Merge branch 'pkcs7-ber' into 'master'

pkcs7: allow BER encoding when parsing encapContentInfo.eContent

See merge request gnutls/gnutls!803

5 files changed, 89 insertions, 3 deletions

diff --git a/lib/x509/pkcs7.c b/lib/x509/pkcs7.c
index 955cb5ae9c..37e2cc3a51 100644
--- a/lib/x509/pkcs7.c
+++ b/lib/x509/pkcs7.c
@@ -111,7 +111,7 @@ static int _decode_pkcs7_signed_data(gnutls_pkcs7_t pkcs7)
 
 	/* Try reading as octet string according to rfc5652. If that fails, attempt
 	 * a raw read according to rfc2315 */
-	result = _gnutls_x509_read_string(c2, "encapContentInfo.eContent", &pkcs7->der_signed_data, ASN1_ETYPE_OCTET_STRING, 0);
+	result = _gnutls_x509_read_string(c2, "encapContentInfo.eContent", &pkcs7->der_signed_data, ASN1_ETYPE_OCTET_STRING, 1);
 	if (result < 0) {
 		result = _gnutls_x509_read_value(c2, "encapContentInfo.eContent", &pkcs7->der_signed_data);
 		if (result < 0) {
@@ -130,7 +130,7 @@ static int _decode_pkcs7_signed_data(gnutls_pkcs7_t pkcs7)
 				goto cleanup;
 			}
 
-			result = asn1_get_length_der(pkcs7->der_signed_data.data+tag_len, pkcs7->der_signed_data.size-tag_len, &len_len);
+			result = asn1_get_length_ber(pkcs7->der_signed_data.data+tag_len, pkcs7->der_signed_data.size-tag_len, &len_len);
 			if (result < 0) {
 				gnutls_assert();
 				result = GNUTLS_E_ASN1_DER_ERROR;
diff --git a/tests/cert-tests/Makefile.am b/tests/cert-tests/Makefile.am
index 9e29079fc4..0d800c24fe 100644
--- a/tests/cert-tests/Makefile.am
+++ b/tests/cert-tests/Makefile.am
@@ -93,7 +93,8 @@ EXTRA_DIST = data/ca-no-pathlen.pem data/no-ca-or-pathlen.pem data/aki-cert.pem
 	data data/pkcs8-invalid9.der data/key-invalid2.der data/pkcs8-invalid10.der \
 	data/key-invalid3.der data/pkcs8-eddsa.pem data/pkcs8-eddsa.pem.txt \
 	data/rfc4490.p7b data/rfc4490.p7b.out data/gost01.p12 data/gost12.p12 data/gost12-2.p12 \
-	data/ca-crl-invalid.crl data/ca-crl-invalid.pem data/ca-crl-valid.pem data/ca-crl-valid.crl
+	data/ca-crl-invalid.crl data/ca-crl-invalid.pem data/ca-crl-valid.pem data/ca-crl-valid.crl \
+	data/rfc4134-ca-rsa.pem data/rfc4134-4.5.p7b
 
 dist_check_SCRIPTS = pathlen aki invalid-sig email \
 	pkcs7 pkcs7-broken-sigs privkey-import name-constraints certtool-long-cn crl provable-privkey \
diff --git a/tests/cert-tests/data/rfc4134-4.5.p7b b/tests/cert-tests/data/rfc4134-4.5.p7b
new file mode 100644
index 0000000000..6608d9b13b
--- /dev/null
+++ b/tests/cert-tests/data/rfc4134-4.5.p7b
diff --git a/tests/cert-tests/data/rfc4134-ca-rsa.pem b/tests/cert-tests/data/rfc4134-ca-rsa.pem
new file mode 100644
index 0000000000..20580fa080
--- /dev/null
+++ b/tests/cert-tests/data/rfc4134-ca-rsa.pem
@@ -0,0 +1,74 @@
+X.509 Certificate Information:
+	Version: 3
+	Serial Number (hex): 46346bc7800056bc11d36e2e9ff25020
+	Issuer: CN=CarlRSA
+	Validity:
+		Not Before: Wed Aug 18 07:00:00 UTC 1999
+		Not After: Sat Dec 31 23:59:59 UTC 2039
+	Subject: CN=CarlRSA
+	Subject Public Key Algorithm: RSA
+	Algorithm Security Level: Low (1024 bits)
+		Modulus (bits 1024):
+			00:e4:4b:ff:18:b8:24:57:f4:77:ff:6e:73:7b:93:71
+			5c:bc:33:1a:92:92:72:23:d8:41:46:d0:cd:11:3a:04
+			b3:8e:af:82:9d:bd:51:1e:17:7a:f2:76:2c:2b:86:39
+			a7:bd:d7:8d:1a:53:ec:e4:00:d5:e8:ec:a2:36:b1:ed
+			e2:50:e2:32:09:8a:3f:9f:99:25:8f:b8:4e:ab:b9:7d
+			d5:96:65:da:16:a0:c5:be:0e:ae:44:5b:ef:5e:f4:a7
+			29:cb:82:dd:ac:44:e9:aa:93:94:29:0e:f8:18:d6:c8
+			57:5e:f2:76:c4:f2:11:60:38:b9:1b:3c:1d:97:c9:6a
+			f1
+		Exponent (bits 24):
+			01:00:01
+	Extensions:
+		Basic Constraints (critical):
+			Certificate Authority (CA): TRUE
+		Key Usage (critical):
+			Digital signature.
+			Certificate signing.
+			CRL signing.
+		Subject Key Identifier (not critical):
+			e9e09027ac78207a9ad34cf242374e22ae9e38bb
+	Signature Algorithm: RSA-SHA1
+	Signature:
+		b7:9e:d4:04:d3:ed:29:e4:ff:89:89:15:2e:4c:db:0c
+		f0:48:0f:32:61:ee:c4:04:ec:12:5d:2d:ff:0f:64:59
+		7e:0a:c3:ed:18:fd:e3:56:40:37:a7:07:b5:f0:38:12
+		61:50:ed:ef:dd:3f:e3:0b:b8:61:a5:a4:9b:3c:e6:9e
+		9c:54:9a:b6:95:d6:da:6c:3b:b5:2d:45:35:9d:49:01
+		76:fa:b9:b9:31:f9:f9:6b:12:53:a0:f5:14:60:9b:7d
+		ca:3e:f2:53:6b:b0:37:6f:ad:e6:74:d7:db:fa:5a:ea
+		14:41:63:5d:cd:be:c8:0e:c1:da:6a:8d:53:34:18:02
+Other Information:
+	SHA1 fingerprint:
+		4110908f77c64c0edfc2de6273bfa9a98a9c5ce5
+	SHA256 fingerprint:
+		734c2253ad2d6bfaec981099a152b1ab42216b44cf48dadd306e6221ad824205
+	Public Key ID:
+		e9e09027ac78207a9ad34cf242374e22ae9e38bb
+	Public key's random art:
+		+--[ RSA 1024]----+
+		|                 |
+		|                 |
+		|                 |
+		|   . .   .       |
+		|o   = o S        |
+		|==.= = o         |
+		|**O . . .        |
+		|=*=.             |
+		|EO               |
+		+-----------------+
+
+-----BEGIN CERTIFICATE-----
+MIIB6zCCAVSgAwIBAgIQRjRrx4AAVrwR024un/JQIDANBgkqhkiG9w0BAQUFADAS
+MRAwDgYDVQQDEwdDYXJsUlNBMB4XDTk5MDgxODA3MDAwMFoXDTM5MTIzMTIzNTk1
+OVowEjEQMA4GA1UEAxMHQ2FybFJTQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkC
+gYEA5Ev/GLgkV/R3/25ze5NxXLwzGpKSciPYQUbQzRE6BLOOr4KdvVEeF3rydiwr
+hjmnvdeNGlPs5ADV6OyiNrHt4lDiMgmKP5+ZJY+4Tqu5fdWWZdoWoMW+Dq5EW+9e
+9Kcpy4LdrETpqpOUKQ74GNbIV17ydsTyEWA4uRs8HZfJavECAwEAAaNCMEAwDwYD
+VR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwHQYDVR0OBBYEFOngkCeseCB6
+mtNM8kI3TiKunji7MA0GCSqGSIb3DQEBBQUAA4GBALee1ATT7Snk/4mJFS5M2wzw
+SA8yYe7EBOwSXS3/D2RZfgrD7Rj941ZAN6cHtfA4EmFQ7e/dP+MLuGGlpJs85p6c
+VJq2ldbabDu1LUU1nUkBdvq5uTH5+WsSU6D1FGCbfco+8lNrsDdvreZ019v6WuoU
+QWNdzb7IDsHaao1TNBgC
+-----END CERTIFICATE-----
diff --git a/tests/cert-tests/pkcs7 b/tests/cert-tests/pkcs7
index c9ce1e4d27..48192985ec 100755
--- a/tests/cert-tests/pkcs7
+++ b/tests/cert-tests/pkcs7
@@ -290,6 +290,17 @@ if test "${rc}" != "0"; then
 	exit ${rc}
 fi
 
+# Test BER encoding, see RFC 4134 Section 4.5
+# SHA1 signature, so --verify-allow-broken
+FILE="rfc4134-4.5"
+${VALGRIND} "${CERTTOOL}" --p7-verify --verify-allow-broken --load-ca-certificate "${srcdir}/data/rfc4134-ca-rsa.pem" --infile "${srcdir}/data/rfc4134-4.5.p7b" --inder
+rc=$?
+
+if test "${rc}" != "0"; then
+	echo "${FILE}: PKCS7 BER parsing/decoding failed"
+	exit ${rc}
+fi
+
 if test "x$ENABLE_GOST" = "x1"  && test "x${GNUTLS_FORCE_FIPS_MODE}" != "x1"
 then
 	FILE="gost01-signing"