projects / strongswan.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
added all required includes
[strongswan.git] / src / openac / openac.c
1 /* Generation of X.509 attribute certificates
2 * Copyright (C) 2002 Ueli Galizzi, Ariane Seiler
3 * Copyright (C) 2004 Andreas Steffen
4 * Zuercher Hochschule Winterthur, Switzerland
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details.
15 *
16 * RCSID $Id: openac.c,v 1.18 2006/01/04 21:12:33 as Exp $
17 */
18
19 #include <stdio.h>
20 #include <stdlib.h>
21 #include <string.h>
22 #include <unistd.h>
23 #include <getopt.h>
24 #include <ctype.h>
25 #include <time.h>
26 #include <gmp.h>
27
28 #include <debug.h>
29 #include <asn1/asn1.h>
30 #include <asn1/ttodata.h>
31 #include <crypto/ac.h>
32 #include <crypto/ietf_attr_list.h>
33 #include <utils/optionsfrom.h>
34
35 #include "build.h"
36
37 #define OPENAC_PATH IPSEC_CONFDIR "/openac"
38 #define OPENAC_SERIAL IPSEC_CONFDIR "/openac/serial"
39
40 const char openac_version[] = "openac 0.4";
41
42 static void usage(const char *mess)
43 {
44 if (mess != NULL && *mess != '\0')
45 {
46 fprintf(stderr, "%s\n", mess);
47 }
48 fprintf(stderr, "Usage: openac"
49 " [--help]"
50 " [--version]"
51 " [--optionsfrom <filename>]"
52 " [--quiet]"
53 #ifdef DEBUG
54 " \\\n\t"
55 " [--debug-all]"
56 " [--debug-parsing]"
57 " [--debug-raw]"
58 " [--debug-private]"
59 #endif
60 " \\\n\t"
61 " [--days <days>]"
62 " [--hours <hours>]"
63 " \\\n\t"
64 " [--startdate <YYYYMMDDHHMMSSZ>]"
65 " [--enddate <YYYYMMDDHHMMSSZ>]"
66 " \\\n\t"
67 " --cert <certfile>"
68 " --key <keyfile>"
69 " [--password <password>]"
70 " \\\n\t"
71 " --usercert <certfile>"
72 " --groups <attr1,attr2,..>"
73 " --out <filename>"
74 "\n"
75 );
76 exit(mess == NULL? 0 : 1);
77 }
78
79 /**
80 * convert a chunk into a multi-precision integer
81 */
82 static void chunk_to_mpz(chunk_t chunk, mpz_t number)
83 {
84 mpz_import(number, chunk.len, 1, 1, 1, 0, chunk.ptr);
85 }
86
87 /**
88 * convert a multi-precision integer into a chunk
89 */
90 static chunk_t mpz_to_chunk(mpz_t number)
91 {
92 chunk_t chunk;
93
94 chunk.len = 1 + mpz_sizeinbase(number, 2)/BITS_PER_BYTE;
95 chunk.ptr = mpz_export(NULL, NULL, 1, chunk.len, 1, 0, number);
96 return chunk;
97 }
98
99 /**
100 * read the last serial number from file
101 */
102 static chunk_t read_serial(void)
103 {
104 mpz_t number;
105
106 char buf[BUF_LEN], buf1[BUF_LEN];
107 chunk_t last_serial = { buf1, BUF_LEN};
108 chunk_t serial;
109
110 FILE *fd = fopen(OPENAC_SERIAL, "r");
111
112 /* last serial number defaults to 0 */
113 *last_serial.ptr = 0x00;
114 last_serial.len = 1;
115
116 if (fd)
117 {
118 if (fscanf(fd, "%s", buf))
119 {
120 err_t ugh = ttodata(buf, 0, 16, last_serial.ptr, BUF_LEN, &last_serial.len);
121
122 if (ugh != NULL)
123 {
124 DBG1(" error reading serial number from %s: %s",
125 OPENAC_SERIAL, ugh);
126 }
127 }
128 fclose(fd);
129 }
130 else
131 {
132 DBG1(" file '%s' does not exist yet - serial number set to 01", OPENAC_SERIAL);
133 }
134
135 /**
136 * conversion of read serial number to a multiprecision integer
137 * and incrementing it by one
138 * and representing it as a two's complement octet string
139 */
140 printf("last_serial: '%#B'\n", &last_serial);
141 mpz_init(number);
142 chunk_to_mpz(last_serial, number);
143 mpz_add_ui(number, number, 0x01);
144 serial = mpz_to_chunk(number);
145 printf("serial: '%#B'\n", &serial);
146 mpz_clear(number);
147
148 return serial;
149 }
150
151 /**
152 * write back the last serial number to file
153 */
154 static void write_serial(chunk_t serial)
155 {
156 FILE *fd = fopen(OPENAC_SERIAL, "w");
157
158 if (fd)
159 {
160 DBG1(" serial number is %#B", &serial);
161 fprintf(fd, "%#B\n", &serial);
162 fclose(fd);
163 }
164 else
165 {
166 DBG1(" could not open file '%s' for writing", OPENAC_SERIAL);
167 }
168 }
169
170 /**
171 * global variables accessible by both main() and build.c
172 */
173 x509_t *usercert = NULL;
174 x509_t *signercert = NULL;
175
176 linked_list_t *groups = NULL;
177 rsa_private_key_t *signerkey = NULL;
178
179 time_t notBefore = UNDEFINED_TIME;
180 time_t notAfter = UNDEFINED_TIME;
181
182 chunk_t serial;
183
184 int main(int argc, char **argv)
185 {
186 char *keyfile = NULL;
187 char *certfile = NULL;
188 char *usercertfile = NULL;
189 char *outfile = NULL;
190 char buf[BUF_LEN];
191
192 chunk_t passphrase = { buf, 0 };
193 chunk_t attr_cert = chunk_empty;
194 x509ac_t *ac = NULL;
195
196 const time_t default_validity = 24*3600; /* 24 hours */
197 time_t validity = 0;
198
199 passphrase.ptr[0] = '\0';
200
201 groups = linked_list_create();
202
203 /* handle arguments */
204 for (;;)
205 {
206 # define DBG_OFFSET 256
207 static const struct option long_opts[] = {
208 /* name, has_arg, flag, val */
209 { "help", no_argument, NULL, 'h' },
210 { "version", no_argument, NULL, 'v' },
211 { "optionsfrom", required_argument, NULL, '+' },
212 { "quiet", no_argument, NULL, 'q' },
213 { "cert", required_argument, NULL, 'c' },
214 { "key", required_argument, NULL, 'k' },
215 { "password", required_argument, NULL, 'p' },
216 { "usercert", required_argument, NULL, 'u' },
217 { "groups", required_argument, NULL, 'g' },
218 { "days", required_argument, NULL, 'D' },
219 { "hours", required_argument, NULL, 'H' },
220 { "startdate", required_argument, NULL, 'S' },
221 { "enddate", required_argument, NULL, 'E' },
222 { "out", required_argument, NULL, 'o' },
223 #ifdef DEBUG
224 { "debug-all", no_argument, NULL, 'A' },
225 { "debug-raw", no_argument, NULL, DBG_RAW + DBG_OFFSET },
226 { "debug-parsing", no_argument, NULL, DBG_PARSING + DBG_OFFSET },
227 { "debug-private", no_argument, NULL, DBG_PRIVATE + DBG_OFFSET },
228 #endif
229 { 0,0,0,0 }
230 };
231
232 int c = getopt_long(argc, argv, "hv+:qc:k:p;u:g:D:H:S:E:o:", long_opts, NULL);
233
234 /* Note: "breaking" from case terminates loop */
235 switch (c)
236 {
237 case EOF: /* end of flags */
238 break;
239
240 case 0: /* long option already handled */
241 continue;
242
243 case ':': /* diagnostic already printed by getopt_long */
244 case '?': /* diagnostic already printed by getopt_long */
245 usage(NULL);
246 break; /* not actually reached */
247
248 case 'h': /* --help */
249 usage(NULL);
250 break; /* not actually reached */
251
252 case 'v': /* --version */
253 printf("%s\n", openac_version);
254 exit(0);
255 break; /* not actually reached */
256
257 case '+': /* --optionsfrom <filename> */
258 {
259 char path[BUF_LEN];
260
261 if (*optarg == '/') /* absolute pathname */
262 {
263 strncpy(path, optarg, BUF_LEN);
264 }
265 else /* relative pathname */
266 {
267 snprintf(path, BUF_LEN, "%s/%s", OPENAC_PATH, optarg);
268 }
269 optionsfrom(path, &argc, &argv, optind, stderr);
270 /* does not return on error */
271 }
272 continue;
273
274 case 'q': /* --quiet */
275 /* TODO log to syslog only */
276 continue;
277
278 case 'c': /* --cert */
279 certfile = optarg;
280 continue;
281
282 case 'k': /* --key */
283 keyfile = optarg;
284 continue;
285
286 case 'p': /* --key */
287 if (strlen(optarg) > BUF_LEN)
288 {
289 usage("passphrase too long");
290 }
291 strncpy(passphrase.ptr, optarg, BUF_LEN);
292 passphrase.len = min(strlen(optarg), BUF_LEN);
293 continue;
294
295 case 'u': /* --usercert */
296 usercertfile = optarg;
297 continue;
298
299 case 'g': /* --groups */
300 ietfAttr_list_create_from_string(optarg, groups);
301 continue;
302
303 case 'D': /* --days */
304 if (optarg == NULL || !isdigit(optarg[0]))
305 {
306 usage("missing number of days");
307 }
308 else
309 {
310 char *endptr;
311 long days = strtol(optarg, &endptr, 0);
312
313 if (*endptr != '\0' || endptr == optarg || days <= 0)
314 {
315 usage("<days> must be a positive number");
316 }
317 validity += 24*3600*days;
318 }
319 continue;
320
321 case 'H': /* --hours */
322 if (optarg == NULL || !isdigit(optarg[0]))
323 {
324 usage("missing number of hours");
325 }
326 else
327 {
328 char *endptr;
329 long hours = strtol(optarg, &endptr, 0);
330
331 if (*endptr != '\0' || endptr == optarg || hours <= 0)
332 {
333 usage("<hours> must be a positive number");
334 }
335 validity += 3600*hours;
336 }
337 continue;
338
339 case 'S': /* --startdate */
340 if (optarg == NULL || strlen(optarg) != 15 || optarg[14] != 'Z')
341 {
342 usage("date format must be YYYYMMDDHHMMSSZ");
343 }
344 else
345 {
346 chunk_t date = { optarg, 15 };
347
348 notBefore = asn1totime(&date, ASN1_GENERALIZEDTIME);
349 }
350 continue;
351
352 case 'E': /* --enddate */
353 if (optarg == NULL || strlen(optarg) != 15 || optarg[14] != 'Z')
354 {
355 usage("date format must be YYYYMMDDHHMMSSZ");
356 }
357 else
358 {
359 chunk_t date = { optarg, 15 };
360 notAfter = asn1totime(&date, ASN1_GENERALIZEDTIME);
361 }
362 continue;
363
364 case 'o': /* --outt */
365 outfile = optarg;
366 continue;
367
368 #ifdef DEBUG
369 case 'A': /* --debug-all */
370 base_debugging = DBG_ALL;
371 continue;
372 #endif
373 default:
374 usage("");
375 }
376 break;
377 }
378
379 if (optind != argc)
380 {
381 usage("unexpected argument");
382 }
383
384 /* load the signer's RSA private key */
385 if (keyfile != NULL)
386 {
387 signerkey = rsa_private_key_create_from_file(keyfile, &passphrase);
388
389 if (signerkey == NULL)
390 {
391 exit(1);
392 }
393 }
394
395 /* load the signer's X.509 certificate */
396 if (certfile != NULL)
397 {
398 signercert = x509_create_from_file(certfile, "signer cert");
399
400 if (signercert == NULL)
401 {
402 exit(1);
403 }
404 }
405
406 /* load the users's X.509 certificate */
407 if (usercertfile != NULL)
408 {
409 usercert = x509_create_from_file(usercertfile, "signer cert");
410 if (usercert == NULL)
411 {
412 exit(1);
413 }
414 }
415
416 /* compute validity interval */
417 validity = (validity)? validity : default_validity;
418 notBefore = (notBefore) ? notBefore : time(NULL);
419 notAfter = (notAfter) ? notAfter : notBefore + validity;
420
421 /* build and parse attribute certificate */
422 if (usercert != NULL && signercert != NULL && signerkey != NULL)
423 {
424 /* read the serial number and increment it by one */
425 serial = read_serial();
426
427 attr_cert = build_attr_cert();
428 ac = x509ac_create_from_chunk(attr_cert);
429
430 /* write the attribute certificate to file */
431 if (chunk_write(attr_cert, outfile, "attribute cert", 0022, TRUE))
432 {
433 write_serial(serial);
434 }
435 }
436
437 /* delete all dynamically allocated objects */
438 DESTROY_IF(signerkey);
439 DESTROY_IF(signercert);
440 DESTROY_IF(usercert);
441 DESTROY_IF(ac);
442 ietfAttr_list_destroy(groups);
443 free(serial.ptr);
444
445 exit(0);
446 }
strongSwan - IPsec VPN