cms.c 44 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181118211831184118511861187118811891190119111921193119411951196119711981199120012011202120312041205120612071208120912101211121212131214121512161217121812191220122112221223122412251226122712281229123012311232123312341235123612371238123912401241124212431244124512461247124812491250125112521253125412551256125712581259126012611262126312641265126612671268126912701271127212731274127512761277127812791280128112821283128412851286128712881289
  1. /*
  2. * Copyright 2008-2018 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the OpenSSL license (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. /* CMS utility function */
  10. #include <stdio.h>
  11. #include <string.h>
  12. #include "apps.h"
  13. #include "progs.h"
  14. #ifndef OPENSSL_NO_CMS
  15. # include <openssl/crypto.h>
  16. # include <openssl/pem.h>
  17. # include <openssl/err.h>
  18. # include <openssl/x509_vfy.h>
  19. # include <openssl/x509v3.h>
  20. # include <openssl/cms.h>
  21. static int save_certs(char *signerfile, STACK_OF(X509) *signers);
  22. static int cms_cb(int ok, X509_STORE_CTX *ctx);
  23. static void receipt_request_print(CMS_ContentInfo *cms);
  24. static CMS_ReceiptRequest *make_receipt_request(STACK_OF(OPENSSL_STRING)
  25. *rr_to, int rr_allorfirst, STACK_OF(OPENSSL_STRING)
  26. *rr_from);
  27. static int cms_set_pkey_param(EVP_PKEY_CTX *pctx,
  28. STACK_OF(OPENSSL_STRING) *param);
  29. # define SMIME_OP 0x10
  30. # define SMIME_IP 0x20
  31. # define SMIME_SIGNERS 0x40
  32. # define SMIME_ENCRYPT (1 | SMIME_OP)
  33. # define SMIME_DECRYPT (2 | SMIME_IP)
  34. # define SMIME_SIGN (3 | SMIME_OP | SMIME_SIGNERS)
  35. # define SMIME_VERIFY (4 | SMIME_IP)
  36. # define SMIME_CMSOUT (5 | SMIME_IP | SMIME_OP)
  37. # define SMIME_RESIGN (6 | SMIME_IP | SMIME_OP | SMIME_SIGNERS)
  38. # define SMIME_DATAOUT (7 | SMIME_IP)
  39. # define SMIME_DATA_CREATE (8 | SMIME_OP)
  40. # define SMIME_DIGEST_VERIFY (9 | SMIME_IP)
  41. # define SMIME_DIGEST_CREATE (10 | SMIME_OP)
  42. # define SMIME_UNCOMPRESS (11 | SMIME_IP)
  43. # define SMIME_COMPRESS (12 | SMIME_OP)
  44. # define SMIME_ENCRYPTED_DECRYPT (13 | SMIME_IP)
  45. # define SMIME_ENCRYPTED_ENCRYPT (14 | SMIME_OP)
  46. # define SMIME_SIGN_RECEIPT (15 | SMIME_IP | SMIME_OP)
  47. # define SMIME_VERIFY_RECEIPT (16 | SMIME_IP)
  48. static int verify_err = 0;
  49. typedef struct cms_key_param_st cms_key_param;
  50. struct cms_key_param_st {
  51. int idx;
  52. STACK_OF(OPENSSL_STRING) *param;
  53. cms_key_param *next;
  54. };
  55. typedef enum OPTION_choice {
  56. OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
  57. OPT_INFORM, OPT_OUTFORM, OPT_IN, OPT_OUT, OPT_ENCRYPT,
  58. OPT_DECRYPT, OPT_SIGN, OPT_SIGN_RECEIPT, OPT_RESIGN,
  59. OPT_VERIFY, OPT_VERIFY_RETCODE, OPT_VERIFY_RECEIPT,
  60. OPT_CMSOUT, OPT_DATA_OUT, OPT_DATA_CREATE, OPT_DIGEST_VERIFY,
  61. OPT_DIGEST_CREATE, OPT_COMPRESS, OPT_UNCOMPRESS,
  62. OPT_ED_DECRYPT, OPT_ED_ENCRYPT, OPT_DEBUG_DECRYPT, OPT_TEXT,
  63. OPT_ASCIICRLF, OPT_NOINTERN, OPT_NOVERIFY, OPT_NOCERTS,
  64. OPT_NOATTR, OPT_NODETACH, OPT_NOSMIMECAP, OPT_BINARY, OPT_KEYID,
  65. OPT_NOSIGS, OPT_NO_CONTENT_VERIFY, OPT_NO_ATTR_VERIFY, OPT_INDEF,
  66. OPT_NOINDEF, OPT_CRLFEOL, OPT_NOOUT, OPT_RR_PRINT,
  67. OPT_RR_ALL, OPT_RR_FIRST, OPT_RCTFORM, OPT_CERTFILE, OPT_CAFILE,
  68. OPT_CAPATH, OPT_NOCAPATH, OPT_NOCAFILE,OPT_CONTENT, OPT_PRINT,
  69. OPT_SECRETKEY, OPT_SECRETKEYID, OPT_PWRI_PASSWORD, OPT_ECONTENT_TYPE,
  70. OPT_PASSIN, OPT_TO, OPT_FROM, OPT_SUBJECT, OPT_SIGNER, OPT_RECIP,
  71. OPT_CERTSOUT, OPT_MD, OPT_INKEY, OPT_KEYFORM, OPT_KEYOPT, OPT_RR_FROM,
  72. OPT_RR_TO, OPT_AES128_WRAP, OPT_AES192_WRAP, OPT_AES256_WRAP,
  73. OPT_3DES_WRAP, OPT_ENGINE,
  74. OPT_R_ENUM,
  75. OPT_V_ENUM,
  76. OPT_CIPHER
  77. } OPTION_CHOICE;
  78. const OPTIONS cms_options[] = {
  79. {OPT_HELP_STR, 1, '-', "Usage: %s [options] cert.pem...\n"},
  80. {OPT_HELP_STR, 1, '-',
  81. " cert.pem... recipient certs for encryption\n"},
  82. {OPT_HELP_STR, 1, '-', "Valid options are:\n"},
  83. {"help", OPT_HELP, '-', "Display this summary"},
  84. {"inform", OPT_INFORM, 'c', "Input format SMIME (default), PEM or DER"},
  85. {"outform", OPT_OUTFORM, 'c',
  86. "Output format SMIME (default), PEM or DER"},
  87. {"in", OPT_IN, '<', "Input file"},
  88. {"out", OPT_OUT, '>', "Output file"},
  89. {"encrypt", OPT_ENCRYPT, '-', "Encrypt message"},
  90. {"decrypt", OPT_DECRYPT, '-', "Decrypt encrypted message"},
  91. {"sign", OPT_SIGN, '-', "Sign message"},
  92. {"sign_receipt", OPT_SIGN_RECEIPT, '-', "Generate a signed receipt for the message"},
  93. {"resign", OPT_RESIGN, '-', "Resign a signed message"},
  94. {"verify", OPT_VERIFY, '-', "Verify signed message"},
  95. {"verify_retcode", OPT_VERIFY_RETCODE, '-'},
  96. {"verify_receipt", OPT_VERIFY_RECEIPT, '<'},
  97. {"cmsout", OPT_CMSOUT, '-', "Output CMS structure"},
  98. {"data_out", OPT_DATA_OUT, '-'},
  99. {"data_create", OPT_DATA_CREATE, '-'},
  100. {"digest_verify", OPT_DIGEST_VERIFY, '-'},
  101. {"digest_create", OPT_DIGEST_CREATE, '-'},
  102. {"compress", OPT_COMPRESS, '-'},
  103. {"uncompress", OPT_UNCOMPRESS, '-'},
  104. {"EncryptedData_decrypt", OPT_ED_DECRYPT, '-'},
  105. {"EncryptedData_encrypt", OPT_ED_ENCRYPT, '-'},
  106. {"debug_decrypt", OPT_DEBUG_DECRYPT, '-'},
  107. {"text", OPT_TEXT, '-', "Include or delete text MIME headers"},
  108. {"asciicrlf", OPT_ASCIICRLF, '-'},
  109. {"nointern", OPT_NOINTERN, '-',
  110. "Don't search certificates in message for signer"},
  111. {"noverify", OPT_NOVERIFY, '-', "Don't verify signers certificate"},
  112. {"nocerts", OPT_NOCERTS, '-',
  113. "Don't include signers certificate when signing"},
  114. {"noattr", OPT_NOATTR, '-', "Don't include any signed attributes"},
  115. {"nodetach", OPT_NODETACH, '-', "Use opaque signing"},
  116. {"nosmimecap", OPT_NOSMIMECAP, '-', "Omit the SMIMECapabilities attribute"},
  117. {"binary", OPT_BINARY, '-', "Don't translate message to text"},
  118. {"keyid", OPT_KEYID, '-', "Use subject key identifier"},
  119. {"nosigs", OPT_NOSIGS, '-', "Don't verify message signature"},
  120. {"no_content_verify", OPT_NO_CONTENT_VERIFY, '-'},
  121. {"no_attr_verify", OPT_NO_ATTR_VERIFY, '-'},
  122. {"stream", OPT_INDEF, '-', "Enable CMS streaming"},
  123. {"indef", OPT_INDEF, '-', "Same as -stream"},
  124. {"noindef", OPT_NOINDEF, '-', "Disable CMS streaming"},
  125. {"crlfeol", OPT_CRLFEOL, '-', "Use CRLF as EOL termination instead of CR only" },
  126. {"noout", OPT_NOOUT, '-', "For the -cmsout operation do not output the parsed CMS structure"},
  127. {"receipt_request_print", OPT_RR_PRINT, '-', "Print CMS Receipt Request" },
  128. {"receipt_request_all", OPT_RR_ALL, '-'},
  129. {"receipt_request_first", OPT_RR_FIRST, '-'},
  130. {"rctform", OPT_RCTFORM, 'F', "Receipt file format"},
  131. {"certfile", OPT_CERTFILE, '<', "Other certificates file"},
  132. {"CAfile", OPT_CAFILE, '<', "Trusted certificates file"},
  133. {"CApath", OPT_CAPATH, '/', "trusted certificates directory"},
  134. {"no-CAfile", OPT_NOCAFILE, '-',
  135. "Do not load the default certificates file"},
  136. {"no-CApath", OPT_NOCAPATH, '-',
  137. "Do not load certificates from the default certificates directory"},
  138. {"content", OPT_CONTENT, '<',
  139. "Supply or override content for detached signature"},
  140. {"print", OPT_PRINT, '-',
  141. "For the -cmsout operation print out all fields of the CMS structure"},
  142. {"secretkey", OPT_SECRETKEY, 's'},
  143. {"secretkeyid", OPT_SECRETKEYID, 's'},
  144. {"pwri_password", OPT_PWRI_PASSWORD, 's'},
  145. {"econtent_type", OPT_ECONTENT_TYPE, 's'},
  146. {"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
  147. {"to", OPT_TO, 's', "To address"},
  148. {"from", OPT_FROM, 's', "From address"},
  149. {"subject", OPT_SUBJECT, 's', "Subject"},
  150. {"signer", OPT_SIGNER, 's', "Signer certificate file"},
  151. {"recip", OPT_RECIP, '<', "Recipient cert file for decryption"},
  152. {"certsout", OPT_CERTSOUT, '>', "Certificate output file"},
  153. {"md", OPT_MD, 's', "Digest algorithm to use when signing or resigning"},
  154. {"inkey", OPT_INKEY, 's',
  155. "Input private key (if not signer or recipient)"},
  156. {"keyform", OPT_KEYFORM, 'f', "Input private key format (PEM or ENGINE)"},
  157. {"keyopt", OPT_KEYOPT, 's', "Set public key parameters as n:v pairs"},
  158. {"receipt_request_from", OPT_RR_FROM, 's'},
  159. {"receipt_request_to", OPT_RR_TO, 's'},
  160. {"", OPT_CIPHER, '-', "Any supported cipher"},
  161. OPT_R_OPTIONS,
  162. OPT_V_OPTIONS,
  163. {"aes128-wrap", OPT_AES128_WRAP, '-', "Use AES128 to wrap key"},
  164. {"aes192-wrap", OPT_AES192_WRAP, '-', "Use AES192 to wrap key"},
  165. {"aes256-wrap", OPT_AES256_WRAP, '-', "Use AES256 to wrap key"},
  166. # ifndef OPENSSL_NO_DES
  167. {"des3-wrap", OPT_3DES_WRAP, '-', "Use 3DES-EDE to wrap key"},
  168. # endif
  169. # ifndef OPENSSL_NO_ENGINE
  170. {"engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device"},
  171. # endif
  172. {NULL}
  173. };
  174. int cms_main(int argc, char **argv)
  175. {
  176. ASN1_OBJECT *econtent_type = NULL;
  177. BIO *in = NULL, *out = NULL, *indata = NULL, *rctin = NULL;
  178. CMS_ContentInfo *cms = NULL, *rcms = NULL;
  179. CMS_ReceiptRequest *rr = NULL;
  180. ENGINE *e = NULL;
  181. EVP_PKEY *key = NULL;
  182. const EVP_CIPHER *cipher = NULL, *wrap_cipher = NULL;
  183. const EVP_MD *sign_md = NULL;
  184. STACK_OF(OPENSSL_STRING) *rr_to = NULL, *rr_from = NULL;
  185. STACK_OF(OPENSSL_STRING) *sksigners = NULL, *skkeys = NULL;
  186. STACK_OF(X509) *encerts = NULL, *other = NULL;
  187. X509 *cert = NULL, *recip = NULL, *signer = NULL;
  188. X509_STORE *store = NULL;
  189. X509_VERIFY_PARAM *vpm = NULL;
  190. char *certfile = NULL, *keyfile = NULL, *contfile = NULL;
  191. const char *CAfile = NULL, *CApath = NULL;
  192. char *certsoutfile = NULL;
  193. int noCAfile = 0, noCApath = 0;
  194. char *infile = NULL, *outfile = NULL, *rctfile = NULL;
  195. char *passinarg = NULL, *passin = NULL, *signerfile = NULL, *recipfile = NULL;
  196. char *to = NULL, *from = NULL, *subject = NULL, *prog;
  197. cms_key_param *key_first = NULL, *key_param = NULL;
  198. int flags = CMS_DETACHED, noout = 0, print = 0, keyidx = -1, vpmtouched = 0;
  199. int informat = FORMAT_SMIME, outformat = FORMAT_SMIME;
  200. int operation = 0, ret = 1, rr_print = 0, rr_allorfirst = -1;
  201. int verify_retcode = 0, rctformat = FORMAT_SMIME, keyform = FORMAT_PEM;
  202. size_t secret_keylen = 0, secret_keyidlen = 0;
  203. unsigned char *pwri_pass = NULL, *pwri_tmp = NULL;
  204. unsigned char *secret_key = NULL, *secret_keyid = NULL;
  205. long ltmp;
  206. const char *mime_eol = "\n";
  207. OPTION_CHOICE o;
  208. if ((vpm = X509_VERIFY_PARAM_new()) == NULL)
  209. return 1;
  210. prog = opt_init(argc, argv, cms_options);
  211. while ((o = opt_next()) != OPT_EOF) {
  212. switch (o) {
  213. case OPT_EOF:
  214. case OPT_ERR:
  215. opthelp:
  216. BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
  217. goto end;
  218. case OPT_HELP:
  219. opt_help(cms_options);
  220. ret = 0;
  221. goto end;
  222. case OPT_INFORM:
  223. if (!opt_format(opt_arg(), OPT_FMT_PDS, &informat))
  224. goto opthelp;
  225. break;
  226. case OPT_OUTFORM:
  227. if (!opt_format(opt_arg(), OPT_FMT_PDS, &outformat))
  228. goto opthelp;
  229. break;
  230. case OPT_OUT:
  231. outfile = opt_arg();
  232. break;
  233. case OPT_ENCRYPT:
  234. operation = SMIME_ENCRYPT;
  235. break;
  236. case OPT_DECRYPT:
  237. operation = SMIME_DECRYPT;
  238. break;
  239. case OPT_SIGN:
  240. operation = SMIME_SIGN;
  241. break;
  242. case OPT_SIGN_RECEIPT:
  243. operation = SMIME_SIGN_RECEIPT;
  244. break;
  245. case OPT_RESIGN:
  246. operation = SMIME_RESIGN;
  247. break;
  248. case OPT_VERIFY:
  249. operation = SMIME_VERIFY;
  250. break;
  251. case OPT_VERIFY_RETCODE:
  252. verify_retcode = 1;
  253. break;
  254. case OPT_VERIFY_RECEIPT:
  255. operation = SMIME_VERIFY_RECEIPT;
  256. rctfile = opt_arg();
  257. break;
  258. case OPT_CMSOUT:
  259. operation = SMIME_CMSOUT;
  260. break;
  261. case OPT_DATA_OUT:
  262. operation = SMIME_DATAOUT;
  263. break;
  264. case OPT_DATA_CREATE:
  265. operation = SMIME_DATA_CREATE;
  266. break;
  267. case OPT_DIGEST_VERIFY:
  268. operation = SMIME_DIGEST_VERIFY;
  269. break;
  270. case OPT_DIGEST_CREATE:
  271. operation = SMIME_DIGEST_CREATE;
  272. break;
  273. case OPT_COMPRESS:
  274. operation = SMIME_COMPRESS;
  275. break;
  276. case OPT_UNCOMPRESS:
  277. operation = SMIME_UNCOMPRESS;
  278. break;
  279. case OPT_ED_DECRYPT:
  280. operation = SMIME_ENCRYPTED_DECRYPT;
  281. break;
  282. case OPT_ED_ENCRYPT:
  283. operation = SMIME_ENCRYPTED_ENCRYPT;
  284. break;
  285. case OPT_DEBUG_DECRYPT:
  286. flags |= CMS_DEBUG_DECRYPT;
  287. break;
  288. case OPT_TEXT:
  289. flags |= CMS_TEXT;
  290. break;
  291. case OPT_ASCIICRLF:
  292. flags |= CMS_ASCIICRLF;
  293. break;
  294. case OPT_NOINTERN:
  295. flags |= CMS_NOINTERN;
  296. break;
  297. case OPT_NOVERIFY:
  298. flags |= CMS_NO_SIGNER_CERT_VERIFY;
  299. break;
  300. case OPT_NOCERTS:
  301. flags |= CMS_NOCERTS;
  302. break;
  303. case OPT_NOATTR:
  304. flags |= CMS_NOATTR;
  305. break;
  306. case OPT_NODETACH:
  307. flags &= ~CMS_DETACHED;
  308. break;
  309. case OPT_NOSMIMECAP:
  310. flags |= CMS_NOSMIMECAP;
  311. break;
  312. case OPT_BINARY:
  313. flags |= CMS_BINARY;
  314. break;
  315. case OPT_KEYID:
  316. flags |= CMS_USE_KEYID;
  317. break;
  318. case OPT_NOSIGS:
  319. flags |= CMS_NOSIGS;
  320. break;
  321. case OPT_NO_CONTENT_VERIFY:
  322. flags |= CMS_NO_CONTENT_VERIFY;
  323. break;
  324. case OPT_NO_ATTR_VERIFY:
  325. flags |= CMS_NO_ATTR_VERIFY;
  326. break;
  327. case OPT_INDEF:
  328. flags |= CMS_STREAM;
  329. break;
  330. case OPT_NOINDEF:
  331. flags &= ~CMS_STREAM;
  332. break;
  333. case OPT_CRLFEOL:
  334. mime_eol = "\r\n";
  335. flags |= CMS_CRLFEOL;
  336. break;
  337. case OPT_NOOUT:
  338. noout = 1;
  339. break;
  340. case OPT_RR_PRINT:
  341. rr_print = 1;
  342. break;
  343. case OPT_RR_ALL:
  344. rr_allorfirst = 0;
  345. break;
  346. case OPT_RR_FIRST:
  347. rr_allorfirst = 1;
  348. break;
  349. case OPT_RCTFORM:
  350. if (rctformat == FORMAT_SMIME)
  351. rcms = SMIME_read_CMS(rctin, NULL);
  352. else if (rctformat == FORMAT_PEM)
  353. rcms = PEM_read_bio_CMS(rctin, NULL, NULL, NULL);
  354. else if (rctformat == FORMAT_ASN1)
  355. if (!opt_format(opt_arg(),
  356. OPT_FMT_PEMDER | OPT_FMT_SMIME, &rctformat))
  357. goto opthelp;
  358. break;
  359. case OPT_CERTFILE:
  360. certfile = opt_arg();
  361. break;
  362. case OPT_CAFILE:
  363. CAfile = opt_arg();
  364. break;
  365. case OPT_CAPATH:
  366. CApath = opt_arg();
  367. break;
  368. case OPT_NOCAFILE:
  369. noCAfile = 1;
  370. break;
  371. case OPT_NOCAPATH:
  372. noCApath = 1;
  373. break;
  374. case OPT_IN:
  375. infile = opt_arg();
  376. break;
  377. case OPT_CONTENT:
  378. contfile = opt_arg();
  379. break;
  380. case OPT_RR_FROM:
  381. if (rr_from == NULL
  382. && (rr_from = sk_OPENSSL_STRING_new_null()) == NULL)
  383. goto end;
  384. sk_OPENSSL_STRING_push(rr_from, opt_arg());
  385. break;
  386. case OPT_RR_TO:
  387. if (rr_to == NULL
  388. && (rr_to = sk_OPENSSL_STRING_new_null()) == NULL)
  389. goto end;
  390. sk_OPENSSL_STRING_push(rr_to, opt_arg());
  391. break;
  392. case OPT_PRINT:
  393. noout = print = 1;
  394. break;
  395. case OPT_SECRETKEY:
  396. if (secret_key != NULL) {
  397. BIO_printf(bio_err, "Invalid key (supplied twice) %s\n",
  398. opt_arg());
  399. goto opthelp;
  400. }
  401. secret_key = OPENSSL_hexstr2buf(opt_arg(), &ltmp);
  402. if (secret_key == NULL) {
  403. BIO_printf(bio_err, "Invalid key %s\n", opt_arg());
  404. goto end;
  405. }
  406. secret_keylen = (size_t)ltmp;
  407. break;
  408. case OPT_SECRETKEYID:
  409. if (secret_keyid != NULL) {
  410. BIO_printf(bio_err, "Invalid id (supplied twice) %s\n",
  411. opt_arg());
  412. goto opthelp;
  413. }
  414. secret_keyid = OPENSSL_hexstr2buf(opt_arg(), &ltmp);
  415. if (secret_keyid == NULL) {
  416. BIO_printf(bio_err, "Invalid id %s\n", opt_arg());
  417. goto opthelp;
  418. }
  419. secret_keyidlen = (size_t)ltmp;
  420. break;
  421. case OPT_PWRI_PASSWORD:
  422. pwri_pass = (unsigned char *)opt_arg();
  423. break;
  424. case OPT_ECONTENT_TYPE:
  425. if (econtent_type != NULL) {
  426. BIO_printf(bio_err, "Invalid OID (supplied twice) %s\n",
  427. opt_arg());
  428. goto opthelp;
  429. }
  430. econtent_type = OBJ_txt2obj(opt_arg(), 0);
  431. if (econtent_type == NULL) {
  432. BIO_printf(bio_err, "Invalid OID %s\n", opt_arg());
  433. goto opthelp;
  434. }
  435. break;
  436. case OPT_ENGINE:
  437. e = setup_engine(opt_arg(), 0);
  438. break;
  439. case OPT_PASSIN:
  440. passinarg = opt_arg();
  441. break;
  442. case OPT_TO:
  443. to = opt_arg();
  444. break;
  445. case OPT_FROM:
  446. from = opt_arg();
  447. break;
  448. case OPT_SUBJECT:
  449. subject = opt_arg();
  450. break;
  451. case OPT_CERTSOUT:
  452. certsoutfile = opt_arg();
  453. break;
  454. case OPT_MD:
  455. if (!opt_md(opt_arg(), &sign_md))
  456. goto end;
  457. break;
  458. case OPT_SIGNER:
  459. /* If previous -signer argument add signer to list */
  460. if (signerfile != NULL) {
  461. if (sksigners == NULL
  462. && (sksigners = sk_OPENSSL_STRING_new_null()) == NULL)
  463. goto end;
  464. sk_OPENSSL_STRING_push(sksigners, signerfile);
  465. if (keyfile == NULL)
  466. keyfile = signerfile;
  467. if (skkeys == NULL
  468. && (skkeys = sk_OPENSSL_STRING_new_null()) == NULL)
  469. goto end;
  470. sk_OPENSSL_STRING_push(skkeys, keyfile);
  471. keyfile = NULL;
  472. }
  473. signerfile = opt_arg();
  474. break;
  475. case OPT_INKEY:
  476. /* If previous -inkey argument add signer to list */
  477. if (keyfile != NULL) {
  478. if (signerfile == NULL) {
  479. BIO_puts(bio_err, "Illegal -inkey without -signer\n");
  480. goto end;
  481. }
  482. if (sksigners == NULL
  483. && (sksigners = sk_OPENSSL_STRING_new_null()) == NULL)
  484. goto end;
  485. sk_OPENSSL_STRING_push(sksigners, signerfile);
  486. signerfile = NULL;
  487. if (skkeys == NULL
  488. && (skkeys = sk_OPENSSL_STRING_new_null()) == NULL)
  489. goto end;
  490. sk_OPENSSL_STRING_push(skkeys, keyfile);
  491. }
  492. keyfile = opt_arg();
  493. break;
  494. case OPT_KEYFORM:
  495. if (!opt_format(opt_arg(), OPT_FMT_ANY, &keyform))
  496. goto opthelp;
  497. break;
  498. case OPT_RECIP:
  499. if (operation == SMIME_ENCRYPT) {
  500. if (encerts == NULL && (encerts = sk_X509_new_null()) == NULL)
  501. goto end;
  502. cert = load_cert(opt_arg(), FORMAT_PEM,
  503. "recipient certificate file");
  504. if (cert == NULL)
  505. goto end;
  506. sk_X509_push(encerts, cert);
  507. cert = NULL;
  508. } else {
  509. recipfile = opt_arg();
  510. }
  511. break;
  512. case OPT_CIPHER:
  513. if (!opt_cipher(opt_unknown(), &cipher))
  514. goto end;
  515. break;
  516. case OPT_KEYOPT:
  517. keyidx = -1;
  518. if (operation == SMIME_ENCRYPT) {
  519. if (encerts != NULL)
  520. keyidx += sk_X509_num(encerts);
  521. } else {
  522. if (keyfile != NULL || signerfile != NULL)
  523. keyidx++;
  524. if (skkeys != NULL)
  525. keyidx += sk_OPENSSL_STRING_num(skkeys);
  526. }
  527. if (keyidx < 0) {
  528. BIO_printf(bio_err, "No key specified\n");
  529. goto opthelp;
  530. }
  531. if (key_param == NULL || key_param->idx != keyidx) {
  532. cms_key_param *nparam;
  533. nparam = app_malloc(sizeof(*nparam), "key param buffer");
  534. nparam->idx = keyidx;
  535. if ((nparam->param = sk_OPENSSL_STRING_new_null()) == NULL)
  536. goto end;
  537. nparam->next = NULL;
  538. if (key_first == NULL)
  539. key_first = nparam;
  540. else
  541. key_param->next = nparam;
  542. key_param = nparam;
  543. }
  544. sk_OPENSSL_STRING_push(key_param->param, opt_arg());
  545. break;
  546. case OPT_V_CASES:
  547. if (!opt_verify(o, vpm))
  548. goto end;
  549. vpmtouched++;
  550. break;
  551. case OPT_R_CASES:
  552. if (!opt_rand(o))
  553. goto end;
  554. break;
  555. case OPT_3DES_WRAP:
  556. # ifndef OPENSSL_NO_DES
  557. wrap_cipher = EVP_des_ede3_wrap();
  558. # endif
  559. break;
  560. case OPT_AES128_WRAP:
  561. wrap_cipher = EVP_aes_128_wrap();
  562. break;
  563. case OPT_AES192_WRAP:
  564. wrap_cipher = EVP_aes_192_wrap();
  565. break;
  566. case OPT_AES256_WRAP:
  567. wrap_cipher = EVP_aes_256_wrap();
  568. break;
  569. }
  570. }
  571. argc = opt_num_rest();
  572. argv = opt_rest();
  573. if ((rr_allorfirst != -1 || rr_from != NULL) && rr_to == NULL) {
  574. BIO_puts(bio_err, "No Signed Receipts Recipients\n");
  575. goto opthelp;
  576. }
  577. if (!(operation & SMIME_SIGNERS) && (rr_to != NULL || rr_from != NULL)) {
  578. BIO_puts(bio_err, "Signed receipts only allowed with -sign\n");
  579. goto opthelp;
  580. }
  581. if (!(operation & SMIME_SIGNERS) && (skkeys != NULL || sksigners != NULL)) {
  582. BIO_puts(bio_err, "Multiple signers or keys not allowed\n");
  583. goto opthelp;
  584. }
  585. if (operation & SMIME_SIGNERS) {
  586. if (keyfile != NULL && signerfile == NULL) {
  587. BIO_puts(bio_err, "Illegal -inkey without -signer\n");
  588. goto opthelp;
  589. }
  590. /* Check to see if any final signer needs to be appended */
  591. if (signerfile != NULL) {
  592. if (sksigners == NULL
  593. && (sksigners = sk_OPENSSL_STRING_new_null()) == NULL)
  594. goto end;
  595. sk_OPENSSL_STRING_push(sksigners, signerfile);
  596. if (skkeys == NULL && (skkeys = sk_OPENSSL_STRING_new_null()) == NULL)
  597. goto end;
  598. if (keyfile == NULL)
  599. keyfile = signerfile;
  600. sk_OPENSSL_STRING_push(skkeys, keyfile);
  601. }
  602. if (sksigners == NULL) {
  603. BIO_printf(bio_err, "No signer certificate specified\n");
  604. goto opthelp;
  605. }
  606. signerfile = NULL;
  607. keyfile = NULL;
  608. } else if (operation == SMIME_DECRYPT) {
  609. if (recipfile == NULL && keyfile == NULL
  610. && secret_key == NULL && pwri_pass == NULL) {
  611. BIO_printf(bio_err,
  612. "No recipient certificate or key specified\n");
  613. goto opthelp;
  614. }
  615. } else if (operation == SMIME_ENCRYPT) {
  616. if (*argv == NULL && secret_key == NULL
  617. && pwri_pass == NULL && encerts == NULL) {
  618. BIO_printf(bio_err, "No recipient(s) certificate(s) specified\n");
  619. goto opthelp;
  620. }
  621. } else if (!operation) {
  622. goto opthelp;
  623. }
  624. if (!app_passwd(passinarg, NULL, &passin, NULL)) {
  625. BIO_printf(bio_err, "Error getting password\n");
  626. goto end;
  627. }
  628. ret = 2;
  629. if (!(operation & SMIME_SIGNERS))
  630. flags &= ~CMS_DETACHED;
  631. if (!(operation & SMIME_OP))
  632. if (flags & CMS_BINARY)
  633. outformat = FORMAT_BINARY;
  634. if (!(operation & SMIME_IP))
  635. if (flags & CMS_BINARY)
  636. informat = FORMAT_BINARY;
  637. if (operation == SMIME_ENCRYPT) {
  638. if (!cipher) {
  639. # ifndef OPENSSL_NO_DES
  640. cipher = EVP_des_ede3_cbc();
  641. # else
  642. BIO_printf(bio_err, "No cipher selected\n");
  643. goto end;
  644. # endif
  645. }
  646. if (secret_key && !secret_keyid) {
  647. BIO_printf(bio_err, "No secret key id\n");
  648. goto end;
  649. }
  650. if (*argv && encerts == NULL)
  651. if ((encerts = sk_X509_new_null()) == NULL)
  652. goto end;
  653. while (*argv) {
  654. if ((cert = load_cert(*argv, FORMAT_PEM,
  655. "recipient certificate file")) == NULL)
  656. goto end;
  657. sk_X509_push(encerts, cert);
  658. cert = NULL;
  659. argv++;
  660. }
  661. }
  662. if (certfile != NULL) {
  663. if (!load_certs(certfile, &other, FORMAT_PEM, NULL,
  664. "certificate file")) {
  665. ERR_print_errors(bio_err);
  666. goto end;
  667. }
  668. }
  669. if (recipfile != NULL && (operation == SMIME_DECRYPT)) {
  670. if ((recip = load_cert(recipfile, FORMAT_PEM,
  671. "recipient certificate file")) == NULL) {
  672. ERR_print_errors(bio_err);
  673. goto end;
  674. }
  675. }
  676. if (operation == SMIME_SIGN_RECEIPT) {
  677. if ((signer = load_cert(signerfile, FORMAT_PEM,
  678. "receipt signer certificate file")) == NULL) {
  679. ERR_print_errors(bio_err);
  680. goto end;
  681. }
  682. }
  683. if (operation == SMIME_DECRYPT) {
  684. if (keyfile == NULL)
  685. keyfile = recipfile;
  686. } else if ((operation == SMIME_SIGN) || (operation == SMIME_SIGN_RECEIPT)) {
  687. if (keyfile == NULL)
  688. keyfile = signerfile;
  689. } else {
  690. keyfile = NULL;
  691. }
  692. if (keyfile != NULL) {
  693. key = load_key(keyfile, keyform, 0, passin, e, "signing key file");
  694. if (key == NULL)
  695. goto end;
  696. }
  697. in = bio_open_default(infile, 'r', informat);
  698. if (in == NULL)
  699. goto end;
  700. if (operation & SMIME_IP) {
  701. if (informat == FORMAT_SMIME) {
  702. cms = SMIME_read_CMS(in, &indata);
  703. } else if (informat == FORMAT_PEM) {
  704. cms = PEM_read_bio_CMS(in, NULL, NULL, NULL);
  705. } else if (informat == FORMAT_ASN1) {
  706. cms = d2i_CMS_bio(in, NULL);
  707. } else {
  708. BIO_printf(bio_err, "Bad input format for CMS file\n");
  709. goto end;
  710. }
  711. if (cms == NULL) {
  712. BIO_printf(bio_err, "Error reading S/MIME message\n");
  713. goto end;
  714. }
  715. if (contfile != NULL) {
  716. BIO_free(indata);
  717. if ((indata = BIO_new_file(contfile, "rb")) == NULL) {
  718. BIO_printf(bio_err, "Can't read content file %s\n", contfile);
  719. goto end;
  720. }
  721. }
  722. if (certsoutfile != NULL) {
  723. STACK_OF(X509) *allcerts;
  724. allcerts = CMS_get1_certs(cms);
  725. if (!save_certs(certsoutfile, allcerts)) {
  726. BIO_printf(bio_err,
  727. "Error writing certs to %s\n", certsoutfile);
  728. ret = 5;
  729. goto end;
  730. }
  731. sk_X509_pop_free(allcerts, X509_free);
  732. }
  733. }
  734. if (rctfile != NULL) {
  735. char *rctmode = (rctformat == FORMAT_ASN1) ? "rb" : "r";
  736. if ((rctin = BIO_new_file(rctfile, rctmode)) == NULL) {
  737. BIO_printf(bio_err, "Can't open receipt file %s\n", rctfile);
  738. goto end;
  739. }
  740. if (rctformat == FORMAT_SMIME) {
  741. rcms = SMIME_read_CMS(rctin, NULL);
  742. } else if (rctformat == FORMAT_PEM) {
  743. rcms = PEM_read_bio_CMS(rctin, NULL, NULL, NULL);
  744. } else if (rctformat == FORMAT_ASN1) {
  745. rcms = d2i_CMS_bio(rctin, NULL);
  746. } else {
  747. BIO_printf(bio_err, "Bad input format for receipt\n");
  748. goto end;
  749. }
  750. if (rcms == NULL) {
  751. BIO_printf(bio_err, "Error reading receipt\n");
  752. goto end;
  753. }
  754. }
  755. out = bio_open_default(outfile, 'w', outformat);
  756. if (out == NULL)
  757. goto end;
  758. if ((operation == SMIME_VERIFY) || (operation == SMIME_VERIFY_RECEIPT)) {
  759. if ((store = setup_verify(CAfile, CApath, noCAfile, noCApath)) == NULL)
  760. goto end;
  761. X509_STORE_set_verify_cb(store, cms_cb);
  762. if (vpmtouched)
  763. X509_STORE_set1_param(store, vpm);
  764. }
  765. ret = 3;
  766. if (operation == SMIME_DATA_CREATE) {
  767. cms = CMS_data_create(in, flags);
  768. } else if (operation == SMIME_DIGEST_CREATE) {
  769. cms = CMS_digest_create(in, sign_md, flags);
  770. } else if (operation == SMIME_COMPRESS) {
  771. cms = CMS_compress(in, -1, flags);
  772. } else if (operation == SMIME_ENCRYPT) {
  773. int i;
  774. flags |= CMS_PARTIAL;
  775. cms = CMS_encrypt(NULL, in, cipher, flags);
  776. if (cms == NULL)
  777. goto end;
  778. for (i = 0; i < sk_X509_num(encerts); i++) {
  779. CMS_RecipientInfo *ri;
  780. cms_key_param *kparam;
  781. int tflags = flags;
  782. X509 *x = sk_X509_value(encerts, i);
  783. for (kparam = key_first; kparam; kparam = kparam->next) {
  784. if (kparam->idx == i) {
  785. tflags |= CMS_KEY_PARAM;
  786. break;
  787. }
  788. }
  789. ri = CMS_add1_recipient_cert(cms, x, tflags);
  790. if (ri == NULL)
  791. goto end;
  792. if (kparam != NULL) {
  793. EVP_PKEY_CTX *pctx;
  794. pctx = CMS_RecipientInfo_get0_pkey_ctx(ri);
  795. if (!cms_set_pkey_param(pctx, kparam->param))
  796. goto end;
  797. }
  798. if (CMS_RecipientInfo_type(ri) == CMS_RECIPINFO_AGREE
  799. && wrap_cipher) {
  800. EVP_CIPHER_CTX *wctx;
  801. wctx = CMS_RecipientInfo_kari_get0_ctx(ri);
  802. EVP_EncryptInit_ex(wctx, wrap_cipher, NULL, NULL, NULL);
  803. }
  804. }
  805. if (secret_key != NULL) {
  806. if (!CMS_add0_recipient_key(cms, NID_undef,
  807. secret_key, secret_keylen,
  808. secret_keyid, secret_keyidlen,
  809. NULL, NULL, NULL))
  810. goto end;
  811. /* NULL these because call absorbs them */
  812. secret_key = NULL;
  813. secret_keyid = NULL;
  814. }
  815. if (pwri_pass != NULL) {
  816. pwri_tmp = (unsigned char *)OPENSSL_strdup((char *)pwri_pass);
  817. if (pwri_tmp == NULL)
  818. goto end;
  819. if (CMS_add0_recipient_password(cms,
  820. -1, NID_undef, NID_undef,
  821. pwri_tmp, -1, NULL) == NULL)
  822. goto end;
  823. pwri_tmp = NULL;
  824. }
  825. if (!(flags & CMS_STREAM)) {
  826. if (!CMS_final(cms, in, NULL, flags))
  827. goto end;
  828. }
  829. } else if (operation == SMIME_ENCRYPTED_ENCRYPT) {
  830. cms = CMS_EncryptedData_encrypt(in, cipher,
  831. secret_key, secret_keylen, flags);
  832. } else if (operation == SMIME_SIGN_RECEIPT) {
  833. CMS_ContentInfo *srcms = NULL;
  834. STACK_OF(CMS_SignerInfo) *sis;
  835. CMS_SignerInfo *si;
  836. sis = CMS_get0_SignerInfos(cms);
  837. if (sis == NULL)
  838. goto end;
  839. si = sk_CMS_SignerInfo_value(sis, 0);
  840. srcms = CMS_sign_receipt(si, signer, key, other, flags);
  841. if (srcms == NULL)
  842. goto end;
  843. CMS_ContentInfo_free(cms);
  844. cms = srcms;
  845. } else if (operation & SMIME_SIGNERS) {
  846. int i;
  847. /*
  848. * If detached data content we enable streaming if S/MIME output
  849. * format.
  850. */
  851. if (operation == SMIME_SIGN) {
  852. if (flags & CMS_DETACHED) {
  853. if (outformat == FORMAT_SMIME)
  854. flags |= CMS_STREAM;
  855. }
  856. flags |= CMS_PARTIAL;
  857. cms = CMS_sign(NULL, NULL, other, in, flags);
  858. if (cms == NULL)
  859. goto end;
  860. if (econtent_type != NULL)
  861. CMS_set1_eContentType(cms, econtent_type);
  862. if (rr_to != NULL) {
  863. rr = make_receipt_request(rr_to, rr_allorfirst, rr_from);
  864. if (rr == NULL) {
  865. BIO_puts(bio_err,
  866. "Signed Receipt Request Creation Error\n");
  867. goto end;
  868. }
  869. }
  870. } else {
  871. flags |= CMS_REUSE_DIGEST;
  872. }
  873. for (i = 0; i < sk_OPENSSL_STRING_num(sksigners); i++) {
  874. CMS_SignerInfo *si;
  875. cms_key_param *kparam;
  876. int tflags = flags;
  877. signerfile = sk_OPENSSL_STRING_value(sksigners, i);
  878. keyfile = sk_OPENSSL_STRING_value(skkeys, i);
  879. signer = load_cert(signerfile, FORMAT_PEM, "signer certificate");
  880. if (signer == NULL) {
  881. ret = 2;
  882. goto end;
  883. }
  884. key = load_key(keyfile, keyform, 0, passin, e, "signing key file");
  885. if (key == NULL) {
  886. ret = 2;
  887. goto end;
  888. }
  889. for (kparam = key_first; kparam; kparam = kparam->next) {
  890. if (kparam->idx == i) {
  891. tflags |= CMS_KEY_PARAM;
  892. break;
  893. }
  894. }
  895. si = CMS_add1_signer(cms, signer, key, sign_md, tflags);
  896. if (si == NULL)
  897. goto end;
  898. if (kparam != NULL) {
  899. EVP_PKEY_CTX *pctx;
  900. pctx = CMS_SignerInfo_get0_pkey_ctx(si);
  901. if (!cms_set_pkey_param(pctx, kparam->param))
  902. goto end;
  903. }
  904. if (rr != NULL && !CMS_add1_ReceiptRequest(si, rr))
  905. goto end;
  906. X509_free(signer);
  907. signer = NULL;
  908. EVP_PKEY_free(key);
  909. key = NULL;
  910. }
  911. /* If not streaming or resigning finalize structure */
  912. if ((operation == SMIME_SIGN) && !(flags & CMS_STREAM)) {
  913. if (!CMS_final(cms, in, NULL, flags))
  914. goto end;
  915. }
  916. }
  917. if (cms == NULL) {
  918. BIO_printf(bio_err, "Error creating CMS structure\n");
  919. goto end;
  920. }
  921. ret = 4;
  922. if (operation == SMIME_DECRYPT) {
  923. if (flags & CMS_DEBUG_DECRYPT)
  924. CMS_decrypt(cms, NULL, NULL, NULL, NULL, flags);
  925. if (secret_key != NULL) {
  926. if (!CMS_decrypt_set1_key(cms,
  927. secret_key, secret_keylen,
  928. secret_keyid, secret_keyidlen)) {
  929. BIO_puts(bio_err, "Error decrypting CMS using secret key\n");
  930. goto end;
  931. }
  932. }
  933. if (key != NULL) {
  934. if (!CMS_decrypt_set1_pkey(cms, key, recip)) {
  935. BIO_puts(bio_err, "Error decrypting CMS using private key\n");
  936. goto end;
  937. }
  938. }
  939. if (pwri_pass != NULL) {
  940. if (!CMS_decrypt_set1_password(cms, pwri_pass, -1)) {
  941. BIO_puts(bio_err, "Error decrypting CMS using password\n");
  942. goto end;
  943. }
  944. }
  945. if (!CMS_decrypt(cms, NULL, NULL, indata, out, flags)) {
  946. BIO_printf(bio_err, "Error decrypting CMS structure\n");
  947. goto end;
  948. }
  949. } else if (operation == SMIME_DATAOUT) {
  950. if (!CMS_data(cms, out, flags))
  951. goto end;
  952. } else if (operation == SMIME_UNCOMPRESS) {
  953. if (!CMS_uncompress(cms, indata, out, flags))
  954. goto end;
  955. } else if (operation == SMIME_DIGEST_VERIFY) {
  956. if (CMS_digest_verify(cms, indata, out, flags) > 0) {
  957. BIO_printf(bio_err, "Verification successful\n");
  958. } else {
  959. BIO_printf(bio_err, "Verification failure\n");
  960. goto end;
  961. }
  962. } else if (operation == SMIME_ENCRYPTED_DECRYPT) {
  963. if (!CMS_EncryptedData_decrypt(cms, secret_key, secret_keylen,
  964. indata, out, flags))
  965. goto end;
  966. } else if (operation == SMIME_VERIFY) {
  967. if (CMS_verify(cms, other, store, indata, out, flags) > 0) {
  968. BIO_printf(bio_err, "Verification successful\n");
  969. } else {
  970. BIO_printf(bio_err, "Verification failure\n");
  971. if (verify_retcode)
  972. ret = verify_err + 32;
  973. goto end;
  974. }
  975. if (signerfile != NULL) {
  976. STACK_OF(X509) *signers;
  977. signers = CMS_get0_signers(cms);
  978. if (!save_certs(signerfile, signers)) {
  979. BIO_printf(bio_err,
  980. "Error writing signers to %s\n", signerfile);
  981. ret = 5;
  982. goto end;
  983. }
  984. sk_X509_free(signers);
  985. }
  986. if (rr_print)
  987. receipt_request_print(cms);
  988. } else if (operation == SMIME_VERIFY_RECEIPT) {
  989. if (CMS_verify_receipt(rcms, cms, other, store, flags) > 0) {
  990. BIO_printf(bio_err, "Verification successful\n");
  991. } else {
  992. BIO_printf(bio_err, "Verification failure\n");
  993. goto end;
  994. }
  995. } else {
  996. if (noout) {
  997. if (print)
  998. CMS_ContentInfo_print_ctx(out, cms, 0, NULL);
  999. } else if (outformat == FORMAT_SMIME) {
  1000. if (to)
  1001. BIO_printf(out, "To: %s%s", to, mime_eol);
  1002. if (from)
  1003. BIO_printf(out, "From: %s%s", from, mime_eol);
  1004. if (subject)
  1005. BIO_printf(out, "Subject: %s%s", subject, mime_eol);
  1006. if (operation == SMIME_RESIGN)
  1007. ret = SMIME_write_CMS(out, cms, indata, flags);
  1008. else
  1009. ret = SMIME_write_CMS(out, cms, in, flags);
  1010. } else if (outformat == FORMAT_PEM) {
  1011. ret = PEM_write_bio_CMS_stream(out, cms, in, flags);
  1012. } else if (outformat == FORMAT_ASN1) {
  1013. ret = i2d_CMS_bio_stream(out, cms, in, flags);
  1014. } else {
  1015. BIO_printf(bio_err, "Bad output format for CMS file\n");
  1016. goto end;
  1017. }
  1018. if (ret <= 0) {
  1019. ret = 6;
  1020. goto end;
  1021. }
  1022. }
  1023. ret = 0;
  1024. end:
  1025. if (ret)
  1026. ERR_print_errors(bio_err);
  1027. sk_X509_pop_free(encerts, X509_free);
  1028. sk_X509_pop_free(other, X509_free);
  1029. X509_VERIFY_PARAM_free(vpm);
  1030. sk_OPENSSL_STRING_free(sksigners);
  1031. sk_OPENSSL_STRING_free(skkeys);
  1032. OPENSSL_free(secret_key);
  1033. OPENSSL_free(secret_keyid);
  1034. OPENSSL_free(pwri_tmp);
  1035. ASN1_OBJECT_free(econtent_type);
  1036. CMS_ReceiptRequest_free(rr);
  1037. sk_OPENSSL_STRING_free(rr_to);
  1038. sk_OPENSSL_STRING_free(rr_from);
  1039. for (key_param = key_first; key_param;) {
  1040. cms_key_param *tparam;
  1041. sk_OPENSSL_STRING_free(key_param->param);
  1042. tparam = key_param->next;
  1043. OPENSSL_free(key_param);
  1044. key_param = tparam;
  1045. }
  1046. X509_STORE_free(store);
  1047. X509_free(cert);
  1048. X509_free(recip);
  1049. X509_free(signer);
  1050. EVP_PKEY_free(key);
  1051. CMS_ContentInfo_free(cms);
  1052. CMS_ContentInfo_free(rcms);
  1053. release_engine(e);
  1054. BIO_free(rctin);
  1055. BIO_free(in);
  1056. BIO_free(indata);
  1057. BIO_free_all(out);
  1058. OPENSSL_free(passin);
  1059. return ret;
  1060. }
  1061. static int save_certs(char *signerfile, STACK_OF(X509) *signers)
  1062. {
  1063. int i;
  1064. BIO *tmp;
  1065. if (signerfile == NULL)
  1066. return 1;
  1067. tmp = BIO_new_file(signerfile, "w");
  1068. if (tmp == NULL)
  1069. return 0;
  1070. for (i = 0; i < sk_X509_num(signers); i++)
  1071. PEM_write_bio_X509(tmp, sk_X509_value(signers, i));
  1072. BIO_free(tmp);
  1073. return 1;
  1074. }
  1075. /* Minimal callback just to output policy info (if any) */
  1076. static int cms_cb(int ok, X509_STORE_CTX *ctx)
  1077. {
  1078. int error;
  1079. error = X509_STORE_CTX_get_error(ctx);
  1080. verify_err = error;
  1081. if ((error != X509_V_ERR_NO_EXPLICIT_POLICY)
  1082. && ((error != X509_V_OK) || (ok != 2)))
  1083. return ok;
  1084. policies_print(ctx);
  1085. return ok;
  1086. }
  1087. static void gnames_stack_print(STACK_OF(GENERAL_NAMES) *gns)
  1088. {
  1089. STACK_OF(GENERAL_NAME) *gens;
  1090. GENERAL_NAME *gen;
  1091. int i, j;
  1092. for (i = 0; i < sk_GENERAL_NAMES_num(gns); i++) {
  1093. gens = sk_GENERAL_NAMES_value(gns, i);
  1094. for (j = 0; j < sk_GENERAL_NAME_num(gens); j++) {
  1095. gen = sk_GENERAL_NAME_value(gens, j);
  1096. BIO_puts(bio_err, " ");
  1097. GENERAL_NAME_print(bio_err, gen);
  1098. BIO_puts(bio_err, "\n");
  1099. }
  1100. }
  1101. return;
  1102. }
  1103. static void receipt_request_print(CMS_ContentInfo *cms)
  1104. {
  1105. STACK_OF(CMS_SignerInfo) *sis;
  1106. CMS_SignerInfo *si;
  1107. CMS_ReceiptRequest *rr;
  1108. int allorfirst;
  1109. STACK_OF(GENERAL_NAMES) *rto, *rlist;
  1110. ASN1_STRING *scid;
  1111. int i, rv;
  1112. sis = CMS_get0_SignerInfos(cms);
  1113. for (i = 0; i < sk_CMS_SignerInfo_num(sis); i++) {
  1114. si = sk_CMS_SignerInfo_value(sis, i);
  1115. rv = CMS_get1_ReceiptRequest(si, &rr);
  1116. BIO_printf(bio_err, "Signer %d:\n", i + 1);
  1117. if (rv == 0) {
  1118. BIO_puts(bio_err, " No Receipt Request\n");
  1119. } else if (rv < 0) {
  1120. BIO_puts(bio_err, " Receipt Request Parse Error\n");
  1121. ERR_print_errors(bio_err);
  1122. } else {
  1123. const char *id;
  1124. int idlen;
  1125. CMS_ReceiptRequest_get0_values(rr, &scid, &allorfirst,
  1126. &rlist, &rto);
  1127. BIO_puts(bio_err, " Signed Content ID:\n");
  1128. idlen = ASN1_STRING_length(scid);
  1129. id = (const char *)ASN1_STRING_get0_data(scid);
  1130. BIO_dump_indent(bio_err, id, idlen, 4);
  1131. BIO_puts(bio_err, " Receipts From");
  1132. if (rlist != NULL) {
  1133. BIO_puts(bio_err, " List:\n");
  1134. gnames_stack_print(rlist);
  1135. } else if (allorfirst == 1) {
  1136. BIO_puts(bio_err, ": First Tier\n");
  1137. } else if (allorfirst == 0) {
  1138. BIO_puts(bio_err, ": All\n");
  1139. } else {
  1140. BIO_printf(bio_err, " Unknown (%d)\n", allorfirst);
  1141. }
  1142. BIO_puts(bio_err, " Receipts To:\n");
  1143. gnames_stack_print(rto);
  1144. }
  1145. CMS_ReceiptRequest_free(rr);
  1146. }
  1147. }
  1148. static STACK_OF(GENERAL_NAMES) *make_names_stack(STACK_OF(OPENSSL_STRING) *ns)
  1149. {
  1150. int i;
  1151. STACK_OF(GENERAL_NAMES) *ret;
  1152. GENERAL_NAMES *gens = NULL;
  1153. GENERAL_NAME *gen = NULL;
  1154. ret = sk_GENERAL_NAMES_new_null();
  1155. if (ret == NULL)
  1156. goto err;
  1157. for (i = 0; i < sk_OPENSSL_STRING_num(ns); i++) {
  1158. char *str = sk_OPENSSL_STRING_value(ns, i);
  1159. gen = a2i_GENERAL_NAME(NULL, NULL, NULL, GEN_EMAIL, str, 0);
  1160. if (gen == NULL)
  1161. goto err;
  1162. gens = GENERAL_NAMES_new();
  1163. if (gens == NULL)
  1164. goto err;
  1165. if (!sk_GENERAL_NAME_push(gens, gen))
  1166. goto err;
  1167. gen = NULL;
  1168. if (!sk_GENERAL_NAMES_push(ret, gens))
  1169. goto err;
  1170. gens = NULL;
  1171. }
  1172. return ret;
  1173. err:
  1174. sk_GENERAL_NAMES_pop_free(ret, GENERAL_NAMES_free);
  1175. GENERAL_NAMES_free(gens);
  1176. GENERAL_NAME_free(gen);
  1177. return NULL;
  1178. }
  1179. static CMS_ReceiptRequest *make_receipt_request(STACK_OF(OPENSSL_STRING)
  1180. *rr_to, int rr_allorfirst, STACK_OF(OPENSSL_STRING)
  1181. *rr_from)
  1182. {
  1183. STACK_OF(GENERAL_NAMES) *rct_to = NULL, *rct_from = NULL;
  1184. CMS_ReceiptRequest *rr;
  1185. rct_to = make_names_stack(rr_to);
  1186. if (rct_to == NULL)
  1187. goto err;
  1188. if (rr_from != NULL) {
  1189. rct_from = make_names_stack(rr_from);
  1190. if (rct_from == NULL)
  1191. goto err;
  1192. } else {
  1193. rct_from = NULL;
  1194. }
  1195. rr = CMS_ReceiptRequest_create0(NULL, -1, rr_allorfirst, rct_from,
  1196. rct_to);
  1197. return rr;
  1198. err:
  1199. sk_GENERAL_NAMES_pop_free(rct_to, GENERAL_NAMES_free);
  1200. return NULL;
  1201. }
  1202. static int cms_set_pkey_param(EVP_PKEY_CTX *pctx,
  1203. STACK_OF(OPENSSL_STRING) *param)
  1204. {
  1205. char *keyopt;
  1206. int i;
  1207. if (sk_OPENSSL_STRING_num(param) <= 0)
  1208. return 1;
  1209. for (i = 0; i < sk_OPENSSL_STRING_num(param); i++) {
  1210. keyopt = sk_OPENSSL_STRING_value(param, i);
  1211. if (pkey_ctrl_string(pctx, keyopt) <= 0) {
  1212. BIO_printf(bio_err, "parameter error \"%s\"\n", keyopt);
  1213. ERR_print_errors(bio_err);
  1214. return 0;
  1215. }
  1216. }
  1217. return 1;
  1218. }
  1219. #endif