1
0

px5g-wolfssl.c 10.0 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385
  1. // Copyright 2020 Paul Spooren <mail@aparcar.org>
  2. //
  3. // SPDX-License-Identifier: GPL-2.0-or-later
  4. #define _GNU_SOURCE
  5. #include <stdbool.h>
  6. #include <stdint.h>
  7. #include <stdio.h>
  8. #include <string.h>
  9. #include <fcntl.h>
  10. #include <unistd.h>
  11. #include <wolfssl/options.h>
  12. #include <wolfssl/wolfcrypt/asn.h>
  13. #include <wolfssl/wolfcrypt/asn_public.h>
  14. #include <wolfssl/wolfcrypt/ecc.h>
  15. #include <wolfssl/wolfcrypt/error-crypt.h>
  16. #include <wolfssl/wolfcrypt/rsa.h>
  17. #include <wolfssl/wolfcrypt/settings.h>
  18. #define HEAP_HINT NULL
  19. #define FOURK_SZ 4096
  20. #define WOLFSSL_MIN_RSA_BITS 2048
  21. enum {
  22. EC_KEY_TYPE = 0,
  23. RSA_KEY_TYPE = 1,
  24. };
  25. int write_file(byte *buf, int bufSz, char *path, bool cert) {
  26. mode_t mode = S_IRUSR | S_IWUSR;
  27. ssize_t written;
  28. int err;
  29. int fd;
  30. if (cert)
  31. mode |= S_IRGRP | S_IROTH;
  32. if (path) {
  33. fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, mode);
  34. if (fd < 0) {
  35. perror("Error opening file");
  36. exit(1);
  37. }
  38. } else {
  39. fd = STDERR_FILENO;
  40. }
  41. written = write(fd, buf, bufSz);
  42. if (written != bufSz) {
  43. perror("Error write file");
  44. exit(1);
  45. }
  46. err = fsync(fd);
  47. if (err < 0) {
  48. perror("Error fsync file");
  49. exit(1);
  50. }
  51. if (path) {
  52. close(fd);
  53. }
  54. return 0;
  55. }
  56. int write_key(ecc_key *ecKey, RsaKey *rsaKey, int type, int keySz, char *fName,
  57. bool write_pem) {
  58. int ret;
  59. byte der[FOURK_SZ] = {};
  60. byte pem[FOURK_SZ] = {};
  61. int derSz, pemSz;
  62. if (type == EC_KEY_TYPE) {
  63. ret = wc_EccKeyToDer(ecKey, der, sizeof(der));
  64. } else {
  65. ret = wc_RsaKeyToDer(rsaKey, der, sizeof(der));
  66. }
  67. if (ret <= 0) {
  68. fprintf(stderr, "Key To DER failed: %d\n", ret);
  69. }
  70. derSz = ret;
  71. if (write_pem) {
  72. if (type == EC_KEY_TYPE) {
  73. ret = wc_DerToPem(der, derSz, pem, sizeof(pem), ECC_PRIVATEKEY_TYPE);
  74. } else {
  75. ret = wc_DerToPem(der, derSz, pem, sizeof(pem), PRIVATEKEY_TYPE);
  76. }
  77. if (ret <= 0) {
  78. fprintf(stderr, "DER to PEM failed: %d\n", ret);
  79. }
  80. pemSz = ret;
  81. ret = write_file(pem, pemSz, fName, false);
  82. } else {
  83. ret = write_file(der, derSz, fName, false);
  84. }
  85. return ret;
  86. }
  87. int gen_key(WC_RNG *rng, ecc_key *ecKey, RsaKey *rsaKey, int type, int keySz,
  88. long exp, int curve) {
  89. int ret;
  90. if (type == EC_KEY_TYPE) {
  91. ret = wc_ecc_init(ecKey);
  92. (void)rsaKey;
  93. } else {
  94. ret = wc_InitRsaKey(rsaKey, NULL);
  95. (void)ecKey;
  96. }
  97. if (ret != 0) {
  98. fprintf(stderr, "Key initialization failed: %d\n", ret);
  99. return ret;
  100. }
  101. if (type == EC_KEY_TYPE) {
  102. fprintf(stderr, "Generating EC private key\n");
  103. ret = wc_ecc_make_key_ex(rng, 32, ecKey, curve);
  104. } else {
  105. fprintf(stderr, "Generating RSA private key, %i bit long modulus\n", keySz);
  106. ret = wc_MakeRsaKey(rsaKey, keySz, WC_RSA_EXPONENT, rng);
  107. }
  108. if (ret != 0) {
  109. fprintf(stderr, "Key generation failed: %d\n", ret);
  110. }
  111. return ret;
  112. }
  113. int selfsigned(WC_RNG *rng, char **arg) {
  114. ecc_key ecKey;
  115. RsaKey rsaKey;
  116. int ret;
  117. char *subject = "";
  118. int keySz = WOLFSSL_MIN_RSA_BITS;
  119. int type = EC_KEY_TYPE;
  120. int exp = WC_RSA_EXPONENT;
  121. int curve = ECC_SECP256R1;
  122. unsigned int days = 3653; // 10 years
  123. char *keypath = NULL, *certpath = NULL;
  124. char fstr[20], tstr[20];
  125. bool pem = true;
  126. Cert newCert;
  127. #ifdef __USE_TIME_BITS64
  128. time_t to, from = time(NULL);
  129. #else
  130. unsigned long to, from = time(NULL);
  131. #endif
  132. byte derBuf[FOURK_SZ] = {};
  133. byte pemBuf[FOURK_SZ] = {};
  134. int pemSz = -1;
  135. int derSz = -1;
  136. char *key, *val, *tmp;
  137. ret = wc_InitCert(&newCert);
  138. if (ret != 0) {
  139. fprintf(stderr, "Init Cert failed: %d\n", ret);
  140. return ret;
  141. }
  142. newCert.isCA = 0;
  143. while (*arg && **arg == '-') {
  144. if (!strcmp(*arg, "-der")) {
  145. pem = false;
  146. } else if (!strcmp(*arg, "-newkey") && arg[1]) {
  147. if (!strncmp(arg[1], "rsa:", 4)) {
  148. type = RSA_KEY_TYPE;
  149. keySz = atoi(arg[1] + 4);
  150. } else if (!strcmp(arg[1], "ec")) {
  151. type = EC_KEY_TYPE;
  152. } else {
  153. fprintf(stderr, "error: invalid algorithm\n");
  154. return 1;
  155. }
  156. arg++;
  157. } else if (!strcmp(*arg, "-days") && arg[1]) {
  158. days = (unsigned int)atoi(arg[1]);
  159. arg++;
  160. } else if (!strcmp(*arg, "-pkeyopt") && arg[1]) {
  161. if (strncmp(arg[1], "ec_paramgen_curve:", 18)) {
  162. fprintf(stderr, "error: invalid pkey option: %s\n", arg[1]);
  163. return 1;
  164. }
  165. if (!strcmp(arg[1] + 18, "P-256")) {
  166. curve = ECC_SECP256R1;
  167. } else if (!strcmp(arg[1] + 18, "P-384")) {
  168. curve = ECC_SECP384R1;
  169. } else if (!strcmp(arg[1] + 18, "P-521")) {
  170. curve = ECC_SECP521R1;
  171. } else {
  172. fprintf(stderr, "error: invalid curve name: %s\n", arg[1] + 18);
  173. return 1;
  174. }
  175. arg++;
  176. } else if (!strcmp(*arg, "-keyout") && arg[1]) {
  177. keypath = arg[1];
  178. arg++;
  179. } else if (!strcmp(*arg, "-out") && arg[1]) {
  180. certpath = arg[1];
  181. arg++;
  182. } else if (!strcmp(*arg, "-subj") && arg[1]) {
  183. subject = strdupa(arg[1]);
  184. key = arg[1];
  185. do {
  186. tmp = strchr(key, '/');
  187. if (tmp)
  188. *tmp = '\0';
  189. val = strchr(key, '=');
  190. if (val) {
  191. *val = '\0';
  192. ++val;
  193. if (!strcmp(key, "C"))
  194. strncpy(newCert.subject.country, val, CTC_NAME_SIZE);
  195. else if (!strcmp(key, "ST"))
  196. strncpy(newCert.subject.state, val, CTC_NAME_SIZE);
  197. else if (!strcmp(key, "L"))
  198. strncpy(newCert.subject.locality, val, CTC_NAME_SIZE);
  199. else if (!strcmp(key, "O"))
  200. strncpy(newCert.subject.org, val, CTC_NAME_SIZE);
  201. else if (!strcmp(key, "OU"))
  202. strncpy(newCert.subject.unit, val, CTC_NAME_SIZE);
  203. else if (!strcmp(key, "CN")) {
  204. strncpy(newCert.subject.commonName, val, CTC_NAME_SIZE);
  205. #ifdef WOLFSSL_ALT_NAMES
  206. if(strlen(val) + 2 > 256) {
  207. fprintf(stderr, "error: CN is too long: %s\n", val);
  208. return 1;
  209. }
  210. newCert.altNames[0] = 0x30; //Sequence with one element
  211. newCert.altNames[1] = strlen(val) + 2; // Length of entire sequence
  212. newCert.altNames[2] = 0x82; //8 - String, 2 - DNS Name
  213. newCert.altNames[3] = strlen(val); //DNS Name length
  214. memcpy(newCert.altNames + 4, val, strlen(val)); //DNS Name
  215. newCert.altNamesSz = strlen(val) + 4;
  216. #endif
  217. }
  218. else if (!strcmp(key, "EMAIL"))
  219. strncpy(newCert.subject.email, val, CTC_NAME_SIZE);
  220. else
  221. printf("warning: unknown attribute %s=%s\n", key, val);
  222. }
  223. } while (tmp && (key = ++tmp));
  224. }
  225. arg++;
  226. }
  227. newCert.daysValid = days;
  228. newCert.keyUsage = KEYUSE_DIGITAL_SIG | KEYUSE_CONTENT_COMMIT | KEYUSE_KEY_ENCIPHER;
  229. newCert.extKeyUsage = EXTKEYUSE_SERVER_AUTH;
  230. gen_key(rng, &ecKey, &rsaKey, type, keySz, exp, curve);
  231. write_key(&ecKey, &rsaKey, type, keySz, keypath, pem);
  232. from = (from < 1000000000) ? 1000000000 : from;
  233. strftime(fstr, sizeof(fstr), "%Y%m%d%H%M%S", gmtime(&from));
  234. to = from + 60 * 60 * 24 * days;
  235. if (to < from)
  236. to = INT_MAX;
  237. strftime(tstr, sizeof(tstr), "%Y%m%d%H%M%S", gmtime(&to));
  238. fprintf(stderr,
  239. "Generating selfsigned certificate with subject '%s'"
  240. " and validity %s-%s\n",
  241. subject, fstr, tstr);
  242. if (type == EC_KEY_TYPE) {
  243. newCert.sigType = CTC_SHA256wECDSA;
  244. ret = wc_MakeCert(&newCert, derBuf, sizeof(derBuf), NULL, &ecKey, rng);
  245. } else {
  246. newCert.sigType = CTC_SHA256wRSA;
  247. ret = wc_MakeCert(&newCert, derBuf, sizeof(derBuf), &rsaKey, NULL, rng);
  248. }
  249. if (ret <= 0) {
  250. fprintf(stderr, "Make Cert failed: %d\n", ret);
  251. return ret;
  252. }
  253. if (type == EC_KEY_TYPE) {
  254. ret = wc_SignCert(newCert.bodySz, newCert.sigType, derBuf, sizeof(derBuf),
  255. NULL, &ecKey, rng);
  256. } else {
  257. ret = wc_SignCert(newCert.bodySz, newCert.sigType, derBuf, sizeof(derBuf),
  258. &rsaKey, NULL, rng);
  259. }
  260. if (ret <= 0) {
  261. fprintf(stderr, "Sign Cert failed: %d\n", ret);
  262. return ret;
  263. }
  264. derSz = ret;
  265. ret = wc_DerToPem(derBuf, derSz, pemBuf, sizeof(pemBuf), CERT_TYPE);
  266. if (ret <= 0) {
  267. fprintf(stderr, "DER to PEM failed: %d\n", ret);
  268. return ret;
  269. }
  270. pemSz = ret;
  271. ret = write_file(pemBuf, pemSz, certpath, true);
  272. if (ret != 0) {
  273. fprintf(stderr, "Write Cert failed: %d\n", ret);
  274. return ret;
  275. }
  276. if (type == EC_KEY_TYPE) {
  277. wc_ecc_free(&ecKey);
  278. } else {
  279. wc_FreeRsaKey(&rsaKey);
  280. }
  281. return 0;
  282. }
  283. int dokey(WC_RNG *rng, int type, char **arg) {
  284. ecc_key ecKey;
  285. RsaKey rsaKey;
  286. int ret;
  287. int curve = ECC_SECP256R1;
  288. int keySz = WOLFSSL_MIN_RSA_BITS;
  289. int exp = WC_RSA_EXPONENT;
  290. char *path = NULL;
  291. bool pem = true;
  292. while (*arg && **arg == '-') {
  293. if (!strcmp(*arg, "-out") && arg[1]) {
  294. path = arg[1];
  295. arg++;
  296. } else if (!strcmp(*arg, "-3")) {
  297. exp = 3;
  298. } else if (!strcmp(*arg, "-der")) {
  299. pem = false;
  300. }
  301. arg++;
  302. }
  303. if (*arg && type == RSA_KEY_TYPE) {
  304. keySz = atoi(*arg);
  305. } else if (*arg) {
  306. if (!strcmp(*arg, "P-256")) {
  307. curve = ECC_SECP256R1;
  308. } else if (!strcmp(*arg, "P-384")) {
  309. curve = ECC_SECP384R1;
  310. } else if (!strcmp(*arg, "P-521")) {
  311. curve = ECC_SECP521R1;
  312. } else {
  313. fprintf(stderr, "Invalid Curve Name: %s\n", *arg);
  314. return 1;
  315. }
  316. }
  317. ret = gen_key(rng, &ecKey, &rsaKey, type, keySz, exp, curve);
  318. if (ret != 0)
  319. return ret;
  320. ret = write_key(&ecKey, &rsaKey, type, keySz, path, pem);
  321. if (type == EC_KEY_TYPE) {
  322. wc_ecc_free(&ecKey);
  323. } else {
  324. wc_FreeRsaKey(&rsaKey);
  325. }
  326. return ret;
  327. }
  328. int main(int argc, char *argv[]) {
  329. int ret;
  330. WC_RNG rng;
  331. ret = wc_InitRng(&rng);
  332. if (ret != 0) {
  333. fprintf(stderr, "Init Rng failed: %d\n", ret);
  334. return ret;
  335. }
  336. if (argv[1]) {
  337. if (!strcmp(argv[1], "eckey"))
  338. return dokey(&rng, EC_KEY_TYPE, argv + 2);
  339. if (!strcmp(argv[1], "rsakey"))
  340. return dokey(&rng, RSA_KEY_TYPE, argv + 2);
  341. if (!strcmp(argv[1], "selfsigned"))
  342. return selfsigned(&rng, argv + 2);
  343. }
  344. fprintf(stderr, "PX5G X.509 Certificate Generator Utilit using WolfSSL\n\n");
  345. fprintf(stderr, "Usage: [eckey|rsakey|selfsigned]\n");
  346. return 1;
  347. }