From 54286eaa059187e5f1119d57ab09eda69124c50d Mon Sep 17 00:00:00 2001
From: JacobBarthelmeh
Date: Wed, 29 Mar 2023 08:31:58 -0700
Subject: [PATCH 1/9] add example to generate smime
---
 pkcs7/smime.c | 195 ++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 195 insertions(+)
 create mode 100644 pkcs7/smime.c
diff --git a/pkcs7/smime.c b/pkcs7/smime.c
new file mode 100644
index 00000000..ddc54fb0
--- /dev/null
+++ b/pkcs7/smime.c
@@ -0,0 +1,195 @@ +/* smime.c + * + * Copyright (C) 2006-2020 wolfSSL Inc. + * + * This file is part of wolfSSL. (formerly known as CyaSSL) + * + * wolfSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * wolfSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA + */ + +#include +#include +#include +#include +#include +#include + + +#ifdef HAVE_SMIME + +/* Create an SMIME bundle, uses steps similar to PKCS7_sign() but this is + * with native PKCS7 API allowing for control over the devID set */ +static int Create(byte* smime, int* smimeSz, byte* key, int keySz, + byte* signer, int signerSz, byte* content, int contentSz, int detatched) +{ + WOLFSSL_BIO *out, *in; + WOLFSSL_PKCS7* pkcs7Compat; + PKCS7* pkcs7; + int ret = 0; + + out = wolfSSL_BIO_new(wolfSSL_BIO_s_mem()); + in = wolfSSL_BIO_new(wolfSSL_BIO_s_mem()); + if (out == NULL || in == NULL) { + printf("Failed to create bio's\n"); + return -1; + } + + pkcs7Compat = (WOLFSSL_PKCS7*)wolfSSL_PKCS7_new(); + if (pkcs7Compat == NULL) { + ret = MEMORY_E; + } + else { + pkcs7 = &(pkcs7Compat->pkcs7); + + /* can change devID here and set signer */ + ret = wc_PKCS7_Init(pkcs7, NULL, INVALID_DEVID); + } + + if (ret == 0) { + ret = wc_PKCS7_InitWithCert(pkcs7, signer, signerSz); + } + + if (ret == 0) { + /* set signer private key, data types, defaults */ + pkcs7->privateKey = key; + pkcs7->privateKeySz = keySz; + pkcs7->contentOID = 
DATA; /* inner content default is DATA */ + pkcs7->hashOID = SHA256h; /* default to SHA-256 hash type */ + + /* type of SMIME */ + pkcs7Compat->type = SIGNED_DATA; + + /* add additional chain certs if provided */ + /* wc_PKCS7_AddCertificate(pkcs7, additionalCert, additionalCertSz); */ + + /* set detached flag */ + if (detatched & PKCS7_DETACHED) { + ret = wc_PKCS7_SetDetached(pkcs7, 1); + } + + /* setup content to sign */ + if (ret == 0) { + if (wolfSSL_BIO_write(in, content, contentSz) != contentSz) { + ret = -1; + } + } + + if (ret == 0) { + if (wolfSSL_SMIME_write_PKCS7(out, (PKCS7*)pkcs7Compat, in, + detatched) != WOLFSSL_SUCCESS) { + printf("SMIME write failed!\n"); + ret = -1; + } + } + } + + if (ret == 0) { + ret = wolfSSL_BIO_read(out, smime, *smimeSz); + if (ret > 0) { + *smimeSz = ret; + ret = 0; + } + else { + ret = -1; + } + } + + wolfSSL_BIO_free(in); + wolfSSL_BIO_free(out); + wolfSSL_PKCS7_free((PKCS7*)pkcs7Compat); + return ret; +} + + +/* read private key and signer certificate in DER format */ +static int ReadKeyAndCert(char* keyFile, char* certFile, byte* key, int* keySz, + byte* cert, int* certSz) +{ + int ret; + XFILE f; + + f = XFOPEN(keyFile, "rb"); + if (f == NULL) { + printf("Error opening file %s\n", keyFile); + return -1; + } + else { + ret = XFREAD(key, 1, *keySz, f); + if (ret >= 0) { + *keySz = ret; + ret = 0; + XFCLOSE(f); + } + } + + f = XFOPEN(certFile, "rb"); + if (f == NULL) { + printf("Error opening file %s\n", certFile); + return -1; + } + else { + ret = XFREAD(cert, 1, *certSz, f); + if (ret >= 0) { + *certSz = ret; + ret = 0; + XFCLOSE(f); + } + } + + return ret; +} + +int main(int argc, char** argv) +{ + byte key[2048]; + int keySz = 2048; + + byte cert[2048]; + int certSz = 2048; + + byte smime[3072]; + int smimeSz = 3072; + + byte content[] = "Test content to sign"; + int contentSz = sizeof(content); + + int ret; + int i; + + if (argc != 3) { + printf("Use ./smime \n"); + return -1; + } + + ret = ReadKeyAndCert(argv[1], 
argv[2], key, &keySz, cert, &certSz); + if (ret == 0) + ret = Create(smime, &smimeSz, key, keySz, cert, certSz, + content, contentSz, 0); + if (ret == 0) { + printf("Generated SMIME : "); + for (i = 0; i < smimeSz; i++) + printf("%02X", smime[i]); + printf("\n"); + } + + return ret; +} +#else +int main() +{ + printf("wolfSSL was compiled with out HAVE_SMIME support\n"); + return 0; +} +#endif From 21cc2df19eb6ae80ecb83b725d229a76c3566736 Mon Sep 17 00:00:00 2001 From: JacobBarthelmeh Date: Thu, 11 May 2023 21:45:25 -0700 Subject: [PATCH 2/9] add example verify of smime --- pkcs7/Makefile | 3 +- pkcs7/smime-verify.c | 195 +++++++++++++++++++++++++++++++++++++++++++ pkcs7/smime.c | 7 ++ 3 files changed, 204 insertions(+), 1 deletion(-) create mode 100644 pkcs7/smime-verify.c diff --git a/pkcs7/Makefile b/pkcs7/Makefile index f4ad6942..9a8cd03e 100644 --- a/pkcs7/Makefile +++ b/pkcs7/Makefile @@ -49,4 +49,5 @@ clean: envelopedDataPWRI.der envelopedDataORI.der envelopedDataKEKRI.der \ authEnvelopedDataKARI.der authEnvelopedDataKTRI.der \ authEnvelopedDataORI.der authEnvelopedDataPWRI.der encryptedData.der \ - authEnvelopedDataKEKRI.der compressedData.der + authEnvelopedDataKEKRI.der compressedData.der \ + smime-created.p7s diff --git a/pkcs7/smime-verify.c b/pkcs7/smime-verify.c new file mode 100644 index 00000000..658c1e21 --- /dev/null +++ b/pkcs7/smime-verify.c 
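Review bot: In Create the early `return -1` after `if (out == NULL || in == NULL)` leaks whichever of the two mem BIOs was created successfully; the function's own exit path already relies on `wolfSSL_PKCS7_free` accepting NULL (it is reached with `pkcs7Compat == NULL` on the MEMORY_E path), and assuming `wolfSSL_BIO_free` is equally NULL-tolerant the fix is to free both before returning: `wolfSSL_BIO_free(in); wolfSSL_BIO_free(out); return -1;`. `pkcs7` is assigned only in the `else` branch, so initialising it to NULL at its declaration would keep any later change to the `ret == 0` chain from reaching an indeterminate pointer. In main the DER private key sits in the stack array `key` until the process exits; since this is the example users copy from, clearing it once Create returns (wolfSSL's `ForceZero(key, sizeof(key));` resists being optimised away) is worth demonstrating. The `detatched` parameter name is misspelled throughout this hunk and the `#else` build of main prints "compiled with out", which should read "without".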
@@ -0,0 +1,195 @@ +/* smime-verify.c + * + * Copyright (C) 2006-2020 wolfSSL Inc. + * + * This file is part of wolfSSL. (formerly known as CyaSSL) + * + * wolfSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * wolfSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA + */ + +#include +#include +#include +#include +#include +#include + + +#ifdef HAVE_SMIME + +static int Verify(byte* smime, int smimeSz, byte* ca, int caSz, int detached) +{ + WOLFSSL_PKCS7* pkcs7Compat = NULL; + WOLFSSL_BIO *in, *content = NULL; + WOLFSSL_X509* x509 = NULL; + WOLFSSL_X509_STORE* store = NULL; + int ret = 0; + + in = wolfSSL_BIO_new(wolfSSL_BIO_s_mem()); + if (in == NULL) { + ret = MEMORY_E; + } + + if (ret == 0) { + WOLFSSL_BIO *multi = NULL; + + wolfSSL_BIO_write(in, smime, smimeSz); + pkcs7Compat = (WOLFSSL_PKCS7*)wolfSSL_SMIME_read_PKCS7(in, &multi); + if (pkcs7Compat == NULL) { + printf("Error parsing SMIME\n"); + ret = -1; + } + + if (multi != NULL) { + byte* pt; + int ptSz, i; + + printf("Multi part message, signed data is : "); + ptSz = wolfSSL_BIO_get_mem_data(multi, &pt); + for (i = 0; i < ptSz; i ++) + printf("%02X", pt[i]); + printf("\n"); + wolfSSL_BIO_free(multi); + } + } + + if (ret == 0) { + const unsigned char* pt; + + /* set devID */ + pkcs7Compat->pkcs7.devId = INVALID_DEVID; + + pt = ca; + x509 = wolfSSL_d2i_X509(NULL, &pt, caSz); + if (x509 == NULL) { + printf("Error 
decoding signer\n"); + ret = -1; + } + } + + if (ret == 0) { + store = wolfSSL_X509_STORE_new(); + if (store == NULL) { + printf("Error creating cert store\n"); + ret = MEMORY_E; + } + else { + wolfSSL_X509_STORE_add_cert(store, x509); + } + } + + if (ret == 0) { + content = wolfSSL_BIO_new(wolfSSL_BIO_s_mem()); + ret = wolfSSL_PKCS7_verify((PKCS7*)pkcs7Compat, NULL, store, NULL, + content, detached); + if (ret == WOLFSSL_SUCCESS) { + ret = 0; + } + } + + + if (ret == 0 && content != NULL) { + byte* pt; + int ptSz, i; + + printf("Content found on verify : "); + ptSz = wolfSSL_BIO_get_mem_data(content, &pt); + for (i = 0; i < ptSz; i ++) + printf("%c", pt[i]); + printf("\n"); + } + + wolfSSL_BIO_free(in); + wolfSSL_BIO_free(content); + wolfSSL_PKCS7_free((PKCS7*)pkcs7Compat); + wolfSSL_X509_free(x509); + wolfSSL_X509_STORE_free(store); + return ret; +} + + +/* read private smime and signer certificate in DER format */ +static int ReadSmimeAndCert(char* smimeFile, char* certFile, byte* smime, + int* smimeSz, byte* cert, int* certSz) +{ + int ret; + XFILE f; + + f = XFOPEN(smimeFile, "rb"); + if (f == NULL) { + printf("Error opening file %s\n", smimeFile); + return -1; + } + else { + ret = XFREAD(smime, 1, *smimeSz, f); + if (ret >= 0) { + *smimeSz = ret; + ret = 0; + XFCLOSE(f); + } + } + + f = XFOPEN(certFile, "rb"); + if (f == NULL) { + printf("Error opening file %s\n", certFile); + return -1; + } + else { + ret = XFREAD(cert, 1, *certSz, f); + if (ret >= 0) { + *certSz = ret; + ret = 0; + XFCLOSE(f); + } + } + + return ret; +} + +int main(int argc, char** argv) +{ + byte cert[2048]; + int certSz = 2048; + + byte smime[3072]; + int smimeSz = 3072; + + int ret; + + if (argc != 3) { + printf("Use ./smime-verify \n"); + return -1; + } + + ret = ReadSmimeAndCert(argv[1], argv[2], smime, &smimeSz, cert, &certSz); + if (ret == 0) { + ret = Verify(smime, smimeSz, cert, certSz, 0); + if (ret == 0) { + printf("Verify Success\n"); + } + else { + printf("Verify Failed\n"); + 
 }
+ }
+ 
+ return ret;
+}
+#else
+int main()
+{
+ printf("wolfSSL was compiled with out HAVE_SMIME support\n");
+ return 0;
+}
+#endif
diff --git a/pkcs7/smime.c b/pkcs7/smime.c
index ddc54fb0..b4950441 100644
--- a/pkcs7/smime.c
+++ b/pkcs7/smime.c
@@ -178,10 +178,17 @@ int main(int argc, char** argv)
 ret = Create(smime, &smimeSz, key, keySz, cert, certSz,
 content, contentSz, 0);
 if (ret == 0) {
+ FILE* f;
 printf("Generated SMIME : ");
 for (i = 0; i < smimeSz; i++)
 printf("%02X", smime[i]);
 printf("\n");
+ printf("output to file ./smime-created.p7s\n");
+ f = fopen("./smime-created.p7s", "wb");
+ if (f != NULL) {
+ fwrite(smime, 1, smimeSz, f);
+ fclose(f);
+ }
 }
 
 return ret;
From f811807462fd28ccd5bd3d1b84848bcced888b64 Mon Sep 17 00:00:00 2001
From: Jacob Barthelmeh
Date: Tue, 23 May 2023 13:18:35 -0600
Subject: [PATCH 3/9] add smime detatched example
---
 pkcs7/smime-verify.c | 32 +++++++++++++++++-----
 pkcs7/smime.c | 63 ++++++++++++++++++++++++++++++++++++++------
 2 files changed, 81 insertions(+), 14 deletions(-)
diff --git a/pkcs7/smime-verify.c b/pkcs7/smime-verify.c
index 658c1e21..886884e5 100644
--- a/pkcs7/smime-verify.c
+++ b/pkcs7/smime-verify.c
@@ -135,9 +135,16 @@ static int ReadSmimeAndCert(char* smimeFile, char* certFile, byte* smime,
 else {
 ret = XFREAD(smime, 1, *smimeSz, f);
 if (ret >= 0) {
- *smimeSz = ret;
- ret = 0;
- XFCLOSE(f);
+ if (ret == *smimeSz) {
+ printf("smime read in was larger than buffer\n");
+ XFCLOSE(f);
+ return -1;
+ }
+ else {
+ *smimeSz = ret;
+ ret = 0;
+ XFCLOSE(f);
+ }
 }
 }
 
@@ -149,9 +156,16 @@ static int ReadSmimeAndCert(char* smimeFile, char* certFile, byte* smime,
 else {
 ret = XFREAD(cert, 1, *certSz, f);
 if (ret >= 0) {
- *certSz = ret;
- ret = 0;
- XFCLOSE(f);
+ if (ret == *certSz) {
+ printf("Cert read in was larger than buffer\n");
+ XFCLOSE(f);
+ return -1;
+ }
+ else {
+ *certSz = ret;
+ ret = 0;
+ XFCLOSE(f);
+ }
 }
 }
 
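Review bot: In Verify the result of `wolfSSL_X509_STORE_add_cert(store, x509)` is discarded, so if the trust anchor is not installed the call to `wolfSSL_PKCS7_verify` runs against an empty store and the only symptom is a generic verify failure; make it `if (wolfSSL_X509_STORE_add_cert(store, x509) != WOLFSSL_SUCCESS) { printf("Error adding cert to store\n"); ret = -1; }`. The `content` BIO from `wolfSSL_BIO_new` is likewise handed to `wolfSSL_PKCS7_verify` without a NULL check, and the return of `wolfSSL_BIO_write(in, smime, smimeSz)` is never compared with smimeSz, so a short write could be parsed as a truncated bundle. The `ca` parameter deserves a comment that main forwards the signer's own certificate (what ReadSmimeAndCert's comment calls the "signer certificate") as the trust anchor, i.e. the example pins the leaf rather than validating a chain to an issuing CA.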
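Review bot: The file-output block added under `if (ret == 0) {` reports nothing when `fopen` returns NULL and ignores the counts returned by `fwrite` and `fclose`, so "output to file ./smime-created.p7s" is printed even when nothing or only part of the bundle reached disk. Check the write and the close and surface the failure, e.g. `if (fwrite(smime, 1, smimeSz, f) != (size_t)smimeSz || fclose(f) != 0) { printf("Error writing ./smime-created.p7s\n"); ret = -1; }`, and print an error in the `f == NULL` case. The detached-bundle block that patch 3 adds to the same main (the `./detached-smime-created.p7s` write) copies this pattern and needs the same treatment.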
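Review bot: The new guard `if (ret == *smimeSz)` cannot tell a file that is exactly the buffer size from one that is larger, so an exactly 3072-byte bundle is rejected with the "larger than buffer" message; to establish that data really was left over, attempt one more byte after the buffer fills, e.g. `byte extra;` and `if (ret == *smimeSz && XFREAD(&extra, 1, 1, f) == 1)`, and only then fail. The surrounding `if (ret >= 0)` is never false if XFREAD maps to fread (a size_t count assigned to int), and were it ever false the function would leave `f` open and continue to the certificate file with the stale `ret`; closing `f` on every path, or checking the stream with `ferror`, would be clearer. The same guard is copied into the `@@ -149` hunk below, into this patch's three smime.c hunks (the `wolfSSL_BIO_read` result in Create and both reads in ReadKeyAndCert), and later into the content-file read of patch 5, so the fix applies at each of them.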
@@ -173,6 +187,11 @@ int main(int argc, char** argv)
 return -1;
 }
 
+ if (wolfSSL_Init() != WOLFSSL_SUCCESS) {
+ printf("Failure to initialize wolfSSL library\n");
+ return -1;
+ }
+ 
 ret = ReadSmimeAndCert(argv[1], argv[2], smime, &smimeSz, cert, &certSz);
 if (ret == 0) {
 ret = Verify(smime, smimeSz, cert, certSz, 0);
@@ -184,6 +203,7 @@ int main(int argc, char** argv)
 }
 }
 
+ wolfSSL_Cleanup();
 return ret;
 }
 #else
diff --git a/pkcs7/smime.c b/pkcs7/smime.c
index b4950441..b9730b64 100644
--- a/pkcs7/smime.c
+++ b/pkcs7/smime.c
@@ -98,8 +98,14 @@ static int Create(byte* smime, int* smimeSz, byte* key, int keySz,
 if (ret == 0) {
 ret = wolfSSL_BIO_read(out, smime, *smimeSz);
 if (ret > 0) {
- *smimeSz = ret;
- ret = 0;
+ if (ret == *smimeSz) {
+ printf("output smime buffer too small\n");
+ ret = -1;
+ }
+ else {
+ *smimeSz = ret;
+ ret = 0;
+ }
 }
 else {
 ret = -1;
@@ -128,9 +134,16 @@ static int ReadKeyAndCert(char* keyFile, char* certFile, byte* key, int* keySz,
 else {
 ret = XFREAD(key, 1, *keySz, f);
 if (ret >= 0) {
- *keySz = ret;
- ret = 0;
- XFCLOSE(f);
+ if (ret == *keySz) {
+ printf("Key read in is larger than buffer\n");
+ XFCLOSE(f);
+ return -1;
+ }
+ else {
+ *keySz = ret;
+ ret = 0;
+ XFCLOSE(f);
+ }
 }
 }
 
@@ -142,9 +155,16 @@ static int ReadKeyAndCert(char* keyFile, char* certFile, byte* key, int* keySz,
 else {
 ret = XFREAD(cert, 1, *certSz, f);
 if (ret >= 0) {
- *certSz = ret;
- ret = 0;
- XFCLOSE(f);
+ if (ret == *certSz) {
+ printf("Cert read in is larger than buffer\n");
+ XFCLOSE(f);
+ return -1;
+ }
+ else {
+ *certSz = ret;
+ ret = 0;
+ XFCLOSE(f);
+ }
 }
 }
 
@@ -173,6 +193,11 @@ int main(int argc, char** argv)
 return -1;
 }
 
+ if (wolfSSL_Init() != WOLFSSL_SUCCESS) {
+ printf("Failure to initialize wolfSSL library\n");
+ return -1;
+ }
+ 
 ret = ReadKeyAndCert(argv[1], argv[2], key, &keySz, cert, &certSz);
 if (ret == 0)
 ret = Create(smime, &smimeSz, key, keySz, cert, certSz,
@@ -191,6 +216,28 @@ int main(int argc, char** argv)
 }
 }
 
+ /* create detached pkcs7 smime bundle */
+ printf("\n");
+ smimeSz = 3072;
+ memset(smime, 0, smimeSz);
+ if (ret == 0)
+ ret = Create(smime, &smimeSz, key, keySz, cert, certSz,
+ content, contentSz, PKCS7_DETACHED);
+ if (ret == 0) {
+ FILE* f;
+ printf("Generated SMIME : ");
+ for (i = 0; i < smimeSz; i++)
+ printf("%02X", smime[i]);
+ printf("\n");
+ printf("output to file ./detached-smime-created.p7s\n");
+ f = fopen("./detached-smime-created.p7s", "wb");
+ if (f != NULL) {
+ fwrite(smime, 1, smimeSz, f);
+ fclose(f);
+ }
+ }
+ 
+ wolfSSL_Cleanup();
 return ret;
 }
 #else
From fa28f249aebe557c7dbc2f44dba3143675c56f6b Mon Sep 17 00:00:00 2001
From: JacobBarthelmeh
Date: Wed, 7 Jun 2023 22:49:30 -0600
Subject: [PATCH 4/9] add print out of certificate attempted to verify
---
 pkcs7/smime-verify.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/pkcs7/smime-verify.c b/pkcs7/smime-verify.c
index 886884e5..fa07586e 100644
--- a/pkcs7/smime-verify.c
+++ b/pkcs7/smime-verify.c
@@ -97,6 +97,18 @@ static int Verify(byte* smime, int smimeSz, byte* ca, int caSz, int detached)
 if (ret == WOLFSSL_SUCCESS) {
 ret = 0;
 }
+ else {
+ /* print out certificate that could not be verified */
+ int i;
+ byte* pt = pkcs7Compat->pkcs7.verifyCert;
+ 
+ printf("Could not verify certificate :");
+ for (i = 0; i < pkcs7Compat->pkcs7.verifyCertSz; i++) {
+ printf("%02X", pt[i]);
+ }
+ printf("\n");
+ ret = -1;
+ }
 }
 
 
From fad7bc2966acc3b4f86b4840487cd7a81067b009 Mon Sep 17 00:00:00 2001
From: JacobBarthelmeh
Date: Mon, 12 Jun 2023 16:38:21 -0600
Subject: [PATCH 5/9] add detatched content option for smime-verify
---
 pkcs7/smime-verify.c | 54 +++++++++++++++++++++++++++++++++++---------
 1 file changed, 43 insertions(+), 11 deletions(-)
diff --git a/pkcs7/smime-verify.c b/pkcs7/smime-verify.c
index fa07586e..5c8de38d 100644
--- a/pkcs7/smime-verify.c
+++ b/pkcs7/smime-verify.c
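Review bot: The detached block is a near-verbatim copy of the block above it in main (hex print, `fopen`, `fwrite`, `fclose`), differing only in the flag passed to Create and the output file name, and like the original it ignores `fopen`/`fwrite`/`fclose` failures. A small static helper taking the path and buffer keeps the two in step and gives one place to check the write; main then calls it once per bundle. The `smimeSz = 3072;` reset also repeats the array length as a literal rather than `sizeof(smime)` (patch 7 later corrects this).
```c
/* print the bundle as hex and write it to path; returns 0 on success, -1 on error */
static int WriteBundle(const char* path, const byte* buf, int sz)
{
    FILE* f;
    int i;

    printf("Generated SMIME : ");
    for (i = 0; i < sz; i++)
        printf("%02X", buf[i]);
    printf("\n");
    printf("output to file %s\n", path);

    f = fopen(path, "wb");
    if (f == NULL) {
        printf("Error opening %s for writing\n", path);
        return -1;
    }
    if (fwrite(buf, 1, sz, f) != (size_t)sz || fclose(f) != 0) {
        printf("Error writing %s\n", path);
        return -1;
    }
    return 0;
}
/* … in main, after each successful Create(): … */
    if (ret == 0)
        ret = WriteBundle("./detached-smime-created.p7s", smime, smimeSz);
```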
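Review bot: The new `else` branch dereferences `pkcs7Compat->pkcs7.verifyCert` without a NULL check; if verification failed before a signer certificate was located, the loop reads through a null pointer whenever `verifyCertSz` is non-zero, so wrap it: `if (pt != NULL) { for (...) printf("%02X", pt[i]); }` and print a short note otherwise. The index `i` is an `int` compared against `verifyCertSz`; if that field is unsigned in the PKCS7 struct (not visible in this hunk) the comparison trips -Wsign-compare and should use a matching type. The branch also unconditionally replaces `ret` with `-1`, discarding whatever the library returned; printing that value first keeps the diagnostic.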
@@ -29,7 +29,7 @@
 
 #ifdef HAVE_SMIME
 
-static int Verify(byte* smime, int smimeSz, byte* ca, int caSz, int detached)
+static int Verify(byte* smime, int smimeSz, byte* ca, int caSz, byte* contentIn, int contentInSz, int detached)
 {
 WOLFSSL_PKCS7* pkcs7Compat = NULL;
 WOLFSSL_BIO *in, *content = NULL;
@@ -90,6 +90,12 @@ static int Verify(byte* smime, int smimeSz, byte* ca, int caSz, int detached)
 }
 }
 
+ if (ret == 0 && contentIn != NULL) {
+ pkcs7Compat->pkcs7.content = contentIn;
+ pkcs7Compat->pkcs7.contentSz = contentInSz;
+ wc_PKCS7_SetDetached(&pkcs7Compat->pkcs7, 1);
+ }
+ 
 if (ret == 0) {
 content = wolfSSL_BIO_new(wolfSSL_BIO_s_mem());
 ret = wolfSSL_PKCS7_verify((PKCS7*)pkcs7Compat, NULL, store, NULL,
@@ -133,8 +139,9 @@ static int Verify(byte* smime, int smimeSz, byte* ca, int caSz, int detached)
 
 
 /* read private smime and signer certificate in DER format */
-static int ReadSmimeAndCert(char* smimeFile, char* certFile, byte* smime,
- int* smimeSz, byte* cert, int* certSz)
+static int ReadSmimeAndCert(char* smimeFile, char* certFile, char* contentFile,
+ byte* smime,
+ int* smimeSz, byte* cert, int* certSz, byte* content, int* contentSz)
 {
 int ret;
 XFILE f;
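Review bot: The return value of `wc_PKCS7_SetDetached(&pkcs7Compat->pkcs7, 1)` is discarded, whereas the same call in smime.c's Create feeds `ret`; keep them consistent: `ret = wc_PKCS7_SetDetached(&pkcs7Compat->pkcs7, 1);`. Supplying `contentIn` now forces detached mode unconditionally while the separate `detached` argument still goes to `wolfSSL_PKCS7_verify` as its flags, so the two can disagree; a comment above the block saying which input wins when the bundle already carries its own content would help (the README text later in this series says the bundle's content takes precedence, which I cannot confirm from the code here). Since `pkcs7.content` is pointed at the caller's buffer rather than copied, the comment should also state that `contentIn` must outlive the verify call. Verify's body continues outside this hunk.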
@@ -181,21 +188,45 @@ static int ReadSmimeAndCert(char* smimeFile, char* certFile, byte* smime,
 }
 }
 
+ f = XFOPEN(contentFile, "rb");
+ if (f == NULL) {
+ printf("Error opening file %s\n", contentFile);
+ return -1;
+ }
+ else {
+ ret = XFREAD(content, 1, *contentSz, f);
+ if (ret >= 0) {
+ if (ret == *contentSz) {
+ printf("Cert read in was larger than buffer\n");
+ XFCLOSE(f);
+ return -1;
+ }
+ else {
+ *contentSz = ret;
+ ret = 0;
+ XFCLOSE(f);
+ }
+ }
+ }
+ 
 return ret;
 }
 
 int main(int argc, char** argv)
 {
- byte cert[2048];
- int certSz = 2048;
+ byte cert[4096];
+ int certSz = 4096;
 
- byte smime[3072];
- int smimeSz = 3072;
+ byte smime[10000];
+ int smimeSz = 10000;
+ 
+ byte content[10000];
+ int contentSz = 10000;
 
 int ret;
 
- if (argc != 3) {
- printf("Use ./smime-verify \n");
+ if (argc != 4) {
+ printf("Use ./smime-verify \n");
 return -1;
 }
 
@@ -204,9 +235,10 @@ int main(int argc, char** argv)
 return -1;
 }
 
- ret = ReadSmimeAndCert(argv[1], argv[2], smime, &smimeSz, cert, &certSz);
+ ret = ReadSmimeAndCert(argv[1], argv[2], argv[3], smime, &smimeSz, cert,
+ &certSz, content, &contentSz);
 if (ret == 0) {
- ret = Verify(smime, smimeSz, cert, certSz, 0);
+ ret = Verify(smime, smimeSz, cert, certSz, content, contentSz, 0);
 if (ret == 0) {
 printf("Verify Success\n");
 }
From d78289767ad185c169fdde5b19843e7556026fd8 Mon Sep 17 00:00:00 2001
From: JacobBarthelmeh
Date: Wed, 21 Feb 2024 16:30:33 +0700
Subject: [PATCH 6/9] pass in multi bio if found
---
 pkcs7/smime-verify.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/pkcs7/smime-verify.c b/pkcs7/smime-verify.c
index 5c8de38d..6ad40fce 100644
--- a/pkcs7/smime-verify.c
+++ b/pkcs7/smime-verify.c
@@ -33,6 +33,7 @@ static int Verify(byte* smime, int smimeSz, byte* ca, int caSz, byte* contentIn,
 {
 WOLFSSL_PKCS7* pkcs7Compat = NULL;
 WOLFSSL_BIO *in, *content = NULL;
+ WOLFSSL_BIO *multi = NULL;
 WOLFSSL_X509* x509 = NULL;
 WOLFSSL_X509_STORE* store = NULL;
 int ret = 0;
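Review bot: The error message in the new content-file read is copied from the certificate branch: `printf("Cert read in was larger than buffer\n");` should be `printf("Content read in was larger than buffer\n");`. With `argc != 4` the content file becomes mandatory even for a non-detached bundle (the `@@ -204` hunk below still passes `0` as the detached flag), which the usage text should say. The new `smime[10000]` and `content[10000]` arrays, plus `cert[4096]`, put roughly 24 KB on main's stack; that is fine on a desktop but deserves a comment for the embedded targets wolfSSL is built for, and initialising the `*Sz` variables from `sizeof` instead of repeating the literals would keep array and length from drifting.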
@@ -43,7 +44,6 @@ static int Verify(byte* smime, int smimeSz, byte* ca, int caSz, byte* contentIn,
 }
 
 if (ret == 0) {
- WOLFSSL_BIO *multi = NULL;
 
 wolfSSL_BIO_write(in, smime, smimeSz);
 pkcs7Compat = (WOLFSSL_PKCS7*)wolfSSL_SMIME_read_PKCS7(in, &multi);
@@ -61,7 +61,6 @@ static int Verify(byte* smime, int smimeSz, byte* ca, int caSz, byte* contentIn,
 for (i = 0; i < ptSz; i ++)
 printf("%02X", pt[i]);
 printf("\n");
- wolfSSL_BIO_free(multi);
 }
 }
 
@@ -98,7 +97,7 @@ static int Verify(byte* smime, int smimeSz, byte* ca, int caSz, byte* contentIn,
 
 if (ret == 0) {
 content = wolfSSL_BIO_new(wolfSSL_BIO_s_mem());
- ret = wolfSSL_PKCS7_verify((PKCS7*)pkcs7Compat, NULL, store, NULL,
+ ret = wolfSSL_PKCS7_verify((PKCS7*)pkcs7Compat, NULL, store, multi,
 content, detached);
 if (ret == WOLFSSL_SUCCESS) {
 ret = 0;
@@ -131,6 +130,7 @@ static int Verify(byte* smime, int smimeSz, byte* ca, int caSz, byte* contentIn,
 
 wolfSSL_BIO_free(in);
 wolfSSL_BIO_free(content);
+ wolfSSL_BIO_free(multi);
 wolfSSL_PKCS7_free((PKCS7*)pkcs7Compat);
 wolfSSL_X509_free(x509);
 wolfSSL_X509_STORE_free(store);
@@ -230,6 +230,10 @@ int main(int argc, char** argv)
 return -1;
 }
 
+#ifdef DEBUG_WOLFSSL
+ wolfSSL_Debugging_ON();
+#endif
+ 
 if (wolfSSL_Init() != WOLFSSL_SUCCESS) {
 printf("Failure to initialize wolfSSL library\n");
 return -1;
From 7b48a13f344b1d5dfc09475b9b45e0e354e96d17 Mon Sep 17 00:00:00 2001
From: JacobBarthelmeh
Date: Wed, 21 Feb 2024 17:03:16 +0700
Subject: [PATCH 7/9] update README
---
 pkcs7/README.md | 20 ++++++++++++++++++++
 pkcs7/smime.c | 6 +++++-
 2 files changed, 25 insertions(+), 1 deletion(-)
diff --git a/pkcs7/README.md b/pkcs7/README.md
index 01311f3e..71ffac25 100644
--- a/pkcs7/README.md
+++ b/pkcs7/README.md
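Review bot: Hoisting `multi` to function scope leaves the blank line that sat below the removed declaration at the top of the `if (ret == 0) {` block; drop it so the block does not open with an empty line. In the `@@ -98` hunk `multi` is now passed as the `indata` argument of `wolfSSL_PKCS7_verify` while `contentIn` may also have been installed via `pkcs7.content` by patch 5; a one-line comment stating which source the library uses when both are present would save the next reader a trip into the library (the precedence cannot be confirmed from this hunk). Moving the free to the exit path in the `@@ -131` hunk correctly replaces the early `wolfSSL_BIO_free(multi)` that the `@@ -61` hunk removes, and because `multi` starts as NULL it is now released on every path.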
@@ -618,6 +618,26 @@ Q31HIqX6H6JYdgtwHB1ZHaq+XS0lfLEGtsCqKKqTfNC9Q62RUBx7TfPk1w==
 -----END CERTIFICATE-----
 ```
 
+### Creating an SMIME bundle and verifying it
+
+In these example cases the content will be overridden by the content found in the
+SMIME bundle. The smime application creates both a detatched
+(detatched-smime-created.p7s) and a non detatched bundle (smime-created.p7s).
+
+Creating RSA signed bundles:
+
+```
+./smime ../certs/client-key.der ../certs/client-cert.der
+./smime-verify smime-created.p7s ../certs/client-cert.der content.txt
+```
+
+Creating ECC signed bundles:
+
+```
+./smime ../certs/ecc-client-key.der ../certs/client-ecc-cert.der
+./smime-verify detached-smime-created.p7s ../certs/client-ecc-cert.der content.txt
+```
+
 ## Support
 
 Please email wolfSSL support at support@wolfssl.com with any questions about
diff --git a/pkcs7/smime.c b/pkcs7/smime.c
index b9730b64..376ae6f0 100644
--- a/pkcs7/smime.c
+++ b/pkcs7/smime.c
@@ -193,6 +193,10 @@ int main(int argc, char** argv)
 return -1;
 }
 
+#ifdef DEBUG_WOLFSSL
+ wolfSSL_Debugging_ON();
+#endif
+ 
 if (wolfSSL_Init() != WOLFSSL_SUCCESS) {
 printf("Failure to initialize wolfSSL library\n");
 return -1;
@@ -218,7 +222,7 @@ int main(int argc, char** argv)
 
 /* create detached pkcs7 smime bundle */
 printf("\n");
- smimeSz = 3072;
+ smimeSz = sizeof(smime);
 memset(smime, 0, smimeSz);
 if (ret == 0)
 ret = Create(smime, &smimeSz, key, keySz, cert, certSz,
From e310409d0e5d5fe4d7ed6fa723613a7e15c58790 Mon Sep 17 00:00:00 2001
From: JacobBarthelmeh
Date: Wed, 21 Feb 2024 17:09:48 +0700
Subject: [PATCH 8/9] increase default example smime buffer size
---
 pkcs7/smime.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/pkcs7/smime.c b/pkcs7/smime.c
index 376ae6f0..9d4a6c49 100644
--- a/pkcs7/smime.c
+++ b/pkcs7/smime.c
@@ -179,8 +179,8 @@ int main(int argc, char** argv)
 byte cert[2048];
 int certSz = 2048;
 
- byte smime[3072];
- int smimeSz = 3072;
+ byte smime[4096];
+ int smimeSz = 4096;
 
 byte content[] = "Test content to sign";
 int contentSz = sizeof(content);
From e73bc9578d264012e9aa12d1442687df4edeb60d Mon Sep 17 00:00:00 2001
From: JacobBarthelmeh
Date: Wed, 21 Feb 2024 17:17:04 +0700
Subject: [PATCH 9/9] add setting key wrap OID to example
---
 pkcs7/smime.c | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/pkcs7/smime.c b/pkcs7/smime.c
index 9d4a6c49..972fe944 100644
--- a/pkcs7/smime.c
+++ b/pkcs7/smime.c
@@ -67,6 +67,12 @@ static int Create(byte* smime, int* smimeSz, byte* key, int keySz,
 pkcs7->privateKeySz = keySz;
 pkcs7->contentOID = DATA; /* inner content default is DATA */
 pkcs7->hashOID = SHA256h; /* default to SHA-256 hash type */
+ pkcs7->signedAttribs = NULL;
+ pkcs7->signedAttribsSz = 0;
+ #ifndef NO_AES
+ pkcs7->keyWrapOID = AES256_WRAP;
+ pkcs7->keyAgreeOID = dhSinglePass_stdDH_sha256kdf_scheme;
+ #endif
 
 /* type of SMIME */
 pkcs7Compat->type = SIGNED_DATA;
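Review bot: The buffer length is still written twice (`byte smime[4096];` and `int smimeSz = 4096;`), as it is for `key`/`keySz` and `cert`/`certSz` just above, while the detached reset later in main already uses `smimeSz = sizeof(smime);`; initialising with `int smimeSz = sizeof(smime);` (and the same for the other two) keeps the array and its length in lockstep so a future resize cannot reintroduce an overrun. A short comment on why 4096 was chosen (presumably the signed bundle with its embedded certificate no longer fit in 3072) would also tell the next person when it needs raising again.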
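Review bot: `keyWrapOID` and `keyAgreeOID` are key-encryption/key-agreement parameters used for enveloped-data recipients, yet Create builds a `SIGNED_DATA` bundle and never adds a recipient, so the code does not explain why they are set; if `wolfSSL_SMIME_write_PKCS7` or the signed-data encoder validates these fields regardless of type, say so, e.g. `/* not used for SIGNED_DATA; set only because the encoder checks them */`, otherwise drop them. Clearing `signedAttribs`/`signedAttribsSz` right after `wc_PKCS7_Init` is a no-op if Init zeroes the struct (not visible here), so a comment on whether this deliberately restates the default, or switches something off, is needed. The `#ifndef NO_AES`/`#endif` pair is indented inside the block, unlike every other preprocessor directive in these files, which sit at column 0.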