Skip to content

PKCS#7: add support for authenticated attributes and multiple certificates #10232

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 7 commits into
base: development
Choose a base branch
from
Open

PKCS#7: add support for authenticated attributes and multiple certificates #10232

wants to merge 7 commits into from
+223 −34

Conversation

@jean-baptisteboric-eaton
Copy link

@jean-baptisteboric-eaton jean-baptisteboric-eaton commented Jun 18, 2025
edited
Loading

Description

This PR adds support for parsing and verifying PKCS#7 files with the following characteristics:

  • Authenticated attributes (specifically content type and message digest, other attributes are ignored)
  • Multiple embedded certificates

Note: the use-case spurring this development was verifying PKCS#7 signatures provided by an existing code signing server. This is the minimum set of modifications needed to handle the certificates produced by that server as-is.

PR checklist

@jean-baptisteboric-eaton
framework: update reference
7420386 
Signed-off-by: Jean-Baptiste Boric <[email protected]>
This was referenced Jun 18, 2025
Open
Open
@jean-baptisteboric-eaton jean-baptisteboric-eaton force-pushed the pkcs7-authenticated-attributes branch from aebb433 to ce8a052 Compare June 18, 2025 14:51
@ronald-cron-arm
Copy link
Contributor

ronald-cron-arm commented Jun 19, 2025

Thank you very much for this contribution. The last commit is missing the "Signed-off-by:..." line. Otherwise, why did you mark it as a draft?

@jean-baptisteboric-eaton jean-baptisteboric-eaton force-pushed the pkcs7-authenticated-attributes branch from ce8a052 to 307b02c Compare June 19, 2025 07:43
@jean-baptisteboric-eaton
Copy link
Author

jean-baptisteboric-eaton commented Jun 19, 2025

Otherwise, why did you mark it as a draft?

This is my first time contributing to this project, so I've erred on the side of caution while following the guidelines for contributions. Aside from that, the code should be in good enough shape for a review.

I've amended the last commit with the sign-off.

@jean-baptisteboric-eaton jean-baptisteboric-eaton marked this pull request as ready for review June 19, 2025 07:54
@beni-sandu
Copy link
Contributor

beni-sandu commented Jun 23, 2025

Thanks for the contribution, I have attempted to add this functionality a while ago (https://github.com/Mbed-TLS/mbedtls/pulls/beni-sandu), but it didn't make it in, so maybe your version will (since I haven't rebased since then).

I am interested in this, so will have a closer look at the code when I get the chance.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

component-tls enhancement needs-ci Needs to pass CI tests

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@jean-baptisteboric-eaton @ronald-cron-arm @beni-sandu