Skip to content

Instantly share code, notes, and snippets.

@nathan-osman
Last active October 15, 2024 14:55
Show Gist options
  • Save nathan-osman/5041136 to your computer and use it in GitHub Desktop.
Save nathan-osman/5041136 to your computer and use it in GitHub Desktop.
Generates a self-signed x509 certificate using OpenSSL.
# A simple CMake script for building the application.
cmake_minimum_required(VERSION 2.8)
project(create-x509)
# Our only dependency is OpenSSL
find_package(OpenSSL REQUIRED)
include_directories(${OPENSSL_INCLUDE_DIR})
add_executable(create-x509 create-x509.cpp)
target_link_libraries(create-x509 ${OPENSSL_LIBRARIES})
install(TARGETS create-x509 RUNTIME DESTINATION bin)
#include <cstdio>
#include <iostream>
#include <openssl/pem.h>
#include <openssl/x509.h>
/* Generates a 2048-bit RSA key. */
EVP_PKEY * generate_key()
{
/* Allocate memory for the EVP_PKEY structure. */
EVP_PKEY * pkey = EVP_PKEY_new();
if(!pkey)
{
std::cerr << "Unable to create EVP_PKEY structure." << std::endl;
return NULL;
}
/* Generate the RSA key and assign it to pkey. */
RSA * rsa = RSA_generate_key(2048, RSA_F4, NULL, NULL);
if(!EVP_PKEY_assign_RSA(pkey, rsa))
{
std::cerr << "Unable to generate 2048-bit RSA key." << std::endl;
EVP_PKEY_free(pkey);
return NULL;
}
/* The key has been generated, return it. */
return pkey;
}
/* Generates a self-signed x509 certificate. */
X509 * generate_x509(EVP_PKEY * pkey)
{
/* Allocate memory for the X509 structure. */
X509 * x509 = X509_new();
if(!x509)
{
std::cerr << "Unable to create X509 structure." << std::endl;
return NULL;
}
/* Set the serial number. */
ASN1_INTEGER_set(X509_get_serialNumber(x509), 1);
/* This certificate is valid from now until exactly one year from now. */
X509_gmtime_adj(X509_get_notBefore(x509), 0);
X509_gmtime_adj(X509_get_notAfter(x509), 31536000L);
/* Set the public key for our certificate. */
X509_set_pubkey(x509, pkey);
/* We want to copy the subject name to the issuer name. */
X509_NAME * name = X509_get_subject_name(x509);
/* Set the country code and common name. */
X509_NAME_add_entry_by_txt(name, "C", MBSTRING_ASC, (unsigned char *)"CA", -1, -1, 0);
X509_NAME_add_entry_by_txt(name, "O", MBSTRING_ASC, (unsigned char *)"MyCompany", -1, -1, 0);
X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC, (unsigned char *)"localhost", -1, -1, 0);
/* Now set the issuer name. */
X509_set_issuer_name(x509, name);
/* Actually sign the certificate with our key. */
if(!X509_sign(x509, pkey, EVP_sha1()))
{
std::cerr << "Error signing certificate." << std::endl;
X509_free(x509);
return NULL;
}
return x509;
}
bool write_to_disk(EVP_PKEY * pkey, X509 * x509)
{
/* Open the PEM file for writing the key to disk. */
FILE * pkey_file = fopen("key.pem", "wb");
if(!pkey_file)
{
std::cerr << "Unable to open \"key.pem\" for writing." << std::endl;
return false;
}
/* Write the key to disk. */
bool ret = PEM_write_PrivateKey(pkey_file, pkey, NULL, NULL, 0, NULL, NULL);
fclose(pkey_file);
if(!ret)
{
std::cerr << "Unable to write private key to disk." << std::endl;
return false;
}
/* Open the PEM file for writing the certificate to disk. */
FILE * x509_file = fopen("cert.pem", "wb");
if(!x509_file)
{
std::cerr << "Unable to open \"cert.pem\" for writing." << std::endl;
return false;
}
/* Write the certificate to disk. */
ret = PEM_write_X509(x509_file, x509);
fclose(x509_file);
if(!ret)
{
std::cerr << "Unable to write certificate to disk." << std::endl;
return false;
}
return true;
}
int main(int argc, char ** argv)
{
/* Generate the key. */
std::cout << "Generating RSA key..." << std::endl;
EVP_PKEY * pkey = generate_key();
if(!pkey)
return 1;
/* Generate the certificate. */
std::cout << "Generating x509 certificate..." << std::endl;
X509 * x509 = generate_x509(pkey);
if(!x509)
{
EVP_PKEY_free(pkey);
return 1;
}
/* Write the private key and certificate out to disk. */
std::cout << "Writing key and certificate to disk..." << std::endl;
bool ret = write_to_disk(pkey, x509);
EVP_PKEY_free(pkey);
X509_free(x509);
if(ret)
{
std::cout << "Success!" << std::endl;
return 0;
}
else
return 1;
}
The MIT License (MIT)
Copyright (c) 2022 Nathan Osman
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
@hieunguyenmsft
Copy link

I have a similar sample code to create a CSR with SecP256r1 key. The header of signature part is:

    req->sig_alg = X509_ALGOR_dup(req->req_info->pubkey->algor);
    X509_ALGOR_set_md(req->sig_alg, (EVP_MD *)EVP_ecdsa());
    i2d_X509_REQ(req, &csrInfo);

Then I will generate the signature myself and append to the req object:

    unsignCsrData = [NSData dataWithBytes:csrInfo length:sizeof(csrInfo)];
    
    ecSignature = // generating signature internally
    
    signature->data = (unsigned char *)[ecSignature bytes];
    signature->length = (int)[ecSignature length];
    
    req->signature = signature;

My problem is in the header part, it will write ecdsa with SHA1:

170  11:   SEQUENCE {
172   7:     OBJECT IDENTIFIER ecdsaWithSHA1 (1 2 840 10045 4 1)
181   0:     NULL
       :     }

Do you know how to change the value of the header to ecdsa with SHA2? I can't find any document from OpenSSL about that.
Thank you!

@embetrix
Copy link

Hi, I'm also new to OpenSSL, does the EVP_PKEY type represents a public/private key pair?
As far as I understand from reading the docs, EVP_PKEY is used for storing private keys, but I see that your are using it for both purposes (i.e. in X509_set_pubkey and X509_sign).
Can you explain this a little bit?

For future comers, EVP_PKEY doesn't simply store a private key and return it as it is, in fact it can store a pair of keys, public key or private key, and the internals are handled by repective ENGINE, read the description part of https://www.openssl.org/docs/manmaster/man3/EVP_PKEY_new.html I guess for the X509_set_pubkey that ENGINE (etc) is called to return the public and since it knows this is RSA, and storing private key (we can get public key from private key here), and calculate and return public key.

I'm trying to generate a self signed certificates using a private key stored in pkcs11 engine, can you elabortae how did you solve this issue ?

@embetrix
Copy link

if the private key is srored in an engine e.g pkcs11 for example :

EVP_PKEY * pkey = ENGINE_load_private_key(eng, "pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=09abc2fa100c0143;token=token1;object=ecc-key1;type=private?pin-value=12345", NULL, NULL);
X509_set_pubkey(x509, pkey) //will crash

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment