add example of no certs bundle and stream mode

JacobBarthelmeh · JacobBarthelmeh · commit 81827df470e2 · 2024-01-29T10:15:21.000-07:00
diff --git a/pkcs7/envelopedData-ktri.c b/pkcs7/envelopedData-ktri.c
@@ -79,7 +79,8 @@ static int write_file_buffer(const char* fileName, byte* in, word32 inSz)
 }
 
 static int envelopedData_encrypt(byte* cert, word32 certSz, byte* key,
-                                 word32 keySz, byte* out, word32 outSz)
+                                 word32 keySz, byte* out, word32 outSz,
+                                 byte useStreamMode)
 {
     int ret;
     PKCS7* pkcs7;
@@ -93,6 +94,10 @@ static int envelopedData_encrypt(byte* cert, word32 certSz, byte* key,
     pkcs7->contentOID     = DATA;
     pkcs7->encryptOID     = AES256CBCb;
 
+    if (useStreamMode) {
+        wc_PKCS7_SetStreamMode(pkcs7, 1);
+    }
+
     /* add recipient using RSA certificate (KTRI type) */
     ret = wc_PKCS7_AddRecipient_KTRI(pkcs7, cert, certSz, 0);
     if (ret < 0) {
@@ -109,8 +114,8 @@ static int envelopedData_encrypt(byte* cert, word32 certSz, byte* key,
         return -1;
 
     } else {
-        printf("Successfully encoded EnvelopedData bundle (%s)\n",
-                encodedFileKTRI);
+        printf("Successfully encoded EnvelopedData bundle (%s), stream mode"
+               " %d\n", encodedFileKTRI, useStreamMode);
 
         if (write_file_buffer(encodedFileKTRI, out, ret) != 0) {
             printf("ERROR: error writing encoded to output file\n");
@@ -177,7 +182,7 @@ int main(int argc, char** argv)
     byte key[2048];
     byte encrypted[1024];
     byte decrypted[1024];
-    
+
 #ifdef DEBUG_WOLFSSL
     wolfSSL_Debugging_ON();
 #endif
@@ -189,10 +194,18 @@ int main(int argc, char** argv)
         return -1;
 
     encryptedSz = envelopedData_encrypt(cert, certSz, key, keySz,
-                                        encrypted, sizeof(encrypted));
+                                        encrypted, sizeof(encrypted), 0);
     if (encryptedSz < 0)
         return -1;
 
+#ifdef ASN_BER_TO_DER
+    /* recreate the bundle with BER encoding */
+    encryptedSz = envelopedData_encrypt(cert, certSz, key, keySz,
+                                        encrypted, sizeof(encrypted), 1);
+    if (encryptedSz < 0)
+        return -1;
+#endif
+
 #ifdef DEBUG_WOLFSSL
     printf("EnvelopedData DER (%d byte):\n", encryptedSz);
     WOLFSSL_BUFFER(encrypted, encryptedSz);
diff --git a/pkcs7/signedData.c b/pkcs7/signedData.c
@@ -79,7 +79,8 @@ static int write_file_buffer(const char* fileName, byte* in, word32 inSz)
 }
 
 static int signedData_sign_noattrs(byte* cert, word32 certSz, byte* key,
-                                   word32 keySz, byte* out, word32 outSz)
+                                   word32 keySz, byte* out, word32 outSz,
+                                   byte streamMode, byte noCerts)
 {
     int ret;
     PKCS7* pkcs7;
@@ -118,6 +119,14 @@ static int signedData_sign_noattrs(byte* cert, word32 certSz, byte* key,
     pkcs7->signedAttribs   = NULL;
     pkcs7->signedAttribsSz = 0;
 
+    if (streamMode) {
+        wc_PKCS7_SetStreamMode(pkcs7, 1);
+    }
+
+    if (noCerts) {
+        wc_PKCS7_SetNoCerts(pkcs7, 1);
+    }
+
     /* encode signedData, returns size */
     ret = wc_PKCS7_EncodeSignedData(pkcs7, out, outSz);
     if (ret <= 0) {
@@ -127,8 +136,8 @@ static int signedData_sign_noattrs(byte* cert, word32 certSz, byte* key,
         return -1;
 
     } else {
-        printf("Successfully encoded SignedData bundle (%s)\n",
-               encodedFileNoAttrs);
+        printf("Successfully encoded SignedData bundle (%s) %s\n",
+               encodedFileNoAttrs, (noCerts)? "No Certs Added":"");
 
 #ifdef DEBUG_WOLFSSL
         printf("Encoded DER (%d bytes):\n", ret);
@@ -244,10 +253,14 @@ static int signedData_verify(byte* in, word32 inSz, byte* cert,
 
     if (ret < 0 || (pkcs7->contentSz != sizeof(data)) ||
         (XMEMCMP(pkcs7->content, data, pkcs7->contentSz) != 0)) {
-        printf("ERROR: Failed to verify SignedData bundle, ret = %d\n", ret);
-        wc_PKCS7_Free(pkcs7);
-        return -1;
-
+        if (ret == PKCS7_SIGNEEDS_CHECK) {
+            printf("WARNING: Parsed through bundle but no certificates found to"
+                   " verify signature with\n");
+        }
+        else {
+            printf("ERROR: Failed to verify SignedData bundle, ret = %d\n",
+                ret);
+        }
     } else {
         printf("Successfully verified SignedData bundle.\n");
 
@@ -287,7 +300,7 @@ int main(int argc, char** argv)
 
     /* no attributes */
     encryptedSz = signedData_sign_noattrs(cert, certSz, key, keySz,
-                                          encrypted, sizeof(encrypted));
+                                          encrypted, sizeof(encrypted), 0, 0);
     if (encryptedSz < 0)
         return -1;
 
@@ -297,6 +310,19 @@ int main(int argc, char** argv)
     if (decryptedSz < 0)
         return -1;
 
+    /* no attributes, stream mode, and no certs */
+    encryptedSz = signedData_sign_noattrs(cert, certSz, key, keySz,
+                                          encrypted, sizeof(encrypted), 1, 1);
+    if (encryptedSz < 0)
+        return -1;
+
+    decryptedSz = signedData_verify(encrypted, encryptedSz,
+                                    cert, certSz, key, keySz,
+                                    decrypted, sizeof(decrypted));
+    /* should be error to warn that the signature needs checked */
+    if (decryptedSz != PKCS7_SIGNEEDS_CHECK)
+        return -1;
+
     /* default attributes + messageType attribute */
     encryptedSz = signedData_sign_attrs(cert, certSz, key, keySz,
                                         encrypted, sizeof(encrypted));
