Merge pull request #4625 from dgarske/zd13208

Fix for PKCS7 verify to handle content type OID with indef BER encoding
2021-12-20 14:49:59 +10:00 · 2021-12-20 14:49:59 +10:00 · 6d2da74c21
commit 6d2da74c21
parent ce4f436d0f 2477574a69
2 changed files with 18 additions and 10 deletions
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@ -3299,7 +3299,7 @@ static int GetBerHeader(const byte* data, word32* idx, word32 maxIdx,
    tag = data[i++];

    /* Indefinite length handled specially */
-    if (data[i] == 0x80) {
+    if (data[i] == ASN_INDEF_LENGTH) {
        /* Check valid tag for indefinite */
        if (((tag & 0xc0) == 0) && ((tag & ASN_CONSTRUCTED) == 0x00)) {
            return ASN_PARSE_E;
--- a/wolfcrypt/src/pkcs7.c
+++ b/wolfcrypt/src/pkcs7.c
@ -4436,7 +4436,7 @@ static int PKCS7_VerifySignedData(PKCS7* pkcs7, const byte* hashBuf,
                        NO_USER_CHECK) < 0)
                ret = ASN_PARSE_E;

-            if (ret == 0 && length == 0 && pkiMsg[idx-1] == 0x80) {
+            if (ret == 0 && length == 0 && pkiMsg[idx-1] == ASN_INDEF_LENGTH) {
        #ifdef ASN_BER_TO_DER
                word32 len = 0;

@ -4512,7 +4512,7 @@ static int PKCS7_VerifySignedData(PKCS7* pkcs7, const byte* hashBuf,

            /* Skip the set. */
            idx += length;
-            degenerate = (length == 0)? 1 : 0;
+            degenerate = (length == 0) ? 1 : 0;
            if (pkcs7->noDegenerate == 1 && degenerate == 1) {
                ret = PKCS7_NO_SIGNER_E;
            }
@ -4559,15 +4559,23 @@ static int PKCS7_VerifySignedData(PKCS7* pkcs7, const byte* hashBuf,

            /* Get the inner ContentInfo contentType */
            if (ret == 0) {
+                int isIndef = 0;
                word32 tmpIdx = idx;
-
-                if (GetASNObjectId(pkiMsg, &idx, &length, pkiMsgSz) != 0)
+                if (length == 0 && pkiMsg[idx-1] == ASN_INDEF_LENGTH) {
+                    isIndef = 1;
+                }
+                if (GetASNObjectId(pkiMsg, &idx, &length, pkiMsgSz) == 0) {
+                    contentType = pkiMsg + tmpIdx;
+                    contentTypeSz = length + (idx - tmpIdx);
+                    idx += length;
+                }
+                else {
                    ret = ASN_PARSE_E;
-
-                contentType = pkiMsg + tmpIdx;
-                contentTypeSz = length + (idx - tmpIdx);
-
-                idx += length;
+                }
+                /* if indef, skip EOF */
+                if (isIndef && pkiMsg[idx] == ASN_EOC && pkiMsg[idx+1] == 0) {
+                    idx += 2; /* skip EOF + zero byte */
+                }
            }

            if (ret != 0)