FreeRDP
Loading...
Searching...
No Matches
makecert.c
1
20#include <errno.h>
21
22#include <winpr/assert.h>
23#include <winpr/crt.h>
24#include <winpr/path.h>
25#include <winpr/file.h>
26#include <winpr/cmdline.h>
27#include <winpr/sysinfo.h>
28#include <winpr/crypto.h>
29
30#ifdef WITH_OPENSSL
31#include <openssl/crypto.h>
32#include <openssl/conf.h>
33#include <openssl/pem.h>
34#include <openssl/err.h>
35#include <openssl/rsa.h>
36#include <openssl/pkcs12.h>
37#include <openssl/x509v3.h>
38#include <openssl/bn.h>
39#endif
40
41#include <winpr/tools/makecert.h>
42
43struct S_MAKECERT_CONTEXT
44{
45 int argc;
46 char** argv;
47
48#ifdef WITH_OPENSSL
49 X509* x509;
50 EVP_PKEY* pkey;
51 PKCS12* pkcs12;
52#endif
53
54 BOOL live;
55 BOOL silent;
56
57 BOOL crtFormat;
58 BOOL pemFormat;
59 BOOL pfxFormat;
60
61 char* password;
62
63 char* output_file;
64 char* output_path;
65 char* default_name;
66 char* common_name;
67
68 int duration_years;
69 int duration_months;
70};
71
72static char* makecert_read_str(BIO* bio, size_t* pOffset)
73{
74 int status = -1;
75 size_t offset = 0;
76 size_t length = 0;
77 char* x509_str = NULL;
78
79 while (offset >= length)
80 {
81 size_t new_len = 0;
82 size_t readBytes = 0;
83 char* new_str = NULL;
84 new_len = length * 2;
85 if (new_len == 0)
86 new_len = 2048;
87
88 if (new_len > INT_MAX)
89 {
90 status = -1;
91 break;
92 }
93
94 new_str = (char*)realloc(x509_str, new_len);
95
96 if (!new_str)
97 {
98 status = -1;
99 break;
100 }
101
102 length = new_len;
103 x509_str = new_str;
104 ERR_clear_error();
105#if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)
106 status = BIO_read_ex(bio, &x509_str[offset], length - offset, &readBytes);
107#else
108 status = BIO_read(bio, &x509_str[offset], length - offset);
109 readBytes = status;
110#endif
111 if (status <= 0)
112 break;
113
114 offset += readBytes;
115 }
116
117 if (status < 0)
118 {
119 free(x509_str);
120 if (pOffset)
121 *pOffset = 0;
122 return NULL;
123 }
124
125 x509_str[offset] = '\0';
126 if (pOffset)
127 *pOffset = offset + 1;
128 return x509_str;
129}
130
131static int makecert_print_command_line_help(COMMAND_LINE_ARGUMENT_A* args, int argc, char** argv)
132{
133 char* str = NULL;
134 const COMMAND_LINE_ARGUMENT_A* arg = NULL;
135
136 if (!argv || (argc < 1))
137 return -1;
138
139 printf("Usage: %s [options] [output file]\n", argv[0]);
140 printf("\n");
141 arg = args;
142
143 do
144 {
145 if (arg->Flags & COMMAND_LINE_VALUE_FLAG)
146 {
147 printf(" %s", "-");
148 printf("%-20s", arg->Name);
149 printf("\t%s\n", arg->Text);
150 }
151 else if ((arg->Flags & COMMAND_LINE_VALUE_REQUIRED) ||
152 (arg->Flags & COMMAND_LINE_VALUE_OPTIONAL))
153 {
154 printf(" %s", "-");
155
156 if (arg->Format)
157 {
158 size_t length = strlen(arg->Name) + strlen(arg->Format) + 2;
159 str = malloc(length + 1);
160
161 if (!str)
162 return -1;
163
164 (void)sprintf_s(str, length + 1, "%s %s", arg->Name, arg->Format);
165 (void)printf("%-20s", str);
166 free(str);
167 }
168 else
169 {
170 printf("%-20s", arg->Name);
171 }
172
173 printf("\t%s\n", arg->Text);
174 }
175 } while ((arg = CommandLineFindNextArgumentA(arg)) != NULL);
176
177 return 1;
178}
179
180#ifdef WITH_OPENSSL
181static int x509_add_ext(X509* cert, int nid, char* value)
182{
183 X509V3_CTX ctx;
184 X509_EXTENSION* ext = NULL;
185
186 if (!cert || !value)
187 return 0;
188
189 X509V3_set_ctx_nodb(&ctx) X509V3_set_ctx(&ctx, cert, cert, NULL, NULL, 0);
190 ext = X509V3_EXT_conf_nid(NULL, &ctx, nid, value);
191
192 if (!ext)
193 return 0;
194
195 X509_add_ext(cert, ext, -1);
196 X509_EXTENSION_free(ext);
197 return 1;
198}
199#endif
200
201static char* x509_name_parse(char* name, char* txt, size_t* length)
202{
203 char* p = NULL;
204 char* entry = NULL;
205
206 if (!name || !txt || !length)
207 return NULL;
208
209 p = strstr(name, txt);
210
211 if (!p)
212 return NULL;
213
214 entry = p + strlen(txt) + 1;
215 p = strchr(entry, '=');
216
217 if (!p)
218 *length = strlen(entry);
219 else
220 *length = (size_t)(p - entry);
221
222 return entry;
223}
224
225static char* get_name(COMPUTER_NAME_FORMAT type)
226{
227 DWORD nSize = 0;
228
229 if (GetComputerNameExA(type, NULL, &nSize))
230 return NULL;
231
232 if (GetLastError() != ERROR_MORE_DATA)
233 return NULL;
234
235 char* computerName = calloc(1, nSize);
236
237 if (!computerName)
238 return NULL;
239
240 if (!GetComputerNameExA(type, computerName, &nSize))
241 {
242 free(computerName);
243 return NULL;
244 }
245
246 return computerName;
247}
248
249static char* x509_get_default_name(void)
250{
251 char* computerName = get_name(ComputerNamePhysicalDnsFullyQualified);
252 if (!computerName)
253 computerName = get_name(ComputerNamePhysicalNetBIOS);
254 return computerName;
255}
256
257static int command_line_pre_filter(void* pvctx, int index, int argc, LPSTR* argv)
258{
259 MAKECERT_CONTEXT* context = pvctx;
260 if (!context || !argv || (index < 0) || (argc < 0))
261 return -1;
262
263 if (index == (argc - 1))
264 {
265 if (argv[index][0] != '-')
266 {
267 context->output_file = _strdup(argv[index]);
268
269 if (!context->output_file)
270 return -1;
271
272 return 1;
273 }
274 }
275
276 return 0;
277}
278
279static int makecert_context_parse_arguments(MAKECERT_CONTEXT* context,
280 COMMAND_LINE_ARGUMENT_A* args, int argc, char** argv)
281{
282 int status = 0;
283 DWORD flags = 0;
284 const COMMAND_LINE_ARGUMENT_A* arg = NULL;
285
286 if (!context || !argv || (argc < 0))
287 return -1;
288
293 CommandLineClearArgumentsA(args);
294 flags = COMMAND_LINE_SEPARATOR_SPACE | COMMAND_LINE_SIGIL_DASH;
295 status =
296 CommandLineParseArgumentsA(argc, argv, args, flags, context, command_line_pre_filter, NULL);
297
298 if (status & COMMAND_LINE_STATUS_PRINT_HELP)
299 {
300 makecert_print_command_line_help(args, argc, argv);
301 return 0;
302 }
303
304 arg = args;
305 errno = 0;
306
307 do
308 {
309 if (!(arg->Flags & COMMAND_LINE_ARGUMENT_PRESENT))
310 continue;
311
312 CommandLineSwitchStart(arg)
313 /* Basic Options */
314 CommandLineSwitchCase(arg, "silent")
315 {
316 context->silent = TRUE;
317 }
318 CommandLineSwitchCase(arg, "live")
319 {
320 context->live = TRUE;
321 }
322 CommandLineSwitchCase(arg, "format")
323 {
324 if (!(arg->Flags & COMMAND_LINE_ARGUMENT_PRESENT))
325 continue;
326
327 if (strcmp(arg->Value, "crt") == 0)
328 {
329 context->crtFormat = TRUE;
330 context->pemFormat = FALSE;
331 context->pfxFormat = FALSE;
332 }
333 else if (strcmp(arg->Value, "pem") == 0)
334 {
335 context->crtFormat = FALSE;
336 context->pemFormat = TRUE;
337 context->pfxFormat = FALSE;
338 }
339 else if (strcmp(arg->Value, "pfx") == 0)
340 {
341 context->crtFormat = FALSE;
342 context->pemFormat = FALSE;
343 context->pfxFormat = TRUE;
344 }
345 else
346 return -1;
347 }
348 CommandLineSwitchCase(arg, "path")
349 {
350 if (!(arg->Flags & COMMAND_LINE_ARGUMENT_PRESENT))
351 continue;
352
353 context->output_path = _strdup(arg->Value);
354
355 if (!context->output_path)
356 return -1;
357 }
358 CommandLineSwitchCase(arg, "p")
359 {
360 if (!(arg->Flags & COMMAND_LINE_ARGUMENT_PRESENT))
361 continue;
362
363 context->password = _strdup(arg->Value);
364
365 if (!context->password)
366 return -1;
367 }
368 CommandLineSwitchCase(arg, "n")
369 {
370 if (!(arg->Flags & COMMAND_LINE_ARGUMENT_PRESENT))
371 continue;
372
373 context->common_name = _strdup(arg->Value);
374
375 if (!context->common_name)
376 return -1;
377 }
378 CommandLineSwitchCase(arg, "y")
379 {
380 long val = 0;
381
382 if (!(arg->Flags & COMMAND_LINE_ARGUMENT_PRESENT))
383 continue;
384
385 val = strtol(arg->Value, NULL, 0);
386
387 if ((errno != 0) || (val < 0) || (val > INT32_MAX))
388 return -1;
389
390 context->duration_years = (int)val;
391 }
392 CommandLineSwitchCase(arg, "m")
393 {
394 long val = 0;
395
396 if (!(arg->Flags & COMMAND_LINE_ARGUMENT_PRESENT))
397 continue;
398
399 val = strtol(arg->Value, NULL, 0);
400
401 if ((errno != 0) || (val < 0))
402 return -1;
403
404 context->duration_months = (int)val;
405 }
406 CommandLineSwitchDefault(arg)
407 {
408 }
409 CommandLineSwitchEnd(arg)
410 } while ((arg = CommandLineFindNextArgumentA(arg)) != NULL);
411
412 return 1;
413}
414
415int makecert_context_set_output_file_name(MAKECERT_CONTEXT* context, const char* name)
416{
417 if (!context)
418 return -1;
419
420 free(context->output_file);
421 context->output_file = NULL;
422
423 if (name)
424 context->output_file = _strdup(name);
425
426 if (!context->output_file)
427 return -1;
428
429 return 1;
430}
431
432int makecert_context_output_certificate_file(MAKECERT_CONTEXT* context, const char* path)
433{
434#ifdef WITH_OPENSSL
435 FILE* fp = NULL;
436 int status = 0;
437 size_t length = 0;
438 size_t offset = 0;
439 char* filename = NULL;
440 char* fullpath = NULL;
441 char* ext = NULL;
442 int ret = -1;
443 BIO* bio = NULL;
444 char* x509_str = NULL;
445
446 if (!context)
447 return -1;
448
449 if (!context->output_file)
450 {
451 context->output_file = _strdup(context->default_name);
452
453 if (!context->output_file)
454 return -1;
455 }
456
457 /*
458 * Output Certificate File
459 */
460 length = strlen(context->output_file);
461 filename = malloc(length + 8);
462
463 if (!filename)
464 return -1;
465
466 if (context->crtFormat)
467 ext = "crt";
468 else if (context->pemFormat)
469 ext = "pem";
470 else if (context->pfxFormat)
471 ext = "pfx";
472 else
473 goto out_fail;
474
475 (void)sprintf_s(filename, length + 8, "%s.%s", context->output_file, ext);
476
477 if (path)
478 fullpath = GetCombinedPath(path, filename);
479 else
480 fullpath = _strdup(filename);
481
482 if (!fullpath)
483 goto out_fail;
484
485 fp = winpr_fopen(fullpath, "w+");
486
487 if (fp)
488 {
489 if (context->pfxFormat)
490 {
491 if (!context->password)
492 {
493 context->password = _strdup("password");
494
495 if (!context->password)
496 goto out_fail;
497
498 printf("Using default export password \"password\"\n");
499 }
500
501#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
502 OpenSSL_add_all_algorithms();
503 OpenSSL_add_all_ciphers();
504 OpenSSL_add_all_digests();
505#else
506 OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS | OPENSSL_INIT_ADD_ALL_DIGESTS |
507 OPENSSL_INIT_LOAD_CONFIG,
508 NULL);
509#endif
510 context->pkcs12 = PKCS12_create(context->password, context->default_name, context->pkey,
511 context->x509, NULL, 0, 0, 0, 0, 0);
512
513 if (!context->pkcs12)
514 goto out_fail;
515
516 bio = BIO_new(BIO_s_mem());
517
518 if (!bio)
519 goto out_fail;
520
521 status = i2d_PKCS12_bio(bio, context->pkcs12);
522
523 if (status != 1)
524 goto out_fail;
525
526 x509_str = makecert_read_str(bio, &offset);
527
528 if (!x509_str)
529 goto out_fail;
530
531 length = offset;
532
533 if (fwrite((void*)x509_str, length, 1, fp) != 1)
534 goto out_fail;
535 }
536 else
537 {
538 bio = BIO_new(BIO_s_mem());
539
540 if (!bio)
541 goto out_fail;
542
543 if (!PEM_write_bio_X509(bio, context->x509))
544 goto out_fail;
545
546 x509_str = makecert_read_str(bio, &offset);
547
548 if (!x509_str)
549 goto out_fail;
550
551 length = offset;
552
553 if (fwrite(x509_str, length, 1, fp) != 1)
554 goto out_fail;
555
556 free(x509_str);
557 x509_str = NULL;
558 BIO_free_all(bio);
559 bio = NULL;
560
561 if (context->pemFormat)
562 {
563 bio = BIO_new(BIO_s_mem());
564
565 if (!bio)
566 goto out_fail;
567
568 status = PEM_write_bio_PrivateKey(bio, context->pkey, NULL, NULL, 0, NULL, NULL);
569
570 if (status < 0)
571 goto out_fail;
572
573 x509_str = makecert_read_str(bio, &offset);
574 if (!x509_str)
575 goto out_fail;
576
577 length = offset;
578
579 if (fwrite(x509_str, length, 1, fp) != 1)
580 goto out_fail;
581 }
582 }
583 }
584
585 ret = 1;
586out_fail:
587 BIO_free_all(bio);
588
589 if (fp)
590 (void)fclose(fp);
591
592 free(x509_str);
593 free(filename);
594 free(fullpath);
595 return ret;
596#else
597 WLog_ERR(TAG, "%s only supported with OpenSSL", __func__);
598 return -1;
599#endif
600}
601
602int makecert_context_output_private_key_file(MAKECERT_CONTEXT* context, const char* path)
603{
604#ifdef WITH_OPENSSL
605 FILE* fp = NULL;
606 size_t length = 0;
607 size_t offset = 0;
608 char* filename = NULL;
609 char* fullpath = NULL;
610 int ret = -1;
611 BIO* bio = NULL;
612 char* x509_str = NULL;
613
614 if (!context->crtFormat)
615 return 1;
616
617 if (!context->output_file)
618 {
619 context->output_file = _strdup(context->default_name);
620
621 if (!context->output_file)
622 return -1;
623 }
624
628 length = strlen(context->output_file);
629 filename = malloc(length + 8);
630
631 if (!filename)
632 return -1;
633
634 (void)sprintf_s(filename, length + 8, "%s.key", context->output_file);
635
636 if (path)
637 fullpath = GetCombinedPath(path, filename);
638 else
639 fullpath = _strdup(filename);
640
641 if (!fullpath)
642 goto out_fail;
643
644 fp = winpr_fopen(fullpath, "w+");
645
646 if (!fp)
647 goto out_fail;
648
649 bio = BIO_new(BIO_s_mem());
650
651 if (!bio)
652 goto out_fail;
653
654 if (!PEM_write_bio_PrivateKey(bio, context->pkey, NULL, NULL, 0, NULL, NULL))
655 goto out_fail;
656
657 x509_str = makecert_read_str(bio, &offset);
658
659 if (!x509_str)
660 goto out_fail;
661
662 length = offset;
663
664 if (fwrite((void*)x509_str, length, 1, fp) != 1)
665 goto out_fail;
666
667 ret = 1;
668out_fail:
669
670 if (fp)
671 (void)fclose(fp);
672
673 BIO_free_all(bio);
674 free(x509_str);
675 free(filename);
676 free(fullpath);
677 return ret;
678#else
679 WLog_ERR(TAG, "%s only supported with OpenSSL", __func__);
680 return -1;
681#endif
682}
683
684#ifdef WITH_OPENSSL
685static BOOL makecert_create_rsa(EVP_PKEY** ppkey, size_t key_length)
686{
687 BOOL rc = FALSE;
688
689 WINPR_ASSERT(ppkey);
690
691#if !defined(OPENSSL_VERSION_MAJOR) || (OPENSSL_VERSION_MAJOR < 3)
692 RSA* rsa = NULL;
693#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)
694 rsa = RSA_generate_key(key_length, RSA_F4, NULL, NULL);
695#else
696 {
697 BIGNUM* bn = BN_secure_new();
698
699 if (!bn)
700 return FALSE;
701
702 rsa = RSA_new();
703
704 if (!rsa)
705 {
706 BN_clear_free(bn);
707 return FALSE;
708 }
709
710 BN_set_word(bn, RSA_F4);
711 const int res = RSA_generate_key_ex(rsa, key_length, bn, NULL);
712 BN_clear_free(bn);
713
714 if (res != 1)
715 return FALSE;
716 }
717#endif
718
719 if (!EVP_PKEY_assign_RSA(*ppkey, rsa))
720 {
721 RSA_free(rsa);
722 return FALSE;
723 }
724 rc = TRUE;
725#else
726 EVP_PKEY_CTX* pctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL);
727 if (!pctx)
728 return FALSE;
729
730 if (EVP_PKEY_keygen_init(pctx) != 1)
731 goto fail;
732
733 {
734 WINPR_ASSERT(key_length <= UINT_MAX);
735 unsigned int keylen = (unsigned int)key_length;
736 const OSSL_PARAM params[] = { OSSL_PARAM_construct_uint("bits", &keylen),
737 OSSL_PARAM_construct_end() };
738 if (EVP_PKEY_CTX_set_params(pctx, params) != 1)
739 goto fail;
740 }
741
742 if (EVP_PKEY_generate(pctx, ppkey) != 1)
743 goto fail;
744
745 rc = TRUE;
746fail:
747 EVP_PKEY_CTX_free(pctx);
748#endif
749 return rc;
750}
751#endif
752
753int makecert_context_process(MAKECERT_CONTEXT* context, int argc, char** argv)
754{
755 COMMAND_LINE_ARGUMENT_A args[] = {
756 /* Custom Options */
757
758 { "rdp", COMMAND_LINE_VALUE_FLAG, NULL, NULL, NULL, -1, NULL,
759 "Unsupported - Generate certificate with required options for RDP usage." },
760 { "silent", COMMAND_LINE_VALUE_FLAG, NULL, NULL, NULL, -1, NULL,
761 "Silently generate certificate without verbose output." },
762 { "live", COMMAND_LINE_VALUE_FLAG, NULL, NULL, NULL, -1, NULL,
763 "Generate certificate live in memory when used as a library." },
764 { "format", COMMAND_LINE_VALUE_REQUIRED, "<crt|pem|pfx>", NULL, NULL, -1, NULL,
765 "Specify certificate file format" },
766 { "path", COMMAND_LINE_VALUE_REQUIRED, "<path>", NULL, NULL, -1, NULL,
767 "Specify certificate file output path" },
768 { "p", COMMAND_LINE_VALUE_REQUIRED, "<password>", NULL, NULL, -1, NULL,
769 "Specify certificate export password" },
770
771 /* Basic Options */
772
773 { "n", COMMAND_LINE_VALUE_REQUIRED, "<name>", NULL, NULL, -1, NULL,
774 "Specifies the subject's certificate name. This name must conform to the X.500 standard. "
775 "The simplest method is to specify the name in double quotes, preceded by CN=; for "
776 "example, "
777 "-n \"CN=myName\"." },
778 { "pe", COMMAND_LINE_VALUE_FLAG, NULL, NULL, NULL, -1, NULL,
779 "Unsupported - Marks the generated private key as exportable. This allows the private "
780 "key to "
781 "be included in the certificate." },
782 { "sk", COMMAND_LINE_VALUE_REQUIRED, "<keyname>", NULL, NULL, -1, NULL,
783 "Unsupported - Specifies the subject's key container location, which contains the "
784 "private "
785 "key. "
786 "If a key container does not exist, it will be created." },
787 { "sr", COMMAND_LINE_VALUE_REQUIRED, "<location>", NULL, NULL, -1, NULL,
788 "Unsupported - Specifies the subject's certificate store location. location can be "
789 "either "
790 "currentuser (the default) or localmachine." },
791 { "ss", COMMAND_LINE_VALUE_REQUIRED, "<store>", NULL, NULL, -1, NULL,
792 "Unsupported - Specifies the subject's certificate store name that stores the output "
793 "certificate." },
794 { "#", COMMAND_LINE_VALUE_REQUIRED, "<number>", NULL, NULL, -1, NULL,
795 "Specifies a serial number from 1 to 2,147,483,647. The default is a unique value "
796 "generated "
797 "by Makecert.exe." },
798 { "$", COMMAND_LINE_VALUE_REQUIRED, "<authority>", NULL, NULL, -1, NULL,
799 "Unsupported - Specifies the signing authority of the certificate, which must be set to "
800 "either commercial "
801 "(for certificates used by commercial software publishers) or individual (for "
802 "certificates "
803 "used by individual software publishers)." },
804
805 /* Extended Options */
806
807 { "a", COMMAND_LINE_VALUE_REQUIRED, "<algorithm>", NULL, NULL, -1, NULL,
808 "Specifies the signature algorithm. algorithm must be md5, sha1, sha256 (the default), "
809 "sha384, or sha512." },
810 { "b", COMMAND_LINE_VALUE_REQUIRED, "<mm/dd/yyyy>", NULL, NULL, -1, NULL,
811 "Unsupported - Specifies the start of the validity period. Defaults to the current "
812 "date." },
813 { "crl", COMMAND_LINE_VALUE_FLAG, NULL, NULL, NULL, -1, NULL,
814 "Unsupported - Generates a certificate relocation list (CRL) instead of a certificate." },
815 { "cy", COMMAND_LINE_VALUE_REQUIRED, "<certType>", NULL, NULL, -1, NULL,
816 "Unsupported - Specifies the certificate type. Valid values are end for end-entity and "
817 "authority for certification authority." },
818 { "e", COMMAND_LINE_VALUE_REQUIRED, "<mm/dd/yyyy>", NULL, NULL, -1, NULL,
819 "Unsupported - Specifies the end of the validity period. Defaults to 12/31/2039 11:59:59 "
820 "GMT." },
821 { "eku", COMMAND_LINE_VALUE_REQUIRED, "<oid[,oid…]>", NULL, NULL, -1, NULL,
822 "Unsupported - Inserts a list of comma-separated, enhanced key usage object identifiers "
823 "(OIDs) into the certificate." },
824 { "h", COMMAND_LINE_VALUE_REQUIRED, "<number>", NULL, NULL, -1, NULL,
825 "Unsupported - Specifies the maximum height of the tree below this certificate." },
826 { "ic", COMMAND_LINE_VALUE_REQUIRED, "<file>", NULL, NULL, -1, NULL,
827 "Unsupported - Specifies the issuer's certificate file." },
828 { "ik", COMMAND_LINE_VALUE_REQUIRED, "<keyName>", NULL, NULL, -1, NULL,
829 "Unsupported - Specifies the issuer's key container name." },
830 { "iky", COMMAND_LINE_VALUE_REQUIRED, "<keyType>", NULL, NULL, -1, NULL,
831 "Unsupported - Specifies the issuer's key type, which must be one of the following: "
832 "signature (which indicates that the key is used for a digital signature), "
833 "exchange (which indicates that the key is used for key encryption and key exchange), "
834 "or an integer that represents a provider type. "
835 "By default, you can pass 1 for an exchange key or 2 for a signature key." },
836 { "in", COMMAND_LINE_VALUE_REQUIRED, "<name>", NULL, NULL, -1, NULL,
837 "Unsupported - Specifies the issuer's certificate common name." },
838 { "ip", COMMAND_LINE_VALUE_REQUIRED, "<provider>", NULL, NULL, -1, NULL,
839 "Unsupported - Specifies the issuer's CryptoAPI provider name. For information about the "
840 "CryptoAPI provider name, see the –sp option." },
841 { "ir", COMMAND_LINE_VALUE_REQUIRED, "<location>", NULL, NULL, -1, NULL,
842 "Unsupported - Specifies the location of the issuer's certificate store. location can be "
843 "either currentuser (the default) or localmachine." },
844 { "is", COMMAND_LINE_VALUE_REQUIRED, "<store>", NULL, NULL, -1, NULL,
845 "Unsupported - Specifies the issuer's certificate store name." },
846 { "iv", COMMAND_LINE_VALUE_REQUIRED, "<pvkFile>", NULL, NULL, -1, NULL,
847 "Unsupported - Specifies the issuer's .pvk private key file." },
848 { "iy", COMMAND_LINE_VALUE_REQUIRED, "<type>", NULL, NULL, -1, NULL,
849 "Unsupported - Specifies the issuer's CryptoAPI provider type. For information about the "
850 "CryptoAPI provider type, see the –sy option." },
851 { "l", COMMAND_LINE_VALUE_REQUIRED, "<link>", NULL, NULL, -1, NULL,
852 "Unsupported - Links to policy information (for example, to a URL)." },
853 { "len", COMMAND_LINE_VALUE_REQUIRED, "<number>", NULL, NULL, -1, NULL,
854 "Specifies the generated key length, in bits." },
855 { "m", COMMAND_LINE_VALUE_REQUIRED, "<number>", NULL, NULL, -1, NULL,
856 "Specifies the duration, in months, of the certificate validity period." },
857 { "y", COMMAND_LINE_VALUE_REQUIRED, "<number>", NULL, NULL, -1, NULL,
858 "Specifies the duration, in years, of the certificate validity period." },
859 { "nscp", COMMAND_LINE_VALUE_FLAG, NULL, NULL, NULL, -1, NULL,
860 "Unsupported - Includes the Netscape client-authorization extension." },
861 { "r", COMMAND_LINE_VALUE_FLAG, NULL, NULL, NULL, -1, NULL,
862 "Unsupported - Creates a self-signed certificate." },
863 { "sc", COMMAND_LINE_VALUE_REQUIRED, "<file>", NULL, NULL, -1, NULL,
864 "Unsupported - Specifies the subject's certificate file." },
865 { "sky", COMMAND_LINE_VALUE_REQUIRED, "<keyType>", NULL, NULL, -1, NULL,
866 "Unsupported - Specifies the subject's key type, which must be one of the following: "
867 "signature (which indicates that the key is used for a digital signature), "
868 "exchange (which indicates that the key is used for key encryption and key exchange), "
869 "or an integer that represents a provider type. "
870 "By default, you can pass 1 for an exchange key or 2 for a signature key." },
871 { "sp", COMMAND_LINE_VALUE_REQUIRED, "<provider>", NULL, NULL, -1, NULL,
872 "Unsupported - Specifies the subject's CryptoAPI provider name, which must be defined in "
873 "the "
874 "registry subkeys of "
875 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Defaults\\Provider. If both –sp "
876 "and "
877 "–sy are present, "
878 "the type of the CryptoAPI provider must correspond to the Type value of the provider's "
879 "subkey." },
880 { "sv", COMMAND_LINE_VALUE_REQUIRED, "<pvkFile>", NULL, NULL, -1, NULL,
881 "Unsupported - Specifies the subject's .pvk private key file. The file is created if "
882 "none "
883 "exists." },
884 { "sy", COMMAND_LINE_VALUE_REQUIRED, "<type>", NULL, NULL, -1, NULL,
885 "Unsupported - Specifies the subject's CryptoAPI provider type, which must be defined in "
886 "the "
887 "registry subkeys of "
888 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Defaults\\Provider Types. If "
889 "both "
890 "–sy and –sp are present, "
891 "the name of the CryptoAPI provider must correspond to the Name value of the provider "
892 "type "
893 "subkey." },
894 { "tbs", COMMAND_LINE_VALUE_REQUIRED, "<file>", NULL, NULL, -1, NULL,
895 "Unsupported - Specifies the certificate or CRL file to be signed." },
896
897 /* Help */
898
899 { "?", COMMAND_LINE_VALUE_FLAG | COMMAND_LINE_PRINT_HELP, NULL, NULL, NULL, -1, "help",
900 "print help" },
901 { "!", COMMAND_LINE_VALUE_FLAG | COMMAND_LINE_PRINT_HELP, NULL, NULL, NULL, -1, "help-ext",
902 "print extended help" },
903 { NULL, 0, NULL, NULL, NULL, -1, NULL, NULL }
904 };
905#ifdef WITH_OPENSSL
906 size_t length = 0;
907 char* entry = NULL;
908 int key_length = 0;
909 long serial = 0;
910 X509_NAME* name = NULL;
911 const EVP_MD* md = NULL;
912 const COMMAND_LINE_ARGUMENT_A* arg = NULL;
913 int ret = 0;
914 ret = makecert_context_parse_arguments(context, args, argc, argv);
915
916 if (ret < 1)
917 {
918 return ret;
919 }
920
921 if (!context->default_name && !context->common_name)
922 {
923 context->default_name = x509_get_default_name();
924
925 if (!context->default_name)
926 return -1;
927 }
928 else
929 {
930 context->default_name = _strdup(context->common_name);
931
932 if (!context->default_name)
933 return -1;
934 }
935
936 if (!context->common_name)
937 {
938 context->common_name = _strdup(context->default_name);
939
940 if (!context->common_name)
941 return -1;
942 }
943
944 if (!context->pkey)
945 context->pkey = EVP_PKEY_new();
946
947 if (!context->pkey)
948 return -1;
949
950 if (!context->x509)
951 context->x509 = X509_new();
952
953 if (!context->x509)
954 return -1;
955
956 key_length = 2048;
957 arg = CommandLineFindArgumentA(args, "len");
958
959 if (arg->Flags & COMMAND_LINE_VALUE_PRESENT)
960 {
961 unsigned long val = strtoul(arg->Value, NULL, 0);
962
963 if ((errno != 0) || (val > INT_MAX))
964 return -1;
965 key_length = (int)val;
966 }
967
968 if (!makecert_create_rsa(&context->pkey, WINPR_ASSERTING_INT_CAST(size_t, key_length)))
969 return -1;
970
971 X509_set_version(context->x509, 2);
972 arg = CommandLineFindArgumentA(args, "#");
973
974 if (arg->Flags & COMMAND_LINE_VALUE_PRESENT)
975 {
976 serial = strtol(arg->Value, NULL, 0);
977
978 if (errno != 0)
979 return -1;
980 }
981 else
982 serial = (long)GetTickCount64();
983
984 ASN1_INTEGER_set(X509_get_serialNumber(context->x509), serial);
985 {
986 ASN1_TIME* before = NULL;
987 ASN1_TIME* after = NULL;
988#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)
989 before = X509_get_notBefore(context->x509);
990 after = X509_get_notAfter(context->x509);
991#else
992 before = X509_getm_notBefore(context->x509);
993 after = X509_getm_notAfter(context->x509);
994#endif
995 X509_gmtime_adj(before, 0);
996
997 long duration = context->duration_months * 31l + context->duration_years * 365l;
998 duration *= 60l * 60l * 24l;
999 X509_gmtime_adj(after, duration);
1000 }
1001 X509_set_pubkey(context->x509, context->pkey);
1002 name = X509_get_subject_name(context->x509);
1003 arg = CommandLineFindArgumentA(args, "n");
1004
1005 if (arg->Flags & COMMAND_LINE_VALUE_PRESENT)
1006 {
1007 entry = x509_name_parse(arg->Value, "C", &length);
1008
1009 if (entry)
1010 X509_NAME_add_entry_by_txt(name, "C", MBSTRING_UTF8, (const unsigned char*)entry,
1011 (int)length, -1, 0);
1012
1013 entry = x509_name_parse(arg->Value, "ST", &length);
1014
1015 if (entry)
1016 X509_NAME_add_entry_by_txt(name, "ST", MBSTRING_UTF8, (const unsigned char*)entry,
1017 (int)length, -1, 0);
1018
1019 entry = x509_name_parse(arg->Value, "L", &length);
1020
1021 if (entry)
1022 X509_NAME_add_entry_by_txt(name, "L", MBSTRING_UTF8, (const unsigned char*)entry,
1023 (int)length, -1, 0);
1024
1025 entry = x509_name_parse(arg->Value, "O", &length);
1026
1027 if (entry)
1028 X509_NAME_add_entry_by_txt(name, "O", MBSTRING_UTF8, (const unsigned char*)entry,
1029 (int)length, -1, 0);
1030
1031 entry = x509_name_parse(arg->Value, "OU", &length);
1032
1033 if (entry)
1034 X509_NAME_add_entry_by_txt(name, "OU", MBSTRING_UTF8, (const unsigned char*)entry,
1035 (int)length, -1, 0);
1036
1037 entry = context->common_name;
1038 length = strlen(entry);
1039 X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_UTF8, (const unsigned char*)entry,
1040 (int)length, -1, 0);
1041 }
1042 else
1043 {
1044 entry = context->common_name;
1045 length = strlen(entry);
1046 X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_UTF8, (const unsigned char*)entry,
1047 (int)length, -1, 0);
1048 }
1049
1050 X509_set_issuer_name(context->x509, name);
1051 x509_add_ext(context->x509, NID_ext_key_usage, "serverAuth");
1052 arg = CommandLineFindArgumentA(args, "a");
1053 md = EVP_sha256();
1054
1055 if (arg->Flags & COMMAND_LINE_VALUE_PRESENT)
1056 {
1057 md = EVP_get_digestbyname(arg->Value);
1058 if (!md)
1059 return -1;
1060 }
1061
1062 if (!X509_sign(context->x509, context->pkey, md))
1063 return -1;
1064
1069 if (!context->silent)
1070 {
1071 BIO* bio = NULL;
1072 int status = 0;
1073 char* x509_str = NULL;
1074 bio = BIO_new(BIO_s_mem());
1075
1076 if (!bio)
1077 return -1;
1078
1079 status = X509_print(bio, context->x509);
1080
1081 if (status < 0)
1082 {
1083 BIO_free_all(bio);
1084 return -1;
1085 }
1086
1087 x509_str = makecert_read_str(bio, NULL);
1088 if (!x509_str)
1089 {
1090 BIO_free_all(bio);
1091 return -1;
1092 }
1093
1094 printf("%s", x509_str);
1095 free(x509_str);
1096 BIO_free_all(bio);
1097 }
1098
1103 if (!context->live)
1104 {
1105 if (!winpr_PathFileExists(context->output_path))
1106 {
1107 if (!winpr_PathMakePath(context->output_path, NULL))
1108 return -1;
1109 }
1110
1111 if (makecert_context_output_certificate_file(context, context->output_path) != 1)
1112 return -1;
1113
1114 if (context->crtFormat)
1115 {
1116 if (makecert_context_output_private_key_file(context, context->output_path) < 0)
1117 return -1;
1118 }
1119 }
1120
1121 return 0;
1122#else
1123 WLog_ERR(TAG, "%s only supported with OpenSSL", __func__);
1124 return -1;
1125#endif
1126}
1127
1128MAKECERT_CONTEXT* makecert_context_new(void)
1129{
1130 MAKECERT_CONTEXT* context = (MAKECERT_CONTEXT*)calloc(1, sizeof(MAKECERT_CONTEXT));
1131
1132 if (context)
1133 {
1134 context->crtFormat = TRUE;
1135 context->duration_years = 1;
1136 }
1137
1138 return context;
1139}
1140
1141void makecert_context_free(MAKECERT_CONTEXT* context)
1142{
1143 if (context)
1144 {
1145 free(context->password);
1146 free(context->default_name);
1147 free(context->common_name);
1148 free(context->output_file);
1149 free(context->output_path);
1150#ifdef WITH_OPENSSL
1151 X509_free(context->x509);
1152 EVP_PKEY_free(context->pkey);
1153#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)
1154 CRYPTO_cleanup_all_ex_data();
1155#endif
1156#endif
1157 free(context);
1158 }
1159}
COMMAND_LINE_ARGUMENT_A
Definition winpr/include/winpr/cmdline.h:100