Merge pull request #1881 from SparkiDev/pkcs7_no_si
Return error when attempting to verify signed data without signers
toddouska committed Oct 22, 2018
2 parents 878b592 + 67bb558 commit 22aa01a
Showing 3 changed files with 68 additions and 62 deletions.
3 changes: 3 additions & 0 deletions wolfcrypt/src/error.c
@@ -497,6 +497,9 @@ const char* wc_GetErrorString(int error)
case ZLIB_DECOMPRESS_ERROR:
return "zlib decompress error";

case PKCS7_NO_SIGNER_E:
return "No signer in PKCS#7 signed data";

default:
return "unknown error number";

123 changes: 62 additions & 61 deletions wolfcrypt/src/pkcs7.c
@@ -2223,88 +2223,89 @@ static int PKCS7_VerifySignedData(PKCS7* pkcs7, const byte* hashBuf,
if (GetSet(pkiMsg2, &idx, &length, pkiMsg2Sz) < 0)
return ASN_PARSE_E;

if (length > 0) {
/* Get the sequence of the first signerInfo */
if (GetSequence(pkiMsg2, &idx, &length, pkiMsg2Sz) < 0)
return ASN_PARSE_E;

/* Get the version */
if (GetMyVersion(pkiMsg2, &idx, &version, pkiMsg2Sz) < 0)
return ASN_PARSE_E;
if (length == 0)
return PKCS7_NO_SIGNER_E;

if (version != 1) {
WOLFSSL_MSG("PKCS#7 signerInfo needs to be of version 1");
return ASN_VERSION_E;
}
/* Get the sequence of the first signerInfo */
if (GetSequence(pkiMsg2, &idx, &length, pkiMsg2Sz) < 0)
return ASN_PARSE_E;

/* Get the sequence of IssuerAndSerialNumber */
if (GetSequence(pkiMsg2, &idx, &length, pkiMsg2Sz) < 0)
return ASN_PARSE_E;
/* Get the version */
if (GetMyVersion(pkiMsg2, &idx, &version, pkiMsg2Sz) < 0)
return ASN_PARSE_E;

/* Skip it */
idx += length;
if (version != 1) {
WOLFSSL_MSG("PKCS#7 signerInfo needs to be of version 1");
return ASN_VERSION_E;
}

/* Get the sequence of digestAlgorithm */
if (GetAlgoId(pkiMsg2, &idx, &hashOID, oidHashType, pkiMsg2Sz) < 0) {
return ASN_PARSE_E;
}
pkcs7->hashOID = (int)hashOID;
/* Get the sequence of IssuerAndSerialNumber */
if (GetSequence(pkiMsg2, &idx, &length, pkiMsg2Sz) < 0)
return ASN_PARSE_E;

/* Get the IMPLICIT[0] SET OF signedAttributes */
if (pkiMsg2[idx] == (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 0)) {
idx++;
/* Skip it */
idx += length;

if (GetLength(pkiMsg2, &idx, &length, pkiMsg2Sz) < 0)
return ASN_PARSE_E;
/* Get the sequence of digestAlgorithm */
if (GetAlgoId(pkiMsg2, &idx, &hashOID, oidHashType, pkiMsg2Sz) < 0) {
return ASN_PARSE_E;
}
pkcs7->hashOID = (int)hashOID;

/* save pointer and length */
signedAttrib = &pkiMsg2[idx];
signedAttribSz = length;
/* Get the IMPLICIT[0] SET OF signedAttributes */
if (pkiMsg2[idx] == (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 0)) {
idx++;

if (wc_PKCS7_ParseAttribs(pkcs7, signedAttrib, signedAttribSz) <0) {
WOLFSSL_MSG("Error parsing signed attributes");
return ASN_PARSE_E;
}
if (GetLength(pkiMsg2, &idx, &length, pkiMsg2Sz) < 0)
return ASN_PARSE_E;

idx += length;
}
/* save pointer and length */
signedAttrib = &pkiMsg2[idx];
signedAttribSz = length;

/* Get digestEncryptionAlgorithm */
if (GetAlgoId(pkiMsg2, &idx, &sigOID, oidSigType, pkiMsg2Sz) < 0) {
if (wc_PKCS7_ParseAttribs(pkcs7, signedAttrib, signedAttribSz) <0) {
WOLFSSL_MSG("Error parsing signed attributes");
return ASN_PARSE_E;
}

/* store public key type based on digestEncryptionAlgorithm */
ret = wc_PKCS7_SetPublicKeyOID(pkcs7, sigOID);
if (ret <= 0) {
WOLFSSL_MSG("Failed to set public key OID from signature");
return ret;
}
idx += length;
}

/* Get the signature */
if (pkiMsg2[idx] == ASN_OCTET_STRING) {
idx++;
/* Get digestEncryptionAlgorithm */
if (GetAlgoId(pkiMsg2, &idx, &sigOID, oidSigType, pkiMsg2Sz) < 0) {
return ASN_PARSE_E;
}

if (GetLength(pkiMsg2, &idx, &length, pkiMsg2Sz) < 0)
return ASN_PARSE_E;
/* store public key type based on digestEncryptionAlgorithm */
ret = wc_PKCS7_SetPublicKeyOID(pkcs7, sigOID);
if (ret <= 0) {
WOLFSSL_MSG("Failed to set public key OID from signature");
return ret;
}

/* save pointer and length */
sig = &pkiMsg2[idx];
sigSz = length;
/* Get the signature */
if (pkiMsg2[idx] == ASN_OCTET_STRING) {
idx++;

idx += length;
}
if (GetLength(pkiMsg2, &idx, &length, pkiMsg2Sz) < 0)
return ASN_PARSE_E;

pkcs7->content = content;
pkcs7->contentSz = contentSz;
/* save pointer and length */
sig = &pkiMsg2[idx];
sigSz = length;

ret = wc_PKCS7_SignedDataVerifySignature(pkcs7, sig, sigSz,
signedAttrib, signedAttribSz,
hashBuf, hashSz);
if (ret < 0)
return ret;
idx += length;
}

pkcs7->content = content;
pkcs7->contentSz = contentSz;

ret = wc_PKCS7_SignedDataVerifySignature(pkcs7, sig, sigSz,
signedAttrib, signedAttribSz,
hashBuf, hashSz);
if (ret < 0)
return ret;

return 0;
}

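Review bot: A signerInfo with no signature OCTET STRING still reaches `wc_PKCS7_SignedDataVerifySignature`, because the `if (pkiMsg2[idx] == ASN_OCTET_STRING)` block has no else branch and `sig`/`sigSz` keep whatever values they were given above the hunk. Now that an empty signer set is rejected explicitly, this path deserves the same treatment, for example `else return ASN_PARSE_E;` after that block. Both tag tests (the signedAttributes one and the signature one) also read `pkiMsg2[idx]` without first comparing `idx` with `pkiMsg2Sz`, so unless the preceding helpers guarantee a following byte, a truncated message could be read one byte past its end; `if (idx >= pkiMsg2Sz) return ASN_PARSE_E;` before each test would close that. The function begins above the hunk, so the declarations and initial values of `sig`, `sigSz` and `signedAttrib` are not visible here and should be confirmed.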
4 changes: 3 additions & 1 deletion wolfssl/wolfcrypt/error-crypt.h
@@ -220,7 +220,9 @@ enum {
ZLIB_COMPRESS_ERROR = -267, /* zlib compression error */
ZLIB_DECOMPRESS_ERROR = -268, /* zlib decompression error */

WC_LAST_E = -268, /* Update this to indicate last error */
PKCS7_NO_SIGNER_E = -269, /* No signer in PKCS#7 signed data msg */

WC_LAST_E = -269, /* Update this to indicate last error */
MIN_CODE_E = -300 /* errors -101 - -299 */

/* add new companion error id strings for any new error codes
