2 Unix SMB/CIFS implementation.
4 auto-generate self signed TLS certificates
6 Copyright (C) Andrew Tridgell 2005
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
25 #include <gnutls/gnutls.h>
26 #include <gnutls/x509.h>
31 #define ORGANISATION_NAME "Samba Administration"
32 #define UNIT_NAME "Samba - temporary autogenerated certificate"
33 #define LIFETIME 700*24*60*60
37 auto-generate a set of self signed certificates
39 void tls_cert_generate(TALLOC_CTX
*mem_ctx
,
41 const char *keyfile
, const char *certfile
,
44 gnutls_x509_crt cacrt
, crt
;
45 gnutls_x509_privkey key
, cakey
;
46 uint32_t serial
= (uint32_t)time(NULL
);
47 unsigned char keyid
[100];
50 size_t keyidsize
= sizeof(keyid
);
51 time_t activation
= time(NULL
), expiry
= activation
+ LIFETIME
;
54 if (file_exist(keyfile
) || file_exist(certfile
) || file_exist(cafile
)) {
55 DEBUG(0,("TLS autogeneration skipped - some TLS files already exist\n"));
59 #define TLSCHECK(call) do { \
62 DEBUG(0,("TLS %s - %s\n", #call, gnutls_strerror(ret))); \
67 TLSCHECK(gnutls_global_init());
69 DEBUG(0,("Attempting to autogenerate TLS self-signed keys for https for hostname '%s'\n",
73 DEBUG(3,("Enabling QUICK mode in gcrypt\n"));
74 gcry_control(GCRYCTL_ENABLE_QUICK_RANDOM
, 0);
77 DEBUG(3,("Generating private key\n"));
78 TLSCHECK(gnutls_x509_privkey_init(&key
));
79 TLSCHECK(gnutls_x509_privkey_generate(key
, GNUTLS_PK_RSA
, DH_BITS
, 0));
81 DEBUG(3,("Generating CA private key\n"));
82 TLSCHECK(gnutls_x509_privkey_init(&cakey
));
83 TLSCHECK(gnutls_x509_privkey_generate(cakey
, GNUTLS_PK_RSA
, DH_BITS
, 0));
85 DEBUG(3,("Generating CA certificate\n"));
86 TLSCHECK(gnutls_x509_crt_init(&cacrt
));
87 TLSCHECK(gnutls_x509_crt_set_dn_by_oid(cacrt
,
88 GNUTLS_OID_X520_ORGANIZATION_NAME
, 0,
89 ORGANISATION_NAME
, strlen(ORGANISATION_NAME
)));
90 TLSCHECK(gnutls_x509_crt_set_dn_by_oid(cacrt
,
91 GNUTLS_OID_X520_ORGANIZATIONAL_UNIT_NAME
, 0,
92 UNIT_NAME
, strlen(UNIT_NAME
)));
93 TLSCHECK(gnutls_x509_crt_set_dn_by_oid(cacrt
,
94 GNUTLS_OID_X520_COMMON_NAME
, 0,
95 hostname
, strlen(hostname
)));
96 TLSCHECK(gnutls_x509_crt_set_key(cacrt
, cakey
));
97 TLSCHECK(gnutls_x509_crt_set_serial(cacrt
, &serial
, sizeof(serial
)));
98 TLSCHECK(gnutls_x509_crt_set_activation_time(cacrt
, activation
));
99 TLSCHECK(gnutls_x509_crt_set_expiration_time(cacrt
, expiry
));
100 TLSCHECK(gnutls_x509_crt_set_ca_status(cacrt
, 0));
101 #ifdef GNUTLS_KP_TLS_WWW_SERVER
102 TLSCHECK(gnutls_x509_crt_set_key_purpose_oid(cacrt
, GNUTLS_KP_TLS_WWW_SERVER
, 0));
104 TLSCHECK(gnutls_x509_crt_set_version(cacrt
, 3));
105 TLSCHECK(gnutls_x509_crt_get_key_id(cacrt
, 0, keyid
, &keyidsize
));
106 #if HAVE_GNUTLS_X509_CRT_SET_SUBJECT_KEY_ID
107 TLSCHECK(gnutls_x509_crt_set_subject_key_id(cacrt
, keyid
, keyidsize
));
109 TLSCHECK(gnutls_x509_crt_sign(cacrt
, cacrt
, cakey
));
111 DEBUG(3,("Generating TLS certificate\n"));
112 TLSCHECK(gnutls_x509_crt_init(&crt
));
113 TLSCHECK(gnutls_x509_crt_set_dn_by_oid(crt
,
114 GNUTLS_OID_X520_ORGANIZATION_NAME
, 0,
115 ORGANISATION_NAME
, strlen(ORGANISATION_NAME
)));
116 TLSCHECK(gnutls_x509_crt_set_dn_by_oid(crt
,
117 GNUTLS_OID_X520_ORGANIZATIONAL_UNIT_NAME
, 0,
118 UNIT_NAME
, strlen(UNIT_NAME
)));
119 TLSCHECK(gnutls_x509_crt_set_dn_by_oid(crt
,
120 GNUTLS_OID_X520_COMMON_NAME
, 0,
121 hostname
, strlen(hostname
)));
122 TLSCHECK(gnutls_x509_crt_set_key(crt
, key
));
123 TLSCHECK(gnutls_x509_crt_set_serial(crt
, &serial
, sizeof(serial
)));
124 TLSCHECK(gnutls_x509_crt_set_activation_time(crt
, activation
));
125 TLSCHECK(gnutls_x509_crt_set_expiration_time(crt
, expiry
));
126 TLSCHECK(gnutls_x509_crt_set_ca_status(crt
, 0));
127 #ifdef GNUTLS_KP_TLS_WWW_SERVER
128 TLSCHECK(gnutls_x509_crt_set_key_purpose_oid(crt
, GNUTLS_KP_TLS_WWW_SERVER
, 0));
130 TLSCHECK(gnutls_x509_crt_set_version(crt
, 3));
131 TLSCHECK(gnutls_x509_crt_get_key_id(crt
, 0, keyid
, &keyidsize
));
132 #if HAVE_GNUTLS_X509_CRT_SET_SUBJECT_KEY_ID
133 TLSCHECK(gnutls_x509_crt_set_subject_key_id(crt
, keyid
, keyidsize
));
135 TLSCHECK(gnutls_x509_crt_sign(crt
, crt
, key
));
137 DEBUG(3,("Exporting TLS keys\n"));
139 bufsize
= sizeof(buf
);
140 TLSCHECK(gnutls_x509_crt_export(crt
, GNUTLS_X509_FMT_PEM
, buf
, &bufsize
));
141 if (!file_save(certfile
, buf
, bufsize
)) {
142 DEBUG(0,("Unable to save certificate in %s parent dir exists ?\n", certfile
));
146 bufsize
= sizeof(buf
);
147 TLSCHECK(gnutls_x509_crt_export(cacrt
, GNUTLS_X509_FMT_PEM
, buf
, &bufsize
));
148 if (!file_save(cafile
, buf
, bufsize
)) {
149 DEBUG(0,("Unable to save ca cert in %s parent dir exists ?\n", cafile
));
153 bufsize
= sizeof(buf
);
154 TLSCHECK(gnutls_x509_privkey_export(key
, GNUTLS_X509_FMT_PEM
, buf
, &bufsize
));
155 if (!file_save(keyfile
, buf
, bufsize
)) {
156 DEBUG(0,("Unable to save privatekey in %s parent dir exists ?\n", keyfile
));
160 gnutls_x509_privkey_deinit(key
);
161 gnutls_x509_privkey_deinit(cakey
);
162 gnutls_x509_crt_deinit(cacrt
);
163 gnutls_x509_crt_deinit(crt
);
164 gnutls_global_deinit();
166 DEBUG(0,("TLS self-signed keys generated OK\n"));
170 DEBUG(0,("TLS certificate generation failed\n"));
174 void tls_cert_dummy(void) {}