2007-09-25 20:13:06 +00:00
|
|
|
/**
|
|
|
|
* @file openac.c
|
|
|
|
*
|
|
|
|
* @brief Generation of X.509 attribute certificates.
|
|
|
|
*
|
|
|
|
*/
|
|
|
|
|
|
|
|
/*
|
2006-04-28 07:14:48 +00:00
|
|
|
* Copyright (C) 2002 Ueli Galizzi, Ariane Seiler
|
2007-09-25 20:13:06 +00:00
|
|
|
* Copyright (C) 2004,2007 Andreas Steffen
|
|
|
|
* Hochschule fuer Technik Rapperswil, Switzerland
|
2006-04-28 07:14:48 +00:00
|
|
|
*
|
|
|
|
* This program is free software; you can redistribute it and/or modify it
|
|
|
|
* under the terms of the GNU General Public License as published by the
|
|
|
|
* Free Software Foundation; either version 2 of the License, or (at your
|
|
|
|
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
|
|
|
|
*
|
|
|
|
* This program is distributed in the hope that it will be useful, but
|
|
|
|
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
|
|
|
|
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
|
|
|
* for more details.
|
2007-10-08 20:09:57 +00:00
|
|
|
*
|
|
|
|
* RCSID $Id$
|
2006-04-28 07:14:48 +00:00
|
|
|
*/
|
|
|
|
|
|
|
|
#include <stdio.h>
|
|
|
|
#include <stdlib.h>
|
|
|
|
#include <string.h>
|
2007-09-25 20:13:06 +00:00
|
|
|
#include <syslog.h>
|
2006-04-28 07:14:48 +00:00
|
|
|
#include <unistd.h>
|
|
|
|
#include <getopt.h>
|
|
|
|
#include <ctype.h>
|
|
|
|
#include <time.h>
|
|
|
|
#include <gmp.h>
|
|
|
|
|
2007-09-18 11:23:52 +00:00
|
|
|
#include <debug.h>
|
|
|
|
#include <asn1/asn1.h>
|
|
|
|
#include <asn1/ttodata.h>
|
|
|
|
#include <crypto/ac.h>
|
2007-09-18 20:49:05 +00:00
|
|
|
#include <crypto/ietf_attr_list.h>
|
2007-09-18 11:23:52 +00:00
|
|
|
#include <utils/optionsfrom.h>
|
2006-04-28 07:14:48 +00:00
|
|
|
|
2007-09-25 20:13:06 +00:00
|
|
|
#ifdef INTEGRITY_TEST
|
|
|
|
#include <fips/fips.h>
|
|
|
|
#include <fips_signature.h>
|
|
|
|
#endif /* INTEGRITY_TEST */
|
|
|
|
|
2006-04-28 07:14:48 +00:00
|
|
|
#include "build.h"
|
|
|
|
|
2006-05-16 14:24:03 +00:00
|
|
|
#define OPENAC_PATH IPSEC_CONFDIR "/openac"
|
|
|
|
#define OPENAC_SERIAL IPSEC_CONFDIR "/openac/serial"
|
2006-04-28 07:14:48 +00:00
|
|
|
|
2007-09-18 11:23:52 +00:00
|
|
|
static void usage(const char *mess)
|
2006-04-28 07:14:48 +00:00
|
|
|
{
|
2007-04-10 19:31:42 +00:00
|
|
|
if (mess != NULL && *mess != '\0')
|
|
|
|
{
|
|
|
|
fprintf(stderr, "%s\n", mess);
|
|
|
|
}
|
|
|
|
fprintf(stderr, "Usage: openac"
|
|
|
|
" [--help]"
|
|
|
|
" [--version]"
|
|
|
|
" [--optionsfrom <filename>]"
|
|
|
|
" [--quiet]"
|
|
|
|
" \\\n\t"
|
2007-09-25 20:13:06 +00:00
|
|
|
" [--debug <level 0..4>]"
|
2007-04-10 19:31:42 +00:00
|
|
|
" \\\n\t"
|
|
|
|
" [--days <days>]"
|
|
|
|
" [--hours <hours>]"
|
|
|
|
" \\\n\t"
|
|
|
|
" [--startdate <YYYYMMDDHHMMSSZ>]"
|
|
|
|
" [--enddate <YYYYMMDDHHMMSSZ>]"
|
|
|
|
" \\\n\t"
|
|
|
|
" --cert <certfile>"
|
|
|
|
" --key <keyfile>"
|
|
|
|
" [--password <password>]"
|
|
|
|
" \\\n\t"
|
|
|
|
" --usercert <certfile>"
|
|
|
|
" --groups <attr1,attr2,..>"
|
|
|
|
" --out <filename>"
|
|
|
|
"\n"
|
|
|
|
);
|
2006-04-28 07:14:48 +00:00
|
|
|
}
|
|
|
|
|
2007-09-25 20:13:06 +00:00
|
|
|
|
2007-09-18 11:23:52 +00:00
|
|
|
/**
|
|
|
|
* convert a chunk into a multi-precision integer
|
|
|
|
*/
|
|
|
|
static void chunk_to_mpz(chunk_t chunk, mpz_t number)
|
|
|
|
{
|
|
|
|
mpz_import(number, chunk.len, 1, 1, 1, 0, chunk.ptr);
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* convert a multi-precision integer into a chunk
|
|
|
|
*/
|
|
|
|
static chunk_t mpz_to_chunk(mpz_t number)
|
|
|
|
{
|
|
|
|
chunk_t chunk;
|
|
|
|
|
|
|
|
chunk.len = 1 + mpz_sizeinbase(number, 2)/BITS_PER_BYTE;
|
|
|
|
chunk.ptr = mpz_export(NULL, NULL, 1, chunk.len, 1, 0, number);
|
|
|
|
return chunk;
|
|
|
|
}
|
|
|
|
|
2007-04-10 19:31:42 +00:00
|
|
|
/**
|
2006-04-28 07:14:48 +00:00
|
|
|
* read the last serial number from file
|
|
|
|
*/
|
2007-04-10 19:31:42 +00:00
|
|
|
static chunk_t read_serial(void)
|
2006-04-28 07:14:48 +00:00
|
|
|
{
|
2007-09-18 11:23:52 +00:00
|
|
|
mpz_t number;
|
2006-04-28 07:14:48 +00:00
|
|
|
|
2007-09-18 11:23:52 +00:00
|
|
|
char buf[BUF_LEN], buf1[BUF_LEN];
|
|
|
|
chunk_t last_serial = { buf1, BUF_LEN};
|
|
|
|
chunk_t serial;
|
2006-04-28 07:14:48 +00:00
|
|
|
|
2007-04-10 19:31:42 +00:00
|
|
|
FILE *fd = fopen(OPENAC_SERIAL, "r");
|
2006-04-28 07:14:48 +00:00
|
|
|
|
2007-09-18 11:23:52 +00:00
|
|
|
/* last serial number defaults to 0 */
|
|
|
|
*last_serial.ptr = 0x00;
|
|
|
|
last_serial.len = 1;
|
2006-04-28 07:14:48 +00:00
|
|
|
|
2007-04-10 19:31:42 +00:00
|
|
|
if (fd)
|
2006-04-28 07:14:48 +00:00
|
|
|
{
|
2007-04-10 19:31:42 +00:00
|
|
|
if (fscanf(fd, "%s", buf))
|
|
|
|
{
|
2007-09-18 11:23:52 +00:00
|
|
|
err_t ugh = ttodata(buf, 0, 16, last_serial.ptr, BUF_LEN, &last_serial.len);
|
2007-04-10 19:31:42 +00:00
|
|
|
|
|
|
|
if (ugh != NULL)
|
|
|
|
{
|
2007-09-18 11:23:52 +00:00
|
|
|
DBG1(" error reading serial number from %s: %s",
|
|
|
|
OPENAC_SERIAL, ugh);
|
2007-04-10 19:31:42 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
fclose(fd);
|
2006-04-28 07:14:48 +00:00
|
|
|
}
|
2007-04-10 19:31:42 +00:00
|
|
|
else
|
|
|
|
{
|
2007-09-18 20:49:05 +00:00
|
|
|
DBG1(" file '%s' does not exist yet - serial number set to 01", OPENAC_SERIAL);
|
2007-04-10 19:31:42 +00:00
|
|
|
}
|
2006-04-28 07:14:48 +00:00
|
|
|
|
2007-04-10 19:31:42 +00:00
|
|
|
/**
|
|
|
|
* conversion of read serial number to a multiprecision integer
|
|
|
|
* and incrementing it by one
|
|
|
|
* and representing it as a two's complement octet string
|
|
|
|
*/
|
2007-09-18 11:23:52 +00:00
|
|
|
mpz_init(number);
|
|
|
|
chunk_to_mpz(last_serial, number);
|
|
|
|
mpz_add_ui(number, number, 0x01);
|
|
|
|
serial = mpz_to_chunk(number);
|
|
|
|
mpz_clear(number);
|
2007-04-10 19:31:42 +00:00
|
|
|
|
|
|
|
return serial;
|
2006-04-28 07:14:48 +00:00
|
|
|
}
|
|
|
|
|
2007-04-10 19:31:42 +00:00
|
|
|
/**
|
2006-04-28 07:14:48 +00:00
|
|
|
* write back the last serial number to file
|
|
|
|
*/
|
2007-04-10 19:31:42 +00:00
|
|
|
static void write_serial(chunk_t serial)
|
2006-04-28 07:14:48 +00:00
|
|
|
{
|
2007-04-10 19:31:42 +00:00
|
|
|
FILE *fd = fopen(OPENAC_SERIAL, "w");
|
|
|
|
|
|
|
|
if (fd)
|
|
|
|
{
|
2007-09-18 11:23:52 +00:00
|
|
|
DBG1(" serial number is %#B", &serial);
|
|
|
|
fprintf(fd, "%#B\n", &serial);
|
2007-04-10 19:31:42 +00:00
|
|
|
fclose(fd);
|
|
|
|
}
|
|
|
|
else
|
|
|
|
{
|
2007-09-18 11:23:52 +00:00
|
|
|
DBG1(" could not open file '%s' for writing", OPENAC_SERIAL);
|
2007-04-10 19:31:42 +00:00
|
|
|
}
|
2006-04-28 07:14:48 +00:00
|
|
|
}
|
|
|
|
|
2007-04-10 19:31:42 +00:00
|
|
|
/**
|
2006-04-28 07:14:48 +00:00
|
|
|
* global variables accessible by both main() and build.c
|
|
|
|
*/
|
2007-09-18 11:23:52 +00:00
|
|
|
x509_t *usercert = NULL;
|
|
|
|
x509_t *signercert = NULL;
|
2006-04-28 07:14:48 +00:00
|
|
|
|
2007-09-18 11:23:52 +00:00
|
|
|
linked_list_t *groups = NULL;
|
|
|
|
rsa_private_key_t *signerkey = NULL;
|
2006-04-28 07:14:48 +00:00
|
|
|
|
2007-09-18 11:23:52 +00:00
|
|
|
time_t notBefore = UNDEFINED_TIME;
|
|
|
|
time_t notAfter = UNDEFINED_TIME;
|
2006-04-28 07:14:48 +00:00
|
|
|
|
|
|
|
chunk_t serial;
|
|
|
|
|
2007-09-25 20:13:06 +00:00
|
|
|
static int debug_level = 1;
|
|
|
|
static bool stderr_quiet = FALSE;
|
2007-10-08 21:21:21 +00:00
|
|
|
|
2007-09-25 20:13:06 +00:00
|
|
|
/**
|
|
|
|
* openac dbg function
|
|
|
|
*/
|
|
|
|
static void openac_dbg(int level, char *fmt, ...)
|
|
|
|
{
|
|
|
|
int priority = LOG_INFO;
|
|
|
|
va_list args;
|
|
|
|
|
|
|
|
if (level <= debug_level)
|
|
|
|
{
|
|
|
|
va_start(args, fmt);
|
|
|
|
if (!stderr_quiet)
|
|
|
|
{
|
|
|
|
vfprintf(stderr, fmt, args);
|
|
|
|
fprintf(stderr, "\n");
|
|
|
|
}
|
|
|
|
vsyslog(priority, fmt, args);
|
|
|
|
va_end(args);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* openac main program
|
|
|
|
*/
|
2007-04-10 19:31:42 +00:00
|
|
|
int main(int argc, char **argv)
|
2006-04-28 07:14:48 +00:00
|
|
|
{
|
2007-04-10 19:31:42 +00:00
|
|
|
char *keyfile = NULL;
|
|
|
|
char *certfile = NULL;
|
|
|
|
char *usercertfile = NULL;
|
|
|
|
char *outfile = NULL;
|
2007-09-18 11:23:52 +00:00
|
|
|
char buf[BUF_LEN];
|
2006-04-28 07:14:48 +00:00
|
|
|
|
2007-09-18 11:23:52 +00:00
|
|
|
chunk_t passphrase = { buf, 0 };
|
|
|
|
chunk_t attr_cert = chunk_empty;
|
|
|
|
x509ac_t *ac = NULL;
|
2006-04-28 07:14:48 +00:00
|
|
|
|
2007-04-10 19:31:42 +00:00
|
|
|
const time_t default_validity = 24*3600; /* 24 hours */
|
|
|
|
time_t validity = 0;
|
2007-09-25 20:13:06 +00:00
|
|
|
int status = 1;
|
2007-09-27 06:40:50 +00:00
|
|
|
|
|
|
|
/* enable openac debugging hook */
|
|
|
|
dbg = openac_dbg;
|
2006-04-28 07:14:48 +00:00
|
|
|
|
2007-09-18 11:23:52 +00:00
|
|
|
passphrase.ptr[0] = '\0';
|
|
|
|
groups = linked_list_create();
|
2006-04-28 07:14:48 +00:00
|
|
|
|
2007-09-25 20:13:06 +00:00
|
|
|
openlog("openac", 0, LOG_AUTHPRIV);
|
|
|
|
|
2007-04-10 19:31:42 +00:00
|
|
|
/* handle arguments */
|
|
|
|
for (;;)
|
|
|
|
{
|
|
|
|
static const struct option long_opts[] = {
|
|
|
|
/* name, has_arg, flag, val */
|
|
|
|
{ "help", no_argument, NULL, 'h' },
|
|
|
|
{ "version", no_argument, NULL, 'v' },
|
|
|
|
{ "optionsfrom", required_argument, NULL, '+' },
|
|
|
|
{ "quiet", no_argument, NULL, 'q' },
|
|
|
|
{ "cert", required_argument, NULL, 'c' },
|
2007-09-25 20:13:06 +00:00
|
|
|
{ "key", required_argument, NULL, 'k' },
|
2007-04-10 19:31:42 +00:00
|
|
|
{ "password", required_argument, NULL, 'p' },
|
|
|
|
{ "usercert", required_argument, NULL, 'u' },
|
|
|
|
{ "groups", required_argument, NULL, 'g' },
|
|
|
|
{ "days", required_argument, NULL, 'D' },
|
|
|
|
{ "hours", required_argument, NULL, 'H' },
|
|
|
|
{ "startdate", required_argument, NULL, 'S' },
|
|
|
|
{ "enddate", required_argument, NULL, 'E' },
|
|
|
|
{ "out", required_argument, NULL, 'o' },
|
2007-09-25 20:13:06 +00:00
|
|
|
{ "debug", required_argument, NULL, 'd' },
|
2007-04-10 19:31:42 +00:00
|
|
|
{ 0,0,0,0 }
|
|
|
|
};
|
2006-04-28 07:14:48 +00:00
|
|
|
|
2007-09-25 20:13:06 +00:00
|
|
|
int c = getopt_long(argc, argv, "hv+:qc:k:p;u:g:D:H:S:E:o:d:", long_opts, NULL);
|
2007-04-10 19:31:42 +00:00
|
|
|
|
|
|
|
/* Note: "breaking" from case terminates loop */
|
|
|
|
switch (c)
|
|
|
|
{
|
|
|
|
case EOF: /* end of flags */
|
|
|
|
break;
|
|
|
|
|
|
|
|
case 0: /* long option already handled */
|
|
|
|
continue;
|
|
|
|
|
|
|
|
case ':': /* diagnostic already printed by getopt_long */
|
|
|
|
case '?': /* diagnostic already printed by getopt_long */
|
|
|
|
case 'h': /* --help */
|
|
|
|
usage(NULL);
|
2007-09-25 20:13:06 +00:00
|
|
|
status = 1;
|
|
|
|
goto end;
|
2007-04-10 19:31:42 +00:00
|
|
|
|
|
|
|
case 'v': /* --version */
|
2007-09-25 20:13:06 +00:00
|
|
|
printf("openac (strongSwan %s)\n", VERSION);
|
|
|
|
status = 0;
|
|
|
|
goto end;
|
2007-04-10 19:31:42 +00:00
|
|
|
|
|
|
|
case '+': /* --optionsfrom <filename> */
|
|
|
|
{
|
|
|
|
char path[BUF_LEN];
|
|
|
|
|
|
|
|
if (*optarg == '/') /* absolute pathname */
|
2007-09-18 11:23:52 +00:00
|
|
|
{
|
2007-04-10 19:31:42 +00:00
|
|
|
strncpy(path, optarg, BUF_LEN);
|
2007-09-18 11:23:52 +00:00
|
|
|
}
|
2007-04-10 19:31:42 +00:00
|
|
|
else /* relative pathname */
|
2007-09-18 11:23:52 +00:00
|
|
|
{
|
2007-04-10 19:31:42 +00:00
|
|
|
snprintf(path, BUF_LEN, "%s/%s", OPENAC_PATH, optarg);
|
2007-09-18 11:23:52 +00:00
|
|
|
}
|
2007-10-03 15:02:29 +00:00
|
|
|
if (!optionsfrom(path, &argc, &argv, optind))
|
|
|
|
{
|
2007-10-03 15:07:46 +00:00
|
|
|
status = 1;
|
|
|
|
goto end;
|
2007-10-03 15:02:29 +00:00
|
|
|
}
|
2007-04-10 19:31:42 +00:00
|
|
|
}
|
|
|
|
continue;
|
|
|
|
|
|
|
|
case 'q': /* --quiet */
|
2007-09-25 20:13:06 +00:00
|
|
|
stderr_quiet = TRUE;
|
2007-04-10 19:31:42 +00:00
|
|
|
continue;
|
|
|
|
|
|
|
|
case 'c': /* --cert */
|
|
|
|
certfile = optarg;
|
|
|
|
continue;
|
|
|
|
|
|
|
|
case 'k': /* --key */
|
|
|
|
keyfile = optarg;
|
|
|
|
continue;
|
|
|
|
|
|
|
|
case 'p': /* --key */
|
2007-09-18 11:23:52 +00:00
|
|
|
if (strlen(optarg) > BUF_LEN)
|
|
|
|
{
|
|
|
|
usage("passphrase too long");
|
2007-09-25 20:13:06 +00:00
|
|
|
goto end;
|
2007-09-18 11:23:52 +00:00
|
|
|
}
|
|
|
|
strncpy(passphrase.ptr, optarg, BUF_LEN);
|
|
|
|
passphrase.len = min(strlen(optarg), BUF_LEN);
|
2007-04-10 19:31:42 +00:00
|
|
|
continue;
|
|
|
|
|
|
|
|
case 'u': /* --usercert */
|
|
|
|
usercertfile = optarg;
|
|
|
|
continue;
|
|
|
|
|
|
|
|
case 'g': /* --groups */
|
2007-09-18 11:23:52 +00:00
|
|
|
ietfAttr_list_create_from_string(optarg, groups);
|
2007-04-10 19:31:42 +00:00
|
|
|
continue;
|
|
|
|
|
|
|
|
case 'D': /* --days */
|
|
|
|
if (optarg == NULL || !isdigit(optarg[0]))
|
2007-09-18 11:23:52 +00:00
|
|
|
{
|
2007-04-10 19:31:42 +00:00
|
|
|
usage("missing number of days");
|
2007-09-25 20:13:06 +00:00
|
|
|
goto end;
|
2007-09-18 11:23:52 +00:00
|
|
|
}
|
|
|
|
else
|
2007-04-10 19:31:42 +00:00
|
|
|
{
|
|
|
|
char *endptr;
|
|
|
|
long days = strtol(optarg, &endptr, 0);
|
|
|
|
|
|
|
|
if (*endptr != '\0' || endptr == optarg || days <= 0)
|
2007-09-18 11:23:52 +00:00
|
|
|
{
|
2007-04-10 19:31:42 +00:00
|
|
|
usage("<days> must be a positive number");
|
2007-09-25 20:13:06 +00:00
|
|
|
goto end;
|
2007-09-18 11:23:52 +00:00
|
|
|
}
|
2007-04-10 19:31:42 +00:00
|
|
|
validity += 24*3600*days;
|
|
|
|
}
|
|
|
|
continue;
|
|
|
|
|
|
|
|
case 'H': /* --hours */
|
|
|
|
if (optarg == NULL || !isdigit(optarg[0]))
|
2007-09-18 11:23:52 +00:00
|
|
|
{
|
2007-04-10 19:31:42 +00:00
|
|
|
usage("missing number of hours");
|
2007-09-25 20:13:06 +00:00
|
|
|
goto end;
|
2007-09-18 11:23:52 +00:00
|
|
|
}
|
|
|
|
else
|
2007-04-10 19:31:42 +00:00
|
|
|
{
|
|
|
|
char *endptr;
|
|
|
|
long hours = strtol(optarg, &endptr, 0);
|
|
|
|
|
|
|
|
if (*endptr != '\0' || endptr == optarg || hours <= 0)
|
2007-09-18 11:23:52 +00:00
|
|
|
{
|
2007-04-10 19:31:42 +00:00
|
|
|
usage("<hours> must be a positive number");
|
2007-09-25 20:13:06 +00:00
|
|
|
goto end;
|
2007-09-18 11:23:52 +00:00
|
|
|
}
|
2007-04-10 19:31:42 +00:00
|
|
|
validity += 3600*hours;
|
|
|
|
}
|
|
|
|
continue;
|
|
|
|
|
|
|
|
case 'S': /* --startdate */
|
|
|
|
if (optarg == NULL || strlen(optarg) != 15 || optarg[14] != 'Z')
|
2007-09-18 11:23:52 +00:00
|
|
|
{
|
2007-04-10 19:31:42 +00:00
|
|
|
usage("date format must be YYYYMMDDHHMMSSZ");
|
2007-09-25 20:13:06 +00:00
|
|
|
goto end;
|
2007-09-18 11:23:52 +00:00
|
|
|
}
|
|
|
|
else
|
2007-04-10 19:31:42 +00:00
|
|
|
{
|
|
|
|
chunk_t date = { optarg, 15 };
|
2007-09-18 11:23:52 +00:00
|
|
|
|
2007-04-10 19:31:42 +00:00
|
|
|
notBefore = asn1totime(&date, ASN1_GENERALIZEDTIME);
|
|
|
|
}
|
|
|
|
continue;
|
|
|
|
|
|
|
|
case 'E': /* --enddate */
|
|
|
|
if (optarg == NULL || strlen(optarg) != 15 || optarg[14] != 'Z')
|
2007-09-18 11:23:52 +00:00
|
|
|
{
|
2007-04-10 19:31:42 +00:00
|
|
|
usage("date format must be YYYYMMDDHHMMSSZ");
|
2007-09-25 20:13:06 +00:00
|
|
|
goto end;
|
2007-09-18 11:23:52 +00:00
|
|
|
}
|
|
|
|
else
|
2007-04-10 19:31:42 +00:00
|
|
|
{
|
|
|
|
chunk_t date = { optarg, 15 };
|
|
|
|
notAfter = asn1totime(&date, ASN1_GENERALIZEDTIME);
|
|
|
|
}
|
|
|
|
continue;
|
|
|
|
|
2007-09-25 20:13:06 +00:00
|
|
|
case 'o': /* --out */
|
2007-04-10 19:31:42 +00:00
|
|
|
outfile = optarg;
|
|
|
|
continue;
|
2006-04-28 07:14:48 +00:00
|
|
|
|
2007-09-25 20:13:06 +00:00
|
|
|
case 'd': /* --debug */
|
|
|
|
debug_level = atoi(optarg);
|
2007-04-10 19:31:42 +00:00
|
|
|
continue;
|
2007-09-25 20:13:06 +00:00
|
|
|
|
2007-04-10 19:31:42 +00:00
|
|
|
default:
|
2007-09-18 11:23:52 +00:00
|
|
|
usage("");
|
2007-09-25 20:13:06 +00:00
|
|
|
status = 0;
|
|
|
|
goto end;
|
2007-04-10 19:31:42 +00:00
|
|
|
}
|
|
|
|
break;
|
2006-04-28 07:14:48 +00:00
|
|
|
}
|
|
|
|
|
2007-04-10 19:31:42 +00:00
|
|
|
if (optind != argc)
|
2007-09-18 11:23:52 +00:00
|
|
|
{
|
2007-04-10 19:31:42 +00:00
|
|
|
usage("unexpected argument");
|
2007-09-25 20:13:06 +00:00
|
|
|
goto end;
|
2007-09-18 11:23:52 +00:00
|
|
|
}
|
2006-04-28 07:14:48 +00:00
|
|
|
|
2007-09-25 20:13:06 +00:00
|
|
|
DBG1("starting openac (strongSwan Version %s)", VERSION);
|
|
|
|
|
|
|
|
#ifdef INTEGRITY_TEST
|
|
|
|
DBG1("integrity test of libstrongswan code");
|
|
|
|
if (fips_verify_hmac_signature(hmac_key, hmac_signature))
|
|
|
|
{
|
|
|
|
DBG1(" integrity test passed");
|
|
|
|
}
|
|
|
|
else
|
|
|
|
{
|
|
|
|
DBG1(" integrity test failed");
|
2007-10-03 15:07:46 +00:00
|
|
|
status = 3;
|
|
|
|
goto end;
|
2007-09-25 20:13:06 +00:00
|
|
|
}
|
|
|
|
#endif /* INTEGRITY_TEST */
|
|
|
|
|
2007-04-10 19:31:42 +00:00
|
|
|
/* load the signer's RSA private key */
|
|
|
|
if (keyfile != NULL)
|
|
|
|
{
|
2007-09-18 11:23:52 +00:00
|
|
|
signerkey = rsa_private_key_create_from_file(keyfile, &passphrase);
|
2007-04-10 19:31:42 +00:00
|
|
|
|
2007-09-18 11:23:52 +00:00
|
|
|
if (signerkey == NULL)
|
2007-04-10 19:31:42 +00:00
|
|
|
{
|
2007-09-25 20:13:06 +00:00
|
|
|
goto end;
|
2007-04-10 19:31:42 +00:00
|
|
|
}
|
|
|
|
}
|
2006-04-28 07:14:48 +00:00
|
|
|
|
2007-04-10 19:31:42 +00:00
|
|
|
/* load the signer's X.509 certificate */
|
|
|
|
if (certfile != NULL)
|
|
|
|
{
|
2007-09-18 11:23:52 +00:00
|
|
|
signercert = x509_create_from_file(certfile, "signer cert");
|
|
|
|
|
|
|
|
if (signercert == NULL)
|
|
|
|
{
|
2007-09-25 20:13:06 +00:00
|
|
|
goto end;
|
2007-09-18 11:23:52 +00:00
|
|
|
}
|
2007-04-10 19:31:42 +00:00
|
|
|
}
|
2006-04-28 07:14:48 +00:00
|
|
|
|
2007-04-10 19:31:42 +00:00
|
|
|
/* load the users's X.509 certificate */
|
|
|
|
if (usercertfile != NULL)
|
2006-04-28 07:14:48 +00:00
|
|
|
{
|
2007-09-25 20:13:06 +00:00
|
|
|
usercert = x509_create_from_file(usercertfile, "user cert");
|
|
|
|
|
2007-09-18 11:23:52 +00:00
|
|
|
if (usercert == NULL)
|
|
|
|
{
|
2007-09-25 20:13:06 +00:00
|
|
|
goto end;
|
2007-09-18 11:23:52 +00:00
|
|
|
}
|
2006-04-28 07:14:48 +00:00
|
|
|
}
|
2007-04-10 19:31:42 +00:00
|
|
|
|
|
|
|
/* compute validity interval */
|
|
|
|
validity = (validity)? validity : default_validity;
|
2007-09-25 20:13:06 +00:00
|
|
|
notBefore = (notBefore == UNDEFINED_TIME) ? time(NULL) : notBefore;
|
|
|
|
notAfter = (notAfter == UNDEFINED_TIME) ? time(NULL) + validity : notAfter;
|
2007-04-10 19:31:42 +00:00
|
|
|
|
|
|
|
/* build and parse attribute certificate */
|
2007-09-18 11:23:52 +00:00
|
|
|
if (usercert != NULL && signercert != NULL && signerkey != NULL)
|
2007-04-10 19:31:42 +00:00
|
|
|
{
|
|
|
|
/* read the serial number and increment it by one */
|
|
|
|
serial = read_serial();
|
|
|
|
|
|
|
|
attr_cert = build_attr_cert();
|
2007-09-18 11:23:52 +00:00
|
|
|
ac = x509ac_create_from_chunk(attr_cert);
|
2006-04-28 07:14:48 +00:00
|
|
|
|
2007-04-10 19:31:42 +00:00
|
|
|
/* write the attribute certificate to file */
|
2007-09-18 11:23:52 +00:00
|
|
|
if (chunk_write(attr_cert, outfile, "attribute cert", 0022, TRUE))
|
|
|
|
{
|
|
|
|
write_serial(serial);
|
2007-09-25 20:13:06 +00:00
|
|
|
status = 0;
|
2007-09-18 11:23:52 +00:00
|
|
|
}
|
2007-04-10 19:31:42 +00:00
|
|
|
}
|
|
|
|
|
2007-09-25 20:13:06 +00:00
|
|
|
end:
|
2007-09-18 11:23:52 +00:00
|
|
|
/* delete all dynamically allocated objects */
|
|
|
|
DESTROY_IF(signerkey);
|
|
|
|
DESTROY_IF(signercert);
|
|
|
|
DESTROY_IF(usercert);
|
|
|
|
DESTROY_IF(ac);
|
|
|
|
ietfAttr_list_destroy(groups);
|
|
|
|
free(serial.ptr);
|
2007-09-25 20:13:06 +00:00
|
|
|
closelog();
|
2007-09-27 06:40:50 +00:00
|
|
|
dbg = dbg_default;
|
2007-09-25 20:13:06 +00:00
|
|
|
exit(status);
|
2006-04-28 07:14:48 +00:00
|
|
|
}
|