Context Navigation

source: libabac/abac_verifier.c @ a334115

mei_rt2mei_rt2_fix_1

Last change on this file since a334115 was 97a6a36, checked in by Mei <mei@…>, 12 years ago
1) added java to libabac using swig 2) added java examples (setup/prover) into regression test suites (note. still have that libstrongswan/src/threading/threads.c/thread_deinit() problem when using using libabac with java)
Property mode set to `100644`
File size: 34.9 KB

Rev	Line
[8bd77b5]	1	/**
	2	** abac_verifier.c
	3	**/
[53e540d]	4
	5	// include the GNU extension of asprintf
	6	#define _GNU_SOURCE
	7
[5110d42]	8	#include <stdio.h>
	9	#include <regex.h>
	10	#include <sys/mman.h>
	11	#include <fcntl.h>
[d037f54]	12	#include <sys/types.h>
	13	#include <sys/stat.h>
	14	#include <unistd.h>
	15
[5110d42]	16
[186cb75]	17	#include <assert.h>
[202a7f9]	18	#include <stdio.h>
[186cb75]	19
[5450aeb]	20	#include <library.h>
	21
[8bd77b5]	22	#include "abac_internal.h"
[43e3b71]	23	#include "abac_verifier.h"
[5450aeb]	24
[3c251d0]	25	#include "abac_util.h"
[202a7f9]	26	#include "abac_rt.h"
[5450aeb]	27
[8bd77b5]	28	static int debug=0;
[ba6027a]	29
[5d06689]	30	/* from abac_attribute.c */
	31	extern char get_cred_encoding(abac_attribute_t ptr);
[8bd77b5]	32
	33	extern abac_aspect_t *abac_yy_get_rule_head_aspect();
	34	extern abac_aspect_t *abac_yy_get_rule_tail_aspect();
[b5a3da4]	35	extern abac_list_t *abac_yy_get_rule_clauses();
[da5afdf]	36	extern char* abac_decode_string(char *);
[b5a3da4]	37	extern void abac_yy_free_rule_clauses();
[0d0c3a9]	38	extern char generate_pl_type_clause(char , int);
[5d06689]	39	extern abac_list_t generate_pl_clauses(abac_aspect_t , abac_aspect_t *);
[9b43fc3]	40	extern void generate_pl_set_abac_yyfptr_encoded(char *string);
[0d0c3a9]	41
[8bd77b5]	42	extern void abac_print_aspect_string_with_condition(abac_aspect_t role, FILE);
[202a7f9]	43
[ba6027a]	44	extern int abac_id_load_privkey_chunk(abac_id_t *ptr, chunk_t keychunk);
	45
[8bd77b5]	46	struct _abac_id_credential_t {
	47	char *hashkeyid;
	48	abac_id_t *id;
	49	char *pl_clause;
[5450aeb]	50
	51	UT_hash_handle hh;
[202a7f9]	52	};
[8bd77b5]	53	/* hash table base on sha with a p */
	54	abac_id_credential_t *id_creds = NULL;
[5110d42]	55	/* linked list of all the ids's hashkeyid */
	56	abac_list_t *id_hashkeyid_list = NULL;
[5450aeb]	57
[da5afdf]	58	/* can store either role or oset */
[401a054]	59	struct _abac_credential_t {
[8bd77b5]	60	char *hashkeyid;
	61	abac_attribute_t *attr;
	62	abac_list_t *pl_clauses;
[53e540d]	63
	64	UT_hash_handle hh;
[8bd77b5]	65	};
	66	/* hash table base on encoded attr rule */
	67	abac_credential_t *attr_creds = NULL;
	68	/* linked list of all the attr's hashkeyid */
	69	abac_list_t *attr_hashkeyid_list = NULL;
[202a7f9]	70
[8bd77b5]	71	/*****************************************************************************/
[da5afdf]	72	void abac_print_cred_info(abac_credential_t cred, FILE fp)
[202a7f9]	73	{
[da5afdf]	74	if(fp == NULL)
	75	fp=stdout;
	76
[8bd77b5]	77	abac_attribute_t *ptr=cred->attr;
	78	abac_aspect_t *head=abac_attribute_head(ptr);
	79	abac_aspect_t *tail=abac_attribute_tail(ptr);
	80
[202a7f9]	81	if(debug) {
[da5afdf]	82	fprintf(fp,"---> printing out credential info cred(%d)..\n", (int) cred);
[8bd77b5]	83	if(head) {
	84	abac_print_aspect_string_with_condition(head,fp);
[202a7f9]	85	}
[8bd77b5]	86	if(tail) {
	87	abac_print_aspect_string_with_condition(tail,fp);
[202a7f9]	88	}
	89
[8bd77b5]	90	abac_list_t *clauses=cred->pl_clauses;
[202a7f9]	91	if (clauses != NULL) {
	92	char *cur=NULL;
	93	abac_list_foreach(clauses, cur,
[da5afdf]	94	fprintf(fp,"\n a clause(%d):\n",(int)cur);
[202a7f9]	95	if(cur)
[da5afdf]	96	fprintf(fp,"strlen(%d)loc(%d)(%s)\n", strlen(cur),(int)cur, cur);
[202a7f9]	97	);
	98	}
	99	} else {
[da5afdf]	100	fprintf(fp," ");
[8bd77b5]	101	abac_print_aspect_string_with_condition(head,fp);
[da5afdf]	102	fprintf(fp," <- ");
[8bd77b5]	103	abac_print_aspect_string_with_condition(tail,fp);
[da5afdf]	104	fprintf(fp,"\n");
[202a7f9]	105	}
	106	}
	107
[5110d42]	108	void abac_print_prin_info(abac_id_credential_t prin, FILE fp)
	109	{
	110	if(fp == NULL)
	111	return;
	112
	113	abac_id_t *ptr=abac_id_credential_id(prin);
	114
	115	if(debug) fprintf(fp,"---> printing out principal info ..\n");
	116	if(abac_id_has_privkey(ptr))
	117	fprintf(fp," (%s,%s,y)\n",abac_id_name(ptr),abac_id_idtype_string(ptr));
	118	else
	119	fprintf(fp," (%s,%s,n)\n",abac_id_name(ptr),abac_id_idtype_string(ptr));
	120	}
	121
[202a7f9]	122	//
[8bd77b5]	123	int abac_verify_idtype_type(char *type) {
[202a7f9]	124	int i;
	125
	126	if (type == NULL)
	127	return 0;
	128
[8bd77b5]	129	for (i = 1; i <= _idtypename_cnt ; i++)
	130	if(strcmp(type,_idtypename[i])==0)
[202a7f9]	131	return i;
	132	return 0;
	133	}
	134
[8bd77b5]	135	char *abac_idtype_string(int i)
[202a7f9]	136	{
[440ba20]	137	if(i > _idtypename_cnt) {
	138	printf("bad idtypename idx %d\n", i);
[8bd77b5]	139	panic("abac_idtype_string: went out of range on idtypename");
[440ba20]	140	}
	141	return (char*) _idtypename[i];
[202a7f9]	142	}
	143
[5450aeb]	144	// convert a chunk to a lowercase binary string
	145	// malloc's the string
	146	static char *_chunk_to_string(chunk_t chunk) {
	147	int i;
	148
[3c251d0]	149	char ret = abac_xmalloc(chunk.len 2 + 1);
[5450aeb]	150
	151	for (i = 0; i < chunk.len; ++i)
	152	sprintf(ret + 2 * i, "%02x", chunk.ptr[i]);
	153
	154	return ret;
	155	}
	156
	157	// verify that cert was issued by issuer
	158	// cert and issuer can be the same, in which case the self-sig is validated
[dfe6b61]	159	int verify_signature(certificate_t issuer_cert, certificate_t cert) {
[8bd77b5]	160	if (cert->issued_by(cert, issuer_cert))
[5450aeb]	161	if (cert->get_validity(cert, NULL, NULL, NULL))
	162	return 1;
	163	return 0;
	164	}
	165
[cfa7b6e]	166	// verify that cert is still valid
	167	static int _verify_validity(certificate_t *cert) {
	168	if (cert->get_validity(cert, NULL, NULL, NULL))
	169	return 1;
	170	return 0;
	171	}
	172
[5450aeb]	173	/**
	174	* Init the verifier subsystem.
	175	*/
[43e3b71]	176	void abac_verifier_init(void) {
[1324a63]	177	// silence all debugging
	178
[5450aeb]	179	if (!library_init(NULL))
	180	exit(SS_RC_LIBSTRONGSWAN_INTEGRITY);
	181
	182	if (!lib->plugins->load(lib->plugins, NULL,
	183	lib->settings->get_str(lib->settings, "pki.load", PLUGINS)))
	184	exit(SS_RC_INITIALIZATION_FAILED);
[8bd77b5]	185
	186	attr_hashkeyid_list = abac_list_new();
[5110d42]	187	id_hashkeyid_list = abac_list_new();
[5450aeb]	188	}
	189
[186cb75]	190	/**
	191	* Uninitialize the system, free up any allocated memory.
	192	*/
[43e3b71]	193	void abac_verifier_deinit(void) {
[2485307]	194	if(debug)fprintf(stderr, "abac_verifier_deinit... being called..\n");
[137b55f]	195
[8bd77b5]	196	abac_id_credential_t *ptr;
	197	while ((ptr = id_creds) != NULL) {
[2485307]	198	if(debug) fprintf(stderr, "abac_verifier_deinit: deleting id (%s)\n",abac_id_name(ptr->id));
[8bd77b5]	199	HASH_DEL(id_creds, ptr);
	200
[137b55f]	201	free(ptr->hashkeyid);
[8bd77b5]	202	free(ptr->pl_clause);
[137b55f]	203	abac_id_free(ptr->id);
[8bd77b5]	204	free(ptr);
[186cb75]	205	}
[55c272b]	206
[8bd77b5]	207	abac_credential_t *ptr2;
	208	while ((ptr2 = attr_creds) != NULL) {
	209	HASH_DEL(attr_creds, ptr2);
	210	if(debug) {
[2485307]	211	fprintf(stderr, "abac_verifier_deinit: deleting attr hashkey(%s)\n",ptr2->hashkeyid);
[8bd77b5]	212	}
	213	free(ptr2->hashkeyid);
	214	abac_attribute_free(ptr2->attr);
	215	char *cur=NULL;
	216	abac_list_foreach(ptr2->pl_clauses, cur,
	217	free(cur);
	218	);
	219	free(ptr2->pl_clauses);
	220	free(ptr2);
[53e540d]	221	}
	222
[8bd77b5]	223	if(attr_hashkeyid_list) {
[97a6a36]	224	if(debug) fprintf(stderr, "looking to free attr_hashkeyid_list..\n");
[8bd77b5]	225	char *cur;
[97a6a36]	226	abac_list_foreach(attr_hashkeyid_list, cur,
	227	if(cur) free(cur);
	228	);
[8bd77b5]	229	abac_list_free(attr_hashkeyid_list);
	230	}
[137b55f]	231
[5110d42]	232	if(id_hashkeyid_list) {
[97a6a36]	233	if(debug) fprintf(stderr, "looking to free id_hashkeyid_list..\n");
[5110d42]	234	char *cur;
[97a6a36]	235	abac_list_foreach(id_hashkeyid_list, cur,
	236	if(cur) {
	237	if(debug) fprintf(stderr, "hum.. id hashkey being freed.. %s\n", cur);
	238	free(cur);
	239	}
	240	);
[5110d42]	241	abac_list_free(id_hashkeyid_list);
	242	}
	243
[97a6a36]	244	if(debug) fprintf(stderr, "now it is time to deinit strongswan lib..\n");
[55c272b]	245	library_deinit();
[186cb75]	246	}
	247
[8bd77b5]	248	abac_id_credential_t abac_verifier_add_id_credential(abac_id_t a_id)
	249	{
	250	abac_id_credential_t *id_cred;
	251	char *cn=abac_id_cn(a_id);
[d037f54]	252	char *keyid=abac_id_keyid(a_id);
[8bd77b5]	253
[440ba20]	254	if(debug) {
[2485307]	255	fprintf(stderr, "abac_verifier_add_id_credential, cn(%s),keyid(%s)\n",
[440ba20]	256	cn, keyid);
	257	}
	258
[8bd77b5]	259	// add the abac_id to the map of id credentials
	260	id_cred = abac_xmalloc(sizeof(abac_id_credential_t));
	261	id_cred->hashkeyid = abac_xstrdup(keyid);
	262	id_cred->id=abac_id_dup(a_id);
	263
	264	/* special handling here */
	265	if(USE("ABAC_CN")) {
	266	id_cred->pl_clause = generate_pl_type_clause(cn, abac_id_idtype(a_id));
	267	} else {
[d037f54]	268	id_cred->pl_clause=generate_pl_type_clause(prologIt(keyid), abac_id_idtype(a_id));
[8bd77b5]	269	}
	270	HASH_ADD_KEYPTR(hh, id_creds, id_cred->hashkeyid, strlen(id_cred->hashkeyid), id_cred);
	271	if(debug)
[2485307]	272	fprintf(stderr, "-->adding into id_creds, (%s)..cnt(%d)(%d)\n",
[ba6027a]	273	id_cred->hashkeyid, HASH_COUNT(id_creds),(int)id_cred);
[8bd77b5]	274
[5110d42]	275	assert(id_hashkeyid_list);
	276	abac_list_add(id_hashkeyid_list, abac_xstrdup(id_cred->hashkeyid));
	277	return id_cred;
[8bd77b5]	278	}
	279
[6244e28]	280	/* have to find the last cn
	281	CN=test/emailAddress=abac.isi.edu, CN=12345678
	282	CN=client
	283	..CN=255a03f3-ed30/emailAddress=..
	284	*/
	285	static char* _extract_cn(char *string)
	286	{
[cfa7b6e]	287	/* find the first CN= */
[6244e28]	288	char *ptr=strstr(string,"CN=");
	289	if(ptr == NULL) return NULL;
	290
	291	/* look for last CN= */
	292	while(1) {
	293	char *tptr=ptr+3;
	294	char *p=strstr(tptr,"CN=");
	295	if(p) ptr=p;
	296	else break;
	297	}
	298
	299	/* remove the possible additional stuff */
	300	char cn=abac_xstrdup(ptr); / it would get write over */
	301	char *nptr=strtok(cn,"/");
	302	char pcn=abac_xmalloc(sizeof(char) strlen(nptr));
	303	pcn[0]='p';
[cfa7b6e]	304	/* special case.. replace empty space with _ */
	305	int i=strlen(nptr);
	306	while(i--)
	307	if(nptr[i]==' ') nptr[i]='_';
[6244e28]	308	sscanf(nptr,"CN=%s", &pcn[1]);
	309	free(cn);
	310	return pcn;
	311	}
	312
[5450aeb]	313	/**
[440ba20]	314	* Load an ID
[5450aeb]	315	*/
[8bd77b5]	316	static int _load_id(abac_id_t *a_id,certificate_t cert, abac_id_credential_t **id_cred_ret) {
	317	abac_id_credential_t *id_cred = NULL;
[d037f54]	318	char *keyid = NULL;
[5450aeb]	319	chunk_t id;
	320	int ret;
[2ef48fa]	321	x509_t x509 = (x509_t )cert;
[5450aeb]	322
[e898049]	323	assert(cert != NULL);
[5450aeb]	324
[7727f26]	325	// get the key ID, add p to keyid SHA here */
[2ef48fa]	326	id = x509->get_subjectKeyIdentifier(x509);
[d037f54]	327	keyid = _chunk_to_string(id);
[327e808]	328
[0d0c3a9]	329	/* Mike said this is the way it is */
[6244e28]	330	char *str=NULL;
[53e540d]	331	int rv = asprintf(&str, "%Y", cert->get_issuer(cert));
	332
[cfa7b6e]	333	/* add p to cn name here, if there is no useable one
	334	reuse keyid */
[6244e28]	335	char *cn=_extract_cn(str);
	336	if(cn == NULL) {
[cfa7b6e]	337	if(debug)
	338	fprintf(stderr, "DEBUG:did not find usable cn, reuse keyid\n");
	339	cn=abac_xstrdup(keyid);
[53e540d]	340	}
	341
[202a7f9]	342	if(debug) {
[2485307]	343	fprintf(stderr, "DEBUG:keyid %s \n", keyid);
	344	fprintf(stderr, "DEBUG:issuer '%s' \n", str);
	345	fprintf(stderr, "DEBUG:cn %s \n", cn);
[202a7f9]	346	}
[53e540d]	347	free(str);
	348
[327e808]	349	// if we already have this cert 'error' with success
[8bd77b5]	350	HASH_FIND_STR(id_creds, keyid, id_cred);
	351	if (id_cred != NULL) {
[2485307]	352	if(debug) fprintf(stderr, "existing cert \n");
[440ba20]	353	ret = ABAC_CERT_EXISTS;
[327e808]	354	goto error;
	355	}
	356
[cfa7b6e]	357	// validate validity
	358	ret = _verify_validity(cert);
	359	if (!ret) {
	360	ret = ABAC_CERT_INVALID;
	361	goto error;
	362	}
	363
[5450aeb]	364	// validate sig
[dfe6b61]	365	ret = verify_signature(cert, cert);
[0779c99]	366	if (!ret) {
[cfa7b6e]	367	/* well.. this is not a self signed cert, don't fault it anymore */
	368	if(debug) fprintf(stderr, "This is not a self-signed cert \n");
	369	} else {
	370	if(debug) fprintf(stderr, "This is a self-signed cert \n");
[0779c99]	371	}
[5450aeb]	372
[8bd77b5]	373	// success, add a new abac_id
[440ba20]	374	if(*a_id==NULL) {
	375	*a_id=abac_id_keyid_new(keyid,cn,cert);
	376	}
[5450aeb]	377
[8bd77b5]	378	abac_id_credential_t n_id_cred=abac_verifier_add_id_credential(a_id);
	379	*id_cred_ret=n_id_cred;
[202a7f9]	380
[6244e28]	381	if (keyid != NULL) free(keyid);
	382	if (cn != NULL) free(cn);
	383
[0779c99]	384	return ABAC_CERT_SUCCESS;
[5450aeb]	385
	386	error:
[327e808]	387	if (keyid != NULL) free(keyid);
[53e540d]	388	if (cn != NULL) free(cn);
[5450aeb]	389
[0779c99]	390	return ret;
[5450aeb]	391	}
	392
[8bd77b5]	393	/* collect all the creds stored so far */
	394	abac_stack_t *abac_verifier_dump_creds()
[202a7f9]	395	{
[8bd77b5]	396	abac_stack_t *cred_list = abac_stack_new();
	397
	398	int cnt=0;
	399	if(attr_hashkeyid_list) {
	400	char *keyid;
	401	abac_credential_t *cred;
	402	abac_list_foreach(attr_hashkeyid_list, keyid,
	403	cred=abac_credential_lookup(keyid);
	404	abac_stack_push(cred_list, cred);
	405	cnt++;
	406	);
	407	}
[2485307]	408	if(debug) fprintf(stderr, "abac_verifier_dump_cred: %d\n",cnt);
[8bd77b5]	409	return cred_list;
	410	}
	411
[5110d42]	412	/* collect all the id stored so far */
	413	abac_stack_t *abac_verifier_dump_principals()
	414	{
	415	abac_stack_t *id_list = abac_stack_new();
	416
	417	int cnt=0;
	418	if(id_hashkeyid_list) {
	419	char *keyid;
	420	abac_id_credential_t *id;
	421	abac_list_foreach(id_hashkeyid_list, keyid,
	422	id=abac_id_credential_lookup(keyid);
	423	abac_stack_push(id_list, id);
	424	cnt++;
	425	);
	426	}
[2485307]	427	if(debug) fprintf(stderr, "abac_verifier_dump_principals: %d\n",cnt);
[5110d42]	428	return id_list;
	429	}
	430
[8bd77b5]	431
	432	static void check_id_cred(abac_id_credential_t *id_cred)
	433	{
	434	if(id_cred) {
	435	printf("checking on this id_cred location %d\n", (int)id_cred);
	436	printf(" --> sha is (%s)\n", abac_id_keyid(id_cred->id));
	437	printf(" --> cn is (%s)\n", abac_id_cn(id_cred->id));
[202a7f9]	438	}
	439	}
	440
	441	/**
	442	* Load an attribute cert as string.
	443	* have minimum syntax & validity check
	444	*/
	445	static int _load_attribute_string(char* attr_string) {
	446	printf("NOT implemented yet!!!");
	447	return ABAC_CERT_INVALID;
	448	}
	449
[e898049]	450	/**
	451	* Load an ID cert from a file.
	452	*/
[ba6027a]	453	int abac_verifier_load_id_file_key_file(char filename, char keyfilename,
	454	abac_id_credential_t **id_cred_ret)
	455	{
[8bd77b5]	456	abac_id_t *id=NULL;
[61278ec]	457	if (lib == NULL)
	458	errx(1, "looks like you didn't call libabac_init() (lib is NULL)");
	459
[2485307]	460	if(debug) fprintf(stderr, "loading id file... %s\n", filename);
[d037f54]	461
[137b55f]	462	// load the cert, with public key
[e898049]	463	certificate_t *cert = lib->creds->create(
	464	lib->creds, CRED_CERTIFICATE, CERT_X509,
	465	BUILD_FROM_FILE, filename,
	466	BUILD_X509_FLAG, X509_AA, // attribute authority, dumb
	467	BUILD_END
	468	);
[d037f54]	469
[e898049]	470	if (cert == NULL)
[0779c99]	471	return ABAC_CERT_INVALID;
[d037f54]	472
	473	int rc=_load_id(&id,cert,id_cred_ret);
[440ba20]	474	if(rc==ABAC_CERT_EXISTS) {
[2485307]	475	if(debug) fprintf(stderr, "abac_verifier_load_id_files: id already exists\n");
[440ba20]	476	return ABAC_CERT_SUCCESS;
	477	}
	478
[d037f54]	479	/* try to load the private key if it is there */
[2efdff5]	480	if((rc==ABAC_CERT_SUCCESS) && keyfilename!=NULL && file_exist(keyfilename)) {
[2485307]	481	if(debug) fprintf(stderr, "loading... %s\n", keyfilename);
[5110d42]	482	int keyrc=abac_id_load_privkey_file(id, keyfilename);
[d037f54]	483	if(debug) {
[2485307]	484	if(keyrc == 1) fprintf(stderr, "..load_id_file: load(%s) with a private key\n",filename);
[d037f54]	485	else printf("..load_id_file: load(%s) without a private key\n",filename);
	486	}
	487	}
[2efdff5]	488	return ABAC_CERT_SUCCESS;
[8bd77b5]	489	}
	490
[ba6027a]	491	int abac_verifier_load_enc_id_file_key_file(char filename, char keyfilename,
	492	char pfile, abac_id_credential_t *id_cred_ret)
	493	{
	494	abac_id_t *id=NULL;
	495	if (lib == NULL)
	496	errx(1, "looks like you didn't call libabac_init() (lib is NULL)");
	497
[2485307]	498	if(debug) fprintf(stderr, "loading id file... %s\n", filename);
[ba6027a]	499
	500	// load the cert, with public key
	501	certificate_t *cert = lib->creds->create(
	502	lib->creds, CRED_CERTIFICATE, CERT_X509,
	503	BUILD_FROM_FILE, filename,
	504	BUILD_X509_FLAG, X509_AA, // attribute authority, dumb
	505	BUILD_END
	506	);
	507
	508	if (cert == NULL)
	509	return ABAC_CERT_INVALID;
	510
	511	int rc=_load_id(&id,cert,id_cred_ret);
	512	if(rc==ABAC_CERT_EXISTS) {
[2485307]	513	if(debug) fprintf(stderr, "abac_verifier_load_id_files: id already exists\n");
[ba6027a]	514	return ABAC_CERT_SUCCESS;
	515	}
	516
	517	/* try to load the private key if it is there */
	518	if((rc==ABAC_CERT_SUCCESS) && keyfilename!=NULL && file_exist(keyfilename)) {
[2485307]	519	if(debug) fprintf(stderr, "loading... %s\n", keyfilename);
[ba6027a]	520	int keyrc=abac_id_load_enc_privkey_file(id, keyfilename, pfile);
	521	if(debug) {
[2485307]	522	if(keyrc == 1) fprintf(stderr, "..load_id_file: load(%s) with a private key\n",filename);
[ba6027a]	523	else printf("..load_id_file: load(%s) without a private key\n",filename);
	524	}
	525	}
	526	return ABAC_CERT_SUCCESS;
	527	}
	528
[8bd77b5]	529	/**
	530	* Load an ID cert from a abac_id_t
	531	*/
	532	int abac_verifier_load_id_id(abac_id_t id, abac_id_credential_t *id_cred_ret) {
	533	certificate_t *cert = abac_id_cert(id);
	534	return _load_id(&id,cert,id_cred_ret);
[e898049]	535	}
	536
[5110d42]	537	/**
	538	* Load an ID cert from a chunk.
	539	*/
	540	int abac_verifier_load_id_pem_chunk(chunk_t chunk, abac_id_credential_t **id_cred_ret) {
	541	abac_id_t *id=NULL;
	542	// load the cert
	543	certificate_t *cert = lib->creds->create(
	544	lib->creds, CRED_CERTIFICATE, CERT_X509,
	545	BUILD_BLOB_PEM, chunk,
	546	BUILD_X509_FLAG, X509_AA, // attribute authority, dumb
	547	BUILD_END
	548	);
	549	if (cert == NULL)
	550	return ABAC_CERT_INVALID;
	551	return _load_id(&id, cert,id_cred_ret);
	552	}
[e898049]	553	/**
[9b43fc3]	554	* Load an ID cert from a chunk, Note, this only loads the id cert part
	555	* and so it is not suitable for creating an attribute credential with.
	556	* Only a complete id cert + privkey could create attribute credential.
[e898049]	557	*/
[8bd77b5]	558	int abac_verifier_load_id_chunk(chunk_t chunk, abac_id_credential_t **id_cred_ret) {
	559	abac_id_t *id=NULL;
[e898049]	560	// load the cert
	561	certificate_t *cert = lib->creds->create(
	562	lib->creds, CRED_CERTIFICATE, CERT_X509,
	563	BUILD_BLOB_ASN1_DER, chunk,
	564	BUILD_X509_FLAG, X509_AA, // attribute authority, dumb
	565	BUILD_END
	566	);
	567	if (cert == NULL)
[0779c99]	568	return ABAC_CERT_INVALID;
[8bd77b5]	569	return _load_id(&id, cert,id_cred_ret);
[e898049]	570	}
	571
[9b43fc3]	572	/**
	573	* Load an ID cert from a cert chunk and a privkey chunk,
	574	* this complete id cert + privkey could create attribute credential.
	575	*/
	576	int abac_verifier_load_id_privkey_chunk(chunk_t chunk, chunk_t privkey_chunk,
	577	abac_id_credential_t **id_cred_ret) {
	578
	579	abac_id_t *id=NULL;
	580	// load the cert
	581	certificate_t *cert = lib->creds->create(
	582	lib->creds, CRED_CERTIFICATE, CERT_X509,
	583	BUILD_BLOB_ASN1_DER, chunk,
	584	BUILD_X509_FLAG, X509_AA, // attribute authority, dumb
	585	BUILD_END
	586	);
	587	if (cert == NULL)
	588	return ABAC_CERT_INVALID;
	589
	590	int rc=_load_id(&id, cert,id_cred_ret);
	591	if(rc == ABAC_CERT_SUCCESS) {
	592	rc=abac_id_load_privkey_chunk(id, privkey_chunk);
	593	}
	594
	595	return rc;
	596	}
	597
[ba6027a]	598	int abac_verifier_load_id_enc_privkey_chunk(chunk_t chunk, chunk_t privkey_chunk,
	599	char* pfile, abac_id_credential_t **id_cred_ret) {
	600
	601	abac_id_t *id=NULL;
	602	// load the cert
	603	certificate_t *cert = lib->creds->create(
	604	lib->creds, CRED_CERTIFICATE, CERT_X509,
	605	BUILD_BLOB_ASN1_DER, chunk,
	606	BUILD_X509_FLAG, X509_AA, // attribute authority, dumb
	607	BUILD_END
	608	);
	609	if (cert == NULL)
	610	return ABAC_CERT_INVALID;
	611
	612	int rc=_load_id(&id, cert,id_cred_ret);
	613	if(rc == ABAC_CERT_SUCCESS) {
	614	rc=abac_id_load_enc_privkey_chunk(id, privkey_chunk, pfile);
	615	}
	616
	617	return rc;
	618	}
	619
	620
[9b43fc3]	621
[2efdff5]	622	abac_id_t abac_verifier_load_issuer(char filename, char *keyfilename)
	623	{
	624	abac_id_credential_t *id_cred=NULL;
	625	int ret=abac_verifier_load_id_file_key_file(filename,keyfilename,&id_cred);
	626	if(ret !=ABAC_CERT_SUCCESS)
	627	return NULL;
	628	abac_id_t *issuer=abac_id_credential_id(id_cred);
	629	return issuer;
	630	}
	631
[53e540d]	632
[5110d42]	633	static int matchex(const char subject, const char pattern, int so, int eo)
	634	{
	635	int rc; // Returned code
	636	regmatch_t pmatch;
	637
	638	regex_t re; // Compiled regexp pattern
	639
	640	if (regcomp(&re, pattern, 0) != 0) return 0;
	641
	642	rc = regexec(&re, subject, 1 , &pmatch, 0);
	643	regfree(&re);
	644
	645	if (rc == REG_NOMATCH ) return 0;
	646
	647	*so=pmatch.rm_so;
	648	*eo=pmatch.rm_eo;
	649
	650	return 1;
	651	}
	652
	653
	654
	655	static chunk_t _extract_chunk(char data, char startline, char* endline)
	656	{
	657	int found=0;
	658	int startos=0;
	659	int endos=0;
	660	regex_t re;
	661	regmatch_t pm;
	662	int rc;
	663
	664	int st;
	665	int et;
	666
	667	rc=matchex(data, startline, &st, &et);
	668	if(rc==0) return chunk_empty;
	669	startos=st;
	670
	671	rc=matchex(data, endline, &st, &et);
	672	if(rc==0) return chunk_empty;
	673	endos=et;
	674
	675	int len=endos - startos;
	676
[2485307]	677	if(debug) fprintf(stderr, "making a chunk of size (%d) from %d and %d\n",len, startos,endos);
[5110d42]	678	char *ptr=strndup(data+startos,len);
	679
	680	chunk_t ret = { ptr, len };
	681	return ret;
	682	}
	683
	684
	685	int abac_verifier_load_idkey_file(char filename, abac_id_credential_t *id_cred_ret)
	686	{
	687	struct stat sb;
	688	int fd;
	689	int rc;
	690
	691	fd = open(filename, O_RDONLY);
	692	if (fd == -1) { return 1; }
	693	if(stat(filename, &sb) == -1) {
	694	close(fd);
	695	return 1;
	696	}
	697	char* data = (char *)mmap(NULL, sb.st_size, PROT_READ, MAP_PRIVATE, fd, 0);
	698	if(data == MAP_FAILED) {
	699	close(fd);
	700	return 1;
	701	}
	702	close(fd);
	703
	704	chunk_t key_pem_chunk=_extract_chunk(data,
	705	"-----BEGIN RSA PRIVATE KEY-----","-----END RSA PRIVATE KEY-----");
	706	chunk_t cert_pem_chunk=_extract_chunk(data,
	707	"-----BEGIN CERTIFICATE-----","-----END CERTIFICATE-----");
	708
	709	/* key=0, cert=0 */
	710	if(key_pem_chunk.len==0 && cert_pem_chunk.len==0) {
[2485307]	711	if(debug) fprintf(stderr, "abac_verifier_load_idkey_file: no key or id in idkey_file\n");
[5110d42]	712	goto error;
	713	}
	714
	715	/* key=0, cert=1 */
	716	if(key_pem_chunk.len==0) {
[2485307]	717	if(debug) fprintf(stderr, "abac_verifier_load_idkey_file: no key in idkey_file\n");
[5110d42]	718	munmap(data, sb.st_size);
	719	chunk_free(&key_pem_chunk);
	720	return abac_verifier_load_id_file_key_file(filename,NULL,id_cred_ret);
	721	}
	722
	723	/* key=1, cert=1 */
	724	if(cert_pem_chunk.len!=0) {
	725	if(debug) {
[2485307]	726	fprintf(stderr, "loading cert pem chunk %d\n", cert_pem_chunk.len);
[5110d42]	727	printf("(%s)\n",cert_pem_chunk.ptr);
	728	}
	729	rc=abac_verifier_load_id_pem_chunk(cert_pem_chunk, id_cred_ret);
	730	if(rc != 0) {
[2485307]	731	if(debug) fprintf(stderr, "abac_verifier_load_idkey_file: fail to load the id\n");
[5110d42]	732	goto error;
	733	}
	734	/* key=1, cert=0 */
	735	} else {
[2485307]	736	if(debug) fprintf(stderr, "abac_verifier_load_idkey_file: there is no id info in there\n");
[5110d42]	737	goto error;
	738	}
	739
	740	/* handle the key_pem_chunk */
	741	if(debug) {
[2485307]	742	fprintf(stderr, "loading key pem chunk %d\n", key_pem_chunk.len);
[5110d42]	743	printf("(%s)\n",key_pem_chunk.ptr);
	744	}
	745	abac_id_t id=abac_id_credential_id(id_cred_ret);
	746	rc=abac_id_load_privkey_chunk(id, key_pem_chunk);
	747	if(rc==0) {
	748	printf("abac_verifier_load_idkey_file:failed to load priv key!!!\n");
	749	goto error;
	750	}
	751
	752	munmap(data, sb.st_size);
	753	return 0;
	754
	755	error:
	756	munmap(data, sb.st_size);
	757	return 1;
	758	}
	759
	760
[ba6027a]	761	int abac_verifier_load_enc_idkey_file(char filename, char pfile,
	762	abac_id_credential_t **id_cred_ret)
	763	{
	764	struct stat sb;
	765	int fd;
	766	int rc;
	767
	768	fd = open(filename, O_RDONLY);
	769	if (fd == -1) { return 1; }
	770	if(stat(filename, &sb) == -1) {
	771	close(fd);
	772	return 1;
	773	}
	774	char* data = (char *)mmap(NULL, sb.st_size, PROT_READ, MAP_PRIVATE, fd, 0);
	775	if(data == MAP_FAILED) {
	776	close(fd);
	777	return 1;
	778	}
	779	close(fd);
	780
	781	chunk_t key_pem_chunk=_extract_chunk(data,
	782	"-----BEGIN RSA PRIVATE KEY-----","-----END RSA PRIVATE KEY-----");
	783	chunk_t cert_pem_chunk=_extract_chunk(data,
	784	"-----BEGIN CERTIFICATE-----","-----END CERTIFICATE-----");
	785
	786	/* key=0, cert=0 */
	787	if(key_pem_chunk.len==0 && cert_pem_chunk.len==0) {
[2485307]	788	if(debug) fprintf(stderr, "abac_verifier_load_idkey_file: no key or id in idkey_file\n");
[ba6027a]	789	goto error;
	790	}
	791
	792	/* key=0, cert=1 */
	793	if(key_pem_chunk.len==0) {
[2485307]	794	if(debug) fprintf(stderr, "abac_verifier_load_idkey_file: no key in idkey_file\n");
[ba6027a]	795	munmap(data, sb.st_size);
	796	chunk_free(&key_pem_chunk);
	797	return abac_verifier_load_id_file_key_file(filename,NULL,id_cred_ret);
	798	}
	799
	800	/* key=1, cert=1 */
	801	if(cert_pem_chunk.len!=0) {
	802	if(debug) {
[2485307]	803	fprintf(stderr, "loading cert pem chunk %d\n", cert_pem_chunk.len);
[ba6027a]	804	printf("(%s)\n",cert_pem_chunk.ptr);
	805	}
	806	rc=abac_verifier_load_id_pem_chunk(cert_pem_chunk, id_cred_ret);
	807	if(rc != 0) {
[2485307]	808	if(debug) fprintf(stderr, "abac_verifier_load_idkey_file: fail to load the id\n");
[ba6027a]	809	goto error;
	810	}
	811	/* key=1, cert=0 */
	812	} else {
[2485307]	813	if(debug) fprintf(stderr, "abac_verifier_load_idkey_file: there is no id info in there\n");
[ba6027a]	814	goto error;
	815	}
	816
	817	/* handle the key_pem_chunk */
	818	if(debug) {
[2485307]	819	fprintf(stderr, "loading key pem chunk %d\n", key_pem_chunk.len);
[ba6027a]	820	printf("(%s)\n",key_pem_chunk.ptr);
	821	printf("(%d)\n",strlen(key_pem_chunk.ptr));
	822	}
	823	abac_id_t id=abac_id_credential_id(id_cred_ret);
	824	rc=abac_id_load_enc_privkey_chunk(id, key_pem_chunk, pfile);
	825	if(rc==0) {
	826	printf("abac_verifier_load_idkey_file:failed to load priv key!!!\n");
	827	goto error;
	828	}
	829
	830	munmap(data, sb.st_size);
	831	return 0;
	832
	833	error:
	834	munmap(data, sb.st_size);
	835	return 1;
	836	}
[5110d42]	837
[da5afdf]	838	void abac_print_clauses(abac_list_t clauses, FILE fp)
[202a7f9]	839	{
	840	if (clauses != NULL) {
	841	char *cur;
[7b548fa]	842	printf("total-- %d clauses\n", abac_list_size(clauses));
[202a7f9]	843	abac_list_foreach(clauses, cur,
[da5afdf]	844	if(cur) {
	845	if(fp)
	846	fprintf (fp,"a clause, %d(%s)\n", (int)cur,cur);
	847	else printf ("a clause, %d(%s)\n", (int)cur,cur);
	848	}
[202a7f9]	849	);
	850	}
	851	}
	852
[8bd77b5]	853	abac_id_credential_t abac_id_credential_dup(abac_id_credential_t ptr) {
	854	assert(ptr != NULL);
[ba6027a]	855	if(debug)
[2485307]	856	fprintf(stderr, "calling abac_id_credential_dup, increment id ref count\n");
[8bd77b5]	857	abac_id_dup(ptr->id);
	858	return ptr;
	859	}
	860
	861	abac_id_t abac_id_credential_id(abac_id_credential_t ptr)
[da5afdf]	862	{
[8bd77b5]	863	assert(ptr);
	864	return ptr->id;
	865	}
[53e540d]	866
	867
[8bd77b5]	868	abac_id_credential_t abac_id_credential_lookup(char pname)
	869	{
	870	abac_id_credential_t *id_cred=NULL;
	871	HASH_FIND_STR(id_creds, pname, id_cred);
[5110d42]	872	if(id_cred != NULL)
	873	return abac_id_credential_dup(id_cred);
	874	else return NULL;
[8bd77b5]	875	}
[7727f26]	876
[8bd77b5]	877	void abac_id_credential_free(abac_id_credential_t *ptr)
	878	{
	879	if (ptr == NULL)
	880	return;
[53e540d]	881
[5110d42]	882	if(debug)
[2485307]	883	fprintf(stderr, "abac_id_credential_free:freeing (%s)\n", abac_id_name(ptr->id));
[5110d42]	884
[8bd77b5]	885	// this is very hacky...
	886	int last=abac_id_lastone(ptr->id);
	887	if(!last) {
[2485307]	888	if(debug) fprintf(stderr, "abac_id_credential_free:not last one\n");
[8bd77b5]	889	abac_id_free(ptr->id);
	890	} else {
[2485307]	891	if(debug) fprintf(stderr, "abac_id_credential_free: deleting id (%s)\n",abac_id_name(ptr->id));
[8bd77b5]	892	free(ptr->hashkeyid);
	893	if(ptr->pl_clause)
	894	free(ptr->pl_clause);
	895	abac_id_free(ptr->id);
	896	HASH_DEL(id_creds, ptr);
	897	free(ptr);
[53e540d]	898	}
[da5afdf]	899	}
	900
[8bd77b5]	901	/****************************************************************************/
	902
[5d06689]	903	static int _verify_valid_credential_string(certificate_t *cert,
[da5afdf]	904	abac_credential_t *cred_ret, char encoded_attr_string)
	905	{
[8bd77b5]	906	abac_aspect_t *head_aspect = NULL;
	907	abac_aspect_t *tail_aspect = NULL;
[da5afdf]	908	abac_list_t *clauses=NULL;
[8bd77b5]	909	abac_id_credential_t *id_cred;
	910	abac_id_t *issuer_id;
[da5afdf]	911	int ret, i;
	912
	913	// get the attr
[8bd77b5]	914	head_aspect = abac_yy_get_rule_head_aspect();
	915	tail_aspect = abac_yy_get_rule_tail_aspect();
[b5a3da4]	916	clauses = abac_yy_get_rule_clauses();
[53e540d]	917
	918	// get the issuer based on keyid
[8bd77b5]	919	char *principalname = abac_aspect_principal_principalname(head_aspect);
[2485307]	920	if(debug) fprintf(stderr, "LOOKING for %s\n", principalname);
[8bd77b5]	921
	922	HASH_FIND_STR(id_creds, principalname, id_cred);
[d037f54]	923	if(id_cred == NULL) {
	924	ret = ABAC_CERT_MISSING_ISSUER;
	925	if(debug)
[2485307]	926	fprintf(stderr, "can not find %s in id_creds\n", principalname);
[d037f54]	927	goto error;
	928	}
[8bd77b5]	929	issuer_id=id_cred->id;
	930	if (issuer_id == NULL) {
[53e540d]	931	ret = ABAC_CERT_MISSING_ISSUER;
[8bd77b5]	932	if(debug)
[2485307]	933	fprintf(stderr, "can not find %s in id_creds\n", principalname);
[53e540d]	934	goto error;
	935	}
	936
	937	// make sure the issuer's signed it
[dfe6b61]	938	ret = verify_signature(abac_id_cert(issuer_id), cert);
[53e540d]	939	if (!ret) {
[b5a3da4]	940	abac_yy_set_error_code(ABAC_RT_CERT_BAD_SIG);
[5110d42]	941	ret=ABAC_CERT_BAD_SIG;
[53e540d]	942	goto error;
	943	}
	944
[8bd77b5]	945	// at this point we know we have a good attribute cert baked it in
	946	abac_attribute_t *attr=abac_attribute_new(issuer_id, cert, cert->get_ref(cert));
	947	abac_attribute_set_head(attr, head_aspect);
	948	abac_attribute_add_tail(attr, tail_aspect);
	949
[53e540d]	950	abac_credential_t *cred = abac_xmalloc(sizeof(abac_credential_t));
[8bd77b5]	951	cred->hashkeyid=abac_xstrdup(encoded_attr_string);
	952	cred->attr=attr;
	953	cred->pl_clauses = clauses;
[53e540d]	954	*cred_ret = cred;
	955
	956	// success, add the key to the map of certificates
[8bd77b5]	957	HASH_ADD_KEYPTR(hh, attr_creds, cred->hashkeyid, strlen(cred->hashkeyid), cred);
[53e540d]	958
[8bd77b5]	959	assert(attr_hashkeyid_list);
	960	abac_list_add(attr_hashkeyid_list, abac_xstrdup(cred->hashkeyid));
[9b43fc3]	961
	962	if(debug)
[2485307]	963	fprintf(stderr, "-->adding into attr_creds 2, (%s)..cnt(%d)\n",
[9b43fc3]	964	cred->hashkeyid, HASH_COUNT(attr_creds));
	965
[da5afdf]	966	return ABAC_CERT_SUCCESS;
	967
	968	error:
[8bd77b5]	969	if (head_aspect) abac_aspect_free(head_aspect);
	970	if (tail_aspect) abac_aspect_free(tail_aspect);
[b5a3da4]	971	abac_yy_free_rule_clauses();
[da5afdf]	972
	973	return ret;
	974	}
[8bd77b5]	975
[da5afdf]	976	/**
	977	* Load an attribute cert.
	978	* Returns true only if the certificate is valid and is issued by the proper
	979	* authority.
[5d06689]	980	* attribute string is parsed via yyparse call
[da5afdf]	981	*/
	982	static int _load_attribute_cert(certificate_t cert, abac_credential_t *cred_ret) {
	983	ietf_attributes_t *attr_cert = NULL;
	984	int ret, i;
	985
	986	// get the attr
	987	ac_t ac = (ac_t )cert;
	988	attr_cert = ac->get_groups(ac);
	989	if (attr_cert == NULL) {
	990	ret = ABAC_CERT_INVALID;
	991	goto error;
	992	}
	993
	994	char *encoded_attr_string=attr_cert->get_string(attr_cert);
	995	char *attr_string = abac_decode_string(encoded_attr_string);
	996	if(debug)
[2485307]	997	fprintf(stderr, "string to be yyparse..(%d)(%s)\n",strlen(attr_string),attr_string);
[da5afdf]	998
	999	if (attr_string == NULL) {
	1000	ret = ABAC_CERT_INVALID;
	1001	goto error;
	1002	}
	1003
	1004	/* call into yacc parser */
	1005	abac_reset_yyfptr(attr_string);
[b5a3da4]	1006	abac_yy_init();
[da5afdf]	1007	int rc=yyparse();
	1008	if (rc) {
	1009	ret = ABAC_CERT_INVALID;
	1010	goto error;
	1011	}
	1012
[5d06689]	1013	ret=_verify_valid_credential_string(cert,cred_ret,encoded_attr_string);
[da5afdf]	1014
[5110d42]	1015	if(ret != ABAC_CERT_SUCCESS) {
[671c065]	1016	char *tmp=NULL;
[9a0e1c1]	1017	asprintf(&tmp,"_load_attribute_cert: fail to verify credential (%s)",attr_string);
[671c065]	1018	panic(tmp);
[5110d42]	1019	}
	1020
[53e540d]	1021	// free up some crap
	1022	attr_cert->destroy(attr_cert);
	1023
[5110d42]	1024	return ret;
[53e540d]	1025
	1026	error:
[202a7f9]	1027	if (cert) cert->destroy(cert);
	1028	if (attr_cert) attr_cert->destroy(attr_cert);
[0779c99]	1029	return ret;
[5450aeb]	1030	}
[5f99fbc]	1031
[8bd77b5]	1032	/**
	1033	* Load an attribute cert from a abac_attribute_t.
[5d06689]	1034	* attr should be all checked out before arriving here
[8bd77b5]	1035	*/
[5d06689]	1036	int abac_verifier_load_attribute_cert_attribute(abac_attribute_t ptr, abac_credential_t *cred_ret) {
	1037	// get the attr
	1038	abac_aspect_t *head=abac_attribute_head(ptr);
	1039	abac_aspect_t *tail=abac_attribute_tail(ptr);
	1040
	1041	// preprocess for constraint part
	1042	preprocess_pl_head(head);
	1043	preprocess_pl_tail(tail);
	1044
[9b43fc3]	1045	/* setup the encoded attribute string */
	1046	char *encoded_attr_string=get_cred_encoding(ptr);
	1047	generate_pl_set_abac_yyfptr_encoded(encoded_attr_string);
	1048	/* collect up type clauses, constraint clauses and
[5d06689]	1049	generate rule clauses */
	1050	abac_list_t *clauses=generate_pl_clauses(head,tail);
[9b43fc3]	1051
[b8a6fd2a]	1052	if(debug) abac_print_clauses(clauses,NULL);
[5d06689]	1053
	1054	abac_credential_t *cred = abac_xmalloc(sizeof(abac_credential_t));
	1055	cred->hashkeyid=abac_xstrdup(encoded_attr_string);
	1056	cred->attr=abac_attribute_dup(ptr);
	1057	cred->pl_clauses = clauses;
	1058	*cred_ret = cred;
	1059
	1060	// success, add the key to the map of certificates
	1061	HASH_ADD_KEYPTR(hh, attr_creds, cred->hashkeyid, strlen(cred->hashkeyid), cred);
	1062
	1063	assert(attr_hashkeyid_list);
	1064	abac_list_add(attr_hashkeyid_list, abac_xstrdup(cred->hashkeyid));
[9b43fc3]	1065
	1066	if(debug)
[2485307]	1067	fprintf(stderr, "-->adding into attr_creds, (%s)..cnt(%d)\n",
[9b43fc3]	1068	cred->hashkeyid, HASH_COUNT(attr_creds));
[5d06689]	1069	return ABAC_CERT_SUCCESS;
[8bd77b5]	1070	}
	1071
[e898049]	1072	/**
	1073	* Load an attribute cert from a file.
	1074	*/
[0779c99]	1075	int abac_verifier_load_attribute_cert_file(char filename, abac_credential_t *cred) {
[e898049]	1076	// load the cert
[2485307]	1077	if(debug) fprintf(stderr, "..loading attr file %s\n", filename);
[e898049]	1078	certificate_t *cert = lib->creds->create(
	1079	lib->creds, CRED_CERTIFICATE, CERT_X509_AC,
	1080	BUILD_FROM_FILE, filename,
	1081	BUILD_END
	1082	);
	1083	if (cert == NULL)
[0779c99]	1084	return ABAC_CERT_INVALID;
	1085	return _load_attribute_cert(cert, cred);
[e898049]	1086	}
	1087
	1088	/**
	1089	* Load an attribute cert from a chunk.
	1090	*/
[0779c99]	1091	int abac_verifier_load_attribute_cert_chunk(chunk_t chunk, abac_credential_t **cred) {
[e898049]	1092	// load the cert
	1093	certificate_t *cert = lib->creds->create(
	1094	lib->creds, CRED_CERTIFICATE, CERT_X509_AC,
	1095	BUILD_BLOB_ASN1_DER, chunk,
	1096	BUILD_END
	1097	);
	1098	if (cert == NULL)
[0779c99]	1099	return ABAC_CERT_INVALID;
[9b43fc3]	1100
[0779c99]	1101	return _load_attribute_cert(cert, cred);
[e898049]	1102	}
	1103
[85cdf53]	1104	/**
	1105	* Return the encoding of the attribute cert.
	1106	*/
[401a054]	1107	abac_chunk_t abac_credential_attribute_cert(abac_credential_t *cred) {
[8bd77b5]	1108	abac_attribute_t *ptr=cred->attr;
	1109	certificate_t *cert=abac_attribute_cert(ptr);
[137b55f]	1110	chunk_t encoding = chunk_empty;
	1111	int rc=cert->get_encoding(cert,CERT_ASN1_DER,&encoding);
[9efbfbf]	1112	abac_chunk_t ret = { encoding.ptr, encoding.len };
	1113	return ret;
[85cdf53]	1114	}
	1115
	1116	/**
	1117	* Return the encoding of the issuer cert.
	1118	*/
[401a054]	1119	abac_chunk_t abac_credential_issuer_cert(abac_credential_t *cred) {
[8bd77b5]	1120	certificate_t *issuer_cert=abac_attribute_issuer_cert(cred->attr);
	1121	assert(issuer_cert);
[137b55f]	1122	chunk_t encoding = chunk_empty;
	1123	// XXX MEI, not sure ??
	1124	int rc=issuer_cert->get_encoding(issuer_cert,CERT_ASN1_DER,&encoding);
[9efbfbf]	1125	abac_chunk_t ret = { encoding.ptr, encoding.len };
	1126	return ret;
[85cdf53]	1127	}
[186cb75]	1128
[53e540d]	1129	/**
	1130	* Return the clause of the cert
	1131	*/
[202a7f9]	1132	abac_list_t abac_credential_clauses(abac_credential_t cred) {
[8bd77b5]	1133	return cred->pl_clauses;
[53e540d]	1134	}
	1135
[8bd77b5]	1136	abac_attribute_t abac_credential_attribute(abac_credential_t cred) {
	1137	assert(cred);
	1138	return cred->attr;
	1139	}
[202a7f9]	1140
[186cb75]	1141	/**
[fbb591e]	1142	* Increase the ref count of a credential.
[186cb75]	1143	*/
[401a054]	1144	abac_credential_t abac_credential_dup(abac_credential_t cred) {
	1145	assert(cred != NULL);
[186cb75]	1146
[8bd77b5]	1147	abac_attribute_dup(cred->attr);
[fbb591e]	1148	return cred;
[186cb75]	1149	}
	1150
[53e540d]	1151	/**
	1152	* lookup for a credential.
	1153	*/
[202a7f9]	1154	abac_credential_t abac_credential_lookup(char cred_string)
	1155	{
	1156	if(debug)
[2485307]	1157	fprintf(stderr, "abac_credential_lookup: looking for (%s)\n", cred_string);
[8bd77b5]	1158	abac_credential_t *attr_cred;
[9b43fc3]	1159
[8bd77b5]	1160	HASH_FIND_STR(attr_creds, cred_string, attr_cred);
	1161	if (attr_cred == NULL) {
[2485307]	1162	if(debug) fprintf(stderr, "DEBUG:NOT FOUND..\n");
[53e540d]	1163	return NULL;
	1164	}
[8bd77b5]	1165	abac_credential_t *rt=abac_credential_dup(attr_cred);
[2485307]	1166	if(debug) fprintf(stderr, "DEBUG:FOUND.. (%d) returning, (%d)\n", (int)attr_cred, (int) rt);
[8bd77b5]	1167	return rt;
[53e540d]	1168	}
	1169
[186cb75]	1170	/**
[fbb591e]	1171	* Decrease the reference count of a credential, freeing it when it reaches 0.
[186cb75]	1172	*/
[202a7f9]	1173	void abac_credential_free(abac_credential_t *cred)
	1174	{
	1175	if(debug)
[2485307]	1176	fprintf(stderr, "abac_credential_free:freeing cred(%d)clause(%d)\n", (int)cred, (int)cred->pl_clauses);
[202a7f9]	1177
[401a054]	1178	if (cred == NULL)
[186cb75]	1179	return;
	1180
[8bd77b5]	1181	// this is very hacky...
	1182	int last=abac_attribute_lastone(cred->attr);
	1183	if(!last) {
	1184	abac_attribute_free(cred->attr);
[da5afdf]	1185	} else {
[2485307]	1186	if(debug) fprintf(stderr, "abac_credential_free: real free for (%d)\n",(int) cred);
[8bd77b5]	1187	free(cred->hashkeyid);
	1188	char *cur=NULL;
	1189	abac_list_foreach(cred->pl_clauses, cur,
	1190	free(cur);
	1191	);
	1192	abac_attribute_free(cred->attr);
	1193	HASH_DEL(attr_creds, cred);
	1194	free(cred);
[da5afdf]	1195	}
[186cb75]	1196	}
[53e540d]	1197
[8bd77b5]	1198	char abac_id_clause(abac_id_credential_t id_cred)
[202a7f9]	1199	{
[8bd77b5]	1200	if(id_cred)
	1201	return id_cred->pl_clause;
[202a7f9]	1202	return NULL;
	1203	}
	1204
[53e540d]	1205	/* retrieve the cn that is associated with this sha_string */
[5110d42]	1206	char abac_cn_with_sha(char sha_string)
	1207	{
[53e540d]	1208	// get the issuer based on keyid
[8bd77b5]	1209	abac_id_credential_t *id_cred;
	1210	HASH_FIND_STR(id_creds, sha_string, id_cred);
	1211	if (id_cred == NULL) {
[53e540d]	1212	return NULL;
	1213	}
[202a7f9]	1214	if(debug)
[8bd77b5]	1215	check_id_cred(id_cred);
	1216	return abac_id_cn(id_cred->id);
[53e540d]	1217	}
	1218
[8bd77b5]	1219	char abac_idtype_with_sha(char sha_string)
	1220	{
	1221	// get the issuer based on keyid
	1222	abac_id_credential_t *id_cred;
	1223	HASH_FIND_STR(id_creds, sha_string, id_cred);
	1224	if (id_cred == NULL) {
[6244e28]	1225	// this id, sha string is not in the db...
	1226	if(debug)
	1227	fprintf(stderr,"abac_idtype_with_sha: this id is not in the id_creds list\n");
[8bd77b5]	1228	return NULL;
	1229	}
	1230	int idtype=abac_id_idtype(id_cred->id);
	1231
	1232	return abac_idtype_string(idtype);
[923b4dd]	1233	}
	1234
[8bd77b5]	1235	abac_aspect_t abac_credential_head(abac_credential_t cred) {
	1236	return abac_attribute_head(cred->attr);
[923b4dd]	1237	}
	1238
[8bd77b5]	1239	abac_aspect_t abac_credential_tail(abac_credential_t cred) {
	1240	return abac_attribute_tail(cred->attr);
[923b4dd]	1241	}
	1242
	1243

Note: See TracBrowser for help on using the repository browser.

Download in other formats: