On Thu, 23 Feb 2023 14:23:05 +0000, Dave Rodgman via mbed-tls mbed-tls@lists.trustedfirmware.org wrote:
Hi Joakim,
The current PKCS #7 implementation indeed does not currently support certificate chains, and does not use a certificate from the PKCS #7 file to validate the signature, and does not support authenticatedAttributes.
We’ve tried to document these limitations clearly in include/mbedtls/pkcs7.h – if you think it’s not sufficiently clear, please raise an issue or PR with points for further improvement. We are currently tidying up the existing PKCS #7 functionality so want to get this right before the next release.
Sorry, I didn't mean to come of as flippant. It was actually just meant as an admission that things had generally just worked up until now so I hadn't done my due diligence.
Regarding use of MBEDTLS_PRIVATE – if there are particular fields that it’s useful to access, the preferred approach would probably be to add functions to the PKCS #7 API to access the fields in question, rather than remove MBEDTLS_PRIVATE.
I think it would be useful to grant access to the list of signers, the issuer name and the signedAttributes associated with each. I also think it would be good to give access to the list of certificates embedded in the signature. At the end of the day I just didn't want to step on anyones toes over it.
Thank you for providing these patches. Would you be able to submit them as a PR for review in the normal way via GitHub (see https://github.com/Mbed-TLS/mbedtls/blob/development/CONTRIBUTING.md for details)? They would also need some tests adding. If you don’t have time to work on these, I can create a PR but would need you to confirm that these submissions are made under the terms of our DCO.
I definitely don't have time in the near future, sorry, so I would appreciate it if you would take it from here.
The contribution was created in whole by me and I have the right to submit it under the open source license indicated in the file.
I understand and agree that this project and the contribution are public and that a record of the contribution (including all personal information I submit with it, including my sign-off) is maintained indefinitely and may be redistributed consistent with this project or the open source license(s) involved.
I hope that's clears it up.
Joakim