1 /* 2 * Copyright 2008-2019 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the OpenSSL license (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10 /* CMS utility function */ 11 12 #include <stdio.h> 13 #include <string.h> 14 #include "apps.h" 15 #include "progs.h" 16 17 #ifndef OPENSSL_NO_CMS 18 19 # include <openssl/crypto.h> 20 # include <openssl/pem.h> 21 # include <openssl/err.h> 22 # include <openssl/x509_vfy.h> 23 # include <openssl/x509v3.h> 24 # include <openssl/cms.h> 25 26 static int save_certs(char *signerfile, STACK_OF(X509) *signers); 27 static int cms_cb(int ok, X509_STORE_CTX *ctx); 28 static void receipt_request_print(CMS_ContentInfo *cms); 29 static CMS_ReceiptRequest *make_receipt_request(STACK_OF(OPENSSL_STRING) 30 *rr_to, int rr_allorfirst, STACK_OF(OPENSSL_STRING) 31 *rr_from); 32 static int cms_set_pkey_param(EVP_PKEY_CTX *pctx, 33 STACK_OF(OPENSSL_STRING) *param); 34 35 # define SMIME_OP 0x10 36 # define SMIME_IP 0x20 37 # define SMIME_SIGNERS 0x40 38 # define SMIME_ENCRYPT (1 | SMIME_OP) 39 # define SMIME_DECRYPT (2 | SMIME_IP) 40 # define SMIME_SIGN (3 | SMIME_OP | SMIME_SIGNERS) 41 # define SMIME_VERIFY (4 | SMIME_IP) 42 # define SMIME_CMSOUT (5 | SMIME_IP | SMIME_OP) 43 # define SMIME_RESIGN (6 | SMIME_IP | SMIME_OP | SMIME_SIGNERS) 44 # define SMIME_DATAOUT (7 | SMIME_IP) 45 # define SMIME_DATA_CREATE (8 | SMIME_OP) 46 # define SMIME_DIGEST_VERIFY (9 | SMIME_IP) 47 # define SMIME_DIGEST_CREATE (10 | SMIME_OP) 48 # define SMIME_UNCOMPRESS (11 | SMIME_IP) 49 # define SMIME_COMPRESS (12 | SMIME_OP) 50 # define SMIME_ENCRYPTED_DECRYPT (13 | SMIME_IP) 51 # define SMIME_ENCRYPTED_ENCRYPT (14 | SMIME_OP) 52 # define SMIME_SIGN_RECEIPT (15 | SMIME_IP | SMIME_OP) 53 # define SMIME_VERIFY_RECEIPT (16 | SMIME_IP) 54 55 static int verify_err = 0; 56 57 typedef struct cms_key_param_st cms_key_param; 58 59 struct cms_key_param_st { 60 int idx; 61 STACK_OF(OPENSSL_STRING) *param; 62 cms_key_param *next; 63 }; 64 65 typedef enum OPTION_choice { 66 OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, 67 OPT_INFORM, OPT_OUTFORM, OPT_IN, OPT_OUT, OPT_ENCRYPT, 68 OPT_DECRYPT, OPT_SIGN, OPT_SIGN_RECEIPT, OPT_RESIGN, 69 OPT_VERIFY, OPT_VERIFY_RETCODE, OPT_VERIFY_RECEIPT, 70 OPT_CMSOUT, OPT_DATA_OUT, OPT_DATA_CREATE, OPT_DIGEST_VERIFY, 71 OPT_DIGEST_CREATE, OPT_COMPRESS, OPT_UNCOMPRESS, 72 OPT_ED_DECRYPT, OPT_ED_ENCRYPT, OPT_DEBUG_DECRYPT, OPT_TEXT, 73 OPT_ASCIICRLF, OPT_NOINTERN, OPT_NOVERIFY, OPT_NOCERTS, 74 OPT_NOATTR, OPT_NODETACH, OPT_NOSMIMECAP, OPT_BINARY, OPT_KEYID, 75 OPT_NOSIGS, OPT_NO_CONTENT_VERIFY, OPT_NO_ATTR_VERIFY, OPT_INDEF, 76 OPT_NOINDEF, OPT_CRLFEOL, OPT_NOOUT, OPT_RR_PRINT, 77 OPT_RR_ALL, OPT_RR_FIRST, OPT_RCTFORM, OPT_CERTFILE, OPT_CAFILE, 78 OPT_CAPATH, OPT_NOCAPATH, OPT_NOCAFILE,OPT_CONTENT, OPT_PRINT, 79 OPT_SECRETKEY, OPT_SECRETKEYID, OPT_PWRI_PASSWORD, OPT_ECONTENT_TYPE, 80 OPT_PASSIN, OPT_TO, OPT_FROM, OPT_SUBJECT, OPT_SIGNER, OPT_RECIP, 81 OPT_CERTSOUT, OPT_MD, OPT_INKEY, OPT_KEYFORM, OPT_KEYOPT, OPT_RR_FROM, 82 OPT_RR_TO, OPT_AES128_WRAP, OPT_AES192_WRAP, OPT_AES256_WRAP, 83 OPT_3DES_WRAP, OPT_ENGINE, 84 OPT_R_ENUM, 85 OPT_V_ENUM, 86 OPT_CIPHER 87 } OPTION_CHOICE; 88 89 const OPTIONS cms_options[] = { 90 {OPT_HELP_STR, 1, '-', "Usage: %s [options] cert.pem...\n"}, 91 {OPT_HELP_STR, 1, '-', 92 " cert.pem... recipient certs for encryption\n"}, 93 {OPT_HELP_STR, 1, '-', "Valid options are:\n"}, 94 {"help", OPT_HELP, '-', "Display this summary"}, 95 {"inform", OPT_INFORM, 'c', "Input format SMIME (default), PEM or DER"}, 96 {"outform", OPT_OUTFORM, 'c', 97 "Output format SMIME (default), PEM or DER"}, 98 {"in", OPT_IN, '<', "Input file"}, 99 {"out", OPT_OUT, '>', "Output file"}, 100 {"encrypt", OPT_ENCRYPT, '-', "Encrypt message"}, 101 {"decrypt", OPT_DECRYPT, '-', "Decrypt encrypted message"}, 102 {"sign", OPT_SIGN, '-', "Sign message"}, 103 {"sign_receipt", OPT_SIGN_RECEIPT, '-', "Generate a signed receipt for the message"}, 104 {"resign", OPT_RESIGN, '-', "Resign a signed message"}, 105 {"verify", OPT_VERIFY, '-', "Verify signed message"}, 106 {"verify_retcode", OPT_VERIFY_RETCODE, '-'}, 107 {"verify_receipt", OPT_VERIFY_RECEIPT, '<'}, 108 {"cmsout", OPT_CMSOUT, '-', "Output CMS structure"}, 109 {"data_out", OPT_DATA_OUT, '-'}, 110 {"data_create", OPT_DATA_CREATE, '-'}, 111 {"digest_verify", OPT_DIGEST_VERIFY, '-'}, 112 {"digest_create", OPT_DIGEST_CREATE, '-'}, 113 {"compress", OPT_COMPRESS, '-'}, 114 {"uncompress", OPT_UNCOMPRESS, '-'}, 115 {"EncryptedData_decrypt", OPT_ED_DECRYPT, '-'}, 116 {"EncryptedData_encrypt", OPT_ED_ENCRYPT, '-'}, 117 {"debug_decrypt", OPT_DEBUG_DECRYPT, '-'}, 118 {"text", OPT_TEXT, '-', "Include or delete text MIME headers"}, 119 {"asciicrlf", OPT_ASCIICRLF, '-'}, 120 {"nointern", OPT_NOINTERN, '-', 121 "Don't search certificates in message for signer"}, 122 {"noverify", OPT_NOVERIFY, '-', "Don't verify signers certificate"}, 123 {"nocerts", OPT_NOCERTS, '-', 124 "Don't include signers certificate when signing"}, 125 {"noattr", OPT_NOATTR, '-', "Don't include any signed attributes"}, 126 {"nodetach", OPT_NODETACH, '-', "Use opaque signing"}, 127 {"nosmimecap", OPT_NOSMIMECAP, '-', "Omit the SMIMECapabilities attribute"}, 128 {"binary", OPT_BINARY, '-', "Don't translate message to text"}, 129 {"keyid", OPT_KEYID, '-', "Use subject key identifier"}, 130 {"nosigs", OPT_NOSIGS, '-', "Don't verify message signature"}, 131 {"no_content_verify", OPT_NO_CONTENT_VERIFY, '-'}, 132 {"no_attr_verify", OPT_NO_ATTR_VERIFY, '-'}, 133 {"stream", OPT_INDEF, '-', "Enable CMS streaming"}, 134 {"indef", OPT_INDEF, '-', "Same as -stream"}, 135 {"noindef", OPT_NOINDEF, '-', "Disable CMS streaming"}, 136 {"crlfeol", OPT_CRLFEOL, '-', "Use CRLF as EOL termination instead of CR only" }, 137 {"noout", OPT_NOOUT, '-', "For the -cmsout operation do not output the parsed CMS structure"}, 138 {"receipt_request_print", OPT_RR_PRINT, '-', "Print CMS Receipt Request" }, 139 {"receipt_request_all", OPT_RR_ALL, '-'}, 140 {"receipt_request_first", OPT_RR_FIRST, '-'}, 141 {"rctform", OPT_RCTFORM, 'F', "Receipt file format"}, 142 {"certfile", OPT_CERTFILE, '<', "Other certificates file"}, 143 {"CAfile", OPT_CAFILE, '<', "Trusted certificates file"}, 144 {"CApath", OPT_CAPATH, '/', "trusted certificates directory"}, 145 {"no-CAfile", OPT_NOCAFILE, '-', 146 "Do not load the default certificates file"}, 147 {"no-CApath", OPT_NOCAPATH, '-', 148 "Do not load certificates from the default certificates directory"}, 149 {"content", OPT_CONTENT, '<', 150 "Supply or override content for detached signature"}, 151 {"print", OPT_PRINT, '-', 152 "For the -cmsout operation print out all fields of the CMS structure"}, 153 {"secretkey", OPT_SECRETKEY, 's'}, 154 {"secretkeyid", OPT_SECRETKEYID, 's'}, 155 {"pwri_password", OPT_PWRI_PASSWORD, 's'}, 156 {"econtent_type", OPT_ECONTENT_TYPE, 's'}, 157 {"passin", OPT_PASSIN, 's', "Input file pass phrase source"}, 158 {"to", OPT_TO, 's', "To address"}, 159 {"from", OPT_FROM, 's', "From address"}, 160 {"subject", OPT_SUBJECT, 's', "Subject"}, 161 {"signer", OPT_SIGNER, 's', "Signer certificate file"}, 162 {"recip", OPT_RECIP, '<', "Recipient cert file for decryption"}, 163 {"certsout", OPT_CERTSOUT, '>', "Certificate output file"}, 164 {"md", OPT_MD, 's', "Digest algorithm to use when signing or resigning"}, 165 {"inkey", OPT_INKEY, 's', 166 "Input private key (if not signer or recipient)"}, 167 {"keyform", OPT_KEYFORM, 'f', "Input private key format (PEM or ENGINE)"}, 168 {"keyopt", OPT_KEYOPT, 's', "Set public key parameters as n:v pairs"}, 169 {"receipt_request_from", OPT_RR_FROM, 's'}, 170 {"receipt_request_to", OPT_RR_TO, 's'}, 171 {"", OPT_CIPHER, '-', "Any supported cipher"}, 172 OPT_R_OPTIONS, 173 OPT_V_OPTIONS, 174 {"aes128-wrap", OPT_AES128_WRAP, '-', "Use AES128 to wrap key"}, 175 {"aes192-wrap", OPT_AES192_WRAP, '-', "Use AES192 to wrap key"}, 176 {"aes256-wrap", OPT_AES256_WRAP, '-', "Use AES256 to wrap key"}, 177 # ifndef OPENSSL_NO_DES 178 {"des3-wrap", OPT_3DES_WRAP, '-', "Use 3DES-EDE to wrap key"}, 179 # endif 180 # ifndef OPENSSL_NO_ENGINE 181 {"engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device"}, 182 # endif 183 {NULL} 184 }; 185 186 int cms_main(int argc, char **argv) 187 { 188 ASN1_OBJECT *econtent_type = NULL; 189 BIO *in = NULL, *out = NULL, *indata = NULL, *rctin = NULL; 190 CMS_ContentInfo *cms = NULL, *rcms = NULL; 191 CMS_ReceiptRequest *rr = NULL; 192 ENGINE *e = NULL; 193 EVP_PKEY *key = NULL; 194 const EVP_CIPHER *cipher = NULL, *wrap_cipher = NULL; 195 const EVP_MD *sign_md = NULL; 196 STACK_OF(OPENSSL_STRING) *rr_to = NULL, *rr_from = NULL; 197 STACK_OF(OPENSSL_STRING) *sksigners = NULL, *skkeys = NULL; 198 STACK_OF(X509) *encerts = NULL, *other = NULL; 199 X509 *cert = NULL, *recip = NULL, *signer = NULL; 200 X509_STORE *store = NULL; 201 X509_VERIFY_PARAM *vpm = NULL; 202 char *certfile = NULL, *keyfile = NULL, *contfile = NULL; 203 const char *CAfile = NULL, *CApath = NULL; 204 char *certsoutfile = NULL; 205 int noCAfile = 0, noCApath = 0; 206 char *infile = NULL, *outfile = NULL, *rctfile = NULL; 207 char *passinarg = NULL, *passin = NULL, *signerfile = NULL, *recipfile = NULL; 208 char *to = NULL, *from = NULL, *subject = NULL, *prog; 209 cms_key_param *key_first = NULL, *key_param = NULL; 210 int flags = CMS_DETACHED, noout = 0, print = 0, keyidx = -1, vpmtouched = 0; 211 int informat = FORMAT_SMIME, outformat = FORMAT_SMIME; 212 int operation = 0, ret = 1, rr_print = 0, rr_allorfirst = -1; 213 int verify_retcode = 0, rctformat = FORMAT_SMIME, keyform = FORMAT_PEM; 214 size_t secret_keylen = 0, secret_keyidlen = 0; 215 unsigned char *pwri_pass = NULL, *pwri_tmp = NULL; 216 unsigned char *secret_key = NULL, *secret_keyid = NULL; 217 long ltmp; 218 const char *mime_eol = "\n"; 219 OPTION_CHOICE o; 220 221 if ((vpm = X509_VERIFY_PARAM_new()) == NULL) 222 return 1; 223 224 prog = opt_init(argc, argv, cms_options); 225 while ((o = opt_next()) != OPT_EOF) { 226 switch (o) { 227 case OPT_EOF: 228 case OPT_ERR: 229 opthelp: 230 BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); 231 goto end; 232 case OPT_HELP: 233 opt_help(cms_options); 234 ret = 0; 235 goto end; 236 case OPT_INFORM: 237 if (!opt_format(opt_arg(), OPT_FMT_PDS, &informat)) 238 goto opthelp; 239 break; 240 case OPT_OUTFORM: 241 if (!opt_format(opt_arg(), OPT_FMT_PDS, &outformat)) 242 goto opthelp; 243 break; 244 case OPT_OUT: 245 outfile = opt_arg(); 246 break; 247 case OPT_ENCRYPT: 248 operation = SMIME_ENCRYPT; 249 break; 250 case OPT_DECRYPT: 251 operation = SMIME_DECRYPT; 252 break; 253 case OPT_SIGN: 254 operation = SMIME_SIGN; 255 break; 256 case OPT_SIGN_RECEIPT: 257 operation = SMIME_SIGN_RECEIPT; 258 break; 259 case OPT_RESIGN: 260 operation = SMIME_RESIGN; 261 break; 262 case OPT_VERIFY: 263 operation = SMIME_VERIFY; 264 break; 265 case OPT_VERIFY_RETCODE: 266 verify_retcode = 1; 267 break; 268 case OPT_VERIFY_RECEIPT: 269 operation = SMIME_VERIFY_RECEIPT; 270 rctfile = opt_arg(); 271 break; 272 case OPT_CMSOUT: 273 operation = SMIME_CMSOUT; 274 break; 275 case OPT_DATA_OUT: 276 operation = SMIME_DATAOUT; 277 break; 278 case OPT_DATA_CREATE: 279 operation = SMIME_DATA_CREATE; 280 break; 281 case OPT_DIGEST_VERIFY: 282 operation = SMIME_DIGEST_VERIFY; 283 break; 284 case OPT_DIGEST_CREATE: 285 operation = SMIME_DIGEST_CREATE; 286 break; 287 case OPT_COMPRESS: 288 operation = SMIME_COMPRESS; 289 break; 290 case OPT_UNCOMPRESS: 291 operation = SMIME_UNCOMPRESS; 292 break; 293 case OPT_ED_DECRYPT: 294 operation = SMIME_ENCRYPTED_DECRYPT; 295 break; 296 case OPT_ED_ENCRYPT: 297 operation = SMIME_ENCRYPTED_ENCRYPT; 298 break; 299 case OPT_DEBUG_DECRYPT: 300 flags |= CMS_DEBUG_DECRYPT; 301 break; 302 case OPT_TEXT: 303 flags |= CMS_TEXT; 304 break; 305 case OPT_ASCIICRLF: 306 flags |= CMS_ASCIICRLF; 307 break; 308 case OPT_NOINTERN: 309 flags |= CMS_NOINTERN; 310 break; 311 case OPT_NOVERIFY: 312 flags |= CMS_NO_SIGNER_CERT_VERIFY; 313 break; 314 case OPT_NOCERTS: 315 flags |= CMS_NOCERTS; 316 break; 317 case OPT_NOATTR: 318 flags |= CMS_NOATTR; 319 break; 320 case OPT_NODETACH: 321 flags &= ~CMS_DETACHED; 322 break; 323 case OPT_NOSMIMECAP: 324 flags |= CMS_NOSMIMECAP; 325 break; 326 case OPT_BINARY: 327 flags |= CMS_BINARY; 328 break; 329 case OPT_KEYID: 330 flags |= CMS_USE_KEYID; 331 break; 332 case OPT_NOSIGS: 333 flags |= CMS_NOSIGS; 334 break; 335 case OPT_NO_CONTENT_VERIFY: 336 flags |= CMS_NO_CONTENT_VERIFY; 337 break; 338 case OPT_NO_ATTR_VERIFY: 339 flags |= CMS_NO_ATTR_VERIFY; 340 break; 341 case OPT_INDEF: 342 flags |= CMS_STREAM; 343 break; 344 case OPT_NOINDEF: 345 flags &= ~CMS_STREAM; 346 break; 347 case OPT_CRLFEOL: 348 mime_eol = "\r\n"; 349 flags |= CMS_CRLFEOL; 350 break; 351 case OPT_NOOUT: 352 noout = 1; 353 break; 354 case OPT_RR_PRINT: 355 rr_print = 1; 356 break; 357 case OPT_RR_ALL: 358 rr_allorfirst = 0; 359 break; 360 case OPT_RR_FIRST: 361 rr_allorfirst = 1; 362 break; 363 case OPT_RCTFORM: 364 if (rctformat == FORMAT_SMIME) 365 rcms = SMIME_read_CMS(rctin, NULL); 366 else if (rctformat == FORMAT_PEM) 367 rcms = PEM_read_bio_CMS(rctin, NULL, NULL, NULL); 368 else if (rctformat == FORMAT_ASN1) 369 if (!opt_format(opt_arg(), 370 OPT_FMT_PEMDER | OPT_FMT_SMIME, &rctformat)) 371 goto opthelp; 372 break; 373 case OPT_CERTFILE: 374 certfile = opt_arg(); 375 break; 376 case OPT_CAFILE: 377 CAfile = opt_arg(); 378 break; 379 case OPT_CAPATH: 380 CApath = opt_arg(); 381 break; 382 case OPT_NOCAFILE: 383 noCAfile = 1; 384 break; 385 case OPT_NOCAPATH: 386 noCApath = 1; 387 break; 388 case OPT_IN: 389 infile = opt_arg(); 390 break; 391 case OPT_CONTENT: 392 contfile = opt_arg(); 393 break; 394 case OPT_RR_FROM: 395 if (rr_from == NULL 396 && (rr_from = sk_OPENSSL_STRING_new_null()) == NULL) 397 goto end; 398 sk_OPENSSL_STRING_push(rr_from, opt_arg()); 399 break; 400 case OPT_RR_TO: 401 if (rr_to == NULL 402 && (rr_to = sk_OPENSSL_STRING_new_null()) == NULL) 403 goto end; 404 sk_OPENSSL_STRING_push(rr_to, opt_arg()); 405 break; 406 case OPT_PRINT: 407 noout = print = 1; 408 break; 409 case OPT_SECRETKEY: 410 if (secret_key != NULL) { 411 BIO_printf(bio_err, "Invalid key (supplied twice) %s\n", 412 opt_arg()); 413 goto opthelp; 414 } 415 secret_key = OPENSSL_hexstr2buf(opt_arg(), <mp); 416 if (secret_key == NULL) { 417 BIO_printf(bio_err, "Invalid key %s\n", opt_arg()); 418 goto end; 419 } 420 secret_keylen = (size_t)ltmp; 421 break; 422 case OPT_SECRETKEYID: 423 if (secret_keyid != NULL) { 424 BIO_printf(bio_err, "Invalid id (supplied twice) %s\n", 425 opt_arg()); 426 goto opthelp; 427 } 428 secret_keyid = OPENSSL_hexstr2buf(opt_arg(), <mp); 429 if (secret_keyid == NULL) { 430 BIO_printf(bio_err, "Invalid id %s\n", opt_arg()); 431 goto opthelp; 432 } 433 secret_keyidlen = (size_t)ltmp; 434 break; 435 case OPT_PWRI_PASSWORD: 436 pwri_pass = (unsigned char *)opt_arg(); 437 break; 438 case OPT_ECONTENT_TYPE: 439 if (econtent_type != NULL) { 440 BIO_printf(bio_err, "Invalid OID (supplied twice) %s\n", 441 opt_arg()); 442 goto opthelp; 443 } 444 econtent_type = OBJ_txt2obj(opt_arg(), 0); 445 if (econtent_type == NULL) { 446 BIO_printf(bio_err, "Invalid OID %s\n", opt_arg()); 447 goto opthelp; 448 } 449 break; 450 case OPT_ENGINE: 451 e = setup_engine(opt_arg(), 0); 452 break; 453 case OPT_PASSIN: 454 passinarg = opt_arg(); 455 break; 456 case OPT_TO: 457 to = opt_arg(); 458 break; 459 case OPT_FROM: 460 from = opt_arg(); 461 break; 462 case OPT_SUBJECT: 463 subject = opt_arg(); 464 break; 465 case OPT_CERTSOUT: 466 certsoutfile = opt_arg(); 467 break; 468 case OPT_MD: 469 if (!opt_md(opt_arg(), &sign_md)) 470 goto end; 471 break; 472 case OPT_SIGNER: 473 /* If previous -signer argument add signer to list */ 474 if (signerfile != NULL) { 475 if (sksigners == NULL 476 && (sksigners = sk_OPENSSL_STRING_new_null()) == NULL) 477 goto end; 478 sk_OPENSSL_STRING_push(sksigners, signerfile); 479 if (keyfile == NULL) 480 keyfile = signerfile; 481 if (skkeys == NULL 482 && (skkeys = sk_OPENSSL_STRING_new_null()) == NULL) 483 goto end; 484 sk_OPENSSL_STRING_push(skkeys, keyfile); 485 keyfile = NULL; 486 } 487 signerfile = opt_arg(); 488 break; 489 case OPT_INKEY: 490 /* If previous -inkey argument add signer to list */ 491 if (keyfile != NULL) { 492 if (signerfile == NULL) { 493 BIO_puts(bio_err, "Illegal -inkey without -signer\n"); 494 goto end; 495 } 496 if (sksigners == NULL 497 && (sksigners = sk_OPENSSL_STRING_new_null()) == NULL) 498 goto end; 499 sk_OPENSSL_STRING_push(sksigners, signerfile); 500 signerfile = NULL; 501 if (skkeys == NULL 502 && (skkeys = sk_OPENSSL_STRING_new_null()) == NULL) 503 goto end; 504 sk_OPENSSL_STRING_push(skkeys, keyfile); 505 } 506 keyfile = opt_arg(); 507 break; 508 case OPT_KEYFORM: 509 if (!opt_format(opt_arg(), OPT_FMT_ANY, &keyform)) 510 goto opthelp; 511 break; 512 case OPT_RECIP: 513 if (operation == SMIME_ENCRYPT) { 514 if (encerts == NULL && (encerts = sk_X509_new_null()) == NULL) 515 goto end; 516 cert = load_cert(opt_arg(), FORMAT_PEM, 517 "recipient certificate file"); 518 if (cert == NULL) 519 goto end; 520 sk_X509_push(encerts, cert); 521 cert = NULL; 522 } else { 523 recipfile = opt_arg(); 524 } 525 break; 526 case OPT_CIPHER: 527 if (!opt_cipher(opt_unknown(), &cipher)) 528 goto end; 529 break; 530 case OPT_KEYOPT: 531 keyidx = -1; 532 if (operation == SMIME_ENCRYPT) { 533 if (encerts != NULL) 534 keyidx += sk_X509_num(encerts); 535 } else { 536 if (keyfile != NULL || signerfile != NULL) 537 keyidx++; 538 if (skkeys != NULL) 539 keyidx += sk_OPENSSL_STRING_num(skkeys); 540 } 541 if (keyidx < 0) { 542 BIO_printf(bio_err, "No key specified\n"); 543 goto opthelp; 544 } 545 if (key_param == NULL || key_param->idx != keyidx) { 546 cms_key_param *nparam; 547 nparam = app_malloc(sizeof(*nparam), "key param buffer"); 548 nparam->idx = keyidx; 549 if ((nparam->param = sk_OPENSSL_STRING_new_null()) == NULL) 550 goto end; 551 nparam->next = NULL; 552 if (key_first == NULL) 553 key_first = nparam; 554 else 555 key_param->next = nparam; 556 key_param = nparam; 557 } 558 sk_OPENSSL_STRING_push(key_param->param, opt_arg()); 559 break; 560 case OPT_V_CASES: 561 if (!opt_verify(o, vpm)) 562 goto end; 563 vpmtouched++; 564 break; 565 case OPT_R_CASES: 566 if (!opt_rand(o)) 567 goto end; 568 break; 569 case OPT_3DES_WRAP: 570 # ifndef OPENSSL_NO_DES 571 wrap_cipher = EVP_des_ede3_wrap(); 572 # endif 573 break; 574 case OPT_AES128_WRAP: 575 wrap_cipher = EVP_aes_128_wrap(); 576 break; 577 case OPT_AES192_WRAP: 578 wrap_cipher = EVP_aes_192_wrap(); 579 break; 580 case OPT_AES256_WRAP: 581 wrap_cipher = EVP_aes_256_wrap(); 582 break; 583 } 584 } 585 argc = opt_num_rest(); 586 argv = opt_rest(); 587 588 if ((rr_allorfirst != -1 || rr_from != NULL) && rr_to == NULL) { 589 BIO_puts(bio_err, "No Signed Receipts Recipients\n"); 590 goto opthelp; 591 } 592 593 if (!(operation & SMIME_SIGNERS) && (rr_to != NULL || rr_from != NULL)) { 594 BIO_puts(bio_err, "Signed receipts only allowed with -sign\n"); 595 goto opthelp; 596 } 597 if (!(operation & SMIME_SIGNERS) && (skkeys != NULL || sksigners != NULL)) { 598 BIO_puts(bio_err, "Multiple signers or keys not allowed\n"); 599 goto opthelp; 600 } 601 602 if (operation & SMIME_SIGNERS) { 603 if (keyfile != NULL && signerfile == NULL) { 604 BIO_puts(bio_err, "Illegal -inkey without -signer\n"); 605 goto opthelp; 606 } 607 /* Check to see if any final signer needs to be appended */ 608 if (signerfile != NULL) { 609 if (sksigners == NULL 610 && (sksigners = sk_OPENSSL_STRING_new_null()) == NULL) 611 goto end; 612 sk_OPENSSL_STRING_push(sksigners, signerfile); 613 if (skkeys == NULL && (skkeys = sk_OPENSSL_STRING_new_null()) == NULL) 614 goto end; 615 if (keyfile == NULL) 616 keyfile = signerfile; 617 sk_OPENSSL_STRING_push(skkeys, keyfile); 618 } 619 if (sksigners == NULL) { 620 BIO_printf(bio_err, "No signer certificate specified\n"); 621 goto opthelp; 622 } 623 signerfile = NULL; 624 keyfile = NULL; 625 } else if (operation == SMIME_DECRYPT) { 626 if (recipfile == NULL && keyfile == NULL 627 && secret_key == NULL && pwri_pass == NULL) { 628 BIO_printf(bio_err, 629 "No recipient certificate or key specified\n"); 630 goto opthelp; 631 } 632 } else if (operation == SMIME_ENCRYPT) { 633 if (*argv == NULL && secret_key == NULL 634 && pwri_pass == NULL && encerts == NULL) { 635 BIO_printf(bio_err, "No recipient(s) certificate(s) specified\n"); 636 goto opthelp; 637 } 638 } else if (!operation) { 639 BIO_printf(bio_err, "No operation option (-encrypt|-decrypt|-sign|-verify|...) specified.\n"); 640 goto opthelp; 641 } 642 643 if (!app_passwd(passinarg, NULL, &passin, NULL)) { 644 BIO_printf(bio_err, "Error getting password\n"); 645 goto end; 646 } 647 648 ret = 2; 649 650 if (!(operation & SMIME_SIGNERS)) 651 flags &= ~CMS_DETACHED; 652 653 if (!(operation & SMIME_OP)) 654 if (flags & CMS_BINARY) 655 outformat = FORMAT_BINARY; 656 657 if (!(operation & SMIME_IP)) 658 if (flags & CMS_BINARY) 659 informat = FORMAT_BINARY; 660 661 if (operation == SMIME_ENCRYPT) { 662 if (!cipher) { 663 # ifndef OPENSSL_NO_DES 664 cipher = EVP_des_ede3_cbc(); 665 # else 666 BIO_printf(bio_err, "No cipher selected\n"); 667 goto end; 668 # endif 669 } 670 671 if (secret_key && !secret_keyid) { 672 BIO_printf(bio_err, "No secret key id\n"); 673 goto end; 674 } 675 676 if (*argv && encerts == NULL) 677 if ((encerts = sk_X509_new_null()) == NULL) 678 goto end; 679 while (*argv) { 680 if ((cert = load_cert(*argv, FORMAT_PEM, 681 "recipient certificate file")) == NULL) 682 goto end; 683 sk_X509_push(encerts, cert); 684 cert = NULL; 685 argv++; 686 } 687 } 688 689 if (certfile != NULL) { 690 if (!load_certs(certfile, &other, FORMAT_PEM, NULL, 691 "certificate file")) { 692 ERR_print_errors(bio_err); 693 goto end; 694 } 695 } 696 697 if (recipfile != NULL && (operation == SMIME_DECRYPT)) { 698 if ((recip = load_cert(recipfile, FORMAT_PEM, 699 "recipient certificate file")) == NULL) { 700 ERR_print_errors(bio_err); 701 goto end; 702 } 703 } 704 705 if (operation == SMIME_SIGN_RECEIPT) { 706 if ((signer = load_cert(signerfile, FORMAT_PEM, 707 "receipt signer certificate file")) == NULL) { 708 ERR_print_errors(bio_err); 709 goto end; 710 } 711 } 712 713 if (operation == SMIME_DECRYPT) { 714 if (keyfile == NULL) 715 keyfile = recipfile; 716 } else if ((operation == SMIME_SIGN) || (operation == SMIME_SIGN_RECEIPT)) { 717 if (keyfile == NULL) 718 keyfile = signerfile; 719 } else { 720 keyfile = NULL; 721 } 722 723 if (keyfile != NULL) { 724 key = load_key(keyfile, keyform, 0, passin, e, "signing key file"); 725 if (key == NULL) 726 goto end; 727 } 728 729 in = bio_open_default(infile, 'r', informat); 730 if (in == NULL) 731 goto end; 732 733 if (operation & SMIME_IP) { 734 if (informat == FORMAT_SMIME) { 735 cms = SMIME_read_CMS(in, &indata); 736 } else if (informat == FORMAT_PEM) { 737 cms = PEM_read_bio_CMS(in, NULL, NULL, NULL); 738 } else if (informat == FORMAT_ASN1) { 739 cms = d2i_CMS_bio(in, NULL); 740 } else { 741 BIO_printf(bio_err, "Bad input format for CMS file\n"); 742 goto end; 743 } 744 745 if (cms == NULL) { 746 BIO_printf(bio_err, "Error reading S/MIME message\n"); 747 goto end; 748 } 749 if (contfile != NULL) { 750 BIO_free(indata); 751 if ((indata = BIO_new_file(contfile, "rb")) == NULL) { 752 BIO_printf(bio_err, "Can't read content file %s\n", contfile); 753 goto end; 754 } 755 } 756 if (certsoutfile != NULL) { 757 STACK_OF(X509) *allcerts; 758 allcerts = CMS_get1_certs(cms); 759 if (!save_certs(certsoutfile, allcerts)) { 760 BIO_printf(bio_err, 761 "Error writing certs to %s\n", certsoutfile); 762 ret = 5; 763 goto end; 764 } 765 sk_X509_pop_free(allcerts, X509_free); 766 } 767 } 768 769 if (rctfile != NULL) { 770 char *rctmode = (rctformat == FORMAT_ASN1) ? "rb" : "r"; 771 if ((rctin = BIO_new_file(rctfile, rctmode)) == NULL) { 772 BIO_printf(bio_err, "Can't open receipt file %s\n", rctfile); 773 goto end; 774 } 775 776 if (rctformat == FORMAT_SMIME) { 777 rcms = SMIME_read_CMS(rctin, NULL); 778 } else if (rctformat == FORMAT_PEM) { 779 rcms = PEM_read_bio_CMS(rctin, NULL, NULL, NULL); 780 } else if (rctformat == FORMAT_ASN1) { 781 rcms = d2i_CMS_bio(rctin, NULL); 782 } else { 783 BIO_printf(bio_err, "Bad input format for receipt\n"); 784 goto end; 785 } 786 787 if (rcms == NULL) { 788 BIO_printf(bio_err, "Error reading receipt\n"); 789 goto end; 790 } 791 } 792 793 out = bio_open_default(outfile, 'w', outformat); 794 if (out == NULL) 795 goto end; 796 797 if ((operation == SMIME_VERIFY) || (operation == SMIME_VERIFY_RECEIPT)) { 798 if ((store = setup_verify(CAfile, CApath, noCAfile, noCApath)) == NULL) 799 goto end; 800 X509_STORE_set_verify_cb(store, cms_cb); 801 if (vpmtouched) 802 X509_STORE_set1_param(store, vpm); 803 } 804 805 ret = 3; 806 807 if (operation == SMIME_DATA_CREATE) { 808 cms = CMS_data_create(in, flags); 809 } else if (operation == SMIME_DIGEST_CREATE) { 810 cms = CMS_digest_create(in, sign_md, flags); 811 } else if (operation == SMIME_COMPRESS) { 812 cms = CMS_compress(in, -1, flags); 813 } else if (operation == SMIME_ENCRYPT) { 814 int i; 815 flags |= CMS_PARTIAL; 816 cms = CMS_encrypt(NULL, in, cipher, flags); 817 if (cms == NULL) 818 goto end; 819 for (i = 0; i < sk_X509_num(encerts); i++) { 820 CMS_RecipientInfo *ri; 821 cms_key_param *kparam; 822 int tflags = flags; 823 X509 *x = sk_X509_value(encerts, i); 824 for (kparam = key_first; kparam; kparam = kparam->next) { 825 if (kparam->idx == i) { 826 tflags |= CMS_KEY_PARAM; 827 break; 828 } 829 } 830 ri = CMS_add1_recipient_cert(cms, x, tflags); 831 if (ri == NULL) 832 goto end; 833 if (kparam != NULL) { 834 EVP_PKEY_CTX *pctx; 835 pctx = CMS_RecipientInfo_get0_pkey_ctx(ri); 836 if (!cms_set_pkey_param(pctx, kparam->param)) 837 goto end; 838 } 839 if (CMS_RecipientInfo_type(ri) == CMS_RECIPINFO_AGREE 840 && wrap_cipher) { 841 EVP_CIPHER_CTX *wctx; 842 wctx = CMS_RecipientInfo_kari_get0_ctx(ri); 843 EVP_EncryptInit_ex(wctx, wrap_cipher, NULL, NULL, NULL); 844 } 845 } 846 847 if (secret_key != NULL) { 848 if (!CMS_add0_recipient_key(cms, NID_undef, 849 secret_key, secret_keylen, 850 secret_keyid, secret_keyidlen, 851 NULL, NULL, NULL)) 852 goto end; 853 /* NULL these because call absorbs them */ 854 secret_key = NULL; 855 secret_keyid = NULL; 856 } 857 if (pwri_pass != NULL) { 858 pwri_tmp = (unsigned char *)OPENSSL_strdup((char *)pwri_pass); 859 if (pwri_tmp == NULL) 860 goto end; 861 if (CMS_add0_recipient_password(cms, 862 -1, NID_undef, NID_undef, 863 pwri_tmp, -1, NULL) == NULL) 864 goto end; 865 pwri_tmp = NULL; 866 } 867 if (!(flags & CMS_STREAM)) { 868 if (!CMS_final(cms, in, NULL, flags)) 869 goto end; 870 } 871 } else if (operation == SMIME_ENCRYPTED_ENCRYPT) { 872 cms = CMS_EncryptedData_encrypt(in, cipher, 873 secret_key, secret_keylen, flags); 874 875 } else if (operation == SMIME_SIGN_RECEIPT) { 876 CMS_ContentInfo *srcms = NULL; 877 STACK_OF(CMS_SignerInfo) *sis; 878 CMS_SignerInfo *si; 879 sis = CMS_get0_SignerInfos(cms); 880 if (sis == NULL) 881 goto end; 882 si = sk_CMS_SignerInfo_value(sis, 0); 883 srcms = CMS_sign_receipt(si, signer, key, other, flags); 884 if (srcms == NULL) 885 goto end; 886 CMS_ContentInfo_free(cms); 887 cms = srcms; 888 } else if (operation & SMIME_SIGNERS) { 889 int i; 890 /* 891 * If detached data content we enable streaming if S/MIME output 892 * format. 893 */ 894 if (operation == SMIME_SIGN) { 895 896 if (flags & CMS_DETACHED) { 897 if (outformat == FORMAT_SMIME) 898 flags |= CMS_STREAM; 899 } 900 flags |= CMS_PARTIAL; 901 cms = CMS_sign(NULL, NULL, other, in, flags); 902 if (cms == NULL) 903 goto end; 904 if (econtent_type != NULL) 905 CMS_set1_eContentType(cms, econtent_type); 906 907 if (rr_to != NULL) { 908 rr = make_receipt_request(rr_to, rr_allorfirst, rr_from); 909 if (rr == NULL) { 910 BIO_puts(bio_err, 911 "Signed Receipt Request Creation Error\n"); 912 goto end; 913 } 914 } 915 } else { 916 flags |= CMS_REUSE_DIGEST; 917 } 918 for (i = 0; i < sk_OPENSSL_STRING_num(sksigners); i++) { 919 CMS_SignerInfo *si; 920 cms_key_param *kparam; 921 int tflags = flags; 922 signerfile = sk_OPENSSL_STRING_value(sksigners, i); 923 keyfile = sk_OPENSSL_STRING_value(skkeys, i); 924 925 signer = load_cert(signerfile, FORMAT_PEM, "signer certificate"); 926 if (signer == NULL) { 927 ret = 2; 928 goto end; 929 } 930 key = load_key(keyfile, keyform, 0, passin, e, "signing key file"); 931 if (key == NULL) { 932 ret = 2; 933 goto end; 934 } 935 for (kparam = key_first; kparam; kparam = kparam->next) { 936 if (kparam->idx == i) { 937 tflags |= CMS_KEY_PARAM; 938 break; 939 } 940 } 941 si = CMS_add1_signer(cms, signer, key, sign_md, tflags); 942 if (si == NULL) 943 goto end; 944 if (kparam != NULL) { 945 EVP_PKEY_CTX *pctx; 946 pctx = CMS_SignerInfo_get0_pkey_ctx(si); 947 if (!cms_set_pkey_param(pctx, kparam->param)) 948 goto end; 949 } 950 if (rr != NULL && !CMS_add1_ReceiptRequest(si, rr)) 951 goto end; 952 X509_free(signer); 953 signer = NULL; 954 EVP_PKEY_free(key); 955 key = NULL; 956 } 957 /* If not streaming or resigning finalize structure */ 958 if ((operation == SMIME_SIGN) && !(flags & CMS_STREAM)) { 959 if (!CMS_final(cms, in, NULL, flags)) 960 goto end; 961 } 962 } 963 964 if (cms == NULL) { 965 BIO_printf(bio_err, "Error creating CMS structure\n"); 966 goto end; 967 } 968 969 ret = 4; 970 if (operation == SMIME_DECRYPT) { 971 if (flags & CMS_DEBUG_DECRYPT) 972 CMS_decrypt(cms, NULL, NULL, NULL, NULL, flags); 973 974 if (secret_key != NULL) { 975 if (!CMS_decrypt_set1_key(cms, 976 secret_key, secret_keylen, 977 secret_keyid, secret_keyidlen)) { 978 BIO_puts(bio_err, "Error decrypting CMS using secret key\n"); 979 goto end; 980 } 981 } 982 983 if (key != NULL) { 984 if (!CMS_decrypt_set1_pkey(cms, key, recip)) { 985 BIO_puts(bio_err, "Error decrypting CMS using private key\n"); 986 goto end; 987 } 988 } 989 990 if (pwri_pass != NULL) { 991 if (!CMS_decrypt_set1_password(cms, pwri_pass, -1)) { 992 BIO_puts(bio_err, "Error decrypting CMS using password\n"); 993 goto end; 994 } 995 } 996 997 if (!CMS_decrypt(cms, NULL, NULL, indata, out, flags)) { 998 BIO_printf(bio_err, "Error decrypting CMS structure\n"); 999 goto end; 1000 } 1001 } else if (operation == SMIME_DATAOUT) { 1002 if (!CMS_data(cms, out, flags)) 1003 goto end; 1004 } else if (operation == SMIME_UNCOMPRESS) { 1005 if (!CMS_uncompress(cms, indata, out, flags)) 1006 goto end; 1007 } else if (operation == SMIME_DIGEST_VERIFY) { 1008 if (CMS_digest_verify(cms, indata, out, flags) > 0) { 1009 BIO_printf(bio_err, "Verification successful\n"); 1010 } else { 1011 BIO_printf(bio_err, "Verification failure\n"); 1012 goto end; 1013 } 1014 } else if (operation == SMIME_ENCRYPTED_DECRYPT) { 1015 if (!CMS_EncryptedData_decrypt(cms, secret_key, secret_keylen, 1016 indata, out, flags)) 1017 goto end; 1018 } else if (operation == SMIME_VERIFY) { 1019 if (CMS_verify(cms, other, store, indata, out, flags) > 0) { 1020 BIO_printf(bio_err, "Verification successful\n"); 1021 } else { 1022 BIO_printf(bio_err, "Verification failure\n"); 1023 if (verify_retcode) 1024 ret = verify_err + 32; 1025 goto end; 1026 } 1027 if (signerfile != NULL) { 1028 STACK_OF(X509) *signers; 1029 signers = CMS_get0_signers(cms); 1030 if (!save_certs(signerfile, signers)) { 1031 BIO_printf(bio_err, 1032 "Error writing signers to %s\n", signerfile); 1033 ret = 5; 1034 goto end; 1035 } 1036 sk_X509_free(signers); 1037 } 1038 if (rr_print) 1039 receipt_request_print(cms); 1040 1041 } else if (operation == SMIME_VERIFY_RECEIPT) { 1042 if (CMS_verify_receipt(rcms, cms, other, store, flags) > 0) { 1043 BIO_printf(bio_err, "Verification successful\n"); 1044 } else { 1045 BIO_printf(bio_err, "Verification failure\n"); 1046 goto end; 1047 } 1048 } else { 1049 if (noout) { 1050 if (print) 1051 CMS_ContentInfo_print_ctx(out, cms, 0, NULL); 1052 } else if (outformat == FORMAT_SMIME) { 1053 if (to) 1054 BIO_printf(out, "To: %s%s", to, mime_eol); 1055 if (from) 1056 BIO_printf(out, "From: %s%s", from, mime_eol); 1057 if (subject) 1058 BIO_printf(out, "Subject: %s%s", subject, mime_eol); 1059 if (operation == SMIME_RESIGN) 1060 ret = SMIME_write_CMS(out, cms, indata, flags); 1061 else 1062 ret = SMIME_write_CMS(out, cms, in, flags); 1063 } else if (outformat == FORMAT_PEM) { 1064 ret = PEM_write_bio_CMS_stream(out, cms, in, flags); 1065 } else if (outformat == FORMAT_ASN1) { 1066 ret = i2d_CMS_bio_stream(out, cms, in, flags); 1067 } else { 1068 BIO_printf(bio_err, "Bad output format for CMS file\n"); 1069 goto end; 1070 } 1071 if (ret <= 0) { 1072 ret = 6; 1073 goto end; 1074 } 1075 } 1076 ret = 0; 1077 end: 1078 if (ret) 1079 ERR_print_errors(bio_err); 1080 sk_X509_pop_free(encerts, X509_free); 1081 sk_X509_pop_free(other, X509_free); 1082 X509_VERIFY_PARAM_free(vpm); 1083 sk_OPENSSL_STRING_free(sksigners); 1084 sk_OPENSSL_STRING_free(skkeys); 1085 OPENSSL_free(secret_key); 1086 OPENSSL_free(secret_keyid); 1087 OPENSSL_free(pwri_tmp); 1088 ASN1_OBJECT_free(econtent_type); 1089 CMS_ReceiptRequest_free(rr); 1090 sk_OPENSSL_STRING_free(rr_to); 1091 sk_OPENSSL_STRING_free(rr_from); 1092 for (key_param = key_first; key_param;) { 1093 cms_key_param *tparam; 1094 sk_OPENSSL_STRING_free(key_param->param); 1095 tparam = key_param->next; 1096 OPENSSL_free(key_param); 1097 key_param = tparam; 1098 } 1099 X509_STORE_free(store); 1100 X509_free(cert); 1101 X509_free(recip); 1102 X509_free(signer); 1103 EVP_PKEY_free(key); 1104 CMS_ContentInfo_free(cms); 1105 CMS_ContentInfo_free(rcms); 1106 release_engine(e); 1107 BIO_free(rctin); 1108 BIO_free(in); 1109 BIO_free(indata); 1110 BIO_free_all(out); 1111 OPENSSL_free(passin); 1112 return ret; 1113 } 1114 1115 static int save_certs(char *signerfile, STACK_OF(X509) *signers) 1116 { 1117 int i; 1118 BIO *tmp; 1119 if (signerfile == NULL) 1120 return 1; 1121 tmp = BIO_new_file(signerfile, "w"); 1122 if (tmp == NULL) 1123 return 0; 1124 for (i = 0; i < sk_X509_num(signers); i++) 1125 PEM_write_bio_X509(tmp, sk_X509_value(signers, i)); 1126 BIO_free(tmp); 1127 return 1; 1128 } 1129 1130 /* Minimal callback just to output policy info (if any) */ 1131 1132 static int cms_cb(int ok, X509_STORE_CTX *ctx) 1133 { 1134 int error; 1135 1136 error = X509_STORE_CTX_get_error(ctx); 1137 1138 verify_err = error; 1139 1140 if ((error != X509_V_ERR_NO_EXPLICIT_POLICY) 1141 && ((error != X509_V_OK) || (ok != 2))) 1142 return ok; 1143 1144 policies_print(ctx); 1145 1146 return ok; 1147 1148 } 1149 1150 static void gnames_stack_print(STACK_OF(GENERAL_NAMES) *gns) 1151 { 1152 STACK_OF(GENERAL_NAME) *gens; 1153 GENERAL_NAME *gen; 1154 int i, j; 1155 1156 for (i = 0; i < sk_GENERAL_NAMES_num(gns); i++) { 1157 gens = sk_GENERAL_NAMES_value(gns, i); 1158 for (j = 0; j < sk_GENERAL_NAME_num(gens); j++) { 1159 gen = sk_GENERAL_NAME_value(gens, j); 1160 BIO_puts(bio_err, " "); 1161 GENERAL_NAME_print(bio_err, gen); 1162 BIO_puts(bio_err, "\n"); 1163 } 1164 } 1165 return; 1166 } 1167 1168 static void receipt_request_print(CMS_ContentInfo *cms) 1169 { 1170 STACK_OF(CMS_SignerInfo) *sis; 1171 CMS_SignerInfo *si; 1172 CMS_ReceiptRequest *rr; 1173 int allorfirst; 1174 STACK_OF(GENERAL_NAMES) *rto, *rlist; 1175 ASN1_STRING *scid; 1176 int i, rv; 1177 sis = CMS_get0_SignerInfos(cms); 1178 for (i = 0; i < sk_CMS_SignerInfo_num(sis); i++) { 1179 si = sk_CMS_SignerInfo_value(sis, i); 1180 rv = CMS_get1_ReceiptRequest(si, &rr); 1181 BIO_printf(bio_err, "Signer %d:\n", i + 1); 1182 if (rv == 0) { 1183 BIO_puts(bio_err, " No Receipt Request\n"); 1184 } else if (rv < 0) { 1185 BIO_puts(bio_err, " Receipt Request Parse Error\n"); 1186 ERR_print_errors(bio_err); 1187 } else { 1188 const char *id; 1189 int idlen; 1190 CMS_ReceiptRequest_get0_values(rr, &scid, &allorfirst, 1191 &rlist, &rto); 1192 BIO_puts(bio_err, " Signed Content ID:\n"); 1193 idlen = ASN1_STRING_length(scid); 1194 id = (const char *)ASN1_STRING_get0_data(scid); 1195 BIO_dump_indent(bio_err, id, idlen, 4); 1196 BIO_puts(bio_err, " Receipts From"); 1197 if (rlist != NULL) { 1198 BIO_puts(bio_err, " List:\n"); 1199 gnames_stack_print(rlist); 1200 } else if (allorfirst == 1) { 1201 BIO_puts(bio_err, ": First Tier\n"); 1202 } else if (allorfirst == 0) { 1203 BIO_puts(bio_err, ": All\n"); 1204 } else { 1205 BIO_printf(bio_err, " Unknown (%d)\n", allorfirst); 1206 } 1207 BIO_puts(bio_err, " Receipts To:\n"); 1208 gnames_stack_print(rto); 1209 } 1210 CMS_ReceiptRequest_free(rr); 1211 } 1212 } 1213 1214 static STACK_OF(GENERAL_NAMES) *make_names_stack(STACK_OF(OPENSSL_STRING) *ns) 1215 { 1216 int i; 1217 STACK_OF(GENERAL_NAMES) *ret; 1218 GENERAL_NAMES *gens = NULL; 1219 GENERAL_NAME *gen = NULL; 1220 ret = sk_GENERAL_NAMES_new_null(); 1221 if (ret == NULL) 1222 goto err; 1223 for (i = 0; i < sk_OPENSSL_STRING_num(ns); i++) { 1224 char *str = sk_OPENSSL_STRING_value(ns, i); 1225 gen = a2i_GENERAL_NAME(NULL, NULL, NULL, GEN_EMAIL, str, 0); 1226 if (gen == NULL) 1227 goto err; 1228 gens = GENERAL_NAMES_new(); 1229 if (gens == NULL) 1230 goto err; 1231 if (!sk_GENERAL_NAME_push(gens, gen)) 1232 goto err; 1233 gen = NULL; 1234 if (!sk_GENERAL_NAMES_push(ret, gens)) 1235 goto err; 1236 gens = NULL; 1237 } 1238 1239 return ret; 1240 1241 err: 1242 sk_GENERAL_NAMES_pop_free(ret, GENERAL_NAMES_free); 1243 GENERAL_NAMES_free(gens); 1244 GENERAL_NAME_free(gen); 1245 return NULL; 1246 } 1247 1248 static CMS_ReceiptRequest *make_receipt_request(STACK_OF(OPENSSL_STRING) 1249 *rr_to, int rr_allorfirst, STACK_OF(OPENSSL_STRING) 1250 *rr_from) 1251 { 1252 STACK_OF(GENERAL_NAMES) *rct_to = NULL, *rct_from = NULL; 1253 CMS_ReceiptRequest *rr; 1254 rct_to = make_names_stack(rr_to); 1255 if (rct_to == NULL) 1256 goto err; 1257 if (rr_from != NULL) { 1258 rct_from = make_names_stack(rr_from); 1259 if (rct_from == NULL) 1260 goto err; 1261 } else { 1262 rct_from = NULL; 1263 } 1264 rr = CMS_ReceiptRequest_create0(NULL, -1, rr_allorfirst, rct_from, 1265 rct_to); 1266 return rr; 1267 err: 1268 sk_GENERAL_NAMES_pop_free(rct_to, GENERAL_NAMES_free); 1269 return NULL; 1270 } 1271 1272 static int cms_set_pkey_param(EVP_PKEY_CTX *pctx, 1273 STACK_OF(OPENSSL_STRING) *param) 1274 { 1275 char *keyopt; 1276 int i; 1277 if (sk_OPENSSL_STRING_num(param) <= 0) 1278 return 1; 1279 for (i = 0; i < sk_OPENSSL_STRING_num(param); i++) { 1280 keyopt = sk_OPENSSL_STRING_value(param, i); 1281 if (pkey_ctrl_string(pctx, keyopt) <= 0) { 1282 BIO_printf(bio_err, "parameter error \"%s\"\n", keyopt); 1283 ERR_print_errors(bio_err); 1284 return 0; 1285 } 1286 } 1287 return 1; 1288 } 1289 1290 #endif 1291