Context Navigation

source: libabac/abac_verifier.c @ 41a0c1e

mei_rt2mei_rt2_fix_1

Last change on this file since 41a0c1e was 6244e28, checked in by Mei <mei@…>, 12 years ago
1) added extract_cn for abac_verifier.c 2) update example directory's save log for the new multi proof case
Property mode set to `100644`
File size: 34.2 KB

Rev	Line
[8bd77b5]	1	/**
	2	** abac_verifier.c
	3	**/
[53e540d]	4
	5	// include the GNU extension of asprintf
	6	#define _GNU_SOURCE
	7
[5110d42]	8	#include <stdio.h>
	9	#include <regex.h>
	10	#include <sys/mman.h>
	11	#include <fcntl.h>
[d037f54]	12	#include <sys/types.h>
	13	#include <sys/stat.h>
	14	#include <unistd.h>
	15
[5110d42]	16
[186cb75]	17	#include <assert.h>
[202a7f9]	18	#include <stdio.h>
[186cb75]	19
[5450aeb]	20	#include <library.h>
	21
[8bd77b5]	22	#include "abac_internal.h"
[43e3b71]	23	#include "abac_verifier.h"
[5450aeb]	24
[3c251d0]	25	#include "abac_util.h"
[202a7f9]	26	#include "abac_rt.h"
[5450aeb]	27
[8bd77b5]	28	static int debug=0;
[ba6027a]	29
[5d06689]	30	/* from abac_attribute.c */
	31	extern char get_cred_encoding(abac_attribute_t ptr);
[8bd77b5]	32
	33	extern abac_aspect_t *abac_yy_get_rule_head_aspect();
	34	extern abac_aspect_t *abac_yy_get_rule_tail_aspect();
[b5a3da4]	35	extern abac_list_t *abac_yy_get_rule_clauses();
[da5afdf]	36	extern char* abac_decode_string(char *);
[b5a3da4]	37	extern void abac_yy_free_rule_clauses();
[0d0c3a9]	38	extern char generate_pl_type_clause(char , int);
[5d06689]	39	extern abac_list_t generate_pl_clauses(abac_aspect_t , abac_aspect_t *);
[9b43fc3]	40	extern void generate_pl_set_abac_yyfptr_encoded(char *string);
[0d0c3a9]	41
[8bd77b5]	42	extern void abac_print_aspect_string_with_condition(abac_aspect_t role, FILE);
[202a7f9]	43
[ba6027a]	44	extern int abac_id_load_privkey_chunk(abac_id_t *ptr, chunk_t keychunk);
	45
[8bd77b5]	46	struct _abac_id_credential_t {
	47	char *hashkeyid;
	48	abac_id_t *id;
	49	char *pl_clause;
[5450aeb]	50
	51	UT_hash_handle hh;
[202a7f9]	52	};
[8bd77b5]	53	/* hash table base on sha with a p */
	54	abac_id_credential_t *id_creds = NULL;
[5110d42]	55	/* linked list of all the ids's hashkeyid */
	56	abac_list_t *id_hashkeyid_list = NULL;
[5450aeb]	57
[da5afdf]	58	/* can store either role or oset */
[401a054]	59	struct _abac_credential_t {
[8bd77b5]	60	char *hashkeyid;
	61	abac_attribute_t *attr;
	62	abac_list_t *pl_clauses;
[53e540d]	63
	64	UT_hash_handle hh;
[8bd77b5]	65	};
	66	/* hash table base on encoded attr rule */
	67	abac_credential_t *attr_creds = NULL;
	68	/* linked list of all the attr's hashkeyid */
	69	abac_list_t *attr_hashkeyid_list = NULL;
[202a7f9]	70
[8bd77b5]	71	/*****************************************************************************/
[da5afdf]	72	void abac_print_cred_info(abac_credential_t cred, FILE fp)
[202a7f9]	73	{
[da5afdf]	74	if(fp == NULL)
	75	fp=stdout;
	76
[8bd77b5]	77	abac_attribute_t *ptr=cred->attr;
	78	abac_aspect_t *head=abac_attribute_head(ptr);
	79	abac_aspect_t *tail=abac_attribute_tail(ptr);
	80
[202a7f9]	81	if(debug) {
[da5afdf]	82	fprintf(fp,"---> printing out credential info cred(%d)..\n", (int) cred);
[8bd77b5]	83	if(head) {
	84	abac_print_aspect_string_with_condition(head,fp);
[202a7f9]	85	}
[8bd77b5]	86	if(tail) {
	87	abac_print_aspect_string_with_condition(tail,fp);
[202a7f9]	88	}
	89
[8bd77b5]	90	abac_list_t *clauses=cred->pl_clauses;
[202a7f9]	91	if (clauses != NULL) {
	92	char *cur=NULL;
	93	abac_list_foreach(clauses, cur,
[da5afdf]	94	fprintf(fp,"\n a clause(%d):\n",(int)cur);
[202a7f9]	95	if(cur)
[da5afdf]	96	fprintf(fp,"strlen(%d)loc(%d)(%s)\n", strlen(cur),(int)cur, cur);
[202a7f9]	97	);
	98	}
	99	} else {
[da5afdf]	100	fprintf(fp," ");
[8bd77b5]	101	abac_print_aspect_string_with_condition(head,fp);
[da5afdf]	102	fprintf(fp," <- ");
[8bd77b5]	103	abac_print_aspect_string_with_condition(tail,fp);
[da5afdf]	104	fprintf(fp,"\n");
[202a7f9]	105	}
	106	}
	107
[5110d42]	108	void abac_print_prin_info(abac_id_credential_t prin, FILE fp)
	109	{
	110	if(fp == NULL)
	111	return;
	112
	113	abac_id_t *ptr=abac_id_credential_id(prin);
	114
	115	if(debug) fprintf(fp,"---> printing out principal info ..\n");
	116	if(abac_id_has_privkey(ptr))
	117	fprintf(fp," (%s,%s,y)\n",abac_id_name(ptr),abac_id_idtype_string(ptr));
	118	else
	119	fprintf(fp," (%s,%s,n)\n",abac_id_name(ptr),abac_id_idtype_string(ptr));
	120	}
	121
[202a7f9]	122	//
[8bd77b5]	123	int abac_verify_idtype_type(char *type) {
[202a7f9]	124	int i;
	125
	126	if (type == NULL)
	127	return 0;
	128
[8bd77b5]	129	for (i = 1; i <= _idtypename_cnt ; i++)
	130	if(strcmp(type,_idtypename[i])==0)
[202a7f9]	131	return i;
	132	return 0;
	133	}
	134
[8bd77b5]	135	char *abac_idtype_string(int i)
[202a7f9]	136	{
[440ba20]	137	if(i > _idtypename_cnt) {
	138	printf("bad idtypename idx %d\n", i);
[8bd77b5]	139	panic("abac_idtype_string: went out of range on idtypename");
[440ba20]	140	}
	141	return (char*) _idtypename[i];
[202a7f9]	142	}
	143
[5450aeb]	144	// convert a chunk to a lowercase binary string
	145	// malloc's the string
	146	static char *_chunk_to_string(chunk_t chunk) {
	147	int i;
	148
[3c251d0]	149	char ret = abac_xmalloc(chunk.len 2 + 1);
[5450aeb]	150
	151	for (i = 0; i < chunk.len; ++i)
	152	sprintf(ret + 2 * i, "%02x", chunk.ptr[i]);
	153
	154	return ret;
	155	}
	156
	157	// verify that cert was issued by issuer
	158	// cert and issuer can be the same, in which case the self-sig is validated
[8bd77b5]	159	static int _verify_signature(certificate_t issuer_cert, certificate_t cert) {
	160	if (cert->issued_by(cert, issuer_cert))
[5450aeb]	161	if (cert->get_validity(cert, NULL, NULL, NULL))
	162	return 1;
	163	return 0;
	164	}
	165
	166	/**
	167	* Init the verifier subsystem.
	168	*/
[43e3b71]	169	void abac_verifier_init(void) {
[1324a63]	170	// silence all debugging
	171
[5450aeb]	172	if (!library_init(NULL))
	173	exit(SS_RC_LIBSTRONGSWAN_INTEGRITY);
	174
	175	if (!lib->plugins->load(lib->plugins, NULL,
	176	lib->settings->get_str(lib->settings, "pki.load", PLUGINS)))
	177	exit(SS_RC_INITIALIZATION_FAILED);
[8bd77b5]	178
	179	attr_hashkeyid_list = abac_list_new();
[5110d42]	180	id_hashkeyid_list = abac_list_new();
[5450aeb]	181	}
	182
[186cb75]	183	/**
	184	* Uninitialize the system, free up any allocated memory.
	185	*/
[43e3b71]	186	void abac_verifier_deinit(void) {
[2485307]	187	if(debug)fprintf(stderr, "abac_verifier_deinit... being called..\n");
[137b55f]	188
[8bd77b5]	189	abac_id_credential_t *ptr;
	190	while ((ptr = id_creds) != NULL) {
[2485307]	191	if(debug) fprintf(stderr, "abac_verifier_deinit: deleting id (%s)\n",abac_id_name(ptr->id));
[8bd77b5]	192	HASH_DEL(id_creds, ptr);
	193
[137b55f]	194	free(ptr->hashkeyid);
[8bd77b5]	195	free(ptr->pl_clause);
[137b55f]	196	abac_id_free(ptr->id);
[8bd77b5]	197	free(ptr);
[186cb75]	198	}
[55c272b]	199
[8bd77b5]	200	abac_credential_t *ptr2;
	201	while ((ptr2 = attr_creds) != NULL) {
	202	HASH_DEL(attr_creds, ptr2);
	203	if(debug) {
[2485307]	204	fprintf(stderr, "abac_verifier_deinit: deleting attr hashkey(%s)\n",ptr2->hashkeyid);
[8bd77b5]	205	}
	206	free(ptr2->hashkeyid);
	207	abac_attribute_free(ptr2->attr);
	208	char *cur=NULL;
	209	abac_list_foreach(ptr2->pl_clauses, cur,
	210	free(cur);
	211	);
	212	free(ptr2->pl_clauses);
	213	free(ptr2);
[53e540d]	214	}
	215
[8bd77b5]	216	if(attr_hashkeyid_list) {
	217	char *cur;
	218	if(attr_hashkeyid_list) {
	219	abac_list_foreach(attr_hashkeyid_list, cur,
	220	if(cur) free(cur);
	221	);
	222	}
	223	abac_list_free(attr_hashkeyid_list);
	224	}
[137b55f]	225
[5110d42]	226	if(id_hashkeyid_list) {
[2485307]	227	if(debug) fprintf(stderr, "looking to free id_hashkeyid_lst..\n");
[5110d42]	228	char *cur;
	229	if(id_hashkeyid_list) {
	230	abac_list_foreach(id_hashkeyid_list, cur,
[137b55f]	231	if(cur) {
[2485307]	232	if(debug) fprintf(stderr, "hum.. id hashkey being freed.. %s\n", cur);
[137b55f]	233	free(cur);
	234	}
[5110d42]	235	);
	236	}
	237	abac_list_free(id_hashkeyid_list);
	238	}
	239
[55c272b]	240	library_deinit();
[186cb75]	241	}
	242
[8bd77b5]	243	abac_id_credential_t abac_verifier_add_id_credential(abac_id_t a_id)
	244	{
	245	abac_id_credential_t *id_cred;
	246	char *cn=abac_id_cn(a_id);
[d037f54]	247	char *keyid=abac_id_keyid(a_id);
[8bd77b5]	248
[440ba20]	249	if(debug) {
[2485307]	250	fprintf(stderr, "abac_verifier_add_id_credential, cn(%s),keyid(%s)\n",
[440ba20]	251	cn, keyid);
	252	}
	253
[8bd77b5]	254	// add the abac_id to the map of id credentials
	255	id_cred = abac_xmalloc(sizeof(abac_id_credential_t));
	256	id_cred->hashkeyid = abac_xstrdup(keyid);
	257	id_cred->id=abac_id_dup(a_id);
	258
	259	/* special handling here */
	260	if(USE("ABAC_CN")) {
	261	id_cred->pl_clause = generate_pl_type_clause(cn, abac_id_idtype(a_id));
	262	} else {
[d037f54]	263	id_cred->pl_clause=generate_pl_type_clause(prologIt(keyid), abac_id_idtype(a_id));
[8bd77b5]	264	}
	265	HASH_ADD_KEYPTR(hh, id_creds, id_cred->hashkeyid, strlen(id_cred->hashkeyid), id_cred);
	266	if(debug)
[2485307]	267	fprintf(stderr, "-->adding into id_creds, (%s)..cnt(%d)(%d)\n",
[ba6027a]	268	id_cred->hashkeyid, HASH_COUNT(id_creds),(int)id_cred);
[8bd77b5]	269
[5110d42]	270	assert(id_hashkeyid_list);
	271	abac_list_add(id_hashkeyid_list, abac_xstrdup(id_cred->hashkeyid));
	272	return id_cred;
[8bd77b5]	273	}
	274
[6244e28]	275	/* have to find the last cn
	276	CN=test/emailAddress=abac.isi.edu, CN=12345678
	277	CN=client
	278	..CN=255a03f3-ed30/emailAddress=..
	279	*/
	280	static char* _extract_cn(char *string)
	281	{
	282	char *ptr=strstr(string,"CN=");
	283	if(ptr == NULL) return NULL;
	284
	285	/* look for last CN= */
	286	while(1) {
	287	char *tptr=ptr+3;
	288	char *p=strstr(tptr,"CN=");
	289	if(p) ptr=p;
	290	else break;
	291	}
	292
	293	/* remove the possible additional stuff */
	294	char cn=abac_xstrdup(ptr); / it would get write over */
	295	abac_credential_t *cred = abac_xmalloc(sizeof(abac_credential_t));
	296
	297	char *nptr=strtok(cn,"/");
	298	char pcn=abac_xmalloc(sizeof(char) strlen(nptr));
	299	pcn[0]='p';
	300	sscanf(nptr,"CN=%s", &pcn[1]);
	301	free(cn);
	302	return pcn;
	303	}
	304
[5450aeb]	305	/**
[440ba20]	306	* Load an ID
[5450aeb]	307	*/
[8bd77b5]	308	static int _load_id(abac_id_t *a_id,certificate_t cert, abac_id_credential_t **id_cred_ret) {
	309	abac_id_credential_t *id_cred = NULL;
[d037f54]	310	char *keyid = NULL;
[5450aeb]	311	chunk_t id;
	312	int ret;
[2ef48fa]	313	x509_t x509 = (x509_t )cert;
[5450aeb]	314
[e898049]	315	assert(cert != NULL);
[5450aeb]	316
[7727f26]	317	// get the key ID, add p to keyid SHA here */
[2ef48fa]	318	id = x509->get_subjectKeyIdentifier(x509);
[d037f54]	319	keyid = _chunk_to_string(id);
[327e808]	320
[0d0c3a9]	321	/* Mike said this is the way it is */
[6244e28]	322	char *str=NULL;
[53e540d]	323	int rv = asprintf(&str, "%Y", cert->get_issuer(cert));
	324
[36b100a]	325	/* add p to cn name here */
[6244e28]	326	char *cn=_extract_cn(str);
	327	if(cn == NULL) {
[53e540d]	328	ret = ABAC_CERT_BAD_CN;
	329	goto error;
	330	}
	331
[202a7f9]	332	if(debug) {
[2485307]	333	fprintf(stderr, "DEBUG:keyid %s \n", keyid);
	334	fprintf(stderr, "DEBUG:issuer '%s' \n", str);
	335	fprintf(stderr, "DEBUG:cn %s \n", cn);
[202a7f9]	336	}
[53e540d]	337	free(str);
	338
[327e808]	339	// if we already have this cert 'error' with success
[8bd77b5]	340	HASH_FIND_STR(id_creds, keyid, id_cred);
	341	if (id_cred != NULL) {
[2485307]	342	if(debug) fprintf(stderr, "existing cert \n");
[440ba20]	343	ret = ABAC_CERT_EXISTS;
[327e808]	344	goto error;
	345	}
	346
[5450aeb]	347	// validate sig
[0779c99]	348	ret = _verify_signature(cert, cert);
	349	if (!ret) {
	350	ret = ABAC_CERT_BAD_SIG;
	351	goto error;
	352	}
[5450aeb]	353
[8bd77b5]	354	// success, add a new abac_id
[440ba20]	355	if(*a_id==NULL) {
	356	*a_id=abac_id_keyid_new(keyid,cn,cert);
	357	}
[5450aeb]	358
[8bd77b5]	359	abac_id_credential_t n_id_cred=abac_verifier_add_id_credential(a_id);
	360	*id_cred_ret=n_id_cred;
[202a7f9]	361
[6244e28]	362	if (keyid != NULL) free(keyid);
	363	if (cn != NULL) free(cn);
	364
[0779c99]	365	return ABAC_CERT_SUCCESS;
[5450aeb]	366
	367	error:
[327e808]	368	if (keyid != NULL) free(keyid);
[53e540d]	369	if (cn != NULL) free(cn);
[5450aeb]	370
[0779c99]	371	return ret;
[5450aeb]	372	}
	373
[8bd77b5]	374	/* collect all the creds stored so far */
	375	abac_stack_t *abac_verifier_dump_creds()
[202a7f9]	376	{
[8bd77b5]	377	abac_stack_t *cred_list = abac_stack_new();
	378
	379	int cnt=0;
	380	if(attr_hashkeyid_list) {
	381	char *keyid;
	382	abac_credential_t *cred;
	383	abac_list_foreach(attr_hashkeyid_list, keyid,
	384	cred=abac_credential_lookup(keyid);
	385	abac_stack_push(cred_list, cred);
	386	cnt++;
	387	);
	388	}
[2485307]	389	if(debug) fprintf(stderr, "abac_verifier_dump_cred: %d\n",cnt);
[8bd77b5]	390	return cred_list;
	391	}
	392
[5110d42]	393	/* collect all the id stored so far */
	394	abac_stack_t *abac_verifier_dump_principals()
	395	{
	396	abac_stack_t *id_list = abac_stack_new();
	397
	398	int cnt=0;
	399	if(id_hashkeyid_list) {
	400	char *keyid;
	401	abac_id_credential_t *id;
	402	abac_list_foreach(id_hashkeyid_list, keyid,
	403	id=abac_id_credential_lookup(keyid);
	404	abac_stack_push(id_list, id);
	405	cnt++;
	406	);
	407	}
[2485307]	408	if(debug) fprintf(stderr, "abac_verifier_dump_principals: %d\n",cnt);
[5110d42]	409	return id_list;
	410	}
	411
[8bd77b5]	412
	413	static void check_id_cred(abac_id_credential_t *id_cred)
	414	{
	415	if(id_cred) {
	416	printf("checking on this id_cred location %d\n", (int)id_cred);
	417	printf(" --> sha is (%s)\n", abac_id_keyid(id_cred->id));
	418	printf(" --> cn is (%s)\n", abac_id_cn(id_cred->id));
[202a7f9]	419	}
	420	}
	421
	422	/**
	423	* Load an attribute cert as string.
	424	* have minimum syntax & validity check
	425	*/
	426	static int _load_attribute_string(char* attr_string) {
	427	printf("NOT implemented yet!!!");
	428	return ABAC_CERT_INVALID;
	429	}
	430
[e898049]	431	/**
	432	* Load an ID cert from a file.
	433	*/
[ba6027a]	434	int abac_verifier_load_id_file_key_file(char filename, char keyfilename,
	435	abac_id_credential_t **id_cred_ret)
	436	{
[8bd77b5]	437	abac_id_t *id=NULL;
[61278ec]	438	if (lib == NULL)
	439	errx(1, "looks like you didn't call libabac_init() (lib is NULL)");
	440
[2485307]	441	if(debug) fprintf(stderr, "loading id file... %s\n", filename);
[d037f54]	442
[137b55f]	443	// load the cert, with public key
[e898049]	444	certificate_t *cert = lib->creds->create(
	445	lib->creds, CRED_CERTIFICATE, CERT_X509,
	446	BUILD_FROM_FILE, filename,
	447	BUILD_X509_FLAG, X509_AA, // attribute authority, dumb
	448	BUILD_END
	449	);
[d037f54]	450
[e898049]	451	if (cert == NULL)
[0779c99]	452	return ABAC_CERT_INVALID;
[d037f54]	453
	454	int rc=_load_id(&id,cert,id_cred_ret);
[440ba20]	455	if(rc==ABAC_CERT_EXISTS) {
[2485307]	456	if(debug) fprintf(stderr, "abac_verifier_load_id_files: id already exists\n");
[440ba20]	457	return ABAC_CERT_SUCCESS;
	458	}
	459
[d037f54]	460	/* try to load the private key if it is there */
[2efdff5]	461	if((rc==ABAC_CERT_SUCCESS) && keyfilename!=NULL && file_exist(keyfilename)) {
[2485307]	462	if(debug) fprintf(stderr, "loading... %s\n", keyfilename);
[5110d42]	463	int keyrc=abac_id_load_privkey_file(id, keyfilename);
[d037f54]	464	if(debug) {
[2485307]	465	if(keyrc == 1) fprintf(stderr, "..load_id_file: load(%s) with a private key\n",filename);
[d037f54]	466	else printf("..load_id_file: load(%s) without a private key\n",filename);
	467	}
	468	}
[2efdff5]	469	return ABAC_CERT_SUCCESS;
[8bd77b5]	470	}
	471
[ba6027a]	472	int abac_verifier_load_enc_id_file_key_file(char filename, char keyfilename,
	473	char pfile, abac_id_credential_t *id_cred_ret)
	474	{
	475	abac_id_t *id=NULL;
	476	if (lib == NULL)
	477	errx(1, "looks like you didn't call libabac_init() (lib is NULL)");
	478
[2485307]	479	if(debug) fprintf(stderr, "loading id file... %s\n", filename);
[ba6027a]	480
	481	// load the cert, with public key
	482	certificate_t *cert = lib->creds->create(
	483	lib->creds, CRED_CERTIFICATE, CERT_X509,
	484	BUILD_FROM_FILE, filename,
	485	BUILD_X509_FLAG, X509_AA, // attribute authority, dumb
	486	BUILD_END
	487	);
	488
	489	if (cert == NULL)
	490	return ABAC_CERT_INVALID;
	491
	492	int rc=_load_id(&id,cert,id_cred_ret);
	493	if(rc==ABAC_CERT_EXISTS) {
[2485307]	494	if(debug) fprintf(stderr, "abac_verifier_load_id_files: id already exists\n");
[ba6027a]	495	return ABAC_CERT_SUCCESS;
	496	}
	497
	498	/* try to load the private key if it is there */
	499	if((rc==ABAC_CERT_SUCCESS) && keyfilename!=NULL && file_exist(keyfilename)) {
[2485307]	500	if(debug) fprintf(stderr, "loading... %s\n", keyfilename);
[ba6027a]	501	int keyrc=abac_id_load_enc_privkey_file(id, keyfilename, pfile);
	502	if(debug) {
[2485307]	503	if(keyrc == 1) fprintf(stderr, "..load_id_file: load(%s) with a private key\n",filename);
[ba6027a]	504	else printf("..load_id_file: load(%s) without a private key\n",filename);
	505	}
	506	}
	507	return ABAC_CERT_SUCCESS;
	508	}
	509
[8bd77b5]	510	/**
	511	* Load an ID cert from a abac_id_t
	512	*/
	513	int abac_verifier_load_id_id(abac_id_t id, abac_id_credential_t *id_cred_ret) {
	514	certificate_t *cert = abac_id_cert(id);
	515	return _load_id(&id,cert,id_cred_ret);
[e898049]	516	}
	517
[5110d42]	518	/**
	519	* Load an ID cert from a chunk.
	520	*/
	521	int abac_verifier_load_id_pem_chunk(chunk_t chunk, abac_id_credential_t **id_cred_ret) {
	522	abac_id_t *id=NULL;
	523	// load the cert
	524	certificate_t *cert = lib->creds->create(
	525	lib->creds, CRED_CERTIFICATE, CERT_X509,
	526	BUILD_BLOB_PEM, chunk,
	527	BUILD_X509_FLAG, X509_AA, // attribute authority, dumb
	528	BUILD_END
	529	);
	530	if (cert == NULL)
	531	return ABAC_CERT_INVALID;
	532	return _load_id(&id, cert,id_cred_ret);
	533	}
[e898049]	534	/**
[9b43fc3]	535	* Load an ID cert from a chunk, Note, this only loads the id cert part
	536	* and so it is not suitable for creating an attribute credential with.
	537	* Only a complete id cert + privkey could create attribute credential.
[e898049]	538	*/
[8bd77b5]	539	int abac_verifier_load_id_chunk(chunk_t chunk, abac_id_credential_t **id_cred_ret) {
	540	abac_id_t *id=NULL;
[e898049]	541	// load the cert
	542	certificate_t *cert = lib->creds->create(
	543	lib->creds, CRED_CERTIFICATE, CERT_X509,
	544	BUILD_BLOB_ASN1_DER, chunk,
	545	BUILD_X509_FLAG, X509_AA, // attribute authority, dumb
	546	BUILD_END
	547	);
	548	if (cert == NULL)
[0779c99]	549	return ABAC_CERT_INVALID;
[8bd77b5]	550	return _load_id(&id, cert,id_cred_ret);
[e898049]	551	}
	552
[9b43fc3]	553	/**
	554	* Load an ID cert from a cert chunk and a privkey chunk,
	555	* this complete id cert + privkey could create attribute credential.
	556	*/
	557	int abac_verifier_load_id_privkey_chunk(chunk_t chunk, chunk_t privkey_chunk,
	558	abac_id_credential_t **id_cred_ret) {
	559
	560	abac_id_t *id=NULL;
	561	// load the cert
	562	certificate_t *cert = lib->creds->create(
	563	lib->creds, CRED_CERTIFICATE, CERT_X509,
	564	BUILD_BLOB_ASN1_DER, chunk,
	565	BUILD_X509_FLAG, X509_AA, // attribute authority, dumb
	566	BUILD_END
	567	);
	568	if (cert == NULL)
	569	return ABAC_CERT_INVALID;
	570
	571	int rc=_load_id(&id, cert,id_cred_ret);
	572	if(rc == ABAC_CERT_SUCCESS) {
	573	rc=abac_id_load_privkey_chunk(id, privkey_chunk);
	574	}
	575
	576	return rc;
	577	}
	578
[ba6027a]	579	int abac_verifier_load_id_enc_privkey_chunk(chunk_t chunk, chunk_t privkey_chunk,
	580	char* pfile, abac_id_credential_t **id_cred_ret) {
	581
	582	abac_id_t *id=NULL;
	583	// load the cert
	584	certificate_t *cert = lib->creds->create(
	585	lib->creds, CRED_CERTIFICATE, CERT_X509,
	586	BUILD_BLOB_ASN1_DER, chunk,
	587	BUILD_X509_FLAG, X509_AA, // attribute authority, dumb
	588	BUILD_END
	589	);
	590	if (cert == NULL)
	591	return ABAC_CERT_INVALID;
	592
	593	int rc=_load_id(&id, cert,id_cred_ret);
	594	if(rc == ABAC_CERT_SUCCESS) {
	595	rc=abac_id_load_enc_privkey_chunk(id, privkey_chunk, pfile);
	596	}
	597
	598	return rc;
	599	}
	600
	601
[9b43fc3]	602
[2efdff5]	603	abac_id_t abac_verifier_load_issuer(char filename, char *keyfilename)
	604	{
	605	abac_id_credential_t *id_cred=NULL;
	606	int ret=abac_verifier_load_id_file_key_file(filename,keyfilename,&id_cred);
	607	if(ret !=ABAC_CERT_SUCCESS)
	608	return NULL;
	609	abac_id_t *issuer=abac_id_credential_id(id_cred);
	610	return issuer;
	611	}
	612
[53e540d]	613
[5110d42]	614	static int matchex(const char subject, const char pattern, int so, int eo)
	615	{
	616	int rc; // Returned code
	617	regmatch_t pmatch;
	618
	619	regex_t re; // Compiled regexp pattern
	620
	621	if (regcomp(&re, pattern, 0) != 0) return 0;
	622
	623	rc = regexec(&re, subject, 1 , &pmatch, 0);
	624	regfree(&re);
	625
	626	if (rc == REG_NOMATCH ) return 0;
	627
	628	*so=pmatch.rm_so;
	629	*eo=pmatch.rm_eo;
	630
	631	return 1;
	632	}
	633
	634
	635
	636	static chunk_t _extract_chunk(char data, char startline, char* endline)
	637	{
	638	int found=0;
	639	int startos=0;
	640	int endos=0;
	641	regex_t re;
	642	regmatch_t pm;
	643	int rc;
	644
	645	int st;
	646	int et;
	647
	648	rc=matchex(data, startline, &st, &et);
	649	if(rc==0) return chunk_empty;
	650	startos=st;
	651
	652	rc=matchex(data, endline, &st, &et);
	653	if(rc==0) return chunk_empty;
	654	endos=et;
	655
	656	int len=endos - startos;
	657
[2485307]	658	if(debug) fprintf(stderr, "making a chunk of size (%d) from %d and %d\n",len, startos,endos);
[5110d42]	659	char *ptr=strndup(data+startos,len);
	660
	661	chunk_t ret = { ptr, len };
	662	return ret;
	663	}
	664
	665
	666	int abac_verifier_load_idkey_file(char filename, abac_id_credential_t *id_cred_ret)
	667	{
	668	struct stat sb;
	669	int fd;
	670	int rc;
	671
	672	fd = open(filename, O_RDONLY);
	673	if (fd == -1) { return 1; }
	674	if(stat(filename, &sb) == -1) {
	675	close(fd);
	676	return 1;
	677	}
	678	char* data = (char *)mmap(NULL, sb.st_size, PROT_READ, MAP_PRIVATE, fd, 0);
	679	if(data == MAP_FAILED) {
	680	close(fd);
	681	return 1;
	682	}
	683	close(fd);
	684
	685	chunk_t key_pem_chunk=_extract_chunk(data,
	686	"-----BEGIN RSA PRIVATE KEY-----","-----END RSA PRIVATE KEY-----");
	687	chunk_t cert_pem_chunk=_extract_chunk(data,
	688	"-----BEGIN CERTIFICATE-----","-----END CERTIFICATE-----");
	689
	690	/* key=0, cert=0 */
	691	if(key_pem_chunk.len==0 && cert_pem_chunk.len==0) {
[2485307]	692	if(debug) fprintf(stderr, "abac_verifier_load_idkey_file: no key or id in idkey_file\n");
[5110d42]	693	goto error;
	694	}
	695
	696	/* key=0, cert=1 */
	697	if(key_pem_chunk.len==0) {
[2485307]	698	if(debug) fprintf(stderr, "abac_verifier_load_idkey_file: no key in idkey_file\n");
[5110d42]	699	munmap(data, sb.st_size);
	700	chunk_free(&key_pem_chunk);
	701	return abac_verifier_load_id_file_key_file(filename,NULL,id_cred_ret);
	702	}
	703
	704	/* key=1, cert=1 */
	705	if(cert_pem_chunk.len!=0) {
	706	if(debug) {
[2485307]	707	fprintf(stderr, "loading cert pem chunk %d\n", cert_pem_chunk.len);
[5110d42]	708	printf("(%s)\n",cert_pem_chunk.ptr);
	709	}
	710	rc=abac_verifier_load_id_pem_chunk(cert_pem_chunk, id_cred_ret);
	711	if(rc != 0) {
[2485307]	712	if(debug) fprintf(stderr, "abac_verifier_load_idkey_file: fail to load the id\n");
[5110d42]	713	goto error;
	714	}
	715	/* key=1, cert=0 */
	716	} else {
[2485307]	717	if(debug) fprintf(stderr, "abac_verifier_load_idkey_file: there is no id info in there\n");
[5110d42]	718	goto error;
	719	}
	720
	721	/* handle the key_pem_chunk */
	722	if(debug) {
[2485307]	723	fprintf(stderr, "loading key pem chunk %d\n", key_pem_chunk.len);
[5110d42]	724	printf("(%s)\n",key_pem_chunk.ptr);
	725	}
	726	abac_id_t id=abac_id_credential_id(id_cred_ret);
	727	rc=abac_id_load_privkey_chunk(id, key_pem_chunk);
	728	if(rc==0) {
	729	printf("abac_verifier_load_idkey_file:failed to load priv key!!!\n");
	730	goto error;
	731	}
	732
	733	munmap(data, sb.st_size);
	734	return 0;
	735
	736	error:
	737	munmap(data, sb.st_size);
	738	return 1;
	739	}
	740
	741
[ba6027a]	742	int abac_verifier_load_enc_idkey_file(char filename, char pfile,
	743	abac_id_credential_t **id_cred_ret)
	744	{
	745	struct stat sb;
	746	int fd;
	747	int rc;
	748
	749	fd = open(filename, O_RDONLY);
	750	if (fd == -1) { return 1; }
	751	if(stat(filename, &sb) == -1) {
	752	close(fd);
	753	return 1;
	754	}
	755	char* data = (char *)mmap(NULL, sb.st_size, PROT_READ, MAP_PRIVATE, fd, 0);
	756	if(data == MAP_FAILED) {
	757	close(fd);
	758	return 1;
	759	}
	760	close(fd);
	761
	762	chunk_t key_pem_chunk=_extract_chunk(data,
	763	"-----BEGIN RSA PRIVATE KEY-----","-----END RSA PRIVATE KEY-----");
	764	chunk_t cert_pem_chunk=_extract_chunk(data,
	765	"-----BEGIN CERTIFICATE-----","-----END CERTIFICATE-----");
	766
	767	/* key=0, cert=0 */
	768	if(key_pem_chunk.len==0 && cert_pem_chunk.len==0) {
[2485307]	769	if(debug) fprintf(stderr, "abac_verifier_load_idkey_file: no key or id in idkey_file\n");
[ba6027a]	770	goto error;
	771	}
	772
	773	/* key=0, cert=1 */
	774	if(key_pem_chunk.len==0) {
[2485307]	775	if(debug) fprintf(stderr, "abac_verifier_load_idkey_file: no key in idkey_file\n");
[ba6027a]	776	munmap(data, sb.st_size);
	777	chunk_free(&key_pem_chunk);
	778	return abac_verifier_load_id_file_key_file(filename,NULL,id_cred_ret);
	779	}
	780
	781	/* key=1, cert=1 */
	782	if(cert_pem_chunk.len!=0) {
	783	if(debug) {
[2485307]	784	fprintf(stderr, "loading cert pem chunk %d\n", cert_pem_chunk.len);
[ba6027a]	785	printf("(%s)\n",cert_pem_chunk.ptr);
	786	}
	787	rc=abac_verifier_load_id_pem_chunk(cert_pem_chunk, id_cred_ret);
	788	if(rc != 0) {
[2485307]	789	if(debug) fprintf(stderr, "abac_verifier_load_idkey_file: fail to load the id\n");
[ba6027a]	790	goto error;
	791	}
	792	/* key=1, cert=0 */
	793	} else {
[2485307]	794	if(debug) fprintf(stderr, "abac_verifier_load_idkey_file: there is no id info in there\n");
[ba6027a]	795	goto error;
	796	}
	797
	798	/* handle the key_pem_chunk */
	799	if(debug) {
[2485307]	800	fprintf(stderr, "loading key pem chunk %d\n", key_pem_chunk.len);
[ba6027a]	801	printf("(%s)\n",key_pem_chunk.ptr);
	802	printf("(%d)\n",strlen(key_pem_chunk.ptr));
	803	}
	804	abac_id_t id=abac_id_credential_id(id_cred_ret);
	805	rc=abac_id_load_enc_privkey_chunk(id, key_pem_chunk, pfile);
	806	if(rc==0) {
	807	printf("abac_verifier_load_idkey_file:failed to load priv key!!!\n");
	808	goto error;
	809	}
	810
	811	munmap(data, sb.st_size);
	812	return 0;
	813
	814	error:
	815	munmap(data, sb.st_size);
	816	return 1;
	817	}
[5110d42]	818
[da5afdf]	819	void abac_print_clauses(abac_list_t clauses, FILE fp)
[202a7f9]	820	{
	821	if (clauses != NULL) {
	822	char *cur;
[7b548fa]	823	printf("total-- %d clauses\n", abac_list_size(clauses));
[202a7f9]	824	abac_list_foreach(clauses, cur,
[da5afdf]	825	if(cur) {
	826	if(fp)
	827	fprintf (fp,"a clause, %d(%s)\n", (int)cur,cur);
	828	else printf ("a clause, %d(%s)\n", (int)cur,cur);
	829	}
[202a7f9]	830	);
	831	}
	832	}
	833
[8bd77b5]	834	abac_id_credential_t abac_id_credential_dup(abac_id_credential_t ptr) {
	835	assert(ptr != NULL);
[ba6027a]	836	if(debug)
[2485307]	837	fprintf(stderr, "calling abac_id_credential_dup, increment id ref count\n");
[8bd77b5]	838	abac_id_dup(ptr->id);
	839	return ptr;
	840	}
	841
	842	abac_id_t abac_id_credential_id(abac_id_credential_t ptr)
[da5afdf]	843	{
[8bd77b5]	844	assert(ptr);
	845	return ptr->id;
	846	}
[53e540d]	847
	848
[8bd77b5]	849	abac_id_credential_t abac_id_credential_lookup(char pname)
	850	{
	851	abac_id_credential_t *id_cred=NULL;
	852	HASH_FIND_STR(id_creds, pname, id_cred);
[5110d42]	853	if(id_cred != NULL)
	854	return abac_id_credential_dup(id_cred);
	855	else return NULL;
[8bd77b5]	856	}
[7727f26]	857
[8bd77b5]	858	void abac_id_credential_free(abac_id_credential_t *ptr)
	859	{
	860	if (ptr == NULL)
	861	return;
[53e540d]	862
[5110d42]	863	if(debug)
[2485307]	864	fprintf(stderr, "abac_id_credential_free:freeing (%s)\n", abac_id_name(ptr->id));
[5110d42]	865
[8bd77b5]	866	// this is very hacky...
	867	int last=abac_id_lastone(ptr->id);
	868	if(!last) {
[2485307]	869	if(debug) fprintf(stderr, "abac_id_credential_free:not last one\n");
[8bd77b5]	870	abac_id_free(ptr->id);
	871	} else {
[2485307]	872	if(debug) fprintf(stderr, "abac_id_credential_free: deleting id (%s)\n",abac_id_name(ptr->id));
[8bd77b5]	873	free(ptr->hashkeyid);
	874	if(ptr->pl_clause)
	875	free(ptr->pl_clause);
	876	abac_id_free(ptr->id);
	877	HASH_DEL(id_creds, ptr);
	878	free(ptr);
[53e540d]	879	}
[da5afdf]	880	}
	881
[8bd77b5]	882	/****************************************************************************/
	883
[5d06689]	884	static int _verify_valid_credential_string(certificate_t *cert,
[da5afdf]	885	abac_credential_t *cred_ret, char encoded_attr_string)
	886	{
[8bd77b5]	887	abac_aspect_t *head_aspect = NULL;
	888	abac_aspect_t *tail_aspect = NULL;
[da5afdf]	889	abac_list_t *clauses=NULL;
[8bd77b5]	890	abac_id_credential_t *id_cred;
	891	abac_id_t *issuer_id;
[da5afdf]	892	int ret, i;
	893
	894	// get the attr
[8bd77b5]	895	head_aspect = abac_yy_get_rule_head_aspect();
	896	tail_aspect = abac_yy_get_rule_tail_aspect();
[b5a3da4]	897	clauses = abac_yy_get_rule_clauses();
[53e540d]	898
	899	// get the issuer based on keyid
[8bd77b5]	900	char *principalname = abac_aspect_principal_principalname(head_aspect);
[2485307]	901	if(debug) fprintf(stderr, "LOOKING for %s\n", principalname);
[8bd77b5]	902
	903	HASH_FIND_STR(id_creds, principalname, id_cred);
[d037f54]	904	if(id_cred == NULL) {
	905	ret = ABAC_CERT_MISSING_ISSUER;
	906	if(debug)
[2485307]	907	fprintf(stderr, "can not find %s in id_creds\n", principalname);
[d037f54]	908	goto error;
	909	}
[8bd77b5]	910	issuer_id=id_cred->id;
	911	if (issuer_id == NULL) {
[53e540d]	912	ret = ABAC_CERT_MISSING_ISSUER;
[8bd77b5]	913	if(debug)
[2485307]	914	fprintf(stderr, "can not find %s in id_creds\n", principalname);
[53e540d]	915	goto error;
	916	}
	917
[8bd77b5]	918
[53e540d]	919	// make sure the issuer's signed it
[8bd77b5]	920	ret = _verify_signature(abac_id_cert(issuer_id), cert);
[53e540d]	921	if (!ret) {
[b5a3da4]	922	abac_yy_set_error_code(ABAC_RT_CERT_BAD_SIG);
[5110d42]	923	ret=ABAC_CERT_BAD_SIG;
[53e540d]	924	goto error;
	925	}
	926
[8bd77b5]	927	// at this point we know we have a good attribute cert baked it in
	928	abac_attribute_t *attr=abac_attribute_new(issuer_id, cert, cert->get_ref(cert));
	929	abac_attribute_set_head(attr, head_aspect);
	930	abac_attribute_add_tail(attr, tail_aspect);
	931
[53e540d]	932	abac_credential_t *cred = abac_xmalloc(sizeof(abac_credential_t));
[8bd77b5]	933	cred->hashkeyid=abac_xstrdup(encoded_attr_string);
	934	cred->attr=attr;
	935	cred->pl_clauses = clauses;
[53e540d]	936	*cred_ret = cred;
	937
	938	// success, add the key to the map of certificates
[8bd77b5]	939	HASH_ADD_KEYPTR(hh, attr_creds, cred->hashkeyid, strlen(cred->hashkeyid), cred);
[53e540d]	940
[8bd77b5]	941	assert(attr_hashkeyid_list);
	942	abac_list_add(attr_hashkeyid_list, abac_xstrdup(cred->hashkeyid));
[9b43fc3]	943
	944	if(debug)
[2485307]	945	fprintf(stderr, "-->adding into attr_creds 2, (%s)..cnt(%d)\n",
[9b43fc3]	946	cred->hashkeyid, HASH_COUNT(attr_creds));
	947
[da5afdf]	948	return ABAC_CERT_SUCCESS;
	949
	950	error:
[8bd77b5]	951	if (head_aspect) abac_aspect_free(head_aspect);
	952	if (tail_aspect) abac_aspect_free(tail_aspect);
[b5a3da4]	953	abac_yy_free_rule_clauses();
[da5afdf]	954
	955	return ret;
	956	}
[8bd77b5]	957
[da5afdf]	958	/**
	959	* Load an attribute cert.
	960	* Returns true only if the certificate is valid and is issued by the proper
	961	* authority.
[5d06689]	962	* attribute string is parsed via yyparse call
[da5afdf]	963	*/
	964	static int _load_attribute_cert(certificate_t cert, abac_credential_t *cred_ret) {
	965	ietf_attributes_t *attr_cert = NULL;
[8bd77b5]	966	abac_id_credential_t *issuer;
[da5afdf]	967	int ret, i;
	968
	969	// get the attr
	970	ac_t ac = (ac_t )cert;
	971	attr_cert = ac->get_groups(ac);
	972	if (attr_cert == NULL) {
	973	ret = ABAC_CERT_INVALID;
	974	goto error;
	975	}
	976
	977	char *encoded_attr_string=attr_cert->get_string(attr_cert);
	978	char *attr_string = abac_decode_string(encoded_attr_string);
	979	if(debug)
[2485307]	980	fprintf(stderr, "string to be yyparse..(%d)(%s)\n",strlen(attr_string),attr_string);
[da5afdf]	981
	982	if (attr_string == NULL) {
	983	ret = ABAC_CERT_INVALID;
	984	goto error;
	985	}
	986
	987	/* call into yacc parser */
	988	abac_reset_yyfptr(attr_string);
[b5a3da4]	989	abac_yy_init();
[da5afdf]	990	int rc=yyparse();
	991	if (rc) {
	992	ret = ABAC_CERT_INVALID;
	993	goto error;
	994	}
	995
[5d06689]	996	ret=_verify_valid_credential_string(cert,cred_ret,encoded_attr_string);
[da5afdf]	997
[5110d42]	998	if(ret != ABAC_CERT_SUCCESS) {
[671c065]	999	char *tmp=NULL;
	1000	asprintf(&tmp,"_load_attribute_cert: fail to process (%s)",encoded_attr_string);
	1001	panic(tmp);
[5110d42]	1002	}
	1003
[53e540d]	1004	// free up some crap
	1005	attr_cert->destroy(attr_cert);
	1006
[5110d42]	1007	return ret;
[53e540d]	1008
	1009	error:
[202a7f9]	1010	if (cert) cert->destroy(cert);
	1011	if (attr_cert) attr_cert->destroy(attr_cert);
[0779c99]	1012	return ret;
[5450aeb]	1013	}
[5f99fbc]	1014
[8bd77b5]	1015	/**
	1016	* Load an attribute cert from a abac_attribute_t.
[5d06689]	1017	* attr should be all checked out before arriving here
[8bd77b5]	1018	*/
[5d06689]	1019	int abac_verifier_load_attribute_cert_attribute(abac_attribute_t ptr, abac_credential_t *cred_ret) {
	1020	// get the attr
	1021	abac_aspect_t *head=abac_attribute_head(ptr);
	1022	abac_aspect_t *tail=abac_attribute_tail(ptr);
	1023
	1024	// preprocess for constraint part
	1025	preprocess_pl_head(head);
	1026	preprocess_pl_tail(tail);
	1027
[9b43fc3]	1028	/* setup the encoded attribute string */
	1029	char *encoded_attr_string=get_cred_encoding(ptr);
	1030	generate_pl_set_abac_yyfptr_encoded(encoded_attr_string);
	1031	/* collect up type clauses, constraint clauses and
[5d06689]	1032	generate rule clauses */
	1033	abac_list_t *clauses=generate_pl_clauses(head,tail);
[9b43fc3]	1034
	1035	abac_print_clauses(clauses,NULL);
[5d06689]	1036
	1037	abac_credential_t *cred = abac_xmalloc(sizeof(abac_credential_t));
	1038	cred->hashkeyid=abac_xstrdup(encoded_attr_string);
	1039	cred->attr=abac_attribute_dup(ptr);
	1040	cred->pl_clauses = clauses;
	1041	*cred_ret = cred;
	1042
	1043	// success, add the key to the map of certificates
	1044	HASH_ADD_KEYPTR(hh, attr_creds, cred->hashkeyid, strlen(cred->hashkeyid), cred);
	1045
	1046	assert(attr_hashkeyid_list);
	1047	abac_list_add(attr_hashkeyid_list, abac_xstrdup(cred->hashkeyid));
[9b43fc3]	1048
	1049	if(debug)
[2485307]	1050	fprintf(stderr, "-->adding into attr_creds, (%s)..cnt(%d)\n",
[9b43fc3]	1051	cred->hashkeyid, HASH_COUNT(attr_creds));
[5d06689]	1052	return ABAC_CERT_SUCCESS;
[8bd77b5]	1053	}
	1054
[e898049]	1055	/**
	1056	* Load an attribute cert from a file.
	1057	*/
[0779c99]	1058	int abac_verifier_load_attribute_cert_file(char filename, abac_credential_t *cred) {
[e898049]	1059	// load the cert
[2485307]	1060	if(debug) fprintf(stderr, "..loading attr file %s\n", filename);
[e898049]	1061	certificate_t *cert = lib->creds->create(
	1062	lib->creds, CRED_CERTIFICATE, CERT_X509_AC,
	1063	BUILD_FROM_FILE, filename,
	1064	BUILD_END
	1065	);
	1066	if (cert == NULL)
[0779c99]	1067	return ABAC_CERT_INVALID;
	1068	return _load_attribute_cert(cert, cred);
[e898049]	1069	}
	1070
	1071	/**
	1072	* Load an attribute cert from a chunk.
	1073	*/
[0779c99]	1074	int abac_verifier_load_attribute_cert_chunk(chunk_t chunk, abac_credential_t **cred) {
[e898049]	1075	// load the cert
	1076	certificate_t *cert = lib->creds->create(
	1077	lib->creds, CRED_CERTIFICATE, CERT_X509_AC,
	1078	BUILD_BLOB_ASN1_DER, chunk,
	1079	BUILD_END
	1080	);
	1081	if (cert == NULL)
[0779c99]	1082	return ABAC_CERT_INVALID;
[9b43fc3]	1083
[0779c99]	1084	return _load_attribute_cert(cert, cred);
[e898049]	1085	}
	1086
[85cdf53]	1087	/**
	1088	* Return the encoding of the attribute cert.
	1089	*/
[401a054]	1090	abac_chunk_t abac_credential_attribute_cert(abac_credential_t *cred) {
[8bd77b5]	1091	abac_attribute_t *ptr=cred->attr;
	1092	certificate_t *cert=abac_attribute_cert(ptr);
[137b55f]	1093	chunk_t encoding = chunk_empty;
	1094	int rc=cert->get_encoding(cert,CERT_ASN1_DER,&encoding);
[9efbfbf]	1095	abac_chunk_t ret = { encoding.ptr, encoding.len };
	1096	return ret;
[85cdf53]	1097	}
	1098
	1099	/**
	1100	* Return the encoding of the issuer cert.
	1101	*/
[401a054]	1102	abac_chunk_t abac_credential_issuer_cert(abac_credential_t *cred) {
[8bd77b5]	1103	certificate_t *issuer_cert=abac_attribute_issuer_cert(cred->attr);
	1104	assert(issuer_cert);
[137b55f]	1105	chunk_t encoding = chunk_empty;
	1106	// XXX MEI, not sure ??
	1107	int rc=issuer_cert->get_encoding(issuer_cert,CERT_ASN1_DER,&encoding);
[9efbfbf]	1108	abac_chunk_t ret = { encoding.ptr, encoding.len };
	1109	return ret;
[85cdf53]	1110	}
[186cb75]	1111
[53e540d]	1112	/**
	1113	* Return the clause of the cert
	1114	*/
[202a7f9]	1115	abac_list_t abac_credential_clauses(abac_credential_t cred) {
[8bd77b5]	1116	return cred->pl_clauses;
[53e540d]	1117	}
	1118
[8bd77b5]	1119	abac_attribute_t abac_credential_attribute(abac_credential_t cred) {
	1120	assert(cred);
	1121	return cred->attr;
	1122	}
[202a7f9]	1123
[186cb75]	1124	/**
[fbb591e]	1125	* Increase the ref count of a credential.
[186cb75]	1126	*/
[401a054]	1127	abac_credential_t abac_credential_dup(abac_credential_t cred) {
	1128	assert(cred != NULL);
[186cb75]	1129
[8bd77b5]	1130	abac_attribute_dup(cred->attr);
[fbb591e]	1131	return cred;
[186cb75]	1132	}
	1133
[53e540d]	1134	/**
	1135	* lookup for a credential.
	1136	*/
[202a7f9]	1137	abac_credential_t abac_credential_lookup(char cred_string)
	1138	{
	1139	if(debug)
[2485307]	1140	fprintf(stderr, "abac_credential_lookup: looking for (%s)\n", cred_string);
[8bd77b5]	1141	abac_credential_t *attr_cred;
[9b43fc3]	1142
[8bd77b5]	1143	HASH_FIND_STR(attr_creds, cred_string, attr_cred);
	1144	if (attr_cred == NULL) {
[2485307]	1145	if(debug) fprintf(stderr, "DEBUG:NOT FOUND..\n");
[53e540d]	1146	return NULL;
	1147	}
[8bd77b5]	1148	abac_credential_t *rt=abac_credential_dup(attr_cred);
[2485307]	1149	if(debug) fprintf(stderr, "DEBUG:FOUND.. (%d) returning, (%d)\n", (int)attr_cred, (int) rt);
[8bd77b5]	1150	return rt;
[53e540d]	1151	}
	1152
[186cb75]	1153	/**
[fbb591e]	1154	* Decrease the reference count of a credential, freeing it when it reaches 0.
[186cb75]	1155	*/
[202a7f9]	1156	void abac_credential_free(abac_credential_t *cred)
	1157	{
	1158	if(debug)
[2485307]	1159	fprintf(stderr, "abac_credential_free:freeing cred(%d)clause(%d)\n", (int)cred, (int)cred->pl_clauses);
[202a7f9]	1160
[401a054]	1161	if (cred == NULL)
[186cb75]	1162	return;
	1163
[8bd77b5]	1164	// this is very hacky...
	1165	int last=abac_attribute_lastone(cred->attr);
	1166	if(!last) {
	1167	abac_attribute_free(cred->attr);
[da5afdf]	1168	} else {
[2485307]	1169	if(debug) fprintf(stderr, "abac_credential_free: real free for (%d)\n",(int) cred);
[8bd77b5]	1170	free(cred->hashkeyid);
	1171	char *cur=NULL;
	1172	abac_list_foreach(cred->pl_clauses, cur,
	1173	free(cur);
	1174	);
	1175	abac_attribute_free(cred->attr);
	1176	HASH_DEL(attr_creds, cred);
	1177	free(cred);
[da5afdf]	1178	}
[186cb75]	1179	}
[53e540d]	1180
[8bd77b5]	1181	char abac_id_clause(abac_id_credential_t id_cred)
[202a7f9]	1182	{
[8bd77b5]	1183	if(id_cred)
	1184	return id_cred->pl_clause;
[202a7f9]	1185	return NULL;
	1186	}
	1187
[53e540d]	1188	/* retrieve the cn that is associated with this sha_string */
[5110d42]	1189	char abac_cn_with_sha(char sha_string)
	1190	{
[53e540d]	1191	// get the issuer based on keyid
[8bd77b5]	1192	abac_id_credential_t *id_cred;
	1193	HASH_FIND_STR(id_creds, sha_string, id_cred);
	1194	if (id_cred == NULL) {
[53e540d]	1195	return NULL;
	1196	}
[202a7f9]	1197	if(debug)
[8bd77b5]	1198	check_id_cred(id_cred);
	1199	return abac_id_cn(id_cred->id);
[53e540d]	1200	}
	1201
[8bd77b5]	1202	char abac_idtype_with_sha(char sha_string)
	1203	{
	1204	// get the issuer based on keyid
	1205	abac_id_credential_t *id_cred;
	1206	HASH_FIND_STR(id_creds, sha_string, id_cred);
	1207	if (id_cred == NULL) {
[6244e28]	1208	// this id, sha string is not in the db...
	1209	if(debug)
	1210	fprintf(stderr,"abac_idtype_with_sha: this id is not in the id_creds list\n");
[8bd77b5]	1211	return NULL;
	1212	}
	1213	int idtype=abac_id_idtype(id_cred->id);
	1214
	1215	return abac_idtype_string(idtype);
[923b4dd]	1216	}
	1217
[8bd77b5]	1218	abac_aspect_t abac_credential_head(abac_credential_t cred) {
	1219	return abac_attribute_head(cred->attr);
[923b4dd]	1220	}
	1221
[8bd77b5]	1222	abac_aspect_t abac_credential_tail(abac_credential_t cred) {
	1223	return abac_attribute_tail(cred->attr);
[923b4dd]	1224	}
	1225
	1226

Note: See TracBrowser for help on using the repository browser.

Download in other formats: