/*
   Unix SMB/CIFS implementation.

   auto-generate self signed TLS certificates

   Copyright (C) Andrew Tridgell 2005

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
   the Free Software Foundation; either version 3 of the License, or
   (at your option) any later version.

   This program is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   GNU General Public License for more details.

   You should have received a copy of the GNU General Public License
   along with this program.  If not, see <http://www.gnu.org/licenses/>.
*/
|
|---|
| 21 |
|
|---|
#include "includes.h"
#include <sys/stat.h>
#include <unistd.h>

#if ENABLE_GNUTLS
#include "gnutls/gnutls.h"
#include "gnutls/x509.h"
#if HAVE_GCRYPT_H
#include <gcrypt.h>
#endif
|
|---|
| 30 |
|
|---|
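#define ORGANISATION_NAME "Samba Administration"
#define UNIT_NAME "Samba - temporary autogenerated certificate"
#define CA_UNIT_NAME "Samba - temporary autogenerated CA certificate"
#define LIFETIME (700*24*60*60)
/*
 * RSA modulus size for both the CA key and the host key.  This is an RSA
 * size, not a Diffie-Hellman size (the old name DH_BITS was misleading).
 * 1024-bit RSA is below every current minimum recommendation; 2048 is
 * the floor.  PEM_BUF_SIZE below must be able to hold a private key of
 * this size in PEM form, so raise the two together.
 */
#define RSA_BITS 2048
/* PEM export buffer; comfortably holds a RSA_BITS private key in PEM form */
#define PEM_BUF_SIZE 8192

/*
  Encode a 32-bit serial number as the big-endian payload of a DER
  INTEGER with a leading zero byte.  The leading zero keeps the serial
  positive (RFC 5280 requires a non-negative serial) whatever the top
  bit of the value, and the explicit byte order removes the dependency
  on host endianness that passing &serial directly had.
*/
static void tls_cert_encode_serial(unsigned char out[5], uint32_t value)
{
	out[0] = 0;
	out[1] = (unsigned char)(value >> 24);
	out[2] = (unsigned char)(value >> 16);
	out[3] = (unsigned char)(value >> 8);
	out[4] = (unsigned char)(value);
}

/*
  Auto-generate a host private key, a host certificate and the CA
  certificate that signs it, and write all three out in PEM form.

  mem_ctx   - currently unused; kept for interface compatibility
  hostname  - DNS name placed in the host certificate's CN and SAN
              (assumed to be a DNS name, not an IP literal)
  keyfile   - destination for the host private key (PEM)
  certfile  - destination for the host certificate (PEM)
  cafile    - destination for the CA certificate (PEM).  The CA private
              key is deliberately never written out, so nothing further
              can be issued from this CA; the cafile exists only so that
              certfile can be verified against it.

  Does nothing if any of the three files already exists.  Failures are
  reported through DEBUG; any file already written by a failed run is
  removed again, so the "files already exist" check above cannot be
  tripped by a half-finished run and silently disable regeneration.
*/
void tls_cert_generate(TALLOC_CTX *mem_ctx,
		       const char *hostname,
		       const char *keyfile, const char *certfile,
		       const char *cafile)
{
	gnutls_x509_crt cacrt = NULL, crt = NULL;
	gnutls_x509_privkey key = NULL, cakey = NULL;
	uint32_t serial = (uint32_t)time(NULL);
	unsigned char serial_bytes[5];
	unsigned char keyid[100];
	char buf[PEM_BUF_SIZE];
	size_t bufsize;
	size_t keyidsize;
	time_t activation = time(NULL), expiry = activation + LIFETIME;
	mode_t old_umask;
	int global_init_done = 0;
	int cert_written = 0, ca_written = 0, key_written = 0;
	int saved;
	int ret;

	/* strlen(hostname) below would be undefined on NULL */
	if (hostname == NULL || *hostname == '\0') {
		DEBUG(0,("TLS autogeneration skipped - no hostname given\n"));
		return;
	}

	if (file_exist(keyfile) || file_exist(certfile) || file_exist(cafile)) {
		DEBUG(0,("TLS autogeneration skipped - some TLS files already exist\n"));
		return;
	}

#define TLSCHECK(call) do { \
	ret = call; \
	if (ret < 0) { \
		DEBUG(0,("TLS %s - %s\n", #call, gnutls_strerror(ret))); \
		goto failed; \
	} \
} while (0)

	TLSCHECK(gnutls_global_init());
	global_init_done = 1;

	DEBUG(0,("Attempting to autogenerate TLS self-signed keys for https for hostname '%s'\n",
		 hostname));

#ifdef HAVE_GCRYPT_H
	/*
	 * NOTE(review): libgcrypt documents QUICK_RANDOM as a faster but
	 * lower-quality RNG mode.  It is kept here so startup does not block
	 * waiting for entropy, but it is being used to generate long-lived
	 * private keys; confirm this is acceptable for the deployment.
	 */
	DEBUG(3,("Enabling QUICK mode in gcrypt\n"));
	gcry_control(GCRYCTL_ENABLE_QUICK_RANDOM, 0);
#endif

	DEBUG(3,("Generating private key\n"));
	TLSCHECK(gnutls_x509_privkey_init(&key));
	TLSCHECK(gnutls_x509_privkey_generate(key, GNUTLS_PK_RSA, RSA_BITS, 0));

	DEBUG(3,("Generating CA private key\n"));
	TLSCHECK(gnutls_x509_privkey_init(&cakey));
	TLSCHECK(gnutls_x509_privkey_generate(cakey, GNUTLS_PK_RSA, RSA_BITS, 0));

	/*
	 * CA certificate.  Its subject DN must differ from the host
	 * certificate's, otherwise the host certificate would be
	 * "self-issued" (issuer == subject) and some validators would try
	 * to verify it with its own key; the distinct OU takes care of that.
	 */
	DEBUG(3,("Generating CA certificate\n"));
	TLSCHECK(gnutls_x509_crt_init(&cacrt));
	TLSCHECK(gnutls_x509_crt_set_dn_by_oid(cacrt,
					       GNUTLS_OID_X520_ORGANIZATION_NAME, 0,
					       ORGANISATION_NAME, strlen(ORGANISATION_NAME)));
	TLSCHECK(gnutls_x509_crt_set_dn_by_oid(cacrt,
					       GNUTLS_OID_X520_ORGANIZATIONAL_UNIT_NAME, 0,
					       CA_UNIT_NAME, strlen(CA_UNIT_NAME)));
	TLSCHECK(gnutls_x509_crt_set_dn_by_oid(cacrt,
					       GNUTLS_OID_X520_COMMON_NAME, 0,
					       hostname, strlen(hostname)));
	TLSCHECK(gnutls_x509_crt_set_key(cacrt, cakey));
	tls_cert_encode_serial(serial_bytes, serial);
	TLSCHECK(gnutls_x509_crt_set_serial(cacrt, serial_bytes, sizeof(serial_bytes)));
	TLSCHECK(gnutls_x509_crt_set_activation_time(cacrt, activation));
	TLSCHECK(gnutls_x509_crt_set_expiration_time(cacrt, expiry));
	/* this really is a CA: it signs the host certificate below */
	TLSCHECK(gnutls_x509_crt_set_ca_status(cacrt, 1));
#ifdef GNUTLS_KEY_KEY_CERT_SIGN
	TLSCHECK(gnutls_x509_crt_set_key_usage(cacrt, GNUTLS_KEY_KEY_CERT_SIGN));
#endif
#ifdef GNUTLS_KP_TLS_WWW_SERVER
	TLSCHECK(gnutls_x509_crt_set_key_purpose_oid(cacrt, GNUTLS_KP_TLS_WWW_SERVER, 0));
#endif
	TLSCHECK(gnutls_x509_crt_set_version(cacrt, 3));
	/* reset the capacity each time: get_key_id shrinks it to the id length */
	keyidsize = sizeof(keyid);
	TLSCHECK(gnutls_x509_crt_get_key_id(cacrt, 0, keyid, &keyidsize));
#if HAVE_GNUTLS_X509_CRT_SET_SUBJECT_KEY_ID
	TLSCHECK(gnutls_x509_crt_set_subject_key_id(cacrt, keyid, keyidsize));
#endif
	TLSCHECK(gnutls_x509_crt_sign(cacrt, cacrt, cakey));

	DEBUG(3,("Generating TLS certificate\n"));
	TLSCHECK(gnutls_x509_crt_init(&crt));
	TLSCHECK(gnutls_x509_crt_set_dn_by_oid(crt,
					       GNUTLS_OID_X520_ORGANIZATION_NAME, 0,
					       ORGANISATION_NAME, strlen(ORGANISATION_NAME)));
	TLSCHECK(gnutls_x509_crt_set_dn_by_oid(crt,
					       GNUTLS_OID_X520_ORGANIZATIONAL_UNIT_NAME, 0,
					       UNIT_NAME, strlen(UNIT_NAME)));
	TLSCHECK(gnutls_x509_crt_set_dn_by_oid(crt,
					       GNUTLS_OID_X520_COMMON_NAME, 0,
					       hostname, strlen(hostname)));
	TLSCHECK(gnutls_x509_crt_set_key(crt, key));
	/* a different serial from the CA's: serials must be unique per issuer */
	tls_cert_encode_serial(serial_bytes, serial + 1);
	TLSCHECK(gnutls_x509_crt_set_serial(crt, serial_bytes, sizeof(serial_bytes)));
	TLSCHECK(gnutls_x509_crt_set_activation_time(crt, activation));
	TLSCHECK(gnutls_x509_crt_set_expiration_time(crt, expiry));
	TLSCHECK(gnutls_x509_crt_set_ca_status(crt, 0));
#ifdef GNUTLS_KP_TLS_WWW_SERVER
	TLSCHECK(gnutls_x509_crt_set_key_purpose_oid(crt, GNUTLS_KP_TLS_WWW_SERVER, 0));
#endif
	/* clients match the host name against the SAN, not only the CN */
	TLSCHECK(gnutls_x509_crt_set_subject_alternative_name(crt, GNUTLS_SAN_DNSNAME,
							      hostname));
	TLSCHECK(gnutls_x509_crt_set_version(crt, 3));
	keyidsize = sizeof(keyid);
	TLSCHECK(gnutls_x509_crt_get_key_id(crt, 0, keyid, &keyidsize));
#if HAVE_GNUTLS_X509_CRT_SET_SUBJECT_KEY_ID
	TLSCHECK(gnutls_x509_crt_set_subject_key_id(crt, keyid, keyidsize));
#endif
	/*
	 * Signed by the CA rather than self-signed, so the exported cafile
	 * actually anchors certfile.  (The previous self-signature made the
	 * CA certificate useless as a trust anchor for the host certificate.)
	 */
	TLSCHECK(gnutls_x509_crt_sign(crt, cacrt, cakey));

	DEBUG(3,("Exporting TLS keys\n"));

	bufsize = sizeof(buf);
	TLSCHECK(gnutls_x509_crt_export(crt, GNUTLS_X509_FMT_PEM, buf, &bufsize));
	if (!file_save(certfile, buf, bufsize)) {
		DEBUG(0,("TLS failed to write certificate file %s\n", certfile));
		goto failed;
	}
	cert_written = 1;

	bufsize = sizeof(buf);
	TLSCHECK(gnutls_x509_crt_export(cacrt, GNUTLS_X509_FMT_PEM, buf, &bufsize));
	if (!file_save(cafile, buf, bufsize)) {
		DEBUG(0,("TLS failed to write CA certificate file %s\n", cafile));
		goto failed;
	}
	ca_written = 1;

	bufsize = sizeof(buf);
	TLSCHECK(gnutls_x509_privkey_export(key, GNUTLS_X509_FMT_PEM, buf, &bufsize));
	/*
	 * file_save()'s create mode is not visible from here; tighten the
	 * umask around the write so the private key cannot be created
	 * group- or world-readable whatever mode file_save() uses.
	 */
	old_umask = umask(077);
	saved = file_save(keyfile, buf, bufsize);
	umask(old_umask);
	if (!saved) {
		DEBUG(0,("TLS failed to write private key file %s\n", keyfile));
		goto failed;
	}
	key_written = 1;

	DEBUG(0,("TLS self-signed keys generated OK\n"));
	goto cleanup;

failed:
	DEBUG(0,("TLS certificate generation failed\n"));
	/* never leave a partial set behind: it would block the next attempt */
	if (cert_written) {
		unlink(certfile);
	}
	if (ca_written) {
		unlink(cafile);
	}
	if (key_written) {
		unlink(keyfile);
	}

cleanup:
	/* best-effort scrub of the PEM private key copy; may be optimised away */
	memset(buf, 0, sizeof(buf));
	if (crt != NULL) {
		gnutls_x509_crt_deinit(crt);
	}
	if (cacrt != NULL) {
		gnutls_x509_crt_deinit(cacrt);
	}
	if (cakey != NULL) {
		gnutls_x509_privkey_deinit(cakey);
	}
	if (key != NULL) {
		gnutls_x509_privkey_deinit(key);
	}
	if (global_init_done) {
		gnutls_global_deinit();
	}
}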
|
|---|
| 163 |
|
|---|
| 164 | #else
|
|---|
/* Placeholder symbol for builds with ENABLE_GNUTLS unset; does nothing. */
void tls_cert_dummy(void)
{
}
|
|---|
| 166 | #endif
|
|---|