integrity test of openac and scepclient code files
[strongswan.git] / src / openac / openac.c
1 /**
2 * @file openac.c
3 *
4 * @brief Generation of X.509 attribute certificates.
5 *
6 */
7
8 /*
9 * Copyright (C) 2002 Ueli Galizzi, Ariane Seiler
10 * Copyright (C) 2004,2007 Andreas Steffen
11 * Hochschule fuer Technik Rapperswil, Switzerland
12 *
13 * This program is free software; you can redistribute it and/or modify it
14 * under the terms of the GNU General Public License as published by the
15 * Free Software Foundation; either version 2 of the License, or (at your
16 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
17 *
18 * This program is distributed in the hope that it will be useful, but
19 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
20 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
21 * for more details.
22 */
23
24 #include <stdio.h>
25 #include <stdlib.h>
26 #include <string.h>
27 #include <syslog.h>
28 #include <unistd.h>
29 #include <getopt.h>
30 #include <ctype.h>
31 #include <time.h>
32 #include <gmp.h>
33
34 #include <library.h>
35 #include <debug.h>
36 #include <asn1/asn1.h>
37 #include <asn1/pem.h>
38 #include <credentials/certificates/x509.h>
39 #include <credentials/certificates/ac.h>
40 #include <credentials/keys/private_key.h>
41 #include <utils/optionsfrom.h>
42
43 #define OPENAC_PATH IPSEC_CONFDIR "/openac"
44 #define OPENAC_SERIAL IPSEC_CONFDIR "/openac/serial"
45
46 #define DEFAULT_VALIDITY 24*3600 /* seconds */
47
48 /**
49 * @brief prints the usage of the program to the stderr
50 */
51 static void usage(const char *message)
52 {
53 if (message != NULL && *message != '\0')
54 {
55 fprintf(stderr, "%s\n", message);
56 }
57 fprintf(stderr, "Usage: openac"
58 " [--help]"
59 " [--version]"
60 " [--optionsfrom <filename>]"
61 " [--quiet]"
62 " \\\n\t"
63 " [--debug <level 0..4>]"
64 " \\\n\t"
65 " [--days <days>]"
66 " [--hours <hours>]"
67 " \\\n\t"
68 " [--startdate <YYYYMMDDHHMMSSZ>]"
69 " [--enddate <YYYYMMDDHHMMSSZ>]"
70 " \\\n\t"
71 " --cert <certfile>"
72 " --key <keyfile>"
73 " [--password <password>]"
74 " \\\n\t"
75 " --usercert <certfile>"
76 " --groups <attr1,attr2,..>"
77 " --out <filename>"
78 "\n"
79 );
80 }
81
82
83 /**
84 * convert a chunk into a multi-precision integer
85 */
86 static void chunk_to_mpz(chunk_t chunk, mpz_t number)
87 {
88 mpz_import(number, chunk.len, 1, 1, 1, 0, chunk.ptr);
89 }
90
91 /**
92 * convert a multi-precision integer into a chunk
93 */
94 static chunk_t mpz_to_chunk(mpz_t number)
95 {
96 chunk_t chunk;
97
98 chunk.len = 1 + mpz_sizeinbase(number, 2)/BITS_PER_BYTE;
99 chunk.ptr = mpz_export(NULL, NULL, 1, chunk.len, 1, 0, number);
100 if (chunk.ptr == NULL)
101 {
102 chunk.len = 0;
103 }
104 return chunk;
105 }
106
107 /**
108 * read the last serial number from file
109 */
110 static chunk_t read_serial(void)
111 {
112 mpz_t number;
113
114 char buf[BUF_LEN], buf1[BUF_LEN];
115 chunk_t hex_serial = { buf, BUF_LEN };
116 chunk_t last_serial = { buf1, BUF_LEN };
117 chunk_t serial;
118
119 FILE *fd = fopen(OPENAC_SERIAL, "r");
120
121 /* last serial number defaults to 0 */
122 *last_serial.ptr = 0x00;
123 last_serial.len = 1;
124
125 if (fd)
126 {
127 if (fscanf(fd, "%s", hex_serial.ptr))
128 {
129 hex_serial.len = strlen(hex_serial.ptr);
130 last_serial = chunk_from_hex(hex_serial, last_serial.ptr);
131 }
132 fclose(fd);
133 }
134 else
135 {
136 DBG1(" file '%s' does not exist yet - serial number set to 01", OPENAC_SERIAL);
137 }
138
139 /**
140 * conversion of read serial number to a multiprecision integer
141 * and incrementing it by one
142 * and representing it as a two's complement octet string
143 */
144 mpz_init(number);
145 chunk_to_mpz(last_serial, number);
146 mpz_add_ui(number, number, 0x01);
147 serial = mpz_to_chunk(number);
148 mpz_clear(number);
149
150 return serial;
151 }
152
153 /**
154 * write back the last serial number to file
155 */
156 static void write_serial(chunk_t serial)
157 {
158 FILE *fd = fopen(OPENAC_SERIAL, "w");
159
160 if (fd)
161 {
162 chunk_t hex_serial;
163
164 DBG1(" serial number is %#B", &serial);
165 hex_serial = chunk_to_hex(serial, NULL, FALSE);
166 fprintf(fd, "%.*s\n", hex_serial.len, hex_serial.ptr);
167 fclose(fd);
168 free(hex_serial.ptr);
169 }
170 else
171 {
172 DBG1(" could not open file '%s' for writing", OPENAC_SERIAL);
173 }
174 }
175
176 /**
177 * Load and parse a private key file
178 */
179 static private_key_t* private_key_create_from_file(char *path, chunk_t *secret)
180 {
181 bool pgp = FALSE;
182 chunk_t chunk = chunk_empty;
183 private_key_t *key = NULL;
184
185 if (!pem_asn1_load_file(path, secret, &chunk, &pgp))
186 {
187 DBG1(" could not load private key file '%s'", path);
188 return NULL;
189 }
190 key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
191 BUILD_BLOB_ASN1_DER, chunk, BUILD_END);
192 free(chunk.ptr);
193 if (key == NULL)
194 {
195 DBG1(" could not parse loaded private key file '%s'", path);
196 return NULL;
197 }
198 DBG1(" loaded private key file '%s'", path);
199 return key;
200 }
201
202 /**
203 * global variables accessible by both main() and build.c
204 */
205
206 static int debug_level = 1;
207 static bool stderr_quiet = FALSE;
208
209 /**
210 * openac dbg function
211 */
212 static void openac_dbg(int level, char *fmt, ...)
213 {
214 int priority = LOG_INFO;
215 char buffer[8192];
216 char *current = buffer, *next;
217 va_list args;
218
219 if (level <= debug_level)
220 {
221 if (!stderr_quiet)
222 {
223 va_start(args, fmt);
224 vfprintf(stderr, fmt, args);
225 fprintf(stderr, "\n");
226 va_end(args);
227 }
228
229 /* write in memory buffer first */
230 va_start(args, fmt);
231 vsnprintf(buffer, sizeof(buffer), fmt, args);
232 va_end(args);
233
234 /* do a syslog with every line */
235 while (current)
236 {
237 next = strchr(current, '\n');
238 if (next)
239 {
240 *(next++) = '\0';
241 }
242 syslog(priority, "%s\n", current);
243 current = next;
244 }
245 }
246 }
247
248 /**
249 * @brief openac main program
250 *
251 * @param argc number of arguments
252 * @param argv pointer to the argument values
253 */
254 int main(int argc, char **argv)
255 {
256 certificate_t *attr_cert = NULL;
257 certificate_t *userCert = NULL;
258 certificate_t *signerCert = NULL;
259 private_key_t *signerKey = NULL;
260
261 time_t notBefore = UNDEFINED_TIME;
262 time_t notAfter = UNDEFINED_TIME;
263 time_t validity = 0;
264
265 char *keyfile = NULL;
266 char *certfile = NULL;
267 char *usercertfile = NULL;
268 char *outfile = NULL;
269 char *groups = "";
270 char buf[BUF_LEN];
271
272 chunk_t passphrase = { buf, 0 };
273 chunk_t serial = chunk_empty;
274 chunk_t attr_chunk = chunk_empty;
275
276 int status = 1;
277
278 /* enable openac debugging hook */
279 dbg = openac_dbg;
280
281 passphrase.ptr[0] = '\0';
282
283 openlog("openac", 0, LOG_AUTHPRIV);
284
285 /* initialize library */
286 if (!library_init(STRONGSWAN_CONF))
287 {
288 library_deinit();
289 exit(SS_RC_LIBSTRONGSWAN_INTEGRITY);
290 }
291 if (lib->integrity &&
292 !lib->integrity->check_file(lib->integrity, "openac", argv[0]))
293 {
294 fprintf(stderr, "integrity check of openac failed\n");
295 library_deinit();
296 exit(SS_RC_DAEMON_INTEGRITY);
297 }
298 lib->plugins->load(lib->plugins, IPSEC_PLUGINDIR,
299 lib->settings->get_str(lib->settings, "openac.load", PLUGINS));
300
301 /* initialize optionsfrom */
302 options_t *options = options_create();
303
304 /* handle arguments */
305 for (;;)
306 {
307 static const struct option long_opts[] = {
308 /* name, has_arg, flag, val */
309 { "help", no_argument, NULL, 'h' },
310 { "version", no_argument, NULL, 'v' },
311 { "optionsfrom", required_argument, NULL, '+' },
312 { "quiet", no_argument, NULL, 'q' },
313 { "cert", required_argument, NULL, 'c' },
314 { "key", required_argument, NULL, 'k' },
315 { "password", required_argument, NULL, 'p' },
316 { "usercert", required_argument, NULL, 'u' },
317 { "groups", required_argument, NULL, 'g' },
318 { "days", required_argument, NULL, 'D' },
319 { "hours", required_argument, NULL, 'H' },
320 { "startdate", required_argument, NULL, 'S' },
321 { "enddate", required_argument, NULL, 'E' },
322 { "out", required_argument, NULL, 'o' },
323 { "debug", required_argument, NULL, 'd' },
324 { 0,0,0,0 }
325 };
326
327 int c = getopt_long(argc, argv, "hv+:qc:k:p;u:g:D:H:S:E:o:d:", long_opts, NULL);
328
329 /* Note: "breaking" from case terminates loop */
330 switch (c)
331 {
332 case EOF: /* end of flags */
333 break;
334
335 case 0: /* long option already handled */
336 continue;
337
338 case ':': /* diagnostic already printed by getopt_long */
339 case '?': /* diagnostic already printed by getopt_long */
340 case 'h': /* --help */
341 usage(NULL);
342 status = 1;
343 goto end;
344
345 case 'v': /* --version */
346 printf("openac (strongSwan %s)\n", VERSION);
347 status = 0;
348 goto end;
349
350 case '+': /* --optionsfrom <filename> */
351 {
352 char path[BUF_LEN];
353
354 if (*optarg == '/') /* absolute pathname */
355 {
356 strncpy(path, optarg, BUF_LEN);
357 }
358 else /* relative pathname */
359 {
360 snprintf(path, BUF_LEN, "%s/%s", OPENAC_PATH, optarg);
361 }
362 if (!options->from(options, path, &argc, &argv, optind))
363 {
364 status = 1;
365 goto end;
366 }
367 }
368 continue;
369
370 case 'q': /* --quiet */
371 stderr_quiet = TRUE;
372 continue;
373
374 case 'c': /* --cert */
375 certfile = optarg;
376 continue;
377
378 case 'k': /* --key */
379 keyfile = optarg;
380 continue;
381
382 case 'p': /* --key */
383 if (strlen(optarg) > BUF_LEN)
384 {
385 usage("passphrase too long");
386 goto end;
387 }
388 strncpy(passphrase.ptr, optarg, BUF_LEN);
389 passphrase.len = min(strlen(optarg), BUF_LEN);
390 continue;
391
392 case 'u': /* --usercert */
393 usercertfile = optarg;
394 continue;
395
396 case 'g': /* --groups */
397 groups = optarg;
398 continue;
399
400 case 'D': /* --days */
401 if (optarg == NULL || !isdigit(optarg[0]))
402 {
403 usage("missing number of days");
404 goto end;
405 }
406 else
407 {
408 char *endptr;
409 long days = strtol(optarg, &endptr, 0);
410
411 if (*endptr != '\0' || endptr == optarg || days <= 0)
412 {
413 usage("<days> must be a positive number");
414 goto end;
415 }
416 validity += 24*3600*days;
417 }
418 continue;
419
420 case 'H': /* --hours */
421 if (optarg == NULL || !isdigit(optarg[0]))
422 {
423 usage("missing number of hours");
424 goto end;
425 }
426 else
427 {
428 char *endptr;
429 long hours = strtol(optarg, &endptr, 0);
430
431 if (*endptr != '\0' || endptr == optarg || hours <= 0)
432 {
433 usage("<hours> must be a positive number");
434 goto end;
435 }
436 validity += 3600*hours;
437 }
438 continue;
439
440 case 'S': /* --startdate */
441 if (optarg == NULL || strlen(optarg) != 15 || optarg[14] != 'Z')
442 {
443 usage("date format must be YYYYMMDDHHMMSSZ");
444 goto end;
445 }
446 else
447 {
448 chunk_t date = { optarg, 15 };
449
450 notBefore = asn1_to_time(&date, ASN1_GENERALIZEDTIME);
451 }
452 continue;
453
454 case 'E': /* --enddate */
455 if (optarg == NULL || strlen(optarg) != 15 || optarg[14] != 'Z')
456 {
457 usage("date format must be YYYYMMDDHHMMSSZ");
458 goto end;
459 }
460 else
461 {
462 chunk_t date = { optarg, 15 };
463 notAfter = asn1_to_time(&date, ASN1_GENERALIZEDTIME);
464 }
465 continue;
466
467 case 'o': /* --out */
468 outfile = optarg;
469 continue;
470
471 case 'd': /* --debug */
472 debug_level = atoi(optarg);
473 continue;
474
475 default:
476 usage("");
477 status = 0;
478 goto end;
479 }
480 /* break from loop */
481 break;
482 }
483
484 if (optind != argc)
485 {
486 usage("unexpected argument");
487 goto end;
488 }
489
490 DBG1("starting openac (strongSwan Version %s)", VERSION);
491
492 /* load the signer's RSA private key */
493 if (keyfile != NULL)
494 {
495 signerKey = private_key_create_from_file(keyfile, &passphrase);
496
497 if (signerKey == NULL)
498 {
499 goto end;
500 }
501 }
502
503 /* load the signer's X.509 certificate */
504 if (certfile != NULL)
505 {
506 signerCert = lib->creds->create(lib->creds,
507 CRED_CERTIFICATE, CERT_X509,
508 BUILD_FROM_FILE, certfile,
509 BUILD_X509_FLAG, 0,
510 BUILD_END);
511 if (signerCert == NULL)
512 {
513 goto end;
514 }
515 }
516
517 /* load the users's X.509 certificate */
518 if (usercertfile != NULL)
519 {
520 userCert = lib->creds->create(lib->creds,
521 CRED_CERTIFICATE, CERT_X509,
522 BUILD_FROM_FILE, usercertfile,
523 BUILD_X509_FLAG, 0,
524 BUILD_END);
525 if (userCert == NULL)
526 {
527 goto end;
528 }
529 }
530
531 /* compute validity interval */
532 validity = (validity)? validity : DEFAULT_VALIDITY;
533 notBefore = (notBefore == UNDEFINED_TIME) ? time(NULL) : notBefore;
534 notAfter = (notAfter == UNDEFINED_TIME) ? time(NULL) + validity : notAfter;
535
536 /* build and parse attribute certificate */
537 if (userCert != NULL && signerCert != NULL && signerKey != NULL)
538 {
539 /* read the serial number and increment it by one */
540 serial = read_serial();
541
542 attr_cert = lib->creds->create(lib->creds,
543 CRED_CERTIFICATE, CERT_X509_AC,
544 BUILD_CERT, userCert,
545 BUILD_NOT_BEFORE_TIME, notBefore,
546 BUILD_NOT_AFTER_TIME, notAfter,
547 BUILD_SERIAL, serial,
548 BUILD_IETF_GROUP_ATTR, groups,
549 BUILD_SIGNING_CERT, signerCert,
550 BUILD_SIGNING_KEY, signerKey,
551 BUILD_END);
552 if (!attr_cert)
553 {
554 goto end;
555 }
556
557 /* write the attribute certificate to file */
558 attr_chunk = attr_cert->get_encoding(attr_cert);
559 if (chunk_write(attr_chunk, outfile, "attribute cert", 0022, TRUE))
560 {
561 write_serial(serial);
562 status = 0;
563 }
564 }
565 else
566 {
567 usage("some of the mandatory parameters --usercert --cert --key "
568 "are missing");
569 }
570
571 end:
572 /* delete all dynamically allocated objects */
573 DESTROY_IF(signerKey);
574 DESTROY_IF(signerCert);
575 DESTROY_IF(userCert);
576 DESTROY_IF(attr_cert);
577 free(attr_chunk.ptr);
578 free(serial.ptr);
579 closelog();
580 dbg = dbg_default;
581 options->destroy(options);
582 library_deinit();
583 exit(status);
584 }