source4/lib/tls/tlscert.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3
   4    auto-generate self signed TLS certificates
   5
   6    Copyright (C) Andrew Tridgell 2005
   7
   8    This program is free software; you can redistribute it and/or modify
   9    it under the terms of the GNU General Public License as published by
  10    the Free Software Foundation; either version 2 of the License, or
  11    (at your option) any later version.
  12
  13    This program is distributed in the hope that it will be useful,
  14    but WITHOUT ANY WARRANTY; without even the implied warranty of
  15    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  16    GNU General Public License for more details.
  17
  18    You should have received a copy of the GNU General Public License
  19    along with this program; if not, write to the Free Software
  20    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
  21 */
  22
  23 #include "includes.h"
  24
  25 #if HAVE_LIBGNUTLS
  26 #include "gnutls/gnutls.h"
  27 #include "gnutls/x509.h"
  28
  29 #define ORGANISATION_NAME "Samba Administration"
  30 #define UNIT_NAME         "Samba - temporary autogenerated certificate"
  31 #define COMMON_NAME       "Samba"
  32 #define LIFETIME          700*24*60*60
  33
  34 /*
  35    auto-generate a set of self signed certificates
  36 */
  37 void tls_cert_generate(TALLOC_CTX *mem_ctx,
  38                        const char *keyfile, const char *certfile,
  39                        const char *cafile)
  40 {
  41         gnutls_x509_crt cacrt, crt;
  42         gnutls_x509_privkey key, cakey;
  43         uint32_t serial = (uint32_t)time(NULL);
  44         char keyid[100];
  45         char buf[4096];
  46         size_t bufsize;
  47         size_t keyidsize = sizeof(keyid);
  48         time_t activation = time(NULL), expiry = activation + LIFETIME;
  49         int ret;
  50
  51         if (file_exist(keyfile) || file_exist(certfile) || file_exist(cafile)) {
  52                 DEBUG(0,("TLS autogeneration skipped - some TLS files already exist\n"));
  53                 return;
  54         }
  55
  56 #define TLSCHECK(call) do { \
  57         ret = call; \
  58         if (ret < 0) { \
  59                 DEBUG(0,("TLS %s - %s\n", #call, gnutls_strerror(ret))); \
  60                 goto failed; \
  61         } \
  62 } while (0)
  63
  64         TLSCHECK(gnutls_global_init());
  65
  66         DEBUG(0,("Attempting to autogenerate TLS self-signed keys for https\n"));
  67
  68         DEBUG(3,("Generating private key\n"));
  69         TLSCHECK(gnutls_x509_privkey_init(&key));
  70         TLSCHECK(gnutls_x509_privkey_generate(key,   GNUTLS_PK_RSA, 1024, 0));
  71
  72         DEBUG(3,("Generating CA private key\n"));
  73         TLSCHECK(gnutls_x509_privkey_init(&cakey));
  74         TLSCHECK(gnutls_x509_privkey_generate(cakey, GNUTLS_PK_RSA, 1024, 0));
  75
  76         DEBUG(3,("Generating CA certificate\n"));
  77         TLSCHECK(gnutls_x509_crt_init(&cacrt));
  78         TLSCHECK(gnutls_x509_crt_set_dn_by_oid(cacrt,
  79                                       GNUTLS_OID_X520_ORGANIZATION_NAME, 0,
  80                                       ORGANISATION_NAME, strlen(ORGANISATION_NAME)));
  81         TLSCHECK(gnutls_x509_crt_set_dn_by_oid(cacrt,
  82                                       GNUTLS_OID_X520_ORGANIZATIONAL_UNIT_NAME, 0,
  83                                       UNIT_NAME, strlen(UNIT_NAME)));
  84         TLSCHECK(gnutls_x509_crt_set_dn_by_oid(cacrt,
  85                                       GNUTLS_OID_X520_COMMON_NAME, 0,
  86                                       COMMON_NAME, strlen(COMMON_NAME)));
  87         TLSCHECK(gnutls_x509_crt_set_key(cacrt, cakey));
  88         TLSCHECK(gnutls_x509_crt_set_serial(cacrt, &serial, sizeof(serial)));
  89         TLSCHECK(gnutls_x509_crt_set_activation_time(cacrt, activation));
  90         TLSCHECK(gnutls_x509_crt_set_expiration_time(cacrt, expiry));
  91         TLSCHECK(gnutls_x509_crt_set_ca_status(cacrt, 0));
  92 #ifdef GNUTLS_KP_TLS_WWW_SERVER
  93         TLSCHECK(gnutls_x509_crt_set_key_purpose_oid(cacrt, GNUTLS_KP_TLS_WWW_SERVER, 0));
  94 #endif
  95         TLSCHECK(gnutls_x509_crt_set_version(cacrt, 3));
  96         TLSCHECK(gnutls_x509_crt_get_key_id(cacrt, 0, keyid, &keyidsize));
  97 #if HAVE_GNUTLS_X509_CRT_SET_SUBJECT_KEY_ID
  98         TLSCHECK(gnutls_x509_crt_set_subject_key_id(cacrt, keyid, keyidsize));
  99 #endif
 100         TLSCHECK(gnutls_x509_crt_sign(cacrt, cacrt, cakey));
 101
 102         DEBUG(3,("Generating TLS certificate\n"));
 103         TLSCHECK(gnutls_x509_crt_init(&crt));
 104         TLSCHECK(gnutls_x509_crt_set_dn_by_oid(crt,
 105                                       GNUTLS_OID_X520_ORGANIZATION_NAME, 0,
 106                                       ORGANISATION_NAME, strlen(ORGANISATION_NAME)));
 107         TLSCHECK(gnutls_x509_crt_set_dn_by_oid(crt,
 108                                       GNUTLS_OID_X520_ORGANIZATIONAL_UNIT_NAME, 0,
 109                                       UNIT_NAME, strlen(UNIT_NAME)));
 110         TLSCHECK(gnutls_x509_crt_set_dn_by_oid(crt,
 111                                       GNUTLS_OID_X520_COMMON_NAME, 0,
 112                                       COMMON_NAME, strlen(COMMON_NAME)));
 113         TLSCHECK(gnutls_x509_crt_set_key(crt, key));
 114         TLSCHECK(gnutls_x509_crt_set_serial(crt, &serial, sizeof(serial)));
 115         TLSCHECK(gnutls_x509_crt_set_activation_time(crt, activation));
 116         TLSCHECK(gnutls_x509_crt_set_expiration_time(crt, expiry));
 117         TLSCHECK(gnutls_x509_crt_set_ca_status(crt, 0));
 118 #ifdef GNUTLS_KP_TLS_WWW_SERVER
 119         TLSCHECK(gnutls_x509_crt_set_key_purpose_oid(crt, GNUTLS_KP_TLS_WWW_SERVER, 0));
 120 #endif
 121         TLSCHECK(gnutls_x509_crt_set_version(crt, 3));
 122         TLSCHECK(gnutls_x509_crt_get_key_id(crt, 0, keyid, &keyidsize));
 123 #if HAVE_GNUTLS_X509_CRT_SET_SUBJECT_KEY_ID
 124         TLSCHECK(gnutls_x509_crt_set_subject_key_id(crt, keyid, keyidsize));
 125 #endif
 126         TLSCHECK(gnutls_x509_crt_sign(crt, crt, key));
 127
 128         DEBUG(3,("Exporting TLS keys\n"));
 129
 130         bufsize = sizeof(buf);
 131         TLSCHECK(gnutls_x509_crt_export(crt, GNUTLS_X509_FMT_PEM, buf, &bufsize));
 132         file_save(certfile, buf, bufsize);
 133
 134         bufsize = sizeof(buf);
 135         TLSCHECK(gnutls_x509_crt_export(cacrt, GNUTLS_X509_FMT_PEM, buf, &bufsize));
 136         file_save(cafile, buf, bufsize);
 137
 138         bufsize = sizeof(buf);
 139         TLSCHECK(gnutls_x509_privkey_export(key, GNUTLS_X509_FMT_PEM, buf, &bufsize));
 140         file_save(keyfile, buf, bufsize);
 141
 142         gnutls_x509_privkey_deinit(key);
 143         gnutls_x509_privkey_deinit(cakey);
 144         gnutls_x509_crt_deinit(cacrt);
 145         gnutls_x509_crt_deinit(crt);
 146         gnutls_global_deinit();
 147
 148         DEBUG(0,("TLS self-signed keys generated OK\n"));
 149         return;
 150
 151 failed:
 152         DEBUG(0,("TLS certificate generation failed\n"));
 153 }
 154
 155 #else
 156  void tls_cert_dummy(void) {}
 157 #endif