Merge pull request #7272 from JacobBarthelmeh/pkcs7-enc

IO callbacks for content and output with PKCS7 bundle sign/encrypt

tests/api.c

@@ -26871,6 +26871,43 @@ static int rsaSignRawDigestCb(PKCS7* pkcs7, byte* digest, word32 digestSz,
 }
 #endif
 
+#if defined(HAVE_PKCS7) && defined(ASN_BER_TO_DER)
+typedef struct encodeSignedDataStream {
+    byte out[FOURK_BUF*3];
+    int  idx;
+    word32 outIdx;
+} encodeSignedDataStream;
+
+
+/* content is 8k of partially created bundle */
+static int GetContentCB(PKCS7* pkcs7, byte** content, void* ctx)
+{
+    int ret = 0;
+    encodeSignedDataStream* strm = (encodeSignedDataStream*)ctx;
+
+    if (strm->outIdx  < pkcs7->contentSz) {
+        ret = (pkcs7->contentSz > strm->outIdx + FOURK_BUF)?
+                FOURK_BUF : pkcs7->contentSz - strm->outIdx;
+        *content = strm->out + strm->outIdx;
+        strm->outIdx += ret;
+    }
+
+    (void)pkcs7;
+    return ret;
+}
+
+static int StreamOutputCB(PKCS7* pkcs7, const byte* output, word32 outputSz,
+    void* ctx)
+{
+    encodeSignedDataStream* strm = (encodeSignedDataStream*)ctx;
+
+    XMEMCPY(strm->out + strm->idx, output, outputSz);
+    strm->idx += outputSz;
+    (void)pkcs7;
+    return 0;
+}
+#endif
+
 
 /*
  * Testing wc_PKCS7_EncodeSignedData()
@@ -26999,6 +27036,7 @@ static int test_wc_PKCS7_EncodeSignedData(void)
     /* reinitialize and test setting stream mode */
     {
         int signedSz;
+        encodeSignedDataStream strm;
 
         ExpectNotNull(pkcs7 = wc_PKCS7_New(HEAP_HINT, testDevId));
         ExpectIntEQ(wc_PKCS7_Init(pkcs7, HEAP_HINT, INVALID_DEVID), 0);
@@ -27019,8 +27057,9 @@ static int test_wc_PKCS7_EncodeSignedData(void)
             pkcs7->rng = &rng;
         }
         ExpectIntEQ(wc_PKCS7_GetStreamMode(pkcs7), 0);
-        ExpectIntEQ(wc_PKCS7_SetStreamMode(pkcs7, 1), 0);
-        ExpectIntEQ(wc_PKCS7_SetStreamMode(NULL, 1), BAD_FUNC_ARG);
+        ExpectIntEQ(wc_PKCS7_SetStreamMode(pkcs7, 1, NULL, NULL, NULL), 0);
+        ExpectIntEQ(wc_PKCS7_SetStreamMode(NULL, 1, NULL, NULL, NULL),
+            BAD_FUNC_ARG);
         ExpectIntEQ(wc_PKCS7_GetStreamMode(pkcs7), 1);
 
         ExpectIntGT(signedSz = wc_PKCS7_EncodeSignedData(pkcs7, output,
@@ -27033,6 +27072,39 @@ static int test_wc_PKCS7_EncodeSignedData(void)
 
         /* use exact signed buffer size since BER encoded */
         ExpectIntEQ(wc_PKCS7_VerifySignedData(pkcs7, output, signedSz), 0);
+        wc_PKCS7_Free(pkcs7);
+
+        /* now try with using callbacks for IO */
+        ExpectNotNull(pkcs7 = wc_PKCS7_New(HEAP_HINT, testDevId));
+        ExpectIntEQ(wc_PKCS7_Init(pkcs7, HEAP_HINT, INVALID_DEVID), 0);
+
+        ExpectIntEQ(wc_PKCS7_InitWithCert(pkcs7, cert, certSz), 0);
+
+        if (pkcs7 != NULL) {
+            pkcs7->contentSz  = FOURK_BUF*2;
+            pkcs7->privateKey = key;
+            pkcs7->privateKeySz = (word32)sizeof(key);
+            pkcs7->encryptOID = RSAk;
+        #ifdef NO_SHA
+            pkcs7->hashOID = SHA256h;
+        #else
+            pkcs7->hashOID = SHAh;
+        #endif
+            pkcs7->rng = &rng;
+        }
+        XMEMSET(&strm, 0, sizeof(strm));
+        ExpectIntEQ(wc_PKCS7_SetStreamMode(pkcs7, 1, GetContentCB,
+            StreamOutputCB, (void*)&strm), 0);
+
+        ExpectIntGT(signedSz = wc_PKCS7_EncodeSignedData(pkcs7, NULL, 0), 0);
+        wc_PKCS7_Free(pkcs7);
+        pkcs7 = NULL;
+
+        ExpectNotNull(pkcs7 = wc_PKCS7_New(HEAP_HINT, testDevId));
+        ExpectIntEQ(wc_PKCS7_InitWithCert(pkcs7, NULL, 0), 0);
+
+        /* use exact signed buffer size since BER encoded */
+        ExpectIntEQ(wc_PKCS7_VerifySignedData(pkcs7, strm.out, signedSz), 0);
     }
 #endif
 #ifndef NO_PKCS7_STREAM
@@ -28594,7 +28666,9 @@ static int test_wc_PKCS7_EncodeDecodeEnvelopedData(void)
     testSz = (int)sizeof(testVectors)/(int)sizeof(pkcs7EnvelopedVector);
     for (i = 0; i < testSz; i++) {
     #ifdef ASN_BER_TO_DER
-        /* test setting stream mode */
+        encodeSignedDataStream strm;
+
+        /* test setting stream mode, the first one using IO callbacks */
         ExpectIntEQ(wc_PKCS7_InitWithCert(pkcs7, (testVectors + i)->cert,
                                     (word32)(testVectors + i)->certSz), 0);
         if (pkcs7 != NULL) {
@@ -28602,7 +28676,8 @@ static int test_wc_PKCS7_EncodeDecodeEnvelopedData(void)
             pkcs7->rng = &rng;
         #endif
 
-            pkcs7->content       = (byte*)(testVectors + i)->content;
+            if (i != 0)
+                pkcs7->content       = (byte*)(testVectors + i)->content;
             pkcs7->contentSz     = (testVectors + i)->contentSz;
             pkcs7->contentOID    = (testVectors + i)->contentOID;
             pkcs7->encryptOID    = (testVectors + i)->encryptOID;
@@ -28611,16 +28686,61 @@ static int test_wc_PKCS7_EncodeDecodeEnvelopedData(void)
             pkcs7->privateKey    = (testVectors + i)->privateKey;
             pkcs7->privateKeySz  = (testVectors + i)->privateKeySz;
         }
-        ExpectIntEQ(wc_PKCS7_SetStreamMode(pkcs7, 1), 0);
 
-        ExpectIntGE(encodedSz = wc_PKCS7_EncodeEnvelopedData(pkcs7, output,
-            (word32)sizeof(output)), 0);
+        if (i == 0) {
+            XMEMSET(&strm, 0, sizeof(strm));
+            ExpectIntEQ(wc_PKCS7_SetStreamMode(pkcs7, 1, GetContentCB,
+                StreamOutputCB, (void*)&strm), 0);
+            encodedSz = wc_PKCS7_EncodeEnvelopedData(pkcs7, NULL, 0);
+        }
+        else {
+            ExpectIntEQ(wc_PKCS7_SetStreamMode(pkcs7, 1, NULL, NULL, NULL), 0);
+            encodedSz = wc_PKCS7_EncodeEnvelopedData(pkcs7, output,
+                (word32)sizeof(output));
+        }
 
-        decodedSz = wc_PKCS7_DecodeEnvelopedData(pkcs7, output,
-            (word32)encodedSz, decoded, (word32)sizeof(decoded));
-        ExpectIntGE(decodedSz, 0);
-        /* Verify the size of each buffer. */
-        ExpectIntEQ((word32)sizeof(input)/sizeof(char), decodedSz);
+        switch ((testVectors + i)->encryptOID) {
+        #ifndef NO_DES3
+            case DES3b:
+            case DESb:
+                ExpectIntEQ(encodedSz, BAD_FUNC_ARG);
+                break;
+        #endif
+        #ifdef HAVE_AESCCM
+        #ifdef WOLFSSL_AES_128
+            case AES128CCMb:
+                ExpectIntEQ(encodedSz, BAD_FUNC_ARG);
+                break;
+        #endif
+        #ifdef WOLFSSL_AES_192
+            case AES192CCMb:
+                ExpectIntEQ(encodedSz, BAD_FUNC_ARG);
+                break;
+        #endif
+        #ifdef WOLFSSL_AES_256
+            case AES256CCMb:
+                ExpectIntEQ(encodedSz, BAD_FUNC_ARG);
+                break;
+        #endif
+        #endif
+            default:
+                ExpectIntGE(encodedSz, 0);
+        }
+
+        if (encodedSz > 0) {
+            if (i == 0) {
+                decodedSz = wc_PKCS7_DecodeEnvelopedData(pkcs7,
+                    strm.out, (word32)encodedSz, decoded,
+                    (word32)sizeof(decoded));
+            }
+            else {
+                decodedSz = wc_PKCS7_DecodeEnvelopedData(pkcs7, output,
+                    (word32)encodedSz, decoded, (word32)sizeof(decoded));
+            }
+            ExpectIntGE(decodedSz, 0);
+            /* Verify the size of each buffer. */
+            ExpectIntEQ((word32)sizeof(input)/sizeof(char), decodedSz);
+        }
         wc_PKCS7_Free(pkcs7);
         pkcs7 = NULL;
         ExpectNotNull(pkcs7 = wc_PKCS7_New(HEAP_HINT, testDevId));

wolfcrypt/src/asn.c

@@ -3465,7 +3465,9 @@ word32 SetBitString(word32 len, byte unusedBits, byte* output)
 
 #ifdef ASN_BER_TO_DER
 
-#define BER_OCTET_LENGTH 4096
+#ifndef BER_OCTET_LENGTH
+    #define BER_OCTET_LENGTH 4096
+#endif
 
 /* sets the terminating 0x00 0x00 at the end of an indefinite length
  * returns the number of bytes written */

wolfssl/wolfcrypt/pkcs7.h

@@ -225,6 +225,11 @@ typedef int (*CallbackWrapCEK)(PKCS7* pkcs7, byte* cek, word32 cekSz,
                                   byte* out, word32 outSz,
                                   int keyWrapAlgo, int type, int dir);
 
+/* Callbacks for supporting different stream cases */
+typedef int (*CallbackGetContent)(PKCS7* pkcs7, byte** content, void* ctx);
+typedef int (*CallbackStreamOut)(PKCS7* pkcs7, const byte* output,
+        word32 outputSz, void* ctx);
+
 #if defined(HAVE_PKCS7_RSA_RAW_SIGN_CALLBACK) && !defined(NO_RSA)
 /* RSA sign raw digest callback, user builds DigestInfo */
 typedef int (*CallbackRsaSignRawDigest)(PKCS7* pkcs7, byte* digest,
@@ -248,6 +253,9 @@ struct PKCS7 {
 #ifdef ASN_BER_TO_DER
     byte*  der;                   /* DER encoded version of message       */
     word32 derSz;
+    CallbackGetContent getContentCb;
+    CallbackStreamOut  streamOutCb;
+    void*  streamCtx; /* passed to getcontentCb and streamOutCb */
 #endif
     byte   encodeStream:1;        /* use BER when encoding */
     byte   noCerts:1;             /* if certificates should be added into bundle
@@ -499,7 +507,11 @@ WOLFSSL_API int  wc_PKCS7_SetDecodeEncryptedCb(PKCS7* pkcs7,
 WOLFSSL_API int  wc_PKCS7_SetDecodeEncryptedCtx(PKCS7* pkcs7, void* ctx);
 #endif /* NO_PKCS7_ENCRYPTED_DATA */
 
-WOLFSSL_API int wc_PKCS7_SetStreamMode(PKCS7* pkcs7, byte flag);
+/* stream and certs */
+WOLFSSL_LOCAL int wc_PKCS7_WriteOut(PKCS7* pkcs7, byte* output,
+    const byte* input, word32 inputSz);
+WOLFSSL_API int wc_PKCS7_SetStreamMode(PKCS7* pkcs7, byte flag,
+    CallbackGetContent getContentCb, CallbackStreamOut streamOutCb, void* ctx);
 WOLFSSL_API int wc_PKCS7_GetStreamMode(PKCS7* pkcs7);
 WOLFSSL_API int wc_PKCS7_SetNoCerts(PKCS7* pkcs7, byte flag);
 WOLFSSL_API int wc_PKCS7_GetNoCerts(PKCS7* pkcs7);