• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  *  Certificate generation and signing
3  *
4  *  Copyright The Mbed TLS Contributors
5  *  SPDX-License-Identifier: Apache-2.0
6  *
7  *  Licensed under the Apache License, Version 2.0 (the "License"); you may
8  *  not use this file except in compliance with the License.
9  *  You may obtain a copy of the License at
10  *
11  *  http://www.apache.org/licenses/LICENSE-2.0
12  *
13  *  Unless required by applicable law or agreed to in writing, software
14  *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15  *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16  *  See the License for the specific language governing permissions and
17  *  limitations under the License.
18  */
19 
20 #include "mbedtls/build_info.h"
21 
22 #if defined(MBEDTLS_PLATFORM_C)
23 #include "mbedtls/platform.h"
24 #else
25 #include <stdio.h>
26 #include <stdlib.h>
27 #define mbedtls_printf          printf
28 #define mbedtls_exit            exit
29 #define MBEDTLS_EXIT_SUCCESS    EXIT_SUCCESS
30 #define MBEDTLS_EXIT_FAILURE    EXIT_FAILURE
31 #endif /* MBEDTLS_PLATFORM_C */
32 
33 #if !defined(MBEDTLS_X509_CRT_WRITE_C) || \
34     !defined(MBEDTLS_X509_CRT_PARSE_C) || !defined(MBEDTLS_FS_IO) || \
35     !defined(MBEDTLS_ENTROPY_C) || !defined(MBEDTLS_CTR_DRBG_C) || \
36     !defined(MBEDTLS_ERROR_C) || !defined(MBEDTLS_SHA256_C) || \
37     !defined(MBEDTLS_PEM_WRITE_C)
main(void)38 int main( void )
39 {
40     mbedtls_printf( "MBEDTLS_X509_CRT_WRITE_C and/or MBEDTLS_X509_CRT_PARSE_C and/or "
41             "MBEDTLS_FS_IO and/or MBEDTLS_SHA256_C and/or "
42             "MBEDTLS_ENTROPY_C and/or MBEDTLS_CTR_DRBG_C and/or "
43             "MBEDTLS_ERROR_C not defined.\n");
44     mbedtls_exit( 0 );
45 }
46 #else
47 
48 #include "mbedtls/x509_crt.h"
49 #include "mbedtls/x509_csr.h"
50 #include "mbedtls/entropy.h"
51 #include "mbedtls/ctr_drbg.h"
52 #include "mbedtls/md.h"
53 #include "mbedtls/error.h"
54 
55 #include <stdio.h>
56 #include <stdlib.h>
57 #include <string.h>
58 
59 #if defined(MBEDTLS_X509_CSR_PARSE_C)
60 #define USAGE_CSR                                                           \
61     "    request_file=%%s         default: (empty)\n"                           \
62     "                            If request_file is specified, subject_key,\n"  \
63     "                            subject_pwd and subject_name are ignored!\n"
64 #else
65 #define USAGE_CSR ""
66 #endif /* MBEDTLS_X509_CSR_PARSE_C */
67 
68 #define DFL_ISSUER_CRT          ""
69 #define DFL_REQUEST_FILE        ""
70 #define DFL_SUBJECT_KEY         "subject.key"
71 #define DFL_ISSUER_KEY          "ca.key"
72 #define DFL_SUBJECT_PWD         ""
73 #define DFL_ISSUER_PWD          ""
74 #define DFL_OUTPUT_FILENAME     "cert.crt"
75 #define DFL_SUBJECT_NAME        "CN=Cert,O=mbed TLS,C=UK"
76 #define DFL_ISSUER_NAME         "CN=CA,O=mbed TLS,C=UK"
77 #define DFL_NOT_BEFORE          "20010101000000"
78 #define DFL_NOT_AFTER           "20301231235959"
79 #define DFL_SERIAL              "1"
80 #define DFL_SELFSIGN            0
81 #define DFL_IS_CA               0
82 #define DFL_MAX_PATHLEN         -1
83 #define DFL_KEY_USAGE           0
84 #define DFL_NS_CERT_TYPE        0
85 #define DFL_VERSION             3
86 #define DFL_AUTH_IDENT          1
87 #define DFL_SUBJ_IDENT          1
88 #define DFL_CONSTRAINTS         1
89 #define DFL_DIGEST              MBEDTLS_MD_SHA256
90 
91 #define USAGE \
92     "\n usage: cert_write param=<>...\n"                \
93     "\n acceptable parameters:\n"                       \
94     USAGE_CSR                                           \
95     "    subject_key=%%s          default: subject.key\n"   \
96     "    subject_pwd=%%s          default: (empty)\n"       \
97     "    subject_name=%%s         default: CN=Cert,O=mbed TLS,C=UK\n"   \
98     "\n"                                                \
99     "    issuer_crt=%%s           default: (empty)\n"       \
100     "                            If issuer_crt is specified, issuer_name is\n"  \
101     "                            ignored!\n"                \
102     "    issuer_name=%%s          default: CN=CA,O=mbed TLS,C=UK\n"     \
103     "\n"                                                \
104     "    selfsign=%%d             default: 0 (false)\n"     \
105     "                            If selfsign is enabled, issuer_name and\n" \
106     "                            issuer_key are required (issuer_crt and\n" \
107     "                            subject_* are ignored\n"   \
108     "    issuer_key=%%s           default: ca.key\n"        \
109     "    issuer_pwd=%%s           default: (empty)\n"       \
110     "    output_file=%%s          default: cert.crt\n"      \
111     "    serial=%%s               default: 1\n"             \
112     "    not_before=%%s           default: 20010101000000\n"\
113     "    not_after=%%s            default: 20301231235959\n"\
114     "    is_ca=%%d                default: 0 (disabled)\n"  \
115     "    max_pathlen=%%d          default: -1 (none)\n"     \
116     "    md=%%s                   default: SHA256\n"        \
117     "                            Supported values (if enabled):\n"      \
118     "                            MD5, RIPEMD160, SHA1,\n" \
119     "                            SHA224, SHA256, SHA384, SHA512\n" \
120     "    version=%%d              default: 3\n"            \
121     "                            Possible values: 1, 2, 3\n"\
122     "    subject_identifier=%%s   default: 1\n"             \
123     "                            Possible values: 0, 1\n"   \
124     "                            (Considered for v3 only)\n"\
125     "    authority_identifier=%%s default: 1\n"             \
126     "                            Possible values: 0, 1\n"   \
127     "                            (Considered for v3 only)\n"\
128     "    basic_constraints=%%d    default: 1\n"             \
129     "                            Possible values: 0, 1\n"   \
130     "                            (Considered for v3 only)\n"\
131     "    key_usage=%%s            default: (empty)\n"       \
132     "                            Comma-separated-list of values:\n"     \
133     "                            digital_signature\n"     \
134     "                            non_repudiation\n"       \
135     "                            key_encipherment\n"      \
136     "                            data_encipherment\n"     \
137     "                            key_agreement\n"         \
138     "                            key_cert_sign\n"  \
139     "                            crl_sign\n"              \
140     "                            (Considered for v3 only)\n"\
141     "    ns_cert_type=%%s         default: (empty)\n"       \
142     "                            Comma-separated-list of values:\n"     \
143     "                            ssl_client\n"            \
144     "                            ssl_server\n"            \
145     "                            email\n"                 \
146     "                            object_signing\n"        \
147     "                            ssl_ca\n"                \
148     "                            email_ca\n"              \
149     "                            object_signing_ca\n"     \
150     "\n"
151 
152 
153 /*
154  * global options
155  */
156 struct options
157 {
158     const char *issuer_crt;     /* filename of the issuer certificate   */
159     const char *request_file;   /* filename of the certificate request  */
160     const char *subject_key;    /* filename of the subject key file     */
161     const char *issuer_key;     /* filename of the issuer key file      */
162     const char *subject_pwd;    /* password for the subject key file    */
163     const char *issuer_pwd;     /* password for the issuer key file     */
164     const char *output_file;    /* where to store the constructed CRT   */
165     const char *subject_name;   /* subject name for certificate         */
166     const char *issuer_name;    /* issuer name for certificate          */
167     const char *not_before;     /* validity period not before           */
168     const char *not_after;      /* validity period not after            */
169     const char *serial;         /* serial number string                 */
170     int selfsign;               /* selfsign the certificate             */
171     int is_ca;                  /* is a CA certificate                  */
172     int max_pathlen;            /* maximum CA path length               */
173     int authority_identifier;   /* add authority identifier to CRT      */
174     int subject_identifier;     /* add subject identifier to CRT        */
175     int basic_constraints;      /* add basic constraints ext to CRT     */
176     int version;                /* CRT version                          */
177     mbedtls_md_type_t md;       /* Hash used for signing                */
178     unsigned char key_usage;    /* key usage flags                      */
179     unsigned char ns_cert_type; /* NS cert type                         */
180 } opt;
181 
write_certificate(mbedtls_x509write_cert * crt,const char * output_file,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)182 int write_certificate( mbedtls_x509write_cert *crt, const char *output_file,
183                        int (*f_rng)(void *, unsigned char *, size_t),
184                        void *p_rng )
185 {
186     int ret;
187     FILE *f;
188     unsigned char output_buf[4096];
189     size_t len = 0;
190 
191     memset( output_buf, 0, 4096 );
192     if( ( ret = mbedtls_x509write_crt_pem( crt, output_buf, 4096,
193                                            f_rng, p_rng ) ) < 0 )
194         return( ret );
195 
196     len = strlen( (char *) output_buf );
197 
198     if( ( f = fopen( output_file, "w" ) ) == NULL )
199         return( -1 );
200 
201     if( fwrite( output_buf, 1, len, f ) != len )
202     {
203         fclose( f );
204         return( -1 );
205     }
206 
207     fclose( f );
208 
209     return( 0 );
210 }
211 
main(int argc,char * argv[])212 int main( int argc, char *argv[] )
213 {
214     int ret = 1;
215     int exit_code = MBEDTLS_EXIT_FAILURE;
216     mbedtls_x509_crt issuer_crt;
217     mbedtls_pk_context loaded_issuer_key, loaded_subject_key;
218     mbedtls_pk_context *issuer_key = &loaded_issuer_key,
219                 *subject_key = &loaded_subject_key;
220     char buf[1024];
221     char issuer_name[256];
222     int i;
223     char *p, *q, *r;
224 #if defined(MBEDTLS_X509_CSR_PARSE_C)
225     char subject_name[256];
226     mbedtls_x509_csr csr;
227 #endif
228     mbedtls_x509write_cert crt;
229     mbedtls_mpi serial;
230     mbedtls_entropy_context entropy;
231     mbedtls_ctr_drbg_context ctr_drbg;
232     const char *pers = "crt example app";
233 
234     /*
235      * Set to sane values
236      */
237     mbedtls_x509write_crt_init( &crt );
238     mbedtls_pk_init( &loaded_issuer_key );
239     mbedtls_pk_init( &loaded_subject_key );
240     mbedtls_mpi_init( &serial );
241     mbedtls_ctr_drbg_init( &ctr_drbg );
242     mbedtls_entropy_init( &entropy );
243 #if defined(MBEDTLS_X509_CSR_PARSE_C)
244     mbedtls_x509_csr_init( &csr );
245 #endif
246     mbedtls_x509_crt_init( &issuer_crt );
247     memset( buf, 0, 1024 );
248 
249     if( argc == 0 )
250     {
251     usage:
252         mbedtls_printf( USAGE );
253         goto exit;
254     }
255 
256     opt.issuer_crt          = DFL_ISSUER_CRT;
257     opt.request_file        = DFL_REQUEST_FILE;
258     opt.subject_key         = DFL_SUBJECT_KEY;
259     opt.issuer_key          = DFL_ISSUER_KEY;
260     opt.subject_pwd         = DFL_SUBJECT_PWD;
261     opt.issuer_pwd          = DFL_ISSUER_PWD;
262     opt.output_file         = DFL_OUTPUT_FILENAME;
263     opt.subject_name        = DFL_SUBJECT_NAME;
264     opt.issuer_name         = DFL_ISSUER_NAME;
265     opt.not_before          = DFL_NOT_BEFORE;
266     opt.not_after           = DFL_NOT_AFTER;
267     opt.serial              = DFL_SERIAL;
268     opt.selfsign            = DFL_SELFSIGN;
269     opt.is_ca               = DFL_IS_CA;
270     opt.max_pathlen         = DFL_MAX_PATHLEN;
271     opt.key_usage           = DFL_KEY_USAGE;
272     opt.ns_cert_type        = DFL_NS_CERT_TYPE;
273     opt.version             = DFL_VERSION - 1;
274     opt.md                  = DFL_DIGEST;
275     opt.subject_identifier   = DFL_SUBJ_IDENT;
276     opt.authority_identifier = DFL_AUTH_IDENT;
277     opt.basic_constraints    = DFL_CONSTRAINTS;
278 
279     for( i = 1; i < argc; i++ )
280     {
281 
282         p = argv[i];
283         if( ( q = strchr( p, '=' ) ) == NULL )
284             goto usage;
285         *q++ = '\0';
286 
287         if( strcmp( p, "request_file" ) == 0 )
288             opt.request_file = q;
289         else if( strcmp( p, "subject_key" ) == 0 )
290             opt.subject_key = q;
291         else if( strcmp( p, "issuer_key" ) == 0 )
292             opt.issuer_key = q;
293         else if( strcmp( p, "subject_pwd" ) == 0 )
294             opt.subject_pwd = q;
295         else if( strcmp( p, "issuer_pwd" ) == 0 )
296             opt.issuer_pwd = q;
297         else if( strcmp( p, "issuer_crt" ) == 0 )
298             opt.issuer_crt = q;
299         else if( strcmp( p, "output_file" ) == 0 )
300             opt.output_file = q;
301         else if( strcmp( p, "subject_name" ) == 0 )
302         {
303             opt.subject_name = q;
304         }
305         else if( strcmp( p, "issuer_name" ) == 0 )
306         {
307             opt.issuer_name = q;
308         }
309         else if( strcmp( p, "not_before" ) == 0 )
310         {
311             opt.not_before = q;
312         }
313         else if( strcmp( p, "not_after" ) == 0 )
314         {
315             opt.not_after = q;
316         }
317         else if( strcmp( p, "serial" ) == 0 )
318         {
319             opt.serial = q;
320         }
321         else if( strcmp( p, "authority_identifier" ) == 0 )
322         {
323             opt.authority_identifier = atoi( q );
324             if( opt.authority_identifier != 0 &&
325                 opt.authority_identifier != 1 )
326             {
327                 mbedtls_printf( "Invalid argument for option %s\n", p );
328                 goto usage;
329             }
330         }
331         else if( strcmp( p, "subject_identifier" ) == 0 )
332         {
333             opt.subject_identifier = atoi( q );
334             if( opt.subject_identifier != 0 &&
335                 opt.subject_identifier != 1 )
336             {
337                 mbedtls_printf( "Invalid argument for option %s\n", p );
338                 goto usage;
339             }
340         }
341         else if( strcmp( p, "basic_constraints" ) == 0 )
342         {
343             opt.basic_constraints = atoi( q );
344             if( opt.basic_constraints != 0 &&
345                 opt.basic_constraints != 1 )
346             {
347                 mbedtls_printf( "Invalid argument for option %s\n", p );
348                 goto usage;
349             }
350         }
351         else if( strcmp( p, "md" ) == 0 )
352         {
353             const mbedtls_md_info_t *md_info =
354                 mbedtls_md_info_from_string( q );
355             if( md_info == NULL )
356             {
357                 mbedtls_printf( "Invalid argument for option %s\n", p );
358                 goto usage;
359             }
360             opt.md = mbedtls_md_get_type( md_info );
361         }
362         else if( strcmp( p, "version" ) == 0 )
363         {
364             opt.version = atoi( q );
365             if( opt.version < 1 || opt.version > 3 )
366             {
367                 mbedtls_printf( "Invalid argument for option %s\n", p );
368                 goto usage;
369             }
370             opt.version--;
371         }
372         else if( strcmp( p, "selfsign" ) == 0 )
373         {
374             opt.selfsign = atoi( q );
375             if( opt.selfsign < 0 || opt.selfsign > 1 )
376             {
377                 mbedtls_printf( "Invalid argument for option %s\n", p );
378                 goto usage;
379             }
380         }
381         else if( strcmp( p, "is_ca" ) == 0 )
382         {
383             opt.is_ca = atoi( q );
384             if( opt.is_ca < 0 || opt.is_ca > 1 )
385             {
386                 mbedtls_printf( "Invalid argument for option %s\n", p );
387                 goto usage;
388             }
389         }
390         else if( strcmp( p, "max_pathlen" ) == 0 )
391         {
392             opt.max_pathlen = atoi( q );
393             if( opt.max_pathlen < -1 || opt.max_pathlen > 127 )
394             {
395                 mbedtls_printf( "Invalid argument for option %s\n", p );
396                 goto usage;
397             }
398         }
399         else if( strcmp( p, "key_usage" ) == 0 )
400         {
401             while( q != NULL )
402             {
403                 if( ( r = strchr( q, ',' ) ) != NULL )
404                     *r++ = '\0';
405 
406                 if( strcmp( q, "digital_signature" ) == 0 )
407                     opt.key_usage |= MBEDTLS_X509_KU_DIGITAL_SIGNATURE;
408                 else if( strcmp( q, "non_repudiation" ) == 0 )
409                     opt.key_usage |= MBEDTLS_X509_KU_NON_REPUDIATION;
410                 else if( strcmp( q, "key_encipherment" ) == 0 )
411                     opt.key_usage |= MBEDTLS_X509_KU_KEY_ENCIPHERMENT;
412                 else if( strcmp( q, "data_encipherment" ) == 0 )
413                     opt.key_usage |= MBEDTLS_X509_KU_DATA_ENCIPHERMENT;
414                 else if( strcmp( q, "key_agreement" ) == 0 )
415                     opt.key_usage |= MBEDTLS_X509_KU_KEY_AGREEMENT;
416                 else if( strcmp( q, "key_cert_sign" ) == 0 )
417                     opt.key_usage |= MBEDTLS_X509_KU_KEY_CERT_SIGN;
418                 else if( strcmp( q, "crl_sign" ) == 0 )
419                     opt.key_usage |= MBEDTLS_X509_KU_CRL_SIGN;
420                 else
421                 {
422                     mbedtls_printf( "Invalid argument for option %s\n", p );
423                     goto usage;
424                 }
425 
426                 q = r;
427             }
428         }
429         else if( strcmp( p, "ns_cert_type" ) == 0 )
430         {
431             while( q != NULL )
432             {
433                 if( ( r = strchr( q, ',' ) ) != NULL )
434                     *r++ = '\0';
435 
436                 if( strcmp( q, "ssl_client" ) == 0 )
437                     opt.ns_cert_type |= MBEDTLS_X509_NS_CERT_TYPE_SSL_CLIENT;
438                 else if( strcmp( q, "ssl_server" ) == 0 )
439                     opt.ns_cert_type |= MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER;
440                 else if( strcmp( q, "email" ) == 0 )
441                     opt.ns_cert_type |= MBEDTLS_X509_NS_CERT_TYPE_EMAIL;
442                 else if( strcmp( q, "object_signing" ) == 0 )
443                     opt.ns_cert_type |= MBEDTLS_X509_NS_CERT_TYPE_OBJECT_SIGNING;
444                 else if( strcmp( q, "ssl_ca" ) == 0 )
445                     opt.ns_cert_type |= MBEDTLS_X509_NS_CERT_TYPE_SSL_CA;
446                 else if( strcmp( q, "email_ca" ) == 0 )
447                     opt.ns_cert_type |= MBEDTLS_X509_NS_CERT_TYPE_EMAIL_CA;
448                 else if( strcmp( q, "object_signing_ca" ) == 0 )
449                     opt.ns_cert_type |= MBEDTLS_X509_NS_CERT_TYPE_OBJECT_SIGNING_CA;
450                 else
451                 {
452                     mbedtls_printf( "Invalid argument for option %s\n", p );
453                     goto usage;
454                 }
455 
456                 q = r;
457             }
458         }
459         else
460             goto usage;
461     }
462 
463     mbedtls_printf("\n");
464 
465     /*
466      * 0. Seed the PRNG
467      */
468     mbedtls_printf( "  . Seeding the random number generator..." );
469     fflush( stdout );
470 
471     if( ( ret = mbedtls_ctr_drbg_seed( &ctr_drbg, mbedtls_entropy_func, &entropy,
472                                (const unsigned char *) pers,
473                                strlen( pers ) ) ) != 0 )
474     {
475         mbedtls_strerror( ret, buf, 1024 );
476         mbedtls_printf( " failed\n  !  mbedtls_ctr_drbg_seed returned %d - %s\n",
477                         ret, buf );
478         goto exit;
479     }
480 
481     mbedtls_printf( " ok\n" );
482 
483     // Parse serial to MPI
484     //
485     mbedtls_printf( "  . Reading serial number..." );
486     fflush( stdout );
487 
488     if( ( ret = mbedtls_mpi_read_string( &serial, 10, opt.serial ) ) != 0 )
489     {
490         mbedtls_strerror( ret, buf, 1024 );
491         mbedtls_printf( " failed\n  !  mbedtls_mpi_read_string "
492                         "returned -0x%04x - %s\n\n", (unsigned int) -ret, buf );
493         goto exit;
494     }
495 
496     mbedtls_printf( " ok\n" );
497 
498     // Parse issuer certificate if present
499     //
500     if( !opt.selfsign && strlen( opt.issuer_crt ) )
501     {
502         /*
503          * 1.0.a. Load the certificates
504          */
505         mbedtls_printf( "  . Loading the issuer certificate ..." );
506         fflush( stdout );
507 
508         if( ( ret = mbedtls_x509_crt_parse_file( &issuer_crt, opt.issuer_crt ) ) != 0 )
509         {
510             mbedtls_strerror( ret, buf, 1024 );
511             mbedtls_printf( " failed\n  !  mbedtls_x509_crt_parse_file "
512                             "returned -0x%04x - %s\n\n", (unsigned int) -ret, buf );
513             goto exit;
514         }
515 
516         ret = mbedtls_x509_dn_gets( issuer_name, sizeof(issuer_name),
517                                  &issuer_crt.subject );
518         if( ret < 0 )
519         {
520             mbedtls_strerror( ret, buf, 1024 );
521             mbedtls_printf( " failed\n  !  mbedtls_x509_dn_gets "
522                             "returned -0x%04x - %s\n\n", (unsigned int) -ret, buf );
523             goto exit;
524         }
525 
526         opt.issuer_name = issuer_name;
527 
528         mbedtls_printf( " ok\n" );
529     }
530 
531 #if defined(MBEDTLS_X509_CSR_PARSE_C)
532     // Parse certificate request if present
533     //
534     if( !opt.selfsign && strlen( opt.request_file ) )
535     {
536         /*
537          * 1.0.b. Load the CSR
538          */
539         mbedtls_printf( "  . Loading the certificate request ..." );
540         fflush( stdout );
541 
542         if( ( ret = mbedtls_x509_csr_parse_file( &csr, opt.request_file ) ) != 0 )
543         {
544             mbedtls_strerror( ret, buf, 1024 );
545             mbedtls_printf( " failed\n  !  mbedtls_x509_csr_parse_file "
546                             "returned -0x%04x - %s\n\n", (unsigned int) -ret, buf );
547             goto exit;
548         }
549 
550         ret = mbedtls_x509_dn_gets( subject_name, sizeof(subject_name),
551                                  &csr.subject );
552         if( ret < 0 )
553         {
554             mbedtls_strerror( ret, buf, 1024 );
555             mbedtls_printf( " failed\n  !  mbedtls_x509_dn_gets "
556                             "returned -0x%04x - %s\n\n", (unsigned int) -ret, buf );
557             goto exit;
558         }
559 
560         opt.subject_name = subject_name;
561         subject_key = &csr.pk;
562 
563         mbedtls_printf( " ok\n" );
564     }
565 #endif /* MBEDTLS_X509_CSR_PARSE_C */
566 
567     /*
568      * 1.1. Load the keys
569      */
570     if( !opt.selfsign && !strlen( opt.request_file ) )
571     {
572         mbedtls_printf( "  . Loading the subject key ..." );
573         fflush( stdout );
574 
575         ret = mbedtls_pk_parse_keyfile( &loaded_subject_key, opt.subject_key,
576                 opt.subject_pwd, mbedtls_ctr_drbg_random, &ctr_drbg );
577         if( ret != 0 )
578         {
579             mbedtls_strerror( ret, buf, 1024 );
580             mbedtls_printf( " failed\n  !  mbedtls_pk_parse_keyfile "
581                             "returned -0x%04x - %s\n\n", (unsigned int) -ret, buf );
582             goto exit;
583         }
584 
585         mbedtls_printf( " ok\n" );
586     }
587 
588     mbedtls_printf( "  . Loading the issuer key ..." );
589     fflush( stdout );
590 
591     ret = mbedtls_pk_parse_keyfile( &loaded_issuer_key, opt.issuer_key,
592             opt.issuer_pwd, mbedtls_ctr_drbg_random, &ctr_drbg );
593     if( ret != 0 )
594     {
595         mbedtls_strerror( ret, buf, 1024 );
596         mbedtls_printf( " failed\n  !  mbedtls_pk_parse_keyfile "
597                         "returned -x%02x - %s\n\n", (unsigned int) -ret, buf );
598         goto exit;
599     }
600 
601     // Check if key and issuer certificate match
602     //
603     if( strlen( opt.issuer_crt ) )
604     {
605         if( mbedtls_pk_check_pair( &issuer_crt.pk, issuer_key,
606                                    mbedtls_ctr_drbg_random, &ctr_drbg ) != 0 )
607         {
608             mbedtls_printf( " failed\n  !  issuer_key does not match "
609                             "issuer certificate\n\n" );
610             goto exit;
611         }
612     }
613 
614     mbedtls_printf( " ok\n" );
615 
616     if( opt.selfsign )
617     {
618         opt.subject_name = opt.issuer_name;
619         subject_key = issuer_key;
620     }
621 
622     mbedtls_x509write_crt_set_subject_key( &crt, subject_key );
623     mbedtls_x509write_crt_set_issuer_key( &crt, issuer_key );
624 
625     /*
626      * 1.0. Check the names for validity
627      */
628     if( ( ret = mbedtls_x509write_crt_set_subject_name( &crt, opt.subject_name ) ) != 0 )
629     {
630         mbedtls_strerror( ret, buf, 1024 );
631         mbedtls_printf( " failed\n  !  mbedtls_x509write_crt_set_subject_name "
632                         "returned -0x%04x - %s\n\n", (unsigned int) -ret, buf );
633         goto exit;
634     }
635 
636     if( ( ret = mbedtls_x509write_crt_set_issuer_name( &crt, opt.issuer_name ) ) != 0 )
637     {
638         mbedtls_strerror( ret, buf, 1024 );
639         mbedtls_printf( " failed\n  !  mbedtls_x509write_crt_set_issuer_name "
640                         "returned -0x%04x - %s\n\n", (unsigned int) -ret, buf );
641         goto exit;
642     }
643 
644     mbedtls_printf( "  . Setting certificate values ..." );
645     fflush( stdout );
646 
647     mbedtls_x509write_crt_set_version( &crt, opt.version );
648     mbedtls_x509write_crt_set_md_alg( &crt, opt.md );
649 
650     ret = mbedtls_x509write_crt_set_serial( &crt, &serial );
651     if( ret != 0 )
652     {
653         mbedtls_strerror( ret, buf, 1024 );
654         mbedtls_printf( " failed\n  !  mbedtls_x509write_crt_set_serial "
655                         "returned -0x%04x - %s\n\n", (unsigned int) -ret, buf );
656         goto exit;
657     }
658 
659     ret = mbedtls_x509write_crt_set_validity( &crt, opt.not_before, opt.not_after );
660     if( ret != 0 )
661     {
662         mbedtls_strerror( ret, buf, 1024 );
663         mbedtls_printf( " failed\n  !  mbedtls_x509write_crt_set_validity "
664                         "returned -0x%04x - %s\n\n", (unsigned int) -ret, buf );
665         goto exit;
666     }
667 
668     mbedtls_printf( " ok\n" );
669 
670     if( opt.version == MBEDTLS_X509_CRT_VERSION_3 &&
671         opt.basic_constraints != 0 )
672     {
673         mbedtls_printf( "  . Adding the Basic Constraints extension ..." );
674         fflush( stdout );
675 
676         ret = mbedtls_x509write_crt_set_basic_constraints( &crt, opt.is_ca,
677                                                            opt.max_pathlen );
678         if( ret != 0 )
679         {
680             mbedtls_strerror( ret, buf, 1024 );
681             mbedtls_printf( " failed\n  !  x509write_crt_set_basic_contraints "
682                             "returned -0x%04x - %s\n\n", (unsigned int) -ret, buf );
683             goto exit;
684         }
685 
686         mbedtls_printf( " ok\n" );
687     }
688 
689 #if defined(MBEDTLS_SHA1_C)
690     if( opt.version == MBEDTLS_X509_CRT_VERSION_3 &&
691         opt.subject_identifier != 0 )
692     {
693         mbedtls_printf( "  . Adding the Subject Key Identifier ..." );
694         fflush( stdout );
695 
696         ret = mbedtls_x509write_crt_set_subject_key_identifier( &crt );
697         if( ret != 0 )
698         {
699             mbedtls_strerror( ret, buf, 1024 );
700             mbedtls_printf( " failed\n  !  mbedtls_x509write_crt_set_subject"
701                             "_key_identifier returned -0x%04x - %s\n\n",
702                             (unsigned int) -ret, buf );
703             goto exit;
704         }
705 
706         mbedtls_printf( " ok\n" );
707     }
708 
709     if( opt.version == MBEDTLS_X509_CRT_VERSION_3 &&
710         opt.authority_identifier != 0 )
711     {
712         mbedtls_printf( "  . Adding the Authority Key Identifier ..." );
713         fflush( stdout );
714 
715         ret = mbedtls_x509write_crt_set_authority_key_identifier( &crt );
716         if( ret != 0 )
717         {
718             mbedtls_strerror( ret, buf, 1024 );
719             mbedtls_printf( " failed\n  !  mbedtls_x509write_crt_set_authority_"
720                             "key_identifier returned -0x%04x - %s\n\n",
721                             (unsigned int) -ret, buf );
722             goto exit;
723         }
724 
725         mbedtls_printf( " ok\n" );
726     }
727 #endif /* MBEDTLS_SHA1_C */
728 
729     if( opt.version == MBEDTLS_X509_CRT_VERSION_3 &&
730         opt.key_usage != 0 )
731     {
732         mbedtls_printf( "  . Adding the Key Usage extension ..." );
733         fflush( stdout );
734 
735         ret = mbedtls_x509write_crt_set_key_usage( &crt, opt.key_usage );
736         if( ret != 0 )
737         {
738             mbedtls_strerror( ret, buf, 1024 );
739             mbedtls_printf( " failed\n  !  mbedtls_x509write_crt_set_key_usage "
740                             "returned -0x%04x - %s\n\n", (unsigned int) -ret, buf );
741             goto exit;
742         }
743 
744         mbedtls_printf( " ok\n" );
745     }
746 
747     if( opt.version == MBEDTLS_X509_CRT_VERSION_3 &&
748         opt.ns_cert_type != 0 )
749     {
750         mbedtls_printf( "  . Adding the NS Cert Type extension ..." );
751         fflush( stdout );
752 
753         ret = mbedtls_x509write_crt_set_ns_cert_type( &crt, opt.ns_cert_type );
754         if( ret != 0 )
755         {
756             mbedtls_strerror( ret, buf, 1024 );
757             mbedtls_printf( " failed\n  !  mbedtls_x509write_crt_set_ns_cert_type "
758                             "returned -0x%04x - %s\n\n", (unsigned int) -ret, buf );
759             goto exit;
760         }
761 
762         mbedtls_printf( " ok\n" );
763     }
764 
765     /*
766      * 1.2. Writing the certificate
767      */
768     mbedtls_printf( "  . Writing the certificate..." );
769     fflush( stdout );
770 
771     if( ( ret = write_certificate( &crt, opt.output_file,
772                                    mbedtls_ctr_drbg_random, &ctr_drbg ) ) != 0 )
773     {
774         mbedtls_strerror( ret, buf, 1024 );
775         mbedtls_printf( " failed\n  !  write_certificate -0x%04x - %s\n\n",
776                         (unsigned int) -ret, buf );
777         goto exit;
778     }
779 
780     mbedtls_printf( " ok\n" );
781 
782     exit_code = MBEDTLS_EXIT_SUCCESS;
783 
784 exit:
785 #if defined(MBEDTLS_X509_CSR_PARSE_C)
786     mbedtls_x509_csr_free( &csr );
787 #endif /* MBEDTLS_X509_CSR_PARSE_C */
788     mbedtls_x509_crt_free( &issuer_crt );
789     mbedtls_x509write_crt_free( &crt );
790     mbedtls_pk_free( &loaded_subject_key );
791     mbedtls_pk_free( &loaded_issuer_key );
792     mbedtls_mpi_free( &serial );
793     mbedtls_ctr_drbg_free( &ctr_drbg );
794     mbedtls_entropy_free( &entropy );
795 
796 #if defined(_WIN32)
797     mbedtls_printf( "  + Press Enter to exit this program.\n" );
798     fflush( stdout ); getchar();
799 #endif
800 
801     mbedtls_exit( exit_code );
802 }
803 #endif /* MBEDTLS_X509_CRT_WRITE_C && MBEDTLS_X509_CRT_PARSE_C &&
804           MBEDTLS_FS_IO && MBEDTLS_ENTROPY_C && MBEDTLS_CTR_DRBG_C &&
805           MBEDTLS_ERROR_C && MBEDTLS_PEM_WRITE_C */
806