root/source4/lib/tls/tlscert.c



   1 /* 
   2    Unix SMB/CIFS implementation.
   3 
   4    auto-generate self signed TLS certificates
   5 
   6    Copyright (C) Andrew Tridgell 2005
   7    
   8    This program is free software; you can redistribute it and/or modify
   9    it under the terms of the GNU General Public License as published by
  10    the Free Software Foundation; either version 3 of the License, or
  11    (at your option) any later version.
  12    
  13    This program is distributed in the hope that it will be useful,
  14    but WITHOUT ANY WARRANTY; without even the implied warranty of
  15    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  16    GNU General Public License for more details.
  17    
  18    You should have received a copy of the GNU General Public License
  19    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  20 */
  21 
  22 #include "includes.h"
  23 
  24 #if ENABLE_GNUTLS
  25 #include "gnutls/gnutls.h"
  26 #include "gnutls/x509.h"
  27 #if HAVE_GCRYPT_H
  28 #include <gcrypt.h>
  29 #endif
  30 
/* O and OU placed in the subject DN of both generated certificates */
#define ORGANISATION_NAME "Samba Administration"
#define UNIT_NAME         "Samba - temporary autogenerated certificate"
/* certificate validity in seconds (700 days), added to the activation time */
#define LIFETIME          700*24*60*60
/* RSA modulus size in bits for both generated private keys - despite the
   name this is not a Diffie-Hellman parameter. NOTE(review): 1024-bit RSA
   is below what current TLS clients accept; consider raising it */
#define DH_BITS                   1024
  35 
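/*
  run a gnutls call and, on a negative (error) return, log the failing
  expression and jump to the enclosing function's "out" label.
  Requires a local "int ret" and an "out:" label in the caller.
*/
#define TLSCHECK(call) do { \
	ret = call; \
	if (ret < 0) { \
		DEBUG(0,("TLS %s - %s\n", #call, gnutls_strerror(ret))); \
		goto out; \
	} \
} while (0)

/*
  overwrite a buffer that held private key material. The stores go through
  a volatile-qualified pointer, the usual way to keep the compiler from
  discarding a plain memset() of an object that is about to go out of scope.
*/
static void tls_cert_burn(void *p, size_t n)
{
	volatile unsigned char *vp = p;
	while (n--) {
		*vp++ = 0;
	}
}

/*
  fill in the subject DN, validity window, extensions and public key of one
  certificate and self-sign it with its own private key.

  crt must already be initialised and key already generated. Both
  certificates produced by tls_cert_generate get the same DN (O, OU and
  hostname as CN), the same serial and the same validity window; they are
  distinct issuers, so the shared serial does not collide.

  Returns 0 on success, or the negative gnutls error of the first failing
  call, which has already been logged.
*/
static int tls_cert_build(gnutls_x509_crt crt, gnutls_x509_privkey key,
			  const char *hostname, uint32_t serial,
			  time_t activation, time_t expiry)
{
	unsigned char keyid[100];
	size_t keyidsize = sizeof(keyid);
	int ret;

	TLSCHECK(gnutls_x509_crt_set_dn_by_oid(crt,
					       GNUTLS_OID_X520_ORGANIZATION_NAME, 0,
					       ORGANISATION_NAME, strlen(ORGANISATION_NAME)));
	TLSCHECK(gnutls_x509_crt_set_dn_by_oid(crt,
					       GNUTLS_OID_X520_ORGANIZATIONAL_UNIT_NAME, 0,
					       UNIT_NAME, strlen(UNIT_NAME)));
	TLSCHECK(gnutls_x509_crt_set_dn_by_oid(crt,
					       GNUTLS_OID_X520_COMMON_NAME, 0,
					       hostname, strlen(hostname)));
	TLSCHECK(gnutls_x509_crt_set_key(crt, key));
	/* the serial is the host-order bytes of the 32-bit generation time */
	TLSCHECK(gnutls_x509_crt_set_serial(crt, &serial, sizeof(serial)));
	TLSCHECK(gnutls_x509_crt_set_activation_time(crt, activation));
	TLSCHECK(gnutls_x509_crt_set_expiration_time(crt, expiry));
	/* basicConstraints CA:FALSE for every certificate, the "CA" one included;
	   neither certificate is used to sign the other */
	TLSCHECK(gnutls_x509_crt_set_ca_status(crt, 0));
#ifdef GNUTLS_KP_TLS_WWW_SERVER
	TLSCHECK(gnutls_x509_crt_set_key_purpose_oid(crt, GNUTLS_KP_TLS_WWW_SERVER, 0));
#endif
	TLSCHECK(gnutls_x509_crt_set_version(crt, 3));
	/* keyidsize is an in/out parameter: it starts as the buffer size and
	   comes back as the length actually written */
	TLSCHECK(gnutls_x509_crt_get_key_id(crt, 0, keyid, &keyidsize));
#if HAVE_GNUTLS_X509_CRT_SET_SUBJECT_KEY_ID
	TLSCHECK(gnutls_x509_crt_set_subject_key_id(crt, keyid, keyidsize));
#endif
	TLSCHECK(gnutls_x509_crt_sign(crt, crt, key));
	ret = 0;
out:
	return ret;
}

/*
  auto-generate a set of self signed certificates

  Writes three PEM files: the server private key (keyfile), the server
  certificate (certfile) and a second, independently self-signed "CA"
  certificate (cafile). Nothing is written if any of the three files
  already exists, or if no hostname is available for the CN; both cases
  are logged. Failures are logged at level 0 and the function returns
  without a status. All gnutls objects are released on every path, and
  the stack buffer that carried the PEM private key is scrubbed.
  mem_ctx is part of the interface but is not used.

  NOTE(review): file_save() decides the permissions of keyfile; confirm it
  creates the file without group/world read access, since it holds the
  server's private key. A failure after certfile or cafile has been
  written leaves those files behind, and the next call will then skip
  generation because "some TLS files already exist".
*/
void tls_cert_generate(TALLOC_CTX *mem_ctx, 
		       const char *hostname, 
		       const char *keyfile, const char *certfile,
		       const char *cafile)
{
	gnutls_x509_crt cacrt = NULL, crt = NULL;
	gnutls_x509_privkey key = NULL, cakey = NULL;
	time_t activation = time(NULL), expiry = activation + LIFETIME;
	uint32_t serial = (uint32_t)activation;
	char buf[4096];
	size_t bufsize;
	int global_init_done = 0;
	int ok = 0;
	int ret;

	/* the hostname becomes the CN of both certificates and is passed to
	   strlen(), so refuse a missing one rather than fault */
	if (hostname == NULL || *hostname == '\0') {
		DEBUG(0,("TLS autogeneration skipped - no hostname for the certificate CN\n"));
		return;
	}

	if (file_exist(keyfile) || file_exist(certfile) || file_exist(cafile)) {
		DEBUG(0,("TLS autogeneration skipped - some TLS files already exist\n"));
		return;
	}

	TLSCHECK(gnutls_global_init());
	global_init_done = 1;

	DEBUG(0,("Attempting to autogenerate TLS self-signed keys for https for hostname '%s'\n", 
		 hostname));
	
#if HAVE_GCRYPT_H
	/* same test as the #include above, so the call is only compiled when
	   the header was. NOTE(review): QUICK_RANDOM makes gcrypt generate
	   the keys from its faster, lower-quality random pool; confirm that
	   is acceptable for anything beyond a throwaway bootstrap certificate */
	DEBUG(3,("Enabling QUICK mode in gcrypt\n"));
	gcry_control(GCRYCTL_ENABLE_QUICK_RANDOM, 0);
#endif

	DEBUG(3,("Generating private key\n"));
	TLSCHECK(gnutls_x509_privkey_init(&key));
	TLSCHECK(gnutls_x509_privkey_generate(key,   GNUTLS_PK_RSA, DH_BITS, 0));

	DEBUG(3,("Generating CA private key\n"));
	TLSCHECK(gnutls_x509_privkey_init(&cakey));
	TLSCHECK(gnutls_x509_privkey_generate(cakey, GNUTLS_PK_RSA, DH_BITS, 0));

	DEBUG(3,("Generating CA certificate\n"));
	TLSCHECK(gnutls_x509_crt_init(&cacrt));
	/* tls_cert_build has already logged the failing call */
	ret = tls_cert_build(cacrt, cakey, hostname, serial, activation, expiry);
	if (ret < 0) {
		goto out;
	}

	DEBUG(3,("Generating TLS certificate\n"));
	TLSCHECK(gnutls_x509_crt_init(&crt));
	ret = tls_cert_build(crt, key, hostname, serial, activation, expiry);
	if (ret < 0) {
		goto out;
	}

	DEBUG(3,("Exporting TLS keys\n"));

	/* bufsize is in/out for each export: the buffer size going in, the
	   number of bytes written coming out; an export that does not fit
	   fails and is caught by TLSCHECK */
	bufsize = sizeof(buf);
	TLSCHECK(gnutls_x509_crt_export(crt, GNUTLS_X509_FMT_PEM, buf, &bufsize));
	if (!file_save(certfile, buf, bufsize)) {
		DEBUG(0,("TLS failed to write certificate file %s\n", certfile));
		goto out;
	}

	bufsize = sizeof(buf);
	TLSCHECK(gnutls_x509_crt_export(cacrt, GNUTLS_X509_FMT_PEM, buf, &bufsize));
	if (!file_save(cafile, buf, bufsize)) {
		DEBUG(0,("TLS failed to write CA certificate file %s\n", cafile));
		goto out;
	}

	bufsize = sizeof(buf);
	TLSCHECK(gnutls_x509_privkey_export(key, GNUTLS_X509_FMT_PEM, buf, &bufsize));
	if (!file_save(keyfile, buf, bufsize)) {
		DEBUG(0,("TLS failed to write private key file %s\n", keyfile));
		goto out;
	}

	ok = 1;

out:
	if (!ok) {
		DEBUG(0,("TLS certificate generation failed\n"));
	}
	/* buf carried the PEM private key on the success path, and may hold
	   part of it after a failed export */
	tls_cert_burn(buf, sizeof(buf));
	/* every handle is NULL until its *_init succeeded, so only those that
	   were created are released */
	if (key) {
		gnutls_x509_privkey_deinit(key);
	}
	if (cakey) {
		gnutls_x509_privkey_deinit(cakey);
	}
	if (cacrt) {
		gnutls_x509_crt_deinit(cacrt);
	}
	if (crt) {
		gnutls_x509_crt_deinit(crt);
	}
	if (global_init_done) {
		gnutls_global_deinit();
	}
	if (ok) {
		DEBUG(0,("TLS self-signed keys generated OK\n"));
	}
}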
 163 
 164 #else
/* no-op kept for the build without gnutls (the #else branch of ENABLE_GNUTLS) */
void tls_cert_dummy(void)
{
}
 166 #endif
