Support TLS client authentication Extended Key Usage in x509 generation
[strongswan.git] / src / pki / commands / issue.c
1 /*
2 * Copyright (C) 2009 Martin Willi
3 * Hochschule fuer Technik Rapperswil
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include <time.h>
17
18 #include "pki.h"
19
20 #include <debug.h>
21 #include <utils/linked_list.h>
22 #include <credentials/certificates/certificate.h>
23 #include <credentials/certificates/x509.h>
24 #include <credentials/certificates/pkcs10.h>
25
26 /**
27 * Issue a certificate using a CA certificate and key
28 */
29 static int issue()
30 {
31 hash_algorithm_t digest = HASH_SHA1;
32 certificate_t *cert_req = NULL, *cert = NULL, *ca =NULL;
33 private_key_t *private = NULL;
34 public_key_t *public = NULL;
35 bool pkcs10 = FALSE;
36 char *file = NULL, *dn = NULL, *hex = NULL, *cacert = NULL, *cakey = NULL;
37 char *error = NULL;
38 identification_t *id = NULL;
39 linked_list_t *san, *cdps, *ocsp;
40 int lifetime = 1080;
41 int pathlen = X509_NO_PATH_LEN_CONSTRAINT;
42 chunk_t serial = chunk_empty;
43 chunk_t encoding = chunk_empty;
44 time_t not_before, not_after;
45 x509_flag_t flags = 0;
46 x509_t *x509;
47 char *arg;
48
49 san = linked_list_create();
50 cdps = linked_list_create();
51 ocsp = linked_list_create();
52
53 while (TRUE)
54 {
55 switch (command_getopt(&arg))
56 {
57 case 'h':
58 goto usage;
59 case 't':
60 if (streq(arg, "pkcs10"))
61 {
62 pkcs10 = TRUE;
63 }
64 else if (!streq(arg, "pub"))
65 {
66 error = "invalid input type";
67 goto usage;
68 }
69 continue;
70 case 'g':
71 digest = get_digest(arg);
72 if (digest == HASH_UNKNOWN)
73 {
74 error = "invalid --digest type";
75 goto usage;
76 }
77 continue;
78 case 'i':
79 file = arg;
80 continue;
81 case 'c':
82 cacert = arg;
83 continue;
84 case 'k':
85 cakey = arg;
86 continue;
87 case 'd':
88 dn = arg;
89 continue;
90 case 'a':
91 san->insert_last(san, identification_create_from_string(arg));
92 continue;
93 case 'l':
94 lifetime = atoi(arg);
95 if (!lifetime)
96 {
97 error = "invalid --lifetime value";
98 goto usage;
99 }
100 continue;
101 case 's':
102 hex = arg;
103 continue;
104 case 'b':
105 flags |= X509_CA;
106 continue;
107 case 'p':
108 pathlen = atoi(arg);
109 continue;
110 case 'f':
111 if (streq(arg, "serverAuth"))
112 {
113 flags |= X509_SERVER_AUTH;
114 }
115 else if (streq(arg, "clientAuth"))
116 {
117 flags |= X509_CLIENT_AUTH;
118 }
119 else if (streq(arg, "ocspSigning"))
120 {
121 flags |= X509_OCSP_SIGNER;
122 }
123 continue;
124 case 'u':
125 cdps->insert_last(cdps, arg);
126 continue;
127 case 'o':
128 ocsp->insert_last(ocsp, arg);
129 continue;
130 case EOF:
131 break;
132 default:
133 error = "invalid --issue option";
134 goto usage;
135 }
136 break;
137 }
138
139 if (!pkcs10 && !dn)
140 {
141 error = "--dn is required";
142 goto usage;
143 }
144 if (!cacert)
145 {
146 error = "--cacert is required";
147 goto usage;
148 }
149 if (!cakey)
150 {
151 error = "--cakey is required";
152 goto usage;
153 }
154 if (dn)
155 {
156 id = identification_create_from_string(dn);
157 if (id->get_type(id) != ID_DER_ASN1_DN)
158 {
159 error = "supplied --dn is not a distinguished name";
160 goto end;
161 }
162 }
163
164 DBG2("Reading ca certificate:");
165 ca = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
166 BUILD_FROM_FILE, cacert, BUILD_END);
167 if (!ca)
168 {
169 error = "parsing CA certificate failed";
170 goto end;
171 }
172 x509 = (x509_t*)ca;
173 if (!(x509->get_flags(x509) & X509_CA))
174 {
175 error = "CA certificate misses CA basicConstraint";
176 goto end;
177 }
178 public = ca->get_public_key(ca);
179 if (!public)
180 {
181 error = "extracting CA certificate public key failed";
182 goto end;
183 }
184
185 DBG2("Reading ca private key:");
186 private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY,
187 public->get_type(public),
188 BUILD_FROM_FILE, cakey, BUILD_END);
189 if (!private)
190 {
191 error = "parsing CA private key failed";
192 goto end;
193 }
194 if (!private->belongs_to(private, public))
195 {
196 error = "CA private key does not match CA certificate";
197 goto end;
198 }
199 public->destroy(public);
200
201 if (hex)
202 {
203 serial = chunk_from_hex(chunk_create(hex, strlen(hex)), NULL);
204 }
205 else
206 {
207 rng_t *rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
208
209 if (!rng)
210 {
211 error = "no random number generator found";
212 goto end;
213 }
214 rng->allocate_bytes(rng, 8, &serial);
215 rng->destroy(rng);
216 }
217
218 if (pkcs10)
219 {
220 enumerator_t *enumerator;
221 identification_t *subjectAltName;
222 pkcs10_t *req;
223
224 DBG2("Reading certificate request");
225 if (file)
226 {
227 cert_req = lib->creds->create(lib->creds, CRED_CERTIFICATE,
228 CERT_PKCS10_REQUEST,
229 BUILD_FROM_FILE, file, BUILD_END);
230 }
231 else
232 {
233 cert_req = lib->creds->create(lib->creds, CRED_CERTIFICATE,
234 CERT_PKCS10_REQUEST,
235 BUILD_FROM_FD, 0, BUILD_END);
236 }
237 if (!cert_req)
238 {
239 error = "parsing certificate request failed";
240 goto end;
241 }
242
243 /* If not set yet use subject from PKCS#10 certificate request as DN */
244 if (!id)
245 {
246 id = cert_req->get_subject(cert_req);
247 id = id->clone(id);
248 }
249
250 /* Add subjectAltNames from PKCS#10 certificate request */
251 req = (pkcs10_t*)cert_req;
252 enumerator = req->create_subjectAltName_enumerator(req);
253 while (enumerator->enumerate(enumerator, &subjectAltName))
254 {
255 san->insert_last(san, subjectAltName->clone(subjectAltName));
256 }
257 enumerator->destroy(enumerator);
258
259 /* Use public key from PKCS#10 certificate request */
260 public = cert_req->get_public_key(cert_req);
261 }
262 else
263 {
264 DBG2("Reading public key:");
265 if (file)
266 {
267 public = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_ANY,
268 BUILD_FROM_FILE, file, BUILD_END);
269 }
270 else
271 {
272 public = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_ANY,
273 BUILD_FROM_FD, 0, BUILD_END);
274 }
275 }
276 if (!public)
277 {
278 error = "parsing public key failed";
279 goto end;
280 }
281
282 not_before = time(NULL);
283 not_after = not_before + lifetime * 24 * 60 * 60;
284
285 cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
286 BUILD_SIGNING_KEY, private, BUILD_SIGNING_CERT, ca,
287 BUILD_PUBLIC_KEY, public, BUILD_SUBJECT, id,
288 BUILD_NOT_BEFORE_TIME, not_before, BUILD_DIGEST_ALG, digest,
289 BUILD_NOT_AFTER_TIME, not_after, BUILD_SERIAL, serial,
290 BUILD_SUBJECT_ALTNAMES, san, BUILD_X509_FLAG, flags,
291 BUILD_PATHLEN, pathlen,
292 BUILD_CRL_DISTRIBUTION_POINTS, cdps,
293 BUILD_OCSP_ACCESS_LOCATIONS, ocsp, BUILD_END);
294 if (!cert)
295 {
296 error = "generating certificate failed";
297 goto end;
298 }
299 encoding = cert->get_encoding(cert);
300 if (!encoding.ptr)
301 {
302 error = "encoding certificate failed";
303 goto end;
304 }
305 if (fwrite(encoding.ptr, encoding.len, 1, stdout) != 1)
306 {
307 error = "writing certificate key failed";
308 goto end;
309 }
310
311 end:
312 DESTROY_IF(id);
313 DESTROY_IF(cert_req);
314 DESTROY_IF(cert);
315 DESTROY_IF(ca);
316 DESTROY_IF(public);
317 DESTROY_IF(private);
318 san->destroy_offset(san, offsetof(identification_t, destroy));
319 cdps->destroy(cdps);
320 ocsp->destroy(ocsp);
321 free(encoding.ptr);
322 free(serial.ptr);
323
324 if (error)
325 {
326 fprintf(stderr, "%s\n", error);
327 return 1;
328 }
329 return 0;
330
331 usage:
332 san->destroy_offset(san, offsetof(identification_t, destroy));
333 cdps->destroy(cdps);
334 ocsp->destroy(ocsp);
335 return command_usage(error);
336 }
337
338 /**
339 * Register the command.
340 */
341 static void __attribute__ ((constructor))reg()
342 {
343 command_register((command_t) {
344 issue, 'i', "issue",
345 "issue a certificate using a CA certificate and key",
346 {"[--in file] [--type pub|pkcs10]",
347 " --cacert file --cakey file --dn subject-dn [--san subjectAltName]+",
348 "[--lifetime days] [--serial hex] [--crl uri]+ [--ocsp uri]+",
349 "[--ca] [--pathlen len] [--flag serverAuth|clientAuth|ocspSigning]+",
350 "[--digest md5|sha1|sha224|sha256|sha384|sha512]"},
351 {
352 {"help", 'h', 0, "show usage information"},
353 {"in", 'i', 1, "public key/request file to issue, default: stdin"},
354 {"type", 't', 1, "type of input, default: pub"},
355 {"cacert", 'c', 1, "CA certificate file"},
356 {"cakey", 'k', 1, "CA private key file"},
357 {"dn", 'd', 1, "distinguished name to include as subject"},
358 {"san", 'a', 1, "subjectAltName to include in certificate"},
359 {"lifetime",'l', 1, "days the certificate is valid, default: 1080"},
360 {"serial", 's', 1, "serial number in hex, default: random"},
361 {"ca", 'b', 0, "include CA basicConstraint, default: no"},
362 {"pathlen", 'p', 1, "set path length constraint"},
363 {"flag", 'f', 1, "include extendedKeyUsage flag"},
364 {"crl", 'u', 1, "CRL distribution point URI to include"},
365 {"ocsp", 'o', 1, "OCSP AuthorityInfoAccess URI to include"},
366 {"digest", 'g', 1, "digest for signature creation, default: sha1"},
367 }
368 });
369 }
370