2005-06-19 04:20:27 +00:00
/*
Unix SMB / CIFS implementation .
auto - generate self signed TLS certificates
Copyright ( C ) Andrew Tridgell 2005
This program is free software ; you can redistribute it and / or modify
it under the terms of the GNU General Public License as published by
2007-07-10 02:07:03 +00:00
the Free Software Foundation ; either version 3 of the License , or
2005-06-19 04:20:27 +00:00
( at your option ) any later version .
This program is distributed in the hope that it will be useful ,
but WITHOUT ANY WARRANTY ; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE . See the
GNU General Public License for more details .
You should have received a copy of the GNU General Public License
2007-07-10 02:07:03 +00:00
along with this program . If not , see < http : //www.gnu.org/licenses/>.
2005-06-19 04:20:27 +00:00
*/
# include "includes.h"
2015-03-18 21:42:19 +01:00
# include "lib/tls/tls.h"
2005-06-19 04:20:27 +00:00
2012-02-17 22:58:07 +01:00
# include <gnutls/gnutls.h>
# include <gnutls/x509.h>
2005-06-19 04:20:27 +00:00
# define ORGANISATION_NAME "Samba Administration"
2015-12-23 15:39:48 +01:00
# define CA_NAME "Samba - temporary autogenerated CA certificate"
# define UNIT_NAME "Samba - temporary autogenerated HOST certificate"
2005-06-19 04:20:27 +00:00
# define LIFETIME 700*24*60*60
2020-03-13 15:32:27 +01:00
/* FIPS140-2 only allows 2048 or 3072 prime sizes. */
# define RSA_BITS gnutls_fips140_mode_enabled() ? 3072 : 4096
2005-06-19 04:20:27 +00:00
/*
auto - generate a set of self signed certificates
*/
void tls_cert_generate ( TALLOC_CTX * mem_ctx ,
2009-02-18 14:46:57 +11:00
const char * hostname ,
2005-06-19 04:20:27 +00:00
const char * keyfile , const char * certfile ,
const char * cafile )
{
2019-11-18 16:33:23 +01:00
gnutls_x509_crt_t cacrt , crt ;
gnutls_x509_privkey_t key , cakey ;
2005-06-19 04:20:27 +00:00
uint32_t serial = ( uint32_t ) time ( NULL ) ;
2006-03-30 08:31:39 +00:00
unsigned char keyid [ 100 ] ;
2005-06-19 04:20:27 +00:00
char buf [ 4096 ] ;
size_t bufsize ;
size_t keyidsize = sizeof ( keyid ) ;
time_t activation = time ( NULL ) , expiry = activation + LIFETIME ;
int ret ;
if ( file_exist ( keyfile ) | | file_exist ( certfile ) | | file_exist ( cafile ) ) {
DEBUG ( 0 , ( " TLS autogeneration skipped - some TLS files already exist \n " ) ) ;
return ;
}
# define TLSCHECK(call) do { \
ret = call ; \
if ( ret < 0 ) { \
DEBUG ( 0 , ( " TLS %s - %s \n " , # call , gnutls_strerror ( ret ) ) ) ; \
goto failed ; \
} \
} while ( 0 )
2009-02-18 14:46:57 +11:00
DEBUG ( 0 , ( " Attempting to autogenerate TLS self-signed keys for https for hostname '%s' \n " ,
hostname ) ) ;
2005-06-19 04:20:27 +00:00
DEBUG ( 3 , ( " Generating private key \n " ) ) ;
TLSCHECK ( gnutls_x509_privkey_init ( & key ) ) ;
2015-12-23 15:39:48 +01:00
TLSCHECK ( gnutls_x509_privkey_generate ( key , GNUTLS_PK_RSA , RSA_BITS , 0 ) ) ;
2005-06-19 04:20:27 +00:00
DEBUG ( 3 , ( " Generating CA private key \n " ) ) ;
TLSCHECK ( gnutls_x509_privkey_init ( & cakey ) ) ;
2015-12-23 15:39:48 +01:00
TLSCHECK ( gnutls_x509_privkey_generate ( cakey , GNUTLS_PK_RSA , RSA_BITS , 0 ) ) ;
2005-06-19 04:20:27 +00:00
DEBUG ( 3 , ( " Generating CA certificate \n " ) ) ;
TLSCHECK ( gnutls_x509_crt_init ( & cacrt ) ) ;
TLSCHECK ( gnutls_x509_crt_set_dn_by_oid ( cacrt ,
GNUTLS_OID_X520_ORGANIZATION_NAME , 0 ,
ORGANISATION_NAME , strlen ( ORGANISATION_NAME ) ) ) ;
TLSCHECK ( gnutls_x509_crt_set_dn_by_oid ( cacrt ,
GNUTLS_OID_X520_ORGANIZATIONAL_UNIT_NAME , 0 ,
2015-12-23 15:39:48 +01:00
CA_NAME , strlen ( CA_NAME ) ) ) ;
2005-06-19 04:20:27 +00:00
TLSCHECK ( gnutls_x509_crt_set_dn_by_oid ( cacrt ,
GNUTLS_OID_X520_COMMON_NAME , 0 ,
2009-02-18 14:46:57 +11:00
hostname , strlen ( hostname ) ) ) ;
2005-06-19 04:20:27 +00:00
TLSCHECK ( gnutls_x509_crt_set_key ( cacrt , cakey ) ) ;
TLSCHECK ( gnutls_x509_crt_set_serial ( cacrt , & serial , sizeof ( serial ) ) ) ;
TLSCHECK ( gnutls_x509_crt_set_activation_time ( cacrt , activation ) ) ;
TLSCHECK ( gnutls_x509_crt_set_expiration_time ( cacrt , expiry ) ) ;
2015-12-23 15:39:48 +01:00
TLSCHECK ( gnutls_x509_crt_set_ca_status ( cacrt , 1 ) ) ;
TLSCHECK ( gnutls_x509_crt_set_key_usage ( cacrt , GNUTLS_KEY_KEY_CERT_SIGN | GNUTLS_KEY_CRL_SIGN ) ) ;
2005-06-19 04:20:27 +00:00
TLSCHECK ( gnutls_x509_crt_set_version ( cacrt , 3 ) ) ;
TLSCHECK ( gnutls_x509_crt_get_key_id ( cacrt , 0 , keyid , & keyidsize ) ) ;
TLSCHECK ( gnutls_x509_crt_set_subject_key_id ( cacrt , keyid , keyidsize ) ) ;
2017-08-09 16:44:24 +12:00
TLSCHECK ( gnutls_x509_crt_sign2 ( cacrt , cacrt , cakey ,
GNUTLS_DIG_SHA256 , 0 ) ) ;
2005-06-19 04:20:27 +00:00
DEBUG ( 3 , ( " Generating TLS certificate \n " ) ) ;
TLSCHECK ( gnutls_x509_crt_init ( & crt ) ) ;
TLSCHECK ( gnutls_x509_crt_set_dn_by_oid ( crt ,
GNUTLS_OID_X520_ORGANIZATION_NAME , 0 ,
ORGANISATION_NAME , strlen ( ORGANISATION_NAME ) ) ) ;
TLSCHECK ( gnutls_x509_crt_set_dn_by_oid ( crt ,
GNUTLS_OID_X520_ORGANIZATIONAL_UNIT_NAME , 0 ,
UNIT_NAME , strlen ( UNIT_NAME ) ) ) ;
TLSCHECK ( gnutls_x509_crt_set_dn_by_oid ( crt ,
GNUTLS_OID_X520_COMMON_NAME , 0 ,
2009-02-18 14:46:57 +11:00
hostname , strlen ( hostname ) ) ) ;
2005-06-19 04:20:27 +00:00
TLSCHECK ( gnutls_x509_crt_set_key ( crt , key ) ) ;
TLSCHECK ( gnutls_x509_crt_set_serial ( crt , & serial , sizeof ( serial ) ) ) ;
TLSCHECK ( gnutls_x509_crt_set_activation_time ( crt , activation ) ) ;
TLSCHECK ( gnutls_x509_crt_set_expiration_time ( crt , expiry ) ) ;
TLSCHECK ( gnutls_x509_crt_set_ca_status ( crt , 0 ) ) ;
TLSCHECK ( gnutls_x509_crt_set_key_purpose_oid ( crt , GNUTLS_KP_TLS_WWW_SERVER , 0 ) ) ;
TLSCHECK ( gnutls_x509_crt_set_version ( crt , 3 ) ) ;
TLSCHECK ( gnutls_x509_crt_get_key_id ( crt , 0 , keyid , & keyidsize ) ) ;
TLSCHECK ( gnutls_x509_crt_set_subject_key_id ( crt , keyid , keyidsize ) ) ;
2017-08-09 16:44:24 +12:00
TLSCHECK ( gnutls_x509_crt_sign2 ( crt , crt , key ,
GNUTLS_DIG_SHA256 , 0 ) ) ;
TLSCHECK ( gnutls_x509_crt_sign2 ( crt , cacrt , cakey ,
GNUTLS_DIG_SHA256 , 0 ) ) ;
2005-06-19 04:20:27 +00:00
DEBUG ( 3 , ( " Exporting TLS keys \n " ) ) ;
bufsize = sizeof ( buf ) ;
TLSCHECK ( gnutls_x509_crt_export ( crt , GNUTLS_X509_FMT_PEM , buf , & bufsize ) ) ;
2010-10-27 22:59:25 +04:00
if ( ! file_save ( certfile , buf , bufsize ) ) {
DEBUG ( 0 , ( " Unable to save certificate in %s parent dir exists ? \n " , certfile ) ) ;
goto failed ;
}
2005-06-19 04:20:27 +00:00
bufsize = sizeof ( buf ) ;
TLSCHECK ( gnutls_x509_crt_export ( cacrt , GNUTLS_X509_FMT_PEM , buf , & bufsize ) ) ;
2010-10-27 22:59:25 +04:00
if ( ! file_save ( cafile , buf , bufsize ) ) {
DEBUG ( 0 , ( " Unable to save ca cert in %s parent dir exists ? \n " , cafile ) ) ;
goto failed ;
}
2005-06-19 04:20:27 +00:00
bufsize = sizeof ( buf ) ;
TLSCHECK ( gnutls_x509_privkey_export ( key , GNUTLS_X509_FMT_PEM , buf , & bufsize ) ) ;
2013-10-29 17:52:39 +01:00
if ( ! file_save_mode ( keyfile , buf , bufsize , 0600 ) ) {
2010-10-27 22:59:25 +04:00
DEBUG ( 0 , ( " Unable to save privatekey in %s parent dir exists ? \n " , keyfile ) ) ;
goto failed ;
}
2005-06-19 04:20:27 +00:00
gnutls_x509_privkey_deinit ( key ) ;
gnutls_x509_privkey_deinit ( cakey ) ;
gnutls_x509_crt_deinit ( cacrt ) ;
gnutls_x509_crt_deinit ( crt ) ;
DEBUG ( 0 , ( " TLS self-signed keys generated OK \n " ) ) ;
return ;
failed :
DEBUG ( 0 , ( " TLS certificate generation failed \n " ) ) ;
}