diff options
| -rw-r--r-- | CHANGES | 8 | ||||
| -rw-r--r-- | STATUS | 5 | ||||
| -rw-r--r-- | apps/Makefile.ssl | 6 | ||||
| -rw-r--r-- | apps/progs.h | 2 | ||||
| -rw-r--r-- | apps/smime.c | 446 | ||||
| -rw-r--r-- | crypto/pkcs12/pk12err.c | 2 | ||||
| -rw-r--r-- | crypto/pkcs7/Makefile.ssl | 4 | ||||
| -rw-r--r-- | crypto/pkcs7/pk7_attr.c | 85 | ||||
| -rw-r--r-- | crypto/pkcs7/pk7_doit.c | 2 | ||||
| -rw-r--r-- | crypto/pkcs7/pk7_mime.c | 673 | ||||
| -rw-r--r-- | crypto/pkcs7/pk7_smime.c | 392 | ||||
| -rw-r--r-- | crypto/pkcs7/pkcs7.h | 75 | ||||
| -rw-r--r-- | crypto/pkcs7/pkcs7err.c | 35 |
13 files changed, 1726 insertions, 9 deletions
@@ -4,6 +4,14 @@ Changes between 0.9.4 and 0.9.5 [xx XXX 1999] + *) Merge in my S/MIME library for OpenSSL. This provides a simple + S/MIME API on top of the PKCS#7 code, a MIME parser (with enough + functionality to handle multipart/signed properly) and a utility + called 'smime' to call all this stuff. This is based on code I + originally wrote for Celo who have kindly allowed it to be + included in OpenSSL. + [Steve Henson] + *) Add variants des_set_key_checked and des_set_key_unchecked of des_set_key (aka des_key_sched). Global variable des_check_key decides which of these is called by des_set_key; this way @@ -1,6 +1,6 @@ OpenSSL STATUS Last modified at - ______________ $Date: 1999/11/11 13:58:22 $ + ______________ $Date: 1999/12/05 00:40:53 $ DEVELOPMENT STATE @@ -18,7 +18,6 @@ o shared libraries <behnke@trustcenter.de> o getenv in ca.c and x509_def.c (jaltman@watsun.cc.columbia.edu) o SMIME tool (demo), Sampo Kellomaki <sampo@iki.fi> - o OCSP patch, Massimiliano Pala (madwolf@openca.org) o CA.pl patch (Damien Miller) o FreeBSD 3.0 changes (Richard Levitte) @@ -27,7 +26,7 @@ o Steve is currently working on (in no particular order): Proper (or at least usable) certificate chain verification. Private key, certificate and CRL API and implementation. - Checking and bugfixing PKCS#7 (S/MIME code). + Developing and bugfixing PKCS#7 (S/MIME code). Various X509 issues: character sets, certificate request extensions. Documentation for the openssl utility. diff --git a/apps/Makefile.ssl b/apps/Makefile.ssl index 439f50dcb5..372358511a 100644 --- a/apps/Makefile.ssl +++ b/apps/Makefile.ssl @@ -38,7 +38,7 @@ E_EXE= verify asn1pars req dgst dh enc gendh errstr ca crl \ rsa dsa dsaparam \ x509 genrsa gendsa s_server s_client speed \ s_time version pkcs7 crl2pkcs7 sess_id ciphers nseq pkcs12 \ - pkcs8 spkac + pkcs8 spkac smime PROGS= $(PROGRAM).c @@ -54,7 +54,7 @@ E_OBJ= verify.o asn1pars.o req.o dgst.o dh.o enc.o gendh.o errstr.o ca.o \ rsa.o dsa.o dsaparam.o \ x509.o genrsa.o gendsa.o s_server.o s_client.o speed.o \ s_time.o $(A_OBJ) $(S_OBJ) $(RAND_OBJ) version.o sess_id.o \ - ciphers.o nseq.o pkcs12.o pkcs8.o spkac.o + ciphers.o nseq.o pkcs12.o pkcs8.o spkac.o smime.o # pem_mail.o @@ -63,7 +63,7 @@ E_SRC= verify.c asn1pars.c req.c dgst.c dh.c enc.c gendh.c errstr.c ca.c \ rsa.c dsa.c dsaparam.c \ x509.c genrsa.c gendsa.c s_server.c s_client.c speed.c \ s_time.c $(A_SRC) $(S_SRC) $(RAND_SRC) version.c sess_id.c \ - ciphers.c nseq.c pkcs12.c pkcs8.c spkac.c + ciphers.c nseq.c pkcs12.c pkcs8.c spkac.c smime.c # pem_mail.c diff --git a/apps/progs.h b/apps/progs.h index bd9e806bb7..e60df2a821 100644 --- a/apps/progs.h +++ b/apps/progs.h @@ -29,6 +29,7 @@ extern int nseq_main(int argc,char *argv[]); extern int pkcs12_main(int argc,char *argv[]); extern int pkcs8_main(int argc,char *argv[]); extern int spkac_main(int argc,char *argv[]); +extern int smime_main(int argc,char *argv[]); #ifdef SSLEAY_SRC /* Defined only in openssl.c. */ @@ -96,6 +97,7 @@ FUNCTION functions[] = { #endif {FUNC_TYPE_GENERAL,"pkcs8",pkcs8_main}, {FUNC_TYPE_GENERAL,"spkac",spkac_main}, + {FUNC_TYPE_GENERAL,"smime",smime_main}, {FUNC_TYPE_MD,"md2",dgst_main}, {FUNC_TYPE_MD,"md5",dgst_main}, {FUNC_TYPE_MD,"sha",dgst_main}, diff --git a/apps/smime.c b/apps/smime.c new file mode 100644 index 0000000000..75087ea68f --- /dev/null +++ b/apps/smime.c @@ -0,0 +1,446 @@ +/* smime.c */ +/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL + * project 1999. + */ +/* ==================================================================== + * Copyright (c) 1999 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * licensing@OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay@cryptsoft.com). This product includes software written by Tim + * Hudson (tjh@cryptsoft.com). + * + */ + +/* S/MIME utility function */ + +#include <stdio.h> +#include <string.h> +#include <openssl/pem.h> +#include <openssl/err.h> +#include "apps.h" + +#undef PROG +#define PROG smime_main +static X509 *load_cert(char *file); +static EVP_PKEY *load_key(char *file); +static STACK_OF(X509) *load_certs(char *file); +static X509_STORE *setup_verify(char *CAfile, char *CApath); + +#define SMIME_OP 0x10 +#define SMIME_ENCRYPT (1 | SMIME_OP) +#define SMIME_DECRYPT 2 +#define SMIME_SIGN (3 | SMIME_OP) +#define SMIME_VERIFY 4 +#define SMIME_PK7OUT 5 + +int MAIN(int argc, char **argv) +{ + int operation = 0; + int ret = 0; + char **args; + char *inmode = "r", *outmode = "w"; + char *infile = NULL, *outfile = NULL; + char *signerfile = NULL, *recipfile = NULL; + char *certfile = NULL, *keyfile = NULL; + EVP_CIPHER *cipher = NULL; + PKCS7 *p7 = NULL; + X509_STORE *store = NULL; + X509 *cert = NULL, *recip = NULL, *signer = NULL; + EVP_PKEY *key = NULL; + STACK_OF(X509) *encerts = NULL, *other = NULL; + BIO *in = NULL, *out = NULL, *indata = NULL; + int badarg = 0; + int flags = PKCS7_DETACHED; + char *to = NULL, *from = NULL, *subject = NULL; + char *CAfile = NULL, *CApath = NULL; + + args = argv + 1; + + ret = 1; + + while (!badarg && *args && *args[0] == '-') { + if (!strcmp (*args, "-encrypt")) operation = SMIME_ENCRYPT; + else if (!strcmp (*args, "-decrypt")) operation = SMIME_DECRYPT; + else if (!strcmp (*args, "-sign")) operation = SMIME_SIGN; + else if (!strcmp (*args, "-verify")) operation = SMIME_VERIFY; + else if (!strcmp (*args, "-pk7out")) operation = SMIME_PK7OUT; + else if (!strcmp (*args, "-des3")) + cipher = EVP_des_ede3_cbc(); + else if (!strcmp (*args, "-des")) + cipher = EVP_des_cbc(); + else if (!strcmp (*args, "-rc2-40")) + cipher = EVP_rc2_40_cbc(); + else if (!strcmp (*args, "-rc2-128")) + cipher = EVP_rc2_cbc(); + else if (!strcmp (*args, "-rc2-64")) + cipher = EVP_rc2_64_cbc(); + else if (!strcmp (*args, "-text")) + flags |= PKCS7_TEXT; + else if (!strcmp (*args, "-nointern")) + flags |= PKCS7_NOINTERN; + else if (!strcmp (*args, "-noverify")) + flags |= PKCS7_NOVERIFY; + else if (!strcmp (*args, "-nochain")) + flags |= PKCS7_NOCHAIN; + else if (!strcmp (*args, "-nocerts")) + flags |= PKCS7_NOCERTS; + else if (!strcmp (*args, "-noattr")) + flags |= PKCS7_NOATTR; + else if (!strcmp (*args, "-nodetach")) + flags &= ~PKCS7_DETACHED; + else if (!strcmp (*args, "-binary")) + flags |= PKCS7_BINARY; + else if (!strcmp (*args, "-to")) { + if (args[1]) { + args++; + to = *args; + } else badarg = 1; + } else if (!strcmp (*args, "-from")) { + if (args[1]) { + args++; + from = *args; + } else badarg = 1; + } else if (!strcmp (*args, "-subject")) { + if (args[1]) { + args++; + subject = *args; + } else badarg = 1; + } else if (!strcmp (*args, "-signer")) { + if (args[1]) { + args++; + signerfile = *args; + } else badarg = 1; + } else if (!strcmp (*args, "-recip")) { + if (args[1]) { + args++; + recipfile = *args; + } else badarg = 1; + } else if (!strcmp (*args, "-inkey")) { + if (args[1]) { + args++; + keyfile = *args; + } else badarg = 1; + } else if (!strcmp (*args, "-certfile")) { + if (args[1]) { + args++; + certfile = *args; + } else badarg = 1; + } else if (!strcmp (*args, "-CAfile")) { + if (args[1]) { + args++; + CAfile = *args; + } else badarg = 1; + } else if (!strcmp (*args, "-CApath")) { + if (args[1]) { + args++; + CApath = *args; + } else badarg = 1; + } else if (!strcmp (*args, "-in")) { + if (args[1]) { + args++; + infile = *args; + } else badarg = 1; + } else if (!strcmp (*args, "-out")) { + if (args[1]) { + args++; + outfile = *args; + } else badarg = 1; + } else badarg = 1; + args++; + } + + if(operation == SMIME_SIGN) { + if(!signerfile) { + BIO_printf(bio_err, "No signer certificate specified\n"); + badarg = 1; + } + } else if(operation == SMIME_DECRYPT) { + if(!recipfile) { + BIO_printf(bio_err, "No recipient certificate and key specified\n"); + badarg = 1; + } + } else if(operation == SMIME_ENCRYPT) { + if(!*args) { + BIO_printf(bio_err, "No recipient(s) certificate(s) specified\n"); + badarg = 1; + } + } else if(!operation) badarg = 1; + + if (badarg) { + BIO_printf (bio_err, "Usage smime [options] cert.pem ...\n"); + BIO_printf (bio_err, "where options are\n"); + BIO_printf (bio_err, "-encrypt encrypt message\n"); + BIO_printf (bio_err, "-decrypt decrypt encrypted message\n"); + BIO_printf (bio_err, "-sign sign message\n"); + BIO_printf (bio_err, "-verify verify signed message\n"); + BIO_printf (bio_err, "-pk7out output PKCS#7 structure\n"); + BIO_printf (bio_err, "-des3 encrypt with triple DES\n"); + BIO_printf (bio_err, "-rc2-40 encrypt with RC2-40\n"); + BIO_printf (bio_err, "-rc2-64 encrypt with RC2-64\n"); + BIO_printf (bio_err, "-rc2-128 encrypt with RC2-128\n"); + BIO_printf (bio_err, "-in file input file\n"); + BIO_printf (bio_err, "-certfile file other certificates file\n"); + BIO_printf (bio_err, "-signer file signer certificate file\n"); + BIO_printf (bio_err, "-recip file recipient certificate file\n"); + BIO_printf (bio_err, "-in file input file\n"); + BIO_printf (bio_err, "-inkey file input private key (if not signer or recipient)\n"); + BIO_printf (bio_err, "-out file output file\n"); + BIO_printf (bio_err, "-to addr to address\n"); + BIO_printf (bio_err, "-from ad from address\n"); + BIO_printf (bio_err, "-subject s subject\n"); + BIO_printf (bio_err, "-text include or delete text MIME headers\n"); + BIO_printf (bio_err, "cert.pem recipient certificate(s)\n"); + goto end; + } + + ret = 2; + + if(operation != SMIME_SIGN) flags &= ~PKCS7_DETACHED; + + if(flags & PKCS7_BINARY) { + if(operation & SMIME_OP) inmode = "rb"; + else outmode = "rb"; + } + + if(operation == SMIME_ENCRYPT) { + if (!cipher) cipher = EVP_rc2_40_cbc(); + while (*args) { + encerts = sk_X509_new_null(); + if(!(cert = load_cert(*args))) { + BIO_printf(bio_err, "Can't read recipent certificate file %s\n", *args); + goto end; + } + sk_X509_push (encerts, cert); + cert = NULL; + args++; + } + } + + if(signerfile) { + if(!(signer = load_cert(signerfile))) { + BIO_printf(bio_err, "Can't read signer certificate file %s\n", signerfile); + goto end; + } + } + + if(certfile) { + if(!(other = load_certs(certfile))) { + BIO_printf(bio_err, "Can't read certificate file %s\n", certfile); + ERR_print_errors(bio_err); + goto end; + } + } + + if(recipfile) { + if(!(recip = load_cert(recipfile))) { + BIO_printf(bio_err, "Can't read recipient certificate file %s\n", recipfile); + ERR_print_errors(bio_err); + goto end; + } + } + + if(operation == SMIME_DECRYPT) { + if(!keyfile) keyfile = recipfile; + } else if(operation == SMIME_SIGN) { + if(!keyfile) keyfile = signerfile; + } else keyfile = NULL; + + if(keyfile) { + if(!(key = load_key(keyfile))) { + BIO_printf(bio_err, "Can't read recipient certificate file %s\n", keyfile); + ERR_print_errors(bio_err); + goto end; + } + } + + if (infile) { + if (!(in = BIO_new_file(infile, inmode))) { + BIO_printf (bio_err, + "Can't open input file %s\n", infile); + goto end; + } + } else in = BIO_new_fp(stdin, BIO_NOCLOSE); + + if (outfile) { + if (!(out = BIO_new_file(outfile, outmode))) { + BIO_printf (bio_err, + "Can't open output file %s\n", outfile); + goto end; + } + } else out = BIO_new_fp(stdout, BIO_NOCLOSE); + + if(operation == SMIME_VERIFY) + if(!(store = setup_verify(CAfile, CApath))) goto end; + + ret = 3; + if(operation == SMIME_ENCRYPT) { + p7 = PKCS7_encrypt(encerts, in, cipher, flags); + } else if(operation == SMIME_SIGN) { + p7 = PKCS7_sign(signer, key, other, in, flags); + BIO_reset(in); + } else { + if(!(p7 = SMIME_read_PKCS7(in, &indata))) { + BIO_printf(bio_err, "Error reading S/MIME message\n"); + ret = 4; + goto end; + } + } + + if(!p7) { + BIO_printf(bio_err, "Error creating PKCS#7 structure\n"); + goto end; + } + + if(operation == SMIME_DECRYPT) { + if(!PKCS7_decrypt(p7, key, recip, out, flags)) + BIO_printf(bio_err, "Error decrypting PKCS#7 structure\n"); + else ret = 0; + } else if(operation == SMIME_VERIFY) { + if(PKCS7_verify(p7, other, store, indata, out, flags)) { + BIO_printf(bio_err, "Verification Successful\n"); + ret = 0; + } else { + BIO_printf(bio_err, "Verification Failure\n"); + ret = 5; + } + } else if(operation == SMIME_PK7OUT) { + PEM_write_bio_PKCS7(out, p7); + } else { + if(to) BIO_printf(out, "To: %s\n", to); + if(from) BIO_printf(out, "From: %s\n", from); + if(subject) BIO_printf(out, "Subject: %s\n", subject); + SMIME_write_PKCS7(out, p7, in, flags); + } +end: + if(ret) ERR_print_errors(bio_err); + sk_X509_pop_free(encerts, X509_free); + sk_X509_pop_free(other, X509_free); + X509_STORE_free(store); + X509_free(cert); + X509_free(recip); + X509_free(signer); + EVP_PKEY_free(key); + PKCS7_free(p7); + BIO_free(in); + BIO_free(indata); + BIO_free(out); + return (ret); +} + +static X509 *load_cert(char *file) +{ + BIO *in; + X509 *cert; + if(!(in = BIO_new_file(file, "r"))) return NULL; + cert = PEM_read_bio_X509(in, NULL, NULL,NULL); + BIO_free(in); + return cert; +} + +static EVP_PKEY *load_key(char *file) +{ + BIO *in; + EVP_PKEY *key; + if(!(in = BIO_new_file(file, "r"))) return NULL; + key = PEM_read_bio_PrivateKey(in, NULL, NULL,NULL); + BIO_free(in); + return key; +} + +static STACK_OF(X509) *load_certs(char *file) +{ + BIO *in; + int i; + STACK_OF(X509) *othercerts; + STACK_OF(X509_INFO) *allcerts; + X509_INFO *xi; + if(!(in = BIO_new_file(file, "r"))) return NULL; + othercerts = sk_X509_new(NULL); + if(!othercerts) return NULL; + allcerts = PEM_X509_INFO_read_bio(in, NULL, NULL, NULL); + for(i = 0; i < sk_X509_INFO_num(allcerts); i++) { + xi = sk_X509_INFO_value (allcerts, i); + if (xi->x509) { + sk_X509_push(othercerts, xi->x509); + xi->x509 = NULL; + } + } + sk_X509_INFO_pop_free(allcerts, X509_INFO_free); + BIO_free(in); + return othercerts; +} + +static X509_STORE *setup_verify(char *CAfile, char *CApath) +{ + X509_STORE *store; + X509_LOOKUP *lookup; + if(!(store = X509_STORE_new())) goto end; + lookup=X509_STORE_add_lookup(store,X509_LOOKUP_file()); + if (lookup == NULL) goto end; + if (CAfile) { + if(!X509_LOOKUP_load_file(lookup,CAfile,X509_FILETYPE_PEM)) { + BIO_printf(bio_err, "Error loading file %s\n", CAfile); + goto end; + } + } else X509_LOOKUP_load_file(lookup,NULL,X509_FILETYPE_DEFAULT); + + lookup=X509_STORE_add_lookup(store,X509_LOOKUP_hash_dir()); + if (lookup == NULL) goto end; + if (CApath) { + if(!X509_LOOKUP_add_dir(lookup,CApath,X509_FILETYPE_PEM)) { + BIO_printf(bio_err, "Error loading directory %s\n", CApath); + goto end; + } + } else X509_LOOKUP_add_dir(lookup,NULL,X509_FILETYPE_DEFAULT); + + ERR_clear_error(); + return store; + end: + X509_STORE_free(store); + return NULL; +} diff --git a/crypto/pkcs12/pk12err.c b/crypto/pkcs12/pk12err.c index 00140a4779..9d8de10e1e 100644 --- a/crypto/pkcs12/pk12err.c +++ b/crypto/pkcs12/pk12err.c @@ -79,7 +79,7 @@ static ERR_STRING_DATA PKCS12_str_functs[]= {ERR_PACK(0,PKCS12_F_PKCS12_KEY_GEN_UNI,0), "PKCS12_key_gen_uni"}, {ERR_PACK(0,PKCS12_F_PKCS12_MAKE_KEYBAG,0), "PKCS12_MAKE_KEYBAG"}, {ERR_PACK(0,PKCS12_F_PKCS12_MAKE_SHKEYBAG,0), "PKCS12_MAKE_SHKEYBAG"}, -{ERR_PACK(0,PKCS12_F_PKCS12_NEWPASS,0), "PKCS12_NEWPASS"}, +{ERR_PACK(0,PKCS12_F_PKCS12_NEWPASS,0), "PKCS12_newpass"}, {ERR_PACK(0,PKCS12_F_PKCS12_PACK_P7DATA,0), "PKCS12_pack_p7data"}, {ERR_PACK(0,PKCS12_F_PKCS12_PACK_P7ENCDATA,0), "PKCS12_pack_p7encdata"}, {ERR_PACK(0,PKCS12_F_PKCS12_PACK_SAFEBAG,0), "PKCS12_pack_safebag"}, diff --git a/crypto/pkcs7/Makefile.ssl b/crypto/pkcs7/Makefile.ssl index ea60491529..b57c68fd36 100644 --- a/crypto/pkcs7/Makefile.ssl +++ b/crypto/pkcs7/Makefile.ssl @@ -25,8 +25,8 @@ TEST= APPS= LIB=$(TOP)/libcrypto.a -LIBSRC= pk7_lib.c pkcs7err.c pk7_doit.c -LIBOBJ= pk7_lib.o pkcs7err.o pk7_doit.o +LIBSRC= pk7_lib.c pkcs7err.c pk7_doit.c pk7_smime.c pk7_attr.c pk7_mime.c +LIBOBJ= pk7_lib.o pkcs7err.o pk7_doit.o pk7_smime.o pk7_attr.o pk7_mime.o SRC= $(LIBSRC) diff --git a/crypto/pkcs7/pk7_attr.c b/crypto/pkcs7/pk7_attr.c new file mode 100644 index 0000000000..3b9c0fe3f2 --- /dev/null +++ b/crypto/pkcs7/pk7_attr.c @@ -0,0 +1,85 @@ +/* pk7_attr.c */ +/* S/MIME code. + * Copyright (C) 1997-8 Dr S N Henson (shenson@bigfoot.com) + * All Rights Reserved. + * Redistribution of this code without the authors permission is expressly + * prohibited. + */ + +#include <stdio.h> +#include <stdlib.h> +#include <openssl/bio.h> +#include <openssl/asn1.h> +#include <openssl/pem.h> +#include <openssl/pkcs7.h> +#include <openssl/err.h> + +int PKCS7_add_attrib_smimecap(PKCS7_SIGNER_INFO *si, STACK *cap) +{ + ASN1_STRING *seq; + unsigned char *p, *pp; + int len; + len=i2d_ASN1_SET(cap,NULL,i2d_X509_ALGOR, V_ASN1_SEQUENCE, + V_ASN1_UNIVERSAL, IS_SEQUENCE); + if(!(pp=(unsigned char *)Malloc(len))) { + PKCS7err(PKCS7_F_PKCS7_ADD_ATTRIB_SMIMECAP,ERR_R_MALLOC_FAILURE); + return 0; + } + p=pp; + i2d_ASN1_SET(cap,&p,i2d_X509_ALGOR, V_ASN1_SEQUENCE, + V_ASN1_UNIVERSAL, IS_SEQUENCE); + if(!(seq = ASN1_STRING_new())) { + PKCS7err(PKCS7_F_PKCS7_ADD_ATTRIB_SMIMECAP,ERR_R_MALLOC_FAILURE); + return 0; + } + if(!ASN1_STRING_set (seq, pp, len)) { + PKCS7err(PKCS7_F_PKCS7_ADD_ATTRIB_SMIMECAP,ERR_R_MALLOC_FAILURE); + return 0; + } + Free (pp); + return PKCS7_add_signed_attribute(si, NID_SMIMECapabilities, + V_ASN1_SEQUENCE, seq); +} + +STACK *PKCS7_get_smimecap(PKCS7_SIGNER_INFO *si) +{ + ASN1_TYPE *cap; + unsigned char *p; + cap = PKCS7_get_signed_attribute(si, NID_SMIMECapabilities); + if (!cap) return NULL; + p = cap->value.sequence->data; + return d2i_ASN1_SET (NULL, &p, cap->value.sequence->length, + (char *(*)())d2i_X509_ALGOR, X509_ALGOR_free, V_ASN1_SEQUENCE, + V_ASN1_UNIVERSAL); +} + +/* Basic smime-capabilities OID and optional integer arg */ +int PKCS7_simple_smimecap(STACK *sk, int nid, int arg) +{ + X509_ALGOR *alg; + if(!(alg = X509_ALGOR_new())) { + PKCS7err(PKCS7_F_PKCS7_SIMPLE_SMIMECAP,ERR_R_MALLOC_FAILURE); + return 0; + } + ASN1_OBJECT_free(alg->algorithm); + alg->algorithm = OBJ_nid2obj (nid); + if (arg > 0) { + ASN1_INTEGER *nbit; + if(!(alg->parameter = ASN1_TYPE_new())) { + PKCS7err(PKCS7_F_PKCS7_SIMPLE_SMIMECAP,ERR_R_MALLOC_FAILURE); + return 0; + } + if(!(nbit = ASN1_INTEGER_new())) { + PKCS7err(PKCS7_F_PKCS7_SIMPLE_SMIMECAP,ERR_R_MALLOC_FAILURE); + return 0; + } + if(!ASN1_INTEGER_set (nbit, arg)) { + PKCS7err(PKCS7_F_PKCS7_SIMPLE_SMIMECAP,ERR_R_MALLOC_FAILURE); + return 0; + } + alg->parameter->value.integer = nbit; + alg->parameter->type = V_ASN1_INTEGER; + } + sk_push (sk, (char *)alg); + return 1; +} diff --git a/crypto/pkcs7/pk7_doit.c b/crypto/pkcs7/pk7_doit.c index 7feb01230e..acc9cc4a47 100644 --- a/crypto/pkcs7/pk7_doit.c +++ b/crypto/pkcs7/pk7_doit.c @@ -61,6 +61,7 @@ #include <openssl/rand.h> #include <openssl/objects.h> #include <openssl/x509.h> +#include <openssl/x509v3.h> static int add_attribute(STACK_OF(X509_ATTRIBUTE) **sk, int nid, int atrtype, void *value); @@ -680,6 +681,7 @@ int PKCS7_dataVerify(X509_STORE *cert_store, X509_STORE_CTX *ctx, BIO *bio, /* Lets verify */ X509_STORE_CTX_init(ctx,cert_store,x509,cert); + X509_STORE_CTX_set_purpose(ctx, X509_PURPOSE_SMIME_SIGN); i=X509_verify_cert(ctx); if (i <= 0) { diff --git a/crypto/pkcs7/pk7_mime.c b/crypto/pkcs7/pk7_mime.c new file mode 100644 index 0000000000..f346259b92 --- /dev/null +++ b/crypto/pkcs7/pk7_mime.c @@ -0,0 +1,673 @@ +/* pk7_mime.c */ +/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL + * project 1999. + */ +/* ==================================================================== + * Copyright (c) 1999 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * licensing@OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay@cryptsoft.com). This product includes software written by Tim + * Hudson (tjh@cryptsoft.com). + * + */ + +#include <stdio.h> +#include <ctype.h> +#include "cryptlib.h" +#include <openssl/rand.h> +#include <openssl/x509.h> + +/* MIME and related routines */ + +/* MIME format structures + * Note that all are translated to lower case apart from + * parameter values. Quotes are stripped off + */ + +typedef struct { +char *name; /* Name of line e.g. "content-type" */ +char *value; /* Value of line e.g. "text/plain" */ +STACK /* MIME_PARAM */ *params; /* Zero or more parameters */ +} MIME_HEADER; + +typedef struct { +char *param_name; /* Param name e.g. "micalg" */ +char *param_value; /* Param value e.g. "sha1" */ +} MIME_PARAM; + + +static int B64_write_PKCS7(BIO *bio, PKCS7 *p7); +static PKCS7 *B64_read_PKCS7(BIO *bio); +static char * strip_ends(char *name); +static char * strip_start(char *name); +static char * strip_end(char *name); +static MIME_HEADER *mime_hdr_new(char *name, char *value); +static int mime_hdr_addparam(MIME_HEADER *mhdr, char *name, char *value); +static STACK *mime_parse_hdr(BIO *bio); +static int mime_hdr_cmp(MIME_HEADER **a, MIME_HEADER **b); +static int mime_param_cmp(MIME_PARAM **a, MIME_PARAM **b); +static void mime_param_free(MIME_PARAM *param); +static int mime_bound_check(char *line, int linelen, char *bound, int blen); +static int multi_split(BIO *bio, char *bound, STACK **ret); +static int iscrlf(char c); +static MIME_HEADER *mime_hdr_find(STACK *hdrs, char *name); +static MIME_PARAM *mime_param_find(MIME_HEADER *hdr, char *name); +static void mime_hdr_free(MIME_HEADER *hdr); + +#define MAX_SMLEN 1024 +#define mime_debug(x) /* x */ + + +typedef void (*stkfree)(); + +/* Base 64 read and write of PKCS#7 structure */ + +static int B64_write_PKCS7(BIO *bio, PKCS7 *p7) +{ + BIO *b64; + if(!(b64 = BIO_new(BIO_f_base64()))) { + PKCS7err(PKCS7_F_B64_WRITE_PKCS7,ERR_R_MALLOC_FAILURE); + return 0; + } + bio = BIO_push(b64, bio); + i2d_PKCS7_bio(bio, p7); + BIO_flush(bio); + bio = BIO_pop(bio); + BIO_free(b64); + return 1; +} + +static PKCS7 *B64_read_PKCS7(BIO *bio) +{ + BIO *b64; + PKCS7 *p7; + if(!(b64 = BIO_new(BIO_f_base64()))) { + PKCS7err(PKCS7_F_B64_READ_PKCS7,ERR_R_MALLOC_FAILURE); + return 0; + } + bio = BIO_push(b64, bio); + if(!(p7 = d2i_PKCS7_bio(bio, NULL))) + PKCS7err(PKCS7_F_B64_READ_PKCS7,PKCS7_R_DECODE_ERROR); + BIO_flush(bio); + bio = BIO_pop(bio); + BIO_free(b64); + return p7; +} + +/* SMIME sender */ + +int SMIME_write_PKCS7(BIO *bio, PKCS7 *p7, BIO *data, int flags) +{ + char linebuf[MAX_SMLEN]; + char bound[33], c; + int i; + if((flags & PKCS7_DETACHED) && data) { + /* We want multipart/signed */ + /* Generate a random boundary */ + RAND_bytes((unsigned char *)bound, 32); + for(i = 0; i < 32; i++) { + c = bound[i] & 0xf; + if(c < 10) c += '0'; + else c += 'A' - 10; + bound[i] = c; + } + bound[32] = 0; + BIO_printf(bio, "MIME-Version: 1.0\n"); + BIO_printf(bio, "Content-Type: multipart/signed ; "); + BIO_printf(bio, "protocol=\"application/x-pkcs7-signature\" ; "); + BIO_printf(bio, "micalg=sha1 ; boundary=\"----%s\"\n\n", bound); + BIO_printf(bio, "This is an S/MIME signed message\n\n"); + /* Now write out the first part */ + BIO_printf(bio, "------%s\r\n", bound); + if(flags & PKCS7_TEXT) BIO_printf(bio, "Content-Type: text/plain\n\n"); + while((i = BIO_read(data, linebuf, MAX_SMLEN)) > 0) + BIO_write(bio, linebuf, i); + BIO_printf(bio, "\n------%s\n", bound); + + /* Headers for signature */ + + BIO_printf(bio, "Content-Type: application/x-pkcs7-signature; name=\"smime.p7s\"\n"); + BIO_printf(bio, "Content-Transfer-Encoding: base64\n"); + BIO_printf(bio, "Content-Disposition: attachment; filename=\"smime.p7s\"\n\n"); + B64_write_PKCS7(bio, p7); + BIO_printf(bio,"\n------%s--\n\n", bound); + return 1; + } + /* MIME headers */ + BIO_printf(bio, "MIME-Version: 1.0\n"); + BIO_printf(bio, "Content-Disposition: attachment; filename=\"smime.p7m\"\n"); + BIO_printf(bio, "Content-Type: application/x-pkcs7-mime; name=\"smime.p7m\"\n"); + BIO_printf(bio, "Content-Transfer-Encoding: base64\n\n"); + B64_write_PKCS7(bio, p7); + BIO_printf(bio, "\n"); + return 1; +} + +/* SMIME reader: handle multipart/signed and opaque signing. + * in multipart case the content is placed in a memory BIO + * pointed to by "bcont". In opaque this is set to NULL + */ + +PKCS7 *SMIME_read_PKCS7(BIO *bio, BIO **bcont) +{ + BIO *p7in; + STACK *headers = NULL; + STACK *parts = NULL; + MIME_HEADER *hdr; + MIME_PARAM *prm; + PKCS7 *p7; + int ret; + + if(bcont) *bcont = NULL; + + if (!(headers = mime_parse_hdr(bio))) { + PKCS7err(PKCS7_F_SMIME_READ_PKCS7,PKCS7_R_MIME_PARSE_ERROR); + return NULL; + } + + if(!(hdr = mime_hdr_find(headers, "content-type")) || !hdr->value) { + sk_pop_free(headers, mime_hdr_free); + PKCS7err(PKCS7_F_SMIME_READ_PKCS7, PKCS7_R_NO_CONTENT_TYPE); + return NULL; + } + + /* Handle multipart/signed */ + + if(!strcmp(hdr->value, "multipart/signed")) { + /* Split into two parts */ + prm = mime_param_find(hdr, "boundary"); + if(!prm || !prm->param_value) { + sk_pop_free(headers, mime_hdr_free); + PKCS7err(PKCS7_F_SMIME_READ_PKCS7, PKCS7_R_NO_MULTIPART_BOUNDARY); + return NULL; + } + ret = multi_split(bio, prm->param_value, &parts); + sk_pop_free(headers, mime_hdr_free); + if(!ret || (sk_num(parts) != 2) ) { + PKCS7err(PKCS7_F_SMIME_READ_PKCS7, PKCS7_R_NO_MULTIPART_ |