Blame - programs/x509/cert_write.c - mirror/mbed-tls

2013-09-06 09:55:26 +0200

[diff] [blame]

1

/*

2

* Certificate generation and signing

3

*

Manuel Pégourié-Gonnard

6fb8187

2015-07-27 11:11:48 +0200

[diff] [blame]

4

Manuel Pégourié-Gonnard

37ff140

2015-09-04 14:21:07 +0200

[diff] [blame]

5

* SPDX-License-Identifier: Apache-2.0

6

*

7

* Licensed under the Apache License, Version 2.0 (the "License"); you may

8

* not use this file except in compliance with the License.

9

* You may obtain a copy of the License at

10

*

11

* http://www.apache.org/licenses/LICENSE-2.0

12

*

13

* Unless required by applicable law or agreed to in writing, software

14

* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT

15

* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

16

* See the License for the specific language governing permissions and

17

* limitations under the License.

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

18

*

Manuel Pégourié-Gonnard

fe44643

2015-03-06 13:17:10 +0000

[diff] [blame]

19

* This file is part of mbed TLS (https://tls.mbed.org)

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

20

*/

21

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

22

#if !defined(MBEDTLS_CONFIG_FILE)

Manuel Pégourié-Gonnard

2015-03-09 17:05:11 +0000

[diff] [blame]

23

#include "mbedtls/config.h"

Manuel Pégourié-Gonnard

cef4ad2

2014-04-29 12:39:06 +0200

[diff] [blame]

24

#else

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

25

#include MBEDTLS_CONFIG_FILE

Manuel Pégourié-Gonnard

cef4ad2

2014-04-29 12:39:06 +0200

[diff] [blame]

26

#endif

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

27

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

28

#if defined(MBEDTLS_PLATFORM_C)

Manuel Pégourié-Gonnard

2015-03-09 17:05:11 +0000

[diff] [blame]

29

#include "mbedtls/platform.h"

Rich Evans

f90016a

2015-01-19 14:26:37 +0000

[diff] [blame]

30

#else

Rich Evans

2015-02-11 14:06:19 +0000

[diff] [blame]

31

#include <stdio.h>

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

32

#define mbedtls_printf printf

Rich Evans

f90016a

2015-01-19 14:26:37 +0000

[diff] [blame]

33

#endif

34

Simon Butcher

203a693

2016-10-07 15:00:17 +0100

[diff] [blame]

35

#if !defined(MBEDTLS_X509_CRT_WRITE_C) || \

36

!defined(MBEDTLS_X509_CRT_PARSE_C) || !defined(MBEDTLS_FS_IO) || \

37

!defined(MBEDTLS_ENTROPY_C) || !defined(MBEDTLS_CTR_DRBG_C) || \

38

!defined(MBEDTLS_ERROR_C) || !defined(MBEDTLS_SHA256_C) || \

39

!defined(MBEDTLS_PEM_WRITE_C)

Manuel Pégourié-Gonnard

8d649c6

2015-03-31 15:10:03 +0200

[diff] [blame]

40

int main( void )

41

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

42

mbedtls_printf( "MBEDTLS_X509_CRT_WRITE_C and/or MBEDTLS_X509_CRT_PARSE_C and/or "

Manuel Pégourié-Gonnard

d738965

2015-08-06 18:22:26 +0200

[diff] [blame]

43

"MBEDTLS_FS_IO and/or MBEDTLS_SHA256_C and/or "

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

44

"MBEDTLS_ENTROPY_C and/or MBEDTLS_CTR_DRBG_C and/or "

45

"MBEDTLS_ERROR_C not defined.\n");

Manuel Pégourié-Gonnard

8d649c6

2015-03-31 15:10:03 +0200

[diff] [blame]

return( 0 );

}

#else

Manuel Pégourié-Gonnard

2015-03-09 17:05:11 +0000

[diff] [blame]

50

#include "mbedtls/x509_crt.h"

51

#include "mbedtls/x509_csr.h"

52

#include "mbedtls/entropy.h"

53

#include "mbedtls/ctr_drbg.h"

Hanno Becker

2017-09-13 12:49:22 +0100

[diff] [blame]

54

#include "mbedtls/md.h"

Manuel Pégourié-Gonnard

2015-03-09 17:05:11 +0000

[diff] [blame]

55

#include "mbedtls/error.h"

Azim Khan

2018-02-07 11:11:17 +0000

[diff] [blame]

56

#include "mbedtls/pk_info.h"

Manuel Pégourié-Gonnard

7831b0c

2013-09-20 12:29:56 +0200

[diff] [blame]

57

Rich Evans

2015-02-11 14:06:19 +0000

[diff] [blame]

58

#include <stdio.h>

59

#include <stdlib.h>

60

#include <string.h>

Azim Khan

2018-02-21 01:05:21 +0000

[diff] [blame]

61

#if defined(_WIN32)

Azim Khan

2018-02-07 11:11:17 +0000

[diff] [blame]

62

#include <Windows.h>

Azim Khan

2018-02-21 01:05:21 +0000

[diff] [blame]

63

#endif

Rich Evans

2015-02-11 14:06:19 +0000

[diff] [blame]

64

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

65

#if defined(MBEDTLS_X509_CSR_PARSE_C)

Rich Evans

2015-02-11 14:06:19 +0000

[diff] [blame]

66

#define USAGE_CSR \

Hanno Becker

2017-09-13 15:39:59 +0100

[diff] [blame]

67

" request_file=%%s default: (empty)\n" \

68

" If request_file is specified, subject_key,\n" \

69

" subject_pwd and subject_name are ignored!\n"

Rich Evans

2015-02-11 14:06:19 +0000

[diff] [blame]

70

#else

71

#define USAGE_CSR ""

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

72

#endif /* MBEDTLS_X509_CSR_PARSE_C */

Rich Evans

2015-02-11 14:06:19 +0000

[diff] [blame]

73

Paul Bakker

2013-09-09 13:59:42 +0200

[diff] [blame]

74

#define DFL_ISSUER_CRT ""

Paul Bakker

2013-09-09 15:52:07 +0200

[diff] [blame]

75

#define DFL_REQUEST_FILE ""

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

76

#define DFL_SUBJECT_KEY "subject.key"

77

#define DFL_ISSUER_KEY "ca.key"

78

#define DFL_SUBJECT_PWD ""

79

#define DFL_ISSUER_PWD ""

80

#define DFL_OUTPUT_FILENAME "cert.crt"

Manuel Pégourié-Gonnard

9169921

2015-01-22 16:26:39 +0000

[diff] [blame]

81

#define DFL_SUBJECT_NAME "CN=Cert,O=mbed TLS,C=UK"

82

#define DFL_ISSUER_NAME "CN=CA,O=mbed TLS,C=UK"

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

83

#define DFL_NOT_BEFORE "20010101000000"

84

#define DFL_NOT_AFTER "20301231235959"

85

#define DFL_SERIAL "1"

Paul Bakker

2013-09-09 16:24:18 +0200

[diff] [blame]

86

#define DFL_SELFSIGN 0

Paul Bakker

2013-09-06 19:27:21 +0200

[diff] [blame]

87

#define DFL_IS_CA 0

88

#define DFL_MAX_PATHLEN -1

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

89

#define DFL_KEY_USAGE 0

90

#define DFL_NS_CERT_TYPE 0

Hanno Becker

2017-09-13 12:49:22 +0100

[diff] [blame]

91

#define DFL_VERSION 3

92

#define DFL_AUTH_IDENT 1

93

#define DFL_SUBJ_IDENT 1

94

#define DFL_CONSTRAINTS 1

95

#define DFL_DIGEST MBEDTLS_MD_SHA256

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

96

Azim Khan

2018-02-07 11:11:17 +0000

[diff] [blame]

97

#define UNUSED(x) ((void)(x))

98

Rich Evans

2015-02-11 14:06:19 +0000

[diff] [blame]

99

#define USAGE \

100

"\n usage: cert_write param=<>...\n" \

101

"\n acceptable parameters:\n" \

102

USAGE_CSR \

Hanno Becker

2017-09-13 15:39:59 +0100

[diff] [blame]

103

" subject_key=%%s default: subject.key\n" \

104

" subject_pwd=%%s default: (empty)\n" \

105

" subject_name=%%s default: CN=Cert,O=mbed TLS,C=UK\n" \

Rich Evans

2015-02-11 14:06:19 +0000

[diff] [blame]

106

"\n" \

Hanno Becker

2017-09-13 15:39:59 +0100

[diff] [blame]

107

" issuer_crt=%%s default: (empty)\n" \

108

" If issuer_crt is specified, issuer_name is\n" \

109

" ignored!\n" \

110

" issuer_name=%%s default: CN=CA,O=mbed TLS,C=UK\n" \

Rich Evans

2015-02-11 14:06:19 +0000

[diff] [blame]

111

"\n" \

Hanno Becker

2017-09-13 15:39:59 +0100

[diff] [blame]

112

" selfsign=%%d default: 0 (false)\n" \

113

" If selfsign is enabled, issuer_name and\n" \

114

" issuer_key are required (issuer_crt and\n" \

115

" subject_* are ignored\n" \

116

" issuer_key=%%s default: ca.key\n" \

117

" issuer_pwd=%%s default: (empty)\n" \

118

" output_file=%%s default: cert.crt\n" \

119

" serial=%%s default: 1\n" \

120

" not_before=%%s default: 20010101000000\n"\

121

" not_after=%%s default: 20301231235959\n"\

122

" is_ca=%%d default: 0 (disabled)\n" \

123

" max_pathlen=%%d default: -1 (none)\n" \

124

" md=%%s default: SHA256\n" \

125

" Supported values:\n" \

126

" MD5, SHA1, SHA256, SHA512\n"\

127

" version=%%d default: 3\n" \

128

" Possible values: 1, 2, 3\n"\

129

" subject_identifier=%%s default: 1\n" \

130

" Possible values: 0, 1\n" \

131

" (Considered for v3 only)\n"\

132

" authority_identifier=%%s default: 1\n" \

133

" Possible values: 0, 1\n" \

134

" (Considered for v3 only)\n"\

135

" basic_constraints=%%d default: 1\n" \

136

" Possible values: 0, 1\n" \

137

" (Considered for v3 only)\n"\

138

" key_usage=%%s default: (empty)\n" \

139

" Comma-separated-list of values:\n" \

140

" digital_signature\n" \

141

" non_repudiation\n" \

142

" key_encipherment\n" \

143

" data_encipherment\n" \

" key_agreement\n" \

" key_cert_sign\n" \

" crl_sign\n" \

" (Considered for v3 only)\n"\

148

" ns_cert_type=%%s default: (empty)\n" \

149

" Comma-separated-list of values:\n" \

" ssl_client\n" \

" ssl_server\n" \

" email\n" \

" object_signing\n" \

154

" ssl_ca\n" \

155

" email_ca\n" \

156

" object_signing_ca\n" \

Rich Evans

2015-02-11 14:06:19 +0000

[diff] [blame]

157

"\n"

Manuel Pégourié-Gonnard

6c5abfa

2015-02-13 14:12:07 +0000

[diff] [blame]

158

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

/*

* global options

*/

struct options

{

Paul Bakker

8fc30b1

2013-11-25 13:29:43 +0100

[diff] [blame]

164

const char *issuer_crt; /* filename of the issuer certificate */

165

const char *request_file; /* filename of the certificate request */

166

const char *subject_key; /* filename of the subject key file */

167

const char *issuer_key; /* filename of the issuer key file */

168

const char *subject_pwd; /* password for the subject key file */

169

const char *issuer_pwd; /* password for the issuer key file */

170

const char *output_file; /* where to store the constructed key file */

171

const char *subject_name; /* subject name for certificate */

172

const char *issuer_name; /* issuer name for certificate */

173

const char *not_before; /* validity period not before */

174

const char *not_after; /* validity period not after */

175

const char *serial; /* serial number string */

Paul Bakker

2013-09-09 16:24:18 +0200

[diff] [blame]

176

int selfsign; /* selfsign the certificate */

Paul Bakker

2013-09-06 19:27:21 +0200

[diff] [blame]

177

int is_ca; /* is a CA certificate */

178

int max_pathlen; /* maximum CA path length */

Hanno Becker

e1b1d0a

2017-09-22 15:35:16 +0100

[diff] [blame]

179

int authority_identifier; /* add authority identifier to CRT */

180

int subject_identifier; /* add subject identifier to CRT */

Hanno Becker

2017-09-13 12:49:22 +0100

[diff] [blame]

181

int basic_constraints; /* add basic constraints ext to CRT */

182

int version; /* CRT version */

183

mbedtls_md_type_t md; /* Hash used for signing */

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

184

unsigned char key_usage; /* key usage flags */

185

unsigned char ns_cert_type; /* NS cert type */

186

} opt;

187

Azim Khan

2018-02-21 01:05:21 +0000

[diff] [blame]

188

#if defined(_WIN32)

189

/** Below are the constants used for remote Opaque key implementation.

190

*/

191

192

/* Remote cryptoprocessor sync pattern. Sent to sync with the device before

193

* sending commands. */

194

#define REMOTE_KEY_MAGIC_PATTERN "rEmOtEkEy"

195

#define REMOTE_KEY_CMD_TAG "//opaque_pk/ATCA"

196

#define REMOTE_KEY_ID_MIN 0

197

#define REMOTE_KEY_ID_MAX 7

198

#define REMOTE_KEY_SERIAL_BAUD CBR_9600

199

200

#define REMOTE_KEY_FUNC_GET_PUBKEY 0xA

201

#define REMOTE_KEY_FUNC_SIGN 0xB

202

203

int is_remote_key( const char *remote_info )

204

{

205

size_t tag_len = strlen( REMOTE_KEY_CMD_TAG );

206

if ( strlen( remote_info ) > tag_len &&

207

strncmp( remote_info, REMOTE_KEY_CMD_TAG, tag_len ) == 0 )

return( 1 );

return( 0 );

}

int parse_remote_info( const char *remote_info, int *key_idx, const char **serial_port )

213

{

Azim Khan

2018-02-22 11:09:40 +0000

[diff] [blame]

214

size_t offset = 0;

215

size_t remote_info_len = strlen( remote_info );

Azim Khan

2018-02-21 01:05:21 +0000

[diff] [blame]

216

Azim Khan

2018-02-22 13:24:16 +0000

[diff] [blame]

217

if( !is_remote_key( remote_info ) )

Azim Khan

2018-02-21 01:05:21 +0000

[diff] [blame]

218

return( -1 );

219

220

offset = strlen( REMOTE_KEY_CMD_TAG );

221

offset++; // Skip the delimiter. FUTURE: Add validation.

222

if( offset >= remote_info_len )

223

return( -1 );

224

*key_idx = (int) remote_info[offset++];

225

offset++; // Skip the delimiter

226

if( offset >= remote_info_len )

227

return( -1 );

228

*key_idx = *key_idx - 48; // ascii to decimal

229

230

if ( *key_idx < REMOTE_KEY_ID_MIN || *key_idx > REMOTE_KEY_ID_MAX )

231

{

232

mbedtls_printf( " failed\n ! Invalid remote key index %d\n\n", *key_idx );

233

return( -1 );

234

}

235

*serial_port = remote_info + offset;

236

printf( "Got key id %d and com port %s\n", *key_idx, *serial_port );

return( 0 );

}

/**

* @brief Send a command to remote cryptoprocessor and receive response.

242

*

243

* It

244

* - first sends a sync pattern 'rEmOtEkEy' and waits for an echo to sync

245

* with the remote.

246

* - Then it sends the tx buf supplied by the caller.

247

* - It waits for a 4 byte length indicator. Value 0 means error.

248

* - Finally it reads no. of bytes specified in received Length indicator

249

* and fills received data in rx_buf and returns.

250

* Note: success is considered when a length indicator > 0 is received and

251

* data size == length indicator is successfully received.

252

*

253

*

254

* @param serial_port Serial port to send & recv data.

255

* @param tx_buf Command Tx buffer

256

* @param tx_buf_len Tx buffer length

257

* @param rx_buf Out response Rx buffer

258

* @param rx_buf_len Rx buffer length

259

* @param rx_len Received data length

260

*

261

* @retval 0 if success, or -1.

262

*/

263

int serial_xfer( const char * serial_port, const unsigned char * tx_buf,

264

size_t tx_buf_len, unsigned char * rx_buf, size_t rx_buf_len,

265

size_t * rx_len )

266

{

267

char c, comm_name[20]; /* \\\\.\\COMxy = 11 characters at least */

268

HANDLE h_comm;

269

DCB dcb_config;

270

COMMTIMEOUTS comm_timeout;

271

DWORD xfer_len;

272

unsigned char len_buf[sizeof(size_t)];

273

int ret = -1;

274

size_t len = 0, sync_pattern_idx = 0;

do

{

sprintf( comm_name, "\\\\.\\%s", serial_port );

279

280

h_comm = CreateFile( comm_name, GENERIC_READ | GENERIC_WRITE, 0, 0,

281

OPEN_EXISTING, 0, 0 );

282

if ( h_comm == INVALID_HANDLE_VALUE )

283

{

284

mbedtls_printf( " failed\n ! failed to open port %s %lu\n\n", serial_port, GetLastError() );

break;

}

if( GetCommState( h_comm, &dcb_config ) )

289

{

290

dcb_config.BaudRate = REMOTE_KEY_SERIAL_BAUD;

291

dcb_config.Parity = NOPARITY;

292

dcb_config.ByteSize = 8;

293

dcb_config.StopBits = ONESTOPBIT;

294

dcb_config.fOutxCtsFlow = FALSE; // No CTS output flow control

295

dcb_config.fOutxDsrFlow = FALSE; // No DSR output flow control

296

dcb_config.fDtrControl = DTR_CONTROL_DISABLE; // DTR flow control type

297

dcb_config.fDsrSensitivity = FALSE; // DSR sensitivity

298

dcb_config.fTXContinueOnXoff = TRUE; // XOFF continues Tx

299

dcb_config.fOutX = FALSE; // No XON/XOFF out flow control

300

dcb_config.fInX = FALSE; // No XON/XOFF in flow control

301

dcb_config.fErrorChar = FALSE; // Disable error replacement

302

dcb_config.fNull = FALSE; // Disable null stripping

303

dcb_config.fRtsControl = RTS_CONTROL_DISABLE; // RTS flow control

304

dcb_config.fAbortOnError = FALSE; // Do not abort reads/writes on error

}

else

{

mbedtls_printf( " failed\n ! GetCommState returned error %lu\n\n", GetLastError() );

break;

}

if( !SetCommState( h_comm, &dcb_config ) )

313

{

314

mbedtls_printf( " failed\n ! SetCommState returned error %lu\n\n", GetLastError() );

break;

}

if( GetCommTimeouts( h_comm, &comm_timeout ) )

319

{

320

comm_timeout.ReadIntervalTimeout = 1000;

321

comm_timeout.ReadTotalTimeoutMultiplier = 10;

322

comm_timeout.ReadTotalTimeoutConstant = 1000;

323

comm_timeout.WriteTotalTimeoutConstant = 1000;

324

comm_timeout.WriteTotalTimeoutMultiplier = 10;

}

else

{

mbedtls_printf( " failed\n ! GetCommTimeouts returned error %lu\n\n", GetLastError() );

break;

}

if( !SetCommTimeouts( h_comm, &comm_timeout ) )

333

{

334

mbedtls_printf( " failed\n ! SetCommTimeouts returned error %lu\n\n", GetLastError() );

break;

}

/* Flush data on serial before sending sync pattern */

340

while( ReadFile( h_comm, &c, sizeof(c), &xfer_len, NULL ) && xfer_len != 0 );

341

/* Sync with peer */

Azim Khan

2018-02-22 11:09:40 +0000

[diff] [blame]

342

if( !WriteFile( h_comm, REMOTE_KEY_MAGIC_PATTERN, (DWORD)strlen(REMOTE_KEY_MAGIC_PATTERN),

Azim Khan

2018-02-21 01:05:21 +0000

[diff] [blame]

343

&xfer_len, NULL ) )

344

{

345

mbedtls_printf( " failed\n ! WriteFile returned error %lu\n\n", GetLastError() );

break;

}

while( sync_pattern_idx != strlen(REMOTE_KEY_MAGIC_PATTERN) )

350

{

351

if( !ReadFile( h_comm, &c, sizeof(c), &xfer_len, NULL ) )

352

{

353

mbedtls_printf( " failed\n ! ReadFile returned error %lu\n\n", GetLastError() );

354

break;

355

}

356

if ( c == REMOTE_KEY_MAGIC_PATTERN[sync_pattern_idx] )

357

sync_pattern_idx++;

358

else

359

sync_pattern_idx = 0;

360

}

361

362

/* Exit if there was a read error */

363

if ( sync_pattern_idx != strlen(REMOTE_KEY_MAGIC_PATTERN) )

364

{

Azim Khan

2018-02-22 11:09:40 +0000

[diff] [blame]

365

mbedtls_printf("Failed to sync!\n");

Azim Khan

2018-02-21 01:05:21 +0000

[diff] [blame]

break;

}

{

size_t i;

printf("Tx: ");

for (i = 0; i < tx_buf_len; i++)

373

printf ("0x%02x ", (tx_buf)[i]);

374

printf("\n");

375

}

Azim Khan

2018-02-22 11:09:40 +0000

[diff] [blame]

376

if( !WriteFile( h_comm, tx_buf, (DWORD)tx_buf_len,

Azim Khan

2018-02-21 01:05:21 +0000

[diff] [blame]

377

&xfer_len, NULL ) )

378

{

379

mbedtls_printf( " failed\n ! WriteFile returned error %lu\n\n", GetLastError() );

break;

}

/* Read LI (length indicator) */

384

if( !ReadFile( h_comm, len_buf, sizeof(len_buf), &xfer_len, NULL ) ) /* Serial error */

385

{

386

mbedtls_printf( " failed\n ! ReadFile returned error %lu\n\n", GetLastError() );

break;

}

*rx_len = ( len_buf[0] << 24 ) | ( len_buf[1] << 16 ) | ( len_buf[2] << 8 ) | len_buf[3];

391

if ( *rx_len == 0 ) /* LI == 0 indicates remote error */

392

{

393

mbedtls_printf( " failed\n ! Received length indicator == 0\n\n" );

394

break;

395

}

396

if ( *rx_len > rx_buf_len ) /* Buffer too small */

397

{

398

mbedtls_printf( " failed\n ! Buffer too small to hold received data\n\n" );

break;

}

/* Read payload */

len = 0;

while( len < *rx_len )

404

{

Azim Khan

2018-02-22 11:09:40 +0000

[diff] [blame]

405

if( !ReadFile( h_comm, rx_buf + len, (DWORD)(*rx_len - len), &xfer_len, NULL ) )

Azim Khan

2018-02-21 01:05:21 +0000

[diff] [blame]

406

{

407

mbedtls_printf( " failed\n ! ReadFile returned error %lu\n\n", GetLastError() );

break;

}

len += xfer_len;

}

if( len < *rx_len ) /* Serial error */

413

{

414

mbedtls_printf( " failed\n ! ReadFile returned error %lu\n\n", GetLastError() );

415

break;

416

}

417

printf("Received LI 0x%02x 0x%02x 0x%02x 0x%02x \n", len_buf[0], len_buf[1], len_buf[2], len_buf[3]);

{

size_t i;

printf("Rx: ");

for (i = 0; i < *rx_len; i++)

422

printf ("0x%02x ", (rx_buf)[i]);

printf("\n");

}

ret = 0;

} while( 0 );

if( h_comm != INVALID_HANDLE_VALUE )

430

{

431

CloseHandle( h_comm );

432

h_comm = INVALID_HANDLE_VALUE;

}

return( ret );

}

/** Load a transparent public key context with public key from remote device

439

* over serial.

440

* This function sends:

441

* rEmOtEkEy<char encoded function code=GetPubKey><char encoded private key ID>

442

* Receives:

443

* <4 bytes length indicator in network order><concatenated public key>

444

*/

445

int load_pubkey_from_remote( const char * remote_info, mbedtls_pk_context * ctx )

446

{

447

int key_idx = 0, offset = 0, ret = 0;

448

const char * serial_port = NULL;

Azim Khan

2018-02-22 13:24:16 +0000

[diff] [blame]

449

unsigned char func_buffer[2]; /* Op code: 1 + key Id: 1 */

Azim Khan

88953b6

2018-02-22 17:46:48 +0000

[diff] [blame^]

450

unsigned char pub_key_buf[65]; /* ECDSA Pub key: 64 + EC octet string format tag: 1 */

Azim Khan

2018-02-21 01:05:21 +0000

[diff] [blame]

451

size_t rx_len = 0;

452

static mbedtls_ecp_keypair ecp_key;

453

454

if( parse_remote_info( remote_info, &key_idx, &serial_port ) != 0 )

455

return( -1 );

456

457

/* Prepare command */

458

offset = 0;

459

func_buffer[offset++] = REMOTE_KEY_FUNC_GET_PUBKEY;

460

func_buffer[offset++] = key_idx;

461

Azim Khan

2018-02-22 13:24:16 +0000

[diff] [blame]

462

if( serial_xfer( serial_port, func_buffer, offset, pub_key_buf,

463

sizeof( pub_key_buf ), &rx_len ) != 0 )

Azim Khan

2018-02-21 01:05:21 +0000

[diff] [blame]

464

{

465

mbedtls_printf( " failed\n ! Serial error trying to get pulic key\n\n" );

return( -1 );

}

/* Import public key from received binary */

470

mbedtls_ecp_keypair_init(&ecp_key);

471

ret = mbedtls_ecp_group_load(&ecp_key.grp, MBEDTLS_ECP_DP_SECP256R1);

472

if( ret != 0 )

473

{

474

mbedtls_printf( " failed\n ! Failed to load ecp group\n\n" );

475

return( ret );

476

}

477

ret = mbedtls_ecp_point_read_binary(&ecp_key.grp, &ecp_key.Q, pub_key_buf, rx_len );

478

if( ret != 0 )

479

{

480

mbedtls_printf( " failed\n ! Failed to read ecp key from binary\n\n" );

481

return( ret );

482

}

Azim Khan

2018-02-22 13:24:16 +0000

[diff] [blame]

483

mbedtls_pk_setup( ctx, mbedtls_pk_info_from_type( MBEDTLS_PK_ECKEY ) );

Azim Khan

2018-02-21 01:05:21 +0000

[diff] [blame]

484

ctx->pk_ctx = &ecp_key;

return( 0 );

}

/**

* @brief Tell if the context can do the operation given by type

490

*

491

* @param ctx PK Context

492

* @param type Target type

493

*

494

* @return 0 if context can't do the operations,

495

* 1 otherwise.

496

*/

497

static int remote_can_do_func(const void *ctx, mbedtls_pk_type_t type)

498

{

499

UNUSED(ctx);

500

/* At the moment only ECDSA is supported */

501

return (MBEDTLS_PK_ECDSA == type);

}

typedef struct

{

const char *serial_port;

507

unsigned char key_idx;

508

} remote_serial_pk_context;

509

510

/**

511

* @brief Sign using remote cryptoprocessor accessed over serial.

512

*

513

* @param ctx ECDSA context

514

* @param md_alg Hash Algorithm that was used to hash the message.

515

* Only SHA256 is supported.

516

* @param hash Message hash

517

* @param hash_len Length of hash

518

* @param sig Buffer that will hold the signature

519

* @param sig_len Length of the signature written

520

* @param f_rng RNG function

521

* @param p_rng RNG parameter

522

*

523

* @retval 0 if successful, or 1.

524

*/

525

static int remote_sign_func(void *ctx, mbedtls_md_type_t md_alg,

526

const unsigned char *hash, size_t hash_len,

527

unsigned char *sig, size_t *sig_len,

528

int (*f_rng)(void *, unsigned char *, size_t),

529

void *p_rng)

530

{

531

remote_serial_pk_context * remote_ctx = (remote_serial_pk_context *)ctx;

532

/* Required buffer = func 1 byte + key Id 1 byte + hash len 4 bytes + hash */

533

unsigned char func_buffer[MBEDTLS_MD_MAX_SIZE + 4 + 1 + 1];

size_t offset = 0;

UNUSED( f_rng );

UNUSED( p_rng );

Azim Khan

2018-02-22 13:24:16 +0000

[diff] [blame]

539

/* Currently this feature only supports Crypto chip ATCAECC508A that only

540

* supports SHA256. */

Azim Khan

2018-02-21 01:05:21 +0000

[diff] [blame]

541

if( md_alg != MBEDTLS_MD_SHA256 )

542

return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );

543

544

if( hash_len + 4 + 1 + 1 > sizeof( func_buffer ) )

545

{

546

return( MBEDTLS_ERR_PK_BUFFER_TOO_SMALL );

547

}

548

549

func_buffer[offset++] = REMOTE_KEY_FUNC_SIGN;

550

func_buffer[offset++] = remote_ctx->key_idx;

Azim Khan

2018-02-22 11:09:40 +0000

[diff] [blame]

551

func_buffer[offset++] = (unsigned char)(hash_len >> 24);

552

func_buffer[offset++] = (unsigned char)(hash_len >> 16);

553

func_buffer[offset++] = (unsigned char)(hash_len >> 8);

554

func_buffer[offset++] = (unsigned char)(hash_len);

Azim Khan

2018-02-21 01:05:21 +0000

[diff] [blame]

555

556

memcpy( func_buffer + offset, hash, hash_len );

557

offset += hash_len;

558

559

if( serial_xfer( remote_ctx->serial_port, func_buffer, offset, sig,

Azim Khan

eda800f

2018-02-21 10:39:44 +0000

[diff] [blame]

560

MBEDTLS_ECDSA_MAX_SIG_LEN(256), sig_len ) != 0 )

Azim Khan

2018-02-21 01:05:21 +0000

[diff] [blame]

561

{

562

mbedtls_printf( " failed\n ! Serial error in signing\n\n" );

return( -1 );

}

return( 0 );

}

void remote_free( void *ctx )

570

{

571

/* Nothing to free since remote context is statically allocated.

572

* Within this app there is no need to scrub the memory.

*/

UNUSED( ctx );

}

int mbedtls_pk_remote_setup( mbedtls_pk_context * ctx, const char * serial_port,

578

unsigned char key_idx )

579

{

580

/* allocate remote serial context */

581

static remote_serial_pk_context remote;

582

/* Opaque private key */

583

static const mbedtls_pk_info_t remote_pk_info =

Azim Khan

2018-02-22 13:24:16 +0000

[diff] [blame]

584

MBEDTLS_PK_OPAQUE_INFO_1(

"RemoteSerial",

NULL,

remote_can_do_func,

NULL,

NULL,

remote_sign_func,

NULL,

NULL,

NULL,

NULL,

remote_free,

NULL

);

Azim Khan

2018-02-21 01:05:21 +0000

[diff] [blame]

if ( ctx == NULL )

return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );

602

603

remote.serial_port = serial_port;

604

remote.key_idx = key_idx;

Azim Khan

2018-02-22 13:24:16 +0000

[diff] [blame]

605

mbedtls_pk_setup( ctx, &remote_pk_info );

Azim Khan

2018-02-21 01:05:21 +0000

[diff] [blame]

606

ctx->pk_ctx = (void *)&remote;

Azim Khan

2018-02-21 01:05:21 +0000

[diff] [blame]

return( 0 );

}

int setup_opaque_privkey( const char * remote_info, mbedtls_pk_context * ctx )

612

{

613

int key_idx = 0, ret = 0;

614

const char * serial_port = NULL;

615

616

if( parse_remote_info( remote_info, &key_idx, &serial_port ) != 0 )

617

return( -1 );

618

619

ret = mbedtls_pk_remote_setup( ctx, serial_port, key_idx );

620

if( ret != 0 )

621

{

622

mbedtls_printf( " failed\n ! remote pk setup failure \n\n" );

return( ret );

}

return( 0 );

}

#endif /* _WIN32 */

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

630

int write_certificate( mbedtls_x509write_cert *crt, const char *output_file,

Manuel Pégourié-Gonnard

2013-09-12 05:59:05 +0200

[diff] [blame]

631

int (*f_rng)(void *, unsigned char *, size_t),

632

void *p_rng )

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

{

int ret;

FILE *f;

unsigned char output_buf[4096];

637

size_t len = 0;

638

639

memset( output_buf, 0, 4096 );

Hanno Becker

2017-09-13 15:39:59 +0100

[diff] [blame]

640

if( ( ret = mbedtls_x509write_crt_pem( crt, output_buf, 4096,

641

f_rng, p_rng ) ) < 0 )

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

642

return( ret );

643

644

len = strlen( (char *) output_buf );

645

646

if( ( f = fopen( output_file, "w" ) ) == NULL )

647

return( -1 );

648

649

if( fwrite( output_buf, 1, len, f ) != len )

Paul Bakker

0c22610

2014-04-17 16:02:36 +0200

[diff] [blame]

650

{

651

fclose( f );

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

652

return( -1 );

Paul Bakker

0c22610

2014-04-17 16:02:36 +0200

[diff] [blame]

653

}

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

654

Paul Bakker

0c22610

2014-04-17 16:02:36 +0200

[diff] [blame]

655

fclose( f );

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

return( 0 );

}

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

660

int main( int argc, char *argv[] )

661

{

662

int ret = 0;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

663

mbedtls_x509_crt issuer_crt;

664

mbedtls_pk_context loaded_issuer_key, loaded_subject_key;

665

mbedtls_pk_context *issuer_key = &loaded_issuer_key,

Manuel Pégourié-Gonnard

f38e71a

2013-09-12 05:21:54 +0200

[diff] [blame]

666

*subject_key = &loaded_subject_key;

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

667

char buf[1024];

Jonathan Leroy

bbc75d9

2015-10-10 21:58:07 +0200

[diff] [blame]

668

char issuer_name[256];

Paul Bakker

c97f9f6

2013-11-30 15:13:02 +0100

[diff] [blame]

669

int i;

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

670

char *p, *q, *r;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

671

#if defined(MBEDTLS_X509_CSR_PARSE_C)

Jonathan Leroy

bbc75d9

2015-10-10 21:58:07 +0200

[diff] [blame]

672

char subject_name[256];

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

673

mbedtls_x509_csr csr;

Paul Bakker

7fc7fa6

2013-09-17 14:44:00 +0200

[diff] [blame]

674

#endif

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

675

mbedtls_x509write_cert crt;

676

mbedtls_mpi serial;

677

mbedtls_entropy_context entropy;

678

mbedtls_ctr_drbg_context ctr_drbg;

Manuel Pégourié-Gonnard

2013-09-12 05:59:05 +0200

[diff] [blame]

679

const char *pers = "crt example app";

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

/*

* Set to sane values

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

684

mbedtls_x509write_crt_init( &crt );

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

685

mbedtls_pk_init( &loaded_issuer_key );

686

mbedtls_pk_init( &loaded_subject_key );

687

mbedtls_mpi_init( &serial );

Manuel Pégourié-Gonnard

ec160c0

2015-04-28 22:52:30 +0200

[diff] [blame]

688

mbedtls_ctr_drbg_init( &ctr_drbg );

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

689

#if defined(MBEDTLS_X509_CSR_PARSE_C)

690

mbedtls_x509_csr_init( &csr );

Paul Bakker

7fc7fa6

2013-09-17 14:44:00 +0200

[diff] [blame]

691

#endif

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

692

mbedtls_x509_crt_init( &issuer_crt );

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

693

memset( buf, 0, 1024 );

if( argc == 0 )

{

usage:

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

698

mbedtls_printf( USAGE );

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

ret = 1;

goto exit;

}

Paul Bakker

2013-09-09 13:59:42 +0200

[diff] [blame]

703

opt.issuer_crt = DFL_ISSUER_CRT;

Paul Bakker

2013-09-09 15:52:07 +0200

[diff] [blame]

704

opt.request_file = DFL_REQUEST_FILE;

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

705

opt.subject_key = DFL_SUBJECT_KEY;

706

opt.issuer_key = DFL_ISSUER_KEY;

707

opt.subject_pwd = DFL_SUBJECT_PWD;

708

opt.issuer_pwd = DFL_ISSUER_PWD;

709

opt.output_file = DFL_OUTPUT_FILENAME;

710

opt.subject_name = DFL_SUBJECT_NAME;

711

opt.issuer_name = DFL_ISSUER_NAME;

712

opt.not_before = DFL_NOT_BEFORE;

713

opt.not_after = DFL_NOT_AFTER;

714

opt.serial = DFL_SERIAL;

Paul Bakker

2013-09-09 16:24:18 +0200

[diff] [blame]

715

opt.selfsign = DFL_SELFSIGN;

Paul Bakker

2013-09-06 19:27:21 +0200

[diff] [blame]

716

opt.is_ca = DFL_IS_CA;

717

opt.max_pathlen = DFL_MAX_PATHLEN;

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

718

opt.key_usage = DFL_KEY_USAGE;

719

opt.ns_cert_type = DFL_NS_CERT_TYPE;

Hanno Becker

2017-09-22 15:38:20 +0100

[diff] [blame]

720

opt.version = DFL_VERSION - 1;

Hanno Becker

2017-09-13 12:49:22 +0100

[diff] [blame]

721

opt.md = DFL_DIGEST;

722

opt.subject_identifier = DFL_SUBJ_IDENT;

723

opt.authority_identifier = DFL_AUTH_IDENT;

724

opt.basic_constraints = DFL_CONSTRAINTS;

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

725

726

for( i = 1; i < argc; i++ )

{

p = argv[i];

if( ( q = strchr( p, '=' ) ) == NULL )

goto usage;

*q++ = '\0';

Paul Bakker

2013-09-09 15:52:07 +0200

[diff] [blame]

734

if( strcmp( p, "request_file" ) == 0 )

735

opt.request_file = q;

736

else if( strcmp( p, "subject_key" ) == 0 )

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

737

opt.subject_key = q;

738

else if( strcmp( p, "issuer_key" ) == 0 )

739

opt.issuer_key = q;

740

else if( strcmp( p, "subject_pwd" ) == 0 )

741

opt.subject_pwd = q;

742

else if( strcmp( p, "issuer_pwd" ) == 0 )

743

opt.issuer_pwd = q;

Paul Bakker

2013-09-09 13:59:42 +0200

[diff] [blame]

744

else if( strcmp( p, "issuer_crt" ) == 0 )

745

opt.issuer_crt = q;

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

746

else if( strcmp( p, "output_file" ) == 0 )

747

opt.output_file = q;

748

else if( strcmp( p, "subject_name" ) == 0 )

749

{

750

opt.subject_name = q;

751

}

752

else if( strcmp( p, "issuer_name" ) == 0 )

{

opt.issuer_name = q;

}

else if( strcmp( p, "not_before" ) == 0 )

{

opt.not_before = q;

}

else if( strcmp( p, "not_after" ) == 0 )

{

opt.not_after = q;

}

else if( strcmp( p, "serial" ) == 0 )

765

{

766

opt.serial = q;

767

}

Hanno Becker

2017-09-13 12:49:22 +0100

[diff] [blame]

768

else if( strcmp( p, "authority_identifier" ) == 0 )

769

{

770

opt.authority_identifier = atoi( q );

771

if( opt.authority_identifier != 0 &&

772

opt.authority_identifier != 1 )

773

{

Hanno Becker

2017-10-03 14:56:04 +0100

[diff] [blame]

774

mbedtls_printf( "Invalid argument for option %s\n", p );

Hanno Becker

2017-09-13 12:49:22 +0100

[diff] [blame]

goto usage;

}

}

else if( strcmp( p, "subject_identifier" ) == 0 )

779

{

780

opt.subject_identifier = atoi( q );

781

if( opt.subject_identifier != 0 &&

782

opt.subject_identifier != 1 )

783

{

Hanno Becker

2017-10-03 14:56:04 +0100

[diff] [blame]

784

mbedtls_printf( "Invalid argument for option %s\n", p );

Hanno Becker

2017-09-13 12:49:22 +0100

[diff] [blame]

goto usage;

}

}

else if( strcmp( p, "basic_constraints" ) == 0 )

789

{

790

opt.basic_constraints = atoi( q );

791

if( opt.basic_constraints != 0 &&

792

opt.basic_constraints != 1 )

793

{

Hanno Becker

2017-10-03 14:56:04 +0100

[diff] [blame]

794

mbedtls_printf( "Invalid argument for option %s\n", p );

Hanno Becker

2017-09-13 12:49:22 +0100

[diff] [blame]

goto usage;

}

}

else if( strcmp( p, "md" ) == 0 )

799

{

800

if( strcmp( q, "SHA1" ) == 0 )

801

opt.md = MBEDTLS_MD_SHA1;

802

else if( strcmp( q, "SHA256" ) == 0 )

803

opt.md = MBEDTLS_MD_SHA256;

804

else if( strcmp( q, "SHA512" ) == 0 )

805

opt.md = MBEDTLS_MD_SHA512;

806

else if( strcmp( q, "MD5" ) == 0 )

807

opt.md = MBEDTLS_MD_MD5;

808

else

Hanno Becker

2017-10-03 14:56:04 +0100

[diff] [blame]

809

{

810

mbedtls_printf( "Invalid argument for option %s\n", p );

Hanno Becker

2017-09-13 12:49:22 +0100

[diff] [blame]

811

goto usage;

Hanno Becker

2017-10-03 14:56:04 +0100

[diff] [blame]

812

}

Hanno Becker

2017-09-13 12:49:22 +0100

[diff] [blame]

813

}

814

else if( strcmp( p, "version" ) == 0 )

815

{

816

opt.version = atoi( q );

817

if( opt.version < 1 || opt.version > 3 )

Hanno Becker

2017-10-03 14:56:04 +0100

[diff] [blame]

818

{

819

mbedtls_printf( "Invalid argument for option %s\n", p );

Hanno Becker

2017-09-13 12:49:22 +0100

[diff] [blame]

820

goto usage;

Hanno Becker

2017-10-03 14:56:04 +0100

[diff] [blame]

821

}

Hanno Becker

2017-09-22 15:38:20 +0100

[diff] [blame]

822

opt.version--;

Hanno Becker

2017-09-13 12:49:22 +0100

[diff] [blame]

823

}

Paul Bakker

2013-09-09 16:24:18 +0200

[diff] [blame]

824

else if( strcmp( p, "selfsign" ) == 0 )

825

{

826

opt.selfsign = atoi( q );

827

if( opt.selfsign < 0 || opt.selfsign > 1 )

Hanno Becker

2017-10-03 14:56:04 +0100

[diff] [blame]

828

{

829

mbedtls_printf( "Invalid argument for option %s\n", p );

Paul Bakker

2013-09-09 16:24:18 +0200

[diff] [blame]

830

goto usage;

Hanno Becker

2017-10-03 14:56:04 +0100

[diff] [blame]

831

}

Paul Bakker

2013-09-09 16:24:18 +0200

[diff] [blame]

832

}

Paul Bakker

2013-09-06 19:27:21 +0200

[diff] [blame]

833

else if( strcmp( p, "is_ca" ) == 0 )

834

{

835

opt.is_ca = atoi( q );

836

if( opt.is_ca < 0 || opt.is_ca > 1 )

Hanno Becker

2017-10-03 14:56:04 +0100

[diff] [blame]

837

{

838

mbedtls_printf( "Invalid argument for option %s\n", p );

Paul Bakker

2013-09-06 19:27:21 +0200

[diff] [blame]

839

goto usage;

Hanno Becker

2017-10-03 14:56:04 +0100

[diff] [blame]

840

}

Paul Bakker

2013-09-06 19:27:21 +0200

[diff] [blame]

841

}

842

else if( strcmp( p, "max_pathlen" ) == 0 )

843

{

844

opt.max_pathlen = atoi( q );

845

if( opt.max_pathlen < -1 || opt.max_pathlen > 127 )

Hanno Becker

2017-10-03 14:56:04 +0100

[diff] [blame]

846

{

847

mbedtls_printf( "Invalid argument for option %s\n", p );

Paul Bakker

2013-09-06 19:27:21 +0200

[diff] [blame]

848

goto usage;

Hanno Becker

2017-10-03 14:56:04 +0100

[diff] [blame]

849

}

Paul Bakker

2013-09-06 19:27:21 +0200

[diff] [blame]

850

}

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

851

else if( strcmp( p, "key_usage" ) == 0 )

{

while( q != NULL )

{

if( ( r = strchr( q, ',' ) ) != NULL )

856

*r++ = '\0';

857

858

if( strcmp( q, "digital_signature" ) == 0 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

859

opt.key_usage |= MBEDTLS_X509_KU_DIGITAL_SIGNATURE;

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

860

else if( strcmp( q, "non_repudiation" ) == 0 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

861

opt.key_usage |= MBEDTLS_X509_KU_NON_REPUDIATION;

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

862

else if( strcmp( q, "key_encipherment" ) == 0 )

Manuel Pégourié-Gonnard

2015-04-20 12:19:02 +0100

[diff] [blame]

863

opt.key_usage |= MBEDTLS_X509_KU_KEY_ENCIPHERMENT;

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

864

else if( strcmp( q, "data_encipherment" ) == 0 )

Manuel Pégourié-Gonnard

2015-04-20 12:19:02 +0100

[diff] [blame]

865

opt.key_usage |= MBEDTLS_X509_KU_DATA_ENCIPHERMENT;

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

866

else if( strcmp( q, "key_agreement" ) == 0 )

Manuel Pégourié-Gonnard

2015-04-20 12:19:02 +0100

[diff] [blame]

867

opt.key_usage |= MBEDTLS_X509_KU_KEY_AGREEMENT;

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

868

else if( strcmp( q, "key_cert_sign" ) == 0 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

869

opt.key_usage |= MBEDTLS_X509_KU_KEY_CERT_SIGN;

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

870

else if( strcmp( q, "crl_sign" ) == 0 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

871

opt.key_usage |= MBEDTLS_X509_KU_CRL_SIGN;

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

872

else

Hanno Becker

2017-10-03 14:56:04 +0100

[diff] [blame]

873

{

874

mbedtls_printf( "Invalid argument for option %s\n", p );

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

875

goto usage;

Hanno Becker

2017-10-03 14:56:04 +0100

[diff] [blame]

876

}

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

q = r;

}

}

else if( strcmp( p, "ns_cert_type" ) == 0 )

{

while( q != NULL )

{

if( ( r = strchr( q, ',' ) ) != NULL )

886

*r++ = '\0';

887

888

if( strcmp( q, "ssl_client" ) == 0 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

889

opt.ns_cert_type |= MBEDTLS_X509_NS_CERT_TYPE_SSL_CLIENT;

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

890

else if( strcmp( q, "ssl_server" ) == 0 )

Manuel Pégourié-Gonnard

2015-04-20 12:19:02 +0100

[diff] [blame]

891

opt.ns_cert_type |= MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER;

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

892

else if( strcmp( q, "email" ) == 0 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

893

opt.ns_cert_type |= MBEDTLS_X509_NS_CERT_TYPE_EMAIL;

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

894

else if( strcmp( q, "object_signing" ) == 0 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

895

opt.ns_cert_type |= MBEDTLS_X509_NS_CERT_TYPE_OBJECT_SIGNING;

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

896

else if( strcmp( q, "ssl_ca" ) == 0 )

Manuel Pégourié-Gonnard

2015-04-20 12:19:02 +0100

[diff] [blame]

897

opt.ns_cert_type |= MBEDTLS_X509_NS_CERT_TYPE_SSL_CA;

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

898

else if( strcmp( q, "email_ca" ) == 0 )

Manuel Pégourié-Gonnard

2015-04-20 12:19:02 +0100

[diff] [blame]

899

opt.ns_cert_type |= MBEDTLS_X509_NS_CERT_TYPE_EMAIL_CA;

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

900

else if( strcmp( q, "object_signing_ca" ) == 0 )

Manuel Pégourié-Gonnard

2015-04-20 12:19:02 +0100

[diff] [blame]

901

opt.ns_cert_type |= MBEDTLS_X509_NS_CERT_TYPE_OBJECT_SIGNING_CA;

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

902

else

Hanno Becker

2017-10-03 14:56:04 +0100

[diff] [blame]

903

{

904

mbedtls_printf( "Invalid argument for option %s\n", p );

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

905

goto usage;

Hanno Becker

2017-10-03 14:56:04 +0100

[diff] [blame]

906

}

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

q = r;

}

}

else

goto usage;

}

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

915

mbedtls_printf("\n");

Paul Bakker

2013-09-09 13:59:42 +0200

[diff] [blame]

916

Manuel Pégourié-Gonnard

2013-09-12 05:59:05 +0200

[diff] [blame]

917

/*

918

* 0. Seed the PRNG

919

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

920

mbedtls_printf( " . Seeding the random number generator..." );

Manuel Pégourié-Gonnard

2013-09-12 05:59:05 +0200

[diff] [blame]

921

fflush( stdout );

922

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

923

mbedtls_entropy_init( &entropy );

Manuel Pégourié-Gonnard

ec160c0

2015-04-28 22:52:30 +0200

[diff] [blame]

924

if( ( ret = mbedtls_ctr_drbg_seed( &ctr_drbg, mbedtls_entropy_func, &entropy,

Manuel Pégourié-Gonnard

2013-09-12 05:59:05 +0200

[diff] [blame]

925

(const unsigned char *) pers,

926

strlen( pers ) ) ) != 0 )

927

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

928

mbedtls_strerror( ret, buf, 1024 );

Hanno Becker

2017-09-13 15:39:59 +0100

[diff] [blame]

929

mbedtls_printf( " failed\n ! mbedtls_ctr_drbg_seed returned %d - %s\n",

930

ret, buf );

Manuel Pégourié-Gonnard

2013-09-12 05:59:05 +0200

[diff] [blame]

931

goto exit;

932

}

933

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

934

mbedtls_printf( " ok\n" );

Manuel Pégourié-Gonnard

2013-09-12 05:59:05 +0200

[diff] [blame]

935

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

936

// Parse serial to MPI

937

//

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

938

mbedtls_printf( " . Reading serial number..." );

Manuel Pégourié-Gonnard

2013-09-12 05:59:05 +0200

[diff] [blame]

939

fflush( stdout );

940

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

941

if( ( ret = mbedtls_mpi_read_string( &serial, 10, opt.serial ) ) != 0 )

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

942

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

943

mbedtls_strerror( ret, buf, 1024 );

Hanno Becker

2017-09-13 15:39:59 +0100

[diff] [blame]

944

mbedtls_printf( " failed\n ! mbedtls_mpi_read_string "

Hanno Becker

2017-09-22 15:39:02 +0100

[diff] [blame]

945

"returned -0x%04x - %s\n\n", -ret, buf );

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

946

goto exit;

947

}

948

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

949

mbedtls_printf( " ok\n" );

Manuel Pégourié-Gonnard

2013-09-12 05:59:05 +0200

[diff] [blame]

950

Paul Bakker

2013-09-09 13:59:42 +0200

[diff] [blame]

951

// Parse issuer certificate if present

952

//

Paul Bakker

2013-09-09 16:24:18 +0200

[diff] [blame]

953

if( !opt.selfsign && strlen( opt.issuer_crt ) )

Paul Bakker

2013-09-09 13:59:42 +0200

[diff] [blame]

954

{

955

/*

Paul Bakker

2013-09-09 15:52:07 +0200

[diff] [blame]

956

* 1.0.a. Load the certificates

Paul Bakker

2013-09-09 13:59:42 +0200

[diff] [blame]

957

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

958

mbedtls_printf( " . Loading the issuer certificate ..." );

Paul Bakker

2013-09-09 13:59:42 +0200

[diff] [blame]

959

fflush( stdout );

960

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

961

if( ( ret = mbedtls_x509_crt_parse_file( &issuer_crt, opt.issuer_crt ) ) != 0 )

Paul Bakker

2013-09-09 13:59:42 +0200

[diff] [blame]

962

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

963

mbedtls_strerror( ret, buf, 1024 );

Hanno Becker

2017-09-13 15:39:59 +0100

[diff] [blame]

964

mbedtls_printf( " failed\n ! mbedtls_x509_crt_parse_file "

Hanno Becker

2017-09-22 15:39:02 +0100

[diff] [blame]

965

"returned -0x%04x - %s\n\n", -ret, buf );

Paul Bakker

2013-09-09 13:59:42 +0200

[diff] [blame]

966

goto exit;

967

}

968

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

969

ret = mbedtls_x509_dn_gets( issuer_name, sizeof(issuer_name),

Paul Bakker

fdba468

2014-04-25 11:48:35 +0200

[diff] [blame]

970

&issuer_crt.subject );

Paul Bakker

2013-09-09 13:59:42 +0200

[diff] [blame]

971

if( ret < 0 )

972

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

973

mbedtls_strerror( ret, buf, 1024 );

Hanno Becker

2017-09-13 15:39:59 +0100

[diff] [blame]

974

mbedtls_printf( " failed\n ! mbedtls_x509_dn_gets "

Hanno Becker

2017-09-22 15:39:02 +0100

[diff] [blame]

975

"returned -0x%04x - %s\n\n", -ret, buf );

Paul Bakker

2013-09-09 13:59:42 +0200

[diff] [blame]

goto exit;

}

Paul Bakker

2013-09-09 15:52:07 +0200

[diff] [blame]

979

opt.issuer_name = issuer_name;

980

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

981

mbedtls_printf( " ok\n" );

Paul Bakker

2013-09-09 15:52:07 +0200

[diff] [blame]

982

}

983

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

984

#if defined(MBEDTLS_X509_CSR_PARSE_C)

Paul Bakker

2013-09-09 15:52:07 +0200

[diff] [blame]

985

// Parse certificate request if present

986

//

Paul Bakker

2013-09-09 16:24:18 +0200

[diff] [blame]

987

if( !opt.selfsign && strlen( opt.request_file ) )

Paul Bakker

2013-09-09 15:52:07 +0200

[diff] [blame]

988

{

989

/*

990

* 1.0.b. Load the CSR

991

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

992

mbedtls_printf( " . Loading the certificate request ..." );

Paul Bakker

2013-09-09 15:52:07 +0200

[diff] [blame]

993

fflush( stdout );

994

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

995

if( ( ret = mbedtls_x509_csr_parse_file( &csr, opt.request_file ) ) != 0 )

Paul Bakker

2013-09-09 15:52:07 +0200

[diff] [blame]

996

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

997

mbedtls_strerror( ret, buf, 1024 );

Hanno Becker

2017-09-13 15:39:59 +0100

[diff] [blame]

998

mbedtls_printf( " failed\n ! mbedtls_x509_csr_parse_file "

Hanno Becker

2017-09-22 15:39:02 +0100

[diff] [blame]

999

"returned -0x%04x - %s\n\n", -ret, buf );

Paul Bakker

2013-09-09 15:52:07 +0200

[diff] [blame]

1000

goto exit;

1001

}

1002

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1003

ret = mbedtls_x509_dn_gets( subject_name, sizeof(subject_name),

Paul Bakker

2013-09-09 15:52:07 +0200

[diff] [blame]

1004

&csr.subject );

1005

if( ret < 0 )

1006

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1007

mbedtls_strerror( ret, buf, 1024 );

Hanno Becker

2017-09-13 15:39:59 +0100

[diff] [blame]

1008

mbedtls_printf( " failed\n ! mbedtls_x509_dn_gets "

Hanno Becker

2017-09-22 15:39:02 +0100

[diff] [blame]

1009

"returned -0x%04x - %s\n\n", -ret, buf );

Paul Bakker

2013-09-09 15:52:07 +0200

[diff] [blame]

goto exit;

}

opt.subject_name = subject_name;

Manuel Pégourié-Gonnard

f38e71a

2013-09-12 05:21:54 +0200

[diff] [blame]

1014

subject_key = &csr.pk;

Paul Bakker

2013-09-09 15:52:07 +0200

[diff] [blame]

1015

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1016

mbedtls_printf( " ok\n" );

Paul Bakker

2013-09-09 16:24:18 +0200

[diff] [blame]

1017

}

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1018

#endif /* MBEDTLS_X509_CSR_PARSE_C */

Paul Bakker

2013-09-09 16:24:18 +0200

[diff] [blame]

/*

* 1.1. Load the keys

*/

if( !opt.selfsign && !strlen( opt.request_file ) )

1024

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1025

mbedtls_printf( " . Loading the subject key ..." );

Paul Bakker

2013-09-09 16:24:18 +0200

[diff] [blame]

1026

fflush( stdout );

1027

Azim Khan

2018-02-21 01:05:21 +0000

[diff] [blame]

1028

#if defined(_WIN32)

Azim Khan

2018-02-07 11:11:17 +0000

[diff] [blame]

1029

if ( is_remote_key( opt.subject_key ) )

Paul Bakker

2013-09-09 15:52:07 +0200

[diff] [blame]

1030

{

Azim Khan

2018-02-07 11:11:17 +0000

[diff] [blame]

1031

ret = load_pubkey_from_remote( opt.subject_key, &loaded_subject_key );

if ( ret != 0 )

goto exit;

}

else

Azim Khan

2018-02-21 01:05:21 +0000

[diff] [blame]

1036

#endif

Azim Khan

2018-02-07 11:11:17 +0000

[diff] [blame]

1037

{

1038

ret = mbedtls_pk_parse_keyfile( &loaded_subject_key, opt.subject_key,

opt.subject_pwd );

if( ret != 0 )

{

mbedtls_strerror( ret, buf, 1024 );

1043

mbedtls_printf( " failed\n ! mbedtls_pk_parse_keyfile "

1044

"returned -0x%04x - %s\n\n", -ret, buf );

1045

goto exit;

1046

}

Paul Bakker

2013-09-09 15:52:07 +0200

[diff] [blame]

1047

}

Paul Bakker

2013-09-09 13:59:42 +0200

[diff] [blame]

1048

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1049

mbedtls_printf( " ok\n" );

Paul Bakker

2013-09-09 13:59:42 +0200

[diff] [blame]

1050

}

1051

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1052

mbedtls_printf( " . Loading the issuer key ..." );

Paul Bakker

2013-09-09 16:24:18 +0200

[diff] [blame]

1053

fflush( stdout );

1054

Azim Khan

2018-02-21 01:05:21 +0000

[diff] [blame]

1055

#if defined(_WIN32)

Azim Khan

2018-02-07 11:11:17 +0000

[diff] [blame]

1056

if ( is_remote_key( opt.issuer_key ) )

1057

{

1058

ret = setup_opaque_privkey( opt.issuer_key, &loaded_issuer_key );

if ( ret != 0 )

goto exit;

}

else

Azim Khan

2018-02-21 01:05:21 +0000

[diff] [blame]

1063

#endif

Azim Khan

2018-02-07 11:11:17 +0000

[diff] [blame]

1064

{

1065

ret = mbedtls_pk_parse_keyfile( &loaded_issuer_key, opt.issuer_key,

opt.issuer_pwd );

}

Paul Bakker

2013-09-09 16:24:18 +0200

[diff] [blame]

1069

if( ret != 0 )

1070

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1071

mbedtls_strerror( ret, buf, 1024 );

Hanno Becker

2017-09-13 15:39:59 +0100

[diff] [blame]

1072

mbedtls_printf( " failed\n ! mbedtls_pk_parse_keyfile "

1073

"returned -x%02x - %s\n\n", -ret, buf );

Paul Bakker

2013-09-09 16:24:18 +0200

[diff] [blame]

goto exit;

}

// Check if key and issuer certificate match

1078

//

1079

if( strlen( opt.issuer_crt ) )

1080

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1081

if( !mbedtls_pk_can_do( &issuer_crt.pk, MBEDTLS_PK_RSA ) ||

1082

mbedtls_mpi_cmp_mpi( &mbedtls_pk_rsa( issuer_crt.pk )->N,

1083

&mbedtls_pk_rsa( *issuer_key )->N ) != 0 ||

1084

mbedtls_mpi_cmp_mpi( &mbedtls_pk_rsa( issuer_crt.pk )->E,

1085

&mbedtls_pk_rsa( *issuer_key )->E ) != 0 )

Paul Bakker

2013-09-09 16:24:18 +0200

[diff] [blame]

1086

{

Hanno Becker

2017-09-13 15:39:59 +0100

[diff] [blame]

1087

mbedtls_printf( " failed\n ! issuer_key does not match "

1088

"issuer certificate\n\n" );

Paul Bakker

2013-09-09 16:24:18 +0200

[diff] [blame]

ret = -1;

goto exit;

}

}

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1094

mbedtls_printf( " ok\n" );

Paul Bakker

2013-09-09 16:24:18 +0200

[diff] [blame]

1095

1096

if( opt.selfsign )

1097

{

Paul Bakker

93c6aa4

2013-10-28 22:28:09 +0100

[diff] [blame]

1098

opt.subject_name = opt.issuer_name;

Manuel Pégourié-Gonnard

f38e71a

2013-09-12 05:21:54 +0200

[diff] [blame]

1099

subject_key = issuer_key;

Paul Bakker

2013-09-09 16:24:18 +0200

[diff] [blame]

1100

}

1101

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1102

mbedtls_x509write_crt_set_subject_key( &crt, subject_key );

1103

mbedtls_x509write_crt_set_issuer_key( &crt, issuer_key );

Paul Bakker

2013-09-09 16:24:18 +0200

[diff] [blame]

1104

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

1105

/*

1106

* 1.0. Check the names for validity

1107

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1108

if( ( ret = mbedtls_x509write_crt_set_subject_name( &crt, opt.subject_name ) ) != 0 )

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

1109

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1110

mbedtls_strerror( ret, buf, 1024 );

Hanno Becker

2017-09-13 15:39:59 +0100

[diff] [blame]

1111

mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_subject_name "

Hanno Becker

2017-09-22 15:39:02 +0100

[diff] [blame]

1112

"returned -0x%04x - %s\n\n", -ret, buf );

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

1113

goto exit;

1114

}

1115

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1116

if( ( ret = mbedtls_x509write_crt_set_issuer_name( &crt, opt.issuer_name ) ) != 0 )

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

1117

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1118

mbedtls_strerror( ret, buf, 1024 );

Hanno Becker

2017-09-13 15:39:59 +0100

[diff] [blame]

1119

mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_issuer_name "

Hanno Becker

2017-09-22 15:39:02 +0100

[diff] [blame]

1120

"returned -0x%04x - %s\n\n", -ret, buf );

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

1121

goto exit;

1122

}

1123

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1124

mbedtls_printf( " . Setting certificate values ..." );

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

1125

fflush( stdout );

1126

Hanno Becker

2017-09-22 15:38:20 +0100

[diff] [blame]

1127

mbedtls_x509write_crt_set_version( &crt, opt.version );

Hanno Becker

2017-09-13 12:49:22 +0100

[diff] [blame]

1128

mbedtls_x509write_crt_set_md_alg( &crt, opt.md );

1129

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1130

ret = mbedtls_x509write_crt_set_serial( &crt, &serial );

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

1131

if( ret != 0 )

1132

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1133

mbedtls_strerror( ret, buf, 1024 );

Hanno Becker

2017-09-13 15:39:59 +0100

[diff] [blame]

1134

mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_serial "

Hanno Becker

2017-09-22 15:39:02 +0100

[diff] [blame]

1135

"returned -0x%04x - %s\n\n", -ret, buf );

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

1136

goto exit;

1137

}

1138

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1139

ret = mbedtls_x509write_crt_set_validity( &crt, opt.not_before, opt.not_after );

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

1140

if( ret != 0 )

1141

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1142

mbedtls_strerror( ret, buf, 1024 );

Hanno Becker

2017-09-13 15:39:59 +0100

[diff] [blame]

1143

mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_validity "

Hanno Becker

2017-09-22 15:39:02 +0100

[diff] [blame]

1144

"returned -0x%04x - %s\n\n", -ret, buf );

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

1145

goto exit;

1146

}

1147

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1148

mbedtls_printf( " ok\n" );

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

1149

Hanno Becker

2017-09-22 15:38:20 +0100

[diff] [blame]

1150

if( opt.version == MBEDTLS_X509_CRT_VERSION_3 &&

1151

opt.basic_constraints != 0 )

Paul Bakker

2013-09-06 19:27:21 +0200

[diff] [blame]

1152

{

Hanno Becker

2017-09-13 12:49:22 +0100

[diff] [blame]

1153

mbedtls_printf( " . Adding the Basic Constraints extension ..." );

1154

fflush( stdout );

Paul Bakker

2013-09-06 19:27:21 +0200

[diff] [blame]

1155

Hanno Becker

2017-09-13 12:49:22 +0100

[diff] [blame]

1156

ret = mbedtls_x509write_crt_set_basic_constraints( &crt, opt.is_ca,

opt.max_pathlen );

if( ret != 0 )

{

mbedtls_strerror( ret, buf, 1024 );

1161

mbedtls_printf( " failed\n ! x509write_crt_set_basic_contraints "

Hanno Becker

2017-09-22 15:39:02 +0100

[diff] [blame]

1162

"returned -0x%04x - %s\n\n", -ret, buf );

Hanno Becker

2017-09-13 12:49:22 +0100

[diff] [blame]

goto exit;

}

mbedtls_printf( " ok\n" );

1167

}

Paul Bakker

2013-09-06 19:27:21 +0200

[diff] [blame]

1168

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1169

#if defined(MBEDTLS_SHA1_C)

Hanno Becker

2017-09-22 15:38:20 +0100

[diff] [blame]

1170

if( opt.version == MBEDTLS_X509_CRT_VERSION_3 &&

1171

opt.subject_identifier != 0 )

Paul Bakker

2013-09-06 19:27:21 +0200

[diff] [blame]

1172

{

Hanno Becker

2017-09-13 12:49:22 +0100

[diff] [blame]

1173

mbedtls_printf( " . Adding the Subject Key Identifier ..." );

1174

fflush( stdout );

1175

1176

ret = mbedtls_x509write_crt_set_subject_key_identifier( &crt );

1177

if( ret != 0 )

1178

{

1179

mbedtls_strerror( ret, buf, 1024 );

1180

mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_subject"

Hanno Becker

2017-09-22 15:39:02 +0100

[diff] [blame]

1181

"_key_identifier returned -0x%04x - %s\n\n",

Hanno Becker

2017-09-13 12:49:22 +0100

[diff] [blame]

-ret, buf );

goto exit;

}

mbedtls_printf( " ok\n" );

Paul Bakker

2013-09-06 19:27:21 +0200

[diff] [blame]

1187

}

1188

Hanno Becker

2017-09-22 15:38:20 +0100

[diff] [blame]

1189

if( opt.version == MBEDTLS_X509_CRT_VERSION_3 &&

1190

opt.authority_identifier != 0 )

Paul Bakker

2013-09-06 19:27:21 +0200

[diff] [blame]

1191

{

Hanno Becker

2017-09-13 12:49:22 +0100

[diff] [blame]

1192

mbedtls_printf( " . Adding the Authority Key Identifier ..." );

1193

fflush( stdout );

Paul Bakker

2013-09-06 19:27:21 +0200

[diff] [blame]

1194

Hanno Becker

2017-09-13 12:49:22 +0100

[diff] [blame]

1195

ret = mbedtls_x509write_crt_set_authority_key_identifier( &crt );

1196

if( ret != 0 )

1197

{

1198

mbedtls_strerror( ret, buf, 1024 );

1199

mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_authority_"

Hanno Becker

2017-09-22 15:39:02 +0100

[diff] [blame]

1200

"key_identifier returned -0x%04x - %s\n\n",

Hanno Becker

2017-09-13 12:49:22 +0100

[diff] [blame]

-ret, buf );

goto exit;

}

mbedtls_printf( " ok\n" );

1206

}

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1207

#endif /* MBEDTLS_SHA1_C */

Paul Bakker

2013-09-06 19:27:21 +0200

[diff] [blame]

1208

Hanno Becker

2017-09-22 15:38:20 +0100

[diff] [blame]

1209

if( opt.version == MBEDTLS_X509_CRT_VERSION_3 &&

1210

opt.key_usage != 0 )

Paul Bakker

2013-09-09 12:37:54 +0200

[diff] [blame]

1211

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1212

mbedtls_printf( " . Adding the Key Usage extension ..." );

Paul Bakker

2013-09-09 12:37:54 +0200

[diff] [blame]

1213

fflush( stdout );

1214

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1215

ret = mbedtls_x509write_crt_set_key_usage( &crt, opt.key_usage );

Paul Bakker

2013-09-09 12:37:54 +0200

[diff] [blame]

1216

if( ret != 0 )

1217

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1218

mbedtls_strerror( ret, buf, 1024 );

Hanno Becker

2017-09-13 15:39:59 +0100

[diff] [blame]

1219

mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_key_usage "

Hanno Becker

2017-09-22 15:39:02 +0100

[diff] [blame]

1220

"returned -0x%04x - %s\n\n", -ret, buf );

Paul Bakker

2013-09-09 12:37:54 +0200

[diff] [blame]

1221

goto exit;

1222

}

1223

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1224

mbedtls_printf( " ok\n" );

Paul Bakker

2013-09-09 12:37:54 +0200

[diff] [blame]

1225

}

1226

Hanno Becker

2017-09-22 15:38:20 +0100

[diff] [blame]

1227

if( opt.version == MBEDTLS_X509_CRT_VERSION_3 &&

1228

opt.ns_cert_type != 0 )

Paul Bakker

2013-09-09 12:37:54 +0200

[diff] [blame]

1229

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1230

mbedtls_printf( " . Adding the NS Cert Type extension ..." );

Paul Bakker

2013-09-09 12:37:54 +0200

[diff] [blame]

1231

fflush( stdout );

1232

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1233

ret = mbedtls_x509write_crt_set_ns_cert_type( &crt, opt.ns_cert_type );

Paul Bakker

2013-09-09 12:37:54 +0200

[diff] [blame]

1234

if( ret != 0 )

1235

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1236

mbedtls_strerror( ret, buf, 1024 );

Hanno Becker

2017-09-13 15:39:59 +0100

[diff] [blame]

1237

mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_ns_cert_type "

Hanno Becker

2017-09-22 15:39:02 +0100

[diff] [blame]

1238

"returned -0x%04x - %s\n\n", -ret, buf );

Paul Bakker

2013-09-09 12:37:54 +0200

[diff] [blame]

1239

goto exit;

1240

}

1241

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1242

mbedtls_printf( " ok\n" );

Paul Bakker

2013-09-09 12:37:54 +0200

[diff] [blame]

1243

}

1244

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

1245

/*

1246

* 1.2. Writing the request

1247

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1248

mbedtls_printf( " . Writing the certificate..." );

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

1249

fflush( stdout );

1250

Manuel Pégourié-Gonnard

2013-09-12 05:59:05 +0200

[diff] [blame]

1251

if( ( ret = write_certificate( &crt, opt.output_file,

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1252

mbedtls_ctr_drbg_random, &ctr_drbg ) ) != 0 )

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

1253

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1254

mbedtls_strerror( ret, buf, 1024 );

Hanno Becker

2017-09-22 15:39:02 +0100

[diff] [blame]

1255

mbedtls_printf( " failed\n ! write_certificate -0x%04x - %s\n\n",

Hanno Becker

2017-09-13 15:39:59 +0100

[diff] [blame]

1256

-ret, buf );

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

1257

goto exit;

1258

}

1259

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1260

mbedtls_printf( " ok\n" );

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

1261

1262

exit:

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1263

mbedtls_x509write_crt_free( &crt );

1264

mbedtls_pk_free( &loaded_subject_key );

Azim Khan

2018-02-21 01:05:21 +0000

[diff] [blame]

1265

mbedtls_pk_free( &loaded_issuer_key );

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1266

mbedtls_mpi_free( &serial );

1267

mbedtls_ctr_drbg_free( &ctr_drbg );

1268

mbedtls_entropy_free( &entropy );

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

1269

1270

#if defined(_WIN32)

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1271

mbedtls_printf( " + Press Enter to exit this program.\n" );

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

1272

fflush( stdout ); getchar();

#endif

return( ret );

}

Azim Khan

2018-02-07 11:11:17 +0000

[diff] [blame]

1277

Manuel Pégourié-Gonnard