1*d8c45d21Stb /* $OpenBSD: smime.c,v 1.20 2023/04/14 15:27:13 tb Exp $ */
2dab3f910Sjsing /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3dab3f910Sjsing * project.
4dab3f910Sjsing */
5dab3f910Sjsing /* ====================================================================
6dab3f910Sjsing * Copyright (c) 1999-2004 The OpenSSL Project. All rights reserved.
7dab3f910Sjsing *
8dab3f910Sjsing * Redistribution and use in source and binary forms, with or without
9dab3f910Sjsing * modification, are permitted provided that the following conditions
10dab3f910Sjsing * are met:
11dab3f910Sjsing *
12dab3f910Sjsing * 1. Redistributions of source code must retain the above copyright
13dab3f910Sjsing * notice, this list of conditions and the following disclaimer.
14dab3f910Sjsing *
15dab3f910Sjsing * 2. Redistributions in binary form must reproduce the above copyright
16dab3f910Sjsing * notice, this list of conditions and the following disclaimer in
17dab3f910Sjsing * the documentation and/or other materials provided with the
18dab3f910Sjsing * distribution.
19dab3f910Sjsing *
20dab3f910Sjsing * 3. All advertising materials mentioning features or use of this
21dab3f910Sjsing * software must display the following acknowledgment:
22dab3f910Sjsing * "This product includes software developed by the OpenSSL Project
23dab3f910Sjsing * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24dab3f910Sjsing *
25dab3f910Sjsing * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26dab3f910Sjsing * endorse or promote products derived from this software without
27dab3f910Sjsing * prior written permission. For written permission, please contact
28dab3f910Sjsing * licensing@OpenSSL.org.
29dab3f910Sjsing *
30dab3f910Sjsing * 5. Products derived from this software may not be called "OpenSSL"
31dab3f910Sjsing * nor may "OpenSSL" appear in their names without prior written
32dab3f910Sjsing * permission of the OpenSSL Project.
33dab3f910Sjsing *
34dab3f910Sjsing * 6. Redistributions of any form whatsoever must retain the following
35dab3f910Sjsing * acknowledgment:
36dab3f910Sjsing * "This product includes software developed by the OpenSSL Project
37dab3f910Sjsing * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38dab3f910Sjsing *
39dab3f910Sjsing * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40dab3f910Sjsing * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41dab3f910Sjsing * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42dab3f910Sjsing * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43dab3f910Sjsing * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44dab3f910Sjsing * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45dab3f910Sjsing * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46dab3f910Sjsing * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47dab3f910Sjsing * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48dab3f910Sjsing * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49dab3f910Sjsing * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50dab3f910Sjsing * OF THE POSSIBILITY OF SUCH DAMAGE.
51dab3f910Sjsing * ====================================================================
52dab3f910Sjsing *
53dab3f910Sjsing * This product includes cryptographic software written by Eric Young
54dab3f910Sjsing * (eay@cryptsoft.com). This product includes software written by Tim
55dab3f910Sjsing * Hudson (tjh@cryptsoft.com).
56dab3f910Sjsing *
57dab3f910Sjsing */
58dab3f910Sjsing
59dab3f910Sjsing /* S/MIME utility function */
60dab3f910Sjsing
61dab3f910Sjsing #include <stdio.h>
62dab3f910Sjsing #include <string.h>
63dab3f910Sjsing
64dab3f910Sjsing #include "apps.h"
65dab3f910Sjsing
66dab3f910Sjsing #include <openssl/crypto.h>
67dab3f910Sjsing #include <openssl/err.h>
68dab3f910Sjsing #include <openssl/pem.h>
69dab3f910Sjsing #include <openssl/x509_vfy.h>
70dab3f910Sjsing #include <openssl/x509v3.h>
71dab3f910Sjsing
72dab3f910Sjsing static int save_certs(char *signerfile, STACK_OF(X509) *signers);
73dab3f910Sjsing
74dab3f910Sjsing #define SMIME_OP 0x10
75dab3f910Sjsing #define SMIME_IP 0x20
76dab3f910Sjsing #define SMIME_SIGNERS 0x40
77dab3f910Sjsing #define SMIME_ENCRYPT (1 | SMIME_OP)
78dab3f910Sjsing #define SMIME_DECRYPT (2 | SMIME_IP)
79dab3f910Sjsing #define SMIME_SIGN (3 | SMIME_OP | SMIME_SIGNERS)
80dab3f910Sjsing #define SMIME_VERIFY (4 | SMIME_IP)
81dab3f910Sjsing #define SMIME_PK7OUT (5 | SMIME_IP | SMIME_OP)
82dab3f910Sjsing #define SMIME_RESIGN (6 | SMIME_IP | SMIME_OP | SMIME_SIGNERS)
83dab3f910Sjsing
845db72a14Sinoguchi static struct {
855db72a14Sinoguchi char *CAfile;
865db72a14Sinoguchi char *CApath;
875db72a14Sinoguchi char *certfile;
885db72a14Sinoguchi const EVP_CIPHER *cipher;
895db72a14Sinoguchi char *contfile;
905db72a14Sinoguchi int flags;
915db72a14Sinoguchi char *from;
925db72a14Sinoguchi int indef;
935db72a14Sinoguchi char *infile;
945db72a14Sinoguchi int informat;
955db72a14Sinoguchi char *keyfile;
965db72a14Sinoguchi int keyform;
975db72a14Sinoguchi int operation;
985db72a14Sinoguchi char *outfile;
995db72a14Sinoguchi int outformat;
1005db72a14Sinoguchi char *passargin;
1015db72a14Sinoguchi char *recipfile;
1025db72a14Sinoguchi const EVP_MD *sign_md;
1035db72a14Sinoguchi char *signerfile;
1045db72a14Sinoguchi STACK_OF(OPENSSL_STRING) *skkeys;
1055db72a14Sinoguchi STACK_OF(OPENSSL_STRING) *sksigners;
1065db72a14Sinoguchi char *subject;
1075db72a14Sinoguchi char *to;
1085db72a14Sinoguchi X509_VERIFY_PARAM *vpm;
109e7718adaStb } cfg;
1105db72a14Sinoguchi
1115db72a14Sinoguchi static const EVP_CIPHER *
get_cipher_by_name(char * name)1125db72a14Sinoguchi get_cipher_by_name(char *name)
1135db72a14Sinoguchi {
1145db72a14Sinoguchi if (name == NULL || strcmp(name, "") == 0)
1155db72a14Sinoguchi return (NULL);
1165db72a14Sinoguchi #ifndef OPENSSL_NO_AES
1175db72a14Sinoguchi else if (strcmp(name, "aes128") == 0)
1185db72a14Sinoguchi return EVP_aes_128_cbc();
1195db72a14Sinoguchi else if (strcmp(name, "aes192") == 0)
1205db72a14Sinoguchi return EVP_aes_192_cbc();
1215db72a14Sinoguchi else if (strcmp(name, "aes256") == 0)
1225db72a14Sinoguchi return EVP_aes_256_cbc();
1235db72a14Sinoguchi #endif
1245db72a14Sinoguchi #ifndef OPENSSL_NO_CAMELLIA
1255db72a14Sinoguchi else if (strcmp(name, "camellia128") == 0)
1265db72a14Sinoguchi return EVP_camellia_128_cbc();
1275db72a14Sinoguchi else if (strcmp(name, "camellia192") == 0)
1285db72a14Sinoguchi return EVP_camellia_192_cbc();
1295db72a14Sinoguchi else if (strcmp(name, "camellia256") == 0)
1305db72a14Sinoguchi return EVP_camellia_256_cbc();
1315db72a14Sinoguchi #endif
1325db72a14Sinoguchi #ifndef OPENSSL_NO_DES
1335db72a14Sinoguchi else if (strcmp(name, "des") == 0)
1345db72a14Sinoguchi return EVP_des_cbc();
1355db72a14Sinoguchi else if (strcmp(name, "des3") == 0)
1365db72a14Sinoguchi return EVP_des_ede3_cbc();
1375db72a14Sinoguchi #endif
1385db72a14Sinoguchi #ifndef OPENSSL_NO_RC2
1395db72a14Sinoguchi else if (!strcmp(name, "rc2-40"))
1405db72a14Sinoguchi return EVP_rc2_40_cbc();
1415db72a14Sinoguchi else if (!strcmp(name, "rc2-64"))
1425db72a14Sinoguchi return EVP_rc2_64_cbc();
1435db72a14Sinoguchi else if (!strcmp(name, "rc2-128"))
1445db72a14Sinoguchi return EVP_rc2_cbc();
1455db72a14Sinoguchi #endif
1468dbdb22eSinoguchi else
1478dbdb22eSinoguchi return NULL;
1485db72a14Sinoguchi }
1495db72a14Sinoguchi
1505db72a14Sinoguchi static int
smime_opt_cipher(int argc,char ** argv,int * argsused)1515db72a14Sinoguchi smime_opt_cipher(int argc, char **argv, int *argsused)
1525db72a14Sinoguchi {
1535db72a14Sinoguchi char *name = argv[0];
1545db72a14Sinoguchi
1555db72a14Sinoguchi if (*name++ != '-')
1565db72a14Sinoguchi return (1);
1575db72a14Sinoguchi
158e7718adaStb if ((cfg.cipher = get_cipher_by_name(name)) == NULL)
159e7718adaStb if ((cfg.cipher = EVP_get_cipherbyname(name)) == NULL)
1605db72a14Sinoguchi return (1);
1615db72a14Sinoguchi
1625db72a14Sinoguchi *argsused = 1;
1635db72a14Sinoguchi return (0);
1645db72a14Sinoguchi }
1655db72a14Sinoguchi
1665db72a14Sinoguchi static int
smime_opt_inkey(char * arg)1675db72a14Sinoguchi smime_opt_inkey(char *arg)
1685db72a14Sinoguchi {
169e7718adaStb if (cfg.keyfile == NULL) {
170e7718adaStb cfg.keyfile = arg;
1715db72a14Sinoguchi return (0);
1725db72a14Sinoguchi }
1735db72a14Sinoguchi
174e7718adaStb if (cfg.signerfile == NULL) {
1755db72a14Sinoguchi BIO_puts(bio_err, "Illegal -inkey without -signer\n");
1765db72a14Sinoguchi return (1);
1775db72a14Sinoguchi }
1785db72a14Sinoguchi
179e7718adaStb if (cfg.sksigners == NULL) {
180e7718adaStb if ((cfg.sksigners = sk_OPENSSL_STRING_new_null()) == NULL)
1815db72a14Sinoguchi return (1);
1825db72a14Sinoguchi }
183e7718adaStb if (!sk_OPENSSL_STRING_push(cfg.sksigners,
184e7718adaStb cfg.signerfile))
1855db72a14Sinoguchi return (1);
1865db72a14Sinoguchi
187e7718adaStb cfg.signerfile = NULL;
1885db72a14Sinoguchi
189e7718adaStb if (cfg.skkeys == NULL) {
190e7718adaStb if ((cfg.skkeys = sk_OPENSSL_STRING_new_null()) == NULL)
1915db72a14Sinoguchi return (1);
1925db72a14Sinoguchi }
193e7718adaStb if (!sk_OPENSSL_STRING_push(cfg.skkeys, cfg.keyfile))
1945db72a14Sinoguchi return (1);
1955db72a14Sinoguchi
196e7718adaStb cfg.keyfile = arg;
1975db72a14Sinoguchi return (0);
1985db72a14Sinoguchi }
1995db72a14Sinoguchi
2005db72a14Sinoguchi static int
smime_opt_md(char * arg)2015db72a14Sinoguchi smime_opt_md(char *arg)
2025db72a14Sinoguchi {
203e7718adaStb if ((cfg.sign_md = EVP_get_digestbyname(arg)) == NULL) {
2045db72a14Sinoguchi BIO_printf(bio_err, "Unknown digest %s\n", arg);
2055db72a14Sinoguchi return (1);
2065db72a14Sinoguchi }
2075db72a14Sinoguchi return (0);
2085db72a14Sinoguchi }
2095db72a14Sinoguchi
2105db72a14Sinoguchi static int
smime_opt_signer(char * arg)2115db72a14Sinoguchi smime_opt_signer(char *arg)
2125db72a14Sinoguchi {
213e7718adaStb if (cfg.signerfile == NULL) {
214e7718adaStb cfg.signerfile = arg;
2155db72a14Sinoguchi return (0);
2165db72a14Sinoguchi }
2175db72a14Sinoguchi
218e7718adaStb if (cfg.sksigners == NULL) {
219e7718adaStb if ((cfg.sksigners = sk_OPENSSL_STRING_new_null()) == NULL)
2205db72a14Sinoguchi return (1);
2215db72a14Sinoguchi }
222e7718adaStb if (!sk_OPENSSL_STRING_push(cfg.sksigners,
223e7718adaStb cfg.signerfile))
2245db72a14Sinoguchi return (1);
2255db72a14Sinoguchi
226e7718adaStb if (cfg.keyfile == NULL)
227e7718adaStb cfg.keyfile = cfg.signerfile;
2285db72a14Sinoguchi
229e7718adaStb if (cfg.skkeys == NULL) {
230e7718adaStb if ((cfg.skkeys = sk_OPENSSL_STRING_new_null()) == NULL)
2315db72a14Sinoguchi return (1);
2325db72a14Sinoguchi }
233e7718adaStb if (!sk_OPENSSL_STRING_push(cfg.skkeys, cfg.keyfile))
2345db72a14Sinoguchi return (1);
2355db72a14Sinoguchi
236e7718adaStb cfg.keyfile = NULL;
2375db72a14Sinoguchi
238e7718adaStb cfg.signerfile = arg;
2395db72a14Sinoguchi return (0);
2405db72a14Sinoguchi }
2415db72a14Sinoguchi
2425db72a14Sinoguchi static int
smime_opt_verify_param(int argc,char ** argv,int * argsused)2435db72a14Sinoguchi smime_opt_verify_param(int argc, char **argv, int *argsused)
2445db72a14Sinoguchi {
2455db72a14Sinoguchi int oargc = argc;
2465db72a14Sinoguchi int badarg = 0;
2475db72a14Sinoguchi
248e7718adaStb if (!args_verify(&argv, &argc, &badarg, bio_err, &cfg.vpm))
2495db72a14Sinoguchi return (1);
2505db72a14Sinoguchi if (badarg)
2515db72a14Sinoguchi return (1);
2525db72a14Sinoguchi
2535db72a14Sinoguchi *argsused = oargc - argc;
2545db72a14Sinoguchi
2555db72a14Sinoguchi return (0);
2565db72a14Sinoguchi }
2575db72a14Sinoguchi
2585db72a14Sinoguchi static const struct option smime_options[] = {
2595db72a14Sinoguchi #ifndef OPENSSL_NO_AES
2605db72a14Sinoguchi {
2615db72a14Sinoguchi .name = "aes128",
2625db72a14Sinoguchi .desc = "Encrypt PEM output with CBC AES",
2635db72a14Sinoguchi .type = OPTION_ARGV_FUNC,
2645db72a14Sinoguchi .opt.argvfunc = smime_opt_cipher,
2655db72a14Sinoguchi },
2665db72a14Sinoguchi {
2675db72a14Sinoguchi .name = "aes192",
2685db72a14Sinoguchi .desc = "Encrypt PEM output with CBC AES",
2695db72a14Sinoguchi .type = OPTION_ARGV_FUNC,
2705db72a14Sinoguchi .opt.argvfunc = smime_opt_cipher,
2715db72a14Sinoguchi },
2725db72a14Sinoguchi {
2735db72a14Sinoguchi .name = "aes256",
2745db72a14Sinoguchi .desc = "Encrypt PEM output with CBC AES",
2755db72a14Sinoguchi .type = OPTION_ARGV_FUNC,
2765db72a14Sinoguchi .opt.argvfunc = smime_opt_cipher,
2775db72a14Sinoguchi },
2785db72a14Sinoguchi #endif
2795db72a14Sinoguchi #ifndef OPENSSL_NO_CAMELLIA
2805db72a14Sinoguchi {
2815db72a14Sinoguchi .name = "camellia128",
2825db72a14Sinoguchi .desc = "Encrypt PEM output with CBC Camellia",
2835db72a14Sinoguchi .type = OPTION_ARGV_FUNC,
2845db72a14Sinoguchi .opt.argvfunc = smime_opt_cipher,
2855db72a14Sinoguchi },
2865db72a14Sinoguchi {
2875db72a14Sinoguchi .name = "camellia192",
2885db72a14Sinoguchi .desc = "Encrypt PEM output with CBC Camellia",
2895db72a14Sinoguchi .type = OPTION_ARGV_FUNC,
2905db72a14Sinoguchi .opt.argvfunc = smime_opt_cipher,
2915db72a14Sinoguchi },
2925db72a14Sinoguchi {
2935db72a14Sinoguchi .name = "camellia256",
2945db72a14Sinoguchi .desc = "Encrypt PEM output with CBC Camellia",
2955db72a14Sinoguchi .type = OPTION_ARGV_FUNC,
2965db72a14Sinoguchi .opt.argvfunc = smime_opt_cipher,
2975db72a14Sinoguchi },
2985db72a14Sinoguchi #endif
2995db72a14Sinoguchi #ifndef OPENSSL_NO_DES
3005db72a14Sinoguchi {
3015db72a14Sinoguchi .name = "des",
3025db72a14Sinoguchi .desc = "Encrypt with DES",
3035db72a14Sinoguchi .type = OPTION_ARGV_FUNC,
3045db72a14Sinoguchi .opt.argvfunc = smime_opt_cipher,
3055db72a14Sinoguchi },
3065db72a14Sinoguchi {
3075db72a14Sinoguchi .name = "des3",
3085db72a14Sinoguchi .desc = "Encrypt with triple DES",
3095db72a14Sinoguchi .type = OPTION_ARGV_FUNC,
3105db72a14Sinoguchi .opt.argvfunc = smime_opt_cipher,
3115db72a14Sinoguchi },
3125db72a14Sinoguchi #endif
3135db72a14Sinoguchi #ifndef OPENSSL_NO_RC2
3145db72a14Sinoguchi {
3155db72a14Sinoguchi .name = "rc2-40",
3165db72a14Sinoguchi .desc = "Encrypt with RC2-40 (default)",
3175db72a14Sinoguchi .type = OPTION_ARGV_FUNC,
3185db72a14Sinoguchi .opt.argvfunc = smime_opt_cipher,
3195db72a14Sinoguchi },
3205db72a14Sinoguchi {
3215db72a14Sinoguchi .name = "rc2-64",
3225db72a14Sinoguchi .desc = "Encrypt with RC2-64",
3235db72a14Sinoguchi .type = OPTION_ARGV_FUNC,
3245db72a14Sinoguchi .opt.argvfunc = smime_opt_cipher,
3255db72a14Sinoguchi },
3265db72a14Sinoguchi {
3275db72a14Sinoguchi .name = "rc2-128",
3285db72a14Sinoguchi .desc = "Encrypt with RC2-128",
3295db72a14Sinoguchi .type = OPTION_ARGV_FUNC,
3305db72a14Sinoguchi .opt.argvfunc = smime_opt_cipher,
3315db72a14Sinoguchi },
3325db72a14Sinoguchi #endif
3335db72a14Sinoguchi {
3345db72a14Sinoguchi .name = "CAfile",
3355db72a14Sinoguchi .argname = "file",
3365db72a14Sinoguchi .desc = "Certificate Authority file",
3375db72a14Sinoguchi .type = OPTION_ARG,
338e7718adaStb .opt.arg = &cfg.CAfile,
3395db72a14Sinoguchi },
3405db72a14Sinoguchi {
3415db72a14Sinoguchi .name = "CApath",
3425db72a14Sinoguchi .argname = "path",
3435db72a14Sinoguchi .desc = "Certificate Authority path",
3445db72a14Sinoguchi .type = OPTION_ARG,
345e7718adaStb .opt.arg = &cfg.CApath,
3465db72a14Sinoguchi },
3475db72a14Sinoguchi {
3485db72a14Sinoguchi .name = "binary",
3495db72a14Sinoguchi .desc = "Do not translate message to text",
3505db72a14Sinoguchi .type = OPTION_VALUE_OR,
351e7718adaStb .opt.value = &cfg.flags,
3525db72a14Sinoguchi .value = PKCS7_BINARY,
3535db72a14Sinoguchi },
3545db72a14Sinoguchi {
3555db72a14Sinoguchi .name = "certfile",
3565db72a14Sinoguchi .argname = "file",
3575db72a14Sinoguchi .desc = "Other certificates file",
3585db72a14Sinoguchi .type = OPTION_ARG,
359e7718adaStb .opt.arg = &cfg.certfile,
3605db72a14Sinoguchi },
3615db72a14Sinoguchi {
3625db72a14Sinoguchi .name = "content",
3635db72a14Sinoguchi .argname = "file",
3645db72a14Sinoguchi .desc = "Supply or override content for detached signature",
3655db72a14Sinoguchi .type = OPTION_ARG,
366e7718adaStb .opt.arg = &cfg.contfile,
3675db72a14Sinoguchi },
3685db72a14Sinoguchi {
3695db72a14Sinoguchi .name = "crlfeol",
3705db72a14Sinoguchi .desc = "Use CRLF as EOL termination instead of CR only",
3715db72a14Sinoguchi .type = OPTION_VALUE_OR,
372e7718adaStb .opt.value = &cfg.flags,
3735db72a14Sinoguchi .value = PKCS7_CRLFEOL,
3745db72a14Sinoguchi },
3755db72a14Sinoguchi {
3765db72a14Sinoguchi .name = "decrypt",
3775db72a14Sinoguchi .desc = "Decrypt encrypted message",
3785db72a14Sinoguchi .type = OPTION_VALUE,
379e7718adaStb .opt.value = &cfg.operation,
3805db72a14Sinoguchi .value = SMIME_DECRYPT,
3815db72a14Sinoguchi },
3825db72a14Sinoguchi {
3835db72a14Sinoguchi .name = "encrypt",
3845db72a14Sinoguchi .desc = "Encrypt message",
3855db72a14Sinoguchi .type = OPTION_VALUE,
386e7718adaStb .opt.value = &cfg.operation,
3875db72a14Sinoguchi .value = SMIME_ENCRYPT,
3885db72a14Sinoguchi },
3895db72a14Sinoguchi {
3905db72a14Sinoguchi .name = "from",
3915db72a14Sinoguchi .argname = "addr",
3925db72a14Sinoguchi .desc = "From address",
3935db72a14Sinoguchi .type = OPTION_ARG,
394e7718adaStb .opt.arg = &cfg.from,
3955db72a14Sinoguchi },
3965db72a14Sinoguchi {
3975db72a14Sinoguchi .name = "in",
3985db72a14Sinoguchi .argname = "file",
3995db72a14Sinoguchi .desc = "Input file",
4005db72a14Sinoguchi .type = OPTION_ARG,
401e7718adaStb .opt.arg = &cfg.infile,
4025db72a14Sinoguchi },
4035db72a14Sinoguchi {
4045db72a14Sinoguchi .name = "indef",
4055db72a14Sinoguchi .desc = "Same as -stream",
4065db72a14Sinoguchi .type = OPTION_VALUE,
407e7718adaStb .opt.value = &cfg.indef,
4085db72a14Sinoguchi .value = 1,
4095db72a14Sinoguchi },
4105db72a14Sinoguchi {
4115db72a14Sinoguchi .name = "inform",
4125db72a14Sinoguchi .argname = "fmt",
4135db72a14Sinoguchi .desc = "Input format (DER, PEM or SMIME (default))",
4145db72a14Sinoguchi .type = OPTION_ARG_FORMAT,
415e7718adaStb .opt.value = &cfg.informat,
4165db72a14Sinoguchi },
4175db72a14Sinoguchi {
4185db72a14Sinoguchi .name = "inkey",
4195db72a14Sinoguchi .argname = "file",
4205db72a14Sinoguchi .desc = "Input key file",
4215db72a14Sinoguchi .type = OPTION_ARG_FUNC,
4225db72a14Sinoguchi .opt.argfunc = smime_opt_inkey,
4235db72a14Sinoguchi },
4245db72a14Sinoguchi {
4255db72a14Sinoguchi .name = "keyform",
4265db72a14Sinoguchi .argname = "fmt",
4275db72a14Sinoguchi .desc = "Input key format (DER or PEM (default))",
4285db72a14Sinoguchi .type = OPTION_ARG_FORMAT,
429e7718adaStb .opt.value = &cfg.keyform,
4305db72a14Sinoguchi },
4315db72a14Sinoguchi {
4325db72a14Sinoguchi .name = "md",
4335db72a14Sinoguchi .argname = "digest",
4345db72a14Sinoguchi .desc = "Digest to use when signing or resigning",
4355db72a14Sinoguchi .type = OPTION_ARG_FUNC,
4365db72a14Sinoguchi .opt.argfunc = smime_opt_md,
4375db72a14Sinoguchi },
4385db72a14Sinoguchi {
4395db72a14Sinoguchi .name = "noattr",
4405db72a14Sinoguchi .desc = "Do not include any signed attributes",
4415db72a14Sinoguchi .type = OPTION_VALUE_OR,
442e7718adaStb .opt.value = &cfg.flags,
4435db72a14Sinoguchi .value = PKCS7_NOATTR,
4445db72a14Sinoguchi },
4455db72a14Sinoguchi {
4465db72a14Sinoguchi .name = "nocerts",
4475db72a14Sinoguchi .desc = "Do not include signer's certificate when signing",
4485db72a14Sinoguchi .type = OPTION_VALUE_OR,
449e7718adaStb .opt.value = &cfg.flags,
4505db72a14Sinoguchi .value = PKCS7_NOCERTS,
4515db72a14Sinoguchi },
4525db72a14Sinoguchi {
4535db72a14Sinoguchi .name = "nochain",
4545db72a14Sinoguchi .desc = "Do not chain verification of signer's certificates",
4555db72a14Sinoguchi .type = OPTION_VALUE_OR,
456e7718adaStb .opt.value = &cfg.flags,
4575db72a14Sinoguchi .value = PKCS7_NOCHAIN,
4585db72a14Sinoguchi },
4595db72a14Sinoguchi {
4605db72a14Sinoguchi .name = "nodetach",
4615db72a14Sinoguchi .desc = "Use opaque signing",
4625db72a14Sinoguchi .type = OPTION_VALUE_AND,
463e7718adaStb .opt.value = &cfg.flags,
4645db72a14Sinoguchi .value = ~PKCS7_DETACHED,
4655db72a14Sinoguchi },
4665db72a14Sinoguchi {
4675db72a14Sinoguchi .name = "noindef",
4685db72a14Sinoguchi .desc = "Disable streaming I/O",
4695db72a14Sinoguchi .type = OPTION_VALUE,
470e7718adaStb .opt.value = &cfg.indef,
4715db72a14Sinoguchi .value = 0,
4725db72a14Sinoguchi },
4735db72a14Sinoguchi {
4745db72a14Sinoguchi .name = "nointern",
4755db72a14Sinoguchi .desc = "Do not search certificates in message for signer",
4765db72a14Sinoguchi .type = OPTION_VALUE_OR,
477e7718adaStb .opt.value = &cfg.flags,
4785db72a14Sinoguchi .value = PKCS7_NOINTERN,
4795db72a14Sinoguchi },
4805db72a14Sinoguchi {
4815db72a14Sinoguchi .name = "nooldmime",
4825db72a14Sinoguchi .desc = "Output old S/MIME content type",
4835db72a14Sinoguchi .type = OPTION_VALUE_OR,
484e7718adaStb .opt.value = &cfg.flags,
4855db72a14Sinoguchi .value = PKCS7_NOOLDMIMETYPE,
4865db72a14Sinoguchi },
4875db72a14Sinoguchi {
4885db72a14Sinoguchi .name = "nosigs",
4895db72a14Sinoguchi .desc = "Do not verify message signature",
4905db72a14Sinoguchi .type = OPTION_VALUE_OR,
491e7718adaStb .opt.value = &cfg.flags,
4925db72a14Sinoguchi .value = PKCS7_NOSIGS,
4935db72a14Sinoguchi },
4945db72a14Sinoguchi {
4955db72a14Sinoguchi .name = "nosmimecap",
4965db72a14Sinoguchi .desc = "Omit the SMIMECapabilities attribute",
4975db72a14Sinoguchi .type = OPTION_VALUE_OR,
498e7718adaStb .opt.value = &cfg.flags,
4995db72a14Sinoguchi .value = PKCS7_NOSMIMECAP,
5005db72a14Sinoguchi },
5015db72a14Sinoguchi {
5025db72a14Sinoguchi .name = "noverify",
5035db72a14Sinoguchi .desc = "Do not verify signer's certificate",
5045db72a14Sinoguchi .type = OPTION_VALUE_OR,
505e7718adaStb .opt.value = &cfg.flags,
5065db72a14Sinoguchi .value = PKCS7_NOVERIFY,
5075db72a14Sinoguchi },
5085db72a14Sinoguchi {
5095db72a14Sinoguchi .name = "out",
5105db72a14Sinoguchi .argname = "file",
5115db72a14Sinoguchi .desc = "Output file",
5125db72a14Sinoguchi .type = OPTION_ARG,
513e7718adaStb .opt.arg = &cfg.outfile,
5145db72a14Sinoguchi },
5155db72a14Sinoguchi {
5165db72a14Sinoguchi .name = "outform",
5175db72a14Sinoguchi .argname = "fmt",
5185db72a14Sinoguchi .desc = "Output format (DER, PEM or SMIME (default))",
5195db72a14Sinoguchi .type = OPTION_ARG_FORMAT,
520e7718adaStb .opt.value = &cfg.outformat,
5215db72a14Sinoguchi },
5225db72a14Sinoguchi {
5235db72a14Sinoguchi .name = "passin",
5245db72a14Sinoguchi .argname = "src",
5255db72a14Sinoguchi .desc = "Private key password source",
5265db72a14Sinoguchi .type = OPTION_ARG,
527e7718adaStb .opt.arg = &cfg.passargin,
5285db72a14Sinoguchi },
5295db72a14Sinoguchi {
5305db72a14Sinoguchi .name = "pk7out",
5315db72a14Sinoguchi .desc = "Output PKCS#7 structure",
5325db72a14Sinoguchi .type = OPTION_VALUE,
533e7718adaStb .opt.value = &cfg.operation,
5345db72a14Sinoguchi .value = SMIME_PK7OUT,
5355db72a14Sinoguchi },
5365db72a14Sinoguchi {
5375db72a14Sinoguchi .name = "recip",
5385db72a14Sinoguchi .argname = "file",
5395db72a14Sinoguchi .desc = "Recipient certificate file for decryption",
5405db72a14Sinoguchi .type = OPTION_ARG,
541e7718adaStb .opt.arg = &cfg.recipfile,
5425db72a14Sinoguchi },
5435db72a14Sinoguchi {
5445db72a14Sinoguchi .name = "resign",
5455db72a14Sinoguchi .desc = "Resign a signed message",
5465db72a14Sinoguchi .type = OPTION_VALUE,
547e7718adaStb .opt.value = &cfg.operation,
5485db72a14Sinoguchi .value = SMIME_RESIGN,
5495db72a14Sinoguchi },
5505db72a14Sinoguchi {
5515db72a14Sinoguchi .name = "sign",
5525db72a14Sinoguchi .desc = "Sign message",
5535db72a14Sinoguchi .type = OPTION_VALUE,
554e7718adaStb .opt.value = &cfg.operation,
5555db72a14Sinoguchi .value = SMIME_SIGN,
5565db72a14Sinoguchi },
5575db72a14Sinoguchi {
5585db72a14Sinoguchi .name = "signer",
5595db72a14Sinoguchi .argname = "file",
5605db72a14Sinoguchi .desc = "Signer certificate file",
5615db72a14Sinoguchi .type = OPTION_ARG_FUNC,
5625db72a14Sinoguchi .opt.argfunc = smime_opt_signer,
5635db72a14Sinoguchi },
5645db72a14Sinoguchi {
5655db72a14Sinoguchi .name = "stream",
5665db72a14Sinoguchi .desc = "Enable streaming I/O",
5675db72a14Sinoguchi .type = OPTION_VALUE,
568e7718adaStb .opt.value = &cfg.indef,
5695db72a14Sinoguchi .value = 1,
5705db72a14Sinoguchi },
5715db72a14Sinoguchi {
5725db72a14Sinoguchi .name = "subject",
5735db72a14Sinoguchi .argname = "s",
5745db72a14Sinoguchi .desc = "Subject",
5755db72a14Sinoguchi .type = OPTION_ARG,
576e7718adaStb .opt.arg = &cfg.subject,
5775db72a14Sinoguchi },
5785db72a14Sinoguchi {
5795db72a14Sinoguchi .name = "text",
5805db72a14Sinoguchi .desc = "Include or delete text MIME headers",
5815db72a14Sinoguchi .type = OPTION_VALUE_OR,
582e7718adaStb .opt.value = &cfg.flags,
5835db72a14Sinoguchi .value = PKCS7_TEXT,
5845db72a14Sinoguchi },
5855db72a14Sinoguchi {
5865db72a14Sinoguchi .name = "to",
5875db72a14Sinoguchi .argname = "addr",
5885db72a14Sinoguchi .desc = "To address",
5895db72a14Sinoguchi .type = OPTION_ARG,
590e7718adaStb .opt.arg = &cfg.to,
5915db72a14Sinoguchi },
5925db72a14Sinoguchi {
5935db72a14Sinoguchi .name = "verify",
5945db72a14Sinoguchi .desc = "Verify signed message",
5955db72a14Sinoguchi .type = OPTION_VALUE,
596e7718adaStb .opt.value = &cfg.operation,
5975db72a14Sinoguchi .value = SMIME_VERIFY,
5985db72a14Sinoguchi },
5995db72a14Sinoguchi {
6005db72a14Sinoguchi .name = "check_ss_sig",
6015db72a14Sinoguchi .type = OPTION_ARGV_FUNC,
6025db72a14Sinoguchi .opt.argvfunc = smime_opt_verify_param,
6035db72a14Sinoguchi },
6045db72a14Sinoguchi {
6055db72a14Sinoguchi .name = "crl_check",
6065db72a14Sinoguchi .type = OPTION_ARGV_FUNC,
6075db72a14Sinoguchi .opt.argvfunc = smime_opt_verify_param,
6085db72a14Sinoguchi },
6095db72a14Sinoguchi {
6105db72a14Sinoguchi .name = "crl_check_all",
6115db72a14Sinoguchi .type = OPTION_ARGV_FUNC,
6125db72a14Sinoguchi .opt.argvfunc = smime_opt_verify_param,
6135db72a14Sinoguchi },
6145db72a14Sinoguchi {
6155db72a14Sinoguchi .name = "extended_crl",
6165db72a14Sinoguchi .type = OPTION_ARGV_FUNC,
6175db72a14Sinoguchi .opt.argvfunc = smime_opt_verify_param,
6185db72a14Sinoguchi },
6195db72a14Sinoguchi {
6205db72a14Sinoguchi .name = "ignore_critical",
6215db72a14Sinoguchi .type = OPTION_ARGV_FUNC,
6225db72a14Sinoguchi .opt.argvfunc = smime_opt_verify_param,
6235db72a14Sinoguchi },
6245db72a14Sinoguchi {
6255db72a14Sinoguchi .name = "issuer_checks",
6265db72a14Sinoguchi .type = OPTION_ARGV_FUNC,
6275db72a14Sinoguchi .opt.argvfunc = smime_opt_verify_param,
6285db72a14Sinoguchi },
6295db72a14Sinoguchi {
6305db72a14Sinoguchi .name = "policy_check",
6315db72a14Sinoguchi .type = OPTION_ARGV_FUNC,
6325db72a14Sinoguchi .opt.argvfunc = smime_opt_verify_param,
6335db72a14Sinoguchi },
6345db72a14Sinoguchi {
6355db72a14Sinoguchi .name = "x509_strict",
6365db72a14Sinoguchi .type = OPTION_ARGV_FUNC,
6375db72a14Sinoguchi .opt.argvfunc = smime_opt_verify_param,
6385db72a14Sinoguchi },
6395db72a14Sinoguchi {
6405db72a14Sinoguchi .name = NULL,
6415db72a14Sinoguchi .type = OPTION_ARGV_FUNC,
6425db72a14Sinoguchi .opt.argvfunc = smime_opt_cipher,
6435db72a14Sinoguchi },
6445db72a14Sinoguchi { NULL },
6455db72a14Sinoguchi };
6465db72a14Sinoguchi
6475db72a14Sinoguchi static const struct option verify_shared_options[] = {
6485db72a14Sinoguchi {
6495db72a14Sinoguchi .name = "check_ss_sig",
6505db72a14Sinoguchi .desc = "Check the root CA self-signed certificate signature",
6515db72a14Sinoguchi },
6525db72a14Sinoguchi {
6535db72a14Sinoguchi .name = "crl_check",
6545db72a14Sinoguchi .desc = "Enable CRL checking for the leaf certificate",
6555db72a14Sinoguchi },
6565db72a14Sinoguchi {
6575db72a14Sinoguchi .name = "crl_check_all",
6585db72a14Sinoguchi .desc = "Enable CRL checking for the entire certificate chain",
6595db72a14Sinoguchi },
6605db72a14Sinoguchi {
6615db72a14Sinoguchi .name = "extended_crl",
6625db72a14Sinoguchi .desc = "Enable extended CRL support",
6635db72a14Sinoguchi },
6645db72a14Sinoguchi {
6655db72a14Sinoguchi .name = "ignore_critical",
6665db72a14Sinoguchi .desc = "Disable critical extension checking",
6675db72a14Sinoguchi },
6685db72a14Sinoguchi {
6695db72a14Sinoguchi .name = "issuer_checks",
6705db72a14Sinoguchi .desc = "Enable debugging of certificate issuer checks",
6715db72a14Sinoguchi },
6725db72a14Sinoguchi {
6735db72a14Sinoguchi .name = "policy_check",
6745db72a14Sinoguchi .desc = "Enable certificate policy checking",
6755db72a14Sinoguchi },
6765db72a14Sinoguchi {
6775db72a14Sinoguchi .name = "x509_strict",
6785db72a14Sinoguchi .desc = "Use strict X.509 rules (disables workarounds)",
6795db72a14Sinoguchi },
6805db72a14Sinoguchi { NULL },
6815db72a14Sinoguchi };
6825db72a14Sinoguchi
6835db72a14Sinoguchi static void
smime_usage(void)6845db72a14Sinoguchi smime_usage(void)
6855db72a14Sinoguchi {
6865db72a14Sinoguchi fprintf(stderr, "usage: smime "
6875db72a14Sinoguchi "[-aes128 | -aes192 | -aes256 | -des |\n"
6885db72a14Sinoguchi " -des3 | -rc2-40 | -rc2-64 | -rc2-128] [-binary]\n"
6895db72a14Sinoguchi " [-CAfile file] [-CApath directory] [-certfile file]\n"
6905db72a14Sinoguchi " [-content file]\n"
6915db72a14Sinoguchi " [-decrypt] [-encrypt]\n"
6925db72a14Sinoguchi " [-from addr] [-in file] [-indef]\n"
6935db72a14Sinoguchi " [-inform der | pem | smime] [-inkey file]\n"
6945db72a14Sinoguchi " [-keyform der | pem] [-md digest] [-noattr] [-nocerts]\n"
6955db72a14Sinoguchi " [-nochain] [-nodetach] [-noindef] [-nointern] [-nosigs]\n"
6965db72a14Sinoguchi " [-nosmimecap] [-noverify] [-out file]\n"
6975db72a14Sinoguchi " [-outform der | pem | smime] [-passin arg] [-pk7out]\n"
6985db72a14Sinoguchi " [-recip file] [-resign] [-sign]\n"
6995db72a14Sinoguchi " [-signer file] [-stream] [-subject s] [-text] [-to addr]\n"
7005db72a14Sinoguchi " [-verify] [cert.pem ...]\n\n");
7015db72a14Sinoguchi
7025db72a14Sinoguchi options_usage(smime_options);
7035db72a14Sinoguchi
7045db72a14Sinoguchi fprintf(stderr, "\nVerification options:\n\n");
7055db72a14Sinoguchi options_usage(verify_shared_options);
7065db72a14Sinoguchi }
7075db72a14Sinoguchi
708dab3f910Sjsing int
smime_main(int argc,char ** argv)709dab3f910Sjsing smime_main(int argc, char **argv)
710dab3f910Sjsing {
711dab3f910Sjsing int ret = 0;
712dab3f910Sjsing char **args;
7135db72a14Sinoguchi int argsused = 0;
714dab3f910Sjsing const char *inmode = "r", *outmode = "w";
715dab3f910Sjsing PKCS7 *p7 = NULL;
716dab3f910Sjsing X509_STORE *store = NULL;
717dab3f910Sjsing X509 *cert = NULL, *recip = NULL, *signer = NULL;
718dab3f910Sjsing EVP_PKEY *key = NULL;
719dab3f910Sjsing STACK_OF(X509) *encerts = NULL, *other = NULL;
720dab3f910Sjsing BIO *in = NULL, *out = NULL, *indata = NULL;
721dab3f910Sjsing int badarg = 0;
7225db72a14Sinoguchi char *passin = NULL;
723dab3f910Sjsing
72451811eadSderaadt if (pledge("stdio cpath wpath rpath tty", NULL) == -1) {
7259bc487adSdoug perror("pledge");
726e370f0eeSdoug exit(1);
727e370f0eeSdoug }
7289bc487adSdoug
729e7718adaStb memset(&cfg, 0, sizeof(cfg));
730e7718adaStb cfg.flags = PKCS7_DETACHED;
731e7718adaStb cfg.informat = FORMAT_SMIME;
732e7718adaStb cfg.outformat = FORMAT_SMIME;
733e7718adaStb cfg.keyform = FORMAT_PEM;
7345db72a14Sinoguchi if (options_parse(argc, argv, smime_options, NULL, &argsused) != 0) {
7355db72a14Sinoguchi goto argerr;
7365db72a14Sinoguchi }
7375db72a14Sinoguchi args = argv + argsused;
738dab3f910Sjsing ret = 1;
739dab3f910Sjsing
740e7718adaStb if (!(cfg.operation & SMIME_SIGNERS) &&
741e7718adaStb (cfg.skkeys != NULL || cfg.sksigners != NULL)) {
742dab3f910Sjsing BIO_puts(bio_err, "Multiple signers or keys not allowed\n");
743dab3f910Sjsing goto argerr;
744dab3f910Sjsing }
745e7718adaStb if (cfg.operation & SMIME_SIGNERS) {
746dab3f910Sjsing /* Check to see if any final signer needs to be appended */
747e7718adaStb if (cfg.keyfile != NULL &&
748e7718adaStb cfg.signerfile == NULL) {
749dab3f910Sjsing BIO_puts(bio_err, "Illegal -inkey without -signer\n");
750dab3f910Sjsing goto argerr;
751dab3f910Sjsing }
752e7718adaStb if (cfg.signerfile != NULL) {
753e7718adaStb if (cfg.sksigners == NULL) {
754e7718adaStb if ((cfg.sksigners =
755438dcc41Sinoguchi sk_OPENSSL_STRING_new_null()) == NULL)
75651f7a940Sinoguchi goto end;
75751f7a940Sinoguchi }
758e7718adaStb if (!sk_OPENSSL_STRING_push(cfg.sksigners,
759e7718adaStb cfg.signerfile))
76051f7a940Sinoguchi goto end;
761e7718adaStb if (cfg.skkeys == NULL) {
762e7718adaStb if ((cfg.skkeys =
763438dcc41Sinoguchi sk_OPENSSL_STRING_new_null()) == NULL)
76451f7a940Sinoguchi goto end;
76551f7a940Sinoguchi }
766e7718adaStb if (cfg.keyfile == NULL)
767e7718adaStb cfg.keyfile = cfg.signerfile;
768e7718adaStb if (!sk_OPENSSL_STRING_push(cfg.skkeys,
769e7718adaStb cfg.keyfile))
77051f7a940Sinoguchi goto end;
771dab3f910Sjsing }
772e7718adaStb if (cfg.sksigners == NULL) {
773438dcc41Sinoguchi BIO_printf(bio_err,
774438dcc41Sinoguchi "No signer certificate specified\n");
775dab3f910Sjsing badarg = 1;
776dab3f910Sjsing }
777e7718adaStb cfg.signerfile = NULL;
778e7718adaStb cfg.keyfile = NULL;
779e7718adaStb } else if (cfg.operation == SMIME_DECRYPT) {
780e7718adaStb if (cfg.recipfile == NULL &&
781e7718adaStb cfg.keyfile == NULL) {
782438dcc41Sinoguchi BIO_printf(bio_err,
783438dcc41Sinoguchi "No recipient certificate or key specified\n");
784dab3f910Sjsing badarg = 1;
785dab3f910Sjsing }
786e7718adaStb } else if (cfg.operation == SMIME_ENCRYPT) {
78770dc8359Sinoguchi if (*args == NULL) {
788438dcc41Sinoguchi BIO_printf(bio_err,
789438dcc41Sinoguchi "No recipient(s) certificate(s) specified\n");
790dab3f910Sjsing badarg = 1;
791dab3f910Sjsing }
792e7718adaStb } else if (!cfg.operation) {
793dab3f910Sjsing badarg = 1;
79451f7a940Sinoguchi }
795dab3f910Sjsing
796dab3f910Sjsing if (badarg) {
797dab3f910Sjsing argerr:
7985db72a14Sinoguchi smime_usage();
799dab3f910Sjsing goto end;
800dab3f910Sjsing }
801dab3f910Sjsing
802e7718adaStb if (!app_passwd(bio_err, cfg.passargin, NULL, &passin, NULL)) {
803dab3f910Sjsing BIO_printf(bio_err, "Error getting password\n");
804dab3f910Sjsing goto end;
805dab3f910Sjsing }
806dab3f910Sjsing ret = 2;
807dab3f910Sjsing
808e7718adaStb if (!(cfg.operation & SMIME_SIGNERS))
809e7718adaStb cfg.flags &= ~PKCS7_DETACHED;
810dab3f910Sjsing
811e7718adaStb if (cfg.operation & SMIME_OP) {
812e7718adaStb if (cfg.outformat == FORMAT_ASN1)
813dab3f910Sjsing outmode = "wb";
814dab3f910Sjsing } else {
815e7718adaStb if (cfg.flags & PKCS7_BINARY)
816dab3f910Sjsing outmode = "wb";
817dab3f910Sjsing }
818dab3f910Sjsing
819e7718adaStb if (cfg.operation & SMIME_IP) {
820e7718adaStb if (cfg.informat == FORMAT_ASN1)
821dab3f910Sjsing inmode = "rb";
822dab3f910Sjsing } else {
823e7718adaStb if (cfg.flags & PKCS7_BINARY)
824dab3f910Sjsing inmode = "rb";
825dab3f910Sjsing }
826dab3f910Sjsing
827e7718adaStb if (cfg.operation == SMIME_ENCRYPT) {
828e7718adaStb if (cfg.cipher == NULL) {
829dab3f910Sjsing #ifndef OPENSSL_NO_RC2
830e7718adaStb cfg.cipher = EVP_rc2_40_cbc();
831dab3f910Sjsing #else
832dab3f910Sjsing BIO_printf(bio_err, "No cipher selected\n");
833dab3f910Sjsing goto end;
834dab3f910Sjsing #endif
835dab3f910Sjsing }
83651f7a940Sinoguchi if ((encerts = sk_X509_new_null()) == NULL)
83751f7a940Sinoguchi goto end;
83870dc8359Sinoguchi while (*args != NULL) {
83970dc8359Sinoguchi if ((cert = load_cert(bio_err, *args, FORMAT_PEM,
84070dc8359Sinoguchi NULL, "recipient certificate file")) == NULL) {
841dab3f910Sjsing goto end;
842dab3f910Sjsing }
84351f7a940Sinoguchi if (!sk_X509_push(encerts, cert))
84451f7a940Sinoguchi goto end;
845dab3f910Sjsing cert = NULL;
846dab3f910Sjsing args++;
847dab3f910Sjsing }
848dab3f910Sjsing }
849e7718adaStb if (cfg.certfile != NULL) {
850e7718adaStb if ((other = load_certs(bio_err, cfg.certfile,
851438dcc41Sinoguchi FORMAT_PEM, NULL, "certificate file")) == NULL) {
852dab3f910Sjsing ERR_print_errors(bio_err);
853dab3f910Sjsing goto end;
854dab3f910Sjsing }
855dab3f910Sjsing }
856e7718adaStb if (cfg.recipfile != NULL &&
857e7718adaStb (cfg.operation == SMIME_DECRYPT)) {
858e7718adaStb if ((recip = load_cert(bio_err, cfg.recipfile,
859438dcc41Sinoguchi FORMAT_PEM, NULL, "recipient certificate file")) == NULL) {
860dab3f910Sjsing ERR_print_errors(bio_err);
861dab3f910Sjsing goto end;
862dab3f910Sjsing }
863dab3f910Sjsing }
864e7718adaStb if (cfg.operation == SMIME_DECRYPT) {
865e7718adaStb if (cfg.keyfile == NULL)
866e7718adaStb cfg.keyfile = cfg.recipfile;
867e7718adaStb } else if (cfg.operation == SMIME_SIGN) {
868e7718adaStb if (cfg.keyfile == NULL)
869e7718adaStb cfg.keyfile = cfg.signerfile;
87051f7a940Sinoguchi } else {
871e7718adaStb cfg.keyfile = NULL;
87251f7a940Sinoguchi }
873dab3f910Sjsing
874e7718adaStb if (cfg.keyfile != NULL) {
875e7718adaStb key = load_key(bio_err, cfg.keyfile,
876e7718adaStb cfg.keyform, 0, passin, "signing key file");
87770dc8359Sinoguchi if (key == NULL)
878dab3f910Sjsing goto end;
879dab3f910Sjsing }
880e7718adaStb if (cfg.infile != NULL) {
881e7718adaStb if ((in = BIO_new_file(cfg.infile, inmode)) == NULL) {
882dab3f910Sjsing BIO_printf(bio_err,
883e7718adaStb "Can't open input file %s\n", cfg.infile);
884dab3f910Sjsing goto end;
885dab3f910Sjsing }
88651f7a940Sinoguchi } else {
88751f7a940Sinoguchi if ((in = BIO_new_fp(stdin, BIO_NOCLOSE)) == NULL)
88851f7a940Sinoguchi goto end;
88951f7a940Sinoguchi }
890dab3f910Sjsing
891e7718adaStb if (cfg.operation & SMIME_IP) {
892e7718adaStb if (cfg.informat == FORMAT_SMIME)
893dab3f910Sjsing p7 = SMIME_read_PKCS7(in, &indata);
894e7718adaStb else if (cfg.informat == FORMAT_PEM)
895dab3f910Sjsing p7 = PEM_read_bio_PKCS7(in, NULL, NULL, NULL);
896e7718adaStb else if (cfg.informat == FORMAT_ASN1)
897dab3f910Sjsing p7 = d2i_PKCS7_bio(in, NULL);
898dab3f910Sjsing else {
899438dcc41Sinoguchi BIO_printf(bio_err,
900438dcc41Sinoguchi "Bad input format for PKCS#7 file\n");
901dab3f910Sjsing goto end;
902dab3f910Sjsing }
903dab3f910Sjsing
90470dc8359Sinoguchi if (p7 == NULL) {
905dab3f910Sjsing BIO_printf(bio_err, "Error reading S/MIME message\n");
906dab3f910Sjsing goto end;
907dab3f910Sjsing }
908e7718adaStb if (cfg.contfile != NULL) {
909dab3f910Sjsing BIO_free(indata);
910e7718adaStb if ((indata = BIO_new_file(cfg.contfile,
911438dcc41Sinoguchi "rb")) == NULL) {
912438dcc41Sinoguchi BIO_printf(bio_err,
913438dcc41Sinoguchi "Can't read content file %s\n",
914e7718adaStb cfg.contfile);
915dab3f910Sjsing goto end;
916dab3f910Sjsing }
917dab3f910Sjsing }
918dab3f910Sjsing }
919e7718adaStb if (cfg.outfile != NULL) {
920e7718adaStb if ((out = BIO_new_file(cfg.outfile, outmode)) == NULL) {
921dab3f910Sjsing BIO_printf(bio_err,
922438dcc41Sinoguchi "Can't open output file %s\n",
923e7718adaStb cfg.outfile);
924dab3f910Sjsing goto end;
925dab3f910Sjsing }
926dab3f910Sjsing } else {
92751f7a940Sinoguchi if ((out = BIO_new_fp(stdout, BIO_NOCLOSE)) == NULL)
92851f7a940Sinoguchi goto end;
929dab3f910Sjsing }
930dab3f910Sjsing
931e7718adaStb if (cfg.operation == SMIME_VERIFY) {
932e7718adaStb if ((store = setup_verify(bio_err, cfg.CAfile,
933e7718adaStb cfg.CApath)) == NULL)
934dab3f910Sjsing goto end;
935e7718adaStb if (cfg.vpm != NULL) {
936e7718adaStb if (!X509_STORE_set1_param(store, cfg.vpm))
93751f7a940Sinoguchi goto end;
93851f7a940Sinoguchi }
939dab3f910Sjsing }
940dab3f910Sjsing ret = 3;
941dab3f910Sjsing
942e7718adaStb if (cfg.operation == SMIME_ENCRYPT) {
943e7718adaStb if (cfg.indef)
944e7718adaStb cfg.flags |= PKCS7_STREAM;
945e7718adaStb p7 = PKCS7_encrypt(encerts, in, cfg.cipher,
946e7718adaStb cfg.flags);
947e7718adaStb } else if (cfg.operation & SMIME_SIGNERS) {
948dab3f910Sjsing int i;
949dab3f910Sjsing /*
950dab3f910Sjsing * If detached data content we only enable streaming if
951dab3f910Sjsing * S/MIME output format.
952dab3f910Sjsing */
953e7718adaStb if (cfg.operation == SMIME_SIGN) {
954e7718adaStb if (cfg.flags & PKCS7_DETACHED) {
955e7718adaStb if (cfg.outformat == FORMAT_SMIME)
956e7718adaStb cfg.flags |= PKCS7_STREAM;
957e7718adaStb } else if (cfg.indef) {
958e7718adaStb cfg.flags |= PKCS7_STREAM;
95951f7a940Sinoguchi }
960e7718adaStb cfg.flags |= PKCS7_PARTIAL;
961438dcc41Sinoguchi p7 = PKCS7_sign(NULL, NULL, other, in,
962e7718adaStb cfg.flags);
96370dc8359Sinoguchi if (p7 == NULL)
964dab3f910Sjsing goto end;
96551f7a940Sinoguchi } else {
966e7718adaStb cfg.flags |= PKCS7_REUSE_DIGEST;
96751f7a940Sinoguchi }
968e7718adaStb for (i = 0; i < sk_OPENSSL_STRING_num(cfg.sksigners); i++) {
969e7718adaStb cfg.signerfile =
970e7718adaStb sk_OPENSSL_STRING_value(cfg.sksigners, i);
971e7718adaStb cfg.keyfile =
972e7718adaStb sk_OPENSSL_STRING_value(cfg.skkeys, i);
973e7718adaStb signer = load_cert(bio_err, cfg.signerfile,
974438dcc41Sinoguchi FORMAT_PEM, NULL, "signer certificate");
97570dc8359Sinoguchi if (signer == NULL)
976dab3f910Sjsing goto end;
977e7718adaStb key = load_key(bio_err, cfg.keyfile,
978e7718adaStb cfg.keyform, 0, passin,
979dab3f910Sjsing "signing key file");
98070dc8359Sinoguchi if (key == NULL)
981dab3f910Sjsing goto end;
98270dc8359Sinoguchi if (PKCS7_sign_add_signer(p7, signer, key,
983e7718adaStb cfg.sign_md, cfg.flags) == NULL)
984dab3f910Sjsing goto end;
985dab3f910Sjsing X509_free(signer);
986dab3f910Sjsing signer = NULL;
987dab3f910Sjsing EVP_PKEY_free(key);
988dab3f910Sjsing key = NULL;
989dab3f910Sjsing }
990dab3f910Sjsing /* If not streaming or resigning finalize structure */
991e7718adaStb if ((cfg.operation == SMIME_SIGN) &&
992e7718adaStb !(cfg.flags & PKCS7_STREAM)) {
993e7718adaStb if (!PKCS7_final(p7, in, cfg.flags))
994dab3f910Sjsing goto end;
995dab3f910Sjsing }
996dab3f910Sjsing }
99770dc8359Sinoguchi if (p7 == NULL) {
998dab3f910Sjsing BIO_printf(bio_err, "Error creating PKCS#7 structure\n");
999dab3f910Sjsing goto end;
1000dab3f910Sjsing }
1001dab3f910Sjsing ret = 4;
1002438dcc41Sinoguchi
1003e7718adaStb if (cfg.operation == SMIME_DECRYPT) {
1004e7718adaStb if (!PKCS7_decrypt(p7, key, recip, out, cfg.flags)) {
1005438dcc41Sinoguchi BIO_printf(bio_err,
1006438dcc41Sinoguchi "Error decrypting PKCS#7 structure\n");
1007dab3f910Sjsing goto end;
1008dab3f910Sjsing }
1009e7718adaStb } else if (cfg.operation == SMIME_VERIFY) {
1010dab3f910Sjsing STACK_OF(X509) *signers;
1011438dcc41Sinoguchi if (PKCS7_verify(p7, other, store, indata, out,
1012e7718adaStb cfg.flags)) {
1013dab3f910Sjsing BIO_printf(bio_err, "Verification successful\n");
101451f7a940Sinoguchi } else {
1015dab3f910Sjsing BIO_printf(bio_err, "Verification failure\n");
1016dab3f910Sjsing goto end;
1017dab3f910Sjsing }
1018438dcc41Sinoguchi if ((signers = PKCS7_get0_signers(p7, other,
1019e7718adaStb cfg.flags)) == NULL)
102051f7a940Sinoguchi goto end;
1021e7718adaStb if (!save_certs(cfg.signerfile, signers)) {
1022dab3f910Sjsing BIO_printf(bio_err, "Error writing signers to %s\n",
1023e7718adaStb cfg.signerfile);
1024b70cebc4Sinoguchi sk_X509_free(signers);
1025dab3f910Sjsing ret = 5;
1026dab3f910Sjsing goto end;
1027dab3f910Sjsing }
1028dab3f910Sjsing sk_X509_free(signers);
1029e7718adaStb } else if (cfg.operation == SMIME_PK7OUT) {
1030dab3f910Sjsing PEM_write_bio_PKCS7(out, p7);
103151f7a940Sinoguchi } else {
1032e7718adaStb if (cfg.to != NULL)
1033e7718adaStb BIO_printf(out, "To: %s\n", cfg.to);
1034e7718adaStb if (cfg.from != NULL)
1035e7718adaStb BIO_printf(out, "From: %s\n", cfg.from);
1036e7718adaStb if (cfg.subject != NULL)
1037e7718adaStb BIO_printf(out, "Subject: %s\n", cfg.subject);
1038e7718adaStb if (cfg.outformat == FORMAT_SMIME) {
1039e7718adaStb if (cfg.operation == SMIME_RESIGN) {
1040438dcc41Sinoguchi if (!SMIME_write_PKCS7(out, p7, indata,
1041e7718adaStb cfg.flags))
104251f7a940Sinoguchi goto end;
104351f7a940Sinoguchi } else {
1044438dcc41Sinoguchi if (!SMIME_write_PKCS7(out, p7, in,
1045e7718adaStb cfg.flags))
104651f7a940Sinoguchi goto end;
104751f7a940Sinoguchi }
1048e7718adaStb } else if (cfg.outformat == FORMAT_PEM) {
1049438dcc41Sinoguchi if (!PEM_write_bio_PKCS7_stream(out, p7, in,
1050e7718adaStb cfg.flags))
105151f7a940Sinoguchi goto end;
1052e7718adaStb } else if (cfg.outformat == FORMAT_ASN1) {
1053438dcc41Sinoguchi if (!i2d_PKCS7_bio_stream(out, p7, in,
1054e7718adaStb cfg.flags))
105551f7a940Sinoguchi goto end;
105651f7a940Sinoguchi } else {
1057438dcc41Sinoguchi BIO_printf(bio_err,
1058438dcc41Sinoguchi "Bad output format for PKCS#7 file\n");
1059dab3f910Sjsing goto end;
1060dab3f910Sjsing }
1061dab3f910Sjsing }
106251f7a940Sinoguchi
1063dab3f910Sjsing ret = 0;
106451f7a940Sinoguchi
1065dab3f910Sjsing end:
1066dab3f910Sjsing if (ret)
1067dab3f910Sjsing ERR_print_errors(bio_err);
1068dab3f910Sjsing sk_X509_pop_free(encerts, X509_free);
1069dab3f910Sjsing sk_X509_pop_free(other, X509_free);
1070e7718adaStb X509_VERIFY_PARAM_free(cfg.vpm);
1071e7718adaStb sk_OPENSSL_STRING_free(cfg.sksigners);
1072e7718adaStb sk_OPENSSL_STRING_free(cfg.skkeys);
1073dab3f910Sjsing X509_STORE_free(store);
1074dab3f910Sjsing X509_free(cert);
1075dab3f910Sjsing X509_free(recip);
1076dab3f910Sjsing X509_free(signer);
1077dab3f910Sjsing EVP_PKEY_free(key);
1078dab3f910Sjsing PKCS7_free(p7);
1079dab3f910Sjsing BIO_free(in);
1080dab3f910Sjsing BIO_free(indata);
1081dab3f910Sjsing BIO_free_all(out);
1082dab3f910Sjsing free(passin);
1083dab3f910Sjsing
1084dab3f910Sjsing return (ret);
1085dab3f910Sjsing }
1086dab3f910Sjsing
1087dab3f910Sjsing static int
save_certs(char * signerfile,STACK_OF (X509)* signers)1088dab3f910Sjsing save_certs(char *signerfile, STACK_OF(X509) *signers)
1089dab3f910Sjsing {
1090dab3f910Sjsing int i;
1091dab3f910Sjsing BIO *tmp;
1092dc4e41faSinoguchi
109370dc8359Sinoguchi if (signerfile == NULL)
1094dab3f910Sjsing return 1;
1095dab3f910Sjsing tmp = BIO_new_file(signerfile, "w");
109670dc8359Sinoguchi if (tmp == NULL)
1097dab3f910Sjsing return 0;
1098dab3f910Sjsing for (i = 0; i < sk_X509_num(signers); i++)
1099dab3f910Sjsing PEM_write_bio_X509(tmp, sk_X509_value(signers, i));
1100dab3f910Sjsing BIO_free(tmp);
1101dc4e41faSinoguchi
1102dab3f910Sjsing return 1;
1103dab3f910Sjsing }
1104