pkcs7: Use better return code for unimplemented specifications

In response to feedback [1] [2], use MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE
instead of MBEDTLS_ERR_PKCS7_INVALID_FORMAT for errors due to the
pkcs7 implementation being incomplete.

[1] https://github.com/Mbed-TLS/mbedtls/pull/3431#discussion_r953649079
[2] https://github.com/Mbed-TLS/mbedtls/pull/3431#discussion_r953658276

Signed-off-by: Nick Child <nick.child@ibm.com>
Nick Child 2022-09-14 14:44:03 -05:00
parent 7089ce8381
commit 34d5e931cf
2 changed files with 4 additions and 4 deletions

@ -168,7 +168,6 @@ static int pkcs7_get_digest_algorithm_set( unsigned char **p,
end = *p + len;
/** For now, it assumes there is only one digest algorithm specified **/
ret = mbedtls_asn1_get_alg_null( p, end, alg );
if( ret != 0 )
{
@ -176,8 +175,9 @@ static int pkcs7_get_digest_algorithm_set( unsigned char **p,
goto out;
}
/** For now, it assumes there is only one digest algorithm specified **/
if ( *p != end )
ret = MBEDTLS_ERR_PKCS7_INVALID_FORMAT;
ret = MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE;
out:
return( ret );
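
Review bot: The `if ( *p != end )` check in pkcs7_get_digest_algorithm_set fires on any bytes left after the first AlgorithmIdentifier, not only on a well-formed second algorithm, so trailing garbage in the set is now reported as MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE instead of MBEDTLS_ERR_PKCS7_INVALID_FORMAT. If that is the intended contract, state it in the relocated comment so callers know that FEATURE_UNAVAILABLE does not imply the input was otherwise valid. The spacing in `if ( *p != end )` also differs from the `if( ret != 0 )` form used just above it.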
@ -231,7 +231,7 @@ static int pkcs7_get_certificates( unsigned char **p, unsigned char *end,
*/
if (end_cert != end_set)
{
ret = MBEDTLS_ERR_PKCS7_INVALID_CERT;
ret = MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE;
goto out;
}
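
Review bot: The condition `if (end_cert != end_set)` in pkcs7_get_certificates now maps every mismatch to MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE, but an inequality does not by itself show that further certificates follow. If end_cert can ever lie past end_set, that case is malformed input and would be better kept as MBEDTLS_ERR_PKCS7_INVALID_CERT, with FEATURE_UNAVAILABLE reserved for end_cert being short of end_set. The `if (` spacing here also differs from the `if( ... )` form used elsewhere in the file.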

@ -12,7 +12,7 @@ pkcs7_parse:"data_files/pkcs7_data_without_cert_signed.der":MBEDTLS_PKCS7_SIGNED
PKCS7 Signed Data Parse Fail with multiple certs #4
depends_on:MBEDTLS_SHA256_C:MBEDTLS_RSA_C
pkcs7_parse:"data_files/pkcs7_data_multiple_certs_signed.der":MBEDTLS_ERR_PKCS7_INVALID_CERT
pkcs7_parse:"data_files/pkcs7_data_multiple_certs_signed.der":MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE
PKCS7 Signed Data Parse Fail with corrupted cert #5
depends_on:MBEDTLS_SHA256_C:MBEDTLS_RSA_C
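
Review bot: Only the multiple-certificates case has its expected result updated here; the matching change in pkcs7_get_digest_algorithm_set has no visible test that expects MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE. Consider adding a pkcs7_parse case with a data file that carries more than one digest algorithm, so the new return code on that path is pinned by the suite as well.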