1 /*
2 * Certificate generation and signing
3 *
4 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 *
19 * This file is part of mbed TLS (https://tls.mbed.org)
20 */
21
22 #if !defined(MBEDTLS_CONFIG_FILE)
23 #include "mbedtls/config.h"
24 #else
25 #include MBEDTLS_CONFIG_FILE
26 #endif
27
28 #if defined(MBEDTLS_PLATFORM_C)
29 #include "mbedtls/platform.h"
30 #else
31 #include <stdio.h>
32 #define mbedtls_printf printf
33 #endif
34
35 #if !defined(MBEDTLS_X509_CRT_WRITE_C) || \
36 !defined(MBEDTLS_X509_CRT_PARSE_C) || !defined(MBEDTLS_FS_IO) || \
37 !defined(MBEDTLS_ENTROPY_C) || !defined(MBEDTLS_CTR_DRBG_C) || \
38 !defined(MBEDTLS_ERROR_C) || !defined(MBEDTLS_SHA256_C) || \
39 !defined(MBEDTLS_PEM_WRITE_C)
main(void)40 int main( void )
41 {
42 mbedtls_printf( "MBEDTLS_X509_CRT_WRITE_C and/or MBEDTLS_X509_CRT_PARSE_C and/or "
43 "MBEDTLS_FS_IO and/or MBEDTLS_SHA256_C and/or "
44 "MBEDTLS_ENTROPY_C and/or MBEDTLS_CTR_DRBG_C and/or "
45 "MBEDTLS_ERROR_C not defined.\n");
46 return( 0 );
47 }
48 #else
49
50 #include "mbedtls/x509_crt.h"
51 #include "mbedtls/x509_csr.h"
52 #include "mbedtls/entropy.h"
53 #include "mbedtls/ctr_drbg.h"
54 #include "mbedtls/error.h"
55
56 #include <stdio.h>
57 #include <stdlib.h>
58 #include <string.h>
59
60 #if defined(MBEDTLS_X509_CSR_PARSE_C)
61 #define USAGE_CSR \
62 " request_file=%%s default: (empty)\n" \
63 " If request_file is specified, subject_key,\n" \
64 " subject_pwd and subject_name are ignored!\n"
65 #else
66 #define USAGE_CSR ""
67 #endif /* MBEDTLS_X509_CSR_PARSE_C */
68
69 #define DFL_ISSUER_CRT ""
70 #define DFL_REQUEST_FILE ""
71 #define DFL_SUBJECT_KEY "subject.key"
72 #define DFL_ISSUER_KEY "ca.key"
73 #define DFL_SUBJECT_PWD ""
74 #define DFL_ISSUER_PWD ""
75 #define DFL_OUTPUT_FILENAME "cert.crt"
76 #define DFL_SUBJECT_NAME "CN=Cert,O=mbed TLS,C=UK"
77 #define DFL_ISSUER_NAME "CN=CA,O=mbed TLS,C=UK"
78 #define DFL_NOT_BEFORE "20010101000000"
79 #define DFL_NOT_AFTER "20301231235959"
80 #define DFL_SERIAL "1"
81 #define DFL_SELFSIGN 0
82 #define DFL_IS_CA 0
83 #define DFL_MAX_PATHLEN -1
84 #define DFL_KEY_USAGE 0
85 #define DFL_NS_CERT_TYPE 0
86
87 #define USAGE \
88 "\n usage: cert_write param=<>...\n" \
89 "\n acceptable parameters:\n" \
90 USAGE_CSR \
91 " subject_key=%%s default: subject.key\n" \
92 " subject_pwd=%%s default: (empty)\n" \
93 " subject_name=%%s default: CN=Cert,O=mbed TLS,C=UK\n" \
94 "\n" \
95 " issuer_crt=%%s default: (empty)\n" \
96 " If issuer_crt is specified, issuer_name is\n" \
97 " ignored!\n" \
98 " issuer_name=%%s default: CN=CA,O=mbed TLS,C=UK\n" \
99 "\n" \
100 " selfsign=%%d default: 0 (false)\n" \
101 " If selfsign is enabled, issuer_name and\n" \
102 " issuer_key are required (issuer_crt and\n" \
103 " subject_* are ignored\n" \
104 " issuer_key=%%s default: ca.key\n" \
105 " issuer_pwd=%%s default: (empty)\n" \
106 " output_file=%%s default: cert.crt\n" \
107 " serial=%%s default: 1\n" \
108 " not_before=%%s default: 20010101000000\n"\
109 " not_after=%%s default: 20301231235959\n"\
110 " is_ca=%%d default: 0 (disabled)\n" \
111 " max_pathlen=%%d default: -1 (none)\n" \
112 " key_usage=%%s default: (empty)\n" \
113 " Comma-separated-list of values:\n" \
114 " digital_signature\n" \
115 " non_repudiation\n" \
116 " key_encipherment\n" \
117 " data_encipherment\n" \
118 " key_agreement\n" \
119 " key_cert_sign\n" \
120 " crl_sign\n" \
121 " ns_cert_type=%%s default: (empty)\n" \
122 " Comma-separated-list of values:\n" \
123 " ssl_client\n" \
124 " ssl_server\n" \
125 " email\n" \
126 " object_signing\n" \
127 " ssl_ca\n" \
128 " email_ca\n" \
129 " object_signing_ca\n" \
130 "\n"
131
132 /*
133 * global options
134 */
135 struct options
136 {
137 const char *issuer_crt; /* filename of the issuer certificate */
138 const char *request_file; /* filename of the certificate request */
139 const char *subject_key; /* filename of the subject key file */
140 const char *issuer_key; /* filename of the issuer key file */
141 const char *subject_pwd; /* password for the subject key file */
142 const char *issuer_pwd; /* password for the issuer key file */
143 const char *output_file; /* where to store the constructed key file */
144 const char *subject_name; /* subject name for certificate */
145 const char *issuer_name; /* issuer name for certificate */
146 const char *not_before; /* validity period not before */
147 const char *not_after; /* validity period not after */
148 const char *serial; /* serial number string */
149 int selfsign; /* selfsign the certificate */
150 int is_ca; /* is a CA certificate */
151 int max_pathlen; /* maximum CA path length */
152 unsigned char key_usage; /* key usage flags */
153 unsigned char ns_cert_type; /* NS cert type */
154 } opt;
155
write_certificate(mbedtls_x509write_cert * crt,const char * output_file,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)156 int write_certificate( mbedtls_x509write_cert *crt, const char *output_file,
157 int (*f_rng)(void *, unsigned char *, size_t),
158 void *p_rng )
159 {
160 int ret;
161 FILE *f;
162 unsigned char output_buf[4096];
163 size_t len = 0;
164
165 memset( output_buf, 0, 4096 );
166 if( ( ret = mbedtls_x509write_crt_pem( crt, output_buf, 4096, f_rng, p_rng ) ) < 0 )
167 return( ret );
168
169 len = strlen( (char *) output_buf );
170
171 if( ( f = fopen( output_file, "w" ) ) == NULL )
172 return( -1 );
173
174 if( fwrite( output_buf, 1, len, f ) != len )
175 {
176 fclose( f );
177 return( -1 );
178 }
179
180 fclose( f );
181
182 return( 0 );
183 }
184
main(int argc,char * argv[])185 int main( int argc, char *argv[] )
186 {
187 int ret = 0;
188 mbedtls_x509_crt issuer_crt;
189 mbedtls_pk_context loaded_issuer_key, loaded_subject_key;
190 mbedtls_pk_context *issuer_key = &loaded_issuer_key,
191 *subject_key = &loaded_subject_key;
192 char buf[1024];
193 char issuer_name[256];
194 int i;
195 char *p, *q, *r;
196 #if defined(MBEDTLS_X509_CSR_PARSE_C)
197 char subject_name[256];
198 mbedtls_x509_csr csr;
199 #endif
200 mbedtls_x509write_cert crt;
201 mbedtls_mpi serial;
202 mbedtls_entropy_context entropy;
203 mbedtls_ctr_drbg_context ctr_drbg;
204 const char *pers = "crt example app";
205
206 /*
207 * Set to sane values
208 */
209 mbedtls_x509write_crt_init( &crt );
210 mbedtls_x509write_crt_set_md_alg( &crt, MBEDTLS_MD_SHA256 );
211 mbedtls_pk_init( &loaded_issuer_key );
212 mbedtls_pk_init( &loaded_subject_key );
213 mbedtls_mpi_init( &serial );
214 mbedtls_ctr_drbg_init( &ctr_drbg );
215 #if defined(MBEDTLS_X509_CSR_PARSE_C)
216 mbedtls_x509_csr_init( &csr );
217 #endif
218 mbedtls_x509_crt_init( &issuer_crt );
219 memset( buf, 0, 1024 );
220
221 if( argc == 0 )
222 {
223 usage:
224 mbedtls_printf( USAGE );
225 ret = 1;
226 goto exit;
227 }
228
229 opt.issuer_crt = DFL_ISSUER_CRT;
230 opt.request_file = DFL_REQUEST_FILE;
231 opt.subject_key = DFL_SUBJECT_KEY;
232 opt.issuer_key = DFL_ISSUER_KEY;
233 opt.subject_pwd = DFL_SUBJECT_PWD;
234 opt.issuer_pwd = DFL_ISSUER_PWD;
235 opt.output_file = DFL_OUTPUT_FILENAME;
236 opt.subject_name = DFL_SUBJECT_NAME;
237 opt.issuer_name = DFL_ISSUER_NAME;
238 opt.not_before = DFL_NOT_BEFORE;
239 opt.not_after = DFL_NOT_AFTER;
240 opt.serial = DFL_SERIAL;
241 opt.selfsign = DFL_SELFSIGN;
242 opt.is_ca = DFL_IS_CA;
243 opt.max_pathlen = DFL_MAX_PATHLEN;
244 opt.key_usage = DFL_KEY_USAGE;
245 opt.ns_cert_type = DFL_NS_CERT_TYPE;
246
247 for( i = 1; i < argc; i++ )
248 {
249
250 p = argv[i];
251 if( ( q = strchr( p, '=' ) ) == NULL )
252 goto usage;
253 *q++ = '\0';
254
255 if( strcmp( p, "request_file" ) == 0 )
256 opt.request_file = q;
257 else if( strcmp( p, "subject_key" ) == 0 )
258 opt.subject_key = q;
259 else if( strcmp( p, "issuer_key" ) == 0 )
260 opt.issuer_key = q;
261 else if( strcmp( p, "subject_pwd" ) == 0 )
262 opt.subject_pwd = q;
263 else if( strcmp( p, "issuer_pwd" ) == 0 )
264 opt.issuer_pwd = q;
265 else if( strcmp( p, "issuer_crt" ) == 0 )
266 opt.issuer_crt = q;
267 else if( strcmp( p, "output_file" ) == 0 )
268 opt.output_file = q;
269 else if( strcmp( p, "subject_name" ) == 0 )
270 {
271 opt.subject_name = q;
272 }
273 else if( strcmp( p, "issuer_name" ) == 0 )
274 {
275 opt.issuer_name = q;
276 }
277 else if( strcmp( p, "not_before" ) == 0 )
278 {
279 opt.not_before = q;
280 }
281 else if( strcmp( p, "not_after" ) == 0 )
282 {
283 opt.not_after = q;
284 }
285 else if( strcmp( p, "serial" ) == 0 )
286 {
287 opt.serial = q;
288 }
289 else if( strcmp( p, "selfsign" ) == 0 )
290 {
291 opt.selfsign = atoi( q );
292 if( opt.selfsign < 0 || opt.selfsign > 1 )
293 goto usage;
294 }
295 else if( strcmp( p, "is_ca" ) == 0 )
296 {
297 opt.is_ca = atoi( q );
298 if( opt.is_ca < 0 || opt.is_ca > 1 )
299 goto usage;
300 }
301 else if( strcmp( p, "max_pathlen" ) == 0 )
302 {
303 opt.max_pathlen = atoi( q );
304 if( opt.max_pathlen < -1 || opt.max_pathlen > 127 )
305 goto usage;
306 }
307 else if( strcmp( p, "key_usage" ) == 0 )
308 {
309 while( q != NULL )
310 {
311 if( ( r = strchr( q, ',' ) ) != NULL )
312 *r++ = '\0';
313
314 if( strcmp( q, "digital_signature" ) == 0 )
315 opt.key_usage |= MBEDTLS_X509_KU_DIGITAL_SIGNATURE;
316 else if( strcmp( q, "non_repudiation" ) == 0 )
317 opt.key_usage |= MBEDTLS_X509_KU_NON_REPUDIATION;
318 else if( strcmp( q, "key_encipherment" ) == 0 )
319 opt.key_usage |= MBEDTLS_X509_KU_KEY_ENCIPHERMENT;
320 else if( strcmp( q, "data_encipherment" ) == 0 )
321 opt.key_usage |= MBEDTLS_X509_KU_DATA_ENCIPHERMENT;
322 else if( strcmp( q, "key_agreement" ) == 0 )
323 opt.key_usage |= MBEDTLS_X509_KU_KEY_AGREEMENT;
324 else if( strcmp( q, "key_cert_sign" ) == 0 )
325 opt.key_usage |= MBEDTLS_X509_KU_KEY_CERT_SIGN;
326 else if( strcmp( q, "crl_sign" ) == 0 )
327 opt.key_usage |= MBEDTLS_X509_KU_CRL_SIGN;
328 else
329 goto usage;
330
331 q = r;
332 }
333 }
334 else if( strcmp( p, "ns_cert_type" ) == 0 )
335 {
336 while( q != NULL )
337 {
338 if( ( r = strchr( q, ',' ) ) != NULL )
339 *r++ = '\0';
340
341 if( strcmp( q, "ssl_client" ) == 0 )
342 opt.ns_cert_type |= MBEDTLS_X509_NS_CERT_TYPE_SSL_CLIENT;
343 else if( strcmp( q, "ssl_server" ) == 0 )
344 opt.ns_cert_type |= MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER;
345 else if( strcmp( q, "email" ) == 0 )
346 opt.ns_cert_type |= MBEDTLS_X509_NS_CERT_TYPE_EMAIL;
347 else if( strcmp( q, "object_signing" ) == 0 )
348 opt.ns_cert_type |= MBEDTLS_X509_NS_CERT_TYPE_OBJECT_SIGNING;
349 else if( strcmp( q, "ssl_ca" ) == 0 )
350 opt.ns_cert_type |= MBEDTLS_X509_NS_CERT_TYPE_SSL_CA;
351 else if( strcmp( q, "email_ca" ) == 0 )
352 opt.ns_cert_type |= MBEDTLS_X509_NS_CERT_TYPE_EMAIL_CA;
353 else if( strcmp( q, "object_signing_ca" ) == 0 )
354 opt.ns_cert_type |= MBEDTLS_X509_NS_CERT_TYPE_OBJECT_SIGNING_CA;
355 else
356 goto usage;
357
358 q = r;
359 }
360 }
361 else
362 goto usage;
363 }
364
365 mbedtls_printf("\n");
366
367 /*
368 * 0. Seed the PRNG
369 */
370 mbedtls_printf( " . Seeding the random number generator..." );
371 fflush( stdout );
372
373 mbedtls_entropy_init( &entropy );
374 if( ( ret = mbedtls_ctr_drbg_seed( &ctr_drbg, mbedtls_entropy_func, &entropy,
375 (const unsigned char *) pers,
376 strlen( pers ) ) ) != 0 )
377 {
378 mbedtls_strerror( ret, buf, 1024 );
379 mbedtls_printf( " failed\n ! mbedtls_ctr_drbg_seed returned %d - %s\n", ret, buf );
380 goto exit;
381 }
382
383 mbedtls_printf( " ok\n" );
384
385 // Parse serial to MPI
386 //
387 mbedtls_printf( " . Reading serial number..." );
388 fflush( stdout );
389
390 if( ( ret = mbedtls_mpi_read_string( &serial, 10, opt.serial ) ) != 0 )
391 {
392 mbedtls_strerror( ret, buf, 1024 );
393 mbedtls_printf( " failed\n ! mbedtls_mpi_read_string returned -0x%02x - %s\n\n", -ret, buf );
394 goto exit;
395 }
396
397 mbedtls_printf( " ok\n" );
398
399 // Parse issuer certificate if present
400 //
401 if( !opt.selfsign && strlen( opt.issuer_crt ) )
402 {
403 /*
404 * 1.0.a. Load the certificates
405 */
406 mbedtls_printf( " . Loading the issuer certificate ..." );
407 fflush( stdout );
408
409 if( ( ret = mbedtls_x509_crt_parse_file( &issuer_crt, opt.issuer_crt ) ) != 0 )
410 {
411 mbedtls_strerror( ret, buf, 1024 );
412 mbedtls_printf( " failed\n ! mbedtls_x509_crt_parse_file returned -0x%02x - %s\n\n", -ret, buf );
413 goto exit;
414 }
415
416 ret = mbedtls_x509_dn_gets( issuer_name, sizeof(issuer_name),
417 &issuer_crt.subject );
418 if( ret < 0 )
419 {
420 mbedtls_strerror( ret, buf, 1024 );
421 mbedtls_printf( " failed\n ! mbedtls_x509_dn_gets returned -0x%02x - %s\n\n", -ret, buf );
422 goto exit;
423 }
424
425 opt.issuer_name = issuer_name;
426
427 mbedtls_printf( " ok\n" );
428 }
429
430 #if defined(MBEDTLS_X509_CSR_PARSE_C)
431 // Parse certificate request if present
432 //
433 if( !opt.selfsign && strlen( opt.request_file ) )
434 {
435 /*
436 * 1.0.b. Load the CSR
437 */
438 mbedtls_printf( " . Loading the certificate request ..." );
439 fflush( stdout );
440
441 if( ( ret = mbedtls_x509_csr_parse_file( &csr, opt.request_file ) ) != 0 )
442 {
443 mbedtls_strerror( ret, buf, 1024 );
444 mbedtls_printf( " failed\n ! mbedtls_x509_csr_parse_file returned -0x%02x - %s\n\n", -ret, buf );
445 goto exit;
446 }
447
448 ret = mbedtls_x509_dn_gets( subject_name, sizeof(subject_name),
449 &csr.subject );
450 if( ret < 0 )
451 {
452 mbedtls_strerror( ret, buf, 1024 );
453 mbedtls_printf( " failed\n ! mbedtls_x509_dn_gets returned -0x%02x - %s\n\n", -ret, buf );
454 goto exit;
455 }
456
457 opt.subject_name = subject_name;
458 subject_key = &csr.pk;
459
460 mbedtls_printf( " ok\n" );
461 }
462 #endif /* MBEDTLS_X509_CSR_PARSE_C */
463
464 /*
465 * 1.1. Load the keys
466 */
467 if( !opt.selfsign && !strlen( opt.request_file ) )
468 {
469 mbedtls_printf( " . Loading the subject key ..." );
470 fflush( stdout );
471
472 ret = mbedtls_pk_parse_keyfile( &loaded_subject_key, opt.subject_key,
473 opt.subject_pwd );
474 if( ret != 0 )
475 {
476 mbedtls_strerror( ret, buf, 1024 );
477 mbedtls_printf( " failed\n ! mbedtls_pk_parse_keyfile returned -0x%02x - %s\n\n", -ret, buf );
478 goto exit;
479 }
480
481 mbedtls_printf( " ok\n" );
482 }
483
484 mbedtls_printf( " . Loading the issuer key ..." );
485 fflush( stdout );
486
487 ret = mbedtls_pk_parse_keyfile( &loaded_issuer_key, opt.issuer_key,
488 opt.issuer_pwd );
489 if( ret != 0 )
490 {
491 mbedtls_strerror( ret, buf, 1024 );
492 mbedtls_printf( " failed\n ! mbedtls_pk_parse_keyfile returned -x%02x - %s\n\n", -ret, buf );
493 goto exit;
494 }
495
496 // Check if key and issuer certificate match
497 //
498 if( strlen( opt.issuer_crt ) )
499 {
500 if( !mbedtls_pk_can_do( &issuer_crt.pk, MBEDTLS_PK_RSA ) ||
501 mbedtls_mpi_cmp_mpi( &mbedtls_pk_rsa( issuer_crt.pk )->N,
502 &mbedtls_pk_rsa( *issuer_key )->N ) != 0 ||
503 mbedtls_mpi_cmp_mpi( &mbedtls_pk_rsa( issuer_crt.pk )->E,
504 &mbedtls_pk_rsa( *issuer_key )->E ) != 0 )
505 {
506 mbedtls_printf( " failed\n ! issuer_key does not match issuer certificate\n\n" );
507 ret = -1;
508 goto exit;
509 }
510 }
511
512 mbedtls_printf( " ok\n" );
513
514 if( opt.selfsign )
515 {
516 opt.subject_name = opt.issuer_name;
517 subject_key = issuer_key;
518 }
519
520 mbedtls_x509write_crt_set_subject_key( &crt, subject_key );
521 mbedtls_x509write_crt_set_issuer_key( &crt, issuer_key );
522
523 /*
524 * 1.0. Check the names for validity
525 */
526 if( ( ret = mbedtls_x509write_crt_set_subject_name( &crt, opt.subject_name ) ) != 0 )
527 {
528 mbedtls_strerror( ret, buf, 1024 );
529 mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_subject_name returned -0x%02x - %s\n\n", -ret, buf );
530 goto exit;
531 }
532
533 if( ( ret = mbedtls_x509write_crt_set_issuer_name( &crt, opt.issuer_name ) ) != 0 )
534 {
535 mbedtls_strerror( ret, buf, 1024 );
536 mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_issuer_name returned -0x%02x - %s\n\n", -ret, buf );
537 goto exit;
538 }
539
540 mbedtls_printf( " . Setting certificate values ..." );
541 fflush( stdout );
542
543 ret = mbedtls_x509write_crt_set_serial( &crt, &serial );
544 if( ret != 0 )
545 {
546 mbedtls_strerror( ret, buf, 1024 );
547 mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_serial returned -0x%02x - %s\n\n", -ret, buf );
548 goto exit;
549 }
550
551 ret = mbedtls_x509write_crt_set_validity( &crt, opt.not_before, opt.not_after );
552 if( ret != 0 )
553 {
554 mbedtls_strerror( ret, buf, 1024 );
555 mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_validity returned -0x%02x - %s\n\n", -ret, buf );
556 goto exit;
557 }
558
559 mbedtls_printf( " ok\n" );
560
561 mbedtls_printf( " . Adding the Basic Constraints extension ..." );
562 fflush( stdout );
563
564 ret = mbedtls_x509write_crt_set_basic_constraints( &crt, opt.is_ca,
565 opt.max_pathlen );
566 if( ret != 0 )
567 {
568 mbedtls_strerror( ret, buf, 1024 );
569 mbedtls_printf( " failed\n ! x509write_crt_set_basic_contraints returned -0x%02x - %s\n\n", -ret, buf );
570 goto exit;
571 }
572
573 mbedtls_printf( " ok\n" );
574
575 #if defined(MBEDTLS_SHA1_C)
576 mbedtls_printf( " . Adding the Subject Key Identifier ..." );
577 fflush( stdout );
578
579 ret = mbedtls_x509write_crt_set_subject_key_identifier( &crt );
580 if( ret != 0 )
581 {
582 mbedtls_strerror( ret, buf, 1024 );
583 mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_subject_key_identifier returned -0x%02x - %s\n\n", -ret, buf );
584 goto exit;
585 }
586
587 mbedtls_printf( " ok\n" );
588
589 mbedtls_printf( " . Adding the Authority Key Identifier ..." );
590 fflush( stdout );
591
592 ret = mbedtls_x509write_crt_set_authority_key_identifier( &crt );
593 if( ret != 0 )
594 {
595 mbedtls_strerror( ret, buf, 1024 );
596 mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_authority_key_identifier returned -0x%02x - %s\n\n", -ret, buf );
597 goto exit;
598 }
599
600 mbedtls_printf( " ok\n" );
601 #endif /* MBEDTLS_SHA1_C */
602
603 if( opt.key_usage )
604 {
605 mbedtls_printf( " . Adding the Key Usage extension ..." );
606 fflush( stdout );
607
608 ret = mbedtls_x509write_crt_set_key_usage( &crt, opt.key_usage );
609 if( ret != 0 )
610 {
611 mbedtls_strerror( ret, buf, 1024 );
612 mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_key_usage returned -0x%02x - %s\n\n", -ret, buf );
613 goto exit;
614 }
615
616 mbedtls_printf( " ok\n" );
617 }
618
619 if( opt.ns_cert_type )
620 {
621 mbedtls_printf( " . Adding the NS Cert Type extension ..." );
622 fflush( stdout );
623
624 ret = mbedtls_x509write_crt_set_ns_cert_type( &crt, opt.ns_cert_type );
625 if( ret != 0 )
626 {
627 mbedtls_strerror( ret, buf, 1024 );
628 mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_ns_cert_type returned -0x%02x - %s\n\n", -ret, buf );
629 goto exit;
630 }
631
632 mbedtls_printf( " ok\n" );
633 }
634
635 /*
636 * 1.2. Writing the request
637 */
638 mbedtls_printf( " . Writing the certificate..." );
639 fflush( stdout );
640
641 if( ( ret = write_certificate( &crt, opt.output_file,
642 mbedtls_ctr_drbg_random, &ctr_drbg ) ) != 0 )
643 {
644 mbedtls_strerror( ret, buf, 1024 );
645 mbedtls_printf( " failed\n ! write_certifcate -0x%02x - %s\n\n", -ret, buf );
646 goto exit;
647 }
648
649 mbedtls_printf( " ok\n" );
650
651 exit:
652 mbedtls_x509write_crt_free( &crt );
653 mbedtls_pk_free( &loaded_subject_key );
654 mbedtls_pk_free( &loaded_issuer_key );
655 mbedtls_mpi_free( &serial );
656 mbedtls_ctr_drbg_free( &ctr_drbg );
657 mbedtls_entropy_free( &entropy );
658
659 #if defined(_WIN32)
660 mbedtls_printf( " + Press Enter to exit this program.\n" );
661 fflush( stdout ); getchar();
662 #endif
663
664 return( ret );
665 }
666 #endif /* MBEDTLS_X509_CRT_WRITE_C && MBEDTLS_X509_CRT_PARSE_C &&
667 MBEDTLS_FS_IO && MBEDTLS_ENTROPY_C && MBEDTLS_CTR_DRBG_C &&
668 MBEDTLS_ERROR_C && MBEDTLS_PEM_WRITE_C */
669
