diff --git a/.gitignore b/.gitignore index 915fd9c3..de4b9ceb 100644 --- a/.gitignore +++ b/.gitignore @@ -150,6 +150,8 @@ pkcs7/signedData-DetachedSignature pkcs7/signedData-EncryptedFirmwarePkgData pkcs7/signedData-CompressedFirmwarePkgData pkcs7/signedData-EncryptedCompressedFirmwarePkgData +pkcs7/signedData-EncryptedFirmwareCB +pkcs7/signedData-p7b *.dSYM certmanager/certloadverifybuffer diff --git a/certs/test-degenerate.p7b b/certs/test-degenerate.p7b new file mode 100644 index 00000000..80ea2356 Binary files /dev/null and b/certs/test-degenerate.p7b differ diff --git a/pkcs7/README.md b/pkcs7/README.md index a0d2fbec..55022ad5 100644 --- a/pkcs7/README.md +++ b/pkcs7/README.md @@ -570,6 +570,52 @@ Successfully encoded Signed Encrypted Compressed FirmwarePkgData (signedEncrypte Successfully extracted and verified bundle contents ``` +### Converting P7B Certificate Bundle to PEM using PKCS7 SignedData API + +Example file: `signedData-p7b.c` + +This example parses a .p7b certificate bundle using wolfCrypt's PKCS#7 +SignedData API, looping over each extracted certificate, converting each +certificate to PEM format (from DER), and printing it to the terminal for +info/reference. + +``` +./signedData-p7b +Successfully verified SignedData bundle. +CERT [0] size = 1291 bytes +converted DER to PEM, pemSz = 1805 +CERT [0] PEM: +-----BEGIN CERTIFICATE----- +MIIFBzCCA++gAwIBAgIJAPFcmUNmPZYEMA0GCSqGSIb3DQEBCwUAMIGeMQswCQYD +VQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjEVMBMG +A1UECgwMd29sZlNTTF8yMDQ4MRkwFwYDVQQLDBBQcm9ncmFtbWluZy0yMDQ4MRgw +FgYDVQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29s +ZnNzbC5jb20wHhcNMjEwMjEwMTk0OTUyWhcNMjMxMTA3MTk0OTUyWjCBnjELMAkG +A1UEBhMCVVMxEDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xFTAT +BgNVBAoMDHdvbGZTU0xfMjA0ODEZMBcGA1UECwwQUHJvZ3JhbW1pbmctMjA0ODEY +MBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdv +bGZzc2wuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwwPRK/45 +pDJFO1PIhCsqfHSavaoqUgdH1qY2sgcyjtC6aXvGw0Se1IFI/S1oootnu6F1yDYs +StIb94u6zw357+zxgR57mwNHmr9lzH9lJGmm6BSJW+Q098WwFJP1Z3s6enjhAVZW +kaYTQo3SPECcTO/Rht83URsMoTv18aNKNeThzpbfG36/TpfQEOioCDCBryALQxTF +dGe0MoJvjYbCiECZNoO6HkByIhfXUmUkc7DO7xnNrv94bHvAEgPUTnINUG07ozuj +mV6dyNkMhbPZitlUJttt+qy7/yVMxNF59HHThkAYE7BjtXJOMMSXhIYtVi/XFfd/ +wK71/Fvl+6G60wIDAQABo4IBRDCCAUAwHQYDVR0OBBYEFDPYRWbXaIcYflQNcCeR +xybXhWXAMIHTBgNVHSMEgcswgciAFDPYRWbXaIcYflQNcCeRxybXhWXAoYGkpIGh +MIGeMQswCQYDVQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96 +ZW1hbjEVMBMGA1UECgwMd29sZlNTTF8yMDQ4MRkwFwYDVQQLDBBQcm9ncmFtbWlu +Zy0yMDQ4MRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEW +EGluZm9Ad29sZnNzbC5jb22CCQDxXJlDZj2WBDAMBgNVHRMEBTADAQH/MBwGA1Ud +EQQVMBOCC2V4YW1wbGUuY29thwR/AAABMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggr +BgEFBQcDAjANBgkqhkiG9w0BAQsFAAOCAQEAuitI0ajjwoRClqF85fFGukz3h1fH +eMjBMsRp/4W7XWrdyYd+/rv0/RUKTJSVgDCQRQP4M4fKX3Q4pNBax2U4w7Doh7FJ +Mrms6fvTCB2kUXvX2Ut5NaI6C+QMoAKcoWjhXWyOLjok3rvWHKesLs1XREj2cuDH +W5PcfVtkDheEaCyVHSyG1rB0Z1Fue/TVYThRsxjjEBZzSzaKimIF9VaKviHheH2/ +rUX5C/WvoGIB/T9J3zk8/0boCv5ca7tBpWTxXJtRTLxtn6Mg7elI4am+CC2FQlnW +Q31HIqX6H6JYdgtwHB1ZHaq+XS0lfLEGtsCqKKqTfNC9Q62RUBx7TfPk1w== +-----END CERTIFICATE----- +``` + ## Support Please email wolfSSL support at support@wolfssl.com with any questions about diff --git a/pkcs7/signedData-p7b.c b/pkcs7/signedData-p7b.c new file mode 100644 index 00000000..b9520ff0 --- /dev/null +++ b/pkcs7/signedData-p7b.c @@ -0,0 +1,151 @@ +/* signedData-p7b.c + * + * Copyright (C) 2006-2020 wolfSSL Inc. + * + * This file is part of wolfSSL. (formerly known as CyaSSL) + * + * wolfSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * wolfSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA + * + * DESCRIPTION: + * + * This file includes an example of parsing a .p7b certificate bundle using + * wolfCrypt's PKCS#7 SignedData API, looping over each extracted certificate, + * converting each certificate to PEM format (from DER), and printing + * it to the terminal for info/reference. + * + * This is only provided as an example and may need modification if integrated + * into a production application. + */ +#include +#include +#include + +/* Sample certificate .p7b file, to be converted to DER/PEM */ +#define p7bFile "../certs/test-degenerate.p7b" + +/* Max PEM cert size, used to allocate memory below. Change as needed + * for your expected PEM certificate sizes */ +#define MAX_PEM_CERT_SIZE 4096 + +#if defined(HAVE_PKCS7) && defined(WOLFSSL_DER_TO_PEM) + +int main(int argc, char** argv) +{ + int ret, i; + PKCS7* pkcs7; + word32 p7bBufSz; /* size of p7b we read, bytes */ + byte p7bBuf[4096]; /* array to hold input p7b file */ + byte* singleCertDer; /* tmp ptr to one DER cert in decoded PKCS7 */ + word32 singleCertDerSz; /* tmp size of one DER cert in decoded PKCS7 */ + byte* singleCertPem; + word32 singleCertPemSz; + FILE* file; + +#ifdef DEBUG_WOLFSSL + wolfSSL_Debugging_ON(); +#endif + + /* read p7b file into buffer */ + p7bBufSz = sizeof(p7bBuf); + file = fopen(p7bFile, "rb"); + if (file == NULL) { + printf("Error opening %s\n", p7bFile); + return -1; + } + p7bBufSz = (word32)fread(p7bBuf, 1, p7bBufSz, file); + fclose(file); + + /* extract cert from PKCS#7 (p7b) format */ + pkcs7 = wc_PKCS7_New(NULL, INVALID_DEVID); + if (pkcs7 == NULL) { + printf("Error creating new PKCS7 structure\n"); + return -1; + } + + ret = wc_PKCS7_VerifySignedData(pkcs7, p7bBuf, p7bBufSz); + if (ret < 0) { + printf("Error in wc_PKCS7_VerifySignedData(), ret = %d\n", ret); + wc_PKCS7_Free(pkcs7); + return -1; + } + printf("Successfully verified SignedData bundle.\n"); + + /* wc_PKCS7_VerifySignedData() decodes input PKCS#7 and stores + * decoded DER certificates into pkcs7->cert[]. Sizes of each cert entry + * is stored in the separate pkcs7->certSz[] array. Max size of each + * of the arrays is MAX_PKCS7_CERTS. Array memory is owned by wolfCrypt + * PKCS7 and freed when calling wc_PKCS7_Free(). */ + + for (i = 0; i < MAX_PKCS7_CERTS; i++) { + if (pkcs7->certSz[i] == 0) { + /* reached end of valid certs in array */ + break; + } + + singleCertDer = pkcs7->cert[i]; + singleCertDerSz = pkcs7->certSz[i]; + printf("CERT [%d] size = %d bytes\n", i, singleCertDerSz); + + /* allocate array for PEM */ + singleCertPem = (byte*)XMALLOC(MAX_PEM_CERT_SIZE, NULL, + DYNAMIC_TYPE_TMP_BUFFER); + if (singleCertPem == NULL) { + printf("Error allocating memory for PEM\n"); + break; + } + singleCertPemSz = MAX_PEM_CERT_SIZE; + XMEMSET(singleCertPem, 0, singleCertPemSz); + + /* convert DER to PEM */ + singleCertPemSz = wc_DerToPem(singleCertDer, singleCertDerSz, + singleCertPem, singleCertPemSz, + CERT_TYPE); + if (singleCertPem < 0) { + printf("Error converting DER to PEM, ret = %d\n", ret); + XFREE(singleCertPem, NULL, DYNAMIC_TYPE_TMP_BUFFER); + break; + } + printf("converted DER to PEM, pemSz = %d\n", singleCertPemSz); + printf("CERT [%d] PEM:\n", i); + + /* print PEM to terminal, only if able to NULL terminate */ + if (singleCertPemSz < MAX_PEM_CERT_SIZE - 1) { + singleCertPem[singleCertPemSz] = 0; + printf("%s\n", singleCertPem); + } + + /* PEM is now in singleCertPem, of size singleCertPemSz */ + XFREE(singleCertPem, NULL, DYNAMIC_TYPE_TMP_BUFFER); + } + + wc_PKCS7_Free(pkcs7); + + (void)argc; + (void)argv; + + return 0; +} + +#else + +int main(int argc, char** argv) +{ + printf("Must build wolfSSL using ./configure --enable-pkcs7 " + "CFLAGS=\"-DWOLFSSL_DER_TO_PEM\"\n"); + return 0; +} + +#endif +