Context Navigation

source: creddy/creddy.c @ b19d1f0

abac0-leakabac0-meicompt_changesgec13mei-idmei-rt0-nmei_rt0mei_rt2mei_rt2_fix_1meiyap-rt1meiyap1rt2tvf-new-xml

Last change on this file since b19d1f0 was b19d1f0, checked in by Mike Ryan <mikeryan@…>, 13 years ago
show subject of ID/Attr cert see #17
Property mode set to `100644`
File size: 9.2 KB

Line
1	#include <assert.h>
2	#include <getopt.h>
3	#include <stdio.h>
4	#include <stdlib.h>
5	#include <string.h>
6
7	#include "creddy_common.h"
8
9	#define OPT_CN 1
10	#define OPT_VALIDITY 2
11	#define OPT_CERT 3
12	#define OPT_ISSUER 4
13	#define OPT_KEY 5
14	#define OPT_ROLE 6
15	#define OPT_SUBJECT_CERT 7
16	#define OPT_SUBJECT_ROLE 8
17	#define OPT_OUT 9 // the world oughta be opt-in only :(
18	#define OPT_ATTRCERT 10
19	#define OPT_SUBJECT_ID 11
20	#define OPT_SHOW 12
21
22	subject_t *subjects = NULL;
23	int num_subjects = 0;
24	int subjects_size = 0;
25
26	char **roles = NULL;
27	int num_roles = 0;
28	int roles_size = 0;
29
30	void subject(char *subject, int cert) {
31	if (num_subjects == subjects_size) {
32	subjects_size *= 2;
33	subjects = xrealloc(subjects, sizeof(subject_t) * subjects_size);
34	}
35
36	int i = num_subjects++;
37	subjects[i].id = NULL;
38	subjects[i].cert = NULL;
39	subjects[i].role = NULL;
40
41	if (cert)
42	subjects[i].cert = subject;
43	else
44	subjects[i].id = subject;
45	}
46
47	void role(char *role) {
48	if (num_roles == roles_size) {
49	roles_size *= 2;
50	roles = xrealloc(roles, sizeof(char ) roles_size);
51	}
52
53	int i = num_roles++;
54	roles[i] = role;
55	}
56
57	int main(int argc, char **argv) {
58	int ret;
59	options_t options = { 0, };
60
61	subjects = xmalloc(sizeof(subject_t) * 2);
62	subjects_size = 2;
63
64	roles = xmalloc(sizeof(char ) 2);
65	roles_size = 2;
66
67	struct option getopts[] = {
68	{ "help", 0, &options.help, 1 },
69	{ "generate", 0, &options.mode, MODE_GENERATE },
70	{ "verify", 0, &options.mode, MODE_VERIFY },
71	{ "keyid", 0, &options.mode, MODE_KEYID },
72	{ "attribute", 0, &options.mode, MODE_ATTRIBUTE },
73	{ "roles", 0, &options.mode, MODE_ROLES },
74	{ "version", 0, &options.mode, MODE_VERSION },
75	{ "display", 0, &options.mode, MODE_DISPLAY },
76
77	{ "cert", 1, 0, OPT_CERT },
78
79	// generate options
80	{ "cn", 1, 0, OPT_CN },
81	{ "validity", 1, 0, OPT_VALIDITY },
82
83	// attribute options
84	{ "issuer", 1, 0, OPT_ISSUER },
85	{ "key", 1, 0, OPT_KEY },
86	{ "role", 1, 0, OPT_ROLE },
87	{ "subject-cert", 1, 0, OPT_SUBJECT_CERT },
88	{ "subject-id", 1, 0, OPT_SUBJECT_ID },
89	{ "subject-role", 1, 0, OPT_SUBJECT_ROLE },
90	{ "out", 1, 0, OPT_OUT },
91
92	// verify option
93	{ "attrcert", 1, 0, OPT_ATTRCERT },
94
95	// display options
96	{ "show", 1, 0, OPT_SHOW },
97
98	{ NULL },
99	};
100
101	for ( ; ; ) {
102	int c = getopt_long(argc, argv, "", getopts, NULL);
103	if (c < 0)
104	break;
105
106	switch (c) {
107	// set the option from the value in the getopts struct
108	case 0:
109	continue;
110
111	case OPT_CERT:
112	options.cert = xstrdup(optarg);
113	break;
114
115	// generate options
116	case OPT_CN:
117	options.cn = xstrdup(optarg);
118	break;
119	case OPT_VALIDITY: // also an attribute option
120	options.validity = atoi(optarg);
121	break;
122
123	// attribute options
124	case OPT_ISSUER:
125	options.issuer = xstrdup(optarg);
126	break;
127	case OPT_KEY:
128	options.key = xstrdup(optarg);
129	break;
130	case OPT_ROLE:
131	options.role = xstrdup(optarg);
132	break;
133	case OPT_SUBJECT_CERT:
134	subject(xstrdup(optarg), 1);
135	break;
136	case OPT_SUBJECT_ID:
137	subject(xstrdup(optarg), 0);
138	break;
139	case OPT_SUBJECT_ROLE:
140	role(xstrdup(optarg));
141	break;
142	case OPT_OUT:
143	options.out = xstrdup(optarg);
144	break;
145
146	// verify options
147	case OPT_ATTRCERT:
148	options.attrcert = xstrdup(optarg);
149	break;
150
151	// display options
152	case OPT_SHOW:
153	options.show = xstrdup(optarg);
154	break;
155
156	case '?':
157	break;
158
159	default:
160	printf("wat\n");
161	return 45;
162	}
163	}
164
165	if (options.help \|\| optind < argc) {
166	if (optind > 0 && optind < argc)
167	printf("I don't understand %s\n", argv[optind]);
168	usage(&options);
169	}
170
171	if (options.mode == MODE_ATTRIBUTE) {
172	int i;
173
174	// have to do error checking on subjects here
175	if (
176	(num_subjects == 0) \|\|
177	(num_subjects != num_roles && num_subjects != 1 && num_roles != 0)
178	) {
179	printf(
180	"You have %d subject%s and %d role%s, which is invalid\n",
181	num_subjects, num_subjects == 1 ? "" : "s",
182	num_roles, num_roles == 1 ? "" : "s"
183	);
184	usage(&options);
185	}
186
187	for (i = 0; i < num_roles; ++i)
188	subjects[i].role = roles[i];
189	free(roles);
190
191	options.subjects = subjects;
192	options.num_subjects = num_subjects;
193	}
194
195	// launch the sub command
196	switch (options.mode) {
197	case MODE_GENERATE:
198	if (options.validity == 0) options.validity = 1080;
199	generate_main(&options);
200	break;
201
202	case MODE_KEYID:
203	keyid_main(&options);
204	break;
205
206	case MODE_ATTRIBUTE:
207	if (options.validity == 0) options.validity = 365;
208	attribute_main(&options);
209	break;
210
211	case MODE_ROLES:
212	roles_main(&options);
213	break;
214
215	case MODE_VERIFY:
216	verify_main(&options);
217	break;
218
219	case MODE_DISPLAY:
220	display_main(&options);
221	break;
222
223	case MODE_VERSION:
224	printf("ABAC/creddy " ABAC_VERSION "\n");
225	break;
226
227	default:
228	usage(&options);
229	}
230
231	return 0;
232	}
233
234	void usage(options_t *opts) {
235	if (opts->mode == MODE_GENERATE)
236	printf(
237	"Usage: creddy --generate --cn <name> [ --validity <days> ]\n"
238	" cert will be in ${name}_ID.der, private key in ${name}_private.pem\n"
239	" default validity: 1080 days\n"
240	);
241
242	else if (opts->mode == MODE_VERIFY)
243	printf(
244	"Usage: identity --verify --cert <cert> [ --attrcert <cert> ]\n"
245	" if attrcert is provided, verify that it was issued by cert\n"
246	);
247
248	else if (opts->mode == MODE_KEYID)
249	printf(
250	"Usage: identity --keyid --cert <cert>\n"
251	);
252
253	else if (opts->mode == MODE_ATTRIBUTE)
254	printf(
255	"Usage: identity --attribute \\\n"
256	" --issuer <cert> --key <key> --role <role> \\\n"
257	" [ --subject-cert <cert> \| --subject-id <sha1> \\\n"
258	" [ --subject-role <role> ] ... ] \\\n"
259	" [ --validity <days> ] --out <file>\n"
260	" default validity: 365 days\n"
261	" provide exactly one of --subject-cert / --subject-id\n"
262	" give multiple --subject-{cert,id} / --subject-role pairs for intersection\n"
263	);
264
265	else if (opts->mode == MODE_ROLES)
266	printf(
267	"Usage: identity --roles --cert <cert>\n"
268	);
269
270	else if (opts->mode == MODE_DISPLAY)
271	printf(
272	"Usage: creddy --display --show=[issuer,..,all] --cert <cert>\n"
273	" values for --show are comma-separated:\n"
274	" issuer DN of issuer\n"
275	" subject DN of subject\n"
276	" validity validity period\n"
277	" all all of the above\n"
278	" cert may be X.509 identity or attribute cert\n"
279	);
280
281	else
282	printf(
283	"Usage: creddy [ --<mode> ] [ --help ]\n"
284	" --generate: generate X.509 identity cert and private key\n"
285	" --verify: check validity of X.509 ID or attribute cert\n"
286	" --keyid: get fingerprint from X.509 ID cert\n"
287	" --attribute: generate an X.509 attribute cert\n"
288	" --roles: list roles from an X.509 attribute cert\n"
289	" --display: list metadata from an X.509 identity or attribute cert\n"
290	" --version: display ABAC version\n"
291	);
292
293
294	exit(1);
295	}
296
297	void *xmalloc(size_t len) {
298	void *ret = malloc(len);
299	if (ret == NULL)
300	err(1, "couldn't malloc %d bytes\n", len);
301	return ret;
302	}
303
304	void xrealloc(void ptr, size_t size) {
305	void *ret = realloc(ptr, size);
306	if (ret == NULL)
307	err(1, "couldn't realloc %d bytes\n", size);
308	return ret;
309	}
310
311	char xstrdup(char string) {
312	char *dup = strdup(string);
313	if (dup == NULL)
314	err(1, "Can't dup %s", string);
315	return dup;
316	}
317
318	certificate_t attr_cert_from_file(char filename) {
319	libabac_init();
320	certificate_t *cert = lib->creds->create(lib->creds,
321	CRED_CERTIFICATE, CERT_X509_AC,
322	BUILD_FROM_FILE, filename,
323	BUILD_END
324	);
325	if (cert == NULL)
326	errx(1, "Couldn't load attribute cert %s", filename);
327
328	return cert;
329	}

Note: See TracBrowser for help on using the repository browser.

Download in other formats: