source: libabac/abac_verifier.c @ 59ea648

mei_rt2mei_rt2_fix_1meiyap-rt1rt2
Last change on this file since 59ea648 was 7727f26, checked in by Mei <mei@…>, 13 years ago

1) add environment variables DUMP_DB, ABAC_CN.

ABAC_CN will switch to using CNs for keyid insead of SHAs

2) add/modified couple of doc files.
  • Property mode set to 100644
File size: 19.0 KB
RevLine 
[53e540d]1
2// include the GNU extension of asprintf
3#define _GNU_SOURCE
4
[186cb75]5#include <assert.h>
[202a7f9]6#include <stdio.h>
[186cb75]7
[5450aeb]8#include <library.h>
9#include <credentials/certificates/certificate.h>
10#include <credentials/certificates/x509.h>
11#include <credentials/certificates/ac.h>
12
[43e3b71]13#include "abac_verifier.h"
[5450aeb]14
[342e28f]15#include "abac_list.h"
[3c251d0]16#include "abac_util.h"
[202a7f9]17#include "abac_rt.h"
[5450aeb]18
[b5a3da4]19extern abac_role_t *abac_yy_get_rule_head_role();
20extern abac_role_t *abac_yy_get_rule_tail_role();
21extern abac_oset_t *abac_yy_get_rule_head_oset();
22extern abac_oset_t *abac_yy_get_rule_tail_oset();
23extern int abac_yy_get_rule_is_oset();
24extern abac_list_t *abac_yy_get_rule_clauses();
[da5afdf]25extern char* abac_decode_string(char *);
[b5a3da4]26extern void abac_yy_free_rule_clauses();
[0d0c3a9]27extern char *generate_pl_type_clause(char *, int);
28
[202a7f9]29
30/* keeping this a fixed enum is to have tighter control of
31   what are acceptabletypes of keyid are we allowing */
[0d0c3a9]32typedef enum _keyidtype_t {
33    e_KEYID = 1,
34} keyidtype_t;
35
[202a7f9]36/* keyidname[keyidtype] */
[da5afdf]37static char * const keyidname[] =
[202a7f9]38{
39  "badidtype", "keyid", 0
40};
41
[0d0c3a9]42typedef enum _credtype_t {
[da5afdf]43   e_CREDTYPE_ROLE =1,
[0d0c3a9]44   e_CREDTYPE_OSET =2,
45} credtype_t;
[da5afdf]46
47static int keyidname_cnt=1;
[202a7f9]48
49struct _abac_id_cert_t {
[5450aeb]50    char *keyid;
[53e540d]51    char *cn;
[202a7f9]52    int type; /* keyidtype */
[5450aeb]53    certificate_t *cert;
[202a7f9]54    char *clause;
[5450aeb]55
56    UT_hash_handle hh;
[202a7f9]57};
[5450aeb]58
[da5afdf]59/* can store either role or oset */
[401a054]60struct _abac_credential_t {
[da5afdf]61    int type;
62    void *head;
63    void *tail;
[5f99fbc]64    certificate_t *cert;
65    certificate_t *issuer;
[202a7f9]66    abac_list_t *clauses;
[fbb591e]67
68    int refcount;
[5f99fbc]69};
70
[53e540d]71typedef struct _abac_str_cred_t {
72    char *strid;
73    abac_credential_t *cred;
74
75    UT_hash_handle hh;
76} abac_str_cred_t;
77
[43e3b71]78abac_id_cert_t *id_certs = NULL;
[53e540d]79abac_str_cred_t *str_creds = NULL;
[5450aeb]80
[202a7f9]81static int debug=0;
82static void check_id_cert(abac_id_cert_t *id_cert);
[da5afdf]83extern void abac_print_role_string_with_condition(abac_role_t *role, FILE*);
[202a7f9]84
85//
[da5afdf]86void abac_print_cred_info(abac_credential_t *cred, FILE *fp)
[202a7f9]87{
[da5afdf]88    if(fp == NULL)
89        fp=stdout;
90
[202a7f9]91    if(debug) {
[da5afdf]92        fprintf(fp,"---> printing out credential info cred(%d)..\n", (int) cred);
[202a7f9]93        if(cred->head) {
[da5afdf]94            fprintf(fp,"  head cred(%d):\n",(int)cred->head);
95            if(cred->type == e_CREDTYPE_ROLE)
96               abac_print_role_string_with_condition((abac_role_t*)cred->head,fp);
97               else
98                   abac_print_oset_string_with_condition((abac_oset_t*)cred->head,fp);
[202a7f9]99        }
100        if(cred->tail) {
[da5afdf]101            fprintf(fp,"\n  tail cred(%d):\n",(int)cred->tail);
102            if(cred->type == e_CREDTYPE_ROLE)
103                abac_print_role_string_with_condition((abac_role_t*)cred->tail,fp);
104                else
105                    abac_print_oset_string_with_condition((abac_oset_t*)cred->tail,fp);
[202a7f9]106        }
107
108        abac_list_t *clauses=cred->clauses;
109        if (clauses != NULL) {
110            char *cur=NULL;
111            abac_list_foreach(clauses, cur,
[da5afdf]112                fprintf(fp,"\n  a clause(%d):\n",(int)cur);
[202a7f9]113                if(cur)
[da5afdf]114                    fprintf(fp,"strlen(%d)loc(%d)(%s)\n", strlen(cur),(int)cur, cur);
[202a7f9]115            );
116        }
117        } else {
[da5afdf]118            fprintf(fp," ");
119            if(cred->type == e_CREDTYPE_ROLE)
120                abac_print_role_string_with_condition((abac_role_t *)cred->head,fp);
121                else abac_print_oset_string_with_condition((abac_oset_t *)cred->head,fp);
122            fprintf(fp," <- ");
123            if(cred->type == e_CREDTYPE_ROLE)
124                abac_print_role_string_with_condition((abac_role_t *)cred->tail,fp);
125                else abac_print_oset_string_with_condition((abac_oset_t *)cred->tail,fp);
126            fprintf(fp,"\n");
[202a7f9]127   }
128}
129
130//
131int abac_verify_keyid_type(char *type) {
132    int i;
133
134    if (type == NULL)
135        return 0;
136
137    for (i = 1; i <= keyidname_cnt ; i++)
138        if(strcmp(type,keyidname[i])==0)
139            return i;
140    return 0;
141}
142
143char *abac_keyid_type(int i)
144{
145    return keyidname[i];
146}
147
[5450aeb]148// convert a chunk to a lowercase binary string
149// malloc's the string
150static char *_chunk_to_string(chunk_t chunk) {
151    int i;
152
[3c251d0]153    char *ret = abac_xmalloc(chunk.len * 2 + 1);
[5450aeb]154
155    for (i = 0; i < chunk.len; ++i)
156        sprintf(ret + 2 * i, "%02x", chunk.ptr[i]);
157
158    return ret;
159}
160
161// verify that cert was issued by issuer
162// cert and issuer can be the same, in which case the self-sig is validated
[0779c99]163static int _verify_signature(certificate_t *issuer, certificate_t *cert) {
[5450aeb]164    if (cert->issued_by(cert, issuer))
165        if (cert->get_validity(cert, NULL, NULL, NULL))
166            return 1;
167    return 0;
168}
169
170/**
171 * Init the verifier subsystem.
172 */
[43e3b71]173void abac_verifier_init(void) {
[1324a63]174    // silence all debugging
175
[5450aeb]176    if (!library_init(NULL))
177        exit(SS_RC_LIBSTRONGSWAN_INTEGRITY);
178
179    if (!lib->plugins->load(lib->plugins, NULL,
180            lib->settings->get_str(lib->settings, "pki.load", PLUGINS)))
181        exit(SS_RC_INITIALIZATION_FAILED);
182}
183
[186cb75]184/**
185 * Uninitialize the system, free up any allocated memory.
186 */
[43e3b71]187void abac_verifier_deinit(void) {
188    abac_id_cert_t *id;
[186cb75]189    while ((id = id_certs) != NULL) {
190        HASH_DEL(id_certs, id);
191
192        free(id->keyid);
[53e540d]193        free(id->cn);
[186cb75]194        id->cert->destroy(id->cert);
195        free(id);
196    }
[55c272b]197
[53e540d]198    abac_str_cred_t *id2;
199    while ((id2 = str_creds) != NULL) {
200        HASH_DEL(str_creds, id2);
201
202        free(id2->strid);
203        free(id2);
204    }
205
[55c272b]206    library_deinit();
[186cb75]207}
208
[5450aeb]209/**
210 * Load an ID certificate.
211 */
[202a7f9]212static int _load_id(certificate_t *cert, abac_id_cert_t **id_cert_ret) {
[327e808]213    abac_id_cert_t *id_cert = NULL;
[7727f26]214    char *okeyid, *keyid = NULL;
[5450aeb]215    chunk_t id;
216    int ret;
[2ef48fa]217    x509_t *x509 = (x509_t *)cert;
[5450aeb]218
[e898049]219    assert(cert != NULL);
[5450aeb]220
[7727f26]221    // get the key ID, add p to keyid SHA here */
[2ef48fa]222    id = x509->get_subjectKeyIdentifier(x509);
[7727f26]223    okeyid = _chunk_to_string(id);
224    asprintf(&keyid,"p%s",okeyid);
[327e808]225
[0d0c3a9]226    /* Mike said this is the way it is */
[53e540d]227    char *str;
228    int rv = asprintf(&str, "%Y", cert->get_issuer(cert));
229
[36b100a]230    /* add p to cn name here */
[202a7f9]231    char *cn=(char *)abac_xmalloc(strlen(str)+2);
[53e540d]232    cn[0]='p';
233    int n=sscanf(str,"CN=%s", &(cn[1]));
234    if ( n!=1 ) { 
235        ret = ABAC_CERT_BAD_CN;
236        goto error;
237    }
238
[202a7f9]239    if(debug) {
240        printf ("DEBUG:keyid %s \n", keyid);
241        printf( "DEBUG:issuer '%s' \n", str);
242        printf ("DEBUG:cn %s \n", cn);
243    }
[53e540d]244    free(str);
245
[327e808]246    // if we already have this cert 'error' with success
247    HASH_FIND_STR(id_certs, keyid, id_cert);
248    if (id_cert != NULL) {
249        ret = ABAC_CERT_SUCCESS;
250        goto error;
251    }
252
[5450aeb]253    // validate sig
[0779c99]254    ret = _verify_signature(cert, cert);
255    if (!ret) {
256        ret = ABAC_CERT_BAD_SIG;
257        goto error;
258    }
[5450aeb]259
260    // success, add the key to the map of certificates
[327e808]261    id_cert = abac_xmalloc(sizeof(abac_id_cert_t));
[5450aeb]262    id_cert->keyid = keyid;
263    id_cert->cert = cert;
[53e540d]264    id_cert->cn = cn;
[da5afdf]265    id_cert->type = e_KEYID;
[7727f26]266    /* special handling here */
267    if(USE("ABAC_CN")) {
268        id_cert->clause = generate_pl_type_clause(cn, id_cert->type);
269        } else {
270           id_cert->clause=generate_pl_type_clause(keyid, id_cert->type);
271    }
[5450aeb]272    HASH_ADD_KEYPTR(hh, id_certs, id_cert->keyid, strlen(id_cert->keyid), id_cert);
[7727f26]273    if(debug) 
274        printf("-->adding into id_certs, (%s)..cnt(%d)\n", 
275                                   id_cert->keyid, HASH_COUNT(id_certs));
[5450aeb]276
[202a7f9]277    *id_cert_ret=id_cert;
278
[0779c99]279    return ABAC_CERT_SUCCESS;
[5450aeb]280
281error:
[327e808]282    if (keyid != NULL) free(keyid);
[53e540d]283    if (cn != NULL) free(cn);
[5450aeb]284
[0779c99]285    return ret;
[5450aeb]286}
287
[202a7f9]288static void check_id_cert(abac_id_cert_t *id_cert)
289{
290    if(id_cert) {
[7727f26]291        printf("checking on this id_cert location %d\n", (int)id_cert);
[202a7f9]292        printf("  --> sha is (%s)\n", id_cert->keyid);
293        printf("  --> cn is (%s)\n", id_cert->cn);
294    }
295}
296
297/**
298 * Load an attribute cert as string.
299 * have minimum syntax & validity check
300 */
301static int _load_attribute_string(char* attr_string) {
302    printf("NOT implemented yet!!!");
303    return ABAC_CERT_INVALID;
304}
305
[e898049]306/**
307 * Load an ID cert from a file.
308 */
[202a7f9]309int abac_verifier_load_id_file(char *filename, abac_id_cert_t **id_cert_ret) {
[61278ec]310    if (lib == NULL)
311        errx(1, "looks like you didn't call libabac_init() (lib is NULL)");
312
[e898049]313    // load the cert
314    certificate_t *cert = lib->creds->create(
315        lib->creds, CRED_CERTIFICATE, CERT_X509,
316        BUILD_FROM_FILE, filename,
317        BUILD_X509_FLAG, X509_AA, // attribute authority, dumb
318        BUILD_END
319    );
320    if (cert == NULL)
[0779c99]321        return ABAC_CERT_INVALID;
[202a7f9]322    return _load_id(cert,id_cert_ret);
[e898049]323}
324
325/**
326 * Load an ID cert from a chunk.
327 */
[202a7f9]328int abac_verifier_load_id_chunk(chunk_t chunk, abac_id_cert_t **id_cert_ret) {
[e898049]329    // load the cert
330    certificate_t *cert = lib->creds->create(
331        lib->creds, CRED_CERTIFICATE, CERT_X509,
332        BUILD_BLOB_ASN1_DER, chunk,
333        BUILD_X509_FLAG, X509_AA, // attribute authority, dumb
334        BUILD_END
335    );
336    if (cert == NULL)
[0779c99]337        return ABAC_CERT_INVALID;
[202a7f9]338    return _load_id(cert,id_cert_ret);
[e898049]339}
340
[53e540d]341
[da5afdf]342void abac_print_clauses(abac_list_t *clauses, FILE *fp)
[202a7f9]343{
344    if (clauses != NULL) {
345        char *cur;
[7b548fa]346        printf("total-- %d clauses\n", abac_list_size(clauses));
[202a7f9]347        abac_list_foreach(clauses, cur,
[da5afdf]348            if(cur) {
349                if(fp)
350                    fprintf (fp,"a clause, %d(%s)\n", (int)cur,cur);
351                    else printf ("a clause, %d(%s)\n", (int)cur,cur);
352            }
[202a7f9]353        );
354    }
355}
356
[da5afdf]357static int _verify_valid_role_credential(certificate_t *cert,
358abac_credential_t **cred_ret, char *encoded_attr_string)
359{
[53e540d]360    abac_role_t *head_role = NULL;
361    abac_role_t *tail_role = NULL;
[202a7f9]362    abac_list_t *clauses=NULL;
[53e540d]363    abac_id_cert_t *issuer;
364    int ret, i;
365
366    // get the attr
[b5a3da4]367    head_role = abac_yy_get_rule_head_role();
368    tail_role = abac_yy_get_rule_tail_role();
369    clauses = abac_yy_get_rule_clauses();
[53e540d]370
[da5afdf]371    // get the issuer based on keyid
[7727f26]372    char *principalname = abac_role_principal_principalname(head_role);
373    if(debug) printf("LOOKING for %s\n", principalname);
374
[da5afdf]375    HASH_FIND_STR(id_certs, principalname, issuer);
376    if (issuer == NULL) {
377        ret = ABAC_CERT_MISSING_ISSUER;
[7727f26]378        if(debug)
379             printf("can not find %s in id_certs\n", principalname);
[53e540d]380        goto error;
381    }
382
[da5afdf]383    // make sure the issuer's signed it
384    ret = _verify_signature(issuer->cert, cert);
385    if (!ret) {
[b5a3da4]386        abac_yy_set_error_code(ABAC_RT_CERT_BAD_SIG);
[53e540d]387        goto error;
388    }
[da5afdf]389
390    // at this point we know we have a good attribute cert
391    abac_credential_t *cred = abac_xmalloc(sizeof(abac_credential_t));
392    cred->type= e_CREDTYPE_ROLE;
393    cred->head = head_role;
394    cred->tail = tail_role;
395    cred->cert = cert;
396    cred->issuer = issuer->cert->get_ref(issuer->cert);
397    cred->clauses = clauses;
398    cred->refcount = 1;
399    *cred_ret = cred;
400
401    // success, add the key to the map of certificates
402    abac_str_cred_t *str_cred;
403    str_cred=abac_xmalloc(sizeof(abac_str_cred_t));
404    str_cred->strid=strdup(encoded_attr_string);
405    str_cred->cred=cred;
406    HASH_ADD_KEYPTR(hh, str_creds, str_cred->strid, strlen(str_cred->strid), str_cred);
407
408    return ABAC_CERT_SUCCESS;
409
410error:
411    if (head_role) abac_role_free(head_role);
412    if (tail_role) abac_role_free(tail_role);
[b5a3da4]413    abac_yy_free_rule_clauses();
[da5afdf]414
415    return ret;
416}
417
418static int _verify_valid_oset_credential(certificate_t *cert,
419abac_credential_t **cred_ret, char *encoded_attr_string)
420{
421    abac_oset_t *head_oset = NULL;
422    abac_oset_t *tail_oset = NULL;
423    abac_list_t *clauses=NULL;
424    abac_id_cert_t *issuer;
425    int ret, i;
426
427    // get the attr
[b5a3da4]428    head_oset = abac_yy_get_rule_head_oset();
429    tail_oset = abac_yy_get_rule_tail_oset();
430    clauses = abac_yy_get_rule_clauses();
[53e540d]431
432    // get the issuer based on keyid
[7727f26]433    char *principalname = abac_oset_principal_principalname(head_oset);
[202a7f9]434    HASH_FIND_STR(id_certs, principalname, issuer);
[53e540d]435    if (issuer == NULL) {
436        ret = ABAC_CERT_MISSING_ISSUER;
437        goto error;
438    }
439
440    // make sure the issuer's signed it
441    ret = _verify_signature(issuer->cert, cert);
442    if (!ret) {
[b5a3da4]443        abac_yy_set_error_code(ABAC_RT_CERT_BAD_SIG);
[53e540d]444        goto error;
445    }
446
447    // at this point we know we have a good attribute cert
448    abac_credential_t *cred = abac_xmalloc(sizeof(abac_credential_t));
[da5afdf]449    cred->type= e_CREDTYPE_OSET;
450    cred->head = head_oset;
451    cred->tail = tail_oset;
[53e540d]452    cred->cert = cert;
453    cred->issuer = issuer->cert->get_ref(issuer->cert);
[202a7f9]454    cred->clauses = clauses;
[53e540d]455    cred->refcount = 1;
456    *cred_ret = cred;
457
458    // success, add the key to the map of certificates
459    abac_str_cred_t *str_cred;
460    str_cred=abac_xmalloc(sizeof(abac_str_cred_t));
[da5afdf]461    str_cred->strid=strdup(encoded_attr_string);
[53e540d]462    str_cred->cred=cred;
463    HASH_ADD_KEYPTR(hh, str_creds, str_cred->strid, strlen(str_cred->strid), str_cred);
464
[da5afdf]465    return ABAC_CERT_SUCCESS;
466
467error:
468    if (head_oset) abac_oset_free(head_oset);
469    if (tail_oset) abac_oset_free(tail_oset);
[b5a3da4]470    abac_yy_free_rule_clauses();
[da5afdf]471
472    return ret;
473}
474/**
475 * Load an attribute cert.
476 * Returns true only if the certificate is valid and is issued by the proper
477 * authority.
478 */
479static int _load_attribute_cert(certificate_t *cert, abac_credential_t **cred_ret) {
480    ietf_attributes_t *attr_cert = NULL;
481    abac_id_cert_t *issuer;
482    int ret, i;
483
484    // get the attr
485    ac_t *ac = (ac_t *)cert;
486    attr_cert = ac->get_groups(ac);
487    if (attr_cert == NULL) {
488        ret = ABAC_CERT_INVALID;
489        goto error;
490    }
491
492    char *encoded_attr_string=attr_cert->get_string(attr_cert);
493    char *attr_string = abac_decode_string(encoded_attr_string);
494    if(debug)
495         printf("string to be yyparse..(%s)\n",attr_string);
496
497    if (attr_string == NULL) {
498        ret = ABAC_CERT_INVALID;
499        goto error;
500    }
501
502    /* call into yacc parser */
503    abac_reset_yyfptr(attr_string);
[b5a3da4]504    abac_yy_init();
[da5afdf]505    int rc=yyparse();
506    if (rc) {
507        ret = ABAC_CERT_INVALID;
508        goto error;
509    }
510
[b5a3da4]511    if(abac_yy_get_rule_is_oset()) {
[da5afdf]512        ret=_verify_valid_oset_credential(cert,cred_ret,encoded_attr_string);
513        } else {
514            ret=_verify_valid_role_credential(cert,cred_ret,encoded_attr_string);
515    }
516
[53e540d]517    // free up some crap
518    attr_cert->destroy(attr_cert);
519
520    return ABAC_CERT_SUCCESS;
521
522error:
[202a7f9]523    if (cert) cert->destroy(cert);
524    if (attr_cert) attr_cert->destroy(attr_cert);
[0779c99]525    return ret;
[5450aeb]526}
[5f99fbc]527
[e898049]528/**
529 * Load an attribute cert from a file.
530 */
[0779c99]531int abac_verifier_load_attribute_cert_file(char *filename, abac_credential_t **cred) {
[e898049]532    // load the cert
533    certificate_t *cert = lib->creds->create(
534        lib->creds, CRED_CERTIFICATE, CERT_X509_AC,
535        BUILD_FROM_FILE, filename,
536        BUILD_END
537    );
538    if (cert == NULL)
[0779c99]539        return ABAC_CERT_INVALID;
540    return _load_attribute_cert(cert, cred);
[e898049]541}
542
[202a7f9]543/**
544 * Load attribute cert rules from a file. (this should only be used to test)
545 */
546int abac_verifier_load_certs_file(char *filename) {
547    size_t nbytes=0;
548    char *input=NULL;
549    FILE *fp;
550    int ret;
551
552    fp=fopen(filename, "r");
553
554    if(fp == NULL)
555        return ABAC_CERT_INVALID;
556
557    while( (ret=getline(&input, &nbytes, fp)) != -1 ) {
558        ret=_load_attribute_string(input);
559        free(input);
560        if(ret != ABAC_CERT_SUCCESS )
561            fclose(fp);
562            return ret;
563    }
564    fclose(fp);
565    return ABAC_CERT_SUCCESS;
566}
567
568
[e898049]569/**
570 * Load an attribute cert from a chunk.
571 */
[0779c99]572int abac_verifier_load_attribute_cert_chunk(chunk_t chunk, abac_credential_t **cred) {
[e898049]573    // load the cert
574    certificate_t *cert = lib->creds->create(
575        lib->creds, CRED_CERTIFICATE, CERT_X509_AC,
576        BUILD_BLOB_ASN1_DER, chunk,
577        BUILD_END
578    );
579    if (cert == NULL)
[0779c99]580        return ABAC_CERT_INVALID;
581    return _load_attribute_cert(cert, cred);
[e898049]582}
583
[85cdf53]584/**
585 * Return the encoding of the attribute cert.
586 */
[401a054]587abac_chunk_t abac_credential_attribute_cert(abac_credential_t *cred) {
588    chunk_t encoding = cred->cert->get_encoding(cred->cert);
[9efbfbf]589    abac_chunk_t ret = { encoding.ptr, encoding.len };
590    return ret;
[85cdf53]591}
592
593/**
594 * Return the encoding of the issuer cert.
595 */
[401a054]596abac_chunk_t abac_credential_issuer_cert(abac_credential_t *cred) {
597    chunk_t encoding = cred->issuer->get_encoding(cred->issuer);
[9efbfbf]598    abac_chunk_t ret = { encoding.ptr, encoding.len };
599    return ret;
[85cdf53]600}
[186cb75]601
[53e540d]602/**
603 * Return the clause of the cert
604 */
[202a7f9]605abac_list_t *abac_credential_clauses(abac_credential_t *cred) {
606    return cred->clauses;
[53e540d]607}
608
[202a7f9]609
[186cb75]610/**
[fbb591e]611 * Increase the ref count of a credential.
[186cb75]612 */
[401a054]613abac_credential_t *abac_credential_dup(abac_credential_t *cred) {
614    assert(cred != NULL);
[186cb75]615
[fbb591e]616    ++cred->refcount;
617    return cred;
[186cb75]618}
619
[53e540d]620/**
621 *  lookup for a credential.
622 */
[202a7f9]623abac_credential_t *abac_credential_lookup(char* cred_string)
624{
625    if(debug)
626        printf("DEBUG:doing abac_crendential_lookup ... (%s)\n", cred_string);
[53e540d]627    abac_str_cred_t *str_cred;
628    HASH_FIND_STR(str_creds, cred_string, str_cred);
629    if (str_cred == NULL) {
[202a7f9]630        if(debug) printf("DEBUG:NOT FOUND..\n");
[53e540d]631        return NULL;
632    }
[202a7f9]633    if(debug) printf("DEBUG:FOUND..(%d)\n", (int) str_cred->cred);
[53e540d]634    return str_cred->cred;
635}
636
[186cb75]637/**
[fbb591e]638 * Decrease the reference count of a credential, freeing it when it reaches 0.
[186cb75]639 */
[202a7f9]640void abac_credential_free(abac_credential_t *cred)
641{
642    if(debug)
643        printf("DEBUG:freeing cred(%d)clause(%d)\n", (int)cred, (int)cred->clauses);
644
[401a054]645    if (cred == NULL)
[186cb75]646        return;
647
[fbb591e]648    --cred->refcount;
649    if (cred->refcount > 0)
650        return;
651
[da5afdf]652    if(cred->type == e_CREDTYPE_ROLE) {
653        abac_role_free((abac_role_t *)cred->head);
654        abac_role_free((abac_role_t *)cred->tail);
655        } else {
656            abac_oset_free((abac_oset_t *)cred->head);
657            abac_oset_free((abac_oset_t *)cred->tail);
658    }
[401a054]659    cred->cert->destroy(cred->cert);
660    cred->issuer->destroy(cred->issuer); // reference counted
[b5a3da4]661    /* no need to freeyap_clauses here */
[401a054]662    free(cred);
[186cb75]663}
[53e540d]664
[202a7f9]665char *abac_id_clause(abac_id_cert_t *id_cert)
666{
667    if(id_cert)
668        return id_cert->clause;
669    return NULL;
670}
671
[53e540d]672/* retrieve the cn that is associated with this sha_string */
673char *abac_cn_with_sha(char *sha_string) {
674
675    // get the issuer based on keyid
676    abac_id_cert_t *id_cert;
677    HASH_FIND_STR(id_certs, sha_string, id_cert);
678    if (id_cert == NULL) {
679        return NULL;
680    }
[202a7f9]681    if(debug)
682        check_id_cert(id_cert);
[53e540d]683    return id_cert->cn;
684}
685
686/* retrieve the cn that is associated with the principal of this role */
[202a7f9]687char *abac_cn_with_role(abac_role_t *role) {
[53e540d]688
[7727f26]689    char *principal = abac_role_principal_principalname(role);
[53e540d]690    return abac_cn_with_sha(principal);
691}
692
[7727f26]693char *abac_principalname_with_role(abac_role_t *role) {
694
695    return abac_role_principal_principalname(role);
696}
697
698
[da5afdf]699/* retrieve the cn that is associated with the principal of this oset */
700char *abac_cn_with_oset(abac_oset_t *oset) {
[7727f26]701    char *principal = abac_oset_principal_principalname(oset);
[da5afdf]702    return abac_cn_with_sha(principal);
703}
704
[7727f26]705char *abac_principalname_with_oset(abac_oset_t *oset) {
706    return abac_oset_principal_principalname(oset);
707}
708
[923b4dd]709abac_role_t *abac_credential_head(abac_credential_t *cred) {
710    return (abac_role_t *) cred->head; 
711}
712
713abac_role_t *abac_credential_tail(abac_credential_t *cred) {
714    return (abac_role_t *) cred->tail; 
715}
716
717abac_oset_t *abac_credential_head_oset(abac_credential_t *cred) {
718    return (abac_oset_t *) cred->head; 
719}
720
721abac_oset_t *abac_credential_tail_oset(abac_credential_t *cred) {
722    return (abac_oset_t *) cred->tail; 
723}
724int abac_credential_holds_roles(abac_credential_t *cred) { 
725    return (cred->type == e_CREDTYPE_ROLE);
726}
727
Note: See TracBrowser for help on using the repository browser.