49b376fe419c426b857fbd29f3e4284c60f14616
[strongswan.git] / src / openac / openac.c
1 /**
2 * @file openac.c
3 *
4 * @brief Generation of X.509 attribute certificates.
5 *
6 */
7
8 /*
9 * Copyright (C) 2002 Ueli Galizzi, Ariane Seiler
10 * Copyright (C) 2004,2007 Andreas Steffen
11 * Hochschule fuer Technik Rapperswil, Switzerland
12 *
13 * This program is free software; you can redistribute it and/or modify it
14 * under the terms of the GNU General Public License as published by the
15 * Free Software Foundation; either version 2 of the License, or (at your
16 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
17 *
18 * This program is distributed in the hope that it will be useful, but
19 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
20 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
21 * for more details.
22 */
23
24 #include <stdio.h>
25 #include <stdlib.h>
26 #include <string.h>
27 #include <syslog.h>
28 #include <unistd.h>
29 #include <getopt.h>
30 #include <ctype.h>
31 #include <time.h>
32 #include <gmp.h>
33
34 #include <library.h>
35 #include <debug.h>
36 #include <asn1/asn1.h>
37 #include <credentials/certificates/x509.h>
38 #include <credentials/certificates/ac.h>
39 #include <credentials/keys/private_key.h>
40 #include <utils/optionsfrom.h>
41
42 #define OPENAC_PATH IPSEC_CONFDIR "/openac"
43 #define OPENAC_SERIAL IPSEC_CONFDIR "/openac/serial"
44
45 #define DEFAULT_VALIDITY 24*3600 /* seconds */
46
47 /**
48 * @brief prints the usage of the program to the stderr
49 */
50 static void usage(const char *message)
51 {
52 if (message != NULL && *message != '\0')
53 {
54 fprintf(stderr, "%s\n", message);
55 }
56 fprintf(stderr, "Usage: openac"
57 " [--help]"
58 " [--version]"
59 " [--optionsfrom <filename>]"
60 " [--quiet]"
61 " \\\n\t"
62 " [--debug <level 0..4>]"
63 " \\\n\t"
64 " [--days <days>]"
65 " [--hours <hours>]"
66 " \\\n\t"
67 " [--startdate <YYYYMMDDHHMMSSZ>]"
68 " [--enddate <YYYYMMDDHHMMSSZ>]"
69 " \\\n\t"
70 " --cert <certfile>"
71 " --key <keyfile>"
72 " [--password <password>]"
73 " \\\n\t"
74 " --usercert <certfile>"
75 " --groups <attr1,attr2,..>"
76 " --out <filename>"
77 "\n"
78 );
79 }
80
81
82 /**
83 * convert a chunk into a multi-precision integer
84 */
85 static void chunk_to_mpz(chunk_t chunk, mpz_t number)
86 {
87 mpz_import(number, chunk.len, 1, 1, 1, 0, chunk.ptr);
88 }
89
90 /**
91 * convert a multi-precision integer into a chunk
92 */
93 static chunk_t mpz_to_chunk(mpz_t number)
94 {
95 chunk_t chunk;
96
97 chunk.len = 1 + mpz_sizeinbase(number, 2)/BITS_PER_BYTE;
98 chunk.ptr = mpz_export(NULL, NULL, 1, chunk.len, 1, 0, number);
99 if (chunk.ptr == NULL)
100 {
101 chunk.len = 0;
102 }
103 return chunk;
104 }
105
106 /**
107 * read the last serial number from file
108 */
109 static chunk_t read_serial(void)
110 {
111 mpz_t number;
112
113 char buf[BUF_LEN], buf1[BUF_LEN];
114 chunk_t hex_serial = { buf, BUF_LEN };
115 chunk_t last_serial = { buf1, BUF_LEN };
116 chunk_t serial;
117
118 FILE *fd = fopen(OPENAC_SERIAL, "r");
119
120 /* last serial number defaults to 0 */
121 *last_serial.ptr = 0x00;
122 last_serial.len = 1;
123
124 if (fd)
125 {
126 if (fscanf(fd, "%s", hex_serial.ptr))
127 {
128 hex_serial.len = strlen(hex_serial.ptr);
129 last_serial = chunk_from_hex(hex_serial, last_serial.ptr);
130 }
131 fclose(fd);
132 }
133 else
134 {
135 DBG1(" file '%s' does not exist yet - serial number set to 01", OPENAC_SERIAL);
136 }
137
138 /**
139 * conversion of read serial number to a multiprecision integer
140 * and incrementing it by one
141 * and representing it as a two's complement octet string
142 */
143 mpz_init(number);
144 chunk_to_mpz(last_serial, number);
145 mpz_add_ui(number, number, 0x01);
146 serial = mpz_to_chunk(number);
147 mpz_clear(number);
148
149 return serial;
150 }
151
152 /**
153 * write back the last serial number to file
154 */
155 static void write_serial(chunk_t serial)
156 {
157 FILE *fd = fopen(OPENAC_SERIAL, "w");
158
159 if (fd)
160 {
161 chunk_t hex_serial;
162
163 DBG1(" serial number is %#B", &serial);
164 hex_serial = chunk_to_hex(serial, NULL, FALSE);
165 fprintf(fd, "%.*s\n", hex_serial.len, hex_serial.ptr);
166 fclose(fd);
167 free(hex_serial.ptr);
168 }
169 else
170 {
171 DBG1(" could not open file '%s' for writing", OPENAC_SERIAL);
172 }
173 }
174
175 /**
176 * global variables accessible by both main() and build.c
177 */
178
179 static int debug_level = 1;
180 static bool stderr_quiet = FALSE;
181
182 /**
183 * openac dbg function
184 */
185 static void openac_dbg(int level, char *fmt, ...)
186 {
187 int priority = LOG_INFO;
188 char buffer[8192];
189 char *current = buffer, *next;
190 va_list args;
191
192 if (level <= debug_level)
193 {
194 if (!stderr_quiet)
195 {
196 va_start(args, fmt);
197 vfprintf(stderr, fmt, args);
198 fprintf(stderr, "\n");
199 va_end(args);
200 }
201
202 /* write in memory buffer first */
203 va_start(args, fmt);
204 vsnprintf(buffer, sizeof(buffer), fmt, args);
205 va_end(args);
206
207 /* do a syslog with every line */
208 while (current)
209 {
210 next = strchr(current, '\n');
211 if (next)
212 {
213 *(next++) = '\0';
214 }
215 syslog(priority, "%s\n", current);
216 current = next;
217 }
218 }
219 }
220
221 /**
222 * @brief openac main program
223 *
224 * @param argc number of arguments
225 * @param argv pointer to the argument values
226 */
227 int main(int argc, char **argv)
228 {
229 certificate_t *attr_cert = NULL;
230 certificate_t *userCert = NULL;
231 certificate_t *signerCert = NULL;
232 private_key_t *signerKey = NULL;
233
234 time_t notBefore = UNDEFINED_TIME;
235 time_t notAfter = UNDEFINED_TIME;
236 time_t validity = 0;
237
238 char *keyfile = NULL;
239 char *certfile = NULL;
240 char *usercertfile = NULL;
241 char *outfile = NULL;
242 char *groups = "";
243 char buf[BUF_LEN];
244
245 chunk_t passphrase = { buf, 0 };
246 chunk_t serial = chunk_empty;
247 chunk_t attr_chunk = chunk_empty;
248
249 int status = 1;
250
251 /* enable openac debugging hook */
252 dbg = openac_dbg;
253
254 passphrase.ptr[0] = '\0';
255
256 openlog("openac", 0, LOG_AUTHPRIV);
257
258 /* initialize library */
259 if (!library_init(STRONGSWAN_CONF))
260 {
261 library_deinit();
262 exit(SS_RC_LIBSTRONGSWAN_INTEGRITY);
263 }
264 if (lib->integrity &&
265 !lib->integrity->check_file(lib->integrity, "openac", argv[0]))
266 {
267 fprintf(stderr, "integrity check of openac failed\n");
268 library_deinit();
269 exit(SS_RC_DAEMON_INTEGRITY);
270 }
271 lib->plugins->load(lib->plugins, IPSEC_PLUGINDIR,
272 lib->settings->get_str(lib->settings, "openac.load", PLUGINS));
273
274 /* initialize optionsfrom */
275 options_t *options = options_create();
276
277 /* handle arguments */
278 for (;;)
279 {
280 static const struct option long_opts[] = {
281 /* name, has_arg, flag, val */
282 { "help", no_argument, NULL, 'h' },
283 { "version", no_argument, NULL, 'v' },
284 { "optionsfrom", required_argument, NULL, '+' },
285 { "quiet", no_argument, NULL, 'q' },
286 { "cert", required_argument, NULL, 'c' },
287 { "key", required_argument, NULL, 'k' },
288 { "password", required_argument, NULL, 'p' },
289 { "usercert", required_argument, NULL, 'u' },
290 { "groups", required_argument, NULL, 'g' },
291 { "days", required_argument, NULL, 'D' },
292 { "hours", required_argument, NULL, 'H' },
293 { "startdate", required_argument, NULL, 'S' },
294 { "enddate", required_argument, NULL, 'E' },
295 { "out", required_argument, NULL, 'o' },
296 { "debug", required_argument, NULL, 'd' },
297 { 0,0,0,0 }
298 };
299
300 int c = getopt_long(argc, argv, "hv+:qc:k:p;u:g:D:H:S:E:o:d:", long_opts, NULL);
301
302 /* Note: "breaking" from case terminates loop */
303 switch (c)
304 {
305 case EOF: /* end of flags */
306 break;
307
308 case 0: /* long option already handled */
309 continue;
310
311 case ':': /* diagnostic already printed by getopt_long */
312 case '?': /* diagnostic already printed by getopt_long */
313 case 'h': /* --help */
314 usage(NULL);
315 status = 1;
316 goto end;
317
318 case 'v': /* --version */
319 printf("openac (strongSwan %s)\n", VERSION);
320 status = 0;
321 goto end;
322
323 case '+': /* --optionsfrom <filename> */
324 {
325 char path[BUF_LEN];
326
327 if (*optarg == '/') /* absolute pathname */
328 {
329 strncpy(path, optarg, BUF_LEN);
330 }
331 else /* relative pathname */
332 {
333 snprintf(path, BUF_LEN, "%s/%s", OPENAC_PATH, optarg);
334 }
335 if (!options->from(options, path, &argc, &argv, optind))
336 {
337 status = 1;
338 goto end;
339 }
340 }
341 continue;
342
343 case 'q': /* --quiet */
344 stderr_quiet = TRUE;
345 continue;
346
347 case 'c': /* --cert */
348 certfile = optarg;
349 continue;
350
351 case 'k': /* --key */
352 keyfile = optarg;
353 continue;
354
355 case 'p': /* --key */
356 if (strlen(optarg) > BUF_LEN)
357 {
358 usage("passphrase too long");
359 goto end;
360 }
361 strncpy(passphrase.ptr, optarg, BUF_LEN);
362 passphrase.len = min(strlen(optarg), BUF_LEN);
363 continue;
364
365 case 'u': /* --usercert */
366 usercertfile = optarg;
367 continue;
368
369 case 'g': /* --groups */
370 groups = optarg;
371 continue;
372
373 case 'D': /* --days */
374 if (optarg == NULL || !isdigit(optarg[0]))
375 {
376 usage("missing number of days");
377 goto end;
378 }
379 else
380 {
381 char *endptr;
382 long days = strtol(optarg, &endptr, 0);
383
384 if (*endptr != '\0' || endptr == optarg || days <= 0)
385 {
386 usage("<days> must be a positive number");
387 goto end;
388 }
389 validity += 24*3600*days;
390 }
391 continue;
392
393 case 'H': /* --hours */
394 if (optarg == NULL || !isdigit(optarg[0]))
395 {
396 usage("missing number of hours");
397 goto end;
398 }
399 else
400 {
401 char *endptr;
402 long hours = strtol(optarg, &endptr, 0);
403
404 if (*endptr != '\0' || endptr == optarg || hours <= 0)
405 {
406 usage("<hours> must be a positive number");
407 goto end;
408 }
409 validity += 3600*hours;
410 }
411 continue;
412
413 case 'S': /* --startdate */
414 if (optarg == NULL || strlen(optarg) != 15 || optarg[14] != 'Z')
415 {
416 usage("date format must be YYYYMMDDHHMMSSZ");
417 goto end;
418 }
419 else
420 {
421 chunk_t date = { optarg, 15 };
422
423 notBefore = asn1_to_time(&date, ASN1_GENERALIZEDTIME);
424 }
425 continue;
426
427 case 'E': /* --enddate */
428 if (optarg == NULL || strlen(optarg) != 15 || optarg[14] != 'Z')
429 {
430 usage("date format must be YYYYMMDDHHMMSSZ");
431 goto end;
432 }
433 else
434 {
435 chunk_t date = { optarg, 15 };
436 notAfter = asn1_to_time(&date, ASN1_GENERALIZEDTIME);
437 }
438 continue;
439
440 case 'o': /* --out */
441 outfile = optarg;
442 continue;
443
444 case 'd': /* --debug */
445 debug_level = atoi(optarg);
446 continue;
447
448 default:
449 usage("");
450 status = 0;
451 goto end;
452 }
453 /* break from loop */
454 break;
455 }
456
457 if (optind != argc)
458 {
459 usage("unexpected argument");
460 goto end;
461 }
462
463 DBG1("starting openac (strongSwan Version %s)", VERSION);
464
465 /* load the signer's RSA private key */
466 if (keyfile != NULL)
467 {
468 signerKey = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
469 BUILD_FROM_FILE, keyfile,
470 BUILD_PASSPHRASE, passphrase,
471 BUILD_END);
472 if (signerKey == NULL)
473 {
474 goto end;
475 }
476 DBG1(" loaded private key file '%s'", keyfile);
477 }
478
479 /* load the signer's X.509 certificate */
480 if (certfile != NULL)
481 {
482 signerCert = lib->creds->create(lib->creds,
483 CRED_CERTIFICATE, CERT_X509,
484 BUILD_FROM_FILE, certfile,
485 BUILD_X509_FLAG, 0,
486 BUILD_END);
487 if (signerCert == NULL)
488 {
489 goto end;
490 }
491 }
492
493 /* load the users's X.509 certificate */
494 if (usercertfile != NULL)
495 {
496 userCert = lib->creds->create(lib->creds,
497 CRED_CERTIFICATE, CERT_X509,
498 BUILD_FROM_FILE, usercertfile,
499 BUILD_X509_FLAG, 0,
500 BUILD_END);
501 if (userCert == NULL)
502 {
503 goto end;
504 }
505 }
506
507 /* compute validity interval */
508 validity = (validity)? validity : DEFAULT_VALIDITY;
509 notBefore = (notBefore == UNDEFINED_TIME) ? time(NULL) : notBefore;
510 notAfter = (notAfter == UNDEFINED_TIME) ? time(NULL) + validity : notAfter;
511
512 /* build and parse attribute certificate */
513 if (userCert != NULL && signerCert != NULL && signerKey != NULL)
514 {
515 /* read the serial number and increment it by one */
516 serial = read_serial();
517
518 attr_cert = lib->creds->create(lib->creds,
519 CRED_CERTIFICATE, CERT_X509_AC,
520 BUILD_CERT, userCert,
521 BUILD_NOT_BEFORE_TIME, notBefore,
522 BUILD_NOT_AFTER_TIME, notAfter,
523 BUILD_SERIAL, serial,
524 BUILD_IETF_GROUP_ATTR, groups,
525 BUILD_SIGNING_CERT, signerCert,
526 BUILD_SIGNING_KEY, signerKey,
527 BUILD_END);
528 if (!attr_cert)
529 {
530 goto end;
531 }
532
533 /* write the attribute certificate to file */
534 attr_chunk = attr_cert->get_encoding(attr_cert);
535 if (chunk_write(attr_chunk, outfile, "attribute cert", 0022, TRUE))
536 {
537 write_serial(serial);
538 status = 0;
539 }
540 }
541 else
542 {
543 usage("some of the mandatory parameters --usercert --cert --key "
544 "are missing");
545 }
546
547 end:
548 /* delete all dynamically allocated objects */
549 DESTROY_IF(signerKey);
550 DESTROY_IF(signerCert);
551 DESTROY_IF(userCert);
552 DESTROY_IF(attr_cert);
553 free(attr_chunk.ptr);
554 free(serial.ptr);
555 closelog();
556 dbg = dbg_default;
557 options->destroy(options);
558 library_deinit();
559 exit(status);
560 }