1/* 2 Unix SMB/CIFS implementation. 3 4 auto-generate self signed TLS certificates 5 6 Copyright (C) Andrew Tridgell 2005 7 8 This program is free software; you can redistribute it and/or modify 9 it under the terms of the GNU General Public License as published by 10 the Free Software Foundation; either version 3 of the License, or 11 (at your option) any later version. 12 13 This program is distributed in the hope that it will be useful, 14 but WITHOUT ANY WARRANTY; without even the implied warranty of 15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 16 GNU General Public License for more details. 17 18 You should have received a copy of the GNU General Public License 19 along with this program. If not, see <http://www.gnu.org/licenses/>. 20*/ 21 22#include "includes.h" 23 24#if ENABLE_GNUTLS 25#include "gnutls/gnutls.h" 26#include "gnutls/x509.h" 27#if HAVE_GCRYPT_H 28#include <gcrypt.h> 29#endif 30 31#define ORGANISATION_NAME "Samba Administration" 32#define UNIT_NAME "Samba - temporary autogenerated certificate" 33#define LIFETIME 700*24*60*60 34#define DH_BITS 1024 35 36/* 37 auto-generate a set of self signed certificates 38*/ 39void tls_cert_generate(TALLOC_CTX *mem_ctx, 40 const char *hostname, 41 const char *keyfile, const char *certfile, 42 const char *cafile) 43{ 44 gnutls_x509_crt cacrt, crt; 45 gnutls_x509_privkey key, cakey; 46 uint32_t serial = (uint32_t)time(NULL); 47 unsigned char keyid[100]; 48 char buf[4096]; 49 size_t bufsize; 50 size_t keyidsize = sizeof(keyid); 51 time_t activation = time(NULL), expiry = activation + LIFETIME; 52 int ret; 53 54 if (file_exist(keyfile) || file_exist(certfile) || file_exist(cafile)) { 55 DEBUG(0,("TLS autogeneration skipped - some TLS files already exist\n")); 56 return; 57 } 58 59#define TLSCHECK(call) do { \ 60 ret = call; \ 61 if (ret < 0) { \ 62 DEBUG(0,("TLS %s - %s\n", #call, gnutls_strerror(ret))); \ 63 goto failed; \ 64 } \ 65} while (0) 66 67 TLSCHECK(gnutls_global_init()); 68 69 DEBUG(0,("Attempting to autogenerate TLS self-signed keys for https for hostname '%s'\n", 70 hostname)); 71 72#ifdef HAVE_GCRYPT_H 73 DEBUG(3,("Enabling QUICK mode in gcrypt\n")); 74 gcry_control(GCRYCTL_ENABLE_QUICK_RANDOM, 0); 75#endif 76 77 DEBUG(3,("Generating private key\n")); 78 TLSCHECK(gnutls_x509_privkey_init(&key)); 79 TLSCHECK(gnutls_x509_privkey_generate(key, GNUTLS_PK_RSA, DH_BITS, 0)); 80 81 DEBUG(3,("Generating CA private key\n")); 82 TLSCHECK(gnutls_x509_privkey_init(&cakey)); 83 TLSCHECK(gnutls_x509_privkey_generate(cakey, GNUTLS_PK_RSA, DH_BITS, 0)); 84 85 DEBUG(3,("Generating CA certificate\n")); 86 TLSCHECK(gnutls_x509_crt_init(&cacrt)); 87 TLSCHECK(gnutls_x509_crt_set_dn_by_oid(cacrt, 88 GNUTLS_OID_X520_ORGANIZATION_NAME, 0, 89 ORGANISATION_NAME, strlen(ORGANISATION_NAME))); 90 TLSCHECK(gnutls_x509_crt_set_dn_by_oid(cacrt, 91 GNUTLS_OID_X520_ORGANIZATIONAL_UNIT_NAME, 0, 92 UNIT_NAME, strlen(UNIT_NAME))); 93 TLSCHECK(gnutls_x509_crt_set_dn_by_oid(cacrt, 94 GNUTLS_OID_X520_COMMON_NAME, 0, 95 hostname, strlen(hostname))); 96 TLSCHECK(gnutls_x509_crt_set_key(cacrt, cakey)); 97 TLSCHECK(gnutls_x509_crt_set_serial(cacrt, &serial, sizeof(serial))); 98 TLSCHECK(gnutls_x509_crt_set_activation_time(cacrt, activation)); 99 TLSCHECK(gnutls_x509_crt_set_expiration_time(cacrt, expiry)); 100 TLSCHECK(gnutls_x509_crt_set_ca_status(cacrt, 0)); 101#ifdef GNUTLS_KP_TLS_WWW_SERVER 102 TLSCHECK(gnutls_x509_crt_set_key_purpose_oid(cacrt, GNUTLS_KP_TLS_WWW_SERVER, 0)); 103#endif 104 TLSCHECK(gnutls_x509_crt_set_version(cacrt, 3)); 105 TLSCHECK(gnutls_x509_crt_get_key_id(cacrt, 0, keyid, &keyidsize)); 106#if HAVE_GNUTLS_X509_CRT_SET_SUBJECT_KEY_ID 107 TLSCHECK(gnutls_x509_crt_set_subject_key_id(cacrt, keyid, keyidsize)); 108#endif 109 TLSCHECK(gnutls_x509_crt_sign(cacrt, cacrt, cakey)); 110 111 DEBUG(3,("Generating TLS certificate\n")); 112 TLSCHECK(gnutls_x509_crt_init(&crt)); 113 TLSCHECK(gnutls_x509_crt_set_dn_by_oid(crt, 114 GNUTLS_OID_X520_ORGANIZATION_NAME, 0, 115 ORGANISATION_NAME, strlen(ORGANISATION_NAME))); 116 TLSCHECK(gnutls_x509_crt_set_dn_by_oid(crt, 117 GNUTLS_OID_X520_ORGANIZATIONAL_UNIT_NAME, 0, 118 UNIT_NAME, strlen(UNIT_NAME))); 119 TLSCHECK(gnutls_x509_crt_set_dn_by_oid(crt, 120 GNUTLS_OID_X520_COMMON_NAME, 0, 121 hostname, strlen(hostname))); 122 TLSCHECK(gnutls_x509_crt_set_key(crt, key)); 123 TLSCHECK(gnutls_x509_crt_set_serial(crt, &serial, sizeof(serial))); 124 TLSCHECK(gnutls_x509_crt_set_activation_time(crt, activation)); 125 TLSCHECK(gnutls_x509_crt_set_expiration_time(crt, expiry)); 126 TLSCHECK(gnutls_x509_crt_set_ca_status(crt, 0)); 127#ifdef GNUTLS_KP_TLS_WWW_SERVER 128 TLSCHECK(gnutls_x509_crt_set_key_purpose_oid(crt, GNUTLS_KP_TLS_WWW_SERVER, 0)); 129#endif 130 TLSCHECK(gnutls_x509_crt_set_version(crt, 3)); 131 TLSCHECK(gnutls_x509_crt_get_key_id(crt, 0, keyid, &keyidsize)); 132#if HAVE_GNUTLS_X509_CRT_SET_SUBJECT_KEY_ID 133 TLSCHECK(gnutls_x509_crt_set_subject_key_id(crt, keyid, keyidsize)); 134#endif 135 TLSCHECK(gnutls_x509_crt_sign(crt, crt, key)); 136 137 DEBUG(3,("Exporting TLS keys\n")); 138 139 bufsize = sizeof(buf); 140 TLSCHECK(gnutls_x509_crt_export(crt, GNUTLS_X509_FMT_PEM, buf, &bufsize)); 141 file_save(certfile, buf, bufsize); 142 143 bufsize = sizeof(buf); 144 TLSCHECK(gnutls_x509_crt_export(cacrt, GNUTLS_X509_FMT_PEM, buf, &bufsize)); 145 file_save(cafile, buf, bufsize); 146 147 bufsize = sizeof(buf); 148 TLSCHECK(gnutls_x509_privkey_export(key, GNUTLS_X509_FMT_PEM, buf, &bufsize)); 149 file_save(keyfile, buf, bufsize); 150 151 gnutls_x509_privkey_deinit(key); 152 gnutls_x509_privkey_deinit(cakey); 153 gnutls_x509_crt_deinit(cacrt); 154 gnutls_x509_crt_deinit(crt); 155 gnutls_global_deinit(); 156 157 DEBUG(0,("TLS self-signed keys generated OK\n")); 158 return; 159 160failed: 161 DEBUG(0,("TLS certificate generation failed\n")); 162} 163 164#else 165void tls_cert_dummy(void) {} 166#endif 167