pkcs7: Drop support for signature in contentInfo of signed data
The contentInfo field of PKCS7 Signed Data structures can optionally contain the content of the signature. Per RFC 2315 it can also contain any of the PKCS7 data types. Add test and comments making it clear that the current implementation only supports the DATA content type and the data must be empty. Return codes should be clear whether content was invalid or unsupported. Identification and fix provided by: - Demi Marie Obenour <demiobenour@gmail.com> - Dave Rodgman <dave.rodgman@arm.com> Signed-off-by: Nick Child <nick.child@ibm.com>
This commit is contained in:
parent
50886c25f3
commit
3dafc6c3b3
5 changed files with 25 additions and 4 deletions
|
@ -46,6 +46,8 @@
|
|||
* - The RFC allows for SignerInfo structure to optionally contain
|
||||
* unauthenticatedAttributes and authenticatedAttributes. In Mbed TLS it is
|
||||
* assumed these fields are empty.
|
||||
* - The RFC allows for the signed Data type to contain contentInfo. This
|
||||
* implementation assumes the type is DATA and the content is empty.
|
||||
*/
|
||||
|
||||
#ifndef MBEDTLS_PKCS7_H
|
||||
|
|
|
@ -495,8 +495,18 @@ static int pkcs7_get_signed_data(unsigned char *buf, size_t buflen,
|
|||
return ret;
|
||||
}
|
||||
|
||||
if (end_content_info != p) {
|
||||
return MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO;
|
||||
if (p != end_content_info) {
|
||||
/* Determine if valid content is present */
|
||||
ret = mbedtls_asn1_get_tag(&p, end_content_info, &len, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_CONTEXT_SPECIFIC);
|
||||
if (ret != 0) {
|
||||
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO, ret);
|
||||
}
|
||||
p += len;
|
||||
if (p != end_content_info) {
|
||||
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO, ret);
|
||||
}
|
||||
/* Valid content is present - this is not supported */
|
||||
return MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE;
|
||||
}
|
||||
|
||||
if (MBEDTLS_OID_CMP(MBEDTLS_OID_PKCS7_DATA, &signed_data->content.oid)) {
|
||||
|
|
|
@ -1202,6 +1202,11 @@ pkcs7_data_without_cert_signed.der: $(pkcs7_test_file) $(pkcs7_test_cert_1)
|
|||
$(OPENSSL) smime -sign -binary -in pkcs7_data.bin -out $@ -md sha256 -signer pkcs7-rsa-sha256-1.pem -nocerts -noattr -outform DER -out $@
|
||||
all_final += pkcs7_data_without_cert_signed.der
|
||||
|
||||
# pkcs7 signature file with signature
|
||||
pkcs7_data_with_signature.der: $(pkcs7_test_file) $(pkcs7_test_cert_1)
|
||||
$(OPENSSL) smime -sign -binary -in pkcs7_data.bin -out $@ -md sha256 -signer pkcs7-rsa-sha256-1.pem -nocerts -noattr -nodetach -outform DER -out $@
|
||||
all_final += pkcs7_data_with_signature.der
|
||||
|
||||
# pkcs7 signature file with two signers
|
||||
pkcs7_data_multiple_signed.der: $(pkcs7_test_file) $(pkcs7_test_cert_1) $(pkcs7_test_cert_2)
|
||||
$(OPENSSL) smime -sign -binary -in pkcs7_data.bin -out $@ -md sha256 -signer pkcs7-rsa-sha256-1.pem -signer pkcs7-rsa-sha256-2.pem -nocerts -noattr -outform DER -out $@
|
||||
|
|
BIN
tests/data_files/pkcs7_data_with_signature.der
Normal file
BIN
tests/data_files/pkcs7_data_with_signature.der
Normal file
Binary file not shown.
|
@ -22,6 +22,10 @@ PKCS7 Signed Data Parse Fail with disabled alg #5.1
|
|||
depends_on:MBEDTLS_RSA_C:!MBEDTLS_SHA512_C
|
||||
pkcs7_parse:"data_files/pkcs7_data_cert_signed_sha512.der":MBEDTLS_ERR_PKCS7_INVALID_ALG
|
||||
|
||||
PKCS7 Parse Fail with Inlined Content Info #5.2
|
||||
depends_on:MBEDTLS_SHA256_C:MBEDTLS_RSA_C
|
||||
pkcs7_parse:"data_files/pkcs7_data_with_signature.der":MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE
|
||||
|
||||
PKCS7 Signed Data Parse Fail with corrupted signer info #6
|
||||
depends_on:MBEDTLS_SHA256_C:MBEDTLS_RSA_C
|
||||
pkcs7_parse:"data_files/pkcs7_data_signed_badsigner.der":MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO,MBEDTLS_ERR_ASN1_UNEXPECTED_TAG)
|
||||
|
@ -68,11 +72,11 @@ pkcs7_parse:"data_files/pkcs7_signerInfo_serial_invalid_size.der":MBEDTLS_ERR_PK
|
|||
|
||||
pkcs7_get_signers_info_set error handling (6213931373035520)
|
||||
depends_on:MBEDTLS_RIPEMD160_C
|
||||
pkcs7_parse:"data_files/pkcs7_get_signers_info_set-missing_free-fuzz_pkcs7-6213931373035520.der":MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO
|
||||
pkcs7_parse:"data_files/pkcs7_get_signers_info_set-missing_free-fuzz_pkcs7-6213931373035520.der":MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO, MBEDTLS_ERR_ASN1_UNEXPECTED_TAG)
|
||||
|
||||
pkcs7_get_signers_info_set error handling (4541044530479104)
|
||||
depends_on:MBEDTLS_RIPEMD160_C
|
||||
pkcs7_parse:"data_files/pkcs7_get_signers_info_set-leak-fuzz_pkcs7-4541044530479104.der":MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO
|
||||
pkcs7_parse:"data_files/pkcs7_get_signers_info_set-leak-fuzz_pkcs7-4541044530479104.der": MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO, MBEDTLS_ERR_ASN1_UNEXPECTED_TAG)
|
||||
|
||||
PKCS7 Only Signed Data Parse Pass #15
|
||||
depends_on:MBEDTLS_SHA256_C:MBEDTLS_RSA_C
|
||||
|
|
Loading…
Reference in a new issue