ipsec pki --issue supports --flag ocspSigning option
[strongswan.git] / src / pki / commands / issue.c
1 /*
2 * Copyright (C) 2009 Martin Willi
3 * Hochschule fuer Technik Rapperswil
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include <time.h>
17
18 #include "pki.h"
19
20 #include <debug.h>
21 #include <utils/linked_list.h>
22 #include <credentials/certificates/certificate.h>
23 #include <credentials/certificates/x509.h>
24 #include <credentials/certificates/pkcs10.h>
25
26 /**
27 * Issue a certificate using a CA certificate and key
28 */
29 static int issue()
30 {
31 hash_algorithm_t digest = HASH_SHA1;
32 certificate_t *cert_req = NULL, *cert = NULL, *ca =NULL;
33 private_key_t *private = NULL;
34 public_key_t *public = NULL;
35 bool pkcs10 = FALSE;
36 char *file = NULL, *dn = NULL, *hex = NULL, *cacert = NULL, *cakey = NULL;
37 char *error = NULL;
38 identification_t *id = NULL;
39 linked_list_t *san, *cdps, *ocsp;
40 int lifetime = 1080;
41 chunk_t serial = chunk_empty;
42 chunk_t encoding = chunk_empty;
43 time_t not_before, not_after;
44 x509_flag_t flags = 0;
45 x509_t *x509;
46 char *arg;
47
48 san = linked_list_create();
49 cdps = linked_list_create();
50 ocsp = linked_list_create();
51
52 while (TRUE)
53 {
54 switch (command_getopt(&arg))
55 {
56 case 'h':
57 goto usage;
58 case 't':
59 if (streq(arg, "pkcs10"))
60 {
61 pkcs10 = TRUE;
62 }
63 else if (!streq(arg, "pub"))
64 {
65 error = "invalid input type";
66 goto usage;
67 }
68 continue;
69 case 'g':
70 digest = get_digest(arg);
71 if (digest == HASH_UNKNOWN)
72 {
73 error = "invalid --digest type";
74 goto usage;
75 }
76 continue;
77 case 'i':
78 file = arg;
79 continue;
80 case 'c':
81 cacert = arg;
82 continue;
83 case 'k':
84 cakey = arg;
85 continue;
86 case 'd':
87 dn = arg;
88 continue;
89 case 'a':
90 san->insert_last(san, identification_create_from_string(arg));
91 continue;
92 case 'l':
93 lifetime = atoi(arg);
94 if (!lifetime)
95 {
96 error = "invalid --lifetime value";
97 goto usage;
98 }
99 continue;
100 case 's':
101 hex = arg;
102 continue;
103 case 'b':
104 flags |= X509_CA;
105 continue;
106 case 'f':
107 if (streq(arg, "ocspSigning"))
108 {
109 flags |= X509_OCSP_SIGNER;
110 }
111 continue;
112 case 'u':
113 cdps->insert_last(cdps, arg);
114 continue;
115 case 'o':
116 ocsp->insert_last(ocsp, arg);
117 continue;
118 case EOF:
119 break;
120 default:
121 error = "invalid --issue option";
122 goto usage;
123 }
124 break;
125 }
126
127 if (!pkcs10 && !dn)
128 {
129 error = "--dn is required";
130 goto usage;
131 }
132 if (!cacert)
133 {
134 error = "--cacert is required";
135 goto usage;
136 }
137 if (!cakey)
138 {
139 error = "--cakey is required";
140 goto usage;
141 }
142 if (dn)
143 {
144 id = identification_create_from_string(dn);
145 if (id->get_type(id) != ID_DER_ASN1_DN)
146 {
147 error = "supplied --dn is not a distinguished name";
148 goto end;
149 }
150 }
151
152 DBG2("Reading ca certificate:");
153 ca = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
154 BUILD_FROM_FILE, cacert, BUILD_END);
155 if (!ca)
156 {
157 error = "parsing CA certificate failed";
158 goto end;
159 }
160 x509 = (x509_t*)ca;
161 if (!(x509->get_flags(x509) & X509_CA))
162 {
163 error = "CA certificate misses CA basicConstraint";
164 goto end;
165 }
166 public = ca->get_public_key(ca);
167 if (!public)
168 {
169 error = "extracting CA certificate public key failed";
170 goto end;
171 }
172
173 DBG2("Reading ca private key:");
174 private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY,
175 public->get_type(public),
176 BUILD_FROM_FILE, cakey, BUILD_END);
177 if (!private)
178 {
179 error = "parsing CA private key failed";
180 goto end;
181 }
182 if (!private->belongs_to(private, public))
183 {
184 error = "CA private key does not match CA certificate";
185 goto end;
186 }
187 public->destroy(public);
188
189 if (hex)
190 {
191 serial = chunk_from_hex(chunk_create(hex, strlen(hex)), NULL);
192 }
193 else
194 {
195 rng_t *rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
196
197 if (!rng)
198 {
199 error = "no random number generator found";
200 goto end;
201 }
202 rng->allocate_bytes(rng, 8, &serial);
203 rng->destroy(rng);
204 }
205
206 if (pkcs10)
207 {
208 enumerator_t *enumerator;
209 identification_t *subjectAltName;
210 pkcs10_t *req;
211
212 DBG2("Reading certificate request");
213 if (file)
214 {
215 cert_req = lib->creds->create(lib->creds, CRED_CERTIFICATE,
216 CERT_PKCS10_REQUEST,
217 BUILD_FROM_FILE, file, BUILD_END);
218 }
219 else
220 {
221 cert_req = lib->creds->create(lib->creds, CRED_CERTIFICATE,
222 CERT_PKCS10_REQUEST,
223 BUILD_FROM_FD, 0, BUILD_END);
224 }
225 if (!cert_req)
226 {
227 error = "parsing certificate request failed";
228 goto end;
229 }
230
231 /* If not set yet use subject from PKCS#10 certificate request as DN */
232 if (!id)
233 {
234 id = cert_req->get_subject(cert_req);
235 id = id->clone(id);
236 }
237
238 /* Add subjectAltNames from PKCS#10 certificate request */
239 req = (pkcs10_t*)cert_req;
240 enumerator = req->create_subjectAltName_enumerator(req);
241 while (enumerator->enumerate(enumerator, &subjectAltName))
242 {
243 san->insert_last(san, subjectAltName->clone(subjectAltName));
244 }
245 enumerator->destroy(enumerator);
246
247 /* Use public key from PKCS#10 certificate request */
248 public = cert_req->get_public_key(cert_req);
249 }
250 else
251 {
252 DBG2("Reading public key:");
253 if (file)
254 {
255 public = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_ANY,
256 BUILD_FROM_FILE, file, BUILD_END);
257 }
258 else
259 {
260 public = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_ANY,
261 BUILD_FROM_FD, 0, BUILD_END);
262 }
263 }
264 if (!public)
265 {
266 error = "parsing public key failed";
267 goto end;
268 }
269
270 not_before = time(NULL);
271 not_after = not_before + lifetime * 24 * 60 * 60;
272
273 cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
274 BUILD_SIGNING_KEY, private, BUILD_SIGNING_CERT, ca,
275 BUILD_PUBLIC_KEY, public, BUILD_SUBJECT, id,
276 BUILD_NOT_BEFORE_TIME, not_before, BUILD_DIGEST_ALG, digest,
277 BUILD_NOT_AFTER_TIME, not_after, BUILD_SERIAL, serial,
278 BUILD_SUBJECT_ALTNAMES, san, BUILD_X509_FLAG, flags,
279 BUILD_CRL_DISTRIBUTION_POINTS, cdps,
280 BUILD_OCSP_ACCESS_LOCATIONS, ocsp, BUILD_END);
281 if (!cert)
282 {
283 error = "generating certificate failed";
284 goto end;
285 }
286 encoding = cert->get_encoding(cert);
287 if (!encoding.ptr)
288 {
289 error = "encoding certificate failed";
290 goto end;
291 }
292 if (fwrite(encoding.ptr, encoding.len, 1, stdout) != 1)
293 {
294 error = "writing certificate key failed";
295 goto end;
296 }
297
298 end:
299 DESTROY_IF(id);
300 DESTROY_IF(cert_req);
301 DESTROY_IF(cert);
302 DESTROY_IF(ca);
303 DESTROY_IF(public);
304 DESTROY_IF(private);
305 san->destroy_offset(san, offsetof(identification_t, destroy));
306 cdps->destroy(cdps);
307 ocsp->destroy(ocsp);
308 free(encoding.ptr);
309 free(serial.ptr);
310
311 if (error)
312 {
313 fprintf(stderr, "%s\n", error);
314 return 1;
315 }
316 return 0;
317
318 usage:
319 san->destroy_offset(san, offsetof(identification_t, destroy));
320 cdps->destroy(cdps);
321 ocsp->destroy(ocsp);
322 return command_usage(error);
323 }
324
325 /**
326 * Register the command.
327 */
328 static void __attribute__ ((constructor))reg()
329 {
330 command_register((command_t) {
331 issue, 'i', "issue",
332 "issue a certificate using a CA certificate and key",
333 {"[--in file] [--type pub|pkcs10]",
334 " --cacert file --cakey file --dn subject-dn [--san subjectAltName]+",
335 "[--lifetime days] [--serial hex] [--ca] [--crl uri]+ [--ocsp uri]+",
336 "[--flag serverAuth|ocspSigning]+",
337 "[--digest md5|sha1|sha224|sha256|sha384|sha512]"},
338 {
339 {"help", 'h', 0, "show usage information"},
340 {"in", 'i', 1, "public key/request file to issue, default: stdin"},
341 {"type", 't', 1, "type of input, default: pub"},
342 {"cacert", 'c', 1, "CA certificate file"},
343 {"cakey", 'k', 1, "CA private key file"},
344 {"dn", 'd', 1, "distinguished name to include as subject"},
345 {"san", 'a', 1, "subjectAltName to include in certificate"},
346 {"lifetime",'l', 1, "days the certificate is valid, default: 1080"},
347 {"serial", 's', 1, "serial number in hex, default: random"},
348 {"ca", 'b', 0, "include CA basicConstraint, default: no"},
349 {"flag", 'f', 1, "include extendedKeyUsage flag"},
350 {"crl", 'u', 1, "CRL distribution point URI to include"},
351 {"ocsp", 'o', 1, "OCSP AuthorityInfoAccess URI to include"},
352 {"digest", 'g', 1, "digest for signature creation, default: sha1"},
353 }
354 });
355 }
356