mbedtls: add support for pkcs7
PKCS7 signing format is used by OpenPOWER Key Management, which is
using mbedtls as its crypto library.
This patch adds the limited support of pkcs7 parser and verification
to the mbedtls. The limitations are:
* Only signed data is supported.
* CRLs are not currently handled.
* Single signer is supported.
Signed-off-by: Daniel Axtens <dja@axtens.net>
Signed-off-by: Eric Richter <erichte@linux.ibm.com>
Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
diff --git a/tests/data_files/Makefile b/tests/data_files/Makefile
index 6187d17..288b01f 100644
--- a/tests/data_files/Makefile
+++ b/tests/data_files/Makefile
@@ -1131,6 +1131,98 @@
all_final += ecdsa_secp521r1.crt ecdsa_secp521r1.key
tls13_certs: ecdsa_secp521r1.crt ecdsa_secp521r1.key
+# PKCS7 test data
+pkcs7_test_cert_1 = pkcs7-rsa-sha256-1.crt
+pkcs7_test_cert_2 = pkcs7-rsa-sha256-2.crt
+pkcs7_test_file = pkcs7_data.txt
+
+# Generate signing cert
+pkcs7-rsa-sha256-1.crt:
+ $(OPENSSL) req -x509 -subj="/C=NL/O=PKCS7/CN=PKCS7 Cert 1" -sha256 -nodes -days 365 -newkey rsa:2048 -keyout pkcs7-rsa-sha256-1.key -out pkcs7-rsa-sha256-1.crt
+ cat pkcs7-rsa-sha256-1.crt pkcs7-rsa-sha256-1.key > pkcs7-rsa-sha256-1.pem
+all_final += pkcs7-rsa-sha256-1.crt
+
+pkcs7-rsa-sha256-2.crt:
+ $(OPENSSL) req -x509 -subj="/C=NL/O=PKCS7/CN=PKCS7 Cert 2" -sha256 -nodes -days 365 -newkey rsa:2048 -keyout pkcs7-rsa-sha256-2.key -out pkcs7-rsa-sha256-2.crt
+ cat pkcs7-rsa-sha256-2.crt pkcs7-rsa-sha256-2.key > pkcs7-rsa-sha256-2.pem
+all_final += pkcs7-rsa-sha256-2.crt
+
+# Generate data file to be signed
+pkcs7_data.txt:
+ echo "Hello" > $@
+ echo 2 >> pkcs7_data_1.txt
+all_final += pkcs7_data.txt
+
+# Generate another data file to check hash mismatch during certificate verification
+pkcs7_data_1.txt: $(pkcs7_test_file)
+ cat $(pkcs7_test_file) > $@
+ echo 2 >> $@
+all_final += pkcs7_data_1.txt
+
+# pkcs7 signature file with CERT
+pkcs7_data_cert_signed_sha256.der: $(pkcs7_test_file) $(pkcs7_test_cert_1)
+ $(OPENSSL) smime -sign -binary -in pkcs7_data.txt -out $@ -md sha256 -signer pkcs7-rsa-sha256-1.pem -noattr -outform DER -out $@
+all_final += pkcs7_data_cert_signed_sha256.der
+
+# pkcs7 signature file with CERT and sha1
+pkcs7_data_cert_signed_sha1.der: $(pkcs7_test_file) $(pkcs7_test_cert_1)
+ $(OPENSSL) smime -sign -binary -in pkcs7_data.txt -out $@ -md sha1 -signer pkcs7-rsa-sha256-1.pem -noattr -outform DER -out $@
+all_final += pkcs7_data_cert_signed_sha1.der
+
+# pkcs7 signature file with CERT and sha512
+pkcs7_data_cert_signed_sha512.der: $(pkcs7_test_file) $(pkcs7_test_cert_1)
+ $(OPENSSL) smime -sign -binary -in pkcs7_data.txt -out $@ -md sha512 -signer pkcs7-rsa-sha256-1.pem -noattr -outform DER -out $@
+all_final += pkcs7_data_cert_signed_sha512.der
+
+# pkcs7 signature file without CERT
+pkcs7_data_without_cert_signed.der: $(pkcs7_test_file) $(pkcs7_test_cert_1)
+ $(OPENSSL) smime -sign -binary -in pkcs7_data.txt -out $@ -md sha256 -signer pkcs7-rsa-sha256-1.pem -nocerts -noattr -outform DER -out $@
+all_final += pkcs7_data_without_cert_signed.der
+
+# pkcs7 signature file with multiple signers
+pkcs7_data_multiple_signed.der: $(pkcs7_test_file) $(pkcs7_test_cert_1) $(pkcs7_test_cert_2)
+ $(OPENSSL) smime -sign -binary -in pkcs7_data.txt -out $@ -md sha256 -signer pkcs7-rsa-sha256-1.pem -signer pkcs7-rsa-sha256-2.pem -nocerts -noattr -outform DER -out $@
+all_final += pkcs7_data_multiple_signed.der
+
+# pkcs7 signature file with multiple certificates
+pkcs7_data_multiple_certs_signed.der: $(pkcs7_test_file) $(pkcs7_test_cert_1) $(pkcs7_test_cert_2)
+ $(OPENSSL) smime -sign -binary -in pkcs7_data.txt -out $@ -md sha256 -signer pkcs7-rsa-sha256-1.pem -signer pkcs7-rsa-sha256-2.pem -noattr -outform DER -out $@
+all_final += pkcs7_data_multiple_certs_signed.der
+
+# pkcs7 signature file with corrupted CERT
+pkcs7_data_signed_badcert.der: pkcs7_data_cert_signed_sha256.der
+ cp pkcs7_data_cert_signed_sha256.der $@
+ echo -en '\xa1' | dd of=$@ bs=1 seek=547 conv=notrunc
+all_final += pkcs7_data_signed_badcert.der
+
+# pkcs7 signature file with corrupted signer info
+pkcs7_data_signed_badsigner.der: pkcs7_data_cert_signed_sha256.der
+ cp pkcs7_data_cert_signed_sha256.der $@
+ echo -en '\xa1' | dd of=$@ bs=1 seek=918 conv=notrunc
+all_final += pkcs7_data_signed_badsigner.der
+
+# pkcs7 file with version 2
+pkcs7_data_cert_signed_v2.der: pkcs7_data_cert_signed_sha256.der
+ cp pkcs7_data_cert_signed_sha256.der $@
+ echo -en '\x02' | dd of=$@ bs=1 seek=25 conv=notrunc
+all_final += pkcs7_data_cert_signed_v2.der
+
+pkcs7_data_cert_encrypted.der: $(pkcs7_test_file) $(pkcs7_test_cert_1)
+ $(OPENSSL) smime -encrypt -aes256 -in pkcs7_data.txt -binary -outform DER -out $@ pkcs7-rsa-sha256-1.crt
+all_final += pkcs7_data_cert_encrypted.der
+
+## Negative tests
+# For some interesting sizes, what happens if we make them off-by-one?
+pkcs7_signerInfo_issuer_invalid_size.der: pkcs7_data_cert_signed_sha256.der
+ cp $< $@
+ echo -en '\x35' | dd of=$@ seek=919 bs=1 conv=notrunc
+all_final += pkcs7_signerInfo_issuer_invalid_size.der
+
+pkcs7_signerInfo_serial_invalid_size.der: pkcs7_data_cert_signed_sha256.der
+ cp $< $@
+ echo -en '\x15' | dd of=$@ seek=973 bs=1 conv=notrunc
+all_final += pkcs7_signerInfo_serial_invalid_size.der
+
################################################################
#### Diffie-Hellman parameters
################################################################
diff --git a/tests/suites/test_suite_pkcs7.data b/tests/suites/test_suite_pkcs7.data
new file mode 100644
index 0000000..870e83b
--- /dev/null
+++ b/tests/suites/test_suite_pkcs7.data
@@ -0,0 +1,53 @@
+PKCS7 Signed Data Parse Pass SHA256 #1
+pkcs7_parse:"data_files/pkcs7_data_cert_signed_sha256.der"
+
+PKCS7 Signed Data Parse Pass SHA1 #2
+depends_on:MBEDTLS_SHA1_C
+pkcs7_parse:"data_files/pkcs7_data_cert_signed_sha1.der"
+
+PKCS7 Signed Data Parse Pass Without CERT #3
+pkcs7_parse_without_cert:"data_files/pkcs7_data_without_cert_signed.der"
+
+PKCS7 Signed Data Parse Fail with multiple signers #4
+pkcs7_parse_multiple_signers:"data_files/pkcs7_data_multiple_signed.der"
+
+PKCS7 Signed Data Parse Fail with multiple certs #4
+pkcs7_parse_multiple_signers:"data_files/pkcs7_data_multiple_certs_signed.der"
+
+PKCS7 Signed Data Parse Fail with corrupted cert #5
+pkcs7_parse_corrupted_cert:"data_files/pkcs7_data_signed_badcert.der"
+
+PKCS7 Signed Data Parse Fail with corrupted signer info #6
+pkcs7_parse_corrupted_signer_info:"data_files/pkcs7_data_signed_badsigner.der"
+
+PKCS7 Signed Data Parse Fail Version other than 1 #7
+pkcs7_parse_version:"data_files/pkcs7_data_cert_signed_v2.der"
+
+PKCS7 Signed Data Parse Fail Encrypted Content #8
+pkcs7_parse_content_oid:"data_files/pkcs7_data_cert_encrypted.der"
+
+PKCS7 Signed Data Verification Pass SHA256 #9
+pkcs7_verify:"data_files/pkcs7_data_cert_signed_sha256.der":"data_files/pkcs7-rsa-sha256-1.crt":"data_files/pkcs7_data.txt"
+
+PKCS7 Signed Data Verification Pass SHA256 #9.1
+pkcs7_verify_hash:"data_files/pkcs7_data_cert_signed_sha256.der":"data_files/pkcs7-rsa-sha256-1.crt":"data_files/pkcs7_data.txt"
+
+PKCS7 Signed Data Verification Pass SHA1 #10
+depends_on:MBEDTLS_SHA1_C
+pkcs7_verify:"data_files/pkcs7_data_cert_signed_sha1.der":"data_files/pkcs7-rsa-sha256-1.crt":"data_files/pkcs7_data.txt"
+
+PKCS7 Signed Data Verification Pass SHA512 #11
+depends_on:MBEDTLS_SHA512_C
+pkcs7_verify:"data_files/pkcs7_data_cert_signed_sha512.der":"data_files/pkcs7-rsa-sha256-1.crt":"data_files/pkcs7_data.txt"
+
+PKCS7 Signed Data Verification Fail because of different certificate #12
+pkcs7_verify_badcert:"data_files/pkcs7_data_cert_signed_sha256.der":"data_files/pkcs7-rsa-sha256-2.crt":"data_files/pkcs7_data.txt"
+
+PKCS7 Signed Data Verification Fail because of different data hash #13
+pkcs7_verify_tampered_data:"data_files/pkcs7_data_cert_signed_sha256.der":"data_files/pkcs7-rsa-sha256-1.crt":"data_files/pkcs7_data_1.txt"
+
+PKCS7 Signed Data Parse Failure Corrupt signerInfo.issuer #15.1
+pkcs7_parse_failure:"data_files/pkcs7_signerInfo_issuer_invalid_size.der"
+
+PKCS7 Signed Data Parse Failure Corrupt signerInfo.serial #15.2
+pkcs7_parse_failure:"data_files/pkcs7_signerInfo_serial_invalid_size.der"
diff --git a/tests/suites/test_suite_pkcs7.function b/tests/suites/test_suite_pkcs7.function
new file mode 100644
index 0000000..b5ef2ef
--- /dev/null
+++ b/tests/suites/test_suite_pkcs7.function
@@ -0,0 +1,420 @@
+/* BEGIN_HEADER */
+#include "mbedtls/bignum.h"
+#include "mbedtls/pkcs7.h"
+#include "mbedtls/x509.h"
+#include "mbedtls/x509_crt.h"
+#include "mbedtls/x509_crl.h"
+#include "mbedtls/oid.h"
+#include "sys/types.h"
+#include "sys/stat.h"
+/* END_HEADER */
+
+/* BEGIN_DEPENDENCIES
+ * depends_on:MBEDTLS_PKCS7_C:MBEDTLS_FS_IO
+ * END_DEPENDENCIES
+ */
+
+/* BEGIN_CASE depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_SHA256_C */
+void pkcs7_parse( char *pkcs7_file )
+{
+ unsigned char *pkcs7_buf = NULL;
+ size_t buflen;
+ int res;
+
+ mbedtls_pkcs7 pkcs7;
+
+ mbedtls_pkcs7_init( &pkcs7 );
+
+ res = mbedtls_pk_load_file( pkcs7_file, &pkcs7_buf, &buflen );
+ TEST_ASSERT( res == 0 );
+
+ res = mbedtls_pkcs7_parse_der( &pkcs7, pkcs7_buf, buflen );
+ TEST_ASSERT( res == 0 );
+
+exit:
+ mbedtls_free( pkcs7_buf );
+ mbedtls_pkcs7_free( &pkcs7 );
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_SHA256_C*/
+void pkcs7_parse_without_cert( char *pkcs7_file )
+{
+ unsigned char *pkcs7_buf = NULL;
+ size_t buflen;
+ int res;
+
+ mbedtls_pkcs7 pkcs7;
+
+ mbedtls_pkcs7_init( &pkcs7 );
+
+ res = mbedtls_pk_load_file( pkcs7_file, &pkcs7_buf, &buflen );
+ TEST_ASSERT( res == 0 );
+
+ res = mbedtls_pkcs7_parse_der( &pkcs7, pkcs7_buf, buflen );
+ TEST_ASSERT( res == 0 );
+
+exit:
+ mbedtls_free( pkcs7_buf );
+ mbedtls_pkcs7_free( &pkcs7 );
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_SHA256_C */
+void pkcs7_parse_multiple_signers( char *pkcs7_file )
+{
+ unsigned char *pkcs7_buf = NULL;
+ size_t buflen;
+ int res;
+
+ mbedtls_pkcs7 pkcs7;
+
+ mbedtls_pkcs7_init( &pkcs7 );
+
+ res = mbedtls_pk_load_file( pkcs7_file, &pkcs7_buf, &buflen );
+ TEST_ASSERT( res == 0 );
+
+ res = mbedtls_pkcs7_parse_der( &pkcs7, pkcs7_buf, buflen );
+ TEST_ASSERT( res < 0 );
+
+ switch ( res ){
+ case MBEDTLS_ERR_PKCS7_INVALID_CERT:
+ TEST_ASSERT( res == MBEDTLS_ERR_PKCS7_INVALID_CERT );
+ break;
+
+ case MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO:
+ TEST_ASSERT( res == MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO );
+ break;
+ default:
+ TEST_ASSERT(0);
+ }
+
+exit:
+ mbedtls_free( pkcs7_buf );
+ mbedtls_pkcs7_free( &pkcs7 );
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_SHA256_C */
+void pkcs7_parse_corrupted_cert( char *pkcs7_file )
+{
+ unsigned char *pkcs7_buf = NULL;
+ size_t buflen;
+ int res;
+
+ mbedtls_pkcs7 pkcs7;
+
+ mbedtls_pkcs7_init( &pkcs7 );
+
+ res = mbedtls_pk_load_file( pkcs7_file, &pkcs7_buf, &buflen );
+ TEST_ASSERT( res == 0 );
+
+ res = mbedtls_pkcs7_parse_der( &pkcs7, pkcs7_buf, buflen );
+ TEST_ASSERT( res == MBEDTLS_ERR_PKCS7_INVALID_CERT );
+
+exit:
+ mbedtls_free( pkcs7_buf );
+ mbedtls_pkcs7_free( &pkcs7 );
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_SHA256_C */
+void pkcs7_parse_corrupted_signer_info( char *pkcs7_file )
+{
+ unsigned char *pkcs7_buf = NULL;
+ size_t buflen;
+ int res;
+
+ mbedtls_pkcs7 pkcs7;
+
+ mbedtls_pkcs7_init( &pkcs7 );
+
+ res = mbedtls_pk_load_file( pkcs7_file, &pkcs7_buf, &buflen );
+ TEST_ASSERT( res == 0 );
+
+ res = mbedtls_pkcs7_parse_der( &pkcs7, pkcs7_buf, buflen );
+ TEST_ASSERT( res < 0 );
+
+exit:
+ mbedtls_free( pkcs7_buf );
+ mbedtls_pkcs7_free( &pkcs7 );
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_SHA256_C */
+void pkcs7_parse_version( char *pkcs7_file )
+{
+ unsigned char *pkcs7_buf = NULL;
+ size_t buflen;
+ int res;
+
+ mbedtls_pkcs7 pkcs7;
+
+ mbedtls_pkcs7_init( &pkcs7 );
+
+ res = mbedtls_pk_load_file( pkcs7_file, &pkcs7_buf, &buflen );
+ TEST_ASSERT( res == 0 );
+
+ res = mbedtls_pkcs7_parse_der( &pkcs7, pkcs7_buf, buflen );
+ TEST_ASSERT( res == MBEDTLS_ERR_PKCS7_INVALID_VERSION );
+
+exit:
+ mbedtls_free( pkcs7_buf );
+ mbedtls_pkcs7_free( &pkcs7 );
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_SHA256_C */
+void pkcs7_parse_content_oid( char *pkcs7_file )
+{
+ unsigned char *pkcs7_buf = NULL;
+ size_t buflen;
+ int res;
+ mbedtls_pkcs7 pkcs7;
+
+ mbedtls_pkcs7_init( &pkcs7 );
+
+ res = mbedtls_pk_load_file( pkcs7_file, &pkcs7_buf, &buflen);
+ TEST_ASSERT( res == 0 );
+
+ res = mbedtls_pkcs7_parse_der( &pkcs7, pkcs7_buf, buflen );
+ TEST_ASSERT( res != 0 );
+ TEST_ASSERT( res == MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE );
+exit:
+ mbedtls_free( pkcs7_buf );
+ mbedtls_pkcs7_free( &pkcs7 );
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_PKCS1_V15:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_SHA256_C */
+void pkcs7_verify( char *pkcs7_file, char *crt, char *filetobesigned )
+{
+ unsigned char *pkcs7_buf = NULL;
+ size_t buflen;
+ unsigned char *data = NULL;
+ struct stat st;
+ size_t datalen;
+ int res;
+ FILE *file;
+
+ mbedtls_pkcs7 pkcs7;
+ mbedtls_x509_crt x509;
+
+ mbedtls_pkcs7_init( &pkcs7 );
+ mbedtls_x509_crt_init( &x509 );
+
+ res = mbedtls_x509_crt_parse_file( &x509, crt );
+ TEST_ASSERT( res == 0 );
+
+ res = mbedtls_pk_load_file( pkcs7_file, &pkcs7_buf, &buflen );
+ TEST_ASSERT( res == 0 );
+
+ res = mbedtls_pkcs7_parse_der( &pkcs7, pkcs7_buf, buflen );
+ TEST_ASSERT( res == 0 );
+ mbedtls_free( pkcs7_buf );
+
+ res = stat(filetobesigned, &st);
+ TEST_ASSERT( res == 0 );
+
+ file = fopen( filetobesigned, "rb" );
+ TEST_ASSERT( file != NULL );
+
+ datalen = st.st_size;
+ data = mbedtls_calloc( datalen, 1 );
+ buflen = fread( ( void * )data , sizeof( unsigned char ), datalen, file );
+ TEST_ASSERT( buflen == datalen);
+
+ fclose(file);
+
+ res = mbedtls_pkcs7_signed_data_verify( &pkcs7, &x509, data, datalen );
+ TEST_ASSERT( res == 0 );
+
+exit:
+ mbedtls_x509_crt_free( &x509 );
+ mbedtls_free( data );
+ mbedtls_pkcs7_free( &pkcs7 );
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_PKCS1_V15:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_SHA256_C */
+void pkcs7_verify_hash( char *pkcs7_file, char *crt, char *filetobesigned )
+{
+ unsigned char *pkcs7_buf = NULL;
+ size_t buflen;
+ unsigned char *data = NULL;
+ unsigned char hash[32];
+ struct stat st;
+ size_t datalen;
+ int res;
+ FILE *file;
+ const mbedtls_md_info_t *md_info;
+ mbedtls_md_type_t md_alg;
+
+ mbedtls_pkcs7 pkcs7;
+ mbedtls_x509_crt x509;
+
+ mbedtls_pkcs7_init( &pkcs7 );
+ mbedtls_x509_crt_init( &x509 );
+
+ res = mbedtls_x509_crt_parse_file( &x509, crt );
+ TEST_ASSERT( res == 0 );
+
+ res = mbedtls_pk_load_file( pkcs7_file, &pkcs7_buf, &buflen );
+ TEST_ASSERT( res == 0 );
+
+ res = mbedtls_pkcs7_parse_der( &pkcs7, pkcs7_buf, buflen );
+ TEST_ASSERT( res == 0 );
+
+ res = stat(filetobesigned, &st);
+ TEST_ASSERT( res == 0 );
+
+ file = fopen( filetobesigned, "rb" );
+ TEST_ASSERT( file != NULL );
+
+ datalen = st.st_size;
+ data = mbedtls_calloc( datalen, 1 );
+ TEST_ASSERT( data != NULL);
+
+ buflen = fread( (void *)data , sizeof( unsigned char ), datalen, file );
+ TEST_ASSERT( buflen == datalen);
+ fclose( file );
+
+ res = mbedtls_oid_get_md_alg( &(pkcs7.signed_data.digest_alg_identifiers), &md_alg );
+ TEST_ASSERT( res == 0 );
+ TEST_ASSERT( md_alg == MBEDTLS_MD_SHA256 );
+
+ md_info = mbedtls_md_info_from_type( md_alg );
+
+ mbedtls_md( md_info, data, datalen, hash );
+
+ res = mbedtls_pkcs7_signed_hash_verify( &pkcs7, &x509, hash, sizeof(hash));
+ TEST_ASSERT( res == 0 );
+
+exit:
+ mbedtls_x509_crt_free( &x509 );
+ mbedtls_free( data );
+ mbedtls_pkcs7_free( &pkcs7 );
+ mbedtls_free( pkcs7_buf );
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_PKCS1_V15:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_SHA256_C */
+void pkcs7_verify_badcert( char *pkcs7_file, char *crt, char *filetobesigned )
+{
+ unsigned char *pkcs7_buf = NULL;
+ size_t buflen;
+ unsigned char *data = NULL;
+ struct stat st;
+ size_t datalen;
+ int res;
+ FILE *file;
+
+ mbedtls_pkcs7 pkcs7;
+ mbedtls_x509_crt x509;
+
+ mbedtls_pkcs7_init( &pkcs7 );
+ mbedtls_x509_crt_init( &x509 );
+
+ res = mbedtls_pk_load_file( pkcs7_file, &pkcs7_buf, &buflen );
+ TEST_ASSERT( res == 0 );
+
+ res = mbedtls_pkcs7_parse_der( &pkcs7, pkcs7_buf, buflen );
+ TEST_ASSERT( res == 0 );
+
+ res = mbedtls_x509_crt_parse_file( &x509, crt );
+ TEST_ASSERT( res == 0 );
+
+ res = stat(filetobesigned, &st);
+ TEST_ASSERT( res == 0 );
+
+ file = fopen( filetobesigned, "rb" );
+ TEST_ASSERT( file != NULL );
+
+ datalen = st.st_size;
+ data = mbedtls_calloc( datalen, 1 );
+ buflen = fread( ( void * )data , sizeof( unsigned char ), datalen, file );
+ TEST_ASSERT( buflen == datalen);
+
+ fclose(file);
+
+ res = mbedtls_pkcs7_signed_data_verify( &pkcs7, &x509, data, datalen );
+ TEST_ASSERT( res != 0 );
+
+exit:
+ mbedtls_x509_crt_free( &x509 );
+ mbedtls_free( data );
+ mbedtls_pkcs7_free( &pkcs7 );
+ mbedtls_free( pkcs7_buf );
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_PKCS1_V15:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_SHA256_C */
+void pkcs7_verify_tampered_data( char *pkcs7_file, char *crt, char *filetobesigned )
+{
+ unsigned char *pkcs7_buf = NULL;
+ size_t buflen;
+ unsigned char *data = NULL;
+ struct stat st;
+ size_t datalen;
+ int res;
+ FILE *file;
+
+ mbedtls_pkcs7 pkcs7;
+ mbedtls_x509_crt x509;
+
+ mbedtls_pkcs7_init( &pkcs7 );
+ mbedtls_x509_crt_init( &x509 );
+
+ res = mbedtls_pk_load_file( pkcs7_file, &pkcs7_buf, &buflen );
+ TEST_ASSERT( res == 0 );
+
+ res = mbedtls_pkcs7_parse_der( &pkcs7, pkcs7_buf, buflen );
+ TEST_ASSERT( res == 0 );
+
+ res = mbedtls_x509_crt_parse_file( &x509, crt );
+ TEST_ASSERT( res == 0 );
+
+ res = stat(filetobesigned, &st);
+ TEST_ASSERT( res == 0 );
+
+ file = fopen( filetobesigned, "rb" );
+ TEST_ASSERT( file != NULL );
+
+ datalen = st.st_size;
+ data = mbedtls_calloc( datalen, 1 );
+ buflen = fread( ( void * )data , sizeof( unsigned char ), datalen, file );
+ TEST_ASSERT( buflen == datalen);
+
+ fclose(file);
+
+ res = mbedtls_pkcs7_signed_data_verify( &pkcs7, &x509, data, datalen );
+ TEST_ASSERT( res != 0 );
+
+exit:
+ mbedtls_x509_crt_free( &x509 );
+ mbedtls_pkcs7_free( &pkcs7 );
+ mbedtls_free( data );
+ mbedtls_free( pkcs7_buf );
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
+void pkcs7_parse_failure( char *pkcs7_file )
+{
+ unsigned char *pkcs7_buf = NULL;
+ size_t buflen;
+ int res;
+ mbedtls_pkcs7 pkcs7;
+
+ mbedtls_pkcs7_init( &pkcs7 );
+
+ res = mbedtls_pk_load_file( pkcs7_file, &pkcs7_buf, &buflen );
+ TEST_ASSERT( res == 0 );
+
+ res = mbedtls_pkcs7_parse_der( &pkcs7, pkcs7_buf, buflen );
+ TEST_ASSERT( res != 0 );
+exit:
+ mbedtls_free( pkcs7_buf );
+ mbedtls_pkcs7_free( &pkcs7 );
+}
+/* END_CASE */