crypto/openssl/demos/x509/mkcert.c

   1 /* Certificate creation. Demonstrates some certificate related
   2  * operations.
   3  */
   4
   5
   6 #include <stdio.h>
   7 #include <stdlib.h>
   8
   9 #include <openssl/pem.h>
  10 #include <openssl/conf.h>
  11 #include <openssl/x509v3.h>
  12 #ifndef OPENSSL_NO_ENGINE
  13 #include <openssl/engine.h>
  14 #endif
  15
  16 int mkcert(X509 **x509p, EVP_PKEY **pkeyp, int bits, int serial, int days);
  17 int add_ext(X509 *cert, int nid, char *value);
  18
  19 int main(int argc, char **argv)
  20         {
  21         BIO *bio_err;
  22         X509 *x509=NULL;
  23         EVP_PKEY *pkey=NULL;
  24
  25         CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
  26
  27         bio_err=BIO_new_fp(stderr, BIO_NOCLOSE);
  28
  29         mkcert(&x509,&pkey,512,0,365);
  30
  31         RSA_print_fp(stdout,pkey->pkey.rsa,0);
  32         X509_print_fp(stdout,x509);
  33
  34         PEM_write_PrivateKey(stdout,pkey,NULL,NULL,0,NULL, NULL);
  35         PEM_write_X509(stdout,x509);
  36
  37         X509_free(x509);
  38         EVP_PKEY_free(pkey);
  39
  40 #ifndef OPENSSL_NO_ENGINE
  41         ENGINE_cleanup();
  42 #endif
  43         CRYPTO_cleanup_all_ex_data();
  44
  45         CRYPTO_mem_leaks(bio_err);
  46         BIO_free(bio_err);
  47         return(0);
  48         }
  49
  50 static void callback(int p, int n, void *arg)
  51         {
  52         char c='B';
  53
  54         if (p == 0) c='.';
  55         if (p == 1) c='+';
  56         if (p == 2) c='*';
  57         if (p == 3) c='\n';
  58         fputc(c,stderr);
  59         }
  60
  61 int mkcert(X509 **x509p, EVP_PKEY **pkeyp, int bits, int serial, int days)
  62         {
  63         X509 *x;
  64         EVP_PKEY *pk;
  65         RSA *rsa;
  66         X509_NAME *name=NULL;
  67
  68         if ((pkeyp == NULL) || (*pkeyp == NULL))
  69                 {
  70                 if ((pk=EVP_PKEY_new()) == NULL)
  71                         {
  72                         abort();
  73                         return(0);
  74                         }
  75                 }
  76         else
  77                 pk= *pkeyp;
  78
  79         if ((x509p == NULL) || (*x509p == NULL))
  80                 {
  81                 if ((x=X509_new()) == NULL)
  82                         goto err;
  83                 }
  84         else
  85                 x= *x509p;
  86
  87         rsa=RSA_generate_key(bits,RSA_F4,callback,NULL);
  88         if (!EVP_PKEY_assign_RSA(pk,rsa))
  89                 {
  90                 abort();
  91                 goto err;
  92                 }
  93         rsa=NULL;
  94
  95         X509_set_version(x,2);
  96         ASN1_INTEGER_set(X509_get_serialNumber(x),serial);
  97         X509_gmtime_adj(X509_get_notBefore(x),0);
  98         X509_gmtime_adj(X509_get_notAfter(x),(long)60*60*24*days);
  99         X509_set_pubkey(x,pk);
 100
 101         name=X509_get_subject_name(x);
 102
 103         /* This function creates and adds the entry, working out the
 104          * correct string type and performing checks on its length.
 105          * Normally we'd check the return value for errors...
 106          */
 107         X509_NAME_add_entry_by_txt(name,"C",
 108                                 MBSTRING_ASC, "UK", -1, -1, 0);
 109         X509_NAME_add_entry_by_txt(name,"CN",
 110                                 MBSTRING_ASC, "OpenSSL Group", -1, -1, 0);
 111
 112         /* Its self signed so set the issuer name to be the same as the
 113          * subject.
 114          */
 115         X509_set_issuer_name(x,name);
 116
 117         /* Add various extensions: standard extensions */
 118         add_ext(x, NID_basic_constraints, "critical,CA:TRUE");
 119         add_ext(x, NID_key_usage, "critical,keyCertSign,cRLSign");
 120
 121         add_ext(x, NID_subject_key_identifier, "hash");
 122
 123         /* Some Netscape specific extensions */
 124         add_ext(x, NID_netscape_cert_type, "sslCA");
 125
 126         add_ext(x, NID_netscape_comment, "example comment extension");
 127
 128
 129 #ifdef CUSTOM_EXT
 130         /* Maybe even add our own extension based on existing */
 131         {
 132                 int nid;
 133                 nid = OBJ_create("1.2.3.4", "MyAlias", "My Test Alias Extension");
 134                 X509V3_EXT_add_alias(nid, NID_netscape_comment);
 135                 add_ext(x, nid, "example comment alias");
 136         }
 137 #endif
 138
 139         if (!X509_sign(x,pk,EVP_md5()))
 140                 goto err;
 141
 142         *x509p=x;
 143         *pkeyp=pk;
 144         return(1);
 145 err:
 146         return(0);
 147         }
 148
 149 /* Add extension using V3 code: we can set the config file as NULL
 150  * because we wont reference any other sections.
 151  */
 152
 153 int add_ext(X509 *cert, int nid, char *value)
 154         {
 155         X509_EXTENSION *ex;
 156         X509V3_CTX ctx;
 157         /* This sets the 'context' of the extensions. */
 158         /* No configuration database */
 159         X509V3_set_ctx_nodb(&ctx);
 160         /* Issuer and subject certs: both the target since it is self signed,
 161          * no request and no CRL
 162          */
 163         X509V3_set_ctx(&ctx, cert, cert, NULL, NULL, 0);
 164         ex = X509V3_EXT_conf_nid(NULL, &ctx, nid, value);
 165         if (!ex)
 166                 return 0;
 167
 168         X509_add_ext(cert,ex,-1);
 169         X509_EXTENSION_free(ex);
 170         return 1;
 171         }
 172