Remove apps cache for gethostbyname
[openssl.git] / apps / cms.c
index a280d8e..5eb5d2d 100644 (file)
@@ -1,5 +1,5 @@
-/* apps/cms.c */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+/*
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project.
  */
 /* ====================================================================
@@ -10,7 +10,7 @@
  * are met:
  *
  * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer. 
+ *    notice, this list of conditions and the following disclaimer.
  *
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in
 
 #ifndef OPENSSL_NO_CMS
 
-#include <openssl/crypto.h>
-#include <openssl/pem.h>
-#include <openssl/err.h>
-#include <openssl/x509_vfy.h>
-#include <openssl/x509v3.h>
-#include <openssl/cms.h>
+# include <openssl/crypto.h>
+# include <openssl/pem.h>
+# include <openssl/err.h>
+# include <openssl/x509_vfy.h>
+# include <openssl/x509v3.h>
+# include <openssl/cms.h>
 
-#undef PROG
-#define PROG cms_main
 static int save_certs(char *signerfile, STACK_OF(X509) *signers);
-static int smime_cb(int ok, X509_STORE_CTX *ctx);
-
-#define SMIME_OP       0x10
-#define SMIME_IP       0x20
-#define SMIME_SIGNERS  0x40
-#define SMIME_ENCRYPT          (1 | SMIME_OP)
-#define SMIME_DECRYPT          (2 | SMIME_IP)
-#define SMIME_SIGN             (3 | SMIME_OP | SMIME_SIGNERS)
-#define SMIME_VERIFY           (4 | SMIME_IP)
-#define SMIME_CMSOUT           (5 | SMIME_IP | SMIME_OP)
-#define SMIME_RESIGN           (6 | SMIME_IP | SMIME_OP | SMIME_SIGNERS)
-#define SMIME_DATAOUT          (7 | SMIME_IP)
-#define SMIME_DATA_CREATE      (8 | SMIME_OP)
-#define SMIME_DIGEST_VERIFY    (9 | SMIME_IP)
-#define SMIME_DIGEST_CREATE    (10 | SMIME_OP)
-#define SMIME_UNCOMPRESS       (11 | SMIME_IP)
-#define SMIME_COMPRESS         (12 | SMIME_OP)
-#define SMIME_ENCRYPTED_DECRYPT        (13 | SMIME_IP)
-#define SMIME_ENCRYPTED_ENCRYPT        (14 | SMIME_OP)
-
-int MAIN(int, char **);
-
-int MAIN(int argc, char **argv)
-       {
-       ENGINE *e = NULL;
-       int operation = 0;
-       int ret = 0;
-       char **args;
-       const char *inmode = "r", *outmode = "w";
-       char *infile = NULL, *outfile = NULL;
-       char *signerfile = NULL, *recipfile = NULL;
-       STACK *sksigners = NULL, *skkeys = NULL;
-       char *certfile = NULL, *keyfile = NULL, *contfile=NULL;
-       const EVP_CIPHER *cipher = NULL;
-       CMS_ContentInfo *cms = NULL;
-       X509_STORE *store = NULL;
-       X509 *cert = NULL, *recip = NULL, *signer = NULL;
-       EVP_PKEY *key = NULL;
-       STACK_OF(X509) *encerts = NULL, *other = NULL;
-       BIO *in = NULL, *out = NULL, *indata = NULL;
-       int badarg = 0;
-       int flags = CMS_DETACHED;
-       char *to = NULL, *from = NULL, *subject = NULL;
-       char *CAfile = NULL, *CApath = NULL;
-       char *passargin = NULL, *passin = NULL;
-       char *inrand = NULL;
-       int need_rand = 0;
-       const EVP_MD *sign_md = NULL;
-       int informat = FORMAT_SMIME, outformat = FORMAT_SMIME;
-        int keyform = FORMAT_PEM;
-#ifndef OPENSSL_NO_ENGINE
-       char *engine=NULL;
-#endif
-       unsigned char *secret_key = NULL;
-       size_t secret_keylen = 0;
-
-       X509_VERIFY_PARAM *vpm = NULL;
-
-       args = argv + 1;
-       ret = 1;
-
-       apps_startup();
-
-       if (bio_err == NULL)
-               {
-               if ((bio_err = BIO_new(BIO_s_file())) != NULL)
-                       BIO_set_fp(bio_err, stderr, BIO_NOCLOSE|BIO_FP_TEXT);
-               }
-
-       if (!load_config(bio_err, NULL))
-               goto end;
-
-       while (!badarg && *args && *args[0] == '-')
-               {
-               if (!strcmp (*args, "-encrypt"))
-                       operation = SMIME_ENCRYPT;
-               else if (!strcmp (*args, "-decrypt"))
-                       operation = SMIME_DECRYPT;
-               else if (!strcmp (*args, "-sign"))
-                       operation = SMIME_SIGN;
-               else if (!strcmp (*args, "-resign"))
-                       operation = SMIME_RESIGN;
-               else if (!strcmp (*args, "-verify"))
-                       operation = SMIME_VERIFY;
-               else if (!strcmp (*args, "-cmsout"))
-                       operation = SMIME_CMSOUT;
-               else if (!strcmp (*args, "-data_out"))
-                       operation = SMIME_DATAOUT;
-               else if (!strcmp (*args, "-data_create"))
-                       operation = SMIME_DATA_CREATE;
-               else if (!strcmp (*args, "-digest_verify"))
-                       operation = SMIME_DIGEST_VERIFY;
-               else if (!strcmp (*args, "-digest_create"))
-                       operation = SMIME_DIGEST_CREATE;
-               else if (!strcmp (*args, "-compress"))
-                       operation = SMIME_COMPRESS;
-               else if (!strcmp (*args, "-uncompress"))
-                       operation = SMIME_UNCOMPRESS;
-               else if (!strcmp (*args, "-EncryptedData_decrypt"))
-                       operation = SMIME_ENCRYPTED_DECRYPT;
-               else if (!strcmp (*args, "-EncryptedData_encrypt"))
-                       operation = SMIME_ENCRYPTED_ENCRYPT;
-#ifndef OPENSSL_NO_DES
-               else if (!strcmp (*args, "-des3")) 
-                               cipher = EVP_des_ede3_cbc();
-               else if (!strcmp (*args, "-des")) 
-                               cipher = EVP_des_cbc();
-#endif
-#ifndef OPENSSL_NO_SEED
-               else if (!strcmp (*args, "-seed")) 
-                               cipher = EVP_seed_cbc();
-#endif
-#ifndef OPENSSL_NO_RC2
-               else if (!strcmp (*args, "-rc2-40")) 
-                               cipher = EVP_rc2_40_cbc();
-               else if (!strcmp (*args, "-rc2-128")) 
-                               cipher = EVP_rc2_cbc();
-               else if (!strcmp (*args, "-rc2-64")) 
-                               cipher = EVP_rc2_64_cbc();
-#endif
-#ifndef OPENSSL_NO_AES
-               else if (!strcmp(*args,"-aes128"))
-                               cipher = EVP_aes_128_cbc();
-               else if (!strcmp(*args,"-aes192"))
-                               cipher = EVP_aes_192_cbc();
-               else if (!strcmp(*args,"-aes256"))
-                               cipher = EVP_aes_256_cbc();
-#endif
-#ifndef OPENSSL_NO_CAMELLIA
-               else if (!strcmp(*args,"-camellia128"))
-                               cipher = EVP_camellia_128_cbc();
-               else if (!strcmp(*args,"-camellia192"))
-                               cipher = EVP_camellia_192_cbc();
-               else if (!strcmp(*args,"-camellia256"))
-                               cipher = EVP_camellia_256_cbc();
-#endif
-               else if (!strcmp (*args, "-text")) 
-                               flags |= CMS_TEXT;
-               else if (!strcmp (*args, "-nointern")) 
-                               flags |= CMS_NOINTERN;
-               else if (!strcmp (*args, "-noverify") 
-                       || !strcmp (*args, "-no_signer_cert_verify")) 
-                               flags |= CMS_NO_SIGNER_CERT_VERIFY;
-               else if (!strcmp (*args, "-nocerts")) 
-                               flags |= CMS_NOCERTS;
-               else if (!strcmp (*args, "-noattr")) 
-                               flags |= CMS_NOATTR;
-               else if (!strcmp (*args, "-nodetach")) 
-                               flags &= ~CMS_DETACHED;
-               else if (!strcmp (*args, "-nosmimecap"))
-                               flags |= CMS_NOSMIMECAP;
-               else if (!strcmp (*args, "-binary"))
-                               flags |= CMS_BINARY;
-               else if (!strcmp (*args, "-keyid"))
-                               flags |= CMS_USE_KEYID;
-               else if (!strcmp (*args, "-nosigs"))
-                               flags |= CMS_NOSIGS;
-               else if (!strcmp (*args, "-no_content_verify"))
-                               flags |= CMS_NO_CONTENT_VERIFY;
-               else if (!strcmp (*args, "-no_attr_verify"))
-                               flags |= CMS_NO_ATTR_VERIFY;
-               else if (!strcmp (*args, "-stream"))
-                               flags |= CMS_STREAM;
-               else if (!strcmp (*args, "-indef"))
-                               flags |= CMS_STREAM;
-               else if (!strcmp (*args, "-noindef"))
-                               flags &= ~CMS_STREAM;
-               else if (!strcmp (*args, "-nooldmime"))
-                               flags |= CMS_NOOLDMIMETYPE;
-               else if (!strcmp (*args, "-crlfeol"))
-                               flags |= CMS_CRLFEOL;
-               else if (!strcmp(*args,"-secretkey"))
-                       {
-                       long ltmp;
-                       if (!args[1])
-                               goto argerr;
-                       args++;
-                       secret_key = string_to_hex(*args, &ltmp);
-                       if (!secret_key)
-                               {
-                               BIO_printf(bio_err, "Invalid key %s\n", *args);
-                               goto argerr;
-                               }
-                       secret_keylen = (size_t)ltmp;
-                       }
-               else if (!strcmp(*args,"-rand"))
-                       {
-                       if (!args[1])
-                               goto argerr;
-                       args++;
-                       inrand = *args;
-                       need_rand = 1;
-                       }
-#ifndef OPENSSL_NO_ENGINE
-               else if (!strcmp(*args,"-engine"))
-                       {
-                       if (!args[1])
-                               goto argerr;
-                       engine = *++args;
-                       }
-#endif
-               else if (!strcmp(*args,"-passin"))
-                       {
-                       if (!args[1])
-                               goto argerr;
-                       passargin = *++args;
-                       }
-               else if (!strcmp (*args, "-to"))
-                       {
-                       if (!args[1])
-                               goto argerr;
-                       to = *++args;
-                       }
-               else if (!strcmp (*args, "-from"))
-                       {
-                       if (!args[1])
-                               goto argerr;
-                       from = *++args;
-                       }
-               else if (!strcmp (*args, "-subject"))
-                       {
-                       if (!args[1])
-                               goto argerr;
-                       subject = *++args;
-                       }
-               else if (!strcmp (*args, "-signer"))
-                       {
-                       if (!args[1])
-                               goto argerr;
-                       /* If previous -signer argument add signer to list */
-
-                       if (signerfile)
-                               {
-                               if (!sksigners)
-                                       sksigners = sk_new_null();
-                               sk_push(sksigners, signerfile);
-                               if (!keyfile)
-                                       keyfile = signerfile;
-                               if (!skkeys)
-                                       skkeys = sk_new_null();
-                               sk_push(skkeys, keyfile);
-                               keyfile = NULL;
-                               }
-                       signerfile = *++args;
-                       }
-               else if (!strcmp (*args, "-recip"))
-                       {
-                       if (!args[1])
-                               goto argerr;
-                       recipfile = *++args;
-                       }
-               else if (!strcmp (*args, "-md"))
-                       {
-                       if (!args[1])
-                               goto argerr;
-                       sign_md = EVP_get_digestbyname(*++args);
-                       if (sign_md == NULL)
-                               {
-                               BIO_printf(bio_err, "Unknown digest %s\n",
-                                                       *args);
-                               goto argerr;
-                               }
-                       }
-               else if (!strcmp (*args, "-inkey"))
-                       {
-                       if (!args[1])   
-                               goto argerr;
-                       /* If previous -inkey arument add signer to list */
-                       if (keyfile)
-                               {
-                               if (!signerfile)
-                                       {
-                                       BIO_puts(bio_err, "Illegal -inkey without -signer\n");
-                                       goto argerr;
-                                       }
-                               if (!sksigners)
-                                       sksigners = sk_new_null();
-                               sk_push(sksigners, signerfile);
-                               signerfile = NULL;
-                               if (!skkeys)
-                                       skkeys = sk_new_null();
-                               sk_push(skkeys, keyfile);
-                               }
-                       keyfile = *++args;
-                       }
-               else if (!strcmp (*args, "-keyform"))
-                       {
-                       if (!args[1])
-                               goto argerr;
-                       keyform = str2fmt(*++args);
-                       }
-               else if (!strcmp (*args, "-certfile"))
-                       {
-                       if (!args[1])
-                               goto argerr;
-                       certfile = *++args;
-                       }
-               else if (!strcmp (*args, "-CAfile"))
-                       {
-                       if (!args[1])
-                               goto argerr;
-                       CAfile = *++args;
-                       }
-               else if (!strcmp (*args, "-CApath"))
-                       {
-                       if (!args[1])
-                               goto argerr;
-                       CApath = *++args;
-                       }
-               else if (!strcmp (*args, "-in"))
-                       {
-                       if (!args[1])
-                               goto argerr;
-                       infile = *++args;
-                       }
-               else if (!strcmp (*args, "-inform"))
-                       {
-                       if (!args[1])
-                               goto argerr;
-                       informat = str2fmt(*++args);
-                       }
-               else if (!strcmp (*args, "-outform"))
-                       {
-                       if (!args[1])
-                               goto argerr;
-                       outformat = str2fmt(*++args);
-                       }
-               else if (!strcmp (*args, "-out"))
-                       {
-                       if (!args[1])
-                               goto argerr;
-                       outfile = *++args;
-                       }
-               else if (!strcmp (*args, "-content"))
-                       {
-                       if (!args[1])
-                               goto argerr;
-                       contfile = *++args;
-                       }
-               else if (args_verify(&args, NULL, &badarg, bio_err, &vpm))
-                       continue;
-               else if ((cipher = EVP_get_cipherbyname(*args + 1)) == NULL)
-                       badarg = 1;
-               args++;
-               }
-
-       if (!(operation & SMIME_SIGNERS) && (skkeys || sksigners))
-               {
-               BIO_puts(bio_err, "Multiple signers or keys not allowed\n");
-               goto argerr;
-               }
-
-       if (operation & SMIME_SIGNERS)
-               {
-               /* Check to see if any final signer needs to be appended */
-               if (keyfile && !signerfile)
-                       {
-                       BIO_puts(bio_err, "Illegal -inkey without -signer\n");
-                       goto argerr;
-                       }
-               if (signerfile)
-                       {
-                       if (!sksigners)
-                               sksigners = sk_new_null();
-                       sk_push(sksigners, signerfile);
-                       if (!skkeys)
-                               skkeys = sk_new_null();
-                       if (!keyfile)
-                               keyfile = signerfile;
-                       sk_push(skkeys, keyfile);
-                       }
-               if (!sksigners)
-                       {
-                       BIO_printf(bio_err, "No signer certificate specified\n");
-                       badarg = 1;
-                       }
-               signerfile = NULL;
-               keyfile = NULL;
-               need_rand = 1;
-               }
-       else if (operation == SMIME_DECRYPT)
-               {
-               if (!recipfile && !keyfile)
-                       {
-                       BIO_printf(bio_err, "No recipient certificate or key specified\n");
-                       badarg = 1;
-                       }
-               }
-       else if (operation == SMIME_ENCRYPT)
-               {
-               if (!*args)
-                       {
-                       BIO_printf(bio_err, "No recipient(s) certificate(s) specified\n");
-                       badarg = 1;
-                       }
-               need_rand = 1;
-               }
-       else if (!operation)
-               badarg = 1;
-
-       if (badarg)
-               {
-               argerr:
-               BIO_printf (bio_err, "Usage smime [options] cert.pem ...\n");
-               BIO_printf (bio_err, "where options are\n");
-               BIO_printf (bio_err, "-encrypt       encrypt message\n");
-               BIO_printf (bio_err, "-decrypt       decrypt encrypted message\n");
-               BIO_printf (bio_err, "-sign          sign message\n");
-               BIO_printf (bio_err, "-verify        verify signed message\n");
-               BIO_printf (bio_err, "-cmsout        output CMS structure\n");
-#ifndef OPENSSL_NO_DES
-               BIO_printf (bio_err, "-des3          encrypt with triple DES\n");
-               BIO_printf (bio_err, "-des           encrypt with DES\n");
-#endif
-#ifndef OPENSSL_NO_SEED
-               BIO_printf (bio_err, "-seed          encrypt with SEED\n");
-#endif
-#ifndef OPENSSL_NO_RC2
-               BIO_printf (bio_err, "-rc2-40        encrypt with RC2-40 (default)\n");
-               BIO_printf (bio_err, "-rc2-64        encrypt with RC2-64\n");
-               BIO_printf (bio_err, "-rc2-128       encrypt with RC2-128\n");
-#endif
-#ifndef OPENSSL_NO_AES
-               BIO_printf (bio_err, "-aes128, -aes192, -aes256\n");
-               BIO_printf (bio_err, "               encrypt PEM output with cbc aes\n");
-#endif
-#ifndef OPENSSL_NO_CAMELLIA
-               BIO_printf (bio_err, "-camellia128, -camellia192, -camellia256\n");
-               BIO_printf (bio_err, "               encrypt PEM output with cbc camellia\n");
-#endif
-               BIO_printf (bio_err, "-nointern      don't search certificates in message for signer\n");
-               BIO_printf (bio_err, "-nosigs        don't verify message signature\n");
-               BIO_printf (bio_err, "-noverify      don't verify signers certificate\n");
-               BIO_printf (bio_err, "-nocerts       don't include signers certificate when signing\n");
-               BIO_printf (bio_err, "-nodetach      use opaque signing\n");
-               BIO_printf (bio_err, "-noattr        don't include any signed attributes\n");
-               BIO_printf (bio_err, "-binary        don't translate message to text\n");
-               BIO_printf (bio_err, "-certfile file other certificates file\n");
-               BIO_printf (bio_err, "-signer file   signer certificate file\n");
-               BIO_printf (bio_err, "-recip  file   recipient certificate file for decryption\n");
-               BIO_printf (bio_err, "-skeyid        use subject key identifier\n");
-               BIO_printf (bio_err, "-in file       input file\n");
-               BIO_printf (bio_err, "-inform arg    input format SMIME (default), PEM or DER\n");
-               BIO_printf (bio_err, "-inkey file    input private key (if not signer or recipient)\n");
-               BIO_printf (bio_err, "-keyform arg   input private key format (PEM or ENGINE)\n");
-               BIO_printf (bio_err, "-out file      output file\n");
-               BIO_printf (bio_err, "-outform arg   output format SMIME (default), PEM or DER\n");
-               BIO_printf (bio_err, "-content file  supply or override content for detached signature\n");
-               BIO_printf (bio_err, "-to addr       to address\n");
-               BIO_printf (bio_err, "-from ad       from address\n");
-               BIO_printf (bio_err, "-subject s     subject\n");
-               BIO_printf (bio_err, "-text          include or delete text MIME headers\n");
-               BIO_printf (bio_err, "-CApath dir    trusted certificates directory\n");
-               BIO_printf (bio_err, "-CAfile file   trusted certificates file\n");
-               BIO_printf (bio_err, "-crl_check     check revocation status of signer's certificate using CRLs\n");
-               BIO_printf (bio_err, "-crl_check_all check revocation status of signer's certificate chain using CRLs\n");
-#ifndef OPENSSL_NO_ENGINE
-               BIO_printf (bio_err, "-engine e      use engine e, possibly a hardware device.\n");
-#endif
-               BIO_printf (bio_err, "-passin arg    input file pass phrase source\n");
-               BIO_printf(bio_err,  "-rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
-               BIO_printf(bio_err,  "               load the file (or the files in the directory) into\n");
-               BIO_printf(bio_err,  "               the random number generator\n");
-               BIO_printf (bio_err, "cert.pem       recipient certificate(s) for encryption\n");
-               goto end;
-               }
-
-#ifndef OPENSSL_NO_ENGINE
-        e = setup_engine(bio_err, engine, 0);
-#endif
+static int cms_cb(int ok, X509_STORE_CTX *ctx);
+static void receipt_request_print(CMS_ContentInfo *cms);
+static CMS_ReceiptRequest *make_receipt_request(STACK_OF(OPENSSL_STRING)
+                                                *rr_to, int rr_allorfirst, STACK_OF(OPENSSL_STRING)
+                                                *rr_from);
+static int cms_set_pkey_param(EVP_PKEY_CTX *pctx,
+                              STACK_OF(OPENSSL_STRING) *param);
 
-       if (!app_passwd(bio_err, passargin, NULL, &passin, NULL))
-               {
-               BIO_printf(bio_err, "Error getting password\n");
-               goto end;
-               }
-
-       if (need_rand)
-               {
-               app_RAND_load_file(NULL, bio_err, (inrand != NULL));
-               if (inrand != NULL)
-                       BIO_printf(bio_err,"%ld semi-random bytes loaded\n",
-                               app_RAND_load_files(inrand));
-               }
-
-       ret = 2;
-
-       if (!(operation & SMIME_SIGNERS))
-               flags &= ~CMS_DETACHED;
-
-       if (operation & SMIME_OP)
-               {
-               if (outformat == FORMAT_ASN1)
-                       outmode = "wb";
-               }
-       else
-               {
-               if (flags & CMS_BINARY)
-                       outmode = "wb";
-               }
-
-       if (operation & SMIME_IP)
-               {
-               if (informat == FORMAT_ASN1)
-                       inmode = "rb";
-               }
-       else
-               {
-               if (flags & CMS_BINARY)
-                       inmode = "rb";
-               }
-
-       if (operation == SMIME_ENCRYPT)
-               {
-               if (!cipher)
-                       {
-#ifndef OPENSSL_NO_DES                 
-                       cipher = EVP_des_ede3_cbc();
-#else
-                       BIO_printf(bio_err, "No cipher selected\n");
-                       goto end;
-#endif
-                       }
-               encerts = sk_X509_new_null();
-               while (*args)
-                       {
-                       if (!(cert = load_cert(bio_err,*args,FORMAT_PEM,
-                               NULL, e, "recipient certificate file")))
-                               {
-#if 0                          /* An appropriate message is already printed */
-                               BIO_printf(bio_err, "Can't read recipient certificate file %s\n", *args);
-#endif
-                               goto end;
-                               }
-                       sk_X509_push(encerts, cert);
-                       cert = NULL;
-                       args++;
-                       }
-               }
-
-       if (certfile)
-               {
-               if (!(other = load_certs(bio_err,certfile,FORMAT_PEM, NULL,
-                       e, "certificate file")))
-                       {
-                       ERR_print_errors(bio_err);
-                       goto end;
-                       }
-               }
-
-       if (recipfile && (operation == SMIME_DECRYPT))
-               {
-               if (!(recip = load_cert(bio_err,recipfile,FORMAT_PEM,NULL,
-                       e, "recipient certificate file")))
-                       {
-                       ERR_print_errors(bio_err);
-                       goto end;
-                       }
-               }
-
-       if (operation == SMIME_DECRYPT)
-               {
-               if (!keyfile)
-                       keyfile = recipfile;
-               }
-       else if (operation == SMIME_SIGN)
-               {
-               if (!keyfile)
-                       keyfile = signerfile;
-               }
-       else keyfile = NULL;
-
-       if (keyfile)
-               {
-               key = load_key(bio_err, keyfile, keyform, 0, passin, e,
-                              "signing key file");
-               if (!key)
-                       goto end;
-               }
-
-       if (infile)
-               {
-               if (!(in = BIO_new_file(infile, inmode)))
-                       {
-                       BIO_printf (bio_err,
-                                "Can't open input file %s\n", infile);
-                       goto end;
-                       }
-               }
-       else
-               in = BIO_new_fp(stdin, BIO_NOCLOSE);
-
-       if (operation & SMIME_IP)
-               {
-               if (informat == FORMAT_SMIME) 
-                       cms = SMIME_read_CMS(in, &indata);
-               else if (informat == FORMAT_PEM) 
-                       cms = PEM_read_bio_CMS(in, NULL, NULL, NULL);
-               else if (informat == FORMAT_ASN1) 
-                       cms = d2i_CMS_bio(in, NULL);
-               else
-                       {
-                       BIO_printf(bio_err, "Bad input format for CMS file\n");
-                       goto end;
-                       }
-
-               if (!cms)
-                       {
-                       BIO_printf(bio_err, "Error reading S/MIME message\n");
-                       goto end;
-                       }
-               if (contfile)
-                       {
-                       BIO_free(indata);
-                       if (!(indata = BIO_new_file(contfile, "rb")))
-                               {
-                               BIO_printf(bio_err, "Can't read content file %s\n", contfile);
-                               goto end;
-                               }
-                       }
-               }
-
-       if (outfile)
-               {
-               if (!(out = BIO_new_file(outfile, outmode)))
-                       {
-                       BIO_printf (bio_err,
-                                "Can't open output file %s\n", outfile);
-                       goto end;
-                       }
-               }
-       else
-               {
-               out = BIO_new_fp(stdout, BIO_NOCLOSE);
-#ifdef OPENSSL_SYS_VMS
-               {
-                   BIO *tmpbio = BIO_new(BIO_f_linebuffer());
-                   out = BIO_push(tmpbio, out);
-               }
-#endif
-               }
-
-       if (operation == SMIME_VERIFY)
-               {
-               if (!(store = setup_verify(bio_err, CAfile, CApath)))
-                       goto end;
-               X509_STORE_set_verify_cb_func(store, smime_cb);
-               if (vpm)
-                       X509_STORE_set1_param(store, vpm);
-               }
-
-
-       ret = 3;
-
-       if (operation == SMIME_DATA_CREATE)
-               {
-               cms = CMS_data_create(in, flags);
-               }
-       else if (operation == SMIME_DIGEST_CREATE)
-               {
-               cms = CMS_digest_create(in, sign_md, flags);
-               }
-       else if (operation == SMIME_COMPRESS)
-               {
-               cms = CMS_compress(in, -1, flags);
-               }
-       else if (operation == SMIME_ENCRYPT)
-               {
-               cms = CMS_encrypt(encerts, in, cipher, flags);
-               }
-       else if (operation == SMIME_ENCRYPTED_ENCRYPT)
-               {
-               cms = CMS_EncryptedData_encrypt(in, cipher,
-                                               secret_key, secret_keylen,
-                                               flags);
-               }
-       else if (operation & SMIME_SIGNERS)
-               {
-               int i;
-               /* If detached data content we only enable streaming if
-                * S/MIME output format.
-                */
-               if (operation == SMIME_SIGN)
-                       {
-                       if (flags & CMS_DETACHED)
-                               {
-                               if (outformat != FORMAT_SMIME)
-                                       flags &= ~CMS_STREAM;
-                               }
-                       flags |= CMS_PARTIAL;
-                       cms = CMS_sign(NULL, NULL, other, in, flags);
-                       if (!cms)
-                               goto end;
-                       }
-               else
-                       flags |= CMS_REUSE_DIGEST;
-               for (i = 0; i < sk_num(sksigners); i++)
-                       {
-                       signerfile = sk_value(sksigners, i);
-                       keyfile = sk_value(skkeys, i);
-                       signer = load_cert(bio_err, signerfile,FORMAT_PEM, NULL,
-                                       e, "signer certificate");
-                       if (!signer)
-                               goto end;
-                       key = load_key(bio_err, keyfile, keyform, 0, passin, e,
-                              "signing key file");
-                       if (!key)
-                               goto end;
-                       if (!CMS_add1_signer(cms, signer, key, sign_md, flags))
-                               goto end;
-                       X509_free(signer);
-                       signer = NULL;
-                       EVP_PKEY_free(key);
-                       key = NULL;
-                       }
-               /* If not streaming or resigning finalize structure */
-               if ((operation == SMIME_SIGN) && !(flags & CMS_STREAM))
-                       {
-                       if (!CMS_final(cms, in, flags))
-                               goto end;
-                       }
-               }
-
-       if (!cms)
-               {
-               BIO_printf(bio_err, "Error creating CMS structure\n");
-               goto end;
-               }
-
-       ret = 4;
-       if (operation == SMIME_DECRYPT)
-               {
-               if (!CMS_decrypt(cms, key, recip, indata, out, flags))
-                       {
-                       BIO_printf(bio_err, "Error decrypting CMS structure\n");
-                       goto end;
-                       }
-               }
-       else if (operation == SMIME_DATAOUT)
-               {
-               if (!CMS_data(cms, out, flags))
-                       goto end;
-               }
-       else if (operation == SMIME_UNCOMPRESS)
-               {
-               if (!CMS_uncompress(cms, indata, out, flags))
-                       goto end;
-               }
-       else if (operation == SMIME_DIGEST_VERIFY)
-               {
-               if (CMS_digest_verify(cms, indata, out, flags) > 0)
-                       BIO_printf(bio_err, "Verification successful\n");
-               else
-                       {
-                       BIO_printf(bio_err, "Verification failure\n");
-                       goto end;
-                       }
-               }
-       else if (operation == SMIME_ENCRYPTED_DECRYPT)
-               {
-               if (!CMS_EncryptedData_decrypt(cms, secret_key, secret_keylen,
-                                               indata, out, flags))
-                       goto end;
-               }
-       else if (operation == SMIME_VERIFY)
-               {
-               if (CMS_verify(cms, other, store, indata, out, flags) > 0)
-                       BIO_printf(bio_err, "Verification successful\n");
-               else
-                       {
-                       BIO_printf(bio_err, "Verification failure\n");
-                       goto end;
-                       }
-               if (signerfile)
-                       {
-                       STACK_OF(X509) *signers;
-                       signers = CMS_get0_signers(cms);
-                       if (!save_certs(signerfile, signers))
-                               {
-                               BIO_printf(bio_err,
-                                               "Error writing signers to %s\n",
-                                                               signerfile);
-                               ret = 5;
-                               goto end;
-                               }
-                       sk_X509_free(signers);
-                       }
-               }
-       else
-               {
-               if (outformat == FORMAT_SMIME) 
-                       {
-                       if (to)
-                               BIO_printf(out, "To: %s\n", to);
-                       if (from)
-                               BIO_printf(out, "From: %s\n", from);
-                       if (subject)
-                               BIO_printf(out, "Subject: %s\n", subject);
-                       if (operation == SMIME_RESIGN)
-                               ret = SMIME_write_CMS(out, cms, indata, flags);
-                       else
-                               ret = SMIME_write_CMS(out, cms, in, flags);
-                       }
-               else if (outformat == FORMAT_PEM) 
-                       ret = PEM_write_bio_CMS_stream(out, cms, in, flags);
-               else if (outformat == FORMAT_ASN1) 
-                       ret = i2d_CMS_bio_stream(out,cms, in, flags);
-               else
-                       {
-                       BIO_printf(bio_err, "Bad output format for CMS file\n");
-                       goto end;
-                       }
-               if (ret <= 0)
-                       {
-                       ret = 6;
-                       goto end;
-                       }
-               }
-       ret = 0;
-end:
-       if (ret)
-               ERR_print_errors(bio_err);
-       if (need_rand)
-               app_RAND_write_file(NULL, bio_err);
-       sk_X509_pop_free(encerts, X509_free);
-       sk_X509_pop_free(other, X509_free);
-       if (vpm)
-               X509_VERIFY_PARAM_free(vpm);
-       if (sksigners)
-               sk_free(sksigners);
-       if (skkeys)
-               sk_free(skkeys);
-       if (secret_key)
-               OPENSSL_free(secret_key);
-       X509_STORE_free(store);
-       X509_free(cert);
-       X509_free(recip);
-       X509_free(signer);
-       EVP_PKEY_free(key);
-       CMS_ContentInfo_free(cms);
-       BIO_free(in);
-       BIO_free(indata);
-       BIO_free_all(out);
-       if (passin) OPENSSL_free(passin);
-       return (ret);
+# define SMIME_OP        0x10
+# define SMIME_IP        0x20
+# define SMIME_SIGNERS   0x40
+# define SMIME_ENCRYPT           (1 | SMIME_OP)
+# define SMIME_DECRYPT           (2 | SMIME_IP)
+# define SMIME_SIGN              (3 | SMIME_OP | SMIME_SIGNERS)
+# define SMIME_VERIFY            (4 | SMIME_IP)
+# define SMIME_CMSOUT            (5 | SMIME_IP | SMIME_OP)
+# define SMIME_RESIGN            (6 | SMIME_IP | SMIME_OP | SMIME_SIGNERS)
+# define SMIME_DATAOUT           (7 | SMIME_IP)
+# define SMIME_DATA_CREATE       (8 | SMIME_OP)
+# define SMIME_DIGEST_VERIFY     (9 | SMIME_IP)
+# define SMIME_DIGEST_CREATE     (10 | SMIME_OP)
+# define SMIME_UNCOMPRESS        (11 | SMIME_IP)
+# define SMIME_COMPRESS          (12 | SMIME_OP)
+# define SMIME_ENCRYPTED_DECRYPT (13 | SMIME_IP)
+# define SMIME_ENCRYPTED_ENCRYPT (14 | SMIME_OP)
+# define SMIME_SIGN_RECEIPT      (15 | SMIME_IP | SMIME_OP)
+# define SMIME_VERIFY_RECEIPT    (16 | SMIME_IP)
+
+int verify_err = 0;
+
+typedef struct cms_key_param_st cms_key_param;
+
+struct cms_key_param_st {
+    int idx;
+    STACK_OF(OPENSSL_STRING) *param;
+    cms_key_param *next;
+};
+
+typedef enum OPTION_choice {
+    OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
+    OPT_INFORM, OPT_OUTFORM, OPT_IN, OPT_OUT, OPT_ENCRYPT,
+    OPT_DECRYPT, OPT_SIGN, OPT_SIGN_RECEIPT, OPT_RESIGN,
+    OPT_VERIFY, OPT_VERIFY_RETCODE, OPT_VERIFY_RECEIPT,
+    OPT_CMSOUT, OPT_DATA_OUT, OPT_DATA_CREATE, OPT_DIGEST_VERIFY,
+    OPT_DIGEST_CREATE, OPT_COMPRESS, OPT_UNCOMPRESS,
+    OPT_ED_DECRYPT, OPT_ED_ENCRYPT, OPT_DEBUG_DECRYPT, OPT_TEXT,
+    OPT_ASCIICRLF, OPT_NOINTERN, OPT_NOVERIFY, OPT_NOCERTS,
+    OPT_NOATTR, OPT_NODETACH, OPT_NOSMIMECAP, OPT_BINARY, OPT_KEYID,
+    OPT_NOSIGS, OPT_NO_CONTENT_VERIFY, OPT_NO_ATTR_VERIFY, OPT_INDEF,
+    OPT_NOINDEF, OPT_NOOLDMIME, OPT_CRLFEOL, OPT_NOOUT, OPT_RR_PRINT,
+    OPT_RR_ALL, OPT_RR_FIRST, OPT_RCTFORM, OPT_CERTFILE, OPT_CAFILE,
+    OPT_CAPATH, OPT_CONTENT, OPT_PRINT, OPT_SECRETKEY,
+    OPT_SECRETKEYID, OPT_PWRI_PASSWORD, OPT_ECONTENT_TYPE, OPT_RAND,
+    OPT_PASSIN, OPT_TO, OPT_FROM, OPT_SUBJECT, OPT_SIGNER, OPT_RECIP,
+    OPT_CERTSOUT, OPT_MD, OPT_INKEY, OPT_KEYFORM, OPT_KEYOPT, OPT_RR_FROM,
+    OPT_RR_TO, OPT_AES128_WRAP, OPT_AES192_WRAP, OPT_AES256_WRAP,
+    OPT_3DES_WRAP, OPT_ENGINE,
+    OPT_V_ENUM,
+    OPT_CIPHER
+} OPTION_CHOICE;
+
+OPTIONS cms_options[] = {
+    {OPT_HELP_STR, 1, '-', "Usage: %s [options] cert.pem...\n"},
+    {OPT_HELP_STR, 1, '-',
+        "  cert.pem... recipient certs for encryption\n"},
+    {OPT_HELP_STR, 1, '-', "Valid options are:\n"},
+    {"help", OPT_HELP, '-', "Display this summary"},
+    {"inform", OPT_INFORM, 'F', "Input format SMIME (default), PEM or DER"},
+    {"outform", OPT_OUTFORM, 'F',
+     "Output format SMIME (default), PEM or DER"},
+    {"in", OPT_IN, '<', "Input file"},
+    {"out", OPT_OUT, '>', "Output file"},
+    {"encrypt", OPT_ENCRYPT, '-', "Encrypt message"},
+    {"decrypt", OPT_DECRYPT, '-', "Decrypt encrypted message"},
+    {"sign", OPT_SIGN, '-', "Sign message"},
+    {"sign_receipt", OPT_SIGN_RECEIPT, '-'},
+    {"resign", OPT_RESIGN, '-'},
+    {"verify", OPT_VERIFY, '-', "Verify signed message"},
+    {"verify_retcode", OPT_VERIFY_RETCODE, '-'},
+    {"verify_receipt", OPT_VERIFY_RECEIPT, '<'},
+    {"cmsout", OPT_CMSOUT, '-', "Output CMS structure"},
+    {"data_out", OPT_DATA_OUT, '-'},
+    {"data_create", OPT_DATA_CREATE, '-'},
+    {"digest_verify", OPT_DIGEST_VERIFY, '-'},
+    {"digest_create", OPT_DIGEST_CREATE, '-'},
+    {"compress", OPT_COMPRESS, '-'},
+    {"uncompress", OPT_UNCOMPRESS, '-'},
+    {"EncryptedData_decrypt", OPT_ED_DECRYPT, '-'},
+    {"EncryptedData_encrypt", OPT_ED_ENCRYPT, '-'},
+    {"debug_decrypt", OPT_DEBUG_DECRYPT, '-'},
+    {"text", OPT_TEXT, '-', "Include or delete text MIME headers"},
+    {"asciicrlf", OPT_ASCIICRLF, '-'},
+    {"nointern", OPT_NOINTERN, '-',
+     "Don't search certificates in message for signer"},
+    {"noverify", OPT_NOVERIFY, '-', "Don't verify signers certificate"},
+    {"nocerts", OPT_NOCERTS, '-',
+     "Don't include signers certificate when signing"},
+    {"noattr", OPT_NOATTR, '-', "Don't include any signed attributes"},
+    {"nodetach", OPT_NODETACH, '-', "Use opaque signing"},
+    {"nosmimecap", OPT_NOSMIMECAP, '-'},
+    {"binary", OPT_BINARY, '-', "Don't translate message to text"},
+    {"keyid", OPT_KEYID, '-', "Use subject key identifier"},
+    {"nosigs", OPT_NOSIGS, '-', "Don't verify message signature"},
+    {"no_content_verify", OPT_NO_CONTENT_VERIFY, '-'},
+    {"no_attr_verify", OPT_NO_ATTR_VERIFY, '-'},
+    {"stream", OPT_INDEF, '-'},
+    {"indef", OPT_INDEF, '-'},
+    {"noindef", OPT_NOINDEF, '-'},
+    {"nooldmime", OPT_NOOLDMIME, '-'},
+    {"crlfeol", OPT_CRLFEOL, '-'},
+    {"noout", OPT_NOOUT, '-'},
+    {"receipt_request_print", OPT_RR_PRINT, '-'},
+    {"receipt_request_all", OPT_RR_ALL, '-'},
+    {"receipt_request_first", OPT_RR_FIRST, '-'},
+    {"rctform", OPT_RCTFORM, 'F'},
+    {"certfile", OPT_CERTFILE, '<', "Other certificates file"},
+    {"CAfile", OPT_CAFILE, '<', "Trusted certificates file"},
+    {"CApath", OPT_CAPATH, '/', "trusted certificates directory"},
+    {"content", OPT_CONTENT, '<',
+     "Supply or override content for detached signature"},
+    {"print", OPT_PRINT, '-'},
+    {"secretkey", OPT_SECRETKEY, 's'},
+    {"secretkeyid", OPT_SECRETKEYID, 's'},
+    {"pwri_password", OPT_PWRI_PASSWORD, 's'},
+    {"econtent_type", OPT_ECONTENT_TYPE, 's'},
+    {"rand", OPT_RAND, 's',
+     "Load the file(s) into the random number generator"},
+    {"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
+    {"to", OPT_TO, 's', "To address"},
+    {"from", OPT_FROM, 's', "From address"},
+    {"subject", OPT_SUBJECT, 's', "Subject"},
+    {"signer", OPT_SIGNER, 's', "Signer certificate file"},
+    {"recip", OPT_RECIP, '<', "Recipient cert file for decryption"},
+    {"certsout", OPT_CERTSOUT, '>', "Certificate output file"},
+    {"md", OPT_MD, 's'},
+    {"inkey", OPT_INKEY, '<',
+     "Input private key (if not signer or recipient)"},
+    {"keyform", OPT_KEYFORM, 'f', "Input private key format (PEM or ENGINE)"},
+    {"keyopt", OPT_KEYOPT, 's', "Set public key parameters as n:v pairs"},
+    {"receipt_request_from", OPT_RR_FROM, 's'},
+    {"receipt_request_to", OPT_RR_TO, 's'},
+# ifndef OPENSSL_NO_AES
+    {"aes128-wrap", OPT_AES128_WRAP, '-', "Use AES128 to wrap key"},
+    {"aes192-wrap", OPT_AES192_WRAP, '-', "Use AES192 to wrap key"},
+    {"aes256-wrap", OPT_AES256_WRAP, '-', "Use AES256 to wrap key"},
+# endif
+# ifndef OPENSSL_NO_DES
+    {"des3-wrap", OPT_3DES_WRAP, '-', "Use 3DES-EDE to wrap key"},
+# endif
+# ifndef OPENSSL_NO_ENGINE
+    {"engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device"},
+# endif
+    {"", OPT_CIPHER, '-', "Any supported cipher"},
+    OPT_V_OPTIONS,
+    {NULL},
+};
+
+int cms_main(int argc, char **argv)
+{
+    ASN1_OBJECT *econtent_type = NULL;
+    BIO *in = NULL, *out = NULL, *indata = NULL, *rctin = NULL;
+    CMS_ContentInfo *cms = NULL, *rcms = NULL;
+    CMS_ReceiptRequest *rr = NULL;
+    ENGINE *e = NULL;
+    EVP_PKEY *key = NULL;
+    const EVP_CIPHER *cipher = NULL, *wrap_cipher = NULL;
+    const EVP_MD *sign_md = NULL;
+    STACK_OF(OPENSSL_STRING) *rr_to = NULL, *rr_from = NULL;
+    STACK_OF(OPENSSL_STRING) *sksigners = NULL, *skkeys = NULL;
+    STACK_OF(X509) *encerts = NULL, *other = NULL;
+    X509 *cert = NULL, *recip = NULL, *signer = NULL;
+    X509_STORE *store = NULL;
+    X509_VERIFY_PARAM *vpm = NULL;
+    char *certfile = NULL, *keyfile = NULL, *contfile = NULL;
+    char *CAfile = NULL, *CApath = NULL, *certsoutfile = NULL;
+    char *infile = NULL, *outfile = NULL, *rctfile = NULL, *inrand = NULL;
+    char *passinarg = NULL, *passin = NULL, *signerfile = NULL, *recipfile =
+        NULL;
+    char *to = NULL, *from = NULL, *subject = NULL, *prog;
+    cms_key_param *key_first = NULL, *key_param = NULL;
+    const char *inmode = "r", *outmode = "w";
+    int flags = CMS_DETACHED, noout = 0, print = 0, keyidx = -1, vpmtouched =
+        0;
+    int informat = FORMAT_SMIME, outformat = FORMAT_SMIME;
+    int need_rand = 0, operation = 0, ret = 1, rr_print = 0, rr_allorfirst =
+        -1;
+    int verify_retcode = 0, rctformat = FORMAT_SMIME, keyform = FORMAT_PEM;
+    size_t secret_keylen = 0, secret_keyidlen = 0;
+    unsigned char *pwri_pass = NULL, *pwri_tmp = NULL;
+    unsigned char *secret_key = NULL, *secret_keyid = NULL;
+    long ltmp;
+    OPTION_CHOICE o;
+
+    if ((vpm = X509_VERIFY_PARAM_new()) == NULL)
+        return 1;
+
+    prog = opt_init(argc, argv, cms_options);
+    while ((o = opt_next()) != OPT_EOF) {
+        switch (o) {
+        case OPT_EOF:
+        case OPT_ERR:
+ opthelp:
+            BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
+            goto end;
+        case OPT_HELP:
+            opt_help(cms_options);
+            ret = 0;
+            goto end;
+        case OPT_INFORM:
+            if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &informat))
+                goto opthelp;
+            break;
+        case OPT_OUTFORM:
+            if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &outformat))
+                goto opthelp;
+            break;
+        case OPT_OUT:
+            outfile = opt_arg();
+            break;
+        case OPT_ENCRYPT:
+            operation = SMIME_ENCRYPT;
+            break;
+        case OPT_DECRYPT:
+            operation = SMIME_DECRYPT;
+            break;
+        case OPT_SIGN:
+            operation = SMIME_SIGN;
+            break;
+        case OPT_SIGN_RECEIPT:
+            operation = SMIME_SIGN_RECEIPT;
+            break;
+        case OPT_RESIGN:
+            operation = SMIME_RESIGN;
+            break;
+        case OPT_VERIFY:
+            operation = SMIME_VERIFY;
+            break;
+        case OPT_VERIFY_RETCODE:
+            verify_retcode = 1;
+            break;
+        case OPT_VERIFY_RECEIPT:
+            operation = SMIME_VERIFY_RECEIPT;
+            rctfile = opt_arg();
+            break;
+        case OPT_CMSOUT:
+            operation = SMIME_CMSOUT;
+            break;
+        case OPT_DATA_OUT:
+            operation = SMIME_DATAOUT;
+            break;
+        case OPT_DATA_CREATE:
+            operation = SMIME_DATA_CREATE;
+            break;
+        case OPT_DIGEST_VERIFY:
+            operation = SMIME_DIGEST_VERIFY;
+            break;
+        case OPT_DIGEST_CREATE:
+            operation = SMIME_DIGEST_CREATE;
+            break;
+        case OPT_COMPRESS:
+            operation = SMIME_COMPRESS;
+            break;
+        case OPT_UNCOMPRESS:
+            operation = SMIME_UNCOMPRESS;
+            break;
+        case OPT_ED_DECRYPT:
+            operation = SMIME_ENCRYPTED_DECRYPT;
+            break;
+        case OPT_ED_ENCRYPT:
+            operation = SMIME_ENCRYPTED_ENCRYPT;
+            break;
+        case OPT_DEBUG_DECRYPT:
+            flags |= CMS_DEBUG_DECRYPT;
+            break;
+        case OPT_TEXT:
+            flags |= CMS_TEXT;
+            break;
+        case OPT_ASCIICRLF:
+            flags |= CMS_ASCIICRLF;
+            break;
+        case OPT_NOINTERN:
+            flags |= CMS_NOINTERN;
+            break;
+        case OPT_NOVERIFY:
+            flags |= CMS_NO_SIGNER_CERT_VERIFY;
+            break;
+        case OPT_NOCERTS:
+            flags |= CMS_NOCERTS;
+            break;
+        case OPT_NOATTR:
+            flags |= CMS_NOATTR;
+            break;
+        case OPT_NODETACH:
+            flags &= ~CMS_DETACHED;
+            break;
+        case OPT_NOSMIMECAP:
+            flags |= CMS_NOSMIMECAP;
+            break;
+        case OPT_BINARY:
+            flags |= CMS_BINARY;
+            break;
+        case OPT_KEYID:
+            flags |= CMS_USE_KEYID;
+            break;
+        case OPT_NOSIGS:
+            flags |= CMS_NOSIGS;
+            break;
+        case OPT_NO_CONTENT_VERIFY:
+            flags |= CMS_NO_CONTENT_VERIFY;
+            break;
+        case OPT_NO_ATTR_VERIFY:
+            flags |= CMS_NO_ATTR_VERIFY;
+            break;
+        case OPT_INDEF:
+            flags |= CMS_STREAM;
+            break;
+        case OPT_NOINDEF:
+            flags &= ~CMS_STREAM;
+            break;
+        case OPT_NOOLDMIME:
+            flags |= CMS_NOOLDMIMETYPE;
+            break;
+        case OPT_CRLFEOL:
+            flags |= CMS_CRLFEOL;
+            break;
+        case OPT_NOOUT:
+            noout = 1;
+            break;
+        case OPT_RR_PRINT:
+            rr_print = 1;
+            break;
+        case OPT_RR_ALL:
+            rr_allorfirst = 0;
+            break;
+        case OPT_RR_FIRST:
+            rr_allorfirst = 1;
+            break;
+        case OPT_RCTFORM:
+            if (rctformat == FORMAT_SMIME)
+                rcms = SMIME_read_CMS(rctin, NULL);
+            else if (rctformat == FORMAT_PEM)
+                rcms = PEM_read_bio_CMS(rctin, NULL, NULL, NULL);
+            else if (rctformat == FORMAT_ASN1)
+                if (!opt_format(opt_arg(),
+                                OPT_FMT_PEMDER | OPT_FMT_SMIME, &rctformat))
+                    goto opthelp;
+            break;
+        case OPT_CERTFILE:
+            certfile = opt_arg();
+            break;
+        case OPT_CAFILE:
+            CAfile = opt_arg();
+            break;
+        case OPT_CAPATH:
+            CApath = opt_arg();
+            break;
+        case OPT_IN:
+            infile = opt_arg();
+            break;
+        case OPT_CONTENT:
+            contfile = opt_arg();
+            break;
+        case OPT_RR_FROM:
+            if (rr_from == NULL
+                && (rr_from = sk_OPENSSL_STRING_new_null()) == NULL)
+                goto end;
+            sk_OPENSSL_STRING_push(rr_from, opt_arg());
+            break;
+        case OPT_RR_TO:
+            if (rr_to == NULL
+                && (rr_to = sk_OPENSSL_STRING_new_null()) == NULL)
+                goto end;
+            sk_OPENSSL_STRING_push(rr_to, opt_arg());
+            break;
+        case OPT_PRINT:
+            noout = print = 1;
+            break;
+        case OPT_SECRETKEY:
+            secret_key = string_to_hex(opt_arg(), &ltmp);
+            if (secret_key == NULL) {
+                BIO_printf(bio_err, "Invalid key %s\n", opt_arg());
+                goto end;
+            }
+            secret_keylen = (size_t)ltmp;
+            break;
+        case OPT_SECRETKEYID:
+            secret_keyid = string_to_hex(opt_arg(), &ltmp);
+            if (secret_keyid == NULL) {
+                BIO_printf(bio_err, "Invalid id %s\n", opt_arg());
+                goto opthelp;
+            }
+            secret_keyidlen = (size_t)ltmp;
+            break;
+        case OPT_PWRI_PASSWORD:
+            pwri_pass = (unsigned char *)opt_arg();
+            break;
+        case OPT_ECONTENT_TYPE:
+            econtent_type = OBJ_txt2obj(opt_arg(), 0);
+            if (econtent_type == NULL) {
+                BIO_printf(bio_err, "Invalid OID %s\n", opt_arg());
+                goto opthelp;
+            }
+            break;
+        case OPT_RAND:
+            inrand = opt_arg();
+            need_rand = 1;
+            break;
+        case OPT_ENGINE:
+            e = setup_engine(opt_arg(), 0);
+            break;
+        case OPT_PASSIN:
+            passinarg = opt_arg();
+            break;
+        case OPT_TO:
+            to = opt_arg();
+            break;
+        case OPT_FROM:
+            from = opt_arg();
+            break;
+        case OPT_SUBJECT:
+            subject = opt_arg();
+            break;
+        case OPT_CERTSOUT:
+            certsoutfile = opt_arg();
+            break;
+        case OPT_MD:
+            if (!opt_md(opt_arg(), &sign_md))
+                goto end;
+            break;
+        case OPT_SIGNER:
+            /* If previous -signer argument add signer to list */
+            if (signerfile) {
+                if (sksigners == NULL
+                    && (sksigners = sk_OPENSSL_STRING_new_null()) == NULL)
+                    goto end;
+                sk_OPENSSL_STRING_push(sksigners, signerfile);
+                if (keyfile == NULL)
+                    keyfile = signerfile;
+                if (skkeys == NULL
+                    && (skkeys = sk_OPENSSL_STRING_new_null()) == NULL)
+                    goto end;
+                sk_OPENSSL_STRING_push(skkeys, keyfile);
+                keyfile = NULL;
+            }
+            signerfile = opt_arg();
+            break;
+        case OPT_INKEY:
+            /* If previous -inkey arument add signer to list */
+            if (keyfile) {
+                if (signerfile == NULL) {
+                    BIO_puts(bio_err, "Illegal -inkey without -signer\n");
+                    goto end;
+                }
+                if (sksigners == NULL
+                    && (sksigners = sk_OPENSSL_STRING_new_null()) == NULL)
+                    goto end;
+                sk_OPENSSL_STRING_push(sksigners, signerfile);
+                signerfile = NULL;
+                if (skkeys == NULL
+                    && (skkeys = sk_OPENSSL_STRING_new_null()) == NULL)
+                    goto end;
+                sk_OPENSSL_STRING_push(skkeys, keyfile);
+            }
+            keyfile = opt_arg();
+            break;
+        case OPT_KEYFORM:
+            if (!opt_format(opt_arg(), OPT_FMT_ANY, &keyform))
+                goto opthelp;
+            break;
+        case OPT_RECIP:
+            if (operation == SMIME_ENCRYPT) {
+                if (encerts == NULL && (encerts = sk_X509_new_null()) == NULL)
+                    goto end;
+                cert = load_cert(opt_arg(), FORMAT_PEM, NULL, e,
+                                 "recipient certificate file");
+                if (cert == NULL)
+                    goto end;
+                sk_X509_push(encerts, cert);
+                cert = NULL;
+            } else
+                recipfile = opt_arg();
+            break;
+        case OPT_CIPHER:
+            if (!opt_cipher(opt_unknown(), &cipher))
+                goto end;
+            break;
+        case OPT_KEYOPT:
+            keyidx = -1;
+            if (operation == SMIME_ENCRYPT) {
+                if (encerts)
+                    keyidx += sk_X509_num(encerts);
+            } else {
+                if (keyfile || signerfile)
+                    keyidx++;
+                if (skkeys)
+                    keyidx += sk_OPENSSL_STRING_num(skkeys);
+            }
+            if (keyidx < 0) {
+                BIO_printf(bio_err, "No key specified\n");
+                goto opthelp;
+            }
+            if (key_param == NULL || key_param->idx != keyidx) {
+                cms_key_param *nparam;
+                nparam = app_malloc(sizeof(*nparam), "key param buffer");
+                nparam->idx = keyidx;
+                if ((nparam->param = sk_OPENSSL_STRING_new_null()) == NULL)
+                    goto end;
+                nparam->next = NULL;
+                if (key_first == NULL)
+                    key_first = nparam;
+                else
+                    key_param->next = nparam;
+                key_param = nparam;
+            }
+            sk_OPENSSL_STRING_push(key_param->param, opt_arg());
+            break;
+        case OPT_V_CASES:
+            if (!opt_verify(o, vpm))
+                goto end;
+            vpmtouched++;
+            break;
+# ifndef OPENSSL_NO_DES
+        case OPT_3DES_WRAP:
+            wrap_cipher = EVP_des_ede3_wrap();
+            break;
+# endif
+# ifndef OPENSSL_NO_AES
+        case OPT_AES128_WRAP:
+            wrap_cipher = EVP_aes_128_wrap();
+            break;
+        case OPT_AES192_WRAP:
+            wrap_cipher = EVP_aes_192_wrap();
+            break;
+        case OPT_AES256_WRAP:
+            wrap_cipher = EVP_aes_256_wrap();
+            break;
+# endif
+        }
+    }
+    argc = opt_num_rest();
+    argv = opt_rest();
+
+    if (((rr_allorfirst != -1) || rr_from) && !rr_to) {
+        BIO_puts(bio_err, "No Signed Receipts Recipients\n");
+        goto opthelp;
+    }
+
+    if (!(operation & SMIME_SIGNERS) && (rr_to || rr_from)) {
+        BIO_puts(bio_err, "Signed receipts only allowed with -sign\n");
+        goto opthelp;
+    }
+    if (!(operation & SMIME_SIGNERS) && (skkeys || sksigners)) {
+        BIO_puts(bio_err, "Multiple signers or keys not allowed\n");
+        goto opthelp;
+    }
+
+    if (operation & SMIME_SIGNERS) {
+        if (keyfile && !signerfile) {
+            BIO_puts(bio_err, "Illegal -inkey without -signer\n");
+            goto opthelp;
+        }
+        /* Check to see if any final signer needs to be appended */
+        if (signerfile) {
+            if (!sksigners
+                && (sksigners = sk_OPENSSL_STRING_new_null()) == NULL)
+                goto end;
+            sk_OPENSSL_STRING_push(sksigners, signerfile);
+            if (!skkeys && (skkeys = sk_OPENSSL_STRING_new_null()) == NULL)
+                goto end;
+            if (!keyfile)
+                keyfile = signerfile;
+            sk_OPENSSL_STRING_push(skkeys, keyfile);
+        }
+        if (!sksigners) {
+            BIO_printf(bio_err, "No signer certificate specified\n");
+            goto opthelp;
+        }
+        signerfile = NULL;
+        keyfile = NULL;
+        need_rand = 1;
+    }
+
+    else if (operation == SMIME_DECRYPT) {
+        if (!recipfile && !keyfile && !secret_key && !pwri_pass) {
+            BIO_printf(bio_err,
+                       "No recipient certificate or key specified\n");
+            goto opthelp;
+        }
+    } else if (operation == SMIME_ENCRYPT) {
+        if (*argv == NULL && !secret_key && !pwri_pass && !encerts) {
+            BIO_printf(bio_err, "No recipient(s) certificate(s) specified\n");
+            goto opthelp;
+        }
+        need_rand = 1;
+    } else if (!operation)
+        goto opthelp;
+
+
+    if (!app_passwd(passinarg, NULL, &passin, NULL)) {
+        BIO_printf(bio_err, "Error getting password\n");
+        goto end;
+    }
+
+    if (need_rand) {
+        app_RAND_load_file(NULL, (inrand != NULL));
+        if (inrand != NULL)
+            BIO_printf(bio_err, "%ld semi-random bytes loaded\n",
+                       app_RAND_load_files(inrand));
+    }
+
+    ret = 2;
+
+    if (!(operation & SMIME_SIGNERS))
+        flags &= ~CMS_DETACHED;
+
+    if (operation & SMIME_OP) {
+        if (outformat == FORMAT_ASN1)
+            outmode = "wb";
+    } else {
+        if (flags & CMS_BINARY)
+            outmode = "wb";
+    }
+
+    if (operation & SMIME_IP) {
+        if (informat == FORMAT_ASN1)
+            inmode = "rb";
+    } else {
+        if (flags & CMS_BINARY)
+            inmode = "rb";
+    }
+
+    if (operation == SMIME_ENCRYPT) {
+        if (!cipher) {
+# ifndef OPENSSL_NO_DES
+            cipher = EVP_des_ede3_cbc();
+# else
+            BIO_printf(bio_err, "No cipher selected\n");
+            goto end;
+# endif
+        }
+
+        if (secret_key && !secret_keyid) {
+            BIO_printf(bio_err, "No secret key id\n");
+            goto end;
+        }
+
+        if (*argv && !encerts)
+            if ((encerts = sk_X509_new_null()) == NULL)
+                goto end;
+        while (*argv) {
+            if (!(cert = load_cert(*argv, FORMAT_PEM,
+                                   NULL, e, "recipient certificate file")))
+                goto end;
+            sk_X509_push(encerts, cert);
+            cert = NULL;
+            argv++;
+        }
+    }
+
+    if (certfile) {
+        if (!(other = load_certs(certfile, FORMAT_PEM, NULL,
+                                 e, "certificate file"))) {
+            ERR_print_errors(bio_err);
+            goto end;
+        }
+    }
+
+    if (recipfile && (operation == SMIME_DECRYPT)) {
+        if (!(recip = load_cert(recipfile, FORMAT_PEM, NULL,
+                                e, "recipient certificate file"))) {
+            ERR_print_errors(bio_err);
+            goto end;
+        }
+    }
+
+    if (operation == SMIME_SIGN_RECEIPT) {
+        if (!(signer = load_cert(signerfile, FORMAT_PEM, NULL,
+                                 e, "receipt signer certificate file"))) {
+            ERR_print_errors(bio_err);
+            goto end;
+        }
+    }
+
+    if (operation == SMIME_DECRYPT) {
+        if (!keyfile)
+            keyfile = recipfile;
+    } else if ((operation == SMIME_SIGN) || (operation == SMIME_SIGN_RECEIPT)) {
+        if (!keyfile)
+            keyfile = signerfile;
+    } else
+        keyfile = NULL;
+
+    if (keyfile) {
+        key = load_key(keyfile, keyform, 0, passin, e, "signing key file");
+        if (!key)
+            goto end;
+    }
+
+    in = bio_open_default(infile, inmode);
+    if (in == NULL)
+        goto end;
+
+    if (operation & SMIME_IP) {
+        if (informat == FORMAT_SMIME)
+            cms = SMIME_read_CMS(in, &indata);
+        else if (informat == FORMAT_PEM)
+            cms = PEM_read_bio_CMS(in, NULL, NULL, NULL);
+        else if (informat == FORMAT_ASN1)
+            cms = d2i_CMS_bio(in, NULL);
+        else {
+            BIO_printf(bio_err, "Bad input format for CMS file\n");
+            goto end;
+        }
+
+        if (!cms) {
+            BIO_printf(bio_err, "Error reading S/MIME message\n");
+            goto end;
+        }
+        if (contfile) {
+            BIO_free(indata);
+            if (!(indata = BIO_new_file(contfile, "rb"))) {
+                BIO_printf(bio_err, "Can't read content file %s\n", contfile);
+                goto end;
+            }
+        }
+        if (certsoutfile) {
+            STACK_OF(X509) *allcerts;
+            allcerts = CMS_get1_certs(cms);
+            if (!save_certs(certsoutfile, allcerts)) {
+                BIO_printf(bio_err,
+                           "Error writing certs to %s\n", certsoutfile);
+                ret = 5;
+                goto end;
+            }
+            sk_X509_pop_free(allcerts, X509_free);
+        }
+    }
+
+    if (rctfile) {
+        char *rctmode = (rctformat == FORMAT_ASN1) ? "rb" : "r";
+        if (!(rctin = BIO_new_file(rctfile, rctmode))) {
+            BIO_printf(bio_err, "Can't open receipt file %s\n", rctfile);
+            goto end;
+        }
+
+        if (rctformat == FORMAT_SMIME)
+            rcms = SMIME_read_CMS(rctin, NULL);
+        else if (rctformat == FORMAT_PEM)
+            rcms = PEM_read_bio_CMS(rctin, NULL, NULL, NULL);
+        else if (rctformat == FORMAT_ASN1)
+            rcms = d2i_CMS_bio(rctin, NULL);
+        else {
+            BIO_printf(bio_err, "Bad input format for receipt\n");
+            goto end;
+        }
+
+        if (!rcms) {
+            BIO_printf(bio_err, "Error reading receipt\n");
+            goto end;
+        }
+    }
+
+    out = bio_open_default(outfile, outmode);
+    if (out == NULL)
+        goto end;
+
+    if ((operation == SMIME_VERIFY) || (operation == SMIME_VERIFY_RECEIPT)) {
+        if (!(store = setup_verify(CAfile, CApath)))
+            goto end;
+        X509_STORE_set_verify_cb(store, cms_cb);
+        if (vpmtouched)
+            X509_STORE_set1_param(store, vpm);
+    }
+
+    ret = 3;
+
+    if (operation == SMIME_DATA_CREATE) {
+        cms = CMS_data_create(in, flags);
+    } else if (operation == SMIME_DIGEST_CREATE) {
+        cms = CMS_digest_create(in, sign_md, flags);
+    } else if (operation == SMIME_COMPRESS) {
+        cms = CMS_compress(in, -1, flags);
+    } else if (operation == SMIME_ENCRYPT) {
+        int i;
+        flags |= CMS_PARTIAL;
+        cms = CMS_encrypt(NULL, in, cipher, flags);
+        if (!cms)
+            goto end;
+        for (i = 0; i < sk_X509_num(encerts); i++) {
+            CMS_RecipientInfo *ri;
+            cms_key_param *kparam;
+            int tflags = flags;
+            X509 *x = sk_X509_value(encerts, i);
+            for (kparam = key_first; kparam; kparam = kparam->next) {
+                if (kparam->idx == i) {
+                    tflags |= CMS_KEY_PARAM;
+                    break;
+                }
+            }
+            ri = CMS_add1_recipient_cert(cms, x, tflags);
+            if (!ri)
+                goto end;
+            if (kparam) {
+                EVP_PKEY_CTX *pctx;
+                pctx = CMS_RecipientInfo_get0_pkey_ctx(ri);
+                if (!cms_set_pkey_param(pctx, kparam->param))
+                    goto end;
+            }
+            if (CMS_RecipientInfo_type(ri) == CMS_RECIPINFO_AGREE
+                && wrap_cipher) {
+                EVP_CIPHER_CTX *wctx;
+                wctx = CMS_RecipientInfo_kari_get0_ctx(ri);
+                EVP_EncryptInit_ex(wctx, wrap_cipher, NULL, NULL, NULL);
+            }
+        }
+
+        if (secret_key) {
+            if (!CMS_add0_recipient_key(cms, NID_undef,
+                                        secret_key, secret_keylen,
+                                        secret_keyid, secret_keyidlen,
+                                        NULL, NULL, NULL))
+                goto end;
+            /* NULL these because call absorbs them */
+            secret_key = NULL;
+            secret_keyid = NULL;
+        }
+        if (pwri_pass) {
+            pwri_tmp = (unsigned char *)BUF_strdup((char *)pwri_pass);
+            if (!pwri_tmp)
+                goto end;
+            if (!CMS_add0_recipient_password(cms,
+                                             -1, NID_undef, NID_undef,
+                                             pwri_tmp, -1, NULL))
+                goto end;
+            pwri_tmp = NULL;
+        }
+        if (!(flags & CMS_STREAM)) {
+            if (!CMS_final(cms, in, NULL, flags))
+                goto end;
+        }
+    } else if (operation == SMIME_ENCRYPTED_ENCRYPT) {
+        cms = CMS_EncryptedData_encrypt(in, cipher,
+                                        secret_key, secret_keylen, flags);
+
+    } else if (operation == SMIME_SIGN_RECEIPT) {
+        CMS_ContentInfo *srcms = NULL;
+        STACK_OF(CMS_SignerInfo) *sis;
+        CMS_SignerInfo *si;
+        sis = CMS_get0_SignerInfos(cms);
+        if (!sis)
+            goto end;
+        si = sk_CMS_SignerInfo_value(sis, 0);
+        srcms = CMS_sign_receipt(si, signer, key, other, flags);
+        if (!srcms)
+            goto end;
+        CMS_ContentInfo_free(cms);
+        cms = srcms;
+    } else if (operation & SMIME_SIGNERS) {
+        int i;
+        /*
+         * If detached data content we enable streaming if S/MIME output
+         * format.
+         */
+        if (operation == SMIME_SIGN) {
+
+            if (flags & CMS_DETACHED) {
+                if (outformat == FORMAT_SMIME)
+                    flags |= CMS_STREAM;
+            }
+            flags |= CMS_PARTIAL;
+            cms = CMS_sign(NULL, NULL, other, in, flags);
+            if (!cms)
+                goto end;
+            if (econtent_type)
+                CMS_set1_eContentType(cms, econtent_type);
+
+            if (rr_to) {
+                rr = make_receipt_request(rr_to, rr_allorfirst, rr_from);
+                if (!rr) {
+                    BIO_puts(bio_err,
+                             "Signed Receipt Request Creation Error\n");
+                    goto end;
+                }
+            }
+        } else
+            flags |= CMS_REUSE_DIGEST;
+        for (i = 0; i < sk_OPENSSL_STRING_num(sksigners); i++) {
+            CMS_SignerInfo *si;
+            cms_key_param *kparam;
+            int tflags = flags;
+            signerfile = sk_OPENSSL_STRING_value(sksigners, i);
+            keyfile = sk_OPENSSL_STRING_value(skkeys, i);
+
+            signer = load_cert(signerfile, FORMAT_PEM, NULL,
+                               e, "signer certificate");
+            if (!signer)
+                goto end;
+            key = load_key(keyfile, keyform, 0, passin, e, "signing key file");
+            if (!key)
+                goto end;
+            for (kparam = key_first; kparam; kparam = kparam->next) {
+                if (kparam->idx == i) {
+                    tflags |= CMS_KEY_PARAM;
+                    break;
+                }
+            }
+            si = CMS_add1_signer(cms, signer, key, sign_md, tflags);
+            if (!si)
+                goto end;
+            if (kparam) {
+                EVP_PKEY_CTX *pctx;
+                pctx = CMS_SignerInfo_get0_pkey_ctx(si);
+                if (!cms_set_pkey_param(pctx, kparam->param))
+                    goto end;
+            }
+            if (rr && !CMS_add1_ReceiptRequest(si, rr))
+                goto end;
+            X509_free(signer);
+            signer = NULL;
+            EVP_PKEY_free(key);
+            key = NULL;
+        }
+        /* If not streaming or resigning finalize structure */
+        if ((operation == SMIME_SIGN) && !(flags & CMS_STREAM)) {
+            if (!CMS_final(cms, in, NULL, flags))
+                goto end;
+        }
+    }
+
+    if (!cms) {
+        BIO_printf(bio_err, "Error creating CMS structure\n");
+        goto end;
+    }
+
+    ret = 4;
+    if (operation == SMIME_DECRYPT) {
+        if (flags & CMS_DEBUG_DECRYPT)
+            CMS_decrypt(cms, NULL, NULL, NULL, NULL, flags);
+
+        if (secret_key) {
+            if (!CMS_decrypt_set1_key(cms,
+                                      secret_key, secret_keylen,
+                                      secret_keyid, secret_keyidlen)) {
+                BIO_puts(bio_err, "Error decrypting CMS using secret key\n");
+                goto end;
+            }
+        }
+
+        if (key) {
+            if (!CMS_decrypt_set1_pkey(cms, key, recip)) {
+                BIO_puts(bio_err, "Error decrypting CMS using private key\n");
+                goto end;
+            }
+        }
+
+        if (pwri_pass) {
+            if (!CMS_decrypt_set1_password(cms, pwri_pass, -1)) {
+                BIO_puts(bio_err, "Error decrypting CMS using password\n");
+                goto end;
+            }
+        }
+
+        if (!CMS_decrypt(cms, NULL, NULL, indata, out, flags)) {
+            BIO_printf(bio_err, "Error decrypting CMS structure\n");
+            goto end;
+        }
+    } else if (operation == SMIME_DATAOUT) {
+        if (!CMS_data(cms, out, flags))
+            goto end;
+    } else if (operation == SMIME_UNCOMPRESS) {
+        if (!CMS_uncompress(cms, indata, out, flags))
+            goto end;
+    } else if (operation == SMIME_DIGEST_VERIFY) {
+        if (CMS_digest_verify(cms, indata, out, flags) > 0)
+            BIO_printf(bio_err, "Verification successful\n");
+        else {
+            BIO_printf(bio_err, "Verification failure\n");
+            goto end;
+        }
+    } else if (operation == SMIME_ENCRYPTED_DECRYPT) {
+        if (!CMS_EncryptedData_decrypt(cms, secret_key, secret_keylen,
+                                       indata, out, flags))
+            goto end;
+    } else if (operation == SMIME_VERIFY) {
+        if (CMS_verify(cms, other, store, indata, out, flags) > 0)
+            BIO_printf(bio_err, "Verification successful\n");
+        else {
+            BIO_printf(bio_err, "Verification failure\n");
+            if (verify_retcode)
+                ret = verify_err + 32;
+            goto end;
+        }
+        if (signerfile) {
+            STACK_OF(X509) *signers;
+            signers = CMS_get0_signers(cms);
+            if (!save_certs(signerfile, signers)) {
+                BIO_printf(bio_err,
+                           "Error writing signers to %s\n", signerfile);
+                ret = 5;
+                goto end;
+            }
+            sk_X509_free(signers);
+        }
+        if (rr_print)
+            receipt_request_print(cms);
+
+    } else if (operation == SMIME_VERIFY_RECEIPT) {
+        if (CMS_verify_receipt(rcms, cms, other, store, flags) > 0)
+            BIO_printf(bio_err, "Verification successful\n");
+        else {
+            BIO_printf(bio_err, "Verification failure\n");
+            goto end;
+        }
+    } else {
+        if (noout) {
+            if (print)
+                CMS_ContentInfo_print_ctx(out, cms, 0, NULL);
+        } else if (outformat == FORMAT_SMIME) {
+            if (to)
+                BIO_printf(out, "To: %s\n", to);
+            if (from)
+                BIO_printf(out, "From: %s\n", from);
+            if (subject)
+                BIO_printf(out, "Subject: %s\n", subject);
+            if (operation == SMIME_RESIGN)
+                ret = SMIME_write_CMS(out, cms, indata, flags);
+            else
+                ret = SMIME_write_CMS(out, cms, in, flags);
+        } else if (outformat == FORMAT_PEM)
+            ret = PEM_write_bio_CMS_stream(out, cms, in, flags);
+        else if (outformat == FORMAT_ASN1)
+            ret = i2d_CMS_bio_stream(out, cms, in, flags);
+        else {
+            BIO_printf(bio_err, "Bad output format for CMS file\n");
+            goto end;
+        }
+        if (ret <= 0) {
+            ret = 6;
+            goto end;
+        }
+    }
+    ret = 0;
+ end:
+    if (ret)
+        ERR_print_errors(bio_err);
+    if (need_rand)
+        app_RAND_write_file(NULL);
+    sk_X509_pop_free(encerts, X509_free);
+    sk_X509_pop_free(other, X509_free);
+    X509_VERIFY_PARAM_free(vpm);
+    sk_OPENSSL_STRING_free(sksigners);
+    sk_OPENSSL_STRING_free(skkeys);
+    OPENSSL_free(secret_key);
+    OPENSSL_free(secret_keyid);
+    OPENSSL_free(pwri_tmp);
+    ASN1_OBJECT_free(econtent_type);
+    CMS_ReceiptRequest_free(rr);
+    sk_OPENSSL_STRING_free(rr_to);
+    sk_OPENSSL_STRING_free(rr_from);
+    for (key_param = key_first; key_param;) {
+        cms_key_param *tparam;
+        sk_OPENSSL_STRING_free(key_param->param);
+        tparam = key_param->next;
+        OPENSSL_free(key_param);
+        key_param = tparam;
+    }
+    X509_STORE_free(store);
+    X509_free(cert);
+    X509_free(recip);
+    X509_free(signer);
+    EVP_PKEY_free(key);
+    CMS_ContentInfo_free(cms);
+    CMS_ContentInfo_free(rcms);
+    BIO_free(rctin);
+    BIO_free(in);
+    BIO_free(indata);
+    BIO_free_all(out);
+    OPENSSL_free(passin);
+    return (ret);
 }
 
 static int save_certs(char *signerfile, STACK_OF(X509) *signers)
-       {
-       int i;
-       BIO *tmp;
-       if (!signerfile)
-               return 1;
-       tmp = BIO_new_file(signerfile, "w");
-       if (!tmp) return 0;
-       for(i = 0; i < sk_X509_num(signers); i++)
-               PEM_write_bio_X509(tmp, sk_X509_value(signers, i));
-       BIO_free(tmp);
-       return 1;
-       }
-       
+{
+    int i;
+    BIO *tmp;
+    if (!signerfile)
+        return 1;
+    tmp = BIO_new_file(signerfile, "w");
+    if (!tmp)
+        return 0;
+    for (i = 0; i < sk_X509_num(signers); i++)
+        PEM_write_bio_X509(tmp, sk_X509_value(signers, i));
+    BIO_free(tmp);
+    return 1;
+}
 
 /* Minimal callback just to output policy info (if any) */
 
-static int smime_cb(int ok, X509_STORE_CTX *ctx)
-       {
-       int error;
+static int cms_cb(int ok, X509_STORE_CTX *ctx)
+{
+    int error;
+
+    error = X509_STORE_CTX_get_error(ctx);
+
+    verify_err = error;
+
+    if ((error != X509_V_ERR_NO_EXPLICIT_POLICY)
+        && ((error != X509_V_OK) || (ok != 2)))
+        return ok;
+
+    policies_print(ctx);
+
+    return ok;
 
-       error = X509_STORE_CTX_get_error(ctx);
+}
+
+static void gnames_stack_print(STACK_OF(GENERAL_NAMES) *gns)
+{
+    STACK_OF(GENERAL_NAME) *gens;
+    GENERAL_NAME *gen;
+    int i, j;
+
+    for (i = 0; i < sk_GENERAL_NAMES_num(gns); i++) {
+        gens = sk_GENERAL_NAMES_value(gns, i);
+        for (j = 0; j < sk_GENERAL_NAME_num(gens); j++) {
+            gen = sk_GENERAL_NAME_value(gens, j);
+            BIO_puts(bio_err, "    ");
+            GENERAL_NAME_print(bio_err, gen);
+            BIO_puts(bio_err, "\n");
+        }
+    }
+    return;
+}
+
+static void receipt_request_print(CMS_ContentInfo *cms)
+{
+    STACK_OF(CMS_SignerInfo) *sis;
+    CMS_SignerInfo *si;
+    CMS_ReceiptRequest *rr;
+    int allorfirst;
+    STACK_OF(GENERAL_NAMES) *rto, *rlist;
+    ASN1_STRING *scid;
+    int i, rv;
+    sis = CMS_get0_SignerInfos(cms);
+    for (i = 0; i < sk_CMS_SignerInfo_num(sis); i++) {
+        si = sk_CMS_SignerInfo_value(sis, i);
+        rv = CMS_get1_ReceiptRequest(si, &rr);
+        BIO_printf(bio_err, "Signer %d:\n", i + 1);
+        if (rv == 0)
+            BIO_puts(bio_err, "  No Receipt Request\n");
+        else if (rv < 0) {
+            BIO_puts(bio_err, "  Receipt Request Parse Error\n");
+            ERR_print_errors(bio_err);
+        } else {
+            char *id;
+            int idlen;
+            CMS_ReceiptRequest_get0_values(rr, &scid, &allorfirst,
+                                           &rlist, &rto);
+            BIO_puts(bio_err, "  Signed Content ID:\n");
+            idlen = ASN1_STRING_length(scid);
+            id = (char *)ASN1_STRING_data(scid);
+            BIO_dump_indent(bio_err, id, idlen, 4);
+            BIO_puts(bio_err, "  Receipts From");
+            if (rlist) {
+                BIO_puts(bio_err, " List:\n");
+                gnames_stack_print(rlist);
+            } else if (allorfirst == 1)
+                BIO_puts(bio_err, ": First Tier\n");
+            else if (allorfirst == 0)
+                BIO_puts(bio_err, ": All\n");
+            else
+                BIO_printf(bio_err, " Unknown (%d)\n", allorfirst);
+            BIO_puts(bio_err, "  Receipts To:\n");
+            gnames_stack_print(rto);
+        }
+        CMS_ReceiptRequest_free(rr);
+    }
+}
 
-       if ((error != X509_V_ERR_NO_EXPLICIT_POLICY)
-               && ((error != X509_V_OK) || (ok != 2)))
-               return ok;
+static STACK_OF(GENERAL_NAMES) *make_names_stack(STACK_OF(OPENSSL_STRING) *ns)
+{
+    int i;
+    STACK_OF(GENERAL_NAMES) *ret;
+    GENERAL_NAMES *gens = NULL;
+    GENERAL_NAME *gen = NULL;
+    ret = sk_GENERAL_NAMES_new_null();
+    if (!ret)
+        goto err;
+    for (i = 0; i < sk_OPENSSL_STRING_num(ns); i++) {
+        char *str = sk_OPENSSL_STRING_value(ns, i);
+        gen = a2i_GENERAL_NAME(NULL, NULL, NULL, GEN_EMAIL, str, 0);
+        if (!gen)
+            goto err;
+        gens = GENERAL_NAMES_new();
+        if (!gens)
+            goto err;
+        if (!sk_GENERAL_NAME_push(gens, gen))
+            goto err;
+        gen = NULL;
+        if (!sk_GENERAL_NAMES_push(ret, gens))
+            goto err;
+        gens = NULL;
+    }
 
-       policies_print(NULL, ctx);
+    return ret;
 
-       return ok;
+ err:
+    sk_GENERAL_NAMES_pop_free(ret, GENERAL_NAMES_free);
+    GENERAL_NAMES_free(gens);
+    GENERAL_NAME_free(gen);
+    return NULL;
+}
 
-       }
+static CMS_ReceiptRequest *make_receipt_request(STACK_OF(OPENSSL_STRING)
+                                                *rr_to, int rr_allorfirst, STACK_OF(OPENSSL_STRING)
+                                                *rr_from)
+{
+    STACK_OF(GENERAL_NAMES) *rct_to, *rct_from;
+    CMS_ReceiptRequest *rr;
+    rct_to = make_names_stack(rr_to);
+    if (!rct_to)
+        goto err;
+    if (rr_from) {
+        rct_from = make_names_stack(rr_from);
+        if (!rct_from)
+            goto err;
+    } else
+        rct_from = NULL;
+    rr = CMS_ReceiptRequest_create0(NULL, -1, rr_allorfirst, rct_from,
+                                    rct_to);
+    return rr;
+ err:
+    return NULL;
+}
+
+static int cms_set_pkey_param(EVP_PKEY_CTX *pctx,
+                              STACK_OF(OPENSSL_STRING) *param)
+{
+    char *keyopt;
+    int i;
+    if (sk_OPENSSL_STRING_num(param) <= 0)
+        return 1;
+    for (i = 0; i < sk_OPENSSL_STRING_num(param); i++) {
+        keyopt = sk_OPENSSL_STRING_value(param, i);
+        if (pkey_ctrl_string(pctx, keyopt) <= 0) {
+            BIO_printf(bio_err, "parameter error \"%s\"\n", keyopt);
+            ERR_print_errors(bio_err);
+            return 0;
+        }
+    }
+    return 1;
+}
 
 #endif