2 Unix SMB/CIFS implementation.
4 auto-generate self signed TLS certificates
6 Copyright (C) Andrew Tridgell 2005
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 2 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program; if not, write to the Free Software
20 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
26 #include "gnutls/gnutls.h"
27 #include "gnutls/x509.h"
29 #define ORGANISATION_NAME "Samba Administration"
30 #define UNIT_NAME "Samba - temporary autogenerated certificate"
31 #define COMMON_NAME "Samba"
32 #define LIFETIME 700*24*60*60
35 auto-generate a set of self signed certificates
37 void tls_cert_generate(TALLOC_CTX
*mem_ctx
,
38 const char *keyfile
, const char *certfile
,
41 gnutls_x509_crt cacrt
, crt
;
42 gnutls_x509_privkey key
, cakey
;
43 uint32_t serial
= (uint32_t)time(NULL
);
47 size_t keyidsize
= sizeof(keyid
);
48 time_t activation
= time(NULL
), expiry
= activation
+ LIFETIME
;
51 if (file_exist(keyfile
) || file_exist(certfile
) || file_exist(cafile
)) {
52 DEBUG(0,("TLS autogeneration skipped - some TLS files already exist\n"));
56 #define TLSCHECK(call) do { \
59 DEBUG(0,("TLS %s - %s\n", #call, gnutls_strerror(ret))); \
64 TLSCHECK(gnutls_global_init());
66 DEBUG(0,("Attempting to autogenerate TLS self-signed keys for https\n"));
68 DEBUG(3,("Generating private key\n"));
69 TLSCHECK(gnutls_x509_privkey_init(&key
));
70 TLSCHECK(gnutls_x509_privkey_generate(key
, GNUTLS_PK_RSA
, 1024, 0));
72 DEBUG(3,("Generating CA private key\n"));
73 TLSCHECK(gnutls_x509_privkey_init(&cakey
));
74 TLSCHECK(gnutls_x509_privkey_generate(cakey
, GNUTLS_PK_RSA
, 1024, 0));
76 DEBUG(3,("Generating CA certificate\n"));
77 TLSCHECK(gnutls_x509_crt_init(&cacrt
));
78 TLSCHECK(gnutls_x509_crt_set_dn_by_oid(cacrt
,
79 GNUTLS_OID_X520_ORGANIZATION_NAME
, 0,
80 ORGANISATION_NAME
, strlen(ORGANISATION_NAME
)));
81 TLSCHECK(gnutls_x509_crt_set_dn_by_oid(cacrt
,
82 GNUTLS_OID_X520_ORGANIZATIONAL_UNIT_NAME
, 0,
83 UNIT_NAME
, strlen(UNIT_NAME
)));
84 TLSCHECK(gnutls_x509_crt_set_dn_by_oid(cacrt
,
85 GNUTLS_OID_X520_COMMON_NAME
, 0,
86 COMMON_NAME
, strlen(COMMON_NAME
)));
87 TLSCHECK(gnutls_x509_crt_set_key(cacrt
, cakey
));
88 TLSCHECK(gnutls_x509_crt_set_serial(cacrt
, &serial
, sizeof(serial
)));
89 TLSCHECK(gnutls_x509_crt_set_activation_time(cacrt
, activation
));
90 TLSCHECK(gnutls_x509_crt_set_expiration_time(cacrt
, expiry
));
91 TLSCHECK(gnutls_x509_crt_set_ca_status(cacrt
, 0));
92 #ifdef GNUTLS_KP_TLS_WWW_SERVER
93 TLSCHECK(gnutls_x509_crt_set_key_purpose_oid(cacrt
, GNUTLS_KP_TLS_WWW_SERVER
, 0));
95 TLSCHECK(gnutls_x509_crt_set_version(cacrt
, 3));
96 TLSCHECK(gnutls_x509_crt_get_key_id(cacrt
, 0, keyid
, &keyidsize
));
97 TLSCHECK(gnutls_x509_crt_set_subject_key_id(cacrt
, keyid
, keyidsize
));
98 TLSCHECK(gnutls_x509_crt_sign(cacrt
, cacrt
, cakey
));
100 DEBUG(3,("Generating TLS certificate\n"));
101 TLSCHECK(gnutls_x509_crt_init(&crt
));
102 TLSCHECK(gnutls_x509_crt_set_dn_by_oid(crt
,
103 GNUTLS_OID_X520_ORGANIZATION_NAME
, 0,
104 ORGANISATION_NAME
, strlen(ORGANISATION_NAME
)));
105 TLSCHECK(gnutls_x509_crt_set_dn_by_oid(crt
,
106 GNUTLS_OID_X520_ORGANIZATIONAL_UNIT_NAME
, 0,
107 UNIT_NAME
, strlen(UNIT_NAME
)));
108 TLSCHECK(gnutls_x509_crt_set_dn_by_oid(crt
,
109 GNUTLS_OID_X520_COMMON_NAME
, 0,
110 COMMON_NAME
, strlen(COMMON_NAME
)));
111 TLSCHECK(gnutls_x509_crt_set_key(crt
, key
));
112 TLSCHECK(gnutls_x509_crt_set_serial(crt
, &serial
, sizeof(serial
)));
113 TLSCHECK(gnutls_x509_crt_set_activation_time(crt
, activation
));
114 TLSCHECK(gnutls_x509_crt_set_expiration_time(crt
, expiry
));
115 TLSCHECK(gnutls_x509_crt_set_ca_status(crt
, 0));
116 #ifdef GNUTLS_KP_TLS_WWW_SERVER
117 TLSCHECK(gnutls_x509_crt_set_key_purpose_oid(crt
, GNUTLS_KP_TLS_WWW_SERVER
, 0));
119 TLSCHECK(gnutls_x509_crt_set_version(crt
, 3));
120 TLSCHECK(gnutls_x509_crt_get_key_id(crt
, 0, keyid
, &keyidsize
));
121 TLSCHECK(gnutls_x509_crt_set_subject_key_id(crt
, keyid
, keyidsize
));
122 TLSCHECK(gnutls_x509_crt_sign(crt
, crt
, key
));
124 DEBUG(3,("Exporting TLS keys\n"));
126 bufsize
= sizeof(buf
);
127 TLSCHECK(gnutls_x509_crt_export(crt
, GNUTLS_X509_FMT_PEM
, buf
, &bufsize
));
128 file_save(certfile
, buf
, bufsize
);
130 bufsize
= sizeof(buf
);
131 TLSCHECK(gnutls_x509_crt_export(cacrt
, GNUTLS_X509_FMT_PEM
, buf
, &bufsize
));
132 file_save(cafile
, buf
, bufsize
);
134 bufsize
= sizeof(buf
);
135 TLSCHECK(gnutls_x509_privkey_export(key
, GNUTLS_X509_FMT_PEM
, buf
, &bufsize
));
136 file_save(keyfile
, buf
, bufsize
);
138 gnutls_x509_privkey_deinit(key
);
139 gnutls_x509_privkey_deinit(cakey
);
140 gnutls_x509_crt_deinit(cacrt
);
141 gnutls_x509_crt_deinit(crt
);
142 gnutls_global_deinit();
144 DEBUG(0,("TLS self-signed keys generated OK\n"));
148 DEBUG(0,("TLS certificate generation failed\n"));
152 void tls_cert_dummy(void) {}