#include <mbedtls/ecp.h>
#include <mbedtls/rsa.h>
#include <mbedtls/pk.h>
+#include <mbedtls/asn1.h>
+#include <mbedtls/oid.h>
-#define PX5G_VERSION "0.2"
+#define SET_OID(x, oid) \
+ do { x.len = MBEDTLS_OID_SIZE(oid); x.p = (unsigned char *) oid; } while (0)
+
+#define PX5G_VERSION "0.3"
#define PX5G_COPY "Copyright (c) 2009 Steven Barth <steven@midlink.org>"
#define PX5G_LICENSE "Licensed under the GNU Lesser General Public License v2.1"
mbedtls_pk_context key;
mbedtls_x509write_cert cert;
mbedtls_mpi serial;
+ mbedtls_x509_san_list *san_list = NULL, *san_prev = NULL, *san_cur = NULL;
+ /*support
+ - MBEDTLS_X509_SAN_DNS_NAME
+ - MBEDTLS_X509_SAN_IP_ADDRESS
+ - MBEDTLS_X509_SAN_RFC822_NAME
+ - MBEDTLS_X509_SAN_UNIFORM_RESOURCE_IDENTIFIER
+ */
+ mbedtls_asn1_sequence *eku = NULL, *ext_key_usage = NULL;
+ char *sanval, *santype;
+ uint8_t ipaddr[16] = { 0 };
char *subject = "";
unsigned int ksize = 512;
oldc = delim + 1;
} while(*delim);
arg++;
+ } else if (!strcmp(*arg, "-addext") && arg[1]) {
+ mbedtls_asn1_sequence **tail = &eku;
+ if (!strncmp(arg[1], "extendedKeyUsage=", strlen("extendedKeyUsage="))) {
+ ext_key_usage = calloc(1, sizeof(mbedtls_asn1_sequence));
+ ext_key_usage->buf.tag = MBEDTLS_ASN1_OID;
+ if (!strncmp(arg[1] + strlen("extendedKeyUsage="), "serverAuth", strlen("serverAuth"))) {
+ SET_OID(ext_key_usage->buf, MBEDTLS_OID_SERVER_AUTH);
+ } else if (!strncmp(arg[1] + strlen("extendedKeyUsage="), "any", strlen("any"))) {
+ SET_OID(ext_key_usage->buf, MBEDTLS_OID_ANY_EXTENDED_KEY_USAGE);
+ } // there are other extendedKeyUsage OIDs but none conceivably useful here
+ *tail = ext_key_usage;
+ tail = &ext_key_usage->next;
+ arg++;
+ } else if (!strncmp(arg[1], "subjectAltName=", strlen("subjectAltName=")) && strchr(arg[1], ':') != NULL) {
+ santype = strchr(arg[1], '=') + 1;
+ sanval = strchr(arg[1], ':') + 1;
+ //build sAN list
+ san_cur = calloc(1, sizeof(mbedtls_x509_san_list));
+ san_cur->next = NULL;
+ if (!strncmp(santype, "DNS:", strlen("DNS:"))) {
+ san_cur->node.type = MBEDTLS_X509_SAN_DNS_NAME;
+ san_cur->node.san.unstructured_name.p = (unsigned char *) sanval;
+ san_cur->node.san.unstructured_name.len = strlen(sanval);
+ } else if (!strncmp(santype, "EMAIL:", strlen("EMAIL:"))) {
+ san_cur->node.type = MBEDTLS_X509_SAN_RFC822_NAME;
+ san_cur->node.san.unstructured_name.p = (unsigned char *) sanval;
+ san_cur->node.san.unstructured_name.len = strlen(sanval);
+ } else if (!strncmp(santype, "IP:", strlen("IP:"))) {
+ san_cur->node.type = MBEDTLS_X509_SAN_IP_ADDRESS;
+ mbedtls_x509_crt_parse_cn_inet_pton(sanval, ipaddr);
+ san_cur->node.san.unstructured_name.p = (unsigned char *) ipaddr;
+ san_cur->node.san.unstructured_name.len = sizeof(ipaddr);
+ } else if (!strncmp(santype, "URI:", strlen("URI:"))) {
+ san_cur->node.type = MBEDTLS_X509_SAN_UNIFORM_RESOURCE_IDENTIFIER;
+ san_cur->node.san.unstructured_name.p = (unsigned char *) sanval;
+ san_cur->node.san.unstructured_name.len = strlen(sanval);
+ }
+ else fprintf(stderr, "No match to subjectAltName content type.\n");
+ arg++;
+ }
}
arg++;
+
+ //set the pointers in our san_list linked list
+ if (san_prev == NULL) {
+ san_list = san_cur;
+ } else {
+ san_prev->next = san_cur;
+ }
+ san_prev = san_cur;
}
gen_key(&key, rsa, ksize, exp, curve, pem);
mbedtls_x509write_crt_set_basic_constraints(&cert, 0, -1);
mbedtls_x509write_crt_set_subject_key_identifier(&cert);
mbedtls_x509write_crt_set_authority_key_identifier(&cert);
+ mbedtls_x509write_crt_set_subject_alternative_name(&cert, san_list);
+ mbedtls_x509write_crt_set_ext_key_usage(&cert, ext_key_usage);
_urandom(NULL, (void *) buf, 8);
for (len = 0; len < 8; len++)
projects / openwrt / staging / blocktrron.git / commitdiff