/** * WinPR: Windows Portable Runtime * makecert replacement * * Copyright 2012 Marc-Andre Moreau * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ #include #include #include #include #include #include #include #include #include #ifdef _WIN32 #include #endif X509* x509 = NULL; EVP_PKEY* pkey = NULL; char* output_file = NULL; COMMAND_LINE_ARGUMENT_A args[] = { /* Basic Options */ { "rdp", COMMAND_LINE_VALUE_FLAG, NULL, NULL, NULL, -1, NULL, "Generate certificate with required options for RDP usage." }, { "n", COMMAND_LINE_VALUE_REQUIRED, "", NULL, NULL, -1, NULL, "Specifies the subject's certificate name. This name must conform to the X.500 standard. " "The simplest method is to specify the name in double quotes, preceded by CN=; for example, -n \"CN=myName\"." }, { "pe", COMMAND_LINE_VALUE_FLAG, NULL, NULL, NULL, -1, NULL, "Marks the generated private key as exportable. This allows the private key to be included in the certificate." }, { "sk", COMMAND_LINE_VALUE_REQUIRED, "", NULL, NULL, -1, NULL, "Specifies the subject's key container location, which contains the private key. " "If a key container does not exist, it will be created." }, { "sr", COMMAND_LINE_VALUE_REQUIRED, "", NULL, NULL, -1, NULL, "Specifies the subject's certificate store location. location can be either currentuser (the default) or localmachine." }, { "ss", COMMAND_LINE_VALUE_REQUIRED, "", NULL, NULL, -1, NULL, "Specifies the subject's certificate store name that stores the output certificate." }, { "#", COMMAND_LINE_VALUE_REQUIRED, "", NULL, NULL, -1, NULL, "Specifies a serial number from 1 to 2,147,483,647. The default is a unique value generated by Makecert.exe." }, { "$", COMMAND_LINE_VALUE_REQUIRED, "", NULL, NULL, -1, NULL, "Specifies the signing authority of the certificate, which must be set to either commercial " "(for certificates used by commercial software publishers) or individual (for certificates used by individual software publishers)." }, /* Extended Options */ { "a", COMMAND_LINE_VALUE_REQUIRED, "", NULL, NULL, -1, NULL, "Specifies the signature algorithm. algorithm must be md5, sha1 (the default), sha256, sha384, or sha512." }, { "b", COMMAND_LINE_VALUE_REQUIRED, "", NULL, NULL, -1, NULL, "Specifies the start of the validity period. Defaults to the current date." }, { "crl", COMMAND_LINE_VALUE_FLAG, NULL, NULL, NULL, -1, NULL, "Generates a certificate relocation list (CRL) instead of a certificate." }, { "cy", COMMAND_LINE_VALUE_REQUIRED, "", NULL, NULL, -1, NULL, "Specifies the certificate type. Valid values are end for end-entity and authority for certification authority." }, { "e", COMMAND_LINE_VALUE_REQUIRED, "", NULL, NULL, -1, NULL, "Specifies the end of the validity period. Defaults to 12/31/2039 11:59:59 GMT." }, { "eku", COMMAND_LINE_VALUE_REQUIRED, "", NULL, NULL, -1, NULL, "Inserts a list of comma-separated, enhanced key usage object identifiers (OIDs) into the certificate." }, { "h", COMMAND_LINE_VALUE_REQUIRED, "", NULL, NULL, -1, NULL, "Specifies the maximum height of the tree below this certificate." }, { "ic", COMMAND_LINE_VALUE_REQUIRED, "", NULL, NULL, -1, NULL, "Specifies the issuer's certificate file." }, { "ik", COMMAND_LINE_VALUE_REQUIRED, "", NULL, NULL, -1, NULL, "Specifies the issuer's key container name." }, { "iky", COMMAND_LINE_VALUE_REQUIRED, "", NULL, NULL, -1, NULL, "Specifies the issuer's key type, which must be one of the following: " "signature (which indicates that the key is used for a digital signature), " "exchange (which indicates that the key is used for key encryption and key exchange), " "or an integer that represents a provider type. " "By default, you can pass 1 for an exchange key or 2 for a signature key." }, { "in", COMMAND_LINE_VALUE_REQUIRED, "", NULL, NULL, -1, NULL, "Specifies the issuer's certificate common name." }, { "ip", COMMAND_LINE_VALUE_REQUIRED, "", NULL, NULL, -1, NULL, "Specifies the issuer's CryptoAPI provider name. For information about the CryptoAPI provider name, see the –sp option." }, { "ir", COMMAND_LINE_VALUE_REQUIRED, "", NULL, NULL, -1, NULL, "Specifies the location of the issuer's certificate store. location can be either currentuser (the default) or localmachine." }, { "is", COMMAND_LINE_VALUE_REQUIRED, "", NULL, NULL, -1, NULL, "Specifies the issuer's certificate store name." }, { "iv", COMMAND_LINE_VALUE_REQUIRED, "", NULL, NULL, -1, NULL, "Specifies the issuer's .pvk private key file." }, { "iy", COMMAND_LINE_VALUE_REQUIRED, "", NULL, NULL, -1, NULL, "Specifies the issuer's CryptoAPI provider type. For information about the CryptoAPI provider type, see the –sy option." }, { "l", COMMAND_LINE_VALUE_REQUIRED, "", NULL, NULL, -1, NULL, "Links to policy information (for example, to a URL)." }, { "len", COMMAND_LINE_VALUE_REQUIRED, "", NULL, NULL, -1, NULL, "Specifies the generated key length, in bits." }, { "m", COMMAND_LINE_VALUE_REQUIRED, "", NULL, NULL, -1, NULL, "Specifies the duration, in months, of the certificate validity period." }, { "nscp", COMMAND_LINE_VALUE_FLAG, NULL, NULL, NULL, -1, NULL, "Includes the Netscape client-authorization extension." }, { "r", COMMAND_LINE_VALUE_FLAG, NULL, NULL, NULL, -1, NULL, "Creates a self-signed certificate." }, { "sc", COMMAND_LINE_VALUE_REQUIRED, "", NULL, NULL, -1, NULL, "Specifies the subject's certificate file." }, { "sky", COMMAND_LINE_VALUE_REQUIRED, "", NULL, NULL, -1, NULL, "Specifies the subject's key type, which must be one of the following: " "signature (which indicates that the key is used for a digital signature), " "exchange (which indicates that the key is used for key encryption and key exchange), " "or an integer that represents a provider type. " "By default, you can pass 1 for an exchange key or 2 for a signature key." }, { "sp", COMMAND_LINE_VALUE_REQUIRED, "", NULL, NULL, -1, NULL, "Specifies the subject's CryptoAPI provider name, which must be defined in the registry subkeys of " "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Defaults\\Provider. If both –sp and –sy are present, " "the type of the CryptoAPI provider must correspond to the Type value of the provider's subkey." }, { "sv", COMMAND_LINE_VALUE_REQUIRED, "", NULL, NULL, -1, NULL, "Specifies the subject's .pvk private key file. The file is created if none exists." }, { "sy", COMMAND_LINE_VALUE_REQUIRED, "", NULL, NULL, -1, NULL, "Specifies the subject's CryptoAPI provider type, which must be defined in the registry subkeys of " "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Defaults\\Provider Types. If both –sy and –sp are present, " "the name of the CryptoAPI provider must correspond to the Name value of the provider type subkey." }, { "tbs", COMMAND_LINE_VALUE_REQUIRED, "", NULL, NULL, -1, NULL, "Specifies the certificate or CRL file to be signed." }, /* Help */ { "?", COMMAND_LINE_VALUE_FLAG | COMMAND_LINE_PRINT_HELP, NULL, NULL, NULL, -1, "help", "print help" }, { "!", COMMAND_LINE_VALUE_FLAG | COMMAND_LINE_PRINT_HELP, NULL, NULL, NULL, -1, "help-ext", "print extended help" }, { NULL, 0, NULL, NULL, NULL, -1, NULL, NULL } }; int makecert_print_command_line_help(int argc, char** argv) { char* str; int length; COMMAND_LINE_ARGUMENT_A* arg; printf("Usage: %s [options] [output file]\n", argv[0]); printf("\n"); arg = args; do { if (arg->Flags & COMMAND_LINE_VALUE_FLAG) { printf(" %s", "-"); printf("%-20s", arg->Name); printf("\t%s\n", arg->Text); } else if ((arg->Flags & COMMAND_LINE_VALUE_REQUIRED) || (arg->Flags & COMMAND_LINE_VALUE_OPTIONAL)) { printf(" %s", "-"); if (arg->Format) { length = strlen(arg->Name) + strlen(arg->Format) + 2; str = malloc(length + 1); sprintf_s(str, length + 1, "%s %s", arg->Name, arg->Format); printf("%-20s", str); free(str); } else { printf("%-20s", arg->Name); } printf("\t%s\n", arg->Text); } } while ((arg = CommandLineFindNextArgumentA(arg)) != NULL); return 1; } int x509_add_ext(X509* cert, int nid, char* value) { X509V3_CTX ctx; X509_EXTENSION* ext; X509V3_set_ctx_nodb(&ctx); X509V3_set_ctx(&ctx, cert, cert, NULL, NULL, 0); ext = X509V3_EXT_conf_nid(NULL, &ctx, nid, value); if (!ext) return 0; X509_add_ext(cert, ext, -1); X509_EXTENSION_free(ext); return 1; } char* x509_name_parse(char* name, char* txt, int* length) { char* p; char* entry; p = strstr(name, txt); if (!p) return NULL; entry = p + strlen(txt) + 1; p = strchr(entry, '='); if (!p) *length = strlen(entry); else *length = p - entry; return entry; } char* x509_get_default_name() { DWORD nSize = 0; char* ComputerName; GetComputerNameExA(ComputerNameNetBIOS, NULL, &nSize); ComputerName = (char*) malloc(nSize); GetComputerNameExA(ComputerNameNetBIOS, ComputerName, &nSize); return ComputerName; } int makecert() { BIO* bio; FILE* fp; int length; char* entry; int key_length; char* filename; RSA* rsa = NULL; long serial = 0; char* default_name; X509_NAME* name = NULL; const EVP_MD* md = NULL; COMMAND_LINE_ARGUMENT_A* arg; default_name = x509_get_default_name(); CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON); bio = BIO_new_fp(stderr, BIO_NOCLOSE); if (!pkey) pkey = EVP_PKEY_new(); if (!pkey) return -1; if (!x509) x509 = X509_new(); if (!x509) return -1; key_length = 2048; arg = CommandLineFindArgumentA(args, "len"); if (arg->Flags & COMMAND_LINE_VALUE_PRESENT) { key_length = atoi(arg->Value); } rsa = RSA_generate_key(key_length, RSA_F4, NULL, NULL); if (!EVP_PKEY_assign_RSA(pkey, rsa)) return -1; rsa = NULL; X509_set_version(x509, 2); arg = CommandLineFindArgumentA(args, "#"); if (arg->Flags & COMMAND_LINE_VALUE_PRESENT) serial = atoi(arg->Value); else serial = (long) GetTickCount64(); ASN1_INTEGER_set(X509_get_serialNumber(x509), serial); X509_gmtime_adj(X509_get_notBefore(x509), 0); X509_gmtime_adj(X509_get_notAfter(x509), (long) 60 * 60 * 24 * 365); X509_set_pubkey(x509, pkey); name = X509_get_subject_name(x509); arg = CommandLineFindArgumentA(args, "n"); if (arg->Flags & COMMAND_LINE_VALUE_PRESENT) { entry = x509_name_parse(arg->Value, "C", &length); if (entry) X509_NAME_add_entry_by_txt(name, "C", MBSTRING_UTF8, (const unsigned char*) entry, length, -1, 0); entry = x509_name_parse(arg->Value, "ST", &length); if (entry) X509_NAME_add_entry_by_txt(name, "ST", MBSTRING_UTF8, (const unsigned char*) entry, length, -1, 0); entry = x509_name_parse(arg->Value, "L", &length); if (entry) X509_NAME_add_entry_by_txt(name, "L", MBSTRING_UTF8, (const unsigned char*) entry, length, -1, 0); entry = x509_name_parse(arg->Value, "O", &length); if (entry) X509_NAME_add_entry_by_txt(name, "O", MBSTRING_UTF8, (const unsigned char*) entry, length, -1, 0); entry = x509_name_parse(arg->Value, "OU", &length); if (entry) X509_NAME_add_entry_by_txt(name, "OU", MBSTRING_UTF8, (const unsigned char*) entry, length, -1, 0); entry = x509_name_parse(arg->Value, "CN", &length); if (!entry) { entry = default_name; length = strlen(entry); } X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_UTF8, (const unsigned char*) entry, length, -1, 0); } else { entry = default_name; length = strlen(entry); X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_UTF8, (const unsigned char*) entry, length, -1, 0); } X509_set_issuer_name(x509, name); x509_add_ext(x509, NID_ext_key_usage, "serverAuth"); x509_add_ext(x509, NID_key_usage, "keyEncipherment,dataEncipherment"); arg = CommandLineFindArgumentA(args, "a"); md = EVP_sha1(); if (arg->Flags & COMMAND_LINE_VALUE_PRESENT) { if (strcmp(arg->Value, "md5") == 0) md = EVP_md5(); else if (strcmp(arg->Value, "sha1") == 0) md = EVP_sha1(); else if (strcmp(arg->Value, "sha256") == 0) md = EVP_sha256(); else if (strcmp(arg->Value, "sha384") == 0) md = EVP_sha384(); else if (strcmp(arg->Value, "sha512") == 0) md = EVP_sha512(); } if (!X509_sign(x509, pkey, md)) return -1; /** * Print Certificate */ X509_print_fp(stdout, x509); if (!output_file) output_file = default_name; /* * Output Certificate File */ length = strlen(output_file); filename = malloc(length + 8); strcpy(filename, output_file); strcpy(&filename[length], ".crt"); fp = fopen(filename, "w+"); if (fp) { PEM_write_X509(fp, x509); fclose(fp); } free(filename); /** * Output Private Key File */ length = strlen(output_file); filename = malloc(length + 8); strcpy(filename, output_file); strcpy(&filename[length], ".key"); fp = fopen(filename, "w+"); if (fp) { PEM_write_PrivateKey(fp, pkey, NULL, NULL, 0, NULL, NULL); fclose(fp); } free(filename); X509_free(x509); EVP_PKEY_free(pkey); free(default_name); CRYPTO_cleanup_all_ex_data(); CRYPTO_mem_leaks(bio); BIO_free(bio); return 0; } int command_line_pre_filter(void* context, int index, int argc, LPCSTR* argv) { if (index == (argc - 1)) { if (argv[index][0] != '-') output_file = (char*) argv[index]; } return 0; } int main(int argc, char* argv[]) { int status; DWORD flags; COMMAND_LINE_ARGUMENT_A* arg; /** * makecert -r -pe -n "CN=%COMPUTERNAME%" -eku 1.3.6.1.5.5.7.3.1 -ss my -sr LocalMachine * -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 */ flags = COMMAND_LINE_SEPARATOR_SPACE | COMMAND_LINE_SIGIL_DASH; status = CommandLineParseArgumentsA(argc, (const char**) argv, args, flags, NULL, command_line_pre_filter, NULL); if (status & COMMAND_LINE_STATUS_PRINT_HELP) { makecert_print_command_line_help(argc, argv); return 0; } arg = args; do { if (!(arg->Flags & COMMAND_LINE_VALUE_PRESENT)) continue; CommandLineSwitchStart(arg) /* Basic Options */ CommandLineSwitchCase(arg, "n") { } CommandLineSwitchCase(arg, "pe") { } CommandLineSwitchCase(arg, "sk") { } CommandLineSwitchCase(arg, "sr") { } CommandLineSwitchCase(arg, "ss") { } CommandLineSwitchCase(arg, "#") { } CommandLineSwitchCase(arg, "$") { } /* Extended Options */ CommandLineSwitchCase(arg, "a") { } CommandLineSwitchCase(arg, "b") { } CommandLineSwitchCase(arg, "crl") { } CommandLineSwitchCase(arg, "cy") { } CommandLineSwitchCase(arg, "e") { } CommandLineSwitchCase(arg, "eku") { } CommandLineSwitchCase(arg, "h") { } CommandLineSwitchCase(arg, "ic") { } CommandLineSwitchCase(arg, "ik") { } CommandLineSwitchCase(arg, "iky") { } CommandLineSwitchCase(arg, "in") { } CommandLineSwitchCase(arg, "ip") { } CommandLineSwitchCase(arg, "ir") { } CommandLineSwitchCase(arg, "is") { } CommandLineSwitchCase(arg, "iv") { } CommandLineSwitchCase(arg, "iy") { } CommandLineSwitchCase(arg, "l") { } CommandLineSwitchCase(arg, "l") { } CommandLineSwitchCase(arg, "m") { } CommandLineSwitchCase(arg, "nscp") { } CommandLineSwitchCase(arg, "r") { } CommandLineSwitchCase(arg, "sc") { } CommandLineSwitchCase(arg, "sky") { } CommandLineSwitchCase(arg, "sp") { } CommandLineSwitchCase(arg, "sv") { } CommandLineSwitchCase(arg, "sy") { } CommandLineSwitchCase(arg, "tbs") { } CommandLineSwitchDefault(arg) { } CommandLineSwitchEnd(arg) } while ((arg = CommandLineFindNextArgumentA(arg)) != NULL); makecert(); return 0; }