the option has been changed to --outform
[strongswan.git] / src / openac / openac.c
1 /**
2 * @file openac.c
3 *
4 * @brief Generation of X.509 attribute certificates.
5 *
6 */
7
8 /*
9 * Copyright (C) 2002 Ueli Galizzi, Ariane Seiler
10 * Copyright (C) 2004,2007 Andreas Steffen
11 * Hochschule fuer Technik Rapperswil, Switzerland
12 *
13 * This program is free software; you can redistribute it and/or modify it
14 * under the terms of the GNU General Public License as published by the
15 * Free Software Foundation; either version 2 of the License, or (at your
16 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
17 *
18 * This program is distributed in the hope that it will be useful, but
19 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
20 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
21 * for more details.
22 */
23
24 #include <stdio.h>
25 #include <stdlib.h>
26 #include <string.h>
27 #include <syslog.h>
28 #include <unistd.h>
29 #include <getopt.h>
30 #include <ctype.h>
31 #include <time.h>
32
33 #include <library.h>
34 #include <debug.h>
35 #include <asn1/asn1.h>
36 #include <credentials/certificates/x509.h>
37 #include <credentials/certificates/ac.h>
38 #include <credentials/keys/private_key.h>
39 #include <utils/optionsfrom.h>
40
41 #define OPENAC_PATH IPSEC_CONFDIR "/openac"
42 #define OPENAC_SERIAL IPSEC_CONFDIR "/openac/serial"
43
44 #define DEFAULT_VALIDITY 24*3600 /* seconds */
45
46 /**
47 * @brief prints the usage of the program to the stderr
48 */
49 static void usage(const char *message)
50 {
51 if (message != NULL && *message != '\0')
52 {
53 fprintf(stderr, "%s\n", message);
54 }
55 fprintf(stderr, "Usage: openac"
56 " [--help]"
57 " [--version]"
58 " [--optionsfrom <filename>]"
59 " [--quiet]"
60 " \\\n\t"
61 " [--debug <level 0..4>]"
62 " \\\n\t"
63 " [--days <days>]"
64 " [--hours <hours>]"
65 " \\\n\t"
66 " [--startdate <YYYYMMDDHHMMSSZ>]"
67 " [--enddate <YYYYMMDDHHMMSSZ>]"
68 " \\\n\t"
69 " --cert <certfile>"
70 " --key <keyfile>"
71 " [--password <password>]"
72 " \\\n\t"
73 " --usercert <certfile>"
74 " --groups <attr1,attr2,..>"
75 " --out <filename>"
76 "\n"
77 );
78 }
79
80 /**
81 * read the last serial number from file
82 */
83 static chunk_t read_serial(void)
84 {
85 chunk_t hex, serial = chunk_empty;
86 char one[] = {0x01};
87 FILE *fd;
88
89 fd = fopen(OPENAC_SERIAL, "r");
90 if (fd)
91 {
92 hex = chunk_alloca(64);
93 hex.len = fread(hex.ptr, 1, hex.len, fd);
94 if (hex.len)
95 {
96 serial = chunk_alloca((hex.len / 2) + (hex.len % 2));
97 serial = chunk_from_hex(hex, serial.ptr);
98 }
99 fclose(fd);
100 }
101 else
102 {
103 DBG1(" file '%s' does not exist yet - serial number set to 01", OPENAC_SERIAL);
104 }
105 if (!serial.len)
106 {
107 return chunk_clone(chunk_create(one, 1));
108 }
109 if (chunk_increment(serial))
110 { /* overflow, prepend 0x01 */
111 return chunk_cat("cc", chunk_create(one, 1), serial);
112 }
113 return chunk_clone(serial);
114 }
115
116 /**
117 * write back the last serial number to file
118 */
119 static void write_serial(chunk_t serial)
120 {
121 FILE *fd = fopen(OPENAC_SERIAL, "w");
122
123 if (fd)
124 {
125 chunk_t hex_serial;
126
127 DBG1(" serial number is %#B", &serial);
128 hex_serial = chunk_to_hex(serial, NULL, FALSE);
129 fprintf(fd, "%.*s\n", hex_serial.len, hex_serial.ptr);
130 fclose(fd);
131 free(hex_serial.ptr);
132 }
133 else
134 {
135 DBG1(" could not open file '%s' for writing", OPENAC_SERIAL);
136 }
137 }
138
139 /**
140 * global variables accessible by both main() and build.c
141 */
142
143 static int debug_level = 1;
144 static bool stderr_quiet = FALSE;
145
146 /**
147 * openac dbg function
148 */
149 static void openac_dbg(int level, char *fmt, ...)
150 {
151 int priority = LOG_INFO;
152 char buffer[8192];
153 char *current = buffer, *next;
154 va_list args;
155
156 if (level <= debug_level)
157 {
158 if (!stderr_quiet)
159 {
160 va_start(args, fmt);
161 vfprintf(stderr, fmt, args);
162 fprintf(stderr, "\n");
163 va_end(args);
164 }
165
166 /* write in memory buffer first */
167 va_start(args, fmt);
168 vsnprintf(buffer, sizeof(buffer), fmt, args);
169 va_end(args);
170
171 /* do a syslog with every line */
172 while (current)
173 {
174 next = strchr(current, '\n');
175 if (next)
176 {
177 *(next++) = '\0';
178 }
179 syslog(priority, "%s\n", current);
180 current = next;
181 }
182 }
183 }
184
185 /**
186 * @brief openac main program
187 *
188 * @param argc number of arguments
189 * @param argv pointer to the argument values
190 */
191 int main(int argc, char **argv)
192 {
193 certificate_t *attr_cert = NULL;
194 certificate_t *userCert = NULL;
195 certificate_t *signerCert = NULL;
196 private_key_t *signerKey = NULL;
197
198 time_t notBefore = UNDEFINED_TIME;
199 time_t notAfter = UNDEFINED_TIME;
200 time_t validity = 0;
201
202 char *keyfile = NULL;
203 char *certfile = NULL;
204 char *usercertfile = NULL;
205 char *outfile = NULL;
206 char *groups = "";
207 char buf[BUF_LEN];
208
209 chunk_t passphrase = { buf, 0 };
210 chunk_t serial = chunk_empty;
211 chunk_t attr_chunk = chunk_empty;
212
213 int status = 1;
214
215 /* enable openac debugging hook */
216 dbg = openac_dbg;
217
218 passphrase.ptr[0] = '\0';
219
220 openlog("openac", 0, LOG_AUTHPRIV);
221
222 /* initialize library */
223 if (!library_init(STRONGSWAN_CONF))
224 {
225 library_deinit();
226 exit(SS_RC_LIBSTRONGSWAN_INTEGRITY);
227 }
228 if (lib->integrity &&
229 !lib->integrity->check_file(lib->integrity, "openac", argv[0]))
230 {
231 fprintf(stderr, "integrity check of openac failed\n");
232 library_deinit();
233 exit(SS_RC_DAEMON_INTEGRITY);
234 }
235 lib->plugins->load(lib->plugins, IPSEC_PLUGINDIR,
236 lib->settings->get_str(lib->settings, "openac.load", PLUGINS));
237
238 /* initialize optionsfrom */
239 options_t *options = options_create();
240
241 /* handle arguments */
242 for (;;)
243 {
244 static const struct option long_opts[] = {
245 /* name, has_arg, flag, val */
246 { "help", no_argument, NULL, 'h' },
247 { "version", no_argument, NULL, 'v' },
248 { "optionsfrom", required_argument, NULL, '+' },
249 { "quiet", no_argument, NULL, 'q' },
250 { "cert", required_argument, NULL, 'c' },
251 { "key", required_argument, NULL, 'k' },
252 { "password", required_argument, NULL, 'p' },
253 { "usercert", required_argument, NULL, 'u' },
254 { "groups", required_argument, NULL, 'g' },
255 { "days", required_argument, NULL, 'D' },
256 { "hours", required_argument, NULL, 'H' },
257 { "startdate", required_argument, NULL, 'S' },
258 { "enddate", required_argument, NULL, 'E' },
259 { "out", required_argument, NULL, 'o' },
260 { "debug", required_argument, NULL, 'd' },
261 { 0,0,0,0 }
262 };
263
264 int c = getopt_long(argc, argv, "hv+:qc:k:p;u:g:D:H:S:E:o:d:", long_opts, NULL);
265
266 /* Note: "breaking" from case terminates loop */
267 switch (c)
268 {
269 case EOF: /* end of flags */
270 break;
271
272 case 0: /* long option already handled */
273 continue;
274
275 case ':': /* diagnostic already printed by getopt_long */
276 case '?': /* diagnostic already printed by getopt_long */
277 case 'h': /* --help */
278 usage(NULL);
279 status = 1;
280 goto end;
281
282 case 'v': /* --version */
283 printf("openac (strongSwan %s)\n", VERSION);
284 status = 0;
285 goto end;
286
287 case '+': /* --optionsfrom <filename> */
288 {
289 char path[BUF_LEN];
290
291 if (*optarg == '/') /* absolute pathname */
292 {
293 strncpy(path, optarg, BUF_LEN);
294 }
295 else /* relative pathname */
296 {
297 snprintf(path, BUF_LEN, "%s/%s", OPENAC_PATH, optarg);
298 }
299 if (!options->from(options, path, &argc, &argv, optind))
300 {
301 status = 1;
302 goto end;
303 }
304 }
305 continue;
306
307 case 'q': /* --quiet */
308 stderr_quiet = TRUE;
309 continue;
310
311 case 'c': /* --cert */
312 certfile = optarg;
313 continue;
314
315 case 'k': /* --key */
316 keyfile = optarg;
317 continue;
318
319 case 'p': /* --key */
320 if (strlen(optarg) > BUF_LEN)
321 {
322 usage("passphrase too long");
323 goto end;
324 }
325 strncpy(passphrase.ptr, optarg, BUF_LEN);
326 passphrase.len = min(strlen(optarg), BUF_LEN);
327 continue;
328
329 case 'u': /* --usercert */
330 usercertfile = optarg;
331 continue;
332
333 case 'g': /* --groups */
334 groups = optarg;
335 continue;
336
337 case 'D': /* --days */
338 if (optarg == NULL || !isdigit(optarg[0]))
339 {
340 usage("missing number of days");
341 goto end;
342 }
343 else
344 {
345 char *endptr;
346 long days = strtol(optarg, &endptr, 0);
347
348 if (*endptr != '\0' || endptr == optarg || days <= 0)
349 {
350 usage("<days> must be a positive number");
351 goto end;
352 }
353 validity += 24*3600*days;
354 }
355 continue;
356
357 case 'H': /* --hours */
358 if (optarg == NULL || !isdigit(optarg[0]))
359 {
360 usage("missing number of hours");
361 goto end;
362 }
363 else
364 {
365 char *endptr;
366 long hours = strtol(optarg, &endptr, 0);
367
368 if (*endptr != '\0' || endptr == optarg || hours <= 0)
369 {
370 usage("<hours> must be a positive number");
371 goto end;
372 }
373 validity += 3600*hours;
374 }
375 continue;
376
377 case 'S': /* --startdate */
378 if (optarg == NULL || strlen(optarg) != 15 || optarg[14] != 'Z')
379 {
380 usage("date format must be YYYYMMDDHHMMSSZ");
381 goto end;
382 }
383 else
384 {
385 chunk_t date = { optarg, 15 };
386
387 notBefore = asn1_to_time(&date, ASN1_GENERALIZEDTIME);
388 }
389 continue;
390
391 case 'E': /* --enddate */
392 if (optarg == NULL || strlen(optarg) != 15 || optarg[14] != 'Z')
393 {
394 usage("date format must be YYYYMMDDHHMMSSZ");
395 goto end;
396 }
397 else
398 {
399 chunk_t date = { optarg, 15 };
400 notAfter = asn1_to_time(&date, ASN1_GENERALIZEDTIME);
401 }
402 continue;
403
404 case 'o': /* --out */
405 outfile = optarg;
406 continue;
407
408 case 'd': /* --debug */
409 debug_level = atoi(optarg);
410 continue;
411
412 default:
413 usage("");
414 status = 0;
415 goto end;
416 }
417 /* break from loop */
418 break;
419 }
420
421 if (optind != argc)
422 {
423 usage("unexpected argument");
424 goto end;
425 }
426
427 DBG1("starting openac (strongSwan Version %s)", VERSION);
428
429 /* load the signer's RSA private key */
430 if (keyfile != NULL)
431 {
432 signerKey = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
433 BUILD_FROM_FILE, keyfile,
434 BUILD_PASSPHRASE, passphrase,
435 BUILD_END);
436 if (signerKey == NULL)
437 {
438 goto end;
439 }
440 DBG1(" loaded private key file '%s'", keyfile);
441 }
442
443 /* load the signer's X.509 certificate */
444 if (certfile != NULL)
445 {
446 signerCert = lib->creds->create(lib->creds,
447 CRED_CERTIFICATE, CERT_X509,
448 BUILD_FROM_FILE, certfile,
449 BUILD_X509_FLAG, 0,
450 BUILD_END);
451 if (signerCert == NULL)
452 {
453 goto end;
454 }
455 }
456
457 /* load the users's X.509 certificate */
458 if (usercertfile != NULL)
459 {
460 userCert = lib->creds->create(lib->creds,
461 CRED_CERTIFICATE, CERT_X509,
462 BUILD_FROM_FILE, usercertfile,
463 BUILD_X509_FLAG, 0,
464 BUILD_END);
465 if (userCert == NULL)
466 {
467 goto end;
468 }
469 }
470
471 /* compute validity interval */
472 validity = (validity)? validity : DEFAULT_VALIDITY;
473 notBefore = (notBefore == UNDEFINED_TIME) ? time(NULL) : notBefore;
474 notAfter = (notAfter == UNDEFINED_TIME) ? time(NULL) + validity : notAfter;
475
476 /* build and parse attribute certificate */
477 if (userCert != NULL && signerCert != NULL && signerKey != NULL)
478 {
479 /* read the serial number and increment it by one */
480 serial = read_serial();
481
482 attr_cert = lib->creds->create(lib->creds,
483 CRED_CERTIFICATE, CERT_X509_AC,
484 BUILD_CERT, userCert,
485 BUILD_NOT_BEFORE_TIME, notBefore,
486 BUILD_NOT_AFTER_TIME, notAfter,
487 BUILD_SERIAL, serial,
488 BUILD_IETF_GROUP_ATTR, groups,
489 BUILD_SIGNING_CERT, signerCert,
490 BUILD_SIGNING_KEY, signerKey,
491 BUILD_END);
492 if (!attr_cert)
493 {
494 goto end;
495 }
496
497 /* write the attribute certificate to file */
498 attr_chunk = attr_cert->get_encoding(attr_cert);
499 if (chunk_write(attr_chunk, outfile, "attribute cert", 0022, TRUE))
500 {
501 write_serial(serial);
502 status = 0;
503 }
504 }
505 else
506 {
507 usage("some of the mandatory parameters --usercert --cert --key "
508 "are missing");
509 }
510
511 end:
512 /* delete all dynamically allocated objects */
513 DESTROY_IF(signerKey);
514 DESTROY_IF(signerCert);
515 DESTROY_IF(userCert);
516 DESTROY_IF(attr_cert);
517 free(attr_chunk.ptr);
518 free(serial.ptr);
519 closelog();
520 dbg = dbg_default;
521 options->destroy(options);
522 library_deinit();
523 exit(status);
524 }