/*
- * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project.
- */
-/* ====================================================================
- * Copyright (c) 1999-2004 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
+ * Copyright 1999-2017 The OpenSSL Project Authors. All Rights Reserved.
*
+ * Licensed under the OpenSSL license (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
*/
/* S/MIME utility function */
OPT_PK7OUT, OPT_TEXT, OPT_NOINTERN, OPT_NOVERIFY, OPT_NOCHAIN,
OPT_NOCERTS, OPT_NOATTR, OPT_NODETACH, OPT_NOSMIMECAP,
OPT_BINARY, OPT_NOSIGS, OPT_STREAM, OPT_INDEF, OPT_NOINDEF,
- OPT_NOOLDMIME, OPT_CRLFEOL, OPT_RAND, OPT_ENGINE, OPT_PASSIN,
+ OPT_CRLFEOL, OPT_ENGINE, OPT_PASSIN,
OPT_TO, OPT_FROM, OPT_SUBJECT, OPT_SIGNER, OPT_RECIP, OPT_MD,
OPT_CIPHER, OPT_INKEY, OPT_KEYFORM, OPT_CERTFILE, OPT_CAFILE,
+ OPT_R_ENUM,
OPT_V_ENUM,
- OPT_CAPATH, OPT_IN, OPT_INFORM, OPT_OUT, OPT_OUTFORM, OPT_CONTENT
+ OPT_CAPATH, OPT_NOCAFILE, OPT_NOCAPATH, OPT_IN, OPT_INFORM, OPT_OUT,
+ OPT_OUTFORM, OPT_CONTENT
} OPTION_CHOICE;
-OPTIONS smime_options[] = {
+const OPTIONS smime_options[] = {
{OPT_HELP_STR, 1, '-', "Usage: %s [options] cert.pem...\n"},
{OPT_HELP_STR, 1, '-',
" cert.pem... recipient certs for encryption\n"},
{"noattr", OPT_NOATTR, '-', "Don't include any signed attributes"},
{"binary", OPT_BINARY, '-', "Don't translate message to text"},
{"certfile", OPT_CERTFILE, '<', "Other certificates file"},
- {"signer", OPT_SIGNER, '<', "Signer certificate file"},
+ {"signer", OPT_SIGNER, 's', "Signer certificate file"},
{"recip", OPT_RECIP, '<', "Recipient certificate file for decryption"},
{"in", OPT_IN, '<', "Input file"},
- {"inform", OPT_INFORM, 'F', "Input format SMIME (default), PEM or DER"},
- {"inkey", OPT_INKEY, '<',
+ {"inform", OPT_INFORM, 'c', "Input format SMIME (default), PEM or DER"},
+ {"inkey", OPT_INKEY, 's',
"Input private key (if not signer or recipient)"},
{"keyform", OPT_KEYFORM, 'f', "Input private key format (PEM or ENGINE)"},
{"out", OPT_OUT, '>', "Output file"},
- {"outform", OPT_OUTFORM, 'F',
+ {"outform", OPT_OUTFORM, 'c',
"Output format SMIME (default), PEM or DER"},
{"content", OPT_CONTENT, '<',
"Supply or override content for detached signature"},
{"text", OPT_TEXT, '-', "Include or delete text MIME headers"},
{"CApath", OPT_CAPATH, '/', "Trusted certificates directory"},
{"CAfile", OPT_CAFILE, '<', "Trusted certificates file"},
- {"resign", OPT_RESIGN, '-'},
- {"nochain", OPT_NOCHAIN, '-'},
- {"nosmimecap", OPT_NOSMIMECAP, '-'},
- {"stream", OPT_STREAM, '-'},
- {"indef", OPT_INDEF, '-'},
- {"noindef", OPT_NOINDEF, '-'},
- {"nooldmime", OPT_NOOLDMIME, '-'},
- {"crlfeol", OPT_CRLFEOL, '-'},
- {"rand", OPT_RAND, 's',
- "Load the file(s) into the random number generator"},
+ {"no-CAfile", OPT_NOCAFILE, '-',
+ "Do not load the default certificates file"},
+ {"no-CApath", OPT_NOCAPATH, '-',
+ "Do not load certificates from the default certificates directory"},
+ {"resign", OPT_RESIGN, '-', "Resign a signed message"},
+ {"nochain", OPT_NOCHAIN, '-',
+ "set PKCS7_NOCHAIN so certificates contained in the message are not used as untrusted CAs" },
+ {"nosmimecap", OPT_NOSMIMECAP, '-', "Omit the SMIMECapabilities attribute"},
+ {"stream", OPT_STREAM, '-', "Enable CMS streaming" },
+ {"indef", OPT_INDEF, '-', "Same as -stream" },
+ {"noindef", OPT_NOINDEF, '-', "Disable CMS streaming"},
+ {"crlfeol", OPT_CRLFEOL, '-', "Use CRLF as EOL termination instead of CR only"},
+ OPT_R_OPTIONS,
{"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
- {"md", OPT_MD, 's'},
+ {"md", OPT_MD, 's', "Digest algorithm to use when signing or resigning"},
{"", OPT_CIPHER, '-', "Any supported cipher"},
OPT_V_OPTIONS,
#ifndef OPENSSL_NO_ENGINE
X509_VERIFY_PARAM *vpm = NULL;
const EVP_CIPHER *cipher = NULL;
const EVP_MD *sign_md = NULL;
- char *CAfile = NULL, *CApath = NULL, *inrand = NULL;
- char *certfile = NULL, *keyfile = NULL, *contfile = NULL, *prog;
- char *infile = NULL, *outfile = NULL, *signerfile = NULL, *recipfile =
- NULL;
- char *passinarg = NULL, *passin = NULL, *to = NULL, *from =
- NULL, *subject = NULL;
- const char *inmode = "r", *outmode = "w";
+ const char *CAfile = NULL, *CApath = NULL, *prog = NULL;
+ char *certfile = NULL, *keyfile = NULL, *contfile = NULL;
+ char *infile = NULL, *outfile = NULL, *signerfile = NULL, *recipfile = NULL;
+ char *passinarg = NULL, *passin = NULL, *to = NULL, *from = NULL, *subject = NULL;
OPTION_CHOICE o;
- int flags = PKCS7_DETACHED, operation = 0, ret = 0, need_rand = 0, indef =
- 0;
+ int noCApath = 0, noCAfile = 0;
+ int flags = PKCS7_DETACHED, operation = 0, ret = 0, indef = 0;
int informat = FORMAT_SMIME, outformat = FORMAT_SMIME, keyform =
FORMAT_PEM;
int vpmtouched = 0, rv = 0;
ENGINE *e = NULL;
+ const char *mime_eol = "\n";
if ((vpm = X509_VERIFY_PARAM_new()) == NULL)
return 1;
ret = 0;
goto end;
case OPT_INFORM:
- if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &informat))
+ if (!opt_format(opt_arg(), OPT_FMT_PDS, &informat))
goto opthelp;
break;
case OPT_IN:
infile = opt_arg();
break;
case OPT_OUTFORM:
- if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &outformat))
+ if (!opt_format(opt_arg(), OPT_FMT_PDS, &outformat))
goto opthelp;
break;
case OPT_OUT:
case OPT_NOINDEF:
indef = 0;
break;
- case OPT_NOOLDMIME:
- flags |= PKCS7_NOOLDMIMETYPE;
- break;
case OPT_CRLFEOL:
flags |= PKCS7_CRLFEOL;
+ mime_eol = "\r\n";
break;
- case OPT_RAND:
- inrand = opt_arg();
- need_rand = 1;
+ case OPT_R_CASES:
+ if (!opt_rand(o))
+ goto end;
break;
case OPT_ENGINE:
e = setup_engine(opt_arg(), 0);
break;
case OPT_SIGNER:
/* If previous -signer argument add signer to list */
- if (signerfile) {
+ if (signerfile != NULL) {
if (sksigners == NULL
&& (sksigners = sk_OPENSSL_STRING_new_null()) == NULL)
goto end;
goto opthelp;
break;
case OPT_INKEY:
- /* If previous -inkey arument add signer to list */
- if (keyfile) {
+ /* If previous -inkey argument add signer to list */
+ if (keyfile != NULL) {
if (signerfile == NULL) {
BIO_printf(bio_err,
"%s: Must have -signer before -inkey\n", prog);
case OPT_CAPATH:
CApath = opt_arg();
break;
+ case OPT_NOCAFILE:
+ noCAfile = 1;
+ break;
+ case OPT_NOCAPATH:
+ noCApath = 1;
+ break;
case OPT_CONTENT:
contfile = opt_arg();
break;
argc = opt_num_rest();
argv = opt_rest();
- if (!(operation & SMIME_SIGNERS) && (skkeys || sksigners)) {
+ if (!(operation & SMIME_SIGNERS) && (skkeys != NULL || sksigners != NULL)) {
BIO_puts(bio_err, "Multiple signers or keys not allowed\n");
goto opthelp;
}
BIO_puts(bio_err, "Illegal -inkey without -signer\n");
goto opthelp;
}
- if (signerfile) {
- if (!sksigners
+ if (signerfile != NULL) {
+ if (sksigners == NULL
&& (sksigners = sk_OPENSSL_STRING_new_null()) == NULL)
goto end;
sk_OPENSSL_STRING_push(sksigners, signerfile);
keyfile = signerfile;
sk_OPENSSL_STRING_push(skkeys, keyfile);
}
- if (!sksigners) {
+ if (sksigners == NULL) {
BIO_printf(bio_err, "No signer certificate specified\n");
goto opthelp;
}
signerfile = NULL;
keyfile = NULL;
- need_rand = 1;
} else if (operation == SMIME_DECRYPT) {
- if (!recipfile && !keyfile) {
+ if (recipfile == NULL && keyfile == NULL) {
BIO_printf(bio_err,
"No recipient certificate or key specified\n");
goto opthelp;
BIO_printf(bio_err, "No recipient(s) certificate(s) specified\n");
goto opthelp;
}
- need_rand = 1;
- } else if (!operation)
+ } else if (!operation) {
goto opthelp;
+ }
if (!app_passwd(passinarg, NULL, &passin, NULL)) {
BIO_printf(bio_err, "Error getting password\n");
goto end;
}
- if (need_rand) {
- app_RAND_load_file(NULL, (inrand != NULL));
- if (inrand != NULL)
- BIO_printf(bio_err, "%ld semi-random bytes loaded\n",
- app_RAND_load_files(inrand));
- }
-
ret = 2;
if (!(operation & SMIME_SIGNERS))
flags &= ~PKCS7_DETACHED;
- if (operation & SMIME_OP) {
- if (outformat == FORMAT_ASN1)
- outmode = "wb";
- } else {
+ if (!(operation & SMIME_OP)) {
if (flags & PKCS7_BINARY)
- outmode = "wb";
+ outformat = FORMAT_BINARY;
}
- if (operation & SMIME_IP) {
- if (informat == FORMAT_ASN1)
- inmode = "rb";
- } else {
+ if (!(operation & SMIME_IP)) {
if (flags & PKCS7_BINARY)
- inmode = "rb";
+ informat = FORMAT_BINARY;
}
if (operation == SMIME_ENCRYPT) {
- if (!cipher) {
+ if (cipher == NULL) {
#ifndef OPENSSL_NO_DES
cipher = EVP_des_ede3_cbc();
#else
#endif
}
encerts = sk_X509_new_null();
- if (!encerts)
+ if (encerts == NULL)
goto end;
- while (*argv) {
+ while (*argv != NULL) {
cert = load_cert(*argv, FORMAT_PEM,
- NULL, e, "recipient certificate file");
+ "recipient certificate file");
if (cert == NULL)
goto end;
sk_X509_push(encerts, cert);
}
}
- if (certfile) {
- if (!(other = load_certs(certfile, FORMAT_PEM, NULL,
- e, "certificate file"))) {
+ if (certfile != NULL) {
+ if (!load_certs(certfile, &other, FORMAT_PEM, NULL,
+ "certificate file")) {
ERR_print_errors(bio_err);
goto end;
}
}
- if (recipfile && (operation == SMIME_DECRYPT)) {
- if (!(recip = load_cert(recipfile, FORMAT_PEM, NULL,
- e, "recipient certificate file"))) {
+ if (recipfile != NULL && (operation == SMIME_DECRYPT)) {
+ if ((recip = load_cert(recipfile, FORMAT_PEM,
+ "recipient certificate file")) == NULL) {
ERR_print_errors(bio_err);
goto end;
}
}
if (operation == SMIME_DECRYPT) {
- if (!keyfile)
+ if (keyfile == NULL)
keyfile = recipfile;
} else if (operation == SMIME_SIGN) {
- if (!keyfile)
+ if (keyfile == NULL)
keyfile = signerfile;
- } else
+ } else {
keyfile = NULL;
+ }
- if (keyfile) {
+ if (keyfile != NULL) {
key = load_key(keyfile, keyform, 0, passin, e, "signing key file");
- if (!key)
+ if (key == NULL)
goto end;
}
- in = bio_open_default(infile, inmode);
+ in = bio_open_default(infile, 'r', informat);
if (in == NULL)
goto end;
if (operation & SMIME_IP) {
- if (informat == FORMAT_SMIME)
+ if (informat == FORMAT_SMIME) {
p7 = SMIME_read_PKCS7(in, &indata);
- else if (informat == FORMAT_PEM)
+ } else if (informat == FORMAT_PEM) {
p7 = PEM_read_bio_PKCS7(in, NULL, NULL, NULL);
- else if (informat == FORMAT_ASN1)
+ } else if (informat == FORMAT_ASN1) {
p7 = d2i_PKCS7_bio(in, NULL);
- else {
+ } else {
BIO_printf(bio_err, "Bad input format for PKCS#7 file\n");
goto end;
}
- if (!p7) {
+ if (p7 == NULL) {
BIO_printf(bio_err, "Error reading S/MIME message\n");
goto end;
}
- if (contfile) {
+ if (contfile != NULL) {
BIO_free(indata);
- if (!(indata = BIO_new_file(contfile, "rb"))) {
+ if ((indata = BIO_new_file(contfile, "rb")) == NULL) {
BIO_printf(bio_err, "Can't read content file %s\n", contfile);
goto end;
}
}
}
- out = bio_open_default(outfile, outmode);
+ out = bio_open_default(outfile, 'w', outformat);
if (out == NULL)
goto end;
if (operation == SMIME_VERIFY) {
- if (!(store = setup_verify(CAfile, CApath)))
+ if ((store = setup_verify(CAfile, CApath, noCAfile, noCApath)) == NULL)
goto end;
X509_STORE_set_verify_cb(store, smime_cb);
if (vpmtouched)
if (flags & PKCS7_DETACHED) {
if (outformat == FORMAT_SMIME)
flags |= PKCS7_STREAM;
- } else if (indef)
+ } else if (indef) {
flags |= PKCS7_STREAM;
+ }
flags |= PKCS7_PARTIAL;
p7 = PKCS7_sign(NULL, NULL, other, in, flags);
- if (!p7)
+ if (p7 == NULL)
goto end;
if (flags & PKCS7_NOCERTS) {
for (i = 0; i < sk_X509_num(other); i++) {
PKCS7_add_certificate(p7, x);
}
}
- } else
+ } else {
flags |= PKCS7_REUSE_DIGEST;
+ }
for (i = 0; i < sk_OPENSSL_STRING_num(sksigners); i++) {
signerfile = sk_OPENSSL_STRING_value(sksigners, i);
keyfile = sk_OPENSSL_STRING_value(skkeys, i);
- signer = load_cert(signerfile, FORMAT_PEM, NULL,
- e, "signer certificate");
- if (!signer)
+ signer = load_cert(signerfile, FORMAT_PEM,
+ "signer certificate");
+ if (signer == NULL)
goto end;
key = load_key(keyfile, keyform, 0, passin, e, "signing key file");
- if (!key)
+ if (key == NULL)
goto end;
if (!PKCS7_sign_add_signer(p7, signer, key, sign_md, flags))
goto end;
}
}
- if (!p7) {
+ if (p7 == NULL) {
BIO_printf(bio_err, "Error creating PKCS#7 structure\n");
goto end;
}
goto end;
}
sk_X509_free(signers);
- } else if (operation == SMIME_PK7OUT)
+ } else if (operation == SMIME_PK7OUT) {
PEM_write_bio_PKCS7(out, p7);
- else {
+ } else {
if (to)
- BIO_printf(out, "To: %s\n", to);
+ BIO_printf(out, "To: %s%s", to, mime_eol);
if (from)
- BIO_printf(out, "From: %s\n", from);
+ BIO_printf(out, "From: %s%s", from, mime_eol);
if (subject)
- BIO_printf(out, "Subject: %s\n", subject);
+ BIO_printf(out, "Subject: %s%s", subject, mime_eol);
if (outformat == FORMAT_SMIME) {
if (operation == SMIME_RESIGN)
rv = SMIME_write_PKCS7(out, p7, indata, flags);
else
rv = SMIME_write_PKCS7(out, p7, in, flags);
- } else if (outformat == FORMAT_PEM)
+ } else if (outformat == FORMAT_PEM) {
rv = PEM_write_bio_PKCS7_stream(out, p7, in, flags);
- else if (outformat == FORMAT_ASN1)
+ } else if (outformat == FORMAT_ASN1) {
rv = i2d_PKCS7_bio_stream(out, p7, in, flags);
- else {
+ } else {
BIO_printf(bio_err, "Bad output format for PKCS#7 file\n");
goto end;
}
}
ret = 0;
end:
- if (need_rand)
- app_RAND_write_file(NULL);
if (ret)
ERR_print_errors(bio_err);
sk_X509_pop_free(encerts, X509_free);
sk_X509_pop_free(other, X509_free);
- if (vpm)
- X509_VERIFY_PARAM_free(vpm);
- if (sksigners)
- sk_OPENSSL_STRING_free(sksigners);
- if (skkeys)
- sk_OPENSSL_STRING_free(skkeys);
+ X509_VERIFY_PARAM_free(vpm);
+ sk_OPENSSL_STRING_free(sksigners);
+ sk_OPENSSL_STRING_free(skkeys);
X509_STORE_free(store);
X509_free(cert);
X509_free(recip);
X509_free(signer);
EVP_PKEY_free(key);
PKCS7_free(p7);
+ release_engine(e);
BIO_free(in);
BIO_free(indata);
BIO_free_all(out);
- if (passin)
- OPENSSL_free(passin);
- return (ret);
+ OPENSSL_free(passin);
+ return ret;
}
static int save_certs(char *signerfile, STACK_OF(X509) *signers)
{
int i;
BIO *tmp;
- if (!signerfile)
+
+ if (signerfile == NULL)
return 1;
tmp = BIO_new_file(signerfile, "w");
- if (!tmp)
+ if (tmp == NULL)
return 0;
for (i = 0; i < sk_X509_num(signers); i++)
PEM_write_bio_X509(tmp, sk_X509_value(signers, i));
policies_print(ctx);
return ok;
-
}
projects / openssl.git / blobdiff