[90d20f0] | 1 | #ifndef __ABAC_H__ |
---|
| 2 | #define __ABAC_H__ |
---|
| 3 | |
---|
[461541a] | 4 | #include <time.h> // for struct tm |
---|
| 5 | #include <stdio.h> // for FILE |
---|
[11e3eb7] | 6 | |
---|
[390f749] | 7 | typedef struct _abac_context_t abac_context_t; |
---|
[401a054] | 8 | typedef struct _abac_credential_t abac_credential_t; |
---|
[1743825] | 9 | typedef struct _abac_role_t abac_role_t; |
---|
[90d20f0] | 10 | |
---|
[461541a] | 11 | typedef struct _abac_id_t abac_id_t; |
---|
| 12 | typedef struct _abac_attribute_t abac_attribute_t; |
---|
| 13 | |
---|
[4721618] | 14 | typedef struct _abac_list_t ABAC_LIST_T; |
---|
| 15 | |
---|
[461541a] | 16 | typedef struct _abac_chunk_t { |
---|
| 17 | unsigned char *ptr; |
---|
| 18 | int len; |
---|
| 19 | } abac_chunk_t; |
---|
| 20 | |
---|
[0bf0e67] | 21 | /* |
---|
| 22 | * ABAC functions, operating on an ABAC context. |
---|
| 23 | */ |
---|
[390f749] | 24 | abac_context_t *abac_context_new(void); |
---|
| 25 | abac_context_t *abac_context_dup(abac_context_t *ctx); |
---|
| 26 | void abac_context_free(abac_context_t *ctx); |
---|
[90d20f0] | 27 | |
---|
[0779c99] | 28 | /* see the bottom of the file for possible return codes */ |
---|
[390f749] | 29 | int abac_context_load_id_file(abac_context_t *ctx, char *filename); |
---|
| 30 | int abac_context_load_id_chunk(abac_context_t *ctx, abac_chunk_t cert); |
---|
| 31 | int abac_context_load_attribute_file(abac_context_t *ctx, char *filename); |
---|
| 32 | int abac_context_load_attribute_chunk(abac_context_t *ctx, abac_chunk_t cert); |
---|
[90d20f0] | 33 | |
---|
[03b3293] | 34 | /* load an entire directory full of certs */ |
---|
[390f749] | 35 | void abac_context_load_directory(abac_context_t *ctx, char *path); |
---|
[03b3293] | 36 | |
---|
[401a054] | 37 | /* abac query, returns a NULL-terminated array of credentials on success, NULL on fail */ |
---|
[4e426c9] | 38 | abac_credential_t **abac_context_query(abac_context_t *ctx, char *role, char *principal, int *success); |
---|
[3c4fd68] | 39 | |
---|
| 40 | /* get all the credentials from the context, returns a NULL-terminated array of credentials */ |
---|
| 41 | abac_credential_t **abac_context_credentials(abac_context_t *ctx); |
---|
| 42 | |
---|
| 43 | /* use this to free the results of either of the previous two functions */ |
---|
| 44 | void abac_context_credentials_free(abac_credential_t **credentials); |
---|
[90d20f0] | 45 | |
---|
[0bf0e67] | 46 | /* |
---|
[401a054] | 47 | * Operations on credentials |
---|
[0bf0e67] | 48 | */ |
---|
[401a054] | 49 | abac_role_t *abac_credential_head(abac_credential_t *cred); |
---|
| 50 | abac_role_t *abac_credential_tail(abac_credential_t *cred); |
---|
| 51 | abac_chunk_t abac_credential_attribute_cert(abac_credential_t *cred); |
---|
| 52 | abac_chunk_t abac_credential_issuer_cert(abac_credential_t *cred); |
---|
[0bf0e67] | 53 | |
---|
[401a054] | 54 | abac_credential_t *abac_credential_dup(abac_credential_t *cred); |
---|
| 55 | void abac_credential_free(abac_credential_t *cred); |
---|
[0bf0e67] | 56 | |
---|
| 57 | /* |
---|
| 58 | * Operations on roles. |
---|
| 59 | */ |
---|
[dcc1a8e] | 60 | abac_role_t *abac_role_principal_new(char *principal); |
---|
| 61 | abac_role_t *abac_role_role_new(char *principal, char *abac_role_name); |
---|
| 62 | abac_role_t *abac_role_linking_new(char *principal, char *linked_role, char *abac_role_name); |
---|
[0bf0e67] | 63 | |
---|
[dcc1a8e] | 64 | void abac_role_free(abac_role_t *role); |
---|
[0bf0e67] | 65 | |
---|
[dcc1a8e] | 66 | abac_role_t *abac_role_from_string(char *string); |
---|
| 67 | abac_role_t *abac_role_dup(abac_role_t *role); |
---|
[0bf0e67] | 68 | |
---|
[dcc1a8e] | 69 | int abac_role_is_principal(abac_role_t *role); |
---|
| 70 | int abac_role_is_role(abac_role_t *role); |
---|
| 71 | int abac_role_is_linking(abac_role_t *role); |
---|
[9a411d7] | 72 | int abac_role_is_intersection(abac_role_t *role); |
---|
[0bf0e67] | 73 | |
---|
[dcc1a8e] | 74 | char *abac_role_string(abac_role_t *role); |
---|
| 75 | char *abac_role_linked_role(abac_role_t *role); |
---|
| 76 | char *abac_role_role_name(abac_role_t *role); |
---|
| 77 | char *abac_role_principal(abac_role_t *role); |
---|
[0bf0e67] | 78 | |
---|
[dcc1a8e] | 79 | char *abac_role_attr_key(abac_role_t *head_role, abac_role_t *tail_role); |
---|
[0bf0e67] | 80 | |
---|
[461541a] | 81 | /* |
---|
| 82 | * Operations on ID |
---|
| 83 | */ |
---|
| 84 | // create an ID from an X.509 certificate |
---|
| 85 | abac_id_t *abac_id_from_file(char *); |
---|
| 86 | |
---|
| 87 | // create an ID from a X.509 certificate PEM chunk |
---|
| 88 | abac_id_t *abac_id_from_chunk(abac_chunk_t chunk); |
---|
| 89 | |
---|
| 90 | // load an X.509 private key from a file |
---|
| 91 | int abac_id_privkey_from_file(abac_id_t *id, char *filename); |
---|
| 92 | |
---|
| 93 | // generate an ID |
---|
| 94 | // returns one of ABAC_SUCCESS or ABAC_GENERATE_* (see top) |
---|
| 95 | int abac_id_generate(abac_id_t **ret, char *cn, long validity); |
---|
| 96 | |
---|
| 97 | // get the SHA1 keyid, pointer is valid for the lifetime of the object |
---|
| 98 | char *abac_id_keyid(abac_id_t *id); |
---|
| 99 | |
---|
| 100 | // get the name of the issuer |
---|
| 101 | // caller must free the returned string |
---|
| 102 | char *abac_id_issuer(abac_id_t *id); |
---|
| 103 | |
---|
| 104 | // get the DN of the subject |
---|
| 105 | // caller must free the returned string |
---|
| 106 | char *abac_id_subject(abac_id_t *id); |
---|
| 107 | |
---|
| 108 | // check if the cert is still valid |
---|
| 109 | int abac_id_still_valid(abac_id_t *id); |
---|
| 110 | |
---|
| 111 | // check if the principal cert's keyid is specified |
---|
| 112 | int abac_id_has_keyid(abac_id_t *id, char *); |
---|
| 113 | |
---|
| 114 | // check if the cert is has a private key |
---|
| 115 | int abac_id_has_privkey(abac_id_t *id); |
---|
| 116 | |
---|
| 117 | // get the validity period of the cert |
---|
| 118 | int abac_id_validity(abac_id_t *id, struct tm *not_before, struct tm *not_after); |
---|
| 119 | |
---|
| 120 | // default filename for the cert: ${CN}_ID.pem |
---|
| 121 | // caller must free the returned string |
---|
| 122 | char *abac_id_cert_filename(abac_id_t *id); |
---|
| 123 | |
---|
| 124 | // write the cert fo an open file pointer |
---|
| 125 | int abac_id_write_cert(abac_id_t *id, FILE *out); |
---|
| 126 | |
---|
| 127 | // default filename for the private key: ${CN}_key.pem |
---|
| 128 | // caller must free the return value |
---|
| 129 | char *abac_id_privkey_filename(abac_id_t *id); |
---|
| 130 | |
---|
| 131 | // write the private key to a file |
---|
| 132 | // it is recommended that you open this file mode 0600 |
---|
| 133 | // returns false if there's no private key loaded |
---|
| 134 | int abac_id_write_privkey(abac_id_t *id, FILE *out); |
---|
| 135 | |
---|
| 136 | // get a chunk representing the cert |
---|
| 137 | // you must free the ptr of the chunk when done |
---|
| 138 | abac_chunk_t abac_id_cert_chunk(abac_id_t *id); |
---|
| 139 | |
---|
| 140 | // dup an ID (increases its refcount) |
---|
| 141 | abac_id_t *abac_id_dup(abac_id_t *id); |
---|
| 142 | |
---|
| 143 | // destroy the id |
---|
| 144 | // decreases refcount and destroys when it hits 0 |
---|
| 145 | void abac_id_free(abac_id_t *id); |
---|
| 146 | |
---|
| 147 | /* |
---|
| 148 | * Operations on Attribute |
---|
| 149 | */ |
---|
| 150 | // |
---|
| 151 | // Here's the skinny: |
---|
| 152 | // Attribute cert objects don't contain an actual cert until they're baked. |
---|
| 153 | // First you construct the object using abac_attribute_create, then you add |
---|
| 154 | // subjects to it using abac_attribute_{principal,role,linking_role}. |
---|
| 155 | // Finally you bake it. Once you've done that, you can keep it as XML chunk |
---|
| 156 | // or write it to a file. |
---|
| 157 | // |
---|
| 158 | |
---|
| 159 | // create an attribute cert |
---|
| 160 | // validity is in days |
---|
| 161 | // returns one of CREDDY_SUCCESS or CREDDY_ATTRIBUTE_* (see top) |
---|
| 162 | int abac_attribute_create(abac_attribute_t **attr, abac_id_t *issuer, char *role, long validity); |
---|
| 163 | |
---|
| 164 | // add a head string to the cert |
---|
| 165 | void abac_attribute_set_head(abac_attribute_t *attr, char *string); |
---|
| 166 | |
---|
| 167 | // return the head string of the attribute |
---|
| 168 | char *abac_attribute_get_head(abac_attribute_t *); |
---|
| 169 | |
---|
| 170 | // add a tail role string to the cert |
---|
| 171 | void abac_attribute_set_tail(abac_attribute_t *attr, char *string); |
---|
| 172 | |
---|
| 173 | // return the tail string of the attribute |
---|
| 174 | char *abac_attribute_get_tail(abac_attribute_t *); |
---|
| 175 | |
---|
| 176 | // add a principal subject to the cert |
---|
| 177 | int abac_attribute_principal(abac_attribute_t *attr, char *keyid); |
---|
| 178 | |
---|
| 179 | // add a role subject |
---|
| 180 | int abac_attribute_role(abac_attribute_t *attr, char *keyid, char *role); |
---|
| 181 | |
---|
| 182 | // add a linking role subject |
---|
| 183 | int abac_attribute_linking_role(abac_attribute_t *attr, char *keyid, char *role, char *linked); |
---|
| 184 | |
---|
| 185 | // create the attribute cert once all the subjects have been added |
---|
| 186 | // can return 0 if there are no subjects or there's a problem building the cert |
---|
| 187 | int abac_attribute_bake(abac_attribute_t *attr); |
---|
| 188 | |
---|
| 189 | // returns true iff the cert's been baked |
---|
| 190 | int abac_attribute_baked(abac_attribute_t *attr); |
---|
| 191 | |
---|
| 192 | // write the cert to a file. returns 0 if the cert hasn't been baked |
---|
| 193 | int abac_attribute_write(abac_attribute_t *attr, FILE *out); |
---|
[4721618] | 194 | int abac_attribute_write_file(abac_attribute_t *attr, const char *fname); |
---|
[461541a] | 195 | |
---|
| 196 | // get chunked cert |
---|
| 197 | // returns 0 if the cert isn't baked |
---|
[4721618] | 198 | abac_chunk_t abac_attribute_cert_chunk(abac_attribute_t *); |
---|
[461541a] | 199 | |
---|
| 200 | // destroy the cert |
---|
| 201 | void abac_attribute_free(abac_attribute_t *); |
---|
| 202 | |
---|
| 203 | // load a list of attr cert from file (aborts on fail) |
---|
[4721618] | 204 | ABAC_LIST_T *abac_attribute_certs_from_file(char *); |
---|
[461541a] | 205 | |
---|
| 206 | // load a list of attr cert from chunk (aborts on fail) |
---|
[4721618] | 207 | ABAC_LIST_T *abac_attribute_certs_from_chunk(abac_chunk_t); |
---|
[461541a] | 208 | |
---|
| 209 | // get the attribute role string |
---|
| 210 | char *abac_attribute_role_string(abac_attribute_t *attr); |
---|
| 211 | |
---|
| 212 | // get the issuer id of an attribute |
---|
| 213 | abac_id_t *abac_attribute_issuer_id(abac_attribute_t *ptr); |
---|
| 214 | |
---|
| 215 | // get the validity period of the attribute cert |
---|
| 216 | int abac_attribute_validity(abac_attribute_t *attr, struct tm *not_before, struct tm *not_after); |
---|
| 217 | |
---|
| 218 | // return the principal from an attribute's role string |
---|
| 219 | // callee must free the space |
---|
| 220 | char *abac_attribute_get_principal(abac_attribute_t *attr); |
---|
| 221 | |
---|
| 222 | // check if the attribute cert is still valid |
---|
| 223 | int abac_attribute_still_valid(abac_attribute_t *attr); |
---|
| 224 | |
---|
| 225 | |
---|
[0779c99] | 226 | /* |
---|
| 227 | * Error codes for loading certificates. |
---|
| 228 | */ |
---|
| 229 | #define ABAC_CERT_SUCCESS 0 // certificate loaded, all is well |
---|
| 230 | #define ABAC_CERT_INVALID -1 // invalid format; also file not found |
---|
| 231 | #define ABAC_CERT_BAD_SIG -2 // invalid signature |
---|
| 232 | #define ABAC_CERT_MISSING_ISSUER -3 // missing ID cert that issued the attribute cert |
---|
[461541a] | 233 | #define ABAC_CERT_BAD_PRINCIPAL -4 // Principal of attribute cert issuer has mismatch keyid |
---|
| 234 | #define ABAC_CERT_INVALID_ISSUER -5 // Issuer of attribute cert is invalid |
---|
| 235 | #define ABAC_CERT_SIGNER_NOKEY -6 // Signer of attribute cert is missing private key |
---|
| 236 | |
---|
| 237 | /* |
---|
| 238 | * Error codes for IDs and Attributes |
---|
| 239 | */ |
---|
| 240 | #define ABAC_SUCCESS 0 |
---|
| 241 | #define ABAC_FAILURE 1 /* catch all */ |
---|
| 242 | #define ABAC_GENERATE_INVALID_CN -1 |
---|
| 243 | #define ABAC_GENERATE_INVALID_VALIDITY -2 |
---|
| 244 | #define ABAC_ATTRIBUTE_ISSUER_NOKEY -3 |
---|
| 245 | #define ABAC_ATTRIBUTE_INVALID_ROLE -4 |
---|
| 246 | #define ABAC_ATTRIBUTE_INVALID_VALIDITY -5 |
---|
| 247 | #define ABAC_ATTRIBUTE_INVALID_ISSUER -6 |
---|
| 248 | |
---|
| 249 | |
---|
[0779c99] | 250 | |
---|
[90d20f0] | 251 | #endif /* __ABAC_H__ */ |
---|