1 /*
2 * Certificate request generation
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
6 */
7
8 #include "mbedtls/build_info.h"
9
10 #include "mbedtls/platform.h"
11 /* md.h is included this early since MD_CAN_XXX macros are defined there. */
12 #include "mbedtls/md.h"
13
14 #if !defined(MBEDTLS_X509_CSR_WRITE_C) || !defined(MBEDTLS_X509_CRT_PARSE_C) || \
15 !defined(MBEDTLS_PK_PARSE_C) || !defined(MBEDTLS_MD_CAN_SHA256) || \
16 !defined(MBEDTLS_ENTROPY_C) || !defined(MBEDTLS_CTR_DRBG_C) || \
17 !defined(MBEDTLS_PEM_WRITE_C) || !defined(MBEDTLS_FS_IO) || \
18 !defined(MBEDTLS_MD_C)
main(void)19 int main(void)
20 {
21 mbedtls_printf("MBEDTLS_X509_CSR_WRITE_C and/or MBEDTLS_FS_IO and/or "
22 "MBEDTLS_PK_PARSE_C and/or MBEDTLS_MD_CAN_SHA256 and/or "
23 "MBEDTLS_ENTROPY_C and/or MBEDTLS_CTR_DRBG_C "
24 "not defined.\n");
25 mbedtls_exit(0);
26 }
27 #else
28
29 #include "mbedtls/x509_csr.h"
30 #include "mbedtls/entropy.h"
31 #include "mbedtls/ctr_drbg.h"
32 #include "mbedtls/error.h"
33
34 #include <stdio.h>
35 #include <stdlib.h>
36 #include <string.h>
37
38 #define DFL_FILENAME "keyfile.key"
39 #define DFL_PASSWORD NULL
40 #define DFL_DEBUG_LEVEL 0
41 #define DFL_OUTPUT_FILENAME "cert.req"
42 #define DFL_SUBJECT_NAME "CN=Cert,O=mbed TLS,C=UK"
43 #define DFL_KEY_USAGE 0
44 #define DFL_FORCE_KEY_USAGE 0
45 #define DFL_NS_CERT_TYPE 0
46 #define DFL_FORCE_NS_CERT_TYPE 0
47 #define DFL_MD_ALG MBEDTLS_MD_SHA256
48
49 #define USAGE \
50 "\n usage: cert_req param=<>...\n" \
51 "\n acceptable parameters:\n" \
52 " filename=%%s default: keyfile.key\n" \
53 " password=%%s default: NULL\n" \
54 " debug_level=%%d default: 0 (disabled)\n" \
55 " output_file=%%s default: cert.req\n" \
56 " subject_name=%%s default: CN=Cert,O=mbed TLS,C=UK\n" \
57 " san=%%s default: (none)\n" \
58 " Semicolon-separated-list of values:\n" \
59 " DNS:value\n" \
60 " URI:value\n" \
61 " RFC822:value\n" \
62 " IP:value (Only IPv4 is supported)\n" \
63 " DN:list of comma separated key=value pairs\n" \
64 " key_usage=%%s default: (empty)\n" \
65 " Comma-separated-list of values:\n" \
66 " digital_signature\n" \
67 " non_repudiation\n" \
68 " key_encipherment\n" \
69 " data_encipherment\n" \
70 " key_agreement\n" \
71 " key_cert_sign\n" \
72 " crl_sign\n" \
73 " force_key_usage=0/1 default: off\n" \
74 " Add KeyUsage even if it is empty\n" \
75 " ns_cert_type=%%s default: (empty)\n" \
76 " Comma-separated-list of values:\n" \
77 " ssl_client\n" \
78 " ssl_server\n" \
79 " email\n" \
80 " object_signing\n" \
81 " ssl_ca\n" \
82 " email_ca\n" \
83 " object_signing_ca\n" \
84 " force_ns_cert_type=0/1 default: off\n" \
85 " Add NsCertType even if it is empty\n" \
86 " md=%%s default: SHA256\n" \
87 " possible values:\n" \
88 " MD5, RIPEMD160, SHA1,\n" \
89 " SHA224, SHA256, SHA384, SHA512\n" \
90 "\n"
91
92
93 /*
94 * global options
95 */
96 struct options {
97 const char *filename; /* filename of the key file */
98 const char *password; /* password for the key file */
99 int debug_level; /* level of debugging */
100 const char *output_file; /* where to store the constructed key file */
101 const char *subject_name; /* subject name for certificate request */
102 mbedtls_x509_san_list *san_list; /* subjectAltName for certificate request */
103 unsigned char key_usage; /* key usage flags */
104 int force_key_usage; /* Force adding the KeyUsage extension */
105 unsigned char ns_cert_type; /* NS cert type */
106 int force_ns_cert_type; /* Force adding NsCertType extension */
107 mbedtls_md_type_t md_alg; /* Hash algorithm used for signature. */
108 } opt;
109
write_certificate_request(mbedtls_x509write_csr * req,const char * output_file,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)110 int write_certificate_request(mbedtls_x509write_csr *req, const char *output_file,
111 int (*f_rng)(void *, unsigned char *, size_t),
112 void *p_rng)
113 {
114 int ret;
115 FILE *f;
116 unsigned char output_buf[4096];
117 size_t len = 0;
118
119 memset(output_buf, 0, 4096);
120 if ((ret = mbedtls_x509write_csr_pem(req, output_buf, 4096, f_rng, p_rng)) < 0) {
121 return ret;
122 }
123
124 len = strlen((char *) output_buf);
125
126 if ((f = fopen(output_file, "w")) == NULL) {
127 return -1;
128 }
129
130 if (fwrite(output_buf, 1, len, f) != len) {
131 fclose(f);
132 return -1;
133 }
134
135 fclose(f);
136
137 return 0;
138 }
139
main(int argc,char * argv[])140 int main(int argc, char *argv[])
141 {
142 int ret = 1;
143 int exit_code = MBEDTLS_EXIT_FAILURE;
144 mbedtls_pk_context key;
145 char buf[1024];
146 int i;
147 char *p, *q, *r;
148 mbedtls_x509write_csr req;
149 mbedtls_entropy_context entropy;
150 mbedtls_ctr_drbg_context ctr_drbg;
151 const char *pers = "csr example app";
152 mbedtls_x509_san_list *cur, *prev;
153 mbedtls_asn1_named_data *ext_san_dirname = NULL;
154 #if defined(MBEDTLS_X509_CRT_PARSE_C)
155 uint8_t ip[4] = { 0 };
156 #endif
157 /*
158 * Set to sane values
159 */
160 mbedtls_x509write_csr_init(&req);
161 mbedtls_pk_init(&key);
162 mbedtls_ctr_drbg_init(&ctr_drbg);
163 memset(buf, 0, sizeof(buf));
164 mbedtls_entropy_init(&entropy);
165
166 #if defined(MBEDTLS_USE_PSA_CRYPTO)
167 psa_status_t status = psa_crypto_init();
168 if (status != PSA_SUCCESS) {
169 mbedtls_fprintf(stderr, "Failed to initialize PSA Crypto implementation: %d\n",
170 (int) status);
171 goto exit;
172 }
173 #endif /* MBEDTLS_USE_PSA_CRYPTO */
174
175 if (argc < 2) {
176 usage:
177 mbedtls_printf(USAGE);
178 goto exit;
179 }
180
181 opt.filename = DFL_FILENAME;
182 opt.password = DFL_PASSWORD;
183 opt.debug_level = DFL_DEBUG_LEVEL;
184 opt.output_file = DFL_OUTPUT_FILENAME;
185 opt.subject_name = DFL_SUBJECT_NAME;
186 opt.key_usage = DFL_KEY_USAGE;
187 opt.force_key_usage = DFL_FORCE_KEY_USAGE;
188 opt.ns_cert_type = DFL_NS_CERT_TYPE;
189 opt.force_ns_cert_type = DFL_FORCE_NS_CERT_TYPE;
190 opt.md_alg = DFL_MD_ALG;
191 opt.san_list = NULL;
192
193 for (i = 1; i < argc; i++) {
194 p = argv[i];
195 if ((q = strchr(p, '=')) == NULL) {
196 goto usage;
197 }
198 *q++ = '\0';
199 if (strcmp(p, "filename") == 0) {
200 opt.filename = q;
201 } else if (strcmp(p, "password") == 0) {
202 opt.password = q;
203 } else if (strcmp(p, "output_file") == 0) {
204 opt.output_file = q;
205 } else if (strcmp(p, "debug_level") == 0) {
206 opt.debug_level = atoi(q);
207 if (opt.debug_level < 0 || opt.debug_level > 65535) {
208 goto usage;
209 }
210 } else if (strcmp(p, "subject_name") == 0) {
211 opt.subject_name = q;
212 } else if (strcmp(p, "san") == 0) {
213 char *subtype_value;
214 prev = NULL;
215
216 while (q != NULL) {
217 char *semicolon;
218 r = q;
219
220 /* Find the first non-escaped ; occurrence and remove escaped ones */
221 do {
222 if ((semicolon = strchr(r, ';')) != NULL) {
223 if (*(semicolon-1) != '\\') {
224 r = semicolon;
225 break;
226 }
227 /* Remove the escape character */
228 size_t size_left = strlen(semicolon);
229 memmove(semicolon-1, semicolon, size_left);
230 *(semicolon + size_left - 1) = '\0';
231 /* r will now point at the character after the semicolon */
232 r = semicolon;
233 }
234
235 } while (semicolon != NULL);
236
237 if (semicolon != NULL) {
238 *r++ = '\0';
239 } else {
240 r = NULL;
241 }
242
243 cur = mbedtls_calloc(1, sizeof(mbedtls_x509_san_list));
244 if (cur == NULL) {
245 mbedtls_printf("Not enough memory for subjectAltName list\n");
246 goto usage;
247 }
248
249 cur->next = NULL;
250
251 if ((subtype_value = strchr(q, ':')) != NULL) {
252 *subtype_value++ = '\0';
253 } else {
254 mbedtls_printf(
255 "Invalid argument for option SAN: Entry must be of the form TYPE:value\n");
256 goto usage;
257 }
258 if (strcmp(q, "RFC822") == 0) {
259 cur->node.type = MBEDTLS_X509_SAN_RFC822_NAME;
260 } else if (strcmp(q, "URI") == 0) {
261 cur->node.type = MBEDTLS_X509_SAN_UNIFORM_RESOURCE_IDENTIFIER;
262 } else if (strcmp(q, "DNS") == 0) {
263 cur->node.type = MBEDTLS_X509_SAN_DNS_NAME;
264 } else if (strcmp(q, "IP") == 0) {
265 size_t ip_addr_len = 0;
266 cur->node.type = MBEDTLS_X509_SAN_IP_ADDRESS;
267 ip_addr_len = mbedtls_x509_crt_parse_cn_inet_pton(subtype_value, ip);
268 if (ip_addr_len == 0) {
269 mbedtls_printf("mbedtls_x509_crt_parse_cn_inet_pton failed to parse %s\n",
270 subtype_value);
271 goto exit;
272 }
273 cur->node.san.unstructured_name.p = (unsigned char *) ip;
274 cur->node.san.unstructured_name.len = sizeof(ip);
275 } else if (strcmp(q, "DN") == 0) {
276 cur->node.type = MBEDTLS_X509_SAN_DIRECTORY_NAME;
277 if ((ret = mbedtls_x509_string_to_names(&ext_san_dirname,
278 subtype_value)) != 0) {
279 mbedtls_strerror(ret, buf, sizeof(buf));
280 mbedtls_printf(
281 " failed\n ! mbedtls_x509_string_to_names "
282 "returned -0x%04x - %s\n\n",
283 (unsigned int) -ret, buf);
284 goto exit;
285 }
286 cur->node.san.directory_name = *ext_san_dirname;
287 } else {
288 mbedtls_free(cur);
289 goto usage;
290 }
291
292 if (cur->node.type == MBEDTLS_X509_SAN_RFC822_NAME ||
293 cur->node.type == MBEDTLS_X509_SAN_UNIFORM_RESOURCE_IDENTIFIER ||
294 cur->node.type == MBEDTLS_X509_SAN_DNS_NAME) {
295 q = subtype_value;
296 cur->node.san.unstructured_name.p = (unsigned char *) q;
297 cur->node.san.unstructured_name.len = strlen(q);
298 }
299
300 if (prev == NULL) {
301 opt.san_list = cur;
302 } else {
303 prev->next = cur;
304 }
305
306 prev = cur;
307 q = r;
308 }
309 } else if (strcmp(p, "md") == 0) {
310 const mbedtls_md_info_t *md_info =
311 mbedtls_md_info_from_string(q);
312 if (md_info == NULL) {
313 mbedtls_printf("Invalid argument for option %s\n", p);
314 goto usage;
315 }
316 opt.md_alg = mbedtls_md_get_type(md_info);
317 } else if (strcmp(p, "key_usage") == 0) {
318 while (q != NULL) {
319 if ((r = strchr(q, ',')) != NULL) {
320 *r++ = '\0';
321 }
322
323 if (strcmp(q, "digital_signature") == 0) {
324 opt.key_usage |= MBEDTLS_X509_KU_DIGITAL_SIGNATURE;
325 } else if (strcmp(q, "non_repudiation") == 0) {
326 opt.key_usage |= MBEDTLS_X509_KU_NON_REPUDIATION;
327 } else if (strcmp(q, "key_encipherment") == 0) {
328 opt.key_usage |= MBEDTLS_X509_KU_KEY_ENCIPHERMENT;
329 } else if (strcmp(q, "data_encipherment") == 0) {
330 opt.key_usage |= MBEDTLS_X509_KU_DATA_ENCIPHERMENT;
331 } else if (strcmp(q, "key_agreement") == 0) {
332 opt.key_usage |= MBEDTLS_X509_KU_KEY_AGREEMENT;
333 } else if (strcmp(q, "key_cert_sign") == 0) {
334 opt.key_usage |= MBEDTLS_X509_KU_KEY_CERT_SIGN;
335 } else if (strcmp(q, "crl_sign") == 0) {
336 opt.key_usage |= MBEDTLS_X509_KU_CRL_SIGN;
337 } else {
338 goto usage;
339 }
340
341 q = r;
342 }
343 } else if (strcmp(p, "force_key_usage") == 0) {
344 switch (atoi(q)) {
345 case 0: opt.force_key_usage = 0; break;
346 case 1: opt.force_key_usage = 1; break;
347 default: goto usage;
348 }
349 } else if (strcmp(p, "ns_cert_type") == 0) {
350 while (q != NULL) {
351 if ((r = strchr(q, ',')) != NULL) {
352 *r++ = '\0';
353 }
354
355 if (strcmp(q, "ssl_client") == 0) {
356 opt.ns_cert_type |= MBEDTLS_X509_NS_CERT_TYPE_SSL_CLIENT;
357 } else if (strcmp(q, "ssl_server") == 0) {
358 opt.ns_cert_type |= MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER;
359 } else if (strcmp(q, "email") == 0) {
360 opt.ns_cert_type |= MBEDTLS_X509_NS_CERT_TYPE_EMAIL;
361 } else if (strcmp(q, "object_signing") == 0) {
362 opt.ns_cert_type |= MBEDTLS_X509_NS_CERT_TYPE_OBJECT_SIGNING;
363 } else if (strcmp(q, "ssl_ca") == 0) {
364 opt.ns_cert_type |= MBEDTLS_X509_NS_CERT_TYPE_SSL_CA;
365 } else if (strcmp(q, "email_ca") == 0) {
366 opt.ns_cert_type |= MBEDTLS_X509_NS_CERT_TYPE_EMAIL_CA;
367 } else if (strcmp(q, "object_signing_ca") == 0) {
368 opt.ns_cert_type |= MBEDTLS_X509_NS_CERT_TYPE_OBJECT_SIGNING_CA;
369 } else {
370 goto usage;
371 }
372
373 q = r;
374 }
375 } else if (strcmp(p, "force_ns_cert_type") == 0) {
376 switch (atoi(q)) {
377 case 0: opt.force_ns_cert_type = 0; break;
378 case 1: opt.force_ns_cert_type = 1; break;
379 default: goto usage;
380 }
381 } else {
382 goto usage;
383 }
384 }
385
386 /* Set the MD algorithm to use for the signature in the CSR */
387 mbedtls_x509write_csr_set_md_alg(&req, opt.md_alg);
388
389 /* Set the Key Usage Extension flags in the CSR */
390 if (opt.key_usage || opt.force_key_usage == 1) {
391 ret = mbedtls_x509write_csr_set_key_usage(&req, opt.key_usage);
392
393 if (ret != 0) {
394 mbedtls_printf(" failed\n ! mbedtls_x509write_csr_set_key_usage returned %d", ret);
395 goto exit;
396 }
397 }
398
399 /* Set the Cert Type flags in the CSR */
400 if (opt.ns_cert_type || opt.force_ns_cert_type == 1) {
401 ret = mbedtls_x509write_csr_set_ns_cert_type(&req, opt.ns_cert_type);
402
403 if (ret != 0) {
404 mbedtls_printf(" failed\n ! mbedtls_x509write_csr_set_ns_cert_type returned %d", ret);
405 goto exit;
406 }
407 }
408
409 /* Set the SubjectAltName in the CSR */
410 if (opt.san_list != NULL) {
411 ret = mbedtls_x509write_csr_set_subject_alternative_name(&req, opt.san_list);
412
413 if (ret != 0) {
414 mbedtls_printf(
415 " failed\n ! mbedtls_x509write_csr_set_subject_alternative_name returned %d",
416 ret);
417 goto exit;
418 }
419 }
420
421 /*
422 * 0. Seed the PRNG
423 */
424 mbedtls_printf(" . Seeding the random number generator...");
425 fflush(stdout);
426
427 if ((ret = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy,
428 (const unsigned char *) pers,
429 strlen(pers))) != 0) {
430 mbedtls_printf(" failed\n ! mbedtls_ctr_drbg_seed returned %d", ret);
431 goto exit;
432 }
433
434 mbedtls_printf(" ok\n");
435
436 /*
437 * 1.0. Check the subject name for validity
438 */
439 mbedtls_printf(" . Checking subject name...");
440 fflush(stdout);
441
442 if ((ret = mbedtls_x509write_csr_set_subject_name(&req, opt.subject_name)) != 0) {
443 mbedtls_printf(" failed\n ! mbedtls_x509write_csr_set_subject_name returned %d", ret);
444 goto exit;
445 }
446
447 mbedtls_printf(" ok\n");
448
449 /*
450 * 1.1. Load the key
451 */
452 mbedtls_printf(" . Loading the private key ...");
453 fflush(stdout);
454
455 ret = mbedtls_pk_parse_keyfile(&key, opt.filename, opt.password,
456 mbedtls_ctr_drbg_random, &ctr_drbg);
457
458 if (ret != 0) {
459 mbedtls_printf(" failed\n ! mbedtls_pk_parse_keyfile returned %d", ret);
460 goto exit;
461 }
462
463 mbedtls_x509write_csr_set_key(&req, &key);
464
465 mbedtls_printf(" ok\n");
466
467 /*
468 * 1.2. Writing the request
469 */
470 mbedtls_printf(" . Writing the certificate request ...");
471 fflush(stdout);
472
473 if ((ret = write_certificate_request(&req, opt.output_file,
474 mbedtls_ctr_drbg_random, &ctr_drbg)) != 0) {
475 mbedtls_printf(" failed\n ! write_certificate_request %d", ret);
476 goto exit;
477 }
478
479 mbedtls_printf(" ok\n");
480
481 exit_code = MBEDTLS_EXIT_SUCCESS;
482
483 exit:
484
485 if (exit_code != MBEDTLS_EXIT_SUCCESS) {
486 #ifdef MBEDTLS_ERROR_C
487 mbedtls_strerror(ret, buf, sizeof(buf));
488 mbedtls_printf(" - %s\n", buf);
489 #else
490 mbedtls_printf("\n");
491 #endif
492 }
493
494 mbedtls_x509write_csr_free(&req);
495 mbedtls_asn1_free_named_data_list(&ext_san_dirname);
496 mbedtls_pk_free(&key);
497 mbedtls_ctr_drbg_free(&ctr_drbg);
498 mbedtls_entropy_free(&entropy);
499 #if defined(MBEDTLS_USE_PSA_CRYPTO)
500 mbedtls_psa_crypto_free();
501 #endif /* MBEDTLS_USE_PSA_CRYPTO */
502
503 cur = opt.san_list;
504 while (cur != NULL) {
505 prev = cur;
506 cur = cur->next;
507 mbedtls_free(prev);
508 }
509
510
511 mbedtls_exit(exit_code);
512 }
513 #endif /* MBEDTLS_X509_CSR_WRITE_C && MBEDTLS_PK_PARSE_C && MBEDTLS_FS_IO &&
514 MBEDTLS_ENTROPY_C && MBEDTLS_CTR_DRBG_C && MBEDTLS_PEM_WRITE_C */
515
