diff --git a/certgen/Makefile b/certgen/Makefile index 80d110df5..6ea1fbb14 100644 --- a/certgen/Makefile +++ b/certgen/Makefile @@ -29,11 +29,14 @@ CFLAGS+=$(OPTIMIZE) #LIBS+=$(STATIC_LIB) LIBS+=$(DYN_LIB) -all:certgen_example csr_example csr_w_ed25519_example csr_sign csr_cryptocb custom_ext custom_ext_callback +all:certgen_example certgen_ca_example csr_example csr_w_ed25519_example csr_sign csr_cryptocb custom_ext custom_ext_callback certgen_example:certgen_example.o $(CC) -o $@ $^ $(CFLAGS) $(CPPFLAGS) $(LIBS) +certgen_ca_example:certgen_ca_example.o + $(CC) -o $@ $^ $(CFLAGS) $(CPPFLAGS) $(LIBS) + csr_example:csr_example.o $(CC) -o $@ $^ $(CFLAGS) $(CPPFLAGS) $(LIBS) @@ -55,5 +58,5 @@ custom_ext_callback:custom_ext_callback.o .PHONY: clean all clean: - rm -f *.o certgen_example csr_example csr_w_ed25519_example csr_sign csr_cryptocb custom_ext custom_ext_callback + rm -f *.o certgen_example certgen_ca_example csr_example csr_w_ed25519_example csr_sign csr_cryptocb custom_ext custom_ext_callback rm -f newCert.* diff --git a/certgen/certgen_ca_example.c b/certgen/certgen_ca_example.c new file mode 100644 index 000000000..534a2e875 --- /dev/null +++ b/certgen/certgen_ca_example.c 
@@ -0,0 +1,241 @@ +/* certgen_ca_example.c + * + * Copyright (C) 2006-2021 wolfSSL Inc. + * + * This file is part of wolfSSL. + * + * wolfSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * wolfSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA + */ + +#include +#include +#include +#include +#include +#include +#include +#include + +#ifdef WOLFSSL_CAAM + #include +#endif + +#if defined(WOLFSSL_CERT_REQ) && defined(WOLFSSL_CERT_GEN) && \ + defined(WOLFSSL_KEY_GEN) && defined(HAVE_ECC) + +#define HEAP_HINT NULL +#define LARGE_TEMP_SZ 4096 +static int devId = WOLFSSL_CAAM_DEVID; + +static int do_cagen(int argc, char** argv) +{ + int ret = 0; + + Cert newCert; + + FILE* file; + int derBufSz; + int caKeySz = 4096; + + byte* derBuf = NULL; + byte* pemBuf = NULL; + + /* for MakeCert and SignCert */ + WC_RNG rng; + RsaKey newKey; + int initRng = 0, initNewKey = 0; + char newCertOutput[] = "./ca-rsa-cert.der"; + char newKeyOutput[] = "./ca-rsa-key.der"; + +#ifdef WOLFSSL_DER_TO_PEM + char pemOutput[] = "./ca-rsa-cert.pem"; + char pemKeyOutput[] = "./ca-rsa-key.pem"; + int pemBufSz; +#endif + + ret = wolfCrypt_Init(); + if (ret != 0) goto exit; + + ret = wc_InitRng(&rng); + if (ret != 0) goto exit; + initRng = 1; + + printf("Creating the CA RSA private key of size %d\n", caKeySz); + ret = wc_InitRsaKey_ex(&newKey, HEAP_HINT, devId); + if (ret != 0) goto exit; + initNewKey = 1; + + 
ret = wc_MakeRsaKey(&newKey, caKeySz, WC_RSA_EXPONENT, &rng); + if (ret != 0) goto exit; + +#ifdef WOLFSSL_CAAM + printf("Black key value = %u\n", newKey.blackKey); +#endif + + printf("Successfully created CA Key\n\n"); + + derBuf = (byte*)XMALLOC(LARGE_TEMP_SZ, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); + if (derBuf == NULL) goto exit; + + /*------------------------------------------------------------------------*/ + /* write the new key to file in der format */ + /*------------------------------------------------------------------------*/ + printf("Writing newly generated DER key to file \"%s\"\n", + newKeyOutput); + file = fopen(newKeyOutput, "wb"); + if (!file) { + printf("failed to open file: %s\n", newKeyOutput); + goto exit; + } + + ret = wc_RsaKeyToDer(&newKey, derBuf, LARGE_TEMP_SZ); + if (ret < 0) { + goto exit; + } + derBufSz = ret; + + ret = (int)fwrite(derBuf, 1, derBufSz, file); + fclose(file); + printf("Successfully output %d bytes\n", ret); + +#ifdef WOLFSSL_DER_TO_PEM + /*------------------------------------------------------------------------*/ + /* convert the der to a pem and write it to a file */ + /*------------------------------------------------------------------------*/ + printf("Convert the DER key to PEM formatted key\n"); + + pemBuf = (byte*)XMALLOC(LARGE_TEMP_SZ, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); + if (pemBuf == NULL) goto exit; + XMEMSET(pemBuf, 0, LARGE_TEMP_SZ); + + pemBufSz = wc_DerToPem(derBuf, derBufSz, pemBuf, LARGE_TEMP_SZ, PRIVATEKEY_TYPE); + if (pemBufSz < 0) goto exit; + + printf("Resulting PEM buffer is %d bytes\n", pemBufSz); + + file = fopen(pemKeyOutput, "wb"); + if (!file) { + printf("failed to open file: %s\n", pemKeyOutput); + goto exit; + } + fwrite(pemBuf, 1, pemBufSz, file); + fclose(file); + printf("Successfully converted the DER to PEM to \"%s\"\n\n", + pemKeyOutput); + XFREE(pemBuf, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); + pemBuf = NULL; +#endif + + 
/*------------------------------------------------------------------------*/ + /* Create a new certificate using SUBJECT information from ca cert + * for ISSUER information in generated cert */ + /*------------------------------------------------------------------------*/ + printf("Setting up new cert\n"); + + wc_InitCert(&newCert); + + strncpy(newCert.subject.country, "US", CTC_NAME_SIZE); + strncpy(newCert.subject.state, "MT", CTC_NAME_SIZE); + strncpy(newCert.subject.locality, "Bozeman", CTC_NAME_SIZE); + strncpy(newCert.subject.org, "yourOrgNameHere", CTC_NAME_SIZE); + strncpy(newCert.subject.unit, "yourUnitNameHere", CTC_NAME_SIZE); + strncpy(newCert.subject.commonName, "www.yourDomain.com", CTC_NAME_SIZE); + strncpy(newCert.subject.email, "yourEmail@yourDomain.com", CTC_NAME_SIZE); + + newCert.isCA = 1; + newCert.sigType = CTC_SHA256wRSA; + + ret = wc_MakeSelfCert(&newCert, derBuf, LARGE_TEMP_SZ, &newKey, &rng); + if (ret < 0) goto exit; + printf("Make Self Cert returned %d\n", ret); + derBufSz = ret; + + printf("Successfully created new ca certificate\n\n"); + + /*------------------------------------------------------------------------*/ + /* write the new cert to file in der format */ + /*------------------------------------------------------------------------*/ + printf("Writing newly generated DER certificate to file \"%s\"\n", + newCertOutput); + file = fopen(newCertOutput, "wb"); + if (!file) { + printf("failed to open file: %s\n", newCertOutput); + goto exit; + } + + ret = (int)fwrite(derBuf, 1, derBufSz, file); + fclose(file); + printf("Successfully output %d bytes\n", ret); + +#ifdef WOLFSSL_DER_TO_PEM + /*------------------------------------------------------------------------*/ + /* convert the der to a pem and write it to a file */ + /*------------------------------------------------------------------------*/ + printf("Convert the DER cert to PEM formatted cert\n"); + + pemBuf = (byte*)XMALLOC(LARGE_TEMP_SZ, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); + 
if (pemBuf == NULL) goto exit; + XMEMSET(pemBuf, 0, LARGE_TEMP_SZ); + + pemBufSz = wc_DerToPem(derBuf, derBufSz, pemBuf, LARGE_TEMP_SZ, CERT_TYPE); + if (pemBufSz < 0) goto exit; + + printf("Resulting PEM buffer is %d bytes\n", pemBufSz); + + file = fopen(pemOutput, "wb"); + if (!file) { + printf("failed to open file: %s\n", pemOutput); + goto exit; + } + fwrite(pemBuf, 1, pemBufSz, file); + fclose(file); + printf("Successfully converted the DER to PEM to \"%s\"\n\n", + pemOutput); +#endif + + ret = 0; /* success */ + +exit: + + XFREE(derBuf, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(pemBuf, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); + + if (initNewKey) + wc_FreeRsaKey(&newKey); + if (initRng) { + wc_FreeRng(&rng); + } + + if (ret == 0) + printf("Tests passed\n"); + else + printf("Failure code was %d\n", ret); + + wolfCrypt_Cleanup(); + return ret; +} +#endif + +int main(int argc, char** argv) +{ +#if !defined(WOLFSSL_CERT_REQ) || !defined(WOLFSSL_CERT_GEN) || \ + !defined(WOLFSSL_KEY_GEN) || defined(NO_RSA) + printf("Please compile wolfSSL with --enable-certreq --enable-certgen " + "--enable-keygen --enable-rsa\n"); + return 0; +#else + return do_cagen(argc, argv); +#endif +} diff --git a/crypto/pkcs12/pkcs12-create-example.c b/crypto/pkcs12/pkcs12-create-example.c index f992ffe73..e117be625 100644 --- a/crypto/pkcs12/pkcs12-create-example.c +++ b/crypto/pkcs12/pkcs12-create-example.c @@ -19,15 +19,24 @@ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA */ +#include #include #include #include #include #include #include +#include #define WC_RSA_KEYSIZE 2048 #define HEAP_HINT NULL +#ifndef CA_CERT + #define CA_CERT "../../certs/ca-cert.der" +#endif +#ifndef CA_KEY + #define CA_KEY "../../certs/ca-key.der" +#endif +static int devId = INVALID_DEVID; /* set to alternate dev id if wanted */ #if defined(HAVE_PKCS12) && defined(WOLFSSL_KEY_GEN) && \ defined(WOLFSSL_CERT_GEN) && !defined(NO_RSA) 
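Review bot: The CA private key is written through `fopen(newKeyOutput, "wb")` (and again through `fopen(pemKeyOutput, "wb")`), so both key files are created with whatever the process umask allows — commonly world-readable — and the buffers that held the key (`derBuf`, which is then reused for the certificate, and `pemBuf`, which is XFREE'd right after the PEM write) are never wiped. Since this is the example people will copy into CA tooling, create the key files with owner-only permissions, e.g. `int fd = open(newKeyOutput, O_WRONLY | O_CREAT | O_TRUNC, 0600); file = (fd < 0) ? NULL : fdopen(fd, "wb");` (needs <fcntl.h>), and clear the key buffers with a zeroizing helper that the compiler cannot elide before they are reused or freed. Separately, the `#if` that guards do_cagen requires HAVE_ECC while main() dispatches on `!defined(NO_RSA)`, so a build with RSA enabled and ECC disabled compiles main() but has no do_cagen to call; the guard should use `!defined(NO_RSA)` to match main. Also `ret = (int)fwrite(derBuf, 1, derBufSz, file);` is printed but never compared with derBufSz (and fclose's result is ignored), so a short write of the key or certificate is still reported as "Successfully output".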
@@ -38,9 +47,9 @@ static int createKey(byte** keyDer, word32* keySz, RsaKey* key, WC_RNG* rng) *keyDer = NULL; *keySz = 0; - ret = wc_InitRsaKey(key, HEAP_HINT); + ret = wc_InitRsaKey_ex(key, HEAP_HINT, devId); if (ret == 0) { - ret = wc_InitRng(rng); + ret = wc_InitRng_ex(rng, HEAP_HINT, devId); } if (ret == 0) { @@ -125,11 +134,38 @@ static int readFile(byte** out, word32* outSz, char* fileName) } +static int loadKey(byte** keyDer, word32* keySz, RsaKey* key, const char* f) +{ + int ret; + + *keyDer = NULL; + *keySz = 0; + + ret = wc_InitRsaKey_ex(key, HEAP_HINT, devId); + if (ret == 0) { + ret = readFile(keyDer, keySz, (char*)f); + } + + if (ret == 0) { + word32 idx = 0; + ret = wc_RsaPrivateKeyDecode(*keyDer, &idx, key, *keySz); + printf("return from loading in private key = %d\n", ret); + } + + if (*keySz < 0) { + printf("unable to decode private key\n"); + ret = *keySz; + } + + return ret; +} + + static int getCa(byte** caCert, word32* caCertSz, RsaKey* caKey) { int ret; - char caCertFile[] = "../../certs/ca-cert.der"; - char caKeyFile[] = "../../certs/ca-key.der"; + char caCertFile[] = CA_CERT; + char caKeyFile[] = CA_KEY; byte* caKeyDer = NULL; word32 caKeyDerSz; @@ -138,11 +174,10 @@ static int getCa(byte** caCert, word32* caCertSz, RsaKey* caKey) *caCert = NULL; *caCertSz = 0; - printf("Getting the caKey from %s\n", caKeyFile); ret = readFile(&caKeyDer, &caKeyDerSz, caKeyFile); if (ret == 0) { - ret = wc_InitRsaKey(caKey, HEAP_HINT); + ret = wc_InitRsaKey_ex(caKey, HEAP_HINT, devId); } if (ret == 0) { 
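Review bot: In loadKey the check `if (*keySz < 0)` can never be true because keySz is a `word32*` — an unsigned value is never negative — so the "unable to decode private key" branch is dead and `ret = *keySz` would, if it ever ran, replace the real error with a byte count. Test the decode result instead: `if (ret != 0) { printf("unable to decode private key\n"); }` and delete the `ret = *keySz;` line. The `(char*)f` cast exists only because readFile takes a non-const `char*`; widening that parameter to `const char*` removes the cast. readFile's body is outside this hunk.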
@@ -233,11 +268,28 @@ int main(int argc, char* argv[]) byte* certDer = NULL; word32 certSz; - if (createKey(&keyDer, &keySz, &rsa, &rng) != 0) { - printf("Unable to create RSA key\n"); + if (wolfCrypt_Init() != 0) { + printf("issue with wolfCrypt_Init()\n"); return -1; } + if (argc == 2) { + if (loadKey(&keyDer, &keySz, &rsa, argv[1]) != 0) { + printf("Unable to create RSA key\n"); + return -1; + } + else { + printf("loaded in key %s\n", argv[1]); + wc_InitRng_ex(&rng, HEAP_HINT, devId); + } + } + else { + if (createKey(&keyDer, &keySz, &rsa, &rng) != 0) { + printf("Unable to create RSA key\n"); + return -1; + } + } + if (createCert(&certDer, &certSz, &rsa, &rng) != 0) { printf("Unable to create certificate\n"); wc_FreeRsaKey(&rsa); @@ -246,7 +298,7 @@ int main(int argc, char* argv[]) return -1; } - pkcs12 = wc_PKCS12_create("test password", strlen("test password"), + pkcs12 = wc_PKCS12_create("wolfSSL test", strlen("wolfSSL test"), NULL, keyDer, keySz, certDer, certSz, NULL, PBE_SHA1_DES3, PBE_SHA1_DES3, 100, 100, 0, HEAP_HINT); @@ -267,11 +319,16 @@ int main(int argc, char* argv[]) } wc_PKCS12_free(pkcs12); } + else { + printf("Issue creating new PKCS12 structure\n"); + } wc_FreeRsaKey(&rsa); wc_FreeRng(&rng); XFREE(keyDer, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); XFREE(certDer, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); + + wolfCrypt_Cleanup(); #else printf("pkcs12-create-key requires wolfssl to be built with:\n"); printf("\t./configure --enable-pkcs12 --enable-pwdbased --enable-des3 --enable-keygen --enable-certgen\n"); diff --git a/crypto/pkcs12/pkcs12-example.c b/crypto/pkcs12/pkcs12-example.c index b2e03fcec..1fbc072e4 100644 --- a/crypto/pkcs12/pkcs12-example.c +++ b/crypto/pkcs12/pkcs12-example.c 
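Review bot: In the new `argc == 2` branch the result of `wc_InitRng_ex(&rng, HEAP_HINT, devId);` is discarded, so if RNG initialisation fails createCert() goes on to sign with an uninitialised `rng` and wc_FreeRng() is later called on it; check it the way createKey() does: `if (wc_InitRng_ex(&rng, HEAP_HINT, devId) != 0) { wc_FreeRsaKey(&rsa); XFREE(keyDer, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); return -1; }`. The `return -1` paths added here also leave the new wolfCrypt_Init() without a matching wolfCrypt_Cleanup(), and on loadKey failure they skip wc_FreeRsaKey() on a key that wc_InitRsaKey_ex() already initialised. The message "Unable to create RSA key" is misleading when the key came from argv[1]; "Unable to load RSA key" would tell the user which path failed. main continues outside this hunk.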
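Review bot: The PKCS#12 password remains a string literal (`"wolfSSL test"`, now matching what pkcs12-example.c parses), and the unchanged context line below selects PBE_SHA1_DES3 with 100 iterations, the legacy PKCS#12 PBE scheme; that is acceptable for a test fixture but anyone using this file as a template gets a weakly protected bundle. A comment at the call would make that explicit: `/* demo only: fixed password and legacy PBE_SHA1_DES3 at 100 iterations; real tooling should read the password at runtime and use a much higher iteration count */`.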
@@ -20,13 +20,15 @@ */ +#include #include #include #include +#include /* This is an example with using wc_ function for PKCS12. To see an example of * wolfSSL_PKCS12 functions look in tests/api.c */ -int main() +int main(int argc, char** argv) { #if defined(HAVE_PKCS12) && !defined(NO_RSA) WC_DerCertList* list; @@ -37,10 +39,16 @@ int main() word32 certSz; word32 i; byte buffer[5300]; - char file[] = "./test-servercert.p12"; + char *file; + char defaultFile[] = "./test-servercert.p12"; FILE *f; int bytes, ret; + if (wolfCrypt_Init() != 0) { + printf("issue with wolfCrypt_Init()\n"); + return -1; + } + printf("extracting private key and certificate from PKCS12 (test-servercert.p12)\n"); pkcs12 = wc_PKCS12_new(); @@ -49,10 +57,17 @@ int main() return -1; } + if (argc == 2) { + file = argv[1]; + } + else { + file = defaultFile; + } + /* open PKCS12 file */ f = fopen(file, "rb"); if (f == NULL) { - printf("error opening test-servercert.p12\n"); + printf("error opening file %s\n", file); wc_PKCS12_free(pkcs12); return -1; } @@ -61,7 +76,7 @@ int main() /* convert the DER file into an internal structure */ ret = wc_d2i_PKCS12(buffer, bytes, pkcs12); - printf("return value of d2i pkcs12 = %d %s\n", ret, (ret == 1)? "SUCCESS": "FAIL"); + printf("return value of d2i pkcs12 = %d %s\n", ret, (ret == 0)? "SUCCESS": "FAIL"); if (ret != 0) { printf("\t error converting pkcs12 to an internal structure\n"); wc_PKCS12_free(pkcs12); @@ -71,7 +86,7 @@ int main() /* parse the internal structure into its parts */ ret = wc_PKCS12_parse(pkcs12, "wolfSSL test", &keyDer, &keySz, &certDer, &certSz, &list); - printf("return value of parsing pkcs12 = %d %s\n", ret, (ret == 1)? "SUCCESS": "FAIL"); + printf("return value of parsing pkcs12 = %d %s\n", ret, (ret == 0)? "SUCCESS": "FAIL"); if (ret != 0 || keyDer == NULL || certDer == NULL) { printf("\t error parsing pkcs12\n"); wc_PKCS12_free(pkcs12); 
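Review bot: The banner `printf("extracting private key and certificate from PKCS12 (test-servercert.p12)\n");` still hard-codes the default file name even though the following hunk lets argv[1] choose another file, so the output is wrong whenever an argument is passed. Because `file` is only assigned after wc_PKCS12_new(), move the `argc == 2` selection above this printf and change it to `printf("extracting private key and certificate from PKCS12 (%s)\n", file);`. The wc_PKCS12_new() failure path that returns -1 right after the new wolfCrypt_Init() call also skips wolfCrypt_Cleanup(). The fixed 5300-byte `buffer` is only context here and the fread into it is outside the hunk, so I cannot tell from this page whether a larger argv[1] file is truncated silently.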
@@ -116,6 +131,7 @@ int main() } wc_PKCS12_free(pkcs12); + wolfCrypt_Cleanup(); #else printf("pkcs12-example requires wolfssl to be built with:\n"); printf("\t./configure --enable-pkcs12 --enable-pwdbased --enable-des3\n");