3686c07ac83d01368d71f8a8fe15c5942f0b78d8
[strongswan.git] / src / openac / openac.c
1 /**
2 * @file openac.c
3 *
4 * @brief Generation of X.509 attribute certificates.
5 *
6 */
7
8 /*
9 * Copyright (C) 2002 Ueli Galizzi, Ariane Seiler
10 * Copyright (C) 2004,2007 Andreas Steffen
11 * Hochschule fuer Technik Rapperswil, Switzerland
12 *
13 * This program is free software; you can redistribute it and/or modify it
14 * under the terms of the GNU General Public License as published by the
15 * Free Software Foundation; either version 2 of the License, or (at your
16 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
17 *
18 * This program is distributed in the hope that it will be useful, but
19 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
20 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
21 * for more details.
22 */
23
24 #include <stdio.h>
25 #include <stdlib.h>
26 #include <string.h>
27 #include <syslog.h>
28 #include <unistd.h>
29 #include <getopt.h>
30 #include <ctype.h>
31 #include <time.h>
32 #include <gmp.h>
33
34 #include <library.h>
35 #include <debug.h>
36 #include <asn1/asn1.h>
37 #include <asn1/pem.h>
38 #include <credentials/certificates/x509.h>
39 #include <credentials/certificates/ac.h>
40 #include <credentials/keys/private_key.h>
41 #include <utils/optionsfrom.h>
42
43 #ifdef INTEGRITY_TEST
44 #include <fips/fips.h>
45 #include <fips_signature.h>
46 #endif /* INTEGRITY_TEST */
47
48 #define OPENAC_PATH IPSEC_CONFDIR "/openac"
49 #define OPENAC_SERIAL IPSEC_CONFDIR "/openac/serial"
50
51 #define DEFAULT_VALIDITY 24*3600 /* seconds */
52
53 /**
54 * @brief prints the usage of the program to the stderr
55 */
56 static void usage(const char *message)
57 {
58 if (message != NULL && *message != '\0')
59 {
60 fprintf(stderr, "%s\n", message);
61 }
62 fprintf(stderr, "Usage: openac"
63 " [--help]"
64 " [--version]"
65 " [--optionsfrom <filename>]"
66 " [--quiet]"
67 " \\\n\t"
68 " [--debug <level 0..4>]"
69 " \\\n\t"
70 " [--days <days>]"
71 " [--hours <hours>]"
72 " \\\n\t"
73 " [--startdate <YYYYMMDDHHMMSSZ>]"
74 " [--enddate <YYYYMMDDHHMMSSZ>]"
75 " \\\n\t"
76 " --cert <certfile>"
77 " --key <keyfile>"
78 " [--password <password>]"
79 " \\\n\t"
80 " --usercert <certfile>"
81 " --groups <attr1,attr2,..>"
82 " --out <filename>"
83 "\n"
84 );
85 }
86
87
88 /**
89 * convert a chunk into a multi-precision integer
90 */
91 static void chunk_to_mpz(chunk_t chunk, mpz_t number)
92 {
93 mpz_import(number, chunk.len, 1, 1, 1, 0, chunk.ptr);
94 }
95
96 /**
97 * convert a multi-precision integer into a chunk
98 */
99 static chunk_t mpz_to_chunk(mpz_t number)
100 {
101 chunk_t chunk;
102
103 chunk.len = 1 + mpz_sizeinbase(number, 2)/BITS_PER_BYTE;
104 chunk.ptr = mpz_export(NULL, NULL, 1, chunk.len, 1, 0, number);
105 if (chunk.ptr == NULL)
106 {
107 chunk.len = 0;
108 }
109 return chunk;
110 }
111
112 /**
113 * read the last serial number from file
114 */
115 static chunk_t read_serial(void)
116 {
117 mpz_t number;
118
119 char buf[BUF_LEN], buf1[BUF_LEN];
120 chunk_t hex_serial = { buf, BUF_LEN };
121 chunk_t last_serial = { buf1, BUF_LEN };
122 chunk_t serial;
123
124 FILE *fd = fopen(OPENAC_SERIAL, "r");
125
126 /* last serial number defaults to 0 */
127 *last_serial.ptr = 0x00;
128 last_serial.len = 1;
129
130 if (fd)
131 {
132 if (fscanf(fd, "%s", hex_serial.ptr))
133 {
134 hex_serial.len = strlen(hex_serial.ptr);
135 last_serial = chunk_from_hex(hex_serial, last_serial.ptr);
136 }
137 fclose(fd);
138 }
139 else
140 {
141 DBG1(" file '%s' does not exist yet - serial number set to 01", OPENAC_SERIAL);
142 }
143
144 /**
145 * conversion of read serial number to a multiprecision integer
146 * and incrementing it by one
147 * and representing it as a two's complement octet string
148 */
149 mpz_init(number);
150 chunk_to_mpz(last_serial, number);
151 mpz_add_ui(number, number, 0x01);
152 serial = mpz_to_chunk(number);
153 mpz_clear(number);
154
155 return serial;
156 }
157
158 /**
159 * write back the last serial number to file
160 */
161 static void write_serial(chunk_t serial)
162 {
163 FILE *fd = fopen(OPENAC_SERIAL, "w");
164
165 if (fd)
166 {
167 chunk_t hex_serial;
168
169 DBG1(" serial number is %#B", &serial);
170 hex_serial = chunk_to_hex(serial, NULL, FALSE);
171 fprintf(fd, "%.*s\n", hex_serial.len, hex_serial.ptr);
172 fclose(fd);
173 free(hex_serial.ptr);
174 }
175 else
176 {
177 DBG1(" could not open file '%s' for writing", OPENAC_SERIAL);
178 }
179 }
180
181 /**
182 * Load and parse a private key file
183 */
184 static private_key_t* private_key_create_from_file(char *path, chunk_t *secret)
185 {
186 bool pgp = FALSE;
187 chunk_t chunk = chunk_empty;
188 private_key_t *key = NULL;
189
190 if (!pem_asn1_load_file(path, secret, &chunk, &pgp))
191 {
192 DBG1(" could not load private key file '%s'", path);
193 return NULL;
194 }
195 key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
196 BUILD_BLOB_ASN1_DER, chunk, BUILD_END);
197 free(chunk.ptr);
198 if (key == NULL)
199 {
200 DBG1(" could not parse loaded private key file '%s'", path);
201 return NULL;
202 }
203 DBG1(" loaded private key file '%s'", path);
204 return key;
205 }
206
207 /**
208 * global variables accessible by both main() and build.c
209 */
210
211 static int debug_level = 1;
212 static bool stderr_quiet = FALSE;
213
214 /**
215 * openac dbg function
216 */
217 static void openac_dbg(int level, char *fmt, ...)
218 {
219 int priority = LOG_INFO;
220 char buffer[8192];
221 char *current = buffer, *next;
222 va_list args;
223
224 if (level <= debug_level)
225 {
226 va_start(args, fmt);
227
228 if (!stderr_quiet)
229 {
230 vfprintf(stderr, fmt, args);
231 fprintf(stderr, "\n");
232 }
233
234 /* write in memory buffer first */
235 vsnprintf(buffer, sizeof(buffer), fmt, args);
236 va_end(args);
237
238 /* do a syslog with every line */
239 while (current)
240 {
241 next = strchr(current, '\n');
242 if (next)
243 {
244 *(next++) = '\0';
245 }
246 syslog(priority, "%s\n", current);
247 current = next;
248 }
249 }
250 }
251
252 /**
253 * @brief openac main program
254 *
255 * @param argc number of arguments
256 * @param argv pointer to the argument values
257 */
258 int main(int argc, char **argv)
259 {
260 certificate_t *attr_cert = NULL;
261 certificate_t *userCert = NULL;
262 certificate_t *signerCert = NULL;
263 private_key_t *signerKey = NULL;
264
265 time_t notBefore = UNDEFINED_TIME;
266 time_t notAfter = UNDEFINED_TIME;
267 time_t validity = 0;
268
269 char *keyfile = NULL;
270 char *certfile = NULL;
271 char *usercertfile = NULL;
272 char *outfile = NULL;
273 char *groups = "";
274 char buf[BUF_LEN];
275
276 chunk_t passphrase = { buf, 0 };
277 chunk_t serial = chunk_empty;
278 chunk_t attr_chunk = chunk_empty;
279
280 int status = 1;
281
282 /* enable openac debugging hook */
283 dbg = openac_dbg;
284
285 passphrase.ptr[0] = '\0';
286
287 openlog("openac", 0, LOG_AUTHPRIV);
288
289 /* initialize library */
290 library_init(STRONGSWAN_CONF);
291 lib->plugins->load(lib->plugins, IPSEC_PLUGINDIR,
292 lib->settings->get_str(lib->settings, "openac.load", PLUGINS));
293
294 /* initialize optionsfrom */
295 options_t *options = options_create();
296
297 /* handle arguments */
298 for (;;)
299 {
300 static const struct option long_opts[] = {
301 /* name, has_arg, flag, val */
302 { "help", no_argument, NULL, 'h' },
303 { "version", no_argument, NULL, 'v' },
304 { "optionsfrom", required_argument, NULL, '+' },
305 { "quiet", no_argument, NULL, 'q' },
306 { "cert", required_argument, NULL, 'c' },
307 { "key", required_argument, NULL, 'k' },
308 { "password", required_argument, NULL, 'p' },
309 { "usercert", required_argument, NULL, 'u' },
310 { "groups", required_argument, NULL, 'g' },
311 { "days", required_argument, NULL, 'D' },
312 { "hours", required_argument, NULL, 'H' },
313 { "startdate", required_argument, NULL, 'S' },
314 { "enddate", required_argument, NULL, 'E' },
315 { "out", required_argument, NULL, 'o' },
316 { "debug", required_argument, NULL, 'd' },
317 { 0,0,0,0 }
318 };
319
320 int c = getopt_long(argc, argv, "hv+:qc:k:p;u:g:D:H:S:E:o:d:", long_opts, NULL);
321
322 /* Note: "breaking" from case terminates loop */
323 switch (c)
324 {
325 case EOF: /* end of flags */
326 break;
327
328 case 0: /* long option already handled */
329 continue;
330
331 case ':': /* diagnostic already printed by getopt_long */
332 case '?': /* diagnostic already printed by getopt_long */
333 case 'h': /* --help */
334 usage(NULL);
335 status = 1;
336 goto end;
337
338 case 'v': /* --version */
339 printf("openac (strongSwan %s)\n", VERSION);
340 status = 0;
341 goto end;
342
343 case '+': /* --optionsfrom <filename> */
344 {
345 char path[BUF_LEN];
346
347 if (*optarg == '/') /* absolute pathname */
348 {
349 strncpy(path, optarg, BUF_LEN);
350 }
351 else /* relative pathname */
352 {
353 snprintf(path, BUF_LEN, "%s/%s", OPENAC_PATH, optarg);
354 }
355 if (!options->from(options, path, &argc, &argv, optind))
356 {
357 status = 1;
358 goto end;
359 }
360 }
361 continue;
362
363 case 'q': /* --quiet */
364 stderr_quiet = TRUE;
365 continue;
366
367 case 'c': /* --cert */
368 certfile = optarg;
369 continue;
370
371 case 'k': /* --key */
372 keyfile = optarg;
373 continue;
374
375 case 'p': /* --key */
376 if (strlen(optarg) > BUF_LEN)
377 {
378 usage("passphrase too long");
379 goto end;
380 }
381 strncpy(passphrase.ptr, optarg, BUF_LEN);
382 passphrase.len = min(strlen(optarg), BUF_LEN);
383 continue;
384
385 case 'u': /* --usercert */
386 usercertfile = optarg;
387 continue;
388
389 case 'g': /* --groups */
390 groups = optarg;
391 continue;
392
393 case 'D': /* --days */
394 if (optarg == NULL || !isdigit(optarg[0]))
395 {
396 usage("missing number of days");
397 goto end;
398 }
399 else
400 {
401 char *endptr;
402 long days = strtol(optarg, &endptr, 0);
403
404 if (*endptr != '\0' || endptr == optarg || days <= 0)
405 {
406 usage("<days> must be a positive number");
407 goto end;
408 }
409 validity += 24*3600*days;
410 }
411 continue;
412
413 case 'H': /* --hours */
414 if (optarg == NULL || !isdigit(optarg[0]))
415 {
416 usage("missing number of hours");
417 goto end;
418 }
419 else
420 {
421 char *endptr;
422 long hours = strtol(optarg, &endptr, 0);
423
424 if (*endptr != '\0' || endptr == optarg || hours <= 0)
425 {
426 usage("<hours> must be a positive number");
427 goto end;
428 }
429 validity += 3600*hours;
430 }
431 continue;
432
433 case 'S': /* --startdate */
434 if (optarg == NULL || strlen(optarg) != 15 || optarg[14] != 'Z')
435 {
436 usage("date format must be YYYYMMDDHHMMSSZ");
437 goto end;
438 }
439 else
440 {
441 chunk_t date = { optarg, 15 };
442
443 notBefore = asn1_to_time(&date, ASN1_GENERALIZEDTIME);
444 }
445 continue;
446
447 case 'E': /* --enddate */
448 if (optarg == NULL || strlen(optarg) != 15 || optarg[14] != 'Z')
449 {
450 usage("date format must be YYYYMMDDHHMMSSZ");
451 goto end;
452 }
453 else
454 {
455 chunk_t date = { optarg, 15 };
456 notAfter = asn1_to_time(&date, ASN1_GENERALIZEDTIME);
457 }
458 continue;
459
460 case 'o': /* --out */
461 outfile = optarg;
462 continue;
463
464 case 'd': /* --debug */
465 debug_level = atoi(optarg);
466 continue;
467
468 default:
469 usage("");
470 status = 0;
471 goto end;
472 }
473 /* break from loop */
474 break;
475 }
476
477 if (optind != argc)
478 {
479 usage("unexpected argument");
480 goto end;
481 }
482
483 DBG1("starting openac (strongSwan Version %s)", VERSION);
484
485 #ifdef INTEGRITY_TEST
486 DBG1("integrity test of libstrongswan code");
487 if (fips_verify_hmac_signature(hmac_key, hmac_signature))
488 {
489 DBG1(" integrity test passed");
490 }
491 else
492 {
493 DBG1(" integrity test failed");
494 status = 3;
495 goto end;
496 }
497 #endif /* INTEGRITY_TEST */
498
499 /* load the signer's RSA private key */
500 if (keyfile != NULL)
501 {
502 signerKey = private_key_create_from_file(keyfile, &passphrase);
503
504 if (signerKey == NULL)
505 {
506 goto end;
507 }
508 }
509
510 /* load the signer's X.509 certificate */
511 if (certfile != NULL)
512 {
513 signerCert = lib->creds->create(lib->creds,
514 CRED_CERTIFICATE, CERT_X509,
515 BUILD_FROM_FILE, certfile,
516 BUILD_X509_FLAG, 0,
517 BUILD_END);
518 if (signerCert == NULL)
519 {
520 goto end;
521 }
522 }
523
524 /* load the users's X.509 certificate */
525 if (usercertfile != NULL)
526 {
527 userCert = lib->creds->create(lib->creds,
528 CRED_CERTIFICATE, CERT_X509,
529 BUILD_FROM_FILE, usercertfile,
530 BUILD_X509_FLAG, 0,
531 BUILD_END);
532 if (userCert == NULL)
533 {
534 goto end;
535 }
536 }
537
538 /* compute validity interval */
539 validity = (validity)? validity : DEFAULT_VALIDITY;
540 notBefore = (notBefore == UNDEFINED_TIME) ? time(NULL) : notBefore;
541 notAfter = (notAfter == UNDEFINED_TIME) ? time(NULL) + validity : notAfter;
542
543 /* build and parse attribute certificate */
544 if (userCert != NULL && signerCert != NULL && signerKey != NULL)
545 {
546 /* read the serial number and increment it by one */
547 serial = read_serial();
548
549 attr_cert = lib->creds->create(lib->creds,
550 CRED_CERTIFICATE, CERT_X509_AC,
551 BUILD_CERT, userCert,
552 BUILD_NOT_BEFORE_TIME, notBefore,
553 BUILD_NOT_AFTER_TIME, notAfter,
554 BUILD_SERIAL, serial,
555 BUILD_IETF_GROUP_ATTR, groups,
556 BUILD_SIGNING_CERT, signerCert,
557 BUILD_SIGNING_KEY, signerKey,
558 BUILD_END);
559 if (!attr_cert)
560 {
561 goto end;
562 }
563
564 /* write the attribute certificate to file */
565 attr_chunk = attr_cert->get_encoding(attr_cert);
566 if (chunk_write(attr_chunk, outfile, "attribute cert", 0022, TRUE))
567 {
568 write_serial(serial);
569 status = 0;
570 }
571 }
572 else
573 {
574 usage("some of the mandatory parameters --usercert --cert --key "
575 "are missing");
576 }
577
578 end:
579 /* delete all dynamically allocated objects */
580 DESTROY_IF(signerKey);
581 DESTROY_IF(signerCert);
582 DESTROY_IF(userCert);
583 DESTROY_IF(attr_cert);
584 free(attr_chunk.ptr);
585 free(serial.ptr);
586 closelog();
587 dbg = dbg_default;
588 options->destroy(options);
589 library_deinit();
590 exit(status);
591 }