copensslx509pkcs#7wolfssl

Could not parse PKCS7 certificate using WolfSSL but same could be parsed by OpenSSL


I'm trying to parse PKCS7 certificate using WolfSSL but its returning ERROR_CODE: -140 (ASN_PARSE_E) But i was able to parse the same certificate using OpenSSL.

I have Base64 encoded PKCS7 file which am decoding to receive a DER format PKCS7 cert. This DER format PKCS7 is what I'm trying to parse using wolfssl ,but the code returns -140 (ASN_PARSE_E).

#include <stdio.h>
#include <string.h>
#include <stdlib.h>

#include <wolfssl/options.h>
#include <wolfssl/wolfcrypt/settings.h>
#include <wolfssl/wolfcrypt/pkcs7.h>
#include <wolfssl/wolfcrypt/error-crypt.h>
#include <wolfssl/wolfcrypt/logging.h>
#include <wolfssl/wolfcrypt/coding.h>


#define PKCS7CERT                                                       \
"MIICcAYJKoZIhvcNAQcCoIICYTCCAl0CAQExADALBgkqhkiG9w0BBwGgggJFMIIC\r\n"  \
"QTCCAeegAwIBAgICLBMwCgYIKoZIzj0EAwIwFzEVMBMGA1UEAxMMZXN0RXhhbXBs\r\n"  \
"ZUNBMB4XDTIwMTEzMDAzMTQwMVoXDTIxMTEzMDAzMTQwMVowFTETMBEGA1UEAxMK\r\n"  \
"ZXN0RXhhbXBsZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKn474FX\r\n"  \
"/P+KUY0W0d7C4IFbFDKp1RBUJ8h9DsvfpcRx7chaxAGlVC/3F0iB0OpNPYA057FU\r\n"  \
"QqMfsDVU0/SeQ+sSBzRVJptHdBYdCvfCZqW87MmL7D7j218/pafVmozkzINkKHmB\r\n"  \
"EAHUx4Wtjh5O5R8ttQlBIedDwd4nIswtHUhqMFGg82SWtw+BThBXvzLpNa7Imb29\r\n"  \
"lANriivGc/lbY2kzvNuCoGboW0eGu+TYWaNHfX7gnOwHJ/b30/hscEA3gtPxQksy\r\n"  \
"4etQhBz635yeu9b0cMtR5puOoh0se9vuyj/XkqxJrQ+9oqdVTendY5d7djQZcR1a\r\n"  \
"Z1iummM0LtZK59UCAwEAAaNaMFgwCQYDVR0TBAIwADALBgNVHQ8EBAMCB4AwHQYD\r\n"  \
"VR0OBBYEFHri7Gfy4mq5x2bJ/vBFbJCTB29/MB8GA1UdIwQYMBaAFNn/DnEhuCfA\r\n"  \
"dyz1NtN3MlBdg0AhMAoGCCqGSM49BAMCA0gAMEUCIBS+wxEQu5dM55D8txtgZ9uC\r\n"  \
"w9WCdU+UDBTWER116+8IAiEAhmZ51Ak8mZk7bAMx/EmeqvTjCU/8hdzSUWWyP/mO\r\n"  \
"nrIxAA==\r\n" 



int main()
{   
    int ret = 0;
    PKCS7 pkcs7;
    printf("Conversion of PKCS7 to X.509\r\n");
    char cert [] = PKCS7CERT;
    int certs_len = sizeof(cert);
    char out[certs_len];
    int outLen = sizeof(out) ;
    
   ret = Base64_Decode(cert, certs_len, out, &outLen);
   if (ret != 0)
   {
        printf("Failed! Base64_Decode_ret : %d",ret);
        return ret;
   }
    
   ret = wc_PKCS7_Init(&pkcs7, NULL, INVALID_DEVID);
   if (ret != 0)
    {
        printf(" error wc_PKCS7_Init : ret_code : %d",ret);
        return ret;
    } 
    
   ret = wc_PKCS7_InitWithCert(&pkcs7, out, (word32)(outLen));  
   if (ret != 0)
    {
        printf(" error wc_PKCS7_InitWithCert : ret_code : %d",ret);
        return ret;
    }
   
    wc_PKCS7_Free(&pkcs7);
    return ret;
 }

Same PKCS7CERT is successfully getting parsed using openssl (both command line and through program). Below I am mentioning the OpenSSL code.

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <openssl/pem.h>    

#define PKCS7CERT                                                       \
"MIICcAYJKoZIhvcNAQcCoIICYTCCAl0CAQExADALBgkqhkiG9w0BBwGgggJFMIIC\r\n"  \
"QTCCAeegAwIBAgICLBMwCgYIKoZIzj0EAwIwFzEVMBMGA1UEAxMMZXN0RXhhbXBs\r\n"  \
"ZUNBMB4XDTIwMTEzMDAzMTQwMVoXDTIxMTEzMDAzMTQwMVowFTETMBEGA1UEAxMK\r\n"  \
"ZXN0RXhhbXBsZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKn474FX\r\n"  \
"/P+KUY0W0d7C4IFbFDKp1RBUJ8h9DsvfpcRx7chaxAGlVC/3F0iB0OpNPYA057FU\r\n"  \
"QqMfsDVU0/SeQ+sSBzRVJptHdBYdCvfCZqW87MmL7D7j218/pafVmozkzINkKHmB\r\n"  \
"EAHUx4Wtjh5O5R8ttQlBIedDwd4nIswtHUhqMFGg82SWtw+BThBXvzLpNa7Imb29\r\n"  \
"lANriivGc/lbY2kzvNuCoGboW0eGu+TYWaNHfX7gnOwHJ/b30/hscEA3gtPxQksy\r\n"  \
"4etQhBz635yeu9b0cMtR5puOoh0se9vuyj/XkqxJrQ+9oqdVTendY5d7djQZcR1a\r\n"  \
"Z1iummM0LtZK59UCAwEAAaNaMFgwCQYDVR0TBAIwADALBgNVHQ8EBAMCB4AwHQYD\r\n"  \
"VR0OBBYEFHri7Gfy4mq5x2bJ/vBFbJCTB29/MB8GA1UdIwQYMBaAFNn/DnEhuCfA\r\n"  \
"dyz1NtN3MlBdg0AhMAoGCCqGSM49BAMCA0gAMEUCIBS+wxEQu5dM55D8txtgZ9uC\r\n"  \
"w9WCdU+UDBTWER116+8IAiEAhmZ51Ak8mZk7bAMx/EmeqvTjCU/8hdzSUWWyP/mO\r\n"  \
"nrIxAA==\r\n"                                                          

int main()
{   
     int i ;
    char cert [] = PKCS7CERT;
    int certs_len = strlen(cert);
    BIO *buff = NULL;
    BIO *b64 = NULL;
    BIO *out =NULL;
    PKCS7 *p7 = NULL;
    STACK_OF(X509) *certs = NULL;

     printf("Conversion of PKCS7 to X.509\r\n");
    //printf("\r\n BASE64 decode start : \r\n");
    
    b64 = BIO_new(BIO_f_base64());
    buff = BIO_new_mem_buf(cert, certs_len);
    buff = BIO_push(b64, buff);
    out =  BIO_new(BIO_s_mem());
         
    p7 = d2i_PKCS7_bio(buff, NULL);
    if (p7 == NULL)
    {
        printf("Error loading PKCS7 file \n");
    }
    
    i = OBJ_obj2nid(p7->type);
    
    if(i == NID_pkcs7_signed)
    {
        certs = p7->d.sign->cert;
    } 
    
    else if(i == NID_pkcs7_signedAndEnveloped) 
    {
        certs = p7->d.signed_and_enveloped->cert;
    }

    for (i = 0; certs && i < sk_X509_num(certs); i++) 
    {
        X509 *x = sk_X509_value(certs,i);
      PEM_write_bio_X509(out,x);
    }
    
    BUF_MEM *bptr;
    BIO_get_mem_ptr(out, &bptr); 
    char *buffer = (char *)malloc(bptr->length);
    memcpy(buffer, bptr->data, bptr->length-1);
    int buf_len = bptr->length-1;
    buffer[bptr->length-1] = 0;
    printf("X509_CERT After Conversion :\r\n %s\r\n",buffer);
    BIO_free_all(buff);
    BIO_free_all(out);
    free(buffer);
    PKCS7_free(p7);     
}

Where I'm possibly going wrong?


Solution

  • The PKCS7 certificate will load correctly if replacing:

        wc_PKCS7_Init(&pkcs7, NULL, INVALID_DEVID);
        wc_PKCS7_InitWithCert(&pkcs7, out, (word32)(outLen));
    

    with:

        wc_PKCS7_Init(&pkcs7, NULL, INVALID_DEVID);
        wc_PKCS7_InitWithCert(&pkcs7, NULL, 0); //? maybe redundant
        wc_PKCS7_VerifySignedData(&pkcs7, out, (word32)outLen);
    

    The wc_PKCS7_InitWithCert call doesn't seem to be necessary when there is no recipient certificate, but it's still present in WolfSSL's own pkcs7-verify.c example.