• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  *  Certificate request generation
3  *
4  *  Copyright The Mbed TLS Contributors
5  *  SPDX-License-Identifier: Apache-2.0
6  *
7  *  Licensed under the Apache License, Version 2.0 (the "License"); you may
8  *  not use this file except in compliance with the License.
9  *  You may obtain a copy of the License at
10  *
11  *  http://www.apache.org/licenses/LICENSE-2.0
12  *
13  *  Unless required by applicable law or agreed to in writing, software
14  *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15  *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16  *  See the License for the specific language governing permissions and
17  *  limitations under the License.
18  */
19 
20 #include "mbedtls/build_info.h"
21 
22 #if defined(MBEDTLS_PLATFORM_C)
23 #include "mbedtls/platform.h"
24 #else
25 #include <stdio.h>
26 #include <stdlib.h>
27 #define mbedtls_printf          printf
28 #define mbedtls_exit            exit
29 #define MBEDTLS_EXIT_SUCCESS    EXIT_SUCCESS
30 #define MBEDTLS_EXIT_FAILURE    EXIT_FAILURE
31 #endif /* MBEDTLS_PLATFORM_C */
32 
33 #if !defined(MBEDTLS_X509_CSR_WRITE_C) || !defined(MBEDTLS_FS_IO) ||  \
34     !defined(MBEDTLS_PK_PARSE_C) || !defined(MBEDTLS_SHA256_C) || \
35     !defined(MBEDTLS_ENTROPY_C) || !defined(MBEDTLS_CTR_DRBG_C) || \
36     !defined(MBEDTLS_PEM_WRITE_C)
main(void)37 int main( void )
38 {
39     mbedtls_printf( "MBEDTLS_X509_CSR_WRITE_C and/or MBEDTLS_FS_IO and/or "
40             "MBEDTLS_PK_PARSE_C and/or MBEDTLS_SHA256_C and/or "
41             "MBEDTLS_ENTROPY_C and/or MBEDTLS_CTR_DRBG_C "
42             "not defined.\n");
43     mbedtls_exit( 0 );
44 }
45 #else
46 
47 #include "mbedtls/x509_csr.h"
48 #include "mbedtls/entropy.h"
49 #include "mbedtls/ctr_drbg.h"
50 #include "mbedtls/error.h"
51 
52 #include <stdio.h>
53 #include <stdlib.h>
54 #include <string.h>
55 
56 #define DFL_FILENAME            "keyfile.key"
57 #define DFL_PASSWORD            NULL
58 #define DFL_DEBUG_LEVEL         0
59 #define DFL_OUTPUT_FILENAME     "cert.req"
60 #define DFL_SUBJECT_NAME        "CN=Cert,O=mbed TLS,C=UK"
61 #define DFL_KEY_USAGE           0
62 #define DFL_FORCE_KEY_USAGE     0
63 #define DFL_NS_CERT_TYPE        0
64 #define DFL_FORCE_NS_CERT_TYPE  0
65 #define DFL_MD_ALG              MBEDTLS_MD_SHA256
66 
67 #define USAGE \
68     "\n usage: cert_req param=<>...\n"                  \
69     "\n acceptable parameters:\n"                       \
70     "    filename=%%s         default: keyfile.key\n"   \
71     "    password=%%s         default: NULL\n"          \
72     "    debug_level=%%d      default: 0 (disabled)\n"  \
73     "    output_file=%%s      default: cert.req\n"      \
74     "    subject_name=%%s     default: CN=Cert,O=mbed TLS,C=UK\n"   \
75     "    key_usage=%%s        default: (empty)\n"       \
76     "                        Comma-separated-list of values:\n"     \
77     "                          digital_signature\n"     \
78     "                          non_repudiation\n"       \
79     "                          key_encipherment\n"      \
80     "                          data_encipherment\n"     \
81     "                          key_agreement\n"         \
82     "                          key_cert_sign\n"  \
83     "                          crl_sign\n"              \
84     "    force_key_usage=0/1  default: off\n"           \
85     "                          Add KeyUsage even if it is empty\n"  \
86     "    ns_cert_type=%%s     default: (empty)\n"       \
87     "                        Comma-separated-list of values:\n"     \
88     "                          ssl_client\n"            \
89     "                          ssl_server\n"            \
90     "                          email\n"                 \
91     "                          object_signing\n"        \
92     "                          ssl_ca\n"                \
93     "                          email_ca\n"              \
94     "                          object_signing_ca\n"     \
95     "    force_ns_cert_type=0/1 default: off\n"         \
96     "                          Add NsCertType even if it is empty\n"    \
97     "    md=%%s               default: SHA256\n"       \
98     "                          possible values:\n"     \
99     "                          MD5, RIPEMD160, SHA1,\n" \
100     "                          SHA224, SHA256, SHA384, SHA512\n" \
101     "\n"
102 
103 
104 /*
105  * global options
106  */
107 struct options
108 {
109     const char *filename;       /* filename of the key file             */
110     const char *password;       /* password for the key file            */
111     int debug_level;            /* level of debugging                   */
112     const char *output_file;    /* where to store the constructed key file  */
113     const char *subject_name;   /* subject name for certificate request */
114     unsigned char key_usage;    /* key usage flags                      */
115     int force_key_usage;        /* Force adding the KeyUsage extension  */
116     unsigned char ns_cert_type; /* NS cert type                         */
117     int force_ns_cert_type;     /* Force adding NsCertType extension    */
118     mbedtls_md_type_t md_alg;   /* Hash algorithm used for signature.   */
119 } opt;
120 
write_certificate_request(mbedtls_x509write_csr * req,const char * output_file,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)121 int write_certificate_request( mbedtls_x509write_csr *req, const char *output_file,
122                                int (*f_rng)(void *, unsigned char *, size_t),
123                                void *p_rng )
124 {
125     int ret;
126     FILE *f;
127     unsigned char output_buf[4096];
128     size_t len = 0;
129 
130     memset( output_buf, 0, 4096 );
131     if( ( ret = mbedtls_x509write_csr_pem( req, output_buf, 4096, f_rng, p_rng ) ) < 0 )
132         return( ret );
133 
134     len = strlen( (char *) output_buf );
135 
136     if( ( f = fopen( output_file, "w" ) ) == NULL )
137         return( -1 );
138 
139     if( fwrite( output_buf, 1, len, f ) != len )
140     {
141         fclose( f );
142         return( -1 );
143     }
144 
145     fclose( f );
146 
147     return( 0 );
148 }
149 
main(int argc,char * argv[])150 int main( int argc, char *argv[] )
151 {
152     int ret = 1;
153     int exit_code = MBEDTLS_EXIT_FAILURE;
154     mbedtls_pk_context key;
155     char buf[1024];
156     int i;
157     char *p, *q, *r;
158     mbedtls_x509write_csr req;
159     mbedtls_entropy_context entropy;
160     mbedtls_ctr_drbg_context ctr_drbg;
161     const char *pers = "csr example app";
162 
163     /*
164      * Set to sane values
165      */
166     mbedtls_x509write_csr_init( &req );
167     mbedtls_pk_init( &key );
168     mbedtls_ctr_drbg_init( &ctr_drbg );
169     memset( buf, 0, sizeof( buf ) );
170 
171     if( argc == 0 )
172     {
173     usage:
174         mbedtls_printf( USAGE );
175         goto exit;
176     }
177 
178     opt.filename            = DFL_FILENAME;
179     opt.password            = DFL_PASSWORD;
180     opt.debug_level         = DFL_DEBUG_LEVEL;
181     opt.output_file         = DFL_OUTPUT_FILENAME;
182     opt.subject_name        = DFL_SUBJECT_NAME;
183     opt.key_usage           = DFL_KEY_USAGE;
184     opt.force_key_usage     = DFL_FORCE_KEY_USAGE;
185     opt.ns_cert_type        = DFL_NS_CERT_TYPE;
186     opt.force_ns_cert_type  = DFL_FORCE_NS_CERT_TYPE;
187     opt.md_alg              = DFL_MD_ALG;
188 
189     for( i = 1; i < argc; i++ )
190     {
191 
192         p = argv[i];
193         if( ( q = strchr( p, '=' ) ) == NULL )
194             goto usage;
195         *q++ = '\0';
196 
197         if( strcmp( p, "filename" ) == 0 )
198             opt.filename = q;
199         else if( strcmp( p, "password" ) == 0 )
200             opt.password = q;
201         else if( strcmp( p, "output_file" ) == 0 )
202             opt.output_file = q;
203         else if( strcmp( p, "debug_level" ) == 0 )
204         {
205             opt.debug_level = atoi( q );
206             if( opt.debug_level < 0 || opt.debug_level > 65535 )
207                 goto usage;
208         }
209         else if( strcmp( p, "subject_name" ) == 0 )
210         {
211             opt.subject_name = q;
212         }
213         else if( strcmp( p, "md" ) == 0 )
214         {
215             const mbedtls_md_info_t *md_info =
216                 mbedtls_md_info_from_string( q );
217             if( md_info == NULL )
218             {
219                 mbedtls_printf( "Invalid argument for option %s\n", p );
220                 goto usage;
221             }
222             opt.md_alg = mbedtls_md_get_type( md_info );
223         }
224         else if( strcmp( p, "key_usage" ) == 0 )
225         {
226             while( q != NULL )
227             {
228                 if( ( r = strchr( q, ',' ) ) != NULL )
229                     *r++ = '\0';
230 
231                 if( strcmp( q, "digital_signature" ) == 0 )
232                     opt.key_usage |= MBEDTLS_X509_KU_DIGITAL_SIGNATURE;
233                 else if( strcmp( q, "non_repudiation" ) == 0 )
234                     opt.key_usage |= MBEDTLS_X509_KU_NON_REPUDIATION;
235                 else if( strcmp( q, "key_encipherment" ) == 0 )
236                     opt.key_usage |= MBEDTLS_X509_KU_KEY_ENCIPHERMENT;
237                 else if( strcmp( q, "data_encipherment" ) == 0 )
238                     opt.key_usage |= MBEDTLS_X509_KU_DATA_ENCIPHERMENT;
239                 else if( strcmp( q, "key_agreement" ) == 0 )
240                     opt.key_usage |= MBEDTLS_X509_KU_KEY_AGREEMENT;
241                 else if( strcmp( q, "key_cert_sign" ) == 0 )
242                     opt.key_usage |= MBEDTLS_X509_KU_KEY_CERT_SIGN;
243                 else if( strcmp( q, "crl_sign" ) == 0 )
244                     opt.key_usage |= MBEDTLS_X509_KU_CRL_SIGN;
245                 else
246                     goto usage;
247 
248                 q = r;
249             }
250         }
251         else if( strcmp( p, "force_key_usage" ) == 0 )
252         {
253             switch( atoi( q ) )
254             {
255                 case 0: opt.force_key_usage = 0; break;
256                 case 1: opt.force_key_usage = 1; break;
257                 default: goto usage;
258             }
259         }
260         else if( strcmp( p, "ns_cert_type" ) == 0 )
261         {
262             while( q != NULL )
263             {
264                 if( ( r = strchr( q, ',' ) ) != NULL )
265                     *r++ = '\0';
266 
267                 if( strcmp( q, "ssl_client" ) == 0 )
268                     opt.ns_cert_type |= MBEDTLS_X509_NS_CERT_TYPE_SSL_CLIENT;
269                 else if( strcmp( q, "ssl_server" ) == 0 )
270                     opt.ns_cert_type |= MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER;
271                 else if( strcmp( q, "email" ) == 0 )
272                     opt.ns_cert_type |= MBEDTLS_X509_NS_CERT_TYPE_EMAIL;
273                 else if( strcmp( q, "object_signing" ) == 0 )
274                     opt.ns_cert_type |= MBEDTLS_X509_NS_CERT_TYPE_OBJECT_SIGNING;
275                 else if( strcmp( q, "ssl_ca" ) == 0 )
276                     opt.ns_cert_type |= MBEDTLS_X509_NS_CERT_TYPE_SSL_CA;
277                 else if( strcmp( q, "email_ca" ) == 0 )
278                     opt.ns_cert_type |= MBEDTLS_X509_NS_CERT_TYPE_EMAIL_CA;
279                 else if( strcmp( q, "object_signing_ca" ) == 0 )
280                     opt.ns_cert_type |= MBEDTLS_X509_NS_CERT_TYPE_OBJECT_SIGNING_CA;
281                 else
282                     goto usage;
283 
284                 q = r;
285             }
286         }
287         else if( strcmp( p, "force_ns_cert_type" ) == 0 )
288         {
289             switch( atoi( q ) )
290             {
291                 case 0: opt.force_ns_cert_type = 0; break;
292                 case 1: opt.force_ns_cert_type = 1; break;
293                 default: goto usage;
294             }
295         }
296         else
297             goto usage;
298     }
299 
300     mbedtls_x509write_csr_set_md_alg( &req, opt.md_alg );
301 
302     if( opt.key_usage || opt.force_key_usage == 1 )
303         mbedtls_x509write_csr_set_key_usage( &req, opt.key_usage );
304 
305     if( opt.ns_cert_type || opt.force_ns_cert_type == 1 )
306         mbedtls_x509write_csr_set_ns_cert_type( &req, opt.ns_cert_type );
307 
308     /*
309      * 0. Seed the PRNG
310      */
311     mbedtls_printf( "  . Seeding the random number generator..." );
312     fflush( stdout );
313 
314     mbedtls_entropy_init( &entropy );
315     if( ( ret = mbedtls_ctr_drbg_seed( &ctr_drbg, mbedtls_entropy_func, &entropy,
316                                (const unsigned char *) pers,
317                                strlen( pers ) ) ) != 0 )
318     {
319         mbedtls_printf( " failed\n  !  mbedtls_ctr_drbg_seed returned %d", ret );
320         goto exit;
321     }
322 
323     mbedtls_printf( " ok\n" );
324 
325     /*
326      * 1.0. Check the subject name for validity
327      */
328     mbedtls_printf( "  . Checking subject name..." );
329     fflush( stdout );
330 
331     if( ( ret = mbedtls_x509write_csr_set_subject_name( &req, opt.subject_name ) ) != 0 )
332     {
333         mbedtls_printf( " failed\n  !  mbedtls_x509write_csr_set_subject_name returned %d", ret );
334         goto exit;
335     }
336 
337     mbedtls_printf( " ok\n" );
338 
339     /*
340      * 1.1. Load the key
341      */
342     mbedtls_printf( "  . Loading the private key ..." );
343     fflush( stdout );
344 
345     ret = mbedtls_pk_parse_keyfile( &key, opt.filename, opt.password,
346                                     mbedtls_ctr_drbg_random, &ctr_drbg );
347 
348     if( ret != 0 )
349     {
350         mbedtls_printf( " failed\n  !  mbedtls_pk_parse_keyfile returned %d", ret );
351         goto exit;
352     }
353 
354     mbedtls_x509write_csr_set_key( &req, &key );
355 
356     mbedtls_printf( " ok\n" );
357 
358     /*
359      * 1.2. Writing the request
360      */
361     mbedtls_printf( "  . Writing the certificate request ..." );
362     fflush( stdout );
363 
364     if( ( ret = write_certificate_request( &req, opt.output_file,
365                                            mbedtls_ctr_drbg_random, &ctr_drbg ) ) != 0 )
366     {
367         mbedtls_printf( " failed\n  !  write_certifcate_request %d", ret );
368         goto exit;
369     }
370 
371     mbedtls_printf( " ok\n" );
372 
373     exit_code = MBEDTLS_EXIT_SUCCESS;
374 
375 exit:
376 
377     if( exit_code != MBEDTLS_EXIT_SUCCESS )
378     {
379 #ifdef MBEDTLS_ERROR_C
380         mbedtls_strerror( ret, buf, sizeof( buf ) );
381         mbedtls_printf( " - %s\n", buf );
382 #else
383         mbedtls_printf("\n");
384 #endif
385     }
386 
387     mbedtls_x509write_csr_free( &req );
388     mbedtls_pk_free( &key );
389     mbedtls_ctr_drbg_free( &ctr_drbg );
390     mbedtls_entropy_free( &entropy );
391 
392 #if defined(_WIN32)
393     mbedtls_printf( "  + Press Enter to exit this program.\n" );
394     fflush( stdout ); getchar();
395 #endif
396 
397     mbedtls_exit( exit_code );
398 }
399 #endif /* MBEDTLS_X509_CSR_WRITE_C && MBEDTLS_PK_PARSE_C && MBEDTLS_FS_IO &&
400           MBEDTLS_ENTROPY_C && MBEDTLS_CTR_DRBG_C && MBEDTLS_PEM_WRITE_C */
401