Changeset View
Changeset View
Standalone View
Standalone View
apps/cms.c
/* | /* | ||||
* Copyright 2008-2020 The OpenSSL Project Authors. All Rights Reserved. | * Copyright 2008-2021 The OpenSSL Project Authors. All Rights Reserved. | ||||
* | * | ||||
* Licensed under the OpenSSL license (the "License"). You may not use | * Licensed under the Apache License 2.0 (the "License"). You may not use | ||||
* this file except in compliance with the License. You can obtain a copy | * this file except in compliance with the License. You can obtain a copy | ||||
* in the file LICENSE in the source distribution or at | * in the file LICENSE in the source distribution or at | ||||
* https://www.openssl.org/source/license.html | * https://www.openssl.org/source/license.html | ||||
*/ | */ | ||||
/* CMS utility function */ | /* CMS utility function */ | ||||
#include <stdio.h> | #include <stdio.h> | ||||
#include <string.h> | #include <string.h> | ||||
#include "apps.h" | #include "apps.h" | ||||
#include "progs.h" | #include "progs.h" | ||||
#ifndef OPENSSL_NO_CMS | |||||
# include <openssl/crypto.h> | #include <openssl/crypto.h> | ||||
# include <openssl/pem.h> | #include <openssl/pem.h> | ||||
# include <openssl/err.h> | #include <openssl/err.h> | ||||
# include <openssl/x509_vfy.h> | #include <openssl/x509_vfy.h> | ||||
# include <openssl/x509v3.h> | #include <openssl/x509v3.h> | ||||
# include <openssl/cms.h> | #include <openssl/cms.h> | ||||
static int save_certs(char *signerfile, STACK_OF(X509) *signers); | static int save_certs(char *signerfile, STACK_OF(X509) *signers); | ||||
static int cms_cb(int ok, X509_STORE_CTX *ctx); | static int cms_cb(int ok, X509_STORE_CTX *ctx); | ||||
static void receipt_request_print(CMS_ContentInfo *cms); | static void receipt_request_print(CMS_ContentInfo *cms); | ||||
static CMS_ReceiptRequest *make_receipt_request(STACK_OF(OPENSSL_STRING) | static CMS_ReceiptRequest | ||||
*rr_to, int rr_allorfirst, STACK_OF(OPENSSL_STRING) | *make_receipt_request(STACK_OF(OPENSSL_STRING) *rr_to, int rr_allorfirst, | ||||
*rr_from); | STACK_OF(OPENSSL_STRING) *rr_from); | ||||
static int cms_set_pkey_param(EVP_PKEY_CTX *pctx, | static int cms_set_pkey_param(EVP_PKEY_CTX *pctx, | ||||
STACK_OF(OPENSSL_STRING) *param); | STACK_OF(OPENSSL_STRING) *param); | ||||
# define SMIME_OP 0x10 | #define SMIME_OP 0x100 | ||||
# define SMIME_IP 0x20 | #define SMIME_IP 0x200 | ||||
# define SMIME_SIGNERS 0x40 | #define SMIME_SIGNERS 0x400 | ||||
# define SMIME_ENCRYPT (1 | SMIME_OP) | #define SMIME_ENCRYPT (1 | SMIME_OP) | ||||
# define SMIME_DECRYPT (2 | SMIME_IP) | #define SMIME_DECRYPT (2 | SMIME_IP) | ||||
# define SMIME_SIGN (3 | SMIME_OP | SMIME_SIGNERS) | #define SMIME_SIGN (3 | SMIME_OP | SMIME_SIGNERS) | ||||
# define SMIME_VERIFY (4 | SMIME_IP) | #define SMIME_VERIFY (4 | SMIME_IP) | ||||
# define SMIME_CMSOUT (5 | SMIME_IP | SMIME_OP) | #define SMIME_RESIGN (5 | SMIME_IP | SMIME_OP | SMIME_SIGNERS) | ||||
# define SMIME_RESIGN (6 | SMIME_IP | SMIME_OP | SMIME_SIGNERS) | #define SMIME_SIGN_RECEIPT (6 | SMIME_IP | SMIME_OP) | ||||
# define SMIME_DATAOUT (7 | SMIME_IP) | #define SMIME_VERIFY_RECEIPT (7 | SMIME_IP) | ||||
# define SMIME_DATA_CREATE (8 | SMIME_OP) | #define SMIME_DIGEST_CREATE (8 | SMIME_OP) | ||||
# define SMIME_DIGEST_VERIFY (9 | SMIME_IP) | #define SMIME_DIGEST_VERIFY (9 | SMIME_IP) | ||||
# define SMIME_DIGEST_CREATE (10 | SMIME_OP) | #define SMIME_COMPRESS (10 | SMIME_OP) | ||||
# define SMIME_UNCOMPRESS (11 | SMIME_IP) | #define SMIME_UNCOMPRESS (11 | SMIME_IP) | ||||
# define SMIME_COMPRESS (12 | SMIME_OP) | #define SMIME_ENCRYPTED_ENCRYPT (12 | SMIME_OP) | ||||
# define SMIME_ENCRYPTED_DECRYPT (13 | SMIME_IP) | #define SMIME_ENCRYPTED_DECRYPT (13 | SMIME_IP) | ||||
# define SMIME_ENCRYPTED_ENCRYPT (14 | SMIME_OP) | #define SMIME_DATA_CREATE (14 | SMIME_OP) | ||||
# define SMIME_SIGN_RECEIPT (15 | SMIME_IP | SMIME_OP) | #define SMIME_DATA_OUT (15 | SMIME_IP) | ||||
# define SMIME_VERIFY_RECEIPT (16 | SMIME_IP) | #define SMIME_CMSOUT (16 | SMIME_IP | SMIME_OP) | ||||
static int verify_err = 0; | static int verify_err = 0; | ||||
typedef struct cms_key_param_st cms_key_param; | typedef struct cms_key_param_st cms_key_param; | ||||
struct cms_key_param_st { | struct cms_key_param_st { | ||||
int idx; | int idx; | ||||
STACK_OF(OPENSSL_STRING) *param; | STACK_OF(OPENSSL_STRING) *param; | ||||
cms_key_param *next; | cms_key_param *next; | ||||
}; | }; | ||||
typedef enum OPTION_choice { | typedef enum OPTION_choice { | ||||
OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, | OPT_COMMON, | ||||
OPT_INFORM, OPT_OUTFORM, OPT_IN, OPT_OUT, OPT_ENCRYPT, | OPT_INFORM, OPT_OUTFORM, OPT_IN, OPT_OUT, OPT_ENCRYPT, | ||||
OPT_DECRYPT, OPT_SIGN, OPT_SIGN_RECEIPT, OPT_RESIGN, | OPT_DECRYPT, OPT_SIGN, OPT_CADES, OPT_SIGN_RECEIPT, OPT_RESIGN, | ||||
OPT_VERIFY, OPT_VERIFY_RETCODE, OPT_VERIFY_RECEIPT, | OPT_VERIFY, OPT_VERIFY_RETCODE, OPT_VERIFY_RECEIPT, | ||||
OPT_CMSOUT, OPT_DATA_OUT, OPT_DATA_CREATE, OPT_DIGEST_VERIFY, | OPT_CMSOUT, OPT_DATA_OUT, OPT_DATA_CREATE, OPT_DIGEST_VERIFY, | ||||
OPT_DIGEST_CREATE, OPT_COMPRESS, OPT_UNCOMPRESS, | OPT_DIGEST_CREATE, OPT_COMPRESS, OPT_UNCOMPRESS, | ||||
OPT_ED_DECRYPT, OPT_ED_ENCRYPT, OPT_DEBUG_DECRYPT, OPT_TEXT, | OPT_ED_DECRYPT, OPT_ED_ENCRYPT, OPT_DEBUG_DECRYPT, OPT_TEXT, | ||||
OPT_ASCIICRLF, OPT_NOINTERN, OPT_NOVERIFY, OPT_NOCERTS, | OPT_ASCIICRLF, OPT_NOINTERN, OPT_NOVERIFY, OPT_NOCERTS, | ||||
OPT_NOATTR, OPT_NODETACH, OPT_NOSMIMECAP, OPT_BINARY, OPT_KEYID, | OPT_NOATTR, OPT_NODETACH, OPT_NOSMIMECAP, OPT_BINARY, OPT_KEYID, | ||||
OPT_NOSIGS, OPT_NO_CONTENT_VERIFY, OPT_NO_ATTR_VERIFY, OPT_INDEF, | OPT_NOSIGS, OPT_NO_CONTENT_VERIFY, OPT_NO_ATTR_VERIFY, OPT_INDEF, | ||||
OPT_NOINDEF, OPT_CRLFEOL, OPT_NOOUT, OPT_RR_PRINT, | OPT_NOINDEF, OPT_CRLFEOL, OPT_NOOUT, OPT_RR_PRINT, | ||||
OPT_RR_ALL, OPT_RR_FIRST, OPT_RCTFORM, OPT_CERTFILE, OPT_CAFILE, | OPT_RR_ALL, OPT_RR_FIRST, OPT_RCTFORM, OPT_CERTFILE, OPT_CAFILE, | ||||
OPT_CAPATH, OPT_NOCAPATH, OPT_NOCAFILE,OPT_CONTENT, OPT_PRINT, | OPT_CAPATH, OPT_CASTORE, OPT_NOCAPATH, OPT_NOCAFILE, OPT_NOCASTORE, | ||||
OPT_CONTENT, OPT_PRINT, OPT_NAMEOPT, | |||||
OPT_SECRETKEY, OPT_SECRETKEYID, OPT_PWRI_PASSWORD, OPT_ECONTENT_TYPE, | OPT_SECRETKEY, OPT_SECRETKEYID, OPT_PWRI_PASSWORD, OPT_ECONTENT_TYPE, | ||||
OPT_PASSIN, OPT_TO, OPT_FROM, OPT_SUBJECT, OPT_SIGNER, OPT_RECIP, | OPT_PASSIN, OPT_TO, OPT_FROM, OPT_SUBJECT, OPT_SIGNER, OPT_RECIP, | ||||
OPT_CERTSOUT, OPT_MD, OPT_INKEY, OPT_KEYFORM, OPT_KEYOPT, OPT_RR_FROM, | OPT_CERTSOUT, OPT_MD, OPT_INKEY, OPT_KEYFORM, OPT_KEYOPT, OPT_RR_FROM, | ||||
OPT_RR_TO, OPT_AES128_WRAP, OPT_AES192_WRAP, OPT_AES256_WRAP, | OPT_RR_TO, OPT_AES128_WRAP, OPT_AES192_WRAP, OPT_AES256_WRAP, | ||||
OPT_3DES_WRAP, OPT_ENGINE, | OPT_3DES_WRAP, OPT_WRAP, OPT_ENGINE, | ||||
OPT_R_ENUM, | OPT_R_ENUM, | ||||
OPT_PROV_ENUM, OPT_CONFIG, | |||||
OPT_V_ENUM, | OPT_V_ENUM, | ||||
OPT_CIPHER | OPT_CIPHER, | ||||
OPT_ORIGINATOR | |||||
} OPTION_CHOICE; | } OPTION_CHOICE; | ||||
const OPTIONS cms_options[] = { | const OPTIONS cms_options[] = { | ||||
{OPT_HELP_STR, 1, '-', "Usage: %s [options] cert.pem...\n"}, | {OPT_HELP_STR, 1, '-', "Usage: %s [options] [cert...]\n"}, | ||||
{OPT_HELP_STR, 1, '-', | |||||
" cert.pem... recipient certs for encryption\n"}, | |||||
{OPT_HELP_STR, 1, '-', "Valid options are:\n"}, | |||||
{"help", OPT_HELP, '-', "Display this summary"}, | {"help", OPT_HELP, '-', "Display this summary"}, | ||||
{"inform", OPT_INFORM, 'c', "Input format SMIME (default), PEM or DER"}, | |||||
{"outform", OPT_OUTFORM, 'c', | OPT_SECTION("General"), | ||||
"Output format SMIME (default), PEM or DER"}, | |||||
{"in", OPT_IN, '<', "Input file"}, | {"in", OPT_IN, '<', "Input file"}, | ||||
{"out", OPT_OUT, '>', "Output file"}, | {"out", OPT_OUT, '>', "Output file"}, | ||||
OPT_CONFIG_OPTION, | |||||
OPT_SECTION("Operation"), | |||||
{"encrypt", OPT_ENCRYPT, '-', "Encrypt message"}, | {"encrypt", OPT_ENCRYPT, '-', "Encrypt message"}, | ||||
{"decrypt", OPT_DECRYPT, '-', "Decrypt encrypted message"}, | {"decrypt", OPT_DECRYPT, '-', "Decrypt encrypted message"}, | ||||
{"sign", OPT_SIGN, '-', "Sign message"}, | {"sign", OPT_SIGN, '-', "Sign message"}, | ||||
{"sign_receipt", OPT_SIGN_RECEIPT, '-', "Generate a signed receipt for the message"}, | |||||
{"resign", OPT_RESIGN, '-', "Resign a signed message"}, | |||||
{"verify", OPT_VERIFY, '-', "Verify signed message"}, | {"verify", OPT_VERIFY, '-', "Verify signed message"}, | ||||
{"verify_retcode", OPT_VERIFY_RETCODE, '-'}, | {"resign", OPT_RESIGN, '-', "Resign a signed message"}, | ||||
{"verify_receipt", OPT_VERIFY_RECEIPT, '<'}, | {"sign_receipt", OPT_SIGN_RECEIPT, '-', | ||||
"Generate a signed receipt for a message"}, | |||||
{"verify_receipt", OPT_VERIFY_RECEIPT, '<', | |||||
"Verify receipts; exit if receipt signatures do not verify"}, | |||||
{"digest_create", OPT_DIGEST_CREATE, '-', | |||||
"Create a CMS \"DigestedData\" object"}, | |||||
{"digest_verify", OPT_DIGEST_VERIFY, '-', | |||||
"Verify a CMS \"DigestedData\" object and output it"}, | |||||
{"compress", OPT_COMPRESS, '-', "Create a CMS \"CompressedData\" object"}, | |||||
{"uncompress", OPT_UNCOMPRESS, '-', | |||||
"Uncompress a CMS \"CompressedData\" object"}, | |||||
{"EncryptedData_encrypt", OPT_ED_ENCRYPT, '-', | |||||
"Create CMS \"EncryptedData\" object using symmetric key"}, | |||||
{"EncryptedData_decrypt", OPT_ED_DECRYPT, '-', | |||||
"Decrypt CMS \"EncryptedData\" object using symmetric key"}, | |||||
{"data_create", OPT_DATA_CREATE, '-', "Create a CMS \"Data\" object"}, | |||||
{"data_out", OPT_DATA_OUT, '-', "Copy CMS \"Data\" object to output"}, | |||||
{"cmsout", OPT_CMSOUT, '-', "Output CMS structure"}, | {"cmsout", OPT_CMSOUT, '-', "Output CMS structure"}, | ||||
{"data_out", OPT_DATA_OUT, '-'}, | |||||
{"data_create", OPT_DATA_CREATE, '-'}, | OPT_SECTION("File format"), | ||||
{"digest_verify", OPT_DIGEST_VERIFY, '-'}, | {"inform", OPT_INFORM, 'c', "Input format SMIME (default), PEM or DER"}, | ||||
{"digest_create", OPT_DIGEST_CREATE, '-'}, | {"outform", OPT_OUTFORM, 'c', | ||||
{"compress", OPT_COMPRESS, '-'}, | "Output format SMIME (default), PEM or DER"}, | ||||
{"uncompress", OPT_UNCOMPRESS, '-'}, | {"rctform", OPT_RCTFORM, 'F', "Receipt file format"}, | ||||
{"EncryptedData_decrypt", OPT_ED_DECRYPT, '-'}, | |||||
{"EncryptedData_encrypt", OPT_ED_ENCRYPT, '-'}, | |||||
{"debug_decrypt", OPT_DEBUG_DECRYPT, '-'}, | |||||
{"text", OPT_TEXT, '-', "Include or delete text MIME headers"}, | |||||
{"asciicrlf", OPT_ASCIICRLF, '-'}, | |||||
{"nointern", OPT_NOINTERN, '-', | |||||
"Don't search certificates in message for signer"}, | |||||
{"noverify", OPT_NOVERIFY, '-', "Don't verify signers certificate"}, | |||||
{"nocerts", OPT_NOCERTS, '-', | |||||
"Don't include signers certificate when signing"}, | |||||
{"noattr", OPT_NOATTR, '-', "Don't include any signed attributes"}, | |||||
{"nodetach", OPT_NODETACH, '-', "Use opaque signing"}, | |||||
{"nosmimecap", OPT_NOSMIMECAP, '-', "Omit the SMIMECapabilities attribute"}, | |||||
{"binary", OPT_BINARY, '-', "Don't translate message to text"}, | |||||
{"keyid", OPT_KEYID, '-', "Use subject key identifier"}, | |||||
{"nosigs", OPT_NOSIGS, '-', "Don't verify message signature"}, | |||||
{"no_content_verify", OPT_NO_CONTENT_VERIFY, '-'}, | |||||
{"no_attr_verify", OPT_NO_ATTR_VERIFY, '-'}, | |||||
{"stream", OPT_INDEF, '-', "Enable CMS streaming"}, | {"stream", OPT_INDEF, '-', "Enable CMS streaming"}, | ||||
{"indef", OPT_INDEF, '-', "Same as -stream"}, | {"indef", OPT_INDEF, '-', "Same as -stream"}, | ||||
{"noindef", OPT_NOINDEF, '-', "Disable CMS streaming"}, | {"noindef", OPT_NOINDEF, '-', "Disable CMS streaming"}, | ||||
{"crlfeol", OPT_CRLFEOL, '-', "Use CRLF as EOL termination instead of CR only" }, | {"binary", OPT_BINARY, '-', | ||||
{"noout", OPT_NOOUT, '-', "For the -cmsout operation do not output the parsed CMS structure"}, | "Treat input as binary: do not translate to canonical form"}, | ||||
{"receipt_request_print", OPT_RR_PRINT, '-', "Print CMS Receipt Request" }, | {"crlfeol", OPT_CRLFEOL, '-', | ||||
{"receipt_request_all", OPT_RR_ALL, '-'}, | "Use CRLF as EOL termination instead of CR only" }, | ||||
{"receipt_request_first", OPT_RR_FIRST, '-'}, | {"asciicrlf", OPT_ASCIICRLF, '-', | ||||
{"rctform", OPT_RCTFORM, 'F', "Receipt file format"}, | "Perform CRLF canonicalisation when signing"}, | ||||
OPT_SECTION("Keys and passwords"), | |||||
{"pwri_password", OPT_PWRI_PASSWORD, 's', | |||||
"Specific password for recipient"}, | |||||
{"secretkey", OPT_SECRETKEY, 's', | |||||
"Use specified hex-encoded key to decrypt/encrypt recipients or content"}, | |||||
{"secretkeyid", OPT_SECRETKEYID, 's', | |||||
"Identity of the -secretkey for CMS \"KEKRecipientInfo\" object"}, | |||||
{"inkey", OPT_INKEY, 's', | |||||
"Input private key (if not signer or recipient)"}, | |||||
{"passin", OPT_PASSIN, 's', "Input file pass phrase source"}, | |||||
{"keyopt", OPT_KEYOPT, 's', "Set public key parameters as n:v pairs"}, | |||||
{"keyform", OPT_KEYFORM, 'f', | |||||
"Input private key format (ENGINE, other values ignored)"}, | |||||
#ifndef OPENSSL_NO_ENGINE | |||||
{"engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device"}, | |||||
#endif | |||||
OPT_PROV_OPTIONS, | |||||
OPT_R_OPTIONS, | |||||
OPT_SECTION("Encryption and decryption"), | |||||
{"originator", OPT_ORIGINATOR, 's', "Originator certificate file"}, | |||||
{"recip", OPT_RECIP, '<', "Recipient cert file"}, | |||||
{"cert...", OPT_PARAM, '.', | |||||
"Recipient certs (optional; used only when encrypting)"}, | |||||
{"", OPT_CIPHER, '-', | |||||
"The encryption algorithm to use (any supported cipher)"}, | |||||
{"wrap", OPT_WRAP, 's', | |||||
"Key wrap algorithm to use when encrypting with key agreement"}, | |||||
{"aes128-wrap", OPT_AES128_WRAP, '-', "Use AES128 to wrap key"}, | |||||
{"aes192-wrap", OPT_AES192_WRAP, '-', "Use AES192 to wrap key"}, | |||||
{"aes256-wrap", OPT_AES256_WRAP, '-', "Use AES256 to wrap key"}, | |||||
{"des3-wrap", OPT_3DES_WRAP, '-', "Use 3DES-EDE to wrap key"}, | |||||
{"debug_decrypt", OPT_DEBUG_DECRYPT, '-', | |||||
"Disable MMA protection, return error if no recipient found (see doc)"}, | |||||
OPT_SECTION("Signing"), | |||||
{"md", OPT_MD, 's', "Digest algorithm to use"}, | |||||
{"signer", OPT_SIGNER, 's', "Signer certificate input file"}, | |||||
{"certfile", OPT_CERTFILE, '<', "Other certificates file"}, | {"certfile", OPT_CERTFILE, '<', "Other certificates file"}, | ||||
{"cades", OPT_CADES, '-', | |||||
"Include signingCertificate attribute (CAdES-BES)"}, | |||||
{"nodetach", OPT_NODETACH, '-', "Use opaque signing"}, | |||||
{"nocerts", OPT_NOCERTS, '-', | |||||
"Don't include signer's certificate when signing"}, | |||||
{"noattr", OPT_NOATTR, '-', "Don't include any signed attributes"}, | |||||
{"nosmimecap", OPT_NOSMIMECAP, '-', "Omit the SMIMECapabilities attribute"}, | |||||
{"receipt_request_all", OPT_RR_ALL, '-', | |||||
"When signing, create a receipt request for all recipients"}, | |||||
{"receipt_request_first", OPT_RR_FIRST, '-', | |||||
"When signing, create a receipt request for first recipient"}, | |||||
{"receipt_request_from", OPT_RR_FROM, 's', | |||||
"Create signed receipt request with specified email address"}, | |||||
{"receipt_request_to", OPT_RR_TO, 's', | |||||
"Create signed receipt targeted to specified address"}, | |||||
OPT_SECTION("Verification"), | |||||
{"signer", OPT_DUP, 's', "Signer certificate(s) output file"}, | |||||
{"content", OPT_CONTENT, '<', | |||||
"Supply or override content for detached signature"}, | |||||
{"no_content_verify", OPT_NO_CONTENT_VERIFY, '-', | |||||
"Do not verify signed content signatures"}, | |||||
{"no_attr_verify", OPT_NO_ATTR_VERIFY, '-', | |||||
"Do not verify signed attribute signatures"}, | |||||
{"nosigs", OPT_NOSIGS, '-', "Don't verify message signature"}, | |||||
{"noverify", OPT_NOVERIFY, '-', "Don't verify signers certificate"}, | |||||
{"nointern", OPT_NOINTERN, '-', | |||||
"Don't search certificates in message for signer"}, | |||||
{"cades", OPT_DUP, '-', "Check signingCertificate (CAdES-BES)"}, | |||||
{"verify_retcode", OPT_VERIFY_RETCODE, '-', | |||||
"Exit non-zero on verification failure"}, | |||||
{"CAfile", OPT_CAFILE, '<', "Trusted certificates file"}, | {"CAfile", OPT_CAFILE, '<', "Trusted certificates file"}, | ||||
{"CApath", OPT_CAPATH, '/', "trusted certificates directory"}, | {"CApath", OPT_CAPATH, '/', "Trusted certificates directory"}, | ||||
{"CAstore", OPT_CASTORE, ':', "Trusted certificates store URI"}, | |||||
{"no-CAfile", OPT_NOCAFILE, '-', | {"no-CAfile", OPT_NOCAFILE, '-', | ||||
"Do not load the default certificates file"}, | "Do not load the default certificates file"}, | ||||
{"no-CApath", OPT_NOCAPATH, '-', | {"no-CApath", OPT_NOCAPATH, '-', | ||||
"Do not load certificates from the default certificates directory"}, | "Do not load certificates from the default certificates directory"}, | ||||
{"content", OPT_CONTENT, '<', | {"no-CAstore", OPT_NOCASTORE, '-', | ||||
"Supply or override content for detached signature"}, | "Do not load certificates from the default certificates store"}, | ||||
{"print", OPT_PRINT, '-', | |||||
"For the -cmsout operation print out all fields of the CMS structure"}, | OPT_SECTION("Output"), | ||||
{"secretkey", OPT_SECRETKEY, 's'}, | {"keyid", OPT_KEYID, '-', "Use subject key identifier"}, | ||||
{"secretkeyid", OPT_SECRETKEYID, 's'}, | {"econtent_type", OPT_ECONTENT_TYPE, 's', "OID for external content"}, | ||||
{"pwri_password", OPT_PWRI_PASSWORD, 's'}, | {"text", OPT_TEXT, '-', "Include or delete text MIME headers"}, | ||||
{"econtent_type", OPT_ECONTENT_TYPE, 's'}, | {"certsout", OPT_CERTSOUT, '>', "Certificate output file"}, | ||||
{"passin", OPT_PASSIN, 's', "Input file pass phrase source"}, | |||||
{"to", OPT_TO, 's', "To address"}, | {"to", OPT_TO, 's', "To address"}, | ||||
{"from", OPT_FROM, 's', "From address"}, | {"from", OPT_FROM, 's', "From address"}, | ||||
{"subject", OPT_SUBJECT, 's', "Subject"}, | {"subject", OPT_SUBJECT, 's', "Subject"}, | ||||
{"signer", OPT_SIGNER, 's', "Signer certificate file"}, | |||||
{"recip", OPT_RECIP, '<', "Recipient cert file for decryption"}, | OPT_SECTION("Printing"), | ||||
{"certsout", OPT_CERTSOUT, '>', "Certificate output file"}, | {"noout", OPT_NOOUT, '-', | ||||
{"md", OPT_MD, 's', "Digest algorithm to use when signing or resigning"}, | "For the -cmsout operation do not output the parsed CMS structure"}, | ||||
{"inkey", OPT_INKEY, 's', | {"print", OPT_PRINT, '-', | ||||
"Input private key (if not signer or recipient)"}, | "For the -cmsout operation print out all fields of the CMS structure"}, | ||||
{"keyform", OPT_KEYFORM, 'f', "Input private key format (PEM or ENGINE)"}, | {"nameopt", OPT_NAMEOPT, 's', | ||||
{"keyopt", OPT_KEYOPT, 's', "Set public key parameters as n:v pairs"}, | "For the -print option specifies various strings printing options"}, | ||||
{"receipt_request_from", OPT_RR_FROM, 's'}, | {"receipt_request_print", OPT_RR_PRINT, '-', "Print CMS Receipt Request" }, | ||||
{"receipt_request_to", OPT_RR_TO, 's'}, | |||||
{"", OPT_CIPHER, '-', "Any supported cipher"}, | |||||
OPT_R_OPTIONS, | |||||
OPT_V_OPTIONS, | OPT_V_OPTIONS, | ||||
{"aes128-wrap", OPT_AES128_WRAP, '-', "Use AES128 to wrap key"}, | |||||
{"aes192-wrap", OPT_AES192_WRAP, '-', "Use AES192 to wrap key"}, | |||||
{"aes256-wrap", OPT_AES256_WRAP, '-', "Use AES256 to wrap key"}, | |||||
# ifndef OPENSSL_NO_DES | |||||
{"des3-wrap", OPT_3DES_WRAP, '-', "Use 3DES-EDE to wrap key"}, | |||||
# endif | |||||
# ifndef OPENSSL_NO_ENGINE | |||||
{"engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device"}, | |||||
# endif | |||||
{NULL} | {NULL} | ||||
}; | }; | ||||
static CMS_ContentInfo *load_content_info(int informat, BIO *in, int flags, | |||||
BIO **indata, const char *name) | |||||
{ | |||||
CMS_ContentInfo *ret, *ci; | |||||
ret = CMS_ContentInfo_new_ex(app_get0_libctx(), app_get0_propq()); | |||||
if (ret == NULL) { | |||||
BIO_printf(bio_err, "Error allocating CMS_contentinfo\n"); | |||||
return NULL; | |||||
} | |||||
switch (informat) { | |||||
case FORMAT_SMIME: | |||||
ci = SMIME_read_CMS_ex(in, flags, indata, &ret); | |||||
break; | |||||
case FORMAT_PEM: | |||||
ci = PEM_read_bio_CMS(in, &ret, NULL, NULL); | |||||
break; | |||||
case FORMAT_ASN1: | |||||
ci = d2i_CMS_bio(in, &ret); | |||||
break; | |||||
default: | |||||
BIO_printf(bio_err, "Bad input format for %s\n", name); | |||||
goto err; | |||||
} | |||||
if (ci == NULL) { | |||||
BIO_printf(bio_err, "Error reading %s Content Info\n", name); | |||||
goto err; | |||||
} | |||||
return ret; | |||||
err: | |||||
CMS_ContentInfo_free(ret); | |||||
return NULL; | |||||
} | |||||
int cms_main(int argc, char **argv) | int cms_main(int argc, char **argv) | ||||
{ | { | ||||
CONF *conf = NULL; | |||||
ASN1_OBJECT *econtent_type = NULL; | ASN1_OBJECT *econtent_type = NULL; | ||||
BIO *in = NULL, *out = NULL, *indata = NULL, *rctin = NULL; | BIO *in = NULL, *out = NULL, *indata = NULL, *rctin = NULL; | ||||
CMS_ContentInfo *cms = NULL, *rcms = NULL; | CMS_ContentInfo *cms = NULL, *rcms = NULL; | ||||
CMS_ReceiptRequest *rr = NULL; | CMS_ReceiptRequest *rr = NULL; | ||||
ENGINE *e = NULL; | ENGINE *e = NULL; | ||||
EVP_PKEY *key = NULL; | EVP_PKEY *key = NULL; | ||||
const EVP_CIPHER *cipher = NULL, *wrap_cipher = NULL; | EVP_CIPHER *cipher = NULL, *wrap_cipher = NULL; | ||||
const EVP_MD *sign_md = NULL; | EVP_MD *sign_md = NULL; | ||||
STACK_OF(OPENSSL_STRING) *rr_to = NULL, *rr_from = NULL; | STACK_OF(OPENSSL_STRING) *rr_to = NULL, *rr_from = NULL; | ||||
STACK_OF(OPENSSL_STRING) *sksigners = NULL, *skkeys = NULL; | STACK_OF(OPENSSL_STRING) *sksigners = NULL, *skkeys = NULL; | ||||
STACK_OF(X509) *encerts = NULL, *other = NULL; | STACK_OF(X509) *encerts = sk_X509_new_null(), *other = NULL; | ||||
X509 *cert = NULL, *recip = NULL, *signer = NULL; | X509 *cert = NULL, *recip = NULL, *signer = NULL, *originator = NULL; | ||||
X509_STORE *store = NULL; | X509_STORE *store = NULL; | ||||
X509_VERIFY_PARAM *vpm = NULL; | X509_VERIFY_PARAM *vpm = X509_VERIFY_PARAM_new(); | ||||
char *certfile = NULL, *keyfile = NULL, *contfile = NULL; | char *certfile = NULL, *keyfile = NULL, *contfile = NULL; | ||||
const char *CAfile = NULL, *CApath = NULL; | const char *CAfile = NULL, *CApath = NULL, *CAstore = NULL; | ||||
char *certsoutfile = NULL; | char *certsoutfile = NULL, *digestname = NULL, *wrapname = NULL; | ||||
int noCAfile = 0, noCApath = 0; | int noCAfile = 0, noCApath = 0, noCAstore = 0; | ||||
char *infile = NULL, *outfile = NULL, *rctfile = NULL; | char *infile = NULL, *outfile = NULL, *rctfile = NULL; | ||||
char *passinarg = NULL, *passin = NULL, *signerfile = NULL, *recipfile = NULL; | char *passinarg = NULL, *passin = NULL, *signerfile = NULL; | ||||
char *originatorfile = NULL, *recipfile = NULL, *ciphername = NULL; | |||||
char *to = NULL, *from = NULL, *subject = NULL, *prog; | char *to = NULL, *from = NULL, *subject = NULL, *prog; | ||||
cms_key_param *key_first = NULL, *key_param = NULL; | cms_key_param *key_first = NULL, *key_param = NULL; | ||||
int flags = CMS_DETACHED, noout = 0, print = 0, keyidx = -1, vpmtouched = 0; | int flags = CMS_DETACHED, binary_files = 0; | ||||
int noout = 0, print = 0, keyidx = -1, vpmtouched = 0; | |||||
int informat = FORMAT_SMIME, outformat = FORMAT_SMIME; | int informat = FORMAT_SMIME, outformat = FORMAT_SMIME; | ||||
int operation = 0, ret = 1, rr_print = 0, rr_allorfirst = -1; | int operation = 0, ret = 1, rr_print = 0, rr_allorfirst = -1; | ||||
int verify_retcode = 0, rctformat = FORMAT_SMIME, keyform = FORMAT_PEM; | int verify_retcode = 0, rctformat = FORMAT_SMIME, keyform = FORMAT_UNDEF; | ||||
size_t secret_keylen = 0, secret_keyidlen = 0; | size_t secret_keylen = 0, secret_keyidlen = 0; | ||||
unsigned char *pwri_pass = NULL, *pwri_tmp = NULL; | unsigned char *pwri_pass = NULL, *pwri_tmp = NULL; | ||||
unsigned char *secret_key = NULL, *secret_keyid = NULL; | unsigned char *secret_key = NULL, *secret_keyid = NULL; | ||||
long ltmp; | long ltmp; | ||||
const char *mime_eol = "\n"; | const char *mime_eol = "\n"; | ||||
OPTION_CHOICE o; | OPTION_CHOICE o; | ||||
OSSL_LIB_CTX *libctx = app_get0_libctx(); | |||||
if ((vpm = X509_VERIFY_PARAM_new()) == NULL) | if (encerts == NULL || vpm == NULL) | ||||
return 1; | goto end; | ||||
prog = opt_init(argc, argv, cms_options); | prog = opt_init(argc, argv, cms_options); | ||||
while ((o = opt_next()) != OPT_EOF) { | while ((o = opt_next()) != OPT_EOF) { | ||||
switch (o) { | switch (o) { | ||||
case OPT_EOF: | case OPT_EOF: | ||||
case OPT_ERR: | case OPT_ERR: | ||||
opthelp: | opthelp: | ||||
BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); | BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); | ||||
goto end; | goto end; | ||||
case OPT_HELP: | case OPT_HELP: | ||||
opt_help(cms_options); | opt_help(cms_options); | ||||
ret = 0; | ret = 0; | ||||
goto end; | goto end; | ||||
case OPT_INFORM: | case OPT_INFORM: | ||||
if (!opt_format(opt_arg(), OPT_FMT_PDS, &informat)) | if (!opt_format(opt_arg(), OPT_FMT_PDS, &informat)) | ||||
goto opthelp; | goto opthelp; | ||||
break; | break; | ||||
case OPT_OUTFORM: | case OPT_OUTFORM: | ||||
if (!opt_format(opt_arg(), OPT_FMT_PDS, &outformat)) | if (!opt_format(opt_arg(), OPT_FMT_PDS, &outformat)) | ||||
goto opthelp; | goto opthelp; | ||||
break; | break; | ||||
case OPT_OUT: | case OPT_OUT: | ||||
outfile = opt_arg(); | outfile = opt_arg(); | ||||
break; | break; | ||||
case OPT_ENCRYPT: | case OPT_ENCRYPT: | ||||
operation = SMIME_ENCRYPT; | operation = SMIME_ENCRYPT; | ||||
break; | break; | ||||
case OPT_DECRYPT: | case OPT_DECRYPT: | ||||
operation = SMIME_DECRYPT; | operation = SMIME_DECRYPT; | ||||
break; | break; | ||||
case OPT_SIGN: | case OPT_SIGN: | ||||
operation = SMIME_SIGN; | operation = SMIME_SIGN; | ||||
break; | break; | ||||
case OPT_SIGN_RECEIPT: | case OPT_VERIFY: | ||||
operation = SMIME_SIGN_RECEIPT; | operation = SMIME_VERIFY; | ||||
break; | break; | ||||
case OPT_RESIGN: | case OPT_RESIGN: | ||||
operation = SMIME_RESIGN; | operation = SMIME_RESIGN; | ||||
break; | break; | ||||
case OPT_VERIFY: | case OPT_SIGN_RECEIPT: | ||||
operation = SMIME_VERIFY; | operation = SMIME_SIGN_RECEIPT; | ||||
break; | break; | ||||
case OPT_VERIFY_RETCODE: | |||||
verify_retcode = 1; | |||||
break; | |||||
case OPT_VERIFY_RECEIPT: | case OPT_VERIFY_RECEIPT: | ||||
operation = SMIME_VERIFY_RECEIPT; | operation = SMIME_VERIFY_RECEIPT; | ||||
rctfile = opt_arg(); | rctfile = opt_arg(); | ||||
break; | break; | ||||
case OPT_CMSOUT: | case OPT_VERIFY_RETCODE: | ||||
operation = SMIME_CMSOUT; | verify_retcode = 1; | ||||
break; | break; | ||||
case OPT_DATA_OUT: | case OPT_DIGEST_CREATE: | ||||
operation = SMIME_DATAOUT; | operation = SMIME_DIGEST_CREATE; | ||||
break; | break; | ||||
case OPT_DATA_CREATE: | |||||
operation = SMIME_DATA_CREATE; | |||||
break; | |||||
case OPT_DIGEST_VERIFY: | case OPT_DIGEST_VERIFY: | ||||
operation = SMIME_DIGEST_VERIFY; | operation = SMIME_DIGEST_VERIFY; | ||||
break; | break; | ||||
case OPT_DIGEST_CREATE: | |||||
operation = SMIME_DIGEST_CREATE; | |||||
break; | |||||
case OPT_COMPRESS: | case OPT_COMPRESS: | ||||
operation = SMIME_COMPRESS; | operation = SMIME_COMPRESS; | ||||
break; | break; | ||||
case OPT_UNCOMPRESS: | case OPT_UNCOMPRESS: | ||||
operation = SMIME_UNCOMPRESS; | operation = SMIME_UNCOMPRESS; | ||||
break; | break; | ||||
case OPT_ED_ENCRYPT: | |||||
operation = SMIME_ENCRYPTED_ENCRYPT; | |||||
break; | |||||
case OPT_ED_DECRYPT: | case OPT_ED_DECRYPT: | ||||
operation = SMIME_ENCRYPTED_DECRYPT; | operation = SMIME_ENCRYPTED_DECRYPT; | ||||
break; | break; | ||||
case OPT_ED_ENCRYPT: | case OPT_DATA_CREATE: | ||||
operation = SMIME_ENCRYPTED_ENCRYPT; | operation = SMIME_DATA_CREATE; | ||||
break; | break; | ||||
case OPT_DATA_OUT: | |||||
operation = SMIME_DATA_OUT; | |||||
break; | |||||
case OPT_CMSOUT: | |||||
operation = SMIME_CMSOUT; | |||||
break; | |||||
case OPT_DEBUG_DECRYPT: | case OPT_DEBUG_DECRYPT: | ||||
flags |= CMS_DEBUG_DECRYPT; | flags |= CMS_DEBUG_DECRYPT; | ||||
break; | break; | ||||
case OPT_TEXT: | case OPT_TEXT: | ||||
flags |= CMS_TEXT; | flags |= CMS_TEXT; | ||||
break; | break; | ||||
case OPT_ASCIICRLF: | case OPT_ASCIICRLF: | ||||
flags |= CMS_ASCIICRLF; | flags |= CMS_ASCIICRLF; | ||||
Show All 14 Lines | opthelp: | ||||
flags &= ~CMS_DETACHED; | flags &= ~CMS_DETACHED; | ||||
break; | break; | ||||
case OPT_NOSMIMECAP: | case OPT_NOSMIMECAP: | ||||
flags |= CMS_NOSMIMECAP; | flags |= CMS_NOSMIMECAP; | ||||
break; | break; | ||||
case OPT_BINARY: | case OPT_BINARY: | ||||
flags |= CMS_BINARY; | flags |= CMS_BINARY; | ||||
break; | break; | ||||
case OPT_CADES: | |||||
flags |= CMS_CADES; | |||||
break; | |||||
case OPT_KEYID: | case OPT_KEYID: | ||||
flags |= CMS_USE_KEYID; | flags |= CMS_USE_KEYID; | ||||
break; | break; | ||||
case OPT_NOSIGS: | case OPT_NOSIGS: | ||||
flags |= CMS_NOSIGS; | flags |= CMS_NOSIGS; | ||||
break; | break; | ||||
case OPT_NO_CONTENT_VERIFY: | case OPT_NO_CONTENT_VERIFY: | ||||
flags |= CMS_NO_CONTENT_VERIFY; | flags |= CMS_NO_CONTENT_VERIFY; | ||||
Show All 19 Lines | opthelp: | ||||
break; | break; | ||||
case OPT_RR_ALL: | case OPT_RR_ALL: | ||||
rr_allorfirst = 0; | rr_allorfirst = 0; | ||||
break; | break; | ||||
case OPT_RR_FIRST: | case OPT_RR_FIRST: | ||||
rr_allorfirst = 1; | rr_allorfirst = 1; | ||||
break; | break; | ||||
case OPT_RCTFORM: | case OPT_RCTFORM: | ||||
if (rctformat == FORMAT_SMIME) | |||||
rcms = SMIME_read_CMS(rctin, NULL); | |||||
else if (rctformat == FORMAT_PEM) | |||||
rcms = PEM_read_bio_CMS(rctin, NULL, NULL, NULL); | |||||
else if (rctformat == FORMAT_ASN1) | |||||
if (!opt_format(opt_arg(), | if (!opt_format(opt_arg(), | ||||
OPT_FMT_PEMDER | OPT_FMT_SMIME, &rctformat)) | OPT_FMT_PEMDER | OPT_FMT_SMIME, &rctformat)) | ||||
goto opthelp; | goto opthelp; | ||||
break; | break; | ||||
case OPT_CERTFILE: | case OPT_CERTFILE: | ||||
certfile = opt_arg(); | certfile = opt_arg(); | ||||
break; | break; | ||||
case OPT_CAFILE: | case OPT_CAFILE: | ||||
CAfile = opt_arg(); | CAfile = opt_arg(); | ||||
break; | break; | ||||
case OPT_CAPATH: | case OPT_CAPATH: | ||||
CApath = opt_arg(); | CApath = opt_arg(); | ||||
break; | break; | ||||
case OPT_CASTORE: | |||||
CAstore = opt_arg(); | |||||
break; | |||||
case OPT_NOCAFILE: | case OPT_NOCAFILE: | ||||
noCAfile = 1; | noCAfile = 1; | ||||
break; | break; | ||||
case OPT_NOCAPATH: | case OPT_NOCAPATH: | ||||
noCApath = 1; | noCApath = 1; | ||||
break; | break; | ||||
case OPT_NOCASTORE: | |||||
noCAstore = 1; | |||||
break; | |||||
case OPT_IN: | case OPT_IN: | ||||
infile = opt_arg(); | infile = opt_arg(); | ||||
break; | break; | ||||
case OPT_CONTENT: | case OPT_CONTENT: | ||||
contfile = opt_arg(); | contfile = opt_arg(); | ||||
break; | break; | ||||
case OPT_RR_FROM: | case OPT_RR_FROM: | ||||
if (rr_from == NULL | if (rr_from == NULL | ||||
&& (rr_from = sk_OPENSSL_STRING_new_null()) == NULL) | && (rr_from = sk_OPENSSL_STRING_new_null()) == NULL) | ||||
goto end; | goto end; | ||||
sk_OPENSSL_STRING_push(rr_from, opt_arg()); | sk_OPENSSL_STRING_push(rr_from, opt_arg()); | ||||
break; | break; | ||||
case OPT_RR_TO: | case OPT_RR_TO: | ||||
if (rr_to == NULL | if (rr_to == NULL | ||||
&& (rr_to = sk_OPENSSL_STRING_new_null()) == NULL) | && (rr_to = sk_OPENSSL_STRING_new_null()) == NULL) | ||||
goto end; | goto end; | ||||
sk_OPENSSL_STRING_push(rr_to, opt_arg()); | sk_OPENSSL_STRING_push(rr_to, opt_arg()); | ||||
break; | break; | ||||
case OPT_PRINT: | case OPT_PRINT: | ||||
noout = print = 1; | noout = print = 1; | ||||
break; | break; | ||||
case OPT_NAMEOPT: | |||||
if (!set_nameopt(opt_arg())) | |||||
goto opthelp; | |||||
break; | |||||
case OPT_SECRETKEY: | case OPT_SECRETKEY: | ||||
if (secret_key != NULL) { | if (secret_key != NULL) { | ||||
BIO_printf(bio_err, "Invalid key (supplied twice) %s\n", | BIO_printf(bio_err, "Invalid key (supplied twice) %s\n", | ||||
opt_arg()); | opt_arg()); | ||||
goto opthelp; | goto opthelp; | ||||
} | } | ||||
secret_key = OPENSSL_hexstr2buf(opt_arg(), <mp); | secret_key = OPENSSL_hexstr2buf(opt_arg(), <mp); | ||||
if (secret_key == NULL) { | if (secret_key == NULL) { | ||||
▲ Show 20 Lines • Show All 44 Lines • ▼ Show 20 Lines | opthelp: | ||||
break; | break; | ||||
case OPT_SUBJECT: | case OPT_SUBJECT: | ||||
subject = opt_arg(); | subject = opt_arg(); | ||||
break; | break; | ||||
case OPT_CERTSOUT: | case OPT_CERTSOUT: | ||||
certsoutfile = opt_arg(); | certsoutfile = opt_arg(); | ||||
break; | break; | ||||
case OPT_MD: | case OPT_MD: | ||||
if (!opt_md(opt_arg(), &sign_md)) | digestname = opt_arg(); | ||||
goto end; | |||||
break; | break; | ||||
case OPT_SIGNER: | case OPT_SIGNER: | ||||
/* If previous -signer argument add signer to list */ | /* If previous -signer argument add signer to list */ | ||||
if (signerfile != NULL) { | if (signerfile != NULL) { | ||||
if (sksigners == NULL | if (sksigners == NULL | ||||
&& (sksigners = sk_OPENSSL_STRING_new_null()) == NULL) | && (sksigners = sk_OPENSSL_STRING_new_null()) == NULL) | ||||
goto end; | goto end; | ||||
sk_OPENSSL_STRING_push(sksigners, signerfile); | sk_OPENSSL_STRING_push(sksigners, signerfile); | ||||
if (keyfile == NULL) | if (keyfile == NULL) | ||||
keyfile = signerfile; | keyfile = signerfile; | ||||
if (skkeys == NULL | if (skkeys == NULL | ||||
&& (skkeys = sk_OPENSSL_STRING_new_null()) == NULL) | && (skkeys = sk_OPENSSL_STRING_new_null()) == NULL) | ||||
goto end; | goto end; | ||||
sk_OPENSSL_STRING_push(skkeys, keyfile); | sk_OPENSSL_STRING_push(skkeys, keyfile); | ||||
keyfile = NULL; | keyfile = NULL; | ||||
} | } | ||||
signerfile = opt_arg(); | signerfile = opt_arg(); | ||||
break; | break; | ||||
case OPT_ORIGINATOR: | |||||
originatorfile = opt_arg(); | |||||
break; | |||||
case OPT_INKEY: | case OPT_INKEY: | ||||
/* If previous -inkey argument add signer to list */ | /* If previous -inkey argument add signer to list */ | ||||
if (keyfile != NULL) { | if (keyfile != NULL) { | ||||
if (signerfile == NULL) { | if (signerfile == NULL) { | ||||
BIO_puts(bio_err, "Illegal -inkey without -signer\n"); | BIO_puts(bio_err, "Illegal -inkey without -signer\n"); | ||||
goto end; | goto end; | ||||
} | } | ||||
if (sksigners == NULL | if (sksigners == NULL | ||||
Show All 9 Lines | opthelp: | ||||
keyfile = opt_arg(); | keyfile = opt_arg(); | ||||
break; | break; | ||||
case OPT_KEYFORM: | case OPT_KEYFORM: | ||||
if (!opt_format(opt_arg(), OPT_FMT_ANY, &keyform)) | if (!opt_format(opt_arg(), OPT_FMT_ANY, &keyform)) | ||||
goto opthelp; | goto opthelp; | ||||
break; | break; | ||||
case OPT_RECIP: | case OPT_RECIP: | ||||
if (operation == SMIME_ENCRYPT) { | if (operation == SMIME_ENCRYPT) { | ||||
if (encerts == NULL && (encerts = sk_X509_new_null()) == NULL) | cert = load_cert(opt_arg(), FORMAT_UNDEF, | ||||
goto end; | |||||
cert = load_cert(opt_arg(), FORMAT_PEM, | |||||
"recipient certificate file"); | "recipient certificate file"); | ||||
if (cert == NULL) | if (cert == NULL) | ||||
goto end; | goto end; | ||||
sk_X509_push(encerts, cert); | sk_X509_push(encerts, cert); | ||||
cert = NULL; | cert = NULL; | ||||
} else { | } else { | ||||
recipfile = opt_arg(); | recipfile = opt_arg(); | ||||
} | } | ||||
break; | break; | ||||
case OPT_CIPHER: | case OPT_CIPHER: | ||||
if (!opt_cipher(opt_unknown(), &cipher)) | ciphername = opt_unknown(); | ||||
goto end; | |||||
break; | break; | ||||
case OPT_KEYOPT: | case OPT_KEYOPT: | ||||
keyidx = -1; | keyidx = -1; | ||||
if (operation == SMIME_ENCRYPT) { | if (operation == SMIME_ENCRYPT) { | ||||
if (encerts != NULL) | if (sk_X509_num(encerts) > 0) | ||||
keyidx += sk_X509_num(encerts); | keyidx += sk_X509_num(encerts); | ||||
} else { | } else { | ||||
if (keyfile != NULL || signerfile != NULL) | if (keyfile != NULL || signerfile != NULL) | ||||
keyidx++; | keyidx++; | ||||
if (skkeys != NULL) | if (skkeys != NULL) | ||||
keyidx += sk_OPENSSL_STRING_num(skkeys); | keyidx += sk_OPENSSL_STRING_num(skkeys); | ||||
} | } | ||||
if (keyidx < 0) { | if (keyidx < 0) { | ||||
Show All 21 Lines | opthelp: | ||||
if (!opt_verify(o, vpm)) | if (!opt_verify(o, vpm)) | ||||
goto end; | goto end; | ||||
vpmtouched++; | vpmtouched++; | ||||
break; | break; | ||||
case OPT_R_CASES: | case OPT_R_CASES: | ||||
if (!opt_rand(o)) | if (!opt_rand(o)) | ||||
goto end; | goto end; | ||||
break; | break; | ||||
case OPT_3DES_WRAP: | case OPT_PROV_CASES: | ||||
# ifndef OPENSSL_NO_DES | if (!opt_provider(o)) | ||||
wrap_cipher = EVP_des_ede3_wrap(); | goto end; | ||||
# endif | |||||
break; | break; | ||||
case OPT_AES128_WRAP: | case OPT_CONFIG: | ||||
wrap_cipher = EVP_aes_128_wrap(); | conf = app_load_config_modules(opt_arg()); | ||||
if (conf == NULL) | |||||
goto end; | |||||
break; | break; | ||||
case OPT_AES192_WRAP: | case OPT_WRAP: | ||||
wrap_cipher = EVP_aes_192_wrap(); | wrapname = opt_arg(); | ||||
break; | break; | ||||
case OPT_AES128_WRAP: | |||||
case OPT_AES192_WRAP: | |||||
case OPT_AES256_WRAP: | case OPT_AES256_WRAP: | ||||
wrap_cipher = EVP_aes_256_wrap(); | case OPT_3DES_WRAP: | ||||
wrapname = opt_flag() + 1; | |||||
break; | break; | ||||
} | } | ||||
} | } | ||||
if (!app_RAND_load()) | |||||
goto end; | |||||
if (digestname != NULL) { | |||||
if (!opt_md(digestname, &sign_md)) | |||||
goto end; | |||||
} | |||||
if (ciphername != NULL) { | |||||
if (!opt_cipher_any(ciphername, &cipher)) | |||||
goto end; | |||||
} | |||||
if (wrapname != NULL) { | |||||
if (!opt_cipher_any(wrapname, &wrap_cipher)) | |||||
goto end; | |||||
} | |||||
/* Remaining args are files to process. */ | |||||
argc = opt_num_rest(); | argc = opt_num_rest(); | ||||
argv = opt_rest(); | argv = opt_rest(); | ||||
if ((rr_allorfirst != -1 || rr_from != NULL) && rr_to == NULL) { | if ((rr_allorfirst != -1 || rr_from != NULL) && rr_to == NULL) { | ||||
BIO_puts(bio_err, "No Signed Receipts Recipients\n"); | BIO_puts(bio_err, "No Signed Receipts Recipients\n"); | ||||
goto opthelp; | goto opthelp; | ||||
} | } | ||||
if (!(operation & SMIME_SIGNERS) && (rr_to != NULL || rr_from != NULL)) { | if (!(operation & SMIME_SIGNERS) && (rr_to != NULL || rr_from != NULL)) { | ||||
BIO_puts(bio_err, "Signed receipts only allowed with -sign\n"); | BIO_puts(bio_err, "Signed receipts only allowed with -sign\n"); | ||||
goto opthelp; | goto opthelp; | ||||
} | } | ||||
if (!(operation & SMIME_SIGNERS) && (skkeys != NULL || sksigners != NULL)) { | if (!(operation & SMIME_SIGNERS) && (skkeys != NULL || sksigners != NULL)) { | ||||
BIO_puts(bio_err, "Multiple signers or keys not allowed\n"); | BIO_puts(bio_err, "Multiple signers or keys not allowed\n"); | ||||
goto opthelp; | goto opthelp; | ||||
} | } | ||||
if ((flags & CMS_CADES) != 0) { | |||||
if ((flags & CMS_NOATTR) != 0) { | |||||
BIO_puts(bio_err, "Incompatible options: " | |||||
"CAdES requires signed attributes\n"); | |||||
goto opthelp; | |||||
} | |||||
if (operation == SMIME_VERIFY | |||||
&& (flags & (CMS_NO_SIGNER_CERT_VERIFY | CMS_NO_ATTR_VERIFY)) != 0) { | |||||
BIO_puts(bio_err, "Incompatible options: CAdES validation requires" | |||||
" certs and signed attributes validations\n"); | |||||
goto opthelp; | |||||
} | |||||
} | |||||
if (operation & SMIME_SIGNERS) { | if (operation & SMIME_SIGNERS) { | ||||
if (keyfile != NULL && signerfile == NULL) { | if (keyfile != NULL && signerfile == NULL) { | ||||
BIO_puts(bio_err, "Illegal -inkey without -signer\n"); | BIO_puts(bio_err, "Illegal -inkey without -signer\n"); | ||||
goto opthelp; | goto opthelp; | ||||
} | } | ||||
/* Check to see if any final signer needs to be appended */ | /* Check to see if any final signer needs to be appended */ | ||||
if (signerfile != NULL) { | if (signerfile != NULL) { | ||||
if (sksigners == NULL | if (sksigners == NULL | ||||
Show All 16 Lines | if (operation & SMIME_SIGNERS) { | ||||
if (recipfile == NULL && keyfile == NULL | if (recipfile == NULL && keyfile == NULL | ||||
&& secret_key == NULL && pwri_pass == NULL) { | && secret_key == NULL && pwri_pass == NULL) { | ||||
BIO_printf(bio_err, | BIO_printf(bio_err, | ||||
"No recipient certificate or key specified\n"); | "No recipient certificate or key specified\n"); | ||||
goto opthelp; | goto opthelp; | ||||
} | } | ||||
} else if (operation == SMIME_ENCRYPT) { | } else if (operation == SMIME_ENCRYPT) { | ||||
if (*argv == NULL && secret_key == NULL | if (*argv == NULL && secret_key == NULL | ||||
&& pwri_pass == NULL && encerts == NULL) { | && pwri_pass == NULL && sk_X509_num(encerts) <= 0) { | ||||
BIO_printf(bio_err, "No recipient(s) certificate(s) specified\n"); | BIO_printf(bio_err, "No recipient(s) certificate(s) specified\n"); | ||||
goto opthelp; | goto opthelp; | ||||
} | } | ||||
} else if (!operation) { | } else if (!operation) { | ||||
BIO_printf(bio_err, "No operation option (-encrypt|-decrypt|-sign|-verify|...) specified.\n"); | BIO_printf(bio_err, "No operation option (-encrypt|-decrypt|-sign|-verify|...) specified.\n"); | ||||
goto opthelp; | goto opthelp; | ||||
} | } | ||||
if (!app_passwd(passinarg, NULL, &passin, NULL)) { | if (!app_passwd(passinarg, NULL, &passin, NULL)) { | ||||
BIO_printf(bio_err, "Error getting password\n"); | BIO_printf(bio_err, "Error getting password\n"); | ||||
goto end; | goto end; | ||||
} | } | ||||
ret = 2; | ret = 2; | ||||
if (!(operation & SMIME_SIGNERS)) | if ((operation & SMIME_SIGNERS) == 0) { | ||||
if ((flags & CMS_DETACHED) == 0) | |||||
BIO_printf(bio_err, | |||||
"Warning: -nodetach option is ignored for non-signing operation\n"); | |||||
flags &= ~CMS_DETACHED; | flags &= ~CMS_DETACHED; | ||||
} | |||||
if ((operation & SMIME_IP) == 0 && contfile != NULL) | |||||
BIO_printf(bio_err, | |||||
"Warning: -contfile option is ignored for the given operation\n"); | |||||
if ((flags & CMS_BINARY) != 0) { | |||||
if (!(operation & SMIME_OP)) | if (!(operation & SMIME_OP)) | ||||
if (flags & CMS_BINARY) | |||||
outformat = FORMAT_BINARY; | outformat = FORMAT_BINARY; | ||||
if (!(operation & SMIME_IP)) | if (!(operation & SMIME_IP)) | ||||
if (flags & CMS_BINARY) | |||||
informat = FORMAT_BINARY; | informat = FORMAT_BINARY; | ||||
if ((operation & SMIME_SIGNERS) != 0 && (flags & CMS_DETACHED) != 0) | |||||
binary_files = 1; | |||||
if ((operation & SMIME_IP) != 0 && contfile == NULL) | |||||
binary_files = 1; | |||||
} | |||||
if (operation == SMIME_ENCRYPT) { | if (operation == SMIME_ENCRYPT) { | ||||
if (!cipher) { | if (!cipher) { | ||||
# ifndef OPENSSL_NO_DES | #ifndef OPENSSL_NO_DES | ||||
cipher = EVP_des_ede3_cbc(); | cipher = (EVP_CIPHER *)EVP_des_ede3_cbc(); | ||||
# else | #else | ||||
BIO_printf(bio_err, "No cipher selected\n"); | BIO_printf(bio_err, "No cipher selected\n"); | ||||
goto end; | goto end; | ||||
# endif | #endif | ||||
} | } | ||||
if (secret_key && !secret_keyid) { | if (secret_key && !secret_keyid) { | ||||
BIO_printf(bio_err, "No secret key id\n"); | BIO_printf(bio_err, "No secret key id\n"); | ||||
goto end; | goto end; | ||||
} | } | ||||
if (*argv && encerts == NULL) | if (*argv != NULL) { | ||||
if ((encerts = sk_X509_new_null()) == NULL) | if (operation == SMIME_ENCRYPT) { | ||||
for (; *argv != NULL; argv++) { | |||||
cert = load_cert(*argv, FORMAT_UNDEF, | |||||
"recipient certificate file"); | |||||
if (cert == NULL) | |||||
goto end; | goto end; | ||||
while (*argv) { | |||||
if ((cert = load_cert(*argv, FORMAT_PEM, | |||||
"recipient certificate file")) == NULL) | |||||
goto end; | |||||
sk_X509_push(encerts, cert); | sk_X509_push(encerts, cert); | ||||
cert = NULL; | cert = NULL; | ||||
argv++; | |||||
} | } | ||||
} else { | |||||
BIO_printf(bio_err, "Warning: recipient certificate file parameters ignored for operation other than -encrypt\n"); | |||||
} | } | ||||
} | |||||
} | |||||
if (certfile != NULL) { | if (certfile != NULL) { | ||||
if (!load_certs(certfile, &other, FORMAT_PEM, NULL, | if (!load_certs(certfile, 0, &other, NULL, "certificate file")) { | ||||
"certificate file")) { | |||||
ERR_print_errors(bio_err); | ERR_print_errors(bio_err); | ||||
goto end; | goto end; | ||||
} | } | ||||
} | } | ||||
if (recipfile != NULL && (operation == SMIME_DECRYPT)) { | if (recipfile != NULL && (operation == SMIME_DECRYPT)) { | ||||
if ((recip = load_cert(recipfile, FORMAT_PEM, | if ((recip = load_cert(recipfile, FORMAT_UNDEF, | ||||
"recipient certificate file")) == NULL) { | "recipient certificate file")) == NULL) { | ||||
ERR_print_errors(bio_err); | ERR_print_errors(bio_err); | ||||
goto end; | goto end; | ||||
} | } | ||||
} | } | ||||
if (originatorfile != NULL) { | |||||
if ((originator = load_cert(originatorfile, FORMAT_UNDEF, | |||||
"originator certificate file")) == NULL) { | |||||
ERR_print_errors(bio_err); | |||||
goto end; | |||||
} | |||||
} | |||||
if (operation == SMIME_SIGN_RECEIPT) { | if (operation == SMIME_SIGN_RECEIPT) { | ||||
if ((signer = load_cert(signerfile, FORMAT_PEM, | if ((signer = load_cert(signerfile, FORMAT_UNDEF, | ||||
"receipt signer certificate file")) == NULL) { | "receipt signer certificate file")) == NULL) { | ||||
ERR_print_errors(bio_err); | ERR_print_errors(bio_err); | ||||
goto end; | goto end; | ||||
} | } | ||||
} | } | ||||
if (operation == SMIME_DECRYPT) { | if ((operation == SMIME_DECRYPT) || (operation == SMIME_ENCRYPT)) { | ||||
if (keyfile == NULL) | if (keyfile == NULL) | ||||
keyfile = recipfile; | keyfile = recipfile; | ||||
} else if ((operation == SMIME_SIGN) || (operation == SMIME_SIGN_RECEIPT)) { | } else if ((operation == SMIME_SIGN) || (operation == SMIME_SIGN_RECEIPT)) { | ||||
if (keyfile == NULL) | if (keyfile == NULL) | ||||
keyfile = signerfile; | keyfile = signerfile; | ||||
} else { | } else { | ||||
keyfile = NULL; | keyfile = NULL; | ||||
} | } | ||||
if (keyfile != NULL) { | if (keyfile != NULL) { | ||||
key = load_key(keyfile, keyform, 0, passin, e, "signing key file"); | key = load_key(keyfile, keyform, 0, passin, e, "signing key"); | ||||
if (key == NULL) | if (key == NULL) | ||||
goto end; | goto end; | ||||
} | } | ||||
in = bio_open_default(infile, 'r', informat); | in = bio_open_default(infile, 'r', | ||||
binary_files ? FORMAT_BINARY : informat); | |||||
if (in == NULL) | if (in == NULL) | ||||
goto end; | goto end; | ||||
if (operation & SMIME_IP) { | if (operation & SMIME_IP) { | ||||
if (informat == FORMAT_SMIME) { | cms = load_content_info(informat, in, flags, &indata, "SMIME"); | ||||
cms = SMIME_read_CMS(in, &indata); | if (cms == NULL) | ||||
} else if (informat == FORMAT_PEM) { | |||||
cms = PEM_read_bio_CMS(in, NULL, NULL, NULL); | |||||
} else if (informat == FORMAT_ASN1) { | |||||
cms = d2i_CMS_bio(in, NULL); | |||||
} else { | |||||
BIO_printf(bio_err, "Bad input format for CMS file\n"); | |||||
goto end; | goto end; | ||||
} | |||||
if (cms == NULL) { | |||||
BIO_printf(bio_err, "Error reading S/MIME message\n"); | |||||
goto end; | |||||
} | |||||
if (contfile != NULL) { | if (contfile != NULL) { | ||||
BIO_free(indata); | BIO_free(indata); | ||||
if ((indata = BIO_new_file(contfile, "rb")) == NULL) { | if ((indata = BIO_new_file(contfile, "rb")) == NULL) { | ||||
BIO_printf(bio_err, "Can't read content file %s\n", contfile); | BIO_printf(bio_err, "Can't read content file %s\n", contfile); | ||||
goto end; | goto end; | ||||
} | } | ||||
} | } | ||||
if (certsoutfile != NULL) { | if (certsoutfile != NULL) { | ||||
STACK_OF(X509) *allcerts; | STACK_OF(X509) *allcerts; | ||||
allcerts = CMS_get1_certs(cms); | allcerts = CMS_get1_certs(cms); | ||||
if (!save_certs(certsoutfile, allcerts)) { | if (!save_certs(certsoutfile, allcerts)) { | ||||
BIO_printf(bio_err, | BIO_printf(bio_err, | ||||
"Error writing certs to %s\n", certsoutfile); | "Error writing certs to %s\n", certsoutfile); | ||||
ret = 5; | ret = 5; | ||||
goto end; | goto end; | ||||
} | } | ||||
sk_X509_pop_free(allcerts, X509_free); | sk_X509_pop_free(allcerts, X509_free); | ||||
} | } | ||||
} | } | ||||
if (rctfile != NULL) { | if (rctfile != NULL) { | ||||
char *rctmode = (rctformat == FORMAT_ASN1) ? "rb" : "r"; | char *rctmode = (rctformat == FORMAT_ASN1) ? "rb" : "r"; | ||||
if ((rctin = BIO_new_file(rctfile, rctmode)) == NULL) { | if ((rctin = BIO_new_file(rctfile, rctmode)) == NULL) { | ||||
BIO_printf(bio_err, "Can't open receipt file %s\n", rctfile); | BIO_printf(bio_err, "Can't open receipt file %s\n", rctfile); | ||||
goto end; | goto end; | ||||
} | } | ||||
if (rctformat == FORMAT_SMIME) { | rcms = load_content_info(rctformat, rctin, 0, NULL, "receipt"); | ||||
rcms = SMIME_read_CMS(rctin, NULL); | if (rcms == NULL) | ||||
} else if (rctformat == FORMAT_PEM) { | |||||
rcms = PEM_read_bio_CMS(rctin, NULL, NULL, NULL); | |||||
} else if (rctformat == FORMAT_ASN1) { | |||||
rcms = d2i_CMS_bio(rctin, NULL); | |||||
} else { | |||||
BIO_printf(bio_err, "Bad input format for receipt\n"); | |||||
goto end; | goto end; | ||||
} | } | ||||
if (rcms == NULL) { | out = bio_open_default(outfile, 'w', | ||||
BIO_printf(bio_err, "Error reading receipt\n"); | binary_files ? FORMAT_BINARY : outformat); | ||||
goto end; | |||||
} | |||||
} | |||||
out = bio_open_default(outfile, 'w', outformat); | |||||
if (out == NULL) | if (out == NULL) | ||||
goto end; | goto end; | ||||
if ((operation == SMIME_VERIFY) || (operation == SMIME_VERIFY_RECEIPT)) { | if ((operation == SMIME_VERIFY) || (operation == SMIME_VERIFY_RECEIPT)) { | ||||
if ((store = setup_verify(CAfile, CApath, noCAfile, noCApath)) == NULL) | if ((store = setup_verify(CAfile, noCAfile, CApath, noCApath, | ||||
CAstore, noCAstore)) == NULL) | |||||
goto end; | goto end; | ||||
X509_STORE_set_verify_cb(store, cms_cb); | X509_STORE_set_verify_cb(store, cms_cb); | ||||
if (vpmtouched) | if (vpmtouched) | ||||
X509_STORE_set1_param(store, vpm); | X509_STORE_set1_param(store, vpm); | ||||
} | } | ||||
ret = 3; | ret = 3; | ||||
if (operation == SMIME_DATA_CREATE) { | if (operation == SMIME_DATA_CREATE) { | ||||
cms = CMS_data_create(in, flags); | cms = CMS_data_create_ex(in, flags, libctx, app_get0_propq()); | ||||
} else if (operation == SMIME_DIGEST_CREATE) { | } else if (operation == SMIME_DIGEST_CREATE) { | ||||
cms = CMS_digest_create(in, sign_md, flags); | cms = CMS_digest_create_ex(in, sign_md, flags, libctx, app_get0_propq()); | ||||
} else if (operation == SMIME_COMPRESS) { | } else if (operation == SMIME_COMPRESS) { | ||||
cms = CMS_compress(in, -1, flags); | cms = CMS_compress(in, -1, flags); | ||||
} else if (operation == SMIME_ENCRYPT) { | } else if (operation == SMIME_ENCRYPT) { | ||||
int i; | int i; | ||||
flags |= CMS_PARTIAL; | flags |= CMS_PARTIAL; | ||||
cms = CMS_encrypt(NULL, in, cipher, flags); | cms = CMS_encrypt_ex(NULL, in, cipher, flags, libctx, app_get0_propq()); | ||||
if (cms == NULL) | if (cms == NULL) | ||||
goto end; | goto end; | ||||
for (i = 0; i < sk_X509_num(encerts); i++) { | for (i = 0; i < sk_X509_num(encerts); i++) { | ||||
CMS_RecipientInfo *ri; | CMS_RecipientInfo *ri; | ||||
cms_key_param *kparam; | cms_key_param *kparam; | ||||
int tflags = flags; | int tflags = flags | CMS_KEY_PARAM; | ||||
/* This flag enforces allocating the EVP_PKEY_CTX for the recipient here */ | |||||
EVP_PKEY_CTX *pctx; | |||||
X509 *x = sk_X509_value(encerts, i); | X509 *x = sk_X509_value(encerts, i); | ||||
int res; | |||||
for (kparam = key_first; kparam; kparam = kparam->next) { | for (kparam = key_first; kparam; kparam = kparam->next) { | ||||
if (kparam->idx == i) { | if (kparam->idx == i) { | ||||
tflags |= CMS_KEY_PARAM; | |||||
break; | break; | ||||
} | } | ||||
} | } | ||||
ri = CMS_add1_recipient_cert(cms, x, tflags); | ri = CMS_add1_recipient(cms, x, key, originator, tflags); | ||||
if (ri == NULL) | if (ri == NULL) | ||||
goto end; | goto end; | ||||
if (kparam != NULL) { | |||||
EVP_PKEY_CTX *pctx; | |||||
pctx = CMS_RecipientInfo_get0_pkey_ctx(ri); | pctx = CMS_RecipientInfo_get0_pkey_ctx(ri); | ||||
if (kparam != NULL) { | |||||
if (!cms_set_pkey_param(pctx, kparam->param)) | if (!cms_set_pkey_param(pctx, kparam->param)) | ||||
goto end; | goto end; | ||||
} | } | ||||
res = EVP_PKEY_CTX_ctrl(pctx, -1, -1, | |||||
EVP_PKEY_CTRL_CIPHER, | |||||
EVP_CIPHER_get_nid(cipher), NULL); | |||||
if (res <= 0 && res != -2) | |||||
goto end; | |||||
if (CMS_RecipientInfo_type(ri) == CMS_RECIPINFO_AGREE | if (CMS_RecipientInfo_type(ri) == CMS_RECIPINFO_AGREE | ||||
&& wrap_cipher) { | && wrap_cipher != NULL) { | ||||
EVP_CIPHER_CTX *wctx; | EVP_CIPHER_CTX *wctx; | ||||
wctx = CMS_RecipientInfo_kari_get0_ctx(ri); | wctx = CMS_RecipientInfo_kari_get0_ctx(ri); | ||||
EVP_EncryptInit_ex(wctx, wrap_cipher, NULL, NULL, NULL); | EVP_EncryptInit_ex(wctx, wrap_cipher, NULL, NULL, NULL); | ||||
} | } | ||||
} | } | ||||
if (secret_key != NULL) { | if (secret_key != NULL) { | ||||
if (!CMS_add0_recipient_key(cms, NID_undef, | if (!CMS_add0_recipient_key(cms, NID_undef, | ||||
Show All 15 Lines | if (operation == SMIME_DATA_CREATE) { | ||||
goto end; | goto end; | ||||
pwri_tmp = NULL; | pwri_tmp = NULL; | ||||
} | } | ||||
if (!(flags & CMS_STREAM)) { | if (!(flags & CMS_STREAM)) { | ||||
if (!CMS_final(cms, in, NULL, flags)) | if (!CMS_final(cms, in, NULL, flags)) | ||||
goto end; | goto end; | ||||
} | } | ||||
} else if (operation == SMIME_ENCRYPTED_ENCRYPT) { | } else if (operation == SMIME_ENCRYPTED_ENCRYPT) { | ||||
cms = CMS_EncryptedData_encrypt(in, cipher, | cms = CMS_EncryptedData_encrypt_ex(in, cipher, secret_key, | ||||
secret_key, secret_keylen, flags); | secret_keylen, flags, libctx, app_get0_propq()); | ||||
} else if (operation == SMIME_SIGN_RECEIPT) { | } else if (operation == SMIME_SIGN_RECEIPT) { | ||||
CMS_ContentInfo *srcms = NULL; | CMS_ContentInfo *srcms = NULL; | ||||
STACK_OF(CMS_SignerInfo) *sis; | STACK_OF(CMS_SignerInfo) *sis; | ||||
CMS_SignerInfo *si; | CMS_SignerInfo *si; | ||||
sis = CMS_get0_SignerInfos(cms); | sis = CMS_get0_SignerInfos(cms); | ||||
if (sis == NULL) | if (sis == NULL) | ||||
goto end; | goto end; | ||||
Show All 11 Lines | if (operation == SMIME_DATA_CREATE) { | ||||
*/ | */ | ||||
if (operation == SMIME_SIGN) { | if (operation == SMIME_SIGN) { | ||||
if (flags & CMS_DETACHED) { | if (flags & CMS_DETACHED) { | ||||
if (outformat == FORMAT_SMIME) | if (outformat == FORMAT_SMIME) | ||||
flags |= CMS_STREAM; | flags |= CMS_STREAM; | ||||
} | } | ||||
flags |= CMS_PARTIAL; | flags |= CMS_PARTIAL; | ||||
cms = CMS_sign(NULL, NULL, other, in, flags); | cms = CMS_sign_ex(NULL, NULL, other, in, flags, libctx, app_get0_propq()); | ||||
if (cms == NULL) | if (cms == NULL) | ||||
goto end; | goto end; | ||||
if (econtent_type != NULL) | if (econtent_type != NULL) | ||||
CMS_set1_eContentType(cms, econtent_type); | CMS_set1_eContentType(cms, econtent_type); | ||||
if (rr_to != NULL) { | if (rr_to != NULL | ||||
rr = make_receipt_request(rr_to, rr_allorfirst, rr_from); | && ((rr = make_receipt_request(rr_to, rr_allorfirst, rr_from)) | ||||
if (rr == NULL) { | == NULL)) { | ||||
BIO_puts(bio_err, | BIO_puts(bio_err, "Signed Receipt Request Creation Error\n"); | ||||
"Signed Receipt Request Creation Error\n"); | |||||
goto end; | goto end; | ||||
} | } | ||||
} | |||||
} else { | } else { | ||||
flags |= CMS_REUSE_DIGEST; | flags |= CMS_REUSE_DIGEST; | ||||
} | } | ||||
for (i = 0; i < sk_OPENSSL_STRING_num(sksigners); i++) { | for (i = 0; i < sk_OPENSSL_STRING_num(sksigners); i++) { | ||||
CMS_SignerInfo *si; | CMS_SignerInfo *si; | ||||
cms_key_param *kparam; | cms_key_param *kparam; | ||||
int tflags = flags; | int tflags = flags; | ||||
signerfile = sk_OPENSSL_STRING_value(sksigners, i); | signerfile = sk_OPENSSL_STRING_value(sksigners, i); | ||||
keyfile = sk_OPENSSL_STRING_value(skkeys, i); | keyfile = sk_OPENSSL_STRING_value(skkeys, i); | ||||
signer = load_cert(signerfile, FORMAT_PEM, "signer certificate"); | signer = load_cert(signerfile, FORMAT_UNDEF, "signer certificate"); | ||||
if (signer == NULL) { | if (signer == NULL) { | ||||
ret = 2; | ret = 2; | ||||
goto end; | goto end; | ||||
} | } | ||||
key = load_key(keyfile, keyform, 0, passin, e, "signing key file"); | key = load_key(keyfile, keyform, 0, passin, e, "signing key"); | ||||
if (key == NULL) { | if (key == NULL) { | ||||
ret = 2; | ret = 2; | ||||
goto end; | goto end; | ||||
} | } | ||||
for (kparam = key_first; kparam; kparam = kparam->next) { | for (kparam = key_first; kparam; kparam = kparam->next) { | ||||
if (kparam->idx == i) { | if (kparam->idx == i) { | ||||
tflags |= CMS_KEY_PARAM; | tflags |= CMS_KEY_PARAM; | ||||
break; | break; | ||||
} | } | ||||
} | } | ||||
si = CMS_add1_signer(cms, signer, key, sign_md, tflags); | si = CMS_add1_signer(cms, signer, key, sign_md, tflags); | ||||
if (si == NULL) | if (si == NULL) | ||||
Show All 33 Lines | if (operation == SMIME_DECRYPT) { | ||||
secret_key, secret_keylen, | secret_key, secret_keylen, | ||||
secret_keyid, secret_keyidlen)) { | secret_keyid, secret_keyidlen)) { | ||||
BIO_puts(bio_err, "Error decrypting CMS using secret key\n"); | BIO_puts(bio_err, "Error decrypting CMS using secret key\n"); | ||||
goto end; | goto end; | ||||
} | } | ||||
} | } | ||||
if (key != NULL) { | if (key != NULL) { | ||||
if (!CMS_decrypt_set1_pkey(cms, key, recip)) { | if (!CMS_decrypt_set1_pkey_and_peer(cms, key, recip, originator)) { | ||||
BIO_puts(bio_err, "Error decrypting CMS using private key\n"); | BIO_puts(bio_err, "Error decrypting CMS using private key\n"); | ||||
goto end; | goto end; | ||||
} | } | ||||
} | } | ||||
if (pwri_pass != NULL) { | if (pwri_pass != NULL) { | ||||
if (!CMS_decrypt_set1_password(cms, pwri_pass, -1)) { | if (!CMS_decrypt_set1_password(cms, pwri_pass, -1)) { | ||||
BIO_puts(bio_err, "Error decrypting CMS using password\n"); | BIO_puts(bio_err, "Error decrypting CMS using password\n"); | ||||
goto end; | goto end; | ||||
} | } | ||||
} | } | ||||
if (!CMS_decrypt(cms, NULL, NULL, indata, out, flags)) { | if (!CMS_decrypt(cms, NULL, NULL, indata, out, flags)) { | ||||
BIO_printf(bio_err, "Error decrypting CMS structure\n"); | BIO_printf(bio_err, "Error decrypting CMS structure\n"); | ||||
goto end; | goto end; | ||||
} | } | ||||
} else if (operation == SMIME_DATAOUT) { | } else if (operation == SMIME_DATA_OUT) { | ||||
if (!CMS_data(cms, out, flags)) | if (!CMS_data(cms, out, flags)) | ||||
goto end; | goto end; | ||||
} else if (operation == SMIME_UNCOMPRESS) { | } else if (operation == SMIME_UNCOMPRESS) { | ||||
if (!CMS_uncompress(cms, indata, out, flags)) | if (!CMS_uncompress(cms, indata, out, flags)) | ||||
goto end; | goto end; | ||||
} else if (operation == SMIME_DIGEST_VERIFY) { | } else if (operation == SMIME_DIGEST_VERIFY) { | ||||
if (CMS_digest_verify(cms, indata, out, flags) > 0) { | if (CMS_digest_verify(cms, indata, out, flags) > 0) { | ||||
BIO_printf(bio_err, "Verification successful\n"); | BIO_printf(bio_err, "Verification successful\n"); | ||||
} else { | } else { | ||||
BIO_printf(bio_err, "Verification failure\n"); | BIO_printf(bio_err, "Verification failure\n"); | ||||
goto end; | goto end; | ||||
} | } | ||||
} else if (operation == SMIME_ENCRYPTED_DECRYPT) { | } else if (operation == SMIME_ENCRYPTED_DECRYPT) { | ||||
if (!CMS_EncryptedData_decrypt(cms, secret_key, secret_keylen, | if (!CMS_EncryptedData_decrypt(cms, secret_key, secret_keylen, | ||||
indata, out, flags)) | indata, out, flags)) | ||||
goto end; | goto end; | ||||
} else if (operation == SMIME_VERIFY) { | } else if (operation == SMIME_VERIFY) { | ||||
if (CMS_verify(cms, other, store, indata, out, flags) > 0) { | if (CMS_verify(cms, other, store, indata, out, flags) > 0) { | ||||
BIO_printf(bio_err, "Verification successful\n"); | BIO_printf(bio_err, "%s Verification successful\n", | ||||
(flags & CMS_CADES) != 0 ? "CAdES" : "CMS"); | |||||
} else { | } else { | ||||
BIO_printf(bio_err, "Verification failure\n"); | BIO_printf(bio_err, "%s Verification failure\n", | ||||
(flags & CMS_CADES) != 0 ? "CAdES" : "CMS"); | |||||
if (verify_retcode) | if (verify_retcode) | ||||
ret = verify_err + 32; | ret = verify_err + 32; | ||||
goto end; | goto end; | ||||
} | } | ||||
if (signerfile != NULL) { | if (signerfile != NULL) { | ||||
STACK_OF(X509) *signers; | STACK_OF(X509) *signers = CMS_get0_signers(cms); | ||||
signers = CMS_get0_signers(cms); | |||||
if (!save_certs(signerfile, signers)) { | if (!save_certs(signerfile, signers)) { | ||||
BIO_printf(bio_err, | BIO_printf(bio_err, | ||||
"Error writing signers to %s\n", signerfile); | "Error writing signers to %s\n", signerfile); | ||||
ret = 5; | ret = 5; | ||||
goto end; | goto end; | ||||
} | } | ||||
sk_X509_free(signers); | sk_X509_free(signers); | ||||
} | } | ||||
if (rr_print) | if (rr_print) | ||||
receipt_request_print(cms); | receipt_request_print(cms); | ||||
} else if (operation == SMIME_VERIFY_RECEIPT) { | } else if (operation == SMIME_VERIFY_RECEIPT) { | ||||
if (CMS_verify_receipt(rcms, cms, other, store, flags) > 0) { | if (CMS_verify_receipt(rcms, cms, other, store, flags) > 0) { | ||||
BIO_printf(bio_err, "Verification successful\n"); | BIO_printf(bio_err, "Verification successful\n"); | ||||
} else { | } else { | ||||
BIO_printf(bio_err, "Verification failure\n"); | BIO_printf(bio_err, "Verification failure\n"); | ||||
goto end; | goto end; | ||||
} | } | ||||
} else { | } else { | ||||
if (noout) { | if (noout) { | ||||
if (print) | if (print) { | ||||
CMS_ContentInfo_print_ctx(out, cms, 0, NULL); | ASN1_PCTX *pctx = NULL; | ||||
if (get_nameopt() != XN_FLAG_ONELINE) { | |||||
pctx = ASN1_PCTX_new(); | |||||
if (pctx != NULL) { /* Print anyway if malloc failed */ | |||||
ASN1_PCTX_set_flags(pctx, ASN1_PCTX_FLAGS_SHOW_ABSENT); | |||||
ASN1_PCTX_set_str_flags(pctx, get_nameopt()); | |||||
ASN1_PCTX_set_nm_flags(pctx, get_nameopt()); | |||||
} | |||||
} | |||||
CMS_ContentInfo_print_ctx(out, cms, 0, pctx); | |||||
ASN1_PCTX_free(pctx); | |||||
} | |||||
} else if (outformat == FORMAT_SMIME) { | } else if (outformat == FORMAT_SMIME) { | ||||
if (to) | if (to) | ||||
BIO_printf(out, "To: %s%s", to, mime_eol); | BIO_printf(out, "To: %s%s", to, mime_eol); | ||||
if (from) | if (from) | ||||
BIO_printf(out, "From: %s%s", from, mime_eol); | BIO_printf(out, "From: %s%s", from, mime_eol); | ||||
if (subject) | if (subject) | ||||
BIO_printf(out, "Subject: %s%s", subject, mime_eol); | BIO_printf(out, "Subject: %s%s", subject, mime_eol); | ||||
if (operation == SMIME_RESIGN) | if (operation == SMIME_RESIGN) | ||||
Show All 36 Lines | for (key_param = key_first; key_param;) { | ||||
OPENSSL_free(key_param); | OPENSSL_free(key_param); | ||||
key_param = tparam; | key_param = tparam; | ||||
} | } | ||||
X509_STORE_free(store); | X509_STORE_free(store); | ||||
X509_free(cert); | X509_free(cert); | ||||
X509_free(recip); | X509_free(recip); | ||||
X509_free(signer); | X509_free(signer); | ||||
EVP_PKEY_free(key); | EVP_PKEY_free(key); | ||||
EVP_CIPHER_free(cipher); | |||||
EVP_CIPHER_free(wrap_cipher); | |||||
EVP_MD_free(sign_md); | |||||
CMS_ContentInfo_free(cms); | CMS_ContentInfo_free(cms); | ||||
CMS_ContentInfo_free(rcms); | CMS_ContentInfo_free(rcms); | ||||
release_engine(e); | release_engine(e); | ||||
BIO_free(rctin); | BIO_free(rctin); | ||||
BIO_free(in); | BIO_free(in); | ||||
BIO_free(indata); | BIO_free(indata); | ||||
BIO_free_all(out); | BIO_free_all(out); | ||||
OPENSSL_free(passin); | OPENSSL_free(passin); | ||||
NCONF_free(conf); | |||||
return ret; | return ret; | ||||
} | } | ||||
static int save_certs(char *signerfile, STACK_OF(X509) *signers) | static int save_certs(char *signerfile, STACK_OF(X509) *signers) | ||||
{ | { | ||||
int i; | int i; | ||||
BIO *tmp; | BIO *tmp; | ||||
if (signerfile == NULL) | if (signerfile == NULL) | ||||
▲ Show 20 Lines • Show All 120 Lines • ▼ Show 20 Lines | |||||
err: | err: | ||||
sk_GENERAL_NAMES_pop_free(ret, GENERAL_NAMES_free); | sk_GENERAL_NAMES_pop_free(ret, GENERAL_NAMES_free); | ||||
GENERAL_NAMES_free(gens); | GENERAL_NAMES_free(gens); | ||||
GENERAL_NAME_free(gen); | GENERAL_NAME_free(gen); | ||||
return NULL; | return NULL; | ||||
} | } | ||||
static CMS_ReceiptRequest *make_receipt_request(STACK_OF(OPENSSL_STRING) | static CMS_ReceiptRequest | ||||
*rr_to, int rr_allorfirst, STACK_OF(OPENSSL_STRING) | *make_receipt_request(STACK_OF(OPENSSL_STRING) *rr_to, int rr_allorfirst, | ||||
*rr_from) | STACK_OF(OPENSSL_STRING) *rr_from) | ||||
{ | { | ||||
STACK_OF(GENERAL_NAMES) *rct_to = NULL, *rct_from = NULL; | STACK_OF(GENERAL_NAMES) *rct_to = NULL, *rct_from = NULL; | ||||
CMS_ReceiptRequest *rr; | |||||
rct_to = make_names_stack(rr_to); | rct_to = make_names_stack(rr_to); | ||||
if (rct_to == NULL) | if (rct_to == NULL) | ||||
goto err; | goto err; | ||||
if (rr_from != NULL) { | if (rr_from != NULL) { | ||||
rct_from = make_names_stack(rr_from); | rct_from = make_names_stack(rr_from); | ||||
if (rct_from == NULL) | if (rct_from == NULL) | ||||
goto err; | goto err; | ||||
} else { | } else { | ||||
rct_from = NULL; | rct_from = NULL; | ||||
} | } | ||||
rr = CMS_ReceiptRequest_create0(NULL, -1, rr_allorfirst, rct_from, | return CMS_ReceiptRequest_create0_ex(NULL, -1, rr_allorfirst, rct_from, | ||||
rct_to); | rct_to, app_get0_libctx()); | ||||
return rr; | |||||
err: | err: | ||||
sk_GENERAL_NAMES_pop_free(rct_to, GENERAL_NAMES_free); | sk_GENERAL_NAMES_pop_free(rct_to, GENERAL_NAMES_free); | ||||
return NULL; | return NULL; | ||||
} | } | ||||
static int cms_set_pkey_param(EVP_PKEY_CTX *pctx, | static int cms_set_pkey_param(EVP_PKEY_CTX *pctx, | ||||
STACK_OF(OPENSSL_STRING) *param) | STACK_OF(OPENSSL_STRING) *param) | ||||
{ | { | ||||
char *keyopt; | char *keyopt; | ||||
int i; | int i; | ||||
if (sk_OPENSSL_STRING_num(param) <= 0) | if (sk_OPENSSL_STRING_num(param) <= 0) | ||||
return 1; | return 1; | ||||
for (i = 0; i < sk_OPENSSL_STRING_num(param); i++) { | for (i = 0; i < sk_OPENSSL_STRING_num(param); i++) { | ||||
keyopt = sk_OPENSSL_STRING_value(param, i); | keyopt = sk_OPENSSL_STRING_value(param, i); | ||||
if (pkey_ctrl_string(pctx, keyopt) <= 0) { | if (pkey_ctrl_string(pctx, keyopt) <= 0) { | ||||
BIO_printf(bio_err, "parameter error \"%s\"\n", keyopt); | BIO_printf(bio_err, "parameter error \"%s\"\n", keyopt); | ||||
ERR_print_errors(bio_err); | ERR_print_errors(bio_err); | ||||
return 0; | return 0; | ||||
} | } | ||||
} | } | ||||
return 1; | return 1; | ||||
} | } | ||||
#endif |