-
Notifications
You must be signed in to change notification settings - Fork 122
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Implement PKCS7_dataInit and PKCS7_dataFinal #1816
Implement PKCS7_dataInit and PKCS7_dataFinal #1816
Conversation
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #1816 +/- ##
==========================================
+ Coverage 78.79% 78.88% +0.09%
==========================================
Files 590 595 +5
Lines 101506 102430 +924
Branches 14401 14514 +113
==========================================
+ Hits 79979 80805 +826
- Misses 20891 20974 +83
- Partials 636 651 +15 ☔ View full report in Codecov by Sentry. |
23e4d39
to
1b0c84d
Compare
1b0c84d
to
b7ffbde
Compare
b7ffbde
to
69cb0fd
Compare
a4a9d39
to
f7c09cf
Compare
f7c09cf
to
aa9a47c
Compare
@@ -274,6 +274,215 @@ static const uint8_t kPKCS7NSS[] = { | |||
0x00, 0x00, 0x00, | |||
}; | |||
|
|||
static const uint8_t kPKCS7EnvelopedData[] = { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just curious how this file was generated?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Great question. I snagged this from BouncyCastle. I'll drop a comment.
ASSERT_TRUE(PKCS7_get_PEM_certificates(certs.get(), bio.get())); | ||
ASSERT_EQ(1U, sk_X509_num(certs.get())); | ||
rsa_x509.reset(sk_X509_pop(certs.get())); | ||
ASSERT_TRUE(X509_set_pubkey(rsa_x509.get(), rsa_pkey.get())); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
When I parse kPEMCert
, it seems like the cert already has a public key in it? Or are both fields actually referring to something different
...
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:ec:c7:40:2e:60:a4:71:14:5f:fe:dc:d0:6b:c7:
ae:dc:9e:d2:e4:24:d0:6b:99:ec:d1:17:85:f6:4b:
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
it's the same field, but we don't have the corresponding private key for the pre-existing public key. i'd gotten in the habit of replacing the cert's public key with that of a freshly generated keypair to simplify sign/verify testing.
crypto/pkcs7/pkcs7.c
Outdated
OPENSSL_BEGIN_ALLOW_DEPRECATED | ||
if (!PKCS7_is_detached(p7) && content && content->length > 0) { | ||
OPENSSL_END_ALLOW_DEPRECATED |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
NP: Here and several other places -- Since the OPENSSL_XXX_ALLOW_DEPRECATED
are not part of the logic, I'd not have them indented; just keep them at the start of their lines.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yeah, unfortunately this is clang-format's preference not mine. also unfortunately clang-format doesn't support next-line-only disabling so i've added off/on directives above/below these macro invocations.
err: | ||
BIO_free_all(out); | ||
BIO_free_all(btmp); | ||
return NULL; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we have any tests that force an error in PKCS7_dataInit
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
no, but we should. i've added a few and will add more when we address sign/verify + detached signatures.
crypto/pkcs7/pkcs7.c
Outdated
int sign_nid = OBJ_obj2nid(si->digest_alg->algorithm); | ||
bio_tmp = PKCS7_find_digest(&md_ctx, bio_tmp, sign_nid); | ||
if (bio_tmp == NULL) { | ||
goto err; | ||
} | ||
// We now have the EVP_MD_CTX, lets do the signing. | ||
if (!EVP_MD_CTX_copy_ex(md_ctx_tmp, md_ctx)) { | ||
goto err; | ||
} | ||
// We don't currently support signed attributes | ||
if (sk_X509_ATTRIBUTE_num(si->auth_attr) > 0) { | ||
OPENSSL_PUT_ERROR(PKCS7, PKCS7_R_PKCS7_DATASIGN); | ||
goto err; | ||
} | ||
unsigned char *abuf = NULL; | ||
unsigned int abuflen = EVP_PKEY_size(si->pkey); | ||
if (abuflen == 0 || (abuf = OPENSSL_malloc(abuflen)) == NULL) { | ||
goto err; | ||
} | ||
if (!EVP_SignFinal(md_ctx_tmp, abuf, &abuflen, si->pkey)) { | ||
OPENSSL_free(abuf); | ||
OPENSSL_PUT_ERROR(PKCS7, ERR_R_EVP_LIB); | ||
goto err; | ||
} | ||
ASN1_STRING_set0(si->enc_digest, abuf, abuflen); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There's apparently no test coverage of the latter part of this loop.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Correct. that will come once we add PKCS7 verification and expand PKCS7 signing. that will happen 2 PRs from now. In the meantime, I have a "parent" PR here that combines all changes across the PR series (pre-cleanup for each individual PR, so larger and messier). The coverage report shows it's covered there, but we should drop a TODO here to cover (I generally avoid TODO's across commits, but there are currently none in the crypto/pkcs7/
directory, so it won't get lost in any noise).
Notes
This PR adds a few new functions, most notably
PKCS7_dataInit
andPKCS7_dataFinal
as they're used by ruby to prepare/finalize BIO chains for reading from or writing to a PKCS7 object. Their usage is documented here inpkcs7.h
.Testing
Coverage in this PR itself is a bit low due to the cipher-related initialization in PKCS7_dataInit and signature-related finalization in PKCS7_dataFinal. Coverage for these sections of code will be added in the next 2 PRs.
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.