static int save_certs(char *signerfile, STACK_OF(X509) *signers);
static int cms_cb(int ok, X509_STORE_CTX *ctx);
-static void receipt_request_print(BIO *out, CMS_ContentInfo *cms);
+static void receipt_request_print(CMS_ContentInfo *cms);
static CMS_ReceiptRequest *make_receipt_request(STACK_OF(OPENSSL_STRING)
*rr_to, int rr_allorfirst, STACK_OF(OPENSSL_STRING)
*rr_from);
# define SMIME_SIGN_RECEIPT (15 | SMIME_IP | SMIME_OP)
# define SMIME_VERIFY_RECEIPT (16 | SMIME_IP)
-int verify_err = 0;
+static int verify_err = 0;
typedef struct cms_key_param_st cms_key_param;
OPT_NOSIGS, OPT_NO_CONTENT_VERIFY, OPT_NO_ATTR_VERIFY, OPT_INDEF,
OPT_NOINDEF, OPT_NOOLDMIME, OPT_CRLFEOL, OPT_NOOUT, OPT_RR_PRINT,
OPT_RR_ALL, OPT_RR_FIRST, OPT_RCTFORM, OPT_CERTFILE, OPT_CAFILE,
- OPT_CAPATH, OPT_CONTENT, OPT_PRINT, OPT_SECRETKEY,
- OPT_SECRETKEYID, OPT_PWRI_PASSWORD, OPT_ECONTENT_TYPE, OPT_RAND,
- OPT_PASSIN, OPT_TO, OPT_FROM, OPT_SUBJECT, OPT_SIGNER, OPT_RECIP,
+ OPT_CAPATH, OPT_NOCAPATH, OPT_NOCAFILE,OPT_CONTENT, OPT_PRINT,
+ OPT_SECRETKEY, OPT_SECRETKEYID, OPT_PWRI_PASSWORD, OPT_ECONTENT_TYPE,
+ OPT_RAND, OPT_PASSIN, OPT_TO, OPT_FROM, OPT_SUBJECT, OPT_SIGNER, OPT_RECIP,
OPT_CERTSOUT, OPT_MD, OPT_INKEY, OPT_KEYFORM, OPT_KEYOPT, OPT_RR_FROM,
OPT_RR_TO, OPT_AES128_WRAP, OPT_AES192_WRAP, OPT_AES256_WRAP,
OPT_3DES_WRAP, OPT_ENGINE,
{"certfile", OPT_CERTFILE, '<', "Other certificates file"},
{"CAfile", OPT_CAFILE, '<', "Trusted certificates file"},
{"CApath", OPT_CAPATH, '/', "trusted certificates directory"},
+ {"no-CAfile", OPT_NOCAFILE, '-',
+ "Do not load the default certificates file"},
+ {"no-CApath", OPT_NOCAPATH, '-',
+ "Do not load certificates from the default certificates directory"},
{"content", OPT_CONTENT, '<',
"Supply or override content for detached signature"},
{"print", OPT_PRINT, '-'},
{"recip", OPT_RECIP, '<', "Recipient cert file for decryption"},
{"certsout", OPT_CERTSOUT, '>', "Certificate output file"},
{"md", OPT_MD, 's'},
- {"inkey", OPT_INKEY, '<',
+ {"inkey", OPT_INKEY, 's',
"Input private key (if not signer or recipient)"},
{"keyform", OPT_KEYFORM, 'f', "Input private key format (PEM or ENGINE)"},
{"keyopt", OPT_KEYOPT, 's', "Set public key parameters as n:v pairs"},
{"receipt_request_from", OPT_RR_FROM, 's'},
{"receipt_request_to", OPT_RR_TO, 's'},
+ {"", OPT_CIPHER, '-', "Any supported cipher"},
+ OPT_V_OPTIONS,
# ifndef OPENSSL_NO_AES
{"aes128-wrap", OPT_AES128_WRAP, '-', "Use AES128 to wrap key"},
{"aes192-wrap", OPT_AES192_WRAP, '-', "Use AES192 to wrap key"},
# ifndef OPENSSL_NO_ENGINE
{"engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device"},
# endif
- {"", OPT_CIPHER, '-', "Any supported cipher"},
- OPT_V_OPTIONS,
- {NULL},
+ {NULL}
};
int cms_main(int argc, char **argv)
X509_STORE *store = NULL;
X509_VERIFY_PARAM *vpm = NULL;
char *certfile = NULL, *keyfile = NULL, *contfile = NULL;
- char *CAfile = NULL, *CApath = NULL, *certsoutfile = NULL, *engine = NULL;
+ char *CAfile = NULL, *CApath = NULL, *certsoutfile = NULL;
+ int noCAfile = 0, noCApath = 0;
char *infile = NULL, *outfile = NULL, *rctfile = NULL, *inrand = NULL;
char *passinarg = NULL, *passin = NULL, *signerfile = NULL, *recipfile =
NULL;
char *to = NULL, *from = NULL, *subject = NULL, *prog;
cms_key_param *key_first = NULL, *key_param = NULL;
- const char *inmode = "r", *outmode = "w";
int flags = CMS_DETACHED, noout = 0, print = 0, keyidx = -1, vpmtouched =
0;
int informat = FORMAT_SMIME, outformat = FORMAT_SMIME;
case OPT_CAPATH:
CApath = opt_arg();
break;
+ case OPT_NOCAFILE:
+ noCAfile = 1;
+ break;
+ case OPT_NOCAPATH:
+ noCApath = 1;
+ break;
case OPT_IN:
infile = opt_arg();
break;
need_rand = 1;
break;
case OPT_ENGINE:
- engine = opt_arg();
+ e = setup_engine(opt_arg(), 0);
break;
case OPT_PASSIN:
passinarg = opt_arg();
if (operation == SMIME_ENCRYPT) {
if (encerts == NULL && (encerts = sk_X509_new_null()) == NULL)
goto end;
- cert = load_cert(opt_arg(), FORMAT_PEM, NULL, e,
+ cert = load_cert(opt_arg(), FORMAT_PEM,
"recipient certificate file");
if (cert == NULL)
goto end;
}
if (key_param == NULL || key_param->idx != keyidx) {
cms_key_param *nparam;
- nparam = OPENSSL_malloc(sizeof(cms_key_param));
- if (!nparam) {
- BIO_printf(bio_err, "Out of memory\n");
- goto end;
- }
+ nparam = app_malloc(sizeof(*nparam), "key param buffer");
nparam->idx = keyidx;
if ((nparam->param = sk_OPENSSL_STRING_new_null()) == NULL)
goto end;
goto end;
vpmtouched++;
break;
-# ifndef OPENSSL_NO_DES
case OPT_3DES_WRAP:
+# ifndef OPENSSL_NO_DES
wrap_cipher = EVP_des_ede3_wrap();
- break;
# endif
+ break;
# ifndef OPENSSL_NO_AES
case OPT_AES128_WRAP:
wrap_cipher = EVP_aes_128_wrap();
case OPT_AES256_WRAP:
wrap_cipher = EVP_aes_256_wrap();
break;
+# else
+ case OPT_AES128_WRAP:
+ case OPT_AES192_WRAP:
+ case OPT_AES256_WRAP:
+ break;
# endif
}
}
} else if (!operation)
goto opthelp;
-# ifndef OPENSSL_NO_ENGINE
- e = setup_engine(engine, 0);
-# endif
-
if (!app_passwd(passinarg, NULL, &passin, NULL)) {
BIO_printf(bio_err, "Error getting password\n");
goto end;
if (!(operation & SMIME_SIGNERS))
flags &= ~CMS_DETACHED;
- if (operation & SMIME_OP) {
- if (outformat == FORMAT_ASN1)
- outmode = "wb";
- } else {
+ if (!(operation & SMIME_OP)) {
if (flags & CMS_BINARY)
- outmode = "wb";
+ outformat = FORMAT_BINARY;
}
- if (operation & SMIME_IP) {
- if (informat == FORMAT_ASN1)
- inmode = "rb";
- } else {
+ if (!(operation & SMIME_IP)) {
if (flags & CMS_BINARY)
- inmode = "rb";
+ informat = FORMAT_BINARY;
}
if (operation == SMIME_ENCRYPT) {
if ((encerts = sk_X509_new_null()) == NULL)
goto end;
while (*argv) {
- if (!(cert = load_cert(*argv, FORMAT_PEM,
- NULL, e, "recipient certificate file")))
+ if ((cert = load_cert(*argv, FORMAT_PEM,
+ "recipient certificate file")) == NULL)
goto end;
sk_X509_push(encerts, cert);
cert = NULL;
}
if (certfile) {
- if (!(other = load_certs(certfile, FORMAT_PEM, NULL,
- e, "certificate file"))) {
+ if (!load_certs(certfile, &other, FORMAT_PEM, NULL,
+ "certificate file")) {
ERR_print_errors(bio_err);
goto end;
}
}
if (recipfile && (operation == SMIME_DECRYPT)) {
- if (!(recip = load_cert(recipfile, FORMAT_PEM, NULL,
- e, "recipient certificate file"))) {
+ if ((recip = load_cert(recipfile, FORMAT_PEM,
+ "recipient certificate file")) == NULL) {
ERR_print_errors(bio_err);
goto end;
}
}
if (operation == SMIME_SIGN_RECEIPT) {
- if (!(signer = load_cert(signerfile, FORMAT_PEM, NULL,
- e, "receipt signer certificate file"))) {
+ if ((signer = load_cert(signerfile, FORMAT_PEM,
+ "receipt signer certificate file")) == NULL) {
ERR_print_errors(bio_err);
goto end;
}
goto end;
}
- in = bio_open_default(infile, inmode);
+ in = bio_open_default(infile, 'r', informat);
if (in == NULL)
goto end;
}
if (contfile) {
BIO_free(indata);
- if (!(indata = BIO_new_file(contfile, "rb"))) {
+ if ((indata = BIO_new_file(contfile, "rb")) == NULL) {
BIO_printf(bio_err, "Can't read content file %s\n", contfile);
goto end;
}
if (rctfile) {
char *rctmode = (rctformat == FORMAT_ASN1) ? "rb" : "r";
- if (!(rctin = BIO_new_file(rctfile, rctmode))) {
+ if ((rctin = BIO_new_file(rctfile, rctmode)) == NULL) {
BIO_printf(bio_err, "Can't open receipt file %s\n", rctfile);
goto end;
}
}
}
- out = bio_open_default(outfile, outmode);
+ out = bio_open_default(outfile, 'w', outformat);
if (out == NULL)
goto end;
if ((operation == SMIME_VERIFY) || (operation == SMIME_VERIFY_RECEIPT)) {
- if (!(store = setup_verify(CAfile, CApath)))
+ if ((store = setup_verify(CAfile, CApath, noCAfile, noCApath)) == NULL)
goto end;
X509_STORE_set_verify_cb(store, cms_cb);
if (vpmtouched)
secret_keyid = NULL;
}
if (pwri_pass) {
- pwri_tmp = (unsigned char *)BUF_strdup((char *)pwri_pass);
+ pwri_tmp = (unsigned char *)OPENSSL_strdup((char *)pwri_pass);
if (!pwri_tmp)
goto end;
if (!CMS_add0_recipient_password(cms,
signerfile = sk_OPENSSL_STRING_value(sksigners, i);
keyfile = sk_OPENSSL_STRING_value(skkeys, i);
- signer = load_cert(signerfile, FORMAT_PEM, NULL,
- e, "signer certificate");
+ signer = load_cert(signerfile, FORMAT_PEM, "signer certificate");
if (!signer)
goto end;
key = load_key(keyfile, keyform, 0, passin, e, "signing key file");
sk_X509_free(signers);
}
if (rr_print)
- receipt_request_print(bio_err, cms);
+ receipt_request_print(cms);
} else if (operation == SMIME_VERIFY_RECEIPT) {
if (CMS_verify_receipt(rcms, cms, other, store, flags) > 0)
sk_X509_pop_free(encerts, X509_free);
sk_X509_pop_free(other, X509_free);
X509_VERIFY_PARAM_free(vpm);
- if (sksigners)
- sk_OPENSSL_STRING_free(sksigners);
- if (skkeys)
- sk_OPENSSL_STRING_free(skkeys);
- if (secret_key)
- OPENSSL_free(secret_key);
- if (secret_keyid)
- OPENSSL_free(secret_keyid);
- if (pwri_tmp)
- OPENSSL_free(pwri_tmp);
+ sk_OPENSSL_STRING_free(sksigners);
+ sk_OPENSSL_STRING_free(skkeys);
+ OPENSSL_free(secret_key);
+ OPENSSL_free(secret_keyid);
+ OPENSSL_free(pwri_tmp);
ASN1_OBJECT_free(econtent_type);
- if (rr)
- CMS_ReceiptRequest_free(rr);
- if (rr_to)
- sk_OPENSSL_STRING_free(rr_to);
- if (rr_from)
- sk_OPENSSL_STRING_free(rr_from);
+ CMS_ReceiptRequest_free(rr);
+ sk_OPENSSL_STRING_free(rr_to);
+ sk_OPENSSL_STRING_free(rr_from);
for (key_param = key_first; key_param;) {
cms_key_param *tparam;
sk_OPENSSL_STRING_free(key_param->param);
BIO_free(in);
BIO_free(indata);
BIO_free_all(out);
- if (passin)
- OPENSSL_free(passin);
+ OPENSSL_free(passin);
return (ret);
}
&& ((error != X509_V_OK) || (ok != 2)))
return ok;
- /* Should be bio_err? */
- policies_print(bio_out, ctx);
+ policies_print(ctx);
return ok;
}
-static void gnames_stack_print(BIO *out, STACK_OF(GENERAL_NAMES) *gns)
+static void gnames_stack_print(STACK_OF(GENERAL_NAMES) *gns)
{
STACK_OF(GENERAL_NAME) *gens;
GENERAL_NAME *gen;
int i, j;
+
for (i = 0; i < sk_GENERAL_NAMES_num(gns); i++) {
gens = sk_GENERAL_NAMES_value(gns, i);
for (j = 0; j < sk_GENERAL_NAME_num(gens); j++) {
gen = sk_GENERAL_NAME_value(gens, j);
- BIO_puts(out, " ");
- GENERAL_NAME_print(out, gen);
- BIO_puts(out, "\n");
+ BIO_puts(bio_err, " ");
+ GENERAL_NAME_print(bio_err, gen);
+ BIO_puts(bio_err, "\n");
}
}
return;
}
-static void receipt_request_print(BIO *out, CMS_ContentInfo *cms)
+static void receipt_request_print(CMS_ContentInfo *cms)
{
STACK_OF(CMS_SignerInfo) *sis;
CMS_SignerInfo *si;
int idlen;
CMS_ReceiptRequest_get0_values(rr, &scid, &allorfirst,
&rlist, &rto);
- BIO_puts(out, " Signed Content ID:\n");
+ BIO_puts(bio_err, " Signed Content ID:\n");
idlen = ASN1_STRING_length(scid);
id = (char *)ASN1_STRING_data(scid);
- BIO_dump_indent(out, id, idlen, 4);
- BIO_puts(out, " Receipts From");
+ BIO_dump_indent(bio_err, id, idlen, 4);
+ BIO_puts(bio_err, " Receipts From");
if (rlist) {
- BIO_puts(out, " List:\n");
- gnames_stack_print(out, rlist);
+ BIO_puts(bio_err, " List:\n");
+ gnames_stack_print(rlist);
} else if (allorfirst == 1)
- BIO_puts(out, ": First Tier\n");
+ BIO_puts(bio_err, ": First Tier\n");
else if (allorfirst == 0)
- BIO_puts(out, ": All\n");
+ BIO_puts(bio_err, ": All\n");
else
- BIO_printf(out, " Unknown (%d)\n", allorfirst);
- BIO_puts(out, " Receipts To:\n");
- gnames_stack_print(out, rto);
+ BIO_printf(bio_err, " Unknown (%d)\n", allorfirst);
+ BIO_puts(bio_err, " Receipts To:\n");
+ gnames_stack_print(rto);
}
- if (rr)
- CMS_ReceiptRequest_free(rr);
+ CMS_ReceiptRequest_free(rr);
}
}
if (!gen)
goto err;
gens = GENERAL_NAMES_new();
- if (!gens)
+ if (gens == NULL)
goto err;
if (!sk_GENERAL_NAME_push(gens, gen))
goto err;
return ret;
err:
- if (ret)
- sk_GENERAL_NAMES_pop_free(ret, GENERAL_NAMES_free);
- if (gens)
- GENERAL_NAMES_free(gens);
- if (gen)
- GENERAL_NAME_free(gen);
+ sk_GENERAL_NAMES_pop_free(ret, GENERAL_NAMES_free);
+ GENERAL_NAMES_free(gens);
+ GENERAL_NAME_free(gen);
return NULL;
}