2 Unix SMB/CIFS implementation.
4 auto-generate self signed TLS certificates
6 Copyright (C) Andrew Tridgell 2005
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
23 #include "lib/tls/tls.h"
26 #include <gnutls/gnutls.h>
27 #include <gnutls/x509.h>
28 #if defined(HAVE_GCRYPT_H) && !defined(HAVE_GNUTLS3)
32 #define ORGANISATION_NAME "Samba Administration"
33 #define CA_NAME "Samba - temporary autogenerated CA certificate"
34 #define UNIT_NAME "Samba - temporary autogenerated HOST certificate"
35 #define LIFETIME 700*24*60*60
39 auto-generate a set of self signed certificates
41 void tls_cert_generate(TALLOC_CTX *mem_ctx,
43 const char *keyfile, const char *certfile,
46 gnutls_x509_crt cacrt, crt;
47 gnutls_x509_privkey key, cakey;
48 uint32_t serial = (uint32_t)time(NULL);
49 unsigned char keyid[100];
52 size_t keyidsize = sizeof(keyid);
53 time_t activation = time(NULL), expiry = activation + LIFETIME;
56 if (file_exist(keyfile) || file_exist(certfile) || file_exist(cafile)) {
57 DEBUG(0,("TLS autogeneration skipped - some TLS files already exist\n"));
61 #define TLSCHECK(call) do { \
64 DEBUG(0,("TLS %s - %s\n", #call, gnutls_strerror(ret))); \
69 TLSCHECK(gnutls_global_init());
71 DEBUG(0,("Attempting to autogenerate TLS self-signed keys for https for hostname '%s'\n",
74 #if defined(HAVE_GCRYPT_H) && !defined(HAVE_GNUTLS3)
75 DEBUG(3,("Enabling QUICK mode in gcrypt\n"));
76 gcry_control(GCRYCTL_ENABLE_QUICK_RANDOM, 0);
79 DEBUG(3,("Generating private key\n"));
80 TLSCHECK(gnutls_x509_privkey_init(&key));
81 TLSCHECK(gnutls_x509_privkey_generate(key, GNUTLS_PK_RSA, RSA_BITS, 0));
83 DEBUG(3,("Generating CA private key\n"));
84 TLSCHECK(gnutls_x509_privkey_init(&cakey));
85 TLSCHECK(gnutls_x509_privkey_generate(cakey, GNUTLS_PK_RSA, RSA_BITS, 0));
87 DEBUG(3,("Generating CA certificate\n"));
88 TLSCHECK(gnutls_x509_crt_init(&cacrt));
89 TLSCHECK(gnutls_x509_crt_set_dn_by_oid(cacrt,
90 GNUTLS_OID_X520_ORGANIZATION_NAME, 0,
91 ORGANISATION_NAME, strlen(ORGANISATION_NAME)));
92 TLSCHECK(gnutls_x509_crt_set_dn_by_oid(cacrt,
93 GNUTLS_OID_X520_ORGANIZATIONAL_UNIT_NAME, 0,
94 CA_NAME, strlen(CA_NAME)));
95 TLSCHECK(gnutls_x509_crt_set_dn_by_oid(cacrt,
96 GNUTLS_OID_X520_COMMON_NAME, 0,
97 hostname, strlen(hostname)));
98 TLSCHECK(gnutls_x509_crt_set_key(cacrt, cakey));
99 TLSCHECK(gnutls_x509_crt_set_serial(cacrt, &serial, sizeof(serial)));
100 TLSCHECK(gnutls_x509_crt_set_activation_time(cacrt, activation));
101 TLSCHECK(gnutls_x509_crt_set_expiration_time(cacrt, expiry));
102 TLSCHECK(gnutls_x509_crt_set_ca_status(cacrt, 1));
103 TLSCHECK(gnutls_x509_crt_set_key_usage(cacrt, GNUTLS_KEY_KEY_CERT_SIGN | GNUTLS_KEY_CRL_SIGN));
104 TLSCHECK(gnutls_x509_crt_set_version(cacrt, 3));
105 TLSCHECK(gnutls_x509_crt_get_key_id(cacrt, 0, keyid, &keyidsize));
106 #ifdef HAVE_GNUTLS_X509_CRT_SET_SUBJECT_KEY_ID
107 TLSCHECK(gnutls_x509_crt_set_subject_key_id(cacrt, keyid, keyidsize));
109 TLSCHECK(gnutls_x509_crt_sign2(cacrt, cacrt, cakey,
110 GNUTLS_DIG_SHA256, 0));
112 DEBUG(3,("Generating TLS certificate\n"));
113 TLSCHECK(gnutls_x509_crt_init(&crt));
114 TLSCHECK(gnutls_x509_crt_set_dn_by_oid(crt,
115 GNUTLS_OID_X520_ORGANIZATION_NAME, 0,
116 ORGANISATION_NAME, strlen(ORGANISATION_NAME)));
117 TLSCHECK(gnutls_x509_crt_set_dn_by_oid(crt,
118 GNUTLS_OID_X520_ORGANIZATIONAL_UNIT_NAME, 0,
119 UNIT_NAME, strlen(UNIT_NAME)));
120 TLSCHECK(gnutls_x509_crt_set_dn_by_oid(crt,
121 GNUTLS_OID_X520_COMMON_NAME, 0,
122 hostname, strlen(hostname)));
123 TLSCHECK(gnutls_x509_crt_set_key(crt, key));
124 TLSCHECK(gnutls_x509_crt_set_serial(crt, &serial, sizeof(serial)));
125 TLSCHECK(gnutls_x509_crt_set_activation_time(crt, activation));
126 TLSCHECK(gnutls_x509_crt_set_expiration_time(crt, expiry));
127 TLSCHECK(gnutls_x509_crt_set_ca_status(crt, 0));
128 #ifdef GNUTLS_KP_TLS_WWW_SERVER
129 TLSCHECK(gnutls_x509_crt_set_key_purpose_oid(crt, GNUTLS_KP_TLS_WWW_SERVER, 0));
131 TLSCHECK(gnutls_x509_crt_set_version(crt, 3));
132 TLSCHECK(gnutls_x509_crt_get_key_id(crt, 0, keyid, &keyidsize));
133 #ifdef HAVE_GNUTLS_X509_CRT_SET_SUBJECT_KEY_ID
134 TLSCHECK(gnutls_x509_crt_set_subject_key_id(crt, keyid, keyidsize));
136 TLSCHECK(gnutls_x509_crt_sign2(crt, crt, key,
137 GNUTLS_DIG_SHA256, 0));
138 TLSCHECK(gnutls_x509_crt_sign2(crt, cacrt, cakey,
139 GNUTLS_DIG_SHA256, 0));
141 DEBUG(3,("Exporting TLS keys\n"));
143 bufsize = sizeof(buf);
144 TLSCHECK(gnutls_x509_crt_export(crt, GNUTLS_X509_FMT_PEM, buf, &bufsize));
145 if (!file_save(certfile, buf, bufsize)) {
146 DEBUG(0,("Unable to save certificate in %s parent dir exists ?\n", certfile));
150 bufsize = sizeof(buf);
151 TLSCHECK(gnutls_x509_crt_export(cacrt, GNUTLS_X509_FMT_PEM, buf, &bufsize));
152 if (!file_save(cafile, buf, bufsize)) {
153 DEBUG(0,("Unable to save ca cert in %s parent dir exists ?\n", cafile));
157 bufsize = sizeof(buf);
158 TLSCHECK(gnutls_x509_privkey_export(key, GNUTLS_X509_FMT_PEM, buf, &bufsize));
159 if (!file_save_mode(keyfile, buf, bufsize, 0600)) {
160 DEBUG(0,("Unable to save privatekey in %s parent dir exists ?\n", keyfile));
164 gnutls_x509_privkey_deinit(key);
165 gnutls_x509_privkey_deinit(cakey);
166 gnutls_x509_crt_deinit(cacrt);
167 gnutls_x509_crt_deinit(crt);
168 gnutls_global_deinit();
170 DEBUG(0,("TLS self-signed keys generated OK\n"));
174 DEBUG(0,("TLS certificate generation failed\n"));
178 void tls_cert_dummy(void);
179 void tls_cert_dummy(void) {}