cms.c 44 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181118211831184118511861187118811891190119111921193119411951196119711981199120012011202120312041205120612071208120912101211121212131214121512161217121812191220122112221223122412251226122712281229123012311232123312341235123612371238123912401241124212431244124512461247124812491250125112521253125412551256125712581259126012611262126312641265126612671268126912701271127212731274127512761277127812791280128112821283128412851286128712881289129012911292
  1. /*
  2. * Copyright 2008-2020 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the OpenSSL license (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. /* CMS utility function */
  10. #include <stdio.h>
  11. #include <string.h>
  12. #include "apps.h"
  13. #include "progs.h"
  14. #ifndef OPENSSL_NO_CMS
  15. # include <openssl/crypto.h>
  16. # include <openssl/pem.h>
  17. # include <openssl/err.h>
  18. # include <openssl/x509_vfy.h>
  19. # include <openssl/x509v3.h>
  20. # include <openssl/cms.h>
  21. static int save_certs(char *signerfile, STACK_OF(X509) *signers);
  22. static int cms_cb(int ok, X509_STORE_CTX *ctx);
  23. static void receipt_request_print(CMS_ContentInfo *cms);
  24. static CMS_ReceiptRequest *make_receipt_request(STACK_OF(OPENSSL_STRING)
  25. *rr_to, int rr_allorfirst, STACK_OF(OPENSSL_STRING)
  26. *rr_from);
  27. static int cms_set_pkey_param(EVP_PKEY_CTX *pctx,
  28. STACK_OF(OPENSSL_STRING) *param);
  29. # define SMIME_OP 0x10
  30. # define SMIME_IP 0x20
  31. # define SMIME_SIGNERS 0x40
  32. # define SMIME_ENCRYPT (1 | SMIME_OP)
  33. # define SMIME_DECRYPT (2 | SMIME_IP)
  34. # define SMIME_SIGN (3 | SMIME_OP | SMIME_SIGNERS)
  35. # define SMIME_VERIFY (4 | SMIME_IP)
  36. # define SMIME_CMSOUT (5 | SMIME_IP | SMIME_OP)
  37. # define SMIME_RESIGN (6 | SMIME_IP | SMIME_OP | SMIME_SIGNERS)
  38. # define SMIME_DATAOUT (7 | SMIME_IP)
  39. # define SMIME_DATA_CREATE (8 | SMIME_OP)
  40. # define SMIME_DIGEST_VERIFY (9 | SMIME_IP)
  41. # define SMIME_DIGEST_CREATE (10 | SMIME_OP)
  42. # define SMIME_UNCOMPRESS (11 | SMIME_IP)
  43. # define SMIME_COMPRESS (12 | SMIME_OP)
  44. # define SMIME_ENCRYPTED_DECRYPT (13 | SMIME_IP)
  45. # define SMIME_ENCRYPTED_ENCRYPT (14 | SMIME_OP)
  46. # define SMIME_SIGN_RECEIPT (15 | SMIME_IP | SMIME_OP)
  47. # define SMIME_VERIFY_RECEIPT (16 | SMIME_IP)
  48. static int verify_err = 0;
  49. typedef struct cms_key_param_st cms_key_param;
  50. struct cms_key_param_st {
  51. int idx;
  52. STACK_OF(OPENSSL_STRING) *param;
  53. cms_key_param *next;
  54. };
  55. typedef enum OPTION_choice {
  56. OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
  57. OPT_INFORM, OPT_OUTFORM, OPT_IN, OPT_OUT, OPT_ENCRYPT,
  58. OPT_DECRYPT, OPT_SIGN, OPT_SIGN_RECEIPT, OPT_RESIGN,
  59. OPT_VERIFY, OPT_VERIFY_RETCODE, OPT_VERIFY_RECEIPT,
  60. OPT_CMSOUT, OPT_DATA_OUT, OPT_DATA_CREATE, OPT_DIGEST_VERIFY,
  61. OPT_DIGEST_CREATE, OPT_COMPRESS, OPT_UNCOMPRESS,
  62. OPT_ED_DECRYPT, OPT_ED_ENCRYPT, OPT_DEBUG_DECRYPT, OPT_TEXT,
  63. OPT_ASCIICRLF, OPT_NOINTERN, OPT_NOVERIFY, OPT_NOCERTS,
  64. OPT_NOATTR, OPT_NODETACH, OPT_NOSMIMECAP, OPT_BINARY, OPT_KEYID,
  65. OPT_NOSIGS, OPT_NO_CONTENT_VERIFY, OPT_NO_ATTR_VERIFY, OPT_INDEF,
  66. OPT_NOINDEF, OPT_CRLFEOL, OPT_NOOUT, OPT_RR_PRINT,
  67. OPT_RR_ALL, OPT_RR_FIRST, OPT_RCTFORM, OPT_CERTFILE, OPT_CAFILE,
  68. OPT_CAPATH, OPT_NOCAPATH, OPT_NOCAFILE,OPT_CONTENT, OPT_PRINT,
  69. OPT_SECRETKEY, OPT_SECRETKEYID, OPT_PWRI_PASSWORD, OPT_ECONTENT_TYPE,
  70. OPT_PASSIN, OPT_TO, OPT_FROM, OPT_SUBJECT, OPT_SIGNER, OPT_RECIP,
  71. OPT_CERTSOUT, OPT_MD, OPT_INKEY, OPT_KEYFORM, OPT_KEYOPT, OPT_RR_FROM,
  72. OPT_RR_TO, OPT_AES128_WRAP, OPT_AES192_WRAP, OPT_AES256_WRAP,
  73. OPT_3DES_WRAP, OPT_ENGINE,
  74. OPT_R_ENUM,
  75. OPT_V_ENUM,
  76. OPT_CIPHER
  77. } OPTION_CHOICE;
  78. const OPTIONS cms_options[] = {
  79. {OPT_HELP_STR, 1, '-', "Usage: %s [options] cert.pem...\n"},
  80. {OPT_HELP_STR, 1, '-',
  81. " cert.pem... recipient certs for encryption\n"},
  82. {OPT_HELP_STR, 1, '-', "Valid options are:\n"},
  83. {"help", OPT_HELP, '-', "Display this summary"},
  84. {"inform", OPT_INFORM, 'c', "Input format SMIME (default), PEM or DER"},
  85. {"outform", OPT_OUTFORM, 'c',
  86. "Output format SMIME (default), PEM or DER"},
  87. {"in", OPT_IN, '<', "Input file"},
  88. {"out", OPT_OUT, '>', "Output file"},
  89. {"encrypt", OPT_ENCRYPT, '-', "Encrypt message"},
  90. {"decrypt", OPT_DECRYPT, '-', "Decrypt encrypted message"},
  91. {"sign", OPT_SIGN, '-', "Sign message"},
  92. {"sign_receipt", OPT_SIGN_RECEIPT, '-', "Generate a signed receipt for the message"},
  93. {"resign", OPT_RESIGN, '-', "Resign a signed message"},
  94. {"verify", OPT_VERIFY, '-', "Verify signed message"},
  95. {"verify_retcode", OPT_VERIFY_RETCODE, '-'},
  96. {"verify_receipt", OPT_VERIFY_RECEIPT, '<'},
  97. {"cmsout", OPT_CMSOUT, '-', "Output CMS structure"},
  98. {"data_out", OPT_DATA_OUT, '-'},
  99. {"data_create", OPT_DATA_CREATE, '-'},
  100. {"digest_verify", OPT_DIGEST_VERIFY, '-'},
  101. {"digest_create", OPT_DIGEST_CREATE, '-'},
  102. {"compress", OPT_COMPRESS, '-'},
  103. {"uncompress", OPT_UNCOMPRESS, '-'},
  104. {"EncryptedData_decrypt", OPT_ED_DECRYPT, '-'},
  105. {"EncryptedData_encrypt", OPT_ED_ENCRYPT, '-'},
  106. {"debug_decrypt", OPT_DEBUG_DECRYPT, '-'},
  107. {"text", OPT_TEXT, '-', "Include or delete text MIME headers"},
  108. {"asciicrlf", OPT_ASCIICRLF, '-'},
  109. {"nointern", OPT_NOINTERN, '-',
  110. "Don't search certificates in message for signer"},
  111. {"noverify", OPT_NOVERIFY, '-', "Don't verify signers certificate"},
  112. {"nocerts", OPT_NOCERTS, '-',
  113. "Don't include signers certificate when signing"},
  114. {"noattr", OPT_NOATTR, '-', "Don't include any signed attributes"},
  115. {"nodetach", OPT_NODETACH, '-', "Use opaque signing"},
  116. {"nosmimecap", OPT_NOSMIMECAP, '-', "Omit the SMIMECapabilities attribute"},
  117. {"binary", OPT_BINARY, '-', "Don't translate message to text"},
  118. {"keyid", OPT_KEYID, '-', "Use subject key identifier"},
  119. {"nosigs", OPT_NOSIGS, '-', "Don't verify message signature"},
  120. {"no_content_verify", OPT_NO_CONTENT_VERIFY, '-'},
  121. {"no_attr_verify", OPT_NO_ATTR_VERIFY, '-'},
  122. {"stream", OPT_INDEF, '-', "Enable CMS streaming"},
  123. {"indef", OPT_INDEF, '-', "Same as -stream"},
  124. {"noindef", OPT_NOINDEF, '-', "Disable CMS streaming"},
  125. {"crlfeol", OPT_CRLFEOL, '-', "Use CRLF as EOL termination instead of CR only" },
  126. {"noout", OPT_NOOUT, '-', "For the -cmsout operation do not output the parsed CMS structure"},
  127. {"receipt_request_print", OPT_RR_PRINT, '-', "Print CMS Receipt Request" },
  128. {"receipt_request_all", OPT_RR_ALL, '-'},
  129. {"receipt_request_first", OPT_RR_FIRST, '-'},
  130. {"rctform", OPT_RCTFORM, 'F', "Receipt file format"},
  131. {"certfile", OPT_CERTFILE, '<', "Other certificates file"},
  132. {"CAfile", OPT_CAFILE, '<', "Trusted certificates file"},
  133. {"CApath", OPT_CAPATH, '/', "trusted certificates directory"},
  134. {"no-CAfile", OPT_NOCAFILE, '-',
  135. "Do not load the default certificates file"},
  136. {"no-CApath", OPT_NOCAPATH, '-',
  137. "Do not load certificates from the default certificates directory"},
  138. {"content", OPT_CONTENT, '<',
  139. "Supply or override content for detached signature"},
  140. {"print", OPT_PRINT, '-',
  141. "For the -cmsout operation print out all fields of the CMS structure"},
  142. {"secretkey", OPT_SECRETKEY, 's'},
  143. {"secretkeyid", OPT_SECRETKEYID, 's'},
  144. {"pwri_password", OPT_PWRI_PASSWORD, 's'},
  145. {"econtent_type", OPT_ECONTENT_TYPE, 's'},
  146. {"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
  147. {"to", OPT_TO, 's', "To address"},
  148. {"from", OPT_FROM, 's', "From address"},
  149. {"subject", OPT_SUBJECT, 's', "Subject"},
  150. {"signer", OPT_SIGNER, 's', "Signer certificate file"},
  151. {"recip", OPT_RECIP, '<', "Recipient cert file for decryption"},
  152. {"certsout", OPT_CERTSOUT, '>', "Certificate output file"},
  153. {"md", OPT_MD, 's', "Digest algorithm to use when signing or resigning"},
  154. {"inkey", OPT_INKEY, 's',
  155. "Input private key (if not signer or recipient)"},
  156. {"keyform", OPT_KEYFORM, 'f', "Input private key format (PEM or ENGINE)"},
  157. {"keyopt", OPT_KEYOPT, 's', "Set public key parameters as n:v pairs"},
  158. {"receipt_request_from", OPT_RR_FROM, 's'},
  159. {"receipt_request_to", OPT_RR_TO, 's'},
  160. {"", OPT_CIPHER, '-', "Any supported cipher"},
  161. OPT_R_OPTIONS,
  162. OPT_V_OPTIONS,
  163. {"aes128-wrap", OPT_AES128_WRAP, '-', "Use AES128 to wrap key"},
  164. {"aes192-wrap", OPT_AES192_WRAP, '-', "Use AES192 to wrap key"},
  165. {"aes256-wrap", OPT_AES256_WRAP, '-', "Use AES256 to wrap key"},
  166. # ifndef OPENSSL_NO_DES
  167. {"des3-wrap", OPT_3DES_WRAP, '-', "Use 3DES-EDE to wrap key"},
  168. # endif
  169. # ifndef OPENSSL_NO_ENGINE
  170. {"engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device"},
  171. # endif
  172. {NULL}
  173. };
  174. int cms_main(int argc, char **argv)
  175. {
  176. ASN1_OBJECT *econtent_type = NULL;
  177. BIO *in = NULL, *out = NULL, *indata = NULL, *rctin = NULL;
  178. CMS_ContentInfo *cms = NULL, *rcms = NULL;
  179. CMS_ReceiptRequest *rr = NULL;
  180. ENGINE *e = NULL;
  181. EVP_PKEY *key = NULL;
  182. const EVP_CIPHER *cipher = NULL, *wrap_cipher = NULL;
  183. const EVP_MD *sign_md = NULL;
  184. STACK_OF(OPENSSL_STRING) *rr_to = NULL, *rr_from = NULL;
  185. STACK_OF(OPENSSL_STRING) *sksigners = NULL, *skkeys = NULL;
  186. STACK_OF(X509) *encerts = NULL, *other = NULL;
  187. X509 *cert = NULL, *recip = NULL, *signer = NULL;
  188. X509_STORE *store = NULL;
  189. X509_VERIFY_PARAM *vpm = NULL;
  190. char *certfile = NULL, *keyfile = NULL, *contfile = NULL;
  191. const char *CAfile = NULL, *CApath = NULL;
  192. char *certsoutfile = NULL;
  193. int noCAfile = 0, noCApath = 0;
  194. char *infile = NULL, *outfile = NULL, *rctfile = NULL;
  195. char *passinarg = NULL, *passin = NULL, *signerfile = NULL, *recipfile = NULL;
  196. char *to = NULL, *from = NULL, *subject = NULL, *prog;
  197. cms_key_param *key_first = NULL, *key_param = NULL;
  198. int flags = CMS_DETACHED, noout = 0, print = 0, keyidx = -1, vpmtouched = 0;
  199. int informat = FORMAT_SMIME, outformat = FORMAT_SMIME;
  200. int operation = 0, ret = 1, rr_print = 0, rr_allorfirst = -1;
  201. int verify_retcode = 0, rctformat = FORMAT_SMIME, keyform = FORMAT_PEM;
  202. size_t secret_keylen = 0, secret_keyidlen = 0;
  203. unsigned char *pwri_pass = NULL, *pwri_tmp = NULL;
  204. unsigned char *secret_key = NULL, *secret_keyid = NULL;
  205. long ltmp;
  206. const char *mime_eol = "\n";
  207. OPTION_CHOICE o;
  208. if ((vpm = X509_VERIFY_PARAM_new()) == NULL)
  209. return 1;
  210. prog = opt_init(argc, argv, cms_options);
  211. while ((o = opt_next()) != OPT_EOF) {
  212. switch (o) {
  213. case OPT_EOF:
  214. case OPT_ERR:
  215. opthelp:
  216. BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
  217. goto end;
  218. case OPT_HELP:
  219. opt_help(cms_options);
  220. ret = 0;
  221. goto end;
  222. case OPT_INFORM:
  223. if (!opt_format(opt_arg(), OPT_FMT_PDS, &informat))
  224. goto opthelp;
  225. break;
  226. case OPT_OUTFORM:
  227. if (!opt_format(opt_arg(), OPT_FMT_PDS, &outformat))
  228. goto opthelp;
  229. break;
  230. case OPT_OUT:
  231. outfile = opt_arg();
  232. break;
  233. case OPT_ENCRYPT:
  234. operation = SMIME_ENCRYPT;
  235. break;
  236. case OPT_DECRYPT:
  237. operation = SMIME_DECRYPT;
  238. break;
  239. case OPT_SIGN:
  240. operation = SMIME_SIGN;
  241. break;
  242. case OPT_SIGN_RECEIPT:
  243. operation = SMIME_SIGN_RECEIPT;
  244. break;
  245. case OPT_RESIGN:
  246. operation = SMIME_RESIGN;
  247. break;
  248. case OPT_VERIFY:
  249. operation = SMIME_VERIFY;
  250. break;
  251. case OPT_VERIFY_RETCODE:
  252. verify_retcode = 1;
  253. break;
  254. case OPT_VERIFY_RECEIPT:
  255. operation = SMIME_VERIFY_RECEIPT;
  256. rctfile = opt_arg();
  257. break;
  258. case OPT_CMSOUT:
  259. operation = SMIME_CMSOUT;
  260. break;
  261. case OPT_DATA_OUT:
  262. operation = SMIME_DATAOUT;
  263. break;
  264. case OPT_DATA_CREATE:
  265. operation = SMIME_DATA_CREATE;
  266. break;
  267. case OPT_DIGEST_VERIFY:
  268. operation = SMIME_DIGEST_VERIFY;
  269. break;
  270. case OPT_DIGEST_CREATE:
  271. operation = SMIME_DIGEST_CREATE;
  272. break;
  273. case OPT_COMPRESS:
  274. operation = SMIME_COMPRESS;
  275. break;
  276. case OPT_UNCOMPRESS:
  277. operation = SMIME_UNCOMPRESS;
  278. break;
  279. case OPT_ED_DECRYPT:
  280. operation = SMIME_ENCRYPTED_DECRYPT;
  281. break;
  282. case OPT_ED_ENCRYPT:
  283. operation = SMIME_ENCRYPTED_ENCRYPT;
  284. break;
  285. case OPT_DEBUG_DECRYPT:
  286. flags |= CMS_DEBUG_DECRYPT;
  287. break;
  288. case OPT_TEXT:
  289. flags |= CMS_TEXT;
  290. break;
  291. case OPT_ASCIICRLF:
  292. flags |= CMS_ASCIICRLF;
  293. break;
  294. case OPT_NOINTERN:
  295. flags |= CMS_NOINTERN;
  296. break;
  297. case OPT_NOVERIFY:
  298. flags |= CMS_NO_SIGNER_CERT_VERIFY;
  299. break;
  300. case OPT_NOCERTS:
  301. flags |= CMS_NOCERTS;
  302. break;
  303. case OPT_NOATTR:
  304. flags |= CMS_NOATTR;
  305. break;
  306. case OPT_NODETACH:
  307. flags &= ~CMS_DETACHED;
  308. break;
  309. case OPT_NOSMIMECAP:
  310. flags |= CMS_NOSMIMECAP;
  311. break;
  312. case OPT_BINARY:
  313. flags |= CMS_BINARY;
  314. break;
  315. case OPT_KEYID:
  316. flags |= CMS_USE_KEYID;
  317. break;
  318. case OPT_NOSIGS:
  319. flags |= CMS_NOSIGS;
  320. break;
  321. case OPT_NO_CONTENT_VERIFY:
  322. flags |= CMS_NO_CONTENT_VERIFY;
  323. break;
  324. case OPT_NO_ATTR_VERIFY:
  325. flags |= CMS_NO_ATTR_VERIFY;
  326. break;
  327. case OPT_INDEF:
  328. flags |= CMS_STREAM;
  329. break;
  330. case OPT_NOINDEF:
  331. flags &= ~CMS_STREAM;
  332. break;
  333. case OPT_CRLFEOL:
  334. mime_eol = "\r\n";
  335. flags |= CMS_CRLFEOL;
  336. break;
  337. case OPT_NOOUT:
  338. noout = 1;
  339. break;
  340. case OPT_RR_PRINT:
  341. rr_print = 1;
  342. break;
  343. case OPT_RR_ALL:
  344. rr_allorfirst = 0;
  345. break;
  346. case OPT_RR_FIRST:
  347. rr_allorfirst = 1;
  348. break;
  349. case OPT_RCTFORM:
  350. if (rctformat == FORMAT_SMIME)
  351. rcms = SMIME_read_CMS(rctin, NULL);
  352. else if (rctformat == FORMAT_PEM)
  353. rcms = PEM_read_bio_CMS(rctin, NULL, NULL, NULL);
  354. else if (rctformat == FORMAT_ASN1)
  355. if (!opt_format(opt_arg(),
  356. OPT_FMT_PEMDER | OPT_FMT_SMIME, &rctformat))
  357. goto opthelp;
  358. break;
  359. case OPT_CERTFILE:
  360. certfile = opt_arg();
  361. break;
  362. case OPT_CAFILE:
  363. CAfile = opt_arg();
  364. break;
  365. case OPT_CAPATH:
  366. CApath = opt_arg();
  367. break;
  368. case OPT_NOCAFILE:
  369. noCAfile = 1;
  370. break;
  371. case OPT_NOCAPATH:
  372. noCApath = 1;
  373. break;
  374. case OPT_IN:
  375. infile = opt_arg();
  376. break;
  377. case OPT_CONTENT:
  378. contfile = opt_arg();
  379. break;
  380. case OPT_RR_FROM:
  381. if (rr_from == NULL
  382. && (rr_from = sk_OPENSSL_STRING_new_null()) == NULL)
  383. goto end;
  384. sk_OPENSSL_STRING_push(rr_from, opt_arg());
  385. break;
  386. case OPT_RR_TO:
  387. if (rr_to == NULL
  388. && (rr_to = sk_OPENSSL_STRING_new_null()) == NULL)
  389. goto end;
  390. sk_OPENSSL_STRING_push(rr_to, opt_arg());
  391. break;
  392. case OPT_PRINT:
  393. noout = print = 1;
  394. break;
  395. case OPT_SECRETKEY:
  396. if (secret_key != NULL) {
  397. BIO_printf(bio_err, "Invalid key (supplied twice) %s\n",
  398. opt_arg());
  399. goto opthelp;
  400. }
  401. secret_key = OPENSSL_hexstr2buf(opt_arg(), &ltmp);
  402. if (secret_key == NULL) {
  403. BIO_printf(bio_err, "Invalid key %s\n", opt_arg());
  404. goto end;
  405. }
  406. secret_keylen = (size_t)ltmp;
  407. break;
  408. case OPT_SECRETKEYID:
  409. if (secret_keyid != NULL) {
  410. BIO_printf(bio_err, "Invalid id (supplied twice) %s\n",
  411. opt_arg());
  412. goto opthelp;
  413. }
  414. secret_keyid = OPENSSL_hexstr2buf(opt_arg(), &ltmp);
  415. if (secret_keyid == NULL) {
  416. BIO_printf(bio_err, "Invalid id %s\n", opt_arg());
  417. goto opthelp;
  418. }
  419. secret_keyidlen = (size_t)ltmp;
  420. break;
  421. case OPT_PWRI_PASSWORD:
  422. pwri_pass = (unsigned char *)opt_arg();
  423. break;
  424. case OPT_ECONTENT_TYPE:
  425. if (econtent_type != NULL) {
  426. BIO_printf(bio_err, "Invalid OID (supplied twice) %s\n",
  427. opt_arg());
  428. goto opthelp;
  429. }
  430. econtent_type = OBJ_txt2obj(opt_arg(), 0);
  431. if (econtent_type == NULL) {
  432. BIO_printf(bio_err, "Invalid OID %s\n", opt_arg());
  433. goto opthelp;
  434. }
  435. break;
  436. case OPT_ENGINE:
  437. e = setup_engine(opt_arg(), 0);
  438. break;
  439. case OPT_PASSIN:
  440. passinarg = opt_arg();
  441. break;
  442. case OPT_TO:
  443. to = opt_arg();
  444. break;
  445. case OPT_FROM:
  446. from = opt_arg();
  447. break;
  448. case OPT_SUBJECT:
  449. subject = opt_arg();
  450. break;
  451. case OPT_CERTSOUT:
  452. certsoutfile = opt_arg();
  453. break;
  454. case OPT_MD:
  455. if (!opt_md(opt_arg(), &sign_md))
  456. goto end;
  457. break;
  458. case OPT_SIGNER:
  459. /* If previous -signer argument add signer to list */
  460. if (signerfile != NULL) {
  461. if (sksigners == NULL
  462. && (sksigners = sk_OPENSSL_STRING_new_null()) == NULL)
  463. goto end;
  464. sk_OPENSSL_STRING_push(sksigners, signerfile);
  465. if (keyfile == NULL)
  466. keyfile = signerfile;
  467. if (skkeys == NULL
  468. && (skkeys = sk_OPENSSL_STRING_new_null()) == NULL)
  469. goto end;
  470. sk_OPENSSL_STRING_push(skkeys, keyfile);
  471. keyfile = NULL;
  472. }
  473. signerfile = opt_arg();
  474. break;
  475. case OPT_INKEY:
  476. /* If previous -inkey argument add signer to list */
  477. if (keyfile != NULL) {
  478. if (signerfile == NULL) {
  479. BIO_puts(bio_err, "Illegal -inkey without -signer\n");
  480. goto end;
  481. }
  482. if (sksigners == NULL
  483. && (sksigners = sk_OPENSSL_STRING_new_null()) == NULL)
  484. goto end;
  485. sk_OPENSSL_STRING_push(sksigners, signerfile);
  486. signerfile = NULL;
  487. if (skkeys == NULL
  488. && (skkeys = sk_OPENSSL_STRING_new_null()) == NULL)
  489. goto end;
  490. sk_OPENSSL_STRING_push(skkeys, keyfile);
  491. }
  492. keyfile = opt_arg();
  493. break;
  494. case OPT_KEYFORM:
  495. if (!opt_format(opt_arg(), OPT_FMT_ANY, &keyform))
  496. goto opthelp;
  497. break;
  498. case OPT_RECIP:
  499. if (operation == SMIME_ENCRYPT) {
  500. if (encerts == NULL && (encerts = sk_X509_new_null()) == NULL)
  501. goto end;
  502. cert = load_cert(opt_arg(), FORMAT_PEM,
  503. "recipient certificate file");
  504. if (cert == NULL)
  505. goto end;
  506. sk_X509_push(encerts, cert);
  507. cert = NULL;
  508. } else {
  509. recipfile = opt_arg();
  510. }
  511. break;
  512. case OPT_CIPHER:
  513. if (!opt_cipher(opt_unknown(), &cipher))
  514. goto end;
  515. break;
  516. case OPT_KEYOPT:
  517. keyidx = -1;
  518. if (operation == SMIME_ENCRYPT) {
  519. if (encerts != NULL)
  520. keyidx += sk_X509_num(encerts);
  521. } else {
  522. if (keyfile != NULL || signerfile != NULL)
  523. keyidx++;
  524. if (skkeys != NULL)
  525. keyidx += sk_OPENSSL_STRING_num(skkeys);
  526. }
  527. if (keyidx < 0) {
  528. BIO_printf(bio_err, "No key specified\n");
  529. goto opthelp;
  530. }
  531. if (key_param == NULL || key_param->idx != keyidx) {
  532. cms_key_param *nparam;
  533. nparam = app_malloc(sizeof(*nparam), "key param buffer");
  534. if ((nparam->param = sk_OPENSSL_STRING_new_null()) == NULL) {
  535. OPENSSL_free(nparam);
  536. goto end;
  537. }
  538. nparam->idx = keyidx;
  539. nparam->next = NULL;
  540. if (key_first == NULL)
  541. key_first = nparam;
  542. else
  543. key_param->next = nparam;
  544. key_param = nparam;
  545. }
  546. sk_OPENSSL_STRING_push(key_param->param, opt_arg());
  547. break;
  548. case OPT_V_CASES:
  549. if (!opt_verify(o, vpm))
  550. goto end;
  551. vpmtouched++;
  552. break;
  553. case OPT_R_CASES:
  554. if (!opt_rand(o))
  555. goto end;
  556. break;
  557. case OPT_3DES_WRAP:
  558. # ifndef OPENSSL_NO_DES
  559. wrap_cipher = EVP_des_ede3_wrap();
  560. # endif
  561. break;
  562. case OPT_AES128_WRAP:
  563. wrap_cipher = EVP_aes_128_wrap();
  564. break;
  565. case OPT_AES192_WRAP:
  566. wrap_cipher = EVP_aes_192_wrap();
  567. break;
  568. case OPT_AES256_WRAP:
  569. wrap_cipher = EVP_aes_256_wrap();
  570. break;
  571. }
  572. }
  573. argc = opt_num_rest();
  574. argv = opt_rest();
  575. if ((rr_allorfirst != -1 || rr_from != NULL) && rr_to == NULL) {
  576. BIO_puts(bio_err, "No Signed Receipts Recipients\n");
  577. goto opthelp;
  578. }
  579. if (!(operation & SMIME_SIGNERS) && (rr_to != NULL || rr_from != NULL)) {
  580. BIO_puts(bio_err, "Signed receipts only allowed with -sign\n");
  581. goto opthelp;
  582. }
  583. if (!(operation & SMIME_SIGNERS) && (skkeys != NULL || sksigners != NULL)) {
  584. BIO_puts(bio_err, "Multiple signers or keys not allowed\n");
  585. goto opthelp;
  586. }
  587. if (operation & SMIME_SIGNERS) {
  588. if (keyfile != NULL && signerfile == NULL) {
  589. BIO_puts(bio_err, "Illegal -inkey without -signer\n");
  590. goto opthelp;
  591. }
  592. /* Check to see if any final signer needs to be appended */
  593. if (signerfile != NULL) {
  594. if (sksigners == NULL
  595. && (sksigners = sk_OPENSSL_STRING_new_null()) == NULL)
  596. goto end;
  597. sk_OPENSSL_STRING_push(sksigners, signerfile);
  598. if (skkeys == NULL && (skkeys = sk_OPENSSL_STRING_new_null()) == NULL)
  599. goto end;
  600. if (keyfile == NULL)
  601. keyfile = signerfile;
  602. sk_OPENSSL_STRING_push(skkeys, keyfile);
  603. }
  604. if (sksigners == NULL) {
  605. BIO_printf(bio_err, "No signer certificate specified\n");
  606. goto opthelp;
  607. }
  608. signerfile = NULL;
  609. keyfile = NULL;
  610. } else if (operation == SMIME_DECRYPT) {
  611. if (recipfile == NULL && keyfile == NULL
  612. && secret_key == NULL && pwri_pass == NULL) {
  613. BIO_printf(bio_err,
  614. "No recipient certificate or key specified\n");
  615. goto opthelp;
  616. }
  617. } else if (operation == SMIME_ENCRYPT) {
  618. if (*argv == NULL && secret_key == NULL
  619. && pwri_pass == NULL && encerts == NULL) {
  620. BIO_printf(bio_err, "No recipient(s) certificate(s) specified\n");
  621. goto opthelp;
  622. }
  623. } else if (!operation) {
  624. BIO_printf(bio_err, "No operation option (-encrypt|-decrypt|-sign|-verify|...) specified.\n");
  625. goto opthelp;
  626. }
  627. if (!app_passwd(passinarg, NULL, &passin, NULL)) {
  628. BIO_printf(bio_err, "Error getting password\n");
  629. goto end;
  630. }
  631. ret = 2;
  632. if (!(operation & SMIME_SIGNERS))
  633. flags &= ~CMS_DETACHED;
  634. if (!(operation & SMIME_OP))
  635. if (flags & CMS_BINARY)
  636. outformat = FORMAT_BINARY;
  637. if (!(operation & SMIME_IP))
  638. if (flags & CMS_BINARY)
  639. informat = FORMAT_BINARY;
  640. if (operation == SMIME_ENCRYPT) {
  641. if (!cipher) {
  642. # ifndef OPENSSL_NO_DES
  643. cipher = EVP_des_ede3_cbc();
  644. # else
  645. BIO_printf(bio_err, "No cipher selected\n");
  646. goto end;
  647. # endif
  648. }
  649. if (secret_key && !secret_keyid) {
  650. BIO_printf(bio_err, "No secret key id\n");
  651. goto end;
  652. }
  653. if (*argv && encerts == NULL)
  654. if ((encerts = sk_X509_new_null()) == NULL)
  655. goto end;
  656. while (*argv) {
  657. if ((cert = load_cert(*argv, FORMAT_PEM,
  658. "recipient certificate file")) == NULL)
  659. goto end;
  660. sk_X509_push(encerts, cert);
  661. cert = NULL;
  662. argv++;
  663. }
  664. }
  665. if (certfile != NULL) {
  666. if (!load_certs(certfile, &other, FORMAT_PEM, NULL,
  667. "certificate file")) {
  668. ERR_print_errors(bio_err);
  669. goto end;
  670. }
  671. }
  672. if (recipfile != NULL && (operation == SMIME_DECRYPT)) {
  673. if ((recip = load_cert(recipfile, FORMAT_PEM,
  674. "recipient certificate file")) == NULL) {
  675. ERR_print_errors(bio_err);
  676. goto end;
  677. }
  678. }
  679. if (operation == SMIME_SIGN_RECEIPT) {
  680. if ((signer = load_cert(signerfile, FORMAT_PEM,
  681. "receipt signer certificate file")) == NULL) {
  682. ERR_print_errors(bio_err);
  683. goto end;
  684. }
  685. }
  686. if (operation == SMIME_DECRYPT) {
  687. if (keyfile == NULL)
  688. keyfile = recipfile;
  689. } else if ((operation == SMIME_SIGN) || (operation == SMIME_SIGN_RECEIPT)) {
  690. if (keyfile == NULL)
  691. keyfile = signerfile;
  692. } else {
  693. keyfile = NULL;
  694. }
  695. if (keyfile != NULL) {
  696. key = load_key(keyfile, keyform, 0, passin, e, "signing key file");
  697. if (key == NULL)
  698. goto end;
  699. }
  700. in = bio_open_default(infile, 'r', informat);
  701. if (in == NULL)
  702. goto end;
  703. if (operation & SMIME_IP) {
  704. if (informat == FORMAT_SMIME) {
  705. cms = SMIME_read_CMS(in, &indata);
  706. } else if (informat == FORMAT_PEM) {
  707. cms = PEM_read_bio_CMS(in, NULL, NULL, NULL);
  708. } else if (informat == FORMAT_ASN1) {
  709. cms = d2i_CMS_bio(in, NULL);
  710. } else {
  711. BIO_printf(bio_err, "Bad input format for CMS file\n");
  712. goto end;
  713. }
  714. if (cms == NULL) {
  715. BIO_printf(bio_err, "Error reading S/MIME message\n");
  716. goto end;
  717. }
  718. if (contfile != NULL) {
  719. BIO_free(indata);
  720. if ((indata = BIO_new_file(contfile, "rb")) == NULL) {
  721. BIO_printf(bio_err, "Can't read content file %s\n", contfile);
  722. goto end;
  723. }
  724. }
  725. if (certsoutfile != NULL) {
  726. STACK_OF(X509) *allcerts;
  727. allcerts = CMS_get1_certs(cms);
  728. if (!save_certs(certsoutfile, allcerts)) {
  729. BIO_printf(bio_err,
  730. "Error writing certs to %s\n", certsoutfile);
  731. ret = 5;
  732. goto end;
  733. }
  734. sk_X509_pop_free(allcerts, X509_free);
  735. }
  736. }
  737. if (rctfile != NULL) {
  738. char *rctmode = (rctformat == FORMAT_ASN1) ? "rb" : "r";
  739. if ((rctin = BIO_new_file(rctfile, rctmode)) == NULL) {
  740. BIO_printf(bio_err, "Can't open receipt file %s\n", rctfile);
  741. goto end;
  742. }
  743. if (rctformat == FORMAT_SMIME) {
  744. rcms = SMIME_read_CMS(rctin, NULL);
  745. } else if (rctformat == FORMAT_PEM) {
  746. rcms = PEM_read_bio_CMS(rctin, NULL, NULL, NULL);
  747. } else if (rctformat == FORMAT_ASN1) {
  748. rcms = d2i_CMS_bio(rctin, NULL);
  749. } else {
  750. BIO_printf(bio_err, "Bad input format for receipt\n");
  751. goto end;
  752. }
  753. if (rcms == NULL) {
  754. BIO_printf(bio_err, "Error reading receipt\n");
  755. goto end;
  756. }
  757. }
  758. out = bio_open_default(outfile, 'w', outformat);
  759. if (out == NULL)
  760. goto end;
  761. if ((operation == SMIME_VERIFY) || (operation == SMIME_VERIFY_RECEIPT)) {
  762. if ((store = setup_verify(CAfile, CApath, noCAfile, noCApath)) == NULL)
  763. goto end;
  764. X509_STORE_set_verify_cb(store, cms_cb);
  765. if (vpmtouched)
  766. X509_STORE_set1_param(store, vpm);
  767. }
  768. ret = 3;
  769. if (operation == SMIME_DATA_CREATE) {
  770. cms = CMS_data_create(in, flags);
  771. } else if (operation == SMIME_DIGEST_CREATE) {
  772. cms = CMS_digest_create(in, sign_md, flags);
  773. } else if (operation == SMIME_COMPRESS) {
  774. cms = CMS_compress(in, -1, flags);
  775. } else if (operation == SMIME_ENCRYPT) {
  776. int i;
  777. flags |= CMS_PARTIAL;
  778. cms = CMS_encrypt(NULL, in, cipher, flags);
  779. if (cms == NULL)
  780. goto end;
  781. for (i = 0; i < sk_X509_num(encerts); i++) {
  782. CMS_RecipientInfo *ri;
  783. cms_key_param *kparam;
  784. int tflags = flags;
  785. X509 *x = sk_X509_value(encerts, i);
  786. for (kparam = key_first; kparam; kparam = kparam->next) {
  787. if (kparam->idx == i) {
  788. tflags |= CMS_KEY_PARAM;
  789. break;
  790. }
  791. }
  792. ri = CMS_add1_recipient_cert(cms, x, tflags);
  793. if (ri == NULL)
  794. goto end;
  795. if (kparam != NULL) {
  796. EVP_PKEY_CTX *pctx;
  797. pctx = CMS_RecipientInfo_get0_pkey_ctx(ri);
  798. if (!cms_set_pkey_param(pctx, kparam->param))
  799. goto end;
  800. }
  801. if (CMS_RecipientInfo_type(ri) == CMS_RECIPINFO_AGREE
  802. && wrap_cipher) {
  803. EVP_CIPHER_CTX *wctx;
  804. wctx = CMS_RecipientInfo_kari_get0_ctx(ri);
  805. EVP_EncryptInit_ex(wctx, wrap_cipher, NULL, NULL, NULL);
  806. }
  807. }
  808. if (secret_key != NULL) {
  809. if (!CMS_add0_recipient_key(cms, NID_undef,
  810. secret_key, secret_keylen,
  811. secret_keyid, secret_keyidlen,
  812. NULL, NULL, NULL))
  813. goto end;
  814. /* NULL these because call absorbs them */
  815. secret_key = NULL;
  816. secret_keyid = NULL;
  817. }
  818. if (pwri_pass != NULL) {
  819. pwri_tmp = (unsigned char *)OPENSSL_strdup((char *)pwri_pass);
  820. if (pwri_tmp == NULL)
  821. goto end;
  822. if (CMS_add0_recipient_password(cms,
  823. -1, NID_undef, NID_undef,
  824. pwri_tmp, -1, NULL) == NULL)
  825. goto end;
  826. pwri_tmp = NULL;
  827. }
  828. if (!(flags & CMS_STREAM)) {
  829. if (!CMS_final(cms, in, NULL, flags))
  830. goto end;
  831. }
  832. } else if (operation == SMIME_ENCRYPTED_ENCRYPT) {
  833. cms = CMS_EncryptedData_encrypt(in, cipher,
  834. secret_key, secret_keylen, flags);
  835. } else if (operation == SMIME_SIGN_RECEIPT) {
  836. CMS_ContentInfo *srcms = NULL;
  837. STACK_OF(CMS_SignerInfo) *sis;
  838. CMS_SignerInfo *si;
  839. sis = CMS_get0_SignerInfos(cms);
  840. if (sis == NULL)
  841. goto end;
  842. si = sk_CMS_SignerInfo_value(sis, 0);
  843. srcms = CMS_sign_receipt(si, signer, key, other, flags);
  844. if (srcms == NULL)
  845. goto end;
  846. CMS_ContentInfo_free(cms);
  847. cms = srcms;
  848. } else if (operation & SMIME_SIGNERS) {
  849. int i;
  850. /*
  851. * If detached data content we enable streaming if S/MIME output
  852. * format.
  853. */
  854. if (operation == SMIME_SIGN) {
  855. if (flags & CMS_DETACHED) {
  856. if (outformat == FORMAT_SMIME)
  857. flags |= CMS_STREAM;
  858. }
  859. flags |= CMS_PARTIAL;
  860. cms = CMS_sign(NULL, NULL, other, in, flags);
  861. if (cms == NULL)
  862. goto end;
  863. if (econtent_type != NULL)
  864. CMS_set1_eContentType(cms, econtent_type);
  865. if (rr_to != NULL) {
  866. rr = make_receipt_request(rr_to, rr_allorfirst, rr_from);
  867. if (rr == NULL) {
  868. BIO_puts(bio_err,
  869. "Signed Receipt Request Creation Error\n");
  870. goto end;
  871. }
  872. }
  873. } else {
  874. flags |= CMS_REUSE_DIGEST;
  875. }
  876. for (i = 0; i < sk_OPENSSL_STRING_num(sksigners); i++) {
  877. CMS_SignerInfo *si;
  878. cms_key_param *kparam;
  879. int tflags = flags;
  880. signerfile = sk_OPENSSL_STRING_value(sksigners, i);
  881. keyfile = sk_OPENSSL_STRING_value(skkeys, i);
  882. signer = load_cert(signerfile, FORMAT_PEM, "signer certificate");
  883. if (signer == NULL) {
  884. ret = 2;
  885. goto end;
  886. }
  887. key = load_key(keyfile, keyform, 0, passin, e, "signing key file");
  888. if (key == NULL) {
  889. ret = 2;
  890. goto end;
  891. }
  892. for (kparam = key_first; kparam; kparam = kparam->next) {
  893. if (kparam->idx == i) {
  894. tflags |= CMS_KEY_PARAM;
  895. break;
  896. }
  897. }
  898. si = CMS_add1_signer(cms, signer, key, sign_md, tflags);
  899. if (si == NULL)
  900. goto end;
  901. if (kparam != NULL) {
  902. EVP_PKEY_CTX *pctx;
  903. pctx = CMS_SignerInfo_get0_pkey_ctx(si);
  904. if (!cms_set_pkey_param(pctx, kparam->param))
  905. goto end;
  906. }
  907. if (rr != NULL && !CMS_add1_ReceiptRequest(si, rr))
  908. goto end;
  909. X509_free(signer);
  910. signer = NULL;
  911. EVP_PKEY_free(key);
  912. key = NULL;
  913. }
  914. /* If not streaming or resigning finalize structure */
  915. if ((operation == SMIME_SIGN) && !(flags & CMS_STREAM)) {
  916. if (!CMS_final(cms, in, NULL, flags))
  917. goto end;
  918. }
  919. }
  920. if (cms == NULL) {
  921. BIO_printf(bio_err, "Error creating CMS structure\n");
  922. goto end;
  923. }
  924. ret = 4;
  925. if (operation == SMIME_DECRYPT) {
  926. if (flags & CMS_DEBUG_DECRYPT)
  927. CMS_decrypt(cms, NULL, NULL, NULL, NULL, flags);
  928. if (secret_key != NULL) {
  929. if (!CMS_decrypt_set1_key(cms,
  930. secret_key, secret_keylen,
  931. secret_keyid, secret_keyidlen)) {
  932. BIO_puts(bio_err, "Error decrypting CMS using secret key\n");
  933. goto end;
  934. }
  935. }
  936. if (key != NULL) {
  937. if (!CMS_decrypt_set1_pkey(cms, key, recip)) {
  938. BIO_puts(bio_err, "Error decrypting CMS using private key\n");
  939. goto end;
  940. }
  941. }
  942. if (pwri_pass != NULL) {
  943. if (!CMS_decrypt_set1_password(cms, pwri_pass, -1)) {
  944. BIO_puts(bio_err, "Error decrypting CMS using password\n");
  945. goto end;
  946. }
  947. }
  948. if (!CMS_decrypt(cms, NULL, NULL, indata, out, flags)) {
  949. BIO_printf(bio_err, "Error decrypting CMS structure\n");
  950. goto end;
  951. }
  952. } else if (operation == SMIME_DATAOUT) {
  953. if (!CMS_data(cms, out, flags))
  954. goto end;
  955. } else if (operation == SMIME_UNCOMPRESS) {
  956. if (!CMS_uncompress(cms, indata, out, flags))
  957. goto end;
  958. } else if (operation == SMIME_DIGEST_VERIFY) {
  959. if (CMS_digest_verify(cms, indata, out, flags) > 0) {
  960. BIO_printf(bio_err, "Verification successful\n");
  961. } else {
  962. BIO_printf(bio_err, "Verification failure\n");
  963. goto end;
  964. }
  965. } else if (operation == SMIME_ENCRYPTED_DECRYPT) {
  966. if (!CMS_EncryptedData_decrypt(cms, secret_key, secret_keylen,
  967. indata, out, flags))
  968. goto end;
  969. } else if (operation == SMIME_VERIFY) {
  970. if (CMS_verify(cms, other, store, indata, out, flags) > 0) {
  971. BIO_printf(bio_err, "Verification successful\n");
  972. } else {
  973. BIO_printf(bio_err, "Verification failure\n");
  974. if (verify_retcode)
  975. ret = verify_err + 32;
  976. goto end;
  977. }
  978. if (signerfile != NULL) {
  979. STACK_OF(X509) *signers;
  980. signers = CMS_get0_signers(cms);
  981. if (!save_certs(signerfile, signers)) {
  982. BIO_printf(bio_err,
  983. "Error writing signers to %s\n", signerfile);
  984. ret = 5;
  985. goto end;
  986. }
  987. sk_X509_free(signers);
  988. }
  989. if (rr_print)
  990. receipt_request_print(cms);
  991. } else if (operation == SMIME_VERIFY_RECEIPT) {
  992. if (CMS_verify_receipt(rcms, cms, other, store, flags) > 0) {
  993. BIO_printf(bio_err, "Verification successful\n");
  994. } else {
  995. BIO_printf(bio_err, "Verification failure\n");
  996. goto end;
  997. }
  998. } else {
  999. if (noout) {
  1000. if (print)
  1001. CMS_ContentInfo_print_ctx(out, cms, 0, NULL);
  1002. } else if (outformat == FORMAT_SMIME) {
  1003. if (to)
  1004. BIO_printf(out, "To: %s%s", to, mime_eol);
  1005. if (from)
  1006. BIO_printf(out, "From: %s%s", from, mime_eol);
  1007. if (subject)
  1008. BIO_printf(out, "Subject: %s%s", subject, mime_eol);
  1009. if (operation == SMIME_RESIGN)
  1010. ret = SMIME_write_CMS(out, cms, indata, flags);
  1011. else
  1012. ret = SMIME_write_CMS(out, cms, in, flags);
  1013. } else if (outformat == FORMAT_PEM) {
  1014. ret = PEM_write_bio_CMS_stream(out, cms, in, flags);
  1015. } else if (outformat == FORMAT_ASN1) {
  1016. ret = i2d_CMS_bio_stream(out, cms, in, flags);
  1017. } else {
  1018. BIO_printf(bio_err, "Bad output format for CMS file\n");
  1019. goto end;
  1020. }
  1021. if (ret <= 0) {
  1022. ret = 6;
  1023. goto end;
  1024. }
  1025. }
  1026. ret = 0;
  1027. end:
  1028. if (ret)
  1029. ERR_print_errors(bio_err);
  1030. sk_X509_pop_free(encerts, X509_free);
  1031. sk_X509_pop_free(other, X509_free);
  1032. X509_VERIFY_PARAM_free(vpm);
  1033. sk_OPENSSL_STRING_free(sksigners);
  1034. sk_OPENSSL_STRING_free(skkeys);
  1035. OPENSSL_free(secret_key);
  1036. OPENSSL_free(secret_keyid);
  1037. OPENSSL_free(pwri_tmp);
  1038. ASN1_OBJECT_free(econtent_type);
  1039. CMS_ReceiptRequest_free(rr);
  1040. sk_OPENSSL_STRING_free(rr_to);
  1041. sk_OPENSSL_STRING_free(rr_from);
  1042. for (key_param = key_first; key_param;) {
  1043. cms_key_param *tparam;
  1044. sk_OPENSSL_STRING_free(key_param->param);
  1045. tparam = key_param->next;
  1046. OPENSSL_free(key_param);
  1047. key_param = tparam;
  1048. }
  1049. X509_STORE_free(store);
  1050. X509_free(cert);
  1051. X509_free(recip);
  1052. X509_free(signer);
  1053. EVP_PKEY_free(key);
  1054. CMS_ContentInfo_free(cms);
  1055. CMS_ContentInfo_free(rcms);
  1056. release_engine(e);
  1057. BIO_free(rctin);
  1058. BIO_free(in);
  1059. BIO_free(indata);
  1060. BIO_free_all(out);
  1061. OPENSSL_free(passin);
  1062. return ret;
  1063. }
  1064. static int save_certs(char *signerfile, STACK_OF(X509) *signers)
  1065. {
  1066. int i;
  1067. BIO *tmp;
  1068. if (signerfile == NULL)
  1069. return 1;
  1070. tmp = BIO_new_file(signerfile, "w");
  1071. if (tmp == NULL)
  1072. return 0;
  1073. for (i = 0; i < sk_X509_num(signers); i++)
  1074. PEM_write_bio_X509(tmp, sk_X509_value(signers, i));
  1075. BIO_free(tmp);
  1076. return 1;
  1077. }
  1078. /* Minimal callback just to output policy info (if any) */
  1079. static int cms_cb(int ok, X509_STORE_CTX *ctx)
  1080. {
  1081. int error;
  1082. error = X509_STORE_CTX_get_error(ctx);
  1083. verify_err = error;
  1084. if ((error != X509_V_ERR_NO_EXPLICIT_POLICY)
  1085. && ((error != X509_V_OK) || (ok != 2)))
  1086. return ok;
  1087. policies_print(ctx);
  1088. return ok;
  1089. }
  1090. static void gnames_stack_print(STACK_OF(GENERAL_NAMES) *gns)
  1091. {
  1092. STACK_OF(GENERAL_NAME) *gens;
  1093. GENERAL_NAME *gen;
  1094. int i, j;
  1095. for (i = 0; i < sk_GENERAL_NAMES_num(gns); i++) {
  1096. gens = sk_GENERAL_NAMES_value(gns, i);
  1097. for (j = 0; j < sk_GENERAL_NAME_num(gens); j++) {
  1098. gen = sk_GENERAL_NAME_value(gens, j);
  1099. BIO_puts(bio_err, " ");
  1100. GENERAL_NAME_print(bio_err, gen);
  1101. BIO_puts(bio_err, "\n");
  1102. }
  1103. }
  1104. return;
  1105. }
  1106. static void receipt_request_print(CMS_ContentInfo *cms)
  1107. {
  1108. STACK_OF(CMS_SignerInfo) *sis;
  1109. CMS_SignerInfo *si;
  1110. CMS_ReceiptRequest *rr;
  1111. int allorfirst;
  1112. STACK_OF(GENERAL_NAMES) *rto, *rlist;
  1113. ASN1_STRING *scid;
  1114. int i, rv;
  1115. sis = CMS_get0_SignerInfos(cms);
  1116. for (i = 0; i < sk_CMS_SignerInfo_num(sis); i++) {
  1117. si = sk_CMS_SignerInfo_value(sis, i);
  1118. rv = CMS_get1_ReceiptRequest(si, &rr);
  1119. BIO_printf(bio_err, "Signer %d:\n", i + 1);
  1120. if (rv == 0) {
  1121. BIO_puts(bio_err, " No Receipt Request\n");
  1122. } else if (rv < 0) {
  1123. BIO_puts(bio_err, " Receipt Request Parse Error\n");
  1124. ERR_print_errors(bio_err);
  1125. } else {
  1126. const char *id;
  1127. int idlen;
  1128. CMS_ReceiptRequest_get0_values(rr, &scid, &allorfirst,
  1129. &rlist, &rto);
  1130. BIO_puts(bio_err, " Signed Content ID:\n");
  1131. idlen = ASN1_STRING_length(scid);
  1132. id = (const char *)ASN1_STRING_get0_data(scid);
  1133. BIO_dump_indent(bio_err, id, idlen, 4);
  1134. BIO_puts(bio_err, " Receipts From");
  1135. if (rlist != NULL) {
  1136. BIO_puts(bio_err, " List:\n");
  1137. gnames_stack_print(rlist);
  1138. } else if (allorfirst == 1) {
  1139. BIO_puts(bio_err, ": First Tier\n");
  1140. } else if (allorfirst == 0) {
  1141. BIO_puts(bio_err, ": All\n");
  1142. } else {
  1143. BIO_printf(bio_err, " Unknown (%d)\n", allorfirst);
  1144. }
  1145. BIO_puts(bio_err, " Receipts To:\n");
  1146. gnames_stack_print(rto);
  1147. }
  1148. CMS_ReceiptRequest_free(rr);
  1149. }
  1150. }
  1151. static STACK_OF(GENERAL_NAMES) *make_names_stack(STACK_OF(OPENSSL_STRING) *ns)
  1152. {
  1153. int i;
  1154. STACK_OF(GENERAL_NAMES) *ret;
  1155. GENERAL_NAMES *gens = NULL;
  1156. GENERAL_NAME *gen = NULL;
  1157. ret = sk_GENERAL_NAMES_new_null();
  1158. if (ret == NULL)
  1159. goto err;
  1160. for (i = 0; i < sk_OPENSSL_STRING_num(ns); i++) {
  1161. char *str = sk_OPENSSL_STRING_value(ns, i);
  1162. gen = a2i_GENERAL_NAME(NULL, NULL, NULL, GEN_EMAIL, str, 0);
  1163. if (gen == NULL)
  1164. goto err;
  1165. gens = GENERAL_NAMES_new();
  1166. if (gens == NULL)
  1167. goto err;
  1168. if (!sk_GENERAL_NAME_push(gens, gen))
  1169. goto err;
  1170. gen = NULL;
  1171. if (!sk_GENERAL_NAMES_push(ret, gens))
  1172. goto err;
  1173. gens = NULL;
  1174. }
  1175. return ret;
  1176. err:
  1177. sk_GENERAL_NAMES_pop_free(ret, GENERAL_NAMES_free);
  1178. GENERAL_NAMES_free(gens);
  1179. GENERAL_NAME_free(gen);
  1180. return NULL;
  1181. }
  1182. static CMS_ReceiptRequest *make_receipt_request(STACK_OF(OPENSSL_STRING)
  1183. *rr_to, int rr_allorfirst, STACK_OF(OPENSSL_STRING)
  1184. *rr_from)
  1185. {
  1186. STACK_OF(GENERAL_NAMES) *rct_to = NULL, *rct_from = NULL;
  1187. CMS_ReceiptRequest *rr;
  1188. rct_to = make_names_stack(rr_to);
  1189. if (rct_to == NULL)
  1190. goto err;
  1191. if (rr_from != NULL) {
  1192. rct_from = make_names_stack(rr_from);
  1193. if (rct_from == NULL)
  1194. goto err;
  1195. } else {
  1196. rct_from = NULL;
  1197. }
  1198. rr = CMS_ReceiptRequest_create0(NULL, -1, rr_allorfirst, rct_from,
  1199. rct_to);
  1200. return rr;
  1201. err:
  1202. sk_GENERAL_NAMES_pop_free(rct_to, GENERAL_NAMES_free);
  1203. return NULL;
  1204. }
  1205. static int cms_set_pkey_param(EVP_PKEY_CTX *pctx,
  1206. STACK_OF(OPENSSL_STRING) *param)
  1207. {
  1208. char *keyopt;
  1209. int i;
  1210. if (sk_OPENSSL_STRING_num(param) <= 0)
  1211. return 1;
  1212. for (i = 0; i < sk_OPENSSL_STRING_num(param); i++) {
  1213. keyopt = sk_OPENSSL_STRING_value(param, i);
  1214. if (pkey_ctrl_string(pctx, keyopt) <= 0) {
  1215. BIO_printf(bio_err, "parameter error \"%s\"\n", keyopt);
  1216. ERR_print_errors(bio_err);
  1217. return 0;
  1218. }
  1219. }
  1220. return 1;
  1221. }
  1222. #endif