pkcs7: support multiple signers

Rather than only parsing/verifying one SignerInfo in the SignerInfos field of the PKCS7 stucture, allow the ability to parse and verify more than one signature. Verification will return success if any of the signatures produce a match. Signed-off-by: Daniel Axtens <dja@axtens.net> Signed-off-by: Nick Child <nick.child@ibm.com>
2025-08-08 17:42:09 +03:00 · 2020-09-02 14:48:45 +10:00
parent 8a10f66692
commit 3538479faa
3 changed files with 249 additions and 101 deletions
--- a/tests/suites/test_suite_pkcs7.data
+++ b/tests/suites/test_suite_pkcs7.data
@@ -10,13 +10,9 @@ PKCS7 Signed Data Parse Pass Without CERT #3
 depends_on:MBEDTLS_SHA256_C
 pkcs7_parse_without_cert:"data_files/pkcs7_data_without_cert_signed.der"

-PKCS7 Signed Data Parse Fail with multiple signers #4
-depends_on:MBEDTLS_SHA256_C
-pkcs7_parse_multiple_signers:"data_files/pkcs7_data_multiple_signed.der"
-
 PKCS7 Signed Data Parse Fail with multiple certs #4
 depends_on:MBEDTLS_SHA256_C
-pkcs7_parse_multiple_signers:"data_files/pkcs7_data_multiple_certs_signed.der"
+pkcs7_parse_multiple_certs:"data_files/pkcs7_data_multiple_certs_signed.der"

 PKCS7 Signed Data Parse Fail with corrupted cert #5
 depends_on:MBEDTLS_SHA256_C
@@ -69,3 +65,7 @@ pkcs7_parse_failure:"data_files/pkcs7_signerInfo_serial_invalid_size.der"
 PKCS7 Only Signed Data Parse Pass #15
 depends_on:MBEDTLS_SHA256_C
 pkcs7_parse:"data_files/pkcs7_data_cert_signeddata_sha256.der"
+
+PKCS7 Signed Data Verify with multiple signers #16
+depends_on:MBEDTLS_SHA256_C
+pkcs7_verify_multiple_signers:"data_files/pkcs7_data_multiple_signed.der":"data_files/pkcs7-rsa-sha256-1.crt":"data_files/pkcs7-rsa-sha256-2.crt":"data_files/pkcs7_data.bin"
--- a/tests/suites/test_suite_pkcs7.function
+++ b/tests/suites/test_suite_pkcs7.function
@@ -61,7 +61,7 @@ exit:
 /* END_CASE */

 /* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_RSA_C */
-void pkcs7_parse_multiple_signers( char *pkcs7_file )
+void pkcs7_parse_multiple_certs( char *pkcs7_file )
 {
    unsigned char *pkcs7_buf = NULL;
    size_t buflen;
@@ -75,19 +75,7 @@ void pkcs7_parse_multiple_signers( char *pkcs7_file )
    TEST_ASSERT( res == 0 );

    res = mbedtls_pkcs7_parse_der( &pkcs7, pkcs7_buf, buflen );
-    TEST_ASSERT( res < 0 );
-
-    switch ( res ){
-        case MBEDTLS_ERR_PKCS7_INVALID_CERT:
-            TEST_ASSERT( res ==  MBEDTLS_ERR_PKCS7_INVALID_CERT );
-            break;
-
-        case MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO:
-            TEST_ASSERT( res == MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO );
-            break;
-        default:
-            TEST_ASSERT(0);
-    }
+    TEST_ASSERT( res ==  MBEDTLS_ERR_PKCS7_INVALID_CERT );

 exit:
    mbedtls_free( pkcs7_buf );
@@ -411,6 +399,70 @@ exit:
 }
 /* END_CASE */

+/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_PKCS1_V15:MBEDTLS_RSA_C */
+void pkcs7_verify_multiple_signers( char *pkcs7_file, char *crt1, char *crt2, char *filetobesigned )
+{
+    unsigned char *pkcs7_buf = NULL;
+    size_t buflen;
+    unsigned char *data = NULL;
+    struct stat st;
+    size_t datalen;
+    int res;
+    FILE *file;
+
+    mbedtls_pkcs7 pkcs7;
+    mbedtls_x509_crt x509_1;
+    mbedtls_x509_crt x509_2;
+
+    USE_PSA_INIT();
+
+    mbedtls_pkcs7_init( &pkcs7 );
+    mbedtls_x509_crt_init( &x509_1 );
+    mbedtls_x509_crt_init( &x509_2 );
+
+    res = mbedtls_pk_load_file( pkcs7_file, &pkcs7_buf, &buflen );
+    TEST_ASSERT( res == 0 );
+
+    res = mbedtls_pkcs7_parse_der( &pkcs7, pkcs7_buf, buflen );
+    TEST_ASSERT( res == MBEDTLS_PKCS7_SIGNED_DATA );
+
+    TEST_ASSERT( pkcs7.signed_data.no_of_signers == 2 );
+
+    res = mbedtls_x509_crt_parse_file( &x509_1, crt1 );
+    TEST_ASSERT( res == 0 );
+
+    res = mbedtls_x509_crt_parse_file( &x509_2, crt2 );
+    TEST_ASSERT( res == 0 );
+
+    res = stat( filetobesigned, &st );
+    TEST_ASSERT( res == 0 );
+
+    file = fopen( filetobesigned, "r" );
+    TEST_ASSERT( file != NULL );
+
+    datalen = st.st_size;
+    data = ( unsigned char* ) calloc( datalen, sizeof(unsigned char) );
+    buflen = fread( ( void * )data , sizeof( unsigned char ), datalen, file );
+    TEST_ASSERT( buflen == datalen );
+
+    fclose( file );
+
+    res = mbedtls_pkcs7_signed_data_verify( &pkcs7, &x509_1, data, datalen );
+    TEST_ASSERT( res == 0 );
+
+    res = mbedtls_pkcs7_signed_data_verify( &pkcs7, &x509_2, data, datalen );
+    TEST_ASSERT( res == 0 );
+
+exit:
+    mbedtls_x509_crt_free( &x509_1 );
+    mbedtls_x509_crt_free( &x509_2 );
+    mbedtls_pkcs7_free( &pkcs7 );
+    mbedtls_free( data );
+    mbedtls_free( pkcs7_buf );
+    USE_PSA_DONE();
+}
+/* END_CASE */
+
 /* BEGIN_CASE depends_on:MBEDTLS_FS_IO */
 void pkcs7_parse_failure( char *pkcs7_file )
 {