static int smime_cb(int ok, X509_STORE_CTX *ctx);
#define SMIME_OP 0x10
+#define SMIME_IP 0x20
+#define SMIME_SIGNERS 0x40
#define SMIME_ENCRYPT (1 | SMIME_OP)
-#define SMIME_DECRYPT 2
-#define SMIME_SIGN (3 | SMIME_OP)
-#define SMIME_VERIFY 4
-#define SMIME_PK7OUT 5
+#define SMIME_DECRYPT (2 | SMIME_IP)
+#define SMIME_SIGN (3 | SMIME_OP | SMIME_SIGNERS)
+#define SMIME_VERIFY (4 | SMIME_IP)
+#define SMIME_PK7OUT (5 | SMIME_OP)
+#define SMIME_RESIGN (6 | SMIME_IP | SMIME_OP | SMIME_SIGNERS)
int MAIN(int, char **);
const char *inmode = "r", *outmode = "w";
char *infile = NULL, *outfile = NULL;
char *signerfile = NULL, *recipfile = NULL;
+ STACK *sksigners = NULL, *skkeys = NULL;
char *certfile = NULL, *keyfile = NULL, *contfile=NULL;
const EVP_CIPHER *cipher = NULL;
PKCS7 *p7 = NULL;
char *passargin = NULL, *passin = NULL;
char *inrand = NULL;
int need_rand = 0;
+ const EVP_MD *sign_md = NULL;
int informat = FORMAT_SMIME, outformat = FORMAT_SMIME;
int keyform = FORMAT_PEM;
#ifndef OPENSSL_NO_ENGINE
operation = SMIME_DECRYPT;
else if (!strcmp (*args, "-sign"))
operation = SMIME_SIGN;
+ else if (!strcmp (*args, "-resign"))
+ operation = SMIME_RESIGN;
else if (!strcmp (*args, "-verify"))
operation = SMIME_VERIFY;
else if (!strcmp (*args, "-pk7out"))
{
if (!args[1])
goto argerr;
+ /* If previous -signer argument add signer to list */
+
+ if (signerfile)
+ {
+ if (!sksigners)
+ sksigners = sk_new_null();
+ sk_push(sksigners, signerfile);
+ if (!keyfile)
+ keyfile = signerfile;
+ if (!skkeys)
+ skkeys = sk_new_null();
+ sk_push(skkeys, keyfile);
+ keyfile = NULL;
+ }
signerfile = *++args;
}
else if (!strcmp (*args, "-recip"))
goto argerr;
recipfile = *++args;
}
+ else if (!strcmp (*args, "-md"))
+ {
+ if (!args[1])
+ goto argerr;
+ sign_md = EVP_get_digestbyname(*++args);
+ if (sign_md == NULL)
+ {
+ BIO_printf(bio_err, "Unknown digest %s\n",
+ *args);
+ goto argerr;
+ }
+ }
else if (!strcmp (*args, "-inkey"))
{
if (!args[1])
goto argerr;
+ /* If previous -inkey arument add signer to list */
+ if (keyfile)
+ {
+ if (!signerfile)
+ {
+ BIO_puts(bio_err, "Illegal -inkey without -signer\n");
+ goto argerr;
+ }
+ if (!sksigners)
+ sksigners = sk_new_null();
+ sk_push(sksigners, signerfile);
+ signerfile = NULL;
+ if (!skkeys)
+ skkeys = sk_new_null();
+ sk_push(skkeys, keyfile);
+ }
keyfile = *++args;
}
else if (!strcmp (*args, "-keyform"))
args++;
}
+ if (!(operation & SMIME_SIGNERS) && (skkeys || sksigners))
+ {
+ BIO_puts(bio_err, "Multiple signers or keys not allowed\n");
+ goto argerr;
+ }
- if (operation == SMIME_SIGN)
+ if (operation & SMIME_SIGNERS)
{
- if (!signerfile)
+ /* Check to see if any final signer needs to be appended */
+ if (keyfile && !signerfile)
+ {
+ BIO_puts(bio_err, "Illegal -inkey without -signer\n");
+ goto argerr;
+ }
+ if (signerfile)
+ {
+ if (!sksigners)
+ sksigners = sk_new_null();
+ sk_push(sksigners, signerfile);
+ if (!skkeys)
+ skkeys = sk_new_null();
+ if (!keyfile)
+ keyfile = signerfile;
+ sk_push(skkeys, keyfile);
+ }
+ if (!sksigners)
{
BIO_printf(bio_err, "No signer certificate specified\n");
badarg = 1;
}
+ signerfile = NULL;
+ keyfile = NULL;
need_rand = 1;
}
else if (operation == SMIME_DECRYPT)
ret = 2;
- if (operation != SMIME_SIGN)
+ if (!(operation & SMIME_SIGNERS))
flags &= ~PKCS7_DETACHED;
if (operation & SMIME_OP)
{
- if (flags & PKCS7_BINARY)
- inmode = "rb";
if (outformat == FORMAT_ASN1)
outmode = "wb";
}
{
if (flags & PKCS7_BINARY)
outmode = "wb";
+ }
+
+ if (operation & SMIME_IP)
+ {
if (informat == FORMAT_ASN1)
inmode = "rb";
}
+ else
+ {
+ if (flags & PKCS7_BINARY)
+ inmode = "rb";
+ }
if (operation == SMIME_ENCRYPT)
{
}
}
- if (signerfile && (operation == SMIME_SIGN))
- {
- if (!(signer = load_cert(bio_err,signerfile,FORMAT_PEM, NULL,
- e, "signer certificate")))
- {
-#if 0 /* An appropri message has already been printed */
- BIO_printf(bio_err, "Can't read signer certificate file %s\n", signerfile);
-#endif
- goto end;
- }
- }
-
if (certfile)
{
if (!(other = load_certs(bio_err,certfile,FORMAT_PEM, NULL,
e, "certificate file")))
{
-#if 0 /* An appropriate message has already been printed */
- BIO_printf(bio_err, "Can't read certificate file %s\n", certfile);
-#endif
ERR_print_errors(bio_err);
goto end;
}
if (!(recip = load_cert(bio_err,recipfile,FORMAT_PEM,NULL,
e, "recipient certificate file")))
{
-#if 0 /* An appropriate message has alrady been printed */
- BIO_printf(bio_err, "Can't read recipient certificate file %s\n", recipfile);
-#endif
ERR_print_errors(bio_err);
goto end;
}
else
in = BIO_new_fp(stdin, BIO_NOCLOSE);
+ if (operation & SMIME_IP)
+ {
+ if (informat == FORMAT_SMIME)
+ p7 = SMIME_read_PKCS7(in, &indata);
+ else if (informat == FORMAT_PEM)
+ p7 = PEM_read_bio_PKCS7(in, NULL, NULL, NULL);
+ else if (informat == FORMAT_ASN1)
+ p7 = d2i_PKCS7_bio(in, NULL);
+ else
+ {
+ BIO_printf(bio_err, "Bad input format for PKCS#7 file\n");
+ goto end;
+ }
+
+ if (!p7)
+ {
+ BIO_printf(bio_err, "Error reading S/MIME message\n");
+ goto end;
+ }
+ if (contfile)
+ {
+ BIO_free(indata);
+ if (!(indata = BIO_new_file(contfile, "rb")))
+ {
+ BIO_printf(bio_err, "Can't read content file %s\n", contfile);
+ goto end;
+ }
+ }
+ }
+
if (outfile)
{
if (!(out = BIO_new_file(outfile, outmode)))
if (operation == SMIME_ENCRYPT)
p7 = PKCS7_encrypt(encerts, in, cipher, flags);
- else if (operation == SMIME_SIGN)
+ else if (operation & SMIME_SIGNERS)
{
+ int i;
/* If detached data and SMIME output enable partial
* signing.
*/
- if ((flags & PKCS7_DETACHED) && (outformat == FORMAT_SMIME))
- flags |= PKCS7_STREAM;
- p7 = PKCS7_sign(signer, key, other, in, flags);
- /* Don't need to rewind for partial signing */
- if (!(flags & PKCS7_STREAM) && (BIO_reset(in) != 0))
+ if (operation == SMIME_SIGN)
{
- BIO_printf(bio_err, "Can't rewind input file\n");
- goto end;
+ if ((flags & PKCS7_DETACHED)
+ && (outformat == FORMAT_SMIME))
+ flags |= PKCS7_STREAM;
+ flags |= PKCS7_PARTIAL;
+ p7 = PKCS7_sign(NULL, NULL, other, in, flags);
}
- }
- else
- {
- if (informat == FORMAT_SMIME)
- p7 = SMIME_read_PKCS7(in, &indata);
- else if (informat == FORMAT_PEM)
- p7 = PEM_read_bio_PKCS7(in, NULL, NULL, NULL);
- else if (informat == FORMAT_ASN1)
- p7 = d2i_PKCS7_bio(in, NULL);
else
- {
- BIO_printf(bio_err, "Bad input format for PKCS#7 file\n");
- goto end;
- }
-
- if (!p7)
- {
- BIO_printf(bio_err, "Error reading S/MIME message\n");
- goto end;
+ flags |= PKCS7_REUSE_DIGEST;
+ for (i = 0; i < sk_num(sksigners); i++)
+ {
+ signerfile = sk_value(sksigners, i);
+ keyfile = sk_value(skkeys, i);
+ signer = load_cert(bio_err, signerfile,FORMAT_PEM, NULL,
+ e, "signer certificate");
+ if (!signer)
+ goto end;
+ key = load_key(bio_err, keyfile, keyform, 0, passin, e,
+ "signing key file");
+ if (!key)
+ goto end;
+ if (!PKCS7_sign_add_signer(p7, signer, key,
+ sign_md, flags))
+ goto end;
+ X509_free(signer);
+ signer = NULL;
+ EVP_PKEY_free(key);
+ key = NULL;
}
- if (contfile)
+ /* If not streaming or resigning finalize structure */
+ if ((operation == SMIME_SIGN) && !(flags & PKCS7_STREAM))
{
- BIO_free(indata);
- if (!(indata = BIO_new_file(contfile, "rb")))
+ if (!PKCS7_final(p7, in, flags))
+ goto end;
+ if (BIO_reset(in) != 0)
{
- BIO_printf(bio_err, "Can't read content file %s\n", contfile);
+ BIO_puts(bio_err, "Can't rewind input file\n");
goto end;
}
}
if (subject)
BIO_printf(out, "Subject: %s\n", subject);
if (outformat == FORMAT_SMIME)
- SMIME_write_PKCS7(out, p7, in, flags);
+ {
+ if (operation == SMIME_RESIGN)
+ SMIME_write_PKCS7(out, p7, indata, flags);
+ else
+ SMIME_write_PKCS7(out, p7, in, flags);
+ }
else if (outformat == FORMAT_PEM)
PEM_write_bio_PKCS7(out,p7);
else if (outformat == FORMAT_ASN1)
sk_X509_pop_free(other, X509_free);
if (vpm)
X509_VERIFY_PARAM_free(vpm);
+ if (sksigners)
+ sk_free(sksigners);
+ if (skkeys)
+ sk_free(skkeys);
X509_STORE_free(store);
X509_free(cert);
X509_free(recip);