1 /*
2  *  Certificate request generation
3  *
4  *  Copyright The Mbed TLS Contributors
5  *  SPDX-License-Identifier: Apache-2.0
6  *
7  *  Licensed under the Apache License, Version 2.0 (the "License"); you may
8  *  not use this file except in compliance with the License.
9  *  You may obtain a copy of the License at
10  *
11  *  http://www.apache.org/licenses/LICENSE-2.0
12  *
13  *  Unless required by applicable law or agreed to in writing, software
14  *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15  *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16  *  See the License for the specific language governing permissions and
17  *  limitations under the License.
18  */
19 
20 #if !defined(MBEDTLS_CONFIG_FILE)
21 #include "mbedtls/config.h"
22 #else
23 #include MBEDTLS_CONFIG_FILE
24 #endif
25 
26 #if defined(MBEDTLS_PLATFORM_C)
27 #include "mbedtls/platform.h"
28 #else
29 #include <stdio.h>
30 #include <stdlib.h>
31 #define mbedtls_printf          printf
32 #define mbedtls_exit            exit
33 #define MBEDTLS_EXIT_SUCCESS    EXIT_SUCCESS
34 #define MBEDTLS_EXIT_FAILURE    EXIT_FAILURE
35 #endif /* MBEDTLS_PLATFORM_C */
36 
37 #if !defined(MBEDTLS_X509_CSR_WRITE_C) || !defined(MBEDTLS_FS_IO) ||  \
38     !defined(MBEDTLS_PK_PARSE_C) || !defined(MBEDTLS_SHA256_C) || \
39     !defined(MBEDTLS_ENTROPY_C) || !defined(MBEDTLS_CTR_DRBG_C) || \
40     !defined(MBEDTLS_PEM_WRITE_C)
main(void)41 int main( void )
42 {
43     mbedtls_printf( "MBEDTLS_X509_CSR_WRITE_C and/or MBEDTLS_FS_IO and/or "
44             "MBEDTLS_PK_PARSE_C and/or MBEDTLS_SHA256_C and/or "
45             "MBEDTLS_ENTROPY_C and/or MBEDTLS_CTR_DRBG_C "
46             "not defined.\n");
47     mbedtls_exit( 0 );
48 }
49 #else
50 
51 #include "mbedtls/x509_csr.h"
52 #include "mbedtls/entropy.h"
53 #include "mbedtls/ctr_drbg.h"
54 #include "mbedtls/error.h"
55 
56 #include <stdio.h>
57 #include <stdlib.h>
58 #include <string.h>
59 
60 #define DFL_FILENAME            "keyfile.key"
61 #define DFL_PASSWORD            NULL
62 #define DFL_DEBUG_LEVEL         0
63 #define DFL_OUTPUT_FILENAME     "cert.req"
64 #define DFL_SUBJECT_NAME        "CN=Cert,O=mbed TLS,C=UK"
65 #define DFL_KEY_USAGE           0
66 #define DFL_FORCE_KEY_USAGE     0
67 #define DFL_NS_CERT_TYPE        0
68 #define DFL_FORCE_NS_CERT_TYPE  0
69 #define DFL_MD_ALG              MBEDTLS_MD_SHA256
70 
71 #define USAGE \
72     "\n usage: cert_req param=<>...\n"                  \
73     "\n acceptable parameters:\n"                       \
74     "    filename=%%s         default: keyfile.key\n"   \
75     "    password=%%s         default: NULL\n"          \
76     "    debug_level=%%d      default: 0 (disabled)\n"  \
77     "    output_file=%%s      default: cert.req\n"      \
78     "    subject_name=%%s     default: CN=Cert,O=mbed TLS,C=UK\n"   \
79     "    key_usage=%%s        default: (empty)\n"       \
80     "                        Comma-separated-list of values:\n"     \
81     "                          digital_signature\n"     \
82     "                          non_repudiation\n"       \
83     "                          key_encipherment\n"      \
84     "                          data_encipherment\n"     \
85     "                          key_agreement\n"         \
86     "                          key_cert_sign\n"  \
87     "                          crl_sign\n"              \
88     "    force_key_usage=0/1  default: off\n"           \
89     "                          Add KeyUsage even if it is empty\n"  \
90     "    ns_cert_type=%%s     default: (empty)\n"       \
91     "                        Comma-separated-list of values:\n"     \
92     "                          ssl_client\n"            \
93     "                          ssl_server\n"            \
94     "                          email\n"                 \
95     "                          object_signing\n"        \
96     "                          ssl_ca\n"                \
97     "                          email_ca\n"              \
98     "                          object_signing_ca\n"     \
99     "    force_ns_cert_type=0/1 default: off\n"         \
100     "                          Add NsCertType even if it is empty\n"    \
101     "    md=%%s               default: SHA256\n"       \
102     "                          possible values:\n"     \
103     "                          MD2, MD4, MD5, RIPEMD160, SHA1,\n" \
104     "                          SHA224, SHA256, SHA384, SHA512\n" \
105     "\n"
106 
107 
108 /*
109  * global options
110  */
111 struct options
112 {
113     const char *filename;       /* filename of the key file             */
114     const char *password;       /* password for the key file            */
115     int debug_level;            /* level of debugging                   */
116     const char *output_file;    /* where to store the constructed key file  */
117     const char *subject_name;   /* subject name for certificate request */
118     unsigned char key_usage;    /* key usage flags                      */
119     int force_key_usage;        /* Force adding the KeyUsage extension  */
120     unsigned char ns_cert_type; /* NS cert type                         */
121     int force_ns_cert_type;     /* Force adding NsCertType extension    */
122     mbedtls_md_type_t md_alg;   /* Hash algorithm used for signature.   */
123 } opt;
124 
write_certificate_request(mbedtls_x509write_csr * req,const char * output_file,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)125 int write_certificate_request( mbedtls_x509write_csr *req, const char *output_file,
126                                int (*f_rng)(void *, unsigned char *, size_t),
127                                void *p_rng )
128 {
129     int ret;
130     FILE *f;
131     unsigned char output_buf[4096];
132     size_t len = 0;
133 
134     memset( output_buf, 0, 4096 );
135     if( ( ret = mbedtls_x509write_csr_pem( req, output_buf, 4096, f_rng, p_rng ) ) < 0 )
136         return( ret );
137 
138     len = strlen( (char *) output_buf );
139 
140     if( ( f = fopen( output_file, "w" ) ) == NULL )
141         return( -1 );
142 
143     if( fwrite( output_buf, 1, len, f ) != len )
144     {
145         fclose( f );
146         return( -1 );
147     }
148 
149     fclose( f );
150 
151     return( 0 );
152 }
153 
main(int argc,char * argv[])154 int main( int argc, char *argv[] )
155 {
156     int ret = 1;
157     int exit_code = MBEDTLS_EXIT_FAILURE;
158     mbedtls_pk_context key;
159     char buf[1024];
160     int i;
161     char *p, *q, *r;
162     mbedtls_x509write_csr req;
163     mbedtls_entropy_context entropy;
164     mbedtls_ctr_drbg_context ctr_drbg;
165     const char *pers = "csr example app";
166 
167     /*
168      * Set to sane values
169      */
170     mbedtls_x509write_csr_init( &req );
171     mbedtls_pk_init( &key );
172     mbedtls_ctr_drbg_init( &ctr_drbg );
173     memset( buf, 0, sizeof( buf ) );
174 
175     if( argc == 0 )
176     {
177     usage:
178         mbedtls_printf( USAGE );
179         goto exit;
180     }
181 
182     opt.filename            = DFL_FILENAME;
183     opt.password            = DFL_PASSWORD;
184     opt.debug_level         = DFL_DEBUG_LEVEL;
185     opt.output_file         = DFL_OUTPUT_FILENAME;
186     opt.subject_name        = DFL_SUBJECT_NAME;
187     opt.key_usage           = DFL_KEY_USAGE;
188     opt.force_key_usage     = DFL_FORCE_KEY_USAGE;
189     opt.ns_cert_type        = DFL_NS_CERT_TYPE;
190     opt.force_ns_cert_type  = DFL_FORCE_NS_CERT_TYPE;
191     opt.md_alg              = DFL_MD_ALG;
192 
193     for( i = 1; i < argc; i++ )
194     {
195 
196         p = argv[i];
197         if( ( q = strchr( p, '=' ) ) == NULL )
198             goto usage;
199         *q++ = '\0';
200 
201         if( strcmp( p, "filename" ) == 0 )
202             opt.filename = q;
203         else if( strcmp( p, "password" ) == 0 )
204             opt.password = q;
205         else if( strcmp( p, "output_file" ) == 0 )
206             opt.output_file = q;
207         else if( strcmp( p, "debug_level" ) == 0 )
208         {
209             opt.debug_level = atoi( q );
210             if( opt.debug_level < 0 || opt.debug_level > 65535 )
211                 goto usage;
212         }
213         else if( strcmp( p, "subject_name" ) == 0 )
214         {
215             opt.subject_name = q;
216         }
217         else if( strcmp( p, "md" ) == 0 )
218         {
219             const mbedtls_md_info_t *md_info =
220                 mbedtls_md_info_from_string( q );
221             if( md_info == NULL )
222             {
223                 mbedtls_printf( "Invalid argument for option %s\n", p );
224                 goto usage;
225             }
226             opt.md_alg = mbedtls_md_get_type( md_info );
227         }
228         else if( strcmp( p, "key_usage" ) == 0 )
229         {
230             while( q != NULL )
231             {
232                 if( ( r = strchr( q, ',' ) ) != NULL )
233                     *r++ = '\0';
234 
235                 if( strcmp( q, "digital_signature" ) == 0 )
236                     opt.key_usage |= MBEDTLS_X509_KU_DIGITAL_SIGNATURE;
237                 else if( strcmp( q, "non_repudiation" ) == 0 )
238                     opt.key_usage |= MBEDTLS_X509_KU_NON_REPUDIATION;
239                 else if( strcmp( q, "key_encipherment" ) == 0 )
240                     opt.key_usage |= MBEDTLS_X509_KU_KEY_ENCIPHERMENT;
241                 else if( strcmp( q, "data_encipherment" ) == 0 )
242                     opt.key_usage |= MBEDTLS_X509_KU_DATA_ENCIPHERMENT;
243                 else if( strcmp( q, "key_agreement" ) == 0 )
244                     opt.key_usage |= MBEDTLS_X509_KU_KEY_AGREEMENT;
245                 else if( strcmp( q, "key_cert_sign" ) == 0 )
246                     opt.key_usage |= MBEDTLS_X509_KU_KEY_CERT_SIGN;
247                 else if( strcmp( q, "crl_sign" ) == 0 )
248                     opt.key_usage |= MBEDTLS_X509_KU_CRL_SIGN;
249                 else
250                     goto usage;
251 
252                 q = r;
253             }
254         }
255         else if( strcmp( p, "force_key_usage" ) == 0 )
256         {
257             switch( atoi( q ) )
258             {
259                 case 0: opt.force_key_usage = 0; break;
260                 case 1: opt.force_key_usage = 1; break;
261                 default: goto usage;
262             }
263         }
264         else if( strcmp( p, "ns_cert_type" ) == 0 )
265         {
266             while( q != NULL )
267             {
268                 if( ( r = strchr( q, ',' ) ) != NULL )
269                     *r++ = '\0';
270 
271                 if( strcmp( q, "ssl_client" ) == 0 )
272                     opt.ns_cert_type |= MBEDTLS_X509_NS_CERT_TYPE_SSL_CLIENT;
273                 else if( strcmp( q, "ssl_server" ) == 0 )
274                     opt.ns_cert_type |= MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER;
275                 else if( strcmp( q, "email" ) == 0 )
276                     opt.ns_cert_type |= MBEDTLS_X509_NS_CERT_TYPE_EMAIL;
277                 else if( strcmp( q, "object_signing" ) == 0 )
278                     opt.ns_cert_type |= MBEDTLS_X509_NS_CERT_TYPE_OBJECT_SIGNING;
279                 else if( strcmp( q, "ssl_ca" ) == 0 )
280                     opt.ns_cert_type |= MBEDTLS_X509_NS_CERT_TYPE_SSL_CA;
281                 else if( strcmp( q, "email_ca" ) == 0 )
282                     opt.ns_cert_type |= MBEDTLS_X509_NS_CERT_TYPE_EMAIL_CA;
283                 else if( strcmp( q, "object_signing_ca" ) == 0 )
284                     opt.ns_cert_type |= MBEDTLS_X509_NS_CERT_TYPE_OBJECT_SIGNING_CA;
285                 else
286                     goto usage;
287 
288                 q = r;
289             }
290         }
291         else if( strcmp( p, "force_ns_cert_type" ) == 0 )
292         {
293             switch( atoi( q ) )
294             {
295                 case 0: opt.force_ns_cert_type = 0; break;
296                 case 1: opt.force_ns_cert_type = 1; break;
297                 default: goto usage;
298             }
299         }
300         else
301             goto usage;
302     }
303 
304     mbedtls_x509write_csr_set_md_alg( &req, opt.md_alg );
305 
306     if( opt.key_usage || opt.force_key_usage == 1 )
307         mbedtls_x509write_csr_set_key_usage( &req, opt.key_usage );
308 
309     if( opt.ns_cert_type || opt.force_ns_cert_type == 1 )
310         mbedtls_x509write_csr_set_ns_cert_type( &req, opt.ns_cert_type );
311 
312     /*
313      * 0. Seed the PRNG
314      */
315     mbedtls_printf( "  . Seeding the random number generator..." );
316     fflush( stdout );
317 
318     mbedtls_entropy_init( &entropy );
319     if( ( ret = mbedtls_ctr_drbg_seed( &ctr_drbg, mbedtls_entropy_func, &entropy,
320                                (const unsigned char *) pers,
321                                strlen( pers ) ) ) != 0 )
322     {
323         mbedtls_printf( " failed\n  !  mbedtls_ctr_drbg_seed returned %d", ret );
324         goto exit;
325     }
326 
327     mbedtls_printf( " ok\n" );
328 
329     /*
330      * 1.0. Check the subject name for validity
331      */
332     mbedtls_printf( "  . Checking subject name..." );
333     fflush( stdout );
334 
335     if( ( ret = mbedtls_x509write_csr_set_subject_name( &req, opt.subject_name ) ) != 0 )
336     {
337         mbedtls_printf( " failed\n  !  mbedtls_x509write_csr_set_subject_name returned %d", ret );
338         goto exit;
339     }
340 
341     mbedtls_printf( " ok\n" );
342 
343     /*
344      * 1.1. Load the key
345      */
346     mbedtls_printf( "  . Loading the private key ..." );
347     fflush( stdout );
348 
349     ret = mbedtls_pk_parse_keyfile( &key, opt.filename, opt.password );
350 
351     if( ret != 0 )
352     {
353         mbedtls_printf( " failed\n  !  mbedtls_pk_parse_keyfile returned %d", ret );
354         goto exit;
355     }
356 
357     mbedtls_x509write_csr_set_key( &req, &key );
358 
359     mbedtls_printf( " ok\n" );
360 
361     /*
362      * 1.2. Writing the request
363      */
364     mbedtls_printf( "  . Writing the certificate request ..." );
365     fflush( stdout );
366 
367     if( ( ret = write_certificate_request( &req, opt.output_file,
368                                            mbedtls_ctr_drbg_random, &ctr_drbg ) ) != 0 )
369     {
370         mbedtls_printf( " failed\n  !  write_certifcate_request %d", ret );
371         goto exit;
372     }
373 
374     mbedtls_printf( " ok\n" );
375 
376     exit_code = MBEDTLS_EXIT_SUCCESS;
377 
378 exit:
379 
380     if( exit_code != MBEDTLS_EXIT_SUCCESS )
381     {
382 #ifdef MBEDTLS_ERROR_C
383         mbedtls_strerror( ret, buf, sizeof( buf ) );
384         mbedtls_printf( " - %s\n", buf );
385 #else
386         mbedtls_printf("\n");
387 #endif
388     }
389 
390     mbedtls_x509write_csr_free( &req );
391     mbedtls_pk_free( &key );
392     mbedtls_ctr_drbg_free( &ctr_drbg );
393     mbedtls_entropy_free( &entropy );
394 
395 #if defined(_WIN32)
396     mbedtls_printf( "  + Press Enter to exit this program.\n" );
397     fflush( stdout ); getchar();
398 #endif
399 
400     mbedtls_exit( exit_code );
401 }
402 #endif /* MBEDTLS_X509_CSR_WRITE_C && MBEDTLS_PK_PARSE_C && MBEDTLS_FS_IO &&
403           MBEDTLS_ENTROPY_C && MBEDTLS_CTR_DRBG_C && MBEDTLS_PEM_WRITE_C */
404