static GTlsCertificateFlags
g_tls_database_openssl_verify_chain (GTlsDatabase *database,
GTlsCertificate *chain,
const gchar *purpose,
GSocketConnectable *identity,
GTlsInteraction *interaction,
GTlsDatabaseVerifyFlags flags,
GCancellable *cancellable,
GError **error)
{
GTlsDatabaseOpenssl *self = G_TLS_DATABASE_OPENSSL (database);
GTlsDatabaseOpensslPrivate *priv;
STACK_OF(X509) *certs;
X509_STORE_CTX *csc;
X509 *x;
GTlsCertificateFlags result = 0;
g_return_val_if_fail (G_IS_TLS_CERTIFICATE_OPENSSL (chain),
G_TLS_CERTIFICATE_GENERIC_ERROR);
priv = g_tls_database_openssl_get_instance_private (self);
if (g_cancellable_set_error_if_cancelled (cancellable, error))
return G_TLS_CERTIFICATE_GENERIC_ERROR;
certs = convert_certificate_chain_to_openssl (G_TLS_CERTIFICATE_OPENSSL (chain));
csc = X509_STORE_CTX_new ();
x = g_tls_certificate_openssl_get_cert (G_TLS_CERTIFICATE_OPENSSL (chain));
if (!X509_STORE_CTX_init (csc, priv->store, x, certs))
{
X509_STORE_CTX_free (csc);
sk_X509_free (certs);
return G_TLS_CERTIFICATE_GENERIC_ERROR;
}
if (X509_verify_cert (csc) <= 0)
result = g_tls_certificate_openssl_convert_error (X509_STORE_CTX_get_error (csc));
X509_STORE_CTX_free (csc);
sk_X509_free (certs);
if (g_cancellable_set_error_if_cancelled (cancellable, error))
return G_TLS_CERTIFICATE_GENERIC_ERROR;
/* We have to check these ourselves since openssl
* does not give us flags and UNKNOWN_CA will take priority.
*/
result |= double_check_before_after_dates (G_TLS_CERTIFICATE_OPENSSL (chain));
if (identity)
result |= g_tls_certificate_openssl_verify_identity (G_TLS_CERTIFICATE_OPENSSL (chain),
identity);
return result;
}
void pki_pkcs7::signBio(pki_x509 *crt, BIO *bio)
{
pki_key *privkey;
EVP_PKEY *pk;
STACK_OF(X509) *certstack;
if (!crt)
return;
privkey = crt->getRefKey();
if (!privkey)
throw errorEx("No private key for signing found", getClassName());
certstack = sk_X509_new_null();
pki_x509 *signer = crt->getSigner();
if (signer == crt)
signer = NULL;
while (signer != NULL ) {
sk_X509_push(certstack, signer->getCert());
openssl_error();
if (signer == signer->getSigner() )
signer = NULL;
else
signer = signer->getSigner();
}
if (p7)
PKCS7_free(p7);
pk = privkey->decryptKey();
p7 = PKCS7_sign(crt->getCert(), pk, certstack, bio, PKCS7_BINARY);
EVP_PKEY_free(pk);
openssl_error();
sk_X509_free(certstack);
}
int
CA_passive_authentication(const EAC_CTX *ctx, PKCS7 *ef_cardsecurity)
{
X509 *ds_cert;
X509_STORE *store;
STACK_OF(X509) *ds_certs = NULL;
unsigned long issuer_name_hash;
int ret = 0;
check(ef_cardsecurity && ctx && ctx->ca_ctx && ctx->ca_ctx->lookup_csca_cert, "Invalid arguments");
/* Extract the DS certificates from the EF.CardSecurity */
ds_certs = PKCS7_get0_signers(ef_cardsecurity, NULL, 0);
check(ds_certs, "Failed to retrieve certificates from EF.CardSecurity");
/* NOTE: The following code assumes that there is only one certificate in
* PKCS7 structure. ds_cert is implicitly freed together with ds_certs. */
ds_cert = sk_X509_pop(ds_certs);
check(ds_cert, "Failed to retrieve DS certificate from EF.CardSecurity");
/* Get the trust store with at least the csca certificate */
issuer_name_hash = X509_issuer_name_hash(ds_cert);
store = ctx->ca_ctx->lookup_csca_cert(issuer_name_hash);
check (store, "Failed to retrieve CSCA truststore");
/* Verify the signature and the certificate chain */
ret = PKCS7_verify(ef_cardsecurity, ds_certs, store, NULL, NULL, 0);
err:
if (ds_certs)
sk_X509_free(ds_certs);
return ret;
}
STACK_OF(X509) *CMS_get0_signers(CMS_ContentInfo *cms)
{
STACK_OF(X509) *signers = NULL;
STACK_OF(CMS_SignerInfo) *sinfos;
CMS_SignerInfo *si;
int i;
sinfos = CMS_get0_SignerInfos(cms);
for (i = 0; i < sk_CMS_SignerInfo_num(sinfos); i++)
{
si = sk_CMS_SignerInfo_value(sinfos, i);
if (si->signer)
{
if (!signers)
{
signers = sk_X509_new_null();
if (!signers)
return NULL;
}
if (!sk_X509_push(signers, si->signer))
{
sk_X509_free(signers);
return NULL;
}
}
}
return signers;
}
// Verify the signed block, the first 32 bytes of the data must be the certificate hash to work.
int __fastcall util_verify(char* signature, int signlen, struct util_cert* cert, char** data)
{
unsigned int size, r;
BIO *out = NULL;
PKCS7 *message = NULL;
char* data2 = NULL;
char hash[UTIL_HASHSIZE];
STACK_OF(X509) *st = NULL;
cert->x509 = NULL;
cert->pkey = NULL;
*data = NULL;
message = d2i_PKCS7(NULL, (const unsigned char**)&signature, signlen);
if (message == NULL) goto error;
out = BIO_new(BIO_s_mem());
// Lets rebuild the original message and check the size
size = i2d_PKCS7(message, NULL);
if (size < (unsigned int)signlen) goto error;
// Check the PKCS7 signature, but not the certificate chain.
r = PKCS7_verify(message, NULL, NULL, NULL, out, PKCS7_NOVERIFY);
if (r == 0) goto error;
// If data block contains less than 32 bytes, fail.
size = BIO_get_mem_data(out, &data2);
if (size <= UTIL_HASHSIZE) goto error;
// Copy the data block
*data = (char*)malloc(size + 1);
if (*data == NULL) goto error;
memcpy(*data, data2, size);
(*data)[size] = 0;
// Get the certificate signer
st = PKCS7_get0_signers(message, NULL, PKCS7_NOVERIFY);
cert->x509 = X509_dup(sk_X509_value(st, 0));
sk_X509_free(st);
// Get a full certificate hash of the signer
r = UTIL_HASHSIZE;
X509_digest(cert->x509, EVP_sha256(), (unsigned char*)hash, &r);
// Check certificate hash with first 32 bytes of data.
if (memcmp(hash, *data, UTIL_HASHSIZE) != 0) goto error;
// Approved, cleanup and return.
BIO_free(out);
PKCS7_free(message);
return size;
error:
if (out != NULL) BIO_free(out);
if (message != NULL) PKCS7_free(message);
if (*data != NULL) free(*data);
if (cert->x509 != NULL) { X509_free(cert->x509); cert->x509 = NULL; }
return 0;
}
Settings::KeyPair CertWizard::importCert(QByteArray data, const QString &pw) {
X509 *x509 = NULL;
EVP_PKEY *pkey = NULL;
PKCS12 *pkcs = NULL;
BIO *mem = NULL;
STACK_OF(X509) *certs = NULL;
Settings::KeyPair kp;
int ret = 0;
mem = BIO_new_mem_buf(data.data(), data.size());
Q_UNUSED(BIO_set_close(mem, BIO_NOCLOSE));
pkcs = d2i_PKCS12_bio(mem, NULL);
if (pkcs) {
ret = PKCS12_parse(pkcs, NULL, &pkey, &x509, &certs);
if (pkcs && !pkey && !x509 && ! pw.isEmpty()) {
if (certs) {
if (ret)
sk_X509_free(certs);
certs = NULL;
}
ret = PKCS12_parse(pkcs, pw.toUtf8().constData(), &pkey, &x509, &certs);
}
if (pkey && x509 && X509_check_private_key(x509, pkey)) {
unsigned char *dptr;
QByteArray key, crt;
key.resize(i2d_PrivateKey(pkey, NULL));
dptr=reinterpret_cast<unsigned char *>(key.data());
i2d_PrivateKey(pkey, &dptr);
crt.resize(i2d_X509(x509, NULL));
dptr=reinterpret_cast<unsigned char *>(crt.data());
i2d_X509(x509, &dptr);
QSslCertificate qscCert = QSslCertificate(crt, QSsl::Der);
QSslKey qskKey = QSslKey(key, QSsl::Rsa, QSsl::Der);
QList<QSslCertificate> qlCerts;
qlCerts << qscCert;
if (certs) {
for (int i=0;i<sk_X509_num(certs);++i) {
X509 *c = sk_X509_value(certs, i);
crt.resize(i2d_X509(c, NULL));
dptr=reinterpret_cast<unsigned char *>(crt.data());
i2d_X509(c, &dptr);
QSslCertificate cert = QSslCertificate(crt, QSsl::Der);
qlCerts << cert;
}
}
bool valid = ! qskKey.isNull();
foreach(const QSslCertificate &cert, qlCerts)
valid = valid && ! cert.isNull();
if (valid)
kp = Settings::KeyPair(qlCerts, qskKey);
}
}
int GTPublicationsFile_getSigningCert(
const GTPublicationsFile *publications_file,
unsigned char **cert_der, size_t *cert_der_length)
{
int res = GT_UNKNOWN_ERROR;
unsigned char *i2dp;
unsigned char *tmp_der = NULL;
int tmp_der_len;
X509 *signing_cert = NULL;
STACK_OF(X509) *certs = NULL;
if (publications_file == NULL || publications_file->signature == NULL ||
cert_der == NULL || cert_der_length == NULL) {
res = GT_INVALID_ARGUMENT;
goto cleanup;
}
certs = PKCS7_get0_signers(publications_file->signature, NULL, 0);
if (certs == NULL) {
res = GT_INVALID_FORMAT;
goto cleanup;
}
if (sk_X509_num(certs) != 1) {
res = GT_INVALID_FORMAT;
goto cleanup;
}
signing_cert = sk_X509_value(certs, 0);
tmp_der_len = i2d_X509(signing_cert, NULL);
if (tmp_der_len < 0) {
res = GT_CRYPTO_FAILURE;
goto cleanup;
}
tmp_der = GT_malloc(tmp_der_len);
if (tmp_der == NULL) {
res = GT_OUT_OF_MEMORY;
goto cleanup;
}
i2dp = tmp_der;
i2d_X509(signing_cert, &i2dp);
*cert_der = tmp_der;
tmp_der = NULL;
*cert_der_length = tmp_der_len;
res = GT_OK;
cleanup:
GT_free(tmp_der);
sk_X509_free(certs);
return res;
}
END_TEST
START_TEST(test_sscep_handling_perform_sunny)
{
qeo_mgmt_client_ctx_t *ctx = NULL;
STACK_OF(X509) *racerts = get_cert_store(raids);
STACK_OF(X509) *devicecerts = get_cert_store(deviceids);
sscep_mock_ignore_and_return(true, SCEP_PKISTATUS_SUCCESS, racerts, SCEP_PKISTATUS_SUCCESS, devicecerts);
ctx = qeo_mgmt_client_init();
fail_if(ctx == NULL);
fail_unless(qeo_mgmt_client_enroll_device(ctx, s_url, s_rsakey, s_otp, &s_info, my_ssl_cb, (void*) COOKIE_MAGIC_NUMBER, s_certs) == QMGMTCLIENT_OK);
qeo_mgmt_client_clean(ctx);
sscep_mock_expect_called(1, 2, 1);
sk_X509_free(racerts);
sk_X509_free(devicecerts);
}
/**
This function will return the leaf signer certificate in a chain. This is
required because certificate chains are not guaranteed to have the
certificates in the order that they were issued.
A typical certificate chain looks like this:
----------------------------
| Root |
----------------------------
^
|
----------------------------
| Policy CA | <-- Typical Trust Anchor.
----------------------------
^
|
----------------------------
| Issuing CA |
----------------------------
^
|
-----------------------------
/ End-Entity (leaf) signer / <-- Bottom certificate.
----------------------------- EKU: "1.3.6.1.4.1.311.76.9.21.1"
(Firmware Signing)
@param[in] CertChain Certificate chain.
@param[out] SignerCert Last certificate in the chain. For PKCS7 signatures,
this will be the end-entity (leaf) signer cert.
@retval EFI_SUCCESS The required EKUs were found in the signature.
@retval EFI_INVALID_PARAMETER A parameter was invalid.
@retval EFI_NOT_FOUND The number of signers found was not 1.
**/
EFI_STATUS
GetSignerCertificate (
IN CONST PKCS7 *CertChain,
OUT X509 **SignerCert
)
{
EFI_STATUS Status;
STACK_OF(X509) *Signers;
INT32 NumberSigners;
Status = EFI_SUCCESS;
Signers = NULL;
NumberSigners = 0;
if (CertChain == NULL || SignerCert == NULL) {
Status = EFI_INVALID_PARAMETER;
goto Exit;
}
//
// Get the signers from the chain.
//
Signers = PKCS7_get0_signers ((PKCS7*) CertChain, NULL, PKCS7_BINARY);
if (Signers == NULL) {
//
// Fail to get signers form PKCS7
//
Status = EFI_INVALID_PARAMETER;
goto Exit;
}
//
// There should only be one signer in the PKCS7 stack.
//
NumberSigners = sk_X509_num (Signers);
if (NumberSigners != 1) {
//
// The number of singers should have been 1
//
Status = EFI_NOT_FOUND;
goto Exit;
}
*SignerCert = sk_X509_value (Signers, 0);
Exit:
//
// Release Resources
//
if (Signers) {
sk_X509_free (Signers);
}
return Status;
}
static STACK_OF(X509) *
file_to_certs(const char *file)
{
unsigned long ret;
STACK_OF(X509) *certs;
FILE *f;
if ((f = fopen(file, "r")) == NULL) {
warn("open failed %s", file);
return NULL;
}
certs = sk_X509_new_null();
for (;;) {
X509 *cert;
cert = PEM_read_X509(f, NULL, NULL, NULL);
if (cert == NULL) {
ret = ERR_GET_REASON(ERR_peek_error());
if (ret == PEM_R_NO_START_LINE) {
/* End of file reached. no error */
ERR_clear_error();
break;
}
sk_X509_free(certs);
warnx("Can't read certificate in file: %s", file);
fclose(f);
return NULL;
}
sk_X509_insert(certs, cert, sk_X509_num(certs));
}
fclose(f);
if (sk_X509_num(certs) == 0) {
sk_X509_free(certs);
certs = NULL;
warnx("No certificate found in file %s", file);
}
return certs;
}
END_TEST
START_TEST(test_cert_ordening_rainy)
{
qeo_mgmt_cert_contents qmcc;
int ids1[]={CERTSTORE_MASTER , CERTSTORE_RANDOM, CERTSTORE_DEVICE, -1};
int ids2[]={CERTSTORE_REALM , CERTSTORE_MASTER, CERTSTORE_RANDOM, -1};
int ids3[]={CERTSTORE_DEVICE , CERTSTORE_REALM, -1};
int ids4[]={CERTSTORE_DEVICE, CERTSTORE_MASTER, -1};
int ids5[]={CERTSTORE_MASTER, -1};
int ids6[]={CERTSTORE_REALM, CERTSTORE_MASTER, -1};
STACK_OF(X509) *chain1 = get_cert_store(ids1);
STACK_OF(X509) *chain2 = get_cert_store(ids2);
STACK_OF(X509) *chain3 = get_cert_store(ids3);
STACK_OF(X509) *chain4 = get_cert_store(ids4);
STACK_OF(X509) *chain5 = get_cert_store(ids5);
STACK_OF(X509) *chain6 = get_cert_store(ids6);
fail_if(qeo_mgmt_cert_parse(chain1, &qmcc) == QCERT_OK);
fail_if(qeo_mgmt_cert_parse(chain2, &qmcc) == QCERT_OK);
fail_if(qeo_mgmt_cert_parse(chain3, &qmcc) == QCERT_OK);
fail_if(qeo_mgmt_cert_parse(chain4, &qmcc) == QCERT_OK);
fail_if(qeo_mgmt_cert_parse(chain5, &qmcc) == QCERT_OK);
fail_if(qeo_mgmt_cert_parse(chain6, &qmcc) == QCERT_OK);
sk_X509_free(chain1);
sk_X509_free(chain2);
sk_X509_free(chain3);
sk_X509_free(chain4);
sk_X509_free(chain5);
sk_X509_free(chain6);
}
int PKI_X509_PKCS7_clear_certs ( PKI_X509_PKCS7 *p7 ) {
STACK_OF(X509) *x_sk = NULL;
if ((x_sk = __get_chain ( p7 )) == NULL ) {
return PKI_ERR;
}
if ( !x_sk ) return ( PKI_OK );
sk_X509_free ( x_sk );
return ( PKI_OK );
}
void pki_pkcs7::encryptBio(pki_x509 *crt, BIO *bio)
{
STACK_OF(X509) *certstack;
if (!crt)
return;
certstack = sk_X509_new_null();
sk_X509_push(certstack, crt->getCert());
openssl_error();
if (p7)
PKCS7_free(p7);
p7 = PKCS7_encrypt(certstack, bio, EVP_des_ede3_cbc(), PKCS7_BINARY);
openssl_error();
sk_X509_free(certstack);
}
END_TEST
START_TEST(test_sunny_day)
{
int deviceids[]={CERTSTORE_MASTER , CERTSTORE_REALM, CERTSTORE_DEVICE, -1};
STACK_OF(X509) *devicechain = get_cert_store(deviceids);
qeo_mgmt_cert_contents qmcc;
fail_unless(qeo_mgmt_cert_parse(devicechain, &qmcc) == QCERT_OK);
ck_assert_int_eq(qmcc.device, 327);
ck_assert_int_eq(qmcc.user, 20);
ck_assert_int_eq(qmcc.realm, 20);
sk_X509_free(devicechain);
}
/**
* Returns a list of all x509 certificates in a PKCS12 object.
*/
static STACK_OF(X509) *pkcs12_listCerts(PKCS12 *p12) {
STACK_OF(X509) *x509s = sk_X509_new_null();
if (!x509s) return NULL;
// Extract all PKCS7 safes
STACK_OF(PKCS7) *pkcs7s = PKCS12_unpack_authsafes(p12);
if (!pkcs7s) {
certutil_updateErrorString();
sk_X509_free(x509s);
return NULL;
}
// For each PKCS7 safe
int nump = sk_PKCS7_num(pkcs7s);
for (int p = 0; p < nump; p++) {
PKCS7 *p7 = sk_PKCS7_value(pkcs7s, p);
if (!p7) continue;
STACK_OF(PKCS12_SAFEBAG) *safebags = PKCS12_unpack_p7data(p7);
if (!safebags) {
certutil_updateErrorString();
continue;
}
// For each PKCS12 safebag
int numb = sk_PKCS12_SAFEBAG_num(safebags);
for (int i = 0; i < numb; i++) {
PKCS12_SAFEBAG *bag = sk_PKCS12_SAFEBAG_value(safebags, i);
if (!bag) continue;
if (M_PKCS12_bag_type(bag) == NID_certBag) {
// Extract x509 cert
X509 *x509 = PKCS12_certbag2x509(bag);
if (x509 == NULL) {
certutil_updateErrorString();
} else {
sk_X509_push(x509s, x509);
}
}
}
sk_PKCS12_SAFEBAG_pop_free(safebags, PKCS12_SAFEBAG_free);
}
sk_PKCS7_pop_free(pkcs7s, PKCS7_free);
return x509s;
}
static int test_resp_signer(void)
{
OCSP_BASICRESP *bs = NULL;
X509 *signer = NULL, *tmp;
EVP_PKEY *key = NULL;
STACK_OF(X509) *extra_certs = NULL;
int ret = 0;
/*
* Test a response with no certs at all; get the signer from the
* extra certs given to OCSP_resp_get0_signer().
*/
bs = make_dummy_resp();
extra_certs = sk_X509_new_null();
if (!TEST_ptr(bs)
|| !TEST_ptr(extra_certs)
|| !TEST_true(get_cert_and_key(&signer, &key))
|| !TEST_true(sk_X509_push(extra_certs, signer))
|| !TEST_true(OCSP_basic_sign(bs, signer, key, EVP_sha1(),
NULL, OCSP_NOCERTS)))
goto err;
if (!TEST_true(OCSP_resp_get0_signer(bs, &tmp, extra_certs))
|| !TEST_int_eq(X509_cmp(tmp, signer), 0))
goto err;
OCSP_BASICRESP_free(bs);
/* Do it again but include the signer cert */
bs = make_dummy_resp();
tmp = NULL;
if (!TEST_ptr(bs)
|| !TEST_true(OCSP_basic_sign(bs, signer, key, EVP_sha1(),
NULL, 0)))
goto err;
if (!TEST_true(OCSP_resp_get0_signer(bs, &tmp, NULL))
|| !TEST_int_eq(X509_cmp(tmp, signer), 0))
goto err;
ret = 1;
err:
OCSP_BASICRESP_free(bs);
sk_X509_free(extra_certs);
X509_free(signer);
EVP_PKEY_free(key);
return ret;
}
void Pkcs12::parse(string password) throw(Pkcs12Exception)
{
EVP_PKEY* pkey = NULL;
X509* cert = NULL;
STACK_OF(X509)* ca = NULL;
unsigned long opensslError = 0;
X509* tmp = NULL;
//Limpa fila de erros e carrega tabelas
ERR_clear_error();
//OpenSSL_add_all_algorithms();
ERR_load_crypto_strings();
if(!PKCS12_parse(this->pkcs12, password.c_str(), &pkey, &cert, &ca))
{
opensslError = ERR_get_error();
switch(ERR_GET_REASON(opensslError))
{
case PKCS12_R_MAC_VERIFY_FAILURE :
throw Pkcs12Exception(Pkcs12Exception::PARSE_ERROR, "Pkcs12::parse");
break;
case PKCS12_R_PARSE_ERROR :
throw Pkcs12Exception(Pkcs12Exception::MAC_VERIFY_FAILURE, "Pkcs12::parse");
break;
}
}
this->privKey = new PrivateKey(pkey);
this->cert = new Certificate(cert);
for(int i = 0 ; i < sk_X509_num(ca) ; i ++)
{
tmp = sk_X509_value(ca, i);
this->ca.push_back(new Certificate(tmp));
}
sk_X509_free(ca);
}
void openssl_pkcs12_cert()
{
FILE *tmpfile;
PKCS12 *pkcs12s;
EVP_PKEY *certprk;
X509 *cscert, *cacert;
STACK_OF(X509) * cacerts;
OpenSSL_add_all_algorithms();
ERR_load_crypto_strings();
certprk = EVP_PKEY_new();
tmpfile = fopen(PKEYF, "r");
certprk = PEM_read_PrivateKey(tmpfile, NULL, NULL, NULL);
fclose(tmpfile);
tmpfile = fopen(PCERTF, "r");
cscert = PEM_read_X509(tmpfile, NULL, NULL, NULL);
fclose(tmpfile);
tmpfile = fopen(RCERTF, "r");
cacert = PEM_read_X509(tmpfile, NULL, NULL, NULL);
fclose(tmpfile);
pkcs12s = PKCS12_new();
cacerts = sk_X509_new_null();
sk_X509_push(cacerts, cacert);
pkcs12s = PKCS12_create("beike2012", "mypkcs12", certprk, cscert,
cacerts, 0, 0, 0, 0, 0);
tmpfile = fopen(PKCS12F, "w");
if (i2d_PKCS12_fp(tmpfile, pkcs12s) <= 0)
openssl_error_show("i2d_PKCS12_fp", 1);
fclose(tmpfile);
sk_X509_free(cacerts);
PKCS12_free(pkcs12s);
}
// Encrypt a block of data for a target certificate
int __fastcall util_encrypt(struct util_cert cert, char* data, int datalen, char** encdata)
{
int size = 0;
BIO *in = NULL;
PKCS7 *message = NULL;
STACK_OF(X509) *encerts = NULL;
*encdata = NULL;
if (datalen == 0) return 0;
// Setup certificates
encerts = sk_X509_new_null();
sk_X509_push(encerts, cert.x509);
// Encrypt the block
*encdata = NULL;
in = BIO_new_mem_buf(data, datalen);
message = PKCS7_encrypt(encerts, in, EVP_aes_128_cbc(), PKCS7_BINARY);
if (message == NULL) return 0;
size = i2d_PKCS7(message, (unsigned char**)encdata);
BIO_free(in);
PKCS7_free(message);
sk_X509_free(encerts);
return size;
}
int X509_verify_cert(X509_STORE_CTX *ctx)
{
X509 *x,*xtmp,*chain_ss=NULL;
X509_NAME *xn;
int depth,i,ok=0;
int num;
int (*cb)();
STACK_OF(X509) *sktmp=NULL;
if (ctx->cert == NULL)
{
X509err(X509_F_X509_VERIFY_CERT,X509_R_NO_CERT_SET_FOR_US_TO_VERIFY);
return -1;
}
cb=ctx->verify_cb;
/* first we make sure the chain we are going to build is
* present and that the first entry is in place */
if (ctx->chain == NULL)
{
if ( ((ctx->chain=sk_X509_new_null()) == NULL) ||
(!sk_X509_push(ctx->chain,ctx->cert)))
{
X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE);
goto end;
}
CRYPTO_add(&ctx->cert->references,1,CRYPTO_LOCK_X509);
ctx->last_untrusted=1;
}
/* We use a temporary STACK so we can chop and hack at it */
if (ctx->untrusted != NULL
&& (sktmp=sk_X509_dup(ctx->untrusted)) == NULL)
{
X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE);
goto end;
}
num=sk_X509_num(ctx->chain);
x=sk_X509_value(ctx->chain,num-1);
depth=ctx->depth;
for (;;)
{
/* If we have enough, we break */
if (depth < num) break; /* FIXME: If this happens, we should take
* note of it and, if appropriate, use the
* X509_V_ERR_CERT_CHAIN_TOO_LONG error
* code later.
*/
/* If we are self signed, we break */
xn=X509_get_issuer_name(x);
if (ctx->check_issued(ctx, x,x)) break;
/* If we were passed a cert chain, use it first */
if (ctx->untrusted != NULL)
{
xtmp=find_issuer(ctx, sktmp,x);
if (xtmp != NULL)
{
if (!sk_X509_push(ctx->chain,xtmp))
{
X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE);
goto end;
}
CRYPTO_add(&xtmp->references,1,CRYPTO_LOCK_X509);
sk_X509_delete_ptr(sktmp,xtmp);
ctx->last_untrusted++;
x=xtmp;
num++;
/* reparse the full chain for
* the next one */
continue;
}
}
break;
}
/* at this point, chain should contain a list of untrusted
* certificates. We now need to add at least one trusted one,
* if possible, otherwise we complain. */
/* Examine last certificate in chain and see if it
* is self signed.
*/
i=sk_X509_num(ctx->chain);
x=sk_X509_value(ctx->chain,i-1);
xn = X509_get_subject_name(x);
if (ctx->check_issued(ctx, x, x))
{
/* we have a self signed certificate */
if (sk_X509_num(ctx->chain) == 1)
{
/* We have a single self signed certificate: see if
* we can find it in the store. We must have an exact
* match to avoid possible impersonation.
*/
ok = ctx->get_issuer(&xtmp, ctx, x);
if ((ok <= 0) || X509_cmp(x, xtmp))
{
ctx->error=X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT;
ctx->current_cert=x;
ctx->error_depth=i-1;
if (ok == 1) X509_free(xtmp);
ok=cb(0,ctx);
if (!ok) goto end;
}
else
{
/* We have a match: replace certificate with store version
* so we get any trust settings.
*/
X509_free(x);
x = xtmp;
sk_X509_set(ctx->chain, i - 1, x);
ctx->last_untrusted=0;
}
}
else
{
/* extract and save self signed certificate for later use */
chain_ss=sk_X509_pop(ctx->chain);
ctx->last_untrusted--;
num--;
x=sk_X509_value(ctx->chain,num-1);
}
}
/* We now lookup certs from the certificate store */
for (;;)
{
/* If we have enough, we break */
if (depth < num) break;
/* If we are self signed, we break */
xn=X509_get_issuer_name(x);
if (ctx->check_issued(ctx,x,x)) break;
ok = ctx->get_issuer(&xtmp, ctx, x);
if (ok < 0) return ok;
if (ok == 0) break;
x = xtmp;
if (!sk_X509_push(ctx->chain,x))
{
X509_free(xtmp);
X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE);
return 0;
}
num++;
}
/* we now have our chain, lets check it... */
xn=X509_get_issuer_name(x);
/* Is last certificate looked up self signed? */
if (!ctx->check_issued(ctx,x,x))
{
if ((chain_ss == NULL) || !ctx->check_issued(ctx, x, chain_ss))
{
if (ctx->last_untrusted >= num)
ctx->error=X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY;
else
ctx->error=X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT;
ctx->current_cert=x;
}
else
{
sk_X509_push(ctx->chain,chain_ss);
num++;
ctx->last_untrusted=num;
ctx->current_cert=chain_ss;
ctx->error=X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN;
chain_ss=NULL;
}
ctx->error_depth=num-1;
ok=cb(0,ctx);
if (!ok) goto end;
}
/* We have the chain complete: now we need to check its purpose */
ok = check_chain_extensions(ctx);
if (!ok) goto end;
/* The chain extensions are OK: check trust */
if (ctx->trust > 0) ok = check_trust(ctx);
if (!ok) goto end;
/* We may as well copy down any DSA parameters that are required */
X509_get_pubkey_parameters(NULL,ctx->chain);
/* Check revocation status: we do this after copying parameters
* because they may be needed for CRL signature verification.
*/
ok = ctx->check_revocation(ctx);
if(!ok) goto end;
/* At this point, we have a chain and just need to verify it */
if (ctx->verify != NULL)
ok=ctx->verify(ctx);
else
ok=internal_verify(ctx);
if (0)
{
end:
X509_get_pubkey_parameters(NULL,ctx->chain);
}
if (sktmp != NULL) sk_X509_free(sktmp);
if (chain_ss != NULL) X509_free(chain_ss);
return ok;
}
/*******************************************************************************
函数名称: cert_pkcs7_wrap
功能描述: 将要发送的消息采用PKCS#7格式进行编码
输入参数: struct scep *s, SCEP操作的结构体指针。
s32 hasra, 是否使用RA证书,1,使用;0,不使用
输出参数: 无
返 回 值: 1,成功;-1,失败
--------------------------------------------------------------------------------
最近一次修改记录:
修改作者:王朝
修改目的:添加新函数
修改日期:2009年12月28日
*********************************************************************************/
s32 cert_pkcs7_wrap(struct scep *s, s32 hasra)
{
BIO *databio = NULL;
BIO *encbio = NULL;
BIO *pkcs7bio = NULL;
BIO *memorybio = NULL;
BIO *outbio = NULL;
BIO *base64bio = NULL;
u8 *buffer = NULL;
s32 len = 0;
STACK_OF(X509) *recipients = NULL;
PKCS7 *p7enc = NULL;
PKCS7_SIGNER_INFO *si = NULL;
STACK_OF(X509_ATTRIBUTE) *attributes = NULL;
X509 *signercert = NULL;
EVP_PKEY *signerkey = NULL;
s32 retval = -1;
/* sender nonce */
s->sender_nonce_len = 16;
s->sender_nonce = (u8 *)malloc((u32)s->sender_nonce_len);
RAND_bytes(s->sender_nonce, s->sender_nonce_len);
/* Prepare data payload */
switch(s->request_type)
{
case SCEP_REQUEST_PKCSREQ:
s->request_type_str = SCEP_REQUEST_PKCSREQ_STR;
/* Signer cert */
signercert = s->signercert;
signerkey = s->signerkey;
/* Read request in memory bio */
databio = BIO_new(BIO_s_mem());
if ((i2d_X509_REQ_bio(databio, cert_request)) <= 0)
{
goto end;
}
(void)BIO_flush(databio);
BIO_set_flags(databio, BIO_FLAGS_MEM_RDONLY);
break;
case SCEP_REQUEST_GETCERTINIT:
/* Set printable message type */
s->request_type_str = SCEP_REQUEST_GETCERTINIT_STR;
/* Signer cert */
signercert = s->signercert;
signerkey = s->signerkey;
/* Read data in memory bio */
databio = BIO_new(BIO_s_mem());
if ((i2d_pkcs7_issuer_and_subject_bio(databio, s->ias_getcertinit)) <= 0)
{
goto end;
}
(void)BIO_flush(databio);
BIO_set_flags(databio, BIO_FLAGS_MEM_RDONLY);
break;
default:
goto end;
}
/* Below this is the common code for all request_type */
/* Read in the payload */
s->request_len = BIO_get_mem_data(databio, &s->request_payload);
BIO_free(databio);
databio = NULL;
/* Create encryption certificate stack */
if (NULL == (recipients = sk_X509_new_null() ))
{
goto end;
}
/* Use different CA cert for encryption if requested */
if (1 == hasra)
{
if (sk_X509_push(recipients, cert_encert) <= 0)
{
goto end;
}
}
else
{
/* Use same CA cert also for encryption */
if (sk_X509_push(recipients, cert_cacert) <= 0)
{
goto end;
}
}
/* Create BIO for encryption */
if ((encbio = BIO_new_mem_buf(s->request_payload,s->request_len)) == NULL)
{
goto end;
}
/* Encrypt */
if (NULL == (p7enc = PKCS7_encrypt(recipients, encbio, cert_enc_alg, PKCS7_BINARY)))
{
goto end;
}
BIO_free(encbio);
encbio = NULL;
sk_X509_free(recipients);
recipients = NULL;
/* Write encrypted data */
memorybio = BIO_new(BIO_s_mem());
if (i2d_PKCS7_bio(memorybio, p7enc) <= 0)
{
goto end;
}
PKCS7_free(p7enc);
p7enc = NULL;
(void)BIO_flush(memorybio);
BIO_set_flags(memorybio, BIO_FLAGS_MEM_RDONLY);
len = BIO_get_mem_data(memorybio, &buffer);
/* Create outer PKCS#7 */
s->request_p7 = PKCS7_new();
if (s->request_p7 == NULL)
{
goto end;
}
if (!PKCS7_set_type(s->request_p7, NID_pkcs7_signed))
{
goto end;
}
/* Add signer certificate and signature */
PKCS7_add_certificate(s->request_p7, signercert);
if ((si = PKCS7_add_signature(s->request_p7,signercert, signerkey, cert_sig_alg)) == NULL)
{
goto end;
}
/* Set signed attributes */
attributes = sk_X509_ATTRIBUTE_new_null();
cert_add_attribute_string(attributes, nid_transId, s->transaction_id);
cert_add_attribute_string(attributes, nid_messageType, s->request_type_str);
cert_add_attribute_octet(attributes, nid_senderNonce, (s8 *)(s->sender_nonce),s->sender_nonce_len);
PKCS7_set_signed_attributes(si, attributes);
sk_X509_ATTRIBUTE_free(attributes);
attributes = NULL;
/* Add contentType */
if (!PKCS7_add_signed_attribute(si, NID_pkcs9_contentType,V_ASN1_OBJECT, OBJ_nid2obj(NID_pkcs7_data)))
{
goto end;
}
/* Create new content */
if (!PKCS7_content_new(s->request_p7, NID_pkcs7_data))
{
goto end;
}
/* Write data */
pkcs7bio = PKCS7_dataInit(s->request_p7, NULL);
if (pkcs7bio == NULL)
{
goto end;
}
if (len != BIO_write(pkcs7bio, buffer, len))
{
goto end;
}
BIO_free(memorybio);
memorybio = NULL;
/* Finalize PKCS#7 */
if (!PKCS7_dataFinal(s->request_p7, pkcs7bio))
{
goto end;
}
/* base64-encode the data */
/* Create base64 filtering bio */
memorybio = BIO_new(BIO_s_mem());
base64bio = BIO_new(BIO_f_base64());
outbio = BIO_push(base64bio, memorybio);
/* Copy PKCS#7 */
i2d_PKCS7_bio(outbio, s->request_p7);
(void)BIO_flush(outbio);
BIO_set_flags(memorybio, BIO_FLAGS_MEM_RDONLY);
s->request_len = BIO_get_mem_data(memorybio, &s->request_payload);
retval = 1;
end:
if(NULL != databio)
{
BIO_free(databio);
}
if(NULL != encbio)
{
BIO_free(encbio);
}
if(NULL != p7enc)
{
PKCS7_free(p7enc);
}
if(NULL != pkcs7bio)
{
BIO_free(pkcs7bio);
}
if(NULL != memorybio)
{
BIO_free(memorybio);
}
if(NULL != base64bio)
{
BIO_free(base64bio);
}
if(NULL != recipients)
{
sk_X509_free(recipients);
}
if(NULL != attributes)
{
sk_X509_ATTRIBUTE_free(attributes);
}
return retval;
}
int MAIN(int argc, char **argv)
{
ENGINE *e = NULL;
char *infile=NULL, *outfile=NULL, *keyname = NULL;
char *certfile=NULL;
BIO *in=NULL, *out = NULL;
char **args;
char *name = NULL;
char *csp_name = NULL;
PKCS12 *p12 = NULL;
char pass[50], macpass[50];
int export_cert = 0;
int options = 0;
int chain = 0;
int badarg = 0;
int iter = PKCS12_DEFAULT_ITER;
int maciter = PKCS12_DEFAULT_ITER;
int twopass = 0;
int keytype = 0;
int cert_pbe = NID_pbe_WithSHA1And40BitRC2_CBC;
int key_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
int ret = 1;
int macver = 1;
int noprompt = 0;
STACK *canames = NULL;
char *cpass = NULL, *mpass = NULL;
char *passargin = NULL, *passargout = NULL, *passarg = NULL;
char *passin = NULL, *passout = NULL;
char *inrand = NULL;
char *CApath = NULL, *CAfile = NULL;
char *engine=NULL;
apps_startup();
enc = EVP_des_ede3_cbc();
if (bio_err == NULL ) bio_err = BIO_new_fp (stderr, BIO_NOCLOSE);
if (!load_config(bio_err, NULL))
goto end;
args = argv + 1;
while (*args) {
if (*args[0] == '-') {
if (!strcmp (*args, "-nokeys")) options |= NOKEYS;
else if (!strcmp (*args, "-keyex")) keytype = KEY_EX;
else if (!strcmp (*args, "-keysig")) keytype = KEY_SIG;
else if (!strcmp (*args, "-nocerts")) options |= NOCERTS;
else if (!strcmp (*args, "-clcerts")) options |= CLCERTS;
else if (!strcmp (*args, "-cacerts")) options |= CACERTS;
else if (!strcmp (*args, "-noout")) options |= (NOKEYS|NOCERTS);
else if (!strcmp (*args, "-info")) options |= INFO;
else if (!strcmp (*args, "-chain")) chain = 1;
else if (!strcmp (*args, "-twopass")) twopass = 1;
else if (!strcmp (*args, "-nomacver")) macver = 0;
else if (!strcmp (*args, "-descert"))
cert_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
else if (!strcmp (*args, "-export")) export_cert = 1;
else if (!strcmp (*args, "-des")) enc=EVP_des_cbc();
#ifndef OPENSSL_NO_IDEA
else if (!strcmp (*args, "-idea")) enc=EVP_idea_cbc();
#endif
else if (!strcmp (*args, "-des3")) enc = EVP_des_ede3_cbc();
#ifndef OPENSSL_NO_AES
else if (!strcmp(*args,"-aes128")) enc=EVP_aes_128_cbc();
else if (!strcmp(*args,"-aes192")) enc=EVP_aes_192_cbc();
else if (!strcmp(*args,"-aes256")) enc=EVP_aes_256_cbc();
#endif
else if (!strcmp (*args, "-noiter")) iter = 1;
else if (!strcmp (*args, "-maciter"))
maciter = PKCS12_DEFAULT_ITER;
else if (!strcmp (*args, "-nomaciter"))
maciter = 1;
else if (!strcmp (*args, "-nodes")) enc=NULL;
else if (!strcmp (*args, "-certpbe")) {
if (args[1]) {
args++;
cert_pbe=OBJ_txt2nid(*args);
if(cert_pbe == NID_undef) {
BIO_printf(bio_err,
"Unknown PBE algorithm %s\n", *args);
badarg = 1;
}
} else badarg = 1;
} else if (!strcmp (*args, "-keypbe")) {
if (args[1]) {
args++;
key_pbe=OBJ_txt2nid(*args);
if(key_pbe == NID_undef) {
BIO_printf(bio_err,
"Unknown PBE algorithm %s\n", *args);
badarg = 1;
}
} else badarg = 1;
} else if (!strcmp (*args, "-rand")) {
if (args[1]) {
args++;
inrand = *args;
} else badarg = 1;
} else if (!strcmp (*args, "-inkey")) {
if (args[1]) {
args++;
keyname = *args;
} else badarg = 1;
} else if (!strcmp (*args, "-certfile")) {
if (args[1]) {
args++;
certfile = *args;
} else badarg = 1;
} else if (!strcmp (*args, "-name")) {
if (args[1]) {
args++;
name = *args;
} else badarg = 1;
} else if (!strcmp (*args, "-CSP")) {
if (args[1]) {
args++;
csp_name = *args;
} else badarg = 1;
} else if (!strcmp (*args, "-caname")) {
if (args[1]) {
args++;
if (!canames) canames = sk_new_null();
sk_push(canames, *args);
} else badarg = 1;
} else if (!strcmp (*args, "-in")) {
if (args[1]) {
args++;
infile = *args;
} else badarg = 1;
} else if (!strcmp (*args, "-out")) {
if (args[1]) {
args++;
outfile = *args;
} else badarg = 1;
} else if (!strcmp(*args,"-passin")) {
if (args[1]) {
args++;
passargin = *args;
} else badarg = 1;
} else if (!strcmp(*args,"-passout")) {
if (args[1]) {
args++;
passargout = *args;
} else badarg = 1;
} else if (!strcmp (*args, "-password")) {
if (args[1]) {
args++;
passarg = *args;
noprompt = 1;
} else badarg = 1;
} else if (!strcmp(*args,"-CApath")) {
if (args[1]) {
args++;
CApath = *args;
} else badarg = 1;
} else if (!strcmp(*args,"-CAfile")) {
if (args[1]) {
args++;
CAfile = *args;
} else badarg = 1;
} else if (!strcmp(*args,"-engine")) {
if (args[1]) {
args++;
engine = *args;
} else badarg = 1;
} else badarg = 1;
} else badarg = 1;
args++;
}
if (badarg) {
BIO_printf (bio_err, "Usage: pkcs12 [options]\n");
BIO_printf (bio_err, "where options are\n");
BIO_printf (bio_err, "-export output PKCS12 file\n");
BIO_printf (bio_err, "-chain add certificate chain\n");
BIO_printf (bio_err, "-inkey file private key if not infile\n");
BIO_printf (bio_err, "-certfile f add all certs in f\n");
BIO_printf (bio_err, "-CApath arg - PEM format directory of CA's\n");
BIO_printf (bio_err, "-CAfile arg - PEM format file of CA's\n");
BIO_printf (bio_err, "-name \"name\" use name as friendly name\n");
BIO_printf (bio_err, "-caname \"nm\" use nm as CA friendly name (can be used more than once).\n");
BIO_printf (bio_err, "-in infile input filename\n");
BIO_printf (bio_err, "-out outfile output filename\n");
BIO_printf (bio_err, "-noout don't output anything, just verify.\n");
BIO_printf (bio_err, "-nomacver don't verify MAC.\n");
BIO_printf (bio_err, "-nocerts don't output certificates.\n");
BIO_printf (bio_err, "-clcerts only output client certificates.\n");
BIO_printf (bio_err, "-cacerts only output CA certificates.\n");
BIO_printf (bio_err, "-nokeys don't output private keys.\n");
BIO_printf (bio_err, "-info give info about PKCS#12 structure.\n");
BIO_printf (bio_err, "-des encrypt private keys with DES\n");
BIO_printf (bio_err, "-des3 encrypt private keys with triple DES (default)\n");
#ifndef OPENSSL_NO_IDEA
BIO_printf (bio_err, "-idea encrypt private keys with idea\n");
#endif
#ifndef OPENSSL_NO_AES
BIO_printf (bio_err, "-aes128, -aes192, -aes256\n");
BIO_printf (bio_err, " encrypt PEM output with cbc aes\n");
#endif
BIO_printf (bio_err, "-nodes don't encrypt private keys\n");
BIO_printf (bio_err, "-noiter don't use encryption iteration\n");
BIO_printf (bio_err, "-maciter use MAC iteration\n");
BIO_printf (bio_err, "-twopass separate MAC, encryption passwords\n");
BIO_printf (bio_err, "-descert encrypt PKCS#12 certificates with triple DES (default RC2-40)\n");
BIO_printf (bio_err, "-certpbe alg specify certificate PBE algorithm (default RC2-40)\n");
BIO_printf (bio_err, "-keypbe alg specify private key PBE algorithm (default 3DES)\n");
BIO_printf (bio_err, "-keyex set MS key exchange type\n");
BIO_printf (bio_err, "-keysig set MS key signature type\n");
BIO_printf (bio_err, "-password p set import/export password source\n");
BIO_printf (bio_err, "-passin p input file pass phrase source\n");
BIO_printf (bio_err, "-passout p output file pass phrase source\n");
BIO_printf (bio_err, "-engine e use engine e, possibly a hardware device.\n");
BIO_printf(bio_err, "-rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
BIO_printf(bio_err, " load the file (or the files in the directory) into\n");
BIO_printf(bio_err, " the random number generator\n");
goto end;
}
e = setup_engine(bio_err, engine, 0);
if(passarg) {
if(export_cert) passargout = passarg;
else passargin = passarg;
}
if(!app_passwd(bio_err, passargin, passargout, &passin, &passout)) {
BIO_printf(bio_err, "Error getting passwords\n");
goto end;
}
if(!cpass) {
if(export_cert) cpass = passout;
else cpass = passin;
}
if(cpass) {
mpass = cpass;
noprompt = 1;
} else {
cpass = pass;
mpass = macpass;
}
if(export_cert || inrand) {
app_RAND_load_file(NULL, bio_err, (inrand != NULL));
if (inrand != NULL)
BIO_printf(bio_err,"%ld semi-random bytes loaded\n",
app_RAND_load_files(inrand));
}
ERR_load_crypto_strings();
#ifdef CRYPTO_MDEBUG
CRYPTO_push_info("read files");
#endif
if (!infile) in = BIO_new_fp(stdin, BIO_NOCLOSE);
else in = BIO_new_file(infile, "rb");
if (!in) {
BIO_printf(bio_err, "Error opening input file %s\n",
infile ? infile : "<stdin>");
perror (infile);
goto end;
}
#if 0
if (certfile) {
if(!(certsin = BIO_new_file(certfile, "r"))) {
BIO_printf(bio_err, "Can't open certificate file %s\n", certfile);
perror (certfile);
goto end;
}
}
if (keyname) {
if(!(inkey = BIO_new_file(keyname, "r"))) {
BIO_printf(bio_err, "Can't key certificate file %s\n", keyname);
perror (keyname);
goto end;
}
}
#endif
#ifdef CRYPTO_MDEBUG
CRYPTO_pop_info();
CRYPTO_push_info("write files");
#endif
if (!outfile) {
out = BIO_new_fp(stdout, BIO_NOCLOSE);
#ifdef OPENSSL_SYS_VMS
{
BIO *tmpbio = BIO_new(BIO_f_linebuffer());
out = BIO_push(tmpbio, out);
}
#endif
} else out = BIO_new_file(outfile, "wb");
if (!out) {
BIO_printf(bio_err, "Error opening output file %s\n",
outfile ? outfile : "<stdout>");
perror (outfile);
goto end;
}
if (twopass) {
#ifdef CRYPTO_MDEBUG
CRYPTO_push_info("read MAC password");
#endif
if(EVP_read_pw_string (macpass, sizeof macpass, "Enter MAC Password:"******"Can't read Password\n");
goto end;
}
#ifdef CRYPTO_MDEBUG
CRYPTO_pop_info();
#endif
}
if (export_cert) {
EVP_PKEY *key = NULL;
STACK_OF(PKCS12_SAFEBAG) *bags = NULL;
STACK_OF(PKCS7) *safes = NULL;
PKCS12_SAFEBAG *bag = NULL;
PKCS8_PRIV_KEY_INFO *p8 = NULL;
PKCS7 *authsafe = NULL;
X509 *ucert = NULL;
STACK_OF(X509) *certs=NULL;
char *catmp = NULL;
int i;
unsigned char keyid[EVP_MAX_MD_SIZE];
unsigned int keyidlen = 0;
#ifdef CRYPTO_MDEBUG
CRYPTO_push_info("process -export_cert");
CRYPTO_push_info("reading private key");
#endif
key = load_key(bio_err, keyname ? keyname : infile, FORMAT_PEM, 1,
passin, e, "private key");
if (!key) {
goto export_end;
}
#ifdef CRYPTO_MDEBUG
CRYPTO_pop_info();
CRYPTO_push_info("reading certs from input");
#endif
/* Load in all certs in input file */
if(!(certs = load_certs(bio_err, infile, FORMAT_PEM, NULL, e,
"certificates"))) {
goto export_end;
}
#ifdef CRYPTO_MDEBUG
CRYPTO_pop_info();
CRYPTO_push_info("reading certs from input 2");
#endif
for(i = 0; i < sk_X509_num(certs); i++) {
ucert = sk_X509_value(certs, i);
if(X509_check_private_key(ucert, key)) {
X509_digest(ucert, EVP_sha1(), keyid, &keyidlen);
break;
}
}
if(!keyidlen) {
ucert = NULL;
BIO_printf(bio_err, "No certificate matches private key\n");
goto export_end;
}
#ifdef CRYPTO_MDEBUG
CRYPTO_pop_info();
CRYPTO_push_info("reading certs from certfile");
#endif
bags = sk_PKCS12_SAFEBAG_new_null ();
/* Add any more certificates asked for */
if (certfile) {
STACK_OF(X509) *morecerts=NULL;
if(!(morecerts = load_certs(bio_err, certfile, FORMAT_PEM,
NULL, e,
"certificates from certfile"))) {
goto export_end;
}
while(sk_X509_num(morecerts) > 0) {
sk_X509_push(certs, sk_X509_shift(morecerts));
}
sk_X509_free(morecerts);
}
#ifdef CRYPTO_MDEBUG
CRYPTO_pop_info();
CRYPTO_push_info("building chain");
#endif
/* If chaining get chain from user cert */
if (chain) {
int vret;
STACK_OF(X509) *chain2;
X509_STORE *store = X509_STORE_new();
if (!store)
{
BIO_printf (bio_err, "Memory allocation error\n");
goto export_end;
}
if (!X509_STORE_load_locations(store, CAfile, CApath))
X509_STORE_set_default_paths (store);
vret = get_cert_chain (ucert, store, &chain2);
X509_STORE_free(store);
if (!vret) {
/* Exclude verified certificate */
for (i = 1; i < sk_X509_num (chain2) ; i++)
sk_X509_push(certs, sk_X509_value (chain2, i));
/* Free first certificate */
X509_free(sk_X509_value(chain2, 0));
sk_X509_free(chain2);
} else {
BIO_printf (bio_err, "Error %s getting chain.\n",
X509_verify_cert_error_string(vret));
goto export_end;
}
}
#ifdef CRYPTO_MDEBUG
CRYPTO_pop_info();
CRYPTO_push_info("building bags");
#endif
/* We now have loads of certificates: include them all */
for(i = 0; i < sk_X509_num(certs); i++) {
X509 *cert = NULL;
cert = sk_X509_value(certs, i);
bag = PKCS12_x5092certbag(cert);
/* If it matches private key set id */
if(cert == ucert) {
if(name) PKCS12_add_friendlyname(bag, name, -1);
PKCS12_add_localkeyid(bag, keyid, keyidlen);
} else if((catmp = sk_shift(canames)))
PKCS12_add_friendlyname(bag, catmp, -1);
sk_PKCS12_SAFEBAG_push(bags, bag);
}
sk_X509_pop_free(certs, X509_free);
certs = NULL;
#ifdef CRYPTO_MDEBUG
CRYPTO_pop_info();
CRYPTO_push_info("encrypting bags");
#endif
if(!noprompt &&
EVP_read_pw_string(pass, sizeof pass, "Enter Export Password:"******"Can't read Password\n");
goto export_end;
}
if (!twopass) strcpy(macpass, pass);
/* Turn certbags into encrypted authsafe */
authsafe = PKCS12_pack_p7encdata(cert_pbe, cpass, -1, NULL, 0,
iter, bags);
sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free);
bags = NULL;
if (!authsafe) {
ERR_print_errors (bio_err);
goto export_end;
}
safes = sk_PKCS7_new_null ();
sk_PKCS7_push (safes, authsafe);
#ifdef CRYPTO_MDEBUG
CRYPTO_pop_info();
CRYPTO_push_info("building shrouded key bag");
#endif
/* Make a shrouded key bag */
p8 = EVP_PKEY2PKCS8 (key);
if(keytype) PKCS8_add_keyusage(p8, keytype);
bag = PKCS12_MAKE_SHKEYBAG(key_pbe, cpass, -1, NULL, 0, iter, p8);
PKCS8_PRIV_KEY_INFO_free(p8);
p8 = NULL;
if (name) PKCS12_add_friendlyname (bag, name, -1);
if(csp_name) PKCS12_add_CSPName_asc(bag, csp_name, -1);
PKCS12_add_localkeyid (bag, keyid, keyidlen);
bags = sk_PKCS12_SAFEBAG_new_null();
sk_PKCS12_SAFEBAG_push (bags, bag);
#ifdef CRYPTO_MDEBUG
CRYPTO_pop_info();
CRYPTO_push_info("encrypting shrouded key bag");
#endif
/* Turn it into unencrypted safe bag */
authsafe = PKCS12_pack_p7data (bags);
sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free);
bags = NULL;
sk_PKCS7_push (safes, authsafe);
#ifdef CRYPTO_MDEBUG
CRYPTO_pop_info();
CRYPTO_push_info("building pkcs12");
#endif
p12 = PKCS12_init(NID_pkcs7_data);
PKCS12_pack_authsafes(p12, safes);
sk_PKCS7_pop_free(safes, PKCS7_free);
safes = NULL;
PKCS12_set_mac (p12, mpass, -1, NULL, 0, maciter, NULL);
#ifdef CRYPTO_MDEBUG
CRYPTO_pop_info();
CRYPTO_push_info("writing pkcs12");
#endif
i2d_PKCS12_bio (out, p12);
ret = 0;
export_end:
#ifdef CRYPTO_MDEBUG
CRYPTO_pop_info();
CRYPTO_pop_info();
CRYPTO_push_info("process -export_cert: freeing");
#endif
if (key) EVP_PKEY_free(key);
if (certs) sk_X509_pop_free(certs, X509_free);
if (safes) sk_PKCS7_pop_free(safes, PKCS7_free);
if (bags) sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free);
#ifdef CRYPTO_MDEBUG
CRYPTO_pop_info();
#endif
goto end;
}
if (!(p12 = d2i_PKCS12_bio (in, NULL))) {
ERR_print_errors(bio_err);
goto end;
}
#ifdef CRYPTO_MDEBUG
CRYPTO_push_info("read import password");
#endif
if(!noprompt && EVP_read_pw_string(pass, sizeof pass, "Enter Import Password:"******"Can't read Password\n");
goto end;
}
#ifdef CRYPTO_MDEBUG
CRYPTO_pop_info();
#endif
if (!twopass) strcpy(macpass, pass);
if (options & INFO) BIO_printf (bio_err, "MAC Iteration %ld\n", p12->mac->iter ? ASN1_INTEGER_get (p12->mac->iter) : 1);
if(macver) {
#ifdef CRYPTO_MDEBUG
CRYPTO_push_info("verify MAC");
#endif
/* If we enter empty password try no password first */
if(!macpass[0] && PKCS12_verify_mac(p12, NULL, 0)) {
/* If mac and crypto pass the same set it to NULL too */
if(!twopass) cpass = NULL;
} else if (!PKCS12_verify_mac(p12, mpass, -1)) {
BIO_printf (bio_err, "Mac verify error: invalid password?\n");
ERR_print_errors (bio_err);
goto end;
}
BIO_printf (bio_err, "MAC verified OK\n");
#ifdef CRYPTO_MDEBUG
CRYPTO_pop_info();
#endif
}
#ifdef CRYPTO_MDEBUG
CRYPTO_push_info("output keys and certificates");
#endif
if (!dump_certs_keys_p12 (out, p12, cpass, -1, options, passout)) {
BIO_printf(bio_err, "Error outputting keys and certificates\n");
ERR_print_errors (bio_err);
goto end;
}
#ifdef CRYPTO_MDEBUG
CRYPTO_pop_info();
#endif
ret = 0;
end:
if (p12) PKCS12_free(p12);
if(export_cert || inrand) app_RAND_write_file(NULL, bio_err);
#ifdef CRYPTO_MDEBUG
CRYPTO_remove_all_info();
#endif
BIO_free(in);
BIO_free_all(out);
if (canames) sk_free(canames);
if(passin) OPENSSL_free(passin);
if(passout) OPENSSL_free(passout);
apps_shutdown();
OPENSSL_EXIT(ret);
}
/* loads in the certificate from the server */
int ssl2_set_certificate(SSL *s, int type, int len, const unsigned char *data)
{
STACK_OF(X509) *sk=NULL;
EVP_PKEY *pkey=NULL;
SESS_CERT *sc=NULL;
int i;
X509 *x509=NULL;
int ret=0;
x509=d2i_X509(NULL,&data,(long)len);
if (x509 == NULL)
{
SSLerr(SSL_F_SSL2_SET_CERTIFICATE,ERR_R_X509_LIB);
goto err;
}
if ((sk=sk_X509_new_null()) == NULL || !sk_X509_push(sk,x509))
{
SSLerr(SSL_F_SSL2_SET_CERTIFICATE,ERR_R_MALLOC_FAILURE);
goto err;
}
i=ssl_verify_cert_chain(s,sk);
if ((s->verify_mode != SSL_VERIFY_NONE) && (!i))
{
SSLerr(SSL_F_SSL2_SET_CERTIFICATE,SSL_R_CERTIFICATE_VERIFY_FAILED);
goto err;
}
ERR_clear_error(); /* but we keep s->verify_result */
s->session->verify_result = s->verify_result;
/* server's cert for this session */
sc=ssl_sess_cert_new();
if (sc == NULL)
{
ret= -1;
goto err;
}
if (s->session->sess_cert) ssl_sess_cert_free(s->session->sess_cert);
s->session->sess_cert=sc;
sc->peer_pkeys[SSL_PKEY_RSA_ENC].x509=x509;
sc->peer_key= &(sc->peer_pkeys[SSL_PKEY_RSA_ENC]);
pkey=X509_get_pubkey(x509);
x509=NULL;
if (pkey == NULL)
{
SSLerr(SSL_F_SSL2_SET_CERTIFICATE,SSL_R_UNABLE_TO_EXTRACT_PUBLIC_KEY);
goto err;
}
if (pkey->type != EVP_PKEY_RSA)
{
SSLerr(SSL_F_SSL2_SET_CERTIFICATE,SSL_R_PUBLIC_KEY_NOT_RSA);
goto err;
}
if (!ssl_set_peer_cert_type(sc,SSL2_CT_X509_CERTIFICATE))
goto err;
ret=1;
err:
sk_X509_free(sk);
X509_free(x509);
EVP_PKEY_free(pkey);
return(ret);
}
int
easy_pkcs7_sign(const char *content, size_t len,
char **signature, size_t *signature_len,
const char *key_file, const char *cert_file)
{
FILE *f;
X509 *certificate;
STACK_OF(X509) *c, *cert_chain;
EVP_PKEY *private_key;
char *tmp_sig;
BIO *out, *in;
PKCS7 *p7;
int status;
OpenSSL_add_all_algorithms();
ERR_load_crypto_strings();
status = -1;
private_key = NULL;
cert_chain = NULL;
in = NULL;
c = file_to_certs(cert_file);
if (sk_X509_num(c) != 1) {
warnx("More then one certificate in the certificate file");
goto cleanup;
}
certificate = sk_X509_value(c, 0);
/* Compute ex_kusage */
X509_check_purpose(certificate, -1, 0);
if (check_ca(certificate)) {
warnx("CA keys are not valid for signatures");
goto cleanup;
}
if (certificate->ex_xkusage != pkg_key_usage) {
warnx("Certificate must have CODE SIGNING "
"and EMAIL PROTECTION property");
goto cleanup;
}
if (cert_chain_file)
cert_chain = file_to_certs(cert_chain_file);
if ((f = fopen(key_file, "r")) == NULL) {
warn("Failed to open private key file %s", key_file);
goto cleanup;
}
private_key = PEM_read_PrivateKey(f, NULL, ssl_pass_cb, NULL);
fclose(f);
if (private_key == NULL) {
warnx("Can't read private key: %s", key_file);
goto cleanup;
}
if (X509_check_private_key(certificate, private_key) != 1) {
warnx("The private key %s doesn't match the certificate %s",
key_file, cert_file);
goto cleanup;
}
in = BIO_new_mem_buf(__UNCONST(content), len);
p7 = PKCS7_sign(certificate, private_key, cert_chain, in,
PKCS7_DETACHED|PKCS7_NOATTR|PKCS7_BINARY);
if (p7 == NULL) {
warnx("Failed to create signature structure");
goto cleanup;
}
out = BIO_new(BIO_s_mem());
PEM_write_bio_PKCS7(out, p7);
*signature_len = BIO_get_mem_data(out, &tmp_sig);
*signature = xmalloc(*signature_len);
memcpy(*signature, tmp_sig, *signature_len);
BIO_free_all(out);
PKCS7_free(p7);
status = 0;
cleanup:
sk_X509_free(c);
sk_X509_free(cert_chain);
EVP_PKEY_free(private_key);
BIO_free(in);
return status;
}
int
easy_pkcs7_verify(const char *content, size_t len,
const char *signature, size_t signature_len,
const char *anchor, int is_pkg)
{
STACK_OF(X509) *cert_chain, *signers;
X509_STORE *store;
BIO *sig, *in;
PKCS7 *p7;
int i, status;
X509_NAME *name;
char *subject;
OpenSSL_add_all_algorithms();
ERR_load_crypto_strings();
status = -1;
if (cert_chain_file)
cert_chain = file_to_certs(cert_chain_file);
else
cert_chain = NULL;
store = X509_STORE_new();
if (store == NULL) {
sk_X509_free(cert_chain);
warnx("Failed to create certificate store");
return -1;
}
X509_STORE_load_locations(store, anchor, NULL);
in = BIO_new_mem_buf(__UNCONST(content), len);
sig = BIO_new_mem_buf(__UNCONST(signature), signature_len);
signers = NULL;
p7 = PEM_read_bio_PKCS7(sig, NULL, NULL, NULL);
if (p7 == NULL) {
warnx("Failed to parse the signature");
goto cleanup;
}
if (PKCS7_verify(p7, cert_chain, store, in, NULL, 0) != 1) {
warnx("Failed to verify signature");
goto cleanup;
}
signers = PKCS7_get0_signers(p7, NULL, 0);
if (signers == NULL) {
warnx("Failed to get signers");
goto cleanup;
}
if (sk_X509_num(signers) == 0) {
warnx("No signers found");
goto cleanup;
}
for (i = 0; i < sk_X509_num(signers); i++) {
/* Compute ex_xkusage */
X509_check_purpose(sk_X509_value(signers, i), -1, -1);
if (check_ca(sk_X509_value(signers, i))) {
warnx("CA keys are not valid for signatures");
goto cleanup;
}
if (is_pkg) {
if (sk_X509_value(signers, i)->ex_xkusage != pkg_key_usage) {
warnx("Certificate must have CODE SIGNING "
"and EMAIL PROTECTION property");
goto cleanup;
}
} else {
if (sk_X509_value(signers, i)->ex_xkusage != 0) {
warnx("Certificate must not have any property");
goto cleanup;
}
}
}
printf("Sigature ok, signed by:\n");
for (i = 0; i < sk_X509_num(signers); i++) {
name = X509_get_subject_name(sk_X509_value(signers, i));
subject = X509_NAME_oneline(name, NULL, 0);
printf("\t%s\n", subject);
OPENSSL_free(subject);
}
status = 0;
cleanup:
sk_X509_free(cert_chain);
sk_X509_free(signers);
X509_STORE_free(store);
PKCS7_free(p7);
BIO_free(in);
BIO_free(sig);
return status;
}
int
pkcs12_main(int argc, char **argv)
{
ENGINE *e = NULL;
char *infile = NULL, *outfile = NULL, *keyname = NULL;
char *certfile = NULL;
BIO *in = NULL, *out = NULL;
char **args;
char *name = NULL;
char *csp_name = NULL;
int add_lmk = 0;
PKCS12 *p12 = NULL;
char pass[50], macpass[50];
int export_cert = 0;
int options = 0;
int chain = 0;
int badarg = 0;
int iter = PKCS12_DEFAULT_ITER;
int maciter = PKCS12_DEFAULT_ITER;
int twopass = 0;
int keytype = 0;
int cert_pbe;
int key_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
int ret = 1;
int macver = 1;
int noprompt = 0;
STACK_OF(OPENSSL_STRING) * canames = NULL;
char *cpass = NULL, *mpass = NULL;
char *passargin = NULL, *passargout = NULL, *passarg = NULL;
char *passin = NULL, *passout = NULL;
char *inrand = NULL;
char *macalg = NULL;
char *CApath = NULL, *CAfile = NULL;
#ifndef OPENSSL_NO_ENGINE
char *engine = NULL;
#endif
signal(SIGPIPE, SIG_IGN);
cert_pbe = NID_pbe_WithSHA1And40BitRC2_CBC;
enc = EVP_des_ede3_cbc();
if (bio_err == NULL)
bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
if (!load_config(bio_err, NULL))
goto end;
args = argv + 1;
while (*args) {
if (*args[0] == '-') {
if (!strcmp(*args, "-nokeys"))
options |= NOKEYS;
else if (!strcmp(*args, "-keyex"))
keytype = KEY_EX;
else if (!strcmp(*args, "-keysig"))
keytype = KEY_SIG;
else if (!strcmp(*args, "-nocerts"))
options |= NOCERTS;
else if (!strcmp(*args, "-clcerts"))
options |= CLCERTS;
else if (!strcmp(*args, "-cacerts"))
options |= CACERTS;
else if (!strcmp(*args, "-noout"))
options |= (NOKEYS | NOCERTS);
else if (!strcmp(*args, "-info"))
options |= INFO;
else if (!strcmp(*args, "-chain"))
chain = 1;
else if (!strcmp(*args, "-twopass"))
twopass = 1;
else if (!strcmp(*args, "-nomacver"))
macver = 0;
else if (!strcmp(*args, "-descert"))
cert_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
else if (!strcmp(*args, "-export"))
export_cert = 1;
else if (!strcmp(*args, "-des"))
enc = EVP_des_cbc();
else if (!strcmp(*args, "-des3"))
enc = EVP_des_ede3_cbc();
#ifndef OPENSSL_NO_IDEA
else if (!strcmp(*args, "-idea"))
enc = EVP_idea_cbc();
#endif
#ifndef OPENSSL_NO_SEED
else if (!strcmp(*args, "-seed"))
enc = EVP_seed_cbc();
#endif
#ifndef OPENSSL_NO_AES
else if (!strcmp(*args, "-aes128"))
enc = EVP_aes_128_cbc();
else if (!strcmp(*args, "-aes192"))
enc = EVP_aes_192_cbc();
else if (!strcmp(*args, "-aes256"))
enc = EVP_aes_256_cbc();
#endif
#ifndef OPENSSL_NO_CAMELLIA
else if (!strcmp(*args, "-camellia128"))
enc = EVP_camellia_128_cbc();
else if (!strcmp(*args, "-camellia192"))
enc = EVP_camellia_192_cbc();
else if (!strcmp(*args, "-camellia256"))
enc = EVP_camellia_256_cbc();
#endif
else if (!strcmp(*args, "-noiter"))
iter = 1;
else if (!strcmp(*args, "-maciter"))
maciter = PKCS12_DEFAULT_ITER;
else if (!strcmp(*args, "-nomaciter"))
maciter = 1;
else if (!strcmp(*args, "-nomac"))
maciter = -1;
else if (!strcmp(*args, "-macalg"))
if (args[1]) {
args++;
macalg = *args;
} else
badarg = 1;
else if (!strcmp(*args, "-nodes"))
enc = NULL;
else if (!strcmp(*args, "-certpbe")) {
if (!set_pbe(bio_err, &cert_pbe, *++args))
badarg = 1;
} else if (!strcmp(*args, "-keypbe")) {
if (!set_pbe(bio_err, &key_pbe, *++args))
badarg = 1;
} else if (!strcmp(*args, "-rand")) {
if (args[1]) {
args++;
inrand = *args;
} else
badarg = 1;
} else if (!strcmp(*args, "-inkey")) {
if (args[1]) {
args++;
keyname = *args;
} else
badarg = 1;
} else if (!strcmp(*args, "-certfile")) {
if (args[1]) {
args++;
certfile = *args;
} else
badarg = 1;
} else if (!strcmp(*args, "-name")) {
if (args[1]) {
args++;
name = *args;
} else
badarg = 1;
} else if (!strcmp(*args, "-LMK"))
add_lmk = 1;
else if (!strcmp(*args, "-CSP")) {
if (args[1]) {
args++;
csp_name = *args;
} else
badarg = 1;
} else if (!strcmp(*args, "-caname")) {
if (args[1]) {
args++;
if (!canames)
canames = sk_OPENSSL_STRING_new_null();
sk_OPENSSL_STRING_push(canames, *args);
} else
badarg = 1;
} else if (!strcmp(*args, "-in")) {
if (args[1]) {
args++;
infile = *args;
} else
badarg = 1;
} else if (!strcmp(*args, "-out")) {
if (args[1]) {
args++;
outfile = *args;
} else
badarg = 1;
} else if (!strcmp(*args, "-passin")) {
if (args[1]) {
args++;
passargin = *args;
} else
badarg = 1;
} else if (!strcmp(*args, "-passout")) {
if (args[1]) {
args++;
passargout = *args;
} else
badarg = 1;
} else if (!strcmp(*args, "-password")) {
if (args[1]) {
args++;
passarg = *args;
noprompt = 1;
} else
badarg = 1;
} else if (!strcmp(*args, "-CApath")) {
if (args[1]) {
args++;
CApath = *args;
} else
badarg = 1;
} else if (!strcmp(*args, "-CAfile")) {
if (args[1]) {
args++;
CAfile = *args;
} else
badarg = 1;
#ifndef OPENSSL_NO_ENGINE
} else if (!strcmp(*args, "-engine")) {
if (args[1]) {
args++;
engine = *args;
} else
badarg = 1;
#endif
} else
badarg = 1;
} else
badarg = 1;
args++;
}
if (badarg) {
BIO_printf(bio_err, "Usage: pkcs12 [options]\n");
BIO_printf(bio_err, "where options are\n");
BIO_printf(bio_err, "-export output PKCS12 file\n");
BIO_printf(bio_err, "-chain add certificate chain\n");
BIO_printf(bio_err, "-inkey file private key if not infile\n");
BIO_printf(bio_err, "-certfile f add all certs in f\n");
BIO_printf(bio_err, "-CApath arg - PEM format directory of CA's\n");
BIO_printf(bio_err, "-CAfile arg - PEM format file of CA's\n");
BIO_printf(bio_err, "-name \"name\" use name as friendly name\n");
BIO_printf(bio_err, "-caname \"nm\" use nm as CA friendly name (can be used more than once).\n");
BIO_printf(bio_err, "-in infile input filename\n");
BIO_printf(bio_err, "-out outfile output filename\n");
BIO_printf(bio_err, "-noout don't output anything, just verify.\n");
BIO_printf(bio_err, "-nomacver don't verify MAC.\n");
BIO_printf(bio_err, "-nocerts don't output certificates.\n");
BIO_printf(bio_err, "-clcerts only output client certificates.\n");
BIO_printf(bio_err, "-cacerts only output CA certificates.\n");
BIO_printf(bio_err, "-nokeys don't output private keys.\n");
BIO_printf(bio_err, "-info give info about PKCS#12 structure.\n");
BIO_printf(bio_err, "-des encrypt private keys with DES\n");
BIO_printf(bio_err, "-des3 encrypt private keys with triple DES (default)\n");
#ifndef OPENSSL_NO_IDEA
BIO_printf(bio_err, "-idea encrypt private keys with idea\n");
#endif
#ifndef OPENSSL_NO_SEED
BIO_printf(bio_err, "-seed encrypt private keys with seed\n");
#endif
#ifndef OPENSSL_NO_AES
BIO_printf(bio_err, "-aes128, -aes192, -aes256\n");
BIO_printf(bio_err, " encrypt PEM output with cbc aes\n");
#endif
#ifndef OPENSSL_NO_CAMELLIA
BIO_printf(bio_err, "-camellia128, -camellia192, -camellia256\n");
BIO_printf(bio_err, " encrypt PEM output with cbc camellia\n");
#endif
BIO_printf(bio_err, "-nodes don't encrypt private keys\n");
BIO_printf(bio_err, "-noiter don't use encryption iteration\n");
BIO_printf(bio_err, "-nomaciter don't use MAC iteration\n");
BIO_printf(bio_err, "-maciter use MAC iteration\n");
BIO_printf(bio_err, "-nomac don't generate MAC\n");
BIO_printf(bio_err, "-twopass separate MAC, encryption passwords\n");
BIO_printf(bio_err, "-descert encrypt PKCS#12 certificates with triple DES (default RC2-40)\n");
BIO_printf(bio_err, "-certpbe alg specify certificate PBE algorithm (default RC2-40)\n");
BIO_printf(bio_err, "-keypbe alg specify private key PBE algorithm (default 3DES)\n");
BIO_printf(bio_err, "-macalg alg digest algorithm used in MAC (default SHA1)\n");
BIO_printf(bio_err, "-keyex set MS key exchange type\n");
BIO_printf(bio_err, "-keysig set MS key signature type\n");
BIO_printf(bio_err, "-password p set import/export password source\n");
BIO_printf(bio_err, "-passin p input file pass phrase source\n");
BIO_printf(bio_err, "-passout p output file pass phrase source\n");
#ifndef OPENSSL_NO_ENGINE
BIO_printf(bio_err, "-engine e use engine e, possibly a hardware device.\n");
#endif
BIO_printf(bio_err, "-rand file:file:...\n");
BIO_printf(bio_err, " load the file (or the files in the directory) into\n");
BIO_printf(bio_err, " the random number generator\n");
BIO_printf(bio_err, "-CSP name Microsoft CSP name\n");
BIO_printf(bio_err, "-LMK Add local machine keyset attribute to private key\n");
goto end;
}
#ifndef OPENSSL_NO_ENGINE
e = setup_engine(bio_err, engine, 0);
#endif
if (passarg) {
if (export_cert)
passargout = passarg;
else
passargin = passarg;
}
if (!app_passwd(bio_err, passargin, passargout, &passin, &passout)) {
BIO_printf(bio_err, "Error getting passwords\n");
goto end;
}
if (!cpass) {
if (export_cert)
cpass = passout;
else
cpass = passin;
}
if (cpass) {
mpass = cpass;
noprompt = 1;
} else {
cpass = pass;
mpass = macpass;
}
ERR_load_crypto_strings();
#ifdef CRYPTO_MDEBUG
CRYPTO_push_info("read files");
#endif
if (!infile)
in = BIO_new_fp(stdin, BIO_NOCLOSE);
else
in = BIO_new_file(infile, "rb");
if (!in) {
BIO_printf(bio_err, "Error opening input file %s\n",
infile ? infile : "<stdin>");
perror(infile);
goto end;
}
#ifdef CRYPTO_MDEBUG
CRYPTO_pop_info();
CRYPTO_push_info("write files");
#endif
if (!outfile) {
out = BIO_new_fp(stdout, BIO_NOCLOSE);
} else
out = BIO_new_file(outfile, "wb");
if (!out) {
BIO_printf(bio_err, "Error opening output file %s\n",
outfile ? outfile : "<stdout>");
perror(outfile);
goto end;
}
if (twopass) {
#ifdef CRYPTO_MDEBUG
CRYPTO_push_info("read MAC password");
#endif
if (EVP_read_pw_string(macpass, sizeof macpass, "Enter MAC Password:"******"Can't read Password\n");
goto end;
}
#ifdef CRYPTO_MDEBUG
CRYPTO_pop_info();
#endif
}
if (export_cert) {
EVP_PKEY *key = NULL;
X509 *ucert = NULL, *x = NULL;
STACK_OF(X509) * certs = NULL;
const EVP_MD *macmd = NULL;
unsigned char *catmp = NULL;
int i;
if ((options & (NOCERTS | NOKEYS)) == (NOCERTS | NOKEYS)) {
BIO_printf(bio_err, "Nothing to do!\n");
goto export_end;
}
if (options & NOCERTS)
chain = 0;
#ifdef CRYPTO_MDEBUG
CRYPTO_push_info("process -export_cert");
CRYPTO_push_info("reading private key");
#endif
if (!(options & NOKEYS)) {
key = load_key(bio_err, keyname ? keyname : infile,
FORMAT_PEM, 1, passin, e, "private key");
if (!key)
goto export_end;
}
#ifdef CRYPTO_MDEBUG
CRYPTO_pop_info();
CRYPTO_push_info("reading certs from input");
#endif
/* Load in all certs in input file */
if (!(options & NOCERTS)) {
certs = load_certs(bio_err, infile, FORMAT_PEM, NULL, e,
"certificates");
if (!certs)
goto export_end;
if (key) {
/* Look for matching private key */
for (i = 0; i < sk_X509_num(certs); i++) {
x = sk_X509_value(certs, i);
if (X509_check_private_key(x, key)) {
ucert = x;
/* Zero keyid and alias */
X509_keyid_set1(ucert, NULL, 0);
X509_alias_set1(ucert, NULL, 0);
/* Remove from list */
(void) sk_X509_delete(certs, i);
break;
}
}
if (!ucert) {
BIO_printf(bio_err, "No certificate matches private key\n");
goto export_end;
}
}
}
#ifdef CRYPTO_MDEBUG
CRYPTO_pop_info();
CRYPTO_push_info("reading certs from input 2");
#endif
/* Add any more certificates asked for */
if (certfile) {
STACK_OF(X509) * morecerts = NULL;
if (!(morecerts = load_certs(bio_err, certfile, FORMAT_PEM,
NULL, e,
"certificates from certfile")))
goto export_end;
while (sk_X509_num(morecerts) > 0)
sk_X509_push(certs, sk_X509_shift(morecerts));
sk_X509_free(morecerts);
}
#ifdef CRYPTO_MDEBUG
CRYPTO_pop_info();
CRYPTO_push_info("reading certs from certfile");
#endif
#ifdef CRYPTO_MDEBUG
CRYPTO_pop_info();
CRYPTO_push_info("building chain");
#endif
/* If chaining get chain from user cert */
if (chain) {
int vret;
STACK_OF(X509) * chain2;
X509_STORE *store = X509_STORE_new();
if (!store) {
BIO_printf(bio_err, "Memory allocation error\n");
goto export_end;
}
if (!X509_STORE_load_locations(store, CAfile, CApath))
X509_STORE_set_default_paths(store);
vret = get_cert_chain(ucert, store, &chain2);
X509_STORE_free(store);
if (!vret) {
/* Exclude verified certificate */
for (i = 1; i < sk_X509_num(chain2); i++)
sk_X509_push(certs, sk_X509_value(chain2, i));
/* Free first certificate */
X509_free(sk_X509_value(chain2, 0));
sk_X509_free(chain2);
} else {
if (vret >= 0)
BIO_printf(bio_err, "Error %s getting chain.\n",
X509_verify_cert_error_string(vret));
else
ERR_print_errors(bio_err);
goto export_end;
}
}
/* Add any CA names */
for (i = 0; i < sk_OPENSSL_STRING_num(canames); i++) {
catmp = (unsigned char *) sk_OPENSSL_STRING_value(canames, i);
X509_alias_set1(sk_X509_value(certs, i), catmp, -1);
}
if (csp_name && key)
EVP_PKEY_add1_attr_by_NID(key, NID_ms_csp_name,
MBSTRING_ASC, (unsigned char *) csp_name, -1);
if (add_lmk && key)
EVP_PKEY_add1_attr_by_NID(key, NID_LocalKeySet, 0, NULL, -1);
#ifdef CRYPTO_MDEBUG
CRYPTO_pop_info();
CRYPTO_push_info("reading password");
#endif
if (!noprompt &&
EVP_read_pw_string(pass, sizeof pass, "Enter Export Password:"******"Can't read Password\n");
goto export_end;
}
if (!twopass)
strlcpy(macpass, pass, sizeof macpass);
#ifdef CRYPTO_MDEBUG
CRYPTO_pop_info();
CRYPTO_push_info("creating PKCS#12 structure");
#endif
p12 = PKCS12_create(cpass, name, key, ucert, certs,
key_pbe, cert_pbe, iter, -1, keytype);
if (!p12) {
ERR_print_errors(bio_err);
goto export_end;
}
if (macalg) {
macmd = EVP_get_digestbyname(macalg);
if (!macmd) {
BIO_printf(bio_err, "Unknown digest algorithm %s\n",
macalg);
}
}
if (maciter != -1)
PKCS12_set_mac(p12, mpass, -1, NULL, 0, maciter, macmd);
#ifdef CRYPTO_MDEBUG
CRYPTO_pop_info();
CRYPTO_push_info("writing pkcs12");
#endif
i2d_PKCS12_bio(out, p12);
ret = 0;
export_end:
#ifdef CRYPTO_MDEBUG
CRYPTO_pop_info();
CRYPTO_pop_info();
CRYPTO_push_info("process -export_cert: freeing");
#endif
if (key)
EVP_PKEY_free(key);
if (certs)
sk_X509_pop_free(certs, X509_free);
if (ucert)
X509_free(ucert);
#ifdef CRYPTO_MDEBUG
CRYPTO_pop_info();
#endif
goto end;
}
if (!(p12 = d2i_PKCS12_bio(in, NULL))) {
ERR_print_errors(bio_err);
goto end;
}
#ifdef CRYPTO_MDEBUG
CRYPTO_push_info("read import password");
#endif
if (!noprompt && EVP_read_pw_string(pass, sizeof pass, "Enter Import Password:"******"Can't read Password\n");
goto end;
}
#ifdef CRYPTO_MDEBUG
CRYPTO_pop_info();
#endif
if (!twopass)
strlcpy(macpass, pass, sizeof macpass);
if ((options & INFO) && p12->mac)
BIO_printf(bio_err, "MAC Iteration %ld\n", p12->mac->iter ? ASN1_INTEGER_get(p12->mac->iter) : 1);
if (macver) {
#ifdef CRYPTO_MDEBUG
CRYPTO_push_info("verify MAC");
#endif
/* If we enter empty password try no password first */
if (!mpass[0] && PKCS12_verify_mac(p12, NULL, 0)) {
/* If mac and crypto pass the same set it to NULL too */
if (!twopass)
cpass = NULL;
} else if (!PKCS12_verify_mac(p12, mpass, -1)) {
BIO_printf(bio_err, "Mac verify error: invalid password?\n");
ERR_print_errors(bio_err);
goto end;
}
BIO_printf(bio_err, "MAC verified OK\n");
#ifdef CRYPTO_MDEBUG
CRYPTO_pop_info();
#endif
}
#ifdef CRYPTO_MDEBUG
CRYPTO_push_info("output keys and certificates");
#endif
if (!dump_certs_keys_p12(out, p12, cpass, -1, options, passout)) {
BIO_printf(bio_err, "Error outputting keys and certificates\n");
ERR_print_errors(bio_err);
goto end;
}
#ifdef CRYPTO_MDEBUG
CRYPTO_pop_info();
#endif
ret = 0;
end:
if (p12)
PKCS12_free(p12);
#ifdef CRYPTO_MDEBUG
CRYPTO_remove_all_info();
#endif
BIO_free(in);
BIO_free_all(out);
if (canames)
sk_OPENSSL_STRING_free(canames);
if (passin)
free(passin);
if (passout)
free(passout);
return (ret);
}
int smime_main(int argc, char **argv)
{
BIO *in = NULL, *out = NULL, *indata = NULL;
EVP_PKEY *key = NULL;
PKCS7 *p7 = NULL;
STACK_OF(OPENSSL_STRING) *sksigners = NULL, *skkeys = NULL;
STACK_OF(X509) *encerts = NULL, *other = NULL;
X509 *cert = NULL, *recip = NULL, *signer = NULL;
X509_STORE *store = NULL;
X509_VERIFY_PARAM *vpm = NULL;
const EVP_CIPHER *cipher = NULL;
const EVP_MD *sign_md = NULL;
const char *CAfile = NULL, *CApath = NULL, *prog = NULL;
char *certfile = NULL, *keyfile = NULL, *contfile = NULL, *inrand = NULL;
char *infile = NULL, *outfile = NULL, *signerfile = NULL, *recipfile =
NULL;
char *passinarg = NULL, *passin = NULL, *to = NULL, *from =
NULL, *subject = NULL;
OPTION_CHOICE o;
int noCApath = 0, noCAfile = 0;
int flags = PKCS7_DETACHED, operation = 0, ret = 0, need_rand = 0, indef =
0;
int informat = FORMAT_SMIME, outformat = FORMAT_SMIME, keyform =
FORMAT_PEM;
int vpmtouched = 0, rv = 0;
ENGINE *e = NULL;
const char *mime_eol = "\n";
if ((vpm = X509_VERIFY_PARAM_new()) == NULL)
return 1;
prog = opt_init(argc, argv, smime_options);
while ((o = opt_next()) != OPT_EOF) {
switch (o) {
case OPT_EOF:
case OPT_ERR:
opthelp:
BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
goto end;
case OPT_HELP:
opt_help(smime_options);
ret = 0;
goto end;
case OPT_INFORM:
if (!opt_format(opt_arg(), OPT_FMT_PDS, &informat))
goto opthelp;
break;
case OPT_IN:
infile = opt_arg();
break;
case OPT_OUTFORM:
if (!opt_format(opt_arg(), OPT_FMT_PDS, &outformat))
goto opthelp;
break;
case OPT_OUT:
outfile = opt_arg();
break;
case OPT_ENCRYPT:
operation = SMIME_ENCRYPT;
break;
case OPT_DECRYPT:
operation = SMIME_DECRYPT;
break;
case OPT_SIGN:
operation = SMIME_SIGN;
break;
case OPT_RESIGN:
operation = SMIME_RESIGN;
break;
case OPT_VERIFY:
operation = SMIME_VERIFY;
break;
case OPT_PK7OUT:
operation = SMIME_PK7OUT;
break;
case OPT_TEXT:
flags |= PKCS7_TEXT;
break;
case OPT_NOINTERN:
flags |= PKCS7_NOINTERN;
break;
case OPT_NOVERIFY:
flags |= PKCS7_NOVERIFY;
break;
case OPT_NOCHAIN:
flags |= PKCS7_NOCHAIN;
break;
case OPT_NOCERTS:
flags |= PKCS7_NOCERTS;
break;
case OPT_NOATTR:
flags |= PKCS7_NOATTR;
break;
case OPT_NODETACH:
flags &= ~PKCS7_DETACHED;
break;
case OPT_NOSMIMECAP:
flags |= PKCS7_NOSMIMECAP;
break;
case OPT_BINARY:
flags |= PKCS7_BINARY;
break;
case OPT_NOSIGS:
flags |= PKCS7_NOSIGS;
break;
case OPT_STREAM:
case OPT_INDEF:
indef = 1;
break;
case OPT_NOINDEF:
indef = 0;
break;
case OPT_CRLFEOL:
flags |= PKCS7_CRLFEOL;
mime_eol = "\r\n";
break;
case OPT_RAND:
inrand = opt_arg();
need_rand = 1;
break;
case OPT_ENGINE:
e = setup_engine(opt_arg(), 0);
break;
case OPT_PASSIN:
passinarg = opt_arg();
break;
case OPT_TO:
to = opt_arg();
break;
case OPT_FROM:
from = opt_arg();
break;
case OPT_SUBJECT:
subject = opt_arg();
break;
case OPT_SIGNER:
/* If previous -signer argument add signer to list */
if (signerfile) {
if (sksigners == NULL
&& (sksigners = sk_OPENSSL_STRING_new_null()) == NULL)
goto end;
sk_OPENSSL_STRING_push(sksigners, signerfile);
if (keyfile == NULL)
keyfile = signerfile;
if (skkeys == NULL
&& (skkeys = sk_OPENSSL_STRING_new_null()) == NULL)
goto end;
sk_OPENSSL_STRING_push(skkeys, keyfile);
keyfile = NULL;
}
signerfile = opt_arg();
break;
case OPT_RECIP:
recipfile = opt_arg();
break;
case OPT_MD:
if (!opt_md(opt_arg(), &sign_md))
goto opthelp;
break;
case OPT_CIPHER:
if (!opt_cipher(opt_unknown(), &cipher))
goto opthelp;
break;
case OPT_INKEY:
/* If previous -inkey argument add signer to list */
if (keyfile) {
if (signerfile == NULL) {
BIO_printf(bio_err,
"%s: Must have -signer before -inkey\n", prog);
goto opthelp;
}
if (sksigners == NULL
&& (sksigners = sk_OPENSSL_STRING_new_null()) == NULL)
goto end;
sk_OPENSSL_STRING_push(sksigners, signerfile);
signerfile = NULL;
if (skkeys == NULL
&& (skkeys = sk_OPENSSL_STRING_new_null()) == NULL)
goto end;
sk_OPENSSL_STRING_push(skkeys, keyfile);
}
keyfile = opt_arg();
break;
case OPT_KEYFORM:
if (!opt_format(opt_arg(), OPT_FMT_ANY, &keyform))
goto opthelp;
break;
case OPT_CERTFILE:
certfile = opt_arg();
break;
case OPT_CAFILE:
CAfile = opt_arg();
break;
case OPT_CAPATH:
CApath = opt_arg();
break;
case OPT_NOCAFILE:
noCAfile = 1;
break;
case OPT_NOCAPATH:
noCApath = 1;
break;
case OPT_CONTENT:
contfile = opt_arg();
break;
case OPT_V_CASES:
if (!opt_verify(o, vpm))
goto opthelp;
vpmtouched++;
break;
}
}
argc = opt_num_rest();
argv = opt_rest();
if (!(operation & SMIME_SIGNERS) && (skkeys || sksigners)) {
BIO_puts(bio_err, "Multiple signers or keys not allowed\n");
goto opthelp;
}
if (operation & SMIME_SIGNERS) {
/* Check to see if any final signer needs to be appended */
if (keyfile && !signerfile) {
BIO_puts(bio_err, "Illegal -inkey without -signer\n");
goto opthelp;
}
if (signerfile) {
if (!sksigners
&& (sksigners = sk_OPENSSL_STRING_new_null()) == NULL)
goto end;
sk_OPENSSL_STRING_push(sksigners, signerfile);
if (!skkeys && (skkeys = sk_OPENSSL_STRING_new_null()) == NULL)
goto end;
if (!keyfile)
keyfile = signerfile;
sk_OPENSSL_STRING_push(skkeys, keyfile);
}
if (!sksigners) {
BIO_printf(bio_err, "No signer certificate specified\n");
goto opthelp;
}
signerfile = NULL;
keyfile = NULL;
need_rand = 1;
} else if (operation == SMIME_DECRYPT) {
if (!recipfile && !keyfile) {
BIO_printf(bio_err,
"No recipient certificate or key specified\n");
goto opthelp;
}
} else if (operation == SMIME_ENCRYPT) {
if (argc == 0) {
BIO_printf(bio_err, "No recipient(s) certificate(s) specified\n");
goto opthelp;
}
need_rand = 1;
} else if (!operation)
goto opthelp;
if (!app_passwd(passinarg, NULL, &passin, NULL)) {
BIO_printf(bio_err, "Error getting password\n");
goto end;
}
if (need_rand) {
app_RAND_load_file(NULL, (inrand != NULL));
if (inrand != NULL)
BIO_printf(bio_err, "%ld semi-random bytes loaded\n",
app_RAND_load_files(inrand));
}
ret = 2;
if (!(operation & SMIME_SIGNERS))
flags &= ~PKCS7_DETACHED;
if (!(operation & SMIME_OP)) {
if (flags & PKCS7_BINARY)
outformat = FORMAT_BINARY;
}
if (!(operation & SMIME_IP)) {
if (flags & PKCS7_BINARY)
informat = FORMAT_BINARY;
}
if (operation == SMIME_ENCRYPT) {
if (!cipher) {
#ifndef OPENSSL_NO_DES
cipher = EVP_des_ede3_cbc();
#else
BIO_printf(bio_err, "No cipher selected\n");
goto end;
#endif
}
encerts = sk_X509_new_null();
if (!encerts)
goto end;
while (*argv) {
cert = load_cert(*argv, FORMAT_PEM,
"recipient certificate file");
if (cert == NULL)
goto end;
sk_X509_push(encerts, cert);
cert = NULL;
argv++;
}
}
if (certfile) {
if (!load_certs(certfile, &other, FORMAT_PEM, NULL,
"certificate file")) {
ERR_print_errors(bio_err);
goto end;
}
}
if (recipfile && (operation == SMIME_DECRYPT)) {
if ((recip = load_cert(recipfile, FORMAT_PEM,
"recipient certificate file")) == NULL) {
ERR_print_errors(bio_err);
goto end;
}
}
if (operation == SMIME_DECRYPT) {
if (!keyfile)
keyfile = recipfile;
} else if (operation == SMIME_SIGN) {
if (!keyfile)
keyfile = signerfile;
} else
keyfile = NULL;
if (keyfile) {
key = load_key(keyfile, keyform, 0, passin, e, "signing key file");
if (!key)
goto end;
}
in = bio_open_default(infile, 'r', informat);
if (in == NULL)
goto end;
if (operation & SMIME_IP) {
if (informat == FORMAT_SMIME)
p7 = SMIME_read_PKCS7(in, &indata);
else if (informat == FORMAT_PEM)
p7 = PEM_read_bio_PKCS7(in, NULL, NULL, NULL);
else if (informat == FORMAT_ASN1)
p7 = d2i_PKCS7_bio(in, NULL);
else {
BIO_printf(bio_err, "Bad input format for PKCS#7 file\n");
goto end;
}
if (!p7) {
BIO_printf(bio_err, "Error reading S/MIME message\n");
goto end;
}
if (contfile) {
BIO_free(indata);
if ((indata = BIO_new_file(contfile, "rb")) == NULL) {
BIO_printf(bio_err, "Can't read content file %s\n", contfile);
goto end;
}
}
}
out = bio_open_default(outfile, 'w', outformat);
if (out == NULL)
goto end;
if (operation == SMIME_VERIFY) {
if ((store = setup_verify(CAfile, CApath, noCAfile, noCApath)) == NULL)
goto end;
X509_STORE_set_verify_cb(store, smime_cb);
if (vpmtouched)
X509_STORE_set1_param(store, vpm);
}
ret = 3;
if (operation == SMIME_ENCRYPT) {
if (indef)
flags |= PKCS7_STREAM;
p7 = PKCS7_encrypt(encerts, in, cipher, flags);
} else if (operation & SMIME_SIGNERS) {
int i;
/*
* If detached data content we only enable streaming if S/MIME output
* format.
*/
if (operation == SMIME_SIGN) {
if (flags & PKCS7_DETACHED) {
if (outformat == FORMAT_SMIME)
flags |= PKCS7_STREAM;
} else if (indef)
flags |= PKCS7_STREAM;
flags |= PKCS7_PARTIAL;
p7 = PKCS7_sign(NULL, NULL, other, in, flags);
if (!p7)
goto end;
if (flags & PKCS7_NOCERTS) {
for (i = 0; i < sk_X509_num(other); i++) {
X509 *x = sk_X509_value(other, i);
PKCS7_add_certificate(p7, x);
}
}
} else
flags |= PKCS7_REUSE_DIGEST;
for (i = 0; i < sk_OPENSSL_STRING_num(sksigners); i++) {
signerfile = sk_OPENSSL_STRING_value(sksigners, i);
keyfile = sk_OPENSSL_STRING_value(skkeys, i);
signer = load_cert(signerfile, FORMAT_PEM,
"signer certificate");
if (!signer)
goto end;
key = load_key(keyfile, keyform, 0, passin, e, "signing key file");
if (!key)
goto end;
if (!PKCS7_sign_add_signer(p7, signer, key, sign_md, flags))
goto end;
X509_free(signer);
signer = NULL;
EVP_PKEY_free(key);
key = NULL;
}
/* If not streaming or resigning finalize structure */
if ((operation == SMIME_SIGN) && !(flags & PKCS7_STREAM)) {
if (!PKCS7_final(p7, in, flags))
goto end;
}
}
if (!p7) {
BIO_printf(bio_err, "Error creating PKCS#7 structure\n");
goto end;
}
ret = 4;
if (operation == SMIME_DECRYPT) {
if (!PKCS7_decrypt(p7, key, recip, out, flags)) {
BIO_printf(bio_err, "Error decrypting PKCS#7 structure\n");
goto end;
}
} else if (operation == SMIME_VERIFY) {
STACK_OF(X509) *signers;
if (PKCS7_verify(p7, other, store, indata, out, flags))
BIO_printf(bio_err, "Verification successful\n");
else {
BIO_printf(bio_err, "Verification failure\n");
goto end;
}
signers = PKCS7_get0_signers(p7, other, flags);
if (!save_certs(signerfile, signers)) {
BIO_printf(bio_err, "Error writing signers to %s\n", signerfile);
ret = 5;
goto end;
}
sk_X509_free(signers);
} else if (operation == SMIME_PK7OUT)
PEM_write_bio_PKCS7(out, p7);
else {
if (to)
BIO_printf(out, "To: %s%s", to, mime_eol);
if (from)
BIO_printf(out, "From: %s%s", from, mime_eol);
if (subject)
BIO_printf(out, "Subject: %s%s", subject, mime_eol);
if (outformat == FORMAT_SMIME) {
if (operation == SMIME_RESIGN)
rv = SMIME_write_PKCS7(out, p7, indata, flags);
else
rv = SMIME_write_PKCS7(out, p7, in, flags);
} else if (outformat == FORMAT_PEM)
rv = PEM_write_bio_PKCS7_stream(out, p7, in, flags);
else if (outformat == FORMAT_ASN1)
rv = i2d_PKCS7_bio_stream(out, p7, in, flags);
else {
BIO_printf(bio_err, "Bad output format for PKCS#7 file\n");
goto end;
}
if (rv == 0) {
BIO_printf(bio_err, "Error writing output\n");
ret = 3;
goto end;
}
}
ret = 0;
end:
if (need_rand)
app_RAND_write_file(NULL);
if (ret)
ERR_print_errors(bio_err);
sk_X509_pop_free(encerts, X509_free);
sk_X509_pop_free(other, X509_free);
X509_VERIFY_PARAM_free(vpm);
sk_OPENSSL_STRING_free(sksigners);
sk_OPENSSL_STRING_free(skkeys);
X509_STORE_free(store);
X509_free(cert);
X509_free(recip);
X509_free(signer);
EVP_PKEY_free(key);
PKCS7_free(p7);
release_engine(e);
BIO_free(in);
BIO_free(indata);
BIO_free_all(out);
OPENSSL_free(passin);
return (ret);
}
int main(int argc, char *argv[])
{
char *delegation_id = "", *reqtxt, *certtxt, *valid = NULL,
*cert = NULL, *key = NULL, *capath = NULL, *keycert, timestr[81],
*vomsdir = "/etc/grid-security/vomsdir",
*executable, *keytxt, *proxychain, *ptr, *p;
struct ns__putProxyResponse *unused = NULL;
struct tm *finish_tm;
int option_index, c, noverify = 0, i, ret,
method = HTPROXY_PUT, verbose = 0, fd, minutes;
struct soap soap_get, soap_put;
struct ns__getNewProxyReqResponse getNewProxyReqResponse;
struct ns__renewProxyReqResponse renewProxyReqResponse;
struct ns__destroyResponse destroyResponse;
struct ns__getTerminationTimeResponse getTerminationTimeResponse;
FILE *ifp, *ofp;
STACK_OF(X509) *x509_certstack;
X509 *x509_cert;
BIO *certmem;
GRSTx509Chain *grst_chain = NULL;
GRSTx509Cert *grst_cert = NULL;
long ptrlen;
struct stat statbuf;
struct passwd *userpasswd;
struct option long_options[] = { {"verbose", 0, 0, 'v'},
{"cert", 1, 0, 0},
{"key", 1, 0, 0},
{"capath", 1, 0, 0},
{"destroy", 0, 0, 0},
{"time", 0, 0, 0},
{"no-verify", 0, 0, 0},
{"valid", 1, 0, 0},
{"delegation-id",1, 0, 0},
{"put", 0, 0, 0},
{"renew", 0, 0, 0},
{"unixtime", 0, 0, 0},
{"make", 0, 0, 0},
{"info", 0, 0, 0},
{0, 0, 0, 0} };
if (argc == 1)
{
printsyntax(argv[0]);
return 0;
}
while (1)
{
option_index = 0;
c = getopt_long(argc, argv, "v", long_options, &option_index);
if (c == -1) break;
else if (c == 0)
{
if (option_index == 1) cert = optarg;
else if (option_index == 2) key = optarg;
else if (option_index == 3) capath = optarg;
else if (option_index == 4) method = HTPROXY_DESTROY;
else if (option_index == 5) method = HTPROXY_TIME;
else if (option_index == 6) noverify = 1;
else if (option_index == 7) valid = optarg;
else if (option_index == 8) delegation_id = optarg;
else if (option_index == 9) method = HTPROXY_PUT;
else if (option_index == 10) method = HTPROXY_RENEW;
else if (option_index == 11) method = HTPROXY_UNIXTIME;
else if (option_index == 12) method = HTPROXY_MAKE;
else if (option_index == 13) method = HTPROXY_INFO;
}
else if (c == 'v')
{
GRSTerrorLogFunc = htproxy_logfunc;
++verbose;
}
}
executable = rindex(argv[0], '/');
if (executable != NULL) executable++;
else executable = argv[0];
if (strcmp(executable, "htproxydestroy") == 0) method = HTPROXY_DESTROY;
else if (strcmp(executable, "htproxyrenew") == 0) method = HTPROXY_RENEW;
else if (strcmp(executable, "htproxytime") == 0) method = HTPROXY_TIME;
else if (strcmp(executable, "htproxyunixtime") == 0)
method = HTPROXY_UNIXTIME;
else if (strcmp(executable, "htproxymake") == 0) method = HTPROXY_MAKE;
else if (strcmp(executable, "htproxyinfo") == 0) method = HTPROXY_INFO;
if ((method != HTPROXY_MAKE) &&
(method != HTPROXY_INFO) && (optind + 1 != argc))
{
fprintf(stderr, "Must specify a delegation service URL!\n");
return 1;
}
if ((method == HTPROXY_RENEW) && (delegation_id[0] == '\0'))
{
fprintf(stderr, "Must give a Delegation ID when renewing\n");
return 1;
}
if (valid == NULL) minutes = 60 * 12;
else minutes = atoi(valid);
if (verbose) fprintf(stderr, "Proxy valid for %d minutes\n", minutes);
ERR_load_crypto_strings ();
OpenSSL_add_all_algorithms();
if ((cert == NULL) && (key != NULL)) cert = key;
else if ((cert != NULL) && (key == NULL)) key = cert;
else if ((cert == NULL) && (key == NULL))
{
if (method != HTPROXY_MAKE) cert = getenv("X509_USER_PROXY");
if (cert != NULL) key = cert;
else
{
if (method != HTPROXY_MAKE)
asprintf(&(cert), "/tmp/x509up_u%d", geteuid());
/* one fine day, we will check the proxy file for
expiry too to avoid suprises when we try to use it ... */
if (stat(cert, &statbuf) == 0) key = cert;
else if (method != HTPROXY_INFO)
{
cert = getenv("X509_USER_CERT");
key = getenv("X509_USER_KEY");
userpasswd = getpwuid(geteuid());
if ((cert == NULL) &&
(userpasswd != NULL) &&
(userpasswd->pw_dir != NULL))
asprintf(&(cert), "%s/.globus/usercert.pem",
userpasswd->pw_dir);
if ((key == NULL) &&
(userpasswd != NULL) &&
(userpasswd->pw_dir != NULL))
asprintf(&(key), "%s/.globus/userkey.pem",
userpasswd->pw_dir);
}
}
}
if (capath == NULL) capath = getenv("X509_CERT_DIR");
if (capath == NULL) capath = "/etc/grid-security/certificates";
if (verbose) fprintf(stderr, "key=%s\ncert=%s\ncapath=%s\n",
key, cert, capath);
if ((key != NULL) && (cert != NULL) &&
(strcmp(key, cert) != 0)) /* we have to concatenate for gSOAP */
{
keycert = strdup("/tmp/.XXXXXX");
fd = mkstemp(keycert);
ofp = fdopen(fd, "w");
if (!ofp)
{
fprintf(stderr, "Cannot open tmp file for the key\n");
return 1;
}
ifp = fopen(key, "r");
{
fprintf(stderr, "Cannot open the file with the key\n");
return 1;
}
while ((c = fgetc(ifp)) != EOF) fputc(c, ofp);
fclose(ifp);
ifp = fopen(cert, "r");
{
fprintf(stderr, "Cannot open the file with the cert\n");
return 1;
}
while ((c = fgetc(ifp)) != EOF) fputc(c, ofp);
fclose(ifp);
fclose(ofp);
if (verbose) fprintf(stderr, "Created %s key/cert file\n", keycert);
}
else keycert = key;
if ((method == HTPROXY_PUT) || (method == HTPROXY_RENEW))
{
if (verbose)
{
fprintf(stderr, "Using SOAP delegation protocol\n");
fprintf(stderr, "Delegation-ID: %s\n", delegation_id);
}
soap_init(&soap_get);
if (soap_ssl_client_context(&soap_get,
SOAP_SSL_DEFAULT,
keycert,
"",
NULL,
capath,
NULL))
{
soap_print_fault(&soap_get, stderr);
return 1;
}
if ((method == HTPROXY_RENEW) && (delegation_id[0] != '\0'))
{
if (verbose) fprintf(stderr, "Send renewProxyReq to service\n");
soap_call_ns__renewProxyReq(&soap_get,
argv[optind], /* HTTPS url of service */
"http://www.gridsite.org/namespaces/delegation-1",
delegation_id,
&renewProxyReqResponse);
if (soap_get.error)
{
soap_print_fault(&soap_get, stderr);
return 1;
}
reqtxt = renewProxyReqResponse._renewProxyReqReturn;
}
else
{
if (verbose) fprintf(stderr, "Send getNewProxyReq to service\n");
soap_call_ns__getNewProxyReq(&soap_get,
argv[optind], /* HTTPS url of service */
"http://www.gridsite.org/namespaces/delegation-1",
&getNewProxyReqResponse);
if (soap_get.error)
{
soap_print_fault(&soap_get, stderr);
return 1;
}
if (!getNewProxyReqResponse.getNewProxyReqReturn)
{
fprintf(stderr, "Empty response from getNewProxyReq\n");
return 1;
}
reqtxt = getNewProxyReqResponse.getNewProxyReqReturn->proxyRequest;
delegation_id =
getNewProxyReqResponse.getNewProxyReqReturn->delegationID;
}
if (verbose) fprintf(stderr, "reqtxt:\n%s", reqtxt);
if (GRSTx509MakeProxyCert(&certtxt, stderr, reqtxt, cert, key, minutes)
!= GRST_RET_OK)
{
return 1;
}
soap_init(&soap_put);
if (verbose) fprintf(stderr, "Send putProxy to service:\n%s\n", certtxt);
if (soap_ssl_client_context(&soap_put,
SOAP_SSL_DEFAULT,
keycert,
"",
NULL,
capath,
NULL))
{
soap_print_fault(&soap_put, stderr);
return 1;
}
soap_call_ns__putProxy(&soap_put, argv[optind],
"http://www.gridsite.org/namespaces/delegation-1",
delegation_id,
certtxt, unused);
if (soap_put.error)
{
soap_print_fault(&soap_put, stderr);
return 1;
}
puts(delegation_id);
return 0;
}
else if (method == HTPROXY_DESTROY)
{
if (verbose)
{
fprintf(stderr, "Using SOAP proxy destroy protocol\n");
fprintf(stderr, "Delegation-ID: %s\n", delegation_id);
}
soap_init(&soap_put);
if (verbose) fprintf(stderr, "Send destroy to service:\n");
if (soap_ssl_client_context(&soap_put,
SOAP_SSL_DEFAULT,
keycert,
"",
NULL,
capath,
NULL))
{
soap_print_fault(&soap_put, stderr);
return 1;
}
soap_call_ns__destroy(&soap_put, argv[optind],
"http://www.gridsite.org/namespaces/delegation-1",
delegation_id,
&destroyResponse);
if (soap_put.error)
{
soap_print_fault(&soap_put, stderr);
return 1;
}
return 0;
}
else if ((method == HTPROXY_TIME) || (method == HTPROXY_UNIXTIME))
{
if (verbose)
{
fprintf(stderr, "Using SOAP proxy get expiration time protocol\n");
fprintf(stderr, "Delegation-ID: %s\n", delegation_id);
}
soap_init(&soap_put);
if (verbose) fprintf(stderr, "Send get time to service:\n");
if (soap_ssl_client_context(&soap_put,
SOAP_SSL_DEFAULT,
keycert,
"",
NULL,
capath,
NULL))
{
soap_print_fault(&soap_put, stderr);
return 1;
}
soap_call_ns__getTerminationTime(&soap_put, argv[optind],
"http://www.gridsite.org/namespaces/delegation-1",
delegation_id,
&getTerminationTimeResponse);
if (soap_put.error)
{
soap_print_fault(&soap_put, stderr);
return 1;
}
if (method == HTPROXY_UNIXTIME)
printf("%ld\n", getTerminationTimeResponse._getTerminationTimeReturn);
else
{
finish_tm =
localtime(&(getTerminationTimeResponse._getTerminationTimeReturn));
strftime(timestr, sizeof(timestr),
"%a %b %e %H:%M:%S %Z %Y\n", finish_tm);
fputs(timestr, stdout);
}
return 0;
}
else if (method == HTPROXY_MAKE)
#ifdef HT_LEAK_TEST
{
int ii;
FILE *ffpp;
char lineline[80];
for (ii=0; ii < 1000; ++ii)
#endif
{
if (GRSTx509CreateProxyRequestKS(&reqtxt, &keytxt, NULL, 0) != GRST_RET_OK)
{
fprintf(stderr, "Failed to create internal proxy cert request\n");
return 1;
}
#ifdef HT_LEAK_TEST
ffpp = fopen("/proc/self/statm", "r");
fgets(lineline, sizeof(lineline), ffpp);
fprintf(stderr, "%d a %s", ii, lineline);
fclose(ffpp);
#endif
if (GRSTx509MakeProxyCert(&proxychain, NULL, reqtxt, cert, key, minutes)
!= GRST_RET_OK)
{
fprintf(stderr, "Failed to sign internal proxy cert request\n");
return 2;
}
#ifdef HT_LEAK_TEST
ffpp = fopen("/proc/self/statm", "r");
fgets(lineline, sizeof(lineline), ffpp);
fprintf(stderr, "%d b %s", ii, lineline);
fclose(ffpp);
#endif
/* convert back to cert stack so can output in the right order */
if (GRSTx509StringToChain(&x509_certstack, proxychain) != GRST_RET_OK)
{
fprintf(stderr, "Failed to convert internal proxy chain\n");
return 3;
}
#ifdef HT_LEAK_TEST
ffpp = fopen("/proc/self/statm", "r");
fgets(lineline, sizeof(lineline), ffpp);
fprintf(stderr, "%d c %s", ii, lineline);
fclose(ffpp);
#endif
/* just the proxy certificate we have created */
if ((x509_cert = sk_X509_value(x509_certstack, 0)))
{
certmem = BIO_new(BIO_s_mem());
if (PEM_write_bio_X509(certmem, x509_cert) == 1)
{
ptrlen = BIO_get_mem_data(certmem, &ptr);
fwrite(ptr, 1, ptrlen, stdout);
}
BIO_free(certmem);
}
#ifdef HT_LEAK_TEST
ffpp = fopen("/proc/self/statm", "r");
fgets(lineline, sizeof(lineline), ffpp);
fprintf(stderr, "%d d %s", ii, lineline);
fclose(ffpp);
#endif
/* then the private key */
fputs(keytxt, stdout);
/* and only now the rest of the certificates */
for (i=1; i <= sk_X509_num(x509_certstack) - 1; ++i)
/* loop through the proxy chain starting at 2nd most recent proxy */
{
if ((x509_cert = sk_X509_value(x509_certstack, i)))
{
certmem = BIO_new(BIO_s_mem());
if (PEM_write_bio_X509(certmem, x509_cert) == 1)
{
ptrlen = BIO_get_mem_data(certmem, &ptr);
fwrite(ptr, 1, ptrlen, stdout);
}
BIO_free(certmem);
}
}
#ifdef HT_LEAK_TEST
ffpp = fopen("/proc/self/statm", "r");
fgets(lineline, sizeof(lineline), ffpp);
fprintf(stderr, "%d e %s", ii, lineline);
fclose(ffpp);
#endif
free(proxychain);
free(keytxt);
free(reqtxt);
sk_X509_free(x509_certstack);
#ifdef HT_LEAK_TEST
ffpp = fopen("/proc/self/statm", "r");
fgets(lineline, sizeof(lineline), ffpp);
fprintf(stderr, "%d f %s", ii, lineline);
fclose(ffpp);
}
#endif
return 0;
}
else if (method == HTPROXY_INFO)
{
if (cert != NULL)
{
if (verbose) fprintf(stderr, "Getting proxy info from %s\n", cert);
ifp = fopen(cert, "r");
if (ifp == NULL)
{
fprintf(stderr, "Failed to open proxy file\n");
return 2;
}
}
else
{
if (verbose) fprintf(stderr, "Getting proxy info from stdin\n");
ifp = stdin;
}
ptrlen = 4096;
ptr = malloc(ptrlen);
i = 0;
while ((c = fgetc(ifp)) != EOF)
{
ptr[i] = c;
++i;
if (i >= ptrlen)
{
ptrlen += 4096;
ptr = realloc(ptr, ptrlen);
}
}
ptr[i] = '\0';
if (cert != NULL) fclose(ifp);
if ((GRSTx509StringToChain(&x509_certstack, ptr) != GRST_RET_OK) ||
(x509_certstack == NULL))
{
fprintf(stderr, "Failed to parse proxy file for certificate chain\n");
free(ptr);
return 2;
}
free(ptr);
if (verbose) fprintf(stderr, "Parsing certificate chain\n");
ret = GRSTx509ChainLoadCheck(&grst_chain, x509_certstack, NULL,
capath, vomsdir);
if ((ret != GRST_RET_OK) ||
(grst_chain == NULL) || (grst_chain->firstcert == NULL))
{
fprintf(stderr, "Failed parsing certificate chain\n");
return 3;
}
grst_cert = grst_chain->firstcert;
for (i=0; grst_cert != NULL; grst_cert = grst_cert->next, ++i)
{
if (grst_cert->type == GRST_CERT_TYPE_CA) p = "(CA) ";
else if (grst_cert->type == GRST_CERT_TYPE_EEC) p = "(EEC) ";
else if (grst_cert->type == GRST_CERT_TYPE_PROXY) p = "(PC) ";
else if (grst_cert->type == GRST_CERT_TYPE_VOMS) p = "(AC) ";
else p = "";
printf("%d %s%s\n", i, p,
(grst_cert->type == GRST_CERT_TYPE_VOMS)
? grst_cert->value : grst_cert->dn);
printf(" Status : %d ( %s%s%s%s%s%s)\n", grst_cert->errors,
(grst_cert->errors == 0) ? "OK " : "",
(grst_cert->errors & GRST_CERT_BAD_FORMAT) ? "BAD_FORMAT ":"",
(grst_cert->errors & GRST_CERT_BAD_CHAIN) ? "BAD_CHAIN ":"",
(grst_cert->errors & GRST_CERT_BAD_SIG) ? "BAD_SIG ":"",
(grst_cert->errors & GRST_CERT_BAD_TIME) ? "BAD_TIME ":"",
(grst_cert->errors & GRST_CERT_BAD_OCSP) ? "BAD_OCSP ":"");
printf(" Start : %s", ctime(&(grst_cert->notbefore)));
printf(" Finish : %s", ctime(&(grst_cert->notafter)));
printf(" Delegation : %d\n", grst_cert->delegation);
if (grst_cert->type == GRST_CERT_TYPE_VOMS)
{
printf(" User DN : %s\n", grst_cert->dn);
printf(" VOMS DN : %s\n\n", grst_cert->issuer);
}
else
{
printf(" Serial : %s\n", grst_cert->serial);
printf(" Issuer : %s\n\n", grst_cert->issuer);
}
}
GRSTx509ChainFree(grst_chain);
}
/* weirdness */
}
int MAIN(int argc, char **argv)
{
ENGINE *e = NULL;
int operation = 0;
int ret = 0;
char **args;
const char *inmode = "r", *outmode = "w";
char *infile = NULL, *outfile = NULL, *rctfile = NULL;
char *signerfile = NULL, *recipfile = NULL;
STACK_OF(OPENSSL_STRING) *sksigners = NULL, *skkeys = NULL;
char *certfile = NULL, *keyfile = NULL, *contfile = NULL;
char *certsoutfile = NULL;
const EVP_CIPHER *cipher = NULL, *wrap_cipher = NULL;
CMS_ContentInfo *cms = NULL, *rcms = NULL;
X509_STORE *store = NULL;
X509 *cert = NULL, *recip = NULL, *signer = NULL;
EVP_PKEY *key = NULL;
STACK_OF(X509) *encerts = NULL, *other = NULL;
BIO *in = NULL, *out = NULL, *indata = NULL, *rctin = NULL;
int badarg = 0;
int flags = CMS_DETACHED, noout = 0, print = 0;
int verify_retcode = 0;
int rr_print = 0, rr_allorfirst = -1;
STACK_OF(OPENSSL_STRING) *rr_to = NULL, *rr_from = NULL;
CMS_ReceiptRequest *rr = NULL;
char *to = NULL, *from = NULL, *subject = NULL;
char *CAfile = NULL, *CApath = NULL;
char *passargin = NULL, *passin = NULL;
char *inrand = NULL;
int need_rand = 0;
const EVP_MD *sign_md = NULL;
int informat = FORMAT_SMIME, outformat = FORMAT_SMIME;
int rctformat = FORMAT_SMIME, keyform = FORMAT_PEM;
# ifndef OPENSSL_NO_ENGINE
char *engine = NULL;
# endif
unsigned char *secret_key = NULL, *secret_keyid = NULL;
unsigned char *pwri_pass = NULL, *pwri_tmp = NULL;
size_t secret_keylen = 0, secret_keyidlen = 0;
cms_key_param *key_first = NULL, *key_param = NULL;
ASN1_OBJECT *econtent_type = NULL;
X509_VERIFY_PARAM *vpm = NULL;
args = argv + 1;
ret = 1;
apps_startup();
if (bio_err == NULL) {
if ((bio_err = BIO_new(BIO_s_file())) != NULL)
BIO_set_fp(bio_err, stderr, BIO_NOCLOSE | BIO_FP_TEXT);
}
if (!load_config(bio_err, NULL))
goto end;
while (!badarg && *args && *args[0] == '-') {
if (!strcmp(*args, "-encrypt"))
operation = SMIME_ENCRYPT;
else if (!strcmp(*args, "-decrypt"))
operation = SMIME_DECRYPT;
else if (!strcmp(*args, "-sign"))
operation = SMIME_SIGN;
else if (!strcmp(*args, "-sign_receipt"))
operation = SMIME_SIGN_RECEIPT;
else if (!strcmp(*args, "-resign"))
operation = SMIME_RESIGN;
else if (!strcmp(*args, "-verify"))
operation = SMIME_VERIFY;
else if (!strcmp(*args, "-verify_retcode"))
verify_retcode = 1;
else if (!strcmp(*args, "-verify_receipt")) {
operation = SMIME_VERIFY_RECEIPT;
if (!args[1])
goto argerr;
args++;
rctfile = *args;
} else if (!strcmp(*args, "-cmsout"))
operation = SMIME_CMSOUT;
else if (!strcmp(*args, "-data_out"))
operation = SMIME_DATAOUT;
else if (!strcmp(*args, "-data_create"))
operation = SMIME_DATA_CREATE;
else if (!strcmp(*args, "-digest_verify"))
operation = SMIME_DIGEST_VERIFY;
else if (!strcmp(*args, "-digest_create"))
operation = SMIME_DIGEST_CREATE;
else if (!strcmp(*args, "-compress"))
operation = SMIME_COMPRESS;
else if (!strcmp(*args, "-uncompress"))
operation = SMIME_UNCOMPRESS;
else if (!strcmp(*args, "-EncryptedData_decrypt"))
operation = SMIME_ENCRYPTED_DECRYPT;
else if (!strcmp(*args, "-EncryptedData_encrypt"))
operation = SMIME_ENCRYPTED_ENCRYPT;
# ifndef OPENSSL_NO_DES
else if (!strcmp(*args, "-des3"))
cipher = EVP_des_ede3_cbc();
else if (!strcmp(*args, "-des"))
cipher = EVP_des_cbc();
else if (!strcmp(*args, "-des3-wrap"))
wrap_cipher = EVP_des_ede3_wrap();
# endif
# ifndef OPENSSL_NO_SEED
else if (!strcmp(*args, "-seed"))
cipher = EVP_seed_cbc();
# endif
# ifndef OPENSSL_NO_RC2
else if (!strcmp(*args, "-rc2-40"))
cipher = EVP_rc2_40_cbc();
else if (!strcmp(*args, "-rc2-128"))
cipher = EVP_rc2_cbc();
else if (!strcmp(*args, "-rc2-64"))
cipher = EVP_rc2_64_cbc();
# endif
# ifndef OPENSSL_NO_AES
else if (!strcmp(*args, "-aes128"))
cipher = EVP_aes_128_cbc();
else if (!strcmp(*args, "-aes192"))
cipher = EVP_aes_192_cbc();
else if (!strcmp(*args, "-aes256"))
cipher = EVP_aes_256_cbc();
else if (!strcmp(*args, "-aes128-wrap"))
wrap_cipher = EVP_aes_128_wrap();
else if (!strcmp(*args, "-aes192-wrap"))
wrap_cipher = EVP_aes_192_wrap();
else if (!strcmp(*args, "-aes256-wrap"))
wrap_cipher = EVP_aes_256_wrap();
# endif
# ifndef OPENSSL_NO_CAMELLIA
else if (!strcmp(*args, "-camellia128"))
cipher = EVP_camellia_128_cbc();
else if (!strcmp(*args, "-camellia192"))
cipher = EVP_camellia_192_cbc();
else if (!strcmp(*args, "-camellia256"))
cipher = EVP_camellia_256_cbc();
# endif
else if (!strcmp(*args, "-debug_decrypt"))
flags |= CMS_DEBUG_DECRYPT;
else if (!strcmp(*args, "-text"))
flags |= CMS_TEXT;
else if (!strcmp(*args, "-nointern"))
flags |= CMS_NOINTERN;
else if (!strcmp(*args, "-noverify")
|| !strcmp(*args, "-no_signer_cert_verify"))
flags |= CMS_NO_SIGNER_CERT_VERIFY;
else if (!strcmp(*args, "-nocerts"))
flags |= CMS_NOCERTS;
else if (!strcmp(*args, "-noattr"))
flags |= CMS_NOATTR;
else if (!strcmp(*args, "-nodetach"))
flags &= ~CMS_DETACHED;
else if (!strcmp(*args, "-nosmimecap"))
flags |= CMS_NOSMIMECAP;
else if (!strcmp(*args, "-binary"))
flags |= CMS_BINARY;
else if (!strcmp(*args, "-keyid"))
flags |= CMS_USE_KEYID;
else if (!strcmp(*args, "-nosigs"))
flags |= CMS_NOSIGS;
else if (!strcmp(*args, "-no_content_verify"))
flags |= CMS_NO_CONTENT_VERIFY;
else if (!strcmp(*args, "-no_attr_verify"))
flags |= CMS_NO_ATTR_VERIFY;
else if (!strcmp(*args, "-stream"))
flags |= CMS_STREAM;
else if (!strcmp(*args, "-indef"))
flags |= CMS_STREAM;
else if (!strcmp(*args, "-noindef"))
flags &= ~CMS_STREAM;
else if (!strcmp(*args, "-nooldmime"))
flags |= CMS_NOOLDMIMETYPE;
else if (!strcmp(*args, "-crlfeol"))
flags |= CMS_CRLFEOL;
else if (!strcmp(*args, "-noout"))
noout = 1;
else if (!strcmp(*args, "-receipt_request_print"))
rr_print = 1;
else if (!strcmp(*args, "-receipt_request_all"))
rr_allorfirst = 0;
else if (!strcmp(*args, "-receipt_request_first"))
rr_allorfirst = 1;
else if (!strcmp(*args, "-receipt_request_from")) {
if (!args[1])
goto argerr;
args++;
if (!rr_from)
rr_from = sk_OPENSSL_STRING_new_null();
sk_OPENSSL_STRING_push(rr_from, *args);
} else if (!strcmp(*args, "-receipt_request_to")) {
if (!args[1])
goto argerr;
args++;
if (!rr_to)
rr_to = sk_OPENSSL_STRING_new_null();
sk_OPENSSL_STRING_push(rr_to, *args);
} else if (!strcmp(*args, "-print")) {
noout = 1;
print = 1;
} else if (!strcmp(*args, "-secretkey")) {
long ltmp;
if (!args[1])
goto argerr;
args++;
secret_key = string_to_hex(*args, <mp);
if (!secret_key) {
BIO_printf(bio_err, "Invalid key %s\n", *args);
goto argerr;
}
secret_keylen = (size_t)ltmp;
} else if (!strcmp(*args, "-secretkeyid")) {
long ltmp;
if (!args[1])
goto argerr;
args++;
secret_keyid = string_to_hex(*args, <mp);
if (!secret_keyid) {
BIO_printf(bio_err, "Invalid id %s\n", *args);
goto argerr;
}
secret_keyidlen = (size_t)ltmp;
} else if (!strcmp(*args, "-pwri_password")) {
if (!args[1])
goto argerr;
args++;
pwri_pass = (unsigned char *)*args;
} else if (!strcmp(*args, "-econtent_type")) {
if (!args[1])
goto argerr;
args++;
econtent_type = OBJ_txt2obj(*args, 0);
if (!econtent_type) {
BIO_printf(bio_err, "Invalid OID %s\n", *args);
goto argerr;
}
} else if (!strcmp(*args, "-rand")) {
if (!args[1])
goto argerr;
args++;
inrand = *args;
need_rand = 1;
}
# ifndef OPENSSL_NO_ENGINE
else if (!strcmp(*args, "-engine")) {
if (!args[1])
goto argerr;
engine = *++args;
}
# endif
else if (!strcmp(*args, "-passin")) {
if (!args[1])
goto argerr;
passargin = *++args;
} else if (!strcmp(*args, "-to")) {
if (!args[1])
goto argerr;
to = *++args;
} else if (!strcmp(*args, "-from")) {
if (!args[1])
goto argerr;
from = *++args;
} else if (!strcmp(*args, "-subject")) {
if (!args[1])
goto argerr;
subject = *++args;
} else if (!strcmp(*args, "-signer")) {
if (!args[1])
goto argerr;
/* If previous -signer argument add signer to list */
if (signerfile) {
if (!sksigners)
sksigners = sk_OPENSSL_STRING_new_null();
sk_OPENSSL_STRING_push(sksigners, signerfile);
if (!keyfile)
keyfile = signerfile;
if (!skkeys)
skkeys = sk_OPENSSL_STRING_new_null();
sk_OPENSSL_STRING_push(skkeys, keyfile);
keyfile = NULL;
}
signerfile = *++args;
} else if (!strcmp(*args, "-recip")) {
if (!args[1])
goto argerr;
if (operation == SMIME_ENCRYPT) {
if (!encerts)
encerts = sk_X509_new_null();
cert = load_cert(bio_err, *++args, FORMAT_PEM,
NULL, e, "recipient certificate file");
if (!cert)
goto end;
sk_X509_push(encerts, cert);
cert = NULL;
} else
recipfile = *++args;
} else if (!strcmp(*args, "-certsout")) {
if (!args[1])
goto argerr;
certsoutfile = *++args;
} else if (!strcmp(*args, "-md")) {
if (!args[1])
goto argerr;
sign_md = EVP_get_digestbyname(*++args);
if (sign_md == NULL) {
BIO_printf(bio_err, "Unknown digest %s\n", *args);
goto argerr;
}
} else if (!strcmp(*args, "-inkey")) {
if (!args[1])
goto argerr;
/* If previous -inkey arument add signer to list */
if (keyfile) {
if (!signerfile) {
BIO_puts(bio_err, "Illegal -inkey without -signer\n");
goto argerr;
}
if (!sksigners)
sksigners = sk_OPENSSL_STRING_new_null();
sk_OPENSSL_STRING_push(sksigners, signerfile);
signerfile = NULL;
if (!skkeys)
skkeys = sk_OPENSSL_STRING_new_null();
sk_OPENSSL_STRING_push(skkeys, keyfile);
}
keyfile = *++args;
} else if (!strcmp(*args, "-keyform")) {
if (!args[1])
goto argerr;
keyform = str2fmt(*++args);
} else if (!strcmp(*args, "-keyopt")) {
int keyidx = -1;
if (!args[1])
goto argerr;
if (operation == SMIME_ENCRYPT) {
if (encerts)
keyidx += sk_X509_num(encerts);
} else {
if (keyfile || signerfile)
keyidx++;
if (skkeys)
keyidx += sk_OPENSSL_STRING_num(skkeys);
}
if (keyidx < 0) {
BIO_printf(bio_err, "No key specified\n");
goto argerr;
}
if (key_param == NULL || key_param->idx != keyidx) {
cms_key_param *nparam;
nparam = OPENSSL_malloc(sizeof(cms_key_param));
if (!nparam) {
BIO_printf(bio_err, "Out of memory\n");
goto argerr;
}
nparam->idx = keyidx;
nparam->param = sk_OPENSSL_STRING_new_null();
nparam->next = NULL;
if (key_first == NULL)
key_first = nparam;
else
key_param->next = nparam;
key_param = nparam;
}
sk_OPENSSL_STRING_push(key_param->param, *++args);
} else if (!strcmp(*args, "-rctform")) {
if (!args[1])
goto argerr;
rctformat = str2fmt(*++args);
} else if (!strcmp(*args, "-certfile")) {
if (!args[1])
goto argerr;
certfile = *++args;
} else if (!strcmp(*args, "-CAfile")) {
if (!args[1])
goto argerr;
CAfile = *++args;
} else if (!strcmp(*args, "-CApath")) {
if (!args[1])
goto argerr;
CApath = *++args;
} else if (!strcmp(*args, "-in")) {
if (!args[1])
goto argerr;
infile = *++args;
} else if (!strcmp(*args, "-inform")) {
if (!args[1])
goto argerr;
informat = str2fmt(*++args);
} else if (!strcmp(*args, "-outform")) {
if (!args[1])
goto argerr;
outformat = str2fmt(*++args);
} else if (!strcmp(*args, "-out")) {
if (!args[1])
goto argerr;
outfile = *++args;
} else if (!strcmp(*args, "-content")) {
if (!args[1])
goto argerr;
contfile = *++args;
} else if (args_verify(&args, NULL, &badarg, bio_err, &vpm))
continue;
else if ((cipher = EVP_get_cipherbyname(*args + 1)) == NULL)
badarg = 1;
args++;
}
if (((rr_allorfirst != -1) || rr_from) && !rr_to) {
BIO_puts(bio_err, "No Signed Receipts Recipients\n");
goto argerr;
}
if (!(operation & SMIME_SIGNERS) && (rr_to || rr_from)) {
BIO_puts(bio_err, "Signed receipts only allowed with -sign\n");
goto argerr;
}
if (!(operation & SMIME_SIGNERS) && (skkeys || sksigners)) {
BIO_puts(bio_err, "Multiple signers or keys not allowed\n");
goto argerr;
}
if (operation & SMIME_SIGNERS) {
if (keyfile && !signerfile) {
BIO_puts(bio_err, "Illegal -inkey without -signer\n");
goto argerr;
}
/* Check to see if any final signer needs to be appended */
if (signerfile) {
if (!sksigners)
sksigners = sk_OPENSSL_STRING_new_null();
sk_OPENSSL_STRING_push(sksigners, signerfile);
if (!skkeys)
skkeys = sk_OPENSSL_STRING_new_null();
if (!keyfile)
keyfile = signerfile;
sk_OPENSSL_STRING_push(skkeys, keyfile);
}
if (!sksigners) {
BIO_printf(bio_err, "No signer certificate specified\n");
badarg = 1;
}
signerfile = NULL;
keyfile = NULL;
need_rand = 1;
}
else if (operation == SMIME_DECRYPT) {
if (!recipfile && !keyfile && !secret_key && !pwri_pass) {
BIO_printf(bio_err,
"No recipient certificate or key specified\n");
badarg = 1;
}
} else if (operation == SMIME_ENCRYPT) {
if (!*args && !secret_key && !pwri_pass && !encerts) {
BIO_printf(bio_err, "No recipient(s) certificate(s) specified\n");
badarg = 1;
}
need_rand = 1;
} else if (!operation)
badarg = 1;
if (badarg) {
argerr:
BIO_printf(bio_err, "Usage cms [options] cert.pem ...\n");
BIO_printf(bio_err, "where options are\n");
BIO_printf(bio_err, "-encrypt encrypt message\n");
BIO_printf(bio_err, "-decrypt decrypt encrypted message\n");
BIO_printf(bio_err, "-sign sign message\n");
BIO_printf(bio_err, "-verify verify signed message\n");
BIO_printf(bio_err, "-cmsout output CMS structure\n");
# ifndef OPENSSL_NO_DES
BIO_printf(bio_err, "-des3 encrypt with triple DES\n");
BIO_printf(bio_err, "-des encrypt with DES\n");
# endif
# ifndef OPENSSL_NO_SEED
BIO_printf(bio_err, "-seed encrypt with SEED\n");
# endif
# ifndef OPENSSL_NO_RC2
BIO_printf(bio_err, "-rc2-40 encrypt with RC2-40 (default)\n");
BIO_printf(bio_err, "-rc2-64 encrypt with RC2-64\n");
BIO_printf(bio_err, "-rc2-128 encrypt with RC2-128\n");
# endif
# ifndef OPENSSL_NO_AES
BIO_printf(bio_err, "-aes128, -aes192, -aes256\n");
BIO_printf(bio_err,
" encrypt PEM output with cbc aes\n");
# endif
# ifndef OPENSSL_NO_CAMELLIA
BIO_printf(bio_err, "-camellia128, -camellia192, -camellia256\n");
BIO_printf(bio_err,
" encrypt PEM output with cbc camellia\n");
# endif
BIO_printf(bio_err,
"-nointern don't search certificates in message for signer\n");
BIO_printf(bio_err,
"-nosigs don't verify message signature\n");
BIO_printf(bio_err,
"-noverify don't verify signers certificate\n");
BIO_printf(bio_err,
"-nocerts don't include signers certificate when signing\n");
BIO_printf(bio_err, "-nodetach use opaque signing\n");
BIO_printf(bio_err,
"-noattr don't include any signed attributes\n");
BIO_printf(bio_err,
"-binary don't translate message to text\n");
BIO_printf(bio_err, "-certfile file other certificates file\n");
BIO_printf(bio_err, "-certsout file certificate output file\n");
BIO_printf(bio_err, "-signer file signer certificate file\n");
BIO_printf(bio_err,
"-recip file recipient certificate file for decryption\n");
BIO_printf(bio_err, "-keyid use subject key identifier\n");
BIO_printf(bio_err, "-in file input file\n");
BIO_printf(bio_err,
"-inform arg input format SMIME (default), PEM or DER\n");
BIO_printf(bio_err,
"-inkey file input private key (if not signer or recipient)\n");
BIO_printf(bio_err,
"-keyform arg input private key format (PEM or ENGINE)\n");
BIO_printf(bio_err, "-keyopt nm:v set public key parameters\n");
BIO_printf(bio_err, "-out file output file\n");
BIO_printf(bio_err,
"-outform arg output format SMIME (default), PEM or DER\n");
BIO_printf(bio_err,
"-content file supply or override content for detached signature\n");
BIO_printf(bio_err, "-to addr to address\n");
BIO_printf(bio_err, "-from ad from address\n");
BIO_printf(bio_err, "-subject s subject\n");
BIO_printf(bio_err,
"-text include or delete text MIME headers\n");
BIO_printf(bio_err,
"-CApath dir trusted certificates directory\n");
BIO_printf(bio_err, "-CAfile file trusted certificates file\n");
BIO_printf(bio_err,
"-trusted_first use trusted certificates first when building the trust chain\n");
BIO_printf(bio_err,
"-no_alt_chains only ever use the first certificate chain found\n");
BIO_printf(bio_err,
"-crl_check check revocation status of signer's certificate using CRLs\n");
BIO_printf(bio_err,
"-crl_check_all check revocation status of signer's certificate chain using CRLs\n");
# ifndef OPENSSL_NO_ENGINE
BIO_printf(bio_err,
"-engine e use engine e, possibly a hardware device.\n");
# endif
BIO_printf(bio_err, "-passin arg input file pass phrase source\n");
BIO_printf(bio_err, "-rand file%cfile%c...\n", LIST_SEPARATOR_CHAR,
LIST_SEPARATOR_CHAR);
BIO_printf(bio_err,
" load the file (or the files in the directory) into\n");
BIO_printf(bio_err, " the random number generator\n");
BIO_printf(bio_err,
"cert.pem recipient certificate(s) for encryption\n");
goto end;
}
# ifndef OPENSSL_NO_ENGINE
e = setup_engine(bio_err, engine, 0);
# endif
if (!app_passwd(bio_err, passargin, NULL, &passin, NULL)) {
BIO_printf(bio_err, "Error getting password\n");
goto end;
}
if (need_rand) {
app_RAND_load_file(NULL, bio_err, (inrand != NULL));
if (inrand != NULL)
BIO_printf(bio_err, "%ld semi-random bytes loaded\n",
app_RAND_load_files(inrand));
}
ret = 2;
if (!(operation & SMIME_SIGNERS))
flags &= ~CMS_DETACHED;
if (operation & SMIME_OP) {
if (outformat == FORMAT_ASN1)
outmode = "wb";
} else {
if (flags & CMS_BINARY)
outmode = "wb";
}
if (operation & SMIME_IP) {
if (informat == FORMAT_ASN1)
inmode = "rb";
} else {
if (flags & CMS_BINARY)
inmode = "rb";
}
if (operation == SMIME_ENCRYPT) {
if (!cipher) {
# ifndef OPENSSL_NO_DES
cipher = EVP_des_ede3_cbc();
# else
BIO_printf(bio_err, "No cipher selected\n");
goto end;
# endif
}
if (secret_key && !secret_keyid) {
BIO_printf(bio_err, "No secret key id\n");
goto end;
}
if (*args && !encerts)
encerts = sk_X509_new_null();
while (*args) {
if (!(cert = load_cert(bio_err, *args, FORMAT_PEM,
NULL, e, "recipient certificate file")))
goto end;
sk_X509_push(encerts, cert);
cert = NULL;
args++;
}
}
if (certfile) {
if (!(other = load_certs(bio_err, certfile, FORMAT_PEM, NULL,
e, "certificate file"))) {
ERR_print_errors(bio_err);
goto end;
}
}
if (recipfile && (operation == SMIME_DECRYPT)) {
if (!(recip = load_cert(bio_err, recipfile, FORMAT_PEM, NULL,
e, "recipient certificate file"))) {
ERR_print_errors(bio_err);
goto end;
}
}
if (operation == SMIME_SIGN_RECEIPT) {
if (!(signer = load_cert(bio_err, signerfile, FORMAT_PEM, NULL,
e, "receipt signer certificate file"))) {
ERR_print_errors(bio_err);
goto end;
}
}
if (operation == SMIME_DECRYPT) {
if (!keyfile)
keyfile = recipfile;
} else if ((operation == SMIME_SIGN) || (operation == SMIME_SIGN_RECEIPT)) {
if (!keyfile)
keyfile = signerfile;
} else
keyfile = NULL;
if (keyfile) {
key = load_key(bio_err, keyfile, keyform, 0, passin, e,
"signing key file");
if (!key)
goto end;
}
if (infile) {
if (!(in = BIO_new_file(infile, inmode))) {
BIO_printf(bio_err, "Can't open input file %s\n", infile);
goto end;
}
} else
in = BIO_new_fp(stdin, BIO_NOCLOSE);
if (operation & SMIME_IP) {
if (informat == FORMAT_SMIME)
cms = SMIME_read_CMS(in, &indata);
else if (informat == FORMAT_PEM)
cms = PEM_read_bio_CMS(in, NULL, NULL, NULL);
else if (informat == FORMAT_ASN1)
cms = d2i_CMS_bio(in, NULL);
else {
BIO_printf(bio_err, "Bad input format for CMS file\n");
goto end;
}
if (!cms) {
BIO_printf(bio_err, "Error reading S/MIME message\n");
goto end;
}
if (contfile) {
BIO_free(indata);
if (!(indata = BIO_new_file(contfile, "rb"))) {
BIO_printf(bio_err, "Can't read content file %s\n", contfile);
goto end;
}
}
if (certsoutfile) {
STACK_OF(X509) *allcerts;
allcerts = CMS_get1_certs(cms);
if (!save_certs(certsoutfile, allcerts)) {
BIO_printf(bio_err,
"Error writing certs to %s\n", certsoutfile);
ret = 5;
goto end;
}
sk_X509_pop_free(allcerts, X509_free);
}
}
if (rctfile) {
char *rctmode = (rctformat == FORMAT_ASN1) ? "rb" : "r";
if (!(rctin = BIO_new_file(rctfile, rctmode))) {
BIO_printf(bio_err, "Can't open receipt file %s\n", rctfile);
goto end;
}
if (rctformat == FORMAT_SMIME)
rcms = SMIME_read_CMS(rctin, NULL);
else if (rctformat == FORMAT_PEM)
rcms = PEM_read_bio_CMS(rctin, NULL, NULL, NULL);
else if (rctformat == FORMAT_ASN1)
rcms = d2i_CMS_bio(rctin, NULL);
else {
BIO_printf(bio_err, "Bad input format for receipt\n");
goto end;
}
if (!rcms) {
BIO_printf(bio_err, "Error reading receipt\n");
goto end;
}
}
if (outfile) {
if (!(out = BIO_new_file(outfile, outmode))) {
BIO_printf(bio_err, "Can't open output file %s\n", outfile);
goto end;
}
} else {
out = BIO_new_fp(stdout, BIO_NOCLOSE);
# ifdef OPENSSL_SYS_VMS
{
BIO *tmpbio = BIO_new(BIO_f_linebuffer());
out = BIO_push(tmpbio, out);
}
# endif
}
if ((operation == SMIME_VERIFY) || (operation == SMIME_VERIFY_RECEIPT)) {
if (!(store = setup_verify(bio_err, CAfile, CApath)))
goto end;
X509_STORE_set_verify_cb(store, cms_cb);
if (vpm)
X509_STORE_set1_param(store, vpm);
}
ret = 3;
if (operation == SMIME_DATA_CREATE) {
cms = CMS_data_create(in, flags);
} else if (operation == SMIME_DIGEST_CREATE) {
cms = CMS_digest_create(in, sign_md, flags);
} else if (operation == SMIME_COMPRESS) {
cms = CMS_compress(in, -1, flags);
} else if (operation == SMIME_ENCRYPT) {
int i;
flags |= CMS_PARTIAL;
cms = CMS_encrypt(NULL, in, cipher, flags);
if (!cms)
goto end;
for (i = 0; i < sk_X509_num(encerts); i++) {
CMS_RecipientInfo *ri;
cms_key_param *kparam;
int tflags = flags;
X509 *x = sk_X509_value(encerts, i);
for (kparam = key_first; kparam; kparam = kparam->next) {
if (kparam->idx == i) {
tflags |= CMS_KEY_PARAM;
break;
}
}
ri = CMS_add1_recipient_cert(cms, x, tflags);
if (!ri)
goto end;
if (kparam) {
EVP_PKEY_CTX *pctx;
pctx = CMS_RecipientInfo_get0_pkey_ctx(ri);
if (!cms_set_pkey_param(pctx, kparam->param))
goto end;
}
if (CMS_RecipientInfo_type(ri) == CMS_RECIPINFO_AGREE
&& wrap_cipher) {
EVP_CIPHER_CTX *wctx;
wctx = CMS_RecipientInfo_kari_get0_ctx(ri);
EVP_EncryptInit_ex(wctx, wrap_cipher, NULL, NULL, NULL);
}
}
if (secret_key) {
if (!CMS_add0_recipient_key(cms, NID_undef,
secret_key, secret_keylen,
secret_keyid, secret_keyidlen,
NULL, NULL, NULL))
goto end;
/* NULL these because call absorbs them */
secret_key = NULL;
secret_keyid = NULL;
}
if (pwri_pass) {
pwri_tmp = (unsigned char *)BUF_strdup((char *)pwri_pass);
if (!pwri_tmp)
goto end;
if (!CMS_add0_recipient_password(cms,
-1, NID_undef, NID_undef,
pwri_tmp, -1, NULL))
goto end;
pwri_tmp = NULL;
}
if (!(flags & CMS_STREAM)) {
if (!CMS_final(cms, in, NULL, flags))
goto end;
}
} else if (operation == SMIME_ENCRYPTED_ENCRYPT) {
cms = CMS_EncryptedData_encrypt(in, cipher,
secret_key, secret_keylen, flags);
} else if (operation == SMIME_SIGN_RECEIPT) {
CMS_ContentInfo *srcms = NULL;
STACK_OF(CMS_SignerInfo) *sis;
CMS_SignerInfo *si;
sis = CMS_get0_SignerInfos(cms);
if (!sis)
goto end;
si = sk_CMS_SignerInfo_value(sis, 0);
srcms = CMS_sign_receipt(si, signer, key, other, flags);
if (!srcms)
goto end;
CMS_ContentInfo_free(cms);
cms = srcms;
} else if (operation & SMIME_SIGNERS) {
int i;
/*
* If detached data content we enable streaming if S/MIME output
* format.
*/
if (operation == SMIME_SIGN) {
if (flags & CMS_DETACHED) {
if (outformat == FORMAT_SMIME)
flags |= CMS_STREAM;
}
flags |= CMS_PARTIAL;
cms = CMS_sign(NULL, NULL, other, in, flags);
if (!cms)
goto end;
if (econtent_type)
CMS_set1_eContentType(cms, econtent_type);
if (rr_to) {
rr = make_receipt_request(rr_to, rr_allorfirst, rr_from);
if (!rr) {
BIO_puts(bio_err,
"Signed Receipt Request Creation Error\n");
goto end;
}
}
} else
flags |= CMS_REUSE_DIGEST;
for (i = 0; i < sk_OPENSSL_STRING_num(sksigners); i++) {
CMS_SignerInfo *si;
cms_key_param *kparam;
int tflags = flags;
signerfile = sk_OPENSSL_STRING_value(sksigners, i);
keyfile = sk_OPENSSL_STRING_value(skkeys, i);
signer = load_cert(bio_err, signerfile, FORMAT_PEM, NULL,
e, "signer certificate");
if (!signer)
goto end;
key = load_key(bio_err, keyfile, keyform, 0, passin, e,
"signing key file");
if (!key)
goto end;
for (kparam = key_first; kparam; kparam = kparam->next) {
if (kparam->idx == i) {
tflags |= CMS_KEY_PARAM;
break;
}
}
si = CMS_add1_signer(cms, signer, key, sign_md, tflags);
if (!si)
goto end;
if (kparam) {
EVP_PKEY_CTX *pctx;
pctx = CMS_SignerInfo_get0_pkey_ctx(si);
if (!cms_set_pkey_param(pctx, kparam->param))
goto end;
}
if (rr && !CMS_add1_ReceiptRequest(si, rr))
goto end;
X509_free(signer);
signer = NULL;
EVP_PKEY_free(key);
key = NULL;
}
/* If not streaming or resigning finalize structure */
if ((operation == SMIME_SIGN) && !(flags & CMS_STREAM)) {
if (!CMS_final(cms, in, NULL, flags))
goto end;
}
}
if (!cms) {
BIO_printf(bio_err, "Error creating CMS structure\n");
goto end;
}
ret = 4;
if (operation == SMIME_DECRYPT) {
if (flags & CMS_DEBUG_DECRYPT)
CMS_decrypt(cms, NULL, NULL, NULL, NULL, flags);
if (secret_key) {
if (!CMS_decrypt_set1_key(cms,
secret_key, secret_keylen,
secret_keyid, secret_keyidlen)) {
BIO_puts(bio_err, "Error decrypting CMS using secret key\n");
goto end;
}
}
if (key) {
if (!CMS_decrypt_set1_pkey(cms, key, recip)) {
BIO_puts(bio_err, "Error decrypting CMS using private key\n");
goto end;
}
}
if (pwri_pass) {
if (!CMS_decrypt_set1_password(cms, pwri_pass, -1)) {
BIO_puts(bio_err, "Error decrypting CMS using password\n");
goto end;
}
}
if (!CMS_decrypt(cms, NULL, NULL, indata, out, flags)) {
BIO_printf(bio_err, "Error decrypting CMS structure\n");
goto end;
}
} else if (operation == SMIME_DATAOUT) {
if (!CMS_data(cms, out, flags))
goto end;
} else if (operation == SMIME_UNCOMPRESS) {
if (!CMS_uncompress(cms, indata, out, flags))
goto end;
} else if (operation == SMIME_DIGEST_VERIFY) {
if (CMS_digest_verify(cms, indata, out, flags) > 0)
BIO_printf(bio_err, "Verification successful\n");
else {
BIO_printf(bio_err, "Verification failure\n");
goto end;
}
} else if (operation == SMIME_ENCRYPTED_DECRYPT) {
if (!CMS_EncryptedData_decrypt(cms, secret_key, secret_keylen,
indata, out, flags))
goto end;
} else if (operation == SMIME_VERIFY) {
if (CMS_verify(cms, other, store, indata, out, flags) > 0)
BIO_printf(bio_err, "Verification successful\n");
else {
BIO_printf(bio_err, "Verification failure\n");
if (verify_retcode)
ret = verify_err + 32;
goto end;
}
if (signerfile) {
STACK_OF(X509) *signers;
signers = CMS_get0_signers(cms);
if (!save_certs(signerfile, signers)) {
BIO_printf(bio_err,
"Error writing signers to %s\n", signerfile);
ret = 5;
goto end;
}
sk_X509_free(signers);
}
if (rr_print)
receipt_request_print(bio_err, cms);
} else if (operation == SMIME_VERIFY_RECEIPT) {
if (CMS_verify_receipt(rcms, cms, other, store, flags) > 0)
BIO_printf(bio_err, "Verification successful\n");
else {
BIO_printf(bio_err, "Verification failure\n");
goto end;
}
} else {
if (noout) {
if (print)
CMS_ContentInfo_print_ctx(out, cms, 0, NULL);
} else if (outformat == FORMAT_SMIME) {
if (to)
BIO_printf(out, "To: %s\n", to);
if (from)
BIO_printf(out, "From: %s\n", from);
if (subject)
BIO_printf(out, "Subject: %s\n", subject);
if (operation == SMIME_RESIGN)
ret = SMIME_write_CMS(out, cms, indata, flags);
else
ret = SMIME_write_CMS(out, cms, in, flags);
} else if (outformat == FORMAT_PEM)
ret = PEM_write_bio_CMS_stream(out, cms, in, flags);
else if (outformat == FORMAT_ASN1)
ret = i2d_CMS_bio_stream(out, cms, in, flags);
else {
BIO_printf(bio_err, "Bad output format for CMS file\n");
goto end;
}
if (ret <= 0) {
ret = 6;
goto end;
}
}
ret = 0;
end:
if (ret)
ERR_print_errors(bio_err);
if (need_rand)
app_RAND_write_file(NULL, bio_err);
sk_X509_pop_free(encerts, X509_free);
sk_X509_pop_free(other, X509_free);
if (vpm)
X509_VERIFY_PARAM_free(vpm);
if (sksigners)
sk_OPENSSL_STRING_free(sksigners);
if (skkeys)
sk_OPENSSL_STRING_free(skkeys);
if (secret_key)
OPENSSL_free(secret_key);
if (secret_keyid)
OPENSSL_free(secret_keyid);
if (pwri_tmp)
OPENSSL_free(pwri_tmp);
if (econtent_type)
ASN1_OBJECT_free(econtent_type);
if (rr)
CMS_ReceiptRequest_free(rr);
if (rr_to)
sk_OPENSSL_STRING_free(rr_to);
if (rr_from)
sk_OPENSSL_STRING_free(rr_from);
for (key_param = key_first; key_param;) {
cms_key_param *tparam;
sk_OPENSSL_STRING_free(key_param->param);
tparam = key_param->next;
OPENSSL_free(key_param);
key_param = tparam;
}
X509_STORE_free(store);
X509_free(cert);
X509_free(recip);
X509_free(signer);
EVP_PKEY_free(key);
CMS_ContentInfo_free(cms);
CMS_ContentInfo_free(rcms);
BIO_free(rctin);
BIO_free(in);
BIO_free(indata);
BIO_free_all(out);
if (passin)
OPENSSL_free(passin);
return (ret);
}
int MAIN(int argc, char **argv)
{
ENGINE *e = NULL;
int operation = 0;
int ret = 0;
char **args;
const char *inmode = "r", *outmode = "w";
char *infile = NULL, *outfile = NULL;
char *signerfile = NULL, *recipfile = NULL;
char *certfile = NULL, *keyfile = NULL, *contfile=NULL;
const EVP_CIPHER *cipher = NULL;
PKCS7 *p7 = NULL;
X509_STORE *store = NULL;
X509 *cert = NULL, *recip = NULL, *signer = NULL;
EVP_PKEY *key = NULL;
STACK_OF(X509) *encerts = NULL, *other = NULL;
BIO *in = NULL, *out = NULL, *indata = NULL;
int badarg = 0;
int flags = PKCS7_DETACHED;
char *to = NULL, *from = NULL, *subject = NULL;
char *CAfile = NULL, *CApath = NULL;
char *passargin = NULL, *passin = NULL;
char *inrand = NULL;
int need_rand = 0;
int informat = FORMAT_SMIME, outformat = FORMAT_SMIME;
int keyform = FORMAT_PEM;
#ifndef OPENSSL_NO_ENGINE
char *engine=NULL;
#endif
X509_VERIFY_PARAM *vpm = NULL;
args = argv + 1;
ret = 1;
apps_startup();
if (bio_err == NULL)
{
if ((bio_err = BIO_new(BIO_s_file())) != NULL)
BIO_set_fp(bio_err, stderr, BIO_NOCLOSE|BIO_FP_TEXT);
}
if (!load_config(bio_err, NULL))
goto end;
while (!badarg && *args && *args[0] == '-')
{
if (!strcmp (*args, "-encrypt"))
operation = SMIME_ENCRYPT;
else if (!strcmp (*args, "-decrypt"))
operation = SMIME_DECRYPT;
else if (!strcmp (*args, "-sign"))
operation = SMIME_SIGN;
else if (!strcmp (*args, "-verify"))
operation = SMIME_VERIFY;
else if (!strcmp (*args, "-pk7out"))
operation = SMIME_PK7OUT;
#ifndef OPENSSL_NO_DES
else if (!strcmp (*args, "-des3"))
cipher = EVP_des_ede3_cbc();
else if (!strcmp (*args, "-des"))
cipher = EVP_des_cbc();
#endif
#ifndef OPENSSL_NO_SEED
else if (!strcmp (*args, "-seed"))
cipher = EVP_seed_cbc();
#endif
#ifndef OPENSSL_NO_RC2
else if (!strcmp (*args, "-rc2-40"))
cipher = EVP_rc2_40_cbc();
else if (!strcmp (*args, "-rc2-128"))
cipher = EVP_rc2_cbc();
else if (!strcmp (*args, "-rc2-64"))
cipher = EVP_rc2_64_cbc();
#endif
#ifndef OPENSSL_NO_AES
else if (!strcmp(*args,"-aes128"))
cipher = EVP_aes_128_cbc();
else if (!strcmp(*args,"-aes192"))
cipher = EVP_aes_192_cbc();
else if (!strcmp(*args,"-aes256"))
cipher = EVP_aes_256_cbc();
#endif
#ifndef OPENSSL_NO_CAMELLIA
else if (!strcmp(*args,"-camellia128"))
cipher = EVP_camellia_128_cbc();
else if (!strcmp(*args,"-camellia192"))
cipher = EVP_camellia_192_cbc();
else if (!strcmp(*args,"-camellia256"))
cipher = EVP_camellia_256_cbc();
#endif
else if (!strcmp (*args, "-text"))
flags |= PKCS7_TEXT;
else if (!strcmp (*args, "-nointern"))
flags |= PKCS7_NOINTERN;
else if (!strcmp (*args, "-noverify"))
flags |= PKCS7_NOVERIFY;
else if (!strcmp (*args, "-nochain"))
flags |= PKCS7_NOCHAIN;
else if (!strcmp (*args, "-nocerts"))
flags |= PKCS7_NOCERTS;
else if (!strcmp (*args, "-noattr"))
flags |= PKCS7_NOATTR;
else if (!strcmp (*args, "-nodetach"))
flags &= ~PKCS7_DETACHED;
else if (!strcmp (*args, "-nosmimecap"))
flags |= PKCS7_NOSMIMECAP;
else if (!strcmp (*args, "-binary"))
flags |= PKCS7_BINARY;
else if (!strcmp (*args, "-nosigs"))
flags |= PKCS7_NOSIGS;
else if (!strcmp (*args, "-nooldmime"))
flags |= PKCS7_NOOLDMIMETYPE;
else if (!strcmp (*args, "-crlfeol"))
flags |= PKCS7_CRLFEOL;
else if (!strcmp(*args,"-rand"))
{
if (args[1])
{
args++;
inrand = *args;
}
else
badarg = 1;
need_rand = 1;
}
#ifndef OPENSSL_NO_ENGINE
else if (!strcmp(*args,"-engine"))
{
if (args[1])
{
args++;
engine = *args;
}
else badarg = 1;
}
#endif
else if (!strcmp(*args,"-passin"))
{
if (args[1])
{
args++;
passargin = *args;
}
else
badarg = 1;
}
else if (!strcmp (*args, "-to"))
{
if (args[1])
{
args++;
to = *args;
}
else
badarg = 1;
}
else if (!strcmp (*args, "-from"))
{
if (args[1])
{
args++;
from = *args;
}
else badarg = 1;
}
else if (!strcmp (*args, "-subject"))
{
if (args[1])
{
args++;
subject = *args;
}
else
badarg = 1;
}
else if (!strcmp (*args, "-signer"))
{
if (args[1])
{
args++;
signerfile = *args;
}
else
badarg = 1;
}
else if (!strcmp (*args, "-recip"))
{
if (args[1])
{
args++;
recipfile = *args;
}
else badarg = 1;
}
else if (!strcmp (*args, "-inkey"))
{
if (args[1])
{
args++;
keyfile = *args;
}
else
badarg = 1;
}
else if (!strcmp (*args, "-keyform"))
{
if (args[1])
{
args++;
keyform = str2fmt(*args);
}
else
badarg = 1;
}
else if (!strcmp (*args, "-certfile"))
{
if (args[1])
{
args++;
certfile = *args;
}
else
badarg = 1;
}
else if (!strcmp (*args, "-CAfile"))
{
if (args[1])
{
args++;
CAfile = *args;
}
else
badarg = 1;
}
else if (!strcmp (*args, "-CApath"))
{
if (args[1])
{
args++;
CApath = *args;
}
else
badarg = 1;
}
else if (!strcmp (*args, "-in"))
{
if (args[1])
{
args++;
infile = *args;
}
else
badarg = 1;
}
else if (!strcmp (*args, "-inform"))
{
if (args[1])
{
args++;
informat = str2fmt(*args);
}
else
badarg = 1;
}
else if (!strcmp (*args, "-outform"))
{
if (args[1])
{
args++;
outformat = str2fmt(*args);
}
else
badarg = 1;
}
else if (!strcmp (*args, "-out"))
{
if (args[1])
{
args++;
outfile = *args;
}
else
badarg = 1;
}
else if (!strcmp (*args, "-content"))
{
if (args[1])
{
args++;
contfile = *args;
}
else
badarg = 1;
}
else if (args_verify(&args, NULL, &badarg, bio_err, &vpm))
continue;
else
badarg = 1;
args++;
}
if (operation == SMIME_SIGN)
{
if (!signerfile)
{
BIO_printf(bio_err, "No signer certificate specified\n");
badarg = 1;
}
need_rand = 1;
}
else if (operation == SMIME_DECRYPT)
{
if (!recipfile && !keyfile)
{
BIO_printf(bio_err, "No recipient certificate or key specified\n");
badarg = 1;
}
}
else if (operation == SMIME_ENCRYPT)
{
if (!*args)
{
BIO_printf(bio_err, "No recipient(s) certificate(s) specified\n");
badarg = 1;
}
need_rand = 1;
}
else if (!operation)
badarg = 1;
if (badarg)
{
BIO_printf (bio_err, "Usage smime [options] cert.pem ...\n");
BIO_printf (bio_err, "where options are\n");
BIO_printf (bio_err, "-encrypt encrypt message\n");
BIO_printf (bio_err, "-decrypt decrypt encrypted message\n");
BIO_printf (bio_err, "-sign sign message\n");
BIO_printf (bio_err, "-verify verify signed message\n");
BIO_printf (bio_err, "-pk7out output PKCS#7 structure\n");
#ifndef OPENSSL_NO_DES
BIO_printf (bio_err, "-des3 encrypt with triple DES\n");
BIO_printf (bio_err, "-des encrypt with DES\n");
#endif
#ifndef OPENSSL_NO_SEED
BIO_printf (bio_err, "-seed encrypt with SEED\n");
#endif
#ifndef OPENSSL_NO_RC2
BIO_printf (bio_err, "-rc2-40 encrypt with RC2-40 (default)\n");
BIO_printf (bio_err, "-rc2-64 encrypt with RC2-64\n");
BIO_printf (bio_err, "-rc2-128 encrypt with RC2-128\n");
#endif
#ifndef OPENSSL_NO_AES
BIO_printf (bio_err, "-aes128, -aes192, -aes256\n");
BIO_printf (bio_err, " encrypt PEM output with cbc aes\n");
#endif
#ifndef OPENSSL_NO_CAMELLIA
BIO_printf (bio_err, "-camellia128, -camellia192, -camellia256\n");
BIO_printf (bio_err, " encrypt PEM output with cbc camellia\n");
#endif
BIO_printf (bio_err, "-nointern don't search certificates in message for signer\n");
BIO_printf (bio_err, "-nosigs don't verify message signature\n");
BIO_printf (bio_err, "-noverify don't verify signers certificate\n");
BIO_printf (bio_err, "-nocerts don't include signers certificate when signing\n");
BIO_printf (bio_err, "-nodetach use opaque signing\n");
BIO_printf (bio_err, "-noattr don't include any signed attributes\n");
BIO_printf (bio_err, "-binary don't translate message to text\n");
BIO_printf (bio_err, "-certfile file other certificates file\n");
BIO_printf (bio_err, "-signer file signer certificate file\n");
BIO_printf (bio_err, "-recip file recipient certificate file for decryption\n");
BIO_printf (bio_err, "-in file input file\n");
BIO_printf (bio_err, "-inform arg input format SMIME (default), PEM or DER\n");
BIO_printf (bio_err, "-inkey file input private key (if not signer or recipient)\n");
BIO_printf (bio_err, "-keyform arg input private key format (PEM or ENGINE)\n");
BIO_printf (bio_err, "-out file output file\n");
BIO_printf (bio_err, "-outform arg output format SMIME (default), PEM or DER\n");
BIO_printf (bio_err, "-content file supply or override content for detached signature\n");
BIO_printf (bio_err, "-to addr to address\n");
BIO_printf (bio_err, "-from ad from address\n");
BIO_printf (bio_err, "-subject s subject\n");
BIO_printf (bio_err, "-text include or delete text MIME headers\n");
BIO_printf (bio_err, "-CApath dir trusted certificates directory\n");
BIO_printf (bio_err, "-CAfile file trusted certificates file\n");
BIO_printf (bio_err, "-crl_check check revocation status of signer's certificate using CRLs\n");
BIO_printf (bio_err, "-crl_check_all check revocation status of signer's certificate chain using CRLs\n");
#ifndef OPENSSL_NO_ENGINE
BIO_printf (bio_err, "-engine e use engine e, possibly a hardware device.\n");
#endif
BIO_printf (bio_err, "-passin arg input file pass phrase source\n");
BIO_printf(bio_err, "-rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
BIO_printf(bio_err, " load the file (or the files in the directory) into\n");
BIO_printf(bio_err, " the random number generator\n");
BIO_printf (bio_err, "cert.pem recipient certificate(s) for encryption\n");
goto end;
}
#ifndef OPENSSL_NO_ENGINE
e = setup_engine(bio_err, engine, 0);
#endif
if (!app_passwd(bio_err, passargin, NULL, &passin, NULL))
{
BIO_printf(bio_err, "Error getting password\n");
goto end;
}
if (need_rand)
{
app_RAND_load_file(NULL, bio_err, (inrand != NULL));
if (inrand != NULL)
BIO_printf(bio_err,"%ld semi-random bytes loaded\n",
app_RAND_load_files(inrand));
}
ret = 2;
if (operation != SMIME_SIGN)
flags &= ~PKCS7_DETACHED;
if (operation & SMIME_OP)
{
if (flags & PKCS7_BINARY)
inmode = "rb";
if (outformat == FORMAT_ASN1)
outmode = "wb";
}
else
{
if (flags & PKCS7_BINARY)
outmode = "wb";
if (informat == FORMAT_ASN1)
inmode = "rb";
}
if (operation == SMIME_ENCRYPT)
{
if (!cipher)
{
#ifndef OPENSSL_NO_RC2
cipher = EVP_rc2_40_cbc();
#else
BIO_printf(bio_err, "No cipher selected\n");
goto end;
#endif
}
encerts = sk_X509_new_null();
while (*args)
{
if (!(cert = load_cert(bio_err,*args,FORMAT_PEM,
NULL, e, "recipient certificate file")))
{
#if 0 /* An appropriate message is already printed */
BIO_printf(bio_err, "Can't read recipient certificate file %s\n", *args);
#endif
goto end;
}
sk_X509_push(encerts, cert);
cert = NULL;
args++;
}
}
if (signerfile && (operation == SMIME_SIGN))
{
if (!(signer = load_cert(bio_err,signerfile,FORMAT_PEM, NULL,
e, "signer certificate")))
{
#if 0 /* An appropri message has already been printed */
BIO_printf(bio_err, "Can't read signer certificate file %s\n", signerfile);
#endif
goto end;
}
}
if (certfile)
{
if (!(other = load_certs(bio_err,certfile,FORMAT_PEM, NULL,
e, "certificate file")))
{
#if 0 /* An appropriate message has already been printed */
BIO_printf(bio_err, "Can't read certificate file %s\n", certfile);
#endif
ERR_print_errors(bio_err);
goto end;
}
}
if (recipfile && (operation == SMIME_DECRYPT))
{
if (!(recip = load_cert(bio_err,recipfile,FORMAT_PEM,NULL,
e, "recipient certificate file")))
{
#if 0 /* An appropriate message has alrady been printed */
BIO_printf(bio_err, "Can't read recipient certificate file %s\n", recipfile);
#endif
ERR_print_errors(bio_err);
goto end;
}
}
if (operation == SMIME_DECRYPT)
{
if (!keyfile)
keyfile = recipfile;
}
else if (operation == SMIME_SIGN)
{
if (!keyfile)
keyfile = signerfile;
}
else keyfile = NULL;
if (keyfile)
{
key = load_key(bio_err, keyfile, keyform, 0, passin, e,
"signing key file");
if (!key)
goto end;
}
if (infile)
{
if (!(in = BIO_new_file(infile, inmode)))
{
BIO_printf (bio_err,
"Can't open input file %s\n", infile);
goto end;
}
}
else
in = BIO_new_fp(stdin, BIO_NOCLOSE);
if (outfile)
{
if (!(out = BIO_new_file(outfile, outmode)))
{
BIO_printf (bio_err,
"Can't open output file %s\n", outfile);
goto end;
}
}
else
{
out = BIO_new_fp(stdout, BIO_NOCLOSE);
#ifdef OPENSSL_SYS_VMS
{
BIO *tmpbio = BIO_new(BIO_f_linebuffer());
out = BIO_push(tmpbio, out);
}
#endif
}
if (operation == SMIME_VERIFY)
{
if (!(store = setup_verify(bio_err, CAfile, CApath)))
goto end;
X509_STORE_set_verify_cb_func(store, smime_cb);
if (vpm)
X509_STORE_set1_param(store, vpm);
}
ret = 3;
if (operation == SMIME_ENCRYPT)
p7 = PKCS7_encrypt(encerts, in, cipher, flags);
else if (operation == SMIME_SIGN)
{
/* If detached data and SMIME output enable partial
* signing.
*/
if ((flags & PKCS7_DETACHED) && (outformat == FORMAT_SMIME))
flags |= PKCS7_STREAM;
p7 = PKCS7_sign(signer, key, other, in, flags);
}
else
{
if (informat == FORMAT_SMIME)
p7 = SMIME_read_PKCS7(in, &indata);
else if (informat == FORMAT_PEM)
p7 = PEM_read_bio_PKCS7(in, NULL, NULL, NULL);
else if (informat == FORMAT_ASN1)
p7 = d2i_PKCS7_bio(in, NULL);
else
{
BIO_printf(bio_err, "Bad input format for PKCS#7 file\n");
goto end;
}
if (!p7)
{
BIO_printf(bio_err, "Error reading S/MIME message\n");
goto end;
}
if (contfile)
{
BIO_free(indata);
if (!(indata = BIO_new_file(contfile, "rb")))
{
BIO_printf(bio_err, "Can't read content file %s\n", contfile);
goto end;
}
}
}
if (!p7)
{
BIO_printf(bio_err, "Error creating PKCS#7 structure\n");
goto end;
}
ret = 4;
if (operation == SMIME_DECRYPT)
{
if (!PKCS7_decrypt(p7, key, recip, out, flags))
{
BIO_printf(bio_err, "Error decrypting PKCS#7 structure\n");
goto end;
}
}
else if (operation == SMIME_VERIFY)
{
STACK_OF(X509) *signers;
if (PKCS7_verify(p7, other, store, indata, out, flags))
BIO_printf(bio_err, "Verification successful\n");
else
{
BIO_printf(bio_err, "Verification failure\n");
goto end;
}
signers = PKCS7_get0_signers(p7, other, flags);
if (!save_certs(signerfile, signers))
{
BIO_printf(bio_err, "Error writing signers to %s\n",
signerfile);
ret = 5;
goto end;
}
sk_X509_free(signers);
}
else if (operation == SMIME_PK7OUT)
PEM_write_bio_PKCS7(out, p7);
else
{
if (to)
BIO_printf(out, "To: %s\n", to);
if (from)
BIO_printf(out, "From: %s\n", from);
if (subject)
BIO_printf(out, "Subject: %s\n", subject);
if (outformat == FORMAT_SMIME)
SMIME_write_PKCS7(out, p7, in, flags);
else if (outformat == FORMAT_PEM)
PEM_write_bio_PKCS7(out,p7);
else if (outformat == FORMAT_ASN1)
i2d_PKCS7_bio(out,p7);
else
{
BIO_printf(bio_err, "Bad output format for PKCS#7 file\n");
goto end;
}
}
ret = 0;
end:
if (need_rand)
app_RAND_write_file(NULL, bio_err);
if (ret) ERR_print_errors(bio_err);
sk_X509_pop_free(encerts, X509_free);
sk_X509_pop_free(other, X509_free);
if (vpm)
X509_VERIFY_PARAM_free(vpm);
X509_STORE_free(store);
X509_free(cert);
X509_free(recip);
X509_free(signer);
EVP_PKEY_free(key);
PKCS7_free(p7);
BIO_free(in);
BIO_free(indata);
BIO_free_all(out);
if (passin) OPENSSL_free(passin);
return (ret);
}
