WolfSSL
/
wolfssl
mirror of https://github.com/wolfSSL/wolfssl.git
1
0
Fork 0
Code Issues Releases Wiki Activity

Merge pull request #6496 from JacobBarthelmeh/PKCS7 

parse ASN1 only with SMIME_read_PKCS7
pull/6592/head
Sean Parkinson 2023-07-10 10:16:20 +10:00 committed by GitHub
parent f2809c5a24 9d3a95a287
commit fa053be533
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 100 additions and 51 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

58
src/ssl.c
View File

@ -37036,19 +37036,14 @@ PKCS7* wolfSSL_d2i_PKCS7(PKCS7** p7, const unsigned char** in, int len)
return wolfSSL_d2i_PKCS7_ex(p7, in, len, NULL, 0);
}
/*****************************************************************************
* wolfSSL_d2i_PKCS7_ex - Converts the given unsigned char buffer of size len
* into a PKCS7 object. Optionally, accepts a byte buffer of content which
* is stored as the PKCS7 object's content, to support detached signatures.
* @param content The content which is signed, in case the signature is
* detached. Ignored if NULL.
* @param contentSz The size of the passed in content.
/* This internal function is only decoding and setting up the PKCS7 struct. It
* does not verify the PKCS7 signature.
*
* RETURNS:
* returns pointer to a PKCS7 structure on success, otherwise returns NULL
*/
PKCS7* wolfSSL_d2i_PKCS7_ex(PKCS7** p7, const unsigned char** in, int len,
byte* content, word32 contentSz)
static PKCS7* wolfSSL_d2i_PKCS7_only(PKCS7** p7, const unsigned char** in,
int len, byte* content, word32 contentSz)
{
WOLFSSL_PKCS7* pkcs7 = NULL;
@ -37072,12 +37067,6 @@ PKCS7* wolfSSL_d2i_PKCS7_ex(PKCS7** p7, const unsigned char** in, int len,
pkcs7->pkcs7.content = content;
pkcs7->pkcs7.contentSz = contentSz;
}
if (wc_PKCS7_VerifySignedData(&pkcs7->pkcs7, pkcs7->data, pkcs7->len)
!= 0) {
WOLFSSL_MSG("wc_PKCS7_VerifySignedData failed");
wolfSSL_PKCS7_free((PKCS7*)pkcs7);
return NULL;
}
if (p7 != NULL)
*p7 = (PKCS7*)pkcs7;
@ -37085,6 +37074,43 @@ PKCS7* wolfSSL_d2i_PKCS7_ex(PKCS7** p7, const unsigned char** in, int len,
return (PKCS7*)pkcs7;
}
/*****************************************************************************
* wolfSSL_d2i_PKCS7_ex - Converts the given unsigned char buffer of size len
* into a PKCS7 object. Optionally, accepts a byte buffer of content which
* is stored as the PKCS7 object's content, to support detached signatures.
* @param content The content which is signed, in case the signature is
* detached. Ignored if NULL.
* @param contentSz The size of the passed in content.
*
* RETURNS:
* returns pointer to a PKCS7 structure on success, otherwise returns NULL
*/
PKCS7* wolfSSL_d2i_PKCS7_ex(PKCS7** p7, const unsigned char** in, int len,
byte* content, word32 contentSz)
{
WOLFSSL_PKCS7* pkcs7 = NULL;
WOLFSSL_ENTER("wolfSSL_d2i_PKCS7_ex");
if (in == NULL || *in == NULL || len < 0)
return NULL;
pkcs7 = (WOLFSSL_PKCS7*)wolfSSL_d2i_PKCS7_only(p7, in, len, content,
contentSz);
if (pkcs7 != NULL) {
if (wc_PKCS7_VerifySignedData(&pkcs7->pkcs7, pkcs7->data, pkcs7->len)
!= 0) {
WOLFSSL_MSG("wc_PKCS7_VerifySignedData failed");
wolfSSL_PKCS7_free((PKCS7*)pkcs7);
return NULL;
}
}
return (PKCS7*)pkcs7;
}
/**
* This API was added as a helper function for libest. It
* extracts a stack of certificates from the pkcs7 object.
@ -38256,7 +38282,7 @@ PKCS7* wolfSSL_SMIME_read_PKCS7(WOLFSSL_BIO* in,
WOLFSSL_MSG("Error base64 decoding S/MIME message.");
goto error;
}
pkcs7 = wolfSSL_d2i_PKCS7_ex(NULL, (const unsigned char**)&out, outLen,
pkcs7 = wolfSSL_d2i_PKCS7_only(NULL, (const unsigned char**)&out, outLen,
bcontMem, bcontMemSz);
wc_MIME_free_hdrs(allHdrs);

18
tests/api.c
View File

@ -25656,18 +25656,32 @@ static int test_wc_PKCS7_EncodeDecodeEnvelopedData(void)
tempWrd32 = pkcs7->singleCertSz;
pkcs7->singleCertSz = 0;
}
#if defined(WOLFSSL_ASN_TEMPLATE)
ExpectIntEQ(wc_PKCS7_DecodeEnvelopedData(pkcs7, output,
(word32)sizeof(output), decoded, (word32)sizeof(decoded)),
BAD_FUNC_ARG);
BUFFER_E);
#else
ExpectIntEQ(wc_PKCS7_DecodeEnvelopedData(pkcs7, output,
(word32)sizeof(output), decoded, (word32)sizeof(decoded)),
ASN_PARSE_E);
#endif
if (pkcs7 != NULL) {
pkcs7->singleCertSz = tempWrd32;
tmpBytePtr = pkcs7->singleCert;
pkcs7->singleCert = NULL;
}
#if defined(NO_PKCS7_STREAM)
/* when none streaming mode is used and PKCS7 is in bad state buffer error
* is returned from kari parse which gets set to bad func arg */
ExpectIntEQ(wc_PKCS7_DecodeEnvelopedData(pkcs7, output,
(word32)sizeof(output), decoded, (word32)sizeof(decoded)),
BAD_FUNC_ARG);
#else
ExpectIntEQ(wc_PKCS7_DecodeEnvelopedData(pkcs7, output,
(word32)sizeof(output), decoded, (word32)sizeof(decoded)),
ASN_PARSE_E);
#endif
if (pkcs7 != NULL) {
pkcs7->singleCert = tmpBytePtr;
}
@ -48860,7 +48874,7 @@ static int test_wolfSSL_SMIME_read_PKCS7(void)
smimeTestFile = XFOPEN("./certs/test/smime-test-multipart-badsig.p7s", "r");
ExpectIntEQ(wolfSSL_BIO_set_fp(bio, smimeTestFile, BIO_CLOSE), SSL_SUCCESS);
pkcs7 = wolfSSL_SMIME_read_PKCS7(bio, &bcont);
ExpectNull(pkcs7);
ExpectNotNull(pkcs7); /* can read in the unverified smime bundle */
ExpectIntEQ(wolfSSL_PKCS7_verify(pkcs7, NULL, NULL, bcont, NULL,
PKCS7_NOVERIFY), SSL_FAILURE);
XFCLOSE(smimeTestFile);

75
wolfcrypt/src/pkcs7.c
View File

@ -5771,29 +5771,30 @@ static int wc_PKCS7_KariParseRecipCert(WC_PKCS7_KARI* kari, const byte* cert,
int ret;
word32 idx;
if (kari == NULL || kari->decoded == NULL ||
cert == NULL || certSz == 0)
if (kari == NULL || kari->decoded == NULL) {
return BAD_FUNC_ARG;
}
/* decode certificate */
InitDecodedCert(kari->decoded, (byte*)cert, certSz, kari->heap);
kari->decodedInit = 1;
ret = ParseCert(kari->decoded, CA_TYPE, NO_VERIFY, 0);
if (ret < 0)
return ret;
if (cert != NULL) {
InitDecodedCert(kari->decoded, (byte*)cert, certSz, kari->heap);
kari->decodedInit = 1;
ret = ParseCert(kari->decoded, CA_TYPE, NO_VERIFY, 0);
if (ret < 0)
return ret;
/* only supports ECDSA for now */
if (kari->decoded->keyOID != ECDSAk) {
WOLFSSL_MSG("CMS KARI only supports ECDSA key types");
return BAD_FUNC_ARG;
/* only supports ECDSA for now */
if (kari->decoded->keyOID != ECDSAk) {
WOLFSSL_MSG("CMS KARI only supports ECDSA key types");
return BAD_FUNC_ARG;
}
/* make sure subject key id was read from cert */
if (kari->decoded->extSubjKeyIdSet == 0) {
WOLFSSL_MSG("Failed to read subject key ID from recipient cert");
return BAD_FUNC_ARG;
}
}
/* make sure subject key id was read from cert */
if (kari->decoded->extSubjKeyIdSet == 0) {
WOLFSSL_MSG("Failed to read subject key ID from recipient cert");
return BAD_FUNC_ARG;
}
ret = wc_ecc_init_ex(kari->recipKey, kari->heap, kari->devId);
if (ret != 0)
return ret;
@ -5802,6 +5803,10 @@ static int wc_PKCS7_KariParseRecipCert(WC_PKCS7_KARI* kari, const byte* cert,
/* get recip public key */
if (kari->direction == WC_PKCS7_ENCODE) {
if (cert == NULL) {
WOLFSSL_MSG("Error recipient cert can not be null with encode");
return BAD_FUNC_ARG;
}
idx = 0;
ret = wc_EccPublicKeyDecode(kari->decoded->publicKey, &idx,
@ -9270,7 +9275,14 @@ static int wc_PKCS7_KariGetIssuerAndSerialNumber(WC_PKCS7_KARI* kari,
}
/* if we found correct recipient, issuer hashes will match */
if (XMEMCMP(rid, kari->decoded->issuerHash, keyIdSize) == 0) {
if (kari->decodedInit == 1) {
if (XMEMCMP(rid, kari->decoded->issuerHash, keyIdSize) == 0) {
*recipFound = 1;
}
}
else {
/* can not confirm recipient serial number with no cert provided */
WOLFSSL_MSG("No recipient cert loaded to match with CMS serial number");
*recipFound = 1;
}
@ -9308,7 +9320,8 @@ static int wc_PKCS7_KariGetIssuerAndSerialNumber(WC_PKCS7_KARI* kari,
return ret;
}
if (mp_cmp(recipSerial, serial) != MP_EQ) {
if (kari->decodedInit == 1 &&
mp_cmp(recipSerial, serial) != MP_EQ) {
mp_clear(serial);
mp_clear(recipSerial);
WOLFSSL_MSG("CMS serial number does not match recipient");
@ -9944,8 +9957,6 @@ static int wc_PKCS7_DecryptKari(PKCS7* pkcs7, byte* in, word32 inSz,
WOLFSSL_ENTER("wc_PKCS7_DecryptKari");
if (pkcs7 == NULL || pkiMsg == NULL ||
((pkcs7->singleCert == NULL || pkcs7->singleCertSz == 0) &&
pkcs7->wrapCEKCb == NULL) ||
idx == NULL || decryptedKey == NULL || decryptedKeySz == NULL) {
return BAD_FUNC_ARG;
}
@ -9986,17 +9997,15 @@ static int wc_PKCS7_DecryptKari(PKCS7* pkcs7, byte* in, word32 inSz,
encryptedKeySz = MAX_ENCRYPTED_KEY_SZ;
/* parse cert and key */
if (pkcs7->singleCert != NULL) {
ret = wc_PKCS7_KariParseRecipCert(kari, (byte*)pkcs7->singleCert,
pkcs7->singleCertSz, pkcs7->privateKey,
pkcs7->privateKeySz);
if (ret != 0) {
wc_PKCS7_KariFree(kari);
#ifdef WOLFSSL_SMALL_STACK
XFREE(encryptedKey, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
#endif
return ret;
}
ret = wc_PKCS7_KariParseRecipCert(kari, (byte*)pkcs7->singleCert,
pkcs7->singleCertSz, pkcs7->privateKey,
pkcs7->privateKeySz);
if (ret != 0) {
wc_PKCS7_KariFree(kari);
#ifdef WOLFSSL_SMALL_STACK
XFREE(encryptedKey, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
#endif
return ret;
}
/* remove OriginatorIdentifierOrKey */