diff options
Diffstat (limited to 'src/openac')
| -rw-r--r-- | src/openac/Makefile.am | 8 | ||||
| -rw-r--r-- | src/openac/Makefile.in | 49 | ||||
| -rw-r--r-- | src/openac/build.c | 193 | ||||
| -rw-r--r-- | src/openac/build.h | 45 | ||||
| -rwxr-xr-x | src/openac/openac.c | 163 |
5 files changed, 142 insertions, 316 deletions
diff --git a/src/openac/Makefile.am b/src/openac/Makefile.am index 4b88d8b2d..005486779 100644 --- a/src/openac/Makefile.am +++ b/src/openac/Makefile.am @@ -1,8 +1,12 @@ ipsec_PROGRAMS = openac -openac_SOURCES = openac.c build.c build.h +openac_SOURCES = openac.c dist_man_MANS = openac.8 INCLUDES = -I$(top_srcdir)/src/libstrongswan -AM_CFLAGS = -DIPSEC_CONFDIR=\"${confdir}\" +AM_CFLAGS = \ + -DIPSEC_CONFDIR=\"${confdir}\" \ + -DSTRONGSWAN_CONF=\"${strongswan_conf}\" \ + -DIPSEC_PLUGINDIR=\"${plugindir}\" \ + -DPLUGINS=\""${libstrongswan_plugins}\"" openac_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la -lgmp diff --git a/src/openac/Makefile.in b/src/openac/Makefile.in index 3cca270a7..00977e038 100644 --- a/src/openac/Makefile.in +++ b/src/openac/Makefile.in @@ -1,8 +1,8 @@ -# Makefile.in generated by automake 1.10 from Makefile.am. +# Makefile.in generated by automake 1.10.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004, 2005, 2006 Free Software Foundation, Inc. +# 2003, 2004, 2005, 2006, 2007, 2008 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. @@ -45,7 +45,7 @@ CONFIG_CLEAN_FILES = am__installdirs = "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man8dir)" ipsecPROGRAMS_INSTALL = $(INSTALL_PROGRAM) PROGRAMS = $(ipsec_PROGRAMS) -am_openac_OBJECTS = openac.$(OBJEXT) build.$(OBJEXT) +am_openac_OBJECTS = openac.$(OBJEXT) openac_OBJECTS = $(am_openac_OBJECTS) openac_DEPENDENCIES = \ $(top_builddir)/src/libstrongswan/libstrongswan.la @@ -88,6 +88,7 @@ CXXFLAGS = @CXXFLAGS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ +DSYMUTIL = @DSYMUTIL@ ECHO = @ECHO@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ @@ -117,6 +118,7 @@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ MAKEINFO = @MAKEINFO@ MKDIR_P = @MKDIR_P@ +NMEDIT = @NMEDIT@ OBJEXT = @OBJEXT@ PACKAGE = @PACKAGE@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ @@ -147,7 +149,6 @@ am__leading_dot = @am__leading_dot@ am__quote = @am__quote@ am__tar = @am__tar@ am__untar = @am__untar@ -backenddir = @backenddir@ bindir = @bindir@ build = @build@ build_alias = @build_alias@ @@ -158,12 +159,11 @@ builddir = @builddir@ confdir = @confdir@ datadir = @datadir@ datarootdir = @datarootdir@ -dbus_CFLAGS = @dbus_CFLAGS@ -dbus_LIBS = @dbus_LIBS@ docdir = @docdir@ dvidir = @dvidir@ -eapdir = @eapdir@ exec_prefix = @exec_prefix@ +gtk_CFLAGS = @gtk_CFLAGS@ +gtk_LIBS = @gtk_LIBS@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -173,12 +173,12 @@ htmldir = @htmldir@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ -interfacedir = @interfacedir@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ -ipsecuid = @ipsecuid@ +ipsecgroup = @ipsecgroup@ +ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ +libstrongswan_plugins = @libstrongswan_plugins@ linuxdir = @linuxdir@ localedir = @localedir@ localstatedir = @localstatedir@ @@ -191,20 +191,27 @@ plugindir = @plugindir@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ +resolv_conf = @resolv_conf@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ simreader = @simreader@ srcdir = @srcdir@ +strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ target_alias = @target_alias@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ xml_CFLAGS = @xml_CFLAGS@ xml_LIBS = @xml_LIBS@ -openac_SOURCES = openac.c build.c build.h +openac_SOURCES = openac.c dist_man_MANS = openac.8 INCLUDES = -I$(top_srcdir)/src/libstrongswan -AM_CFLAGS = -DIPSEC_CONFDIR=\"${confdir}\" +AM_CFLAGS = \ + -DIPSEC_CONFDIR=\"${confdir}\" \ + -DSTRONGSWAN_CONF=\"${strongswan_conf}\" \ + -DIPSEC_PLUGINDIR=\"${plugindir}\" \ + -DPLUGINS=\""${libstrongswan_plugins}\"" + openac_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la -lgmp all: all-am @@ -248,8 +255,8 @@ install-ipsecPROGRAMS: $(ipsec_PROGRAMS) || test -f $$p1 \ ; then \ f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \ - echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(ipsecPROGRAMS_INSTALL) '$$p' '$(DESTDIR)$(ipsecdir)/$$f'"; \ - $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(ipsecPROGRAMS_INSTALL) "$$p" "$(DESTDIR)$(ipsecdir)/$$f" || exit 1; \ + echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(ipsecPROGRAMS_INSTALL) '$$p' '$(DESTDIR)$(ipsecdir)/$$f'"; \ + $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(ipsecPROGRAMS_INSTALL) "$$p" "$(DESTDIR)$(ipsecdir)/$$f" || exit 1; \ else :; fi; \ done @@ -277,7 +284,6 @@ mostlyclean-compile: distclean-compile: -rm -f *.tab.c -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/build.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openac.Po@am__quote@ .c.o: @@ -357,8 +363,8 @@ ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ + $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ mkid -fID $$unique tags: TAGS @@ -370,8 +376,8 @@ TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \ test -n "$$unique" || unique=$$empty_fix; \ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ @@ -381,13 +387,12 @@ ctags: CTAGS CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ $(TAGS_FILES) $(LISP) tags=; \ - here=`pwd`; \ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ test -z "$(CTAGS_ARGS)$$tags$$unique" \ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ $$tags $$unique diff --git a/src/openac/build.c b/src/openac/build.c deleted file mode 100644 index 40c8b7964..000000000 --- a/src/openac/build.c +++ /dev/null @@ -1,193 +0,0 @@ -/* Build a X.509 attribute certificate - * Copyright (C) 2002 Ueli Galizzi, Ariane Seiler - * Copyright (C) 2004,2007 Andreas Steffen - * Hochschule fuer Technik Rapperswil, Switzerland - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - * - * RCSID $Id: build.c 3424 2008-01-22 10:34:44Z andreas $ - */ - -#include <stdlib.h> -#include <string.h> -#include <stdio.h> - -#include <asn1/oid.h> -#include <asn1/asn1.h> -#include <crypto/ietf_attr_list.h> -#include <utils/identification.h> - -#include "build.h" - -static u_char ASN1_group_oid_str[] = { - 0x06, 0x08, - 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x0a ,0x04 -}; - -static const chunk_t ASN1_group_oid = chunk_from_buf(ASN1_group_oid_str); - -static u_char ASN1_authorityKeyIdentifier_oid_str[] = { - 0x06, 0x03, - 0x55, 0x1d, 0x23 -}; - -static const chunk_t ASN1_authorityKeyIdentifier_oid = - chunk_from_buf(ASN1_authorityKeyIdentifier_oid_str); - -static u_char ASN1_noRevAvail_ext_str[] = { - 0x30, 0x09, - 0x06, 0x03, - 0x55, 0x1d, 0x38, - 0x04, 0x02, - 0x05, 0x00 -}; - -static const chunk_t ASN1_noRevAvail_ext = chunk_from_buf(ASN1_noRevAvail_ext_str); - -/** - * build directoryName - */ -static chunk_t build_directoryName(asn1_t tag, chunk_t name) -{ - return asn1_wrap(tag, "m", - asn1_simple_object(ASN1_CONTEXT_C_4, name)); -} - -/** - * build holder - */ -static chunk_t build_holder(void) -{ - identification_t *issuer = usercert->get_issuer(usercert); - identification_t *subject = usercert->get_subject(usercert); - - return asn1_wrap(ASN1_SEQUENCE, "mm", - asn1_wrap(ASN1_CONTEXT_C_0, "mm", - build_directoryName(ASN1_SEQUENCE, issuer->get_encoding(issuer)), - asn1_simple_object(ASN1_INTEGER, usercert->get_serialNumber(usercert)) - ), - build_directoryName(ASN1_CONTEXT_C_1, subject->get_encoding(subject))); -} - -/** - * build v2Form - */ -static chunk_t build_v2_form(void) -{ - identification_t *subject = signercert->get_subject(signercert); - - return asn1_wrap(ASN1_CONTEXT_C_0, "m", - build_directoryName(ASN1_SEQUENCE, subject->get_encoding(subject))); -} - -/** - * build attrCertValidityPeriod - */ -static chunk_t build_attr_cert_validity(void) -{ - return asn1_wrap(ASN1_SEQUENCE, "mm", - timetoasn1(¬Before, ASN1_GENERALIZEDTIME), - timetoasn1(¬After, ASN1_GENERALIZEDTIME)); -} - - -/** - * build attribute type - */ -static chunk_t build_attribute_type(const chunk_t type, chunk_t content) -{ - return asn1_wrap(ASN1_SEQUENCE, "cm", - type, - asn1_wrap(ASN1_SET, "m", content)); -} - -/** - * build attributes - */ -static chunk_t build_attributes(void) -{ - return asn1_wrap(ASN1_SEQUENCE, "m", - build_attribute_type(ASN1_group_oid, ietfAttr_list_encode(groups))); -} - -/** - * build authorityKeyIdentifier - */ -static chunk_t build_authorityKeyID(x509_t *signer) -{ - identification_t *issuer = signer->get_issuer(signer); - chunk_t subjectKeyID = signer->get_subjectKeyID(signer); - - chunk_t keyIdentifier = (subjectKeyID.ptr == NULL) - ? chunk_empty - : asn1_simple_object(ASN1_CONTEXT_S_0, subjectKeyID); - - chunk_t authorityCertIssuer = build_directoryName(ASN1_CONTEXT_C_1, - issuer->get_encoding(issuer)); - - chunk_t authorityCertSerialNumber = asn1_simple_object(ASN1_CONTEXT_S_2, - signer->get_serialNumber(signer)); - - return asn1_wrap(ASN1_SEQUENCE, "cm", - ASN1_authorityKeyIdentifier_oid, - asn1_wrap(ASN1_OCTET_STRING, "m", - asn1_wrap(ASN1_SEQUENCE, "mmm", - keyIdentifier, - authorityCertIssuer, - authorityCertSerialNumber - ) - ) - ); -} - -/** - * build extensions - */ -static chunk_t build_extensions(void) -{ - return asn1_wrap(ASN1_SEQUENCE, "mc", - build_authorityKeyID(signercert), - ASN1_noRevAvail_ext); -} - -/** - * build attributeCertificateInfo - */ -static chunk_t build_attr_cert_info(void) -{ - return asn1_wrap(ASN1_SEQUENCE, "cmmcmmmm", - ASN1_INTEGER_1, - build_holder(), - build_v2_form(), - asn1_algorithmIdentifier(OID_SHA1_WITH_RSA), - asn1_simple_object(ASN1_INTEGER, serial), - build_attr_cert_validity(), - build_attributes(), - build_extensions()); -} - - -/** - * build an X.509 attribute certificate - */ -chunk_t build_attr_cert(void) -{ - chunk_t signatureValue; - chunk_t attributeCertificateInfo = build_attr_cert_info(); - - signerkey->build_emsa_pkcs1_signature(signerkey, HASH_SHA1, - attributeCertificateInfo, &signatureValue); - - return asn1_wrap(ASN1_SEQUENCE, "mcm", - attributeCertificateInfo, - asn1_algorithmIdentifier(OID_SHA1_WITH_RSA), - asn1_bitstring("m", signatureValue)); -} diff --git a/src/openac/build.h b/src/openac/build.h deleted file mode 100644 index c873c4479..000000000 --- a/src/openac/build.h +++ /dev/null @@ -1,45 +0,0 @@ -/* Build a X.509 attribute certificate - * Copyright (C) 2002 Ueli Galizzi, Ariane Seiler - * Copyright (C) 2004,2007 Andreas Steffen - * Hochschule fuer Technik Rapperswil, Switzerland - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - * - * RCSID $Id: build.h 3270 2007-10-08 20:09:57Z andreas $ - */ - -#ifndef _BUILD_H -#define _BUILD_H - -#include <time.h> - -#include <library.h> -#include <crypto/x509.h> -#include <crypto/rsa/rsa_private_key.h> -#include <utils/linked_list.h> - -/* - * global variables accessible by both main() and build.c - */ -extern x509_t *usercert; -extern x509_t *signercert; -extern rsa_private_key_t *signerkey; -extern linked_list_t *groups; -extern time_t notBefore; -extern time_t notAfter; -extern chunk_t serial; - -/* - * exported functions - */ -extern chunk_t build_attr_cert(void); - -#endif /* _BUILD_H */ diff --git a/src/openac/openac.c b/src/openac/openac.c index 3d82940c2..48dc57ece 100755 --- a/src/openac/openac.c +++ b/src/openac/openac.c @@ -20,7 +20,7 @@ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. * - * RCSID $Id: openac.c 3442 2008-02-04 14:46:43Z andreas $ + * RCSID $Id: openac.c 3967 2008-05-16 08:52:32Z martin $ */ #include <stdio.h> @@ -33,11 +33,12 @@ #include <time.h> #include <gmp.h> +#include <library.h> #include <debug.h> #include <asn1/asn1.h> -#include <asn1/ttodata.h> -#include <crypto/ac.h> -#include <crypto/ietf_attr_list.h> +#include <asn1/pem.h> +#include <credentials/certificates/x509.h> +#include <credentials/certificates/ac.h> #include <utils/optionsfrom.h> #ifdef INTEGRITY_TEST @@ -45,10 +46,10 @@ #include <fips_signature.h> #endif /* INTEGRITY_TEST */ -#include "build.h" +#define OPENAC_PATH IPSEC_CONFDIR "/openac" +#define OPENAC_SERIAL IPSEC_CONFDIR "/openac/serial" -#define OPENAC_PATH IPSEC_CONFDIR "/openac" -#define OPENAC_SERIAL IPSEC_CONFDIR "/openac/serial" +#define DEFAULT_VALIDITY 24*3600 /* seconds */ /** * @brief prints the usage of the program to the stderr @@ -113,7 +114,8 @@ static chunk_t read_serial(void) mpz_t number; char buf[BUF_LEN], buf1[BUF_LEN]; - chunk_t last_serial = { buf1, BUF_LEN}; + chunk_t hex_serial = { buf, BUF_LEN }; + chunk_t last_serial = { buf1, BUF_LEN }; chunk_t serial; FILE *fd = fopen(OPENAC_SERIAL, "r"); @@ -124,15 +126,10 @@ static chunk_t read_serial(void) if (fd) { - if (fscanf(fd, "%s", buf)) + if (fscanf(fd, "%s", hex_serial.ptr)) { - err_t ugh = ttodata(buf, 0, 16, last_serial.ptr, BUF_LEN, &last_serial.len); - - if (ugh != NULL) - { - DBG1(" error reading serial number from %s: %s", - OPENAC_SERIAL, ugh); - } + hex_serial.len = strlen(hex_serial.ptr); + last_serial = chunk_from_hex(hex_serial, last_serial.ptr); } fclose(fd); } @@ -164,9 +161,13 @@ static void write_serial(chunk_t serial) if (fd) { + chunk_t hex_serial; + DBG1(" serial number is %#B", &serial); - fprintf(fd, "%#B\n", &serial); + hex_serial = chunk_to_hex(serial, NULL, FALSE); + fprintf(fd, "%.*s\n", hex_serial.len, hex_serial.ptr); fclose(fd); + free(hex_serial.ptr); } else { @@ -175,18 +176,33 @@ static void write_serial(chunk_t serial) } /** - * global variables accessible by both main() and build.c + * Load and parse a private key file */ -x509_t *usercert = NULL; -x509_t *signercert = NULL; - -linked_list_t *groups = NULL; -rsa_private_key_t *signerkey = NULL; +static private_key_t* private_key_create_from_file(char *path, chunk_t *secret) +{ + bool pgp = FALSE; + chunk_t chunk = chunk_empty; + private_key_t *key = NULL; -time_t notBefore = UNDEFINED_TIME; -time_t notAfter = UNDEFINED_TIME; + if (!pem_asn1_load_file(path, secret, &chunk, &pgp)) + { + DBG1(" could not load private key file '%s'", path); + return NULL; + } + key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA, + BUILD_BLOB_ASN1_DER, chunk, BUILD_END); + if (key == NULL) + { + DBG1(" could not parse loaded private key file '%s'", path); + return NULL; + } + DBG1(" loaded private key file '%s'", path); + return key; +} -chunk_t serial; +/** + * global variables accessible by both main() and build.c + */ static int debug_level = 1; static bool stderr_quiet = FALSE; @@ -220,30 +236,43 @@ static void openac_dbg(int level, char *fmt, ...) */ int main(int argc, char **argv) { + certificate_t *attr_cert = NULL; + certificate_t *userCert = NULL; + certificate_t *signerCert = NULL; + private_key_t *signerKey = NULL; + + time_t notBefore = UNDEFINED_TIME; + time_t notAfter = UNDEFINED_TIME; + time_t validity = 0; + char *keyfile = NULL; char *certfile = NULL; char *usercertfile = NULL; char *outfile = NULL; + char *groups = ""; char buf[BUF_LEN]; chunk_t passphrase = { buf, 0 }; - chunk_t attr_cert = chunk_empty; - x509ac_t *ac = NULL; + chunk_t serial = chunk_empty; + chunk_t attr_chunk = chunk_empty; - const time_t default_validity = 24*3600; /* 24 hours */ - time_t validity = 0; int status = 1; - options_t *options = options_create(); - /* enable openac debugging hook */ dbg = openac_dbg; passphrase.ptr[0] = '\0'; - groups = linked_list_create(); openlog("openac", 0, LOG_AUTHPRIV); + /* initialize library */ + library_init(STRONGSWAN_CONF); + lib->plugins->load(lib->plugins, IPSEC_PLUGINDIR, + lib->settings->get_str(lib->settings, "openac.load", PLUGINS)); + + /* initialize optionsfrom */ + options_t *options = options_create(); + /* handle arguments */ for (;;) { @@ -337,7 +366,7 @@ int main(int argc, char **argv) continue; case 'g': /* --groups */ - ietfAttr_list_create_from_string(optarg, groups); + groups = optarg; continue; case 'D': /* --days */ @@ -390,7 +419,7 @@ int main(int argc, char **argv) { chunk_t date = { optarg, 15 }; - notBefore = asn1totime(&date, ASN1_GENERALIZEDTIME); + notBefore = asn1_to_time(&date, ASN1_GENERALIZEDTIME); } continue; @@ -403,7 +432,7 @@ int main(int argc, char **argv) else { chunk_t date = { optarg, 15 }; - notAfter = asn1totime(&date, ASN1_GENERALIZEDTIME); + notAfter = asn1_to_time(&date, ASN1_GENERALIZEDTIME); } continue; @@ -449,9 +478,9 @@ int main(int argc, char **argv) /* load the signer's RSA private key */ if (keyfile != NULL) { - signerkey = rsa_private_key_create_from_file(keyfile, &passphrase); + signerKey = private_key_create_from_file(keyfile, &passphrase); - if (signerkey == NULL) + if (signerKey == NULL) { goto end; } @@ -460,9 +489,12 @@ int main(int argc, char **argv) /* load the signer's X.509 certificate */ if (certfile != NULL) { - signercert = x509_create_from_file(certfile, "signer cert"); - - if (signercert == NULL) + signerCert = lib->creds->create(lib->creds, + CRED_CERTIFICATE, CERT_X509, + BUILD_FROM_FILE, certfile, + BUILD_X509_FLAG, 0, + BUILD_END); + if (signerCert == NULL) { goto end; } @@ -471,46 +503,69 @@ int main(int argc, char **argv) /* load the users's X.509 certificate */ if (usercertfile != NULL) { - usercert = x509_create_from_file(usercertfile, "user cert"); - - if (usercert == NULL) + userCert = lib->creds->create(lib->creds, + CRED_CERTIFICATE, CERT_X509, + BUILD_FROM_FILE, usercertfile, + BUILD_X509_FLAG, 0, + BUILD_END); + if (userCert == NULL) { goto end; } } /* compute validity interval */ - validity = (validity)? validity : default_validity; + validity = (validity)? validity : DEFAULT_VALIDITY; notBefore = (notBefore == UNDEFINED_TIME) ? time(NULL) : notBefore; notAfter = (notAfter == UNDEFINED_TIME) ? time(NULL) + validity : notAfter; /* build and parse attribute certificate */ - if (usercert != NULL && signercert != NULL && signerkey != NULL) + if (userCert != NULL && signerCert != NULL && signerKey != NULL) { /* read the serial number and increment it by one */ serial = read_serial(); - attr_cert = build_attr_cert(); - ac = x509ac_create_from_chunk(attr_cert); + attr_cert = lib->creds->create(lib->creds, + CRED_CERTIFICATE, CERT_X509_AC, + BUILD_CERT, userCert->get_ref(userCert), + BUILD_NOT_BEFORE_TIME, notBefore, + BUILD_NOT_AFTER_TIME, notAfter, + BUILD_SERIAL, serial, + BUILD_IETF_GROUP_ATTR, groups, + BUILD_SIGNING_CERT, signerCert->get_ref(signerCert), + BUILD_SIGNING_KEY, signerKey->get_ref(signerKey), + BUILD_END); + if (!attr_cert) + { + goto end; + } /* write the attribute certificate to file */ - if (chunk_write(attr_cert, outfile, "attribute cert", 0022, TRUE)) + attr_chunk = attr_cert->get_encoding(attr_cert); + if (chunk_write(attr_chunk, outfile, 0022, TRUE)) { + DBG1(" wrote attribute cert file '%s' (%u bytes)", outfile, attr_chunk.len); write_serial(serial); status = 0; } } + else + { + usage("some of the mandatory parameters --usercert --cert --key " + "are missing"); + } end: /* delete all dynamically allocated objects */ - DESTROY_IF(signerkey); - DESTROY_IF(signercert); - DESTROY_IF(usercert); - DESTROY_IF(ac); - ietfAttr_list_destroy(groups); + DESTROY_IF(signerKey); + DESTROY_IF(signerCert); + DESTROY_IF(userCert); + DESTROY_IF(attr_cert); + free(attr_chunk.ptr); free(serial.ptr); closelog(); dbg = dbg_default; options->destroy(options); + library_deinit(); exit(status); } |