/*
 *  Certificate request generation
 *
 *  Copyright (C) 2006-2011, Brainspark B.V.
 *
 *  This file is part of mbed TLS (http://www.polarssl.org)
 *  Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
 *
 *  All rights reserved.
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License along
 *  with this program; if not, write to the Free Software Foundation, Inc.,
 *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */

#if !defined(POLARSSL_CONFIG_FILE)
#include "polarssl/config.h"
#else
#include POLARSSL_CONFIG_FILE
#endif

#include <string.h>
#include <stdlib.h>
#include <stdio.h>

#include "polarssl/x509_csr.h"
#include "polarssl/entropy.h"
#include "polarssl/ctr_drbg.h"
#include "polarssl/error.h"

#if !defined(POLARSSL_X509_CSR_WRITE_C) || !defined(POLARSSL_FS_IO) ||  \
    !defined(POLARSSL_PK_PARSE_C) ||                                    \
    !defined(POLARSSL_ENTROPY_C) || !defined(POLARSSL_CTR_DRBG_C)
/*
 * Build stub: not all of the feature macros this program needs are
 * enabled in the configuration, so report that and exit successfully.
 */
int main( int argc, char *argv[] )
{
    (void) argc;
    (void) argv;

    printf( "POLARSSL_X509_CSR_WRITE_C and/or POLARSSL_FS_IO and/or "
            "POLARSSL_PK_PARSE_C and/or "
            "POLARSSL_ENTROPY_C and/or POLARSSL_CTR_DRBG_C "
            "not defined.\n" );

    return( 0 );
}
#else

/*
 * Defaults for the command-line options (see USAGE and struct options).
 * DFL_KEY_USAGE / DFL_NS_CERT_TYPE of 0 mean "do not add the extension".
 */
#define DFL_FILENAME            "keyfile.key"
#define DFL_DEBUG_LEVEL         0
#define DFL_OUTPUT_FILENAME     "cert.req"
#define DFL_SUBJECT_NAME        "CN=Cert,O=mbed TLS,C=UK"
#define DFL_KEY_USAGE           0
#define DFL_NS_CERT_TYPE        0

/*
 * Global options, filled in from the command line by main() (see USAGE).
 */
struct options
{
    /* path of the private key file the request is signed with */
    const char *filename;
    /* verbosity level; only range-checked by main(), not otherwise used */
    int debug_level;
    /* path where the PEM-encoded certificate request is written */
    const char *output_file;
    /* subject name placed in the request, e.g. "CN=...,O=...,C=..." */
    const char *subject_name;
    /* KU_* bits; passed to x509write_csr_set_key_usage() when non-zero */
    unsigned char key_usage;
    /* NS_CERT_TYPE_* bits; passed to x509write_csr_set_ns_cert_type() when non-zero */
    unsigned char ns_cert_type;
} opt;

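/*
 * Write the PEM encoding of the (signed) request `req` to `output_file`.
 *
 * f_rng/p_rng are handed to x509write_csr_pem(), which needs a random
 * source for the signature operation.
 *
 * Returns 0 on success, the negative PolarSSL error code if the PEM
 * encoding fails, or -1 if the file cannot be opened, written or closed.
 */
int write_certificate_request( x509write_csr *req, const char *output_file,
                               int (*f_rng)(void *, unsigned char *, size_t),
                               void *p_rng )
{
    int ret;
    FILE *f;
    unsigned char output_buf[4096];
    size_t len;

    /* The length is recovered with strlen() below, so the writer is assumed
     * to NUL-terminate; zeroing first keeps that well-defined in all cases. */
    memset( output_buf, 0, sizeof( output_buf ) );
    if( ( ret = x509write_csr_pem( req, output_buf, sizeof( output_buf ),
                                   f_rng, p_rng ) ) < 0 )
        return( ret );

    len = strlen( (char *) output_buf );

    if( ( f = fopen( output_file, "w" ) ) == NULL )
        return( -1 );

    if( fwrite( output_buf, 1, len, f ) != len )
    {
        fclose( f );
        return( -1 );
    }

    /* fclose() flushes the stdio buffer; a failure here means the request
     * did not reach the disk, so it must be reported like a short write. */
    if( fclose( f ) != 0 )
        return( -1 );

    return( 0 );
}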

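/*
 * Help text.  It is passed to printf() as the format string, so literal
 * '%' characters are doubled.  The value names listed here must be exactly
 * the strings the argument parser in main() accepts (it matched
 * "key_cert_sign" while the text advertised "key_certificate_sign").
 */
#define USAGE \
    "\n usage: cert_req param=<>...\n"                  \
    "\n acceptable parameters:\n"                       \
    "    filename=%%s         default: keyfile.key\n"   \
    "    debug_level=%%d      default: 0 (disabled)\n"  \
    "    output_file=%%s      default: cert.req\n"      \
    "    subject_name=%%s     default: CN=Cert,O=mbed TLS,C=UK\n"   \
    "    key_usage=%%s        default: (empty)\n"       \
    "                        Comma-separated-list of values:\n"     \
    "                          digital_signature\n"     \
    "                          non_repudiation\n"       \
    "                          key_encipherment\n"      \
    "                          data_encipherment\n"     \
    "                          key_agreement\n"         \
    "                          key_cert_sign\n"         \
    "                          crl_sign\n"              \
    "    ns_cert_type=%%s     default: (empty)\n"       \
    "                        Comma-separated-list of values:\n"     \
    "                          ssl_client\n"            \
    "                          ssl_server\n"            \
    "                          email\n"                 \
    "                          object_signing\n"        \
    "                          ssl_ca\n"                \
    "                          email_ca\n"              \
    "                          object_signing_ca\n"     \
    "\n"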

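/*
 * Name/flag pair for the comma-separated key_usage= and ns_cert_type=
 * command-line values.
 */
struct flag_name
{
    const char *name;
    unsigned char flag;
};

#define FLAG_TABLE_LEN( t )     ( sizeof( t ) / sizeof( ( t )[0] ) )

/* Values accepted for key_usage=; the names must match USAGE */
static const struct flag_name key_usage_names[] =
{
    { "digital_signature", KU_DIGITAL_SIGNATURE },
    { "non_repudiation",   KU_NON_REPUDIATION },
    { "key_encipherment",  KU_KEY_ENCIPHERMENT },
    { "data_encipherment", KU_DATA_ENCIPHERMENT },
    { "key_agreement",     KU_KEY_AGREEMENT },
    { "key_cert_sign",     KU_KEY_CERT_SIGN },
    { "crl_sign",          KU_CRL_SIGN },
};

/* Values accepted for ns_cert_type=; the names must match USAGE */
static const struct flag_name ns_cert_type_names[] =
{
    { "ssl_client",        NS_CERT_TYPE_SSL_CLIENT },
    { "ssl_server",        NS_CERT_TYPE_SSL_SERVER },
    { "email",             NS_CERT_TYPE_EMAIL },
    { "object_signing",    NS_CERT_TYPE_OBJECT_SIGNING },
    { "ssl_ca",            NS_CERT_TYPE_SSL_CA },
    { "email_ca",          NS_CERT_TYPE_EMAIL_CA },
    { "object_signing_ca", NS_CERT_TYPE_OBJECT_SIGNING_CA },
};

/*
 * Parse a comma-separated list of names (split in place, like the original
 * argv scanning) and OR the matching flags into *out.
 *
 * Returns 0 on success, -1 if any element (including an empty one) is not
 * in `table`.
 */
static int parse_flag_list( char *list, const struct flag_name *table,
                            size_t table_len, unsigned char *out )
{
    while( list != NULL )
    {
        char *next = strchr( list, ',' );
        size_t i;

        if( next != NULL )
            *next++ = '\0';

        for( i = 0; i < table_len; i++ )
            if( strcmp( list, table[i].name ) == 0 )
                break;

        if( i == table_len )
            return( -1 );

        *out |= table[i].flag;
        list = next;
    }

    return( 0 );
}

/*
 * Parse debug_level=: a decimal integer in [0, 65535] with no trailing
 * characters.  strtol() is used instead of atoi() so that garbage and
 * out-of-range input is rejected rather than silently mapped to a number.
 *
 * Returns 0 and stores the value in *level on success, -1 otherwise.
 */
static int parse_debug_level( const char *s, int *level )
{
    char *end;
    long v = strtol( s, &end, 10 );

    if( end == s || *end != '\0' || v < 0 || v > 65535 )
        return( -1 );

    *level = (int) v;
    return( 0 );
}

/*
 * Fill the global `opt` from argv[1..argc-1], each of the form name=value.
 * argv strings are modified in place (the '=' and ',' separators are
 * overwritten with NUL), which is why argv is taken non-const.
 *
 * Returns 0 on success, -1 on any unknown name or invalid value.
 */
static int parse_args( int argc, char *argv[] )
{
    int i;

    for( i = 1; i < argc; i++ )
    {
        char *p = argv[i];
        char *q = strchr( p, '=' );

        if( q == NULL )
            return( -1 );
        *q++ = '\0';

        if( strcmp( p, "filename" ) == 0 )
            opt.filename = q;
        else if( strcmp( p, "output_file" ) == 0 )
            opt.output_file = q;
        else if( strcmp( p, "subject_name" ) == 0 )
            opt.subject_name = q;
        else if( strcmp( p, "debug_level" ) == 0 )
        {
            if( parse_debug_level( q, &opt.debug_level ) != 0 )
                return( -1 );
        }
        else if( strcmp( p, "key_usage" ) == 0 )
        {
            if( parse_flag_list( q, key_usage_names,
                                 FLAG_TABLE_LEN( key_usage_names ),
                                 &opt.key_usage ) != 0 )
                return( -1 );
        }
        else if( strcmp( p, "ns_cert_type" ) == 0 )
        {
            if( parse_flag_list( q, ns_cert_type_names,
                                 FLAG_TABLE_LEN( ns_cert_type_names ),
                                 &opt.ns_cert_type ) != 0 )
                return( -1 );
        }
        else
            return( -1 );
    }

    return( 0 );
}

/*
 * Entry point: parse the options, seed the DRBG, load the private key,
 * build the certificate request and write it as PEM to opt.output_file.
 *
 * Returns 0 on success, 1 on a usage error, or the (negative) error code
 * of the failing library call.
 */
int main( int argc, char *argv[] )
{
    int ret = 0;
    pk_context key;
    char buf[1024];
    x509write_csr req;
    entropy_context entropy;
    ctr_drbg_context ctr_drbg;
    const char *pers = "csr example app";

    /*
     * Set to sane values.  Everything the exit path frees is initialised
     * here, before the first `goto exit`, so a usage error cannot lead to
     * freeing an indeterminate context.
     */
    x509write_csr_init( &req );
    /* SHA-1 is the hard-coded signature hash of this example; deployments
     * generating real requests should prefer a SHA-2 digest. */
    x509write_csr_set_md_alg( &req, POLARSSL_MD_SHA1 );
    pk_init( &key );
    entropy_init( &entropy );
    /* ctr_drbg_init() both initialises and seeds in this API, so it cannot
     * run before the options are known; zero the object so ctr_drbg_free()
     * at exit sees a defined state if seeding is never reached. */
    memset( &ctr_drbg, 0, sizeof( ctr_drbg ) );
    memset( buf, 0, sizeof( buf ) );

    opt.filename            = DFL_FILENAME;
    opt.debug_level         = DFL_DEBUG_LEVEL;
    opt.output_file         = DFL_OUTPUT_FILENAME;
    opt.subject_name        = DFL_SUBJECT_NAME;
    opt.key_usage           = DFL_KEY_USAGE;
    opt.ns_cert_type        = DFL_NS_CERT_TYPE;

    if( argc == 0 || parse_args( argc, argv ) != 0 )
    {
        printf( USAGE );
        ret = 1;    /* tells the exit path this is not a library error */
        goto exit;
    }

    if( opt.key_usage )
        x509write_csr_set_key_usage( &req, opt.key_usage );

    if( opt.ns_cert_type )
        x509write_csr_set_ns_cert_type( &req, opt.ns_cert_type );

    /*
     * 0. Seed the PRNG
     */
    printf( "  . Seeding the random number generator..." );
    fflush( stdout );

    if( ( ret = ctr_drbg_init( &ctr_drbg, entropy_func, &entropy,
                               (const unsigned char *) pers,
                               strlen( pers ) ) ) != 0 )
    {
        printf( " failed\n  !  ctr_drbg_init returned %d", ret );
        goto exit;
    }

    printf( " ok\n" );

    /*
     * 1.0. Check the subject name for validity
     */
    printf( "  . Checking subject name..." );
    fflush( stdout );

    if( ( ret = x509write_csr_set_subject_name( &req, opt.subject_name ) ) != 0 )
    {
        printf( " failed\n  !  x509write_csr_set_subject_name returned %d", ret );
        goto exit;
    }

    printf( " ok\n" );

    /*
     * 1.1. Load the key
     */
    printf( "  . Loading the private key ..." );
    fflush( stdout );

    /* NULL password: this example does not handle encrypted key files */
    ret = pk_parse_keyfile( &key, opt.filename, NULL );

    if( ret != 0 )
    {
        printf( " failed\n  !  pk_parse_keyfile returned %d", ret );
        goto exit;
    }

    x509write_csr_set_key( &req, &key );

    printf( " ok\n" );

    /*
     * 1.2. Writing the request
     */
    printf( "  . Writing the certificate request ..." );
    fflush( stdout );

    if( ( ret = write_certificate_request( &req, opt.output_file,
                                           ctr_drbg_random, &ctr_drbg ) ) != 0 )
    {
        printf( " failed\n  !  write_certificate_request returned %d", ret );
        goto exit;
    }

    printf( " ok\n" );

exit:

    /* ret == 1 is the usage-error marker set above, not a library code */
    if( ret != 0 && ret != 1 )
    {
#ifdef POLARSSL_ERROR_C
        polarssl_strerror( ret, buf, sizeof( buf ) );
        printf( " - %s\n", buf );
#else
        printf("\n");
#endif
    }

    x509write_csr_free( &req );
    pk_free( &key );
    ctr_drbg_free( &ctr_drbg );
    entropy_free( &entropy );

#if defined(_WIN32)
    printf( "  + Press Enter to exit this program.\n" );
    fflush( stdout ); getchar();
#endif

    return( ret );
}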
#endif /* POLARSSL_X509_CSR_WRITE_C && POLARSSL_PK_PARSE_C && POLARSSL_FS_IO &&
          POLARSSL_ENTROPY_C && POLARSSL_CTR_DRBG_C */