From ff2746fa56166569a1f33ee1ab048aeeb0d4028d Mon Sep 17 00:00:00 2001
From: Nick Child
Date: Thu, 15 Dec 2022 13:06:21 -0600
Subject: [PATCH] test/pkcs7: Add test for wrong hash alg

Add a test to verify a hash which uses a different digest algorithm than the one specified in the pkcs7.

Signed-off-by: Nick Child
---
 tests/suites/test_suite_pkcs7.data | 5 +++++
 tests/suites/test_suite_pkcs7.function | 28 +++++++++----------------
 2 files changed, 15 insertions(+), 18 deletions(-)

diff --git a/tests/suites/test_suite_pkcs7.data b/tests/suites/test_suite_pkcs7.data
index 571d5adf4..3f5b41455 100644
--- a/tests/suites/test_suite_pkcs7.data
+++ b/tests/suites/test_suite_pkcs7.data
@@ -81,3 +81,8 @@ pkcs7_verify_multiple_signers:"data_files/pkcs7_data_multiple_signed.der":"data_
 PKCS7 Signed Data Hash Verify with multiple signers #17
 depends_on:MBEDTLS_SHA256_C
 pkcs7_verify_multiple_signers:"data_files/pkcs7_data_multiple_signed.der":"data_files/pkcs7-rsa-sha256-1.crt":"data_files/pkcs7-rsa-sha256-2.crt":"data_files/pkcs7_data.bin":MBEDTLS_MD_SHA256:0
+
+PKCS7 Signed Data Hash Verify Fail with multiple signers #18
+depends_on:MBEDTLS_SHA256_C:MBEDTLS_SHA512_C
+pkcs7_verify_multiple_signers:"data_files/pkcs7_data_multiple_signed.der":"data_files/pkcs7-rsa-sha256-1.crt":"data_files/pkcs7-rsa-sha256-2.crt":"data_files/pkcs7_data.bin":MBEDTLS_MD_SHA512:MBEDTLS_ERR_PKCS7_VERIFY_FAIL
+
diff --git a/tests/suites/test_suite_pkcs7.function b/tests/suites/test_suite_pkcs7.function
index 4fc416ae7..d5a69dae1 100644
--- a/tests/suites/test_suite_pkcs7.function
+++ b/tests/suites/test_suite_pkcs7.function
@@ -44,13 +44,12 @@ void pkcs7_verify(char *pkcs7_file, char *crt, char *filetobesigned, int do_hash
 unsigned char *pkcs7_buf = NULL;
 size_t buflen;
 unsigned char *data = NULL;
- unsigned char hash[32];
+ unsigned char hash[64];
 struct stat st;
 size_t datalen;
 int res;
 FILE *file;
 const mbedtls_md_info_t *md_info;
- mbedtls_md_type_t md_alg;
 mbedtls_pkcs7 pkcs7;
 mbedtls_x509_crt x509;
@@ -84,15 +83,12 @@ void pkcs7_verify(char *pkcs7_file, char *crt, char *filetobesigned, int do_hash
 fclose(file);
 if (do_hash_alg) {
- res = mbedtls_oid_get_md_alg(&pkcs7.signed_data.digest_alg_identifiers, &md_alg);
- TEST_EQUAL(res, 0);
- TEST_EQUAL(md_alg, (mbedtls_md_type_t) do_hash_alg);
- md_info = mbedtls_md_info_from_type(md_alg);
+ md_info = mbedtls_md_info_from_type((mbedtls_md_type_t) do_hash_alg);
 res = mbedtls_md(md_info, data, datalen, hash);
 TEST_EQUAL(res, 0);
- res = mbedtls_pkcs7_signed_hash_verify(&pkcs7, &x509, hash, sizeof(hash));
+ res = mbedtls_pkcs7_signed_hash_verify(&pkcs7, &x509, hash, mbedtls_md_get_size(md_info));
 } else {
 res = mbedtls_pkcs7_signed_data_verify(&pkcs7, &x509, data, datalen);
 }
@@ -118,13 +114,12 @@ void pkcs7_verify_multiple_signers(char *pkcs7_file,
 unsigned char *pkcs7_buf = NULL;
 size_t buflen;
 unsigned char *data = NULL;
- unsigned char hash[32];
+ unsigned char hash[64];
 struct stat st;
 size_t datalen;
 int res;
 FILE *file;
 const mbedtls_md_info_t *md_info;
- mbedtls_md_type_t md_alg;
 mbedtls_pkcs7 pkcs7;
 mbedtls_x509_crt x509_1;
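Review bot: The digest buffer in the first hunk is sized with a bare `64`, although the digest is now selected at run time from `do_hash_alg` and `mbedtls_md()` is given no output length, so the buffer is only large enough while no test-data line names a digest wider than 64 bytes. Declaring it as `unsigned char hash[MBEDTLS_MD_MAX_SIZE];` ties the size to the library's own maximum instead of to today's largest digest. The identical declaration in `pkcs7_verify_multiple_signers` (third hunk) needs the same change. Both function bodies start and end outside these hunks.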
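Review bot: `md_info` is used unchecked in the `if (do_hash_alg)` branch of the second hunk: `mbedtls_md_info_from_type()` returns NULL for a digest that is not compiled in or for an unknown value, and the pointer goes straight into `mbedtls_md()` and `mbedtls_md_get_size()`. A bad test-data line would then show up only indirectly, presumably through the return value of `mbedtls_md()`. Adding `TEST_ASSERT(md_info != NULL);` directly after the lookup makes the failure point at its cause. The same lookup in the last hunk (`pkcs7_verify_multiple_signers`) has the same gap.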
@@ -164,25 +159,22 @@ void pkcs7_verify_multiple_signers(char *pkcs7_file,
 fclose(file);
 if (do_hash_alg) {
- res = mbedtls_oid_get_md_alg(&pkcs7.signed_data.digest_alg_identifiers, &md_alg);
- TEST_EQUAL(res, 0);
- TEST_EQUAL(md_alg, MBEDTLS_MD_SHA256);
-
- md_info = mbedtls_md_info_from_type(md_alg);
+ md_info = mbedtls_md_info_from_type((mbedtls_md_type_t) do_hash_alg);
 res = mbedtls_md(md_info, data, datalen, hash);
 TEST_EQUAL(res, 0);
- res = mbedtls_pkcs7_signed_hash_verify(&pkcs7, &x509_1, hash, sizeof(hash));
+ res = mbedtls_pkcs7_signed_hash_verify(&pkcs7, &x509_1, hash, mbedtls_md_get_size(md_info));
+ TEST_EQUAL(res, res_expect);
+ res = mbedtls_pkcs7_signed_hash_verify(&pkcs7, &x509_2, hash, mbedtls_md_get_size(md_info));
 TEST_EQUAL(res, res_expect);
 } else {
 res = mbedtls_pkcs7_signed_data_verify(&pkcs7, &x509_1, data, datalen);
 TEST_EQUAL(res, res_expect);
+ res = mbedtls_pkcs7_signed_data_verify(&pkcs7, &x509_2, data, datalen);
+ TEST_EQUAL(res, res_expect);
 }
- res = mbedtls_pkcs7_signed_data_verify(&pkcs7, &x509_2, data, datalen);
- TEST_EQUAL(res, res_expect);
-
 exit:
 mbedtls_x509_crt_free(&x509_1);
 mbedtls_x509_crt_free(&x509_2);
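Review bot: With the `mbedtls_oid_get_md_alg()` lookup removed, nothing in the `if (do_hash_alg)` branch states which digest the PKCS7 fixture declares, so the new failure case depends on an unstated precondition that the fixture is SHA-256 while the data line passes SHA-512. The SHA-512 digest also differs from the signed one in length, so the case passes whether `mbedtls_pkcs7_signed_hash_verify()` rejects on length or on value; which of the two it exercises cannot be seen from the hunk. A comment above the two hash verifications would record the intent, for example `/* do_hash_alg may deliberately differ from the digest named in the PKCS7; res_expect then carries the expected error */`. The body of `pkcs7_verify_multiple_signers` continues outside the hunk.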