mbedtls: add support for pkcs7

PKCS7 signing format is used by OpenPOWER Key Management, which is
using mbedtls as its crypto library.

This patch adds limited support for PKCS7 parsing and verification
to mbedtls. The limitations are:

* Only signed data is supported.
* CRLs are not currently handled.
* Only a single signer is supported.

Signed-off-by: Daniel Axtens <dja@axtens.net>
Signed-off-by: Eric Richter <erichte@linux.ibm.com>
Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
diff --git a/tests/suites/test_suite_pkcs7.data b/tests/suites/test_suite_pkcs7.data
new file mode 100644
index 0000000..870e83b
--- /dev/null
+++ b/tests/suites/test_suite_pkcs7.data
@@ -0,0 +1,53 @@
+PKCS7 Signed Data Parse Pass SHA256 #1
+pkcs7_parse:"data_files/pkcs7_data_cert_signed_sha256.der"
+
+PKCS7 Signed Data Parse Pass SHA1 #2
+depends_on:MBEDTLS_SHA1_C
+pkcs7_parse:"data_files/pkcs7_data_cert_signed_sha1.der"
+
+PKCS7 Signed Data Parse Pass Without CERT #3
+pkcs7_parse_without_cert:"data_files/pkcs7_data_without_cert_signed.der"
+
+PKCS7 Signed Data Parse Fail with multiple signers #4
+pkcs7_parse_multiple_signers:"data_files/pkcs7_data_multiple_signed.der"
+
+PKCS7 Signed Data Parse Fail with multiple certs #4
+pkcs7_parse_multiple_signers:"data_files/pkcs7_data_multiple_certs_signed.der"
+
+PKCS7 Signed Data Parse Fail with corrupted cert #5
+pkcs7_parse_corrupted_cert:"data_files/pkcs7_data_signed_badcert.der"
+
+PKCS7 Signed Data Parse Fail with corrupted signer info #6
+pkcs7_parse_corrupted_signer_info:"data_files/pkcs7_data_signed_badsigner.der"
+
+PKCS7 Signed Data Parse Fail Version other than 1 #7
+pkcs7_parse_version:"data_files/pkcs7_data_cert_signed_v2.der"
+
+PKCS7 Signed Data Parse Fail Encrypted Content #8
+pkcs7_parse_content_oid:"data_files/pkcs7_data_cert_encrypted.der"
+
+PKCS7 Signed Data Verification Pass SHA256 #9
+pkcs7_verify:"data_files/pkcs7_data_cert_signed_sha256.der":"data_files/pkcs7-rsa-sha256-1.crt":"data_files/pkcs7_data.txt"
+
+PKCS7 Signed Data Verification Pass SHA256 #9.1
+pkcs7_verify_hash:"data_files/pkcs7_data_cert_signed_sha256.der":"data_files/pkcs7-rsa-sha256-1.crt":"data_files/pkcs7_data.txt"
+
+PKCS7 Signed Data Verification Pass SHA1 #10
+depends_on:MBEDTLS_SHA1_C
+pkcs7_verify:"data_files/pkcs7_data_cert_signed_sha1.der":"data_files/pkcs7-rsa-sha256-1.crt":"data_files/pkcs7_data.txt"
+
+PKCS7 Signed Data Verification Pass SHA512 #11
+depends_on:MBEDTLS_SHA512_C
+pkcs7_verify:"data_files/pkcs7_data_cert_signed_sha512.der":"data_files/pkcs7-rsa-sha256-1.crt":"data_files/pkcs7_data.txt"
+
+PKCS7 Signed Data Verification Fail because of different certificate #12
+pkcs7_verify_badcert:"data_files/pkcs7_data_cert_signed_sha256.der":"data_files/pkcs7-rsa-sha256-2.crt":"data_files/pkcs7_data.txt"
+
+PKCS7 Signed Data Verification Fail because of different data hash #13
+pkcs7_verify_tampered_data:"data_files/pkcs7_data_cert_signed_sha256.der":"data_files/pkcs7-rsa-sha256-1.crt":"data_files/pkcs7_data_1.txt"
+
+PKCS7 Signed Data Parse Failure Corrupt signerInfo.issuer #15.1
+pkcs7_parse_failure:"data_files/pkcs7_signerInfo_issuer_invalid_size.der"
+
+PKCS7 Signed Data Parse Failure Corrupt signerInfo.serial #15.2
+pkcs7_parse_failure:"data_files/pkcs7_signerInfo_serial_invalid_size.der"
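Review bot: The "Parse Fail with multiple certs" case reuses both the label `#4` and the `pkcs7_parse_multiple_signers` function, so a failure reported for `#4` is ambiguous. If that function asserts a signer-specific error code (it is not visible in this hunk), the multiple-certificate rejection is not pinned to its own error path; renaming the case to `PKCS7 Signed Data Parse Fail with multiple certs #4.1` would at least make the label unique. The only verification failures exercised are a different certificate (#12) and tampered data (#13). There is no case with a corrupted signature value, and none with a CRL present even though the commit message says CRLs are not handled, so whether such input is rejected or silently accepted is left untested. The SHA256 cases carry no `depends_on:` line while the SHA1 and SHA512 cases do, which is fine only if the suite's function file declares that dependency for the whole suite.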