tests: Add PKCS#7 verification interoperability test

Intention of this test is to verify PKCS#7 / CMS signatures produced by
third party tools. Usage:

 openssl cms -sign -in <(echo -n "openssl cms interop test message") \
   -signer certs/client-cert.pem -inkey certs/client-key.pem \
   -md sha256 -nodetach -outform DER -out /tmp/cms.der
 openssl smime -sign -in <(echo -n "openssl smime interop test message") \
   -signer certs/client-cert.pem -inkey certs/client-key.pem \
   -md sha256 -binary -nodetach -outform DER -out /tmp/smime.der
 ./configure --enable-pkcs7 --enable-certext --enable-examples \
   --with-pkcs7-test-signed-data=/tmp/cms.der,/tmp/smime.der
 make -j$(nproc)
 tests/unit.test -test_wc_PKCS7_VerifySignedData_interop

Author: haxtibal

configure.ac

@@ -10480,6 +10480,17 @@ if test "x$ENABLED_OLD_EXTDATA_FMT" = "xyes"; then
   AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_OLD_EXTDATA_FMT"
 fi
 
+# Optional PKCS#7 SignedData interoperability test
+AC_ARG_WITH([pkcs7-test-signed-data],
+    [AS_HELP_STRING([--with-pkcs7-test-signed-data=FILE[,FILE,...]],
+        [External test data for optional PKCS#7 interoperability test])],
+    [
+        AC_DEFINE([HAVE_PKCS7_TEST_SIGNED_DATA_FILES], [1],
+            [Define to enable PKCS#7 SignedData interoperability test])
+        AC_DEFINE_UNQUOTED([PKCS7_TEST_SIGNED_DATA_FILES], ["$withval"],
+            [Comma-separated list of DER-encoded CMS SignedData files for interop test])
+    ])
+
 # determine if we have key validation mechanism
 if test "x$ENABLED_ECC" != "xno" || test "x$ENABLED_RSA" = "xyes"
 then

tests/api/test_pkcs7.c

@@ -4856,3 +4856,70 @@ int test_wc_PKCS7_VerifySignedData_PKCS7ContentSeq(void)
     return EXPECT_RESULT();
 }
 
+#if defined(HAVE_PKCS7) && defined(HAVE_PKCS7_TEST_SIGNED_DATA_FILES) && \
+    !defined(NO_FILESYSTEM)
+static int pkcs7_verify_one_signed_data_der_file(const char* path)
+{
+    EXPECT_DECLS;
+    XFILE f = XBADFILE;
+    long signedDataSz;
+    byte* signedData = NULL;
+    PKCS7* pkcs7 = NULL;
+
+    ExpectTrue((f = XFOPEN(path, "rb")) != XBADFILE);
+    ExpectIntEQ(XFSEEK(f, 0, XSEEK_END), 0);
+    ExpectIntGT(signedDataSz = XFTELL(f), 0);
+    ExpectIntEQ(XFSEEK(f, 0, XSEEK_SET), 0);
+
+    ExpectNotNull(signedData = (byte*)XMALLOC((word32)signedDataSz, NULL,
+                                              DYNAMIC_TYPE_TMP_BUFFER));
+    ExpectIntEQ((long)XFREAD(signedData, 1, (word32)signedDataSz, f),
+                signedDataSz);
+    if (f != XBADFILE)
+        XFCLOSE(f);
+
+    ExpectNotNull(pkcs7 = wc_PKCS7_New(NULL, INVALID_DEVID));
+    ExpectIntEQ(wc_PKCS7_InitWithCert(pkcs7, NULL, 0), 0);
+
+    /* test signature verification and message content */
+    ExpectIntEQ(wc_PKCS7_VerifySignedData(pkcs7,
+                                          signedData,
+                                          (word32)signedDataSz), 0);
+    ExpectNotNull(pkcs7->contentDynamic);
+
+    XFREE(signedData, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    wc_PKCS7_Free(pkcs7);
+    return EXPECT_RESULT();
+}
+
+/* Verify CMS SignedData DER files created with third party tools.
+ *
+ * This test verifies signatures created with external tools can be verified by
+ * WolfSSL. Standards allow some variance when creating CMS signatures. The
+ * test is intended to catch incompatibility from subtle differences in
+ * implementation.
+ *
+ * DER files are supplied at configure time:
+ *   configure --with-pkcs7-test-signed-data=openssl_cms.der,openssl_smime.der
+ */
+int test_wc_PKCS7_VerifySignedData_interop(void)
+{
+    EXPECT_DECLS;
+    char pathsTokenBuf[FOURK_BUF];
+    char* nextPath;
+    char* tokState = NULL;
+
+    ExpectTrue(XSTRLEN(PKCS7_TEST_SIGNED_DATA_FILES) < sizeof(pathsTokenBuf));
+    XSTRNCPY(pathsTokenBuf, PKCS7_TEST_SIGNED_DATA_FILES, sizeof(pathsTokenBuf));
+
+    nextPath = XSTRTOK(pathsTokenBuf, ",", &tokState);
+    while (nextPath != NULL) {
+        Expect(pkcs7_verify_one_signed_data_der_file(nextPath) == TEST_SUCCESS,
+               ("%s signature verification succeeds", nextPath),
+               ("%s signature verification failed", nextPath));
+        nextPath = XSTRTOK(NULL, ",", &tokState);
+    }
+    return EXPECT_RESULT();
+}
+#endif /* HAVE_PKCS7 && HAVE_PKCS7_TEST_SIGNED_DATA_FILES && !NO_FILESYSTEM */
+

tests/api/test_pkcs7.h

@@ -58,6 +58,14 @@ int test_wc_PKCS7_SetOriDecryptCtx(void);
 int test_wc_PKCS7_DecodeCompressedData(void);
 int test_wc_PKCS7_DecodeEnvelopedData_multiple_recipients(void);
 int test_wc_PKCS7_VerifySignedData_PKCS7ContentSeq(void);
+#if defined(HAVE_PKCS7) && defined(HAVE_PKCS7_TEST_SIGNED_DATA_FILES) && \
+    !defined(NO_FILESYSTEM)
+int test_wc_PKCS7_VerifySignedData_interop(void);
+#define TEST_PKCS7_INTEROP_VERIFY_SD_DECL \
+    TEST_DECL_GROUP("pkcs7_sd", test_wc_PKCS7_VerifySignedData_interop)
+#else
+#define TEST_PKCS7_INTEROP_VERIFY_SD_DECL
+#endif
 
 
 #define TEST_PKCS7_DECLS                                        \
@@ -92,7 +100,8 @@ int test_wc_PKCS7_VerifySignedData_PKCS7ContentSeq(void);
     TEST_DECL_GROUP("pkcs7_sd", test_wc_PKCS7_Degenerate),              \
     TEST_DECL_GROUP("pkcs7_sd", test_wc_PKCS7_BER),                     \
     TEST_DECL_GROUP("pkcs7_sd", test_wc_PKCS7_NoDefaultSignedAttribs),  \
-    TEST_DECL_GROUP("pkcs7_sd", test_wc_PKCS7_VerifySignedData_PKCS7ContentSeq)
+    TEST_DECL_GROUP("pkcs7_sd", test_wc_PKCS7_VerifySignedData_PKCS7ContentSeq), \
+    TEST_PKCS7_INTEROP_VERIFY_SD_DECL
 
 #define TEST_PKCS7_ENCRYPTED_DATA_DECLS                                     \
     TEST_DECL_GROUP("pkcs7_ed", test_wc_PKCS7_DecodeEnvelopedData_stream),  \