end, &len, MBEDTLS_ASN1_CONSTRUCTED + | MBEDTLS_ASN1_SET ); + if( ret != 0 ) + return( MBEDTLS_ERR_PKCS7_INVALID_ALG + ret ); + + end = *p + len; + + /** For now, it assumes there is only one digest algorithm specified **/ + ret = mbedtls_asn1_get_alg_null( p, end, alg ); + if( ret != 0 ) + return( MBEDTLS_ERR_PKCS7_INVALID_ALG + ret ); + + if ( *p != end ) + return ( MBEDTLS_ERR_PKCS7_INVALID_FORMAT ); + + return( 0 ); +} + +/** + * certificates :: SET OF ExtendedCertificateOrCertificate, + * ExtendedCertificateOrCertificate ::= CHOICE { + * certificate Certificate -- x509, + * extendedCertificate[0] IMPLICIT ExtendedCertificate } + * Return number of certificates added to the signed data, + * 0 or higher is valid. + * Return negative error code for failure. + **/ +static int pkcs7_get_certificates( unsigned char **p, unsigned char *end, + mbedtls_x509_crt *certs ) +{ + int ret; + size_t len1 = 0; + size_t len2 = 0; + unsigned char *end_set, *end_cert; + unsigned char *start = *p; + + if( ( ret = mbedtls_asn1_get_tag( p, end, &len1, MBEDTLS_ASN1_CONSTRUCTED + | MBEDTLS_ASN1_CONTEXT_SPECIFIC ) ) != 0 ) + { + if( ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ) + return( 0 ); + + return( MBEDTLS_ERR_PKCS7_INVALID_FORMAT + ret ); + } + start = *p; + end_set = *p + len1; + + ret = mbedtls_asn1_get_tag( p, end_set, &len2, MBEDTLS_ASN1_CONSTRUCTED + | MBEDTLS_ASN1_SEQUENCE ); + if( ret != 0 ) + return( MBEDTLS_ERR_PKCS7_INVALID_CERT + ret ); + + end_cert = *p + len2; + + /* + * This is to verify that there is only one signer certificate. It seems it is + * not easy to differentiate between the chain vs different signer's certificate. + * So, we support only the root certificate and the single signer. + * The behaviour would be improved with addition of multiple signer support. + */ + if (end_cert != end_set) + return ( MBEDTLS_ERR_PKCS7_INVALID_CERT ); + + *p = start; + if( ( ret = mbedtls_x509_crt_parse( certs, *p, len1 ) ) < 0 ) + return( MBEDTLS_ERR_PKCS7_INVALID_CERT ); + + *p = *p + len1; + + /* Since in this version we strictly support single certificate, and reaching + * here implies we have parsed successfully, we return 1. */ + + return( 1 ); +} + +/** + * EncryptedDigest ::= OCTET STRING + **/ +static int pkcs7_get_signature( unsigned char **p, unsigned char *end, + mbedtls_pkcs7_buf *signature ) +{ + int ret; + size_t len = 0; + + ret = mbedtls_asn1_get_tag( p, end, &len, MBEDTLS_ASN1_OCTET_STRING ); + if( ret != 0 ) + return( ret ); + + signature->tag = MBEDTLS_ASN1_OCTET_STRING; + signature->len = len; + signature->p = *p; + + *p = *p + len; + + return( 0 ); +} + +/** + * SignerInfos ::= SET of SignerInfo + * SignerInfo ::= SEQUENCE { + * version Version; + * issuerAndSerialNumber IssuerAndSerialNumber, + * digestAlgorithm DigestAlgorithmIdentifier, + * authenticatedAttributes + * [0] IMPLICIT Attributes OPTIONAL, + * digestEncryptionAlgorithm DigestEncryptionAlgorithmIdentifier, + * encryptedDigest EncryptedDigest, + * unauthenticatedAttributes + * [1] IMPLICIT Attributes OPTIONAL, + * Return number of signers added to the signed data, + * 0 or higher is valid. + * Return negative error code for failure. + **/ +static int pkcs7_get_signers_info_set( unsigned char **p, unsigned char *end, + mbedtls_pkcs7_signer_info *signers_set ) +{ + unsigned char *end_set, *end_set_signer; + int ret; + size_t len = 0; + + ret = mbedtls_asn1_get_tag( p, end, &len, MBEDTLS_ASN1_CONSTRUCTED + | MBEDTLS_ASN1_SET ); + if( ret != 0 ) + return( MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO + ret ); + + end_set = *p + len; + + ret = mbedtls_asn1_get_tag( p, end_set, &len, MBEDTLS_ASN1_CONSTRUCTED + | MBEDTLS_ASN1_SEQUENCE ); + if( ret != 0 ) + return( MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO + ret ); + + end_set_signer = *p + len; + if (end_set_signer != end_set) + return ( MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO ); + + end_set = end_set_signer; + + ret = mbedtls_asn1_get_int( p, end_set, &signers_set->version ); + if( ret != 0 ) + return( MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO ); + + ret = mbedtls_asn1_get_tag( p, end_set, &len, MBEDTLS_ASN1_CONSTRUCTED + | MBEDTLS_ASN1_SEQUENCE ); + if( ret != 0 ) + return( MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO + ret ); + + /* Parsing IssuerAndSerialNumber */ + signers_set->issuer_raw.p = *p; + + ret = mbedtls_asn1_get_tag( p, end_set, &len, MBEDTLS_ASN1_CONSTRUCTED + | MBEDTLS_ASN1_SEQUENCE ); + if( ret != 0 ) + return( MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO + ret ); + + ret = mbedtls_x509_get_name( p, *p + len, &signers_set->issuer ); + if( ret != 0 ) + return( MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO ); + + signers_set->issuer_raw.len = *p - signers_set->issuer_raw.p; + + ret = mbedtls_x509_get_serial( p, end_set, &signers_set->serial ); + if( ret != 0 ) + return( MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO ); + + ret = pkcs7_get_digest_algorithm( p, end_set, &signers_set->alg_identifier ); + if( ret != 0 ) + return( MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO ); + + ret = pkcs7_get_digest_algorithm( p, end_set, &signers_set->sig_alg_identifier ); + if( ret != 0 ) + return( MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO ); + + ret = pkcs7_get_signature( p, end_set, &signers_set->sig ); + if( ret != 0 ) + return( MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO ); + + signers_set->next = NULL; + + if (*p != end_set) + return ( MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO ); + + /* Since in this version we strictly support single signer, and reaching + * here implies we have parsed successfully, we return 1. */ + + return( 1 ); +} + +/** + * SignedData ::= SEQUENCE { + * version Version, + * digestAlgorithms DigestAlgorithmIdentifiers, + * contentInfo ContentInfo, + * certificates + * [0] IMPLICIT ExtendedCertificatesAndCertificates + * OPTIONAL, + * crls + * [0] IMPLICIT CertificateRevocationLists OPTIONAL, + * signerInfos SignerInfos } + */ +static int pkcs7_get_signed_data( unsigned char *buf, size_t buflen, + mbedtls_pkcs7_signed_data *signed_data ) +{ + unsigned char *p = buf; + unsigned char *end = buf + buflen; + unsigned char *end_set; + size_t len = 0; + int ret; + mbedtls_md_type_t md_alg; + + ret = mbedtls_asn1_get_tag( &p, end, &len, MBEDTLS_ASN1_CONSTRUCTED + | MBEDTLS_ASN1_SEQUENCE ); + if( ret != 0 ) + return( MBEDTLS_ERR_PKCS7_INVALID_FORMAT + ret ); + + end_set = p + len; + + /* Get version of signed data */ + ret = pkcs7_get_version( &p, end_set, &signed_data->version ); + if( ret != 0 ) + return( ret ); + + /* Get digest algorithm */ + ret = pkcs7_get_digest_algorithm_set( &p, end_set, + &signed_data->digest_alg_identifiers ); + if( ret != 0 ) + return( ret ); + + ret = mbedtls_oid_get_md_alg( &signed_data->digest_alg_identifiers, &md_alg ); + if( ret != 0 ) + return( MBEDTLS_ERR_PKCS7_INVALID_ALG ); + + /* Do not expect any content */ + ret = pkcs7_get_content_info_type( &p, end_set, &signed_data->content.oid ); + if( ret != 0 ) + return( ret ); + + if( MBEDTLS_OID_CMP( MBEDTLS_OID_PKCS7_DATA, &signed_data->content.oid ) ) + { + return( MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO ) ; + } + + p = p + signed_data->content.oid.len; + + /* Look for certificates, there may or may not be any */ + mbedtls_x509_crt_init( &signed_data->certs ); + ret = pkcs7_get_certificates( &p, end_set, &signed_data->certs ); + if( ret < 0 ) + return( ret ) ; + + signed_data->no_of_certs = ret; + + /* + * Currently CRLs are not supported. If CRL exist, the parsing will fail + * at next step of getting signers info and return error as invalid + * signer info. + */ + + signed_data->no_of_crls = 0; + + /* Get signers info */ + ret = pkcs7_get_signers_info_set( &p, end_set, &signed_data->signers ); + if( ret < 0 ) + return( ret ); + + signed_data->no_of_signers = ret; + + /* Support single signer */ + if ( p != end ) + ret = MBEDTLS_ERR_PKCS7_INVALID_FORMAT; + + ret = 0; + return( ret ); +} + +int mbedtls_pkcs7_parse_der( mbedtls_pkcs7 *pkcs7, const unsigned char *buf, + const size_t buflen ) +{ + unsigned char *start; + unsigned char *end; + size_t len = 0; + int ret; + + if( !pkcs7 ) + return( MBEDTLS_ERR_PKCS7_BAD_INPUT_DATA ); + + /* make an internal copy of the buffer for parsing */ + pkcs7->raw.p = start = mbedtls_calloc( 1, buflen ); + if( pkcs7->raw.p == NULL ) + { + return( MBEDTLS_ERR_PKCS7_ALLOC_FAILED ); + } + memcpy( start, buf, buflen ); + pkcs7->raw.len = buflen; + end = start + buflen; + + ret = pkcs7_get_content_info_type( &start, end, &pkcs7->content_type_oid ); + if( ret != 0 ) + goto out; + + if( ! MBEDTLS_OID_CMP( MBEDTLS_OID_PKCS7_DATA, &pkcs7->content_type_oid ) + || ! MBEDTLS_OID_CMP( MBEDTLS_OID_PKCS7_ENCRYPTED_DATA, &pkcs7->content_type_oid ) + || ! MBEDTLS_OID_CMP( MBEDTLS_OID_PKCS7_ENVELOPED_DATA, &pkcs7->content_type_oid ) + || ! MBEDTLS_OID_CMP( MBEDTLS_OID_PKCS7_SIGNED_AND_ENVELOPED_DATA, &pkcs7->content_type_oid ) + || ! MBEDTLS_OID_CMP( MBEDTLS_OID_PKCS7_DIGESTED_DATA, &pkcs7->content_type_oid ) + || ! MBEDTLS_OID_CMP( MBEDTLS_OID_PKCS7_ENCRYPTED_DATA, &pkcs7->content_type_oid ) ) + { + ret = MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE; + goto out; + } + + if( MBEDTLS_OID_CMP( MBEDTLS_OID_PKCS7_SIGNED_DATA, &pkcs7->content_type_oid ) ) + { + ret = MBEDTLS_ERR_PKCS7_BAD_INPUT_DATA; + goto out; + } + + start = start + pkcs7->content_type_oid.len; + + ret = pkcs7_get_next_content_len( &start, end, &len ); + if( ret != 0 ) + goto out; + + ret = pkcs7_get_signed_data( start, len, &pkcs7->signed_data ); + +out: + if ( ret != 0 ) + mbedtls_pkcs7_free( pkcs7 ); + return( ret ); +} + +int mbedtls_pkcs7_signed_data_verify( mbedtls_pkcs7 *pkcs7, + const mbedtls_x509_crt *cert, + const unsigned char *data, + size_t datalen ) +{ + + int ret; + unsigned char *hash; + mbedtls_pk_context pk_cxt = cert->pk; + const mbedtls_md_info_t *md_info; + mbedtls_md_type_t md_alg; + + ret = mbedtls_oid_get_md_alg( &pkcs7->signed_data.digest_alg_identifiers, &md_alg ); + if( ret != 0 ) + return( MBEDTLS_ERR_PKCS7_VERIFY_FAIL ); + + md_info = mbedtls_md_info_from_type( md_alg ); + + hash = mbedtls_calloc( mbedtls_md_get_size( md_info ), 1 ); + if( hash == NULL ) { + return( MBEDTLS_ERR_PKCS7_ALLOC_FAILED ); + } + + mbedtls_md( md_info, data, datalen, hash ); + + ret = mbedtls_pk_verify( &pk_cxt, md_alg, hash, 0, + pkcs7->signed_data.signers.sig.p, + pkcs7->signed_data.signers.sig.len ); + + mbedtls_free( hash ); + + return( ret ); +} + +int mbedtls_pkcs7_signed_hash_verify( mbedtls_pkcs7 *pkcs7, + const mbedtls_x509_crt *cert, + const unsigned char *hash, size_t hashlen) +{ + int ret; + mbedtls_md_type_t md_alg; + mbedtls_pk_context pk_cxt; + + ret = mbedtls_oid_get_md_alg( &pkcs7->signed_data.digest_alg_identifiers, &md_alg ); + if( ret != 0 ) + return( MBEDTLS_ERR_PKCS7_VERIFY_FAIL ); + + pk_cxt = cert->pk; + ret = mbedtls_pk_verify( &pk_cxt, md_alg, hash, hashlen, + pkcs7->signed_data.signers.sig.p, + pkcs7->signed_data.signers.sig.len ); + + return ( ret ); +} + +/* + * Unallocate all pkcs7 data + */ +void mbedtls_pkcs7_free( mbedtls_pkcs7 *pkcs7 ) +{ + mbedtls_x509_name *name_cur; + mbedtls_x509_name *name_prv; + + if( pkcs7 == NULL || pkcs7->raw.p == NULL ) + return; + + mbedtls_free( pkcs7->raw.p ); + + mbedtls_x509_crt_free( &pkcs7->signed_data.certs ); + mbedtls_x509_crl_free( &pkcs7->signed_data.crl ); + + name_cur = pkcs7->signed_data.signers.issuer.next; + while( name_cur != NULL ) + { + name_prv = name_cur; + name_cur = name_cur->next; + mbedtls_free( name_prv ); + } + + pkcs7->raw.p = NULL; +} + +#endif diff --git a/scripts/config.py b/scripts/config.py index f045f98f9..1e0f8270c 100755 --- a/scripts/config.py +++ b/scripts/config.py @@ -306,6 +306,7 @@ def include_in_crypto(name): if name in [ 'MBEDTLS_DEBUG_C', # part of libmbedtls 'MBEDTLS_NET_C', # part of libmbedtls + 'MBEDTLS_PKCS7_C', # part of libmbedx509 ]: return False return True diff --git a/tests/data_files/Makefile b/tests/data_files/Makefile index 6187d17bc..288b01f18 100644 --- a/tests/data_files/Makefile +++ b/tests/data_files/Makefile @@ -1131,6 +1131,98 @@ ecdsa_secp521r1.crt: ecdsa_secp521r1.csr all_final += ecdsa_secp521r1.crt ecdsa_secp521r1.key tls13_certs: ecdsa_secp521r1.crt ecdsa_secp521r1.key +# PKCS7 test data +pkcs7_test_cert_1 = pkcs7-rsa-sha256-1.crt +pkcs7_test_cert_2 = pkcs7-rsa-sha256-2.crt +pkcs7_test_file = pkcs7_data.txt + +# Generate signing cert +pkcs7-rsa-sha256-1.crt: + $(OPENSSL) req -x509 -subj="/C=NL/O=PKCS7/CN=PKCS7 Cert 1" -sha256 -nodes -days 365 -newkey rsa:2048 -keyout pkcs7-rsa-sha256-1.key -out pkcs7-rsa-sha256-1.crt + cat pkcs7-rsa-sha256-1.crt pkcs7-rsa-sha256-1.key > pkcs7-rsa-sha256-1.pem +all_final += pkcs7-rsa-sha256-1.crt + +pkcs7-rsa-sha256-2.crt: + $(OPENSSL) req -x509 -subj="/C=NL/O=PKCS7/CN=PKCS7 Cert 2" -sha256 -nodes -days 365 -newkey rsa:2048 -keyout pkcs7-rsa-sha256-2.key -out pkcs7-rsa-sha256-2.crt + cat pkcs7-rsa-sha256-2.crt pkcs7-rsa-sha256-2.key > pkcs7-rsa-sha256-2.pem +all_final += pkcs7-rsa-sha256-2.crt + +# Generate data file to be signed +pkcs7_data.txt: + echo "Hello" > $@ + echo 2 >> pkcs7_data_1.txt +all_final += pkcs7_data.txt + +# Generate another data file to check hash mismatch during certificate verification +pkcs7_data_1.txt: $(pkcs7_test_file) + cat $(pkcs7_test_file) > $@ + echo 2 >> $@ +all_final += pkcs7_data_1.txt + +# pkcs7 signature file with CERT +pkcs7_data_cert_signed_sha256.der: $(pkcs7_test_file) $(pkcs7_test_cert_1) + $(OPENSSL) smime -sign -binary -in pkcs7_data.txt -out $@ -md sha256 -signer pkcs7-rsa-sha256-1.pem -noattr -outform DER -out $@ +all_final += pkcs7_data_cert_signed_sha256.der + +# pkcs7 signature file with CERT and sha1 +pkcs7_data_cert_signed_sha1.der: $(pkcs7_test_file) $(pkcs7_test_cert_1) + $(OPENSSL) smime -sign -binary -in pkcs7_data.txt -out $@ -md sha1 -signer pkcs7-rsa-sha256-1.pem -noattr -outform DER -out $@ +all_final += pkcs7_data_cert_signed_sha1.der + +# pkcs7 signature file with CERT and sha512 +pkcs7_data_cert_signed_sha512.der: $(pkcs7_test_file) $(pkcs7_test_cert_1) + $(OPENSSL) smime -sign -binary -in pkcs7_data.txt -out $@ -md sha512 -signer pkcs7-rsa-sha256-1.pem -noattr -outform DER -out $@ +all_final += pkcs7_data_cert_signed_sha512.der + +# pkcs7 signature file without CERT +pkcs7_data_without_cert_signed.der: $(pkcs7_test_file) $(pkcs7_test_cert_1) + $(OPENSSL) smime -sign -binary -in pkcs7_data.txt -out $@ -md sha256 -signer pkcs7-rsa-sha256-1.pem -nocerts -noattr -outform DER -out $@ +all_final += pkcs7_data_without_cert_signed.der + +# pkcs7 signature file with multiple signers +pkcs7_data_multiple_signed.der: $(pkcs7_test_file) $(pkcs7_test_cert_1) $(pkcs7_test_cert_2) + $(OPENSSL) smime -sign -binary -in pkcs7_data.txt -out $@ -md sha256 -signer pkcs7-rsa-sha256-1.pem -signer pkcs7-rsa-sha256-2.pem -nocerts -noattr -outform DER -out $@ +all_final += pkcs7_data_multiple_signed.der + +# pkcs7 signature file with multiple certificates +pkcs7_data_multiple_certs_signed.der: $(pkcs7_test_file) $(pkcs7_test_cert_1) $(pkcs7_test_cert_2) + $(OPENSSL) smime -sign -binary -in pkcs7_data.txt -out $@ -md sha256 -signer pkcs7-rsa-sha256-1.pem -signer pkcs7-rsa-sha256-2.pem -noattr -outform DER -out $@ +all_final += pkcs7_data_multiple_certs_signed.der + +# pkcs7 signature file with corrupted CERT +pkcs7_data_signed_badcert.der: pkcs7_data_cert_signed_sha256.der + cp pkcs7_data_cert_signed_sha256.der $@ + echo -en '\xa1' | dd of=$@ bs=1 seek=547 conv=notrunc +all_final += pkcs7_data_signed_badcert.der + +# pkcs7 signature file with corrupted signer info +pkcs7_data_signed_badsigner.der: pkcs7_data_cert_signed_sha256.der + cp pkcs7_data_cert_signed_sha256.der $@ + echo -en '\xa1' | dd of=$@ bs=1 seek=918 conv=notrunc +all_final += pkcs7_data_signed_badsigner.der + +# pkcs7 file with version 2 +pkcs7_data_cert_signed_v2.der: pkcs7_data_cert_signed_sha256.der + cp pkcs7_data_cert_signed_sha256.der $@ + echo -en '\x02' | dd of=$@ bs=1 seek=25 conv=notrunc +all_final += pkcs7_data_cert_signed_v2.der + +pkcs7_data_cert_encrypted.der: $(pkcs7_test_file) $(pkcs7_test_cert_1) + $(OPENSSL) smime -encrypt -aes256 -in pkcs7_data.txt -binary -outform DER -out $@ pkcs7-rsa-sha256-1.crt +all_final += pkcs7_data_cert_encrypted.der + +## Negative tests +# For some interesting sizes, what happens if we make them off-by-one? +pkcs7_signerInfo_issuer_invalid_size.der: pkcs7_data_cert_signed_sha256.der + cp $< $@ + echo -en '\x35' | dd of=$@ seek=919 bs=1 conv=notrunc +all_final += pkcs7_signerInfo_issuer_invalid_size.der + +pkcs7_signerInfo_serial_invalid_size.der: pkcs7_data_cert_signed_sha256.der + cp $< $@ + echo -en '\x15' | dd of=$@ seek=973 bs=1 conv=notrunc +all_final += pkcs7_signerInfo_serial_invalid_size.der + ################################################################ #### Diffie-Hellman parameters ################################################################ diff --git a/tests/suites/test_suite_pkcs7.data b/tests/suites/test_suite_pkcs7.data new file mode 100644 index 000000000..870e83bb8 --- /dev/null +++ b/tests/suites/test_suite_pkcs7.data @@ -0,0 +1,53 @@ +PKCS7 Signed Data Parse Pass SHA256 #1 +pkcs7_parse:"data_files/pkcs7_data_cert_signed_sha256.der" + +PKCS7 Signed Data Parse Pass SHA1 #2 +depends_on:MBEDTLS_SHA1_C +pkcs7_parse:"data_files/pkcs7_data_cert_signed_sha1.der" + +PKCS7 Signed Data Parse Pass Without CERT #3 +pkcs7_parse_without_cert:"data_files/pkcs7_data_without_cert_signed.der" + +PKCS7 Signed Data Parse Fail with multiple signers #4 +pkcs7_parse_multiple_signers:"data_files/pkcs7_data_multiple_signed.der" + +PKCS7 Signed Data Parse Fail with multiple certs #4 +pkcs7_parse_multiple_signers:"data_files/pkcs7_data_multiple_certs_signed.der" + +PKCS7 Signed Data Parse Fail with corrupted cert #5 +pkcs7_parse_corrupted_cert:"data_files/pkcs7_data_signed_badcert.der" + +PKCS7 Signed Data Parse Fail with corrupted signer info #6 +pkcs7_parse_corrupted_signer_info:"data_files/pkcs7_data_signed_badsigner.der" + +PKCS7 Signed Data Parse Fail Version other than 1 #7 +pkcs7_parse_version:"data_files/pkcs7_data_cert_signed_v2.der" + +PKCS7 Signed Data Parse Fail Encrypted Content #8 +pkcs7_parse_content_oid:"data_files/pkcs7_data_cert_encrypted.der" + +PKCS7 Signed Data Verification Pass SHA256 #9 +pkcs7_verify:"data_files/pkcs7_data_cert_signed_sha256.der":"data_files/pkcs7-rsa-sha256-1.crt":"data_files/pkcs7_data.txt" + +PKCS7 Signed Data Verification Pass SHA256 #9.1 +pkcs7_verify_hash:"data_files/pkcs7_data_cert_signed_sha256.der":"data_files/pkcs7-rsa-sha256-1.crt":"data_files/pkcs7_data.txt" + +PKCS7 Signed Data Verification Pass SHA1 #10 +depends_on:MBEDTLS_SHA1_C +pkcs7_verify:"data_files/pkcs7_data_cert_signed_sha1.der":"data_files/pkcs7-rsa-sha256-1.crt":"data_files/pkcs7_data.txt" + +PKCS7 Signed Data Verification Pass SHA512 #11 +depends_on:MBEDTLS_SHA512_C +pkcs7_verify:"data_files/pkcs7_data_cert_signed_sha512.der":"data_files/pkcs7-rsa-sha256-1.crt":"data_files/pkcs7_data.txt" + +PKCS7 Signed Data Verification Fail because of different certificate #12 +pkcs7_verify_badcert:"data_files/pkcs7_data_cert_signed_sha256.der":"data_files/pkcs7-rsa-sha256-2.crt":"data_files/pkcs7_data.txt" + +PKCS7 Signed Data Verification Fail because of different data hash #13 +pkcs7_verify_tampered_data:"data_files/pkcs7_data_cert_signed_sha256.der":"data_files/pkcs7-rsa-sha256-1.crt":"data_files/pkcs7_data_1.txt" + +PKCS7 Signed Data Parse Failure Corrupt signerInfo.issuer #15.1 +pkcs7_parse_failure:"data_files/pkcs7_signerInfo_issuer_invalid_size.der" + +PKCS7 Signed Data Parse Failure Corrupt signerInfo.serial #15.2 +pkcs7_parse_failure:"data_files/pkcs7_signerInfo_serial_invalid_size.der" diff --git a/tests/suites/test_suite_pkcs7.function b/tests/suites/test_suite_pkcs7.function new file mode 100644 index 000000000..b5ef2ef36 --- /dev/null +++ b/tests/suites/test_suite_pkcs7.function @@ -0,0 +1,420 @@ +/* BEGIN_HEADER */ +#include "mbedtls/bignum.h" +#include "mbedtls/pkcs7.h" +#include "mbedtls/x509.h" +#include "mbedtls/x509_crt.h" +#include "mbedtls/x509_crl.h" +#include "mbedtls/oid.h" +#include "sys/types.h" +#include "sys/stat.h" +/* END_HEADER */ + +/* BEGIN_DEPENDENCIES + * depends_on:MBEDTLS_PKCS7_C:MBEDTLS_FS_IO + * END_DEPENDENCIES + */ + +/* BEGIN_CASE depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_SHA256_C */ +void pkcs7_parse( char *pkcs7_file ) +{ + unsigned char *pkcs7_buf = NULL; + size_t buflen; + int res; + + mbedtls_pkcs7 pkcs7; + + mbedtls_pkcs7_init( &pkcs7 ); + + res = mbedtls_pk_load_file( pkcs7_file, &pkcs7_buf, &buflen ); + TEST_ASSERT( res == 0 ); + + res = mbedtls_pkcs7_parse_der( &pkcs7, pkcs7_buf, buflen ); + TEST_ASSERT( res == 0 ); + +exit: + mbedtls_free( pkcs7_buf ); + mbedtls_pkcs7_free( &pkcs7 ); +} +/* END_CASE */ + +/* BEGIN_CASE depends_on:MBEDTLS_SHA256_C*/ +void pkcs7_parse_without_cert( char *pkcs7_file ) +{ + unsigned char *pkcs7_buf = NULL; + size_t buflen; + int res; + + mbedtls_pkcs7 pkcs7; + + mbedtls_pkcs7_init( &pkcs7 ); + + res = mbedtls_pk_load_file( pkcs7_file, &pkcs7_buf, &buflen ); + TEST_ASSERT( res == 0 ); + + res = mbedtls_pkcs7_parse_der( &pkcs7, pkcs7_buf, buflen ); + TEST_ASSERT( res == 0 ); + +exit: + mbedtls_free( pkcs7_buf ); + mbedtls_pkcs7_free( &pkcs7 ); +} +/* END_CASE */ + +/* BEGIN_CASE depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_SHA256_C */ +void pkcs7_parse_multiple_signers( char *pkcs7_file ) +{ + unsigned char *pkcs7_buf = NULL; + size_t buflen; + int res; + + mbedtls_pkcs7 pkcs7; + + mbedtls_pkcs7_init( &pkcs7 ); + + res = mbedtls_pk_load_file( pkcs7_file, &pkcs7_buf, &buflen ); + TEST_ASSERT( res == 0 ); + + res = mbedtls_pkcs7_parse_der( &pkcs7, pkcs7_buf, buflen ); + TEST_ASSERT( res < 0 ); + + switch ( res ){ + case MBEDTLS_ERR_PKCS7_INVALID_CERT: + TEST_ASSERT( res == MBEDTLS_ERR_PKCS7_INVALID_CERT ); + break; + + case MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO: + TEST_ASSERT( res == MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO ); + break; + default: + TEST_ASSERT(0); + } + +exit: + mbedtls_free( pkcs7_buf ); + mbedtls_pkcs7_free( &pkcs7 ); +} +/* END_CASE */ + +/* BEGIN_CASE depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_SHA256_C */ +void pkcs7_parse_corrupted_cert( char *pkcs7_file ) +{ + unsigned char *pkcs7_buf = NULL; + size_t buflen; + int res; + + mbedtls_pkcs7 pkcs7; + + mbedtls_pkcs7_init( &pkcs7 ); + + res = mbedtls_pk_load_file( pkcs7_file, &pkcs7_buf, &buflen ); + TEST_ASSERT( res == 0 ); + + res = mbedtls_pkcs7_parse_der( &pkcs7, pkcs7_buf, buflen ); + TEST_ASSERT( res == MBEDTLS_ERR_PKCS7_INVALID_CERT ); + +exit: + mbedtls_free( pkcs7_buf ); + mbedtls_pkcs7_free( &pkcs7 ); +} +/* END_CASE */ + +/* BEGIN_CASE depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_SHA256_C */ +void pkcs7_parse_corrupted_signer_info( char *pkcs7_file ) +{ + unsigned char *pkcs7_buf = NULL; + size_t buflen; + int res; + + mbedtls_pkcs7 pkcs7; + + mbedtls_pkcs7_init( &pkcs7 ); + + res = mbedtls_pk_load_file( pkcs7_file, &pkcs7_buf, &buflen ); + TEST_ASSERT( res == 0 ); + + res = mbedtls_pkcs7_parse_der( &pkcs7, pkcs7_buf, buflen ); + TEST_ASSERT( res < 0 ); + +exit: + mbedtls_free( pkcs7_buf ); + mbedtls_pkcs7_free( &pkcs7 ); +} +/* END_CASE */ + +/* BEGIN_CASE depends_on:MBEDTLS_SHA256_C */ +void pkcs7_parse_version( char *pkcs7_file ) +{ + unsigned char *pkcs7_buf = NULL; + size_t buflen; + int res; + + mbedtls_pkcs7 pkcs7; + + mbedtls_pkcs7_init( &pkcs7 ); + + res = mbedtls_pk_load_file( pkcs7_file, &pkcs7_buf, &buflen ); + TEST_ASSERT( res == 0 ); + + res = mbedtls_pkcs7_parse_der( &pkcs7, pkcs7_buf, buflen ); + TEST_ASSERT( res == MBEDTLS_ERR_PKCS7_INVALID_VERSION ); + +exit: + mbedtls_free( pkcs7_buf ); + mbedtls_pkcs7_free( &pkcs7 ); +} +/* END_CASE */ + +/* BEGIN_CASE depends_on:MBEDTLS_SHA256_C */ +void pkcs7_parse_content_oid( char *pkcs7_file ) +{ + unsigned char *pkcs7_buf = NULL; + size_t buflen; + int res; + mbedtls_pkcs7 pkcs7; + + mbedtls_pkcs7_init( &pkcs7 ); + + res = mbedtls_pk_load_file( pkcs7_file, &pkcs7_buf, &buflen); + TEST_ASSERT( res == 0 ); + + res = mbedtls_pkcs7_parse_der( &pkcs7, pkcs7_buf, buflen ); + TEST_ASSERT( res != 0 ); + TEST_ASSERT( res == MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE ); +exit: + mbedtls_free( pkcs7_buf ); + mbedtls_pkcs7_free( &pkcs7 ); +} +/* END_CASE */ + +/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_PKCS1_V15:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_SHA256_C */ +void pkcs7_verify( char *pkcs7_file, char *crt, char *filetobesigned ) +{ + unsigned char *pkcs7_buf = NULL; + size_t buflen; + unsigned char *data = NULL; + struct stat st; + size_t datalen; + int res; + FILE *file; + + mbedtls_pkcs7 pkcs7; + mbedtls_x509_crt x509; + + mbedtls_pkcs7_init( &pkcs7 ); + mbedtls_x509_crt_init( &x509 ); + + res = mbedtls_x509_crt_parse_file( &x509, crt ); + TEST_ASSERT( res == 0 ); + + res = mbedtls_pk_load_file( pkcs7_file, &pkcs7_buf, &buflen ); + TEST_ASSERT( res == 0 ); + + res = mbedtls_pkcs7_parse_der( &pkcs7, pkcs7_buf, buflen ); + TEST_ASSERT( res == 0 ); + mbedtls_free( pkcs7_buf ); + + res = stat(filetobesigned, &st); + TEST_ASSERT( res == 0 ); + + file = fopen( filetobesigned, "rb" ); + TEST_ASSERT( file != NULL ); + + datalen = st.st_size; + data = mbedtls_calloc( datalen, 1 ); + buflen = fread( ( void * )data , sizeof( unsigned char ), datalen, file ); + TEST_ASSERT( buflen == datalen); + + fclose(file); + + res = mbedtls_pkcs7_signed_data_verify( &pkcs7, &x509, data, datalen ); + TEST_ASSERT( res == 0 ); + +exit: + mbedtls_x509_crt_free( &x509 ); + mbedtls_free( data ); + mbedtls_pkcs7_free( &pkcs7 ); +} +/* END_CASE */ + +/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_PKCS1_V15:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_SHA256_C */ +void pkcs7_verify_hash( char *pkcs7_file, char *crt, char *filetobesigned ) +{ + unsigned char *pkcs7_buf = NULL; + size_t buflen; + unsigned char *data = NULL; + unsigned char hash[32]; + struct stat st; + size_t datalen; + int res; + FILE *file; + const mbedtls_md_info_t *md_info; + mbedtls_md_type_t md_alg; + + mbedtls_pkcs7 pkcs7; + mbedtls_x509_crt x509; + + mbedtls_pkcs7_init( &pkcs7 ); + mbedtls_x509_crt_init( &x509 ); + + res = mbedtls_x509_crt_parse_file( &x509, crt ); + TEST_ASSERT( res == 0 ); + + res = mbedtls_pk_load_file( pkcs7_file, &pkcs7_buf, &buflen ); + TEST_ASSERT( res == 0 ); + + res = mbedtls_pkcs7_parse_der( &pkcs7, pkcs7_buf, buflen ); + TEST_ASSERT( res == 0 ); + + res = stat(filetobesigned, &st); + TEST_ASSERT( res == 0 ); + + file = fopen( filetobesigned, "rb" ); + TEST_ASSERT( file != NULL ); + + datalen = st.st_size; + data = mbedtls_calloc( datalen, 1 ); + TEST_ASSERT( data != NULL); + + buflen = fread( (void *)data , sizeof( unsigned char ), datalen, file ); + TEST_ASSERT( buflen == datalen); + fclose( file ); + + res = mbedtls_oid_get_md_alg( &(pkcs7.signed_data.digest_alg_identifiers), &md_alg ); + TEST_ASSERT( res == 0 ); + TEST_ASSERT( md_alg == MBEDTLS_MD_SHA256 ); + + md_info = mbedtls_md_info_from_type( md_alg ); + + mbedtls_md( md_info, data, datalen, hash ); + + res = mbedtls_pkcs7_signed_hash_verify( &pkcs7, &x509, hash, sizeof(hash)); + TEST_ASSERT( res == 0 ); + +exit: + mbedtls_x509_crt_free( &x509 ); + mbedtls_free( data ); + mbedtls_pkcs7_free( &pkcs7 ); + mbedtls_free( pkcs7_buf ); +} +/* END_CASE */ + +/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_PKCS1_V15:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_SHA256_C */ +void pkcs7_verify_badcert( char *pkcs7_file, char *crt, char *filetobesigned ) +{ + unsigned char *pkcs7_buf = NULL; + size_t buflen; + unsigned char *data = NULL; + struct stat st; + size_t datalen; + int res; + FILE *file; + + mbedtls_pkcs7 pkcs7; + mbedtls_x509_crt x509; + + mbedtls_pkcs7_init( &pkcs7 ); + mbedtls_x509_crt_init( &x509 ); + + res = mbedtls_pk_load_file( pkcs7_file, &pkcs7_buf, &buflen ); + TEST_ASSERT( res == 0 ); + + res = mbedtls_pkcs7_parse_der( &pkcs7, pkcs7_buf, buflen ); + TEST_ASSERT( res == 0 ); + + res = mbedtls_x509_crt_parse_file( &x509, crt ); + TEST_ASSERT( res == 0 ); + + res = stat(filetobesigned, &st); + TEST_ASSERT( res == 0 ); + + file = fopen( filetobesigned, "rb" ); + TEST_ASSERT( file != NULL ); + + datalen = st.st_size; + data = mbedtls_calloc( datalen, 1 ); + buflen = fread( ( void * )data , sizeof( unsigned char ), datalen, file ); + TEST_ASSERT( buflen == datalen); + + fclose(file); + + res = mbedtls_pkcs7_signed_data_verify( &pkcs7, &x509, data, datalen ); + TEST_ASSERT( res != 0 ); + +exit: + mbedtls_x509_crt_free( &x509 ); + mbedtls_free( data ); + mbedtls_pkcs7_free( &pkcs7 ); + mbedtls_free( pkcs7_buf ); +} +/* END_CASE */ + +/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_PKCS1_V15:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_SHA256_C */ +void pkcs7_verify_tampered_data( char *pkcs7_file, char *crt, char *filetobesigned ) +{ + unsigned char *pkcs7_buf = NULL; + size_t buflen; + unsigned char *data = NULL; + struct stat st; + size_t datalen; + int res; + FILE *file; + + mbedtls_pkcs7 pkcs7; + mbedtls_x509_crt x509; + + mbedtls_pkcs7_init( &pkcs7 ); + mbedtls_x509_crt_init( &x509 ); + + res = mbedtls_pk_load_file( pkcs7_file, &pkcs7_buf, &buflen ); + TEST_ASSERT( res == 0 ); + + res = mbedtls_pkcs7_parse_der( &pkcs7, pkcs7_buf, buflen ); + TEST_ASSERT( res == 0 ); + + res = mbedtls_x509_crt_parse_file( &x509, crt ); + TEST_ASSERT( res == 0 ); + + res = stat(filetobesigned, &st); + TEST_ASSERT( res == 0 ); + + file = fopen( filetobesigned, "rb" ); + TEST_ASSERT( file != NULL ); + + datalen = st.st_size; + data = mbedtls_calloc( datalen, 1 ); + buflen = fread( ( void * )data , sizeof( unsigned char ), datalen, file ); + TEST_ASSERT( buflen == datalen); + + fclose(file); + + res = mbedtls_pkcs7_signed_data_verify( &pkcs7, &x509, data, datalen ); + TEST_ASSERT( res != 0 ); + +exit: + mbedtls_x509_crt_free( &x509 ); + mbedtls_pkcs7_free( &pkcs7 ); + mbedtls_free( data ); + mbedtls_free( pkcs7_buf ); +} +/* END_CASE */ + +/* BEGIN_CASE */ +void pkcs7_parse_failure( char *pkcs7_file ) +{ + unsigned char *pkcs7_buf = NULL; + size_t buflen; + int res; + mbedtls_pkcs7 pkcs7; + + mbedtls_pkcs7_init( &pkcs7 ); + + res = mbedtls_pk_load_file( pkcs7_file, &pkcs7_buf, &buflen ); + TEST_ASSERT( res == 0 ); + + res = mbedtls_pkcs7_parse_der( &pkcs7, pkcs7_buf, buflen ); + TEST_ASSERT( res != 0 ); +exit: + mbedtls_free( pkcs7_buf ); + mbedtls_pkcs7_free( &pkcs7 ); +} +/* END_CASE */ From 673a226698e1b268fbda06235c04618c9d94a5a1 Mon Sep 17 00:00:00 2001 From: Nayna Jain Date: Mon, 14 Dec 2020 22:44:49 +0000 Subject: [PATCH 02/35] pkcs7: add support for signed data OpenSSL provides APIs to generate only the signted data format PKCS7 i.e. without content type OID. This patch adds support to parse the data correctly even if formatted only as signed data Signed-off-by: Nayna Jain --- include/mbedtls/pkcs7.h | 16 ++++++++++++++- library/pkcs7.c | 27 +++++++++++++++++++++++--- tests/data_files/Makefile | 5 +++++ tests/suites/test_suite_pkcs7.data | 3 +++ tests/suites/test_suite_pkcs7.function | 20 +++++++++---------- 5 files changed, 57 insertions(+), 14 deletions(-) diff --git a/include/mbedtls/pkcs7.h b/include/mbedtls/pkcs7.h index 3f87dc3e2..59da147b9 100644 --- a/include/mbedtls/pkcs7.h +++ b/include/mbedtls/pkcs7.h @@ -96,6 +96,20 @@ typedef mbedtls_asn1_named_data mbedtls_pkcs7_name; */ typedef mbedtls_asn1_sequence mbedtls_pkcs7_sequence; +/** + * PKCS7 types + */ +typedef enum { + MBEDTLS_PKCS7_NONE=0, + MBEDTLS_PKCS7_DATA, + MBEDTLS_PKCS7_SIGNED_DATA, + MBEDTLS_PKCS7_ENVELOPED_DATA, + MBEDTLS_PKCS7_SIGNED_AND_ENVELOPED_DATA, + MBEDTLS_PKCS7_DIGESTED_DATA, + MBEDTLS_PKCS7_ENCRYPTED_DATA, +} +mbedtls_pkcs7_type; + /** * Structure holding PKCS7 signer info */ @@ -168,7 +182,7 @@ void mbedtls_pkcs7_init( mbedtls_pkcs7 *pkcs7 ); * \p buf. In particular, \p buf may be destroyed or reused * after this call returns. * - * \return \c 0, if successful. + * \return The \c mbedtls_pkcs7_type of \p buf, if successful. * \return A negative error code on failure. */ int mbedtls_pkcs7_parse_der( mbedtls_pkcs7 *pkcs7, const unsigned char *buf, diff --git a/library/pkcs7.c b/library/pkcs7.c index c3236e188..5563f330e 100644 --- a/library/pkcs7.c +++ b/library/pkcs7.c @@ -103,6 +103,7 @@ static int pkcs7_get_content_info_type( unsigned char **p, unsigned char *end, { size_t len = 0; int ret; + unsigned char *start = *p; ret = mbedtls_asn1_get_tag( p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ); @@ -110,8 +111,10 @@ static int pkcs7_get_content_info_type( unsigned char **p, unsigned char *end, return( MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO + ret ); ret = mbedtls_asn1_get_tag( p, end, &len, MBEDTLS_ASN1_OID ); - if( ret != 0 ) + if( ret != 0 ) { + *p = start; return( MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO + ret ); + } pkcs7->tag = MBEDTLS_ASN1_OID; pkcs7->len = len; @@ -428,6 +431,7 @@ int mbedtls_pkcs7_parse_der( mbedtls_pkcs7 *pkcs7, const unsigned char *buf, unsigned char *end; size_t len = 0; int ret; + int isoidset = 0; if( !pkcs7 ) return( MBEDTLS_ERR_PKCS7_BAD_INPUT_DATA ); @@ -444,7 +448,10 @@ int mbedtls_pkcs7_parse_der( mbedtls_pkcs7 *pkcs7, const unsigned char *buf, ret = pkcs7_get_content_info_type( &start, end, &pkcs7->content_type_oid ); if( ret != 0 ) - goto out; + { + len = buflen; + goto try_data; + } if( ! MBEDTLS_OID_CMP( MBEDTLS_OID_PKCS7_DATA, &pkcs7->content_type_oid ) || ! MBEDTLS_OID_CMP( MBEDTLS_OID_PKCS7_ENCRYPTED_DATA, &pkcs7->content_type_oid ) @@ -463,17 +470,31 @@ int mbedtls_pkcs7_parse_der( mbedtls_pkcs7 *pkcs7, const unsigned char *buf, goto out; } + isoidset = 1; start = start + pkcs7->content_type_oid.len; ret = pkcs7_get_next_content_len( &start, end, &len ); if( ret != 0 ) goto out; +try_data: ret = pkcs7_get_signed_data( start, len, &pkcs7->signed_data ); + if ( ret != 0 ) + goto out; + + if ( !isoidset ) + { + pkcs7->content_type_oid.tag = MBEDTLS_ASN1_OID; + pkcs7->content_type_oid.len = MBEDTLS_OID_SIZE( MBEDTLS_OID_PKCS7_SIGNED_DATA ); + pkcs7->content_type_oid.p = (unsigned char *)MBEDTLS_OID_PKCS7_SIGNED_DATA; + } + + ret = MBEDTLS_PKCS7_SIGNED_DATA; out: - if ( ret != 0 ) + if ( ret < 0 ) mbedtls_pkcs7_free( pkcs7 ); + return( ret ); } diff --git a/tests/data_files/Makefile b/tests/data_files/Makefile index 288b01f18..dbe32340f 100644 --- a/tests/data_files/Makefile +++ b/tests/data_files/Makefile @@ -1223,6 +1223,11 @@ pkcs7_signerInfo_serial_invalid_size.der: pkcs7_data_cert_signed_sha256.der echo -en '\x15' | dd of=$@ seek=973 bs=1 conv=notrunc all_final += pkcs7_signerInfo_serial_invalid_size.der +# pkcs7 signature file just with signed data +pkcs7_data_cert_signeddata_sha256.der: pkcs7_data_cert_signed_sha256.der + dd if=pkcs7_data_cert_signed_sha256.der of=$@ skip=19 bs=1 +all_final += pkcs7_data_cert_signeddata_sha256.der + ################################################################ #### Diffie-Hellman parameters ################################################################ diff --git a/tests/suites/test_suite_pkcs7.data b/tests/suites/test_suite_pkcs7.data index 870e83bb8..75ee9f6b0 100644 --- a/tests/suites/test_suite_pkcs7.data +++ b/tests/suites/test_suite_pkcs7.data @@ -51,3 +51,6 @@ pkcs7_parse_failure:"data_files/pkcs7_signerInfo_issuer_invalid_size.der" PKCS7 Signed Data Parse Failure Corrupt signerInfo.serial #15.2 pkcs7_parse_failure:"data_files/pkcs7_signerInfo_serial_invalid_size.der" + +PKCS7 Only Signed Data Parse Pass #15 +pkcs7_parse:"data_files/pkcs7_data_cert_signeddata_sha256.der" diff --git a/tests/suites/test_suite_pkcs7.function b/tests/suites/test_suite_pkcs7.function index b5ef2ef36..d85a45561 100644 --- a/tests/suites/test_suite_pkcs7.function +++ b/tests/suites/test_suite_pkcs7.function @@ -29,7 +29,7 @@ void pkcs7_parse( char *pkcs7_file ) TEST_ASSERT( res == 0 ); res = mbedtls_pkcs7_parse_der( &pkcs7, pkcs7_buf, buflen ); - TEST_ASSERT( res == 0 ); + TEST_ASSERT( res == MBEDTLS_PKCS7_SIGNED_DATA ); exit: mbedtls_free( pkcs7_buf ); @@ -52,7 +52,7 @@ void pkcs7_parse_without_cert( char *pkcs7_file ) TEST_ASSERT( res == 0 ); res = mbedtls_pkcs7_parse_der( &pkcs7, pkcs7_buf, buflen ); - TEST_ASSERT( res == 0 ); + TEST_ASSERT( res == MBEDTLS_PKCS7_SIGNED_DATA ); exit: mbedtls_free( pkcs7_buf ); @@ -210,10 +210,10 @@ void pkcs7_verify( char *pkcs7_file, char *crt, char *filetobesigned ) TEST_ASSERT( res == 0 ); res = mbedtls_pkcs7_parse_der( &pkcs7, pkcs7_buf, buflen ); - TEST_ASSERT( res == 0 ); + TEST_ASSERT( res == MBEDTLS_PKCS7_SIGNED_DATA ); mbedtls_free( pkcs7_buf ); - res = stat(filetobesigned, &st); + res = stat( filetobesigned, &st ); TEST_ASSERT( res == 0 ); file = fopen( filetobesigned, "rb" ); @@ -263,9 +263,9 @@ void pkcs7_verify_hash( char *pkcs7_file, char *crt, char *filetobesigned ) TEST_ASSERT( res == 0 ); res = mbedtls_pkcs7_parse_der( &pkcs7, pkcs7_buf, buflen ); - TEST_ASSERT( res == 0 ); + TEST_ASSERT( res == MBEDTLS_PKCS7_SIGNED_DATA ); - res = stat(filetobesigned, &st); + res = stat( filetobesigned, &st ); TEST_ASSERT( res == 0 ); file = fopen( filetobesigned, "rb" ); @@ -319,12 +319,12 @@ void pkcs7_verify_badcert( char *pkcs7_file, char *crt, char *filetobesigned ) TEST_ASSERT( res == 0 ); res = mbedtls_pkcs7_parse_der( &pkcs7, pkcs7_buf, buflen ); - TEST_ASSERT( res == 0 ); + TEST_ASSERT( res == MBEDTLS_PKCS7_SIGNED_DATA ); res = mbedtls_x509_crt_parse_file( &x509, crt ); TEST_ASSERT( res == 0 ); - res = stat(filetobesigned, &st); + res = stat( filetobesigned, &st ); TEST_ASSERT( res == 0 ); file = fopen( filetobesigned, "rb" ); @@ -369,12 +369,12 @@ void pkcs7_verify_tampered_data( char *pkcs7_file, char *crt, char *filetobesign TEST_ASSERT( res == 0 ); res = mbedtls_pkcs7_parse_der( &pkcs7, pkcs7_buf, buflen ); - TEST_ASSERT( res == 0 ); + TEST_ASSERT( res == MBEDTLS_PKCS7_SIGNED_DATA ); res = mbedtls_x509_crt_parse_file( &x509, crt ); TEST_ASSERT( res == 0 ); - res = stat(filetobesigned, &st); + res = stat( filetobesigned, &st ); TEST_ASSERT( res == 0 ); file = fopen( filetobesigned, "rb" ); From ca07f06024c381a69d692bb67a5c75b6675999b9 Mon Sep 17 00:00:00 2001 From: Nayna Jain Date: Fri, 12 Jun 2020 18:44:04 +0000 Subject: [PATCH 03/35] mbedtls: add pkcs7 in generate_errors.pl This patch updates the generate_errors.pl to handle PKCS7 code as well. Signed-off-by: Nayna Jain --- scripts/generate_errors.pl | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/scripts/generate_errors.pl b/scripts/generate_errors.pl index 0a03f02e9..6ecd0acd4 100755 --- a/scripts/generate_errors.pl +++ b/scripts/generate_errors.pl @@ -52,7 +52,7 @@ my @low_level_modules = qw( AES ARIA ASN1 BASE64 BIGNUM SHA1 SHA256 SHA512 THREADING ); my @high_level_modules = qw( CIPHER DHM ECP MD PEM PK PKCS12 PKCS5 - RSA SSL X509 ); + RSA SSL X509 PKCS7 ); undef $/; @@ -136,6 +136,7 @@ foreach my $match (@matches) $define_name = "ASN1_PARSE" if ($define_name eq "ASN1"); $define_name = "SSL_TLS" if ($define_name eq "SSL"); $define_name = "PEM_PARSE,PEM_WRITE" if ($define_name eq "PEM"); + $define_name = "PKCS7" if ($define_name eq "PKCS7"); my $include_name = $module_name; $include_name =~ tr/A-Z/a-z/; From aa91d4ef0bda8306925705cfecbf76725001c43a Mon Sep 17 00:00:00 2001 From: Daniel Axtens Date: Fri, 29 May 2020 00:23:21 +1000 Subject: [PATCH 04/35] pkcs7: build under CMake The patch updates CMakeLists.txt to include pkcs7. Signed-off-by: Daniel Axtens --- library/CMakeLists.txt | 1 + 1 file changed, 1 insertion(+) diff --git a/library/CMakeLists.txt b/library/CMakeLists.txt index 378cfb457..aed4a05c4 100644 --- a/library/CMakeLists.txt +++ b/library/CMakeLists.txt @@ -89,6 +89,7 @@ set(src_crypto ) set(src_x509 + pkcs7.c x509.c x509_create.c x509_crl.c From 106a0afc5a8819d6f7fc450c66caa5919681cdd5 Mon Sep 17 00:00:00 2001 From: Nayna Jain Date: Tue, 3 Nov 2020 21:07:21 +0000 Subject: [PATCH 05/35] pkcs7: provide fuzz harness This allows for pkcs7 fuzz testing with OSS-Fuzz. Signed-off-by: Daniel Axtens Signed-off-by: Nayna Jain --- programs/fuzz/.gitignore | 1 + programs/fuzz/CMakeLists.txt | 1 + programs/fuzz/fuzz_pkcs7.c | 19 +++++++++++++++++++ programs/fuzz/fuzz_pkcs7.options | 2 ++ 4 files changed, 23 insertions(+) create mode 100644 programs/fuzz/fuzz_pkcs7.c create mode 100644 programs/fuzz/fuzz_pkcs7.options diff --git a/programs/fuzz/.gitignore b/programs/fuzz/.gitignore index 5dc096055..34e3ed088 100644 --- a/programs/fuzz/.gitignore +++ b/programs/fuzz/.gitignore @@ -1,6 +1,7 @@ fuzz_client fuzz_dtlsclient fuzz_dtlsserver +fuzz_pkcs7 fuzz_privkey fuzz_pubkey fuzz_server diff --git a/programs/fuzz/CMakeLists.txt b/programs/fuzz/CMakeLists.txt index c7fcd356b..7747744cd 100644 --- a/programs/fuzz/CMakeLists.txt +++ b/programs/fuzz/CMakeLists.txt @@ -12,6 +12,7 @@ set(executables_no_common_c fuzz_x509crl fuzz_x509crt fuzz_x509csr + fuzz_pkcs7 ) set(executables_with_common_c diff --git a/programs/fuzz/fuzz_pkcs7.c b/programs/fuzz/fuzz_pkcs7.c new file mode 100644 index 000000000..960007d7a --- /dev/null +++ b/programs/fuzz/fuzz_pkcs7.c @@ -0,0 +1,19 @@ +#include +#include "mbedtls/pkcs7.h" + +int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { +#ifdef MBEDTLS_PKCS7_C + mbedtls_pkcs7 pkcs7; + + mbedtls_pkcs7_init( &pkcs7 ); + + mbedtls_pkcs7_parse_der( &pkcs7, Data, Size ); + + mbedtls_pkcs7_free( &pkcs7 ); +#else + (void) Data; + (void) Size; +#endif + + return 0; +} diff --git a/programs/fuzz/fuzz_pkcs7.options b/programs/fuzz/fuzz_pkcs7.options new file mode 100644 index 000000000..0824b19fa --- /dev/null +++ b/programs/fuzz/fuzz_pkcs7.options @@ -0,0 +1,2 @@ +[libfuzzer] +max_len = 65535 From 136c6aa46732ad0fd6d1f884af8eae8893208cbe Mon Sep 17 00:00:00 2001 From: Nayna Jain Date: Wed, 18 Nov 2020 14:44:21 +0000 Subject: [PATCH 06/35] mbedtls: add pkcs7 test data This commit adds the static test data generated by commands from Makefile. Signed-off-by: Nayna Jain --- tests/data_files/pkcs7-rsa-sha256-1.crt | 20 ++++++++ tests/data_files/pkcs7-rsa-sha256-1.key | 28 ++++++++++ tests/data_files/pkcs7-rsa-sha256-1.pem | 48 ++++++++++++++++++ tests/data_files/pkcs7-rsa-sha256-2.crt | 20 ++++++++ tests/data_files/pkcs7-rsa-sha256-2.key | 28 ++++++++++ tests/data_files/pkcs7-rsa-sha256-2.pem | 48 ++++++++++++++++++ tests/data_files/pkcs7_data.txt | 1 + tests/data_files/pkcs7_data_1.txt | 1 + .../data_files/pkcs7_data_cert_encrypted.der | Bin 0 -> 452 bytes .../pkcs7_data_cert_signed_sha1.der | Bin 0 -> 1276 bytes .../pkcs7_data_cert_signed_sha256.der | Bin 0 -> 1284 bytes .../pkcs7_data_cert_signed_sha512.der | Bin 0 -> 1284 bytes .../data_files/pkcs7_data_cert_signed_v2.der | Bin 0 -> 1284 bytes .../pkcs7_data_cert_signeddata_sha256.der | Bin 0 -> 1265 bytes .../pkcs7_data_multiple_certs_signed.der | Bin 0 -> 2504 bytes .../data_files/pkcs7_data_multiple_signed.der | Bin 0 -> 810 bytes .../data_files/pkcs7_data_signed_badcert.der | Bin 0 -> 1284 bytes .../pkcs7_data_signed_badsigner.der | Bin 0 -> 1284 bytes .../pkcs7_data_without_cert_signed.der | Bin 0 -> 435 bytes .../pkcs7_signerInfo_issuer_invalid_size.der | Bin 0 -> 1284 bytes .../pkcs7_signerInfo_serial_invalid_size.der | Bin 0 -> 1284 bytes 21 files changed, 194 insertions(+) create mode 100644 tests/data_files/pkcs7-rsa-sha256-1.crt create mode 100644 tests/data_files/pkcs7-rsa-sha256-1.key create mode 100644 tests/data_files/pkcs7-rsa-sha256-1.pem create mode 100644 tests/data_files/pkcs7-rsa-sha256-2.crt create mode 100644 tests/data_files/pkcs7-rsa-sha256-2.key create mode 100644 tests/data_files/pkcs7-rsa-sha256-2.pem create mode 100644 tests/data_files/pkcs7_data.txt create mode 100644 tests/data_files/pkcs7_data_1.txt create mode 100644 tests/data_files/pkcs7_data_cert_encrypted.der create mode 100644 tests/data_files/pkcs7_data_cert_signed_sha1.der create mode 100644 tests/data_files/pkcs7_data_cert_signed_sha256.der create mode 100644 tests/data_files/pkcs7_data_cert_signed_sha512.der create mode 100644 tests/data_files/pkcs7_data_cert_signed_v2.der create mode 100644 tests/data_files/pkcs7_data_cert_signeddata_sha256.der create mode 100644 tests/data_files/pkcs7_data_multiple_certs_signed.der create mode 100644 tests/data_files/pkcs7_data_multiple_signed.der create mode 100644 tests/data_files/pkcs7_data_signed_badcert.der create mode 100644 tests/data_files/pkcs7_data_signed_badsigner.der create mode 100644 tests/data_files/pkcs7_data_without_cert_signed.der create mode 100644 tests/data_files/pkcs7_signerInfo_issuer_invalid_size.der create mode 100644 tests/data_files/pkcs7_signerInfo_serial_invalid_size.der diff --git a/tests/data_files/pkcs7-rsa-sha256-1.crt b/tests/data_files/pkcs7-rsa-sha256-1.crt new file mode 100644 index 000000000..ebbaf7cc6 --- /dev/null +++ b/tests/data_files/pkcs7-rsa-sha256-1.crt @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDSTCCAjGgAwIBAgIUMBERfOWtW1Y8Y661YJt3KlBYYZ0wDQYJKoZIhvcNAQEL +BQAwNDELMAkGA1UEBhMCTkwxDjAMBgNVBAoMBVBLQ1M3MRUwEwYDVQQDDAxQS0NT +NyBDZXJ0IDEwHhcNMjAxMTI0MTQxMDE5WhcNMjExMTI0MTQxMDE5WjA0MQswCQYD +VQQGEwJOTDEOMAwGA1UECgwFUEtDUzcxFTATBgNVBAMMDFBLQ1M3IENlcnQgMTCC +ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMfqRyKXRqfkj/BThWvwcKfv +qsTiZmVOE6sIusfY86qae4Yv8R8AaBgA3eYbSOat/Xyr3VFgZGtv9Hc8iDM7K1h9 +U9WBKPGN1gGw12LzAxIbf+t5qkH21YtPNkr7liwJruhTh/JLypKE/SVW1XIS47PE +Ug92emsRMKfgsReO7x/EmB/c5cnXfwnrc+DKog2eB+6eIPhq2uq0g+/bV8hkx8+D +N50Qq1OMdy0s/RXeurlYG72jhpj978eOq467vUIIxyD4ggsh9f3ZMOEGFlGjSiZL +CXTgbIbwXnndamf3iqWWN5ZiDH6NVP1UTfCvxvX4HfBE928z0OXu4k7QxNaboEEC +AwEAAaNTMFEwHQYDVR0OBBYEFF1d36HSc95cdyWYy/SRZPsmWncJMB8GA1UdIwQY +MBaAFF1d36HSc95cdyWYy/SRZPsmWncJMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZI +hvcNAQELBQADggEBAIqAZJRQFPL8GFpxp0ZjF4vSiKX/D0/+LJB+vei4ZGZMaqRo +afT9LBAquK1JjXYXJ9wz56ueVxggouVLb6XTrAwsHISwVxKzxkmBde2egPZ9L7tw +EJdb2YPAkdoi3fY259N6KS8S0MwMMi/YmiXpVpQiPQ5tQFdbT9oSqewi/C7TudFc +hez1M7ToYfbMaZ1yQxf5otT8wKVKhLdEb9ncE2Jku6eH+5+lcVFsliLcNo28bd0c +joRYufduegaxmFluq4YWCozgET38AFKiG9Y8fK34He/qJIwHn7nWJ3cy3j+NAh3X +gpobw4JhCNXaInaNx/BZsoedjXnkunhgRijykOU= +-----END CERTIFICATE----- diff --git a/tests/data_files/pkcs7-rsa-sha256-1.key b/tests/data_files/pkcs7-rsa-sha256-1.key new file mode 100644 index 000000000..0c7d37d88 --- /dev/null +++ b/tests/data_files/pkcs7-rsa-sha256-1.key @@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDH6kcil0an5I/w +U4Vr8HCn76rE4mZlThOrCLrH2POqmnuGL/EfAGgYAN3mG0jmrf18q91RYGRrb/R3 +PIgzOytYfVPVgSjxjdYBsNdi8wMSG3/reapB9tWLTzZK+5YsCa7oU4fyS8qShP0l +VtVyEuOzxFIPdnprETCn4LEXju8fxJgf3OXJ138J63PgyqINngfuniD4atrqtIPv +21fIZMfPgzedEKtTjHctLP0V3rq5WBu9o4aY/e/HjquOu71CCMcg+IILIfX92TDh +BhZRo0omSwl04GyG8F553Wpn94qlljeWYgx+jVT9VE3wr8b1+B3wRPdvM9Dl7uJO +0MTWm6BBAgMBAAECggEASx6bUEIryJa4B4Q61E5q5o/GSWkRNOvbtB75oHLDTM3z +sH5/Sjjq5Goe94I1KIkkgR5LcXKZCU3uPIfAXg/Tv9KIF+gKrImxar06kfHiq4Et +1hvHgDXyFADV0+MpkK6qzJ3mrYMRQXE7djZkyhKTAU+5zhmk8mppMAvcP4/0Bqk8 +EQRd6rPzeQdK6Lz0UPHsjO2bqksdqtts090W07VY13tZdSL3Xsjig0TEsM0Oalv9 +VKTU+xBLQuD9cn2QYQfSflQl7ZGrS2N7OeZ4Ju5Spygo7YO/Lsl3WMYKNPiX7E7T +Z+sD6duWLbPC6atWgk1XmD9oZLBsx/jZT/Lp+cOLaQKBgQD3u8iNs4AafDnxAdZc +3vQBH0yablI5nRtRrAmpjyj8gNNbszoeCM+7MBJ2Npw3qnYtqRWw5vKljU3gVLXG +aPxUnyAJIVBWZDdlnnqOjKY++k6IF+3vcal9In+j5W0HYEfngLSm1/mJJHfK4N21 +JaJMwIxXJBkt0AbhyJlFc5WWowKBgQDOlgPY2xabKU5r+st3n1QKReirkb07rUR0 +ky3nBDGfI3svglX+5ZC/cDsl/YjAkGgOYgpgf1z0KUj2GmkQ6eMj9QVwzstwhKql +Asg4BXTd36Ia4zAbIYluUqHgbQOXKItLwJ3o1UImRlOosxG1hrHm1YpBZu9LEq// +medOr+nvywKBgA5eNMaLJ53hoJaqzZz7TVmXUCEQzvIKe6AkAzdzVyQ18Iw7+93s +Eug/ZIK4rhzIZSxGxzxIWMBjTqX5I8XLJv9db0U4SmmITHI3W9JSs/2pFM7t3F3r +0LGyQ4bk8orf+auimlem5REgLVZ17kXoVd5vuHQBYvh2PT/xG3qctotTAoGAeVgW +lGdEJQmjPbvHjdExjQM5QqXNUGNbBVp6KOsGtqIhtmtJVfrEBh7HL253yBxKcsBV +tg65q9UgPSaQNlYbjEBc3MErMEFM9rXmozlZRwYX8tElrZoKXpn86ZU++afgAjP2 +zQ+O1mqSs1HTghvHHX6qwfXTcvZcGLfu7QJZV/cCgYEAkpfg4Ev8zPPTpDTeS3h+ +uUhrU7cQ6Ry1+S1effLjaDLm+YdpXJ7DGhtV6yLSXbZPlcmbzYZyvBmYixdz8oqw +btJym460gKjAQLIrMcLL3tJcX5ww6oRCL5hqZgvcFeIlmYSTIEZs0X69Ft8trWSu +A3BsQ4P24o/FXcvGAv0gH0E= +-----END PRIVATE KEY----- diff --git a/tests/data_files/pkcs7-rsa-sha256-1.pem b/tests/data_files/pkcs7-rsa-sha256-1.pem new file mode 100644 index 000000000..fe1e16f8d --- /dev/null +++ b/tests/data_files/pkcs7-rsa-sha256-1.pem @@ -0,0 +1,48 @@ +-----BEGIN CERTIFICATE----- +MIIDSTCCAjGgAwIBAgIUMBERfOWtW1Y8Y661YJt3KlBYYZ0wDQYJKoZIhvcNAQEL +BQAwNDELMAkGA1UEBhMCTkwxDjAMBgNVBAoMBVBLQ1M3MRUwEwYDVQQDDAxQS0NT +NyBDZXJ0IDEwHhcNMjAxMTI0MTQxMDE5WhcNMjExMTI0MTQxMDE5WjA0MQswCQYD +VQQGEwJOTDEOMAwGA1UECgwFUEtDUzcxFTATBgNVBAMMDFBLQ1M3IENlcnQgMTCC +ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMfqRyKXRqfkj/BThWvwcKfv +qsTiZmVOE6sIusfY86qae4Yv8R8AaBgA3eYbSOat/Xyr3VFgZGtv9Hc8iDM7K1h9 +U9WBKPGN1gGw12LzAxIbf+t5qkH21YtPNkr7liwJruhTh/JLypKE/SVW1XIS47PE +Ug92emsRMKfgsReO7x/EmB/c5cnXfwnrc+DKog2eB+6eIPhq2uq0g+/bV8hkx8+D +N50Qq1OMdy0s/RXeurlYG72jhpj978eOq467vUIIxyD4ggsh9f3ZMOEGFlGjSiZL +CXTgbIbwXnndamf3iqWWN5ZiDH6NVP1UTfCvxvX4HfBE928z0OXu4k7QxNaboEEC +AwEAAaNTMFEwHQYDVR0OBBYEFF1d36HSc95cdyWYy/SRZPsmWncJMB8GA1UdIwQY +MBaAFF1d36HSc95cdyWYy/SRZPsmWncJMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZI +hvcNAQELBQADggEBAIqAZJRQFPL8GFpxp0ZjF4vSiKX/D0/+LJB+vei4ZGZMaqRo +afT9LBAquK1JjXYXJ9wz56ueVxggouVLb6XTrAwsHISwVxKzxkmBde2egPZ9L7tw +EJdb2YPAkdoi3fY259N6KS8S0MwMMi/YmiXpVpQiPQ5tQFdbT9oSqewi/C7TudFc +hez1M7ToYfbMaZ1yQxf5otT8wKVKhLdEb9ncE2Jku6eH+5+lcVFsliLcNo28bd0c +joRYufduegaxmFluq4YWCozgET38AFKiG9Y8fK34He/qJIwHn7nWJ3cy3j+NAh3X +gpobw4JhCNXaInaNx/BZsoedjXnkunhgRijykOU= +-----END CERTIFICATE----- +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDH6kcil0an5I/w +U4Vr8HCn76rE4mZlThOrCLrH2POqmnuGL/EfAGgYAN3mG0jmrf18q91RYGRrb/R3 +PIgzOytYfVPVgSjxjdYBsNdi8wMSG3/reapB9tWLTzZK+5YsCa7oU4fyS8qShP0l +VtVyEuOzxFIPdnprETCn4LEXju8fxJgf3OXJ138J63PgyqINngfuniD4atrqtIPv +21fIZMfPgzedEKtTjHctLP0V3rq5WBu9o4aY/e/HjquOu71CCMcg+IILIfX92TDh +BhZRo0omSwl04GyG8F553Wpn94qlljeWYgx+jVT9VE3wr8b1+B3wRPdvM9Dl7uJO +0MTWm6BBAgMBAAECggEASx6bUEIryJa4B4Q61E5q5o/GSWkRNOvbtB75oHLDTM3z +sH5/Sjjq5Goe94I1KIkkgR5LcXKZCU3uPIfAXg/Tv9KIF+gKrImxar06kfHiq4Et +1hvHgDXyFADV0+MpkK6qzJ3mrYMRQXE7djZkyhKTAU+5zhmk8mppMAvcP4/0Bqk8 +EQRd6rPzeQdK6Lz0UPHsjO2bqksdqtts090W07VY13tZdSL3Xsjig0TEsM0Oalv9 +VKTU+xBLQuD9cn2QYQfSflQl7ZGrS2N7OeZ4Ju5Spygo7YO/Lsl3WMYKNPiX7E7T +Z+sD6duWLbPC6atWgk1XmD9oZLBsx/jZT/Lp+cOLaQKBgQD3u8iNs4AafDnxAdZc +3vQBH0yablI5nRtRrAmpjyj8gNNbszoeCM+7MBJ2Npw3qnYtqRWw5vKljU3gVLXG +aPxUnyAJIVBWZDdlnnqOjKY++k6IF+3vcal9In+j5W0HYEfngLSm1/mJJHfK4N21 +JaJMwIxXJBkt0AbhyJlFc5WWowKBgQDOlgPY2xabKU5r+st3n1QKReirkb07rUR0 +ky3nBDGfI3svglX+5ZC/cDsl/YjAkGgOYgpgf1z0KUj2GmkQ6eMj9QVwzstwhKql +Asg4BXTd36Ia4zAbIYluUqHgbQOXKItLwJ3o1UImRlOosxG1hrHm1YpBZu9LEq// +medOr+nvywKBgA5eNMaLJ53hoJaqzZz7TVmXUCEQzvIKe6AkAzdzVyQ18Iw7+93s +Eug/ZIK4rhzIZSxGxzxIWMBjTqX5I8XLJv9db0U4SmmITHI3W9JSs/2pFM7t3F3r +0LGyQ4bk8orf+auimlem5REgLVZ17kXoVd5vuHQBYvh2PT/xG3qctotTAoGAeVgW +lGdEJQmjPbvHjdExjQM5QqXNUGNbBVp6KOsGtqIhtmtJVfrEBh7HL253yBxKcsBV +tg65q9UgPSaQNlYbjEBc3MErMEFM9rXmozlZRwYX8tElrZoKXpn86ZU++afgAjP2 +zQ+O1mqSs1HTghvHHX6qwfXTcvZcGLfu7QJZV/cCgYEAkpfg4Ev8zPPTpDTeS3h+ +uUhrU7cQ6Ry1+S1effLjaDLm+YdpXJ7DGhtV6yLSXbZPlcmbzYZyvBmYixdz8oqw +btJym460gKjAQLIrMcLL3tJcX5ww6oRCL5hqZgvcFeIlmYSTIEZs0X69Ft8trWSu +A3BsQ4P24o/FXcvGAv0gH0E= +-----END PRIVATE KEY----- diff --git a/tests/data_files/pkcs7-rsa-sha256-2.crt b/tests/data_files/pkcs7-rsa-sha256-2.crt new file mode 100644 index 000000000..0cd377afc --- /dev/null +++ b/tests/data_files/pkcs7-rsa-sha256-2.crt @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDSTCCAjGgAwIBAgIUSbz5H6XcKL1urGmyF9I9v63PwccwDQYJKoZIhvcNAQEL +BQAwNDELMAkGA1UEBhMCTkwxDjAMBgNVBAoMBVBLQ1M3MRUwEwYDVQQDDAxQS0NT +NyBDZXJ0IDIwHhcNMjAxMTI0MTQxMDE5WhcNMjExMTI0MTQxMDE5WjA0MQswCQYD +VQQGEwJOTDEOMAwGA1UECgwFUEtDUzcxFTATBgNVBAMMDFBLQ1M3IENlcnQgMjCC +ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAN4tAEi8b+ZE3OIuv91WduiU +qQQXPqMNndTj3Q3hxd5CvYCZ3dAoYQOdPOtGWxLe89zpqUI/Sp8hSpCOw0ucgxCe +96ahpx/BVvMG6BabtxSXWYmGv0rJmFE3LwzskvK9P8dwaGLZler+9CgjKtcgfhTc +zbwhSDeHCHAZWqJUtLpAACiU8rn78p7x8zWoUUsntUiTCyw1SCHvIhGPeCbT4QVX +YNxIP2H52s7waHqtHLpGtJSsSxTxfbxcmbMQlrDaY/8ArLxo2VKqvGJv90IDjbGy +ORHRMOuxxxjowC9+yH4xtVRl821dsJFSSnmAEBXas3hkneFVBxiR7vUf61Wv760C +AwEAAaNTMFEwHQYDVR0OBBYEFNdysL6wT6p/KA7w/efpAyX7/FXZMB8GA1UdIwQY +MBaAFNdysL6wT6p/KA7w/efpAyX7/FXZMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZI +hvcNAQELBQADggEBAKGSxRvoL+FpC4LtiT4Cie53yKlzISq+ZMR4eHm1BFSidiFv +apntxj9k1JIIlDzbabVEJdy+O8EzipqUNFdPky+EpnZTnoTXilNusPH2FW+R6qMx +XrDl4MwtSYnH1RwkjF+yjYysp6pdxm+gr6k7lS4biHq6VfUYSvQBvSuIYMn+XZa/ +ZgQs0NWeh3GgVFkpGkG/yxXMq1WRGSrFfmqExLVpMeNXTINQsK5PH/JMaj44c4T7 ++qbq9Rf4U4ezkTUXHsQQsA3dFpPiL5Lv6RS+31VKLpXYJQ9j/Z+IWBFjTf/utt5T +VA2cEFCZIkNYUoX8RVs23cQr/ZNBxxgO/7JYNSE= +-----END CERTIFICATE----- diff --git a/tests/data_files/pkcs7-rsa-sha256-2.key b/tests/data_files/pkcs7-rsa-sha256-2.key new file mode 100644 index 000000000..6226f8ad4 --- /dev/null +++ b/tests/data_files/pkcs7-rsa-sha256-2.key @@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDeLQBIvG/mRNzi +Lr/dVnbolKkEFz6jDZ3U490N4cXeQr2Amd3QKGEDnTzrRlsS3vPc6alCP0qfIUqQ +jsNLnIMQnvemoacfwVbzBugWm7cUl1mJhr9KyZhRNy8M7JLyvT/HcGhi2ZXq/vQo +IyrXIH4U3M28IUg3hwhwGVqiVLS6QAAolPK5+/Ke8fM1qFFLJ7VIkwssNUgh7yIR +j3gm0+EFV2DcSD9h+drO8Gh6rRy6RrSUrEsU8X28XJmzEJaw2mP/AKy8aNlSqrxi +b/dCA42xsjkR0TDrsccY6MAvfsh+MbVUZfNtXbCRUkp5gBAV2rN4ZJ3hVQcYke71 +H+tVr++tAgMBAAECggEANzztAyiGkbOxTzLcVQV4Tt8XHoNA+X0bLqDwhtEJRvdE +8kJPGb/QTvu696voXMq9ysD1ahkeTm4Sgdpcx+HD3FAJto4eZRDGs2mWLnjMjfwL +MNwll0yD6D1WH1p6NovC3a0e5uS+F00IGyqTLiVP85PqOsnzkIqsGGLVW+K/hEaK +lRqKEf5tYzkdmlay8SfJQf03TuJVFp6qAgG/gH2EkGR/B4SLotXYDNXLFAzlx/N3 +QXHRIKhYOcvznbJ7Doww+nCyO613cUeZ1t3/22QRC3Vm8WMaYzxivGoMzmGM2YqI +MtUG+zXm4if9+MmT0CQ3meWLYwkIbFax6/6DLS6iKQKBgQD4EU4CEEjCsnYm7668 +0THvkcEsOTvSKroLYPKsuUbeoBfCvK4/o6kb2dQbR9c8MnHAJ8yN9gMbuP/njPUu +G9/sycI3uDRYpsQDeBcD74NtCAKqB1s7kcucMzxudwAqw/jJCJxyPqGiS8HJGQRO +sQMtBkvQx9RqKKagAgCWwaiLQwKBgQDlR76cQN3GSVRZfsA2rqTyZo8b4ECSEu0O +4vSQ0i5xMWp8uJLRBxktRYYCMfzH6dHDG+GNYearolOHm7BfC3QUH2EC6kE2D/9P +A40JrF7QEkDRtQ2rmNOQ2diLB1wYQiqRJieuXVIIzaRcyenRxP6ec2YMmHl9FaPh +dmYzjtDSTwKBgFr2/YQENKowhuMAQTM8AvO2nv94fVc0E8TYaCSuTC6Wxh/C0KLF +gN2VoxHd5i9M0CmGbpwf+kPQMwbVyZJ+5j4OPgnwokFf5cDf6JCo46i3p0JyMCJH +9EHzB9X6DTWhZzlQzw2Vqe+5l/YGFm5EusVn6aVFob7L6U4DbfPaT9PBAoGAD1Hi +55fh+azOqQgyGbVDqjq2Fzu9tMT0+AisJL0Wg1O09M50aOkbgo3hrWXfqQ/zhyDm +ykafXhqDkE0T1NX0FKAgIEy8vLsG6SWol9vfnfGKSTjax/t3L3eO44NDYQ+Svo4Z +Gqp7n8D12YlYST7rcHTvfan2fCglAhyiKZHCXDsCgYEA0BeqGpJ6Oz6O8g61JixG +EryjO2cCnQLWlwlal40L63wY5tNDCixuDM6zJFq/tT9DYMuNANrfsqWU2ImKTNPE +kwlMgP813aPXREgyV3ylL4KLusfDF6hqPtDcU2QK05LuTX7puHwi0pR8jAmPzrng +Y2ncNnRJI7vczDETaW1vuoE= +-----END PRIVATE KEY----- diff --git a/tests/data_files/pkcs7-rsa-sha256-2.pem b/tests/data_files/pkcs7-rsa-sha256-2.pem new file mode 100644 index 000000000..0f03a43a0 --- /dev/null +++ b/tests/data_files/pkcs7-rsa-sha256-2.pem @@ -0,0 +1,48 @@ +-----BEGIN CERTIFICATE----- +MIIDSTCCAjGgAwIBAgIUSbz5H6XcKL1urGmyF9I9v63PwccwDQYJKoZIhvcNAQEL +BQAwNDELMAkGA1UEBhMCTkwxDjAMBgNVBAoMBVBLQ1M3MRUwEwYDVQQDDAxQS0NT +NyBDZXJ0IDIwHhcNMjAxMTI0MTQxMDE5WhcNMjExMTI0MTQxMDE5WjA0MQswCQYD +VQQGEwJOTDEOMAwGA1UECgwFUEtDUzcxFTATBgNVBAMMDFBLQ1M3IENlcnQgMjCC +ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAN4tAEi8b+ZE3OIuv91WduiU +qQQXPqMNndTj3Q3hxd5CvYCZ3dAoYQOdPOtGWxLe89zpqUI/Sp8hSpCOw0ucgxCe +96ahpx/BVvMG6BabtxSXWYmGv0rJmFE3LwzskvK9P8dwaGLZler+9CgjKtcgfhTc +zbwhSDeHCHAZWqJUtLpAACiU8rn78p7x8zWoUUsntUiTCyw1SCHvIhGPeCbT4QVX +YNxIP2H52s7waHqtHLpGtJSsSxTxfbxcmbMQlrDaY/8ArLxo2VKqvGJv90IDjbGy +ORHRMOuxxxjowC9+yH4xtVRl821dsJFSSnmAEBXas3hkneFVBxiR7vUf61Wv760C +AwEAAaNTMFEwHQYDVR0OBBYEFNdysL6wT6p/KA7w/efpAyX7/FXZMB8GA1UdIwQY +MBaAFNdysL6wT6p/KA7w/efpAyX7/FXZMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZI +hvcNAQELBQADggEBAKGSxRvoL+FpC4LtiT4Cie53yKlzISq+ZMR4eHm1BFSidiFv +apntxj9k1JIIlDzbabVEJdy+O8EzipqUNFdPky+EpnZTnoTXilNusPH2FW+R6qMx +XrDl4MwtSYnH1RwkjF+yjYysp6pdxm+gr6k7lS4biHq6VfUYSvQBvSuIYMn+XZa/ +ZgQs0NWeh3GgVFkpGkG/yxXMq1WRGSrFfmqExLVpMeNXTINQsK5PH/JMaj44c4T7 ++qbq9Rf4U4ezkTUXHsQQsA3dFpPiL5Lv6RS+31VKLpXYJQ9j/Z+IWBFjTf/utt5T +VA2cEFCZIkNYUoX8RVs23cQr/ZNBxxgO/7JYNSE= +-----END CERTIFICATE----- +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDeLQBIvG/mRNzi +Lr/dVnbolKkEFz6jDZ3U490N4cXeQr2Amd3QKGEDnTzrRlsS3vPc6alCP0qfIUqQ +jsNLnIMQnvemoacfwVbzBugWm7cUl1mJhr9KyZhRNy8M7JLyvT/HcGhi2ZXq/vQo +IyrXIH4U3M28IUg3hwhwGVqiVLS6QAAolPK5+/Ke8fM1qFFLJ7VIkwssNUgh7yIR +j3gm0+EFV2DcSD9h+drO8Gh6rRy6RrSUrEsU8X28XJmzEJaw2mP/AKy8aNlSqrxi +b/dCA42xsjkR0TDrsccY6MAvfsh+MbVUZfNtXbCRUkp5gBAV2rN4ZJ3hVQcYke71 +H+tVr++tAgMBAAECggEANzztAyiGkbOxTzLcVQV4Tt8XHoNA+X0bLqDwhtEJRvdE +8kJPGb/QTvu696voXMq9ysD1ahkeTm4Sgdpcx+HD3FAJto4eZRDGs2mWLnjMjfwL +MNwll0yD6D1WH1p6NovC3a0e5uS+F00IGyqTLiVP85PqOsnzkIqsGGLVW+K/hEaK +lRqKEf5tYzkdmlay8SfJQf03TuJVFp6qAgG/gH2EkGR/B4SLotXYDNXLFAzlx/N3 +QXHRIKhYOcvznbJ7Doww+nCyO613cUeZ1t3/22QRC3Vm8WMaYzxivGoMzmGM2YqI +MtUG+zXm4if9+MmT0CQ3meWLYwkIbFax6/6DLS6iKQKBgQD4EU4CEEjCsnYm7668 +0THvkcEsOTvSKroLYPKsuUbeoBfCvK4/o6kb2dQbR9c8MnHAJ8yN9gMbuP/njPUu +G9/sycI3uDRYpsQDeBcD74NtCAKqB1s7kcucMzxudwAqw/jJCJxyPqGiS8HJGQRO +sQMtBkvQx9RqKKagAgCWwaiLQwKBgQDlR76cQN3GSVRZfsA2rqTyZo8b4ECSEu0O +4vSQ0i5xMWp8uJLRBxktRYYCMfzH6dHDG+GNYearolOHm7BfC3QUH2EC6kE2D/9P +A40JrF7QEkDRtQ2rmNOQ2diLB1wYQiqRJieuXVIIzaRcyenRxP6ec2YMmHl9FaPh +dmYzjtDSTwKBgFr2/YQENKowhuMAQTM8AvO2nv94fVc0E8TYaCSuTC6Wxh/C0KLF +gN2VoxHd5i9M0CmGbpwf+kPQMwbVyZJ+5j4OPgnwokFf5cDf6JCo46i3p0JyMCJH +9EHzB9X6DTWhZzlQzw2Vqe+5l/YGFm5EusVn6aVFob7L6U4DbfPaT9PBAoGAD1Hi +55fh+azOqQgyGbVDqjq2Fzu9tMT0+AisJL0Wg1O09M50aOkbgo3hrWXfqQ/zhyDm +ykafXhqDkE0T1NX0FKAgIEy8vLsG6SWol9vfnfGKSTjax/t3L3eO44NDYQ+Svo4Z +Gqp7n8D12YlYST7rcHTvfan2fCglAhyiKZHCXDsCgYEA0BeqGpJ6Oz6O8g61JixG +EryjO2cCnQLWlwlal40L63wY5tNDCixuDM6zJFq/tT9DYMuNANrfsqWU2ImKTNPE +kwlMgP813aPXREgyV3ylL4KLusfDF6hqPtDcU2QK05LuTX7puHwi0pR8jAmPzrng +Y2ncNnRJI7vczDETaW1vuoE= +-----END PRIVATE KEY----- diff --git a/tests/data_files/pkcs7_data.txt b/tests/data_files/pkcs7_data.txt new file mode 100644 index 000000000..e965047ad --- /dev/null +++ b/tests/data_files/pkcs7_data.txt @@ -0,0 +1 @@ +Hello diff --git a/tests/data_files/pkcs7_data_1.txt b/tests/data_files/pkcs7_data_1.txt new file mode 100644 index 000000000..0cfbf0888 --- /dev/null +++ b/tests/data_files/pkcs7_data_1.txt @@ -0,0 +1 @@ +2 diff --git a/tests/data_files/pkcs7_data_cert_encrypted.der b/tests/data_files/pkcs7_data_cert_encrypted.der new file mode 100644 index 0000000000000000000000000000000000000000..0d0706931e625b35b37466511e87ea4da5a731ba GIT binary patch literal 452 zcmXqLVm!dcsnzDu_MMlJoq0hM<3@uf#CyK)2f{@U2NS<^=CU)7tGsN z8*UbRUd(O#gvgnWyQ-_FPOJF2?fIEaTr&FBt5s7?9oNTPxe9TNztPBR+2t|wwnwWhJ znwUKenwSh1Ff%bSF^L!m3f4Sb8y#koyl!j4>~gJuh{U-Dyl_2?+(08tz$P+>vaks= z`S}>~8St{-pmyaBKF5g5~d59eI?N z>Lpz%)t2V>x5H1Q96#S|K38CMa8J3e z&R@}cyLLuM?_JzBkruvF5mNwFFbws$nV0DYqJ+PGBGnUFfI-@2sDrd zMv5#Six`VYZ0!Aomx}Mjl&j7-{bgdxZ?&j$P6K(6v@(l?fmj1}1^gfd!iPY=9j-Z z0$MxPdiIuytKTtxzItA`gu=Y1t4iwE384W9i#@4c}_@cNYjukG|P_ zVB#&MyWh;7U#`;B7rJnU$4LLiEY+7`Q{cj1ae53S7@AA%zF|BXD8gF@# z`0Y&Q+#+Z3pNp>iIk42LWxGrM%{#(LDZ7`q|DM0JFfeDD(jBwjJ-K&f`dT7(e$T67 z+c+aKZ*`j(SI+}M+dm9Ji=?mF)U5p>`~Hlzu zrLx}RA0juk&+V;zva2G&P2cD0ckMZUnsnEwEq}B%zT3ClkMn8Q&2=`ZMe3HK zQEz+1z4daw-Fd>=Vrn<1StEDnajWpneVbA{--QMQEU}c__UTTLBJ=kPeQ`7I%g;8^ z(*L8RQ(D-u>|EaQ*2dRfwT0{SymtHW33*OmY_{=<)1t@kKRk}Ixb*4k_OKtvUl>%Z z-RAP~JI9iTQ^S{R{5Q!%ej9hst$wchhY?*F^F62Ed&_9huWY(2%_c~T`Q{3Ht*7>% L|DO2R;oS!S0NDC! literal 0 HcmV?d00001 diff --git a/tests/data_files/pkcs7_data_cert_signed_sha256.der b/tests/data_files/pkcs7_data_cert_signed_sha256.der new file mode 100644 index 0000000000000000000000000000000000000000..3f2dfb5ace1ae4c6571da3551fac2c2c0d65d89a GIT binary patch literal 1284 zcmXqLVr5|C)N1o+`_9YA&a|M3<)c9p%UdQ!MnirBUN+8zHV?*BW)>z!Rt5uZghIvz zP0YRqP0XGKO-zOhn3))vm_!T&1#6zJjSjO(Ubi)2cDYtSMB-eK5m3V!xq(KQ7;+nM zvN4CUun9By`55vU@PIg6JgfoU&cWt}q6WesJ~Iywn6KcRT2!K7XdoxfYh++(Xk=n& zVrXD!83p7TB5}zywTV#)*?B-8GB+{uGZ-{6axpbAGBO;0<*qc{ZTXY_55cY39}1Sg zUv=bBTB@J$YK~pUZ+u=gtGZ49qdY@~1jF5D(jL#&{;gSkH!vY3JO4|$O^30yc0_IP z)kckvz1J8wTu=JUEF@k3x^k7{x2xU$W?sLi>2R)l5#0XC`_!bCzp7zZi-aC;J`%)V zR+TMiu>8SB@xJ%+M`p<1d3y4CJ?HD<2d5VC&SQT!PvJ+_tyf!`-`@^Dk#hWev-wkauE;`?F!v9CX5Ke&9)H@@)n-6OvXN3P9Y;K;LDI@B5(Z)o*cI@D6bLgi z{%2t|U}Aa<^ph?n@m@|MUC*)0t4W_r;EsG@q;` z8JS=H>Ii7d5FhwS@TDn0D;cV1I3H@auv%OrcfX_oZi zrbLdbx0K3ykAH~V)IPVj^2x4>1UHRO6P_A2F_r_9UNJD|8TgQwqH$+Iq-tlYC+q%O!wYrPxVdu>-(HoOzhOW3N zcvL9)(8pUCp%=~p9Rf%C>!u+qah>X+UW9V>utIr$r+!sJ}sDj_3}Y^_v7|%p1~n& zbN}5tEO}|Us={*(&8CSV30aY|H`(72Sz>5%O_g)<)Y|Tomc_0&vU>#frue_@o4Lef R$+>OZT8Z9lsa$D}JOF;``!9Rt5uZghIvz zP0YRqP0XGKO-zOhn3))vm_!T&1#6zJjSjO(Ubi)2cDYtSMB-eK5m3V!xq(KQ7;+nM zvN4CUun9By`55vU@PIg6JgfoU&cWt}q6WesJ~Iywn6KcRT2!K7XdoxfYh++(Xk=n& zVrXD!83p7TB5}zywTV#)*?Ekt49rc8{0s(7j9g4jjEoG&U%4wycU%6X|3h$V_J@My z?^hjpl$PozyqaUz@f)94&8lwG|0vIpA;EC>nY72VwSQ|?-wjMi$;IWA8P_4cC)CGYd)Azph;6`0Z-9znRzXX*!(iUIe#)@;)`G<*#bk)gqzCn~wzX zmsMp88Z3XXQM~WH{E->*cb=ZSUeEcu_`#_~yz|)K%~SZ1b?eoZ=J&V5Pox|_-)uft zV0Ca$xvtJ%(R;ggMo8~n+&1Iy`{RA9`*!bj;yAAGqlsJb>))FO581>57kjCBbCx{F zY5NdYc{eNld)Lxw=F^gR>Uu-|hWLJ1f9&fI*$*z?^NlY&efP-k!jWsU7dSF8GcqtP z4mJohkOfAHEFX&)i%4wj{e_o`@5Pj>&N%&LV#;r|sB%sNd62X+i-dt#19k=cAO*sV zjQ?3!4VZxxaZOE0hC(UED{5H7U&m}g_@+j$M&YV~&) z2uzQ@*?eH)Ev38P%${Ga($p8aaE8Z7|HdrUmtj+sZ258>!lV6f39Wpi^hfXV&Wkav zZ@wCDd6D?-Oy=AoXYrqluKYQ$)T?E?Oa9F}!bvH+m$(0(zqBwgXPVL-v)(Mfz#g?`|8q4wyftJ4FTTwKQu-@c$?3= zUBS37#MNOAqq(G;lEbApee2(}m9TzDR)|Q~ysxy$Y1LGLut3d&OCO&&`1|S4mN(Z7 zZ}Ta<cO7|dsT+6rJ0vmMGM>?9W$@lvD%|nT+w%-Zjg(i{KvMvewvG? SEh}C;BYi=!>z)7p;->(;m;KTJ literal 0 HcmV?d00001 diff --git a/tests/data_files/pkcs7_data_cert_signed_v2.der b/tests/data_files/pkcs7_data_cert_signed_v2.der new file mode 100644 index 0000000000000000000000000000000000000000..1a24a8a2e3b72232f8ec4c2a1b2a45df051a2444 GIT binary patch literal 1284 zcmXqLVr5|C)N1o+`_9YA&a|M3<)c9p%UdQ!-PAmVmz!Rt5uZghIvz zP0YRqP0XGKO-zOhn3))vm_!T&1#6zJjSjO(Ubi)2cDYtSMB-cnUbr4cZlDn+hTI06 zY|No7Y{E=_K8Ab-JRlAi4{Lz8bFjIgsDUtu&&njmg*krEPt?3yzjmIks0!Lo}Rp3&-uFe!Kp>O^Vr|bQ}~f}>(!R#_qW4Oq#QrrY(7_D zb#PC)uFhZ4d%Jcume*CFxVLxx*AfZ1c-e4BN0`&+$~wW`%=f!|NQ>{bSBj8eX%1Y%_nO~ zM&_5lIs#fd)_V4qiL2i+e!hBMxP-!@r{4KXFR$Uzk!jfwF0}cWXJhHxc@5uc^>-Ht zOpm_Vd|=`&rMutEo?oug)EByNhQ~<%#w^vBVN;ZB`Enh?qy29Qt$d^ONAL2^i!rTl zz8Y_Nk@)RQ=G-D@@t=#X{5i1Ht7W@O{>?kWNh!ORxBs5Mv@kGdn$jJ!-aWZ@W%^no zc7D&RV%s<)GH-R87+22&LEAqJL5rlX+0?B4A^ZN7N)P+|o!8XMjqcg^GRa zDUsvqEv2&F;~ye7wa@LXe6p(|!A;}Sgr|m0jOD;Hp{DZHT^0tnc4JO;QI<9OiZdKtlE77z|y}o@}@Ku8@y_t;j=B>MM zyT++^rFYh!Rc}vr$izPjn)6UL;Lk=wM#i<#<^6 TiOG_4+qkt7z1dQ^(j0jJ48;70 literal 0 HcmV?d00001 diff --git a/tests/data_files/pkcs7_data_cert_signeddata_sha256.der b/tests/data_files/pkcs7_data_cert_signeddata_sha256.der new file mode 100644 index 0000000000000000000000000000000000000000..7c631f9d7495886951dc80a63dc299421620b8de GIT binary patch literal 1265 zcmXqLVtLEN$Y{uKz{|#&(B{FI%FM#V$jV^A&Bm$K=F#?@myw-uK@+pDK@+p5K@*eV z0%j&gCMFRBLBX1*Yoo(#lGklbm|dIr2W>vT8f0Sp)kYKp`Oxokw+P^ic?*=BMWaob=x9Kpp){dwRzS^kqvG*F|hU-b6 znT4e5UstYj{C2h5-^}axG#$=$FM``Yd7qlp@>ezNYLU?6%}0Xx%c`;k4VFLHDBky8 z{>TjZJ5NtuujhPS{NU6g-g)fr<|+Khy7g*H^ZVQ3CsK}|Z#JJRusXP>Tvz9>=)GM# zBc%5(ZkzG<{qerleY^KMaU56p(ZsFz_3urChiqbji@nsmIZGbow0(%HyqlH&y=&<- z^Jz&ub-f{fLwrB1Klb&9><5?c`NkKXzI)_%;mEbw3mlo485tNC2O9($$O0opmXAe@ zMI<)%{=!Se_hQObXPo{rG3B>fR5_=CJV;uZMZ!R=0lNZzkOE;w#{Vp=2FySTIoN@z z0vPO!3|$Q=QvyUj{gH?&T<(@E-hHWK>3@Fze>xND_P*GWlID}OBqQ_7UmXFh9cw*% z%f!|17(ZVwfegY1g1ydY(6mYmeSpC zX3sBIY3d7IIKyM4e`A*F%dja*wtTq`;nDuLgjT*$`lEMw=f#-TH(!mnyh!|ZCUb6) zv-reaH{CI99f;iQz^%iDj?Us@QLGfnA^S?`|QyE1((5j(%IBBX~I*(CdP7L(klk$JOdx{QZ()?h@6X&awIUxvotX>xa~gF`t|VJ z@XoX^%fugwJQ1k5^?Wst&pUqYd0Tflr&f0{J?y+0CVFG?%+M7#1&<0PpWI&)z_a{-q6cQ3zJ&}Iuh?)yY-A$VR`Q{W2K*)cu#Dw-_+@}H&uP=+C$Gj z_xkK4vR$j=%EsbW6;87fO}o_V+m{7jHR#ft$vAJ`x(l~!oO)M!XZ>0A_GE`l z{Ij4r4`l=XY&2wKTpL{;ZM{u5Bst@A)~5y2uU|(z4j~Ms|jdG;{? literal 0 HcmV?d00001 diff --git a/tests/data_files/pkcs7_data_multiple_certs_signed.der b/tests/data_files/pkcs7_data_multiple_certs_signed.der new file mode 100644 index 0000000000000000000000000000000000000000..73755dbbdf77afe9bedabad2214bfd1755b4e8d9 GIT binary patch literal 2504 zcmcIldooQtYM#(j#aT_v9E+rWv zESef5mu6C%nyj{La&5+yQkgrp7!it&-t9^b3W&JKF{~_d_V@G z4URBOwM$(=0dmk12BHCEAZnoiKvV`%aD;EF9S{hUfdaA+Q1QP+po9Ux3^HK$AOlJ) zfk6Q%6a%WL#Eo*i+${rcH24-q8M=7-6@8TWk2s(xl`tbJf(ST_Dg#%8Iyn-RK;%cD zfRuG{*iYU`R0q{QVi*$nZ>+mN@We@7BKQ>+Wdah3CT2u4B1p72B!$FJ;1{Yg0Q{%N zlim=<0F)sh15ki6001JG{04u~w(|8kF*)UkIIMEEx^3iepp#mSe2buOq5ATvRKlDN zBnSr)jcMAAaU^jyB3ED95&B}3CDU}*HqUr+_ZfpZRu91K^bI9OOMAi!Ly{DMd%uGX4G~giTYqmv!^D%EcKFPR*+Sbb%$>)FVJ0O zDC#Xq`oUqihHDvVvjgJf(9u-!w=trS?^iO)^LOU^BNJE@3FUzJ=A)%mZL!S?-L!Lb zX2hwpt*5YL9~1^afHE@Z3TjIqMO#TmLk8pH^Xt{;;e*~$`jvz@Igivgh`iAZI@1k)OG-pkx0vR!OXAY4jr$w4Zxm#&Mg0+?EK#7 zd;))>iFVjAR)nTTn2 z;&MFUP8j;4SAWvI>;b%JdB=EH>{fzm=M$s}q3^Q(8~0rNZlz;;J-nO;RIA?N*NwZH zfALOvyJUK6!f*LWaM6kV*mtEb*6)>*k{fO4{X#W=+MUX@wc_&Qu1E9n!W}H$F_BhQ zvS;&3Xe_+;(!tQ0R1Jm9A(h?h5Vumz9?Lk+s`l*UrcAlw=AJE4CWBTisCF;ovgQMZ zpM3WKK9VI6AFN9&V#T~}iT1TMm_I-IyD-`F-szMJ4fvtggX^%*ceiq$-531Mwl5lc zlfNZQCeqOSd6)*bL+p6;F&p8CajVEZaw4}%2D_&WRrKPO2sQk0(3+oEAnG*mgB4j$ z*?OrCE(qULSzD2c^+@Nl9ynY{LbF#Yu2$;YcVB={XcRVLE*?xzZ6&o|a@|QlzP&Kd zw-ST}`S<5dzF#!hXxOWpfD!)8)3e)|CLgxpP$}hB%U*~DnEnfyV*ys!I?z(T9aXHt_!#RhLToFlT zC--KML%DOy>h$c%GUB(~(V-{X?b8L_TAMPzt7BzeudMcYL@&8nwJXn9lNsAWUBZzT z0sc0oZ~J?n{MN%VMxEX4wBsd|gIoWxueC${Newl7gWf6GgbTB8Fn52Yl8p2E^pyi7#Y|6?fCC?9 zZV!?vs4Hlf0{nhYx0Lm-y>^J&wn=jK32;gu>O9T$hz#hAbR@&2H3m9m%xiSqz<3SPaYlI?yP;`+;HeDgaC*PHdS6Zf z^@o0yhpGYXt#K}h2j|Ke7VAU`$%z>g;Dw@g`Cko4Ml<~edj`f(x|OU)rucVtsK;EZ zx^!!P;FdhjkK^J4q>Z3v1Yfo=08u~fF z0~HSML;f|}O`w=R`uYCc_V|qo+e0&$9n=U)Z&B9XbI+Spho-OfI(6_fY+k8jPKoFX z7*ay+GH!29>0%uZk>WjPPcu?fJ(Gl7{a1 zt64T;oP9RU#k;U$>s{-Xvd3MMYCes()tuCx%L0=V0XG8jt=qDOXIzeZL`6+qGmHyG+)IkT;^h9(O2CbSlv+^0S9~ P!j2Xp&PSN9x(@vdYO3T( literal 0 HcmV?d00001 diff --git a/tests/data_files/pkcs7_data_multiple_signed.der b/tests/data_files/pkcs7_data_multiple_signed.der new file mode 100644 index 0000000000000000000000000000000000000000..a38c3ef63fd7d725c4aa7620eaddb76e1f3a0289 GIT binary patch literal 810 zcmXqLVpe10)N1o+`_9YA&a|M3S=^wBS(u5D(U9MOmyI)_&4V$OnT3gwmBD};p^(wA ziRqm|6Js$@p@ENqi6OTECmVAp3!5;LpN}D*0S}17#lsrl?Hp`wC~6=K;xqH`fcXl} zsYN9UhD;&`f`T;Hp{DZHT z^0tnc4JO;QI<9OiZdKtlE77z|y}o@}@Ku8@y_t;j=B>MMyT++^rFYh!Rc}vr$izPj zn)6UL;Lk=wM#i<#<^6iOG_4+qkt7z1dQ^(j0jx z3w9$W5zjq8<(J;k*qgT|bCdWb+x=_LA3RPt*lU%!bo078PKTC;T%X(L(0^%%(1W*2 zuKS(d+vW0DRHXWD{$~-dx+&iz940UNvS|-zYs^Q_6di7%#%7)$dzdzaG%=R4sS7SI zzk70rTEWUWf4-Y?XxS?WEt1*ETKarmcY8q0?9-b2oOUffaru>S?DlQKe!^#_eu#Ky zvdpET_Iko*)BHk-(-V1rPg{^w_56Epc$M+&lq&s_kh>rDoXdE`$xx6Ye%rE9?-SS8 zushF6PU|t&zm64W>P^Zzo8Pu$uY<_@e2$j$(~C@#m6-Ree7;tMy=HsPuUG8zLnYEB q%VYx=XwO^Bs-r*k5!bxu-t!y$7AVe5^kj=*&Y8z!Rt5uZghIvz zP0YRqP0XGKO-zOhn3))vm_!T&1#6zJjSjO(Ubi)2cDYtSMB-eK5m3V!xq(KQ7;+nM zvN4CUun9By`55vU@PIg6JgfoU&cWt}q6WesJ~Iywn6KcRT2!K7XdoxfYh++(Xk=n& zVrXD!83p7TB5}zywTV#)*?B-8GB+{uGZ-{6axpbAGBO;0<*qc{ZTXY_55cY39}1Sg zUv=bBTB@J$YK~pUZ+u=gtGZ49qdY@~1jF5D(jL#&{;gSkH!vY3JO4|$O^30yc0_IP z)kckvz1J8wTu=JUEF@k3x^k7{x2xU$W?sLi>2R)l5#0XC`_!bCzp7zZi-aC;J`%)V zR+TMiu>8SB@xJ%+M`p<1d3y4CJ?HD<2d5VC&SQT!PvJ+_tyf!`-`@^Dk#hWev-wkauE;`?F!v9CX5Ke&9)H@@)n-6OvXN3P9Y;K;fR5_=CJTT5=m02VV#2TzIhm@0t5&dAW!kTNAeQCYI+p(D_y4Cep>FSs9Vux( zSxYi9zx>q^(Au%qv$srK{f_bT)$_t76c#=8&R=?Y4UdjY%Z6~F&Br_&OW)3G_*SdG zyFg%i^v&i26K^Tq{bu(3a+RjO(1kNRM*25qslE)GqGZdL>kuC8e@kfP8>K&bmv>%_ zX?^q6c*~2#Z)Y;+7CDRmTy*8nfu&w8+gBCKl99M5CmGvI~5V@&+Zg1t2T@?v#8lNUSHEd!m2PVB@V9qn}AumPa&VtCf7%4{r zlRQfkBZJ%SL#;Hp{DZHT^0tnc4JO;QI<9OiZdKtlE77z|y}o@}@Ku8@y_t;j=B>MM zyT++^rFYh!Rc}vr$izPjn)6UL;Lk=wM#i<#<^6 TiOG_4+qkt7z1dQ^(j0jJeD?hR literal 0 HcmV?d00001 diff --git a/tests/data_files/pkcs7_data_signed_badsigner.der b/tests/data_files/pkcs7_data_signed_badsigner.der new file mode 100644 index 0000000000000000000000000000000000000000..9ea4231a6eb9e0c4645d1007ca30cb3170e580f3 GIT binary patch literal 1284 zcmXqLVr5|C)N1o+`_9YA&a|M3<)c9p%UdQ!MnirBUN+8zHV?*BW)>z!Rt5uZghIvz zP0YRqP0XGKO-zOhn3))vm_!T&1#6zJjSjO(Ubi)2cDYtSMB-eK5m3V!xq(KQ7;+nM zvN4CUun9By`55vU@PIg6JgfoU&cWt}q6WesJ~Iywn6KcRT2!K7XdoxfYh++(Xk=n& zVrXD!83p7TB5}zywTV#)*?B-8GB+{uGZ-{6axpbAGBO;0<*qc{ZTXY_55cY39}1Sg zUv=bBTB@J$YK~pUZ+u=gtGZ49qdY@~1jF5D(jL#&{;gSkH!vY3JO4|$O^30yc0_IP z)kckvz1J8wTu=JUEF@k3x^k7{x2xU$W?sLi>2R)l5#0XC`_!bCzp7zZi-aC;J`%)V zR+TMiu>8SB@xJ%+M`p<1d3y4CJ?HD<2d5VC&SQT!PvJ+_tyf!`-`@^Dk#hWev-wkauE;`?F!v9CX5Ke&9)H@@)n-6OvXN3P9Y;K;LDI@B5(Z)o*cI@D6bLgi z{%2t|U}Aa<^ph?n@m@|MUC*)0t4W_r;EsG@q;` z8JS=H>Ii7d5FhwS@TDn0D;cV1I3H@auv%OrcfX_oZi zrbLdbx0K3ykAH~V)IPVj^2x4>1UHRO6P_A2F_r_9UNJD|8Tja?<|)KfBpPy&luvMH zLF8PFlp}#jo~4PA!EN`U)~|=(hIgiYStkBa>$GeBSYE&)d4gIkmcr>0#&1 zFwq;6XNIo0DR@*U`Q-kZ0M5hxOPehJ7>0QHbyOxt^M+ndTA17-(2;oW+O2223d?(s z87uwV#Cu|c{iaT*y{YO`*B*NQ!PiT9TSv?WlkHj^S2h;6s&JZ>XxgP--@YvPszI0D zOvZWh)?K(=Yyla|G zO^oG0g~dRH20jKRhTI06Y|No7Y{E=_K8Ab-JRlAi4{Lz8bFjIgsDUtu&&~gJuh{U<*mIB=XbsZzn4J=KJ3~sv*wSGPPHoP^F5f?M+pmy7tiX558W? z+d5)4m~7YTxU#XhRfW^6MAI(y`u1hPR}H%KW-`v3x9-C28mHcs-dTTEy*=3>6aOq| z&O_ONKN}4h8P`UaM_X^x4N1=Uob_qJ^sAQ-%DW%8ck>JmS)2Rs-eJj0%T*PgYiKr2 z3`xj}oW05Zj>r;2lWVG+lc&~ppR_D?y^-A`us6m3ZQsl#CQHt3z!Rt5uZghIvz zP0YRqP0XGKO-zOhn3))vm_!T&1#6zJjSjO(Ubi)2cDYtSMB-eK5m3V!xq(KQ7;+nM zvN4CUun9By`55vU@PIg6JgfoU&cWt}q6WesJ~Iywn6KcRT2!K7XdoxfYh++(Xk=n& zVrXD!83p7TB5}zywTV#)*?B-8GB+{uGZ-{6axpbAGBO;0<*qc{ZTXY_55cY39}1Sg zUv=bBTB@J$YK~pUZ+u=gtGZ49qdY@~1jF5D(jL#&{;gSkH!vY3JO4|$O^30yc0_IP z)kckvz1J8wTu=JUEF@k3x^k7{x2xU$W?sLi>2R)l5#0XC`_!bCzp7zZi-aC;J`%)V zR+TMiu>8SB@xJ%+M`p<1d3y4CJ?HD<2d5VC&SQT!PvJ+_tyf!`-`@^Dk#hWev-wkauE;`?F!v9CX5Ke&9)H@@)n-6OvXN3P9Y;K;LDI@B5(Z)o*cI@D6bLgi z{%2t|U}Aa<^ph?n@m@|MUC*)0t4W_r;EsG@q;` z8JS=H>Ii7d5FhwS@TDn0D;cV1I3H@auv%OrcfX_oZi zrbLdbx0K3ykAH~V)IPVj^2x4>1UHRO6P_A2F_r_9UNJD|8Tc6JrsgTcR2Z9bk&;hv zXF=p#jFcmRNuH&Nk-=^Eq1La5--dUleOV^{P~?d~&8_FFd3@gSYtP%d!#TCOi|JwK z%`nj$lV^smxG8v4DEZ|6ngGtj{Y#rH{}_gN`E^t#NAreWPFk4UBG8d|@7k?ryb8;E zj~Ofd+{AlggZ-vXr@g7_Q`a7P{=wHvd0R)!29xbt9alCMx2kZOm1x?fUf;ef_^Lsd z-b}`M^VVIsUE|cd(mU(Vs<$UQWa6I%&3Pyr@MohTBjeiW@@VUAx*^FKpR+zKn11#0 zL3#J%_HLfRA!~F0-8(FKX}PMxa}CX=i6IGDk+V11-w|12XmU-JbMn;M?vs|qt~auK b1oo!*zwMj3#AM02ZQNRk-fXE{X^uPqX$SoE literal 0 HcmV?d00001 diff --git a/tests/data_files/pkcs7_signerInfo_serial_invalid_size.der b/tests/data_files/pkcs7_signerInfo_serial_invalid_size.der new file mode 100644 index 0000000000000000000000000000000000000000..871e77db708b2ac4d3e045f61421e96c73d921eb GIT binary patch literal 1284 zcmXqLVr5|C)N1o+`_9YA&a|M3<)c9p%UdQ!MnirBUN+8zHV?*BW)>z!Rt5uZghIvz zP0YRqP0XGKO-zOhn3))vm_!T&1#6zJjSjO(Ubi)2cDYtSMB-eK5m3V!xq(KQ7;+nM zvN4CUun9By`55vU@PIg6JgfoU&cWt}q6WesJ~Iywn6KcRT2!K7XdoxfYh++(Xk=n& zVrXD!83p7TB5}zywTV#)*?B-8GB+{uGZ-{6axpbAGBO;0<*qc{ZTXY_55cY39}1Sg zUv=bBTB@J$YK~pUZ+u=gtGZ49qdY@~1jF5D(jL#&{;gSkH!vY3JO4|$O^30yc0_IP z)kckvz1J8wTu=JUEF@k3x^k7{x2xU$W?sLi>2R)l5#0XC`_!bCzp7zZi-aC;J`%)V zR+TMiu>8SB@xJ%+M`p<1d3y4CJ?HD<2d5VC&SQT!PvJ+_tyf!`-`@^Dk#hWev-wkauE;`?F!v9CX5Ke&9)H@@)n-6OvXN3P9Y;K;LDI@B5(Z)o*cI@D6bLgi z{%2t|U}Aa<^ph?n@m@|MUC*)0t4W_r;EsG@q;` z8JS=H>Ii7d5FhwS@TDn0D;cV1I3H@auv%OrcfX_oZi zrbLdbx0K3ykAH~V)IPVj^2x4>1UHRO6P_A2F_r_9UNJD|8TgQwqM3A4^Aut#3{APv zvmkOVM#_=EB+t^s$l$j7Q0v#jZ^Jv&zAO`eDDp(0=GODoJU;LEwdZZ!;hb9C#q_ZA zW|-)W$umP&+!Q=2lzei3O#tWN{-sTpe+)ys{5mR=qj^IwCoN2F5$H&~ckR|QUWMho z$BdPJZsI+$!G2Sx)816|scR2C|KRJTysaZ6BTU9vCN;K_KuWw%#eAS>! zZzkisdFw9Ru5s#J>7Dgw)!UODGV#xX<~)=Q__NWFk#TKwd9?L5-H_yr&sm=qOuu^h zpuGEWdpFPEkhQu0?j4rAv|Lr;xrS!b#E^un$l06h?}#ihG`XhAIeBVr_eslQ*BjYA b0((>Z-}cR1VzT7iHg2s%Z?;sfG)Eo)oICp2 literal 0 HcmV?d00001 From c448c94fe3253ca8a2c2951b3ce1ecb03053c351 Mon Sep 17 00:00:00 2001 From: Nick Child Date: Thu, 1 Jul 2021 15:29:50 -0400 Subject: [PATCH 07/35] pkcs7: pkcs7_get_content_info_type should reset *p on error The function `pkcs7_asn1_get_tag` should return an update pointer only on success. Currently, the pointer is being updated on a failure case. This commit resets *p to start if the first call to mbedtls_asn1_get_tag fails. Signed-off-by: Daniel Axtens Signed-off-by: Nick Child --- library/pkcs7.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/library/pkcs7.c b/library/pkcs7.c index 5563f330e..8c2a3ecaf 100644 --- a/library/pkcs7.c +++ b/library/pkcs7.c @@ -107,8 +107,10 @@ static int pkcs7_get_content_info_type( unsigned char **p, unsigned char *end, ret = mbedtls_asn1_get_tag( p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ); - if( ret != 0 ) + if( ret != 0 ) { + *p = start; return( MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO + ret ); + } ret = mbedtls_asn1_get_tag( p, end, &len, MBEDTLS_ASN1_OID ); if( ret != 0 ) { From 390e61a47a0f9b369e80c413add2a1cde3230d8e Mon Sep 17 00:00:00 2001 From: Nick Child Date: Mon, 9 Aug 2021 13:33:14 -0400 Subject: [PATCH 08/35] pkcs7.h: Make pkcs7 fields private All fields in the mbedtls_pkcs7 struct have been made private with MBEDTLS_PRIVATE. Signed-off-by: Nick Child --- include/mbedtls/pkcs7.h | 46 +++++++++++++++++++++-------------------- 1 file changed, 24 insertions(+), 22 deletions(-) diff --git a/include/mbedtls/pkcs7.h b/include/mbedtls/pkcs7.h index 59da147b9..29bb503a7 100644 --- a/include/mbedtls/pkcs7.h +++ b/include/mbedtls/pkcs7.h @@ -46,6 +46,8 @@ #ifndef MBEDTLS_PKCS7_H #define MBEDTLS_PKCS7_H +#include "mbedtls/private_access.h" + #include "mbedtls/build_info.h" #include "asn1.h" @@ -115,14 +117,14 @@ mbedtls_pkcs7_type; */ typedef struct mbedtls_pkcs7_signer_info { - int version; - mbedtls_x509_buf serial; - mbedtls_x509_name issuer; - mbedtls_x509_buf issuer_raw; - mbedtls_x509_buf alg_identifier; - mbedtls_x509_buf sig_alg_identifier; - mbedtls_x509_buf sig; - struct mbedtls_pkcs7_signer_info *next; + int MBEDTLS_PRIVATE(version); + mbedtls_x509_buf MBEDTLS_PRIVATE(serial); + mbedtls_x509_name MBEDTLS_PRIVATE(issuer); + mbedtls_x509_buf MBEDTLS_PRIVATE(issuer_raw); + mbedtls_x509_buf MBEDTLS_PRIVATE(alg_identifier); + mbedtls_x509_buf MBEDTLS_PRIVATE(sig_alg_identifier); + mbedtls_x509_buf MBEDTLS_PRIVATE(sig); + struct mbedtls_pkcs7_signer_info *MBEDTLS_PRIVATE(next); } mbedtls_pkcs7_signer_info; @@ -131,8 +133,8 @@ mbedtls_pkcs7_signer_info; */ typedef struct mbedtls_pkcs7_data { - mbedtls_pkcs7_buf oid; - mbedtls_pkcs7_buf data; + mbedtls_pkcs7_buf MBEDTLS_PRIVATE(oid); + mbedtls_pkcs7_buf MBEDTLS_PRIVATE(data); } mbedtls_pkcs7_data; @@ -141,15 +143,15 @@ mbedtls_pkcs7_data; */ typedef struct mbedtls_pkcs7_signed_data { - int version; - mbedtls_pkcs7_buf digest_alg_identifiers; - struct mbedtls_pkcs7_data content; - int no_of_certs; - mbedtls_x509_crt certs; - int no_of_crls; - mbedtls_x509_crl crl; - int no_of_signers; - mbedtls_pkcs7_signer_info signers; + int MBEDTLS_PRIVATE(version); + mbedtls_pkcs7_buf MBEDTLS_PRIVATE(digest_alg_identifiers); + struct mbedtls_pkcs7_data MBEDTLS_PRIVATE(content); + int MBEDTLS_PRIVATE(no_of_certs); + mbedtls_x509_crt MBEDTLS_PRIVATE(certs); + int MBEDTLS_PRIVATE(no_of_crls); + mbedtls_x509_crl MBEDTLS_PRIVATE(crl); + int MBEDTLS_PRIVATE(no_of_signers); + mbedtls_pkcs7_signer_info MBEDTLS_PRIVATE(signers); } mbedtls_pkcs7_signed_data; @@ -158,9 +160,9 @@ mbedtls_pkcs7_signed_data; */ typedef struct mbedtls_pkcs7 { - mbedtls_pkcs7_buf raw; - mbedtls_pkcs7_buf content_type_oid; - mbedtls_pkcs7_signed_data signed_data; + mbedtls_pkcs7_buf MBEDTLS_PRIVATE(raw); + mbedtls_pkcs7_buf MBEDTLS_PRIVATE(content_type_oid); + mbedtls_pkcs7_signed_data MBEDTLS_PRIVATE(signed_data); } mbedtls_pkcs7; From 600bd30427a9d53b41c03e65f0816aa931669753 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 21 Feb 2022 11:30:43 +0100 Subject: [PATCH 09/35] Avoid unwanted eol conversion of test data MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Also, text files don't need to be generated by the Makefile. Signed-off-by: Manuel Pégourié-Gonnard --- tests/data_files/Makefile | 28 ++++++------------- .../{pkcs7_data.txt => pkcs7_data.bin} | 0 .../{pkcs7_data_1.txt => pkcs7_data_1.bin} | 0 tests/suites/test_suite_pkcs7.data | 12 ++++---- 4 files changed, 14 insertions(+), 26 deletions(-) rename tests/data_files/{pkcs7_data.txt => pkcs7_data.bin} (100%) rename tests/data_files/{pkcs7_data_1.txt => pkcs7_data_1.bin} (100%) diff --git a/tests/data_files/Makefile b/tests/data_files/Makefile index dbe32340f..8c7520fe3 100644 --- a/tests/data_files/Makefile +++ b/tests/data_files/Makefile @@ -1134,7 +1134,7 @@ tls13_certs: ecdsa_secp521r1.crt ecdsa_secp521r1.key # PKCS7 test data pkcs7_test_cert_1 = pkcs7-rsa-sha256-1.crt pkcs7_test_cert_2 = pkcs7-rsa-sha256-2.crt -pkcs7_test_file = pkcs7_data.txt +pkcs7_test_file = pkcs7_data.bin # Generate signing cert pkcs7-rsa-sha256-1.crt: @@ -1147,46 +1147,34 @@ pkcs7-rsa-sha256-2.crt: cat pkcs7-rsa-sha256-2.crt pkcs7-rsa-sha256-2.key > pkcs7-rsa-sha256-2.pem all_final += pkcs7-rsa-sha256-2.crt -# Generate data file to be signed -pkcs7_data.txt: - echo "Hello" > $@ - echo 2 >> pkcs7_data_1.txt -all_final += pkcs7_data.txt - -# Generate another data file to check hash mismatch during certificate verification -pkcs7_data_1.txt: $(pkcs7_test_file) - cat $(pkcs7_test_file) > $@ - echo 2 >> $@ -all_final += pkcs7_data_1.txt - # pkcs7 signature file with CERT pkcs7_data_cert_signed_sha256.der: $(pkcs7_test_file) $(pkcs7_test_cert_1) - $(OPENSSL) smime -sign -binary -in pkcs7_data.txt -out $@ -md sha256 -signer pkcs7-rsa-sha256-1.pem -noattr -outform DER -out $@ + $(OPENSSL) smime -sign -binary -in pkcs7_data.bin -out $@ -md sha256 -signer pkcs7-rsa-sha256-1.pem -noattr -outform DER -out $@ all_final += pkcs7_data_cert_signed_sha256.der # pkcs7 signature file with CERT and sha1 pkcs7_data_cert_signed_sha1.der: $(pkcs7_test_file) $(pkcs7_test_cert_1) - $(OPENSSL) smime -sign -binary -in pkcs7_data.txt -out $@ -md sha1 -signer pkcs7-rsa-sha256-1.pem -noattr -outform DER -out $@ + $(OPENSSL) smime -sign -binary -in pkcs7_data.bin -out $@ -md sha1 -signer pkcs7-rsa-sha256-1.pem -noattr -outform DER -out $@ all_final += pkcs7_data_cert_signed_sha1.der # pkcs7 signature file with CERT and sha512 pkcs7_data_cert_signed_sha512.der: $(pkcs7_test_file) $(pkcs7_test_cert_1) - $(OPENSSL) smime -sign -binary -in pkcs7_data.txt -out $@ -md sha512 -signer pkcs7-rsa-sha256-1.pem -noattr -outform DER -out $@ + $(OPENSSL) smime -sign -binary -in pkcs7_data.bin -out $@ -md sha512 -signer pkcs7-rsa-sha256-1.pem -noattr -outform DER -out $@ all_final += pkcs7_data_cert_signed_sha512.der # pkcs7 signature file without CERT pkcs7_data_without_cert_signed.der: $(pkcs7_test_file) $(pkcs7_test_cert_1) - $(OPENSSL) smime -sign -binary -in pkcs7_data.txt -out $@ -md sha256 -signer pkcs7-rsa-sha256-1.pem -nocerts -noattr -outform DER -out $@ + $(OPENSSL) smime -sign -binary -in pkcs7_data.bin -out $@ -md sha256 -signer pkcs7-rsa-sha256-1.pem -nocerts -noattr -outform DER -out $@ all_final += pkcs7_data_without_cert_signed.der # pkcs7 signature file with multiple signers pkcs7_data_multiple_signed.der: $(pkcs7_test_file) $(pkcs7_test_cert_1) $(pkcs7_test_cert_2) - $(OPENSSL) smime -sign -binary -in pkcs7_data.txt -out $@ -md sha256 -signer pkcs7-rsa-sha256-1.pem -signer pkcs7-rsa-sha256-2.pem -nocerts -noattr -outform DER -out $@ + $(OPENSSL) smime -sign -binary -in pkcs7_data.bin -out $@ -md sha256 -signer pkcs7-rsa-sha256-1.pem -signer pkcs7-rsa-sha256-2.pem -nocerts -noattr -outform DER -out $@ all_final += pkcs7_data_multiple_signed.der # pkcs7 signature file with multiple certificates pkcs7_data_multiple_certs_signed.der: $(pkcs7_test_file) $(pkcs7_test_cert_1) $(pkcs7_test_cert_2) - $(OPENSSL) smime -sign -binary -in pkcs7_data.txt -out $@ -md sha256 -signer pkcs7-rsa-sha256-1.pem -signer pkcs7-rsa-sha256-2.pem -noattr -outform DER -out $@ + $(OPENSSL) smime -sign -binary -in pkcs7_data.bin -out $@ -md sha256 -signer pkcs7-rsa-sha256-1.pem -signer pkcs7-rsa-sha256-2.pem -noattr -outform DER -out $@ all_final += pkcs7_data_multiple_certs_signed.der # pkcs7 signature file with corrupted CERT @@ -1208,7 +1196,7 @@ pkcs7_data_cert_signed_v2.der: pkcs7_data_cert_signed_sha256.der all_final += pkcs7_data_cert_signed_v2.der pkcs7_data_cert_encrypted.der: $(pkcs7_test_file) $(pkcs7_test_cert_1) - $(OPENSSL) smime -encrypt -aes256 -in pkcs7_data.txt -binary -outform DER -out $@ pkcs7-rsa-sha256-1.crt + $(OPENSSL) smime -encrypt -aes256 -in pkcs7_data.bin -binary -outform DER -out $@ pkcs7-rsa-sha256-1.crt all_final += pkcs7_data_cert_encrypted.der ## Negative tests diff --git a/tests/data_files/pkcs7_data.txt b/tests/data_files/pkcs7_data.bin similarity index 100% rename from tests/data_files/pkcs7_data.txt rename to tests/data_files/pkcs7_data.bin diff --git a/tests/data_files/pkcs7_data_1.txt b/tests/data_files/pkcs7_data_1.bin similarity index 100% rename from tests/data_files/pkcs7_data_1.txt rename to tests/data_files/pkcs7_data_1.bin diff --git a/tests/suites/test_suite_pkcs7.data b/tests/suites/test_suite_pkcs7.data index 75ee9f6b0..4af0edad3 100644 --- a/tests/suites/test_suite_pkcs7.data +++ b/tests/suites/test_suite_pkcs7.data @@ -27,24 +27,24 @@ PKCS7 Signed Data Parse Fail Encrypted Content #8 pkcs7_parse_content_oid:"data_files/pkcs7_data_cert_encrypted.der" PKCS7 Signed Data Verification Pass SHA256 #9 -pkcs7_verify:"data_files/pkcs7_data_cert_signed_sha256.der":"data_files/pkcs7-rsa-sha256-1.crt":"data_files/pkcs7_data.txt" +pkcs7_verify:"data_files/pkcs7_data_cert_signed_sha256.der":"data_files/pkcs7-rsa-sha256-1.crt":"data_files/pkcs7_data.bin" PKCS7 Signed Data Verification Pass SHA256 #9.1 -pkcs7_verify_hash:"data_files/pkcs7_data_cert_signed_sha256.der":"data_files/pkcs7-rsa-sha256-1.crt":"data_files/pkcs7_data.txt" +pkcs7_verify_hash:"data_files/pkcs7_data_cert_signed_sha256.der":"data_files/pkcs7-rsa-sha256-1.crt":"data_files/pkcs7_data.bin" PKCS7 Signed Data Verification Pass SHA1 #10 depends_on:MBEDTLS_SHA1_C -pkcs7_verify:"data_files/pkcs7_data_cert_signed_sha1.der":"data_files/pkcs7-rsa-sha256-1.crt":"data_files/pkcs7_data.txt" +pkcs7_verify:"data_files/pkcs7_data_cert_signed_sha1.der":"data_files/pkcs7-rsa-sha256-1.crt":"data_files/pkcs7_data.bin" PKCS7 Signed Data Verification Pass SHA512 #11 depends_on:MBEDTLS_SHA512_C -pkcs7_verify:"data_files/pkcs7_data_cert_signed_sha512.der":"data_files/pkcs7-rsa-sha256-1.crt":"data_files/pkcs7_data.txt" +pkcs7_verify:"data_files/pkcs7_data_cert_signed_sha512.der":"data_files/pkcs7-rsa-sha256-1.crt":"data_files/pkcs7_data.bin" PKCS7 Signed Data Verification Fail because of different certificate #12 -pkcs7_verify_badcert:"data_files/pkcs7_data_cert_signed_sha256.der":"data_files/pkcs7-rsa-sha256-2.crt":"data_files/pkcs7_data.txt" +pkcs7_verify_badcert:"data_files/pkcs7_data_cert_signed_sha256.der":"data_files/pkcs7-rsa-sha256-2.crt":"data_files/pkcs7_data.bin" PKCS7 Signed Data Verification Fail because of different data hash #13 -pkcs7_verify_tampered_data:"data_files/pkcs7_data_cert_signed_sha256.der":"data_files/pkcs7-rsa-sha256-1.crt":"data_files/pkcs7_data_1.txt" +pkcs7_verify_tampered_data:"data_files/pkcs7_data_cert_signed_sha256.der":"data_files/pkcs7-rsa-sha256-1.crt":"data_files/pkcs7_data_1.bin" PKCS7 Signed Data Parse Failure Corrupt signerInfo.issuer #15.1 pkcs7_parse_failure:"data_files/pkcs7_signerInfo_issuer_invalid_size.der" From 6671841d919beb38ba3d1abc08d93cce8af3314f Mon Sep 17 00:00:00 2001 From: Nick Child Date: Tue, 22 Feb 2022 17:19:59 -0600 Subject: [PATCH 10/35] pkcs7.c: Do not ignore return value of mbedlts_md CI was failing due to the return value of mbedtls_md being ignored. If this function does fail, return early and propogate the md error. Signed-off-by: Nick Child --- library/pkcs7.c | 8 ++++++-- tests/suites/test_suite_pkcs7.function | 5 +++-- 2 files changed, 9 insertions(+), 4 deletions(-) diff --git a/library/pkcs7.c b/library/pkcs7.c index 8c2a3ecaf..1c73709de 100644 --- a/library/pkcs7.c +++ b/library/pkcs7.c @@ -523,8 +523,12 @@ int mbedtls_pkcs7_signed_data_verify( mbedtls_pkcs7 *pkcs7, return( MBEDTLS_ERR_PKCS7_ALLOC_FAILED ); } - mbedtls_md( md_info, data, datalen, hash ); - + ret = mbedtls_md( md_info, data, datalen, hash ); + if( ret != 0 ) + { + mbedtls_free( hash ); + return( ret ); + } ret = mbedtls_pk_verify( &pk_cxt, md_alg, hash, 0, pkcs7->signed_data.signers.sig.p, pkcs7->signed_data.signers.sig.len ); diff --git a/tests/suites/test_suite_pkcs7.function b/tests/suites/test_suite_pkcs7.function index d85a45561..e2d76f36a 100644 --- a/tests/suites/test_suite_pkcs7.function +++ b/tests/suites/test_suite_pkcs7.function @@ -285,9 +285,10 @@ void pkcs7_verify_hash( char *pkcs7_file, char *crt, char *filetobesigned ) md_info = mbedtls_md_info_from_type( md_alg ); - mbedtls_md( md_info, data, datalen, hash ); + res = mbedtls_md( md_info, data, datalen, hash ); + TEST_ASSERT( res == 0 ); - res = mbedtls_pkcs7_signed_hash_verify( &pkcs7, &x509, hash, sizeof(hash)); + res = mbedtls_pkcs7_signed_hash_verify( &pkcs7, &x509, hash, sizeof(hash) ); TEST_ASSERT( res == 0 ); exit: From 6427b34dec143af38afbf302cf6c8307894d4ffe Mon Sep 17 00:00:00 2001 From: Nick Child Date: Fri, 25 Feb 2022 11:43:31 -0600 Subject: [PATCH 11/35] pkcs7.c: Use pkcs7_get_version for signerInfo The function pkcs7_get_version can be used again when parsing the version of the signerInfo. Both require that the version be equal to 1. The pkcs7_get_version function will return error if the found value is not the expected version as opposed to mbedtls_asn1_get_int which does not. Signed-off-by: Nick Child --- library/pkcs7.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/pkcs7.c b/library/pkcs7.c index 1c73709de..5fa02e311 100644 --- a/library/pkcs7.c +++ b/library/pkcs7.c @@ -289,7 +289,7 @@ static int pkcs7_get_signers_info_set( unsigned char **p, unsigned char *end, end_set = end_set_signer; - ret = mbedtls_asn1_get_int( p, end_set, &signers_set->version ); + ret = pkcs7_get_version( p, end_set, &signers_set->version ); if( ret != 0 ) return( MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO ); From 45525d37688e8b3d9918ca8b59591a3604a9c6db Mon Sep 17 00:00:00 2001 From: Nick Child Date: Fri, 25 Feb 2022 11:54:34 -0600 Subject: [PATCH 12/35] pkcs7: Fix dependencies for pkcs7 tests Fixes include removing PEM dependency for greater coverage when PEM config is not set and defining test dependencies at the appropriate level. Signed-off-by: Nick Child --- tests/data_files/Makefile | 9 +++++++ tests/data_files/pkcs7-rsa-sha256-1.der | Bin 0 -> 845 bytes tests/data_files/pkcs7-rsa-sha256-2.der | Bin 0 -> 845 bytes tests/suites/test_suite_pkcs7.data | 33 +++++++++++++++++------- tests/suites/test_suite_pkcs7.function | 26 +++++++++---------- 5 files changed, 46 insertions(+), 22 deletions(-) create mode 100644 tests/data_files/pkcs7-rsa-sha256-1.der create mode 100644 tests/data_files/pkcs7-rsa-sha256-2.der diff --git a/tests/data_files/Makefile b/tests/data_files/Makefile index 8c7520fe3..b92944ac2 100644 --- a/tests/data_files/Makefile +++ b/tests/data_files/Makefile @@ -1147,6 +1147,15 @@ pkcs7-rsa-sha256-2.crt: cat pkcs7-rsa-sha256-2.crt pkcs7-rsa-sha256-2.key > pkcs7-rsa-sha256-2.pem all_final += pkcs7-rsa-sha256-2.crt +# Convert signing certs to DER for testing PEM-free builds +pkcs7-rsa-sha256-1.der: $(pkcs7_test_cert_1) + $(OPENSSL) x509 -in pkcs7-rsa-sha256-1.crt -out $@ -outform DER +all_final += pkcs7-rsa-sha256-1.der + +pkcs7-rsa-sha256-2.der: $(pkcs7_test_cert_2) + $(OPENSSL) x509 -in pkcs7-rsa-sha256-2.crt -out $@ -outform DER +all_final += pkcs7-rsa-sha256-2.der + # pkcs7 signature file with CERT pkcs7_data_cert_signed_sha256.der: $(pkcs7_test_file) $(pkcs7_test_cert_1) $(OPENSSL) smime -sign -binary -in pkcs7_data.bin -out $@ -md sha256 -signer pkcs7-rsa-sha256-1.pem -noattr -outform DER -out $@ diff --git a/tests/data_files/pkcs7-rsa-sha256-1.der b/tests/data_files/pkcs7-rsa-sha256-1.der new file mode 100644 index 0000000000000000000000000000000000000000..622df1e7a38899b4da3a3601badd4fb36a333238 GIT binary patch literal 845 zcmXqLV)is>VlrI7%*4pVBw`>aSo3skbeK)@x~&Pb%e4X`66YH5vTwH$JbLRo$llQJx_~g5mBnX^&@X|JJO&8<>!io&TlW zro-4;JEAuDYNN)--fN5-t|xtF7Lu-iUAfBf+tqG=Gq2y%bU4?&2yXx6eQHw6U)8Xy zMM94^9|__wtI8HMSpHz6c;9>ZBQxahJUw~6p7V9_gHwxm=dr(=r|=`|)~hYe?{9~n zNI8DK*?g|R>foMoU7f$8_jc`!klwqvZN}gC$NN_I?cVFeaa`d?6Sv~mzc&pYvWW#Q z_EPiaEP0UA_93qFZdUsDuBFq=rzP>!^@jWn@%^y=*w-JjA6&lY8((<(?vdYxBiCjx zaAaa;WMEtzY!GN53yc(5J{B<+k=WS#3ojMliz!!~ar(=|l;3Jm<(vlcAZcY52?MbP z>hCTPm>zwz`M|_mN_W4RJ-=L~sV{Wl43ClijajNM!=@VlrI7%*4pVB;vW}r~J}88hi8BWNs3_WV?Uu`Gdy|c-c6$+C196^D;7W zvoaW%7;+nMvN4CUun9By`55vU@PIg6JgfoU&cWt}q6WesJ~Iywn6KcRT2!K7WFRNb zYh++(Xk=n&VrXD!83p7TB5}zywTV#)*?Ekt49rc8{0s(7j9g4jjEoHTbQwJM#213~Tme+zeW^Cn^8C z6LaszO_qWe4PI|NF7e`ke%*;W!>u8ypL1h3Obqg>Y!DE=wYef??!!=aiHYyN%D)a> z|9&kKGb01z;$VY716g3C$nvp>v4~tR+OThf|EhWoz7Kz&zhqYZ{U`LMfjmfBnMJ}t ztO2_MevkrTM#ldvtOm?L3OU$;sR9`6j0_7W9hH8e|1gug>20SSQ|G(#6Dx}qwf3bP zsi>&j$`Z1uOff%e=G$ZTDOV7Cf)zdRK7X zhL7Jw^C!MqY#6uU>4P)6o}I_9%Bb|jZ|dz?vwT(TvHS(=S6WZilkTY675Y`e>kH#v z?T&<#|6-@@Ph-)!aCKgL;ewDzO)1Cyr$x`K4xK2eb+j(4<;d1d!^h!1%>f(M`OAOu z$+EL3Zu$Ld*{iSOKZ4sgPc#*mJ0h@w_paFFNBWcAzZBVbKh#Ta>J3%? Date: Mon, 28 Feb 2022 10:09:16 -0600 Subject: [PATCH 13/35] pkcs7: Change copyright Signed-off-by: Nick Child --- include/mbedtls/pkcs7.h | 4 +--- library/pkcs7.c | 23 ++++++++++++----------- 2 files changed, 13 insertions(+), 14 deletions(-) diff --git a/include/mbedtls/pkcs7.h b/include/mbedtls/pkcs7.h index 29bb503a7..7699b60d5 100644 --- a/include/mbedtls/pkcs7.h +++ b/include/mbedtls/pkcs7.h @@ -5,7 +5,7 @@ * https://tools.ietf.org/html/rfc2315 */ /* - * Copyright (C) 2019, IBM Corp, All Rights Reserved + * Copyright The Mbed TLS Contributors * SPDX-License-Identifier: Apache-2.0 * * Licensed under the Apache License, Version 2.0 (the "License"); you may @@ -19,8 +19,6 @@ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. - * - * This file is part of mbed TLS (https://tls.mbed.org) */ /** diff --git a/library/pkcs7.c b/library/pkcs7.c index 5fa02e311..9b66bdb23 100644 --- a/library/pkcs7.c +++ b/library/pkcs7.c @@ -1,17 +1,18 @@ -/* Copyright 2019 IBM Corp. +/* + * Copyright The Mbed TLS Contributors + * SPDX-License-Identifier: Apache-2.0 * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at + * Licensed under the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at * - * http://www.apache.org/licenses/LICENSE-2.0 + * http://www.apache.org/licenses/LICENSE-2.0 * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - * implied. - * See the License for the specific language governing permissions and - * limitations under the License. + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. */ #include "common.h" From 8a10f666923ee7e43cbfbc11243088bd7bb97e61 Mon Sep 17 00:00:00 2001 From: Nick Child Date: Mon, 6 Jun 2022 12:18:40 -0500 Subject: [PATCH 14/35] test/pkcs7: Add init for PSA tests Initialize the PSA subsystem in the test functions. Signed-off-by: Nick Child --- tests/suites/test_suite_pkcs7.function | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/tests/suites/test_suite_pkcs7.function b/tests/suites/test_suite_pkcs7.function index 8b35c5755..01edadb5f 100644 --- a/tests/suites/test_suite_pkcs7.function +++ b/tests/suites/test_suite_pkcs7.function @@ -200,6 +200,8 @@ void pkcs7_verify( char *pkcs7_file, char *crt, char *filetobesigned ) mbedtls_pkcs7 pkcs7; mbedtls_x509_crt x509; + USE_PSA_INIT(); + mbedtls_pkcs7_init( &pkcs7 ); mbedtls_x509_crt_init( &x509 ); @@ -233,6 +235,7 @@ exit: mbedtls_x509_crt_free( &x509 ); mbedtls_free( data ); mbedtls_pkcs7_free( &pkcs7 ); + USE_PSA_DONE(); } /* END_CASE */ @@ -253,6 +256,8 @@ void pkcs7_verify_hash( char *pkcs7_file, char *crt, char *filetobesigned ) mbedtls_pkcs7 pkcs7; mbedtls_x509_crt x509; + USE_PSA_INIT(); + mbedtls_pkcs7_init( &pkcs7 ); mbedtls_x509_crt_init( &x509 ); @@ -296,6 +301,7 @@ exit: mbedtls_free( data ); mbedtls_pkcs7_free( &pkcs7 ); mbedtls_free( pkcs7_buf ); + USE_PSA_DONE(); } /* END_CASE */ @@ -313,6 +319,8 @@ void pkcs7_verify_badcert( char *pkcs7_file, char *crt, char *filetobesigned ) mbedtls_pkcs7 pkcs7; mbedtls_x509_crt x509; + USE_PSA_INIT(); + mbedtls_pkcs7_init( &pkcs7 ); mbedtls_x509_crt_init( &x509 ); @@ -346,6 +354,7 @@ exit: mbedtls_free( data ); mbedtls_pkcs7_free( &pkcs7 ); mbedtls_free( pkcs7_buf ); + USE_PSA_DONE(); } /* END_CASE */ @@ -363,6 +372,8 @@ void pkcs7_verify_tampered_data( char *pkcs7_file, char *crt, char *filetobesign mbedtls_pkcs7 pkcs7; mbedtls_x509_crt x509; + USE_PSA_INIT(); + mbedtls_pkcs7_init( &pkcs7 ); mbedtls_x509_crt_init( &x509 ); @@ -396,6 +407,7 @@ exit: mbedtls_pkcs7_free( &pkcs7 ); mbedtls_free( data ); mbedtls_free( pkcs7_buf ); + USE_PSA_DONE(); } /* END_CASE */ From 3538479faa7a73239671239feadbfac1b68b2f0c Mon Sep 17 00:00:00 2001 From: Daniel Axtens Date: Wed, 2 Sep 2020 14:48:45 +1000 Subject: [PATCH 15/35] pkcs7: support multiple signers Rather than only parsing/verifying one SignerInfo in the SignerInfos field of the PKCS7 stucture, allow the ability to parse and verify more than one signature. Verification will return success if any of the signatures produce a match. Signed-off-by: Daniel Axtens Signed-off-by: Nick Child --- library/pkcs7.c | 260 +++++++++++++++++-------- tests/suites/test_suite_pkcs7.data | 10 +- tests/suites/test_suite_pkcs7.function | 80 ++++++-- 3 files changed, 249 insertions(+), 101 deletions(-) diff --git a/library/pkcs7.c b/library/pkcs7.c index 9b66bdb23..0f4e1ec2b 100644 --- a/library/pkcs7.c +++ b/library/pkcs7.c @@ -250,7 +250,6 @@ static int pkcs7_get_signature( unsigned char **p, unsigned char *end, } /** - * SignerInfos ::= SET of SignerInfo * SignerInfo ::= SEQUENCE { * version Version; * issuerAndSerialNumber IssuerAndSerialNumber, @@ -261,6 +260,88 @@ static int pkcs7_get_signature( unsigned char **p, unsigned char *end, * encryptedDigest EncryptedDigest, * unauthenticatedAttributes * [1] IMPLICIT Attributes OPTIONAL, + * Returns 0 if the signerInfo is valid. + * Return negative error code for failure. + **/ +static int pkcs7_get_signer_info( unsigned char **p, unsigned char *end, + mbedtls_pkcs7_signer_info *signer ) +{ + unsigned char *end_signer; + int ret; + size_t len = 0; + + ret = mbedtls_asn1_get_tag( p, end, &len, MBEDTLS_ASN1_CONSTRUCTED + | MBEDTLS_ASN1_SEQUENCE ); + if( ret != 0 ) + return( MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO + ret ); + + end_signer = *p + len; + + ret = pkcs7_get_version( p, end_signer, &signer->version ); + if( ret != 0 ) + return( MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO ); + + ret = mbedtls_asn1_get_tag( p, end_signer, &len, MBEDTLS_ASN1_CONSTRUCTED + | MBEDTLS_ASN1_SEQUENCE ); + if( ret != 0 ) + return( MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO + ret ); + + /* Parsing IssuerAndSerialNumber */ + signer->issuer_raw.p = *p; + + ret = mbedtls_asn1_get_tag( p, end_signer, &len, MBEDTLS_ASN1_CONSTRUCTED + | MBEDTLS_ASN1_SEQUENCE ); + if( ret != 0 ) + return( MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO + ret ); + + ret = mbedtls_x509_get_name( p, *p + len, &signer->issuer ); + if( ret != 0 ) + return( MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO ); + + signer->issuer_raw.len = *p - signer->issuer_raw.p; + + ret = mbedtls_x509_get_serial( p, end_signer, &signer->serial ); + if( ret != 0 ) + return( MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO ); + + ret = pkcs7_get_digest_algorithm( p, end_signer, &signer->alg_identifier ); + if( ret != 0 ) + return( MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO ); + + ret = pkcs7_get_digest_algorithm( p, end_signer, &signer->sig_alg_identifier ); + if( ret != 0 ) + return( MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO ); + + ret = pkcs7_get_signature( p, end_signer, &signer->sig ); + if( ret != 0 ) + return( MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO ); + + /* Do not permit any unauthenticated attributes */ + if( *p != end_signer ) + return ( MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO ); + + return( 0 ); +} + +static void pkcs7_free_signer_info( mbedtls_pkcs7_signer_info *signer ) +{ + mbedtls_x509_name *name_cur; + mbedtls_x509_name *name_prv; + + if( signer == NULL ) + return; + + name_cur = signer->issuer.next; + while( name_cur != NULL ) + { + name_prv = name_cur; + name_cur = name_cur->next; + mbedtls_free( name_prv ); + } +} + +/** + * SignerInfos ::= SET of SignerInfo * Return number of signers added to the signed data, * 0 or higher is valid. * Return negative error code for failure. @@ -268,76 +349,61 @@ static int pkcs7_get_signature( unsigned char **p, unsigned char *end, static int pkcs7_get_signers_info_set( unsigned char **p, unsigned char *end, mbedtls_pkcs7_signer_info *signers_set ) { - unsigned char *end_set, *end_set_signer; + unsigned char *end_set; int ret; + int count = 0; size_t len = 0; + mbedtls_pkcs7_signer_info *signer, *prev; ret = mbedtls_asn1_get_tag( p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SET ); if( ret != 0 ) return( MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO + ret ); + /* Detect zero signers */ + if( len == 0 ) + return( 0 ); + end_set = *p + len; - ret = mbedtls_asn1_get_tag( p, end_set, &len, MBEDTLS_ASN1_CONSTRUCTED - | MBEDTLS_ASN1_SEQUENCE ); + ret = pkcs7_get_signer_info( p, end_set, signers_set ); if( ret != 0 ) - return( MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO + ret ); + return( ret ); + count++; - end_set_signer = *p + len; - if (end_set_signer != end_set) - return ( MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO ); + prev = signers_set; + while( *p != end_set ) + { + signer = mbedtls_calloc( 1, sizeof( mbedtls_pkcs7_signer_info ) ); + if( !signer ) + { + ret = MBEDTLS_ERR_PKCS7_ALLOC_FAILED; + goto cleanup; + } - end_set = end_set_signer; + ret = pkcs7_get_signer_info( p, end_set, signer ); + if( ret != 0 ) { + mbedtls_free( signer ); + goto cleanup; + } + prev->next = signer; + prev = signer; + count++; + } - ret = pkcs7_get_version( p, end_set, &signers_set->version ); - if( ret != 0 ) - return( MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO ); + return( count ); - ret = mbedtls_asn1_get_tag( p, end_set, &len, MBEDTLS_ASN1_CONSTRUCTED - | MBEDTLS_ASN1_SEQUENCE ); - if( ret != 0 ) - return( MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO + ret ); - - /* Parsing IssuerAndSerialNumber */ - signers_set->issuer_raw.p = *p; - - ret = mbedtls_asn1_get_tag( p, end_set, &len, MBEDTLS_ASN1_CONSTRUCTED - | MBEDTLS_ASN1_SEQUENCE ); - if( ret != 0 ) - return( MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO + ret ); - - ret = mbedtls_x509_get_name( p, *p + len, &signers_set->issuer ); - if( ret != 0 ) - return( MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO ); - - signers_set->issuer_raw.len = *p - signers_set->issuer_raw.p; - - ret = mbedtls_x509_get_serial( p, end_set, &signers_set->serial ); - if( ret != 0 ) - return( MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO ); - - ret = pkcs7_get_digest_algorithm( p, end_set, &signers_set->alg_identifier ); - if( ret != 0 ) - return( MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO ); - - ret = pkcs7_get_digest_algorithm( p, end_set, &signers_set->sig_alg_identifier ); - if( ret != 0 ) - return( MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO ); - - ret = pkcs7_get_signature( p, end_set, &signers_set->sig ); - if( ret != 0 ) - return( MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO ); - - signers_set->next = NULL; - - if (*p != end_set) - return ( MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO ); - - /* Since in this version we strictly support single signer, and reaching - * here implies we have parsed successfully, we return 1. */ - - return( 1 ); +cleanup: + signer = signers_set->next; + pkcs7_free_signer_info( signers_set ); + while( signer ) + { + prev = signer; + signer = signer->next; + pkcs7_free_signer_info( prev ); + mbedtls_free( prev ); + } + return( ret ); } /** @@ -419,7 +485,7 @@ static int pkcs7_get_signed_data( unsigned char *buf, size_t buflen, signed_data->no_of_signers = ret; - /* Support single signer */ + /* Don't permit trailing data */ if ( p != end ) ret = MBEDTLS_ERR_PKCS7_INVALID_FORMAT; @@ -507,34 +573,62 @@ int mbedtls_pkcs7_signed_data_verify( mbedtls_pkcs7 *pkcs7, size_t datalen ) { - int ret; + int ret = MBEDTLS_ERR_PKCS7_VERIFY_FAIL; unsigned char *hash; mbedtls_pk_context pk_cxt = cert->pk; const mbedtls_md_info_t *md_info; mbedtls_md_type_t md_alg; + mbedtls_pkcs7_signer_info *signer; - ret = mbedtls_oid_get_md_alg( &pkcs7->signed_data.digest_alg_identifiers, &md_alg ); - if( ret != 0 ) + if( pkcs7->signed_data.no_of_signers == 0 ) return( MBEDTLS_ERR_PKCS7_VERIFY_FAIL ); - md_info = mbedtls_md_info_from_type( md_alg ); - hash = mbedtls_calloc( mbedtls_md_get_size( md_info ), 1 ); - if( hash == NULL ) { - return( MBEDTLS_ERR_PKCS7_ALLOC_FAILED ); - } - - ret = mbedtls_md( md_info, data, datalen, hash ); - if( ret != 0 ) + /* + * Potential TODOs + * Currently we iterate over all signers and return success if any of them + * verify. + * + * However, we could make this better by checking against the certificate's + * identification and SignerIdentifier fields first. That would also allow + * us to distinguish between 'no signature for key' and 'signature for key + * failed to validate'. + * + * We could also cache hashes by md, so if there are several sigs all using + * the same algo we don't recalculate the hash each time. + */ + signer = &pkcs7->signed_data.signers; + while( signer ) { - mbedtls_free( hash ); - return( ret ); - } - ret = mbedtls_pk_verify( &pk_cxt, md_alg, hash, 0, - pkcs7->signed_data.signers.sig.p, - pkcs7->signed_data.signers.sig.len ); + ret = mbedtls_oid_get_md_alg( &signer->alg_identifier, &md_alg ); + if( ret != 0 ) + return( MBEDTLS_ERR_PKCS7_VERIFY_FAIL ); - mbedtls_free( hash ); + md_info = mbedtls_md_info_from_type( md_alg ); + + hash = mbedtls_calloc( mbedtls_md_get_size( md_info ), 1 ); + if( hash == NULL ) { + return( MBEDTLS_ERR_PKCS7_ALLOC_FAILED ); + } + + ret = mbedtls_md( md_info, data, datalen, hash ); + if( ret != 0 ) + { + mbedtls_free( hash ); + return( ret ); + } + + ret = mbedtls_pk_verify( &pk_cxt, md_alg, hash, + mbedtls_md_get_size( md_info ), + signer->sig.p, signer->sig.len ); + + mbedtls_free( hash ); + + if( ret == 0 ) + break; + + signer = signer->next; + } return( ret ); } @@ -564,8 +658,8 @@ int mbedtls_pkcs7_signed_hash_verify( mbedtls_pkcs7 *pkcs7, */ void mbedtls_pkcs7_free( mbedtls_pkcs7 *pkcs7 ) { - mbedtls_x509_name *name_cur; - mbedtls_x509_name *name_prv; + mbedtls_pkcs7_signer_info *signer_cur; + mbedtls_pkcs7_signer_info *signer_prev; if( pkcs7 == NULL || pkcs7->raw.p == NULL ) return; @@ -575,12 +669,14 @@ void mbedtls_pkcs7_free( mbedtls_pkcs7 *pkcs7 ) mbedtls_x509_crt_free( &pkcs7->signed_data.certs ); mbedtls_x509_crl_free( &pkcs7->signed_data.crl ); - name_cur = pkcs7->signed_data.signers.issuer.next; - while( name_cur != NULL ) + signer_cur = pkcs7->signed_data.signers.next; + pkcs7_free_signer_info( &pkcs7->signed_data.signers ); + while( signer_cur != NULL ) { - name_prv = name_cur; - name_cur = name_cur->next; - mbedtls_free( name_prv ); + signer_prev = signer_cur; + signer_cur = signer_prev->next; + pkcs7_free_signer_info( signer_prev ); + mbedtls_free( signer_prev ); } pkcs7->raw.p = NULL; diff --git a/tests/suites/test_suite_pkcs7.data b/tests/suites/test_suite_pkcs7.data index d5ecd21cc..daced32b5 100644 --- a/tests/suites/test_suite_pkcs7.data +++ b/tests/suites/test_suite_pkcs7.data @@ -10,13 +10,9 @@ PKCS7 Signed Data Parse Pass Without CERT #3 depends_on:MBEDTLS_SHA256_C pkcs7_parse_without_cert:"data_files/pkcs7_data_without_cert_signed.der" -PKCS7 Signed Data Parse Fail with multiple signers #4 -depends_on:MBEDTLS_SHA256_C -pkcs7_parse_multiple_signers:"data_files/pkcs7_data_multiple_signed.der" - PKCS7 Signed Data Parse Fail with multiple certs #4 depends_on:MBEDTLS_SHA256_C -pkcs7_parse_multiple_signers:"data_files/pkcs7_data_multiple_certs_signed.der" +pkcs7_parse_multiple_certs:"data_files/pkcs7_data_multiple_certs_signed.der" PKCS7 Signed Data Parse Fail with corrupted cert #5 depends_on:MBEDTLS_SHA256_C @@ -69,3 +65,7 @@ pkcs7_parse_failure:"data_files/pkcs7_signerInfo_serial_invalid_size.der" PKCS7 Only Signed Data Parse Pass #15 depends_on:MBEDTLS_SHA256_C pkcs7_parse:"data_files/pkcs7_data_cert_signeddata_sha256.der" + +PKCS7 Signed Data Verify with multiple signers #16 +depends_on:MBEDTLS_SHA256_C +pkcs7_verify_multiple_signers:"data_files/pkcs7_data_multiple_signed.der":"data_files/pkcs7-rsa-sha256-1.crt":"data_files/pkcs7-rsa-sha256-2.crt":"data_files/pkcs7_data.bin" \ No newline at end of file diff --git a/tests/suites/test_suite_pkcs7.function b/tests/suites/test_suite_pkcs7.function index 01edadb5f..261824d15 100644 --- a/tests/suites/test_suite_pkcs7.function +++ b/tests/suites/test_suite_pkcs7.function @@ -61,7 +61,7 @@ exit: /* END_CASE */ /* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_RSA_C */ -void pkcs7_parse_multiple_signers( char *pkcs7_file ) +void pkcs7_parse_multiple_certs( char *pkcs7_file ) { unsigned char *pkcs7_buf = NULL; size_t buflen; @@ -75,19 +75,7 @@ void pkcs7_parse_multiple_signers( char *pkcs7_file ) TEST_ASSERT( res == 0 ); res = mbedtls_pkcs7_parse_der( &pkcs7, pkcs7_buf, buflen ); - TEST_ASSERT( res < 0 ); - - switch ( res ){ - case MBEDTLS_ERR_PKCS7_INVALID_CERT: - TEST_ASSERT( res == MBEDTLS_ERR_PKCS7_INVALID_CERT ); - break; - - case MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO: - TEST_ASSERT( res == MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO ); - break; - default: - TEST_ASSERT(0); - } + TEST_ASSERT( res == MBEDTLS_ERR_PKCS7_INVALID_CERT ); exit: mbedtls_free( pkcs7_buf ); @@ -411,6 +399,70 @@ exit: } /* END_CASE */ +/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_PKCS1_V15:MBEDTLS_RSA_C */ +void pkcs7_verify_multiple_signers( char *pkcs7_file, char *crt1, char *crt2, char *filetobesigned ) +{ + unsigned char *pkcs7_buf = NULL; + size_t buflen; + unsigned char *data = NULL; + struct stat st; + size_t datalen; + int res; + FILE *file; + + mbedtls_pkcs7 pkcs7; + mbedtls_x509_crt x509_1; + mbedtls_x509_crt x509_2; + + USE_PSA_INIT(); + + mbedtls_pkcs7_init( &pkcs7 ); + mbedtls_x509_crt_init( &x509_1 ); + mbedtls_x509_crt_init( &x509_2 ); + + res = mbedtls_pk_load_file( pkcs7_file, &pkcs7_buf, &buflen ); + TEST_ASSERT( res == 0 ); + + res = mbedtls_pkcs7_parse_der( &pkcs7, pkcs7_buf, buflen ); + TEST_ASSERT( res == MBEDTLS_PKCS7_SIGNED_DATA ); + + TEST_ASSERT( pkcs7.signed_data.no_of_signers == 2 ); + + res = mbedtls_x509_crt_parse_file( &x509_1, crt1 ); + TEST_ASSERT( res == 0 ); + + res = mbedtls_x509_crt_parse_file( &x509_2, crt2 ); + TEST_ASSERT( res == 0 ); + + res = stat( filetobesigned, &st ); + TEST_ASSERT( res == 0 ); + + file = fopen( filetobesigned, "r" ); + TEST_ASSERT( file != NULL ); + + datalen = st.st_size; + data = ( unsigned char* ) calloc( datalen, sizeof(unsigned char) ); + buflen = fread( ( void * )data , sizeof( unsigned char ), datalen, file ); + TEST_ASSERT( buflen == datalen ); + + fclose( file ); + + res = mbedtls_pkcs7_signed_data_verify( &pkcs7, &x509_1, data, datalen ); + TEST_ASSERT( res == 0 ); + + res = mbedtls_pkcs7_signed_data_verify( &pkcs7, &x509_2, data, datalen ); + TEST_ASSERT( res == 0 ); + +exit: + mbedtls_x509_crt_free( &x509_1 ); + mbedtls_x509_crt_free( &x509_2 ); + mbedtls_pkcs7_free( &pkcs7 ); + mbedtls_free( data ); + mbedtls_free( pkcs7_buf ); + USE_PSA_DONE(); +} +/* END_CASE */ + /* BEGIN_CASE depends_on:MBEDTLS_FS_IO */ void pkcs7_parse_failure( char *pkcs7_file ) { From 62b2d7e7d4a21500e2a159cbae4541903707133d Mon Sep 17 00:00:00 2001 From: Nick Child Date: Thu, 14 Jul 2022 16:24:59 -0500 Subject: [PATCH 16/35] pkcs7: Support verification of hash with multiple signers Make `mbedtls_pkcs7_signed_hash_verify` loop over all signatures in the PKCS7 structure and return success if any of them verify successfully. Signed-off-by: Nick Child --- library/pkcs7.c | 39 ++++++++++--- tests/suites/test_suite_pkcs7.data | 6 +- tests/suites/test_suite_pkcs7.function | 76 ++++++++++++++++++++++++++ 3 files changed, 112 insertions(+), 9 deletions(-) diff --git a/library/pkcs7.c b/library/pkcs7.c index 0f4e1ec2b..65dc83a4c 100644 --- a/library/pkcs7.c +++ b/library/pkcs7.c @@ -637,18 +637,41 @@ int mbedtls_pkcs7_signed_hash_verify( mbedtls_pkcs7 *pkcs7, const mbedtls_x509_crt *cert, const unsigned char *hash, size_t hashlen) { - int ret; + int ret = MBEDTLS_ERR_PKCS7_VERIFY_FAIL; + const mbedtls_md_info_t *md_info; mbedtls_md_type_t md_alg; mbedtls_pk_context pk_cxt; - - ret = mbedtls_oid_get_md_alg( &pkcs7->signed_data.digest_alg_identifiers, &md_alg ); - if( ret != 0 ) - return( MBEDTLS_ERR_PKCS7_VERIFY_FAIL ); + mbedtls_pkcs7_signer_info *signer; pk_cxt = cert->pk; - ret = mbedtls_pk_verify( &pk_cxt, md_alg, hash, hashlen, - pkcs7->signed_data.signers.sig.p, - pkcs7->signed_data.signers.sig.len ); + + if( pkcs7->signed_data.no_of_signers == 0 ) + return( MBEDTLS_ERR_PKCS7_VERIFY_FAIL ); + + signer = &pkcs7->signed_data.signers; + while( signer ) + { + ret = mbedtls_oid_get_md_alg( &signer->alg_identifier, &md_alg ); + if( ret != 0 ) + return( MBEDTLS_ERR_PKCS7_VERIFY_FAIL ); + + md_info = mbedtls_md_info_from_type( md_alg ); + + if( hashlen != mbedtls_md_get_size( md_info ) ) + { + ret = MBEDTLS_ERR_PKCS7_VERIFY_FAIL; + signer = signer->next; + continue; + } + + ret = mbedtls_pk_verify( &pk_cxt, md_alg, hash, hashlen, + pkcs7->signed_data.signers.sig.p, + pkcs7->signed_data.signers.sig.len ); + if( ret == 0 ) + break; + + signer = signer->next; + } return ( ret ); } diff --git a/tests/suites/test_suite_pkcs7.data b/tests/suites/test_suite_pkcs7.data index daced32b5..b813c6d3e 100644 --- a/tests/suites/test_suite_pkcs7.data +++ b/tests/suites/test_suite_pkcs7.data @@ -68,4 +68,8 @@ pkcs7_parse:"data_files/pkcs7_data_cert_signeddata_sha256.der" PKCS7 Signed Data Verify with multiple signers #16 depends_on:MBEDTLS_SHA256_C -pkcs7_verify_multiple_signers:"data_files/pkcs7_data_multiple_signed.der":"data_files/pkcs7-rsa-sha256-1.crt":"data_files/pkcs7-rsa-sha256-2.crt":"data_files/pkcs7_data.bin" \ No newline at end of file +pkcs7_verify_multiple_signers:"data_files/pkcs7_data_multiple_signed.der":"data_files/pkcs7-rsa-sha256-1.crt":"data_files/pkcs7-rsa-sha256-2.crt":"data_files/pkcs7_data.bin" + +PKCS7 Signed Data Hash Verify with multiple signers #17 +depends_on:MBEDTLS_SHA256_C +pkcs7_verify_hash_multiple_signers:"data_files/pkcs7_data_multiple_signed.der":"data_files/pkcs7-rsa-sha256-1.crt":"data_files/pkcs7-rsa-sha256-2.crt":"data_files/pkcs7_data.bin" diff --git a/tests/suites/test_suite_pkcs7.function b/tests/suites/test_suite_pkcs7.function index 261824d15..9822fb826 100644 --- a/tests/suites/test_suite_pkcs7.function +++ b/tests/suites/test_suite_pkcs7.function @@ -293,6 +293,82 @@ exit: } /* END_CASE */ +/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_PKCS1_V15:MBEDTLS_RSA_C */ +void pkcs7_verify_hash_multiple_signers( char *pkcs7_file, char *crt1, char *crt2, char *filetobesigned ) +{ + unsigned char *pkcs7_buf = NULL; + size_t buflen; + unsigned char *data = NULL; + unsigned char hash[32]; + struct stat st; + size_t datalen; + int res; + FILE *file; + const mbedtls_md_info_t *md_info; + mbedtls_md_type_t md_alg; + + mbedtls_pkcs7 pkcs7; + mbedtls_x509_crt x509_1; + mbedtls_x509_crt x509_2; + + USE_PSA_INIT(); + + mbedtls_pkcs7_init( &pkcs7 ); + mbedtls_x509_crt_init( &x509_1 ); + mbedtls_x509_crt_init( &x509_2 ); + + res = mbedtls_pk_load_file( pkcs7_file, &pkcs7_buf, &buflen ); + TEST_ASSERT( res == 0 ); + + res = mbedtls_pkcs7_parse_der( &pkcs7, pkcs7_buf, buflen ); + TEST_ASSERT( res == MBEDTLS_PKCS7_SIGNED_DATA ); + + TEST_ASSERT( pkcs7.signed_data.no_of_signers == 2 ); + + res = mbedtls_x509_crt_parse_file( &x509_1, crt1 ); + TEST_ASSERT( res == 0 ); + + res = mbedtls_x509_crt_parse_file( &x509_2, crt2 ); + TEST_ASSERT( res == 0 ); + + res = stat( filetobesigned, &st ); + TEST_ASSERT( res == 0 ); + + file = fopen( filetobesigned, "r" ); + TEST_ASSERT( file != NULL ); + + datalen = st.st_size; + data = ( unsigned char* ) calloc( datalen, sizeof(unsigned char) ); + buflen = fread( ( void * )data , sizeof( unsigned char ), datalen, file ); + TEST_ASSERT( buflen == datalen ); + + fclose( file ); + + res = mbedtls_oid_get_md_alg( &(pkcs7.signed_data.digest_alg_identifiers), &md_alg ); + TEST_ASSERT( res == 0 ); + TEST_ASSERT( md_alg == MBEDTLS_MD_SHA256 ); + + md_info = mbedtls_md_info_from_type( md_alg ); + + res = mbedtls_md( md_info, data, datalen, hash ); + TEST_ASSERT( res == 0 ); + + res = mbedtls_pkcs7_signed_hash_verify( &pkcs7, &x509_1, hash, sizeof(hash)); + TEST_ASSERT( res == 0 ); + + res = mbedtls_pkcs7_signed_data_verify( &pkcs7, &x509_2, data, datalen ); + TEST_ASSERT( res == 0 ); + +exit: + mbedtls_x509_crt_free( &x509_1 ); + mbedtls_x509_crt_free( &x509_2 ); + mbedtls_pkcs7_free( &pkcs7 ); + mbedtls_free( data ); + mbedtls_free( pkcs7_buf ); + USE_PSA_DONE(); +} +/* END_CASE */ + /* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_PKCS1_V15:MBEDTLS_RSA_C */ void pkcs7_verify_badcert( char *pkcs7_file, char *crt, char *filetobesigned ) { From 9f4fb3e63f90225661bf3268a6390aaeb3392423 Mon Sep 17 00:00:00 2001 From: Nick Child Date: Mon, 12 Sep 2022 16:21:02 -0500 Subject: [PATCH 17/35] pkcs7: Unite function return style In response to feedback[1], standardize return variable management across all pkcs7 functions. Additionally, when adding return codes from two error values, use `MBEDTLS_ERROR_ADD` as recommended [2]. [1] https://github.com/Mbed-TLS/mbedtls/pull/3431#discussion_r953634781 [2] https://github.com/Mbed-TLS/mbedtls/pull/3431#discussion_r953635128 Signed-off-by: Nick Child --- library/pkcs7.c | 233 +++++++++++++++++++++++++++++++----------------- 1 file changed, 152 insertions(+), 81 deletions(-) diff --git a/library/pkcs7.c b/library/pkcs7.c index 65dc83a4c..2299cfdac 100644 --- a/library/pkcs7.c +++ b/library/pkcs7.c @@ -24,6 +24,7 @@ #include "mbedtls/x509_crt.h" #include "mbedtls/x509_crl.h" #include "mbedtls/oid.h" +#include "mbedtls/error.h" #include #include @@ -64,15 +65,16 @@ void mbedtls_pkcs7_init( mbedtls_pkcs7 *pkcs7 ) static int pkcs7_get_next_content_len( unsigned char **p, unsigned char *end, size_t *len ) { - int ret; + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - if( ( ret = mbedtls_asn1_get_tag( p, end, len, MBEDTLS_ASN1_CONSTRUCTED - | MBEDTLS_ASN1_CONTEXT_SPECIFIC ) ) != 0 ) + ret = mbedtls_asn1_get_tag( p, end, len, MBEDTLS_ASN1_CONSTRUCTED + | MBEDTLS_ASN1_CONTEXT_SPECIFIC ); + if( ret != 0 ) { - return( MBEDTLS_ERR_PKCS7_INVALID_FORMAT + ret ); + ret = MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PKCS7_INVALID_FORMAT, ret ); } - return( 0 ); + return( ret ); } /** @@ -81,16 +83,17 @@ static int pkcs7_get_next_content_len( unsigned char **p, unsigned char *end, **/ static int pkcs7_get_version( unsigned char **p, unsigned char *end, int *ver ) { - int ret; + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - if( ( ret = mbedtls_asn1_get_int( p, end, ver ) ) != 0 ) - return( MBEDTLS_ERR_PKCS7_INVALID_VERSION + ret ); + ret = mbedtls_asn1_get_int( p, end, ver ); + if( ret != 0 ) + ret = MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PKCS7_INVALID_VERSION, ret ); /* If version != 1, return invalid version */ if( *ver != MBEDTLS_PKCS7_SUPPORTED_VERSION ) - return( MBEDTLS_ERR_PKCS7_INVALID_VERSION ); + ret = MBEDTLS_ERR_PKCS7_INVALID_VERSION; - return( 0 ); + return( ret ); } /** @@ -103,26 +106,29 @@ static int pkcs7_get_content_info_type( unsigned char **p, unsigned char *end, mbedtls_pkcs7_buf *pkcs7 ) { size_t len = 0; - int ret; + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; unsigned char *start = *p; ret = mbedtls_asn1_get_tag( p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ); if( ret != 0 ) { *p = start; - return( MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO + ret ); + ret = MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO, ret ); + goto out; } ret = mbedtls_asn1_get_tag( p, end, &len, MBEDTLS_ASN1_OID ); if( ret != 0 ) { *p = start; - return( MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO + ret ); + ret = MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO, ret ); + goto out; } pkcs7->tag = MBEDTLS_ASN1_OID; pkcs7->len = len; pkcs7->p = *p; +out: return( ret ); } @@ -134,12 +140,12 @@ static int pkcs7_get_content_info_type( unsigned char **p, unsigned char *end, static int pkcs7_get_digest_algorithm( unsigned char **p, unsigned char *end, mbedtls_x509_buf *alg ) { - int ret; + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; if( ( ret = mbedtls_asn1_get_alg_null( p, end, alg ) ) != 0 ) - return( MBEDTLS_ERR_PKCS7_INVALID_ALG ); + ret = MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PKCS7_INVALID_ALG, ret ); - return( 0 ); + return( ret ); } /** @@ -150,24 +156,31 @@ static int pkcs7_get_digest_algorithm_set( unsigned char **p, mbedtls_x509_buf *alg ) { size_t len = 0; - int ret; + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; ret = mbedtls_asn1_get_tag( p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SET ); if( ret != 0 ) - return( MBEDTLS_ERR_PKCS7_INVALID_ALG + ret ); + { + ret = MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PKCS7_INVALID_ALG, ret ); + goto out; + } end = *p + len; /** For now, it assumes there is only one digest algorithm specified **/ ret = mbedtls_asn1_get_alg_null( p, end, alg ); if( ret != 0 ) - return( MBEDTLS_ERR_PKCS7_INVALID_ALG + ret ); + { + ret = MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PKCS7_INVALID_ALG, ret ); + goto out; + } if ( *p != end ) - return ( MBEDTLS_ERR_PKCS7_INVALID_FORMAT ); + ret = MBEDTLS_ERR_PKCS7_INVALID_FORMAT; - return( 0 ); +out: + return( ret ); } /** @@ -182,7 +195,7 @@ static int pkcs7_get_digest_algorithm_set( unsigned char **p, static int pkcs7_get_certificates( unsigned char **p, unsigned char *end, mbedtls_x509_crt *certs ) { - int ret; + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; size_t len1 = 0; size_t len2 = 0; unsigned char *end_set, *end_cert; @@ -192,9 +205,10 @@ static int pkcs7_get_certificates( unsigned char **p, unsigned char *end, | MBEDTLS_ASN1_CONTEXT_SPECIFIC ) ) != 0 ) { if( ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ) - return( 0 ); - - return( MBEDTLS_ERR_PKCS7_INVALID_FORMAT + ret ); + ret = 0; + else + ret = MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PKCS7_INVALID_FORMAT, ret ); + goto out; } start = *p; end_set = *p + len1; @@ -202,7 +216,10 @@ static int pkcs7_get_certificates( unsigned char **p, unsigned char *end, ret = mbedtls_asn1_get_tag( p, end_set, &len2, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ); if( ret != 0 ) - return( MBEDTLS_ERR_PKCS7_INVALID_CERT + ret ); + { + ret = MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PKCS7_INVALID_CERT, ret ); + goto out; + } end_cert = *p + len2; @@ -213,18 +230,28 @@ static int pkcs7_get_certificates( unsigned char **p, unsigned char *end, * The behaviour would be improved with addition of multiple signer support. */ if (end_cert != end_set) - return ( MBEDTLS_ERR_PKCS7_INVALID_CERT ); + { + ret = MBEDTLS_ERR_PKCS7_INVALID_CERT; + goto out; + } *p = start; if( ( ret = mbedtls_x509_crt_parse( certs, *p, len1 ) ) < 0 ) - return( MBEDTLS_ERR_PKCS7_INVALID_CERT ); + { + ret = MBEDTLS_ERR_PKCS7_INVALID_CERT; + goto out; + } *p = *p + len1; - /* Since in this version we strictly support single certificate, and reaching - * here implies we have parsed successfully, we return 1. */ + /* + * Since in this version we strictly support single certificate, and reaching + * here implies we have parsed successfully, we return 1. + */ + ret = 1; - return( 1 ); +out: + return( ret ); } /** @@ -233,12 +260,12 @@ static int pkcs7_get_certificates( unsigned char **p, unsigned char *end, static int pkcs7_get_signature( unsigned char **p, unsigned char *end, mbedtls_pkcs7_buf *signature ) { - int ret; + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; size_t len = 0; ret = mbedtls_asn1_get_tag( p, end, &len, MBEDTLS_ASN1_OCTET_STRING ); if( ret != 0 ) - return( ret ); + goto out; signature->tag = MBEDTLS_ASN1_OCTET_STRING; signature->len = len; @@ -246,7 +273,8 @@ static int pkcs7_get_signature( unsigned char **p, unsigned char *end, *p = *p + len; - return( 0 ); +out: + return( ret ); } /** @@ -267,60 +295,67 @@ static int pkcs7_get_signer_info( unsigned char **p, unsigned char *end, mbedtls_pkcs7_signer_info *signer ) { unsigned char *end_signer; - int ret; + int asn1_ret = 0, ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; size_t len = 0; - ret = mbedtls_asn1_get_tag( p, end, &len, MBEDTLS_ASN1_CONSTRUCTED + asn1_ret = mbedtls_asn1_get_tag( p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ); - if( ret != 0 ) - return( MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO + ret ); + if( asn1_ret != 0 ) + goto out; end_signer = *p + len; ret = pkcs7_get_version( p, end_signer, &signer->version ); if( ret != 0 ) - return( MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO ); + goto out; - ret = mbedtls_asn1_get_tag( p, end_signer, &len, MBEDTLS_ASN1_CONSTRUCTED - | MBEDTLS_ASN1_SEQUENCE ); - if( ret != 0 ) - return( MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO + ret ); + asn1_ret = mbedtls_asn1_get_tag( p, end_signer, &len, + MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ); + if( asn1_ret != 0 ) + goto out; /* Parsing IssuerAndSerialNumber */ signer->issuer_raw.p = *p; - ret = mbedtls_asn1_get_tag( p, end_signer, &len, MBEDTLS_ASN1_CONSTRUCTED - | MBEDTLS_ASN1_SEQUENCE ); - if( ret != 0 ) - return( MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO + ret ); + asn1_ret = mbedtls_asn1_get_tag( p, end_signer, &len, + MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ); + if( asn1_ret != 0 ) + goto out; ret = mbedtls_x509_get_name( p, *p + len, &signer->issuer ); if( ret != 0 ) - return( MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO ); + goto out; signer->issuer_raw.len = *p - signer->issuer_raw.p; ret = mbedtls_x509_get_serial( p, end_signer, &signer->serial ); if( ret != 0 ) - return( MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO ); + goto out; ret = pkcs7_get_digest_algorithm( p, end_signer, &signer->alg_identifier ); if( ret != 0 ) - return( MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO ); + goto out; ret = pkcs7_get_digest_algorithm( p, end_signer, &signer->sig_alg_identifier ); if( ret != 0 ) - return( MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO ); + goto out; ret = pkcs7_get_signature( p, end_signer, &signer->sig ); if( ret != 0 ) - return( MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO ); + goto out; /* Do not permit any unauthenticated attributes */ if( *p != end_signer ) - return ( MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO ); + ret = MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO; - return( 0 ); +out: + if( asn1_ret != 0 ) + ret = MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO, + asn1_ret ); + else if( ret != 0 ) + ret = MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO; + + return( ret ); } static void pkcs7_free_signer_info( mbedtls_pkcs7_signer_info *signer ) @@ -350,7 +385,7 @@ static int pkcs7_get_signers_info_set( unsigned char **p, unsigned char *end, mbedtls_pkcs7_signer_info *signers_set ) { unsigned char *end_set; - int ret; + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; int count = 0; size_t len = 0; mbedtls_pkcs7_signer_info *signer, *prev; @@ -358,17 +393,23 @@ static int pkcs7_get_signers_info_set( unsigned char **p, unsigned char *end, ret = mbedtls_asn1_get_tag( p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SET ); if( ret != 0 ) - return( MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO + ret ); + { + ret = MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO, ret ); + goto out; + } /* Detect zero signers */ if( len == 0 ) - return( 0 ); + { + ret = 0; + goto out; + } end_set = *p + len; ret = pkcs7_get_signer_info( p, end_set, signers_set ); if( ret != 0 ) - return( ret ); + goto out; count++; prev = signers_set; @@ -391,7 +432,8 @@ static int pkcs7_get_signers_info_set( unsigned char **p, unsigned char *end, count++; } - return( count ); + ret = count; + goto out; cleanup: signer = signers_set->next; @@ -403,6 +445,8 @@ cleanup: pkcs7_free_signer_info( prev ); mbedtls_free( prev ); } + +out: return( ret ); } @@ -425,39 +469,46 @@ static int pkcs7_get_signed_data( unsigned char *buf, size_t buflen, unsigned char *end = buf + buflen; unsigned char *end_set; size_t len = 0; - int ret; + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; mbedtls_md_type_t md_alg; ret = mbedtls_asn1_get_tag( &p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ); if( ret != 0 ) - return( MBEDTLS_ERR_PKCS7_INVALID_FORMAT + ret ); + { + ret = MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PKCS7_INVALID_FORMAT, ret ); + goto out; + } end_set = p + len; /* Get version of signed data */ ret = pkcs7_get_version( &p, end_set, &signed_data->version ); if( ret != 0 ) - return( ret ); + goto out; /* Get digest algorithm */ ret = pkcs7_get_digest_algorithm_set( &p, end_set, &signed_data->digest_alg_identifiers ); if( ret != 0 ) - return( ret ); + goto out; ret = mbedtls_oid_get_md_alg( &signed_data->digest_alg_identifiers, &md_alg ); if( ret != 0 ) - return( MBEDTLS_ERR_PKCS7_INVALID_ALG ); + { + ret = MBEDTLS_ERR_PKCS7_INVALID_ALG; + goto out; + } /* Do not expect any content */ ret = pkcs7_get_content_info_type( &p, end_set, &signed_data->content.oid ); if( ret != 0 ) - return( ret ); + goto out; if( MBEDTLS_OID_CMP( MBEDTLS_OID_PKCS7_DATA, &signed_data->content.oid ) ) { - return( MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO ) ; + ret = MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO; + goto out; } p = p + signed_data->content.oid.len; @@ -466,7 +517,7 @@ static int pkcs7_get_signed_data( unsigned char *buf, size_t buflen, mbedtls_x509_crt_init( &signed_data->certs ); ret = pkcs7_get_certificates( &p, end_set, &signed_data->certs ); if( ret < 0 ) - return( ret ) ; + goto out; signed_data->no_of_certs = ret; @@ -481,15 +532,17 @@ static int pkcs7_get_signed_data( unsigned char *buf, size_t buflen, /* Get signers info */ ret = pkcs7_get_signers_info_set( &p, end_set, &signed_data->signers ); if( ret < 0 ) - return( ret ); + goto out; signed_data->no_of_signers = ret; /* Don't permit trailing data */ if ( p != end ) ret = MBEDTLS_ERR_PKCS7_INVALID_FORMAT; + else + ret = 0; - ret = 0; +out: return( ret ); } @@ -499,17 +552,21 @@ int mbedtls_pkcs7_parse_der( mbedtls_pkcs7 *pkcs7, const unsigned char *buf, unsigned char *start; unsigned char *end; size_t len = 0; - int ret; + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; int isoidset = 0; if( !pkcs7 ) - return( MBEDTLS_ERR_PKCS7_BAD_INPUT_DATA ); + { + ret = MBEDTLS_ERR_PKCS7_BAD_INPUT_DATA; + goto out; + } /* make an internal copy of the buffer for parsing */ pkcs7->raw.p = start = mbedtls_calloc( 1, buflen ); if( pkcs7->raw.p == NULL ) { - return( MBEDTLS_ERR_PKCS7_ALLOC_FAILED ); + ret = MBEDTLS_ERR_PKCS7_ALLOC_FAILED; + goto out; } memcpy( start, buf, buflen ); pkcs7->raw.len = buflen; @@ -573,7 +630,7 @@ int mbedtls_pkcs7_signed_data_verify( mbedtls_pkcs7 *pkcs7, size_t datalen ) { - int ret = MBEDTLS_ERR_PKCS7_VERIFY_FAIL; + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; unsigned char *hash; mbedtls_pk_context pk_cxt = cert->pk; const mbedtls_md_info_t *md_info; @@ -581,8 +638,10 @@ int mbedtls_pkcs7_signed_data_verify( mbedtls_pkcs7 *pkcs7, mbedtls_pkcs7_signer_info *signer; if( pkcs7->signed_data.no_of_signers == 0 ) - return( MBEDTLS_ERR_PKCS7_VERIFY_FAIL ); - + { + ret = MBEDTLS_ERR_PKCS7_VERIFY_FAIL; + goto out; + } /* * Potential TODOs @@ -602,20 +661,24 @@ int mbedtls_pkcs7_signed_data_verify( mbedtls_pkcs7 *pkcs7, { ret = mbedtls_oid_get_md_alg( &signer->alg_identifier, &md_alg ); if( ret != 0 ) - return( MBEDTLS_ERR_PKCS7_VERIFY_FAIL ); + { + ret = MBEDTLS_ERR_PKCS7_VERIFY_FAIL; + goto out; + } md_info = mbedtls_md_info_from_type( md_alg ); hash = mbedtls_calloc( mbedtls_md_get_size( md_info ), 1 ); if( hash == NULL ) { - return( MBEDTLS_ERR_PKCS7_ALLOC_FAILED ); + ret = MBEDTLS_ERR_PKCS7_ALLOC_FAILED; + goto out; } ret = mbedtls_md( md_info, data, datalen, hash ); if( ret != 0 ) { mbedtls_free( hash ); - return( ret ); + goto out; } ret = mbedtls_pk_verify( &pk_cxt, md_alg, hash, @@ -630,6 +693,7 @@ int mbedtls_pkcs7_signed_data_verify( mbedtls_pkcs7 *pkcs7, signer = signer->next; } +out: return( ret ); } @@ -637,7 +701,7 @@ int mbedtls_pkcs7_signed_hash_verify( mbedtls_pkcs7 *pkcs7, const mbedtls_x509_crt *cert, const unsigned char *hash, size_t hashlen) { - int ret = MBEDTLS_ERR_PKCS7_VERIFY_FAIL; + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; const mbedtls_md_info_t *md_info; mbedtls_md_type_t md_alg; mbedtls_pk_context pk_cxt; @@ -646,14 +710,20 @@ int mbedtls_pkcs7_signed_hash_verify( mbedtls_pkcs7 *pkcs7, pk_cxt = cert->pk; if( pkcs7->signed_data.no_of_signers == 0 ) - return( MBEDTLS_ERR_PKCS7_VERIFY_FAIL ); + { + ret = MBEDTLS_ERR_PKCS7_VERIFY_FAIL; + goto out; + } signer = &pkcs7->signed_data.signers; while( signer ) { ret = mbedtls_oid_get_md_alg( &signer->alg_identifier, &md_alg ); if( ret != 0 ) - return( MBEDTLS_ERR_PKCS7_VERIFY_FAIL ); + { + ret = MBEDTLS_ERR_PKCS7_VERIFY_FAIL; + goto out; + } md_info = mbedtls_md_info_from_type( md_alg ); @@ -673,6 +743,7 @@ int mbedtls_pkcs7_signed_hash_verify( mbedtls_pkcs7 *pkcs7, signer = signer->next; } +out: return ( ret ); } From 8a94de40c711612048aa4583b8dc617b206b7f37 Mon Sep 17 00:00:00 2001 From: Nick Child Date: Wed, 14 Sep 2022 10:51:51 -0500 Subject: [PATCH 18/35] test/pkcs7: Reduce number of test functions In response to feedback[1], we can reuse much of the functions in similar test cases by specifying some additional parameters. Specifically, test cases which probe the functionality of `mbedtls_pkcs7_parse_der` have all been merged into one test function. Additionally, all test cases which examine the `mbedtls_pkcs7_signed_data_verify` and `mbedtls_pkcs7_signed_hash_verify` functions have been merged into two test functions (one for single and one for multiple signers). [1] https://github.com/Mbed-TLS/mbedtls/pull/3431#discussion_r953686780 Signed-off-by: Nick Child --- tests/suites/test_suite_pkcs7.data | 50 +-- tests/suites/test_suite_pkcs7.function | 439 ++----------------------- 2 files changed, 61 insertions(+), 428 deletions(-) diff --git a/tests/suites/test_suite_pkcs7.data b/tests/suites/test_suite_pkcs7.data index b813c6d3e..b26a16fb9 100644 --- a/tests/suites/test_suite_pkcs7.data +++ b/tests/suites/test_suite_pkcs7.data @@ -1,75 +1,75 @@ PKCS7 Signed Data Parse Pass SHA256 #1 -depends_on:MBEDTLS_SHA256_C -pkcs7_parse:"data_files/pkcs7_data_cert_signed_sha256.der" +depends_on:MBEDTLS_SHA256_C:MBEDTLS_RSA_C +pkcs7_parse:"data_files/pkcs7_data_cert_signed_sha256.der":MBEDTLS_PKCS7_SIGNED_DATA PKCS7 Signed Data Parse Pass SHA1 #2 -depends_on:MBEDTLS_SHA1_C:MBEDTLS_SHA256_C -pkcs7_parse:"data_files/pkcs7_data_cert_signed_sha1.der" +depends_on:MBEDTLS_SHA1_C:MBEDTLS_SHA256_C:MBEDTLS_RSA_C +pkcs7_parse:"data_files/pkcs7_data_cert_signed_sha1.der":MBEDTLS_PKCS7_SIGNED_DATA PKCS7 Signed Data Parse Pass Without CERT #3 depends_on:MBEDTLS_SHA256_C -pkcs7_parse_without_cert:"data_files/pkcs7_data_without_cert_signed.der" +pkcs7_parse:"data_files/pkcs7_data_without_cert_signed.der":MBEDTLS_PKCS7_SIGNED_DATA PKCS7 Signed Data Parse Fail with multiple certs #4 -depends_on:MBEDTLS_SHA256_C -pkcs7_parse_multiple_certs:"data_files/pkcs7_data_multiple_certs_signed.der" +depends_on:MBEDTLS_SHA256_C:MBEDTLS_RSA_C +pkcs7_parse:"data_files/pkcs7_data_multiple_certs_signed.der":MBEDTLS_ERR_PKCS7_INVALID_CERT PKCS7 Signed Data Parse Fail with corrupted cert #5 -depends_on:MBEDTLS_SHA256_C -pkcs7_parse_corrupted_cert:"data_files/pkcs7_data_signed_badcert.der" +depends_on:MBEDTLS_SHA256_C:MBEDTLS_RSA_C +pkcs7_parse:"data_files/pkcs7_data_signed_badcert.der":MBEDTLS_ERR_PKCS7_INVALID_CERT PKCS7 Signed Data Parse Fail with corrupted signer info #6 -depends_on:MBEDTLS_SHA256_C -pkcs7_parse_corrupted_signer_info:"data_files/pkcs7_data_signed_badsigner.der" +depends_on:MBEDTLS_SHA256_C:MBEDTLS_RSA_C +pkcs7_parse:"data_files/pkcs7_data_signed_badsigner.der":MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO,MBEDTLS_ERR_ASN1_UNEXPECTED_TAG) PKCS7 Signed Data Parse Fail Version other than 1 #7 depends_on:MBEDTLS_SHA256_C -pkcs7_parse_version:"data_files/pkcs7_data_cert_signed_v2.der" +pkcs7_parse:"data_files/pkcs7_data_cert_signed_v2.der":MBEDTLS_ERR_PKCS7_INVALID_VERSION PKCS7 Signed Data Parse Fail Encrypted Content #8 depends_on:MBEDTLS_SHA256_C -pkcs7_parse_content_oid:"data_files/pkcs7_data_cert_encrypted.der" +pkcs7_parse:"data_files/pkcs7_data_cert_encrypted.der":MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE PKCS7 Signed Data Verification Pass SHA256 #9 depends_on:MBEDTLS_SHA256_C -pkcs7_verify:"data_files/pkcs7_data_cert_signed_sha256.der":"data_files/pkcs7-rsa-sha256-1.der":"data_files/pkcs7_data.bin" +pkcs7_verify:"data_files/pkcs7_data_cert_signed_sha256.der":"data_files/pkcs7-rsa-sha256-1.der":"data_files/pkcs7_data.bin":0:0 PKCS7 Signed Data Verification Pass SHA256 #9.1 depends_on:MBEDTLS_SHA256_C -pkcs7_verify_hash:"data_files/pkcs7_data_cert_signed_sha256.der":"data_files/pkcs7-rsa-sha256-1.der":"data_files/pkcs7_data.bin" +pkcs7_verify:"data_files/pkcs7_data_cert_signed_sha256.der":"data_files/pkcs7-rsa-sha256-1.der":"data_files/pkcs7_data.bin":MBEDTLS_MD_SHA256:0 PKCS7 Signed Data Verification Pass SHA1 #10 depends_on:MBEDTLS_SHA1_C:MBEDTLS_SHA256_C -pkcs7_verify:"data_files/pkcs7_data_cert_signed_sha1.der":"data_files/pkcs7-rsa-sha256-1.der":"data_files/pkcs7_data.bin" +pkcs7_verify:"data_files/pkcs7_data_cert_signed_sha1.der":"data_files/pkcs7-rsa-sha256-1.der":"data_files/pkcs7_data.bin":0:0 PKCS7 Signed Data Verification Pass SHA512 #11 depends_on:MBEDTLS_SHA512_C:MBEDTLS_SHA256_C -pkcs7_verify:"data_files/pkcs7_data_cert_signed_sha512.der":"data_files/pkcs7-rsa-sha256-1.der":"data_files/pkcs7_data.bin" +pkcs7_verify:"data_files/pkcs7_data_cert_signed_sha512.der":"data_files/pkcs7-rsa-sha256-1.der":"data_files/pkcs7_data.bin":0:0 PKCS7 Signed Data Verification Fail because of different certificate #12 depends_on:MBEDTLS_SHA256_C -pkcs7_verify_badcert:"data_files/pkcs7_data_cert_signed_sha256.der":"data_files/pkcs7-rsa-sha256-2.der":"data_files/pkcs7_data.bin" +pkcs7_verify:"data_files/pkcs7_data_cert_signed_sha256.der":"data_files/pkcs7-rsa-sha256-2.der":"data_files/pkcs7_data.bin":0:MBEDTLS_ERR_RSA_VERIFY_FAILED PKCS7 Signed Data Verification Fail because of different data hash #13 depends_on:MBEDTLS_SHA256_C -pkcs7_verify_tampered_data:"data_files/pkcs7_data_cert_signed_sha256.der":"data_files/pkcs7-rsa-sha256-1.der":"data_files/pkcs7_data_1.bin" +pkcs7_verify:"data_files/pkcs7_data_cert_signed_sha256.der":"data_files/pkcs7-rsa-sha256-1.der":"data_files/pkcs7_data_1.bin":0:MBEDTLS_ERR_RSA_VERIFY_FAILED PKCS7 Signed Data Parse Failure Corrupt signerInfo.issuer #15.1 depends_on:MBEDTLS_SHA256_C -pkcs7_parse_failure:"data_files/pkcs7_signerInfo_issuer_invalid_size.der" +pkcs7_parse:"data_files/pkcs7_signerInfo_issuer_invalid_size.der":MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO PKCS7 Signed Data Parse Failure Corrupt signerInfo.serial #15.2 depends_on:MBEDTLS_SHA256_C -pkcs7_parse_failure:"data_files/pkcs7_signerInfo_serial_invalid_size.der" +pkcs7_parse:"data_files/pkcs7_signerInfo_serial_invalid_size.der":MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO PKCS7 Only Signed Data Parse Pass #15 -depends_on:MBEDTLS_SHA256_C -pkcs7_parse:"data_files/pkcs7_data_cert_signeddata_sha256.der" +depends_on:MBEDTLS_SHA256_C:MBEDTLS_RSA_C +pkcs7_parse:"data_files/pkcs7_data_cert_signeddata_sha256.der":MBEDTLS_PKCS7_SIGNED_DATA PKCS7 Signed Data Verify with multiple signers #16 depends_on:MBEDTLS_SHA256_C -pkcs7_verify_multiple_signers:"data_files/pkcs7_data_multiple_signed.der":"data_files/pkcs7-rsa-sha256-1.crt":"data_files/pkcs7-rsa-sha256-2.crt":"data_files/pkcs7_data.bin" +pkcs7_verify_multiple_signers:"data_files/pkcs7_data_multiple_signed.der":"data_files/pkcs7-rsa-sha256-1.crt":"data_files/pkcs7-rsa-sha256-2.crt":"data_files/pkcs7_data.bin":0:0 PKCS7 Signed Data Hash Verify with multiple signers #17 depends_on:MBEDTLS_SHA256_C -pkcs7_verify_hash_multiple_signers:"data_files/pkcs7_data_multiple_signed.der":"data_files/pkcs7-rsa-sha256-1.crt":"data_files/pkcs7-rsa-sha256-2.crt":"data_files/pkcs7_data.bin" +pkcs7_verify_multiple_signers:"data_files/pkcs7_data_multiple_signed.der":"data_files/pkcs7-rsa-sha256-1.crt":"data_files/pkcs7-rsa-sha256-2.crt":"data_files/pkcs7_data.bin":MBEDTLS_MD_SHA256:0 diff --git a/tests/suites/test_suite_pkcs7.function b/tests/suites/test_suite_pkcs7.function index 9822fb826..8db3f3f53 100644 --- a/tests/suites/test_suite_pkcs7.function +++ b/tests/suites/test_suite_pkcs7.function @@ -14,31 +14,8 @@ * END_DEPENDENCIES */ -/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_RSA_C */ -void pkcs7_parse( char *pkcs7_file ) -{ - unsigned char *pkcs7_buf = NULL; - size_t buflen; - int res; - - mbedtls_pkcs7 pkcs7; - - mbedtls_pkcs7_init( &pkcs7 ); - - res = mbedtls_pk_load_file( pkcs7_file, &pkcs7_buf, &buflen ); - TEST_ASSERT( res == 0 ); - - res = mbedtls_pkcs7_parse_der( &pkcs7, pkcs7_buf, buflen ); - TEST_ASSERT( res == MBEDTLS_PKCS7_SIGNED_DATA ); - -exit: - mbedtls_free( pkcs7_buf ); - mbedtls_pkcs7_free( &pkcs7 ); -} -/* END_CASE */ - /* BEGIN_CASE depends_on:MBEDTLS_FS_IO */ -void pkcs7_parse_without_cert( char *pkcs7_file ) +void pkcs7_parse( char *pkcs7_file, int res_expect ) { unsigned char *pkcs7_buf = NULL; size_t buflen; @@ -52,7 +29,7 @@ void pkcs7_parse_without_cert( char *pkcs7_file ) TEST_ASSERT( res == 0 ); res = mbedtls_pkcs7_parse_der( &pkcs7, pkcs7_buf, buflen ); - TEST_ASSERT( res == MBEDTLS_PKCS7_SIGNED_DATA ); + TEST_ASSERT( res == res_expect ); exit: mbedtls_free( pkcs7_buf ); @@ -60,175 +37,8 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_RSA_C */ -void pkcs7_parse_multiple_certs( char *pkcs7_file ) -{ - unsigned char *pkcs7_buf = NULL; - size_t buflen; - int res; - - mbedtls_pkcs7 pkcs7; - - mbedtls_pkcs7_init( &pkcs7 ); - - res = mbedtls_pk_load_file( pkcs7_file, &pkcs7_buf, &buflen ); - TEST_ASSERT( res == 0 ); - - res = mbedtls_pkcs7_parse_der( &pkcs7, pkcs7_buf, buflen ); - TEST_ASSERT( res == MBEDTLS_ERR_PKCS7_INVALID_CERT ); - -exit: - mbedtls_free( pkcs7_buf ); - mbedtls_pkcs7_free( &pkcs7 ); -} -/* END_CASE */ - -/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_RSA_C */ -void pkcs7_parse_corrupted_cert( char *pkcs7_file ) -{ - unsigned char *pkcs7_buf = NULL; - size_t buflen; - int res; - - mbedtls_pkcs7 pkcs7; - - mbedtls_pkcs7_init( &pkcs7 ); - - res = mbedtls_pk_load_file( pkcs7_file, &pkcs7_buf, &buflen ); - TEST_ASSERT( res == 0 ); - - res = mbedtls_pkcs7_parse_der( &pkcs7, pkcs7_buf, buflen ); - TEST_ASSERT( res == MBEDTLS_ERR_PKCS7_INVALID_CERT ); - -exit: - mbedtls_free( pkcs7_buf ); - mbedtls_pkcs7_free( &pkcs7 ); -} -/* END_CASE */ - -/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_RSA_C */ -void pkcs7_parse_corrupted_signer_info( char *pkcs7_file ) -{ - unsigned char *pkcs7_buf = NULL; - size_t buflen; - int res; - - mbedtls_pkcs7 pkcs7; - - mbedtls_pkcs7_init( &pkcs7 ); - - res = mbedtls_pk_load_file( pkcs7_file, &pkcs7_buf, &buflen ); - TEST_ASSERT( res == 0 ); - - res = mbedtls_pkcs7_parse_der( &pkcs7, pkcs7_buf, buflen ); - TEST_ASSERT( res < 0 ); - -exit: - mbedtls_free( pkcs7_buf ); - mbedtls_pkcs7_free( &pkcs7 ); -} -/* END_CASE */ - -/* BEGIN_CASE depends_on:MBEDTLS_FS_IO */ -void pkcs7_parse_version( char *pkcs7_file ) -{ - unsigned char *pkcs7_buf = NULL; - size_t buflen; - int res; - - mbedtls_pkcs7 pkcs7; - - mbedtls_pkcs7_init( &pkcs7 ); - - res = mbedtls_pk_load_file( pkcs7_file, &pkcs7_buf, &buflen ); - TEST_ASSERT( res == 0 ); - - res = mbedtls_pkcs7_parse_der( &pkcs7, pkcs7_buf, buflen ); - TEST_ASSERT( res == MBEDTLS_ERR_PKCS7_INVALID_VERSION ); - -exit: - mbedtls_free( pkcs7_buf ); - mbedtls_pkcs7_free( &pkcs7 ); -} -/* END_CASE */ - -/* BEGIN_CASE depends_on:MBEDTLS_FS_IO */ -void pkcs7_parse_content_oid( char *pkcs7_file ) -{ - unsigned char *pkcs7_buf = NULL; - size_t buflen; - int res; - mbedtls_pkcs7 pkcs7; - - mbedtls_pkcs7_init( &pkcs7 ); - - res = mbedtls_pk_load_file( pkcs7_file, &pkcs7_buf, &buflen); - TEST_ASSERT( res == 0 ); - - res = mbedtls_pkcs7_parse_der( &pkcs7, pkcs7_buf, buflen ); - TEST_ASSERT( res != 0 ); - TEST_ASSERT( res == MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE ); -exit: - mbedtls_free( pkcs7_buf ); - mbedtls_pkcs7_free( &pkcs7 ); -} -/* END_CASE */ - /* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_PKCS1_V15:MBEDTLS_RSA_C */ -void pkcs7_verify( char *pkcs7_file, char *crt, char *filetobesigned ) -{ - unsigned char *pkcs7_buf = NULL; - size_t buflen; - unsigned char *data = NULL; - struct stat st; - size_t datalen; - int res; - FILE *file; - - mbedtls_pkcs7 pkcs7; - mbedtls_x509_crt x509; - - USE_PSA_INIT(); - - mbedtls_pkcs7_init( &pkcs7 ); - mbedtls_x509_crt_init( &x509 ); - - res = mbedtls_x509_crt_parse_file( &x509, crt ); - TEST_ASSERT( res == 0 ); - - res = mbedtls_pk_load_file( pkcs7_file, &pkcs7_buf, &buflen ); - TEST_ASSERT( res == 0 ); - - res = mbedtls_pkcs7_parse_der( &pkcs7, pkcs7_buf, buflen ); - TEST_ASSERT( res == MBEDTLS_PKCS7_SIGNED_DATA ); - mbedtls_free( pkcs7_buf ); - - res = stat( filetobesigned, &st ); - TEST_ASSERT( res == 0 ); - - file = fopen( filetobesigned, "rb" ); - TEST_ASSERT( file != NULL ); - - datalen = st.st_size; - data = mbedtls_calloc( datalen, 1 ); - buflen = fread( ( void * )data , sizeof( unsigned char ), datalen, file ); - TEST_ASSERT( buflen == datalen); - - fclose(file); - - res = mbedtls_pkcs7_signed_data_verify( &pkcs7, &x509, data, datalen ); - TEST_ASSERT( res == 0 ); - -exit: - mbedtls_x509_crt_free( &x509 ); - mbedtls_free( data ); - mbedtls_pkcs7_free( &pkcs7 ); - USE_PSA_DONE(); -} -/* END_CASE */ - -/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_PKCS1_V15:MBEDTLS_RSA_C:MBEDTLS_SHA256_C */ -void pkcs7_verify_hash( char *pkcs7_file, char *crt, char *filetobesigned ) +void pkcs7_verify( char *pkcs7_file, char *crt, char *filetobesigned, int do_hash_alg, int res_expect ) { unsigned char *pkcs7_buf = NULL; size_t buflen; @@ -272,17 +82,23 @@ void pkcs7_verify_hash( char *pkcs7_file, char *crt, char *filetobesigned ) TEST_ASSERT( buflen == datalen); fclose( file ); - res = mbedtls_oid_get_md_alg( &(pkcs7.signed_data.digest_alg_identifiers), &md_alg ); - TEST_ASSERT( res == 0 ); - TEST_ASSERT( md_alg == MBEDTLS_MD_SHA256 ); + if( do_hash_alg ) + { + res = mbedtls_oid_get_md_alg( &(pkcs7.signed_data.digest_alg_identifiers), &md_alg ); + TEST_ASSERT( res == 0 ); + TEST_ASSERT( md_alg == (mbedtls_md_type_t) do_hash_alg ); + md_info = mbedtls_md_info_from_type( md_alg ); - md_info = mbedtls_md_info_from_type( md_alg ); + res = mbedtls_md( md_info, data, datalen, hash ); + TEST_ASSERT( res == 0 ); - res = mbedtls_md( md_info, data, datalen, hash ); - TEST_ASSERT( res == 0 ); - - res = mbedtls_pkcs7_signed_hash_verify( &pkcs7, &x509, hash, sizeof(hash) ); - TEST_ASSERT( res == 0 ); + res = mbedtls_pkcs7_signed_hash_verify( &pkcs7, &x509, hash, sizeof(hash) ); + } + else + { + res = mbedtls_pkcs7_signed_data_verify( &pkcs7, &x509, data, datalen ); + } + TEST_ASSERT( res == res_expect ); exit: mbedtls_x509_crt_free( &x509 ); @@ -294,7 +110,7 @@ exit: /* END_CASE */ /* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_PKCS1_V15:MBEDTLS_RSA_C */ -void pkcs7_verify_hash_multiple_signers( char *pkcs7_file, char *crt1, char *crt2, char *filetobesigned ) +void pkcs7_verify_multiple_signers( char *pkcs7_file, char *crt1, char *crt2, char *filetobesigned, int do_hash_alg, int res_expect ) { unsigned char *pkcs7_buf = NULL; size_t buflen; @@ -344,20 +160,28 @@ void pkcs7_verify_hash_multiple_signers( char *pkcs7_file, char *crt1, char *crt fclose( file ); - res = mbedtls_oid_get_md_alg( &(pkcs7.signed_data.digest_alg_identifiers), &md_alg ); - TEST_ASSERT( res == 0 ); - TEST_ASSERT( md_alg == MBEDTLS_MD_SHA256 ); + if( do_hash_alg ) + { + res = mbedtls_oid_get_md_alg( &(pkcs7.signed_data.digest_alg_identifiers), &md_alg ); + TEST_ASSERT( res == 0 ); + TEST_ASSERT( md_alg == MBEDTLS_MD_SHA256 ); - md_info = mbedtls_md_info_from_type( md_alg ); + md_info = mbedtls_md_info_from_type( md_alg ); - res = mbedtls_md( md_info, data, datalen, hash ); - TEST_ASSERT( res == 0 ); + res = mbedtls_md( md_info, data, datalen, hash ); + TEST_ASSERT( res == 0 ); - res = mbedtls_pkcs7_signed_hash_verify( &pkcs7, &x509_1, hash, sizeof(hash)); - TEST_ASSERT( res == 0 ); + res = mbedtls_pkcs7_signed_hash_verify( &pkcs7, &x509_1, hash, sizeof(hash)); + TEST_ASSERT( res == res_expect ); + } + else + { + res = mbedtls_pkcs7_signed_data_verify( &pkcs7, &x509_1, data, datalen ); + TEST_ASSERT( res == res_expect ); + } res = mbedtls_pkcs7_signed_data_verify( &pkcs7, &x509_2, data, datalen ); - TEST_ASSERT( res == 0 ); + TEST_ASSERT( res == res_expect ); exit: mbedtls_x509_crt_free( &x509_1 ); @@ -368,194 +192,3 @@ exit: USE_PSA_DONE(); } /* END_CASE */ - -/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_PKCS1_V15:MBEDTLS_RSA_C */ -void pkcs7_verify_badcert( char *pkcs7_file, char *crt, char *filetobesigned ) -{ - unsigned char *pkcs7_buf = NULL; - size_t buflen; - unsigned char *data = NULL; - struct stat st; - size_t datalen; - int res; - FILE *file; - - mbedtls_pkcs7 pkcs7; - mbedtls_x509_crt x509; - - USE_PSA_INIT(); - - mbedtls_pkcs7_init( &pkcs7 ); - mbedtls_x509_crt_init( &x509 ); - - res = mbedtls_pk_load_file( pkcs7_file, &pkcs7_buf, &buflen ); - TEST_ASSERT( res == 0 ); - - res = mbedtls_pkcs7_parse_der( &pkcs7, pkcs7_buf, buflen ); - TEST_ASSERT( res == MBEDTLS_PKCS7_SIGNED_DATA ); - - res = mbedtls_x509_crt_parse_file( &x509, crt ); - TEST_ASSERT( res == 0 ); - - res = stat( filetobesigned, &st ); - TEST_ASSERT( res == 0 ); - - file = fopen( filetobesigned, "rb" ); - TEST_ASSERT( file != NULL ); - - datalen = st.st_size; - data = mbedtls_calloc( datalen, 1 ); - buflen = fread( ( void * )data , sizeof( unsigned char ), datalen, file ); - TEST_ASSERT( buflen == datalen); - - fclose(file); - - res = mbedtls_pkcs7_signed_data_verify( &pkcs7, &x509, data, datalen ); - TEST_ASSERT( res != 0 ); - -exit: - mbedtls_x509_crt_free( &x509 ); - mbedtls_free( data ); - mbedtls_pkcs7_free( &pkcs7 ); - mbedtls_free( pkcs7_buf ); - USE_PSA_DONE(); -} -/* END_CASE */ - -/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_PKCS1_V15:MBEDTLS_RSA_C */ -void pkcs7_verify_tampered_data( char *pkcs7_file, char *crt, char *filetobesigned ) -{ - unsigned char *pkcs7_buf = NULL; - size_t buflen; - unsigned char *data = NULL; - struct stat st; - size_t datalen; - int res; - FILE *file; - - mbedtls_pkcs7 pkcs7; - mbedtls_x509_crt x509; - - USE_PSA_INIT(); - - mbedtls_pkcs7_init( &pkcs7 ); - mbedtls_x509_crt_init( &x509 ); - - res = mbedtls_pk_load_file( pkcs7_file, &pkcs7_buf, &buflen ); - TEST_ASSERT( res == 0 ); - - res = mbedtls_pkcs7_parse_der( &pkcs7, pkcs7_buf, buflen ); - TEST_ASSERT( res == MBEDTLS_PKCS7_SIGNED_DATA ); - - res = mbedtls_x509_crt_parse_file( &x509, crt ); - TEST_ASSERT( res == 0 ); - - res = stat( filetobesigned, &st ); - TEST_ASSERT( res == 0 ); - - file = fopen( filetobesigned, "rb" ); - TEST_ASSERT( file != NULL ); - - datalen = st.st_size; - data = mbedtls_calloc( datalen, 1 ); - buflen = fread( ( void * )data , sizeof( unsigned char ), datalen, file ); - TEST_ASSERT( buflen == datalen); - - fclose(file); - - res = mbedtls_pkcs7_signed_data_verify( &pkcs7, &x509, data, datalen ); - TEST_ASSERT( res != 0 ); - -exit: - mbedtls_x509_crt_free( &x509 ); - mbedtls_pkcs7_free( &pkcs7 ); - mbedtls_free( data ); - mbedtls_free( pkcs7_buf ); - USE_PSA_DONE(); -} -/* END_CASE */ - -/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_PKCS1_V15:MBEDTLS_RSA_C */ -void pkcs7_verify_multiple_signers( char *pkcs7_file, char *crt1, char *crt2, char *filetobesigned ) -{ - unsigned char *pkcs7_buf = NULL; - size_t buflen; - unsigned char *data = NULL; - struct stat st; - size_t datalen; - int res; - FILE *file; - - mbedtls_pkcs7 pkcs7; - mbedtls_x509_crt x509_1; - mbedtls_x509_crt x509_2; - - USE_PSA_INIT(); - - mbedtls_pkcs7_init( &pkcs7 ); - mbedtls_x509_crt_init( &x509_1 ); - mbedtls_x509_crt_init( &x509_2 ); - - res = mbedtls_pk_load_file( pkcs7_file, &pkcs7_buf, &buflen ); - TEST_ASSERT( res == 0 ); - - res = mbedtls_pkcs7_parse_der( &pkcs7, pkcs7_buf, buflen ); - TEST_ASSERT( res == MBEDTLS_PKCS7_SIGNED_DATA ); - - TEST_ASSERT( pkcs7.signed_data.no_of_signers == 2 ); - - res = mbedtls_x509_crt_parse_file( &x509_1, crt1 ); - TEST_ASSERT( res == 0 ); - - res = mbedtls_x509_crt_parse_file( &x509_2, crt2 ); - TEST_ASSERT( res == 0 ); - - res = stat( filetobesigned, &st ); - TEST_ASSERT( res == 0 ); - - file = fopen( filetobesigned, "r" ); - TEST_ASSERT( file != NULL ); - - datalen = st.st_size; - data = ( unsigned char* ) calloc( datalen, sizeof(unsigned char) ); - buflen = fread( ( void * )data , sizeof( unsigned char ), datalen, file ); - TEST_ASSERT( buflen == datalen ); - - fclose( file ); - - res = mbedtls_pkcs7_signed_data_verify( &pkcs7, &x509_1, data, datalen ); - TEST_ASSERT( res == 0 ); - - res = mbedtls_pkcs7_signed_data_verify( &pkcs7, &x509_2, data, datalen ); - TEST_ASSERT( res == 0 ); - -exit: - mbedtls_x509_crt_free( &x509_1 ); - mbedtls_x509_crt_free( &x509_2 ); - mbedtls_pkcs7_free( &pkcs7 ); - mbedtls_free( data ); - mbedtls_free( pkcs7_buf ); - USE_PSA_DONE(); -} -/* END_CASE */ - -/* BEGIN_CASE depends_on:MBEDTLS_FS_IO */ -void pkcs7_parse_failure( char *pkcs7_file ) -{ - unsigned char *pkcs7_buf = NULL; - size_t buflen; - int res; - mbedtls_pkcs7 pkcs7; - - mbedtls_pkcs7_init( &pkcs7 ); - - res = mbedtls_pk_load_file( pkcs7_file, &pkcs7_buf, &buflen ); - TEST_ASSERT( res == 0 ); - - res = mbedtls_pkcs7_parse_der( &pkcs7, pkcs7_buf, buflen ); - TEST_ASSERT( res != 0 ); -exit: - mbedtls_free( pkcs7_buf ); - mbedtls_pkcs7_free( &pkcs7 ); -} -/* END_CASE */ From 7089ce83812a13191ba4f3af4b68e840d4660693 Mon Sep 17 00:00:00 2001 From: Nick Child Date: Wed, 14 Sep 2022 14:10:00 -0500 Subject: [PATCH 19/35] pkcs7: Handle md errors in multisigner pkcs7 verification In resonse to feedback [1], if `mbedtls_md_info_from_type` were to fail then skip the signer and try the next one. Additionally, use a for loop instead of a while loop when iterating over signers because it simplifies the use of `continue`. [1] https://github.com/Mbed-TLS/mbedtls/pull/3431#discussion_r967198650 Signed-off-by: Nick Child --- library/pkcs7.c | 26 ++++++++++++++++---------- 1 file changed, 16 insertions(+), 10 deletions(-) diff --git a/library/pkcs7.c b/library/pkcs7.c index 2299cfdac..3178ddcab 100644 --- a/library/pkcs7.c +++ b/library/pkcs7.c @@ -656,17 +656,21 @@ int mbedtls_pkcs7_signed_data_verify( mbedtls_pkcs7 *pkcs7, * We could also cache hashes by md, so if there are several sigs all using * the same algo we don't recalculate the hash each time. */ - signer = &pkcs7->signed_data.signers; - while( signer ) + for( signer = &pkcs7->signed_data.signers; signer; signer = signer->next ) { ret = mbedtls_oid_get_md_alg( &signer->alg_identifier, &md_alg ); if( ret != 0 ) { ret = MBEDTLS_ERR_PKCS7_VERIFY_FAIL; - goto out; + continue; } md_info = mbedtls_md_info_from_type( md_alg ); + if( md_info == NULL ) + { + ret = MBEDTLS_ERR_PKCS7_VERIFY_FAIL; + continue; + } hash = mbedtls_calloc( mbedtls_md_get_size( md_info ), 1 ); if( hash == NULL ) { @@ -677,8 +681,9 @@ int mbedtls_pkcs7_signed_data_verify( mbedtls_pkcs7 *pkcs7, ret = mbedtls_md( md_info, data, datalen, hash ); if( ret != 0 ) { + ret = MBEDTLS_ERR_PKCS7_VERIFY_FAIL; mbedtls_free( hash ); - goto out; + continue; } ret = mbedtls_pk_verify( &pk_cxt, md_alg, hash, @@ -689,8 +694,6 @@ int mbedtls_pkcs7_signed_data_verify( mbedtls_pkcs7 *pkcs7, if( ret == 0 ) break; - - signer = signer->next; } out: @@ -716,16 +719,21 @@ int mbedtls_pkcs7_signed_hash_verify( mbedtls_pkcs7 *pkcs7, } signer = &pkcs7->signed_data.signers; - while( signer ) + for( signer = &pkcs7->signed_data.signers; signer; signer = signer->next ) { ret = mbedtls_oid_get_md_alg( &signer->alg_identifier, &md_alg ); if( ret != 0 ) { ret = MBEDTLS_ERR_PKCS7_VERIFY_FAIL; - goto out; + continue; } md_info = mbedtls_md_info_from_type( md_alg ); + if( md_info == NULL ) + { + ret = MBEDTLS_ERR_PKCS7_VERIFY_FAIL; + continue; + } if( hashlen != mbedtls_md_get_size( md_info ) ) { @@ -739,8 +747,6 @@ int mbedtls_pkcs7_signed_hash_verify( mbedtls_pkcs7 *pkcs7, pkcs7->signed_data.signers.sig.len ); if( ret == 0 ) break; - - signer = signer->next; } out: From 34d5e931cf50a0647d13b05ac1577333b2c8a249 Mon Sep 17 00:00:00 2001 From: Nick Child Date: Wed, 14 Sep 2022 14:44:03 -0500 Subject: [PATCH 20/35] pkcs7: Use better return code for unimplemented specifications In response to feedback [1] [2], use MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE instead of MBEDTLS_ERR_PKCS7_INVALID_FORMAT for errors due to the pkcs7 implemntation being incomplete. [1] https://github.com/Mbed-TLS/mbedtls/pull/3431#discussion_r953649079 [2] https://github.com/Mbed-TLS/mbedtls/pull/3431#discussion_r953658276 Signed-off-by: Nick Child --- library/pkcs7.c | 6 +++--- tests/suites/test_suite_pkcs7.data | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/library/pkcs7.c b/library/pkcs7.c index 3178ddcab..9dcbab26c 100644 --- a/library/pkcs7.c +++ b/library/pkcs7.c @@ -168,7 +168,6 @@ static int pkcs7_get_digest_algorithm_set( unsigned char **p, end = *p + len; - /** For now, it assumes there is only one digest algorithm specified **/ ret = mbedtls_asn1_get_alg_null( p, end, alg ); if( ret != 0 ) { @@ -176,8 +175,9 @@ static int pkcs7_get_digest_algorithm_set( unsigned char **p, goto out; } + /** For now, it assumes there is only one digest algorithm specified **/ if ( *p != end ) - ret = MBEDTLS_ERR_PKCS7_INVALID_FORMAT; + ret = MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE; out: return( ret ); @@ -231,7 +231,7 @@ static int pkcs7_get_certificates( unsigned char **p, unsigned char *end, */ if (end_cert != end_set) { - ret = MBEDTLS_ERR_PKCS7_INVALID_CERT; + ret = MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE; goto out; } diff --git a/tests/suites/test_suite_pkcs7.data b/tests/suites/test_suite_pkcs7.data index b26a16fb9..4f81b6f28 100644 --- a/tests/suites/test_suite_pkcs7.data +++ b/tests/suites/test_suite_pkcs7.data @@ -12,7 +12,7 @@ pkcs7_parse:"data_files/pkcs7_data_without_cert_signed.der":MBEDTLS_PKCS7_SIGNED PKCS7 Signed Data Parse Fail with multiple certs #4 depends_on:MBEDTLS_SHA256_C:MBEDTLS_RSA_C -pkcs7_parse:"data_files/pkcs7_data_multiple_certs_signed.der":MBEDTLS_ERR_PKCS7_INVALID_CERT +pkcs7_parse:"data_files/pkcs7_data_multiple_certs_signed.der":MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE PKCS7 Signed Data Parse Fail with corrupted cert #5 depends_on:MBEDTLS_SHA256_C:MBEDTLS_RSA_C From 8ce1b1afc87c7551e3cb5efa99c1b2fce6ef953d Mon Sep 17 00:00:00 2001 From: Nick Child Date: Wed, 14 Sep 2022 14:51:23 -0500 Subject: [PATCH 21/35] pkcs7: Correct various syntatical mistakes Resond to feedback from the following comments: - use correct spacing [1-7] - remove unnecessary parenthesis [8] - fixup comments [9-11] - remove unnecessary init work [12] - use var instead of type for sizeof [13] [1] https://github.com/Mbed-TLS/mbedtls/pull/3431#discussion_r953655691 [2] https://github.com/Mbed-TLS/mbedtls/pull/3431#discussion_r953661514 [3] https://github.com/Mbed-TLS/mbedtls/pull/3431#discussion_r953689929 [4] https://github.com/Mbed-TLS/mbedtls/pull/3431#discussion_r953696384 [5] https://github.com/Mbed-TLS/mbedtls/pull/3431#discussion_r953697558 [6] https://github.com/Mbed-TLS/mbedtls/pull/3431#discussion_r953697793 [7] https://github.com/Mbed-TLS/mbedtls/pull/3431#discussion_r953697951 [8] https://github.com/Mbed-TLS/mbedtls/pull/3431#discussion_r953699102 [9] https://github.com/Mbed-TLS/mbedtls/pull/3431#discussion_r971223775 [10] https://github.com/Mbed-TLS/mbedtls/pull/3431#discussion_r967133905 [11] https://github.com/Mbed-TLS/mbedtls/pull/3431#discussion_r967135932 [12] https://github.com/Mbed-TLS/mbedtls/pull/3431#discussion_r967151430 [13] https://github.com/Mbed-TLS/mbedtls/pull/3431#discussion_r967154159 Signed-off-by: Nick Child --- include/mbedtls/pkcs7.h | 17 ++++++++--------- library/pkcs7.c | 10 +++++----- tests/suites/test_suite_pkcs7.function | 10 +++++----- 3 files changed, 18 insertions(+), 19 deletions(-) diff --git a/include/mbedtls/pkcs7.h b/include/mbedtls/pkcs7.h index 7699b60d5..c56926fd5 100644 --- a/include/mbedtls/pkcs7.h +++ b/include/mbedtls/pkcs7.h @@ -22,23 +22,22 @@ */ /** - * Note: For the time being, this application of the PKCS7 cryptographic + * Note: For the time being, this implementation of the PKCS7 cryptographic * message syntax is a partial implementation of RFC 2315. * Differences include: * - The RFC specifies 6 different content types. The only type currently - * supported in MbedTLS is the signed data content type. + * supported in Mbed TLS is the signed data content type. * - The only supported PKCS7 Signed Data syntax version is version 1 - * - The RFC specifies support for BER. This application is limited to + * - The RFC specifies support for BER. This implementation is limited to * DER only. * - The RFC specifies that multiple digest algorithms can be specified - * in the Signed Data type. Only one digest algorithm is supported in MbedTLS. - * - The RFC specifies the Signed Data certificate format can be - * X509 or PKCS6. The only type currently supported in MbedTLS is X509. + * in the Signed Data type. Only one digest algorithm is supported in Mbed TLS. + * - The RFC specifies the Signed Data type can contain multiple X509 or PKCS6 + * certificates. In Mbed TLS, this list can only contain 0 or 1 certificates + * and they must be in X509 format. * - The RFC specifies the Signed Data type can contain - * certificate-revocation lists (crls). This application has no support + * certificate-revocation lists (crls). This implementation has no support * for crls so it is assumed to be an empty list. - * - The RFC specifies support for multiple signers. This application only - * supports the Signed Data type with a single signer. */ #ifndef MBEDTLS_PKCS7_H diff --git a/library/pkcs7.c b/library/pkcs7.c index 9dcbab26c..5ec10891c 100644 --- a/library/pkcs7.c +++ b/library/pkcs7.c @@ -58,8 +58,7 @@ */ void mbedtls_pkcs7_init( mbedtls_pkcs7 *pkcs7 ) { - memset( pkcs7, 0, sizeof( mbedtls_pkcs7 ) ); - pkcs7->raw.p = NULL; + memset( pkcs7, 0, sizeof( *pkcs7 ) ); } static int pkcs7_get_next_content_len( unsigned char **p, unsigned char *end, @@ -229,7 +228,7 @@ static int pkcs7_get_certificates( unsigned char **p, unsigned char *end, * So, we support only the root certificate and the single signer. * The behaviour would be improved with addition of multiple signer support. */ - if (end_cert != end_set) + if ( end_cert != end_set ) { ret = MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE; goto out; @@ -702,7 +701,8 @@ out: int mbedtls_pkcs7_signed_hash_verify( mbedtls_pkcs7 *pkcs7, const mbedtls_x509_crt *cert, - const unsigned char *hash, size_t hashlen) + const unsigned char *hash, + size_t hashlen ) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; const mbedtls_md_info_t *md_info; @@ -750,7 +750,7 @@ int mbedtls_pkcs7_signed_hash_verify( mbedtls_pkcs7 *pkcs7, } out: - return ( ret ); + return( ret ); } /* diff --git a/tests/suites/test_suite_pkcs7.function b/tests/suites/test_suite_pkcs7.function index 8db3f3f53..c5094bcca 100644 --- a/tests/suites/test_suite_pkcs7.function +++ b/tests/suites/test_suite_pkcs7.function @@ -76,15 +76,15 @@ void pkcs7_verify( char *pkcs7_file, char *crt, char *filetobesigned, int do_has datalen = st.st_size; data = mbedtls_calloc( datalen, 1 ); - TEST_ASSERT( data != NULL); + TEST_ASSERT( data != NULL ); buflen = fread( (void *)data , sizeof( unsigned char ), datalen, file ); - TEST_ASSERT( buflen == datalen); + TEST_ASSERT( buflen == datalen ); fclose( file ); if( do_hash_alg ) { - res = mbedtls_oid_get_md_alg( &(pkcs7.signed_data.digest_alg_identifiers), &md_alg ); + res = mbedtls_oid_get_md_alg( &pkcs7.signed_data.digest_alg_identifiers, &md_alg ); TEST_ASSERT( res == 0 ); TEST_ASSERT( md_alg == (mbedtls_md_type_t) do_hash_alg ); md_info = mbedtls_md_info_from_type( md_alg ); @@ -162,7 +162,7 @@ void pkcs7_verify_multiple_signers( char *pkcs7_file, char *crt1, char *crt2, ch if( do_hash_alg ) { - res = mbedtls_oid_get_md_alg( &(pkcs7.signed_data.digest_alg_identifiers), &md_alg ); + res = mbedtls_oid_get_md_alg( &pkcs7.signed_data.digest_alg_identifiers, &md_alg ); TEST_ASSERT( res == 0 ); TEST_ASSERT( md_alg == MBEDTLS_MD_SHA256 ); @@ -171,7 +171,7 @@ void pkcs7_verify_multiple_signers( char *pkcs7_file, char *crt1, char *crt2, ch res = mbedtls_md( md_info, data, datalen, hash ); TEST_ASSERT( res == 0 ); - res = mbedtls_pkcs7_signed_hash_verify( &pkcs7, &x509_1, hash, sizeof(hash)); + res = mbedtls_pkcs7_signed_hash_verify( &pkcs7, &x509_1, hash, sizeof(hash) ); TEST_ASSERT( res == res_expect ); } else From 9512bde5c31b21c09697db5e3845e0375e38ef51 Mon Sep 17 00:00:00 2001 From: Nick Child Date: Fri, 16 Sep 2022 09:49:06 -0500 Subject: [PATCH 22/35] pkcs7: Fix pkcs7 error code values Mbed TLS uses a two layer system for error codes. The least significant 7 bits should be used to signal low-level module errors. Since PKCS7 is a high level module, it should leave these bits unassigned. To do this, the least significant byte of PKCS7 error codes must either be 0x00 or 0x80. Signed-off-by: Nick Child --- include/mbedtls/pkcs7.h | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/include/mbedtls/pkcs7.h b/include/mbedtls/pkcs7.h index c56926fd5..513b707d6 100644 --- a/include/mbedtls/pkcs7.h +++ b/include/mbedtls/pkcs7.h @@ -56,15 +56,15 @@ * \{ */ #define MBEDTLS_ERR_PKCS7_INVALID_FORMAT -0x5300 /**< The format is invalid, e.g. different type expected. */ -#define MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE -0x53F0 /**< Unavailable feature, e.g. anything other than signed data. */ +#define MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE -0x5380 /**< Unavailable feature, e.g. anything other than signed data. */ #define MBEDTLS_ERR_PKCS7_INVALID_VERSION -0x5400 /**< The PKCS7 version element is invalid or cannot be parsed. */ -#define MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO -0x54F0 /**< The PKCS7 content info invalid or cannot be parsed. */ +#define MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO -0x5480 /**< The PKCS7 content info invalid or cannot be parsed. */ #define MBEDTLS_ERR_PKCS7_INVALID_ALG -0x5500 /**< The algorithm tag or value is invalid or cannot be parsed. */ -#define MBEDTLS_ERR_PKCS7_INVALID_CERT -0x55F0 /**< The certificate tag or value is invalid or cannot be parsed. */ +#define MBEDTLS_ERR_PKCS7_INVALID_CERT -0x5580 /**< The certificate tag or value is invalid or cannot be parsed. */ #define MBEDTLS_ERR_PKCS7_INVALID_SIGNATURE -0x5600 /**< Error parsing the signature */ -#define MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO -0x56F0 /**< Error parsing the signer's info */ +#define MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO -0x5680 /**< Error parsing the signer's info */ #define MBEDTLS_ERR_PKCS7_BAD_INPUT_DATA -0x5700 /**< Input invalid. */ -#define MBEDTLS_ERR_PKCS7_ALLOC_FAILED -0x57F0 /**< Allocation of memory failed. */ +#define MBEDTLS_ERR_PKCS7_ALLOC_FAILED -0x5780 /**< Allocation of memory failed. */ #define MBEDTLS_ERR_PKCS7_VERIFY_FAIL -0x5800 /**< Verification Failed */ /* \} name */ From 5f9456f3e36fcb5a45955eb632cf42ae2962e9c9 Mon Sep 17 00:00:00 2001 From: Nick Child Date: Mon, 19 Sep 2022 10:01:25 -0500 Subject: [PATCH 23/35] pkcs7: Fix trailing whitespace Signed-off-by: Nick Child --- library/pkcs7.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/library/pkcs7.c b/library/pkcs7.c index 5ec10891c..c4d605e00 100644 --- a/library/pkcs7.c +++ b/library/pkcs7.c @@ -243,9 +243,9 @@ static int pkcs7_get_certificates( unsigned char **p, unsigned char *end, *p = *p + len1; - /* + /* * Since in this version we strictly support single certificate, and reaching - * here implies we have parsed successfully, we return 1. + * here implies we have parsed successfully, we return 1. */ ret = 1; @@ -701,7 +701,7 @@ out: int mbedtls_pkcs7_signed_hash_verify( mbedtls_pkcs7 *pkcs7, const mbedtls_x509_crt *cert, - const unsigned char *hash, + const unsigned char *hash, size_t hashlen ) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; From 7dbe8528f38c393d76b2cbbd358c0b847b9cac11 Mon Sep 17 00:00:00 2001 From: Nick Child Date: Fri, 30 Sep 2022 17:24:29 -0500 Subject: [PATCH 24/35] pkcs7: Import header files with included directory path not relative path In #include statements, rely on -I paths instead of relative paths. Signed-off-by: Nick Child --- include/mbedtls/pkcs7.h | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/include/mbedtls/pkcs7.h b/include/mbedtls/pkcs7.h index 513b707d6..9486c7153 100644 --- a/include/mbedtls/pkcs7.h +++ b/include/mbedtls/pkcs7.h @@ -47,9 +47,9 @@ #include "mbedtls/build_info.h" -#include "asn1.h" -#include "x509.h" -#include "x509_crt.h" +#include "mbedtls/asn1.h" +#include "mbedtls/x509.h" +#include "mbedtls/x509_crt.h" /** * \name PKCS7 Module Error codes From 73621ef0f08951885b321f0b9964203ae04c9fb5 Mon Sep 17 00:00:00 2001 From: Nick Child Date: Fri, 28 Oct 2022 11:23:15 -0500 Subject: [PATCH 25/35] pkcs7: Improve verify logic and rebuild test data Various responses to feedback regarding the pkcs7_verify_signed_data/hash functions. Mainly, merge these two functions into one to reduce redudant logic [1]. As a result, an identified bug about skipping over a signer is patched [2]. Additionally, add a conditional in the verify logic that checks if the given x509 validity period is expired [3]. During testing of this conditional, it turned out that all of the testing data was expired. So, rebuild all of the pkcs7 testing data to refresh timestamps. [1] https://github.com/Mbed-TLS/mbedtls/pull/3431#discussion_r999652525 [2] https://github.com/Mbed-TLS/mbedtls/pull/3431#discussion_r997090215 [3] https://github.com/Mbed-TLS/mbedtls/pull/3431#discussion_r967238206 Signed-off-by: Nick Child --- library/pkcs7.c | 87 +++++++----------- tests/data_files/pkcs7-rsa-sha256-1.crt | 32 +++---- tests/data_files/pkcs7-rsa-sha256-1.der | Bin 845 -> 845 bytes tests/data_files/pkcs7-rsa-sha256-1.key | 52 +++++------ tests/data_files/pkcs7-rsa-sha256-1.pem | 84 ++++++++--------- tests/data_files/pkcs7-rsa-sha256-2.crt | 32 +++---- tests/data_files/pkcs7-rsa-sha256-2.der | Bin 845 -> 845 bytes tests/data_files/pkcs7-rsa-sha256-2.key | 52 +++++------ tests/data_files/pkcs7-rsa-sha256-2.pem | 84 ++++++++--------- .../data_files/pkcs7_data_cert_encrypted.der | Bin 452 -> 452 bytes .../pkcs7_data_cert_signed_sha1.der | Bin 1276 -> 1276 bytes .../pkcs7_data_cert_signed_sha256.der | Bin 1284 -> 1284 bytes .../pkcs7_data_cert_signed_sha512.der | Bin 1284 -> 1284 bytes .../data_files/pkcs7_data_cert_signed_v2.der | Bin 1284 -> 1284 bytes .../pkcs7_data_cert_signeddata_sha256.der | Bin 1265 -> 1265 bytes .../pkcs7_data_multiple_certs_signed.der | Bin 2504 -> 2504 bytes .../data_files/pkcs7_data_multiple_signed.der | Bin 810 -> 810 bytes .../data_files/pkcs7_data_signed_badcert.der | Bin 1284 -> 1284 bytes .../pkcs7_data_signed_badsigner.der | Bin 1284 -> 1284 bytes .../pkcs7_data_without_cert_signed.der | Bin 435 -> 435 bytes .../pkcs7_signerInfo_issuer_invalid_size.der | Bin 1284 -> 1284 bytes .../pkcs7_signerInfo_serial_invalid_size.der | Bin 1284 -> 1284 bytes 22 files changed, 200 insertions(+), 223 deletions(-) diff --git a/library/pkcs7.c b/library/pkcs7.c index c4d605e00..56b6bb617 100644 --- a/library/pkcs7.c +++ b/library/pkcs7.c @@ -623,12 +623,12 @@ out: return( ret ); } -int mbedtls_pkcs7_signed_data_verify( mbedtls_pkcs7 *pkcs7, - const mbedtls_x509_crt *cert, - const unsigned char *data, - size_t datalen ) +static int mbedtls_pkcs7_data_or_hash_verify( mbedtls_pkcs7 *pkcs7, + const mbedtls_x509_crt *cert, + const unsigned char *data, + size_t datalen, + const int is_data_hash ) { - int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; unsigned char *hash; mbedtls_pk_context pk_cxt = cert->pk; @@ -642,6 +642,14 @@ int mbedtls_pkcs7_signed_data_verify( mbedtls_pkcs7 *pkcs7, goto out; } + if( mbedtls_x509_time_is_past( &cert->valid_to ) || + mbedtls_x509_time_is_future( &cert->valid_from )) + { + printf("EXPRED\n"); + ret = MBEDTLS_ERR_PKCS7_VERIFY_FAIL; + goto out; + } + /* * Potential TODOs * Currently we iterate over all signers and return success if any of them @@ -676,8 +684,17 @@ int mbedtls_pkcs7_signed_data_verify( mbedtls_pkcs7 *pkcs7, ret = MBEDTLS_ERR_PKCS7_ALLOC_FAILED; goto out; } - - ret = mbedtls_md( md_info, data, datalen, hash ); + if( is_data_hash ) + { + if( datalen != mbedtls_md_get_size( md_info )) + ret = MBEDTLS_ERR_PKCS7_VERIFY_FAIL; + else + memcpy(hash, data, datalen); + } + else + { + ret = mbedtls_md( md_info, data, datalen, hash ); + } if( ret != 0 ) { ret = MBEDTLS_ERR_PKCS7_VERIFY_FAIL; @@ -688,7 +705,6 @@ int mbedtls_pkcs7_signed_data_verify( mbedtls_pkcs7 *pkcs7, ret = mbedtls_pk_verify( &pk_cxt, md_alg, hash, mbedtls_md_get_size( md_info ), signer->sig.p, signer->sig.len ); - mbedtls_free( hash ); if( ret == 0 ) @@ -698,59 +714,20 @@ int mbedtls_pkcs7_signed_data_verify( mbedtls_pkcs7 *pkcs7, out: return( ret ); } +int mbedtls_pkcs7_signed_data_verify( mbedtls_pkcs7 *pkcs7, + const mbedtls_x509_crt *cert, + const unsigned char *data, + size_t datalen ) +{ + return( mbedtls_pkcs7_data_or_hash_verify( pkcs7, cert, data, datalen, 0 ) ); +} int mbedtls_pkcs7_signed_hash_verify( mbedtls_pkcs7 *pkcs7, const mbedtls_x509_crt *cert, const unsigned char *hash, size_t hashlen ) { - int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - const mbedtls_md_info_t *md_info; - mbedtls_md_type_t md_alg; - mbedtls_pk_context pk_cxt; - mbedtls_pkcs7_signer_info *signer; - - pk_cxt = cert->pk; - - if( pkcs7->signed_data.no_of_signers == 0 ) - { - ret = MBEDTLS_ERR_PKCS7_VERIFY_FAIL; - goto out; - } - - signer = &pkcs7->signed_data.signers; - for( signer = &pkcs7->signed_data.signers; signer; signer = signer->next ) - { - ret = mbedtls_oid_get_md_alg( &signer->alg_identifier, &md_alg ); - if( ret != 0 ) - { - ret = MBEDTLS_ERR_PKCS7_VERIFY_FAIL; - continue; - } - - md_info = mbedtls_md_info_from_type( md_alg ); - if( md_info == NULL ) - { - ret = MBEDTLS_ERR_PKCS7_VERIFY_FAIL; - continue; - } - - if( hashlen != mbedtls_md_get_size( md_info ) ) - { - ret = MBEDTLS_ERR_PKCS7_VERIFY_FAIL; - signer = signer->next; - continue; - } - - ret = mbedtls_pk_verify( &pk_cxt, md_alg, hash, hashlen, - pkcs7->signed_data.signers.sig.p, - pkcs7->signed_data.signers.sig.len ); - if( ret == 0 ) - break; - } - -out: - return( ret ); + return( mbedtls_pkcs7_data_or_hash_verify( pkcs7, cert, hash, hashlen, 1 ) ); } /* diff --git a/tests/data_files/pkcs7-rsa-sha256-1.crt b/tests/data_files/pkcs7-rsa-sha256-1.crt index ebbaf7cc6..9e461cd0c 100644 --- a/tests/data_files/pkcs7-rsa-sha256-1.crt +++ b/tests/data_files/pkcs7-rsa-sha256-1.crt @@ -1,20 +1,20 @@ -----BEGIN CERTIFICATE----- -MIIDSTCCAjGgAwIBAgIUMBERfOWtW1Y8Y661YJt3KlBYYZ0wDQYJKoZIhvcNAQEL +MIIDSTCCAjGgAwIBAgIUe97d0kRM0c3+XEGoECyJt98ubL8wDQYJKoZIhvcNAQEL BQAwNDELMAkGA1UEBhMCTkwxDjAMBgNVBAoMBVBLQ1M3MRUwEwYDVQQDDAxQS0NT -NyBDZXJ0IDEwHhcNMjAxMTI0MTQxMDE5WhcNMjExMTI0MTQxMDE5WjA0MQswCQYD +NyBDZXJ0IDEwHhcNMjIxMDI4MTYxMDU2WhcNMjMxMDI4MTYxMDU2WjA0MQswCQYD VQQGEwJOTDEOMAwGA1UECgwFUEtDUzcxFTATBgNVBAMMDFBLQ1M3IENlcnQgMTCC -ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMfqRyKXRqfkj/BThWvwcKfv -qsTiZmVOE6sIusfY86qae4Yv8R8AaBgA3eYbSOat/Xyr3VFgZGtv9Hc8iDM7K1h9 -U9WBKPGN1gGw12LzAxIbf+t5qkH21YtPNkr7liwJruhTh/JLypKE/SVW1XIS47PE -Ug92emsRMKfgsReO7x/EmB/c5cnXfwnrc+DKog2eB+6eIPhq2uq0g+/bV8hkx8+D -N50Qq1OMdy0s/RXeurlYG72jhpj978eOq467vUIIxyD4ggsh9f3ZMOEGFlGjSiZL -CXTgbIbwXnndamf3iqWWN5ZiDH6NVP1UTfCvxvX4HfBE928z0OXu4k7QxNaboEEC -AwEAAaNTMFEwHQYDVR0OBBYEFF1d36HSc95cdyWYy/SRZPsmWncJMB8GA1UdIwQY -MBaAFF1d36HSc95cdyWYy/SRZPsmWncJMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZI -hvcNAQELBQADggEBAIqAZJRQFPL8GFpxp0ZjF4vSiKX/D0/+LJB+vei4ZGZMaqRo -afT9LBAquK1JjXYXJ9wz56ueVxggouVLb6XTrAwsHISwVxKzxkmBde2egPZ9L7tw -EJdb2YPAkdoi3fY259N6KS8S0MwMMi/YmiXpVpQiPQ5tQFdbT9oSqewi/C7TudFc -hez1M7ToYfbMaZ1yQxf5otT8wKVKhLdEb9ncE2Jku6eH+5+lcVFsliLcNo28bd0c -joRYufduegaxmFluq4YWCozgET38AFKiG9Y8fK34He/qJIwHn7nWJ3cy3j+NAh3X -gpobw4JhCNXaInaNx/BZsoedjXnkunhgRijykOU= +ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMi2z2mJnNHw67TKZFwF5w4N +Lv7dzGHQicvVFaOaNXm5I0O2HsdQBg+07TeHYzJADkJfHTdsfnXClzMU7fS7MMj4 +3QO5/P+VWiRdSRN61uYAVsrBlVKoZdUhhxh8wELJxJ4+OpwXpTS0U82rwMsRO09j +9bMXS57pkCsZENEUlqJ5p0Mmrc/uEL/Z5+uvuzd76bY5WRZdE91XURccra08HTra +xovIAR1htUz2AXi+NoOaiayRq0GePKN9a6iB0lUYxNtovKb3yDYC9pmoaxf7Hnc7 +y+dLuTpJslGuhkKLV0Dhhoux1vq54ocS6Y7DGa2Pyk1zAQxLCcS4BFiWHnzwg1MC +AwEAAaNTMFEwHQYDVR0OBBYEFIru5ZR8xnxd1RWnbip+zTHuUv3IMB8GA1UdIwQY +MBaAFIru5ZR8xnxd1RWnbip+zTHuUv3IMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZI +hvcNAQELBQADggEBAIIda5jNRX3r0rCBrKJ+vs1Pk6zIKEQ7Oeq/+p+k6eRUO0b8 +wx4rW0gXeQPeppaaxKLMZXBlA5DxsI1DpML5dcfti/M1bHIYOAISRRqPEd5GVTy8 +1ltCVN249mg06yHdoqjzO1geFIRVesoblO6JMd3xYDe3pxcTIakZNq/Cf/zjld51 +1fcMuLWu4F/1BwiNZa8eQ5Zs1Cy+b3+s+NrgVd2CIrFpZSFyP4EkUXhZXJha6Rf9 +SzmYdz4al7e9EAhURvQlm8wJpFSSkoLBuJtx7Vh6d14KPUU2NB9F2ulp6AbJb+/H +EGd3bAK6IhIrkZmxTAwowESHUJBwuX890tbZcnM= -----END CERTIFICATE----- diff --git a/tests/data_files/pkcs7-rsa-sha256-1.der b/tests/data_files/pkcs7-rsa-sha256-1.der index 622df1e7a38899b4da3a3601badd4fb36a333238..0d799ea335a51b79ecc1f0b50037469ab0b69ade 100644 GIT binary patch delta 668 zcmV;N0%QHn2F(T|FoFX~FoFUxpaTK{0s<6!-rdqfOwrB$TtTQ1EQz<@E^NP%BT5=F zF)%VXF*Y$UH8xro4Kgz^FfuqXHZd?YHj#%|f5^7aX^EWC@awe7WLyR34h=5;-OORo ziOba$qnb5&xg$fi9>-7y547z!hhs884nkiYH*9`&!k04??ex1a$oSm@x%~f?S|nXb z6MEL>09MMul~Sl>)ggx%e857<#GXDnoEN1uv{TKiz{?RkPh<777fYV$kSiGw(G-@V ze|e`vCaurz5Wm^y>#w^vd+D}0Sr%Or-B(c;9IdT99Xi^^i^u^TVYN*50eHSPgPMt~ zk*h(TJfnSUsDaW|7{uFXyr%caHUjpUsB0Jd9(Oy-=S#UdNwQI{hC+*1K;edqvDW&z z;)fFHj>8$PkIGGR0SrqC#JB`lmL7cYOM_Da0|5X5qf;(a1+tfGFt%}}eU-MIE>H0vSVqNwvbSRNFF zReH)BlIx2G2qA*mTQufl))f8&+jb=CI_xV5g}U-btFjb*PMLzZmREWU4l ztoYjCRo#Ljv1w%?azBA2QFvKgm|E!<{YyERcRm`Ix4jSuR7UhAo6HHMRFaZ{!MK}o z?O1wuUJ5-$HZ&ha+UaTN2FY*l#}H?CYy!F>5-X9Ju}lmoz(j{okZ`$wJ<`_M0&;Vx C%{4m! delta 668 zcmV;N0%QHn2F(T|FoFX~FoFUxpaTK{0s<5;5fOalty@++W3IJen|CTuSYe%!BT5=D zF)=bUF*GqSF*#Zn4Kgt?F)}nUG%+wSIgy80f5+-aB9}&|a>IJ+gHeB$IpW|oe-;2jCU<8{T1H2xmX*$ zqlTFM@5hd-j=Q}=2*)7!f(s$_{n;?#1{P7HN+wGQbl_};@LqY{YG?O~rIt6AVhnzb zRQ*&<@UO=8_#N;>_ir=MNsV?FC)_jV ztDaXFAfn|7_$3@jXkuvZeZ#z}#7?Vf=4eJ{Ik5SLrogTRs6BHi{j=hJ#AFA~tq z3^Fg+nkDI0lp;M2Z9rFBPudcx>>~Uwf77|qT!rlQGqmVo_RMLWazhvSqSXArrAmai zL~q&L6Jlh$r-%EWrEyVgmLl9Xjl6B$9FBxox%X~*2CWRn`p9`k1(lnM_&)G{uK8UvQQ1q%$k4#Z z!qCjnz|<^CoY%-0!JXJ1QGar(>9mr6%Y}c*KMlFOui@X$DK5c&&jYT{sBtuUoUx+t zsmf%%>M1R@%DP+X=JE3zE%*HR_(_UK>F=G3z8w6lU?)-B_gMb0o$C3MB~rf%HExUE z-R@8*6lByjGuES5@y?5#(MR7`-L_K@EK^otR;k<9*c>shVC{ivg&YrJ88@=mA9{L& z;UT-+txo+y>xD_&$G2>&3%DnfJ(ugSm&NXh5oPhV8U`(ojWa(Sn{^~%&wX*82mIly z3_qoB+ji&!lV4=FbJl+0C%*rW92b09k^E-;=TznXq*p848ZIx-_q^O+x^VM1Q^~AX zjfc0~*^xN)+^#q29`+kbPtD^GUN(IpWBhUNHB*_G85tNC2O9($$g(kq%JQ*@v554! zhV72mXTI*@5_2;2*9y`6y7oK+d62X+i-dt#16Bo-HJDWEm!w|i5EOhjkMVY=XI%W| zhccJWuG*aG?zFo8!o(KEZH{a=rB;Wse^KHwV6W2LtI|GksjBUoHvS`wtt+}N8_c^Y z=i2ggex}(Ux#ZpQQ=a^&kXP83dADs)rdar(OAN_czfyN?u*XLhZlJUIu%w zM;tEc!Q6SGj1dZ#o$3qsm^dDNwZ{4K)AIJ&&8_*X4yn)8O4Cp`tj%$4nQ6}~FRlGM z^iSq%I~|>Ud$#u9ym|83C1oX(>;IY$Oxczun7(1-CYwS(hTz;q87E5l7StzwJ+xM< zBe|>p(_UpmU#ep`eve*dYMG=kecuWIcTFeT delta 668 zcmV;N0%QHn2F(T|FoFX~FoFUxpaTK{0s<6Cy!juc+$grNQ8zCP?2_`mKgV!rV%e4I{`4p#D%T)>6x_|cAxJle2yhu%qExiH ze?R~zl=8Xz@}BYYHKsME{8ia79|i+e9U}x7FcyFm*K)AFuurOgC=T%b=jj6_`}|eelPCfu zf1#4a8|W|LX$ykwi9P~}?sv$kb0I3eWW;!Qd9?&oqIMx~YMJfEKV;OB2$VeAX|+Tp z+`c=(Gm4s&G*?fPFNCIcQ=Wv^ic@Z|@%9yOk?Nx{Ua;lh%q>ZY$JHDpj9;>ijI5`s zUB+*qucfZUO7sD}D~MppfBs#Tzh(q1(AA!YaiCOLDH=h)%N5M4RgoDg z#eQmp#I diff --git a/tests/data_files/pkcs7-rsa-sha256-2.key b/tests/data_files/pkcs7-rsa-sha256-2.key index 6226f8ad4..659c01566 100644 --- a/tests/data_files/pkcs7-rsa-sha256-2.key +++ b/tests/data_files/pkcs7-rsa-sha256-2.key @@ -1,28 +1,28 @@ -----BEGIN PRIVATE KEY----- -MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDeLQBIvG/mRNzi -Lr/dVnbolKkEFz6jDZ3U490N4cXeQr2Amd3QKGEDnTzrRlsS3vPc6alCP0qfIUqQ -jsNLnIMQnvemoacfwVbzBugWm7cUl1mJhr9KyZhRNy8M7JLyvT/HcGhi2ZXq/vQo -IyrXIH4U3M28IUg3hwhwGVqiVLS6QAAolPK5+/Ke8fM1qFFLJ7VIkwssNUgh7yIR -j3gm0+EFV2DcSD9h+drO8Gh6rRy6RrSUrEsU8X28XJmzEJaw2mP/AKy8aNlSqrxi -b/dCA42xsjkR0TDrsccY6MAvfsh+MbVUZfNtXbCRUkp5gBAV2rN4ZJ3hVQcYke71 -H+tVr++tAgMBAAECggEANzztAyiGkbOxTzLcVQV4Tt8XHoNA+X0bLqDwhtEJRvdE -8kJPGb/QTvu696voXMq9ysD1ahkeTm4Sgdpcx+HD3FAJto4eZRDGs2mWLnjMjfwL -MNwll0yD6D1WH1p6NovC3a0e5uS+F00IGyqTLiVP85PqOsnzkIqsGGLVW+K/hEaK -lRqKEf5tYzkdmlay8SfJQf03TuJVFp6qAgG/gH2EkGR/B4SLotXYDNXLFAzlx/N3 -QXHRIKhYOcvznbJ7Doww+nCyO613cUeZ1t3/22QRC3Vm8WMaYzxivGoMzmGM2YqI -MtUG+zXm4if9+MmT0CQ3meWLYwkIbFax6/6DLS6iKQKBgQD4EU4CEEjCsnYm7668 -0THvkcEsOTvSKroLYPKsuUbeoBfCvK4/o6kb2dQbR9c8MnHAJ8yN9gMbuP/njPUu -G9/sycI3uDRYpsQDeBcD74NtCAKqB1s7kcucMzxudwAqw/jJCJxyPqGiS8HJGQRO -sQMtBkvQx9RqKKagAgCWwaiLQwKBgQDlR76cQN3GSVRZfsA2rqTyZo8b4ECSEu0O -4vSQ0i5xMWp8uJLRBxktRYYCMfzH6dHDG+GNYearolOHm7BfC3QUH2EC6kE2D/9P -A40JrF7QEkDRtQ2rmNOQ2diLB1wYQiqRJieuXVIIzaRcyenRxP6ec2YMmHl9FaPh -dmYzjtDSTwKBgFr2/YQENKowhuMAQTM8AvO2nv94fVc0E8TYaCSuTC6Wxh/C0KLF -gN2VoxHd5i9M0CmGbpwf+kPQMwbVyZJ+5j4OPgnwokFf5cDf6JCo46i3p0JyMCJH -9EHzB9X6DTWhZzlQzw2Vqe+5l/YGFm5EusVn6aVFob7L6U4DbfPaT9PBAoGAD1Hi -55fh+azOqQgyGbVDqjq2Fzu9tMT0+AisJL0Wg1O09M50aOkbgo3hrWXfqQ/zhyDm -ykafXhqDkE0T1NX0FKAgIEy8vLsG6SWol9vfnfGKSTjax/t3L3eO44NDYQ+Svo4Z -Gqp7n8D12YlYST7rcHTvfan2fCglAhyiKZHCXDsCgYEA0BeqGpJ6Oz6O8g61JixG -EryjO2cCnQLWlwlal40L63wY5tNDCixuDM6zJFq/tT9DYMuNANrfsqWU2ImKTNPE -kwlMgP813aPXREgyV3ylL4KLusfDF6hqPtDcU2QK05LuTX7puHwi0pR8jAmPzrng -Y2ncNnRJI7vczDETaW1vuoE= +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDJlTWWdP6nE/of +5VTTvoD+uZREU07nUNeYfEEy42ioceUkky57lIQ9Iy20fp4PDzKnSfHj5GRIdfu5 +ovTB8yA+GHOO4x/DPiXPyXQa+nEo2xXdt0BxElIyipldSI0h3Oi5W8Xvets+IBF2 +IyQDJH6+gYNYnnCtwJZxCOBdAbEHwuXYAOEHHtqJL3E7oWILx7S2flDeHGudCsNK +OLuRWHZfPSgwhOMzafDGmsRgvN8XDOAPV6ox8me2tsLwAk5Zi0NqvxPkTf/ExxHp +eGPsr/NlI49i6qhGgNOnb0nTj3Whs/Y1GWrqgcO03Lhhlc667GdIP7B1yp4PU6aX +oQFfx6yVAgMBAAECggEBAMVHm3w134qQCHfyroPTqtaftDTx+wRyn6yB3iT5XdGM +NZ8H07Pp80kKBo7gY7uFOiNyQKKxQFuR69sPWc3+LI3YzC8IpGslhUfHdjN46gn7 +73hfAVgnf/4qmlEq0cRUOAY/hIUMjUhNhglB9tqEeu3iPjMaTFgfZJwW/czH/QMD +w4zj5XoLgwRkqVvUceu/dBgV8KP5DpON+q8wpfWtjunv7rg5Nc3BVBrpb5SadJ7T +i5TsS+pZQyp+mTvyCI3A1hkr2Vw5tULWO8SPhuEQkdtC/CL+luCUO7L16lU6KhFB +qP5Fduik5skyLCVvAMUkjKcrC22k0gkhOHvfmMhjaAECgYEA68+hAQIiV9ErZGk9 +ZLu+VJHBSPmEQCkUcbviwzoRo8YSyka12TZERy+NJcvmD9deNgFbp8GyZf01XJWH +slSYt6LyInrJrTpv+3q2Vl5GQp0f+39i7MHnwGGKbWsDbSAm+L9yKTJzYJz1O5fo +in06AiyyGPwnXd1cm5bTXVX+dQECgYEA2tdi6DXF8awE23pv4HphPBhXS5hmYP/D +NC7CtP8wQsxjPdiIxkBFFVEaFCC2njq1VhTyJb5noJM4kOIwcoaQ/zgyyxQa0u7w ++CqvAh1WwG+sT/B7vivrtDmmYeyGQapFo5DRIz+MflKAhzDhtnEyT9vLuCdn8J95 +0YvxZJ9+k5UCgYEAh+e7SER9nJUt6AoLWyIlGMKEXlWIFh5W7RG3KIMwJW6D59aG ++fAfu9M5Cx6PsnOSlZeExpOJCOS9O2Xmti2xcqzT1nFkCJWUcqCPtAlTfxLlmuIZ +FpDOy36r9FHnwJ32OAjGd93ex0DOyZDMcfyoURaHcoTo/10UAYwUt0dXhwECgYAI +xad2TWmA1XdgYNkJM36gTQ16v0IjUz084z70yGHj25OC0CIzaDIct6KG+gS39Px9 +1dsa/jXjLuOOkzKD9LbtNBB9KXIl0GQiXnujZw+qKQ/MKISdS99n2wO7WyLKkQu3 +kb+AXTTBf4cdZC04BfORVesll5bIA2x7pNNpSCdnvQKBgG7VXYcPlIV7iAyi2xFa +uN1jccu/AK7xA0G1jz2SHNlpet74LmWR8XsTujJeo8WG1IRFxSky4h/pAP0XWIFO +0LPK7eeDtnFq6y1/DXpI+/9BWX5T/8+4Yk93p37YrBVWKfd21dhrAklQs11m3rlQ +Qn6c/zyvMKSyrCVxo5pTd5Il -----END PRIVATE KEY----- diff --git a/tests/data_files/pkcs7-rsa-sha256-2.pem b/tests/data_files/pkcs7-rsa-sha256-2.pem index 0f03a43a0..b11a00a19 100644 --- a/tests/data_files/pkcs7-rsa-sha256-2.pem +++ b/tests/data_files/pkcs7-rsa-sha256-2.pem @@ -1,48 +1,48 @@ -----BEGIN CERTIFICATE----- -MIIDSTCCAjGgAwIBAgIUSbz5H6XcKL1urGmyF9I9v63PwccwDQYJKoZIhvcNAQEL +MIIDSTCCAjGgAwIBAgIUVk1VQCWvWZ4ycHmycg7wDfN8+3wwDQYJKoZIhvcNAQEL BQAwNDELMAkGA1UEBhMCTkwxDjAMBgNVBAoMBVBLQ1M3MRUwEwYDVQQDDAxQS0NT -NyBDZXJ0IDIwHhcNMjAxMTI0MTQxMDE5WhcNMjExMTI0MTQxMDE5WjA0MQswCQYD +NyBDZXJ0IDIwHhcNMjIxMDI4MTYxMDU2WhcNMjMxMDI4MTYxMDU2WjA0MQswCQYD VQQGEwJOTDEOMAwGA1UECgwFUEtDUzcxFTATBgNVBAMMDFBLQ1M3IENlcnQgMjCC -ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAN4tAEi8b+ZE3OIuv91WduiU -qQQXPqMNndTj3Q3hxd5CvYCZ3dAoYQOdPOtGWxLe89zpqUI/Sp8hSpCOw0ucgxCe -96ahpx/BVvMG6BabtxSXWYmGv0rJmFE3LwzskvK9P8dwaGLZler+9CgjKtcgfhTc -zbwhSDeHCHAZWqJUtLpAACiU8rn78p7x8zWoUUsntUiTCyw1SCHvIhGPeCbT4QVX -YNxIP2H52s7waHqtHLpGtJSsSxTxfbxcmbMQlrDaY/8ArLxo2VKqvGJv90IDjbGy -ORHRMOuxxxjowC9+yH4xtVRl821dsJFSSnmAEBXas3hkneFVBxiR7vUf61Wv760C -AwEAAaNTMFEwHQYDVR0OBBYEFNdysL6wT6p/KA7w/efpAyX7/FXZMB8GA1UdIwQY -MBaAFNdysL6wT6p/KA7w/efpAyX7/FXZMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZI -hvcNAQELBQADggEBAKGSxRvoL+FpC4LtiT4Cie53yKlzISq+ZMR4eHm1BFSidiFv -apntxj9k1JIIlDzbabVEJdy+O8EzipqUNFdPky+EpnZTnoTXilNusPH2FW+R6qMx -XrDl4MwtSYnH1RwkjF+yjYysp6pdxm+gr6k7lS4biHq6VfUYSvQBvSuIYMn+XZa/ -ZgQs0NWeh3GgVFkpGkG/yxXMq1WRGSrFfmqExLVpMeNXTINQsK5PH/JMaj44c4T7 -+qbq9Rf4U4ezkTUXHsQQsA3dFpPiL5Lv6RS+31VKLpXYJQ9j/Z+IWBFjTf/utt5T -VA2cEFCZIkNYUoX8RVs23cQr/ZNBxxgO/7JYNSE= +ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMmVNZZ0/qcT+h/lVNO+gP65 +lERTTudQ15h8QTLjaKhx5SSTLnuUhD0jLbR+ng8PMqdJ8ePkZEh1+7mi9MHzID4Y +c47jH8M+Jc/JdBr6cSjbFd23QHESUjKKmV1IjSHc6Llbxe962z4gEXYjJAMkfr6B +g1iecK3AlnEI4F0BsQfC5dgA4Qce2okvcTuhYgvHtLZ+UN4ca50Kw0o4u5FYdl89 +KDCE4zNp8MaaxGC83xcM4A9XqjHyZ7a2wvACTlmLQ2q/E+RN/8THEel4Y+yv82Uj +j2LqqEaA06dvSdOPdaGz9jUZauqBw7TcuGGVzrrsZ0g/sHXKng9TppehAV/HrJUC +AwEAAaNTMFEwHQYDVR0OBBYEFI5FVrtfLwPXRERcyVX6qBVvfoduMB8GA1UdIwQY +MBaAFI5FVrtfLwPXRERcyVX6qBVvfoduMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZI +hvcNAQELBQADggEBAKRl0wgREe6eAduJSV5fs+Ec0s2qs2lHQqt/0JGEIbZBBtka +q1UH9CIMMAd6Kb0kh5GlJT2shg/EAYWoitMwntkeRYTln2k2/B5jux+U5Ph4HyC+ +ad2GqmsoXWDru79rltT7Pv1hS1ofJyQ4Jv88vQA/SuIIRGdTC24VAVgg00JxvDRB +xeqsQ9Pld4ebg4VvqsInnSpmKCcxfWxFhJk/Ax8bK/tV/GnrPiwsvry1j9nZyebS +IyI01/6DwJS2ZhFnsLGyPHFOAFNtomjIdQ6gf2L1wq0qiGOKj/K9IzFNCpCz82a+ +gMgqFzCT5TCZC16kUG2NA2pXAx9O4uppKjRk97U= -----END CERTIFICATE----- -----BEGIN PRIVATE KEY----- -MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDeLQBIvG/mRNzi -Lr/dVnbolKkEFz6jDZ3U490N4cXeQr2Amd3QKGEDnTzrRlsS3vPc6alCP0qfIUqQ -jsNLnIMQnvemoacfwVbzBugWm7cUl1mJhr9KyZhRNy8M7JLyvT/HcGhi2ZXq/vQo -IyrXIH4U3M28IUg3hwhwGVqiVLS6QAAolPK5+/Ke8fM1qFFLJ7VIkwssNUgh7yIR -j3gm0+EFV2DcSD9h+drO8Gh6rRy6RrSUrEsU8X28XJmzEJaw2mP/AKy8aNlSqrxi -b/dCA42xsjkR0TDrsccY6MAvfsh+MbVUZfNtXbCRUkp5gBAV2rN4ZJ3hVQcYke71 -H+tVr++tAgMBAAECggEANzztAyiGkbOxTzLcVQV4Tt8XHoNA+X0bLqDwhtEJRvdE -8kJPGb/QTvu696voXMq9ysD1ahkeTm4Sgdpcx+HD3FAJto4eZRDGs2mWLnjMjfwL -MNwll0yD6D1WH1p6NovC3a0e5uS+F00IGyqTLiVP85PqOsnzkIqsGGLVW+K/hEaK -lRqKEf5tYzkdmlay8SfJQf03TuJVFp6qAgG/gH2EkGR/B4SLotXYDNXLFAzlx/N3 -QXHRIKhYOcvznbJ7Doww+nCyO613cUeZ1t3/22QRC3Vm8WMaYzxivGoMzmGM2YqI -MtUG+zXm4if9+MmT0CQ3meWLYwkIbFax6/6DLS6iKQKBgQD4EU4CEEjCsnYm7668 -0THvkcEsOTvSKroLYPKsuUbeoBfCvK4/o6kb2dQbR9c8MnHAJ8yN9gMbuP/njPUu -G9/sycI3uDRYpsQDeBcD74NtCAKqB1s7kcucMzxudwAqw/jJCJxyPqGiS8HJGQRO -sQMtBkvQx9RqKKagAgCWwaiLQwKBgQDlR76cQN3GSVRZfsA2rqTyZo8b4ECSEu0O -4vSQ0i5xMWp8uJLRBxktRYYCMfzH6dHDG+GNYearolOHm7BfC3QUH2EC6kE2D/9P -A40JrF7QEkDRtQ2rmNOQ2diLB1wYQiqRJieuXVIIzaRcyenRxP6ec2YMmHl9FaPh -dmYzjtDSTwKBgFr2/YQENKowhuMAQTM8AvO2nv94fVc0E8TYaCSuTC6Wxh/C0KLF -gN2VoxHd5i9M0CmGbpwf+kPQMwbVyZJ+5j4OPgnwokFf5cDf6JCo46i3p0JyMCJH -9EHzB9X6DTWhZzlQzw2Vqe+5l/YGFm5EusVn6aVFob7L6U4DbfPaT9PBAoGAD1Hi -55fh+azOqQgyGbVDqjq2Fzu9tMT0+AisJL0Wg1O09M50aOkbgo3hrWXfqQ/zhyDm -ykafXhqDkE0T1NX0FKAgIEy8vLsG6SWol9vfnfGKSTjax/t3L3eO44NDYQ+Svo4Z -Gqp7n8D12YlYST7rcHTvfan2fCglAhyiKZHCXDsCgYEA0BeqGpJ6Oz6O8g61JixG -EryjO2cCnQLWlwlal40L63wY5tNDCixuDM6zJFq/tT9DYMuNANrfsqWU2ImKTNPE -kwlMgP813aPXREgyV3ylL4KLusfDF6hqPtDcU2QK05LuTX7puHwi0pR8jAmPzrng -Y2ncNnRJI7vczDETaW1vuoE= +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDJlTWWdP6nE/of +5VTTvoD+uZREU07nUNeYfEEy42ioceUkky57lIQ9Iy20fp4PDzKnSfHj5GRIdfu5 +ovTB8yA+GHOO4x/DPiXPyXQa+nEo2xXdt0BxElIyipldSI0h3Oi5W8Xvets+IBF2 +IyQDJH6+gYNYnnCtwJZxCOBdAbEHwuXYAOEHHtqJL3E7oWILx7S2flDeHGudCsNK +OLuRWHZfPSgwhOMzafDGmsRgvN8XDOAPV6ox8me2tsLwAk5Zi0NqvxPkTf/ExxHp +eGPsr/NlI49i6qhGgNOnb0nTj3Whs/Y1GWrqgcO03Lhhlc667GdIP7B1yp4PU6aX +oQFfx6yVAgMBAAECggEBAMVHm3w134qQCHfyroPTqtaftDTx+wRyn6yB3iT5XdGM +NZ8H07Pp80kKBo7gY7uFOiNyQKKxQFuR69sPWc3+LI3YzC8IpGslhUfHdjN46gn7 +73hfAVgnf/4qmlEq0cRUOAY/hIUMjUhNhglB9tqEeu3iPjMaTFgfZJwW/czH/QMD +w4zj5XoLgwRkqVvUceu/dBgV8KP5DpON+q8wpfWtjunv7rg5Nc3BVBrpb5SadJ7T +i5TsS+pZQyp+mTvyCI3A1hkr2Vw5tULWO8SPhuEQkdtC/CL+luCUO7L16lU6KhFB +qP5Fduik5skyLCVvAMUkjKcrC22k0gkhOHvfmMhjaAECgYEA68+hAQIiV9ErZGk9 +ZLu+VJHBSPmEQCkUcbviwzoRo8YSyka12TZERy+NJcvmD9deNgFbp8GyZf01XJWH +slSYt6LyInrJrTpv+3q2Vl5GQp0f+39i7MHnwGGKbWsDbSAm+L9yKTJzYJz1O5fo +in06AiyyGPwnXd1cm5bTXVX+dQECgYEA2tdi6DXF8awE23pv4HphPBhXS5hmYP/D +NC7CtP8wQsxjPdiIxkBFFVEaFCC2njq1VhTyJb5noJM4kOIwcoaQ/zgyyxQa0u7w ++CqvAh1WwG+sT/B7vivrtDmmYeyGQapFo5DRIz+MflKAhzDhtnEyT9vLuCdn8J95 +0YvxZJ9+k5UCgYEAh+e7SER9nJUt6AoLWyIlGMKEXlWIFh5W7RG3KIMwJW6D59aG ++fAfu9M5Cx6PsnOSlZeExpOJCOS9O2Xmti2xcqzT1nFkCJWUcqCPtAlTfxLlmuIZ +FpDOy36r9FHnwJ32OAjGd93ex0DOyZDMcfyoURaHcoTo/10UAYwUt0dXhwECgYAI +xad2TWmA1XdgYNkJM36gTQ16v0IjUz084z70yGHj25OC0CIzaDIct6KG+gS39Px9 +1dsa/jXjLuOOkzKD9LbtNBB9KXIl0GQiXnujZw+qKQ/MKISdS99n2wO7WyLKkQu3 +kb+AXTTBf4cdZC04BfORVesll5bIA2x7pNNpSCdnvQKBgG7VXYcPlIV7iAyi2xFa +uN1jccu/AK7xA0G1jz2SHNlpet74LmWR8XsTujJeo8WG1IRFxSky4h/pAP0XWIFO +0LPK7eeDtnFq6y1/DXpI+/9BWX5T/8+4Yk93p37YrBVWKfd21dhrAklQs11m3rlQ +Qn6c/zyvMKSyrCVxo5pTd5Il -----END PRIVATE KEY----- diff --git a/tests/data_files/pkcs7_data_cert_encrypted.der b/tests/data_files/pkcs7_data_cert_encrypted.der index 0d0706931e625b35b37466511e87ea4da5a731ba..763057d9e5eb7be478369ddaba4f227fbe94afee 100644 GIT binary patch delta 366 zcmV-!0g?X11H=Q6Uw?bv-O@x%(aru`L8uTciMQV_Y`-uK1_>&LNQUo z07}fdUAVJ>X*kQqd%D*rLG$nqctJVMX|%rz8CJY0cOZ|=bocqC8hzAniNN`=Iq zg~|@O?Gp`C`nG6LWNiH}uQV;lvC7Iq>~EVGRC&qVB&h7M3V&(J7{f#jt%@Bd*gWd- zMfq+qY7!9F!t%(f_B#}$tOR! z>kStU9iTuzl0dPYpx!o0?a6Pq&oW{hS6&LNQUo z01MTcgrxL5dy@l*VL5lRlyDm?g)3;67Ot5m=D4eHp1yroHeJsaMz@eznL)aHdzF@W z`L^fGvI-n8JF6vSG~uiUuSN4WLRZ=kt<}U1PsMO$_m}q5!GDh1{Wy+Mhg(GKA%rl- z@sdwGUn!=!UWY{X&uig>@}@2 zJ%Sql=M9|xz+Dk5zXs@I7r*vWg|S{en$X5uW@;P%+#7~y7P7vpi>sgYFC-PxwAqbz z<;2LE_6QQLgJ<*+BYG42=5sl(_A1-;UC7e7B@5w%zz5lxjUF+0XkuP5GJ_9Tl6gEZ zJO&9WhDe6@4FLxMFdYU7V1`HmWdj5ODg+QZckg~VIky`(o)-umhz_rS5NV*BB$WjF MN+nIx-1da?hxulsi~s-t diff --git a/tests/data_files/pkcs7_data_cert_signed_sha1.der b/tests/data_files/pkcs7_data_cert_signed_sha1.der index a888525244b49ec910b7e4b46c338fd3e74f9d37..b6f95998fc3eb91ccb47856b79f61d06bac9af24 100644 GIT binary patch delta 943 zcmeyv`G<3YyGZrDyO&&iE}s1tQ8JtpV>L*;)mB;PNl@KKIh}r`*-(D;)TxBS49`kGOgUH?7U6xcmNy!mbd2Z z$wm%*PVutlId!FnrW=dA{j%HO#E-koJOBKj8l@8JDO`2!8AI5qgHwZ6q+V5Qm#8`5 zbn?hNJF7Y3OHH-}pIv?6w4k+r^4HDc-t%5g(3TXqC^BtPedTgzwYBHp3GBc5{Pp_X z=G8B^Sw@P*3f~P66qi}M)<)Lq*0JsrjIxPaeZDbP>@#bg)wyQkYR7pti)*u2G+qjo zIC48<&$90)%$UB-T#+sQTdv&t^mFf>R-T&z*R?ryhdVrM>)v?n*Um@nLNEIcORnud zxtb5&&B08}j0}v6gAD==WZ9TQW%*ddSVX$sJ)Kf>tS0uV=<+ zO7#oga|^ZEb1m8_^J#Q0!LwzR!-cGR4a?_?E>*%FK|h)wyr>{&K#v zO0TH7BiE{VP5s&dZYFHWYV~!qjNYrS3awXLROQ_lqRV#OR{5Y);L~01pKU(!8U|hd z5UIrb$WD$F4qc(NSr${+Dpp7(9p=l(8SQd&@xJ#*T@jT zowz@u{`f0*rRi?VpY(qSZq5Esu>Ae1BahNj{e)L@>^gqq^Qu|ZZTcVO88Rdo?mm2`Sn6U&?JdjIFgJYJ;yfYJBXy#<<~n(r0EN>H61|s~o>w?e;hG`aMmD zbKQ&J_D|lYCbj%k4ZB(-^my};ApWwdY(azN4>pSTy_c^)GDH5()05ZhIbRn)IJJm( z9{am_3O}-Lz1q_J{&x6@l;h`{&F2cN4(=(})%h!WZ`aNU>Aj2FX8e7Byl-{i?!8VN z#}$4waVviPd(+?{n^@ptFEww@k_S0$AL1(SW~G1cS~|^qS`trPZ^+*e-w*4Lef=T( z!R33t@r9@F9{F83a&5Nv0!JohMh3>k!3Kc_vTV$uvV1IJEF!V7_ZMC&z86!jI^*=0 zi7CI;qRKf9}Aa<^ph?n@m@|MUC*)0t4W z_r;EsG@q;`8JS=H>Ii7ZnF8Md_2q&fNUf%wD{?fw0oM}pT z%zF3a-j(TViP-r)uZnHsjL5vzZDL$K4+L%hFa#}y=j*8;ig26tGATOdXImI+|)j|xAMuZiUc=}PfQb@PHts(#hMr=-(!}mXLO0S zbr0kgJrXY4*qo;&+Nji@-1J?Br8?i#h_kG95l`&L*`;-BL8_ zZI8IOUe32WPgq+_?dCLV7uC6nF diff --git a/tests/data_files/pkcs7_data_cert_signed_sha256.der b/tests/data_files/pkcs7_data_cert_signed_sha256.der index 3f2dfb5ace1ae4c6571da3551fac2c2c0d65d89a..778fb7b4246a314999cac675ef2bf0147f8439b8 100644 GIT binary patch delta 947 zcmZqSYT=sTEmD2&?j;wWi)a7EIIa-T>D+!_FK7S6crR%qLjxlVLo-7IQ?n>>UL#{9 z?!-LviN6)-wh8Gmsz{kM%L=qvF;O$vWZ)LzA;wpGi#pJxn|;O$9Xo3YqM80 zUJ8{sayw(svhOF%n7++ikuCmPuH5?cbMKv2o|^*KwK;W%J3MUb-gxcT&PVM+FZ&Kl zuI)eNTg=Gg&3R-8OT;v}nh)O1!A#7I42+9|4FU~h*_cCR`B=nQM7rKRolq`akuLr`{{Q`kiOT)^!i!zp``mrmmNBo|bb(XJ3B(njg0wgx+mZ+L)QDSY+R* z5?B!#Gb8Gy_+M|!8Rd3T)3@&x;0SU1qB{Ew=aP^~lbR0hm|gfbqN+TO%huJ*MBeq* z%gh&SC-dJQ7f3J9VcMl6q&;!wMjsxH11{|W6AE_L+g`eMlc}h9awoGZ)&x2E5wlW# ziDvax!;Gx`PFtoX#JOreFxl##^dO+n_E1T`!4W^xuFPt?&6Q1c_pc^rUDl%8FXvcTFD$w6>aN+Em+4aYgGUb%(XQ+o1sP_eMdd{4edE>G% zV`giN`oXe0F?QX`aTCA3ROp?(=Wq6wt#5W#CG9uRxXHBhdgLtWb)gPLH4SEuyg6!q zZoDMIT3cke#QCM~BrUI?ds1w3pYg&S}7u@`!$Odgze4i OE(e_cEcJv*F$MrvY`x2AxP^nVC$&HhlZ{QasUkJ3{8gjaLyI)3Bxs#(=-`XA*PG9(!8 zK9lx%w)St$>brpnDcSj7%56G~t+gX+gReGfeC)l(xZ!%zXJ#Sk`q!1K9KT)d_BZqT zJxzym-HYJ%Pu`~{wft2LyILglc=M4U{<5lUL4)NFHj4MXm#;rEL;lXwlh^AxUl%_( zwTO2f`@4AxKeBGU+S2^~cKC^uH)k$lnm(59^P8 z{UQ6o<$J#Ig{SWx`CT}2ZMOFUMLDI@B5(Z)oSQSi8VN$K{YDk$9AoA&tL{#B&w`B3|OC3x9^ZWnP znNYX)#g3FTpR6SrnP2|u2x#qC>)Bf-u71b(`RaM$5(d5FhwS@TDn0D;cV1I3 zH@auv%OrcfX_oZirbLdbx0K3ykAH~V)IPVj^2x4>1UHROOcS0??qqhwnjj}XVpghm z+kL3@>*2TIooQc|i9Zy1B2aVd`Dz}Ycl_G(w(f9Ft?pua*m*Nd^v2|wp(}0*9u-PH zxxXfW^Kk#tCd)sDAzpqRmC4b(p_h{uCbtN5B;LDr>lv@Y^4?>{N}Qjm51hoMt7OcJ-;(w=WC6YS5)OlX2d>br){eIQ6dd z&ib?J?a2`nG}M3xwuTvO$oJhis_q-C+|jqDzQy(#{0`(`dNS#oY0 Pw^pJzTPjx?lOqoRq+iEN diff --git a/tests/data_files/pkcs7_data_cert_signed_sha512.der b/tests/data_files/pkcs7_data_cert_signed_sha512.der index bf143a56f0b499929747df519279532d86354d61..41849a943e54d4d08d0d1fdf9926f2c362fc986b 100644 GIT binary patch delta 947 zcmZqSYT=sTEmD2&?j;wWi)a7EIIa-T>D+!_FK7S6crR%qLjxlVLo-7IQ?n>>UL#{9 z?!-LviN6)-wh8Gmsz{kM%L=qvF;O$vWZ)LzA;wpGi#pJxn|;O$9Xo3YqM80 zUJ8{sayw(svhOF%n7++ikuCmPuH5?cbMKv2o|^*KwK;W%J3MUb-gxcT&PVM+FZ&Kl zuI)eNTg=Gg&3R-8OT;v}nh)O1!A#7I42+9|4FU~h*_cCR`B=nQM7rKRolq`akuLr`{{Q`kiOT)^!i!zp``mrmmNBo|bb(XJ3B(njg0wgx+mZ+L)QDSY+R* z5?B!#Gb8Gy_+M|!8Rd3T)3@&x;0SU1qB{Ew=aP^~lbR0hm|gfbqN+TO%huJ*MBeq* z%gh&SC-dJQ7f3J9VcMl6q&;!wMjsxH11{|W6AE_L+g`eMlc}h9awoGZ)&x2E5wlXg zUDKZ{D|r+8ul;Jgp?mAZnm&(}-(|n7;+t^I|0i1*&&QfqVhnEfDzTO&KLu<4?AoQr z&6a7pj47`3r@*0G@83KN-+VkaHT#!B(BfO^mfj!F-g3@(BUMs+k)^YeJ?y0S!8a%G z#2Brt$Tc;JnPT|m_jZwsTyI$97=7;udG;TRIa%MHzp6a>l9^dqy>{s99~mVq*X!mL zyuR1&6?gE@=cuLXasMV&1W2s)&A08pqb9EQe%*rGmOHJNtU7$K$hfCVZiNKf#e(~@ z1g5;d#B$)}<~VbqRg?Ecn|`T%xGM4Vnczc0r&z9U`+MIp{AuY_d;jK+cN{8fW*5ER QDG*~-KO;icmTBgH01S=CAOHXW delta 947 zcmZqSYT=sTEn*-jSo3skbeK)@x~&Pb%e4X`66a2g_mVa+G&C|XG%++Vw2TtxH8Mov zPRui(_*2AxP^nVC$&HhlZ{QasUkJ3{8gjaLyI)3Bxs#(=-`XA*PG9(!8 zK9lx%w)St$>brpnDcSj7%56G~t+gX+gReGfeC)l(xZ!%zXJ#Sk`q!1K9KT)d_BZqT zJxzym-HYJ%Pu`~{wft2LyILglc=M4U{<5lUL4)NFHj4MXm#;rEL;lXwlh^AxUl%_( zwTO2f`@4AxKeBGU+S2^~cKC^uH)k$lnm(59^P8 z{UQ6o<$J#Ig{SWx`CT}2ZMOFUMLDI@B5(Z)oSQSi8VN$K{YDk$9AoA&tL{#B&w`B3|OC3x9^ZWnP znNYX)#g3FTpR6SrnP2|u2x#qC>)Bf-u71b(`RaM$5(d5FhwS@TDn0D;cV1I3 zH@auv%OrcfX_oZirbLdbx0K3ykAH~V)IPVj^2x4>1UHROOcS0??qqhwnjj}XVpgi> z7k{95aZ*_J!lkb`S_M|W9x`-NmRxqWrcOSgXK$bUOMw}?}4ckXKQ z?RVSveiU54_l5>bce$S9fj{!A7T$a7oqn17>e5QKtmhpK0p9mNG)6vno6oyl!MHEP z)nN{!xulzt!=*QU>)*7MuzpBZh)CDGue8Z&RsB?fut3d&OCO&&`1|S4mN(Z7Z}Ta< zcO7|dsT+6rJ0vmMGM>?9W$@lvD%|nT+w%-Zjg(i{KvMvewvG?Eh}C; PBYi=!>z)7pOyZ{i)pf~# diff --git a/tests/data_files/pkcs7_data_cert_signed_v2.der b/tests/data_files/pkcs7_data_cert_signed_v2.der index 1a24a8a2e3b72232f8ec4c2a1b2a45df051a2444..befd17c190253d2fc76833b5f6cc60b6a2742a2c 100644 GIT binary patch delta 960 zcmZqSYT=q7$;o8MZ@|mOnb0;-NmHcy-rY+sJ{Qmai*Z~bpwqeizFyA$iSb_2MurAP z7KUbq2Bv0F;=D%2NZg5e<`aJ_)SuXPKC^Sq#SgEyoJxsdea^?L_wVkR#0#CLuZk|7 zWm>sY*?F7X@c=gdEpN@+lZ_nsoZ@B8bLvVDO*a;K`(?Mmi63{FcmDZ5HA*GcQ@HBd zGlsBJ2d4(DNWH4qE>Uy9>Ew}lc2;x5mzrz|KD+wBX+dlMz3080pe-qIQDoYp z`pV_bYHQEG6WD+A`Rnz&&8uH-vy2pr6}}rDC@!;ht&ObJtz+FM7-bW;`g~)o*k{%} zt8>l7)sFLQ7T0F4XuK3EapZQ!o@L)pm@$2uxguNqw_LgP>F3@%tvojcu4{AZ4tIFi z*1hrCubq$Dg^GE818-d(ifvvq`=NK0tdDd{Qi zIt}lBOfcWRTwGXjrKH*VL-l{^A5Xnkdi6Wcj;-q+#D8Vy=uKTO=R7Uviq5|L`ZYgp zJqW$qq_i%?Iu%E z@#IcsSF8zg@*`%Y`V!6RtA-g_`<=E-O^9>VeqgfIKj}e0q3xlPeuE=^rd^rUcAG1k z>h51n&bqSWthZp@t@$4B0(5Rld?=4^V-PxW|38z;=3h(aXv|})-7@X)hSw%d)*p&R z)pE^Un^0 z((6JUifS6n9(i-r{M>j+gtfNFaEbFv-$`0tLHDHC=059J4qnv}Ros5ner2)z%1;_H bleJPrPWNjTD+t@0*If=c{aNY>lVS`2W9h&O delta 960 zcmZqSYT=q7$*G%~rw~(NV8k_1NmIl?P_X9d+UPKwp$6H>DCzm(f_7+Y&c)CON|)cDwYjd8>Eq|eMk z()F(^S2=#W+U;-V^?RBQ=eifc?Vr3)O=|h88g{iv=<((wLHuP^*@6bkA8ZuwdoN#q zWQP2mrzfx1bG|NqaB30nJob0<6nK zv?QLo-jKf`z8}^f`}#xngUk1P;|ovUJ@UJ70L%ZtQsXENs&Ig9^Xbmh;1rCu%DUGi_< z5l%|ky}bSR{H29~In$KxnDy?-y(`n#60!4pUKQKM8IgIb+r+qf9thh0VF+3zea)t3 z?GM@auT*;2=kL6xUT$>HzL!b%debcF!%c}CS8pkm^&bBaxv70_Z{?F+6$x${pO_{* zo!rUniZww_e#ER)@3#9;>(|3?!#mTyEE9hy@! zZzkisdFw9Ru5s#J>7Dgw)!UODGV#xX<~)=Q__NWFk#TKwd9?L5-H_yr&sm=qOuu^h zpuGEWdpFPEkhQu0?j4rAv|Lr;xrS!b#E^un$l06h?}#ihG`XhAIeBVr_eslQ*BjYA c0((>Z-}cR1VzT7iHg2s%Z?;sfG$uzL03W2vUH||9 diff --git a/tests/data_files/pkcs7_data_cert_signeddata_sha256.der b/tests/data_files/pkcs7_data_cert_signeddata_sha256.der index 7c631f9d7495886951dc80a63dc299421620b8de..85ea9f9fc1f29c7a68936a17ddf3825f10e9636f 100644 GIT binary patch delta 943 zcmey!`H^#ig-G?iyO&&iE}s1tQ8JtpV>L*;)mB;PNl@KKIh}r`*-(D;)TxBS49`kGOgUH?7U6xcmNy!mbd2Z z$wm%*PVutlId!FnrW=dA{j%HO#E-koJOBKj8l@8JDO`2!8AI5qgHwZ6q+V5Qm#8`5 zbn?hNJF7Y3OHH-}pIv?6w4k+r^4HDc-t%5g(3TXqC^BtPedTgzwYBHp3GBc5{Pp_X z=G8B^Sw@P*3f~P66qi}M)<)Lq*0JsrjIxPaeZDbP>@#bg)wyQkYR7pti)*u2G+qjo zIC48<&$90)%$UB-T#+sQTdv&t^mFf>R-T&z*R?ryhdVrM>)v?n*Um@nLNEIcORnud zxtb5&&B08}j0}v6gAD==WZ9TQW%*ddSVX$sJ)Kf>tS0uV=<+ zO7#oga|^ZEb1m8_kq}EYPsgF%@UUi6vdzZ%1jqi zxW>5auK7pqSL+&jj%desyeiP&aB$)5o7wfpk}~C#>u0Ek6sY$FaC*+1mwDr|F=J+H zjQYW{J27_M%5f9FzEtR)z2|TCmaT7gRweB>(74I8^Lpeg>2;wFMKuj(kGwf*er~)Z z!dhEoxWxIT?<6g+pnFnmbD#Aq2e0agDsI1Ozp_|<n;bJ L{w(!`NihZhmT0`V delta 943 zcmey!`H^#ig@}QmV9nFD(P1{p>$WD$F4qc(NSr&-$4kn<(9p=l(8SQd&@xJ#*T@jT zowy;Q{`f0*rRi?VpY(qSZq5Esu>Ae1BahNj{e)L@>^gqq^Qu|ZZTcVO88Rdo?mm2`Sn6U&?JdjIFgJYJ;yfYJBXy#<<~n(r0EN>H61|s~o>w?e;hG`aMmD zbKQ&J_D|lYCbj%k4ZB(-^my};ApWwdY(azN4>pSTy_c^)GDH5()05ZhIbRn)IJJm( z9{am_3O}-Lz1q_J{&x6@l;h`{&F2cN4(=(})%h!WZ`aNU>Aj2FX8e7Byl-{i?!8VN z#}$4waVviPd(+?{n^@ptFEww@k_S0$AL1(SW~G1cS~|^qS`trPZ^+*e-w*4Lef=T( z!R33t@r9@F9{F83a&5Nv0!JohMh3>k!3Kc_vTV$uvV1IJEF!V7_ZMC&z86!jI^*=0 zi7CI;qRKf9}Aa<^ph?n@m@|MUC*)0t4W z_r;EsG@q;`8JS=H>Ii7ZnF8Md_2q&fNUf%wD{?fw0oM}pT z%zF3a-j(TViP-r)uZnHsjL5vzZDL$K4+L%hFa#}y=j*8;ig26tGATOdXImI+|)j|xAMuZiUc=}PfQb@PA+41#hMr=pJ!I8ciVla z_3Poc;hkw;mWe+Uc_L7A>-lOPpLhJ)^S17APOa`@df0h0O!UU&nV~Cg3LX_oKDoap zfb($w(k9D4h9O>l9hJ$^yrGwq7ACg{bR^!pcIz3h!t&l@#!5do@t)XVzp2w{Z>sv# zwTGU6@byyO))BM8WV=?!m5s%%Dx78|ns)W6*S9YVzG~2=Hg~x6nfPZxa~{eD{Ml&8$hbDTJlcAjZb)**=d4c)reD2$P~QExy_;un$lBb0_YO;5 zTCS?_Ttl;IVn{+(y7LlfxRjIZ~JC0F&j#v=lKK)k+X5#cdNci zQnPMvrO`_pTYFKeHCm&*_wGOMymOrQ=XbvEukZZ6Z&-L(IMY-la)v!&c=PS}k&|Af zpki{{>=pl>ELRh8B@|Lg9i@sws;D|b&MIB|ugnqTRL$CxCJ(p1!6iR_ySYXi^>jM* zng8sSBlhb%eR_Kr=mjG>DEzv_smtWsiLd~BP+W+X9$oh5%a`-13 zL_a*vbChv57LJ(w#Bpo1FVDKtizSsPM(oueVNlW6A48rg(`?48d&j_<79Kmz5L4<( zrowr_w<7taEOdSSD+-bSF z3wY428dsEDlU1!p)hdhftBjeziZMR;bUyzvtP0#Mtn`B%K*Kc0KAY078#h_iCFrNx z>CPvlHcsx-7ZQb5(g)7hW{jEz1Ncl&Guk=r^P$8|(>NO-2*3d-vq4%RCAdIX34YFV zoFXY3%ellsqBBdhB0!!rj@q#PHH?J)$A)u?A>4|FH?eJux{Y8x)L;1sNk_fvBe-AOHvyxn+jc zm92N6D&fPMg7`PjZV?ZNS+0gTn;@?LkEcC(Bu^zjz0krI!kr45H z0^)-xyG@rMWUZ7^=xmfG_3z$`mG&It9hVFF(Pl9zs1jV7W^_AHXELaqNUDKZLW}T1Ssx{<{P8uRErW zFgY3ZOUGJW96BZoJciyjyaA#Bdr77~nb4`M_iDAqfVmu&NQrwGSk*6AEPodvhl=vY z#24y-U>6h)u!p!cw4!2nXG_M^)X1j^xU};7qqyGO*1KTuhQ=l>f;orHy;7gyQ2wW6 z_nrP)`6Q2&jPG4=l-Zfg=B>Nk(Zli(WX>|Okk_T$@?ILq*A4_TUs%P-D|>SNXhFpS zH*&0a&=3^x#LvvR$}LR}xg5zt`S|we)AHP0FbZ?ZEf(%`mIUqokPIZlTqOk;iEa*$ zCC#!teBZT?n}SKxPmDG!6{o~D!(08t@e#~wJ!Rf3In2ZfUh6WLB z3#qt2nb!cghfZ>R_dhzJQ{gUIJ1dfDl+Is%w3aXQ2=^W&VhTuq?@)B14yzkPj8psoaW ziX(jhvT@H`&k5FB833>_AOcU&109sxKocWkR2m*A`lq|fp!5) zoYjrw#SnZrUT0p)%fNkBl%~aL&AMg2>DO+)9h@DxRc8YiEGtw~m{e(qE;dxxSh6@u z8Dm8|zpQ?$MO;4^!5o75v@C8SPe delta 1910 zcmaKsX*3&%0)LC8?$3RBNd*B&{uprI=d6khY>#YZ0}Eii%jPLak#- z8`Ro_cBn8+YpAt}L2D^R?2KsNd-La=caHOZ-gED-d%k=7N^AydEN+VghU`suR~7+;%To%D);XDVnJ?K^;vBX81S$2Mqe;Z9sG?Ij>Kt0)-ps8O{?Ac7!Y_O2 zm3bHPe5K0&k!&kkmIQCK-KHw^$A~0zCNDrjb#;~J=Lo~UDi*a}|iwn~rRjfKAq0p)v4CcdIh!FanSizCt6aJivD>GSZ3#~Pnqa$uKE-nMY{ zaF~*-`2rIdkVe}7^i2M;WB6jpXLm5D`0f?RLD_r3t4dT-t2J?wEANYcS)F=VQhCSe zRvwINLSfzJDQ70RweJN-i#8Ov2iK)2N@mQ+UJ?j7mnn^z#W40&)|by_h?TUDX-1r% zHm3ko#uFYZbtm|Uk50kDDIC6gV`?!a>QhIgw~f}OM%Fwc0ceLv03b_&0ATkL4gX@DDA;Xut81G(ls5h)>e4yz6$J328tuJKDA}&~S=M1`dF5yc#H6oD9REat&E3+H@BoRd4t9n|k`r2hnbV;$O z6`b#$mePglFL1g5m;REy$u{SN1o}?qE`QzDI-@hL76<13!BV%qkSZQ>`g$4mMF+`3 zNGoTv{cw}Mv1RkkZg-D*Gp5rGW!odIgW`i$gYJ{kLv=F{#d| zsCbaVR8u6rcoruHrLOI$uHc@d*BQsLIewSf$#keCX`SRBEq(@S913ug|HI~Sfq&S1 zn*By;2|gPnm9Uz28IZOX(N`0yuG5L{iHwYD7QvQr@tu?rv z7hfBuKh807b)dnMs=_h!r15l2Fmq#9fk<60NB+#5pBdD*OXG|xpUt?@NXe+LuJ!6A zmOih!m}{U!j_$ziKvCPmY+bTY5g?T?Ls1e*(o!E!Ih2T|1>qZ*IHde?J{Cn>Oj9 zFhMKC{W>Z8M$WIlE5=cx`%z_rsQ`&Z*^{IEJY;YqzEAyVkl#0iCZClsxu<=ZCc8f z#8^>k&;&v4YCl=|#)9*cSrtb?15#L+;Su3+u|*&27q~^(EX^Msd9C^r$K1vagJsnVQa?DIJb(+sju&TIJQ{A3n^~UD9X*Q%v^%Xj%KJu^<-J;4j z6UCF><=-{-g8^AJiwv+>OzW+`m&HnO&|gl6t2mYF(#uci!E@&%>5J%+c>7ZIVjnwE RH{h*eiL5Z=eSp)-eH44%-O@x%(aru`L8uTciMQV_Y`>9_B7bx#d(|;$YQI9Xm0(^) zE8sM>Ph#LuaXrFxk1)heHHv9_KC^j(e&5w&YSg&ROA&tBpGfXdEZG?FcVC7862#yC z0wlBgrJN|927R=a!?5c#f;;eY6((&rMS~d9a3L4v`e|ntAl3o8-8baKu{#4BHj z>ToZx!J(VkYk$UKX&xhgm?uk@e{yjhnpv zYqYiOxq4#1Feupqxz|~m8?IGAa(sX`;!6m8`LWUz1$}Zcq(kXVk}674-Wmp-=8q#& zs)$;1ht)r+b04YlC>)b2WE9JfDRUqbKR15UP|Ncg-eH1Ve5q#yXTUI<{uC-vBcPda=VV#kYB7a7^!iDw2?N^Cr^rjc# z6yy+m+UKhbOzsaWp0&6`WqXPO;fdK+71)!RRjAn!#S&x5zkE;$!;htcIs7qHN=}G* zV_OYX(_*1xgb;{f-qzaY4IrnD#xo-MvJJ?vKeCBJy=5nrt-|NoK7VD`x299oFp4gj0iK?&(A#`Mjj2m&{HpEAh#X($Qk>x(Q2enm0RgRB zcUwEQEmUJ@^J?;-m(|n3A4kVOMoCjtt!@6^!x_@2B_QW0DT0wyU}{;LvOnAuq%kzs zB?*(2eT&ICb4A!|j1awKPwkGGq%@??whJm@O9o{MW&%MBkvu*ZG6EDyy!juc+$g2jZ}SvN zew6kYK$D{Mvb+g}T=7X{EDI8WgADk*0D+!_FK7S6crR%qLjxlVLo-7IQ?n>>UL#{9 z?!-LviN6)-wh8Gmsz{kM%L=qvF;O$vWZ)LzA;wpGi#pJxn|;O$9Xo3YqM80 zUJ8{sayw(svhOF%n7++ikuCmPuH5?cbMKv2o|^*KwK;W%J3MUb-gxcT&PVM+FZ&Kl zuI)eNTg=Gg&3R-8OT;v}nh)O1!A#7I42+9|4Hg>6vN4Cs^0A1qh;+SsI;G}VP3%?C z<#}3lXAR#4{XJnI50X}9kuVTzz^Y(!3X^JmlWg{kv#zzTFKuXCv#4(0S^vpvPH4DT zTfW-=YyOg#PeQES{v4Lmj`k3*WWKj-+N>js&ZHKkGEexpq1SoIp`WG4-*$gC%_)+w zU=nhb>KDA{7HYHSTC`Kh-5uXDOkOMAU9{q}b%dNqOK8<8=_&6z4ex$TFyFphTv&0X zq}lpI^?&LgPrX-q^*hgwt?M4de`V+BOL{)hlm#wRriM;Er zmzgivPUgQqE|6ZH!?a6DNPFVUjXpdY2VB|%CKT+fx4m@jCR0)IgCl;XU76K(n=6~@?q5yLy0YV}w_x3^ z`5x~AbZ$y~D35Pr5IS=IKap~rhY8uQQd2`hK z+;~ZZwYJD`iStX}Nm^b(_oUe7KI>NwUeys*+2AxP^nVC$&HhlZ{QasUkJ3{8gjaLyI)3Bxs#(=-`XA*PG9(!8 zK9lx%w)St$>brpnDcSj7%56G~t+gX+gReGfeC)l(xZ!%zXJ#Sk`q!1K9KT)d_BZqT zJxzym-HYJ%Pu`~{wft2LyILglc=M4U{<5lUL4)NFHj4MXm#;rEL;lXwlh^AxUl%_( zwTO2f`@4AxKeBGU+S2^~cKC^uH)k$lnm(59^P8 z{UQ6o<$J#Ig{SWx`CT}2ZMOFUM*_cCRm02VV#2TG9^Id(;tbb!sTws;@y`zmj37W z|EDvdZtsg7DQP}gOENOQ{M8ZA+OgKNw@h69j`8!=^TH(*7CrUOUwU~BkB&^shH#DYm8QPXg)=-x`Zs2&z6_h9WXqT95FYJ+ zOK9aAr9XQ0mv>%_X?^q6c*~2#Z)Y;+7CDRmTy*8nfu&w8+gBCKl99M5CmGvI~5V@&+Zg1t2T@?v#8lRXZJe}Oh?20u(PJYC! zRPVO?Q0v#jZ^Jv&zAO`eDDp(0=GODoJU;LEwdZZ!;hb9C#q_ZAW|-)W$umP&+!Q=2 zlzei3O#tWN{-sTpe+)ys{5mR=qj^IwCoN2F5$H&~ckR|QUWMho$BdPJZsI+$!G2Sx z)816|scR2C|KRJTysaZ6BTU9vCN;K{2Q?GAd7JSv9OK&FQym{*`+^%uz zUFn_mXVu%29WwFHg62Gw4fwOskdbk1ba}M(HrD+!_FK7S6crR%qLjxlVLo-7IQ?n>>UL#{9 z?!-LviN6)-wh8Gmsz{kM%L=qvF;O$vWZ)LzA;wpGi#pJxn|;O$9Xo3YqM80 zUJ8{sayw(svhOF%n7++ikuCmPuH5?cbMKv2o|^*KwK;W%J3MUb-gxcT&PVM+FZ&Kl zuI)eNTg=Gg&3R-8OT;v}nh)O1!A#7I42+9|4FU~h*_cCR`B=nQM7rKRolq`akuLr`{{Q`kiOT)^!i!zp``mrmmNBo|bb(XJ3B(njg0wgx+mZ+L)QDSY+R* z5?B!#Gb8Gy_+M|!8Rd3T)3@&x;0SU1qB{Ew=aP^~lbR0hm|gfbqN+TO%huJ*MBeq* z%gh&SC-dJQ7f3J9VcMl6q&;!wMjsxH11{|W6AE_L+g`eMQ=q8Wu!*tUpoy`ViILI3 zXW_(rQ!ys2>2vZUW~KTP&FZU$8CmUro-svg53`VBM|x9`6ElZc2P8k8fiTI&%L%lgj2_OXq0JW2@aV?eK=zCQa5K zibd6O&0U)%E)^(>KmC=NE~apeao1h*kKC`;HS`?Oj_-I?pugeZ!r3>o>yIU6$|={+ zP!B0k?+f7coH;M^#${v1%+?t7gJpMO?7EfXCVqXX&^vq2-|Q`0-|VbP+Hat7lWFJm z$XU|sLLG`~8q6MfbJYCYcu9n{w#aaa^Gn}JT3$i-q}b*@>sJn5)e%+Pe${?uvHZ$U d8Zwi$QbbPoYZfaA+nd*24mkZ;>Isu#3;=4#!At-E delta 969 zcmZqSYT=sTEn*-jSo3skbeK)@x~&Pb%e4X`66a2g_mVa+G&C|XG%++Vw2TtxH8Mov zPRui(_*2AxP^nVC$&HhlZ{QasUkJ3{8gjaLyI)3Bxs#(=-`XA*PG9(!8 zK9lx%w)St$>brpnDcSj7%56G~t+gX+gReGfeC)l(xZ!%zXJ#Sk`q!1K9KT)d_BZqT zJxzym-HYJ%Pu`~{wft2LyILglc=M4U{<5lUL4)NFHj4MXm#;rEL;lXwlh^AxUl%_( zwTO2f`@4AxKeBGU+S2^~cKC^uH)k$lnm(59^P8 z{UQ6o<$J#Ig{SWx`CT}2ZMOFUMLDI@B5(Z)oSQSi8VN$K{YDk$9AoA&tL{#B&w`B3|OC3x9^ZWnP znNYX)#g3FTpR6SrnP2|u2x#qC>)Bf-u71b(`RaM$5(d5FhwS@TDn0D;cV1I3 zH@auv%OrcfX_oZirbLdbx0K3ykAH~V)IPVj^2x4>1UHRO5)+;pHZhhPG%*%4F)|wX z=%(f=#8f02a!sDktdBLBPJYC!RPVO?Q0v#jZ^Jv&zAO`eDDp(0=GODoJU;LEwdZZ! z;hb9C#q_ZAW|-)W$umP&+!Q=2lzei3O#tWN{-sTpe+)ys{5mR=qj^IwCoN2F5$H&~ zckR|QUWMho$BdPJZsI+$!G2Sx)816|scR2C|KRJTysaZ6BTU9vCN;K{2 zQ?GAd7JSv9OK&FQym{*`+^%uzUFn_mXVu%29WwFHg62Gw4fwOskdbk1ba}M(Hr9_B7bx#d(|;$YQI9Xm0(^) zE8sM>Ph#LuaXrFxk1)heHHv9_KC^j(e&5w&YSg&ROA&tBpGfXdEZG?FcVC7862#yC z0wlBgrJN|927R=a!?5c#f;;eY6((&rMS~d9a3L4v`e|ntAl3o8-8baKu{#4BHj z>ToZx!J(VkYk$UKX&xhgm?uk@e{yjhnpv zYqYiOxq4#1Feupqxz|~m8?IGAa(sX`;!6m8`LWUz1$}Zcq(kXVk}674-Wmp-=8q#& ns)$;1ht)r+b04YlC>)b2WE9JfDRUqbKR15UP|Ncg}{ delta 289 zcmV++0p9+z1G58=eH1Ve5q#yXTUI<{uC-vBcPda=VV#kYB7a7^!iDw2?N^Cr^rjc# z6yy+m+UKhbOzsaWp0&6`WqXPO;fdK+71)!RRjAn!#S&x5zkE;$!;htcIs7qHN=}G* zV_OYX(_*1xgb;{f-qzaY4IrnD#xo-MvJJ?vKeCBJy=5nrt-|NoK7VD`x299oFp4gj0iK?&(A#`Mjj2m&{HpEAh#X($Qk>x(Q2enm0RgRB zcUwEQEmUJ@^J?;-m(|n3A4kVOMoCjtt!@6^!x_@2B_QW0DT0wyU}{;LvOnAuq%kzs nB?*(2eT&ICb4A!|j1awKPwkGGq%@??whJm@O9o{MW&%MBQ09sM diff --git a/tests/data_files/pkcs7_signerInfo_issuer_invalid_size.der b/tests/data_files/pkcs7_signerInfo_issuer_invalid_size.der index cfaac2fa78e46fa9db2efe9fbf1bb71b6519d4ab..2973ccd7e50b2f7e667d651e76d939d01fc0f287 100644 GIT binary patch delta 963 zcmZqSYT=sTEmD2&?j;wWi)a7EIIa-T>D+!_FK7S6crR%qLjxlVLo-7IQ?n>>UL#{9 z?!-LviN6)-wh8Gmsz{kM%L=qvF;O$vWZ)LzA;wpGi#pJxn|;O$9Xo3YqM80 zUJ8{sayw(svhOF%n7++ikuCmPuH5?cbMKv2o|^*KwK;W%J3MUb-gxcT&PVM+FZ&Kl zuI)eNTg=Gg&3R-8OT;v}nh)O1!A#7I42+9|4FU~h*_cCR`B=nQM7rKRolq`akuLr`{{Q`kiOT)^!i!zp``mrmmNBo|bb(XJ3B(njg0wgx+mZ+L)QDSY+R* z5?B!#Gb8Gy_+M|!8Rd3T)3@&x;0SU1qB{Ew=aP^~lbR0hm|gfbqN+TO%huJ*MBeq* z%gh&SC-dJQ7f3J9VcMl6q&;!wMjsxH11{|W6AE_L+g`eMQ?RJmu!*tUpoy`ViILI3 z$G~)Afr%Is)&x5F5wlW#iDvax!;Gx`PFtoX#JOreFxl##^dO+n_E1T`!4W^xuFPt? z&6Q1c_pc^rUDl%8FXvcTFD$w6>aN+Em+4aYgGUb%( zXQ+o1sP_eMdd{4edE>G%V`giN`oXe0F?QX`aTCA3ROp?(=Wq6wt#5W#CG9uRxXHBh zdgLtWb)gPLH4SEuyg6!qZoDMIT3cke#QCM~BrUI?ds1w3pYg&S}7u@`!$Odgze4iE(e_cEcJv*F$Mr&G{F%7 delta 970 zcmZqSYT=sTEn*-jSo3skbeK)@x~&Pb%e4X`66a2g_mVa+G&C|XG%++Vw2TtxH8Mov zPRui(_*2AxP^nVC$&HhlZ{QasUkJ3{8gjaLyI)3Bxs#(=-`XA*PG9(!8 zK9lx%w)St$>brpnDcSj7%56G~t+gX+gReGfeC)l(xZ!%zXJ#Sk`q!1K9KT)d_BZqT zJxzym-HYJ%Pu`~{wft2LyILglc=M4U{<5lUL4)NFHj4MXm#;rEL;lXwlh^AxUl%_( zwTO2f`@4AxKeBGU+S2^~cKC^uH)k$lnm(59^P8 z{UQ6o<$J#Ig{SWx`CT}2ZMOFUMLDI@B5(Z)oSQSi8VN$K{YDk$9AoA&tL{#B&w`B3|OC3x9^ZWnP znNYX)#g3FTpR6SrnP2|u2x#qC>)Bf-u71b(`RaM$5(d5FhwS@TDn0D;cV1I3 zH@auv%OrcfX_oZirbLdbx0K3ykAH~V)IPVj^2x4>1UHROk`ta9HZhhPG%*%4F)|wX z80eC-Np2<^JbXnjma}ZSKJglDwKS3e@y`A;r^vfmVXRGy!<*UlcRY*r_Qk?8Ulx4Tpi6HiRsub^=H-FlN~bg&w}PWlnwZ^(U6gGZFG6G^)}s* zrph^a mYHjyP%VO6X**yY#Q~cld&0J!#D+!_FK7S6crR%qLjxlVLo-7IQ?n>>UL#{9 z?!-LviN6)-wh8Gmsz{kM%L=qvF;O$vWZ)LzA;wpGi#pJxn|;O$9Xo3YqM80 zUJ8{sayw(svhOF%n7++ikuCmPuH5?cbMKv2o|^*KwK;W%J3MUb-gxcT&PVM+FZ&Kl zuI)eNTg=Gg&3R-8OT;v}nh)O1!A#7I42+9|4FU~h*_cCR`B=nQM7rKRolq`akuLr`{{Q`kiOT)^!i!zp``mrmmNBo|bb(XJ3B(njg0wgx+mZ+L)QDSY+R* z5?B!#Gb8Gy_+M|!8Rd3T)3@&x;0SU1qB{Ew=aP^~lbR0hm|gfbqN+TO%huJ*MBeq* z%gh&SC-dJQ7f3J9VcMl6q&;!wMjsxH11{|W6AE_L+g`eMlc}h9awoHks3^7+Ir$N@ zQhkYL^;N@+to=?~rY6L>YCka9>Ywx=pwRYENx#7nKhv(vYP-#qO?CILCTCsQan@U~ z?$&&dcL6##B|enLw=oDEx&NO@W%IA4b2R3$)oz(~c*ARxChHHyqH4M3uFVpc3KYek z{>n@jQ@F;s>#q4n?pNy?dX8wvcf2al-*9l@?3>y3$C5JTl5q#yXTUI<{uC-vBcPda=VV#j*N*gdSF)}nUG%+wSIa(JD zGBGhRGBhzXF)%SXT9Ixyk^3Nj$LdESmqw@LkML84Yw&QV@2bS&W@Szjs|dQs*z>BI zdxkIZ9{^|=0Nv&rNan5me5>72U}S4=^mjanGdn9-eN)weDDjQf0kGF%^8*qaf9rXw zLH5;)Pc};XmMjUb=u?OCOUjaj{Uuh_auVaS#8MA-dTS9dr{J*{j_)6T#F!u4<;mB7 z3F~v<%AyUP2kxFA_-fkfw1e;4SIA_?&x1Fe5UW#+cP%Xa72dkJSR1{ghM4{D$BwIx zyS+jP#~}EE3nBIW*)ZV-7Ez;0CQAu);B1EQUU}VWXZMPwmN%AS41SGN{Zvixug3NG z9q>f=Z!^&4?&40+#MYZjpg{ry0RRD`Q!r659R>qc9S#H*1QcCe-=WfT-duMjn9KB$ zWcwyscL^{b1_Mv$kqUB3( zrPHhoEF6TeR}!(S_-S#%;(|Rc{641;HGB4PgCFxd_ zB0UamKv!E&+7hYkBK$6Y)49=Hh3xe+wCG{>%xRr+Ll^m?)cnAuN`$vWZ`s@vVr09g zhx?zUaZzlRBHT8Oylveaj)Yjb_ilOyv6xwItA-W|jNlPH`~Xs-8`eC0t@s`9>LiQ@ zpSjj2cQW2TjRGClf|?t{f?){N+9Gz1$M9LQhn20 ziY}P}o}RAI+k8TesY`17s_n^$9AD;AoZ%f%{IM|s0j*niTRXNbRAXrKYVx3$)ziTr zN5?-#NmEp Date: Fri, 28 Oct 2022 12:28:54 -0500 Subject: [PATCH 26/35] pkcs7: Respond to feeback on parsing logic After recieving review on the pkcs7 parsing functions, attempt to use better API's, increase consisitency and use better documentation. The changes are in response to the following comments: - use mbedtls_x509_crt_parse_der instead of mbedtls_x509_crt_parse [1] - make lack of support for authenticatedAttributes more clear [2] - increment pointer in pkcs7_get_content_info_type rather than after [3] - rename `start` to `p` for consistency in mbedtls_pkcs7_parse_der [4] [1] https://github.com/Mbed-TLS/mbedtls/pull/3431#discussion_r992509630 [2] https://github.com/Mbed-TLS/mbedtls/pull/3431#discussion_r992562450 [3] https://github.com/Mbed-TLS/mbedtls/pull/3431#discussion_r992741877 [4] https://github.com/Mbed-TLS/mbedtls/pull/3431#discussion_r992754103 Signed-off-by: Nick Child --- include/mbedtls/pkcs7.h | 3 +++ library/pkcs7.c | 27 ++++++++++++++------------- 2 files changed, 17 insertions(+), 13 deletions(-) diff --git a/include/mbedtls/pkcs7.h b/include/mbedtls/pkcs7.h index 9486c7153..2a557bfad 100644 --- a/include/mbedtls/pkcs7.h +++ b/include/mbedtls/pkcs7.h @@ -38,6 +38,9 @@ * - The RFC specifies the Signed Data type can contain * certificate-revocation lists (crls). This implementation has no support * for crls so it is assumed to be an empty list. + * - The RFC allows for SignerInfo structure to optionally contain + * unauthenticatedAttributes and authenticatedAttributes. In Mbed TLS it is + * assumed these fields are empty. */ #ifndef MBEDTLS_PKCS7_H diff --git a/library/pkcs7.c b/library/pkcs7.c index 56b6bb617..ab7bebdf2 100644 --- a/library/pkcs7.c +++ b/library/pkcs7.c @@ -126,6 +126,7 @@ static int pkcs7_get_content_info_type( unsigned char **p, unsigned char *end, pkcs7->tag = MBEDTLS_ASN1_OID; pkcs7->len = len; pkcs7->p = *p; + *p += len; out: return( ret ); @@ -197,8 +198,7 @@ static int pkcs7_get_certificates( unsigned char **p, unsigned char *end, int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; size_t len1 = 0; size_t len2 = 0; - unsigned char *end_set, *end_cert; - unsigned char *start = *p; + unsigned char *end_set, *end_cert, *start; if( ( ret = mbedtls_asn1_get_tag( p, end, &len1, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_CONTEXT_SPECIFIC ) ) != 0 ) @@ -235,7 +235,7 @@ static int pkcs7_get_certificates( unsigned char **p, unsigned char *end, } *p = start; - if( ( ret = mbedtls_x509_crt_parse( certs, *p, len1 ) ) < 0 ) + if( ( ret = mbedtls_x509_crt_parse_der( certs, *p, len1 ) ) < 0 ) { ret = MBEDTLS_ERR_PKCS7_INVALID_CERT; goto out; @@ -289,6 +289,8 @@ out: * [1] IMPLICIT Attributes OPTIONAL, * Returns 0 if the signerInfo is valid. * Return negative error code for failure. + * Structure must not contain vales for authenticatedAttributes + * and unauthenticatedAttributes. **/ static int pkcs7_get_signer_info( unsigned char **p, unsigned char *end, mbedtls_pkcs7_signer_info *signer ) @@ -335,6 +337,8 @@ static int pkcs7_get_signer_info( unsigned char **p, unsigned char *end, if( ret != 0 ) goto out; + /* Asssume authenticatedAttributes is nonexistent */ + ret = pkcs7_get_digest_algorithm( p, end_signer, &signer->sig_alg_identifier ); if( ret != 0 ) goto out; @@ -510,8 +514,6 @@ static int pkcs7_get_signed_data( unsigned char *buf, size_t buflen, goto out; } - p = p + signed_data->content.oid.len; - /* Look for certificates, there may or may not be any */ mbedtls_x509_crt_init( &signed_data->certs ); ret = pkcs7_get_certificates( &p, end_set, &signed_data->certs ); @@ -548,7 +550,7 @@ out: int mbedtls_pkcs7_parse_der( mbedtls_pkcs7 *pkcs7, const unsigned char *buf, const size_t buflen ) { - unsigned char *start; + unsigned char *p; unsigned char *end; size_t len = 0; int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; @@ -561,17 +563,17 @@ int mbedtls_pkcs7_parse_der( mbedtls_pkcs7 *pkcs7, const unsigned char *buf, } /* make an internal copy of the buffer for parsing */ - pkcs7->raw.p = start = mbedtls_calloc( 1, buflen ); + pkcs7->raw.p = p = mbedtls_calloc( 1, buflen ); if( pkcs7->raw.p == NULL ) { ret = MBEDTLS_ERR_PKCS7_ALLOC_FAILED; goto out; } - memcpy( start, buf, buflen ); + memcpy( p, buf, buflen ); pkcs7->raw.len = buflen; - end = start + buflen; + end = p + buflen; - ret = pkcs7_get_content_info_type( &start, end, &pkcs7->content_type_oid ); + ret = pkcs7_get_content_info_type( &p, end, &pkcs7->content_type_oid ); if( ret != 0 ) { len = buflen; @@ -596,14 +598,13 @@ int mbedtls_pkcs7_parse_der( mbedtls_pkcs7 *pkcs7, const unsigned char *buf, } isoidset = 1; - start = start + pkcs7->content_type_oid.len; - ret = pkcs7_get_next_content_len( &start, end, &len ); + ret = pkcs7_get_next_content_len( &p, end, &len ); if( ret != 0 ) goto out; try_data: - ret = pkcs7_get_signed_data( start, len, &pkcs7->signed_data ); + ret = pkcs7_get_signed_data( p, len, &pkcs7->signed_data ); if ( ret != 0 ) goto out; From 5f39767495331edc29417c52e55f06a0ab665d41 Mon Sep 17 00:00:00 2001 From: Nick Child Date: Fri, 28 Oct 2022 12:38:41 -0500 Subject: [PATCH 27/35] pkcs7: Fix imports Respond to feedback about duplicate imports[1] and new import style [2]. [1] https://github.com/Mbed-TLS/mbedtls/pull/3431#discussion_r991355485 [2] https://github.com/Mbed-TLS/mbedtls/pull/3431#pullrequestreview-1138745361 Signed-off-by: Nick Child --- library/pkcs7.c | 9 --------- 1 file changed, 9 deletions(-) diff --git a/library/pkcs7.c b/library/pkcs7.c index ab7bebdf2..7976a0b3a 100644 --- a/library/pkcs7.c +++ b/library/pkcs7.c @@ -34,17 +34,8 @@ #include #endif -#if defined(MBEDTLS_PLATFORM_C) #include "mbedtls/platform.h" #include "mbedtls/platform_util.h" -#else -#include -#include -#define mbedtls_free free -#define mbedtls_calloc calloc -#define mbedtls_printf printf -#define mbedtls_snprintf snprintf -#endif #if defined(MBEDTLS_HAVE_TIME) #include "mbedtls/platform_time.h" From 3951a4f3ada028d08e50d32ab837f0a226afd0b0 Mon Sep 17 00:00:00 2001 From: Nick Child Date: Mon, 31 Oct 2022 09:17:15 -0500 Subject: [PATCH 28/35] pkcs7: Use better error codes Remove an unnecessary debug print (whoops). Use new error code for when the x509 is expired. When there are no signers return invalid certificate. Signed-off-by: Nick Child Co-authored-by: Dave Rodgman Signed-off-by: Nick Child --- include/mbedtls/pkcs7.h | 1 + library/pkcs7.c | 5 ++--- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/include/mbedtls/pkcs7.h b/include/mbedtls/pkcs7.h index 2a557bfad..52895ac2b 100644 --- a/include/mbedtls/pkcs7.h +++ b/include/mbedtls/pkcs7.h @@ -69,6 +69,7 @@ #define MBEDTLS_ERR_PKCS7_BAD_INPUT_DATA -0x5700 /**< Input invalid. */ #define MBEDTLS_ERR_PKCS7_ALLOC_FAILED -0x5780 /**< Allocation of memory failed. */ #define MBEDTLS_ERR_PKCS7_VERIFY_FAIL -0x5800 /**< Verification Failed */ +#define MBEDTLS_ERR_PKCS7_CERT_DATE_INVALID -0x5880 /**< The PKCS7 date issued/expired dates are invalid */ /* \} name */ /** diff --git a/library/pkcs7.c b/library/pkcs7.c index 7976a0b3a..ca0170a6d 100644 --- a/library/pkcs7.c +++ b/library/pkcs7.c @@ -630,15 +630,14 @@ static int mbedtls_pkcs7_data_or_hash_verify( mbedtls_pkcs7 *pkcs7, if( pkcs7->signed_data.no_of_signers == 0 ) { - ret = MBEDTLS_ERR_PKCS7_VERIFY_FAIL; + ret = MBEDTLS_ERR_PKCS7_INVALID_CERT; goto out; } if( mbedtls_x509_time_is_past( &cert->valid_to ) || mbedtls_x509_time_is_future( &cert->valid_from )) { - printf("EXPRED\n"); - ret = MBEDTLS_ERR_PKCS7_VERIFY_FAIL; + ret = MBEDTLS_ERR_PKCS7_CERT_DATE_INVALID; goto out; } From fc234b7b52af978e0bff0c79a8f685bf9ab839b0 Mon Sep 17 00:00:00 2001 From: Nick Child Date: Wed, 2 Nov 2022 15:23:39 -0500 Subject: [PATCH 29/35] test/pkcs7: Add Windows CRLF EOF to data files Windows tests are failing pkcs7 verification due to differnt line endings. Therefore, add make instuctions for building the data files with Windows EOF instead. As a result, regenerate other data files so that verification works. Add these CRLF EOF files to the exception in check_files to ignore the line endings. Signed-off-by: Nick Child --- tests/data_files/Makefile | 8 ++++++++ tests/data_files/pkcs7_data.bin | 2 +- tests/data_files/pkcs7_data_1.bin | 2 +- .../data_files/pkcs7_data_cert_encrypted.der | Bin 452 -> 452 bytes .../pkcs7_data_cert_signed_sha1.der | Bin 1276 -> 1276 bytes .../pkcs7_data_cert_signed_sha256.der | Bin 1284 -> 1284 bytes .../pkcs7_data_cert_signed_sha512.der | Bin 1284 -> 1284 bytes .../data_files/pkcs7_data_cert_signed_v2.der | Bin 1284 -> 1284 bytes .../pkcs7_data_cert_signeddata_sha256.der | Bin 1265 -> 1265 bytes .../pkcs7_data_multiple_certs_signed.der | Bin 2504 -> 2504 bytes .../data_files/pkcs7_data_multiple_signed.der | Bin 810 -> 810 bytes .../data_files/pkcs7_data_signed_badcert.der | Bin 1284 -> 1284 bytes .../pkcs7_data_signed_badsigner.der | Bin 1284 -> 1284 bytes .../pkcs7_data_without_cert_signed.der | Bin 435 -> 435 bytes .../pkcs7_signerInfo_issuer_invalid_size.der | Bin 1284 -> 1284 bytes .../pkcs7_signerInfo_serial_invalid_size.der | Bin 1284 -> 1284 bytes tests/scripts/check_files.py | 1 + tests/suites/test_suite_pkcs7.function | 2 +- 18 files changed, 12 insertions(+), 3 deletions(-) diff --git a/tests/data_files/Makefile b/tests/data_files/Makefile index b92944ac2..581de256f 100644 --- a/tests/data_files/Makefile +++ b/tests/data_files/Makefile @@ -1136,6 +1136,14 @@ pkcs7_test_cert_1 = pkcs7-rsa-sha256-1.crt pkcs7_test_cert_2 = pkcs7-rsa-sha256-2.crt pkcs7_test_file = pkcs7_data.bin +$(pkcs7_test_file): + echo -e "Hello\xd" > $@ +all_final += $(pkcs7_test_file) + +pkcs7_data_1.bin: + echo -e "2\xd" > $@ +all_final += pkcs7_data_1.bin + # Generate signing cert pkcs7-rsa-sha256-1.crt: $(OPENSSL) req -x509 -subj="/C=NL/O=PKCS7/CN=PKCS7 Cert 1" -sha256 -nodes -days 365 -newkey rsa:2048 -keyout pkcs7-rsa-sha256-1.key -out pkcs7-rsa-sha256-1.crt diff --git a/tests/data_files/pkcs7_data.bin b/tests/data_files/pkcs7_data.bin index e965047ad..40ee26477 100644 --- a/tests/data_files/pkcs7_data.bin +++ b/tests/data_files/pkcs7_data.bin @@ -1 +1 @@ -Hello +Hello diff --git a/tests/data_files/pkcs7_data_1.bin b/tests/data_files/pkcs7_data_1.bin index 0cfbf0888..78c6baefd 100644 --- a/tests/data_files/pkcs7_data_1.bin +++ b/tests/data_files/pkcs7_data_1.bin @@ -1 +1 @@ -2 +2 diff --git a/tests/data_files/pkcs7_data_cert_encrypted.der b/tests/data_files/pkcs7_data_cert_encrypted.der index 763057d9e5eb7be478369ddaba4f227fbe94afee..b7b1c8331d7899a34c9abbc490fa8c4ab99bdd7a 100644 GIT binary patch delta 327 zcmV-N0l5Ce1H=Q6hJPE)4$EW?YqVdyJBdo8YIJN>@8BewJ9eM(4TYQQ9aJ%WnUhyT zu0wBXZAF(k)I=bfF&5Ngz4bntvBK`xfT>mKybF-i-VB{>XNRj_cMi`4q@dCXz|Q&a zUJ|2R1i6f_!mF56I>Vux-a@^!)qyZuS-crr7VqJeUl8=F@qfv%I;dNga5n+37D`p! zlMd~E)f0Vp%djr-#fG0}hO1!^>Uiy#0a{Kx80qW57A*pdd&Wf!6j5qlP^A5wG-0f; z|D7(H$zIIf1}|8b96=X*BtwW|+GPG(DYijRe8cy@LQ7h5t>bS!?@<`yH5dmoWeU delta 327 zcmV-N0l5Ce1H=Q6hJQ-Tx?Q-lfoV9)#(TQgCqeV@4tPO1&1tm13K>?sDR&@`&2;zq zr5b(IZ;8P9uP7ZhV};5Nx$P4TQ~I`OP-JZVFRwH$$g#@GLhNsw7*u)5+$5;%u?lI* z7{f#jt%@Bd*gWd-Mfq+qY7!9F!t%(f_BmMLJc+}gPe-SXVlKe-8=>1~dR{fL1YSk2nD0zG z1e1lidjeML9yt-&lcdkej*zP>Dvpa!;p-i({!UoRGkSWHP_PS{49*_fNF&2ebMTFu za%v$Ei*vw1bh%2l|Mv>FqOyh&-GTi&S#ZbEYa0&xp0+K0aLL7Hh7cW4f# zURfNN9epg{Ht*AKLnMtAH$e)jo`R1nP)0NcVMtOkw3hYdzCOt!YerQGGW1m{oBRn zm8U~%`C1I$PK8v5^MvUh3AZkwyfqsS&?zHlgr}nOEDx;tzGEP+vx+-qhFKS`eENmc QzTmdm((B?;p`Da(~G6eTla5aa}3e+TdY?AzX>u*U!F`1s)FqsZdS94=7(pdfic4sx2 z+HcM^&8>GPpt}N0t(j|x;LDhWOzT_=ZpTR3`Oa!=)Hj8Tthf|miYG7gq!q^Ce?736 Qhj;z#gj$!seGmdI&|Q3faR2}S delta 266 zcmV+l0rmcb3WN%<1O$I{DSOp1XllPgw3T39MJwPmwNGN;P;ouNbdNB^PBn^Ydp@&y zf_~rCV`|j6%}Wt}+Mh`7P%POP@ONK^020LC{{kel`lXyGo(6rimcy{?G=e+ua}_3S zH${UO(r_Uc<@#x779iFEy4^SN3+k?bjKnKni0W`Ju)(35*=v8sVrd>Df0!p!a3_vX z2}zlrY1q><0cnL?C&6~yTt156{cE(f?74bkzc47-0=d^&nj5ZFKyrM5 zHsVVNeEG4`6a{^9F{DH3O_C}~Qr;Q{o#u}tQ>utsbBEPGsdFEx@+cgWDr6MPk12B? Q6F)b8(@@Lv8sq{YTw`H;SO5S3 diff --git a/tests/data_files/pkcs7_data_cert_signed_sha512.der b/tests/data_files/pkcs7_data_cert_signed_sha512.der index 41849a943e54d4d08d0d1fdf9926f2c362fc986b..a4aa5875876de0170637190fe7e71da8bbd73ee6 100644 GIT binary patch delta 266 zcmV+l0rmcb3WN%<1O$IWxkRl)AS@Ao`ZoC;w%Vw76Q@b>Y0K5Kn{oXNP?Z`kesT;a zS>3BVN*QzSsoHr?1a0hzYtmYDw`udB8*#cr{u_NkM3rg=X|Sx+S(J*|A5FG3oOAgX zlH33xWKdE&+j*Q=1MuH4HlHEM-1CF|CQB1y%^Cs-#q@rC7a2eEB$hG&@m*)d1L9~p0fgJ|V- zKO|i_bomi{{JOd>3kGR5rUG7x`4Ga|@9gGRv&UU!Yx*EkquOUVOYzOxLul+8bbZkT ziFpTB$xFfP$=qBrsd#NQGF+4~^!v9I(F*JY9sy0<5=oE7T*-fjZ>o1=(l$1Be=Ak% z_-J$l*M6RG>)wY-UcvnHTBRpm{*ri57_CijJ&)Wb7bfqnpxZgQJEW?^!E!T{}_UWl>h($ diff --git a/tests/data_files/pkcs7_data_cert_signed_v2.der b/tests/data_files/pkcs7_data_cert_signed_v2.der index befd17c190253d2fc76833b5f6cc60b6a2742a2c..4f4cb047e079c550dc063ef53425dce81a5e31a3 100644 GIT binary patch delta 266 zcmV+l0rmcb3WN%<1O$Iu?AURY!QTIn!c37Sn^m*$X}ls_GHfwS8c}#}{uIbCzD`TW zJi0c?c6YQvXeXQL9(>B?;p`Da(~G6eTla5aa}3e+TdY?AzX>u*U!F`1s)FqsZdS94=7(pdfic4sx2 z+HcM^&8>GPpt}N0t(j|x;LDhWOzT_=ZpTR3`Oa!=)Hj8Tthf|miYG7gq!q^Ce?736 Qhj;z#gj$!seGmdI&|Q3faR2}S delta 266 zcmV+l0rmcb3WN%<1O$I{DSOp1XllPgw3T39MJwPmwNGN;P;ouNbdNB^PBn^Ydp@&y zf_~rCV`|j6%}Wt}+Mh`7P%POP@ONK^020LC{{kel`lXyGo(6rimcy{?G=e+ua}_3S zH${UO(r_Uc<@#x779iFEy4^SN3+k?bjKnKni0W`Ju)(35*=v8sVrd>Df0!p!a3_vX z2}zlrY1q><0cnL?C&6~yTt156{cE(f?74bkzc47-0=d^&nj5ZFKyrM5 zHsVVNeEG4`6a{^9F{DH3O_C}~Qr;Q{o#u}tQ>utsbBEPGsdFEx@+cgWDr6MPk12B? Q6F)b8(@@Lv8sq{YTw`H;SO5S3 diff --git a/tests/data_files/pkcs7_data_cert_signeddata_sha256.der b/tests/data_files/pkcs7_data_cert_signeddata_sha256.der index 85ea9f9fc1f29c7a68936a17ddf3825f10e9636f..cb7d75103daf5ed7cbaf0e2201458ca7c1fad8cf 100644 GIT binary patch delta 266 zcmV+l0rmdz3GoTA@dJNb?AURY!QTIn!c37Sn^m*$X}ls_GHfwS8c}#}{uIbCzD`TW zJi0c?c6YQvXeXQL9(>B?;p`Da(~G6eTla5aa}3e+TdY?AzX>u*U!F`1s)FqsZdS94=7(pdfic4sx2 z+HcM^&8>GPpt}N0t(j|x;LDhWOzT_=ZpTR3`Oa!=)Hj8Tthf|miYG7gq!q^Ce?736 Qhj;z#gj$!seGmdI&@It`H2?qr delta 266 zcmV+l0rmdz3GoTA@dJN!DSOp1XllPgw3T39MJwPmwNGN;P;ouNbdNB^PBn^Ydp@&y zf_~rCV`|j6%}Wt}+Mh`7P%POP@ONK^020LC{{kel`lXyGo(6rimcy{?G=e+ua}_3S zH${UO(r_Uc<@#x779iFEy4^SN3+k?bjKnKni0W`Ju)(35*=v8sVrd>Df0!p!a3_vX z2}zlrY1q><0cnL?C&6~yTt156{cE(f?74bkzc47-0=d^&nj5ZFKyrM5 zHsVVNeEG4`6a{^9F{DH3O_C}~Qr;Q{o#u}tQ>utsbBEPGsdFEx@+cgWDr6MPk12B? Q6F)b8(@@Lv8sq{YTr;+Q8~^|S diff --git a/tests/data_files/pkcs7_data_multiple_certs_signed.der b/tests/data_files/pkcs7_data_multiple_certs_signed.der index 69371ae202cfa21a20a1dfdaf11e115c4daa4ffa..4a237e9d145e0f4afedd8c3bcffb3bf146f96c4a 100644 GIT binary patch delta 529 zcmV+s0`C3D6UY;=Q3rop?AURY!QTIn!c37Sn^m*$X}ls_GHfwS8c}#}{uIbCzD`TW zJi0c?c6YQvXeXQL9(>B?;p`Da(~G6eTla5aa}3e+TdY?AzX>u*U!F`1s)FqsZdS94=7(pdfic4sx2 z+HcM^&8>GPpt}N0t(j|x;LDhWOzT_=ZpTR3`Oa!=)Hj8Tthf|miYG7gq!q^Ce?736 zhj;z#gj$!seGmdI(34RJcYg$6nA~40nd7`J)?_Vz3SsZ7!CW}UV>7(W?(R04PfAvsza}k$w!Zp1P85JQYK(t8eSRuudAsp~VycCG=)wvTwxZ6C zO@A@n8yQoQ&tZkH&NQ#!Se6BQHtDf(w#I(f!YFLNs6Y6jXUDv834gBV*Wr+x(}er{ zVUv#hr5uTq#~rg5a}O5h=XQpAM%V`rkvs<*Z_WQzcHy4B6` z;Fmz`YDF9WQ%?FJP@g-edw~JD9;fA9+x`>*QE+G1uo@}|dGLr_iAsmhwv0`F=#XGY Tfv&lHBGL0V?~*Df0!p!a3_vX z2}zlrY1q><0cnL?C&6~yTt156{cE(f?74bkzc47-0=d^&nj5ZFKyrM5 zHsVVNeEG4`6a{^9F{DH3O_C}~Qr;Q{o#u}tQ>utsbBEPGsdFEx@+cgWDr6MPk12B? z6F)b8(@@Lv8sq{YT$51&2C4>-vwvIc*m0G?-v5xoOpzv=RkQGEydqpOY%xq4QFw3u6v!~XPD{r; zx;DvnceFuhC!6UWeBXQ-IBMb;VsV`lqoDurfIUVDV)D(XHxz`2GE&3W1x>gVJ}U?s zI2P>)1jZ%ITknV#A(nGR1^b7L;jSpEWbXEmAH zZ_YK%t#>A%y8=wDnQMsP%b0~s>s$+N$4J@v&T4GbH-(F=xD;WECol7)6~^FyJ+PRE zcm3>yT9?0l5CSdGkvu+=@c}u11YnrlUn`m8ye`&cEq@AO@2kOFILBi%yv*+IHkwaL zTivMYStdaw{DDDrb4S@q%Kig?;G43KF)W z&W=rgG2I&(Qv2nJ>e%Hb%Y`>^K_@QUVym1MCuIJa`kekzl z`}|>(j{Kz@iIc}2vlnv@7U$=7hI-`v#bVa+UFC)6xlZ(!qi17hqRXncwl-vo0Cu|7 z&GF!uK&2C4>-vww6cd(|;$YQI9Xm0(^)E8sM>Ph#LuaXrFxk1)heHHv9_KC^j( ze&5w&YSg&ROA&tBpGfXdEZG?FcVC7862#yC0wlBgrJN|927R=a!?5c#f;;eY6((&r zMS~d9a3L4v`e|ntAl3o8-8baKu{#4BHj>ToZx!J(VkYk$UKX&xhgm?uk@e{yjhnpvYqYiOxq4#1Feupqxz|~m8?IGAa(sX` z;!6m8`LWUz1$}Zcq(kXVk}674-Wmp-=8q#&s)$;1ht)r+b04YlC>)b2WE9JfDRUqb zKR15UP|NcgZN{+F&q)V$;=K`E_uLJ=BpwhMP|$yp+n#k}G+}v0`4NNxU>SQKtjF zhGLsqxx*LkZB9X4AHb?>SEMlbakt^j9y0a5wBlO9B?;p`Da(~G6eTla5aa}3e+TdY?AzX>u*U!F`1s)FqsZdS94=7(pdfic4sx2 z+HcM^&8>GPpt}N0t(j|x;LDhWOzT_=ZpTR3`Oa!=)Hj8Tthf|miYG7gq!q^Ce?736 Qhj;z#gj$!seGmdI&|Q3faR2}S delta 266 zcmV+l0rmcb3WN%<1O$I{DSOp1XllPgw3T39MJwPmwNGN;P;ouNbdNB^PBn^Ydp@&y zf_~rCV`|j6%}Wt}+Mh`7P%POP@ONK^020LC{{kel`lXyGo(6rimcy{?G=e+ua}_3S zH${UO(r_Uc<@#x779iFEy4^SN3+k?bjKnKni0W`Ju)(35*=v8sVrd>Df0!p!a3_vX z2}zlrY1q><0cnL?C&6~yTt156{cE(f?74bkzc47-0=d^&nj5ZFKyrM5 zHsVVNeEG4`6a{^9F{DH3O_C}~Qr;Q{o#u}tQ>utsbBEPGsdFEx@+cgWDr6MPk12B? Q6F)b8(@@Lv8sq{YTw`H;SO5S3 diff --git a/tests/data_files/pkcs7_data_signed_badsigner.der b/tests/data_files/pkcs7_data_signed_badsigner.der index aff1448728d2d6f7dd2cf447251fe08cf7ac28e8..aa5447c44d27f7f4ccb8239e0598699a0055f9db 100644 GIT binary patch delta 266 zcmV+l0rmcb3WN%<1O$Iu?AURY!QTIn!c37Sn^m*$X}ls_GHfwS8c}#}{uIbCzD`TW zJi0c?c6YQvXeXQL9(>B?;p`Da(~G6eTla5aa}3e+TdY?AzX>u*U!F`1s)FqsZdS94=7(pdfic4sx2 z+HcM^&8>GPpt}N0t(j|x;LDhWOzT_=ZpTR3`Oa!=)Hj8Tthf|miYG7gq!q^Ce?736 Qhj;z#gj$!seGmdI&|Q3faR2}S delta 266 zcmV+l0rmcb3WN%<1O$I{DSOp1XllPgw3T39MJwPmwNGN;P;ouNbdNB^PBn^Ydp@&y zf_~rCV`|j6%}Wt}+Mh`7P%POP@ONK^020LC{{kel`lXyGo(6rimcy{?G=e+ua}_3S zH${UO(r_Uc<@#x779iFEy4^SN3+k?bjKnKni0W`Ju)(35*=v8sVrd>Df0!p!a3_vX z2}zlrY1q><0cnL?C&6~yTt156{cE(f?74bkzc47-0=d^&nj5ZFKyrM5 zHsVVNeEG4`6a{^9F{DH3O_C}~Qr;Q{o#u}tQ>utsbBEPGsdFEx@+cgWDr6MPk12B? Q6F)b8(@@Lv8sq{YTw`H;SO5S3 diff --git a/tests/data_files/pkcs7_data_without_cert_signed.der b/tests/data_files/pkcs7_data_without_cert_signed.der index dbff326ad33bb0fbedf6716cfa01f015537a8572..b47fe927e5b427158e0d5f27002e6e1ca885dd63 100644 GIT binary patch delta 265 zcmV+k0rvj01G58=vwvIc*m0G?-v5xoOpzv=RkQGEydqpOY%xq4QFw3u6v!~XPD{r; zx;DvnceFuhC!6UWeBXQ-IBMb;VsV`lqoDurfIUVDV)D(XHxz`2GE&3W1x>gVJ}U?s zI2P>)1jZ%ITknV#A(nGR1^b7L;jSpEWbXEmAH zZ_YK%t#>A%y8=wDnQMsP%b0~s>s$+N$4J@v&T4GbH-(F=xD;WECol7)6~^FyJ+PRE Pcm3>yT9?0l5CSdGJ5+y6 delta 265 zcmV+k0rvj01G58=vww6cd(|;$YQI9Xm0(^)E8sM>Ph#LuaXrFxk1)heHHv9_KC^j( ze&5w&YSg&ROA&tBpGfXdEZG?FcVC7862#yC0wlBgrJN|927R=a!?5c#f;;eY6((&r zMS~d9a3L4v`e|ntAl3o8-8baKu{#4BHj>ToZx!J(VkYk$UKX&xhgm?uk@e{yjhnpvYqYiOxq4#1Feupqxz|~m8?IGAa(sX` z;!6m8`LWUz1$}Zcq(kXVk}674-Wmp-=8q#&s)$;1ht)r+b04YlC>)b2WE9JfDRUqb PKR15UP|NcgB?;p`Da(~G6eTla5aa}3e+TdY?AzX>u*U!F`1s)FqsZdS94=7(pdfic4sx2 z+HcM^&8>GPpt}N0t(j|x;LDhWOzT_=ZpTR3`Oa!=)Hj8Tthf|miYG7gq!q^Ce?736 Qhj;z#gj$!seGmdI&|Q3faR2}S delta 266 zcmV+l0rmcb3WN%<1O$I{DSOp1XllPgw3T39MJwPmwNGN;P;ouNbdNB^PBn^Ydp@&y zf_~rCV`|j6%}Wt}+Mh`7P%POP@ONK^020LC{{kel`lXyGo(6rimcy{?G=e+ua}_3S zH${UO(r_Uc<@#x779iFEy4^SN3+k?bjKnKni0W`Ju)(35*=v8sVrd>Df0!p!a3_vX z2}zlrY1q><0cnL?C&6~yTt156{cE(f?74bkzc47-0=d^&nj5ZFKyrM5 zHsVVNeEG4`6a{^9F{DH3O_C}~Qr;Q{o#u}tQ>utsbBEPGsdFEx@+cgWDr6MPk12B? Q6F)b8(@@Lv8sq{YTw`H;SO5S3 diff --git a/tests/data_files/pkcs7_signerInfo_serial_invalid_size.der b/tests/data_files/pkcs7_signerInfo_serial_invalid_size.der index 2db359072b44bcabbecbc1d0cae2c647c2406131..f4b4e384dbfc145a6c0382f71b51c8718701eb1c 100644 GIT binary patch delta 266 zcmV+l0rmcb3WN%<1O$Iu?AURY!QTIn!c37Sn^m*$X}ls_GHfwS8c}#}{uIbCzD`TW zJi0c?c6YQvXeXQL9(>B?;p`Da(~G6eTla5aa}3e+TdY?AzX>u*U!F`1s)FqsZdS94=7(pdfic4sx2 z+HcM^&8>GPpt}N0t(j|x;LDhWOzT_=ZpTR3`Oa!=)Hj8Tthf|miYG7gq!q^Ce?736 Qhj;z#gj$!seGmdI&|Q3faR2}S delta 266 zcmV+l0rmcb3WN%<1O$I{DSOp1XllPgw3T39MJwPmwNGN;P;ouNbdNB^PBn^Ydp@&y zf_~rCV`|j6%}Wt}+Mh`7P%POP@ONK^020LC{{kel`lXyGo(6rimcy{?G=e+ua}_3S zH${UO(r_Uc<@#x779iFEy4^SN3+k?bjKnKni0W`Ju)(35*=v8sVrd>Df0!p!a3_vX z2}zlrY1q><0cnL?C&6~yTt156{cE(f?74bkzc47-0=d^&nj5ZFKyrM5 zHsVVNeEG4`6a{^9F{DH3O_C}~Qr;Q{o#u}tQ>utsbBEPGsdFEx@+cgWDr6MPk12B? Q6F)b8(@@Lv8sq{YTw`H;SO5S3 diff --git a/tests/scripts/check_files.py b/tests/scripts/check_files.py index a0f5e1f53..50af88a6b 100755 --- a/tests/scripts/check_files.py +++ b/tests/scripts/check_files.py @@ -119,6 +119,7 @@ BINARY_FILE_PATH_RE_LIST = [ r'tests/data_files/.*\.req\.[^/]+\Z', r'tests/data_files/.*malformed[^/]+\Z', r'tests/data_files/format_pkcs12\.fmt\Z', + r'tests/data_files/pkcs7_data.*\.bin\Z', ] BINARY_FILE_PATH_RE = re.compile('|'.join(BINARY_FILE_PATH_RE_LIST)) diff --git a/tests/suites/test_suite_pkcs7.function b/tests/suites/test_suite_pkcs7.function index c5094bcca..a1de9998d 100644 --- a/tests/suites/test_suite_pkcs7.function +++ b/tests/suites/test_suite_pkcs7.function @@ -150,7 +150,7 @@ void pkcs7_verify_multiple_signers( char *pkcs7_file, char *crt1, char *crt2, ch res = stat( filetobesigned, &st ); TEST_ASSERT( res == 0 ); - file = fopen( filetobesigned, "r" ); + file = fopen( filetobesigned, "rb" ); TEST_ASSERT( file != NULL ); datalen = st.st_size; From 2364aaefa64db2d3303a0b716eff14134f60fa66 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Fri, 4 Nov 2022 11:33:04 +0000 Subject: [PATCH 30/35] Update tests/suites/test_suite_pkcs7.function Address test dependency issue Signed-off-by: Dave Rodgman --- tests/suites/test_suite_pkcs7.function | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/suites/test_suite_pkcs7.function b/tests/suites/test_suite_pkcs7.function index a1de9998d..14a088253 100644 --- a/tests/suites/test_suite_pkcs7.function +++ b/tests/suites/test_suite_pkcs7.function @@ -10,7 +10,7 @@ /* END_HEADER */ /* BEGIN_DEPENDENCIES - * depends_on:MBEDTLS_PKCS7_C + * depends_on:MBEDTLS_PKCS7_C:MBEDTLS_RSA_C * END_DEPENDENCIES */ From 89e82e1685e87add62385d100f7d9b428042cdbc Mon Sep 17 00:00:00 2001 From: Nick Child Date: Wed, 9 Nov 2022 10:36:10 -0600 Subject: [PATCH 31/35] pkcs7: Add dependecy on MBEDTLS_MD_C Signed-off-by: Nick Child --- include/mbedtls/check_config.h | 3 ++- include/mbedtls/mbedtls_config.h | 3 ++- tests/scripts/all.sh | 2 ++ 3 files changed, 6 insertions(+), 2 deletions(-) diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h index dcb6392f1..e5f8b8975 100644 --- a/include/mbedtls/check_config.h +++ b/include/mbedtls/check_config.h @@ -992,7 +992,8 @@ #if defined(MBEDTLS_PKCS7_C) && ( ( !defined(MBEDTLS_ASN1_PARSE_C) ) || \ ( !defined(MBEDTLS_OID_C) ) || ( !defined(MBEDTLS_PK_PARSE_C) ) || \ ( !defined(MBEDTLS_X509_CRT_PARSE_C) ) ||\ - ( !defined(MBEDTLS_X509_CRL_PARSE_C) ) || ( !defined(MBEDTLS_BIGNUM_C) ) ) + ( !defined(MBEDTLS_X509_CRL_PARSE_C) ) || ( !defined(MBEDTLS_BIGNUM_C) ) \ + ( !defined(MBEDTLS_MD_C) ) ) #error "MBEDTLS_PKCS7_C is defined, but not all prerequisites" #endif diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h index 45dd2748c..84dcf47ff 100644 --- a/include/mbedtls/mbedtls_config.h +++ b/include/mbedtls/mbedtls_config.h @@ -2669,7 +2669,8 @@ * Module: library/pkcs7.c * * Requires: MBEDTLS_ASN1_PARSE_C, MBEDTLS_OID_C, MBEDTLS_PK_PARSE_C, - * MBEDTLS_X509_CRT_PARSE_C MBEDTLS_X509_CRL_PARSE_C, MBEDTLS_BIGNUM_C + * MBEDTLS_X509_CRT_PARSE_C MBEDTLS_X509_CRL_PARSE_C, + * MBEDTLS_BIGNUM_C, MBEDTLS_MD_C * * This module is required for the PKCS7 parsing modules. */ diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 7139fde6b..401afaf15 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -1211,6 +1211,7 @@ component_test_crypto_full_no_md () { scripts/config.py unset MBEDTLS_HKDF_C scripts/config.py unset MBEDTLS_HMAC_DRBG_C scripts/config.py unset MBEDTLS_PKCS5_C + scripts/config.py unset MBEDTLS_PKCS7_C scripts/config.py unset MBEDTLS_PKCS12_C # Indirect dependencies scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC @@ -1871,6 +1872,7 @@ component_test_psa_crypto_config_accel_hash_use_psa () { scripts/config.py unset MBEDTLS_HKDF_C scripts/config.py unset MBEDTLS_HMAC_DRBG_C scripts/config.py unset MBEDTLS_PKCS5_C + scripts/config.py unset MBEDTLS_PKCS7_C scripts/config.py unset MBEDTLS_PKCS12_C scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_DETERMINISTIC_ECDSA From 50e5616553b9d3d6f39b2030a6eb6462f2d9921d Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Thu, 10 Nov 2022 10:07:35 +0000 Subject: [PATCH 32/35] Fix typo in check_config.h Signed-off-by: Dave Rodgman --- include/mbedtls/check_config.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h index 701bdedc1..e49cf12b7 100644 --- a/include/mbedtls/check_config.h +++ b/include/mbedtls/check_config.h @@ -1065,7 +1065,7 @@ #if defined(MBEDTLS_PKCS7_C) && ( ( !defined(MBEDTLS_ASN1_PARSE_C) ) || \ ( !defined(MBEDTLS_OID_C) ) || ( !defined(MBEDTLS_PK_PARSE_C) ) || \ ( !defined(MBEDTLS_X509_CRT_PARSE_C) ) ||\ - ( !defined(MBEDTLS_X509_CRL_PARSE_C) ) || ( !defined(MBEDTLS_BIGNUM_C) ) \ + ( !defined(MBEDTLS_X509_CRL_PARSE_C) ) || ( !defined(MBEDTLS_BIGNUM_C) ) || \ ( !defined(MBEDTLS_MD_C) ) ) #error "MBEDTLS_PKCS7_C is defined, but not all prerequisites" #endif From ebd0caffdf66d57bf64625bb2ec41e031a66aca5 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Thu, 10 Nov 2022 15:33:54 +0000 Subject: [PATCH 33/35] Fix test memory allocation Fix error in memory allocation in test code, which was triggering an error in test_memory_buffer_allocator. Signed-off-by: Dave Rodgman --- tests/suites/test_suite_pkcs7.function | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/suites/test_suite_pkcs7.function b/tests/suites/test_suite_pkcs7.function index 14a088253..e3961407d 100644 --- a/tests/suites/test_suite_pkcs7.function +++ b/tests/suites/test_suite_pkcs7.function @@ -75,7 +75,7 @@ void pkcs7_verify( char *pkcs7_file, char *crt, char *filetobesigned, int do_has TEST_ASSERT( file != NULL ); datalen = st.st_size; - data = mbedtls_calloc( datalen, 1 ); + ASSERT_ALLOC( data, datalen ); TEST_ASSERT( data != NULL ); buflen = fread( (void *)data , sizeof( unsigned char ), datalen, file ); @@ -154,7 +154,7 @@ void pkcs7_verify_multiple_signers( char *pkcs7_file, char *crt1, char *crt2, ch TEST_ASSERT( file != NULL ); datalen = st.st_size; - data = ( unsigned char* ) calloc( datalen, sizeof(unsigned char) ); + ASSERT_ALLOC( data, datalen ); buflen = fread( ( void * )data , sizeof( unsigned char ), datalen, file ); TEST_ASSERT( buflen == datalen ); From 71565cff3aeaa7f0acb0a019fd646dc0bd67d8d0 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Fri, 11 Nov 2022 10:37:38 +0000 Subject: [PATCH 34/35] Disable PKCS7 for some TLS 1.3 tests Signed-off-by: Dave Rodgman --- tests/scripts/all.sh | 3 +++ 1 file changed, 3 insertions(+) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 716495e28..d3ad4d92d 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -3242,6 +3242,7 @@ component_test_tls13_only_psk () { scripts/config.py unset MBEDTLS_SSL_SERVER_NAME_INDICATION scripts/config.py unset MBEDTLS_ECDSA_C scripts/config.py unset MBEDTLS_PKCS1_V21 + scripts/config.py unset MBEDTLS_PKCS7_C make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'" msg "test_suite_ssl: TLS 1.3 only, only PSK key exchange mode enabled" @@ -3273,6 +3274,7 @@ component_test_tls13_only_psk_ephemeral () { scripts/config.py unset MBEDTLS_SSL_SERVER_NAME_INDICATION scripts/config.py unset MBEDTLS_ECDSA_C scripts/config.py unset MBEDTLS_PKCS1_V21 + scripts/config.py unset MBEDTLS_PKCS7_C make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'" msg "test_suite_ssl: TLS 1.3 only, only PSK ephemeral key exchange mode" @@ -3290,6 +3292,7 @@ component_test_tls13_only_psk_all () { scripts/config.py unset MBEDTLS_SSL_SERVER_NAME_INDICATION scripts/config.py unset MBEDTLS_ECDSA_C scripts/config.py unset MBEDTLS_PKCS1_V21 + scripts/config.py unset MBEDTLS_PKCS7_C make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'" msg "test_suite_ssl: TLS 1.3 only, PSK and PSK ephemeral key exchange modes" From 12269e27b190ae399916c81c02ded099864c1b28 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bence=20Sz=C3=A9pk=C3=BAti?= Date: Fri, 25 Nov 2022 05:51:02 +0100 Subject: [PATCH 35/35] Add changelog for PKCS7 parser MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Bence Szépkúti --- ChangeLog.d/pkcs7-parser.txt | 13 +++++++++++++ 1 file changed, 13 insertions(+) create mode 100644 ChangeLog.d/pkcs7-parser.txt diff --git a/ChangeLog.d/pkcs7-parser.txt b/ChangeLog.d/pkcs7-parser.txt new file mode 100644 index 000000000..7f85f0ce1 --- /dev/null +++ b/ChangeLog.d/pkcs7-parser.txt @@ -0,0 +1,13 @@ +Features + * Added partial support for parsing the PKCS7 cryptographic message syntax, + as defined in RFC 2315. Currently, support is limited to the following: + - Only the signed data content type, version 1 is supported. + - Only DER encoding is supported. + - Only a single digest algorithm per message is supported. + - Only 0 or 1, certificate is supported per message, which must be in + X509 format. + - There is no support for certificate-revocation lists. + - The authenticated and unauthenticated attribute fields of SignerInfo + must be empty. + Many thanks to Daniel Axtens, Nayna Jain, and Nick Child from IBM for + contributing this feature.