cms.c revision 312826
1/* apps/cms.c */ 2/* 3 * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 4 * project. 5 */ 6/* ==================================================================== 7 * Copyright (c) 2008 The OpenSSL Project. All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 13 * 1. Redistributions of source code must retain the above copyright 14 * notice, this list of conditions and the following disclaimer. 15 * 16 * 2. Redistributions in binary form must reproduce the above copyright 17 * notice, this list of conditions and the following disclaimer in 18 * the documentation and/or other materials provided with the 19 * distribution. 20 * 21 * 3. All advertising materials mentioning features or use of this 22 * software must display the following acknowledgment: 23 * "This product includes software developed by the OpenSSL Project 24 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" 25 * 26 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 27 * endorse or promote products derived from this software without 28 * prior written permission. For written permission, please contact 29 * licensing@OpenSSL.org. 30 * 31 * 5. Products derived from this software may not be called "OpenSSL" 32 * nor may "OpenSSL" appear in their names without prior written 33 * permission of the OpenSSL Project. 34 * 35 * 6. Redistributions of any form whatsoever must retain the following 36 * acknowledgment: 37 * "This product includes software developed by the OpenSSL Project 38 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" 39 * 40 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 41 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 43 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 44 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 45 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 46 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 47 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 49 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 50 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 51 * OF THE POSSIBILITY OF SUCH DAMAGE. 52 * ==================================================================== 53 */ 54 55/* CMS utility function */ 56 57#include <stdio.h> 58#include <string.h> 59#include "apps.h" 60 61#ifndef OPENSSL_NO_CMS 62 63# include <openssl/crypto.h> 64# include <openssl/pem.h> 65# include <openssl/err.h> 66# include <openssl/x509_vfy.h> 67# include <openssl/x509v3.h> 68# include <openssl/cms.h> 69 70# undef PROG 71# define PROG cms_main 72static int save_certs(char *signerfile, STACK_OF(X509) *signers); 73static int cms_cb(int ok, X509_STORE_CTX *ctx); 74static void receipt_request_print(BIO *out, CMS_ContentInfo *cms); 75static CMS_ReceiptRequest *make_receipt_request(STACK_OF(OPENSSL_STRING) 76 *rr_to, int rr_allorfirst, STACK_OF(OPENSSL_STRING) 77 *rr_from); 78static int cms_set_pkey_param(EVP_PKEY_CTX *pctx, 79 STACK_OF(OPENSSL_STRING) *param); 80 81# define SMIME_OP 0x10 82# define SMIME_IP 0x20 83# define SMIME_SIGNERS 0x40 84# define SMIME_ENCRYPT (1 | SMIME_OP) 85# define SMIME_DECRYPT (2 | SMIME_IP) 86# define SMIME_SIGN (3 | SMIME_OP | SMIME_SIGNERS) 87# define SMIME_VERIFY (4 | SMIME_IP) 88# define SMIME_CMSOUT (5 | SMIME_IP | SMIME_OP) 89# define SMIME_RESIGN (6 | SMIME_IP | SMIME_OP | SMIME_SIGNERS) 90# define SMIME_DATAOUT (7 | SMIME_IP) 91# define SMIME_DATA_CREATE (8 | SMIME_OP) 92# define SMIME_DIGEST_VERIFY (9 | SMIME_IP) 93# define SMIME_DIGEST_CREATE (10 | SMIME_OP) 94# define SMIME_UNCOMPRESS (11 | SMIME_IP) 95# define SMIME_COMPRESS (12 | SMIME_OP) 96# define SMIME_ENCRYPTED_DECRYPT (13 | SMIME_IP) 97# define SMIME_ENCRYPTED_ENCRYPT (14 | SMIME_OP) 98# define SMIME_SIGN_RECEIPT (15 | SMIME_IP | SMIME_OP) 99# define SMIME_VERIFY_RECEIPT (16 | SMIME_IP) 100 101int verify_err = 0; 102 103typedef struct cms_key_param_st cms_key_param; 104 105struct cms_key_param_st { 106 int idx; 107 STACK_OF(OPENSSL_STRING) *param; 108 cms_key_param *next; 109}; 110 111int MAIN(int, char **); 112 113int MAIN(int argc, char **argv) 114{ 115 ENGINE *e = NULL; 116 int operation = 0; 117 int ret = 0; 118 char **args; 119 const char *inmode = "r", *outmode = "w"; 120 char *infile = NULL, *outfile = NULL, *rctfile = NULL; 121 char *signerfile = NULL, *recipfile = NULL; 122 STACK_OF(OPENSSL_STRING) *sksigners = NULL, *skkeys = NULL; 123 char *certfile = NULL, *keyfile = NULL, *contfile = NULL; 124 char *certsoutfile = NULL; 125 const EVP_CIPHER *cipher = NULL, *wrap_cipher = NULL; 126 CMS_ContentInfo *cms = NULL, *rcms = NULL; 127 X509_STORE *store = NULL; 128 X509 *cert = NULL, *recip = NULL, *signer = NULL; 129 EVP_PKEY *key = NULL; 130 STACK_OF(X509) *encerts = NULL, *other = NULL; 131 BIO *in = NULL, *out = NULL, *indata = NULL, *rctin = NULL; 132 int badarg = 0; 133 int flags = CMS_DETACHED, noout = 0, print = 0; 134 int verify_retcode = 0; 135 int rr_print = 0, rr_allorfirst = -1; 136 STACK_OF(OPENSSL_STRING) *rr_to = NULL, *rr_from = NULL; 137 CMS_ReceiptRequest *rr = NULL; 138 char *to = NULL, *from = NULL, *subject = NULL; 139 char *CAfile = NULL, *CApath = NULL; 140 char *passargin = NULL, *passin = NULL; 141 char *inrand = NULL; 142 int need_rand = 0; 143 const EVP_MD *sign_md = NULL; 144 int informat = FORMAT_SMIME, outformat = FORMAT_SMIME; 145 int rctformat = FORMAT_SMIME, keyform = FORMAT_PEM; 146 char *engine = NULL; 147 unsigned char *secret_key = NULL, *secret_keyid = NULL; 148 unsigned char *pwri_pass = NULL, *pwri_tmp = NULL; 149 size_t secret_keylen = 0, secret_keyidlen = 0; 150 151 cms_key_param *key_first = NULL, *key_param = NULL; 152 153 ASN1_OBJECT *econtent_type = NULL; 154 155 X509_VERIFY_PARAM *vpm = NULL; 156 157 args = argv + 1; 158 ret = 1; 159 160 apps_startup(); 161 162 if (bio_err == NULL) { 163 if ((bio_err = BIO_new(BIO_s_file())) != NULL) 164 BIO_set_fp(bio_err, stderr, BIO_NOCLOSE | BIO_FP_TEXT); 165 } 166 167 if (!load_config(bio_err, NULL)) 168 goto end; 169 170 while (!badarg && *args && *args[0] == '-') { 171 if (!strcmp(*args, "-encrypt")) 172 operation = SMIME_ENCRYPT; 173 else if (!strcmp(*args, "-decrypt")) 174 operation = SMIME_DECRYPT; 175 else if (!strcmp(*args, "-sign")) 176 operation = SMIME_SIGN; 177 else if (!strcmp(*args, "-sign_receipt")) 178 operation = SMIME_SIGN_RECEIPT; 179 else if (!strcmp(*args, "-resign")) 180 operation = SMIME_RESIGN; 181 else if (!strcmp(*args, "-verify")) 182 operation = SMIME_VERIFY; 183 else if (!strcmp(*args, "-verify_retcode")) 184 verify_retcode = 1; 185 else if (!strcmp(*args, "-verify_receipt")) { 186 operation = SMIME_VERIFY_RECEIPT; 187 if (!args[1]) 188 goto argerr; 189 args++; 190 rctfile = *args; 191 } else if (!strcmp(*args, "-cmsout")) 192 operation = SMIME_CMSOUT; 193 else if (!strcmp(*args, "-data_out")) 194 operation = SMIME_DATAOUT; 195 else if (!strcmp(*args, "-data_create")) 196 operation = SMIME_DATA_CREATE; 197 else if (!strcmp(*args, "-digest_verify")) 198 operation = SMIME_DIGEST_VERIFY; 199 else if (!strcmp(*args, "-digest_create")) 200 operation = SMIME_DIGEST_CREATE; 201 else if (!strcmp(*args, "-compress")) 202 operation = SMIME_COMPRESS; 203 else if (!strcmp(*args, "-uncompress")) 204 operation = SMIME_UNCOMPRESS; 205 else if (!strcmp(*args, "-EncryptedData_decrypt")) 206 operation = SMIME_ENCRYPTED_DECRYPT; 207 else if (!strcmp(*args, "-EncryptedData_encrypt")) 208 operation = SMIME_ENCRYPTED_ENCRYPT; 209# ifndef OPENSSL_NO_DES 210 else if (!strcmp(*args, "-des3")) 211 cipher = EVP_des_ede3_cbc(); 212 else if (!strcmp(*args, "-des")) 213 cipher = EVP_des_cbc(); 214 else if (!strcmp(*args, "-des3-wrap")) 215 wrap_cipher = EVP_des_ede3_wrap(); 216# endif 217# ifndef OPENSSL_NO_SEED 218 else if (!strcmp(*args, "-seed")) 219 cipher = EVP_seed_cbc(); 220# endif 221# ifndef OPENSSL_NO_RC2 222 else if (!strcmp(*args, "-rc2-40")) 223 cipher = EVP_rc2_40_cbc(); 224 else if (!strcmp(*args, "-rc2-128")) 225 cipher = EVP_rc2_cbc(); 226 else if (!strcmp(*args, "-rc2-64")) 227 cipher = EVP_rc2_64_cbc(); 228# endif 229# ifndef OPENSSL_NO_AES 230 else if (!strcmp(*args, "-aes128")) 231 cipher = EVP_aes_128_cbc(); 232 else if (!strcmp(*args, "-aes192")) 233 cipher = EVP_aes_192_cbc(); 234 else if (!strcmp(*args, "-aes256")) 235 cipher = EVP_aes_256_cbc(); 236 else if (!strcmp(*args, "-aes128-wrap")) 237 wrap_cipher = EVP_aes_128_wrap(); 238 else if (!strcmp(*args, "-aes192-wrap")) 239 wrap_cipher = EVP_aes_192_wrap(); 240 else if (!strcmp(*args, "-aes256-wrap")) 241 wrap_cipher = EVP_aes_256_wrap(); 242# endif 243# ifndef OPENSSL_NO_CAMELLIA 244 else if (!strcmp(*args, "-camellia128")) 245 cipher = EVP_camellia_128_cbc(); 246 else if (!strcmp(*args, "-camellia192")) 247 cipher = EVP_camellia_192_cbc(); 248 else if (!strcmp(*args, "-camellia256")) 249 cipher = EVP_camellia_256_cbc(); 250# endif 251 else if (!strcmp(*args, "-debug_decrypt")) 252 flags |= CMS_DEBUG_DECRYPT; 253 else if (!strcmp(*args, "-text")) 254 flags |= CMS_TEXT; 255 else if (!strcmp(*args, "-nointern")) 256 flags |= CMS_NOINTERN; 257 else if (!strcmp(*args, "-noverify") 258 || !strcmp(*args, "-no_signer_cert_verify")) 259 flags |= CMS_NO_SIGNER_CERT_VERIFY; 260 else if (!strcmp(*args, "-nocerts")) 261 flags |= CMS_NOCERTS; 262 else if (!strcmp(*args, "-noattr")) 263 flags |= CMS_NOATTR; 264 else if (!strcmp(*args, "-nodetach")) 265 flags &= ~CMS_DETACHED; 266 else if (!strcmp(*args, "-nosmimecap")) 267 flags |= CMS_NOSMIMECAP; 268 else if (!strcmp(*args, "-binary")) 269 flags |= CMS_BINARY; 270 else if (!strcmp(*args, "-keyid")) 271 flags |= CMS_USE_KEYID; 272 else if (!strcmp(*args, "-nosigs")) 273 flags |= CMS_NOSIGS; 274 else if (!strcmp(*args, "-no_content_verify")) 275 flags |= CMS_NO_CONTENT_VERIFY; 276 else if (!strcmp(*args, "-no_attr_verify")) 277 flags |= CMS_NO_ATTR_VERIFY; 278 else if (!strcmp(*args, "-stream")) 279 flags |= CMS_STREAM; 280 else if (!strcmp(*args, "-indef")) 281 flags |= CMS_STREAM; 282 else if (!strcmp(*args, "-noindef")) 283 flags &= ~CMS_STREAM; 284 else if (!strcmp(*args, "-nooldmime")) 285 flags |= CMS_NOOLDMIMETYPE; 286 else if (!strcmp(*args, "-crlfeol")) 287 flags |= CMS_CRLFEOL; 288 else if (!strcmp(*args, "-noout")) 289 noout = 1; 290 else if (!strcmp(*args, "-receipt_request_print")) 291 rr_print = 1; 292 else if (!strcmp(*args, "-receipt_request_all")) 293 rr_allorfirst = 0; 294 else if (!strcmp(*args, "-receipt_request_first")) 295 rr_allorfirst = 1; 296 else if (!strcmp(*args, "-receipt_request_from")) { 297 if (!args[1]) 298 goto argerr; 299 args++; 300 if (!rr_from) 301 rr_from = sk_OPENSSL_STRING_new_null(); 302 sk_OPENSSL_STRING_push(rr_from, *args); 303 } else if (!strcmp(*args, "-receipt_request_to")) { 304 if (!args[1]) 305 goto argerr; 306 args++; 307 if (!rr_to) 308 rr_to = sk_OPENSSL_STRING_new_null(); 309 sk_OPENSSL_STRING_push(rr_to, *args); 310 } else if (!strcmp(*args, "-print")) { 311 noout = 1; 312 print = 1; 313 } else if (!strcmp(*args, "-secretkey")) { 314 long ltmp; 315 if (!args[1]) 316 goto argerr; 317 args++; 318 secret_key = string_to_hex(*args, <mp); 319 if (!secret_key) { 320 BIO_printf(bio_err, "Invalid key %s\n", *args); 321 goto argerr; 322 } 323 secret_keylen = (size_t)ltmp; 324 } else if (!strcmp(*args, "-secretkeyid")) { 325 long ltmp; 326 if (!args[1]) 327 goto argerr; 328 args++; 329 secret_keyid = string_to_hex(*args, <mp); 330 if (!secret_keyid) { 331 BIO_printf(bio_err, "Invalid id %s\n", *args); 332 goto argerr; 333 } 334 secret_keyidlen = (size_t)ltmp; 335 } else if (!strcmp(*args, "-pwri_password")) { 336 if (!args[1]) 337 goto argerr; 338 args++; 339 pwri_pass = (unsigned char *)*args; 340 } else if (!strcmp(*args, "-econtent_type")) { 341 if (!args[1]) 342 goto argerr; 343 args++; 344 econtent_type = OBJ_txt2obj(*args, 0); 345 if (!econtent_type) { 346 BIO_printf(bio_err, "Invalid OID %s\n", *args); 347 goto argerr; 348 } 349 } else if (!strcmp(*args, "-rand")) { 350 if (!args[1]) 351 goto argerr; 352 args++; 353 inrand = *args; 354 need_rand = 1; 355 } 356# ifndef OPENSSL_NO_ENGINE 357 else if (!strcmp(*args, "-engine")) { 358 if (!args[1]) 359 goto argerr; 360 engine = *++args; 361 } 362# endif 363 else if (!strcmp(*args, "-passin")) { 364 if (!args[1]) 365 goto argerr; 366 passargin = *++args; 367 } else if (!strcmp(*args, "-to")) { 368 if (!args[1]) 369 goto argerr; 370 to = *++args; 371 } else if (!strcmp(*args, "-from")) { 372 if (!args[1]) 373 goto argerr; 374 from = *++args; 375 } else if (!strcmp(*args, "-subject")) { 376 if (!args[1]) 377 goto argerr; 378 subject = *++args; 379 } else if (!strcmp(*args, "-signer")) { 380 if (!args[1]) 381 goto argerr; 382 /* If previous -signer argument add signer to list */ 383 384 if (signerfile) { 385 if (!sksigners) 386 sksigners = sk_OPENSSL_STRING_new_null(); 387 sk_OPENSSL_STRING_push(sksigners, signerfile); 388 if (!keyfile) 389 keyfile = signerfile; 390 if (!skkeys) 391 skkeys = sk_OPENSSL_STRING_new_null(); 392 sk_OPENSSL_STRING_push(skkeys, keyfile); 393 keyfile = NULL; 394 } 395 signerfile = *++args; 396 } else if (!strcmp(*args, "-recip")) { 397 if (!args[1]) 398 goto argerr; 399 if (operation == SMIME_ENCRYPT) { 400 if (!encerts) 401 encerts = sk_X509_new_null(); 402 cert = load_cert(bio_err, *++args, FORMAT_PEM, 403 NULL, e, "recipient certificate file"); 404 if (!cert) 405 goto end; 406 sk_X509_push(encerts, cert); 407 cert = NULL; 408 } else 409 recipfile = *++args; 410 } else if (!strcmp(*args, "-certsout")) { 411 if (!args[1]) 412 goto argerr; 413 certsoutfile = *++args; 414 } else if (!strcmp(*args, "-md")) { 415 if (!args[1]) 416 goto argerr; 417 sign_md = EVP_get_digestbyname(*++args); 418 if (sign_md == NULL) { 419 BIO_printf(bio_err, "Unknown digest %s\n", *args); 420 goto argerr; 421 } 422 } else if (!strcmp(*args, "-inkey")) { 423 if (!args[1]) 424 goto argerr; 425 /* If previous -inkey arument add signer to list */ 426 if (keyfile) { 427 if (!signerfile) { 428 BIO_puts(bio_err, "Illegal -inkey without -signer\n"); 429 goto argerr; 430 } 431 if (!sksigners) 432 sksigners = sk_OPENSSL_STRING_new_null(); 433 sk_OPENSSL_STRING_push(sksigners, signerfile); 434 signerfile = NULL; 435 if (!skkeys) 436 skkeys = sk_OPENSSL_STRING_new_null(); 437 sk_OPENSSL_STRING_push(skkeys, keyfile); 438 } 439 keyfile = *++args; 440 } else if (!strcmp(*args, "-keyform")) { 441 if (!args[1]) 442 goto argerr; 443 keyform = str2fmt(*++args); 444 } else if (!strcmp(*args, "-keyopt")) { 445 int keyidx = -1; 446 if (!args[1]) 447 goto argerr; 448 if (operation == SMIME_ENCRYPT) { 449 if (encerts) 450 keyidx += sk_X509_num(encerts); 451 } else { 452 if (keyfile || signerfile) 453 keyidx++; 454 if (skkeys) 455 keyidx += sk_OPENSSL_STRING_num(skkeys); 456 } 457 if (keyidx < 0) { 458 BIO_printf(bio_err, "No key specified\n"); 459 goto argerr; 460 } 461 if (key_param == NULL || key_param->idx != keyidx) { 462 cms_key_param *nparam; 463 nparam = OPENSSL_malloc(sizeof(cms_key_param)); 464 if (!nparam) { 465 BIO_printf(bio_err, "Out of memory\n"); 466 goto argerr; 467 } 468 nparam->idx = keyidx; 469 nparam->param = sk_OPENSSL_STRING_new_null(); 470 nparam->next = NULL; 471 if (key_first == NULL) 472 key_first = nparam; 473 else 474 key_param->next = nparam; 475 key_param = nparam; 476 } 477 sk_OPENSSL_STRING_push(key_param->param, *++args); 478 } else if (!strcmp(*args, "-rctform")) { 479 if (!args[1]) 480 goto argerr; 481 rctformat = str2fmt(*++args); 482 } else if (!strcmp(*args, "-certfile")) { 483 if (!args[1]) 484 goto argerr; 485 certfile = *++args; 486 } else if (!strcmp(*args, "-CAfile")) { 487 if (!args[1]) 488 goto argerr; 489 CAfile = *++args; 490 } else if (!strcmp(*args, "-CApath")) { 491 if (!args[1]) 492 goto argerr; 493 CApath = *++args; 494 } else if (!strcmp(*args, "-in")) { 495 if (!args[1]) 496 goto argerr; 497 infile = *++args; 498 } else if (!strcmp(*args, "-inform")) { 499 if (!args[1]) 500 goto argerr; 501 informat = str2fmt(*++args); 502 } else if (!strcmp(*args, "-outform")) { 503 if (!args[1]) 504 goto argerr; 505 outformat = str2fmt(*++args); 506 } else if (!strcmp(*args, "-out")) { 507 if (!args[1]) 508 goto argerr; 509 outfile = *++args; 510 } else if (!strcmp(*args, "-content")) { 511 if (!args[1]) 512 goto argerr; 513 contfile = *++args; 514 } else if (args_verify(&args, NULL, &badarg, bio_err, &vpm)) 515 continue; 516 else if ((cipher = EVP_get_cipherbyname(*args + 1)) == NULL) 517 badarg = 1; 518 args++; 519 } 520 521 if (((rr_allorfirst != -1) || rr_from) && !rr_to) { 522 BIO_puts(bio_err, "No Signed Receipts Recipients\n"); 523 goto argerr; 524 } 525 526 if (!(operation & SMIME_SIGNERS) && (rr_to || rr_from)) { 527 BIO_puts(bio_err, "Signed receipts only allowed with -sign\n"); 528 goto argerr; 529 } 530 if (!(operation & SMIME_SIGNERS) && (skkeys || sksigners)) { 531 BIO_puts(bio_err, "Multiple signers or keys not allowed\n"); 532 goto argerr; 533 } 534 535 if (operation & SMIME_SIGNERS) { 536 if (keyfile && !signerfile) { 537 BIO_puts(bio_err, "Illegal -inkey without -signer\n"); 538 goto argerr; 539 } 540 /* Check to see if any final signer needs to be appended */ 541 if (signerfile) { 542 if (!sksigners) 543 sksigners = sk_OPENSSL_STRING_new_null(); 544 sk_OPENSSL_STRING_push(sksigners, signerfile); 545 if (!skkeys) 546 skkeys = sk_OPENSSL_STRING_new_null(); 547 if (!keyfile) 548 keyfile = signerfile; 549 sk_OPENSSL_STRING_push(skkeys, keyfile); 550 } 551 if (!sksigners) { 552 BIO_printf(bio_err, "No signer certificate specified\n"); 553 badarg = 1; 554 } 555 signerfile = NULL; 556 keyfile = NULL; 557 need_rand = 1; 558 } 559 560 else if (operation == SMIME_DECRYPT) { 561 if (!recipfile && !keyfile && !secret_key && !pwri_pass) { 562 BIO_printf(bio_err, 563 "No recipient certificate or key specified\n"); 564 badarg = 1; 565 } 566 } else if (operation == SMIME_ENCRYPT) { 567 if (!*args && !secret_key && !pwri_pass && !encerts) { 568 BIO_printf(bio_err, "No recipient(s) certificate(s) specified\n"); 569 badarg = 1; 570 } 571 need_rand = 1; 572 } else if (!operation) 573 badarg = 1; 574 575 if (badarg) { 576 argerr: 577 BIO_printf(bio_err, "Usage cms [options] cert.pem ...\n"); 578 BIO_printf(bio_err, "where options are\n"); 579 BIO_printf(bio_err, "-encrypt encrypt message\n"); 580 BIO_printf(bio_err, "-decrypt decrypt encrypted message\n"); 581 BIO_printf(bio_err, "-sign sign message\n"); 582 BIO_printf(bio_err, "-verify verify signed message\n"); 583 BIO_printf(bio_err, "-cmsout output CMS structure\n"); 584# ifndef OPENSSL_NO_DES 585 BIO_printf(bio_err, "-des3 encrypt with triple DES\n"); 586 BIO_printf(bio_err, "-des encrypt with DES\n"); 587# endif 588# ifndef OPENSSL_NO_SEED 589 BIO_printf(bio_err, "-seed encrypt with SEED\n"); 590# endif 591# ifndef OPENSSL_NO_RC2 592 BIO_printf(bio_err, "-rc2-40 encrypt with RC2-40 (default)\n"); 593 BIO_printf(bio_err, "-rc2-64 encrypt with RC2-64\n"); 594 BIO_printf(bio_err, "-rc2-128 encrypt with RC2-128\n"); 595# endif 596# ifndef OPENSSL_NO_AES 597 BIO_printf(bio_err, "-aes128, -aes192, -aes256\n"); 598 BIO_printf(bio_err, 599 " encrypt PEM output with cbc aes\n"); 600# endif 601# ifndef OPENSSL_NO_CAMELLIA 602 BIO_printf(bio_err, "-camellia128, -camellia192, -camellia256\n"); 603 BIO_printf(bio_err, 604 " encrypt PEM output with cbc camellia\n"); 605# endif 606 BIO_printf(bio_err, 607 "-nointern don't search certificates in message for signer\n"); 608 BIO_printf(bio_err, 609 "-nosigs don't verify message signature\n"); 610 BIO_printf(bio_err, 611 "-noverify don't verify signers certificate\n"); 612 BIO_printf(bio_err, 613 "-nocerts don't include signers certificate when signing\n"); 614 BIO_printf(bio_err, "-nodetach use opaque signing\n"); 615 BIO_printf(bio_err, 616 "-noattr don't include any signed attributes\n"); 617 BIO_printf(bio_err, 618 "-binary don't translate message to text\n"); 619 BIO_printf(bio_err, "-certfile file other certificates file\n"); 620 BIO_printf(bio_err, "-certsout file certificate output file\n"); 621 BIO_printf(bio_err, "-signer file signer certificate file\n"); 622 BIO_printf(bio_err, 623 "-recip file recipient certificate file for decryption\n"); 624 BIO_printf(bio_err, "-keyid use subject key identifier\n"); 625 BIO_printf(bio_err, "-in file input file\n"); 626 BIO_printf(bio_err, 627 "-inform arg input format SMIME (default), PEM or DER\n"); 628 BIO_printf(bio_err, 629 "-inkey file input private key (if not signer or recipient)\n"); 630 BIO_printf(bio_err, 631 "-keyform arg input private key format (PEM or ENGINE)\n"); 632 BIO_printf(bio_err, "-keyopt nm:v set public key parameters\n"); 633 BIO_printf(bio_err, "-out file output file\n"); 634 BIO_printf(bio_err, 635 "-outform arg output format SMIME (default), PEM or DER\n"); 636 BIO_printf(bio_err, 637 "-content file supply or override content for detached signature\n"); 638 BIO_printf(bio_err, "-to addr to address\n"); 639 BIO_printf(bio_err, "-from ad from address\n"); 640 BIO_printf(bio_err, "-subject s subject\n"); 641 BIO_printf(bio_err, 642 "-text include or delete text MIME headers\n"); 643 BIO_printf(bio_err, 644 "-CApath dir trusted certificates directory\n"); 645 BIO_printf(bio_err, "-CAfile file trusted certificates file\n"); 646 BIO_printf(bio_err, 647 "-no_alt_chains only ever use the first certificate chain found\n"); 648 BIO_printf(bio_err, 649 "-crl_check check revocation status of signer's certificate using CRLs\n"); 650 BIO_printf(bio_err, 651 "-crl_check_all check revocation status of signer's certificate chain using CRLs\n"); 652# ifndef OPENSSL_NO_ENGINE 653 BIO_printf(bio_err, 654 "-engine e use engine e, possibly a hardware device.\n"); 655# endif 656 BIO_printf(bio_err, "-passin arg input file pass phrase source\n"); 657 BIO_printf(bio_err, "-rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, 658 LIST_SEPARATOR_CHAR); 659 BIO_printf(bio_err, 660 " load the file (or the files in the directory) into\n"); 661 BIO_printf(bio_err, " the random number generator\n"); 662 BIO_printf(bio_err, 663 "cert.pem recipient certificate(s) for encryption\n"); 664 goto end; 665 } 666 e = setup_engine(bio_err, engine, 0); 667 668 if (!app_passwd(bio_err, passargin, NULL, &passin, NULL)) { 669 BIO_printf(bio_err, "Error getting password\n"); 670 goto end; 671 } 672 673 if (need_rand) { 674 app_RAND_load_file(NULL, bio_err, (inrand != NULL)); 675 if (inrand != NULL) 676 BIO_printf(bio_err, "%ld semi-random bytes loaded\n", 677 app_RAND_load_files(inrand)); 678 } 679 680 ret = 2; 681 682 if (!(operation & SMIME_SIGNERS)) 683 flags &= ~CMS_DETACHED; 684 685 if (operation & SMIME_OP) { 686 if (outformat == FORMAT_ASN1) 687 outmode = "wb"; 688 } else { 689 if (flags & CMS_BINARY) 690 outmode = "wb"; 691 } 692 693 if (operation & SMIME_IP) { 694 if (informat == FORMAT_ASN1) 695 inmode = "rb"; 696 } else { 697 if (flags & CMS_BINARY) 698 inmode = "rb"; 699 } 700 701 if (operation == SMIME_ENCRYPT) { 702 if (!cipher) { 703# ifndef OPENSSL_NO_DES 704 cipher = EVP_des_ede3_cbc(); 705# else 706 BIO_printf(bio_err, "No cipher selected\n"); 707 goto end; 708# endif 709 } 710 711 if (secret_key && !secret_keyid) { 712 BIO_printf(bio_err, "No secret key id\n"); 713 goto end; 714 } 715 716 if (*args && !encerts) 717 encerts = sk_X509_new_null(); 718 while (*args) { 719 if (!(cert = load_cert(bio_err, *args, FORMAT_PEM, 720 NULL, e, "recipient certificate file"))) 721 goto end; 722 sk_X509_push(encerts, cert); 723 cert = NULL; 724 args++; 725 } 726 } 727 728 if (certfile) { 729 if (!(other = load_certs(bio_err, certfile, FORMAT_PEM, NULL, 730 e, "certificate file"))) { 731 ERR_print_errors(bio_err); 732 goto end; 733 } 734 } 735 736 if (recipfile && (operation == SMIME_DECRYPT)) { 737 if (!(recip = load_cert(bio_err, recipfile, FORMAT_PEM, NULL, 738 e, "recipient certificate file"))) { 739 ERR_print_errors(bio_err); 740 goto end; 741 } 742 } 743 744 if (operation == SMIME_SIGN_RECEIPT) { 745 if (!(signer = load_cert(bio_err, signerfile, FORMAT_PEM, NULL, 746 e, "receipt signer certificate file"))) { 747 ERR_print_errors(bio_err); 748 goto end; 749 } 750 } 751 752 if (operation == SMIME_DECRYPT) { 753 if (!keyfile) 754 keyfile = recipfile; 755 } else if ((operation == SMIME_SIGN) || (operation == SMIME_SIGN_RECEIPT)) { 756 if (!keyfile) 757 keyfile = signerfile; 758 } else 759 keyfile = NULL; 760 761 if (keyfile) { 762 key = load_key(bio_err, keyfile, keyform, 0, passin, e, 763 "signing key file"); 764 if (!key) 765 goto end; 766 } 767 768 if (infile) { 769 if (!(in = BIO_new_file(infile, inmode))) { 770 BIO_printf(bio_err, "Can't open input file %s\n", infile); 771 goto end; 772 } 773 } else 774 in = BIO_new_fp(stdin, BIO_NOCLOSE); 775 776 if (operation & SMIME_IP) { 777 if (informat == FORMAT_SMIME) 778 cms = SMIME_read_CMS(in, &indata); 779 else if (informat == FORMAT_PEM) 780 cms = PEM_read_bio_CMS(in, NULL, NULL, NULL); 781 else if (informat == FORMAT_ASN1) 782 cms = d2i_CMS_bio(in, NULL); 783 else { 784 BIO_printf(bio_err, "Bad input format for CMS file\n"); 785 goto end; 786 } 787 788 if (!cms) { 789 BIO_printf(bio_err, "Error reading S/MIME message\n"); 790 goto end; 791 } 792 if (contfile) { 793 BIO_free(indata); 794 if (!(indata = BIO_new_file(contfile, "rb"))) { 795 BIO_printf(bio_err, "Can't read content file %s\n", contfile); 796 goto end; 797 } 798 } 799 if (certsoutfile) { 800 STACK_OF(X509) *allcerts; 801 allcerts = CMS_get1_certs(cms); 802 if (!save_certs(certsoutfile, allcerts)) { 803 BIO_printf(bio_err, 804 "Error writing certs to %s\n", certsoutfile); 805 ret = 5; 806 goto end; 807 } 808 sk_X509_pop_free(allcerts, X509_free); 809 } 810 } 811 812 if (rctfile) { 813 char *rctmode = (rctformat == FORMAT_ASN1) ? "rb" : "r"; 814 if (!(rctin = BIO_new_file(rctfile, rctmode))) { 815 BIO_printf(bio_err, "Can't open receipt file %s\n", rctfile); 816 goto end; 817 } 818 819 if (rctformat == FORMAT_SMIME) 820 rcms = SMIME_read_CMS(rctin, NULL); 821 else if (rctformat == FORMAT_PEM) 822 rcms = PEM_read_bio_CMS(rctin, NULL, NULL, NULL); 823 else if (rctformat == FORMAT_ASN1) 824 rcms = d2i_CMS_bio(rctin, NULL); 825 else { 826 BIO_printf(bio_err, "Bad input format for receipt\n"); 827 goto end; 828 } 829 830 if (!rcms) { 831 BIO_printf(bio_err, "Error reading receipt\n"); 832 goto end; 833 } 834 } 835 836 if (outfile) { 837 if (!(out = BIO_new_file(outfile, outmode))) { 838 BIO_printf(bio_err, "Can't open output file %s\n", outfile); 839 goto end; 840 } 841 } else { 842 out = BIO_new_fp(stdout, BIO_NOCLOSE); 843# ifdef OPENSSL_SYS_VMS 844 { 845 BIO *tmpbio = BIO_new(BIO_f_linebuffer()); 846 out = BIO_push(tmpbio, out); 847 } 848# endif 849 } 850 851 if ((operation == SMIME_VERIFY) || (operation == SMIME_VERIFY_RECEIPT)) { 852 if (!(store = setup_verify(bio_err, CAfile, CApath))) 853 goto end; 854 X509_STORE_set_verify_cb(store, cms_cb); 855 if (vpm) 856 X509_STORE_set1_param(store, vpm); 857 } 858 859 ret = 3; 860 861 if (operation == SMIME_DATA_CREATE) { 862 cms = CMS_data_create(in, flags); 863 } else if (operation == SMIME_DIGEST_CREATE) { 864 cms = CMS_digest_create(in, sign_md, flags); 865 } else if (operation == SMIME_COMPRESS) { 866 cms = CMS_compress(in, -1, flags); 867 } else if (operation == SMIME_ENCRYPT) { 868 int i; 869 flags |= CMS_PARTIAL; 870 cms = CMS_encrypt(NULL, in, cipher, flags); 871 if (!cms) 872 goto end; 873 for (i = 0; i < sk_X509_num(encerts); i++) { 874 CMS_RecipientInfo *ri; 875 cms_key_param *kparam; 876 int tflags = flags; 877 X509 *x = sk_X509_value(encerts, i); 878 for (kparam = key_first; kparam; kparam = kparam->next) { 879 if (kparam->idx == i) { 880 tflags |= CMS_KEY_PARAM; 881 break; 882 } 883 } 884 ri = CMS_add1_recipient_cert(cms, x, tflags); 885 if (!ri) 886 goto end; 887 if (kparam) { 888 EVP_PKEY_CTX *pctx; 889 pctx = CMS_RecipientInfo_get0_pkey_ctx(ri); 890 if (!cms_set_pkey_param(pctx, kparam->param)) 891 goto end; 892 } 893 if (CMS_RecipientInfo_type(ri) == CMS_RECIPINFO_AGREE 894 && wrap_cipher) { 895 EVP_CIPHER_CTX *wctx; 896 wctx = CMS_RecipientInfo_kari_get0_ctx(ri); 897 EVP_EncryptInit_ex(wctx, wrap_cipher, NULL, NULL, NULL); 898 } 899 } 900 901 if (secret_key) { 902 if (!CMS_add0_recipient_key(cms, NID_undef, 903 secret_key, secret_keylen, 904 secret_keyid, secret_keyidlen, 905 NULL, NULL, NULL)) 906 goto end; 907 /* NULL these because call absorbs them */ 908 secret_key = NULL; 909 secret_keyid = NULL; 910 } 911 if (pwri_pass) { 912 pwri_tmp = (unsigned char *)BUF_strdup((char *)pwri_pass); 913 if (!pwri_tmp) 914 goto end; 915 if (!CMS_add0_recipient_password(cms, 916 -1, NID_undef, NID_undef, 917 pwri_tmp, -1, NULL)) 918 goto end; 919 pwri_tmp = NULL; 920 } 921 if (!(flags & CMS_STREAM)) { 922 if (!CMS_final(cms, in, NULL, flags)) 923 goto end; 924 } 925 } else if (operation == SMIME_ENCRYPTED_ENCRYPT) { 926 cms = CMS_EncryptedData_encrypt(in, cipher, 927 secret_key, secret_keylen, flags); 928 929 } else if (operation == SMIME_SIGN_RECEIPT) { 930 CMS_ContentInfo *srcms = NULL; 931 STACK_OF(CMS_SignerInfo) *sis; 932 CMS_SignerInfo *si; 933 sis = CMS_get0_SignerInfos(cms); 934 if (!sis) 935 goto end; 936 si = sk_CMS_SignerInfo_value(sis, 0); 937 srcms = CMS_sign_receipt(si, signer, key, other, flags); 938 if (!srcms) 939 goto end; 940 CMS_ContentInfo_free(cms); 941 cms = srcms; 942 } else if (operation & SMIME_SIGNERS) { 943 int i; 944 /* 945 * If detached data content we enable streaming if S/MIME output 946 * format. 947 */ 948 if (operation == SMIME_SIGN) { 949 950 if (flags & CMS_DETACHED) { 951 if (outformat == FORMAT_SMIME) 952 flags |= CMS_STREAM; 953 } 954 flags |= CMS_PARTIAL; 955 cms = CMS_sign(NULL, NULL, other, in, flags); 956 if (!cms) 957 goto end; 958 if (econtent_type) 959 CMS_set1_eContentType(cms, econtent_type); 960 961 if (rr_to) { 962 rr = make_receipt_request(rr_to, rr_allorfirst, rr_from); 963 if (!rr) { 964 BIO_puts(bio_err, 965 "Signed Receipt Request Creation Error\n"); 966 goto end; 967 } 968 } 969 } else 970 flags |= CMS_REUSE_DIGEST; 971 for (i = 0; i < sk_OPENSSL_STRING_num(sksigners); i++) { 972 CMS_SignerInfo *si; 973 cms_key_param *kparam; 974 int tflags = flags; 975 signerfile = sk_OPENSSL_STRING_value(sksigners, i); 976 keyfile = sk_OPENSSL_STRING_value(skkeys, i); 977 978 signer = load_cert(bio_err, signerfile, FORMAT_PEM, NULL, 979 e, "signer certificate"); 980 if (!signer) 981 goto end; 982 key = load_key(bio_err, keyfile, keyform, 0, passin, e, 983 "signing key file"); 984 if (!key) 985 goto end; 986 for (kparam = key_first; kparam; kparam = kparam->next) { 987 if (kparam->idx == i) { 988 tflags |= CMS_KEY_PARAM; 989 break; 990 } 991 } 992 si = CMS_add1_signer(cms, signer, key, sign_md, tflags); 993 if (!si) 994 goto end; 995 if (kparam) { 996 EVP_PKEY_CTX *pctx; 997 pctx = CMS_SignerInfo_get0_pkey_ctx(si); 998 if (!cms_set_pkey_param(pctx, kparam->param)) 999 goto end; 1000 } 1001 if (rr && !CMS_add1_ReceiptRequest(si, rr)) 1002 goto end; 1003 X509_free(signer); 1004 signer = NULL; 1005 EVP_PKEY_free(key); 1006 key = NULL; 1007 } 1008 /* If not streaming or resigning finalize structure */ 1009 if ((operation == SMIME_SIGN) && !(flags & CMS_STREAM)) { 1010 if (!CMS_final(cms, in, NULL, flags)) 1011 goto end; 1012 } 1013 } 1014 1015 if (!cms) { 1016 BIO_printf(bio_err, "Error creating CMS structure\n"); 1017 goto end; 1018 } 1019 1020 ret = 4; 1021 if (operation == SMIME_DECRYPT) { 1022 if (flags & CMS_DEBUG_DECRYPT) 1023 CMS_decrypt(cms, NULL, NULL, NULL, NULL, flags); 1024 1025 if (secret_key) { 1026 if (!CMS_decrypt_set1_key(cms, 1027 secret_key, secret_keylen, 1028 secret_keyid, secret_keyidlen)) { 1029 BIO_puts(bio_err, "Error decrypting CMS using secret key\n"); 1030 goto end; 1031 } 1032 } 1033 1034 if (key) { 1035 if (!CMS_decrypt_set1_pkey(cms, key, recip)) { 1036 BIO_puts(bio_err, "Error decrypting CMS using private key\n"); 1037 goto end; 1038 } 1039 } 1040 1041 if (pwri_pass) { 1042 if (!CMS_decrypt_set1_password(cms, pwri_pass, -1)) { 1043 BIO_puts(bio_err, "Error decrypting CMS using password\n"); 1044 goto end; 1045 } 1046 } 1047 1048 if (!CMS_decrypt(cms, NULL, NULL, indata, out, flags)) { 1049 BIO_printf(bio_err, "Error decrypting CMS structure\n"); 1050 goto end; 1051 } 1052 } else if (operation == SMIME_DATAOUT) { 1053 if (!CMS_data(cms, out, flags)) 1054 goto end; 1055 } else if (operation == SMIME_UNCOMPRESS) { 1056 if (!CMS_uncompress(cms, indata, out, flags)) 1057 goto end; 1058 } else if (operation == SMIME_DIGEST_VERIFY) { 1059 if (CMS_digest_verify(cms, indata, out, flags) > 0) 1060 BIO_printf(bio_err, "Verification successful\n"); 1061 else { 1062 BIO_printf(bio_err, "Verification failure\n"); 1063 goto end; 1064 } 1065 } else if (operation == SMIME_ENCRYPTED_DECRYPT) { 1066 if (!CMS_EncryptedData_decrypt(cms, secret_key, secret_keylen, 1067 indata, out, flags)) 1068 goto end; 1069 } else if (operation == SMIME_VERIFY) { 1070 if (CMS_verify(cms, other, store, indata, out, flags) > 0) 1071 BIO_printf(bio_err, "Verification successful\n"); 1072 else { 1073 BIO_printf(bio_err, "Verification failure\n"); 1074 if (verify_retcode) 1075 ret = verify_err + 32; 1076 goto end; 1077 } 1078 if (signerfile) { 1079 STACK_OF(X509) *signers; 1080 signers = CMS_get0_signers(cms); 1081 if (!save_certs(signerfile, signers)) { 1082 BIO_printf(bio_err, 1083 "Error writing signers to %s\n", signerfile); 1084 ret = 5; 1085 goto end; 1086 } 1087 sk_X509_free(signers); 1088 } 1089 if (rr_print) 1090 receipt_request_print(bio_err, cms); 1091 1092 } else if (operation == SMIME_VERIFY_RECEIPT) { 1093 if (CMS_verify_receipt(rcms, cms, other, store, flags) > 0) 1094 BIO_printf(bio_err, "Verification successful\n"); 1095 else { 1096 BIO_printf(bio_err, "Verification failure\n"); 1097 goto end; 1098 } 1099 } else { 1100 if (noout) { 1101 if (print) 1102 CMS_ContentInfo_print_ctx(out, cms, 0, NULL); 1103 } else if (outformat == FORMAT_SMIME) { 1104 if (to) 1105 BIO_printf(out, "To: %s\n", to); 1106 if (from) 1107 BIO_printf(out, "From: %s\n", from); 1108 if (subject) 1109 BIO_printf(out, "Subject: %s\n", subject); 1110 if (operation == SMIME_RESIGN) 1111 ret = SMIME_write_CMS(out, cms, indata, flags); 1112 else 1113 ret = SMIME_write_CMS(out, cms, in, flags); 1114 } else if (outformat == FORMAT_PEM) 1115 ret = PEM_write_bio_CMS_stream(out, cms, in, flags); 1116 else if (outformat == FORMAT_ASN1) 1117 ret = i2d_CMS_bio_stream(out, cms, in, flags); 1118 else { 1119 BIO_printf(bio_err, "Bad output format for CMS file\n"); 1120 goto end; 1121 } 1122 if (ret <= 0) { 1123 ret = 6; 1124 goto end; 1125 } 1126 } 1127 ret = 0; 1128 end: 1129 if (ret) 1130 ERR_print_errors(bio_err); 1131 if (need_rand) 1132 app_RAND_write_file(NULL, bio_err); 1133 sk_X509_pop_free(encerts, X509_free); 1134 sk_X509_pop_free(other, X509_free); 1135 if (vpm) 1136 X509_VERIFY_PARAM_free(vpm); 1137 if (sksigners) 1138 sk_OPENSSL_STRING_free(sksigners); 1139 if (skkeys) 1140 sk_OPENSSL_STRING_free(skkeys); 1141 if (secret_key) 1142 OPENSSL_free(secret_key); 1143 if (secret_keyid) 1144 OPENSSL_free(secret_keyid); 1145 if (pwri_tmp) 1146 OPENSSL_free(pwri_tmp); 1147 if (econtent_type) 1148 ASN1_OBJECT_free(econtent_type); 1149 if (rr) 1150 CMS_ReceiptRequest_free(rr); 1151 if (rr_to) 1152 sk_OPENSSL_STRING_free(rr_to); 1153 if (rr_from) 1154 sk_OPENSSL_STRING_free(rr_from); 1155 for (key_param = key_first; key_param;) { 1156 cms_key_param *tparam; 1157 sk_OPENSSL_STRING_free(key_param->param); 1158 tparam = key_param->next; 1159 OPENSSL_free(key_param); 1160 key_param = tparam; 1161 } 1162 X509_STORE_free(store); 1163 X509_free(cert); 1164 X509_free(recip); 1165 X509_free(signer); 1166 EVP_PKEY_free(key); 1167 CMS_ContentInfo_free(cms); 1168 CMS_ContentInfo_free(rcms); 1169 release_engine(e); 1170 BIO_free(rctin); 1171 BIO_free(in); 1172 BIO_free(indata); 1173 BIO_free_all(out); 1174 if (passin) 1175 OPENSSL_free(passin); 1176 return (ret); 1177} 1178 1179static int save_certs(char *signerfile, STACK_OF(X509) *signers) 1180{ 1181 int i; 1182 BIO *tmp; 1183 if (!signerfile) 1184 return 1; 1185 tmp = BIO_new_file(signerfile, "w"); 1186 if (!tmp) 1187 return 0; 1188 for (i = 0; i < sk_X509_num(signers); i++) 1189 PEM_write_bio_X509(tmp, sk_X509_value(signers, i)); 1190 BIO_free(tmp); 1191 return 1; 1192} 1193 1194/* Minimal callback just to output policy info (if any) */ 1195 1196static int cms_cb(int ok, X509_STORE_CTX *ctx) 1197{ 1198 int error; 1199 1200 error = X509_STORE_CTX_get_error(ctx); 1201 1202 verify_err = error; 1203 1204 if ((error != X509_V_ERR_NO_EXPLICIT_POLICY) 1205 && ((error != X509_V_OK) || (ok != 2))) 1206 return ok; 1207 1208 policies_print(NULL, ctx); 1209 1210 return ok; 1211 1212} 1213 1214static void gnames_stack_print(BIO *out, STACK_OF(GENERAL_NAMES) *gns) 1215{ 1216 STACK_OF(GENERAL_NAME) *gens; 1217 GENERAL_NAME *gen; 1218 int i, j; 1219 for (i = 0; i < sk_GENERAL_NAMES_num(gns); i++) { 1220 gens = sk_GENERAL_NAMES_value(gns, i); 1221 for (j = 0; j < sk_GENERAL_NAME_num(gens); j++) { 1222 gen = sk_GENERAL_NAME_value(gens, j); 1223 BIO_puts(out, " "); 1224 GENERAL_NAME_print(out, gen); 1225 BIO_puts(out, "\n"); 1226 } 1227 } 1228 return; 1229} 1230 1231static void receipt_request_print(BIO *out, CMS_ContentInfo *cms) 1232{ 1233 STACK_OF(CMS_SignerInfo) *sis; 1234 CMS_SignerInfo *si; 1235 CMS_ReceiptRequest *rr; 1236 int allorfirst; 1237 STACK_OF(GENERAL_NAMES) *rto, *rlist; 1238 ASN1_STRING *scid; 1239 int i, rv; 1240 sis = CMS_get0_SignerInfos(cms); 1241 for (i = 0; i < sk_CMS_SignerInfo_num(sis); i++) { 1242 si = sk_CMS_SignerInfo_value(sis, i); 1243 rv = CMS_get1_ReceiptRequest(si, &rr); 1244 BIO_printf(bio_err, "Signer %d:\n", i + 1); 1245 if (rv == 0) 1246 BIO_puts(bio_err, " No Receipt Request\n"); 1247 else if (rv < 0) { 1248 BIO_puts(bio_err, " Receipt Request Parse Error\n"); 1249 ERR_print_errors(bio_err); 1250 } else { 1251 char *id; 1252 int idlen; 1253 CMS_ReceiptRequest_get0_values(rr, &scid, &allorfirst, 1254 &rlist, &rto); 1255 BIO_puts(out, " Signed Content ID:\n"); 1256 idlen = ASN1_STRING_length(scid); 1257 id = (char *)ASN1_STRING_data(scid); 1258 BIO_dump_indent(out, id, idlen, 4); 1259 BIO_puts(out, " Receipts From"); 1260 if (rlist) { 1261 BIO_puts(out, " List:\n"); 1262 gnames_stack_print(out, rlist); 1263 } else if (allorfirst == 1) 1264 BIO_puts(out, ": First Tier\n"); 1265 else if (allorfirst == 0) 1266 BIO_puts(out, ": All\n"); 1267 else 1268 BIO_printf(out, " Unknown (%d)\n", allorfirst); 1269 BIO_puts(out, " Receipts To:\n"); 1270 gnames_stack_print(out, rto); 1271 } 1272 if (rr) 1273 CMS_ReceiptRequest_free(rr); 1274 } 1275} 1276 1277static STACK_OF(GENERAL_NAMES) *make_names_stack(STACK_OF(OPENSSL_STRING) *ns) 1278{ 1279 int i; 1280 STACK_OF(GENERAL_NAMES) *ret; 1281 GENERAL_NAMES *gens = NULL; 1282 GENERAL_NAME *gen = NULL; 1283 ret = sk_GENERAL_NAMES_new_null(); 1284 if (!ret) 1285 goto err; 1286 for (i = 0; i < sk_OPENSSL_STRING_num(ns); i++) { 1287 char *str = sk_OPENSSL_STRING_value(ns, i); 1288 gen = a2i_GENERAL_NAME(NULL, NULL, NULL, GEN_EMAIL, str, 0); 1289 if (!gen) 1290 goto err; 1291 gens = GENERAL_NAMES_new(); 1292 if (!gens) 1293 goto err; 1294 if (!sk_GENERAL_NAME_push(gens, gen)) 1295 goto err; 1296 gen = NULL; 1297 if (!sk_GENERAL_NAMES_push(ret, gens)) 1298 goto err; 1299 gens = NULL; 1300 } 1301 1302 return ret; 1303 1304 err: 1305 if (ret) 1306 sk_GENERAL_NAMES_pop_free(ret, GENERAL_NAMES_free); 1307 if (gens) 1308 GENERAL_NAMES_free(gens); 1309 if (gen) 1310 GENERAL_NAME_free(gen); 1311 return NULL; 1312} 1313 1314static CMS_ReceiptRequest *make_receipt_request(STACK_OF(OPENSSL_STRING) 1315 *rr_to, int rr_allorfirst, STACK_OF(OPENSSL_STRING) 1316 *rr_from) 1317{ 1318 STACK_OF(GENERAL_NAMES) *rct_to, *rct_from; 1319 CMS_ReceiptRequest *rr; 1320 rct_to = make_names_stack(rr_to); 1321 if (!rct_to) 1322 goto err; 1323 if (rr_from) { 1324 rct_from = make_names_stack(rr_from); 1325 if (!rct_from) 1326 goto err; 1327 } else 1328 rct_from = NULL; 1329 rr = CMS_ReceiptRequest_create0(NULL, -1, rr_allorfirst, rct_from, 1330 rct_to); 1331 return rr; 1332 err: 1333 return NULL; 1334} 1335 1336static int cms_set_pkey_param(EVP_PKEY_CTX *pctx, 1337 STACK_OF(OPENSSL_STRING) *param) 1338{ 1339 char *keyopt; 1340 int i; 1341 if (sk_OPENSSL_STRING_num(param) <= 0) 1342 return 1; 1343 for (i = 0; i < sk_OPENSSL_STRING_num(param); i++) { 1344 keyopt = sk_OPENSSL_STRING_value(param, i); 1345 if (pkey_ctrl_string(pctx, keyopt) <= 0) { 1346 BIO_printf(bio_err, "parameter error \"%s\"\n", keyopt); 1347 ERR_print_errors(bio_err); 1348 return 0; 1349 } 1350 } 1351 return 1; 1352} 1353 1354#endif 1355