From 90b28b5cef16baeff731505bc306af9254e607dc Mon Sep 17 00:00:00 2001
From: JacobBarthelmeh
Date: Fri, 1 Mar 2024 23:43:46 +0700
Subject: [PATCH] add test case for verify of stream signed PKCS7 bundle
---
 certs/renewcerts.sh | 4 ++
 certs/test-stream-sign.p7b | Bin 0 -> 6228 bytes
 tests/api.c | 76 ++++++++++++++++++++++++++++++++++++-
 3 files changed, 79 insertions(+), 1 deletion(-)
 create mode 100644 certs/test-stream-sign.p7b
diff --git a/certs/renewcerts.sh b/certs/renewcerts.sh
index 5485656b6..d2482f510 100755
--- a/certs/renewcerts.sh
+++ b/certs/renewcerts.sh
@@ -854,6 +854,10 @@ run_renewcerts(){
 echo ""
 openssl crl2pkcs7 -nocrl -certfile ./client-cert.pem -out test-degenerate.p7b -outform DER
 check_result $? ""
+
+ openssl smime -sign -in ./ca-cert.pem -out test-stream-sign.p7b -signer ./ca-cert.pem -nodetach -nocerts -binary -outform DER -stream -inkey ./ca-key.pem
+ check_result $? ""
+
 echo "End of section"
 echo "---------------------------------------------------------------------"
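Review bot: The flags on the added `openssl smime` line are what the new case in tests/api.c depends on, but nothing in the script says so, which makes them easy to drop or "tidy" when the certificates are next regenerated. A comment above the command would record it, for example `# -stream gives indefinite-length BER, -nocerts omits the signer cert; tests/api.c expects PKCS7_SIGNEEDS_CHECK for this bundle`. The expected return code named there is taken from the test added in this same commit. run_renewcerts begins and ends outside the hunk.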
diff --git a/certs/test-stream-sign.p7b b/certs/test-stream-sign.p7b new file mode 100644 index 0000000000000000000000000000000000000000..05f6643c1b4679b77375ab3db0facb0d69e3a3c9 GIT binary patch literal 6228 zcmc&&dyFgBUB0{bmFwJ_n<`ZrK|`zxi8OnAeP+fpo;hUO%#6pc^<({7uUGt$d3x>j zW7i&gY!lGE7ZC-~7XC=76a*wvkxEgEC>0_oLZvOBiY6$cwEtA0NC8@iswzc|2&C|x z+1&nu_<>zmZ8_P>e+*NYr!lfsl z&MdiS&n+*VKSLIbmY%=yvp3G&y8n#s4*j;*woTuqktqI>rf=>)v9}F(IBF02G%7?N zB~$*xp$VI)y2G~FjTXl}%N-usvnfHK@i^s7YRXiyDdDJVQ%|B2p&m~Ygo+#`CXL(F z;V2iUo=Gj6x(ZeuZQpM7O@BOeqiVM`7`FZG9*vH+OK1#2`^PM@CO5b8*g>I>Vy7h-1Xc2 z*0rc!#6S=P*MmXV8;!cx?LqHa6ieG()p3UIXoUH8-y1x!U~t=y4YS*J+WzeJ0Lw~o z;72vr8w_0bC9ZnmdbTk*DJwvM{+&-r>kRp{Oi(><=YB*z_aVltv%rNnDOvZU3kz z_YI>cxijvLN5{`RoFs%=9wj!lP0Bm0|14zHrE;9cc`91ecBmjz&ZF^#dvLg#{fj1! zJ2W9u4h_vwOQM2E6^}X|+cV)%B2Y!9jzCTOWFH)t*+>#~UCNtm6Gx^NVQVE!C8!vu z#A5qnpJPpN=m*a+A7nypnDLY+)J;&^rg6C8(zwXBvK5-ZeM_9YgTPbQWDYAxh(#rZ zipT?Dj`1G5x*nnssVy@1PV_;>Dr8KeoJC!aN(m}qA#OgQagMDukqYdOS>fazOze-- z33WnTNJvy9Q~*F&%mG)XM5eq=6F>*&lpPY(#9EWeVbyqrayCo5onT8C+}O+$9D&c1 zqkxS=;|Skobw~A)F~VW>4u!v?8Vw9!+qpA$f~>=m9t{ zum|)B>nkKgV&y)u7FO6o7Dq)Kjo1_HbVXrpfN&IK7>wevXZw_nLc&o>*mDxQL1uzo z6NH0XkMX@K9m6W6w58v8>jUo@|;laiqDwt z4*G5%5G{$KkYIGm5kj~l_}UbSG7+Ng)OY)gbngJLgXu$n4UyHshG1_-dUqYjC#Y<& zcsY(H;#3ba&n2mlq6R*JKLXVRs>W#&>B0!1hDZ&WCdFfW9h|F<{cT3Xvwci|x083= zS=*uiSLZXxOSXqav**&7zFM!wsPFjB02Wl4*0a~d&aid|5?(T$Su}a;k+1u^9`$8tW9zBpT zAdkd#g8#Ua&M;UjI<6Czygo8p&@RX9Sc+=-YP8{6Oc72XR#=~~u7sjQ4_~`It#{iP zzGFJvtomNGUKBtFaPt%jA_H7lE_EcT0Lgg@Vv;3x$Ju4)8CHN+U=M&g@*dEJ4#g!0 zvV-b?`?AayGr&dtKn9Rzakd3OLoczFx{?;j3R7kCV4N6aRBfa-x9U{s95Atm5WoH+%1fcH`S z$O;%i0!|{4h(FW}EXfkfGgbn|VIxC?zyRP6PFY-!oMS(xx{zwfo$$^;e1NWi-HZ-F zJQibO#Ge4OB0-Df7nj%x4Ai0EpfZ4GE+cJ_1FHi54}Ae$;9hzFY?JAoBma?1$Pz}Z zp$r2ULd*cVSzVDr;C!6As2|z^#X}acUCbH*;%)t?c&1E~;fCAJNKc(Ap|b^|_kUTEz`bZPwK8 zMy*g$gJi3j+$fi`N!2M@yhxf2aeHArgK<4#3AVf~`3Z z_Y(JF*pXA?K6mSU>Rn=A3_bE*VqXlM^@5h|s70-{v$ws|PAdV?P~()UmUOi&t889x zt>M{FC&7FzU#ZSAgNojeNjyV_vq){TUY4yU*H>a|Ub)mH(%e;fYrHneG)Eb3ta0VM 
zk!zv0$-L1{_UA^-t!xT8yKm2=(Ox++=DSrxEll>-OB+)!oo{xVR)TjXyPBqTO|sTo zDRqN)vu?2V zO>R_3NzeL#ZP;-P#ooZFs>P1K_h9sx|gnIEg@Mpa%!bnHXCBkBHD4=X0{%AR|r$XWY#pb z9;kt##pbHbPR~>fBUMvtt(M=7xapK{r>EWU^rmfifvT!C)d>x&btBbL>sqTd)LKSL zE8D18GrJZvHLYCF07rw!oj?hkOtxBvrs{&cQp=eW-*n1@ak|#C+X1KgvuU}X*{aRw z&263EG3-dGTIuhKxngc*x6#_}#SAN#+|6>%b|Tx~N}GDii5amCzdb7Civ4PTR<7j> z`QfHnQk#~PSt&%U4zFffTBB;oV!XIJ$jdcFEm@UTWmu^WeZD>ti@BU&3?y&5RVhz0 zQp=x?CZ&<-<{Z7*j|8z&XWIyfS}7;JN>iF;N8NmXT%H@|wBD&oJA7gi+bMO1_SU5C zjU}nm=~#*d(9QBvH=d37rR-j1(C-X~C8CX$j@uI*!S0XLotUsyQ2SbXz z@rwGcmQ~a?KM+Z8WU5|Pi|l0$QW`gc4abnX_FmBPEx)I?HX57K#xCE__?wfFYC1)6 z*lWi+_0@f7Q<$9I7pWMe@ z?zw#N;2X^0$i>SS55CE8?;}^4P2}=Dhu>(p2gv)_(7l%&}JFUury;hz29z0Y1m zW)Gj2mzU4nKsZP5OHYuC7tXKTcXs*W@$pAl)CWJEFX2b>bGMexq`v#L%$LPW&wTKq z$>v+e@`aE8{b&BU^qa5zTKeTby7=1815bSMdmsCidq2Cm`|RWP55E1a-}>AazV-{( zpW1w&_}t&TaI^YnKYab#pS;rEc>HI6&wA`9AAi;T+#}bQSAn@-N%7ZSc;!EGPrdy^ zzy4ouS~ov!C8po{!S7x;^X$L>_UFBSDZcY>-?;IKKY0DoXI^|`pe&t_R6hD#|9ijR zx$pe{od5Hmds=?xiuu(){poj<54`y!`k@!Ee)lWC{GYFV=gQ8N`G-ICa`j*T;<5Ti zzv+5^`*!m$f9dP%KlX8wiOz7u^_`LXfN8(;eQ`aeDXJ5PP7D}DM? ok(xRGN&FMVo$5cl^WxySf2@DI_SJ_U`So8Ep0xk&!hR?JFXBYH-~a#s literal 0 HcmV?d00001 diff --git a/tests/api.c b/tests/api.c index 6bf2cb801..7c768d4e0 100644 --- a/tests/api.c +++ b/tests/api.c @@ -26945,7 +26945,7 @@ static int test_wc_PKCS7_EncodeSignedData(void) int certSz; int keySz; - ExpectTrue((fp = XOPEN("./certs/client-ecc-cert.der", "rb")) != + ExpectTrue((fp = XFOPEN("./certs/client-ecc-cert.der", "rb")) != XBADFILE); ExpectIntGT(certSz = (int)XFREAD(cert, 1, ONEK_BUF, fp), 0); if (fp != XBADFILE) { @@ -27099,6 +27099,7 @@ static int test_wc_PKCS7_EncodeSignedData(void) wc_PKCS7_Free(pkcs7); DoExpectIntEQ(wc_FreeRng(&rng), 0); + #endif return EXPECT_RESULT(); } /* END test_wc_PKCS7_EncodeSignedData */ 
@@ -28008,6 +28009,79 @@ static int test_wc_PKCS7_VerifySignedData_RSA(void)
 #endif /* !NO_PKCS7_STREAM */
 #endif /* !NO_RSA */
+#if defined(ASN_BER_TO_DER) && !defined(NO_PKCS7_STREAM) && \
+ !defined(NO_FILESYSTEM)
+ {
+ XFILE signedBundle = XBADFILE;
+ int signedBundleSz = 0;
+ int chunkSz = 1;
+ int i, rc;
+ byte* buf = NULL;
+
+ ExpectTrue((signedBundle = XFOPEN("./certs/test-stream-sign.p7b",
+ "rb")) != XBADFILE);
+ ExpectTrue(XFSEEK(signedBundle, 0, XSEEK_END) == 0);
+ ExpectIntGT(signedBundleSz = (int)XFTELL(signedBundle), 0);
+ ExpectTrue(XFSEEK(signedBundle, 0, XSEEK_SET) == 0);
+ ExpectNotNull(buf = (byte*)XMALLOC(signedBundleSz, HEAP_HINT,
+ DYNAMIC_TYPE_FILE));
+ if (buf != NULL) {
+ ExpectIntEQ(XFREAD(buf, 1, signedBundleSz, signedBundle),
+ signedBundleSz);
+ }
+ if (signedBundle != XBADFILE) {
+ XFCLOSE(signedBundle);
+ signedBundle = XBADFILE;
+ }
+
+ ExpectNotNull(pkcs7 = wc_PKCS7_New(HEAP_HINT, testDevId));
+ ExpectIntEQ(wc_PKCS7_InitWithCert(pkcs7, NULL, 0), 0);
+ for (i = 0; i < signedBundleSz;) {
+ int sz = (i + chunkSz > signedBundleSz)? signedBundleSz - i :
+ chunkSz;
+ rc = wc_PKCS7_VerifySignedData(pkcs7, buf + i, sz);
+ if (rc < 0 ) {
+ if (rc == WC_PKCS7_WANT_READ_E) {
+ i += sz;
+ continue;
+ }
+ break;
+ }
+ else {
+ break;
+ }
+ }
+ ExpectIntEQ(rc, PKCS7_SIGNEEDS_CHECK);
+ wc_PKCS7_Free(pkcs7);
+ pkcs7 = NULL;
+
+
+ /* now try with malformed bundle */
+ ExpectNotNull(pkcs7 = wc_PKCS7_New(HEAP_HINT, testDevId));
+ ExpectIntEQ(wc_PKCS7_InitWithCert(pkcs7, NULL, 0), 0);
+ buf[signedBundleSz - 2] = buf[signedBundleSz - 2] + 1;
+ for (i = 0; i < signedBundleSz;) {
+ int sz = (i + chunkSz > signedBundleSz)? signedBundleSz - i :
+ chunkSz;
+ rc = wc_PKCS7_VerifySignedData(pkcs7, buf + i, sz);
+ if (rc < 0 ) {
+ if (rc == WC_PKCS7_WANT_READ_E) {
+ i += sz;
+ continue;
+ }
+ break;
+ }
+ else {
+ break;
+ }
+ }
+ ExpectIntEQ(rc, ASN_PARSE_E);
+ wc_PKCS7_Free(pkcs7);
+ pkcs7 = NULL;
+ if (buf != NULL)
+ XFREE(buf, HEAP_HINT, DYNAMIC_TYPE_FILE);
+ }
+#endif /* BER and stream */
 #endif
 return EXPECT_RESULT();
 } /* END test_wc_PKCS7_VerifySignedData()_RSA */
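Review bot: The tamper step `buf[signedBundleSz - 2] = buf[signedBundleSz - 2] + 1;` runs unguarded, so if the bundle cannot be opened or XMALLOC fails it writes through a NULL `buf` (or at index -2 while `signedBundleSz` is still 0) and the test crashes instead of reporting a failure; the `if (buf != NULL)` before XFREE shows that NULL is an expected state here. Guard it, e.g. `if (buf != NULL && signedBundleSz >= 2) buf[signedBundleSz - 2]++;`, and declare `int i, rc = 0;` so the `ExpectIntEQ(rc, ...)` checks never read an indeterminate value when a loop body does not run. Both verify loops likewise pass `buf + i` to wc_PKCS7_VerifySignedData without checking `buf` or `pkcs7`. Separately, the positive case ends in PKCS7_SIGNEEDS_CHECK and the negative case in ASN_PARSE_E, so as far as this hunk shows neither path reaches an actual signature comparison; a case that supplies the signer certificate and alters a content byte would cover that. The enclosing test function begins outside the hunk.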