2
Unix SMB/CIFS implementation.
4
auto-generate self signed TLS certificates
6
Copyright (C) Andrew Tridgell 2005
8
This program is free software; you can redistribute it and/or modify
9
it under the terms of the GNU General Public License as published by
10
the Free Software Foundation; either version 3 of the License, or
11
(at your option) any later version.
13
This program is distributed in the hope that it will be useful,
14
but WITHOUT ANY WARRANTY; without even the implied warranty of
15
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16
GNU General Public License for more details.
18
You should have received a copy of the GNU General Public License
19
along with this program. If not, see <http://www.gnu.org/licenses/>.
25
#include "gnutls/gnutls.h"
26
#include "gnutls/x509.h"
31
#define ORGANISATION_NAME "Samba Administration"
32
#define UNIT_NAME "Samba - temporary autogenerated certificate"
33
#define LIFETIME 700*24*60*60
37
auto-generate a set of self signed certificates
39
void tls_cert_generate(TALLOC_CTX *mem_ctx,
41
const char *keyfile, const char *certfile,
44
gnutls_x509_crt cacrt, crt;
45
gnutls_x509_privkey key, cakey;
46
uint32_t serial = (uint32_t)time(NULL);
47
unsigned char keyid[100];
50
size_t keyidsize = sizeof(keyid);
51
time_t activation = time(NULL), expiry = activation + LIFETIME;
54
if (file_exist(keyfile) || file_exist(certfile) || file_exist(cafile)) {
55
DEBUG(0,("TLS autogeneration skipped - some TLS files already exist\n"));
59
#define TLSCHECK(call) do { \
62
DEBUG(0,("TLS %s - %s\n", #call, gnutls_strerror(ret))); \
67
TLSCHECK(gnutls_global_init());
69
DEBUG(0,("Attempting to autogenerate TLS self-signed keys for https for hostname '%s'\n",
73
DEBUG(3,("Enabling QUICK mode in gcrypt\n"));
74
gcry_control(GCRYCTL_ENABLE_QUICK_RANDOM, 0);
77
DEBUG(3,("Generating private key\n"));
78
TLSCHECK(gnutls_x509_privkey_init(&key));
79
TLSCHECK(gnutls_x509_privkey_generate(key, GNUTLS_PK_RSA, DH_BITS, 0));
81
DEBUG(3,("Generating CA private key\n"));
82
TLSCHECK(gnutls_x509_privkey_init(&cakey));
83
TLSCHECK(gnutls_x509_privkey_generate(cakey, GNUTLS_PK_RSA, DH_BITS, 0));
85
DEBUG(3,("Generating CA certificate\n"));
86
TLSCHECK(gnutls_x509_crt_init(&cacrt));
87
TLSCHECK(gnutls_x509_crt_set_dn_by_oid(cacrt,
88
GNUTLS_OID_X520_ORGANIZATION_NAME, 0,
89
ORGANISATION_NAME, strlen(ORGANISATION_NAME)));
90
TLSCHECK(gnutls_x509_crt_set_dn_by_oid(cacrt,
91
GNUTLS_OID_X520_ORGANIZATIONAL_UNIT_NAME, 0,
92
UNIT_NAME, strlen(UNIT_NAME)));
93
TLSCHECK(gnutls_x509_crt_set_dn_by_oid(cacrt,
94
GNUTLS_OID_X520_COMMON_NAME, 0,
95
hostname, strlen(hostname)));
96
TLSCHECK(gnutls_x509_crt_set_key(cacrt, cakey));
97
TLSCHECK(gnutls_x509_crt_set_serial(cacrt, &serial, sizeof(serial)));
98
TLSCHECK(gnutls_x509_crt_set_activation_time(cacrt, activation));
99
TLSCHECK(gnutls_x509_crt_set_expiration_time(cacrt, expiry));
100
TLSCHECK(gnutls_x509_crt_set_ca_status(cacrt, 0));
101
#ifdef GNUTLS_KP_TLS_WWW_SERVER
102
TLSCHECK(gnutls_x509_crt_set_key_purpose_oid(cacrt, GNUTLS_KP_TLS_WWW_SERVER, 0));
104
TLSCHECK(gnutls_x509_crt_set_version(cacrt, 3));
105
TLSCHECK(gnutls_x509_crt_get_key_id(cacrt, 0, keyid, &keyidsize));
106
#if HAVE_GNUTLS_X509_CRT_SET_SUBJECT_KEY_ID
107
TLSCHECK(gnutls_x509_crt_set_subject_key_id(cacrt, keyid, keyidsize));
109
TLSCHECK(gnutls_x509_crt_sign(cacrt, cacrt, cakey));
111
DEBUG(3,("Generating TLS certificate\n"));
112
TLSCHECK(gnutls_x509_crt_init(&crt));
113
TLSCHECK(gnutls_x509_crt_set_dn_by_oid(crt,
114
GNUTLS_OID_X520_ORGANIZATION_NAME, 0,
115
ORGANISATION_NAME, strlen(ORGANISATION_NAME)));
116
TLSCHECK(gnutls_x509_crt_set_dn_by_oid(crt,
117
GNUTLS_OID_X520_ORGANIZATIONAL_UNIT_NAME, 0,
118
UNIT_NAME, strlen(UNIT_NAME)));
119
TLSCHECK(gnutls_x509_crt_set_dn_by_oid(crt,
120
GNUTLS_OID_X520_COMMON_NAME, 0,
121
hostname, strlen(hostname)));
122
TLSCHECK(gnutls_x509_crt_set_key(crt, key));
123
TLSCHECK(gnutls_x509_crt_set_serial(crt, &serial, sizeof(serial)));
124
TLSCHECK(gnutls_x509_crt_set_activation_time(crt, activation));
125
TLSCHECK(gnutls_x509_crt_set_expiration_time(crt, expiry));
126
TLSCHECK(gnutls_x509_crt_set_ca_status(crt, 0));
127
#ifdef GNUTLS_KP_TLS_WWW_SERVER
128
TLSCHECK(gnutls_x509_crt_set_key_purpose_oid(crt, GNUTLS_KP_TLS_WWW_SERVER, 0));
130
TLSCHECK(gnutls_x509_crt_set_version(crt, 3));
131
TLSCHECK(gnutls_x509_crt_get_key_id(crt, 0, keyid, &keyidsize));
132
#if HAVE_GNUTLS_X509_CRT_SET_SUBJECT_KEY_ID
133
TLSCHECK(gnutls_x509_crt_set_subject_key_id(crt, keyid, keyidsize));
135
TLSCHECK(gnutls_x509_crt_sign(crt, crt, key));
137
DEBUG(3,("Exporting TLS keys\n"));
139
bufsize = sizeof(buf);
140
TLSCHECK(gnutls_x509_crt_export(crt, GNUTLS_X509_FMT_PEM, buf, &bufsize));
141
file_save(certfile, buf, bufsize);
143
bufsize = sizeof(buf);
144
TLSCHECK(gnutls_x509_crt_export(cacrt, GNUTLS_X509_FMT_PEM, buf, &bufsize));
145
file_save(cafile, buf, bufsize);
147
bufsize = sizeof(buf);
148
TLSCHECK(gnutls_x509_privkey_export(key, GNUTLS_X509_FMT_PEM, buf, &bufsize));
149
file_save(keyfile, buf, bufsize);
151
gnutls_x509_privkey_deinit(key);
152
gnutls_x509_privkey_deinit(cakey);
153
gnutls_x509_crt_deinit(cacrt);
154
gnutls_x509_crt_deinit(crt);
155
gnutls_global_deinit();
157
DEBUG(0,("TLS self-signed keys generated OK\n"));
161
DEBUG(0,("TLS certificate generation failed\n"));
165
void tls_cert_dummy(void) {}