1 /*
2 * Certificate generation and signing
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 */
19
20 #if !defined(MBEDTLS_CONFIG_FILE)
21 #include "mbedtls/config.h"
22 #else
23 #include MBEDTLS_CONFIG_FILE
24 #endif
25
26 #if defined(MBEDTLS_PLATFORM_C)
27 #include "mbedtls/platform.h"
28 #else
29 #include <stdio.h>
30 #include <stdlib.h>
31 #define mbedtls_printf printf
32 #define mbedtls_exit exit
33 #define MBEDTLS_EXIT_SUCCESS EXIT_SUCCESS
34 #define MBEDTLS_EXIT_FAILURE EXIT_FAILURE
35 #endif /* MBEDTLS_PLATFORM_C */
36
37 #if !defined(MBEDTLS_X509_CRT_WRITE_C) || \
38 !defined(MBEDTLS_X509_CRT_PARSE_C) || !defined(MBEDTLS_FS_IO) || \
39 !defined(MBEDTLS_ENTROPY_C) || !defined(MBEDTLS_CTR_DRBG_C) || \
40 !defined(MBEDTLS_ERROR_C) || !defined(MBEDTLS_SHA256_C) || \
41 !defined(MBEDTLS_PEM_WRITE_C)
main(void)42 int main( void )
43 {
44 mbedtls_printf( "MBEDTLS_X509_CRT_WRITE_C and/or MBEDTLS_X509_CRT_PARSE_C and/or "
45 "MBEDTLS_FS_IO and/or MBEDTLS_SHA256_C and/or "
46 "MBEDTLS_ENTROPY_C and/or MBEDTLS_CTR_DRBG_C and/or "
47 "MBEDTLS_ERROR_C not defined.\n");
48 mbedtls_exit( 0 );
49 }
50 #else
51
52 #include "mbedtls/x509_crt.h"
53 #include "mbedtls/x509_csr.h"
54 #include "mbedtls/entropy.h"
55 #include "mbedtls/ctr_drbg.h"
56 #include "mbedtls/md.h"
57 #include "mbedtls/error.h"
58
59 #include <stdio.h>
60 #include <stdlib.h>
61 #include <string.h>
62
63 #if defined(MBEDTLS_X509_CSR_PARSE_C)
64 #define USAGE_CSR \
65 " request_file=%%s default: (empty)\n" \
66 " If request_file is specified, subject_key,\n" \
67 " subject_pwd and subject_name are ignored!\n"
68 #else
69 #define USAGE_CSR ""
70 #endif /* MBEDTLS_X509_CSR_PARSE_C */
71
72 #define DFL_ISSUER_CRT ""
73 #define DFL_REQUEST_FILE ""
74 #define DFL_SUBJECT_KEY "subject.key"
75 #define DFL_ISSUER_KEY "ca.key"
76 #define DFL_SUBJECT_PWD ""
77 #define DFL_ISSUER_PWD ""
78 #define DFL_OUTPUT_FILENAME "cert.crt"
79 #define DFL_SUBJECT_NAME "CN=Cert,O=mbed TLS,C=UK"
80 #define DFL_ISSUER_NAME "CN=CA,O=mbed TLS,C=UK"
81 #define DFL_NOT_BEFORE "20010101000000"
82 #define DFL_NOT_AFTER "20301231235959"
83 #define DFL_SERIAL "1"
84 #define DFL_SELFSIGN 0
85 #define DFL_IS_CA 0
86 #define DFL_MAX_PATHLEN -1
87 #define DFL_KEY_USAGE 0
88 #define DFL_NS_CERT_TYPE 0
89 #define DFL_VERSION 3
90 #define DFL_AUTH_IDENT 1
91 #define DFL_SUBJ_IDENT 1
92 #define DFL_CONSTRAINTS 1
93 #define DFL_DIGEST MBEDTLS_MD_SHA256
94
95 #define USAGE \
96 "\n usage: cert_write param=<>...\n" \
97 "\n acceptable parameters:\n" \
98 USAGE_CSR \
99 " subject_key=%%s default: subject.key\n" \
100 " subject_pwd=%%s default: (empty)\n" \
101 " subject_name=%%s default: CN=Cert,O=mbed TLS,C=UK\n" \
102 "\n" \
103 " issuer_crt=%%s default: (empty)\n" \
104 " If issuer_crt is specified, issuer_name is\n" \
105 " ignored!\n" \
106 " issuer_name=%%s default: CN=CA,O=mbed TLS,C=UK\n" \
107 "\n" \
108 " selfsign=%%d default: 0 (false)\n" \
109 " If selfsign is enabled, issuer_name and\n" \
110 " issuer_key are required (issuer_crt and\n" \
111 " subject_* are ignored\n" \
112 " issuer_key=%%s default: ca.key\n" \
113 " issuer_pwd=%%s default: (empty)\n" \
114 " output_file=%%s default: cert.crt\n" \
115 " serial=%%s default: 1\n" \
116 " not_before=%%s default: 20010101000000\n"\
117 " not_after=%%s default: 20301231235959\n"\
118 " is_ca=%%d default: 0 (disabled)\n" \
119 " max_pathlen=%%d default: -1 (none)\n" \
120 " md=%%s default: SHA256\n" \
121 " Supported values (if enabled):\n" \
122 " MD2, MD4, MD5, RIPEMD160, SHA1,\n" \
123 " SHA224, SHA256, SHA384, SHA512\n" \
124 " version=%%d default: 3\n" \
125 " Possible values: 1, 2, 3\n"\
126 " subject_identifier=%%s default: 1\n" \
127 " Possible values: 0, 1\n" \
128 " (Considered for v3 only)\n"\
129 " authority_identifier=%%s default: 1\n" \
130 " Possible values: 0, 1\n" \
131 " (Considered for v3 only)\n"\
132 " basic_constraints=%%d default: 1\n" \
133 " Possible values: 0, 1\n" \
134 " (Considered for v3 only)\n"\
135 " key_usage=%%s default: (empty)\n" \
136 " Comma-separated-list of values:\n" \
137 " digital_signature\n" \
138 " non_repudiation\n" \
139 " key_encipherment\n" \
140 " data_encipherment\n" \
141 " key_agreement\n" \
142 " key_cert_sign\n" \
143 " crl_sign\n" \
144 " (Considered for v3 only)\n"\
145 " ns_cert_type=%%s default: (empty)\n" \
146 " Comma-separated-list of values:\n" \
147 " ssl_client\n" \
148 " ssl_server\n" \
149 " email\n" \
150 " object_signing\n" \
151 " ssl_ca\n" \
152 " email_ca\n" \
153 " object_signing_ca\n" \
154 "\n"
155
156
157 /*
158 * global options
159 */
160 struct options
161 {
162 const char *issuer_crt; /* filename of the issuer certificate */
163 const char *request_file; /* filename of the certificate request */
164 const char *subject_key; /* filename of the subject key file */
165 const char *issuer_key; /* filename of the issuer key file */
166 const char *subject_pwd; /* password for the subject key file */
167 const char *issuer_pwd; /* password for the issuer key file */
168 const char *output_file; /* where to store the constructed CRT */
169 const char *subject_name; /* subject name for certificate */
170 const char *issuer_name; /* issuer name for certificate */
171 const char *not_before; /* validity period not before */
172 const char *not_after; /* validity period not after */
173 const char *serial; /* serial number string */
174 int selfsign; /* selfsign the certificate */
175 int is_ca; /* is a CA certificate */
176 int max_pathlen; /* maximum CA path length */
177 int authority_identifier; /* add authority identifier to CRT */
178 int subject_identifier; /* add subject identifier to CRT */
179 int basic_constraints; /* add basic constraints ext to CRT */
180 int version; /* CRT version */
181 mbedtls_md_type_t md; /* Hash used for signing */
182 unsigned char key_usage; /* key usage flags */
183 unsigned char ns_cert_type; /* NS cert type */
184 } opt;
185
write_certificate(mbedtls_x509write_cert * crt,const char * output_file,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)186 int write_certificate( mbedtls_x509write_cert *crt, const char *output_file,
187 int (*f_rng)(void *, unsigned char *, size_t),
188 void *p_rng )
189 {
190 int ret;
191 FILE *f;
192 unsigned char output_buf[4096];
193 size_t len = 0;
194
195 memset( output_buf, 0, 4096 );
196 if( ( ret = mbedtls_x509write_crt_pem( crt, output_buf, 4096,
197 f_rng, p_rng ) ) < 0 )
198 return( ret );
199
200 len = strlen( (char *) output_buf );
201
202 if( ( f = fopen( output_file, "w" ) ) == NULL )
203 return( -1 );
204
205 if( fwrite( output_buf, 1, len, f ) != len )
206 {
207 fclose( f );
208 return( -1 );
209 }
210
211 fclose( f );
212
213 return( 0 );
214 }
215
main(int argc,char * argv[])216 int main( int argc, char *argv[] )
217 {
218 int ret = 1;
219 int exit_code = MBEDTLS_EXIT_FAILURE;
220 mbedtls_x509_crt issuer_crt;
221 mbedtls_pk_context loaded_issuer_key, loaded_subject_key;
222 mbedtls_pk_context *issuer_key = &loaded_issuer_key,
223 *subject_key = &loaded_subject_key;
224 char buf[1024];
225 char issuer_name[256];
226 int i;
227 char *p, *q, *r;
228 #if defined(MBEDTLS_X509_CSR_PARSE_C)
229 char subject_name[256];
230 mbedtls_x509_csr csr;
231 #endif
232 mbedtls_x509write_cert crt;
233 mbedtls_mpi serial;
234 mbedtls_entropy_context entropy;
235 mbedtls_ctr_drbg_context ctr_drbg;
236 const char *pers = "crt example app";
237
238 /*
239 * Set to sane values
240 */
241 mbedtls_x509write_crt_init( &crt );
242 mbedtls_pk_init( &loaded_issuer_key );
243 mbedtls_pk_init( &loaded_subject_key );
244 mbedtls_mpi_init( &serial );
245 mbedtls_ctr_drbg_init( &ctr_drbg );
246 mbedtls_entropy_init( &entropy );
247 #if defined(MBEDTLS_X509_CSR_PARSE_C)
248 mbedtls_x509_csr_init( &csr );
249 #endif
250 mbedtls_x509_crt_init( &issuer_crt );
251 memset( buf, 0, 1024 );
252
253 if( argc == 0 )
254 {
255 usage:
256 mbedtls_printf( USAGE );
257 goto exit;
258 }
259
260 opt.issuer_crt = DFL_ISSUER_CRT;
261 opt.request_file = DFL_REQUEST_FILE;
262 opt.subject_key = DFL_SUBJECT_KEY;
263 opt.issuer_key = DFL_ISSUER_KEY;
264 opt.subject_pwd = DFL_SUBJECT_PWD;
265 opt.issuer_pwd = DFL_ISSUER_PWD;
266 opt.output_file = DFL_OUTPUT_FILENAME;
267 opt.subject_name = DFL_SUBJECT_NAME;
268 opt.issuer_name = DFL_ISSUER_NAME;
269 opt.not_before = DFL_NOT_BEFORE;
270 opt.not_after = DFL_NOT_AFTER;
271 opt.serial = DFL_SERIAL;
272 opt.selfsign = DFL_SELFSIGN;
273 opt.is_ca = DFL_IS_CA;
274 opt.max_pathlen = DFL_MAX_PATHLEN;
275 opt.key_usage = DFL_KEY_USAGE;
276 opt.ns_cert_type = DFL_NS_CERT_TYPE;
277 opt.version = DFL_VERSION - 1;
278 opt.md = DFL_DIGEST;
279 opt.subject_identifier = DFL_SUBJ_IDENT;
280 opt.authority_identifier = DFL_AUTH_IDENT;
281 opt.basic_constraints = DFL_CONSTRAINTS;
282
283 for( i = 1; i < argc; i++ )
284 {
285
286 p = argv[i];
287 if( ( q = strchr( p, '=' ) ) == NULL )
288 goto usage;
289 *q++ = '\0';
290
291 if( strcmp( p, "request_file" ) == 0 )
292 opt.request_file = q;
293 else if( strcmp( p, "subject_key" ) == 0 )
294 opt.subject_key = q;
295 else if( strcmp( p, "issuer_key" ) == 0 )
296 opt.issuer_key = q;
297 else if( strcmp( p, "subject_pwd" ) == 0 )
298 opt.subject_pwd = q;
299 else if( strcmp( p, "issuer_pwd" ) == 0 )
300 opt.issuer_pwd = q;
301 else if( strcmp( p, "issuer_crt" ) == 0 )
302 opt.issuer_crt = q;
303 else if( strcmp( p, "output_file" ) == 0 )
304 opt.output_file = q;
305 else if( strcmp( p, "subject_name" ) == 0 )
306 {
307 opt.subject_name = q;
308 }
309 else if( strcmp( p, "issuer_name" ) == 0 )
310 {
311 opt.issuer_name = q;
312 }
313 else if( strcmp( p, "not_before" ) == 0 )
314 {
315 opt.not_before = q;
316 }
317 else if( strcmp( p, "not_after" ) == 0 )
318 {
319 opt.not_after = q;
320 }
321 else if( strcmp( p, "serial" ) == 0 )
322 {
323 opt.serial = q;
324 }
325 else if( strcmp( p, "authority_identifier" ) == 0 )
326 {
327 opt.authority_identifier = atoi( q );
328 if( opt.authority_identifier != 0 &&
329 opt.authority_identifier != 1 )
330 {
331 mbedtls_printf( "Invalid argument for option %s\n", p );
332 goto usage;
333 }
334 }
335 else if( strcmp( p, "subject_identifier" ) == 0 )
336 {
337 opt.subject_identifier = atoi( q );
338 if( opt.subject_identifier != 0 &&
339 opt.subject_identifier != 1 )
340 {
341 mbedtls_printf( "Invalid argument for option %s\n", p );
342 goto usage;
343 }
344 }
345 else if( strcmp( p, "basic_constraints" ) == 0 )
346 {
347 opt.basic_constraints = atoi( q );
348 if( opt.basic_constraints != 0 &&
349 opt.basic_constraints != 1 )
350 {
351 mbedtls_printf( "Invalid argument for option %s\n", p );
352 goto usage;
353 }
354 }
355 else if( strcmp( p, "md" ) == 0 )
356 {
357 const mbedtls_md_info_t *md_info =
358 mbedtls_md_info_from_string( q );
359 if( md_info == NULL )
360 {
361 mbedtls_printf( "Invalid argument for option %s\n", p );
362 goto usage;
363 }
364 opt.md = mbedtls_md_get_type( md_info );
365 }
366 else if( strcmp( p, "version" ) == 0 )
367 {
368 opt.version = atoi( q );
369 if( opt.version < 1 || opt.version > 3 )
370 {
371 mbedtls_printf( "Invalid argument for option %s\n", p );
372 goto usage;
373 }
374 opt.version--;
375 }
376 else if( strcmp( p, "selfsign" ) == 0 )
377 {
378 opt.selfsign = atoi( q );
379 if( opt.selfsign < 0 || opt.selfsign > 1 )
380 {
381 mbedtls_printf( "Invalid argument for option %s\n", p );
382 goto usage;
383 }
384 }
385 else if( strcmp( p, "is_ca" ) == 0 )
386 {
387 opt.is_ca = atoi( q );
388 if( opt.is_ca < 0 || opt.is_ca > 1 )
389 {
390 mbedtls_printf( "Invalid argument for option %s\n", p );
391 goto usage;
392 }
393 }
394 else if( strcmp( p, "max_pathlen" ) == 0 )
395 {
396 opt.max_pathlen = atoi( q );
397 if( opt.max_pathlen < -1 || opt.max_pathlen > 127 )
398 {
399 mbedtls_printf( "Invalid argument for option %s\n", p );
400 goto usage;
401 }
402 }
403 else if( strcmp( p, "key_usage" ) == 0 )
404 {
405 while( q != NULL )
406 {
407 if( ( r = strchr( q, ',' ) ) != NULL )
408 *r++ = '\0';
409
410 if( strcmp( q, "digital_signature" ) == 0 )
411 opt.key_usage |= MBEDTLS_X509_KU_DIGITAL_SIGNATURE;
412 else if( strcmp( q, "non_repudiation" ) == 0 )
413 opt.key_usage |= MBEDTLS_X509_KU_NON_REPUDIATION;
414 else if( strcmp( q, "key_encipherment" ) == 0 )
415 opt.key_usage |= MBEDTLS_X509_KU_KEY_ENCIPHERMENT;
416 else if( strcmp( q, "data_encipherment" ) == 0 )
417 opt.key_usage |= MBEDTLS_X509_KU_DATA_ENCIPHERMENT;
418 else if( strcmp( q, "key_agreement" ) == 0 )
419 opt.key_usage |= MBEDTLS_X509_KU_KEY_AGREEMENT;
420 else if( strcmp( q, "key_cert_sign" ) == 0 )
421 opt.key_usage |= MBEDTLS_X509_KU_KEY_CERT_SIGN;
422 else if( strcmp( q, "crl_sign" ) == 0 )
423 opt.key_usage |= MBEDTLS_X509_KU_CRL_SIGN;
424 else
425 {
426 mbedtls_printf( "Invalid argument for option %s\n", p );
427 goto usage;
428 }
429
430 q = r;
431 }
432 }
433 else if( strcmp( p, "ns_cert_type" ) == 0 )
434 {
435 while( q != NULL )
436 {
437 if( ( r = strchr( q, ',' ) ) != NULL )
438 *r++ = '\0';
439
440 if( strcmp( q, "ssl_client" ) == 0 )
441 opt.ns_cert_type |= MBEDTLS_X509_NS_CERT_TYPE_SSL_CLIENT;
442 else if( strcmp( q, "ssl_server" ) == 0 )
443 opt.ns_cert_type |= MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER;
444 else if( strcmp( q, "email" ) == 0 )
445 opt.ns_cert_type |= MBEDTLS_X509_NS_CERT_TYPE_EMAIL;
446 else if( strcmp( q, "object_signing" ) == 0 )
447 opt.ns_cert_type |= MBEDTLS_X509_NS_CERT_TYPE_OBJECT_SIGNING;
448 else if( strcmp( q, "ssl_ca" ) == 0 )
449 opt.ns_cert_type |= MBEDTLS_X509_NS_CERT_TYPE_SSL_CA;
450 else if( strcmp( q, "email_ca" ) == 0 )
451 opt.ns_cert_type |= MBEDTLS_X509_NS_CERT_TYPE_EMAIL_CA;
452 else if( strcmp( q, "object_signing_ca" ) == 0 )
453 opt.ns_cert_type |= MBEDTLS_X509_NS_CERT_TYPE_OBJECT_SIGNING_CA;
454 else
455 {
456 mbedtls_printf( "Invalid argument for option %s\n", p );
457 goto usage;
458 }
459
460 q = r;
461 }
462 }
463 else
464 goto usage;
465 }
466
467 mbedtls_printf("\n");
468
469 /*
470 * 0. Seed the PRNG
471 */
472 mbedtls_printf( " . Seeding the random number generator..." );
473 fflush( stdout );
474
475 if( ( ret = mbedtls_ctr_drbg_seed( &ctr_drbg, mbedtls_entropy_func, &entropy,
476 (const unsigned char *) pers,
477 strlen( pers ) ) ) != 0 )
478 {
479 mbedtls_strerror( ret, buf, 1024 );
480 mbedtls_printf( " failed\n ! mbedtls_ctr_drbg_seed returned %d - %s\n",
481 ret, buf );
482 goto exit;
483 }
484
485 mbedtls_printf( " ok\n" );
486
487 // Parse serial to MPI
488 //
489 mbedtls_printf( " . Reading serial number..." );
490 fflush( stdout );
491
492 if( ( ret = mbedtls_mpi_read_string( &serial, 10, opt.serial ) ) != 0 )
493 {
494 mbedtls_strerror( ret, buf, 1024 );
495 mbedtls_printf( " failed\n ! mbedtls_mpi_read_string "
496 "returned -0x%04x - %s\n\n", (unsigned int) -ret, buf );
497 goto exit;
498 }
499
500 mbedtls_printf( " ok\n" );
501
502 // Parse issuer certificate if present
503 //
504 if( !opt.selfsign && strlen( opt.issuer_crt ) )
505 {
506 /*
507 * 1.0.a. Load the certificates
508 */
509 mbedtls_printf( " . Loading the issuer certificate ..." );
510 fflush( stdout );
511
512 if( ( ret = mbedtls_x509_crt_parse_file( &issuer_crt, opt.issuer_crt ) ) != 0 )
513 {
514 mbedtls_strerror( ret, buf, 1024 );
515 mbedtls_printf( " failed\n ! mbedtls_x509_crt_parse_file "
516 "returned -0x%04x - %s\n\n", (unsigned int) -ret, buf );
517 goto exit;
518 }
519
520 ret = mbedtls_x509_dn_gets( issuer_name, sizeof(issuer_name),
521 &issuer_crt.subject );
522 if( ret < 0 )
523 {
524 mbedtls_strerror( ret, buf, 1024 );
525 mbedtls_printf( " failed\n ! mbedtls_x509_dn_gets "
526 "returned -0x%04x - %s\n\n", (unsigned int) -ret, buf );
527 goto exit;
528 }
529
530 opt.issuer_name = issuer_name;
531
532 mbedtls_printf( " ok\n" );
533 }
534
535 #if defined(MBEDTLS_X509_CSR_PARSE_C)
536 // Parse certificate request if present
537 //
538 if( !opt.selfsign && strlen( opt.request_file ) )
539 {
540 /*
541 * 1.0.b. Load the CSR
542 */
543 mbedtls_printf( " . Loading the certificate request ..." );
544 fflush( stdout );
545
546 if( ( ret = mbedtls_x509_csr_parse_file( &csr, opt.request_file ) ) != 0 )
547 {
548 mbedtls_strerror( ret, buf, 1024 );
549 mbedtls_printf( " failed\n ! mbedtls_x509_csr_parse_file "
550 "returned -0x%04x - %s\n\n", (unsigned int) -ret, buf );
551 goto exit;
552 }
553
554 ret = mbedtls_x509_dn_gets( subject_name, sizeof(subject_name),
555 &csr.subject );
556 if( ret < 0 )
557 {
558 mbedtls_strerror( ret, buf, 1024 );
559 mbedtls_printf( " failed\n ! mbedtls_x509_dn_gets "
560 "returned -0x%04x - %s\n\n", (unsigned int) -ret, buf );
561 goto exit;
562 }
563
564 opt.subject_name = subject_name;
565 subject_key = &csr.pk;
566
567 mbedtls_printf( " ok\n" );
568 }
569 #endif /* MBEDTLS_X509_CSR_PARSE_C */
570
571 /*
572 * 1.1. Load the keys
573 */
574 if( !opt.selfsign && !strlen( opt.request_file ) )
575 {
576 mbedtls_printf( " . Loading the subject key ..." );
577 fflush( stdout );
578
579 ret = mbedtls_pk_parse_keyfile( &loaded_subject_key, opt.subject_key,
580 opt.subject_pwd );
581 if( ret != 0 )
582 {
583 mbedtls_strerror( ret, buf, 1024 );
584 mbedtls_printf( " failed\n ! mbedtls_pk_parse_keyfile "
585 "returned -0x%04x - %s\n\n", (unsigned int) -ret, buf );
586 goto exit;
587 }
588
589 mbedtls_printf( " ok\n" );
590 }
591
592 mbedtls_printf( " . Loading the issuer key ..." );
593 fflush( stdout );
594
595 ret = mbedtls_pk_parse_keyfile( &loaded_issuer_key, opt.issuer_key,
596 opt.issuer_pwd );
597 if( ret != 0 )
598 {
599 mbedtls_strerror( ret, buf, 1024 );
600 mbedtls_printf( " failed\n ! mbedtls_pk_parse_keyfile "
601 "returned -x%02x - %s\n\n", (unsigned int) -ret, buf );
602 goto exit;
603 }
604
605 // Check if key and issuer certificate match
606 //
607 if( strlen( opt.issuer_crt ) )
608 {
609 if( mbedtls_pk_check_pair( &issuer_crt.pk, issuer_key ) != 0 )
610 {
611 mbedtls_printf( " failed\n ! issuer_key does not match "
612 "issuer certificate\n\n" );
613 goto exit;
614 }
615 }
616
617 mbedtls_printf( " ok\n" );
618
619 if( opt.selfsign )
620 {
621 opt.subject_name = opt.issuer_name;
622 subject_key = issuer_key;
623 }
624
625 mbedtls_x509write_crt_set_subject_key( &crt, subject_key );
626 mbedtls_x509write_crt_set_issuer_key( &crt, issuer_key );
627
628 /*
629 * 1.0. Check the names for validity
630 */
631 if( ( ret = mbedtls_x509write_crt_set_subject_name( &crt, opt.subject_name ) ) != 0 )
632 {
633 mbedtls_strerror( ret, buf, 1024 );
634 mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_subject_name "
635 "returned -0x%04x - %s\n\n", (unsigned int) -ret, buf );
636 goto exit;
637 }
638
639 if( ( ret = mbedtls_x509write_crt_set_issuer_name( &crt, opt.issuer_name ) ) != 0 )
640 {
641 mbedtls_strerror( ret, buf, 1024 );
642 mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_issuer_name "
643 "returned -0x%04x - %s\n\n", (unsigned int) -ret, buf );
644 goto exit;
645 }
646
647 mbedtls_printf( " . Setting certificate values ..." );
648 fflush( stdout );
649
650 mbedtls_x509write_crt_set_version( &crt, opt.version );
651 mbedtls_x509write_crt_set_md_alg( &crt, opt.md );
652
653 ret = mbedtls_x509write_crt_set_serial( &crt, &serial );
654 if( ret != 0 )
655 {
656 mbedtls_strerror( ret, buf, 1024 );
657 mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_serial "
658 "returned -0x%04x - %s\n\n", (unsigned int) -ret, buf );
659 goto exit;
660 }
661
662 ret = mbedtls_x509write_crt_set_validity( &crt, opt.not_before, opt.not_after );
663 if( ret != 0 )
664 {
665 mbedtls_strerror( ret, buf, 1024 );
666 mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_validity "
667 "returned -0x%04x - %s\n\n", (unsigned int) -ret, buf );
668 goto exit;
669 }
670
671 mbedtls_printf( " ok\n" );
672
673 if( opt.version == MBEDTLS_X509_CRT_VERSION_3 &&
674 opt.basic_constraints != 0 )
675 {
676 mbedtls_printf( " . Adding the Basic Constraints extension ..." );
677 fflush( stdout );
678
679 ret = mbedtls_x509write_crt_set_basic_constraints( &crt, opt.is_ca,
680 opt.max_pathlen );
681 if( ret != 0 )
682 {
683 mbedtls_strerror( ret, buf, 1024 );
684 mbedtls_printf( " failed\n ! x509write_crt_set_basic_contraints "
685 "returned -0x%04x - %s\n\n", (unsigned int) -ret, buf );
686 goto exit;
687 }
688
689 mbedtls_printf( " ok\n" );
690 }
691
692 #if defined(MBEDTLS_SHA1_C)
693 if( opt.version == MBEDTLS_X509_CRT_VERSION_3 &&
694 opt.subject_identifier != 0 )
695 {
696 mbedtls_printf( " . Adding the Subject Key Identifier ..." );
697 fflush( stdout );
698
699 ret = mbedtls_x509write_crt_set_subject_key_identifier( &crt );
700 if( ret != 0 )
701 {
702 mbedtls_strerror( ret, buf, 1024 );
703 mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_subject"
704 "_key_identifier returned -0x%04x - %s\n\n",
705 (unsigned int) -ret, buf );
706 goto exit;
707 }
708
709 mbedtls_printf( " ok\n" );
710 }
711
712 if( opt.version == MBEDTLS_X509_CRT_VERSION_3 &&
713 opt.authority_identifier != 0 )
714 {
715 mbedtls_printf( " . Adding the Authority Key Identifier ..." );
716 fflush( stdout );
717
718 ret = mbedtls_x509write_crt_set_authority_key_identifier( &crt );
719 if( ret != 0 )
720 {
721 mbedtls_strerror( ret, buf, 1024 );
722 mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_authority_"
723 "key_identifier returned -0x%04x - %s\n\n",
724 (unsigned int) -ret, buf );
725 goto exit;
726 }
727
728 mbedtls_printf( " ok\n" );
729 }
730 #endif /* MBEDTLS_SHA1_C */
731
732 if( opt.version == MBEDTLS_X509_CRT_VERSION_3 &&
733 opt.key_usage != 0 )
734 {
735 mbedtls_printf( " . Adding the Key Usage extension ..." );
736 fflush( stdout );
737
738 ret = mbedtls_x509write_crt_set_key_usage( &crt, opt.key_usage );
739 if( ret != 0 )
740 {
741 mbedtls_strerror( ret, buf, 1024 );
742 mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_key_usage "
743 "returned -0x%04x - %s\n\n", (unsigned int) -ret, buf );
744 goto exit;
745 }
746
747 mbedtls_printf( " ok\n" );
748 }
749
750 if( opt.version == MBEDTLS_X509_CRT_VERSION_3 &&
751 opt.ns_cert_type != 0 )
752 {
753 mbedtls_printf( " . Adding the NS Cert Type extension ..." );
754 fflush( stdout );
755
756 ret = mbedtls_x509write_crt_set_ns_cert_type( &crt, opt.ns_cert_type );
757 if( ret != 0 )
758 {
759 mbedtls_strerror( ret, buf, 1024 );
760 mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_ns_cert_type "
761 "returned -0x%04x - %s\n\n", (unsigned int) -ret, buf );
762 goto exit;
763 }
764
765 mbedtls_printf( " ok\n" );
766 }
767
768 /*
769 * 1.2. Writing the certificate
770 */
771 mbedtls_printf( " . Writing the certificate..." );
772 fflush( stdout );
773
774 if( ( ret = write_certificate( &crt, opt.output_file,
775 mbedtls_ctr_drbg_random, &ctr_drbg ) ) != 0 )
776 {
777 mbedtls_strerror( ret, buf, 1024 );
778 mbedtls_printf( " failed\n ! write_certificate -0x%04x - %s\n\n",
779 (unsigned int) -ret, buf );
780 goto exit;
781 }
782
783 mbedtls_printf( " ok\n" );
784
785 exit_code = MBEDTLS_EXIT_SUCCESS;
786
787 exit:
788 #if defined(MBEDTLS_X509_CSR_PARSE_C)
789 mbedtls_x509_csr_free( &csr );
790 #endif /* MBEDTLS_X509_CSR_PARSE_C */
791 mbedtls_x509_crt_free( &issuer_crt );
792 mbedtls_x509write_crt_free( &crt );
793 mbedtls_pk_free( &loaded_subject_key );
794 mbedtls_pk_free( &loaded_issuer_key );
795 mbedtls_mpi_free( &serial );
796 mbedtls_ctr_drbg_free( &ctr_drbg );
797 mbedtls_entropy_free( &entropy );
798
799 #if defined(_WIN32)
800 mbedtls_printf( " + Press Enter to exit this program.\n" );
801 fflush( stdout ); getchar();
802 #endif
803
804 mbedtls_exit( exit_code );
805 }
806 #endif /* MBEDTLS_X509_CRT_WRITE_C && MBEDTLS_X509_CRT_PARSE_C &&
807 MBEDTLS_FS_IO && MBEDTLS_ENTROPY_C && MBEDTLS_CTR_DRBG_C &&
808 MBEDTLS_ERROR_C && MBEDTLS_PEM_WRITE_C */
809
