yuzu-emu/mbedtls
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Merge pull request #6816 from nick-child-ibm/pkcs7_coverage

Browse source 
Pkcs7 coverage
This commit is contained in:
Dave Rodgman 2023-02-10 12:55:29 +00:00 committed by GitHub
commit a22749e749
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
13 changed files with 3620 additions and 128 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

9
include/mbedtls/pkcs7.h
View file

@ -46,6 +46,8 @@
* - The RFC allows for SignerInfo structure to optionally contain
* unauthenticatedAttributes and authenticatedAttributes. In Mbed TLS it is
* assumed these fields are empty.
* - The RFC allows for the signed Data type to contain contentInfo. This
* implementation assumes the type is DATA and the content is empty.
*/
#ifndef MBEDTLS_PKCS7_H
@ -66,7 +68,7 @@
#define MBEDTLS_ERR_PKCS7_INVALID_FORMAT -0x5300 /**< The format is invalid, e.g. different type expected. */
#define MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE -0x5380 /**< Unavailable feature, e.g. anything other than signed data. */
#define MBEDTLS_ERR_PKCS7_INVALID_VERSION -0x5400 /**< The PKCS7 version element is invalid or cannot be parsed. */
#define MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO -0x5480 /**< The PKCS7 content info invalid or cannot be parsed. */
#define MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO -0x5480 /**< The PKCS7 content info is invalid or cannot be parsed. */
#define MBEDTLS_ERR_PKCS7_INVALID_ALG -0x5500 /**< The algorithm tag or value is invalid or cannot be parsed. */
#define MBEDTLS_ERR_PKCS7_INVALID_CERT -0x5580 /**< The certificate tag or value is invalid or cannot be parsed. */
#define MBEDTLS_ERR_PKCS7_INVALID_SIGNATURE -0x5600 /**< Error parsing the signature */
@ -179,8 +181,9 @@ void mbedtls_pkcs7_init(mbedtls_pkcs7 *pkcs7);
* \brief Parse a single DER formatted pkcs7 content.
*
* \param pkcs7 The pkcs7 structure to be filled by parser for the output.
* \param buf The buffer holding the DER encoded pkcs7.
* \param buflen The size in bytes of \p buf.
* \param buf The buffer holding only the DER encoded pkcs7.
* \param buflen The size in bytes of \p buf. The size must be exactly the
* length of the DER encoded pkcs7.
*
* \note This function makes an internal copy of the PKCS7 buffer
* \p buf. In particular, \p buf may be destroyed or reused

61
library/pkcs7.c
View file

@ -26,9 +26,6 @@
#include "mbedtls/oid.h"
#include "mbedtls/error.h"
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#if defined(MBEDTLS_FS_IO)
#include <sys/types.h>
#include <sys/stat.h>
@ -94,6 +91,7 @@ static int pkcs7_get_version(unsigned char **p, unsigned char *end, int *ver)
* [0] EXPLICIT ANY DEFINED BY contentType OPTIONAL }
**/
static int pkcs7_get_content_info_type(unsigned char **p, unsigned char *end,
unsigned char **seq_end,
mbedtls_pkcs7_buf *pkcs7)
{
size_t len = 0;
@ -106,8 +104,8 @@ static int pkcs7_get_content_info_type(unsigned char **p, unsigned char *end,
*p = start;
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO, ret);
}
ret = mbedtls_asn1_get_tag(p, end, &len, MBEDTLS_ASN1_OID);
*seq_end = *p + len;
ret = mbedtls_asn1_get_tag(p, *seq_end, &len, MBEDTLS_ASN1_OID);
if (ret != 0) {
*p = start;
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO, ret);
@ -289,7 +287,7 @@ static void pkcs7_free_signer_info(mbedtls_pkcs7_signer_info *signer)
static int pkcs7_get_signer_info(unsigned char **p, unsigned char *end,
mbedtls_pkcs7_signer_info *signer)
{
unsigned char *end_signer;
unsigned char *end_signer, *end_issuer_and_sn;
int asn1_ret = 0, ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
size_t len = 0;
@ -312,10 +310,11 @@ static int pkcs7_get_signer_info(unsigned char **p, unsigned char *end,
goto out;
}
end_issuer_and_sn = *p + len;
/* Parsing IssuerAndSerialNumber */
signer->issuer_raw.p = *p;
asn1_ret = mbedtls_asn1_get_tag(p, end_signer, &len,
asn1_ret = mbedtls_asn1_get_tag(p, end_issuer_and_sn, &len,
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE);
if (asn1_ret != 0) {
goto out;
@ -328,11 +327,17 @@ static int pkcs7_get_signer_info(unsigned char **p, unsigned char *end,
signer->issuer_raw.len = *p - signer->issuer_raw.p;
ret = mbedtls_x509_get_serial(p, end_signer, &signer->serial);
ret = mbedtls_x509_get_serial(p, end_issuer_and_sn, &signer->serial);
if (ret != 0) {
goto out;
}
/* ensure no extra or missing bytes */
if (*p != end_issuer_and_sn) {
ret = MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO;
goto out;
}
ret = pkcs7_get_digest_algorithm(p, end_signer, &signer->alg_identifier);
if (ret != 0) {
goto out;
@ -449,7 +454,7 @@ static int pkcs7_get_signed_data(unsigned char *buf, size_t buflen,
{
unsigned char *p = buf;
unsigned char *end = buf + buflen;
unsigned char *end_set;
unsigned char *end_set, *end_content_info;
size_t len = 0;
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
mbedtls_md_type_t md_alg;
@ -481,11 +486,29 @@ static int pkcs7_get_signed_data(unsigned char *buf, size_t buflen,
}
/* Do not expect any content */
ret = pkcs7_get_content_info_type(&p, end_set, &signed_data->content.oid);
ret = pkcs7_get_content_info_type(&p, end_set, &end_content_info,
&signed_data->content.oid);
if (ret != 0) {
return ret;
}
if (p != end_content_info) {
/* Determine if valid content is present */
ret = mbedtls_asn1_get_tag(&p,
end_content_info,
&len,
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_CONTEXT_SPECIFIC);
if (ret != 0) {
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO, ret);
}
p += len;
if (p != end_content_info) {
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO, ret);
}
/* Valid content is present - this is not supported */
return MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE;
}
if (MBEDTLS_OID_CMP(MBEDTLS_OID_PKCS7_DATA, &signed_data->content.oid)) {
return MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO;
}
@ -527,7 +550,7 @@ int mbedtls_pkcs7_parse_der(mbedtls_pkcs7 *pkcs7, const unsigned char *buf,
const size_t buflen)
{
unsigned char *p;
unsigned char *end;
unsigned char *end, *end_content_info;
size_t len = 0;
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
int isoidset = 0;
@ -546,14 +569,20 @@ int mbedtls_pkcs7_parse_der(mbedtls_pkcs7 *pkcs7, const unsigned char *buf,
pkcs7->raw.len = buflen;
end = p + buflen;
ret = pkcs7_get_content_info_type(&p, end, &pkcs7->content_type_oid);
ret = pkcs7_get_content_info_type(&p, end, &end_content_info,
&pkcs7->content_type_oid);
if (ret != 0) {
len = buflen;
goto try_data;
}
/* Ensure PKCS7 data uses the exact number of bytes specified in buflen */
if (end_content_info != end) {
ret = MBEDTLS_ERR_PKCS7_BAD_INPUT_DATA;
goto out;
}
if (!MBEDTLS_OID_CMP(MBEDTLS_OID_PKCS7_DATA, &pkcs7->content_type_oid)
|| !MBEDTLS_OID_CMP(MBEDTLS_OID_PKCS7_ENCRYPTED_DATA, &pkcs7->content_type_oid)
|| !MBEDTLS_OID_CMP(MBEDTLS_OID_PKCS7_ENVELOPED_DATA, &pkcs7->content_type_oid)
|| !MBEDTLS_OID_CMP(MBEDTLS_OID_PKCS7_SIGNED_AND_ENVELOPED_DATA, &pkcs7->content_type_oid)
|| !MBEDTLS_OID_CMP(MBEDTLS_OID_PKCS7_DIGESTED_DATA, &pkcs7->content_type_oid)
@ -574,6 +603,12 @@ int mbedtls_pkcs7_parse_der(mbedtls_pkcs7 *pkcs7, const unsigned char *buf,
goto out;
}
/* ensure no extra/missing data */
if (p + len != end) {
ret = MBEDTLS_ERR_PKCS7_BAD_INPUT_DATA;
goto out;
}
try_data:
ret = pkcs7_get_signed_data(p, len, &pkcs7->signed_data);
if (ret != 0) {

22
tests/data_files/Makefile
View file

@ -1198,6 +1198,7 @@ tls13_certs: ecdsa_secp521r1.crt ecdsa_secp521r1.key
# PKCS7 test data
pkcs7_test_cert_1 = pkcs7-rsa-sha256-1.crt
pkcs7_test_cert_2 = pkcs7-rsa-sha256-2.crt
pkcs7_test_cert_3 = pkcs7-rsa-sha256-3.crt
pkcs7_test_file = pkcs7_data.bin
$(pkcs7_test_file):
@ -1219,6 +1220,15 @@ pkcs7-rsa-sha256-2.crt:
cat pkcs7-rsa-sha256-2.crt pkcs7-rsa-sha256-2.key > pkcs7-rsa-sha256-2.pem
all_final += pkcs7-rsa-sha256-2.crt
pkcs7-rsa-sha256-3.crt:
$(OPENSSL) req -x509 -subj="/C=NL/O=PKCS7/CN=PKCS7 Cert 3" -sha256 -nodes -days 365 -newkey rsa:2048 -keyout pkcs7-rsa-sha256-3.key -out pkcs7-rsa-sha256-3.crt
cat pkcs7-rsa-sha256-3.crt pkcs7-rsa-sha256-3.key > pkcs7-rsa-sha256-3.pem
all_final += pkcs7-rsa-sha256-3.crt
pkcs7-rsa-expired.crt:
$(FAKETIME) -f -3650d $(OPENSSL) req -x509 -subj="/C=NL/O=PKCS7/CN=PKCS7 Cert Expired" -sha256 -nodes -days 365 -newkey rsa:2048 -keyout pkcs7-rsa-expired.key -out pkcs7-rsa-expired.crt
all_final += pkcs7-rsa-expired.crt
# Convert signing certs to DER for testing PEM-free builds
pkcs7-rsa-sha256-1.der: $(pkcs7_test_cert_1)
$(OPENSSL) x509 -in pkcs7-rsa-sha256-1.crt -out $@ -outform DER
@ -1248,11 +1258,21 @@ pkcs7_data_without_cert_signed.der: $(pkcs7_test_file) $(pkcs7_test_cert_1)
$(OPENSSL) smime -sign -binary -in pkcs7_data.bin -out $@ -md sha256 -signer pkcs7-rsa-sha256-1.pem -nocerts -noattr -outform DER -out $@
all_final += pkcs7_data_without_cert_signed.der
# pkcs7 signature file with multiple signers
# pkcs7 signature file with signature
pkcs7_data_with_signature.der: $(pkcs7_test_file) $(pkcs7_test_cert_1)
$(OPENSSL) smime -sign -binary -in pkcs7_data.bin -out $@ -md sha256 -signer pkcs7-rsa-sha256-1.pem -nocerts -noattr -nodetach -outform DER -out $@
all_final += pkcs7_data_with_signature.der
# pkcs7 signature file with two signers
pkcs7_data_multiple_signed.der: $(pkcs7_test_file) $(pkcs7_test_cert_1) $(pkcs7_test_cert_2)
$(OPENSSL) smime -sign -binary -in pkcs7_data.bin -out $@ -md sha256 -signer pkcs7-rsa-sha256-1.pem -signer pkcs7-rsa-sha256-2.pem -nocerts -noattr -outform DER -out $@
all_final += pkcs7_data_multiple_signed.der
# pkcs7 signature file with three signers
pkcs7_data_3_signed.der: $(pkcs7_test_file) $(pkcs7_test_cert_1) $(pkcs7_test_cert_2) $(pkcs7_test_cert_3)
$(OPENSSL) smime -sign -binary -in pkcs7_data.bin -out $@ -md sha256 -signer pkcs7-rsa-sha256-1.pem -signer pkcs7-rsa-sha256-2.pem -signer pkcs7-rsa-sha256-3.pem -nocerts -noattr -outform DER -out $@
all_final += pkcs7_data_3_signed.der
# pkcs7 signature file with multiple certificates
pkcs7_data_multiple_certs_signed.der: $(pkcs7_test_file) $(pkcs7_test_cert_1) $(pkcs7_test_cert_2)
$(OPENSSL) smime -sign -binary -in pkcs7_data.bin -out $@ -md sha256 -signer pkcs7-rsa-sha256-1.pem -signer pkcs7-rsa-sha256-2.pem -noattr -outform DER -out $@

20
tests/data_files/pkcs7-rsa-expired.crt Normal file
View file

@ -0,0 +1,20 @@
-----BEGIN CERTIFICATE-----
MIIDVTCCAj2gAwIBAgIUOrWS2Prj+YfE0116bm4XvxqfRlkwDQYJKoZIhvcNAQEL
BQAwOjELMAkGA1UEBhMCTkwxDjAMBgNVBAoMBVBLQ1M3MRswGQYDVQQDDBJQS0NT
NyBDZXJ0IEV4cGlyZWQwHhcNMTIxMjE3MTkyNzE4WhcNMTMxMjE3MTkyNzE4WjA6
MQswCQYDVQQGEwJOTDEOMAwGA1UECgwFUEtDUzcxGzAZBgNVBAMMElBLQ1M3IENl
cnQgRXhwaXJlZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKwdVgoF
OCcb8wCxLXbiiRuglTa4iQM/L2pGvQQgJ3HeApAzrbL0zg0SsT02K9YqAsta7z/U
fhVFPawtY3QZU4lg5OukPMJK0JZpYynjDkx4B9mp8fPlzzwalzXDFnrGaS84z0st
jibLDGPs9LL8oRyQSFsum3FSM2CDTw6gFCNYVYB7fz9DLtWh8igOmW1ZmDgxoNYA
ZyWEEcZmzWOG5MSYt8Nx4R5DMuxDa8q50M46sFQ/8kFerlAcvAz7nZQq10F65wdy
JAB/WKZknbdN72ntlHdvbUViax2U4DJNdztuOJYc2GAlLrWmYk09yNorlNsEXjQp
8w5jsjPhlQcnMiECAwEAAaNTMFEwHQYDVR0OBBYEFDOXFiHCdGU5Ebamuhj8tEoU
bGA3MB8GA1UdIwQYMBaAFDOXFiHCdGU5Ebamuhj8tEoUbGA3MA8GA1UdEwEB/wQF
MAMBAf8wDQYJKoZIhvcNAQELBQADggEBAA0D8sXvET5XUGs3FwhuBm43ydr8W1u7
07zxRNvMYO6Qrsfxh4UAw9IlHbLhL2mrdPRn1IF9Dtpf/xA2A8QOfDj5/rAUFmnX
C+GO0Yb7/gSuyo6u2o8ICSFDsTkOKCYldneaDt2LIPLidlmTndrqWV3nzOCQqbtz
0DObTVVK0X/hXvSx2k2R71sf1fRLWSHMQBxwe4MTcyXfXqrjq3eRP2xRzGWrVXhu
0U/PYBVPSW0Bfka4toTf8VpZLkwwVbg+9QOIpvGa0kNMsWWgyezLEOkZB1G1JXYF
3FW6LTDP0h64/8xB8YcnttaGstwgEJjoS1W4CjaRL0tNKmRYS5Mu5+E=
-----END CERTIFICATE-----

28
tests/data_files/pkcs7-rsa-expired.key Normal file
View file

@ -0,0 +1,28 @@
-----BEGIN PRIVATE KEY-----
MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQCsHVYKBTgnG/MA
sS124okboJU2uIkDPy9qRr0EICdx3gKQM62y9M4NErE9NivWKgLLWu8/1H4VRT2s
LWN0GVOJYOTrpDzCStCWaWMp4w5MeAfZqfHz5c88Gpc1wxZ6xmkvOM9LLY4mywxj
7PSy/KEckEhbLptxUjNgg08OoBQjWFWAe38/Qy7VofIoDpltWZg4MaDWAGclhBHG
Zs1jhuTEmLfDceEeQzLsQ2vKudDOOrBUP/JBXq5QHLwM+52UKtdBeucHciQAf1im
ZJ23Te9p7ZR3b21FYmsdlOAyTXc7bjiWHNhgJS61pmJNPcjaK5TbBF40KfMOY7Iz
4ZUHJzIhAgMBAAECggEAb8pSIwoG0egmarGp7QjwswAXSsaLP4+ftXCivnZACIaB
tbXLQWweFYGpmy9/Q4hf7kNvGE9lYV1q1FVavoLgrl8/8Qno6O19E+T5orA2jlZ8
CtWGMLt4YfqHckT3aeFLWn+UrKi3Jt1Fe/XhbgwGfS39wTPBhNY2Rp6jD8XLrrRV
jEBwCGZxRaoQxvf1hddyRob9INQiYxiqhkqkZsFRuuKhm28tv/6nrb3UOFEd6h1r
9Cg2m0BGF7unmFRq3ZM/xJvhMSZlQE8UMpyiLAvs6vTUBlN8OKoTGQQgW8JeFwi8
Dh1oUmw0JOnwiLA/1KPGSc7O6i+54ogNiK4N1U9X0QKBgQDTuB8pHdTyUfXKIm3R
n9/xCAJ/NWJAXjcpUEwoI2BKsZkzhLMlPtT5F86CTOn8P2cxZwZixfgo84z3Mx2A
2D03z4W9FsFsBA7bOY6mpdcupX6IogM7Tgguo+Rh/DwzI7KVgVqio/4YY1zw3kou
FcfIIz5wb79UiFLs12gQUcQQBQKBgQDQHLOood0gGOpCwRTd4BnUnlX43w3WSobR
0Za6rR76qJn13LMF/rBsq5gczvagI1jZ1N96O0qbkL2yPmFeH/ih6vNOgu4uCyv+
LogBnN5yixXYkapRJ3gXZfAdBl2b9ihXJgvWV1YF/6QuLK2V/JTbUQQ8aboO8Vgv
98WcbojgbQKBgQCYICozrv29h+ql7QsfnlKYq/qvULpiKdBU3R97j7+2q9m6zNS0
JGt+9/4oXf+agiwxsSdDfaAMPMPDM3U1iSqjmXctINamOFw8ZST81RjCqaM7pb3Q
tQboDFcjmMvgqvu8tQ9c4ZzIBU1YvUBr0LaWNcy9mW3O3Y1IJJbfcwD/yQKBgQCo
QAwfsX0MjhgWj/NGzf8UHk5zPiH5tZb52vB5S61YCScv1pYFqrsHoFMCN3C8Vtdm
hOuH7peK3aH/kN83MbHZdhHuz3uwTefrP8NFSoWtJTUsOdfwdHBqukc9r//OL1y9
2EyJpWIux1b83bIZKHNQPFeoX/HEUupxHWft6I9QoQKBgQCDsbRTjU3beP+EGv9S
OB7b4EnfTt//JGLjUWQEeZtZbCOCrvtMiZmVfWFmEk9cwBipB5Nczcbzo572jU4X
cjfuoBmvV+IVOki5NfA2OwOwfsxGY6DZdNwIAJSOyr1xqUetW9KE6BJEVroMi5eO
sBaxriPC7PYMrBLGnWX4Ysh1ig==
-----END PRIVATE KEY-----

20
tests/data_files/pkcs7-rsa-sha256-3.crt Normal file
View file

@ -0,0 +1,20 @@
-----BEGIN CERTIFICATE-----
MIIDSTCCAjGgAwIBAgIUYkdymHWejgRxiuVjFV81I8+4TNswDQYJKoZIhvcNAQEL
BQAwNDELMAkGA1UEBhMCTkwxDjAMBgNVBAoMBVBLQ1M3MRUwEwYDVQQDDAxQS0NT
NyBDZXJ0IDMwHhcNMjMwMTMwMTkyMTQzWhcNMjQwMTMwMTkyMTQzWjA0MQswCQYD
VQQGEwJOTDEOMAwGA1UECgwFUEtDUzcxFTATBgNVBAMMDFBLQ1M3IENlcnQgMzCC
ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANJ/vfx54ZcwX1ImcNW6ERqk
XMUWzQnnNrfKBRkxebIq/NAu/5vVE6D2qAeNBiZO+O3dYcyJGiP6O+SfzyKKrG3z
7O1v4ONY3A5P0ge3LJpj2MaUzPOANdQ8444IdWh1cP02uDhVJxgab6cSoFykK2bC
lETgb5XrV9/42/qCrT+UTuuRFadRLtO7lcs4ZoVCUJ/hBN2Ad65rX6TAc1AmUV+K
gO6b0ZvnVW1cevZ2rlpUqcoJyYtYE3Ysd/aVpqE19vS7gMXvFL616a4d+IUi2Rmu
6uXBYGvzf7eLVLpdzwSurG0oEklfSjDHejxKX7QETlSLNwODK/W0Se+sQQt1t0kC
AwEAAaNTMFEwHQYDVR0OBBYEFC7YxdBlJ9oR3H+KJt8toimNCyudMB8GA1UdIwQY
MBaAFC7YxdBlJ9oR3H+KJt8toimNCyudMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZI
hvcNAQELBQADggEBAGqqNRMi6uJRCPFae7L+yOY09FtFjMCY/1cvHjnQzYk3i90u
WiiZfOUD8js96SkdanaZEqxDNjx0VM3t0KDPrNHTMP2LDK58sktPRi62C2eHWI3C
PfqmCxWjSKjOeUaJsVBU4rfQgvnMFlG9iVfhix3aB79GfBSQmLxLAOBVsphTLL6C
AzJ60WjSM9WhILV4U5QnpTUuXFId+ub43jOHfLtJVk2nM5YSaZ0H9jM69FzOnqFE
qUuJ7d0CW256aiAz3hs/y0wXImFUPCfoU45nw7fFcb/EMon5cqgx99IADLecHL8P
uOX5xpJ64mBR5NuVdH2d4bld9vh3sOcCGebHaWw=
-----END CERTIFICATE-----

28
tests/data_files/pkcs7-rsa-sha256-3.key Normal file
View file

@ -0,0 +1,28 @@
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDSf738eeGXMF9S
JnDVuhEapFzFFs0J5za3ygUZMXmyKvzQLv+b1ROg9qgHjQYmTvjt3WHMiRoj+jvk
n88iiqxt8+ztb+DjWNwOT9IHtyyaY9jGlMzzgDXUPOOOCHVodXD9Nrg4VScYGm+n
EqBcpCtmwpRE4G+V61ff+Nv6gq0/lE7rkRWnUS7Tu5XLOGaFQlCf4QTdgHeua1+k
wHNQJlFfioDum9Gb51VtXHr2dq5aVKnKCcmLWBN2LHf2laahNfb0u4DF7xS+temu
HfiFItkZrurlwWBr83+3i1S6Xc8ErqxtKBJJX0owx3o8Sl+0BE5UizcDgyv1tEnv
rEELdbdJAgMBAAECggEANIkePRecNnQjriia67SjFS+lWaktpkWXEfqxGA8RjOaO
r1SzhcyBuCAnYq8PNFtsZE1m3bnwFL+c2BwMgdXzYAPLg5zzFzqzvTytsjBEyQmX
bkRv/Gvow14o+udgiiAZgZD5HFIgTjM2349WB5kPnfd9Ms2C+/s/NM5y9IxNufqR
Toto9xwEviJDNVQUeamMbV1hYg0GkvYFNBg5JnGZw+2Sxdml3NFkaHjO+lOhC1VJ
nhtP0OeOhEMJe9J/MlqkByeg4WQW+jgPo9ysOa+JsEYBokBTleAboNNUJz1SmZ2o
CCLcMaEwA1IFZAbqjKzPb0xwjeZAtPsBzGFBwiuDyQKBgQDdCkiCeo+AuCdIK4Y3
i8uf2Pv/eieN37pHBJZcRvNbwcrcnk4Tx0QAsiqnemLDurd+3Xp2BbPMKSNXNkaI
X4KAtv3hh6sNCQZ2QwkSGYvSOrR4xaExbeuPlrDteLG6Z7W+Txl6iFR8r7sbdySD
XIIB2yyyh/01gkphB1XPhPxAnQKBgQDzyqf8IccG/yoSm/luX7yKbsPsLMnV1CkR
hKaPik9vA8wi4P460HqGSwjECubbx2LuGNijVRHqufu6Arm7/hMNya0gA4ToHN+i
r7MiD8iGpKKYv7Dn1KVhw/Knwx3MHhFgB9V55EBn92MVL1ZC1S7cLq7tn1ggVHnC
mlS0OW1DnQKBgDx679QjzNgfi0AICLVyHskiCfGhbuk26jU8YBfnofbdU7CB8EMh
Js458cnZhuSfVk30M+nPLZ8TMoROaYYu+/pUF6t5/6eVbJs3RGgbbVKclXzmNnDb
7rRfOxH/EEI81lG4OvR4EQX832lodCktSrVPTy+aXgIiIE/kPeqGLK9RAoGBAIdN
4X/A62pJsfsUEBKfFdAq+5gXn4mKr6RmX97on394txJglxjjXi0sddgASPKPrauB
pLK54zDIOhqZqqXYtJCBbxGGgnwkkkYDh8MOyXdY5lkqgq+YSJWDICjV1LLVuUT3
9BYrhUdueNJoLFL5aIGRc0q0lj+TQuSrrPk9qhPNAoGADbbSa+iD3C+sladHkMAU
u7CvM/0izVqokKnUTBzQh5oxfKQncMVyYrws/Orkcc7u30FeX6bkCoY6dP1+YXLh
ZlmiSgDK6kebOCGRWjCGKGys4WU1QiFluEjRfXQIMW3Wj45vxB3xPrD1TTHcfWgJ
7BT4C+yor7c/fL356athqxk=
-----END PRIVATE KEY-----

48
tests/data_files/pkcs7-rsa-sha256-3.pem Normal file
View file

@ -0,0 +1,48 @@
-----BEGIN CERTIFICATE-----
MIIDSTCCAjGgAwIBAgIUYkdymHWejgRxiuVjFV81I8+4TNswDQYJKoZIhvcNAQEL
BQAwNDELMAkGA1UEBhMCTkwxDjAMBgNVBAoMBVBLQ1M3MRUwEwYDVQQDDAxQS0NT
NyBDZXJ0IDMwHhcNMjMwMTMwMTkyMTQzWhcNMjQwMTMwMTkyMTQzWjA0MQswCQYD
VQQGEwJOTDEOMAwGA1UECgwFUEtDUzcxFTATBgNVBAMMDFBLQ1M3IENlcnQgMzCC
ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANJ/vfx54ZcwX1ImcNW6ERqk
XMUWzQnnNrfKBRkxebIq/NAu/5vVE6D2qAeNBiZO+O3dYcyJGiP6O+SfzyKKrG3z
7O1v4ONY3A5P0ge3LJpj2MaUzPOANdQ8444IdWh1cP02uDhVJxgab6cSoFykK2bC
lETgb5XrV9/42/qCrT+UTuuRFadRLtO7lcs4ZoVCUJ/hBN2Ad65rX6TAc1AmUV+K
gO6b0ZvnVW1cevZ2rlpUqcoJyYtYE3Ysd/aVpqE19vS7gMXvFL616a4d+IUi2Rmu
6uXBYGvzf7eLVLpdzwSurG0oEklfSjDHejxKX7QETlSLNwODK/W0Se+sQQt1t0kC
AwEAAaNTMFEwHQYDVR0OBBYEFC7YxdBlJ9oR3H+KJt8toimNCyudMB8GA1UdIwQY
MBaAFC7YxdBlJ9oR3H+KJt8toimNCyudMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZI
hvcNAQELBQADggEBAGqqNRMi6uJRCPFae7L+yOY09FtFjMCY/1cvHjnQzYk3i90u
WiiZfOUD8js96SkdanaZEqxDNjx0VM3t0KDPrNHTMP2LDK58sktPRi62C2eHWI3C
PfqmCxWjSKjOeUaJsVBU4rfQgvnMFlG9iVfhix3aB79GfBSQmLxLAOBVsphTLL6C
AzJ60WjSM9WhILV4U5QnpTUuXFId+ub43jOHfLtJVk2nM5YSaZ0H9jM69FzOnqFE
qUuJ7d0CW256aiAz3hs/y0wXImFUPCfoU45nw7fFcb/EMon5cqgx99IADLecHL8P
uOX5xpJ64mBR5NuVdH2d4bld9vh3sOcCGebHaWw=
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDSf738eeGXMF9S
JnDVuhEapFzFFs0J5za3ygUZMXmyKvzQLv+b1ROg9qgHjQYmTvjt3WHMiRoj+jvk
n88iiqxt8+ztb+DjWNwOT9IHtyyaY9jGlMzzgDXUPOOOCHVodXD9Nrg4VScYGm+n
EqBcpCtmwpRE4G+V61ff+Nv6gq0/lE7rkRWnUS7Tu5XLOGaFQlCf4QTdgHeua1+k
wHNQJlFfioDum9Gb51VtXHr2dq5aVKnKCcmLWBN2LHf2laahNfb0u4DF7xS+temu
HfiFItkZrurlwWBr83+3i1S6Xc8ErqxtKBJJX0owx3o8Sl+0BE5UizcDgyv1tEnv
rEELdbdJAgMBAAECggEANIkePRecNnQjriia67SjFS+lWaktpkWXEfqxGA8RjOaO
r1SzhcyBuCAnYq8PNFtsZE1m3bnwFL+c2BwMgdXzYAPLg5zzFzqzvTytsjBEyQmX
bkRv/Gvow14o+udgiiAZgZD5HFIgTjM2349WB5kPnfd9Ms2C+/s/NM5y9IxNufqR
Toto9xwEviJDNVQUeamMbV1hYg0GkvYFNBg5JnGZw+2Sxdml3NFkaHjO+lOhC1VJ
nhtP0OeOhEMJe9J/MlqkByeg4WQW+jgPo9ysOa+JsEYBokBTleAboNNUJz1SmZ2o
CCLcMaEwA1IFZAbqjKzPb0xwjeZAtPsBzGFBwiuDyQKBgQDdCkiCeo+AuCdIK4Y3
i8uf2Pv/eieN37pHBJZcRvNbwcrcnk4Tx0QAsiqnemLDurd+3Xp2BbPMKSNXNkaI
X4KAtv3hh6sNCQZ2QwkSGYvSOrR4xaExbeuPlrDteLG6Z7W+Txl6iFR8r7sbdySD
XIIB2yyyh/01gkphB1XPhPxAnQKBgQDzyqf8IccG/yoSm/luX7yKbsPsLMnV1CkR
hKaPik9vA8wi4P460HqGSwjECubbx2LuGNijVRHqufu6Arm7/hMNya0gA4ToHN+i
r7MiD8iGpKKYv7Dn1KVhw/Knwx3MHhFgB9V55EBn92MVL1ZC1S7cLq7tn1ggVHnC
mlS0OW1DnQKBgDx679QjzNgfi0AICLVyHskiCfGhbuk26jU8YBfnofbdU7CB8EMh
Js458cnZhuSfVk30M+nPLZ8TMoROaYYu+/pUF6t5/6eVbJs3RGgbbVKclXzmNnDb
7rRfOxH/EEI81lG4OvR4EQX832lodCktSrVPTy+aXgIiIE/kPeqGLK9RAoGBAIdN
4X/A62pJsfsUEBKfFdAq+5gXn4mKr6RmX97on394txJglxjjXi0sddgASPKPrauB
pLK54zDIOhqZqqXYtJCBbxGGgnwkkkYDh8MOyXdY5lkqgq+YSJWDICjV1LLVuUT3
9BYrhUdueNJoLFL5aIGRc0q0lj+TQuSrrPk9qhPNAoGADbbSa+iD3C+sladHkMAU
u7CvM/0izVqokKnUTBzQh5oxfKQncMVyYrws/Orkcc7u30FeX6bkCoY6dP1+YXLh
ZlmiSgDK6kebOCGRWjCGKGys4WU1QiFluEjRfXQIMW3Wj45vxB3xPrD1TTHcfWgJ
7BT4C+yor7c/fL356athqxk=
-----END PRIVATE KEY-----

BIN
tests/data_files/pkcs7_data_3_signed.der Normal file
View file

Binary file not shown.

BIN
tests/data_files/pkcs7_data_with_signature.der Normal file
View file

Binary file not shown.

195
tests/scripts/generate_pkcs7_tests.py Executable file
View file

@ -0,0 +1,195 @@
#!/usr/bin/env python3
#
# Copyright The Mbed TLS Contributors
# SPDX-License-Identifier: Apache-2.0
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
"""
Make fuzz like testing for pkcs7 tests
Given a valid DER pkcs7 file add tests to the test_suite_pkcs7.data file
- It is expected that the pkcs7_asn1_fail( data_t *pkcs7_buf )
function is defined in test_suite_pkcs7.function
- This is not meant to be portable code, if anything it is meant to serve as
documentation for showing how those ugly tests in test_suite_pkcs7.data were created
"""
import sys
from os.path import exists
PKCS7_TEST_FILE = "../suites/test_suite_pkcs7.data"
class Test: # pylint: disable=too-few-public-methods
"""
A instance of a test in test_suite_pkcs7.data
"""
def __init__(self, name, depends, func_call):
self.name = name
self.depends = depends
self.func_call = func_call
# pylint: disable=no-self-use
def to_string(self):
return "\n" + self.name + "\n" + self.depends + "\n" + self.func_call + "\n"
class TestData:
"""
Take in test_suite_pkcs7.data file.
Allow for new tests to be added.
"""
mandatory_dep = "MBEDTLS_SHA256_C"
test_name = "PKCS7 Parse Failure Invalid ASN1"
test_function = "pkcs7_asn1_fail:"
def __init__(self, file_name):
self.file_name = file_name
self.last_test_num, self.old_tests = self.read_test_file(file_name)
self.new_tests = []
# pylint: disable=no-self-use
def read_test_file(self, file):
"""
Parse the test_suite_pkcs7.data file.
"""
tests = []
if not exists(file):
print(file + " Does not exist")
sys.exit()
with open(file, "r", encoding='UTF-8') as fp:
data = fp.read()
lines = [line.strip() for line in data.split('\n') if len(line.strip()) > 1]
i = 0
while i < len(lines):
if "depends" in lines[i+1]:
tests.append(Test(lines[i], lines[i+1], lines[i+2]))
i += 3
else:
tests.append(Test(lines[i], None, lines[i+1]))
i += 2
latest_test_num = float(tests[-1].name.split('#')[1])
return latest_test_num, tests
def add(self, name, func_call):
self.last_test_num += 1
self.new_tests.append(Test(self.test_name + ": " + name + " #" + \
str(self.last_test_num), "depends_on:" + self.mandatory_dep, \
self.test_function + '"' + func_call + '"'))
def write_changes(self):
with open(self.file_name, 'a', encoding='UTF-8') as fw:
fw.write("\n")
for t in self.new_tests:
fw.write(t.to_string())
def asn1_mutate(data):
"""
We have been given an asn1 structure representing a pkcs7.
We want to return an array of slightly modified versions of this data
they should be modified in a way which makes the structure invalid
We know that asn1 structures are:
|---1 byte showing data type---|----byte(s) for length of data---|---data content--|
We know that some data types can contain other data types.
Return a dictionary of reasons and mutated data types.
"""
# off the bat just add bytes to start and end of the buffer
mutations = []
reasons = []
mutations.append(["00"] + data)
reasons.append("Add null byte to start")
mutations.append(data + ["00"])
reasons.append("Add null byte to end")
# for every asn1 entry we should attempt to:
# - change the data type tag
# - make the length longer than actual
# - make the length shorter than actual
i = 0
while i < len(data):
tag_i = i
leng_i = tag_i + 1
data_i = leng_i + 1 + (int(data[leng_i][1], 16) if data[leng_i][0] == '8' else 0)
if data[leng_i][0] == '8':
length = int(''.join(data[leng_i + 1: data_i]), 16)
else:
length = int(data[leng_i], 16)
tag = data[tag_i]
print("Looking at ans1: offset " + str(i) + " tag = " + tag + \
", length = " + str(length)+ ":")
print(''.join(data[data_i:data_i+length]))
# change tag to something else
if tag == "02":
# turn integers into octet strings
new_tag = "04"
else:
# turn everything else into an integer
new_tag = "02"
mutations.append(data[:tag_i] + [new_tag] + data[leng_i:])
reasons.append("Change tag " + tag + " to " + new_tag)
# change lengths to too big
# skip any edge cases which would cause carry over
if int(data[data_i - 1], 16) < 255:
new_length = str(hex(int(data[data_i - 1], 16) + 1))[2:]
if len(new_length) == 1:
new_length = "0"+new_length
mutations.append(data[:data_i -1] + [new_length] + data[data_i:])
reasons.append("Change length from " + str(length) + " to " \
+ str(length + 1))
# we can add another test here for tags that contain other tags \
# where they have more data than there containing tags account for
if tag in ["30", "a0", "31"]:
mutations.append(data[:data_i -1] + [new_length] + \
data[data_i:data_i + length] + ["00"] + \
data[data_i + length:])
reasons.append("Change contents of tag " + tag + " to contain \
one unaccounted extra byte")
# change lengths to too small
if int(data[data_i - 1], 16) > 0:
new_length = str(hex(int(data[data_i - 1], 16) - 1))[2:]
if len(new_length) == 1:
new_length = "0"+new_length
mutations.append(data[:data_i -1] + [new_length] + data[data_i:])
reasons.append("Change length from " + str(length) + " to " + str(length - 1))
# some tag types contain other tag types so we should iterate into the data
if tag in ["30", "a0", "31"]:
i = data_i
else:
i = data_i + length
return list(zip(reasons, mutations))
if __name__ == "__main__":
if len(sys.argv) < 2:
print("USAGE: " + sys.argv[0] + " <pkcs7_der_file>")
sys.exit()
DATA_FILE = sys.argv[1]
TEST_DATA = TestData(PKCS7_TEST_FILE)
with open(DATA_FILE, 'rb') as f:
DATA_STR = f.read().hex()
# make data an array of byte strings eg ['de','ad','be','ef']
HEX_DATA = list(map(''.join, [[DATA_STR[i], DATA_STR[i+1]] for i in range(0, len(DATA_STR), \
2)]))
# returns tuples of test_names and modified data buffers
MUT_ARR = asn1_mutate(HEX_DATA)
print("made " + str(len(MUT_ARR)) + " new tests")
for new_test in MUT_ARR:
TEST_DATA.add(new_test[0], ''.join(new_test[1]))
TEST_DATA.write_changes()

3134
tests/suites/test_suite_pkcs7.data
View file

File diff suppressed because it is too large Load diff

183
tests/suites/test_suite_pkcs7.function
View file

@ -13,6 +13,28 @@
* depends_on:MBEDTLS_PKCS7_C:MBEDTLS_RSA_C
* END_DEPENDENCIES
*/
/* BEGIN_SUITE_HELPERS */
int pkcs7_parse_buffer(unsigned char *pkcs7_buf, int buflen)
{
int res;
mbedtls_pkcs7 pkcs7;
mbedtls_pkcs7_init(&pkcs7);
res = mbedtls_pkcs7_parse_der(&pkcs7, pkcs7_buf, buflen);
mbedtls_pkcs7_free(&pkcs7);
return res;
}
/* END_SUITE_HELPERS */
/* BEGIN_CASE */
void pkcs7_asn1_fail(data_t *pkcs7_buf)
{
int res;
res = pkcs7_parse_buffer(pkcs7_buf->x, pkcs7_buf->len);
TEST_ASSERT(res != MBEDTLS_PKCS7_SIGNED_DATA);
}
/* END_CASE */
/* BEGIN_CASE depends_on:MBEDTLS_FS_IO */
void pkcs7_parse(char *pkcs7_file, int res_expect)
@ -21,118 +43,65 @@ void pkcs7_parse(char *pkcs7_file, int res_expect)
size_t buflen;
int res;
mbedtls_pkcs7 pkcs7;
mbedtls_pkcs7_init(&pkcs7);
res = mbedtls_pk_load_file(pkcs7_file, &pkcs7_buf, &buflen);
TEST_EQUAL(res, 0);
res = mbedtls_pkcs7_parse_der(&pkcs7, pkcs7_buf, buflen);
res = pkcs7_parse_buffer(pkcs7_buf, buflen);
TEST_EQUAL(res, res_expect);
exit:
mbedtls_free(pkcs7_buf);
mbedtls_pkcs7_free(&pkcs7);
}
/* END_CASE */
/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_PKCS1_V15:MBEDTLS_RSA_C */
void pkcs7_verify(char *pkcs7_file, char *crt, char *filetobesigned, int do_hash_alg,
void pkcs7_verify(char *pkcs7_file,
char *crt_files,
char *filetobesigned,
int do_hash_alg,
int res_expect)
{
unsigned char *pkcs7_buf = NULL;
size_t buflen;
size_t buflen, i, k, cnt = 0, n_crts = 1;
unsigned char *data = NULL;
unsigned char hash[32];
char **crt_files_arr = NULL;
unsigned char *hash = NULL;
struct stat st;
size_t datalen;
int res;
FILE *file;
const mbedtls_md_info_t *md_info;
mbedtls_md_type_t md_alg;
mbedtls_pkcs7 pkcs7;
mbedtls_x509_crt x509;
mbedtls_x509_crt **crts = NULL;
mbedtls_pkcs7_init(&pkcs7);
mbedtls_x509_crt_init(&x509);
USE_PSA_INIT();
res = mbedtls_x509_crt_parse_file(&x509, crt);
TEST_EQUAL(res, 0);
res = mbedtls_pk_load_file(pkcs7_file, &pkcs7_buf, &buflen);
TEST_EQUAL(res, 0);
res = mbedtls_pkcs7_parse_der(&pkcs7, pkcs7_buf, buflen);
TEST_EQUAL(res, MBEDTLS_PKCS7_SIGNED_DATA);
res = stat(filetobesigned, &st);
TEST_EQUAL(res, 0);
file = fopen(filetobesigned, "rb");
TEST_ASSERT(file != NULL);
datalen = st.st_size;
ASSERT_ALLOC(data, datalen);
TEST_ASSERT(data != NULL);
buflen = fread((void *) data, sizeof(unsigned char), datalen, file);
TEST_EQUAL(buflen, datalen);
fclose(file);
if (do_hash_alg) {
res = mbedtls_oid_get_md_alg(&pkcs7.signed_data.digest_alg_identifiers, &md_alg);
TEST_EQUAL(res, 0);
TEST_EQUAL(md_alg, (mbedtls_md_type_t) do_hash_alg);
md_info = mbedtls_md_info_from_type(md_alg);
res = mbedtls_md(md_info, data, datalen, hash);
TEST_EQUAL(res, 0);
res = mbedtls_pkcs7_signed_hash_verify(&pkcs7, &x509, hash, sizeof(hash));
} else {
res = mbedtls_pkcs7_signed_data_verify(&pkcs7, &x509, data, datalen);
/* crt_files are space seprated list */
for (i = 0; i < strlen(crt_files); i++) {
if (crt_files[i] == ' ') {
n_crts++;
}
}
TEST_EQUAL(res, res_expect);
exit:
mbedtls_x509_crt_free(&x509);
mbedtls_free(data);
mbedtls_pkcs7_free(&pkcs7);
mbedtls_free(pkcs7_buf);
USE_PSA_DONE();
}
/* END_CASE */
ASSERT_ALLOC(crts, sizeof(*crts)*n_crts);
ASSERT_ALLOC(crt_files_arr, sizeof(*crt_files_arr)*n_crts);
/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_PKCS1_V15:MBEDTLS_RSA_C */
void pkcs7_verify_multiple_signers(char *pkcs7_file,
char *crt1,
char *crt2,
char *filetobesigned,
int do_hash_alg,
int res_expect)
{
unsigned char *pkcs7_buf = NULL;
size_t buflen;
unsigned char *data = NULL;
unsigned char hash[32];
struct stat st;
size_t datalen;
int res;
FILE *file;
const mbedtls_md_info_t *md_info;
mbedtls_md_type_t md_alg;
mbedtls_pkcs7 pkcs7;
mbedtls_x509_crt x509_1;
mbedtls_x509_crt x509_2;
for (i = 0; i < strlen(crt_files); i++) {
for (k = i; k < strlen(crt_files); k++) {
if (crt_files[k] == ' ') {
break;
}
}
ASSERT_ALLOC(crt_files_arr[cnt], (k-i)+1);
crt_files_arr[cnt][k-i] = '\0';
memcpy(crt_files_arr[cnt++], crt_files + i, k-i);
i = k;
}
mbedtls_pkcs7_init(&pkcs7);
mbedtls_x509_crt_init(&x509_1);
mbedtls_x509_crt_init(&x509_2);
for (i = 0; i < n_crts; i++) {
ASSERT_ALLOC(crts[i], sizeof(*crts[i]));
mbedtls_x509_crt_init(crts[i]);
}
USE_PSA_INIT();
@ -142,13 +111,12 @@ void pkcs7_verify_multiple_signers(char *pkcs7_file,
res = mbedtls_pkcs7_parse_der(&pkcs7, pkcs7_buf, buflen);
TEST_EQUAL(res, MBEDTLS_PKCS7_SIGNED_DATA);
TEST_EQUAL(pkcs7.signed_data.no_of_signers, 2);
TEST_EQUAL(pkcs7.signed_data.no_of_signers, n_crts);
res = mbedtls_x509_crt_parse_file(&x509_1, crt1);
TEST_EQUAL(res, 0);
res = mbedtls_x509_crt_parse_file(&x509_2, crt2);
TEST_EQUAL(res, 0);
for (i = 0; i < n_crts; i++) {
res = mbedtls_x509_crt_parse_file(crts[i], crt_files_arr[i]);
TEST_EQUAL(res, 0);
}
res = stat(filetobesigned, &st);
TEST_EQUAL(res, 0);
@ -164,29 +132,34 @@ void pkcs7_verify_multiple_signers(char *pkcs7_file,
fclose(file);
if (do_hash_alg) {
res = mbedtls_oid_get_md_alg(&pkcs7.signed_data.digest_alg_identifiers, &md_alg);
TEST_EQUAL(res, 0);
TEST_EQUAL(md_alg, MBEDTLS_MD_SHA256);
md_info = mbedtls_md_info_from_type(md_alg);
md_info = mbedtls_md_info_from_type((mbedtls_md_type_t) do_hash_alg);
ASSERT_ALLOC(hash, mbedtls_md_get_size(md_info));
res = mbedtls_md(md_info, data, datalen, hash);
TEST_EQUAL(res, 0);
res = mbedtls_pkcs7_signed_hash_verify(&pkcs7, &x509_1, hash, sizeof(hash));
TEST_EQUAL(res, res_expect);
for (i = 0; i < n_crts; i++) {
res =
mbedtls_pkcs7_signed_hash_verify(&pkcs7, crts[i], hash,
mbedtls_md_get_size(md_info));
TEST_EQUAL(res, res_expect);
}
} else {
res = mbedtls_pkcs7_signed_data_verify(&pkcs7, &x509_1, data, datalen);
TEST_EQUAL(res, res_expect);
for (i = 0; i < n_crts; i++) {
res = mbedtls_pkcs7_signed_data_verify(&pkcs7, crts[i], data, datalen);
TEST_EQUAL(res, res_expect);
}
}
res = mbedtls_pkcs7_signed_data_verify(&pkcs7, &x509_2, data, datalen);
TEST_EQUAL(res, res_expect);
exit:
mbedtls_x509_crt_free(&x509_1);
mbedtls_x509_crt_free(&x509_2);
for (i = 0; i < n_crts; i++) {
mbedtls_x509_crt_free(crts[i]);
mbedtls_free(crts[i]);
mbedtls_free(crt_files_arr[i]);
}
mbedtls_free(hash);
mbedtls_pkcs7_free(&pkcs7);
mbedtls_free(crt_files_arr);
mbedtls_free(crts);
mbedtls_free(data);
mbedtls_free(pkcs7_buf);
USE_PSA_DONE();