source: creddy/attribute.c @ 085f159

Last change on this file since 085f159 was 085f159, checked in by Mike Ryan <mikeryan@…>, 14 years ago

creddy attribute cert generator

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <err.h>

#include <credentials/keys/private_key.h>

#include "creddy.h"
4
/* Separator placed between the issuer's role and the subject in the role
 * encoding written into the attribute cert:
 * "<issuer_keyid>.<role> <- <subject_keyid>[.<subject_role>]". */
#define ROLE_SEPARATOR " <- "
6
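/*
 * Validate a dotted subject role name ("a", "a.b" or "a.b.c") in place.
 * Every dot-separated component must pass clean_name(); at most two dots
 * are accepted. The string is temporarily split at the dots and restored
 * before returning, so it is unchanged on success. On a bad name an error
 * is printed and usage(opts) is called (usage() is expected not to return).
 */
static void check_subject_role(options_t *opts) {
    char *name = opts->subject_role;
    char *part[3];          /* start of each component */
    int nparts = 0;

    part[nparts++] = name;
    for (char *p = name; *p != '\0'; ++p) {
        if (*p != '.')
            continue;
        if (nparts == 3) {
            printf("bad subject role name (too many dots)\n");
            usage(opts);
        }
        *p = '\0';          /* terminate the previous component for clean_name() */
        part[nparts++] = p + 1;
    }

    for (int i = 0; i < nparts; ++i) {
        if (!clean_name(part[i])) {
            printf("bad subject role name\n");
            usage(opts);
        }
    }

    /* put the dots back so opts->subject_role is intact for the encoding */
    for (int i = 1; i < nparts; ++i)
        part[i][-1] = '.';

    /* diagnostic output carried over from the original tool */
    printf("good: %s\n", opts->subject_role);
}

/*
 * Build the role encoding "<issuer_id>.<role> <- <subject_id>[.<subject_role>]".
 * subject_role may be NULL. Returns an xmalloc'd string owned by the caller.
 * The buffer is sized from the inputs and the write is bounded with snprintf,
 * so a miscount in the size arithmetic can never overflow the heap buffer.
 */
static char *build_role_encoding(const char *issuer_id, const char *role,
                                 const char *subject_id, const char *subject_role) {
    size_t len = strlen(issuer_id) + 1 + strlen(role)
               + (sizeof(ROLE_SEPARATOR) - 1) + strlen(subject_id)
               + 1;                                 /* NUL terminator */
    if (subject_role != NULL)
        len += 1 + strlen(subject_role);            /* "." + subject role */

    char *enc = xmalloc(len);
    int n;
    if (subject_role != NULL)
        n = snprintf(enc, len, "%s.%s" ROLE_SEPARATOR "%s.%s",
                     issuer_id, role, subject_id, subject_role);
    else
        n = snprintf(enc, len, "%s.%s" ROLE_SEPARATOR "%s",
                     issuer_id, role, subject_id);
    /* defensive: should be unreachable given the length computed above */
    if (n < 0 || (size_t)n >= len)
        errx(1, "role encoding too long");
    return enc;
}

/*
 * Write the certificate's binary encoding to path. Any I/O failure aborts,
 * so a truncated certificate file is never left behind silently.
 */
static void write_encoding(const char *path, chunk_t encoding) {
    FILE *out = fopen(path, "wb");   /* binary mode: the encoding is not text */
    if (out == NULL)
        err(1, "Can't open attribute cert output file %s", path);
    if (fwrite(encoding.ptr, 1, encoding.len, out) != encoding.len)
        err(1, "Short write to attribute cert output file %s", path);
    if (fclose(out) != 0)
        err(1, "Can't close attribute cert output file %s", path);
}

/*
 * Entry point for "creddy --attribute": build an X.509 attribute certificate
 * that delegates <issuer>.<role> to <subject>[.<subject_role>], sign it with
 * the issuer's RSA private key and write it to opts->out.
 *
 * Required options: issuer (cert file), key (private key file), role,
 * subject (cert file), out (output path). Optional: subject_role (dotted
 * name, validated by check_subject_role), validity (whole days, >= 1).
 * Fatal problems are reported via usage()/errx()/err(); they do not return.
 *
 * Fixes relative to the original:
 *  - the validity period was computed with 3600*60*60 seconds per "day"
 *    (about 150 real days per requested day); it is now 24*60*60;
 *  - validity 0 was accepted although the message demands >= 1 day;
 *  - the output write and close are checked;
 *  - the role encoding is built with a bounded snprintf.
 */
void attribute_main(options_t *opts) {
    if (
        opts->issuer == NULL ||
        opts->key == NULL ||
        opts->role == NULL ||
        opts->subject == NULL ||
        opts->out == NULL
    )
        usage(opts);

    if (!clean_name(opts->role)) {
        printf("bad role name\n");
        usage(opts);
    }

    // verify the subject role name if present
    if (opts->subject_role)
        check_subject_role(opts);

    // validity is in whole days; reject 0 as well as negatives to match the message
    if (opts->validity < 1) {
        printf("Validity must be >= 1 day\n");
        usage(opts);
    }

    // load signer key (only RSA keys are accepted by this builder call)
    private_key_t *key = lib->creds->create(lib->creds,
        CRED_PRIVATE_KEY, KEY_RSA,
        BUILD_FROM_FILE, opts->key,
        BUILD_END
    );
    if (key == NULL)
        errx(1, "can't open private key file %s", opts->key);

    // get the keyids. cert_from_file()/cert_keyid() are creddy helpers whose
    // failure behaviour is not visible here; the NULL guards are cheap even
    // if they already exit on error.
    certificate_t *issuer = cert_from_file(opts->issuer);
    if (issuer == NULL)
        errx(1, "can't load issuer cert %s", opts->issuer);
    char *issuer_id = cert_keyid(issuer);
    if (issuer_id == NULL)
        errx(1, "can't get key id from issuer cert %s", opts->issuer);

    certificate_t *subject = cert_from_file(opts->subject);
    if (subject == NULL)
        errx(1, "can't load subject cert %s", opts->subject);
    char *subject_id = cert_keyid(subject);
    if (subject_id == NULL)
        errx(1, "can't get key id from subject cert %s", opts->subject);

    // NOTE(review): nothing here checks that `key` is the private half of
    // the issuer cert's public key. If the strongSwan builder does not
    // verify that, a mismatched --key/--issuer pair yields an attribute
    // cert whose signature never validates. Confirm and add a check if not.

    // build the role encoding
    char *role_encoding = build_role_encoding(issuer_id, opts->role,
                                              subject_id, opts->subject_role);
    free(issuer_id);
    free(subject_id);

    // create attribute cert. The cast keeps the multiplication in time_t so a
    // large day count cannot overflow int arithmetic.
    const time_t seconds_per_day = 24 * 60 * 60;
    time_t not_before = time(NULL);
    time_t not_after = not_before + (time_t)opts->validity * seconds_per_day;
    chunk_t serial = generate_serial();

    certificate_t *attr_cert = lib->creds->create(lib->creds,
        CRED_CERTIFICATE, CERT_X509_AC,
        BUILD_CERT, issuer,
        BUILD_NOT_BEFORE_TIME, not_before,
        BUILD_NOT_AFTER_TIME, not_after,
        BUILD_SERIAL, serial,
        BUILD_IETF_GROUP_ATTR, role_encoding,
        BUILD_SIGNING_CERT, issuer,
        BUILD_SIGNING_KEY, key,
        BUILD_END
    );
    if (attr_cert == NULL)
        errx(1, "Couldn't build attribute cert");

    // write to file
    // NOTE(review): ownership of the chunk returned by get_encoding() is not
    // visible here; if this strongSwan version returns an allocated copy it
    // should be freed after the write. Confirm against the library in use.
    chunk_t encoding = attr_cert->get_encoding(attr_cert);
    write_encoding(opts->out, encoding);

    free(role_encoding);
    free(serial.ptr);
    DESTROY_IF(attr_cert);
    DESTROY_IF(issuer);
    DESTROY_IF(subject);
    DESTROY_IF(key);
}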