Context Navigation

source: libabac/abac_verifier.c @ 342e28f

abac0-leakabac0-meicompt_changesgec13mei-idmei-rt0-nmei_rt0mei_rt2mei_rt2_fix_1meiyap-rt1meiyap1rt2tvf-new-xml

Last change on this file since 342e28f was 342e28f, checked in by Mike Ryan <mikeryan@…>, 14 years ago
load intersection attribute certificates, do not add them to the graph
Property mode set to `100644`
File size: 9.6 KB

Rev	Line
[186cb75]	1	#include <assert.h>
	2
[5450aeb]	3	#include <library.h>
	4	#include <credentials/certificates/certificate.h>
	5	#include <credentials/certificates/x509.h>
	6	#include <credentials/certificates/ac.h>
	7
[43e3b71]	8	#include "abac_verifier.h"
[5450aeb]	9
[342e28f]	10	#include "abac_list.h"
[3c251d0]	11	#include "abac_util.h"
[5450aeb]	12
[43e3b71]	13	typedef struct _abac_id_cert_t {
[5450aeb]	14	char *keyid;
	15	certificate_t *cert;
	16
	17	UT_hash_handle hh;
[43e3b71]	18	} abac_id_cert_t;
[5450aeb]	19
[401a054]	20	struct _abac_credential_t {
[1743825]	21	abac_role_t *head;
	22	abac_role_t *tail;
[342e28f]	23	abac_list_t *prereqs; // an intersecton has prereqs, not a tail
[5f99fbc]	24	certificate_t *cert;
	25	certificate_t *issuer;
[fbb591e]	26
	27	int refcount;
[5f99fbc]	28	};
	29
[43e3b71]	30	abac_id_cert_t *id_certs = NULL;
[5450aeb]	31
	32	// convert a chunk to a lowercase binary string
	33	// malloc's the string
	34	static char *_chunk_to_string(chunk_t chunk) {
	35	int i;
	36
[3c251d0]	37	char ret = abac_xmalloc(chunk.len 2 + 1);
[5450aeb]	38
	39	for (i = 0; i < chunk.len; ++i)
	40	sprintf(ret + 2 * i, "%02x", chunk.ptr[i]);
	41
	42	return ret;
	43	}
	44
	45	// verify that cert was issued by issuer
	46	// cert and issuer can be the same, in which case the self-sig is validated
[0779c99]	47	static int _verify_signature(certificate_t issuer, certificate_t cert) {
[5450aeb]	48	if (cert->issued_by(cert, issuer))
	49	if (cert->get_validity(cert, NULL, NULL, NULL))
	50	return 1;
	51	return 0;
	52	}
	53
	54	/**
	55	* Init the verifier subsystem.
	56	*/
[43e3b71]	57	void abac_verifier_init(void) {
[5450aeb]	58	atexit(library_deinit);
	59
[1324a63]	60	// silence all debugging
	61	dbg_default_set_level(-1);
	62
[5450aeb]	63	if (!library_init(NULL))
	64	exit(SS_RC_LIBSTRONGSWAN_INTEGRITY);
	65
	66	if (!lib->plugins->load(lib->plugins, NULL,
	67	lib->settings->get_str(lib->settings, "pki.load", PLUGINS)))
	68	exit(SS_RC_INITIALIZATION_FAILED);
	69	}
	70
[186cb75]	71	/**
	72	* Uninitialize the system, free up any allocated memory.
	73	*/
[43e3b71]	74	void abac_verifier_deinit(void) {
	75	abac_id_cert_t *id;
[186cb75]	76
	77	while ((id = id_certs) != NULL) {
	78	HASH_DEL(id_certs, id);
	79
	80	free(id->keyid);
	81	id->cert->destroy(id->cert);
	82	free(id);
	83	}
	84	}
	85
[5450aeb]	86	/**
	87	* Load an ID certificate.
	88	*/
[e898049]	89	static int _load_id(certificate_t *cert) {
[327e808]	90	abac_id_cert_t *id_cert = NULL;
[5450aeb]	91	char *keyid = NULL;
	92	chunk_t id;
	93	int ret;
[2ef48fa]	94	x509_t x509 = (x509_t )cert;
[5450aeb]	95
[e898049]	96	assert(cert != NULL);
[5450aeb]	97
[2ef48fa]	98	// get the key ID
	99	id = x509->get_subjectKeyIdentifier(x509);
[327e808]	100	keyid = _chunk_to_string(id);
	101
	102	// if we already have this cert 'error' with success
	103	HASH_FIND_STR(id_certs, keyid, id_cert);
	104	if (id_cert != NULL) {
	105	ret = ABAC_CERT_SUCCESS;
	106	goto error;
	107	}
	108
[5450aeb]	109	// validate sig
[0779c99]	110	ret = _verify_signature(cert, cert);
	111	if (!ret) {
	112	ret = ABAC_CERT_BAD_SIG;
	113	goto error;
	114	}
[5450aeb]	115
	116	// success, add the key to the map of certificates
[327e808]	117	id_cert = abac_xmalloc(sizeof(abac_id_cert_t));
[5450aeb]	118	id_cert->keyid = keyid;
	119	id_cert->cert = cert;
	120	HASH_ADD_KEYPTR(hh, id_certs, id_cert->keyid, strlen(id_cert->keyid), id_cert);
	121
[0779c99]	122	return ABAC_CERT_SUCCESS;
[5450aeb]	123
	124	error:
[327e808]	125	if (keyid != NULL) free(keyid);
[5450aeb]	126
[0779c99]	127	return ret;
[5450aeb]	128	}
	129
[e898049]	130	/**
	131	* Load an ID cert from a file.
	132	*/
[43e3b71]	133	int abac_verifier_load_id_file(char *filename) {
[61278ec]	134	if (lib == NULL)
	135	errx(1, "looks like you didn't call libabac_init() (lib is NULL)");
	136
[e898049]	137	// load the cert
	138	certificate_t *cert = lib->creds->create(
	139	lib->creds, CRED_CERTIFICATE, CERT_X509,
	140	BUILD_FROM_FILE, filename,
	141	BUILD_X509_FLAG, X509_AA, // attribute authority, dumb
	142	BUILD_END
	143	);
	144	if (cert == NULL)
[0779c99]	145	return ABAC_CERT_INVALID;
[e898049]	146	return _load_id(cert);
	147	}
	148
	149	/**
	150	* Load an ID cert from a chunk.
	151	*/
[43e3b71]	152	int abac_verifier_load_id_chunk(chunk_t chunk) {
[e898049]	153	// load the cert
	154	certificate_t *cert = lib->creds->create(
	155	lib->creds, CRED_CERTIFICATE, CERT_X509,
	156	BUILD_BLOB_ASN1_DER, chunk,
	157	BUILD_X509_FLAG, X509_AA, // attribute authority, dumb
	158	BUILD_END
	159	);
	160	if (cert == NULL)
[0779c99]	161	return ABAC_CERT_INVALID;
[e898049]	162	return _load_id(cert);
	163	}
	164
[342e28f]	165	/**
	166	* Split a string based on the given delimiter.
	167	*/
	168	static void _split(char string, char delim, char *ret, int num) {
	169	int len = strlen(delim);
	170	char *start = string;
	171	int count = 0;
	172
	173	// split the string by the delim
	174	while ((start = strstr(string, delim)) != NULL) {
	175	*start = 0;
	176	ret[count++] = string;
	177	string = start + len;
	178	}
	179	ret[count++] = string;
	180
	181	*num = count;
	182	}
	183
[5450aeb]	184	/**
	185	* Load an attribute cert.
	186	* Returns true only if the certificate is valid and is issued by the proper
	187	* authority.
	188	*/
[0779c99]	189	static int _load_attribute_cert(certificate_t cert, abac_credential_t *cred_ret) {
[804a66a]	190	ietf_attributes_t *attr_cert = NULL;
[1743825]	191	abac_role_t *head_role = NULL;
	192	abac_role_t *tail_role = NULL;
[43e3b71]	193	abac_id_cert_t *issuer;
[342e28f]	194	abac_list_t *prereqs = NULL;
	195	int ret, i;
[5450aeb]	196
	197	// get the attr
	198	ac_t ac = (ac_t )cert;
[804a66a]	199	attr_cert = ac->get_groups(ac);
[0779c99]	200	if (attr_cert == NULL) {
	201	ret = ABAC_CERT_INVALID;
	202	goto error;
	203	}
[5450aeb]	204
[804a66a]	205	char *attr_string = attr_cert->get_string(attr_cert);
[0779c99]	206	if (attr_string == NULL) {
	207	ret = ABAC_CERT_INVALID;
	208	goto error;
	209	}
[5450aeb]	210
	211	// split into head/tail parts
[342e28f]	212	char *head_tail[2];
	213	_split(attr_string, " <- ", head_tail, &ret);
[0779c99]	214	if (ret != 2) {
	215	ret = ABAC_CERT_INVALID;
	216	goto error;
	217	}
[5450aeb]	218
	219	// must be a role
[342e28f]	220	head_role = abac_role_from_string(head_tail[0]);
[5450aeb]	221	if (head_role == NULL) goto error;
[0779c99]	222	if (!abac_role_is_role(head_role)) {
	223	ret = ABAC_CERT_INVALID;
	224	goto error;
	225	}
[5450aeb]	226
[342e28f]	227	// split the tail (in case of an intersection num_tails > 1)
	228	char *tails[256];
	229	int num_tails;
	230	_split(head_tail[1], " & ", tails, &num_tails);
	231
	232	if (num_tails > 1)
	233	prereqs = abac_list_new();
	234
	235	for (i = 0; i < num_tails; ++i) {
	236	// make sure the tail role is valid
	237	tail_role = abac_role_from_string(tails[i]);
	238	if (tail_role == NULL) {
	239	ret = ABAC_CERT_INVALID;
	240	goto error;
	241	}
	242
	243	// add to the list if intersection
	244	if (num_tails > 1)
	245	abac_list_add(prereqs, tail_role);
[0779c99]	246	}
[5450aeb]	247
[342e28f]	248	if (num_tails > 1)
	249	tail_role = NULL;
	250
[5450aeb]	251	// get the issuer based on keyid
[dcc1a8e]	252	char *principal = abac_role_principal(head_role);
[5450aeb]	253	HASH_FIND_STR(id_certs, principal, issuer);
[0779c99]	254	if (issuer == NULL) {
	255	ret = ABAC_CERT_MISSING_ISSUER;
	256	goto error;
	257	}
[5450aeb]	258
	259	// make sure the issuer's signed it
[0779c99]	260	ret = _verify_signature(issuer->cert, cert);
	261	if (!ret) {
	262	ret = ABAC_CERT_BAD_SIG;
	263	goto error;
	264	}
[5450aeb]	265
	266	// at this point we know we have a good attribute cert
[401a054]	267	abac_credential_t *cred = abac_xmalloc(sizeof(abac_credential_t));
	268	cred->head = head_role;
	269	cred->tail = tail_role;
[342e28f]	270	cred->prereqs = prereqs;
[401a054]	271	cred->cert = cert;
	272	cred->issuer = issuer->cert->get_ref(issuer->cert);
[fbb591e]	273	cred->refcount = 1;
[0779c99]	274	*cred_ret = cred;
[5450aeb]	275
	276	// free up some crap
[804a66a]	277	attr_cert->destroy(attr_cert);
[5450aeb]	278
[0779c99]	279	return ABAC_CERT_SUCCESS;
[5450aeb]	280
	281	error:
	282	if (cert != NULL) cert->destroy(cert);
[804a66a]	283	if (attr_cert != NULL) attr_cert->destroy(attr_cert);
[dcc1a8e]	284	if (head_role != NULL) abac_role_free(head_role);
	285	if (tail_role != NULL) abac_role_free(tail_role);
[5450aeb]	286
[342e28f]	287	// free all the tail roles
	288	if (prereqs != NULL) {
	289	abac_list_foreach(prereqs, tail_role,
	290	abac_role_free(tail_role);
	291	);
	292	abac_list_free(prereqs);
	293	}
	294
[0779c99]	295	return ret;
[5450aeb]	296	}
[5f99fbc]	297
[e898049]	298	/**
	299	* Load an attribute cert from a file.
	300	*/
[0779c99]	301	int abac_verifier_load_attribute_cert_file(char filename, abac_credential_t *cred) {
[e898049]	302	// load the cert
	303	certificate_t *cert = lib->creds->create(
	304	lib->creds, CRED_CERTIFICATE, CERT_X509_AC,
	305	BUILD_FROM_FILE, filename,
	306	BUILD_END
	307	);
	308	if (cert == NULL)
[0779c99]	309	return ABAC_CERT_INVALID;
	310	return _load_attribute_cert(cert, cred);
[e898049]	311	}
	312
	313	/**
	314	* Load an attribute cert from a chunk.
	315	*/
[0779c99]	316	int abac_verifier_load_attribute_cert_chunk(chunk_t chunk, abac_credential_t **cred) {
[e898049]	317	// load the cert
	318	certificate_t *cert = lib->creds->create(
	319	lib->creds, CRED_CERTIFICATE, CERT_X509_AC,
	320	BUILD_BLOB_ASN1_DER, chunk,
	321	BUILD_END
	322	);
	323	if (cert == NULL)
[0779c99]	324	return ABAC_CERT_INVALID;
	325	return _load_attribute_cert(cert, cred);
[e898049]	326	}
	327
[5f99fbc]	328	/**
	329	* Return the head role.
	330	*/
[401a054]	331	abac_role_t abac_credential_head(abac_credential_t cred) {
	332	return cred->head;
[5f99fbc]	333	}
	334
	335	/**
	336	* Return the tail role.
	337	*/
[401a054]	338	abac_role_t abac_credential_tail(abac_credential_t cred) {
	339	return cred->tail;
[5f99fbc]	340	}
[85cdf53]	341
[342e28f]	342	/**
	343	* Return the prereqs. Non-NULL iff intersection.
	344	*/
	345	abac_list_t abac_credential_prereqs(abac_credential_t cred) {
	346	return cred->prereqs;
	347	}
	348
[85cdf53]	349	/**
	350	* Return the encoding of the attribute cert.
	351	*/
[401a054]	352	abac_chunk_t abac_credential_attribute_cert(abac_credential_t *cred) {
	353	chunk_t encoding = cred->cert->get_encoding(cred->cert);
[9efbfbf]	354	abac_chunk_t ret = { encoding.ptr, encoding.len };
	355	return ret;
[85cdf53]	356	}
	357
	358	/**
	359	* Return the encoding of the issuer cert.
	360	*/
[401a054]	361	abac_chunk_t abac_credential_issuer_cert(abac_credential_t *cred) {
	362	chunk_t encoding = cred->issuer->get_encoding(cred->issuer);
[9efbfbf]	363	abac_chunk_t ret = { encoding.ptr, encoding.len };
	364	return ret;
[85cdf53]	365	}
[186cb75]	366
	367	/**
[fbb591e]	368	* Increase the ref count of a credential.
[186cb75]	369	*/
[401a054]	370	abac_credential_t abac_credential_dup(abac_credential_t cred) {
	371	assert(cred != NULL);
[186cb75]	372
[fbb591e]	373	++cred->refcount;
	374	return cred;
[186cb75]	375	}
	376
	377	/**
[fbb591e]	378	* Decrease the reference count of a credential, freeing it when it reaches 0.
[186cb75]	379	*/
[401a054]	380	void abac_credential_free(abac_credential_t *cred) {
	381	if (cred == NULL)
[186cb75]	382	return;
	383
[fbb591e]	384	--cred->refcount;
	385	if (cred->refcount > 0)
	386	return;
	387
[401a054]	388	abac_role_free(cred->head);
	389	abac_role_free(cred->tail);
	390	cred->cert->destroy(cred->cert);
	391	cred->issuer->destroy(cred->issuer); // reference counted
[186cb75]	392
[342e28f]	393	if (cred->prereqs != NULL) {
	394	abac_role_t *tail;
	395	abac_list_foreach(cred->prereqs, tail,
	396	abac_role_free(tail);
	397	);
	398	abac_list_free(cred->prereqs);
	399	}
	400
[401a054]	401	free(cred);
[186cb75]	402	}

Note: See TracBrowser for help on using the repository browser.

Download in other formats: