static gnutls_x509_privkey generate_private_key(void)
{
int ret;
gnutls_x509_privkey key;
ret = gnutls_x509_privkey_init(&key);
if ( ret < 0 ) {
fprintf(stderr, "error initializing private key: %s.\n", gnutls_strerror(ret));
return NULL;
}
gcry_set_progress_handler(entropy_progress_cb, NULL);
fprintf(stderr, "Generating %d bits RSA private key... This might take a very long time.\n", generated_key_size);
fprintf(stderr, "[Increasing system activity will speed-up the process].\n");
fprintf(stderr, "Generation in progress... ");
fflush(stderr);
ret = gnutls_x509_privkey_generate(key, GNUTLS_PK_RSA, generated_key_size, 0);
if ( ret < 0 ) {
fprintf(stderr, "error generating private RSA key: %s\n", gnutls_strerror(ret));
gnutls_x509_privkey_deinit(key);
return NULL;
}
fprintf(stderr, "\n\n");
return key;
}
static gpointer
epc_tls_private_key_thread (gpointer data)
{
EcpTlsKeyContext *context = data;
context->rc = gnutls_x509_privkey_generate (context->key, GNUTLS_PK_RSA, 1024, 0);
g_main_loop_quit (context->loop);
return NULL;
}
PrivateKey
PrivateKey::generate(unsigned key_length)
{
if (gnutls_global_init() != GNUTLS_E_SUCCESS)
throw CryptoException("Can't initialize GnuTLS.");
gnutls_x509_privkey_t key;
if (gnutls_x509_privkey_init(&key) != GNUTLS_E_SUCCESS)
throw CryptoException("Can't initialize private key.");
int err = gnutls_x509_privkey_generate(key, GNUTLS_PK_RSA, key_length, 0);
if (err != GNUTLS_E_SUCCESS) {
gnutls_x509_privkey_deinit(key);
throw CryptoException(std::string("Can't generate RSA key pair: ") + gnutls_strerror(err));
}
return PrivateKey{key};
}
/*!
* Generate new key and export it in the PEM format.
*/
int pem_generate(gnutls_pk_algorithm_t algorithm, unsigned bits,
dnssec_binary_t *pem_ptr, char **id_ptr)
{
assert(pem_ptr);
assert(id_ptr);
// generate key
_cleanup_x509_privkey_ gnutls_x509_privkey_t key = NULL;
int r = gnutls_x509_privkey_init(&key);
if (r != GNUTLS_E_SUCCESS) {
return DNSSEC_ENOMEM;
}
r = gnutls_x509_privkey_generate(key, algorithm, bits, 0);
if (r != GNUTLS_E_SUCCESS) {
return DNSSEC_KEY_GENERATE_ERROR;
}
// convert to PEM and export the ID
dnssec_binary_t pem = { 0 };
r = pem_gnutls_x509_export(key, &pem);
if (r != DNSSEC_EOK) {
return r;
}
// export key ID
char *id = gnutls_x509_privkey_hex_key_id(key);
if (!id) {
dnssec_binary_free(&pem);
return DNSSEC_ENOMEM;
}
*pem_ptr = pem;
*id_ptr = id;
return DNSSEC_EOK;
}
int
main (void)
{
gnutls_x509_privkey_t key;
gnutls_datum_t p, q, g, y, x;
int ret;
gnutls_global_init ();
ret = gnutls_x509_privkey_init (&key);
if (ret < 0)
return 1;
ret = gnutls_x509_privkey_generate (key, GNUTLS_PK_DSA, 512, 0);
if (ret < 0)
return 1;
ret = gnutls_x509_privkey_export_dsa_raw (key, &p, &q, &g, &y, &x);
if (ret < 0)
return 1;
if (q.size == 3 && memcmp (q.data, "\x01\x00\x01", 3) == 0)
{
printf ("buggy\n");
return 1;
}
else
printf ("success!\n");
gnutls_free (p.data);
gnutls_free (q.data);
gnutls_free (g.data);
gnutls_free (y.data);
gnutls_free (x.data);
gnutls_x509_privkey_deinit (key);
gnutls_global_deinit ();
return 0;
}
void Plugin::_loadPrivateKey()
{
QFile file(this->keyFile);
int bits;
size_t size;
QByteArray data;
gnutls_datum_t datum;
int error;
if (!file.open(QIODevice::ReadWrite))
throw Properties("error", "Unable to open the private key file").add("file", this->keyFile);
ASSERT_INIT(gnutls_x509_privkey_init(&this->key), "privkey");
// Checks that the private key is valid
if (file.size() > 0)
{
data = file.readAll();
datum.size = data.size();
datum.data = (unsigned char *)data.data();
if ((error = gnutls_x509_privkey_import_pkcs8(this->key, &datum, GNUTLS_X509_FMT_PEM, this->keyPassword.data(), 0)) != GNUTLS_E_SUCCESS)
{
LOG_ERROR("Invalid private key", Properties("error", gnutls_strerror(error)).toMap(), "Plugin", "_generatePrivateKey");
file.resize(0);
}
else if (gnutls_x509_privkey_sec_param(this->key) != this->secParam)
file.resize(0);
}
// Generates the private key
if (file.size() == 0)
{
bits = gnutls_sec_param_to_pk_bits(GNUTLS_PK_RSA, this->secParam);
LOG_INFO("Generating a new private key", Properties("secParam", gnutls_sec_param_get_name(this->secParam)).add("bits", bits).toMap(), "Plugin", "_generatePrivateKey");
ASSERT(gnutls_x509_privkey_generate(this->key, GNUTLS_PK_RSA, bits, 0));
ASSERT(gnutls_x509_privkey_verify_params(this->key));
size = bits;
data.resize((int)size);
ASSERT(gnutls_x509_privkey_export_pkcs8(this->key, GNUTLS_X509_FMT_PEM, this->keyPassword.data(), GNUTLS_PKCS_USE_PBES2_AES_256, data.data(), &size));
data.resize((int)size);
file.write(data);
}
}
/*
auto-generate a set of self signed certificates
*/
void tls_cert_generate(TALLOC_CTX *mem_ctx,
const char *hostname,
const char *keyfile, const char *certfile,
const char *cafile)
{
gnutls_x509_crt cacrt, crt;
gnutls_x509_privkey key, cakey;
uint32_t serial = (uint32_t)time(NULL);
unsigned char keyid[100];
char buf[4096];
size_t bufsize;
size_t keyidsize = sizeof(keyid);
time_t activation = time(NULL), expiry = activation + LIFETIME;
int ret;
if (file_exist(keyfile) || file_exist(certfile) || file_exist(cafile)) {
DEBUG(0,("TLS autogeneration skipped - some TLS files already exist\n"));
return;
}
#define TLSCHECK(call) do { \
ret = call; \
if (ret < 0) { \
DEBUG(0,("TLS %s - %s\n", #call, gnutls_strerror(ret))); \
goto failed; \
} \
} while (0)
TLSCHECK(gnutls_global_init());
DEBUG(0,("Attempting to autogenerate TLS self-signed keys for https for hostname '%s'\n",
hostname));
#if defined(HAVE_GCRYPT_H) && !defined(HAVE_GNUTLS3)
DEBUG(3,("Enabling QUICK mode in gcrypt\n"));
gcry_control(GCRYCTL_ENABLE_QUICK_RANDOM, 0);
#endif
DEBUG(3,("Generating private key\n"));
TLSCHECK(gnutls_x509_privkey_init(&key));
TLSCHECK(gnutls_x509_privkey_generate(key, GNUTLS_PK_RSA, RSA_BITS, 0));
DEBUG(3,("Generating CA private key\n"));
TLSCHECK(gnutls_x509_privkey_init(&cakey));
TLSCHECK(gnutls_x509_privkey_generate(cakey, GNUTLS_PK_RSA, RSA_BITS, 0));
DEBUG(3,("Generating CA certificate\n"));
TLSCHECK(gnutls_x509_crt_init(&cacrt));
TLSCHECK(gnutls_x509_crt_set_dn_by_oid(cacrt,
GNUTLS_OID_X520_ORGANIZATION_NAME, 0,
ORGANISATION_NAME, strlen(ORGANISATION_NAME)));
TLSCHECK(gnutls_x509_crt_set_dn_by_oid(cacrt,
GNUTLS_OID_X520_ORGANIZATIONAL_UNIT_NAME, 0,
CA_NAME, strlen(CA_NAME)));
TLSCHECK(gnutls_x509_crt_set_dn_by_oid(cacrt,
GNUTLS_OID_X520_COMMON_NAME, 0,
hostname, strlen(hostname)));
TLSCHECK(gnutls_x509_crt_set_key(cacrt, cakey));
TLSCHECK(gnutls_x509_crt_set_serial(cacrt, &serial, sizeof(serial)));
TLSCHECK(gnutls_x509_crt_set_activation_time(cacrt, activation));
TLSCHECK(gnutls_x509_crt_set_expiration_time(cacrt, expiry));
TLSCHECK(gnutls_x509_crt_set_ca_status(cacrt, 1));
TLSCHECK(gnutls_x509_crt_set_key_usage(cacrt, GNUTLS_KEY_KEY_CERT_SIGN | GNUTLS_KEY_CRL_SIGN));
TLSCHECK(gnutls_x509_crt_set_version(cacrt, 3));
TLSCHECK(gnutls_x509_crt_get_key_id(cacrt, 0, keyid, &keyidsize));
#if HAVE_GNUTLS_X509_CRT_SET_SUBJECT_KEY_ID
TLSCHECK(gnutls_x509_crt_set_subject_key_id(cacrt, keyid, keyidsize));
#endif
TLSCHECK(gnutls_x509_crt_sign2(cacrt, cacrt, cakey,
GNUTLS_DIG_SHA256, 0));
DEBUG(3,("Generating TLS certificate\n"));
TLSCHECK(gnutls_x509_crt_init(&crt));
TLSCHECK(gnutls_x509_crt_set_dn_by_oid(crt,
GNUTLS_OID_X520_ORGANIZATION_NAME, 0,
ORGANISATION_NAME, strlen(ORGANISATION_NAME)));
TLSCHECK(gnutls_x509_crt_set_dn_by_oid(crt,
GNUTLS_OID_X520_ORGANIZATIONAL_UNIT_NAME, 0,
UNIT_NAME, strlen(UNIT_NAME)));
TLSCHECK(gnutls_x509_crt_set_dn_by_oid(crt,
GNUTLS_OID_X520_COMMON_NAME, 0,
hostname, strlen(hostname)));
TLSCHECK(gnutls_x509_crt_set_key(crt, key));
TLSCHECK(gnutls_x509_crt_set_serial(crt, &serial, sizeof(serial)));
TLSCHECK(gnutls_x509_crt_set_activation_time(crt, activation));
TLSCHECK(gnutls_x509_crt_set_expiration_time(crt, expiry));
TLSCHECK(gnutls_x509_crt_set_ca_status(crt, 0));
#ifdef GNUTLS_KP_TLS_WWW_SERVER
TLSCHECK(gnutls_x509_crt_set_key_purpose_oid(crt, GNUTLS_KP_TLS_WWW_SERVER, 0));
#endif
TLSCHECK(gnutls_x509_crt_set_version(crt, 3));
TLSCHECK(gnutls_x509_crt_get_key_id(crt, 0, keyid, &keyidsize));
#if HAVE_GNUTLS_X509_CRT_SET_SUBJECT_KEY_ID
TLSCHECK(gnutls_x509_crt_set_subject_key_id(crt, keyid, keyidsize));
#endif
TLSCHECK(gnutls_x509_crt_sign2(crt, crt, key,
GNUTLS_DIG_SHA256, 0));
TLSCHECK(gnutls_x509_crt_sign2(crt, cacrt, cakey,
GNUTLS_DIG_SHA256, 0));
DEBUG(3,("Exporting TLS keys\n"));
bufsize = sizeof(buf);
TLSCHECK(gnutls_x509_crt_export(crt, GNUTLS_X509_FMT_PEM, buf, &bufsize));
if (!file_save(certfile, buf, bufsize)) {
DEBUG(0,("Unable to save certificate in %s parent dir exists ?\n", certfile));
goto failed;
}
bufsize = sizeof(buf);
TLSCHECK(gnutls_x509_crt_export(cacrt, GNUTLS_X509_FMT_PEM, buf, &bufsize));
if (!file_save(cafile, buf, bufsize)) {
DEBUG(0,("Unable to save ca cert in %s parent dir exists ?\n", cafile));
goto failed;
}
bufsize = sizeof(buf);
TLSCHECK(gnutls_x509_privkey_export(key, GNUTLS_X509_FMT_PEM, buf, &bufsize));
if (!file_save_mode(keyfile, buf, bufsize, 0600)) {
DEBUG(0,("Unable to save privatekey in %s parent dir exists ?\n", keyfile));
goto failed;
}
gnutls_x509_privkey_deinit(key);
gnutls_x509_privkey_deinit(cakey);
gnutls_x509_crt_deinit(cacrt);
gnutls_x509_crt_deinit(crt);
gnutls_global_deinit();
DEBUG(0,("TLS self-signed keys generated OK\n"));
return;
failed:
DEBUG(0,("TLS certificate generation failed\n"));
}
void
doit (void)
{
gnutls_x509_privkey_t pkey;
gnutls_privkey_t abs_pkey;
gnutls_x509_crq_t crq;
size_t pkey_key_id_len;
unsigned char *pkey_key_id = NULL;
size_t crq_key_id_len;
unsigned char *crq_key_id = NULL;
gnutls_pk_algorithm_t algorithm;
int ret;
ret = global_init ();
if (ret < 0)
fail ("global_init: %d\n", ret);
gnutls_global_set_log_function (tls_log_func);
if (debug)
gnutls_global_set_log_level (4711);
for (algorithm = GNUTLS_PK_RSA; algorithm <= GNUTLS_PK_DSA; algorithm++)
{
ret = gnutls_x509_crq_init (&crq);
if (ret < 0)
fail ("gnutls_x509_crq_init: %d\n", ret);
ret = gnutls_x509_privkey_init (&pkey);
if (ret < 0)
{
fail ("gnutls_x509_privkey_init: %d\n", ret);
}
ret = gnutls_privkey_init (&abs_pkey);
if (ret < 0)
{
fail ("gnutls_privkey_init: %d\n", ret);
}
ret = gnutls_x509_privkey_generate (pkey, algorithm, 1024, 0);
if (ret < 0)
{
fail ("gnutls_x509_privkey_generate (rsa): %d\n", ret);
}
else if (debug)
{
success ("Key[%s] generation ok: %d\n",
gnutls_pk_algorithm_get_name (algorithm), ret);
}
pkey_key_id_len = 0;
ret = gnutls_x509_privkey_get_key_id (pkey, 0, pkey_key_id,
&pkey_key_id_len);
if (ret != GNUTLS_E_SHORT_MEMORY_BUFFER)
{
fail ("gnutls_x509_privkey_get_key_id incorrectly returns %d\n",
ret);
}
pkey_key_id = malloc (sizeof (unsigned char) * pkey_key_id_len);
ret = gnutls_x509_privkey_get_key_id (pkey, 0, pkey_key_id,
&pkey_key_id_len);
if (ret != GNUTLS_E_SUCCESS)
{
fail ("gnutls_x509_privkey_get_key_id incorrectly returns %d\n",
ret);
}
ret = gnutls_x509_crq_set_version (crq, 1);
if (ret < 0)
{
fail ("gnutls_x509_crq_set_version: %d\n", ret);
}
ret = gnutls_x509_crq_set_key (crq, pkey);
if (ret < 0)
{
fail ("gnutls_x509_crq_set_key: %d\n", ret);
}
ret = gnutls_x509_crq_set_dn_by_oid (crq, GNUTLS_OID_X520_COMMON_NAME,
0, "CN-Test", 7);
if (ret < 0)
{
fail ("gnutls_x509_crq_set_dn_by_oid: %d\n", ret);
}
ret = gnutls_privkey_import_x509( abs_pkey, pkey, 0);
if (ret < 0)
{
fail ("gnutls_privkey_import_x509: %d\n", ret);
}
ret = gnutls_x509_crq_privkey_sign (crq, abs_pkey, GNUTLS_DIG_SHA1, 0);
if (ret < 0)
{
fail ("gnutls_x509_crq_sign: %d\n", ret);
}
ret = gnutls_x509_crq_verify (crq, 0);
if (ret < 0)
{
fail ("gnutls_x509_crq_verify: %d\n", ret);
}
crq_key_id_len = 0;
ret = gnutls_x509_crq_get_key_id (crq, 0, crq_key_id, &crq_key_id_len);
if (ret != GNUTLS_E_SHORT_MEMORY_BUFFER)
{
fail ("gnutls_x509_crq_get_key_id incorrectly returns %d\n", ret);
}
crq_key_id = malloc (sizeof (unsigned char) * crq_key_id_len);
ret = gnutls_x509_crq_get_key_id (crq, 0, crq_key_id, &crq_key_id_len);
if (ret != GNUTLS_E_SUCCESS)
{
fail ("gnutls_x509_crq_get_key_id incorrectly returns %d\n", ret);
}
if (crq_key_id_len == pkey_key_id_len)
{
ret = memcmp (crq_key_id, pkey_key_id, crq_key_id_len);
if (ret == 0)
{
if (debug)
success ("Key ids are identical. OK.\n");
}
else
{
fail ("Key ids differ incorrectly: %d\n", ret);
}
}
else
{
fail ("Key_id lengths differ incorrectly: %d - %d\n",
(int) crq_key_id_len, (int) pkey_key_id_len);
}
if (pkey_key_id)
{
free (pkey_key_id);
pkey_key_id = NULL;
}
if (crq_key_id)
{
free (crq_key_id);
crq_key_id = NULL;
}
gnutls_x509_crq_deinit (crq);
gnutls_x509_privkey_deinit (pkey);
gnutls_privkey_deinit (abs_pkey);
}
gnutls_global_deinit ();
}
static int /* O - 1 on success, 0 on failure */
make_certificate(cupsd_client_t *con) /* I - Client connection */
{
gnutls_x509_crt crt; /* Self-signed certificate */
gnutls_x509_privkey key; /* Encryption key */
cups_lang_t *language; /* Default language info */
cups_file_t *fp; /* Key/cert file */
unsigned char buffer[8192]; /* Buffer for x509 data */
size_t bytes; /* Number of bytes of data */
unsigned char serial[4]; /* Serial number buffer */
time_t curtime; /* Current time */
int result; /* Result of GNU TLS calls */
/*
* Create the encryption key...
*/
cupsdLogMessage(CUPSD_LOG_INFO, "Generating SSL server key...");
gnutls_x509_privkey_init(&key);
gnutls_x509_privkey_generate(key, GNUTLS_PK_RSA, 2048, 0);
/*
* Save it...
*/
bytes = sizeof(buffer);
if ((result = gnutls_x509_privkey_export(key, GNUTLS_X509_FMT_PEM,
buffer, &bytes)) < 0)
{
cupsdLogMessage(CUPSD_LOG_ERROR, "Unable to export SSL server key - %s",
gnutls_strerror(result));
gnutls_x509_privkey_deinit(key);
return (0);
}
else if ((fp = cupsFileOpen(ServerKey, "w")) != NULL)
{
cupsFileWrite(fp, (char *)buffer, bytes);
cupsFileClose(fp);
cupsdLogMessage(CUPSD_LOG_INFO, "Created SSL server key file \"%s\"...",
ServerKey);
}
else
{
cupsdLogMessage(CUPSD_LOG_ERROR,
"Unable to create SSL server key file \"%s\" - %s",
ServerKey, strerror(errno));
gnutls_x509_privkey_deinit(key);
return (0);
}
/*
* Create the self-signed certificate...
*/
cupsdLogMessage(CUPSD_LOG_INFO, "Generating self-signed SSL certificate...");
language = cupsLangDefault();
curtime = time(NULL);
serial[0] = curtime >> 24;
serial[1] = curtime >> 16;
serial[2] = curtime >> 8;
serial[3] = curtime;
gnutls_x509_crt_init(&crt);
if (strlen(language->language) == 5)
gnutls_x509_crt_set_dn_by_oid(crt, GNUTLS_OID_X520_COUNTRY_NAME, 0,
language->language + 3, 2);
else
gnutls_x509_crt_set_dn_by_oid(crt, GNUTLS_OID_X520_COUNTRY_NAME, 0,
"US", 2);
gnutls_x509_crt_set_dn_by_oid(crt, GNUTLS_OID_X520_COMMON_NAME, 0,
ServerName, strlen(ServerName));
gnutls_x509_crt_set_dn_by_oid(crt, GNUTLS_OID_X520_ORGANIZATION_NAME, 0,
ServerName, strlen(ServerName));
gnutls_x509_crt_set_dn_by_oid(crt, GNUTLS_OID_X520_ORGANIZATIONAL_UNIT_NAME,
0, "Unknown", 7);
gnutls_x509_crt_set_dn_by_oid(crt, GNUTLS_OID_X520_STATE_OR_PROVINCE_NAME, 0,
"Unknown", 7);
gnutls_x509_crt_set_dn_by_oid(crt, GNUTLS_OID_X520_LOCALITY_NAME, 0,
"Unknown", 7);
gnutls_x509_crt_set_dn_by_oid(crt, GNUTLS_OID_PKCS9_EMAIL, 0,
ServerAdmin, strlen(ServerAdmin));
gnutls_x509_crt_set_key(crt, key);
gnutls_x509_crt_set_serial(crt, serial, sizeof(serial));
gnutls_x509_crt_set_activation_time(crt, curtime);
gnutls_x509_crt_set_expiration_time(crt, curtime + 10 * 365 * 86400);
gnutls_x509_crt_set_ca_status(crt, 0);
gnutls_x509_crt_set_subject_alternative_name(crt, GNUTLS_SAN_DNSNAME,
ServerName);
gnutls_x509_crt_set_key_purpose_oid(crt, GNUTLS_KP_TLS_WWW_SERVER, 0);
gnutls_x509_crt_set_key_usage(crt, GNUTLS_KEY_KEY_ENCIPHERMENT);
gnutls_x509_crt_set_version(crt, 3);
bytes = sizeof(buffer);
if (gnutls_x509_crt_get_key_id(crt, 0, buffer, &bytes) >= 0)
gnutls_x509_crt_set_subject_key_id(crt, buffer, bytes);
gnutls_x509_crt_sign(crt, crt, key);
/*
* Save it...
*/
bytes = sizeof(buffer);
if ((result = gnutls_x509_crt_export(crt, GNUTLS_X509_FMT_PEM,
buffer, &bytes)) < 0)
cupsdLogMessage(CUPSD_LOG_ERROR,
"Unable to export SSL server certificate - %s",
gnutls_strerror(result));
else if ((fp = cupsFileOpen(ServerCertificate, "w")) != NULL)
{
cupsFileWrite(fp, (char *)buffer, bytes);
cupsFileClose(fp);
cupsdLogMessage(CUPSD_LOG_INFO,
"Created SSL server certificate file \"%s\"...",
ServerCertificate);
}
else
cupsdLogMessage(CUPSD_LOG_ERROR,
"Unable to create SSL server certificate file \"%s\" - %s",
ServerCertificate, strerror(errno));
/*
* Cleanup...
*/
gnutls_x509_crt_deinit(crt);
gnutls_x509_privkey_deinit(key);
return (1);
}
/** Private function which generate private keys and certificates.
*
* @return 1 if keys were successfully generated, 0 otherwise
*/
static userpref_error_t userpref_gen_keys_and_cert(void)
{
userpref_error_t ret = USERPREF_E_SSL_ERROR;
gnutls_x509_privkey_t root_privkey;
gnutls_x509_crt_t root_cert;
gnutls_x509_privkey_t host_privkey;
gnutls_x509_crt_t host_cert;
gnutls_global_deinit();
gnutls_global_init();
//use less secure random to speed up key generation
gcry_control(GCRYCTL_ENABLE_QUICK_RANDOM);
gnutls_x509_privkey_init(&root_privkey);
gnutls_x509_privkey_init(&host_privkey);
gnutls_x509_crt_init(&root_cert);
gnutls_x509_crt_init(&host_cert);
/* generate root key */
gnutls_x509_privkey_generate(root_privkey, GNUTLS_PK_RSA, 2048, 0);
gnutls_x509_privkey_generate(host_privkey, GNUTLS_PK_RSA, 2048, 0);
/* generate certificates */
gnutls_x509_crt_set_key(root_cert, root_privkey);
gnutls_x509_crt_set_serial(root_cert, "\x00", 1);
gnutls_x509_crt_set_version(root_cert, 3);
gnutls_x509_crt_set_ca_status(root_cert, 1);
gnutls_x509_crt_set_activation_time(root_cert, time(NULL));
gnutls_x509_crt_set_expiration_time(root_cert, time(NULL) + (60 * 60 * 24 * 365 * 10));
gnutls_x509_crt_sign(root_cert, root_cert, root_privkey);
gnutls_x509_crt_set_key(host_cert, host_privkey);
gnutls_x509_crt_set_serial(host_cert, "\x00", 1);
gnutls_x509_crt_set_version(host_cert, 3);
gnutls_x509_crt_set_ca_status(host_cert, 0);
gnutls_x509_crt_set_key_usage(host_cert, GNUTLS_KEY_KEY_ENCIPHERMENT | GNUTLS_KEY_DIGITAL_SIGNATURE);
gnutls_x509_crt_set_activation_time(host_cert, time(NULL));
gnutls_x509_crt_set_expiration_time(host_cert, time(NULL) + (60 * 60 * 24 * 365 * 10));
gnutls_x509_crt_sign(host_cert, root_cert, root_privkey);
/* export to PEM format */
size_t root_key_export_size = 0;
size_t host_key_export_size = 0;
gnutls_datum_t root_key_pem = { NULL, 0 };
gnutls_datum_t host_key_pem = { NULL, 0 };
gnutls_x509_privkey_export(root_privkey, GNUTLS_X509_FMT_PEM, NULL, &root_key_export_size);
gnutls_x509_privkey_export(host_privkey, GNUTLS_X509_FMT_PEM, NULL, &host_key_export_size);
root_key_pem.data = gnutls_malloc(root_key_export_size);
host_key_pem.data = gnutls_malloc(host_key_export_size);
gnutls_x509_privkey_export(root_privkey, GNUTLS_X509_FMT_PEM, root_key_pem.data, &root_key_export_size);
root_key_pem.size = root_key_export_size;
gnutls_x509_privkey_export(host_privkey, GNUTLS_X509_FMT_PEM, host_key_pem.data, &host_key_export_size);
host_key_pem.size = host_key_export_size;
size_t root_cert_export_size = 0;
size_t host_cert_export_size = 0;
gnutls_datum_t root_cert_pem = { NULL, 0 };
gnutls_datum_t host_cert_pem = { NULL, 0 };
gnutls_x509_crt_export(root_cert, GNUTLS_X509_FMT_PEM, NULL, &root_cert_export_size);
gnutls_x509_crt_export(host_cert, GNUTLS_X509_FMT_PEM, NULL, &host_cert_export_size);
root_cert_pem.data = gnutls_malloc(root_cert_export_size);
host_cert_pem.data = gnutls_malloc(host_cert_export_size);
gnutls_x509_crt_export(root_cert, GNUTLS_X509_FMT_PEM, root_cert_pem.data, &root_cert_export_size);
root_cert_pem.size = root_cert_export_size;
gnutls_x509_crt_export(host_cert, GNUTLS_X509_FMT_PEM, host_cert_pem.data, &host_cert_export_size);
host_cert_pem.size = host_cert_export_size;
if (NULL != root_cert_pem.data && 0 != root_cert_pem.size &&
NULL != host_cert_pem.data && 0 != host_cert_pem.size)
ret = USERPREF_E_SUCCESS;
/* store values in config file */
userpref_set_keys_and_certs( &root_key_pem, &root_cert_pem, &host_key_pem, &host_cert_pem);
gnutls_free(root_key_pem.data);
gnutls_free(root_cert_pem.data);
gnutls_free(host_key_pem.data);
gnutls_free(host_cert_pem.data);
//restore gnutls env
gnutls_global_deinit();
gnutls_global_init();
return ret;
}
static void
inf_test_certificate_request_notify_status_cb(GObject* object,
GParamSpec* pspec,
gpointer user_data)
{
InfTestCertificateRequest* test;
InfBrowserStatus status;
gnutls_x509_crq_t crq;
InfRequest* request;
GError* error;
int res;
test = (InfTestCertificateRequest*)user_data;
g_object_get(G_OBJECT(test->browser), "status", &status, NULL);
if(status == INF_BROWSER_OPEN)
{
fprintf(stderr, "Connection established, creating key... (4096 bit)\n");
/* TODO: Some error checking here */
gnutls_x509_privkey_init(&test->key);
gnutls_x509_privkey_generate(test->key, GNUTLS_PK_RSA, 4096, 0);
fprintf(stderr, "Done, sending the certificate request\n");
gnutls_x509_crq_init(&crq);
gnutls_x509_crq_set_key(crq, test->key);
gnutls_x509_crq_set_key_usage(crq, GNUTLS_KEY_DIGITAL_SIGNATURE);
gnutls_x509_crq_set_version(crq, 3);
gnutls_x509_crq_set_dn_by_oid(
crq,
GNUTLS_OID_X520_COMMON_NAME,
0,
"Armin Burgmeier",
strlen("Armin Burgmeier")
);
/* TODO: gnutls_x509_crq_sign2 is deprecated in favour of
* gnutls_x509_crq_privkey_sign, but the latter returns the error code
* GNUTLS_E_UNIMPLEMENTED_FEATURE, so we keep using the deprecated
* version here. */
/*gnutls_x509_crq_privkey_sign(crq, key, GNUTLS_DIG_SHA1, 0);*/
gnutls_x509_crq_sign2(crq, test->key, GNUTLS_DIG_SHA1, 0);
error = NULL;
request = inf_browser_create_acl_account(
INF_BROWSER(object),
crq,
inf_test_certificate_request_finished_cb,
test
);
gnutls_x509_crq_deinit(crq);
}
if(status == INF_BROWSER_CLOSED)
{
if(inf_standalone_io_loop_running(test->io))
inf_standalone_io_loop_quit(test->io);
}
}
int
main (void)
{
gnutls_x509_crq_t crq;
gnutls_x509_privkey_t key;
unsigned char buffer[10 * 1024];
size_t buffer_size = sizeof (buffer);
unsigned int bits;
gnutls_global_init ();
/* Initialize an empty certificate request, and
* an empty private key.
*/
gnutls_x509_crq_init (&crq);
gnutls_x509_privkey_init (&key);
/* Generate an RSA key of moderate security.
*/
bits = gnutls_sec_param_to_pk_bits (GNUTLS_PK_RSA, GNUTLS_SEC_PARAM_NORMAL);
gnutls_x509_privkey_generate (key, GNUTLS_PK_RSA, bits, 0);
/* Add stuff to the distinguished name
*/
gnutls_x509_crq_set_dn_by_oid (crq, GNUTLS_OID_X520_COUNTRY_NAME,
0, "GR", 2);
gnutls_x509_crq_set_dn_by_oid (crq, GNUTLS_OID_X520_COMMON_NAME,
0, "Nikos", strlen ("Nikos"));
/* Set the request version.
*/
gnutls_x509_crq_set_version (crq, 1);
/* Set a challenge password.
*/
gnutls_x509_crq_set_challenge_password (crq, "something to remember here");
/* Associate the request with the private key
*/
gnutls_x509_crq_set_key (crq, key);
/* Self sign the certificate request.
*/
gnutls_x509_crq_sign2 (crq, key, GNUTLS_DIG_SHA1, 0);
/* Export the PEM encoded certificate request, and
* display it.
*/
gnutls_x509_crq_export (crq, GNUTLS_X509_FMT_PEM, buffer, &buffer_size);
printf ("Certificate Request: \n%s", buffer);
/* Export the PEM encoded private key, and
* display it.
*/
buffer_size = sizeof (buffer);
gnutls_x509_privkey_export (key, GNUTLS_X509_FMT_PEM, buffer, &buffer_size);
printf ("\n\nPrivate key: \n%s", buffer);
gnutls_x509_crq_deinit (crq);
gnutls_x509_privkey_deinit (key);
return 0;
}
/* If how is zero then the included parameters are used.
*/
int generate_prime(FILE * outfile, int how, common_info_st * info)
{
int ret;
gnutls_dh_params_t dh_params;
gnutls_datum_t p, g;
int bits = get_bits(GNUTLS_PK_DH, info->bits, info->sec_param, 1);
unsigned int q_bits = 0, key_bits = 0;
fix_lbuffer(0);
gnutls_dh_params_init(&dh_params);
if (how != 0) {
fprintf(stderr, "Generating DH parameters (%d bits)...\n",
bits);
fprintf(stderr, "(might take long time)\n");
} else
fprintf(stderr, "Retrieving DH parameters...\n");
if (how != 0) {
if (info->provable != 0) {
gnutls_x509_privkey_t pkey;
unsigned save;
ret = gnutls_x509_privkey_init(&pkey);
if (ret < 0) {
fprintf(stderr,
"Error initializing key: %s\n",
gnutls_strerror(ret));
exit(1);
}
if (info->seed_size > 0) {
gnutls_keygen_data_st data;
if (info->seed_size < 32) {
fprintf(stderr, "For DH parameter generation a 32-byte seed value or larger is expected (have: %d); use -d 2 for more information.\n", (int)info->seed_size);
exit(1);
}
data.type = GNUTLS_KEYGEN_SEED;
data.data = (void*)info->seed;
data.size = info->seed_size;
ret = gnutls_x509_privkey_generate2(pkey, GNUTLS_PK_DSA, bits, GNUTLS_PRIVKEY_FLAG_PROVABLE, &data, 1);
} else {
ret = gnutls_x509_privkey_generate(pkey, GNUTLS_PK_DSA, bits, GNUTLS_PRIVKEY_FLAG_PROVABLE);
}
if (ret < 0) {
fprintf(stderr,
"Error generating DSA parameters: %s\n",
gnutls_strerror(ret));
exit(1);
}
if (info->outcert_format == GNUTLS_X509_FMT_PEM) {
save = info->no_compat;
info->no_compat = 1;
print_private_key(outfile, info, pkey);
info->no_compat = save;
}
ret = gnutls_dh_params_import_dsa(dh_params, pkey);
if (ret < 0) {
fprintf(stderr,
"Error importing DSA parameters: %s\n",
gnutls_strerror(ret));
exit(1);
}
gnutls_x509_privkey_deinit(pkey);
} else {
ret = gnutls_dh_params_generate2(dh_params, bits);
if (ret < 0) {
fprintf(stderr,
"Error generating parameters: %s\n",
gnutls_strerror(ret));
exit(1);
}
}
ret =
gnutls_dh_params_export_raw(dh_params, &p, &g,
&q_bits);
if (ret < 0) {
fprintf(stderr, "Error exporting parameters: %s\n",
gnutls_strerror(ret));
exit(1);
}
} else {
if (info->provable != 0) {
fprintf(stderr, "The DH parameters obtained via this option are not provable\n");
exit(1);
}
#if defined(ENABLE_DHE) || defined(ENABLE_ANON)
if (bits <= 2048) {
p = gnutls_ffdhe_2048_group_prime;
g = gnutls_ffdhe_2048_group_generator;
key_bits = gnutls_ffdhe_2048_key_bits;
bits = 2048;
} else if (bits <= 3072) {
p = gnutls_ffdhe_3072_group_prime;
g = gnutls_ffdhe_3072_group_generator;
key_bits = gnutls_ffdhe_3072_key_bits;
bits = 3072;
} else if (bits <= 4096) {
p = gnutls_ffdhe_4096_group_prime;
g = gnutls_ffdhe_4096_group_generator;
key_bits = gnutls_ffdhe_4096_key_bits;
bits = 4096;
} else {
p = gnutls_ffdhe_8192_group_prime;
g = gnutls_ffdhe_8192_group_generator;
key_bits = gnutls_ffdhe_8192_key_bits;
bits = 8192;
}
ret = gnutls_dh_params_import_raw2(dh_params, &p, &g, key_bits);
if (ret < 0) {
fprintf(stderr, "Error exporting parameters: %s\n",
gnutls_strerror(ret));
exit(1);
}
#elif defined(ENABLE_SRP)
if (bits <= 1024) {
p = gnutls_srp_1024_group_prime;
g = gnutls_srp_1024_group_generator;
bits = 1024;
} else if (bits <= 1536) {
p = gnutls_srp_1536_group_prime;
g = gnutls_srp_1536_group_generator;
bits = 1536;
} else if (bits <= 2048) {
p = gnutls_srp_2048_group_prime;
g = gnutls_srp_2048_group_generator;
bits = 2048;
} else if (bits <= 3072) {
p = gnutls_srp_3072_group_prime;
g = gnutls_srp_3072_group_generator;
bits = 3072;
} else {
p = gnutls_srp_4096_group_prime;
g = gnutls_srp_4096_group_generator;
bits = 4096;
}
ret = gnutls_dh_params_import_raw(dh_params, &p, &g);
if (ret < 0) {
fprintf(stderr, "Error exporting parameters: %s\n",
gnutls_strerror(ret));
exit(1);
}
#else
fprintf(stderr,
"Parameters unavailable as SRP is disabled.\n");
exit(1);
#endif
}
if (info->outcert_format == GNUTLS_X509_FMT_PEM)
print_dh_info(outfile, &p, &g, q_bits, info->cprint);
if (!info->cprint) { /* generate a PKCS#3 structure */
size_t len = lbuffer_size;
ret =
gnutls_dh_params_export_pkcs3(dh_params,
info->outcert_format,
lbuffer, &len);
if (ret == 0) {
if (info->outcert_format == GNUTLS_X509_FMT_PEM)
fprintf(outfile, "\n%s", lbuffer);
else
fwrite(lbuffer, 1, len, outfile);
} else {
fprintf(stderr, "Error: %s\n",
gnutls_strerror(ret));
}
}
if (how != 0) {
gnutls_free(p.data);
gnutls_free(g.data);
}
gnutls_dh_params_deinit(dh_params);
return 0;
}
int /* O - 1 on success, 0 on failure */
cupsMakeServerCredentials(
const char *path, /* I - Path to keychain/directory */
const char *common_name, /* I - Common name */
int num_alt_names, /* I - Number of subject alternate names */
const char **alt_names, /* I - Subject Alternate Names */
time_t expiration_date) /* I - Expiration date */
{
gnutls_x509_crt_t crt; /* Self-signed certificate */
gnutls_x509_privkey_t key; /* Encryption private key */
char temp[1024], /* Temporary directory name */
crtfile[1024], /* Certificate filename */
keyfile[1024]; /* Private key filename */
cups_lang_t *language; /* Default language info */
cups_file_t *fp; /* Key/cert file */
unsigned char buffer[8192]; /* Buffer for x509 data */
size_t bytes; /* Number of bytes of data */
unsigned char serial[4]; /* Serial number buffer */
time_t curtime; /* Current time */
int result; /* Result of GNU TLS calls */
DEBUG_printf(("cupsMakeServerCredentials(path=\"%s\", common_name=\"%s\", num_alt_names=%d, alt_names=%p, expiration_date=%d)", path, common_name, num_alt_names, alt_names, (int)expiration_date));
/*
* Filenames...
*/
if (!path)
path = http_gnutls_default_path(temp, sizeof(temp));
if (!path || !common_name)
{
_cupsSetError(IPP_STATUS_ERROR_INTERNAL, strerror(EINVAL), 0);
return (0);
}
http_gnutls_make_path(crtfile, sizeof(crtfile), path, common_name, "crt");
http_gnutls_make_path(keyfile, sizeof(keyfile), path, common_name, "key");
/*
* Create the encryption key...
*/
DEBUG_puts("1cupsMakeServerCredentials: Creating key pair.");
gnutls_x509_privkey_init(&key);
gnutls_x509_privkey_generate(key, GNUTLS_PK_RSA, 2048, 0);
DEBUG_puts("1cupsMakeServerCredentials: Key pair created.");
/*
* Save it...
*/
bytes = sizeof(buffer);
if ((result = gnutls_x509_privkey_export(key, GNUTLS_X509_FMT_PEM, buffer, &bytes)) < 0)
{
DEBUG_printf(("1cupsMakeServerCredentials: Unable to export private key: %s", gnutls_strerror(result)));
_cupsSetError(IPP_STATUS_ERROR_INTERNAL, gnutls_strerror(result), 0);
gnutls_x509_privkey_deinit(key);
return (0);
}
else if ((fp = cupsFileOpen(keyfile, "w")) != NULL)
{
DEBUG_printf(("1cupsMakeServerCredentials: Writing private key to \"%s\".", keyfile));
cupsFileWrite(fp, (char *)buffer, bytes);
cupsFileClose(fp);
}
else
{
DEBUG_printf(("1cupsMakeServerCredentials: Unable to create private key file \"%s\": %s", keyfile, strerror(errno)));
_cupsSetError(IPP_STATUS_ERROR_INTERNAL, strerror(errno), 0);
gnutls_x509_privkey_deinit(key);
return (0);
}
/*
* Create the self-signed certificate...
*/
DEBUG_puts("1cupsMakeServerCredentials: Generating self-signed X.509 certificate.");
language = cupsLangDefault();
curtime = time(NULL);
serial[0] = curtime >> 24;
serial[1] = curtime >> 16;
serial[2] = curtime >> 8;
serial[3] = curtime;
gnutls_x509_crt_init(&crt);
if (strlen(language->language) == 5)
gnutls_x509_crt_set_dn_by_oid(crt, GNUTLS_OID_X520_COUNTRY_NAME, 0,
language->language + 3, 2);
else
gnutls_x509_crt_set_dn_by_oid(crt, GNUTLS_OID_X520_COUNTRY_NAME, 0,
"US", 2);
gnutls_x509_crt_set_dn_by_oid(crt, GNUTLS_OID_X520_COMMON_NAME, 0,
common_name, strlen(common_name));
gnutls_x509_crt_set_dn_by_oid(crt, GNUTLS_OID_X520_ORGANIZATION_NAME, 0,
common_name, strlen(common_name));
gnutls_x509_crt_set_dn_by_oid(crt, GNUTLS_OID_X520_ORGANIZATIONAL_UNIT_NAME,
0, "Unknown", 7);
gnutls_x509_crt_set_dn_by_oid(crt, GNUTLS_OID_X520_STATE_OR_PROVINCE_NAME, 0,
"Unknown", 7);
gnutls_x509_crt_set_dn_by_oid(crt, GNUTLS_OID_X520_LOCALITY_NAME, 0,
"Unknown", 7);
/* gnutls_x509_crt_set_dn_by_oid(crt, GNUTLS_OID_PKCS9_EMAIL, 0,
ServerAdmin, strlen(ServerAdmin));*/
gnutls_x509_crt_set_key(crt, key);
gnutls_x509_crt_set_serial(crt, serial, sizeof(serial));
gnutls_x509_crt_set_activation_time(crt, curtime);
gnutls_x509_crt_set_expiration_time(crt, curtime + 10 * 365 * 86400);
gnutls_x509_crt_set_ca_status(crt, 0);
if (num_alt_names > 0)
gnutls_x509_crt_set_subject_alternative_name(crt, GNUTLS_SAN_DNSNAME, alt_names[0]);
gnutls_x509_crt_set_key_purpose_oid(crt, GNUTLS_KP_TLS_WWW_SERVER, 0);
gnutls_x509_crt_set_key_usage(crt, GNUTLS_KEY_KEY_ENCIPHERMENT);
gnutls_x509_crt_set_version(crt, 3);
bytes = sizeof(buffer);
if (gnutls_x509_crt_get_key_id(crt, 0, buffer, &bytes) >= 0)
gnutls_x509_crt_set_subject_key_id(crt, buffer, bytes);
gnutls_x509_crt_sign(crt, crt, key);
/*
* Save it...
*/
bytes = sizeof(buffer);
if ((result = gnutls_x509_crt_export(crt, GNUTLS_X509_FMT_PEM, buffer, &bytes)) < 0)
{
DEBUG_printf(("1cupsMakeServerCredentials: Unable to export public key and X.509 certificate: %s", gnutls_strerror(result)));
_cupsSetError(IPP_STATUS_ERROR_INTERNAL, gnutls_strerror(result), 0);
gnutls_x509_crt_deinit(crt);
gnutls_x509_privkey_deinit(key);
return (0);
}
else if ((fp = cupsFileOpen(crtfile, "w")) != NULL)
{
DEBUG_printf(("1cupsMakeServerCredentials: Writing public key and X.509 certificate to \"%s\".", crtfile));
cupsFileWrite(fp, (char *)buffer, bytes);
cupsFileClose(fp);
}
else
{
DEBUG_printf(("1cupsMakeServerCredentials: Unable to create public key and X.509 certificate file \"%s\": %s", crtfile, strerror(errno)));
_cupsSetError(IPP_STATUS_ERROR_INTERNAL, strerror(errno), 0);
gnutls_x509_crt_deinit(crt);
gnutls_x509_privkey_deinit(key);
return (0);
}
/*
* Cleanup...
*/
gnutls_x509_crt_deinit(crt);
gnutls_x509_privkey_deinit(key);
DEBUG_puts("1cupsMakeServerCredentials: Successfully created credentials.");
return (1);
}
/**
* gnutls_rsa_params_generate2 - This function will generate temporary RSA parameters
* @params: The structure where the parameters will be stored
* @bits: is the prime's number of bits
*
* This function will generate new temporary RSA parameters for use in
* RSA-EXPORT ciphersuites. This function is normally slow.
*
* Note that if the parameters are to be used in export cipher suites the
* bits value should be 512 or less.
* Also note that the generation of new RSA parameters is only useful
* to servers. Clients use the parameters sent by the server, thus it's
* no use calling this in client side.
*
**/
int
gnutls_rsa_params_generate2 (gnutls_rsa_params_t params, unsigned int bits)
{
return gnutls_x509_privkey_generate (params, GNUTLS_PK_RSA, bits, 0);
}
