From f5e2354c9d46c3abbc0afcab704ea4fb051d3c76 Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Wed, 26 Mar 2008 17:40:22 +0000 Subject: Add support for signed receipt request printout and generation. --- apps/cms.c | 138 ++++++++++++++++++++++++++++++++++++++++++++++++--- crypto/cms/cms.h | 12 ++++- crypto/cms/cms_env.c | 3 -- crypto/cms/cms_err.c | 3 +- crypto/cms/cms_ess.c | 49 ++++++++++-------- 5 files changed, 171 insertions(+), 34 deletions(-) diff --git a/apps/cms.c b/apps/cms.c index eb1dc3e9d9..7a637786d2 100644 --- a/apps/cms.c +++ b/apps/cms.c @@ -71,6 +71,8 @@ static int save_certs(char *signerfile, STACK_OF(X509) *signers); static int smime_cb(int ok, X509_STORE_CTX *ctx); static void receipt_request_print(BIO *out, CMS_ContentInfo *cms); +static CMS_ReceiptRequest *make_receipt_request(STACK *rr_to, int rr_allorfirst, + STACK *rr_from); #define SMIME_OP 0x10 #define SMIME_IP 0x20 @@ -112,7 +114,9 @@ int MAIN(int argc, char **argv) BIO *in = NULL, *out = NULL, *indata = NULL; int badarg = 0; int flags = CMS_DETACHED, noout = 0, print = 0; - int rr_print = 0; + int rr_print = 0, rr_allorfirst = -1; + STACK *rr_to = NULL, *rr_from = NULL; + CMS_ReceiptRequest *rr = NULL; char *to = NULL, *from = NULL, *subject = NULL; char *CAfile = NULL, *CApath = NULL; char *passargin = NULL, *passin = NULL; @@ -248,6 +252,28 @@ int MAIN(int argc, char **argv) noout = 1; else if (!strcmp (*args, "-receipt_request_print")) rr_print = 1; + else if (!strcmp (*args, "-receipt_request_all")) + rr_allorfirst = 0; + else if (!strcmp (*args, "-receipt_request_first")) + rr_allorfirst = 1; + else if (!strcmp(*args,"-receipt_request_from")) + { + if (!args[1]) + goto argerr; + args++; + if (!rr_from) + rr_from = sk_new_null(); + sk_push(rr_from, *args); + } + else if (!strcmp(*args,"-receipt_request_to")) + { + if (!args[1]) + goto argerr; + args++; + if (!rr_to) + rr_to = sk_new_null(); + sk_push(rr_to, *args); + } else if (!strcmp (*args, "-print")) { noout = 1; @@ -454,6 +480,17 @@ int MAIN(int argc, char **argv) args++; } + if (((rr_allorfirst != -1) || rr_from) && !rr_to) + { + BIO_puts(bio_err, "No Signed Receipts Recipients\n"); + goto argerr; + } + + if (!(operation & SMIME_SIGNERS) && (rr_to || rr_from)) + { + BIO_puts(bio_err, "Signed receipts only allowed with -sign\n"); + goto argerr; + } if (!(operation & SMIME_SIGNERS) && (skkeys || sksigners)) { BIO_puts(bio_err, "Multiple signers or keys not allowed\n"); @@ -462,12 +499,12 @@ int MAIN(int argc, char **argv) if (operation & SMIME_SIGNERS) { - /* Check to see if any final signer needs to be appended */ if (keyfile && !signerfile) { BIO_puts(bio_err, "Illegal -inkey without -signer\n"); goto argerr; } + /* Check to see if any final signer needs to be appended */ if (signerfile) { if (!sksigners) @@ -810,27 +847,41 @@ int MAIN(int argc, char **argv) else if (operation & SMIME_SIGNERS) { int i; - /* If detached data content we only enable streaming if + /* If detached data content we enable streaming if * S/MIME output format. */ if (operation == SMIME_SIGN) { + if (flags & CMS_DETACHED) { - if (outformat != FORMAT_SMIME) - flags &= ~CMS_STREAM; + if (outformat == FORMAT_SMIME) + flags |= CMS_STREAM; } flags |= CMS_PARTIAL; cms = CMS_sign(NULL, NULL, other, in, flags); - if (econtent_type) - CMS_set1_eContentType(cms, econtent_type); if (!cms) goto end; + if (econtent_type) + CMS_set1_eContentType(cms, econtent_type); + + if (rr_to) + { + rr = make_receipt_request(rr_to, rr_allorfirst, + rr_from); + if (!rr) + { + BIO_puts(bio_err, + "Signed Receipt Request Creation Error\n"); + goto end; + } + } } else flags |= CMS_REUSE_DIGEST; for (i = 0; i < sk_num(sksigners); i++) { + CMS_SignerInfo *si; signerfile = sk_value(sksigners, i); keyfile = sk_value(skkeys, i); signer = load_cert(bio_err, signerfile,FORMAT_PEM, NULL, @@ -841,7 +892,10 @@ int MAIN(int argc, char **argv) "signing key file"); if (!key) goto end; - if (!CMS_add1_signer(cms, signer, key, sign_md, flags)) + si = CMS_add1_signer(cms, signer, key, sign_md, flags); + if (!si) + goto end; + if (rr && !CMS_add1_ReceiptRequest(si, rr)) goto end; X509_free(signer); signer = NULL; @@ -1002,6 +1056,12 @@ end: OPENSSL_free(secret_keyid); if (econtent_type) ASN1_OBJECT_free(econtent_type); + if (rr) + CMS_ReceiptRequest_free(rr); + if (rr_to) + sk_free(rr_to); + if (rr_from) + sk_free(rr_from); X509_STORE_free(store); X509_free(cert); X509_free(recip); @@ -1119,4 +1179,66 @@ static void receipt_request_print(BIO *out, CMS_ContentInfo *cms) } } +static STACK_OF(GENERAL_NAMES) *make_names_stack(STACK *ns) + { + int i; + STACK_OF(GENERAL_NAMES) *ret; + GENERAL_NAMES *gens = NULL; + GENERAL_NAME *gen = NULL; + ret = sk_GENERAL_NAMES_new_null(); + if (!ret) + goto err; + for (i = 0; i < sk_num(ns); i++) + { + char *str = sk_value(ns, i); + gen = a2i_GENERAL_NAME(NULL, NULL, NULL, GEN_EMAIL, str, 0); + if (!gen) + goto err; + gens = GENERAL_NAMES_new(); + if (!gens) + goto err; + if (!sk_GENERAL_NAME_push(gens, gen)) + goto err; + gen = NULL; + if (!sk_GENERAL_NAMES_push(ret, gens)) + goto err; + gens = NULL; + } + + return ret; + + err: + if (ret) + sk_GENERAL_NAMES_pop_free(ret, GENERAL_NAMES_free); + if (gens) + GENERAL_NAMES_free(gens); + if (gen) + GENERAL_NAME_free(gen); + return NULL; + } + + +static CMS_ReceiptRequest *make_receipt_request(STACK *rr_to, int rr_allorfirst, + STACK *rr_from) + { + STACK_OF(GENERAL_NAMES) *rct_to, *rct_from; + CMS_ReceiptRequest *rr; + rct_to = make_names_stack(rr_to); + if (!rct_to) + goto err; + if (rr_from) + { + rct_from = make_names_stack(rr_from); + if (!rct_from) + goto err; + } + else + rct_from = NULL; + rr = CMS_ReceiptRequest_create0(NULL, -1, rr_allorfirst, rct_from, + rct_to); + return rr; + err: + return NULL; + } + #endif diff --git a/crypto/cms/cms.h b/crypto/cms/cms.h index 15205bba47..4cc5d93bcf 100644 --- a/crypto/cms/cms.h +++ b/crypto/cms/cms.h @@ -197,6 +197,13 @@ CMS_RecipientInfo *CMS_add0_recipient_key(CMS_ContentInfo *cms, int nid, ASN1_OBJECT *otherTypeId, ASN1_TYPE *otherType); +int CMS_RecipientInfo_kekri_get0_id(CMS_RecipientInfo *ri, + X509_ALGOR **palg, + ASN1_OCTET_STRING **pid, + ASN1_GENERALIZEDTIME **pdate, + ASN1_OBJECT **potherid, + ASN1_TYPE **pothertype); + int CMS_RecipientInfo_set0_key(CMS_RecipientInfo *ri, unsigned char *key, size_t keylen); @@ -288,11 +295,11 @@ void *CMS_unsigned_get0_data_by_OBJ(CMS_SignerInfo *si, ASN1_OBJECT *oid, #ifdef HEADER_X509V3_H int CMS_get1_ReceiptRequest(CMS_SignerInfo *si, CMS_ReceiptRequest **prr); -int CMS_add1_ReceiptRequest(CMS_SignerInfo *si, - unsigned char *id, int idlen, +CMS_ReceiptRequest *CMS_ReceiptRequest_create0(unsigned char *id, int idlen, int allorfirst, STACK_OF(GENERAL_NAMES) *receiptList, STACK_OF(GENERAL_NAMES) *receiptsTo); +int CMS_add1_ReceiptRequest(CMS_SignerInfo *si, CMS_ReceiptRequest *rr); void CMS_ReceiptRequest_get0_values(CMS_ReceiptRequest *rr, ASN1_STRING **pcid, int *pallorfirst, @@ -346,6 +353,7 @@ void ERR_load_CMS_strings(void); #define CMS_F_CMS_GET0_ENVELOPED 131 #define CMS_F_CMS_GET0_REVOCATION_CHOICES 132 #define CMS_F_CMS_GET0_SIGNED 133 +#define CMS_F_CMS_RECEIPTREQUEST_CREATE0 159 #define CMS_F_CMS_RECIPIENTINFO_DECRYPT 134 #define CMS_F_CMS_RECIPIENTINFO_KEKRI_DECRYPT 135 #define CMS_F_CMS_RECIPIENTINFO_KEKRI_ENCRYPT 136 diff --git a/crypto/cms/cms_env.c b/crypto/cms/cms_env.c index 0a0b772ded..b3237d4b94 100644 --- a/crypto/cms/cms_env.c +++ b/crypto/cms/cms_env.c @@ -581,7 +581,6 @@ CMS_RecipientInfo *CMS_add0_recipient_key(CMS_ContentInfo *cms, int nid, } -#if 0 int CMS_RecipientInfo_kekri_get0_id(CMS_RecipientInfo *ri, X509_ALGOR **palg, ASN1_OCTET_STRING **pid, @@ -618,8 +617,6 @@ int CMS_RecipientInfo_kekri_get0_id(CMS_RecipientInfo *ri, } return 1; } -#endif - int CMS_RecipientInfo_set0_key(CMS_RecipientInfo *ri, unsigned char *key, size_t keylen) diff --git a/crypto/cms/cms_err.c b/crypto/cms/cms_err.c index 7b1294cac0..93e15e33fc 100644 --- a/crypto/cms/cms_err.c +++ b/crypto/cms/cms_err.c @@ -72,7 +72,7 @@ static ERR_STRING_DATA CMS_str_functs[]= { {ERR_FUNC(CMS_F_CHECK_CONTENT), "CHECK_CONTENT"}, {ERR_FUNC(CMS_F_CMS_ADD0_RECIPIENT_KEY), "CMS_add0_recipient_key"}, -{ERR_FUNC(CMS_F_CMS_ADD1_RECEIPTREQUEST), "CMS_ADD1_RECEIPTREQUEST"}, +{ERR_FUNC(CMS_F_CMS_ADD1_RECEIPTREQUEST), "CMS_add1_ReceiptRequest"}, {ERR_FUNC(CMS_F_CMS_ADD1_RECIPIENT_CERT), "CMS_add1_recipient_cert"}, {ERR_FUNC(CMS_F_CMS_ADD1_SIGNER), "CMS_add1_signer"}, {ERR_FUNC(CMS_F_CMS_ADD1_SIGNINGTIME), "CMS_ADD1_SIGNINGTIME"}, @@ -106,6 +106,7 @@ static ERR_STRING_DATA CMS_str_functs[]= {ERR_FUNC(CMS_F_CMS_GET0_ENVELOPED), "CMS_GET0_ENVELOPED"}, {ERR_FUNC(CMS_F_CMS_GET0_REVOCATION_CHOICES), "CMS_GET0_REVOCATION_CHOICES"}, {ERR_FUNC(CMS_F_CMS_GET0_SIGNED), "CMS_GET0_SIGNED"}, +{ERR_FUNC(CMS_F_CMS_RECEIPTREQUEST_CREATE0), "CMS_ReceiptRequest_create0"}, {ERR_FUNC(CMS_F_CMS_RECIPIENTINFO_DECRYPT), "CMS_RecipientInfo_decrypt"}, {ERR_FUNC(CMS_F_CMS_RECIPIENTINFO_KEKRI_DECRYPT), "CMS_RECIPIENTINFO_KEKRI_DECRYPT"}, {ERR_FUNC(CMS_F_CMS_RECIPIENTINFO_KEKRI_ENCRYPT), "CMS_RECIPIENTINFO_KEKRI_ENCRYPT"}, diff --git a/crypto/cms/cms_ess.c b/crypto/cms/cms_ess.c index 00cd9dcb43..9377217e33 100644 --- a/crypto/cms/cms_ess.c +++ b/crypto/cms/cms_ess.c @@ -89,26 +89,18 @@ int CMS_get1_ReceiptRequest(CMS_SignerInfo *si, CMS_ReceiptRequest **prr) return 1; } -int CMS_add1_ReceiptRequest(CMS_SignerInfo *si, - unsigned char *id, int idlen, +CMS_ReceiptRequest *CMS_ReceiptRequest_create0(unsigned char *id, int idlen, int allorfirst, STACK_OF(GENERAL_NAMES) *receiptList, STACK_OF(GENERAL_NAMES) *receiptsTo) { CMS_ReceiptRequest *rr = NULL; - STACK_OF(GENERAL_NAMES) *tmpto = NULL; - unsigned char *rrder = NULL; - int rrderlen; - int r = 0; rr = CMS_ReceiptRequest_new(); if (!rr) goto merr; if (id) - { - if (!ASN1_STRING_set(rr->signedContentIdentifier, id, idlen)) - goto merr; - } + ASN1_STRING_set0(rr->signedContentIdentifier, id, idlen); else { if (!ASN1_STRING_set(rr->signedContentIdentifier, NULL, 32)) @@ -118,7 +110,7 @@ int CMS_add1_ReceiptRequest(CMS_SignerInfo *si, goto err; } - tmpto = rr->receiptsTo; + sk_GENERAL_NAMES_pop_free(rr->receiptsTo, GENERAL_NAMES_free); rr->receiptsTo = receiptsTo; if (receiptList) @@ -132,21 +124,38 @@ int CMS_add1_ReceiptRequest(CMS_SignerInfo *si, rr->receiptsFrom->d.allOrFirstTier = allorfirst; } - rrderlen = i2d_CMS_ReceiptRequest(rr, &rrder); - - r = CMS_signed_add1_attr_by_NID(si, NID_id_smime_aa_receiptRequest, - V_ASN1_SEQUENCE, rrder, rrderlen); + return rr; merr: - CMSerr(CMS_F_CMS_ADD1_RECEIPTREQUEST, ERR_R_MALLOC_FAILURE); + CMSerr(CMS_F_CMS_RECEIPTREQUEST_CREATE0, ERR_R_MALLOC_FAILURE); err: if (rr) - { - rr->receiptsTo = tmpto; - rr->receiptsFrom->type = 0; CMS_ReceiptRequest_free(rr); - } + + return NULL; + + } + +int CMS_add1_ReceiptRequest(CMS_SignerInfo *si, CMS_ReceiptRequest *rr) + { + unsigned char *rrder = NULL; + int rrderlen, r = 0; + + rrderlen = i2d_CMS_ReceiptRequest(rr, &rrder); + if (rrderlen < 0) + goto merr; + + if (!CMS_signed_add1_attr_by_NID(si, NID_id_smime_aa_receiptRequest, + V_ASN1_SEQUENCE, rrder, rrderlen)) + goto merr; + + r = 1; + + merr: + if (!r) + CMSerr(CMS_F_CMS_ADD1_RECEIPTREQUEST, ERR_R_MALLOC_FAILURE); + if (rrder) OPENSSL_free(rrder); -- cgit v1.2.3