@@ -2103,6 +2103,54 @@ int test_wc_PKCS7_VerifySignedData_RSA(void)
21032103 return EXPECT_RESULT ();
21042104} /* END test_wc_PKCS7_VerifySignedData()_RSA */
21052105
2106+ int test_wc_PKCS7_VerifySignedData_TamperedAttribs (void )
2107+ {
2108+ EXPECT_DECLS ;
2109+ #if defined(HAVE_PKCS7 ) && !defined(NO_FILESYSTEM ) && !defined(NO_RSA )
2110+ PKCS7 * pkcs7 = NULL ;
2111+ byte output [6000 ];
2112+ word32 outputSz = sizeof (output );
2113+ byte data [] = "Test data to encode." ;
2114+ /* SCEP messageType OID + SET { PrintableString "19" } */
2115+ const byte pattern [] = {
2116+ 0x06 , 0x0a , 0x60 , 0x86 , 0x48 , 0x01 , 0x86 , 0xF8 ,
2117+ 0x45 , 0x01 , 0x09 , 0x02 ,
2118+ 0x31 , 0x04 , 0x13 , 0x02 , 0x31 , 0x39
2119+ };
2120+ word32 i ;
2121+ int found = -1 ;
2122+ int matches = 0 ;
2123+
2124+ XMEMSET (output , 0 , outputSz );
2125+ ExpectIntGT ((outputSz = (word32 )CreatePKCS7SignedData (output , (int )outputSz ,
2126+ data , (word32 )sizeof (data ),
2127+ 1 /* withAttribs */ , 0 /* detached */ , 0 , RSA_TYPE )), 0 );
2128+
2129+ if (outputSz > 0 && outputSz <= sizeof (output )) {
2130+ for (i = 0 ; i + sizeof (pattern ) <= outputSz ; i ++ ) {
2131+ if (XMEMCMP (output + i , pattern , sizeof (pattern )) == 0 ) {
2132+ if (matches == 0 )
2133+ found = (int )i ;
2134+ matches ++ ;
2135+ }
2136+ }
2137+ ExpectIntEQ (matches , 1 );
2138+ }
2139+
2140+ if (matches == 1 && found >= 0 ) {
2141+ output [found + (int )sizeof (pattern ) - 1 ] ^= 0x01 ;
2142+
2143+ ExpectNotNull (pkcs7 = wc_PKCS7_New (HEAP_HINT , testDevId ));
2144+ ExpectIntEQ (wc_PKCS7_InitWithCert (pkcs7 , NULL , 0 ), 0 );
2145+ ExpectIntEQ (wc_PKCS7_VerifySignedData (pkcs7 , output , outputSz ),
2146+ WC_NO_ERR_TRACE (SIG_VERIFY_E ));
2147+ wc_PKCS7_Free (pkcs7 );
2148+ pkcs7 = NULL ;
2149+ }
2150+ #endif
2151+ return EXPECT_RESULT ();
2152+ }
2153+
21062154/*
21072155 * Testing wc_PKCS_VerifySignedData()
21082156 */
@@ -2292,6 +2340,54 @@ int test_wc_PKCS7_VerifySignedData_ECC(void)
22922340 return EXPECT_RESULT ();
22932341} /* END test_wc_PKCS7_VerifySignedData_ECC() */
22942342
2343+ int test_wc_PKCS7_VerifySignedData_ECC_TamperedAttribs (void )
2344+ {
2345+ EXPECT_DECLS ;
2346+ #if defined(HAVE_PKCS7 ) && !defined(NO_FILESYSTEM ) && defined(HAVE_ECC )
2347+ PKCS7 * pkcs7 = NULL ;
2348+ byte output [6000 ];
2349+ word32 outputSz = sizeof (output );
2350+ byte data [] = "Test data to encode." ;
2351+ /* SCEP messageType OID + SET { PrintableString "19" } */
2352+ const byte pattern [] = {
2353+ 0x06 , 0x0a , 0x60 , 0x86 , 0x48 , 0x01 , 0x86 , 0xF8 ,
2354+ 0x45 , 0x01 , 0x09 , 0x02 ,
2355+ 0x31 , 0x04 , 0x13 , 0x02 , 0x31 , 0x39
2356+ };
2357+ word32 i ;
2358+ int found = -1 ;
2359+ int matches = 0 ;
2360+
2361+ XMEMSET (output , 0 , outputSz );
2362+ ExpectIntGT ((outputSz = (word32 )CreatePKCS7SignedData (output , (int )outputSz ,
2363+ data , (word32 )sizeof (data ),
2364+ 1 /* withAttribs */ , 0 /* detached */ , 0 , ECC_TYPE )), 0 );
2365+
2366+ if (outputSz > 0 && outputSz <= sizeof (output )) {
2367+ for (i = 0 ; i + sizeof (pattern ) <= outputSz ; i ++ ) {
2368+ if (XMEMCMP (output + i , pattern , sizeof (pattern )) == 0 ) {
2369+ if (matches == 0 )
2370+ found = (int )i ;
2371+ matches ++ ;
2372+ }
2373+ }
2374+ ExpectIntEQ (matches , 1 );
2375+ }
2376+
2377+ if (matches == 1 && found >= 0 ) {
2378+ output [found + (int )sizeof (pattern ) - 1 ] ^= 0x01 ;
2379+
2380+ ExpectNotNull (pkcs7 = wc_PKCS7_New (HEAP_HINT , testDevId ));
2381+ ExpectIntEQ (wc_PKCS7_InitWithCert (pkcs7 , NULL , 0 ), 0 );
2382+ ExpectIntEQ (wc_PKCS7_VerifySignedData (pkcs7 , output , outputSz ),
2383+ WC_NO_ERR_TRACE (SIG_VERIFY_E ));
2384+ wc_PKCS7_Free (pkcs7 );
2385+ pkcs7 = NULL ;
2386+ }
2387+ #endif
2388+ return EXPECT_RESULT ();
2389+ }
2390+
22952391
22962392#if defined(HAVE_PKCS7 ) && !defined(NO_AES ) && defined(HAVE_AES_CBC ) && \
22972393 defined(WOLFSSL_AES_256 ) && defined(HAVE_AES_KEYWRAP )
0 commit comments