add pkcs7 test with multiple recipients

Author: JacobBarthelmeh

certs/include.am

@@ -53,6 +53,7 @@ EXTRA_DIST += \
              certs/server-revoked-key.pem \
              certs/wolfssl-website-ca.pem \
              certs/test-degenerate.p7b \
+             certs/test-multiple-recipients.p7b \
              certs/test-stream-sign.p7b \
              certs/test-stream-dec.p7b \
              certs/test-ber-exp02-05-2022.p7b \

certs/renewcerts.sh

@@ -888,6 +888,11 @@ run_renewcerts(){
     openssl cms -encrypt -in ca-cert.pem -recip client-cert.pem -out test-stream-dec.p7b -outform DER -stream
     check_result $? ""
 
+    echo "Creating test-multiple-recipients.p7b..."
+    echo ""
+    openssl smime -encrypt -binary -aes-256-cbc -in ./client-key.pem  -out ./test-multiple-recipients.p7b -outform DER ./client-cert.pem ./server-cert.pem
+    check_result $? ""
+
     echo "End of section"
     echo "---------------------------------------------------------------------"
 

certs/test-multiple-recipients.p7b

@@ -2145,6 +2145,83 @@ int test_wc_PKCS7_DecodeEnvelopedData_stream(void)
 #endif
 } /* END test_wc_PKCS7_DecodeEnvelopedData_stream() */
 
+
+/*
+ * Testing wc_PKCS7_DecodeEnvelopedData with streaming
+ */
+int test_wc_PKCS7_DecodeEnvelopedData_multiple_recipients(void)
+{
+#if defined(HAVE_PKCS7)
+    EXPECT_DECLS;
+    PKCS7*      pkcs7 = NULL;
+    int ret = 0;
+    XFILE f = XBADFILE;
+    const char* testFile = "./certs/test-multiple-recipients.p7b";
+    byte testDerBuffer[8192]; /* test-multiple-recipients is currently 6433
+                                 bytes */
+    size_t testDerBufferSz = 0;
+    byte decodedData[8192];
+
+    ExpectTrue((f = XFOPEN(testFile, "rb")) != XBADFILE);
+    testDerBufferSz = XFREAD(testDerBuffer, 1,
+                sizeof(testDerBuffer), f);
+    ExpectIntNE(testDerBufferSz, 0);
+    if (f != XBADFILE) {
+        XFCLOSE(f);
+        f = XBADFILE;
+    }
+
+    /* test with server cert recipient */
+    ExpectNotNull(pkcs7 = wc_PKCS7_New(HEAP_HINT, testDevId));
+    if (pkcs7) {
+        ExpectIntEQ(wc_PKCS7_InitWithCert(pkcs7, (byte*)server_cert_der_2048,
+            sizeof_server_cert_der_2048), 0);
+
+        ExpectIntEQ(wc_PKCS7_SetKey(pkcs7, (byte*)server_key_der_2048,
+            sizeof_server_key_der_2048), 0);
+
+        ret = wc_PKCS7_DecodeEnvelopedData(pkcs7, testDerBuffer,
+            (word32)testDerBufferSz, decodedData, sizeof(decodedData));
+        ExpectIntGT(ret, 0);
+        wc_PKCS7_Free(pkcs7);
+    }
+
+    /* test with client cert recipient */
+    ExpectNotNull(pkcs7 = wc_PKCS7_New(HEAP_HINT, testDevId));
+    if (pkcs7) {
+        ExpectIntEQ(wc_PKCS7_InitWithCert(pkcs7, (byte*)client_cert_der_2048,
+            sizeof_client_cert_der_2048), 0);
+
+        ExpectIntEQ(wc_PKCS7_SetKey(pkcs7, (byte*)client_key_der_2048,
+            sizeof_client_key_der_2048), 0);
+
+        ret = wc_PKCS7_DecodeEnvelopedData(pkcs7, testDerBuffer,
+            (word32)testDerBufferSz, decodedData, sizeof(decodedData));
+        ExpectIntGT(ret, 0);
+        wc_PKCS7_Free(pkcs7);
+    }
+
+    /* test with ca cert recipient (which should fail) */
+    ExpectNotNull(pkcs7 = wc_PKCS7_New(HEAP_HINT, testDevId));
+    if (pkcs7) {
+        ExpectIntEQ(wc_PKCS7_InitWithCert(pkcs7, (byte*)ca_cert_der_2048,
+            sizeof_ca_cert_der_2048), 0);
+
+        ExpectIntEQ(wc_PKCS7_SetKey(pkcs7, (byte*)ca_key_der_2048,
+            sizeof_ca_key_der_2048), 0);
+
+        ret = wc_PKCS7_DecodeEnvelopedData(pkcs7, testDerBuffer,
+            (word32)testDerBufferSz, decodedData, sizeof(decodedData));
+        ExpectIntLT(ret, 0);
+        wc_PKCS7_Free(pkcs7);
+    }
+
+    return EXPECT_RESULT();
+#else
+    return TEST_SKIPPED;
+#endif
+} /* END test_wc_PKCS7_DecodeEnvelopedData_multiple_recipients() */
+
 /*
  * Testing wc_PKCS7_EncodeEnvelopedData(), wc_PKCS7_DecodeEnvelopedData()
  */

tests/api/test_pkcs7.c

@@ -47,6 +47,7 @@ int test_wc_PKCS7_NoDefaultSignedAttribs(void);
 int test_wc_PKCS7_SetOriEncryptCtx(void);
 int test_wc_PKCS7_SetOriDecryptCtx(void);
 int test_wc_PKCS7_DecodeCompressedData(void);
+int test_wc_PKCS7_DecodeEnvelopedData_multiple_recipients(void);
 
 
 #define TEST_PKCS7_DECLS                                        \
@@ -74,7 +75,8 @@ int test_wc_PKCS7_DecodeCompressedData(void);
     TEST_DECL_GROUP("pkcs7_ed", test_wc_PKCS7_DecodeSymmetricKeyPackage),   \
     TEST_DECL_GROUP("pkcs7_ed", test_wc_PKCS7_DecodeOneSymmetricKey),       \
     TEST_DECL_GROUP("pkcs7_ed", test_wc_PKCS7_SetOriEncryptCtx),            \
-    TEST_DECL_GROUP("pkcs7_ed", test_wc_PKCS7_SetOriDecryptCtx)
+    TEST_DECL_GROUP("pkcs7_ed", test_wc_PKCS7_SetOriDecryptCtx),            \
+    TEST_DECL_GROUP("pkcs7_ed", test_wc_PKCS7_DecodeEnvelopedData_multiple_recipients)
 
 #define TEST_PKCS7_SIGNED_ENCRYPTED_DATA_DECLS                              \
     TEST_DECL_GROUP("pkcs7_sed", test_wc_PKCS7_signed_enveloped)

tests/api/test_pkcs7.h

@@ -11974,8 +11974,14 @@ static int wc_PKCS7_DecryptRecipientInfos(wc_PKCS7* pkcs7, byte* in,
             ret = wc_PKCS7_DecryptKtri(pkcs7, in, inSz, idx,
                                       decryptedKey, decryptedKeySz,
                                       recipFound);
-            if (ret != 0)
-                return ret;
+            if (ret != 0) {
+                if (ret != WC_PKCS7_WANT_READ_E && *recipFound == 0) {
+                    continue; /* try next recipient */
+                }
+                else {
+                    return ret; /* found recipient and failed decrypt */
+                }
+            }
         #else
             return NOT_COMPILED_IN;
         #endif
@@ -12096,8 +12102,8 @@ static int wc_PKCS7_DecryptRecipientInfos(wc_PKCS7* pkcs7, byte* in,
                                           recipFound);
                 if (ret != 0)
                     return ret;
-
-            } else {
+            }
+            else {
                 /* failed to find RecipientInfo, restore idx and continue */
                 *idx = savedIdx;
                 break;
@@ -12497,8 +12503,6 @@ int wc_PKCS7_DecodeEnvelopedData(wc_PKCS7* pkcs7, byte* in,
             decryptedKeySz = MAX_ENCRYPTED_KEY_SZ;
             tmpIdx = idx;
         #endif
-            pkiMsgSz = (pkcs7->stream->length > 0)? pkcs7->stream->length: inSz;
-
             ret = wc_PKCS7_DecryptRecipientInfos(pkcs7, in, inSz, &idx,
                                         decryptedKey, &decryptedKeySz,
                                         &recipFound);