From: Dr. Stephen Henson Date: Wed, 19 Jun 2013 17:24:00 +0000 (+0100) Subject: Add -keyopt option to cms utility. X-Git-Tag: master-post-reformat~1278 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=02498cc885b801f38f33c0a0d08d4603fd6350c7;p=oweals%2Fopenssl.git Add -keyopt option to cms utility. Add support for custom public key parameters in the cms utility using the -keyopt switch. Works for -sign and also -encrypt if -recip is used. --- diff --git a/apps/cms.c b/apps/cms.c index 5f77f8fbb0..2e734bdf27 100644 --- a/apps/cms.c +++ b/apps/cms.c @@ -74,6 +74,8 @@ static void receipt_request_print(BIO *out, CMS_ContentInfo *cms); static CMS_ReceiptRequest *make_receipt_request(STACK_OF(OPENSSL_STRING) *rr_to, int rr_allorfirst, STACK_OF(OPENSSL_STRING) *rr_from); +static int cms_set_pkey_param(EVP_PKEY_CTX *pctx, + STACK_OF(OPENSSL_STRING) *param); #define SMIME_OP 0x10 #define SMIME_IP 0x20 @@ -97,6 +99,15 @@ static CMS_ReceiptRequest *make_receipt_request(STACK_OF(OPENSSL_STRING) *rr_to, int verify_err = 0; +typedef struct cms_key_param_st cms_key_param; + +struct cms_key_param_st + { + int idx; + STACK_OF(OPENSSL_STRING)*param; + cms_key_param *next; + }; + int MAIN(int, char **); int MAIN(int argc, char **argv) @@ -139,6 +150,8 @@ int MAIN(int argc, char **argv) unsigned char *pwri_pass = NULL, *pwri_tmp = NULL; size_t secret_keylen = 0, secret_keyidlen = 0; + cms_key_param *key_first = NULL, *key_param = NULL; + ASN1_OBJECT *econtent_type = NULL; X509_VERIFY_PARAM *vpm = NULL; @@ -412,7 +425,20 @@ int MAIN(int argc, char **argv) { if (!args[1]) goto argerr; - recipfile = *++args; + if (operation == SMIME_ENCRYPT) + { + if (!encerts) + encerts = sk_X509_new_null(); + cert = load_cert(bio_err,*++args,FORMAT_PEM, + NULL, e, + "recipient certificate file"); + if (!cert) + goto end; + sk_X509_push(encerts, cert); + cert = NULL; + } + else + recipfile = *++args; } else if (!strcmp (*args, "-certsout")) { @@ -460,6 +486,43 @@ int MAIN(int argc, char **argv) goto argerr; keyform = str2fmt(*++args); } + else if (!strcmp (*args, "-keyopt")) + { + int keyidx = -1; + if (!args[1]) + goto argerr; + if (operation == SMIME_ENCRYPT) + { + if (encerts) + keyidx += sk_X509_num(encerts); + } + else + { + if (keyfile || signerfile) + keyidx++; + if (skkeys) + keyidx += sk_OPENSSL_STRING_num(skkeys); + } + if (keyidx < 0) + { + BIO_printf(bio_err, "No key specified\n"); + goto argerr; + } + if (key_param == NULL || key_param->idx != keyidx) + { + cms_key_param *nparam; + nparam = OPENSSL_malloc(sizeof(cms_key_param)); + nparam->idx = keyidx; + nparam->param = sk_OPENSSL_STRING_new_null(); + nparam->next = NULL; + if (key_first == NULL) + key_first = nparam; + else + key_param->next = nparam; + key_param = nparam; + } + sk_OPENSSL_STRING_push(key_param->param, *++args); + } else if (!strcmp (*args, "-rctform")) { if (!args[1]) @@ -577,7 +640,7 @@ int MAIN(int argc, char **argv) } else if (operation == SMIME_ENCRYPT) { - if (!*args && !secret_key && !pwri_pass) + if (!*args && !secret_key && !pwri_pass && !encerts) { BIO_printf(bio_err, "No recipient(s) certificate(s) specified\n"); badarg = 1; @@ -633,6 +696,7 @@ int MAIN(int argc, char **argv) BIO_printf (bio_err, "-inform arg input format SMIME (default), PEM or DER\n"); BIO_printf (bio_err, "-inkey file input private key (if not signer or recipient)\n"); BIO_printf (bio_err, "-keyform arg input private key format (PEM or ENGINE)\n"); + BIO_printf (bio_err, "-keyopt nm:v set public key parameters\n"); BIO_printf (bio_err, "-out file output file\n"); BIO_printf (bio_err, "-outform arg output format SMIME (default), PEM or DER\n"); BIO_printf (bio_err, "-content file supply or override content for detached signature\n"); @@ -718,7 +782,7 @@ int MAIN(int argc, char **argv) goto end; } - if (*args) + if (*args && !encerts) encerts = sk_X509_new_null(); while (*args) { @@ -912,10 +976,37 @@ int MAIN(int argc, char **argv) } else if (operation == SMIME_ENCRYPT) { + int i; flags |= CMS_PARTIAL; - cms = CMS_encrypt(encerts, in, cipher, flags); + cms = CMS_encrypt(NULL, in, cipher, flags); if (!cms) goto end; + for (i = 0; i < sk_X509_num(encerts); i++) + { + CMS_RecipientInfo *ri; + cms_key_param *kparam; + int tflags = flags; + X509 *x = sk_X509_value(encerts, i); + for(kparam = key_first; kparam; kparam = kparam->next) + { + if(kparam->idx == i) + { + tflags |= CMS_KEY_PARAM; + break; + } + } + ri = CMS_add1_recipient_cert(cms, x, tflags); + if (!ri) + goto end; + if (kparam) + { + EVP_PKEY_CTX *pctx; + pctx = CMS_RecipientInfo_get0_pkey_ctx(ri); + if (!cms_set_pkey_param(pctx, kparam->param)) + goto end; + } + } + if (secret_key) { if (!CMS_add0_recipient_key(cms, NID_undef, @@ -1004,8 +1095,11 @@ int MAIN(int argc, char **argv) for (i = 0; i < sk_OPENSSL_STRING_num(sksigners); i++) { CMS_SignerInfo *si; + cms_key_param *kparam; + int tflags = flags; signerfile = sk_OPENSSL_STRING_value(sksigners, i); keyfile = sk_OPENSSL_STRING_value(skkeys, i); + signer = load_cert(bio_err, signerfile,FORMAT_PEM, NULL, e, "signer certificate"); if (!signer) @@ -1014,9 +1108,24 @@ int MAIN(int argc, char **argv) "signing key file"); if (!key) goto end; - si = CMS_add1_signer(cms, signer, key, sign_md, flags); + for(kparam = key_first; kparam; kparam = kparam->next) + { + if(kparam->idx == i) + { + tflags |= CMS_KEY_PARAM; + break; + } + } + si = CMS_add1_signer(cms, signer, key, sign_md, tflags); if (!si) goto end; + if (kparam) + { + EVP_PKEY_CTX *pctx; + pctx = CMS_SignerInfo_get0_pkey_ctx(si); + if (!cms_set_pkey_param(pctx, kparam->param)) + goto end; + } if (rr && !CMS_add1_ReceiptRequest(si, rr)) goto end; X509_free(signer); @@ -1210,6 +1319,14 @@ end: sk_OPENSSL_STRING_free(rr_to); if (rr_from) sk_OPENSSL_STRING_free(rr_from); + for(key_param = key_first; key_param;) + { + cms_key_param *tparam; + sk_OPENSSL_STRING_free(key_param->param); + tparam = key_param->next; + OPENSSL_free(key_param); + key_param = tparam; + } X509_STORE_free(store); X509_free(cert); X509_free(recip); @@ -1394,4 +1511,25 @@ static CMS_ReceiptRequest *make_receipt_request(STACK_OF(OPENSSL_STRING) *rr_to, return NULL; } +static int cms_set_pkey_param(EVP_PKEY_CTX *pctx, + STACK_OF(OPENSSL_STRING) *param) + { + char *keyopt; + int i; + if (sk_OPENSSL_STRING_num(param) <= 0) + return 1; + for (i = 0; i < sk_OPENSSL_STRING_num(param); i++) + { + keyopt = sk_OPENSSL_STRING_value(param, i); + if (pkey_ctrl_string(pctx, keyopt) <= 0) + { + BIO_printf(bio_err, "parameter error \"%s\"\n", + keyopt); + ERR_print_errors(bio_err); + return 0; + } + } + return 1; + } + #endif