smime.c revision 59191 
1/* smime.c */
2/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
3 * project 1999.
4 */
5/* ====================================================================
6 * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 *    notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 *    notice, this list of conditions and the following disclaimer in
17 *    the documentation and/or other materials provided with the
18 *    distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 *    software must display the following acknowledgment:
22 *    "This product includes software developed by the OpenSSL Project
23 *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 *    endorse or promote products derived from this software without
27 *    prior written permission. For written permission, please contact
28 *    licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 *    nor may "OpenSSL" appear in their names without prior written
32 *    permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 *    acknowledgment:
36 *    "This product includes software developed by the OpenSSL Project
37 *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com).  This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59/* S/MIME utility function */
60
61#include <stdio.h>
62#include <string.h>
63#include "apps.h"
64#include <openssl/crypto.h>
65#include <openssl/pem.h>
66#include <openssl/err.h>
67
68#undef PROG
69#define PROG smime_main
70static X509 *load_cert(char *file);
71static EVP_PKEY *load_key(char *file, char *pass);
72static STACK_OF(X509) *load_certs(char *file);
73static X509_STORE *setup_verify(char *CAfile, char *CApath);
74static int save_certs(char *signerfile, STACK_OF(X509) *signers);
75
76#define SMIME_OP	0x10
77#define SMIME_ENCRYPT	(1 | SMIME_OP)
78#define SMIME_DECRYPT	2
79#define SMIME_SIGN	(3 | SMIME_OP)
80#define SMIME_VERIFY	4
81#define SMIME_PK7OUT	5
82
83int MAIN(int, char **);
84
85int MAIN(int argc, char **argv)
86{
87	int operation = 0;
88	int ret = 0;
89	char **args;
90	char *inmode = "r", *outmode = "w";
91	char *infile = NULL, *outfile = NULL;
92	char *signerfile = NULL, *recipfile = NULL;
93	char *certfile = NULL, *keyfile = NULL;
94	EVP_CIPHER *cipher = NULL;
95	PKCS7 *p7 = NULL;
96	X509_STORE *store = NULL;
97	X509 *cert = NULL, *recip = NULL, *signer = NULL;
98	EVP_PKEY *key = NULL;
99	STACK_OF(X509) *encerts = NULL, *other = NULL;
100	BIO *in = NULL, *out = NULL, *indata = NULL;
101	int badarg = 0;
102	int flags = PKCS7_DETACHED;
103	char *to = NULL, *from = NULL, *subject = NULL;
104	char *CAfile = NULL, *CApath = NULL;
105	char *passargin = NULL, *passin = NULL;
106	char *inrand = NULL;
107	int need_rand = 0;
108	args = argv + 1;
109
110	ret = 1;
111
112	while (!badarg && *args && *args[0] == '-') {
113		if (!strcmp (*args, "-encrypt")) operation = SMIME_ENCRYPT;
114		else if (!strcmp (*args, "-decrypt")) operation = SMIME_DECRYPT;
115		else if (!strcmp (*args, "-sign")) operation = SMIME_SIGN;
116		else if (!strcmp (*args, "-verify")) operation = SMIME_VERIFY;
117		else if (!strcmp (*args, "-pk7out")) operation = SMIME_PK7OUT;
118#ifndef NO_DES
119		else if (!strcmp (*args, "-des3"))
120				cipher = EVP_des_ede3_cbc();
121		else if (!strcmp (*args, "-des"))
122				cipher = EVP_des_cbc();
123#endif
124#ifndef NO_RC2
125		else if (!strcmp (*args, "-rc2-40"))
126				cipher = EVP_rc2_40_cbc();
127		else if (!strcmp (*args, "-rc2-128"))
128				cipher = EVP_rc2_cbc();
129		else if (!strcmp (*args, "-rc2-64"))
130				cipher = EVP_rc2_64_cbc();
131#endif
132		else if (!strcmp (*args, "-text"))
133				flags |= PKCS7_TEXT;
134		else if (!strcmp (*args, "-nointern"))
135				flags |= PKCS7_NOINTERN;
136		else if (!strcmp (*args, "-noverify"))
137				flags |= PKCS7_NOVERIFY;
138		else if (!strcmp (*args, "-nochain"))
139				flags |= PKCS7_NOCHAIN;
140		else if (!strcmp (*args, "-nocerts"))
141				flags |= PKCS7_NOCERTS;
142		else if (!strcmp (*args, "-noattr"))
143				flags |= PKCS7_NOATTR;
144		else if (!strcmp (*args, "-nodetach"))
145				flags &= ~PKCS7_DETACHED;
146		else if (!strcmp (*args, "-binary"))
147				flags |= PKCS7_BINARY;
148		else if (!strcmp (*args, "-nosigs"))
149				flags |= PKCS7_NOSIGS;
150		else if (!strcmp(*args,"-rand")) {
151			if (args[1]) {
152				args++;
153				inrand = *args;
154			} else badarg = 1;
155			need_rand = 1;
156		} else if (!strcmp(*args,"-passin")) {
157			if (args[1]) {
158				args++;
159				passargin = *args;
160			} else badarg = 1;
161		} else if (!strcmp (*args, "-to")) {
162			if (args[1]) {
163				args++;
164				to = *args;
165			} else badarg = 1;
166		} else if (!strcmp (*args, "-from")) {
167			if (args[1]) {
168				args++;
169				from = *args;
170			} else badarg = 1;
171		} else if (!strcmp (*args, "-subject")) {
172			if (args[1]) {
173				args++;
174				subject = *args;
175			} else badarg = 1;
176		} else if (!strcmp (*args, "-signer")) {
177			if (args[1]) {
178				args++;
179				signerfile = *args;
180			} else badarg = 1;
181		} else if (!strcmp (*args, "-recip")) {
182			if (args[1]) {
183				args++;
184				recipfile = *args;
185			} else badarg = 1;
186		} else if (!strcmp (*args, "-inkey")) {
187			if (args[1]) {
188				args++;
189				keyfile = *args;
190			} else badarg = 1;
191		} else if (!strcmp (*args, "-certfile")) {
192			if (args[1]) {
193				args++;
194				certfile = *args;
195			} else badarg = 1;
196		} else if (!strcmp (*args, "-CAfile")) {
197			if (args[1]) {
198				args++;
199				CAfile = *args;
200			} else badarg = 1;
201		} else if (!strcmp (*args, "-CApath")) {
202			if (args[1]) {
203				args++;
204				CApath = *args;
205			} else badarg = 1;
206		} else if (!strcmp (*args, "-in")) {
207			if (args[1]) {
208				args++;
209				infile = *args;
210			} else badarg = 1;
211		} else if (!strcmp (*args, "-out")) {
212			if (args[1]) {
213				args++;
214				outfile = *args;
215			} else badarg = 1;
216		} else badarg = 1;
217		args++;
218	}
219
220	if(operation == SMIME_SIGN) {
221		if(!signerfile) {
222			BIO_printf(bio_err, "No signer certificate specified\n");
223			badarg = 1;
224		}
225		need_rand = 1;
226	} else if(operation == SMIME_DECRYPT) {
227		if(!recipfile) {
228			BIO_printf(bio_err, "No recipient certificate and key specified\n");
229			badarg = 1;
230		}
231	} else if(operation == SMIME_ENCRYPT) {
232		if(!*args) {
233			BIO_printf(bio_err, "No recipient(s) certificate(s) specified\n");
234			badarg = 1;
235		}
236		need_rand = 1;
237	} else if(!operation) badarg = 1;
238
239	if (badarg) {
240		BIO_printf (bio_err, "Usage smime [options] cert.pem ...\n");
241		BIO_printf (bio_err, "where options are\n");
242		BIO_printf (bio_err, "-encrypt       encrypt message\n");
243		BIO_printf (bio_err, "-decrypt       decrypt encrypted message\n");
244		BIO_printf (bio_err, "-sign          sign message\n");
245		BIO_printf (bio_err, "-verify        verify signed message\n");
246		BIO_printf (bio_err, "-pk7out        output PKCS#7 structure\n");
247#ifndef NO_DES
248		BIO_printf (bio_err, "-des3          encrypt with triple DES\n");
249		BIO_printf (bio_err, "-des           encrypt with DES\n");
250#endif
251#ifndef NO_RC2
252		BIO_printf (bio_err, "-rc2-40        encrypt with RC2-40 (default)\n");
253		BIO_printf (bio_err, "-rc2-64        encrypt with RC2-64\n");
254		BIO_printf (bio_err, "-rc2-128       encrypt with RC2-128\n");
255#endif
256		BIO_printf (bio_err, "-nointern      don't search certificates in message for signer\n");
257		BIO_printf (bio_err, "-nosigs        don't verify message signature\n");
258		BIO_printf (bio_err, "-noverify      don't verify signers certificate\n");
259		BIO_printf (bio_err, "-nocerts       don't include signers certificate when signing\n");
260		BIO_printf (bio_err, "-nodetach      use opaque signing\n");
261		BIO_printf (bio_err, "-noattr        don't include any signed attributes\n");
262		BIO_printf (bio_err, "-binary        don't translate message to text\n");
263		BIO_printf (bio_err, "-certfile file other certificates file\n");
264		BIO_printf (bio_err, "-signer file   signer certificate file\n");
265		BIO_printf (bio_err, "-recip  file   recipient certificate file for decryption\n");
266		BIO_printf (bio_err, "-in file       input file\n");
267		BIO_printf (bio_err, "-inkey file    input private key (if not signer or recipient)\n");
268		BIO_printf (bio_err, "-out file      output file\n");
269		BIO_printf (bio_err, "-to addr       to address\n");
270		BIO_printf (bio_err, "-from ad       from address\n");
271		BIO_printf (bio_err, "-subject s     subject\n");
272		BIO_printf (bio_err, "-text          include or delete text MIME headers\n");
273		BIO_printf (bio_err, "-CApath dir    trusted certificates directory\n");
274		BIO_printf (bio_err, "-CAfile file   trusted certificates file\n");
275		BIO_printf(bio_err,  "-rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
276		BIO_printf(bio_err,  "               load the file (or the files in the directory) into\n");
277		BIO_printf(bio_err,  "               the random number generator\n");
278		BIO_printf (bio_err, "cert.pem       recipient certificate(s) for encryption\n");
279		goto end;
280	}
281
282	if(!app_passwd(bio_err, passargin, NULL, &passin, NULL)) {
283		BIO_printf(bio_err, "Error getting password\n");
284		goto end;
285	}
286
287	if (need_rand) {
288		app_RAND_load_file(NULL, bio_err, (inrand != NULL));
289		if (inrand != NULL)
290			BIO_printf(bio_err,"%ld semi-random bytes loaded\n",
291				app_RAND_load_files(inrand));
292	}
293
294	ret = 2;
295
296	if(operation != SMIME_SIGN) flags &= ~PKCS7_DETACHED;
297
298	if(flags & PKCS7_BINARY) {
299		if(operation & SMIME_OP) inmode = "rb";
300		else outmode = "rb";
301	}
302
303	if(operation == SMIME_ENCRYPT) {
304		if (!cipher) {
305#ifndef NO_RC2
306			cipher = EVP_rc2_40_cbc();
307#else
308			BIO_printf(bio_err, "No cipher selected\n");
309			goto end;
310#endif
311		}
312		encerts = sk_X509_new_null();
313		while (*args) {
314			if(!(cert = load_cert(*args))) {
315				BIO_printf(bio_err, "Can't read recipient certificate file %s\n", *args);
316				goto end;
317			}
318			sk_X509_push(encerts, cert);
319			cert = NULL;
320			args++;
321		}
322	}
323
324	if(signerfile && (operation == SMIME_SIGN)) {
325		if(!(signer = load_cert(signerfile))) {
326			BIO_printf(bio_err, "Can't read signer certificate file %s\n", signerfile);
327			goto end;
328		}
329	}
330
331	if(certfile) {
332		if(!(other = load_certs(certfile))) {
333			BIO_printf(bio_err, "Can't read certificate file %s\n", certfile);
334			ERR_print_errors(bio_err);
335			goto end;
336		}
337	}
338
339	if(recipfile && (operation == SMIME_DECRYPT)) {
340		if(!(recip = load_cert(recipfile))) {
341			BIO_printf(bio_err, "Can't read recipient certificate file %s\n", recipfile);
342			ERR_print_errors(bio_err);
343			goto end;
344		}
345	}
346
347	if(operation == SMIME_DECRYPT) {
348		if(!keyfile) keyfile = recipfile;
349	} else if(operation == SMIME_SIGN) {
350		if(!keyfile) keyfile = signerfile;
351	} else keyfile = NULL;
352
353	if(keyfile) {
354		if(!(key = load_key(keyfile, passin))) {
355			BIO_printf(bio_err, "Can't read recipient certificate file %s\n", keyfile);
356			ERR_print_errors(bio_err);
357			goto end;
358		}
359	}
360
361	if (infile) {
362		if (!(in = BIO_new_file(infile, inmode))) {
363			BIO_printf (bio_err,
364				 "Can't open input file %s\n", infile);
365			goto end;
366		}
367	} else in = BIO_new_fp(stdin, BIO_NOCLOSE);
368
369	if (outfile) {
370		if (!(out = BIO_new_file(outfile, outmode))) {
371			BIO_printf (bio_err,
372				 "Can't open output file %s\n", outfile);
373			goto end;
374		}
375	} else out = BIO_new_fp(stdout, BIO_NOCLOSE);
376
377	if(operation == SMIME_VERIFY) {
378		if(!(store = setup_verify(CAfile, CApath))) goto end;
379	}
380
381	ret = 3;
382
383	if(operation == SMIME_ENCRYPT) {
384		p7 = PKCS7_encrypt(encerts, in, cipher, flags);
385	} else if(operation == SMIME_SIGN) {
386		p7 = PKCS7_sign(signer, key, other, in, flags);
387		BIO_reset(in);
388	} else {
389		if(!(p7 = SMIME_read_PKCS7(in, &indata))) {
390			BIO_printf(bio_err, "Error reading S/MIME message\n");
391			goto end;
392		}
393	}
394
395	if(!p7) {
396		BIO_printf(bio_err, "Error creating PKCS#7 structure\n");
397		goto end;
398	}
399
400	ret = 4;
401	if(operation == SMIME_DECRYPT) {
402		if(!PKCS7_decrypt(p7, key, recip, out, flags)) {
403			BIO_printf(bio_err, "Error decrypting PKCS#7 structure\n");
404			goto end;
405		}
406	} else if(operation == SMIME_VERIFY) {
407		STACK_OF(X509) *signers;
408		if(PKCS7_verify(p7, other, store, indata, out, flags)) {
409			BIO_printf(bio_err, "Verification Successful\n");
410		} else {
411			BIO_printf(bio_err, "Verification Failure\n");
412			goto end;
413		}
414		signers = PKCS7_get0_signers(p7, other, flags);
415		if(!save_certs(signerfile, signers)) {
416			BIO_printf(bio_err, "Error writing signers to %s\n",
417								signerfile);
418			ret = 5;
419			goto end;
420		}
421		sk_X509_free(signers);
422	} else if(operation == SMIME_PK7OUT) {
423		PEM_write_bio_PKCS7(out, p7);
424	} else {
425		if(to) BIO_printf(out, "To: %s\n", to);
426		if(from) BIO_printf(out, "From: %s\n", from);
427		if(subject) BIO_printf(out, "Subject: %s\n", subject);
428		SMIME_write_PKCS7(out, p7, in, flags);
429	}
430	ret = 0;
431end:
432	if (need_rand)
433		app_RAND_write_file(NULL, bio_err);
434	if(ret) ERR_print_errors(bio_err);
435	sk_X509_pop_free(encerts, X509_free);
436	sk_X509_pop_free(other, X509_free);
437	X509_STORE_free(store);
438	X509_free(cert);
439	X509_free(recip);
440	X509_free(signer);
441	EVP_PKEY_free(key);
442	PKCS7_free(p7);
443	BIO_free(in);
444	BIO_free(indata);
445	BIO_free(out);
446	if(passin) Free(passin);
447	return (ret);
448}
449
450static X509 *load_cert(char *file)
451{
452	BIO *in;
453	X509 *cert;
454	if(!(in = BIO_new_file(file, "r"))) return NULL;
455	cert = PEM_read_bio_X509(in, NULL, NULL,NULL);
456	BIO_free(in);
457	return cert;
458}
459
460static EVP_PKEY *load_key(char *file, char *pass)
461{
462	BIO *in;
463	EVP_PKEY *key;
464	if(!(in = BIO_new_file(file, "r"))) return NULL;
465	key = PEM_read_bio_PrivateKey(in, NULL,NULL,pass);
466	BIO_free(in);
467	return key;
468}
469
470static STACK_OF(X509) *load_certs(char *file)
471{
472	BIO *in;
473	int i;
474	STACK_OF(X509) *othercerts;
475	STACK_OF(X509_INFO) *allcerts;
476	X509_INFO *xi;
477	if(!(in = BIO_new_file(file, "r"))) return NULL;
478	othercerts = sk_X509_new(NULL);
479	if(!othercerts) return NULL;
480	allcerts = PEM_X509_INFO_read_bio(in, NULL, NULL, NULL);
481	for(i = 0; i < sk_X509_INFO_num(allcerts); i++) {
482		xi = sk_X509_INFO_value (allcerts, i);
483		if (xi->x509) {
484			sk_X509_push(othercerts, xi->x509);
485			xi->x509 = NULL;
486		}
487	}
488	sk_X509_INFO_pop_free(allcerts, X509_INFO_free);
489	BIO_free(in);
490	return othercerts;
491}
492
493static X509_STORE *setup_verify(char *CAfile, char *CApath)
494{
495	X509_STORE *store;
496	X509_LOOKUP *lookup;
497	if(!(store = X509_STORE_new())) goto end;
498	lookup=X509_STORE_add_lookup(store,X509_LOOKUP_file());
499	if (lookup == NULL) goto end;
500	if (CAfile) {
501		if(!X509_LOOKUP_load_file(lookup,CAfile,X509_FILETYPE_PEM)) {
502			BIO_printf(bio_err, "Error loading file %s\n", CAfile);
503			goto end;
504		}
505	} else X509_LOOKUP_load_file(lookup,NULL,X509_FILETYPE_DEFAULT);
506
507	lookup=X509_STORE_add_lookup(store,X509_LOOKUP_hash_dir());
508	if (lookup == NULL) goto end;
509	if (CApath) {
510		if(!X509_LOOKUP_add_dir(lookup,CApath,X509_FILETYPE_PEM)) {
511			BIO_printf(bio_err, "Error loading directory %s\n", CApath);
512			goto end;
513		}
514	} else X509_LOOKUP_add_dir(lookup,NULL,X509_FILETYPE_DEFAULT);
515
516	ERR_clear_error();
517	return store;
518	end:
519	X509_STORE_free(store);
520	return NULL;
521}
522
523static int save_certs(char *signerfile, STACK_OF(X509) *signers)
524{
525	int i;
526	BIO *tmp;
527	if(!signerfile) return 1;
528	tmp = BIO_new_file(signerfile, "w");
529	if(!tmp) return 0;
530	for(i = 0; i < sk_X509_num(signers); i++)
531		PEM_write_bio_X509(tmp, sk_X509_value(signers, i));
532	BIO_free(tmp);
533	return 1;
534}
535
536