1 /* 2 * Copyright 2008-2018 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the OpenSSL license (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10 /* CMS utility function */ 11 12 #include <stdio.h> 13 #include <string.h> 14 #include "apps.h" 15 #include "progs.h" 16 17 #ifndef OPENSSL_NO_CMS 18 19 # include <openssl/crypto.h> 20 # include <openssl/pem.h> 21 # include <openssl/err.h> 22 # include <openssl/x509_vfy.h> 23 # include <openssl/x509v3.h> 24 # include <openssl/cms.h> 25 26 static int save_certs(char *signerfile, STACK_OF(X509) *signers); 27 static int cms_cb(int ok, X509_STORE_CTX *ctx); 28 static void receipt_request_print(CMS_ContentInfo *cms); 29 static CMS_ReceiptRequest *make_receipt_request(STACK_OF(OPENSSL_STRING) 30 *rr_to, int rr_allorfirst, STACK_OF(OPENSSL_STRING) 31 *rr_from); 32 static int cms_set_pkey_param(EVP_PKEY_CTX *pctx, 33 STACK_OF(OPENSSL_STRING) *param); 34 35 # define SMIME_OP 0x10 36 # define SMIME_IP 0x20 37 # define SMIME_SIGNERS 0x40 38 # define SMIME_ENCRYPT (1 | SMIME_OP) 39 # define SMIME_DECRYPT (2 | SMIME_IP) 40 # define SMIME_SIGN (3 | SMIME_OP | SMIME_SIGNERS) 41 # define SMIME_VERIFY (4 | SMIME_IP) 42 # define SMIME_CMSOUT (5 | SMIME_IP | SMIME_OP) 43 # define SMIME_RESIGN (6 | SMIME_IP | SMIME_OP | SMIME_SIGNERS) 44 # define SMIME_DATAOUT (7 | SMIME_IP) 45 # define SMIME_DATA_CREATE (8 | SMIME_OP) 46 # define SMIME_DIGEST_VERIFY (9 | SMIME_IP) 47 # define SMIME_DIGEST_CREATE (10 | SMIME_OP) 48 # define SMIME_UNCOMPRESS (11 | SMIME_IP) 49 # define SMIME_COMPRESS (12 | SMIME_OP) 50 # define SMIME_ENCRYPTED_DECRYPT (13 | SMIME_IP) 51 # define SMIME_ENCRYPTED_ENCRYPT (14 | SMIME_OP) 52 # define SMIME_SIGN_RECEIPT (15 | SMIME_IP | SMIME_OP) 53 # define SMIME_VERIFY_RECEIPT (16 | SMIME_IP) 54 55 static int verify_err = 0; 56 57 typedef struct cms_key_param_st cms_key_param; 58 59 struct cms_key_param_st { 60 int idx; 61 STACK_OF(OPENSSL_STRING) *param; 62 cms_key_param *next; 63 }; 64 65 typedef enum OPTION_choice { 66 OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, 67 OPT_INFORM, OPT_OUTFORM, OPT_IN, OPT_OUT, OPT_ENCRYPT, 68 OPT_DECRYPT, OPT_SIGN, OPT_SIGN_RECEIPT, OPT_RESIGN, 69 OPT_VERIFY, OPT_VERIFY_RETCODE, OPT_VERIFY_RECEIPT, 70 OPT_CMSOUT, OPT_DATA_OUT, OPT_DATA_CREATE, OPT_DIGEST_VERIFY, 71 OPT_DIGEST_CREATE, OPT_COMPRESS, OPT_UNCOMPRESS, 72 OPT_ED_DECRYPT, OPT_ED_ENCRYPT, OPT_DEBUG_DECRYPT, OPT_TEXT, 73 OPT_ASCIICRLF, OPT_NOINTERN, OPT_NOVERIFY, OPT_NOCERTS, 74 OPT_NOATTR, OPT_NODETACH, OPT_NOSMIMECAP, OPT_BINARY, OPT_KEYID, 75 OPT_NOSIGS, OPT_NO_CONTENT_VERIFY, OPT_NO_ATTR_VERIFY, OPT_INDEF, 76 OPT_NOINDEF, OPT_CRLFEOL, OPT_NOOUT, OPT_RR_PRINT, 77 OPT_RR_ALL, OPT_RR_FIRST, OPT_RCTFORM, OPT_CERTFILE, OPT_CAFILE, 78 OPT_CAPATH, OPT_NOCAPATH, OPT_NOCAFILE,OPT_CONTENT, OPT_PRINT, 79 OPT_SECRETKEY, OPT_SECRETKEYID, OPT_PWRI_PASSWORD, OPT_ECONTENT_TYPE, 80 OPT_PASSIN, OPT_TO, OPT_FROM, OPT_SUBJECT, OPT_SIGNER, OPT_RECIP, 81 OPT_CERTSOUT, OPT_MD, OPT_INKEY, OPT_KEYFORM, OPT_KEYOPT, OPT_RR_FROM, 82 OPT_RR_TO, OPT_AES128_WRAP, OPT_AES192_WRAP, OPT_AES256_WRAP, 83 OPT_3DES_WRAP, OPT_ENGINE, 84 OPT_R_ENUM, 85 OPT_V_ENUM, 86 OPT_CIPHER 87 } OPTION_CHOICE; 88 89 const OPTIONS cms_options[] = { 90 {OPT_HELP_STR, 1, '-', "Usage: %s [options] cert.pem...\n"}, 91 {OPT_HELP_STR, 1, '-', 92 " cert.pem... recipient certs for encryption\n"}, 93 {OPT_HELP_STR, 1, '-', "Valid options are:\n"}, 94 {"help", OPT_HELP, '-', "Display this summary"}, 95 {"inform", OPT_INFORM, 'c', "Input format SMIME (default), PEM or DER"}, 96 {"outform", OPT_OUTFORM, 'c', 97 "Output format SMIME (default), PEM or DER"}, 98 {"in", OPT_IN, '<', "Input file"}, 99 {"out", OPT_OUT, '>', "Output file"}, 100 {"encrypt", OPT_ENCRYPT, '-', "Encrypt message"}, 101 {"decrypt", OPT_DECRYPT, '-', "Decrypt encrypted message"}, 102 {"sign", OPT_SIGN, '-', "Sign message"}, 103 {"sign_receipt", OPT_SIGN_RECEIPT, '-', "Generate a signed receipt for the message"}, 104 {"resign", OPT_RESIGN, '-', "Resign a signed message"}, 105 {"verify", OPT_VERIFY, '-', "Verify signed message"}, 106 {"verify_retcode", OPT_VERIFY_RETCODE, '-'}, 107 {"verify_receipt", OPT_VERIFY_RECEIPT, '<'}, 108 {"cmsout", OPT_CMSOUT, '-', "Output CMS structure"}, 109 {"data_out", OPT_DATA_OUT, '-'}, 110 {"data_create", OPT_DATA_CREATE, '-'}, 111 {"digest_verify", OPT_DIGEST_VERIFY, '-'}, 112 {"digest_create", OPT_DIGEST_CREATE, '-'}, 113 {"compress", OPT_COMPRESS, '-'}, 114 {"uncompress", OPT_UNCOMPRESS, '-'}, 115 {"EncryptedData_decrypt", OPT_ED_DECRYPT, '-'}, 116 {"EncryptedData_encrypt", OPT_ED_ENCRYPT, '-'}, 117 {"debug_decrypt", OPT_DEBUG_DECRYPT, '-'}, 118 {"text", OPT_TEXT, '-', "Include or delete text MIME headers"}, 119 {"asciicrlf", OPT_ASCIICRLF, '-'}, 120 {"nointern", OPT_NOINTERN, '-', 121 "Don't search certificates in message for signer"}, 122 {"noverify", OPT_NOVERIFY, '-', "Don't verify signers certificate"}, 123 {"nocerts", OPT_NOCERTS, '-', 124 "Don't include signers certificate when signing"}, 125 {"noattr", OPT_NOATTR, '-', "Don't include any signed attributes"}, 126 {"nodetach", OPT_NODETACH, '-', "Use opaque signing"}, 127 {"nosmimecap", OPT_NOSMIMECAP, '-', "Omit the SMIMECapabilities attribute"}, 128 {"binary", OPT_BINARY, '-', "Don't translate message to text"}, 129 {"keyid", OPT_KEYID, '-', "Use subject key identifier"}, 130 {"nosigs", OPT_NOSIGS, '-', "Don't verify message signature"}, 131 {"no_content_verify", OPT_NO_CONTENT_VERIFY, '-'}, 132 {"no_attr_verify", OPT_NO_ATTR_VERIFY, '-'}, 133 {"stream", OPT_INDEF, '-', "Enable CMS streaming"}, 134 {"indef", OPT_INDEF, '-', "Same as -stream"}, 135 {"noindef", OPT_NOINDEF, '-', "Disable CMS streaming"}, 136 {"crlfeol", OPT_CRLFEOL, '-', "Use CRLF as EOL termination instead of CR only" }, 137 {"noout", OPT_NOOUT, '-', "For the -cmsout operation do not output the parsed CMS structure"}, 138 {"receipt_request_print", OPT_RR_PRINT, '-', "Print CMS Receipt Request" }, 139 {"receipt_request_all", OPT_RR_ALL, '-'}, 140 {"receipt_request_first", OPT_RR_FIRST, '-'}, 141 {"rctform", OPT_RCTFORM, 'F', "Receipt file format"}, 142 {"certfile", OPT_CERTFILE, '<', "Other certificates file"}, 143 {"CAfile", OPT_CAFILE, '<', "Trusted certificates file"}, 144 {"CApath", OPT_CAPATH, '/', "trusted certificates directory"}, 145 {"no-CAfile", OPT_NOCAFILE, '-', 146 "Do not load the default certificates file"}, 147 {"no-CApath", OPT_NOCAPATH, '-', 148 "Do not load certificates from the default certificates directory"}, 149 {"content", OPT_CONTENT, '<', 150 "Supply or override content for detached signature"}, 151 {"print", OPT_PRINT, '-', 152 "For the -cmsout operation print out all fields of the CMS structure"}, 153 {"secretkey", OPT_SECRETKEY, 's'}, 154 {"secretkeyid", OPT_SECRETKEYID, 's'}, 155 {"pwri_password", OPT_PWRI_PASSWORD, 's'}, 156 {"econtent_type", OPT_ECONTENT_TYPE, 's'}, 157 {"passin", OPT_PASSIN, 's', "Input file pass phrase source"}, 158 {"to", OPT_TO, 's', "To address"}, 159 {"from", OPT_FROM, 's', "From address"}, 160 {"subject", OPT_SUBJECT, 's', "Subject"}, 161 {"signer", OPT_SIGNER, 's', "Signer certificate file"}, 162 {"recip", OPT_RECIP, '<', "Recipient cert file for decryption"}, 163 {"certsout", OPT_CERTSOUT, '>', "Certificate output file"}, 164 {"md", OPT_MD, 's', "Digest algorithm to use when signing or resigning"}, 165 {"inkey", OPT_INKEY, 's', 166 "Input private key (if not signer or recipient)"}, 167 {"keyform", OPT_KEYFORM, 'f', "Input private key format (PEM or ENGINE)"}, 168 {"keyopt", OPT_KEYOPT, 's', "Set public key parameters as n:v pairs"}, 169 {"receipt_request_from", OPT_RR_FROM, 's'}, 170 {"receipt_request_to", OPT_RR_TO, 's'}, 171 {"", OPT_CIPHER, '-', "Any supported cipher"}, 172 OPT_R_OPTIONS, 173 OPT_V_OPTIONS, 174 {"aes128-wrap", OPT_AES128_WRAP, '-', "Use AES128 to wrap key"}, 175 {"aes192-wrap", OPT_AES192_WRAP, '-', "Use AES192 to wrap key"}, 176 {"aes256-wrap", OPT_AES256_WRAP, '-', "Use AES256 to wrap key"}, 177 # ifndef OPENSSL_NO_DES 178 {"des3-wrap", OPT_3DES_WRAP, '-', "Use 3DES-EDE to wrap key"}, 179 # endif 180 # ifndef OPENSSL_NO_ENGINE 181 {"engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device"}, 182 # endif 183 {NULL} 184 }; 185 186 int cms_main(int argc, char **argv) 187 { 188 ASN1_OBJECT *econtent_type = NULL; 189 BIO *in = NULL, *out = NULL, *indata = NULL, *rctin = NULL; 190 CMS_ContentInfo *cms = NULL, *rcms = NULL; 191 CMS_ReceiptRequest *rr = NULL; 192 ENGINE *e = NULL; 193 EVP_PKEY *key = NULL; 194 const EVP_CIPHER *cipher = NULL, *wrap_cipher = NULL; 195 const EVP_MD *sign_md = NULL; 196 STACK_OF(OPENSSL_STRING) *rr_to = NULL, *rr_from = NULL; 197 STACK_OF(OPENSSL_STRING) *sksigners = NULL, *skkeys = NULL; 198 STACK_OF(X509) *encerts = NULL, *other = NULL; 199 X509 *cert = NULL, *recip = NULL, *signer = NULL; 200 X509_STORE *store = NULL; 201 X509_VERIFY_PARAM *vpm = NULL; 202 char *certfile = NULL, *keyfile = NULL, *contfile = NULL; 203 const char *CAfile = NULL, *CApath = NULL; 204 char *certsoutfile = NULL; 205 int noCAfile = 0, noCApath = 0; 206 char *infile = NULL, *outfile = NULL, *rctfile = NULL; 207 char *passinarg = NULL, *passin = NULL, *signerfile = NULL, *recipfile = NULL; 208 char *to = NULL, *from = NULL, *subject = NULL, *prog; 209 cms_key_param *key_first = NULL, *key_param = NULL; 210 int flags = CMS_DETACHED, noout = 0, print = 0, keyidx = -1, vpmtouched = 0; 211 int informat = FORMAT_SMIME, outformat = FORMAT_SMIME; 212 int operation = 0, ret = 1, rr_print = 0, rr_allorfirst = -1; 213 int verify_retcode = 0, rctformat = FORMAT_SMIME, keyform = FORMAT_PEM; 214 size_t secret_keylen = 0, secret_keyidlen = 0; 215 unsigned char *pwri_pass = NULL, *pwri_tmp = NULL; 216 unsigned char *secret_key = NULL, *secret_keyid = NULL; 217 long ltmp; 218 const char *mime_eol = "\n"; 219 OPTION_CHOICE o; 220 221 if ((vpm = X509_VERIFY_PARAM_new()) == NULL) 222 return 1; 223 224 prog = opt_init(argc, argv, cms_options); 225 while ((o = opt_next()) != OPT_EOF) { 226 switch (o) { 227 case OPT_EOF: 228 case OPT_ERR: 229 opthelp: 230 BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); 231 goto end; 232 case OPT_HELP: 233 opt_help(cms_options); 234 ret = 0; 235 goto end; 236 case OPT_INFORM: 237 if (!opt_format(opt_arg(), OPT_FMT_PDS, &informat)) 238 goto opthelp; 239 break; 240 case OPT_OUTFORM: 241 if (!opt_format(opt_arg(), OPT_FMT_PDS, &outformat)) 242 goto opthelp; 243 break; 244 case OPT_OUT: 245 outfile = opt_arg(); 246 break; 247 case OPT_ENCRYPT: 248 operation = SMIME_ENCRYPT; 249 break; 250 case OPT_DECRYPT: 251 operation = SMIME_DECRYPT; 252 break; 253 case OPT_SIGN: 254 operation = SMIME_SIGN; 255 break; 256 case OPT_SIGN_RECEIPT: 257 operation = SMIME_SIGN_RECEIPT; 258 break; 259 case OPT_RESIGN: 260 operation = SMIME_RESIGN; 261 break; 262 case OPT_VERIFY: 263 operation = SMIME_VERIFY; 264 break; 265 case OPT_VERIFY_RETCODE: 266 verify_retcode = 1; 267 break; 268 case OPT_VERIFY_RECEIPT: 269 operation = SMIME_VERIFY_RECEIPT; 270 rctfile = opt_arg(); 271 break; 272 case OPT_CMSOUT: 273 operation = SMIME_CMSOUT; 274 break; 275 case OPT_DATA_OUT: 276 operation = SMIME_DATAOUT; 277 break; 278 case OPT_DATA_CREATE: 279 operation = SMIME_DATA_CREATE; 280 break; 281 case OPT_DIGEST_VERIFY: 282 operation = SMIME_DIGEST_VERIFY; 283 break; 284 case OPT_DIGEST_CREATE: 285 operation = SMIME_DIGEST_CREATE; 286 break; 287 case OPT_COMPRESS: 288 operation = SMIME_COMPRESS; 289 break; 290 case OPT_UNCOMPRESS: 291 operation = SMIME_UNCOMPRESS; 292 break; 293 case OPT_ED_DECRYPT: 294 operation = SMIME_ENCRYPTED_DECRYPT; 295 break; 296 case OPT_ED_ENCRYPT: 297 operation = SMIME_ENCRYPTED_ENCRYPT; 298 break; 299 case OPT_DEBUG_DECRYPT: 300 flags |= CMS_DEBUG_DECRYPT; 301 break; 302 case OPT_TEXT: 303 flags |= CMS_TEXT; 304 break; 305 case OPT_ASCIICRLF: 306 flags |= CMS_ASCIICRLF; 307 break; 308 case OPT_NOINTERN: 309 flags |= CMS_NOINTERN; 310 break; 311 case OPT_NOVERIFY: 312 flags |= CMS_NO_SIGNER_CERT_VERIFY; 313 break; 314 case OPT_NOCERTS: 315 flags |= CMS_NOCERTS; 316 break; 317 case OPT_NOATTR: 318 flags |= CMS_NOATTR; 319 break; 320 case OPT_NODETACH: 321 flags &= ~CMS_DETACHED; 322 break; 323 case OPT_NOSMIMECAP: 324 flags |= CMS_NOSMIMECAP; 325 break; 326 case OPT_BINARY: 327 flags |= CMS_BINARY; 328 break; 329 case OPT_KEYID: 330 flags |= CMS_USE_KEYID; 331 break; 332 case OPT_NOSIGS: 333 flags |= CMS_NOSIGS; 334 break; 335 case OPT_NO_CONTENT_VERIFY: 336 flags |= CMS_NO_CONTENT_VERIFY; 337 break; 338 case OPT_NO_ATTR_VERIFY: 339 flags |= CMS_NO_ATTR_VERIFY; 340 break; 341 case OPT_INDEF: 342 flags |= CMS_STREAM; 343 break; 344 case OPT_NOINDEF: 345 flags &= ~CMS_STREAM; 346 break; 347 case OPT_CRLFEOL: 348 mime_eol = "\r\n"; 349 flags |= CMS_CRLFEOL; 350 break; 351 case OPT_NOOUT: 352 noout = 1; 353 break; 354 case OPT_RR_PRINT: 355 rr_print = 1; 356 break; 357 case OPT_RR_ALL: 358 rr_allorfirst = 0; 359 break; 360 case OPT_RR_FIRST: 361 rr_allorfirst = 1; 362 break; 363 case OPT_RCTFORM: 364 if (rctformat == FORMAT_SMIME) 365 rcms = SMIME_read_CMS(rctin, NULL); 366 else if (rctformat == FORMAT_PEM) 367 rcms = PEM_read_bio_CMS(rctin, NULL, NULL, NULL); 368 else if (rctformat == FORMAT_ASN1) 369 if (!opt_format(opt_arg(), 370 OPT_FMT_PEMDER | OPT_FMT_SMIME, &rctformat)) 371 goto opthelp; 372 break; 373 case OPT_CERTFILE: 374 certfile = opt_arg(); 375 break; 376 case OPT_CAFILE: 377 CAfile = opt_arg(); 378 break; 379 case OPT_CAPATH: 380 CApath = opt_arg(); 381 break; 382 case OPT_NOCAFILE: 383 noCAfile = 1; 384 break; 385 case OPT_NOCAPATH: 386 noCApath = 1; 387 break; 388 case OPT_IN: 389 infile = opt_arg(); 390 break; 391 case OPT_CONTENT: 392 contfile = opt_arg(); 393 break; 394 case OPT_RR_FROM: 395 if (rr_from == NULL 396 && (rr_from = sk_OPENSSL_STRING_new_null()) == NULL) 397 goto end; 398 sk_OPENSSL_STRING_push(rr_from, opt_arg()); 399 break; 400 case OPT_RR_TO: 401 if (rr_to == NULL 402 && (rr_to = sk_OPENSSL_STRING_new_null()) == NULL) 403 goto end; 404 sk_OPENSSL_STRING_push(rr_to, opt_arg()); 405 break; 406 case OPT_PRINT: 407 noout = print = 1; 408 break; 409 case OPT_SECRETKEY: 410 if (secret_key != NULL) { 411 BIO_printf(bio_err, "Invalid key (supplied twice) %s\n", 412 opt_arg()); 413 goto opthelp; 414 } 415 secret_key = OPENSSL_hexstr2buf(opt_arg(), <mp); 416 if (secret_key == NULL) { 417 BIO_printf(bio_err, "Invalid key %s\n", opt_arg()); 418 goto end; 419 } 420 secret_keylen = (size_t)ltmp; 421 break; 422 case OPT_SECRETKEYID: 423 if (secret_keyid != NULL) { 424 BIO_printf(bio_err, "Invalid id (supplied twice) %s\n", 425 opt_arg()); 426 goto opthelp; 427 } 428 secret_keyid = OPENSSL_hexstr2buf(opt_arg(), <mp); 429 if (secret_keyid == NULL) { 430 BIO_printf(bio_err, "Invalid id %s\n", opt_arg()); 431 goto opthelp; 432 } 433 secret_keyidlen = (size_t)ltmp; 434 break; 435 case OPT_PWRI_PASSWORD: 436 pwri_pass = (unsigned char *)opt_arg(); 437 break; 438 case OPT_ECONTENT_TYPE: 439 if (econtent_type != NULL) { 440 BIO_printf(bio_err, "Invalid OID (supplied twice) %s\n", 441 opt_arg()); 442 goto opthelp; 443 } 444 econtent_type = OBJ_txt2obj(opt_arg(), 0); 445 if (econtent_type == NULL) { 446 BIO_printf(bio_err, "Invalid OID %s\n", opt_arg()); 447 goto opthelp; 448 } 449 break; 450 case OPT_ENGINE: 451 e = setup_engine(opt_arg(), 0); 452 break; 453 case OPT_PASSIN: 454 passinarg = opt_arg(); 455 break; 456 case OPT_TO: 457 to = opt_arg(); 458 break; 459 case OPT_FROM: 460 from = opt_arg(); 461 break; 462 case OPT_SUBJECT: 463 subject = opt_arg(); 464 break; 465 case OPT_CERTSOUT: 466 certsoutfile = opt_arg(); 467 break; 468 case OPT_MD: 469 if (!opt_md(opt_arg(), &sign_md)) 470 goto end; 471 break; 472 case OPT_SIGNER: 473 /* If previous -signer argument add signer to list */ 474 if (signerfile != NULL) { 475 if (sksigners == NULL 476 && (sksigners = sk_OPENSSL_STRING_new_null()) == NULL) 477 goto end; 478 sk_OPENSSL_STRING_push(sksigners, signerfile); 479 if (keyfile == NULL) 480 keyfile = signerfile; 481 if (skkeys == NULL 482 && (skkeys = sk_OPENSSL_STRING_new_null()) == NULL) 483 goto end; 484 sk_OPENSSL_STRING_push(skkeys, keyfile); 485 keyfile = NULL; 486 } 487 signerfile = opt_arg(); 488 break; 489 case OPT_INKEY: 490 /* If previous -inkey argument add signer to list */ 491 if (keyfile != NULL) { 492 if (signerfile == NULL) { 493 BIO_puts(bio_err, "Illegal -inkey without -signer\n"); 494 goto end; 495 } 496 if (sksigners == NULL 497 && (sksigners = sk_OPENSSL_STRING_new_null()) == NULL) 498 goto end; 499 sk_OPENSSL_STRING_push(sksigners, signerfile); 500 signerfile = NULL; 501 if (skkeys == NULL 502 && (skkeys = sk_OPENSSL_STRING_new_null()) == NULL) 503 goto end; 504 sk_OPENSSL_STRING_push(skkeys, keyfile); 505 } 506 keyfile = opt_arg(); 507 break; 508 case OPT_KEYFORM: 509 if (!opt_format(opt_arg(), OPT_FMT_ANY, &keyform)) 510 goto opthelp; 511 break; 512 case OPT_RECIP: 513 if (operation == SMIME_ENCRYPT) { 514 if (encerts == NULL && (encerts = sk_X509_new_null()) == NULL) 515 goto end; 516 cert = load_cert(opt_arg(), FORMAT_PEM, 517 "recipient certificate file"); 518 if (cert == NULL) 519 goto end; 520 sk_X509_push(encerts, cert); 521 cert = NULL; 522 } else { 523 recipfile = opt_arg(); 524 } 525 break; 526 case OPT_CIPHER: 527 if (!opt_cipher(opt_unknown(), &cipher)) 528 goto end; 529 break; 530 case OPT_KEYOPT: 531 keyidx = -1; 532 if (operation == SMIME_ENCRYPT) { 533 if (encerts != NULL) 534 keyidx += sk_X509_num(encerts); 535 } else { 536 if (keyfile != NULL || signerfile != NULL) 537 keyidx++; 538 if (skkeys != NULL) 539 keyidx += sk_OPENSSL_STRING_num(skkeys); 540 } 541 if (keyidx < 0) { 542 BIO_printf(bio_err, "No key specified\n"); 543 goto opthelp; 544 } 545 if (key_param == NULL || key_param->idx != keyidx) { 546 cms_key_param *nparam; 547 nparam = app_malloc(sizeof(*nparam), "key param buffer"); 548 nparam->idx = keyidx; 549 if ((nparam->param = sk_OPENSSL_STRING_new_null()) == NULL) 550 goto end; 551 nparam->next = NULL; 552 if (key_first == NULL) 553 key_first = nparam; 554 else 555 key_param->next = nparam; 556 key_param = nparam; 557 } 558 sk_OPENSSL_STRING_push(key_param->param, opt_arg()); 559 break; 560 case OPT_V_CASES: 561 if (!opt_verify(o, vpm)) 562 goto end; 563 vpmtouched++; 564 break; 565 case OPT_R_CASES: 566 if (!opt_rand(o)) 567 goto end; 568 break; 569 case OPT_3DES_WRAP: 570 # ifndef OPENSSL_NO_DES 571 wrap_cipher = EVP_des_ede3_wrap(); 572 # endif 573 break; 574 case OPT_AES128_WRAP: 575 wrap_cipher = EVP_aes_128_wrap(); 576 break; 577 case OPT_AES192_WRAP: 578 wrap_cipher = EVP_aes_192_wrap(); 579 break; 580 case OPT_AES256_WRAP: 581 wrap_cipher = EVP_aes_256_wrap(); 582 break; 583 } 584 } 585 argc = opt_num_rest(); 586 argv = opt_rest(); 587 588 if ((rr_allorfirst != -1 || rr_from != NULL) && rr_to == NULL) { 589 BIO_puts(bio_err, "No Signed Receipts Recipients\n"); 590 goto opthelp; 591 } 592 593 if (!(operation & SMIME_SIGNERS) && (rr_to != NULL || rr_from != NULL)) { 594 BIO_puts(bio_err, "Signed receipts only allowed with -sign\n"); 595 goto opthelp; 596 } 597 if (!(operation & SMIME_SIGNERS) && (skkeys != NULL || sksigners != NULL)) { 598 BIO_puts(bio_err, "Multiple signers or keys not allowed\n"); 599 goto opthelp; 600 } 601 602 if (operation & SMIME_SIGNERS) { 603 if (keyfile != NULL && signerfile == NULL) { 604 BIO_puts(bio_err, "Illegal -inkey without -signer\n"); 605 goto opthelp; 606 } 607 /* Check to see if any final signer needs to be appended */ 608 if (signerfile != NULL) { 609 if (sksigners == NULL 610 && (sksigners = sk_OPENSSL_STRING_new_null()) == NULL) 611 goto end; 612 sk_OPENSSL_STRING_push(sksigners, signerfile); 613 if (skkeys == NULL && (skkeys = sk_OPENSSL_STRING_new_null()) == NULL) 614 goto end; 615 if (keyfile == NULL) 616 keyfile = signerfile; 617 sk_OPENSSL_STRING_push(skkeys, keyfile); 618 } 619 if (sksigners == NULL) { 620 BIO_printf(bio_err, "No signer certificate specified\n"); 621 goto opthelp; 622 } 623 signerfile = NULL; 624 keyfile = NULL; 625 } else if (operation == SMIME_DECRYPT) { 626 if (recipfile == NULL && keyfile == NULL 627 && secret_key == NULL && pwri_pass == NULL) { 628 BIO_printf(bio_err, 629 "No recipient certificate or key specified\n"); 630 goto opthelp; 631 } 632 } else if (operation == SMIME_ENCRYPT) { 633 if (*argv == NULL && secret_key == NULL 634 && pwri_pass == NULL && encerts == NULL) { 635 BIO_printf(bio_err, "No recipient(s) certificate(s) specified\n"); 636 goto opthelp; 637 } 638 } else if (!operation) { 639 goto opthelp; 640 } 641 642 if (!app_passwd(passinarg, NULL, &passin, NULL)) { 643 BIO_printf(bio_err, "Error getting password\n"); 644 goto end; 645 } 646 647 ret = 2; 648 649 if (!(operation & SMIME_SIGNERS)) 650 flags &= ~CMS_DETACHED; 651 652 if (!(operation & SMIME_OP)) 653 if (flags & CMS_BINARY) 654 outformat = FORMAT_BINARY; 655 656 if (!(operation & SMIME_IP)) 657 if (flags & CMS_BINARY) 658 informat = FORMAT_BINARY; 659 660 if (operation == SMIME_ENCRYPT) { 661 if (!cipher) { 662 # ifndef OPENSSL_NO_DES 663 cipher = EVP_des_ede3_cbc(); 664 # else 665 BIO_printf(bio_err, "No cipher selected\n"); 666 goto end; 667 # endif 668 } 669 670 if (secret_key && !secret_keyid) { 671 BIO_printf(bio_err, "No secret key id\n"); 672 goto end; 673 } 674 675 if (*argv && encerts == NULL) 676 if ((encerts = sk_X509_new_null()) == NULL) 677 goto end; 678 while (*argv) { 679 if ((cert = load_cert(*argv, FORMAT_PEM, 680 "recipient certificate file")) == NULL) 681 goto end; 682 sk_X509_push(encerts, cert); 683 cert = NULL; 684 argv++; 685 } 686 } 687 688 if (certfile != NULL) { 689 if (!load_certs(certfile, &other, FORMAT_PEM, NULL, 690 "certificate file")) { 691 ERR_print_errors(bio_err); 692 goto end; 693 } 694 } 695 696 if (recipfile != NULL && (operation == SMIME_DECRYPT)) { 697 if ((recip = load_cert(recipfile, FORMAT_PEM, 698 "recipient certificate file")) == NULL) { 699 ERR_print_errors(bio_err); 700 goto end; 701 } 702 } 703 704 if (operation == SMIME_SIGN_RECEIPT) { 705 if ((signer = load_cert(signerfile, FORMAT_PEM, 706 "receipt signer certificate file")) == NULL) { 707 ERR_print_errors(bio_err); 708 goto end; 709 } 710 } 711 712 if (operation == SMIME_DECRYPT) { 713 if (keyfile == NULL) 714 keyfile = recipfile; 715 } else if ((operation == SMIME_SIGN) || (operation == SMIME_SIGN_RECEIPT)) { 716 if (keyfile == NULL) 717 keyfile = signerfile; 718 } else { 719 keyfile = NULL; 720 } 721 722 if (keyfile != NULL) { 723 key = load_key(keyfile, keyform, 0, passin, e, "signing key file"); 724 if (key == NULL) 725 goto end; 726 } 727 728 in = bio_open_default(infile, 'r', informat); 729 if (in == NULL) 730 goto end; 731 732 if (operation & SMIME_IP) { 733 if (informat == FORMAT_SMIME) { 734 cms = SMIME_read_CMS(in, &indata); 735 } else if (informat == FORMAT_PEM) { 736 cms = PEM_read_bio_CMS(in, NULL, NULL, NULL); 737 } else if (informat == FORMAT_ASN1) { 738 cms = d2i_CMS_bio(in, NULL); 739 } else { 740 BIO_printf(bio_err, "Bad input format for CMS file\n"); 741 goto end; 742 } 743 744 if (cms == NULL) { 745 BIO_printf(bio_err, "Error reading S/MIME message\n"); 746 goto end; 747 } 748 if (contfile != NULL) { 749 BIO_free(indata); 750 if ((indata = BIO_new_file(contfile, "rb")) == NULL) { 751 BIO_printf(bio_err, "Can't read content file %s\n", contfile); 752 goto end; 753 } 754 } 755 if (certsoutfile != NULL) { 756 STACK_OF(X509) *allcerts; 757 allcerts = CMS_get1_certs(cms); 758 if (!save_certs(certsoutfile, allcerts)) { 759 BIO_printf(bio_err, 760 "Error writing certs to %s\n", certsoutfile); 761 ret = 5; 762 goto end; 763 } 764 sk_X509_pop_free(allcerts, X509_free); 765 } 766 } 767 768 if (rctfile != NULL) { 769 char *rctmode = (rctformat == FORMAT_ASN1) ? "rb" : "r"; 770 if ((rctin = BIO_new_file(rctfile, rctmode)) == NULL) { 771 BIO_printf(bio_err, "Can't open receipt file %s\n", rctfile); 772 goto end; 773 } 774 775 if (rctformat == FORMAT_SMIME) { 776 rcms = SMIME_read_CMS(rctin, NULL); 777 } else if (rctformat == FORMAT_PEM) { 778 rcms = PEM_read_bio_CMS(rctin, NULL, NULL, NULL); 779 } else if (rctformat == FORMAT_ASN1) { 780 rcms = d2i_CMS_bio(rctin, NULL); 781 } else { 782 BIO_printf(bio_err, "Bad input format for receipt\n"); 783 goto end; 784 } 785 786 if (rcms == NULL) { 787 BIO_printf(bio_err, "Error reading receipt\n"); 788 goto end; 789 } 790 } 791 792 out = bio_open_default(outfile, 'w', outformat); 793 if (out == NULL) 794 goto end; 795 796 if ((operation == SMIME_VERIFY) || (operation == SMIME_VERIFY_RECEIPT)) { 797 if ((store = setup_verify(CAfile, CApath, noCAfile, noCApath)) == NULL) 798 goto end; 799 X509_STORE_set_verify_cb(store, cms_cb); 800 if (vpmtouched) 801 X509_STORE_set1_param(store, vpm); 802 } 803 804 ret = 3; 805 806 if (operation == SMIME_DATA_CREATE) { 807 cms = CMS_data_create(in, flags); 808 } else if (operation == SMIME_DIGEST_CREATE) { 809 cms = CMS_digest_create(in, sign_md, flags); 810 } else if (operation == SMIME_COMPRESS) { 811 cms = CMS_compress(in, -1, flags); 812 } else if (operation == SMIME_ENCRYPT) { 813 int i; 814 flags |= CMS_PARTIAL; 815 cms = CMS_encrypt(NULL, in, cipher, flags); 816 if (cms == NULL) 817 goto end; 818 for (i = 0; i < sk_X509_num(encerts); i++) { 819 CMS_RecipientInfo *ri; 820 cms_key_param *kparam; 821 int tflags = flags; 822 X509 *x = sk_X509_value(encerts, i); 823 for (kparam = key_first; kparam; kparam = kparam->next) { 824 if (kparam->idx == i) { 825 tflags |= CMS_KEY_PARAM; 826 break; 827 } 828 } 829 ri = CMS_add1_recipient_cert(cms, x, tflags); 830 if (ri == NULL) 831 goto end; 832 if (kparam != NULL) { 833 EVP_PKEY_CTX *pctx; 834 pctx = CMS_RecipientInfo_get0_pkey_ctx(ri); 835 if (!cms_set_pkey_param(pctx, kparam->param)) 836 goto end; 837 } 838 if (CMS_RecipientInfo_type(ri) == CMS_RECIPINFO_AGREE 839 && wrap_cipher) { 840 EVP_CIPHER_CTX *wctx; 841 wctx = CMS_RecipientInfo_kari_get0_ctx(ri); 842 EVP_EncryptInit_ex(wctx, wrap_cipher, NULL, NULL, NULL); 843 } 844 } 845 846 if (secret_key != NULL) { 847 if (!CMS_add0_recipient_key(cms, NID_undef, 848 secret_key, secret_keylen, 849 secret_keyid, secret_keyidlen, 850 NULL, NULL, NULL)) 851 goto end; 852 /* NULL these because call absorbs them */ 853 secret_key = NULL; 854 secret_keyid = NULL; 855 } 856 if (pwri_pass != NULL) { 857 pwri_tmp = (unsigned char *)OPENSSL_strdup((char *)pwri_pass); 858 if (pwri_tmp == NULL) 859 goto end; 860 if (CMS_add0_recipient_password(cms, 861 -1, NID_undef, NID_undef, 862 pwri_tmp, -1, NULL) == NULL) 863 goto end; 864 pwri_tmp = NULL; 865 } 866 if (!(flags & CMS_STREAM)) { 867 if (!CMS_final(cms, in, NULL, flags)) 868 goto end; 869 } 870 } else if (operation == SMIME_ENCRYPTED_ENCRYPT) { 871 cms = CMS_EncryptedData_encrypt(in, cipher, 872 secret_key, secret_keylen, flags); 873 874 } else if (operation == SMIME_SIGN_RECEIPT) { 875 CMS_ContentInfo *srcms = NULL; 876 STACK_OF(CMS_SignerInfo) *sis; 877 CMS_SignerInfo *si; 878 sis = CMS_get0_SignerInfos(cms); 879 if (sis == NULL) 880 goto end; 881 si = sk_CMS_SignerInfo_value(sis, 0); 882 srcms = CMS_sign_receipt(si, signer, key, other, flags); 883 if (srcms == NULL) 884 goto end; 885 CMS_ContentInfo_free(cms); 886 cms = srcms; 887 } else if (operation & SMIME_SIGNERS) { 888 int i; 889 /* 890 * If detached data content we enable streaming if S/MIME output 891 * format. 892 */ 893 if (operation == SMIME_SIGN) { 894 895 if (flags & CMS_DETACHED) { 896 if (outformat == FORMAT_SMIME) 897 flags |= CMS_STREAM; 898 } 899 flags |= CMS_PARTIAL; 900 cms = CMS_sign(NULL, NULL, other, in, flags); 901 if (cms == NULL) 902 goto end; 903 if (econtent_type != NULL) 904 CMS_set1_eContentType(cms, econtent_type); 905 906 if (rr_to != NULL) { 907 rr = make_receipt_request(rr_to, rr_allorfirst, rr_from); 908 if (rr == NULL) { 909 BIO_puts(bio_err, 910 "Signed Receipt Request Creation Error\n"); 911 goto end; 912 } 913 } 914 } else { 915 flags |= CMS_REUSE_DIGEST; 916 } 917 for (i = 0; i < sk_OPENSSL_STRING_num(sksigners); i++) { 918 CMS_SignerInfo *si; 919 cms_key_param *kparam; 920 int tflags = flags; 921 signerfile = sk_OPENSSL_STRING_value(sksigners, i); 922 keyfile = sk_OPENSSL_STRING_value(skkeys, i); 923 924 signer = load_cert(signerfile, FORMAT_PEM, "signer certificate"); 925 if (signer == NULL) { 926 ret = 2; 927 goto end; 928 } 929 key = load_key(keyfile, keyform, 0, passin, e, "signing key file"); 930 if (key == NULL) { 931 ret = 2; 932 goto end; 933 } 934 for (kparam = key_first; kparam; kparam = kparam->next) { 935 if (kparam->idx == i) { 936 tflags |= CMS_KEY_PARAM; 937 break; 938 } 939 } 940 si = CMS_add1_signer(cms, signer, key, sign_md, tflags); 941 if (si == NULL) 942 goto end; 943 if (kparam != NULL) { 944 EVP_PKEY_CTX *pctx; 945 pctx = CMS_SignerInfo_get0_pkey_ctx(si); 946 if (!cms_set_pkey_param(pctx, kparam->param)) 947 goto end; 948 } 949 if (rr != NULL && !CMS_add1_ReceiptRequest(si, rr)) 950 goto end; 951 X509_free(signer); 952 signer = NULL; 953 EVP_PKEY_free(key); 954 key = NULL; 955 } 956 /* If not streaming or resigning finalize structure */ 957 if ((operation == SMIME_SIGN) && !(flags & CMS_STREAM)) { 958 if (!CMS_final(cms, in, NULL, flags)) 959 goto end; 960 } 961 } 962 963 if (cms == NULL) { 964 BIO_printf(bio_err, "Error creating CMS structure\n"); 965 goto end; 966 } 967 968 ret = 4; 969 if (operation == SMIME_DECRYPT) { 970 if (flags & CMS_DEBUG_DECRYPT) 971 CMS_decrypt(cms, NULL, NULL, NULL, NULL, flags); 972 973 if (secret_key != NULL) { 974 if (!CMS_decrypt_set1_key(cms, 975 secret_key, secret_keylen, 976 secret_keyid, secret_keyidlen)) { 977 BIO_puts(bio_err, "Error decrypting CMS using secret key\n"); 978 goto end; 979 } 980 } 981 982 if (key != NULL) { 983 if (!CMS_decrypt_set1_pkey(cms, key, recip)) { 984 BIO_puts(bio_err, "Error decrypting CMS using private key\n"); 985 goto end; 986 } 987 } 988 989 if (pwri_pass != NULL) { 990 if (!CMS_decrypt_set1_password(cms, pwri_pass, -1)) { 991 BIO_puts(bio_err, "Error decrypting CMS using password\n"); 992 goto end; 993 } 994 } 995 996 if (!CMS_decrypt(cms, NULL, NULL, indata, out, flags)) { 997 BIO_printf(bio_err, "Error decrypting CMS structure\n"); 998 goto end; 999 } 1000 } else if (operation == SMIME_DATAOUT) { 1001 if (!CMS_data(cms, out, flags)) 1002 goto end; 1003 } else if (operation == SMIME_UNCOMPRESS) { 1004 if (!CMS_uncompress(cms, indata, out, flags)) 1005 goto end; 1006 } else if (operation == SMIME_DIGEST_VERIFY) { 1007 if (CMS_digest_verify(cms, indata, out, flags) > 0) { 1008 BIO_printf(bio_err, "Verification successful\n"); 1009 } else { 1010 BIO_printf(bio_err, "Verification failure\n"); 1011 goto end; 1012 } 1013 } else if (operation == SMIME_ENCRYPTED_DECRYPT) { 1014 if (!CMS_EncryptedData_decrypt(cms, secret_key, secret_keylen, 1015 indata, out, flags)) 1016 goto end; 1017 } else if (operation == SMIME_VERIFY) { 1018 if (CMS_verify(cms, other, store, indata, out, flags) > 0) { 1019 BIO_printf(bio_err, "Verification successful\n"); 1020 } else { 1021 BIO_printf(bio_err, "Verification failure\n"); 1022 if (verify_retcode) 1023 ret = verify_err + 32; 1024 goto end; 1025 } 1026 if (signerfile != NULL) { 1027 STACK_OF(X509) *signers; 1028 signers = CMS_get0_signers(cms); 1029 if (!save_certs(signerfile, signers)) { 1030 BIO_printf(bio_err, 1031 "Error writing signers to %s\n", signerfile); 1032 ret = 5; 1033 goto end; 1034 } 1035 sk_X509_free(signers); 1036 } 1037 if (rr_print) 1038 receipt_request_print(cms); 1039 1040 } else if (operation == SMIME_VERIFY_RECEIPT) { 1041 if (CMS_verify_receipt(rcms, cms, other, store, flags) > 0) { 1042 BIO_printf(bio_err, "Verification successful\n"); 1043 } else { 1044 BIO_printf(bio_err, "Verification failure\n"); 1045 goto end; 1046 } 1047 } else { 1048 if (noout) { 1049 if (print) 1050 CMS_ContentInfo_print_ctx(out, cms, 0, NULL); 1051 } else if (outformat == FORMAT_SMIME) { 1052 if (to) 1053 BIO_printf(out, "To: %s%s", to, mime_eol); 1054 if (from) 1055 BIO_printf(out, "From: %s%s", from, mime_eol); 1056 if (subject) 1057 BIO_printf(out, "Subject: %s%s", subject, mime_eol); 1058 if (operation == SMIME_RESIGN) 1059 ret = SMIME_write_CMS(out, cms, indata, flags); 1060 else 1061 ret = SMIME_write_CMS(out, cms, in, flags); 1062 } else if (outformat == FORMAT_PEM) { 1063 ret = PEM_write_bio_CMS_stream(out, cms, in, flags); 1064 } else if (outformat == FORMAT_ASN1) { 1065 ret = i2d_CMS_bio_stream(out, cms, in, flags); 1066 } else { 1067 BIO_printf(bio_err, "Bad output format for CMS file\n"); 1068 goto end; 1069 } 1070 if (ret <= 0) { 1071 ret = 6; 1072 goto end; 1073 } 1074 } 1075 ret = 0; 1076 end: 1077 if (ret) 1078 ERR_print_errors(bio_err); 1079 sk_X509_pop_free(encerts, X509_free); 1080 sk_X509_pop_free(other, X509_free); 1081 X509_VERIFY_PARAM_free(vpm); 1082 sk_OPENSSL_STRING_free(sksigners); 1083 sk_OPENSSL_STRING_free(skkeys); 1084 OPENSSL_free(secret_key); 1085 OPENSSL_free(secret_keyid); 1086 OPENSSL_free(pwri_tmp); 1087 ASN1_OBJECT_free(econtent_type); 1088 CMS_ReceiptRequest_free(rr); 1089 sk_OPENSSL_STRING_free(rr_to); 1090 sk_OPENSSL_STRING_free(rr_from); 1091 for (key_param = key_first; key_param;) { 1092 cms_key_param *tparam; 1093 sk_OPENSSL_STRING_free(key_param->param); 1094 tparam = key_param->next; 1095 OPENSSL_free(key_param); 1096 key_param = tparam; 1097 } 1098 X509_STORE_free(store); 1099 X509_free(cert); 1100 X509_free(recip); 1101 X509_free(signer); 1102 EVP_PKEY_free(key); 1103 CMS_ContentInfo_free(cms); 1104 CMS_ContentInfo_free(rcms); 1105 release_engine(e); 1106 BIO_free(rctin); 1107 BIO_free(in); 1108 BIO_free(indata); 1109 BIO_free_all(out); 1110 OPENSSL_free(passin); 1111 return ret; 1112 } 1113 1114 static int save_certs(char *signerfile, STACK_OF(X509) *signers) 1115 { 1116 int i; 1117 BIO *tmp; 1118 if (signerfile == NULL) 1119 return 1; 1120 tmp = BIO_new_file(signerfile, "w"); 1121 if (tmp == NULL) 1122 return 0; 1123 for (i = 0; i < sk_X509_num(signers); i++) 1124 PEM_write_bio_X509(tmp, sk_X509_value(signers, i)); 1125 BIO_free(tmp); 1126 return 1; 1127 } 1128 1129 /* Minimal callback just to output policy info (if any) */ 1130 1131 static int cms_cb(int ok, X509_STORE_CTX *ctx) 1132 { 1133 int error; 1134 1135 error = X509_STORE_CTX_get_error(ctx); 1136 1137 verify_err = error; 1138 1139 if ((error != X509_V_ERR_NO_EXPLICIT_POLICY) 1140 && ((error != X509_V_OK) || (ok != 2))) 1141 return ok; 1142 1143 policies_print(ctx); 1144 1145 return ok; 1146 1147 } 1148 1149 static void gnames_stack_print(STACK_OF(GENERAL_NAMES) *gns) 1150 { 1151 STACK_OF(GENERAL_NAME) *gens; 1152 GENERAL_NAME *gen; 1153 int i, j; 1154 1155 for (i = 0; i < sk_GENERAL_NAMES_num(gns); i++) { 1156 gens = sk_GENERAL_NAMES_value(gns, i); 1157 for (j = 0; j < sk_GENERAL_NAME_num(gens); j++) { 1158 gen = sk_GENERAL_NAME_value(gens, j); 1159 BIO_puts(bio_err, " "); 1160 GENERAL_NAME_print(bio_err, gen); 1161 BIO_puts(bio_err, "\n"); 1162 } 1163 } 1164 return; 1165 } 1166 1167 static void receipt_request_print(CMS_ContentInfo *cms) 1168 { 1169 STACK_OF(CMS_SignerInfo) *sis; 1170 CMS_SignerInfo *si; 1171 CMS_ReceiptRequest *rr; 1172 int allorfirst; 1173 STACK_OF(GENERAL_NAMES) *rto, *rlist; 1174 ASN1_STRING *scid; 1175 int i, rv; 1176 sis = CMS_get0_SignerInfos(cms); 1177 for (i = 0; i < sk_CMS_SignerInfo_num(sis); i++) { 1178 si = sk_CMS_SignerInfo_value(sis, i); 1179 rv = CMS_get1_ReceiptRequest(si, &rr); 1180 BIO_printf(bio_err, "Signer %d:\n", i + 1); 1181 if (rv == 0) { 1182 BIO_puts(bio_err, " No Receipt Request\n"); 1183 } else if (rv < 0) { 1184 BIO_puts(bio_err, " Receipt Request Parse Error\n"); 1185 ERR_print_errors(bio_err); 1186 } else { 1187 const char *id; 1188 int idlen; 1189 CMS_ReceiptRequest_get0_values(rr, &scid, &allorfirst, 1190 &rlist, &rto); 1191 BIO_puts(bio_err, " Signed Content ID:\n"); 1192 idlen = ASN1_STRING_length(scid); 1193 id = (const char *)ASN1_STRING_get0_data(scid); 1194 BIO_dump_indent(bio_err, id, idlen, 4); 1195 BIO_puts(bio_err, " Receipts From"); 1196 if (rlist != NULL) { 1197 BIO_puts(bio_err, " List:\n"); 1198 gnames_stack_print(rlist); 1199 } else if (allorfirst == 1) { 1200 BIO_puts(bio_err, ": First Tier\n"); 1201 } else if (allorfirst == 0) { 1202 BIO_puts(bio_err, ": All\n"); 1203 } else { 1204 BIO_printf(bio_err, " Unknown (%d)\n", allorfirst); 1205 } 1206 BIO_puts(bio_err, " Receipts To:\n"); 1207 gnames_stack_print(rto); 1208 } 1209 CMS_ReceiptRequest_free(rr); 1210 } 1211 } 1212 1213 static STACK_OF(GENERAL_NAMES) *make_names_stack(STACK_OF(OPENSSL_STRING) *ns) 1214 { 1215 int i; 1216 STACK_OF(GENERAL_NAMES) *ret; 1217 GENERAL_NAMES *gens = NULL; 1218 GENERAL_NAME *gen = NULL; 1219 ret = sk_GENERAL_NAMES_new_null(); 1220 if (ret == NULL) 1221 goto err; 1222 for (i = 0; i < sk_OPENSSL_STRING_num(ns); i++) { 1223 char *str = sk_OPENSSL_STRING_value(ns, i); 1224 gen = a2i_GENERAL_NAME(NULL, NULL, NULL, GEN_EMAIL, str, 0); 1225 if (gen == NULL) 1226 goto err; 1227 gens = GENERAL_NAMES_new(); 1228 if (gens == NULL) 1229 goto err; 1230 if (!sk_GENERAL_NAME_push(gens, gen)) 1231 goto err; 1232 gen = NULL; 1233 if (!sk_GENERAL_NAMES_push(ret, gens)) 1234 goto err; 1235 gens = NULL; 1236 } 1237 1238 return ret; 1239 1240 err: 1241 sk_GENERAL_NAMES_pop_free(ret, GENERAL_NAMES_free); 1242 GENERAL_NAMES_free(gens); 1243 GENERAL_NAME_free(gen); 1244 return NULL; 1245 } 1246 1247 static CMS_ReceiptRequest *make_receipt_request(STACK_OF(OPENSSL_STRING) 1248 *rr_to, int rr_allorfirst, STACK_OF(OPENSSL_STRING) 1249 *rr_from) 1250 { 1251 STACK_OF(GENERAL_NAMES) *rct_to = NULL, *rct_from = NULL; 1252 CMS_ReceiptRequest *rr; 1253 rct_to = make_names_stack(rr_to); 1254 if (rct_to == NULL) 1255 goto err; 1256 if (rr_from != NULL) { 1257 rct_from = make_names_stack(rr_from); 1258 if (rct_from == NULL) 1259 goto err; 1260 } else { 1261 rct_from = NULL; 1262 } 1263 rr = CMS_ReceiptRequest_create0(NULL, -1, rr_allorfirst, rct_from, 1264 rct_to); 1265 return rr; 1266 err: 1267 sk_GENERAL_NAMES_pop_free(rct_to, GENERAL_NAMES_free); 1268 return NULL; 1269 } 1270 1271 static int cms_set_pkey_param(EVP_PKEY_CTX *pctx, 1272 STACK_OF(OPENSSL_STRING) *param) 1273 { 1274 char *keyopt; 1275 int i; 1276 if (sk_OPENSSL_STRING_num(param) <= 0) 1277 return 1; 1278 for (i = 0; i < sk_OPENSSL_STRING_num(param); i++) { 1279 keyopt = sk_OPENSSL_STRING_value(param, i); 1280 if (pkey_ctrl_string(pctx, keyopt) <= 0) { 1281 BIO_printf(bio_err, "parameter error \"%s\"\n", keyopt); 1282 ERR_print_errors(bio_err); 1283 return 0; 1284 } 1285 } 1286 return 1; 1287 } 1288 1289 #endif 1290