authorRene Mayrhofer <rene@mayrhofer.eu.org>2008-07-09 21:02:41 +0000
committerRene Mayrhofer <rene@mayrhofer.eu.org>2008-07-09 21:02:41 +0000
commitdb67c87db3c9089ea8d2e14f617bf3d9e2af261f (patch)
tree665c0caea83d34c11c1517c4c57137bb58cba6fb /src/openac
parent1c088a8b6237ec67f63c23f97a0f2dc4e99af869 (diff)
[svn-upgrade] Integrating new upstream version, strongswan (4.2.4)
Diffstat (limited to 'src/openac')
-rw-r--r--src/openac/Makefile.am8
-rw-r--r--src/openac/Makefile.in49
-rw-r--r--src/openac/build.c193
-rw-r--r--src/openac/build.h45
-rwxr-xr-xsrc/openac/openac.c163
5 files changed, 142 insertions, 316 deletions
diff --git a/src/openac/Makefile.am b/src/openac/Makefile.am
index 4b88d8b2d..005486779 100644
--- a/src/openac/Makefile.am
+++ b/src/openac/Makefile.am
@@ -1,8 +1,12 @@
ipsec_PROGRAMS = openac
-openac_SOURCES = openac.c build.c build.h
+openac_SOURCES = openac.c
dist_man_MANS = openac.8
INCLUDES = -I$(top_srcdir)/src/libstrongswan
-AM_CFLAGS = -DIPSEC_CONFDIR=\"${confdir}\"
+AM_CFLAGS = \
+ -DIPSEC_CONFDIR=\"${confdir}\" \
+ -DSTRONGSWAN_CONF=\"${strongswan_conf}\" \
+ -DIPSEC_PLUGINDIR=\"${plugindir}\" \
+ -DPLUGINS=\""${libstrongswan_plugins}\""
openac_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la -lgmp
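Review bot: The four `-D…` definitions added to `AM_CFLAGS` are preprocessor flags and belong in `AM_CPPFLAGS` next to the `-I` path (`INCLUDES` is the older automake spelling of `AM_CPPFLAGS`), so that they are applied wherever automake runs the preprocessor, not only in the C compile step. The quoting on the last line, `-DPLUGINS=\""${libstrongswan_plugins}\""`, is doing real work and is easy to "fix" by mistake, so it deserves a comment such as `# \" become the C string quotes; the inner "..." keep the space-separated plugin list as one word`. The two other macros use single backslash-quoted values and would break in the same way if `confdir` or `strongswan_conf` ever contained whitespace, which is worth stating in that comment.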
diff --git a/src/openac/Makefile.in b/src/openac/Makefile.in
index 3cca270a7..00977e038 100644
--- a/src/openac/Makefile.in
+++ b/src/openac/Makefile.in
@@ -1,8 +1,8 @@
-# Makefile.in generated by automake 1.10 from Makefile.am.
+# Makefile.in generated by automake 1.10.1 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006 Free Software Foundation, Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -45,7 +45,7 @@ CONFIG_CLEAN_FILES =
am__installdirs = "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man8dir)"
ipsecPROGRAMS_INSTALL = $(INSTALL_PROGRAM)
PROGRAMS = $(ipsec_PROGRAMS)
-am_openac_OBJECTS = openac.$(OBJEXT) build.$(OBJEXT)
+am_openac_OBJECTS = openac.$(OBJEXT)
openac_OBJECTS = $(am_openac_OBJECTS)
openac_DEPENDENCIES = \
$(top_builddir)/src/libstrongswan/libstrongswan.la
@@ -88,6 +88,7 @@ CXXFLAGS = @CXXFLAGS@
CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
+DSYMUTIL = @DSYMUTIL@
ECHO = @ECHO@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
@@ -117,6 +118,7 @@ LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
MKDIR_P = @MKDIR_P@
+NMEDIT = @NMEDIT@
OBJEXT = @OBJEXT@
PACKAGE = @PACKAGE@
PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
@@ -147,7 +149,6 @@ am__leading_dot = @am__leading_dot@
am__quote = @am__quote@
am__tar = @am__tar@
am__untar = @am__untar@
-backenddir = @backenddir@
bindir = @bindir@
build = @build@
build_alias = @build_alias@
@@ -158,12 +159,11 @@ builddir = @builddir@
confdir = @confdir@
datadir = @datadir@
datarootdir = @datarootdir@
-dbus_CFLAGS = @dbus_CFLAGS@
-dbus_LIBS = @dbus_LIBS@
docdir = @docdir@
dvidir = @dvidir@
-eapdir = @eapdir@
exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
host = @host@
host_alias = @host_alias@
host_cpu = @host_cpu@
@@ -173,12 +173,12 @@ htmldir = @htmldir@
includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
-interfacedir = @interfacedir@
ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
-ipsecuid = @ipsecuid@
+ipsecgroup = @ipsecgroup@
+ipsecuser = @ipsecuser@
libdir = @libdir@
libexecdir = @libexecdir@
+libstrongswan_plugins = @libstrongswan_plugins@
linuxdir = @linuxdir@
localedir = @localedir@
localstatedir = @localstatedir@
@@ -191,20 +191,27 @@ plugindir = @plugindir@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+resolv_conf = @resolv_conf@
sbindir = @sbindir@
sharedstatedir = @sharedstatedir@
simreader = @simreader@
srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
target_alias = @target_alias@
top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
xml_CFLAGS = @xml_CFLAGS@
xml_LIBS = @xml_LIBS@
-openac_SOURCES = openac.c build.c build.h
+openac_SOURCES = openac.c
dist_man_MANS = openac.8
INCLUDES = -I$(top_srcdir)/src/libstrongswan
-AM_CFLAGS = -DIPSEC_CONFDIR=\"${confdir}\"
+AM_CFLAGS = \
+ -DIPSEC_CONFDIR=\"${confdir}\" \
+ -DSTRONGSWAN_CONF=\"${strongswan_conf}\" \
+ -DIPSEC_PLUGINDIR=\"${plugindir}\" \
+ -DPLUGINS=\""${libstrongswan_plugins}\""
+
openac_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la -lgmp
all: all-am
@@ -248,8 +255,8 @@ install-ipsecPROGRAMS: $(ipsec_PROGRAMS)
|| test -f $$p1 \
; then \
f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \
- echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(ipsecPROGRAMS_INSTALL) '$$p' '$(DESTDIR)$(ipsecdir)/$$f'"; \
- $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(ipsecPROGRAMS_INSTALL) "$$p" "$(DESTDIR)$(ipsecdir)/$$f" || exit 1; \
+ echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(ipsecPROGRAMS_INSTALL) '$$p' '$(DESTDIR)$(ipsecdir)/$$f'"; \
+ $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(ipsecPROGRAMS_INSTALL) "$$p" "$(DESTDIR)$(ipsecdir)/$$f" || exit 1; \
else :; fi; \
done
@@ -277,7 +284,6 @@ mostlyclean-compile:
distclean-compile:
-rm -f *.tab.c
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/build.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openac.Po@am__quote@
.c.o:
@@ -357,8 +363,8 @@ ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
unique=`for i in $$list; do \
if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
done | \
- $(AWK) ' { files[$$0] = 1; } \
- END { for (i in files) print i; }'`; \
+ $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+ END { if (nonempty) { for (i in files) print i; }; }'`; \
mkid -fID $$unique
tags: TAGS
@@ -370,8 +376,8 @@ TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
unique=`for i in $$list; do \
if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
done | \
- $(AWK) ' { files[$$0] = 1; } \
- END { for (i in files) print i; }'`; \
+ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+ END { if (nonempty) { for (i in files) print i; }; }'`; \
if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
test -n "$$unique" || unique=$$empty_fix; \
$(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
@@ -381,13 +387,12 @@ ctags: CTAGS
CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
$(TAGS_FILES) $(LISP)
tags=; \
- here=`pwd`; \
list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
unique=`for i in $$list; do \
if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
done | \
- $(AWK) ' { files[$$0] = 1; } \
- END { for (i in files) print i; }'`; \
+ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+ END { if (nonempty) { for (i in files) print i; }; }'`; \
test -z "$(CTAGS_ARGS)$$tags$$unique" \
|| $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
$$tags $$unique
diff --git a/src/openac/build.c b/src/openac/build.c
deleted file mode 100644
index 40c8b7964..000000000
--- a/src/openac/build.c
+++ /dev/null
@@ -1,193 +0,0 @@
-/* Build a X.509 attribute certificate
- * Copyright (C) 2002 Ueli Galizzi, Ariane Seiler
- * Copyright (C) 2004,2007 Andreas Steffen
- * Hochschule fuer Technik Rapperswil, Switzerland
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- *
- * RCSID $Id: build.c 3424 2008-01-22 10:34:44Z andreas $
- */
-
-#include <stdlib.h>
-#include <string.h>
-#include <stdio.h>
-
-#include <asn1/oid.h>
-#include <asn1/asn1.h>
-#include <crypto/ietf_attr_list.h>
-#include <utils/identification.h>
-
-#include "build.h"
-
-static u_char ASN1_group_oid_str[] = {
- 0x06, 0x08,
- 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x0a ,0x04
-};
-
-static const chunk_t ASN1_group_oid = chunk_from_buf(ASN1_group_oid_str);
-
-static u_char ASN1_authorityKeyIdentifier_oid_str[] = {
- 0x06, 0x03,
- 0x55, 0x1d, 0x23
-};
-
-static const chunk_t ASN1_authorityKeyIdentifier_oid =
- chunk_from_buf(ASN1_authorityKeyIdentifier_oid_str);
-
-static u_char ASN1_noRevAvail_ext_str[] = {
- 0x30, 0x09,
- 0x06, 0x03,
- 0x55, 0x1d, 0x38,
- 0x04, 0x02,
- 0x05, 0x00
-};
-
-static const chunk_t ASN1_noRevAvail_ext = chunk_from_buf(ASN1_noRevAvail_ext_str);
-
-/**
- * build directoryName
- */
-static chunk_t build_directoryName(asn1_t tag, chunk_t name)
-{
- return asn1_wrap(tag, "m",
- asn1_simple_object(ASN1_CONTEXT_C_4, name));
-}
-
-/**
- * build holder
- */
-static chunk_t build_holder(void)
-{
- identification_t *issuer = usercert->get_issuer(usercert);
- identification_t *subject = usercert->get_subject(usercert);
-
- return asn1_wrap(ASN1_SEQUENCE, "mm",
- asn1_wrap(ASN1_CONTEXT_C_0, "mm",
- build_directoryName(ASN1_SEQUENCE, issuer->get_encoding(issuer)),
- asn1_simple_object(ASN1_INTEGER, usercert->get_serialNumber(usercert))
- ),
- build_directoryName(ASN1_CONTEXT_C_1, subject->get_encoding(subject)));
-}
-
-/**
- * build v2Form
- */
-static chunk_t build_v2_form(void)
-{
- identification_t *subject = signercert->get_subject(signercert);
-
- return asn1_wrap(ASN1_CONTEXT_C_0, "m",
- build_directoryName(ASN1_SEQUENCE, subject->get_encoding(subject)));
-}
-
-/**
- * build attrCertValidityPeriod
- */
-static chunk_t build_attr_cert_validity(void)
-{
- return asn1_wrap(ASN1_SEQUENCE, "mm",
- timetoasn1(&notBefore, ASN1_GENERALIZEDTIME),
- timetoasn1(&notAfter, ASN1_GENERALIZEDTIME));
-}
-
-
-/**
- * build attribute type
- */
-static chunk_t build_attribute_type(const chunk_t type, chunk_t content)
-{
- return asn1_wrap(ASN1_SEQUENCE, "cm",
- type,
- asn1_wrap(ASN1_SET, "m", content));
-}
-
-/**
- * build attributes
- */
-static chunk_t build_attributes(void)
-{
- return asn1_wrap(ASN1_SEQUENCE, "m",
- build_attribute_type(ASN1_group_oid, ietfAttr_list_encode(groups)));
-}
-
-/**
- * build authorityKeyIdentifier
- */
-static chunk_t build_authorityKeyID(x509_t *signer)
-{
- identification_t *issuer = signer->get_issuer(signer);
- chunk_t subjectKeyID = signer->get_subjectKeyID(signer);
-
- chunk_t keyIdentifier = (subjectKeyID.ptr == NULL)
- ? chunk_empty
- : asn1_simple_object(ASN1_CONTEXT_S_0, subjectKeyID);
-
- chunk_t authorityCertIssuer = build_directoryName(ASN1_CONTEXT_C_1,
- issuer->get_encoding(issuer));
-
- chunk_t authorityCertSerialNumber = asn1_simple_object(ASN1_CONTEXT_S_2,
- signer->get_serialNumber(signer));
-
- return asn1_wrap(ASN1_SEQUENCE, "cm",
- ASN1_authorityKeyIdentifier_oid,
- asn1_wrap(ASN1_OCTET_STRING, "m",
- asn1_wrap(ASN1_SEQUENCE, "mmm",
- keyIdentifier,
- authorityCertIssuer,
- authorityCertSerialNumber
- )
- )
- );
-}
-
-/**
- * build extensions
- */
-static chunk_t build_extensions(void)
-{
- return asn1_wrap(ASN1_SEQUENCE, "mc",
- build_authorityKeyID(signercert),
- ASN1_noRevAvail_ext);
-}
-
-/**
- * build attributeCertificateInfo
- */
-static chunk_t build_attr_cert_info(void)
-{
- return asn1_wrap(ASN1_SEQUENCE, "cmmcmmmm",
- ASN1_INTEGER_1,
- build_holder(),
- build_v2_form(),
- asn1_algorithmIdentifier(OID_SHA1_WITH_RSA),
- asn1_simple_object(ASN1_INTEGER, serial),
- build_attr_cert_validity(),
- build_attributes(),
- build_extensions());
-}
-
-
-/**
- * build an X.509 attribute certificate
- */
-chunk_t build_attr_cert(void)
-{
- chunk_t signatureValue;
- chunk_t attributeCertificateInfo = build_attr_cert_info();
-
- signerkey->build_emsa_pkcs1_signature(signerkey, HASH_SHA1,
- attributeCertificateInfo, &signatureValue);
-
- return asn1_wrap(ASN1_SEQUENCE, "mcm",
- attributeCertificateInfo,
- asn1_algorithmIdentifier(OID_SHA1_WITH_RSA),
- asn1_bitstring("m", signatureValue));
-}
diff --git a/src/openac/build.h b/src/openac/build.h
deleted file mode 100644
index c873c4479..000000000
--- a/src/openac/build.h
+++ /dev/null
@@ -1,45 +0,0 @@
-/* Build a X.509 attribute certificate
- * Copyright (C) 2002 Ueli Galizzi, Ariane Seiler
- * Copyright (C) 2004,2007 Andreas Steffen
- * Hochschule fuer Technik Rapperswil, Switzerland
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- *
- * RCSID $Id: build.h 3270 2007-10-08 20:09:57Z andreas $
- */
-
-#ifndef _BUILD_H
-#define _BUILD_H
-
-#include <time.h>
-
-#include <library.h>
-#include <crypto/x509.h>
-#include <crypto/rsa/rsa_private_key.h>
-#include <utils/linked_list.h>
-
-/*
- * global variables accessible by both main() and build.c
- */
-extern x509_t *usercert;
-extern x509_t *signercert;
-extern rsa_private_key_t *signerkey;
-extern linked_list_t *groups;
-extern time_t notBefore;
-extern time_t notAfter;
-extern chunk_t serial;
-
-/*
- * exported functions
- */
-extern chunk_t build_attr_cert(void);
-
-#endif /* _BUILD_H */
diff --git a/src/openac/openac.c b/src/openac/openac.c
index 3d82940c2..48dc57ece 100755
--- a/src/openac/openac.c
+++ b/src/openac/openac.c
@@ -20,7 +20,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * RCSID $Id: openac.c 3442 2008-02-04 14:46:43Z andreas $
+ * RCSID $Id: openac.c 3967 2008-05-16 08:52:32Z martin $
*/
#include <stdio.h>
@@ -33,11 +33,12 @@
#include <time.h>
#include <gmp.h>
+#include <library.h>
#include <debug.h>
#include <asn1/asn1.h>
-#include <asn1/ttodata.h>
-#include <crypto/ac.h>
-#include <crypto/ietf_attr_list.h>
+#include <asn1/pem.h>
+#include <credentials/certificates/x509.h>
+#include <credentials/certificates/ac.h>
#include <utils/optionsfrom.h>
#ifdef INTEGRITY_TEST
@@ -45,10 +46,10 @@
#include <fips_signature.h>
#endif /* INTEGRITY_TEST */
-#include "build.h"
+#define OPENAC_PATH IPSEC_CONFDIR "/openac"
+#define OPENAC_SERIAL IPSEC_CONFDIR "/openac/serial"
-#define OPENAC_PATH IPSEC_CONFDIR "/openac"
-#define OPENAC_SERIAL IPSEC_CONFDIR "/openac/serial"
+#define DEFAULT_VALIDITY 24*3600 /* seconds */
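Review bot: `DEFAULT_VALIDITY` expands to the unparenthesized `24*3600`, so any future use with a neighbouring operator (for example `x / DEFAULT_VALIDITY`) silently becomes `x / 24 * 3600`; write it as `#define DEFAULT_VALIDITY (24*3600) /* seconds */`. The only use visible in this commit (`validity = (validity)? validity : DEFAULT_VALIDITY;`) is safe today, which is exactly when the parentheses are cheapest to add. Unrelated to the hunk but visible in the file header: `openac.c` is tracked with mode `100755`; a C source file should not carry the executable bit.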
/**
* @brief prints the usage of the program to the stderr
@@ -113,7 +114,8 @@ static chunk_t read_serial(void)
mpz_t number;
char buf[BUF_LEN], buf1[BUF_LEN];
- chunk_t last_serial = { buf1, BUF_LEN};
+ chunk_t hex_serial = { buf, BUF_LEN };
+ chunk_t last_serial = { buf1, BUF_LEN };
chunk_t serial;
FILE *fd = fopen(OPENAC_SERIAL, "r");
@@ -124,15 +126,10 @@ static chunk_t read_serial(void)
if (fd)
{
- if (fscanf(fd, "%s", buf))
+ if (fscanf(fd, "%s", hex_serial.ptr))
{
- err_t ugh = ttodata(buf, 0, 16, last_serial.ptr, BUF_LEN, &last_serial.len);
-
- if (ugh != NULL)
- {
- DBG1(" error reading serial number from %s: %s",
- OPENAC_SERIAL, ugh);
- }
+ hex_serial.len = strlen(hex_serial.ptr);
+ last_serial = chunk_from_hex(hex_serial, last_serial.ptr);
}
fclose(fd);
}
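Review bot: `fscanf(fd, "%s", hex_serial.ptr)` at the top of the hunk reads an unbounded token into the `BUF_LEN`-byte `buf` declared in the previous hunk, so a serial file holding a token of `BUF_LEN` or more characters overruns a stack buffer; the file is normally written by `write_serial()` below, but it is plain text under `IPSEC_CONFDIR`, so the read should still be bounded. The truth test is also wrong for the `strlen()` that now follows it: `fscanf()` returns `EOF` (-1, which is truthy) on an empty file or read error, and `hex_serial.ptr` is then uninitialised. Replace the condition and the length line with `if (fgets(hex_serial.ptr, BUF_LEN, fd))` and `hex_serial.len = strcspn(hex_serial.ptr, " \t\r\n");` (the file has no leading whitespace when produced by `write_serial()`). `chunk_from_hex()` presumably writes at most `hex_serial.len/2` bytes into `buf1`, which then fits, but I have not checked how it treats an odd length or non-hex characters; `read_serial()` continues outside the hunk.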
@@ -164,9 +161,13 @@ static void write_serial(chunk_t serial)
if (fd)
{
+ chunk_t hex_serial;
+
DBG1(" serial number is %#B", &serial);
- fprintf(fd, "%#B\n", &serial);
+ hex_serial = chunk_to_hex(serial, NULL, FALSE);
+ fprintf(fd, "%.*s\n", hex_serial.len, hex_serial.ptr);
fclose(fd);
+ free(hex_serial.ptr);
}
else
{
@@ -175,18 +176,33 @@ static void write_serial(chunk_t serial)
}
/**
- * global variables accessible by both main() and build.c
+ * Load and parse a private key file
*/
-x509_t *usercert = NULL;
-x509_t *signercert = NULL;
-
-linked_list_t *groups = NULL;
-rsa_private_key_t *signerkey = NULL;
+static private_key_t* private_key_create_from_file(char *path, chunk_t *secret)
+{
+ bool pgp = FALSE;
+ chunk_t chunk = chunk_empty;
+ private_key_t *key = NULL;
-time_t notBefore = UNDEFINED_TIME;
-time_t notAfter = UNDEFINED_TIME;
+ if (!pem_asn1_load_file(path, secret, &chunk, &pgp))
+ {
+ DBG1(" could not load private key file '%s'", path);
+ return NULL;
+ }
+ key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
+ BUILD_BLOB_ASN1_DER, chunk, BUILD_END);
+ if (key == NULL)
+ {
+ DBG1(" could not parse loaded private key file '%s'", path);
+ return NULL;
+ }
+ DBG1(" loaded private key file '%s'", path);
+ return key;
+}
-chunk_t serial;
+/**
+ * global variables accessible by both main() and build.c
+ */
static int debug_level = 1;
static bool stderr_quiet = FALSE;
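Review bot: In `private_key_create_from_file()` the blob in `chunk` is handed to `lib->creds->create()` with `BUILD_BLOB_ASN1_DER` and is never freed on the `key == NULL` path; unless the builder adopts the blob even when it fails (not visible here, confirm against the credential factory), those bytes, which are presumably the decrypted private key, stay on the heap unwiped. On that path, wipe and then free `chunk.ptr` before returning, and do the same on success if the builder copies rather than adopts the blob. Separately, the surviving comment `global variables accessible by both main() and build.c` now sits above two `static` variables and `build.c` is deleted in this very commit; change it to `/* debug state consumed by openac_dbg() */`. The new function's header should also say that `secret` is the passphrase used when loading the PEM file and that the caller owns the returned key.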
@@ -220,30 +236,43 @@ static void openac_dbg(int level, char *fmt, ...)
*/
int main(int argc, char **argv)
{
+ certificate_t *attr_cert = NULL;
+ certificate_t *userCert = NULL;
+ certificate_t *signerCert = NULL;
+ private_key_t *signerKey = NULL;
+
+ time_t notBefore = UNDEFINED_TIME;
+ time_t notAfter = UNDEFINED_TIME;
+ time_t validity = 0;
+
char *keyfile = NULL;
char *certfile = NULL;
char *usercertfile = NULL;
char *outfile = NULL;
+ char *groups = "";
char buf[BUF_LEN];
chunk_t passphrase = { buf, 0 };
- chunk_t attr_cert = chunk_empty;
- x509ac_t *ac = NULL;
+ chunk_t serial = chunk_empty;
+ chunk_t attr_chunk = chunk_empty;
- const time_t default_validity = 24*3600; /* 24 hours */
- time_t validity = 0;
int status = 1;
- options_t *options = options_create();
-
/* enable openac debugging hook */
dbg = openac_dbg;
passphrase.ptr[0] = '\0';
- groups = linked_list_create();
openlog("openac", 0, LOG_AUTHPRIV);
+ /* initialize library */
+ library_init(STRONGSWAN_CONF);
+ lib->plugins->load(lib->plugins, IPSEC_PLUGINDIR,
+ lib->settings->get_str(lib->settings, "openac.load", PLUGINS));
+
+ /* initialize optionsfrom */
+ options_t *options = options_create();
+
/* handle arguments */
for (;;)
{
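Review bot: `options_t *options = options_create();` is now declared after executable statements (a C99 mixed declaration) while every other local of `main()` is declared in the block at the top; move the declaration up with the others and keep only `options = options_create();` here, matching the file's own style. The library and plugin initialisation now runs before any argument is parsed, with the plugin list taken from `openac.load` in `STRONGSWAN_CONF` and `PLUGINS` as the compiled-in fallback; that ordering and the fallback deserve a comment, e.g. `/* plugins must be loaded before the credential factory can parse keys and certs below */`. The return value of `lib->plugins->load()` is not checked, so a missing plugin directory is only discovered when `lib->creds->create()` later returns NULL; if `load()` reports failure in this version, checking it here gives a clearer error. `main()` continues outside the hunk.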
@@ -337,7 +366,7 @@ int main(int argc, char **argv)
continue;
case 'g': /* --groups */
- ietfAttr_list_create_from_string(optarg, groups);
+ groups = optarg;
continue;
case 'D': /* --days */
@@ -390,7 +419,7 @@ int main(int argc, char **argv)
{
chunk_t date = { optarg, 15 };
- notBefore = asn1totime(&date, ASN1_GENERALIZEDTIME);
+ notBefore = asn1_to_time(&date, ASN1_GENERALIZEDTIME);
}
continue;
@@ -403,7 +432,7 @@ int main(int argc, char **argv)
else
{
chunk_t date = { optarg, 15 };
- notAfter = asn1totime(&date, ASN1_GENERALIZEDTIME);
+ notAfter = asn1_to_time(&date, ASN1_GENERALIZEDTIME);
}
continue;
@@ -449,9 +478,9 @@ int main(int argc, char **argv)
/* load the signer's RSA private key */
if (keyfile != NULL)
{
- signerkey = rsa_private_key_create_from_file(keyfile, &passphrase);
+ signerKey = private_key_create_from_file(keyfile, &passphrase);
- if (signerkey == NULL)
+ if (signerKey == NULL)
{
goto end;
}
@@ -460,9 +489,12 @@ int main(int argc, char **argv)
/* load the signer's X.509 certificate */
if (certfile != NULL)
{
- signercert = x509_create_from_file(certfile, "signer cert");
-
- if (signercert == NULL)
+ signerCert = lib->creds->create(lib->creds,
+ CRED_CERTIFICATE, CERT_X509,
+ BUILD_FROM_FILE, certfile,
+ BUILD_X509_FLAG, 0,
+ BUILD_END);
+ if (signerCert == NULL)
{
goto end;
}
@@ -471,46 +503,69 @@ int main(int argc, char **argv)
/* load the users's X.509 certificate */
if (usercertfile != NULL)
{
- usercert = x509_create_from_file(usercertfile, "user cert");
-
- if (usercert == NULL)
+ userCert = lib->creds->create(lib->creds,
+ CRED_CERTIFICATE, CERT_X509,
+ BUILD_FROM_FILE, usercertfile,
+ BUILD_X509_FLAG, 0,
+ BUILD_END);
+ if (userCert == NULL)
{
goto end;
}
}
/* compute validity interval */
- validity = (validity)? validity : default_validity;
+ validity = (validity)? validity : DEFAULT_VALIDITY;
notBefore = (notBefore == UNDEFINED_TIME) ? time(NULL) : notBefore;
notAfter = (notAfter == UNDEFINED_TIME) ? time(NULL) + validity : notAfter;
/* build and parse attribute certificate */
- if (usercert != NULL && signercert != NULL && signerkey != NULL)
+ if (userCert != NULL && signerCert != NULL && signerKey != NULL)
{
/* read the serial number and increment it by one */
serial = read_serial();
- attr_cert = build_attr_cert();
- ac = x509ac_create_from_chunk(attr_cert);
+ attr_cert = lib->creds->create(lib->creds,
+ CRED_CERTIFICATE, CERT_X509_AC,
+ BUILD_CERT, userCert->get_ref(userCert),
+ BUILD_NOT_BEFORE_TIME, notBefore,
+ BUILD_NOT_AFTER_TIME, notAfter,
+ BUILD_SERIAL, serial,
+ BUILD_IETF_GROUP_ATTR, groups,
+ BUILD_SIGNING_CERT, signerCert->get_ref(signerCert),
+ BUILD_SIGNING_KEY, signerKey->get_ref(signerKey),
+ BUILD_END);
+ if (!attr_cert)
+ {
+ goto end;
+ }
/* write the attribute certificate to file */
- if (chunk_write(attr_cert, outfile, "attribute cert", 0022, TRUE))
+ attr_chunk = attr_cert->get_encoding(attr_cert);
+ if (chunk_write(attr_chunk, outfile, 0022, TRUE))
{
+ DBG1(" wrote attribute cert file '%s' (%u bytes)", outfile, attr_chunk.len);
write_serial(serial);
status = 0;
}
}
+ else
+ {
+ usage("some of the mandatory parameters --usercert --cert --key "
+ "are missing");
+ }
end:
/* delete all dynamically allocated objects */
- DESTROY_IF(signerkey);
- DESTROY_IF(signercert);
- DESTROY_IF(usercert);
- DESTROY_IF(ac);
- ietfAttr_list_destroy(groups);
+ DESTROY_IF(signerKey);
+ DESTROY_IF(signerCert);
+ DESTROY_IF(userCert);
+ DESTROY_IF(attr_cert);
+ free(attr_chunk.ptr);
free(serial.ptr);
closelog();
dbg = dbg_default;
options->destroy(options);
+ library_deinit();
exit(status);
}
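Review bot: `attr_chunk = attr_cert->get_encoding(attr_cert)` is released with `free(attr_chunk.ptr)` at `end:` after `DESTROY_IF(attr_cert)`, which is only correct if `get_encoding()` returns a copy the caller owns; if it returns the certificate's internal buffer this is a double free, so confirm against `certificate_t` in this version and record the outcome with `/* get_encoding() returns a caller-owned copy */` next to the call. The same ownership question applies to the `get_ref()` references passed for `userCert`, `signerCert` and `signerKey`: when the builder returns NULL they are released only if the builder drops them on failure, and that is not visible here. The new `usage("some of the mandatory parameters ...")` branch runs after all three credential files have already been loaded, so the private key is read and decrypted only to exit; checking `keyfile`, `certfile` and `usercertfile` for NULL before the loads would avoid that. `main()` begins outside the hunk.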