2 * Copyright (C) 2009 Martin Willi
3 * Hochschule fuer Technik Rapperswil
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
20 #include <utils/linked_list.h>
21 #include <utils/optionsfrom.h>
22 #include <credentials/certificates/certificate.h>
23 #include <credentials/certificates/x509.h>
26 * Issue a certificate using a CA certificate and key
28 static int issue(int argc
, char *argv
[])
30 hash_algorithm_t digest
= HASH_SHA1
;
31 certificate_t
*cert
= NULL
, *ca
=NULL
;
32 private_key_t
*private = NULL
;
33 public_key_t
*public = NULL
;
34 char *file
= NULL
, *dn
= NULL
, *hex
= NULL
, *cacert
= NULL
, *cakey
= NULL
;
36 identification_t
*id
= NULL
;
37 linked_list_t
*san
, *cdps
;
39 chunk_t serial
= chunk_empty
;
40 chunk_t encoding
= chunk_empty
;
41 time_t not_before
, not_after
;
42 x509_flag_t flags
= 0;
46 options
= options_create();
47 san
= linked_list_create();
48 cdps
= linked_list_create();
52 switch (getopt_long(argc
, argv
, "", command_opts
, NULL
))
57 if (!options
->from(options
, optarg
, &argc
, &argv
, optind
))
59 error
= "invalid options file";
64 if (!streq(optarg
, "pub"))
66 error
= "invalid input type";
71 digest
= get_digest(optarg
);
72 if (digest
== HASH_UNKNOWN
)
74 error
= "invalid --digest type";
88 cdps
->insert_last(cdps
, optarg
);
94 san
->insert_last(san
, identification_create_from_string(optarg
));
97 lifetime
= atoi(optarg
);
100 error
= "invalid --lifetime value";
113 error
= "invalid --issue option";
121 error
= "--dn is required";
126 error
= "--cacert is required";
131 error
= "--cakey is required";
134 id
= identification_create_from_string(dn
);
135 if (id
->get_type(id
) != ID_DER_ASN1_DN
)
137 error
= "supplied --dn is not a distinguished name";
140 ca
= lib
->creds
->create(lib
->creds
, CRED_CERTIFICATE
, CERT_X509
,
141 BUILD_FROM_FILE
, cacert
, BUILD_END
);
144 error
= "parsing CA certificate failed";
148 if (!(x509
->get_flags(x509
) & X509_CA
))
150 error
= "CA certificate misses CA basicConstraint";
154 public = ca
->get_public_key(ca
);
157 error
= "extracting CA certificate public key failed";
160 private = lib
->creds
->create(lib
->creds
, CRED_PRIVATE_KEY
,
161 public->get_type(public),
162 BUILD_FROM_FILE
, cakey
, BUILD_END
);
165 error
= "parsing CA private key failed";
168 if (!private->belongs_to(private, public))
170 error
= "CA private key does not match CA certificate";
173 public->destroy(public);
177 public = lib
->creds
->create(lib
->creds
, CRED_PUBLIC_KEY
, KEY_ANY
,
178 BUILD_FROM_FILE
, file
, BUILD_END
);
182 public = lib
->creds
->create(lib
->creds
, CRED_PUBLIC_KEY
, KEY_ANY
,
183 BUILD_FROM_FD
, 0, BUILD_END
);
187 error
= "parsing public key failed";
193 serial
= chunk_from_hex(chunk_create(hex
, strlen(hex
)), NULL
);
197 rng_t
*rng
= lib
->crypto
->create_rng(lib
->crypto
, RNG_WEAK
);
201 error
= "no random number generator found";
204 rng
->allocate_bytes(rng
, 8, &serial
);
207 not_before
= time(NULL
);
208 not_after
= not_before
+ lifetime
* 24 * 60 * 60;
209 cert
= lib
->creds
->create(lib
->creds
, CRED_CERTIFICATE
, CERT_X509
,
210 BUILD_SIGNING_KEY
, private, BUILD_SIGNING_CERT
, ca
,
211 BUILD_PUBLIC_KEY
, public, BUILD_SUBJECT
, id
,
212 BUILD_NOT_BEFORE_TIME
, not_before
, BUILD_DIGEST_ALG
, digest
,
213 BUILD_NOT_AFTER_TIME
, not_after
, BUILD_SERIAL
, serial
,
214 BUILD_SUBJECT_ALTNAMES
, san
, BUILD_X509_FLAG
, flags
,
215 BUILD_CRL_DISTRIBUTION_POINTS
, cdps
, BUILD_END
);
218 error
= "generating certificate failed";
221 encoding
= cert
->get_encoding(cert
);
224 error
= "encoding certificate failed";
227 if (fwrite(encoding
.ptr
, encoding
.len
, 1, stdout
) != 1)
229 error
= "writing certificate key failed";
239 san
->destroy_offset(san
, offsetof(identification_t
, destroy
));
241 options
->destroy(options
);
247 fprintf(stderr
, "%s\n", error
);
253 san
->destroy_offset(san
, offsetof(identification_t
, destroy
));
255 options
->destroy(options
);
256 return command_usage(error
);
260 * Register the command.
262 static void __attribute__ ((constructor
))reg()
264 command_register((command_t
) {
266 "issue a certificate using a CA certificate and key",
267 {"[--in file] [--type pub|pkcs10]",
268 " --cacert file --cakey file [--cdp uri]+",
269 " --dn subject-dn [--san subjectAltName]+",
270 "[--lifetime days] [--serial hex] [--ca]",
271 "[--digest md5|sha1|sha224|sha256|sha384|sha512]",
274 {"help", 'h', 0, "show usage information"},
275 {"in", 'i', 1, "public key/request file to issue, default: stdin"},
276 {"type", 't', 1, "type of input, default: pub"},
277 {"cacert", 'c', 1, "CA certificate file"},
278 {"cakey", 'k', 1, "CA private key file"},
279 {"cdp", 'u', 1, "CRL distribution point URI to include"},
280 {"dn", 'd', 1, "distinguished name to include as subject"},
281 {"san", 'a', 1, "subjectAltName to include in certificate"},
282 {"lifetime",'l', 1, "days the certificate is valid, default: 1080"},
283 {"serial", 's', 1, "serial number in hex, default: random"},
284 {"ca", 'b', 0, "include CA basicConstraint, default: no"},
285 {"digest", 'g', 1, "digest for signature creation, default: sha1"},
286 {"options", '+', 1, "read command line options from file"},