lib/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-08-01 10:06:53 +03:00
Code Activity

Merge pull request #6121 from daverodgman/pr277

Browse Source 
cert_write - add a way to set extended key usages - rebase
This commit is contained in:
Dave Rodgman
2022-10-31 13:27:49 +00:00
committed by GitHub
parent 7d8b3c9342 b3166f4b2f
commit 55fd0b9fc1
8 changed files with 275 additions and 45 deletions
Download Patch File Download Diff File Expand all files Collapse all files

147
programs/x509/cert_write.c
View File

@ -38,6 +38,7 @@ int main( void )
#include "mbedtls/x509_crt.h"
#include "mbedtls/x509_csr.h"
#include "mbedtls/oid.h"
#include "mbedtls/entropy.h"
#include "mbedtls/ctr_drbg.h"
#include "mbedtls/md.h"
@ -47,6 +48,9 @@ int main( void )
#include <stdlib.h>
#include <string.h>
#define SET_OID(x, oid) \
do { x.len = MBEDTLS_OID_SIZE(oid); x.p = (unsigned char*)oid; } while( 0 )
#if defined(MBEDTLS_X509_CSR_PARSE_C)
#define USAGE_CSR \
" request_file=%%s default: (empty)\n" \
@ -56,6 +60,9 @@ int main( void )
#define USAGE_CSR ""
#endif /* MBEDTLS_X509_CSR_PARSE_C */
#define FORMAT_PEM 0
#define FORMAT_DER 1
#define DFL_ISSUER_CRT ""
#define DFL_REQUEST_FILE ""
#define DFL_SUBJECT_KEY "subject.key"
@ -71,13 +78,16 @@ int main( void )
#define DFL_SELFSIGN 0
#define DFL_IS_CA 0
#define DFL_MAX_PATHLEN -1
#define DFL_SIG_ALG MBEDTLS_MD_SHA256
#define DFL_KEY_USAGE 0
#define DFL_EXT_KEY_USAGE NULL
#define DFL_NS_CERT_TYPE 0
#define DFL_VERSION 3
#define DFL_AUTH_IDENT 1
#define DFL_SUBJ_IDENT 1
#define DFL_CONSTRAINTS 1
#define DFL_DIGEST MBEDTLS_MD_SHA256
#define DFL_FORMAT FORMAT_PEM
#define USAGE \
"\n usage: cert_write param=<>...\n" \
@ -129,6 +139,14 @@ int main( void )
" key_cert_sign\n" \
" crl_sign\n" \
" (Considered for v3 only)\n"\
" ext_key_usage=%%s default: (empty)\n" \
" Comma-separated-list of values:\n" \
" serverAuth\n" \
" clientAuth\n" \
" codeSigning\n" \
" emailProtection\n" \
" timeStamping\n" \
" OCSPSigning\n" \
" ns_cert_type=%%s default: (empty)\n" \
" Comma-separated-list of values:\n" \
" ssl_client\n" \
@ -138,6 +156,7 @@ int main( void )
" ssl_ca\n" \
" email_ca\n" \
" object_signing_ca\n" \
" format=pem|der default: pem\n" \
"\n"
@ -167,7 +186,9 @@ struct options
int version; /* CRT version */
mbedtls_md_type_t md; /* Hash used for signing */
unsigned char key_usage; /* key usage flags */
mbedtls_asn1_sequence *ext_key_usage; /* extended key usages */
unsigned char ns_cert_type; /* NS cert type */
int format; /* format */
} opt;
int write_certificate( mbedtls_x509write_cert *crt, const char *output_file,
@ -177,19 +198,33 @@ int write_certificate( mbedtls_x509write_cert *crt, const char *output_file,
int ret;
FILE *f;
unsigned char output_buf[4096];
unsigned char *output_start;
size_t len = 0;
memset( output_buf, 0, 4096 );
if( ( ret = mbedtls_x509write_crt_pem( crt, output_buf, 4096,
f_rng, p_rng ) ) < 0 )
return( ret );
if ( opt.format == FORMAT_DER )
{
ret = mbedtls_x509write_crt_der( crt, output_buf, 4096,
f_rng, p_rng );
if( ret < 0 )
return( ret );
len = strlen( (char *) output_buf );
len = ret;
output_start = output_buf + 4096 - len;
} else {
ret = mbedtls_x509write_crt_pem( crt, output_buf, 4096,
f_rng, p_rng );
if( ret < 0 )
return( ret );
len = strlen( (char *) output_buf );
output_start = output_buf;
}
if( ( f = fopen( output_file, "w" ) ) == NULL )
return( -1 );
if( fwrite( output_buf, 1, len, f ) != len )
if( fwrite( output_start, 1, len, f ) != len )
{
fclose( f );
return( -1 );
@ -218,6 +253,7 @@ int main( int argc, char *argv[] )
#endif
mbedtls_x509write_cert crt;
mbedtls_mpi serial;
mbedtls_asn1_sequence *ext_key_usage;
mbedtls_entropy_context entropy;
mbedtls_ctr_drbg_context ctr_drbg;
const char *pers = "crt example app";
@ -235,7 +271,7 @@ int main( int argc, char *argv[] )
mbedtls_x509_csr_init( &csr );
#endif
mbedtls_x509_crt_init( &issuer_crt );
memset( buf, 0, 1024 );
memset( buf, 0, sizeof(buf) );
if( argc == 0 )
{
@ -260,12 +296,14 @@ int main( int argc, char *argv[] )
opt.is_ca = DFL_IS_CA;
opt.max_pathlen = DFL_MAX_PATHLEN;
opt.key_usage = DFL_KEY_USAGE;
opt.ext_key_usage = DFL_EXT_KEY_USAGE;
opt.ns_cert_type = DFL_NS_CERT_TYPE;
opt.version = DFL_VERSION - 1;
opt.md = DFL_DIGEST;
opt.subject_identifier = DFL_SUBJ_IDENT;
opt.authority_identifier = DFL_AUTH_IDENT;
opt.basic_constraints = DFL_CONSTRAINTS;
opt.format = DFL_FORMAT;
for( i = 1; i < argc; i++ )
{
@ -417,6 +455,41 @@ int main( int argc, char *argv[] )
q = r;
}
}
else if( strcmp( p, "ext_key_usage" ) == 0 )
{
mbedtls_asn1_sequence **tail = &opt.ext_key_usage;
while( q != NULL )
{
if( ( r = strchr( q, ',' ) ) != NULL )
*r++ = '\0';
ext_key_usage = mbedtls_calloc( 1, sizeof(mbedtls_asn1_sequence) );
ext_key_usage->buf.tag = MBEDTLS_ASN1_OID;
if( strcmp( q, "serverAuth" ) == 0 )
SET_OID( ext_key_usage->buf, MBEDTLS_OID_SERVER_AUTH );
else if( strcmp( q, "clientAuth" ) == 0 )
SET_OID( ext_key_usage->buf, MBEDTLS_OID_CLIENT_AUTH );
else if( strcmp( q, "codeSigning" ) == 0 )
SET_OID( ext_key_usage->buf, MBEDTLS_OID_CODE_SIGNING );
else if( strcmp( q, "emailProtection" ) == 0 )
SET_OID( ext_key_usage->buf, MBEDTLS_OID_EMAIL_PROTECTION );
else if( strcmp( q, "timeStamping" ) == 0 )
SET_OID( ext_key_usage->buf, MBEDTLS_OID_TIME_STAMPING );
else if( strcmp( q, "OCSPSigning" ) == 0 )
SET_OID( ext_key_usage->buf, MBEDTLS_OID_OCSP_SIGNING );
else
{
mbedtls_printf( "Invalid argument for option %s\n", p );
goto usage;
}
*tail = ext_key_usage;
tail = &ext_key_usage->next;
q = r;
}
}
else if( strcmp( p, "ns_cert_type" ) == 0 )
{
while( q != NULL )
@ -447,6 +520,16 @@ int main( int argc, char *argv[] )
q = r;
}
}
else if( strcmp( p, "format" ) == 0 )
{
if ( strcmp(q, "der" ) == 0 ) opt.format = FORMAT_DER;
else if ( strcmp(q, "pem" ) == 0 ) opt.format = FORMAT_PEM;
else
{
mbedtls_printf( "Invalid argument for option %s\n", p );
goto usage;
}
}
else
goto usage;
}
@ -463,7 +546,7 @@ int main( int argc, char *argv[] )
(const unsigned char *) pers,
strlen( pers ) ) ) != 0 )
{
mbedtls_strerror( ret, buf, 1024 );
mbedtls_strerror( ret, buf, sizeof(buf) );
mbedtls_printf( " failed\n ! mbedtls_ctr_drbg_seed returned %d - %s\n",
ret, buf );
goto exit;
@ -478,7 +561,7 @@ int main( int argc, char *argv[] )
if( ( ret = mbedtls_mpi_read_string( &serial, 10, opt.serial ) ) != 0 )
{
mbedtls_strerror( ret, buf, 1024 );
mbedtls_strerror( ret, buf, sizeof(buf) );
mbedtls_printf( " failed\n ! mbedtls_mpi_read_string "
"returned -0x%04x - %s\n\n", (unsigned int) -ret, buf );
goto exit;
@ -498,7 +581,7 @@ int main( int argc, char *argv[] )
if( ( ret = mbedtls_x509_crt_parse_file( &issuer_crt, opt.issuer_crt ) ) != 0 )
{
mbedtls_strerror( ret, buf, 1024 );
mbedtls_strerror( ret, buf, sizeof(buf) );
mbedtls_printf( " failed\n ! mbedtls_x509_crt_parse_file "
"returned -0x%04x - %s\n\n", (unsigned int) -ret, buf );
goto exit;
@ -508,7 +591,7 @@ int main( int argc, char *argv[] )
&issuer_crt.subject );
if( ret < 0 )
{
mbedtls_strerror( ret, buf, 1024 );
mbedtls_strerror( ret, buf, sizeof(buf) );
mbedtls_printf( " failed\n ! mbedtls_x509_dn_gets "
"returned -0x%04x - %s\n\n", (unsigned int) -ret, buf );
goto exit;
@ -532,7 +615,7 @@ int main( int argc, char *argv[] )
if( ( ret = mbedtls_x509_csr_parse_file( &csr, opt.request_file ) ) != 0 )
{
mbedtls_strerror( ret, buf, 1024 );
mbedtls_strerror( ret, buf, sizeof(buf) );
mbedtls_printf( " failed\n ! mbedtls_x509_csr_parse_file "
"returned -0x%04x - %s\n\n", (unsigned int) -ret, buf );
goto exit;
@ -542,7 +625,7 @@ int main( int argc, char *argv[] )
&csr.subject );
if( ret < 0 )
{
mbedtls_strerror( ret, buf, 1024 );
mbedtls_strerror( ret, buf, sizeof(buf) );
mbedtls_printf( " failed\n ! mbedtls_x509_dn_gets "
"returned -0x%04x - %s\n\n", (unsigned int) -ret, buf );
goto exit;
@ -567,7 +650,7 @@ int main( int argc, char *argv[] )
opt.subject_pwd, mbedtls_ctr_drbg_random, &ctr_drbg );
if( ret != 0 )
{
mbedtls_strerror( ret, buf, 1024 );
mbedtls_strerror( ret, buf, sizeof(buf) );
mbedtls_printf( " failed\n ! mbedtls_pk_parse_keyfile "
"returned -0x%04x - %s\n\n", (unsigned int) -ret, buf );
goto exit;
@ -583,7 +666,7 @@ int main( int argc, char *argv[] )
opt.issuer_pwd, mbedtls_ctr_drbg_random, &ctr_drbg );
if( ret != 0 )
{
mbedtls_strerror( ret, buf, 1024 );
mbedtls_strerror( ret, buf, sizeof(buf) );
mbedtls_printf( " failed\n ! mbedtls_pk_parse_keyfile "
"returned -x%02x - %s\n\n", (unsigned int) -ret, buf );
goto exit;
@ -618,7 +701,7 @@ int main( int argc, char *argv[] )
*/
if( ( ret = mbedtls_x509write_crt_set_subject_name( &crt, opt.subject_name ) ) != 0 )
{
mbedtls_strerror( ret, buf, 1024 );
mbedtls_strerror( ret, buf, sizeof(buf) );
mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_subject_name "
"returned -0x%04x - %s\n\n", (unsigned int) -ret, buf );
goto exit;
@ -626,7 +709,7 @@ int main( int argc, char *argv[] )
if( ( ret = mbedtls_x509write_crt_set_issuer_name( &crt, opt.issuer_name ) ) != 0 )
{
mbedtls_strerror( ret, buf, 1024 );
mbedtls_strerror( ret, buf, sizeof(buf) );
mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_issuer_name "
"returned -0x%04x - %s\n\n", (unsigned int) -ret, buf );
goto exit;
@ -641,7 +724,7 @@ int main( int argc, char *argv[] )
ret = mbedtls_x509write_crt_set_serial( &crt, &serial );
if( ret != 0 )
{
mbedtls_strerror( ret, buf, 1024 );
mbedtls_strerror( ret, buf, sizeof(buf) );
mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_serial "
"returned -0x%04x - %s\n\n", (unsigned int) -ret, buf );
goto exit;
@ -650,7 +733,7 @@ int main( int argc, char *argv[] )
ret = mbedtls_x509write_crt_set_validity( &crt, opt.not_before, opt.not_after );
if( ret != 0 )
{
mbedtls_strerror( ret, buf, 1024 );
mbedtls_strerror( ret, buf, sizeof(buf) );
mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_validity "
"returned -0x%04x - %s\n\n", (unsigned int) -ret, buf );
goto exit;
@ -668,7 +751,7 @@ int main( int argc, char *argv[] )
opt.max_pathlen );
if( ret != 0 )
{
mbedtls_strerror( ret, buf, 1024 );
mbedtls_strerror( ret, buf, sizeof(buf) );
mbedtls_printf( " failed\n ! x509write_crt_set_basic_contraints "
"returned -0x%04x - %s\n\n", (unsigned int) -ret, buf );
goto exit;
@ -687,7 +770,7 @@ int main( int argc, char *argv[] )
ret = mbedtls_x509write_crt_set_subject_key_identifier( &crt );
if( ret != 0 )
{
mbedtls_strerror( ret, buf, 1024 );
mbedtls_strerror( ret, buf, sizeof(buf) );
mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_subject"
"_key_identifier returned -0x%04x - %s\n\n",
(unsigned int) -ret, buf );
@ -706,7 +789,7 @@ int main( int argc, char *argv[] )
ret = mbedtls_x509write_crt_set_authority_key_identifier( &crt );
if( ret != 0 )
{
mbedtls_strerror( ret, buf, 1024 );
mbedtls_strerror( ret, buf, sizeof(buf) );
mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_authority_"
"key_identifier returned -0x%04x - %s\n\n",
(unsigned int) -ret, buf );
@ -726,7 +809,7 @@ int main( int argc, char *argv[] )
ret = mbedtls_x509write_crt_set_key_usage( &crt, opt.key_usage );
if( ret != 0 )
{
mbedtls_strerror( ret, buf, 1024 );
mbedtls_strerror( ret, buf, sizeof(buf) );
mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_key_usage "
"returned -0x%04x - %s\n\n", (unsigned int) -ret, buf );
goto exit;
@ -735,6 +818,22 @@ int main( int argc, char *argv[] )
mbedtls_printf( " ok\n" );
}
if( opt.ext_key_usage )
{
mbedtls_printf( " . Adding the Extended Key Usage extension ..." );
fflush( stdout );
ret = mbedtls_x509write_crt_set_ext_key_usage( &crt, opt.ext_key_usage );
if( ret != 0 )
{
mbedtls_strerror( ret, buf, sizeof(buf) );
mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_ext_key_usage returned -0x%02x - %s\n\n", (unsigned int) -ret, buf );
goto exit;
}
mbedtls_printf( " ok\n" );
}
if( opt.version == MBEDTLS_X509_CRT_VERSION_3 &&
opt.ns_cert_type != 0 )
{
@ -744,7 +843,7 @@ int main( int argc, char *argv[] )
ret = mbedtls_x509write_crt_set_ns_cert_type( &crt, opt.ns_cert_type );
if( ret != 0 )
{
mbedtls_strerror( ret, buf, 1024 );
mbedtls_strerror( ret, buf, sizeof(buf) );
mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_ns_cert_type "
"returned -0x%04x - %s\n\n", (unsigned int) -ret, buf );
goto exit;
@ -762,7 +861,7 @@ int main( int argc, char *argv[] )
if( ( ret = write_certificate( &crt, opt.output_file,
mbedtls_ctr_drbg_random, &ctr_drbg ) ) != 0 )
{
mbedtls_strerror( ret, buf, 1024 );
mbedtls_strerror( ret, buf, sizeof(buf) );
mbedtls_printf( " failed\n ! write_certificate -0x%04x - %s\n\n",
(unsigned int) -ret, buf );
goto exit;