1 |
/* apps/cms.c */ |
2 |
/* |
3 |
* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL |
4 |
* project. |
5 |
*/ |
6 |
/* ==================================================================== |
7 |
* Copyright (c) 2008 The OpenSSL Project. All rights reserved. |
8 |
* |
9 |
* Redistribution and use in source and binary forms, with or without |
10 |
* modification, are permitted provided that the following conditions |
11 |
* are met: |
12 |
* |
13 |
* 1. Redistributions of source code must retain the above copyright |
14 |
* notice, this list of conditions and the following disclaimer. |
15 |
* |
16 |
* 2. Redistributions in binary form must reproduce the above copyright |
17 |
* notice, this list of conditions and the following disclaimer in |
18 |
* the documentation and/or other materials provided with the |
19 |
* distribution. |
20 |
* |
21 |
* 3. All advertising materials mentioning features or use of this |
22 |
* software must display the following acknowledgment: |
23 |
* "This product includes software developed by the OpenSSL Project |
24 |
* for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" |
25 |
* |
26 |
* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to |
27 |
* endorse or promote products derived from this software without |
28 |
* prior written permission. For written permission, please contact |
29 |
* licensing@OpenSSL.org. |
30 |
* |
31 |
* 5. Products derived from this software may not be called "OpenSSL" |
32 |
* nor may "OpenSSL" appear in their names without prior written |
33 |
* permission of the OpenSSL Project. |
34 |
* |
35 |
* 6. Redistributions of any form whatsoever must retain the following |
36 |
* acknowledgment: |
37 |
* "This product includes software developed by the OpenSSL Project |
38 |
* for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" |
39 |
* |
40 |
* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY |
41 |
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
42 |
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR |
43 |
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR |
44 |
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, |
45 |
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT |
46 |
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; |
47 |
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
48 |
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, |
49 |
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) |
50 |
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED |
51 |
* OF THE POSSIBILITY OF SUCH DAMAGE. |
52 |
* ==================================================================== |
53 |
*/ |
54 |
|
55 |
/* CMS utility function */ |
56 |
|
57 |
#include <stdio.h> |
58 |
#include <string.h> |
59 |
#include "apps.h" |
60 |
|
61 |
#ifndef OPENSSL_NO_CMS |
62 |
|
63 |
# include <openssl/crypto.h> |
64 |
# include <openssl/pem.h> |
65 |
# include <openssl/err.h> |
66 |
# include <openssl/x509_vfy.h> |
67 |
# include <openssl/x509v3.h> |
68 |
# include <openssl/cms.h> |
69 |
|
70 |
# undef PROG |
71 |
# define PROG cms_main |
72 |
static int save_certs(char *signerfile, STACK_OF(X509) *signers); |
73 |
static int cms_cb(int ok, X509_STORE_CTX *ctx); |
74 |
static void receipt_request_print(BIO *out, CMS_ContentInfo *cms); |
75 |
static CMS_ReceiptRequest *make_receipt_request(STACK * rr_to, |
76 |
int rr_allorfirst, |
77 |
STACK * rr_from); |
78 |
|
79 |
# define SMIME_OP 0x10 |
80 |
# define SMIME_IP 0x20 |
81 |
# define SMIME_SIGNERS 0x40 |
82 |
# define SMIME_ENCRYPT (1 | SMIME_OP) |
83 |
# define SMIME_DECRYPT (2 | SMIME_IP) |
84 |
# define SMIME_SIGN (3 | SMIME_OP | SMIME_SIGNERS) |
85 |
# define SMIME_VERIFY (4 | SMIME_IP) |
86 |
# define SMIME_CMSOUT (5 | SMIME_IP | SMIME_OP) |
87 |
# define SMIME_RESIGN (6 | SMIME_IP | SMIME_OP | SMIME_SIGNERS) |
88 |
# define SMIME_DATAOUT (7 | SMIME_IP) |
89 |
# define SMIME_DATA_CREATE (8 | SMIME_OP) |
90 |
# define SMIME_DIGEST_VERIFY (9 | SMIME_IP) |
91 |
# define SMIME_DIGEST_CREATE (10 | SMIME_OP) |
92 |
# define SMIME_UNCOMPRESS (11 | SMIME_IP) |
93 |
# define SMIME_COMPRESS (12 | SMIME_OP) |
94 |
# define SMIME_ENCRYPTED_DECRYPT (13 | SMIME_IP) |
95 |
# define SMIME_ENCRYPTED_ENCRYPT (14 | SMIME_OP) |
96 |
# define SMIME_SIGN_RECEIPT (15 | SMIME_IP | SMIME_OP) |
97 |
# define SMIME_VERIFY_RECEIPT (16 | SMIME_IP) |
98 |
|
99 |
int MAIN(int, char **); |
100 |
|
101 |
int MAIN(int argc, char **argv) |
102 |
{ |
103 |
ENGINE *e = NULL; |
104 |
int operation = 0; |
105 |
int ret = 0; |
106 |
char **args; |
107 |
const char *inmode = "r", *outmode = "w"; |
108 |
char *infile = NULL, *outfile = NULL, *rctfile = NULL; |
109 |
char *signerfile = NULL, *recipfile = NULL; |
110 |
STACK *sksigners = NULL, *skkeys = NULL; |
111 |
char *certfile = NULL, *keyfile = NULL, *contfile = NULL; |
112 |
char *certsoutfile = NULL; |
113 |
const EVP_CIPHER *cipher = NULL; |
114 |
CMS_ContentInfo *cms = NULL, *rcms = NULL; |
115 |
X509_STORE *store = NULL; |
116 |
X509 *cert = NULL, *recip = NULL, *signer = NULL; |
117 |
EVP_PKEY *key = NULL; |
118 |
STACK_OF(X509) *encerts = NULL, *other = NULL; |
119 |
BIO *in = NULL, *out = NULL, *indata = NULL, *rctin = NULL; |
120 |
int badarg = 0; |
121 |
int flags = CMS_DETACHED; |
122 |
int rr_print = 0, rr_allorfirst = -1; |
123 |
STACK *rr_to = NULL, *rr_from = NULL; |
124 |
CMS_ReceiptRequest *rr = NULL; |
125 |
char *to = NULL, *from = NULL, *subject = NULL; |
126 |
char *CAfile = NULL, *CApath = NULL; |
127 |
char *passargin = NULL, *passin = NULL; |
128 |
char *inrand = NULL; |
129 |
int need_rand = 0; |
130 |
const EVP_MD *sign_md = NULL; |
131 |
int informat = FORMAT_SMIME, outformat = FORMAT_SMIME; |
132 |
int rctformat = FORMAT_SMIME, keyform = FORMAT_PEM; |
133 |
# ifndef OPENSSL_NO_ENGINE |
134 |
char *engine = NULL; |
135 |
# endif |
136 |
unsigned char *secret_key = NULL, *secret_keyid = NULL; |
137 |
size_t secret_keylen = 0, secret_keyidlen = 0; |
138 |
|
139 |
ASN1_OBJECT *econtent_type = NULL; |
140 |
|
141 |
X509_VERIFY_PARAM *vpm = NULL; |
142 |
|
143 |
args = argv + 1; |
144 |
ret = 1; |
145 |
|
146 |
apps_startup(); |
147 |
|
148 |
if (bio_err == NULL) { |
149 |
if ((bio_err = BIO_new(BIO_s_file())) != NULL) |
150 |
BIO_set_fp(bio_err, stderr, BIO_NOCLOSE | BIO_FP_TEXT); |
151 |
} |
152 |
|
153 |
if (!load_config(bio_err, NULL)) |
154 |
goto end; |
155 |
|
156 |
while (!badarg && *args && *args[0] == '-') { |
157 |
if (!strcmp(*args, "-encrypt")) |
158 |
operation = SMIME_ENCRYPT; |
159 |
else if (!strcmp(*args, "-decrypt")) |
160 |
operation = SMIME_DECRYPT; |
161 |
else if (!strcmp(*args, "-sign")) |
162 |
operation = SMIME_SIGN; |
163 |
else if (!strcmp(*args, "-sign_receipt")) |
164 |
operation = SMIME_SIGN_RECEIPT; |
165 |
else if (!strcmp(*args, "-resign")) |
166 |
operation = SMIME_RESIGN; |
167 |
else if (!strcmp(*args, "-verify")) |
168 |
operation = SMIME_VERIFY; |
169 |
else if (!strcmp(*args, "-verify_receipt")) { |
170 |
operation = SMIME_VERIFY_RECEIPT; |
171 |
if (!args[1]) |
172 |
goto argerr; |
173 |
args++; |
174 |
rctfile = *args; |
175 |
} else if (!strcmp(*args, "-cmsout")) |
176 |
operation = SMIME_CMSOUT; |
177 |
else if (!strcmp(*args, "-data_out")) |
178 |
operation = SMIME_DATAOUT; |
179 |
else if (!strcmp(*args, "-data_create")) |
180 |
operation = SMIME_DATA_CREATE; |
181 |
else if (!strcmp(*args, "-digest_verify")) |
182 |
operation = SMIME_DIGEST_VERIFY; |
183 |
else if (!strcmp(*args, "-digest_create")) |
184 |
operation = SMIME_DIGEST_CREATE; |
185 |
else if (!strcmp(*args, "-compress")) |
186 |
operation = SMIME_COMPRESS; |
187 |
else if (!strcmp(*args, "-uncompress")) |
188 |
operation = SMIME_UNCOMPRESS; |
189 |
else if (!strcmp(*args, "-EncryptedData_decrypt")) |
190 |
operation = SMIME_ENCRYPTED_DECRYPT; |
191 |
else if (!strcmp(*args, "-EncryptedData_encrypt")) |
192 |
operation = SMIME_ENCRYPTED_ENCRYPT; |
193 |
# ifndef OPENSSL_NO_DES |
194 |
else if (!strcmp(*args, "-des3")) |
195 |
cipher = EVP_des_ede3_cbc(); |
196 |
else if (!strcmp(*args, "-des")) |
197 |
cipher = EVP_des_cbc(); |
198 |
# endif |
199 |
# ifndef OPENSSL_NO_SEED |
200 |
else if (!strcmp(*args, "-seed")) |
201 |
cipher = EVP_seed_cbc(); |
202 |
# endif |
203 |
# ifndef OPENSSL_NO_RC2 |
204 |
else if (!strcmp(*args, "-rc2-40")) |
205 |
cipher = EVP_rc2_40_cbc(); |
206 |
else if (!strcmp(*args, "-rc2-128")) |
207 |
cipher = EVP_rc2_cbc(); |
208 |
else if (!strcmp(*args, "-rc2-64")) |
209 |
cipher = EVP_rc2_64_cbc(); |
210 |
# endif |
211 |
# ifndef OPENSSL_NO_AES |
212 |
else if (!strcmp(*args, "-aes128")) |
213 |
cipher = EVP_aes_128_cbc(); |
214 |
else if (!strcmp(*args, "-aes192")) |
215 |
cipher = EVP_aes_192_cbc(); |
216 |
else if (!strcmp(*args, "-aes256")) |
217 |
cipher = EVP_aes_256_cbc(); |
218 |
# endif |
219 |
# ifndef OPENSSL_NO_CAMELLIA |
220 |
else if (!strcmp(*args, "-camellia128")) |
221 |
cipher = EVP_camellia_128_cbc(); |
222 |
else if (!strcmp(*args, "-camellia192")) |
223 |
cipher = EVP_camellia_192_cbc(); |
224 |
else if (!strcmp(*args, "-camellia256")) |
225 |
cipher = EVP_camellia_256_cbc(); |
226 |
# endif |
227 |
else if (!strcmp(*args, "-debug_decrypt")) |
228 |
flags |= CMS_DEBUG_DECRYPT; |
229 |
else if (!strcmp(*args, "-text")) |
230 |
flags |= CMS_TEXT; |
231 |
else if (!strcmp(*args, "-nointern")) |
232 |
flags |= CMS_NOINTERN; |
233 |
else if (!strcmp(*args, "-noverify") |
234 |
|| !strcmp(*args, "-no_signer_cert_verify")) |
235 |
flags |= CMS_NO_SIGNER_CERT_VERIFY; |
236 |
else if (!strcmp(*args, "-nocerts")) |
237 |
flags |= CMS_NOCERTS; |
238 |
else if (!strcmp(*args, "-noattr")) |
239 |
flags |= CMS_NOATTR; |
240 |
else if (!strcmp(*args, "-nodetach")) |
241 |
flags &= ~CMS_DETACHED; |
242 |
else if (!strcmp(*args, "-nosmimecap")) |
243 |
flags |= CMS_NOSMIMECAP; |
244 |
else if (!strcmp(*args, "-binary")) |
245 |
flags |= CMS_BINARY; |
246 |
else if (!strcmp(*args, "-keyid")) |
247 |
flags |= CMS_USE_KEYID; |
248 |
else if (!strcmp(*args, "-nosigs")) |
249 |
flags |= CMS_NOSIGS; |
250 |
else if (!strcmp(*args, "-no_content_verify")) |
251 |
flags |= CMS_NO_CONTENT_VERIFY; |
252 |
else if (!strcmp(*args, "-no_attr_verify")) |
253 |
flags |= CMS_NO_ATTR_VERIFY; |
254 |
else if (!strcmp(*args, "-stream")) { |
255 |
args++; |
256 |
continue; |
257 |
} else if (!strcmp(*args, "-indef")) { |
258 |
args++; |
259 |
continue; |
260 |
} else if (!strcmp(*args, "-noindef")) |
261 |
flags &= ~CMS_STREAM; |
262 |
else if (!strcmp(*args, "-nooldmime")) |
263 |
flags |= CMS_NOOLDMIMETYPE; |
264 |
else if (!strcmp(*args, "-crlfeol")) |
265 |
flags |= CMS_CRLFEOL; |
266 |
else if (!strcmp(*args, "-receipt_request_print")) |
267 |
rr_print = 1; |
268 |
else if (!strcmp(*args, "-receipt_request_all")) |
269 |
rr_allorfirst = 0; |
270 |
else if (!strcmp(*args, "-receipt_request_first")) |
271 |
rr_allorfirst = 1; |
272 |
else if (!strcmp(*args, "-receipt_request_from")) { |
273 |
if (!args[1]) |
274 |
goto argerr; |
275 |
args++; |
276 |
if (!rr_from) |
277 |
rr_from = sk_new_null(); |
278 |
sk_push(rr_from, *args); |
279 |
} else if (!strcmp(*args, "-receipt_request_to")) { |
280 |
if (!args[1]) |
281 |
goto argerr; |
282 |
args++; |
283 |
if (!rr_to) |
284 |
rr_to = sk_new_null(); |
285 |
sk_push(rr_to, *args); |
286 |
} else if (!strcmp(*args, "-secretkey")) { |
287 |
long ltmp; |
288 |
if (!args[1]) |
289 |
goto argerr; |
290 |
args++; |
291 |
secret_key = string_to_hex(*args, <mp); |
292 |
if (!secret_key) { |
293 |
BIO_printf(bio_err, "Invalid key %s\n", *args); |
294 |
goto argerr; |
295 |
} |
296 |
secret_keylen = (size_t)ltmp; |
297 |
} else if (!strcmp(*args, "-secretkeyid")) { |
298 |
long ltmp; |
299 |
if (!args[1]) |
300 |
goto argerr; |
301 |
args++; |
302 |
secret_keyid = string_to_hex(*args, <mp); |
303 |
if (!secret_keyid) { |
304 |
BIO_printf(bio_err, "Invalid id %s\n", *args); |
305 |
goto argerr; |
306 |
} |
307 |
secret_keyidlen = (size_t)ltmp; |
308 |
} else if (!strcmp(*args, "-econtent_type")) { |
309 |
if (!args[1]) |
310 |
goto argerr; |
311 |
args++; |
312 |
econtent_type = OBJ_txt2obj(*args, 0); |
313 |
if (!econtent_type) { |
314 |
BIO_printf(bio_err, "Invalid OID %s\n", *args); |
315 |
goto argerr; |
316 |
} |
317 |
} else if (!strcmp(*args, "-rand")) { |
318 |
if (!args[1]) |
319 |
goto argerr; |
320 |
args++; |
321 |
inrand = *args; |
322 |
need_rand = 1; |
323 |
} |
324 |
# ifndef OPENSSL_NO_ENGINE |
325 |
else if (!strcmp(*args, "-engine")) { |
326 |
if (!args[1]) |
327 |
goto argerr; |
328 |
engine = *++args; |
329 |
} |
330 |
# endif |
331 |
else if (!strcmp(*args, "-passin")) { |
332 |
if (!args[1]) |
333 |
goto argerr; |
334 |
passargin = *++args; |
335 |
} else if (!strcmp(*args, "-to")) { |
336 |
if (!args[1]) |
337 |
goto argerr; |
338 |
to = *++args; |
339 |
} else if (!strcmp(*args, "-from")) { |
340 |
if (!args[1]) |
341 |
goto argerr; |
342 |
from = *++args; |
343 |
} else if (!strcmp(*args, "-subject")) { |
344 |
if (!args[1]) |
345 |
goto argerr; |
346 |
subject = *++args; |
347 |
} else if (!strcmp(*args, "-signer")) { |
348 |
if (!args[1]) |
349 |
goto argerr; |
350 |
/* If previous -signer argument add signer to list */ |
351 |
|
352 |
if (signerfile) { |
353 |
if (!sksigners) |
354 |
sksigners = sk_new_null(); |
355 |
sk_push(sksigners, signerfile); |
356 |
if (!keyfile) |
357 |
keyfile = signerfile; |
358 |
if (!skkeys) |
359 |
skkeys = sk_new_null(); |
360 |
sk_push(skkeys, keyfile); |
361 |
keyfile = NULL; |
362 |
} |
363 |
signerfile = *++args; |
364 |
} else if (!strcmp(*args, "-recip")) { |
365 |
if (!args[1]) |
366 |
goto argerr; |
367 |
recipfile = *++args; |
368 |
} else if (!strcmp(*args, "-certsout")) { |
369 |
if (!args[1]) |
370 |
goto argerr; |
371 |
certsoutfile = *++args; |
372 |
} else if (!strcmp(*args, "-md")) { |
373 |
if (!args[1]) |
374 |
goto argerr; |
375 |
sign_md = EVP_get_digestbyname(*++args); |
376 |
if (sign_md == NULL) { |
377 |
BIO_printf(bio_err, "Unknown digest %s\n", *args); |
378 |
goto argerr; |
379 |
} |
380 |
} else if (!strcmp(*args, "-inkey")) { |
381 |
if (!args[1]) |
382 |
goto argerr; |
383 |
/* If previous -inkey arument add signer to list */ |
384 |
if (keyfile) { |
385 |
if (!signerfile) { |
386 |
BIO_puts(bio_err, "Illegal -inkey without -signer\n"); |
387 |
goto argerr; |
388 |
} |
389 |
if (!sksigners) |
390 |
sksigners = sk_new_null(); |
391 |
sk_push(sksigners, signerfile); |
392 |
signerfile = NULL; |
393 |
if (!skkeys) |
394 |
skkeys = sk_new_null(); |
395 |
sk_push(skkeys, keyfile); |
396 |
} |
397 |
keyfile = *++args; |
398 |
} else if (!strcmp(*args, "-keyform")) { |
399 |
if (!args[1]) |
400 |
goto argerr; |
401 |
keyform = str2fmt(*++args); |
402 |
} else if (!strcmp(*args, "-rctform")) { |
403 |
if (!args[1]) |
404 |
goto argerr; |
405 |
rctformat = str2fmt(*++args); |
406 |
} else if (!strcmp(*args, "-certfile")) { |
407 |
if (!args[1]) |
408 |
goto argerr; |
409 |
certfile = *++args; |
410 |
} else if (!strcmp(*args, "-CAfile")) { |
411 |
if (!args[1]) |
412 |
goto argerr; |
413 |
CAfile = *++args; |
414 |
} else if (!strcmp(*args, "-CApath")) { |
415 |
if (!args[1]) |
416 |
goto argerr; |
417 |
CApath = *++args; |
418 |
} else if (!strcmp(*args, "-in")) { |
419 |
if (!args[1]) |
420 |
goto argerr; |
421 |
infile = *++args; |
422 |
} else if (!strcmp(*args, "-inform")) { |
423 |
if (!args[1]) |
424 |
goto argerr; |
425 |
informat = str2fmt(*++args); |
426 |
} else if (!strcmp(*args, "-outform")) { |
427 |
if (!args[1]) |
428 |
goto argerr; |
429 |
outformat = str2fmt(*++args); |
430 |
} else if (!strcmp(*args, "-out")) { |
431 |
if (!args[1]) |
432 |
goto argerr; |
433 |
outfile = *++args; |
434 |
} else if (!strcmp(*args, "-content")) { |
435 |
if (!args[1]) |
436 |
goto argerr; |
437 |
contfile = *++args; |
438 |
} else if (args_verify(&args, NULL, &badarg, bio_err, &vpm)) |
439 |
continue; |
440 |
else if ((cipher = EVP_get_cipherbyname(*args + 1)) == NULL) |
441 |
badarg = 1; |
442 |
args++; |
443 |
} |
444 |
|
445 |
if (((rr_allorfirst != -1) || rr_from) && !rr_to) { |
446 |
BIO_puts(bio_err, "No Signed Receipts Recipients\n"); |
447 |
goto argerr; |
448 |
} |
449 |
|
450 |
if (!(operation & SMIME_SIGNERS) && (rr_to || rr_from)) { |
451 |
BIO_puts(bio_err, "Signed receipts only allowed with -sign\n"); |
452 |
goto argerr; |
453 |
} |
454 |
if (!(operation & SMIME_SIGNERS) && (skkeys || sksigners)) { |
455 |
BIO_puts(bio_err, "Multiple signers or keys not allowed\n"); |
456 |
goto argerr; |
457 |
} |
458 |
|
459 |
if (operation & SMIME_SIGNERS) { |
460 |
if (keyfile && !signerfile) { |
461 |
BIO_puts(bio_err, "Illegal -inkey without -signer\n"); |
462 |
goto argerr; |
463 |
} |
464 |
/* Check to see if any final signer needs to be appended */ |
465 |
if (signerfile) { |
466 |
if (!sksigners) |
467 |
sksigners = sk_new_null(); |
468 |
sk_push(sksigners, signerfile); |
469 |
if (!skkeys) |
470 |
skkeys = sk_new_null(); |
471 |
if (!keyfile) |
472 |
keyfile = signerfile; |
473 |
sk_push(skkeys, keyfile); |
474 |
} |
475 |
if (!sksigners) { |
476 |
BIO_printf(bio_err, "No signer certificate specified\n"); |
477 |
badarg = 1; |
478 |
} |
479 |
signerfile = NULL; |
480 |
keyfile = NULL; |
481 |
need_rand = 1; |
482 |
} |
483 |
|
484 |
else if (operation == SMIME_DECRYPT) { |
485 |
if (!recipfile && !keyfile && !secret_key) { |
486 |
BIO_printf(bio_err, |
487 |
"No recipient certificate or key specified\n"); |
488 |
badarg = 1; |
489 |
} |
490 |
} else if (operation == SMIME_ENCRYPT) { |
491 |
if (!*args && !secret_key) { |
492 |
BIO_printf(bio_err, "No recipient(s) certificate(s) specified\n"); |
493 |
badarg = 1; |
494 |
} |
495 |
need_rand = 1; |
496 |
} else if (!operation) |
497 |
badarg = 1; |
498 |
|
499 |
if (badarg) { |
500 |
argerr: |
501 |
BIO_printf(bio_err, "Usage cms [options] cert.pem ...\n"); |
502 |
BIO_printf(bio_err, "where options are\n"); |
503 |
BIO_printf(bio_err, "-encrypt encrypt message\n"); |
504 |
BIO_printf(bio_err, "-decrypt decrypt encrypted message\n"); |
505 |
BIO_printf(bio_err, "-sign sign message\n"); |
506 |
BIO_printf(bio_err, "-verify verify signed message\n"); |
507 |
BIO_printf(bio_err, "-cmsout output CMS structure\n"); |
508 |
# ifndef OPENSSL_NO_DES |
509 |
BIO_printf(bio_err, "-des3 encrypt with triple DES\n"); |
510 |
BIO_printf(bio_err, "-des encrypt with DES\n"); |
511 |
# endif |
512 |
# ifndef OPENSSL_NO_SEED |
513 |
BIO_printf(bio_err, "-seed encrypt with SEED\n"); |
514 |
# endif |
515 |
# ifndef OPENSSL_NO_RC2 |
516 |
BIO_printf(bio_err, "-rc2-40 encrypt with RC2-40 (default)\n"); |
517 |
BIO_printf(bio_err, "-rc2-64 encrypt with RC2-64\n"); |
518 |
BIO_printf(bio_err, "-rc2-128 encrypt with RC2-128\n"); |
519 |
# endif |
520 |
# ifndef OPENSSL_NO_AES |
521 |
BIO_printf(bio_err, "-aes128, -aes192, -aes256\n"); |
522 |
BIO_printf(bio_err, |
523 |
" encrypt PEM output with cbc aes\n"); |
524 |
# endif |
525 |
# ifndef OPENSSL_NO_CAMELLIA |
526 |
BIO_printf(bio_err, "-camellia128, -camellia192, -camellia256\n"); |
527 |
BIO_printf(bio_err, |
528 |
" encrypt PEM output with cbc camellia\n"); |
529 |
# endif |
530 |
BIO_printf(bio_err, |
531 |
"-nointern don't search certificates in message for signer\n"); |
532 |
BIO_printf(bio_err, |
533 |
"-nosigs don't verify message signature\n"); |
534 |
BIO_printf(bio_err, |
535 |
"-noverify don't verify signers certificate\n"); |
536 |
BIO_printf(bio_err, |
537 |
"-nocerts don't include signers certificate when signing\n"); |
538 |
BIO_printf(bio_err, "-nodetach use opaque signing\n"); |
539 |
BIO_printf(bio_err, |
540 |
"-noattr don't include any signed attributes\n"); |
541 |
BIO_printf(bio_err, |
542 |
"-binary don't translate message to text\n"); |
543 |
BIO_printf(bio_err, "-certfile file other certificates file\n"); |
544 |
BIO_printf(bio_err, "-certsout file certificate output file\n"); |
545 |
BIO_printf(bio_err, "-signer file signer certificate file\n"); |
546 |
BIO_printf(bio_err, |
547 |
"-recip file recipient certificate file for decryption\n"); |
548 |
BIO_printf(bio_err, "-keyid use subject key identifier\n"); |
549 |
BIO_printf(bio_err, "-in file input file\n"); |
550 |
BIO_printf(bio_err, |
551 |
"-inform arg input format SMIME (default), PEM or DER\n"); |
552 |
BIO_printf(bio_err, |
553 |
"-inkey file input private key (if not signer or recipient)\n"); |
554 |
BIO_printf(bio_err, |
555 |
"-keyform arg input private key format (PEM or ENGINE)\n"); |
556 |
BIO_printf(bio_err, "-out file output file\n"); |
557 |
BIO_printf(bio_err, |
558 |
"-outform arg output format SMIME (default), PEM or DER\n"); |
559 |
BIO_printf(bio_err, |
560 |
"-content file supply or override content for detached signature\n"); |
561 |
BIO_printf(bio_err, "-to addr to address\n"); |
562 |
BIO_printf(bio_err, "-from ad from address\n"); |
563 |
BIO_printf(bio_err, "-subject s subject\n"); |
564 |
BIO_printf(bio_err, |
565 |
"-text include or delete text MIME headers\n"); |
566 |
BIO_printf(bio_err, |
567 |
"-CApath dir trusted certificates directory\n"); |
568 |
BIO_printf(bio_err, "-CAfile file trusted certificates file\n"); |
569 |
BIO_printf(bio_err, |
570 |
"-crl_check check revocation status of signer's certificate using CRLs\n"); |
571 |
BIO_printf(bio_err, |
572 |
"-crl_check_all check revocation status of signer's certificate chain using CRLs\n"); |
573 |
# ifndef OPENSSL_NO_ENGINE |
574 |
BIO_printf(bio_err, |
575 |
"-engine e use engine e, possibly a hardware device.\n"); |
576 |
# endif |
577 |
BIO_printf(bio_err, "-passin arg input file pass phrase source\n"); |
578 |
BIO_printf(bio_err, "-rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, |
579 |
LIST_SEPARATOR_CHAR); |
580 |
BIO_printf(bio_err, |
581 |
" load the file (or the files in the directory) into\n"); |
582 |
BIO_printf(bio_err, " the random number generator\n"); |
583 |
BIO_printf(bio_err, |
584 |
"cert.pem recipient certificate(s) for encryption\n"); |
585 |
goto end; |
586 |
} |
587 |
# ifndef OPENSSL_NO_ENGINE |
588 |
e = setup_engine(bio_err, engine, 0); |
589 |
# endif |
590 |
|
591 |
if (!app_passwd(bio_err, passargin, NULL, &passin, NULL)) { |
592 |
BIO_printf(bio_err, "Error getting password\n"); |
593 |
goto end; |
594 |
} |
595 |
|
596 |
if (need_rand) { |
597 |
app_RAND_load_file(NULL, bio_err, (inrand != NULL)); |
598 |
if (inrand != NULL) |
599 |
BIO_printf(bio_err, "%ld semi-random bytes loaded\n", |
600 |
app_RAND_load_files(inrand)); |
601 |
} |
602 |
|
603 |
ret = 2; |
604 |
|
605 |
if (!(operation & SMIME_SIGNERS)) |
606 |
flags &= ~CMS_DETACHED; |
607 |
|
608 |
if (operation & SMIME_OP) { |
609 |
if (outformat == FORMAT_ASN1) |
610 |
outmode = "wb"; |
611 |
} else { |
612 |
if (flags & CMS_BINARY) |
613 |
outmode = "wb"; |
614 |
} |
615 |
|
616 |
if (operation & SMIME_IP) { |
617 |
if (informat == FORMAT_ASN1) |
618 |
inmode = "rb"; |
619 |
} else { |
620 |
if (flags & CMS_BINARY) |
621 |
inmode = "rb"; |
622 |
} |
623 |
|
624 |
if (operation == SMIME_ENCRYPT) { |
625 |
if (!cipher) { |
626 |
# ifndef OPENSSL_NO_DES |
627 |
cipher = EVP_des_ede3_cbc(); |
628 |
# else |
629 |
BIO_printf(bio_err, "No cipher selected\n"); |
630 |
goto end; |
631 |
# endif |
632 |
} |
633 |
|
634 |
if (secret_key && !secret_keyid) { |
635 |
BIO_printf(bio_err, "No sectre key id\n"); |
636 |
goto end; |
637 |
} |
638 |
|
639 |
if (*args) |
640 |
encerts = sk_X509_new_null(); |
641 |
while (*args) { |
642 |
if (!(cert = load_cert(bio_err, *args, FORMAT_PEM, |
643 |
NULL, e, "recipient certificate file"))) |
644 |
goto end; |
645 |
sk_X509_push(encerts, cert); |
646 |
cert = NULL; |
647 |
args++; |
648 |
} |
649 |
} |
650 |
|
651 |
if (certfile) { |
652 |
if (!(other = load_certs(bio_err, certfile, FORMAT_PEM, NULL, |
653 |
e, "certificate file"))) { |
654 |
ERR_print_errors(bio_err); |
655 |
goto end; |
656 |
} |
657 |
} |
658 |
|
659 |
if (recipfile && (operation == SMIME_DECRYPT)) { |
660 |
if (!(recip = load_cert(bio_err, recipfile, FORMAT_PEM, NULL, |
661 |
e, "recipient certificate file"))) { |
662 |
ERR_print_errors(bio_err); |
663 |
goto end; |
664 |
} |
665 |
} |
666 |
|
667 |
if (operation == SMIME_SIGN_RECEIPT) { |
668 |
if (!(signer = load_cert(bio_err, signerfile, FORMAT_PEM, NULL, |
669 |
e, "receipt signer certificate file"))) { |
670 |
ERR_print_errors(bio_err); |
671 |
goto end; |
672 |
} |
673 |
} |
674 |
|
675 |
if (operation == SMIME_DECRYPT) { |
676 |
if (!keyfile) |
677 |
keyfile = recipfile; |
678 |
} else if ((operation == SMIME_SIGN) || (operation == SMIME_SIGN_RECEIPT)) { |
679 |
if (!keyfile) |
680 |
keyfile = signerfile; |
681 |
} else |
682 |
keyfile = NULL; |
683 |
|
684 |
if (keyfile) { |
685 |
key = load_key(bio_err, keyfile, keyform, 0, passin, e, |
686 |
"signing key file"); |
687 |
if (!key) |
688 |
goto end; |
689 |
} |
690 |
|
691 |
if (infile) { |
692 |
if (!(in = BIO_new_file(infile, inmode))) { |
693 |
BIO_printf(bio_err, "Can't open input file %s\n", infile); |
694 |
goto end; |
695 |
} |
696 |
} else |
697 |
in = BIO_new_fp(stdin, BIO_NOCLOSE); |
698 |
|
699 |
if (operation & SMIME_IP) { |
700 |
if (informat == FORMAT_SMIME) |
701 |
cms = SMIME_read_CMS(in, &indata); |
702 |
else if (informat == FORMAT_PEM) |
703 |
cms = PEM_read_bio_CMS(in, NULL, NULL, NULL); |
704 |
else if (informat == FORMAT_ASN1) |
705 |
cms = d2i_CMS_bio(in, NULL); |
706 |
else { |
707 |
BIO_printf(bio_err, "Bad input format for CMS file\n"); |
708 |
goto end; |
709 |
} |
710 |
|
711 |
if (!cms) { |
712 |
BIO_printf(bio_err, "Error reading S/MIME message\n"); |
713 |
goto end; |
714 |
} |
715 |
if (contfile) { |
716 |
BIO_free(indata); |
717 |
if (!(indata = BIO_new_file(contfile, "rb"))) { |
718 |
BIO_printf(bio_err, "Can't read content file %s\n", contfile); |
719 |
goto end; |
720 |
} |
721 |
} |
722 |
if (certsoutfile) { |
723 |
STACK_OF(X509) *allcerts; |
724 |
allcerts = CMS_get1_certs(cms); |
725 |
if (!save_certs(certsoutfile, allcerts)) { |
726 |
BIO_printf(bio_err, |
727 |
"Error writing certs to %s\n", certsoutfile); |
728 |
ret = 5; |
729 |
goto end; |
730 |
} |
731 |
sk_X509_pop_free(allcerts, X509_free); |
732 |
} |
733 |
} |
734 |
|
735 |
if (rctfile) { |
736 |
char *rctmode = (rctformat == FORMAT_ASN1) ? "rb" : "r"; |
737 |
if (!(rctin = BIO_new_file(rctfile, rctmode))) { |
738 |
BIO_printf(bio_err, "Can't open receipt file %s\n", rctfile); |
739 |
goto end; |
740 |
} |
741 |
|
742 |
if (rctformat == FORMAT_SMIME) |
743 |
rcms = SMIME_read_CMS(rctin, NULL); |
744 |
else if (rctformat == FORMAT_PEM) |
745 |
rcms = PEM_read_bio_CMS(rctin, NULL, NULL, NULL); |
746 |
else if (rctformat == FORMAT_ASN1) |
747 |
rcms = d2i_CMS_bio(rctin, NULL); |
748 |
else { |
749 |
BIO_printf(bio_err, "Bad input format for receipt\n"); |
750 |
goto end; |
751 |
} |
752 |
|
753 |
if (!rcms) { |
754 |
BIO_printf(bio_err, "Error reading receipt\n"); |
755 |
goto end; |
756 |
} |
757 |
} |
758 |
|
759 |
if (outfile) { |
760 |
if (!(out = BIO_new_file(outfile, outmode))) { |
761 |
BIO_printf(bio_err, "Can't open output file %s\n", outfile); |
762 |
goto end; |
763 |
} |
764 |
} else { |
765 |
out = BIO_new_fp(stdout, BIO_NOCLOSE); |
766 |
# ifdef OPENSSL_SYS_VMS |
767 |
{ |
768 |
BIO *tmpbio = BIO_new(BIO_f_linebuffer()); |
769 |
out = BIO_push(tmpbio, out); |
770 |
} |
771 |
# endif |
772 |
} |
773 |
|
774 |
if ((operation == SMIME_VERIFY) || (operation == SMIME_VERIFY_RECEIPT)) { |
775 |
if (!(store = setup_verify(bio_err, CAfile, CApath))) |
776 |
goto end; |
777 |
X509_STORE_set_verify_cb_func(store, cms_cb); |
778 |
if (vpm) |
779 |
X509_STORE_set1_param(store, vpm); |
780 |
} |
781 |
|
782 |
ret = 3; |
783 |
|
784 |
if (operation == SMIME_DATA_CREATE) { |
785 |
cms = CMS_data_create(in, flags); |
786 |
} else if (operation == SMIME_DIGEST_CREATE) { |
787 |
cms = CMS_digest_create(in, sign_md, flags); |
788 |
} else if (operation == SMIME_COMPRESS) { |
789 |
cms = CMS_compress(in, -1, flags); |
790 |
} else if (operation == SMIME_ENCRYPT) { |
791 |
flags |= CMS_PARTIAL; |
792 |
cms = CMS_encrypt(encerts, in, cipher, flags); |
793 |
if (!cms) |
794 |
goto end; |
795 |
if (secret_key) { |
796 |
if (!CMS_add0_recipient_key(cms, NID_undef, |
797 |
secret_key, secret_keylen, |
798 |
secret_keyid, secret_keyidlen, |
799 |
NULL, NULL, NULL)) |
800 |
goto end; |
801 |
/* NULL these because call absorbs them */ |
802 |
secret_key = NULL; |
803 |
secret_keyid = NULL; |
804 |
} |
805 |
if (!(flags & CMS_STREAM)) { |
806 |
if (!CMS_final(cms, in, NULL, flags)) |
807 |
goto end; |
808 |
} |
809 |
} else if (operation == SMIME_ENCRYPTED_ENCRYPT) { |
810 |
cms = CMS_EncryptedData_encrypt(in, cipher, |
811 |
secret_key, secret_keylen, flags); |
812 |
|
813 |
} else if (operation == SMIME_SIGN_RECEIPT) { |
814 |
CMS_ContentInfo *srcms = NULL; |
815 |
STACK_OF(CMS_SignerInfo) *sis; |
816 |
CMS_SignerInfo *si; |
817 |
sis = CMS_get0_SignerInfos(cms); |
818 |
if (!sis) |
819 |
goto end; |
820 |
si = sk_CMS_SignerInfo_value(sis, 0); |
821 |
srcms = CMS_sign_receipt(si, signer, key, other, flags); |
822 |
if (!srcms) |
823 |
goto end; |
824 |
CMS_ContentInfo_free(cms); |
825 |
cms = srcms; |
826 |
} else if (operation & SMIME_SIGNERS) { |
827 |
int i; |
828 |
/* |
829 |
* If detached data content we enable streaming if S/MIME output |
830 |
* format. |
831 |
*/ |
832 |
if (operation == SMIME_SIGN) { |
833 |
|
834 |
if (flags & CMS_DETACHED) { |
835 |
if (outformat == FORMAT_SMIME) |
836 |
flags |= CMS_STREAM; |
837 |
} |
838 |
flags |= CMS_PARTIAL; |
839 |
cms = CMS_sign(NULL, NULL, other, in, flags); |
840 |
if (!cms) |
841 |
goto end; |
842 |
if (econtent_type) |
843 |
CMS_set1_eContentType(cms, econtent_type); |
844 |
|
845 |
if (rr_to) { |
846 |
rr = make_receipt_request(rr_to, rr_allorfirst, rr_from); |
847 |
if (!rr) { |
848 |
BIO_puts(bio_err, |
849 |
"Signed Receipt Request Creation Error\n"); |
850 |
goto end; |
851 |
} |
852 |
} |
853 |
} else |
854 |
flags |= CMS_REUSE_DIGEST; |
855 |
for (i = 0; i < sk_num(sksigners); i++) { |
856 |
CMS_SignerInfo *si; |
857 |
signerfile = sk_value(sksigners, i); |
858 |
keyfile = sk_value(skkeys, i); |
859 |
signer = load_cert(bio_err, signerfile, FORMAT_PEM, NULL, |
860 |
e, "signer certificate"); |
861 |
if (!signer) |
862 |
goto end; |
863 |
key = load_key(bio_err, keyfile, keyform, 0, passin, e, |
864 |
"signing key file"); |
865 |
if (!key) |
866 |
goto end; |
867 |
si = CMS_add1_signer(cms, signer, key, sign_md, flags); |
868 |
if (!si) |
869 |
goto end; |
870 |
if (rr && !CMS_add1_ReceiptRequest(si, rr)) |
871 |
goto end; |
872 |
X509_free(signer); |
873 |
signer = NULL; |
874 |
EVP_PKEY_free(key); |
875 |
key = NULL; |
876 |
} |
877 |
/* If not streaming or resigning finalize structure */ |
878 |
if ((operation == SMIME_SIGN) && !(flags & CMS_STREAM)) { |
879 |
if (!CMS_final(cms, in, NULL, flags)) |
880 |
goto end; |
881 |
} |
882 |
} |
883 |
|
884 |
if (!cms) { |
885 |
BIO_printf(bio_err, "Error creating CMS structure\n"); |
886 |
goto end; |
887 |
} |
888 |
|
889 |
ret = 4; |
890 |
if (operation == SMIME_DECRYPT) { |
891 |
if (flags & CMS_DEBUG_DECRYPT) |
892 |
CMS_decrypt(cms, NULL, NULL, NULL, NULL, flags); |
893 |
|
894 |
if (secret_key) { |
895 |
if (!CMS_decrypt_set1_key(cms, |
896 |
secret_key, secret_keylen, |
897 |
secret_keyid, secret_keyidlen)) { |
898 |
BIO_puts(bio_err, "Error decrypting CMS using secret key\n"); |
899 |
goto end; |
900 |
} |
901 |
} |
902 |
|
903 |
if (key) { |
904 |
if (!CMS_decrypt_set1_pkey(cms, key, recip)) { |
905 |
BIO_puts(bio_err, "Error decrypting CMS using private key\n"); |
906 |
goto end; |
907 |
} |
908 |
} |
909 |
|
910 |
if (!CMS_decrypt(cms, NULL, NULL, indata, out, flags)) { |
911 |
BIO_printf(bio_err, "Error decrypting CMS structure\n"); |
912 |
goto end; |
913 |
} |
914 |
} else if (operation == SMIME_DATAOUT) { |
915 |
if (!CMS_data(cms, out, flags)) |
916 |
goto end; |
917 |
} else if (operation == SMIME_UNCOMPRESS) { |
918 |
if (!CMS_uncompress(cms, indata, out, flags)) |
919 |
goto end; |
920 |
} else if (operation == SMIME_DIGEST_VERIFY) { |
921 |
if (CMS_digest_verify(cms, indata, out, flags) > 0) |
922 |
BIO_printf(bio_err, "Verification successful\n"); |
923 |
else { |
924 |
BIO_printf(bio_err, "Verification failure\n"); |
925 |
goto end; |
926 |
} |
927 |
} else if (operation == SMIME_ENCRYPTED_DECRYPT) { |
928 |
if (!CMS_EncryptedData_decrypt(cms, secret_key, secret_keylen, |
929 |
indata, out, flags)) |
930 |
goto end; |
931 |
} else if (operation == SMIME_VERIFY) { |
932 |
if (CMS_verify(cms, other, store, indata, out, flags) > 0) |
933 |
BIO_printf(bio_err, "Verification successful\n"); |
934 |
else { |
935 |
BIO_printf(bio_err, "Verification failure\n"); |
936 |
goto end; |
937 |
} |
938 |
if (signerfile) { |
939 |
STACK_OF(X509) *signers; |
940 |
signers = CMS_get0_signers(cms); |
941 |
if (!save_certs(signerfile, signers)) { |
942 |
BIO_printf(bio_err, |
943 |
"Error writing signers to %s\n", signerfile); |
944 |
ret = 5; |
945 |
goto end; |
946 |
} |
947 |
sk_X509_free(signers); |
948 |
} |
949 |
if (rr_print) |
950 |
receipt_request_print(bio_err, cms); |
951 |
|
952 |
} else if (operation == SMIME_VERIFY_RECEIPT) { |
953 |
if (CMS_verify_receipt(rcms, cms, other, store, flags) > 0) |
954 |
BIO_printf(bio_err, "Verification successful\n"); |
955 |
else { |
956 |
BIO_printf(bio_err, "Verification failure\n"); |
957 |
goto end; |
958 |
} |
959 |
} else { |
960 |
if (outformat == FORMAT_SMIME) { |
961 |
if (to) |
962 |
BIO_printf(out, "To: %s\n", to); |
963 |
if (from) |
964 |
BIO_printf(out, "From: %s\n", from); |
965 |
if (subject) |
966 |
BIO_printf(out, "Subject: %s\n", subject); |
967 |
if (operation == SMIME_RESIGN) |
968 |
ret = SMIME_write_CMS(out, cms, indata, flags); |
969 |
else |
970 |
ret = SMIME_write_CMS(out, cms, in, flags); |
971 |
} else if (outformat == FORMAT_PEM) |
972 |
ret = PEM_write_bio_CMS(out, cms); |
973 |
else if (outformat == FORMAT_ASN1) |
974 |
ret = i2d_CMS_bio(out, cms); |
975 |
else { |
976 |
BIO_printf(bio_err, "Bad output format for CMS file\n"); |
977 |
goto end; |
978 |
} |
979 |
if (ret <= 0) { |
980 |
ret = 6; |
981 |
goto end; |
982 |
} |
983 |
} |
984 |
ret = 0; |
985 |
end: |
986 |
if (ret) |
987 |
ERR_print_errors(bio_err); |
988 |
if (need_rand) |
989 |
app_RAND_write_file(NULL, bio_err); |
990 |
sk_X509_pop_free(encerts, X509_free); |
991 |
sk_X509_pop_free(other, X509_free); |
992 |
if (vpm) |
993 |
X509_VERIFY_PARAM_free(vpm); |
994 |
if (sksigners) |
995 |
sk_free(sksigners); |
996 |
if (skkeys) |
997 |
sk_free(skkeys); |
998 |
if (secret_key) |
999 |
OPENSSL_free(secret_key); |
1000 |
if (secret_keyid) |
1001 |
OPENSSL_free(secret_keyid); |
1002 |
if (econtent_type) |
1003 |
ASN1_OBJECT_free(econtent_type); |
1004 |
if (rr) |
1005 |
CMS_ReceiptRequest_free(rr); |
1006 |
if (rr_to) |
1007 |
sk_free(rr_to); |
1008 |
if (rr_from) |
1009 |
sk_free(rr_from); |
1010 |
X509_STORE_free(store); |
1011 |
X509_free(cert); |
1012 |
X509_free(recip); |
1013 |
X509_free(signer); |
1014 |
EVP_PKEY_free(key); |
1015 |
CMS_ContentInfo_free(cms); |
1016 |
CMS_ContentInfo_free(rcms); |
1017 |
BIO_free(rctin); |
1018 |
BIO_free(in); |
1019 |
BIO_free(indata); |
1020 |
BIO_free_all(out); |
1021 |
if (passin) |
1022 |
OPENSSL_free(passin); |
1023 |
return (ret); |
1024 |
} |
1025 |
|
1026 |
static int save_certs(char *signerfile, STACK_OF(X509) *signers) |
1027 |
{ |
1028 |
int i; |
1029 |
BIO *tmp; |
1030 |
if (!signerfile) |
1031 |
return 1; |
1032 |
tmp = BIO_new_file(signerfile, "w"); |
1033 |
if (!tmp) |
1034 |
return 0; |
1035 |
for (i = 0; i < sk_X509_num(signers); i++) |
1036 |
PEM_write_bio_X509(tmp, sk_X509_value(signers, i)); |
1037 |
BIO_free(tmp); |
1038 |
return 1; |
1039 |
} |
1040 |
|
1041 |
/* Minimal callback just to output policy info (if any) */ |
1042 |
|
1043 |
static int cms_cb(int ok, X509_STORE_CTX *ctx) |
1044 |
{ |
1045 |
int error; |
1046 |
|
1047 |
error = X509_STORE_CTX_get_error(ctx); |
1048 |
|
1049 |
if ((error != X509_V_ERR_NO_EXPLICIT_POLICY) |
1050 |
&& ((error != X509_V_OK) || (ok != 2))) |
1051 |
return ok; |
1052 |
|
1053 |
policies_print(NULL, ctx); |
1054 |
|
1055 |
return ok; |
1056 |
|
1057 |
} |
1058 |
|
1059 |
static void gnames_stack_print(BIO *out, STACK_OF(GENERAL_NAMES) *gns) |
1060 |
{ |
1061 |
STACK_OF(GENERAL_NAME) *gens; |
1062 |
GENERAL_NAME *gen; |
1063 |
int i, j; |
1064 |
for (i = 0; i < sk_GENERAL_NAMES_num(gns); i++) { |
1065 |
gens = sk_GENERAL_NAMES_value(gns, i); |
1066 |
for (j = 0; j < sk_GENERAL_NAME_num(gens); j++) { |
1067 |
gen = sk_GENERAL_NAME_value(gens, j); |
1068 |
BIO_puts(out, " "); |
1069 |
GENERAL_NAME_print(out, gen); |
1070 |
BIO_puts(out, "\n"); |
1071 |
} |
1072 |
} |
1073 |
return; |
1074 |
} |
1075 |
|
1076 |
static void receipt_request_print(BIO *out, CMS_ContentInfo *cms) |
1077 |
{ |
1078 |
STACK_OF(CMS_SignerInfo) *sis; |
1079 |
CMS_SignerInfo *si; |
1080 |
CMS_ReceiptRequest *rr; |
1081 |
int allorfirst; |
1082 |
STACK_OF(GENERAL_NAMES) *rto, *rlist; |
1083 |
ASN1_STRING *scid; |
1084 |
int i, rv; |
1085 |
sis = CMS_get0_SignerInfos(cms); |
1086 |
for (i = 0; i < sk_CMS_SignerInfo_num(sis); i++) { |
1087 |
si = sk_CMS_SignerInfo_value(sis, i); |
1088 |
rv = CMS_get1_ReceiptRequest(si, &rr); |
1089 |
BIO_printf(bio_err, "Signer %d:\n", i + 1); |
1090 |
if (rv == 0) |
1091 |
BIO_puts(bio_err, " No Receipt Request\n"); |
1092 |
else if (rv < 0) { |
1093 |
BIO_puts(bio_err, " Receipt Request Parse Error\n"); |
1094 |
ERR_print_errors(bio_err); |
1095 |
} else { |
1096 |
char *id; |
1097 |
int idlen; |
1098 |
CMS_ReceiptRequest_get0_values(rr, &scid, &allorfirst, |
1099 |
&rlist, &rto); |
1100 |
BIO_puts(out, " Signed Content ID:\n"); |
1101 |
idlen = ASN1_STRING_length(scid); |
1102 |
id = (char *)ASN1_STRING_data(scid); |
1103 |
BIO_dump_indent(out, id, idlen, 4); |
1104 |
BIO_puts(out, " Receipts From"); |
1105 |
if (rlist) { |
1106 |
BIO_puts(out, " List:\n"); |
1107 |
gnames_stack_print(out, rlist); |
1108 |
} else if (allorfirst == 1) |
1109 |
BIO_puts(out, ": First Tier\n"); |
1110 |
else if (allorfirst == 0) |
1111 |
BIO_puts(out, ": All\n"); |
1112 |
else |
1113 |
BIO_printf(out, " Unknown (%d)\n", allorfirst); |
1114 |
BIO_puts(out, " Receipts To:\n"); |
1115 |
gnames_stack_print(out, rto); |
1116 |
} |
1117 |
if (rr) |
1118 |
CMS_ReceiptRequest_free(rr); |
1119 |
} |
1120 |
} |
1121 |
|
1122 |
static STACK_OF(GENERAL_NAMES) *make_names_stack(STACK * ns) |
1123 |
{ |
1124 |
int i; |
1125 |
STACK_OF(GENERAL_NAMES) *ret; |
1126 |
GENERAL_NAMES *gens = NULL; |
1127 |
GENERAL_NAME *gen = NULL; |
1128 |
ret = sk_GENERAL_NAMES_new_null(); |
1129 |
if (!ret) |
1130 |
goto err; |
1131 |
for (i = 0; i < sk_num(ns); i++) { |
1132 |
CONF_VALUE cnf; |
1133 |
cnf.name = "email"; |
1134 |
cnf.value = sk_value(ns, i); |
1135 |
gen = v2i_GENERAL_NAME(NULL, NULL, &cnf); |
1136 |
if (!gen) |
1137 |
goto err; |
1138 |
gens = GENERAL_NAMES_new(); |
1139 |
if (!gens) |
1140 |
goto err; |
1141 |
if (!sk_GENERAL_NAME_push(gens, gen)) |
1142 |
goto err; |
1143 |
gen = NULL; |
1144 |
if (!sk_GENERAL_NAMES_push(ret, gens)) |
1145 |
goto err; |
1146 |
gens = NULL; |
1147 |
} |
1148 |
|
1149 |
return ret; |
1150 |
|
1151 |
err: |
1152 |
if (ret) |
1153 |
sk_GENERAL_NAMES_pop_free(ret, GENERAL_NAMES_free); |
1154 |
if (gens) |
1155 |
GENERAL_NAMES_free(gens); |
1156 |
if (gen) |
1157 |
GENERAL_NAME_free(gen); |
1158 |
return NULL; |
1159 |
} |
1160 |
|
1161 |
static CMS_ReceiptRequest *make_receipt_request(STACK * rr_to, |
1162 |
int rr_allorfirst, |
1163 |
STACK * rr_from) |
1164 |
{ |
1165 |
STACK_OF(GENERAL_NAMES) *rct_to, *rct_from; |
1166 |
CMS_ReceiptRequest *rr; |
1167 |
rct_to = make_names_stack(rr_to); |
1168 |
if (!rct_to) |
1169 |
goto err; |
1170 |
if (rr_from) { |
1171 |
rct_from = make_names_stack(rr_from); |
1172 |
if (!rct_from) |
1173 |
goto err; |
1174 |
} else |
1175 |
rct_from = NULL; |
1176 |
rr = CMS_ReceiptRequest_create0(NULL, -1, rr_allorfirst, rct_from, |
1177 |
rct_to); |
1178 |
return rr; |
1179 |
err: |
1180 |
return NULL; |
1181 |
} |
1182 |
|
1183 |
#endif |