authorNick Child <nick.child@ibm.com>2023-02-07 19:59:58 +0000
committerNick Child <nick.child@ibm.com>2023-02-07 20:04:52 +0000
commit3dafc6c3b3a02bc19bb0fd54dbbd639d1c2ded47 (patch)
tree9c495604e71949ffd504acd9dc49dbf226f23b41 /tests
parent50886c25f326e5def34b90c7903c7b61fce6bdb8 (diff)
pkcs7: Drop support for signature in contentInfo of signed data
The contentInfo field of PKCS7 Signed Data structures can optionally contain the content of the signature. Per RFC 2315 it can also contain any of the PKCS7 data types. Add test and comments making it clear that the current implementation only supports the DATA content type and the data must be empty. Return codes should be clear whether content was invalid or unsupported. Identification and fix provided by: - Demi Marie Obenour <demiobenour@gmail.com> - Dave Rodgman <dave.rodgman@arm.com> Signed-off-by: Nick Child <nick.child@ibm.com>
Diffstat (limited to 'tests')
-rw-r--r--tests/data_files/Makefile5
-rw-r--r--tests/data_files/pkcs7_data_with_signature.derbin0 -> 446 bytes
-rw-r--r--tests/suites/test_suite_pkcs7.data8
3 files changed, 11 insertions, 2 deletions
diff --git a/tests/data_files/Makefile b/tests/data_files/Makefile
index 14c1744..7121b5b 100644
--- a/tests/data_files/Makefile
+++ b/tests/data_files/Makefile
@@ -1202,6 +1202,11 @@ pkcs7_data_without_cert_signed.der: $(pkcs7_test_file) $(pkcs7_test_cert_1)
$(OPENSSL) smime -sign -binary -in pkcs7_data.bin -out $@ -md sha256 -signer pkcs7-rsa-sha256-1.pem -nocerts -noattr -outform DER -out $@
all_final += pkcs7_data_without_cert_signed.der
+# pkcs7 signature file with signature
+pkcs7_data_with_signature.der: $(pkcs7_test_file) $(pkcs7_test_cert_1)
+ $(OPENSSL) smime -sign -binary -in pkcs7_data.bin -out $@ -md sha256 -signer pkcs7-rsa-sha256-1.pem -nocerts -noattr -nodetach -outform DER -out $@
+all_final += pkcs7_data_with_signature.der
+
# pkcs7 signature file with two signers
pkcs7_data_multiple_signed.der: $(pkcs7_test_file) $(pkcs7_test_cert_1) $(pkcs7_test_cert_2)
$(OPENSSL) smime -sign -binary -in pkcs7_data.bin -out $@ -md sha256 -signer pkcs7-rsa-sha256-1.pem -signer pkcs7-rsa-sha256-2.pem -nocerts -noattr -outform DER -out $@
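Review bot: The comment on the new rule, `# pkcs7 signature file with signature`, does not say what distinguishes this fixture; the only difference from the rule above it is `-nodetach`, which embeds the signed content in contentInfo. A comment such as `# pkcs7 signed data with the content embedded in contentInfo (-nodetach); the parser is expected to reject it as unsupported` would tell the next maintainer why the file exists. The recipe also passes `-out $@` twice, as the neighbouring rules do, and hard-codes `pkcs7_data.bin` and `pkcs7-rsa-sha256-1.pem` rather than using its prerequisites; presumably those match `$(pkcs7_test_file)` and `$(pkcs7_test_cert_1)`, but their definitions are outside the hunk.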
diff --git a/tests/data_files/pkcs7_data_with_signature.der b/tests/data_files/pkcs7_data_with_signature.der
new file mode 100644
index 0000000..cb9d126
--- /dev/null
+++ b/tests/data_files/pkcs7_data_with_signature.der
Binary files differ
diff --git a/tests/suites/test_suite_pkcs7.data b/tests/suites/test_suite_pkcs7.data
index 1319d7b..840a24b 100644
--- a/tests/suites/test_suite_pkcs7.data
+++ b/tests/suites/test_suite_pkcs7.data
@@ -22,6 +22,10 @@ PKCS7 Signed Data Parse Fail with disabled alg #5.1
depends_on:MBEDTLS_RSA_C:!MBEDTLS_SHA512_C
pkcs7_parse:"data_files/pkcs7_data_cert_signed_sha512.der":MBEDTLS_ERR_PKCS7_INVALID_ALG
+PKCS7 Parse Fail with Inlined Content Info #5.2
+depends_on:MBEDTLS_SHA256_C:MBEDTLS_RSA_C
+pkcs7_parse:"data_files/pkcs7_data_with_signature.der":MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE
+
PKCS7 Signed Data Parse Fail with corrupted signer info #6
depends_on:MBEDTLS_SHA256_C:MBEDTLS_RSA_C
pkcs7_parse:"data_files/pkcs7_data_signed_badsigner.der":MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO,MBEDTLS_ERR_ASN1_UNEXPECTED_TAG)
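Review bot: The new case `PKCS7 Parse Fail with Inlined Content Info #5.2` covers only a DATA contentInfo that is non-empty, while the commit description also says contentInfo may carry other PKCS7 content types, and no case in the visible hunks exercises a non-DATA content type. A companion fixture whose contentInfo names a different content type would pin which error code that path returns, so the invalid-versus-unsupported distinction the description asks for is tested on both sides. The `MBEDTLS_RSA_C` dependency may also be unnecessary if parsing stops at contentInfo before any certificate or signer is read, but the parser order is not visible here.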
@@ -68,11 +72,11 @@ pkcs7_parse:"data_files/pkcs7_signerInfo_serial_invalid_size.der":MBEDTLS_ERR_PK
pkcs7_get_signers_info_set error handling (6213931373035520)
depends_on:MBEDTLS_RIPEMD160_C
-pkcs7_parse:"data_files/pkcs7_get_signers_info_set-missing_free-fuzz_pkcs7-6213931373035520.der":MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO
+pkcs7_parse:"data_files/pkcs7_get_signers_info_set-missing_free-fuzz_pkcs7-6213931373035520.der":MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO, MBEDTLS_ERR_ASN1_UNEXPECTED_TAG)
pkcs7_get_signers_info_set error handling (4541044530479104)
depends_on:MBEDTLS_RIPEMD160_C
-pkcs7_parse:"data_files/pkcs7_get_signers_info_set-leak-fuzz_pkcs7-4541044530479104.der":MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO
+pkcs7_parse:"data_files/pkcs7_get_signers_info_set-leak-fuzz_pkcs7-4541044530479104.der": MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO, MBEDTLS_ERR_ASN1_UNEXPECTED_TAG)
PKCS7 Only Signed Data Parse Pass #15
depends_on:MBEDTLS_SHA256_C:MBEDTLS_RSA_C