In response to feedback[1], we can reuse much of the functions in
similar test cases by specifying some additional parameters.
Specifically, test cases which probe the functionality of
`mbedtls_pkcs7_parse_der` have all been merged into one test function.
Additionally, all test cases which examine the
`mbedtls_pkcs7_signed_data_verify` and `mbedtls_pkcs7_signed_hash_verify`
functions have been merged into two test functions (one for single and one
for multiple signers).
[1] https://github.com/Mbed-TLS/mbedtls/pull/3431#discussion_r953686780
Signed-off-by: Nick Child <nick.child@ibm.com>
Make `mbedtls_pkcs7_signed_hash_verify` loop over all signatures in the
PKCS7 structure and return success if any of them verify successfully.
Signed-off-by: Nick Child <nick.child@ibm.com>
Rather than only parsing/verifying one SignerInfo in the SignerInfos
field of the PKCS7 stucture, allow the ability to parse and verify more
than one signature. Verification will return success if any of the signatures
produce a match.
Signed-off-by: Daniel Axtens <dja@axtens.net>
Signed-off-by: Nick Child <nick.child@ibm.com>
Fixes include removing PEM dependency for greater
coverage when PEM config is not set and defining
test dependencies at the appropriate level.
Signed-off-by: Nick Child <nick.child@ibm.com>
OpenSSL provides APIs to generate only the signted data
format PKCS7 i.e. without content type OID. This patch
adds support to parse the data correctly even if formatted
only as signed data
Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
PKCS7 signing format is used by OpenPOWER Key Management, which is
using mbedtls as its crypto library.
This patch adds the limited support of pkcs7 parser and verification
to the mbedtls. The limitations are:
* Only signed data is supported.
* CRLs are not currently handled.
* Single signer is supported.
Signed-off-by: Daniel Axtens <dja@axtens.net>
Signed-off-by: Eric Richter <erichte@linux.ibm.com>
Signed-off-by: Nayna Jain <nayna@linux.ibm.com>