From c288d0815df031dc082d7b0b07ba231f637b6e8d Mon Sep 17 00:00:00 2001 From: David Garske Date: Tue, 3 Apr 2018 09:26:57 -0700 Subject: [PATCH] Added support for building and using PKCS7 without RSA (assuming ECC is enabled). --- configure.ac | 5 +- tests/api.c | 121 +++++++++++++++++++++++++++++++++++++++--- wolfcrypt/src/pkcs7.c | 14 +++-- 3 files changed, 127 insertions(+), 13 deletions(-) diff --git a/configure.ac b/configure.ac index 1be4dbbdf..c24d945eb 100644 --- a/configure.ac +++ b/configure.ac @@ -3907,8 +3907,9 @@ AS_IF([test "x$ENABLED_OCSP" = "xyes" && \ # checks for pkcs7 needed enables AS_IF([test "x$ENABLED_PKCS7" = "xyes" && \ - test "x$ENABLED_RSA" = "xno"], - [AC_MSG_ERROR([please enable rsa if enabling pkcs7.])]) + test "x$ENABLED_RSA" = "xno" && \ + test "x$ENABLED_ECC" = "xno"], + [AC_MSG_ERROR([please enable ecc or rsa if enabling pkcs7.])]) AS_IF([test "x$ENABLED_PKCS7" = "xyes" && \ test "x$ENABLED_SHA" = "xno"], diff --git a/tests/api.c b/tests/api.c index 865a12d68..dc74da332 100644 --- a/tests/api.c +++ b/tests/api.c @@ -307,6 +307,9 @@ #ifndef USE_CERT_BUFFERS_2048 #define USE_CERT_BUFFERS_2048 #endif +#ifndef USE_CERT_BUFFERS_256 + #define USE_CERT_BUFFERS_256 +#endif #include typedef struct testVector { @@ -13918,6 +13921,7 @@ static void test_wc_PKCS7_InitWithCert (void) #if defined(HAVE_PKCS7) PKCS7 pkcs7; +#ifndef NO_RSA #if defined(USE_CERT_BUFFERS_2048) unsigned char cert[sizeof_client_cert_der_2048]; int certSz = (int)sizeof(cert); @@ -13932,14 +13936,33 @@ static void test_wc_PKCS7_InitWithCert (void) unsigned char cert[ONEK_BUF]; FILE* fp; int certSz; - fp = fopen("./certs/client_cert_der_1024", "rb"); + fp = fopen("./certs/1024/client-cert.der", "rb"); AssertNotNull(fp); certSz = fread(cert, 1, sizeof_client_cert_der_1024, fp); fclose(fp); #endif +#elif defined(HAVE_ECC) + #if defined(USE_CERT_BUFFERS_256) + unsigned char cert[sizeof_cliecc_cert_der_256]; + int certSz = (int)sizeof(cert); + XMEMSET(cert, 0, certSz); + XMEMCPY(cert, cliecc_cert_der_256, sizeof_cliecc_cert_der_256); + #else + unsigned char cert[ONEK_BUF]; + FILE* fp; + int certSz; + fp = fopen("./certs/client-ecc-cert.der", "rb"); + AssertNotNull(fp); + + certSz = fread(cert, 1, sizeof_cliecc_cert_der_256, fp); + fclose(fp); + #endif +#else + #error PKCS7 requires ECC or RSA +#endif printf(testingFmt, "wc_PKCS7_InitWithCert()"); /* If initialization is not successful, it's free'd in init func. */ AssertIntEQ(wc_PKCS7_InitWithCert(&pkcs7, (byte*)cert, (word32)certSz), 0); @@ -13972,6 +13995,7 @@ static void test_wc_PKCS7_EncodeData (void) byte output[FOURK_BUF]; byte data[] = "My encoded DER cert."; +#ifndef NO_RSA #if defined(USE_CERT_BUFFERS_2048) unsigned char cert[sizeof_client_cert_der_2048]; unsigned char key[sizeof_client_key_der_2048]; @@ -13998,16 +14022,43 @@ static void test_wc_PKCS7_EncodeData (void) int certSz; int keySz; - fp = fopen("./certs/client_cert_der_1024", "rb"); + fp = fopen("./certs/1024/client-cert.der", "rb"); AssertNotNull(fp); certSz = fread(cert, 1, sizeof_client_cert_der_1024, fp); fclose(fp); - fp = fopen("./certs/client_key_der_1024", "rb"); + fp = fopen("./certs/1024/client-key.der", "rb"); AssertNotNull(fp); keySz = fread(key, 1, sizeof_client_key_der_1024, fp); fclose(fp); #endif +#elif defined(HAVE_ECC) + #if defined(USE_CERT_BUFFERS_256) + unsigned char cert[sizeof_cliecc_cert_der_256]; + unsigned char key[sizeof_ecc_clikey_der_256]; + int certSz = (int)sizeof(cert); + int keySz = (int)sizeof(key); + XMEMSET(cert, 0, certSz); + XMEMSET(key, 0, keySz); + XMEMCPY(cert, cliecc_cert_der_256, sizeof_cliecc_cert_der_256); + XMEMCPY(key, ecc_clikey_der_256, sizeof_ecc_clikey_der_256); + #else + unsigned char cert[ONEK_BUF]; + unsigned char key[ONEK_BUF]; + FILE* fp; + int certSz, keySz; + + fp = fopen("./certs/client-ecc-cert.der", "rb"); + AssertNotNull(fp); + certSz = fread(cert, 1, sizeof_cliecc_cert_der_256, fp); + fclose(fp); + + fp = fopen("./certs/client-ecc-key.der", "rb"); + AssertNotNull(fp); + keySz = fread(key, 1, sizeof_ecc_clikey_der_256, fp); + fclose(fp); + #endif +#endif XMEMSET(output, 0, sizeof(output)); @@ -14049,6 +14100,7 @@ static void test_wc_PKCS7_EncodeSignedData (void) word32 badOutSz = (word32)sizeof(badOut); byte data[] = "Test data to encode."; +#ifndef NO_RSA #if defined(USE_CERT_BUFFERS_2048) byte key[sizeof_client_key_der_2048]; byte cert[sizeof_client_cert_der_2048]; @@ -14074,16 +14126,43 @@ static void test_wc_PKCS7_EncodeSignedData (void) int certSz; int keySz; - fp = fopen("./certs/client_cert_der_1024", "rb"); + fp = fopen("./certs/1024/client-cert.der", "rb"); AssertNotNull(fp); certSz = fread(cert, 1, sizeof_client_cert_der_1024, fp); fclose(fp); - fp = fopen("./certs/client_key_der_1024", "rb"); + fp = fopen("./certs/1024/client-key.der", "rb"); AssertNotNull(fp); keySz = fread(key, 1, sizeof_client_key_der_1024, fp); fclose(fp); #endif +#elif defined(HAVE_ECC) + #if defined(USE_CERT_BUFFERS_256) + unsigned char cert[sizeof_cliecc_cert_der_256]; + unsigned char key[sizeof_ecc_clikey_der_256]; + int certSz = (int)sizeof(cert); + int keySz = (int)sizeof(key); + XMEMSET(cert, 0, certSz); + XMEMSET(key, 0, keySz); + XMEMCPY(cert, cliecc_cert_der_256, sizeof_cliecc_cert_der_256); + XMEMCPY(key, ecc_clikey_der_256, sizeof_ecc_clikey_der_256); + #else + unsigned char cert[ONEK_BUF]; + unsigned char key[ONEK_BUF]; + FILE* fp; + int certSz, keySz; + + fp = fopen("./certs/client-ecc-cert.der", "rb"); + AssertNotNull(fp); + certSz = fread(cert, 1, sizeof_cliecc_cert_der_256, fp); + fclose(fp); + + fp = fopen("./certs/client-ecc-key.der", "rb"); + AssertNotNull(fp); + keySz = fread(key, 1, sizeof_ecc_clikey_der_256, fp); + fclose(fp); + #endif +#endif XMEMSET(output, 0, outputSz); AssertIntEQ(wc_InitRng(&rng), 0); @@ -14135,6 +14214,7 @@ static void test_wc_PKCS7_VerifySignedData(void) word32 badOutSz = (word32)sizeof(badOut); byte data[] = "Test data to encode."; +#ifndef NO_RSA #if defined(USE_CERT_BUFFERS_2048) byte key[sizeof_client_key_der_2048]; byte cert[sizeof_client_cert_der_2048]; @@ -14160,16 +14240,43 @@ static void test_wc_PKCS7_VerifySignedData(void) int certSz; int keySz; - fp = fopen("./certs/client_cert_der_1024", "rb"); + fp = fopen("./certs/1024/client-cert.der", "rb"); AssertNotNull(fp); certSz = fread(cert, 1, sizeof_client_cert_der_1024, fp); fclose(fp); - fp = fopen("./certs/client_key_der_1024", "rb"); + fp = fopen("./certs/1024/client-key.der", "rb"); AssertNotNull(fp); keySz = fread(key, 1, sizeof_client_key_der_1024, fp); fclose(fp); #endif +#elif defined(HAVE_ECC) + #if defined(USE_CERT_BUFFERS_256) + unsigned char cert[sizeof_cliecc_cert_der_256]; + unsigned char key[sizeof_ecc_clikey_der_256]; + int certSz = (int)sizeof(cert); + int keySz = (int)sizeof(key); + XMEMSET(cert, 0, certSz); + XMEMSET(key, 0, keySz); + XMEMCPY(cert, cliecc_cert_der_256, sizeof_cliecc_cert_der_256); + XMEMCPY(key, ecc_clikey_der_256, sizeof_ecc_clikey_der_256); + #else + unsigned char cert[ONEK_BUF]; + unsigned char key[ONEK_BUF]; + FILE* fp; + int certSz, keySz; + + fp = fopen("./certs/client-ecc-cert.der", "rb"); + AssertNotNull(fp); + certSz = fread(cert, 1, sizeof_cliecc_cert_der_256, fp); + fclose(fp); + + fp = fopen("./certs/client-ecc-key.der", "rb"); + AssertNotNull(fp); + keySz = fread(key, 1, sizeof_ecc_clikey_der_256, fp); + fclose(fp); + #endif +#endif XMEMSET(output, 0, outputSz); AssertIntEQ(wc_InitRng(&rng), 0); diff --git a/wolfcrypt/src/pkcs7.c b/wolfcrypt/src/pkcs7.c index 764d49440..1991834fe 100644 --- a/wolfcrypt/src/pkcs7.c +++ b/wolfcrypt/src/pkcs7.c @@ -2908,6 +2908,7 @@ static int wc_CreateKeyAgreeRecipientInfo(PKCS7* pkcs7, const byte* cert, #endif /* HAVE_ECC */ +#ifndef NO_RSA /* create ASN.1 formatted RecipientInfo structure, returns sequence size */ static int wc_CreateRecipientInfo(const byte* cert, word32 certSz, @@ -3128,6 +3129,7 @@ static int wc_CreateRecipientInfo(const byte* cert, word32 certSz, return totalSz; } +#endif /* !NO_RSA */ /* encrypt content using encryptOID algo */ @@ -3457,7 +3459,7 @@ int wc_PKCS7_EncodeEnvelopedData(PKCS7* pkcs7, byte* output, word32 outputSz) /* build RecipientInfo, only handle 1 for now */ switch (pkcs7->publicKeyOID) { - +#ifndef NO_RSA case RSAk: recipSz = wc_CreateRecipientInfo(pkcs7->singleCert, pkcs7->singleCertSz, @@ -3466,7 +3468,7 @@ int wc_PKCS7_EncodeEnvelopedData(PKCS7* pkcs7, byte* output, word32 outputSz) contentKeyEnc, &contentKeyEncSz, recip, MAX_RECIP_SZ, pkcs7->heap); break; - +#endif #ifdef HAVE_ECC case ECDSAk: recipSz = wc_CreateKeyAgreeRecipientInfo(pkcs7, pkcs7->singleCert, @@ -3656,7 +3658,7 @@ int wc_PKCS7_EncodeEnvelopedData(PKCS7* pkcs7, byte* output, word32 outputSz) return idx; } - +#ifndef NO_RSA /* decode KeyTransRecipientInfo (ktri), return 0 on success, <0 on error */ static int wc_PKCS7_DecodeKtri(PKCS7* pkcs7, byte* pkiMsg, word32 pkiMsgSz, word32* idx, byte* decryptedKey, @@ -3819,7 +3821,7 @@ static int wc_PKCS7_DecodeKtri(PKCS7* pkcs7, byte* pkiMsg, word32 pkiMsgSz, return 0; } - +#endif /* !NO_RSA */ #ifdef HAVE_ECC @@ -4353,12 +4355,16 @@ static int wc_PKCS7_DecodeRecipientInfos(PKCS7* pkcs7, byte* pkiMsg, if (version != 0) return ASN_VERSION_E; + #ifndef NO_RSA /* found ktri */ ret = wc_PKCS7_DecodeKtri(pkcs7, pkiMsg, pkiMsgSz, idx, decryptedKey, decryptedKeySz, recipFound); if (ret != 0) return ret; + #else + return NOT_COMPILED_IN; + #endif } else { /* kari is IMPLICIT[1] */