Context Navigation

source: libabac/abac_verifier.c @ 4f40c3e

mei_rt2mei_rt2_fix_1

Last change on this file since 4f40c3e was e3c7769, checked in by Mei <mei@…>, 12 years ago
1) wrap up java interface with swig/jni/abac linkup 2) java regression tests 3) update doc related to new java implmentation
Property mode set to `100644`
File size: 35.0 KB

Rev	Line
[8bd77b5]	1	/**
	2	** abac_verifier.c
	3	**/
[53e540d]	4
	5	// include the GNU extension of asprintf
	6	#define _GNU_SOURCE
	7
[5110d42]	8	#include <stdio.h>
	9	#include <regex.h>
	10	#include <sys/mman.h>
	11	#include <fcntl.h>
[d037f54]	12	#include <sys/types.h>
	13	#include <sys/stat.h>
	14	#include <unistd.h>
	15
[5110d42]	16
[186cb75]	17	#include <assert.h>
[202a7f9]	18	#include <stdio.h>
[186cb75]	19
[5450aeb]	20	#include <library.h>
	21
[8bd77b5]	22	#include "abac_internal.h"
[43e3b71]	23	#include "abac_verifier.h"
[5450aeb]	24
[3c251d0]	25	#include "abac_util.h"
[202a7f9]	26	#include "abac_rt.h"
[5450aeb]	27
[8bd77b5]	28	static int debug=0;
[ba6027a]	29
[5d06689]	30	/* from abac_attribute.c */
	31	extern char get_cred_encoding(abac_attribute_t ptr);
[8bd77b5]	32
	33	extern abac_aspect_t *abac_yy_get_rule_head_aspect();
	34	extern abac_aspect_t *abac_yy_get_rule_tail_aspect();
[b5a3da4]	35	extern abac_list_t *abac_yy_get_rule_clauses();
[da5afdf]	36	extern char* abac_decode_string(char *);
[b5a3da4]	37	extern void abac_yy_free_rule_clauses();
[0d0c3a9]	38	extern char generate_pl_type_clause(char , int);
[5d06689]	39	extern abac_list_t generate_pl_clauses(abac_aspect_t , abac_aspect_t *);
[9b43fc3]	40	extern void generate_pl_set_abac_yyfptr_encoded(char *string);
[0d0c3a9]	41
[8bd77b5]	42	extern void abac_print_aspect_string_with_condition(abac_aspect_t role, FILE);
[202a7f9]	43
[ba6027a]	44	extern int abac_id_load_privkey_chunk(abac_id_t *ptr, chunk_t keychunk);
	45
[8bd77b5]	46	struct _abac_id_credential_t {
	47	char *hashkeyid;
	48	abac_id_t *id;
	49	char *pl_clause;
[5450aeb]	50
	51	UT_hash_handle hh;
[202a7f9]	52	};
[8bd77b5]	53	/* hash table base on sha with a p */
	54	abac_id_credential_t *id_creds = NULL;
[5110d42]	55	/* linked list of all the ids's hashkeyid */
	56	abac_list_t *id_hashkeyid_list = NULL;
[5450aeb]	57
[da5afdf]	58	/* can store either role or oset */
[401a054]	59	struct _abac_credential_t {
[8bd77b5]	60	char *hashkeyid;
	61	abac_attribute_t *attr;
	62	abac_list_t *pl_clauses;
[53e540d]	63
	64	UT_hash_handle hh;
[8bd77b5]	65	};
	66	/* hash table base on encoded attr rule */
	67	abac_credential_t *attr_creds = NULL;
	68	/* linked list of all the attr's hashkeyid */
	69	abac_list_t *attr_hashkeyid_list = NULL;
[202a7f9]	70
[8bd77b5]	71	/*****************************************************************************/
[da5afdf]	72	void abac_print_cred_info(abac_credential_t cred, FILE fp)
[202a7f9]	73	{
[da5afdf]	74	if(fp == NULL)
	75	fp=stdout;
	76
[8bd77b5]	77	abac_attribute_t *ptr=cred->attr;
	78	abac_aspect_t *head=abac_attribute_head(ptr);
	79	abac_aspect_t *tail=abac_attribute_tail(ptr);
	80
[202a7f9]	81	if(debug) {
[da5afdf]	82	fprintf(fp,"---> printing out credential info cred(%d)..\n", (int) cred);
[8bd77b5]	83	if(head) {
	84	abac_print_aspect_string_with_condition(head,fp);
[202a7f9]	85	}
[8bd77b5]	86	if(tail) {
	87	abac_print_aspect_string_with_condition(tail,fp);
[202a7f9]	88	}
	89
[8bd77b5]	90	abac_list_t *clauses=cred->pl_clauses;
[202a7f9]	91	if (clauses != NULL) {
	92	char *cur=NULL;
	93	abac_list_foreach(clauses, cur,
[da5afdf]	94	fprintf(fp,"\n a clause(%d):\n",(int)cur);
[202a7f9]	95	if(cur)
[da5afdf]	96	fprintf(fp,"strlen(%d)loc(%d)(%s)\n", strlen(cur),(int)cur, cur);
[202a7f9]	97	);
	98	}
	99	} else {
[da5afdf]	100	fprintf(fp," ");
[8bd77b5]	101	abac_print_aspect_string_with_condition(head,fp);
[da5afdf]	102	fprintf(fp," <- ");
[8bd77b5]	103	abac_print_aspect_string_with_condition(tail,fp);
[da5afdf]	104	fprintf(fp,"\n");
[202a7f9]	105	}
	106	}
	107
[5110d42]	108	void abac_print_prin_info(abac_id_credential_t prin, FILE fp)
	109	{
	110	if(fp == NULL)
	111	return;
	112
	113	abac_id_t *ptr=abac_id_credential_id(prin);
	114
	115	if(debug) fprintf(fp,"---> printing out principal info ..\n");
	116	if(abac_id_has_privkey(ptr))
	117	fprintf(fp," (%s,%s,y)\n",abac_id_name(ptr),abac_id_idtype_string(ptr));
	118	else
	119	fprintf(fp," (%s,%s,n)\n",abac_id_name(ptr),abac_id_idtype_string(ptr));
	120	}
	121
[202a7f9]	122	//
[8bd77b5]	123	int abac_verify_idtype_type(char *type) {
[202a7f9]	124	int i;
	125
	126	if (type == NULL)
	127	return 0;
	128
[8bd77b5]	129	for (i = 1; i <= _idtypename_cnt ; i++)
	130	if(strcmp(type,_idtypename[i])==0)
[202a7f9]	131	return i;
	132	return 0;
	133	}
	134
[8bd77b5]	135	char *abac_idtype_string(int i)
[202a7f9]	136	{
[440ba20]	137	if(i > _idtypename_cnt) {
	138	printf("bad idtypename idx %d\n", i);
[8bd77b5]	139	panic("abac_idtype_string: went out of range on idtypename");
[440ba20]	140	}
	141	return (char*) _idtypename[i];
[202a7f9]	142	}
	143
[5450aeb]	144	// convert a chunk to a lowercase binary string
	145	// malloc's the string
	146	static char *_chunk_to_string(chunk_t chunk) {
	147	int i;
	148
[3c251d0]	149	char ret = abac_xmalloc(chunk.len 2 + 1);
[5450aeb]	150
	151	for (i = 0; i < chunk.len; ++i)
	152	sprintf(ret + 2 * i, "%02x", chunk.ptr[i]);
	153
	154	return ret;
	155	}
	156
	157	// verify that cert was issued by issuer
	158	// cert and issuer can be the same, in which case the self-sig is validated
[dfe6b61]	159	int verify_signature(certificate_t issuer_cert, certificate_t cert) {
[e3c7769]	160	/** XXX for 5.0.1
	161	if (cert->issued_by(cert, issuer_cert, NULL))
	162	*/
[8bd77b5]	163	if (cert->issued_by(cert, issuer_cert))
[5450aeb]	164	if (cert->get_validity(cert, NULL, NULL, NULL))
	165	return 1;
	166	return 0;
	167	}
	168
[cfa7b6e]	169	// verify that cert is still valid
	170	static int _verify_validity(certificate_t *cert) {
	171	if (cert->get_validity(cert, NULL, NULL, NULL))
	172	return 1;
	173	return 0;
	174	}
	175
[5450aeb]	176	/**
	177	* Init the verifier subsystem.
	178	*/
[43e3b71]	179	void abac_verifier_init(void) {
[1324a63]	180	// silence all debugging
	181
[e3c7769]	182	if(debug)fprintf(stderr, "abac_verifier_init... init strongswan..\n");
[5450aeb]	183	if (!library_init(NULL))
	184	exit(SS_RC_LIBSTRONGSWAN_INTEGRITY);
	185
	186	if (!lib->plugins->load(lib->plugins, NULL,
	187	lib->settings->get_str(lib->settings, "pki.load", PLUGINS)))
	188	exit(SS_RC_INITIALIZATION_FAILED);
[8bd77b5]	189
	190	attr_hashkeyid_list = abac_list_new();
[5110d42]	191	id_hashkeyid_list = abac_list_new();
[5450aeb]	192	}
	193
[186cb75]	194	/**
	195	* Uninitialize the system, free up any allocated memory.
	196	*/
[43e3b71]	197	void abac_verifier_deinit(void) {
[2485307]	198	if(debug)fprintf(stderr, "abac_verifier_deinit... being called..\n");
[137b55f]	199
[8bd77b5]	200	abac_id_credential_t *ptr;
	201	while ((ptr = id_creds) != NULL) {
[2485307]	202	if(debug) fprintf(stderr, "abac_verifier_deinit: deleting id (%s)\n",abac_id_name(ptr->id));
[8bd77b5]	203	HASH_DEL(id_creds, ptr);
	204
[137b55f]	205	free(ptr->hashkeyid);
[8bd77b5]	206	free(ptr->pl_clause);
[137b55f]	207	abac_id_free(ptr->id);
[8bd77b5]	208	free(ptr);
[186cb75]	209	}
[55c272b]	210
[8bd77b5]	211	abac_credential_t *ptr2;
	212	while ((ptr2 = attr_creds) != NULL) {
	213	HASH_DEL(attr_creds, ptr2);
	214	if(debug) {
[2485307]	215	fprintf(stderr, "abac_verifier_deinit: deleting attr hashkey(%s)\n",ptr2->hashkeyid);
[8bd77b5]	216	}
	217	free(ptr2->hashkeyid);
	218	abac_attribute_free(ptr2->attr);
	219	char *cur=NULL;
	220	abac_list_foreach(ptr2->pl_clauses, cur,
	221	free(cur);
	222	);
	223	free(ptr2->pl_clauses);
	224	free(ptr2);
[53e540d]	225	}
	226
[8bd77b5]	227	if(attr_hashkeyid_list) {
[97a6a36]	228	if(debug) fprintf(stderr, "looking to free attr_hashkeyid_list..\n");
[8bd77b5]	229	char *cur;
[97a6a36]	230	abac_list_foreach(attr_hashkeyid_list, cur,
	231	if(cur) free(cur);
	232	);
[8bd77b5]	233	abac_list_free(attr_hashkeyid_list);
	234	}
[137b55f]	235
[5110d42]	236	if(id_hashkeyid_list) {
[97a6a36]	237	if(debug) fprintf(stderr, "looking to free id_hashkeyid_list..\n");
[5110d42]	238	char *cur;
[97a6a36]	239	abac_list_foreach(id_hashkeyid_list, cur,
	240	if(cur) {
	241	if(debug) fprintf(stderr, "hum.. id hashkey being freed.. %s\n", cur);
	242	free(cur);
	243	}
	244	);
[5110d42]	245	abac_list_free(id_hashkeyid_list);
	246	}
	247
[97a6a36]	248	if(debug) fprintf(stderr, "now it is time to deinit strongswan lib..\n");
[55c272b]	249	library_deinit();
[186cb75]	250	}
	251
[8bd77b5]	252	abac_id_credential_t abac_verifier_add_id_credential(abac_id_t a_id)
	253	{
	254	abac_id_credential_t *id_cred;
	255	char *cn=abac_id_cn(a_id);
[d037f54]	256	char *keyid=abac_id_keyid(a_id);
[8bd77b5]	257
[440ba20]	258	if(debug) {
[2485307]	259	fprintf(stderr, "abac_verifier_add_id_credential, cn(%s),keyid(%s)\n",
[440ba20]	260	cn, keyid);
	261	}
	262
[8bd77b5]	263	// add the abac_id to the map of id credentials
	264	id_cred = abac_xmalloc(sizeof(abac_id_credential_t));
	265	id_cred->hashkeyid = abac_xstrdup(keyid);
	266	id_cred->id=abac_id_dup(a_id);
	267
	268	/* special handling here */
	269	if(USE("ABAC_CN")) {
	270	id_cred->pl_clause = generate_pl_type_clause(cn, abac_id_idtype(a_id));
	271	} else {
[d037f54]	272	id_cred->pl_clause=generate_pl_type_clause(prologIt(keyid), abac_id_idtype(a_id));
[8bd77b5]	273	}
	274	HASH_ADD_KEYPTR(hh, id_creds, id_cred->hashkeyid, strlen(id_cred->hashkeyid), id_cred);
	275	if(debug)
[2485307]	276	fprintf(stderr, "-->adding into id_creds, (%s)..cnt(%d)(%d)\n",
[ba6027a]	277	id_cred->hashkeyid, HASH_COUNT(id_creds),(int)id_cred);
[8bd77b5]	278
[5110d42]	279	assert(id_hashkeyid_list);
	280	abac_list_add(id_hashkeyid_list, abac_xstrdup(id_cred->hashkeyid));
	281	return id_cred;
[8bd77b5]	282	}
	283
[6244e28]	284	/* have to find the last cn
	285	CN=test/emailAddress=abac.isi.edu, CN=12345678
	286	CN=client
	287	..CN=255a03f3-ed30/emailAddress=..
	288	*/
	289	static char* _extract_cn(char *string)
	290	{
[cfa7b6e]	291	/* find the first CN= */
[6244e28]	292	char *ptr=strstr(string,"CN=");
	293	if(ptr == NULL) return NULL;
	294
	295	/* look for last CN= */
	296	while(1) {
	297	char *tptr=ptr+3;
	298	char *p=strstr(tptr,"CN=");
	299	if(p) ptr=p;
	300	else break;
	301	}
	302
	303	/* remove the possible additional stuff */
	304	char cn=abac_xstrdup(ptr); / it would get write over */
	305	char *nptr=strtok(cn,"/");
	306	char pcn=abac_xmalloc(sizeof(char) strlen(nptr));
	307	pcn[0]='p';
[cfa7b6e]	308	/* special case.. replace empty space with _ */
	309	int i=strlen(nptr);
	310	while(i--)
	311	if(nptr[i]==' ') nptr[i]='_';
[6244e28]	312	sscanf(nptr,"CN=%s", &pcn[1]);
	313	free(cn);
	314	return pcn;
	315	}
	316
[5450aeb]	317	/**
[440ba20]	318	* Load an ID
[5450aeb]	319	*/
[8bd77b5]	320	static int _load_id(abac_id_t *a_id,certificate_t cert, abac_id_credential_t **id_cred_ret) {
	321	abac_id_credential_t *id_cred = NULL;
[d037f54]	322	char *keyid = NULL;
[5450aeb]	323	chunk_t id;
	324	int ret;
[2ef48fa]	325	x509_t x509 = (x509_t )cert;
[5450aeb]	326
[e898049]	327	assert(cert != NULL);
[5450aeb]	328
[7727f26]	329	// get the key ID, add p to keyid SHA here */
[2ef48fa]	330	id = x509->get_subjectKeyIdentifier(x509);
[d037f54]	331	keyid = _chunk_to_string(id);
[327e808]	332
[0d0c3a9]	333	/* Mike said this is the way it is */
[6244e28]	334	char *str=NULL;
[53e540d]	335	int rv = asprintf(&str, "%Y", cert->get_issuer(cert));
	336
[cfa7b6e]	337	/* add p to cn name here, if there is no useable one
	338	reuse keyid */
[6244e28]	339	char *cn=_extract_cn(str);
	340	if(cn == NULL) {
[cfa7b6e]	341	if(debug)
	342	fprintf(stderr, "DEBUG:did not find usable cn, reuse keyid\n");
	343	cn=abac_xstrdup(keyid);
[53e540d]	344	}
	345
[202a7f9]	346	if(debug) {
[2485307]	347	fprintf(stderr, "DEBUG:keyid %s \n", keyid);
	348	fprintf(stderr, "DEBUG:issuer '%s' \n", str);
	349	fprintf(stderr, "DEBUG:cn %s \n", cn);
[202a7f9]	350	}
[53e540d]	351	free(str);
	352
[327e808]	353	// if we already have this cert 'error' with success
[8bd77b5]	354	HASH_FIND_STR(id_creds, keyid, id_cred);
	355	if (id_cred != NULL) {
[2485307]	356	if(debug) fprintf(stderr, "existing cert \n");
[440ba20]	357	ret = ABAC_CERT_EXISTS;
[327e808]	358	goto error;
	359	}
	360
[cfa7b6e]	361	// validate validity
	362	ret = _verify_validity(cert);
	363	if (!ret) {
	364	ret = ABAC_CERT_INVALID;
	365	goto error;
	366	}
	367
[5450aeb]	368	// validate sig
[dfe6b61]	369	ret = verify_signature(cert, cert);
[0779c99]	370	if (!ret) {
[cfa7b6e]	371	/* well.. this is not a self signed cert, don't fault it anymore */
	372	if(debug) fprintf(stderr, "This is not a self-signed cert \n");
	373	} else {
	374	if(debug) fprintf(stderr, "This is a self-signed cert \n");
[0779c99]	375	}
[5450aeb]	376
[8bd77b5]	377	// success, add a new abac_id
[440ba20]	378	if(*a_id==NULL) {
	379	*a_id=abac_id_keyid_new(keyid,cn,cert);
	380	}
[5450aeb]	381
[8bd77b5]	382	abac_id_credential_t n_id_cred=abac_verifier_add_id_credential(a_id);
	383	*id_cred_ret=n_id_cred;
[202a7f9]	384
[6244e28]	385	if (keyid != NULL) free(keyid);
	386	if (cn != NULL) free(cn);
	387
[0779c99]	388	return ABAC_CERT_SUCCESS;
[5450aeb]	389
	390	error:
[327e808]	391	if (keyid != NULL) free(keyid);
[53e540d]	392	if (cn != NULL) free(cn);
[5450aeb]	393
[0779c99]	394	return ret;
[5450aeb]	395	}
	396
[8bd77b5]	397	/* collect all the creds stored so far */
	398	abac_stack_t *abac_verifier_dump_creds()
[202a7f9]	399	{
[8bd77b5]	400	abac_stack_t *cred_list = abac_stack_new();
	401
	402	int cnt=0;
	403	if(attr_hashkeyid_list) {
	404	char *keyid;
	405	abac_credential_t *cred;
	406	abac_list_foreach(attr_hashkeyid_list, keyid,
	407	cred=abac_credential_lookup(keyid);
	408	abac_stack_push(cred_list, cred);
	409	cnt++;
	410	);
	411	}
[2485307]	412	if(debug) fprintf(stderr, "abac_verifier_dump_cred: %d\n",cnt);
[8bd77b5]	413	return cred_list;
	414	}
	415
[5110d42]	416	/* collect all the id stored so far */
	417	abac_stack_t *abac_verifier_dump_principals()
	418	{
	419	abac_stack_t *id_list = abac_stack_new();
	420
	421	int cnt=0;
	422	if(id_hashkeyid_list) {
	423	char *keyid;
	424	abac_id_credential_t *id;
	425	abac_list_foreach(id_hashkeyid_list, keyid,
	426	id=abac_id_credential_lookup(keyid);
	427	abac_stack_push(id_list, id);
	428	cnt++;
	429	);
	430	}
[2485307]	431	if(debug) fprintf(stderr, "abac_verifier_dump_principals: %d\n",cnt);
[5110d42]	432	return id_list;
	433	}
	434
[8bd77b5]	435
	436	static void check_id_cred(abac_id_credential_t *id_cred)
	437	{
	438	if(id_cred) {
	439	printf("checking on this id_cred location %d\n", (int)id_cred);
	440	printf(" --> sha is (%s)\n", abac_id_keyid(id_cred->id));
	441	printf(" --> cn is (%s)\n", abac_id_cn(id_cred->id));
[202a7f9]	442	}
	443	}
	444
	445	/**
	446	* Load an attribute cert as string.
	447	* have minimum syntax & validity check
	448	*/
	449	static int _load_attribute_string(char* attr_string) {
	450	printf("NOT implemented yet!!!");
	451	return ABAC_CERT_INVALID;
	452	}
	453
[e898049]	454	/**
	455	* Load an ID cert from a file.
	456	*/
[ba6027a]	457	int abac_verifier_load_id_file_key_file(char filename, char keyfilename,
	458	abac_id_credential_t **id_cred_ret)
	459	{
[8bd77b5]	460	abac_id_t *id=NULL;
[61278ec]	461	if (lib == NULL)
	462	errx(1, "looks like you didn't call libabac_init() (lib is NULL)");
	463
[2485307]	464	if(debug) fprintf(stderr, "loading id file... %s\n", filename);
[d037f54]	465
[137b55f]	466	// load the cert, with public key
[e898049]	467	certificate_t *cert = lib->creds->create(
	468	lib->creds, CRED_CERTIFICATE, CERT_X509,
	469	BUILD_FROM_FILE, filename,
	470	BUILD_X509_FLAG, X509_AA, // attribute authority, dumb
	471	BUILD_END
	472	);
[d037f54]	473
[e898049]	474	if (cert == NULL)
[0779c99]	475	return ABAC_CERT_INVALID;
[d037f54]	476
	477	int rc=_load_id(&id,cert,id_cred_ret);
[440ba20]	478	if(rc==ABAC_CERT_EXISTS) {
[2485307]	479	if(debug) fprintf(stderr, "abac_verifier_load_id_files: id already exists\n");
[440ba20]	480	return ABAC_CERT_SUCCESS;
	481	}
	482
[d037f54]	483	/* try to load the private key if it is there */
[2efdff5]	484	if((rc==ABAC_CERT_SUCCESS) && keyfilename!=NULL && file_exist(keyfilename)) {
[2485307]	485	if(debug) fprintf(stderr, "loading... %s\n", keyfilename);
[5110d42]	486	int keyrc=abac_id_load_privkey_file(id, keyfilename);
[d037f54]	487	if(debug) {
[2485307]	488	if(keyrc == 1) fprintf(stderr, "..load_id_file: load(%s) with a private key\n",filename);
[d037f54]	489	else printf("..load_id_file: load(%s) without a private key\n",filename);
	490	}
	491	}
[2efdff5]	492	return ABAC_CERT_SUCCESS;
[8bd77b5]	493	}
	494
[ba6027a]	495	int abac_verifier_load_enc_id_file_key_file(char filename, char keyfilename,
	496	char pfile, abac_id_credential_t *id_cred_ret)
	497	{
	498	abac_id_t *id=NULL;
	499	if (lib == NULL)
	500	errx(1, "looks like you didn't call libabac_init() (lib is NULL)");
	501
[2485307]	502	if(debug) fprintf(stderr, "loading id file... %s\n", filename);
[ba6027a]	503
	504	// load the cert, with public key
	505	certificate_t *cert = lib->creds->create(
	506	lib->creds, CRED_CERTIFICATE, CERT_X509,
	507	BUILD_FROM_FILE, filename,
	508	BUILD_X509_FLAG, X509_AA, // attribute authority, dumb
	509	BUILD_END
	510	);
	511
	512	if (cert == NULL)
	513	return ABAC_CERT_INVALID;
	514
	515	int rc=_load_id(&id,cert,id_cred_ret);
	516	if(rc==ABAC_CERT_EXISTS) {
[2485307]	517	if(debug) fprintf(stderr, "abac_verifier_load_id_files: id already exists\n");
[ba6027a]	518	return ABAC_CERT_SUCCESS;
	519	}
	520
	521	/* try to load the private key if it is there */
	522	if((rc==ABAC_CERT_SUCCESS) && keyfilename!=NULL && file_exist(keyfilename)) {
[2485307]	523	if(debug) fprintf(stderr, "loading... %s\n", keyfilename);
[ba6027a]	524	int keyrc=abac_id_load_enc_privkey_file(id, keyfilename, pfile);
	525	if(debug) {
[2485307]	526	if(keyrc == 1) fprintf(stderr, "..load_id_file: load(%s) with a private key\n",filename);
[ba6027a]	527	else printf("..load_id_file: load(%s) without a private key\n",filename);
	528	}
	529	}
	530	return ABAC_CERT_SUCCESS;
	531	}
	532
[8bd77b5]	533	/**
	534	* Load an ID cert from a abac_id_t
	535	*/
	536	int abac_verifier_load_id_id(abac_id_t id, abac_id_credential_t *id_cred_ret) {
	537	certificate_t *cert = abac_id_cert(id);
	538	return _load_id(&id,cert,id_cred_ret);
[e898049]	539	}
	540
[5110d42]	541	/**
	542	* Load an ID cert from a chunk.
	543	*/
	544	int abac_verifier_load_id_pem_chunk(chunk_t chunk, abac_id_credential_t **id_cred_ret) {
	545	abac_id_t *id=NULL;
	546	// load the cert
	547	certificate_t *cert = lib->creds->create(
	548	lib->creds, CRED_CERTIFICATE, CERT_X509,
	549	BUILD_BLOB_PEM, chunk,
	550	BUILD_X509_FLAG, X509_AA, // attribute authority, dumb
	551	BUILD_END
	552	);
	553	if (cert == NULL)
	554	return ABAC_CERT_INVALID;
	555	return _load_id(&id, cert,id_cred_ret);
	556	}
[e898049]	557	/**
[9b43fc3]	558	* Load an ID cert from a chunk, Note, this only loads the id cert part
	559	* and so it is not suitable for creating an attribute credential with.
	560	* Only a complete id cert + privkey could create attribute credential.
[e898049]	561	*/
[8bd77b5]	562	int abac_verifier_load_id_chunk(chunk_t chunk, abac_id_credential_t **id_cred_ret) {
	563	abac_id_t *id=NULL;
[e898049]	564	// load the cert
	565	certificate_t *cert = lib->creds->create(
	566	lib->creds, CRED_CERTIFICATE, CERT_X509,
	567	BUILD_BLOB_ASN1_DER, chunk,
	568	BUILD_X509_FLAG, X509_AA, // attribute authority, dumb
	569	BUILD_END
	570	);
	571	if (cert == NULL)
[0779c99]	572	return ABAC_CERT_INVALID;
[8bd77b5]	573	return _load_id(&id, cert,id_cred_ret);
[e898049]	574	}
	575
[9b43fc3]	576	/**
	577	* Load an ID cert from a cert chunk and a privkey chunk,
	578	* this complete id cert + privkey could create attribute credential.
	579	*/
	580	int abac_verifier_load_id_privkey_chunk(chunk_t chunk, chunk_t privkey_chunk,
	581	abac_id_credential_t **id_cred_ret) {
	582
	583	abac_id_t *id=NULL;
	584	// load the cert
	585	certificate_t *cert = lib->creds->create(
	586	lib->creds, CRED_CERTIFICATE, CERT_X509,
	587	BUILD_BLOB_ASN1_DER, chunk,
	588	BUILD_X509_FLAG, X509_AA, // attribute authority, dumb
	589	BUILD_END
	590	);
	591	if (cert == NULL)
	592	return ABAC_CERT_INVALID;
	593
	594	int rc=_load_id(&id, cert,id_cred_ret);
	595	if(rc == ABAC_CERT_SUCCESS) {
	596	rc=abac_id_load_privkey_chunk(id, privkey_chunk);
	597	}
	598
	599	return rc;
	600	}
	601
[ba6027a]	602	int abac_verifier_load_id_enc_privkey_chunk(chunk_t chunk, chunk_t privkey_chunk,
	603	char* pfile, abac_id_credential_t **id_cred_ret) {
	604
	605	abac_id_t *id=NULL;
	606	// load the cert
	607	certificate_t *cert = lib->creds->create(
	608	lib->creds, CRED_CERTIFICATE, CERT_X509,
	609	BUILD_BLOB_ASN1_DER, chunk,
	610	BUILD_X509_FLAG, X509_AA, // attribute authority, dumb
	611	BUILD_END
	612	);
	613	if (cert == NULL)
	614	return ABAC_CERT_INVALID;
	615
	616	int rc=_load_id(&id, cert,id_cred_ret);
	617	if(rc == ABAC_CERT_SUCCESS) {
	618	rc=abac_id_load_enc_privkey_chunk(id, privkey_chunk, pfile);
	619	}
	620
	621	return rc;
	622	}
	623
	624
[9b43fc3]	625
[2efdff5]	626	abac_id_t abac_verifier_load_issuer(char filename, char *keyfilename)
	627	{
	628	abac_id_credential_t *id_cred=NULL;
	629	int ret=abac_verifier_load_id_file_key_file(filename,keyfilename,&id_cred);
	630	if(ret !=ABAC_CERT_SUCCESS)
	631	return NULL;
	632	abac_id_t *issuer=abac_id_credential_id(id_cred);
	633	return issuer;
	634	}
	635
[53e540d]	636
[5110d42]	637	static int matchex(const char subject, const char pattern, int so, int eo)
	638	{
	639	int rc; // Returned code
	640	regmatch_t pmatch;
	641
	642	regex_t re; // Compiled regexp pattern
	643
	644	if (regcomp(&re, pattern, 0) != 0) return 0;
	645
	646	rc = regexec(&re, subject, 1 , &pmatch, 0);
	647	regfree(&re);
	648
	649	if (rc == REG_NOMATCH ) return 0;
	650
	651	*so=pmatch.rm_so;
	652	*eo=pmatch.rm_eo;
	653
	654	return 1;
	655	}
	656
	657
	658
	659	static chunk_t _extract_chunk(char data, char startline, char* endline)
	660	{
	661	int found=0;
	662	int startos=0;
	663	int endos=0;
	664	regex_t re;
	665	regmatch_t pm;
	666	int rc;
	667
	668	int st;
	669	int et;
	670
	671	rc=matchex(data, startline, &st, &et);
	672	if(rc==0) return chunk_empty;
	673	startos=st;
	674
	675	rc=matchex(data, endline, &st, &et);
	676	if(rc==0) return chunk_empty;
	677	endos=et;
	678
	679	int len=endos - startos;
	680
[2485307]	681	if(debug) fprintf(stderr, "making a chunk of size (%d) from %d and %d\n",len, startos,endos);
[5110d42]	682	char *ptr=strndup(data+startos,len);
	683
	684	chunk_t ret = { ptr, len };
	685	return ret;
	686	}
	687
	688
	689	int abac_verifier_load_idkey_file(char filename, abac_id_credential_t *id_cred_ret)
	690	{
	691	struct stat sb;
	692	int fd;
	693	int rc;
	694
	695	fd = open(filename, O_RDONLY);
	696	if (fd == -1) { return 1; }
	697	if(stat(filename, &sb) == -1) {
	698	close(fd);
	699	return 1;
	700	}
	701	char* data = (char *)mmap(NULL, sb.st_size, PROT_READ, MAP_PRIVATE, fd, 0);
	702	if(data == MAP_FAILED) {
	703	close(fd);
	704	return 1;
	705	}
	706	close(fd);
	707
	708	chunk_t key_pem_chunk=_extract_chunk(data,
	709	"-----BEGIN RSA PRIVATE KEY-----","-----END RSA PRIVATE KEY-----");
	710	chunk_t cert_pem_chunk=_extract_chunk(data,
	711	"-----BEGIN CERTIFICATE-----","-----END CERTIFICATE-----");
	712
	713	/* key=0, cert=0 */
	714	if(key_pem_chunk.len==0 && cert_pem_chunk.len==0) {
[2485307]	715	if(debug) fprintf(stderr, "abac_verifier_load_idkey_file: no key or id in idkey_file\n");
[5110d42]	716	goto error;
	717	}
	718
	719	/* key=0, cert=1 */
	720	if(key_pem_chunk.len==0) {
[2485307]	721	if(debug) fprintf(stderr, "abac_verifier_load_idkey_file: no key in idkey_file\n");
[5110d42]	722	munmap(data, sb.st_size);
	723	chunk_free(&key_pem_chunk);
	724	return abac_verifier_load_id_file_key_file(filename,NULL,id_cred_ret);
	725	}
	726
	727	/* key=1, cert=1 */
	728	if(cert_pem_chunk.len!=0) {
	729	if(debug) {
[2485307]	730	fprintf(stderr, "loading cert pem chunk %d\n", cert_pem_chunk.len);
[5110d42]	731	printf("(%s)\n",cert_pem_chunk.ptr);
	732	}
	733	rc=abac_verifier_load_id_pem_chunk(cert_pem_chunk, id_cred_ret);
	734	if(rc != 0) {
[2485307]	735	if(debug) fprintf(stderr, "abac_verifier_load_idkey_file: fail to load the id\n");
[5110d42]	736	goto error;
	737	}
	738	/* key=1, cert=0 */
	739	} else {
[2485307]	740	if(debug) fprintf(stderr, "abac_verifier_load_idkey_file: there is no id info in there\n");
[5110d42]	741	goto error;
	742	}
	743
	744	/* handle the key_pem_chunk */
	745	if(debug) {
[2485307]	746	fprintf(stderr, "loading key pem chunk %d\n", key_pem_chunk.len);
[5110d42]	747	printf("(%s)\n",key_pem_chunk.ptr);
	748	}
	749	abac_id_t id=abac_id_credential_id(id_cred_ret);
	750	rc=abac_id_load_privkey_chunk(id, key_pem_chunk);
	751	if(rc==0) {
	752	printf("abac_verifier_load_idkey_file:failed to load priv key!!!\n");
	753	goto error;
	754	}
	755
	756	munmap(data, sb.st_size);
	757	return 0;
	758
	759	error:
	760	munmap(data, sb.st_size);
	761	return 1;
	762	}
	763
	764
[ba6027a]	765	int abac_verifier_load_enc_idkey_file(char filename, char pfile,
	766	abac_id_credential_t **id_cred_ret)
	767	{
	768	struct stat sb;
	769	int fd;
	770	int rc;
	771
	772	fd = open(filename, O_RDONLY);
	773	if (fd == -1) { return 1; }
	774	if(stat(filename, &sb) == -1) {
	775	close(fd);
	776	return 1;
	777	}
	778	char* data = (char *)mmap(NULL, sb.st_size, PROT_READ, MAP_PRIVATE, fd, 0);
	779	if(data == MAP_FAILED) {
	780	close(fd);
	781	return 1;
	782	}
	783	close(fd);
	784
	785	chunk_t key_pem_chunk=_extract_chunk(data,
	786	"-----BEGIN RSA PRIVATE KEY-----","-----END RSA PRIVATE KEY-----");
	787	chunk_t cert_pem_chunk=_extract_chunk(data,
	788	"-----BEGIN CERTIFICATE-----","-----END CERTIFICATE-----");
	789
	790	/* key=0, cert=0 */
	791	if(key_pem_chunk.len==0 && cert_pem_chunk.len==0) {
[2485307]	792	if(debug) fprintf(stderr, "abac_verifier_load_idkey_file: no key or id in idkey_file\n");
[ba6027a]	793	goto error;
	794	}
	795
	796	/* key=0, cert=1 */
	797	if(key_pem_chunk.len==0) {
[2485307]	798	if(debug) fprintf(stderr, "abac_verifier_load_idkey_file: no key in idkey_file\n");
[ba6027a]	799	munmap(data, sb.st_size);
	800	chunk_free(&key_pem_chunk);
	801	return abac_verifier_load_id_file_key_file(filename,NULL,id_cred_ret);
	802	}
	803
	804	/* key=1, cert=1 */
	805	if(cert_pem_chunk.len!=0) {
	806	if(debug) {
[2485307]	807	fprintf(stderr, "loading cert pem chunk %d\n", cert_pem_chunk.len);
[ba6027a]	808	printf("(%s)\n",cert_pem_chunk.ptr);
	809	}
	810	rc=abac_verifier_load_id_pem_chunk(cert_pem_chunk, id_cred_ret);
	811	if(rc != 0) {
[2485307]	812	if(debug) fprintf(stderr, "abac_verifier_load_idkey_file: fail to load the id\n");
[ba6027a]	813	goto error;
	814	}
	815	/* key=1, cert=0 */
	816	} else {
[2485307]	817	if(debug) fprintf(stderr, "abac_verifier_load_idkey_file: there is no id info in there\n");
[ba6027a]	818	goto error;
	819	}
	820
	821	/* handle the key_pem_chunk */
	822	if(debug) {
[2485307]	823	fprintf(stderr, "loading key pem chunk %d\n", key_pem_chunk.len);
[ba6027a]	824	printf("(%s)\n",key_pem_chunk.ptr);
	825	printf("(%d)\n",strlen(key_pem_chunk.ptr));
	826	}
	827	abac_id_t id=abac_id_credential_id(id_cred_ret);
	828	rc=abac_id_load_enc_privkey_chunk(id, key_pem_chunk, pfile);
	829	if(rc==0) {
	830	printf("abac_verifier_load_idkey_file:failed to load priv key!!!\n");
	831	goto error;
	832	}
	833
	834	munmap(data, sb.st_size);
	835	return 0;
	836
	837	error:
	838	munmap(data, sb.st_size);
	839	return 1;
	840	}
[5110d42]	841
[da5afdf]	842	void abac_print_clauses(abac_list_t clauses, FILE fp)
[202a7f9]	843	{
	844	if (clauses != NULL) {
	845	char *cur;
[7b548fa]	846	printf("total-- %d clauses\n", abac_list_size(clauses));
[202a7f9]	847	abac_list_foreach(clauses, cur,
[da5afdf]	848	if(cur) {
	849	if(fp)
	850	fprintf (fp,"a clause, %d(%s)\n", (int)cur,cur);
	851	else printf ("a clause, %d(%s)\n", (int)cur,cur);
	852	}
[202a7f9]	853	);
	854	}
	855	}
	856
[8bd77b5]	857	abac_id_credential_t abac_id_credential_dup(abac_id_credential_t ptr) {
	858	assert(ptr != NULL);
[ba6027a]	859	if(debug)
[2485307]	860	fprintf(stderr, "calling abac_id_credential_dup, increment id ref count\n");
[8bd77b5]	861	abac_id_dup(ptr->id);
	862	return ptr;
	863	}
	864
	865	abac_id_t abac_id_credential_id(abac_id_credential_t ptr)
[da5afdf]	866	{
[8bd77b5]	867	assert(ptr);
	868	return ptr->id;
	869	}
[53e540d]	870
	871
[8bd77b5]	872	abac_id_credential_t abac_id_credential_lookup(char pname)
	873	{
	874	abac_id_credential_t *id_cred=NULL;
	875	HASH_FIND_STR(id_creds, pname, id_cred);
[5110d42]	876	if(id_cred != NULL)
	877	return abac_id_credential_dup(id_cred);
	878	else return NULL;
[8bd77b5]	879	}
[7727f26]	880
[8bd77b5]	881	void abac_id_credential_free(abac_id_credential_t *ptr)
	882	{
	883	if (ptr == NULL)
	884	return;
[53e540d]	885
[5110d42]	886	if(debug)
[2485307]	887	fprintf(stderr, "abac_id_credential_free:freeing (%s)\n", abac_id_name(ptr->id));
[5110d42]	888
[8bd77b5]	889	// this is very hacky...
	890	int last=abac_id_lastone(ptr->id);
	891	if(!last) {
[2485307]	892	if(debug) fprintf(stderr, "abac_id_credential_free:not last one\n");
[8bd77b5]	893	abac_id_free(ptr->id);
	894	} else {
[2485307]	895	if(debug) fprintf(stderr, "abac_id_credential_free: deleting id (%s)\n",abac_id_name(ptr->id));
[8bd77b5]	896	free(ptr->hashkeyid);
	897	if(ptr->pl_clause)
	898	free(ptr->pl_clause);
	899	abac_id_free(ptr->id);
	900	HASH_DEL(id_creds, ptr);
	901	free(ptr);
[53e540d]	902	}
[da5afdf]	903	}
	904
[8bd77b5]	905	/****************************************************************************/
	906
[5d06689]	907	static int _verify_valid_credential_string(certificate_t *cert,
[da5afdf]	908	abac_credential_t *cred_ret, char encoded_attr_string)
	909	{
[8bd77b5]	910	abac_aspect_t *head_aspect = NULL;
	911	abac_aspect_t *tail_aspect = NULL;
[da5afdf]	912	abac_list_t *clauses=NULL;
[8bd77b5]	913	abac_id_credential_t *id_cred;
	914	abac_id_t *issuer_id;
[da5afdf]	915	int ret, i;
	916
	917	// get the attr
[8bd77b5]	918	head_aspect = abac_yy_get_rule_head_aspect();
	919	tail_aspect = abac_yy_get_rule_tail_aspect();
[b5a3da4]	920	clauses = abac_yy_get_rule_clauses();
[53e540d]	921
	922	// get the issuer based on keyid
[8bd77b5]	923	char *principalname = abac_aspect_principal_principalname(head_aspect);
[2485307]	924	if(debug) fprintf(stderr, "LOOKING for %s\n", principalname);
[8bd77b5]	925
	926	HASH_FIND_STR(id_creds, principalname, id_cred);
[d037f54]	927	if(id_cred == NULL) {
	928	ret = ABAC_CERT_MISSING_ISSUER;
	929	if(debug)
[2485307]	930	fprintf(stderr, "can not find %s in id_creds\n", principalname);
[d037f54]	931	goto error;
	932	}
[8bd77b5]	933	issuer_id=id_cred->id;
	934	if (issuer_id == NULL) {
[53e540d]	935	ret = ABAC_CERT_MISSING_ISSUER;
[8bd77b5]	936	if(debug)
[2485307]	937	fprintf(stderr, "can not find %s in id_creds\n", principalname);
[53e540d]	938	goto error;
	939	}
	940
	941	// make sure the issuer's signed it
[dfe6b61]	942	ret = verify_signature(abac_id_cert(issuer_id), cert);
[53e540d]	943	if (!ret) {
[b5a3da4]	944	abac_yy_set_error_code(ABAC_RT_CERT_BAD_SIG);
[5110d42]	945	ret=ABAC_CERT_BAD_SIG;
[53e540d]	946	goto error;
	947	}
	948
[8bd77b5]	949	// at this point we know we have a good attribute cert baked it in
	950	abac_attribute_t *attr=abac_attribute_new(issuer_id, cert, cert->get_ref(cert));
	951	abac_attribute_set_head(attr, head_aspect);
	952	abac_attribute_add_tail(attr, tail_aspect);
	953
[53e540d]	954	abac_credential_t *cred = abac_xmalloc(sizeof(abac_credential_t));
[8bd77b5]	955	cred->hashkeyid=abac_xstrdup(encoded_attr_string);
	956	cred->attr=attr;
	957	cred->pl_clauses = clauses;
[53e540d]	958	*cred_ret = cred;
	959
	960	// success, add the key to the map of certificates
[8bd77b5]	961	HASH_ADD_KEYPTR(hh, attr_creds, cred->hashkeyid, strlen(cred->hashkeyid), cred);
[53e540d]	962
[8bd77b5]	963	assert(attr_hashkeyid_list);
	964	abac_list_add(attr_hashkeyid_list, abac_xstrdup(cred->hashkeyid));
[9b43fc3]	965
	966	if(debug)
[2485307]	967	fprintf(stderr, "-->adding into attr_creds 2, (%s)..cnt(%d)\n",
[9b43fc3]	968	cred->hashkeyid, HASH_COUNT(attr_creds));
	969
[da5afdf]	970	return ABAC_CERT_SUCCESS;
	971
	972	error:
[8bd77b5]	973	if (head_aspect) abac_aspect_free(head_aspect);
	974	if (tail_aspect) abac_aspect_free(tail_aspect);
[b5a3da4]	975	abac_yy_free_rule_clauses();
[da5afdf]	976
	977	return ret;
	978	}
[8bd77b5]	979
[da5afdf]	980	/**
	981	* Load an attribute cert.
	982	* Returns true only if the certificate is valid and is issued by the proper
	983	* authority.
[5d06689]	984	* attribute string is parsed via yyparse call
[da5afdf]	985	*/
	986	static int _load_attribute_cert(certificate_t cert, abac_credential_t *cred_ret) {
	987	ietf_attributes_t *attr_cert = NULL;
	988	int ret, i;
	989
	990	// get the attr
	991	ac_t ac = (ac_t )cert;
	992	attr_cert = ac->get_groups(ac);
	993	if (attr_cert == NULL) {
	994	ret = ABAC_CERT_INVALID;
	995	goto error;
	996	}
	997
	998	char *encoded_attr_string=attr_cert->get_string(attr_cert);
	999	char *attr_string = abac_decode_string(encoded_attr_string);
	1000	if(debug)
[2485307]	1001	fprintf(stderr, "string to be yyparse..(%d)(%s)\n",strlen(attr_string),attr_string);
[da5afdf]	1002
	1003	if (attr_string == NULL) {
	1004	ret = ABAC_CERT_INVALID;
	1005	goto error;
	1006	}
	1007
	1008	/* call into yacc parser */
	1009	abac_reset_yyfptr(attr_string);
[b5a3da4]	1010	abac_yy_init();
[da5afdf]	1011	int rc=yyparse();
	1012	if (rc) {
	1013	ret = ABAC_CERT_INVALID;
	1014	goto error;
	1015	}
	1016
[5d06689]	1017	ret=_verify_valid_credential_string(cert,cred_ret,encoded_attr_string);
[da5afdf]	1018
[5110d42]	1019	if(ret != ABAC_CERT_SUCCESS) {
[671c065]	1020	char *tmp=NULL;
[9a0e1c1]	1021	asprintf(&tmp,"_load_attribute_cert: fail to verify credential (%s)",attr_string);
[671c065]	1022	panic(tmp);
[5110d42]	1023	}
	1024
[53e540d]	1025	// free up some crap
	1026	attr_cert->destroy(attr_cert);
	1027
[5110d42]	1028	return ret;
[53e540d]	1029
	1030	error:
[202a7f9]	1031	if (cert) cert->destroy(cert);
	1032	if (attr_cert) attr_cert->destroy(attr_cert);
[0779c99]	1033	return ret;
[5450aeb]	1034	}
[5f99fbc]	1035
[8bd77b5]	1036	/**
	1037	* Load an attribute cert from a abac_attribute_t.
[5d06689]	1038	* attr should be all checked out before arriving here
[8bd77b5]	1039	*/
[5d06689]	1040	int abac_verifier_load_attribute_cert_attribute(abac_attribute_t ptr, abac_credential_t *cred_ret) {
	1041	// get the attr
	1042	abac_aspect_t *head=abac_attribute_head(ptr);
	1043	abac_aspect_t *tail=abac_attribute_tail(ptr);
	1044
	1045	// preprocess for constraint part
	1046	preprocess_pl_head(head);
	1047	preprocess_pl_tail(tail);
	1048
[9b43fc3]	1049	/* setup the encoded attribute string */
	1050	char *encoded_attr_string=get_cred_encoding(ptr);
	1051	generate_pl_set_abac_yyfptr_encoded(encoded_attr_string);
	1052	/* collect up type clauses, constraint clauses and
[5d06689]	1053	generate rule clauses */
	1054	abac_list_t *clauses=generate_pl_clauses(head,tail);
[9b43fc3]	1055
[b8a6fd2a]	1056	if(debug) abac_print_clauses(clauses,NULL);
[5d06689]	1057
	1058	abac_credential_t *cred = abac_xmalloc(sizeof(abac_credential_t));
	1059	cred->hashkeyid=abac_xstrdup(encoded_attr_string);
	1060	cred->attr=abac_attribute_dup(ptr);
	1061	cred->pl_clauses = clauses;
	1062	*cred_ret = cred;
	1063
	1064	// success, add the key to the map of certificates
	1065	HASH_ADD_KEYPTR(hh, attr_creds, cred->hashkeyid, strlen(cred->hashkeyid), cred);
	1066
	1067	assert(attr_hashkeyid_list);
	1068	abac_list_add(attr_hashkeyid_list, abac_xstrdup(cred->hashkeyid));
[9b43fc3]	1069
	1070	if(debug)
[2485307]	1071	fprintf(stderr, "-->adding into attr_creds, (%s)..cnt(%d)\n",
[9b43fc3]	1072	cred->hashkeyid, HASH_COUNT(attr_creds));
[5d06689]	1073	return ABAC_CERT_SUCCESS;
[8bd77b5]	1074	}
	1075
[e898049]	1076	/**
	1077	* Load an attribute cert from a file.
	1078	*/
[0779c99]	1079	int abac_verifier_load_attribute_cert_file(char filename, abac_credential_t *cred) {
[e898049]	1080	// load the cert
[2485307]	1081	if(debug) fprintf(stderr, "..loading attr file %s\n", filename);
[e898049]	1082	certificate_t *cert = lib->creds->create(
	1083	lib->creds, CRED_CERTIFICATE, CERT_X509_AC,
	1084	BUILD_FROM_FILE, filename,
	1085	BUILD_END
	1086	);
	1087	if (cert == NULL)
[0779c99]	1088	return ABAC_CERT_INVALID;
	1089	return _load_attribute_cert(cert, cred);
[e898049]	1090	}
	1091
	1092	/**
	1093	* Load an attribute cert from a chunk.
	1094	*/
[0779c99]	1095	int abac_verifier_load_attribute_cert_chunk(chunk_t chunk, abac_credential_t **cred) {
[e898049]	1096	// load the cert
	1097	certificate_t *cert = lib->creds->create(
	1098	lib->creds, CRED_CERTIFICATE, CERT_X509_AC,
	1099	BUILD_BLOB_ASN1_DER, chunk,
	1100	BUILD_END
	1101	);
	1102	if (cert == NULL)
[0779c99]	1103	return ABAC_CERT_INVALID;
[9b43fc3]	1104
[0779c99]	1105	return _load_attribute_cert(cert, cred);
[e898049]	1106	}
	1107
[85cdf53]	1108	/**
	1109	* Return the encoding of the attribute cert.
	1110	*/
[401a054]	1111	abac_chunk_t abac_credential_attribute_cert(abac_credential_t *cred) {
[8bd77b5]	1112	abac_attribute_t *ptr=cred->attr;
	1113	certificate_t *cert=abac_attribute_cert(ptr);
[137b55f]	1114	chunk_t encoding = chunk_empty;
	1115	int rc=cert->get_encoding(cert,CERT_ASN1_DER,&encoding);
[9efbfbf]	1116	abac_chunk_t ret = { encoding.ptr, encoding.len };
	1117	return ret;
[85cdf53]	1118	}
	1119
	1120	/**
	1121	* Return the encoding of the issuer cert.
	1122	*/
[401a054]	1123	abac_chunk_t abac_credential_issuer_cert(abac_credential_t *cred) {
[8bd77b5]	1124	certificate_t *issuer_cert=abac_attribute_issuer_cert(cred->attr);
	1125	assert(issuer_cert);
[137b55f]	1126	chunk_t encoding = chunk_empty;
	1127	// XXX MEI, not sure ??
	1128	int rc=issuer_cert->get_encoding(issuer_cert,CERT_ASN1_DER,&encoding);
[9efbfbf]	1129	abac_chunk_t ret = { encoding.ptr, encoding.len };
	1130	return ret;
[85cdf53]	1131	}
[186cb75]	1132
[53e540d]	1133	/**
	1134	* Return the clause of the cert
	1135	*/
[202a7f9]	1136	abac_list_t abac_credential_clauses(abac_credential_t cred) {
[8bd77b5]	1137	return cred->pl_clauses;
[53e540d]	1138	}
	1139
[8bd77b5]	1140	abac_attribute_t abac_credential_attribute(abac_credential_t cred) {
	1141	assert(cred);
	1142	return cred->attr;
	1143	}
[202a7f9]	1144
[186cb75]	1145	/**
[fbb591e]	1146	* Increase the ref count of a credential.
[186cb75]	1147	*/
[401a054]	1148	abac_credential_t abac_credential_dup(abac_credential_t cred) {
	1149	assert(cred != NULL);
[186cb75]	1150
[8bd77b5]	1151	abac_attribute_dup(cred->attr);
[fbb591e]	1152	return cred;
[186cb75]	1153	}
	1154
[53e540d]	1155	/**
	1156	* lookup for a credential.
	1157	*/
[202a7f9]	1158	abac_credential_t abac_credential_lookup(char cred_string)
	1159	{
	1160	if(debug)
[2485307]	1161	fprintf(stderr, "abac_credential_lookup: looking for (%s)\n", cred_string);
[8bd77b5]	1162	abac_credential_t *attr_cred;
[9b43fc3]	1163
[8bd77b5]	1164	HASH_FIND_STR(attr_creds, cred_string, attr_cred);
	1165	if (attr_cred == NULL) {
[2485307]	1166	if(debug) fprintf(stderr, "DEBUG:NOT FOUND..\n");
[53e540d]	1167	return NULL;
	1168	}
[8bd77b5]	1169	abac_credential_t *rt=abac_credential_dup(attr_cred);
[2485307]	1170	if(debug) fprintf(stderr, "DEBUG:FOUND.. (%d) returning, (%d)\n", (int)attr_cred, (int) rt);
[8bd77b5]	1171	return rt;
[53e540d]	1172	}
	1173
[186cb75]	1174	/**
[fbb591e]	1175	* Decrease the reference count of a credential, freeing it when it reaches 0.
[186cb75]	1176	*/
[202a7f9]	1177	void abac_credential_free(abac_credential_t *cred)
	1178	{
	1179	if(debug)
[2485307]	1180	fprintf(stderr, "abac_credential_free:freeing cred(%d)clause(%d)\n", (int)cred, (int)cred->pl_clauses);
[202a7f9]	1181
[401a054]	1182	if (cred == NULL)
[186cb75]	1183	return;
	1184
[8bd77b5]	1185	// this is very hacky...
	1186	int last=abac_attribute_lastone(cred->attr);
	1187	if(!last) {
	1188	abac_attribute_free(cred->attr);
[da5afdf]	1189	} else {
[2485307]	1190	if(debug) fprintf(stderr, "abac_credential_free: real free for (%d)\n",(int) cred);
[8bd77b5]	1191	free(cred->hashkeyid);
	1192	char *cur=NULL;
	1193	abac_list_foreach(cred->pl_clauses, cur,
	1194	free(cur);
	1195	);
	1196	abac_attribute_free(cred->attr);
	1197	HASH_DEL(attr_creds, cred);
	1198	free(cred);
[da5afdf]	1199	}
[186cb75]	1200	}
[53e540d]	1201
[8bd77b5]	1202	char abac_id_clause(abac_id_credential_t id_cred)
[202a7f9]	1203	{
[8bd77b5]	1204	if(id_cred)
	1205	return id_cred->pl_clause;
[202a7f9]	1206	return NULL;
	1207	}
	1208
[53e540d]	1209	/* retrieve the cn that is associated with this sha_string */
[5110d42]	1210	char abac_cn_with_sha(char sha_string)
	1211	{
[53e540d]	1212	// get the issuer based on keyid
[8bd77b5]	1213	abac_id_credential_t *id_cred;
	1214	HASH_FIND_STR(id_creds, sha_string, id_cred);
	1215	if (id_cred == NULL) {
[53e540d]	1216	return NULL;
	1217	}
[202a7f9]	1218	if(debug)
[8bd77b5]	1219	check_id_cred(id_cred);
	1220	return abac_id_cn(id_cred->id);
[53e540d]	1221	}
	1222
[8bd77b5]	1223	char abac_idtype_with_sha(char sha_string)
	1224	{
	1225	// get the issuer based on keyid
	1226	abac_id_credential_t *id_cred;
	1227	HASH_FIND_STR(id_creds, sha_string, id_cred);
	1228	if (id_cred == NULL) {
[6244e28]	1229	// this id, sha string is not in the db...
	1230	if(debug)
	1231	fprintf(stderr,"abac_idtype_with_sha: this id is not in the id_creds list\n");
[8bd77b5]	1232	return NULL;
	1233	}
	1234	int idtype=abac_id_idtype(id_cred->id);
	1235
	1236	return abac_idtype_string(idtype);
[923b4dd]	1237	}
	1238
[8bd77b5]	1239	abac_aspect_t abac_credential_head(abac_credential_t cred) {
	1240	return abac_attribute_head(cred->attr);
[923b4dd]	1241	}
	1242
[8bd77b5]	1243	abac_aspect_t abac_credential_tail(abac_credential_t cred) {
	1244	return abac_attribute_tail(cred->attr);
[923b4dd]	1245	}
	1246
	1247

Note: See TracBrowser for help on using the repository browser.

Download in other formats: