FreeRDP
Loading...
Searching...
No Matches
makecert.c
1
20#include <errno.h>
21
22#include <winpr/assert.h>
23#include <winpr/crt.h>
24#include <winpr/path.h>
25#include <winpr/file.h>
26#include <winpr/cmdline.h>
27#include <winpr/sysinfo.h>
28#include <winpr/crypto.h>
29
30#ifdef WITH_OPENSSL
31#include <openssl/crypto.h>
32#include <openssl/conf.h>
33#include <openssl/pem.h>
34#include <openssl/err.h>
35#include <openssl/rsa.h>
36#include <openssl/pkcs12.h>
37#include <openssl/x509v3.h>
38#include <openssl/bn.h>
39#endif
40
41#include <winpr/tools/makecert.h>
42
43struct S_MAKECERT_CONTEXT
44{
45 int argc;
46 char** argv;
47
48#ifdef WITH_OPENSSL
49 X509* x509;
50 EVP_PKEY* pkey;
51 PKCS12* pkcs12;
52#endif
53
54 BOOL live;
55 BOOL silent;
56
57 BOOL crtFormat;
58 BOOL pemFormat;
59 BOOL pfxFormat;
60
61 char* password;
62
63 char* output_file;
64 char* output_path;
65 char* default_name;
66 char* common_name;
67
68 int duration_years;
69 int duration_months;
70};
71
72static char* makecert_read_str(BIO* bio, size_t* pOffset)
73{
74 int status = -1;
75 size_t offset = 0;
76 size_t length = 0;
77 char* x509_str = NULL;
78
79 while (offset >= length)
80 {
81 size_t readBytes = 0;
82 char* new_str = NULL;
83 size_t new_len = length + 2048ull;
84
85 if (new_len > INT_MAX)
86 {
87 status = -1;
88 break;
89 }
90
91 new_str = (char*)realloc(x509_str, new_len);
92
93 if (!new_str)
94 {
95 status = -1;
96 break;
97 }
98
99 length = new_len;
100 x509_str = new_str;
101 ERR_clear_error();
102#if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)
103 status = BIO_read_ex(bio, &x509_str[offset], length - offset, &readBytes);
104#else
105 status = BIO_read(bio, &x509_str[offset], length - offset);
106 readBytes = status;
107#endif
108 if (status <= 0)
109 break;
110
111 offset += readBytes;
112 }
113
114 if (status < 0)
115 {
116 free(x509_str);
117 if (pOffset)
118 *pOffset = 0;
119 return NULL;
120 }
121
122 x509_str[offset] = '\0';
123 if (pOffset)
124 *pOffset = offset + 1;
125 return x509_str;
126}
127
128static int makecert_print_command_line_help(COMMAND_LINE_ARGUMENT_A* args, int argc, char** argv)
129{
130 char* str = NULL;
131 const COMMAND_LINE_ARGUMENT_A* arg = NULL;
132
133 if (!argv || (argc < 1))
134 return -1;
135
136 printf("Usage: %s [options] [output file]\n", argv[0]);
137 printf("\n");
138 arg = args;
139
140 do
141 {
142 if (arg->Flags & COMMAND_LINE_VALUE_FLAG)
143 {
144 printf(" %s", "-");
145 printf("%-20s", arg->Name);
146 printf("\t%s\n", arg->Text);
147 }
148 else if ((arg->Flags & COMMAND_LINE_VALUE_REQUIRED) ||
149 (arg->Flags & COMMAND_LINE_VALUE_OPTIONAL))
150 {
151 printf(" %s", "-");
152
153 if (arg->Format)
154 {
155 size_t length = strlen(arg->Name) + strlen(arg->Format) + 2;
156 str = malloc(length + 1);
157
158 if (!str)
159 return -1;
160
161 (void)sprintf_s(str, length + 1, "%s %s", arg->Name, arg->Format);
162 (void)printf("%-20s", str);
163 free(str);
164 }
165 else
166 {
167 printf("%-20s", arg->Name);
168 }
169
170 printf("\t%s\n", arg->Text);
171 }
172 } while ((arg = CommandLineFindNextArgumentA(arg)) != NULL);
173
174 return 1;
175}
176
177#ifdef WITH_OPENSSL
178static int x509_add_ext(X509* cert, int nid, char* value)
179{
180 X509V3_CTX ctx;
181 X509_EXTENSION* ext = NULL;
182
183 if (!cert || !value)
184 return 0;
185
186 X509V3_set_ctx_nodb(&ctx) X509V3_set_ctx(&ctx, cert, cert, NULL, NULL, 0);
187 ext = X509V3_EXT_conf_nid(NULL, &ctx, nid, value);
188
189 if (!ext)
190 return 0;
191
192 X509_add_ext(cert, ext, -1);
193 X509_EXTENSION_free(ext);
194 return 1;
195}
196#endif
197
198static char* x509_name_parse(char* name, char* txt, size_t* length)
199{
200 char* p = NULL;
201 char* entry = NULL;
202
203 if (!name || !txt || !length)
204 return NULL;
205
206 p = strstr(name, txt);
207
208 if (!p)
209 return NULL;
210
211 entry = p + strlen(txt) + 1;
212 p = strchr(entry, '=');
213
214 if (!p)
215 *length = strlen(entry);
216 else
217 *length = (size_t)(p - entry);
218
219 return entry;
220}
221
222static char* get_name(COMPUTER_NAME_FORMAT type)
223{
224 DWORD nSize = 0;
225
226 if (GetComputerNameExA(type, NULL, &nSize))
227 return NULL;
228
229 if (GetLastError() != ERROR_MORE_DATA)
230 return NULL;
231
232 char* computerName = calloc(1, nSize);
233
234 if (!computerName)
235 return NULL;
236
237 if (!GetComputerNameExA(type, computerName, &nSize))
238 {
239 free(computerName);
240 return NULL;
241 }
242
243 return computerName;
244}
245
246static char* x509_get_default_name(void)
247{
248 char* computerName = get_name(ComputerNamePhysicalDnsFullyQualified);
249 if (!computerName)
250 computerName = get_name(ComputerNamePhysicalNetBIOS);
251 return computerName;
252}
253
254static int command_line_pre_filter(void* pvctx, int index, int argc, LPSTR* argv)
255{
256 MAKECERT_CONTEXT* context = pvctx;
257 if (!context || !argv || (index < 0) || (argc < 0))
258 return -1;
259
260 if (index == (argc - 1))
261 {
262 if (argv[index][0] != '-')
263 {
264 context->output_file = _strdup(argv[index]);
265
266 if (!context->output_file)
267 return -1;
268
269 return 1;
270 }
271 }
272
273 return 0;
274}
275
276static int makecert_context_parse_arguments(MAKECERT_CONTEXT* context,
277 COMMAND_LINE_ARGUMENT_A* args, int argc, char** argv)
278{
279 int status = 0;
280 DWORD flags = 0;
281 const COMMAND_LINE_ARGUMENT_A* arg = NULL;
282
283 if (!context || !argv || (argc < 0))
284 return -1;
285
290 CommandLineClearArgumentsA(args);
291 flags = COMMAND_LINE_SEPARATOR_SPACE | COMMAND_LINE_SIGIL_DASH;
292 status =
293 CommandLineParseArgumentsA(argc, argv, args, flags, context, command_line_pre_filter, NULL);
294
295 if (status & COMMAND_LINE_STATUS_PRINT_HELP)
296 {
297 makecert_print_command_line_help(args, argc, argv);
298 return 0;
299 }
300
301 arg = args;
302 errno = 0;
303
304 do
305 {
306 if (!(arg->Flags & COMMAND_LINE_ARGUMENT_PRESENT))
307 continue;
308
309 CommandLineSwitchStart(arg)
310 /* Basic Options */
311 CommandLineSwitchCase(arg, "silent")
312 {
313 context->silent = TRUE;
314 }
315 CommandLineSwitchCase(arg, "live")
316 {
317 context->live = TRUE;
318 }
319 CommandLineSwitchCase(arg, "format")
320 {
321 if (!(arg->Flags & COMMAND_LINE_ARGUMENT_PRESENT))
322 continue;
323
324 if (strcmp(arg->Value, "crt") == 0)
325 {
326 context->crtFormat = TRUE;
327 context->pemFormat = FALSE;
328 context->pfxFormat = FALSE;
329 }
330 else if (strcmp(arg->Value, "pem") == 0)
331 {
332 context->crtFormat = FALSE;
333 context->pemFormat = TRUE;
334 context->pfxFormat = FALSE;
335 }
336 else if (strcmp(arg->Value, "pfx") == 0)
337 {
338 context->crtFormat = FALSE;
339 context->pemFormat = FALSE;
340 context->pfxFormat = TRUE;
341 }
342 else
343 return -1;
344 }
345 CommandLineSwitchCase(arg, "path")
346 {
347 if (!(arg->Flags & COMMAND_LINE_ARGUMENT_PRESENT))
348 continue;
349
350 context->output_path = _strdup(arg->Value);
351
352 if (!context->output_path)
353 return -1;
354 }
355 CommandLineSwitchCase(arg, "p")
356 {
357 if (!(arg->Flags & COMMAND_LINE_ARGUMENT_PRESENT))
358 continue;
359
360 context->password = _strdup(arg->Value);
361
362 if (!context->password)
363 return -1;
364 }
365 CommandLineSwitchCase(arg, "n")
366 {
367 if (!(arg->Flags & COMMAND_LINE_ARGUMENT_PRESENT))
368 continue;
369
370 context->common_name = _strdup(arg->Value);
371
372 if (!context->common_name)
373 return -1;
374 }
375 CommandLineSwitchCase(arg, "y")
376 {
377 long val = 0;
378
379 if (!(arg->Flags & COMMAND_LINE_ARGUMENT_PRESENT))
380 continue;
381
382 val = strtol(arg->Value, NULL, 0);
383
384 if ((errno != 0) || (val < 0) || (val > INT32_MAX))
385 return -1;
386
387 context->duration_years = (int)val;
388 }
389 CommandLineSwitchCase(arg, "m")
390 {
391 long val = 0;
392
393 if (!(arg->Flags & COMMAND_LINE_ARGUMENT_PRESENT))
394 continue;
395
396 val = strtol(arg->Value, NULL, 0);
397
398 if ((errno != 0) || (val < 0))
399 return -1;
400
401 context->duration_months = (int)val;
402 }
403 CommandLineSwitchDefault(arg)
404 {
405 }
406 CommandLineSwitchEnd(arg)
407 } while ((arg = CommandLineFindNextArgumentA(arg)) != NULL);
408
409 return 1;
410}
411
412int makecert_context_set_output_file_name(MAKECERT_CONTEXT* context, const char* name)
413{
414 if (!context)
415 return -1;
416
417 free(context->output_file);
418 context->output_file = NULL;
419
420 if (name)
421 context->output_file = _strdup(name);
422
423 if (!context->output_file)
424 return -1;
425
426 return 1;
427}
428
429int makecert_context_output_certificate_file(MAKECERT_CONTEXT* context, const char* path)
430{
431#ifdef WITH_OPENSSL
432 FILE* fp = NULL;
433 int status = 0;
434 size_t length = 0;
435 size_t offset = 0;
436 char* filename = NULL;
437 char* fullpath = NULL;
438 char* ext = NULL;
439 int ret = -1;
440 BIO* bio = NULL;
441 char* x509_str = NULL;
442
443 if (!context)
444 return -1;
445
446 if (!context->output_file)
447 {
448 context->output_file = _strdup(context->default_name);
449
450 if (!context->output_file)
451 return -1;
452 }
453
454 /*
455 * Output Certificate File
456 */
457 length = strlen(context->output_file);
458 filename = malloc(length + 8);
459
460 if (!filename)
461 return -1;
462
463 if (context->crtFormat)
464 ext = "crt";
465 else if (context->pemFormat)
466 ext = "pem";
467 else if (context->pfxFormat)
468 ext = "pfx";
469 else
470 goto out_fail;
471
472 (void)sprintf_s(filename, length + 8, "%s.%s", context->output_file, ext);
473
474 if (path)
475 fullpath = GetCombinedPath(path, filename);
476 else
477 fullpath = _strdup(filename);
478
479 if (!fullpath)
480 goto out_fail;
481
482 fp = winpr_fopen(fullpath, "w+");
483
484 if (fp)
485 {
486 if (context->pfxFormat)
487 {
488 if (!context->password)
489 {
490 context->password = _strdup("password");
491
492 if (!context->password)
493 goto out_fail;
494
495 printf("Using default export password \"password\"\n");
496 }
497
498#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
499 OpenSSL_add_all_algorithms();
500 OpenSSL_add_all_ciphers();
501 OpenSSL_add_all_digests();
502#else
503 OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS | OPENSSL_INIT_ADD_ALL_DIGESTS |
504 OPENSSL_INIT_LOAD_CONFIG,
505 NULL);
506#endif
507 context->pkcs12 = PKCS12_create(context->password, context->default_name, context->pkey,
508 context->x509, NULL, 0, 0, 0, 0, 0);
509
510 if (!context->pkcs12)
511 goto out_fail;
512
513 bio = BIO_new(BIO_s_mem());
514
515 if (!bio)
516 goto out_fail;
517
518 status = i2d_PKCS12_bio(bio, context->pkcs12);
519
520 if (status != 1)
521 goto out_fail;
522
523 x509_str = makecert_read_str(bio, &offset);
524
525 if (!x509_str)
526 goto out_fail;
527
528 length = offset;
529
530 if (fwrite((void*)x509_str, length, 1, fp) != 1)
531 goto out_fail;
532 }
533 else
534 {
535 bio = BIO_new(BIO_s_mem());
536
537 if (!bio)
538 goto out_fail;
539
540 if (!PEM_write_bio_X509(bio, context->x509))
541 goto out_fail;
542
543 x509_str = makecert_read_str(bio, &offset);
544
545 if (!x509_str)
546 goto out_fail;
547
548 length = offset;
549
550 if (fwrite(x509_str, length, 1, fp) != 1)
551 goto out_fail;
552
553 free(x509_str);
554 x509_str = NULL;
555 BIO_free_all(bio);
556 bio = NULL;
557
558 if (context->pemFormat)
559 {
560 bio = BIO_new(BIO_s_mem());
561
562 if (!bio)
563 goto out_fail;
564
565 status = PEM_write_bio_PrivateKey(bio, context->pkey, NULL, NULL, 0, NULL, NULL);
566
567 if (status < 0)
568 goto out_fail;
569
570 x509_str = makecert_read_str(bio, &offset);
571 if (!x509_str)
572 goto out_fail;
573
574 length = offset;
575
576 if (fwrite(x509_str, length, 1, fp) != 1)
577 goto out_fail;
578 }
579 }
580 }
581
582 ret = 1;
583out_fail:
584 BIO_free_all(bio);
585
586 if (fp)
587 (void)fclose(fp);
588
589 free(x509_str);
590 free(filename);
591 free(fullpath);
592 return ret;
593#else
594 WLog_ERR(TAG, "%s only supported with OpenSSL", __func__);
595 return -1;
596#endif
597}
598
599int makecert_context_output_private_key_file(MAKECERT_CONTEXT* context, const char* path)
600{
601#ifdef WITH_OPENSSL
602 FILE* fp = NULL;
603 size_t length = 0;
604 size_t offset = 0;
605 char* filename = NULL;
606 char* fullpath = NULL;
607 int ret = -1;
608 BIO* bio = NULL;
609 char* x509_str = NULL;
610
611 if (!context->crtFormat)
612 return 1;
613
614 if (!context->output_file)
615 {
616 context->output_file = _strdup(context->default_name);
617
618 if (!context->output_file)
619 return -1;
620 }
621
625 length = strlen(context->output_file);
626 filename = malloc(length + 8);
627
628 if (!filename)
629 return -1;
630
631 (void)sprintf_s(filename, length + 8, "%s.key", context->output_file);
632
633 if (path)
634 fullpath = GetCombinedPath(path, filename);
635 else
636 fullpath = _strdup(filename);
637
638 if (!fullpath)
639 goto out_fail;
640
641 fp = winpr_fopen(fullpath, "w+");
642
643 if (!fp)
644 goto out_fail;
645
646 bio = BIO_new(BIO_s_mem());
647
648 if (!bio)
649 goto out_fail;
650
651 if (!PEM_write_bio_PrivateKey(bio, context->pkey, NULL, NULL, 0, NULL, NULL))
652 goto out_fail;
653
654 x509_str = makecert_read_str(bio, &offset);
655
656 if (!x509_str)
657 goto out_fail;
658
659 length = offset;
660
661 if (fwrite((void*)x509_str, length, 1, fp) != 1)
662 goto out_fail;
663
664 ret = 1;
665out_fail:
666
667 if (fp)
668 (void)fclose(fp);
669
670 BIO_free_all(bio);
671 free(x509_str);
672 free(filename);
673 free(fullpath);
674 return ret;
675#else
676 WLog_ERR(TAG, "%s only supported with OpenSSL", __func__);
677 return -1;
678#endif
679}
680
681#ifdef WITH_OPENSSL
682static BOOL makecert_create_rsa(EVP_PKEY** ppkey, size_t key_length)
683{
684 BOOL rc = FALSE;
685
686 WINPR_ASSERT(ppkey);
687
688#if !defined(OPENSSL_VERSION_MAJOR) || (OPENSSL_VERSION_MAJOR < 3)
689 RSA* rsa = NULL;
690#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)
691 rsa = RSA_generate_key(key_length, RSA_F4, NULL, NULL);
692#else
693 {
694 BIGNUM* bn = BN_secure_new();
695
696 if (!bn)
697 return FALSE;
698
699 rsa = RSA_new();
700
701 if (!rsa)
702 {
703 BN_clear_free(bn);
704 return FALSE;
705 }
706
707 BN_set_word(bn, RSA_F4);
708 const int res = RSA_generate_key_ex(rsa, key_length, bn, NULL);
709 BN_clear_free(bn);
710
711 if (res != 1)
712 return FALSE;
713 }
714#endif
715
716 if (!EVP_PKEY_assign_RSA(*ppkey, rsa))
717 {
718 RSA_free(rsa);
719 return FALSE;
720 }
721 rc = TRUE;
722#else
723 EVP_PKEY_CTX* pctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL);
724 if (!pctx)
725 return FALSE;
726
727 if (EVP_PKEY_keygen_init(pctx) != 1)
728 goto fail;
729
730 {
731 WINPR_ASSERT(key_length <= UINT_MAX);
732 unsigned int keylen = (unsigned int)key_length;
733 const OSSL_PARAM params[] = { OSSL_PARAM_construct_uint("bits", &keylen),
734 OSSL_PARAM_construct_end() };
735 if (EVP_PKEY_CTX_set_params(pctx, params) != 1)
736 goto fail;
737 }
738
739 if (EVP_PKEY_generate(pctx, ppkey) != 1)
740 goto fail;
741
742 rc = TRUE;
743fail:
744 EVP_PKEY_CTX_free(pctx);
745#endif
746 return rc;
747}
748#endif
749
750int makecert_context_process(MAKECERT_CONTEXT* context, int argc, char** argv)
751{
752 COMMAND_LINE_ARGUMENT_A args[] = {
753 /* Custom Options */
754
755 { "rdp", COMMAND_LINE_VALUE_FLAG, NULL, NULL, NULL, -1, NULL,
756 "Unsupported - Generate certificate with required options for RDP usage." },
757 { "silent", COMMAND_LINE_VALUE_FLAG, NULL, NULL, NULL, -1, NULL,
758 "Silently generate certificate without verbose output." },
759 { "live", COMMAND_LINE_VALUE_FLAG, NULL, NULL, NULL, -1, NULL,
760 "Generate certificate live in memory when used as a library." },
761 { "format", COMMAND_LINE_VALUE_REQUIRED, "<crt|pem|pfx>", NULL, NULL, -1, NULL,
762 "Specify certificate file format" },
763 { "path", COMMAND_LINE_VALUE_REQUIRED, "<path>", NULL, NULL, -1, NULL,
764 "Specify certificate file output path" },
765 { "p", COMMAND_LINE_VALUE_REQUIRED, "<password>", NULL, NULL, -1, NULL,
766 "Specify certificate export password" },
767
768 /* Basic Options */
769
770 { "n", COMMAND_LINE_VALUE_REQUIRED, "<name>", NULL, NULL, -1, NULL,
771 "Specifies the subject's certificate name. This name must conform to the X.500 standard. "
772 "The simplest method is to specify the name in double quotes, preceded by CN=; for "
773 "example, "
774 "-n \"CN=myName\"." },
775 { "pe", COMMAND_LINE_VALUE_FLAG, NULL, NULL, NULL, -1, NULL,
776 "Unsupported - Marks the generated private key as exportable. This allows the private "
777 "key to "
778 "be included in the certificate." },
779 { "sk", COMMAND_LINE_VALUE_REQUIRED, "<keyname>", NULL, NULL, -1, NULL,
780 "Unsupported - Specifies the subject's key container location, which contains the "
781 "private "
782 "key. "
783 "If a key container does not exist, it will be created." },
784 { "sr", COMMAND_LINE_VALUE_REQUIRED, "<location>", NULL, NULL, -1, NULL,
785 "Unsupported - Specifies the subject's certificate store location. location can be "
786 "either "
787 "currentuser (the default) or localmachine." },
788 { "ss", COMMAND_LINE_VALUE_REQUIRED, "<store>", NULL, NULL, -1, NULL,
789 "Unsupported - Specifies the subject's certificate store name that stores the output "
790 "certificate." },
791 { "#", COMMAND_LINE_VALUE_REQUIRED, "<number>", NULL, NULL, -1, NULL,
792 "Specifies a serial number from 1 to 2,147,483,647. The default is a unique value "
793 "generated "
794 "by Makecert.exe." },
795 { "$", COMMAND_LINE_VALUE_REQUIRED, "<authority>", NULL, NULL, -1, NULL,
796 "Unsupported - Specifies the signing authority of the certificate, which must be set to "
797 "either commercial "
798 "(for certificates used by commercial software publishers) or individual (for "
799 "certificates "
800 "used by individual software publishers)." },
801
802 /* Extended Options */
803
804 { "a", COMMAND_LINE_VALUE_REQUIRED, "<algorithm>", NULL, NULL, -1, NULL,
805 "Specifies the signature algorithm. algorithm must be md5, sha1, sha256 (the default), "
806 "sha384, or sha512." },
807 { "b", COMMAND_LINE_VALUE_REQUIRED, "<mm/dd/yyyy>", NULL, NULL, -1, NULL,
808 "Unsupported - Specifies the start of the validity period. Defaults to the current "
809 "date." },
810 { "crl", COMMAND_LINE_VALUE_FLAG, NULL, NULL, NULL, -1, NULL,
811 "Unsupported - Generates a certificate relocation list (CRL) instead of a certificate." },
812 { "cy", COMMAND_LINE_VALUE_REQUIRED, "<certType>", NULL, NULL, -1, NULL,
813 "Unsupported - Specifies the certificate type. Valid values are end for end-entity and "
814 "authority for certification authority." },
815 { "e", COMMAND_LINE_VALUE_REQUIRED, "<mm/dd/yyyy>", NULL, NULL, -1, NULL,
816 "Unsupported - Specifies the end of the validity period. Defaults to 12/31/2039 11:59:59 "
817 "GMT." },
818 { "eku", COMMAND_LINE_VALUE_REQUIRED, "<oid[,oid…]>", NULL, NULL, -1, NULL,
819 "Unsupported - Inserts a list of comma-separated, enhanced key usage object identifiers "
820 "(OIDs) into the certificate." },
821 { "h", COMMAND_LINE_VALUE_REQUIRED, "<number>", NULL, NULL, -1, NULL,
822 "Unsupported - Specifies the maximum height of the tree below this certificate." },
823 { "ic", COMMAND_LINE_VALUE_REQUIRED, "<file>", NULL, NULL, -1, NULL,
824 "Unsupported - Specifies the issuer's certificate file." },
825 { "ik", COMMAND_LINE_VALUE_REQUIRED, "<keyName>", NULL, NULL, -1, NULL,
826 "Unsupported - Specifies the issuer's key container name." },
827 { "iky", COMMAND_LINE_VALUE_REQUIRED, "<keyType>", NULL, NULL, -1, NULL,
828 "Unsupported - Specifies the issuer's key type, which must be one of the following: "
829 "signature (which indicates that the key is used for a digital signature), "
830 "exchange (which indicates that the key is used for key encryption and key exchange), "
831 "or an integer that represents a provider type. "
832 "By default, you can pass 1 for an exchange key or 2 for a signature key." },
833 { "in", COMMAND_LINE_VALUE_REQUIRED, "<name>", NULL, NULL, -1, NULL,
834 "Unsupported - Specifies the issuer's certificate common name." },
835 { "ip", COMMAND_LINE_VALUE_REQUIRED, "<provider>", NULL, NULL, -1, NULL,
836 "Unsupported - Specifies the issuer's CryptoAPI provider name. For information about the "
837 "CryptoAPI provider name, see the –sp option." },
838 { "ir", COMMAND_LINE_VALUE_REQUIRED, "<location>", NULL, NULL, -1, NULL,
839 "Unsupported - Specifies the location of the issuer's certificate store. location can be "
840 "either currentuser (the default) or localmachine." },
841 { "is", COMMAND_LINE_VALUE_REQUIRED, "<store>", NULL, NULL, -1, NULL,
842 "Unsupported - Specifies the issuer's certificate store name." },
843 { "iv", COMMAND_LINE_VALUE_REQUIRED, "<pvkFile>", NULL, NULL, -1, NULL,
844 "Unsupported - Specifies the issuer's .pvk private key file." },
845 { "iy", COMMAND_LINE_VALUE_REQUIRED, "<type>", NULL, NULL, -1, NULL,
846 "Unsupported - Specifies the issuer's CryptoAPI provider type. For information about the "
847 "CryptoAPI provider type, see the –sy option." },
848 { "l", COMMAND_LINE_VALUE_REQUIRED, "<link>", NULL, NULL, -1, NULL,
849 "Unsupported - Links to policy information (for example, to a URL)." },
850 { "len", COMMAND_LINE_VALUE_REQUIRED, "<number>", NULL, NULL, -1, NULL,
851 "Specifies the generated key length, in bits." },
852 { "m", COMMAND_LINE_VALUE_REQUIRED, "<number>", NULL, NULL, -1, NULL,
853 "Specifies the duration, in months, of the certificate validity period." },
854 { "y", COMMAND_LINE_VALUE_REQUIRED, "<number>", NULL, NULL, -1, NULL,
855 "Specifies the duration, in years, of the certificate validity period." },
856 { "nscp", COMMAND_LINE_VALUE_FLAG, NULL, NULL, NULL, -1, NULL,
857 "Unsupported - Includes the Netscape client-authorization extension." },
858 { "r", COMMAND_LINE_VALUE_FLAG, NULL, NULL, NULL, -1, NULL,
859 "Unsupported - Creates a self-signed certificate." },
860 { "sc", COMMAND_LINE_VALUE_REQUIRED, "<file>", NULL, NULL, -1, NULL,
861 "Unsupported - Specifies the subject's certificate file." },
862 { "sky", COMMAND_LINE_VALUE_REQUIRED, "<keyType>", NULL, NULL, -1, NULL,
863 "Unsupported - Specifies the subject's key type, which must be one of the following: "
864 "signature (which indicates that the key is used for a digital signature), "
865 "exchange (which indicates that the key is used for key encryption and key exchange), "
866 "or an integer that represents a provider type. "
867 "By default, you can pass 1 for an exchange key or 2 for a signature key." },
868 { "sp", COMMAND_LINE_VALUE_REQUIRED, "<provider>", NULL, NULL, -1, NULL,
869 "Unsupported - Specifies the subject's CryptoAPI provider name, which must be defined in "
870 "the "
871 "registry subkeys of "
872 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Defaults\\Provider. If both –sp "
873 "and "
874 "–sy are present, "
875 "the type of the CryptoAPI provider must correspond to the Type value of the provider's "
876 "subkey." },
877 { "sv", COMMAND_LINE_VALUE_REQUIRED, "<pvkFile>", NULL, NULL, -1, NULL,
878 "Unsupported - Specifies the subject's .pvk private key file. The file is created if "
879 "none "
880 "exists." },
881 { "sy", COMMAND_LINE_VALUE_REQUIRED, "<type>", NULL, NULL, -1, NULL,
882 "Unsupported - Specifies the subject's CryptoAPI provider type, which must be defined in "
883 "the "
884 "registry subkeys of "
885 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Defaults\\Provider Types. If "
886 "both "
887 "–sy and –sp are present, "
888 "the name of the CryptoAPI provider must correspond to the Name value of the provider "
889 "type "
890 "subkey." },
891 { "tbs", COMMAND_LINE_VALUE_REQUIRED, "<file>", NULL, NULL, -1, NULL,
892 "Unsupported - Specifies the certificate or CRL file to be signed." },
893
894 /* Help */
895
896 { "?", COMMAND_LINE_VALUE_FLAG | COMMAND_LINE_PRINT_HELP, NULL, NULL, NULL, -1, "help",
897 "print help" },
898 { "!", COMMAND_LINE_VALUE_FLAG | COMMAND_LINE_PRINT_HELP, NULL, NULL, NULL, -1, "help-ext",
899 "print extended help" },
900 { NULL, 0, NULL, NULL, NULL, -1, NULL, NULL }
901 };
902#ifdef WITH_OPENSSL
903 size_t length = 0;
904 char* entry = NULL;
905 int key_length = 0;
906 long serial = 0;
907 X509_NAME* name = NULL;
908 const EVP_MD* md = NULL;
909 const COMMAND_LINE_ARGUMENT_A* arg = NULL;
910 int ret = 0;
911 ret = makecert_context_parse_arguments(context, args, argc, argv);
912
913 if (ret < 1)
914 {
915 return ret;
916 }
917
918 if (!context->default_name && !context->common_name)
919 {
920 context->default_name = x509_get_default_name();
921
922 if (!context->default_name)
923 return -1;
924 }
925 else
926 {
927 context->default_name = _strdup(context->common_name);
928
929 if (!context->default_name)
930 return -1;
931 }
932
933 if (!context->common_name)
934 {
935 context->common_name = _strdup(context->default_name);
936
937 if (!context->common_name)
938 return -1;
939 }
940
941 if (!context->pkey)
942 context->pkey = EVP_PKEY_new();
943
944 if (!context->pkey)
945 return -1;
946
947 if (!context->x509)
948 context->x509 = X509_new();
949
950 if (!context->x509)
951 return -1;
952
953 key_length = 2048;
954 arg = CommandLineFindArgumentA(args, "len");
955
956 if (arg->Flags & COMMAND_LINE_VALUE_PRESENT)
957 {
958 unsigned long val = strtoul(arg->Value, NULL, 0);
959
960 if ((errno != 0) || (val > INT_MAX))
961 return -1;
962 key_length = (int)val;
963 }
964
965 if (!makecert_create_rsa(&context->pkey, WINPR_ASSERTING_INT_CAST(size_t, key_length)))
966 return -1;
967
968 X509_set_version(context->x509, 2);
969 arg = CommandLineFindArgumentA(args, "#");
970
971 if (arg->Flags & COMMAND_LINE_VALUE_PRESENT)
972 {
973 serial = strtol(arg->Value, NULL, 0);
974
975 if (errno != 0)
976 return -1;
977 }
978 else
979 serial = (long)GetTickCount64();
980
981 ASN1_INTEGER_set(X509_get_serialNumber(context->x509), serial);
982 {
983 ASN1_TIME* before = NULL;
984 ASN1_TIME* after = NULL;
985#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)
986 before = X509_get_notBefore(context->x509);
987 after = X509_get_notAfter(context->x509);
988#else
989 before = X509_getm_notBefore(context->x509);
990 after = X509_getm_notAfter(context->x509);
991#endif
992 X509_gmtime_adj(before, 0);
993
994 long duration = context->duration_months * 31l + context->duration_years * 365l;
995 duration *= 60l * 60l * 24l;
996 X509_gmtime_adj(after, duration);
997 }
998 X509_set_pubkey(context->x509, context->pkey);
999 name = X509_get_subject_name(context->x509);
1000 arg = CommandLineFindArgumentA(args, "n");
1001
1002 if (arg->Flags & COMMAND_LINE_VALUE_PRESENT)
1003 {
1004 entry = x509_name_parse(arg->Value, "C", &length);
1005
1006 if (entry)
1007 X509_NAME_add_entry_by_txt(name, "C", MBSTRING_UTF8, (const unsigned char*)entry,
1008 (int)length, -1, 0);
1009
1010 entry = x509_name_parse(arg->Value, "ST", &length);
1011
1012 if (entry)
1013 X509_NAME_add_entry_by_txt(name, "ST", MBSTRING_UTF8, (const unsigned char*)entry,
1014 (int)length, -1, 0);
1015
1016 entry = x509_name_parse(arg->Value, "L", &length);
1017
1018 if (entry)
1019 X509_NAME_add_entry_by_txt(name, "L", MBSTRING_UTF8, (const unsigned char*)entry,
1020 (int)length, -1, 0);
1021
1022 entry = x509_name_parse(arg->Value, "O", &length);
1023
1024 if (entry)
1025 X509_NAME_add_entry_by_txt(name, "O", MBSTRING_UTF8, (const unsigned char*)entry,
1026 (int)length, -1, 0);
1027
1028 entry = x509_name_parse(arg->Value, "OU", &length);
1029
1030 if (entry)
1031 X509_NAME_add_entry_by_txt(name, "OU", MBSTRING_UTF8, (const unsigned char*)entry,
1032 (int)length, -1, 0);
1033
1034 entry = context->common_name;
1035 length = strlen(entry);
1036 X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_UTF8, (const unsigned char*)entry,
1037 (int)length, -1, 0);
1038 }
1039 else
1040 {
1041 entry = context->common_name;
1042 length = strlen(entry);
1043 X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_UTF8, (const unsigned char*)entry,
1044 (int)length, -1, 0);
1045 }
1046
1047 X509_set_issuer_name(context->x509, name);
1048 x509_add_ext(context->x509, NID_ext_key_usage, "serverAuth");
1049 arg = CommandLineFindArgumentA(args, "a");
1050 md = EVP_sha256();
1051
1052 if (arg->Flags & COMMAND_LINE_VALUE_PRESENT)
1053 {
1054 md = EVP_get_digestbyname(arg->Value);
1055 if (!md)
1056 return -1;
1057 }
1058
1059 if (!X509_sign(context->x509, context->pkey, md))
1060 return -1;
1061
1066 if (!context->silent)
1067 {
1068 BIO* bio = NULL;
1069 int status = 0;
1070 char* x509_str = NULL;
1071 bio = BIO_new(BIO_s_mem());
1072
1073 if (!bio)
1074 return -1;
1075
1076 status = X509_print(bio, context->x509);
1077
1078 if (status < 0)
1079 {
1080 BIO_free_all(bio);
1081 return -1;
1082 }
1083
1084 x509_str = makecert_read_str(bio, NULL);
1085 if (!x509_str)
1086 {
1087 BIO_free_all(bio);
1088 return -1;
1089 }
1090
1091 printf("%s", x509_str);
1092 free(x509_str);
1093 BIO_free_all(bio);
1094 }
1095
1100 if (!context->live)
1101 {
1102 if (!winpr_PathFileExists(context->output_path))
1103 {
1104 if (!winpr_PathMakePath(context->output_path, NULL))
1105 return -1;
1106 }
1107
1108 if (makecert_context_output_certificate_file(context, context->output_path) != 1)
1109 return -1;
1110
1111 if (context->crtFormat)
1112 {
1113 if (makecert_context_output_private_key_file(context, context->output_path) < 0)
1114 return -1;
1115 }
1116 }
1117
1118 return 0;
1119#else
1120 WLog_ERR(TAG, "%s only supported with OpenSSL", __func__);
1121 return -1;
1122#endif
1123}
1124
1125MAKECERT_CONTEXT* makecert_context_new(void)
1126{
1127 MAKECERT_CONTEXT* context = (MAKECERT_CONTEXT*)calloc(1, sizeof(MAKECERT_CONTEXT));
1128
1129 if (context)
1130 {
1131 context->crtFormat = TRUE;
1132 context->duration_years = 1;
1133 }
1134
1135 return context;
1136}
1137
1138void makecert_context_free(MAKECERT_CONTEXT* context)
1139{
1140 if (context)
1141 {
1142 free(context->password);
1143 free(context->default_name);
1144 free(context->common_name);
1145 free(context->output_file);
1146 free(context->output_path);
1147#ifdef WITH_OPENSSL
1148 X509_free(context->x509);
1149 EVP_PKEY_free(context->pkey);
1150#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)
1151 CRYPTO_cleanup_all_ex_data();
1152#endif
1153#endif
1154 free(context);
1155 }
1156}
COMMAND_LINE_ARGUMENT_A
Definition winpr/include/winpr/cmdline.h:100