summaryrefslogtreecommitdiff
path: root/src/usr.bin
diff options
context:
space:
mode:
authorinoguchi <>2022-01-05 10:01:39 +0000
committerinoguchi <>2022-01-05 10:01:39 +0000
commit03944c3703374336fb802e5c452e9983bf0a1281 (patch)
treea6d21f66a5cb96343b1ddf56d9f442c00b9d3fe7 /src/usr.bin
parentefadcc5dd38b1eb8cc4d27a109eb179dbe38502d (diff)
downloadopenbsd-03944c3703374336fb802e5c452e9983bf0a1281.tar.gz
openbsd-03944c3703374336fb802e5c452e9983bf0a1281.tar.bz2
openbsd-03944c3703374336fb802e5c452e9983bf0a1281.zip
Convert openssl(1) cms option handling
Just applying new option handling and no functional changes. Referred to verify.c and using 'verify_shared_options'. ok and comments from jsing@ and tb@
Diffstat (limited to 'src/usr.bin')
-rw-r--r--src/usr.bin/openssl/cms.c1860
1 files changed, 1240 insertions, 620 deletions
diff --git a/src/usr.bin/openssl/cms.c b/src/usr.bin/openssl/cms.c
index db485cd290..c1b55b56f0 100644
--- a/src/usr.bin/openssl/cms.c
+++ b/src/usr.bin/openssl/cms.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: cms.c,v 1.18 2021/12/26 15:23:37 tb Exp $ */ 1/* $OpenBSD: cms.c,v 1.19 2022/01/05 10:01:39 inoguchi Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project. 3 * project.
4 */ 4 */
@@ -105,46 +105,1053 @@ struct cms_key_param {
105 struct cms_key_param *next; 105 struct cms_key_param *next;
106}; 106};
107 107
108static struct {
109 char *CAfile;
110 char *CApath;
111 X509 *cert;
112 char *certfile;
113 char *certsoutfile;
114 const EVP_CIPHER *cipher;
115 char *contfile;
116 ASN1_OBJECT *econtent_type;
117 STACK_OF(X509) *encerts;
118 int flags;
119 char *from;
120 char *infile;
121 int informat;
122 struct cms_key_param *key_first;
123 struct cms_key_param *key_param;
124 char *keyfile;
125 int keyform;
126 int noout;
127 int operation;
128 char *outfile;
129 int outformat;
130 char *passargin;
131 int print;
132 unsigned char *pwri_pass;
133 int rr_allorfirst;
134 STACK_OF(OPENSSL_STRING) *rr_from;
135 int rr_print;
136 STACK_OF(OPENSSL_STRING) *rr_to;
137 char *rctfile;
138 int rctformat;
139 char *recipfile;
140 unsigned char *secret_key;
141 unsigned char *secret_keyid;
142 size_t secret_keyidlen;
143 size_t secret_keylen;
144 const EVP_MD *sign_md;
145 char *signerfile;
146 STACK_OF(OPENSSL_STRING) *skkeys;
147 STACK_OF(OPENSSL_STRING) *sksigners;
148 char *subject;
149 char *to;
150 int verify_retcode;
151 X509_VERIFY_PARAM *vpm;
152} cms_config;
153
154static const EVP_CIPHER *
155get_cipher_by_name(char *name)
156{
157 if (name == NULL || strcmp(name, "") == 0)
158 return (NULL);
159#ifndef OPENSSL_NO_AES
160 else if (strcmp(name, "aes128") == 0)
161 return EVP_aes_128_cbc();
162 else if (strcmp(name, "aes192") == 0)
163 return EVP_aes_192_cbc();
164 else if (strcmp(name, "aes256") == 0)
165 return EVP_aes_256_cbc();
166#endif
167#ifndef OPENSSL_NO_CAMELLIA
168 else if (strcmp(name, "camellia128") == 0)
169 return EVP_camellia_128_cbc();
170 else if (strcmp(name, "camellia192") == 0)
171 return EVP_camellia_192_cbc();
172 else if (strcmp(name, "camellia256") == 0)
173 return EVP_camellia_256_cbc();
174#endif
175#ifndef OPENSSL_NO_DES
176 else if (strcmp(name, "des") == 0)
177 return EVP_des_cbc();
178 else if (strcmp(name, "des3") == 0)
179 return EVP_des_ede3_cbc();
180#endif
181#ifndef OPENSSL_NO_RC2
182 else if (!strcmp(name, "rc2-40"))
183 return EVP_rc2_40_cbc();
184 else if (!strcmp(name, "rc2-64"))
185 return EVP_rc2_64_cbc();
186 else if (!strcmp(name, "rc2-128"))
187 return EVP_rc2_cbc();
188#endif
189 else
190 return (NULL);
191}
192
193static int
194cms_opt_cipher(int argc, char **argv, int *argsused)
195{
196 char *name = argv[0];
197
198 if (*name++ != '-')
199 return (1);
200
201 if ((cms_config.cipher = get_cipher_by_name(name)) == NULL)
202 if ((cms_config.cipher = EVP_get_cipherbyname(name)) == NULL)
203 return (1);
204
205 *argsused = 1;
206 return (0);
207}
208
209static int
210cms_opt_econtent_type(char *arg)
211{
212 if ((cms_config.econtent_type = OBJ_txt2obj(arg, 0)) == NULL) {
213 BIO_printf(bio_err, "Invalid OID %s\n", arg);
214 return (1);
215 }
216 return (0);
217}
218
219static int
220cms_opt_inkey(char *arg)
221{
222 if (cms_config.keyfile != NULL) {
223 if (cms_config.signerfile == NULL) {
224 BIO_puts(bio_err, "Illegal -inkey without -signer\n");
225 return (1);
226 }
227
228 if (cms_config.sksigners == NULL)
229 cms_config.sksigners = sk_OPENSSL_STRING_new_null();
230 if (cms_config.sksigners == NULL)
231 return (1);
232 if (!sk_OPENSSL_STRING_push(cms_config.sksigners,
233 cms_config.signerfile))
234 return (1);
235
236 cms_config.signerfile = NULL;
237
238 if (cms_config.skkeys == NULL)
239 cms_config.skkeys = sk_OPENSSL_STRING_new_null();
240 if (cms_config.skkeys == NULL)
241 return (1);
242 if (!sk_OPENSSL_STRING_push(cms_config.skkeys,
243 cms_config.keyfile))
244 return (1);
245 }
246 cms_config.keyfile = arg;
247 return (0);
248}
249
250static int
251cms_opt_keyopt(char *arg)
252{
253 int keyidx = -1;
254
255 if (cms_config.operation == SMIME_ENCRYPT) {
256 if (cms_config.encerts != NULL)
257 keyidx += sk_X509_num(cms_config.encerts);
258 } else {
259 if (cms_config.keyfile != NULL || cms_config.signerfile != NULL)
260 keyidx++;
261 if (cms_config.skkeys != NULL)
262 keyidx += sk_OPENSSL_STRING_num(cms_config.skkeys);
263 }
264
265 if (keyidx < 0) {
266 BIO_printf(bio_err, "No key specified\n");
267 return (1);
268 }
269
270 if (cms_config.key_param == NULL ||
271 cms_config.key_param->idx != keyidx) {
272 struct cms_key_param *nparam;
273
274 if ((nparam = malloc(sizeof(struct cms_key_param))) == NULL)
275 return (1);
276
277 nparam->idx = keyidx;
278 if ((nparam->param = sk_OPENSSL_STRING_new_null()) == NULL) {
279 free(nparam);
280 return (1);
281 }
282
283 nparam->next = NULL;
284 if (cms_config.key_first == NULL)
285 cms_config.key_first = nparam;
286 else
287 cms_config.key_param->next = nparam;
288
289 cms_config.key_param = nparam;
290 }
291
292 if (!sk_OPENSSL_STRING_push(cms_config.key_param->param, arg))
293 return (1);
294
295 return (0);
296}
297
298static int
299cms_opt_md(char *arg)
300{
301 if ((cms_config.sign_md = EVP_get_digestbyname(arg)) == NULL) {
302 BIO_printf(bio_err, "Unknown digest %s\n", arg);
303 return (1);
304 }
305 return (0);
306}
307
308static int
309cms_opt_print(void)
310{
311 cms_config.noout = 1;
312 cms_config.print = 1;
313 return (0);
314}
315
316static int
317cms_opt_pwri_pass(char *arg)
318{
319 cms_config.pwri_pass = (unsigned char *)arg;
320 return (0);
321}
322
323static int
324cms_opt_recip(char *arg)
325{
326 if (cms_config.operation == SMIME_ENCRYPT) {
327 if (cms_config.encerts == NULL) {
328 if ((cms_config.encerts = sk_X509_new_null()) == NULL)
329 return (1);
330 }
331
332 cms_config.cert = load_cert(bio_err, arg, FORMAT_PEM,
333 NULL, "recipient certificate file");
334 if (cms_config.cert == NULL)
335 return (1);
336
337 if (!sk_X509_push(cms_config.encerts, cms_config.cert))
338 return (1);
339
340 cms_config.cert = NULL;
341 } else {
342 cms_config.recipfile = arg;
343 }
344 return (0);
345}
346
347static int
348cms_opt_receipt_request_from(char *arg)
349{
350 if (cms_config.rr_from == NULL)
351 cms_config.rr_from = sk_OPENSSL_STRING_new_null();
352 if (cms_config.rr_from == NULL)
353 return (1);
354 if (!sk_OPENSSL_STRING_push(cms_config.rr_from, arg))
355 return (1);
356
357 return (0);
358}
359
360static int
361cms_opt_receipt_request_to(char *arg)
362{
363 if (cms_config.rr_to == NULL)
364 cms_config.rr_to = sk_OPENSSL_STRING_new_null();
365 if (cms_config.rr_to == NULL)
366 return (1);
367 if (!sk_OPENSSL_STRING_push(cms_config.rr_to, arg))
368 return (1);
369
370 return (0);
371}
372
373static int
374cms_opt_secretkey(char *arg)
375{
376 long ltmp;
377
378 if ((cms_config.secret_key = string_to_hex(arg, &ltmp)) == NULL) {
379 BIO_printf(bio_err, "Invalid key %s\n", arg);
380 return (1);
381 }
382 cms_config.secret_keylen = (size_t)ltmp;
383 return (0);
384}
385
386static int
387cms_opt_secretkeyid(char *arg)
388{
389 long ltmp;
390
391 if ((cms_config.secret_keyid = string_to_hex(arg, &ltmp)) == NULL) {
392 BIO_printf(bio_err, "Invalid id %s\n", arg);
393 return (1);
394 }
395 cms_config.secret_keyidlen = (size_t)ltmp;
396 return (0);
397}
398
399static int
400cms_opt_signer(char *arg)
401{
402 if (cms_config.signerfile != NULL) {
403 if (cms_config.sksigners == NULL)
404 cms_config.sksigners = sk_OPENSSL_STRING_new_null();
405 if (cms_config.sksigners == NULL)
406 return (1);
407 if (!sk_OPENSSL_STRING_push(cms_config.sksigners,
408 cms_config.signerfile))
409 return (1);
410
411 if (cms_config.keyfile == NULL)
412 cms_config.keyfile = cms_config.signerfile;
413
414 if (cms_config.skkeys == NULL)
415 cms_config.skkeys = sk_OPENSSL_STRING_new_null();
416 if (cms_config.skkeys == NULL)
417 return (1);
418 if (!sk_OPENSSL_STRING_push(cms_config.skkeys,
419 cms_config.keyfile))
420 return (1);
421
422 cms_config.keyfile = NULL;
423 }
424 cms_config.signerfile = arg;
425 return (0);
426}
427
428static int
429cms_opt_verify_param(int argc, char **argv, int *argsused)
430{
431 int oargc = argc;
432 int badarg = 0;
433
434 if (!args_verify(&argv, &argc, &badarg, bio_err, &cms_config.vpm))
435 return (1);
436 if (badarg)
437 return (1);
438
439 *argsused = oargc - argc;
440
441 return (0);
442}
443
444static int
445cms_opt_verify_receipt(char *arg)
446{
447 cms_config.operation = SMIME_VERIFY_RECEIPT;
448 cms_config.rctfile = arg;
449 return (0);
450}
451
452static const struct option cms_options[] = {
453#ifndef OPENSSL_NO_AES
454 {
455 .name = "aes128",
456 .desc = "Encrypt PEM output with CBC AES",
457 .type = OPTION_ARGV_FUNC,
458 .opt.argvfunc = cms_opt_cipher,
459 },
460 {
461 .name = "aes192",
462 .desc = "Encrypt PEM output with CBC AES",
463 .type = OPTION_ARGV_FUNC,
464 .opt.argvfunc = cms_opt_cipher,
465 },
466 {
467 .name = "aes256",
468 .desc = "Encrypt PEM output with CBC AES",
469 .type = OPTION_ARGV_FUNC,
470 .opt.argvfunc = cms_opt_cipher,
471 },
472#endif
473#ifndef OPENSSL_NO_CAMELLIA
474 {
475 .name = "camellia128",
476 .desc = "Encrypt PEM output with CBC Camellia",
477 .type = OPTION_ARGV_FUNC,
478 .opt.argvfunc = cms_opt_cipher,
479 },
480 {
481 .name = "camellia192",
482 .desc = "Encrypt PEM output with CBC Camellia",
483 .type = OPTION_ARGV_FUNC,
484 .opt.argvfunc = cms_opt_cipher,
485 },
486 {
487 .name = "camellia256",
488 .desc = "Encrypt PEM output with CBC Camellia",
489 .type = OPTION_ARGV_FUNC,
490 .opt.argvfunc = cms_opt_cipher,
491 },
492#endif
493#ifndef OPENSSL_NO_DES
494 {
495 .name = "des",
496 .desc = "Encrypt with DES",
497 .type = OPTION_ARGV_FUNC,
498 .opt.argvfunc = cms_opt_cipher,
499 },
500 {
501 .name = "des3",
502 .desc = "Encrypt with triple DES",
503 .type = OPTION_ARGV_FUNC,
504 .opt.argvfunc = cms_opt_cipher,
505 },
506#endif
507#ifndef OPENSSL_NO_RC2
508 {
509 .name = "rc2-40",
510 .desc = "Encrypt with RC2-40 (default)",
511 .type = OPTION_ARGV_FUNC,
512 .opt.argvfunc = cms_opt_cipher,
513 },
514 {
515 .name = "rc2-64",
516 .desc = "Encrypt with RC2-64",
517 .type = OPTION_ARGV_FUNC,
518 .opt.argvfunc = cms_opt_cipher,
519 },
520 {
521 .name = "rc2-128",
522 .desc = "Encrypt with RC2-128",
523 .type = OPTION_ARGV_FUNC,
524 .opt.argvfunc = cms_opt_cipher,
525 },
526#endif
527 {
528 .name = "CAfile",
529 .argname = "file",
530 .desc = "Certificate Authority file",
531 .type = OPTION_ARG,
532 .opt.arg = &cms_config.CAfile,
533 },
534 {
535 .name = "CApath",
536 .argname = "path",
537 .desc = "Certificate Authority path",
538 .type = OPTION_ARG,
539 .opt.arg = &cms_config.CApath,
540 },
541 {
542 .name = "binary",
543 .desc = "Do not translate message to text",
544 .type = OPTION_VALUE_OR,
545 .opt.value = &cms_config.flags,
546 .value = CMS_BINARY,
547 },
548 {
549 .name = "certfile",
550 .argname = "file",
551 .desc = "Other certificates file",
552 .type = OPTION_ARG,
553 .opt.arg = &cms_config.certfile,
554 },
555 {
556 .name = "certsout",
557 .argname = "file",
558 .desc = "Certificate output file",
559 .type = OPTION_ARG,
560 .opt.arg = &cms_config.certsoutfile,
561 },
562 {
563 .name = "cmsout",
564 .desc = "Output CMS structure",
565 .type = OPTION_VALUE,
566 .opt.value = &cms_config.operation,
567 .value = SMIME_CMSOUT,
568 },
569 {
570 .name = "compress",
571 .desc = "Create CMS CompressedData type",
572 .type = OPTION_VALUE,
573 .opt.value = &cms_config.operation,
574 .value = SMIME_COMPRESS,
575 },
576 {
577 .name = "content",
578 .argname = "file",
579 .desc = "Supply or override content for detached signature",
580 .type = OPTION_ARG,
581 .opt.arg = &cms_config.contfile,
582 },
583 {
584 .name = "crlfeol",
585 .desc = "Use CRLF as EOL termination instead of CR only",
586 .type = OPTION_VALUE_OR,
587 .opt.value = &cms_config.flags,
588 .value = CMS_CRLFEOL,
589 },
590 {
591 .name = "data_create",
592 .desc = "Create CMS Data type",
593 .type = OPTION_VALUE,
594 .opt.value = &cms_config.operation,
595 .value = SMIME_DATA_CREATE,
596 },
597 {
598 .name = "data_out",
599 .desc = "Output content from the input CMS Data type",
600 .type = OPTION_VALUE,
601 .opt.value = &cms_config.operation,
602 .value = SMIME_DATAOUT,
603 },
604 {
605 .name = "debug_decrypt",
606 .desc = "Set the CMS_DEBUG_DECRYPT flag when decrypting",
607 .type = OPTION_VALUE_OR,
608 .opt.value = &cms_config.flags,
609 .value = CMS_DEBUG_DECRYPT,
610 },
611 {
612 .name = "decrypt",
613 .desc = "Decrypt encrypted message",
614 .type = OPTION_VALUE,
615 .opt.value = &cms_config.operation,
616 .value = SMIME_DECRYPT,
617 },
618 {
619 .name = "digest_create",
620 .desc = "Create CMS DigestedData type",
621 .type = OPTION_VALUE,
622 .opt.value = &cms_config.operation,
623 .value = SMIME_DIGEST_CREATE,
624 },
625 {
626 .name = "digest_verify",
627 .desc = "Verify CMS DigestedData type and output the content",
628 .type = OPTION_VALUE,
629 .opt.value = &cms_config.operation,
630 .value = SMIME_DIGEST_VERIFY,
631 },
632 {
633 .name = "econtent_type",
634 .argname = "type",
635 .desc = "Set the encapsulated content type",
636 .type = OPTION_ARG_FUNC,
637 .opt.argfunc = cms_opt_econtent_type,
638 },
639 {
640 .name = "encrypt",
641 .desc = "Encrypt message",
642 .type = OPTION_VALUE,
643 .opt.value = &cms_config.operation,
644 .value = SMIME_ENCRYPT,
645 },
646 {
647 .name = "EncryptedData_decrypt",
648 .desc = "Decrypt CMS EncryptedData",
649 .type = OPTION_VALUE,
650 .opt.value = &cms_config.operation,
651 .value = SMIME_ENCRYPTED_DECRYPT,
652 },
653 {
654 .name = "EncryptedData_encrypt",
655 .desc = "Encrypt content using supplied symmetric key and algorithm",
656 .type = OPTION_VALUE,
657 .opt.value = &cms_config.operation,
658 .value = SMIME_ENCRYPTED_ENCRYPT,
659 },
660 {
661 .name = "from",
662 .argname = "addr",
663 .desc = "From address",
664 .type = OPTION_ARG,
665 .opt.arg = &cms_config.from,
666 },
667 {
668 .name = "in",
669 .argname = "file",
670 .desc = "Input file",
671 .type = OPTION_ARG,
672 .opt.arg = &cms_config.infile,
673 },
674 {
675 .name = "indef",
676 .desc = "Same as -stream",
677 .type = OPTION_VALUE_OR,
678 .opt.value = &cms_config.flags,
679 .value = CMS_STREAM,
680 },
681 {
682 .name = "inform",
683 .argname = "fmt",
684 .desc = "Input format (DER, PEM or SMIME (default))",
685 .type = OPTION_ARG_FORMAT,
686 .opt.value = &cms_config.informat,
687 },
688 {
689 .name = "inkey",
690 .argname = "file",
691 .desc = "Input key file",
692 .type = OPTION_ARG_FUNC,
693 .opt.argfunc = cms_opt_inkey,
694 },
695 {
696 .name = "keyform",
697 .argname = "fmt",
698 .desc = "Input key format (DER or PEM (default))",
699 .type = OPTION_ARG_FORMAT,
700 .opt.value = &cms_config.keyform,
701 },
702 {
703 .name = "keyid",
704 .desc = "Use subject key identifier",
705 .type = OPTION_VALUE_OR,
706 .opt.value = &cms_config.flags,
707 .value = CMS_USE_KEYID,
708 },
709 {
710 .name = "keyopt",
711 .argname = "nm:v",
712 .desc = "Set public key parameters",
713 .type = OPTION_ARG_FUNC,
714 .opt.argfunc = cms_opt_keyopt,
715 },
716 {
717 .name = "md",
718 .argname = "digest",
719 .desc = "Digest to use when signing or resigning",
720 .type = OPTION_ARG_FUNC,
721 .opt.argfunc = cms_opt_md,
722 },
723 {
724 .name = "no_attr_verify",
725 .desc = "Do not verify the signer's attribute of a signature",
726 .type = OPTION_VALUE_OR,
727 .opt.value = &cms_config.flags,
728 .value = CMS_NO_ATTR_VERIFY,
729 },
730 {
731 .name = "no_content_verify",
732 .desc = "Do not verify the content of a signed message",
733 .type = OPTION_VALUE_OR,
734 .opt.value = &cms_config.flags,
735 .value = CMS_NO_CONTENT_VERIFY,
736 },
737 {
738 .name = "no_signer_cert_verify",
739 .desc = "Do not verify the signer's certificate",
740 .type = OPTION_VALUE_OR,
741 .opt.value = &cms_config.flags,
742 .value = CMS_NO_SIGNER_CERT_VERIFY,
743 },
744 {
745 .name = "noattr",
746 .desc = "Do not include any signed attributes",
747 .type = OPTION_VALUE_OR,
748 .opt.value = &cms_config.flags,
749 .value = CMS_NOATTR,
750 },
751 {
752 .name = "nocerts",
753 .desc = "Do not include signer's certificate when signing",
754 .type = OPTION_VALUE_OR,
755 .opt.value = &cms_config.flags,
756 .value = CMS_NOCERTS,
757 },
758 {
759 .name = "nodetach",
760 .desc = "Use opaque signing",
761 .type = OPTION_VALUE_AND,
762 .value = ~CMS_DETACHED,
763 },
764 {
765 .name = "noindef",
766 .desc = "Disable CMS streaming",
767 .type = OPTION_VALUE_AND,
768 .value = ~CMS_STREAM,
769 },
770 {
771 .name = "nointern",
772 .desc = "Do not search certificates in message for signer",
773 .type = OPTION_VALUE_OR,
774 .opt.value = &cms_config.flags,
775 .value = CMS_NOINTERN,
776 },
777 {
778 .name = "nooldmime",
779 .desc = "Output old S/MIME content type",
780 .type = OPTION_VALUE_OR,
781 .opt.value = &cms_config.flags,
782 .value = CMS_NOOLDMIMETYPE,
783 },
784 {
785 .name = "noout",
786 .desc = "Do not output the parsed CMS structure",
787 .type = OPTION_FLAG,
788 .opt.flag = &cms_config.noout,
789 },
790 {
791 .name = "nosigs",
792 .desc = "Do not verify message signature",
793 .type = OPTION_VALUE_OR,
794 .opt.value = &cms_config.flags,
795 .value = CMS_NOSIGS,
796 },
797 {
798 .name = "nosmimecap",
799 .desc = "Omit the SMIMECapabilities attribute",
800 .type = OPTION_VALUE_OR,
801 .opt.value = &cms_config.flags,
802 .value = CMS_NOSMIMECAP,
803 },
804 {
805 .name = "noverify",
806 .desc = "Do not verify signer's certificate",
807 .type = OPTION_VALUE_OR,
808 .opt.value = &cms_config.flags,
809 .value = CMS_NO_SIGNER_CERT_VERIFY,
810 },
811 {
812 .name = "out",
813 .argname = "file",
814 .desc = "Output file",
815 .type = OPTION_ARG,
816 .opt.arg = &cms_config.outfile,
817 },
818 {
819 .name = "outform",
820 .argname = "fmt",
821 .desc = "Output format (DER, PEM or SMIME (default))",
822 .type = OPTION_ARG_FORMAT,
823 .opt.value = &cms_config.outformat,
824 },
825 {
826 .name = "passin",
827 .argname = "src",
828 .desc = "Private key password source",
829 .type = OPTION_ARG,
830 .opt.arg = &cms_config.passargin,
831 },
832 {
833 .name = "print",
834 .desc = "Print out all fields of the CMS structure for the -cmsout",
835 .type = OPTION_FUNC,
836 .opt.func = cms_opt_print,
837 },
838 {
839 .name = "pwri_password",
840 .argname = "arg",
841 .desc = "Specify PasswordRecipientInfo (PWRI) password to use",
842 .type = OPTION_ARG_FUNC,
843 .opt.argfunc = cms_opt_pwri_pass,
844 },
845 {
846 .name = "rctform",
847 .argname = "fmt",
848 .desc = "Receipt file format (DER, PEM or SMIME (default))",
849 .type = OPTION_ARG_FORMAT,
850 .opt.value = &cms_config.rctformat,
851 },
852 {
853 .name = "receipt_request_all",
854 .desc = "Indicate requests should be provided by all recipients",
855 .type = OPTION_VALUE,
856 .opt.value = &cms_config.rr_allorfirst,
857 .value = 0,
858 },
859 {
860 .name = "receipt_request_first",
861 .desc = "Indicate requests should be provided by first tier recipient",
862 .type = OPTION_VALUE,
863 .opt.value = &cms_config.rr_allorfirst,
864 .value = 1,
865 },
866 {
867 .name = "receipt_request_from",
868 .argname = "addr",
869 .desc = "Add explicit email address where receipts should be supplied",
870 .type = OPTION_ARG_FUNC,
871 .opt.argfunc = cms_opt_receipt_request_from,
872 },
873 {
874 .name = "receipt_request_print",
875 .desc = "Print out the contents of any signed receipt requests",
876 .type = OPTION_FLAG,
877 .opt.flag = &cms_config.rr_print,
878 },
879 {
880 .name = "receipt_request_to",
881 .argname = "addr",
882 .desc = "Add explicit email address where receipts should be sent to",
883 .type = OPTION_ARG_FUNC,
884 .opt.argfunc = cms_opt_receipt_request_to,
885 },
886 {
887 .name = "recip",
888 .argname = "file",
889 .desc = "Recipient certificate file for decryption",
890 .type = OPTION_ARG_FUNC,
891 .opt.argfunc = cms_opt_recip,
892 },
893 {
894 .name = "resign",
895 .desc = "Resign a signed message",
896 .type = OPTION_VALUE,
897 .opt.value = &cms_config.operation,
898 .value = SMIME_RESIGN,
899 },
900 {
901 .name = "secretkey",
902 .argname = "key",
903 .desc = "Specify symmetric key to use",
904 .type = OPTION_ARG_FUNC,
905 .opt.argfunc = cms_opt_secretkey,
906 },
907 {
908 .name = "secretkeyid",
909 .argname = "id",
910 .desc = "The key identifier for the supplied symmetric key",
911 .type = OPTION_ARG_FUNC,
912 .opt.argfunc = cms_opt_secretkeyid,
913 },
914 {
915 .name = "sign",
916 .desc = "Sign message",
917 .type = OPTION_VALUE,
918 .opt.value = &cms_config.operation,
919 .value = SMIME_SIGN,
920 },
921 {
922 .name = "sign_receipt",
923 .desc = "Generate a signed receipt for the message",
924 .type = OPTION_VALUE,
925 .opt.value = &cms_config.operation,
926 .value = SMIME_SIGN_RECEIPT,
927 },
928 {
929 .name = "signer",
930 .argname = "file",
931 .desc = "Signer certificate file",
932 .type = OPTION_ARG_FUNC,
933 .opt.argfunc = cms_opt_signer,
934 },
935 {
936 .name = "stream",
937 .desc = "Enable CMS streaming",
938 .type = OPTION_VALUE_OR,
939 .opt.value = &cms_config.flags,
940 .value = CMS_STREAM,
941 },
942 {
943 .name = "subject",
944 .argname = "s",
945 .desc = "Subject",
946 .type = OPTION_ARG,
947 .opt.arg = &cms_config.subject,
948 },
949 {
950 .name = "text",
951 .desc = "Include or delete text MIME headers",
952 .type = OPTION_VALUE_OR,
953 .opt.value = &cms_config.flags,
954 .value = CMS_TEXT,
955 },
956 {
957 .name = "to",
958 .argname = "addr",
959 .desc = "To address",
960 .type = OPTION_ARG,
961 .opt.arg = &cms_config.to,
962 },
963 {
964 .name = "uncompress",
965 .desc = "Uncompress CMS CompressedData type",
966 .type = OPTION_VALUE,
967 .opt.value = &cms_config.operation,
968 .value = SMIME_UNCOMPRESS,
969 },
970 {
971 .name = "verify",
972 .desc = "Verify signed message",
973 .type = OPTION_VALUE,
974 .opt.value = &cms_config.operation,
975 .value = SMIME_VERIFY,
976 },
977 {
978 .name = "verify_receipt",
979 .argname = "file",
980 .desc = "Verify a signed receipt in file",
981 .type = OPTION_ARG_FUNC,
982 .opt.argfunc = cms_opt_verify_receipt,
983 },
984 {
985 .name = "verify_retcode",
986 .desc = "Set verification error code to exit code",
987 .type = OPTION_FLAG,
988 .opt.flag = &cms_config.verify_retcode,
989 },
990 {
991 .name = "check_ss_sig",
992 .type = OPTION_ARGV_FUNC,
993 .opt.argvfunc = cms_opt_verify_param,
994 },
995 {
996 .name = "crl_check",
997 .type = OPTION_ARGV_FUNC,
998 .opt.argvfunc = cms_opt_verify_param,
999 },
1000 {
1001 .name = "crl_check_all",
1002 .type = OPTION_ARGV_FUNC,
1003 .opt.argvfunc = cms_opt_verify_param,
1004 },
1005 {
1006 .name = "extended_crl",
1007 .type = OPTION_ARGV_FUNC,
1008 .opt.argvfunc = cms_opt_verify_param,
1009 },
1010 {
1011 .name = "ignore_critical",
1012 .type = OPTION_ARGV_FUNC,
1013 .opt.argvfunc = cms_opt_verify_param,
1014 },
1015 {
1016 .name = "issuer_checks",
1017 .type = OPTION_ARGV_FUNC,
1018 .opt.argvfunc = cms_opt_verify_param,
1019 },
1020 {
1021 .name = "policy",
1022 .type = OPTION_ARGV_FUNC,
1023 .opt.argvfunc = cms_opt_verify_param,
1024 },
1025 {
1026 .name = "policy_check",
1027 .type = OPTION_ARGV_FUNC,
1028 .opt.argvfunc = cms_opt_verify_param,
1029 },
1030 {
1031 .name = "purpose",
1032 .type = OPTION_ARGV_FUNC,
1033 .opt.argvfunc = cms_opt_verify_param,
1034 },
1035 {
1036 .name = "x509_strict",
1037 .type = OPTION_ARGV_FUNC,
1038 .opt.argvfunc = cms_opt_verify_param,
1039 },
1040 {
1041 .name = NULL,
1042 .type = OPTION_ARGV_FUNC,
1043 .opt.argvfunc = cms_opt_cipher,
1044 },
1045 { NULL },
1046};
1047
1048static const struct option verify_shared_options[] = {
1049 {
1050 .name = "check_ss_sig",
1051 .desc = "Check the root CA self-signed certificate signature",
1052 },
1053 {
1054 .name = "crl_check",
1055 .desc = "Enable CRL checking for the leaf certificate",
1056 },
1057 {
1058 .name = "crl_check_all",
1059 .desc = "Enable CRL checking for the entire certificate chain",
1060 },
1061 {
1062 .name = "extended_crl",
1063 .desc = "Enable extended CRL support",
1064 },
1065 {
1066 .name = "ignore_critical",
1067 .desc = "Disable critical extension checking",
1068 },
1069 {
1070 .name = "issuer_checks",
1071 .desc = "Enable debugging of certificate issuer checks",
1072 },
1073 {
1074 .name = "policy",
1075 .argname = "name",
1076 .desc = "Add given policy to the acceptable set",
1077 },
1078 {
1079 .name = "policy_check",
1080 .desc = "Enable certificate policy checking",
1081 },
1082 {
1083 .name = "purpose",
1084 .argname = "name",
1085 .desc = "Verify for the given purpose",
1086 },
1087 {
1088 .name = "x509_strict",
1089 .desc = "Use strict X.509 rules (disables workarounds)",
1090 },
1091 { NULL },
1092};
1093
1094static void
1095cms_usage(void)
1096{
1097 int i;
1098
1099 fprintf(stderr, "usage: cms "
1100 "[-aes128 | -aes192 | -aes256 | -camellia128 |\n"
1101 " -camellia192 | -camellia256 | -des | -des3 |\n"
1102 " -rc2-40 | -rc2-64 | -rc2-128] [-CAfile file]\n"
1103 " [-CApath directory] [-binary] [-certfile file]\n"
1104 " [-certsout file] [-cmsout] [-compress] [-content file]\n"
1105 " [-crlfeol] [-data_create] [-data_out] [-debug_decrypt]\n"
1106 " [-decrypt] [-digest_create] [-digest_verify]\n"
1107 " [-econtent_type type] [-encrypt] [-EncryptedData_decrypt]\n"
1108 " [-EncryptedData_encrypt] [-from addr] [-in file]\n"
1109 " [-inform der | pem | smime] [-inkey file]\n"
1110 " [-keyform der | pem] [-keyid] [-keyopt nm:v] [-md digest]\n"
1111 " [-no_attr_verify] [-no_content_verify]\n"
1112 " [-no_signer_cert_verify] [-noattr] [-nocerts] [-nodetach]\n"
1113 " [-nointern] [-nooldmime] [-noout] [-nosigs] [-nosmimecap]\n"
1114 " [-noverify] [-out file] [-outform der | pem | smime]\n"
1115 " [-passin src] [-print] [-pwri_password arg]\n"
1116 " [-rctform der | pem | smime]\n"
1117 " [-receipt_request_all | -receipt_request_first]\n"
1118 " [-receipt_request_from addr] [-receipt_request_print]\n"
1119 " [-receipt_request_to addr] [-recip file] [-resign]\n"
1120 " [-secretkey key] [-secretkeyid id] [-sign] [-sign_receipt]\n"
1121 " [-signer file] [-stream | -indef | -noindef] [-subject s]\n"
1122 " [-text] [-to addr] [-uncompress] [-verify]\n"
1123 " [-verify_receipt file] [-verify_retcode] [cert.pem ...]\n\n");
1124
1125 options_usage(cms_options);
1126
1127 fprintf(stderr, "\nVerification options:\n\n");
1128 options_usage(verify_shared_options);
1129
1130 fprintf(stderr, "\nValid purposes:\n\n");
1131 for (i = 0; i < X509_PURPOSE_get_count(); i++) {
1132 X509_PURPOSE *ptmp = X509_PURPOSE_get0(i);
1133 fprintf(stderr, " %-18s%s\n", X509_PURPOSE_get0_sname(ptmp),
1134 X509_PURPOSE_get0_name(ptmp));
1135 }
1136}
1137
108int 1138int
109cms_main(int argc, char **argv) 1139cms_main(int argc, char **argv)
110{ 1140{
111 int operation = 0;
112 int ret = 0; 1141 int ret = 0;
113 char **args; 1142 char **args;
1143 int argsused = 0;
114 const char *inmode = "r", *outmode = "w"; 1144 const char *inmode = "r", *outmode = "w";
115 char *infile = NULL, *outfile = NULL, *rctfile = NULL;
116 char *signerfile = NULL, *recipfile = NULL;
117 STACK_OF(OPENSSL_STRING) *sksigners = NULL, *skkeys = NULL;
118 char *certfile = NULL, *keyfile = NULL, *contfile = NULL;
119 char *certsoutfile = NULL;
120 const EVP_CIPHER *cipher = NULL;
121 CMS_ContentInfo *cms = NULL, *rcms = NULL; 1145 CMS_ContentInfo *cms = NULL, *rcms = NULL;
122 X509_STORE *store = NULL; 1146 X509_STORE *store = NULL;
123 X509 *cert = NULL, *recip = NULL, *signer = NULL; 1147 X509 *recip = NULL, *signer = NULL;
124 EVP_PKEY *key = NULL; 1148 EVP_PKEY *key = NULL;
125 STACK_OF(X509) *encerts = NULL, *other = NULL; 1149 STACK_OF(X509) *other = NULL;
126 BIO *in = NULL, *out = NULL, *indata = NULL, *rctin = NULL; 1150 BIO *in = NULL, *out = NULL, *indata = NULL, *rctin = NULL;
127 int badarg = 0; 1151 int badarg = 0;
128 int flags = CMS_DETACHED, noout = 0, print = 0;
129 int verify_retcode = 0;
130 int rr_print = 0, rr_allorfirst = -1;
131 STACK_OF(OPENSSL_STRING) *rr_to = NULL, *rr_from = NULL;
132 CMS_ReceiptRequest *rr = NULL; 1152 CMS_ReceiptRequest *rr = NULL;
133 char *to = NULL, *from = NULL, *subject = NULL; 1153 char *passin = NULL;
134 char *CAfile = NULL, *CApath = NULL; 1154 unsigned char *pwri_tmp = NULL;
135 char *passargin = NULL, *passin = NULL;
136 const EVP_MD *sign_md = NULL;
137 int informat = FORMAT_SMIME, outformat = FORMAT_SMIME;
138 int rctformat = FORMAT_SMIME, keyform = FORMAT_PEM;
139 unsigned char *secret_key = NULL, *secret_keyid = NULL;
140 unsigned char *pwri_pass = NULL, *pwri_tmp = NULL;
141 size_t secret_keylen = 0, secret_keyidlen = 0;
142
143 struct cms_key_param *key_first = NULL, *key_param = NULL;
144
145 ASN1_OBJECT *econtent_type = NULL;
146
147 X509_VERIFY_PARAM *vpm = NULL;
148 1155
149 if (single_execution) { 1156 if (single_execution) {
150 if (pledge("stdio rpath wpath cpath tty", NULL) == -1) { 1157 if (pledge("stdio rpath wpath cpath tty", NULL) == -1) {
@@ -153,569 +1160,182 @@ cms_main(int argc, char **argv)
153 } 1160 }
154 } 1161 }
155 1162
156 args = argv + 1; 1163 memset(&cms_config, 0, sizeof(cms_config));
157 ret = 1; 1164 cms_config.flags = CMS_DETACHED;
158 1165 cms_config.rr_allorfirst = -1;
159 while (!badarg && *args && *args[0] == '-') { 1166 cms_config.informat = FORMAT_SMIME;
160 if (!strcmp(*args, "-encrypt")) 1167 cms_config.outformat = FORMAT_SMIME;
161 operation = SMIME_ENCRYPT; 1168 cms_config.rctformat = FORMAT_SMIME;
162 else if (!strcmp(*args, "-decrypt")) 1169 cms_config.keyform = FORMAT_PEM;
163 operation = SMIME_DECRYPT; 1170 if (options_parse(argc, argv, cms_options, NULL, &argsused) != 0) {
164 else if (!strcmp(*args, "-sign")) 1171 goto argerr;
165 operation = SMIME_SIGN;
166 else if (!strcmp(*args, "-sign_receipt"))
167 operation = SMIME_SIGN_RECEIPT;
168 else if (!strcmp(*args, "-resign"))
169 operation = SMIME_RESIGN;
170 else if (!strcmp(*args, "-verify"))
171 operation = SMIME_VERIFY;
172 else if (!strcmp(*args, "-verify_retcode"))
173 verify_retcode = 1;
174 else if (!strcmp(*args, "-verify_receipt")) {
175 operation = SMIME_VERIFY_RECEIPT;
176 if (!args[1])
177 goto argerr;
178 args++;
179 rctfile = *args;
180 } else if (!strcmp(*args, "-cmsout"))
181 operation = SMIME_CMSOUT;
182 else if (!strcmp(*args, "-data_out"))
183 operation = SMIME_DATAOUT;
184 else if (!strcmp(*args, "-data_create"))
185 operation = SMIME_DATA_CREATE;
186 else if (!strcmp(*args, "-digest_verify"))
187 operation = SMIME_DIGEST_VERIFY;
188 else if (!strcmp(*args, "-digest_create"))
189 operation = SMIME_DIGEST_CREATE;
190 else if (!strcmp(*args, "-compress"))
191 operation = SMIME_COMPRESS;
192 else if (!strcmp(*args, "-uncompress"))
193 operation = SMIME_UNCOMPRESS;
194 else if (!strcmp(*args, "-EncryptedData_decrypt"))
195 operation = SMIME_ENCRYPTED_DECRYPT;
196 else if (!strcmp(*args, "-EncryptedData_encrypt"))
197 operation = SMIME_ENCRYPTED_ENCRYPT;
198#ifndef OPENSSL_NO_DES
199 else if (!strcmp(*args, "-des3"))
200 cipher = EVP_des_ede3_cbc();
201 else if (!strcmp(*args, "-des"))
202 cipher = EVP_des_cbc();
203#endif
204#ifndef OPENSSL_NO_RC2
205 else if (!strcmp(*args, "-rc2-40"))
206 cipher = EVP_rc2_40_cbc();
207 else if (!strcmp(*args, "-rc2-128"))
208 cipher = EVP_rc2_cbc();
209 else if (!strcmp(*args, "-rc2-64"))
210 cipher = EVP_rc2_64_cbc();
211#endif
212#ifndef OPENSSL_NO_AES
213 else if (!strcmp(*args, "-aes128"))
214 cipher = EVP_aes_128_cbc();
215 else if (!strcmp(*args, "-aes192"))
216 cipher = EVP_aes_192_cbc();
217 else if (!strcmp(*args, "-aes256"))
218 cipher = EVP_aes_256_cbc();
219#endif
220#ifndef OPENSSL_NO_CAMELLIA
221 else if (!strcmp(*args, "-camellia128"))
222 cipher = EVP_camellia_128_cbc();
223 else if (!strcmp(*args, "-camellia192"))
224 cipher = EVP_camellia_192_cbc();
225 else if (!strcmp(*args, "-camellia256"))
226 cipher = EVP_camellia_256_cbc();
227#endif
228 else if (!strcmp(*args, "-debug_decrypt"))
229 flags |= CMS_DEBUG_DECRYPT;
230 else if (!strcmp(*args, "-text"))
231 flags |= CMS_TEXT;
232 else if (!strcmp(*args, "-nointern"))
233 flags |= CMS_NOINTERN;
234 else if (!strcmp(*args, "-noverify") ||
235 !strcmp(*args, "-no_signer_cert_verify"))
236 flags |= CMS_NO_SIGNER_CERT_VERIFY;
237 else if (!strcmp(*args, "-nocerts"))
238 flags |= CMS_NOCERTS;
239 else if (!strcmp(*args, "-noattr"))
240 flags |= CMS_NOATTR;
241 else if (!strcmp(*args, "-nodetach"))
242 flags &= ~CMS_DETACHED;
243 else if (!strcmp(*args, "-nosmimecap"))
244 flags |= CMS_NOSMIMECAP;
245 else if (!strcmp(*args, "-binary"))
246 flags |= CMS_BINARY;
247 else if (!strcmp(*args, "-keyid"))
248 flags |= CMS_USE_KEYID;
249 else if (!strcmp(*args, "-nosigs"))
250 flags |= CMS_NOSIGS;
251 else if (!strcmp(*args, "-no_content_verify"))
252 flags |= CMS_NO_CONTENT_VERIFY;
253 else if (!strcmp(*args, "-no_attr_verify"))
254 flags |= CMS_NO_ATTR_VERIFY;
255 else if (!strcmp(*args, "-stream"))
256 flags |= CMS_STREAM;
257 else if (!strcmp(*args, "-indef"))
258 flags |= CMS_STREAM;
259 else if (!strcmp(*args, "-noindef"))
260 flags &= ~CMS_STREAM;
261 else if (!strcmp(*args, "-nooldmime"))
262 flags |= CMS_NOOLDMIMETYPE;
263 else if (!strcmp(*args, "-crlfeol"))
264 flags |= CMS_CRLFEOL;
265 else if (!strcmp(*args, "-noout"))
266 noout = 1;
267 else if (!strcmp(*args, "-receipt_request_print"))
268 rr_print = 1;
269 else if (!strcmp(*args, "-receipt_request_all"))
270 rr_allorfirst = 0;
271 else if (!strcmp(*args, "-receipt_request_first"))
272 rr_allorfirst = 1;
273 else if (!strcmp(*args, "-receipt_request_from")) {
274 if (!args[1])
275 goto argerr;
276 args++;
277 if (rr_from == NULL &&
278 (rr_from = sk_OPENSSL_STRING_new_null()) == NULL)
279 goto end;
280 if (!sk_OPENSSL_STRING_push(rr_from, *args))
281 goto end;
282 } else if (!strcmp(*args, "-receipt_request_to")) {
283 if (!args[1])
284 goto argerr;
285 args++;
286 if (rr_to == NULL &&
287 (rr_to = sk_OPENSSL_STRING_new_null()) == NULL)
288 goto end;
289 if (!sk_OPENSSL_STRING_push(rr_to, *args))
290 goto end;
291 } else if (!strcmp(*args, "-print")) {
292 noout = 1;
293 print = 1;
294 } else if (!strcmp(*args, "-secretkey")) {
295 long ltmp;
296 if (!args[1])
297 goto argerr;
298 args++;
299 secret_key = string_to_hex(*args, &ltmp);
300 if (!secret_key) {
301 BIO_printf(bio_err, "Invalid key %s\n", *args);
302 goto argerr;
303 }
304 secret_keylen = (size_t) ltmp;
305 } else if (!strcmp(*args, "-secretkeyid")) {
306 long ltmp;
307 if (!args[1])
308 goto argerr;
309 args++;
310 secret_keyid = string_to_hex(*args, &ltmp);
311 if (!secret_keyid) {
312 BIO_printf(bio_err, "Invalid id %s\n", *args);
313 goto argerr;
314 }
315 secret_keyidlen = (size_t) ltmp;
316 } else if (!strcmp(*args, "-pwri_password")) {
317 if (!args[1])
318 goto argerr;
319 args++;
320 pwri_pass = (unsigned char *) *args;
321 } else if (!strcmp(*args, "-econtent_type")) {
322 if (!args[1])
323 goto argerr;
324 args++;
325 econtent_type = OBJ_txt2obj(*args, 0);
326 if (!econtent_type) {
327 BIO_printf(bio_err, "Invalid OID %s\n", *args);
328 goto argerr;
329 }
330 }
331 else if (!strcmp(*args, "-passin")) {
332 if (!args[1])
333 goto argerr;
334 passargin = *++args;
335 } else if (!strcmp(*args, "-to")) {
336 if (!args[1])
337 goto argerr;
338 to = *++args;
339 } else if (!strcmp(*args, "-from")) {
340 if (!args[1])
341 goto argerr;
342 from = *++args;
343 } else if (!strcmp(*args, "-subject")) {
344 if (!args[1])
345 goto argerr;
346 subject = *++args;
347 } else if (!strcmp(*args, "-signer")) {
348 if (!args[1])
349 goto argerr;
350 /* If previous -signer argument add signer to list */
351
352 if (signerfile) {
353 if (sksigners == NULL &&
354 (sksigners = sk_OPENSSL_STRING_new_null()) == NULL)
355 goto end;
356 if (!sk_OPENSSL_STRING_push(sksigners, signerfile))
357 goto end;
358 if (!keyfile)
359 keyfile = signerfile;
360 if (skkeys == NULL &&
361 (skkeys = sk_OPENSSL_STRING_new_null()) == NULL)
362 goto end;
363 if (!sk_OPENSSL_STRING_push(skkeys, keyfile))
364 goto end;
365 keyfile = NULL;
366 }
367 signerfile = *++args;
368 } else if (!strcmp(*args, "-recip")) {
369 if (!args[1])
370 goto argerr;
371 if (operation == SMIME_ENCRYPT) {
372 if (encerts == NULL &&
373 (encerts = sk_X509_new_null()) == NULL)
374 goto end;
375 cert = load_cert(bio_err, *++args, FORMAT_PEM,
376 NULL, "recipient certificate file");
377 if (cert == NULL)
378 goto end;
379 if (!sk_X509_push(encerts, cert))
380 goto end;
381 cert = NULL;
382 } else {
383 recipfile = *++args;
384 }
385 } else if (!strcmp(*args, "-certsout")) {
386 if (!args[1])
387 goto argerr;
388 certsoutfile = *++args;
389 } else if (!strcmp(*args, "-md")) {
390 if (!args[1])
391 goto argerr;
392 sign_md = EVP_get_digestbyname(*++args);
393 if (sign_md == NULL) {
394 BIO_printf(bio_err, "Unknown digest %s\n",
395 *args);
396 goto argerr;
397 }
398 } else if (!strcmp(*args, "-inkey")) {
399 if (!args[1])
400 goto argerr;
401 /* If previous -inkey arument add signer to list */
402 if (keyfile) {
403 if (!signerfile) {
404 BIO_puts(bio_err,
405 "Illegal -inkey without -signer\n");
406 goto argerr;
407 }
408 if (sksigners == NULL &&
409 (sksigners = sk_OPENSSL_STRING_new_null()) == NULL)
410 goto end;
411 if (!sk_OPENSSL_STRING_push(sksigners, signerfile))
412 goto end;
413 signerfile = NULL;
414 if (skkeys == NULL &&
415 (skkeys = sk_OPENSSL_STRING_new_null()) == NULL)
416 goto end;
417 if (!sk_OPENSSL_STRING_push(skkeys, keyfile))
418 goto end;
419 }
420 keyfile = *++args;
421 } else if (!strcmp(*args, "-keyform")) {
422 if (!args[1])
423 goto argerr;
424 keyform = str2fmt(*++args);
425 } else if (!strcmp (*args, "-keyopt")) {
426 int keyidx = -1;
427 if (!args[1])
428 goto argerr;
429 if (operation == SMIME_ENCRYPT) {
430 if (encerts != NULL)
431 keyidx += sk_X509_num(encerts);
432 } else {
433 if (keyfile != NULL || signerfile != NULL)
434 keyidx++;
435 if (skkeys != NULL)
436 keyidx += sk_OPENSSL_STRING_num(skkeys);
437 }
438 if (keyidx < 0) {
439 BIO_printf(bio_err, "No key specified\n");
440 goto argerr;
441 }
442 if (key_param == NULL || key_param->idx != keyidx) {
443 struct cms_key_param *nparam;
444 if ((nparam = malloc(sizeof(struct cms_key_param))) == NULL)
445 goto end;
446 nparam->idx = keyidx;
447 if ((nparam->param = sk_OPENSSL_STRING_new_null()) == NULL) {
448 free(nparam);
449 goto end;
450 }
451 nparam->next = NULL;
452 if (key_first == NULL)
453 key_first = nparam;
454 else
455 key_param->next = nparam;
456 key_param = nparam;
457 }
458 if (!sk_OPENSSL_STRING_push(key_param->param, *++args))
459 goto end;
460 } else if (!strcmp(*args, "-rctform")) {
461 if (!args[1])
462 goto argerr;
463 rctformat = str2fmt(*++args);
464 } else if (!strcmp(*args, "-certfile")) {
465 if (!args[1])
466 goto argerr;
467 certfile = *++args;
468 } else if (!strcmp(*args, "-CAfile")) {
469 if (!args[1])
470 goto argerr;
471 CAfile = *++args;
472 } else if (!strcmp(*args, "-CApath")) {
473 if (!args[1])
474 goto argerr;
475 CApath = *++args;
476 } else if (!strcmp(*args, "-in")) {
477 if (!args[1])
478 goto argerr;
479 infile = *++args;
480 } else if (!strcmp(*args, "-inform")) {
481 if (!args[1])
482 goto argerr;
483 informat = str2fmt(*++args);
484 } else if (!strcmp(*args, "-outform")) {
485 if (!args[1])
486 goto argerr;
487 outformat = str2fmt(*++args);
488 } else if (!strcmp(*args, "-out")) {
489 if (!args[1])
490 goto argerr;
491 outfile = *++args;
492 } else if (!strcmp(*args, "-content")) {
493 if (!args[1])
494 goto argerr;
495 contfile = *++args;
496 } else if (args_verify(&args, NULL, &badarg, bio_err, &vpm))
497 continue;
498 else if ((cipher = EVP_get_cipherbyname(*args + 1)) == NULL)
499 badarg = 1;
500 args++;
501 } 1172 }
1173 args = argv + argsused;
1174 ret = 1;
502 1175
503 if (((rr_allorfirst != -1) || rr_from) && !rr_to) { 1176 if (((cms_config.rr_allorfirst != -1) || cms_config.rr_from) && !cms_config.rr_to) {
504 BIO_puts(bio_err, "No Signed Receipts Recipients\n"); 1177 BIO_puts(bio_err, "No Signed Receipts Recipients\n");
505 goto argerr; 1178 goto argerr;
506 } 1179 }
507 if (!(operation & SMIME_SIGNERS) && (rr_to || rr_from)) { 1180 if (!(cms_config.operation & SMIME_SIGNERS) && (cms_config.rr_to || cms_config.rr_from)) {
508 BIO_puts(bio_err, "Signed receipts only allowed with -sign\n"); 1181 BIO_puts(bio_err, "Signed receipts only allowed with -sign\n");
509 goto argerr; 1182 goto argerr;
510 } 1183 }
511 if (!(operation & SMIME_SIGNERS) && (skkeys || sksigners)) { 1184 if (!(cms_config.operation & SMIME_SIGNERS) && (cms_config.skkeys || cms_config.sksigners)) {
512 BIO_puts(bio_err, "Multiple signers or keys not allowed\n"); 1185 BIO_puts(bio_err, "Multiple signers or keys not allowed\n");
513 goto argerr; 1186 goto argerr;
514 } 1187 }
515 if (operation & SMIME_SIGNERS) { 1188 if (cms_config.operation & SMIME_SIGNERS) {
516 if (keyfile && !signerfile) { 1189 if (cms_config.keyfile && !cms_config.signerfile) {
517 BIO_puts(bio_err, "Illegal -inkey without -signer\n"); 1190 BIO_puts(bio_err, "Illegal -inkey without -signer\n");
518 goto argerr; 1191 goto argerr;
519 } 1192 }
520 /* Check to see if any final signer needs to be appended */ 1193 /* Check to see if any final signer needs to be appended */
521 if (signerfile) { 1194 if (cms_config.signerfile) {
522 if (sksigners == NULL && 1195 if (cms_config.sksigners == NULL &&
523 (sksigners = sk_OPENSSL_STRING_new_null()) == NULL) 1196 (cms_config.sksigners = sk_OPENSSL_STRING_new_null()) == NULL)
524 goto end; 1197 goto end;
525 if (!sk_OPENSSL_STRING_push(sksigners, signerfile)) 1198 if (!sk_OPENSSL_STRING_push(cms_config.sksigners, cms_config.signerfile))
526 goto end; 1199 goto end;
527 if (skkeys == NULL && 1200 if (cms_config.skkeys == NULL &&
528 (skkeys = sk_OPENSSL_STRING_new_null()) == NULL) 1201 (cms_config.skkeys = sk_OPENSSL_STRING_new_null()) == NULL)
529 goto end; 1202 goto end;
530 if (!keyfile) 1203 if (!cms_config.keyfile)
531 keyfile = signerfile; 1204 cms_config.keyfile = cms_config.signerfile;
532 if (!sk_OPENSSL_STRING_push(skkeys, keyfile)) 1205 if (!sk_OPENSSL_STRING_push(cms_config.skkeys, cms_config.keyfile))
533 goto end; 1206 goto end;
534 } 1207 }
535 if (!sksigners) { 1208 if (!cms_config.sksigners) {
536 BIO_printf(bio_err, 1209 BIO_printf(bio_err,
537 "No signer certificate specified\n"); 1210 "No signer certificate specified\n");
538 badarg = 1; 1211 badarg = 1;
539 } 1212 }
540 signerfile = NULL; 1213 cms_config.signerfile = NULL;
541 keyfile = NULL; 1214 cms_config.keyfile = NULL;
542 } else if (operation == SMIME_DECRYPT) { 1215 } else if (cms_config.operation == SMIME_DECRYPT) {
543 if (!recipfile && !keyfile && !secret_key && !pwri_pass) { 1216 if (!cms_config.recipfile && !cms_config.keyfile && !cms_config.secret_key && !cms_config.pwri_pass) {
544 BIO_printf(bio_err, 1217 BIO_printf(bio_err,
545 "No recipient certificate or key specified\n"); 1218 "No recipient certificate or key specified\n");
546 badarg = 1; 1219 badarg = 1;
547 } 1220 }
548 } else if (operation == SMIME_ENCRYPT) { 1221 } else if (cms_config.operation == SMIME_ENCRYPT) {
549 if (!*args && !secret_key && !pwri_pass && !encerts) { 1222 if (!*args && !cms_config.secret_key && !cms_config.pwri_pass && !cms_config.encerts) {
550 BIO_printf(bio_err, 1223 BIO_printf(bio_err,
551 "No recipient(s) certificate(s) specified\n"); 1224 "No recipient(s) certificate(s) specified\n");
552 badarg = 1; 1225 badarg = 1;
553 } 1226 }
554 } else if (!operation) 1227 } else if (!cms_config.operation)
555 badarg = 1; 1228 badarg = 1;
556 1229
557 if (badarg) { 1230 if (badarg) {
558 argerr: 1231 argerr:
559 BIO_printf(bio_err, "Usage cms [options] cert.pem ...\n"); 1232 cms_usage();
560 BIO_printf(bio_err, "where options are\n");
561 BIO_printf(bio_err, "-encrypt encrypt message\n");
562 BIO_printf(bio_err, "-decrypt decrypt encrypted message\n");
563 BIO_printf(bio_err, "-sign sign message\n");
564 BIO_printf(bio_err, "-verify verify signed message\n");
565 BIO_printf(bio_err, "-cmsout output CMS structure\n");
566#ifndef OPENSSL_NO_DES
567 BIO_printf(bio_err, "-des3 encrypt with triple DES\n");
568 BIO_printf(bio_err, "-des encrypt with DES\n");
569#endif
570#ifndef OPENSSL_NO_RC2
571 BIO_printf(bio_err, "-rc2-40 encrypt with RC2-40 (default)\n");
572 BIO_printf(bio_err, "-rc2-64 encrypt with RC2-64\n");
573 BIO_printf(bio_err, "-rc2-128 encrypt with RC2-128\n");
574#endif
575#ifndef OPENSSL_NO_AES
576 BIO_printf(bio_err, "-aes128, -aes192, -aes256\n");
577 BIO_printf(bio_err, " encrypt PEM output with cbc aes\n");
578#endif
579#ifndef OPENSSL_NO_CAMELLIA
580 BIO_printf(bio_err, "-camellia128, -camellia192, -camellia256\n");
581 BIO_printf(bio_err, " encrypt PEM output with cbc camellia\n");
582#endif
583 BIO_printf(bio_err, "-nointern don't search certificates in message for signer\n");
584 BIO_printf(bio_err, "-nosigs don't verify message signature\n");
585 BIO_printf(bio_err, "-noverify don't verify signers certificate\n");
586 BIO_printf(bio_err, "-nocerts don't include signers certificate when signing\n");
587 BIO_printf(bio_err, "-nodetach use opaque signing\n");
588 BIO_printf(bio_err, "-noattr don't include any signed attributes\n");
589 BIO_printf(bio_err, "-binary don't translate message to text\n");
590 BIO_printf(bio_err, "-certfile file other certificates file\n");
591 BIO_printf(bio_err, "-certsout file certificate output file\n");
592 BIO_printf(bio_err, "-signer file signer certificate file\n");
593 BIO_printf(bio_err, "-recip file recipient certificate file for decryption\n");
594 BIO_printf(bio_err, "-keyid use subject key identifier\n");
595 BIO_printf(bio_err, "-in file input file\n");
596 BIO_printf(bio_err, "-inform arg input format SMIME (default), PEM or DER\n");
597 BIO_printf(bio_err, "-inkey file input private key (if not signer or recipient)\n");
598 BIO_printf(bio_err, "-keyform arg input private key format (PEM)\n");
599 BIO_printf(bio_err, "-keyopt nm:v set public key parameters\n");
600 BIO_printf(bio_err, "-out file output file\n");
601 BIO_printf(bio_err, "-outform arg output format SMIME (default), PEM or DER\n");
602 BIO_printf(bio_err, "-content file supply or override content for detached signature\n");
603 BIO_printf(bio_err, "-to addr to address\n");
604 BIO_printf(bio_err, "-from ad from address\n");
605 BIO_printf(bio_err, "-subject s subject\n");
606 BIO_printf(bio_err, "-text include or delete text MIME headers\n");
607 BIO_printf(bio_err, "-CApath dir trusted certificates directory\n");
608 BIO_printf(bio_err, "-CAfile file trusted certificates file\n");
609 BIO_printf(bio_err, "-crl_check check revocation status of signer's certificate using CRLs\n");
610 BIO_printf(bio_err, "-crl_check_all check revocation status of signer's certificate chain using CRLs\n");
611 BIO_printf(bio_err, "-passin arg input file pass phrase source\n");
612 BIO_printf(bio_err, "cert.pem recipient certificate(s) for encryption\n");
613 goto end; 1233 goto end;
614 } 1234 }
615 1235
616 if (!app_passwd(bio_err, passargin, NULL, &passin, NULL)) { 1236 if (!app_passwd(bio_err, cms_config.passargin, NULL, &passin, NULL)) {
617 BIO_printf(bio_err, "Error getting password\n"); 1237 BIO_printf(bio_err, "Error getting password\n");
618 goto end; 1238 goto end;
619 } 1239 }
620 ret = 2; 1240 ret = 2;
621 1241
622 if (!(operation & SMIME_SIGNERS)) 1242 if (!(cms_config.operation & SMIME_SIGNERS))
623 flags &= ~CMS_DETACHED; 1243 cms_config.flags &= ~CMS_DETACHED;
624 1244
625 if (operation & SMIME_OP) { 1245 if (cms_config.operation & SMIME_OP) {
626 if (outformat == FORMAT_ASN1) 1246 if (cms_config.outformat == FORMAT_ASN1)
627 outmode = "wb"; 1247 outmode = "wb";
628 } else { 1248 } else {
629 if (flags & CMS_BINARY) 1249 if (cms_config.flags & CMS_BINARY)
630 outmode = "wb"; 1250 outmode = "wb";
631 } 1251 }
632 1252
633 if (operation & SMIME_IP) { 1253 if (cms_config.operation & SMIME_IP) {
634 if (informat == FORMAT_ASN1) 1254 if (cms_config.informat == FORMAT_ASN1)
635 inmode = "rb"; 1255 inmode = "rb";
636 } else { 1256 } else {
637 if (flags & CMS_BINARY) 1257 if (cms_config.flags & CMS_BINARY)
638 inmode = "rb"; 1258 inmode = "rb";
639 } 1259 }
640 1260
641 if (operation == SMIME_ENCRYPT) { 1261 if (cms_config.operation == SMIME_ENCRYPT) {
642 if (!cipher) { 1262 if (!cms_config.cipher) {
643#ifndef OPENSSL_NO_DES 1263#ifndef OPENSSL_NO_DES
644 cipher = EVP_des_ede3_cbc(); 1264 cms_config.cipher = EVP_des_ede3_cbc();
645#else 1265#else
646 BIO_printf(bio_err, "No cipher selected\n"); 1266 BIO_printf(bio_err, "No cipher selected\n");
647 goto end; 1267 goto end;
648#endif 1268#endif
649 } 1269 }
650 if (secret_key && !secret_keyid) { 1270 if (cms_config.secret_key && !cms_config.secret_keyid) {
651 BIO_printf(bio_err, "No secret key id\n"); 1271 BIO_printf(bio_err, "No secret key id\n");
652 goto end; 1272 goto end;
653 } 1273 }
654 if (*args && encerts == NULL) 1274 if (*args && cms_config.encerts == NULL)
655 if ((encerts = sk_X509_new_null()) == NULL) 1275 if ((cms_config.encerts = sk_X509_new_null()) == NULL)
656 goto end; 1276 goto end;
657 while (*args) { 1277 while (*args) {
658 if (!(cert = load_cert(bio_err, *args, FORMAT_PEM, 1278 if (!(cms_config.cert = load_cert(bio_err, *args, FORMAT_PEM,
659 NULL, "recipient certificate file"))) 1279 NULL, "recipient certificate file")))
660 goto end; 1280 goto end;
661 if (!sk_X509_push(encerts, cert)) 1281 if (!sk_X509_push(cms_config.encerts, cms_config.cert))
662 goto end; 1282 goto end;
663 cert = NULL; 1283 cms_config.cert = NULL;
664 args++; 1284 args++;
665 } 1285 }
666 } 1286 }
667 if (certfile) { 1287 if (cms_config.certfile) {
668 if (!(other = load_certs(bio_err, certfile, FORMAT_PEM, NULL, 1288 if (!(other = load_certs(bio_err, cms_config.certfile, FORMAT_PEM, NULL,
669 "certificate file"))) { 1289 "certificate file"))) {
670 ERR_print_errors(bio_err); 1290 ERR_print_errors(bio_err);
671 goto end; 1291 goto end;
672 } 1292 }
673 } 1293 }
674 if (recipfile && (operation == SMIME_DECRYPT)) { 1294 if (cms_config.recipfile && (cms_config.operation == SMIME_DECRYPT)) {
675 if (!(recip = load_cert(bio_err, recipfile, FORMAT_PEM, NULL, 1295 if (!(recip = load_cert(bio_err, cms_config.recipfile, FORMAT_PEM, NULL,
676 "recipient certificate file"))) { 1296 "recipient certificate file"))) {
677 ERR_print_errors(bio_err); 1297 ERR_print_errors(bio_err);
678 goto end; 1298 goto end;
679 } 1299 }
680 } 1300 }
681 if (operation == SMIME_SIGN_RECEIPT) { 1301 if (cms_config.operation == SMIME_SIGN_RECEIPT) {
682 if (!(signer = load_cert(bio_err, signerfile, FORMAT_PEM, NULL, 1302 if (!(signer = load_cert(bio_err, cms_config.signerfile, FORMAT_PEM, NULL,
683 "receipt signer certificate file"))) { 1303 "receipt signer certificate file"))) {
684 ERR_print_errors(bio_err); 1304 ERR_print_errors(bio_err);
685 goto end; 1305 goto end;
686 } 1306 }
687 } 1307 }
688 if (operation == SMIME_DECRYPT) { 1308 if (cms_config.operation == SMIME_DECRYPT) {
689 if (!keyfile) 1309 if (!cms_config.keyfile)
690 keyfile = recipfile; 1310 cms_config.keyfile = cms_config.recipfile;
691 } else if ((operation == SMIME_SIGN) || 1311 } else if ((cms_config.operation == SMIME_SIGN) ||
692 (operation == SMIME_SIGN_RECEIPT)) { 1312 (cms_config.operation == SMIME_SIGN_RECEIPT)) {
693 if (!keyfile) 1313 if (!cms_config.keyfile)
694 keyfile = signerfile; 1314 cms_config.keyfile = cms_config.signerfile;
695 } else 1315 } else
696 keyfile = NULL; 1316 cms_config.keyfile = NULL;
697 1317
698 if (keyfile) { 1318 if (cms_config.keyfile) {
699 key = load_key(bio_err, keyfile, keyform, 0, passin, 1319 key = load_key(bio_err, cms_config.keyfile, cms_config.keyform, 0, passin,
700 "signing key file"); 1320 "signing key file");
701 if (!key) 1321 if (!key)
702 goto end; 1322 goto end;
703 } 1323 }
704 if (infile) { 1324 if (cms_config.infile) {
705 if (!(in = BIO_new_file(infile, inmode))) { 1325 if (!(in = BIO_new_file(cms_config.infile, inmode))) {
706 BIO_printf(bio_err, 1326 BIO_printf(bio_err,
707 "Can't open input file %s\n", infile); 1327 "Can't open input file %s\n", cms_config.infile);
708 goto end; 1328 goto end;
709 } 1329 }
710 } else 1330 } else
711 in = BIO_new_fp(stdin, BIO_NOCLOSE); 1331 in = BIO_new_fp(stdin, BIO_NOCLOSE);
712 1332
713 if (operation & SMIME_IP) { 1333 if (cms_config.operation & SMIME_IP) {
714 if (informat == FORMAT_SMIME) 1334 if (cms_config.informat == FORMAT_SMIME)
715 cms = SMIME_read_CMS(in, &indata); 1335 cms = SMIME_read_CMS(in, &indata);
716 else if (informat == FORMAT_PEM) 1336 else if (cms_config.informat == FORMAT_PEM)
717 cms = PEM_read_bio_CMS(in, NULL, NULL, NULL); 1337 cms = PEM_read_bio_CMS(in, NULL, NULL, NULL);
718 else if (informat == FORMAT_ASN1) 1338 else if (cms_config.informat == FORMAT_ASN1)
719 cms = d2i_CMS_bio(in, NULL); 1339 cms = d2i_CMS_bio(in, NULL);
720 else { 1340 else {
721 BIO_printf(bio_err, "Bad input format for CMS file\n"); 1341 BIO_printf(bio_err, "Bad input format for CMS file\n");
@@ -726,40 +1346,40 @@ cms_main(int argc, char **argv)
726 BIO_printf(bio_err, "Error reading S/MIME message\n"); 1346 BIO_printf(bio_err, "Error reading S/MIME message\n");
727 goto end; 1347 goto end;
728 } 1348 }
729 if (contfile) { 1349 if (cms_config.contfile) {
730 BIO_free(indata); 1350 BIO_free(indata);
731 if (!(indata = BIO_new_file(contfile, "rb"))) { 1351 if (!(indata = BIO_new_file(cms_config.contfile, "rb"))) {
732 BIO_printf(bio_err, 1352 BIO_printf(bio_err,
733 "Can't read content file %s\n", contfile); 1353 "Can't read content file %s\n", cms_config.contfile);
734 goto end; 1354 goto end;
735 } 1355 }
736 } 1356 }
737 if (certsoutfile) { 1357 if (cms_config.certsoutfile) {
738 STACK_OF(X509) *allcerts; 1358 STACK_OF(X509) *allcerts;
739 if ((allcerts = CMS_get1_certs(cms)) == NULL) 1359 if ((allcerts = CMS_get1_certs(cms)) == NULL)
740 goto end; 1360 goto end;
741 if (!save_certs(certsoutfile, allcerts)) { 1361 if (!save_certs(cms_config.certsoutfile, allcerts)) {
742 BIO_printf(bio_err, 1362 BIO_printf(bio_err,
743 "Error writing certs to %s\n", 1363 "Error writing certs to %s\n",
744 certsoutfile); 1364 cms_config.certsoutfile);
745 ret = 5; 1365 ret = 5;
746 goto end; 1366 goto end;
747 } 1367 }
748 sk_X509_pop_free(allcerts, X509_free); 1368 sk_X509_pop_free(allcerts, X509_free);
749 } 1369 }
750 } 1370 }
751 if (rctfile) { 1371 if (cms_config.rctfile) {
752 char *rctmode = (rctformat == FORMAT_ASN1) ? "rb" : "r"; 1372 char *rctmode = (cms_config.rctformat == FORMAT_ASN1) ? "rb" : "r";
753 if (!(rctin = BIO_new_file(rctfile, rctmode))) { 1373 if (!(rctin = BIO_new_file(cms_config.rctfile, rctmode))) {
754 BIO_printf(bio_err, 1374 BIO_printf(bio_err,
755 "Can't open receipt file %s\n", rctfile); 1375 "Can't open receipt file %s\n", cms_config.rctfile);
756 goto end; 1376 goto end;
757 } 1377 }
758 if (rctformat == FORMAT_SMIME) 1378 if (cms_config.rctformat == FORMAT_SMIME)
759 rcms = SMIME_read_CMS(rctin, NULL); 1379 rcms = SMIME_read_CMS(rctin, NULL);
760 else if (rctformat == FORMAT_PEM) 1380 else if (cms_config.rctformat == FORMAT_PEM)
761 rcms = PEM_read_bio_CMS(rctin, NULL, NULL, NULL); 1381 rcms = PEM_read_bio_CMS(rctin, NULL, NULL, NULL);
762 else if (rctformat == FORMAT_ASN1) 1382 else if (cms_config.rctformat == FORMAT_ASN1)
763 rcms = d2i_CMS_bio(rctin, NULL); 1383 rcms = d2i_CMS_bio(rctin, NULL);
764 else { 1384 else {
765 BIO_printf(bio_err, "Bad input format for receipt\n"); 1385 BIO_printf(bio_err, "Bad input format for receipt\n");
@@ -771,44 +1391,44 @@ cms_main(int argc, char **argv)
771 goto end; 1391 goto end;
772 } 1392 }
773 } 1393 }
774 if (outfile) { 1394 if (cms_config.outfile) {
775 if (!(out = BIO_new_file(outfile, outmode))) { 1395 if (!(out = BIO_new_file(cms_config.outfile, outmode))) {
776 BIO_printf(bio_err, 1396 BIO_printf(bio_err,
777 "Can't open output file %s\n", outfile); 1397 "Can't open output file %s\n", cms_config.outfile);
778 goto end; 1398 goto end;
779 } 1399 }
780 } else { 1400 } else {
781 out = BIO_new_fp(stdout, BIO_NOCLOSE); 1401 out = BIO_new_fp(stdout, BIO_NOCLOSE);
782 } 1402 }
783 1403
784 if ((operation == SMIME_VERIFY) || 1404 if ((cms_config.operation == SMIME_VERIFY) ||
785 (operation == SMIME_VERIFY_RECEIPT)) { 1405 (cms_config.operation == SMIME_VERIFY_RECEIPT)) {
786 if (!(store = setup_verify(bio_err, CAfile, CApath))) 1406 if (!(store = setup_verify(bio_err, cms_config.CAfile, cms_config.CApath)))
787 goto end; 1407 goto end;
788 X509_STORE_set_verify_cb(store, cms_cb); 1408 X509_STORE_set_verify_cb(store, cms_cb);
789 if (vpm) 1409 if (cms_config.vpm)
790 X509_STORE_set1_param(store, vpm); 1410 X509_STORE_set1_param(store, cms_config.vpm);
791 } 1411 }
792 ret = 3; 1412 ret = 3;
793 1413
794 if (operation == SMIME_DATA_CREATE) { 1414 if (cms_config.operation == SMIME_DATA_CREATE) {
795 cms = CMS_data_create(in, flags); 1415 cms = CMS_data_create(in, cms_config.flags);
796 } else if (operation == SMIME_DIGEST_CREATE) { 1416 } else if (cms_config.operation == SMIME_DIGEST_CREATE) {
797 cms = CMS_digest_create(in, sign_md, flags); 1417 cms = CMS_digest_create(in, cms_config.sign_md, cms_config.flags);
798 } else if (operation == SMIME_COMPRESS) { 1418 } else if (cms_config.operation == SMIME_COMPRESS) {
799 cms = CMS_compress(in, -1, flags); 1419 cms = CMS_compress(in, -1, cms_config.flags);
800 } else if (operation == SMIME_ENCRYPT) { 1420 } else if (cms_config.operation == SMIME_ENCRYPT) {
801 int i; 1421 int i;
802 flags |= CMS_PARTIAL; 1422 cms_config.flags |= CMS_PARTIAL;
803 cms = CMS_encrypt(NULL, in, cipher, flags); 1423 cms = CMS_encrypt(NULL, in, cms_config.cipher, cms_config.flags);
804 if (cms == NULL) 1424 if (cms == NULL)
805 goto end; 1425 goto end;
806 for (i = 0; i < sk_X509_num(encerts); i++) { 1426 for (i = 0; i < sk_X509_num(cms_config.encerts); i++) {
807 CMS_RecipientInfo *ri; 1427 CMS_RecipientInfo *ri;
808 struct cms_key_param *kparam; 1428 struct cms_key_param *kparam;
809 int tflags = flags; 1429 int tflags = cms_config.flags;
810 X509 *x = sk_X509_value(encerts, i); 1430 X509 *x = sk_X509_value(cms_config.encerts, i);
811 for (kparam = key_first; kparam; kparam = kparam->next) { 1431 for (kparam = cms_config.key_first; kparam; kparam = kparam->next) {
812 if (kparam->idx == i) { 1432 if (kparam->idx == i) {
813 tflags |= CMS_KEY_PARAM; 1433 tflags |= CMS_KEY_PARAM;
814 break; 1434 break;
@@ -826,17 +1446,17 @@ cms_main(int argc, char **argv)
826 } 1446 }
827 } 1447 }
828 1448
829 if (secret_key) { 1449 if (cms_config.secret_key) {
830 if (!CMS_add0_recipient_key(cms, NID_undef, secret_key, 1450 if (!CMS_add0_recipient_key(cms, NID_undef, cms_config.secret_key,
831 secret_keylen, secret_keyid, secret_keyidlen, 1451 cms_config.secret_keylen, cms_config.secret_keyid, cms_config.secret_keyidlen,
832 NULL, NULL, NULL)) 1452 NULL, NULL, NULL))
833 goto end; 1453 goto end;
834 /* NULL these because call absorbs them */ 1454 /* NULL these because call absorbs them */
835 secret_key = NULL; 1455 cms_config.secret_key = NULL;
836 secret_keyid = NULL; 1456 cms_config.secret_keyid = NULL;
837 } 1457 }
838 if (pwri_pass) { 1458 if (cms_config.pwri_pass) {
839 pwri_tmp = strdup(pwri_pass); 1459 pwri_tmp = strdup(cms_config.pwri_pass);
840 if (!pwri_tmp) 1460 if (!pwri_tmp)
841 goto end; 1461 goto end;
842 if (!CMS_add0_recipient_password(cms, -1, NID_undef, 1462 if (!CMS_add0_recipient_password(cms, -1, NID_undef,
@@ -844,15 +1464,15 @@ cms_main(int argc, char **argv)
844 goto end; 1464 goto end;
845 pwri_tmp = NULL; 1465 pwri_tmp = NULL;
846 } 1466 }
847 if (!(flags & CMS_STREAM)) { 1467 if (!(cms_config.flags & CMS_STREAM)) {
848 if (!CMS_final(cms, in, NULL, flags)) 1468 if (!CMS_final(cms, in, NULL, cms_config.flags))
849 goto end; 1469 goto end;
850 } 1470 }
851 } else if (operation == SMIME_ENCRYPTED_ENCRYPT) { 1471 } else if (cms_config.operation == SMIME_ENCRYPTED_ENCRYPT) {
852 cms = CMS_EncryptedData_encrypt(in, cipher, secret_key, 1472 cms = CMS_EncryptedData_encrypt(in, cms_config.cipher, cms_config.secret_key,
853 secret_keylen, flags); 1473 cms_config.secret_keylen, cms_config.flags);
854 1474
855 } else if (operation == SMIME_SIGN_RECEIPT) { 1475 } else if (cms_config.operation == SMIME_SIGN_RECEIPT) {
856 CMS_ContentInfo *srcms = NULL; 1476 CMS_ContentInfo *srcms = NULL;
857 STACK_OF(CMS_SignerInfo) *sis; 1477 STACK_OF(CMS_SignerInfo) *sis;
858 CMS_SignerInfo *si; 1478 CMS_SignerInfo *si;
@@ -860,34 +1480,34 @@ cms_main(int argc, char **argv)
860 if (!sis) 1480 if (!sis)
861 goto end; 1481 goto end;
862 si = sk_CMS_SignerInfo_value(sis, 0); 1482 si = sk_CMS_SignerInfo_value(sis, 0);
863 srcms = CMS_sign_receipt(si, signer, key, other, flags); 1483 srcms = CMS_sign_receipt(si, signer, key, other, cms_config.flags);
864 if (!srcms) 1484 if (!srcms)
865 goto end; 1485 goto end;
866 CMS_ContentInfo_free(cms); 1486 CMS_ContentInfo_free(cms);
867 cms = srcms; 1487 cms = srcms;
868 } else if (operation & SMIME_SIGNERS) { 1488 } else if (cms_config.operation & SMIME_SIGNERS) {
869 int i; 1489 int i;
870 /* 1490 /*
871 * If detached data content we enable streaming if S/MIME 1491 * If detached data content we enable streaming if S/MIME
872 * output format. 1492 * output format.
873 */ 1493 */
874 if (operation == SMIME_SIGN) { 1494 if (cms_config.operation == SMIME_SIGN) {
875 1495
876 if (flags & CMS_DETACHED) { 1496 if (cms_config.flags & CMS_DETACHED) {
877 if (outformat == FORMAT_SMIME) 1497 if (cms_config.outformat == FORMAT_SMIME)
878 flags |= CMS_STREAM; 1498 cms_config.flags |= CMS_STREAM;
879 } 1499 }
880 flags |= CMS_PARTIAL; 1500 cms_config.flags |= CMS_PARTIAL;
881 cms = CMS_sign(NULL, NULL, other, in, flags); 1501 cms = CMS_sign(NULL, NULL, other, in, cms_config.flags);
882 if (!cms) 1502 if (!cms)
883 goto end; 1503 goto end;
884 if (econtent_type) 1504 if (cms_config.econtent_type)
885 if (!CMS_set1_eContentType(cms, econtent_type)) 1505 if (!CMS_set1_eContentType(cms, cms_config.econtent_type))
886 goto end; 1506 goto end;
887 1507
888 if (rr_to) { 1508 if (cms_config.rr_to) {
889 rr = make_receipt_request(rr_to, rr_allorfirst, 1509 rr = make_receipt_request(cms_config.rr_to, cms_config.rr_allorfirst,
890 rr_from); 1510 cms_config.rr_from);
891 if (!rr) { 1511 if (!rr) {
892 BIO_puts(bio_err, 1512 BIO_puts(bio_err,
893 "Signed Receipt Request Creation Error\n"); 1513 "Signed Receipt Request Creation Error\n");
@@ -895,29 +1515,29 @@ cms_main(int argc, char **argv)
895 } 1515 }
896 } 1516 }
897 } else 1517 } else
898 flags |= CMS_REUSE_DIGEST; 1518 cms_config.flags |= CMS_REUSE_DIGEST;
899 for (i = 0; i < sk_OPENSSL_STRING_num(sksigners); i++) { 1519 for (i = 0; i < sk_OPENSSL_STRING_num(cms_config.sksigners); i++) {
900 CMS_SignerInfo *si; 1520 CMS_SignerInfo *si;
901 struct cms_key_param *kparam; 1521 struct cms_key_param *kparam;
902 int tflags = flags; 1522 int tflags = cms_config.flags;
903 signerfile = sk_OPENSSL_STRING_value(sksigners, i); 1523 cms_config.signerfile = sk_OPENSSL_STRING_value(cms_config.sksigners, i);
904 keyfile = sk_OPENSSL_STRING_value(skkeys, i); 1524 cms_config.keyfile = sk_OPENSSL_STRING_value(cms_config.skkeys, i);
905 1525
906 signer = load_cert(bio_err, signerfile, FORMAT_PEM, 1526 signer = load_cert(bio_err, cms_config.signerfile, FORMAT_PEM,
907 NULL, "signer certificate"); 1527 NULL, "signer certificate");
908 if (!signer) 1528 if (!signer)
909 goto end; 1529 goto end;
910 key = load_key(bio_err, keyfile, keyform, 0, passin, 1530 key = load_key(bio_err, cms_config.keyfile, cms_config.keyform, 0, passin,
911 "signing key file"); 1531 "signing key file");
912 if (!key) 1532 if (!key)
913 goto end; 1533 goto end;
914 for (kparam = key_first; kparam; kparam = kparam->next) { 1534 for (kparam = cms_config.key_first; kparam; kparam = kparam->next) {
915 if (kparam->idx == i) { 1535 if (kparam->idx == i) {
916 tflags |= CMS_KEY_PARAM; 1536 tflags |= CMS_KEY_PARAM;
917 break; 1537 break;
918 } 1538 }
919 } 1539 }
920 si = CMS_add1_signer(cms, signer, key, sign_md, tflags); 1540 si = CMS_add1_signer(cms, signer, key, cms_config.sign_md, tflags);
921 if (si == NULL) 1541 if (si == NULL)
922 goto end; 1542 goto end;
923 if (kparam != NULL) { 1543 if (kparam != NULL) {
@@ -935,8 +1555,8 @@ cms_main(int argc, char **argv)
935 key = NULL; 1555 key = NULL;
936 } 1556 }
937 /* If not streaming or resigning finalize structure */ 1557 /* If not streaming or resigning finalize structure */
938 if ((operation == SMIME_SIGN) && !(flags & CMS_STREAM)) { 1558 if ((cms_config.operation == SMIME_SIGN) && !(cms_config.flags & CMS_STREAM)) {
939 if (!CMS_final(cms, in, NULL, flags)) 1559 if (!CMS_final(cms, in, NULL, cms_config.flags))
940 goto end; 1560 goto end;
941 } 1561 }
942 } 1562 }
@@ -945,13 +1565,13 @@ cms_main(int argc, char **argv)
945 goto end; 1565 goto end;
946 } 1566 }
947 ret = 4; 1567 ret = 4;
948 if (operation == SMIME_DECRYPT) { 1568 if (cms_config.operation == SMIME_DECRYPT) {
949 if (flags & CMS_DEBUG_DECRYPT) 1569 if (cms_config.flags & CMS_DEBUG_DECRYPT)
950 CMS_decrypt(cms, NULL, NULL, NULL, NULL, flags); 1570 CMS_decrypt(cms, NULL, NULL, NULL, NULL, cms_config.flags);
951 1571
952 if (secret_key) { 1572 if (cms_config.secret_key) {
953 if (!CMS_decrypt_set1_key(cms, secret_key, 1573 if (!CMS_decrypt_set1_key(cms, cms_config.secret_key,
954 secret_keylen, secret_keyid, secret_keyidlen)) { 1574 cms_config.secret_keylen, cms_config.secret_keyid, cms_config.secret_keyidlen)) {
955 BIO_puts(bio_err, 1575 BIO_puts(bio_err,
956 "Error decrypting CMS using secret key\n"); 1576 "Error decrypting CMS using secret key\n");
957 goto end; 1577 goto end;
@@ -964,86 +1584,86 @@ cms_main(int argc, char **argv)
964 goto end; 1584 goto end;
965 } 1585 }
966 } 1586 }
967 if (pwri_pass) { 1587 if (cms_config.pwri_pass) {
968 if (!CMS_decrypt_set1_password(cms, pwri_pass, -1)) { 1588 if (!CMS_decrypt_set1_password(cms, cms_config.pwri_pass, -1)) {
969 BIO_puts(bio_err, 1589 BIO_puts(bio_err,
970 "Error decrypting CMS using password\n"); 1590 "Error decrypting CMS using password\n");
971 goto end; 1591 goto end;
972 } 1592 }
973 } 1593 }
974 if (!CMS_decrypt(cms, NULL, NULL, indata, out, flags)) { 1594 if (!CMS_decrypt(cms, NULL, NULL, indata, out, cms_config.flags)) {
975 BIO_printf(bio_err, "Error decrypting CMS structure\n"); 1595 BIO_printf(bio_err, "Error decrypting CMS structure\n");
976 goto end; 1596 goto end;
977 } 1597 }
978 } else if (operation == SMIME_DATAOUT) { 1598 } else if (cms_config.operation == SMIME_DATAOUT) {
979 if (!CMS_data(cms, out, flags)) 1599 if (!CMS_data(cms, out, cms_config.flags))
980 goto end; 1600 goto end;
981 } else if (operation == SMIME_UNCOMPRESS) { 1601 } else if (cms_config.operation == SMIME_UNCOMPRESS) {
982 if (!CMS_uncompress(cms, indata, out, flags)) 1602 if (!CMS_uncompress(cms, indata, out, cms_config.flags))
983 goto end; 1603 goto end;
984 } else if (operation == SMIME_DIGEST_VERIFY) { 1604 } else if (cms_config.operation == SMIME_DIGEST_VERIFY) {
985 if (CMS_digest_verify(cms, indata, out, flags) > 0) 1605 if (CMS_digest_verify(cms, indata, out, cms_config.flags) > 0)
986 BIO_printf(bio_err, "Verification successful\n"); 1606 BIO_printf(bio_err, "Verification successful\n");
987 else { 1607 else {
988 BIO_printf(bio_err, "Verification failure\n"); 1608 BIO_printf(bio_err, "Verification failure\n");
989 goto end; 1609 goto end;
990 } 1610 }
991 } else if (operation == SMIME_ENCRYPTED_DECRYPT) { 1611 } else if (cms_config.operation == SMIME_ENCRYPTED_DECRYPT) {
992 if (!CMS_EncryptedData_decrypt(cms, secret_key, secret_keylen, 1612 if (!CMS_EncryptedData_decrypt(cms, cms_config.secret_key, cms_config.secret_keylen,
993 indata, out, flags)) 1613 indata, out, cms_config.flags))
994 goto end; 1614 goto end;
995 } else if (operation == SMIME_VERIFY) { 1615 } else if (cms_config.operation == SMIME_VERIFY) {
996 if (CMS_verify(cms, other, store, indata, out, flags) > 0) 1616 if (CMS_verify(cms, other, store, indata, out, cms_config.flags) > 0)
997 BIO_printf(bio_err, "Verification successful\n"); 1617 BIO_printf(bio_err, "Verification successful\n");
998 else { 1618 else {
999 BIO_printf(bio_err, "Verification failure\n"); 1619 BIO_printf(bio_err, "Verification failure\n");
1000 if (verify_retcode) 1620 if (cms_config.verify_retcode)
1001 ret = verify_err + 32; 1621 ret = verify_err + 32;
1002 goto end; 1622 goto end;
1003 } 1623 }
1004 if (signerfile) { 1624 if (cms_config.signerfile) {
1005 STACK_OF(X509) *signers; 1625 STACK_OF(X509) *signers;
1006 if ((signers = CMS_get0_signers(cms)) == NULL) 1626 if ((signers = CMS_get0_signers(cms)) == NULL)
1007 goto end; 1627 goto end;
1008 if (!save_certs(signerfile, signers)) { 1628 if (!save_certs(cms_config.signerfile, signers)) {
1009 BIO_printf(bio_err, 1629 BIO_printf(bio_err,
1010 "Error writing signers to %s\n", 1630 "Error writing signers to %s\n",
1011 signerfile); 1631 cms_config.signerfile);
1012 ret = 5; 1632 ret = 5;
1013 goto end; 1633 goto end;
1014 } 1634 }
1015 sk_X509_free(signers); 1635 sk_X509_free(signers);
1016 } 1636 }
1017 if (rr_print) 1637 if (cms_config.rr_print)
1018 receipt_request_print(bio_err, cms); 1638 receipt_request_print(bio_err, cms);
1019 1639
1020 } else if (operation == SMIME_VERIFY_RECEIPT) { 1640 } else if (cms_config.operation == SMIME_VERIFY_RECEIPT) {
1021 if (CMS_verify_receipt(rcms, cms, other, store, flags) > 0) 1641 if (CMS_verify_receipt(rcms, cms, other, store, cms_config.flags) > 0)
1022 BIO_printf(bio_err, "Verification successful\n"); 1642 BIO_printf(bio_err, "Verification successful\n");
1023 else { 1643 else {
1024 BIO_printf(bio_err, "Verification failure\n"); 1644 BIO_printf(bio_err, "Verification failure\n");
1025 goto end; 1645 goto end;
1026 } 1646 }
1027 } else { 1647 } else {
1028 if (noout) { 1648 if (cms_config.noout) {
1029 if (print && 1649 if (cms_config.print &&
1030 !CMS_ContentInfo_print_ctx(out, cms, 0, NULL)) 1650 !CMS_ContentInfo_print_ctx(out, cms, 0, NULL))
1031 goto end; 1651 goto end;
1032 } else if (outformat == FORMAT_SMIME) { 1652 } else if (cms_config.outformat == FORMAT_SMIME) {
1033 if (to) 1653 if (cms_config.to)
1034 BIO_printf(out, "To: %s\n", to); 1654 BIO_printf(out, "To: %s\n", cms_config.to);
1035 if (from) 1655 if (cms_config.from)
1036 BIO_printf(out, "From: %s\n", from); 1656 BIO_printf(out, "From: %s\n", cms_config.from);
1037 if (subject) 1657 if (cms_config.subject)
1038 BIO_printf(out, "Subject: %s\n", subject); 1658 BIO_printf(out, "Subject: %s\n", cms_config.subject);
1039 if (operation == SMIME_RESIGN) 1659 if (cms_config.operation == SMIME_RESIGN)
1040 ret = SMIME_write_CMS(out, cms, indata, flags); 1660 ret = SMIME_write_CMS(out, cms, indata, cms_config.flags);
1041 else 1661 else
1042 ret = SMIME_write_CMS(out, cms, in, flags); 1662 ret = SMIME_write_CMS(out, cms, in, cms_config.flags);
1043 } else if (outformat == FORMAT_PEM) 1663 } else if (cms_config.outformat == FORMAT_PEM)
1044 ret = PEM_write_bio_CMS_stream(out, cms, in, flags); 1664 ret = PEM_write_bio_CMS_stream(out, cms, in, cms_config.flags);
1045 else if (outformat == FORMAT_ASN1) 1665 else if (cms_config.outformat == FORMAT_ASN1)
1046 ret = i2d_CMS_bio_stream(out, cms, in, flags); 1666 ret = i2d_CMS_bio_stream(out, cms, in, cms_config.flags);
1047 else { 1667 else {
1048 BIO_printf(bio_err, "Bad output format for CMS file\n"); 1668 BIO_printf(bio_err, "Bad output format for CMS file\n");
1049 goto end; 1669 goto end;
@@ -1059,27 +1679,27 @@ cms_main(int argc, char **argv)
1059 if (ret) 1679 if (ret)
1060 ERR_print_errors(bio_err); 1680 ERR_print_errors(bio_err);
1061 1681
1062 sk_X509_pop_free(encerts, X509_free); 1682 sk_X509_pop_free(cms_config.encerts, X509_free);
1063 sk_X509_pop_free(other, X509_free); 1683 sk_X509_pop_free(other, X509_free);
1064 X509_VERIFY_PARAM_free(vpm); 1684 X509_VERIFY_PARAM_free(cms_config.vpm);
1065 sk_OPENSSL_STRING_free(sksigners); 1685 sk_OPENSSL_STRING_free(cms_config.sksigners);
1066 sk_OPENSSL_STRING_free(skkeys); 1686 sk_OPENSSL_STRING_free(cms_config.skkeys);
1067 free(secret_key); 1687 free(cms_config.secret_key);
1068 free(secret_keyid); 1688 free(cms_config.secret_keyid);
1069 free(pwri_tmp); 1689 free(pwri_tmp);
1070 ASN1_OBJECT_free(econtent_type); 1690 ASN1_OBJECT_free(cms_config.econtent_type);
1071 CMS_ReceiptRequest_free(rr); 1691 CMS_ReceiptRequest_free(rr);
1072 sk_OPENSSL_STRING_free(rr_to); 1692 sk_OPENSSL_STRING_free(cms_config.rr_to);
1073 sk_OPENSSL_STRING_free(rr_from); 1693 sk_OPENSSL_STRING_free(cms_config.rr_from);
1074 for (key_param = key_first; key_param;) { 1694 for (cms_config.key_param = cms_config.key_first; cms_config.key_param;) {
1075 struct cms_key_param *tparam; 1695 struct cms_key_param *tparam;
1076 sk_OPENSSL_STRING_free(key_param->param); 1696 sk_OPENSSL_STRING_free(cms_config.key_param->param);
1077 tparam = key_param->next; 1697 tparam = cms_config.key_param->next;
1078 free(key_param); 1698 free(cms_config.key_param);
1079 key_param = tparam; 1699 cms_config.key_param = tparam;
1080 } 1700 }
1081 X509_STORE_free(store); 1701 X509_STORE_free(store);
1082 X509_free(cert); 1702 X509_free(cms_config.cert);
1083 X509_free(recip); 1703 X509_free(recip);
1084 X509_free(signer); 1704 X509_free(signer);
1085 EVP_PKEY_free(key); 1705 EVP_PKEY_free(key);
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-28 19:51:08 +0000