projects / strongswan.git / blob
? search:


210e1f67639cf425311429b6385b31f50c1c7f10
[strongswan.git] / src / openac / openac.c
1 /**
2 * @file openac.c
3 *
4 * @brief Generation of X.509 attribute certificates.
5 *
6 */
7
8 /*
9 * Copyright (C) 2002 Ueli Galizzi, Ariane Seiler
10 * Copyright (C) 2004,2007 Andreas Steffen
11 * Hochschule fuer Technik Rapperswil, Switzerland
12 *
13 * This program is free software; you can redistribute it and/or modify it
14 * under the terms of the GNU General Public License as published by the
15 * Free Software Foundation; either version 2 of the License, or (at your
16 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
17 *
18 * This program is distributed in the hope that it will be useful, but
19 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
20 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
21 * for more details.
22 *
23 * RCSID $Id$
24 */
25
26 #include <stdio.h>
27 #include <stdlib.h>
28 #include <string.h>
29 #include <syslog.h>
30 #include <unistd.h>
31 #include <getopt.h>
32 #include <ctype.h>
33 #include <time.h>
34 #include <gmp.h>
35
36 #include <library.h>
37 #include <debug.h>
38 #include <asn1/asn1.h>
39 #include <asn1/pem.h>
40 #include <credentials/certificates/x509.h>
41 #include <credentials/certificates/ac.h>
42 #include <utils/optionsfrom.h>
43
44 #ifdef INTEGRITY_TEST
45 #include <fips/fips.h>
46 #include <fips_signature.h>
47 #endif /* INTEGRITY_TEST */
48
49 #define OPENAC_PATH IPSEC_CONFDIR "/openac"
50 #define OPENAC_SERIAL IPSEC_CONFDIR "/openac/serial"
51
52 #define DEFAULT_VALIDITY 24*3600 /* seconds */
53
54 /**
55 * @brief prints the usage of the program to the stderr
56 */
57 static void usage(const char *message)
58 {
59 if (message != NULL && *message != '\0')
60 {
61 fprintf(stderr, "%s\n", message);
62 }
63 fprintf(stderr, "Usage: openac"
64 " [--help]"
65 " [--version]"
66 " [--optionsfrom <filename>]"
67 " [--quiet]"
68 " \\\n\t"
69 " [--debug <level 0..4>]"
70 " \\\n\t"
71 " [--days <days>]"
72 " [--hours <hours>]"
73 " \\\n\t"
74 " [--startdate <YYYYMMDDHHMMSSZ>]"
75 " [--enddate <YYYYMMDDHHMMSSZ>]"
76 " \\\n\t"
77 " --cert <certfile>"
78 " --key <keyfile>"
79 " [--password <password>]"
80 " \\\n\t"
81 " --usercert <certfile>"
82 " --groups <attr1,attr2,..>"
83 " --out <filename>"
84 "\n"
85 );
86 }
87
88
89 /**
90 * convert a chunk into a multi-precision integer
91 */
92 static void chunk_to_mpz(chunk_t chunk, mpz_t number)
93 {
94 mpz_import(number, chunk.len, 1, 1, 1, 0, chunk.ptr);
95 }
96
97 /**
98 * convert a multi-precision integer into a chunk
99 */
100 static chunk_t mpz_to_chunk(mpz_t number)
101 {
102 chunk_t chunk;
103
104 chunk.len = 1 + mpz_sizeinbase(number, 2)/BITS_PER_BYTE;
105 chunk.ptr = mpz_export(NULL, NULL, 1, chunk.len, 1, 0, number);
106 return chunk;
107 }
108
109 /**
110 * read the last serial number from file
111 */
112 static chunk_t read_serial(void)
113 {
114 mpz_t number;
115
116 char buf[BUF_LEN], buf1[BUF_LEN];
117 chunk_t hex_serial = { buf, BUF_LEN };
118 chunk_t last_serial = { buf1, BUF_LEN };
119 chunk_t serial;
120
121 FILE *fd = fopen(OPENAC_SERIAL, "r");
122
123 /* last serial number defaults to 0 */
124 *last_serial.ptr = 0x00;
125 last_serial.len = 1;
126
127 if (fd)
128 {
129 if (fscanf(fd, "%s", hex_serial.ptr))
130 {
131 hex_serial.len = strlen(hex_serial.ptr);
132 last_serial = chunk_from_hex(hex_serial, last_serial.ptr);
133 }
134 fclose(fd);
135 }
136 else
137 {
138 DBG1(" file '%s' does not exist yet - serial number set to 01", OPENAC_SERIAL);
139 }
140
141 /**
142 * conversion of read serial number to a multiprecision integer
143 * and incrementing it by one
144 * and representing it as a two's complement octet string
145 */
146 mpz_init(number);
147 chunk_to_mpz(last_serial, number);
148 mpz_add_ui(number, number, 0x01);
149 serial = mpz_to_chunk(number);
150 mpz_clear(number);
151
152 return serial;
153 }
154
155 /**
156 * write back the last serial number to file
157 */
158 static void write_serial(chunk_t serial)
159 {
160 FILE *fd = fopen(OPENAC_SERIAL, "w");
161
162 if (fd)
163 {
164 chunk_t hex_serial;
165
166 DBG1(" serial number is %#B", &serial);
167 hex_serial = chunk_to_hex(serial, NULL, FALSE);
168 fprintf(fd, "%.*s\n", hex_serial.len, hex_serial.ptr);
169 fclose(fd);
170 free(hex_serial.ptr);
171 }
172 else
173 {
174 DBG1(" could not open file '%s' for writing", OPENAC_SERIAL);
175 }
176 }
177
178 /**
179 * Load and parse a private key file
180 */
181 static private_key_t* private_key_create_from_file(char *path, chunk_t *secret)
182 {
183 bool pgp = FALSE;
184 chunk_t chunk = chunk_empty;
185 private_key_t *key = NULL;
186
187 if (!pem_asn1_load_file(path, secret, &chunk, &pgp))
188 {
189 DBG1(" could not load private key file '%s'", path);
190 return NULL;
191 }
192 key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
193 BUILD_BLOB_ASN1_DER, chunk, BUILD_END);
194 if (key == NULL)
195 {
196 DBG1(" could not parse loaded private key file '%s'", path);
197 return NULL;
198 }
199 DBG1(" loaded private key file '%s'", path);
200 return key;
201 }
202
203 /**
204 * global variables accessible by both main() and build.c
205 */
206
207 static int debug_level = 1;
208 static bool stderr_quiet = FALSE;
209
210 /**
211 * openac dbg function
212 */
213 static void openac_dbg(int level, char *fmt, ...)
214 {
215 int priority = LOG_INFO;
216 va_list args;
217
218 if (level <= debug_level)
219 {
220 va_start(args, fmt);
221 if (!stderr_quiet)
222 {
223 vfprintf(stderr, fmt, args);
224 fprintf(stderr, "\n");
225 }
226 vsyslog(priority, fmt, args);
227 va_end(args);
228 }
229 }
230
231 /**
232 * @brief openac main program
233 *
234 * @param argc number of arguments
235 * @param argv pointer to the argument values
236 */
237 int main(int argc, char **argv)
238 {
239 certificate_t *attr_cert = NULL;
240 certificate_t *userCert = NULL;
241 certificate_t *signerCert = NULL;
242 private_key_t *signerKey = NULL;
243
244 time_t notBefore = UNDEFINED_TIME;
245 time_t notAfter = UNDEFINED_TIME;
246 time_t validity = 0;
247
248 char *keyfile = NULL;
249 char *certfile = NULL;
250 char *usercertfile = NULL;
251 char *outfile = NULL;
252 char *groups = "";
253 char buf[BUF_LEN];
254
255 chunk_t passphrase = { buf, 0 };
256 chunk_t serial = chunk_empty;
257 chunk_t attr_chunk = chunk_empty;
258
259 int status = 1;
260
261 /* enable openac debugging hook */
262 dbg = openac_dbg;
263
264 passphrase.ptr[0] = '\0';
265
266 openlog("openac", 0, LOG_AUTHPRIV);
267
268 /* initialize library */
269 library_init(STRONGSWAN_CONF);
270 lib->plugins->load(lib->plugins, IPSEC_PLUGINDIR, "libstrongswan-");
271
272 /* initialize optionsfrom */
273 options_t *options = options_create();
274
275 /* handle arguments */
276 for (;;)
277 {
278 static const struct option long_opts[] = {
279 /* name, has_arg, flag, val */
280 { "help", no_argument, NULL, 'h' },
281 { "version", no_argument, NULL, 'v' },
282 { "optionsfrom", required_argument, NULL, '+' },
283 { "quiet", no_argument, NULL, 'q' },
284 { "cert", required_argument, NULL, 'c' },
285 { "key", required_argument, NULL, 'k' },
286 { "password", required_argument, NULL, 'p' },
287 { "usercert", required_argument, NULL, 'u' },
288 { "groups", required_argument, NULL, 'g' },
289 { "days", required_argument, NULL, 'D' },
290 { "hours", required_argument, NULL, 'H' },
291 { "startdate", required_argument, NULL, 'S' },
292 { "enddate", required_argument, NULL, 'E' },
293 { "out", required_argument, NULL, 'o' },
294 { "debug", required_argument, NULL, 'd' },
295 { 0,0,0,0 }
296 };
297
298 int c = getopt_long(argc, argv, "hv+:qc:k:p;u:g:D:H:S:E:o:d:", long_opts, NULL);
299
300 /* Note: "breaking" from case terminates loop */
301 switch (c)
302 {
303 case EOF: /* end of flags */
304 break;
305
306 case 0: /* long option already handled */
307 continue;
308
309 case ':': /* diagnostic already printed by getopt_long */
310 case '?': /* diagnostic already printed by getopt_long */
311 case 'h': /* --help */
312 usage(NULL);
313 status = 1;
314 goto end;
315
316 case 'v': /* --version */
317 printf("openac (strongSwan %s)\n", VERSION);
318 status = 0;
319 goto end;
320
321 case '+': /* --optionsfrom <filename> */
322 {
323 char path[BUF_LEN];
324
325 if (*optarg == '/') /* absolute pathname */
326 {
327 strncpy(path, optarg, BUF_LEN);
328 }
329 else /* relative pathname */
330 {
331 snprintf(path, BUF_LEN, "%s/%s", OPENAC_PATH, optarg);
332 }
333 if (!options->from(options, path, &argc, &argv, optind))
334 {
335 status = 1;
336 goto end;
337 }
338 }
339 continue;
340
341 case 'q': /* --quiet */
342 stderr_quiet = TRUE;
343 continue;
344
345 case 'c': /* --cert */
346 certfile = optarg;
347 continue;
348
349 case 'k': /* --key */
350 keyfile = optarg;
351 continue;
352
353 case 'p': /* --key */
354 if (strlen(optarg) > BUF_LEN)
355 {
356 usage("passphrase too long");
357 goto end;
358 }
359 strncpy(passphrase.ptr, optarg, BUF_LEN);
360 passphrase.len = min(strlen(optarg), BUF_LEN);
361 continue;
362
363 case 'u': /* --usercert */
364 usercertfile = optarg;
365 continue;
366
367 case 'g': /* --groups */
368 groups = optarg;
369 continue;
370
371 case 'D': /* --days */
372 if (optarg == NULL || !isdigit(optarg[0]))
373 {
374 usage("missing number of days");
375 goto end;
376 }
377 else
378 {
379 char *endptr;
380 long days = strtol(optarg, &endptr, 0);
381
382 if (*endptr != '\0' || endptr == optarg || days <= 0)
383 {
384 usage("<days> must be a positive number");
385 goto end;
386 }
387 validity += 24*3600*days;
388 }
389 continue;
390
391 case 'H': /* --hours */
392 if (optarg == NULL || !isdigit(optarg[0]))
393 {
394 usage("missing number of hours");
395 goto end;
396 }
397 else
398 {
399 char *endptr;
400 long hours = strtol(optarg, &endptr, 0);
401
402 if (*endptr != '\0' || endptr == optarg || hours <= 0)
403 {
404 usage("<hours> must be a positive number");
405 goto end;
406 }
407 validity += 3600*hours;
408 }
409 continue;
410
411 case 'S': /* --startdate */
412 if (optarg == NULL || strlen(optarg) != 15 || optarg[14] != 'Z')
413 {
414 usage("date format must be YYYYMMDDHHMMSSZ");
415 goto end;
416 }
417 else
418 {
419 chunk_t date = { optarg, 15 };
420
421 notBefore = asn1_to_time(&date, ASN1_GENERALIZEDTIME);
422 }
423 continue;
424
425 case 'E': /* --enddate */
426 if (optarg == NULL || strlen(optarg) != 15 || optarg[14] != 'Z')
427 {
428 usage("date format must be YYYYMMDDHHMMSSZ");
429 goto end;
430 }
431 else
432 {
433 chunk_t date = { optarg, 15 };
434 notAfter = asn1_to_time(&date, ASN1_GENERALIZEDTIME);
435 }
436 continue;
437
438 case 'o': /* --out */
439 outfile = optarg;
440 continue;
441
442 case 'd': /* --debug */
443 debug_level = atoi(optarg);
444 continue;
445
446 default:
447 usage("");
448 status = 0;
449 goto end;
450 }
451 /* break from loop */
452 break;
453 }
454
455 if (optind != argc)
456 {
457 usage("unexpected argument");
458 goto end;
459 }
460
461 DBG1("starting openac (strongSwan Version %s)", VERSION);
462
463 #ifdef INTEGRITY_TEST
464 DBG1("integrity test of libstrongswan code");
465 if (fips_verify_hmac_signature(hmac_key, hmac_signature))
466 {
467 DBG1(" integrity test passed");
468 }
469 else
470 {
471 DBG1(" integrity test failed");
472 status = 3;
473 goto end;
474 }
475 #endif /* INTEGRITY_TEST */
476
477 /* load the signer's RSA private key */
478 if (keyfile != NULL)
479 {
480 signerKey = private_key_create_from_file(keyfile, &passphrase);
481
482 if (signerKey == NULL)
483 {
484 goto end;
485 }
486 }
487
488 /* load the signer's X.509 certificate */
489 if (certfile != NULL)
490 {
491 signerCert = lib->creds->create(lib->creds,
492 CRED_CERTIFICATE, CERT_X509,
493 BUILD_FROM_FILE, certfile,
494 BUILD_X509_FLAG, 0,
495 BUILD_END);
496 if (signerCert == NULL)
497 {
498 goto end;
499 }
500 }
501
502 /* load the users's X.509 certificate */
503 if (usercertfile != NULL)
504 {
505 userCert = lib->creds->create(lib->creds,
506 CRED_CERTIFICATE, CERT_X509,
507 BUILD_FROM_FILE, usercertfile,
508 BUILD_X509_FLAG, 0,
509 BUILD_END);
510 if (userCert == NULL)
511 {
512 goto end;
513 }
514 }
515
516 /* compute validity interval */
517 validity = (validity)? validity : DEFAULT_VALIDITY;
518 notBefore = (notBefore == UNDEFINED_TIME) ? time(NULL) : notBefore;
519 notAfter = (notAfter == UNDEFINED_TIME) ? time(NULL) + validity : notAfter;
520
521 /* build and parse attribute certificate */
522 if (userCert != NULL && signerCert != NULL && signerKey != NULL)
523 {
524 /* read the serial number and increment it by one */
525 serial = read_serial();
526
527 attr_cert = lib->creds->create(lib->creds,
528 CRED_CERTIFICATE, CERT_X509_AC,
529 BUILD_CERT, userCert->get_ref(userCert),
530 BUILD_NOT_BEFORE_TIME, notBefore,
531 BUILD_NOT_AFTER_TIME, notAfter,
532 BUILD_SERIAL, serial,
533 BUILD_IETF_GROUP_ATTR, groups,
534 BUILD_SIGNING_CERT, signerCert->get_ref(signerCert),
535 BUILD_SIGNING_KEY, signerKey->get_ref(signerKey),
536 BUILD_END);
537 if (!attr_cert)
538 {
539 goto end;
540 }
541
542 /* write the attribute certificate to file */
543 attr_chunk = attr_cert->get_encoding(attr_cert);
544 if (chunk_write(attr_chunk, outfile, 0022, TRUE))
545 {
546 DBG1(" wrote attribute cert file '%s' (%u bytes)", outfile, attr_chunk.len);
547 write_serial(serial);
548 status = 0;
549 }
550 }
551 else
552 {
553 usage("some of the mandatory parameters --usercert --cert --key "
554 "are missing");
555 }
556
557 end:
558 /* delete all dynamically allocated objects */
559 DESTROY_IF(signerKey);
560 DESTROY_IF(signerCert);
561 DESTROY_IF(userCert);
562 DESTROY_IF(attr_cert);
563 free(attr_chunk.ptr);
564 free(serial.ptr);
565 closelog();
566 dbg = dbg_default;
567 options->destroy(options);
568 library_deinit();
569 exit(status);
570 }
strongSwan - IPsec VPN