--- /dev/null
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation. Portions created by Netscape are
+ * Copyright (C) 1994-2000 Netscape Communications Corporation. All
+ * Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable
+ * instead of those above. If you wish to allow use of your
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL. If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+/*
+ * Modifications Copyright (c) 2003-2009,2012,2014 Apple Inc. All Rights Reserved.
+ *
+ * cmsutil -- A command to work with CMS data
+ */
+
+#include "security_tool.h"
+#include "keychain_utilities.h"
+#include "identity_find.h"
+
+#include <Security/SecCmsBase.h>
+#include <Security/SecCmsContentInfo.h>
+#include <Security/SecCmsDecoder.h>
+#include <Security/SecCmsDigestContext.h>
+#include <Security/SecCmsDigestedData.h>
+#include <Security/SecCmsEncoder.h>
+#include <Security/SecCmsEncryptedData.h>
+#include <Security/SecCmsEnvelopedData.h>
+#include <Security/SecCmsMessage.h>
+#include <Security/SecCmsRecipientInfo.h>
+#include <Security/SecCmsSignedData.h>
+#include <Security/SecCmsSignerInfo.h>
+#include <Security/SecSMIME.h>
+#include <Security/tsaSupport.h>
+
+#include <Security/oidsalg.h>
+#include <Security/SecPolicy.h>
+#include <Security/SecKeychain.h>
+#include <Security/SecKeychainSearch.h>
+#include <Security/SecIdentity.h>
+#include <Security/SecIdentitySearch.h>
+#include <CoreFoundation/CFString.h>
+#include <CoreServices/../Frameworks/CarbonCore.framework/Headers/MacErrors.h>
+#include <utilities/SecCFRelease.h>
+
+#include <stdio.h>
+#include <stdarg.h>
+#include <stdio.h>
+#include <string.h>
+#include <unistd.h>
+
+#include "cmsutil.h"
+
+// SecPolicyCopy
+#include <Security/SecPolicyPriv.h>
+// SecKeychainSearchCreateForCertificateByEmail, SecCertificateFindBySubjectKeyID, SecCertificateFindByEmail
+#include <Security/SecCertificatePriv.h>
+// SecIdentitySearchCreateWithPolicy
+#include <Security/SecIdentitySearchPriv.h>
+
+#define SEC_CHECK0(CALL, ERROR) do { if (!(CALL)) { sec_error(ERROR); goto loser; } } while(0)
+#define SEC_CHECK(CALL, ERROR) do { rv = (CALL); if (rv) { sec_perror(ERROR, rv); goto loser; } } while(0)
+#define SEC_CHECK2(CALL, ERROR, ARG) do { rv = CALL; if (rv) \
+ { sec_error(ERROR ": %s", ARG, sec_errstr(rv)); goto loser; } } while(0)
+
+// @@@ Remove this
+#if 1
+
+static CSSM_KEYUSE CERT_KeyUsageForCertUsage(SECCertUsage certUsage)
+{
+ switch (certUsage)
+ {
+ case certUsageSSLClient: return CSSM_KEYUSE_SIGN;
+ case certUsageSSLServer: return CSSM_KEYUSE_SIGN;
+ case certUsageSSLServerWithStepUp: return CSSM_KEYUSE_SIGN;
+ case certUsageSSLCA: return CSSM_KEYUSE_SIGN;
+ case certUsageEmailSigner: return CSSM_KEYUSE_SIGN;
+ case certUsageEmailRecipient: return CSSM_KEYUSE_UNWRAP;
+ case certUsageObjectSigner: return CSSM_KEYUSE_SIGN;
+ case certUsageUserCertImport: return CSSM_KEYUSE_SIGN;
+ case certUsageVerifyCA: return CSSM_KEYUSE_SIGN;
+ case certUsageProtectedObjectSigner: return CSSM_KEYUSE_SIGN;
+ case certUsageStatusResponder: return CSSM_KEYUSE_SIGN;
+ case certUsageAnyCA: return CSSM_KEYUSE_SIGN;
+ default:
+ sec_error("CERT_PolicyForCertUsage %ld: unknown certUsage", certUsage);
+ return CSSM_KEYUSE_SIGN;
+ }
+}
+
+static SecPolicyRef CERT_PolicyForCertUsage(SECCertUsage certUsage, const char *emailAddress)
+{
+ SecPolicyRef policy = NULL;
+ const CSSM_OID *policyOID;
+ OSStatus rv;
+
+ switch (certUsage)
+ {
+ case certUsageSSLClient: policyOID = &CSSMOID_APPLE_TP_SSL; break;
+ case certUsageSSLServer: policyOID = &CSSMOID_APPLE_TP_SSL; break;
+ case certUsageSSLServerWithStepUp: policyOID = &CSSMOID_APPLE_TP_SSL; break;
+ case certUsageSSLCA: policyOID = &CSSMOID_APPLE_TP_SSL; break;
+ case certUsageEmailSigner: policyOID = &CSSMOID_APPLE_TP_SMIME; break;
+ case certUsageEmailRecipient: policyOID = &CSSMOID_APPLE_TP_SMIME; break;
+ case certUsageObjectSigner: policyOID = &CSSMOID_APPLE_TP_CODE_SIGN; break;
+ case certUsageUserCertImport: policyOID = &CSSMOID_APPLE_X509_BASIC; break;
+ case certUsageVerifyCA: policyOID = &CSSMOID_APPLE_X509_BASIC; break;
+ case certUsageProtectedObjectSigner: policyOID = &CSSMOID_APPLE_ISIGN; break;
+ case certUsageStatusResponder: policyOID = &CSSMOID_APPLE_TP_REVOCATION_OCSP; break;
+ case certUsageAnyCA: policyOID = &CSSMOID_APPLE_X509_BASIC; break;
+ default:
+ sec_error("CERT_PolicyForCertUsage %ld: unknown certUsage", certUsage);
+ goto loser;
+ }
+
+ SEC_CHECK(SecPolicyCopy(CSSM_CERT_X_509v3, policyOID, &policy), "SecPolicyCopy");
+ if (certUsage == certUsageEmailSigner || certUsage == certUsageEmailRecipient)
+ {
+ CSSM_APPLE_TP_SMIME_OPTIONS options =
+ {
+ CSSM_APPLE_TP_SMIME_OPTS_VERSION,
+ certUsage == certUsageEmailSigner
+ ? CE_KU_DigitalSignature | CE_KU_NonRepudiation
+ : CE_KU_KeyEncipherment,
+ emailAddress ? sizeof(emailAddress) : 0,
+ emailAddress
+ };
+ CSSM_DATA value = { sizeof(options), (uint8 *)&options };
+ if (SecPolicySetValue(policy, &value)) {
+ goto loser;
+ }
+ }
+
+ // @@@ Need to set values for SSL and other policies.
+ return policy;
+
+loser:
+ if (policy) CFRelease(policy);
+ return NULL;
+}
+
+static SecCertificateRef CERT_FindUserCertByUsage(CFTypeRef keychainOrArray, const char *emailAddress,
+ SECCertUsage certUsage, Boolean validOnly)
+{
+ SecKeychainSearchRef search = NULL;
+ SecCertificateRef cert = NULL;
+ SecPolicyRef policy;
+ OSStatus rv;
+
+ policy = CERT_PolicyForCertUsage(certUsage, emailAddress);
+ if (!policy)
+ goto loser;
+
+ SEC_CHECK2(SecKeychainSearchCreateForCertificateByEmail(keychainOrArray, emailAddress, &search),
+ "create search for certificate with email: \"%s\"", emailAddress);
+ for (;;)
+ {
+ SecKeychainItemRef item;
+ rv = SecKeychainSearchCopyNext(search, &item);
+ if (rv)
+ {
+ if (rv == errSecItemNotFound)
+ break;
+
+ sec_perror("error finding next matching certificate", rv);
+ goto loser;
+ }
+
+ cert = (SecCertificateRef)item;
+ // @@@ Check cert against policy.
+ }
+
+loser:
+ if (policy) CFRelease(policy);
+ if (search) CFRelease(search);
+
+ return cert;
+}
+
+static SecIdentityRef CERT_FindIdentityByUsage(CFTypeRef keychainOrArray,
+ const char *emailAddress,
+ SECCertUsage certUsage,
+ Boolean validOnly)
+{
+ SecIdentitySearchRef search = NULL;
+ SecIdentityRef identity = NULL;
+ CFStringRef idString = CFStringCreateWithCString(NULL, emailAddress, kCFStringEncodingUTF8);
+ SecPolicyRef policy;
+ OSStatus rv;
+
+ policy = CERT_PolicyForCertUsage(certUsage, emailAddress);
+ if (!policy)
+ goto loser;
+
+
+ SEC_CHECK2(SecIdentitySearchCreateWithPolicy(policy, idString,
+ CERT_KeyUsageForCertUsage(certUsage), keychainOrArray, validOnly, &search),
+ "create search for identity with email: \"%s\"", emailAddress);
+ for (;;)
+ {
+ rv = SecIdentitySearchCopyNext(search, &identity);
+ if (rv)
+ {
+ if (rv == errSecItemNotFound)
+ break;
+
+ sec_perror("error finding next matching identity", rv);
+ goto loser;
+ }
+ }
+
+loser:
+ if (policy) CFRelease(policy);
+ if (search) CFRelease(search);
+ if (idString) CFRelease(idString);
+
+ return identity;
+
+
+#if 0
+ SecIdentityRef identity = NULL;
+ SecCertificateRef cert;
+ OSStatus rv;
+
+ cert = CERT_FindUserCertByUsage(keychainOrArray, emailAddress, certUsage, validOnly);
+ if (!cert)
+ goto loser;
+
+ SEC_CHECK2(SecIdentityCreateWithCertificate(keychainOrArray, cert, &identity),
+ "failed to find private key for certificate with email: \"%s\"", emailAddress);
+loser:
+ if (cert) CFRelease(cert);
+
+ return identity;
+#endif
+}
+
+static SecCertificateRef CERT_FindCertByNicknameOrEmailAddr(CFTypeRef keychainOrArray, const char *emailAddress)
+{
+ SecCertificateRef certificate = NULL;
+ OSStatus rv;
+
+ SEC_CHECK2(SecCertificateFindByEmail(keychainOrArray, emailAddress, &certificate),
+ "failed to find certificate with email: \"%s\"", emailAddress);
+
+loser:
+ return certificate;
+}
+
+static SecIdentityRef CERT_FindIdentityBySubjectKeyID(CFTypeRef keychainOrArray,
+ const char *subjectKeyIDString)
+{
+ // ss will be something like "B2ACD31AC8D0DA62E7679432ADDD3398EF66948B"
+
+ SecCertificateRef certificate = NULL;
+ SecIdentityRef identityRef = NULL;
+ OSStatus rv;
+
+ CSSM_SIZE len = strlen(subjectKeyIDString)/2;
+ CSSM_DATA subjectKeyID = {0,};
+ subjectKeyID.Length = len;
+ subjectKeyID.Data = (uint8 *)malloc(subjectKeyID.Length);
+ fromHex(subjectKeyIDString, &subjectKeyID);
+
+ SEC_CHECK2(SecCertificateFindBySubjectKeyID(keychainOrArray, &subjectKeyID, &certificate),
+ "failed to find identity with subject key ID: \"%s\"", subjectKeyIDString);
+
+ SEC_CHECK2(SecIdentityCreateWithCertificate(keychainOrArray, certificate, &identityRef),
+ "failed to find certificate with subject key ID: \"%s\"", subjectKeyIDString);
+loser:
+ return identityRef;
+}
+
+
+static OSStatus CERT_CheckCertUsage (SecCertificateRef cert,unsigned char usage)
+{
+ return 0;
+}
+
+#endif
+
+// @@@ Eleminate usage of this header.
+//#include "cert.h"
+//#include <security_asn1/secerr.h>
+//#include "plgetopt.h"
+//#include "secitem.h"
+
+#ifdef HAVE_DODUMPSTATES
+extern int doDumpStates;
+#endif /* HAVE_DODUMPSTATES */
+
+OSStatus SECU_FileToItem(CSSM_DATA *dst, FILE *src);
+
+
+extern void SEC_Init(void); /* XXX */
+static int cms_verbose = 0;
+static int cms_update_single_byte = 0;
+
+/* XXX stolen from cmsarray.c
+ * nss_CMSArray_Count - count number of elements in array
+ */
+static int nss_CMSArray_Count(void **array)
+{
+ int n = 0;
+ if (array == NULL)
+ return 0;
+ while (*array++ != NULL)
+ n++;
+ return n;
+}
+
+typedef OSStatus(update_func)(void *cx, const char *data, size_t len);
+
+static OSStatus do_update(update_func *update,
+ void *cx, const unsigned char *data, size_t len)
+{
+ OSStatus rv = noErr;
+ if (cms_update_single_byte)
+ {
+ for (;len; --len, ++data)
+ {
+ rv = update(cx, (const char *)data, 1);
+ if (rv)
+ break;
+ }
+ }
+ else
+ rv = update(cx, (const char *)data, len);
+
+ return rv;
+}
+
+
+static OSStatus DigestFile(SecArenaPoolRef poolp, CSSM_DATA ***digests, CSSM_DATA *input, SECAlgorithmID **algids)
+{
+ SecCmsDigestContextRef digcx = SecCmsDigestContextStartMultiple(algids);
+ if (digcx == NULL)
+ return paramErr;
+
+ do_update((update_func *)SecCmsDigestContextUpdate, digcx, input->Data, input->Length);
+
+ return SecCmsDigestContextFinishMultiple(digcx, poolp, digests);
+}
+
+static char *
+ownpw(void *info, Boolean retry, void *arg)
+{
+ char * passwd = NULL;
+
+ if ( (!retry) && arg ) {
+ passwd = strdup((char *)arg);
+ }
+
+ return passwd;
+}
+
+struct optionsStr {
+ PK11PasswordFunc password;
+ SECCertUsage certUsage;
+ SecKeychainRef certDBHandle;
+};
+
+struct decodeOptionsStr {
+ struct optionsStr *options;
+ FILE *contentFile;
+ int headerLevel;
+ Boolean suppressContent;
+ SecCmsGetDecryptKeyCallback dkcb;
+ SecSymmetricKeyRef bulkkey;
+};
+
+struct signOptionsStr {
+ struct optionsStr *options;
+ char *nickname;
+ char *encryptionKeyPreferenceNick;
+ char *subjectKeyID;
+ Boolean signingTime;
+ Boolean smimeProfile;
+ Boolean detached;
+ SECOidTag hashAlgTag;
+ Boolean wantTimestamping;
+ char *timestampingURL;
+};
+
+struct envelopeOptionsStr {
+ struct optionsStr *options;
+ char **recipients;
+};
+
+struct certsonlyOptionsStr {
+ struct optionsStr *options;
+ char **recipients;
+};
+
+struct encryptOptionsStr {
+ struct optionsStr *options;
+ char **recipients;
+ SecCmsMessageRef envmsg;
+ CSSM_DATA *input;
+ FILE *outfile;
+ FILE *envFile;
+ SecSymmetricKeyRef bulkkey;
+ SECOidTag bulkalgtag;
+ int keysize;
+};
+
+static SecCmsMessageRef decode(FILE *out, CSSM_DATA *output, CSSM_DATA *input,
+ const struct decodeOptionsStr *decodeOptions)
+{
+ SecCmsDecoderRef dcx;
+ SecCmsMessageRef cmsg=NULL;
+ SecCmsContentInfoRef cinfo;
+ SecCmsSignedDataRef sigd = NULL;
+ SecCmsEnvelopedDataRef envd;
+ SecCmsEncryptedDataRef encd;
+ SECAlgorithmID **digestalgs;
+ int nlevels, i, nsigners, j;
+ CFStringRef signercn;
+ SecCmsSignerInfoRef si;
+ SECOidTag typetag;
+ CSSM_DATA **digests;
+ SecArenaPoolRef poolp = NULL;
+ PK11PasswordFunc pwcb;
+ void *pwcb_arg;
+ CSSM_DATA *item, sitem = { 0, };
+ CFTypeRef policy = NULL;
+ OSStatus rv;
+
+ pwcb = (PK11PasswordFunc)((decodeOptions->options->password != NULL) ? ownpw : NULL);
+ pwcb_arg = (decodeOptions->options->password != NULL) ?
+ (void *)decodeOptions->options->password : NULL;
+
+ if (decodeOptions->contentFile) // detached content: grab content file
+ SECU_FileToItem(&sitem, decodeOptions->contentFile);
+
+ SEC_CHECK(SecCmsDecoderCreate(NULL,
+ NULL, NULL, /* content callback */
+ pwcb, pwcb_arg, /* password callback */
+ decodeOptions->dkcb, /* decrypt key callback */
+ decodeOptions->bulkkey,
+ &dcx),
+ "failed to create to decoder");
+ SEC_CHECK(do_update((update_func *)SecCmsDecoderUpdate, dcx, input->Data, input->Length),
+ "failed to add data to decoder");
+ SEC_CHECK(SecCmsDecoderFinish(dcx, &cmsg),
+ "failed to decode message");
+
+ if (decodeOptions->headerLevel >= 0)
+ {
+ /*fprintf(out, "SMIME: ", decodeOptions->headerLevel, i);*/
+ fprintf(out, "SMIME: ");
+ }
+
+ nlevels = SecCmsMessageContentLevelCount(cmsg);
+ for (i = 0; i < nlevels; i++)
+ {
+ cinfo = SecCmsMessageContentLevel(cmsg, i);
+ typetag = SecCmsContentInfoGetContentTypeTag(cinfo);
+
+ if (decodeOptions->headerLevel >= 0)
+ fprintf(out, "\tlevel=%d.%d; ", decodeOptions->headerLevel, nlevels - i);
+
+ switch (typetag)
+ {
+ case SEC_OID_PKCS7_SIGNED_DATA:
+ if (decodeOptions->headerLevel >= 0)
+ fprintf(out, "type=signedData; ");
+
+ SEC_CHECK0(sigd = (SecCmsSignedDataRef )SecCmsContentInfoGetContent(cinfo),
+ "problem finding signedData component");
+ /* if we have a content file, but no digests for this signedData */
+ if (decodeOptions->contentFile != NULL && !SecCmsSignedDataHasDigests(sigd))
+ {
+ SEC_CHECK(SecArenaPoolCreate(1024, &poolp), "failed to create arenapool");
+ digestalgs = SecCmsSignedDataGetDigestAlgs(sigd);
+ SEC_CHECK(DigestFile(poolp, &digests, &sitem, digestalgs),
+ "problem computing message digest");
+ SEC_CHECK(SecCmsSignedDataSetDigests(sigd, digestalgs, digests),
+ "problem setting message digests");
+ SecArenaPoolFree(poolp, false);
+ }
+
+ policy = CERT_PolicyForCertUsage(decodeOptions->options->certUsage, NULL);
+ // import the certificates
+ SEC_CHECK(SecCmsSignedDataImportCerts(sigd,decodeOptions->options->certDBHandle,
+ decodeOptions->options->certUsage, true /* false */),
+ "cert import failed");
+
+ /* find out about signers */
+ nsigners = SecCmsSignedDataSignerInfoCount(sigd);
+ if (decodeOptions->headerLevel >= 0)
+ fprintf(out, "nsigners=%d; ", nsigners);
+ if (nsigners == 0)
+ {
+ /* must be a cert transport message */
+ OSStatus rv;
+ /* XXX workaround for bug #54014 */
+ SecCmsSignedDataImportCerts(sigd,decodeOptions->options->certDBHandle,
+ decodeOptions->options->certUsage,true);
+ SEC_CHECK(SecCmsSignedDataVerifyCertsOnly(sigd,decodeOptions->options->certDBHandle, policy),
+ "verify certs-only failed");
+ return cmsg;
+ }
+
+ SEC_CHECK0(SecCmsSignedDataHasDigests(sigd), "message has no digests");
+ for (j = 0; j < nsigners; j++)
+ {
+ si = SecCmsSignedDataGetSignerInfo(sigd, j);
+ signercn = SecCmsSignerInfoGetSignerCommonName(si);
+ if (decodeOptions->headerLevel >= 0)
+ {
+ const char *px = signercn ? CFStringGetCStringPtr(signercn,kCFStringEncodingMacRoman) : "<NULL>";
+ fprintf(out, "\n\t\tsigner%d.id=\"%s\"; ", j, px);
+ }
+ SecCmsSignedDataVerifySignerInfo(sigd, j, decodeOptions->options->certDBHandle,
+ policy, NULL);
+ if (decodeOptions->headerLevel >= 0)
+ fprintf(out, "signer%d.status=%s; ", j,
+ SecCmsUtilVerificationStatusToString(SecCmsSignerInfoGetVerificationStatus(si)));
+ /* XXX what do we do if we don't print headers? */
+ }
+ break;
+ case SEC_OID_PKCS7_ENVELOPED_DATA:
+ if (decodeOptions->headerLevel >= 0)
+ fprintf(out, "type=envelopedData; ");
+ envd = (SecCmsEnvelopedDataRef )SecCmsContentInfoGetContent(cinfo);
+ break;
+ case SEC_OID_PKCS7_ENCRYPTED_DATA:
+ if (decodeOptions->headerLevel >= 0)
+ fprintf(out, "type=encryptedData; ");
+ encd = (SecCmsEncryptedDataRef )SecCmsContentInfoGetContent(cinfo);
+ break;
+ case SEC_OID_PKCS7_DATA:
+ if (decodeOptions->headerLevel >= 0)
+ fprintf(out, "type=data; ");
+ break;
+ default:
+ break;
+ }
+ if (decodeOptions->headerLevel >= 0)
+ fprintf(out, "\n");
+ }
+
+ if (!decodeOptions->suppressContent)
+ {
+ item = decodeOptions->contentFile ? &sitem :
+ SecCmsMessageGetContent(cmsg);
+ /* Copy the data. */
+ output->Length = item->Length;
+ output->Data = malloc(output->Length);
+ memcpy(output->Data, item->Data, output->Length);
+ }
+
+ if (policy) CFRelease(policy);
+
+ return cmsg;
+loser:
+ if (policy) CFRelease(policy);
+ if (cmsg) SecCmsMessageDestroy(cmsg);
+ return NULL;
+}
+
+/* example of a callback function to use with encoder */
+/*
+static void
+writeout(void *arg, const char *buf, unsigned long len)
+{
+ FILE *f = (FILE *)arg;
+
+ if (f != NULL && buf != NULL)
+ (void)fwrite(buf, len, 1, f);
+}
+*/
+
+static SecCmsMessageRef signed_data(struct signOptionsStr *signOptions)
+{
+ SecCmsMessageRef cmsg = NULL;
+ SecCmsContentInfoRef cinfo;
+ SecCmsSignedDataRef sigd;
+ SecCmsSignerInfoRef signerinfo;
+ SecIdentityRef identity = NULL;
+ SecCertificateRef cert = NULL, ekpcert = NULL;
+ OSStatus rv;
+
+ if (cms_verbose)
+ {
+ fprintf(stderr, "Input to signed_data:\n");
+ if (signOptions->options->password)
+ fprintf(stderr, "password [%s]\n", "***" /*signOptions->options->password*/);
+ else
+ fprintf(stderr, "password [NULL]\n");
+ fprintf(stderr, "certUsage [%d]\n", signOptions->options->certUsage);
+ if (signOptions->options->certDBHandle)
+ fprintf(stderr, "certdb [%p]\n", signOptions->options->certDBHandle);
+ else
+ fprintf(stderr, "certdb [NULL]\n");
+ if (signOptions->nickname)
+ fprintf(stderr, "nickname [%s]\n", signOptions->nickname);
+ else
+ fprintf(stderr, "nickname [NULL]\n");
+ if (signOptions->subjectKeyID)
+ fprintf(stderr, "subject Key ID [%s]\n", signOptions->subjectKeyID);
+ }
+
+ if (signOptions->subjectKeyID)
+ {
+ if ((identity = CERT_FindIdentityBySubjectKeyID(signOptions->options->certDBHandle,
+ signOptions->subjectKeyID)) == NULL)
+ {
+ sec_error("could not find signing identity for subject key ID: \"%s\"", signOptions->subjectKeyID);
+ return NULL;
+ }
+
+ if (cms_verbose)
+ fprintf(stderr, "Found identity for subject key ID %s\n", signOptions->subjectKeyID);
+ }
+ else if (signOptions->nickname)
+ {
+ if ((identity = CERT_FindIdentityByUsage(signOptions->options->certDBHandle,
+ signOptions->nickname,
+ signOptions->options->certUsage,
+ false)) == NULL)
+ {
+ // look for identity by common name rather than email address
+ if ((identity = CopyMatchingIdentity(signOptions->options->certDBHandle,
+ signOptions->nickname,
+ NULL,
+ signOptions->options->certUsage)) == NULL)
+ {
+ sec_error("could not find signing identity for name: \"%s\"", signOptions->nickname);
+ return NULL;
+ }
+ }
+
+ if (cms_verbose)
+ fprintf(stderr, "Found identity for %s\n", signOptions->nickname);
+ }
+ else
+ {
+ // no identity was specified
+ sec_error("no signing identity was specified");
+ return NULL;
+ }
+
+ // Get the cert from the identity
+ SEC_CHECK(SecIdentityCopyCertificate(identity, &cert),
+ "SecIdentityCopyCertificate");
+ // create the message object on its own pool
+ SEC_CHECK0(cmsg = SecCmsMessageCreate(NULL), "cannot create CMS message");
+ // build chain of objects: message->signedData->data
+ SEC_CHECK0(sigd = SecCmsSignedDataCreate(cmsg),
+ "cannot create CMS signedData object");
+ SEC_CHECK0(cinfo = SecCmsMessageGetContentInfo(cmsg),
+ "message has no content info");
+ SEC_CHECK(SecCmsContentInfoSetContentSignedData(cmsg, cinfo, sigd),
+ "cannot attach CMS signedData object");
+ SEC_CHECK0(cinfo = SecCmsSignedDataGetContentInfo(sigd),
+ "signed data has no content info");
+ /* we're always passing data in and detaching optionally */
+ SEC_CHECK(SecCmsContentInfoSetContentData(cmsg, cinfo, NULL, signOptions->detached),
+ "cannot attach CMS data object");
+ // create & attach signer information
+ SEC_CHECK0(signerinfo = SecCmsSignerInfoCreate(cmsg, identity, signOptions->hashAlgTag),
+ "cannot create CMS signerInfo object");
+ if (cms_verbose)
+ fprintf(stderr,"Created CMS message, added signed data w/ signerinfo\n");
+
+ // we want the cert chain included for this one
+ SEC_CHECK(SecCmsSignerInfoIncludeCerts(signerinfo, SecCmsCMCertChain, signOptions->options->certUsage),
+ "cannot add cert chain");
+
+ if (cms_verbose)
+ fprintf(stderr, "imported certificate\n");
+
+ if (signOptions->signingTime)
+ SEC_CHECK(SecCmsSignerInfoAddSigningTime(signerinfo, CFAbsoluteTimeGetCurrent()),
+ "cannot add signingTime attribute");
+
+ if (signOptions->smimeProfile)
+ SEC_CHECK(SecCmsSignerInfoAddSMIMECaps(signerinfo),
+ "cannot add SMIMECaps attribute");
+
+ if (signOptions->wantTimestamping)
+ {
+ CFErrorRef error = NULL;
+ SecCmsMessageSetTSAContext(cmsg, SecCmsTSAGetDefaultContext(&error));
+ }
+
+ if (!signOptions->encryptionKeyPreferenceNick)
+ {
+ /* check signing cert for fitness as encryption cert */
+ OSStatus FitForEncrypt = CERT_CheckCertUsage(cert, certUsageEmailRecipient);
+
+ if (noErr == FitForEncrypt)
+ {
+ /* if yes, add signing cert as EncryptionKeyPreference */
+ SEC_CHECK(SecCmsSignerInfoAddSMIMEEncKeyPrefs(signerinfo, cert, signOptions->options->certDBHandle),
+ "cannot add default SMIMEEncKeyPrefs attribute");
+ SEC_CHECK(SecCmsSignerInfoAddMSSMIMEEncKeyPrefs(signerinfo, cert, signOptions->options->certDBHandle),
+ "cannot add default MS SMIMEEncKeyPrefs attribute");
+ }
+ else
+ {
+ /* this is a dual-key cert case, we need to look for the encryption
+ certificate under the same nickname as the signing cert */
+ /* get the cert, add it to the message */
+ if ((ekpcert = CERT_FindUserCertByUsage(
+ signOptions->options->certDBHandle,
+ signOptions->nickname,
+ certUsageEmailRecipient,
+ false)) == NULL)
+ {
+ sec_error("can find encryption cert for \"%s\"", signOptions->nickname);
+ goto loser;
+ }
+
+ SEC_CHECK(SecCmsSignerInfoAddSMIMEEncKeyPrefs(signerinfo, ekpcert,signOptions->options->certDBHandle),
+ "cannot add SMIMEEncKeyPrefs attribute");
+ SEC_CHECK(SecCmsSignerInfoAddMSSMIMEEncKeyPrefs(signerinfo, ekpcert,signOptions->options->certDBHandle),
+ "cannot add MS SMIMEEncKeyPrefs attribute");
+ SEC_CHECK(SecCmsSignedDataAddCertificate(sigd, ekpcert),
+ "cannot add encryption certificate");
+ }
+ }
+ else if (strcmp(signOptions->encryptionKeyPreferenceNick, "NONE") == 0)
+ {
+ /* No action */
+ }
+ else
+ {
+ /* specific email address for encryption preferred encryption cert specified.
+ get the cert, add it to the message */
+ if ((ekpcert = CERT_FindUserCertByUsage(
+ signOptions->options->certDBHandle,
+ signOptions->encryptionKeyPreferenceNick,
+ certUsageEmailRecipient, false)) == NULL)
+ {
+ sec_error("can find encryption cert for \"%s\"", signOptions->encryptionKeyPreferenceNick);
+ goto loser;
+ }
+
+ SEC_CHECK(SecCmsSignerInfoAddSMIMEEncKeyPrefs(signerinfo, ekpcert,signOptions->options->certDBHandle),
+ "cannot add SMIMEEncKeyPrefs attribute");
+ SEC_CHECK(SecCmsSignerInfoAddMSSMIMEEncKeyPrefs(signerinfo, ekpcert,signOptions->options->certDBHandle),
+ "cannot add MS SMIMEEncKeyPrefs attribute");
+ SEC_CHECK(SecCmsSignedDataAddCertificate(sigd, ekpcert),
+ "cannot add encryption certificate");
+ }
+
+ SEC_CHECK(SecCmsSignedDataAddSignerInfo(sigd, signerinfo),
+ "cannot add CMS signerInfo object");
+
+ if (cms_verbose)
+ fprintf(stderr, "created signed-data message\n");
+
+ if (ekpcert) CFRelease(ekpcert);
+ if (cert) CFRelease(cert);
+ if (identity) CFRelease(identity);
+ return cmsg;
+
+loser:
+ if (ekpcert) CFRelease(ekpcert);
+ if (cert) CFRelease(cert);
+ if (identity) CFRelease(identity);
+ SecCmsMessageDestroy(cmsg);
+ return NULL;
+}
+
+static SecCmsMessageRef enveloped_data(struct envelopeOptionsStr *envelopeOptions)
+{
+ SecCmsMessageRef cmsg = NULL;
+ SecCmsContentInfoRef cinfo;
+ SecCmsEnvelopedDataRef envd;
+ SecCmsRecipientInfoRef recipientinfo;
+ SecCertificateRef *recipientcerts = NULL;
+ SecKeychainRef dbhandle;
+ SECOidTag bulkalgtag;
+ OSStatus rv;
+ int keysize, i = 0;
+ int cnt;
+
+ dbhandle = envelopeOptions->options->certDBHandle;
+ /* count the recipients */
+ SEC_CHECK0(cnt = nss_CMSArray_Count((void **)envelopeOptions->recipients),
+ "please name at least one recipient");
+
+ // @@@ find the recipient's certs by email address or nickname
+ if ((recipientcerts = (SecCertificateRef *)calloc((cnt+1), sizeof(SecCertificateRef))) == NULL)
+ {
+ sec_error("failed to alloc certs array: %s", strerror(errno));
+ goto loser;
+ }
+
+ for (i = 0; envelopeOptions->recipients[i] != NULL; ++i)
+ {
+ if ((recipientcerts[i] =
+ CERT_FindCertByNicknameOrEmailAddr(dbhandle, envelopeOptions->recipients[i])) == NULL)
+ {
+ i = 0;
+ goto loser;
+ }
+ }
+
+ recipientcerts[i] = NULL;
+ i = 0;
+
+ // find a nice bulk algorithm
+ SEC_CHECK(SecSMIMEFindBulkAlgForRecipients(recipientcerts, &bulkalgtag, &keysize),
+ "cannot find common bulk algorithm");
+ // create the message object on its own pool
+ SEC_CHECK0(cmsg = SecCmsMessageCreate(NULL), "cannot create CMS message");
+ // build chain of objects: message->envelopedData->data
+ SEC_CHECK0(envd = SecCmsEnvelopedDataCreate(cmsg, bulkalgtag, keysize),
+ "cannot create CMS envelopedData object");
+ SEC_CHECK0(cinfo = SecCmsMessageGetContentInfo(cmsg),
+ "message has no content info");
+ SEC_CHECK(SecCmsContentInfoSetContentEnvelopedData(cmsg, cinfo, envd),
+ "cannot attach CMS envelopedData object");
+ SEC_CHECK0(cinfo = SecCmsEnvelopedDataGetContentInfo(envd),
+ "enveloped data has no content info");
+ // We're always passing data in, so the content is NULL
+ SEC_CHECK(SecCmsContentInfoSetContentData(cmsg, cinfo, NULL, false),
+ "cannot attach CMS data object");
+
+ // create & attach recipient information
+ for (i = 0; recipientcerts[i] != NULL; i++)
+ {
+ SEC_CHECK0(recipientinfo = SecCmsRecipientInfoCreate(cmsg, recipientcerts[i]),
+ "cannot create CMS recipientInfo object");
+ SEC_CHECK(SecCmsEnvelopedDataAddRecipient(envd, recipientinfo),
+ "cannot add CMS recipientInfo object");
+ CFRelease(recipientcerts[i]);
+ }
+
+ if (recipientcerts)
+ free(recipientcerts);
+
+ return cmsg;
+loser:
+ if (recipientcerts)
+ {
+ for (; recipientcerts[i] != NULL; i++)
+ CFRelease(recipientcerts[i]);
+ }
+
+ if (cmsg)
+ SecCmsMessageDestroy(cmsg);
+
+ if (recipientcerts)
+ free(recipientcerts);
+
+ return NULL;
+}
+
+static SecSymmetricKeyRef dkcb(void *arg, SECAlgorithmID *algid)
+{
+ return (SecSymmetricKeyRef)arg;
+}
+
+static OSStatus get_enc_params(struct encryptOptionsStr *encryptOptions)
+{
+ struct envelopeOptionsStr envelopeOptions;
+ OSStatus rv = paramErr;
+ SecCmsMessageRef env_cmsg = NULL;
+ SecCmsContentInfoRef cinfo;
+ int i, nlevels;
+
+ // construct an enveloped data message to obtain bulk keys
+ if (encryptOptions->envmsg)
+ env_cmsg = encryptOptions->envmsg; // get it from an old message
+ else
+ {
+ CSSM_DATA dummyOut = { 0, };
+ CSSM_DATA dummyIn = { 0, };
+ char str[] = "Hello!";
+ SecArenaPoolRef tmparena = NULL;
+
+ SEC_CHECK(SecArenaPoolCreate(1024, &tmparena), "failed to create arenapool");
+
+ dummyIn.Data = (unsigned char *)str;
+ dummyIn.Length = strlen(str);
+ envelopeOptions.options = encryptOptions->options;
+ envelopeOptions.recipients = encryptOptions->recipients;
+ env_cmsg = enveloped_data(&envelopeOptions);
+ rv = SecCmsMessageEncode(env_cmsg, &dummyIn, tmparena, &dummyOut);
+ if (rv) {
+ goto loser;
+ }
+ fwrite(dummyOut.Data, 1, dummyOut.Length,encryptOptions->envFile);
+
+ SecArenaPoolFree(tmparena, false);
+ }
+
+ // get the content info for the enveloped data
+ nlevels = SecCmsMessageContentLevelCount(env_cmsg);
+ for (i = 0; i < nlevels; i++)
+ {
+ SECOidTag typetag;
+ cinfo = SecCmsMessageContentLevel(env_cmsg, i);
+ typetag = SecCmsContentInfoGetContentTypeTag(cinfo);
+ if (typetag == SEC_OID_PKCS7_DATA)
+ {
+ // get the symmetric key
+ encryptOptions->bulkalgtag = SecCmsContentInfoGetContentEncAlgTag(cinfo);
+ encryptOptions->keysize = SecCmsContentInfoGetBulkKeySize(cinfo);
+ encryptOptions->bulkkey = SecCmsContentInfoGetBulkKey(cinfo);
+ rv = noErr;
+ break;
+ }
+ }
+ if (i == nlevels)
+ sec_error("could not retrieve enveloped data: messsage has: %ld levels", nlevels);
+
+loser:
+ if (env_cmsg)
+ SecCmsMessageDestroy(env_cmsg);
+
+ return rv;
+}
+
+static SecCmsMessageRef encrypted_data(struct encryptOptionsStr *encryptOptions)
+{
+ OSStatus rv = paramErr;
+ SecCmsMessageRef cmsg = NULL;
+ SecCmsContentInfoRef cinfo;
+ SecCmsEncryptedDataRef encd;
+ SecCmsEncoderRef ecx = NULL;
+ SecArenaPoolRef tmppoolp = NULL;
+ CSSM_DATA derOut = { 0, };
+
+ /* arena for output */
+ SEC_CHECK(SecArenaPoolCreate(1024, &tmppoolp), "failed to create arenapool");
+ // create the message object on its own pool
+ SEC_CHECK0(cmsg = SecCmsMessageCreate(NULL), "cannot create CMS message");
+ // build chain of objects: message->encryptedData->data
+ SEC_CHECK0(encd = SecCmsEncryptedDataCreate(cmsg, encryptOptions->bulkalgtag,
+ encryptOptions->keysize),
+ "cannot create CMS encryptedData object");
+ SEC_CHECK0(cinfo = SecCmsMessageGetContentInfo(cmsg),
+ "message has no content info");
+ SEC_CHECK(SecCmsContentInfoSetContentEncryptedData(cmsg, cinfo, encd),
+ "cannot attach CMS encryptedData object");
+ SEC_CHECK0(cinfo = SecCmsEncryptedDataGetContentInfo(encd),
+ "encrypted data has no content info");
+ /* we're always passing data in, so the content is NULL */
+ SEC_CHECK(SecCmsContentInfoSetContentData(cmsg, cinfo, NULL, false),
+ "cannot attach CMS data object");
+ SEC_CHECK(SecCmsEncoderCreate(cmsg, NULL, NULL, &derOut, tmppoolp, NULL, NULL,
+ dkcb, encryptOptions->bulkkey, NULL, NULL, &ecx),
+ "cannot create encoder context");
+ SEC_CHECK(do_update((update_func *)SecCmsEncoderUpdate, ecx, encryptOptions->input->Data,
+ encryptOptions->input->Length),
+ "failed to add data to encoder");
+ SEC_CHECK(SecCmsEncoderFinish(ecx), "failed to encrypt data");
+ fwrite(derOut.Data, derOut.Length, 1, encryptOptions->outfile);
+ /* @@@ Check and report write errors. */
+ /*
+ if (bulkkey)
+ CFRelease(bulkkey);
+ */
+
+ if (tmppoolp)
+ SecArenaPoolFree(tmppoolp, false);
+ return cmsg;
+loser:
+ /*
+ if (bulkkey)
+ CFRelease(bulkkey);
+ */
+ if (tmppoolp)
+ SecArenaPoolFree(tmppoolp, false);
+ if (cmsg)
+ SecCmsMessageDestroy(cmsg);
+
+ return NULL;
+}
+
+static SecCmsMessageRef signed_data_certsonly(struct certsonlyOptionsStr *certsonlyOptions)
+{
+ SecCmsMessageRef cmsg = NULL;
+ SecCmsContentInfoRef cinfo;
+ SecCmsSignedDataRef sigd;
+ SecCertificateRef *certs = NULL;
+ SecKeychainRef dbhandle;
+ OSStatus rv;
+
+ int i = 0, cnt;
+ dbhandle = certsonlyOptions->options->certDBHandle;
+ SEC_CHECK0(cnt = nss_CMSArray_Count((void**)certsonlyOptions->recipients),
+ "please indicate the nickname of a certificate to sign with");
+ if ((certs = (SecCertificateRef *)calloc((cnt+1), sizeof(SecCertificateRef))) == NULL)
+ {
+ sec_error("failed to alloc certs array: %s", strerror(errno));
+ goto loser;
+ }
+ for (i=0; certsonlyOptions->recipients && certsonlyOptions->recipients[i] != NULL; i++)
+ {
+ if ((certs[i] = CERT_FindCertByNicknameOrEmailAddr(dbhandle,certsonlyOptions->recipients[i])) == NULL)
+ {
+ i=0;
+ goto loser;
+ }
+ }
+ certs[i] = NULL;
+ i = 0;
+ // create the message object on its own pool
+ SEC_CHECK0(cmsg = SecCmsMessageCreate(NULL), "cannot create CMS message");
+ // build chain of objects: message->signedData->data
+ SEC_CHECK0(sigd = SecCmsSignedDataCreateCertsOnly(cmsg, certs[0], true),
+ "cannot create certs only CMS signedData object");
+ CFReleaseNull(certs[0]);
+ for (i = 1; i < cnt; ++i)
+ {
+ SEC_CHECK2(SecCmsSignedDataAddCertChain(sigd, certs[i]),
+ "cannot add cert chain for \"%s\"", certsonlyOptions->recipients[i]);
+ CFReleaseNull(certs[i]);
+ }
+
+ SEC_CHECK0(cinfo = SecCmsMessageGetContentInfo(cmsg),
+ "message has no content info");
+ SEC_CHECK(SecCmsContentInfoSetContentSignedData(cmsg, cinfo, sigd),
+ "cannot attach CMS signedData object");
+ SEC_CHECK0(cinfo = SecCmsSignedDataGetContentInfo(sigd),
+ "signed data has no content info");
+ SEC_CHECK(SecCmsContentInfoSetContentData(cmsg, cinfo, NULL, false),
+ "cannot attach CMS data object");
+
+ if (certs)
+ free(certs);
+
+ return cmsg;
+loser:
+ if (certs)
+ {
+ for (; i < cnt; ++i)
+ CFReleaseNull(certs[i]);
+
+ free(certs);
+ }
+ if (cmsg) SecCmsMessageDestroy(cmsg);
+
+ return NULL;
+}
+
+typedef enum { UNKNOWN, DECODE, SIGN, ENCRYPT, ENVELOPE, CERTSONLY } Mode;
+
+int cms_util(int argc, char * const *argv)
+{
+ FILE *outFile;
+ SecCmsMessageRef cmsg = NULL;
+ FILE *inFile;
+ int ch;
+ Mode mode = UNKNOWN;
+ PK11PasswordFunc pwcb;
+ void *pwcb_arg;
+ struct decodeOptionsStr decodeOptions = { 0 };
+ struct signOptionsStr signOptions = { 0 };
+ struct envelopeOptionsStr envelopeOptions = { 0 };
+ struct certsonlyOptionsStr certsonlyOptions = { 0 };
+ struct encryptOptionsStr encryptOptions = { 0 };
+ struct optionsStr options = { 0 };
+ int result = 1;
+ static char *ptrarray[128] = { 0 };
+ int nrecipients = 0;
+ char *str, *tok;
+ char *envFileName;
+ const char *keychainName = NULL;
+ CSSM_DATA input = { 0,};
+ CSSM_DATA output = { 0,};
+ CSSM_DATA dummy = { 0, };
+ CSSM_DATA envmsg = { 0, };
+ OSStatus rv;
+
+ inFile = stdin;
+ outFile = stdout;
+ envFileName = NULL;
+ mode = UNKNOWN;
+ decodeOptions.contentFile = NULL;
+ decodeOptions.suppressContent = false;
+ decodeOptions.headerLevel = -1;
+ options.certUsage = certUsageEmailSigner;
+ options.password = NULL;
+ signOptions.nickname = NULL;
+ signOptions.subjectKeyID = NULL;
+ signOptions.detached = false;
+ signOptions.signingTime = false;
+ signOptions.smimeProfile = false;
+ signOptions.encryptionKeyPreferenceNick = NULL;
+ signOptions.hashAlgTag = SEC_OID_SHA1;
+ envelopeOptions.recipients = NULL;
+ encryptOptions.recipients = NULL;
+ encryptOptions.envmsg = NULL;
+ encryptOptions.envFile = NULL;
+ encryptOptions.bulkalgtag = SEC_OID_UNKNOWN;
+ encryptOptions.bulkkey = NULL;
+ encryptOptions.keysize = -1;
+
+ // Parse command line arguments
+ while ((ch = getopt(argc, argv, "CDEGH:N:OPSTY:Z:c:de:h:i:k:no:p:r:su:vt:")) != -1)
+ {
+ switch (ch)
+ {
+ case 'C':
+ mode = ENCRYPT;
+ break;
+ case 'D':
+ mode = DECODE;
+ break;
+ case 'E':
+ mode = ENVELOPE;
+ break;
+ case 'G':
+ if (mode != SIGN) {
+ sec_error("option -G only supported with option -S");
+ result = 2; /* Trigger usage message. */
+ goto loser;
+ }
+ signOptions.signingTime = true;
+ break;
+ case 'H':
+ if (mode != SIGN) {
+ sec_error("option -n only supported with option -D");
+ result = 2; /* Trigger usage message. */
+ goto loser;
+ }
+ if(!optarg) {
+ result = 2;
+ goto loser;
+ }
+ decodeOptions.suppressContent = true;
+ if (!strcmp(optarg, "MD2"))
+ signOptions.hashAlgTag = SEC_OID_MD2;
+ else if (!strcmp(optarg, "MD4"))
+ signOptions.hashAlgTag = SEC_OID_MD4;
+ else if (!strcmp(optarg, "MD5"))
+ signOptions.hashAlgTag = SEC_OID_MD5;
+ else if (!strcmp(optarg, "SHA1"))
+ signOptions.hashAlgTag = SEC_OID_SHA1;
+ else if (!strcmp(optarg, "SHA256"))
+ signOptions.hashAlgTag = SEC_OID_SHA256;
+ else if (!strcmp(optarg, "SHA384"))
+ signOptions.hashAlgTag = SEC_OID_SHA384;
+ else if (!strcmp(optarg, "SHA512"))
+ signOptions.hashAlgTag = SEC_OID_SHA512;
+ else {
+ sec_error("option -H requires one of MD2,MD4,MD5,SHA1,SHA256,SHA384,SHA512");
+ goto loser;
+ }
+ break;
+ case 'N':
+ if (mode != SIGN) {
+ sec_error("option -N only supported with option -S");
+ result = 2; /* Trigger usage message. */
+ goto loser;
+ }
+ signOptions.nickname = strdup(optarg);
+ break;
+ case 'O':
+ mode = CERTSONLY;
+ break;
+ case 'P':
+ if (mode != SIGN) {
+ sec_error("option -P only supported with option -S");
+ result = 2; /* Trigger usage message. */
+ goto loser;
+ }
+ signOptions.smimeProfile = true;
+ break;
+ case 'S':
+ mode = SIGN;
+ break;
+ case 'T':
+ if (mode != SIGN) {
+ sec_error("option -T only supported with option -S");
+ result = 2; /* Trigger usage message. */
+ goto loser;
+ }
+ signOptions.detached = true;
+ break;
+ case 'Y':
+ if (mode != SIGN) {
+ sec_error("option -Y only supported with option -S");
+ result = 2; /* Trigger usage message. */
+ goto loser;
+ }
+ signOptions.encryptionKeyPreferenceNick = strdup(optarg);
+ break;
+
+ case 'c':
+ if (mode != DECODE)
+ {
+ sec_error("option -c only supported with option -D");
+ result = 2; /* Trigger usage message. */
+ goto loser;
+ }
+ if ((decodeOptions.contentFile = fopen(optarg, "rb")) == NULL)
+ {
+ sec_error("unable to open \"%s\" for reading: %s", optarg, strerror(errno));
+ result = 1;
+ goto loser;
+ }
+ break;
+
+#ifdef HAVE_DODUMPSTATES
+ case 'd':
+ doDumpStates++;
+ break;
+#endif /* HAVE_DODUMPSTATES */
+
+ case 'e':
+ envFileName = strdup(optarg);
+ encryptOptions.envFile = fopen(envFileName, "rb"); // PR_RDONLY, 00660);
+ break;
+
+ case 'h':
+ if (mode != DECODE) {
+ sec_error("option -h only supported with option -D");
+ result = 2; /* Trigger usage message. */
+ goto loser;
+ }
+ decodeOptions.headerLevel = atoi(optarg);
+ if (decodeOptions.headerLevel < 0) {
+ sec_error("option -h cannot have a negative value");
+ goto loser;
+ }
+ break;
+ case 'i':
+ inFile = fopen(optarg,"rb"); // PR_RDONLY, 00660);
+ if (inFile == NULL)
+ {
+ sec_error("unable to open \"%s\" for reading: %s", optarg, strerror(errno));
+ goto loser;
+ }
+ break;
+
+ case 'k':
+ keychainName = optarg;
+ break;
+
+ case 'n':
+ if (mode != DECODE)
+ {
+ sec_error("option -n only supported with option -D");
+ result = 2; /* Trigger usage message. */
+ goto loser;
+ }
+ decodeOptions.suppressContent = true;
+ break;
+ case 'o':
+ outFile = fopen(optarg, "wb");
+ if (outFile == NULL)
+ {
+ sec_error("unable to open \"%s\" for writing: %s", optarg, strerror(errno));
+ goto loser;
+ }
+ break;
+ case 'p':
+ if (!optarg)
+ {
+ sec_error("option -p must have a value");
+ result = 2; /* Trigger usage message. */
+ goto loser;
+ }
+
+ options.password = (PK11PasswordFunc)ownpw;//strdup(optarg);
+ break;
+
+ case 'r':
+ if (!optarg)
+ {
+ sec_error("option -r must have a value");
+ result = 2; /* Trigger usage message. */
+ goto loser;
+ }
+
+ envelopeOptions.recipients = ptrarray;
+ str = (char *)optarg;
+ do {
+ tok = strchr(str, ',');
+ if (tok) *tok = '\0';
+ envelopeOptions.recipients[nrecipients++] = strdup(str);
+ if (tok) str = tok + 1;
+ } while (tok);
+ envelopeOptions.recipients[nrecipients] = NULL;
+ encryptOptions.recipients = envelopeOptions.recipients;
+ certsonlyOptions.recipients = envelopeOptions.recipients;
+ break;
+
+ case 's':
+ cms_update_single_byte = 1;
+ break;
+
+ case 'Z':
+ if (!optarg)
+ {
+ sec_error("option -Z must have a value");
+ result = 2; /* Trigger usage message. */
+ goto loser;
+ }
+ signOptions.subjectKeyID = strdup(optarg);
+
+ break;
+
+ case 'u':
+ {
+ int usageType = atoi (optarg);
+ if (usageType < certUsageSSLClient || usageType > certUsageAnyCA)
+ {
+ result = 1;
+ goto loser;
+ }
+ options.certUsage = (SECCertUsage)usageType;
+ break;
+ }
+ case 'v':
+ cms_verbose = 1;
+ break;
+ case 't':
+ if (optarg)
+ signOptions.timestampingURL = strdup(optarg);
+ signOptions.wantTimestamping = true;
+ break;
+ default:
+ result = 2; /* Trigger usage message. */
+ goto loser;
+ }
+ }
+
+ argc -= optind;
+ argv += optind;
+
+ if (argc != 0 || mode == UNKNOWN)
+ {
+ result = 2; /* Trigger usage message. */
+ goto loser;
+ }
+
+ result = 0;
+
+ if (mode != CERTSONLY)
+ SECU_FileToItem(&input, inFile);
+ if (inFile != stdin)
+ fclose(inFile);
+ if (cms_verbose)
+ fprintf(stderr, "received commands\n");
+
+ /* Call the libsec initialization routines */
+ if (keychainName)
+ {
+ check_obsolete_keychain(keychainName);
+ options.certDBHandle = keychain_open(keychainName);
+ if (!options.certDBHandle)
+ {
+ sec_perror("SecKeychainOpen", errSecInvalidKeychain);
+ result = 1;
+ goto loser;
+ }
+ }
+
+ if (cms_verbose)
+ fprintf(stderr, "Got default certdb\n");
+
+ switch (mode)
+ {
+ case DECODE:
+ decodeOptions.options = &options;
+ if (encryptOptions.envFile)
+ {
+ /* Decoding encrypted-data, so get the bulkkey from an
+ * enveloped-data message.
+ */
+ SECU_FileToItem(&envmsg, encryptOptions.envFile);
+ decodeOptions.options = &options;
+ encryptOptions.envmsg = decode(NULL, &dummy, &envmsg, &decodeOptions);
+ if (!encryptOptions.envmsg)
+ {
+ sec_error("problem decoding env msg");
+ result = 1;
+ break;
+ }
+ rv = get_enc_params(&encryptOptions);
+ decodeOptions.dkcb = dkcb;
+ decodeOptions.bulkkey = encryptOptions.bulkkey;
+ }
+ cmsg = decode(outFile, &output, &input, &decodeOptions);
+ if (!cmsg)
+ {
+ sec_error("problem decoding");
+ result = 1;
+ }
+ fwrite(output.Data, output.Length, 1, outFile);
+ break;
+ case SIGN:
+ signOptions.options = &options;
+ cmsg = signed_data(&signOptions);
+ if (!cmsg)
+ {
+ sec_error("problem signing");
+ result = 1;
+ }
+ break;
+ case ENCRYPT:
+ if (!envFileName)
+ {
+ sec_error("you must specify an envelope file with -e");
+ result = 1;
+ goto loser;
+ }
+ encryptOptions.options = &options;
+ encryptOptions.input = &input;
+ encryptOptions.outfile = outFile;
+ if (!encryptOptions.envFile) {
+ encryptOptions.envFile = fopen(envFileName,"wb"); //PR_WRONLY|PR_CREATE_FILE, 00660);
+ if (!encryptOptions.envFile)
+ {
+ sec_error("failed to create file %s: %s", envFileName, strerror(errno));
+ result = 1;
+ goto loser;
+ }
+ }
+ else
+ {
+ SECU_FileToItem(&envmsg, encryptOptions.envFile);
+ decodeOptions.options = &options;
+ encryptOptions.envmsg = decode(NULL, &dummy, &envmsg,
+ &decodeOptions);
+ if (encryptOptions.envmsg == NULL)
+ {
+ sec_error("problem decrypting env msg");
+ result = 1;
+ break;
+ }
+ }
+
+ /* decode an enveloped-data message to get the bulkkey (create
+ * a new one if neccessary)
+ */
+ rv = get_enc_params(&encryptOptions);
+ /* create the encrypted-data message */
+ cmsg = encrypted_data(&encryptOptions);
+ if (!cmsg)
+ {
+ sec_error("problem encrypting");
+ result = 1;
+ }
+
+ if (encryptOptions.bulkkey)
+ {
+ CFRelease(encryptOptions.bulkkey);
+ encryptOptions.bulkkey = NULL;
+ }
+ break;
+ case ENVELOPE:
+ envelopeOptions.options = &options;
+ cmsg = enveloped_data(&envelopeOptions);
+ if (!cmsg)
+ {
+ sec_error("problem enveloping");
+ result = 1;
+ }
+ break;
+ case CERTSONLY:
+ certsonlyOptions.options = &options;
+ cmsg = signed_data_certsonly(&certsonlyOptions);
+ if (!cmsg)
+ {
+ sec_error("problem with certs-only");
+ result = 1;
+ }
+ break;
+ case UNKNOWN:
+ /* Already handled above. */
+ break;
+ }
+
+ if ( (mode == SIGN || mode == ENVELOPE || mode == CERTSONLY)
+ && (!result) )
+ {
+ SecArenaPoolRef arena = NULL;
+ SecCmsEncoderRef ecx;
+ CSSM_DATA output = {};
+
+ SEC_CHECK(SecArenaPoolCreate(1024, &arena), "failed to create arenapool");
+ pwcb = (PK11PasswordFunc)((options.password != NULL) ? ownpw : NULL);
+ pwcb_arg = (options.password != NULL) ? (void *)options.password : NULL;
+ if (cms_verbose) {
+ fprintf(stderr, "cmsg [%p]\n", cmsg);
+ fprintf(stderr, "arena [%p]\n", arena);
+ if (pwcb_arg)
+ fprintf(stderr, "password [%s]\n", (char *)pwcb_arg);
+ else
+ fprintf(stderr, "password [NULL]\n");
+ }
+
+ SEC_CHECK(SecCmsEncoderCreate(cmsg,
+ NULL, NULL, /* DER output callback */
+ &output, arena, /* destination storage */
+ pwcb, pwcb_arg, /* password callback */
+ NULL, NULL, /* decrypt key callback */
+ NULL, NULL, /* detached digests */
+ &ecx),
+ "cannot create encoder context");
+ if (cms_verbose)
+ {
+ fprintf(stderr, "input len [%ld]\n", input.Length);
+ {
+ unsigned int j;
+ for (j = 0; j < input.Length; ++j)
+ fprintf(stderr, "%2x%c", input.Data[j], (j>0&&j%35==0)?'\n':' ');
+ }
+ }
+
+ if (input.Length > 0) { /* skip if certs-only (or other zero content) */
+ SEC_CHECK(SecCmsEncoderUpdate(ecx, (char *)input.Data, input.Length),
+ "failed to add data to encoder");
+ }
+
+ SEC_CHECK(SecCmsEncoderFinish(ecx), "failed to encode data");
+
+ if (cms_verbose) {
+ fprintf(stderr, "encoding passed\n");
+ }
+
+ /*PR_Write(output.data, output.len);*/
+ fwrite(output.Data, output.Length, 1, outFile);
+ if (cms_verbose) {
+ fprintf(stderr, "wrote to file\n");
+ }
+ SecArenaPoolFree(arena, false);
+ }
+
+loser:
+ if(signOptions.encryptionKeyPreferenceNick) {
+ free(signOptions.encryptionKeyPreferenceNick);
+ }
+ if(signOptions.nickname) {
+ free(signOptions.nickname);
+ }
+ if(signOptions.subjectKeyID) {
+ free(signOptions.subjectKeyID);
+ }
+ if(signOptions.timestampingURL) {
+ free(signOptions.timestampingURL);
+ }
+ if(envFileName) {
+ free(envFileName);
+ }
+ if (cmsg)
+ SecCmsMessageDestroy(cmsg);
+ if (outFile != stdout)
+ fclose(outFile);
+
+ if (decodeOptions.contentFile)
+ fclose(decodeOptions.contentFile);
+
+ return result;
+}
+
+
+#pragma mark ================ Misc from NSS ===================
+// from /security/nss/cmd/lib/secutil.c
+
+OSStatus
+SECU_FileToItem(CSSM_DATA *dst, FILE *src)
+{
+ const int kReadSize = 4096;
+ size_t bytesRead, totalRead = 0;
+
+ do
+ {
+ /* Make room in dst for the new data. */
+ dst->Length += kReadSize;
+ dst->Data = realloc(dst->Data, dst->Length);
+ if (!dst->Data)
+ return 1 /* @@@ memFullErr */;
+
+ bytesRead = fread (&dst->Data[totalRead], 1, kReadSize, src);
+ totalRead += bytesRead;
+ } while (bytesRead == kReadSize);
+
+ if (!feof (src))
+ {
+ /* We are here, but there's no EOF. This is bad */
+ if (dst->Data) {
+ free(dst->Data);
+ dst->Data = NULL;
+ dst->Length = 0;
+ }
+ return 1 /* @@@ ioErr */;
+ }
+
+ /* Trim down the buffer. */
+ dst->Length = totalRead;
+ dst->Data = realloc(dst->Data, totalRead);
+ if (!dst->Data)
+ return 1 /* @@@ memFullErr */;
+
+ return noErr;
+}
projects / apple / security.git / blobdiff