Resolve failure caused by empty digest algorithm

[bjwtaylor]

Description

Resolve failure caused by empty digest algorithm depends #10480

This PR is part of a two part set which must be merged in the following order:

1. Test data for failure caused by empty digest algorithm mbedtls-framework#302
2. Resolve failure caused by empty digest algorithm #10746

Parameterised build https://ci.trustedfirmware.org/view/Mbed-TLS/job/mbed-tls-restricted-pr-test-parametrized/145/pipeline-graph/

PR checklist

• changelog provided | not required because: TBC
• framework PR provided Mbed-TLS/mbedtls-framework# Test data for failure caused by empty digest algorithm mbedtls-framework#302
• TF-PSA-Crypto development PR not required because: No changes
• TF-PSA-Crypto 1.1 PR not required because: No changes
• mbedtls development PR provided #HERE
• mbedtls 4.1 PR provided # | not required because: TBC
• mbedtls 3.6 PR provided # | not required because: TBC
• tests provided

[valeriosetti]

Based on the testing requirements in the associated issue I think that:

• [done] pkcs7_get_digest_algorithm_set accepts an empty set.
• [done] In pkcs7_get_signed_data, if the set is empty, don't try to call mbedtls_x509_oid_get_md_alg. In fact, this call is only done to check whether the digest algorithm is supported: it retrieves the internal designation for the digest algorithm, but doesn't store or use that value. So maybe the call should be skipped altogether? If you're only parsing, the use of an unsupported hash doesn't seem problematic to me.
• [done] Have at least one test case for mbedtls_pkcs7_parse_der() where the DigestAlgorithmSet is empty, check that parsing succeeds.
• [partially done - see point (1) below] Have at least one test case for mbedtls_pkcs7_parse_der() where the DigestAlgorithmSet holds an unsupported algorithm, check that parsing succeeds. (This can probably be an existing test case, just removing the depends_on: element for the hash algorithm.)
• [missing] Add tests of mbedtls_pkcs7_signed_data_verify() and mbedtls_pkcs7_signed_hash_verify() where the DigestAlgorithmSet is empty or where the digest algorithm is not supported. We want to make sure that they return a sensible error value.

(1) as far as I understand the idea is to check that parsing is OK even thought the digest algorithm is not supported. So the guard on that test should be !PSA_WANT_ALG_SHA_256, isn't it?

---

Apart from this I see that in the framework PR you created 2 files, but you're only using one here. I suspect something is missing.

[valeriosetti]

Suggested change

	* Fix PKCS7 parsing so that it is able to deal with and empty
	* Fix PKCS7 parsing so that it is able to deal with an empty