aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorNick Child <nick.child@ibm.com>2022-12-15 13:06:21 -0600
committerNick Child <nick.child@ibm.com>2023-01-30 15:55:44 +0000
commitff2746fa56166569a1f33ee1ab048aeeb0d4028d (patch)
tree54baa0563541150e0fadec9ee44f989dd062d153
parent6759eb2c5f26c50d39a3d90b3950d31dacfb2dad (diff)
downloadmbedtls-ff2746fa56166569a1f33ee1ab048aeeb0d4028d.zip
mbedtls-ff2746fa56166569a1f33ee1ab048aeeb0d4028d.tar.gz
mbedtls-ff2746fa56166569a1f33ee1ab048aeeb0d4028d.tar.bz2
test/pkcs7: Add test for wrong hash alg
Add a test to verify a hash which uses a different digest algorithm than the one specified in the pkcs7. Signed-off-by: Nick Child <nick.child@ibm.com>
-rw-r--r--tests/suites/test_suite_pkcs7.data5
-rw-r--r--tests/suites/test_suite_pkcs7.function28
2 files changed, 15 insertions, 18 deletions
diff --git a/tests/suites/test_suite_pkcs7.data b/tests/suites/test_suite_pkcs7.data
index 571d5ad..3f5b414 100644
--- a/tests/suites/test_suite_pkcs7.data
+++ b/tests/suites/test_suite_pkcs7.data
@@ -81,3 +81,8 @@ pkcs7_verify_multiple_signers:"data_files/pkcs7_data_multiple_signed.der":"data_
PKCS7 Signed Data Hash Verify with multiple signers #17
depends_on:MBEDTLS_SHA256_C
pkcs7_verify_multiple_signers:"data_files/pkcs7_data_multiple_signed.der":"data_files/pkcs7-rsa-sha256-1.crt":"data_files/pkcs7-rsa-sha256-2.crt":"data_files/pkcs7_data.bin":MBEDTLS_MD_SHA256:0
+
+PKCS7 Signed Data Hash Verify Fail with multiple signers #18
+depends_on:MBEDTLS_SHA256_C:MBEDTLS_SHA512_C
+pkcs7_verify_multiple_signers:"data_files/pkcs7_data_multiple_signed.der":"data_files/pkcs7-rsa-sha256-1.crt":"data_files/pkcs7-rsa-sha256-2.crt":"data_files/pkcs7_data.bin":MBEDTLS_MD_SHA512:MBEDTLS_ERR_PKCS7_VERIFY_FAIL
+
diff --git a/tests/suites/test_suite_pkcs7.function b/tests/suites/test_suite_pkcs7.function
index 4fc416a..d5a69da 100644
--- a/tests/suites/test_suite_pkcs7.function
+++ b/tests/suites/test_suite_pkcs7.function
@@ -44,13 +44,12 @@ void pkcs7_verify(char *pkcs7_file, char *crt, char *filetobesigned, int do_hash
unsigned char *pkcs7_buf = NULL;
size_t buflen;
unsigned char *data = NULL;
- unsigned char hash[32];
+ unsigned char hash[64];
struct stat st;
size_t datalen;
int res;
FILE *file;
const mbedtls_md_info_t *md_info;
- mbedtls_md_type_t md_alg;
mbedtls_pkcs7 pkcs7;
mbedtls_x509_crt x509;
@@ -84,15 +83,12 @@ void pkcs7_verify(char *pkcs7_file, char *crt, char *filetobesigned, int do_hash
fclose(file);
if (do_hash_alg) {
- res = mbedtls_oid_get_md_alg(&pkcs7.signed_data.digest_alg_identifiers, &md_alg);
- TEST_EQUAL(res, 0);
- TEST_EQUAL(md_alg, (mbedtls_md_type_t) do_hash_alg);
- md_info = mbedtls_md_info_from_type(md_alg);
+ md_info = mbedtls_md_info_from_type((mbedtls_md_type_t) do_hash_alg);
res = mbedtls_md(md_info, data, datalen, hash);
TEST_EQUAL(res, 0);
- res = mbedtls_pkcs7_signed_hash_verify(&pkcs7, &x509, hash, sizeof(hash));
+ res = mbedtls_pkcs7_signed_hash_verify(&pkcs7, &x509, hash, mbedtls_md_get_size(md_info));
} else {
res = mbedtls_pkcs7_signed_data_verify(&pkcs7, &x509, data, datalen);
}
@@ -118,13 +114,12 @@ void pkcs7_verify_multiple_signers(char *pkcs7_file,
unsigned char *pkcs7_buf = NULL;
size_t buflen;
unsigned char *data = NULL;
- unsigned char hash[32];
+ unsigned char hash[64];
struct stat st;
size_t datalen;
int res;
FILE *file;
const mbedtls_md_info_t *md_info;
- mbedtls_md_type_t md_alg;
mbedtls_pkcs7 pkcs7;
mbedtls_x509_crt x509_1;
@@ -164,25 +159,22 @@ void pkcs7_verify_multiple_signers(char *pkcs7_file,
fclose(file);
if (do_hash_alg) {
- res = mbedtls_oid_get_md_alg(&pkcs7.signed_data.digest_alg_identifiers, &md_alg);
- TEST_EQUAL(res, 0);
- TEST_EQUAL(md_alg, MBEDTLS_MD_SHA256);
-
- md_info = mbedtls_md_info_from_type(md_alg);
+ md_info = mbedtls_md_info_from_type((mbedtls_md_type_t) do_hash_alg);
res = mbedtls_md(md_info, data, datalen, hash);
TEST_EQUAL(res, 0);
- res = mbedtls_pkcs7_signed_hash_verify(&pkcs7, &x509_1, hash, sizeof(hash));
+ res = mbedtls_pkcs7_signed_hash_verify(&pkcs7, &x509_1, hash, mbedtls_md_get_size(md_info));
+ TEST_EQUAL(res, res_expect);
+ res = mbedtls_pkcs7_signed_hash_verify(&pkcs7, &x509_2, hash, mbedtls_md_get_size(md_info));
TEST_EQUAL(res, res_expect);
} else {
res = mbedtls_pkcs7_signed_data_verify(&pkcs7, &x509_1, data, datalen);
TEST_EQUAL(res, res_expect);
+ res = mbedtls_pkcs7_signed_data_verify(&pkcs7, &x509_2, data, datalen);
+ TEST_EQUAL(res, res_expect);
}
- res = mbedtls_pkcs7_signed_data_verify(&pkcs7, &x509_2, data, datalen);
- TEST_EQUAL(res, res_expect);
-
exit:
mbedtls_x509_crt_free(&x509_1);
mbedtls_x509_crt_free(&x509_2);