search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
r7742: abstracted out the tls code from the web server, so that our other servers
[Samba/ekacnet.git] / source4 / lib / tls / tlscert.c
blob2cd46ff4329b80e79c23bc59a250b6ece1b2de53
1 /*
2 Unix SMB/CIFS implementation.
3
4 auto-generate self signed TLS certificates
5
6 Copyright (C) Andrew Tridgell 2005
7
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 2 of the License, or
11 (at your option) any later version.
12
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
17
18 You should have received a copy of the GNU General Public License
19 along with this program; if not, write to the Free Software
20 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
21 */
22
23 #include "includes.h"
24
25 #if HAVE_LIBGNUTLS
26 #include "gnutls/gnutls.h"
27 #include "gnutls/x509.h"
28
29 #define ORGANISATION_NAME "Samba Administration"
30 #define UNIT_NAME "Samba - temporary autogenerated certificate"
31 #define COMMON_NAME "Samba"
32 #define LIFETIME 700*24*60*60
33
34 /*
35 auto-generate a set of self signed certificates
36 */
37 void tls_cert_generate(TALLOC_CTX *mem_ctx,
38 const char *keyfile, const char *certfile,
39 const char *cafile)
40 {
41 gnutls_x509_crt cacrt, crt;
42 gnutls_x509_privkey key, cakey;
43 uint32_t serial = (uint32_t)time(NULL);
44 char keyid[100];
45 char buf[4096];
46 size_t bufsize;
47 size_t keyidsize = sizeof(keyid);
48 time_t activation = time(NULL), expiry = activation + LIFETIME;
49 int ret;
50
51 if (file_exist(keyfile) || file_exist(certfile) || file_exist(cafile)) {
52 DEBUG(0,("TLS autogeneration skipped - some TLS files already exist\n"));
53 return;
54 }
55
56 #define TLSCHECK(call) do { \
57 ret = call; \
58 if (ret < 0) { \
59 DEBUG(0,("TLS %s - %s\n", #call, gnutls_strerror(ret))); \
60 goto failed; \
61 } \
62 } while (0)
63
64 TLSCHECK(gnutls_global_init());
65
66 DEBUG(0,("Attempting to autogenerate TLS self-signed keys for https\n"));
67
68 DEBUG(3,("Generating private key\n"));
69 TLSCHECK(gnutls_x509_privkey_init(&key));
70 TLSCHECK(gnutls_x509_privkey_generate(key, GNUTLS_PK_RSA, 1024, 0));
71
72 DEBUG(3,("Generating CA private key\n"));
73 TLSCHECK(gnutls_x509_privkey_init(&cakey));
74 TLSCHECK(gnutls_x509_privkey_generate(cakey, GNUTLS_PK_RSA, 1024, 0));
75
76 DEBUG(3,("Generating CA certificate\n"));
77 TLSCHECK(gnutls_x509_crt_init(&cacrt));
78 TLSCHECK(gnutls_x509_crt_set_dn_by_oid(cacrt,
79 GNUTLS_OID_X520_ORGANIZATION_NAME, 0,
80 ORGANISATION_NAME, strlen(ORGANISATION_NAME)));
81 TLSCHECK(gnutls_x509_crt_set_dn_by_oid(cacrt,
82 GNUTLS_OID_X520_ORGANIZATIONAL_UNIT_NAME, 0,
83 UNIT_NAME, strlen(UNIT_NAME)));
84 TLSCHECK(gnutls_x509_crt_set_dn_by_oid(cacrt,
85 GNUTLS_OID_X520_COMMON_NAME, 0,
86 COMMON_NAME, strlen(COMMON_NAME)));
87 TLSCHECK(gnutls_x509_crt_set_key(cacrt, cakey));
88 TLSCHECK(gnutls_x509_crt_set_serial(cacrt, &serial, sizeof(serial)));
89 TLSCHECK(gnutls_x509_crt_set_activation_time(cacrt, activation));
90 TLSCHECK(gnutls_x509_crt_set_expiration_time(cacrt, expiry));
91 TLSCHECK(gnutls_x509_crt_set_ca_status(cacrt, 0));
92 #ifdef GNUTLS_KP_TLS_WWW_SERVER
93 TLSCHECK(gnutls_x509_crt_set_key_purpose_oid(cacrt, GNUTLS_KP_TLS_WWW_SERVER, 0));
94 #endif
95 TLSCHECK(gnutls_x509_crt_set_version(cacrt, 3));
96 TLSCHECK(gnutls_x509_crt_get_key_id(cacrt, 0, keyid, &keyidsize));
97 TLSCHECK(gnutls_x509_crt_set_subject_key_id(cacrt, keyid, keyidsize));
98 TLSCHECK(gnutls_x509_crt_sign(cacrt, cacrt, cakey));
99
100 DEBUG(3,("Generating TLS certificate\n"));
101 TLSCHECK(gnutls_x509_crt_init(&crt));
102 TLSCHECK(gnutls_x509_crt_set_dn_by_oid(crt,
103 GNUTLS_OID_X520_ORGANIZATION_NAME, 0,
104 ORGANISATION_NAME, strlen(ORGANISATION_NAME)));
105 TLSCHECK(gnutls_x509_crt_set_dn_by_oid(crt,
106 GNUTLS_OID_X520_ORGANIZATIONAL_UNIT_NAME, 0,
107 UNIT_NAME, strlen(UNIT_NAME)));
108 TLSCHECK(gnutls_x509_crt_set_dn_by_oid(crt,
109 GNUTLS_OID_X520_COMMON_NAME, 0,
110 COMMON_NAME, strlen(COMMON_NAME)));
111 TLSCHECK(gnutls_x509_crt_set_key(crt, key));
112 TLSCHECK(gnutls_x509_crt_set_serial(crt, &serial, sizeof(serial)));
113 TLSCHECK(gnutls_x509_crt_set_activation_time(crt, activation));
114 TLSCHECK(gnutls_x509_crt_set_expiration_time(crt, expiry));
115 TLSCHECK(gnutls_x509_crt_set_ca_status(crt, 0));
116 #ifdef GNUTLS_KP_TLS_WWW_SERVER
117 TLSCHECK(gnutls_x509_crt_set_key_purpose_oid(crt, GNUTLS_KP_TLS_WWW_SERVER, 0));
118 #endif
119 TLSCHECK(gnutls_x509_crt_set_version(crt, 3));
120 TLSCHECK(gnutls_x509_crt_get_key_id(crt, 0, keyid, &keyidsize));
121 TLSCHECK(gnutls_x509_crt_set_subject_key_id(crt, keyid, keyidsize));
122 TLSCHECK(gnutls_x509_crt_sign(crt, crt, key));
123
124 DEBUG(3,("Exporting TLS keys\n"));
125
126 bufsize = sizeof(buf);
127 TLSCHECK(gnutls_x509_crt_export(crt, GNUTLS_X509_FMT_PEM, buf, &bufsize));
128 file_save(certfile, buf, bufsize);
129
130 bufsize = sizeof(buf);
131 TLSCHECK(gnutls_x509_crt_export(cacrt, GNUTLS_X509_FMT_PEM, buf, &bufsize));
132 file_save(cafile, buf, bufsize);
133
134 bufsize = sizeof(buf);
135 TLSCHECK(gnutls_x509_privkey_export(key, GNUTLS_X509_FMT_PEM, buf, &bufsize));
136 file_save(keyfile, buf, bufsize);
137
138 gnutls_x509_privkey_deinit(key);
139 gnutls_x509_privkey_deinit(cakey);
140 gnutls_x509_crt_deinit(cacrt);
141 gnutls_x509_crt_deinit(crt);
142 gnutls_global_deinit();
143
144 DEBUG(0,("TLS self-signed keys generated OK\n"));
145 return;
146
147 failed:
148 DEBUG(0,("TLS certificate generation failed\n"));
149 }
150
151 #else
152 void tls_cert_dummy(void) {}
153 #endif