2 * Copyright (C) 2009 Martin Willi
3 * Copyright (C) 2015-2017 Andreas Steffen
4 * HSR Hochschule fuer Technik Rapperswil
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
22 #include <collections/linked_list.h>
23 #include <credentials/certificates/certificate.h>
24 #include <credentials/certificates/x509.h>
25 #include <selectors/traffic_selector.h>
26 #include <asn1/asn1.h>
29 * Free cert policy with OID
31 static void destroy_cert_policy(x509_cert_policy_t
*policy
)
33 free(policy
->oid
.ptr
);
40 static void destroy_policy_mapping(x509_policy_mapping_t
*mapping
)
42 free(mapping
->issuer
.ptr
);
43 free(mapping
->subject
.ptr
);
48 * Create a self signed certificate.
52 cred_encoding_type_t form
= CERT_ASN1_DER
;
53 key_type_t type
= KEY_ANY
;
54 hash_algorithm_t digest
= HASH_UNKNOWN
;
55 signature_params_t
*scheme
= NULL
;
56 certificate_t
*cert
= NULL
;
57 private_key_t
*private = NULL
;
58 public_key_t
*public = NULL
;
59 char *file
= NULL
, *dn
= NULL
, *hex
= NULL
, *error
= NULL
, *keyid
= NULL
;
60 identification_t
*id
= NULL
;
61 linked_list_t
*san
, *ocsp
, *permitted
, *excluded
, *policies
, *mappings
;
62 linked_list_t
*addrblocks
;
63 int pathlen
= X509_NO_CONSTRAINT
, inhibit_any
= X509_NO_CONSTRAINT
;
64 int inhibit_mapping
= X509_NO_CONSTRAINT
;
65 int require_explicit
= X509_NO_CONSTRAINT
;
66 chunk_t serial
= chunk_empty
;
67 chunk_t encoding
= chunk_empty
;
68 time_t not_before
, not_after
, lifetime
= 1095 * 24 * 60 * 60;
69 char *datenb
= NULL
, *datena
= NULL
, *dateform
= NULL
;
70 x509_flag_t flags
= 0;
71 x509_cert_policy_t
*policy
= NULL
;
72 traffic_selector_t
*ts
;
74 bool pss
= lib
->settings
->get_bool(lib
->settings
, "%s.rsa_pss", FALSE
,
77 san
= linked_list_create();
78 ocsp
= linked_list_create();
79 permitted
= linked_list_create();
80 excluded
= linked_list_create();
81 policies
= linked_list_create();
82 mappings
= linked_list_create();
83 addrblocks
= linked_list_create();
87 switch (command_getopt(&arg
))
92 if (streq(arg
, "rsa"))
96 else if (streq(arg
, "ecdsa"))
100 else if (streq(arg
, "ed25519"))
104 else if (streq(arg
, "bliss"))
108 else if (streq(arg
, "priv"))
114 error
= "invalid input type";
119 if (!enum_from_name(hash_algorithm_short_names
, arg
, &digest
))
121 error
= "invalid --digest type";
126 if (streq(arg
, "pss"))
130 else if (!streq(arg
, "pkcs1"))
132 error
= "invalid RSA padding";
146 san
->insert_last(san
, identification_create_from_string(arg
));
149 lifetime
= atoi(arg
) * 24 * 60 * 60;
152 error
= "invalid --lifetime value";
178 error
= "invalid addressBlock";
181 addrblocks
->insert_last(addrblocks
, ts
);
184 permitted
->insert_last(permitted
,
185 identification_create_from_string(arg
));
188 excluded
->insert_last(excluded
,
189 identification_create_from_string(arg
));
195 oid
= asn1_oid_from_string(arg
);
198 error
= "--cert-policy OID invalid";
204 policies
->insert_last(policies
, policy
);
210 error
= "--cps-uri must follow a --cert-policy";
213 policy
->cps_uri
= arg
;
218 error
= "--user-notice must follow a --cert-policy";
221 policy
->unotice_text
= arg
;
225 char *pos
= strchr(arg
, ':');
226 x509_policy_mapping_t
*mapping
;
227 chunk_t subject_oid
, issuer_oid
;
232 issuer_oid
= asn1_oid_from_string(arg
);
233 subject_oid
= asn1_oid_from_string(pos
);
235 if (!pos
|| !issuer_oid
.len
|| !subject_oid
.len
)
237 error
= "--policy-map OIDs invalid";
241 .issuer
= issuer_oid
,
242 .subject
= subject_oid
,
244 mappings
->insert_last(mappings
, mapping
);
248 require_explicit
= atoi(arg
);
251 inhibit_mapping
= atoi(arg
);
254 inhibit_any
= atoi(arg
);
257 if (streq(arg
, "serverAuth"))
259 flags
|= X509_SERVER_AUTH
;
261 else if (streq(arg
, "clientAuth"))
263 flags
|= X509_CLIENT_AUTH
;
265 else if (streq(arg
, "ikeIntermediate"))
267 flags
|= X509_IKE_INTERMEDIATE
;
269 else if (streq(arg
, "crlSign"))
271 flags
|= X509_CRL_SIGN
;
273 else if (streq(arg
, "ocspSigning"))
275 flags
|= X509_OCSP_SIGNER
;
277 else if (streq(arg
, "msSmartcardLogon"))
279 flags
|= X509_MS_SMARTCARD_LOGON
;
283 if (!get_form(arg
, &form
, CRED_CERTIFICATE
))
285 error
= "invalid output format";
290 ocsp
->insert_last(ocsp
, arg
);
295 error
= "invalid --self option";
303 error
= "--dn is required";
306 if (!calculate_lifetime(dateform
, datenb
, datena
, lifetime
,
307 ¬_before
, ¬_after
))
309 error
= "invalid --not-before/after datetime";
312 id
= identification_create_from_string(dn
);
313 if (id
->get_type(id
) != ID_DER_ASN1_DN
)
315 error
= "supplied --dn is not a distinguished name";
320 private = lib
->creds
->create(lib
->creds
, CRED_PRIVATE_KEY
, type
,
321 BUILD_FROM_FILE
, file
, BUILD_END
);
327 chunk
= chunk_from_hex(chunk_create(keyid
, strlen(keyid
)), NULL
);
328 private = lib
->creds
->create(lib
->creds
, CRED_PRIVATE_KEY
, KEY_ANY
,
329 BUILD_PKCS11_KEYID
, chunk
, BUILD_END
);
336 set_file_mode(stdin
, CERT_ASN1_DER
);
337 if (!chunk_from_fd(0, &chunk
))
339 fprintf(stderr
, "%s: ", strerror(errno
));
340 error
= "reading private key failed";
343 private = lib
->creds
->create(lib
->creds
, CRED_PRIVATE_KEY
, type
,
344 BUILD_BLOB
, chunk
, BUILD_END
);
349 error
= "loading private key failed";
352 public = private->get_public_key(private);
355 error
= "extracting public key failed";
360 serial
= chunk_from_hex(chunk_create(hex
, strlen(hex
)), NULL
);
364 rng_t
*rng
= lib
->crypto
->create_rng(lib
->crypto
, RNG_WEAK
);
368 error
= "no random number generator found";
371 if (!rng_allocate_bytes_not_zero(rng
, 8, &serial
, FALSE
))
373 error
= "failed to generate serial number";
377 serial
.ptr
[0] &= 0x7F;
380 scheme
= get_signature_scheme(private, digest
, pss
);
383 error
= "no signature scheme found";
387 cert
= lib
->creds
->create(lib
->creds
, CRED_CERTIFICATE
, CERT_X509
,
388 BUILD_SIGNING_KEY
, private, BUILD_PUBLIC_KEY
, public,
389 BUILD_SUBJECT
, id
, BUILD_NOT_BEFORE_TIME
, not_before
,
390 BUILD_NOT_AFTER_TIME
, not_after
, BUILD_SERIAL
, serial
,
391 BUILD_SIGNATURE_SCHEME
, scheme
, BUILD_X509_FLAG
, flags
,
392 BUILD_PATHLEN
, pathlen
, BUILD_SUBJECT_ALTNAMES
, san
,
393 BUILD_ADDRBLOCKS
, addrblocks
,
394 BUILD_OCSP_ACCESS_LOCATIONS
, ocsp
,
395 BUILD_PERMITTED_NAME_CONSTRAINTS
, permitted
,
396 BUILD_EXCLUDED_NAME_CONSTRAINTS
, excluded
,
397 BUILD_CERTIFICATE_POLICIES
, policies
,
398 BUILD_POLICY_MAPPINGS
, mappings
,
399 BUILD_POLICY_REQUIRE_EXPLICIT
, require_explicit
,
400 BUILD_POLICY_INHIBIT_MAPPING
, inhibit_mapping
,
401 BUILD_POLICY_INHIBIT_ANY
, inhibit_any
,
405 error
= "generating certificate failed";
408 if (!cert
->get_encoding(cert
, form
, &encoding
))
410 error
= "encoding certificate failed";
413 set_file_mode(stdout
, form
);
414 if (fwrite(encoding
.ptr
, encoding
.len
, 1, stdout
) != 1)
416 error
= "writing certificate key failed";
425 san
->destroy_offset(san
, offsetof(identification_t
, destroy
));
426 permitted
->destroy_offset(permitted
, offsetof(identification_t
, destroy
));
427 excluded
->destroy_offset(excluded
, offsetof(identification_t
, destroy
));
428 addrblocks
->destroy_offset(addrblocks
, offsetof(traffic_selector_t
, destroy
));
429 policies
->destroy_function(policies
, (void*)destroy_cert_policy
);
430 mappings
->destroy_function(mappings
, (void*)destroy_policy_mapping
);
432 signature_params_destroy(scheme
);
438 fprintf(stderr
, "%s\n", error
);
444 san
->destroy_offset(san
, offsetof(identification_t
, destroy
));
445 permitted
->destroy_offset(permitted
, offsetof(identification_t
, destroy
));
446 excluded
->destroy_offset(excluded
, offsetof(identification_t
, destroy
));
447 addrblocks
->destroy_offset(addrblocks
, offsetof(traffic_selector_t
, destroy
));
448 policies
->destroy_function(policies
, (void*)destroy_cert_policy
);
449 mappings
->destroy_function(mappings
, (void*)destroy_policy_mapping
);
451 return command_usage(error
);
455 * Register the command.
457 static void __attribute__ ((constructor
))reg()
459 command_register((command_t
) {
461 "create a self signed certificate",
462 {"[--in file|--keyid hex] [--type rsa|ecdsa|ed25519|bliss|priv]",
463 " --dn distinguished-name [--san subjectAltName]+",
464 "[--lifetime days] [--serial hex] [--ca] [--ocsp uri]+",
465 "[--flag serverAuth|clientAuth|crlSign|ocspSigning|msSmartcardLogon]+",
466 "[--nc-permitted name] [--nc-excluded name]",
467 "[--policy-map issuer-oid:subject-oid]",
468 "[--policy-explicit len] [--policy-inhibit len] [--policy-any len]",
469 "[--cert-policy oid [--cps-uri uri] [--user-notice text]]+",
470 "[--digest md5|sha1|sha224|sha256|sha384|sha512|sha3_224|sha3_256|sha3_384|sha3_512]",
471 "[--rsa-padding pkcs1|pss]",
472 "[--outform der|pem]"},
474 {"help", 'h', 0, "show usage information"},
475 {"in", 'i', 1, "private key input file, default: stdin"},
476 {"keyid", 'x', 1, "smartcard or TPM private key object handle"},
477 {"type", 't', 1, "type of input key, default: priv"},
478 {"dn", 'd', 1, "subject and issuer distinguished name"},
479 {"san", 'a', 1, "subjectAltName to include in certificate"},
480 {"lifetime", 'l', 1, "days the certificate is valid, default: 1095"},
481 {"not-before", 'F', 1, "date/time the validity of the cert starts"},
482 {"not-after", 'T', 1, "date/time the validity of the cert ends"},
483 {"dateform", 'D', 1, "strptime(3) input format, default: %d.%m.%y %T"},
484 {"serial", 's', 1, "serial number in hex, default: random"},
485 {"ca", 'b', 0, "include CA basicConstraint, default: no"},
486 {"pathlen", 'p', 1, "set path length constraint"},
487 {"addrblock", 'B', 1, "RFC 3779 addrBlock to include"},
488 {"nc-permitted", 'n', 1, "add permitted NameConstraint"},
489 {"nc-excluded", 'N', 1, "add excluded NameConstraint"},
490 {"cert-policy", 'P', 1, "certificatePolicy OID to include"},
491 {"cps-uri", 'C', 1, "Certification Practice statement URI for certificatePolicy"},
492 {"user-notice", 'U', 1, "user notice for certificatePolicy"},
493 {"policy-mapping", 'M', 1, "policyMapping from issuer to subject OID"},
494 {"policy-explicit", 'E', 1, "requireExplicitPolicy constraint"},
495 {"policy-inhibit", 'H', 1, "inhibitPolicyMapping constraint"},
496 {"policy-any", 'A', 1, "inhibitAnyPolicy constraint"},
497 {"flag", 'e', 1, "include extendedKeyUsage flag"},
498 {"ocsp", 'o', 1, "OCSP AuthorityInfoAccess URI to include"},
499 {"digest", 'g', 1, "digest for signature creation, default: key-specific"},
500 {"rsa-padding", 'R', 1, "padding for RSA signatures, default: pkcs1"},
501 {"outform", 'f', 1, "encoding of generated cert, default: der"},