openac: Remove obsolete openac utility
authorMartin Willi <martin@revosec.ch>
Mon, 31 Mar 2014 09:30:51 +0000 (11:30 +0200)
committerMartin Willi <martin@revosec.ch>
Mon, 31 Mar 2014 09:39:25 +0000 (11:39 +0200)
The same functionality is now provided by the pki --acert subcommand.

conf/options/tools.opt
configure.ac
packages/strongswan/debian/strongswan-tools.install
src/Makefile.am
src/checksum/Makefile.am
src/ipsec/_ipsec.in
src/openac/.gitignore [deleted file]
src/openac/Makefile.am [deleted file]
src/openac/openac.8 [deleted file]
src/openac/openac.c [deleted file]

index 23e6a1c..72a49de 100644 (file)
@@ -1,6 +1,3 @@
-openac.load =
-       Plugins to load in ipsec openac tool.
-
 pki.load =
        Plugins to load in ipsec pki tool.
 
index bdcf397..e8eb5a6 100644 (file)
@@ -265,7 +265,7 @@ ARG_ENABL_SET([medsrv],         [enable mediation server web frontend and daemon
 ARG_ENABL_SET([nm],             [enable NetworkManager backend.])
 ARG_DISBL_SET([scripts],        [disable additional utilities (found in directory scripts).])
 ARG_ENABL_SET([tkm],            [enable Trusted Key Manager support.])
-ARG_DISBL_SET([tools],          [disable additional utilities (openac, scepclient and pki).])
+ARG_DISBL_SET([tools],          [disable additional utilities (scepclient and pki).])
 # optional features
 ARG_ENABL_SET([bfd-backtraces], [use binutils libbfd to resolve backtraces for memory leaks and segfaults.])
 ARG_DISBL_SET([ikev1],          [disable IKEv1 protocol support in charon.])
@@ -1053,7 +1053,6 @@ charon_plugins=
 starter_plugins=
 pool_plugins=
 attest_plugins=
-openac_plugins=
 scepclient_plugins=
 pki_plugins=
 scripts_plugins=
@@ -1069,7 +1068,7 @@ h_plugins=
 s_plugins=
 t_plugins=
 
-ADD_PLUGIN([test-vectors],         [s charon openac scepclient pki])
+ADD_PLUGIN([test-vectors],         [s charon scepclient pki])
 ADD_PLUGIN([curl],                 [s charon scepclient scripts nm cmd])
 ADD_PLUGIN([soup],                 [s charon scripts nm cmd])
 ADD_PLUGIN([unbound],              [s charon scripts])
@@ -1077,38 +1076,38 @@ ADD_PLUGIN([ldap],                 [s charon scepclient scripts nm cmd])
 ADD_PLUGIN([mysql],                [s charon pool manager medsrv attest])
 ADD_PLUGIN([sqlite],               [s charon pool manager medsrv attest])
 ADD_PLUGIN([pkcs11],               [s charon pki nm cmd])
-ADD_PLUGIN([aes],                  [s charon openac scepclient pki scripts nm cmd])
-ADD_PLUGIN([des],                  [s charon openac scepclient pki scripts nm cmd])
-ADD_PLUGIN([blowfish],             [s charon openac scepclient pki scripts nm cmd])
-ADD_PLUGIN([rc2],                  [s charon openac scepclient pki scripts nm cmd])
-ADD_PLUGIN([sha1],                 [s charon openac scepclient pki scripts medsrv attest nm cmd])
-ADD_PLUGIN([sha2],                 [s charon openac scepclient pki scripts medsrv attest nm cmd])
-ADD_PLUGIN([md4],                  [s charon openac manager scepclient pki nm cmd])
-ADD_PLUGIN([md5],                  [s charon openac scepclient pki scripts attest nm cmd])
-ADD_PLUGIN([rdrand],               [s charon openac scepclient pki scripts medsrv attest nm cmd])
-ADD_PLUGIN([random],               [s charon openac scepclient pki scripts medsrv attest nm cmd])
+ADD_PLUGIN([aes],                  [s charon scepclient pki scripts nm cmd])
+ADD_PLUGIN([des],                  [s charon scepclient pki scripts nm cmd])
+ADD_PLUGIN([blowfish],             [s charon scepclient pki scripts nm cmd])
+ADD_PLUGIN([rc2],                  [s charon scepclient pki scripts nm cmd])
+ADD_PLUGIN([sha1],                 [s charon scepclient pki scripts medsrv attest nm cmd])
+ADD_PLUGIN([sha2],                 [s charon scepclient pki scripts medsrv attest nm cmd])
+ADD_PLUGIN([md4],                  [s charon manager scepclient pki nm cmd])
+ADD_PLUGIN([md5],                  [s charon scepclient pki scripts attest nm cmd])
+ADD_PLUGIN([rdrand],               [s charon scepclient pki scripts medsrv attest nm cmd])
+ADD_PLUGIN([random],               [s charon scepclient pki scripts medsrv attest nm cmd])
 ADD_PLUGIN([nonce],                [s charon nm cmd])
-ADD_PLUGIN([x509],                 [s charon openac scepclient pki scripts attest nm cmd])
+ADD_PLUGIN([x509],                 [s charon scepclient pki scripts attest nm cmd])
 ADD_PLUGIN([revocation],           [s charon nm cmd])
 ADD_PLUGIN([constraints],          [s charon nm cmd])
 ADD_PLUGIN([acert],                [s charon])
 ADD_PLUGIN([pubkey],               [s charon cmd])
-ADD_PLUGIN([pkcs1],                [s charon openac scepclient pki scripts manager medsrv attest nm cmd])
+ADD_PLUGIN([pkcs1],                [s charon scepclient pki scripts manager medsrv attest nm cmd])
 ADD_PLUGIN([pkcs7],                [s charon scepclient pki scripts nm cmd])
-ADD_PLUGIN([pkcs8],                [s charon openac scepclient pki scripts manager medsrv attest nm cmd])
+ADD_PLUGIN([pkcs8],                [s charon scepclient pki scripts manager medsrv attest nm cmd])
 ADD_PLUGIN([pkcs12],               [s charon scepclient pki scripts cmd])
 ADD_PLUGIN([pgp],                  [s charon])
 ADD_PLUGIN([dnskey],               [s charon pki])
 ADD_PLUGIN([sshkey],               [s charon pki nm cmd])
 ADD_PLUGIN([dnscert],              [c charon])
 ADD_PLUGIN([ipseckey],             [c charon])
-ADD_PLUGIN([pem],                  [s charon openac scepclient pki scripts manager medsrv attest nm cmd])
+ADD_PLUGIN([pem],                  [s charon scepclient pki scripts manager medsrv attest nm cmd])
 ADD_PLUGIN([padlock],              [s charon])
-ADD_PLUGIN([openssl],              [s charon openac scepclient pki scripts manager medsrv attest nm cmd])
-ADD_PLUGIN([gcrypt],               [s charon openac scepclient pki scripts manager medsrv attest nm cmd])
-ADD_PLUGIN([af-alg],               [s charon openac scepclient pki scripts medsrv attest nm cmd])
+ADD_PLUGIN([openssl],              [s charon scepclient pki scripts manager medsrv attest nm cmd])
+ADD_PLUGIN([gcrypt],               [s charon scepclient pki scripts manager medsrv attest nm cmd])
+ADD_PLUGIN([af-alg],               [s charon scepclient pki scripts medsrv attest nm cmd])
 ADD_PLUGIN([fips-prf],             [s charon nm cmd])
-ADD_PLUGIN([gmp],                  [s charon openac scepclient pki scripts manager medsrv attest nm cmd])
+ADD_PLUGIN([gmp],                  [s charon scepclient pki scripts manager medsrv attest nm cmd])
 ADD_PLUGIN([agent],                [s charon nm cmd])
 ADD_PLUGIN([keychain],             [s charon cmd])
 ADD_PLUGIN([xcbc],                 [s charon nm cmd])
@@ -1190,7 +1189,6 @@ AC_SUBST(charon_plugins)
 AC_SUBST(starter_plugins)
 AC_SUBST(pool_plugins)
 AC_SUBST(attest_plugins)
-AC_SUBST(openac_plugins)
 AC_SUBST(scepclient_plugins)
 AC_SUBST(pki_plugins)
 AC_SUBST(scripts_plugins)
@@ -1586,7 +1584,6 @@ AC_CONFIG_FILES([
        src/_updown/Makefile
        src/_updown_espmark/Makefile
        src/_copyright/Makefile
-       src/openac/Makefile
        src/scepclient/Makefile
        src/pki/Makefile
        src/pki/man/Makefile
index 353a7db..1b7872d 100644 (file)
@@ -1,5 +1,3 @@
 usr/lib/strongswan/scepclient          usr/lib/strongswan/
-usr/lib/strongswan/openac                      usr/lib/strongswan/
 usr/lib/strongswan/pki                         usr/lib/strongswan/
 usr/share/man/man8/scepclient.8                usr/share/man/man8/
-usr/share/man/man8/openac.8                    usr/share/man/man8/
index 7d11893..93da489 100644 (file)
@@ -73,7 +73,7 @@ if USE_UPDOWN
 endif
 
 if USE_TOOLS
-  SUBDIRS += openac scepclient pki
+  SUBDIRS += scepclient pki
 endif
 
 if USE_CONFTEST
index d172b15..82bbadc 100644 (file)
@@ -100,7 +100,6 @@ if USE_CMD
 endif
 
 if USE_TOOLS
-  exes += $(DESTDIR)$(ipsecdir)/openac
   exes += $(DESTDIR)$(ipsecdir)/scepclient
   exes += $(DESTDIR)$(bindir)/pki
 endif
index 3c1f998..6163218 100644 (file)
@@ -70,7 +70,6 @@ case "$1" in
        echo "  rereadcacerts|rereadaacerts|rereadocspcerts"
        echo "  rereadacerts|rereadcrls|rereadall"
        echo "  purgeocsp|purgecrls|purgecerts|purgeike"
-       echo "  openac"
        echo "  scepclient"
        echo "  secrets"
        echo "  starter"
diff --git a/src/openac/.gitignore b/src/openac/.gitignore
deleted file mode 100644 (file)
index 9aa8577..0000000
+++ /dev/null
@@ -1 +0,0 @@
-openac
diff --git a/src/openac/Makefile.am b/src/openac/Makefile.am
deleted file mode 100644 (file)
index 78a466b..0000000
+++ /dev/null
@@ -1,11 +0,0 @@
-ipsec_PROGRAMS = openac
-openac_SOURCES = openac.c
-dist_man_MANS = openac.8
-
-AM_CPPFLAGS = \
-       -I$(top_srcdir)/src/libstrongswan \
-       -DIPSEC_CONFDIR=\"${sysconfdir}\" \
-       -DPLUGINS=\""${openac_plugins}\""
-
-openac_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
-openac.o :             $(top_builddir)/config.status
diff --git a/src/openac/openac.8 b/src/openac/openac.8
deleted file mode 100644 (file)
index ed1b8ed..0000000
+++ /dev/null
@@ -1,165 +0,0 @@
-.TH IPSEC_OPENAC 8 "22 September 2007"
-.SH NAME
-ipsec openac \- Generation of X.509 attribute certificates
-.SH SYNOPSIS
-.B ipsec
-.B openac
-[
-.B \-\-help
-] [
-.B \-\-version
-] [
-.B \-\-optionsfrom
-\fIfilename\fP
-]
-.br
-\ \ \ [
-.B \-\-quiet
-] [
-.B \-\-debug
-\fIlevel\fP
-]
-.br
-\ \ \ [
-.B \-\-days
-\fIdays\fP
-] [
-.B \-\-hours
-\fIhours\fP
-]
-.br
-\ \ \ [
-.B \-\-startdate
-\fIYYYYMMDDHHMMSSZ\fP
-] [
-.B \-\-stopdate
-\fIYYYYMMDDHHMMSSZ\fP
-]
-.br
-.B \ \ \ \-\-cert
-\fIcertfile\fP
-.B \-\-key
-\fIkeyfile\fP
-[
-.B \-\-password
-\fIpassword\fP
-]
-.br
-.B \ \ \ \-\-usercert
-\fIcertfile\fP
-.B \-\-groups
-\fIattr1,attr2,...\fP
-.B \-\-out
-\fIfilename\fP
-.SH DESCRIPTION
-.BR openac
-is intended to be used by an Authorization Authority (AA) to generate and sign
-X.509 attribute certificates. Currently only the inclusion of one ore several group
-attributes is supported. An attribute certificate is linked to a holder by
-including the issuer and serial number of the holder's X.509 certificate.
-.SH OPTIONS
-.TP
-\fB\-\-help\fP
-display the usage message.
-.TP
-\fB\-\-version\fP
-display the version of \fBopenac\fP.
-.TP
-\fB\-\-optionsfrom\fP\ \fIfilename\fP
-adds the contents of the file to the argument list.
-If \fIfilename\fP is a relative path then the file is searched in the directory
-\fI/etc/openac\fP.
-.TP
-\fB\-\-quiet\fP
-By default \fBopenac\fP logs all control output both to syslog and stderr.
-With the \fB\-\-quiet\fP option no output is written to stderr.
-.TP
-\fB\-\-days\fP\ \fIdays\fP
-Validity of the X.509 attribute certificate in days. If neiter the \fB\-\-days\fP\ nor
-the \fB\-\-hours\fP\ option is specified then a default validity interval of 1 day is assumed.
-The \fB\-\-days\fP\ option can be combined with the \fB\-\-hours\fP\ option.
-.TP
-\fB\-\-hours\fP\ \fIhours\fP
-Validity of the X.509 attribute certificate in hours. If neiter the \fB\-\-hours\fP\ nor
-the \fB\-\-days\fP\ option is specified then a default validity interval of 24 hours is assumed.
-The \fB\-\-hours\fP\ option can be combined with the \fB\-\-days\fP\ option.
-.TP
-\fB\-\-startdate\fP\ \fIYYYYMMDDHHMMSSZ\fP
-defines the \fBnotBefore\fP date when the X.509 attribute certificate becomes valid.
-The date \fIYYYYMMDDHHMMSS\fP must be specified in UTC (\fIZ\fPulu time).
-If the \fB\-\-startdate\fP option is not specified then the current date is taken as a default.
-
-.TP
-\fB\-\-stopdate\fP\ \fIYYYYMMDDHHMMSSZ\fP
-defines the \fBnotAfter\fP date when the X.509 attribute certificate will expire.
-The date \fIYYYYMMDDHHMMSS\fP must be specified in UTC (\fIZ\fPulu time).
-If the \fB\-\-stopdate\fP option is not specified then the default \fBnotAfter\fP value is computed
-by adding the validity interval specified by the \fB\-\-days\fP\ and/or \fB\-\-days\fP\ options
-to the \fBnotBefore\fP date.
-.TP
-\fB\-\-cert\fP\ \fIcertfile\fP
-specifies the file containing the X.509 certificate of the Authorization Authority.
-The certificate is stored either in PEM or DER format.
-.TP
-\fB\-\-key\fP\ \fIkeyfile\fP
-specifies the encrypted file containing the private RSA key of the Authoritzation
-Authority. The private key is stored in PKCS#1 format.
-.TP
-\fB\-\-password\fP\ \fIpassword\fP
-specifies the password with which the private RSA keyfile defined by the
-\fB\-\-key\fP option has been protected. If the option is missing then the
-password is prompted for on the command line.
-.TP
-\fB\-\-usercert\fP\ \fIcertfile\fP
-specifies file containing the X.509 certificate of the user to which the generated attribute
-certificate will apply. The certificate file is stored either in PEM or DER format.
-.TP
-\fB\-\-groups\fP\ \fIattr1,attr2\fP
-specifies a comma-separated list of group attributes that will go into the
-X.509 attribute certificate.
-.TP
-\fB\-\-out\fP\ \fIfilename\fP
-specifies the file where the generated X.509 attribute certificate will be stored to.
-.SS Debugging
-.LP
-\fBopenac\fP produces a prodigious amount of debugging information.  To do so,
-it must be compiled with \-DDEBUG.  There are several classes of debugging output,
-and \fBopenac\fP may be directed to produce a selection of them.  All lines of
-debugging output are prefixed with ``|\ '' to distinguish them from error messages.
-.LP
-When \fBopenac\fP is invoked, it may be given arguments to specify
-which classes to output.  The current options are:
-.TP
-\fB\-\-debug\fP\ \fIlevel\fP
-sets the debug level to 0 (none), 1 (normal), 2 (more), 3 (raw), and 4 (private),
-the default level being 1.
-.SH EXIT STATUS
-.LP
-The execution of \fBopenac\fP terminates with one of the following two exit codes:
-.TP
-0
-means that the attribute certificate was successfully generated and stored.
-.TP
-1
-means that something went wrong.
-.SH FILES
-\fI/etc/openac/serial\fP\ \ \ serial number of latest attribute certificate
-.SH SEE ALSO
-.LP
-The X.509 attribute certificates generated with \fBopenac\fP can be used to
-enforce group policies defined by \fIipsec.conf\fP(5). Use \fIipsec_auto\fP(8)
-to load and list X.509 attribute certificates.
-.LP
-For more information on X.509 attribute certificates, refer to the following
-IETF RFC:
-.IP
-RFC 3281 An Internet Attribute Certificate Profile for Authorization
-.SH HISTORY
-The \fBopenac\fP program was originally written by Ariane Seiler and Ueli Galizzi.
-The software was recoded by Andreas Steffen using strongSwan's X.509 library and 
-the ASN.1 code synthesis functions written by Christoph Gysin and Christoph Zwahlen.
-All authors were with the Zurich University of Applied Sciences in Winterthur,
-Switzerland.
-.LP
-.SH BUGS
-Bugs should be reported to the <users@lists.strongswan.org> mailing list.
diff --git a/src/openac/openac.c b/src/openac/openac.c
deleted file mode 100644 (file)
index 1424a7e..0000000
+++ /dev/null
@@ -1,564 +0,0 @@
-/**
- * @file openac.c
- *
- * @brief Generation of X.509 attribute certificates.
- *
- */
-
-/*
- * Copyright (C) 2002  Ueli Galizzi, Ariane Seiler
- * Copyright (C) 2004,2007  Andreas Steffen
- * Hochschule fuer Technik Rapperswil, Switzerland
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <syslog.h>
-#include <unistd.h>
-#include <getopt.h>
-#include <ctype.h>
-#include <time.h>
-#include <errno.h>
-
-#include <library.h>
-#include <utils/debug.h>
-#include <asn1/asn1.h>
-#include <credentials/certificates/x509.h>
-#include <credentials/certificates/ac.h>
-#include <credentials/keys/private_key.h>
-#include <credentials/sets/mem_cred.h>
-#include <utils/optionsfrom.h>
-
-#define OPENAC_PATH                    IPSEC_CONFDIR "/openac"
-#define OPENAC_SERIAL          IPSEC_CONFDIR "/openac/serial"
-
-#define DEFAULT_VALIDITY       24*3600         /* seconds */
-
-/**
- * @brief prints the usage of the program to the stderr
- */
-static void usage(const char *message)
-{
-       if (message != NULL && *message != '\0')
-       {
-               fprintf(stderr, "%s\n", message);
-       }
-       fprintf(stderr, "Usage: openac"
-               " [--help]"
-               " [--version]"
-               " [--optionsfrom <filename>]"
-               " [--quiet]"
-               " \\\n\t"
-               "      [--debug <level 0..4>]"
-               " \\\n\t"
-               "      [--days <days>]"
-               " [--hours <hours>]"
-               " \\\n\t"
-               "      [--startdate <YYYYMMDDHHMMSSZ>]"
-               " [--enddate <YYYYMMDDHHMMSSZ>]"
-               " \\\n\t"
-               "      --cert <certfile>"
-               " --key <keyfile>"
-               " [--password <password>]"
-               " \\\n\t"
-               "      --usercert <certfile>"
-               " --groups <attr1,attr2,..>"
-               " --out <filename>"
-               "\n"
-       );
-}
-
-/**
- * read the last serial number from file
- */
-static chunk_t read_serial(void)
-{
-       chunk_t hex, serial = chunk_empty;
-       char one[] = {0x01};
-       FILE *fd;
-
-       fd = fopen(OPENAC_SERIAL, "r");
-       if (fd)
-       {
-               hex = chunk_alloca(64);
-               hex.len = fread(hex.ptr, 1, hex.len, fd);
-               if (hex.len)
-               {
-                       /* remove any terminating newline character */
-                       if (hex.ptr[hex.len-1] == '\n')
-                       {
-                               hex.len--;
-                       }
-                       serial = chunk_alloca((hex.len / 2) + (hex.len % 2));
-                       serial = chunk_from_hex(hex, serial.ptr);
-               }
-               fclose(fd);
-       }
-       else
-       {
-               DBG1(DBG_LIB, "  file '%s' does not exist yet - serial number "
-                        "set to 01", OPENAC_SERIAL);
-       }
-       if (!serial.len)
-       {
-               return chunk_clone(chunk_create(one, 1));
-       }
-       if (chunk_increment(serial))
-       {       /* overflow, prepend 0x01 */
-               return chunk_cat("cc", chunk_create(one, 1), serial);
-       }
-       return chunk_clone(serial);
-}
-
-/**
- * write back the last serial number to file
- */
-static void write_serial(chunk_t serial)
-{
-       FILE *fd = fopen(OPENAC_SERIAL, "w");
-
-       if (fd)
-       {
-               chunk_t hex_serial;
-
-               DBG1(DBG_LIB, "  serial number is %#B", &serial);
-               hex_serial = chunk_to_hex(serial, NULL, FALSE);
-               fprintf(fd, "%.*s\n", (int)hex_serial.len, hex_serial.ptr);
-               fclose(fd);
-               free(hex_serial.ptr);
-       }
-       else
-       {
-               DBG1(DBG_LIB, "  could not open file '%s' for writing", OPENAC_SERIAL);
-       }
-}
-
-/**
- * global variables accessible by both main() and build.c
- */
-
-static int debug_level = 1;
-static bool stderr_quiet = FALSE;
-
-/**
- * openac dbg function
- */
-static void openac_dbg(debug_t group, level_t level, char *fmt, ...)
-{
-       int priority = LOG_INFO;
-       char buffer[8192];
-       char *current = buffer, *next;
-       va_list args;
-
-       if (level <= debug_level)
-       {
-               if (!stderr_quiet)
-               {
-                       va_start(args, fmt);
-                       vfprintf(stderr, fmt, args);
-                       fprintf(stderr, "\n");
-                       va_end(args);
-               }
-
-               /* write in memory buffer first */
-               va_start(args, fmt);
-               vsnprintf(buffer, sizeof(buffer), fmt, args);
-               va_end(args);
-
-               /* do a syslog with every line */
-               while (current)
-               {
-                       next = strchr(current, '\n');
-                       if (next)
-                       {
-                               *(next++) = '\0';
-                       }
-                       syslog(priority, "%s\n", current);
-                       current = next;
-               }
-       }
-}
-
-/**
- * @brief openac main program
- *
- * @param argc number of arguments
- * @param argv pointer to the argument values
- */
-int main(int argc, char **argv)
-{
-       certificate_t *attr_cert   = NULL;
-       certificate_t *userCert   = NULL;
-       certificate_t *signerCert = NULL;
-       private_key_t *signerKey  = NULL;
-
-       time_t notBefore = UNDEFINED_TIME;
-       time_t notAfter  = UNDEFINED_TIME;
-       time_t validity = 0;
-
-       char *keyfile = NULL;
-       char *certfile = NULL;
-       char *usercertfile = NULL;
-       char *outfile = NULL;
-       char *groups = "";
-       char buf[BUF_LEN];
-
-       chunk_t passphrase = { buf, 0 };
-       chunk_t serial = chunk_empty;
-       chunk_t attr_chunk = chunk_empty;
-
-       int status = 1;
-
-       /* enable openac debugging hook */
-       dbg = openac_dbg;
-
-       passphrase.ptr[0] = '\0';
-
-       openlog("openac", 0, LOG_AUTHPRIV);
-
-       /* initialize library */
-       atexit(library_deinit);
-       if (!library_init(NULL, "openac"))
-       {
-               exit(SS_RC_LIBSTRONGSWAN_INTEGRITY);
-       }
-       if (lib->integrity &&
-               !lib->integrity->check_file(lib->integrity, "openac", argv[0]))
-       {
-               fprintf(stderr, "integrity check of openac failed\n");
-               exit(SS_RC_DAEMON_INTEGRITY);
-       }
-       if (!lib->plugins->load(lib->plugins,
-                       lib->settings->get_str(lib->settings, "openac.load", PLUGINS)))
-       {
-               exit(SS_RC_INITIALIZATION_FAILED);
-       }
-
-       /* initialize optionsfrom */
-       options_t *options = options_create();
-
-       /* handle arguments */
-       for (;;)
-       {
-               static const struct option long_opts[] = {
-                       /* name, has_arg, flag, val */
-                       { "help", no_argument, NULL, 'h' },
-                       { "version", no_argument, NULL, 'v' },
-                       { "optionsfrom", required_argument, NULL, '+' },
-                       { "quiet", no_argument, NULL, 'q' },
-                       { "cert", required_argument, NULL, 'c' },
-                       { "key", required_argument, NULL, 'k' },
-                       { "password", required_argument, NULL, 'p' },
-                       { "usercert", required_argument, NULL, 'u' },
-                       { "groups", required_argument, NULL, 'g' },
-                       { "days", required_argument, NULL, 'D' },
-                       { "hours", required_argument, NULL, 'H' },
-                       { "startdate", required_argument, NULL, 'S' },
-                       { "enddate", required_argument, NULL, 'E' },
-                       { "out", required_argument, NULL, 'o' },
-                       { "debug", required_argument, NULL, 'd' },
-                       { 0,0,0,0 }
-               };
-
-               int c = getopt_long(argc, argv, "hv+:qc:k:p;u:g:D:H:S:E:o:d:", long_opts, NULL);
-
-               /* Note: "breaking" from case terminates loop */
-               switch (c)
-               {
-                       case EOF:       /* end of flags */
-                               break;
-
-                       case 0: /* long option already handled */
-                               continue;
-
-                       case ':':       /* diagnostic already printed by getopt_long */
-                       case '?':       /* diagnostic already printed by getopt_long */
-                       case 'h':       /* --help */
-                               usage(NULL);
-                               status = 1;
-                               goto end;
-
-                       case 'v':       /* --version */
-                               printf("openac (strongSwan %s)\n", VERSION);
-                               status = 0;
-                               goto end;
-
-                       case '+':       /* --optionsfrom <filename> */
-                               {
-                                       char path[BUF_LEN];
-
-                                       if (*optarg == '/')     /* absolute pathname */
-                                       {
-                                               strncpy(path, optarg, BUF_LEN);
-                                               path[BUF_LEN-1] = '\0';
-                                       }
-                                       else                    /* relative pathname */
-                                       {
-                                               snprintf(path, BUF_LEN, "%s/%s", OPENAC_PATH, optarg);
-                                       }
-                                       if (!options->from(options, path, &argc, &argv, optind))
-                                       {
-                                               status = 1;
-                                               goto end;
-                                       }
-                               }
-                               continue;
-
-                       case 'q':       /* --quiet */
-                               stderr_quiet = TRUE;
-                               continue;
-
-                       case 'c':       /* --cert */
-                               certfile = optarg;
-                               continue;
-
-                       case 'k':       /* --key */
-                               keyfile = optarg;
-                               continue;
-
-                       case 'p':       /* --key */
-                               if (strlen(optarg) >= BUF_LEN)
-                               {
-                                       usage("passphrase too long");
-                                       goto end;
-                               }
-                               strncpy(passphrase.ptr, optarg, BUF_LEN);
-                               passphrase.len = min(strlen(optarg), BUF_LEN);
-                               continue;
-
-                       case 'u':       /* --usercert */
-                               usercertfile = optarg;
-                               continue;
-
-                       case 'g':       /* --groups */
-                               groups = optarg;
-                               continue;
-
-                       case 'D':       /* --days */
-                               if (optarg == NULL || !isdigit(optarg[0]))
-                               {
-                                       usage("missing number of days");
-                                       goto end;
-                               }
-                               else
-                               {
-                                       char *endptr;
-                                       long days = strtol(optarg, &endptr, 0);
-
-                                       if (*endptr != '\0' || endptr == optarg || days <= 0)
-                                       {
-                                               usage("<days> must be a positive number");
-                                               goto end;
-                                       }
-                                       validity += 24*3600*days;
-                               }
-                               continue;
-
-                       case 'H':       /* --hours */
-                               if (optarg == NULL || !isdigit(optarg[0]))
-                               {
-                                       usage("missing number of hours");
-                                       goto end;
-                               }
-                               else
-                               {
-                                       char *endptr;
-                                       long hours = strtol(optarg, &endptr, 0);
-
-                                       if (*endptr != '\0' || endptr == optarg || hours <= 0)
-                                       {
-                                               usage("<hours> must be a positive number");
-                                               goto end;
-                                       }
-                                       validity += 3600*hours;
-                               }
-                               continue;
-
-                       case 'S':       /* --startdate */
-                               if (optarg == NULL || strlen(optarg) != 15 || optarg[14] != 'Z')
-                               {
-                                       usage("date format must be YYYYMMDDHHMMSSZ");
-                                       goto end;
-                               }
-                               else
-                               {
-                                       chunk_t date = { optarg, 15 };
-
-                                       notBefore = asn1_to_time(&date, ASN1_GENERALIZEDTIME);
-                               }
-                               continue;
-
-                       case 'E':       /* --enddate */
-                               if (optarg == NULL || strlen(optarg) != 15 || optarg[14] != 'Z')
-                               {
-                                       usage("date format must be YYYYMMDDHHMMSSZ");
-                                       goto end;
-                               }
-                               else
-                               {
-                                       chunk_t date = { optarg, 15 };
-                                       notAfter = asn1_to_time(&date, ASN1_GENERALIZEDTIME);
-                               }
-                               continue;
-
-                       case 'o':       /* --out */
-                               outfile = optarg;
-                               continue;
-
-                       case 'd':       /* --debug */
-                               debug_level = atoi(optarg);
-                               continue;
-
-                       default:
-                               usage("");
-                               status = 0;
-                               goto end;
-               }
-               /* break from loop */
-               break;
-       }
-
-       if (optind != argc)
-       {
-               usage("unexpected argument");
-               goto end;
-       }
-
-       DBG1(DBG_LIB, "starting openac (strongSwan Version %s)", VERSION);
-
-       /* load the signer's RSA private key */
-       if (keyfile != NULL)
-       {
-               mem_cred_t *mem;
-               shared_key_t *shared;
-
-               mem = mem_cred_create();
-               lib->credmgr->add_set(lib->credmgr, &mem->set);
-               shared = shared_key_create(SHARED_PRIVATE_KEY_PASS,
-                                                                  chunk_clone(passphrase));
-               mem->add_shared(mem, shared, NULL);
-               signerKey = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
-                                                                          BUILD_FROM_FILE, keyfile,
-                                                                          BUILD_END);
-               lib->credmgr->remove_set(lib->credmgr, &mem->set);
-               mem->destroy(mem);
-               if (signerKey == NULL)
-               {
-                       goto end;
-               }
-               DBG1(DBG_LIB, "  loaded private key file '%s'", keyfile);
-       }
-
-       /* load the signer's X.509 certificate */
-       if (certfile != NULL)
-       {
-               signerCert = lib->creds->create(lib->creds,
-                                                                               CRED_CERTIFICATE, CERT_X509,
-                                                                               BUILD_FROM_FILE, certfile,
-                                                                               BUILD_END);
-               if (signerCert == NULL)
-               {
-                       goto end;
-               }
-       }
-
-       /* load the users's X.509 certificate */
-       if (usercertfile != NULL)
-       {
-               userCert = lib->creds->create(lib->creds,
-                                                                         CRED_CERTIFICATE, CERT_X509,
-                                                                         BUILD_FROM_FILE, usercertfile,
-                                                                         BUILD_END);
-               if (userCert == NULL)
-               {
-                       goto end;
-               }
-       }
-
-       /* compute validity interval */
-       validity = (validity)? validity : DEFAULT_VALIDITY;
-       notBefore = (notBefore == UNDEFINED_TIME) ? time(NULL) : notBefore;
-       notAfter =  (notAfter  == UNDEFINED_TIME) ? time(NULL) + validity : notAfter;
-
-       /* build and parse attribute certificate */
-       if (userCert != NULL && signerCert != NULL && signerKey != NULL &&
-               outfile != NULL)
-       {
-               linked_list_t *group_list;
-               enumerator_t *enumerator;
-               char *group;
-
-               group_list = linked_list_create();
-               enumerator = enumerator_create_token(groups, ",", " ");
-               while (enumerator->enumerate(enumerator, &group))
-               {
-                       group_list->insert_last(group_list, strdup(group));
-               }
-               enumerator->destroy(enumerator);
-
-               /* read the serial number and increment it by one */
-               serial = read_serial();
-
-               attr_cert = lib->creds->create(lib->creds,
-                                                       CRED_CERTIFICATE, CERT_X509_AC,
-                                                       BUILD_CERT, userCert,
-                                                       BUILD_NOT_BEFORE_TIME, notBefore,
-                                                       BUILD_NOT_AFTER_TIME, notAfter,
-                                                       BUILD_SERIAL, serial,
-                                                       BUILD_AC_GROUP_STRINGS, group_list,
-                                                       BUILD_SIGNING_CERT, signerCert,
-                                                       BUILD_SIGNING_KEY, signerKey,
-                                                       BUILD_END);
-               group_list->destroy_function(group_list, free);
-               if (!attr_cert)
-               {
-                       goto end;
-               }
-
-               /* write the attribute certificate to file */
-               if (attr_cert->get_encoding(attr_cert, CERT_ASN1_DER, &attr_chunk))
-               {
-                       if (chunk_write(attr_chunk, outfile, 0022, TRUE))
-                       {
-                               DBG1(DBG_APP, "  written attribute cert file '%s' (%d bytes)",
-                                                outfile, attr_chunk.len);
-                               write_serial(serial);
-                               status = 0;
-                       }
-                       else
-                       {
-                               DBG1(DBG_APP, "  writing attribute cert file '%s' failed: %s",
-                                        outfile, strerror(errno));
-                       }
-               }
-       }
-       else
-       {
-               usage("some of the mandatory parameters --usercert --cert --key --out "
-                         "are missing");
-       }
-
-end:
-       /* delete all dynamically allocated objects */
-       DESTROY_IF(signerKey);
-       DESTROY_IF(signerCert);
-       DESTROY_IF(userCert);
-       DESTROY_IF(attr_cert);
-       free(attr_chunk.ptr);
-       free(serial.ptr);
-       closelog();
-       dbg = dbg_default;
-       options->destroy(options);
-       exit(status);
-}