source: creddy/attribute.c @ 5a72d21

Last change on this file since 5a72d21 was 5a72d21, checked in by Mike Ryan <mikeryan@…>, 14 years ago

remove some debugging

1#include <credentials/keys/private_key.h>
2
3#include "creddy.h"
4
/* Separates "<issuer_keyid>.<role>" from the subject part in the attribute value built below. */
#define ROLE_SEPARATOR " <- "
6
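/* opts->validity is a count of days (the check in attribute_main demands ">= 1 day"). */
enum { SECONDS_PER_DAY = 24 * 60 * 60 };

/*
 * Validate opts->subject_role: a '.'-separated name of at most three
 * components, each of which must satisfy clean_name().  The string is
 * split in place for checking and the dots are put back before returning.
 * Any failure is reported through usage(), which is expected not to return.
 */
static void check_subject_role(options_t *opts) {
    char *role = opts->subject_role;
    char *start[3];
    int name_parts = 0;

    start[name_parts++] = role;

    for (int i = 0; role[i] != '\0'; ++i) {
        if (role[i] != '.')
            continue;
        if (name_parts == 3) {
            printf("bad subject role name (too many dots)\n");
            usage(opts);
            return; // never write past start[] even if usage() comes back
        }
        start[name_parts++] = &role[i + 1];
        role[i] = '\0';
    }

    for (int i = 0; i < name_parts; ++i) {
        if (!clean_name(start[i])) {
            printf("bad subject role name\n");
            usage(opts);
        }
    }

    // each start[i] (i >= 1) points one past a separator zeroed above
    for (int i = 1; i < name_parts; ++i)
        *(start[i] - 1) = '.';
}

/*
 * Build the IETF group attribute value
 * "<issuer_keyid>.<role>" ROLE_SEPARATOR "<subject_keyid>[.<subject_role>]".
 * subject_role may be NULL.  Returns an xmalloc()'d string the caller frees.
 */
static char *build_role_encoding(const char *issuer_id, const char *role,
                                 const char *subject_id, const char *subject_role) {
    // exact size: issuer '.' role SEP subject ['.' subject_role] NUL
    size_t len = strlen(issuer_id) + 1 + strlen(role)
               + (sizeof(ROLE_SEPARATOR) - 1)
               + strlen(subject_id) + 1;
    if (subject_role)
        len += 1 + strlen(subject_role);

    char *enc = xmalloc(len);
    int n;
    if (subject_role)
        n = snprintf(enc, len, "%s.%s" ROLE_SEPARATOR "%s.%s",
                     issuer_id, role, subject_id, subject_role);
    else
        n = snprintf(enc, len, "%s.%s" ROLE_SEPARATOR "%s",
                     issuer_id, role, subject_id);
    // len was derived from the same strings, so truncation means a logic error
    if (n < 0 || (size_t)n >= len)
        errx(1, "role encoding does not fit its buffer");
    return enc;
}

/*
 * creddy attribute: issue an X.509 attribute certificate stating that the
 * subject (optionally acting in subject_role) holds <issuer>.<role>.
 *
 * Required options: issuer cert, signing key, role, subject cert, output
 * path.  Optional: subject_role, validity (days).  All failures terminate
 * the process via usage(), err() or errx(); on success the DER encoding of
 * the new certificate is written to opts->out.
 */
void attribute_main(options_t *opts) {
    if (
        opts->issuer == NULL ||
        opts->key == NULL ||
        opts->role == NULL ||
        opts->subject == NULL ||
        opts->out == NULL
    )
        usage(opts);

    if (!clean_name(opts->role)) {
        printf("bad role name\n");
        usage(opts);
    }

    // verify the subject role name if present
    if (opts->subject_role)
        check_subject_role(opts);

    // the message promises at least one day, so reject 0 as well as negatives
    // (0 would produce a certificate that is expired the moment it is issued)
    if (opts->validity < 1) {
        printf("Validity must be >= 1 day\n");
        usage(opts);
    }

    // load signer key
    private_key_t *key = lib->creds->create(lib->creds,
        CRED_PRIVATE_KEY, KEY_RSA,
        BUILD_FROM_FILE, opts->key,
        BUILD_END
    );
    if (key == NULL)
        errx(1, "can't open private key file %s", opts->key);

    // get the keyids; cert_from_file()/cert_keyid() presumably exit on
    // failure themselves, but guard against NULL so strlen() below is safe
    certificate_t *issuer = cert_from_file(opts->issuer);
    if (issuer == NULL)
        errx(1, "can't load issuer cert %s", opts->issuer);
    char *issuer_id = cert_keyid(issuer);
    if (issuer_id == NULL)
        errx(1, "can't get key id of issuer cert %s", opts->issuer);

    certificate_t *subject = cert_from_file(opts->subject);
    if (subject == NULL)
        errx(1, "can't load subject cert %s", opts->subject);
    char *subject_id = cert_keyid(subject);
    if (subject_id == NULL)
        errx(1, "can't get key id of subject cert %s", opts->subject);

    // build the role encoding
    char *role_encoding = build_role_encoding(issuer_id, opts->role,
                                              subject_id, opts->subject_role);
    free(issuer_id);
    free(subject_id);

    // create attribute cert; validity is in days, widened before multiplying
    // so a large day count cannot overflow int arithmetic
    time_t not_before = time(NULL);
    time_t not_after = not_before + (time_t)opts->validity * SECONDS_PER_DAY;
    chunk_t serial = generate_serial();

    certificate_t *attr_cert = lib->creds->create(lib->creds,
        CRED_CERTIFICATE, CERT_X509_AC,
        BUILD_CERT, issuer,
        BUILD_NOT_BEFORE_TIME, not_before,
        BUILD_NOT_AFTER_TIME, not_after,
        BUILD_SERIAL, serial,
        BUILD_IETF_GROUP_ATTR, role_encoding,
        BUILD_SIGNING_CERT, issuer,
        BUILD_SIGNING_KEY, key,
        BUILD_END
    );
    if (attr_cert == NULL)
        errx(1, "Couldn't build attribute cert");

    // write to file; the encoding is DER, so open in binary mode
    chunk_t encoding = attr_cert->get_encoding(attr_cert);

    FILE *out = fopen(opts->out, "wb");
    if (out == NULL)
        err(1, "Can't open attribute cert output file %s", opts->out);
    if (fwrite(encoding.ptr, 1, encoding.len, out) != encoding.len)
        err(1, "Can't write attribute cert to %s", opts->out);
    // fclose() flushes; a failure here means the file on disk is incomplete
    if (fclose(out) != 0)
        err(1, "Can't write attribute cert to %s", opts->out);

    // NOTE(review): if get_encoding() hands back an allocated chunk (as
    // strongSwan's certificate_t does), encoding.ptr is leaked here — confirm
    // against the library version in use and free it if so.
    free(role_encoding);
    free(serial.ptr);
    DESTROY_IF(attr_cert);
    DESTROY_IF(issuer);
    DESTROY_IF(subject);
    DESTROY_IF(key);
}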