Add -clrext option to 'x509'
[openssl.git] / apps / smime.c
1 /* smime.c */
2 /* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
3  * project 1999.
4  */
5 /* ====================================================================
6  * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted provided that the following conditions
10  * are met:
11  *
12  * 1. Redistributions of source code must retain the above copyright
13  *    notice, this list of conditions and the following disclaimer. 
14  *
15  * 2. Redistributions in binary form must reproduce the above copyright
16  *    notice, this list of conditions and the following disclaimer in
17  *    the documentation and/or other materials provided with the
18  *    distribution.
19  *
20  * 3. All advertising materials mentioning features or use of this
21  *    software must display the following acknowledgment:
22  *    "This product includes software developed by the OpenSSL Project
23  *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24  *
25  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26  *    endorse or promote products derived from this software without
27  *    prior written permission. For written permission, please contact
28  *    licensing@OpenSSL.org.
29  *
30  * 5. Products derived from this software may not be called "OpenSSL"
31  *    nor may "OpenSSL" appear in their names without prior written
32  *    permission of the OpenSSL Project.
33  *
34  * 6. Redistributions of any form whatsoever must retain the following
35  *    acknowledgment:
36  *    "This product includes software developed by the OpenSSL Project
37  *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38  *
39  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
43  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50  * OF THE POSSIBILITY OF SUCH DAMAGE.
51  * ====================================================================
52  *
53  * This product includes cryptographic software written by Eric Young
54  * (eay@cryptsoft.com).  This product includes software written by Tim
55  * Hudson (tjh@cryptsoft.com).
56  *
57  */
58
59 /* S/MIME utility function */
60
61 #include <stdio.h>
62 #include <string.h>
63 #include "apps.h"
64 #include <openssl/crypto.h>
65 #include <openssl/pem.h>
66 #include <openssl/err.h>
67
68 #undef PROG
69 #define PROG smime_main
70 static X509 *load_cert(char *file);
71 static EVP_PKEY *load_key(char *file, char *pass);
72 static STACK_OF(X509) *load_certs(char *file);
73 static X509_STORE *setup_verify(char *CAfile, char *CApath);
74 static int save_certs(char *signerfile, STACK_OF(X509) *signers);
75
76 #define SMIME_OP        0x10
77 #define SMIME_ENCRYPT   (1 | SMIME_OP)
78 #define SMIME_DECRYPT   2
79 #define SMIME_SIGN      (3 | SMIME_OP)
80 #define SMIME_VERIFY    4
81 #define SMIME_PK7OUT    5
82
83 int MAIN(int, char **);
84
85 int MAIN(int argc, char **argv)
86 {
87         int operation = 0;
88         int ret = 0;
89         char **args;
90         char *inmode = "r", *outmode = "w";
91         char *infile = NULL, *outfile = NULL;
92         char *signerfile = NULL, *recipfile = NULL;
93         char *certfile = NULL, *keyfile = NULL;
94         EVP_CIPHER *cipher = NULL;
95         PKCS7 *p7 = NULL;
96         X509_STORE *store = NULL;
97         X509 *cert = NULL, *recip = NULL, *signer = NULL;
98         EVP_PKEY *key = NULL;
99         STACK_OF(X509) *encerts = NULL, *other = NULL;
100         BIO *in = NULL, *out = NULL, *indata = NULL;
101         int badarg = 0;
102         int flags = PKCS7_DETACHED;
103         char *to = NULL, *from = NULL, *subject = NULL;
104         char *CAfile = NULL, *CApath = NULL;
105         char *passargin = NULL, *passin = NULL;
106         char *inrand = NULL;
107         int need_rand = 0;
108         args = argv + 1;
109
110         ret = 1;
111
112         while (!badarg && *args && *args[0] == '-') {
113                 if (!strcmp (*args, "-encrypt")) operation = SMIME_ENCRYPT;
114                 else if (!strcmp (*args, "-decrypt")) operation = SMIME_DECRYPT;
115                 else if (!strcmp (*args, "-sign")) operation = SMIME_SIGN;
116                 else if (!strcmp (*args, "-verify")) operation = SMIME_VERIFY;
117                 else if (!strcmp (*args, "-pk7out")) operation = SMIME_PK7OUT;
118 #ifndef NO_DES
119                 else if (!strcmp (*args, "-des3")) 
120                                 cipher = EVP_des_ede3_cbc();
121                 else if (!strcmp (*args, "-des")) 
122                                 cipher = EVP_des_cbc();
123 #endif
124 #ifndef NO_RC2
125                 else if (!strcmp (*args, "-rc2-40")) 
126                                 cipher = EVP_rc2_40_cbc();
127                 else if (!strcmp (*args, "-rc2-128")) 
128                                 cipher = EVP_rc2_cbc();
129                 else if (!strcmp (*args, "-rc2-64")) 
130                                 cipher = EVP_rc2_64_cbc();
131 #endif
132                 else if (!strcmp (*args, "-text")) 
133                                 flags |= PKCS7_TEXT;
134                 else if (!strcmp (*args, "-nointern")) 
135                                 flags |= PKCS7_NOINTERN;
136                 else if (!strcmp (*args, "-noverify")) 
137                                 flags |= PKCS7_NOVERIFY;
138                 else if (!strcmp (*args, "-nochain")) 
139                                 flags |= PKCS7_NOCHAIN;
140                 else if (!strcmp (*args, "-nocerts")) 
141                                 flags |= PKCS7_NOCERTS;
142                 else if (!strcmp (*args, "-noattr")) 
143                                 flags |= PKCS7_NOATTR;
144                 else if (!strcmp (*args, "-nodetach")) 
145                                 flags &= ~PKCS7_DETACHED;
146                 else if (!strcmp (*args, "-binary"))
147                                 flags |= PKCS7_BINARY;
148                 else if (!strcmp (*args, "-nosigs"))
149                                 flags |= PKCS7_NOSIGS;
150                 else if (!strcmp(*args,"-rand")) {
151                         if (args[1]) {
152                                 args++;
153                                 inrand = *args;
154                         } else badarg = 1;
155                         need_rand = 1;
156                 } else if (!strcmp(*args,"-passin")) {
157                         if (args[1]) {
158                                 args++;
159                                 passargin = *args;
160                         } else badarg = 1;
161                 } else if (!strcmp (*args, "-to")) {
162                         if (args[1]) {
163                                 args++;
164                                 to = *args;
165                         } else badarg = 1;
166                 } else if (!strcmp (*args, "-from")) {
167                         if (args[1]) {
168                                 args++;
169                                 from = *args;
170                         } else badarg = 1;
171                 } else if (!strcmp (*args, "-subject")) {
172                         if (args[1]) {
173                                 args++;
174                                 subject = *args;
175                         } else badarg = 1;
176                 } else if (!strcmp (*args, "-signer")) {
177                         if (args[1]) {
178                                 args++;
179                                 signerfile = *args;
180                         } else badarg = 1;
181                 } else if (!strcmp (*args, "-recip")) {
182                         if (args[1]) {
183                                 args++;
184                                 recipfile = *args;
185                         } else badarg = 1;
186                 } else if (!strcmp (*args, "-inkey")) {
187                         if (args[1]) {
188                                 args++;
189                                 keyfile = *args;
190                         } else badarg = 1;
191                 } else if (!strcmp (*args, "-certfile")) {
192                         if (args[1]) {
193                                 args++;
194                                 certfile = *args;
195                         } else badarg = 1;
196                 } else if (!strcmp (*args, "-CAfile")) {
197                         if (args[1]) {
198                                 args++;
199                                 CAfile = *args;
200                         } else badarg = 1;
201                 } else if (!strcmp (*args, "-CApath")) {
202                         if (args[1]) {
203                                 args++;
204                                 CApath = *args;
205                         } else badarg = 1;
206                 } else if (!strcmp (*args, "-in")) {
207                         if (args[1]) {
208                                 args++;
209                                 infile = *args;
210                         } else badarg = 1;
211                 } else if (!strcmp (*args, "-out")) {
212                         if (args[1]) {
213                                 args++;
214                                 outfile = *args;
215                         } else badarg = 1;
216                 } else badarg = 1;
217                 args++;
218         }
219
220         if(operation == SMIME_SIGN) {
221                 if(!signerfile) {
222                         BIO_printf(bio_err, "No signer certificate specified\n");
223                         badarg = 1;
224                 }
225                 need_rand = 1;
226         } else if(operation == SMIME_DECRYPT) {
227                 if(!recipfile) {
228                         BIO_printf(bio_err, "No recipient certificate and key specified\n");
229                         badarg = 1;
230                 }
231         } else if(operation == SMIME_ENCRYPT) {
232                 if(!*args) {
233                         BIO_printf(bio_err, "No recipient(s) certificate(s) specified\n");
234                         badarg = 1;
235                 }
236                 need_rand = 1;
237         } else if(!operation) badarg = 1;
238
239         if (badarg) {
240                 BIO_printf (bio_err, "Usage smime [options] cert.pem ...\n");
241                 BIO_printf (bio_err, "where options are\n");
242                 BIO_printf (bio_err, "-encrypt       encrypt message\n");
243                 BIO_printf (bio_err, "-decrypt       decrypt encrypted message\n");
244                 BIO_printf (bio_err, "-sign          sign message\n");
245                 BIO_printf (bio_err, "-verify        verify signed message\n");
246                 BIO_printf (bio_err, "-pk7out        output PKCS#7 structure\n");
247 #ifndef NO_DES
248                 BIO_printf (bio_err, "-des3          encrypt with triple DES\n");
249                 BIO_printf (bio_err, "-des           encrypt with DES\n");
250 #endif
251 #ifndef NO_RC2
252                 BIO_printf (bio_err, "-rc2-40        encrypt with RC2-40 (default)\n");
253                 BIO_printf (bio_err, "-rc2-64        encrypt with RC2-64\n");
254                 BIO_printf (bio_err, "-rc2-128       encrypt with RC2-128\n");
255 #endif
256                 BIO_printf (bio_err, "-nointern      don't search certificates in message for signer\n");
257                 BIO_printf (bio_err, "-nosigs        don't verify message signature\n");
258                 BIO_printf (bio_err, "-noverify      don't verify signers certificate\n");
259                 BIO_printf (bio_err, "-nocerts       don't include signers certificate when signing\n");
260                 BIO_printf (bio_err, "-nodetach      use opaque signing\n");
261                 BIO_printf (bio_err, "-noattr        don't include any signed attributes\n");
262                 BIO_printf (bio_err, "-binary        don't translate message to text\n");
263                 BIO_printf (bio_err, "-certfile file other certificates file\n");
264                 BIO_printf (bio_err, "-signer file   signer certificate file\n");
265                 BIO_printf (bio_err, "-recip  file   recipient certificate file for decryption\n");
266                 BIO_printf (bio_err, "-in file       input file\n");
267                 BIO_printf (bio_err, "-inkey file    input private key (if not signer or recipient)\n");
268                 BIO_printf (bio_err, "-out file      output file\n");
269                 BIO_printf (bio_err, "-to addr       to address\n");
270                 BIO_printf (bio_err, "-from ad       from address\n");
271                 BIO_printf (bio_err, "-subject s     subject\n");
272                 BIO_printf (bio_err, "-text          include or delete text MIME headers\n");
273                 BIO_printf (bio_err, "-CApath dir    trusted certificates directory\n");
274                 BIO_printf (bio_err, "-CAfile file   trusted certificates file\n");
275                 BIO_printf(bio_err,  "-rand file:file:...\n");
276                 BIO_printf(bio_err,  "               load the file (or the files in the directory) into\n");
277                 BIO_printf(bio_err,  "               the random number generator\n");
278                 BIO_printf (bio_err, "cert.pem       recipient certificate(s) for encryption\n");
279                 goto end;
280         }
281
282         if(!app_passwd(bio_err, passargin, NULL, &passin, NULL)) {
283                 BIO_printf(bio_err, "Error getting password\n");
284                 goto end;
285         }
286
287         if (need_rand) {
288                 app_RAND_load_file(NULL, bio_err, (inrand != NULL));
289                 if (inrand != NULL)
290                         BIO_printf(bio_err,"%ld semi-random bytes loaded\n",
291                                 app_RAND_load_files(inrand));
292         }
293
294         ret = 2;
295
296         if(operation != SMIME_SIGN) flags &= ~PKCS7_DETACHED;
297
298         if(flags & PKCS7_BINARY) {
299                 if(operation & SMIME_OP) inmode = "rb";
300                 else outmode = "rb";
301         }
302
303         if(operation == SMIME_ENCRYPT) {
304                 if (!cipher) {
305 #ifndef NO_RC2                  
306                         cipher = EVP_rc2_40_cbc();
307 #else
308                         BIO_printf(bio_err, "No cipher selected\n");
309                         goto end;
310 #endif
311                 }
312 #ifdef CRYPTO_MDEBUG
313                 CRYPTO_push_info("load encryption certificates");
314 #endif          
315                 encerts = sk_X509_new_null();
316                 while (*args) {
317                         if(!(cert = load_cert(*args))) {
318                                 BIO_printf(bio_err, "Can't read recipient certificate file %s\n", *args);
319                                 goto end;
320                         }
321                         sk_X509_push(encerts, cert);
322                         cert = NULL;
323                         args++;
324                 }
325 #ifdef CRYPTO_MDEBUG
326                 CRYPTO_pop_info();
327 #endif          
328         }
329
330         if(signerfile && (operation == SMIME_SIGN)) {
331 #ifdef CRYPTO_MDEBUG
332                 CRYPTO_push_info("load signer certificate");
333 #endif          
334                 if(!(signer = load_cert(signerfile))) {
335                         BIO_printf(bio_err, "Can't read signer certificate file %s\n", signerfile);
336                         goto end;
337                 }
338 #ifdef CRYPTO_MDEBUG
339                 CRYPTO_pop_info();
340 #endif          
341         }
342
343         if(certfile) {
344 #ifdef CRYPTO_MDEBUG
345                 CRYPTO_push_info("load other certfiles");
346 #endif          
347                 if(!(other = load_certs(certfile))) {
348                         BIO_printf(bio_err, "Can't read certificate file %s\n", certfile);
349                         ERR_print_errors(bio_err);
350                         goto end;
351                 }
352 #ifdef CRYPTO_MDEBUG
353                 CRYPTO_pop_info();
354 #endif          
355         }
356
357         if(recipfile && (operation == SMIME_DECRYPT)) {
358 #ifdef CRYPTO_MDEBUG
359                 CRYPTO_push_info("load recipient certificate");
360 #endif          
361                 if(!(recip = load_cert(recipfile))) {
362                         BIO_printf(bio_err, "Can't read recipient certificate file %s\n", recipfile);
363                         ERR_print_errors(bio_err);
364                         goto end;
365                 }
366 #ifdef CRYPTO_MDEBUG
367                 CRYPTO_pop_info();
368 #endif          
369         }
370
371         if(operation == SMIME_DECRYPT) {
372                 if(!keyfile) keyfile = recipfile;
373         } else if(operation == SMIME_SIGN) {
374                 if(!keyfile) keyfile = signerfile;
375         } else keyfile = NULL;
376
377         if(keyfile) {
378 #ifdef CRYPTO_MDEBUG
379                 CRYPTO_push_info("load keyfile");
380 #endif          
381                 if(!(key = load_key(keyfile, passin))) {
382                         BIO_printf(bio_err, "Can't read recipient certificate file %s\n", keyfile);
383                         ERR_print_errors(bio_err);
384                         goto end;
385                 }
386 #ifdef CRYPTO_MDEBUG
387                 CRYPTO_pop_info();
388 #endif          
389         }
390
391 #ifdef CRYPTO_MDEBUG
392         CRYPTO_push_info("open input files");
393 #endif          
394         if (infile) {
395                 if (!(in = BIO_new_file(infile, inmode))) {
396                         BIO_printf (bio_err,
397                                  "Can't open input file %s\n", infile);
398                         goto end;
399                 }
400         } else in = BIO_new_fp(stdin, BIO_NOCLOSE);
401 #ifdef CRYPTO_MDEBUG
402         CRYPTO_pop_info();
403 #endif          
404
405 #ifdef CRYPTO_MDEBUG
406         CRYPTO_push_info("open output files");
407 #endif          
408         if (outfile) {
409                 if (!(out = BIO_new_file(outfile, outmode))) {
410                         BIO_printf (bio_err,
411                                  "Can't open output file %s\n", outfile);
412                         goto end;
413                 }
414         } else out = BIO_new_fp(stdout, BIO_NOCLOSE);
415 #ifdef CRYPTO_MDEBUG
416         CRYPTO_pop_info();
417 #endif          
418
419         if(operation == SMIME_VERIFY) {
420 #ifdef CRYPTO_MDEBUG
421                 CRYPTO_push_info("setup_verify");
422 #endif          
423                 if(!(store = setup_verify(CAfile, CApath))) goto end;
424 #ifdef CRYPTO_MDEBUG
425                 CRYPTO_pop_info();
426 #endif          
427         }
428
429         ret = 3;
430
431         if(operation == SMIME_ENCRYPT) {
432 #ifdef CRYPTO_MDEBUG
433                 CRYPTO_push_info("PKCS7_encrypt");
434 #endif          
435                 p7 = PKCS7_encrypt(encerts, in, cipher, flags);
436 #ifdef CRYPTO_MDEBUG
437                 CRYPTO_pop_info();
438 #endif          
439         } else if(operation == SMIME_SIGN) {
440 #ifdef CRYPTO_MDEBUG
441                 CRYPTO_push_info("PKCS7_sign");
442 #endif          
443                 p7 = PKCS7_sign(signer, key, other, in, flags);
444                 BIO_reset(in);
445 #ifdef CRYPTO_MDEBUG
446                 CRYPTO_pop_info();
447 #endif          
448         } else {
449 #ifdef CRYPTO_MDEBUG
450                 CRYPTO_push_info("SMIME_read_PKCS7");
451 #endif          
452                 if(!(p7 = SMIME_read_PKCS7(in, &indata))) {
453                         BIO_printf(bio_err, "Error reading S/MIME message\n");
454                         goto end;
455                 }
456 #ifdef CRYPTO_MDEBUG
457                 CRYPTO_pop_info();
458 #endif          
459         }
460
461         if(!p7) {
462                 BIO_printf(bio_err, "Error creating PKCS#7 structure\n");
463                 goto end;
464         }
465
466         ret = 4;
467         if(operation == SMIME_DECRYPT) {
468 #ifdef CRYPTO_MDEBUG
469                 CRYPTO_push_info("PKCS7_decrypt");
470 #endif          
471                 if(!PKCS7_decrypt(p7, key, recip, out, flags)) {
472                         BIO_printf(bio_err, "Error decrypting PKCS#7 structure\n");
473                         goto end;
474                 }
475 #ifdef CRYPTO_MDEBUG
476                 CRYPTO_pop_info();
477 #endif          
478         } else if(operation == SMIME_VERIFY) {
479                 STACK_OF(X509) *signers;
480 #ifdef CRYPTO_MDEBUG
481                 CRYPTO_push_info("PKCS7_verify");
482 #endif          
483                 if(PKCS7_verify(p7, other, store, indata, out, flags)) {
484                         BIO_printf(bio_err, "Verification Successful\n");
485                 } else {
486                         BIO_printf(bio_err, "Verification Failure\n");
487                         goto end;
488                 }
489 #ifdef CRYPTO_MDEBUG
490                 CRYPTO_pop_info();
491                 CRYPTO_push_info("PKCS7_iget_signers");
492 #endif          
493                 signers = PKCS7_iget_signers(p7, other, flags);
494 #ifdef CRYPTO_MDEBUG
495                 CRYPTO_pop_info();
496                 CRYPTO_push_info("save_certs");
497 #endif          
498                 if(!save_certs(signerfile, signers)) {
499                         BIO_printf(bio_err, "Error writing signers to %s\n",
500                                                                 signerfile);
501                         ret = 5;
502                         goto end;
503                 }
504 #ifdef CRYPTO_MDEBUG
505                 CRYPTO_pop_info();
506 #endif          
507                 sk_X509_free(signers);
508         } else if(operation == SMIME_PK7OUT) {
509                 PEM_write_bio_PKCS7(out, p7);
510         } else {
511                 if(to) BIO_printf(out, "To: %s\n", to);
512                 if(from) BIO_printf(out, "From: %s\n", from);
513                 if(subject) BIO_printf(out, "Subject: %s\n", subject);
514                 SMIME_write_PKCS7(out, p7, in, flags);
515         }
516         ret = 0;
517 end:
518 #ifdef CRYPTO_MDEBUG
519         CRYPTO_remove_all_info();
520 #endif
521         if (need_rand)
522                 app_RAND_write_file(NULL, bio_err);
523         if(ret) ERR_print_errors(bio_err);
524         sk_X509_pop_free(encerts, X509_free);
525         sk_X509_pop_free(other, X509_free);
526         X509_STORE_free(store);
527         X509_free(cert);
528         X509_free(recip);
529         X509_free(signer);
530         EVP_PKEY_free(key);
531         PKCS7_free(p7);
532         BIO_free(in);
533         BIO_free(indata);
534         BIO_free(out);
535         if(passin) Free(passin);
536         return (ret);
537 }
538
539 static X509 *load_cert(char *file)
540 {
541         BIO *in;
542         X509 *cert;
543         if(!(in = BIO_new_file(file, "r"))) return NULL;
544         cert = PEM_read_bio_X509(in, NULL, NULL,NULL);
545         BIO_free(in);
546         return cert;
547 }
548
549 static EVP_PKEY *load_key(char *file, char *pass)
550 {
551         BIO *in;
552         EVP_PKEY *key;
553         if(!(in = BIO_new_file(file, "r"))) return NULL;
554         key = PEM_read_bio_PrivateKey(in, NULL,NULL,pass);
555         BIO_free(in);
556         return key;
557 }
558
559 static STACK_OF(X509) *load_certs(char *file)
560 {
561         BIO *in;
562         int i;
563         STACK_OF(X509) *othercerts;
564         STACK_OF(X509_INFO) *allcerts;
565         X509_INFO *xi;
566         if(!(in = BIO_new_file(file, "r"))) return NULL;
567         othercerts = sk_X509_new(NULL);
568         if(!othercerts) return NULL;
569         allcerts = PEM_X509_INFO_read_bio(in, NULL, NULL, NULL);
570         for(i = 0; i < sk_X509_INFO_num(allcerts); i++) {
571                 xi = sk_X509_INFO_value (allcerts, i);
572                 if (xi->x509) {
573                         sk_X509_push(othercerts, xi->x509);
574                         xi->x509 = NULL;
575                 }
576         }
577         sk_X509_INFO_pop_free(allcerts, X509_INFO_free);
578         BIO_free(in);
579         return othercerts;
580 }
581
582 static X509_STORE *setup_verify(char *CAfile, char *CApath)
583 {
584         X509_STORE *store;
585         X509_LOOKUP *lookup;
586 #ifdef CRYPTO_MDEBUG
587         CRYPTO_push_info("X509_STORE_new");
588 #endif  
589         if(!(store = X509_STORE_new())) goto end;
590 #ifdef CRYPTO_MDEBUG
591         CRYPTO_pop_info();
592         CRYPTO_push_info("X509_STORE_add_lookup(...file)");
593 #endif  
594         lookup=X509_STORE_add_lookup(store,X509_LOOKUP_file());
595         if (lookup == NULL) goto end;
596 #ifdef CRYPTO_MDEBUG
597         CRYPTO_pop_info();
598         CRYPTO_push_info("X509_LOOKUP_load_file");
599 #endif  
600         if (CAfile) {
601                 if(!X509_LOOKUP_load_file(lookup,CAfile,X509_FILETYPE_PEM)) {
602                         BIO_printf(bio_err, "Error loading file %s\n", CAfile);
603                         goto end;
604                 }
605         } else X509_LOOKUP_load_file(lookup,NULL,X509_FILETYPE_DEFAULT);
606                 
607 #ifdef CRYPTO_MDEBUG
608         CRYPTO_pop_info();
609         CRYPTO_push_info("X509_STORE_add_lookup(...hash_dir)");
610 #endif  
611         lookup=X509_STORE_add_lookup(store,X509_LOOKUP_hash_dir());
612         if (lookup == NULL) goto end;
613 #ifdef CRYPTO_MDEBUG
614         CRYPTO_pop_info();
615         CRYPTO_push_info("X509_LOOKUP_add_dir");
616 #endif  
617         if (CApath) {
618                 if(!X509_LOOKUP_add_dir(lookup,CApath,X509_FILETYPE_PEM)) {
619                         BIO_printf(bio_err, "Error loading directory %s\n", CApath);
620                         goto end;
621                 }
622         } else X509_LOOKUP_add_dir(lookup,NULL,X509_FILETYPE_DEFAULT);
623 #ifdef CRYPTO_MDEBUG
624         CRYPTO_pop_info();
625 #endif  
626
627         ERR_clear_error();
628         return store;
629         end:
630         X509_STORE_free(store);
631         return NULL;
632 }
633
634 static int save_certs(char *signerfile, STACK_OF(X509) *signers)
635 {
636         int i;
637         BIO *tmp;
638         if(!signerfile) return 1;
639         tmp = BIO_new_file(signerfile, "w");
640         if(!tmp) return 0;
641         for(i = 0; i < sk_X509_num(signers); i++)
642                 PEM_write_bio_X509(tmp, sk_X509_value(signers, i));
643         BIO_free(tmp);
644         return 1;
645 }
646