From: Martin Willi Date: Mon, 31 Mar 2014 09:30:51 +0000 (+0200) Subject: openac: Remove obsolete openac utility X-Git-Tag: 5.1.3rc1~24^2~1 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=dbd4fc074a791538e460d5ec29919c843721ede4;p=thirdparty%2Fstrongswan.git openac: Remove obsolete openac utility The same functionality is now provided by the pki --acert subcommand. --- diff --git a/conf/options/tools.opt b/conf/options/tools.opt index 23e6a1c9f8..72a49de289 100644 --- a/conf/options/tools.opt +++ b/conf/options/tools.opt @@ -1,6 +1,3 @@ -openac.load = - Plugins to load in ipsec openac tool. - pki.load = Plugins to load in ipsec pki tool. diff --git a/configure.ac b/configure.ac index bdcf397dd8..e8eb5a67c4 100644 --- a/configure.ac +++ b/configure.ac @@ -265,7 +265,7 @@ ARG_ENABL_SET([medsrv], [enable mediation server web frontend and daemon ARG_ENABL_SET([nm], [enable NetworkManager backend.]) ARG_DISBL_SET([scripts], [disable additional utilities (found in directory scripts).]) ARG_ENABL_SET([tkm], [enable Trusted Key Manager support.]) -ARG_DISBL_SET([tools], [disable additional utilities (openac, scepclient and pki).]) +ARG_DISBL_SET([tools], [disable additional utilities (scepclient and pki).]) # optional features ARG_ENABL_SET([bfd-backtraces], [use binutils libbfd to resolve backtraces for memory leaks and segfaults.]) ARG_DISBL_SET([ikev1], [disable IKEv1 protocol support in charon.]) @@ -1053,7 +1053,6 @@ charon_plugins= starter_plugins= pool_plugins= attest_plugins= -openac_plugins= scepclient_plugins= pki_plugins= scripts_plugins= @@ -1069,7 +1068,7 @@ h_plugins= s_plugins= t_plugins= -ADD_PLUGIN([test-vectors], [s charon openac scepclient pki]) +ADD_PLUGIN([test-vectors], [s charon scepclient pki]) ADD_PLUGIN([curl], [s charon scepclient scripts nm cmd]) ADD_PLUGIN([soup], [s charon scripts nm cmd]) ADD_PLUGIN([unbound], [s charon scripts]) @@ -1077,38 +1076,38 @@ ADD_PLUGIN([ldap], [s charon scepclient scripts nm cmd]) ADD_PLUGIN([mysql], [s charon pool manager medsrv attest]) ADD_PLUGIN([sqlite], [s charon pool manager medsrv attest]) ADD_PLUGIN([pkcs11], [s charon pki nm cmd]) -ADD_PLUGIN([aes], [s charon openac scepclient pki scripts nm cmd]) -ADD_PLUGIN([des], [s charon openac scepclient pki scripts nm cmd]) -ADD_PLUGIN([blowfish], [s charon openac scepclient pki scripts nm cmd]) -ADD_PLUGIN([rc2], [s charon openac scepclient pki scripts nm cmd]) -ADD_PLUGIN([sha1], [s charon openac scepclient pki scripts medsrv attest nm cmd]) -ADD_PLUGIN([sha2], [s charon openac scepclient pki scripts medsrv attest nm cmd]) -ADD_PLUGIN([md4], [s charon openac manager scepclient pki nm cmd]) -ADD_PLUGIN([md5], [s charon openac scepclient pki scripts attest nm cmd]) -ADD_PLUGIN([rdrand], [s charon openac scepclient pki scripts medsrv attest nm cmd]) -ADD_PLUGIN([random], [s charon openac scepclient pki scripts medsrv attest nm cmd]) +ADD_PLUGIN([aes], [s charon scepclient pki scripts nm cmd]) +ADD_PLUGIN([des], [s charon scepclient pki scripts nm cmd]) +ADD_PLUGIN([blowfish], [s charon scepclient pki scripts nm cmd]) +ADD_PLUGIN([rc2], [s charon scepclient pki scripts nm cmd]) +ADD_PLUGIN([sha1], [s charon scepclient pki scripts medsrv attest nm cmd]) +ADD_PLUGIN([sha2], [s charon scepclient pki scripts medsrv attest nm cmd]) +ADD_PLUGIN([md4], [s charon manager scepclient pki nm cmd]) +ADD_PLUGIN([md5], [s charon scepclient pki scripts attest nm cmd]) +ADD_PLUGIN([rdrand], [s charon scepclient pki scripts medsrv attest nm cmd]) +ADD_PLUGIN([random], [s charon scepclient pki scripts medsrv attest nm cmd]) ADD_PLUGIN([nonce], [s charon nm cmd]) -ADD_PLUGIN([x509], [s charon openac scepclient pki scripts attest nm cmd]) +ADD_PLUGIN([x509], [s charon scepclient pki scripts attest nm cmd]) ADD_PLUGIN([revocation], [s charon nm cmd]) ADD_PLUGIN([constraints], [s charon nm cmd]) ADD_PLUGIN([acert], [s charon]) ADD_PLUGIN([pubkey], [s charon cmd]) -ADD_PLUGIN([pkcs1], [s charon openac scepclient pki scripts manager medsrv attest nm cmd]) +ADD_PLUGIN([pkcs1], [s charon scepclient pki scripts manager medsrv attest nm cmd]) ADD_PLUGIN([pkcs7], [s charon scepclient pki scripts nm cmd]) -ADD_PLUGIN([pkcs8], [s charon openac scepclient pki scripts manager medsrv attest nm cmd]) +ADD_PLUGIN([pkcs8], [s charon scepclient pki scripts manager medsrv attest nm cmd]) ADD_PLUGIN([pkcs12], [s charon scepclient pki scripts cmd]) ADD_PLUGIN([pgp], [s charon]) ADD_PLUGIN([dnskey], [s charon pki]) ADD_PLUGIN([sshkey], [s charon pki nm cmd]) ADD_PLUGIN([dnscert], [c charon]) ADD_PLUGIN([ipseckey], [c charon]) -ADD_PLUGIN([pem], [s charon openac scepclient pki scripts manager medsrv attest nm cmd]) +ADD_PLUGIN([pem], [s charon scepclient pki scripts manager medsrv attest nm cmd]) ADD_PLUGIN([padlock], [s charon]) -ADD_PLUGIN([openssl], [s charon openac scepclient pki scripts manager medsrv attest nm cmd]) -ADD_PLUGIN([gcrypt], [s charon openac scepclient pki scripts manager medsrv attest nm cmd]) -ADD_PLUGIN([af-alg], [s charon openac scepclient pki scripts medsrv attest nm cmd]) +ADD_PLUGIN([openssl], [s charon scepclient pki scripts manager medsrv attest nm cmd]) +ADD_PLUGIN([gcrypt], [s charon scepclient pki scripts manager medsrv attest nm cmd]) +ADD_PLUGIN([af-alg], [s charon scepclient pki scripts medsrv attest nm cmd]) ADD_PLUGIN([fips-prf], [s charon nm cmd]) -ADD_PLUGIN([gmp], [s charon openac scepclient pki scripts manager medsrv attest nm cmd]) +ADD_PLUGIN([gmp], [s charon scepclient pki scripts manager medsrv attest nm cmd]) ADD_PLUGIN([agent], [s charon nm cmd]) ADD_PLUGIN([keychain], [s charon cmd]) ADD_PLUGIN([xcbc], [s charon nm cmd]) @@ -1190,7 +1189,6 @@ AC_SUBST(charon_plugins) AC_SUBST(starter_plugins) AC_SUBST(pool_plugins) AC_SUBST(attest_plugins) -AC_SUBST(openac_plugins) AC_SUBST(scepclient_plugins) AC_SUBST(pki_plugins) AC_SUBST(scripts_plugins) @@ -1586,7 +1584,6 @@ AC_CONFIG_FILES([ src/_updown/Makefile src/_updown_espmark/Makefile src/_copyright/Makefile - src/openac/Makefile src/scepclient/Makefile src/pki/Makefile src/pki/man/Makefile diff --git a/packages/strongswan/debian/strongswan-tools.install b/packages/strongswan/debian/strongswan-tools.install index 353a7db8db..1b7872d86b 100644 --- a/packages/strongswan/debian/strongswan-tools.install +++ b/packages/strongswan/debian/strongswan-tools.install @@ -1,5 +1,3 @@ usr/lib/strongswan/scepclient usr/lib/strongswan/ -usr/lib/strongswan/openac usr/lib/strongswan/ usr/lib/strongswan/pki usr/lib/strongswan/ usr/share/man/man8/scepclient.8 usr/share/man/man8/ -usr/share/man/man8/openac.8 usr/share/man/man8/ diff --git a/src/Makefile.am b/src/Makefile.am index 7d11893d1e..93da4893f9 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -73,7 +73,7 @@ if USE_UPDOWN endif if USE_TOOLS - SUBDIRS += openac scepclient pki + SUBDIRS += scepclient pki endif if USE_CONFTEST diff --git a/src/checksum/Makefile.am b/src/checksum/Makefile.am index d172b1545a..82bbadcf1e 100644 --- a/src/checksum/Makefile.am +++ b/src/checksum/Makefile.am @@ -100,7 +100,6 @@ if USE_CMD endif if USE_TOOLS - exes += $(DESTDIR)$(ipsecdir)/openac exes += $(DESTDIR)$(ipsecdir)/scepclient exes += $(DESTDIR)$(bindir)/pki endif diff --git a/src/ipsec/_ipsec.in b/src/ipsec/_ipsec.in index 3c1f998252..61632188a6 100644 --- a/src/ipsec/_ipsec.in +++ b/src/ipsec/_ipsec.in @@ -70,7 +70,6 @@ case "$1" in echo " rereadcacerts|rereadaacerts|rereadocspcerts" echo " rereadacerts|rereadcrls|rereadall" echo " purgeocsp|purgecrls|purgecerts|purgeike" - echo " openac" echo " scepclient" echo " secrets" echo " starter" diff --git a/src/openac/.gitignore b/src/openac/.gitignore deleted file mode 100644 index 9aa85775fb..0000000000 --- a/src/openac/.gitignore +++ /dev/null @@ -1 +0,0 @@ -openac diff --git a/src/openac/Makefile.am b/src/openac/Makefile.am deleted file mode 100644 index 78a466bd69..0000000000 --- a/src/openac/Makefile.am +++ /dev/null @@ -1,11 +0,0 @@ -ipsec_PROGRAMS = openac -openac_SOURCES = openac.c -dist_man_MANS = openac.8 - -AM_CPPFLAGS = \ - -I$(top_srcdir)/src/libstrongswan \ - -DIPSEC_CONFDIR=\"${sysconfdir}\" \ - -DPLUGINS=\""${openac_plugins}\"" - -openac_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la -openac.o : $(top_builddir)/config.status diff --git a/src/openac/openac.8 b/src/openac/openac.8 deleted file mode 100644 index ed1b8ed6c4..0000000000 --- a/src/openac/openac.8 +++ /dev/null @@ -1,165 +0,0 @@ -.TH IPSEC_OPENAC 8 "22 September 2007" -.SH NAME -ipsec openac \- Generation of X.509 attribute certificates -.SH SYNOPSIS -.B ipsec -.B openac -[ -.B \-\-help -] [ -.B \-\-version -] [ -.B \-\-optionsfrom -\fIfilename\fP -] -.br -\ \ \ [ -.B \-\-quiet -] [ -.B \-\-debug -\fIlevel\fP -] -.br -\ \ \ [ -.B \-\-days -\fIdays\fP -] [ -.B \-\-hours -\fIhours\fP -] -.br -\ \ \ [ -.B \-\-startdate -\fIYYYYMMDDHHMMSSZ\fP -] [ -.B \-\-stopdate -\fIYYYYMMDDHHMMSSZ\fP -] -.br -.B \ \ \ \-\-cert -\fIcertfile\fP -.B \-\-key -\fIkeyfile\fP -[ -.B \-\-password -\fIpassword\fP -] -.br -.B \ \ \ \-\-usercert -\fIcertfile\fP -.B \-\-groups -\fIattr1,attr2,...\fP -.B \-\-out -\fIfilename\fP -.SH DESCRIPTION -.BR openac -is intended to be used by an Authorization Authority (AA) to generate and sign -X.509 attribute certificates. Currently only the inclusion of one ore several group -attributes is supported. An attribute certificate is linked to a holder by -including the issuer and serial number of the holder's X.509 certificate. -.SH OPTIONS -.TP -\fB\-\-help\fP -display the usage message. -.TP -\fB\-\-version\fP -display the version of \fBopenac\fP. -.TP -\fB\-\-optionsfrom\fP\ \fIfilename\fP -adds the contents of the file to the argument list. -If \fIfilename\fP is a relative path then the file is searched in the directory -\fI/etc/openac\fP. -.TP -\fB\-\-quiet\fP -By default \fBopenac\fP logs all control output both to syslog and stderr. -With the \fB\-\-quiet\fP option no output is written to stderr. -.TP -\fB\-\-days\fP\ \fIdays\fP -Validity of the X.509 attribute certificate in days. If neiter the \fB\-\-days\fP\ nor -the \fB\-\-hours\fP\ option is specified then a default validity interval of 1 day is assumed. -The \fB\-\-days\fP\ option can be combined with the \fB\-\-hours\fP\ option. -.TP -\fB\-\-hours\fP\ \fIhours\fP -Validity of the X.509 attribute certificate in hours. If neiter the \fB\-\-hours\fP\ nor -the \fB\-\-days\fP\ option is specified then a default validity interval of 24 hours is assumed. -The \fB\-\-hours\fP\ option can be combined with the \fB\-\-days\fP\ option. -.TP -\fB\-\-startdate\fP\ \fIYYYYMMDDHHMMSSZ\fP -defines the \fBnotBefore\fP date when the X.509 attribute certificate becomes valid. -The date \fIYYYYMMDDHHMMSS\fP must be specified in UTC (\fIZ\fPulu time). -If the \fB\-\-startdate\fP option is not specified then the current date is taken as a default. - -.TP -\fB\-\-stopdate\fP\ \fIYYYYMMDDHHMMSSZ\fP -defines the \fBnotAfter\fP date when the X.509 attribute certificate will expire. -The date \fIYYYYMMDDHHMMSS\fP must be specified in UTC (\fIZ\fPulu time). -If the \fB\-\-stopdate\fP option is not specified then the default \fBnotAfter\fP value is computed -by adding the validity interval specified by the \fB\-\-days\fP\ and/or \fB\-\-days\fP\ options -to the \fBnotBefore\fP date. -.TP -\fB\-\-cert\fP\ \fIcertfile\fP -specifies the file containing the X.509 certificate of the Authorization Authority. -The certificate is stored either in PEM or DER format. -.TP -\fB\-\-key\fP\ \fIkeyfile\fP -specifies the encrypted file containing the private RSA key of the Authoritzation -Authority. The private key is stored in PKCS#1 format. -.TP -\fB\-\-password\fP\ \fIpassword\fP -specifies the password with which the private RSA keyfile defined by the -\fB\-\-key\fP option has been protected. If the option is missing then the -password is prompted for on the command line. -.TP -\fB\-\-usercert\fP\ \fIcertfile\fP -specifies file containing the X.509 certificate of the user to which the generated attribute -certificate will apply. The certificate file is stored either in PEM or DER format. -.TP -\fB\-\-groups\fP\ \fIattr1,attr2\fP -specifies a comma-separated list of group attributes that will go into the -X.509 attribute certificate. -.TP -\fB\-\-out\fP\ \fIfilename\fP -specifies the file where the generated X.509 attribute certificate will be stored to. -.SS Debugging -.LP -\fBopenac\fP produces a prodigious amount of debugging information. To do so, -it must be compiled with \-DDEBUG. There are several classes of debugging output, -and \fBopenac\fP may be directed to produce a selection of them. All lines of -debugging output are prefixed with ``|\ '' to distinguish them from error messages. -.LP -When \fBopenac\fP is invoked, it may be given arguments to specify -which classes to output. The current options are: -.TP -\fB\-\-debug\fP\ \fIlevel\fP -sets the debug level to 0 (none), 1 (normal), 2 (more), 3 (raw), and 4 (private), -the default level being 1. -.SH EXIT STATUS -.LP -The execution of \fBopenac\fP terminates with one of the following two exit codes: -.TP -0 -means that the attribute certificate was successfully generated and stored. -.TP -1 -means that something went wrong. -.SH FILES -\fI/etc/openac/serial\fP\ \ \ serial number of latest attribute certificate -.SH SEE ALSO -.LP -The X.509 attribute certificates generated with \fBopenac\fP can be used to -enforce group policies defined by \fIipsec.conf\fP(5). Use \fIipsec_auto\fP(8) -to load and list X.509 attribute certificates. -.LP -For more information on X.509 attribute certificates, refer to the following -IETF RFC: -.IP -RFC 3281 An Internet Attribute Certificate Profile for Authorization -.SH HISTORY -The \fBopenac\fP program was originally written by Ariane Seiler and Ueli Galizzi. -The software was recoded by Andreas Steffen using strongSwan's X.509 library and -the ASN.1 code synthesis functions written by Christoph Gysin and Christoph Zwahlen. -All authors were with the Zurich University of Applied Sciences in Winterthur, -Switzerland. -.LP -.SH BUGS -Bugs should be reported to the mailing list. diff --git a/src/openac/openac.c b/src/openac/openac.c deleted file mode 100644 index 1424a7e729..0000000000 --- a/src/openac/openac.c +++ /dev/null @@ -1,564 +0,0 @@ -/** - * @file openac.c - * - * @brief Generation of X.509 attribute certificates. - * - */ - -/* - * Copyright (C) 2002 Ueli Galizzi, Ariane Seiler - * Copyright (C) 2004,2007 Andreas Steffen - * Hochschule fuer Technik Rapperswil, Switzerland - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See . - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#include -#include -#include -#include -#include -#include -#include -#include - -#define OPENAC_PATH IPSEC_CONFDIR "/openac" -#define OPENAC_SERIAL IPSEC_CONFDIR "/openac/serial" - -#define DEFAULT_VALIDITY 24*3600 /* seconds */ - -/** - * @brief prints the usage of the program to the stderr - */ -static void usage(const char *message) -{ - if (message != NULL && *message != '\0') - { - fprintf(stderr, "%s\n", message); - } - fprintf(stderr, "Usage: openac" - " [--help]" - " [--version]" - " [--optionsfrom ]" - " [--quiet]" - " \\\n\t" - " [--debug ]" - " \\\n\t" - " [--days ]" - " [--hours ]" - " \\\n\t" - " [--startdate ]" - " [--enddate ]" - " \\\n\t" - " --cert " - " --key " - " [--password ]" - " \\\n\t" - " --usercert " - " --groups " - " --out " - "\n" - ); -} - -/** - * read the last serial number from file - */ -static chunk_t read_serial(void) -{ - chunk_t hex, serial = chunk_empty; - char one[] = {0x01}; - FILE *fd; - - fd = fopen(OPENAC_SERIAL, "r"); - if (fd) - { - hex = chunk_alloca(64); - hex.len = fread(hex.ptr, 1, hex.len, fd); - if (hex.len) - { - /* remove any terminating newline character */ - if (hex.ptr[hex.len-1] == '\n') - { - hex.len--; - } - serial = chunk_alloca((hex.len / 2) + (hex.len % 2)); - serial = chunk_from_hex(hex, serial.ptr); - } - fclose(fd); - } - else - { - DBG1(DBG_LIB, " file '%s' does not exist yet - serial number " - "set to 01", OPENAC_SERIAL); - } - if (!serial.len) - { - return chunk_clone(chunk_create(one, 1)); - } - if (chunk_increment(serial)) - { /* overflow, prepend 0x01 */ - return chunk_cat("cc", chunk_create(one, 1), serial); - } - return chunk_clone(serial); -} - -/** - * write back the last serial number to file - */ -static void write_serial(chunk_t serial) -{ - FILE *fd = fopen(OPENAC_SERIAL, "w"); - - if (fd) - { - chunk_t hex_serial; - - DBG1(DBG_LIB, " serial number is %#B", &serial); - hex_serial = chunk_to_hex(serial, NULL, FALSE); - fprintf(fd, "%.*s\n", (int)hex_serial.len, hex_serial.ptr); - fclose(fd); - free(hex_serial.ptr); - } - else - { - DBG1(DBG_LIB, " could not open file '%s' for writing", OPENAC_SERIAL); - } -} - -/** - * global variables accessible by both main() and build.c - */ - -static int debug_level = 1; -static bool stderr_quiet = FALSE; - -/** - * openac dbg function - */ -static void openac_dbg(debug_t group, level_t level, char *fmt, ...) -{ - int priority = LOG_INFO; - char buffer[8192]; - char *current = buffer, *next; - va_list args; - - if (level <= debug_level) - { - if (!stderr_quiet) - { - va_start(args, fmt); - vfprintf(stderr, fmt, args); - fprintf(stderr, "\n"); - va_end(args); - } - - /* write in memory buffer first */ - va_start(args, fmt); - vsnprintf(buffer, sizeof(buffer), fmt, args); - va_end(args); - - /* do a syslog with every line */ - while (current) - { - next = strchr(current, '\n'); - if (next) - { - *(next++) = '\0'; - } - syslog(priority, "%s\n", current); - current = next; - } - } -} - -/** - * @brief openac main program - * - * @param argc number of arguments - * @param argv pointer to the argument values - */ -int main(int argc, char **argv) -{ - certificate_t *attr_cert = NULL; - certificate_t *userCert = NULL; - certificate_t *signerCert = NULL; - private_key_t *signerKey = NULL; - - time_t notBefore = UNDEFINED_TIME; - time_t notAfter = UNDEFINED_TIME; - time_t validity = 0; - - char *keyfile = NULL; - char *certfile = NULL; - char *usercertfile = NULL; - char *outfile = NULL; - char *groups = ""; - char buf[BUF_LEN]; - - chunk_t passphrase = { buf, 0 }; - chunk_t serial = chunk_empty; - chunk_t attr_chunk = chunk_empty; - - int status = 1; - - /* enable openac debugging hook */ - dbg = openac_dbg; - - passphrase.ptr[0] = '\0'; - - openlog("openac", 0, LOG_AUTHPRIV); - - /* initialize library */ - atexit(library_deinit); - if (!library_init(NULL, "openac")) - { - exit(SS_RC_LIBSTRONGSWAN_INTEGRITY); - } - if (lib->integrity && - !lib->integrity->check_file(lib->integrity, "openac", argv[0])) - { - fprintf(stderr, "integrity check of openac failed\n"); - exit(SS_RC_DAEMON_INTEGRITY); - } - if (!lib->plugins->load(lib->plugins, - lib->settings->get_str(lib->settings, "openac.load", PLUGINS))) - { - exit(SS_RC_INITIALIZATION_FAILED); - } - - /* initialize optionsfrom */ - options_t *options = options_create(); - - /* handle arguments */ - for (;;) - { - static const struct option long_opts[] = { - /* name, has_arg, flag, val */ - { "help", no_argument, NULL, 'h' }, - { "version", no_argument, NULL, 'v' }, - { "optionsfrom", required_argument, NULL, '+' }, - { "quiet", no_argument, NULL, 'q' }, - { "cert", required_argument, NULL, 'c' }, - { "key", required_argument, NULL, 'k' }, - { "password", required_argument, NULL, 'p' }, - { "usercert", required_argument, NULL, 'u' }, - { "groups", required_argument, NULL, 'g' }, - { "days", required_argument, NULL, 'D' }, - { "hours", required_argument, NULL, 'H' }, - { "startdate", required_argument, NULL, 'S' }, - { "enddate", required_argument, NULL, 'E' }, - { "out", required_argument, NULL, 'o' }, - { "debug", required_argument, NULL, 'd' }, - { 0,0,0,0 } - }; - - int c = getopt_long(argc, argv, "hv+:qc:k:p;u:g:D:H:S:E:o:d:", long_opts, NULL); - - /* Note: "breaking" from case terminates loop */ - switch (c) - { - case EOF: /* end of flags */ - break; - - case 0: /* long option already handled */ - continue; - - case ':': /* diagnostic already printed by getopt_long */ - case '?': /* diagnostic already printed by getopt_long */ - case 'h': /* --help */ - usage(NULL); - status = 1; - goto end; - - case 'v': /* --version */ - printf("openac (strongSwan %s)\n", VERSION); - status = 0; - goto end; - - case '+': /* --optionsfrom */ - { - char path[BUF_LEN]; - - if (*optarg == '/') /* absolute pathname */ - { - strncpy(path, optarg, BUF_LEN); - path[BUF_LEN-1] = '\0'; - } - else /* relative pathname */ - { - snprintf(path, BUF_LEN, "%s/%s", OPENAC_PATH, optarg); - } - if (!options->from(options, path, &argc, &argv, optind)) - { - status = 1; - goto end; - } - } - continue; - - case 'q': /* --quiet */ - stderr_quiet = TRUE; - continue; - - case 'c': /* --cert */ - certfile = optarg; - continue; - - case 'k': /* --key */ - keyfile = optarg; - continue; - - case 'p': /* --key */ - if (strlen(optarg) >= BUF_LEN) - { - usage("passphrase too long"); - goto end; - } - strncpy(passphrase.ptr, optarg, BUF_LEN); - passphrase.len = min(strlen(optarg), BUF_LEN); - continue; - - case 'u': /* --usercert */ - usercertfile = optarg; - continue; - - case 'g': /* --groups */ - groups = optarg; - continue; - - case 'D': /* --days */ - if (optarg == NULL || !isdigit(optarg[0])) - { - usage("missing number of days"); - goto end; - } - else - { - char *endptr; - long days = strtol(optarg, &endptr, 0); - - if (*endptr != '\0' || endptr == optarg || days <= 0) - { - usage(" must be a positive number"); - goto end; - } - validity += 24*3600*days; - } - continue; - - case 'H': /* --hours */ - if (optarg == NULL || !isdigit(optarg[0])) - { - usage("missing number of hours"); - goto end; - } - else - { - char *endptr; - long hours = strtol(optarg, &endptr, 0); - - if (*endptr != '\0' || endptr == optarg || hours <= 0) - { - usage(" must be a positive number"); - goto end; - } - validity += 3600*hours; - } - continue; - - case 'S': /* --startdate */ - if (optarg == NULL || strlen(optarg) != 15 || optarg[14] != 'Z') - { - usage("date format must be YYYYMMDDHHMMSSZ"); - goto end; - } - else - { - chunk_t date = { optarg, 15 }; - - notBefore = asn1_to_time(&date, ASN1_GENERALIZEDTIME); - } - continue; - - case 'E': /* --enddate */ - if (optarg == NULL || strlen(optarg) != 15 || optarg[14] != 'Z') - { - usage("date format must be YYYYMMDDHHMMSSZ"); - goto end; - } - else - { - chunk_t date = { optarg, 15 }; - notAfter = asn1_to_time(&date, ASN1_GENERALIZEDTIME); - } - continue; - - case 'o': /* --out */ - outfile = optarg; - continue; - - case 'd': /* --debug */ - debug_level = atoi(optarg); - continue; - - default: - usage(""); - status = 0; - goto end; - } - /* break from loop */ - break; - } - - if (optind != argc) - { - usage("unexpected argument"); - goto end; - } - - DBG1(DBG_LIB, "starting openac (strongSwan Version %s)", VERSION); - - /* load the signer's RSA private key */ - if (keyfile != NULL) - { - mem_cred_t *mem; - shared_key_t *shared; - - mem = mem_cred_create(); - lib->credmgr->add_set(lib->credmgr, &mem->set); - shared = shared_key_create(SHARED_PRIVATE_KEY_PASS, - chunk_clone(passphrase)); - mem->add_shared(mem, shared, NULL); - signerKey = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA, - BUILD_FROM_FILE, keyfile, - BUILD_END); - lib->credmgr->remove_set(lib->credmgr, &mem->set); - mem->destroy(mem); - if (signerKey == NULL) - { - goto end; - } - DBG1(DBG_LIB, " loaded private key file '%s'", keyfile); - } - - /* load the signer's X.509 certificate */ - if (certfile != NULL) - { - signerCert = lib->creds->create(lib->creds, - CRED_CERTIFICATE, CERT_X509, - BUILD_FROM_FILE, certfile, - BUILD_END); - if (signerCert == NULL) - { - goto end; - } - } - - /* load the users's X.509 certificate */ - if (usercertfile != NULL) - { - userCert = lib->creds->create(lib->creds, - CRED_CERTIFICATE, CERT_X509, - BUILD_FROM_FILE, usercertfile, - BUILD_END); - if (userCert == NULL) - { - goto end; - } - } - - /* compute validity interval */ - validity = (validity)? validity : DEFAULT_VALIDITY; - notBefore = (notBefore == UNDEFINED_TIME) ? time(NULL) : notBefore; - notAfter = (notAfter == UNDEFINED_TIME) ? time(NULL) + validity : notAfter; - - /* build and parse attribute certificate */ - if (userCert != NULL && signerCert != NULL && signerKey != NULL && - outfile != NULL) - { - linked_list_t *group_list; - enumerator_t *enumerator; - char *group; - - group_list = linked_list_create(); - enumerator = enumerator_create_token(groups, ",", " "); - while (enumerator->enumerate(enumerator, &group)) - { - group_list->insert_last(group_list, strdup(group)); - } - enumerator->destroy(enumerator); - - /* read the serial number and increment it by one */ - serial = read_serial(); - - attr_cert = lib->creds->create(lib->creds, - CRED_CERTIFICATE, CERT_X509_AC, - BUILD_CERT, userCert, - BUILD_NOT_BEFORE_TIME, notBefore, - BUILD_NOT_AFTER_TIME, notAfter, - BUILD_SERIAL, serial, - BUILD_AC_GROUP_STRINGS, group_list, - BUILD_SIGNING_CERT, signerCert, - BUILD_SIGNING_KEY, signerKey, - BUILD_END); - group_list->destroy_function(group_list, free); - if (!attr_cert) - { - goto end; - } - - /* write the attribute certificate to file */ - if (attr_cert->get_encoding(attr_cert, CERT_ASN1_DER, &attr_chunk)) - { - if (chunk_write(attr_chunk, outfile, 0022, TRUE)) - { - DBG1(DBG_APP, " written attribute cert file '%s' (%d bytes)", - outfile, attr_chunk.len); - write_serial(serial); - status = 0; - } - else - { - DBG1(DBG_APP, " writing attribute cert file '%s' failed: %s", - outfile, strerror(errno)); - } - } - } - else - { - usage("some of the mandatory parameters --usercert --cert --key --out " - "are missing"); - } - -end: - /* delete all dynamically allocated objects */ - DESTROY_IF(signerKey); - DESTROY_IF(signerCert); - DESTROY_IF(userCert); - DESTROY_IF(attr_cert); - free(attr_chunk.ptr); - free(serial.ptr); - closelog(); - dbg = dbg_default; - options->destroy(options); - exit(status); -}