439 lines
11 KiB
C
Executable File
439 lines
11 KiB
C
Executable File
/* Generation of X.509 attribute certificates
|
|
* Copyright (C) 2002 Ueli Galizzi, Ariane Seiler
|
|
* Copyright (C) 2004 Andreas Steffen
|
|
* Zuercher Hochschule Winterthur, Switzerland
|
|
*
|
|
* This program is free software; you can redistribute it and/or modify it
|
|
* under the terms of the GNU General Public License as published by the
|
|
* Free Software Foundation; either version 2 of the License, or (at your
|
|
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
|
|
*
|
|
* This program is distributed in the hope that it will be useful, but
|
|
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
|
|
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
|
* for more details.
|
|
*
|
|
* RCSID $Id: openac.c,v 1.18 2006/01/04 21:12:33 as Exp $
|
|
*/
|
|
|
|
#include <stdio.h>
|
|
#include <stdlib.h>
|
|
#include <string.h>
|
|
#include <unistd.h>
|
|
#include <getopt.h>
|
|
#include <ctype.h>
|
|
#include <time.h>
|
|
#include <gmp.h>
|
|
|
|
#include <freeswan.h>
|
|
|
|
#include "../pluto/constants.h"
|
|
#include "../pluto/defs.h"
|
|
#include "../pluto/mp_defs.h"
|
|
#include "../pluto/log.h"
|
|
#include "../pluto/asn1.h"
|
|
#include "../pluto/certs.h"
|
|
#include "../pluto/x509.h"
|
|
#include "../pluto/crl.h"
|
|
#include "../pluto/keys.h"
|
|
#include "../pluto/ac.h"
|
|
|
|
#include "build.h"
|
|
|
|
#define OPENAC_PATH IPSEC_CONFDIR "/openac"
|
|
#define OPENAC_SERIAL IPSEC_CONFDIR "/openac/serial"
|
|
|
|
const char openac_version[] = "openac 0.3";
|
|
|
|
/* by default the CRL policy is lenient */
|
|
bool strict_crl_policy = FALSE;
|
|
|
|
/* by default pluto does not check crls dynamically */
|
|
long crl_check_interval = 0;
|
|
|
|
/* by default pluto logs out after every smartcard use */
|
|
bool pkcs11_keep_state = FALSE;
|
|
|
|
static void
|
|
usage(const char *mess)
|
|
{
|
|
if (mess != NULL && *mess != '\0')
|
|
fprintf(stderr, "%s\n", mess);
|
|
fprintf(stderr
|
|
, "Usage: openac"
|
|
" [--help]"
|
|
" [--version]"
|
|
" [--optionsfrom <filename>]"
|
|
" [--quiet]"
|
|
#ifdef DEBUG
|
|
" \\\n\t"
|
|
" [--debug-all]"
|
|
" [--debug-parsing]"
|
|
" [--debug-raw]"
|
|
" [--debug-private]"
|
|
#endif
|
|
" \\\n\t"
|
|
" [--days <days>]"
|
|
" [--hours <hours>]"
|
|
" \\\n\t"
|
|
" [--startdate <YYYYMMDDHHMMSSZ>]"
|
|
" [--enddate <YYYYMMDDHHMMSSZ>]"
|
|
" \\\n\t"
|
|
" --cert <certfile>"
|
|
" --key <keyfile>"
|
|
" [--password <password>]"
|
|
" \\\n\t"
|
|
" --usercert <certfile>"
|
|
" --groups <attr1,attr2,..>"
|
|
" --out <filename>"
|
|
"\n"
|
|
);
|
|
exit(mess == NULL? 0 : 1);
|
|
}
|
|
|
|
/*
|
|
* read the last serial number from file
|
|
*/
|
|
static chunk_t
|
|
read_serial(void)
|
|
{
|
|
MP_INT number;
|
|
|
|
char buf[BUF_LEN];
|
|
char bytes[BUF_LEN];
|
|
|
|
FILE *fd = fopen(OPENAC_SERIAL, "r");
|
|
|
|
/* serial number defaults to 0 */
|
|
size_t len = 1;
|
|
bytes[0] = 0x00;
|
|
|
|
if (fd)
|
|
{
|
|
if (fscanf(fd, "%s", buf))
|
|
{
|
|
err_t ugh = ttodata(buf, 0, 16, bytes, BUF_LEN, &len);
|
|
|
|
if (ugh != NULL)
|
|
plog(" error reading serial number from %s: %s"
|
|
, OPENAC_SERIAL, ugh);
|
|
}
|
|
fclose(fd);
|
|
}
|
|
else
|
|
plog(" file '%s' does not exist yet - serial number set to 01"
|
|
, OPENAC_SERIAL);
|
|
|
|
/* conversion of read serial number to a multiprecision integer
|
|
* and incrementing it by one
|
|
* and representing it as a two's complement octet string
|
|
*/
|
|
n_to_mpz(&number, bytes, len);
|
|
mpz_add_ui(&number, &number, 0x01);
|
|
serial = mpz_to_n(&number, 1 + mpz_sizeinbase(&number, 2)/BITS_PER_BYTE);
|
|
mpz_clear(&number);
|
|
|
|
return serial;
|
|
}
|
|
|
|
/*
|
|
* write back the last serial number to file
|
|
*/
|
|
static void
|
|
write_serial(chunk_t serial)
|
|
{
|
|
char buf[BUF_LEN];
|
|
|
|
FILE *fd = fopen(OPENAC_SERIAL, "w");
|
|
|
|
if (fd)
|
|
{
|
|
datatot(serial.ptr, serial.len, 16, buf, BUF_LEN);
|
|
plog(" serial number is %s", buf);
|
|
fprintf(fd, "%s\n", buf);
|
|
fclose(fd);
|
|
}
|
|
else
|
|
plog(" could not open file '%s' for writing", OPENAC_SERIAL);
|
|
}
|
|
|
|
/*
|
|
* global variables accessible by both main() and build.c
|
|
*/
|
|
x509cert_t *user = NULL;
|
|
x509cert_t *signer = NULL;
|
|
|
|
ietfAttrList_t *groups = NULL;
|
|
struct RSA_private_key *signerkey = NULL;
|
|
|
|
time_t notBefore = 0;
|
|
time_t notAfter = 0;
|
|
|
|
chunk_t serial;
|
|
|
|
|
|
int
|
|
main(int argc, char **argv)
|
|
{
|
|
char *keyfile = NULL;
|
|
char *certfile = NULL;
|
|
char *usercertfile = NULL;
|
|
char *outfile = NULL;
|
|
|
|
cert_t signercert = empty_cert;
|
|
cert_t usercert = empty_cert;
|
|
|
|
chunk_t attr_cert = empty_chunk;
|
|
x509acert_t *ac = NULL;
|
|
|
|
const time_t default_validity = 24*3600; /* 24 hours */
|
|
time_t validity = 0;
|
|
|
|
prompt_pass_t pass;
|
|
|
|
pass.secret[0] = '\0';
|
|
pass.prompt = TRUE;
|
|
pass.fd = STDIN_FILENO;
|
|
|
|
log_to_stderr = TRUE;
|
|
|
|
/* handle arguments */
|
|
for (;;)
|
|
{
|
|
# define DBG_OFFSET 256
|
|
static const struct option long_opts[] = {
|
|
/* name, has_arg, flag, val */
|
|
{ "help", no_argument, NULL, 'h' },
|
|
{ "version", no_argument, NULL, 'v' },
|
|
{ "optionsfrom", required_argument, NULL, '+' },
|
|
{ "quiet", no_argument, NULL, 'q' },
|
|
{ "cert", required_argument, NULL, 'c' },
|
|
{ "key", required_argument, NULL, 'k' },
|
|
{ "password", required_argument, NULL, 'p' },
|
|
{ "usercert", required_argument, NULL, 'u' },
|
|
{ "groups", required_argument, NULL, 'g' },
|
|
{ "days", required_argument, NULL, 'D' },
|
|
{ "hours", required_argument, NULL, 'H' },
|
|
{ "startdate", required_argument, NULL, 'S' },
|
|
{ "enddate", required_argument, NULL, 'E' },
|
|
{ "out", required_argument, NULL, 'o' },
|
|
#ifdef DEBUG
|
|
{ "debug-all", no_argument, NULL, 'A' },
|
|
{ "debug-raw", no_argument, NULL, DBG_RAW + DBG_OFFSET },
|
|
{ "debug-parsing", no_argument, NULL, DBG_PARSING + DBG_OFFSET },
|
|
{ "debug-private", no_argument, NULL, DBG_PRIVATE + DBG_OFFSET },
|
|
#endif
|
|
{ 0,0,0,0 }
|
|
};
|
|
|
|
int c = getopt_long(argc, argv, "hv+:qc:k:p;u:g:D:H:S:E:o:", long_opts, NULL);
|
|
|
|
/* Note: "breaking" from case terminates loop */
|
|
switch (c)
|
|
{
|
|
case EOF: /* end of flags */
|
|
break;
|
|
|
|
case 0: /* long option already handled */
|
|
continue;
|
|
|
|
case ':': /* diagnostic already printed by getopt_long */
|
|
case '?': /* diagnostic already printed by getopt_long */
|
|
usage(NULL);
|
|
break; /* not actually reached */
|
|
|
|
case 'h': /* --help */
|
|
usage(NULL);
|
|
break; /* not actually reached */
|
|
|
|
case 'v': /* --version */
|
|
printf("%s\n", openac_version);
|
|
exit(0);
|
|
break; /* not actually reached */
|
|
|
|
case '+': /* --optionsfrom <filename> */
|
|
{
|
|
char path[BUF_LEN];
|
|
|
|
if (*optarg == '/') /* absolute pathname */
|
|
strncpy(path, optarg, BUF_LEN);
|
|
else /* relative pathname */
|
|
snprintf(path, BUF_LEN, "%s/%s", OPENAC_PATH, optarg);
|
|
optionsfrom(path, &argc, &argv, optind, stderr);
|
|
/* does not return on error */
|
|
}
|
|
continue;
|
|
|
|
case 'q': /* --quiet */
|
|
log_to_stderr = TRUE;
|
|
continue;
|
|
|
|
case 'c': /* --cert */
|
|
certfile = optarg;
|
|
continue;
|
|
|
|
case 'k': /* --key */
|
|
keyfile = optarg;
|
|
continue;
|
|
|
|
case 'p': /* --key */
|
|
pass.prompt = FALSE;
|
|
strncpy(pass.secret, optarg, sizeof(pass.secret));
|
|
continue;
|
|
|
|
case 'u': /* --usercert */
|
|
usercertfile = optarg;
|
|
continue;
|
|
|
|
case 'g': /* --groups */
|
|
decode_groups(optarg, &groups);
|
|
continue;
|
|
|
|
case 'D': /* --days */
|
|
if (optarg == NULL || !isdigit(optarg[0]))
|
|
usage("missing number of days");
|
|
{
|
|
char *endptr;
|
|
long days = strtol(optarg, &endptr, 0);
|
|
|
|
if (*endptr != '\0' || endptr == optarg
|
|
|| days <= 0)
|
|
usage("<days> must be a positive number");
|
|
validity += 24*3600*days;
|
|
}
|
|
continue;
|
|
|
|
case 'H': /* --hours */
|
|
if (optarg == NULL || !isdigit(optarg[0]))
|
|
usage("missing number of hours");
|
|
{
|
|
char *endptr;
|
|
long hours = strtol(optarg, &endptr, 0);
|
|
|
|
if (*endptr != '\0' || endptr == optarg
|
|
|| hours <= 0)
|
|
usage("<hours> must be a positive number");
|
|
validity += 3600*hours;
|
|
}
|
|
continue;
|
|
|
|
case 'S': /* --startdate */
|
|
if (optarg == NULL || strlen(optarg) != 15 || optarg[14] != 'Z')
|
|
usage("date format must be YYYYMMDDHHMMSSZ");
|
|
{
|
|
chunk_t date = { optarg, 15 };
|
|
notBefore = asn1totime(&date, ASN1_GENERALIZEDTIME);
|
|
}
|
|
continue;
|
|
|
|
case 'E': /* --enddate */
|
|
if (optarg == NULL || strlen(optarg) != 15 || optarg[14] != 'Z')
|
|
usage("date format must be YYYYMMDDHHMMSSZ");
|
|
{
|
|
chunk_t date = { optarg, 15 };
|
|
notAfter = asn1totime(&date, ASN1_GENERALIZEDTIME);
|
|
}
|
|
continue;
|
|
|
|
case 'o': /* --outt */
|
|
outfile = optarg;
|
|
continue ;
|
|
|
|
#ifdef DEBUG
|
|
case 'A': /* --debug-all */
|
|
base_debugging = DBG_ALL;
|
|
continue;
|
|
#endif
|
|
default:
|
|
#ifdef DEBUG
|
|
if (c >= DBG_OFFSET)
|
|
{
|
|
base_debugging |= c - DBG_OFFSET;
|
|
continue;
|
|
}
|
|
#undef DBG_OFFSET
|
|
#endif
|
|
bad_case(c);
|
|
}
|
|
break;
|
|
}
|
|
|
|
init_log("openac");
|
|
cur_debugging = base_debugging;
|
|
|
|
if (optind != argc)
|
|
usage("unexpected argument");
|
|
|
|
/* load the signer's RSA private key */
|
|
if (keyfile != NULL)
|
|
{
|
|
err_t ugh = NULL;
|
|
|
|
signerkey = alloc_thing(RSA_private_key_t, "RSA private key");
|
|
ugh = load_rsa_private_key(keyfile, &pass, signerkey);
|
|
|
|
if (ugh != NULL)
|
|
{
|
|
free_RSA_private_content(signerkey);
|
|
pfree(signerkey);
|
|
plog("%s", ugh);
|
|
exit(1);
|
|
}
|
|
}
|
|
|
|
/* load the signer's X.509 certificate */
|
|
if (certfile != NULL)
|
|
{
|
|
if (!load_cert(certfile, "signer cert", &signercert))
|
|
exit(1);
|
|
signer = signercert.u.x509;
|
|
}
|
|
|
|
/* load the users's X.509 certificate */
|
|
if (usercertfile != NULL)
|
|
{
|
|
if (!load_cert(usercertfile, "user cert", &usercert))
|
|
exit(1);
|
|
user = usercert.u.x509;
|
|
}
|
|
|
|
/* compute validity interval */
|
|
validity = (validity)? validity : default_validity;
|
|
notBefore = (notBefore) ? notBefore : time(NULL);
|
|
notAfter = (notAfter) ? notAfter : notBefore + validity;
|
|
|
|
/* build and parse attribute certificate */
|
|
if (user != NULL && signer != NULL && signerkey != NULL)
|
|
{
|
|
/* read the serial number and increment it by one */
|
|
serial = read_serial();
|
|
|
|
attr_cert = build_attr_cert();
|
|
ac = alloc_thing(x509acert_t, "x509acert");
|
|
*ac = empty_ac;
|
|
parse_ac(attr_cert, ac);
|
|
|
|
/* write the attribute certificate to file */
|
|
if (write_chunk(outfile, "attribute cert", attr_cert, 0022, TRUE))
|
|
write_serial(serial);
|
|
}
|
|
|
|
/* delete all dynamic objects */
|
|
if (signerkey != NULL)
|
|
{
|
|
free_RSA_private_content(signerkey);
|
|
pfree(signerkey);
|
|
}
|
|
free_x509cert(signercert.u.x509);
|
|
free_x509cert(usercert.u.x509);
|
|
free_ietfAttrList(groups);
|
|
free_acert(ac);
|
|
pfree(serial.ptr);
|
|
|
|
#ifdef LEAK_DETECTIVE
|
|
report_leaks();
|
|
#endif /* LEAK_DETECTIVE */
|
|
close_log();
|
|
exit(0);
|
|
}
|