Extend cert_write example program by multiple cmd line options

This commit adds the following command line options to programs/x509/cert_write:
- version (val 1, 2, 3): Set the certificate's version (v1, v2, v3)
- authority_identifier (val 0, 1): Enable or disable the addition of the
                                   authority identifier extension.
- subject_identifier (val 0, 1): Enable or disable the addition of the
                                 subject identifier extension.
- basic_constraints (val 0, 1): Enable or disable the addition of the
                                basic constraints extension.
- md (val MD5, SHA1, SHA256, SHA512): Set the hash function used
                                      when creating the CRT.
This commit is contained in:
Hanno Becker 2017-09-13 12:49:22 +01:00
parent 72ea31b026
commit 6c13d37961

View file

@ -51,6 +51,7 @@ int main( void )
#include "mbedtls/x509_csr.h"
#include "mbedtls/entropy.h"
#include "mbedtls/ctr_drbg.h"
#include "mbedtls/md.h"
#include "mbedtls/error.h"
#include <stdio.h>
@ -83,6 +84,11 @@ int main( void )
#define DFL_MAX_PATHLEN -1
#define DFL_KEY_USAGE 0
#define DFL_NS_CERT_TYPE 0
#define DFL_VERSION 3
#define DFL_AUTH_IDENT 1
#define DFL_SUBJ_IDENT 1
#define DFL_CONSTRAINTS 1
#define DFL_DIGEST MBEDTLS_MD_SHA256
#define USAGE \
"\n usage: cert_write param=<>...\n" \
@ -109,6 +115,20 @@ int main( void )
" not_after=%%s default: 20301231235959\n"\
" is_ca=%%d default: 0 (disabled)\n" \
" max_pathlen=%%d default: -1 (none)\n" \
" md=%%s default: SHA256\n" \
" Supported values:\n" \
" MD5, SHA1, SHA256, SHA512\n"\
" version=%%d default: 3\n" \
" Possible values: 1, 2, 3\n"\
" subject_identifier default: 1\n" \
" Possible values: 0, 1\n" \
" (Considered for v3 only)\n"\
" authority_identifier default: 1\n" \
" Possible values: 0, 1\n" \
" (Considered for v3 only)\n"\
" basic_constraints default: 1\n" \
" Possible values: 0, 1\n" \
" (Considered for v3 only)\n"\
" key_usage=%%s default: (empty)\n" \
" Comma-separated-list of values:\n" \
" digital_signature\n" \
@ -118,6 +138,7 @@ int main( void )
" key_agreement\n" \
" key_cert_sign\n" \
" crl_sign\n" \
" (Considered for v3 only)\n"\
" ns_cert_type=%%s default: (empty)\n" \
" Comma-separated-list of values:\n" \
" ssl_client\n" \
@ -149,6 +170,11 @@ struct options
int selfsign; /* selfsign the certificate */
int is_ca; /* is a CA certificate */
int max_pathlen; /* maximum CA path length */
int authority_identifier; /* add authority identifier id to CRT */
int subject_identifier; /* add subject identifier id to CRT */
int basic_constraints; /* add basic constraints ext to CRT */
int version; /* CRT version */
mbedtls_md_type_t md; /* Hash used for signing */
unsigned char key_usage; /* key usage flags */
unsigned char ns_cert_type; /* NS cert type */
} opt;
@ -207,7 +233,6 @@ int main( int argc, char *argv[] )
* Set to sane values
*/
mbedtls_x509write_crt_init( &crt );
mbedtls_x509write_crt_set_md_alg( &crt, MBEDTLS_MD_SHA256 );
mbedtls_pk_init( &loaded_issuer_key );
mbedtls_pk_init( &loaded_subject_key );
mbedtls_mpi_init( &serial );
@ -243,6 +268,11 @@ int main( int argc, char *argv[] )
opt.max_pathlen = DFL_MAX_PATHLEN;
opt.key_usage = DFL_KEY_USAGE;
opt.ns_cert_type = DFL_NS_CERT_TYPE;
opt.version = DFL_VERSION;
opt.md = DFL_DIGEST;
opt.subject_identifier = DFL_SUBJ_IDENT;
opt.authority_identifier = DFL_AUTH_IDENT;
opt.basic_constraints = DFL_CONSTRAINTS;
for( i = 1; i < argc; i++ )
{
@ -286,6 +316,52 @@ int main( int argc, char *argv[] )
{
opt.serial = q;
}
else if( strcmp( p, "authority_identifier" ) == 0 )
{
opt.authority_identifier = atoi( q );
if( opt.authority_identifier != 0 &&
opt.authority_identifier != 1 )
{
goto usage;
}
}
else if( strcmp( p, "subject_identifier" ) == 0 )
{
opt.subject_identifier = atoi( q );
if( opt.subject_identifier != 0 &&
opt.subject_identifier != 1 )
{
goto usage;
}
}
else if( strcmp( p, "basic_constraints" ) == 0 )
{
opt.basic_constraints = atoi( q );
if( opt.basic_constraints != 0 &&
opt.basic_constraints != 1 )
{
goto usage;
}
}
else if( strcmp( p, "md" ) == 0 )
{
if( strcmp( q, "SHA1" ) == 0 )
opt.md = MBEDTLS_MD_SHA1;
else if( strcmp( q, "SHA256" ) == 0 )
opt.md = MBEDTLS_MD_SHA256;
else if( strcmp( q, "SHA512" ) == 0 )
opt.md = MBEDTLS_MD_SHA512;
else if( strcmp( q, "MD5" ) == 0 )
opt.md = MBEDTLS_MD_MD5;
else
goto usage;
}
else if( strcmp( p, "version" ) == 0 )
{
opt.version = atoi( q );
if( opt.version < 1 || opt.version > 3 )
goto usage;
}
else if( strcmp( p, "selfsign" ) == 0 )
{
opt.selfsign = atoi( q );
@ -540,6 +616,9 @@ int main( int argc, char *argv[] )
mbedtls_printf( " . Setting certificate values ..." );
fflush( stdout );
mbedtls_x509write_crt_set_version( &crt, opt.version - 1 );
mbedtls_x509write_crt_set_md_alg( &crt, opt.md );
ret = mbedtls_x509write_crt_set_serial( &crt, &serial );
if( ret != 0 )
{
@ -558,6 +637,8 @@ int main( int argc, char *argv[] )
mbedtls_printf( " ok\n" );
if( opt.version == 3 && opt.basic_constraints )
{
mbedtls_printf( " . Adding the Basic Constraints extension ..." );
fflush( stdout );
@ -566,13 +647,17 @@ int main( int argc, char *argv[] )
if( ret != 0 )
{
mbedtls_strerror( ret, buf, 1024 );
mbedtls_printf( " failed\n ! x509write_crt_set_basic_contraints returned -0x%02x - %s\n\n", -ret, buf );
mbedtls_printf( " failed\n ! x509write_crt_set_basic_contraints "
"returned -0x%02x - %s\n\n", -ret, buf );
goto exit;
}
mbedtls_printf( " ok\n" );
}
#if defined(MBEDTLS_SHA1_C)
if( opt.version == 3 && opt.subject_identifier )
{
mbedtls_printf( " . Adding the Subject Key Identifier ..." );
fflush( stdout );
@ -580,12 +665,17 @@ int main( int argc, char *argv[] )
if( ret != 0 )
{
mbedtls_strerror( ret, buf, 1024 );
mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_subject_key_identifier returned -0x%02x - %s\n\n", -ret, buf );
mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_subject"
"_key_identifier returned -0x%02x - %s\n\n",
-ret, buf );
goto exit;
}
mbedtls_printf( " ok\n" );
}
if( opt.version == 3 && opt.authority_identifier )
{
mbedtls_printf( " . Adding the Authority Key Identifier ..." );
fflush( stdout );
@ -593,14 +683,17 @@ int main( int argc, char *argv[] )
if( ret != 0 )
{
mbedtls_strerror( ret, buf, 1024 );
mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_authority_key_identifier returned -0x%02x - %s\n\n", -ret, buf );
mbedtls_printf( " failed\n ! mbedtls_x509write_crt_set_authority_"
"key_identifier returned -0x%02x - %s\n\n",
-ret, buf );
goto exit;
}
mbedtls_printf( " ok\n" );
}
#endif /* MBEDTLS_SHA1_C */
if( opt.key_usage )
if( opt.version == 3 && opt.key_usage )
{
mbedtls_printf( " . Adding the Key Usage extension ..." );
fflush( stdout );
@ -616,7 +709,7 @@ int main( int argc, char *argv[] )
mbedtls_printf( " ok\n" );
}
if( opt.ns_cert_type )
if( opt.version == 3 && opt.ns_cert_type )
{
mbedtls_printf( " . Adding the NS Cert Type extension ..." );
fflush( stdout );