corrected brief
[strongswan.git] / src / openac / openac.c
1 /**
2 * @file openac.c
3 *
4 * @brief Generation of X.509 attribute certificates.
5 *
6 */
7
8 /*
9 * Copyright (C) 2002 Ueli Galizzi, Ariane Seiler
10 * Copyright (C) 2004,2007 Andreas Steffen
11 * Hochschule fuer Technik Rapperswil, Switzerland
12 *
13 * This program is free software; you can redistribute it and/or modify it
14 * under the terms of the GNU General Public License as published by the
15 * Free Software Foundation; either version 2 of the License, or (at your
16 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
17 *
18 * This program is distributed in the hope that it will be useful, but
19 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
20 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
21 * for more details.
22 *
23 * RCSID $Id$
24 */
25
26 #include <stdio.h>
27 #include <stdlib.h>
28 #include <string.h>
29 #include <syslog.h>
30 #include <unistd.h>
31 #include <getopt.h>
32 #include <ctype.h>
33 #include <time.h>
34 #include <gmp.h>
35
36 #include <debug.h>
37 #include <asn1/asn1.h>
38 #include <asn1/ttodata.h>
39 #include <crypto/ac.h>
40 #include <crypto/ietf_attr_list.h>
41 #include <utils/optionsfrom.h>
42
43 #ifdef INTEGRITY_TEST
44 #include <fips/fips.h>
45 #include <fips_signature.h>
46 #endif /* INTEGRITY_TEST */
47
48 #include "build.h"
49
50 #define OPENAC_PATH IPSEC_CONFDIR "/openac"
51 #define OPENAC_SERIAL IPSEC_CONFDIR "/openac/serial"
52
53 /**
54 * @brief prints the usage of the program to the stderr
55 */
56 static void usage(const char *message)
57 {
58 if (message != NULL && *message != '\0')
59 {
60 fprintf(stderr, "%s\n", message);
61 }
62 fprintf(stderr, "Usage: openac"
63 " [--help]"
64 " [--version]"
65 " [--optionsfrom <filename>]"
66 " [--quiet]"
67 " \\\n\t"
68 " [--debug <level 0..4>]"
69 " \\\n\t"
70 " [--days <days>]"
71 " [--hours <hours>]"
72 " \\\n\t"
73 " [--startdate <YYYYMMDDHHMMSSZ>]"
74 " [--enddate <YYYYMMDDHHMMSSZ>]"
75 " \\\n\t"
76 " --cert <certfile>"
77 " --key <keyfile>"
78 " [--password <password>]"
79 " \\\n\t"
80 " --usercert <certfile>"
81 " --groups <attr1,attr2,..>"
82 " --out <filename>"
83 "\n"
84 );
85 }
86
87
88 /**
89 * convert a chunk into a multi-precision integer
90 */
91 static void chunk_to_mpz(chunk_t chunk, mpz_t number)
92 {
93 mpz_import(number, chunk.len, 1, 1, 1, 0, chunk.ptr);
94 }
95
96 /**
97 * convert a multi-precision integer into a chunk
98 */
99 static chunk_t mpz_to_chunk(mpz_t number)
100 {
101 chunk_t chunk;
102
103 chunk.len = 1 + mpz_sizeinbase(number, 2)/BITS_PER_BYTE;
104 chunk.ptr = mpz_export(NULL, NULL, 1, chunk.len, 1, 0, number);
105 return chunk;
106 }
107
108 /**
109 * read the last serial number from file
110 */
111 static chunk_t read_serial(void)
112 {
113 mpz_t number;
114
115 char buf[BUF_LEN], buf1[BUF_LEN];
116 chunk_t last_serial = { buf1, BUF_LEN};
117 chunk_t serial;
118
119 FILE *fd = fopen(OPENAC_SERIAL, "r");
120
121 /* last serial number defaults to 0 */
122 *last_serial.ptr = 0x00;
123 last_serial.len = 1;
124
125 if (fd)
126 {
127 if (fscanf(fd, "%s", buf))
128 {
129 err_t ugh = ttodata(buf, 0, 16, last_serial.ptr, BUF_LEN, &last_serial.len);
130
131 if (ugh != NULL)
132 {
133 DBG1(" error reading serial number from %s: %s",
134 OPENAC_SERIAL, ugh);
135 }
136 }
137 fclose(fd);
138 }
139 else
140 {
141 DBG1(" file '%s' does not exist yet - serial number set to 01", OPENAC_SERIAL);
142 }
143
144 /**
145 * conversion of read serial number to a multiprecision integer
146 * and incrementing it by one
147 * and representing it as a two's complement octet string
148 */
149 mpz_init(number);
150 chunk_to_mpz(last_serial, number);
151 mpz_add_ui(number, number, 0x01);
152 serial = mpz_to_chunk(number);
153 mpz_clear(number);
154
155 return serial;
156 }
157
158 /**
159 * write back the last serial number to file
160 */
161 static void write_serial(chunk_t serial)
162 {
163 FILE *fd = fopen(OPENAC_SERIAL, "w");
164
165 if (fd)
166 {
167 DBG1(" serial number is %#B", &serial);
168 fprintf(fd, "%#B\n", &serial);
169 fclose(fd);
170 }
171 else
172 {
173 DBG1(" could not open file '%s' for writing", OPENAC_SERIAL);
174 }
175 }
176
177 /**
178 * global variables accessible by both main() and build.c
179 */
180 x509_t *usercert = NULL;
181 x509_t *signercert = NULL;
182
183 linked_list_t *groups = NULL;
184 rsa_private_key_t *signerkey = NULL;
185
186 time_t notBefore = UNDEFINED_TIME;
187 time_t notAfter = UNDEFINED_TIME;
188
189 chunk_t serial;
190
191 static int debug_level = 1;
192 static bool stderr_quiet = FALSE;
193
194 /**
195 * openac dbg function
196 */
197 static void openac_dbg(int level, char *fmt, ...)
198 {
199 int priority = LOG_INFO;
200 va_list args;
201
202 if (level <= debug_level)
203 {
204 va_start(args, fmt);
205 if (!stderr_quiet)
206 {
207 vfprintf(stderr, fmt, args);
208 fprintf(stderr, "\n");
209 }
210 vsyslog(priority, fmt, args);
211 va_end(args);
212 }
213 }
214
215 /**
216 * @brief openac main program
217 *
218 * @param argc number of arguments
219 * @param argv pointer to the argument values
220 */
221 int main(int argc, char **argv)
222 {
223 char *keyfile = NULL;
224 char *certfile = NULL;
225 char *usercertfile = NULL;
226 char *outfile = NULL;
227 char buf[BUF_LEN];
228
229 chunk_t passphrase = { buf, 0 };
230 chunk_t attr_cert = chunk_empty;
231 x509ac_t *ac = NULL;
232
233 const time_t default_validity = 24*3600; /* 24 hours */
234 time_t validity = 0;
235 int status = 1;
236
237 /* enable openac debugging hook */
238 dbg = openac_dbg;
239
240 passphrase.ptr[0] = '\0';
241 groups = linked_list_create();
242
243 openlog("openac", 0, LOG_AUTHPRIV);
244
245 /* handle arguments */
246 for (;;)
247 {
248 static const struct option long_opts[] = {
249 /* name, has_arg, flag, val */
250 { "help", no_argument, NULL, 'h' },
251 { "version", no_argument, NULL, 'v' },
252 { "optionsfrom", required_argument, NULL, '+' },
253 { "quiet", no_argument, NULL, 'q' },
254 { "cert", required_argument, NULL, 'c' },
255 { "key", required_argument, NULL, 'k' },
256 { "password", required_argument, NULL, 'p' },
257 { "usercert", required_argument, NULL, 'u' },
258 { "groups", required_argument, NULL, 'g' },
259 { "days", required_argument, NULL, 'D' },
260 { "hours", required_argument, NULL, 'H' },
261 { "startdate", required_argument, NULL, 'S' },
262 { "enddate", required_argument, NULL, 'E' },
263 { "out", required_argument, NULL, 'o' },
264 { "debug", required_argument, NULL, 'd' },
265 { 0,0,0,0 }
266 };
267
268 int c = getopt_long(argc, argv, "hv+:qc:k:p;u:g:D:H:S:E:o:d:", long_opts, NULL);
269
270 /* Note: "breaking" from case terminates loop */
271 switch (c)
272 {
273 case EOF: /* end of flags */
274 break;
275
276 case 0: /* long option already handled */
277 continue;
278
279 case ':': /* diagnostic already printed by getopt_long */
280 case '?': /* diagnostic already printed by getopt_long */
281 case 'h': /* --help */
282 usage(NULL);
283 status = 1;
284 goto end;
285
286 case 'v': /* --version */
287 printf("openac (strongSwan %s)\n", VERSION);
288 status = 0;
289 goto end;
290
291 case '+': /* --optionsfrom <filename> */
292 {
293 char path[BUF_LEN];
294
295 if (*optarg == '/') /* absolute pathname */
296 {
297 strncpy(path, optarg, BUF_LEN);
298 }
299 else /* relative pathname */
300 {
301 snprintf(path, BUF_LEN, "%s/%s", OPENAC_PATH, optarg);
302 }
303 if (!optionsfrom(path, &argc, &argv, optind))
304 {
305 status = 1;
306 goto end;
307 }
308 }
309 continue;
310
311 case 'q': /* --quiet */
312 stderr_quiet = TRUE;
313 continue;
314
315 case 'c': /* --cert */
316 certfile = optarg;
317 continue;
318
319 case 'k': /* --key */
320 keyfile = optarg;
321 continue;
322
323 case 'p': /* --key */
324 if (strlen(optarg) > BUF_LEN)
325 {
326 usage("passphrase too long");
327 goto end;
328 }
329 strncpy(passphrase.ptr, optarg, BUF_LEN);
330 passphrase.len = min(strlen(optarg), BUF_LEN);
331 continue;
332
333 case 'u': /* --usercert */
334 usercertfile = optarg;
335 continue;
336
337 case 'g': /* --groups */
338 ietfAttr_list_create_from_string(optarg, groups);
339 continue;
340
341 case 'D': /* --days */
342 if (optarg == NULL || !isdigit(optarg[0]))
343 {
344 usage("missing number of days");
345 goto end;
346 }
347 else
348 {
349 char *endptr;
350 long days = strtol(optarg, &endptr, 0);
351
352 if (*endptr != '\0' || endptr == optarg || days <= 0)
353 {
354 usage("<days> must be a positive number");
355 goto end;
356 }
357 validity += 24*3600*days;
358 }
359 continue;
360
361 case 'H': /* --hours */
362 if (optarg == NULL || !isdigit(optarg[0]))
363 {
364 usage("missing number of hours");
365 goto end;
366 }
367 else
368 {
369 char *endptr;
370 long hours = strtol(optarg, &endptr, 0);
371
372 if (*endptr != '\0' || endptr == optarg || hours <= 0)
373 {
374 usage("<hours> must be a positive number");
375 goto end;
376 }
377 validity += 3600*hours;
378 }
379 continue;
380
381 case 'S': /* --startdate */
382 if (optarg == NULL || strlen(optarg) != 15 || optarg[14] != 'Z')
383 {
384 usage("date format must be YYYYMMDDHHMMSSZ");
385 goto end;
386 }
387 else
388 {
389 chunk_t date = { optarg, 15 };
390
391 notBefore = asn1totime(&date, ASN1_GENERALIZEDTIME);
392 }
393 continue;
394
395 case 'E': /* --enddate */
396 if (optarg == NULL || strlen(optarg) != 15 || optarg[14] != 'Z')
397 {
398 usage("date format must be YYYYMMDDHHMMSSZ");
399 goto end;
400 }
401 else
402 {
403 chunk_t date = { optarg, 15 };
404 notAfter = asn1totime(&date, ASN1_GENERALIZEDTIME);
405 }
406 continue;
407
408 case 'o': /* --out */
409 outfile = optarg;
410 continue;
411
412 case 'd': /* --debug */
413 debug_level = atoi(optarg);
414 continue;
415
416 default:
417 usage("");
418 status = 0;
419 goto end;
420 }
421 /* break from loop */
422 break;
423 }
424
425 if (optind != argc)
426 {
427 usage("unexpected argument");
428 goto end;
429 }
430
431 DBG1("starting openac (strongSwan Version %s)", VERSION);
432
433 #ifdef INTEGRITY_TEST
434 DBG1("integrity test of libstrongswan code");
435 if (fips_verify_hmac_signature(hmac_key, hmac_signature))
436 {
437 DBG1(" integrity test passed");
438 }
439 else
440 {
441 DBG1(" integrity test failed");
442 status = 3;
443 goto end;
444 }
445 #endif /* INTEGRITY_TEST */
446
447 /* load the signer's RSA private key */
448 if (keyfile != NULL)
449 {
450 signerkey = rsa_private_key_create_from_file(keyfile, &passphrase);
451
452 if (signerkey == NULL)
453 {
454 goto end;
455 }
456 }
457
458 /* load the signer's X.509 certificate */
459 if (certfile != NULL)
460 {
461 signercert = x509_create_from_file(certfile, "signer cert");
462
463 if (signercert == NULL)
464 {
465 goto end;
466 }
467 }
468
469 /* load the users's X.509 certificate */
470 if (usercertfile != NULL)
471 {
472 usercert = x509_create_from_file(usercertfile, "user cert");
473
474 if (usercert == NULL)
475 {
476 goto end;
477 }
478 }
479
480 /* compute validity interval */
481 validity = (validity)? validity : default_validity;
482 notBefore = (notBefore == UNDEFINED_TIME) ? time(NULL) : notBefore;
483 notAfter = (notAfter == UNDEFINED_TIME) ? time(NULL) + validity : notAfter;
484
485 /* build and parse attribute certificate */
486 if (usercert != NULL && signercert != NULL && signerkey != NULL)
487 {
488 /* read the serial number and increment it by one */
489 serial = read_serial();
490
491 attr_cert = build_attr_cert();
492 ac = x509ac_create_from_chunk(attr_cert);
493
494 /* write the attribute certificate to file */
495 if (chunk_write(attr_cert, outfile, "attribute cert", 0022, TRUE))
496 {
497 write_serial(serial);
498 status = 0;
499 }
500 }
501
502 end:
503 /* delete all dynamically allocated objects */
504 DESTROY_IF(signerkey);
505 DESTROY_IF(signercert);
506 DESTROY_IF(usercert);
507 DESTROY_IF(ac);
508 ietfAttr_list_destroy(groups);
509 free(serial.ptr);
510 closelog();
511 dbg = dbg_default;
512 exit(status);
513 }