8862e9ab03069bf272117819ab53fa7fa5c939d2
[strongswan.git] / src / openac / openac.c
1 /**
2 * @file openac.c
3 *
4 * @brief Generation of X.509 attribute certificates.
5 *
6 */
7
8 /*
9 * Copyright (C) 2002 Ueli Galizzi, Ariane Seiler
10 * Copyright (C) 2004,2007 Andreas Steffen
11 * Hochschule fuer Technik Rapperswil, Switzerland
12 *
13 * This program is free software; you can redistribute it and/or modify it
14 * under the terms of the GNU General Public License as published by the
15 * Free Software Foundation; either version 2 of the License, or (at your
16 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
17 *
18 * This program is distributed in the hope that it will be useful, but
19 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
20 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
21 * for more details.
22 */
23
24 #include <stdio.h>
25 #include <stdlib.h>
26 #include <string.h>
27 #include <syslog.h>
28 #include <unistd.h>
29 #include <getopt.h>
30 #include <ctype.h>
31 #include <time.h>
32 #include <errno.h>
33
34 #include <library.h>
35 #include <utils/debug.h>
36 #include <asn1/asn1.h>
37 #include <credentials/certificates/x509.h>
38 #include <credentials/certificates/ac.h>
39 #include <credentials/keys/private_key.h>
40 #include <credentials/sets/mem_cred.h>
41 #include <utils/optionsfrom.h>
42
43 #define OPENAC_PATH IPSEC_CONFDIR "/openac"
44 #define OPENAC_SERIAL IPSEC_CONFDIR "/openac/serial"
45
46 #define DEFAULT_VALIDITY 24*3600 /* seconds */
47
48 /**
49 * @brief prints the usage of the program to the stderr
50 */
51 static void usage(const char *message)
52 {
53 if (message != NULL && *message != '\0')
54 {
55 fprintf(stderr, "%s\n", message);
56 }
57 fprintf(stderr, "Usage: openac"
58 " [--help]"
59 " [--version]"
60 " [--optionsfrom <filename>]"
61 " [--quiet]"
62 " \\\n\t"
63 " [--debug <level 0..4>]"
64 " \\\n\t"
65 " [--days <days>]"
66 " [--hours <hours>]"
67 " \\\n\t"
68 " [--startdate <YYYYMMDDHHMMSSZ>]"
69 " [--enddate <YYYYMMDDHHMMSSZ>]"
70 " \\\n\t"
71 " --cert <certfile>"
72 " --key <keyfile>"
73 " [--password <password>]"
74 " \\\n\t"
75 " --usercert <certfile>"
76 " --groups <attr1,attr2,..>"
77 " --out <filename>"
78 "\n"
79 );
80 }
81
82 /**
83 * read the last serial number from file
84 */
85 static chunk_t read_serial(void)
86 {
87 chunk_t hex, serial = chunk_empty;
88 char one[] = {0x01};
89 FILE *fd;
90
91 fd = fopen(OPENAC_SERIAL, "r");
92 if (fd)
93 {
94 hex = chunk_alloca(64);
95 hex.len = fread(hex.ptr, 1, hex.len, fd);
96 if (hex.len)
97 {
98 /* remove any terminating newline character */
99 if (hex.ptr[hex.len-1] == '\n')
100 {
101 hex.len--;
102 }
103 serial = chunk_alloca((hex.len / 2) + (hex.len % 2));
104 serial = chunk_from_hex(hex, serial.ptr);
105 }
106 fclose(fd);
107 }
108 else
109 {
110 DBG1(DBG_LIB, " file '%s' does not exist yet - serial number "
111 "set to 01", OPENAC_SERIAL);
112 }
113 if (!serial.len)
114 {
115 return chunk_clone(chunk_create(one, 1));
116 }
117 if (chunk_increment(serial))
118 { /* overflow, prepend 0x01 */
119 return chunk_cat("cc", chunk_create(one, 1), serial);
120 }
121 return chunk_clone(serial);
122 }
123
124 /**
125 * write back the last serial number to file
126 */
127 static void write_serial(chunk_t serial)
128 {
129 FILE *fd = fopen(OPENAC_SERIAL, "w");
130
131 if (fd)
132 {
133 chunk_t hex_serial;
134
135 DBG1(DBG_LIB, " serial number is %#B", &serial);
136 hex_serial = chunk_to_hex(serial, NULL, FALSE);
137 fprintf(fd, "%.*s\n", (int)hex_serial.len, hex_serial.ptr);
138 fclose(fd);
139 free(hex_serial.ptr);
140 }
141 else
142 {
143 DBG1(DBG_LIB, " could not open file '%s' for writing", OPENAC_SERIAL);
144 }
145 }
146
147 /**
148 * global variables accessible by both main() and build.c
149 */
150
151 static int debug_level = 1;
152 static bool stderr_quiet = FALSE;
153
154 /**
155 * openac dbg function
156 */
157 static void openac_dbg(debug_t group, level_t level, char *fmt, ...)
158 {
159 int priority = LOG_INFO;
160 char buffer[8192];
161 char *current = buffer, *next;
162 va_list args;
163
164 if (level <= debug_level)
165 {
166 if (!stderr_quiet)
167 {
168 va_start(args, fmt);
169 vfprintf(stderr, fmt, args);
170 fprintf(stderr, "\n");
171 va_end(args);
172 }
173
174 /* write in memory buffer first */
175 va_start(args, fmt);
176 vsnprintf(buffer, sizeof(buffer), fmt, args);
177 va_end(args);
178
179 /* do a syslog with every line */
180 while (current)
181 {
182 next = strchr(current, '\n');
183 if (next)
184 {
185 *(next++) = '\0';
186 }
187 syslog(priority, "%s\n", current);
188 current = next;
189 }
190 }
191 }
192
193 /**
194 * @brief openac main program
195 *
196 * @param argc number of arguments
197 * @param argv pointer to the argument values
198 */
199 int main(int argc, char **argv)
200 {
201 certificate_t *attr_cert = NULL;
202 certificate_t *userCert = NULL;
203 certificate_t *signerCert = NULL;
204 private_key_t *signerKey = NULL;
205
206 time_t notBefore = UNDEFINED_TIME;
207 time_t notAfter = UNDEFINED_TIME;
208 time_t validity = 0;
209
210 char *keyfile = NULL;
211 char *certfile = NULL;
212 char *usercertfile = NULL;
213 char *outfile = NULL;
214 char *groups = "";
215 char buf[BUF_LEN];
216
217 chunk_t passphrase = { buf, 0 };
218 chunk_t serial = chunk_empty;
219 chunk_t attr_chunk = chunk_empty;
220
221 int status = 1;
222
223 /* enable openac debugging hook */
224 dbg = openac_dbg;
225
226 passphrase.ptr[0] = '\0';
227
228 openlog("openac", 0, LOG_AUTHPRIV);
229
230 /* initialize library */
231 atexit(library_deinit);
232 if (!library_init(NULL, "openac"))
233 {
234 exit(SS_RC_LIBSTRONGSWAN_INTEGRITY);
235 }
236 if (lib->integrity &&
237 !lib->integrity->check_file(lib->integrity, "openac", argv[0]))
238 {
239 fprintf(stderr, "integrity check of openac failed\n");
240 exit(SS_RC_DAEMON_INTEGRITY);
241 }
242 if (!lib->plugins->load(lib->plugins,
243 lib->settings->get_str(lib->settings, "openac.load", PLUGINS)))
244 {
245 exit(SS_RC_INITIALIZATION_FAILED);
246 }
247
248 /* initialize optionsfrom */
249 options_t *options = options_create();
250
251 /* handle arguments */
252 for (;;)
253 {
254 static const struct option long_opts[] = {
255 /* name, has_arg, flag, val */
256 { "help", no_argument, NULL, 'h' },
257 { "version", no_argument, NULL, 'v' },
258 { "optionsfrom", required_argument, NULL, '+' },
259 { "quiet", no_argument, NULL, 'q' },
260 { "cert", required_argument, NULL, 'c' },
261 { "key", required_argument, NULL, 'k' },
262 { "password", required_argument, NULL, 'p' },
263 { "usercert", required_argument, NULL, 'u' },
264 { "groups", required_argument, NULL, 'g' },
265 { "days", required_argument, NULL, 'D' },
266 { "hours", required_argument, NULL, 'H' },
267 { "startdate", required_argument, NULL, 'S' },
268 { "enddate", required_argument, NULL, 'E' },
269 { "out", required_argument, NULL, 'o' },
270 { "debug", required_argument, NULL, 'd' },
271 { 0,0,0,0 }
272 };
273
274 int c = getopt_long(argc, argv, "hv+:qc:k:p;u:g:D:H:S:E:o:d:", long_opts, NULL);
275
276 /* Note: "breaking" from case terminates loop */
277 switch (c)
278 {
279 case EOF: /* end of flags */
280 break;
281
282 case 0: /* long option already handled */
283 continue;
284
285 case ':': /* diagnostic already printed by getopt_long */
286 case '?': /* diagnostic already printed by getopt_long */
287 case 'h': /* --help */
288 usage(NULL);
289 status = 1;
290 goto end;
291
292 case 'v': /* --version */
293 printf("openac (strongSwan %s)\n", VERSION);
294 status = 0;
295 goto end;
296
297 case '+': /* --optionsfrom <filename> */
298 {
299 char path[BUF_LEN];
300
301 if (*optarg == '/') /* absolute pathname */
302 {
303 strncpy(path, optarg, BUF_LEN);
304 path[BUF_LEN-1] = '\0';
305 }
306 else /* relative pathname */
307 {
308 snprintf(path, BUF_LEN, "%s/%s", OPENAC_PATH, optarg);
309 }
310 if (!options->from(options, path, &argc, &argv, optind))
311 {
312 status = 1;
313 goto end;
314 }
315 }
316 continue;
317
318 case 'q': /* --quiet */
319 stderr_quiet = TRUE;
320 continue;
321
322 case 'c': /* --cert */
323 certfile = optarg;
324 continue;
325
326 case 'k': /* --key */
327 keyfile = optarg;
328 continue;
329
330 case 'p': /* --key */
331 if (strlen(optarg) >= BUF_LEN)
332 {
333 usage("passphrase too long");
334 goto end;
335 }
336 strncpy(passphrase.ptr, optarg, BUF_LEN);
337 passphrase.len = min(strlen(optarg), BUF_LEN);
338 continue;
339
340 case 'u': /* --usercert */
341 usercertfile = optarg;
342 continue;
343
344 case 'g': /* --groups */
345 groups = optarg;
346 continue;
347
348 case 'D': /* --days */
349 if (optarg == NULL || !isdigit(optarg[0]))
350 {
351 usage("missing number of days");
352 goto end;
353 }
354 else
355 {
356 char *endptr;
357 long days = strtol(optarg, &endptr, 0);
358
359 if (*endptr != '\0' || endptr == optarg || days <= 0)
360 {
361 usage("<days> must be a positive number");
362 goto end;
363 }
364 validity += 24*3600*days;
365 }
366 continue;
367
368 case 'H': /* --hours */
369 if (optarg == NULL || !isdigit(optarg[0]))
370 {
371 usage("missing number of hours");
372 goto end;
373 }
374 else
375 {
376 char *endptr;
377 long hours = strtol(optarg, &endptr, 0);
378
379 if (*endptr != '\0' || endptr == optarg || hours <= 0)
380 {
381 usage("<hours> must be a positive number");
382 goto end;
383 }
384 validity += 3600*hours;
385 }
386 continue;
387
388 case 'S': /* --startdate */
389 if (optarg == NULL || strlen(optarg) != 15 || optarg[14] != 'Z')
390 {
391 usage("date format must be YYYYMMDDHHMMSSZ");
392 goto end;
393 }
394 else
395 {
396 chunk_t date = { optarg, 15 };
397
398 notBefore = asn1_to_time(&date, ASN1_GENERALIZEDTIME);
399 }
400 continue;
401
402 case 'E': /* --enddate */
403 if (optarg == NULL || strlen(optarg) != 15 || optarg[14] != 'Z')
404 {
405 usage("date format must be YYYYMMDDHHMMSSZ");
406 goto end;
407 }
408 else
409 {
410 chunk_t date = { optarg, 15 };
411 notAfter = asn1_to_time(&date, ASN1_GENERALIZEDTIME);
412 }
413 continue;
414
415 case 'o': /* --out */
416 outfile = optarg;
417 continue;
418
419 case 'd': /* --debug */
420 debug_level = atoi(optarg);
421 continue;
422
423 default:
424 usage("");
425 status = 0;
426 goto end;
427 }
428 /* break from loop */
429 break;
430 }
431
432 if (optind != argc)
433 {
434 usage("unexpected argument");
435 goto end;
436 }
437
438 DBG1(DBG_LIB, "starting openac (strongSwan Version %s)", VERSION);
439
440 /* load the signer's RSA private key */
441 if (keyfile != NULL)
442 {
443 mem_cred_t *mem;
444 shared_key_t *shared;
445
446 mem = mem_cred_create();
447 lib->credmgr->add_set(lib->credmgr, &mem->set);
448 shared = shared_key_create(SHARED_PRIVATE_KEY_PASS,
449 chunk_clone(passphrase));
450 mem->add_shared(mem, shared, NULL);
451 signerKey = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
452 BUILD_FROM_FILE, keyfile,
453 BUILD_END);
454 lib->credmgr->remove_set(lib->credmgr, &mem->set);
455 mem->destroy(mem);
456 if (signerKey == NULL)
457 {
458 goto end;
459 }
460 DBG1(DBG_LIB, " loaded private key file '%s'", keyfile);
461 }
462
463 /* load the signer's X.509 certificate */
464 if (certfile != NULL)
465 {
466 signerCert = lib->creds->create(lib->creds,
467 CRED_CERTIFICATE, CERT_X509,
468 BUILD_FROM_FILE, certfile,
469 BUILD_END);
470 if (signerCert == NULL)
471 {
472 goto end;
473 }
474 }
475
476 /* load the users's X.509 certificate */
477 if (usercertfile != NULL)
478 {
479 userCert = lib->creds->create(lib->creds,
480 CRED_CERTIFICATE, CERT_X509,
481 BUILD_FROM_FILE, usercertfile,
482 BUILD_END);
483 if (userCert == NULL)
484 {
485 goto end;
486 }
487 }
488
489 /* compute validity interval */
490 validity = (validity)? validity : DEFAULT_VALIDITY;
491 notBefore = (notBefore == UNDEFINED_TIME) ? time(NULL) : notBefore;
492 notAfter = (notAfter == UNDEFINED_TIME) ? time(NULL) + validity : notAfter;
493
494 /* build and parse attribute certificate */
495 if (userCert != NULL && signerCert != NULL && signerKey != NULL &&
496 outfile != NULL)
497 {
498 /* read the serial number and increment it by one */
499 serial = read_serial();
500
501 attr_cert = lib->creds->create(lib->creds,
502 CRED_CERTIFICATE, CERT_X509_AC,
503 BUILD_CERT, userCert,
504 BUILD_NOT_BEFORE_TIME, notBefore,
505 BUILD_NOT_AFTER_TIME, notAfter,
506 BUILD_SERIAL, serial,
507 BUILD_IETF_GROUP_ATTR, groups,
508 BUILD_SIGNING_CERT, signerCert,
509 BUILD_SIGNING_KEY, signerKey,
510 BUILD_END);
511 if (!attr_cert)
512 {
513 goto end;
514 }
515
516 /* write the attribute certificate to file */
517 if (attr_cert->get_encoding(attr_cert, CERT_ASN1_DER, &attr_chunk))
518 {
519 if (chunk_write(attr_chunk, outfile, 0022, TRUE))
520 {
521 DBG1(DBG_APP, " written attribute cert file '%s' (%d bytes)",
522 outfile, attr_chunk.len);
523 write_serial(serial);
524 status = 0;
525 }
526 else
527 {
528 DBG1(DBG_APP, " writing attribute cert file '%s' failed: %s",
529 outfile, strerror(errno));
530 }
531 }
532 }
533 else
534 {
535 usage("some of the mandatory parameters --usercert --cert --key --out "
536 "are missing");
537 }
538
539 end:
540 /* delete all dynamically allocated objects */
541 DESTROY_IF(signerKey);
542 DESTROY_IF(signerCert);
543 DESTROY_IF(userCert);
544 DESTROY_IF(attr_cert);
545 free(attr_chunk.ptr);
546 free(serial.ptr);
547 closelog();
548 dbg = dbg_default;
549 options->destroy(options);
550 exit(status);
551 }