Context Navigation

source: creddy/creddy.c @ ee5afdd

abac0-leakabac0-meicompt_changesgec13mei-idmei-rt0-nmei_rt0mei_rt2mei_rt2_fix_1meiyap-rt1meiyap1rt2tvf-new-xml

Last change on this file since ee5afdd was ee5afdd, checked in by Mike Ryan <mikeryan@…>, 14 years ago
support subject-cert and subject-id
Property mode set to `100644`
File size: 7.3 KB

Line
1	#include <assert.h>
2	#include <getopt.h>
3	#include <stdio.h>
4	#include <stdlib.h>
5	#include <string.h>
6
7	#include "creddy.h"
8
9	#define OPT_CN 1
10	#define OPT_VALIDITY 2
11	#define OPT_CERT 3
12	#define OPT_ISSUER 4
13	#define OPT_KEY 5
14	#define OPT_ROLE 6
15	#define OPT_SUBJECT_CERT 7
16	#define OPT_SUBJECT_ROLE 8
17	#define OPT_OUT 9 // the world oughta be opt-in only :(
18	#define OPT_ATTRCERT 10
19	#define OPT_SUBJECT_ID 11
20
21	int main(int argc, char **argv) {
22	int ret;
23	options_t options = { 0, };
24
25	struct option getopts[] = {
26	{ "help", 0, &options.help, 1 },
27	{ "generate", 0, &options.mode, MODE_GENERATE },
28	{ "verify", 0, &options.mode, MODE_VERIFY },
29	{ "keyid", 0, &options.mode, MODE_KEYID },
30	{ "attribute", 0, &options.mode, MODE_ATTRIBUTE },
31	{ "roles", 0, &options.mode, MODE_ROLES },
32
33	{ "cert", 1, 0, OPT_CERT },
34
35	// generate options
36	{ "cn", 1, 0, OPT_CN },
37	{ "validity", 1, 0, OPT_VALIDITY },
38
39	// attribute options
40	{ "issuer", 1, 0, OPT_ISSUER },
41	{ "key", 1, 0, OPT_KEY },
42	{ "role", 1, 0, OPT_ROLE },
43	{ "subject-cert", 1, 0, OPT_SUBJECT_CERT },
44	{ "subject-id", 1, 0, OPT_SUBJECT_ID },
45	{ "subject-role", 1, 0, OPT_SUBJECT_ROLE },
46	{ "out", 1, 0, OPT_OUT },
47
48	// verify option
49	{ "attrcert", 1, 0, OPT_ATTRCERT },
50
51	{ NULL },
52	};
53
54	for ( ; ; ) {
55	int c = getopt_long(argc, argv, "", getopts, NULL);
56	if (c < 0)
57	break;
58
59	switch (c) {
60	// set the option from the value in the getopts struct
61	case 0:
62	continue;
63
64	case OPT_CERT:
65	options.cert = xstrdup(optarg);
66	break;
67
68	// generate options
69	case OPT_CN:
70	options.cn = xstrdup(optarg);
71	break;
72	case OPT_VALIDITY: // also an attribute option
73	options.validity = atoi(optarg);
74	break;
75
76	// attribute options
77	case OPT_ISSUER:
78	options.issuer = xstrdup(optarg);
79	break;
80	case OPT_KEY:
81	options.key = xstrdup(optarg);
82	break;
83	case OPT_ROLE:
84	options.role = xstrdup(optarg);
85	break;
86	case OPT_SUBJECT_CERT:
87	options.subject_cert = xstrdup(optarg);
88	break;
89	case OPT_SUBJECT_ID:
90	options.subject_id = xstrdup(optarg);
91	break;
92	case OPT_SUBJECT_ROLE:
93	options.subject_role = xstrdup(optarg);
94	break;
95	case OPT_OUT:
96	options.out = xstrdup(optarg);
97	break;
98
99	// verify options
100	case OPT_ATTRCERT:
101	options.attrcert = xstrdup(optarg);
102	break;
103
104	case '?':
105	break;
106
107	default:
108	printf("wat\n");
109	return 45;
110	}
111	}
112
113	if (options.help \|\| optind < argc) {
114	if (optind > 0 && optind < argc)
115	printf("I don't understand %s\n", argv[optind]);
116	usage(&options);
117	}
118
119	// init libstrongswan
120	atexit(library_deinit);
121	dbg_default_set_level(-1);
122	ret = library_init(NULL);
123	if (!ret)
124	exit(SS_RC_LIBSTRONGSWAN_INTEGRITY);
125	ret = lib->plugins->load(
126	lib->plugins,
127	NULL,
128	lib->settings->get_str(lib->settings, "", PLUGINS)
129	);
130	if (!ret)
131	exit(SS_RC_LIBSTRONGSWAN_INTEGRITY);
132
133	// launch the sub command
134	switch (options.mode) {
135	case MODE_GENERATE:
136	if (options.validity == 0) options.validity = 1080;
137	generate_main(&options);
138	break;
139
140	case MODE_KEYID:
141	keyid_main(&options);
142	break;
143
144	case MODE_ATTRIBUTE:
145	if (options.validity == 0) options.validity = 365;
146	attribute_main(&options);
147	break;
148
149	case MODE_ROLES:
150	roles_main(&options);
151	break;
152
153	case MODE_VERIFY:
154	verify_main(&options);
155	break;
156
157	default:
158	usage(&options);
159	}
160
161	return 0;
162	}
163
164	void usage(options_t *opts) {
165	if (opts->mode == MODE_GENERATE)
166	printf(
167	"Usage: creddy --generate --cn <name> [ --validity <days> ]\n"
168	" cert will be in ${name}_ID.der, private key in ${name}_private.pem\n"
169	" default validity: 1080 days\n"
170	);
171
172	else if (opts->mode == MODE_VERIFY)
173	printf(
174	"Usage: identity --verify --cert <cert> [ --attrcert <cert> ]\n"
175	" if attrcert is provided, verify that it was issued by cert\n"
176	);
177
178	else if (opts->mode == MODE_KEYID)
179	printf(
180	"Usage: identity --keyid --cert <cert>\n"
181	);
182
183	else if (opts->mode == MODE_ATTRIBUTE)
184	printf(
185	"Usage: identity --attribute \\\n"
186	" --issuer <cert> --key <key> --role <role> \\\n"
187	" --subject-cert <cert> \| --subject-id <sha1> \\\n"
188	" [ --subject-role <role> ] \\\n"
189	" [ --validity <days> ] --out <file>\n"
190	" default validity: 365 days\n"
191	" provide exactly one of --subject-cert / --subject-id\n"
192	);
193
194	else if (opts->mode == MODE_ROLES)
195	printf(
196	"Usage: identity --roles --cert <cert>\n"
197	);
198
199	else
200	printf(
201	"Usage: creddy [ --<mode> ] [ --help ]\n"
202	" --generate: generate X.509 identity cert and private key\n"
203	" --verify: check validity of X.509 ID or attribute cert\n"
204	" --keyid: get fingerprint from X.509 ID cert\n"
205	" --attribute: generate an X.509 attribute cert\n"
206	" --roles: list roles from an X.509 attribute cert\n"
207	);
208
209
210	exit(1);
211	}
212
213	void *xmalloc(size_t len) {
214	void *ret = malloc(len);
215	if (ret == NULL)
216	err(1, "couldn't malloc %d bytes\n", len);
217	return ret;
218	}
219
220	char xstrdup(char string) {
221	char *dup = strdup(string);
222	if (dup == NULL)
223	err(1, "Can't dup %s", string);
224	return dup;
225	}
226
227	int clean_name(char *string) {
228	int i;
229
230	assert(string != NULL);
231
232	// must start with a letter
233	if (!isalpha(string[0]))
234	return 0;
235
236	// rest must be alphanumeric or _
237	for (i = 1; string[i] != '\0'; ++i)
238	if (!isalnum(string[i]) && string[i] != '_')
239	return 0;
240
241	return 1;
242	}
243
244	// load an ID cert from file
245	certificate_t cert_from_file(char filename) {
246	certificate_t *cert = lib->creds->create(lib->creds,
247	CRED_CERTIFICATE, CERT_X509,
248	BUILD_FROM_FILE, filename,
249	BUILD_X509_FLAG, X509_AA,
250	BUILD_END
251	);
252
253	if (cert == NULL)
254	errx(1, "Can't open cert from %s", filename);
255
256	return cert;
257	}
258
259	certificate_t attr_cert_from_file(char filename) {
260	certificate_t *cert = lib->creds->create(lib->creds,
261	CRED_CERTIFICATE, CERT_X509_AC,
262	BUILD_FROM_FILE, filename,
263	BUILD_END
264	);
265	if (cert == NULL)
266	errx(1, "Couldn't load attribute cert %s", filename);
267
268	return cert;
269	}

Note: See TracBrowser for help on using the repository browser.

Download in other formats: