diff --git a/library/pkcs7.c b/library/pkcs7.c index 0f4e1ec2b497..65dc83a4c365 100644 --- a/library/pkcs7.c +++ b/library/pkcs7.c @@ -637,18 +637,41 @@ int mbedtls_pkcs7_signed_hash_verify( mbedtls_pkcs7 *pkcs7, const mbedtls_x509_crt *cert, const unsigned char *hash, size_t hashlen) { - int ret; + int ret = MBEDTLS_ERR_PKCS7_VERIFY_FAIL; + const mbedtls_md_info_t *md_info; mbedtls_md_type_t md_alg; mbedtls_pk_context pk_cxt; + mbedtls_pkcs7_signer_info *signer; - ret = mbedtls_oid_get_md_alg( &pkcs7->signed_data.digest_alg_identifiers, &md_alg ); - if( ret != 0 ) + pk_cxt = cert->pk; + + if( pkcs7->signed_data.no_of_signers == 0 ) return( MBEDTLS_ERR_PKCS7_VERIFY_FAIL ); - pk_cxt = cert->pk; - ret = mbedtls_pk_verify( &pk_cxt, md_alg, hash, hashlen, - pkcs7->signed_data.signers.sig.p, - pkcs7->signed_data.signers.sig.len ); + signer = &pkcs7->signed_data.signers; + while( signer ) + { + ret = mbedtls_oid_get_md_alg( &signer->alg_identifier, &md_alg ); + if( ret != 0 ) + return( MBEDTLS_ERR_PKCS7_VERIFY_FAIL ); + + md_info = mbedtls_md_info_from_type( md_alg ); + + if( hashlen != mbedtls_md_get_size( md_info ) ) + { + ret = MBEDTLS_ERR_PKCS7_VERIFY_FAIL; + signer = signer->next; + continue; + } + + ret = mbedtls_pk_verify( &pk_cxt, md_alg, hash, hashlen, + pkcs7->signed_data.signers.sig.p, + pkcs7->signed_data.signers.sig.len ); + if( ret == 0 ) + break; + + signer = signer->next; + } return ( ret ); } diff --git a/tests/suites/test_suite_pkcs7.data b/tests/suites/test_suite_pkcs7.data index daced32b5546..b813c6d3ebea 100644 --- a/tests/suites/test_suite_pkcs7.data +++ b/tests/suites/test_suite_pkcs7.data @@ -68,4 +68,8 @@ pkcs7_parse:"data_files/pkcs7_data_cert_signeddata_sha256.der" PKCS7 Signed Data Verify with multiple signers #16 depends_on:MBEDTLS_SHA256_C -pkcs7_verify_multiple_signers:"data_files/pkcs7_data_multiple_signed.der":"data_files/pkcs7-rsa-sha256-1.crt":"data_files/pkcs7-rsa-sha256-2.crt":"data_files/pkcs7_data.bin" \ No newline at end of file +pkcs7_verify_multiple_signers:"data_files/pkcs7_data_multiple_signed.der":"data_files/pkcs7-rsa-sha256-1.crt":"data_files/pkcs7-rsa-sha256-2.crt":"data_files/pkcs7_data.bin" + +PKCS7 Signed Data Hash Verify with multiple signers #17 +depends_on:MBEDTLS_SHA256_C +pkcs7_verify_hash_multiple_signers:"data_files/pkcs7_data_multiple_signed.der":"data_files/pkcs7-rsa-sha256-1.crt":"data_files/pkcs7-rsa-sha256-2.crt":"data_files/pkcs7_data.bin" diff --git a/tests/suites/test_suite_pkcs7.function b/tests/suites/test_suite_pkcs7.function index 261824d1549b..9822fb826e90 100644 --- a/tests/suites/test_suite_pkcs7.function +++ b/tests/suites/test_suite_pkcs7.function @@ -293,6 +293,82 @@ exit: } /* END_CASE */ +/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_PKCS1_V15:MBEDTLS_RSA_C */ +void pkcs7_verify_hash_multiple_signers( char *pkcs7_file, char *crt1, char *crt2, char *filetobesigned ) +{ + unsigned char *pkcs7_buf = NULL; + size_t buflen; + unsigned char *data = NULL; + unsigned char hash[32]; + struct stat st; + size_t datalen; + int res; + FILE *file; + const mbedtls_md_info_t *md_info; + mbedtls_md_type_t md_alg; + + mbedtls_pkcs7 pkcs7; + mbedtls_x509_crt x509_1; + mbedtls_x509_crt x509_2; + + USE_PSA_INIT(); + + mbedtls_pkcs7_init( &pkcs7 ); + mbedtls_x509_crt_init( &x509_1 ); + mbedtls_x509_crt_init( &x509_2 ); + + res = mbedtls_pk_load_file( pkcs7_file, &pkcs7_buf, &buflen ); + TEST_ASSERT( res == 0 ); + + res = mbedtls_pkcs7_parse_der( &pkcs7, pkcs7_buf, buflen ); + TEST_ASSERT( res == MBEDTLS_PKCS7_SIGNED_DATA ); + + TEST_ASSERT( pkcs7.signed_data.no_of_signers == 2 ); + + res = mbedtls_x509_crt_parse_file( &x509_1, crt1 ); + TEST_ASSERT( res == 0 ); + + res = mbedtls_x509_crt_parse_file( &x509_2, crt2 ); + TEST_ASSERT( res == 0 ); + + res = stat( filetobesigned, &st ); + TEST_ASSERT( res == 0 ); + + file = fopen( filetobesigned, "r" ); + TEST_ASSERT( file != NULL ); + + datalen = st.st_size; + data = ( unsigned char* ) calloc( datalen, sizeof(unsigned char) ); + buflen = fread( ( void * )data , sizeof( unsigned char ), datalen, file ); + TEST_ASSERT( buflen == datalen ); + + fclose( file ); + + res = mbedtls_oid_get_md_alg( &(pkcs7.signed_data.digest_alg_identifiers), &md_alg ); + TEST_ASSERT( res == 0 ); + TEST_ASSERT( md_alg == MBEDTLS_MD_SHA256 ); + + md_info = mbedtls_md_info_from_type( md_alg ); + + res = mbedtls_md( md_info, data, datalen, hash ); + TEST_ASSERT( res == 0 ); + + res = mbedtls_pkcs7_signed_hash_verify( &pkcs7, &x509_1, hash, sizeof(hash)); + TEST_ASSERT( res == 0 ); + + res = mbedtls_pkcs7_signed_data_verify( &pkcs7, &x509_2, data, datalen ); + TEST_ASSERT( res == 0 ); + +exit: + mbedtls_x509_crt_free( &x509_1 ); + mbedtls_x509_crt_free( &x509_2 ); + mbedtls_pkcs7_free( &pkcs7 ); + mbedtls_free( data ); + mbedtls_free( pkcs7_buf ); + USE_PSA_DONE(); +} +/* END_CASE */ + /* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_PKCS1_V15:MBEDTLS_RSA_C */ void pkcs7_verify_badcert( char *pkcs7_file, char *crt, char *filetobesigned ) {