cms.c 47 KB

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186118711881189119011911192119311941195119611971198119912001201120212031204120512061207120812091210121112121213121412151216121712181219122012211222122312241225122612271228122912301231123212331234123512361237123812391240124112421243124412451246124712481249125012511252125312541255125612571258125912601261126212631264126512661267126812691270127112721273127412751276127712781279128012811282128312841285128612871288128912901291129212931294129512961297129812991300130113021303130413051306130713081309131013111312131313141315131613171318131913201321132213231324132513261327132813291330133113321333133413351336133713381339134013411342134313441345134613471348134913501351135213531354
  1. /* apps/cms.c */
  2. /*
  3. * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  4. * project.
  5. */
  6. /* ====================================================================
  7. * Copyright (c) 2008 The OpenSSL Project. All rights reserved.
  8. *
  9. * Redistribution and use in source and binary forms, with or without
  10. * modification, are permitted provided that the following conditions
  11. * are met:
  12. *
  13. * 1. Redistributions of source code must retain the above copyright
  14. * notice, this list of conditions and the following disclaimer.
  15. *
  16. * 2. Redistributions in binary form must reproduce the above copyright
  17. * notice, this list of conditions and the following disclaimer in
  18. * the documentation and/or other materials provided with the
  19. * distribution.
  20. *
  21. * 3. All advertising materials mentioning features or use of this
  22. * software must display the following acknowledgment:
  23. * "This product includes software developed by the OpenSSL Project
  24. * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
  25. *
  26. * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
  27. * endorse or promote products derived from this software without
  28. * prior written permission. For written permission, please contact
  29. * licensing@OpenSSL.org.
  30. *
  31. * 5. Products derived from this software may not be called "OpenSSL"
  32. * nor may "OpenSSL" appear in their names without prior written
  33. * permission of the OpenSSL Project.
  34. *
  35. * 6. Redistributions of any form whatsoever must retain the following
  36. * acknowledgment:
  37. * "This product includes software developed by the OpenSSL Project
  38. * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
  39. *
  40. * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
  41. * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  42. * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
  43. * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
  44. * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
  45. * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  46. * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
  47. * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  48. * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
  49. * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  50. * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
  51. * OF THE POSSIBILITY OF SUCH DAMAGE.
  52. * ====================================================================
  53. */
  54. /* CMS utility function */
  55. #include <stdio.h>
  56. #include <string.h>
  57. #include "apps.h"
  58. #ifndef OPENSSL_NO_CMS
  59. # include <openssl/crypto.h>
  60. # include <openssl/pem.h>
  61. # include <openssl/err.h>
  62. # include <openssl/x509_vfy.h>
  63. # include <openssl/x509v3.h>
  64. # include <openssl/cms.h>
  65. # undef PROG
  66. # define PROG cms_main
  67. static int save_certs(char *signerfile, STACK_OF(X509) *signers);
  68. static int cms_cb(int ok, X509_STORE_CTX *ctx);
  69. static void receipt_request_print(BIO *out, CMS_ContentInfo *cms);
  70. static CMS_ReceiptRequest *make_receipt_request(STACK_OF(OPENSSL_STRING)
  71. *rr_to, int rr_allorfirst, STACK_OF(OPENSSL_STRING)
  72. *rr_from);
  73. static int cms_set_pkey_param(EVP_PKEY_CTX *pctx,
  74. STACK_OF(OPENSSL_STRING) *param);
  75. # define SMIME_OP 0x10
  76. # define SMIME_IP 0x20
  77. # define SMIME_SIGNERS 0x40
  78. # define SMIME_ENCRYPT (1 | SMIME_OP)
  79. # define SMIME_DECRYPT (2 | SMIME_IP)
  80. # define SMIME_SIGN (3 | SMIME_OP | SMIME_SIGNERS)
  81. # define SMIME_VERIFY (4 | SMIME_IP)
  82. # define SMIME_CMSOUT (5 | SMIME_IP | SMIME_OP)
  83. # define SMIME_RESIGN (6 | SMIME_IP | SMIME_OP | SMIME_SIGNERS)
  84. # define SMIME_DATAOUT (7 | SMIME_IP)
  85. # define SMIME_DATA_CREATE (8 | SMIME_OP)
  86. # define SMIME_DIGEST_VERIFY (9 | SMIME_IP)
  87. # define SMIME_DIGEST_CREATE (10 | SMIME_OP)
  88. # define SMIME_UNCOMPRESS (11 | SMIME_IP)
  89. # define SMIME_COMPRESS (12 | SMIME_OP)
  90. # define SMIME_ENCRYPTED_DECRYPT (13 | SMIME_IP)
  91. # define SMIME_ENCRYPTED_ENCRYPT (14 | SMIME_OP)
  92. # define SMIME_SIGN_RECEIPT (15 | SMIME_IP | SMIME_OP)
  93. # define SMIME_VERIFY_RECEIPT (16 | SMIME_IP)
  94. int verify_err = 0;
  95. typedef struct cms_key_param_st cms_key_param;
  96. struct cms_key_param_st {
  97. int idx;
  98. STACK_OF(OPENSSL_STRING) *param;
  99. cms_key_param *next;
  100. };
  101. int MAIN(int, char **);
  102. int MAIN(int argc, char **argv)
  103. {
  104. ENGINE *e = NULL;
  105. int operation = 0;
  106. int ret = 0;
  107. char **args;
  108. const char *inmode = "r", *outmode = "w";
  109. char *infile = NULL, *outfile = NULL, *rctfile = NULL;
  110. char *signerfile = NULL, *recipfile = NULL;
  111. STACK_OF(OPENSSL_STRING) *sksigners = NULL, *skkeys = NULL;
  112. char *certfile = NULL, *keyfile = NULL, *contfile = NULL;
  113. char *certsoutfile = NULL;
  114. const EVP_CIPHER *cipher = NULL, *wrap_cipher = NULL;
  115. CMS_ContentInfo *cms = NULL, *rcms = NULL;
  116. X509_STORE *store = NULL;
  117. X509 *cert = NULL, *recip = NULL, *signer = NULL;
  118. EVP_PKEY *key = NULL;
  119. STACK_OF(X509) *encerts = NULL, *other = NULL;
  120. BIO *in = NULL, *out = NULL, *indata = NULL, *rctin = NULL;
  121. int badarg = 0;
  122. int flags = CMS_DETACHED, noout = 0, print = 0;
  123. int verify_retcode = 0;
  124. int rr_print = 0, rr_allorfirst = -1;
  125. STACK_OF(OPENSSL_STRING) *rr_to = NULL, *rr_from = NULL;
  126. CMS_ReceiptRequest *rr = NULL;
  127. char *to = NULL, *from = NULL, *subject = NULL;
  128. char *CAfile = NULL, *CApath = NULL;
  129. char *passargin = NULL, *passin = NULL;
  130. char *inrand = NULL;
  131. int need_rand = 0;
  132. const EVP_MD *sign_md = NULL;
  133. int informat = FORMAT_SMIME, outformat = FORMAT_SMIME;
  134. int rctformat = FORMAT_SMIME, keyform = FORMAT_PEM;
  135. char *engine = NULL;
  136. unsigned char *secret_key = NULL, *secret_keyid = NULL;
  137. unsigned char *pwri_pass = NULL, *pwri_tmp = NULL;
  138. size_t secret_keylen = 0, secret_keyidlen = 0;
  139. cms_key_param *key_first = NULL, *key_param = NULL;
  140. ASN1_OBJECT *econtent_type = NULL;
  141. X509_VERIFY_PARAM *vpm = NULL;
  142. args = argv + 1;
  143. ret = 1;
  144. apps_startup();
  145. if (bio_err == NULL) {
  146. if ((bio_err = BIO_new(BIO_s_file())) != NULL)
  147. BIO_set_fp(bio_err, stderr, BIO_NOCLOSE | BIO_FP_TEXT);
  148. }
  149. if (!load_config(bio_err, NULL))
  150. goto end;
  151. while (!badarg && *args && *args[0] == '-') {
  152. if (!strcmp(*args, "-encrypt"))
  153. operation = SMIME_ENCRYPT;
  154. else if (!strcmp(*args, "-decrypt"))
  155. operation = SMIME_DECRYPT;
  156. else if (!strcmp(*args, "-sign"))
  157. operation = SMIME_SIGN;
  158. else if (!strcmp(*args, "-sign_receipt"))
  159. operation = SMIME_SIGN_RECEIPT;
  160. else if (!strcmp(*args, "-resign"))
  161. operation = SMIME_RESIGN;
  162. else if (!strcmp(*args, "-verify"))
  163. operation = SMIME_VERIFY;
  164. else if (!strcmp(*args, "-verify_retcode"))
  165. verify_retcode = 1;
  166. else if (!strcmp(*args, "-verify_receipt")) {
  167. operation = SMIME_VERIFY_RECEIPT;
  168. if (!args[1])
  169. goto argerr;
  170. args++;
  171. rctfile = *args;
  172. } else if (!strcmp(*args, "-cmsout"))
  173. operation = SMIME_CMSOUT;
  174. else if (!strcmp(*args, "-data_out"))
  175. operation = SMIME_DATAOUT;
  176. else if (!strcmp(*args, "-data_create"))
  177. operation = SMIME_DATA_CREATE;
  178. else if (!strcmp(*args, "-digest_verify"))
  179. operation = SMIME_DIGEST_VERIFY;
  180. else if (!strcmp(*args, "-digest_create"))
  181. operation = SMIME_DIGEST_CREATE;
  182. else if (!strcmp(*args, "-compress"))
  183. operation = SMIME_COMPRESS;
  184. else if (!strcmp(*args, "-uncompress"))
  185. operation = SMIME_UNCOMPRESS;
  186. else if (!strcmp(*args, "-EncryptedData_decrypt"))
  187. operation = SMIME_ENCRYPTED_DECRYPT;
  188. else if (!strcmp(*args, "-EncryptedData_encrypt"))
  189. operation = SMIME_ENCRYPTED_ENCRYPT;
  190. # ifndef OPENSSL_NO_DES
  191. else if (!strcmp(*args, "-des3"))
  192. cipher = EVP_des_ede3_cbc();
  193. else if (!strcmp(*args, "-des"))
  194. cipher = EVP_des_cbc();
  195. else if (!strcmp(*args, "-des3-wrap"))
  196. wrap_cipher = EVP_des_ede3_wrap();
  197. # endif
  198. # ifndef OPENSSL_NO_SEED
  199. else if (!strcmp(*args, "-seed"))
  200. cipher = EVP_seed_cbc();
  201. # endif
  202. # ifndef OPENSSL_NO_RC2
  203. else if (!strcmp(*args, "-rc2-40"))
  204. cipher = EVP_rc2_40_cbc();
  205. else if (!strcmp(*args, "-rc2-128"))
  206. cipher = EVP_rc2_cbc();
  207. else if (!strcmp(*args, "-rc2-64"))
  208. cipher = EVP_rc2_64_cbc();
  209. # endif
  210. # ifndef OPENSSL_NO_AES
  211. else if (!strcmp(*args, "-aes128"))
  212. cipher = EVP_aes_128_cbc();
  213. else if (!strcmp(*args, "-aes192"))
  214. cipher = EVP_aes_192_cbc();
  215. else if (!strcmp(*args, "-aes256"))
  216. cipher = EVP_aes_256_cbc();
  217. else if (!strcmp(*args, "-aes128-wrap"))
  218. wrap_cipher = EVP_aes_128_wrap();
  219. else if (!strcmp(*args, "-aes192-wrap"))
  220. wrap_cipher = EVP_aes_192_wrap();
  221. else if (!strcmp(*args, "-aes256-wrap"))
  222. wrap_cipher = EVP_aes_256_wrap();
  223. # endif
  224. # ifndef OPENSSL_NO_CAMELLIA
  225. else if (!strcmp(*args, "-camellia128"))
  226. cipher = EVP_camellia_128_cbc();
  227. else if (!strcmp(*args, "-camellia192"))
  228. cipher = EVP_camellia_192_cbc();
  229. else if (!strcmp(*args, "-camellia256"))
  230. cipher = EVP_camellia_256_cbc();
  231. # endif
  232. else if (!strcmp(*args, "-debug_decrypt"))
  233. flags |= CMS_DEBUG_DECRYPT;
  234. else if (!strcmp(*args, "-text"))
  235. flags |= CMS_TEXT;
  236. else if (!strcmp(*args, "-nointern"))
  237. flags |= CMS_NOINTERN;
  238. else if (!strcmp(*args, "-noverify")
  239. || !strcmp(*args, "-no_signer_cert_verify"))
  240. flags |= CMS_NO_SIGNER_CERT_VERIFY;
  241. else if (!strcmp(*args, "-nocerts"))
  242. flags |= CMS_NOCERTS;
  243. else if (!strcmp(*args, "-noattr"))
  244. flags |= CMS_NOATTR;
  245. else if (!strcmp(*args, "-nodetach"))
  246. flags &= ~CMS_DETACHED;
  247. else if (!strcmp(*args, "-nosmimecap"))
  248. flags |= CMS_NOSMIMECAP;
  249. else if (!strcmp(*args, "-binary"))
  250. flags |= CMS_BINARY;
  251. else if (!strcmp(*args, "-keyid"))
  252. flags |= CMS_USE_KEYID;
  253. else if (!strcmp(*args, "-nosigs"))
  254. flags |= CMS_NOSIGS;
  255. else if (!strcmp(*args, "-no_content_verify"))
  256. flags |= CMS_NO_CONTENT_VERIFY;
  257. else if (!strcmp(*args, "-no_attr_verify"))
  258. flags |= CMS_NO_ATTR_VERIFY;
  259. else if (!strcmp(*args, "-stream"))
  260. flags |= CMS_STREAM;
  261. else if (!strcmp(*args, "-indef"))
  262. flags |= CMS_STREAM;
  263. else if (!strcmp(*args, "-noindef"))
  264. flags &= ~CMS_STREAM;
  265. else if (!strcmp(*args, "-nooldmime"))
  266. flags |= CMS_NOOLDMIMETYPE;
  267. else if (!strcmp(*args, "-crlfeol"))
  268. flags |= CMS_CRLFEOL;
  269. else if (!strcmp(*args, "-noout"))
  270. noout = 1;
  271. else if (!strcmp(*args, "-receipt_request_print"))
  272. rr_print = 1;
  273. else if (!strcmp(*args, "-receipt_request_all"))
  274. rr_allorfirst = 0;
  275. else if (!strcmp(*args, "-receipt_request_first"))
  276. rr_allorfirst = 1;
  277. else if (!strcmp(*args, "-receipt_request_from")) {
  278. if (!args[1])
  279. goto argerr;
  280. args++;
  281. if (!rr_from)
  282. rr_from = sk_OPENSSL_STRING_new_null();
  283. sk_OPENSSL_STRING_push(rr_from, *args);
  284. } else if (!strcmp(*args, "-receipt_request_to")) {
  285. if (!args[1])
  286. goto argerr;
  287. args++;
  288. if (!rr_to)
  289. rr_to = sk_OPENSSL_STRING_new_null();
  290. sk_OPENSSL_STRING_push(rr_to, *args);
  291. } else if (!strcmp(*args, "-print")) {
  292. noout = 1;
  293. print = 1;
  294. } else if (!strcmp(*args, "-secretkey")) {
  295. long ltmp;
  296. if (!args[1])
  297. goto argerr;
  298. args++;
  299. secret_key = string_to_hex(*args, &ltmp);
  300. if (!secret_key) {
  301. BIO_printf(bio_err, "Invalid key %s\n", *args);
  302. goto argerr;
  303. }
  304. secret_keylen = (size_t)ltmp;
  305. } else if (!strcmp(*args, "-secretkeyid")) {
  306. long ltmp;
  307. if (!args[1])
  308. goto argerr;
  309. args++;
  310. secret_keyid = string_to_hex(*args, &ltmp);
  311. if (!secret_keyid) {
  312. BIO_printf(bio_err, "Invalid id %s\n", *args);
  313. goto argerr;
  314. }
  315. secret_keyidlen = (size_t)ltmp;
  316. } else if (!strcmp(*args, "-pwri_password")) {
  317. if (!args[1])
  318. goto argerr;
  319. args++;
  320. pwri_pass = (unsigned char *)*args;
  321. } else if (!strcmp(*args, "-econtent_type")) {
  322. if (!args[1])
  323. goto argerr;
  324. args++;
  325. econtent_type = OBJ_txt2obj(*args, 0);
  326. if (!econtent_type) {
  327. BIO_printf(bio_err, "Invalid OID %s\n", *args);
  328. goto argerr;
  329. }
  330. } else if (!strcmp(*args, "-rand")) {
  331. if (!args[1])
  332. goto argerr;
  333. args++;
  334. inrand = *args;
  335. need_rand = 1;
  336. }
  337. # ifndef OPENSSL_NO_ENGINE
  338. else if (!strcmp(*args, "-engine")) {
  339. if (!args[1])
  340. goto argerr;
  341. engine = *++args;
  342. }
  343. # endif
  344. else if (!strcmp(*args, "-passin")) {
  345. if (!args[1])
  346. goto argerr;
  347. passargin = *++args;
  348. } else if (!strcmp(*args, "-to")) {
  349. if (!args[1])
  350. goto argerr;
  351. to = *++args;
  352. } else if (!strcmp(*args, "-from")) {
  353. if (!args[1])
  354. goto argerr;
  355. from = *++args;
  356. } else if (!strcmp(*args, "-subject")) {
  357. if (!args[1])
  358. goto argerr;
  359. subject = *++args;
  360. } else if (!strcmp(*args, "-signer")) {
  361. if (!args[1])
  362. goto argerr;
  363. /* If previous -signer argument add signer to list */
  364. if (signerfile) {
  365. if (!sksigners)
  366. sksigners = sk_OPENSSL_STRING_new_null();
  367. sk_OPENSSL_STRING_push(sksigners, signerfile);
  368. if (!keyfile)
  369. keyfile = signerfile;
  370. if (!skkeys)
  371. skkeys = sk_OPENSSL_STRING_new_null();
  372. sk_OPENSSL_STRING_push(skkeys, keyfile);
  373. keyfile = NULL;
  374. }
  375. signerfile = *++args;
  376. } else if (!strcmp(*args, "-recip")) {
  377. if (!args[1])
  378. goto argerr;
  379. if (operation == SMIME_ENCRYPT) {
  380. if (!encerts)
  381. encerts = sk_X509_new_null();
  382. cert = load_cert(bio_err, *++args, FORMAT_PEM,
  383. NULL, e, "recipient certificate file");
  384. if (!cert)
  385. goto end;
  386. sk_X509_push(encerts, cert);
  387. cert = NULL;
  388. } else
  389. recipfile = *++args;
  390. } else if (!strcmp(*args, "-certsout")) {
  391. if (!args[1])
  392. goto argerr;
  393. certsoutfile = *++args;
  394. } else if (!strcmp(*args, "-md")) {
  395. if (!args[1])
  396. goto argerr;
  397. sign_md = EVP_get_digestbyname(*++args);
  398. if (sign_md == NULL) {
  399. BIO_printf(bio_err, "Unknown digest %s\n", *args);
  400. goto argerr;
  401. }
  402. } else if (!strcmp(*args, "-inkey")) {
  403. if (!args[1])
  404. goto argerr;
  405. /* If previous -inkey arument add signer to list */
  406. if (keyfile) {
  407. if (!signerfile) {
  408. BIO_puts(bio_err, "Illegal -inkey without -signer\n");
  409. goto argerr;
  410. }
  411. if (!sksigners)
  412. sksigners = sk_OPENSSL_STRING_new_null();
  413. sk_OPENSSL_STRING_push(sksigners, signerfile);
  414. signerfile = NULL;
  415. if (!skkeys)
  416. skkeys = sk_OPENSSL_STRING_new_null();
  417. sk_OPENSSL_STRING_push(skkeys, keyfile);
  418. }
  419. keyfile = *++args;
  420. } else if (!strcmp(*args, "-keyform")) {
  421. if (!args[1])
  422. goto argerr;
  423. keyform = str2fmt(*++args);
  424. } else if (!strcmp(*args, "-keyopt")) {
  425. int keyidx = -1;
  426. if (!args[1])
  427. goto argerr;
  428. if (operation == SMIME_ENCRYPT) {
  429. if (encerts)
  430. keyidx += sk_X509_num(encerts);
  431. } else {
  432. if (keyfile || signerfile)
  433. keyidx++;
  434. if (skkeys)
  435. keyidx += sk_OPENSSL_STRING_num(skkeys);
  436. }
  437. if (keyidx < 0) {
  438. BIO_printf(bio_err, "No key specified\n");
  439. goto argerr;
  440. }
  441. if (key_param == NULL || key_param->idx != keyidx) {
  442. cms_key_param *nparam;
  443. nparam = OPENSSL_malloc(sizeof(cms_key_param));
  444. if (!nparam) {
  445. BIO_printf(bio_err, "Out of memory\n");
  446. goto argerr;
  447. }
  448. nparam->idx = keyidx;
  449. nparam->param = sk_OPENSSL_STRING_new_null();
  450. nparam->next = NULL;
  451. if (key_first == NULL)
  452. key_first = nparam;
  453. else
  454. key_param->next = nparam;
  455. key_param = nparam;
  456. }
  457. sk_OPENSSL_STRING_push(key_param->param, *++args);
  458. } else if (!strcmp(*args, "-rctform")) {
  459. if (!args[1])
  460. goto argerr;
  461. rctformat = str2fmt(*++args);
  462. } else if (!strcmp(*args, "-certfile")) {
  463. if (!args[1])
  464. goto argerr;
  465. certfile = *++args;
  466. } else if (!strcmp(*args, "-CAfile")) {
  467. if (!args[1])
  468. goto argerr;
  469. CAfile = *++args;
  470. } else if (!strcmp(*args, "-CApath")) {
  471. if (!args[1])
  472. goto argerr;
  473. CApath = *++args;
  474. } else if (!strcmp(*args, "-in")) {
  475. if (!args[1])
  476. goto argerr;
  477. infile = *++args;
  478. } else if (!strcmp(*args, "-inform")) {
  479. if (!args[1])
  480. goto argerr;
  481. informat = str2fmt(*++args);
  482. } else if (!strcmp(*args, "-outform")) {
  483. if (!args[1])
  484. goto argerr;
  485. outformat = str2fmt(*++args);
  486. } else if (!strcmp(*args, "-out")) {
  487. if (!args[1])
  488. goto argerr;
  489. outfile = *++args;
  490. } else if (!strcmp(*args, "-content")) {
  491. if (!args[1])
  492. goto argerr;
  493. contfile = *++args;
  494. } else if (args_verify(&args, NULL, &badarg, bio_err, &vpm))
  495. continue;
  496. else if ((cipher = EVP_get_cipherbyname(*args + 1)) == NULL)
  497. badarg = 1;
  498. args++;
  499. }
  500. if (((rr_allorfirst != -1) || rr_from) && !rr_to) {
  501. BIO_puts(bio_err, "No Signed Receipts Recipients\n");
  502. goto argerr;
  503. }
  504. if (!(operation & SMIME_SIGNERS) && (rr_to || rr_from)) {
  505. BIO_puts(bio_err, "Signed receipts only allowed with -sign\n");
  506. goto argerr;
  507. }
  508. if (!(operation & SMIME_SIGNERS) && (skkeys || sksigners)) {
  509. BIO_puts(bio_err, "Multiple signers or keys not allowed\n");
  510. goto argerr;
  511. }
  512. if (operation & SMIME_SIGNERS) {
  513. if (keyfile && !signerfile) {
  514. BIO_puts(bio_err, "Illegal -inkey without -signer\n");
  515. goto argerr;
  516. }
  517. /* Check to see if any final signer needs to be appended */
  518. if (signerfile) {
  519. if (!sksigners)
  520. sksigners = sk_OPENSSL_STRING_new_null();
  521. sk_OPENSSL_STRING_push(sksigners, signerfile);
  522. if (!skkeys)
  523. skkeys = sk_OPENSSL_STRING_new_null();
  524. if (!keyfile)
  525. keyfile = signerfile;
  526. sk_OPENSSL_STRING_push(skkeys, keyfile);
  527. }
  528. if (!sksigners) {
  529. BIO_printf(bio_err, "No signer certificate specified\n");
  530. badarg = 1;
  531. }
  532. signerfile = NULL;
  533. keyfile = NULL;
  534. need_rand = 1;
  535. }
  536. else if (operation == SMIME_DECRYPT) {
  537. if (!recipfile && !keyfile && !secret_key && !pwri_pass) {
  538. BIO_printf(bio_err,
  539. "No recipient certificate or key specified\n");
  540. badarg = 1;
  541. }
  542. } else if (operation == SMIME_ENCRYPT) {
  543. if (!*args && !secret_key && !pwri_pass && !encerts) {
  544. BIO_printf(bio_err, "No recipient(s) certificate(s) specified\n");
  545. badarg = 1;
  546. }
  547. need_rand = 1;
  548. } else if (!operation)
  549. badarg = 1;
  550. if (badarg) {
  551. argerr:
  552. BIO_printf(bio_err, "Usage cms [options] cert.pem ...\n");
  553. BIO_printf(bio_err, "where options are\n");
  554. BIO_printf(bio_err, "-encrypt encrypt message\n");
  555. BIO_printf(bio_err, "-decrypt decrypt encrypted message\n");
  556. BIO_printf(bio_err, "-sign sign message\n");
  557. BIO_printf(bio_err, "-verify verify signed message\n");
  558. BIO_printf(bio_err, "-cmsout output CMS structure\n");
  559. # ifndef OPENSSL_NO_DES
  560. BIO_printf(bio_err, "-des3 encrypt with triple DES\n");
  561. BIO_printf(bio_err, "-des encrypt with DES\n");
  562. # endif
  563. # ifndef OPENSSL_NO_SEED
  564. BIO_printf(bio_err, "-seed encrypt with SEED\n");
  565. # endif
  566. # ifndef OPENSSL_NO_RC2
  567. BIO_printf(bio_err, "-rc2-40 encrypt with RC2-40 (default)\n");
  568. BIO_printf(bio_err, "-rc2-64 encrypt with RC2-64\n");
  569. BIO_printf(bio_err, "-rc2-128 encrypt with RC2-128\n");
  570. # endif
  571. # ifndef OPENSSL_NO_AES
  572. BIO_printf(bio_err, "-aes128, -aes192, -aes256\n");
  573. BIO_printf(bio_err,
  574. " encrypt PEM output with cbc aes\n");
  575. # endif
  576. # ifndef OPENSSL_NO_CAMELLIA
  577. BIO_printf(bio_err, "-camellia128, -camellia192, -camellia256\n");
  578. BIO_printf(bio_err,
  579. " encrypt PEM output with cbc camellia\n");
  580. # endif
  581. BIO_printf(bio_err,
  582. "-nointern don't search certificates in message for signer\n");
  583. BIO_printf(bio_err,
  584. "-nosigs don't verify message signature\n");
  585. BIO_printf(bio_err,
  586. "-noverify don't verify signers certificate\n");
  587. BIO_printf(bio_err,
  588. "-nocerts don't include signers certificate when signing\n");
  589. BIO_printf(bio_err, "-nodetach use opaque signing\n");
  590. BIO_printf(bio_err,
  591. "-noattr don't include any signed attributes\n");
  592. BIO_printf(bio_err,
  593. "-binary don't translate message to text\n");
  594. BIO_printf(bio_err, "-certfile file other certificates file\n");
  595. BIO_printf(bio_err, "-certsout file certificate output file\n");
  596. BIO_printf(bio_err, "-signer file signer certificate file\n");
  597. BIO_printf(bio_err,
  598. "-recip file recipient certificate file for decryption\n");
  599. BIO_printf(bio_err, "-keyid use subject key identifier\n");
  600. BIO_printf(bio_err, "-in file input file\n");
  601. BIO_printf(bio_err,
  602. "-inform arg input format SMIME (default), PEM or DER\n");
  603. BIO_printf(bio_err,
  604. "-inkey file input private key (if not signer or recipient)\n");
  605. BIO_printf(bio_err,
  606. "-keyform arg input private key format (PEM or ENGINE)\n");
  607. BIO_printf(bio_err, "-keyopt nm:v set public key parameters\n");
  608. BIO_printf(bio_err, "-out file output file\n");
  609. BIO_printf(bio_err,
  610. "-outform arg output format SMIME (default), PEM or DER\n");
  611. BIO_printf(bio_err,
  612. "-content file supply or override content for detached signature\n");
  613. BIO_printf(bio_err, "-to addr to address\n");
  614. BIO_printf(bio_err, "-from ad from address\n");
  615. BIO_printf(bio_err, "-subject s subject\n");
  616. BIO_printf(bio_err,
  617. "-text include or delete text MIME headers\n");
  618. BIO_printf(bio_err,
  619. "-CApath dir trusted certificates directory\n");
  620. BIO_printf(bio_err, "-CAfile file trusted certificates file\n");
  621. BIO_printf(bio_err,
  622. "-no_alt_chains only ever use the first certificate chain found\n");
  623. BIO_printf(bio_err,
  624. "-crl_check check revocation status of signer's certificate using CRLs\n");
  625. BIO_printf(bio_err,
  626. "-crl_check_all check revocation status of signer's certificate chain using CRLs\n");
  627. # ifndef OPENSSL_NO_ENGINE
  628. BIO_printf(bio_err,
  629. "-engine e use engine e, possibly a hardware device.\n");
  630. # endif
  631. BIO_printf(bio_err, "-passin arg input file pass phrase source\n");
  632. BIO_printf(bio_err, "-rand file%cfile%c...\n", LIST_SEPARATOR_CHAR,
  633. LIST_SEPARATOR_CHAR);
  634. BIO_printf(bio_err,
  635. " load the file (or the files in the directory) into\n");
  636. BIO_printf(bio_err, " the random number generator\n");
  637. BIO_printf(bio_err,
  638. "cert.pem recipient certificate(s) for encryption\n");
  639. goto end;
  640. }
  641. e = setup_engine(bio_err, engine, 0);
  642. if (!app_passwd(bio_err, passargin, NULL, &passin, NULL)) {
  643. BIO_printf(bio_err, "Error getting password\n");
  644. goto end;
  645. }
  646. if (need_rand) {
  647. app_RAND_load_file(NULL, bio_err, (inrand != NULL));
  648. if (inrand != NULL)
  649. BIO_printf(bio_err, "%ld semi-random bytes loaded\n",
  650. app_RAND_load_files(inrand));
  651. }
  652. ret = 2;
  653. if (!(operation & SMIME_SIGNERS))
  654. flags &= ~CMS_DETACHED;
  655. if (operation & SMIME_OP) {
  656. if (outformat == FORMAT_ASN1)
  657. outmode = "wb";
  658. } else {
  659. if (flags & CMS_BINARY)
  660. outmode = "wb";
  661. }
  662. if (operation & SMIME_IP) {
  663. if (informat == FORMAT_ASN1)
  664. inmode = "rb";
  665. } else {
  666. if (flags & CMS_BINARY)
  667. inmode = "rb";
  668. }
  669. if (operation == SMIME_ENCRYPT) {
  670. if (!cipher) {
  671. # ifndef OPENSSL_NO_DES
  672. cipher = EVP_des_ede3_cbc();
  673. # else
  674. BIO_printf(bio_err, "No cipher selected\n");
  675. goto end;
  676. # endif
  677. }
  678. if (secret_key && !secret_keyid) {
  679. BIO_printf(bio_err, "No secret key id\n");
  680. goto end;
  681. }
  682. if (*args && !encerts)
  683. encerts = sk_X509_new_null();
  684. while (*args) {
  685. if (!(cert = load_cert(bio_err, *args, FORMAT_PEM,
  686. NULL, e, "recipient certificate file")))
  687. goto end;
  688. sk_X509_push(encerts, cert);
  689. cert = NULL;
  690. args++;
  691. }
  692. }
  693. if (certfile) {
  694. if (!(other = load_certs(bio_err, certfile, FORMAT_PEM, NULL,
  695. e, "certificate file"))) {
  696. ERR_print_errors(bio_err);
  697. goto end;
  698. }
  699. }
  700. if (recipfile && (operation == SMIME_DECRYPT)) {
  701. if (!(recip = load_cert(bio_err, recipfile, FORMAT_PEM, NULL,
  702. e, "recipient certificate file"))) {
  703. ERR_print_errors(bio_err);
  704. goto end;
  705. }
  706. }
  707. if (operation == SMIME_SIGN_RECEIPT) {
  708. if (!(signer = load_cert(bio_err, signerfile, FORMAT_PEM, NULL,
  709. e, "receipt signer certificate file"))) {
  710. ERR_print_errors(bio_err);
  711. goto end;
  712. }
  713. }
  714. if (operation == SMIME_DECRYPT) {
  715. if (!keyfile)
  716. keyfile = recipfile;
  717. } else if ((operation == SMIME_SIGN) || (operation == SMIME_SIGN_RECEIPT)) {
  718. if (!keyfile)
  719. keyfile = signerfile;
  720. } else
  721. keyfile = NULL;
  722. if (keyfile) {
  723. key = load_key(bio_err, keyfile, keyform, 0, passin, e,
  724. "signing key file");
  725. if (!key)
  726. goto end;
  727. }
  728. if (infile) {
  729. if (!(in = BIO_new_file(infile, inmode))) {
  730. BIO_printf(bio_err, "Can't open input file %s\n", infile);
  731. goto end;
  732. }
  733. } else
  734. in = BIO_new_fp(stdin, BIO_NOCLOSE);
  735. if (operation & SMIME_IP) {
  736. if (informat == FORMAT_SMIME)
  737. cms = SMIME_read_CMS(in, &indata);
  738. else if (informat == FORMAT_PEM)
  739. cms = PEM_read_bio_CMS(in, NULL, NULL, NULL);
  740. else if (informat == FORMAT_ASN1)
  741. cms = d2i_CMS_bio(in, NULL);
  742. else {
  743. BIO_printf(bio_err, "Bad input format for CMS file\n");
  744. goto end;
  745. }
  746. if (!cms) {
  747. BIO_printf(bio_err, "Error reading S/MIME message\n");
  748. goto end;
  749. }
  750. if (contfile) {
  751. BIO_free(indata);
  752. if (!(indata = BIO_new_file(contfile, "rb"))) {
  753. BIO_printf(bio_err, "Can't read content file %s\n", contfile);
  754. goto end;
  755. }
  756. }
  757. if (certsoutfile) {
  758. STACK_OF(X509) *allcerts;
  759. allcerts = CMS_get1_certs(cms);
  760. if (!save_certs(certsoutfile, allcerts)) {
  761. BIO_printf(bio_err,
  762. "Error writing certs to %s\n", certsoutfile);
  763. ret = 5;
  764. goto end;
  765. }
  766. sk_X509_pop_free(allcerts, X509_free);
  767. }
  768. }
  769. if (rctfile) {
  770. char *rctmode = (rctformat == FORMAT_ASN1) ? "rb" : "r";
  771. if (!(rctin = BIO_new_file(rctfile, rctmode))) {
  772. BIO_printf(bio_err, "Can't open receipt file %s\n", rctfile);
  773. goto end;
  774. }
  775. if (rctformat == FORMAT_SMIME)
  776. rcms = SMIME_read_CMS(rctin, NULL);
  777. else if (rctformat == FORMAT_PEM)
  778. rcms = PEM_read_bio_CMS(rctin, NULL, NULL, NULL);
  779. else if (rctformat == FORMAT_ASN1)
  780. rcms = d2i_CMS_bio(rctin, NULL);
  781. else {
  782. BIO_printf(bio_err, "Bad input format for receipt\n");
  783. goto end;
  784. }
  785. if (!rcms) {
  786. BIO_printf(bio_err, "Error reading receipt\n");
  787. goto end;
  788. }
  789. }
  790. if (outfile) {
  791. if (!(out = BIO_new_file(outfile, outmode))) {
  792. BIO_printf(bio_err, "Can't open output file %s\n", outfile);
  793. goto end;
  794. }
  795. } else {
  796. out = BIO_new_fp(stdout, BIO_NOCLOSE);
  797. # ifdef OPENSSL_SYS_VMS
  798. {
  799. BIO *tmpbio = BIO_new(BIO_f_linebuffer());
  800. out = BIO_push(tmpbio, out);
  801. }
  802. # endif
  803. }
  804. if ((operation == SMIME_VERIFY) || (operation == SMIME_VERIFY_RECEIPT)) {
  805. if (!(store = setup_verify(bio_err, CAfile, CApath)))
  806. goto end;
  807. X509_STORE_set_verify_cb(store, cms_cb);
  808. if (vpm)
  809. X509_STORE_set1_param(store, vpm);
  810. }
  811. ret = 3;
  812. if (operation == SMIME_DATA_CREATE) {
  813. cms = CMS_data_create(in, flags);
  814. } else if (operation == SMIME_DIGEST_CREATE) {
  815. cms = CMS_digest_create(in, sign_md, flags);
  816. } else if (operation == SMIME_COMPRESS) {
  817. cms = CMS_compress(in, -1, flags);
  818. } else if (operation == SMIME_ENCRYPT) {
  819. int i;
  820. flags |= CMS_PARTIAL;
  821. cms = CMS_encrypt(NULL, in, cipher, flags);
  822. if (!cms)
  823. goto end;
  824. for (i = 0; i < sk_X509_num(encerts); i++) {
  825. CMS_RecipientInfo *ri;
  826. cms_key_param *kparam;
  827. int tflags = flags;
  828. X509 *x = sk_X509_value(encerts, i);
  829. for (kparam = key_first; kparam; kparam = kparam->next) {
  830. if (kparam->idx == i) {
  831. tflags |= CMS_KEY_PARAM;
  832. break;
  833. }
  834. }
  835. ri = CMS_add1_recipient_cert(cms, x, tflags);
  836. if (!ri)
  837. goto end;
  838. if (kparam) {
  839. EVP_PKEY_CTX *pctx;
  840. pctx = CMS_RecipientInfo_get0_pkey_ctx(ri);
  841. if (!cms_set_pkey_param(pctx, kparam->param))
  842. goto end;
  843. }
  844. if (CMS_RecipientInfo_type(ri) == CMS_RECIPINFO_AGREE
  845. && wrap_cipher) {
  846. EVP_CIPHER_CTX *wctx;
  847. wctx = CMS_RecipientInfo_kari_get0_ctx(ri);
  848. EVP_EncryptInit_ex(wctx, wrap_cipher, NULL, NULL, NULL);
  849. }
  850. }
  851. if (secret_key) {
  852. if (!CMS_add0_recipient_key(cms, NID_undef,
  853. secret_key, secret_keylen,
  854. secret_keyid, secret_keyidlen,
  855. NULL, NULL, NULL))
  856. goto end;
  857. /* NULL these because call absorbs them */
  858. secret_key = NULL;
  859. secret_keyid = NULL;
  860. }
  861. if (pwri_pass) {
  862. pwri_tmp = (unsigned char *)BUF_strdup((char *)pwri_pass);
  863. if (!pwri_tmp)
  864. goto end;
  865. if (!CMS_add0_recipient_password(cms,
  866. -1, NID_undef, NID_undef,
  867. pwri_tmp, -1, NULL))
  868. goto end;
  869. pwri_tmp = NULL;
  870. }
  871. if (!(flags & CMS_STREAM)) {
  872. if (!CMS_final(cms, in, NULL, flags))
  873. goto end;
  874. }
  875. } else if (operation == SMIME_ENCRYPTED_ENCRYPT) {
  876. cms = CMS_EncryptedData_encrypt(in, cipher,
  877. secret_key, secret_keylen, flags);
  878. } else if (operation == SMIME_SIGN_RECEIPT) {
  879. CMS_ContentInfo *srcms = NULL;
  880. STACK_OF(CMS_SignerInfo) *sis;
  881. CMS_SignerInfo *si;
  882. sis = CMS_get0_SignerInfos(cms);
  883. if (!sis)
  884. goto end;
  885. si = sk_CMS_SignerInfo_value(sis, 0);
  886. srcms = CMS_sign_receipt(si, signer, key, other, flags);
  887. if (!srcms)
  888. goto end;
  889. CMS_ContentInfo_free(cms);
  890. cms = srcms;
  891. } else if (operation & SMIME_SIGNERS) {
  892. int i;
  893. /*
  894. * If detached data content we enable streaming if S/MIME output
  895. * format.
  896. */
  897. if (operation == SMIME_SIGN) {
  898. if (flags & CMS_DETACHED) {
  899. if (outformat == FORMAT_SMIME)
  900. flags |= CMS_STREAM;
  901. }
  902. flags |= CMS_PARTIAL;
  903. cms = CMS_sign(NULL, NULL, other, in, flags);
  904. if (!cms)
  905. goto end;
  906. if (econtent_type)
  907. CMS_set1_eContentType(cms, econtent_type);
  908. if (rr_to) {
  909. rr = make_receipt_request(rr_to, rr_allorfirst, rr_from);
  910. if (!rr) {
  911. BIO_puts(bio_err,
  912. "Signed Receipt Request Creation Error\n");
  913. goto end;
  914. }
  915. }
  916. } else
  917. flags |= CMS_REUSE_DIGEST;
  918. for (i = 0; i < sk_OPENSSL_STRING_num(sksigners); i++) {
  919. CMS_SignerInfo *si;
  920. cms_key_param *kparam;
  921. int tflags = flags;
  922. signerfile = sk_OPENSSL_STRING_value(sksigners, i);
  923. keyfile = sk_OPENSSL_STRING_value(skkeys, i);
  924. signer = load_cert(bio_err, signerfile, FORMAT_PEM, NULL,
  925. e, "signer certificate");
  926. if (!signer)
  927. goto end;
  928. key = load_key(bio_err, keyfile, keyform, 0, passin, e,
  929. "signing key file");
  930. if (!key)
  931. goto end;
  932. for (kparam = key_first; kparam; kparam = kparam->next) {
  933. if (kparam->idx == i) {
  934. tflags |= CMS_KEY_PARAM;
  935. break;
  936. }
  937. }
  938. si = CMS_add1_signer(cms, signer, key, sign_md, tflags);
  939. if (!si)
  940. goto end;
  941. if (kparam) {
  942. EVP_PKEY_CTX *pctx;
  943. pctx = CMS_SignerInfo_get0_pkey_ctx(si);
  944. if (!cms_set_pkey_param(pctx, kparam->param))
  945. goto end;
  946. }
  947. if (rr && !CMS_add1_ReceiptRequest(si, rr))
  948. goto end;
  949. X509_free(signer);
  950. signer = NULL;
  951. EVP_PKEY_free(key);
  952. key = NULL;
  953. }
  954. /* If not streaming or resigning finalize structure */
  955. if ((operation == SMIME_SIGN) && !(flags & CMS_STREAM)) {
  956. if (!CMS_final(cms, in, NULL, flags))
  957. goto end;
  958. }
  959. }
  960. if (!cms) {
  961. BIO_printf(bio_err, "Error creating CMS structure\n");
  962. goto end;
  963. }
  964. ret = 4;
  965. if (operation == SMIME_DECRYPT) {
  966. if (flags & CMS_DEBUG_DECRYPT)
  967. CMS_decrypt(cms, NULL, NULL, NULL, NULL, flags);
  968. if (secret_key) {
  969. if (!CMS_decrypt_set1_key(cms,
  970. secret_key, secret_keylen,
  971. secret_keyid, secret_keyidlen)) {
  972. BIO_puts(bio_err, "Error decrypting CMS using secret key\n");
  973. goto end;
  974. }
  975. }
  976. if (key) {
  977. if (!CMS_decrypt_set1_pkey(cms, key, recip)) {
  978. BIO_puts(bio_err, "Error decrypting CMS using private key\n");
  979. goto end;
  980. }
  981. }
  982. if (pwri_pass) {
  983. if (!CMS_decrypt_set1_password(cms, pwri_pass, -1)) {
  984. BIO_puts(bio_err, "Error decrypting CMS using password\n");
  985. goto end;
  986. }
  987. }
  988. if (!CMS_decrypt(cms, NULL, NULL, indata, out, flags)) {
  989. BIO_printf(bio_err, "Error decrypting CMS structure\n");
  990. goto end;
  991. }
  992. } else if (operation == SMIME_DATAOUT) {
  993. if (!CMS_data(cms, out, flags))
  994. goto end;
  995. } else if (operation == SMIME_UNCOMPRESS) {
  996. if (!CMS_uncompress(cms, indata, out, flags))
  997. goto end;
  998. } else if (operation == SMIME_DIGEST_VERIFY) {
  999. if (CMS_digest_verify(cms, indata, out, flags) > 0)
  1000. BIO_printf(bio_err, "Verification successful\n");
  1001. else {
  1002. BIO_printf(bio_err, "Verification failure\n");
  1003. goto end;
  1004. }
  1005. } else if (operation == SMIME_ENCRYPTED_DECRYPT) {
  1006. if (!CMS_EncryptedData_decrypt(cms, secret_key, secret_keylen,
  1007. indata, out, flags))
  1008. goto end;
  1009. } else if (operation == SMIME_VERIFY) {
  1010. if (CMS_verify(cms, other, store, indata, out, flags) > 0)
  1011. BIO_printf(bio_err, "Verification successful\n");
  1012. else {
  1013. BIO_printf(bio_err, "Verification failure\n");
  1014. if (verify_retcode)
  1015. ret = verify_err + 32;
  1016. goto end;
  1017. }
  1018. if (signerfile) {
  1019. STACK_OF(X509) *signers;
  1020. signers = CMS_get0_signers(cms);
  1021. if (!save_certs(signerfile, signers)) {
  1022. BIO_printf(bio_err,
  1023. "Error writing signers to %s\n", signerfile);
  1024. ret = 5;
  1025. goto end;
  1026. }
  1027. sk_X509_free(signers);
  1028. }
  1029. if (rr_print)
  1030. receipt_request_print(bio_err, cms);
  1031. } else if (operation == SMIME_VERIFY_RECEIPT) {
  1032. if (CMS_verify_receipt(rcms, cms, other, store, flags) > 0)
  1033. BIO_printf(bio_err, "Verification successful\n");
  1034. else {
  1035. BIO_printf(bio_err, "Verification failure\n");
  1036. goto end;
  1037. }
  1038. } else {
  1039. if (noout) {
  1040. if (print)
  1041. CMS_ContentInfo_print_ctx(out, cms, 0, NULL);
  1042. } else if (outformat == FORMAT_SMIME) {
  1043. if (to)
  1044. BIO_printf(out, "To: %s\n", to);
  1045. if (from)
  1046. BIO_printf(out, "From: %s\n", from);
  1047. if (subject)
  1048. BIO_printf(out, "Subject: %s\n", subject);
  1049. if (operation == SMIME_RESIGN)
  1050. ret = SMIME_write_CMS(out, cms, indata, flags);
  1051. else
  1052. ret = SMIME_write_CMS(out, cms, in, flags);
  1053. } else if (outformat == FORMAT_PEM)
  1054. ret = PEM_write_bio_CMS_stream(out, cms, in, flags);
  1055. else if (outformat == FORMAT_ASN1)
  1056. ret = i2d_CMS_bio_stream(out, cms, in, flags);
  1057. else {
  1058. BIO_printf(bio_err, "Bad output format for CMS file\n");
  1059. goto end;
  1060. }
  1061. if (ret <= 0) {
  1062. ret = 6;
  1063. goto end;
  1064. }
  1065. }
  1066. ret = 0;
  1067. end:
  1068. if (ret)
  1069. ERR_print_errors(bio_err);
  1070. if (need_rand)
  1071. app_RAND_write_file(NULL, bio_err);
  1072. sk_X509_pop_free(encerts, X509_free);
  1073. sk_X509_pop_free(other, X509_free);
  1074. if (vpm)
  1075. X509_VERIFY_PARAM_free(vpm);
  1076. if (sksigners)
  1077. sk_OPENSSL_STRING_free(sksigners);
  1078. if (skkeys)
  1079. sk_OPENSSL_STRING_free(skkeys);
  1080. if (secret_key)
  1081. OPENSSL_free(secret_key);
  1082. if (secret_keyid)
  1083. OPENSSL_free(secret_keyid);
  1084. if (pwri_tmp)
  1085. OPENSSL_free(pwri_tmp);
  1086. if (econtent_type)
  1087. ASN1_OBJECT_free(econtent_type);
  1088. if (rr)
  1089. CMS_ReceiptRequest_free(rr);
  1090. if (rr_to)
  1091. sk_OPENSSL_STRING_free(rr_to);
  1092. if (rr_from)
  1093. sk_OPENSSL_STRING_free(rr_from);
  1094. for (key_param = key_first; key_param;) {
  1095. cms_key_param *tparam;
  1096. sk_OPENSSL_STRING_free(key_param->param);
  1097. tparam = key_param->next;
  1098. OPENSSL_free(key_param);
  1099. key_param = tparam;
  1100. }
  1101. X509_STORE_free(store);
  1102. X509_free(cert);
  1103. X509_free(recip);
  1104. X509_free(signer);
  1105. EVP_PKEY_free(key);
  1106. CMS_ContentInfo_free(cms);
  1107. CMS_ContentInfo_free(rcms);
  1108. release_engine(e);
  1109. BIO_free(rctin);
  1110. BIO_free(in);
  1111. BIO_free(indata);
  1112. BIO_free_all(out);
  1113. if (passin)
  1114. OPENSSL_free(passin);
  1115. return (ret);
  1116. }
  1117. static int save_certs(char *signerfile, STACK_OF(X509) *signers)
  1118. {
  1119. int i;
  1120. BIO *tmp;
  1121. if (!signerfile)
  1122. return 1;
  1123. tmp = BIO_new_file(signerfile, "w");
  1124. if (!tmp)
  1125. return 0;
  1126. for (i = 0; i < sk_X509_num(signers); i++)
  1127. PEM_write_bio_X509(tmp, sk_X509_value(signers, i));
  1128. BIO_free(tmp);
  1129. return 1;
  1130. }
  1131. /* Minimal callback just to output policy info (if any) */
  1132. static int cms_cb(int ok, X509_STORE_CTX *ctx)
  1133. {
  1134. int error;
  1135. error = X509_STORE_CTX_get_error(ctx);
  1136. verify_err = error;
  1137. if ((error != X509_V_ERR_NO_EXPLICIT_POLICY)
  1138. && ((error != X509_V_OK) || (ok != 2)))
  1139. return ok;
  1140. policies_print(NULL, ctx);
  1141. return ok;
  1142. }
  1143. static void gnames_stack_print(BIO *out, STACK_OF(GENERAL_NAMES) *gns)
  1144. {
  1145. STACK_OF(GENERAL_NAME) *gens;
  1146. GENERAL_NAME *gen;
  1147. int i, j;
  1148. for (i = 0; i < sk_GENERAL_NAMES_num(gns); i++) {
  1149. gens = sk_GENERAL_NAMES_value(gns, i);
  1150. for (j = 0; j < sk_GENERAL_NAME_num(gens); j++) {
  1151. gen = sk_GENERAL_NAME_value(gens, j);
  1152. BIO_puts(out, " ");
  1153. GENERAL_NAME_print(out, gen);
  1154. BIO_puts(out, "\n");
  1155. }
  1156. }
  1157. return;
  1158. }
  1159. static void receipt_request_print(BIO *out, CMS_ContentInfo *cms)
  1160. {
  1161. STACK_OF(CMS_SignerInfo) *sis;
  1162. CMS_SignerInfo *si;
  1163. CMS_ReceiptRequest *rr;
  1164. int allorfirst;
  1165. STACK_OF(GENERAL_NAMES) *rto, *rlist;
  1166. ASN1_STRING *scid;
  1167. int i, rv;
  1168. sis = CMS_get0_SignerInfos(cms);
  1169. for (i = 0; i < sk_CMS_SignerInfo_num(sis); i++) {
  1170. si = sk_CMS_SignerInfo_value(sis, i);
  1171. rv = CMS_get1_ReceiptRequest(si, &rr);
  1172. BIO_printf(bio_err, "Signer %d:\n", i + 1);
  1173. if (rv == 0)
  1174. BIO_puts(bio_err, " No Receipt Request\n");
  1175. else if (rv < 0) {
  1176. BIO_puts(bio_err, " Receipt Request Parse Error\n");
  1177. ERR_print_errors(bio_err);
  1178. } else {
  1179. char *id;
  1180. int idlen;
  1181. CMS_ReceiptRequest_get0_values(rr, &scid, &allorfirst,
  1182. &rlist, &rto);
  1183. BIO_puts(out, " Signed Content ID:\n");
  1184. idlen = ASN1_STRING_length(scid);
  1185. id = (char *)ASN1_STRING_data(scid);
  1186. BIO_dump_indent(out, id, idlen, 4);
  1187. BIO_puts(out, " Receipts From");
  1188. if (rlist) {
  1189. BIO_puts(out, " List:\n");
  1190. gnames_stack_print(out, rlist);
  1191. } else if (allorfirst == 1)
  1192. BIO_puts(out, ": First Tier\n");
  1193. else if (allorfirst == 0)
  1194. BIO_puts(out, ": All\n");
  1195. else
  1196. BIO_printf(out, " Unknown (%d)\n", allorfirst);
  1197. BIO_puts(out, " Receipts To:\n");
  1198. gnames_stack_print(out, rto);
  1199. }
  1200. if (rr)
  1201. CMS_ReceiptRequest_free(rr);
  1202. }
  1203. }
  1204. static STACK_OF(GENERAL_NAMES) *make_names_stack(STACK_OF(OPENSSL_STRING) *ns)
  1205. {
  1206. int i;
  1207. STACK_OF(GENERAL_NAMES) *ret;
  1208. GENERAL_NAMES *gens = NULL;
  1209. GENERAL_NAME *gen = NULL;
  1210. ret = sk_GENERAL_NAMES_new_null();
  1211. if (!ret)
  1212. goto err;
  1213. for (i = 0; i < sk_OPENSSL_STRING_num(ns); i++) {
  1214. char *str = sk_OPENSSL_STRING_value(ns, i);
  1215. gen = a2i_GENERAL_NAME(NULL, NULL, NULL, GEN_EMAIL, str, 0);
  1216. if (!gen)
  1217. goto err;
  1218. gens = GENERAL_NAMES_new();
  1219. if (!gens)
  1220. goto err;
  1221. if (!sk_GENERAL_NAME_push(gens, gen))
  1222. goto err;
  1223. gen = NULL;
  1224. if (!sk_GENERAL_NAMES_push(ret, gens))
  1225. goto err;
  1226. gens = NULL;
  1227. }
  1228. return ret;
  1229. err:
  1230. if (ret)
  1231. sk_GENERAL_NAMES_pop_free(ret, GENERAL_NAMES_free);
  1232. if (gens)
  1233. GENERAL_NAMES_free(gens);
  1234. if (gen)
  1235. GENERAL_NAME_free(gen);
  1236. return NULL;
  1237. }
  1238. static CMS_ReceiptRequest *make_receipt_request(STACK_OF(OPENSSL_STRING)
  1239. *rr_to, int rr_allorfirst, STACK_OF(OPENSSL_STRING)
  1240. *rr_from)
  1241. {
  1242. STACK_OF(GENERAL_NAMES) *rct_to, *rct_from;
  1243. CMS_ReceiptRequest *rr;
  1244. rct_to = make_names_stack(rr_to);
  1245. if (!rct_to)
  1246. goto err;
  1247. if (rr_from) {
  1248. rct_from = make_names_stack(rr_from);
  1249. if (!rct_from)
  1250. goto err;
  1251. } else
  1252. rct_from = NULL;
  1253. rr = CMS_ReceiptRequest_create0(NULL, -1, rr_allorfirst, rct_from,
  1254. rct_to);
  1255. return rr;
  1256. err:
  1257. return NULL;
  1258. }
  1259. static int cms_set_pkey_param(EVP_PKEY_CTX *pctx,
  1260. STACK_OF(OPENSSL_STRING) *param)
  1261. {
  1262. char *keyopt;
  1263. int i;
  1264. if (sk_OPENSSL_STRING_num(param) <= 0)
  1265. return 1;
  1266. for (i = 0; i < sk_OPENSSL_STRING_num(param); i++) {
  1267. keyopt = sk_OPENSSL_STRING_value(param, i);
  1268. if (pkey_ctrl_string(pctx, keyopt) <= 0) {
  1269. BIO_printf(bio_err, "parameter error \"%s\"\n", keyopt);
  1270. ERR_print_errors(bio_err);
  1271. return 0;
  1272. }
  1273. }
  1274. return 1;
  1275. }
  1276. #endif