X-Git-Url: https://git.openssl.org/gitweb/?a=blobdiff_plain;f=apps%2Fcms.c;h=ddc3d5ec17554cb51b686cfad2b2decb90ae8c7d;hb=5219d3dd350cc74498dd49daef5e6ee8c34d9857;hp=3adcd78a9d1d1aec7365d269f33ff161a7437d8d;hpb=c869da8839ef5af9df5a4d98f518b079240a0d4b;p=openssl.git

diff --git a/apps/cms.c b/apps/cms.c
index 3adcd78a9d..ddc3d5ec17 100644
--- a/apps/cms.c
+++ b/apps/cms.c
@@ -74,6 +74,8 @@ static void receipt_request_print(BIO *out, CMS_ContentInfo *cms);
 static CMS_ReceiptRequest *make_receipt_request(STACK_OF(OPENSSL_STRING) *rr_to,
 						int rr_allorfirst,
 					STACK_OF(OPENSSL_STRING) *rr_from);
+static int cms_set_pkey_param(EVP_PKEY_CTX *pctx,
+			STACK_OF(OPENSSL_STRING) *param);
 
 #define SMIME_OP	0x10
 #define SMIME_IP	0x20
@@ -97,6 +99,15 @@ static CMS_ReceiptRequest *make_receipt_request(STACK_OF(OPENSSL_STRING) *rr_to,
 
 int verify_err = 0;
 
+typedef struct cms_key_param_st cms_key_param;
+
+struct cms_key_param_st
+	{
+	int idx;
+	STACK_OF(OPENSSL_STRING)*param;
+	cms_key_param *next;
+	};
+
 int MAIN(int, char **);
 
 int MAIN(int argc, char **argv)
@@ -111,7 +122,7 @@ int MAIN(int argc, char **argv)
 	STACK_OF(OPENSSL_STRING) *sksigners = NULL, *skkeys = NULL;
 	char *certfile = NULL, *keyfile = NULL, *contfile=NULL;
 	char *certsoutfile = NULL;
-	const EVP_CIPHER *cipher = NULL;
+	const EVP_CIPHER *cipher = NULL, *wrap_cipher = NULL;
 	CMS_ContentInfo *cms = NULL, *rcms = NULL;
 	X509_STORE *store = NULL;
 	X509 *cert = NULL, *recip = NULL, *signer = NULL;
@@ -136,8 +147,11 @@ int MAIN(int argc, char **argv)
 	char *engine=NULL;
 #endif
 	unsigned char *secret_key = NULL, *secret_keyid = NULL;
+	unsigned char *pwri_pass = NULL, *pwri_tmp = NULL;
 	size_t secret_keylen = 0, secret_keyidlen = 0;
 
+	cms_key_param *key_first = NULL, *key_param = NULL;
+
 	ASN1_OBJECT *econtent_type = NULL;
 
 	X509_VERIFY_PARAM *vpm = NULL;
@@ -203,6 +217,8 @@ int MAIN(int argc, char **argv)
 				cipher = EVP_des_ede3_cbc();
 		else if (!strcmp (*args, "-des")) 
 				cipher = EVP_des_cbc();
+		else if (!strcmp (*args, "-des3-wrap")) 
+				wrap_cipher = EVP_des_ede3_wrap();
 #endif
 #ifndef OPENSSL_NO_SEED
 		else if (!strcmp (*args, "-seed")) 
@@ -223,6 +239,12 @@ int MAIN(int argc, char **argv)
 				cipher = EVP_aes_192_cbc();
 		else if (!strcmp(*args,"-aes256"))
 				cipher = EVP_aes_256_cbc();
+		else if (!strcmp(*args,"-aes128-wrap"))
+				wrap_cipher = EVP_aes_128_wrap();
+		else if (!strcmp(*args,"-aes192-wrap"))
+				wrap_cipher = EVP_aes_192_wrap();
+		else if (!strcmp(*args,"-aes256-wrap"))
+				wrap_cipher = EVP_aes_256_wrap();
 #endif
 #ifndef OPENSSL_NO_CAMELLIA
 		else if (!strcmp(*args,"-camellia128"))
@@ -232,8 +254,12 @@ int MAIN(int argc, char **argv)
 		else if (!strcmp(*args,"-camellia256"))
 				cipher = EVP_camellia_256_cbc();
 #endif
+		else if (!strcmp (*args, "-debug_decrypt")) 
+				flags |= CMS_DEBUG_DECRYPT;
 		else if (!strcmp (*args, "-text")) 
 				flags |= CMS_TEXT;
+		else if (!strcmp (*args, "-asciicrlf")) 
+				flags |= CMS_ASCIICRLF;
 		else if (!strcmp (*args, "-nointern")) 
 				flags |= CMS_NOINTERN;
 		else if (!strcmp (*args, "-noverify") 
@@ -326,6 +352,13 @@ int MAIN(int argc, char **argv)
 				}
 			secret_keyidlen = (size_t)ltmp;
 			}
+		else if (!strcmp(*args,"-pwri_password"))
+			{
+			if (!args[1])
+				goto argerr;
+			args++;
+			pwri_pass = (unsigned char *)*args;
+			}
 		else if (!strcmp(*args,"-econtent_type"))
 			{
 			if (!args[1])
@@ -402,7 +435,20 @@ int MAIN(int argc, char **argv)
 			{
 			if (!args[1])
 				goto argerr;
-			recipfile = *++args;
+			if (operation == SMIME_ENCRYPT)
+				{
+				if (!encerts)
+					encerts = sk_X509_new_null();
+				cert = load_cert(bio_err,*++args,FORMAT_PEM,
+						NULL, e,
+						"recipient certificate file");
+				if (!cert)
+					goto end;
+				sk_X509_push(encerts, cert);
+				cert = NULL;
+				}
+			else	
+				recipfile = *++args;
 			}
 		else if (!strcmp (*args, "-certsout"))
 			{
@@ -450,6 +496,43 @@ int MAIN(int argc, char **argv)
 				goto argerr;
 			keyform = str2fmt(*++args);
 			}
+		else if (!strcmp (*args, "-keyopt"))
+			{
+			int keyidx = -1;
+			if (!args[1])
+				goto argerr;
+			if (operation == SMIME_ENCRYPT)
+				{
+				if (encerts)
+					keyidx += sk_X509_num(encerts);
+				}
+			else
+				{
+				if (keyfile || signerfile)
+					keyidx++;
+				if (skkeys)
+					keyidx += sk_OPENSSL_STRING_num(skkeys);
+				}
+			if (keyidx < 0)
+				{
+				BIO_printf(bio_err, "No key specified\n");
+				goto argerr;
+				}
+			if (key_param == NULL || key_param->idx != keyidx)
+				{
+				cms_key_param *nparam;
+				nparam = OPENSSL_malloc(sizeof(cms_key_param));
+				nparam->idx = keyidx;
+				nparam->param = sk_OPENSSL_STRING_new_null();
+				nparam->next = NULL;
+				if (key_first == NULL)
+					key_first = nparam;
+				else
+					key_param->next = nparam;
+				key_param = nparam;
+				}
+			sk_OPENSSL_STRING_push(key_param->param, *++args);
+			}
 		else if (!strcmp (*args, "-rctform"))
 			{
 			if (!args[1])
@@ -559,7 +642,7 @@ int MAIN(int argc, char **argv)
 
 	else if (operation == SMIME_DECRYPT)
 		{
-		if (!recipfile && !keyfile && !secret_key)
+		if (!recipfile && !keyfile && !secret_key && !pwri_pass)
 			{
 			BIO_printf(bio_err, "No recipient certificate or key specified\n");
 			badarg = 1;
@@ -567,7 +650,7 @@ int MAIN(int argc, char **argv)
 		}
 	else if (operation == SMIME_ENCRYPT)
 		{
-		if (!*args && !secret_key)
+		if (!*args && !secret_key && !pwri_pass && !encerts)
 			{
 			BIO_printf(bio_err, "No recipient(s) certificate(s) specified\n");
 			badarg = 1;
@@ -618,11 +701,12 @@ int MAIN(int argc, char **argv)
 		BIO_printf (bio_err, "-certsout file certificate output file\n");
 		BIO_printf (bio_err, "-signer file   signer certificate file\n");
 		BIO_printf (bio_err, "-recip  file   recipient certificate file for decryption\n");
-		BIO_printf (bio_err, "-skeyid        use subject key identifier\n");
+		BIO_printf (bio_err, "-keyid         use subject key identifier\n");
 		BIO_printf (bio_err, "-in file       input file\n");
 		BIO_printf (bio_err, "-inform arg    input format SMIME (default), PEM or DER\n");
 		BIO_printf (bio_err, "-inkey file    input private key (if not signer or recipient)\n");
 		BIO_printf (bio_err, "-keyform arg   input private key format (PEM or ENGINE)\n");
+		BIO_printf (bio_err, "-keyopt nm:v   set public key parameters\n");
 		BIO_printf (bio_err, "-out file      output file\n");
 		BIO_printf (bio_err, "-outform arg   output format SMIME (default), PEM or DER\n");
 		BIO_printf (bio_err, "-content file  supply or override content for detached signature\n");
@@ -708,7 +792,7 @@ int MAIN(int argc, char **argv)
 			goto end;
 			}
 
-		if (*args)
+		if (*args && !encerts)
 			encerts = sk_X509_new_null();
 		while (*args)
 			{
@@ -880,7 +964,7 @@ int MAIN(int argc, char **argv)
 		{
 		if (!(store = setup_verify(bio_err, CAfile, CApath)))
 			goto end;
-		X509_STORE_set_verify_cb_func(store, cms_cb);
+		X509_STORE_set_verify_cb(store, cms_cb);
 		if (vpm)
 			X509_STORE_set1_param(store, vpm);
 		}
@@ -902,10 +986,45 @@ int MAIN(int argc, char **argv)
 		}
 	else if (operation == SMIME_ENCRYPT)
 		{
+		int i;
 		flags |= CMS_PARTIAL;
-		cms = CMS_encrypt(encerts, in, cipher, flags);
+		cms = CMS_encrypt(NULL, in, cipher, flags);
 		if (!cms)
 			goto end;
+		for (i = 0; i < sk_X509_num(encerts); i++)
+			{
+			CMS_RecipientInfo *ri;
+			cms_key_param *kparam;
+			int tflags = flags;
+			X509 *x = sk_X509_value(encerts, i);
+			for(kparam = key_first; kparam; kparam = kparam->next)
+				{
+				if(kparam->idx == i)
+					{
+					tflags |= CMS_KEY_PARAM;
+					break;
+					}
+				}
+			ri = CMS_add1_recipient_cert(cms, x, tflags);
+			if (!ri)
+				goto end;
+			if (kparam)
+				{
+				EVP_PKEY_CTX *pctx;
+				pctx = CMS_RecipientInfo_get0_pkey_ctx(ri);
+				if (!cms_set_pkey_param(pctx, kparam->param))
+					goto end;
+				}
+			if (CMS_RecipientInfo_type(ri) == CMS_RECIPINFO_AGREE
+				&& wrap_cipher)
+				{
+				EVP_CIPHER_CTX *wctx;
+				wctx = CMS_RecipientInfo_kari_get0_ctx(ri);
+				EVP_EncryptInit_ex(wctx, wrap_cipher,
+							NULL, NULL, NULL);
+				}
+			}
+
 		if (secret_key)
 			{
 			if (!CMS_add0_recipient_key(cms, NID_undef, 
@@ -917,6 +1036,17 @@ int MAIN(int argc, char **argv)
 			secret_key = NULL;
 			secret_keyid = NULL;
 			}
+		if (pwri_pass)
+			{
+			pwri_tmp = (unsigned char *)BUF_strdup((char *)pwri_pass);
+			if (!pwri_tmp)
+				goto end;
+			if (!CMS_add0_recipient_password(cms,
+						-1, NID_undef, NID_undef,
+						 pwri_tmp, -1, NULL))
+				goto end;
+			pwri_tmp = NULL;
+			}
 		if (!(flags & CMS_STREAM))
 			{
 			if (!CMS_final(cms, in, NULL, flags))
@@ -983,8 +1113,11 @@ int MAIN(int argc, char **argv)
 		for (i = 0; i < sk_OPENSSL_STRING_num(sksigners); i++)
 			{
 			CMS_SignerInfo *si;
+			cms_key_param *kparam;
+			int tflags = flags;
 			signerfile = sk_OPENSSL_STRING_value(sksigners, i);
 			keyfile = sk_OPENSSL_STRING_value(skkeys, i);
+
 			signer = load_cert(bio_err, signerfile,FORMAT_PEM, NULL,
 					e, "signer certificate");
 			if (!signer)
@@ -993,9 +1126,24 @@ int MAIN(int argc, char **argv)
 			       "signing key file");
 			if (!key)
 				goto end;
-			si = CMS_add1_signer(cms, signer, key, sign_md, flags);
+			for(kparam = key_first; kparam; kparam = kparam->next)
+				{
+				if(kparam->idx == i)
+					{
+					tflags |= CMS_KEY_PARAM;
+					break;
+					}
+				}
+			si = CMS_add1_signer(cms, signer, key, sign_md, tflags);
 			if (!si)
 				goto end;
+			if (kparam)
+				{
+				EVP_PKEY_CTX *pctx;
+				pctx = CMS_SignerInfo_get0_pkey_ctx(si);
+				if (!cms_set_pkey_param(pctx, kparam->param))
+					goto end;
+				}
 			if (rr && !CMS_add1_ReceiptRequest(si, rr))
 				goto end;
 			X509_free(signer);
@@ -1020,6 +1168,8 @@ int MAIN(int argc, char **argv)
 	ret = 4;
 	if (operation == SMIME_DECRYPT)
 		{
+		if (flags & CMS_DEBUG_DECRYPT)
+			CMS_decrypt(cms, NULL, NULL, NULL, NULL, flags);
 
 		if (secret_key)
 			{
@@ -1043,6 +1193,16 @@ int MAIN(int argc, char **argv)
 				}
 			}
 
+		if (pwri_pass)
+			{
+			if (!CMS_decrypt_set1_password(cms, pwri_pass, -1))
+				{
+				BIO_puts(bio_err,
+					"Error decrypting CMS using password\n");
+				goto end;
+				}
+			}
+
 		if (!CMS_decrypt(cms, NULL, NULL, indata, out, flags))
 			{
 			BIO_printf(bio_err, "Error decrypting CMS structure\n");
@@ -1167,6 +1327,8 @@ end:
 		OPENSSL_free(secret_key);
 	if (secret_keyid)
 		OPENSSL_free(secret_keyid);
+	if (pwri_tmp)
+		OPENSSL_free(pwri_tmp);
 	if (econtent_type)
 		ASN1_OBJECT_free(econtent_type);
 	if (rr)
@@ -1175,6 +1337,14 @@ end:
 		sk_OPENSSL_STRING_free(rr_to);
 	if (rr_from)
 		sk_OPENSSL_STRING_free(rr_from);
+	for(key_param = key_first; key_param;)
+		{
+		cms_key_param *tparam;
+		sk_OPENSSL_STRING_free(key_param->param);
+		tparam = key_param->next;
+		OPENSSL_free(key_param);
+		key_param = tparam;
+		}
 	X509_STORE_free(store);
 	X509_free(cert);
 	X509_free(recip);
@@ -1359,4 +1529,25 @@ static CMS_ReceiptRequest *make_receipt_request(STACK_OF(OPENSSL_STRING) *rr_to,
 	return NULL;
 	}
 
+static int cms_set_pkey_param(EVP_PKEY_CTX *pctx,
+			STACK_OF(OPENSSL_STRING) *param)
+	{
+	char *keyopt;
+	int i;
+	if (sk_OPENSSL_STRING_num(param) <= 0)
+		return 1;
+	for (i = 0; i < sk_OPENSSL_STRING_num(param); i++)
+		{
+		keyopt = sk_OPENSSL_STRING_value(param, i);
+		if (pkey_ctrl_string(pctx, keyopt) <= 0)
+			{
+			BIO_printf(bio_err, "parameter error \"%s\"\n",
+						keyopt);
+			ERR_print_errors(bio_err);
+			return 0;
+			}
+		}
+	return 1;
+	}
+
 #endif