projects / strongswan.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
pki: Use SHA-256 as default for signatures
[strongswan.git] / src / pki / commands / acert.c
1 /*
2 * Copyright (C) 2009 Martin Willi
3 * Copyright (C) 2015 Andreas Steffen
4 * HSR Hochschule fuer Technik Rapperswil
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details.
15 */
16
17 #include <time.h>
18 #include <errno.h>
19
20 #include "pki.h"
21
22 #include <utils/debug.h>
23 #include <asn1/asn1.h>
24 #include <collections/linked_list.h>
25 #include <credentials/certificates/certificate.h>
26 #include <credentials/certificates/x509.h>
27 #include <credentials/certificates/ac.h>
28
29 /**
30 * Issue an attribute certificate
31 */
32 static int acert()
33 {
34 cred_encoding_type_t form = CERT_ASN1_DER;
35 hash_algorithm_t digest = HASH_SHA256;
36 certificate_t *ac = NULL, *cert = NULL, *issuer =NULL;
37 private_key_t *private = NULL;
38 public_key_t *public = NULL;
39 char *file = NULL, *hex = NULL, *issuercert = NULL, *issuerkey = NULL;
40 char *error = NULL, *keyid = NULL;
41 linked_list_t *groups;
42 chunk_t serial = chunk_empty, encoding = chunk_empty;
43 time_t not_before, not_after, lifetime = 24 * 60 * 60;
44 char *datenb = NULL, *datena = NULL, *dateform = NULL;
45 rng_t *rng;
46 char *arg;
47
48 groups = linked_list_create();
49
50 while (TRUE)
51 {
52 switch (command_getopt(&arg))
53 {
54 case 'h':
55 goto usage;
56 case 'g':
57 if (!enum_from_name(hash_algorithm_short_names, arg, &digest))
58 {
59 error = "invalid --digest type";
60 goto usage;
61 }
62 continue;
63 case 'i':
64 file = arg;
65 continue;
66 case 'm':
67 groups->insert_last(groups, arg);
68 continue;
69 case 'c':
70 issuercert = arg;
71 continue;
72 case 'k':
73 issuerkey = arg;
74 continue;
75 case 'x':
76 keyid = arg;
77 continue;
78 case 'l':
79 lifetime = atoi(arg) * 60 * 60;
80 if (!lifetime)
81 {
82 error = "invalid --lifetime value";
83 goto usage;
84 }
85 continue;
86 case 'D':
87 dateform = arg;
88 continue;
89 case 'F':
90 datenb = arg;
91 continue;
92 case 'T':
93 datena = arg;
94 continue;
95 case 's':
96 hex = arg;
97 continue;
98 case 'f':
99 if (!get_form(arg, &form, CRED_CERTIFICATE))
100 {
101 error = "invalid output format";
102 goto usage;
103 }
104 continue;
105 case EOF:
106 break;
107 default:
108 error = "invalid --acert option";
109 goto usage;
110 }
111 break;
112 }
113
114 if (!calculate_lifetime(dateform, datenb, datena, lifetime,
115 &not_before, &not_after))
116 {
117 error = "invalid --not-before/after datetime";
118 goto usage;
119 }
120
121 if (!issuercert)
122 {
123 error = "--issuercert is required";
124 goto usage;
125 }
126 if (!issuerkey && !keyid)
127 {
128 error = "--issuerkey or --issuerkeyid is required";
129 goto usage;
130 }
131
132 issuer = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
133 BUILD_FROM_FILE, issuercert, BUILD_END);
134 if (!issuer)
135 {
136 error = "parsing issuer certificate failed";
137 goto end;
138 }
139 public = issuer->get_public_key(issuer);
140 if (!public)
141 {
142 error = "extracting issuer certificate public key failed";
143 goto end;
144 }
145 if (issuerkey)
146 {
147 private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY,
148 public->get_type(public),
149 BUILD_FROM_FILE, issuerkey, BUILD_END);
150 }
151 else
152 {
153 chunk_t chunk;
154
155 chunk = chunk_from_hex(chunk_create(keyid, strlen(keyid)), NULL);
156 private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_ANY,
157 BUILD_PKCS11_KEYID, chunk, BUILD_END);
158 free(chunk.ptr);
159 }
160 if (!private)
161 {
162 error = "loading issuer private key failed";
163 goto end;
164 }
165 if (!private->belongs_to(private, public))
166 {
167 error = "issuer private key does not match issuer certificate";
168 goto end;
169 }
170
171 if (hex)
172 {
173 serial = chunk_from_hex(chunk_create(hex, strlen(hex)), NULL);
174 }
175 else
176 {
177 rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
178 if (!rng)
179 {
180 error = "no random number generator found";
181 goto end;
182 }
183 if (!rng_allocate_bytes_not_zero(rng, 8, &serial, FALSE))
184 {
185 error = "failed to generate serial number";
186 rng->destroy(rng);
187 goto end;
188 }
189 serial.ptr[0] &= 0x7F;
190 rng->destroy(rng);
191 }
192
193 if (file)
194 {
195 cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
196 BUILD_FROM_FILE, file, BUILD_END);
197 }
198 else
199 {
200 set_file_mode(stdin, CERT_ASN1_DER);
201 if (!chunk_from_fd(0, &encoding))
202 {
203 fprintf(stderr, "%s: ", strerror(errno));
204 error = "reading public key failed";
205 goto end;
206 }
207 cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
208 BUILD_BLOB, encoding, BUILD_END);
209 chunk_free(&encoding);
210 }
211 if (!cert)
212 {
213 error = "parsing user certificate failed";
214 goto end;
215 }
216
217 ac = lib->creds->create(lib->creds,
218 CRED_CERTIFICATE, CERT_X509_AC,
219 BUILD_CERT, cert,
220 BUILD_NOT_BEFORE_TIME, not_before,
221 BUILD_NOT_AFTER_TIME, not_after,
222 BUILD_SERIAL, serial,
223 BUILD_AC_GROUP_STRINGS, groups,
224 BUILD_SIGNING_CERT, issuer,
225 BUILD_SIGNING_KEY, private,
226 BUILD_END);
227 if (!ac)
228 {
229 error = "generating attribute certificate failed";
230 goto end;
231 }
232 if (!ac->get_encoding(ac, form, &encoding))
233 {
234 error = "encoding attribute certificate failed";
235 goto end;
236 }
237 set_file_mode(stdout, form);
238 if (fwrite(encoding.ptr, encoding.len, 1, stdout) != 1)
239 {
240 error = "writing attribute certificate key failed";
241 goto end;
242 }
243
244 end:
245 DESTROY_IF(ac);
246 DESTROY_IF(cert);
247 DESTROY_IF(issuer);
248 DESTROY_IF(public);
249 DESTROY_IF(private);
250 groups->destroy(groups);
251 free(encoding.ptr);
252 free(serial.ptr);
253
254 if (error)
255 {
256 fprintf(stderr, "%s\n", error);
257 return 1;
258 }
259 return 0;
260
261 usage:
262 groups->destroy(groups);
263 return command_usage(error);
264 }
265
266 /**
267 * Register the command.
268 */
269 static void __attribute__ ((constructor))reg()
270 {
271 command_register((command_t) {
272 acert, 'z', "acert",
273 "issue an attribute certificate",
274 {"[--in file] [--group name]* --issuerkey file|--issuerkeyid hex",
275 " --issuercert file [--serial hex] [--lifetime hours]",
276 " [--not-before datetime] [--not-after datetime] [--dateform form]",
277 "[--digest md5|sha1|sha224|sha256|sha384|sha512] [--outform der|pem]"},
278 {
279 {"help", 'h', 0, "show usage information"},
280 {"in", 'i', 1, "holder certificate, default: stdin"},
281 {"group", 'm', 1, "group membership string to include"},
282 {"issuercert", 'c', 1, "issuer certificate file"},
283 {"issuerkey", 'k', 1, "issuer private key file"},
284 {"issuerkeyid", 'x', 1, "keyid on smartcard of issuer private key"},
285 {"serial", 's', 1, "serial number in hex, default: random"},
286 {"lifetime", 'l', 1, "hours the acert is valid, default: 24"},
287 {"not-before", 'F', 1, "date/time the validity of the AC starts"},
288 {"not-after", 'T', 1, "date/time the validity of the AC ends"},
289 {"dateform", 'D', 1, "strptime(3) input format, default: %d.%m.%y %T"},
290 {"digest", 'g', 1, "digest for signature creation, default: sha256"},
291 {"outform", 'f', 1, "encoding of generated cert, default: der"},
292 }
293 });
294 }
strongSwan - IPsec VPN