pkcs7: Drop support for signature in contentInfo of signed data The contentInfo field of PKCS7 Signed Data structures can optionally contain the content of the signature. Per RFC 2315 it can also contain any of the PKCS7 data types. Add test and comments making it clear that the current implementation only supports the DATA content type and the data must be empty. Return codes should be clear whether content was invalid or unsupported. Identification and fix provided by: - Demi Marie Obenour <demiobenour@gmail.com> - Dave Rodgman <dave.rodgman@arm.com> Signed-off-by: Nick Child <nick.child@ibm.com>

commit: 3dafc6c3b3a02bc19bb0fd54dbbd639d1c2ded47 [log] [tgz]
author: Nick Child <nick.child@ibm.com> Tue Feb 07 19:59:58 2023 +0000
committer: Nick Child <nick.child@ibm.com> Tue Feb 07 20:04:52 2023 +0000
tree: 9c495604e71949ffd504acd9dc49dbf226f23b41
parent: 50886c25f326e5def34b90c7903c7b61fce6bdb8 [diff]
diff --git a/include/mbedtls/pkcs7.h b/include/mbedtls/pkcs7.h
index 82f282b..5ddd5a3 100644
--- a/include/mbedtls/pkcs7.h
+++ b/include/mbedtls/pkcs7.h

@@ -46,6 +46,8 @@
  *  - The RFC allows for SignerInfo structure to optionally contain
  *    unauthenticatedAttributes and authenticatedAttributes. In Mbed TLS it is
  *    assumed these fields are empty.
+ *  - The RFC allows for the signed Data type to contain contentInfo. This
+ *    implementation assumes the type is DATA and the content is empty.
  */
 
 #ifndef MBEDTLS_PKCS7_H
commit	3dafc6c3b3a02bc19bb0fd54dbbd639d1c2ded47	[log] [tgz]
author	Nick Child <nick.child@ibm.com>	Tue Feb 07 19:59:58 2023 +0000
committer	Nick Child <nick.child@ibm.com>	Tue Feb 07 20:04:52 2023 +0000
tree	9c495604e71949ffd504acd9dc49dbf226f23b41
parent	50886c25f326e5def34b90c7903c7b61fce6bdb8 [diff]