2 * Copyright (C) 2009 Martin Willi
3 * Hochschule fuer Technik Rapperswil
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
20 #include <utils/linked_list.h>
21 #include <utils/optionsfrom.h>
22 #include <credentials/certificates/certificate.h>
23 #include <credentials/certificates/x509.h>
26 * Issue a certificate using a CA certificate and key
28 static int issue(int argc
, char *argv
[])
30 hash_algorithm_t digest
= HASH_SHA1
;
31 certificate_t
*cert
= NULL
, *ca
=NULL
;
32 private_key_t
*private = NULL
;
33 public_key_t
*public = NULL
;
34 char *file
= NULL
, *dn
= NULL
, *hex
= NULL
, *cacert
= NULL
, *cakey
= NULL
;
36 identification_t
*id
= NULL
;
37 linked_list_t
*san
, *cdps
, *ocsp
;
39 chunk_t serial
= chunk_empty
;
40 chunk_t encoding
= chunk_empty
;
41 time_t not_before
, not_after
;
42 x509_flag_t flags
= 0;
46 options
= options_create();
47 san
= linked_list_create();
48 cdps
= linked_list_create();
49 ocsp
= linked_list_create();
53 switch (getopt_long(argc
, argv
, "", command_opts
, NULL
))
58 if (!options
->from(options
, optarg
, &argc
, &argv
, optind
))
60 error
= "invalid options file";
65 if (!streq(optarg
, "pub"))
67 error
= "invalid input type";
72 digest
= get_digest(optarg
);
73 if (digest
== HASH_UNKNOWN
)
75 error
= "invalid --digest type";
92 san
->insert_last(san
, identification_create_from_string(optarg
));
95 lifetime
= atoi(optarg
);
98 error
= "invalid --lifetime value";
109 cdps
->insert_last(cdps
, optarg
);
112 ocsp
->insert_last(ocsp
, optarg
);
117 error
= "invalid --issue option";
125 error
= "--dn is required";
130 error
= "--cacert is required";
135 error
= "--cakey is required";
138 id
= identification_create_from_string(dn
);
139 if (id
->get_type(id
) != ID_DER_ASN1_DN
)
141 error
= "supplied --dn is not a distinguished name";
144 ca
= lib
->creds
->create(lib
->creds
, CRED_CERTIFICATE
, CERT_X509
,
145 BUILD_FROM_FILE
, cacert
, BUILD_END
);
148 error
= "parsing CA certificate failed";
152 if (!(x509
->get_flags(x509
) & X509_CA
))
154 error
= "CA certificate misses CA basicConstraint";
158 public = ca
->get_public_key(ca
);
161 error
= "extracting CA certificate public key failed";
164 private = lib
->creds
->create(lib
->creds
, CRED_PRIVATE_KEY
,
165 public->get_type(public),
166 BUILD_FROM_FILE
, cakey
, BUILD_END
);
169 error
= "parsing CA private key failed";
172 if (!private->belongs_to(private, public))
174 error
= "CA private key does not match CA certificate";
177 public->destroy(public);
181 public = lib
->creds
->create(lib
->creds
, CRED_PUBLIC_KEY
, KEY_ANY
,
182 BUILD_FROM_FILE
, file
, BUILD_END
);
186 public = lib
->creds
->create(lib
->creds
, CRED_PUBLIC_KEY
, KEY_ANY
,
187 BUILD_FROM_FD
, 0, BUILD_END
);
191 error
= "parsing public key failed";
197 serial
= chunk_from_hex(chunk_create(hex
, strlen(hex
)), NULL
);
201 rng_t
*rng
= lib
->crypto
->create_rng(lib
->crypto
, RNG_WEAK
);
205 error
= "no random number generator found";
208 rng
->allocate_bytes(rng
, 8, &serial
);
211 not_before
= time(NULL
);
212 not_after
= not_before
+ lifetime
* 24 * 60 * 60;
213 cert
= lib
->creds
->create(lib
->creds
, CRED_CERTIFICATE
, CERT_X509
,
214 BUILD_SIGNING_KEY
, private, BUILD_SIGNING_CERT
, ca
,
215 BUILD_PUBLIC_KEY
, public, BUILD_SUBJECT
, id
,
216 BUILD_NOT_BEFORE_TIME
, not_before
, BUILD_DIGEST_ALG
, digest
,
217 BUILD_NOT_AFTER_TIME
, not_after
, BUILD_SERIAL
, serial
,
218 BUILD_SUBJECT_ALTNAMES
, san
, BUILD_X509_FLAG
, flags
,
219 BUILD_CRL_DISTRIBUTION_POINTS
, cdps
,
220 BUILD_OCSP_ACCESS_LOCATIONS
, ocsp
, BUILD_END
);
223 error
= "generating certificate failed";
226 encoding
= cert
->get_encoding(cert
);
229 error
= "encoding certificate failed";
232 if (fwrite(encoding
.ptr
, encoding
.len
, 1, stdout
) != 1)
234 error
= "writing certificate key failed";
244 san
->destroy_offset(san
, offsetof(identification_t
, destroy
));
247 options
->destroy(options
);
253 fprintf(stderr
, "%s\n", error
);
259 san
->destroy_offset(san
, offsetof(identification_t
, destroy
));
262 options
->destroy(options
);
263 return command_usage(error
);
267 * Register the command.
269 static void __attribute__ ((constructor
))reg()
271 command_register((command_t
) {
273 "issue a certificate using a CA certificate and key",
274 {"[--in file] [--type pub|pkcs10]",
275 " --cacert file --cakey file --dn subject-dn [--san subjectAltName]+",
276 "[--lifetime days] [--serial hex] [--ca] [--crl uri]+ [--ocsp uri]+",
277 "[--digest md5|sha1|sha224|sha256|sha384|sha512]",
280 {"help", 'h', 0, "show usage information"},
281 {"in", 'i', 1, "public key/request file to issue, default: stdin"},
282 {"type", 't', 1, "type of input, default: pub"},
283 {"cacert", 'c', 1, "CA certificate file"},
284 {"cakey", 'k', 1, "CA private key file"},
285 {"dn", 'd', 1, "distinguished name to include as subject"},
286 {"san", 'a', 1, "subjectAltName to include in certificate"},
287 {"lifetime",'l', 1, "days the certificate is valid, default: 1080"},
288 {"serial", 's', 1, "serial number in hex, default: random"},
289 {"ca", 'b', 0, "include CA basicConstraint, default: no"},
290 {"crl", 'u', 1, "CRL distribution point URI to include"},
291 {"ocsp", 'o', 1, "OCSP AuthoritiyInfoAccess URI to include"},
292 {"digest", 'g', 1, "digest for signature creation, default: sha1"},
293 {"options", '+', 1, "read command line options from file"},