Add support for verifying PKCS7 signed attributes #2264
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
justsmth
reviewed
Mar 13, 2025
| @@ -2068,3 +2071,153 @@ TEST(PKCS7Test, SetDetached) { | |||
| EXPECT_TRUE(PKCS7_set_detached(p7.get(), 1)); | |||
| EXPECT_FALSE(p7.get()->d.sign->contents->d.data); | |||
| } | |||
|
|
|||
| TEST(PKCS7Test, PKCS7SignedAttributes) { | |||
There was a problem hiding this comment.
Could these PKCS7 test values also be added as seeds in our fuzz corpus?
There was a problem hiding this comment.
Great point that we could consider doing. I believe we'll be redoing some of our PKCS7 ASN1 parsing soon to fix the indefinite ber issues we've been having.
We can add these two files along with any new test files that come up to the corpus in a PR once both are completed.
samuel40791765
force-pushed
the
pkcs7-sign
branch
from
8eb5a67 to
11f7932
Compare
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #2264 +/- ##
==========================================
+ Coverage 79.01% 79.03% +0.01%
==========================================
Files 612 614 +2
Lines 106589 106991 +402
Branches 15083 15155 +72
==========================================
+ Hits 84225 84561 +336
- Misses 21711 21775 +64
- Partials 653 655 +2 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
justsmth
approved these changes
Mar 25, 2025
WillChilds-Klein
approved these changes
Mar 25, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Issues:
Resolves
CryptoAlg-2946Description of changes:
I discovered this while trying to fix our PKCS7 implementation to use indefinite encoding. The PKCS7 file that Ruby's PKCS7 tests uses signed attributes, but
PKCS7_verifybails out whenever it encounters files that have signed attributes. There are still other issues with the Ruby PKCS7 test that we'll have to fix (indefinite length ASN1), but I believe we should fix the missing support for verifying signed attributes first.AWS-LC turns on
PKCS7_NOATTRby default inPKCS7_sign, so our existingPKCS7_verifyimplementation can do a successful sign/verify round trip against itself. However, OpenSSL does not turn onPKCS7_NOATTRby default and signed attributes are added automatically to the PKCS7 file if no flags are set. This means that the current state of AWS-LC'sPKCS7_verifywould fail against files generated by the default of OpenSSL'sPKCS7_sign. This PR adds support for verifying PKCS7 signed attributes to fix the misalignment.Call-outs:
N/A
Testing:
PKCS7_signdoes not support signed attributes, so we can only test against generated files by OpenSSL.By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.