smime.c@ 108403

最後變更在這個檔案從108403是 108206,由 vboxsync 提交於 6 週前
openssl-3.3.2: Exported all files to OSE and removed .scm-settings bugref:10757
屬性 svn:eol-style 設為 `native` 屬性 svn:keywords 設為 `Author Date Id Revision`
檔案大小: 23.5 KB

行
1	/*
2	* Copyright 1999-2024 The OpenSSL Project Authors. All Rights Reserved.
3	*
4	* Licensed under the Apache License 2.0 (the "License"). You may not use
5	* this file except in compliance with the License. You can obtain a copy
6	* in the file LICENSE in the source distribution or at
7	* https://www.openssl.org/source/license.html
8	*/
9
10	/* S/MIME utility function */
11
12	#include <stdio.h>
13	#include <string.h>
14	#include "apps.h"
15	#include "progs.h"
16	#include <openssl/crypto.h>
17	#include <openssl/pem.h>
18	#include <openssl/err.h>
19	#include <openssl/x509_vfy.h>
20	#include <openssl/x509v3.h>
21
22	static int save_certs(char signerfile, STACK_OF(X509) signers);
23	static int smime_cb(int ok, X509_STORE_CTX *ctx);
24
25	#define SMIME_OP 0x10
26	#define SMIME_IP 0x20
27	#define SMIME_SIGNERS 0x40
28	#define SMIME_ENCRYPT (1 \| SMIME_OP)
29	#define SMIME_DECRYPT (2 \| SMIME_IP)
30	#define SMIME_SIGN (3 \| SMIME_OP \| SMIME_SIGNERS)
31	#define SMIME_RESIGN (6 \| SMIME_IP \| SMIME_OP \| SMIME_SIGNERS)
32	#define SMIME_VERIFY (4 \| SMIME_IP)
33	#define SMIME_PK7OUT (5 \| SMIME_IP \| SMIME_OP)
34
35	typedef enum OPTION_choice {
36	OPT_COMMON,
37	OPT_ENCRYPT, OPT_DECRYPT, OPT_SIGN, OPT_RESIGN, OPT_VERIFY,
38	OPT_PK7OUT, OPT_TEXT, OPT_NOINTERN, OPT_NOVERIFY, OPT_NOCHAIN,
39	OPT_NOCERTS, OPT_NOATTR, OPT_NODETACH, OPT_NOSMIMECAP,
40	OPT_BINARY, OPT_NOSIGS, OPT_STREAM, OPT_INDEF, OPT_NOINDEF,
41	OPT_CRLFEOL, OPT_ENGINE, OPT_PASSIN,
42	OPT_TO, OPT_FROM, OPT_SUBJECT, OPT_SIGNER, OPT_RECIP, OPT_MD,
43	OPT_CIPHER, OPT_INKEY, OPT_KEYFORM, OPT_CERTFILE, OPT_CAFILE,
44	OPT_CAPATH, OPT_CASTORE, OPT_NOCAFILE, OPT_NOCAPATH, OPT_NOCASTORE,
45	OPT_R_ENUM, OPT_PROV_ENUM, OPT_CONFIG,
46	OPT_V_ENUM,
47	OPT_IN, OPT_INFORM, OPT_OUT,
48	OPT_OUTFORM, OPT_CONTENT
49	} OPTION_CHOICE;
50
51	const OPTIONS smime_options[] = {
52	{OPT_HELP_STR, 1, '-', "Usage: %s [options] [cert...]\n"},
53
54	OPT_SECTION("General"),
55	{"help", OPT_HELP, '-', "Display this summary"},
56	{"in", OPT_IN, '<', "Input file"},
57	{"inform", OPT_INFORM, 'c', "Input format SMIME (default), PEM or DER"},
58	{"out", OPT_OUT, '>', "Output file"},
59	{"outform", OPT_OUTFORM, 'c',
60	"Output format SMIME (default), PEM or DER"},
61	{"inkey", OPT_INKEY, 's',
62	"Input private key (if not signer or recipient)"},
63	{"keyform", OPT_KEYFORM, 'f', "Input private key format (ENGINE, other values ignored)"},
64	#ifndef OPENSSL_NO_ENGINE
65	{"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
66	#endif
67	{"stream", OPT_STREAM, '-', "Enable CMS streaming" },
68	{"indef", OPT_INDEF, '-', "Same as -stream" },
69	{"noindef", OPT_NOINDEF, '-', "Disable CMS streaming"},
70	OPT_CONFIG_OPTION,
71
72	OPT_SECTION("Action"),
73	{"encrypt", OPT_ENCRYPT, '-', "Encrypt message"},
74	{"decrypt", OPT_DECRYPT, '-', "Decrypt encrypted message"},
75	{"sign", OPT_SIGN, '-', "Sign message"},
76	{"resign", OPT_RESIGN, '-', "Resign a signed message"},
77	{"verify", OPT_VERIFY, '-', "Verify signed message"},
78	{"pk7out", OPT_PK7OUT, '-', "Output PKCS#7 structure"},
79
80	OPT_SECTION("Signing/Encryption"),
81	{"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
82	{"md", OPT_MD, 's', "Digest algorithm to use when signing or resigning"},
83	{"", OPT_CIPHER, '-', "Any supported cipher"},
84	{"nointern", OPT_NOINTERN, '-',
85	"Don't search certificates in message for signer"},
86	{"nodetach", OPT_NODETACH, '-', "Use opaque signing"},
87	{"noattr", OPT_NOATTR, '-', "Don't include any signed attributes"},
88	{"binary", OPT_BINARY, '-', "Don't translate message to text"},
89	{"signer", OPT_SIGNER, 's', "Signer certificate file"},
90	{"content", OPT_CONTENT, '<',
91	"Supply or override content for detached signature"},
92	{"nocerts", OPT_NOCERTS, '-',
93	"Don't include signers certificate when signing"},
94
95	OPT_SECTION("Verification/Decryption"),
96	{"nosigs", OPT_NOSIGS, '-', "Don't verify message signature"},
97	{"noverify", OPT_NOVERIFY, '-', "Don't verify signers certificate"},
98
99	{"certfile", OPT_CERTFILE, '<', "Other certificates file"},
100	{"recip", OPT_RECIP, '<', "Recipient certificate file for decryption"},
101
102	OPT_SECTION("Email"),
103	{"to", OPT_TO, 's', "To address"},
104	{"from", OPT_FROM, 's', "From address"},
105	{"subject", OPT_SUBJECT, 's', "Subject"},
106	{"text", OPT_TEXT, '-', "Include or delete text MIME headers"},
107	{"nosmimecap", OPT_NOSMIMECAP, '-', "Omit the SMIMECapabilities attribute"},
108
109	OPT_SECTION("Certificate chain"),
110	{"CApath", OPT_CAPATH, '/', "Trusted certificates directory"},
111	{"CAfile", OPT_CAFILE, '<', "Trusted certificates file"},
112	{"CAstore", OPT_CASTORE, ':', "Trusted certificates store URI"},
113	{"no-CAfile", OPT_NOCAFILE, '-',
114	"Do not load the default certificates file"},
115	{"no-CApath", OPT_NOCAPATH, '-',
116	"Do not load certificates from the default certificates directory"},
117	{"no-CAstore", OPT_NOCASTORE, '-',
118	"Do not load certificates from the default certificates store"},
119	{"nochain", OPT_NOCHAIN, '-',
120	"set PKCS7_NOCHAIN so certificates contained in the message are not used as untrusted CAs" },
121	{"crlfeol", OPT_CRLFEOL, '-', "Use CRLF as EOL termination instead of LF only"},
122
123	OPT_R_OPTIONS,
124	OPT_V_OPTIONS,
125	OPT_PROV_OPTIONS,
126
127	OPT_PARAMETERS(),
128	{"cert", 0, 0, "Recipient certs, used when encrypting"},
129	{NULL}
130	};
131
132	static const char *operation_name(int operation)
133	{
134	switch (operation) {
135	case SMIME_ENCRYPT:
136	return "encrypt";
137	case SMIME_DECRYPT:
138	return "decrypt";
139	case SMIME_SIGN:
140	return "sign";
141	case SMIME_RESIGN:
142	return "resign";
143	case SMIME_VERIFY:
144	return "verify";
145	case SMIME_PK7OUT:
146	return "pk7out";
147	default:
148	return "(invalid operation)";
149	}
150	}
151
152	#define SET_OPERATION(op) \
153	((operation != 0 && (operation != (op))) \
154	? 0 * BIO_printf(bio_err, "%s: Cannot use -%s together with -%s\n", \
155	prog, operation_name(op), operation_name(operation)) \
156	: (operation = (op)))
157
158	int smime_main(int argc, char **argv)
159	{
160	CONF *conf = NULL;
161	BIO in = NULL, out = NULL, *indata = NULL;
162	EVP_PKEY *key = NULL;
163	PKCS7 *p7 = NULL;
164	STACK_OF(OPENSSL_STRING) sksigners = NULL, skkeys = NULL;
165	STACK_OF(X509) encerts = NULL, other = NULL;
166	X509 cert = NULL, recip = NULL, *signer = NULL;
167	X509_STORE *store = NULL;
168	X509_VERIFY_PARAM *vpm = NULL;
169	EVP_CIPHER *cipher = NULL;
170	EVP_MD *sign_md = NULL;
171	const char CAfile = NULL, CApath = NULL, CAstore = NULL, prog = NULL;
172	char certfile = NULL, keyfile = NULL, *contfile = NULL;
173	char infile = NULL, outfile = NULL, signerfile = NULL, recipfile = NULL;
174	char passinarg = NULL, passin = NULL, to = NULL, from = NULL;
175	char subject = NULL, digestname = NULL, *ciphername = NULL;
176	OPTION_CHOICE o;
177	int noCApath = 0, noCAfile = 0, noCAstore = 0;
178	int flags = PKCS7_DETACHED, operation = 0, ret = 0, indef = 0;
179	int informat = FORMAT_SMIME, outformat = FORMAT_SMIME, keyform =
180	FORMAT_UNDEF;
181	int vpmtouched = 0, rv = 0;
182	ENGINE *e = NULL;
183	const char *mime_eol = "\n";
184	OSSL_LIB_CTX *libctx = app_get0_libctx();
185
186	if ((vpm = X509_VERIFY_PARAM_new()) == NULL)
187	return 1;
188
189	opt_set_unknown_name("cipher");
190	prog = opt_init(argc, argv, smime_options);
191	while ((o = opt_next()) != OPT_EOF) {
192	switch (o) {
193	case OPT_EOF:
194	case OPT_ERR:
195	opthelp:
196	BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
197	goto end;
198	case OPT_HELP:
199	opt_help(smime_options);
200	ret = 0;
201	goto end;
202	case OPT_INFORM:
203	if (!opt_format(opt_arg(), OPT_FMT_PDS, &informat))
204	goto opthelp;
205	break;
206	case OPT_IN:
207	infile = opt_arg();
208	break;
209	case OPT_OUTFORM:
210	if (!opt_format(opt_arg(), OPT_FMT_PDS, &outformat))
211	goto opthelp;
212	break;
213	case OPT_OUT:
214	outfile = opt_arg();
215	break;
216	case OPT_ENCRYPT:
217	if (!SET_OPERATION(SMIME_ENCRYPT))
218	goto end;
219	break;
220	case OPT_DECRYPT:
221	if (!SET_OPERATION(SMIME_DECRYPT))
222	goto end;
223	break;
224	case OPT_SIGN:
225	if (!SET_OPERATION(SMIME_SIGN))
226	goto end;
227	break;
228	case OPT_RESIGN:
229	if (!SET_OPERATION(SMIME_RESIGN))
230	goto end;
231	break;
232	case OPT_VERIFY:
233	if (!SET_OPERATION(SMIME_VERIFY))
234	goto end;
235	break;
236	case OPT_PK7OUT:
237	if (!SET_OPERATION(SMIME_PK7OUT))
238	goto end;
239	break;
240	case OPT_TEXT:
241	flags \|= PKCS7_TEXT;
242	break;
243	case OPT_NOINTERN:
244	flags \|= PKCS7_NOINTERN;
245	break;
246	case OPT_NOVERIFY:
247	flags \|= PKCS7_NOVERIFY;
248	break;
249	case OPT_NOCHAIN:
250	flags \|= PKCS7_NOCHAIN;
251	break;
252	case OPT_NOCERTS:
253	flags \|= PKCS7_NOCERTS;
254	break;
255	case OPT_NOATTR:
256	flags \|= PKCS7_NOATTR;
257	break;
258	case OPT_NODETACH:
259	flags &= ~PKCS7_DETACHED;
260	break;
261	case OPT_NOSMIMECAP:
262	flags \|= PKCS7_NOSMIMECAP;
263	break;
264	case OPT_BINARY:
265	flags \|= PKCS7_BINARY;
266	break;
267	case OPT_NOSIGS:
268	flags \|= PKCS7_NOSIGS;
269	break;
270	case OPT_STREAM:
271	case OPT_INDEF:
272	indef = 1;
273	break;
274	case OPT_NOINDEF:
275	indef = 0;
276	break;
277	case OPT_CRLFEOL:
278	flags \|= PKCS7_CRLFEOL;
279	mime_eol = "\r\n";
280	break;
281	case OPT_R_CASES:
282	if (!opt_rand(o))
283	goto end;
284	break;
285	case OPT_PROV_CASES:
286	if (!opt_provider(o))
287	goto end;
288	break;
289	case OPT_CONFIG:
290	conf = app_load_config_modules(opt_arg());
291	if (conf == NULL)
292	goto end;
293	break;
294	case OPT_ENGINE:
295	e = setup_engine(opt_arg(), 0);
296	break;
297	case OPT_PASSIN:
298	passinarg = opt_arg();
299	break;
300	case OPT_TO:
301	to = opt_arg();
302	break;
303	case OPT_FROM:
304	from = opt_arg();
305	break;
306	case OPT_SUBJECT:
307	subject = opt_arg();
308	break;
309	case OPT_SIGNER:
310	/* If previous -signer argument add signer to list */
311	if (signerfile != NULL) {
312	if (sksigners == NULL
313	&& (sksigners = sk_OPENSSL_STRING_new_null()) == NULL)
314	goto end;
315	sk_OPENSSL_STRING_push(sksigners, signerfile);
316	if (keyfile == NULL)
317	keyfile = signerfile;
318	if (skkeys == NULL
319	&& (skkeys = sk_OPENSSL_STRING_new_null()) == NULL)
320	goto end;
321	sk_OPENSSL_STRING_push(skkeys, keyfile);
322	keyfile = NULL;
323	}
324	signerfile = opt_arg();
325	break;
326	case OPT_RECIP:
327	recipfile = opt_arg();
328	break;
329	case OPT_MD:
330	digestname = opt_arg();
331	break;
332	case OPT_CIPHER:
333	ciphername = opt_unknown();
334	break;
335	case OPT_INKEY:
336	/* If previous -inkey argument add signer to list */
337	if (keyfile != NULL) {
338	if (signerfile == NULL) {
339	BIO_printf(bio_err,
340	"%s: Must have -signer before -inkey\n", prog);
341	goto opthelp;
342	}
343	if (sksigners == NULL
344	&& (sksigners = sk_OPENSSL_STRING_new_null()) == NULL)
345	goto end;
346	sk_OPENSSL_STRING_push(sksigners, signerfile);
347	signerfile = NULL;
348	if (skkeys == NULL
349	&& (skkeys = sk_OPENSSL_STRING_new_null()) == NULL)
350	goto end;
351	sk_OPENSSL_STRING_push(skkeys, keyfile);
352	}
353	keyfile = opt_arg();
354	break;
355	case OPT_KEYFORM:
356	if (!opt_format(opt_arg(), OPT_FMT_ANY, &keyform))
357	goto opthelp;
358	break;
359	case OPT_CERTFILE:
360	certfile = opt_arg();
361	break;
362	case OPT_CAFILE:
363	CAfile = opt_arg();
364	break;
365	case OPT_CAPATH:
366	CApath = opt_arg();
367	break;
368	case OPT_CASTORE:
369	CAstore = opt_arg();
370	break;
371	case OPT_NOCAFILE:
372	noCAfile = 1;
373	break;
374	case OPT_NOCAPATH:
375	noCApath = 1;
376	break;
377	case OPT_NOCASTORE:
378	noCAstore = 1;
379	break;
380	case OPT_CONTENT:
381	contfile = opt_arg();
382	break;
383	case OPT_V_CASES:
384	if (!opt_verify(o, vpm))
385	goto opthelp;
386	vpmtouched++;
387	break;
388	}
389	}
390
391	/* Extra arguments are files with recipient keys. */
392	argc = opt_num_rest();
393	argv = opt_rest();
394
395	if (!app_RAND_load())
396	goto end;
397
398	if (digestname != NULL) {
399	if (!opt_md(digestname, &sign_md))
400	goto opthelp;
401	}
402	if (!opt_cipher_any(ciphername, &cipher))
403	goto opthelp;
404	if (!(operation & SMIME_SIGNERS) && (skkeys != NULL \|\| sksigners != NULL)) {
405	BIO_puts(bio_err, "Multiple signers or keys not allowed\n");
406	goto opthelp;
407	}
408	if (!operation) {
409	BIO_puts(bio_err,
410	"No operation (-encrypt\|-sign\|...) specified\n");
411	goto opthelp;
412	}
413
414	if (operation & SMIME_SIGNERS) {
415	/* Check to see if any final signer needs to be appended */
416	if (keyfile && !signerfile) {
417	BIO_puts(bio_err, "Illegal -inkey without -signer\n");
418	goto opthelp;
419	}
420	if (signerfile != NULL) {
421	if (sksigners == NULL
422	&& (sksigners = sk_OPENSSL_STRING_new_null()) == NULL)
423	goto end;
424	sk_OPENSSL_STRING_push(sksigners, signerfile);
425	if (!skkeys && (skkeys = sk_OPENSSL_STRING_new_null()) == NULL)
426	goto end;
427	if (!keyfile)
428	keyfile = signerfile;
429	sk_OPENSSL_STRING_push(skkeys, keyfile);
430	}
431	if (sksigners == NULL) {
432	BIO_printf(bio_err, "No signer certificate specified\n");
433	goto opthelp;
434	}
435	signerfile = NULL;
436	keyfile = NULL;
437	} else if (operation == SMIME_DECRYPT) {
438	if (recipfile == NULL && keyfile == NULL) {
439	BIO_printf(bio_err,
440	"No recipient certificate or key specified\n");
441	goto opthelp;
442	}
443	} else if (operation == SMIME_ENCRYPT) {
444	if (argc == 0) {
445	BIO_printf(bio_err, "No recipient(s) certificate(s) specified\n");
446	goto opthelp;
447	}
448	}
449
450	if (!app_passwd(passinarg, NULL, &passin, NULL)) {
451	BIO_printf(bio_err, "Error getting password\n");
452	goto end;
453	}
454
455	ret = 2;
456
457	if (!(operation & SMIME_SIGNERS))
458	flags &= ~PKCS7_DETACHED;
459
460	if (!(operation & SMIME_OP)) {
461	if (flags & PKCS7_BINARY)
462	outformat = FORMAT_BINARY;
463	}
464
465	if (!(operation & SMIME_IP)) {
466	if (flags & PKCS7_BINARY)
467	informat = FORMAT_BINARY;
468	}
469
470	if (operation == SMIME_ENCRYPT) {
471	if (cipher == NULL) {
472	#ifndef OPENSSL_NO_DES
473	cipher = (EVP_CIPHER *)EVP_des_ede3_cbc();
474	#else
475	BIO_printf(bio_err, "No cipher selected\n");
476	goto end;
477	#endif
478	}
479	encerts = sk_X509_new_null();
480	if (encerts == NULL)
481	goto end;
482	while (*argv != NULL) {
483	cert = load_cert(*argv, FORMAT_UNDEF,
484	"recipient certificate file");
485	if (cert == NULL)
486	goto end;
487	if (!sk_X509_push(encerts, cert))
488	goto end;
489	cert = NULL;
490	argv++;
491	}
492	}
493
494	if (certfile != NULL) {
495	if (!load_certs(certfile, 0, &other, NULL, "certificates")) {
496	ERR_print_errors(bio_err);
497	goto end;
498	}
499	}
500
501	if (recipfile != NULL && (operation == SMIME_DECRYPT)) {
502	if ((recip = load_cert(recipfile, FORMAT_UNDEF,
503	"recipient certificate file")) == NULL) {
504	ERR_print_errors(bio_err);
505	goto end;
506	}
507	}
508
509	if (operation == SMIME_DECRYPT) {
510	if (keyfile == NULL)
511	keyfile = recipfile;
512	} else if (operation == SMIME_SIGN) {
513	if (keyfile == NULL)
514	keyfile = signerfile;
515	} else {
516	keyfile = NULL;
517	}
518
519	if (keyfile != NULL) {
520	key = load_key(keyfile, keyform, 0, passin, e, "signing key");
521	if (key == NULL)
522	goto end;
523	}
524
525	in = bio_open_default(infile, 'r', informat);
526	if (in == NULL)
527	goto end;
528
529	if (operation & SMIME_IP) {
530	PKCS7 *p7_in = NULL;
531
532	p7 = PKCS7_new_ex(libctx, app_get0_propq());
533	if (p7 == NULL) {
534	BIO_printf(bio_err, "Error allocating PKCS7 object\n");
535	goto end;
536	}
537	if (informat == FORMAT_SMIME) {
538	p7_in = SMIME_read_PKCS7_ex(in, &indata, &p7);
539	} else if (informat == FORMAT_PEM) {
540	p7_in = PEM_read_bio_PKCS7(in, &p7, NULL, NULL);
541	} else if (informat == FORMAT_ASN1) {
542	p7_in = d2i_PKCS7_bio(in, &p7);
543	} else {
544	BIO_printf(bio_err, "Bad input format for PKCS#7 file\n");
545	goto end;
546	}
547
548	if (p7_in == NULL) {
549	BIO_printf(bio_err, "Error reading S/MIME message\n");
550	goto end;
551	}
552	if (contfile != NULL) {
553	BIO_free(indata);
554	if ((indata = BIO_new_file(contfile, "rb")) == NULL) {
555	BIO_printf(bio_err, "Can't read content file %s\n", contfile);
556	goto end;
557	}
558	}
559	}
560
561	out = bio_open_default(outfile, 'w', outformat);
562	if (out == NULL)
563	goto end;
564
565	if (operation == SMIME_VERIFY) {
566	if ((store = setup_verify(CAfile, noCAfile, CApath, noCApath,
567	CAstore, noCAstore)) == NULL)
568	goto end;
569	X509_STORE_set_verify_cb(store, smime_cb);
570	if (vpmtouched)
571	X509_STORE_set1_param(store, vpm);
572	}
573
574	ret = 3;
575
576	if (operation == SMIME_ENCRYPT) {
577	if (indef)
578	flags \|= PKCS7_STREAM;
579	p7 = PKCS7_encrypt_ex(encerts, in, cipher, flags, libctx, app_get0_propq());
580	} else if (operation & SMIME_SIGNERS) {
581	int i;
582	/*
583	* If detached data content we only enable streaming if S/MIME output
584	* format.
585	*/
586	if (operation == SMIME_SIGN) {
587	if (flags & PKCS7_DETACHED) {
588	if (outformat == FORMAT_SMIME)
589	flags \|= PKCS7_STREAM;
590	} else if (indef) {
591	flags \|= PKCS7_STREAM;
592	}
593	flags \|= PKCS7_PARTIAL;
594	p7 = PKCS7_sign_ex(NULL, NULL, other, in, flags, libctx, app_get0_propq());
595	if (p7 == NULL)
596	goto end;
597	if (flags & PKCS7_NOCERTS) {
598	for (i = 0; i < sk_X509_num(other); i++) {
599	X509 *x = sk_X509_value(other, i);
600	PKCS7_add_certificate(p7, x);
601	}
602	}
603	} else {
604	flags \|= PKCS7_REUSE_DIGEST;
605	}
606	for (i = 0; i < sk_OPENSSL_STRING_num(sksigners); i++) {
607	signerfile = sk_OPENSSL_STRING_value(sksigners, i);
608	keyfile = sk_OPENSSL_STRING_value(skkeys, i);
609	signer = load_cert(signerfile, FORMAT_UNDEF, "signer certificate");
610	if (signer == NULL)
611	goto end;
612	key = load_key(keyfile, keyform, 0, passin, e, "signing key");
613	if (key == NULL)
614	goto end;
615
616	if (!PKCS7_sign_add_signer(p7, signer, key, sign_md, flags))
617	goto end;
618	X509_free(signer);
619	signer = NULL;
620	EVP_PKEY_free(key);
621	key = NULL;
622	}
623	/* If not streaming or resigning finalize structure */
624	if ((operation == SMIME_SIGN) && !(flags & PKCS7_STREAM)) {
625	if (!PKCS7_final(p7, in, flags))
626	goto end;
627	}
628	}
629
630	if (p7 == NULL) {
631	BIO_printf(bio_err, "Error creating PKCS#7 structure\n");
632	goto end;
633	}
634
635	ret = 4;
636	if (operation == SMIME_DECRYPT) {
637	if (!PKCS7_decrypt(p7, key, recip, out, flags)) {
638	BIO_printf(bio_err, "Error decrypting PKCS#7 structure\n");
639	goto end;
640	}
641	} else if (operation == SMIME_VERIFY) {
642	STACK_OF(X509) *signers;
643	if (PKCS7_verify(p7, other, store, indata, out, flags))
644	BIO_printf(bio_err, "Verification successful\n");
645	else {
646	BIO_printf(bio_err, "Verification failure\n");
647	goto end;
648	}
649	signers = PKCS7_get0_signers(p7, other, flags);
650	if (!save_certs(signerfile, signers)) {
651	BIO_printf(bio_err, "Error writing signers to %s\n", signerfile);
652	ret = 5;
653	goto end;
654	}
655	sk_X509_free(signers);
656	} else if (operation == SMIME_PK7OUT) {
657	PEM_write_bio_PKCS7(out, p7);
658	} else {
659	if (to)
660	BIO_printf(out, "To: %s%s", to, mime_eol);
661	if (from)
662	BIO_printf(out, "From: %s%s", from, mime_eol);
663	if (subject)
664	BIO_printf(out, "Subject: %s%s", subject, mime_eol);
665	if (outformat == FORMAT_SMIME) {
666	if (operation == SMIME_RESIGN)
667	rv = SMIME_write_PKCS7(out, p7, indata, flags);
668	else
669	rv = SMIME_write_PKCS7(out, p7, in, flags);
670	} else if (outformat == FORMAT_PEM) {
671	rv = PEM_write_bio_PKCS7_stream(out, p7, in, flags);
672	} else if (outformat == FORMAT_ASN1) {
673	rv = i2d_PKCS7_bio_stream(out, p7, in, flags);
674	} else {
675	BIO_printf(bio_err, "Bad output format for PKCS#7 file\n");
676	goto end;
677	}
678	if (rv == 0) {
679	BIO_printf(bio_err, "Error writing output\n");
680	ret = 3;
681	goto end;
682	}
683	}
684	ret = 0;
685	end:
686	if (ret)
687	ERR_print_errors(bio_err);
688	OSSL_STACK_OF_X509_free(encerts);
689	OSSL_STACK_OF_X509_free(other);
690	X509_VERIFY_PARAM_free(vpm);
691	sk_OPENSSL_STRING_free(sksigners);
692	sk_OPENSSL_STRING_free(skkeys);
693	X509_STORE_free(store);
694	X509_free(cert);
695	X509_free(recip);
696	X509_free(signer);
697	EVP_PKEY_free(key);
698	EVP_MD_free(sign_md);
699	EVP_CIPHER_free(cipher);
700	PKCS7_free(p7);
701	release_engine(e);
702	BIO_free(in);
703	BIO_free(indata);
704	BIO_free_all(out);
705	OPENSSL_free(passin);
706	NCONF_free(conf);
707	return ret;
708	}
709
710	static int save_certs(char signerfile, STACK_OF(X509) signers)
711	{
712	int i;
713	BIO *tmp;
714
715	if (signerfile == NULL)
716	return 1;
717	tmp = BIO_new_file(signerfile, "w");
718	if (tmp == NULL)
719	return 0;
720	for (i = 0; i < sk_X509_num(signers); i++)
721	PEM_write_bio_X509(tmp, sk_X509_value(signers, i));
722	BIO_free(tmp);
723	return 1;
724	}
725
726	/* Minimal callback just to output policy info (if any) */
727
728	static int smime_cb(int ok, X509_STORE_CTX *ctx)
729	{
730	int error;
731
732	error = X509_STORE_CTX_get_error(ctx);
733
734	if ((error != X509_V_ERR_NO_EXPLICIT_POLICY)
735	&& ((error != X509_V_OK) \|\| (ok != 2)))
736	return ok;
737
738	policies_print(ctx);
739
740	return ok;
741	}

注意: 瀏覽 TracBrowser 來幫助您使用儲存庫瀏覽器

source: vbox/trunk/src/libs/openssl-3.3.2/apps/smime.c@ 108403

以其他格式下載: