initialize library in openac
[strongswan.git] / src / openac / openac.c
1 /**
2 * @file openac.c
3 *
4 * @brief Generation of X.509 attribute certificates.
5 *
6 */
7
8 /*
9 * Copyright (C) 2002 Ueli Galizzi, Ariane Seiler
10 * Copyright (C) 2004,2007 Andreas Steffen
11 * Hochschule fuer Technik Rapperswil, Switzerland
12 *
13 * This program is free software; you can redistribute it and/or modify it
14 * under the terms of the GNU General Public License as published by the
15 * Free Software Foundation; either version 2 of the License, or (at your
16 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
17 *
18 * This program is distributed in the hope that it will be useful, but
19 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
20 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
21 * for more details.
22 *
23 * RCSID $Id$
24 */
25
26 #include <stdio.h>
27 #include <stdlib.h>
28 #include <string.h>
29 #include <syslog.h>
30 #include <unistd.h>
31 #include <getopt.h>
32 #include <ctype.h>
33 #include <time.h>
34 #include <gmp.h>
35
36 #include <library.h>
37 #include <debug.h>
38 #include <asn1/asn1.h>
39 #include <asn1/ttodata.h>
40 #include <credentials/certificates/x509.h>
41 #include <credentials/certificates/ac.h>
42 #include <utils/optionsfrom.h>
43
44 #ifdef INTEGRITY_TEST
45 #include <fips/fips.h>
46 #include <fips_signature.h>
47 #endif /* INTEGRITY_TEST */
48
49 #define OPENAC_PATH IPSEC_CONFDIR "/openac"
50 #define OPENAC_SERIAL IPSEC_CONFDIR "/openac/serial"
51
52 #define DEFAULT_VALIDITY 24*3600 /* seconds */
53
54 /**
55 * @brief prints the usage of the program to the stderr
56 */
57 static void usage(const char *message)
58 {
59 if (message != NULL && *message != '\0')
60 {
61 fprintf(stderr, "%s\n", message);
62 }
63 fprintf(stderr, "Usage: openac"
64 " [--help]"
65 " [--version]"
66 " [--optionsfrom <filename>]"
67 " [--quiet]"
68 " \\\n\t"
69 " [--debug <level 0..4>]"
70 " \\\n\t"
71 " [--days <days>]"
72 " [--hours <hours>]"
73 " \\\n\t"
74 " [--startdate <YYYYMMDDHHMMSSZ>]"
75 " [--enddate <YYYYMMDDHHMMSSZ>]"
76 " \\\n\t"
77 " --cert <certfile>"
78 " --key <keyfile>"
79 " [--password <password>]"
80 " \\\n\t"
81 " --usercert <certfile>"
82 " --groups <attr1,attr2,..>"
83 " --out <filename>"
84 "\n"
85 );
86 }
87
88
89 /**
90 * convert a chunk into a multi-precision integer
91 */
92 static void chunk_to_mpz(chunk_t chunk, mpz_t number)
93 {
94 mpz_import(number, chunk.len, 1, 1, 1, 0, chunk.ptr);
95 }
96
97 /**
98 * convert a multi-precision integer into a chunk
99 */
100 static chunk_t mpz_to_chunk(mpz_t number)
101 {
102 chunk_t chunk;
103
104 chunk.len = 1 + mpz_sizeinbase(number, 2)/BITS_PER_BYTE;
105 chunk.ptr = mpz_export(NULL, NULL, 1, chunk.len, 1, 0, number);
106 return chunk;
107 }
108
109 /**
110 * read the last serial number from file
111 */
112 static chunk_t read_serial(void)
113 {
114 mpz_t number;
115
116 char buf[BUF_LEN], buf1[BUF_LEN];
117 chunk_t last_serial = { buf1, BUF_LEN};
118 chunk_t serial;
119
120 FILE *fd = fopen(OPENAC_SERIAL, "r");
121
122 /* last serial number defaults to 0 */
123 *last_serial.ptr = 0x00;
124 last_serial.len = 1;
125
126 if (fd)
127 {
128 if (fscanf(fd, "%s", buf))
129 {
130 err_t ugh = ttodata(buf, 0, 16, last_serial.ptr, BUF_LEN, &last_serial.len);
131
132 if (ugh != NULL)
133 {
134 DBG1(" error reading serial number from %s: %s",
135 OPENAC_SERIAL, ugh);
136 }
137 }
138 fclose(fd);
139 }
140 else
141 {
142 DBG1(" file '%s' does not exist yet - serial number set to 01", OPENAC_SERIAL);
143 }
144
145 /**
146 * conversion of read serial number to a multiprecision integer
147 * and incrementing it by one
148 * and representing it as a two's complement octet string
149 */
150 mpz_init(number);
151 chunk_to_mpz(last_serial, number);
152 mpz_add_ui(number, number, 0x01);
153 serial = mpz_to_chunk(number);
154 mpz_clear(number);
155
156 return serial;
157 }
158
159 /**
160 * write back the last serial number to file
161 */
162 static void write_serial(chunk_t serial)
163 {
164 FILE *fd = fopen(OPENAC_SERIAL, "w");
165
166 if (fd)
167 {
168 DBG1(" serial number is %#B", &serial);
169 fprintf(fd, "%#B\n", &serial);
170 fclose(fd);
171 }
172 else
173 {
174 DBG1(" could not open file '%s' for writing", OPENAC_SERIAL);
175 }
176 }
177
178 /**
179 * Load and parse a private key file
180 */
181 static private_key_t* private_key_create_from_file(char *path, chunk_t *secret)
182 {
183 bool pgp = FALSE;
184 chunk_t chunk = chunk_empty;
185 private_key_t *key = NULL;
186
187 if (!pem_asn1_load_file(path, &secret, &chunk, &pgp))
188 {
189 DBG1(" could not load private key file '%s'", path);
190 return NULL;
191 }
192 key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
193 BUILD_BLOB_ASN1_DER, chunk, BUILD_END);
194 if (key == NULL)
195 {
196 DBG1(" could not parse loaded private key file '%s'", path);
197 return NULL;
198 }
199 DBG1(" loaded private key file '%s'", path);
200 return key;
201 }
202
203 /**
204 * Load and parse an X.509 certificate file
205 */
206 static x509_t* x509_create_from_file(char *path, char *label, x509_flag_t flag)
207 {
208
209 bool pgp = FALSE;
210 chunk_t chunk;
211 x509_t *x509;
212 certificate_t *cert;
213 time_t notBefore, notAfter, now;
214
215 if (!pem_asn1_load_file(path, NULL, &chunk, &pgp))
216 {
217 DBG1(" could not load %s file '%s'", label, path);
218 return NULL;
219 }
220 x509 = (x509_t*)lib->creds->create(lib->creds,
221 CRED_CERTIFICATE, CERT_X509,
222 BUILD_BLOB_ASN1_DER, chunk,
223 BUILD_X509_FLAG, flag,
224 BUILD_END);
225 if (x509 == NULL)
226 {
227 DBG1(" could not parse loaded %s file '%s'",label, path);
228 return NULL;
229 }
230 DBG1(" loaded %s file '%s'", label, path);
231
232 /* check validity */
233 cert = &x509->interface;
234 now = time(NULL);
235 cert->get_validity(cert, &now, &notBefore, &notAfter);
236 if (now > notAfter)
237 {
238 DBG1(" certificate expired at %T, discarded", &notAfter);
239 cert->destroy(cert);
240 return NULL;
241 }
242 if (now < notBefore)
243 {
244 DBG1(" certificate not valid before %T", &notBefore);
245 }
246 return x509;
247 }
248
249 /**
250 * global variables accessible by both main() and build.c
251 */
252
253 static int debug_level = 1;
254 static bool stderr_quiet = FALSE;
255
256 /**
257 * openac dbg function
258 */
259 static void openac_dbg(int level, char *fmt, ...)
260 {
261 int priority = LOG_INFO;
262 va_list args;
263
264 if (level <= debug_level)
265 {
266 va_start(args, fmt);
267 if (!stderr_quiet)
268 {
269 vfprintf(stderr, fmt, args);
270 fprintf(stderr, "\n");
271 }
272 vsyslog(priority, fmt, args);
273 va_end(args);
274 }
275 }
276
277 /**
278 * @brief openac main program
279 *
280 * @param argc number of arguments
281 * @param argv pointer to the argument values
282 */
283 int main(int argc, char **argv)
284 {
285 certificate_t *attr_cert = NULL;
286 certificate_t *user_cert = NULL;
287 certificate_t *signer_cert = NULL;
288 private_key_t *signer_key = NULL;
289
290 time_t notBefore = UNDEFINED_TIME;
291 time_t notAfter = UNDEFINED_TIME;
292 time_t validity = 0;
293
294 char *keyfile = NULL;
295 char *certfile = NULL;
296 char *usercertfile = NULL;
297 char *outfile = NULL;
298 char *groups = "";
299 char buf[BUF_LEN];
300
301 chunk_t passphrase = { buf, 0 };
302 chunk_t serial = chunk_empty;
303 chunk_t attr_chunk = chunk_empty;
304
305 int status = 1;
306
307 /* enable openac debugging hook */
308 dbg = openac_dbg;
309
310 passphrase.ptr[0] = '\0';
311
312 openlog("openac", 0, LOG_AUTHPRIV);
313
314 /* initialize library */
315 library_init(IPSEC_DIR "/strongswan.conf");
316 lib->plugins->load(lib->plugins, IPSEC_PLUGINDIR, "libstrongswan-");
317
318 /* initialize optionsfrom */
319 options_t *options = options_create();
320
321 /* handle arguments */
322 for (;;)
323 {
324 static const struct option long_opts[] = {
325 /* name, has_arg, flag, val */
326 { "help", no_argument, NULL, 'h' },
327 { "version", no_argument, NULL, 'v' },
328 { "optionsfrom", required_argument, NULL, '+' },
329 { "quiet", no_argument, NULL, 'q' },
330 { "cert", required_argument, NULL, 'c' },
331 { "key", required_argument, NULL, 'k' },
332 { "password", required_argument, NULL, 'p' },
333 { "usercert", required_argument, NULL, 'u' },
334 { "groups", required_argument, NULL, 'g' },
335 { "days", required_argument, NULL, 'D' },
336 { "hours", required_argument, NULL, 'H' },
337 { "startdate", required_argument, NULL, 'S' },
338 { "enddate", required_argument, NULL, 'E' },
339 { "out", required_argument, NULL, 'o' },
340 { "debug", required_argument, NULL, 'd' },
341 { 0,0,0,0 }
342 };
343
344 int c = getopt_long(argc, argv, "hv+:qc:k:p;u:g:D:H:S:E:o:d:", long_opts, NULL);
345
346 /* Note: "breaking" from case terminates loop */
347 switch (c)
348 {
349 case EOF: /* end of flags */
350 break;
351
352 case 0: /* long option already handled */
353 continue;
354
355 case ':': /* diagnostic already printed by getopt_long */
356 case '?': /* diagnostic already printed by getopt_long */
357 case 'h': /* --help */
358 usage(NULL);
359 status = 1;
360 goto end;
361
362 case 'v': /* --version */
363 printf("openac (strongSwan %s)\n", VERSION);
364 status = 0;
365 goto end;
366
367 case '+': /* --optionsfrom <filename> */
368 {
369 char path[BUF_LEN];
370
371 if (*optarg == '/') /* absolute pathname */
372 {
373 strncpy(path, optarg, BUF_LEN);
374 }
375 else /* relative pathname */
376 {
377 snprintf(path, BUF_LEN, "%s/%s", OPENAC_PATH, optarg);
378 }
379 if (!options->from(options, path, &argc, &argv, optind))
380 {
381 status = 1;
382 goto end;
383 }
384 }
385 continue;
386
387 case 'q': /* --quiet */
388 stderr_quiet = TRUE;
389 continue;
390
391 case 'c': /* --cert */
392 certfile = optarg;
393 continue;
394
395 case 'k': /* --key */
396 keyfile = optarg;
397 continue;
398
399 case 'p': /* --key */
400 if (strlen(optarg) > BUF_LEN)
401 {
402 usage("passphrase too long");
403 goto end;
404 }
405 strncpy(passphrase.ptr, optarg, BUF_LEN);
406 passphrase.len = min(strlen(optarg), BUF_LEN);
407 continue;
408
409 case 'u': /* --usercert */
410 usercertfile = optarg;
411 continue;
412
413 case 'g': /* --groups */
414 groups = optarg;
415 continue;
416
417 case 'D': /* --days */
418 if (optarg == NULL || !isdigit(optarg[0]))
419 {
420 usage("missing number of days");
421 goto end;
422 }
423 else
424 {
425 char *endptr;
426 long days = strtol(optarg, &endptr, 0);
427
428 if (*endptr != '\0' || endptr == optarg || days <= 0)
429 {
430 usage("<days> must be a positive number");
431 goto end;
432 }
433 validity += 24*3600*days;
434 }
435 continue;
436
437 case 'H': /* --hours */
438 if (optarg == NULL || !isdigit(optarg[0]))
439 {
440 usage("missing number of hours");
441 goto end;
442 }
443 else
444 {
445 char *endptr;
446 long hours = strtol(optarg, &endptr, 0);
447
448 if (*endptr != '\0' || endptr == optarg || hours <= 0)
449 {
450 usage("<hours> must be a positive number");
451 goto end;
452 }
453 validity += 3600*hours;
454 }
455 continue;
456
457 case 'S': /* --startdate */
458 if (optarg == NULL || strlen(optarg) != 15 || optarg[14] != 'Z')
459 {
460 usage("date format must be YYYYMMDDHHMMSSZ");
461 goto end;
462 }
463 else
464 {
465 chunk_t date = { optarg, 15 };
466
467 notBefore = asn1totime(&date, ASN1_GENERALIZEDTIME);
468 }
469 continue;
470
471 case 'E': /* --enddate */
472 if (optarg == NULL || strlen(optarg) != 15 || optarg[14] != 'Z')
473 {
474 usage("date format must be YYYYMMDDHHMMSSZ");
475 goto end;
476 }
477 else
478 {
479 chunk_t date = { optarg, 15 };
480 notAfter = asn1totime(&date, ASN1_GENERALIZEDTIME);
481 }
482 continue;
483
484 case 'o': /* --out */
485 outfile = optarg;
486 continue;
487
488 case 'd': /* --debug */
489 debug_level = atoi(optarg);
490 continue;
491
492 default:
493 usage("");
494 status = 0;
495 goto end;
496 }
497 /* break from loop */
498 break;
499 }
500
501 if (optind != argc)
502 {
503 usage("unexpected argument");
504 goto end;
505 }
506
507 DBG1("starting openac (strongSwan Version %s)", VERSION);
508
509 #ifdef INTEGRITY_TEST
510 DBG1("integrity test of libstrongswan code");
511 if (fips_verify_hmac_signature(hmac_key, hmac_signature))
512 {
513 DBG1(" integrity test passed");
514 }
515 else
516 {
517 DBG1(" integrity test failed");
518 status = 3;
519 goto end;
520 }
521 #endif /* INTEGRITY_TEST */
522
523 /* load the signer's RSA private key */
524 if (keyfile != NULL)
525 {
526 signer_key = private_key_create_from_file(keyfile, &passphrase);
527
528 if (signer_key == NULL)
529 {
530 goto end;
531 }
532 }
533
534 /* load the signer's X.509 certificate */
535 if (certfile != NULL)
536 {
537 x509_t *x509 = x509_create_from_file(certfile, "signer cert", 0);
538
539 if (x509 == NULL)
540 {
541 goto end;
542 }
543 signer_cert = &x509->interface;
544 }
545
546 /* load the users's X.509 certificate */
547 if (usercertfile != NULL)
548 {
549 x509_t *x509 = x509_create_from_file(usercertfile, "user cert", 0);
550
551 if (x509 == NULL)
552 {
553 goto end;
554 }
555 user_cert = &x509->interface;
556 }
557
558 /* compute validity interval */
559 validity = (validity)? validity : DEFAULT_VALIDITY;
560 notBefore = (notBefore == UNDEFINED_TIME) ? time(NULL) : notBefore;
561 notAfter = (notAfter == UNDEFINED_TIME) ? time(NULL) + validity : notAfter;
562
563 /* build and parse attribute certificate */
564 if (user_cert != NULL && signer_cert != NULL && signer_key != NULL)
565 {
566 /* read the serial number and increment it by one */
567 serial = read_serial();
568
569 attr_cert = lib->creds->create(lib->creds,
570 CRED_CERTIFICATE, CERT_X509_AC,
571 BUILD_CERT, user_cert,
572 BUILD_NOT_BEFORE_TIME, &notBefore,
573 BUILD_NOT_AFTER_TIME, &notAfter,
574 BUILD_SIGNING_CERT, signer_cert,
575 BUILD_SIGNING_KEY, signer_key,
576 BUILD_END);
577 if (!attr_cert)
578 {
579 status = 1;
580 goto end;
581 }
582
583 /* write the attribute certificate to file */
584 attr_chunk = attr_cert->get_encoding(attr_cert);
585 if (chunk_write(attr_chunk, outfile, "attribute cert", 0022, TRUE))
586 {
587 write_serial(serial);
588 status = 0;
589 }
590 }
591 else
592 {
593 usage("some of the mandatory parameters --usercert --cert --key "
594 "are missing");
595 }
596
597 end:
598 /* delete all dynamically allocated objects */
599 DESTROY_IF(signer_key);
600 DESTROY_IF(signer_cert);
601 DESTROY_IF(user_cert);
602 DESTROY_IF(attr_cert);
603 free(attr_chunk.ptr);
604 free(serial.ptr);
605 closelog();
606 dbg = dbg_default;
607 options->destroy(options);
608 library_deinit();
609 exit(status);
610 }