+typedef enum OPTION_choice {
+ OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
+ OPT_INFORM, OPT_OUTFORM, OPT_IN, OPT_OUT, OPT_ENCRYPT,
+ OPT_DECRYPT, OPT_SIGN, OPT_CADES, OPT_SIGN_RECEIPT, OPT_RESIGN,
+ OPT_VERIFY, OPT_VERIFY_RETCODE, OPT_VERIFY_RECEIPT,
+ OPT_CMSOUT, OPT_DATA_OUT, OPT_DATA_CREATE, OPT_DIGEST_VERIFY,
+ OPT_DIGEST_CREATE, OPT_COMPRESS, OPT_UNCOMPRESS,
+ OPT_ED_DECRYPT, OPT_ED_ENCRYPT, OPT_DEBUG_DECRYPT, OPT_TEXT,
+ OPT_ASCIICRLF, OPT_NOINTERN, OPT_NOVERIFY, OPT_NOCERTS,
+ OPT_NOATTR, OPT_NODETACH, OPT_NOSMIMECAP, OPT_BINARY, OPT_KEYID,
+ OPT_NOSIGS, OPT_NO_CONTENT_VERIFY, OPT_NO_ATTR_VERIFY, OPT_INDEF,
+ OPT_NOINDEF, OPT_CRLFEOL, OPT_NOOUT, OPT_RR_PRINT,
+ OPT_RR_ALL, OPT_RR_FIRST, OPT_RCTFORM, OPT_CERTFILE, OPT_CAFILE,
+ OPT_CAPATH, OPT_CASTORE, OPT_NOCAPATH, OPT_NOCAFILE, OPT_NOCASTORE,
+ OPT_CONTENT, OPT_PRINT, OPT_NAMEOPT,
+ OPT_SECRETKEY, OPT_SECRETKEYID, OPT_PWRI_PASSWORD, OPT_ECONTENT_TYPE,
+ OPT_PASSIN, OPT_TO, OPT_FROM, OPT_SUBJECT, OPT_SIGNER, OPT_RECIP,
+ OPT_CERTSOUT, OPT_MD, OPT_INKEY, OPT_KEYFORM, OPT_KEYOPT, OPT_RR_FROM,
+ OPT_RR_TO, OPT_AES128_WRAP, OPT_AES192_WRAP, OPT_AES256_WRAP,
+ OPT_3DES_WRAP, OPT_WRAP, OPT_ENGINE,
+ OPT_R_ENUM,
+ OPT_PROV_ENUM,
+ OPT_V_ENUM,
+ OPT_CIPHER,
+ OPT_ORIGINATOR
+} OPTION_CHOICE;
+
+const OPTIONS cms_options[] = {
+ {OPT_HELP_STR, 1, '-', "Usage: %s [options] [cert...]\n"},
+
+ OPT_SECTION("General"),
+ {"help", OPT_HELP, '-', "Display this summary"},
+ {"inform", OPT_INFORM, 'c', "Input format SMIME (default), PEM or DER"},
+ {"outform", OPT_OUTFORM, 'c',
+ "Output format SMIME (default), PEM or DER"},
+ {"in", OPT_IN, '<', "Input file"},
+ {"out", OPT_OUT, '>', "Output file"},
+ {"debug_decrypt", OPT_DEBUG_DECRYPT, '-',
+ "Disable MMA protection and return an error if no recipient found"
+ " (see documentation)"},
+ {"stream", OPT_INDEF, '-', "Enable CMS streaming"},
+ {"indef", OPT_INDEF, '-', "Same as -stream"},
+ {"noindef", OPT_NOINDEF, '-', "Disable CMS streaming"},
+ {"crlfeol", OPT_CRLFEOL, '-', "Use CRLF as EOL termination instead of CR only" },
+ {"CAfile", OPT_CAFILE, '<', "Trusted certificates file"},
+ {"CApath", OPT_CAPATH, '/', "trusted certificates directory"},
+ {"CAstore", OPT_CASTORE, ':', "trusted certificates store URI"},
+ {"no-CAfile", OPT_NOCAFILE, '-',
+ "Do not load the default certificates file"},
+ {"no-CApath", OPT_NOCAPATH, '-',
+ "Do not load certificates from the default certificates directory"},
+ {"no-CAstore", OPT_NOCASTORE, '-',
+ "Do not load certificates from the default certificates store"},
+# ifndef OPENSSL_NO_ENGINE
+ {"engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device"},
+# endif
+
+ OPT_SECTION("Action"),
+ {"encrypt", OPT_ENCRYPT, '-', "Encrypt message"},
+ {"decrypt", OPT_DECRYPT, '-', "Decrypt encrypted message"},
+ {"sign", OPT_SIGN, '-', "Sign message"},
+ {"sign_receipt", OPT_SIGN_RECEIPT, '-', "Generate a signed receipt for the message"},
+ {"resign", OPT_RESIGN, '-', "Resign a signed message"},
+ {"cades", OPT_CADES, '-', "Include signer certificate digest"},
+ {"verify", OPT_VERIFY, '-', "Verify signed message"},
+ {"verify_retcode", OPT_VERIFY_RETCODE, '-',
+ "Exit non-zero on verification failure"},
+ {"verify_receipt", OPT_VERIFY_RECEIPT, '<',
+ "Verify receipts; exit if receipt signatures do not verify"},
+ {"digest_verify", OPT_DIGEST_VERIFY, '-',
+ "Verify a CMS \"DigestedData\" object and output it"},
+ {"digest_create", OPT_DIGEST_CREATE, '-',
+ "Create a CMS \"DigestedData\" object"},
+ {"compress", OPT_COMPRESS, '-', "Create a CMS \"CompressedData\" object"},
+ {"uncompress", OPT_UNCOMPRESS, '-',
+ "Uncompress a CMS \"CompressedData\" object"},
+ {"EncryptedData_decrypt", OPT_ED_DECRYPT, '-',
+ "Decrypt CMS \"EncryptedData\" object using symmetric key"},
+ {"EncryptedData_encrypt", OPT_ED_ENCRYPT, '-',
+ "Create CMS \"EncryptedData\" object using symmetric key"},
+ {"data_out", OPT_DATA_OUT, '-', "Copy CMS \"Data\" object to output"},
+ {"data_create", OPT_DATA_CREATE, '-', "Create a CMS \"Data\" object"},
+ {"cmsout", OPT_CMSOUT, '-', "Output CMS structure"},
+ {"no_content_verify", OPT_NO_CONTENT_VERIFY, '-',
+ "Do not verify signed content signatures"},
+ {"no_attr_verify", OPT_NO_ATTR_VERIFY, '-',
+ "Do not verify signed attribute signatures"},
+ {"nointern", OPT_NOINTERN, '-',
+ "Don't search certificates in message for signer"},
+ {"noverify", OPT_NOVERIFY, '-', "Don't verify signers certificate"},
+
+ OPT_SECTION("Formatting"),
+ {"text", OPT_TEXT, '-', "Include or delete text MIME headers"},
+ {"asciicrlf", OPT_ASCIICRLF, '-',
+ "Perform CRLF canonicalisation when signing"},
+ {"nodetach", OPT_NODETACH, '-', "Use opaque signing"},
+ {"nosmimecap", OPT_NOSMIMECAP, '-', "Omit the SMIMECapabilities attribute"},
+ {"noattr", OPT_NOATTR, '-', "Don't include any signed attributes"},
+ {"binary", OPT_BINARY, '-', "Don't translate message to text"},
+ {"keyid", OPT_KEYID, '-', "Use subject key identifier"},
+ {"nosigs", OPT_NOSIGS, '-', "Don't verify message signature"},
+ {"nocerts", OPT_NOCERTS, '-',
+ "Don't include signers certificate when signing"},
+ {"noout", OPT_NOOUT, '-',
+ "For the -cmsout operation do not output the parsed CMS structure"},
+ {"receipt_request_print", OPT_RR_PRINT, '-', "Print CMS Receipt Request" },
+ {"receipt_request_all", OPT_RR_ALL, '-',
+ "When signing, create a receipt request for all recipients"},
+ {"receipt_request_first", OPT_RR_FIRST, '-',
+ "When signing, create a receipt request for first recipient"},
+ {"rctform", OPT_RCTFORM, 'F', "Receipt file format"},
+ {"certfile", OPT_CERTFILE, '<', "Other certificates file"},
+ {"content", OPT_CONTENT, '<',
+ "Supply or override content for detached signature"},
+ {"print", OPT_PRINT, '-',
+ "For the -cmsout operation print out all fields of the CMS structure"},
+ {"nameopt", OPT_NAMEOPT, 's',
+ "For the -print option specifies various strings printing options"},
+ {"certsout", OPT_CERTSOUT, '>', "Certificate output file"},
+
+ OPT_SECTION("Keying"),
+ {"secretkey", OPT_SECRETKEY, 's',
+ "Use specified hex-encoded key to decrypt/encrypt recipients or content"},
+ {"secretkeyid", OPT_SECRETKEYID, 's',
+ "Identity of the -secretkey for CMS \"KEKRecipientInfo\" object"},
+ {"pwri_password", OPT_PWRI_PASSWORD, 's',
+ "Specific password for recipient"},
+ {"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
+ {"inkey", OPT_INKEY, 's',
+ "Input private key (if not signer or recipient)"},
+ {"keyform", OPT_KEYFORM, 'f', "Input private key format (ENGINE, other values ignored)"},
+ {"keyopt", OPT_KEYOPT, 's', "Set public key parameters as n:v pairs"},
+
+ OPT_SECTION("Mail header"),
+ {"econtent_type", OPT_ECONTENT_TYPE, 's', "OID for external content"},
+ {"to", OPT_TO, 's', "To address"},
+ {"from", OPT_FROM, 's', "From address"},
+ {"subject", OPT_SUBJECT, 's', "Subject"},
+ {"signer", OPT_SIGNER, 's', "Signer certificate file"},
+ {"originator", OPT_ORIGINATOR, 's', "Originator certificate file"},
+ {"recip", OPT_RECIP, '<', "Recipient cert file for decryption"},
+ {"receipt_request_from", OPT_RR_FROM, 's',
+ "Create signed receipt request with specified email address"},
+ {"receipt_request_to", OPT_RR_TO, 's',
+ "Create signed receipt targeted to specified address"},
+
+ OPT_SECTION("Encryption"),
+ {"md", OPT_MD, 's', "Digest algorithm to use when signing or resigning"},
+ {"", OPT_CIPHER, '-', "Any supported cipher"},
+
+ OPT_SECTION("Key-wrapping"),
+ {"aes128-wrap", OPT_AES128_WRAP, '-', "Use AES128 to wrap key"},
+ {"aes192-wrap", OPT_AES192_WRAP, '-', "Use AES192 to wrap key"},
+ {"aes256-wrap", OPT_AES256_WRAP, '-', "Use AES256 to wrap key"},
+# ifndef OPENSSL_NO_DES
+ {"des3-wrap", OPT_3DES_WRAP, '-', "Use 3DES-EDE to wrap key"},
+# endif
+ {"wrap", OPT_WRAP, 's', "Any wrap cipher to wrap key"},
+
+ OPT_R_OPTIONS,
+ OPT_V_OPTIONS,
+ OPT_PROV_OPTIONS,