From 34d5e931cf50a0647d13b05ac1577333b2c8a249 Mon Sep 17 00:00:00 2001
From: Nick Child <nick.child@ibm.com>
Date: Wed, 14 Sep 2022 14:44:03 -0500
Subject: [PATCH] pkcs7: Use better return code for unimplemented
 specifications

In response to feedback [1] [2], use MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE
instead of MBEDTLS_ERR_PKCS7_INVALID_FORMAT for errors due to the
pkcs7 implemntation being incomplete.

[1] https://github.com/Mbed-TLS/mbedtls/pull/3431#discussion_r953649079
[2] https://github.com/Mbed-TLS/mbedtls/pull/3431#discussion_r953658276

Signed-off-by: Nick Child <nick.child@ibm.com>
---
 library/pkcs7.c                    | 6 +++---
 tests/suites/test_suite_pkcs7.data | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/library/pkcs7.c b/library/pkcs7.c
index 3178ddcab..9dcbab26c 100644
--- a/library/pkcs7.c
+++ b/library/pkcs7.c
@@ -168,7 +168,6 @@ static int pkcs7_get_digest_algorithm_set( unsigned char **p,
 
     end = *p + len;
 
-    /** For now, it assumes there is only one digest algorithm specified **/
     ret = mbedtls_asn1_get_alg_null( p, end, alg );
     if( ret != 0 )
     {
@@ -176,8 +175,9 @@ static int pkcs7_get_digest_algorithm_set( unsigned char **p,
         goto out;
     }
 
+    /** For now, it assumes there is only one digest algorithm specified **/
     if ( *p != end )
-        ret = MBEDTLS_ERR_PKCS7_INVALID_FORMAT;
+        ret = MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE;
 
 out:
     return( ret );
@@ -231,7 +231,7 @@ static int pkcs7_get_certificates( unsigned char **p, unsigned char *end,
      */
     if (end_cert != end_set)
     {
-        ret = MBEDTLS_ERR_PKCS7_INVALID_CERT;
+        ret = MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE;
         goto out;
     }
 
diff --git a/tests/suites/test_suite_pkcs7.data b/tests/suites/test_suite_pkcs7.data
index b26a16fb9..4f81b6f28 100644
--- a/tests/suites/test_suite_pkcs7.data
+++ b/tests/suites/test_suite_pkcs7.data
@@ -12,7 +12,7 @@ pkcs7_parse:"data_files/pkcs7_data_without_cert_signed.der":MBEDTLS_PKCS7_SIGNED
 
 PKCS7 Signed Data Parse Fail with multiple certs #4
 depends_on:MBEDTLS_SHA256_C:MBEDTLS_RSA_C
-pkcs7_parse:"data_files/pkcs7_data_multiple_certs_signed.der":MBEDTLS_ERR_PKCS7_INVALID_CERT
+pkcs7_parse:"data_files/pkcs7_data_multiple_certs_signed.der":MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE
 
 PKCS7 Signed Data Parse Fail with corrupted cert #5
 depends_on:MBEDTLS_SHA256_C:MBEDTLS_RSA_C