cert_req.c 10.8 KB
Newer Older
1 2 3
/*
 *  Certificate request generation
 *
4
 *  Copyright (C) 2006-2011, ARM Limited, All Rights Reserved
5
 *
6
 *  This file is part of mbed TLS (https://tls.mbed.org)
7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License along
 *  with this program; if not, write to the Free Software Foundation, Inc.,
 *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */

23
#if !defined(POLARSSL_CONFIG_FILE)
24
#include "polarssl/config.h"
25 26 27
#else
#include POLARSSL_CONFIG_FILE
#endif
28

29 30 31
#if defined(POLARSSL_PLATFORM_C)
#include "polarssl/platform.h"
#else
Rich Evans's avatar
Rich Evans committed
32
#include <stdio.h>
33 34 35
#define polarssl_printf     printf
#endif

Rich Evans's avatar
Rich Evans committed
36 37 38
#if defined(POLARSSL_X509_CSR_WRITE_C) && defined(POLARSSL_FS_IO) && \
    defined(POLARSSL_PK_PARSE_C) && \
    defined(POLARSSL_ENTROPY_C) && defined(POLARSSL_CTR_DRBG_C)
39
#include "polarssl/x509_csr.h"
40 41
#include "polarssl/entropy.h"
#include "polarssl/ctr_drbg.h"
42
#include "polarssl/error.h"
43

Rich Evans's avatar
Rich Evans committed
44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#endif

#define DFL_FILENAME            "keyfile.key"
#define DFL_DEBUG_LEVEL         0
#define DFL_OUTPUT_FILENAME     "cert.req"
#define DFL_SUBJECT_NAME        "CN=Cert,O=mbed TLS,C=UK"
#define DFL_KEY_USAGE           0
#define DFL_NS_CERT_TYPE        0

#define USAGE \
    "\n usage: cert_req param=<>...\n"                  \
    "\n acceptable parameters:\n"                       \
    "    filename=%%s         default: keyfile.key\n"   \
    "    debug_level=%%d      default: 0 (disabled)\n"  \
    "    output_file=%%s      default: cert.req\n"      \
    "    subject_name=%%s     default: CN=Cert,O=mbed TLS,C=UK\n"   \
    "    key_usage=%%s        default: (empty)\n"       \
    "                        Comma-separated-list of values:\n"     \
    "                          digital_signature\n"     \
    "                          non_repudiation\n"       \
    "                          key_encipherment\n"      \
    "                          data_encipherment\n"     \
    "                          key_agreement\n"         \
    "                          key_certificate_sign\n"  \
    "                          crl_sign\n"              \
    "    ns_cert_type=%%s     default: (empty)\n"       \
    "                        Comma-separated-list of values:\n"     \
    "                          ssl_client\n"            \
    "                          ssl_server\n"            \
    "                          email\n"                 \
    "                          object_signing\n"        \
    "                          ssl_ca\n"                \
    "                          email_ca\n"              \
    "                          object_signing_ca\n"     \
    "\n"

83
#if !defined(POLARSSL_X509_CSR_WRITE_C) || !defined(POLARSSL_FS_IO) ||  \
84
    !defined(POLARSSL_PK_PARSE_C) ||                                    \
85
    !defined(POLARSSL_ENTROPY_C) || !defined(POLARSSL_CTR_DRBG_C)
Rich Evans's avatar
Rich Evans committed
86
int main( void )
87
{
88
    polarssl_printf( "POLARSSL_X509_CSR_WRITE_C and/or POLARSSL_FS_IO and/or "
89
            "POLARSSL_PK_PARSE_C and/or "
90 91
            "POLARSSL_ENTROPY_C and/or POLARSSL_CTR_DRBG_C "
            "not defined.\n");
92 93 94
    return( 0 );
}
#else
95 96 97 98 99
/*
 * global options
 */
struct options
{
Paul Bakker's avatar
Paul Bakker committed
100
    const char *filename;       /* filename of the key file             */
101
    int debug_level;            /* level of debugging                   */
Paul Bakker's avatar
Paul Bakker committed
102 103
    const char *output_file;    /* where to store the constructed key file  */
    const char *subject_name;   /* subject name for certificate request */
104 105
    unsigned char key_usage;    /* key usage flags                      */
    unsigned char ns_cert_type; /* NS cert type                         */
106 107
} opt;

Paul Bakker's avatar
Paul Bakker committed
108
int write_certificate_request( x509write_csr *req, const char *output_file,
109 110
                               int (*f_rng)(void *, unsigned char *, size_t),
                               void *p_rng )
111
{
112
    int ret;
113 114
    FILE *f;
    unsigned char output_buf[4096];
115
    size_t len = 0;
116

117
    memset( output_buf, 0, 4096 );
118
    if( ( ret = x509write_csr_pem( req, output_buf, 4096, f_rng, p_rng ) ) < 0 )
119
        return( ret );
120

121
    len = strlen( (char *) output_buf );
122

123 124 125
    if( ( f = fopen( output_file, "w" ) ) == NULL )
        return( -1 );

126
    if( fwrite( output_buf, 1, len, f ) != len )
127 128
    {
        fclose( f );
129
        return( -1 );
130
    }
131

132
    fclose( f );
133 134

    return( 0 );
135 136 137 138 139
}

int main( int argc, char *argv[] )
{
    int ret = 0;
140
    pk_context key;
141
    char buf[1024];
142
    int i;
143
    char *p, *q, *r;
144
    x509write_csr req;
145 146 147
    entropy_context entropy;
    ctr_drbg_context ctr_drbg;
    const char *pers = "csr example app";
148 149 150 151

    /*
     * Set to sane values
     */
152
    x509write_csr_init( &req );
153
    x509write_csr_set_md_alg( &req, POLARSSL_MD_SHA256 );
154
    pk_init( &key );
155
    memset( buf, 0, sizeof( buf ) );
156 157 158 159

    if( argc == 0 )
    {
    usage:
160
        polarssl_printf( USAGE );
161
        ret = 1;
162 163 164 165 166 167 168
        goto exit;
    }

    opt.filename            = DFL_FILENAME;
    opt.debug_level         = DFL_DEBUG_LEVEL;
    opt.output_file         = DFL_OUTPUT_FILENAME;
    opt.subject_name        = DFL_SUBJECT_NAME;
169 170
    opt.key_usage           = DFL_KEY_USAGE;
    opt.ns_cert_type        = DFL_NS_CERT_TYPE;
171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193

    for( i = 1; i < argc; i++ )
    {

        p = argv[i];
        if( ( q = strchr( p, '=' ) ) == NULL )
            goto usage;
        *q++ = '\0';

        if( strcmp( p, "filename" ) == 0 )
            opt.filename = q;
        else if( strcmp( p, "output_file" ) == 0 )
            opt.output_file = q;
        else if( strcmp( p, "debug_level" ) == 0 )
        {
            opt.debug_level = atoi( q );
            if( opt.debug_level < 0 || opt.debug_level > 65535 )
                goto usage;
        }
        else if( strcmp( p, "subject_name" ) == 0 )
        {
            opt.subject_name = q;
        }
194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247
        else if( strcmp( p, "key_usage" ) == 0 )
        {
            while( q != NULL )
            {
                if( ( r = strchr( q, ',' ) ) != NULL )
                    *r++ = '\0';

                if( strcmp( q, "digital_signature" ) == 0 )
                    opt.key_usage |= KU_DIGITAL_SIGNATURE;
                else if( strcmp( q, "non_repudiation" ) == 0 )
                    opt.key_usage |= KU_NON_REPUDIATION;
                else if( strcmp( q, "key_encipherment" ) == 0 )
                    opt.key_usage |= KU_KEY_ENCIPHERMENT;
                else if( strcmp( q, "data_encipherment" ) == 0 )
                    opt.key_usage |= KU_DATA_ENCIPHERMENT;
                else if( strcmp( q, "key_agreement" ) == 0 )
                    opt.key_usage |= KU_KEY_AGREEMENT;
                else if( strcmp( q, "key_cert_sign" ) == 0 )
                    opt.key_usage |= KU_KEY_CERT_SIGN;
                else if( strcmp( q, "crl_sign" ) == 0 )
                    opt.key_usage |= KU_CRL_SIGN;
                else
                    goto usage;

                q = r;
            }
        }
        else if( strcmp( p, "ns_cert_type" ) == 0 )
        {
            while( q != NULL )
            {
                if( ( r = strchr( q, ',' ) ) != NULL )
                    *r++ = '\0';

                if( strcmp( q, "ssl_client" ) == 0 )
                    opt.ns_cert_type |= NS_CERT_TYPE_SSL_CLIENT;
                else if( strcmp( q, "ssl_server" ) == 0 )
                    opt.ns_cert_type |= NS_CERT_TYPE_SSL_SERVER;
                else if( strcmp( q, "email" ) == 0 )
                    opt.ns_cert_type |= NS_CERT_TYPE_EMAIL;
                else if( strcmp( q, "object_signing" ) == 0 )
                    opt.ns_cert_type |= NS_CERT_TYPE_OBJECT_SIGNING;
                else if( strcmp( q, "ssl_ca" ) == 0 )
                    opt.ns_cert_type |= NS_CERT_TYPE_SSL_CA;
                else if( strcmp( q, "email_ca" ) == 0 )
                    opt.ns_cert_type |= NS_CERT_TYPE_EMAIL_CA;
                else if( strcmp( q, "object_signing_ca" ) == 0 )
                    opt.ns_cert_type |= NS_CERT_TYPE_OBJECT_SIGNING_CA;
                else
                    goto usage;

                q = r;
            }
        }
248 249 250 251
        else
            goto usage;
    }

252 253 254 255 256 257
    if( opt.key_usage )
        x509write_csr_set_key_usage( &req, opt.key_usage );

    if( opt.ns_cert_type )
        x509write_csr_set_ns_cert_type( &req, opt.ns_cert_type );

258 259 260
    /*
     * 0. Seed the PRNG
     */
261
    polarssl_printf( "  . Seeding the random number generator..." );
262 263 264 265 266 267 268
    fflush( stdout );

    entropy_init( &entropy );
    if( ( ret = ctr_drbg_init( &ctr_drbg, entropy_func, &entropy,
                               (const unsigned char *) pers,
                               strlen( pers ) ) ) != 0 )
    {
269
        polarssl_printf( " failed\n  !  ctr_drbg_init returned %d", ret );
270 271 272
        goto exit;
    }

273
    polarssl_printf( " ok\n" );
274

275 276 277
    /*
     * 1.0. Check the subject name for validity
     */
278
    polarssl_printf( "  . Checking subjet name..." );
279 280
    fflush( stdout );

281
    if( ( ret = x509write_csr_set_subject_name( &req, opt.subject_name ) ) != 0 )
282
    {
283
        polarssl_printf( " failed\n  !  x509write_csr_set_subject_name returned %d", ret );
284
        goto exit;
285 286
    }

287
    polarssl_printf( " ok\n" );
288

289 290 291
    /*
     * 1.1. Load the key
     */
292
    polarssl_printf( "  . Loading the private key ..." );
293 294
    fflush( stdout );

295
    ret = pk_parse_keyfile( &key, opt.filename, NULL );
296 297 298

    if( ret != 0 )
    {
299
        polarssl_printf( " failed\n  !  pk_parse_keyfile returned %d", ret );
300 301 302
        goto exit;
    }

303
    x509write_csr_set_key( &req, &key );
304

305
    polarssl_printf( " ok\n" );
306

307 308 309
    /*
     * 1.2. Writing the request
     */
310
    polarssl_printf( "  . Writing the certificate request ..." );
311
    fflush( stdout );
312

313 314
    if( ( ret = write_certificate_request( &req, opt.output_file,
                                           ctr_drbg_random, &ctr_drbg ) ) != 0 )
315
    {
316
        polarssl_printf( " failed\n  !  write_certifcate_request %d", ret );
317 318
        goto exit;
    }
319

320
    polarssl_printf( " ok\n" );
321 322

exit:
323 324 325 326 327

    if( ret != 0 && ret != 1)
    {
#ifdef POLARSSL_ERROR_C
        polarssl_strerror( ret, buf, sizeof( buf ) );
328
        polarssl_printf( " - %s\n", buf );
329
#else
330
        polarssl_printf("\n");
331 332 333
#endif
    }

334
    x509write_csr_free( &req );
335
    pk_free( &key );
336
    ctr_drbg_free( &ctr_drbg );
Paul Bakker's avatar
Paul Bakker committed
337
    entropy_free( &entropy );
338 339

#if defined(_WIN32)
340
    polarssl_printf( "  + Press Enter to exit this program.\n" );
341 342 343 344 345
    fflush( stdout ); getchar();
#endif

    return( ret );
}
346
#endif /* POLARSSL_X509_CSR_WRITE_C && POLARSSL_PK_PARSE_C && POLARSSL_FS_IO &&
347
          POLARSSL_ENTROPY_C && POLARSSL_CTR_DRBG_C */