added RCSID
[strongswan.git] / src / openac / openac.c
1 /**
2 * @file openac.c
3 *
4 * @brief Generation of X.509 attribute certificates.
5 *
6 */
7
8 /*
9 * Copyright (C) 2002 Ueli Galizzi, Ariane Seiler
10 * Copyright (C) 2004,2007 Andreas Steffen
11 * Hochschule fuer Technik Rapperswil, Switzerland
12 *
13 * This program is free software; you can redistribute it and/or modify it
14 * under the terms of the GNU General Public License as published by the
15 * Free Software Foundation; either version 2 of the License, or (at your
16 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
17 *
18 * This program is distributed in the hope that it will be useful, but
19 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
20 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
21 * for more details.
22 *
23 * RCSID $Id$
24 */
25
26 #include <stdio.h>
27 #include <stdlib.h>
28 #include <string.h>
29 #include <syslog.h>
30 #include <unistd.h>
31 #include <getopt.h>
32 #include <ctype.h>
33 #include <time.h>
34 #include <gmp.h>
35
36 #include <debug.h>
37 #include <asn1/asn1.h>
38 #include <asn1/ttodata.h>
39 #include <crypto/ac.h>
40 #include <crypto/ietf_attr_list.h>
41 #include <utils/optionsfrom.h>
42
43 #ifdef INTEGRITY_TEST
44 #include <fips/fips.h>
45 #include <fips_signature.h>
46 #endif /* INTEGRITY_TEST */
47
48 #include "build.h"
49
50 #define OPENAC_PATH IPSEC_CONFDIR "/openac"
51 #define OPENAC_SERIAL IPSEC_CONFDIR "/openac/serial"
52
53 static void usage(const char *mess)
54 {
55 if (mess != NULL && *mess != '\0')
56 {
57 fprintf(stderr, "%s\n", mess);
58 }
59 fprintf(stderr, "Usage: openac"
60 " [--help]"
61 " [--version]"
62 " [--optionsfrom <filename>]"
63 " [--quiet]"
64 " \\\n\t"
65 " [--debug <level 0..4>]"
66 " \\\n\t"
67 " [--days <days>]"
68 " [--hours <hours>]"
69 " \\\n\t"
70 " [--startdate <YYYYMMDDHHMMSSZ>]"
71 " [--enddate <YYYYMMDDHHMMSSZ>]"
72 " \\\n\t"
73 " --cert <certfile>"
74 " --key <keyfile>"
75 " [--password <password>]"
76 " \\\n\t"
77 " --usercert <certfile>"
78 " --groups <attr1,attr2,..>"
79 " --out <filename>"
80 "\n"
81 );
82 }
83
84
85 /**
86 * convert a chunk into a multi-precision integer
87 */
88 static void chunk_to_mpz(chunk_t chunk, mpz_t number)
89 {
90 mpz_import(number, chunk.len, 1, 1, 1, 0, chunk.ptr);
91 }
92
93 /**
94 * convert a multi-precision integer into a chunk
95 */
96 static chunk_t mpz_to_chunk(mpz_t number)
97 {
98 chunk_t chunk;
99
100 chunk.len = 1 + mpz_sizeinbase(number, 2)/BITS_PER_BYTE;
101 chunk.ptr = mpz_export(NULL, NULL, 1, chunk.len, 1, 0, number);
102 return chunk;
103 }
104
105 /**
106 * read the last serial number from file
107 */
108 static chunk_t read_serial(void)
109 {
110 mpz_t number;
111
112 char buf[BUF_LEN], buf1[BUF_LEN];
113 chunk_t last_serial = { buf1, BUF_LEN};
114 chunk_t serial;
115
116 FILE *fd = fopen(OPENAC_SERIAL, "r");
117
118 /* last serial number defaults to 0 */
119 *last_serial.ptr = 0x00;
120 last_serial.len = 1;
121
122 if (fd)
123 {
124 if (fscanf(fd, "%s", buf))
125 {
126 err_t ugh = ttodata(buf, 0, 16, last_serial.ptr, BUF_LEN, &last_serial.len);
127
128 if (ugh != NULL)
129 {
130 DBG1(" error reading serial number from %s: %s",
131 OPENAC_SERIAL, ugh);
132 }
133 }
134 fclose(fd);
135 }
136 else
137 {
138 DBG1(" file '%s' does not exist yet - serial number set to 01", OPENAC_SERIAL);
139 }
140
141 /**
142 * conversion of read serial number to a multiprecision integer
143 * and incrementing it by one
144 * and representing it as a two's complement octet string
145 */
146 mpz_init(number);
147 chunk_to_mpz(last_serial, number);
148 mpz_add_ui(number, number, 0x01);
149 serial = mpz_to_chunk(number);
150 mpz_clear(number);
151
152 return serial;
153 }
154
155 /**
156 * write back the last serial number to file
157 */
158 static void write_serial(chunk_t serial)
159 {
160 FILE *fd = fopen(OPENAC_SERIAL, "w");
161
162 if (fd)
163 {
164 DBG1(" serial number is %#B", &serial);
165 fprintf(fd, "%#B\n", &serial);
166 fclose(fd);
167 }
168 else
169 {
170 DBG1(" could not open file '%s' for writing", OPENAC_SERIAL);
171 }
172 }
173
174 /**
175 * global variables accessible by both main() and build.c
176 */
177 x509_t *usercert = NULL;
178 x509_t *signercert = NULL;
179
180 linked_list_t *groups = NULL;
181 rsa_private_key_t *signerkey = NULL;
182
183 time_t notBefore = UNDEFINED_TIME;
184 time_t notAfter = UNDEFINED_TIME;
185
186 chunk_t serial;
187
188 static int debug_level = 1;
189 static bool stderr_quiet = FALSE;
190 /**
191 * openac dbg function
192 */
193 static void openac_dbg(int level, char *fmt, ...)
194 {
195 int priority = LOG_INFO;
196 va_list args;
197
198 if (level <= debug_level)
199 {
200 va_start(args, fmt);
201 if (!stderr_quiet)
202 {
203 vfprintf(stderr, fmt, args);
204 fprintf(stderr, "\n");
205 }
206 vsyslog(priority, fmt, args);
207 va_end(args);
208 }
209 }
210
211 /**
212 * openac main program
213 */
214 int main(int argc, char **argv)
215 {
216 char *keyfile = NULL;
217 char *certfile = NULL;
218 char *usercertfile = NULL;
219 char *outfile = NULL;
220 char buf[BUF_LEN];
221
222 chunk_t passphrase = { buf, 0 };
223 chunk_t attr_cert = chunk_empty;
224 x509ac_t *ac = NULL;
225
226 const time_t default_validity = 24*3600; /* 24 hours */
227 time_t validity = 0;
228 int status = 1;
229
230 /* enable openac debugging hook */
231 dbg = openac_dbg;
232
233 passphrase.ptr[0] = '\0';
234 groups = linked_list_create();
235
236 openlog("openac", 0, LOG_AUTHPRIV);
237
238 /* handle arguments */
239 for (;;)
240 {
241 static const struct option long_opts[] = {
242 /* name, has_arg, flag, val */
243 { "help", no_argument, NULL, 'h' },
244 { "version", no_argument, NULL, 'v' },
245 { "optionsfrom", required_argument, NULL, '+' },
246 { "quiet", no_argument, NULL, 'q' },
247 { "cert", required_argument, NULL, 'c' },
248 { "key", required_argument, NULL, 'k' },
249 { "password", required_argument, NULL, 'p' },
250 { "usercert", required_argument, NULL, 'u' },
251 { "groups", required_argument, NULL, 'g' },
252 { "days", required_argument, NULL, 'D' },
253 { "hours", required_argument, NULL, 'H' },
254 { "startdate", required_argument, NULL, 'S' },
255 { "enddate", required_argument, NULL, 'E' },
256 { "out", required_argument, NULL, 'o' },
257 { "debug", required_argument, NULL, 'd' },
258 { 0,0,0,0 }
259 };
260
261 int c = getopt_long(argc, argv, "hv+:qc:k:p;u:g:D:H:S:E:o:d:", long_opts, NULL);
262
263 /* Note: "breaking" from case terminates loop */
264 switch (c)
265 {
266 case EOF: /* end of flags */
267 break;
268
269 case 0: /* long option already handled */
270 continue;
271
272 case ':': /* diagnostic already printed by getopt_long */
273 case '?': /* diagnostic already printed by getopt_long */
274 case 'h': /* --help */
275 usage(NULL);
276 status = 1;
277 goto end;
278
279 case 'v': /* --version */
280 printf("openac (strongSwan %s)\n", VERSION);
281 status = 0;
282 goto end;
283
284 case '+': /* --optionsfrom <filename> */
285 {
286 char path[BUF_LEN];
287
288 if (*optarg == '/') /* absolute pathname */
289 {
290 strncpy(path, optarg, BUF_LEN);
291 }
292 else /* relative pathname */
293 {
294 snprintf(path, BUF_LEN, "%s/%s", OPENAC_PATH, optarg);
295 }
296 if (!optionsfrom(path, &argc, &argv, optind))
297 {
298 status = 1;
299 goto end;
300 }
301 }
302 continue;
303
304 case 'q': /* --quiet */
305 stderr_quiet = TRUE;
306 continue;
307
308 case 'c': /* --cert */
309 certfile = optarg;
310 continue;
311
312 case 'k': /* --key */
313 keyfile = optarg;
314 continue;
315
316 case 'p': /* --key */
317 if (strlen(optarg) > BUF_LEN)
318 {
319 usage("passphrase too long");
320 goto end;
321 }
322 strncpy(passphrase.ptr, optarg, BUF_LEN);
323 passphrase.len = min(strlen(optarg), BUF_LEN);
324 continue;
325
326 case 'u': /* --usercert */
327 usercertfile = optarg;
328 continue;
329
330 case 'g': /* --groups */
331 ietfAttr_list_create_from_string(optarg, groups);
332 continue;
333
334 case 'D': /* --days */
335 if (optarg == NULL || !isdigit(optarg[0]))
336 {
337 usage("missing number of days");
338 goto end;
339 }
340 else
341 {
342 char *endptr;
343 long days = strtol(optarg, &endptr, 0);
344
345 if (*endptr != '\0' || endptr == optarg || days <= 0)
346 {
347 usage("<days> must be a positive number");
348 goto end;
349 }
350 validity += 24*3600*days;
351 }
352 continue;
353
354 case 'H': /* --hours */
355 if (optarg == NULL || !isdigit(optarg[0]))
356 {
357 usage("missing number of hours");
358 goto end;
359 }
360 else
361 {
362 char *endptr;
363 long hours = strtol(optarg, &endptr, 0);
364
365 if (*endptr != '\0' || endptr == optarg || hours <= 0)
366 {
367 usage("<hours> must be a positive number");
368 goto end;
369 }
370 validity += 3600*hours;
371 }
372 continue;
373
374 case 'S': /* --startdate */
375 if (optarg == NULL || strlen(optarg) != 15 || optarg[14] != 'Z')
376 {
377 usage("date format must be YYYYMMDDHHMMSSZ");
378 goto end;
379 }
380 else
381 {
382 chunk_t date = { optarg, 15 };
383
384 notBefore = asn1totime(&date, ASN1_GENERALIZEDTIME);
385 }
386 continue;
387
388 case 'E': /* --enddate */
389 if (optarg == NULL || strlen(optarg) != 15 || optarg[14] != 'Z')
390 {
391 usage("date format must be YYYYMMDDHHMMSSZ");
392 goto end;
393 }
394 else
395 {
396 chunk_t date = { optarg, 15 };
397 notAfter = asn1totime(&date, ASN1_GENERALIZEDTIME);
398 }
399 continue;
400
401 case 'o': /* --out */
402 outfile = optarg;
403 continue;
404
405 case 'd': /* --debug */
406 debug_level = atoi(optarg);
407 continue;
408
409 default:
410 usage("");
411 status = 0;
412 goto end;
413 }
414 break;
415 }
416
417 if (optind != argc)
418 {
419 usage("unexpected argument");
420 goto end;
421 }
422
423 DBG1("starting openac (strongSwan Version %s)", VERSION);
424
425 #ifdef INTEGRITY_TEST
426 DBG1("integrity test of libstrongswan code");
427 if (fips_verify_hmac_signature(hmac_key, hmac_signature))
428 {
429 DBG1(" integrity test passed");
430 }
431 else
432 {
433 DBG1(" integrity test failed");
434 status = 3;
435 goto end;
436 }
437 #endif /* INTEGRITY_TEST */
438
439 /* load the signer's RSA private key */
440 if (keyfile != NULL)
441 {
442 signerkey = rsa_private_key_create_from_file(keyfile, &passphrase);
443
444 if (signerkey == NULL)
445 {
446 goto end;
447 }
448 }
449
450 /* load the signer's X.509 certificate */
451 if (certfile != NULL)
452 {
453 signercert = x509_create_from_file(certfile, "signer cert");
454
455 if (signercert == NULL)
456 {
457 goto end;
458 }
459 }
460
461 /* load the users's X.509 certificate */
462 if (usercertfile != NULL)
463 {
464 usercert = x509_create_from_file(usercertfile, "user cert");
465
466 if (usercert == NULL)
467 {
468 goto end;
469 }
470 }
471
472 /* compute validity interval */
473 validity = (validity)? validity : default_validity;
474 notBefore = (notBefore == UNDEFINED_TIME) ? time(NULL) : notBefore;
475 notAfter = (notAfter == UNDEFINED_TIME) ? time(NULL) + validity : notAfter;
476
477 /* build and parse attribute certificate */
478 if (usercert != NULL && signercert != NULL && signerkey != NULL)
479 {
480 /* read the serial number and increment it by one */
481 serial = read_serial();
482
483 attr_cert = build_attr_cert();
484 ac = x509ac_create_from_chunk(attr_cert);
485
486 /* write the attribute certificate to file */
487 if (chunk_write(attr_cert, outfile, "attribute cert", 0022, TRUE))
488 {
489 write_serial(serial);
490 status = 0;
491 }
492 }
493
494 end:
495 /* delete all dynamically allocated objects */
496 DESTROY_IF(signerkey);
497 DESTROY_IF(signercert);
498 DESTROY_IF(usercert);
499 DESTROY_IF(ac);
500 ietfAttr_list_destroy(groups);
501 free(serial.ptr);
502 closelog();
503 dbg = dbg_default;
504 exit(status);
505 }