Add support for verifying PKCS7 signed attributes#2264
Merged
samuel40791765 merged 3 commits intoaws:mainfrom Mar 25, 2025
Merged
Add support for verifying PKCS7 signed attributes#2264samuel40791765 merged 3 commits intoaws:mainfrom
samuel40791765 merged 3 commits intoaws:mainfrom
Conversation
justsmth
reviewed
Mar 13, 2025
| EXPECT_FALSE(p7.get()->d.sign->contents->d.data); | ||
| } | ||
|
|
||
| TEST(PKCS7Test, PKCS7SignedAttributes) { |
Contributor
There was a problem hiding this comment.
Could these PKCS7 test values also be added as seeds in our fuzz corpus?
Contributor
Author
There was a problem hiding this comment.
Great point that we could consider doing. I believe we'll be redoing some of our PKCS7 ASN1 parsing soon to fix the indefinite ber issues we've been having.
We can add these two files along with any new test files that come up to the corpus in a PR once both are completed.
8eb5a67 to
11f7932
Compare
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #2264 +/- ##
==========================================
+ Coverage 79.01% 79.03% +0.01%
==========================================
Files 612 614 +2
Lines 106589 106991 +402
Branches 15083 15155 +72
==========================================
+ Hits 84225 84561 +336
- Misses 21711 21775 +64
- Partials 653 655 +2 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
justsmth
approved these changes
Mar 25, 2025
WillChilds-Klein
approved these changes
Mar 25, 2025
Merged
skmcgrail
added a commit
that referenced
this pull request
Mar 28, 2025
## What's Changed * Revert "Allow constructed strings in BER parsing (#2015)" by @samuel40791765 in #2278 * Add the rehash utility to the openssl CLI tool by @smittals2 in #2258 * Documentation on service indicator by @justsmth in #2281 * Update patches in Ruby CI by @samuel40791765 in #2233 * Reject DSA trailing garbage in EVP layer, add test cases by @skmcgrail in #2289 * Add support for verifying PKCS7 signed attributes by @samuel40791765 in #2264 * Add support for more SSL BIO functions by @samuel40791765 in #2273 * Wire-up rust-openssl into GitHub CI (for the time being) by @skmcgrail in #2291 * Adding detection of out-of-bound pre-bound memory read to AES-XTS tests. by @nebeid in #2286 * AES: Add function pointer trampoline to avoid delocator issue by @hanno-becker in #2294 * Bump mysql CI to 9.2.0 by @samuel40791765 in #2161 * Cherrypick hardening DSA param checks from BoringSSL by @smittals2 in #2293 By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Issues:
Resolves
CryptoAlg-2946Description of changes:
I discovered this while trying to fix our PKCS7 implementation to use indefinite encoding. The PKCS7 file that Ruby's PKCS7 tests uses signed attributes, but
PKCS7_verifybails out whenever it encounters files that have signed attributes. There are still other issues with the Ruby PKCS7 test that we'll have to fix (indefinite length ASN1), but I believe we should fix the missing support for verifying signed attributes first.AWS-LC turns on
PKCS7_NOATTRby default inPKCS7_sign, so our existingPKCS7_verifyimplementation can do a successful sign/verify round trip against itself. However, OpenSSL does not turn onPKCS7_NOATTRby default and signed attributes are added automatically to the PKCS7 file if no flags are set. This means that the current state of AWS-LC'sPKCS7_verifywould fail against files generated by the default of OpenSSL'sPKCS7_sign. This PR adds support for verifying PKCS7 signed attributes to fix the misalignment.Call-outs:
N/A
Testing:
PKCS7_signdoes not support signed attributes, so we can only test against generated files by OpenSSL.By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.