Topic: WOLFSSL API to extract signer certificate from CMS signature

Hello,

Is there any WOLFSSL API present to extract signer Certificate from CMS signature without performing verification?
We checked wolfssl code and found this "wolfSSL_X509_STORE_GetCerts" API but it works on store.

Just want to know is there any API in which we can pass cms signature and extract signer certificate using wolfssl?


Re: WOLFSSL API to extract signer certificate from CMS signature

OPENSSL provides the CMS_get1_certs API to extract the signer certificate from a CMS signature without performing verification.
Is there any API in wolfssl which provides similar functionality?


Re: WOLFSSL API to extract signer certificate from CMS signature

Hi Anika,

Let me look into this and I'll get back to you shortly.

Thanks,
Chris

Re: WOLFSSL API to extract signer certificate from CMS signature

Hi Anika,

wolfCrypt's CMS/PKCS#7 APIs do not currently have the ability to extract signer certificates without calling wc_PKCS7_VerifySignedData() first.  This API parses the CMS/PKCS#7 bundle ASN.1 and extracts details into our own wolfCrypt structure, in addition to then trying to verify the signature.  If you did not care about the verification result, you could call this API, check/ignore the return value of SIG_VERIFY_E, then proceed to get the signer certificates from the pkcs7->certs[] array, using the pkcs7->certSz[] size array for array sizes.

Pseudocode would look something similar to:

ret = wc_PKCS7_VerifySignedData(pkcs7, in, inSz);
if (ret < 0 && ret != SIG_VERIFY_E) {
    /* other error, parsing, etc */
}

/* loop over pkcs7->cert[], where pkcs7->certSz[] holds sizes for each cert */
for (i = 0; i < MAX_PKCS7_CERTS; i++) {
    if (pkcs7->certSz[i] > 0) {
        /* pkcs7->cert[i] holds ith cert from SignedData bundle */
    }
}

Best Regards,
Chris
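
To show where those certificates sit in the encoding, the following added example (not wolfSSL code and not from the posts above) walks a DER-encoded CMS SignedData with bounds checks and returns a pointer and size for each certificate without any signature check. The names der_hdr, cms_list_certs and CMS_SAMPLE are hypothetical, and it assumes definite-length DER (no BER indefinite lengths).

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Parse one definite-length DER header at *p; on success *p is the value start. */
static int der_hdr(const uint8_t **p, const uint8_t *end, uint8_t *tag, size_t *len)
{
    const uint8_t *q = *p;
    size_t n;
    if (end - q < 2 || (q[0] & 0x1f) == 0x1f) return -1;  /* truncated or multi-byte tag */
    *tag = *q++; *len = *q++;
    if (*len & 0x80) {                                    /* long form: n length bytes follow */
        n = *len & 0x7f;
        if (n == 0 || n > 4 || (size_t)(end - q) < n) return -1;  /* n == 0 is BER indefinite */
        for (*len = 0; n > 0; n--) *len = (*len << 8) | *q++;
    }
    if ((size_t)(end - q) < *len) return -1;              /* value must fit inside its parent */
    *p = q;
    return 0;
}

/* Hypothetical helper, not a wolfSSL API. Returns certificates found (0 if absent), -1 if malformed. */
int cms_list_certs(const uint8_t *in, size_t inSz, const uint8_t **cert, size_t *certSz, int max)
{
    static const uint8_t oid[] = {0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x07,0x02}; /* id-signedData */
    /* {tag, descend?}: ContentInfo, contentType, [0], SignedData, version, digestAlgorithms, encapContentInfo */
    static const uint8_t step[7][2] = {{0x30,1},{0x06,0},{0xa0,1},{0x30,1},{0x02,0},{0x31,0},{0x30,0}};
    const uint8_t *p = in, *end = in + inSz, *start;
    uint8_t tag; size_t len; int i, n = 0;
    for (i = 0; i < 7; i++) {
        if (der_hdr(&p, end, &tag, &len) != 0 || tag != step[i][0]) return -1;
        if (i == 1 && (len != sizeof oid || memcmp(p, oid, len) != 0)) return -1;
        if (step[i][1]) end = p + len; else p += len;     /* enter the element or skip over it */
    }
    if (der_hdr(&p, end, &tag, &len) != 0) return -1;
    if (tag != 0xa0) return 0;                            /* optional certificates field absent */
    for (end = p + len; p < end && n < max; p += len) {
        start = p;
        if (der_hdr(&p, end, &tag, &len) != 0) return -1;
        if (tag == 0x30) { cert[n] = start; certSz[n++] = (size_t)(p + len - start); }
    }
    return n;
}

/* Constructed sample, not a real bundle: two placeholder SEQUENCEs as certificates plus one 0xa2 choice. */
const uint8_t CMS_SAMPLE[53] = {
    0x30,0x33, 0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x07,0x02, 0xa0,0x26, 0x30,0x24,
    0x02,0x01,0x01, 0x31,0x00, 0x30,0x0b,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x07,0x01,
    0xa0,0x0e, 0x30,0x03,0x02,0x01,0x01, 0xa2,0x02,0x05,0x00, 0x30,0x03,0x02,0x01,0x02, 0x31,0x00 };
```

The returned certificates are unauthenticated input: identifying the actual signer means matching a SignerInfo's sid against them, and trusting that certificate still requires verification.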

Re: WOLFSSL API to extract signer certificate from CMS signature

Thank you for your response.
It really helps.
