commit 3538479faa7a73239671239feadbfac1b68b2f0c
author Daniel Axtens <dja@axtens.net> Wed Sep 02 14:48:45 2020 +1000
committer Nick Child <nick.child@ibm.com> Thu Sep 01 19:45:41 2022 -0500
tree 2aa0f55e4398c6989bc77c6c6908873639af8fc4
parent 8a10f666923ee7e43cbfbc11243088bd7bb97e61

pkcs7: support multiple signers

Rather than only parsing/verifying one SignerInfo in the SignerInfos
field of the PKCS7 stucture, allow the ability to parse and verify more
than one signature. Verification will return success if any of the signatures
produce a match.

Signed-off-by: Daniel Axtens <dja@axtens.net>
Signed-off-by: Nick Child <nick.child@ibm.com>

tests/suites/test_suite_pkcs7.data

diff --git a/tests/suites/test_suite_pkcs7.data b/tests/suites/test_suite_pkcs7.data
index d5ecd21..daced32 100644
--- a/tests/suites/test_suite_pkcs7.data
+++ b/tests/suites/test_suite_pkcs7.data
@@ -10,13 +10,9 @@
 depends_on:MBEDTLS_SHA256_C
 pkcs7_parse_without_cert:"data_files/pkcs7_data_without_cert_signed.der"
 
-PKCS7 Signed Data Parse Fail with multiple signers #4
-depends_on:MBEDTLS_SHA256_C
-pkcs7_parse_multiple_signers:"data_files/pkcs7_data_multiple_signed.der"
-
 PKCS7 Signed Data Parse Fail with multiple certs #4
 depends_on:MBEDTLS_SHA256_C
-pkcs7_parse_multiple_signers:"data_files/pkcs7_data_multiple_certs_signed.der"
+pkcs7_parse_multiple_certs:"data_files/pkcs7_data_multiple_certs_signed.der"
 
 PKCS7 Signed Data Parse Fail with corrupted cert #5
 depends_on:MBEDTLS_SHA256_C
@@ -69,3 +65,7 @@
 PKCS7 Only Signed Data Parse Pass #15
 depends_on:MBEDTLS_SHA256_C
 pkcs7_parse:"data_files/pkcs7_data_cert_signeddata_sha256.der"
+
+PKCS7 Signed Data Verify with multiple signers #16
+depends_on:MBEDTLS_SHA256_C
+pkcs7_verify_multiple_signers:"data_files/pkcs7_data_multiple_signed.der":"data_files/pkcs7-rsa-sha256-1.crt":"data_files/pkcs7-rsa-sha256-2.crt":"data_files/pkcs7_data.bin"
\ No newline at end of file

tests/suites/test_suite_pkcs7.function

diff --git a/tests/suites/test_suite_pkcs7.function b/tests/suites/test_suite_pkcs7.function
index 01edadb..261824d 100644
--- a/tests/suites/test_suite_pkcs7.function
+++ b/tests/suites/test_suite_pkcs7.function
@@ -61,7 +61,7 @@
 /* END_CASE */
 
 /* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_RSA_C */
-void pkcs7_parse_multiple_signers( char *pkcs7_file )
+void pkcs7_parse_multiple_certs( char *pkcs7_file )
 {
     unsigned char *pkcs7_buf = NULL;
     size_t buflen;
@@ -75,19 +75,7 @@
     TEST_ASSERT( res == 0 );
 
     res = mbedtls_pkcs7_parse_der( &pkcs7, pkcs7_buf, buflen );
-    TEST_ASSERT( res < 0 );
-
-    switch ( res ){
-        case MBEDTLS_ERR_PKCS7_INVALID_CERT:
-            TEST_ASSERT( res ==  MBEDTLS_ERR_PKCS7_INVALID_CERT );
-            break;
-
-        case MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO:
-            TEST_ASSERT( res == MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO );
-            break;
-        default:
-            TEST_ASSERT(0);
-    }
+    TEST_ASSERT( res ==  MBEDTLS_ERR_PKCS7_INVALID_CERT );
 
 exit:
     mbedtls_free( pkcs7_buf );
@@ -411,6 +399,70 @@
 }
 /* END_CASE */
 
+/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_PKCS1_V15:MBEDTLS_RSA_C */
+void pkcs7_verify_multiple_signers( char *pkcs7_file, char *crt1, char *crt2, char *filetobesigned )
+{
+    unsigned char *pkcs7_buf = NULL;
+    size_t buflen;
+    unsigned char *data = NULL;
+    struct stat st;
+    size_t datalen;
+    int res;
+    FILE *file;
+
+    mbedtls_pkcs7 pkcs7;
+    mbedtls_x509_crt x509_1;
+    mbedtls_x509_crt x509_2;
+
+    USE_PSA_INIT();
+
+    mbedtls_pkcs7_init( &pkcs7 );
+    mbedtls_x509_crt_init( &x509_1 );
+    mbedtls_x509_crt_init( &x509_2 );
+
+    res = mbedtls_pk_load_file( pkcs7_file, &pkcs7_buf, &buflen );
+    TEST_ASSERT( res == 0 );
+
+    res = mbedtls_pkcs7_parse_der( &pkcs7, pkcs7_buf, buflen );
+    TEST_ASSERT( res == MBEDTLS_PKCS7_SIGNED_DATA );
+
+    TEST_ASSERT( pkcs7.signed_data.no_of_signers == 2 );
+
+    res = mbedtls_x509_crt_parse_file( &x509_1, crt1 );
+    TEST_ASSERT( res == 0 );
+
+    res = mbedtls_x509_crt_parse_file( &x509_2, crt2 );
+    TEST_ASSERT( res == 0 );
+
+    res = stat( filetobesigned, &st );
+    TEST_ASSERT( res == 0 );
+
+    file = fopen( filetobesigned, "r" );
+    TEST_ASSERT( file != NULL );
+
+    datalen = st.st_size;
+    data = ( unsigned char* ) calloc( datalen, sizeof(unsigned char) );
+    buflen = fread( ( void * )data , sizeof( unsigned char ), datalen, file );
+    TEST_ASSERT( buflen == datalen );
+
+    fclose( file );
+
+    res = mbedtls_pkcs7_signed_data_verify( &pkcs7, &x509_1, data, datalen );
+    TEST_ASSERT( res == 0 );
+
+    res = mbedtls_pkcs7_signed_data_verify( &pkcs7, &x509_2, data, datalen );
+    TEST_ASSERT( res == 0 );
+
+exit:
+    mbedtls_x509_crt_free( &x509_1 );
+    mbedtls_x509_crt_free( &x509_2 );
+    mbedtls_pkcs7_free( &pkcs7 );
+    mbedtls_free( data );
+    mbedtls_free( pkcs7_buf );
+    USE_PSA_DONE();
+}
+/* END_CASE */
+
 /* BEGIN_CASE depends_on:MBEDTLS_FS_IO */
 void pkcs7_parse_failure( char *pkcs7_file )
 {