1/* 2 * Certificate request generation 3 * 4 * Copyright The Mbed TLS Contributors 5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later 6 */ 7 8#include "mbedtls/build_info.h" 9 10#include "mbedtls/platform.h" 11/* md.h is included this early since MD_CAN_XXX macros are defined there. */ 12#include "mbedtls/md.h" 13 14#if !defined(MBEDTLS_X509_CSR_WRITE_C) || !defined(MBEDTLS_X509_CRT_PARSE_C) || \ 15 !defined(MBEDTLS_PK_PARSE_C) || !defined(MBEDTLS_MD_CAN_SHA256) || \ 16 !defined(MBEDTLS_ENTROPY_C) || !defined(MBEDTLS_CTR_DRBG_C) || \ 17 !defined(MBEDTLS_PEM_WRITE_C) || !defined(MBEDTLS_FS_IO) || \ 18 !defined(MBEDTLS_MD_C) 19int main(void) 20{ 21 mbedtls_printf("MBEDTLS_X509_CSR_WRITE_C and/or MBEDTLS_FS_IO and/or " 22 "MBEDTLS_PK_PARSE_C and/or MBEDTLS_MD_CAN_SHA256 and/or " 23 "MBEDTLS_ENTROPY_C and/or MBEDTLS_CTR_DRBG_C " 24 "not defined.\n"); 25 mbedtls_exit(0); 26} 27#else 28 29#include "mbedtls/x509_csr.h" 30#include "mbedtls/entropy.h" 31#include "mbedtls/ctr_drbg.h" 32#include "mbedtls/error.h" 33 34#include <stdio.h> 35#include <stdlib.h> 36#include <string.h> 37 38#define DFL_FILENAME "keyfile.key" 39#define DFL_PASSWORD NULL 40#define DFL_DEBUG_LEVEL 0 41#define DFL_OUTPUT_FILENAME "cert.req" 42#define DFL_SUBJECT_NAME "CN=Cert,O=mbed TLS,C=UK" 43#define DFL_KEY_USAGE 0 44#define DFL_FORCE_KEY_USAGE 0 45#define DFL_NS_CERT_TYPE 0 46#define DFL_FORCE_NS_CERT_TYPE 0 47#define DFL_MD_ALG MBEDTLS_MD_SHA256 48 49#define USAGE \ 50 "\n usage: cert_req param=<>...\n" \ 51 "\n acceptable parameters:\n" \ 52 " filename=%%s default: keyfile.key\n" \ 53 " password=%%s default: NULL\n" \ 54 " debug_level=%%d default: 0 (disabled)\n" \ 55 " output_file=%%s default: cert.req\n" \ 56 " subject_name=%%s default: CN=Cert,O=mbed TLS,C=UK\n" \ 57 " san=%%s default: (none)\n" \ 58 " Semicolon-separated-list of values:\n" \ 59 " DNS:value\n" \ 60 " URI:value\n" \ 61 " RFC822:value\n" \ 62 " IP:value (Only IPv4 is supported)\n" \ 63 " DN:list of comma separated key=value pairs\n" \ 64 " key_usage=%%s default: (empty)\n" \ 65 " Comma-separated-list of values:\n" \ 66 " digital_signature\n" \ 67 " non_repudiation\n" \ 68 " key_encipherment\n" \ 69 " data_encipherment\n" \ 70 " key_agreement\n" \ 71 " key_cert_sign\n" \ 72 " crl_sign\n" \ 73 " force_key_usage=0/1 default: off\n" \ 74 " Add KeyUsage even if it is empty\n" \ 75 " ns_cert_type=%%s default: (empty)\n" \ 76 " Comma-separated-list of values:\n" \ 77 " ssl_client\n" \ 78 " ssl_server\n" \ 79 " email\n" \ 80 " object_signing\n" \ 81 " ssl_ca\n" \ 82 " email_ca\n" \ 83 " object_signing_ca\n" \ 84 " force_ns_cert_type=0/1 default: off\n" \ 85 " Add NsCertType even if it is empty\n" \ 86 " md=%%s default: SHA256\n" \ 87 " possible values:\n" \ 88 " MD5, RIPEMD160, SHA1,\n" \ 89 " SHA224, SHA256, SHA384, SHA512\n" \ 90 "\n" 91 92 93/* 94 * global options 95 */ 96struct options { 97 const char *filename; /* filename of the key file */ 98 const char *password; /* password for the key file */ 99 int debug_level; /* level of debugging */ 100 const char *output_file; /* where to store the constructed key file */ 101 const char *subject_name; /* subject name for certificate request */ 102 mbedtls_x509_san_list *san_list; /* subjectAltName for certificate request */ 103 unsigned char key_usage; /* key usage flags */ 104 int force_key_usage; /* Force adding the KeyUsage extension */ 105 unsigned char ns_cert_type; /* NS cert type */ 106 int force_ns_cert_type; /* Force adding NsCertType extension */ 107 mbedtls_md_type_t md_alg; /* Hash algorithm used for signature. */ 108} opt; 109 110int write_certificate_request(mbedtls_x509write_csr *req, const char *output_file, 111 int (*f_rng)(void *, unsigned char *, size_t), 112 void *p_rng) 113{ 114 int ret; 115 FILE *f; 116 unsigned char output_buf[4096]; 117 size_t len = 0; 118 119 memset(output_buf, 0, 4096); 120 if ((ret = mbedtls_x509write_csr_pem(req, output_buf, 4096, f_rng, p_rng)) < 0) { 121 return ret; 122 } 123 124 len = strlen((char *) output_buf); 125 126 if ((f = fopen(output_file, "w")) == NULL) { 127 return -1; 128 } 129 130 if (fwrite(output_buf, 1, len, f) != len) { 131 fclose(f); 132 return -1; 133 } 134 135 fclose(f); 136 137 return 0; 138} 139 140int main(int argc, char *argv[]) 141{ 142 int ret = 1; 143 int exit_code = MBEDTLS_EXIT_FAILURE; 144 mbedtls_pk_context key; 145 char buf[1024]; 146 int i; 147 char *p, *q, *r; 148 mbedtls_x509write_csr req; 149 mbedtls_entropy_context entropy; 150 mbedtls_ctr_drbg_context ctr_drbg; 151 const char *pers = "csr example app"; 152 mbedtls_x509_san_list *cur, *prev; 153 mbedtls_asn1_named_data *ext_san_dirname = NULL; 154#if defined(MBEDTLS_X509_CRT_PARSE_C) 155 uint8_t ip[4] = { 0 }; 156#endif 157 /* 158 * Set to sane values 159 */ 160 mbedtls_x509write_csr_init(&req); 161 mbedtls_pk_init(&key); 162 mbedtls_ctr_drbg_init(&ctr_drbg); 163 memset(buf, 0, sizeof(buf)); 164 mbedtls_entropy_init(&entropy); 165 166#if defined(MBEDTLS_USE_PSA_CRYPTO) 167 psa_status_t status = psa_crypto_init(); 168 if (status != PSA_SUCCESS) { 169 mbedtls_fprintf(stderr, "Failed to initialize PSA Crypto implementation: %d\n", 170 (int) status); 171 goto exit; 172 } 173#endif /* MBEDTLS_USE_PSA_CRYPTO */ 174 175 if (argc < 2) { 176usage: 177 mbedtls_printf(USAGE); 178 goto exit; 179 } 180 181 opt.filename = DFL_FILENAME; 182 opt.password = DFL_PASSWORD; 183 opt.debug_level = DFL_DEBUG_LEVEL; 184 opt.output_file = DFL_OUTPUT_FILENAME; 185 opt.subject_name = DFL_SUBJECT_NAME; 186 opt.key_usage = DFL_KEY_USAGE; 187 opt.force_key_usage = DFL_FORCE_KEY_USAGE; 188 opt.ns_cert_type = DFL_NS_CERT_TYPE; 189 opt.force_ns_cert_type = DFL_FORCE_NS_CERT_TYPE; 190 opt.md_alg = DFL_MD_ALG; 191 opt.san_list = NULL; 192 193 for (i = 1; i < argc; i++) { 194 p = argv[i]; 195 if ((q = strchr(p, '=')) == NULL) { 196 goto usage; 197 } 198 *q++ = '\0'; 199 if (strcmp(p, "filename") == 0) { 200 opt.filename = q; 201 } else if (strcmp(p, "password") == 0) { 202 opt.password = q; 203 } else if (strcmp(p, "output_file") == 0) { 204 opt.output_file = q; 205 } else if (strcmp(p, "debug_level") == 0) { 206 opt.debug_level = atoi(q); 207 if (opt.debug_level < 0 || opt.debug_level > 65535) { 208 goto usage; 209 } 210 } else if (strcmp(p, "subject_name") == 0) { 211 opt.subject_name = q; 212 } else if (strcmp(p, "san") == 0) { 213 char *subtype_value; 214 prev = NULL; 215 216 while (q != NULL) { 217 char *semicolon; 218 r = q; 219 220 /* Find the first non-escaped ; occurrence and remove escaped ones */ 221 do { 222 if ((semicolon = strchr(r, ';')) != NULL) { 223 if (*(semicolon-1) != '\\') { 224 r = semicolon; 225 break; 226 } 227 /* Remove the escape character */ 228 size_t size_left = strlen(semicolon); 229 memmove(semicolon-1, semicolon, size_left); 230 *(semicolon + size_left - 1) = '\0'; 231 /* r will now point at the character after the semicolon */ 232 r = semicolon; 233 } 234 235 } while (semicolon != NULL); 236 237 if (semicolon != NULL) { 238 *r++ = '\0'; 239 } else { 240 r = NULL; 241 } 242 243 cur = mbedtls_calloc(1, sizeof(mbedtls_x509_san_list)); 244 if (cur == NULL) { 245 mbedtls_printf("Not enough memory for subjectAltName list\n"); 246 goto usage; 247 } 248 249 cur->next = NULL; 250 251 if ((subtype_value = strchr(q, ':')) != NULL) { 252 *subtype_value++ = '\0'; 253 } else { 254 mbedtls_printf( 255 "Invalid argument for option SAN: Entry must be of the form TYPE:value\n"); 256 goto usage; 257 } 258 if (strcmp(q, "RFC822") == 0) { 259 cur->node.type = MBEDTLS_X509_SAN_RFC822_NAME; 260 } else if (strcmp(q, "URI") == 0) { 261 cur->node.type = MBEDTLS_X509_SAN_UNIFORM_RESOURCE_IDENTIFIER; 262 } else if (strcmp(q, "DNS") == 0) { 263 cur->node.type = MBEDTLS_X509_SAN_DNS_NAME; 264 } else if (strcmp(q, "IP") == 0) { 265 size_t ip_addr_len = 0; 266 cur->node.type = MBEDTLS_X509_SAN_IP_ADDRESS; 267 ip_addr_len = mbedtls_x509_crt_parse_cn_inet_pton(subtype_value, ip); 268 if (ip_addr_len == 0) { 269 mbedtls_printf("mbedtls_x509_crt_parse_cn_inet_pton failed to parse %s\n", 270 subtype_value); 271 goto exit; 272 } 273 cur->node.san.unstructured_name.p = (unsigned char *) ip; 274 cur->node.san.unstructured_name.len = sizeof(ip); 275 } else if (strcmp(q, "DN") == 0) { 276 cur->node.type = MBEDTLS_X509_SAN_DIRECTORY_NAME; 277 if ((ret = mbedtls_x509_string_to_names(&ext_san_dirname, 278 subtype_value)) != 0) { 279 mbedtls_strerror(ret, buf, sizeof(buf)); 280 mbedtls_printf( 281 " failed\n ! mbedtls_x509_string_to_names " 282 "returned -0x%04x - %s\n\n", 283 (unsigned int) -ret, buf); 284 goto exit; 285 } 286 cur->node.san.directory_name = *ext_san_dirname; 287 } else { 288 mbedtls_free(cur); 289 goto usage; 290 } 291 292 if (cur->node.type == MBEDTLS_X509_SAN_RFC822_NAME || 293 cur->node.type == MBEDTLS_X509_SAN_UNIFORM_RESOURCE_IDENTIFIER || 294 cur->node.type == MBEDTLS_X509_SAN_DNS_NAME) { 295 q = subtype_value; 296 cur->node.san.unstructured_name.p = (unsigned char *) q; 297 cur->node.san.unstructured_name.len = strlen(q); 298 } 299 300 if (prev == NULL) { 301 opt.san_list = cur; 302 } else { 303 prev->next = cur; 304 } 305 306 prev = cur; 307 q = r; 308 } 309 } else if (strcmp(p, "md") == 0) { 310 const mbedtls_md_info_t *md_info = 311 mbedtls_md_info_from_string(q); 312 if (md_info == NULL) { 313 mbedtls_printf("Invalid argument for option %s\n", p); 314 goto usage; 315 } 316 opt.md_alg = mbedtls_md_get_type(md_info); 317 } else if (strcmp(p, "key_usage") == 0) { 318 while (q != NULL) { 319 if ((r = strchr(q, ',')) != NULL) { 320 *r++ = '\0'; 321 } 322 323 if (strcmp(q, "digital_signature") == 0) { 324 opt.key_usage |= MBEDTLS_X509_KU_DIGITAL_SIGNATURE; 325 } else if (strcmp(q, "non_repudiation") == 0) { 326 opt.key_usage |= MBEDTLS_X509_KU_NON_REPUDIATION; 327 } else if (strcmp(q, "key_encipherment") == 0) { 328 opt.key_usage |= MBEDTLS_X509_KU_KEY_ENCIPHERMENT; 329 } else if (strcmp(q, "data_encipherment") == 0) { 330 opt.key_usage |= MBEDTLS_X509_KU_DATA_ENCIPHERMENT; 331 } else if (strcmp(q, "key_agreement") == 0) { 332 opt.key_usage |= MBEDTLS_X509_KU_KEY_AGREEMENT; 333 } else if (strcmp(q, "key_cert_sign") == 0) { 334 opt.key_usage |= MBEDTLS_X509_KU_KEY_CERT_SIGN; 335 } else if (strcmp(q, "crl_sign") == 0) { 336 opt.key_usage |= MBEDTLS_X509_KU_CRL_SIGN; 337 } else { 338 goto usage; 339 } 340 341 q = r; 342 } 343 } else if (strcmp(p, "force_key_usage") == 0) { 344 switch (atoi(q)) { 345 case 0: opt.force_key_usage = 0; break; 346 case 1: opt.force_key_usage = 1; break; 347 default: goto usage; 348 } 349 } else if (strcmp(p, "ns_cert_type") == 0) { 350 while (q != NULL) { 351 if ((r = strchr(q, ',')) != NULL) { 352 *r++ = '\0'; 353 } 354 355 if (strcmp(q, "ssl_client") == 0) { 356 opt.ns_cert_type |= MBEDTLS_X509_NS_CERT_TYPE_SSL_CLIENT; 357 } else if (strcmp(q, "ssl_server") == 0) { 358 opt.ns_cert_type |= MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER; 359 } else if (strcmp(q, "email") == 0) { 360 opt.ns_cert_type |= MBEDTLS_X509_NS_CERT_TYPE_EMAIL; 361 } else if (strcmp(q, "object_signing") == 0) { 362 opt.ns_cert_type |= MBEDTLS_X509_NS_CERT_TYPE_OBJECT_SIGNING; 363 } else if (strcmp(q, "ssl_ca") == 0) { 364 opt.ns_cert_type |= MBEDTLS_X509_NS_CERT_TYPE_SSL_CA; 365 } else if (strcmp(q, "email_ca") == 0) { 366 opt.ns_cert_type |= MBEDTLS_X509_NS_CERT_TYPE_EMAIL_CA; 367 } else if (strcmp(q, "object_signing_ca") == 0) { 368 opt.ns_cert_type |= MBEDTLS_X509_NS_CERT_TYPE_OBJECT_SIGNING_CA; 369 } else { 370 goto usage; 371 } 372 373 q = r; 374 } 375 } else if (strcmp(p, "force_ns_cert_type") == 0) { 376 switch (atoi(q)) { 377 case 0: opt.force_ns_cert_type = 0; break; 378 case 1: opt.force_ns_cert_type = 1; break; 379 default: goto usage; 380 } 381 } else { 382 goto usage; 383 } 384 } 385 386 /* Set the MD algorithm to use for the signature in the CSR */ 387 mbedtls_x509write_csr_set_md_alg(&req, opt.md_alg); 388 389 /* Set the Key Usage Extension flags in the CSR */ 390 if (opt.key_usage || opt.force_key_usage == 1) { 391 ret = mbedtls_x509write_csr_set_key_usage(&req, opt.key_usage); 392 393 if (ret != 0) { 394 mbedtls_printf(" failed\n ! mbedtls_x509write_csr_set_key_usage returned %d", ret); 395 goto exit; 396 } 397 } 398 399 /* Set the Cert Type flags in the CSR */ 400 if (opt.ns_cert_type || opt.force_ns_cert_type == 1) { 401 ret = mbedtls_x509write_csr_set_ns_cert_type(&req, opt.ns_cert_type); 402 403 if (ret != 0) { 404 mbedtls_printf(" failed\n ! mbedtls_x509write_csr_set_ns_cert_type returned %d", ret); 405 goto exit; 406 } 407 } 408 409 /* Set the SubjectAltName in the CSR */ 410 if (opt.san_list != NULL) { 411 ret = mbedtls_x509write_csr_set_subject_alternative_name(&req, opt.san_list); 412 413 if (ret != 0) { 414 mbedtls_printf( 415 " failed\n ! mbedtls_x509write_csr_set_subject_alternative_name returned %d", 416 ret); 417 goto exit; 418 } 419 } 420 421 /* 422 * 0. Seed the PRNG 423 */ 424 mbedtls_printf(" . Seeding the random number generator..."); 425 fflush(stdout); 426 427 if ((ret = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy, 428 (const unsigned char *) pers, 429 strlen(pers))) != 0) { 430 mbedtls_printf(" failed\n ! mbedtls_ctr_drbg_seed returned %d", ret); 431 goto exit; 432 } 433 434 mbedtls_printf(" ok\n"); 435 436 /* 437 * 1.0. Check the subject name for validity 438 */ 439 mbedtls_printf(" . Checking subject name..."); 440 fflush(stdout); 441 442 if ((ret = mbedtls_x509write_csr_set_subject_name(&req, opt.subject_name)) != 0) { 443 mbedtls_printf(" failed\n ! mbedtls_x509write_csr_set_subject_name returned %d", ret); 444 goto exit; 445 } 446 447 mbedtls_printf(" ok\n"); 448 449 /* 450 * 1.1. Load the key 451 */ 452 mbedtls_printf(" . Loading the private key ..."); 453 fflush(stdout); 454 455 ret = mbedtls_pk_parse_keyfile(&key, opt.filename, opt.password, 456 mbedtls_ctr_drbg_random, &ctr_drbg); 457 458 if (ret != 0) { 459 mbedtls_printf(" failed\n ! mbedtls_pk_parse_keyfile returned %d", ret); 460 goto exit; 461 } 462 463 mbedtls_x509write_csr_set_key(&req, &key); 464 465 mbedtls_printf(" ok\n"); 466 467 /* 468 * 1.2. Writing the request 469 */ 470 mbedtls_printf(" . Writing the certificate request ..."); 471 fflush(stdout); 472 473 if ((ret = write_certificate_request(&req, opt.output_file, 474 mbedtls_ctr_drbg_random, &ctr_drbg)) != 0) { 475 mbedtls_printf(" failed\n ! write_certificate_request %d", ret); 476 goto exit; 477 } 478 479 mbedtls_printf(" ok\n"); 480 481 exit_code = MBEDTLS_EXIT_SUCCESS; 482 483exit: 484 485 if (exit_code != MBEDTLS_EXIT_SUCCESS) { 486#ifdef MBEDTLS_ERROR_C 487 mbedtls_strerror(ret, buf, sizeof(buf)); 488 mbedtls_printf(" - %s\n", buf); 489#else 490 mbedtls_printf("\n"); 491#endif 492 } 493 494 mbedtls_x509write_csr_free(&req); 495 mbedtls_asn1_free_named_data_list(&ext_san_dirname); 496 mbedtls_pk_free(&key); 497 mbedtls_ctr_drbg_free(&ctr_drbg); 498 mbedtls_entropy_free(&entropy); 499#if defined(MBEDTLS_USE_PSA_CRYPTO) 500 mbedtls_psa_crypto_free(); 501#endif /* MBEDTLS_USE_PSA_CRYPTO */ 502 503 cur = opt.san_list; 504 while (cur != NULL) { 505 prev = cur; 506 cur = cur->next; 507 mbedtls_free(prev); 508 } 509 510 511 mbedtls_exit(exit_code); 512} 513#endif /* MBEDTLS_X509_CSR_WRITE_C && MBEDTLS_PK_PARSE_C && MBEDTLS_FS_IO && 514 MBEDTLS_ENTROPY_C && MBEDTLS_CTR_DRBG_C && MBEDTLS_PEM_WRITE_C */ 515