X-Git-Url: https://git.openssl.org/?p=openssl.git;a=blobdiff_plain;f=apps%2Fcms.c;h=397071ca7f4985758e37f001880a07d8692d83a0;hp=08774269247e7660c63c2a0685b4fb9fd9123d79;hb=7e1b7485706c2b11091b5fa897fe496a2faa56cc;hpb=0dfb9398bb6493d5a56216e0c7039cb3f9fc88c6 diff --git a/apps/cms.c b/apps/cms.c index 0877426924..397071ca7f 100644 --- a/apps/cms.c +++ b/apps/cms.c @@ -1,4 +1,3 @@ -/* apps/cms.c */ /* * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project. @@ -67,8 +66,6 @@ # include # include -# undef PROG -# define PROG cms_main static int save_certs(char *signerfile, STACK_OF(X509) *signers); static int cms_cb(int ok, X509_STORE_CTX *ctx); static void receipt_request_print(BIO *out, CMS_ContentInfo *cms); @@ -108,347 +105,456 @@ struct cms_key_param_st { cms_key_param *next; }; -int MAIN(int, char **); +typedef enum OPTION_choice { + OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, + OPT_INFORM, OPT_OUTFORM, OPT_IN, OPT_OUT, OPT_ENCRYPT, + OPT_DECRYPT, OPT_SIGN, OPT_SIGN_RECEIPT, OPT_RESIGN, + OPT_VERIFY, OPT_VERIFY_RETCODE, OPT_VERIFY_RECEIPT, + OPT_CMSOUT, OPT_DATA_OUT, OPT_DATA_CREATE, OPT_DIGEST_VERIFY, + OPT_DIGEST_CREATE, OPT_COMPRESS, OPT_UNCOMPRESS, + OPT_ED_DECRYPT, OPT_ED_ENCRYPT, OPT_DEBUG_DECRYPT, OPT_TEXT, + OPT_ASCIICRLF, OPT_NOINTERN, OPT_NOVERIFY, OPT_NOCERTS, + OPT_NOATTR, OPT_NODETACH, OPT_NOSMIMECAP, OPT_BINARY, OPT_KEYID, + OPT_NOSIGS, OPT_NO_CONTENT_VERIFY, OPT_NO_ATTR_VERIFY, OPT_INDEF, + OPT_NOINDEF, OPT_NOOLDMIME, OPT_CRLFEOL, OPT_NOOUT, OPT_RR_PRINT, + OPT_RR_ALL, OPT_RR_FIRST, OPT_RCTFORM, OPT_CERTFILE, OPT_CAFILE, + OPT_CAPATH, OPT_CONTENT, OPT_PRINT, OPT_SECRETKEY, + OPT_SECRETKEYID, OPT_PWRI_PASSWORD, OPT_ECONTENT_TYPE, OPT_RAND, + OPT_PASSIN, OPT_TO, OPT_FROM, OPT_SUBJECT, OPT_SIGNER, OPT_RECIP, + OPT_CERTSOUT, OPT_MD, OPT_INKEY, OPT_KEYFORM, OPT_KEYOPT, OPT_RR_FROM, + OPT_RR_TO, OPT_AES128_WRAP, OPT_AES192_WRAP, OPT_AES256_WRAP, + OPT_3DES_WRAP, OPT_ENGINE, + OPT_V_ENUM, + OPT_CIPHER +} OPTION_CHOICE; + +OPTIONS cms_options[] = { + {OPT_HELP_STR, 1, '-', "Usage: %s [options] cert.pem...\n"}, + {OPT_HELP_STR, 1, '-', + " cert.pem... recipient certs for encryption\n"}, + {OPT_HELP_STR, 1, '-', "Valid options are:\n"}, + {"help", OPT_HELP, '-', "Display this summary"}, + {"inform", OPT_INFORM, 'F', "Input format SMIME (default), PEM or DER"}, + {"outform", OPT_OUTFORM, 'F', + "Output format SMIME (default), PEM or DER"}, + {"in", OPT_IN, '<', "Input file"}, + {"out", OPT_OUT, '>', "Output file"}, + {"encrypt", OPT_ENCRYPT, '-', "Encrypt message"}, + {"decrypt", OPT_DECRYPT, '-', "Decrypt encrypted message"}, + {"sign", OPT_SIGN, '-', "Sign message"}, + {"sign_receipt", OPT_SIGN_RECEIPT, '-'}, + {"resign", OPT_RESIGN, '-'}, + {"verify", OPT_VERIFY, '-', "Verify signed message"}, + {"verify_retcode", OPT_VERIFY_RETCODE, '-'}, + {"verify_receipt", OPT_VERIFY_RECEIPT, '<'}, + {"cmsout", OPT_CMSOUT, '-', "Output CMS structure"}, + {"data_out", OPT_DATA_OUT, '-'}, + {"data_create", OPT_DATA_CREATE, '-'}, + {"digest_verify", OPT_DIGEST_VERIFY, '-'}, + {"digest_create", OPT_DIGEST_CREATE, '-'}, + {"compress", OPT_COMPRESS, '-'}, + {"uncompress", OPT_UNCOMPRESS, '-'}, + {"EncryptedData_decrypt", OPT_ED_DECRYPT, '-'}, + {"EncryptedData_encrypt", OPT_ED_ENCRYPT, '-'}, + {"debug_decrypt", OPT_DEBUG_DECRYPT, '-'}, + {"text", OPT_TEXT, '-', "Include or delete text MIME headers"}, + {"asciicrlf", OPT_ASCIICRLF, '-'}, + {"nointern", OPT_NOINTERN, '-', + "Don't search certificates in message for signer"}, + {"noverify", OPT_NOVERIFY, '-', "Don't verify signers certificate"}, + {"nocerts", OPT_NOCERTS, '-', + "Don't include signers certificate when signing"}, + {"noattr", OPT_NOATTR, '-', "Don't include any signed attributes"}, + {"nodetach", OPT_NODETACH, '-', "Use opaque signing"}, + {"nosmimecap", OPT_NOSMIMECAP, '-'}, + {"binary", OPT_BINARY, '-', "Don't translate message to text"}, + {"keyid", OPT_KEYID, '-', "Use subject key identifier"}, + {"nosigs", OPT_NOSIGS, '-', "Don't verify message signature"}, + {"no_content_verify", OPT_NO_CONTENT_VERIFY, '-'}, + {"no_attr_verify", OPT_NO_ATTR_VERIFY, '-'}, + {"stream", OPT_INDEF, '-'}, + {"indef", OPT_INDEF, '-'}, + {"noindef", OPT_NOINDEF, '-'}, + {"nooldmime", OPT_NOOLDMIME, '-'}, + {"crlfeol", OPT_CRLFEOL, '-'}, + {"noout", OPT_NOOUT, '-'}, + {"receipt_request_print", OPT_RR_PRINT, '-'}, + {"receipt_request_all", OPT_RR_ALL, '-'}, + {"receipt_request_first", OPT_RR_FIRST, '-'}, + {"rctform", OPT_RCTFORM, 'F'}, + {"certfile", OPT_CERTFILE, '<', "Other certificates file"}, + {"CAfile", OPT_CAFILE, '<', "Trusted certificates file"}, + {"CApath", OPT_CAPATH, '/', "trusted certificates directory"}, + {"content", OPT_CONTENT, '<', + "Supply or override content for detached signature"}, + {"print", OPT_PRINT, '-'}, + {"secretkey", OPT_SECRETKEY, 's'}, + {"secretkeyid", OPT_SECRETKEYID, 's'}, + {"pwri_password", OPT_PWRI_PASSWORD, 's'}, + {"econtent_type", OPT_ECONTENT_TYPE, 's'}, + {"rand", OPT_RAND, 's', + "Load the file(s) into the random number generator"}, + {"passin", OPT_PASSIN, 's', "Input file pass phrase source"}, + {"to", OPT_TO, 's', "To address"}, + {"from", OPT_FROM, 's', "From address"}, + {"subject", OPT_SUBJECT, 's', "Subject"}, + {"signer", OPT_SIGNER, 's', "Signer certificate file"}, + {"recip", OPT_RECIP, '<', "Recipient cert file for decryption"}, + {"certsout", OPT_CERTSOUT, '>', "Certificate output file"}, + {"md", OPT_MD, 's'}, + {"inkey", OPT_INKEY, '<', + "Input private key (if not signer or recipient)"}, + {"keyform", OPT_KEYFORM, 'f', "Input private key format (PEM or ENGINE)"}, + {"keyopt", OPT_KEYOPT, 's', "Set public key parameters as n:v pairs"}, + {"receipt_request_from", OPT_RR_FROM, 's'}, + {"receipt_request_to", OPT_RR_TO, 's'}, +# ifndef OPENSSL_NO_AES + {"aes128-wrap", OPT_AES128_WRAP, '-', "Use AES128 to wrap key"}, + {"aes192-wrap", OPT_AES192_WRAP, '-', "Use AES192 to wrap key"}, + {"aes256-wrap", OPT_AES256_WRAP, '-', "Use AES256 to wrap key"}, +# endif +# ifndef OPENSSL_NO_DES + {"des3-wrap", OPT_3DES_WRAP, '-', "Use 3DES-EDE to wrap key"}, +# endif +# ifndef OPENSSL_NO_ENGINE + {"engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device"}, +# endif + {"", OPT_CIPHER, '-', "Any supported cipher"}, + OPT_V_OPTIONS, + {NULL}, +}; -int MAIN(int argc, char **argv) +int cms_main(int argc, char **argv) { - ENGINE *e = NULL; - int operation = 0; - int ret = 0; - char **args; - const char *inmode = "r", *outmode = "w"; - char *infile = NULL, *outfile = NULL, *rctfile = NULL; - char *signerfile = NULL, *recipfile = NULL; - STACK_OF(OPENSSL_STRING) *sksigners = NULL, *skkeys = NULL; - char *certfile = NULL, *keyfile = NULL, *contfile = NULL; - char *certsoutfile = NULL; - const EVP_CIPHER *cipher = NULL, *wrap_cipher = NULL; - CMS_ContentInfo *cms = NULL, *rcms = NULL; - X509_STORE *store = NULL; - X509 *cert = NULL, *recip = NULL, *signer = NULL; - EVP_PKEY *key = NULL; - STACK_OF(X509) *encerts = NULL, *other = NULL; + ASN1_OBJECT *econtent_type = NULL; BIO *in = NULL, *out = NULL, *indata = NULL, *rctin = NULL; - int badarg = 0; - int flags = CMS_DETACHED, noout = 0, print = 0; - int verify_retcode = 0; - int rr_print = 0, rr_allorfirst = -1; - STACK_OF(OPENSSL_STRING) *rr_to = NULL, *rr_from = NULL; + CMS_ContentInfo *cms = NULL, *rcms = NULL; CMS_ReceiptRequest *rr = NULL; - char *to = NULL, *from = NULL, *subject = NULL; - char *CAfile = NULL, *CApath = NULL; - char *passargin = NULL, *passin = NULL; - char *inrand = NULL; - int need_rand = 0; + ENGINE *e = NULL; + EVP_PKEY *key = NULL; + const EVP_CIPHER *cipher = NULL, *wrap_cipher = NULL; const EVP_MD *sign_md = NULL; + STACK_OF(OPENSSL_STRING) *rr_to = NULL, *rr_from = NULL; + STACK_OF(OPENSSL_STRING) *sksigners = NULL, *skkeys = NULL; + STACK_OF(X509) *encerts = NULL, *other = NULL; + X509 *cert = NULL, *recip = NULL, *signer = NULL; + X509_STORE *store = NULL; + X509_VERIFY_PARAM *vpm = NULL; + char *certfile = NULL, *keyfile = NULL, *contfile = NULL; + char *CAfile = NULL, *CApath = NULL, *certsoutfile = NULL, *engine = NULL; + char *infile = NULL, *outfile = NULL, *rctfile = NULL, *inrand = NULL; + char *passinarg = NULL, *passin = NULL, *signerfile = NULL, *recipfile = + NULL; + char *to = NULL, *from = NULL, *subject = NULL, *prog; + cms_key_param *key_first = NULL, *key_param = NULL; + const char *inmode = "r", *outmode = "w"; + int flags = CMS_DETACHED, noout = 0, print = 0, keyidx = -1, vpmtouched = + 0; int informat = FORMAT_SMIME, outformat = FORMAT_SMIME; - int rctformat = FORMAT_SMIME, keyform = FORMAT_PEM; -# ifndef OPENSSL_NO_ENGINE - char *engine = NULL; -# endif - unsigned char *secret_key = NULL, *secret_keyid = NULL; - unsigned char *pwri_pass = NULL, *pwri_tmp = NULL; + int need_rand = 0, operation = 0, ret = 1, rr_print = 0, rr_allorfirst = + -1; + int verify_retcode = 0, rctformat = FORMAT_SMIME, keyform = FORMAT_PEM; size_t secret_keylen = 0, secret_keyidlen = 0; + unsigned char *pwri_pass = NULL, *pwri_tmp = NULL; + unsigned char *secret_key = NULL, *secret_keyid = NULL; + long ltmp; + OPTION_CHOICE o; - cms_key_param *key_first = NULL, *key_param = NULL; - - ASN1_OBJECT *econtent_type = NULL; - - X509_VERIFY_PARAM *vpm = NULL; - - args = argv + 1; - ret = 1; - - apps_startup(); - - if (bio_err == NULL) { - if ((bio_err = BIO_new(BIO_s_file())) != NULL) - BIO_set_fp(bio_err, stderr, BIO_NOCLOSE | BIO_FP_TEXT); - } - - if (!load_config(bio_err, NULL)) - goto end; + if ((vpm = X509_VERIFY_PARAM_new()) == NULL) + return 1; - while (!badarg && *args && *args[0] == '-') { - if (!strcmp(*args, "-encrypt")) + prog = opt_init(argc, argv, cms_options); + while ((o = opt_next()) != OPT_EOF) { + switch (o) { + case OPT_EOF: + case OPT_ERR: + opthelp: + BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); + goto end; + case OPT_HELP: + opt_help(cms_options); + ret = 0; + goto end; + case OPT_INFORM: + if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &informat)) + goto opthelp; + break; + case OPT_OUTFORM: + if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &outformat)) + goto opthelp; + break; + case OPT_OUT: + outfile = opt_arg(); + break; + case OPT_ENCRYPT: operation = SMIME_ENCRYPT; - else if (!strcmp(*args, "-decrypt")) + break; + case OPT_DECRYPT: operation = SMIME_DECRYPT; - else if (!strcmp(*args, "-sign")) + break; + case OPT_SIGN: operation = SMIME_SIGN; - else if (!strcmp(*args, "-sign_receipt")) + break; + case OPT_SIGN_RECEIPT: operation = SMIME_SIGN_RECEIPT; - else if (!strcmp(*args, "-resign")) + break; + case OPT_RESIGN: operation = SMIME_RESIGN; - else if (!strcmp(*args, "-verify")) + break; + case OPT_VERIFY: operation = SMIME_VERIFY; - else if (!strcmp(*args, "-verify_retcode")) + break; + case OPT_VERIFY_RETCODE: verify_retcode = 1; - else if (!strcmp(*args, "-verify_receipt")) { + break; + case OPT_VERIFY_RECEIPT: operation = SMIME_VERIFY_RECEIPT; - if (!args[1]) - goto argerr; - args++; - rctfile = *args; - } else if (!strcmp(*args, "-cmsout")) + rctfile = opt_arg(); + break; + case OPT_CMSOUT: operation = SMIME_CMSOUT; - else if (!strcmp(*args, "-data_out")) + break; + case OPT_DATA_OUT: operation = SMIME_DATAOUT; - else if (!strcmp(*args, "-data_create")) + break; + case OPT_DATA_CREATE: operation = SMIME_DATA_CREATE; - else if (!strcmp(*args, "-digest_verify")) + break; + case OPT_DIGEST_VERIFY: operation = SMIME_DIGEST_VERIFY; - else if (!strcmp(*args, "-digest_create")) + break; + case OPT_DIGEST_CREATE: operation = SMIME_DIGEST_CREATE; - else if (!strcmp(*args, "-compress")) + break; + case OPT_COMPRESS: operation = SMIME_COMPRESS; - else if (!strcmp(*args, "-uncompress")) + break; + case OPT_UNCOMPRESS: operation = SMIME_UNCOMPRESS; - else if (!strcmp(*args, "-EncryptedData_decrypt")) + break; + case OPT_ED_DECRYPT: operation = SMIME_ENCRYPTED_DECRYPT; - else if (!strcmp(*args, "-EncryptedData_encrypt")) + break; + case OPT_ED_ENCRYPT: operation = SMIME_ENCRYPTED_ENCRYPT; -# ifndef OPENSSL_NO_DES - else if (!strcmp(*args, "-des3")) - cipher = EVP_des_ede3_cbc(); - else if (!strcmp(*args, "-des")) - cipher = EVP_des_cbc(); - else if (!strcmp(*args, "-des3-wrap")) - wrap_cipher = EVP_des_ede3_wrap(); -# endif -# ifndef OPENSSL_NO_SEED - else if (!strcmp(*args, "-seed")) - cipher = EVP_seed_cbc(); -# endif -# ifndef OPENSSL_NO_RC2 - else if (!strcmp(*args, "-rc2-40")) - cipher = EVP_rc2_40_cbc(); - else if (!strcmp(*args, "-rc2-128")) - cipher = EVP_rc2_cbc(); - else if (!strcmp(*args, "-rc2-64")) - cipher = EVP_rc2_64_cbc(); -# endif -# ifndef OPENSSL_NO_AES - else if (!strcmp(*args, "-aes128")) - cipher = EVP_aes_128_cbc(); - else if (!strcmp(*args, "-aes192")) - cipher = EVP_aes_192_cbc(); - else if (!strcmp(*args, "-aes256")) - cipher = EVP_aes_256_cbc(); - else if (!strcmp(*args, "-aes128-wrap")) - wrap_cipher = EVP_aes_128_wrap(); - else if (!strcmp(*args, "-aes192-wrap")) - wrap_cipher = EVP_aes_192_wrap(); - else if (!strcmp(*args, "-aes256-wrap")) - wrap_cipher = EVP_aes_256_wrap(); -# endif -# ifndef OPENSSL_NO_CAMELLIA - else if (!strcmp(*args, "-camellia128")) - cipher = EVP_camellia_128_cbc(); - else if (!strcmp(*args, "-camellia192")) - cipher = EVP_camellia_192_cbc(); - else if (!strcmp(*args, "-camellia256")) - cipher = EVP_camellia_256_cbc(); -# endif - else if (!strcmp(*args, "-debug_decrypt")) + break; + case OPT_DEBUG_DECRYPT: flags |= CMS_DEBUG_DECRYPT; - else if (!strcmp(*args, "-text")) + break; + case OPT_TEXT: flags |= CMS_TEXT; - else if (!strcmp(*args, "-asciicrlf")) + break; + case OPT_ASCIICRLF: flags |= CMS_ASCIICRLF; - else if (!strcmp(*args, "-nointern")) + break; + case OPT_NOINTERN: flags |= CMS_NOINTERN; - else if (!strcmp(*args, "-noverify") - || !strcmp(*args, "-no_signer_cert_verify")) + break; + case OPT_NOVERIFY: flags |= CMS_NO_SIGNER_CERT_VERIFY; - else if (!strcmp(*args, "-nocerts")) + break; + case OPT_NOCERTS: flags |= CMS_NOCERTS; - else if (!strcmp(*args, "-noattr")) + break; + case OPT_NOATTR: flags |= CMS_NOATTR; - else if (!strcmp(*args, "-nodetach")) + break; + case OPT_NODETACH: flags &= ~CMS_DETACHED; - else if (!strcmp(*args, "-nosmimecap")) + break; + case OPT_NOSMIMECAP: flags |= CMS_NOSMIMECAP; - else if (!strcmp(*args, "-binary")) + break; + case OPT_BINARY: flags |= CMS_BINARY; - else if (!strcmp(*args, "-keyid")) + break; + case OPT_KEYID: flags |= CMS_USE_KEYID; - else if (!strcmp(*args, "-nosigs")) + break; + case OPT_NOSIGS: flags |= CMS_NOSIGS; - else if (!strcmp(*args, "-no_content_verify")) + break; + case OPT_NO_CONTENT_VERIFY: flags |= CMS_NO_CONTENT_VERIFY; - else if (!strcmp(*args, "-no_attr_verify")) + break; + case OPT_NO_ATTR_VERIFY: flags |= CMS_NO_ATTR_VERIFY; - else if (!strcmp(*args, "-stream")) + break; + case OPT_INDEF: flags |= CMS_STREAM; - else if (!strcmp(*args, "-indef")) - flags |= CMS_STREAM; - else if (!strcmp(*args, "-noindef")) + break; + case OPT_NOINDEF: flags &= ~CMS_STREAM; - else if (!strcmp(*args, "-nooldmime")) + break; + case OPT_NOOLDMIME: flags |= CMS_NOOLDMIMETYPE; - else if (!strcmp(*args, "-crlfeol")) + break; + case OPT_CRLFEOL: flags |= CMS_CRLFEOL; - else if (!strcmp(*args, "-noout")) + break; + case OPT_NOOUT: noout = 1; - else if (!strcmp(*args, "-receipt_request_print")) + break; + case OPT_RR_PRINT: rr_print = 1; - else if (!strcmp(*args, "-receipt_request_all")) + break; + case OPT_RR_ALL: rr_allorfirst = 0; - else if (!strcmp(*args, "-receipt_request_first")) + break; + case OPT_RR_FIRST: rr_allorfirst = 1; - else if (!strcmp(*args, "-receipt_request_from")) { - if (!args[1]) - goto argerr; - args++; - if (!rr_from) - rr_from = sk_OPENSSL_STRING_new_null(); - sk_OPENSSL_STRING_push(rr_from, *args); - } else if (!strcmp(*args, "-receipt_request_to")) { - if (!args[1]) - goto argerr; - args++; - if (!rr_to) - rr_to = sk_OPENSSL_STRING_new_null(); - sk_OPENSSL_STRING_push(rr_to, *args); - } else if (!strcmp(*args, "-print")) { - noout = 1; - print = 1; - } else if (!strcmp(*args, "-secretkey")) { - long ltmp; - if (!args[1]) - goto argerr; - args++; - secret_key = string_to_hex(*args, <mp); - if (!secret_key) { - BIO_printf(bio_err, "Invalid key %s\n", *args); - goto argerr; + break; + case OPT_RCTFORM: + if (rctformat == FORMAT_SMIME) + rcms = SMIME_read_CMS(rctin, NULL); + else if (rctformat == FORMAT_PEM) + rcms = PEM_read_bio_CMS(rctin, NULL, NULL, NULL); + else if (rctformat == FORMAT_ASN1) + if (!opt_format(opt_arg(), + OPT_FMT_PEMDER | OPT_FMT_SMIME, &rctformat)) + goto opthelp; + break; + case OPT_CERTFILE: + certfile = opt_arg(); + break; + case OPT_CAFILE: + CAfile = opt_arg(); + break; + case OPT_CAPATH: + CApath = opt_arg(); + break; + case OPT_IN: + infile = opt_arg(); + break; + case OPT_CONTENT: + contfile = opt_arg(); + break; + case OPT_RR_FROM: + if (rr_from == NULL + && (rr_from = sk_OPENSSL_STRING_new_null()) == NULL) + goto end; + sk_OPENSSL_STRING_push(rr_from, opt_arg()); + break; + case OPT_RR_TO: + if (rr_to == NULL + && (rr_to = sk_OPENSSL_STRING_new_null()) == NULL) + goto end; + sk_OPENSSL_STRING_push(rr_to, opt_arg()); + break; + case OPT_PRINT: + noout = print = 1; + break; + case OPT_SECRETKEY: + secret_key = string_to_hex(opt_arg(), <mp); + if (secret_key == NULL) { + BIO_printf(bio_err, "Invalid key %s\n", opt_arg()); + goto end; } secret_keylen = (size_t)ltmp; - } else if (!strcmp(*args, "-secretkeyid")) { - long ltmp; - if (!args[1]) - goto argerr; - args++; - secret_keyid = string_to_hex(*args, <mp); - if (!secret_keyid) { - BIO_printf(bio_err, "Invalid id %s\n", *args); - goto argerr; + break; + case OPT_SECRETKEYID: + secret_keyid = string_to_hex(opt_arg(), <mp); + if (secret_keyid == NULL) { + BIO_printf(bio_err, "Invalid id %s\n", opt_arg()); + goto opthelp; } secret_keyidlen = (size_t)ltmp; - } else if (!strcmp(*args, "-pwri_password")) { - if (!args[1]) - goto argerr; - args++; - pwri_pass = (unsigned char *)*args; - } else if (!strcmp(*args, "-econtent_type")) { - if (!args[1]) - goto argerr; - args++; - econtent_type = OBJ_txt2obj(*args, 0); - if (!econtent_type) { - BIO_printf(bio_err, "Invalid OID %s\n", *args); - goto argerr; + break; + case OPT_PWRI_PASSWORD: + pwri_pass = (unsigned char *)opt_arg(); + break; + case OPT_ECONTENT_TYPE: + econtent_type = OBJ_txt2obj(opt_arg(), 0); + if (econtent_type == NULL) { + BIO_printf(bio_err, "Invalid OID %s\n", opt_arg()); + goto opthelp; } - } else if (!strcmp(*args, "-rand")) { - if (!args[1]) - goto argerr; - args++; - inrand = *args; + break; + case OPT_RAND: + inrand = opt_arg(); need_rand = 1; - } -# ifndef OPENSSL_NO_ENGINE - else if (!strcmp(*args, "-engine")) { - if (!args[1]) - goto argerr; - engine = *++args; - } -# endif - else if (!strcmp(*args, "-passin")) { - if (!args[1]) - goto argerr; - passargin = *++args; - } else if (!strcmp(*args, "-to")) { - if (!args[1]) - goto argerr; - to = *++args; - } else if (!strcmp(*args, "-from")) { - if (!args[1]) - goto argerr; - from = *++args; - } else if (!strcmp(*args, "-subject")) { - if (!args[1]) - goto argerr; - subject = *++args; - } else if (!strcmp(*args, "-signer")) { - if (!args[1]) - goto argerr; + break; + case OPT_ENGINE: + engine = opt_arg(); + break; + case OPT_PASSIN: + passinarg = opt_arg(); + break; + case OPT_TO: + to = opt_arg(); + break; + case OPT_FROM: + from = opt_arg(); + break; + case OPT_SUBJECT: + subject = opt_arg(); + break; + case OPT_CERTSOUT: + certsoutfile = opt_arg(); + break; + case OPT_MD: + if (!opt_md(opt_arg(), &sign_md)) + goto end; + break; + case OPT_SIGNER: /* If previous -signer argument add signer to list */ - if (signerfile) { - if (!sksigners) - sksigners = sk_OPENSSL_STRING_new_null(); + if (sksigners == NULL + && (sksigners = sk_OPENSSL_STRING_new_null()) == NULL) + goto end; sk_OPENSSL_STRING_push(sksigners, signerfile); - if (!keyfile) + if (keyfile == NULL) keyfile = signerfile; - if (!skkeys) - skkeys = sk_OPENSSL_STRING_new_null(); + if (skkeys == NULL + && (skkeys = sk_OPENSSL_STRING_new_null()) == NULL) + goto end; sk_OPENSSL_STRING_push(skkeys, keyfile); keyfile = NULL; } - signerfile = *++args; - } else if (!strcmp(*args, "-recip")) { - if (!args[1]) - goto argerr; - if (operation == SMIME_ENCRYPT) { - if (!encerts) - encerts = sk_X509_new_null(); - cert = load_cert(bio_err, *++args, FORMAT_PEM, - NULL, e, "recipient certificate file"); - if (!cert) - goto end; - sk_X509_push(encerts, cert); - cert = NULL; - } else - recipfile = *++args; - } else if (!strcmp(*args, "-certsout")) { - if (!args[1]) - goto argerr; - certsoutfile = *++args; - } else if (!strcmp(*args, "-md")) { - if (!args[1]) - goto argerr; - sign_md = EVP_get_digestbyname(*++args); - if (sign_md == NULL) { - BIO_printf(bio_err, "Unknown digest %s\n", *args); - goto argerr; - } - } else if (!strcmp(*args, "-inkey")) { - if (!args[1]) - goto argerr; + signerfile = opt_arg(); + break; + case OPT_INKEY: /* If previous -inkey arument add signer to list */ if (keyfile) { - if (!signerfile) { + if (signerfile == NULL) { BIO_puts(bio_err, "Illegal -inkey without -signer\n"); - goto argerr; + goto end; } - if (!sksigners) - sksigners = sk_OPENSSL_STRING_new_null(); + if (sksigners == NULL + && (sksigners = sk_OPENSSL_STRING_new_null()) == NULL) + goto end; sk_OPENSSL_STRING_push(sksigners, signerfile); signerfile = NULL; - if (!skkeys) - skkeys = sk_OPENSSL_STRING_new_null(); + if (skkeys == NULL + && (skkeys = sk_OPENSSL_STRING_new_null()) == NULL) + goto end; sk_OPENSSL_STRING_push(skkeys, keyfile); } - keyfile = *++args; - } else if (!strcmp(*args, "-keyform")) { - if (!args[1]) - goto argerr; - keyform = str2fmt(*++args); - } else if (!strcmp(*args, "-keyopt")) { - int keyidx = -1; - if (!args[1]) - goto argerr; + keyfile = opt_arg(); + break; + case OPT_KEYFORM: + if (!opt_format(opt_arg(), OPT_FMT_ANY, &keyform)) + goto opthelp; + break; + case OPT_RECIP: + if (operation == SMIME_ENCRYPT) { + if (encerts == NULL && (encerts = sk_X509_new_null()) == NULL) + goto end; + cert = load_cert(opt_arg(), FORMAT_PEM, NULL, e, + "recipient certificate file"); + if (cert == NULL) + goto end; + sk_X509_push(encerts, cert); + cert = NULL; + } else + recipfile = opt_arg(); + break; + case OPT_CIPHER: + if (!opt_cipher(opt_unknown(), &cipher)) + goto end; + break; + case OPT_KEYOPT: + keyidx = -1; if (operation == SMIME_ENCRYPT) { if (encerts) keyidx += sk_X509_num(encerts); @@ -460,17 +566,18 @@ int MAIN(int argc, char **argv) } if (keyidx < 0) { BIO_printf(bio_err, "No key specified\n"); - goto argerr; + goto opthelp; } if (key_param == NULL || key_param->idx != keyidx) { cms_key_param *nparam; nparam = OPENSSL_malloc(sizeof(cms_key_param)); - if(!nparam) { + if (!nparam) { BIO_printf(bio_err, "Out of memory\n"); - goto argerr; + goto end; } nparam->idx = keyidx; - nparam->param = sk_OPENSSL_STRING_new_null(); + if ((nparam->param = sk_OPENSSL_STRING_new_null()) == NULL) + goto end; nparam->next = NULL; if (key_first == NULL) key_first = nparam; @@ -478,83 +585,68 @@ int MAIN(int argc, char **argv) key_param->next = nparam; key_param = nparam; } - sk_OPENSSL_STRING_push(key_param->param, *++args); - } else if (!strcmp(*args, "-rctform")) { - if (!args[1]) - goto argerr; - rctformat = str2fmt(*++args); - } else if (!strcmp(*args, "-certfile")) { - if (!args[1]) - goto argerr; - certfile = *++args; - } else if (!strcmp(*args, "-CAfile")) { - if (!args[1]) - goto argerr; - CAfile = *++args; - } else if (!strcmp(*args, "-CApath")) { - if (!args[1]) - goto argerr; - CApath = *++args; - } else if (!strcmp(*args, "-in")) { - if (!args[1]) - goto argerr; - infile = *++args; - } else if (!strcmp(*args, "-inform")) { - if (!args[1]) - goto argerr; - informat = str2fmt(*++args); - } else if (!strcmp(*args, "-outform")) { - if (!args[1]) - goto argerr; - outformat = str2fmt(*++args); - } else if (!strcmp(*args, "-out")) { - if (!args[1]) - goto argerr; - outfile = *++args; - } else if (!strcmp(*args, "-content")) { - if (!args[1]) - goto argerr; - contfile = *++args; - } else if (args_verify(&args, NULL, &badarg, bio_err, &vpm)) - continue; - else if ((cipher = EVP_get_cipherbyname(*args + 1)) == NULL) - badarg = 1; - args++; + sk_OPENSSL_STRING_push(key_param->param, opt_arg()); + break; + case OPT_V_CASES: + if (!opt_verify(o, vpm)) + goto end; + vpmtouched++; + break; +# ifndef OPENSSL_NO_DES + case OPT_3DES_WRAP: + wrap_cipher = EVP_des_ede3_wrap(); + break; +# endif +# ifndef OPENSSL_NO_AES + case OPT_AES128_WRAP: + wrap_cipher = EVP_aes_128_wrap(); + break; + case OPT_AES192_WRAP: + wrap_cipher = EVP_aes_192_wrap(); + break; + case OPT_AES256_WRAP: + wrap_cipher = EVP_aes_256_wrap(); + break; +# endif + } } + argc = opt_num_rest(); + argv = opt_rest(); if (((rr_allorfirst != -1) || rr_from) && !rr_to) { BIO_puts(bio_err, "No Signed Receipts Recipients\n"); - goto argerr; + goto opthelp; } if (!(operation & SMIME_SIGNERS) && (rr_to || rr_from)) { BIO_puts(bio_err, "Signed receipts only allowed with -sign\n"); - goto argerr; + goto opthelp; } if (!(operation & SMIME_SIGNERS) && (skkeys || sksigners)) { BIO_puts(bio_err, "Multiple signers or keys not allowed\n"); - goto argerr; + goto opthelp; } if (operation & SMIME_SIGNERS) { if (keyfile && !signerfile) { BIO_puts(bio_err, "Illegal -inkey without -signer\n"); - goto argerr; + goto opthelp; } /* Check to see if any final signer needs to be appended */ if (signerfile) { - if (!sksigners) - sksigners = sk_OPENSSL_STRING_new_null(); + if (!sksigners + && (sksigners = sk_OPENSSL_STRING_new_null()) == NULL) + goto end; sk_OPENSSL_STRING_push(sksigners, signerfile); - if (!skkeys) - skkeys = sk_OPENSSL_STRING_new_null(); + if (!skkeys && (skkeys = sk_OPENSSL_STRING_new_null()) == NULL) + goto end; if (!keyfile) keyfile = signerfile; sk_OPENSSL_STRING_push(skkeys, keyfile); } if (!sksigners) { BIO_printf(bio_err, "No signer certificate specified\n"); - badarg = 1; + goto opthelp; } signerfile = NULL; keyfile = NULL; @@ -565,121 +657,28 @@ int MAIN(int argc, char **argv) if (!recipfile && !keyfile && !secret_key && !pwri_pass) { BIO_printf(bio_err, "No recipient certificate or key specified\n"); - badarg = 1; + goto opthelp; } } else if (operation == SMIME_ENCRYPT) { - if (!*args && !secret_key && !pwri_pass && !encerts) { + if (*argv == NULL && !secret_key && !pwri_pass && !encerts) { BIO_printf(bio_err, "No recipient(s) certificate(s) specified\n"); - badarg = 1; + goto opthelp; } need_rand = 1; } else if (!operation) - badarg = 1; - - if (badarg) { - argerr: - BIO_printf(bio_err, "Usage cms [options] cert.pem ...\n"); - BIO_printf(bio_err, "where options are\n"); - BIO_printf(bio_err, "-encrypt encrypt message\n"); - BIO_printf(bio_err, "-decrypt decrypt encrypted message\n"); - BIO_printf(bio_err, "-sign sign message\n"); - BIO_printf(bio_err, "-verify verify signed message\n"); - BIO_printf(bio_err, "-cmsout output CMS structure\n"); -# ifndef OPENSSL_NO_DES - BIO_printf(bio_err, "-des3 encrypt with triple DES\n"); - BIO_printf(bio_err, "-des encrypt with DES\n"); -# endif -# ifndef OPENSSL_NO_SEED - BIO_printf(bio_err, "-seed encrypt with SEED\n"); -# endif -# ifndef OPENSSL_NO_RC2 - BIO_printf(bio_err, "-rc2-40 encrypt with RC2-40 (default)\n"); - BIO_printf(bio_err, "-rc2-64 encrypt with RC2-64\n"); - BIO_printf(bio_err, "-rc2-128 encrypt with RC2-128\n"); -# endif -# ifndef OPENSSL_NO_AES - BIO_printf(bio_err, "-aes128, -aes192, -aes256\n"); - BIO_printf(bio_err, - " encrypt PEM output with cbc aes\n"); -# endif -# ifndef OPENSSL_NO_CAMELLIA - BIO_printf(bio_err, "-camellia128, -camellia192, -camellia256\n"); - BIO_printf(bio_err, - " encrypt PEM output with cbc camellia\n"); -# endif - BIO_printf(bio_err, - "-nointern don't search certificates in message for signer\n"); - BIO_printf(bio_err, - "-nosigs don't verify message signature\n"); - BIO_printf(bio_err, - "-noverify don't verify signers certificate\n"); - BIO_printf(bio_err, - "-nocerts don't include signers certificate when signing\n"); - BIO_printf(bio_err, "-nodetach use opaque signing\n"); - BIO_printf(bio_err, - "-noattr don't include any signed attributes\n"); - BIO_printf(bio_err, - "-binary don't translate message to text\n"); - BIO_printf(bio_err, "-certfile file other certificates file\n"); - BIO_printf(bio_err, "-certsout file certificate output file\n"); - BIO_printf(bio_err, "-signer file signer certificate file\n"); - BIO_printf(bio_err, - "-recip file recipient certificate file for decryption\n"); - BIO_printf(bio_err, "-keyid use subject key identifier\n"); - BIO_printf(bio_err, "-in file input file\n"); - BIO_printf(bio_err, - "-inform arg input format SMIME (default), PEM or DER\n"); - BIO_printf(bio_err, - "-inkey file input private key (if not signer or recipient)\n"); - BIO_printf(bio_err, - "-keyform arg input private key format (PEM or ENGINE)\n"); - BIO_printf(bio_err, "-keyopt nm:v set public key parameters\n"); - BIO_printf(bio_err, "-out file output file\n"); - BIO_printf(bio_err, - "-outform arg output format SMIME (default), PEM or DER\n"); - BIO_printf(bio_err, - "-content file supply or override content for detached signature\n"); - BIO_printf(bio_err, "-to addr to address\n"); - BIO_printf(bio_err, "-from ad from address\n"); - BIO_printf(bio_err, "-subject s subject\n"); - BIO_printf(bio_err, - "-text include or delete text MIME headers\n"); - BIO_printf(bio_err, - "-CApath dir trusted certificates directory\n"); - BIO_printf(bio_err, "-CAfile file trusted certificates file\n"); - BIO_printf(bio_err, - "-trusted_first use locally trusted certificates first when building trust chain\n"); - BIO_printf(bio_err, - "-no_alt_chains only ever use the first certificate chain found\n"); - BIO_printf(bio_err, - "-crl_check check revocation status of signer's certificate using CRLs\n"); - BIO_printf(bio_err, - "-crl_check_all check revocation status of signer's certificate chain using CRLs\n"); -# ifndef OPENSSL_NO_ENGINE - BIO_printf(bio_err, - "-engine e use engine e, possibly a hardware device.\n"); -# endif - BIO_printf(bio_err, "-passin arg input file pass phrase source\n"); - BIO_printf(bio_err, "-rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, - LIST_SEPARATOR_CHAR); - BIO_printf(bio_err, - " load the file (or the files in the directory) into\n"); - BIO_printf(bio_err, " the random number generator\n"); - BIO_printf(bio_err, - "cert.pem recipient certificate(s) for encryption\n"); - goto end; - } + goto opthelp; + # ifndef OPENSSL_NO_ENGINE - e = setup_engine(bio_err, engine, 0); + e = setup_engine(engine, 0); # endif - if (!app_passwd(bio_err, passargin, NULL, &passin, NULL)) { + if (!app_passwd(passinarg, NULL, &passin, NULL)) { BIO_printf(bio_err, "Error getting password\n"); goto end; } if (need_rand) { - app_RAND_load_file(NULL, bio_err, (inrand != NULL)); + app_RAND_load_file(NULL, (inrand != NULL)); if (inrand != NULL) BIO_printf(bio_err, "%ld semi-random bytes loaded\n", app_RAND_load_files(inrand)); @@ -721,20 +720,21 @@ int MAIN(int argc, char **argv) goto end; } - if (*args && !encerts) - encerts = sk_X509_new_null(); - while (*args) { - if (!(cert = load_cert(bio_err, *args, FORMAT_PEM, + if (*argv && !encerts) + if ((encerts = sk_X509_new_null()) == NULL) + goto end; + while (*argv) { + if (!(cert = load_cert(*argv, FORMAT_PEM, NULL, e, "recipient certificate file"))) goto end; sk_X509_push(encerts, cert); cert = NULL; - args++; + argv++; } } if (certfile) { - if (!(other = load_certs(bio_err, certfile, FORMAT_PEM, NULL, + if (!(other = load_certs(certfile, FORMAT_PEM, NULL, e, "certificate file"))) { ERR_print_errors(bio_err); goto end; @@ -742,7 +742,7 @@ int MAIN(int argc, char **argv) } if (recipfile && (operation == SMIME_DECRYPT)) { - if (!(recip = load_cert(bio_err, recipfile, FORMAT_PEM, NULL, + if (!(recip = load_cert(recipfile, FORMAT_PEM, NULL, e, "recipient certificate file"))) { ERR_print_errors(bio_err); goto end; @@ -750,7 +750,7 @@ int MAIN(int argc, char **argv) } if (operation == SMIME_SIGN_RECEIPT) { - if (!(signer = load_cert(bio_err, signerfile, FORMAT_PEM, NULL, + if (!(signer = load_cert(signerfile, FORMAT_PEM, NULL, e, "receipt signer certificate file"))) { ERR_print_errors(bio_err); goto end; @@ -767,19 +767,14 @@ int MAIN(int argc, char **argv) keyfile = NULL; if (keyfile) { - key = load_key(bio_err, keyfile, keyform, 0, passin, e, - "signing key file"); + key = load_key(keyfile, keyform, 0, passin, e, "signing key file"); if (!key) goto end; } - if (infile) { - if (!(in = BIO_new_file(infile, inmode))) { - BIO_printf(bio_err, "Can't open input file %s\n", infile); - goto end; - } - } else - in = BIO_new_fp(stdin, BIO_NOCLOSE); + in = bio_open_default(infile, inmode); + if (in == NULL) + goto end; if (operation & SMIME_IP) { if (informat == FORMAT_SMIME) @@ -841,26 +836,15 @@ int MAIN(int argc, char **argv) } } - if (outfile) { - if (!(out = BIO_new_file(outfile, outmode))) { - BIO_printf(bio_err, "Can't open output file %s\n", outfile); - goto end; - } - } else { - out = BIO_new_fp(stdout, BIO_NOCLOSE); -# ifdef OPENSSL_SYS_VMS - { - BIO *tmpbio = BIO_new(BIO_f_linebuffer()); - out = BIO_push(tmpbio, out); - } -# endif - } + out = bio_open_default(outfile, outmode); + if (out == NULL) + goto end; if ((operation == SMIME_VERIFY) || (operation == SMIME_VERIFY_RECEIPT)) { - if (!(store = setup_verify(bio_err, CAfile, CApath))) + if (!(store = setup_verify(CAfile, CApath))) goto end; X509_STORE_set_verify_cb(store, cms_cb); - if (vpm) + if (vpmtouched) X509_STORE_set1_param(store, vpm); } @@ -983,12 +967,11 @@ int MAIN(int argc, char **argv) signerfile = sk_OPENSSL_STRING_value(sksigners, i); keyfile = sk_OPENSSL_STRING_value(skkeys, i); - signer = load_cert(bio_err, signerfile, FORMAT_PEM, NULL, + signer = load_cert(signerfile, FORMAT_PEM, NULL, e, "signer certificate"); if (!signer) goto end; - key = load_key(bio_err, keyfile, keyform, 0, passin, e, - "signing key file"); + key = load_key(keyfile, keyform, 0, passin, e, "signing key file"); if (!key) goto end; for (kparam = key_first; kparam; kparam = kparam->next) { @@ -1137,11 +1120,10 @@ int MAIN(int argc, char **argv) if (ret) ERR_print_errors(bio_err); if (need_rand) - app_RAND_write_file(NULL, bio_err); + app_RAND_write_file(NULL); sk_X509_pop_free(encerts, X509_free); sk_X509_pop_free(other, X509_free); - if (vpm) - X509_VERIFY_PARAM_free(vpm); + X509_VERIFY_PARAM_free(vpm); if (sksigners) sk_OPENSSL_STRING_free(sksigners); if (skkeys) @@ -1211,7 +1193,8 @@ static int cms_cb(int ok, X509_STORE_CTX *ctx) && ((error != X509_V_OK) || (ok != 2))) return ok; - policies_print(NULL, ctx); + /* Should be bio_err? */ + policies_print(bio_out, ctx); return ok;