use of attr and resolv-conf plugins in config-payload scenario
[strongswan.git] / src / openac / openac.c
1 /**
2 * @file openac.c
3 *
4 * @brief Generation of X.509 attribute certificates.
5 *
6 */
7
8 /*
9 * Copyright (C) 2002 Ueli Galizzi, Ariane Seiler
10 * Copyright (C) 2004,2007 Andreas Steffen
11 * Hochschule fuer Technik Rapperswil, Switzerland
12 *
13 * This program is free software; you can redistribute it and/or modify it
14 * under the terms of the GNU General Public License as published by the
15 * Free Software Foundation; either version 2 of the License, or (at your
16 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
17 *
18 * This program is distributed in the hope that it will be useful, but
19 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
20 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
21 * for more details.
22 */
23
24 #include <stdio.h>
25 #include <stdlib.h>
26 #include <string.h>
27 #include <syslog.h>
28 #include <unistd.h>
29 #include <getopt.h>
30 #include <ctype.h>
31 #include <time.h>
32 #include <gmp.h>
33
34 #include <library.h>
35 #include <debug.h>
36 #include <asn1/asn1.h>
37 #include <asn1/pem.h>
38 #include <credentials/certificates/x509.h>
39 #include <credentials/certificates/ac.h>
40 #include <utils/optionsfrom.h>
41
42 #ifdef INTEGRITY_TEST
43 #include <fips/fips.h>
44 #include <fips_signature.h>
45 #endif /* INTEGRITY_TEST */
46
47 #define OPENAC_PATH IPSEC_CONFDIR "/openac"
48 #define OPENAC_SERIAL IPSEC_CONFDIR "/openac/serial"
49
50 #define DEFAULT_VALIDITY 24*3600 /* seconds */
51
52 /**
53 * @brief prints the usage of the program to the stderr
54 */
55 static void usage(const char *message)
56 {
57 if (message != NULL && *message != '\0')
58 {
59 fprintf(stderr, "%s\n", message);
60 }
61 fprintf(stderr, "Usage: openac"
62 " [--help]"
63 " [--version]"
64 " [--optionsfrom <filename>]"
65 " [--quiet]"
66 " \\\n\t"
67 " [--debug <level 0..4>]"
68 " \\\n\t"
69 " [--days <days>]"
70 " [--hours <hours>]"
71 " \\\n\t"
72 " [--startdate <YYYYMMDDHHMMSSZ>]"
73 " [--enddate <YYYYMMDDHHMMSSZ>]"
74 " \\\n\t"
75 " --cert <certfile>"
76 " --key <keyfile>"
77 " [--password <password>]"
78 " \\\n\t"
79 " --usercert <certfile>"
80 " --groups <attr1,attr2,..>"
81 " --out <filename>"
82 "\n"
83 );
84 }
85
86
87 /**
88 * convert a chunk into a multi-precision integer
89 */
90 static void chunk_to_mpz(chunk_t chunk, mpz_t number)
91 {
92 mpz_import(number, chunk.len, 1, 1, 1, 0, chunk.ptr);
93 }
94
95 /**
96 * convert a multi-precision integer into a chunk
97 */
98 static chunk_t mpz_to_chunk(mpz_t number)
99 {
100 chunk_t chunk;
101
102 chunk.len = 1 + mpz_sizeinbase(number, 2)/BITS_PER_BYTE;
103 chunk.ptr = mpz_export(NULL, NULL, 1, chunk.len, 1, 0, number);
104 if (chunk.ptr == NULL)
105 {
106 chunk.len = 0;
107 }
108 return chunk;
109 }
110
111 /**
112 * read the last serial number from file
113 */
114 static chunk_t read_serial(void)
115 {
116 mpz_t number;
117
118 char buf[BUF_LEN], buf1[BUF_LEN];
119 chunk_t hex_serial = { buf, BUF_LEN };
120 chunk_t last_serial = { buf1, BUF_LEN };
121 chunk_t serial;
122
123 FILE *fd = fopen(OPENAC_SERIAL, "r");
124
125 /* last serial number defaults to 0 */
126 *last_serial.ptr = 0x00;
127 last_serial.len = 1;
128
129 if (fd)
130 {
131 if (fscanf(fd, "%s", hex_serial.ptr))
132 {
133 hex_serial.len = strlen(hex_serial.ptr);
134 last_serial = chunk_from_hex(hex_serial, last_serial.ptr);
135 }
136 fclose(fd);
137 }
138 else
139 {
140 DBG1(" file '%s' does not exist yet - serial number set to 01", OPENAC_SERIAL);
141 }
142
143 /**
144 * conversion of read serial number to a multiprecision integer
145 * and incrementing it by one
146 * and representing it as a two's complement octet string
147 */
148 mpz_init(number);
149 chunk_to_mpz(last_serial, number);
150 mpz_add_ui(number, number, 0x01);
151 serial = mpz_to_chunk(number);
152 mpz_clear(number);
153
154 return serial;
155 }
156
157 /**
158 * write back the last serial number to file
159 */
160 static void write_serial(chunk_t serial)
161 {
162 FILE *fd = fopen(OPENAC_SERIAL, "w");
163
164 if (fd)
165 {
166 chunk_t hex_serial;
167
168 DBG1(" serial number is %#B", &serial);
169 hex_serial = chunk_to_hex(serial, NULL, FALSE);
170 fprintf(fd, "%.*s\n", hex_serial.len, hex_serial.ptr);
171 fclose(fd);
172 free(hex_serial.ptr);
173 }
174 else
175 {
176 DBG1(" could not open file '%s' for writing", OPENAC_SERIAL);
177 }
178 }
179
180 /**
181 * Load and parse a private key file
182 */
183 static private_key_t* private_key_create_from_file(char *path, chunk_t *secret)
184 {
185 bool pgp = FALSE;
186 chunk_t chunk = chunk_empty;
187 private_key_t *key = NULL;
188
189 if (!pem_asn1_load_file(path, secret, &chunk, &pgp))
190 {
191 DBG1(" could not load private key file '%s'", path);
192 return NULL;
193 }
194 key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
195 BUILD_BLOB_ASN1_DER, chunk, BUILD_END);
196 free(chunk.ptr);
197 if (key == NULL)
198 {
199 DBG1(" could not parse loaded private key file '%s'", path);
200 return NULL;
201 }
202 DBG1(" loaded private key file '%s'", path);
203 return key;
204 }
205
206 /**
207 * global variables accessible by both main() and build.c
208 */
209
210 static int debug_level = 1;
211 static bool stderr_quiet = FALSE;
212
213 /**
214 * openac dbg function
215 */
216 static void openac_dbg(int level, char *fmt, ...)
217 {
218 int priority = LOG_INFO;
219 char buffer[8192];
220 char *current = buffer, *next;
221 va_list args;
222
223 if (level <= debug_level)
224 {
225 va_start(args, fmt);
226
227 if (!stderr_quiet)
228 {
229 vfprintf(stderr, fmt, args);
230 fprintf(stderr, "\n");
231 }
232
233 /* write in memory buffer first */
234 vsnprintf(buffer, sizeof(buffer), fmt, args);
235 va_end(args);
236
237 /* do a syslog with every line */
238 while (current)
239 {
240 next = strchr(current, '\n');
241 if (next)
242 {
243 *(next++) = '\0';
244 }
245 syslog(priority, "%s\n", current);
246 current = next;
247 }
248 }
249 }
250
251 /**
252 * @brief openac main program
253 *
254 * @param argc number of arguments
255 * @param argv pointer to the argument values
256 */
257 int main(int argc, char **argv)
258 {
259 certificate_t *attr_cert = NULL;
260 certificate_t *userCert = NULL;
261 certificate_t *signerCert = NULL;
262 private_key_t *signerKey = NULL;
263
264 time_t notBefore = UNDEFINED_TIME;
265 time_t notAfter = UNDEFINED_TIME;
266 time_t validity = 0;
267
268 char *keyfile = NULL;
269 char *certfile = NULL;
270 char *usercertfile = NULL;
271 char *outfile = NULL;
272 char *groups = "";
273 char buf[BUF_LEN];
274
275 chunk_t passphrase = { buf, 0 };
276 chunk_t serial = chunk_empty;
277 chunk_t attr_chunk = chunk_empty;
278
279 int status = 1;
280
281 /* enable openac debugging hook */
282 dbg = openac_dbg;
283
284 passphrase.ptr[0] = '\0';
285
286 openlog("openac", 0, LOG_AUTHPRIV);
287
288 /* initialize library */
289 library_init(STRONGSWAN_CONF);
290 lib->plugins->load(lib->plugins, IPSEC_PLUGINDIR,
291 lib->settings->get_str(lib->settings, "openac.load", PLUGINS));
292
293 /* initialize optionsfrom */
294 options_t *options = options_create();
295
296 /* handle arguments */
297 for (;;)
298 {
299 static const struct option long_opts[] = {
300 /* name, has_arg, flag, val */
301 { "help", no_argument, NULL, 'h' },
302 { "version", no_argument, NULL, 'v' },
303 { "optionsfrom", required_argument, NULL, '+' },
304 { "quiet", no_argument, NULL, 'q' },
305 { "cert", required_argument, NULL, 'c' },
306 { "key", required_argument, NULL, 'k' },
307 { "password", required_argument, NULL, 'p' },
308 { "usercert", required_argument, NULL, 'u' },
309 { "groups", required_argument, NULL, 'g' },
310 { "days", required_argument, NULL, 'D' },
311 { "hours", required_argument, NULL, 'H' },
312 { "startdate", required_argument, NULL, 'S' },
313 { "enddate", required_argument, NULL, 'E' },
314 { "out", required_argument, NULL, 'o' },
315 { "debug", required_argument, NULL, 'd' },
316 { 0,0,0,0 }
317 };
318
319 int c = getopt_long(argc, argv, "hv+:qc:k:p;u:g:D:H:S:E:o:d:", long_opts, NULL);
320
321 /* Note: "breaking" from case terminates loop */
322 switch (c)
323 {
324 case EOF: /* end of flags */
325 break;
326
327 case 0: /* long option already handled */
328 continue;
329
330 case ':': /* diagnostic already printed by getopt_long */
331 case '?': /* diagnostic already printed by getopt_long */
332 case 'h': /* --help */
333 usage(NULL);
334 status = 1;
335 goto end;
336
337 case 'v': /* --version */
338 printf("openac (strongSwan %s)\n", VERSION);
339 status = 0;
340 goto end;
341
342 case '+': /* --optionsfrom <filename> */
343 {
344 char path[BUF_LEN];
345
346 if (*optarg == '/') /* absolute pathname */
347 {
348 strncpy(path, optarg, BUF_LEN);
349 }
350 else /* relative pathname */
351 {
352 snprintf(path, BUF_LEN, "%s/%s", OPENAC_PATH, optarg);
353 }
354 if (!options->from(options, path, &argc, &argv, optind))
355 {
356 status = 1;
357 goto end;
358 }
359 }
360 continue;
361
362 case 'q': /* --quiet */
363 stderr_quiet = TRUE;
364 continue;
365
366 case 'c': /* --cert */
367 certfile = optarg;
368 continue;
369
370 case 'k': /* --key */
371 keyfile = optarg;
372 continue;
373
374 case 'p': /* --key */
375 if (strlen(optarg) > BUF_LEN)
376 {
377 usage("passphrase too long");
378 goto end;
379 }
380 strncpy(passphrase.ptr, optarg, BUF_LEN);
381 passphrase.len = min(strlen(optarg), BUF_LEN);
382 continue;
383
384 case 'u': /* --usercert */
385 usercertfile = optarg;
386 continue;
387
388 case 'g': /* --groups */
389 groups = optarg;
390 continue;
391
392 case 'D': /* --days */
393 if (optarg == NULL || !isdigit(optarg[0]))
394 {
395 usage("missing number of days");
396 goto end;
397 }
398 else
399 {
400 char *endptr;
401 long days = strtol(optarg, &endptr, 0);
402
403 if (*endptr != '\0' || endptr == optarg || days <= 0)
404 {
405 usage("<days> must be a positive number");
406 goto end;
407 }
408 validity += 24*3600*days;
409 }
410 continue;
411
412 case 'H': /* --hours */
413 if (optarg == NULL || !isdigit(optarg[0]))
414 {
415 usage("missing number of hours");
416 goto end;
417 }
418 else
419 {
420 char *endptr;
421 long hours = strtol(optarg, &endptr, 0);
422
423 if (*endptr != '\0' || endptr == optarg || hours <= 0)
424 {
425 usage("<hours> must be a positive number");
426 goto end;
427 }
428 validity += 3600*hours;
429 }
430 continue;
431
432 case 'S': /* --startdate */
433 if (optarg == NULL || strlen(optarg) != 15 || optarg[14] != 'Z')
434 {
435 usage("date format must be YYYYMMDDHHMMSSZ");
436 goto end;
437 }
438 else
439 {
440 chunk_t date = { optarg, 15 };
441
442 notBefore = asn1_to_time(&date, ASN1_GENERALIZEDTIME);
443 }
444 continue;
445
446 case 'E': /* --enddate */
447 if (optarg == NULL || strlen(optarg) != 15 || optarg[14] != 'Z')
448 {
449 usage("date format must be YYYYMMDDHHMMSSZ");
450 goto end;
451 }
452 else
453 {
454 chunk_t date = { optarg, 15 };
455 notAfter = asn1_to_time(&date, ASN1_GENERALIZEDTIME);
456 }
457 continue;
458
459 case 'o': /* --out */
460 outfile = optarg;
461 continue;
462
463 case 'd': /* --debug */
464 debug_level = atoi(optarg);
465 continue;
466
467 default:
468 usage("");
469 status = 0;
470 goto end;
471 }
472 /* break from loop */
473 break;
474 }
475
476 if (optind != argc)
477 {
478 usage("unexpected argument");
479 goto end;
480 }
481
482 DBG1("starting openac (strongSwan Version %s)", VERSION);
483
484 #ifdef INTEGRITY_TEST
485 DBG1("integrity test of libstrongswan code");
486 if (fips_verify_hmac_signature(hmac_key, hmac_signature))
487 {
488 DBG1(" integrity test passed");
489 }
490 else
491 {
492 DBG1(" integrity test failed");
493 status = 3;
494 goto end;
495 }
496 #endif /* INTEGRITY_TEST */
497
498 /* load the signer's RSA private key */
499 if (keyfile != NULL)
500 {
501 signerKey = private_key_create_from_file(keyfile, &passphrase);
502
503 if (signerKey == NULL)
504 {
505 goto end;
506 }
507 }
508
509 /* load the signer's X.509 certificate */
510 if (certfile != NULL)
511 {
512 signerCert = lib->creds->create(lib->creds,
513 CRED_CERTIFICATE, CERT_X509,
514 BUILD_FROM_FILE, certfile,
515 BUILD_X509_FLAG, 0,
516 BUILD_END);
517 if (signerCert == NULL)
518 {
519 goto end;
520 }
521 }
522
523 /* load the users's X.509 certificate */
524 if (usercertfile != NULL)
525 {
526 userCert = lib->creds->create(lib->creds,
527 CRED_CERTIFICATE, CERT_X509,
528 BUILD_FROM_FILE, usercertfile,
529 BUILD_X509_FLAG, 0,
530 BUILD_END);
531 if (userCert == NULL)
532 {
533 goto end;
534 }
535 }
536
537 /* compute validity interval */
538 validity = (validity)? validity : DEFAULT_VALIDITY;
539 notBefore = (notBefore == UNDEFINED_TIME) ? time(NULL) : notBefore;
540 notAfter = (notAfter == UNDEFINED_TIME) ? time(NULL) + validity : notAfter;
541
542 /* build and parse attribute certificate */
543 if (userCert != NULL && signerCert != NULL && signerKey != NULL)
544 {
545 /* read the serial number and increment it by one */
546 serial = read_serial();
547
548 attr_cert = lib->creds->create(lib->creds,
549 CRED_CERTIFICATE, CERT_X509_AC,
550 BUILD_CERT, userCert,
551 BUILD_NOT_BEFORE_TIME, notBefore,
552 BUILD_NOT_AFTER_TIME, notAfter,
553 BUILD_SERIAL, serial,
554 BUILD_IETF_GROUP_ATTR, groups,
555 BUILD_SIGNING_CERT, signerCert,
556 BUILD_SIGNING_KEY, signerKey,
557 BUILD_END);
558 if (!attr_cert)
559 {
560 goto end;
561 }
562
563 /* write the attribute certificate to file */
564 attr_chunk = attr_cert->get_encoding(attr_cert);
565 if (chunk_write(attr_chunk, outfile, "attribute cert", 0022, TRUE))
566 {
567 write_serial(serial);
568 status = 0;
569 }
570 }
571 else
572 {
573 usage("some of the mandatory parameters --usercert --cert --key "
574 "are missing");
575 }
576
577 end:
578 /* delete all dynamically allocated objects */
579 DESTROY_IF(signerKey);
580 DESTROY_IF(signerCert);
581 DESTROY_IF(userCert);
582 DESTROY_IF(attr_cert);
583 free(attr_chunk.ptr);
584 free(serial.ptr);
585 closelog();
586 dbg = dbg_default;
587 options->destroy(options);
588 library_deinit();
589 exit(status);
590 }