X-Git-Url: https://git.openssl.org/?p=openssl.git;a=blobdiff_plain;f=apps%2Fsmime.c;h=6fd473775f45a4ac7fb49823c8e4949be391d82d;hp=d597ebf53479669b200004ddc3f042cfb837b5c0;hb=bd982b48dcb8952f51abad3040cee2c2354e6a54;hpb=d303b9d85e1888494785f87ebd9bd233e63564a9 diff --git a/apps/smime.c b/apps/smime.c index d597ebf534..6fd473775f 100644 --- a/apps/smime.c +++ b/apps/smime.c @@ -1,59 +1,10 @@ /* - * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL - * project. - */ -/* ==================================================================== - * Copyright (c) 1999-2004 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * licensing@OpenSSL.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). + * Copyright 1999-2018 The OpenSSL Project Authors. All Rights Reserved. * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html */ /* S/MIME utility function */ @@ -61,6 +12,7 @@ #include #include #include "apps.h" +#include "progs.h" #include #include #include @@ -86,14 +38,16 @@ typedef enum OPTION_choice { OPT_PK7OUT, OPT_TEXT, OPT_NOINTERN, OPT_NOVERIFY, OPT_NOCHAIN, OPT_NOCERTS, OPT_NOATTR, OPT_NODETACH, OPT_NOSMIMECAP, OPT_BINARY, OPT_NOSIGS, OPT_STREAM, OPT_INDEF, OPT_NOINDEF, - OPT_NOOLDMIME, OPT_CRLFEOL, OPT_RAND, OPT_ENGINE, OPT_PASSIN, + OPT_CRLFEOL, OPT_ENGINE, OPT_PASSIN, OPT_TO, OPT_FROM, OPT_SUBJECT, OPT_SIGNER, OPT_RECIP, OPT_MD, OPT_CIPHER, OPT_INKEY, OPT_KEYFORM, OPT_CERTFILE, OPT_CAFILE, + OPT_R_ENUM, OPT_V_ENUM, - OPT_CAPATH, OPT_IN, OPT_INFORM, OPT_OUT, OPT_OUTFORM, OPT_CONTENT + OPT_CAPATH, OPT_NOCAFILE, OPT_NOCAPATH, OPT_IN, OPT_INFORM, OPT_OUT, + OPT_OUTFORM, OPT_CONTENT } OPTION_CHOICE; -OPTIONS smime_options[] = { +const OPTIONS smime_options[] = { {OPT_HELP_STR, 1, '-', "Usage: %s [options] cert.pem...\n"}, {OPT_HELP_STR, 1, '-', " cert.pem... recipient certs for encryption\n"}, @@ -114,15 +68,15 @@ OPTIONS smime_options[] = { {"noattr", OPT_NOATTR, '-', "Don't include any signed attributes"}, {"binary", OPT_BINARY, '-', "Don't translate message to text"}, {"certfile", OPT_CERTFILE, '<', "Other certificates file"}, - {"signer", OPT_SIGNER, '<', "Signer certificate file"}, + {"signer", OPT_SIGNER, 's', "Signer certificate file"}, {"recip", OPT_RECIP, '<', "Recipient certificate file for decryption"}, {"in", OPT_IN, '<', "Input file"}, - {"inform", OPT_INFORM, 'F', "Input format SMIME (default), PEM or DER"}, - {"inkey", OPT_INKEY, '<', + {"inform", OPT_INFORM, 'c', "Input format SMIME (default), PEM or DER"}, + {"inkey", OPT_INKEY, 's', "Input private key (if not signer or recipient)"}, {"keyform", OPT_KEYFORM, 'f', "Input private key format (PEM or ENGINE)"}, {"out", OPT_OUT, '>', "Output file"}, - {"outform", OPT_OUTFORM, 'F', + {"outform", OPT_OUTFORM, 'c', "Output format SMIME (default), PEM or DER"}, {"content", OPT_CONTENT, '<', "Supply or override content for detached signature"}, @@ -132,18 +86,21 @@ OPTIONS smime_options[] = { {"text", OPT_TEXT, '-', "Include or delete text MIME headers"}, {"CApath", OPT_CAPATH, '/', "Trusted certificates directory"}, {"CAfile", OPT_CAFILE, '<', "Trusted certificates file"}, - {"resign", OPT_RESIGN, '-'}, - {"nochain", OPT_NOCHAIN, '-'}, - {"nosmimecap", OPT_NOSMIMECAP, '-'}, - {"stream", OPT_STREAM, '-'}, - {"indef", OPT_INDEF, '-'}, - {"noindef", OPT_NOINDEF, '-'}, - {"nooldmime", OPT_NOOLDMIME, '-'}, - {"crlfeol", OPT_CRLFEOL, '-'}, - {"rand", OPT_RAND, 's', - "Load the file(s) into the random number generator"}, + {"no-CAfile", OPT_NOCAFILE, '-', + "Do not load the default certificates file"}, + {"no-CApath", OPT_NOCAPATH, '-', + "Do not load certificates from the default certificates directory"}, + {"resign", OPT_RESIGN, '-', "Resign a signed message"}, + {"nochain", OPT_NOCHAIN, '-', + "set PKCS7_NOCHAIN so certificates contained in the message are not used as untrusted CAs" }, + {"nosmimecap", OPT_NOSMIMECAP, '-', "Omit the SMIMECapabilities attribute"}, + {"stream", OPT_STREAM, '-', "Enable CMS streaming" }, + {"indef", OPT_INDEF, '-', "Same as -stream" }, + {"noindef", OPT_NOINDEF, '-', "Disable CMS streaming"}, + {"crlfeol", OPT_CRLFEOL, '-', "Use CRLF as EOL termination instead of CR only"}, + OPT_R_OPTIONS, {"passin", OPT_PASSIN, 's', "Input file pass phrase source"}, - {"md", OPT_MD, 's'}, + {"md", OPT_MD, 's', "Digest algorithm to use when signing or resigning"}, {"", OPT_CIPHER, '-', "Any supported cipher"}, OPT_V_OPTIONS, #ifndef OPENSSL_NO_ENGINE @@ -164,20 +121,18 @@ int smime_main(int argc, char **argv) X509_VERIFY_PARAM *vpm = NULL; const EVP_CIPHER *cipher = NULL; const EVP_MD *sign_md = NULL; - char *CAfile = NULL, *CApath = NULL, *inrand = NULL; - char *certfile = NULL, *keyfile = NULL, *contfile = NULL, *prog; - char *infile = NULL, *outfile = NULL, *signerfile = NULL, *recipfile = - NULL; - char *passinarg = NULL, *passin = NULL, *to = NULL, *from = - NULL, *subject = NULL; - const char *inmode = "r", *outmode = "w"; + const char *CAfile = NULL, *CApath = NULL, *prog = NULL; + char *certfile = NULL, *keyfile = NULL, *contfile = NULL; + char *infile = NULL, *outfile = NULL, *signerfile = NULL, *recipfile = NULL; + char *passinarg = NULL, *passin = NULL, *to = NULL, *from = NULL, *subject = NULL; OPTION_CHOICE o; - int flags = PKCS7_DETACHED, operation = 0, ret = 0, need_rand = 0, indef = - 0; + int noCApath = 0, noCAfile = 0; + int flags = PKCS7_DETACHED, operation = 0, ret = 0, indef = 0; int informat = FORMAT_SMIME, outformat = FORMAT_SMIME, keyform = FORMAT_PEM; int vpmtouched = 0, rv = 0; ENGINE *e = NULL; + const char *mime_eol = "\n"; if ((vpm = X509_VERIFY_PARAM_new()) == NULL) return 1; @@ -195,14 +150,14 @@ int smime_main(int argc, char **argv) ret = 0; goto end; case OPT_INFORM: - if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &informat)) + if (!opt_format(opt_arg(), OPT_FMT_PDS, &informat)) goto opthelp; break; case OPT_IN: infile = opt_arg(); break; case OPT_OUTFORM: - if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &outformat)) + if (!opt_format(opt_arg(), OPT_FMT_PDS, &outformat)) goto opthelp; break; case OPT_OUT: @@ -263,15 +218,13 @@ int smime_main(int argc, char **argv) case OPT_NOINDEF: indef = 0; break; - case OPT_NOOLDMIME: - flags |= PKCS7_NOOLDMIMETYPE; - break; case OPT_CRLFEOL: flags |= PKCS7_CRLFEOL; + mime_eol = "\r\n"; break; - case OPT_RAND: - inrand = opt_arg(); - need_rand = 1; + case OPT_R_CASES: + if (!opt_rand(o)) + goto end; break; case OPT_ENGINE: e = setup_engine(opt_arg(), 0); @@ -290,7 +243,7 @@ int smime_main(int argc, char **argv) break; case OPT_SIGNER: /* If previous -signer argument add signer to list */ - if (signerfile) { + if (signerfile != NULL) { if (sksigners == NULL && (sksigners = sk_OPENSSL_STRING_new_null()) == NULL) goto end; @@ -317,8 +270,8 @@ int smime_main(int argc, char **argv) goto opthelp; break; case OPT_INKEY: - /* If previous -inkey arument add signer to list */ - if (keyfile) { + /* If previous -inkey argument add signer to list */ + if (keyfile != NULL) { if (signerfile == NULL) { BIO_printf(bio_err, "%s: Must have -signer before -inkey\n", prog); @@ -349,6 +302,12 @@ int smime_main(int argc, char **argv) case OPT_CAPATH: CApath = opt_arg(); break; + case OPT_NOCAFILE: + noCAfile = 1; + break; + case OPT_NOCAPATH: + noCApath = 1; + break; case OPT_CONTENT: contfile = opt_arg(); break; @@ -362,7 +321,7 @@ int smime_main(int argc, char **argv) argc = opt_num_rest(); argv = opt_rest(); - if (!(operation & SMIME_SIGNERS) && (skkeys || sksigners)) { + if (!(operation & SMIME_SIGNERS) && (skkeys != NULL || sksigners != NULL)) { BIO_puts(bio_err, "Multiple signers or keys not allowed\n"); goto opthelp; } @@ -373,8 +332,8 @@ int smime_main(int argc, char **argv) BIO_puts(bio_err, "Illegal -inkey without -signer\n"); goto opthelp; } - if (signerfile) { - if (!sksigners + if (signerfile != NULL) { + if (sksigners == NULL && (sksigners = sk_OPENSSL_STRING_new_null()) == NULL) goto end; sk_OPENSSL_STRING_push(sksigners, signerfile); @@ -384,15 +343,14 @@ int smime_main(int argc, char **argv) keyfile = signerfile; sk_OPENSSL_STRING_push(skkeys, keyfile); } - if (!sksigners) { + if (sksigners == NULL) { BIO_printf(bio_err, "No signer certificate specified\n"); goto opthelp; } signerfile = NULL; keyfile = NULL; - need_rand = 1; } else if (operation == SMIME_DECRYPT) { - if (!recipfile && !keyfile) { + if (recipfile == NULL && keyfile == NULL) { BIO_printf(bio_err, "No recipient certificate or key specified\n"); goto opthelp; @@ -402,46 +360,32 @@ int smime_main(int argc, char **argv) BIO_printf(bio_err, "No recipient(s) certificate(s) specified\n"); goto opthelp; } - need_rand = 1; - } else if (!operation) + } else if (!operation) { goto opthelp; + } if (!app_passwd(passinarg, NULL, &passin, NULL)) { BIO_printf(bio_err, "Error getting password\n"); goto end; } - if (!app_load_modules(NULL)) - goto end; - - if (need_rand) { - app_RAND_load_file(NULL, (inrand != NULL)); - if (inrand != NULL) - BIO_printf(bio_err, "%ld semi-random bytes loaded\n", - app_RAND_load_files(inrand)); - } - ret = 2; if (!(operation & SMIME_SIGNERS)) flags &= ~PKCS7_DETACHED; - if (operation & SMIME_OP) { - outmode = WB(outformat); - } else { + if (!(operation & SMIME_OP)) { if (flags & PKCS7_BINARY) - outmode = "wb"; + outformat = FORMAT_BINARY; } - if (operation & SMIME_IP) { - inmode = RB(informat); - } else { + if (!(operation & SMIME_IP)) { if (flags & PKCS7_BINARY) - inmode = "rb"; + informat = FORMAT_BINARY; } if (operation == SMIME_ENCRYPT) { - if (!cipher) { + if (cipher == NULL) { #ifndef OPENSSL_NO_DES cipher = EVP_des_ede3_cbc(); #else @@ -450,11 +394,11 @@ int smime_main(int argc, char **argv) #endif } encerts = sk_X509_new_null(); - if (!encerts) + if (encerts == NULL) goto end; - while (*argv) { + while (*argv != NULL) { cert = load_cert(*argv, FORMAT_PEM, - NULL, e, "recipient certificate file"); + "recipient certificate file"); if (cert == NULL) goto end; sk_X509_push(encerts, cert); @@ -463,58 +407,59 @@ int smime_main(int argc, char **argv) } } - if (certfile) { - if ((other = load_certs(certfile, FORMAT_PEM, NULL, - e, "certificate file")) == NULL) { + if (certfile != NULL) { + if (!load_certs(certfile, &other, FORMAT_PEM, NULL, + "certificate file")) { ERR_print_errors(bio_err); goto end; } } - if (recipfile && (operation == SMIME_DECRYPT)) { - if ((recip = load_cert(recipfile, FORMAT_PEM, NULL, - e, "recipient certificate file")) == NULL) { + if (recipfile != NULL && (operation == SMIME_DECRYPT)) { + if ((recip = load_cert(recipfile, FORMAT_PEM, + "recipient certificate file")) == NULL) { ERR_print_errors(bio_err); goto end; } } if (operation == SMIME_DECRYPT) { - if (!keyfile) + if (keyfile == NULL) keyfile = recipfile; } else if (operation == SMIME_SIGN) { - if (!keyfile) + if (keyfile == NULL) keyfile = signerfile; - } else + } else { keyfile = NULL; + } - if (keyfile) { + if (keyfile != NULL) { key = load_key(keyfile, keyform, 0, passin, e, "signing key file"); - if (!key) + if (key == NULL) goto end; } - in = bio_open_default(infile, inmode); + in = bio_open_default(infile, 'r', informat); if (in == NULL) goto end; if (operation & SMIME_IP) { - if (informat == FORMAT_SMIME) + if (informat == FORMAT_SMIME) { p7 = SMIME_read_PKCS7(in, &indata); - else if (informat == FORMAT_PEM) + } else if (informat == FORMAT_PEM) { p7 = PEM_read_bio_PKCS7(in, NULL, NULL, NULL); - else if (informat == FORMAT_ASN1) + } else if (informat == FORMAT_ASN1) { p7 = d2i_PKCS7_bio(in, NULL); - else { + } else { BIO_printf(bio_err, "Bad input format for PKCS#7 file\n"); goto end; } - if (!p7) { + if (p7 == NULL) { BIO_printf(bio_err, "Error reading S/MIME message\n"); goto end; } - if (contfile) { + if (contfile != NULL) { BIO_free(indata); if ((indata = BIO_new_file(contfile, "rb")) == NULL) { BIO_printf(bio_err, "Can't read content file %s\n", contfile); @@ -523,12 +468,12 @@ int smime_main(int argc, char **argv) } } - out = bio_open_default(outfile, outmode); + out = bio_open_default(outfile, 'w', outformat); if (out == NULL) goto end; if (operation == SMIME_VERIFY) { - if ((store = setup_verify(CAfile, CApath)) == NULL) + if ((store = setup_verify(CAfile, CApath, noCAfile, noCApath)) == NULL) goto end; X509_STORE_set_verify_cb(store, smime_cb); if (vpmtouched) @@ -551,11 +496,12 @@ int smime_main(int argc, char **argv) if (flags & PKCS7_DETACHED) { if (outformat == FORMAT_SMIME) flags |= PKCS7_STREAM; - } else if (indef) + } else if (indef) { flags |= PKCS7_STREAM; + } flags |= PKCS7_PARTIAL; p7 = PKCS7_sign(NULL, NULL, other, in, flags); - if (!p7) + if (p7 == NULL) goto end; if (flags & PKCS7_NOCERTS) { for (i = 0; i < sk_X509_num(other); i++) { @@ -563,17 +509,18 @@ int smime_main(int argc, char **argv) PKCS7_add_certificate(p7, x); } } - } else + } else { flags |= PKCS7_REUSE_DIGEST; + } for (i = 0; i < sk_OPENSSL_STRING_num(sksigners); i++) { signerfile = sk_OPENSSL_STRING_value(sksigners, i); keyfile = sk_OPENSSL_STRING_value(skkeys, i); - signer = load_cert(signerfile, FORMAT_PEM, NULL, - e, "signer certificate"); - if (!signer) + signer = load_cert(signerfile, FORMAT_PEM, + "signer certificate"); + if (signer == NULL) goto end; key = load_key(keyfile, keyform, 0, passin, e, "signing key file"); - if (!key) + if (key == NULL) goto end; if (!PKCS7_sign_add_signer(p7, signer, key, sign_md, flags)) goto end; @@ -589,7 +536,7 @@ int smime_main(int argc, char **argv) } } - if (!p7) { + if (p7 == NULL) { BIO_printf(bio_err, "Error creating PKCS#7 structure\n"); goto end; } @@ -615,25 +562,25 @@ int smime_main(int argc, char **argv) goto end; } sk_X509_free(signers); - } else if (operation == SMIME_PK7OUT) + } else if (operation == SMIME_PK7OUT) { PEM_write_bio_PKCS7(out, p7); - else { + } else { if (to) - BIO_printf(out, "To: %s\n", to); + BIO_printf(out, "To: %s%s", to, mime_eol); if (from) - BIO_printf(out, "From: %s\n", from); + BIO_printf(out, "From: %s%s", from, mime_eol); if (subject) - BIO_printf(out, "Subject: %s\n", subject); + BIO_printf(out, "Subject: %s%s", subject, mime_eol); if (outformat == FORMAT_SMIME) { if (operation == SMIME_RESIGN) rv = SMIME_write_PKCS7(out, p7, indata, flags); else rv = SMIME_write_PKCS7(out, p7, in, flags); - } else if (outformat == FORMAT_PEM) + } else if (outformat == FORMAT_PEM) { rv = PEM_write_bio_PKCS7_stream(out, p7, in, flags); - else if (outformat == FORMAT_ASN1) + } else if (outformat == FORMAT_ASN1) { rv = i2d_PKCS7_bio_stream(out, p7, in, flags); - else { + } else { BIO_printf(bio_err, "Bad output format for PKCS#7 file\n"); goto end; } @@ -645,8 +592,6 @@ int smime_main(int argc, char **argv) } ret = 0; end: - if (need_rand) - app_RAND_write_file(NULL); if (ret) ERR_print_errors(bio_err); sk_X509_pop_free(encerts, X509_free); @@ -660,21 +605,23 @@ int smime_main(int argc, char **argv) X509_free(signer); EVP_PKEY_free(key); PKCS7_free(p7); + release_engine(e); BIO_free(in); BIO_free(indata); BIO_free_all(out); OPENSSL_free(passin); - return (ret); + return ret; } static int save_certs(char *signerfile, STACK_OF(X509) *signers) { int i; BIO *tmp; - if (!signerfile) + + if (signerfile == NULL) return 1; tmp = BIO_new_file(signerfile, "w"); - if (!tmp) + if (tmp == NULL) return 0; for (i = 0; i < sk_X509_num(signers); i++) PEM_write_bio_X509(tmp, sk_X509_value(signers, i)); @@ -697,5 +644,4 @@ static int smime_cb(int ok, X509_STORE_CTX *ctx) policies_print(ctx); return ok; - }