Implement PKCS7_dataInit and PKCS7_dataFinal #1816
Conversation
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #1816 +/- ##
==========================================
+ Coverage 78.79% 78.88% +0.09%
==========================================
Files 590 595 +5
Lines 101506 102430 +924
Branches 14401 14514 +113
==========================================
+ Hits 79979 80805 +826
- Misses 20891 20974 +83
- Partials 636 651 +15 ☔ View full report in Codecov by Sentry. |
WillChilds-Klein
force-pushed
the
pkcs7-bio-data-init-final
branch
3 times, most recently
from
23e4d39
to
1b0c84d
Compare
WillChilds-Klein
force-pushed
the
pkcs7-bio-data-init-final
branch
from
1b0c84d
to
b7ffbde
Compare
WillChilds-Klein
force-pushed
the
pkcs7-bio-data-init-final
branch
from
b7ffbde
to
69cb0fd
Compare
WillChilds-Klein
force-pushed
the
pkcs7-bio-data-init-final
branch
5 times, most recently
from
a4a9d39
to
f7c09cf
Compare
WillChilds-Klein
changed the title
WillChilds-Klein
force-pushed
the
pkcs7-bio-data-init-final
branch
from
f7c09cf
to
aa9a47c
Compare
| @@ -274,6 +274,215 @@ static const uint8_t kPKCS7NSS[] = { | |||
| 0x00, 0x00, 0x00, | |||
| }; | |||
|
|
|||
| static const uint8_t kPKCS7EnvelopedData[] = { | |||
There was a problem hiding this comment.
Just curious how this file was generated?
There was a problem hiding this comment.
Great question. I snagged this from BouncyCastle. I'll drop a comment.
| ASSERT_TRUE(PKCS7_get_PEM_certificates(certs.get(), bio.get())); | ||
| ASSERT_EQ(1U, sk_X509_num(certs.get())); | ||
| rsa_x509.reset(sk_X509_pop(certs.get())); | ||
| ASSERT_TRUE(X509_set_pubkey(rsa_x509.get(), rsa_pkey.get())); |
There was a problem hiding this comment.
When I parse kPEMCert, it seems like the cert already has a public key in it? Or are both fields actually referring to something different
...
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:ec:c7:40:2e:60:a4:71:14:5f:fe:dc:d0:6b:c7:
ae:dc:9e:d2:e4:24:d0:6b:99:ec:d1:17:85:f6:4b:
There was a problem hiding this comment.
it's the same field, but we don't have the corresponding private key for the pre-existing public key. i'd gotten in the habit of replacing the cert's public key with that of a freshly generated keypair to simplify sign/verify testing.
crypto/pkcs7/pkcs7.c
Outdated
| OPENSSL_BEGIN_ALLOW_DEPRECATED | ||
| if (!PKCS7_is_detached(p7) && content && content->length > 0) { | ||
| OPENSSL_END_ALLOW_DEPRECATED |
There was a problem hiding this comment.
NP: Here and several other places -- Since the OPENSSL_XXX_ALLOW_DEPRECATED are not part of the logic, I'd not have them indented; just keep them at the start of their lines.
There was a problem hiding this comment.
yeah, unfortunately this is clang-format's preference not mine. also unfortunately clang-format doesn't support next-line-only disabling so i've added off/on directives above/below these macro invocations.
| err: | ||
| BIO_free_all(out); | ||
| BIO_free_all(btmp); | ||
| return NULL; |
There was a problem hiding this comment.
Do we have any tests that force an error in PKCS7_dataInit?
There was a problem hiding this comment.
no, but we should. i've added a few and will add more when we address sign/verify + detached signatures.
crypto/pkcs7/pkcs7.c
Outdated
| int sign_nid = OBJ_obj2nid(si->digest_alg->algorithm); | ||
| bio_tmp = PKCS7_find_digest(&md_ctx, bio_tmp, sign_nid); | ||
| if (bio_tmp == NULL) { | ||
| goto err; | ||
| } | ||
| // We now have the EVP_MD_CTX, lets do the signing. | ||
| if (!EVP_MD_CTX_copy_ex(md_ctx_tmp, md_ctx)) { | ||
| goto err; | ||
| } | ||
| // We don't currently support signed attributes | ||
| if (sk_X509_ATTRIBUTE_num(si->auth_attr) > 0) { | ||
| OPENSSL_PUT_ERROR(PKCS7, PKCS7_R_PKCS7_DATASIGN); | ||
| goto err; | ||
| } | ||
| unsigned char *abuf = NULL; | ||
| unsigned int abuflen = EVP_PKEY_size(si->pkey); | ||
| if (abuflen == 0 || (abuf = OPENSSL_malloc(abuflen)) == NULL) { | ||
| goto err; | ||
| } | ||
| if (!EVP_SignFinal(md_ctx_tmp, abuf, &abuflen, si->pkey)) { | ||
| OPENSSL_free(abuf); | ||
| OPENSSL_PUT_ERROR(PKCS7, ERR_R_EVP_LIB); | ||
| goto err; | ||
| } | ||
| ASN1_STRING_set0(si->enc_digest, abuf, abuflen); |
There was a problem hiding this comment.
There's apparently no test coverage of the latter part of this loop.
There was a problem hiding this comment.
Correct. that will come once we add PKCS7 verification and expand PKCS7 signing. that will happen 2 PRs from now. In the meantime, I have a "parent" PR here that combines all changes across the PR series (pre-cleanup for each individual PR, so larger and messier). The coverage report shows it's covered there, but we should drop a TODO here to cover (I generally avoid TODO's across commits, but there are currently none in the crypto/pkcs7/ directory, so it won't get lost in any noise).
Notes
This PR adds a few new functions, most notably
PKCS7_dataInitandPKCS7_dataFinalas they're used by ruby to prepare/finalize BIO chains for reading from or writing to a PKCS7 object. Their usage is documented here inpkcs7.h.Testing
Coverage in this PR itself is a bit low due to the cipher-related initialization in PKCS7_dataInit and signature-related finalization in PKCS7_dataFinal. Coverage for these sections of code will be added in the next 2 PRs.
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.