1 /*
2 * Copyright 2014-2022 The GmSSL Project. All Rights Reserved.
3 *
4 * Licensed under the Apache License, Version 2.0 (the License); you may
5 * not use this file except in compliance with the License.
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 */
9
10
11 #include <stdio.h>
12 #include <errno.h>
13 #include <string.h>
14 #include <stdlib.h>
15 #include <gmssl/mem.h>
16 #include <gmssl/rand.h>
17 #include <gmssl/pkcs8.h>
18 #include <gmssl/error.h>
19 #include <gmssl/x509.h>
20 #include <gmssl/x509_ext.h>
21
22
23 static const char *options =
24 "[-C str] [-ST str] [-L str] [-O str] [-OU str] -CN str -days num "
25 "-key file [-pass pass] "
26 "[-key_usage str]* [-out file]";
27
28
ext_key_usage_set(int * usages,const char * usage_name)29 static int ext_key_usage_set(int *usages, const char *usage_name)
30 {
31 int flag;
32 if (x509_key_usage_from_name(&flag, usage_name) != 1) {
33 error_print();
34 return -1;
35 }
36 *usages |= flag;
37 return 1;
38 }
39
certgen_main(int argc,char ** argv)40 int certgen_main(int argc, char **argv)
41 {
42 int ret = 1;
43 char *prog = argv[0];
44 char *country = NULL;
45 char *state = NULL;
46 char *locality = NULL;
47 char *org = NULL;
48 char *org_unit = NULL;
49 char *common_name = NULL;
50 int days = 0;
51 int key_usage = 0;
52 char *keyfile = NULL;
53 char *pass = NULL;
54 char *outfile = NULL;
55
56 uint8_t serial[12];
57 uint8_t name[256];
58 size_t namelen;
59 time_t not_before;
60 time_t not_after;
61 uint8_t uniq_id[32];
62 uint8_t exts[512];
63 size_t extslen = 0;
64 FILE *keyfp = NULL;
65 SM2_KEY sm2_key;
66 uint8_t cert[1024];
67 size_t certlen;
68 FILE *outfp = stdout;
69
70 argc--;
71 argv++;
72
73 if (argc < 1) {
74 fprintf(stderr, "usage: %s %s\n", prog, options);
75 return 1;
76 }
77
78 while (argc > 0) {
79 if (!strcmp(*argv, "-help")) {
80 printf("usage: %s %s\n", prog, options);
81 ret = 0;
82 goto end;
83 } else if (!strcmp(*argv, "-CN")) {
84 if (--argc < 1) goto bad;
85 common_name = *(++argv);
86 } else if (!strcmp(*argv, "-O")) {
87 if (--argc < 1) goto bad;
88 org = *(++argv);
89 } else if (!strcmp(*argv, "-OU")) {
90 if (--argc < 1) goto bad;
91 org_unit = *(++argv);
92 } else if (!strcmp(*argv, "-C")) {
93 if (--argc < 1) goto bad;
94 country = *(++argv);
95 } else if (!strcmp(*argv, "-ST")) {
96 if (--argc < 1) goto bad;
97 state = *(++argv);
98 } else if (!strcmp(*argv, "-L")) {
99 if (--argc < 1) goto bad;
100 locality = *(++argv);
101 } else if (!strcmp(*argv, "-days")) {
102 if (--argc < 1) goto bad;
103 days = atoi(*(++argv));
104 if (days <= 0) {
105 fprintf(stderr, "%s: invalid '-days' value\n", prog);
106 goto end;
107 }
108 } else if (!strcmp(*argv, "-key_usage")) {
109 char *usage;
110 if (--argc < 1) goto bad;
111 usage = *(++argv);
112 if (ext_key_usage_set(&key_usage, usage) != 1) {
113 fprintf(stderr, "%s: invalid -key_usage value '%s'\n", prog, usage);
114 goto end;
115 }
116 } else if (!strcmp(*argv, "-key")) {
117 if (--argc < 1) goto bad;
118 keyfile = *(++argv);
119 if (!(keyfp = fopen(keyfile, "r"))) {
120 fprintf(stderr, "%s: open '%s' failure : %s\n", prog, keyfile, strerror(errno));
121 goto end;
122 }
123 } else if (!strcmp(*argv, "-pass")) {
124 if (--argc < 1) goto bad;
125 pass = *(++argv);
126 } else if (!strcmp(*argv, "-out")) {
127 if (--argc < 1) goto bad;
128 outfile = *(++argv);
129 if (!(outfp = fopen(outfile, "w"))) {
130 fprintf(stderr, "%s: open '%s' failure : %s\n", prog, outfile, strerror(errno));
131 goto end;
132 }
133 } else {
134 fprintf(stderr, "%s: illegal option '%s'\n", prog, *argv);
135 goto end;
136 bad:
137 fprintf(stderr, "%s: '%s' option value missing\n", prog, *argv);
138 goto end;
139 }
140
141 argc--;
142 argv++;
143 }
144
145 if (!common_name) {
146 fprintf(stderr, "%s: '-CN' option required\n", prog);
147 goto end;
148 }
149 if (!days) {
150 fprintf(stderr, "%s: '-days' option required\n", prog);
151 goto end;
152 }
153 if (!keyfile) {
154 fprintf(stderr, "%s: '-key' option required\n", prog);
155 goto end;
156 }
157 if (!pass) {
158 fprintf(stderr, "%s: '-pass' option required\n", prog);
159 goto end;
160 }
161 if (!key_usage) {
162 fprintf(stderr, "%s: '-key_usage' option required\n", prog);
163 goto end;
164 }
165
166 if (sm2_private_key_info_decrypt_from_pem(&sm2_key, pass, keyfp) != 1) {
167 fprintf(stderr, "%s: load private key failed\n", prog);
168 goto end;
169 }
170
171 if (x509_exts_add_key_usage(exts, &extslen, sizeof(exts), 1, key_usage) != 1
172 || x509_exts_add_basic_constraints(exts, &extslen, sizeof(exts), 1, 1, -1) != 1
173 || x509_exts_add_default_authority_key_identifier(exts, &extslen, sizeof(exts), &sm2_key) != 1) {
174 fprintf(stderr, "%s: inner error\n", prog);
175 goto end;
176 }
177
178 time(¬_before);
179 if (rand_bytes(serial, sizeof(serial)) != 1
180 || x509_name_set(name, &namelen, sizeof(name),
181 country, state, locality, org, org_unit, common_name) != 1
182 || x509_validity_add_days(¬_after, not_before, days) != 1
183 || x509_cert_sign(
184 cert, &certlen, sizeof(cert),
185 X509_version_v3,
186 serial, sizeof(serial),
187 OID_sm2sign_with_sm3,
188 name, namelen,
189 not_before, not_after,
190 name, namelen,
191 &sm2_key,
192 NULL, 0,
193 NULL, 0,
194 exts, extslen,
195 &sm2_key, SM2_DEFAULT_ID, strlen(SM2_DEFAULT_ID)) != 1) {
196 fprintf(stderr, "%s: inner error\n", prog);
197 goto end;
198 }
199 if (x509_cert_to_pem(cert, certlen, outfp) != 1) {
200 fprintf(stderr, "%s: output certificate failed\n", prog);
201 goto end;
202 }
203 ret = 0;
204
205 end:
206 gmssl_secure_clear(&sm2_key, sizeof(SM2_KEY));
207 if (keyfp) fclose(keyfp);
208 if (outfile && outfp) fclose(outfp);
209 return ret;
210 }
211