make load_tester more strict to use it along stroke
[strongswan.git] / src / openac / openac.c
1 /**
2 * @file openac.c
3 *
4 * @brief Generation of X.509 attribute certificates.
5 *
6 */
7
8 /*
9 * Copyright (C) 2002 Ueli Galizzi, Ariane Seiler
10 * Copyright (C) 2004,2007 Andreas Steffen
11 * Hochschule fuer Technik Rapperswil, Switzerland
12 *
13 * This program is free software; you can redistribute it and/or modify it
14 * under the terms of the GNU General Public License as published by the
15 * Free Software Foundation; either version 2 of the License, or (at your
16 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
17 *
18 * This program is distributed in the hope that it will be useful, but
19 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
20 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
21 * for more details.
22 *
23 * RCSID $Id$
24 */
25
26 #include <stdio.h>
27 #include <stdlib.h>
28 #include <string.h>
29 #include <syslog.h>
30 #include <unistd.h>
31 #include <getopt.h>
32 #include <ctype.h>
33 #include <time.h>
34 #include <gmp.h>
35
36 #include <library.h>
37 #include <debug.h>
38 #include <asn1/asn1.h>
39 #include <asn1/pem.h>
40 #include <credentials/certificates/x509.h>
41 #include <credentials/certificates/ac.h>
42 #include <utils/optionsfrom.h>
43
44 #ifdef INTEGRITY_TEST
45 #include <fips/fips.h>
46 #include <fips_signature.h>
47 #endif /* INTEGRITY_TEST */
48
49 #define OPENAC_PATH IPSEC_CONFDIR "/openac"
50 #define OPENAC_SERIAL IPSEC_CONFDIR "/openac/serial"
51
52 #define DEFAULT_VALIDITY 24*3600 /* seconds */
53
54 /**
55 * @brief prints the usage of the program to the stderr
56 */
57 static void usage(const char *message)
58 {
59 if (message != NULL && *message != '\0')
60 {
61 fprintf(stderr, "%s\n", message);
62 }
63 fprintf(stderr, "Usage: openac"
64 " [--help]"
65 " [--version]"
66 " [--optionsfrom <filename>]"
67 " [--quiet]"
68 " \\\n\t"
69 " [--debug <level 0..4>]"
70 " \\\n\t"
71 " [--days <days>]"
72 " [--hours <hours>]"
73 " \\\n\t"
74 " [--startdate <YYYYMMDDHHMMSSZ>]"
75 " [--enddate <YYYYMMDDHHMMSSZ>]"
76 " \\\n\t"
77 " --cert <certfile>"
78 " --key <keyfile>"
79 " [--password <password>]"
80 " \\\n\t"
81 " --usercert <certfile>"
82 " --groups <attr1,attr2,..>"
83 " --out <filename>"
84 "\n"
85 );
86 }
87
88
89 /**
90 * convert a chunk into a multi-precision integer
91 */
92 static void chunk_to_mpz(chunk_t chunk, mpz_t number)
93 {
94 mpz_import(number, chunk.len, 1, 1, 1, 0, chunk.ptr);
95 }
96
97 /**
98 * convert a multi-precision integer into a chunk
99 */
100 static chunk_t mpz_to_chunk(mpz_t number)
101 {
102 chunk_t chunk;
103
104 chunk.len = 1 + mpz_sizeinbase(number, 2)/BITS_PER_BYTE;
105 chunk.ptr = mpz_export(NULL, NULL, 1, chunk.len, 1, 0, number);
106 if (chunk.ptr == NULL)
107 {
108 chunk.len = 0;
109 }
110 return chunk;
111 }
112
113 /**
114 * read the last serial number from file
115 */
116 static chunk_t read_serial(void)
117 {
118 mpz_t number;
119
120 char buf[BUF_LEN], buf1[BUF_LEN];
121 chunk_t hex_serial = { buf, BUF_LEN };
122 chunk_t last_serial = { buf1, BUF_LEN };
123 chunk_t serial;
124
125 FILE *fd = fopen(OPENAC_SERIAL, "r");
126
127 /* last serial number defaults to 0 */
128 *last_serial.ptr = 0x00;
129 last_serial.len = 1;
130
131 if (fd)
132 {
133 if (fscanf(fd, "%s", hex_serial.ptr))
134 {
135 hex_serial.len = strlen(hex_serial.ptr);
136 last_serial = chunk_from_hex(hex_serial, last_serial.ptr);
137 }
138 fclose(fd);
139 }
140 else
141 {
142 DBG1(" file '%s' does not exist yet - serial number set to 01", OPENAC_SERIAL);
143 }
144
145 /**
146 * conversion of read serial number to a multiprecision integer
147 * and incrementing it by one
148 * and representing it as a two's complement octet string
149 */
150 mpz_init(number);
151 chunk_to_mpz(last_serial, number);
152 mpz_add_ui(number, number, 0x01);
153 serial = mpz_to_chunk(number);
154 mpz_clear(number);
155
156 return serial;
157 }
158
159 /**
160 * write back the last serial number to file
161 */
162 static void write_serial(chunk_t serial)
163 {
164 FILE *fd = fopen(OPENAC_SERIAL, "w");
165
166 if (fd)
167 {
168 chunk_t hex_serial;
169
170 DBG1(" serial number is %#B", &serial);
171 hex_serial = chunk_to_hex(serial, NULL, FALSE);
172 fprintf(fd, "%.*s\n", hex_serial.len, hex_serial.ptr);
173 fclose(fd);
174 free(hex_serial.ptr);
175 }
176 else
177 {
178 DBG1(" could not open file '%s' for writing", OPENAC_SERIAL);
179 }
180 }
181
182 /**
183 * Load and parse a private key file
184 */
185 static private_key_t* private_key_create_from_file(char *path, chunk_t *secret)
186 {
187 bool pgp = FALSE;
188 chunk_t chunk = chunk_empty;
189 private_key_t *key = NULL;
190
191 if (!pem_asn1_load_file(path, secret, &chunk, &pgp))
192 {
193 DBG1(" could not load private key file '%s'", path);
194 return NULL;
195 }
196 key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
197 BUILD_BLOB_ASN1_DER, chunk, BUILD_END);
198 free(chunk.ptr);
199 if (key == NULL)
200 {
201 DBG1(" could not parse loaded private key file '%s'", path);
202 return NULL;
203 }
204 DBG1(" loaded private key file '%s'", path);
205 return key;
206 }
207
208 /**
209 * global variables accessible by both main() and build.c
210 */
211
212 static int debug_level = 1;
213 static bool stderr_quiet = FALSE;
214
215 /**
216 * openac dbg function
217 */
218 static void openac_dbg(int level, char *fmt, ...)
219 {
220 int priority = LOG_INFO;
221 va_list args;
222
223 if (level <= debug_level)
224 {
225 va_start(args, fmt);
226 if (!stderr_quiet)
227 {
228 vfprintf(stderr, fmt, args);
229 fprintf(stderr, "\n");
230 }
231 vsyslog(priority, fmt, args);
232 va_end(args);
233 }
234 }
235
236 /**
237 * @brief openac main program
238 *
239 * @param argc number of arguments
240 * @param argv pointer to the argument values
241 */
242 int main(int argc, char **argv)
243 {
244 certificate_t *attr_cert = NULL;
245 certificate_t *userCert = NULL;
246 certificate_t *signerCert = NULL;
247 private_key_t *signerKey = NULL;
248
249 time_t notBefore = UNDEFINED_TIME;
250 time_t notAfter = UNDEFINED_TIME;
251 time_t validity = 0;
252
253 char *keyfile = NULL;
254 char *certfile = NULL;
255 char *usercertfile = NULL;
256 char *outfile = NULL;
257 char *groups = "";
258 char buf[BUF_LEN];
259
260 chunk_t passphrase = { buf, 0 };
261 chunk_t serial = chunk_empty;
262 chunk_t attr_chunk = chunk_empty;
263
264 int status = 1;
265
266 /* enable openac debugging hook */
267 dbg = openac_dbg;
268
269 passphrase.ptr[0] = '\0';
270
271 openlog("openac", 0, LOG_AUTHPRIV);
272
273 /* initialize library */
274 library_init(STRONGSWAN_CONF);
275 lib->plugins->load(lib->plugins, IPSEC_PLUGINDIR,
276 lib->settings->get_str(lib->settings, "openac.load", PLUGINS));
277
278 /* initialize optionsfrom */
279 options_t *options = options_create();
280
281 /* handle arguments */
282 for (;;)
283 {
284 static const struct option long_opts[] = {
285 /* name, has_arg, flag, val */
286 { "help", no_argument, NULL, 'h' },
287 { "version", no_argument, NULL, 'v' },
288 { "optionsfrom", required_argument, NULL, '+' },
289 { "quiet", no_argument, NULL, 'q' },
290 { "cert", required_argument, NULL, 'c' },
291 { "key", required_argument, NULL, 'k' },
292 { "password", required_argument, NULL, 'p' },
293 { "usercert", required_argument, NULL, 'u' },
294 { "groups", required_argument, NULL, 'g' },
295 { "days", required_argument, NULL, 'D' },
296 { "hours", required_argument, NULL, 'H' },
297 { "startdate", required_argument, NULL, 'S' },
298 { "enddate", required_argument, NULL, 'E' },
299 { "out", required_argument, NULL, 'o' },
300 { "debug", required_argument, NULL, 'd' },
301 { 0,0,0,0 }
302 };
303
304 int c = getopt_long(argc, argv, "hv+:qc:k:p;u:g:D:H:S:E:o:d:", long_opts, NULL);
305
306 /* Note: "breaking" from case terminates loop */
307 switch (c)
308 {
309 case EOF: /* end of flags */
310 break;
311
312 case 0: /* long option already handled */
313 continue;
314
315 case ':': /* diagnostic already printed by getopt_long */
316 case '?': /* diagnostic already printed by getopt_long */
317 case 'h': /* --help */
318 usage(NULL);
319 status = 1;
320 goto end;
321
322 case 'v': /* --version */
323 printf("openac (strongSwan %s)\n", VERSION);
324 status = 0;
325 goto end;
326
327 case '+': /* --optionsfrom <filename> */
328 {
329 char path[BUF_LEN];
330
331 if (*optarg == '/') /* absolute pathname */
332 {
333 strncpy(path, optarg, BUF_LEN);
334 }
335 else /* relative pathname */
336 {
337 snprintf(path, BUF_LEN, "%s/%s", OPENAC_PATH, optarg);
338 }
339 if (!options->from(options, path, &argc, &argv, optind))
340 {
341 status = 1;
342 goto end;
343 }
344 }
345 continue;
346
347 case 'q': /* --quiet */
348 stderr_quiet = TRUE;
349 continue;
350
351 case 'c': /* --cert */
352 certfile = optarg;
353 continue;
354
355 case 'k': /* --key */
356 keyfile = optarg;
357 continue;
358
359 case 'p': /* --key */
360 if (strlen(optarg) > BUF_LEN)
361 {
362 usage("passphrase too long");
363 goto end;
364 }
365 strncpy(passphrase.ptr, optarg, BUF_LEN);
366 passphrase.len = min(strlen(optarg), BUF_LEN);
367 continue;
368
369 case 'u': /* --usercert */
370 usercertfile = optarg;
371 continue;
372
373 case 'g': /* --groups */
374 groups = optarg;
375 continue;
376
377 case 'D': /* --days */
378 if (optarg == NULL || !isdigit(optarg[0]))
379 {
380 usage("missing number of days");
381 goto end;
382 }
383 else
384 {
385 char *endptr;
386 long days = strtol(optarg, &endptr, 0);
387
388 if (*endptr != '\0' || endptr == optarg || days <= 0)
389 {
390 usage("<days> must be a positive number");
391 goto end;
392 }
393 validity += 24*3600*days;
394 }
395 continue;
396
397 case 'H': /* --hours */
398 if (optarg == NULL || !isdigit(optarg[0]))
399 {
400 usage("missing number of hours");
401 goto end;
402 }
403 else
404 {
405 char *endptr;
406 long hours = strtol(optarg, &endptr, 0);
407
408 if (*endptr != '\0' || endptr == optarg || hours <= 0)
409 {
410 usage("<hours> must be a positive number");
411 goto end;
412 }
413 validity += 3600*hours;
414 }
415 continue;
416
417 case 'S': /* --startdate */
418 if (optarg == NULL || strlen(optarg) != 15 || optarg[14] != 'Z')
419 {
420 usage("date format must be YYYYMMDDHHMMSSZ");
421 goto end;
422 }
423 else
424 {
425 chunk_t date = { optarg, 15 };
426
427 notBefore = asn1_to_time(&date, ASN1_GENERALIZEDTIME);
428 }
429 continue;
430
431 case 'E': /* --enddate */
432 if (optarg == NULL || strlen(optarg) != 15 || optarg[14] != 'Z')
433 {
434 usage("date format must be YYYYMMDDHHMMSSZ");
435 goto end;
436 }
437 else
438 {
439 chunk_t date = { optarg, 15 };
440 notAfter = asn1_to_time(&date, ASN1_GENERALIZEDTIME);
441 }
442 continue;
443
444 case 'o': /* --out */
445 outfile = optarg;
446 continue;
447
448 case 'd': /* --debug */
449 debug_level = atoi(optarg);
450 continue;
451
452 default:
453 usage("");
454 status = 0;
455 goto end;
456 }
457 /* break from loop */
458 break;
459 }
460
461 if (optind != argc)
462 {
463 usage("unexpected argument");
464 goto end;
465 }
466
467 DBG1("starting openac (strongSwan Version %s)", VERSION);
468
469 #ifdef INTEGRITY_TEST
470 DBG1("integrity test of libstrongswan code");
471 if (fips_verify_hmac_signature(hmac_key, hmac_signature))
472 {
473 DBG1(" integrity test passed");
474 }
475 else
476 {
477 DBG1(" integrity test failed");
478 status = 3;
479 goto end;
480 }
481 #endif /* INTEGRITY_TEST */
482
483 /* load the signer's RSA private key */
484 if (keyfile != NULL)
485 {
486 signerKey = private_key_create_from_file(keyfile, &passphrase);
487
488 if (signerKey == NULL)
489 {
490 goto end;
491 }
492 }
493
494 /* load the signer's X.509 certificate */
495 if (certfile != NULL)
496 {
497 signerCert = lib->creds->create(lib->creds,
498 CRED_CERTIFICATE, CERT_X509,
499 BUILD_FROM_FILE, certfile,
500 BUILD_X509_FLAG, 0,
501 BUILD_END);
502 if (signerCert == NULL)
503 {
504 goto end;
505 }
506 }
507
508 /* load the users's X.509 certificate */
509 if (usercertfile != NULL)
510 {
511 userCert = lib->creds->create(lib->creds,
512 CRED_CERTIFICATE, CERT_X509,
513 BUILD_FROM_FILE, usercertfile,
514 BUILD_X509_FLAG, 0,
515 BUILD_END);
516 if (userCert == NULL)
517 {
518 goto end;
519 }
520 }
521
522 /* compute validity interval */
523 validity = (validity)? validity : DEFAULT_VALIDITY;
524 notBefore = (notBefore == UNDEFINED_TIME) ? time(NULL) : notBefore;
525 notAfter = (notAfter == UNDEFINED_TIME) ? time(NULL) + validity : notAfter;
526
527 /* build and parse attribute certificate */
528 if (userCert != NULL && signerCert != NULL && signerKey != NULL)
529 {
530 /* read the serial number and increment it by one */
531 serial = read_serial();
532
533 attr_cert = lib->creds->create(lib->creds,
534 CRED_CERTIFICATE, CERT_X509_AC,
535 BUILD_CERT, userCert,
536 BUILD_NOT_BEFORE_TIME, notBefore,
537 BUILD_NOT_AFTER_TIME, notAfter,
538 BUILD_SERIAL, serial,
539 BUILD_IETF_GROUP_ATTR, groups,
540 BUILD_SIGNING_CERT, signerCert,
541 BUILD_SIGNING_KEY, signerKey,
542 BUILD_END);
543 free(serial.ptr);
544 if (!attr_cert)
545 {
546 goto end;
547 }
548
549 /* write the attribute certificate to file */
550 attr_chunk = attr_cert->get_encoding(attr_cert);
551 if (chunk_write(attr_chunk, outfile, 0022, TRUE))
552 {
553 DBG1(" wrote attribute cert file '%s' (%u bytes)", outfile, attr_chunk.len);
554 write_serial(serial);
555 status = 0;
556 }
557 }
558 else
559 {
560 usage("some of the mandatory parameters --usercert --cert --key "
561 "are missing");
562 }
563
564 end:
565 /* delete all dynamically allocated objects */
566 DESTROY_IF(signerKey);
567 DESTROY_IF(signerCert);
568 DESTROY_IF(userCert);
569 DESTROY_IF(attr_cert);
570 free(attr_chunk.ptr);
571 free(serial.ptr);
572 closelog();
573 dbg = dbg_default;
574 options->destroy(options);
575 library_deinit();
576 exit(status);
577 }