Merge pull request #422 from JacobBarthelmeh/pkcs7-examples

douzzer · web-flow · commit 93f4e79b1821 · 2024-02-05T16:28:08.000-05:00
add example of no certs bundle and stream mode
diff --git a/pkcs7/envelopedData-ktri.c b/pkcs7/envelopedData-ktri.c
@@ -79,7 +79,8 @@ static int write_file_buffer(const char* fileName, byte* in, word32 inSz)
 }
 
 static int envelopedData_encrypt(byte* cert, word32 certSz, byte* key,
-                                 word32 keySz, byte* out, word32 outSz)
+                                 word32 keySz, byte* out, word32 outSz,
+                                 byte useStreamMode)
 {
     int ret;
     PKCS7* pkcs7;
@@ -93,6 +94,10 @@ static int envelopedData_encrypt(byte* cert, word32 certSz, byte* key,
     pkcs7->contentOID     = DATA;
     pkcs7->encryptOID     = AES256CBCb;
 
+    if (useStreamMode) {
+        wc_PKCS7_SetStreamMode(pkcs7, 1);
+    }
+
     /* add recipient using RSA certificate (KTRI type) */
     ret = wc_PKCS7_AddRecipient_KTRI(pkcs7, cert, certSz, 0);
     if (ret < 0) {
@@ -109,8 +114,8 @@ static int envelopedData_encrypt(byte* cert, word32 certSz, byte* key,
         return -1;
 
     } else {
-        printf("Successfully encoded EnvelopedData bundle (%s)\n",
-                encodedFileKTRI);
+        printf("Successfully encoded EnvelopedData bundle (%s), stream mode"
+               " %d\n", encodedFileKTRI, useStreamMode);
 
         if (write_file_buffer(encodedFileKTRI, out, ret) != 0) {
             printf("ERROR: error writing encoded to output file\n");
@@ -177,7 +182,7 @@ int main(int argc, char** argv)
     byte key[2048];
     byte encrypted[1024];
     byte decrypted[1024];
-    
+
 #ifdef DEBUG_WOLFSSL
     wolfSSL_Debugging_ON();
 #endif
@@ -189,10 +194,18 @@ int main(int argc, char** argv)
         return -1;
 
     encryptedSz = envelopedData_encrypt(cert, certSz, key, keySz,
-                                        encrypted, sizeof(encrypted));
+                                        encrypted, sizeof(encrypted), 0);
     if (encryptedSz < 0)
         return -1;
 
+#ifdef ASN_BER_TO_DER
+    /* recreate the bundle with BER encoding */
+    encryptedSz = envelopedData_encrypt(cert, certSz, key, keySz,
+                                        encrypted, sizeof(encrypted), 1);
+    if (encryptedSz < 0)
+        return -1;
+#endif
+
 #ifdef DEBUG_WOLFSSL
     printf("EnvelopedData DER (%d byte):\n", encryptedSz);
     WOLFSSL_BUFFER(encrypted, encryptedSz);
diff --git a/pkcs7/envelopedDataDecode.c b/pkcs7/envelopedDataDecode.c
@@ -0,0 +1,184 @@
+/* envelopedDataDecode.c
+ *
+ * Copyright (C) 2006-2020 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL. (formerly known as CyaSSL)
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ */
+
+
+#include <wolfssl/options.h>
+#include <wolfssl/wolfcrypt/settings.h>
+#include <wolfssl/wolfcrypt/pkcs7.h>
+#include <wolfssl/wolfcrypt/error-crypt.h>
+#include <wolfssl/wolfcrypt/logging.h>
+
+static int load_certs(const char* certFile, byte* cert, word32* certSz,
+    const char* keyFile, byte* key, word32* keySz)
+{
+    FILE* file;
+
+    /* certificate file */
+    file = fopen(certFile, "rb");
+    if (!file)
+        return -1;
+
+    *certSz = (word32)fread(cert, 1, *certSz, file);
+    fclose(file);
+
+    /* key file */
+    file = fopen(keyFile, "rb");
+    if (!file)
+        return -1;
+
+    *keySz = (word32)fread(key, 1, *keySz, file);
+    fclose(file);
+
+    return 0;
+}
+
+
+static int envelopedData_decrypt(byte* in, word32 inSz, byte* cert,
+                                word32 certSz, byte* key, word32 keySz,
+                                byte* out, word32 outSz)
+{
+    int ret;
+    PKCS7* pkcs7;
+
+    pkcs7 = wc_PKCS7_New(NULL, INVALID_DEVID);
+    if (pkcs7 == NULL)
+        return -1;
+
+    /* init with recipient cert */
+    ret = wc_PKCS7_InitWithCert(pkcs7, cert, certSz);
+    if (ret != 0) {
+        wc_PKCS7_Free(pkcs7);
+        return -1;
+    }
+
+    /* set recipient private key */
+    ret = wc_PKCS7_SetKey(pkcs7, key, keySz);
+    if (ret != 0) {
+        wc_PKCS7_Free(pkcs7);
+        return -1;
+    }
+
+    /* decode envelopedData, returns size */
+    ret = wc_PKCS7_DecodeEnvelopedData(pkcs7, in, inSz, out, outSz);
+    wc_PKCS7_Free(pkcs7);
+
+    if (ret <= 0) {
+        printf("Failed to decode EnvelopedData bundle error of %d\n", ret);
+    }
+    else {
+        printf("Successfully decoded EnvelopedData bundle\n");
+    }
+
+
+    return ret;
+}
+
+#ifdef HAVE_PKCS7
+
+int main(int argc, char** argv)
+{
+    int ret;
+    int encryptedSz, decryptedSz;
+    word32 certSz, keySz;
+
+    byte cert[2048];
+    byte key[2048];
+    byte* encrypted;
+    byte* decrypted;
+
+#ifdef DEBUG_WOLFSSL
+    wolfSSL_Debugging_ON();
+#endif
+
+    if (argc != 4) {
+        printf("expecting DER cert, key, and encrypted bundle as args\n");
+        printf("%s <DER cert> <DER key> <Encrypted bundle>\n", argv[0]);
+        return -1;
+    }
+
+    certSz = sizeof(cert);
+    keySz  = sizeof(key);
+    ret = load_certs(argv[1], cert, &certSz, argv[2], key, &keySz);
+    if (ret != 0) {
+        printf("Error loading cert and key\n");
+        return -1;
+    }
+
+    /* read encrypted bundle */
+    {
+        FILE* file;
+
+        file = fopen(argv[3], "rb");
+        if (!file) {
+            printf("unable to open file %s\n", argv[3]);
+            return -1;
+        }
+        fseek(file, 0, SEEK_END);
+        encryptedSz = (int)ftell(file);
+        rewind(file);
+
+        encrypted = (byte*)malloc(encryptedSz);
+        if (encrypted == NULL) {
+            printf("malloc failed\n");
+            return -1;
+        }
+
+        decryptedSz = encryptedSz;
+        decrypted = (byte*)malloc(decryptedSz);
+        if (decrypted == NULL) {
+            printf("malloc failed\n");
+            free(encrypted);
+            return -1;
+        }
+
+        encryptedSz = (word32)fread(encrypted, 1, encryptedSz, file);
+        printf("encrypted bundle size read = %d\n", encryptedSz);
+        fclose(file);
+    }
+
+    decryptedSz = envelopedData_decrypt(encrypted, encryptedSz,
+                                        cert, certSz, key, keySz,
+                                        decrypted, decryptedSz);
+    free(encrypted);
+    if (decryptedSz < 0) {
+        free(decrypted);
+        return -1;
+    }
+
+#ifdef DEBUG_WOLFSSL
+    printf("Decrypted content (%d byte):\n", decryptedSz);
+    WOLFSSL_BUFFER(decrypted, decryptedSz);
+#endif
+    free(decrypted);
+
+    return 0;
+}
+
+#else
+
+int main(int argc, char** argv)
+{
+    printf("Must build wolfSSL using ./configure --enable-pkcs7\n");
+    return 0;
+}
+
+#endif
+
diff --git a/pkcs7/scripts/runall.sh b/pkcs7/scripts/runall.sh
@@ -32,6 +32,7 @@ fileArray=(
 
     # CMS EnvelopedData example apps
     "envelopedData-kari"
+    "envelopedDataDecode"
     "envelopedData-kekri"
     "envelopedData-ktri"
     "envelopedData-ori"
@@ -53,7 +54,11 @@ echo ""
 for i in "${fileArray[@]}"
 do
     if [ -f $i ]; then
-        eval "./$i"
+        if [ "$i" == "envelopedDataDecode" ]; then
+            eval "./$i ../certs/client-cert.der ../certs/client-key.der envelopedDataKTRI.der"
+        else
+            eval "./$i"
+        fi
         if [ $? -ne 0 ]
         then
             echo "Test FAILED"
diff --git a/pkcs7/signedData.c b/pkcs7/signedData.c
@@ -79,7 +79,8 @@ static int write_file_buffer(const char* fileName, byte* in, word32 inSz)
 }
 
 static int signedData_sign_noattrs(byte* cert, word32 certSz, byte* key,
-                                   word32 keySz, byte* out, word32 outSz)
+                                   word32 keySz, byte* out, word32 outSz,
+                                   byte streamMode, byte noCerts)
 {
     int ret;
     PKCS7* pkcs7;
@@ -118,6 +119,14 @@ static int signedData_sign_noattrs(byte* cert, word32 certSz, byte* key,
     pkcs7->signedAttribs   = NULL;
     pkcs7->signedAttribsSz = 0;
 
+    if (streamMode) {
+        wc_PKCS7_SetStreamMode(pkcs7, 1);
+    }
+
+    if (noCerts) {
+        wc_PKCS7_SetNoCerts(pkcs7, 1);
+    }
+
     /* encode signedData, returns size */
     ret = wc_PKCS7_EncodeSignedData(pkcs7, out, outSz);
     if (ret <= 0) {
@@ -127,8 +136,9 @@ static int signedData_sign_noattrs(byte* cert, word32 certSz, byte* key,
         return -1;
 
     } else {
-        printf("Successfully encoded SignedData bundle (%s)\n",
-               encodedFileNoAttrs);
+        printf("Successfully encoded SignedData bundle (%s) %s %s\n",
+               encodedFileNoAttrs, (noCerts)? ", No Certs Added":"",
+               (streamMode)? ", Using Stream Mode": "");
 
 #ifdef DEBUG_WOLFSSL
         printf("Encoded DER (%d bytes):\n", ret);
@@ -244,10 +254,14 @@ static int signedData_verify(byte* in, word32 inSz, byte* cert,
 
     if (ret < 0 || (pkcs7->contentSz != sizeof(data)) ||
         (XMEMCMP(pkcs7->content, data, pkcs7->contentSz) != 0)) {
-        printf("ERROR: Failed to verify SignedData bundle, ret = %d\n", ret);
-        wc_PKCS7_Free(pkcs7);
-        return -1;
-
+        if (ret == PKCS7_SIGNEEDS_CHECK) {
+            printf("WARNING: Parsed through bundle but no certificates found to"
+                   " verify signature with\n");
+        }
+        else {
+            printf("ERROR: Failed to verify SignedData bundle, ret = %d\n",
+                ret);
+        }
     } else {
         printf("Successfully verified SignedData bundle.\n");
 
@@ -287,7 +301,7 @@ int main(int argc, char** argv)
 
     /* no attributes */
     encryptedSz = signedData_sign_noattrs(cert, certSz, key, keySz,
-                                          encrypted, sizeof(encrypted));
+                                          encrypted, sizeof(encrypted), 0, 0);
     if (encryptedSz < 0)
         return -1;
 
@@ -297,6 +311,19 @@ int main(int argc, char** argv)
     if (decryptedSz < 0)
         return -1;
 
+    /* no attributes, stream mode, and no certs */
+    encryptedSz = signedData_sign_noattrs(cert, certSz, key, keySz,
+                                          encrypted, sizeof(encrypted), 1, 1);
+    if (encryptedSz < 0)
+        return -1;
+
+    decryptedSz = signedData_verify(encrypted, encryptedSz,
+                                    cert, certSz, key, keySz,
+                                    decrypted, sizeof(decrypted));
+    /* should be error to warn that the signature needs checked */
+    if (decryptedSz != PKCS7_SIGNEEDS_CHECK)
+        return -1;
+
     /* default attributes + messageType attribute */
     encryptedSz = signedData_sign_attrs(cert, certSz, key, keySz,
                                         encrypted, sizeof(encrypted));
