Blame - programs/x509/cert_write.c - mirror/mbed-tls

2013-09-06 09:55:26 +0200

[diff] [blame]

1

/*

2

* Certificate generation and signing

3

*

Manuel Pégourié-Gonnard

6fb8187

2015-07-27 11:11:48 +0200

[diff] [blame]

4

Manuel Pégourié-Gonnard

37ff140

2015-09-04 14:21:07 +0200

[diff] [blame]

5

* SPDX-License-Identifier: Apache-2.0

6

*

7

* Licensed under the Apache License, Version 2.0 (the "License"); you may

8

* not use this file except in compliance with the License.

9

* You may obtain a copy of the License at

10

*

11

* http://www.apache.org/licenses/LICENSE-2.0

12

*

13

* Unless required by applicable law or agreed to in writing, software

14

* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT

15

* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

16

* See the License for the specific language governing permissions and

17

* limitations under the License.

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

18

*

Manuel Pégourié-Gonnard

fe44643

2015-03-06 13:17:10 +0000

[diff] [blame]

19

* This file is part of mbed TLS (https://tls.mbed.org)

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

20

*/

21

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

22

#if !defined(MBEDTLS_CONFIG_FILE)

Manuel Pégourié-Gonnard

2015-03-09 17:05:11 +0000

[diff] [blame]

23

#include "mbedtls/config.h"

Manuel Pégourié-Gonnard

cef4ad2

2014-04-29 12:39:06 +0200

[diff] [blame]

24

#else

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

25

#include MBEDTLS_CONFIG_FILE

Manuel Pégourié-Gonnard

cef4ad2

2014-04-29 12:39:06 +0200

[diff] [blame]

26

#endif

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

27

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

28

#if defined(MBEDTLS_PLATFORM_C)

Manuel Pégourié-Gonnard

2015-03-09 17:05:11 +0000

[diff] [blame]

29

#include "mbedtls/platform.h"

Rich Evans

f90016a

2015-01-19 14:26:37 +0000

[diff] [blame]

30

#else

Rich Evans

2015-02-11 14:06:19 +0000

[diff] [blame]

31

#include <stdio.h>

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

32

#define mbedtls_printf printf

Rich Evans

f90016a

2015-01-19 14:26:37 +0000

[diff] [blame]

33

#endif

34

Simon Butcher

203a693

2016-10-07 15:00:17 +0100

[diff] [blame]

35

#if !defined(MBEDTLS_X509_CRT_WRITE_C) || \

36

!defined(MBEDTLS_X509_CRT_PARSE_C) || !defined(MBEDTLS_FS_IO) || \

37

!defined(MBEDTLS_ENTROPY_C) || !defined(MBEDTLS_CTR_DRBG_C) || \

38

!defined(MBEDTLS_ERROR_C) || !defined(MBEDTLS_SHA256_C) || \

39

!defined(MBEDTLS_PEM_WRITE_C)

Manuel Pégourié-Gonnard

8d649c6

2015-03-31 15:10:03 +0200

[diff] [blame]

40

int main( void )

41

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

42

mbedtls_printf( "MBEDTLS_X509_CRT_WRITE_C and/or MBEDTLS_X509_CRT_PARSE_C and/or "

Manuel Pégourié-Gonnard

d738965

2015-08-06 18:22:26 +0200

[diff] [blame]

43

"MBEDTLS_FS_IO and/or MBEDTLS_SHA256_C and/or "

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

44

"MBEDTLS_ENTROPY_C and/or MBEDTLS_CTR_DRBG_C and/or "

45

"MBEDTLS_ERROR_C not defined.\n");

Manuel Pégourié-Gonnard

8d649c6

2015-03-31 15:10:03 +0200

[diff] [blame]

return( 0 );

}

#else

Manuel Pégourié-Gonnard

2015-03-09 17:05:11 +0000

[diff] [blame]

50

#include "mbedtls/x509_crt.h"

51

#include "mbedtls/x509_csr.h"

52

#include "mbedtls/entropy.h"

53

#include "mbedtls/ctr_drbg.h"

Hanno Becker

2017-09-13 12:49:22 +0100

[diff] [blame]

54

#include "mbedtls/md.h"

Manuel Pégourié-Gonnard

2015-03-09 17:05:11 +0000

[diff] [blame]

55

#include "mbedtls/error.h"

Azim Khan

2018-02-07 11:11:17 +0000

[diff] [blame]

56

#include "mbedtls/pk_info.h"

Manuel Pégourié-Gonnard

7831b0c

2013-09-20 12:29:56 +0200

[diff] [blame]

57

Rich Evans

2015-02-11 14:06:19 +0000

[diff] [blame]

58

#include <stdio.h>

59

#include <stdlib.h>

60

#include <string.h>

Azim Khan

2018-02-21 01:05:21 +0000

[diff] [blame^]

61

#if defined(_WIN32)

Azim Khan

2018-02-07 11:11:17 +0000

[diff] [blame]

62

#include <Windows.h>

Azim Khan

2018-02-21 01:05:21 +0000

[diff] [blame^]

63

#endif

Rich Evans

2015-02-11 14:06:19 +0000

[diff] [blame]

64

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

65

#if defined(MBEDTLS_X509_CSR_PARSE_C)

Rich Evans

2015-02-11 14:06:19 +0000

[diff] [blame]

66

#define USAGE_CSR \

Hanno Becker

2017-09-13 15:39:59 +0100

[diff] [blame]

67

" request_file=%%s default: (empty)\n" \

68

" If request_file is specified, subject_key,\n" \

69

" subject_pwd and subject_name are ignored!\n"

Rich Evans

2015-02-11 14:06:19 +0000

[diff] [blame]

70

#else

71

#define USAGE_CSR ""

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

72

#endif /* MBEDTLS_X509_CSR_PARSE_C */

Rich Evans

2015-02-11 14:06:19 +0000

[diff] [blame]

73

Paul Bakker

2013-09-09 13:59:42 +0200

[diff] [blame]

74

#define DFL_ISSUER_CRT ""

Paul Bakker

2013-09-09 15:52:07 +0200

[diff] [blame]

75

#define DFL_REQUEST_FILE ""

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

76

#define DFL_SUBJECT_KEY "subject.key"

77

#define DFL_ISSUER_KEY "ca.key"

78

#define DFL_SUBJECT_PWD ""

79

#define DFL_ISSUER_PWD ""

80

#define DFL_OUTPUT_FILENAME "cert.crt"

Manuel Pégourié-Gonnard

9169921

2015-01-22 16:26:39 +0000

[diff] [blame]

81

#define DFL_SUBJECT_NAME "CN=Cert,O=mbed TLS,C=UK"

82

#define DFL_ISSUER_NAME "CN=CA,O=mbed TLS,C=UK"

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

83

#define DFL_NOT_BEFORE "20010101000000"

84

#define DFL_NOT_AFTER "20301231235959"

85

#define DFL_SERIAL "1"

Paul Bakker

2013-09-09 16:24:18 +0200

[diff] [blame]

86

#define DFL_SELFSIGN 0

Paul Bakker

2013-09-06 19:27:21 +0200

[diff] [blame]

87

#define DFL_IS_CA 0

88

#define DFL_MAX_PATHLEN -1

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

89

#define DFL_KEY_USAGE 0

90

#define DFL_NS_CERT_TYPE 0

Hanno Becker

2017-09-13 12:49:22 +0100

[diff] [blame]

91

#define DFL_VERSION 3

92

#define DFL_AUTH_IDENT 1

93

#define DFL_SUBJ_IDENT 1

94

#define DFL_CONSTRAINTS 1

95

#define DFL_DIGEST MBEDTLS_MD_SHA256

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

96

Azim Khan

2018-02-07 11:11:17 +0000

[diff] [blame]

97

#define UNUSED(x) ((void)(x))

98

Rich Evans

2015-02-11 14:06:19 +0000

[diff] [blame]

99

#define USAGE \

100

"\n usage: cert_write param=<>...\n" \

101

"\n acceptable parameters:\n" \

102

USAGE_CSR \

Hanno Becker

2017-09-13 15:39:59 +0100

[diff] [blame]

103

" subject_key=%%s default: subject.key\n" \

104

" subject_pwd=%%s default: (empty)\n" \

105

" subject_name=%%s default: CN=Cert,O=mbed TLS,C=UK\n" \

Rich Evans

2015-02-11 14:06:19 +0000

[diff] [blame]

106

"\n" \

Hanno Becker

2017-09-13 15:39:59 +0100

[diff] [blame]

107

" issuer_crt=%%s default: (empty)\n" \

108

" If issuer_crt is specified, issuer_name is\n" \

109

" ignored!\n" \

110

" issuer_name=%%s default: CN=CA,O=mbed TLS,C=UK\n" \

Rich Evans

2015-02-11 14:06:19 +0000

[diff] [blame]

111

"\n" \

Hanno Becker

2017-09-13 15:39:59 +0100

[diff] [blame]

112

" selfsign=%%d default: 0 (false)\n" \

113

" If selfsign is enabled, issuer_name and\n" \

114

" issuer_key are required (issuer_crt and\n" \

115

" subject_* are ignored\n" \

116

" issuer_key=%%s default: ca.key\n" \

117

" issuer_pwd=%%s default: (empty)\n" \

118

" output_file=%%s default: cert.crt\n" \

119

" serial=%%s default: 1\n" \

120

" not_before=%%s default: 20010101000000\n"\

121

" not_after=%%s default: 20301231235959\n"\

122

" is_ca=%%d default: 0 (disabled)\n" \

123

" max_pathlen=%%d default: -1 (none)\n" \

124

" md=%%s default: SHA256\n" \

125

" Supported values:\n" \

126

" MD5, SHA1, SHA256, SHA512\n"\

127

" version=%%d default: 3\n" \

128

" Possible values: 1, 2, 3\n"\

129

" subject_identifier=%%s default: 1\n" \

130

" Possible values: 0, 1\n" \

131

" (Considered for v3 only)\n"\

132

" authority_identifier=%%s default: 1\n" \

133

" Possible values: 0, 1\n" \

134

" (Considered for v3 only)\n"\

135

" basic_constraints=%%d default: 1\n" \

136

" Possible values: 0, 1\n" \

137

" (Considered for v3 only)\n"\

138

" key_usage=%%s default: (empty)\n" \

139

" Comma-separated-list of values:\n" \

140

" digital_signature\n" \

141

" non_repudiation\n" \

142

" key_encipherment\n" \

143

" data_encipherment\n" \

" key_agreement\n" \

" key_cert_sign\n" \

" crl_sign\n" \

" (Considered for v3 only)\n"\

148

" ns_cert_type=%%s default: (empty)\n" \

149

" Comma-separated-list of values:\n" \

" ssl_client\n" \

" ssl_server\n" \

" email\n" \

" object_signing\n" \

154

" ssl_ca\n" \

155

" email_ca\n" \

156

" object_signing_ca\n" \

Rich Evans

2015-02-11 14:06:19 +0000

[diff] [blame]

157

"\n"

Manuel Pégourié-Gonnard

6c5abfa

2015-02-13 14:12:07 +0000

[diff] [blame]

158

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

/*

* global options

*/

struct options

{

Paul Bakker

8fc30b1

2013-11-25 13:29:43 +0100

[diff] [blame]

164

const char *issuer_crt; /* filename of the issuer certificate */

165

const char *request_file; /* filename of the certificate request */

166

const char *subject_key; /* filename of the subject key file */

167

const char *issuer_key; /* filename of the issuer key file */

168

const char *subject_pwd; /* password for the subject key file */

169

const char *issuer_pwd; /* password for the issuer key file */

170

const char *output_file; /* where to store the constructed key file */

171

const char *subject_name; /* subject name for certificate */

172

const char *issuer_name; /* issuer name for certificate */

173

const char *not_before; /* validity period not before */

174

const char *not_after; /* validity period not after */

175

const char *serial; /* serial number string */

Paul Bakker

2013-09-09 16:24:18 +0200

[diff] [blame]

176

int selfsign; /* selfsign the certificate */

Paul Bakker

2013-09-06 19:27:21 +0200

[diff] [blame]

177

int is_ca; /* is a CA certificate */

178

int max_pathlen; /* maximum CA path length */

Hanno Becker

e1b1d0a

2017-09-22 15:35:16 +0100

[diff] [blame]

179

int authority_identifier; /* add authority identifier to CRT */

180

int subject_identifier; /* add subject identifier to CRT */

Hanno Becker

2017-09-13 12:49:22 +0100

[diff] [blame]

181

int basic_constraints; /* add basic constraints ext to CRT */

182

int version; /* CRT version */

183

mbedtls_md_type_t md; /* Hash used for signing */

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

184

unsigned char key_usage; /* key usage flags */

185

unsigned char ns_cert_type; /* NS cert type */

186

} opt;

187

Azim Khan

2018-02-21 01:05:21 +0000

[diff] [blame^]

188

#if defined(_WIN32)

189

/** Below are the constants used for remote Opaque key implementation.

190

*/

191

192

/* Remote cryptoprocessor sync pattern. Sent to sync with the device before

193

* sending commands. */

194

#define REMOTE_KEY_MAGIC_PATTERN "rEmOtEkEy"

195

#define REMOTE_KEY_CMD_TAG "//opaque_pk/ATCA"

196

#define REMOTE_KEY_ID_MIN 0

197

#define REMOTE_KEY_ID_MAX 7

198

#define REMOTE_KEY_SERIAL_BAUD CBR_9600

199

200

#define REMOTE_KEY_FUNC_GET_PUBKEY 0xA

201

#define REMOTE_KEY_FUNC_SIGN 0xB

202

203

int is_remote_key( const char *remote_info )

204

{

205

size_t tag_len = strlen( REMOTE_KEY_CMD_TAG );

206

if ( strlen( remote_info ) > tag_len &&

207

strncmp( remote_info, REMOTE_KEY_CMD_TAG, tag_len ) == 0 )

return( 1 );

return( 0 );

}

int parse_remote_info( const char *remote_info, int *key_idx, const char **serial_port )

213

{

214

int offset = 0;

215

int remote_info_len = strlen( remote_info );

216

217

if( is_remote_key( remote_info ) == 0 )

218

return( -1 );

219

220

offset = strlen( REMOTE_KEY_CMD_TAG );

221

offset++; // Skip the delimiter. FUTURE: Add validation.

222

if( offset >= remote_info_len )

223

return( -1 );

224

*key_idx = (int) remote_info[offset++];

225

offset++; // Skip the delimiter

226

if( offset >= remote_info_len )

227

return( -1 );

228

*key_idx = *key_idx - 48; // ascii to decimal

229

230

if ( *key_idx < REMOTE_KEY_ID_MIN || *key_idx > REMOTE_KEY_ID_MAX )

231

{

232

mbedtls_printf( " failed\n ! Invalid remote key index %d\n\n", *key_idx );

233

return( -1 );

234

}

235

*serial_port = remote_info + offset;

236

printf( "Got key id %d and com port %s\n", *key_idx, *serial_port );

return( 0 );

}

/**

* @brief Send a command to remote cryptoprocessor and receive response.

242

*

243

* It

244

* - first sends a sync pattern 'rEmOtEkEy' and waits for an echo to sync

245

* with the remote.

246

* - Then it sends the tx buf supplied by the caller.

247

* - It waits for a 4 byte length indicator. Value 0 means error.

248

* - Finally it reads no. of bytes specified in received Length indicator

249

* and fills received data in rx_buf and returns.

250

* Note: success is considered when a length indicator > 0 is received and

251

* data size == length indicator is successfully received.

252

*

253

*

254

* @param serial_port Serial port to send & recv data.

255

* @param tx_buf Command Tx buffer

256

* @param tx_buf_len Tx buffer length

257

* @param rx_buf Out response Rx buffer

258

* @param rx_buf_len Rx buffer length

259

* @param rx_len Received data length

260

*

261

* @retval 0 if success, or -1.

262

*/

263

int serial_xfer( const char * serial_port, const unsigned char * tx_buf,

264

size_t tx_buf_len, unsigned char * rx_buf, size_t rx_buf_len,

265

size_t * rx_len )

266

{

267

char c, comm_name[20]; /* \\\\.\\COMxy = 11 characters at least */

268

HANDLE h_comm;

269

DCB dcb_config;

270

COMMTIMEOUTS comm_timeout;

271

DWORD xfer_len;

272

unsigned char len_buf[sizeof(size_t)];

273

int ret = -1;

274

size_t len = 0, sync_pattern_idx = 0;

do

{

sprintf( comm_name, "\\\\.\\%s", serial_port );

279

280

h_comm = CreateFile( comm_name, GENERIC_READ | GENERIC_WRITE, 0, 0,

281

OPEN_EXISTING, 0, 0 );

282

if ( h_comm == INVALID_HANDLE_VALUE )

283

{

284

mbedtls_printf( " failed\n ! failed to open port %s %lu\n\n", serial_port, GetLastError() );

break;

}

if( GetCommState( h_comm, &dcb_config ) )

289

{

290

dcb_config.BaudRate = REMOTE_KEY_SERIAL_BAUD;

291

dcb_config.Parity = NOPARITY;

292

dcb_config.ByteSize = 8;

293

dcb_config.StopBits = ONESTOPBIT;

294

dcb_config.fOutxCtsFlow = FALSE; // No CTS output flow control

295

dcb_config.fOutxDsrFlow = FALSE; // No DSR output flow control

296

dcb_config.fDtrControl = DTR_CONTROL_DISABLE; // DTR flow control type

297

dcb_config.fDsrSensitivity = FALSE; // DSR sensitivity

298

dcb_config.fTXContinueOnXoff = TRUE; // XOFF continues Tx

299

dcb_config.fOutX = FALSE; // No XON/XOFF out flow control

300

dcb_config.fInX = FALSE; // No XON/XOFF in flow control

301

dcb_config.fErrorChar = FALSE; // Disable error replacement

302

dcb_config.fNull = FALSE; // Disable null stripping

303

dcb_config.fRtsControl = RTS_CONTROL_DISABLE; // RTS flow control

304

dcb_config.fAbortOnError = FALSE; // Do not abort reads/writes on error

}

else

{

mbedtls_printf( " failed\n ! GetCommState returned error %lu\n\n", GetLastError() );

break;

}

if( !SetCommState( h_comm, &dcb_config ) )

313

{

314

mbedtls_printf( " failed\n ! SetCommState returned error %lu\n\n", GetLastError() );

break;

}

if( GetCommTimeouts( h_comm, &comm_timeout ) )

319

{

320

comm_timeout.ReadIntervalTimeout = 1000;

321

comm_timeout.ReadTotalTimeoutMultiplier = 10;

322

comm_timeout.ReadTotalTimeoutConstant = 1000;

323

comm_timeout.WriteTotalTimeoutConstant = 1000;

324

comm_timeout.WriteTotalTimeoutMultiplier = 10;

}

else

{

mbedtls_printf( " failed\n ! GetCommTimeouts returned error %lu\n\n", GetLastError() );

break;

}

if( !SetCommTimeouts( h_comm, &comm_timeout ) )

333

{

334

mbedtls_printf( " failed\n ! SetCommTimeouts returned error %lu\n\n", GetLastError() );

break;

}

/* Flush data on serial before sending sync pattern */

340

while( ReadFile( h_comm, &c, sizeof(c), &xfer_len, NULL ) && xfer_len != 0 );

341

/* Sync with peer */

342

if( !WriteFile( h_comm, REMOTE_KEY_MAGIC_PATTERN, strlen(REMOTE_KEY_MAGIC_PATTERN),

343

&xfer_len, NULL ) )

344

{

345

mbedtls_printf( " failed\n ! WriteFile returned error %lu\n\n", GetLastError() );

break;

}

while( sync_pattern_idx != strlen(REMOTE_KEY_MAGIC_PATTERN) )

350

{

351

if( !ReadFile( h_comm, &c, sizeof(c), &xfer_len, NULL ) )

352

{

353

mbedtls_printf( " failed\n ! ReadFile returned error %lu\n\n", GetLastError() );

354

break;

355

}

356

if ( c == REMOTE_KEY_MAGIC_PATTERN[sync_pattern_idx] )

357

sync_pattern_idx++;

358

else

359

sync_pattern_idx = 0;

360

}

361

362

/* Exit if there was a read error */

363

if ( sync_pattern_idx != strlen(REMOTE_KEY_MAGIC_PATTERN) )

364

{

365

mbedtls_printf("Failedi to sync!\n");

break;

}

{

size_t i;

printf("Tx: ");

for (i = 0; i < tx_buf_len; i++)

373

printf ("0x%02x ", (tx_buf)[i]);

374

printf("\n");

375

}

376

if( !WriteFile( h_comm, tx_buf, tx_buf_len,

377

&xfer_len, NULL ) )

378

{

379

mbedtls_printf( " failed\n ! WriteFile returned error %lu\n\n", GetLastError() );

break;

}

/* Read LI (length indicator) */

384

if( !ReadFile( h_comm, len_buf, sizeof(len_buf), &xfer_len, NULL ) ) /* Serial error */

385

{

386

mbedtls_printf( " failed\n ! ReadFile returned error %lu\n\n", GetLastError() );

break;

}

*rx_len = ( len_buf[0] << 24 ) | ( len_buf[1] << 16 ) | ( len_buf[2] << 8 ) | len_buf[3];

391

if ( *rx_len == 0 ) /* LI == 0 indicates remote error */

392

{

393

mbedtls_printf( " failed\n ! Received length indicator == 0\n\n" );

394

break;

395

}

396

if ( *rx_len > rx_buf_len ) /* Buffer too small */

397

{

398

mbedtls_printf( " failed\n ! Buffer too small to hold received data\n\n" );

break;

}

/* Read payload */

len = 0;

while( len < *rx_len )

404

{

405

if( !ReadFile( h_comm, rx_buf + len, *rx_len - len, &xfer_len, NULL ) )

406

{

407

mbedtls_printf( " failed\n ! ReadFile returned error %lu\n\n", GetLastError() );

break;

}

len += xfer_len;

}

if( len < *rx_len ) /* Serial error */

413

{

414

mbedtls_printf( " failed\n ! ReadFile returned error %lu\n\n", GetLastError() );

415

break;

416

}

417

printf("Received LI 0x%02x 0x%02x 0x%02x 0x%02x \n", len_buf[0], len_buf[1], len_buf[2], len_buf[3]);

{

size_t i;

printf("Rx: ");

for (i = 0; i < *rx_len; i++)

422

printf ("0x%02x ", (rx_buf)[i]);

printf("\n");

}

ret = 0;

} while( 0 );

if( h_comm != INVALID_HANDLE_VALUE )

430

{

431

CloseHandle( h_comm );

432

h_comm = INVALID_HANDLE_VALUE;

}

return( ret );

}

/** Load a transparent public key context with public key from remote device

439

* over serial.

440

* This function sends:

441

* rEmOtEkEy<char encoded function code=GetPubKey><char encoded private key ID>

442

* Receives:

443

* <4 bytes length indicator in network order><concatenated public key>

444

*/

445

int load_pubkey_from_remote( const char * remote_info, mbedtls_pk_context * ctx )

446

{

447

int key_idx = 0, offset = 0, ret = 0;

448

const char * serial_port = NULL;

449

unsigned char func_buffer[10];

450

unsigned char pub_key_buf[100];

451

size_t rx_len = 0;

452

static mbedtls_ecp_keypair ecp_key;

453

454

if( parse_remote_info( remote_info, &key_idx, &serial_port ) != 0 )

455

return( -1 );

456

457

/* Prepare command */

458

offset = 0;

459

func_buffer[offset++] = REMOTE_KEY_FUNC_GET_PUBKEY;

460

func_buffer[offset++] = key_idx;

461

462

if( serial_xfer( serial_port, func_buffer, offset, pub_key_buf, sizeof( pub_key_buf ), &rx_len ) != 0 )

463

{

464

mbedtls_printf( " failed\n ! Serial error trying to get pulic key\n\n" );

return( -1 );

}

/* Import public key from received binary */

469

mbedtls_ecp_keypair_init(&ecp_key);

470

ret = mbedtls_ecp_group_load(&ecp_key.grp, MBEDTLS_ECP_DP_SECP256R1);

471

if( ret != 0 )

472

{

473

mbedtls_printf( " failed\n ! Failed to load ecp group\n\n" );

474

return( ret );

475

}

476

ret = mbedtls_ecp_point_read_binary(&ecp_key.grp, &ecp_key.Q, pub_key_buf, rx_len );

477

if( ret != 0 )

478

{

479

mbedtls_printf( " failed\n ! Failed to read ecp key from binary\n\n" );

480

return( ret );

481

}

482

ctx->pk_info = mbedtls_pk_info_from_type( MBEDTLS_PK_ECKEY );

483

ctx->pk_ctx = &ecp_key;

return( 0 );

}

/**

* @brief Tell if the context can do the operation given by type

489

*

490

* @param ctx PK Context

491

* @param type Target type

492

*

493

* @return 0 if context can't do the operations,

494

* 1 otherwise.

495

*/

496

static int remote_can_do_func(const void *ctx, mbedtls_pk_type_t type)

497

{

498

UNUSED(ctx);

499

/* At the moment only ECDSA is supported */

500

return (MBEDTLS_PK_ECDSA == type);

}

typedef struct

{

const char *serial_port;

506

unsigned char key_idx;

507

} remote_serial_pk_context;

508

509

/**

510

* @brief Sign using remote cryptoprocessor accessed over serial.

511

*

512

* @param ctx ECDSA context

513

* @param md_alg Hash Algorithm that was used to hash the message.

514

* Only SHA256 is supported.

515

* @param hash Message hash

516

* @param hash_len Length of hash

517

* @param sig Buffer that will hold the signature

518

* @param sig_len Length of the signature written

519

* @param f_rng RNG function

520

* @param p_rng RNG parameter

521

*

522

* @retval 0 if successful, or 1.

523

*/

524

static int remote_sign_func(void *ctx, mbedtls_md_type_t md_alg,

525

const unsigned char *hash, size_t hash_len,

526

unsigned char *sig, size_t *sig_len,

527

int (*f_rng)(void *, unsigned char *, size_t),

528

void *p_rng)

529

{

530

remote_serial_pk_context * remote_ctx = (remote_serial_pk_context *)ctx;

531

/* Required buffer = func 1 byte + key Id 1 byte + hash len 4 bytes + hash */

532

unsigned char func_buffer[MBEDTLS_MD_MAX_SIZE + 4 + 1 + 1];

size_t offset = 0;

UNUSED( f_rng );

UNUSED( p_rng );

if( md_alg != MBEDTLS_MD_SHA256 )

539

return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );

540

541

if( hash_len + 4 + 1 + 1 > sizeof( func_buffer ) )

542

{

543

return( MBEDTLS_ERR_PK_BUFFER_TOO_SMALL );

544

}

545

546

func_buffer[offset++] = REMOTE_KEY_FUNC_SIGN;

547

func_buffer[offset++] = remote_ctx->key_idx;

548

func_buffer[offset++] = hash_len >> 24;

549

func_buffer[offset++] = hash_len >> 16;

550

func_buffer[offset++] = hash_len >> 8;

551

func_buffer[offset++] = hash_len;

552

553

memcpy( func_buffer + offset, hash, hash_len );

554

offset += hash_len;

555

556

if( serial_xfer( remote_ctx->serial_port, func_buffer, offset, sig,

557

100/* FIXME */, sig_len ) != 0 )

558

{

559

mbedtls_printf( " failed\n ! Serial error in signing\n\n" );

return( -1 );

}

return( 0 );

}

void remote_free( void *ctx )

567

{

568

/* Nothing to free since remote context is statically allocated.

569

* Within this app there is no need to scrub the memory.

*/

UNUSED( ctx );

}

int mbedtls_pk_remote_setup( mbedtls_pk_context * ctx, const char * serial_port,

575

unsigned char key_idx )

576

{

577

/* allocate remote serial context */

578

static remote_serial_pk_context remote;

579

/* Opaque private key */

580

static const mbedtls_pk_info_t remote_pk_info =

581

{

582

/* MBEDTLS_PK_ECKEY, */

MBEDTLS_PK_OPAQUE,

"RemoteSerial",

NULL,

remote_can_do_func,

NULL,

NULL,

remote_sign_func,

NULL,

NULL,

NULL,

NULL,

remote_free,

NULL

};

if ( ctx == NULL )

return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );

601

602

remote.serial_port = serial_port;

603

remote.key_idx = key_idx;

604

ctx->pk_ctx = (void *)&remote;

605

ctx->pk_info = &remote_pk_info;

return( 0 );

}

int setup_opaque_privkey( const char * remote_info, mbedtls_pk_context * ctx )

611

{

612

int key_idx = 0, ret = 0;

613

const char * serial_port = NULL;

614

615

if( parse_remote_info( remote_info, &key_idx, &serial_port ) != 0 )

616

return( -1 );

617

618

ret = mbedtls_pk_remote_setup( ctx, serial_port, key_idx );

619

if( ret != 0 )

620

{

621

mbedtls_printf( " failed\n ! remote pk setup failure \n\n" );

return( ret );

}

return( 0 );

}

#endif /* _WIN32 */

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

629

int write_certificate( mbedtls_x509write_cert *crt, const char *output_file,

Manuel Pégourié-Gonnard

2013-09-12 05:59:05 +0200

[diff] [blame]

630

int (*f_rng)(void *, unsigned char *, size_t),

631

void *p_rng )

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

{

int ret;

FILE *f;

unsigned char output_buf[4096];

636

size_t len = 0;

637

638

memset( output_buf, 0, 4096 );

Hanno Becker

2017-09-13 15:39:59 +0100

[diff] [blame]

639

if( ( ret = mbedtls_x509write_crt_pem( crt, output_buf, 4096,

640

f_rng, p_rng ) ) < 0 )

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

641

return( ret );

642

643

len = strlen( (char *) output_buf );

644

645

if( ( f = fopen( output_file, "w" ) ) == NULL )

646

return( -1 );

647

648

if( fwrite( output_buf, 1, len, f ) != len )

Paul Bakker

0c22610

2014-04-17 16:02:36 +0200

[diff] [blame]

649

{

650

fclose( f );

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

651

return( -1 );

Paul Bakker

0c22610

2014-04-17 16:02:36 +0200

[diff] [blame]

652

}

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

653

Paul Bakker

0c22610

2014-04-17 16:02:36 +0200

[diff] [blame]

654

fclose( f );

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

return( 0 );

}

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

659

int main( int argc, char *argv[] )

660

{

661

int ret = 0;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

662

mbedtls_x509_crt issuer_crt;

663

mbedtls_pk_context loaded_issuer_key, loaded_subject_key;

664

mbedtls_pk_context *issuer_key = &loaded_issuer_key,

Manuel Pégourié-Gonnard

f38e71a

2013-09-12 05:21:54 +0200

[diff] [blame]

665

*subject_key = &loaded_subject_key;

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

666

char buf[1024];

Jonathan Leroy

bbc75d9

2015-10-10 21:58:07 +0200

[diff] [blame]

667

char issuer_name[256];

Paul Bakker

c97f9f6

2013-11-30 15:13:02 +0100

[diff] [blame]

668

int i;

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

669

char *p, *q, *r;

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

670

#if defined(MBEDTLS_X509_CSR_PARSE_C)

Jonathan Leroy

bbc75d9

2015-10-10 21:58:07 +0200

[diff] [blame]

671

char subject_name[256];

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

672

mbedtls_x509_csr csr;

Paul Bakker

7fc7fa6

2013-09-17 14:44:00 +0200

[diff] [blame]

673

#endif

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

674

mbedtls_x509write_cert crt;

675

mbedtls_mpi serial;

676

mbedtls_entropy_context entropy;

677

mbedtls_ctr_drbg_context ctr_drbg;

Manuel Pégourié-Gonnard

2013-09-12 05:59:05 +0200

[diff] [blame]

678

const char *pers = "crt example app";

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

/*

* Set to sane values

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

683

mbedtls_x509write_crt_init( &crt );

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

684

mbedtls_pk_init( &loaded_issuer_key );

685

mbedtls_pk_init( &loaded_subject_key );

686

mbedtls_mpi_init( &serial );

Manuel Pégourié-Gonnard

ec160c0

2015-04-28 22:52:30 +0200

[diff] [blame]

687

mbedtls_ctr_drbg_init( &ctr_drbg );

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

688

#if defined(MBEDTLS_X509_CSR_PARSE_C)

689

mbedtls_x509_csr_init( &csr );

Paul Bakker

7fc7fa6

2013-09-17 14:44:00 +0200

[diff] [blame]

690

#endif

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

691

mbedtls_x509_crt_init( &issuer_crt );

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

692

memset( buf, 0, 1024 );

if( argc == 0 )

{

usage:

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

697

mbedtls_printf( USAGE );

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

ret = 1;

goto exit;

}

Paul Bakker

2013-09-09 13:59:42 +0200

[diff] [blame]

702

opt.issuer_crt = DFL_ISSUER_CRT;

Paul Bakker

2013-09-09 15:52:07 +0200

[diff] [blame]

703

opt.request_file = DFL_REQUEST_FILE;

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

704

opt.subject_key = DFL_SUBJECT_KEY;

705

opt.issuer_key = DFL_ISSUER_KEY;

706

opt.subject_pwd = DFL_SUBJECT_PWD;

707

opt.issuer_pwd = DFL_ISSUER_PWD;

708

opt.output_file = DFL_OUTPUT_FILENAME;

709

opt.subject_name = DFL_SUBJECT_NAME;

710

opt.issuer_name = DFL_ISSUER_NAME;

711

opt.not_before = DFL_NOT_BEFORE;

712

opt.not_after = DFL_NOT_AFTER;

713

opt.serial = DFL_SERIAL;

Paul Bakker

2013-09-09 16:24:18 +0200

[diff] [blame]

714

opt.selfsign = DFL_SELFSIGN;

Paul Bakker

2013-09-06 19:27:21 +0200

[diff] [blame]

715

opt.is_ca = DFL_IS_CA;

716

opt.max_pathlen = DFL_MAX_PATHLEN;

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

717

opt.key_usage = DFL_KEY_USAGE;

718

opt.ns_cert_type = DFL_NS_CERT_TYPE;

Hanno Becker

2017-09-22 15:38:20 +0100

[diff] [blame]

719

opt.version = DFL_VERSION - 1;

Hanno Becker

2017-09-13 12:49:22 +0100

[diff] [blame]

720

opt.md = DFL_DIGEST;

721

opt.subject_identifier = DFL_SUBJ_IDENT;

722

opt.authority_identifier = DFL_AUTH_IDENT;

723

opt.basic_constraints = DFL_CONSTRAINTS;

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

724

725

for( i = 1; i < argc; i++ )

{

p = argv[i];

if( ( q = strchr( p, '=' ) ) == NULL )

goto usage;

*q++ = '\0';

Paul Bakker

2013-09-09 15:52:07 +0200

[diff] [blame]

733

if( strcmp( p, "request_file" ) == 0 )

734

opt.request_file = q;

735

else if( strcmp( p, "subject_key" ) == 0 )

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

736

opt.subject_key = q;

737

else if( strcmp( p, "issuer_key" ) == 0 )

738

opt.issuer_key = q;

739

else if( strcmp( p, "subject_pwd" ) == 0 )

740

opt.subject_pwd = q;

741

else if( strcmp( p, "issuer_pwd" ) == 0 )

742

opt.issuer_pwd = q;

Paul Bakker

2013-09-09 13:59:42 +0200

[diff] [blame]

743

else if( strcmp( p, "issuer_crt" ) == 0 )

744

opt.issuer_crt = q;

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

745

else if( strcmp( p, "output_file" ) == 0 )

746

opt.output_file = q;

747

else if( strcmp( p, "subject_name" ) == 0 )

748

{

749

opt.subject_name = q;

750

}

751

else if( strcmp( p, "issuer_name" ) == 0 )

{

opt.issuer_name = q;

}

else if( strcmp( p, "not_before" ) == 0 )

{

opt.not_before = q;

}

else if( strcmp( p, "not_after" ) == 0 )

{

opt.not_after = q;

}

else if( strcmp( p, "serial" ) == 0 )

764

{

765

opt.serial = q;

766

}

Hanno Becker

2017-09-13 12:49:22 +0100

[diff] [blame]

767

else if( strcmp( p, "authority_identifier" ) == 0 )

768

{

769

opt.authority_identifier = atoi( q );

770

if( opt.authority_identifier != 0 &&

771

opt.authority_identifier != 1 )

772

{

Hanno Becker

2017-10-03 14:56:04 +0100

[diff] [blame]

773

mbedtls_printf( "Invalid argument for option %s\n", p );

Hanno Becker

2017-09-13 12:49:22 +0100

[diff] [blame]

goto usage;

}

}

else if( strcmp( p, "subject_identifier" ) == 0 )

778

{

779

opt.subject_identifier = atoi( q );

780

if( opt.subject_identifier != 0 &&

781

opt.subject_identifier != 1 )

782

{

Hanno Becker

2017-10-03 14:56:04 +0100

[diff] [blame]

783

mbedtls_printf( "Invalid argument for option %s\n", p );

Hanno Becker

2017-09-13 12:49:22 +0100

[diff] [blame]

goto usage;

}

}

else if( strcmp( p, "basic_constraints" ) == 0 )

788

{

789

opt.basic_constraints = atoi( q );

790

if( opt.basic_constraints != 0 &&

791

opt.basic_constraints != 1 )

792

{

Hanno Becker

2017-10-03 14:56:04 +0100

[diff] [blame]

793

mbedtls_printf( "Invalid argument for option %s\n", p );

Hanno Becker

2017-09-13 12:49:22 +0100

[diff] [blame]

goto usage;

}

}

else if( strcmp( p, "md" ) == 0 )

798

{

799

if( strcmp( q, "SHA1" ) == 0 )

800

opt.md = MBEDTLS_MD_SHA1;

801

else if( strcmp( q, "SHA256" ) == 0 )

802

opt.md = MBEDTLS_MD_SHA256;

803

else if( strcmp( q, "SHA512" ) == 0 )

804

opt.md = MBEDTLS_MD_SHA512;

805

else if( strcmp( q, "MD5" ) == 0 )

806

opt.md = MBEDTLS_MD_MD5;

807

else

Hanno Becker

2017-10-03 14:56:04 +0100

[diff] [blame]

808

{

809

mbedtls_printf( "Invalid argument for option %s\n", p );

Hanno Becker

2017-09-13 12:49:22 +0100

[diff] [blame]

810

goto usage;

Hanno Becker

2017-10-03 14:56:04 +0100

[diff] [blame]

811

}

Hanno Becker

2017-09-13 12:49:22 +0100

[diff] [blame]

812

}

813

else if( strcmp( p, "version" ) == 0 )

814

{

815

opt.version = atoi( q );

816

if( opt.version < 1 || opt.version > 3 )

Hanno Becker

2017-10-03 14:56:04 +0100

[diff] [blame]

817

{

818

mbedtls_printf( "Invalid argument for option %s\n", p );

Hanno Becker

2017-09-13 12:49:22 +0100

[diff] [blame]

819

goto usage;

Hanno Becker

2017-10-03 14:56:04 +0100

[diff] [blame]

820

}

Hanno Becker

2017-09-22 15:38:20 +0100

[diff] [blame]

821

opt.version--;

Hanno Becker

2017-09-13 12:49:22 +0100

[diff] [blame]

822

}

Paul Bakker

2013-09-09 16:24:18 +0200

[diff] [blame]

823

else if( strcmp( p, "selfsign" ) == 0 )

824

{

825

opt.selfsign = atoi( q );

826

if( opt.selfsign < 0 || opt.selfsign > 1 )

Hanno Becker

2017-10-03 14:56:04 +0100

[diff] [blame]

827

{

828

mbedtls_printf( "Invalid argument for option %s\n", p );

Paul Bakker

2013-09-09 16:24:18 +0200

[diff] [blame]

829

goto usage;

Hanno Becker

2017-10-03 14:56:04 +0100

[diff] [blame]

830

}

Paul Bakker

2013-09-09 16:24:18 +0200

[diff] [blame]

831

}

Paul Bakker

2013-09-06 19:27:21 +0200

[diff] [blame]

832

else if( strcmp( p, "is_ca" ) == 0 )

833

{

834

opt.is_ca = atoi( q );

835

if( opt.is_ca < 0 || opt.is_ca > 1 )

Hanno Becker

2017-10-03 14:56:04 +0100

[diff] [blame]

836

{

837

mbedtls_printf( "Invalid argument for option %s\n", p );

Paul Bakker

2013-09-06 19:27:21 +0200

[diff] [blame]

838

goto usage;

Hanno Becker

2017-10-03 14:56:04 +0100

[diff] [blame]

839

}

Paul Bakker

2013-09-06 19:27:21 +0200

[diff] [blame]

840

}

841

else if( strcmp( p, "max_pathlen" ) == 0 )

842

{

843

opt.max_pathlen = atoi( q );

844

if( opt.max_pathlen < -1 || opt.max_pathlen > 127 )

Hanno Becker

2017-10-03 14:56:04 +0100

[diff] [blame]

845

{

846

mbedtls_printf( "Invalid argument for option %s\n", p );

Paul Bakker

2013-09-06 19:27:21 +0200

[diff] [blame]

847

goto usage;

Hanno Becker

2017-10-03 14:56:04 +0100

[diff] [blame]

848

}

Paul Bakker

2013-09-06 19:27:21 +0200

[diff] [blame]

849

}

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

850

else if( strcmp( p, "key_usage" ) == 0 )

{

while( q != NULL )

{

if( ( r = strchr( q, ',' ) ) != NULL )

855

*r++ = '\0';

856

857

if( strcmp( q, "digital_signature" ) == 0 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

858

opt.key_usage |= MBEDTLS_X509_KU_DIGITAL_SIGNATURE;

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

859

else if( strcmp( q, "non_repudiation" ) == 0 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

860

opt.key_usage |= MBEDTLS_X509_KU_NON_REPUDIATION;

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

861

else if( strcmp( q, "key_encipherment" ) == 0 )

Manuel Pégourié-Gonnard

2015-04-20 12:19:02 +0100

[diff] [blame]

862

opt.key_usage |= MBEDTLS_X509_KU_KEY_ENCIPHERMENT;

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

863

else if( strcmp( q, "data_encipherment" ) == 0 )

Manuel Pégourié-Gonnard

2015-04-20 12:19:02 +0100

[diff] [blame]

864

opt.key_usage |= MBEDTLS_X509_KU_DATA_ENCIPHERMENT;

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

865

else if( strcmp( q, "key_agreement" ) == 0 )

Manuel Pégourié-Gonnard

2015-04-20 12:19:02 +0100

[diff] [blame]

866

opt.key_usage |= MBEDTLS_X509_KU_KEY_AGREEMENT;

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

867

else if( strcmp( q, "key_cert_sign" ) == 0 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

868

opt.key_usage |= MBEDTLS_X509_KU_KEY_CERT_SIGN;

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

869

else if( strcmp( q, "crl_sign" ) == 0 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

870

opt.key_usage |= MBEDTLS_X509_KU_CRL_SIGN;

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

871

else

Hanno Becker

2017-10-03 14:56:04 +0100

[diff] [blame]

872

{

873

mbedtls_printf( "Invalid argument for option %s\n", p );

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

874

goto usage;

Hanno Becker

2017-10-03 14:56:04 +0100

[diff] [blame]

875

}

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

q = r;

}

}

else if( strcmp( p, "ns_cert_type" ) == 0 )

{

while( q != NULL )

{

if( ( r = strchr( q, ',' ) ) != NULL )

885

*r++ = '\0';

886

887

if( strcmp( q, "ssl_client" ) == 0 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

888

opt.ns_cert_type |= MBEDTLS_X509_NS_CERT_TYPE_SSL_CLIENT;

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

889

else if( strcmp( q, "ssl_server" ) == 0 )

Manuel Pégourié-Gonnard

2015-04-20 12:19:02 +0100

[diff] [blame]

890

opt.ns_cert_type |= MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER;

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

891

else if( strcmp( q, "email" ) == 0 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

892

opt.ns_cert_type |= MBEDTLS_X509_NS_CERT_TYPE_EMAIL;

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

893

else if( strcmp( q, "object_signing" ) == 0 )

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

894

opt.ns_cert_type |= MBEDTLS_X509_NS_CERT_TYPE_OBJECT_SIGNING;

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

895

else if( strcmp( q, "ssl_ca" ) == 0 )

Manuel Pégourié-Gonnard

2015-04-20 12:19:02 +0100

[diff] [blame]

896

opt.ns_cert_type |= MBEDTLS_X509_NS_CERT_TYPE_SSL_CA;

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

897

else if( strcmp( q, "email_ca" ) == 0 )

Manuel Pégourié-Gonnard

2015-04-20 12:19:02 +0100

[diff] [blame]

898

opt.ns_cert_type |= MBEDTLS_X509_NS_CERT_TYPE_EMAIL_CA;

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

899

else if( strcmp( q, "object_signing_ca" ) == 0 )

Manuel Pégourié-Gonnard

2015-04-20 12:19:02 +0100

[diff] [blame]

900

opt.ns_cert_type |= MBEDTLS_X509_NS_CERT_TYPE_OBJECT_SIGNING_CA;

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

901

else

Hanno Becker

2017-10-03 14:56:04 +0100

[diff] [blame]

902

{

903

mbedtls_printf( "Invalid argument for option %s\n", p );

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

904

goto usage;

Hanno Becker

2017-10-03 14:56:04 +0100

[diff] [blame]

905

}

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

q = r;

}

}

else

goto usage;

}

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

914

mbedtls_printf("\n");

Paul Bakker

2013-09-09 13:59:42 +0200

[diff] [blame]

915

Manuel Pégourié-Gonnard

2013-09-12 05:59:05 +0200

[diff] [blame]

916

/*

917

* 0. Seed the PRNG

918

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

919

mbedtls_printf( " . Seeding the random number generator..." );

Manuel Pégourié-Gonnard

2013-09-12 05:59:05 +0200

[diff] [blame]

920

fflush( stdout );

921

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

922

mbedtls_entropy_init( &entropy );

Manuel Pégourié-Gonnard

ec160c0

2015-04-28 22:52:30 +0200

[diff] [blame]

923

if( ( ret = mbedtls_ctr_drbg_seed( &ctr_drbg, mbedtls_entropy_func, &entropy,

Manuel Pégourié-Gonnard

2013-09-12 05:59:05 +0200

[diff] [blame]

924

(const unsigned char *) pers,

925

strlen( pers ) ) ) != 0 )

926

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

927

mbedtls_strerror( ret, buf, 1024 );

Hanno Becker

2017-09-13 15:39:59 +0100

[diff] [blame]

928

mbedtls_printf( " failed\n ! mbedtls_ctr_drbg_seed returned %d - %s\n",

929

ret, buf );

Manuel Pégourié-Gonnard

2013-09-12 05:59:05 +0200

[diff] [blame]

930

goto exit;

931

}

932

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

933

mbedtls_printf( " ok\n" );

Manuel Pégourié-Gonnard

2013-09-12 05:59:05 +0200

[diff] [blame]

934

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

935

// Parse serial to MPI

936

//

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

937

mbedtls_printf( " . Reading serial number..." );

Manuel Pégourié-Gonnard

2013-09-12 05:59:05 +0200

[diff] [blame]

938

fflush( stdout );

939

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

940

if( ( ret = mbedtls_mpi_read_string( &serial, 10, opt.serial ) ) != 0 )

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

941

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

942

mbedtls_strerror( ret, buf, 1024 );

Hanno Becker

2017-09-13 15:39:59 +0100

[diff] [blame]

943

mbedtls_printf( " failed\n ! mbedtls_mpi_read_string "

Hanno Becker

2017-09-22 15:39:02 +0100

[diff] [blame]

944

"returned -0x%04x - %s\n\n", -ret, buf );

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

945

goto exit;

946

}

947

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

948

mbedtls_printf( " ok\n" );

Manuel Pégourié-Gonnard

2013-09-12 05:59:05 +0200

[diff] [blame]

949

Paul Bakker

2013-09-09 13:59:42 +0200

[diff] [blame]

950

// Parse issuer certificate if present

951

//

Paul Bakker

2013-09-09 16:24:18 +0200

[diff] [blame]

952

if( !opt.selfsign && strlen( opt.issuer_crt ) )

Paul Bakker

2013-09-09 13:59:42 +0200

[diff] [blame]

953

{

954

/*

Paul Bakker

2013-09-09 15:52:07 +0200

[diff] [blame]

955

* 1.0.a. Load the certificates

Paul Bakker

2013-09-09 13:59:42 +0200

[diff] [blame]

956

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

957

mbedtls_printf( " . Loading the issuer certificate ..." );

Paul Bakker

2013-09-09 13:59:42 +0200

[diff] [blame]

958

fflush( stdout );

959

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

960

if( ( ret = mbedtls_x509_crt_parse_file( &issuer_crt, opt.issuer_crt ) ) != 0 )

Paul Bakker

2013-09-09 13:59:42 +0200

[diff] [blame]

961

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

962

mbedtls_strerror( ret, buf, 1024 );

Hanno Becker

2017-09-13 15:39:59 +0100

[diff] [blame]

963

mbedtls_printf( " failed\n ! mbedtls_x509_crt_parse_file "

Hanno Becker

2017-09-22 15:39:02 +0100

[diff] [blame]

964

"returned -0x%04x - %s\n\n", -ret, buf );

Paul Bakker

2013-09-09 13:59:42 +0200

[diff] [blame]

965

goto exit;

966

}

967

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

968

ret = mbedtls_x509_dn_gets( issuer_name, sizeof(issuer_name),

Paul Bakker

fdba468

2014-04-25 11:48:35 +0200

[diff] [blame]

969

&issuer_crt.subject );

Paul Bakker

2013-09-09 13:59:42 +0200

[diff] [blame]

970

if( ret < 0 )

971

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

972

mbedtls_strerror( ret, buf, 1024 );

Hanno Becker

2017-09-13 15:39:59 +0100

[diff] [blame]

973

mbedtls_printf( " failed\n ! mbedtls_x509_dn_gets "

Hanno Becker

2017-09-22 15:39:02 +0100

[diff] [blame]

974

"returned -0x%04x - %s\n\n", -ret, buf );

Paul Bakker

2013-09-09 13:59:42 +0200

[diff] [blame]

goto exit;

}

Paul Bakker

2013-09-09 15:52:07 +0200

[diff] [blame]

978

opt.issuer_name = issuer_name;

979

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

980

mbedtls_printf( " ok\n" );

Paul Bakker

2013-09-09 15:52:07 +0200

[diff] [blame]

981

}

982

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

983

#if defined(MBEDTLS_X509_CSR_PARSE_C)

Paul Bakker

2013-09-09 15:52:07 +0200

[diff] [blame]

984

// Parse certificate request if present

985

//

Paul Bakker

2013-09-09 16:24:18 +0200

[diff] [blame]

986

if( !opt.selfsign && strlen( opt.request_file ) )

Paul Bakker

2013-09-09 15:52:07 +0200

[diff] [blame]

987

{

988

/*

989

* 1.0.b. Load the CSR

990

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

991

mbedtls_printf( " . Loading the certificate request ..." );

Paul Bakker

2013-09-09 15:52:07 +0200

[diff] [blame]

992

fflush( stdout );

993

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

994

if( ( ret = mbedtls_x509_csr_parse_file( &csr, opt.request_file ) ) != 0 )

Paul Bakker

2013-09-09 15:52:07 +0200

[diff] [blame]

995

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

996

mbedtls_strerror( ret, buf, 1024 );

Hanno Becker

2017-09-13 15:39:59 +0100

[diff] [blame]

997

mbedtls_printf( " failed\n ! mbedtls_x509_csr_parse_file "

Hanno Becker

2017-09-22 15:39:02 +0100

[diff] [blame]

998

"returned -0x%04x - %s\n\n", -ret, buf );

Paul Bakker

2013-09-09 15:52:07 +0200

[diff] [blame]

999

goto exit;

1000

}

1001

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1002

ret = mbedtls_x509_dn_gets( subject_name, sizeof(subject_name),

Paul Bakker

2013-09-09 15:52:07 +0200

[diff] [blame]

1003

&csr.subject );

1004

if( ret < 0 )

1005

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1006

mbedtls_strerror( ret, buf, 1024 );

Hanno Becker

2017-09-13 15:39:59 +0100

[diff] [blame]

1007

mbedtls_printf( " failed\n ! mbedtls_x509_dn_gets "

Hanno Becker

2017-09-22 15:39:02 +0100

[diff] [blame]

1008

"returned -0x%04x - %s\n\n", -ret, buf );

Paul Bakker

2013-09-09 15:52:07 +0200

[diff] [blame]

goto exit;

}

opt.subject_name = subject_name;

Manuel Pégourié-Gonnard

f38e71a

2013-09-12 05:21:54 +0200

[diff] [blame]

1013

subject_key = &csr.pk;

Paul Bakker

2013-09-09 15:52:07 +0200

[diff] [blame]

1014

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1015

mbedtls_printf( " ok\n" );

Paul Bakker

2013-09-09 16:24:18 +0200

[diff] [blame]

1016

}

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1017

#endif /* MBEDTLS_X509_CSR_PARSE_C */

Paul Bakker

2013-09-09 16:24:18 +0200

[diff] [blame]

/*

* 1.1. Load the keys

*/

if( !opt.selfsign && !strlen( opt.request_file ) )

1023

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1024

mbedtls_printf( " . Loading the subject key ..." );

Paul Bakker

2013-09-09 16:24:18 +0200

[diff] [blame]

1025

fflush( stdout );

1026

Azim Khan

2018-02-21 01:05:21 +0000

[diff] [blame^]

1027

#if defined(_WIN32)

Azim Khan

2018-02-07 11:11:17 +0000

[diff] [blame]

1028

if ( is_remote_key( opt.subject_key ) )

Paul Bakker

2013-09-09 15:52:07 +0200

[diff] [blame]

1029

{

Azim Khan

2018-02-07 11:11:17 +0000

[diff] [blame]

1030

ret = load_pubkey_from_remote( opt.subject_key, &loaded_subject_key );

if ( ret != 0 )

goto exit;

}

else

Azim Khan

2018-02-21 01:05:21 +0000

[diff] [blame^]

1035

#endif

Azim Khan

2018-02-07 11:11:17 +0000

[diff] [blame]

1036

{

1037

ret = mbedtls_pk_parse_keyfile( &loaded_subject_key, opt.subject_key,

opt.subject_pwd );

if( ret != 0 )

{

mbedtls_strerror( ret, buf, 1024 );

1042

mbedtls_printf( " failed\n ! mbedtls_pk_parse_keyfile "

1043

"returned -0x%04x - %s\n\n", -ret, buf );

1044

goto exit;

1045

}

Paul Bakker

2013-09-09 15:52:07 +0200

[diff] [blame]

1046

}

Paul Bakker

2013-09-09 13:59:42 +0200

[diff] [blame]

1047

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1048

mbedtls_printf( " ok\n" );

Paul Bakker

2013-09-09 13:59:42 +0200

[diff] [blame]

1049

}

1050

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1051

mbedtls_printf( " . Loading the issuer key ..." );

Paul Bakker

2013-09-09 16:24:18 +0200

[diff] [blame]

1052

fflush( stdout );

1053

Azim Khan

2018-02-21 01:05:21 +0000

[diff] [blame^]

1054

#if defined(_WIN32)

Azim Khan

2018-02-07 11:11:17 +0000

[diff] [blame]

1055

if ( is_remote_key( opt.issuer_key ) )

1056

{

1057

ret = setup_opaque_privkey( opt.issuer_key, &loaded_issuer_key );

if ( ret != 0 )

goto exit;

}

else

Azim Khan

2018-02-21 01:05:21 +0000

[diff] [blame^]

1062

#endif

Azim Khan

2018-02-07 11:11:17 +0000

[diff] [blame]

1063

{

1064

ret = mbedtls_pk_parse_keyfile( &loaded_issuer_key, opt.issuer_key,

opt.issuer_pwd );

}

Paul Bakker

2013-09-09 16:24:18 +0200

[diff] [blame]

1068

if( ret != 0 )

1069

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1070

mbedtls_strerror( ret, buf, 1024 );

Hanno Becker

2017-09-13 15:39:59 +0100

[diff] [blame]

1071

mbedtls_printf( " failed\n ! mbedtls_pk_parse_keyfile "

1072

"returned -x%02x - %s\n\n", -ret, buf );

Paul Bakker

2013-09-09 16:24:18 +0200

[diff] [blame]

goto exit;

}

// Check if key and issuer certificate match

1077

//

1078

if( strlen( opt.issuer_crt ) )

1079

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1080

if( !mbedtls_pk_can_do( &issuer_crt.pk, MBEDTLS_PK_RSA ) ||

1081

mbedtls_mpi_cmp_mpi( &mbedtls_pk_rsa( issuer_crt.pk )->N,

1082

&mbedtls_pk_rsa( *issuer_key )->N ) != 0 ||

1083

mbedtls_mpi_cmp_mpi( &mbedtls_pk_rsa( issuer_crt.pk )->E,

1084

&mbedtls_pk_rsa( *issuer_key )->E ) != 0 )

Paul Bakker

2013-09-09 16:24:18 +0200

[diff] [blame]

1085

{

Hanno Becker

2017-09-13 15:39:59 +0100

[diff] [blame]

1086

mbedtls_printf( " failed\n ! issuer_key does not match "

1087

"issuer certificate\n\n" );

Paul Bakker

2013-09-09 16:24:18 +0200

[diff] [blame]

ret = -1;

goto exit;

}

}

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1093

mbedtls_printf( " ok\n" );

Paul Bakker

2013-09-09 16:24:18 +0200

[diff] [blame]

1094

1095

if( opt.selfsign )

1096

{

Paul Bakker

93c6aa4

2013-10-28 22:28:09 +0100

[diff] [blame]

1097

opt.subject_name = opt.issuer_name;

Manuel Pégourié-Gonnard

f38e71a

2013-09-12 05:21:54 +0200

[diff] [blame]

1098

subject_key = issuer_key;

Paul Bakker

2013-09-09 16:24:18 +0200

[diff] [blame]

1099

}

1100

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1101

mbedtls_x509write_crt_set_subject_key( &crt, subject_key );

1102

mbedtls_x509write_crt_set_issuer_key( &crt, issuer_key );

Paul Bakker

2013-09-09 16:24:18 +0200

[diff] [blame]

1103

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

1104

/*

1105

* 1.0. Check the names for validity

1106

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1107

if( ( ret = mbedtls_x509write_crt_set_subject_name( &crt, opt.subject_name ) ) != 0 )

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

1108

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1109

mbedtls_strerror( ret, buf, 1024 );

Hanno Becker

2017-09-13 15:39:59 +0100

[diff] [blame]

1110

mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_subject_name "

Hanno Becker

2017-09-22 15:39:02 +0100

[diff] [blame]

1111

"returned -0x%04x - %s\n\n", -ret, buf );

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

1112

goto exit;

1113

}

1114

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1115

if( ( ret = mbedtls_x509write_crt_set_issuer_name( &crt, opt.issuer_name ) ) != 0 )

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

1116

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1117

mbedtls_strerror( ret, buf, 1024 );

Hanno Becker

2017-09-13 15:39:59 +0100

[diff] [blame]

1118

mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_issuer_name "

Hanno Becker

2017-09-22 15:39:02 +0100

[diff] [blame]

1119

"returned -0x%04x - %s\n\n", -ret, buf );

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

1120

goto exit;

1121

}

1122

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1123

mbedtls_printf( " . Setting certificate values ..." );

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

1124

fflush( stdout );

1125

Hanno Becker

2017-09-22 15:38:20 +0100

[diff] [blame]

1126

mbedtls_x509write_crt_set_version( &crt, opt.version );

Hanno Becker

2017-09-13 12:49:22 +0100

[diff] [blame]

1127

mbedtls_x509write_crt_set_md_alg( &crt, opt.md );

1128

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1129

ret = mbedtls_x509write_crt_set_serial( &crt, &serial );

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

1130

if( ret != 0 )

1131

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1132

mbedtls_strerror( ret, buf, 1024 );

Hanno Becker

2017-09-13 15:39:59 +0100

[diff] [blame]

1133

mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_serial "

Hanno Becker

2017-09-22 15:39:02 +0100

[diff] [blame]

1134

"returned -0x%04x - %s\n\n", -ret, buf );

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

1135

goto exit;

1136

}

1137

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1138

ret = mbedtls_x509write_crt_set_validity( &crt, opt.not_before, opt.not_after );

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

1139

if( ret != 0 )

1140

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1141

mbedtls_strerror( ret, buf, 1024 );

Hanno Becker

2017-09-13 15:39:59 +0100

[diff] [blame]

1142

mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_validity "

Hanno Becker

2017-09-22 15:39:02 +0100

[diff] [blame]

1143

"returned -0x%04x - %s\n\n", -ret, buf );

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

1144

goto exit;

1145

}

1146

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1147

mbedtls_printf( " ok\n" );

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

1148

Hanno Becker

2017-09-22 15:38:20 +0100

[diff] [blame]

1149

if( opt.version == MBEDTLS_X509_CRT_VERSION_3 &&

1150

opt.basic_constraints != 0 )

Paul Bakker

2013-09-06 19:27:21 +0200

[diff] [blame]

1151

{

Hanno Becker

2017-09-13 12:49:22 +0100

[diff] [blame]

1152

mbedtls_printf( " . Adding the Basic Constraints extension ..." );

1153

fflush( stdout );

Paul Bakker

2013-09-06 19:27:21 +0200

[diff] [blame]

1154

Hanno Becker

2017-09-13 12:49:22 +0100

[diff] [blame]

1155

ret = mbedtls_x509write_crt_set_basic_constraints( &crt, opt.is_ca,

opt.max_pathlen );

if( ret != 0 )

{

mbedtls_strerror( ret, buf, 1024 );

1160

mbedtls_printf( " failed\n ! x509write_crt_set_basic_contraints "

Hanno Becker

2017-09-22 15:39:02 +0100

[diff] [blame]

1161

"returned -0x%04x - %s\n\n", -ret, buf );

Hanno Becker

2017-09-13 12:49:22 +0100

[diff] [blame]

goto exit;

}

mbedtls_printf( " ok\n" );

1166

}

Paul Bakker

2013-09-06 19:27:21 +0200

[diff] [blame]

1167

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1168

#if defined(MBEDTLS_SHA1_C)

Hanno Becker

2017-09-22 15:38:20 +0100

[diff] [blame]

1169

if( opt.version == MBEDTLS_X509_CRT_VERSION_3 &&

1170

opt.subject_identifier != 0 )

Paul Bakker

2013-09-06 19:27:21 +0200

[diff] [blame]

1171

{

Hanno Becker

2017-09-13 12:49:22 +0100

[diff] [blame]

1172

mbedtls_printf( " . Adding the Subject Key Identifier ..." );

1173

fflush( stdout );

1174

1175

ret = mbedtls_x509write_crt_set_subject_key_identifier( &crt );

1176

if( ret != 0 )

1177

{

1178

mbedtls_strerror( ret, buf, 1024 );

1179

mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_subject"

Hanno Becker

2017-09-22 15:39:02 +0100

[diff] [blame]

1180

"_key_identifier returned -0x%04x - %s\n\n",

Hanno Becker

2017-09-13 12:49:22 +0100

[diff] [blame]

-ret, buf );

goto exit;

}

mbedtls_printf( " ok\n" );

Paul Bakker

2013-09-06 19:27:21 +0200

[diff] [blame]

1186

}

1187

Hanno Becker

2017-09-22 15:38:20 +0100

[diff] [blame]

1188

if( opt.version == MBEDTLS_X509_CRT_VERSION_3 &&

1189

opt.authority_identifier != 0 )

Paul Bakker

2013-09-06 19:27:21 +0200

[diff] [blame]

1190

{

Hanno Becker

2017-09-13 12:49:22 +0100

[diff] [blame]

1191

mbedtls_printf( " . Adding the Authority Key Identifier ..." );

1192

fflush( stdout );

Paul Bakker

2013-09-06 19:27:21 +0200

[diff] [blame]

1193

Hanno Becker

2017-09-13 12:49:22 +0100

[diff] [blame]

1194

ret = mbedtls_x509write_crt_set_authority_key_identifier( &crt );

1195

if( ret != 0 )

1196

{

1197

mbedtls_strerror( ret, buf, 1024 );

1198

mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_authority_"

Hanno Becker

2017-09-22 15:39:02 +0100

[diff] [blame]

1199

"key_identifier returned -0x%04x - %s\n\n",

Hanno Becker

2017-09-13 12:49:22 +0100

[diff] [blame]

-ret, buf );

goto exit;

}

mbedtls_printf( " ok\n" );

1205

}

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1206

#endif /* MBEDTLS_SHA1_C */

Paul Bakker

2013-09-06 19:27:21 +0200

[diff] [blame]

1207

Hanno Becker

2017-09-22 15:38:20 +0100

[diff] [blame]

1208

if( opt.version == MBEDTLS_X509_CRT_VERSION_3 &&

1209

opt.key_usage != 0 )

Paul Bakker

2013-09-09 12:37:54 +0200

[diff] [blame]

1210

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1211

mbedtls_printf( " . Adding the Key Usage extension ..." );

Paul Bakker

2013-09-09 12:37:54 +0200

[diff] [blame]

1212

fflush( stdout );

1213

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1214

ret = mbedtls_x509write_crt_set_key_usage( &crt, opt.key_usage );

Paul Bakker

2013-09-09 12:37:54 +0200

[diff] [blame]

1215

if( ret != 0 )

1216

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1217

mbedtls_strerror( ret, buf, 1024 );

Hanno Becker

2017-09-13 15:39:59 +0100

[diff] [blame]

1218

mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_key_usage "

Hanno Becker

2017-09-22 15:39:02 +0100

[diff] [blame]

1219

"returned -0x%04x - %s\n\n", -ret, buf );

Paul Bakker

2013-09-09 12:37:54 +0200

[diff] [blame]

1220

goto exit;

1221

}

1222

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1223

mbedtls_printf( " ok\n" );

Paul Bakker

2013-09-09 12:37:54 +0200

[diff] [blame]

1224

}

1225

Hanno Becker

2017-09-22 15:38:20 +0100

[diff] [blame]

1226

if( opt.version == MBEDTLS_X509_CRT_VERSION_3 &&

1227

opt.ns_cert_type != 0 )

Paul Bakker

2013-09-09 12:37:54 +0200

[diff] [blame]

1228

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1229

mbedtls_printf( " . Adding the NS Cert Type extension ..." );

Paul Bakker

2013-09-09 12:37:54 +0200

[diff] [blame]

1230

fflush( stdout );

1231

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1232

ret = mbedtls_x509write_crt_set_ns_cert_type( &crt, opt.ns_cert_type );

Paul Bakker

2013-09-09 12:37:54 +0200

[diff] [blame]

1233

if( ret != 0 )

1234

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1235

mbedtls_strerror( ret, buf, 1024 );

Hanno Becker

2017-09-13 15:39:59 +0100

[diff] [blame]

1236

mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_ns_cert_type "

Hanno Becker

2017-09-22 15:39:02 +0100

[diff] [blame]

1237

"returned -0x%04x - %s\n\n", -ret, buf );

Paul Bakker

2013-09-09 12:37:54 +0200

[diff] [blame]

1238

goto exit;

1239

}

1240

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1241

mbedtls_printf( " ok\n" );

Paul Bakker

2013-09-09 12:37:54 +0200

[diff] [blame]

1242

}

1243

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

1244

/*

1245

* 1.2. Writing the request

1246

*/

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1247

mbedtls_printf( " . Writing the certificate..." );

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

1248

fflush( stdout );

1249

Manuel Pégourié-Gonnard

2013-09-12 05:59:05 +0200

[diff] [blame]

1250

if( ( ret = write_certificate( &crt, opt.output_file,

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1251

mbedtls_ctr_drbg_random, &ctr_drbg ) ) != 0 )

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

1252

{

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1253

mbedtls_strerror( ret, buf, 1024 );

Hanno Becker

2017-09-22 15:39:02 +0100

[diff] [blame]

1254

mbedtls_printf( " failed\n ! write_certificate -0x%04x - %s\n\n",

Hanno Becker

2017-09-13 15:39:59 +0100

[diff] [blame]

1255

-ret, buf );

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

1256

goto exit;

1257

}

1258

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1259

mbedtls_printf( " ok\n" );

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

1260

1261

exit:

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1262

mbedtls_x509write_crt_free( &crt );

1263

mbedtls_pk_free( &loaded_subject_key );

Azim Khan

2018-02-21 01:05:21 +0000

[diff] [blame^]

1264

mbedtls_pk_free( &loaded_issuer_key );

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1265

mbedtls_mpi_free( &serial );

1266

mbedtls_ctr_drbg_free( &ctr_drbg );

1267

mbedtls_entropy_free( &entropy );

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

1268

1269

#if defined(_WIN32)

Manuel Pégourié-Gonnard

2015-04-08 12:49:31 +0200

[diff] [blame]

1270

mbedtls_printf( " + Press Enter to exit this program.\n" );

Paul Bakker

2013-09-06 09:55:26 +0200

[diff] [blame]

1271

fflush( stdout ); getchar();

#endif

return( ret );

}

Azim Khan

2018-02-07 11:11:17 +0000

[diff] [blame]

1276

Manuel Pégourié-Gonnard