source: libabac/abac.h @ 9e063cb

abac0-leakabac0-meimei-idmei-rt0-nmei_rt0tvf-new-xml
Last change on this file since 9e063cb was 9e063cb, checked in by Mei <mei@…>, 11 years ago

1) test out using encrypted private key to generate id credential
  • Property mode set to 100644
File size: 8.9 KB
Line 
1#ifndef __ABAC_H__
2#define __ABAC_H__
3
4#include <time.h>  // for struct tm
5#include <stdio.h> // for FILE
6
7typedef struct _abac_context_t abac_context_t;
8typedef struct _abac_credential_t abac_credential_t;
9typedef struct _abac_role_t abac_role_t;
10
11typedef struct _abac_id_t abac_id_t;
12typedef struct _abac_attribute_t abac_attribute_t;
13
14typedef struct _abac_list_t ABAC_LIST_T;
15
16typedef struct _abac_chunk_t {
17    unsigned char *ptr;
18    int len;
19} abac_chunk_t;
20
21/*
22 * ABAC functions, operating on an ABAC context.
23 */
24abac_context_t *abac_context_new(void);
25abac_context_t *abac_context_dup(abac_context_t *ctx);
26void abac_context_free(abac_context_t *ctx);
27
28/* see the bottom of the file for possible return codes */
29int abac_context_load_id_file(abac_context_t *ctx, char *filename);
30int abac_context_load_id_chunk(abac_context_t *ctx, abac_chunk_t cert);
31int abac_context_load_attribute_file(abac_context_t *ctx, char *filename);
32int abac_context_load_attribute_chunk(abac_context_t *ctx, abac_chunk_t cert);
33
34/* load an entire directory full of certs */
35void abac_context_load_directory(abac_context_t *ctx, char *path);
36
37/* abac query, returns a NULL-terminated array of credentials on success, NULL on fail */
38abac_credential_t **abac_context_query(abac_context_t *ctx, char *role, char *principal, int *success);
39
40/* get all the credentials from the context, returns a NULL-terminated array of credentials */
41abac_credential_t **abac_context_credentials(abac_context_t *ctx);
42
43/* use this to free the results of either of the previous two functions */
44void abac_context_credentials_free(abac_credential_t **credentials);
45
46/*
47 * Operations on credentials
48 */
49abac_role_t *abac_credential_head(abac_credential_t *cred);
50abac_role_t *abac_credential_tail(abac_credential_t *cred);
51abac_chunk_t abac_credential_attribute_cert(abac_credential_t *cred);
52abac_chunk_t abac_credential_issuer_cert(abac_credential_t *cred);
53
54abac_credential_t *abac_credential_dup(abac_credential_t *cred);
55void abac_credential_free(abac_credential_t *cred);
56
57/*
58 * Operations on roles.
59 */
60abac_role_t *abac_role_principal_new(char *principal);
61abac_role_t *abac_role_role_new(char *principal, char *abac_role_name);
62abac_role_t *abac_role_linking_new(char *principal, char *linked_role, char *abac_role_name);
63
64void abac_role_free(abac_role_t *role);
65
66abac_role_t *abac_role_from_string(char *string);
67abac_role_t *abac_role_dup(abac_role_t *role);
68
69int abac_role_is_principal(abac_role_t *role);
70int abac_role_is_role(abac_role_t *role);
71int abac_role_is_linking(abac_role_t *role);
72int abac_role_is_intersection(abac_role_t *role);
73
74char *abac_role_string(abac_role_t *role);
75char *abac_role_linked_role(abac_role_t *role);
76char *abac_role_role_name(abac_role_t *role);
77char *abac_role_principal(abac_role_t *role);
78
79char *abac_role_attr_key(abac_role_t *head_role, abac_role_t *tail_role);
80
81/*
82 * Operations on ID
83 */
84// create an ID from an X.509 certificate
85abac_id_t *abac_id_from_file(char *);
86
87// create an ID from a X.509 certificate PEM chunk
88abac_id_t *abac_id_from_chunk(abac_chunk_t chunk);
89
90// load an X.509 private key from a file
91int abac_id_privkey_from_file(abac_id_t *id, char *filename);
92
93// generate an ID
94// returns one of ABAC_SUCCESS or ABAC_GENERATE_* (see top)
95int abac_id_generate(abac_id_t **ret, char *cn, long validity);
96
97// generate an ID using supplied private key
98// returns one of ABAC_SUCCESS or ABAC_GENERATE_* (see top)
99int abac_id_generate_with_key(abac_id_t **ret, char *cn, long validity, char *keyfile);
100
101// get the SHA1 keyid, pointer is valid for the lifetime of the object
102char *abac_id_keyid(abac_id_t *id);
103
104// get the name of the issuer
105// caller must free the returned string
106char *abac_id_issuer(abac_id_t *id);
107
108// get the DN of the subject
109// caller must free the returned string
110char *abac_id_subject(abac_id_t *id);
111
112// check if the cert is still valid
113int abac_id_still_valid(abac_id_t *id);
114
115// check if the principal cert's keyid is specified
116int abac_id_has_keyid(abac_id_t *id, char *);
117
118// check if the cert is has a private key
119int abac_id_has_privkey(abac_id_t *id);
120
121// get the validity period of the cert
122int abac_id_validity(abac_id_t *id, struct tm *not_before, struct tm *not_after);
123
124// default filename for the cert: ${CN}_ID.pem
125// caller must free the returned string
126char *abac_id_cert_filename(abac_id_t *id);
127
128// write the cert fo an open file pointer
129int abac_id_write_cert(abac_id_t *id, FILE *out);
130
131// default filename for the private key: ${CN}_key.pem
132// caller must free the return value
133char *abac_id_privkey_filename(abac_id_t *id);
134
135// write the private key to a file
136// it is recommended that you open this file mode 0600
137// returns false if there's no private key loaded
138int abac_id_write_privkey(abac_id_t *id, FILE *out);
139
140// get a chunk representing the cert
141// you must free the ptr of the chunk when done
142abac_chunk_t abac_id_cert_chunk(abac_id_t *id);
143
144// dup an ID (increases its refcount)
145abac_id_t *abac_id_dup(abac_id_t *id);
146
147// destroy the id
148// decreases refcount and destroys when it hits 0
149void abac_id_free(abac_id_t *id);
150
151/*
152 * Operations on Attribute
153 */
154//
155// Here's the skinny:
156//  Attribute cert objects don't contain an actual cert until they're baked.
157//  First you construct the object using abac_attribute_create, then you add
158//  subjects to it using abac_attribute_{principal,role,linking_role}.
159//  Finally you bake it. Once you've done that, you can keep it as XML chunk
160//  or write it to a file.
161//
162
163// create an attribute cert
164// validity is in days
165// returns one of CREDDY_SUCCESS or CREDDY_ATTRIBUTE_* (see top)
166int abac_attribute_create(abac_attribute_t **attr, abac_id_t *issuer, char *role, long validity);
167
168// add a head string to the cert
169void abac_attribute_set_head(abac_attribute_t *attr, char *string);
170
171// return the head string of the attribute
172char *abac_attribute_get_head(abac_attribute_t *);
173
174// add a tail role string to the cert
175void abac_attribute_set_tail(abac_attribute_t *attr, char *string);
176
177// return the tail string of the attribute
178char *abac_attribute_get_tail(abac_attribute_t *);
179
180// add a principal subject to the cert
181int abac_attribute_principal(abac_attribute_t *attr, char *keyid);
182
183// add a role subject
184int abac_attribute_role(abac_attribute_t *attr, char *keyid, char *role);
185
186// add a linking role subject
187int abac_attribute_linking_role(abac_attribute_t *attr, char *keyid, char *role, char *linked);
188
189// create the attribute cert once all the subjects have been added
190// can return 0 if there are no subjects or there's a problem building the cert
191int abac_attribute_bake(abac_attribute_t *attr);
192
193// returns true iff the cert's been baked
194int abac_attribute_baked(abac_attribute_t *attr);
195
196// write the cert to a file. returns 0 if the cert hasn't been baked
197int abac_attribute_write(abac_attribute_t *attr, FILE *out);
198int abac_attribute_write_file(abac_attribute_t *attr, const char *fname);
199
200// get chunked cert
201// returns 0 if the cert isn't baked
202abac_chunk_t abac_attribute_cert_chunk(abac_attribute_t *);
203
204// destroy the cert
205void abac_attribute_free(abac_attribute_t *);
206
207// load a list of attr cert from file (aborts on fail)
208ABAC_LIST_T *abac_attribute_certs_from_file(char *);
209
210// load a list of attr cert from chunk (aborts on fail)
211ABAC_LIST_T *abac_attribute_certs_from_chunk(abac_chunk_t);
212
213        // get the attribute role string
214char *abac_attribute_role_string(abac_attribute_t *attr);
215
216// get the issuer id of an attribute
217abac_id_t *abac_attribute_issuer_id(abac_attribute_t *ptr);
218
219// get the validity period of the attribute cert
220int abac_attribute_validity(abac_attribute_t *attr, struct tm *not_before, struct tm *not_after);
221
222// return the principal from an attribute's role string
223// callee must free the space
224char *abac_attribute_get_principal(abac_attribute_t *attr);
225
226// check if the attribute cert is still valid
227int abac_attribute_still_valid(abac_attribute_t *attr);
228
229/*
230 * Return code for libabac
231 */
232#define ABAC_RC_SUCCESS                0
233#define ABAC_RC_FAILURE                1
234
235/*
236 * Error codes for loading certificates.
237 */
238#define ABAC_CERT_SUCCESS           0   // certificate loaded, all is well
239#define ABAC_CERT_INVALID           -1  // invalid format; also file not found
240#define ABAC_CERT_BAD_SIG           -2  // invalid signature
241#define ABAC_CERT_MISSING_ISSUER    -3  // missing ID cert that issued the attribute cert
242#define ABAC_CERT_BAD_PRINCIPAL     -4  // Principal of attribute cert issuer has mismatch keyid
243#define ABAC_CERT_INVALID_ISSUER    -5  // Issuer of attribute cert is invalid
244#define ABAC_CERT_SIGNER_NOKEY      -6  // Signer of attribute cert is missing private key
245
246/*
247 * Error codes for IDs and Attributes
248 */
249#define ABAC_SUCCESS                          0
250#define ABAC_FAILURE                          1 /* catch all */
251#define ABAC_GENERATE_INVALID_CN             -1
252#define ABAC_GENERATE_INVALID_VALIDITY       -2
253#define ABAC_ATTRIBUTE_ISSUER_NOKEY          -3
254#define ABAC_ATTRIBUTE_INVALID_ROLE          -4
255#define ABAC_ATTRIBUTE_INVALID_VALIDITY      -5
256#define ABAC_ATTRIBUTE_INVALID_ISSUER        -6
257
258
259
260#endif /* __ABAC_H__ */
Note: See TracBrowser for help on using the repository browser.