cert_req.c (20456B)
1 /* 2 * Certificate request generation 3 * 4 * Copyright The Mbed TLS Contributors 5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later 6 */ 7 8 #include "mbedtls/build_info.h" 9 10 #include "mbedtls/platform.h" 11 /* md.h is included this early since MD_CAN_XXX macros are defined there. */ 12 #include "mbedtls/md.h" 13 14 #if !defined(MBEDTLS_X509_CSR_WRITE_C) || !defined(MBEDTLS_X509_CRT_PARSE_C) || \ 15 !defined(MBEDTLS_PK_PARSE_C) || !defined(MBEDTLS_MD_CAN_SHA256) || \ 16 !defined(MBEDTLS_ENTROPY_C) || !defined(MBEDTLS_CTR_DRBG_C) || \ 17 !defined(MBEDTLS_PEM_WRITE_C) || !defined(MBEDTLS_FS_IO) || \ 18 !defined(MBEDTLS_MD_C) 19 int main(void) 20 { 21 mbedtls_printf("MBEDTLS_X509_CSR_WRITE_C and/or MBEDTLS_FS_IO and/or " 22 "MBEDTLS_PK_PARSE_C and/or MBEDTLS_MD_CAN_SHA256 and/or " 23 "MBEDTLS_ENTROPY_C and/or MBEDTLS_CTR_DRBG_C " 24 "not defined.\n"); 25 mbedtls_exit(0); 26 } 27 #else 28 29 #include "mbedtls/x509_csr.h" 30 #include "mbedtls/entropy.h" 31 #include "mbedtls/ctr_drbg.h" 32 #include "mbedtls/error.h" 33 34 #include <stdio.h> 35 #include <stdlib.h> 36 #include <string.h> 37 38 #define DFL_FILENAME "keyfile.key" 39 #define DFL_PASSWORD NULL 40 #define DFL_DEBUG_LEVEL 0 41 #define DFL_OUTPUT_FILENAME "cert.req" 42 #define DFL_SUBJECT_NAME "CN=Cert,O=mbed TLS,C=UK" 43 #define DFL_KEY_USAGE 0 44 #define DFL_FORCE_KEY_USAGE 0 45 #define DFL_NS_CERT_TYPE 0 46 #define DFL_FORCE_NS_CERT_TYPE 0 47 #define DFL_MD_ALG MBEDTLS_MD_SHA256 48 49 #define USAGE \ 50 "\n usage: cert_req param=<>...\n" \ 51 "\n acceptable parameters:\n" \ 52 " filename=%%s default: keyfile.key\n" \ 53 " password=%%s default: NULL\n" \ 54 " debug_level=%%d default: 0 (disabled)\n" \ 55 " output_file=%%s default: cert.req\n" \ 56 " subject_name=%%s default: CN=Cert,O=mbed TLS,C=UK\n" \ 57 " san=%%s default: (none)\n" \ 58 " Semicolon-separated-list of values:\n" \ 59 " DNS:value\n" \ 60 " URI:value\n" \ 61 " RFC822:value\n" \ 62 " IP:value (Only IPv4 is supported)\n" \ 63 " DN:list of comma separated key=value pairs\n" \ 64 " key_usage=%%s default: (empty)\n" \ 65 " Comma-separated-list of values:\n" \ 66 " digital_signature\n" \ 67 " non_repudiation\n" \ 68 " key_encipherment\n" \ 69 " data_encipherment\n" \ 70 " key_agreement\n" \ 71 " key_cert_sign\n" \ 72 " crl_sign\n" \ 73 " force_key_usage=0/1 default: off\n" \ 74 " Add KeyUsage even if it is empty\n" \ 75 " ns_cert_type=%%s default: (empty)\n" \ 76 " Comma-separated-list of values:\n" \ 77 " ssl_client\n" \ 78 " ssl_server\n" \ 79 " email\n" \ 80 " object_signing\n" \ 81 " ssl_ca\n" \ 82 " email_ca\n" \ 83 " object_signing_ca\n" \ 84 " force_ns_cert_type=0/1 default: off\n" \ 85 " Add NsCertType even if it is empty\n" \ 86 " md=%%s default: SHA256\n" \ 87 " possible values:\n" \ 88 " MD5, RIPEMD160, SHA1,\n" \ 89 " SHA224, SHA256, SHA384, SHA512\n" \ 90 "\n" 91 92 93 /* 94 * global options 95 */ 96 struct options { 97 const char *filename; /* filename of the key file */ 98 const char *password; /* password for the key file */ 99 int debug_level; /* level of debugging */ 100 const char *output_file; /* where to store the constructed key file */ 101 const char *subject_name; /* subject name for certificate request */ 102 mbedtls_x509_san_list *san_list; /* subjectAltName for certificate request */ 103 unsigned char key_usage; /* key usage flags */ 104 int force_key_usage; /* Force adding the KeyUsage extension */ 105 unsigned char ns_cert_type; /* NS cert type */ 106 int force_ns_cert_type; /* Force adding NsCertType extension */ 107 mbedtls_md_type_t md_alg; /* Hash algorithm used for signature. */ 108 } opt; 109 110 static int write_certificate_request(mbedtls_x509write_csr *req, const char *output_file, 111 int (*f_rng)(void *, unsigned char *, size_t), 112 void *p_rng) 113 { 114 int ret; 115 FILE *f; 116 unsigned char output_buf[4096]; 117 size_t len = 0; 118 119 memset(output_buf, 0, 4096); 120 if ((ret = mbedtls_x509write_csr_pem(req, output_buf, 4096, f_rng, p_rng)) < 0) { 121 return ret; 122 } 123 124 len = strlen((char *) output_buf); 125 126 if ((f = fopen(output_file, "w")) == NULL) { 127 return -1; 128 } 129 130 if (fwrite(output_buf, 1, len, f) != len) { 131 fclose(f); 132 return -1; 133 } 134 135 fclose(f); 136 137 return 0; 138 } 139 140 int main(int argc, char *argv[]) 141 { 142 int ret = 1; 143 int exit_code = MBEDTLS_EXIT_FAILURE; 144 mbedtls_pk_context key; 145 char buf[1024]; 146 int i; 147 char *p, *q, *r; 148 mbedtls_x509write_csr req; 149 mbedtls_entropy_context entropy; 150 mbedtls_ctr_drbg_context ctr_drbg; 151 const char *pers = "csr example app"; 152 mbedtls_x509_san_list *cur, *prev; 153 #if defined(MBEDTLS_X509_CRT_PARSE_C) 154 uint8_t ip[4] = { 0 }; 155 #endif 156 /* 157 * Set to sane values 158 */ 159 mbedtls_x509write_csr_init(&req); 160 mbedtls_pk_init(&key); 161 mbedtls_ctr_drbg_init(&ctr_drbg); 162 memset(buf, 0, sizeof(buf)); 163 mbedtls_entropy_init(&entropy); 164 165 #if defined(MBEDTLS_USE_PSA_CRYPTO) 166 psa_status_t status = psa_crypto_init(); 167 if (status != PSA_SUCCESS) { 168 mbedtls_fprintf(stderr, "Failed to initialize PSA Crypto implementation: %d\n", 169 (int) status); 170 goto exit; 171 } 172 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 173 174 if (argc < 2) { 175 usage: 176 mbedtls_printf(USAGE); 177 goto exit; 178 } 179 180 opt.filename = DFL_FILENAME; 181 opt.password = DFL_PASSWORD; 182 opt.debug_level = DFL_DEBUG_LEVEL; 183 opt.output_file = DFL_OUTPUT_FILENAME; 184 opt.subject_name = DFL_SUBJECT_NAME; 185 opt.key_usage = DFL_KEY_USAGE; 186 opt.force_key_usage = DFL_FORCE_KEY_USAGE; 187 opt.ns_cert_type = DFL_NS_CERT_TYPE; 188 opt.force_ns_cert_type = DFL_FORCE_NS_CERT_TYPE; 189 opt.md_alg = DFL_MD_ALG; 190 opt.san_list = NULL; 191 192 for (i = 1; i < argc; i++) { 193 p = argv[i]; 194 if ((q = strchr(p, '=')) == NULL) { 195 goto usage; 196 } 197 *q++ = '\0'; 198 if (strcmp(p, "filename") == 0) { 199 opt.filename = q; 200 } else if (strcmp(p, "password") == 0) { 201 opt.password = q; 202 } else if (strcmp(p, "output_file") == 0) { 203 opt.output_file = q; 204 } else if (strcmp(p, "debug_level") == 0) { 205 opt.debug_level = atoi(q); 206 if (opt.debug_level < 0 || opt.debug_level > 65535) { 207 goto usage; 208 } 209 } else if (strcmp(p, "subject_name") == 0) { 210 opt.subject_name = q; 211 } else if (strcmp(p, "san") == 0) { 212 char *subtype_value; 213 prev = NULL; 214 215 while (q != NULL) { 216 char *semicolon; 217 r = q; 218 219 /* Find the first non-escaped ; occurrence and remove escaped ones */ 220 do { 221 if ((semicolon = strchr(r, ';')) != NULL) { 222 if (*(semicolon-1) != '\\') { 223 r = semicolon; 224 break; 225 } 226 /* Remove the escape character */ 227 size_t size_left = strlen(semicolon); 228 memmove(semicolon-1, semicolon, size_left); 229 *(semicolon + size_left - 1) = '\0'; 230 /* r will now point at the character after the semicolon */ 231 r = semicolon; 232 } 233 234 } while (semicolon != NULL); 235 236 if (semicolon != NULL) { 237 *r++ = '\0'; 238 } else { 239 r = NULL; 240 } 241 242 cur = mbedtls_calloc(1, sizeof(mbedtls_x509_san_list)); 243 if (cur == NULL) { 244 mbedtls_printf("Not enough memory for subjectAltName list\n"); 245 goto usage; 246 } 247 248 cur->next = NULL; 249 250 if ((subtype_value = strchr(q, ':')) != NULL) { 251 *subtype_value++ = '\0'; 252 } else { 253 mbedtls_printf( 254 "Invalid argument for option SAN: Entry must be of the form TYPE:value\n"); 255 goto usage; 256 } 257 if (strcmp(q, "RFC822") == 0) { 258 cur->node.type = MBEDTLS_X509_SAN_RFC822_NAME; 259 } else if (strcmp(q, "URI") == 0) { 260 cur->node.type = MBEDTLS_X509_SAN_UNIFORM_RESOURCE_IDENTIFIER; 261 } else if (strcmp(q, "DNS") == 0) { 262 cur->node.type = MBEDTLS_X509_SAN_DNS_NAME; 263 } else if (strcmp(q, "IP") == 0) { 264 size_t ip_addr_len = 0; 265 cur->node.type = MBEDTLS_X509_SAN_IP_ADDRESS; 266 ip_addr_len = mbedtls_x509_crt_parse_cn_inet_pton(subtype_value, ip); 267 if (ip_addr_len == 0) { 268 mbedtls_printf("mbedtls_x509_crt_parse_cn_inet_pton failed to parse %s\n", 269 subtype_value); 270 goto exit; 271 } 272 cur->node.san.unstructured_name.p = (unsigned char *) ip; 273 cur->node.san.unstructured_name.len = sizeof(ip); 274 } else if (strcmp(q, "DN") == 0) { 275 cur->node.type = MBEDTLS_X509_SAN_DIRECTORY_NAME; 276 /* Work around an API mismatch between string_to_names() and 277 * mbedtls_x509_subject_alternative_name, which holds an 278 * actual mbedtls_x509_name while a pointer to one would be 279 * more convenient here. (Note mbedtls_x509_name and 280 * mbedtls_asn1_named_data are synonymous, again 281 * string_to_names() uses one while 282 * cur->node.san.directory_name is nominally the other.) */ 283 mbedtls_asn1_named_data *tmp_san_dirname = NULL; 284 if ((ret = mbedtls_x509_string_to_names(&tmp_san_dirname, 285 subtype_value)) != 0) { 286 mbedtls_strerror(ret, buf, sizeof(buf)); 287 mbedtls_printf( 288 " failed\n ! mbedtls_x509_string_to_names " 289 "returned -0x%04x - %s\n\n", 290 (unsigned int) -ret, buf); 291 goto exit; 292 } 293 cur->node.san.directory_name = *tmp_san_dirname; 294 mbedtls_free(tmp_san_dirname); 295 tmp_san_dirname = NULL; 296 } else { 297 mbedtls_free(cur); 298 goto usage; 299 } 300 301 if (cur->node.type == MBEDTLS_X509_SAN_RFC822_NAME || 302 cur->node.type == MBEDTLS_X509_SAN_UNIFORM_RESOURCE_IDENTIFIER || 303 cur->node.type == MBEDTLS_X509_SAN_DNS_NAME) { 304 q = subtype_value; 305 cur->node.san.unstructured_name.p = (unsigned char *) q; 306 cur->node.san.unstructured_name.len = strlen(q); 307 } 308 309 if (prev == NULL) { 310 opt.san_list = cur; 311 } else { 312 prev->next = cur; 313 } 314 315 prev = cur; 316 q = r; 317 } 318 } else if (strcmp(p, "md") == 0) { 319 const mbedtls_md_info_t *md_info = 320 mbedtls_md_info_from_string(q); 321 if (md_info == NULL) { 322 mbedtls_printf("Invalid argument for option %s\n", p); 323 goto usage; 324 } 325 opt.md_alg = mbedtls_md_get_type(md_info); 326 } else if (strcmp(p, "key_usage") == 0) { 327 while (q != NULL) { 328 if ((r = strchr(q, ',')) != NULL) { 329 *r++ = '\0'; 330 } 331 332 if (strcmp(q, "digital_signature") == 0) { 333 opt.key_usage |= MBEDTLS_X509_KU_DIGITAL_SIGNATURE; 334 } else if (strcmp(q, "non_repudiation") == 0) { 335 opt.key_usage |= MBEDTLS_X509_KU_NON_REPUDIATION; 336 } else if (strcmp(q, "key_encipherment") == 0) { 337 opt.key_usage |= MBEDTLS_X509_KU_KEY_ENCIPHERMENT; 338 } else if (strcmp(q, "data_encipherment") == 0) { 339 opt.key_usage |= MBEDTLS_X509_KU_DATA_ENCIPHERMENT; 340 } else if (strcmp(q, "key_agreement") == 0) { 341 opt.key_usage |= MBEDTLS_X509_KU_KEY_AGREEMENT; 342 } else if (strcmp(q, "key_cert_sign") == 0) { 343 opt.key_usage |= MBEDTLS_X509_KU_KEY_CERT_SIGN; 344 } else if (strcmp(q, "crl_sign") == 0) { 345 opt.key_usage |= MBEDTLS_X509_KU_CRL_SIGN; 346 } else { 347 goto usage; 348 } 349 350 q = r; 351 } 352 } else if (strcmp(p, "force_key_usage") == 0) { 353 switch (atoi(q)) { 354 case 0: opt.force_key_usage = 0; break; 355 case 1: opt.force_key_usage = 1; break; 356 default: goto usage; 357 } 358 } else if (strcmp(p, "ns_cert_type") == 0) { 359 while (q != NULL) { 360 if ((r = strchr(q, ',')) != NULL) { 361 *r++ = '\0'; 362 } 363 364 if (strcmp(q, "ssl_client") == 0) { 365 opt.ns_cert_type |= MBEDTLS_X509_NS_CERT_TYPE_SSL_CLIENT; 366 } else if (strcmp(q, "ssl_server") == 0) { 367 opt.ns_cert_type |= MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER; 368 } else if (strcmp(q, "email") == 0) { 369 opt.ns_cert_type |= MBEDTLS_X509_NS_CERT_TYPE_EMAIL; 370 } else if (strcmp(q, "object_signing") == 0) { 371 opt.ns_cert_type |= MBEDTLS_X509_NS_CERT_TYPE_OBJECT_SIGNING; 372 } else if (strcmp(q, "ssl_ca") == 0) { 373 opt.ns_cert_type |= MBEDTLS_X509_NS_CERT_TYPE_SSL_CA; 374 } else if (strcmp(q, "email_ca") == 0) { 375 opt.ns_cert_type |= MBEDTLS_X509_NS_CERT_TYPE_EMAIL_CA; 376 } else if (strcmp(q, "object_signing_ca") == 0) { 377 opt.ns_cert_type |= MBEDTLS_X509_NS_CERT_TYPE_OBJECT_SIGNING_CA; 378 } else { 379 goto usage; 380 } 381 382 q = r; 383 } 384 } else if (strcmp(p, "force_ns_cert_type") == 0) { 385 switch (atoi(q)) { 386 case 0: opt.force_ns_cert_type = 0; break; 387 case 1: opt.force_ns_cert_type = 1; break; 388 default: goto usage; 389 } 390 } else { 391 goto usage; 392 } 393 } 394 395 /* Set the MD algorithm to use for the signature in the CSR */ 396 mbedtls_x509write_csr_set_md_alg(&req, opt.md_alg); 397 398 /* Set the Key Usage Extension flags in the CSR */ 399 if (opt.key_usage || opt.force_key_usage == 1) { 400 ret = mbedtls_x509write_csr_set_key_usage(&req, opt.key_usage); 401 402 if (ret != 0) { 403 mbedtls_printf(" failed\n ! mbedtls_x509write_csr_set_key_usage returned %d", ret); 404 goto exit; 405 } 406 } 407 408 /* Set the Cert Type flags in the CSR */ 409 if (opt.ns_cert_type || opt.force_ns_cert_type == 1) { 410 ret = mbedtls_x509write_csr_set_ns_cert_type(&req, opt.ns_cert_type); 411 412 if (ret != 0) { 413 mbedtls_printf(" failed\n ! mbedtls_x509write_csr_set_ns_cert_type returned %d", ret); 414 goto exit; 415 } 416 } 417 418 /* Set the SubjectAltName in the CSR */ 419 if (opt.san_list != NULL) { 420 ret = mbedtls_x509write_csr_set_subject_alternative_name(&req, opt.san_list); 421 422 if (ret != 0) { 423 mbedtls_printf( 424 " failed\n ! mbedtls_x509write_csr_set_subject_alternative_name returned %d", 425 ret); 426 goto exit; 427 } 428 } 429 430 /* 431 * 0. Seed the PRNG 432 */ 433 mbedtls_printf(" . Seeding the random number generator..."); 434 fflush(stdout); 435 436 if ((ret = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy, 437 (const unsigned char *) pers, 438 strlen(pers))) != 0) { 439 mbedtls_printf(" failed\n ! mbedtls_ctr_drbg_seed returned %d", ret); 440 goto exit; 441 } 442 443 mbedtls_printf(" ok\n"); 444 445 /* 446 * 1.0. Check the subject name for validity 447 */ 448 mbedtls_printf(" . Checking subject name..."); 449 fflush(stdout); 450 451 if ((ret = mbedtls_x509write_csr_set_subject_name(&req, opt.subject_name)) != 0) { 452 mbedtls_printf(" failed\n ! mbedtls_x509write_csr_set_subject_name returned %d", ret); 453 goto exit; 454 } 455 456 mbedtls_printf(" ok\n"); 457 458 /* 459 * 1.1. Load the key 460 */ 461 mbedtls_printf(" . Loading the private key ..."); 462 fflush(stdout); 463 464 ret = mbedtls_pk_parse_keyfile(&key, opt.filename, opt.password, 465 mbedtls_ctr_drbg_random, &ctr_drbg); 466 467 if (ret != 0) { 468 mbedtls_printf(" failed\n ! mbedtls_pk_parse_keyfile returned %d", ret); 469 goto exit; 470 } 471 472 mbedtls_x509write_csr_set_key(&req, &key); 473 474 mbedtls_printf(" ok\n"); 475 476 /* 477 * 1.2. Writing the request 478 */ 479 mbedtls_printf(" . Writing the certificate request ..."); 480 fflush(stdout); 481 482 if ((ret = write_certificate_request(&req, opt.output_file, 483 mbedtls_ctr_drbg_random, &ctr_drbg)) != 0) { 484 mbedtls_printf(" failed\n ! write_certificate_request %d", ret); 485 goto exit; 486 } 487 488 mbedtls_printf(" ok\n"); 489 490 exit_code = MBEDTLS_EXIT_SUCCESS; 491 492 exit: 493 494 if (exit_code != MBEDTLS_EXIT_SUCCESS) { 495 #ifdef MBEDTLS_ERROR_C 496 mbedtls_strerror(ret, buf, sizeof(buf)); 497 mbedtls_printf(" - %s\n", buf); 498 #else 499 mbedtls_printf("\n"); 500 #endif 501 } 502 503 mbedtls_x509write_csr_free(&req); 504 mbedtls_pk_free(&key); 505 mbedtls_ctr_drbg_free(&ctr_drbg); 506 mbedtls_entropy_free(&entropy); 507 #if defined(MBEDTLS_USE_PSA_CRYPTO) 508 mbedtls_psa_crypto_free(); 509 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 510 511 cur = opt.san_list; 512 while (cur != NULL) { 513 mbedtls_x509_san_list *next = cur->next; 514 /* Note: mbedtls_x509_free_subject_alt_name() is not what we want here. 515 * It's the right thing for entries that were parsed from a certificate, 516 * where pointers are to the raw certificate, but here all the 517 * pointers were allocated while parsing from a user-provided string. */ 518 if (cur->node.type == MBEDTLS_X509_SAN_DIRECTORY_NAME) { 519 mbedtls_x509_name *dn = &cur->node.san.directory_name; 520 mbedtls_free(dn->oid.p); 521 mbedtls_free(dn->val.p); 522 mbedtls_asn1_free_named_data_list(&dn->next); 523 } 524 mbedtls_free(cur); 525 cur = next; 526 } 527 528 mbedtls_exit(exit_code); 529 } 530 #endif /* MBEDTLS_X509_CSR_WRITE_C && MBEDTLS_PK_PARSE_C && MBEDTLS_FS_IO && 531 MBEDTLS_ENTROPY_C && MBEDTLS_CTR_DRBG_C && MBEDTLS_PEM_WRITE_C */