@@ -2326,6 +2326,54 @@ int test_wc_PKCS7_VerifySignedData_RSA(void)
23262326 return EXPECT_RESULT ();
23272327} /* END test_wc_PKCS7_VerifySignedData()_RSA */
23282328
2329+ int test_wc_PKCS7_VerifySignedData_TamperedAttribs (void )
2330+ {
2331+ EXPECT_DECLS ;
2332+ #if defined(HAVE_PKCS7 ) && !defined(NO_FILESYSTEM ) && !defined(NO_RSA )
2333+ PKCS7 * pkcs7 = NULL ;
2334+ byte output [6000 ];
2335+ word32 outputSz = sizeof (output );
2336+ byte data [] = "Test data to encode." ;
2337+ /* SCEP messageType OID + SET { PrintableString "19" } */
2338+ const byte pattern [] = {
2339+ 0x06 , 0x0a , 0x60 , 0x86 , 0x48 , 0x01 , 0x86 , 0xF8 ,
2340+ 0x45 , 0x01 , 0x09 , 0x02 ,
2341+ 0x31 , 0x04 , 0x13 , 0x02 , 0x31 , 0x39
2342+ };
2343+ word32 i ;
2344+ int found = -1 ;
2345+ int matches = 0 ;
2346+
2347+ XMEMSET (output , 0 , outputSz );
2348+ ExpectIntGT ((outputSz = (word32 )CreatePKCS7SignedData (output , (int )outputSz ,
2349+ data , (word32 )sizeof (data ),
2350+ 1 /* withAttribs */ , 0 /* detached */ , 0 , RSA_TYPE )), 0 );
2351+
2352+ if (outputSz > 0 && outputSz <= sizeof (output )) {
2353+ for (i = 0 ; i + sizeof (pattern ) <= outputSz ; i ++ ) {
2354+ if (XMEMCMP (output + i , pattern , sizeof (pattern )) == 0 ) {
2355+ if (matches == 0 )
2356+ found = (int )i ;
2357+ matches ++ ;
2358+ }
2359+ }
2360+ ExpectIntEQ (matches , 1 );
2361+ }
2362+
2363+ if (matches == 1 && found >= 0 ) {
2364+ output [found + (int )sizeof (pattern ) - 1 ] ^= 0x01 ;
2365+
2366+ ExpectNotNull (pkcs7 = wc_PKCS7_New (HEAP_HINT , testDevId ));
2367+ ExpectIntEQ (wc_PKCS7_InitWithCert (pkcs7 , NULL , 0 ), 0 );
2368+ ExpectIntEQ (wc_PKCS7_VerifySignedData (pkcs7 , output , outputSz ),
2369+ WC_NO_ERR_TRACE (SIG_VERIFY_E ));
2370+ wc_PKCS7_Free (pkcs7 );
2371+ pkcs7 = NULL ;
2372+ }
2373+ #endif
2374+ return EXPECT_RESULT ();
2375+ }
2376+
23292377/*
23302378 * Testing wc_PKCS_VerifySignedData()
23312379 */
@@ -2515,6 +2563,54 @@ int test_wc_PKCS7_VerifySignedData_ECC(void)
25152563 return EXPECT_RESULT ();
25162564} /* END test_wc_PKCS7_VerifySignedData_ECC() */
25172565
2566+ int test_wc_PKCS7_VerifySignedData_ECC_TamperedAttribs (void )
2567+ {
2568+ EXPECT_DECLS ;
2569+ #if defined(HAVE_PKCS7 ) && !defined(NO_FILESYSTEM ) && defined(HAVE_ECC )
2570+ PKCS7 * pkcs7 = NULL ;
2571+ byte output [6000 ];
2572+ word32 outputSz = sizeof (output );
2573+ byte data [] = "Test data to encode." ;
2574+ /* SCEP messageType OID + SET { PrintableString "19" } */
2575+ const byte pattern [] = {
2576+ 0x06 , 0x0a , 0x60 , 0x86 , 0x48 , 0x01 , 0x86 , 0xF8 ,
2577+ 0x45 , 0x01 , 0x09 , 0x02 ,
2578+ 0x31 , 0x04 , 0x13 , 0x02 , 0x31 , 0x39
2579+ };
2580+ word32 i ;
2581+ int found = -1 ;
2582+ int matches = 0 ;
2583+
2584+ XMEMSET (output , 0 , outputSz );
2585+ ExpectIntGT ((outputSz = (word32 )CreatePKCS7SignedData (output , (int )outputSz ,
2586+ data , (word32 )sizeof (data ),
2587+ 1 /* withAttribs */ , 0 /* detached */ , 0 , ECC_TYPE )), 0 );
2588+
2589+ if (outputSz > 0 && outputSz <= sizeof (output )) {
2590+ for (i = 0 ; i + sizeof (pattern ) <= outputSz ; i ++ ) {
2591+ if (XMEMCMP (output + i , pattern , sizeof (pattern )) == 0 ) {
2592+ if (matches == 0 )
2593+ found = (int )i ;
2594+ matches ++ ;
2595+ }
2596+ }
2597+ ExpectIntEQ (matches , 1 );
2598+ }
2599+
2600+ if (matches == 1 && found >= 0 ) {
2601+ output [found + (int )sizeof (pattern ) - 1 ] ^= 0x01 ;
2602+
2603+ ExpectNotNull (pkcs7 = wc_PKCS7_New (HEAP_HINT , testDevId ));
2604+ ExpectIntEQ (wc_PKCS7_InitWithCert (pkcs7 , NULL , 0 ), 0 );
2605+ ExpectIntEQ (wc_PKCS7_VerifySignedData (pkcs7 , output , outputSz ),
2606+ WC_NO_ERR_TRACE (SIG_VERIFY_E ));
2607+ wc_PKCS7_Free (pkcs7 );
2608+ pkcs7 = NULL ;
2609+ }
2610+ #endif
2611+ return EXPECT_RESULT ();
2612+ }
2613+
25182614
25192615#if defined(HAVE_PKCS7 ) && !defined(NO_AES ) && defined(HAVE_AES_CBC ) && \
25202616 defined(WOLFSSL_AES_256 ) && defined(HAVE_AES_KEYWRAP )
0 commit comments