1 /*
2 * Certificate generation and signing
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
6 *
7 * This file is provided under the Apache License 2.0, or the
8 * GNU General Public License v2.0 or later.
9 *
10 * **********
11 * Apache License 2.0:
12 *
13 * Licensed under the Apache License, Version 2.0 (the "License"); you may
14 * not use this file except in compliance with the License.
15 * You may obtain a copy of the License at
16 *
17 * http://www.apache.org/licenses/LICENSE-2.0
18 *
19 * Unless required by applicable law or agreed to in writing, software
20 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
21 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
22 * See the License for the specific language governing permissions and
23 * limitations under the License.
24 *
25 * **********
26 *
27 * **********
28 * GNU General Public License v2.0 or later:
29 *
30 * This program is free software; you can redistribute it and/or modify
31 * it under the terms of the GNU General Public License as published by
32 * the Free Software Foundation; either version 2 of the License, or
33 * (at your option) any later version.
34 *
35 * This program is distributed in the hope that it will be useful,
36 * but WITHOUT ANY WARRANTY; without even the implied warranty of
37 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
38 * GNU General Public License for more details.
39 *
40 * You should have received a copy of the GNU General Public License along
41 * with this program; if not, write to the Free Software Foundation, Inc.,
42 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
43 *
44 * **********
45 */
46
47 #if !defined(MBEDTLS_CONFIG_FILE)
48 #include "mbedtls/config.h"
49 #else
50 #include MBEDTLS_CONFIG_FILE
51 #endif
52
53 #if defined(MBEDTLS_PLATFORM_C)
54 #include "mbedtls/platform.h"
55 #else
56 #include <stdio.h>
57 #include <stdlib.h>
58 #define mbedtls_printf printf
59 #define mbedtls_exit exit
60 #define MBEDTLS_EXIT_SUCCESS EXIT_SUCCESS
61 #define MBEDTLS_EXIT_FAILURE EXIT_FAILURE
62 #endif /* MBEDTLS_PLATFORM_C */
63
64 #if !defined(MBEDTLS_X509_CRT_WRITE_C) || \
65 !defined(MBEDTLS_X509_CRT_PARSE_C) || !defined(MBEDTLS_FS_IO) || \
66 !defined(MBEDTLS_ENTROPY_C) || !defined(MBEDTLS_CTR_DRBG_C) || \
67 !defined(MBEDTLS_ERROR_C) || !defined(MBEDTLS_SHA256_C) || \
68 !defined(MBEDTLS_PEM_WRITE_C)
main(void)69 int main( void )
70 {
71 mbedtls_printf( "MBEDTLS_X509_CRT_WRITE_C and/or MBEDTLS_X509_CRT_PARSE_C and/or "
72 "MBEDTLS_FS_IO and/or MBEDTLS_SHA256_C and/or "
73 "MBEDTLS_ENTROPY_C and/or MBEDTLS_CTR_DRBG_C and/or "
74 "MBEDTLS_ERROR_C not defined.\n");
75 mbedtls_exit( 0 );
76 }
77 #else
78
79 #include "mbedtls/x509_crt.h"
80 #include "mbedtls/x509_csr.h"
81 #include "mbedtls/entropy.h"
82 #include "mbedtls/ctr_drbg.h"
83 #include "mbedtls/md.h"
84 #include "mbedtls/error.h"
85
86 #include <stdio.h>
87 #include <stdlib.h>
88 #include <string.h>
89
90 #if defined(MBEDTLS_X509_CSR_PARSE_C)
91 #define USAGE_CSR \
92 " request_file=%%s default: (empty)\n" \
93 " If request_file is specified, subject_key,\n" \
94 " subject_pwd and subject_name are ignored!\n"
95 #else
96 #define USAGE_CSR ""
97 #endif /* MBEDTLS_X509_CSR_PARSE_C */
98
99 #define DFL_ISSUER_CRT ""
100 #define DFL_REQUEST_FILE ""
101 #define DFL_SUBJECT_KEY "subject.key"
102 #define DFL_ISSUER_KEY "ca.key"
103 #define DFL_SUBJECT_PWD ""
104 #define DFL_ISSUER_PWD ""
105 #define DFL_OUTPUT_FILENAME "cert.crt"
106 #define DFL_SUBJECT_NAME "CN=Cert,O=mbed TLS,C=UK"
107 #define DFL_ISSUER_NAME "CN=CA,O=mbed TLS,C=UK"
108 #define DFL_NOT_BEFORE "20010101000000"
109 #define DFL_NOT_AFTER "20301231235959"
110 #define DFL_SERIAL "1"
111 #define DFL_SELFSIGN 0
112 #define DFL_IS_CA 0
113 #define DFL_MAX_PATHLEN -1
114 #define DFL_KEY_USAGE 0
115 #define DFL_NS_CERT_TYPE 0
116 #define DFL_VERSION 3
117 #define DFL_AUTH_IDENT 1
118 #define DFL_SUBJ_IDENT 1
119 #define DFL_CONSTRAINTS 1
120 #define DFL_DIGEST MBEDTLS_MD_SHA256
121
122 #define USAGE \
123 "\n usage: cert_write param=<>...\n" \
124 "\n acceptable parameters:\n" \
125 USAGE_CSR \
126 " subject_key=%%s default: subject.key\n" \
127 " subject_pwd=%%s default: (empty)\n" \
128 " subject_name=%%s default: CN=Cert,O=mbed TLS,C=UK\n" \
129 "\n" \
130 " issuer_crt=%%s default: (empty)\n" \
131 " If issuer_crt is specified, issuer_name is\n" \
132 " ignored!\n" \
133 " issuer_name=%%s default: CN=CA,O=mbed TLS,C=UK\n" \
134 "\n" \
135 " selfsign=%%d default: 0 (false)\n" \
136 " If selfsign is enabled, issuer_name and\n" \
137 " issuer_key are required (issuer_crt and\n" \
138 " subject_* are ignored\n" \
139 " issuer_key=%%s default: ca.key\n" \
140 " issuer_pwd=%%s default: (empty)\n" \
141 " output_file=%%s default: cert.crt\n" \
142 " serial=%%s default: 1\n" \
143 " not_before=%%s default: 20010101000000\n"\
144 " not_after=%%s default: 20301231235959\n"\
145 " is_ca=%%d default: 0 (disabled)\n" \
146 " max_pathlen=%%d default: -1 (none)\n" \
147 " md=%%s default: SHA256\n" \
148 " Supported values (if enabled):\n" \
149 " MD2, MD4, MD5, RIPEMD160, SHA1,\n" \
150 " SHA224, SHA256, SHA384, SHA512\n" \
151 " version=%%d default: 3\n" \
152 " Possible values: 1, 2, 3\n"\
153 " subject_identifier=%%s default: 1\n" \
154 " Possible values: 0, 1\n" \
155 " (Considered for v3 only)\n"\
156 " authority_identifier=%%s default: 1\n" \
157 " Possible values: 0, 1\n" \
158 " (Considered for v3 only)\n"\
159 " basic_constraints=%%d default: 1\n" \
160 " Possible values: 0, 1\n" \
161 " (Considered for v3 only)\n"\
162 " key_usage=%%s default: (empty)\n" \
163 " Comma-separated-list of values:\n" \
164 " digital_signature\n" \
165 " non_repudiation\n" \
166 " key_encipherment\n" \
167 " data_encipherment\n" \
168 " key_agreement\n" \
169 " key_cert_sign\n" \
170 " crl_sign\n" \
171 " (Considered for v3 only)\n"\
172 " ns_cert_type=%%s default: (empty)\n" \
173 " Comma-separated-list of values:\n" \
174 " ssl_client\n" \
175 " ssl_server\n" \
176 " email\n" \
177 " object_signing\n" \
178 " ssl_ca\n" \
179 " email_ca\n" \
180 " object_signing_ca\n" \
181 "\n"
182
183
184 /*
185 * global options
186 */
187 struct options
188 {
189 const char *issuer_crt; /* filename of the issuer certificate */
190 const char *request_file; /* filename of the certificate request */
191 const char *subject_key; /* filename of the subject key file */
192 const char *issuer_key; /* filename of the issuer key file */
193 const char *subject_pwd; /* password for the subject key file */
194 const char *issuer_pwd; /* password for the issuer key file */
195 const char *output_file; /* where to store the constructed CRT */
196 const char *subject_name; /* subject name for certificate */
197 const char *issuer_name; /* issuer name for certificate */
198 const char *not_before; /* validity period not before */
199 const char *not_after; /* validity period not after */
200 const char *serial; /* serial number string */
201 int selfsign; /* selfsign the certificate */
202 int is_ca; /* is a CA certificate */
203 int max_pathlen; /* maximum CA path length */
204 int authority_identifier; /* add authority identifier to CRT */
205 int subject_identifier; /* add subject identifier to CRT */
206 int basic_constraints; /* add basic constraints ext to CRT */
207 int version; /* CRT version */
208 mbedtls_md_type_t md; /* Hash used for signing */
209 unsigned char key_usage; /* key usage flags */
210 unsigned char ns_cert_type; /* NS cert type */
211 } opt;
212
write_certificate(mbedtls_x509write_cert * crt,const char * output_file,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)213 int write_certificate( mbedtls_x509write_cert *crt, const char *output_file,
214 int (*f_rng)(void *, unsigned char *, size_t),
215 void *p_rng )
216 {
217 int ret;
218 FILE *f;
219 unsigned char output_buf[4096];
220 size_t len = 0;
221
222 memset( output_buf, 0, 4096 );
223 if( ( ret = mbedtls_x509write_crt_pem( crt, output_buf, 4096,
224 f_rng, p_rng ) ) < 0 )
225 return( ret );
226
227 len = strlen( (char *) output_buf );
228
229 if( ( f = fopen( output_file, "w" ) ) == NULL )
230 return( -1 );
231
232 if( fwrite( output_buf, 1, len, f ) != len )
233 {
234 fclose( f );
235 return( -1 );
236 }
237
238 fclose( f );
239
240 return( 0 );
241 }
242
main(int argc,char * argv[])243 int main( int argc, char *argv[] )
244 {
245 int ret = 1;
246 int exit_code = MBEDTLS_EXIT_FAILURE;
247 mbedtls_x509_crt issuer_crt;
248 mbedtls_pk_context loaded_issuer_key, loaded_subject_key;
249 mbedtls_pk_context *issuer_key = &loaded_issuer_key,
250 *subject_key = &loaded_subject_key;
251 char buf[1024];
252 char issuer_name[256];
253 int i;
254 char *p, *q, *r;
255 #if defined(MBEDTLS_X509_CSR_PARSE_C)
256 char subject_name[256];
257 mbedtls_x509_csr csr;
258 #endif
259 mbedtls_x509write_cert crt;
260 mbedtls_mpi serial;
261 mbedtls_entropy_context entropy;
262 mbedtls_ctr_drbg_context ctr_drbg;
263 const char *pers = "crt example app";
264
265 /*
266 * Set to sane values
267 */
268 mbedtls_x509write_crt_init( &crt );
269 mbedtls_pk_init( &loaded_issuer_key );
270 mbedtls_pk_init( &loaded_subject_key );
271 mbedtls_mpi_init( &serial );
272 mbedtls_ctr_drbg_init( &ctr_drbg );
273 mbedtls_entropy_init( &entropy );
274 #if defined(MBEDTLS_X509_CSR_PARSE_C)
275 mbedtls_x509_csr_init( &csr );
276 #endif
277 mbedtls_x509_crt_init( &issuer_crt );
278 memset( buf, 0, 1024 );
279
280 if( argc == 0 )
281 {
282 usage:
283 mbedtls_printf( USAGE );
284 goto exit;
285 }
286
287 opt.issuer_crt = DFL_ISSUER_CRT;
288 opt.request_file = DFL_REQUEST_FILE;
289 opt.subject_key = DFL_SUBJECT_KEY;
290 opt.issuer_key = DFL_ISSUER_KEY;
291 opt.subject_pwd = DFL_SUBJECT_PWD;
292 opt.issuer_pwd = DFL_ISSUER_PWD;
293 opt.output_file = DFL_OUTPUT_FILENAME;
294 opt.subject_name = DFL_SUBJECT_NAME;
295 opt.issuer_name = DFL_ISSUER_NAME;
296 opt.not_before = DFL_NOT_BEFORE;
297 opt.not_after = DFL_NOT_AFTER;
298 opt.serial = DFL_SERIAL;
299 opt.selfsign = DFL_SELFSIGN;
300 opt.is_ca = DFL_IS_CA;
301 opt.max_pathlen = DFL_MAX_PATHLEN;
302 opt.key_usage = DFL_KEY_USAGE;
303 opt.ns_cert_type = DFL_NS_CERT_TYPE;
304 opt.version = DFL_VERSION - 1;
305 opt.md = DFL_DIGEST;
306 opt.subject_identifier = DFL_SUBJ_IDENT;
307 opt.authority_identifier = DFL_AUTH_IDENT;
308 opt.basic_constraints = DFL_CONSTRAINTS;
309
310 for( i = 1; i < argc; i++ )
311 {
312
313 p = argv[i];
314 if( ( q = strchr( p, '=' ) ) == NULL )
315 goto usage;
316 *q++ = '\0';
317
318 if( strcmp( p, "request_file" ) == 0 )
319 opt.request_file = q;
320 else if( strcmp( p, "subject_key" ) == 0 )
321 opt.subject_key = q;
322 else if( strcmp( p, "issuer_key" ) == 0 )
323 opt.issuer_key = q;
324 else if( strcmp( p, "subject_pwd" ) == 0 )
325 opt.subject_pwd = q;
326 else if( strcmp( p, "issuer_pwd" ) == 0 )
327 opt.issuer_pwd = q;
328 else if( strcmp( p, "issuer_crt" ) == 0 )
329 opt.issuer_crt = q;
330 else if( strcmp( p, "output_file" ) == 0 )
331 opt.output_file = q;
332 else if( strcmp( p, "subject_name" ) == 0 )
333 {
334 opt.subject_name = q;
335 }
336 else if( strcmp( p, "issuer_name" ) == 0 )
337 {
338 opt.issuer_name = q;
339 }
340 else if( strcmp( p, "not_before" ) == 0 )
341 {
342 opt.not_before = q;
343 }
344 else if( strcmp( p, "not_after" ) == 0 )
345 {
346 opt.not_after = q;
347 }
348 else if( strcmp( p, "serial" ) == 0 )
349 {
350 opt.serial = q;
351 }
352 else if( strcmp( p, "authority_identifier" ) == 0 )
353 {
354 opt.authority_identifier = atoi( q );
355 if( opt.authority_identifier != 0 &&
356 opt.authority_identifier != 1 )
357 {
358 mbedtls_printf( "Invalid argument for option %s\n", p );
359 goto usage;
360 }
361 }
362 else if( strcmp( p, "subject_identifier" ) == 0 )
363 {
364 opt.subject_identifier = atoi( q );
365 if( opt.subject_identifier != 0 &&
366 opt.subject_identifier != 1 )
367 {
368 mbedtls_printf( "Invalid argument for option %s\n", p );
369 goto usage;
370 }
371 }
372 else if( strcmp( p, "basic_constraints" ) == 0 )
373 {
374 opt.basic_constraints = atoi( q );
375 if( opt.basic_constraints != 0 &&
376 opt.basic_constraints != 1 )
377 {
378 mbedtls_printf( "Invalid argument for option %s\n", p );
379 goto usage;
380 }
381 }
382 else if( strcmp( p, "md" ) == 0 )
383 {
384 const mbedtls_md_info_t *md_info =
385 mbedtls_md_info_from_string( q );
386 if( md_info == NULL )
387 {
388 mbedtls_printf( "Invalid argument for option %s\n", p );
389 goto usage;
390 }
391 opt.md = mbedtls_md_get_type( md_info );
392 }
393 else if( strcmp( p, "version" ) == 0 )
394 {
395 opt.version = atoi( q );
396 if( opt.version < 1 || opt.version > 3 )
397 {
398 mbedtls_printf( "Invalid argument for option %s\n", p );
399 goto usage;
400 }
401 opt.version--;
402 }
403 else if( strcmp( p, "selfsign" ) == 0 )
404 {
405 opt.selfsign = atoi( q );
406 if( opt.selfsign < 0 || opt.selfsign > 1 )
407 {
408 mbedtls_printf( "Invalid argument for option %s\n", p );
409 goto usage;
410 }
411 }
412 else if( strcmp( p, "is_ca" ) == 0 )
413 {
414 opt.is_ca = atoi( q );
415 if( opt.is_ca < 0 || opt.is_ca > 1 )
416 {
417 mbedtls_printf( "Invalid argument for option %s\n", p );
418 goto usage;
419 }
420 }
421 else if( strcmp( p, "max_pathlen" ) == 0 )
422 {
423 opt.max_pathlen = atoi( q );
424 if( opt.max_pathlen < -1 || opt.max_pathlen > 127 )
425 {
426 mbedtls_printf( "Invalid argument for option %s\n", p );
427 goto usage;
428 }
429 }
430 else if( strcmp( p, "key_usage" ) == 0 )
431 {
432 while( q != NULL )
433 {
434 if( ( r = strchr( q, ',' ) ) != NULL )
435 *r++ = '\0';
436
437 if( strcmp( q, "digital_signature" ) == 0 )
438 opt.key_usage |= MBEDTLS_X509_KU_DIGITAL_SIGNATURE;
439 else if( strcmp( q, "non_repudiation" ) == 0 )
440 opt.key_usage |= MBEDTLS_X509_KU_NON_REPUDIATION;
441 else if( strcmp( q, "key_encipherment" ) == 0 )
442 opt.key_usage |= MBEDTLS_X509_KU_KEY_ENCIPHERMENT;
443 else if( strcmp( q, "data_encipherment" ) == 0 )
444 opt.key_usage |= MBEDTLS_X509_KU_DATA_ENCIPHERMENT;
445 else if( strcmp( q, "key_agreement" ) == 0 )
446 opt.key_usage |= MBEDTLS_X509_KU_KEY_AGREEMENT;
447 else if( strcmp( q, "key_cert_sign" ) == 0 )
448 opt.key_usage |= MBEDTLS_X509_KU_KEY_CERT_SIGN;
449 else if( strcmp( q, "crl_sign" ) == 0 )
450 opt.key_usage |= MBEDTLS_X509_KU_CRL_SIGN;
451 else
452 {
453 mbedtls_printf( "Invalid argument for option %s\n", p );
454 goto usage;
455 }
456
457 q = r;
458 }
459 }
460 else if( strcmp( p, "ns_cert_type" ) == 0 )
461 {
462 while( q != NULL )
463 {
464 if( ( r = strchr( q, ',' ) ) != NULL )
465 *r++ = '\0';
466
467 if( strcmp( q, "ssl_client" ) == 0 )
468 opt.ns_cert_type |= MBEDTLS_X509_NS_CERT_TYPE_SSL_CLIENT;
469 else if( strcmp( q, "ssl_server" ) == 0 )
470 opt.ns_cert_type |= MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER;
471 else if( strcmp( q, "email" ) == 0 )
472 opt.ns_cert_type |= MBEDTLS_X509_NS_CERT_TYPE_EMAIL;
473 else if( strcmp( q, "object_signing" ) == 0 )
474 opt.ns_cert_type |= MBEDTLS_X509_NS_CERT_TYPE_OBJECT_SIGNING;
475 else if( strcmp( q, "ssl_ca" ) == 0 )
476 opt.ns_cert_type |= MBEDTLS_X509_NS_CERT_TYPE_SSL_CA;
477 else if( strcmp( q, "email_ca" ) == 0 )
478 opt.ns_cert_type |= MBEDTLS_X509_NS_CERT_TYPE_EMAIL_CA;
479 else if( strcmp( q, "object_signing_ca" ) == 0 )
480 opt.ns_cert_type |= MBEDTLS_X509_NS_CERT_TYPE_OBJECT_SIGNING_CA;
481 else
482 {
483 mbedtls_printf( "Invalid argument for option %s\n", p );
484 goto usage;
485 }
486
487 q = r;
488 }
489 }
490 else
491 goto usage;
492 }
493
494 mbedtls_printf("\n");
495
496 /*
497 * 0. Seed the PRNG
498 */
499 mbedtls_printf( " . Seeding the random number generator..." );
500 fflush( stdout );
501
502 if( ( ret = mbedtls_ctr_drbg_seed( &ctr_drbg, mbedtls_entropy_func, &entropy,
503 (const unsigned char *) pers,
504 strlen( pers ) ) ) != 0 )
505 {
506 mbedtls_strerror( ret, buf, 1024 );
507 mbedtls_printf( " failed\n ! mbedtls_ctr_drbg_seed returned %d - %s\n",
508 ret, buf );
509 goto exit;
510 }
511
512 mbedtls_printf( " ok\n" );
513
514 // Parse serial to MPI
515 //
516 mbedtls_printf( " . Reading serial number..." );
517 fflush( stdout );
518
519 if( ( ret = mbedtls_mpi_read_string( &serial, 10, opt.serial ) ) != 0 )
520 {
521 mbedtls_strerror( ret, buf, 1024 );
522 mbedtls_printf( " failed\n ! mbedtls_mpi_read_string "
523 "returned -0x%04x - %s\n\n", -ret, buf );
524 goto exit;
525 }
526
527 mbedtls_printf( " ok\n" );
528
529 // Parse issuer certificate if present
530 //
531 if( !opt.selfsign && strlen( opt.issuer_crt ) )
532 {
533 /*
534 * 1.0.a. Load the certificates
535 */
536 mbedtls_printf( " . Loading the issuer certificate ..." );
537 fflush( stdout );
538
539 if( ( ret = mbedtls_x509_crt_parse_file( &issuer_crt, opt.issuer_crt ) ) != 0 )
540 {
541 mbedtls_strerror( ret, buf, 1024 );
542 mbedtls_printf( " failed\n ! mbedtls_x509_crt_parse_file "
543 "returned -0x%04x - %s\n\n", -ret, buf );
544 goto exit;
545 }
546
547 ret = mbedtls_x509_dn_gets( issuer_name, sizeof(issuer_name),
548 &issuer_crt.subject );
549 if( ret < 0 )
550 {
551 mbedtls_strerror( ret, buf, 1024 );
552 mbedtls_printf( " failed\n ! mbedtls_x509_dn_gets "
553 "returned -0x%04x - %s\n\n", -ret, buf );
554 goto exit;
555 }
556
557 opt.issuer_name = issuer_name;
558
559 mbedtls_printf( " ok\n" );
560 }
561
562 #if defined(MBEDTLS_X509_CSR_PARSE_C)
563 // Parse certificate request if present
564 //
565 if( !opt.selfsign && strlen( opt.request_file ) )
566 {
567 /*
568 * 1.0.b. Load the CSR
569 */
570 mbedtls_printf( " . Loading the certificate request ..." );
571 fflush( stdout );
572
573 if( ( ret = mbedtls_x509_csr_parse_file( &csr, opt.request_file ) ) != 0 )
574 {
575 mbedtls_strerror( ret, buf, 1024 );
576 mbedtls_printf( " failed\n ! mbedtls_x509_csr_parse_file "
577 "returned -0x%04x - %s\n\n", -ret, buf );
578 goto exit;
579 }
580
581 ret = mbedtls_x509_dn_gets( subject_name, sizeof(subject_name),
582 &csr.subject );
583 if( ret < 0 )
584 {
585 mbedtls_strerror( ret, buf, 1024 );
586 mbedtls_printf( " failed\n ! mbedtls_x509_dn_gets "
587 "returned -0x%04x - %s\n\n", -ret, buf );
588 goto exit;
589 }
590
591 opt.subject_name = subject_name;
592 subject_key = &csr.pk;
593
594 mbedtls_printf( " ok\n" );
595 }
596 #endif /* MBEDTLS_X509_CSR_PARSE_C */
597
598 /*
599 * 1.1. Load the keys
600 */
601 if( !opt.selfsign && !strlen( opt.request_file ) )
602 {
603 mbedtls_printf( " . Loading the subject key ..." );
604 fflush( stdout );
605
606 ret = mbedtls_pk_parse_keyfile( &loaded_subject_key, opt.subject_key,
607 opt.subject_pwd );
608 if( ret != 0 )
609 {
610 mbedtls_strerror( ret, buf, 1024 );
611 mbedtls_printf( " failed\n ! mbedtls_pk_parse_keyfile "
612 "returned -0x%04x - %s\n\n", -ret, buf );
613 goto exit;
614 }
615
616 mbedtls_printf( " ok\n" );
617 }
618
619 mbedtls_printf( " . Loading the issuer key ..." );
620 fflush( stdout );
621
622 ret = mbedtls_pk_parse_keyfile( &loaded_issuer_key, opt.issuer_key,
623 opt.issuer_pwd );
624 if( ret != 0 )
625 {
626 mbedtls_strerror( ret, buf, 1024 );
627 mbedtls_printf( " failed\n ! mbedtls_pk_parse_keyfile "
628 "returned -x%02x - %s\n\n", -ret, buf );
629 goto exit;
630 }
631
632 // Check if key and issuer certificate match
633 //
634 if( strlen( opt.issuer_crt ) )
635 {
636 if( mbedtls_pk_check_pair( &issuer_crt.pk, issuer_key ) != 0 )
637 {
638 mbedtls_printf( " failed\n ! issuer_key does not match "
639 "issuer certificate\n\n" );
640 goto exit;
641 }
642 }
643
644 mbedtls_printf( " ok\n" );
645
646 if( opt.selfsign )
647 {
648 opt.subject_name = opt.issuer_name;
649 subject_key = issuer_key;
650 }
651
652 mbedtls_x509write_crt_set_subject_key( &crt, subject_key );
653 mbedtls_x509write_crt_set_issuer_key( &crt, issuer_key );
654
655 /*
656 * 1.0. Check the names for validity
657 */
658 if( ( ret = mbedtls_x509write_crt_set_subject_name( &crt, opt.subject_name ) ) != 0 )
659 {
660 mbedtls_strerror( ret, buf, 1024 );
661 mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_subject_name "
662 "returned -0x%04x - %s\n\n", -ret, buf );
663 goto exit;
664 }
665
666 if( ( ret = mbedtls_x509write_crt_set_issuer_name( &crt, opt.issuer_name ) ) != 0 )
667 {
668 mbedtls_strerror( ret, buf, 1024 );
669 mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_issuer_name "
670 "returned -0x%04x - %s\n\n", -ret, buf );
671 goto exit;
672 }
673
674 mbedtls_printf( " . Setting certificate values ..." );
675 fflush( stdout );
676
677 mbedtls_x509write_crt_set_version( &crt, opt.version );
678 mbedtls_x509write_crt_set_md_alg( &crt, opt.md );
679
680 ret = mbedtls_x509write_crt_set_serial( &crt, &serial );
681 if( ret != 0 )
682 {
683 mbedtls_strerror( ret, buf, 1024 );
684 mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_serial "
685 "returned -0x%04x - %s\n\n", -ret, buf );
686 goto exit;
687 }
688
689 ret = mbedtls_x509write_crt_set_validity( &crt, opt.not_before, opt.not_after );
690 if( ret != 0 )
691 {
692 mbedtls_strerror( ret, buf, 1024 );
693 mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_validity "
694 "returned -0x%04x - %s\n\n", -ret, buf );
695 goto exit;
696 }
697
698 mbedtls_printf( " ok\n" );
699
700 if( opt.version == MBEDTLS_X509_CRT_VERSION_3 &&
701 opt.basic_constraints != 0 )
702 {
703 mbedtls_printf( " . Adding the Basic Constraints extension ..." );
704 fflush( stdout );
705
706 ret = mbedtls_x509write_crt_set_basic_constraints( &crt, opt.is_ca,
707 opt.max_pathlen );
708 if( ret != 0 )
709 {
710 mbedtls_strerror( ret, buf, 1024 );
711 mbedtls_printf( " failed\n ! x509write_crt_set_basic_contraints "
712 "returned -0x%04x - %s\n\n", -ret, buf );
713 goto exit;
714 }
715
716 mbedtls_printf( " ok\n" );
717 }
718
719 #if defined(MBEDTLS_SHA1_C)
720 if( opt.version == MBEDTLS_X509_CRT_VERSION_3 &&
721 opt.subject_identifier != 0 )
722 {
723 mbedtls_printf( " . Adding the Subject Key Identifier ..." );
724 fflush( stdout );
725
726 ret = mbedtls_x509write_crt_set_subject_key_identifier( &crt );
727 if( ret != 0 )
728 {
729 mbedtls_strerror( ret, buf, 1024 );
730 mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_subject"
731 "_key_identifier returned -0x%04x - %s\n\n",
732 -ret, buf );
733 goto exit;
734 }
735
736 mbedtls_printf( " ok\n" );
737 }
738
739 if( opt.version == MBEDTLS_X509_CRT_VERSION_3 &&
740 opt.authority_identifier != 0 )
741 {
742 mbedtls_printf( " . Adding the Authority Key Identifier ..." );
743 fflush( stdout );
744
745 ret = mbedtls_x509write_crt_set_authority_key_identifier( &crt );
746 if( ret != 0 )
747 {
748 mbedtls_strerror( ret, buf, 1024 );
749 mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_authority_"
750 "key_identifier returned -0x%04x - %s\n\n",
751 -ret, buf );
752 goto exit;
753 }
754
755 mbedtls_printf( " ok\n" );
756 }
757 #endif /* MBEDTLS_SHA1_C */
758
759 if( opt.version == MBEDTLS_X509_CRT_VERSION_3 &&
760 opt.key_usage != 0 )
761 {
762 mbedtls_printf( " . Adding the Key Usage extension ..." );
763 fflush( stdout );
764
765 ret = mbedtls_x509write_crt_set_key_usage( &crt, opt.key_usage );
766 if( ret != 0 )
767 {
768 mbedtls_strerror( ret, buf, 1024 );
769 mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_key_usage "
770 "returned -0x%04x - %s\n\n", -ret, buf );
771 goto exit;
772 }
773
774 mbedtls_printf( " ok\n" );
775 }
776
777 if( opt.version == MBEDTLS_X509_CRT_VERSION_3 &&
778 opt.ns_cert_type != 0 )
779 {
780 mbedtls_printf( " . Adding the NS Cert Type extension ..." );
781 fflush( stdout );
782
783 ret = mbedtls_x509write_crt_set_ns_cert_type( &crt, opt.ns_cert_type );
784 if( ret != 0 )
785 {
786 mbedtls_strerror( ret, buf, 1024 );
787 mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_ns_cert_type "
788 "returned -0x%04x - %s\n\n", -ret, buf );
789 goto exit;
790 }
791
792 mbedtls_printf( " ok\n" );
793 }
794
795 /*
796 * 1.2. Writing the certificate
797 */
798 mbedtls_printf( " . Writing the certificate..." );
799 fflush( stdout );
800
801 if( ( ret = write_certificate( &crt, opt.output_file,
802 mbedtls_ctr_drbg_random, &ctr_drbg ) ) != 0 )
803 {
804 mbedtls_strerror( ret, buf, 1024 );
805 mbedtls_printf( " failed\n ! write_certificate -0x%04x - %s\n\n",
806 -ret, buf );
807 goto exit;
808 }
809
810 mbedtls_printf( " ok\n" );
811
812 exit_code = MBEDTLS_EXIT_SUCCESS;
813
814 exit:
815 #if defined(MBEDTLS_X509_CSR_PARSE_C)
816 mbedtls_x509_csr_free( &csr );
817 #endif /* MBEDTLS_X509_CSR_PARSE_C */
818 mbedtls_x509_crt_free( &issuer_crt );
819 mbedtls_x509write_crt_free( &crt );
820 mbedtls_pk_free( &loaded_subject_key );
821 mbedtls_pk_free( &loaded_issuer_key );
822 mbedtls_mpi_free( &serial );
823 mbedtls_ctr_drbg_free( &ctr_drbg );
824 mbedtls_entropy_free( &entropy );
825
826 #if defined(_WIN32)
827 mbedtls_printf( " + Press Enter to exit this program.\n" );
828 fflush( stdout ); getchar();
829 #endif
830
831 mbedtls_exit( exit_code );
832 }
833 #endif /* MBEDTLS_X509_CRT_WRITE_C && MBEDTLS_X509_CRT_PARSE_C &&
834 MBEDTLS_FS_IO && MBEDTLS_ENTROPY_C && MBEDTLS_CTR_DRBG_C &&
835 MBEDTLS_ERROR_C && MBEDTLS_PEM_WRITE_C */
836