WolfSSL
/
wolfssl-examples
mirror of https://github.com/wolfSSL/wolfssl-examples.git
1
0
Fork 0
Code Issues Releases Wiki Activity

Merge pull request #250 from cconlon/pkcs7_to_pem 

add PKCS7 example of converting p7b to PEM
pull/252/head
Eric Blankenhorn 2021-03-16 16:51:43 -05:00 committed by GitHub
parent e5874466fa bafe057ef7
commit e5a77b2872
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 199 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored
View File

@ -150,6 +150,8 @@ pkcs7/signedData-DetachedSignature
pkcs7/signedData-EncryptedFirmwarePkgData
pkcs7/signedData-CompressedFirmwarePkgData
pkcs7/signedData-EncryptedCompressedFirmwarePkgData
pkcs7/signedData-EncryptedFirmwareCB
pkcs7/signedData-p7b
*.dSYM
certmanager/certloadverifybuffer

BIN
certs/test-degenerate.p7b 100644
View File

Binary file not shown.

46
pkcs7/README.md
View File

@ -570,6 +570,52 @@ Successfully encoded Signed Encrypted Compressed FirmwarePkgData (signedEncrypte
Successfully extracted and verified bundle contents
```
### Converting P7B Certificate Bundle to PEM using PKCS7 SignedData API
Example file: `signedData-p7b.c`
This example parses a .p7b certificate bundle using wolfCrypt's PKCS#7
SignedData API, looping over each extracted certificate, converting each
certificate to PEM format (from DER), and printing it to the terminal for
info/reference.
```
./signedData-p7b
Successfully verified SignedData bundle.
CERT [0] size = 1291 bytes
converted DER to PEM, pemSz = 1805
CERT [0] PEM:
-----BEGIN CERTIFICATE-----
MIIFBzCCA++gAwIBAgIJAPFcmUNmPZYEMA0GCSqGSIb3DQEBCwUAMIGeMQswCQYD
VQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjEVMBMG
A1UECgwMd29sZlNTTF8yMDQ4MRkwFwYDVQQLDBBQcm9ncmFtbWluZy0yMDQ4MRgw
FgYDVQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29s
ZnNzbC5jb20wHhcNMjEwMjEwMTk0OTUyWhcNMjMxMTA3MTk0OTUyWjCBnjELMAkG
A1UEBhMCVVMxEDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xFTAT
BgNVBAoMDHdvbGZTU0xfMjA0ODEZMBcGA1UECwwQUHJvZ3JhbW1pbmctMjA0ODEY
MBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdv
bGZzc2wuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwwPRK/45
pDJFO1PIhCsqfHSavaoqUgdH1qY2sgcyjtC6aXvGw0Se1IFI/S1oootnu6F1yDYs
StIb94u6zw357+zxgR57mwNHmr9lzH9lJGmm6BSJW+Q098WwFJP1Z3s6enjhAVZW
kaYTQo3SPECcTO/Rht83URsMoTv18aNKNeThzpbfG36/TpfQEOioCDCBryALQxTF
dGe0MoJvjYbCiECZNoO6HkByIhfXUmUkc7DO7xnNrv94bHvAEgPUTnINUG07ozuj
mV6dyNkMhbPZitlUJttt+qy7/yVMxNF59HHThkAYE7BjtXJOMMSXhIYtVi/XFfd/
wK71/Fvl+6G60wIDAQABo4IBRDCCAUAwHQYDVR0OBBYEFDPYRWbXaIcYflQNcCeR
xybXhWXAMIHTBgNVHSMEgcswgciAFDPYRWbXaIcYflQNcCeRxybXhWXAoYGkpIGh
MIGeMQswCQYDVQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96
ZW1hbjEVMBMGA1UECgwMd29sZlNTTF8yMDQ4MRkwFwYDVQQLDBBQcm9ncmFtbWlu
Zy0yMDQ4MRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEW
EGluZm9Ad29sZnNzbC5jb22CCQDxXJlDZj2WBDAMBgNVHRMEBTADAQH/MBwGA1Ud
EQQVMBOCC2V4YW1wbGUuY29thwR/AAABMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggr
BgEFBQcDAjANBgkqhkiG9w0BAQsFAAOCAQEAuitI0ajjwoRClqF85fFGukz3h1fH
eMjBMsRp/4W7XWrdyYd+/rv0/RUKTJSVgDCQRQP4M4fKX3Q4pNBax2U4w7Doh7FJ
Mrms6fvTCB2kUXvX2Ut5NaI6C+QMoAKcoWjhXWyOLjok3rvWHKesLs1XREj2cuDH
W5PcfVtkDheEaCyVHSyG1rB0Z1Fue/TVYThRsxjjEBZzSzaKimIF9VaKviHheH2/
rUX5C/WvoGIB/T9J3zk8/0boCv5ca7tBpWTxXJtRTLxtn6Mg7elI4am+CC2FQlnW
Q31HIqX6H6JYdgtwHB1ZHaq+XS0lfLEGtsCqKKqTfNC9Q62RUBx7TfPk1w==
-----END CERTIFICATE-----
```
## Support
Please email wolfSSL support at support@wolfssl.com with any questions about

151
pkcs7/signedData-p7b.c 100644
View File

@ -0,0 +1,151 @@
/* signedData-p7b.c
*
* Copyright (C) 2006-2020 wolfSSL Inc.
*
* This file is part of wolfSSL. (formerly known as CyaSSL)
*
* wolfSSL is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* wolfSSL is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
*
* DESCRIPTION:
*
* This file includes an example of parsing a .p7b certificate bundle using
* wolfCrypt's PKCS#7 SignedData API, looping over each extracted certificate,
* converting each certificate to PEM format (from DER), and printing
* it to the terminal for info/reference.
*
* This is only provided as an example and may need modification if integrated
* into a production application.
*/
#include <wolfssl/options.h>
#include <wolfssl/wolfcrypt/pkcs7.h>
#include <wolfssl/wolfcrypt/asn_public.h>
/* Sample certificate .p7b file, to be converted to DER/PEM */
#define p7bFile "../certs/test-degenerate.p7b"
/* Max PEM cert size, used to allocate memory below. Change as needed
* for your expected PEM certificate sizes */
#define MAX_PEM_CERT_SIZE 4096
#if defined(HAVE_PKCS7) && defined(WOLFSSL_DER_TO_PEM)
int main(int argc, char** argv)
{
int ret, i;
PKCS7* pkcs7;
word32 p7bBufSz; /* size of p7b we read, bytes */
byte p7bBuf[4096]; /* array to hold input p7b file */
byte* singleCertDer; /* tmp ptr to one DER cert in decoded PKCS7 */
word32 singleCertDerSz; /* tmp size of one DER cert in decoded PKCS7 */
byte* singleCertPem;
word32 singleCertPemSz;
FILE* file;
#ifdef DEBUG_WOLFSSL
wolfSSL_Debugging_ON();
#endif
/* read p7b file into buffer */
p7bBufSz = sizeof(p7bBuf);
file = fopen(p7bFile, "rb");
if (file == NULL) {
printf("Error opening %s\n", p7bFile);
return -1;
}
p7bBufSz = (word32)fread(p7bBuf, 1, p7bBufSz, file);
fclose(file);
/* extract cert from PKCS#7 (p7b) format */
pkcs7 = wc_PKCS7_New(NULL, INVALID_DEVID);
if (pkcs7 == NULL) {
printf("Error creating new PKCS7 structure\n");
return -1;
}
ret = wc_PKCS7_VerifySignedData(pkcs7, p7bBuf, p7bBufSz);
if (ret < 0) {
printf("Error in wc_PKCS7_VerifySignedData(), ret = %d\n", ret);
wc_PKCS7_Free(pkcs7);
return -1;
}
printf("Successfully verified SignedData bundle.\n");
/* wc_PKCS7_VerifySignedData() decodes input PKCS#7 and stores
* decoded DER certificates into pkcs7->cert[]. Sizes of each cert entry
* is stored in the separate pkcs7->certSz[] array. Max size of each
* of the arrays is MAX_PKCS7_CERTS. Array memory is owned by wolfCrypt
* PKCS7 and freed when calling wc_PKCS7_Free(). */
for (i = 0; i < MAX_PKCS7_CERTS; i++) {
if (pkcs7->certSz[i] == 0) {
/* reached end of valid certs in array */
break;
}
singleCertDer = pkcs7->cert[i];
singleCertDerSz = pkcs7->certSz[i];
printf("CERT [%d] size = %d bytes\n", i, singleCertDerSz);
/* allocate array for PEM */
singleCertPem = (byte*)XMALLOC(MAX_PEM_CERT_SIZE, NULL,
DYNAMIC_TYPE_TMP_BUFFER);
if (singleCertPem == NULL) {
printf("Error allocating memory for PEM\n");
break;
}
singleCertPemSz = MAX_PEM_CERT_SIZE;
XMEMSET(singleCertPem, 0, singleCertPemSz);
/* convert DER to PEM */
singleCertPemSz = wc_DerToPem(singleCertDer, singleCertDerSz,
singleCertPem, singleCertPemSz,
CERT_TYPE);
if (singleCertPem < 0) {
printf("Error converting DER to PEM, ret = %d\n", ret);
XFREE(singleCertPem, NULL, DYNAMIC_TYPE_TMP_BUFFER);
break;
}
printf("converted DER to PEM, pemSz = %d\n", singleCertPemSz);
printf("CERT [%d] PEM:\n", i);
/* print PEM to terminal, only if able to NULL terminate */
if (singleCertPemSz < MAX_PEM_CERT_SIZE - 1) {
singleCertPem[singleCertPemSz] = 0;
printf("%s\n", singleCertPem);
}
/* PEM is now in singleCertPem, of size singleCertPemSz */
XFREE(singleCertPem, NULL, DYNAMIC_TYPE_TMP_BUFFER);
}
wc_PKCS7_Free(pkcs7);
(void)argc;
(void)argv;
return 0;
}
#else
int main(int argc, char** argv)
{
printf("Must build wolfSSL using ./configure --enable-pkcs7 "
"CFLAGS=\"-DWOLFSSL_DER_TO_PEM\"\n");
return 0;
}
#endif