Hand out shared secret of load tester for all identities
[strongswan.git] / src / openac / openac.c
1 /**
2 * @file openac.c
3 *
4 * @brief Generation of X.509 attribute certificates.
5 *
6 */
7
8 /*
9 * Copyright (C) 2002 Ueli Galizzi, Ariane Seiler
10 * Copyright (C) 2004,2007 Andreas Steffen
11 * Hochschule fuer Technik Rapperswil, Switzerland
12 *
13 * This program is free software; you can redistribute it and/or modify it
14 * under the terms of the GNU General Public License as published by the
15 * Free Software Foundation; either version 2 of the License, or (at your
16 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
17 *
18 * This program is distributed in the hope that it will be useful, but
19 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
20 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
21 * for more details.
22 */
23
24 #include <stdio.h>
25 #include <stdlib.h>
26 #include <string.h>
27 #include <syslog.h>
28 #include <unistd.h>
29 #include <getopt.h>
30 #include <ctype.h>
31 #include <time.h>
32
33 #include <library.h>
34 #include <debug.h>
35 #include <asn1/asn1.h>
36 #include <credentials/certificates/x509.h>
37 #include <credentials/certificates/ac.h>
38 #include <credentials/keys/private_key.h>
39 #include <utils/optionsfrom.h>
40
41 #define OPENAC_PATH IPSEC_CONFDIR "/openac"
42 #define OPENAC_SERIAL IPSEC_CONFDIR "/openac/serial"
43
44 #define DEFAULT_VALIDITY 24*3600 /* seconds */
45
46 /**
47 * @brief prints the usage of the program to the stderr
48 */
49 static void usage(const char *message)
50 {
51 if (message != NULL && *message != '\0')
52 {
53 fprintf(stderr, "%s\n", message);
54 }
55 fprintf(stderr, "Usage: openac"
56 " [--help]"
57 " [--version]"
58 " [--optionsfrom <filename>]"
59 " [--quiet]"
60 " \\\n\t"
61 " [--debug <level 0..4>]"
62 " \\\n\t"
63 " [--days <days>]"
64 " [--hours <hours>]"
65 " \\\n\t"
66 " [--startdate <YYYYMMDDHHMMSSZ>]"
67 " [--enddate <YYYYMMDDHHMMSSZ>]"
68 " \\\n\t"
69 " --cert <certfile>"
70 " --key <keyfile>"
71 " [--password <password>]"
72 " \\\n\t"
73 " --usercert <certfile>"
74 " --groups <attr1,attr2,..>"
75 " --out <filename>"
76 "\n"
77 );
78 }
79
80 /**
81 * read the last serial number from file
82 */
83 static chunk_t read_serial(void)
84 {
85 chunk_t hex, serial = chunk_empty;
86 char one[] = {0x01};
87 FILE *fd;
88
89 fd = fopen(OPENAC_SERIAL, "r");
90 if (fd)
91 {
92 hex = chunk_alloca(64);
93 hex.len = fread(hex.ptr, 1, hex.len, fd);
94 if (hex.len)
95 {
96 /* remove any terminating newline character */
97 if (hex.ptr[hex.len-1] == '\n')
98 {
99 hex.len--;
100 }
101 serial = chunk_alloca((hex.len / 2) + (hex.len % 2));
102 serial = chunk_from_hex(hex, serial.ptr);
103 }
104 fclose(fd);
105 }
106 else
107 {
108 DBG1(" file '%s' does not exist yet - serial number set to 01", OPENAC_SERIAL);
109 }
110 if (!serial.len)
111 {
112 return chunk_clone(chunk_create(one, 1));
113 }
114 if (chunk_increment(serial))
115 { /* overflow, prepend 0x01 */
116 return chunk_cat("cc", chunk_create(one, 1), serial);
117 }
118 return chunk_clone(serial);
119 }
120
121 /**
122 * write back the last serial number to file
123 */
124 static void write_serial(chunk_t serial)
125 {
126 FILE *fd = fopen(OPENAC_SERIAL, "w");
127
128 if (fd)
129 {
130 chunk_t hex_serial;
131
132 DBG1(" serial number is %#B", &serial);
133 hex_serial = chunk_to_hex(serial, NULL, FALSE);
134 fprintf(fd, "%.*s\n", hex_serial.len, hex_serial.ptr);
135 fclose(fd);
136 free(hex_serial.ptr);
137 }
138 else
139 {
140 DBG1(" could not open file '%s' for writing", OPENAC_SERIAL);
141 }
142 }
143
144 /**
145 * global variables accessible by both main() and build.c
146 */
147
148 static int debug_level = 1;
149 static bool stderr_quiet = FALSE;
150
151 /**
152 * openac dbg function
153 */
154 static void openac_dbg(int level, char *fmt, ...)
155 {
156 int priority = LOG_INFO;
157 char buffer[8192];
158 char *current = buffer, *next;
159 va_list args;
160
161 if (level <= debug_level)
162 {
163 if (!stderr_quiet)
164 {
165 va_start(args, fmt);
166 vfprintf(stderr, fmt, args);
167 fprintf(stderr, "\n");
168 va_end(args);
169 }
170
171 /* write in memory buffer first */
172 va_start(args, fmt);
173 vsnprintf(buffer, sizeof(buffer), fmt, args);
174 va_end(args);
175
176 /* do a syslog with every line */
177 while (current)
178 {
179 next = strchr(current, '\n');
180 if (next)
181 {
182 *(next++) = '\0';
183 }
184 syslog(priority, "%s\n", current);
185 current = next;
186 }
187 }
188 }
189
190 /**
191 * @brief openac main program
192 *
193 * @param argc number of arguments
194 * @param argv pointer to the argument values
195 */
196 int main(int argc, char **argv)
197 {
198 certificate_t *attr_cert = NULL;
199 certificate_t *userCert = NULL;
200 certificate_t *signerCert = NULL;
201 private_key_t *signerKey = NULL;
202
203 time_t notBefore = UNDEFINED_TIME;
204 time_t notAfter = UNDEFINED_TIME;
205 time_t validity = 0;
206
207 char *keyfile = NULL;
208 char *certfile = NULL;
209 char *usercertfile = NULL;
210 char *outfile = NULL;
211 char *groups = "";
212 char buf[BUF_LEN];
213
214 chunk_t passphrase = { buf, 0 };
215 chunk_t serial = chunk_empty;
216 chunk_t attr_chunk = chunk_empty;
217
218 int status = 1;
219
220 /* enable openac debugging hook */
221 dbg = openac_dbg;
222
223 passphrase.ptr[0] = '\0';
224
225 openlog("openac", 0, LOG_AUTHPRIV);
226
227 /* initialize library */
228 atexit(library_deinit);
229 if (!library_init(NULL))
230 {
231 exit(SS_RC_LIBSTRONGSWAN_INTEGRITY);
232 }
233 if (lib->integrity &&
234 !lib->integrity->check_file(lib->integrity, "openac", argv[0]))
235 {
236 fprintf(stderr, "integrity check of openac failed\n");
237 exit(SS_RC_DAEMON_INTEGRITY);
238 }
239 if (!lib->plugins->load(lib->plugins, NULL,
240 lib->settings->get_str(lib->settings, "openac.load", PLUGINS)))
241 {
242 exit(SS_RC_INITIALIZATION_FAILED);
243 }
244
245 /* initialize optionsfrom */
246 options_t *options = options_create();
247
248 /* handle arguments */
249 for (;;)
250 {
251 static const struct option long_opts[] = {
252 /* name, has_arg, flag, val */
253 { "help", no_argument, NULL, 'h' },
254 { "version", no_argument, NULL, 'v' },
255 { "optionsfrom", required_argument, NULL, '+' },
256 { "quiet", no_argument, NULL, 'q' },
257 { "cert", required_argument, NULL, 'c' },
258 { "key", required_argument, NULL, 'k' },
259 { "password", required_argument, NULL, 'p' },
260 { "usercert", required_argument, NULL, 'u' },
261 { "groups", required_argument, NULL, 'g' },
262 { "days", required_argument, NULL, 'D' },
263 { "hours", required_argument, NULL, 'H' },
264 { "startdate", required_argument, NULL, 'S' },
265 { "enddate", required_argument, NULL, 'E' },
266 { "out", required_argument, NULL, 'o' },
267 { "debug", required_argument, NULL, 'd' },
268 { 0,0,0,0 }
269 };
270
271 int c = getopt_long(argc, argv, "hv+:qc:k:p;u:g:D:H:S:E:o:d:", long_opts, NULL);
272
273 /* Note: "breaking" from case terminates loop */
274 switch (c)
275 {
276 case EOF: /* end of flags */
277 break;
278
279 case 0: /* long option already handled */
280 continue;
281
282 case ':': /* diagnostic already printed by getopt_long */
283 case '?': /* diagnostic already printed by getopt_long */
284 case 'h': /* --help */
285 usage(NULL);
286 status = 1;
287 goto end;
288
289 case 'v': /* --version */
290 printf("openac (strongSwan %s)\n", VERSION);
291 status = 0;
292 goto end;
293
294 case '+': /* --optionsfrom <filename> */
295 {
296 char path[BUF_LEN];
297
298 if (*optarg == '/') /* absolute pathname */
299 {
300 strncpy(path, optarg, BUF_LEN);
301 }
302 else /* relative pathname */
303 {
304 snprintf(path, BUF_LEN, "%s/%s", OPENAC_PATH, optarg);
305 }
306 if (!options->from(options, path, &argc, &argv, optind))
307 {
308 status = 1;
309 goto end;
310 }
311 }
312 continue;
313
314 case 'q': /* --quiet */
315 stderr_quiet = TRUE;
316 continue;
317
318 case 'c': /* --cert */
319 certfile = optarg;
320 continue;
321
322 case 'k': /* --key */
323 keyfile = optarg;
324 continue;
325
326 case 'p': /* --key */
327 if (strlen(optarg) > BUF_LEN)
328 {
329 usage("passphrase too long");
330 goto end;
331 }
332 strncpy(passphrase.ptr, optarg, BUF_LEN);
333 passphrase.len = min(strlen(optarg), BUF_LEN);
334 continue;
335
336 case 'u': /* --usercert */
337 usercertfile = optarg;
338 continue;
339
340 case 'g': /* --groups */
341 groups = optarg;
342 continue;
343
344 case 'D': /* --days */
345 if (optarg == NULL || !isdigit(optarg[0]))
346 {
347 usage("missing number of days");
348 goto end;
349 }
350 else
351 {
352 char *endptr;
353 long days = strtol(optarg, &endptr, 0);
354
355 if (*endptr != '\0' || endptr == optarg || days <= 0)
356 {
357 usage("<days> must be a positive number");
358 goto end;
359 }
360 validity += 24*3600*days;
361 }
362 continue;
363
364 case 'H': /* --hours */
365 if (optarg == NULL || !isdigit(optarg[0]))
366 {
367 usage("missing number of hours");
368 goto end;
369 }
370 else
371 {
372 char *endptr;
373 long hours = strtol(optarg, &endptr, 0);
374
375 if (*endptr != '\0' || endptr == optarg || hours <= 0)
376 {
377 usage("<hours> must be a positive number");
378 goto end;
379 }
380 validity += 3600*hours;
381 }
382 continue;
383
384 case 'S': /* --startdate */
385 if (optarg == NULL || strlen(optarg) != 15 || optarg[14] != 'Z')
386 {
387 usage("date format must be YYYYMMDDHHMMSSZ");
388 goto end;
389 }
390 else
391 {
392 chunk_t date = { optarg, 15 };
393
394 notBefore = asn1_to_time(&date, ASN1_GENERALIZEDTIME);
395 }
396 continue;
397
398 case 'E': /* --enddate */
399 if (optarg == NULL || strlen(optarg) != 15 || optarg[14] != 'Z')
400 {
401 usage("date format must be YYYYMMDDHHMMSSZ");
402 goto end;
403 }
404 else
405 {
406 chunk_t date = { optarg, 15 };
407 notAfter = asn1_to_time(&date, ASN1_GENERALIZEDTIME);
408 }
409 continue;
410
411 case 'o': /* --out */
412 outfile = optarg;
413 continue;
414
415 case 'd': /* --debug */
416 debug_level = atoi(optarg);
417 continue;
418
419 default:
420 usage("");
421 status = 0;
422 goto end;
423 }
424 /* break from loop */
425 break;
426 }
427
428 if (optind != argc)
429 {
430 usage("unexpected argument");
431 goto end;
432 }
433
434 DBG1("starting openac (strongSwan Version %s)", VERSION);
435
436 /* load the signer's RSA private key */
437 if (keyfile != NULL)
438 {
439 signerKey = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
440 BUILD_FROM_FILE, keyfile,
441 BUILD_PASSPHRASE, passphrase,
442 BUILD_END);
443 if (signerKey == NULL)
444 {
445 goto end;
446 }
447 DBG1(" loaded private key file '%s'", keyfile);
448 }
449
450 /* load the signer's X.509 certificate */
451 if (certfile != NULL)
452 {
453 signerCert = lib->creds->create(lib->creds,
454 CRED_CERTIFICATE, CERT_X509,
455 BUILD_FROM_FILE, certfile,
456 BUILD_END);
457 if (signerCert == NULL)
458 {
459 goto end;
460 }
461 }
462
463 /* load the users's X.509 certificate */
464 if (usercertfile != NULL)
465 {
466 userCert = lib->creds->create(lib->creds,
467 CRED_CERTIFICATE, CERT_X509,
468 BUILD_FROM_FILE, usercertfile,
469 BUILD_END);
470 if (userCert == NULL)
471 {
472 goto end;
473 }
474 }
475
476 /* compute validity interval */
477 validity = (validity)? validity : DEFAULT_VALIDITY;
478 notBefore = (notBefore == UNDEFINED_TIME) ? time(NULL) : notBefore;
479 notAfter = (notAfter == UNDEFINED_TIME) ? time(NULL) + validity : notAfter;
480
481 /* build and parse attribute certificate */
482 if (userCert != NULL && signerCert != NULL && signerKey != NULL)
483 {
484 /* read the serial number and increment it by one */
485 serial = read_serial();
486
487 attr_cert = lib->creds->create(lib->creds,
488 CRED_CERTIFICATE, CERT_X509_AC,
489 BUILD_CERT, userCert,
490 BUILD_NOT_BEFORE_TIME, notBefore,
491 BUILD_NOT_AFTER_TIME, notAfter,
492 BUILD_SERIAL, serial,
493 BUILD_IETF_GROUP_ATTR, groups,
494 BUILD_SIGNING_CERT, signerCert,
495 BUILD_SIGNING_KEY, signerKey,
496 BUILD_END);
497 if (!attr_cert)
498 {
499 goto end;
500 }
501
502 /* write the attribute certificate to file */
503 attr_chunk = attr_cert->get_encoding(attr_cert);
504 if (chunk_write(attr_chunk, outfile, "attribute cert", 0022, TRUE))
505 {
506 write_serial(serial);
507 status = 0;
508 }
509 }
510 else
511 {
512 usage("some of the mandatory parameters --usercert --cert --key "
513 "are missing");
514 }
515
516 end:
517 /* delete all dynamically allocated objects */
518 DESTROY_IF(signerKey);
519 DESTROY_IF(signerCert);
520 DESTROY_IF(userCert);
521 DESTROY_IF(attr_cert);
522 free(attr_chunk.ptr);
523 free(serial.ptr);
524 closelog();
525 dbg = dbg_default;
526 options->destroy(options);
527 exit(status);
528 }