[461541a] | 1 | |
---|
| 2 | /* creddy.c */ |
---|
| 3 | |
---|
[abd7c25] | 4 | #include <assert.h> |
---|
[00d21a1] | 5 | #include <errno.h> |
---|
[abd7c25] | 6 | #include <getopt.h> |
---|
| 7 | #include <stdio.h> |
---|
| 8 | #include <stdlib.h> |
---|
| 9 | #include <string.h> |
---|
[461541a] | 10 | #include <ctype.h> |
---|
| 11 | #include <err.h> |
---|
[abd7c25] | 12 | |
---|
[04f5da1] | 13 | #include "creddy_common.h" |
---|
[756011e] | 14 | #include "libabac_common.h" |
---|
| 15 | #include "abac.h" |
---|
| 16 | #include "abac_list.h" |
---|
| 17 | #include "abac_verifier.h" |
---|
[9ac7fb4] | 18 | |
---|
[abd7c25] | 19 | #define OPT_CN 1 |
---|
| 20 | #define OPT_VALIDITY 2 |
---|
[fd0febd] | 21 | #define OPT_CERT 3 |
---|
[085f159] | 22 | #define OPT_ISSUER 4 |
---|
| 23 | #define OPT_KEY 5 |
---|
| 24 | #define OPT_ROLE 6 |
---|
[ee5afdd] | 25 | #define OPT_SUBJECT_CERT 7 |
---|
[085f159] | 26 | #define OPT_SUBJECT_ROLE 8 |
---|
| 27 | #define OPT_OUT 9 // the world oughta be opt-in only :( |
---|
[784a398] | 28 | #define OPT_ATTRCERT 10 |
---|
[ee5afdd] | 29 | #define OPT_SUBJECT_ID 11 |
---|
[0aaa651] | 30 | #define OPT_SHOW 12 |
---|
[461541a] | 31 | #define OPT_ATTRRULE 13 |
---|
[abd7c25] | 32 | |
---|
[980a7b6] | 33 | subject_t *subjects = NULL; |
---|
| 34 | int num_subjects = 0; |
---|
| 35 | int subjects_size = 0; |
---|
| 36 | |
---|
| 37 | char **roles = NULL; |
---|
| 38 | int num_roles = 0; |
---|
| 39 | int roles_size = 0; |
---|
| 40 | |
---|
| 41 | void subject(char *subject, int cert) { |
---|
| 42 | if (num_subjects == subjects_size) { |
---|
| 43 | subjects_size *= 2; |
---|
| 44 | subjects = xrealloc(subjects, sizeof(subject_t) * subjects_size); |
---|
| 45 | } |
---|
| 46 | |
---|
| 47 | int i = num_subjects++; |
---|
| 48 | subjects[i].id = NULL; |
---|
| 49 | subjects[i].cert = NULL; |
---|
| 50 | subjects[i].role = NULL; |
---|
| 51 | |
---|
| 52 | if (cert) |
---|
| 53 | subjects[i].cert = subject; |
---|
| 54 | else |
---|
| 55 | subjects[i].id = subject; |
---|
| 56 | } |
---|
| 57 | |
---|
| 58 | void role(char *role) { |
---|
| 59 | if (num_roles == roles_size) { |
---|
| 60 | roles_size *= 2; |
---|
| 61 | roles = xrealloc(roles, sizeof(char *) * roles_size); |
---|
| 62 | } |
---|
| 63 | |
---|
| 64 | int i = num_roles++; |
---|
| 65 | roles[i] = role; |
---|
| 66 | } |
---|
| 67 | |
---|
[abd7c25] | 68 | int main(int argc, char **argv) { |
---|
| 69 | options_t options = { 0, }; |
---|
[00d21a1] | 70 | char *validity_str = NULL; |
---|
[abd7c25] | 71 | |
---|
[461541a] | 72 | libabac_init(); |
---|
| 73 | |
---|
[980a7b6] | 74 | subjects = xmalloc(sizeof(subject_t) * 2); |
---|
| 75 | subjects_size = 2; |
---|
| 76 | |
---|
| 77 | roles = xmalloc(sizeof(char *) * 2); |
---|
| 78 | roles_size = 2; |
---|
| 79 | |
---|
[abd7c25] | 80 | struct option getopts[] = { |
---|
| 81 | { "help", 0, &options.help, 1 }, |
---|
| 82 | { "generate", 0, &options.mode, MODE_GENERATE }, |
---|
| 83 | { "verify", 0, &options.mode, MODE_VERIFY }, |
---|
| 84 | { "keyid", 0, &options.mode, MODE_KEYID }, |
---|
| 85 | { "attribute", 0, &options.mode, MODE_ATTRIBUTE }, |
---|
| 86 | { "roles", 0, &options.mode, MODE_ROLES }, |
---|
[19be896] | 87 | { "version", 0, &options.mode, MODE_VERSION }, |
---|
[0aaa651] | 88 | { "display", 0, &options.mode, MODE_DISPLAY }, |
---|
[abd7c25] | 89 | |
---|
[fd0febd] | 90 | { "cert", 1, 0, OPT_CERT }, |
---|
| 91 | |
---|
[abd7c25] | 92 | // generate options |
---|
| 93 | { "cn", 1, 0, OPT_CN }, |
---|
| 94 | { "validity", 1, 0, OPT_VALIDITY }, |
---|
| 95 | |
---|
[085f159] | 96 | // attribute options |
---|
| 97 | { "issuer", 1, 0, OPT_ISSUER }, |
---|
| 98 | { "key", 1, 0, OPT_KEY }, |
---|
| 99 | { "role", 1, 0, OPT_ROLE }, |
---|
[ee5afdd] | 100 | { "subject-cert", 1, 0, OPT_SUBJECT_CERT }, |
---|
| 101 | { "subject-id", 1, 0, OPT_SUBJECT_ID }, |
---|
[ec06cb6] | 102 | { "subject-role", 1, 0, OPT_SUBJECT_ROLE }, |
---|
[085f159] | 103 | { "out", 1, 0, OPT_OUT }, |
---|
| 104 | |
---|
[461541a] | 105 | // attribute_rule option |
---|
| 106 | { "attrrule", 1, 0, OPT_ATTRRULE }, |
---|
| 107 | |
---|
[784a398] | 108 | // verify option |
---|
| 109 | { "attrcert", 1, 0, OPT_ATTRCERT }, |
---|
| 110 | |
---|
[0aaa651] | 111 | // display options |
---|
| 112 | { "show", 1, 0, OPT_SHOW }, |
---|
| 113 | |
---|
[abd7c25] | 114 | { NULL }, |
---|
| 115 | }; |
---|
| 116 | |
---|
| 117 | for ( ; ; ) { |
---|
| 118 | int c = getopt_long(argc, argv, "", getopts, NULL); |
---|
| 119 | if (c < 0) |
---|
| 120 | break; |
---|
| 121 | |
---|
| 122 | switch (c) { |
---|
| 123 | // set the option from the value in the getopts struct |
---|
| 124 | case 0: |
---|
| 125 | continue; |
---|
| 126 | |
---|
[fd0febd] | 127 | case OPT_CERT: |
---|
| 128 | options.cert = xstrdup(optarg); |
---|
| 129 | break; |
---|
| 130 | |
---|
[abd7c25] | 131 | // generate options |
---|
| 132 | case OPT_CN: |
---|
| 133 | options.cn = xstrdup(optarg); |
---|
| 134 | break; |
---|
[085f159] | 135 | case OPT_VALIDITY: // also an attribute option |
---|
[00d21a1] | 136 | validity_str = xstrdup(optarg); |
---|
[abd7c25] | 137 | break; |
---|
| 138 | |
---|
[085f159] | 139 | // attribute options |
---|
| 140 | case OPT_ISSUER: |
---|
| 141 | options.issuer = xstrdup(optarg); |
---|
| 142 | break; |
---|
[9e063cb] | 143 | case OPT_KEY: // also an generate option |
---|
[085f159] | 144 | options.key = xstrdup(optarg); |
---|
| 145 | break; |
---|
| 146 | case OPT_ROLE: |
---|
| 147 | options.role = xstrdup(optarg); |
---|
| 148 | break; |
---|
[ee5afdd] | 149 | case OPT_SUBJECT_CERT: |
---|
[980a7b6] | 150 | subject(xstrdup(optarg), 1); |
---|
[ee5afdd] | 151 | break; |
---|
| 152 | case OPT_SUBJECT_ID: |
---|
[980a7b6] | 153 | subject(xstrdup(optarg), 0); |
---|
[085f159] | 154 | break; |
---|
| 155 | case OPT_SUBJECT_ROLE: |
---|
[980a7b6] | 156 | role(xstrdup(optarg)); |
---|
[085f159] | 157 | break; |
---|
| 158 | case OPT_OUT: |
---|
| 159 | options.out = xstrdup(optarg); |
---|
| 160 | break; |
---|
| 161 | |
---|
[461541a] | 162 | // attribute rule options |
---|
| 163 | case OPT_ATTRRULE: |
---|
| 164 | options.attrrule = xstrdup(optarg); |
---|
| 165 | break; |
---|
| 166 | |
---|
[784a398] | 167 | // verify options |
---|
| 168 | case OPT_ATTRCERT: |
---|
| 169 | options.attrcert = xstrdup(optarg); |
---|
| 170 | break; |
---|
| 171 | |
---|
[0aaa651] | 172 | // display options |
---|
| 173 | case OPT_SHOW: |
---|
| 174 | options.show = xstrdup(optarg); |
---|
| 175 | break; |
---|
| 176 | |
---|
[abd7c25] | 177 | case '?': |
---|
| 178 | break; |
---|
| 179 | |
---|
| 180 | default: |
---|
| 181 | printf("wat\n"); |
---|
| 182 | return 45; |
---|
| 183 | } |
---|
| 184 | } |
---|
| 185 | |
---|
| 186 | if (options.help || optind < argc) { |
---|
| 187 | if (optind > 0 && optind < argc) |
---|
| 188 | printf("I don't understand %s\n", argv[optind]); |
---|
| 189 | usage(&options); |
---|
| 190 | } |
---|
| 191 | |
---|
[00d21a1] | 192 | // parse the validity |
---|
| 193 | if (validity_str != NULL) { |
---|
| 194 | char suffix = 'd'; // default suffix is days |
---|
[756011e] | 195 | int multiplier = 1; |
---|
[00d21a1] | 196 | |
---|
| 197 | int len = strlen(validity_str); |
---|
| 198 | assert(len > 0); |
---|
| 199 | |
---|
| 200 | // get the suffix char if it's alphabetical |
---|
| 201 | if (isalpha(validity_str[len - 1])) { |
---|
| 202 | suffix = validity_str[len - 1]; |
---|
| 203 | |
---|
| 204 | // truncate |
---|
| 205 | validity_str[len - 1] = '\0'; |
---|
| 206 | --len; |
---|
| 207 | |
---|
| 208 | // make sure it's not only a suffix |
---|
| 209 | if (len == 0) { |
---|
| 210 | printf("Invalid validity\n"); |
---|
| 211 | usage(&options); |
---|
| 212 | } |
---|
| 213 | } |
---|
| 214 | |
---|
| 215 | // convert the suffix to a multiplier |
---|
| 216 | switch(suffix) { |
---|
| 217 | case 's': multiplier = 1; break; |
---|
| 218 | case 'm': multiplier = 60; break; |
---|
| 219 | case 'h': multiplier = 3600; break; |
---|
| 220 | case 'd': multiplier = 86400; break; |
---|
| 221 | case 'y': multiplier = 31536000; break; |
---|
| 222 | default: |
---|
| 223 | printf("Invalid suffix, must be s m h d y\n"); |
---|
| 224 | usage(&options); |
---|
| 225 | } |
---|
| 226 | |
---|
| 227 | // ascii to int |
---|
| 228 | char *end; |
---|
| 229 | options.validity = strtol(validity_str, &end, 10); |
---|
| 230 | if (errno != 0 || end - validity_str < len) { |
---|
| 231 | printf("Invalid validity\n"); |
---|
| 232 | usage(&options); |
---|
| 233 | } |
---|
| 234 | |
---|
| 235 | if (options.validity <= 0) { |
---|
| 236 | printf("Invalid validity: must be > 0\n"); |
---|
| 237 | usage(&options); |
---|
| 238 | } |
---|
| 239 | |
---|
| 240 | // multiply! |
---|
| 241 | options.validity *= multiplier; |
---|
| 242 | |
---|
| 243 | free(validity_str); |
---|
| 244 | } |
---|
| 245 | |
---|
[461541a] | 246 | if (options.mode == MODE_ATTRIBUTE && options.attrrule == NULL) { |
---|
[980a7b6] | 247 | int i; |
---|
| 248 | |
---|
| 249 | // have to do error checking on subjects here |
---|
| 250 | if ( |
---|
| 251 | (num_subjects == 0) || |
---|
| 252 | (num_subjects != num_roles && num_subjects != 1 && num_roles != 0) |
---|
| 253 | ) { |
---|
| 254 | printf( |
---|
| 255 | "You have %d subject%s and %d role%s, which is invalid\n", |
---|
| 256 | num_subjects, num_subjects == 1 ? "" : "s", |
---|
| 257 | num_roles, num_roles == 1 ? "" : "s" |
---|
| 258 | ); |
---|
| 259 | usage(&options); |
---|
| 260 | } |
---|
| 261 | |
---|
| 262 | for (i = 0; i < num_roles; ++i) |
---|
| 263 | subjects[i].role = roles[i]; |
---|
| 264 | free(roles); |
---|
| 265 | |
---|
| 266 | options.subjects = subjects; |
---|
| 267 | options.num_subjects = num_subjects; |
---|
| 268 | } |
---|
| 269 | |
---|
[9410b51] | 270 | // launch the sub command |
---|
[abd7c25] | 271 | switch (options.mode) { |
---|
| 272 | case MODE_GENERATE: |
---|
[00d21a1] | 273 | if (options.validity == 0) options.validity = 1080 * 86400; |
---|
[abd7c25] | 274 | generate_main(&options); |
---|
| 275 | break; |
---|
| 276 | |
---|
[fd0febd] | 277 | case MODE_KEYID: |
---|
| 278 | keyid_main(&options); |
---|
| 279 | break; |
---|
| 280 | |
---|
[085f159] | 281 | case MODE_ATTRIBUTE: |
---|
[00d21a1] | 282 | if (options.validity == 0) options.validity = 365 * 86400; |
---|
[461541a] | 283 | if(options.attrrule) |
---|
| 284 | attribute_rule_main(&options); |
---|
| 285 | else attribute_main(&options); |
---|
[085f159] | 286 | break; |
---|
| 287 | |
---|
[9410b51] | 288 | case MODE_ROLES: |
---|
| 289 | roles_main(&options); |
---|
| 290 | break; |
---|
| 291 | |
---|
[784a398] | 292 | case MODE_VERIFY: |
---|
| 293 | verify_main(&options); |
---|
| 294 | break; |
---|
| 295 | |
---|
[0aaa651] | 296 | case MODE_DISPLAY: |
---|
| 297 | display_main(&options); |
---|
[adc86c3] | 298 | break; |
---|
| 299 | |
---|
[19be896] | 300 | case MODE_VERSION: |
---|
| 301 | printf("ABAC/creddy " ABAC_VERSION "\n"); |
---|
| 302 | break; |
---|
| 303 | |
---|
[abd7c25] | 304 | default: |
---|
| 305 | usage(&options); |
---|
| 306 | } |
---|
| 307 | |
---|
| 308 | return 0; |
---|
| 309 | } |
---|
| 310 | |
---|
| 311 | void usage(options_t *opts) { |
---|
| 312 | if (opts->mode == MODE_GENERATE) |
---|
| 313 | printf( |
---|
[00d21a1] | 314 | "Usage: creddy --generate --cn <name> [ --validity <time> ] [ --out <dir> ]\n" |
---|
[f1e892e] | 315 | " cert will be in ${name}_ID.der, private key in ${name}_private.pem\n" |
---|
[8231b92] | 316 | " files output to dir if specified\n" |
---|
[abd7c25] | 317 | " default validity: 1080 days\n" |
---|
[00d21a1] | 318 | "\n" |
---|
| 319 | " time is specified with optional suffix: s m h d y\n" |
---|
| 320 | " defaults to days if unspecified\n" |
---|
[abd7c25] | 321 | ); |
---|
| 322 | |
---|
| 323 | else if (opts->mode == MODE_VERIFY) |
---|
| 324 | printf( |
---|
[91659cb] | 325 | "Usage: creddy --verify --cert <cert> [ --attrcert <cert> ]\n" |
---|
[abd7c25] | 326 | " if attrcert is provided, verify that it was issued by cert\n" |
---|
| 327 | ); |
---|
| 328 | |
---|
| 329 | else if (opts->mode == MODE_KEYID) |
---|
| 330 | printf( |
---|
[91659cb] | 331 | "Usage: creddy --keyid --cert <cert>\n" |
---|
[abd7c25] | 332 | ); |
---|
| 333 | |
---|
| 334 | else if (opts->mode == MODE_ATTRIBUTE) |
---|
| 335 | printf( |
---|
[91659cb] | 336 | "Usage: creddy --attribute \\\n" |
---|
[abd7c25] | 337 | " --issuer <cert> --key <key> --role <role> \\\n" |
---|
[980a7b6] | 338 | " [ --subject-cert <cert> | --subject-id <sha1> \\\n" |
---|
| 339 | " [ --subject-role <role> ] ... ] \\\n" |
---|
[00d21a1] | 340 | " [ --validity <time> ] --out <file>\n" |
---|
[abd7c25] | 341 | " default validity: 365 days\n" |
---|
[ee5afdd] | 342 | " provide exactly one of --subject-cert / --subject-id\n" |
---|
[980a7b6] | 343 | " give multiple --subject-{cert,id} / --subject-role pairs for intersection\n" |
---|
[00d21a1] | 344 | "\n" |
---|
| 345 | " time is specified with optional suffix: s m h d y\n" |
---|
| 346 | " defaults to days if unspecified\n" |
---|
[abd7c25] | 347 | ); |
---|
| 348 | |
---|
| 349 | else if (opts->mode == MODE_ROLES) |
---|
| 350 | printf( |
---|
[91659cb] | 351 | "Usage: creddy --roles --cert <cert>\n" |
---|
[abd7c25] | 352 | ); |
---|
| 353 | |
---|
[0aaa651] | 354 | else if (opts->mode == MODE_DISPLAY) |
---|
[adc86c3] | 355 | printf( |
---|
[405bba3] | 356 | "Usage: creddy --display --show=[issuer,..,all] --cert <cert>\n" |
---|
[0aaa651] | 357 | " values for --show are comma-separated:\n" |
---|
| 358 | " issuer DN of issuer\n" |
---|
[b19d1f0] | 359 | " subject DN of subject\n" |
---|
[405bba3] | 360 | " validity validity period\n" |
---|
[08e7235] | 361 | " roles attribute cert roles (fails silently on ID certs)\n" |
---|
[0aaa651] | 362 | " all all of the above\n" |
---|
[adc86c3] | 363 | " cert may be X.509 identity or attribute cert\n" |
---|
| 364 | ); |
---|
| 365 | |
---|
[abd7c25] | 366 | else |
---|
| 367 | printf( |
---|
[66462c5] | 368 | "Usage: creddy [ --<mode> ] [ --help ]\n" |
---|
[abd7c25] | 369 | " --generate: generate X.509 identity cert and private key\n" |
---|
[4721618] | 370 | " --verify: check validity of X.509 ID or XML attribute cert\n" |
---|
[abd7c25] | 371 | " --keyid: get fingerprint from X.509 ID cert\n" |
---|
[4721618] | 372 | " --attribute: generate an XML attribute cert\n" |
---|
| 373 | " --roles: list roles from an XML attribute cert\n" |
---|
| 374 | " --display: list metadata from an X.509 identity or an XML attribute cert\n" |
---|
[19be896] | 375 | " --version: display ABAC version\n" |
---|
[abd7c25] | 376 | ); |
---|
| 377 | |
---|
| 378 | |
---|
| 379 | exit(1); |
---|
| 380 | } |
---|
| 381 | |
---|
| 382 | void *xmalloc(size_t len) { |
---|
| 383 | void *ret = malloc(len); |
---|
| 384 | if (ret == NULL) |
---|
[1bf0f03] | 385 | err(1, "couldn't malloc %zu bytes\n", len); |
---|
[abd7c25] | 386 | return ret; |
---|
| 387 | } |
---|
| 388 | |
---|
[980a7b6] | 389 | void *xrealloc(void *ptr, size_t size) { |
---|
| 390 | void *ret = realloc(ptr, size); |
---|
| 391 | if (ret == NULL) |
---|
[1bf0f03] | 392 | err(1, "couldn't realloc %zu bytes\n", size); |
---|
[980a7b6] | 393 | return ret; |
---|
| 394 | } |
---|
| 395 | |
---|
[abd7c25] | 396 | char *xstrdup(char *string) { |
---|
| 397 | char *dup = strdup(string); |
---|
| 398 | if (dup == NULL) |
---|
| 399 | err(1, "Can't dup %s", string); |
---|
| 400 | return dup; |
---|
| 401 | } |
---|
| 402 | |
---|