1 /*
2 * Certificate generation and signing
3 *
4 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 *
19 * This file is part of mbed TLS (https://tls.mbed.org)
20 */
21
22 #if !defined(MBEDTLS_CONFIG_FILE)
23 #include "mbedtls/config.h"
24 #else
25 #include MBEDTLS_CONFIG_FILE
26 #endif
27
28 #if defined(MBEDTLS_PLATFORM_C)
29 #include "mbedtls/platform.h"
30 #else
31 #include <stdio.h>
32 #include <stdlib.h>
33 #define mbedtls_printf printf
34 #define mbedtls_exit exit
35 #define MBEDTLS_EXIT_SUCCESS EXIT_SUCCESS
36 #define MBEDTLS_EXIT_FAILURE EXIT_FAILURE
37 #endif /* MBEDTLS_PLATFORM_C */
38
39 #if !defined(MBEDTLS_X509_CRT_WRITE_C) || \
40 !defined(MBEDTLS_X509_CRT_PARSE_C) || !defined(MBEDTLS_FS_IO) || \
41 !defined(MBEDTLS_ENTROPY_C) || !defined(MBEDTLS_CTR_DRBG_C) || \
42 !defined(MBEDTLS_ERROR_C) || !defined(MBEDTLS_SHA256_C) || \
43 !defined(MBEDTLS_PEM_WRITE_C)
main(void)44 int main( void )
45 {
46 mbedtls_printf( "MBEDTLS_X509_CRT_WRITE_C and/or MBEDTLS_X509_CRT_PARSE_C and/or "
47 "MBEDTLS_FS_IO and/or MBEDTLS_SHA256_C and/or "
48 "MBEDTLS_ENTROPY_C and/or MBEDTLS_CTR_DRBG_C and/or "
49 "MBEDTLS_ERROR_C not defined.\n");
50 return( 0 );
51 }
52 #else
53
54 #include "mbedtls/x509_crt.h"
55 #include "mbedtls/x509_csr.h"
56 #include "mbedtls/entropy.h"
57 #include "mbedtls/ctr_drbg.h"
58 #include "mbedtls/md.h"
59 #include "mbedtls/error.h"
60
61 #include <stdio.h>
62 #include <stdlib.h>
63 #include <string.h>
64
65 #if defined(MBEDTLS_X509_CSR_PARSE_C)
66 #define USAGE_CSR \
67 " request_file=%%s default: (empty)\n" \
68 " If request_file is specified, subject_key,\n" \
69 " subject_pwd and subject_name are ignored!\n"
70 #else
71 #define USAGE_CSR ""
72 #endif /* MBEDTLS_X509_CSR_PARSE_C */
73
74 #define DFL_ISSUER_CRT ""
75 #define DFL_REQUEST_FILE ""
76 #define DFL_SUBJECT_KEY "subject.key"
77 #define DFL_ISSUER_KEY "ca.key"
78 #define DFL_SUBJECT_PWD ""
79 #define DFL_ISSUER_PWD ""
80 #define DFL_OUTPUT_FILENAME "cert.crt"
81 #define DFL_SUBJECT_NAME "CN=Cert,O=mbed TLS,C=UK"
82 #define DFL_ISSUER_NAME "CN=CA,O=mbed TLS,C=UK"
83 #define DFL_NOT_BEFORE "20010101000000"
84 #define DFL_NOT_AFTER "20301231235959"
85 #define DFL_SERIAL "1"
86 #define DFL_SELFSIGN 0
87 #define DFL_IS_CA 0
88 #define DFL_MAX_PATHLEN -1
89 #define DFL_KEY_USAGE 0
90 #define DFL_NS_CERT_TYPE 0
91 #define DFL_VERSION 3
92 #define DFL_AUTH_IDENT 1
93 #define DFL_SUBJ_IDENT 1
94 #define DFL_CONSTRAINTS 1
95 #define DFL_DIGEST MBEDTLS_MD_SHA256
96
97 #define USAGE \
98 "\n usage: cert_write param=<>...\n" \
99 "\n acceptable parameters:\n" \
100 USAGE_CSR \
101 " subject_key=%%s default: subject.key\n" \
102 " subject_pwd=%%s default: (empty)\n" \
103 " subject_name=%%s default: CN=Cert,O=mbed TLS,C=UK\n" \
104 "\n" \
105 " issuer_crt=%%s default: (empty)\n" \
106 " If issuer_crt is specified, issuer_name is\n" \
107 " ignored!\n" \
108 " issuer_name=%%s default: CN=CA,O=mbed TLS,C=UK\n" \
109 "\n" \
110 " selfsign=%%d default: 0 (false)\n" \
111 " If selfsign is enabled, issuer_name and\n" \
112 " issuer_key are required (issuer_crt and\n" \
113 " subject_* are ignored\n" \
114 " issuer_key=%%s default: ca.key\n" \
115 " issuer_pwd=%%s default: (empty)\n" \
116 " output_file=%%s default: cert.crt\n" \
117 " serial=%%s default: 1\n" \
118 " not_before=%%s default: 20010101000000\n"\
119 " not_after=%%s default: 20301231235959\n"\
120 " is_ca=%%d default: 0 (disabled)\n" \
121 " max_pathlen=%%d default: -1 (none)\n" \
122 " md=%%s default: SHA256\n" \
123 " Supported values:\n" \
124 " MD5, SHA1, SHA256, SHA512\n"\
125 " version=%%d default: 3\n" \
126 " Possible values: 1, 2, 3\n"\
127 " subject_identifier=%%s default: 1\n" \
128 " Possible values: 0, 1\n" \
129 " (Considered for v3 only)\n"\
130 " authority_identifier=%%s default: 1\n" \
131 " Possible values: 0, 1\n" \
132 " (Considered for v3 only)\n"\
133 " basic_constraints=%%d default: 1\n" \
134 " Possible values: 0, 1\n" \
135 " (Considered for v3 only)\n"\
136 " key_usage=%%s default: (empty)\n" \
137 " Comma-separated-list of values:\n" \
138 " digital_signature\n" \
139 " non_repudiation\n" \
140 " key_encipherment\n" \
141 " data_encipherment\n" \
142 " key_agreement\n" \
143 " key_cert_sign\n" \
144 " crl_sign\n" \
145 " (Considered for v3 only)\n"\
146 " ns_cert_type=%%s default: (empty)\n" \
147 " Comma-separated-list of values:\n" \
148 " ssl_client\n" \
149 " ssl_server\n" \
150 " email\n" \
151 " object_signing\n" \
152 " ssl_ca\n" \
153 " email_ca\n" \
154 " object_signing_ca\n" \
155 "\n"
156
157 #if defined(MBEDTLS_CHECK_PARAMS)
158 #define mbedtls_exit exit
mbedtls_param_failed(const char * failure_condition,const char * file,int line)159 void mbedtls_param_failed( const char *failure_condition,
160 const char *file,
161 int line )
162 {
163 mbedtls_printf( "%s:%i: Input param failed - %s\n",
164 file, line, failure_condition );
165 mbedtls_exit( MBEDTLS_EXIT_FAILURE );
166 }
167 #endif
168
169 /*
170 * global options
171 */
172 struct options
173 {
174 const char *issuer_crt; /* filename of the issuer certificate */
175 const char *request_file; /* filename of the certificate request */
176 const char *subject_key; /* filename of the subject key file */
177 const char *issuer_key; /* filename of the issuer key file */
178 const char *subject_pwd; /* password for the subject key file */
179 const char *issuer_pwd; /* password for the issuer key file */
180 const char *output_file; /* where to store the constructed CRT */
181 const char *subject_name; /* subject name for certificate */
182 const char *issuer_name; /* issuer name for certificate */
183 const char *not_before; /* validity period not before */
184 const char *not_after; /* validity period not after */
185 const char *serial; /* serial number string */
186 int selfsign; /* selfsign the certificate */
187 int is_ca; /* is a CA certificate */
188 int max_pathlen; /* maximum CA path length */
189 int authority_identifier; /* add authority identifier to CRT */
190 int subject_identifier; /* add subject identifier to CRT */
191 int basic_constraints; /* add basic constraints ext to CRT */
192 int version; /* CRT version */
193 mbedtls_md_type_t md; /* Hash used for signing */
194 unsigned char key_usage; /* key usage flags */
195 unsigned char ns_cert_type; /* NS cert type */
196 } opt;
197
write_certificate(mbedtls_x509write_cert * crt,const char * output_file,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)198 int write_certificate( mbedtls_x509write_cert *crt, const char *output_file,
199 int (*f_rng)(void *, unsigned char *, size_t),
200 void *p_rng )
201 {
202 int ret;
203 FILE *f;
204 unsigned char output_buf[4096];
205 size_t len = 0;
206
207 memset( output_buf, 0, 4096 );
208 if( ( ret = mbedtls_x509write_crt_pem( crt, output_buf, 4096,
209 f_rng, p_rng ) ) < 0 )
210 return( ret );
211
212 len = strlen( (char *) output_buf );
213
214 if( ( f = fopen( output_file, "w" ) ) == NULL )
215 return( -1 );
216
217 if( fwrite( output_buf, 1, len, f ) != len )
218 {
219 fclose( f );
220 return( -1 );
221 }
222
223 fclose( f );
224
225 return( 0 );
226 }
227
main(int argc,char * argv[])228 int main( int argc, char *argv[] )
229 {
230 int ret = 1;
231 int exit_code = MBEDTLS_EXIT_FAILURE;
232 mbedtls_x509_crt issuer_crt;
233 mbedtls_pk_context loaded_issuer_key, loaded_subject_key;
234 mbedtls_pk_context *issuer_key = &loaded_issuer_key,
235 *subject_key = &loaded_subject_key;
236 char buf[1024];
237 char issuer_name[256];
238 int i;
239 char *p, *q, *r;
240 #if defined(MBEDTLS_X509_CSR_PARSE_C)
241 char subject_name[256];
242 mbedtls_x509_csr csr;
243 #endif
244 mbedtls_x509write_cert crt;
245 mbedtls_mpi serial;
246 mbedtls_entropy_context entropy;
247 mbedtls_ctr_drbg_context ctr_drbg;
248 const char *pers = "crt example app";
249
250 /*
251 * Set to sane values
252 */
253 mbedtls_x509write_crt_init( &crt );
254 mbedtls_pk_init( &loaded_issuer_key );
255 mbedtls_pk_init( &loaded_subject_key );
256 mbedtls_mpi_init( &serial );
257 mbedtls_ctr_drbg_init( &ctr_drbg );
258 mbedtls_entropy_init( &entropy );
259 #if defined(MBEDTLS_X509_CSR_PARSE_C)
260 mbedtls_x509_csr_init( &csr );
261 #endif
262 mbedtls_x509_crt_init( &issuer_crt );
263 memset( buf, 0, 1024 );
264
265 if( argc == 0 )
266 {
267 usage:
268 mbedtls_printf( USAGE );
269 goto exit;
270 }
271
272 opt.issuer_crt = DFL_ISSUER_CRT;
273 opt.request_file = DFL_REQUEST_FILE;
274 opt.subject_key = DFL_SUBJECT_KEY;
275 opt.issuer_key = DFL_ISSUER_KEY;
276 opt.subject_pwd = DFL_SUBJECT_PWD;
277 opt.issuer_pwd = DFL_ISSUER_PWD;
278 opt.output_file = DFL_OUTPUT_FILENAME;
279 opt.subject_name = DFL_SUBJECT_NAME;
280 opt.issuer_name = DFL_ISSUER_NAME;
281 opt.not_before = DFL_NOT_BEFORE;
282 opt.not_after = DFL_NOT_AFTER;
283 opt.serial = DFL_SERIAL;
284 opt.selfsign = DFL_SELFSIGN;
285 opt.is_ca = DFL_IS_CA;
286 opt.max_pathlen = DFL_MAX_PATHLEN;
287 opt.key_usage = DFL_KEY_USAGE;
288 opt.ns_cert_type = DFL_NS_CERT_TYPE;
289 opt.version = DFL_VERSION - 1;
290 opt.md = DFL_DIGEST;
291 opt.subject_identifier = DFL_SUBJ_IDENT;
292 opt.authority_identifier = DFL_AUTH_IDENT;
293 opt.basic_constraints = DFL_CONSTRAINTS;
294
295 for( i = 1; i < argc; i++ )
296 {
297
298 p = argv[i];
299 if( ( q = strchr( p, '=' ) ) == NULL )
300 goto usage;
301 *q++ = '\0';
302
303 if( strcmp( p, "request_file" ) == 0 )
304 opt.request_file = q;
305 else if( strcmp( p, "subject_key" ) == 0 )
306 opt.subject_key = q;
307 else if( strcmp( p, "issuer_key" ) == 0 )
308 opt.issuer_key = q;
309 else if( strcmp( p, "subject_pwd" ) == 0 )
310 opt.subject_pwd = q;
311 else if( strcmp( p, "issuer_pwd" ) == 0 )
312 opt.issuer_pwd = q;
313 else if( strcmp( p, "issuer_crt" ) == 0 )
314 opt.issuer_crt = q;
315 else if( strcmp( p, "output_file" ) == 0 )
316 opt.output_file = q;
317 else if( strcmp( p, "subject_name" ) == 0 )
318 {
319 opt.subject_name = q;
320 }
321 else if( strcmp( p, "issuer_name" ) == 0 )
322 {
323 opt.issuer_name = q;
324 }
325 else if( strcmp( p, "not_before" ) == 0 )
326 {
327 opt.not_before = q;
328 }
329 else if( strcmp( p, "not_after" ) == 0 )
330 {
331 opt.not_after = q;
332 }
333 else if( strcmp( p, "serial" ) == 0 )
334 {
335 opt.serial = q;
336 }
337 else if( strcmp( p, "authority_identifier" ) == 0 )
338 {
339 opt.authority_identifier = atoi( q );
340 if( opt.authority_identifier != 0 &&
341 opt.authority_identifier != 1 )
342 {
343 mbedtls_printf( "Invalid argument for option %s\n", p );
344 goto usage;
345 }
346 }
347 else if( strcmp( p, "subject_identifier" ) == 0 )
348 {
349 opt.subject_identifier = atoi( q );
350 if( opt.subject_identifier != 0 &&
351 opt.subject_identifier != 1 )
352 {
353 mbedtls_printf( "Invalid argument for option %s\n", p );
354 goto usage;
355 }
356 }
357 else if( strcmp( p, "basic_constraints" ) == 0 )
358 {
359 opt.basic_constraints = atoi( q );
360 if( opt.basic_constraints != 0 &&
361 opt.basic_constraints != 1 )
362 {
363 mbedtls_printf( "Invalid argument for option %s\n", p );
364 goto usage;
365 }
366 }
367 else if( strcmp( p, "md" ) == 0 )
368 {
369 if( strcmp( q, "SHA1" ) == 0 )
370 opt.md = MBEDTLS_MD_SHA1;
371 else if( strcmp( q, "SHA256" ) == 0 )
372 opt.md = MBEDTLS_MD_SHA256;
373 else if( strcmp( q, "SHA512" ) == 0 )
374 opt.md = MBEDTLS_MD_SHA512;
375 else if( strcmp( q, "MD5" ) == 0 )
376 opt.md = MBEDTLS_MD_MD5;
377 else
378 {
379 mbedtls_printf( "Invalid argument for option %s\n", p );
380 goto usage;
381 }
382 }
383 else if( strcmp( p, "version" ) == 0 )
384 {
385 opt.version = atoi( q );
386 if( opt.version < 1 || opt.version > 3 )
387 {
388 mbedtls_printf( "Invalid argument for option %s\n", p );
389 goto usage;
390 }
391 opt.version--;
392 }
393 else if( strcmp( p, "selfsign" ) == 0 )
394 {
395 opt.selfsign = atoi( q );
396 if( opt.selfsign < 0 || opt.selfsign > 1 )
397 {
398 mbedtls_printf( "Invalid argument for option %s\n", p );
399 goto usage;
400 }
401 }
402 else if( strcmp( p, "is_ca" ) == 0 )
403 {
404 opt.is_ca = atoi( q );
405 if( opt.is_ca < 0 || opt.is_ca > 1 )
406 {
407 mbedtls_printf( "Invalid argument for option %s\n", p );
408 goto usage;
409 }
410 }
411 else if( strcmp( p, "max_pathlen" ) == 0 )
412 {
413 opt.max_pathlen = atoi( q );
414 if( opt.max_pathlen < -1 || opt.max_pathlen > 127 )
415 {
416 mbedtls_printf( "Invalid argument for option %s\n", p );
417 goto usage;
418 }
419 }
420 else if( strcmp( p, "key_usage" ) == 0 )
421 {
422 while( q != NULL )
423 {
424 if( ( r = strchr( q, ',' ) ) != NULL )
425 *r++ = '\0';
426
427 if( strcmp( q, "digital_signature" ) == 0 )
428 opt.key_usage |= MBEDTLS_X509_KU_DIGITAL_SIGNATURE;
429 else if( strcmp( q, "non_repudiation" ) == 0 )
430 opt.key_usage |= MBEDTLS_X509_KU_NON_REPUDIATION;
431 else if( strcmp( q, "key_encipherment" ) == 0 )
432 opt.key_usage |= MBEDTLS_X509_KU_KEY_ENCIPHERMENT;
433 else if( strcmp( q, "data_encipherment" ) == 0 )
434 opt.key_usage |= MBEDTLS_X509_KU_DATA_ENCIPHERMENT;
435 else if( strcmp( q, "key_agreement" ) == 0 )
436 opt.key_usage |= MBEDTLS_X509_KU_KEY_AGREEMENT;
437 else if( strcmp( q, "key_cert_sign" ) == 0 )
438 opt.key_usage |= MBEDTLS_X509_KU_KEY_CERT_SIGN;
439 else if( strcmp( q, "crl_sign" ) == 0 )
440 opt.key_usage |= MBEDTLS_X509_KU_CRL_SIGN;
441 else
442 {
443 mbedtls_printf( "Invalid argument for option %s\n", p );
444 goto usage;
445 }
446
447 q = r;
448 }
449 }
450 else if( strcmp( p, "ns_cert_type" ) == 0 )
451 {
452 while( q != NULL )
453 {
454 if( ( r = strchr( q, ',' ) ) != NULL )
455 *r++ = '\0';
456
457 if( strcmp( q, "ssl_client" ) == 0 )
458 opt.ns_cert_type |= MBEDTLS_X509_NS_CERT_TYPE_SSL_CLIENT;
459 else if( strcmp( q, "ssl_server" ) == 0 )
460 opt.ns_cert_type |= MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER;
461 else if( strcmp( q, "email" ) == 0 )
462 opt.ns_cert_type |= MBEDTLS_X509_NS_CERT_TYPE_EMAIL;
463 else if( strcmp( q, "object_signing" ) == 0 )
464 opt.ns_cert_type |= MBEDTLS_X509_NS_CERT_TYPE_OBJECT_SIGNING;
465 else if( strcmp( q, "ssl_ca" ) == 0 )
466 opt.ns_cert_type |= MBEDTLS_X509_NS_CERT_TYPE_SSL_CA;
467 else if( strcmp( q, "email_ca" ) == 0 )
468 opt.ns_cert_type |= MBEDTLS_X509_NS_CERT_TYPE_EMAIL_CA;
469 else if( strcmp( q, "object_signing_ca" ) == 0 )
470 opt.ns_cert_type |= MBEDTLS_X509_NS_CERT_TYPE_OBJECT_SIGNING_CA;
471 else
472 {
473 mbedtls_printf( "Invalid argument for option %s\n", p );
474 goto usage;
475 }
476
477 q = r;
478 }
479 }
480 else
481 goto usage;
482 }
483
484 mbedtls_printf("\n");
485
486 /*
487 * 0. Seed the PRNG
488 */
489 mbedtls_printf( " . Seeding the random number generator..." );
490 fflush( stdout );
491
492 if( ( ret = mbedtls_ctr_drbg_seed( &ctr_drbg, mbedtls_entropy_func, &entropy,
493 (const unsigned char *) pers,
494 strlen( pers ) ) ) != 0 )
495 {
496 mbedtls_strerror( ret, buf, 1024 );
497 mbedtls_printf( " failed\n ! mbedtls_ctr_drbg_seed returned %d - %s\n",
498 ret, buf );
499 goto exit;
500 }
501
502 mbedtls_printf( " ok\n" );
503
504 // Parse serial to MPI
505 //
506 mbedtls_printf( " . Reading serial number..." );
507 fflush( stdout );
508
509 if( ( ret = mbedtls_mpi_read_string( &serial, 10, opt.serial ) ) != 0 )
510 {
511 mbedtls_strerror( ret, buf, 1024 );
512 mbedtls_printf( " failed\n ! mbedtls_mpi_read_string "
513 "returned -0x%04x - %s\n\n", -ret, buf );
514 goto exit;
515 }
516
517 mbedtls_printf( " ok\n" );
518
519 // Parse issuer certificate if present
520 //
521 if( !opt.selfsign && strlen( opt.issuer_crt ) )
522 {
523 /*
524 * 1.0.a. Load the certificates
525 */
526 mbedtls_printf( " . Loading the issuer certificate ..." );
527 fflush( stdout );
528
529 if( ( ret = mbedtls_x509_crt_parse_file( &issuer_crt, opt.issuer_crt ) ) != 0 )
530 {
531 mbedtls_strerror( ret, buf, 1024 );
532 mbedtls_printf( " failed\n ! mbedtls_x509_crt_parse_file "
533 "returned -0x%04x - %s\n\n", -ret, buf );
534 goto exit;
535 }
536
537 ret = mbedtls_x509_dn_gets( issuer_name, sizeof(issuer_name),
538 &issuer_crt.subject );
539 if( ret < 0 )
540 {
541 mbedtls_strerror( ret, buf, 1024 );
542 mbedtls_printf( " failed\n ! mbedtls_x509_dn_gets "
543 "returned -0x%04x - %s\n\n", -ret, buf );
544 goto exit;
545 }
546
547 opt.issuer_name = issuer_name;
548
549 mbedtls_printf( " ok\n" );
550 }
551
552 #if defined(MBEDTLS_X509_CSR_PARSE_C)
553 // Parse certificate request if present
554 //
555 if( !opt.selfsign && strlen( opt.request_file ) )
556 {
557 /*
558 * 1.0.b. Load the CSR
559 */
560 mbedtls_printf( " . Loading the certificate request ..." );
561 fflush( stdout );
562
563 if( ( ret = mbedtls_x509_csr_parse_file( &csr, opt.request_file ) ) != 0 )
564 {
565 mbedtls_strerror( ret, buf, 1024 );
566 mbedtls_printf( " failed\n ! mbedtls_x509_csr_parse_file "
567 "returned -0x%04x - %s\n\n", -ret, buf );
568 goto exit;
569 }
570
571 ret = mbedtls_x509_dn_gets( subject_name, sizeof(subject_name),
572 &csr.subject );
573 if( ret < 0 )
574 {
575 mbedtls_strerror( ret, buf, 1024 );
576 mbedtls_printf( " failed\n ! mbedtls_x509_dn_gets "
577 "returned -0x%04x - %s\n\n", -ret, buf );
578 goto exit;
579 }
580
581 opt.subject_name = subject_name;
582 subject_key = &csr.pk;
583
584 mbedtls_printf( " ok\n" );
585 }
586 #endif /* MBEDTLS_X509_CSR_PARSE_C */
587
588 /*
589 * 1.1. Load the keys
590 */
591 if( !opt.selfsign && !strlen( opt.request_file ) )
592 {
593 mbedtls_printf( " . Loading the subject key ..." );
594 fflush( stdout );
595
596 ret = mbedtls_pk_parse_keyfile( &loaded_subject_key, opt.subject_key,
597 opt.subject_pwd );
598 if( ret != 0 )
599 {
600 mbedtls_strerror( ret, buf, 1024 );
601 mbedtls_printf( " failed\n ! mbedtls_pk_parse_keyfile "
602 "returned -0x%04x - %s\n\n", -ret, buf );
603 goto exit;
604 }
605
606 mbedtls_printf( " ok\n" );
607 }
608
609 mbedtls_printf( " . Loading the issuer key ..." );
610 fflush( stdout );
611
612 ret = mbedtls_pk_parse_keyfile( &loaded_issuer_key, opt.issuer_key,
613 opt.issuer_pwd );
614 if( ret != 0 )
615 {
616 mbedtls_strerror( ret, buf, 1024 );
617 mbedtls_printf( " failed\n ! mbedtls_pk_parse_keyfile "
618 "returned -x%02x - %s\n\n", -ret, buf );
619 goto exit;
620 }
621
622 // Check if key and issuer certificate match
623 //
624 if( strlen( opt.issuer_crt ) )
625 {
626 if( mbedtls_pk_check_pair( &issuer_crt.pk, issuer_key ) != 0 )
627 {
628 mbedtls_printf( " failed\n ! issuer_key does not match "
629 "issuer certificate\n\n" );
630 goto exit;
631 }
632 }
633
634 mbedtls_printf( " ok\n" );
635
636 if( opt.selfsign )
637 {
638 opt.subject_name = opt.issuer_name;
639 subject_key = issuer_key;
640 }
641
642 mbedtls_x509write_crt_set_subject_key( &crt, subject_key );
643 mbedtls_x509write_crt_set_issuer_key( &crt, issuer_key );
644
645 /*
646 * 1.0. Check the names for validity
647 */
648 if( ( ret = mbedtls_x509write_crt_set_subject_name( &crt, opt.subject_name ) ) != 0 )
649 {
650 mbedtls_strerror( ret, buf, 1024 );
651 mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_subject_name "
652 "returned -0x%04x - %s\n\n", -ret, buf );
653 goto exit;
654 }
655
656 if( ( ret = mbedtls_x509write_crt_set_issuer_name( &crt, opt.issuer_name ) ) != 0 )
657 {
658 mbedtls_strerror( ret, buf, 1024 );
659 mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_issuer_name "
660 "returned -0x%04x - %s\n\n", -ret, buf );
661 goto exit;
662 }
663
664 mbedtls_printf( " . Setting certificate values ..." );
665 fflush( stdout );
666
667 mbedtls_x509write_crt_set_version( &crt, opt.version );
668 mbedtls_x509write_crt_set_md_alg( &crt, opt.md );
669
670 ret = mbedtls_x509write_crt_set_serial( &crt, &serial );
671 if( ret != 0 )
672 {
673 mbedtls_strerror( ret, buf, 1024 );
674 mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_serial "
675 "returned -0x%04x - %s\n\n", -ret, buf );
676 goto exit;
677 }
678
679 ret = mbedtls_x509write_crt_set_validity( &crt, opt.not_before, opt.not_after );
680 if( ret != 0 )
681 {
682 mbedtls_strerror( ret, buf, 1024 );
683 mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_validity "
684 "returned -0x%04x - %s\n\n", -ret, buf );
685 goto exit;
686 }
687
688 mbedtls_printf( " ok\n" );
689
690 if( opt.version == MBEDTLS_X509_CRT_VERSION_3 &&
691 opt.basic_constraints != 0 )
692 {
693 mbedtls_printf( " . Adding the Basic Constraints extension ..." );
694 fflush( stdout );
695
696 ret = mbedtls_x509write_crt_set_basic_constraints( &crt, opt.is_ca,
697 opt.max_pathlen );
698 if( ret != 0 )
699 {
700 mbedtls_strerror( ret, buf, 1024 );
701 mbedtls_printf( " failed\n ! x509write_crt_set_basic_contraints "
702 "returned -0x%04x - %s\n\n", -ret, buf );
703 goto exit;
704 }
705
706 mbedtls_printf( " ok\n" );
707 }
708
709 #if defined(MBEDTLS_SHA1_C)
710 if( opt.version == MBEDTLS_X509_CRT_VERSION_3 &&
711 opt.subject_identifier != 0 )
712 {
713 mbedtls_printf( " . Adding the Subject Key Identifier ..." );
714 fflush( stdout );
715
716 ret = mbedtls_x509write_crt_set_subject_key_identifier( &crt );
717 if( ret != 0 )
718 {
719 mbedtls_strerror( ret, buf, 1024 );
720 mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_subject"
721 "_key_identifier returned -0x%04x - %s\n\n",
722 -ret, buf );
723 goto exit;
724 }
725
726 mbedtls_printf( " ok\n" );
727 }
728
729 if( opt.version == MBEDTLS_X509_CRT_VERSION_3 &&
730 opt.authority_identifier != 0 )
731 {
732 mbedtls_printf( " . Adding the Authority Key Identifier ..." );
733 fflush( stdout );
734
735 ret = mbedtls_x509write_crt_set_authority_key_identifier( &crt );
736 if( ret != 0 )
737 {
738 mbedtls_strerror( ret, buf, 1024 );
739 mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_authority_"
740 "key_identifier returned -0x%04x - %s\n\n",
741 -ret, buf );
742 goto exit;
743 }
744
745 mbedtls_printf( " ok\n" );
746 }
747 #endif /* MBEDTLS_SHA1_C */
748
749 if( opt.version == MBEDTLS_X509_CRT_VERSION_3 &&
750 opt.key_usage != 0 )
751 {
752 mbedtls_printf( " . Adding the Key Usage extension ..." );
753 fflush( stdout );
754
755 ret = mbedtls_x509write_crt_set_key_usage( &crt, opt.key_usage );
756 if( ret != 0 )
757 {
758 mbedtls_strerror( ret, buf, 1024 );
759 mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_key_usage "
760 "returned -0x%04x - %s\n\n", -ret, buf );
761 goto exit;
762 }
763
764 mbedtls_printf( " ok\n" );
765 }
766
767 if( opt.version == MBEDTLS_X509_CRT_VERSION_3 &&
768 opt.ns_cert_type != 0 )
769 {
770 mbedtls_printf( " . Adding the NS Cert Type extension ..." );
771 fflush( stdout );
772
773 ret = mbedtls_x509write_crt_set_ns_cert_type( &crt, opt.ns_cert_type );
774 if( ret != 0 )
775 {
776 mbedtls_strerror( ret, buf, 1024 );
777 mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_ns_cert_type "
778 "returned -0x%04x - %s\n\n", -ret, buf );
779 goto exit;
780 }
781
782 mbedtls_printf( " ok\n" );
783 }
784
785 /*
786 * 1.2. Writing the certificate
787 */
788 mbedtls_printf( " . Writing the certificate..." );
789 fflush( stdout );
790
791 if( ( ret = write_certificate( &crt, opt.output_file,
792 mbedtls_ctr_drbg_random, &ctr_drbg ) ) != 0 )
793 {
794 mbedtls_strerror( ret, buf, 1024 );
795 mbedtls_printf( " failed\n ! write_certificate -0x%04x - %s\n\n",
796 -ret, buf );
797 goto exit;
798 }
799
800 mbedtls_printf( " ok\n" );
801
802 exit_code = MBEDTLS_EXIT_SUCCESS;
803
804 exit:
805 #if defined(MBEDTLS_X509_CSR_PARSE_C)
806 mbedtls_x509_csr_free( &csr );
807 #endif /* MBEDTLS_X509_CSR_PARSE_C */
808 mbedtls_x509_crt_free( &issuer_crt );
809 mbedtls_x509write_crt_free( &crt );
810 mbedtls_pk_free( &loaded_subject_key );
811 mbedtls_pk_free( &loaded_issuer_key );
812 mbedtls_mpi_free( &serial );
813 mbedtls_ctr_drbg_free( &ctr_drbg );
814 mbedtls_entropy_free( &entropy );
815
816 #if defined(_WIN32)
817 mbedtls_printf( " + Press Enter to exit this program.\n" );
818 fflush( stdout ); getchar();
819 #endif
820
821 return( exit_code );
822 }
823 #endif /* MBEDTLS_X509_CRT_WRITE_C && MBEDTLS_X509_CRT_PARSE_C &&
824 MBEDTLS_FS_IO && MBEDTLS_ENTROPY_C && MBEDTLS_CTR_DRBG_C &&
825 MBEDTLS_ERROR_C && MBEDTLS_PEM_WRITE_C */
826