From 6156097ae53296992463cb27d4cd81f9df1c2aac Mon Sep 17 00:00:00 2001
From: job <job@openbsd.org>
Date: Mon, 12 Aug 2024 15:34:58 +0000
Subject: [PATCH] Add -CRLfile option to 'cms' sub command

This option allows to verify certs in a CMS object against additional
CRLs.

Ported from work by Tom Harrison from APNIC

OK tb@
---
 usr.bin/openssl/cms.c     | 37 ++++++++++++++++++++++++++++++++-----
 usr.bin/openssl/openssl.1 |  8 ++++++--
 2 files changed, 38 insertions(+), 7 deletions(-)

diff --git a/usr.bin/openssl/cms.c b/usr.bin/openssl/cms.c
index b94e14675bb..7420d0ab8cc 100644
--- a/usr.bin/openssl/cms.c
+++ b/usr.bin/openssl/cms.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cms.c,v 1.35 2023/11/21 17:56:19 tb Exp $ */
+/* $OpenBSD: cms.c,v 1.36 2024/08/12 15:34:58 job Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project.
  */
@@ -110,6 +110,7 @@ static struct {
 	X509 *cert;
 	char *certfile;
 	char *certsoutfile;
+	char *crlfile;
 	const EVP_CIPHER *cipher;
 	char *contfile;
 	ASN1_OBJECT *econtent_type;
@@ -547,6 +548,13 @@ static const struct option cms_options[] = {
 		.type = OPTION_ARG,
 		.opt.arg = &cfg.CApath,
 	},
+	{
+		.name = "CRLfile",
+		.argname = "file",
+		.desc = "Other certificate revocation lists file",
+		.type = OPTION_ARG,
+		.opt.arg = &cfg.crlfile,
+	},
 	{
 		.name = "binary",
 		.desc = "Do not translate message to text",
@@ -1111,10 +1119,10 @@ cms_usage(void)
 	    "[-aes128 | -aes192 | -aes256 | -camellia128 |\n"
 	    "    -camellia192 | -camellia256 | -des | -des3 |\n"
 	    "    -rc2-40 | -rc2-64 | -rc2-128] [-CAfile file]\n"
-	    "    [-CApath directory] [-binary] [-certfile file]\n"
-	    "    [-certsout file] [-cmsout] [-compress] [-content file]\n"
-	    "    [-crlfeol] [-data_create] [-data_out] [-debug_decrypt]\n"
-	    "    [-decrypt] [-digest_create] [-digest_verify]\n"
+	    "    [-CApath directory] [-CRLfile file] [-binary]\n"
+	    "    [-certfile file] [-certsout file] [-cmsout] [-compress]\n"
+	    "    [-content file] [-crlfeol] [-data_create] [-data_out]\n"
+	    "    [-debug_decrypt] [-decrypt] [-digest_create] [-digest_verify]\n"
 	    "    [-econtent_type type] [-encrypt] [-EncryptedData_decrypt]\n"
 	    "    [-EncryptedData_encrypt] [-from addr] [-in file]\n"
 	    "    [-inform der | pem | smime] [-inkey file]\n"
@@ -1158,6 +1166,7 @@ cms_main(int argc, char **argv)
 	X509 *recip = NULL, *signer = NULL;
 	EVP_PKEY *key = NULL;
 	STACK_OF(X509) *other = NULL;
+	STACK_OF(X509_CRL) *crls = NULL;
 	BIO *in = NULL, *out = NULL, *indata = NULL, *rctin = NULL;
 	int badarg = 0;
 	CMS_ReceiptRequest *rr = NULL;
@@ -1316,6 +1325,14 @@ cms_main(int argc, char **argv)
 			goto end;
 		}
 	}
+
+	if (cfg.crlfile != NULL) {
+		crls = load_crls(bio_err, cfg.crlfile, FORMAT_PEM, NULL,
+		    "other CRLs");
+		if (crls == NULL)
+			goto end;
+	}
+
 	if (cfg.recipfile != NULL &&
 	    (cfg.operation == SMIME_DECRYPT)) {
 		if ((recip = load_cert(bio_err, cfg.recipfile,
@@ -1677,6 +1694,15 @@ cms_main(int argc, char **argv)
 		    cfg.secret_keylen, indata, out, cfg.flags))
 			goto end;
 	} else if (cfg.operation == SMIME_VERIFY) {
+		if (cfg.crlfile != NULL) {
+			int i;
+
+			for (i = 0; i < sk_X509_CRL_num(crls); i++) {
+				X509_CRL *crl = sk_X509_CRL_value(crls, i);
+				if (!CMS_add1_crl(cms, crl))
+					goto end;
+			}
+		}
 		if (CMS_verify(cms, other, store, indata, out,
 		    cfg.flags) > 0) {
 			BIO_printf(bio_err, "Verification successful\n");
@@ -1752,6 +1778,7 @@ cms_main(int argc, char **argv)
 
 	sk_X509_pop_free(cfg.encerts, X509_free);
 	sk_X509_pop_free(other, X509_free);
+	sk_X509_CRL_pop_free(crls, X509_CRL_free);
 	X509_VERIFY_PARAM_free(cfg.vpm);
 	sk_OPENSSL_STRING_free(cfg.sksigners);
 	sk_OPENSSL_STRING_free(cfg.skkeys);
diff --git a/usr.bin/openssl/openssl.1 b/usr.bin/openssl/openssl.1
index 90333098023..c185c7ebf79 100644
--- a/usr.bin/openssl/openssl.1
+++ b/usr.bin/openssl/openssl.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: openssl.1,v 1.157 2024/07/08 06:00:09 tb Exp $
+.\" $OpenBSD: openssl.1,v 1.158 2024/08/12 15:34:58 job Exp $
 .\" ====================================================================
 .\" Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
 .\"
@@ -110,7 +110,7 @@
 .\" copied and put under another distribution licence
 .\" [including the GNU Public Licence.]
 .\"
-.Dd $Mdocdate: July 8 2024 $
+.Dd $Mdocdate: August 12 2024 $
 .Dt OPENSSL 1
 .Os
 .Sh NAME
@@ -943,6 +943,7 @@ but without cipher suite codes.
 .Oc
 .Op Fl CAfile Ar file
 .Op Fl CApath Ar directory
+.Op Fl CRLfile Ar file
 .Op Fl binary
 .Op Fl certfile Ar file
 .Op Fl certsout Ar file
@@ -1133,6 +1134,9 @@ This directory must be a standard certificate directory: that is a hash
 of each subject name (using
 .Nm x509 Fl hash )
 should be linked to each certificate.
+.It Fl CRLfile Ar file
+Allows additional certificate revocation lists to be specified for verification.
+The CRLs should be in PEM format.
 .It Ar cert.pem ...
 One or more certificates of message recipients: used when encrypting a message.
 .It Fl certfile Ar file
-- 
2.20.1