cms.c 49 KB

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186118711881189119011911192119311941195119611971198119912001201120212031204120512061207120812091210121112121213121412151216121712181219122012211222122312241225122612271228122912301231123212331234123512361237123812391240124112421243124412451246124712481249125012511252125312541255125612571258125912601261126212631264126512661267126812691270127112721273127412751276127712781279128012811282128312841285128612871288128912901291129212931294129512961297129812991300130113021303130413051306130713081309131013111312131313141315131613171318131913201321132213231324132513261327132813291330133113321333133413351336133713381339134013411342134313441345134613471348134913501351135213531354135513561357135813591360136113621363136413651366136713681369137013711372137313741375137613771378137913801381138213831384138513861387138813891390139113921393139413951396139713981399140014011402140314041405140614071408140914101411141214131414141514161417141814191420142114221423142414251426142714281429143014311432
  1. /*
  2. * Copyright 2008-2020 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the Apache License 2.0 (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. /* CMS utility function */
  10. #include <stdio.h>
  11. #include <string.h>
  12. #include "apps.h"
  13. #include "progs.h"
  14. #ifndef OPENSSL_NO_CMS
  15. # include <openssl/crypto.h>
  16. # include <openssl/pem.h>
  17. # include <openssl/err.h>
  18. # include <openssl/x509_vfy.h>
  19. # include <openssl/x509v3.h>
  20. # include <openssl/cms.h>
  21. static int save_certs(char *signerfile, STACK_OF(X509) *signers);
  22. static int cms_cb(int ok, X509_STORE_CTX *ctx);
  23. static void receipt_request_print(CMS_ContentInfo *cms);
  24. static CMS_ReceiptRequest *make_receipt_request(
  25. STACK_OF(OPENSSL_STRING) *rr_to, int rr_allorfirst,
  26. STACK_OF(OPENSSL_STRING) *rr_from, OSSL_LIB_CTX *libctx, const char *propq);
  27. static int cms_set_pkey_param(EVP_PKEY_CTX *pctx,
  28. STACK_OF(OPENSSL_STRING) *param);
  29. # define SMIME_OP 0x10
  30. # define SMIME_IP 0x20
  31. # define SMIME_SIGNERS 0x40
  32. # define SMIME_ENCRYPT (1 | SMIME_OP)
  33. # define SMIME_DECRYPT (2 | SMIME_IP)
  34. # define SMIME_SIGN (3 | SMIME_OP | SMIME_SIGNERS)
  35. # define SMIME_VERIFY (4 | SMIME_IP)
  36. # define SMIME_CMSOUT (5 | SMIME_IP | SMIME_OP)
  37. # define SMIME_RESIGN (6 | SMIME_IP | SMIME_OP | SMIME_SIGNERS)
  38. # define SMIME_DATAOUT (7 | SMIME_IP)
  39. # define SMIME_DATA_CREATE (8 | SMIME_OP)
  40. # define SMIME_DIGEST_VERIFY (9 | SMIME_IP)
  41. # define SMIME_DIGEST_CREATE (10 | SMIME_OP)
  42. # define SMIME_UNCOMPRESS (11 | SMIME_IP)
  43. # define SMIME_COMPRESS (12 | SMIME_OP)
  44. # define SMIME_ENCRYPTED_DECRYPT (13 | SMIME_IP)
  45. # define SMIME_ENCRYPTED_ENCRYPT (14 | SMIME_OP)
  46. # define SMIME_SIGN_RECEIPT (15 | SMIME_IP | SMIME_OP)
  47. # define SMIME_VERIFY_RECEIPT (16 | SMIME_IP)
  48. static int verify_err = 0;
  49. typedef struct cms_key_param_st cms_key_param;
  50. struct cms_key_param_st {
  51. int idx;
  52. STACK_OF(OPENSSL_STRING) *param;
  53. cms_key_param *next;
  54. };
  55. typedef enum OPTION_choice {
  56. OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
  57. OPT_INFORM, OPT_OUTFORM, OPT_IN, OPT_OUT, OPT_ENCRYPT,
  58. OPT_DECRYPT, OPT_SIGN, OPT_CADES, OPT_SIGN_RECEIPT, OPT_RESIGN,
  59. OPT_VERIFY, OPT_VERIFY_RETCODE, OPT_VERIFY_RECEIPT,
  60. OPT_CMSOUT, OPT_DATA_OUT, OPT_DATA_CREATE, OPT_DIGEST_VERIFY,
  61. OPT_DIGEST_CREATE, OPT_COMPRESS, OPT_UNCOMPRESS,
  62. OPT_ED_DECRYPT, OPT_ED_ENCRYPT, OPT_DEBUG_DECRYPT, OPT_TEXT,
  63. OPT_ASCIICRLF, OPT_NOINTERN, OPT_NOVERIFY, OPT_NOCERTS,
  64. OPT_NOATTR, OPT_NODETACH, OPT_NOSMIMECAP, OPT_BINARY, OPT_KEYID,
  65. OPT_NOSIGS, OPT_NO_CONTENT_VERIFY, OPT_NO_ATTR_VERIFY, OPT_INDEF,
  66. OPT_NOINDEF, OPT_CRLFEOL, OPT_NOOUT, OPT_RR_PRINT,
  67. OPT_RR_ALL, OPT_RR_FIRST, OPT_RCTFORM, OPT_CERTFILE, OPT_CAFILE,
  68. OPT_CAPATH, OPT_CASTORE, OPT_NOCAPATH, OPT_NOCAFILE, OPT_NOCASTORE,
  69. OPT_CONTENT, OPT_PRINT, OPT_NAMEOPT,
  70. OPT_SECRETKEY, OPT_SECRETKEYID, OPT_PWRI_PASSWORD, OPT_ECONTENT_TYPE,
  71. OPT_PASSIN, OPT_TO, OPT_FROM, OPT_SUBJECT, OPT_SIGNER, OPT_RECIP,
  72. OPT_CERTSOUT, OPT_MD, OPT_INKEY, OPT_KEYFORM, OPT_KEYOPT, OPT_RR_FROM,
  73. OPT_RR_TO, OPT_AES128_WRAP, OPT_AES192_WRAP, OPT_AES256_WRAP,
  74. OPT_3DES_WRAP, OPT_WRAP, OPT_ENGINE,
  75. OPT_R_ENUM,
  76. OPT_PROV_ENUM, OPT_CONFIG,
  77. OPT_V_ENUM,
  78. OPT_CIPHER,
  79. OPT_ORIGINATOR
  80. } OPTION_CHOICE;
  81. const OPTIONS cms_options[] = {
  82. {OPT_HELP_STR, 1, '-', "Usage: %s [options] [cert...]\n"},
  83. OPT_SECTION("General"),
  84. {"help", OPT_HELP, '-', "Display this summary"},
  85. {"inform", OPT_INFORM, 'c', "Input format SMIME (default), PEM or DER"},
  86. {"outform", OPT_OUTFORM, 'c',
  87. "Output format SMIME (default), PEM or DER"},
  88. {"in", OPT_IN, '<', "Input file"},
  89. {"out", OPT_OUT, '>', "Output file"},
  90. {"debug_decrypt", OPT_DEBUG_DECRYPT, '-',
  91. "Disable MMA protection and return an error if no recipient found"
  92. " (see documentation)"},
  93. {"stream", OPT_INDEF, '-', "Enable CMS streaming"},
  94. {"indef", OPT_INDEF, '-', "Same as -stream"},
  95. {"noindef", OPT_NOINDEF, '-', "Disable CMS streaming"},
  96. {"crlfeol", OPT_CRLFEOL, '-', "Use CRLF as EOL termination instead of CR only" },
  97. {"CAfile", OPT_CAFILE, '<', "Trusted certificates file"},
  98. {"CApath", OPT_CAPATH, '/', "trusted certificates directory"},
  99. {"CAstore", OPT_CASTORE, ':', "trusted certificates store URI"},
  100. {"no-CAfile", OPT_NOCAFILE, '-',
  101. "Do not load the default certificates file"},
  102. {"no-CApath", OPT_NOCAPATH, '-',
  103. "Do not load certificates from the default certificates directory"},
  104. {"no-CAstore", OPT_NOCASTORE, '-',
  105. "Do not load certificates from the default certificates store"},
  106. # ifndef OPENSSL_NO_ENGINE
  107. {"engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device"},
  108. # endif
  109. OPT_CONFIG_OPTION,
  110. OPT_SECTION("Action"),
  111. {"encrypt", OPT_ENCRYPT, '-', "Encrypt message"},
  112. {"decrypt", OPT_DECRYPT, '-', "Decrypt encrypted message"},
  113. {"sign", OPT_SIGN, '-', "Sign message"},
  114. {"sign_receipt", OPT_SIGN_RECEIPT, '-', "Generate a signed receipt for the message"},
  115. {"resign", OPT_RESIGN, '-', "Resign a signed message"},
  116. {"cades", OPT_CADES, '-', "Include signer certificate digest"},
  117. {"verify", OPT_VERIFY, '-', "Verify signed message"},
  118. {"verify_retcode", OPT_VERIFY_RETCODE, '-',
  119. "Exit non-zero on verification failure"},
  120. {"verify_receipt", OPT_VERIFY_RECEIPT, '<',
  121. "Verify receipts; exit if receipt signatures do not verify"},
  122. {"digest_verify", OPT_DIGEST_VERIFY, '-',
  123. "Verify a CMS \"DigestedData\" object and output it"},
  124. {"digest_create", OPT_DIGEST_CREATE, '-',
  125. "Create a CMS \"DigestedData\" object"},
  126. {"compress", OPT_COMPRESS, '-', "Create a CMS \"CompressedData\" object"},
  127. {"uncompress", OPT_UNCOMPRESS, '-',
  128. "Uncompress a CMS \"CompressedData\" object"},
  129. {"EncryptedData_decrypt", OPT_ED_DECRYPT, '-',
  130. "Decrypt CMS \"EncryptedData\" object using symmetric key"},
  131. {"EncryptedData_encrypt", OPT_ED_ENCRYPT, '-',
  132. "Create CMS \"EncryptedData\" object using symmetric key"},
  133. {"data_out", OPT_DATA_OUT, '-', "Copy CMS \"Data\" object to output"},
  134. {"data_create", OPT_DATA_CREATE, '-', "Create a CMS \"Data\" object"},
  135. {"cmsout", OPT_CMSOUT, '-', "Output CMS structure"},
  136. {"no_content_verify", OPT_NO_CONTENT_VERIFY, '-',
  137. "Do not verify signed content signatures"},
  138. {"no_attr_verify", OPT_NO_ATTR_VERIFY, '-',
  139. "Do not verify signed attribute signatures"},
  140. {"nointern", OPT_NOINTERN, '-',
  141. "Don't search certificates in message for signer"},
  142. {"noverify", OPT_NOVERIFY, '-', "Don't verify signers certificate"},
  143. OPT_SECTION("Formatting"),
  144. {"text", OPT_TEXT, '-', "Include or delete text MIME headers"},
  145. {"asciicrlf", OPT_ASCIICRLF, '-',
  146. "Perform CRLF canonicalisation when signing"},
  147. {"nodetach", OPT_NODETACH, '-', "Use opaque signing"},
  148. {"nosmimecap", OPT_NOSMIMECAP, '-', "Omit the SMIMECapabilities attribute"},
  149. {"noattr", OPT_NOATTR, '-', "Don't include any signed attributes"},
  150. {"binary", OPT_BINARY, '-', "Don't translate message to text"},
  151. {"keyid", OPT_KEYID, '-', "Use subject key identifier"},
  152. {"nosigs", OPT_NOSIGS, '-', "Don't verify message signature"},
  153. {"nocerts", OPT_NOCERTS, '-',
  154. "Don't include signers certificate when signing"},
  155. {"noout", OPT_NOOUT, '-',
  156. "For the -cmsout operation do not output the parsed CMS structure"},
  157. {"receipt_request_print", OPT_RR_PRINT, '-', "Print CMS Receipt Request" },
  158. {"receipt_request_all", OPT_RR_ALL, '-',
  159. "When signing, create a receipt request for all recipients"},
  160. {"receipt_request_first", OPT_RR_FIRST, '-',
  161. "When signing, create a receipt request for first recipient"},
  162. {"rctform", OPT_RCTFORM, 'F', "Receipt file format"},
  163. {"certfile", OPT_CERTFILE, '<', "Other certificates file"},
  164. {"content", OPT_CONTENT, '<',
  165. "Supply or override content for detached signature"},
  166. {"print", OPT_PRINT, '-',
  167. "For the -cmsout operation print out all fields of the CMS structure"},
  168. {"nameopt", OPT_NAMEOPT, 's',
  169. "For the -print option specifies various strings printing options"},
  170. {"certsout", OPT_CERTSOUT, '>', "Certificate output file"},
  171. OPT_SECTION("Keying"),
  172. {"secretkey", OPT_SECRETKEY, 's',
  173. "Use specified hex-encoded key to decrypt/encrypt recipients or content"},
  174. {"secretkeyid", OPT_SECRETKEYID, 's',
  175. "Identity of the -secretkey for CMS \"KEKRecipientInfo\" object"},
  176. {"pwri_password", OPT_PWRI_PASSWORD, 's',
  177. "Specific password for recipient"},
  178. {"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
  179. {"inkey", OPT_INKEY, 's',
  180. "Input private key (if not signer or recipient)"},
  181. {"keyform", OPT_KEYFORM, 'f', "Input private key format (ENGINE, other values ignored)"},
  182. {"keyopt", OPT_KEYOPT, 's', "Set public key parameters as n:v pairs"},
  183. OPT_SECTION("Mail header"),
  184. {"econtent_type", OPT_ECONTENT_TYPE, 's', "OID for external content"},
  185. {"to", OPT_TO, 's', "To address"},
  186. {"from", OPT_FROM, 's', "From address"},
  187. {"subject", OPT_SUBJECT, 's', "Subject"},
  188. {"signer", OPT_SIGNER, 's', "Signer certificate file"},
  189. {"originator", OPT_ORIGINATOR, 's', "Originator certificate file"},
  190. {"recip", OPT_RECIP, '<', "Recipient cert file for decryption"},
  191. {"receipt_request_from", OPT_RR_FROM, 's',
  192. "Create signed receipt request with specified email address"},
  193. {"receipt_request_to", OPT_RR_TO, 's',
  194. "Create signed receipt targeted to specified address"},
  195. OPT_SECTION("Encryption"),
  196. {"md", OPT_MD, 's', "Digest algorithm to use when signing or resigning"},
  197. {"", OPT_CIPHER, '-', "Any supported cipher"},
  198. OPT_SECTION("Key-wrapping"),
  199. {"aes128-wrap", OPT_AES128_WRAP, '-', "Use AES128 to wrap key"},
  200. {"aes192-wrap", OPT_AES192_WRAP, '-', "Use AES192 to wrap key"},
  201. {"aes256-wrap", OPT_AES256_WRAP, '-', "Use AES256 to wrap key"},
  202. # ifndef OPENSSL_NO_DES
  203. {"des3-wrap", OPT_3DES_WRAP, '-', "Use 3DES-EDE to wrap key"},
  204. # endif
  205. {"wrap", OPT_WRAP, 's', "Any wrap cipher to wrap key"},
  206. OPT_R_OPTIONS,
  207. OPT_V_OPTIONS,
  208. OPT_PROV_OPTIONS,
  209. OPT_PARAMETERS(),
  210. {"cert", 0, 0, "Recipient certs (optional; used only when encrypting)"},
  211. {NULL}
  212. };
  213. static CMS_ContentInfo *load_content_info(int informat, BIO *in, BIO **indata,
  214. const char *name,
  215. OSSL_LIB_CTX *libctx,
  216. const char *propq)
  217. {
  218. CMS_ContentInfo *ret, *ci;
  219. ret = CMS_ContentInfo_new_ex(libctx, propq);
  220. if (ret == NULL) {
  221. BIO_printf(bio_err, "Error allocating CMS_contentinfo\n");
  222. return NULL;
  223. }
  224. switch (informat) {
  225. case FORMAT_SMIME:
  226. ci = SMIME_read_CMS_ex(in, indata, &ret);
  227. break;
  228. case FORMAT_PEM:
  229. ci = PEM_read_bio_CMS(in, &ret, NULL, NULL);
  230. break;
  231. case FORMAT_ASN1:
  232. ci = d2i_CMS_bio(in, &ret);
  233. break;
  234. default:
  235. BIO_printf(bio_err, "Bad input format for %s\n", name);
  236. goto err;
  237. }
  238. if (ci == NULL) {
  239. BIO_printf(bio_err, "Error reading %s Content Info\n", name);
  240. goto err;
  241. }
  242. return ret;
  243. err:
  244. CMS_ContentInfo_free(ret);
  245. return NULL;
  246. }
  247. int cms_main(int argc, char **argv)
  248. {
  249. CONF *conf = NULL;
  250. ASN1_OBJECT *econtent_type = NULL;
  251. BIO *in = NULL, *out = NULL, *indata = NULL, *rctin = NULL;
  252. CMS_ContentInfo *cms = NULL, *rcms = NULL;
  253. CMS_ReceiptRequest *rr = NULL;
  254. ENGINE *e = NULL;
  255. EVP_PKEY *key = NULL;
  256. const EVP_CIPHER *cipher = NULL, *wrap_cipher = NULL;
  257. const EVP_MD *sign_md = NULL;
  258. STACK_OF(OPENSSL_STRING) *rr_to = NULL, *rr_from = NULL;
  259. STACK_OF(OPENSSL_STRING) *sksigners = NULL, *skkeys = NULL;
  260. STACK_OF(X509) *encerts = NULL, *other = NULL;
  261. X509 *cert = NULL, *recip = NULL, *signer = NULL, *originator = NULL;
  262. X509_STORE *store = NULL;
  263. X509_VERIFY_PARAM *vpm = NULL;
  264. char *certfile = NULL, *keyfile = NULL, *contfile = NULL;
  265. const char *CAfile = NULL, *CApath = NULL, *CAstore = NULL;
  266. char *certsoutfile = NULL;
  267. int noCAfile = 0, noCApath = 0, noCAstore = 0;
  268. char *infile = NULL, *outfile = NULL, *rctfile = NULL;
  269. char *passinarg = NULL, *passin = NULL, *signerfile = NULL, *originatorfile = NULL, *recipfile = NULL;
  270. char *to = NULL, *from = NULL, *subject = NULL, *prog;
  271. cms_key_param *key_first = NULL, *key_param = NULL;
  272. int flags = CMS_DETACHED, noout = 0, print = 0, keyidx = -1, vpmtouched = 0;
  273. int informat = FORMAT_SMIME, outformat = FORMAT_SMIME;
  274. int operation = 0, ret = 1, rr_print = 0, rr_allorfirst = -1;
  275. int verify_retcode = 0, rctformat = FORMAT_SMIME, keyform = FORMAT_PEM;
  276. size_t secret_keylen = 0, secret_keyidlen = 0;
  277. unsigned char *pwri_pass = NULL, *pwri_tmp = NULL;
  278. unsigned char *secret_key = NULL, *secret_keyid = NULL;
  279. long ltmp;
  280. const char *mime_eol = "\n";
  281. OPTION_CHOICE o;
  282. OSSL_LIB_CTX *libctx = app_get0_libctx();
  283. const char *propq = app_get0_propq();
  284. if ((vpm = X509_VERIFY_PARAM_new()) == NULL)
  285. return 1;
  286. prog = opt_init(argc, argv, cms_options);
  287. while ((o = opt_next()) != OPT_EOF) {
  288. switch (o) {
  289. case OPT_EOF:
  290. case OPT_ERR:
  291. opthelp:
  292. BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
  293. goto end;
  294. case OPT_HELP:
  295. opt_help(cms_options);
  296. ret = 0;
  297. goto end;
  298. case OPT_INFORM:
  299. if (!opt_format(opt_arg(), OPT_FMT_PDS, &informat))
  300. goto opthelp;
  301. break;
  302. case OPT_OUTFORM:
  303. if (!opt_format(opt_arg(), OPT_FMT_PDS, &outformat))
  304. goto opthelp;
  305. break;
  306. case OPT_OUT:
  307. outfile = opt_arg();
  308. break;
  309. case OPT_ENCRYPT:
  310. operation = SMIME_ENCRYPT;
  311. break;
  312. case OPT_DECRYPT:
  313. operation = SMIME_DECRYPT;
  314. break;
  315. case OPT_SIGN:
  316. operation = SMIME_SIGN;
  317. break;
  318. case OPT_SIGN_RECEIPT:
  319. operation = SMIME_SIGN_RECEIPT;
  320. break;
  321. case OPT_RESIGN:
  322. operation = SMIME_RESIGN;
  323. break;
  324. case OPT_VERIFY:
  325. operation = SMIME_VERIFY;
  326. break;
  327. case OPT_VERIFY_RETCODE:
  328. verify_retcode = 1;
  329. break;
  330. case OPT_VERIFY_RECEIPT:
  331. operation = SMIME_VERIFY_RECEIPT;
  332. rctfile = opt_arg();
  333. break;
  334. case OPT_CMSOUT:
  335. operation = SMIME_CMSOUT;
  336. break;
  337. case OPT_DATA_OUT:
  338. operation = SMIME_DATAOUT;
  339. break;
  340. case OPT_DATA_CREATE:
  341. operation = SMIME_DATA_CREATE;
  342. break;
  343. case OPT_DIGEST_VERIFY:
  344. operation = SMIME_DIGEST_VERIFY;
  345. break;
  346. case OPT_DIGEST_CREATE:
  347. operation = SMIME_DIGEST_CREATE;
  348. break;
  349. case OPT_COMPRESS:
  350. operation = SMIME_COMPRESS;
  351. break;
  352. case OPT_UNCOMPRESS:
  353. operation = SMIME_UNCOMPRESS;
  354. break;
  355. case OPT_ED_DECRYPT:
  356. operation = SMIME_ENCRYPTED_DECRYPT;
  357. break;
  358. case OPT_ED_ENCRYPT:
  359. operation = SMIME_ENCRYPTED_ENCRYPT;
  360. break;
  361. case OPT_DEBUG_DECRYPT:
  362. flags |= CMS_DEBUG_DECRYPT;
  363. break;
  364. case OPT_TEXT:
  365. flags |= CMS_TEXT;
  366. break;
  367. case OPT_ASCIICRLF:
  368. flags |= CMS_ASCIICRLF;
  369. break;
  370. case OPT_NOINTERN:
  371. flags |= CMS_NOINTERN;
  372. break;
  373. case OPT_NOVERIFY:
  374. flags |= CMS_NO_SIGNER_CERT_VERIFY;
  375. break;
  376. case OPT_NOCERTS:
  377. flags |= CMS_NOCERTS;
  378. break;
  379. case OPT_NOATTR:
  380. flags |= CMS_NOATTR;
  381. break;
  382. case OPT_NODETACH:
  383. flags &= ~CMS_DETACHED;
  384. break;
  385. case OPT_NOSMIMECAP:
  386. flags |= CMS_NOSMIMECAP;
  387. break;
  388. case OPT_BINARY:
  389. flags |= CMS_BINARY;
  390. break;
  391. case OPT_CADES:
  392. flags |= CMS_CADES;
  393. break;
  394. case OPT_KEYID:
  395. flags |= CMS_USE_KEYID;
  396. break;
  397. case OPT_NOSIGS:
  398. flags |= CMS_NOSIGS;
  399. break;
  400. case OPT_NO_CONTENT_VERIFY:
  401. flags |= CMS_NO_CONTENT_VERIFY;
  402. break;
  403. case OPT_NO_ATTR_VERIFY:
  404. flags |= CMS_NO_ATTR_VERIFY;
  405. break;
  406. case OPT_INDEF:
  407. flags |= CMS_STREAM;
  408. break;
  409. case OPT_NOINDEF:
  410. flags &= ~CMS_STREAM;
  411. break;
  412. case OPT_CRLFEOL:
  413. mime_eol = "\r\n";
  414. flags |= CMS_CRLFEOL;
  415. break;
  416. case OPT_NOOUT:
  417. noout = 1;
  418. break;
  419. case OPT_RR_PRINT:
  420. rr_print = 1;
  421. break;
  422. case OPT_RR_ALL:
  423. rr_allorfirst = 0;
  424. break;
  425. case OPT_RR_FIRST:
  426. rr_allorfirst = 1;
  427. break;
  428. case OPT_RCTFORM:
  429. if (rctformat == FORMAT_ASN1) {
  430. if (!opt_format(opt_arg(),
  431. OPT_FMT_PEMDER | OPT_FMT_SMIME, &rctformat))
  432. goto opthelp;
  433. } else {
  434. rcms = load_content_info(rctformat, rctin, NULL, "recipient",
  435. libctx, propq);
  436. }
  437. break;
  438. case OPT_CERTFILE:
  439. certfile = opt_arg();
  440. break;
  441. case OPT_CAFILE:
  442. CAfile = opt_arg();
  443. break;
  444. case OPT_CAPATH:
  445. CApath = opt_arg();
  446. break;
  447. case OPT_CASTORE:
  448. CAstore = opt_arg();
  449. break;
  450. case OPT_NOCAFILE:
  451. noCAfile = 1;
  452. break;
  453. case OPT_NOCAPATH:
  454. noCApath = 1;
  455. break;
  456. case OPT_NOCASTORE:
  457. noCAstore = 1;
  458. break;
  459. case OPT_IN:
  460. infile = opt_arg();
  461. break;
  462. case OPT_CONTENT:
  463. contfile = opt_arg();
  464. break;
  465. case OPT_RR_FROM:
  466. if (rr_from == NULL
  467. && (rr_from = sk_OPENSSL_STRING_new_null()) == NULL)
  468. goto end;
  469. sk_OPENSSL_STRING_push(rr_from, opt_arg());
  470. break;
  471. case OPT_RR_TO:
  472. if (rr_to == NULL
  473. && (rr_to = sk_OPENSSL_STRING_new_null()) == NULL)
  474. goto end;
  475. sk_OPENSSL_STRING_push(rr_to, opt_arg());
  476. break;
  477. case OPT_PRINT:
  478. noout = print = 1;
  479. break;
  480. case OPT_NAMEOPT:
  481. if (!set_nameopt(opt_arg()))
  482. goto opthelp;
  483. break;
  484. case OPT_SECRETKEY:
  485. if (secret_key != NULL) {
  486. BIO_printf(bio_err, "Invalid key (supplied twice) %s\n",
  487. opt_arg());
  488. goto opthelp;
  489. }
  490. secret_key = OPENSSL_hexstr2buf(opt_arg(), &ltmp);
  491. if (secret_key == NULL) {
  492. BIO_printf(bio_err, "Invalid key %s\n", opt_arg());
  493. goto end;
  494. }
  495. secret_keylen = (size_t)ltmp;
  496. break;
  497. case OPT_SECRETKEYID:
  498. if (secret_keyid != NULL) {
  499. BIO_printf(bio_err, "Invalid id (supplied twice) %s\n",
  500. opt_arg());
  501. goto opthelp;
  502. }
  503. secret_keyid = OPENSSL_hexstr2buf(opt_arg(), &ltmp);
  504. if (secret_keyid == NULL) {
  505. BIO_printf(bio_err, "Invalid id %s\n", opt_arg());
  506. goto opthelp;
  507. }
  508. secret_keyidlen = (size_t)ltmp;
  509. break;
  510. case OPT_PWRI_PASSWORD:
  511. pwri_pass = (unsigned char *)opt_arg();
  512. break;
  513. case OPT_ECONTENT_TYPE:
  514. if (econtent_type != NULL) {
  515. BIO_printf(bio_err, "Invalid OID (supplied twice) %s\n",
  516. opt_arg());
  517. goto opthelp;
  518. }
  519. econtent_type = OBJ_txt2obj(opt_arg(), 0);
  520. if (econtent_type == NULL) {
  521. BIO_printf(bio_err, "Invalid OID %s\n", opt_arg());
  522. goto opthelp;
  523. }
  524. break;
  525. case OPT_ENGINE:
  526. e = setup_engine(opt_arg(), 0);
  527. break;
  528. case OPT_PASSIN:
  529. passinarg = opt_arg();
  530. break;
  531. case OPT_TO:
  532. to = opt_arg();
  533. break;
  534. case OPT_FROM:
  535. from = opt_arg();
  536. break;
  537. case OPT_SUBJECT:
  538. subject = opt_arg();
  539. break;
  540. case OPT_CERTSOUT:
  541. certsoutfile = opt_arg();
  542. break;
  543. case OPT_MD:
  544. if (!opt_md(opt_arg(), &sign_md))
  545. goto end;
  546. break;
  547. case OPT_SIGNER:
  548. /* If previous -signer argument add signer to list */
  549. if (signerfile != NULL) {
  550. if (sksigners == NULL
  551. && (sksigners = sk_OPENSSL_STRING_new_null()) == NULL)
  552. goto end;
  553. sk_OPENSSL_STRING_push(sksigners, signerfile);
  554. if (keyfile == NULL)
  555. keyfile = signerfile;
  556. if (skkeys == NULL
  557. && (skkeys = sk_OPENSSL_STRING_new_null()) == NULL)
  558. goto end;
  559. sk_OPENSSL_STRING_push(skkeys, keyfile);
  560. keyfile = NULL;
  561. }
  562. signerfile = opt_arg();
  563. break;
  564. case OPT_ORIGINATOR:
  565. originatorfile = opt_arg();
  566. break;
  567. case OPT_INKEY:
  568. /* If previous -inkey argument add signer to list */
  569. if (keyfile != NULL) {
  570. if (signerfile == NULL) {
  571. BIO_puts(bio_err, "Illegal -inkey without -signer\n");
  572. goto end;
  573. }
  574. if (sksigners == NULL
  575. && (sksigners = sk_OPENSSL_STRING_new_null()) == NULL)
  576. goto end;
  577. sk_OPENSSL_STRING_push(sksigners, signerfile);
  578. signerfile = NULL;
  579. if (skkeys == NULL
  580. && (skkeys = sk_OPENSSL_STRING_new_null()) == NULL)
  581. goto end;
  582. sk_OPENSSL_STRING_push(skkeys, keyfile);
  583. }
  584. keyfile = opt_arg();
  585. break;
  586. case OPT_KEYFORM:
  587. if (!opt_format(opt_arg(), OPT_FMT_ANY, &keyform))
  588. goto opthelp;
  589. break;
  590. case OPT_RECIP:
  591. if (operation == SMIME_ENCRYPT) {
  592. if (encerts == NULL && (encerts = sk_X509_new_null()) == NULL)
  593. goto end;
  594. cert = load_cert(opt_arg(), "recipient certificate file");
  595. if (cert == NULL)
  596. goto end;
  597. sk_X509_push(encerts, cert);
  598. cert = NULL;
  599. } else {
  600. recipfile = opt_arg();
  601. }
  602. break;
  603. case OPT_CIPHER:
  604. if (!opt_cipher(opt_unknown(), &cipher))
  605. goto end;
  606. break;
  607. case OPT_KEYOPT:
  608. keyidx = -1;
  609. if (operation == SMIME_ENCRYPT) {
  610. if (encerts != NULL)
  611. keyidx += sk_X509_num(encerts);
  612. } else {
  613. if (keyfile != NULL || signerfile != NULL)
  614. keyidx++;
  615. if (skkeys != NULL)
  616. keyidx += sk_OPENSSL_STRING_num(skkeys);
  617. }
  618. if (keyidx < 0) {
  619. BIO_printf(bio_err, "No key specified\n");
  620. goto opthelp;
  621. }
  622. if (key_param == NULL || key_param->idx != keyidx) {
  623. cms_key_param *nparam;
  624. nparam = app_malloc(sizeof(*nparam), "key param buffer");
  625. if ((nparam->param = sk_OPENSSL_STRING_new_null()) == NULL) {
  626. OPENSSL_free(nparam);
  627. goto end;
  628. }
  629. nparam->idx = keyidx;
  630. nparam->next = NULL;
  631. if (key_first == NULL)
  632. key_first = nparam;
  633. else
  634. key_param->next = nparam;
  635. key_param = nparam;
  636. }
  637. sk_OPENSSL_STRING_push(key_param->param, opt_arg());
  638. break;
  639. case OPT_V_CASES:
  640. if (!opt_verify(o, vpm))
  641. goto end;
  642. vpmtouched++;
  643. break;
  644. case OPT_R_CASES:
  645. if (!opt_rand(o))
  646. goto end;
  647. break;
  648. case OPT_PROV_CASES:
  649. if (!opt_provider(o))
  650. goto end;
  651. break;
  652. case OPT_CONFIG:
  653. conf = app_load_config_modules(opt_arg());
  654. if (conf == NULL)
  655. goto end;
  656. break;
  657. case OPT_3DES_WRAP:
  658. # ifndef OPENSSL_NO_DES
  659. wrap_cipher = EVP_des_ede3_wrap();
  660. # endif
  661. break;
  662. case OPT_AES128_WRAP:
  663. wrap_cipher = EVP_aes_128_wrap();
  664. break;
  665. case OPT_AES192_WRAP:
  666. wrap_cipher = EVP_aes_192_wrap();
  667. break;
  668. case OPT_AES256_WRAP:
  669. wrap_cipher = EVP_aes_256_wrap();
  670. break;
  671. case OPT_WRAP:
  672. if (!opt_cipher(opt_unknown(), &wrap_cipher))
  673. goto end;
  674. break;
  675. }
  676. }
  677. /* Remaining args are files to process. */
  678. argc = opt_num_rest();
  679. argv = opt_rest();
  680. if ((rr_allorfirst != -1 || rr_from != NULL) && rr_to == NULL) {
  681. BIO_puts(bio_err, "No Signed Receipts Recipients\n");
  682. goto opthelp;
  683. }
  684. if (!(operation & SMIME_SIGNERS) && (rr_to != NULL || rr_from != NULL)) {
  685. BIO_puts(bio_err, "Signed receipts only allowed with -sign\n");
  686. goto opthelp;
  687. }
  688. if (!(operation & SMIME_SIGNERS) && (skkeys != NULL || sksigners != NULL)) {
  689. BIO_puts(bio_err, "Multiple signers or keys not allowed\n");
  690. goto opthelp;
  691. }
  692. if ((flags & CMS_CADES) != 0) {
  693. if ((flags & CMS_NOATTR) != 0) {
  694. BIO_puts(bio_err, "Incompatible options: "
  695. "CAdES required signed attributes\n");
  696. goto opthelp;
  697. }
  698. if (operation == SMIME_VERIFY
  699. && (flags & (CMS_NO_SIGNER_CERT_VERIFY | CMS_NO_ATTR_VERIFY)) != 0) {
  700. BIO_puts(bio_err, "Incompatible options: CAdES validation require"
  701. " certs and signed attributes validations\n");
  702. goto opthelp;
  703. }
  704. }
  705. if (operation & SMIME_SIGNERS) {
  706. if (keyfile != NULL && signerfile == NULL) {
  707. BIO_puts(bio_err, "Illegal -inkey without -signer\n");
  708. goto opthelp;
  709. }
  710. /* Check to see if any final signer needs to be appended */
  711. if (signerfile != NULL) {
  712. if (sksigners == NULL
  713. && (sksigners = sk_OPENSSL_STRING_new_null()) == NULL)
  714. goto end;
  715. sk_OPENSSL_STRING_push(sksigners, signerfile);
  716. if (skkeys == NULL && (skkeys = sk_OPENSSL_STRING_new_null()) == NULL)
  717. goto end;
  718. if (keyfile == NULL)
  719. keyfile = signerfile;
  720. sk_OPENSSL_STRING_push(skkeys, keyfile);
  721. }
  722. if (sksigners == NULL) {
  723. BIO_printf(bio_err, "No signer certificate specified\n");
  724. goto opthelp;
  725. }
  726. signerfile = NULL;
  727. keyfile = NULL;
  728. } else if (operation == SMIME_DECRYPT) {
  729. if (recipfile == NULL && keyfile == NULL
  730. && secret_key == NULL && pwri_pass == NULL) {
  731. BIO_printf(bio_err,
  732. "No recipient certificate or key specified\n");
  733. goto opthelp;
  734. }
  735. } else if (operation == SMIME_ENCRYPT) {
  736. if (*argv == NULL && secret_key == NULL
  737. && pwri_pass == NULL && encerts == NULL) {
  738. BIO_printf(bio_err, "No recipient(s) certificate(s) specified\n");
  739. goto opthelp;
  740. }
  741. } else if (!operation) {
  742. BIO_printf(bio_err, "No operation option (-encrypt|-decrypt|-sign|-verify|...) specified.\n");
  743. goto opthelp;
  744. }
  745. if (!app_passwd(passinarg, NULL, &passin, NULL)) {
  746. BIO_printf(bio_err, "Error getting password\n");
  747. goto end;
  748. }
  749. ret = 2;
  750. if (!(operation & SMIME_SIGNERS))
  751. flags &= ~CMS_DETACHED;
  752. if (!(operation & SMIME_OP))
  753. if (flags & CMS_BINARY)
  754. outformat = FORMAT_BINARY;
  755. if (!(operation & SMIME_IP))
  756. if (flags & CMS_BINARY)
  757. informat = FORMAT_BINARY;
  758. if (operation == SMIME_ENCRYPT) {
  759. if (!cipher) {
  760. # ifndef OPENSSL_NO_DES
  761. cipher = EVP_des_ede3_cbc();
  762. # else
  763. BIO_printf(bio_err, "No cipher selected\n");
  764. goto end;
  765. # endif
  766. }
  767. if (secret_key && !secret_keyid) {
  768. BIO_printf(bio_err, "No secret key id\n");
  769. goto end;
  770. }
  771. if (*argv && encerts == NULL)
  772. if ((encerts = sk_X509_new_null()) == NULL)
  773. goto end;
  774. while (*argv) {
  775. if ((cert = load_cert(*argv, "recipient certificate file")) == NULL)
  776. goto end;
  777. sk_X509_push(encerts, cert);
  778. cert = NULL;
  779. argv++;
  780. }
  781. }
  782. if (certfile != NULL) {
  783. if (!load_certs(certfile, &other, NULL, "certificate file")) {
  784. ERR_print_errors(bio_err);
  785. goto end;
  786. }
  787. }
  788. if (recipfile != NULL && (operation == SMIME_DECRYPT)) {
  789. if ((recip = load_cert(recipfile,
  790. "recipient certificate file")) == NULL) {
  791. ERR_print_errors(bio_err);
  792. goto end;
  793. }
  794. }
  795. if (originatorfile != NULL) {
  796. if ((originator = load_cert(originatorfile,
  797. "originator certificate file")) == NULL) {
  798. ERR_print_errors(bio_err);
  799. goto end;
  800. }
  801. }
  802. if (operation == SMIME_SIGN_RECEIPT) {
  803. if ((signer = load_cert(signerfile,
  804. "receipt signer certificate file")) == NULL) {
  805. ERR_print_errors(bio_err);
  806. goto end;
  807. }
  808. }
  809. if ((operation == SMIME_DECRYPT) || (operation == SMIME_ENCRYPT)) {
  810. if (keyfile == NULL)
  811. keyfile = recipfile;
  812. } else if ((operation == SMIME_SIGN) || (operation == SMIME_SIGN_RECEIPT)) {
  813. if (keyfile == NULL)
  814. keyfile = signerfile;
  815. } else {
  816. keyfile = NULL;
  817. }
  818. if (keyfile != NULL) {
  819. key = load_key(keyfile, keyform, 0, passin, e, "signing key");
  820. if (key == NULL)
  821. goto end;
  822. }
  823. in = bio_open_default(infile, 'r', informat);
  824. if (in == NULL)
  825. goto end;
  826. if (operation & SMIME_IP) {
  827. cms = load_content_info(informat, in, &indata, "SMIME", libctx, propq);
  828. if (cms == NULL)
  829. goto end;
  830. if (contfile != NULL) {
  831. BIO_free(indata);
  832. if ((indata = BIO_new_file(contfile, "rb")) == NULL) {
  833. BIO_printf(bio_err, "Can't read content file %s\n", contfile);
  834. goto end;
  835. }
  836. }
  837. if (certsoutfile != NULL) {
  838. STACK_OF(X509) *allcerts;
  839. allcerts = CMS_get1_certs(cms);
  840. if (!save_certs(certsoutfile, allcerts)) {
  841. BIO_printf(bio_err,
  842. "Error writing certs to %s\n", certsoutfile);
  843. ret = 5;
  844. goto end;
  845. }
  846. sk_X509_pop_free(allcerts, X509_free);
  847. }
  848. }
  849. if (rctfile != NULL) {
  850. char *rctmode = (rctformat == FORMAT_ASN1) ? "rb" : "r";
  851. if ((rctin = BIO_new_file(rctfile, rctmode)) == NULL) {
  852. BIO_printf(bio_err, "Can't open receipt file %s\n", rctfile);
  853. goto end;
  854. }
  855. rcms = load_content_info(rctformat, rctin, NULL, "recipient", libctx,
  856. propq);
  857. if (rcms == NULL)
  858. goto end;
  859. }
  860. out = bio_open_default(outfile, 'w', outformat);
  861. if (out == NULL)
  862. goto end;
  863. if ((operation == SMIME_VERIFY) || (operation == SMIME_VERIFY_RECEIPT)) {
  864. if ((store = setup_verify(CAfile, noCAfile, CApath, noCApath,
  865. CAstore, noCAstore)) == NULL)
  866. goto end;
  867. X509_STORE_set_verify_cb(store, cms_cb);
  868. if (vpmtouched)
  869. X509_STORE_set1_param(store, vpm);
  870. }
  871. ret = 3;
  872. if (operation == SMIME_DATA_CREATE) {
  873. cms = CMS_data_create_ex(in, flags, libctx, propq);
  874. } else if (operation == SMIME_DIGEST_CREATE) {
  875. cms = CMS_digest_create_ex(in, sign_md, flags, libctx, propq);
  876. } else if (operation == SMIME_COMPRESS) {
  877. cms = CMS_compress(in, -1, flags);
  878. } else if (operation == SMIME_ENCRYPT) {
  879. int i;
  880. flags |= CMS_PARTIAL;
  881. cms = CMS_encrypt_ex(NULL, in, cipher, flags, libctx, propq);
  882. if (cms == NULL)
  883. goto end;
  884. for (i = 0; i < sk_X509_num(encerts); i++) {
  885. CMS_RecipientInfo *ri;
  886. cms_key_param *kparam;
  887. int tflags = flags | CMS_KEY_PARAM; /* This flag enforces allocating the EVP_PKEY_CTX for the recipient here */
  888. EVP_PKEY_CTX *pctx;
  889. X509 *x = sk_X509_value(encerts, i);
  890. int res;
  891. for (kparam = key_first; kparam; kparam = kparam->next) {
  892. if (kparam->idx == i) {
  893. break;
  894. }
  895. }
  896. ri = CMS_add1_recipient(cms, x, key, originator, tflags);
  897. if (ri == NULL)
  898. goto end;
  899. pctx = CMS_RecipientInfo_get0_pkey_ctx(ri);
  900. if (kparam != NULL) {
  901. if (!cms_set_pkey_param(pctx, kparam->param))
  902. goto end;
  903. }
  904. res = EVP_PKEY_CTX_ctrl(pctx, -1, -1,
  905. EVP_PKEY_CTRL_CIPHER,
  906. EVP_CIPHER_nid(cipher), NULL);
  907. if (res <= 0 && res != -2)
  908. goto end;
  909. if (CMS_RecipientInfo_type(ri) == CMS_RECIPINFO_AGREE
  910. && wrap_cipher) {
  911. EVP_CIPHER_CTX *wctx;
  912. wctx = CMS_RecipientInfo_kari_get0_ctx(ri);
  913. EVP_EncryptInit_ex(wctx, wrap_cipher, NULL, NULL, NULL);
  914. }
  915. }
  916. if (secret_key != NULL) {
  917. if (!CMS_add0_recipient_key(cms, NID_undef,
  918. secret_key, secret_keylen,
  919. secret_keyid, secret_keyidlen,
  920. NULL, NULL, NULL))
  921. goto end;
  922. /* NULL these because call absorbs them */
  923. secret_key = NULL;
  924. secret_keyid = NULL;
  925. }
  926. if (pwri_pass != NULL) {
  927. pwri_tmp = (unsigned char *)OPENSSL_strdup((char *)pwri_pass);
  928. if (pwri_tmp == NULL)
  929. goto end;
  930. if (CMS_add0_recipient_password(cms,
  931. -1, NID_undef, NID_undef,
  932. pwri_tmp, -1, NULL) == NULL)
  933. goto end;
  934. pwri_tmp = NULL;
  935. }
  936. if (!(flags & CMS_STREAM)) {
  937. if (!CMS_final(cms, in, NULL, flags))
  938. goto end;
  939. }
  940. } else if (operation == SMIME_ENCRYPTED_ENCRYPT) {
  941. cms = CMS_EncryptedData_encrypt_ex(in, cipher, secret_key,
  942. secret_keylen, flags, libctx, propq);
  943. } else if (operation == SMIME_SIGN_RECEIPT) {
  944. CMS_ContentInfo *srcms = NULL;
  945. STACK_OF(CMS_SignerInfo) *sis;
  946. CMS_SignerInfo *si;
  947. sis = CMS_get0_SignerInfos(cms);
  948. if (sis == NULL)
  949. goto end;
  950. si = sk_CMS_SignerInfo_value(sis, 0);
  951. srcms = CMS_sign_receipt(si, signer, key, other, flags);
  952. if (srcms == NULL)
  953. goto end;
  954. CMS_ContentInfo_free(cms);
  955. cms = srcms;
  956. } else if (operation & SMIME_SIGNERS) {
  957. int i;
  958. /*
  959. * If detached data content we enable streaming if S/MIME output
  960. * format.
  961. */
  962. if (operation == SMIME_SIGN) {
  963. if (flags & CMS_DETACHED) {
  964. if (outformat == FORMAT_SMIME)
  965. flags |= CMS_STREAM;
  966. }
  967. flags |= CMS_PARTIAL;
  968. cms = CMS_sign_ex(NULL, NULL, other, in, flags, libctx, propq);
  969. if (cms == NULL)
  970. goto end;
  971. if (econtent_type != NULL)
  972. CMS_set1_eContentType(cms, econtent_type);
  973. if (rr_to != NULL) {
  974. rr = make_receipt_request(rr_to, rr_allorfirst, rr_from, libctx,
  975. propq);
  976. if (rr == NULL) {
  977. BIO_puts(bio_err,
  978. "Signed Receipt Request Creation Error\n");
  979. goto end;
  980. }
  981. }
  982. } else {
  983. flags |= CMS_REUSE_DIGEST;
  984. }
  985. for (i = 0; i < sk_OPENSSL_STRING_num(sksigners); i++) {
  986. CMS_SignerInfo *si;
  987. cms_key_param *kparam;
  988. int tflags = flags;
  989. signerfile = sk_OPENSSL_STRING_value(sksigners, i);
  990. keyfile = sk_OPENSSL_STRING_value(skkeys, i);
  991. signer = load_cert(signerfile, "signer certificate");
  992. if (signer == NULL) {
  993. ret = 2;
  994. goto end;
  995. }
  996. key = load_key(keyfile, keyform, 0, passin, e, "signing key");
  997. if (key == NULL) {
  998. ret = 2;
  999. goto end;
  1000. }
  1001. for (kparam = key_first; kparam; kparam = kparam->next) {
  1002. if (kparam->idx == i) {
  1003. tflags |= CMS_KEY_PARAM;
  1004. break;
  1005. }
  1006. }
  1007. si = CMS_add1_signer(cms, signer, key, sign_md, tflags);
  1008. if (si == NULL)
  1009. goto end;
  1010. if (kparam != NULL) {
  1011. EVP_PKEY_CTX *pctx;
  1012. pctx = CMS_SignerInfo_get0_pkey_ctx(si);
  1013. if (!cms_set_pkey_param(pctx, kparam->param))
  1014. goto end;
  1015. }
  1016. if (rr != NULL && !CMS_add1_ReceiptRequest(si, rr))
  1017. goto end;
  1018. X509_free(signer);
  1019. signer = NULL;
  1020. EVP_PKEY_free(key);
  1021. key = NULL;
  1022. }
  1023. /* If not streaming or resigning finalize structure */
  1024. if ((operation == SMIME_SIGN) && !(flags & CMS_STREAM)) {
  1025. if (!CMS_final(cms, in, NULL, flags))
  1026. goto end;
  1027. }
  1028. }
  1029. if (cms == NULL) {
  1030. BIO_printf(bio_err, "Error creating CMS structure\n");
  1031. goto end;
  1032. }
  1033. ret = 4;
  1034. if (operation == SMIME_DECRYPT) {
  1035. if (flags & CMS_DEBUG_DECRYPT)
  1036. CMS_decrypt(cms, NULL, NULL, NULL, NULL, flags);
  1037. if (secret_key != NULL) {
  1038. if (!CMS_decrypt_set1_key(cms,
  1039. secret_key, secret_keylen,
  1040. secret_keyid, secret_keyidlen)) {
  1041. BIO_puts(bio_err, "Error decrypting CMS using secret key\n");
  1042. goto end;
  1043. }
  1044. }
  1045. if (key != NULL) {
  1046. if (!CMS_decrypt_set1_pkey_and_peer(cms, key, recip, originator)) {
  1047. BIO_puts(bio_err, "Error decrypting CMS using private key\n");
  1048. goto end;
  1049. }
  1050. }
  1051. if (pwri_pass != NULL) {
  1052. if (!CMS_decrypt_set1_password(cms, pwri_pass, -1)) {
  1053. BIO_puts(bio_err, "Error decrypting CMS using password\n");
  1054. goto end;
  1055. }
  1056. }
  1057. if (!CMS_decrypt(cms, NULL, NULL, indata, out, flags)) {
  1058. BIO_printf(bio_err, "Error decrypting CMS structure\n");
  1059. goto end;
  1060. }
  1061. } else if (operation == SMIME_DATAOUT) {
  1062. if (!CMS_data(cms, out, flags))
  1063. goto end;
  1064. } else if (operation == SMIME_UNCOMPRESS) {
  1065. if (!CMS_uncompress(cms, indata, out, flags))
  1066. goto end;
  1067. } else if (operation == SMIME_DIGEST_VERIFY) {
  1068. if (CMS_digest_verify(cms, indata, out, flags) > 0) {
  1069. BIO_printf(bio_err, "Verification successful\n");
  1070. } else {
  1071. BIO_printf(bio_err, "Verification failure\n");
  1072. goto end;
  1073. }
  1074. } else if (operation == SMIME_ENCRYPTED_DECRYPT) {
  1075. if (!CMS_EncryptedData_decrypt(cms, secret_key, secret_keylen,
  1076. indata, out, flags))
  1077. goto end;
  1078. } else if (operation == SMIME_VERIFY) {
  1079. if (CMS_verify(cms, other, store, indata, out, flags) > 0) {
  1080. BIO_printf(bio_err, "%s Verification successful\n",
  1081. (flags & CMS_CADES) ? "CAdES" : "CMS");
  1082. } else {
  1083. BIO_printf(bio_err, "Verification failure\n");
  1084. if (verify_retcode)
  1085. ret = verify_err + 32;
  1086. goto end;
  1087. }
  1088. if (signerfile != NULL) {
  1089. STACK_OF(X509) *signers;
  1090. signers = CMS_get0_signers(cms);
  1091. if (!save_certs(signerfile, signers)) {
  1092. BIO_printf(bio_err,
  1093. "Error writing signers to %s\n", signerfile);
  1094. ret = 5;
  1095. goto end;
  1096. }
  1097. sk_X509_free(signers);
  1098. }
  1099. if (rr_print)
  1100. receipt_request_print(cms);
  1101. } else if (operation == SMIME_VERIFY_RECEIPT) {
  1102. if (CMS_verify_receipt(rcms, cms, other, store, flags) > 0) {
  1103. BIO_printf(bio_err, "Verification successful\n");
  1104. } else {
  1105. BIO_printf(bio_err, "Verification failure\n");
  1106. goto end;
  1107. }
  1108. } else {
  1109. if (noout) {
  1110. if (print) {
  1111. ASN1_PCTX *pctx = NULL;
  1112. if (get_nameopt() != XN_FLAG_ONELINE) {
  1113. pctx = ASN1_PCTX_new();
  1114. if (pctx != NULL) { /* Print anyway if malloc failed */
  1115. ASN1_PCTX_set_flags(pctx, ASN1_PCTX_FLAGS_SHOW_ABSENT);
  1116. ASN1_PCTX_set_str_flags(pctx, get_nameopt());
  1117. ASN1_PCTX_set_nm_flags(pctx, get_nameopt());
  1118. }
  1119. }
  1120. CMS_ContentInfo_print_ctx(out, cms, 0, pctx);
  1121. ASN1_PCTX_free(pctx);
  1122. }
  1123. } else if (outformat == FORMAT_SMIME) {
  1124. if (to)
  1125. BIO_printf(out, "To: %s%s", to, mime_eol);
  1126. if (from)
  1127. BIO_printf(out, "From: %s%s", from, mime_eol);
  1128. if (subject)
  1129. BIO_printf(out, "Subject: %s%s", subject, mime_eol);
  1130. if (operation == SMIME_RESIGN)
  1131. ret = SMIME_write_CMS(out, cms, indata, flags);
  1132. else
  1133. ret = SMIME_write_CMS(out, cms, in, flags);
  1134. } else if (outformat == FORMAT_PEM) {
  1135. ret = PEM_write_bio_CMS_stream(out, cms, in, flags);
  1136. } else if (outformat == FORMAT_ASN1) {
  1137. ret = i2d_CMS_bio_stream(out, cms, in, flags);
  1138. } else {
  1139. BIO_printf(bio_err, "Bad output format for CMS file\n");
  1140. goto end;
  1141. }
  1142. if (ret <= 0) {
  1143. ret = 6;
  1144. goto end;
  1145. }
  1146. }
  1147. ret = 0;
  1148. end:
  1149. if (ret)
  1150. ERR_print_errors(bio_err);
  1151. sk_X509_pop_free(encerts, X509_free);
  1152. sk_X509_pop_free(other, X509_free);
  1153. X509_VERIFY_PARAM_free(vpm);
  1154. sk_OPENSSL_STRING_free(sksigners);
  1155. sk_OPENSSL_STRING_free(skkeys);
  1156. OPENSSL_free(secret_key);
  1157. OPENSSL_free(secret_keyid);
  1158. OPENSSL_free(pwri_tmp);
  1159. ASN1_OBJECT_free(econtent_type);
  1160. CMS_ReceiptRequest_free(rr);
  1161. sk_OPENSSL_STRING_free(rr_to);
  1162. sk_OPENSSL_STRING_free(rr_from);
  1163. for (key_param = key_first; key_param;) {
  1164. cms_key_param *tparam;
  1165. sk_OPENSSL_STRING_free(key_param->param);
  1166. tparam = key_param->next;
  1167. OPENSSL_free(key_param);
  1168. key_param = tparam;
  1169. }
  1170. X509_STORE_free(store);
  1171. X509_free(cert);
  1172. X509_free(recip);
  1173. X509_free(signer);
  1174. EVP_PKEY_free(key);
  1175. CMS_ContentInfo_free(cms);
  1176. CMS_ContentInfo_free(rcms);
  1177. release_engine(e);
  1178. BIO_free(rctin);
  1179. BIO_free(in);
  1180. BIO_free(indata);
  1181. BIO_free_all(out);
  1182. OPENSSL_free(passin);
  1183. NCONF_free(conf);
  1184. return ret;
  1185. }
  1186. static int save_certs(char *signerfile, STACK_OF(X509) *signers)
  1187. {
  1188. int i;
  1189. BIO *tmp;
  1190. if (signerfile == NULL)
  1191. return 1;
  1192. tmp = BIO_new_file(signerfile, "w");
  1193. if (tmp == NULL)
  1194. return 0;
  1195. for (i = 0; i < sk_X509_num(signers); i++)
  1196. PEM_write_bio_X509(tmp, sk_X509_value(signers, i));
  1197. BIO_free(tmp);
  1198. return 1;
  1199. }
  1200. /* Minimal callback just to output policy info (if any) */
  1201. static int cms_cb(int ok, X509_STORE_CTX *ctx)
  1202. {
  1203. int error;
  1204. error = X509_STORE_CTX_get_error(ctx);
  1205. verify_err = error;
  1206. if ((error != X509_V_ERR_NO_EXPLICIT_POLICY)
  1207. && ((error != X509_V_OK) || (ok != 2)))
  1208. return ok;
  1209. policies_print(ctx);
  1210. return ok;
  1211. }
  1212. static void gnames_stack_print(STACK_OF(GENERAL_NAMES) *gns)
  1213. {
  1214. STACK_OF(GENERAL_NAME) *gens;
  1215. GENERAL_NAME *gen;
  1216. int i, j;
  1217. for (i = 0; i < sk_GENERAL_NAMES_num(gns); i++) {
  1218. gens = sk_GENERAL_NAMES_value(gns, i);
  1219. for (j = 0; j < sk_GENERAL_NAME_num(gens); j++) {
  1220. gen = sk_GENERAL_NAME_value(gens, j);
  1221. BIO_puts(bio_err, " ");
  1222. GENERAL_NAME_print(bio_err, gen);
  1223. BIO_puts(bio_err, "\n");
  1224. }
  1225. }
  1226. return;
  1227. }
  1228. static void receipt_request_print(CMS_ContentInfo *cms)
  1229. {
  1230. STACK_OF(CMS_SignerInfo) *sis;
  1231. CMS_SignerInfo *si;
  1232. CMS_ReceiptRequest *rr;
  1233. int allorfirst;
  1234. STACK_OF(GENERAL_NAMES) *rto, *rlist;
  1235. ASN1_STRING *scid;
  1236. int i, rv;
  1237. sis = CMS_get0_SignerInfos(cms);
  1238. for (i = 0; i < sk_CMS_SignerInfo_num(sis); i++) {
  1239. si = sk_CMS_SignerInfo_value(sis, i);
  1240. rv = CMS_get1_ReceiptRequest(si, &rr);
  1241. BIO_printf(bio_err, "Signer %d:\n", i + 1);
  1242. if (rv == 0) {
  1243. BIO_puts(bio_err, " No Receipt Request\n");
  1244. } else if (rv < 0) {
  1245. BIO_puts(bio_err, " Receipt Request Parse Error\n");
  1246. ERR_print_errors(bio_err);
  1247. } else {
  1248. const char *id;
  1249. int idlen;
  1250. CMS_ReceiptRequest_get0_values(rr, &scid, &allorfirst,
  1251. &rlist, &rto);
  1252. BIO_puts(bio_err, " Signed Content ID:\n");
  1253. idlen = ASN1_STRING_length(scid);
  1254. id = (const char *)ASN1_STRING_get0_data(scid);
  1255. BIO_dump_indent(bio_err, id, idlen, 4);
  1256. BIO_puts(bio_err, " Receipts From");
  1257. if (rlist != NULL) {
  1258. BIO_puts(bio_err, " List:\n");
  1259. gnames_stack_print(rlist);
  1260. } else if (allorfirst == 1) {
  1261. BIO_puts(bio_err, ": First Tier\n");
  1262. } else if (allorfirst == 0) {
  1263. BIO_puts(bio_err, ": All\n");
  1264. } else {
  1265. BIO_printf(bio_err, " Unknown (%d)\n", allorfirst);
  1266. }
  1267. BIO_puts(bio_err, " Receipts To:\n");
  1268. gnames_stack_print(rto);
  1269. }
  1270. CMS_ReceiptRequest_free(rr);
  1271. }
  1272. }
  1273. static STACK_OF(GENERAL_NAMES) *make_names_stack(STACK_OF(OPENSSL_STRING) *ns)
  1274. {
  1275. int i;
  1276. STACK_OF(GENERAL_NAMES) *ret;
  1277. GENERAL_NAMES *gens = NULL;
  1278. GENERAL_NAME *gen = NULL;
  1279. ret = sk_GENERAL_NAMES_new_null();
  1280. if (ret == NULL)
  1281. goto err;
  1282. for (i = 0; i < sk_OPENSSL_STRING_num(ns); i++) {
  1283. char *str = sk_OPENSSL_STRING_value(ns, i);
  1284. gen = a2i_GENERAL_NAME(NULL, NULL, NULL, GEN_EMAIL, str, 0);
  1285. if (gen == NULL)
  1286. goto err;
  1287. gens = GENERAL_NAMES_new();
  1288. if (gens == NULL)
  1289. goto err;
  1290. if (!sk_GENERAL_NAME_push(gens, gen))
  1291. goto err;
  1292. gen = NULL;
  1293. if (!sk_GENERAL_NAMES_push(ret, gens))
  1294. goto err;
  1295. gens = NULL;
  1296. }
  1297. return ret;
  1298. err:
  1299. sk_GENERAL_NAMES_pop_free(ret, GENERAL_NAMES_free);
  1300. GENERAL_NAMES_free(gens);
  1301. GENERAL_NAME_free(gen);
  1302. return NULL;
  1303. }
  1304. static CMS_ReceiptRequest *make_receipt_request(
  1305. STACK_OF(OPENSSL_STRING) *rr_to, int rr_allorfirst,
  1306. STACK_OF(OPENSSL_STRING) *rr_from,
  1307. OSSL_LIB_CTX *libctx, const char *propq)
  1308. {
  1309. STACK_OF(GENERAL_NAMES) *rct_to = NULL, *rct_from = NULL;
  1310. CMS_ReceiptRequest *rr;
  1311. rct_to = make_names_stack(rr_to);
  1312. if (rct_to == NULL)
  1313. goto err;
  1314. if (rr_from != NULL) {
  1315. rct_from = make_names_stack(rr_from);
  1316. if (rct_from == NULL)
  1317. goto err;
  1318. } else {
  1319. rct_from = NULL;
  1320. }
  1321. rr = CMS_ReceiptRequest_create0_ex(NULL, -1, rr_allorfirst, rct_from,
  1322. rct_to, libctx, propq);
  1323. return rr;
  1324. err:
  1325. sk_GENERAL_NAMES_pop_free(rct_to, GENERAL_NAMES_free);
  1326. return NULL;
  1327. }
  1328. static int cms_set_pkey_param(EVP_PKEY_CTX *pctx,
  1329. STACK_OF(OPENSSL_STRING) *param)
  1330. {
  1331. char *keyopt;
  1332. int i;
  1333. if (sk_OPENSSL_STRING_num(param) <= 0)
  1334. return 1;
  1335. for (i = 0; i < sk_OPENSSL_STRING_num(param); i++) {
  1336. keyopt = sk_OPENSSL_STRING_value(param, i);
  1337. if (pkey_ctrl_string(pctx, keyopt) <= 0) {
  1338. BIO_printf(bio_err, "parameter error \"%s\"\n", keyopt);
  1339. ERR_print_errors(bio_err);
  1340. return 0;
  1341. }
  1342. }
  1343. return 1;
  1344. }
  1345. #endif