diff --git a/ctaocrypt/src/asn.c b/ctaocrypt/src/asn.c index c76ee571e..7e73db492 100644 --- a/ctaocrypt/src/asn.c +++ b/ctaocrypt/src/asn.c @@ -1618,8 +1618,10 @@ static int GetName(DecodedCert* cert, int nameType) #ifdef HAVE_PKCS7 /* store pointer to raw issuer */ - cert->issuerRaw = &cert->source[cert->srcIdx]; - cert->issuerRawLen = length - cert->srcIdx; + if (nameType == ISSUER) { + cert->issuerRaw = &cert->source[cert->srcIdx]; + cert->issuerRawLen = length - cert->srcIdx; + } #endif while (cert->srcIdx < (word32)length) { diff --git a/ctaocrypt/src/pkcs7.c b/ctaocrypt/src/pkcs7.c index 5afa96138..8bd76c1dd 100644 --- a/ctaocrypt/src/pkcs7.c +++ b/ctaocrypt/src/pkcs7.c @@ -38,9 +38,12 @@ } #endif + +/* placed ASN.1 contentType OID into *output, return idx on success, + * 0 upon failure */ CYASSL_LOCAL int SetContentType(int pkcs7TypeOID, byte* output) { - /* PKCS#7 content types */ + /* PKCS#7 content types, RFC 2315, section 14 */ static const byte pkcs7[] = { 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07 }; static const byte data[] = { 0x2A, 0x86, 0x48, 0x86, 0xF7, @@ -113,6 +116,8 @@ CYASSL_LOCAL int SetContentType(int pkcs7TypeOID, byte* output) } + +/* get ASN.1 contentType OID sum, return 0 on success, <0 on failure */ int GetContentType(const byte* input, word32* inOutIdx, word32* oid, word32 maxIdx) { @@ -141,6 +146,7 @@ int GetContentType(const byte* input, word32* inOutIdx, word32* oid, } +/* init PKCS7 struct with recipient cert, decode into DecodedCert */ int PKCS7_InitWithCert(PKCS7* pkcs7, byte* cert, word32 certSz) { int ret = 0; @@ -171,6 +177,7 @@ int PKCS7_InitWithCert(PKCS7* pkcs7, byte* cert, word32 certSz) } +/* build PKCS#7 data content type */ int PKCS7_EncodeData(PKCS7* pkcs7, byte* output, word32 outputSz) { static const byte oid[] = @@ -300,6 +307,7 @@ static int FlattenAttributes(byte* output, EncodedAttrib* ea, int eaSz) } +/* build PKCS#7 signedData content type */ int PKCS7_EncodeSignedData(PKCS7* pkcs7, byte* output, word32 outputSz) { static const byte outerOid[] = @@ -640,6 +648,7 @@ CYASSL_LOCAL int CreateRecipientInfo(const byte* cert, word32 certSz, } +/* build PKCS#7 envelopedData content type, return enveloped size */ int PKCS7_EncodeEnvelopeData(PKCS7* pkcs7, byte* output, word32 outputSz) { int i, idx = 0; @@ -679,6 +688,7 @@ int PKCS7_EncodeEnvelopeData(PKCS7* pkcs7, byte* output, word32 outputSz) if (output == NULL || outputSz == 0) return BAD_FUNC_ARG; + /* PKCS#7 only supports DES, 3DES for now */ switch (pkcs7->encryptOID) { case DESb: blockKeySz = DES_KEYLEN; @@ -696,7 +706,7 @@ int PKCS7_EncodeEnvelopeData(PKCS7* pkcs7, byte* output, word32 outputSz) /* outer content type */ outerContentTypeSz = SetContentType(ENVELOPED_DATA, outerContentType); - /* version */ + /* version, defined as 0 in RFC 2315 */ verSz = SetMyVersion(0, ver, 0); /* generate random content encryption key */ @@ -725,7 +735,7 @@ int PKCS7_EncodeEnvelopeData(PKCS7* pkcs7, byte* output, word32 outputSz) if (contentEncAlgoSz == 0) return BAD_FUNC_ARG; - /* allocate memory for encrypted content, pad if necessary */ + /* allocate encrypted content buffer, pad if necessary, PKCS#7 padding */ padSz = DES_BLOCK_SIZE - (pkcs7->contentSz % DES_BLOCK_SIZE); desOutSz = pkcs7->contentSz + padSz; @@ -838,6 +848,7 @@ int PKCS7_EncodeEnvelopeData(PKCS7* pkcs7, byte* output, word32 outputSz) return idx; } +/* unwrap and decrypt PKCS#7 envelopedData object, return decoded size */ CYASSL_API int PKCS7_DecodeEnvelopedData(PKCS7* pkcs7, byte* pkiMsg, word32 pkiMsgSz, byte* output, word32 outputSz) @@ -889,7 +900,7 @@ CYASSL_API int PKCS7_DecodeEnvelopedData(PKCS7* pkcs7, byte* pkiMsg, idx = 0; - /* read past ContentInfo, verify type */ + /* read past ContentInfo, verify type is envelopedData */ if (GetSequence(pkiMsg, &idx, &length, pkiMsgSz) < 0) return ASN_PARSE_E; @@ -907,7 +918,7 @@ CYASSL_API int PKCS7_DecodeEnvelopedData(PKCS7* pkcs7, byte* pkiMsg, if (GetLength(pkiMsg, &idx, &length, pkiMsgSz) < 0) return ASN_PARSE_E; - /* remove EnvelopedData */ + /* remove EnvelopedData and version */ if (GetSequence(pkiMsg, &idx, &length, pkiMsgSz) < 0) return ASN_PARSE_E; @@ -959,6 +970,7 @@ CYASSL_API int PKCS7_DecodeEnvelopedData(PKCS7* pkcs7, byte* pkiMsg, if (GetNameHash(pkiMsg, &idx, issuerHash, pkiMsgSz) < 0) return ASN_PARSE_E; + /* if we found correct recipient, issuer hashes will match */ if (XMEMCMP(issuerHash, decoded.issuerHash, SHA_DIGEST_SIZE) == 0) { recipFound = 1; } @@ -969,6 +981,7 @@ CYASSL_API int PKCS7_DecodeEnvelopedData(PKCS7* pkcs7, byte* pkiMsg, if (GetAlgoId(pkiMsg, &idx, &encOID, pkiMsgSz) < 0) return ASN_PARSE_E; + /* key encryption algorithm must be RSA for now */ if (encOID != RSAk) return ALGO_ID_E; diff --git a/cyassl/ctaocrypt/pkcs7.h b/cyassl/ctaocrypt/pkcs7.h index 73fc96b4e..8dad31748 100644 --- a/cyassl/ctaocrypt/pkcs7.h +++ b/cyassl/ctaocrypt/pkcs7.h @@ -35,8 +35,9 @@ extern "C" { #endif +/* PKCS#7 content types, ref RFC 2315 (Section 14) */ enum PKCS7_TYPES { - PKCS7_MSG = 650, /* 1.2.840.113549.1.7 */ + PKCS7_MSG = 650, /* 1.2.840.113549.1.7 */ DATA = 651, /* 1.2.840.113549.1.7.1 */ SIGNED_DATA = 652, /* 1.2.840.113549.1.7.2 */ ENVELOPED_DATA = 653, /* 1.2.840.113549.1.7.3 */ @@ -46,8 +47,8 @@ enum PKCS7_TYPES { }; enum Pkcs7_Misc { - MAX_ENCRYPTED_KEY_SZ = 512, /* max enc. key size, RSA <= 4096 */ - MAX_CONTENT_KEY_LEN = DES3_KEYLEN, + MAX_ENCRYPTED_KEY_SZ = 512, /* max enc. key size, RSA <= 4096 */ + MAX_CONTENT_KEY_LEN = DES3_KEYLEN, /* highest current cipher is 3DES */ MAX_RECIP_SZ = MAX_VERSION_SZ + MAX_SEQ_SZ + ASN_NAME_MAX + MAX_SN_SZ + MAX_SEQ_SZ + MAX_ALGO_SZ + 1 + MAX_ENCRYPTED_KEY_SZ