0b70726e325e29742642c732a7cd43d98c843b2c
[strongswan.git] / src / openac / openac.c
1 /**
2 * @file openac.c
3 *
4 * @brief Generation of X.509 attribute certificates.
5 *
6 */
7
8 /*
9 * Copyright (C) 2002 Ueli Galizzi, Ariane Seiler
10 * Copyright (C) 2004,2007 Andreas Steffen
11 * Hochschule fuer Technik Rapperswil, Switzerland
12 *
13 * This program is free software; you can redistribute it and/or modify it
14 * under the terms of the GNU General Public License as published by the
15 * Free Software Foundation; either version 2 of the License, or (at your
16 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
17 *
18 * This program is distributed in the hope that it will be useful, but
19 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
20 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
21 * for more details.
22 *
23 * RCSID $Id$
24 */
25
26 #include <stdio.h>
27 #include <stdlib.h>
28 #include <string.h>
29 #include <syslog.h>
30 #include <unistd.h>
31 #include <getopt.h>
32 #include <ctype.h>
33 #include <time.h>
34 #include <gmp.h>
35
36 #include <debug.h>
37 #include <asn1/asn1.h>
38 #include <asn1/ttodata.h>
39 #include <credentials/certificates/x509.h>
40 #include <credentials/certificates/ac.h>
41 #include <utils/optionsfrom.h>
42
43 #ifdef INTEGRITY_TEST
44 #include <fips/fips.h>
45 #include <fips_signature.h>
46 #endif /* INTEGRITY_TEST */
47
48 #define OPENAC_PATH IPSEC_CONFDIR "/openac"
49 #define OPENAC_SERIAL IPSEC_CONFDIR "/openac/serial"
50
51 #define DEFAULT_VALIDITY 24*3600 /* seconds */
52
53 /**
54 * @brief prints the usage of the program to the stderr
55 */
56 static void usage(const char *message)
57 {
58 if (message != NULL && *message != '\0')
59 {
60 fprintf(stderr, "%s\n", message);
61 }
62 fprintf(stderr, "Usage: openac"
63 " [--help]"
64 " [--version]"
65 " [--optionsfrom <filename>]"
66 " [--quiet]"
67 " \\\n\t"
68 " [--debug <level 0..4>]"
69 " \\\n\t"
70 " [--days <days>]"
71 " [--hours <hours>]"
72 " \\\n\t"
73 " [--startdate <YYYYMMDDHHMMSSZ>]"
74 " [--enddate <YYYYMMDDHHMMSSZ>]"
75 " \\\n\t"
76 " --cert <certfile>"
77 " --key <keyfile>"
78 " [--password <password>]"
79 " \\\n\t"
80 " --usercert <certfile>"
81 " --groups <attr1,attr2,..>"
82 " --out <filename>"
83 "\n"
84 );
85 }
86
87
88 /**
89 * convert a chunk into a multi-precision integer
90 */
91 static void chunk_to_mpz(chunk_t chunk, mpz_t number)
92 {
93 mpz_import(number, chunk.len, 1, 1, 1, 0, chunk.ptr);
94 }
95
96 /**
97 * convert a multi-precision integer into a chunk
98 */
99 static chunk_t mpz_to_chunk(mpz_t number)
100 {
101 chunk_t chunk;
102
103 chunk.len = 1 + mpz_sizeinbase(number, 2)/BITS_PER_BYTE;
104 chunk.ptr = mpz_export(NULL, NULL, 1, chunk.len, 1, 0, number);
105 return chunk;
106 }
107
108 /**
109 * read the last serial number from file
110 */
111 static chunk_t read_serial(void)
112 {
113 mpz_t number;
114
115 char buf[BUF_LEN], buf1[BUF_LEN];
116 chunk_t last_serial = { buf1, BUF_LEN};
117 chunk_t serial;
118
119 FILE *fd = fopen(OPENAC_SERIAL, "r");
120
121 /* last serial number defaults to 0 */
122 *last_serial.ptr = 0x00;
123 last_serial.len = 1;
124
125 if (fd)
126 {
127 if (fscanf(fd, "%s", buf))
128 {
129 err_t ugh = ttodata(buf, 0, 16, last_serial.ptr, BUF_LEN, &last_serial.len);
130
131 if (ugh != NULL)
132 {
133 DBG1(" error reading serial number from %s: %s",
134 OPENAC_SERIAL, ugh);
135 }
136 }
137 fclose(fd);
138 }
139 else
140 {
141 DBG1(" file '%s' does not exist yet - serial number set to 01", OPENAC_SERIAL);
142 }
143
144 /**
145 * conversion of read serial number to a multiprecision integer
146 * and incrementing it by one
147 * and representing it as a two's complement octet string
148 */
149 mpz_init(number);
150 chunk_to_mpz(last_serial, number);
151 mpz_add_ui(number, number, 0x01);
152 serial = mpz_to_chunk(number);
153 mpz_clear(number);
154
155 return serial;
156 }
157
158 /**
159 * write back the last serial number to file
160 */
161 static void write_serial(chunk_t serial)
162 {
163 FILE *fd = fopen(OPENAC_SERIAL, "w");
164
165 if (fd)
166 {
167 DBG1(" serial number is %#B", &serial);
168 fprintf(fd, "%#B\n", &serial);
169 fclose(fd);
170 }
171 else
172 {
173 DBG1(" could not open file '%s' for writing", OPENAC_SERIAL);
174 }
175 }
176
177 /**
178 * Load and parse a private key file
179 */
180 static private_key_t* private_key_create_from_file(char *path, chunk_t *secret)
181 {
182 bool pgp = FALSE;
183 chunk_t chunk = chunk_empty;
184 private_key_t *key = NULL;
185
186 if (!pem_asn1_load_file(path, &secret, &chunk, &pgp))
187 {
188 DBG1(" could not load private key file '%s'", path);
189 return NULL;
190 }
191 key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
192 BUILD_BLOB_ASN1_DER, chunk, BUILD_END);
193 if (key == NULL)
194 {
195 DBG1(" could not parse loaded private key file '%s'", path);
196 return NULL;
197 }
198 DBG1(" loaded private key file '%s'", path);
199 return key;
200 }
201
202 /**
203 * Load and parse an X.509 certificate file
204 */
205 static x509_t* x509_create_from_file(char *path, char *label, x509_flag_t flag)
206 {
207
208 bool pgp = FALSE;
209 chunk_t chunk;
210 x509_t *x509;
211 certificate_t *cert;
212 time_t notBefore, notAfter, now;
213
214 if (!pem_asn1_load_file(path, NULL, &chunk, &pgp))
215 {
216 DBG1(" could not load %s file '%s'", label, path);
217 return NULL;
218 }
219 x509 = (x509_t*)lib->creds->create(lib->creds,
220 CRED_CERTIFICATE, CERT_X509,
221 BUILD_BLOB_ASN1_DER, chunk,
222 BUILD_X509_FLAG, flag,
223 BUILD_END);
224 if (x509 == NULL)
225 {
226 DBG1(" could not parse loaded %s file '%s'",label, path);
227 return NULL;
228 }
229 DBG1(" loaded %s file '%s'", label, path);
230
231 /* check validity */
232 cert = &x509->interface;
233 now = time(NULL);
234 cert->get_validity(cert, &now, &notBefore, &notAfter);
235 if (now > notAfter)
236 {
237 DBG1(" certificate expired at %T, discarded", &notAfter);
238 cert->destroy(cert);
239 return NULL;
240 }
241 if (now < notBefore)
242 {
243 DBG1(" certificate not valid before %T", &notBefore);
244 }
245 return x509;
246 }
247
248 /**
249 * global variables accessible by both main() and build.c
250 */
251
252 static int debug_level = 1;
253 static bool stderr_quiet = FALSE;
254
255 /**
256 * openac dbg function
257 */
258 static void openac_dbg(int level, char *fmt, ...)
259 {
260 int priority = LOG_INFO;
261 va_list args;
262
263 if (level <= debug_level)
264 {
265 va_start(args, fmt);
266 if (!stderr_quiet)
267 {
268 vfprintf(stderr, fmt, args);
269 fprintf(stderr, "\n");
270 }
271 vsyslog(priority, fmt, args);
272 va_end(args);
273 }
274 }
275
276 /**
277 * @brief openac main program
278 *
279 * @param argc number of arguments
280 * @param argv pointer to the argument values
281 */
282 int main(int argc, char **argv)
283 {
284 certificate_t *attr_cert = NULL;
285 certificate_t *user_cert = NULL;
286 certificate_t *signer_cert = NULL;
287 private_key_t *signer_key = NULL;
288
289 time_t notBefore = UNDEFINED_TIME;
290 time_t notAfter = UNDEFINED_TIME;
291 time_t validity = 0;
292
293 char *keyfile = NULL;
294 char *certfile = NULL;
295 char *usercertfile = NULL;
296 char *outfile = NULL;
297 char *groups = "";
298 char buf[BUF_LEN];
299
300 chunk_t serial;
301 chunk_t passphrase = { buf, 0 };
302 chunk_t attr_chunk = chunk_empty;
303
304 int status = 1;
305
306 options_t *options = options_create();
307
308 /* enable openac debugging hook */
309 dbg = openac_dbg;
310
311 passphrase.ptr[0] = '\0';
312
313 openlog("openac", 0, LOG_AUTHPRIV);
314
315 /* handle arguments */
316 for (;;)
317 {
318 static const struct option long_opts[] = {
319 /* name, has_arg, flag, val */
320 { "help", no_argument, NULL, 'h' },
321 { "version", no_argument, NULL, 'v' },
322 { "optionsfrom", required_argument, NULL, '+' },
323 { "quiet", no_argument, NULL, 'q' },
324 { "cert", required_argument, NULL, 'c' },
325 { "key", required_argument, NULL, 'k' },
326 { "password", required_argument, NULL, 'p' },
327 { "usercert", required_argument, NULL, 'u' },
328 { "groups", required_argument, NULL, 'g' },
329 { "days", required_argument, NULL, 'D' },
330 { "hours", required_argument, NULL, 'H' },
331 { "startdate", required_argument, NULL, 'S' },
332 { "enddate", required_argument, NULL, 'E' },
333 { "out", required_argument, NULL, 'o' },
334 { "debug", required_argument, NULL, 'd' },
335 { 0,0,0,0 }
336 };
337
338 int c = getopt_long(argc, argv, "hv+:qc:k:p;u:g:D:H:S:E:o:d:", long_opts, NULL);
339
340 /* Note: "breaking" from case terminates loop */
341 switch (c)
342 {
343 case EOF: /* end of flags */
344 break;
345
346 case 0: /* long option already handled */
347 continue;
348
349 case ':': /* diagnostic already printed by getopt_long */
350 case '?': /* diagnostic already printed by getopt_long */
351 case 'h': /* --help */
352 usage(NULL);
353 status = 1;
354 goto end;
355
356 case 'v': /* --version */
357 printf("openac (strongSwan %s)\n", VERSION);
358 status = 0;
359 goto end;
360
361 case '+': /* --optionsfrom <filename> */
362 {
363 char path[BUF_LEN];
364
365 if (*optarg == '/') /* absolute pathname */
366 {
367 strncpy(path, optarg, BUF_LEN);
368 }
369 else /* relative pathname */
370 {
371 snprintf(path, BUF_LEN, "%s/%s", OPENAC_PATH, optarg);
372 }
373 if (!options->from(options, path, &argc, &argv, optind))
374 {
375 status = 1;
376 goto end;
377 }
378 }
379 continue;
380
381 case 'q': /* --quiet */
382 stderr_quiet = TRUE;
383 continue;
384
385 case 'c': /* --cert */
386 certfile = optarg;
387 continue;
388
389 case 'k': /* --key */
390 keyfile = optarg;
391 continue;
392
393 case 'p': /* --key */
394 if (strlen(optarg) > BUF_LEN)
395 {
396 usage("passphrase too long");
397 goto end;
398 }
399 strncpy(passphrase.ptr, optarg, BUF_LEN);
400 passphrase.len = min(strlen(optarg), BUF_LEN);
401 continue;
402
403 case 'u': /* --usercert */
404 usercertfile = optarg;
405 continue;
406
407 case 'g': /* --groups */
408 groups = optarg;
409 continue;
410
411 case 'D': /* --days */
412 if (optarg == NULL || !isdigit(optarg[0]))
413 {
414 usage("missing number of days");
415 goto end;
416 }
417 else
418 {
419 char *endptr;
420 long days = strtol(optarg, &endptr, 0);
421
422 if (*endptr != '\0' || endptr == optarg || days <= 0)
423 {
424 usage("<days> must be a positive number");
425 goto end;
426 }
427 validity += 24*3600*days;
428 }
429 continue;
430
431 case 'H': /* --hours */
432 if (optarg == NULL || !isdigit(optarg[0]))
433 {
434 usage("missing number of hours");
435 goto end;
436 }
437 else
438 {
439 char *endptr;
440 long hours = strtol(optarg, &endptr, 0);
441
442 if (*endptr != '\0' || endptr == optarg || hours <= 0)
443 {
444 usage("<hours> must be a positive number");
445 goto end;
446 }
447 validity += 3600*hours;
448 }
449 continue;
450
451 case 'S': /* --startdate */
452 if (optarg == NULL || strlen(optarg) != 15 || optarg[14] != 'Z')
453 {
454 usage("date format must be YYYYMMDDHHMMSSZ");
455 goto end;
456 }
457 else
458 {
459 chunk_t date = { optarg, 15 };
460
461 notBefore = asn1totime(&date, ASN1_GENERALIZEDTIME);
462 }
463 continue;
464
465 case 'E': /* --enddate */
466 if (optarg == NULL || strlen(optarg) != 15 || optarg[14] != 'Z')
467 {
468 usage("date format must be YYYYMMDDHHMMSSZ");
469 goto end;
470 }
471 else
472 {
473 chunk_t date = { optarg, 15 };
474 notAfter = asn1totime(&date, ASN1_GENERALIZEDTIME);
475 }
476 continue;
477
478 case 'o': /* --out */
479 outfile = optarg;
480 continue;
481
482 case 'd': /* --debug */
483 debug_level = atoi(optarg);
484 continue;
485
486 default:
487 usage("");
488 status = 0;
489 goto end;
490 }
491 /* break from loop */
492 break;
493 }
494
495 if (optind != argc)
496 {
497 usage("unexpected argument");
498 goto end;
499 }
500
501 DBG1("starting openac (strongSwan Version %s)", VERSION);
502
503 #ifdef INTEGRITY_TEST
504 DBG1("integrity test of libstrongswan code");
505 if (fips_verify_hmac_signature(hmac_key, hmac_signature))
506 {
507 DBG1(" integrity test passed");
508 }
509 else
510 {
511 DBG1(" integrity test failed");
512 status = 3;
513 goto end;
514 }
515 #endif /* INTEGRITY_TEST */
516
517 /* load the signer's RSA private key */
518 if (keyfile != NULL)
519 {
520 signer_key = private_key_create_from_file(keyfile, &passphrase);
521
522 if (signer_key == NULL)
523 {
524 goto end;
525 }
526 }
527
528 /* load the signer's X.509 certificate */
529 if (certfile != NULL)
530 {
531 x509_t *x509 = x509_create_from_file(certfile, "signer cert", 0);
532
533 if (x509 == NULL)
534 {
535 goto end;
536 }
537 signer_cert = &x509->interface;
538 }
539
540 /* load the users's X.509 certificate */
541 if (usercertfile != NULL)
542 {
543 x509_t *x509 = x509_create_from_file(usercertfile, "user cert", 0);
544
545 if (x509 == NULL)
546 {
547 goto end;
548 }
549 user_cert = &x509->interface;
550 }
551
552 /* compute validity interval */
553 validity = (validity)? validity : DEFAULT_VALIDITY;
554 notBefore = (notBefore == UNDEFINED_TIME) ? time(NULL) : notBefore;
555 notAfter = (notAfter == UNDEFINED_TIME) ? time(NULL) + validity : notAfter;
556
557 /* build and parse attribute certificate */
558 if (user_cert != NULL && signer_cert != NULL && signer_key != NULL)
559 {
560 /* read the serial number and increment it by one */
561 serial = read_serial();
562
563 attr_cert = lib->creds->create(lib->creds,
564 CRED_CERTIFICATE, CERT_X509_AC,
565 BUILD_CERT, user_cert,
566 BUILD_NOT_BEFORE_TIME, &notBefore,
567 BUILD_NOT_AFTER_TIME, &notAfter,
568 BUILD_SIGNING_CERT, signer_cert,
569 BUILD_SIGNING_KEY, signer_key,
570 BUILD_END);
571 attr_chunk = attr_cert->get_encoding(attr_cert);
572
573 /* write the attribute certificate to file */
574 if (chunk_write(attr_chunk, outfile, "attribute cert", 0022, TRUE))
575 {
576 write_serial(serial);
577 status = 0;
578 }
579 }
580
581 end:
582 /* delete all dynamically allocated objects */
583 DESTROY_IF(signer_key);
584 DESTROY_IF(signer_cert);
585 DESTROY_IF(user_cert);
586 DESTROY_IF(attr_cert);
587 free(attr_chunk.ptr);
588 free(serial.ptr);
589 closelog();
590 dbg = dbg_default;
591 options->destroy(options);
592 exit(status);
593 }