Context Navigation

source: libabac/abac_verifier.c @ dfe6b61

mei_rt2mei_rt2_fix_1

Last change on this file since dfe6b61 was dfe6b61, checked in by Mei <mei@…>, 12 years ago
1) added ID_chunk() and Attribute_chunk() to abac.hh
Property mode set to `100644`
File size: 34.8 KB

Rev	Line
[8bd77b5]	1	/**
	2	** abac_verifier.c
	3	**/
[53e540d]	4
	5	// include the GNU extension of asprintf
	6	#define _GNU_SOURCE
	7
[5110d42]	8	#include <stdio.h>
	9	#include <regex.h>
	10	#include <sys/mman.h>
	11	#include <fcntl.h>
[d037f54]	12	#include <sys/types.h>
	13	#include <sys/stat.h>
	14	#include <unistd.h>
	15
[5110d42]	16
[186cb75]	17	#include <assert.h>
[202a7f9]	18	#include <stdio.h>
[186cb75]	19
[5450aeb]	20	#include <library.h>
	21
[8bd77b5]	22	#include "abac_internal.h"
[43e3b71]	23	#include "abac_verifier.h"
[5450aeb]	24
[3c251d0]	25	#include "abac_util.h"
[202a7f9]	26	#include "abac_rt.h"
[5450aeb]	27
[8bd77b5]	28	static int debug=0;
[ba6027a]	29
[5d06689]	30	/* from abac_attribute.c */
	31	extern char get_cred_encoding(abac_attribute_t ptr);
[8bd77b5]	32
	33	extern abac_aspect_t *abac_yy_get_rule_head_aspect();
	34	extern abac_aspect_t *abac_yy_get_rule_tail_aspect();
[b5a3da4]	35	extern abac_list_t *abac_yy_get_rule_clauses();
[da5afdf]	36	extern char* abac_decode_string(char *);
[b5a3da4]	37	extern void abac_yy_free_rule_clauses();
[0d0c3a9]	38	extern char generate_pl_type_clause(char , int);
[5d06689]	39	extern abac_list_t generate_pl_clauses(abac_aspect_t , abac_aspect_t *);
[9b43fc3]	40	extern void generate_pl_set_abac_yyfptr_encoded(char *string);
[0d0c3a9]	41
[8bd77b5]	42	extern void abac_print_aspect_string_with_condition(abac_aspect_t role, FILE);
[202a7f9]	43
[ba6027a]	44	extern int abac_id_load_privkey_chunk(abac_id_t *ptr, chunk_t keychunk);
	45
[8bd77b5]	46	struct _abac_id_credential_t {
	47	char *hashkeyid;
	48	abac_id_t *id;
	49	char *pl_clause;
[5450aeb]	50
	51	UT_hash_handle hh;
[202a7f9]	52	};
[8bd77b5]	53	/* hash table base on sha with a p */
	54	abac_id_credential_t *id_creds = NULL;
[5110d42]	55	/* linked list of all the ids's hashkeyid */
	56	abac_list_t *id_hashkeyid_list = NULL;
[5450aeb]	57
[da5afdf]	58	/* can store either role or oset */
[401a054]	59	struct _abac_credential_t {
[8bd77b5]	60	char *hashkeyid;
	61	abac_attribute_t *attr;
	62	abac_list_t *pl_clauses;
[53e540d]	63
	64	UT_hash_handle hh;
[8bd77b5]	65	};
	66	/* hash table base on encoded attr rule */
	67	abac_credential_t *attr_creds = NULL;
	68	/* linked list of all the attr's hashkeyid */
	69	abac_list_t *attr_hashkeyid_list = NULL;
[202a7f9]	70
[8bd77b5]	71	/*****************************************************************************/
[da5afdf]	72	void abac_print_cred_info(abac_credential_t cred, FILE fp)
[202a7f9]	73	{
[da5afdf]	74	if(fp == NULL)
	75	fp=stdout;
	76
[8bd77b5]	77	abac_attribute_t *ptr=cred->attr;
	78	abac_aspect_t *head=abac_attribute_head(ptr);
	79	abac_aspect_t *tail=abac_attribute_tail(ptr);
	80
[202a7f9]	81	if(debug) {
[da5afdf]	82	fprintf(fp,"---> printing out credential info cred(%d)..\n", (int) cred);
[8bd77b5]	83	if(head) {
	84	abac_print_aspect_string_with_condition(head,fp);
[202a7f9]	85	}
[8bd77b5]	86	if(tail) {
	87	abac_print_aspect_string_with_condition(tail,fp);
[202a7f9]	88	}
	89
[8bd77b5]	90	abac_list_t *clauses=cred->pl_clauses;
[202a7f9]	91	if (clauses != NULL) {
	92	char *cur=NULL;
	93	abac_list_foreach(clauses, cur,
[da5afdf]	94	fprintf(fp,"\n a clause(%d):\n",(int)cur);
[202a7f9]	95	if(cur)
[da5afdf]	96	fprintf(fp,"strlen(%d)loc(%d)(%s)\n", strlen(cur),(int)cur, cur);
[202a7f9]	97	);
	98	}
	99	} else {
[da5afdf]	100	fprintf(fp," ");
[8bd77b5]	101	abac_print_aspect_string_with_condition(head,fp);
[da5afdf]	102	fprintf(fp," <- ");
[8bd77b5]	103	abac_print_aspect_string_with_condition(tail,fp);
[da5afdf]	104	fprintf(fp,"\n");
[202a7f9]	105	}
	106	}
	107
[5110d42]	108	void abac_print_prin_info(abac_id_credential_t prin, FILE fp)
	109	{
	110	if(fp == NULL)
	111	return;
	112
	113	abac_id_t *ptr=abac_id_credential_id(prin);
	114
	115	if(debug) fprintf(fp,"---> printing out principal info ..\n");
	116	if(abac_id_has_privkey(ptr))
	117	fprintf(fp," (%s,%s,y)\n",abac_id_name(ptr),abac_id_idtype_string(ptr));
	118	else
	119	fprintf(fp," (%s,%s,n)\n",abac_id_name(ptr),abac_id_idtype_string(ptr));
	120	}
	121
[202a7f9]	122	//
[8bd77b5]	123	int abac_verify_idtype_type(char *type) {
[202a7f9]	124	int i;
	125
	126	if (type == NULL)
	127	return 0;
	128
[8bd77b5]	129	for (i = 1; i <= _idtypename_cnt ; i++)
	130	if(strcmp(type,_idtypename[i])==0)
[202a7f9]	131	return i;
	132	return 0;
	133	}
	134
[8bd77b5]	135	char *abac_idtype_string(int i)
[202a7f9]	136	{
[440ba20]	137	if(i > _idtypename_cnt) {
	138	printf("bad idtypename idx %d\n", i);
[8bd77b5]	139	panic("abac_idtype_string: went out of range on idtypename");
[440ba20]	140	}
	141	return (char*) _idtypename[i];
[202a7f9]	142	}
	143
[5450aeb]	144	// convert a chunk to a lowercase binary string
	145	// malloc's the string
	146	static char *_chunk_to_string(chunk_t chunk) {
	147	int i;
	148
[3c251d0]	149	char ret = abac_xmalloc(chunk.len 2 + 1);
[5450aeb]	150
	151	for (i = 0; i < chunk.len; ++i)
	152	sprintf(ret + 2 * i, "%02x", chunk.ptr[i]);
	153
	154	return ret;
	155	}
	156
	157	// verify that cert was issued by issuer
	158	// cert and issuer can be the same, in which case the self-sig is validated
[dfe6b61]	159	int verify_signature(certificate_t issuer_cert, certificate_t cert) {
[8bd77b5]	160	if (cert->issued_by(cert, issuer_cert))
[5450aeb]	161	if (cert->get_validity(cert, NULL, NULL, NULL))
	162	return 1;
	163	return 0;
	164	}
	165
[cfa7b6e]	166	// verify that cert is still valid
	167	static int _verify_validity(certificate_t *cert) {
	168	if (cert->get_validity(cert, NULL, NULL, NULL))
	169	return 1;
	170	return 0;
	171	}
	172
[5450aeb]	173	/**
	174	* Init the verifier subsystem.
	175	*/
[43e3b71]	176	void abac_verifier_init(void) {
[1324a63]	177	// silence all debugging
	178
[5450aeb]	179	if (!library_init(NULL))
	180	exit(SS_RC_LIBSTRONGSWAN_INTEGRITY);
	181
	182	if (!lib->plugins->load(lib->plugins, NULL,
	183	lib->settings->get_str(lib->settings, "pki.load", PLUGINS)))
	184	exit(SS_RC_INITIALIZATION_FAILED);
[8bd77b5]	185
	186	attr_hashkeyid_list = abac_list_new();
[5110d42]	187	id_hashkeyid_list = abac_list_new();
[5450aeb]	188	}
	189
[186cb75]	190	/**
	191	* Uninitialize the system, free up any allocated memory.
	192	*/
[43e3b71]	193	void abac_verifier_deinit(void) {
[2485307]	194	if(debug)fprintf(stderr, "abac_verifier_deinit... being called..\n");
[137b55f]	195
[8bd77b5]	196	abac_id_credential_t *ptr;
	197	while ((ptr = id_creds) != NULL) {
[2485307]	198	if(debug) fprintf(stderr, "abac_verifier_deinit: deleting id (%s)\n",abac_id_name(ptr->id));
[8bd77b5]	199	HASH_DEL(id_creds, ptr);
	200
[137b55f]	201	free(ptr->hashkeyid);
[8bd77b5]	202	free(ptr->pl_clause);
[137b55f]	203	abac_id_free(ptr->id);
[8bd77b5]	204	free(ptr);
[186cb75]	205	}
[55c272b]	206
[8bd77b5]	207	abac_credential_t *ptr2;
	208	while ((ptr2 = attr_creds) != NULL) {
	209	HASH_DEL(attr_creds, ptr2);
	210	if(debug) {
[2485307]	211	fprintf(stderr, "abac_verifier_deinit: deleting attr hashkey(%s)\n",ptr2->hashkeyid);
[8bd77b5]	212	}
	213	free(ptr2->hashkeyid);
	214	abac_attribute_free(ptr2->attr);
	215	char *cur=NULL;
	216	abac_list_foreach(ptr2->pl_clauses, cur,
	217	free(cur);
	218	);
	219	free(ptr2->pl_clauses);
	220	free(ptr2);
[53e540d]	221	}
	222
[8bd77b5]	223	if(attr_hashkeyid_list) {
	224	char *cur;
	225	if(attr_hashkeyid_list) {
	226	abac_list_foreach(attr_hashkeyid_list, cur,
	227	if(cur) free(cur);
	228	);
	229	}
	230	abac_list_free(attr_hashkeyid_list);
	231	}
[137b55f]	232
[5110d42]	233	if(id_hashkeyid_list) {
[2485307]	234	if(debug) fprintf(stderr, "looking to free id_hashkeyid_lst..\n");
[5110d42]	235	char *cur;
	236	if(id_hashkeyid_list) {
	237	abac_list_foreach(id_hashkeyid_list, cur,
[137b55f]	238	if(cur) {
[2485307]	239	if(debug) fprintf(stderr, "hum.. id hashkey being freed.. %s\n", cur);
[137b55f]	240	free(cur);
	241	}
[5110d42]	242	);
	243	}
	244	abac_list_free(id_hashkeyid_list);
	245	}
	246
[55c272b]	247	library_deinit();
[186cb75]	248	}
	249
[8bd77b5]	250	abac_id_credential_t abac_verifier_add_id_credential(abac_id_t a_id)
	251	{
	252	abac_id_credential_t *id_cred;
	253	char *cn=abac_id_cn(a_id);
[d037f54]	254	char *keyid=abac_id_keyid(a_id);
[8bd77b5]	255
[440ba20]	256	if(debug) {
[2485307]	257	fprintf(stderr, "abac_verifier_add_id_credential, cn(%s),keyid(%s)\n",
[440ba20]	258	cn, keyid);
	259	}
	260
[8bd77b5]	261	// add the abac_id to the map of id credentials
	262	id_cred = abac_xmalloc(sizeof(abac_id_credential_t));
	263	id_cred->hashkeyid = abac_xstrdup(keyid);
	264	id_cred->id=abac_id_dup(a_id);
	265
	266	/* special handling here */
	267	if(USE("ABAC_CN")) {
	268	id_cred->pl_clause = generate_pl_type_clause(cn, abac_id_idtype(a_id));
	269	} else {
[d037f54]	270	id_cred->pl_clause=generate_pl_type_clause(prologIt(keyid), abac_id_idtype(a_id));
[8bd77b5]	271	}
	272	HASH_ADD_KEYPTR(hh, id_creds, id_cred->hashkeyid, strlen(id_cred->hashkeyid), id_cred);
	273	if(debug)
[2485307]	274	fprintf(stderr, "-->adding into id_creds, (%s)..cnt(%d)(%d)\n",
[ba6027a]	275	id_cred->hashkeyid, HASH_COUNT(id_creds),(int)id_cred);
[8bd77b5]	276
[5110d42]	277	assert(id_hashkeyid_list);
	278	abac_list_add(id_hashkeyid_list, abac_xstrdup(id_cred->hashkeyid));
	279	return id_cred;
[8bd77b5]	280	}
	281
[6244e28]	282	/* have to find the last cn
	283	CN=test/emailAddress=abac.isi.edu, CN=12345678
	284	CN=client
	285	..CN=255a03f3-ed30/emailAddress=..
	286	*/
	287	static char* _extract_cn(char *string)
	288	{
[cfa7b6e]	289	/* find the first CN= */
[6244e28]	290	char *ptr=strstr(string,"CN=");
	291	if(ptr == NULL) return NULL;
	292
	293	/* look for last CN= */
	294	while(1) {
	295	char *tptr=ptr+3;
	296	char *p=strstr(tptr,"CN=");
	297	if(p) ptr=p;
	298	else break;
	299	}
	300
	301	/* remove the possible additional stuff */
	302	char cn=abac_xstrdup(ptr); / it would get write over */
	303	char *nptr=strtok(cn,"/");
	304	char pcn=abac_xmalloc(sizeof(char) strlen(nptr));
	305	pcn[0]='p';
[cfa7b6e]	306	/* special case.. replace empty space with _ */
	307	int i=strlen(nptr);
	308	while(i--)
	309	if(nptr[i]==' ') nptr[i]='_';
[6244e28]	310	sscanf(nptr,"CN=%s", &pcn[1]);
	311	free(cn);
	312	return pcn;
	313	}
	314
[5450aeb]	315	/**
[440ba20]	316	* Load an ID
[5450aeb]	317	*/
[8bd77b5]	318	static int _load_id(abac_id_t *a_id,certificate_t cert, abac_id_credential_t **id_cred_ret) {
	319	abac_id_credential_t *id_cred = NULL;
[d037f54]	320	char *keyid = NULL;
[5450aeb]	321	chunk_t id;
	322	int ret;
[2ef48fa]	323	x509_t x509 = (x509_t )cert;
[5450aeb]	324
[e898049]	325	assert(cert != NULL);
[5450aeb]	326
[7727f26]	327	// get the key ID, add p to keyid SHA here */
[2ef48fa]	328	id = x509->get_subjectKeyIdentifier(x509);
[d037f54]	329	keyid = _chunk_to_string(id);
[327e808]	330
[0d0c3a9]	331	/* Mike said this is the way it is */
[6244e28]	332	char *str=NULL;
[53e540d]	333	int rv = asprintf(&str, "%Y", cert->get_issuer(cert));
	334
[cfa7b6e]	335	/* add p to cn name here, if there is no useable one
	336	reuse keyid */
[6244e28]	337	char *cn=_extract_cn(str);
	338	if(cn == NULL) {
[cfa7b6e]	339	if(debug)
	340	fprintf(stderr, "DEBUG:did not find usable cn, reuse keyid\n");
	341	cn=abac_xstrdup(keyid);
[53e540d]	342	}
	343
[202a7f9]	344	if(debug) {
[2485307]	345	fprintf(stderr, "DEBUG:keyid %s \n", keyid);
	346	fprintf(stderr, "DEBUG:issuer '%s' \n", str);
	347	fprintf(stderr, "DEBUG:cn %s \n", cn);
[202a7f9]	348	}
[53e540d]	349	free(str);
	350
[327e808]	351	// if we already have this cert 'error' with success
[8bd77b5]	352	HASH_FIND_STR(id_creds, keyid, id_cred);
	353	if (id_cred != NULL) {
[2485307]	354	if(debug) fprintf(stderr, "existing cert \n");
[440ba20]	355	ret = ABAC_CERT_EXISTS;
[327e808]	356	goto error;
	357	}
	358
[cfa7b6e]	359	// validate validity
	360	ret = _verify_validity(cert);
	361	if (!ret) {
	362	ret = ABAC_CERT_INVALID;
	363	goto error;
	364	}
	365
[5450aeb]	366	// validate sig
[dfe6b61]	367	ret = verify_signature(cert, cert);
[0779c99]	368	if (!ret) {
[cfa7b6e]	369	/* well.. this is not a self signed cert, don't fault it anymore */
	370	if(debug) fprintf(stderr, "This is not a self-signed cert \n");
	371	} else {
	372	if(debug) fprintf(stderr, "This is a self-signed cert \n");
[0779c99]	373	}
[5450aeb]	374
[8bd77b5]	375	// success, add a new abac_id
[440ba20]	376	if(*a_id==NULL) {
	377	*a_id=abac_id_keyid_new(keyid,cn,cert);
	378	}
[5450aeb]	379
[8bd77b5]	380	abac_id_credential_t n_id_cred=abac_verifier_add_id_credential(a_id);
	381	*id_cred_ret=n_id_cred;
[202a7f9]	382
[6244e28]	383	if (keyid != NULL) free(keyid);
	384	if (cn != NULL) free(cn);
	385
[0779c99]	386	return ABAC_CERT_SUCCESS;
[5450aeb]	387
	388	error:
[327e808]	389	if (keyid != NULL) free(keyid);
[53e540d]	390	if (cn != NULL) free(cn);
[5450aeb]	391
[0779c99]	392	return ret;
[5450aeb]	393	}
	394
[8bd77b5]	395	/* collect all the creds stored so far */
	396	abac_stack_t *abac_verifier_dump_creds()
[202a7f9]	397	{
[8bd77b5]	398	abac_stack_t *cred_list = abac_stack_new();
	399
	400	int cnt=0;
	401	if(attr_hashkeyid_list) {
	402	char *keyid;
	403	abac_credential_t *cred;
	404	abac_list_foreach(attr_hashkeyid_list, keyid,
	405	cred=abac_credential_lookup(keyid);
	406	abac_stack_push(cred_list, cred);
	407	cnt++;
	408	);
	409	}
[2485307]	410	if(debug) fprintf(stderr, "abac_verifier_dump_cred: %d\n",cnt);
[8bd77b5]	411	return cred_list;
	412	}
	413
[5110d42]	414	/* collect all the id stored so far */
	415	abac_stack_t *abac_verifier_dump_principals()
	416	{
	417	abac_stack_t *id_list = abac_stack_new();
	418
	419	int cnt=0;
	420	if(id_hashkeyid_list) {
	421	char *keyid;
	422	abac_id_credential_t *id;
	423	abac_list_foreach(id_hashkeyid_list, keyid,
	424	id=abac_id_credential_lookup(keyid);
	425	abac_stack_push(id_list, id);
	426	cnt++;
	427	);
	428	}
[2485307]	429	if(debug) fprintf(stderr, "abac_verifier_dump_principals: %d\n",cnt);
[5110d42]	430	return id_list;
	431	}
	432
[8bd77b5]	433
	434	static void check_id_cred(abac_id_credential_t *id_cred)
	435	{
	436	if(id_cred) {
	437	printf("checking on this id_cred location %d\n", (int)id_cred);
	438	printf(" --> sha is (%s)\n", abac_id_keyid(id_cred->id));
	439	printf(" --> cn is (%s)\n", abac_id_cn(id_cred->id));
[202a7f9]	440	}
	441	}
	442
	443	/**
	444	* Load an attribute cert as string.
	445	* have minimum syntax & validity check
	446	*/
	447	static int _load_attribute_string(char* attr_string) {
	448	printf("NOT implemented yet!!!");
	449	return ABAC_CERT_INVALID;
	450	}
	451
[e898049]	452	/**
	453	* Load an ID cert from a file.
	454	*/
[ba6027a]	455	int abac_verifier_load_id_file_key_file(char filename, char keyfilename,
	456	abac_id_credential_t **id_cred_ret)
	457	{
[8bd77b5]	458	abac_id_t *id=NULL;
[61278ec]	459	if (lib == NULL)
	460	errx(1, "looks like you didn't call libabac_init() (lib is NULL)");
	461
[2485307]	462	if(debug) fprintf(stderr, "loading id file... %s\n", filename);
[d037f54]	463
[137b55f]	464	// load the cert, with public key
[e898049]	465	certificate_t *cert = lib->creds->create(
	466	lib->creds, CRED_CERTIFICATE, CERT_X509,
	467	BUILD_FROM_FILE, filename,
	468	BUILD_X509_FLAG, X509_AA, // attribute authority, dumb
	469	BUILD_END
	470	);
[d037f54]	471
[e898049]	472	if (cert == NULL)
[0779c99]	473	return ABAC_CERT_INVALID;
[d037f54]	474
	475	int rc=_load_id(&id,cert,id_cred_ret);
[440ba20]	476	if(rc==ABAC_CERT_EXISTS) {
[2485307]	477	if(debug) fprintf(stderr, "abac_verifier_load_id_files: id already exists\n");
[440ba20]	478	return ABAC_CERT_SUCCESS;
	479	}
	480
[d037f54]	481	/* try to load the private key if it is there */
[2efdff5]	482	if((rc==ABAC_CERT_SUCCESS) && keyfilename!=NULL && file_exist(keyfilename)) {
[2485307]	483	if(debug) fprintf(stderr, "loading... %s\n", keyfilename);
[5110d42]	484	int keyrc=abac_id_load_privkey_file(id, keyfilename);
[d037f54]	485	if(debug) {
[2485307]	486	if(keyrc == 1) fprintf(stderr, "..load_id_file: load(%s) with a private key\n",filename);
[d037f54]	487	else printf("..load_id_file: load(%s) without a private key\n",filename);
	488	}
	489	}
[2efdff5]	490	return ABAC_CERT_SUCCESS;
[8bd77b5]	491	}
	492
[ba6027a]	493	int abac_verifier_load_enc_id_file_key_file(char filename, char keyfilename,
	494	char pfile, abac_id_credential_t *id_cred_ret)
	495	{
	496	abac_id_t *id=NULL;
	497	if (lib == NULL)
	498	errx(1, "looks like you didn't call libabac_init() (lib is NULL)");
	499
[2485307]	500	if(debug) fprintf(stderr, "loading id file... %s\n", filename);
[ba6027a]	501
	502	// load the cert, with public key
	503	certificate_t *cert = lib->creds->create(
	504	lib->creds, CRED_CERTIFICATE, CERT_X509,
	505	BUILD_FROM_FILE, filename,
	506	BUILD_X509_FLAG, X509_AA, // attribute authority, dumb
	507	BUILD_END
	508	);
	509
	510	if (cert == NULL)
	511	return ABAC_CERT_INVALID;
	512
	513	int rc=_load_id(&id,cert,id_cred_ret);
	514	if(rc==ABAC_CERT_EXISTS) {
[2485307]	515	if(debug) fprintf(stderr, "abac_verifier_load_id_files: id already exists\n");
[ba6027a]	516	return ABAC_CERT_SUCCESS;
	517	}
	518
	519	/* try to load the private key if it is there */
	520	if((rc==ABAC_CERT_SUCCESS) && keyfilename!=NULL && file_exist(keyfilename)) {
[2485307]	521	if(debug) fprintf(stderr, "loading... %s\n", keyfilename);
[ba6027a]	522	int keyrc=abac_id_load_enc_privkey_file(id, keyfilename, pfile);
	523	if(debug) {
[2485307]	524	if(keyrc == 1) fprintf(stderr, "..load_id_file: load(%s) with a private key\n",filename);
[ba6027a]	525	else printf("..load_id_file: load(%s) without a private key\n",filename);
	526	}
	527	}
	528	return ABAC_CERT_SUCCESS;
	529	}
	530
[8bd77b5]	531	/**
	532	* Load an ID cert from a abac_id_t
	533	*/
	534	int abac_verifier_load_id_id(abac_id_t id, abac_id_credential_t *id_cred_ret) {
	535	certificate_t *cert = abac_id_cert(id);
	536	return _load_id(&id,cert,id_cred_ret);
[e898049]	537	}
	538
[5110d42]	539	/**
	540	* Load an ID cert from a chunk.
	541	*/
	542	int abac_verifier_load_id_pem_chunk(chunk_t chunk, abac_id_credential_t **id_cred_ret) {
	543	abac_id_t *id=NULL;
	544	// load the cert
	545	certificate_t *cert = lib->creds->create(
	546	lib->creds, CRED_CERTIFICATE, CERT_X509,
	547	BUILD_BLOB_PEM, chunk,
	548	BUILD_X509_FLAG, X509_AA, // attribute authority, dumb
	549	BUILD_END
	550	);
	551	if (cert == NULL)
	552	return ABAC_CERT_INVALID;
	553	return _load_id(&id, cert,id_cred_ret);
	554	}
[e898049]	555	/**
[9b43fc3]	556	* Load an ID cert from a chunk, Note, this only loads the id cert part
	557	* and so it is not suitable for creating an attribute credential with.
	558	* Only a complete id cert + privkey could create attribute credential.
[e898049]	559	*/
[8bd77b5]	560	int abac_verifier_load_id_chunk(chunk_t chunk, abac_id_credential_t **id_cred_ret) {
	561	abac_id_t *id=NULL;
[e898049]	562	// load the cert
	563	certificate_t *cert = lib->creds->create(
	564	lib->creds, CRED_CERTIFICATE, CERT_X509,
	565	BUILD_BLOB_ASN1_DER, chunk,
	566	BUILD_X509_FLAG, X509_AA, // attribute authority, dumb
	567	BUILD_END
	568	);
	569	if (cert == NULL)
[0779c99]	570	return ABAC_CERT_INVALID;
[8bd77b5]	571	return _load_id(&id, cert,id_cred_ret);
[e898049]	572	}
	573
[9b43fc3]	574	/**
	575	* Load an ID cert from a cert chunk and a privkey chunk,
	576	* this complete id cert + privkey could create attribute credential.
	577	*/
	578	int abac_verifier_load_id_privkey_chunk(chunk_t chunk, chunk_t privkey_chunk,
	579	abac_id_credential_t **id_cred_ret) {
	580
	581	abac_id_t *id=NULL;
	582	// load the cert
	583	certificate_t *cert = lib->creds->create(
	584	lib->creds, CRED_CERTIFICATE, CERT_X509,
	585	BUILD_BLOB_ASN1_DER, chunk,
	586	BUILD_X509_FLAG, X509_AA, // attribute authority, dumb
	587	BUILD_END
	588	);
	589	if (cert == NULL)
	590	return ABAC_CERT_INVALID;
	591
	592	int rc=_load_id(&id, cert,id_cred_ret);
	593	if(rc == ABAC_CERT_SUCCESS) {
	594	rc=abac_id_load_privkey_chunk(id, privkey_chunk);
	595	}
	596
	597	return rc;
	598	}
	599
[ba6027a]	600	int abac_verifier_load_id_enc_privkey_chunk(chunk_t chunk, chunk_t privkey_chunk,
	601	char* pfile, abac_id_credential_t **id_cred_ret) {
	602
	603	abac_id_t *id=NULL;
	604	// load the cert
	605	certificate_t *cert = lib->creds->create(
	606	lib->creds, CRED_CERTIFICATE, CERT_X509,
	607	BUILD_BLOB_ASN1_DER, chunk,
	608	BUILD_X509_FLAG, X509_AA, // attribute authority, dumb
	609	BUILD_END
	610	);
	611	if (cert == NULL)
	612	return ABAC_CERT_INVALID;
	613
	614	int rc=_load_id(&id, cert,id_cred_ret);
	615	if(rc == ABAC_CERT_SUCCESS) {
	616	rc=abac_id_load_enc_privkey_chunk(id, privkey_chunk, pfile);
	617	}
	618
	619	return rc;
	620	}
	621
	622
[9b43fc3]	623
[2efdff5]	624	abac_id_t abac_verifier_load_issuer(char filename, char *keyfilename)
	625	{
	626	abac_id_credential_t *id_cred=NULL;
	627	int ret=abac_verifier_load_id_file_key_file(filename,keyfilename,&id_cred);
	628	if(ret !=ABAC_CERT_SUCCESS)
	629	return NULL;
	630	abac_id_t *issuer=abac_id_credential_id(id_cred);
	631	return issuer;
	632	}
	633
[53e540d]	634
[5110d42]	635	static int matchex(const char subject, const char pattern, int so, int eo)
	636	{
	637	int rc; // Returned code
	638	regmatch_t pmatch;
	639
	640	regex_t re; // Compiled regexp pattern
	641
	642	if (regcomp(&re, pattern, 0) != 0) return 0;
	643
	644	rc = regexec(&re, subject, 1 , &pmatch, 0);
	645	regfree(&re);
	646
	647	if (rc == REG_NOMATCH ) return 0;
	648
	649	*so=pmatch.rm_so;
	650	*eo=pmatch.rm_eo;
	651
	652	return 1;
	653	}
	654
	655
	656
	657	static chunk_t _extract_chunk(char data, char startline, char* endline)
	658	{
	659	int found=0;
	660	int startos=0;
	661	int endos=0;
	662	regex_t re;
	663	regmatch_t pm;
	664	int rc;
	665
	666	int st;
	667	int et;
	668
	669	rc=matchex(data, startline, &st, &et);
	670	if(rc==0) return chunk_empty;
	671	startos=st;
	672
	673	rc=matchex(data, endline, &st, &et);
	674	if(rc==0) return chunk_empty;
	675	endos=et;
	676
	677	int len=endos - startos;
	678
[2485307]	679	if(debug) fprintf(stderr, "making a chunk of size (%d) from %d and %d\n",len, startos,endos);
[5110d42]	680	char *ptr=strndup(data+startos,len);
	681
	682	chunk_t ret = { ptr, len };
	683	return ret;
	684	}
	685
	686
	687	int abac_verifier_load_idkey_file(char filename, abac_id_credential_t *id_cred_ret)
	688	{
	689	struct stat sb;
	690	int fd;
	691	int rc;
	692
	693	fd = open(filename, O_RDONLY);
	694	if (fd == -1) { return 1; }
	695	if(stat(filename, &sb) == -1) {
	696	close(fd);
	697	return 1;
	698	}
	699	char* data = (char *)mmap(NULL, sb.st_size, PROT_READ, MAP_PRIVATE, fd, 0);
	700	if(data == MAP_FAILED) {
	701	close(fd);
	702	return 1;
	703	}
	704	close(fd);
	705
	706	chunk_t key_pem_chunk=_extract_chunk(data,
	707	"-----BEGIN RSA PRIVATE KEY-----","-----END RSA PRIVATE KEY-----");
	708	chunk_t cert_pem_chunk=_extract_chunk(data,
	709	"-----BEGIN CERTIFICATE-----","-----END CERTIFICATE-----");
	710
	711	/* key=0, cert=0 */
	712	if(key_pem_chunk.len==0 && cert_pem_chunk.len==0) {
[2485307]	713	if(debug) fprintf(stderr, "abac_verifier_load_idkey_file: no key or id in idkey_file\n");
[5110d42]	714	goto error;
	715	}
	716
	717	/* key=0, cert=1 */
	718	if(key_pem_chunk.len==0) {
[2485307]	719	if(debug) fprintf(stderr, "abac_verifier_load_idkey_file: no key in idkey_file\n");
[5110d42]	720	munmap(data, sb.st_size);
	721	chunk_free(&key_pem_chunk);
	722	return abac_verifier_load_id_file_key_file(filename,NULL,id_cred_ret);
	723	}
	724
	725	/* key=1, cert=1 */
	726	if(cert_pem_chunk.len!=0) {
	727	if(debug) {
[2485307]	728	fprintf(stderr, "loading cert pem chunk %d\n", cert_pem_chunk.len);
[5110d42]	729	printf("(%s)\n",cert_pem_chunk.ptr);
	730	}
	731	rc=abac_verifier_load_id_pem_chunk(cert_pem_chunk, id_cred_ret);
	732	if(rc != 0) {
[2485307]	733	if(debug) fprintf(stderr, "abac_verifier_load_idkey_file: fail to load the id\n");
[5110d42]	734	goto error;
	735	}
	736	/* key=1, cert=0 */
	737	} else {
[2485307]	738	if(debug) fprintf(stderr, "abac_verifier_load_idkey_file: there is no id info in there\n");
[5110d42]	739	goto error;
	740	}
	741
	742	/* handle the key_pem_chunk */
	743	if(debug) {
[2485307]	744	fprintf(stderr, "loading key pem chunk %d\n", key_pem_chunk.len);
[5110d42]	745	printf("(%s)\n",key_pem_chunk.ptr);
	746	}
	747	abac_id_t id=abac_id_credential_id(id_cred_ret);
	748	rc=abac_id_load_privkey_chunk(id, key_pem_chunk);
	749	if(rc==0) {
	750	printf("abac_verifier_load_idkey_file:failed to load priv key!!!\n");
	751	goto error;
	752	}
	753
	754	munmap(data, sb.st_size);
	755	return 0;
	756
	757	error:
	758	munmap(data, sb.st_size);
	759	return 1;
	760	}
	761
	762
[ba6027a]	763	int abac_verifier_load_enc_idkey_file(char filename, char pfile,
	764	abac_id_credential_t **id_cred_ret)
	765	{
	766	struct stat sb;
	767	int fd;
	768	int rc;
	769
	770	fd = open(filename, O_RDONLY);
	771	if (fd == -1) { return 1; }
	772	if(stat(filename, &sb) == -1) {
	773	close(fd);
	774	return 1;
	775	}
	776	char* data = (char *)mmap(NULL, sb.st_size, PROT_READ, MAP_PRIVATE, fd, 0);
	777	if(data == MAP_FAILED) {
	778	close(fd);
	779	return 1;
	780	}
	781	close(fd);
	782
	783	chunk_t key_pem_chunk=_extract_chunk(data,
	784	"-----BEGIN RSA PRIVATE KEY-----","-----END RSA PRIVATE KEY-----");
	785	chunk_t cert_pem_chunk=_extract_chunk(data,
	786	"-----BEGIN CERTIFICATE-----","-----END CERTIFICATE-----");
	787
	788	/* key=0, cert=0 */
	789	if(key_pem_chunk.len==0 && cert_pem_chunk.len==0) {
[2485307]	790	if(debug) fprintf(stderr, "abac_verifier_load_idkey_file: no key or id in idkey_file\n");
[ba6027a]	791	goto error;
	792	}
	793
	794	/* key=0, cert=1 */
	795	if(key_pem_chunk.len==0) {
[2485307]	796	if(debug) fprintf(stderr, "abac_verifier_load_idkey_file: no key in idkey_file\n");
[ba6027a]	797	munmap(data, sb.st_size);
	798	chunk_free(&key_pem_chunk);
	799	return abac_verifier_load_id_file_key_file(filename,NULL,id_cred_ret);
	800	}
	801
	802	/* key=1, cert=1 */
	803	if(cert_pem_chunk.len!=0) {
	804	if(debug) {
[2485307]	805	fprintf(stderr, "loading cert pem chunk %d\n", cert_pem_chunk.len);
[ba6027a]	806	printf("(%s)\n",cert_pem_chunk.ptr);
	807	}
	808	rc=abac_verifier_load_id_pem_chunk(cert_pem_chunk, id_cred_ret);
	809	if(rc != 0) {
[2485307]	810	if(debug) fprintf(stderr, "abac_verifier_load_idkey_file: fail to load the id\n");
[ba6027a]	811	goto error;
	812	}
	813	/* key=1, cert=0 */
	814	} else {
[2485307]	815	if(debug) fprintf(stderr, "abac_verifier_load_idkey_file: there is no id info in there\n");
[ba6027a]	816	goto error;
	817	}
	818
	819	/* handle the key_pem_chunk */
	820	if(debug) {
[2485307]	821	fprintf(stderr, "loading key pem chunk %d\n", key_pem_chunk.len);
[ba6027a]	822	printf("(%s)\n",key_pem_chunk.ptr);
	823	printf("(%d)\n",strlen(key_pem_chunk.ptr));
	824	}
	825	abac_id_t id=abac_id_credential_id(id_cred_ret);
	826	rc=abac_id_load_enc_privkey_chunk(id, key_pem_chunk, pfile);
	827	if(rc==0) {
	828	printf("abac_verifier_load_idkey_file:failed to load priv key!!!\n");
	829	goto error;
	830	}
	831
	832	munmap(data, sb.st_size);
	833	return 0;
	834
	835	error:
	836	munmap(data, sb.st_size);
	837	return 1;
	838	}
[5110d42]	839
[da5afdf]	840	void abac_print_clauses(abac_list_t clauses, FILE fp)
[202a7f9]	841	{
	842	if (clauses != NULL) {
	843	char *cur;
[7b548fa]	844	printf("total-- %d clauses\n", abac_list_size(clauses));
[202a7f9]	845	abac_list_foreach(clauses, cur,
[da5afdf]	846	if(cur) {
	847	if(fp)
	848	fprintf (fp,"a clause, %d(%s)\n", (int)cur,cur);
	849	else printf ("a clause, %d(%s)\n", (int)cur,cur);
	850	}
[202a7f9]	851	);
	852	}
	853	}
	854
[8bd77b5]	855	abac_id_credential_t abac_id_credential_dup(abac_id_credential_t ptr) {
	856	assert(ptr != NULL);
[ba6027a]	857	if(debug)
[2485307]	858	fprintf(stderr, "calling abac_id_credential_dup, increment id ref count\n");
[8bd77b5]	859	abac_id_dup(ptr->id);
	860	return ptr;
	861	}
	862
	863	abac_id_t abac_id_credential_id(abac_id_credential_t ptr)
[da5afdf]	864	{
[8bd77b5]	865	assert(ptr);
	866	return ptr->id;
	867	}
[53e540d]	868
	869
[8bd77b5]	870	abac_id_credential_t abac_id_credential_lookup(char pname)
	871	{
	872	abac_id_credential_t *id_cred=NULL;
	873	HASH_FIND_STR(id_creds, pname, id_cred);
[5110d42]	874	if(id_cred != NULL)
	875	return abac_id_credential_dup(id_cred);
	876	else return NULL;
[8bd77b5]	877	}
[7727f26]	878
[8bd77b5]	879	void abac_id_credential_free(abac_id_credential_t *ptr)
	880	{
	881	if (ptr == NULL)
	882	return;
[53e540d]	883
[5110d42]	884	if(debug)
[2485307]	885	fprintf(stderr, "abac_id_credential_free:freeing (%s)\n", abac_id_name(ptr->id));
[5110d42]	886
[8bd77b5]	887	// this is very hacky...
	888	int last=abac_id_lastone(ptr->id);
	889	if(!last) {
[2485307]	890	if(debug) fprintf(stderr, "abac_id_credential_free:not last one\n");
[8bd77b5]	891	abac_id_free(ptr->id);
	892	} else {
[2485307]	893	if(debug) fprintf(stderr, "abac_id_credential_free: deleting id (%s)\n",abac_id_name(ptr->id));
[8bd77b5]	894	free(ptr->hashkeyid);
	895	if(ptr->pl_clause)
	896	free(ptr->pl_clause);
	897	abac_id_free(ptr->id);
	898	HASH_DEL(id_creds, ptr);
	899	free(ptr);
[53e540d]	900	}
[da5afdf]	901	}
	902
[8bd77b5]	903	/****************************************************************************/
	904
[5d06689]	905	static int _verify_valid_credential_string(certificate_t *cert,
[da5afdf]	906	abac_credential_t *cred_ret, char encoded_attr_string)
	907	{
[8bd77b5]	908	abac_aspect_t *head_aspect = NULL;
	909	abac_aspect_t *tail_aspect = NULL;
[da5afdf]	910	abac_list_t *clauses=NULL;
[8bd77b5]	911	abac_id_credential_t *id_cred;
	912	abac_id_t *issuer_id;
[da5afdf]	913	int ret, i;
	914
	915	// get the attr
[8bd77b5]	916	head_aspect = abac_yy_get_rule_head_aspect();
	917	tail_aspect = abac_yy_get_rule_tail_aspect();
[b5a3da4]	918	clauses = abac_yy_get_rule_clauses();
[53e540d]	919
	920	// get the issuer based on keyid
[8bd77b5]	921	char *principalname = abac_aspect_principal_principalname(head_aspect);
[2485307]	922	if(debug) fprintf(stderr, "LOOKING for %s\n", principalname);
[8bd77b5]	923
	924	HASH_FIND_STR(id_creds, principalname, id_cred);
[d037f54]	925	if(id_cred == NULL) {
	926	ret = ABAC_CERT_MISSING_ISSUER;
	927	if(debug)
[2485307]	928	fprintf(stderr, "can not find %s in id_creds\n", principalname);
[d037f54]	929	goto error;
	930	}
[8bd77b5]	931	issuer_id=id_cred->id;
	932	if (issuer_id == NULL) {
[53e540d]	933	ret = ABAC_CERT_MISSING_ISSUER;
[8bd77b5]	934	if(debug)
[2485307]	935	fprintf(stderr, "can not find %s in id_creds\n", principalname);
[53e540d]	936	goto error;
	937	}
	938
	939	// make sure the issuer's signed it
[dfe6b61]	940	ret = verify_signature(abac_id_cert(issuer_id), cert);
[53e540d]	941	if (!ret) {
[b5a3da4]	942	abac_yy_set_error_code(ABAC_RT_CERT_BAD_SIG);
[5110d42]	943	ret=ABAC_CERT_BAD_SIG;
[53e540d]	944	goto error;
	945	}
	946
[8bd77b5]	947	// at this point we know we have a good attribute cert baked it in
	948	abac_attribute_t *attr=abac_attribute_new(issuer_id, cert, cert->get_ref(cert));
	949	abac_attribute_set_head(attr, head_aspect);
	950	abac_attribute_add_tail(attr, tail_aspect);
	951
[53e540d]	952	abac_credential_t *cred = abac_xmalloc(sizeof(abac_credential_t));
[8bd77b5]	953	cred->hashkeyid=abac_xstrdup(encoded_attr_string);
	954	cred->attr=attr;
	955	cred->pl_clauses = clauses;
[53e540d]	956	*cred_ret = cred;
	957
	958	// success, add the key to the map of certificates
[8bd77b5]	959	HASH_ADD_KEYPTR(hh, attr_creds, cred->hashkeyid, strlen(cred->hashkeyid), cred);
[53e540d]	960
[8bd77b5]	961	assert(attr_hashkeyid_list);
	962	abac_list_add(attr_hashkeyid_list, abac_xstrdup(cred->hashkeyid));
[9b43fc3]	963
	964	if(debug)
[2485307]	965	fprintf(stderr, "-->adding into attr_creds 2, (%s)..cnt(%d)\n",
[9b43fc3]	966	cred->hashkeyid, HASH_COUNT(attr_creds));
	967
[da5afdf]	968	return ABAC_CERT_SUCCESS;
	969
	970	error:
[8bd77b5]	971	if (head_aspect) abac_aspect_free(head_aspect);
	972	if (tail_aspect) abac_aspect_free(tail_aspect);
[b5a3da4]	973	abac_yy_free_rule_clauses();
[da5afdf]	974
	975	return ret;
	976	}
[8bd77b5]	977
[da5afdf]	978	/**
	979	* Load an attribute cert.
	980	* Returns true only if the certificate is valid and is issued by the proper
	981	* authority.
[5d06689]	982	* attribute string is parsed via yyparse call
[da5afdf]	983	*/
	984	static int _load_attribute_cert(certificate_t cert, abac_credential_t *cred_ret) {
	985	ietf_attributes_t *attr_cert = NULL;
	986	int ret, i;
	987
	988	// get the attr
	989	ac_t ac = (ac_t )cert;
	990	attr_cert = ac->get_groups(ac);
	991	if (attr_cert == NULL) {
	992	ret = ABAC_CERT_INVALID;
	993	goto error;
	994	}
	995
	996	char *encoded_attr_string=attr_cert->get_string(attr_cert);
	997	char *attr_string = abac_decode_string(encoded_attr_string);
	998	if(debug)
[2485307]	999	fprintf(stderr, "string to be yyparse..(%d)(%s)\n",strlen(attr_string),attr_string);
[da5afdf]	1000
	1001	if (attr_string == NULL) {
	1002	ret = ABAC_CERT_INVALID;
	1003	goto error;
	1004	}
	1005
	1006	/* call into yacc parser */
	1007	abac_reset_yyfptr(attr_string);
[b5a3da4]	1008	abac_yy_init();
[da5afdf]	1009	int rc=yyparse();
	1010	if (rc) {
	1011	ret = ABAC_CERT_INVALID;
	1012	goto error;
	1013	}
	1014
[5d06689]	1015	ret=_verify_valid_credential_string(cert,cred_ret,encoded_attr_string);
[da5afdf]	1016
[5110d42]	1017	if(ret != ABAC_CERT_SUCCESS) {
[671c065]	1018	char *tmp=NULL;
	1019	asprintf(&tmp,"_load_attribute_cert: fail to process (%s)",encoded_attr_string);
	1020	panic(tmp);
[5110d42]	1021	}
	1022
[53e540d]	1023	// free up some crap
	1024	attr_cert->destroy(attr_cert);
	1025
[5110d42]	1026	return ret;
[53e540d]	1027
	1028	error:
[202a7f9]	1029	if (cert) cert->destroy(cert);
	1030	if (attr_cert) attr_cert->destroy(attr_cert);
[0779c99]	1031	return ret;
[5450aeb]	1032	}
[5f99fbc]	1033
[8bd77b5]	1034	/**
	1035	* Load an attribute cert from a abac_attribute_t.
[5d06689]	1036	* attr should be all checked out before arriving here
[8bd77b5]	1037	*/
[5d06689]	1038	int abac_verifier_load_attribute_cert_attribute(abac_attribute_t ptr, abac_credential_t *cred_ret) {
	1039	// get the attr
	1040	abac_aspect_t *head=abac_attribute_head(ptr);
	1041	abac_aspect_t *tail=abac_attribute_tail(ptr);
	1042
	1043	// preprocess for constraint part
	1044	preprocess_pl_head(head);
	1045	preprocess_pl_tail(tail);
	1046
[9b43fc3]	1047	/* setup the encoded attribute string */
	1048	char *encoded_attr_string=get_cred_encoding(ptr);
	1049	generate_pl_set_abac_yyfptr_encoded(encoded_attr_string);
	1050	/* collect up type clauses, constraint clauses and
[5d06689]	1051	generate rule clauses */
	1052	abac_list_t *clauses=generate_pl_clauses(head,tail);
[9b43fc3]	1053
	1054	abac_print_clauses(clauses,NULL);
[5d06689]	1055
	1056	abac_credential_t *cred = abac_xmalloc(sizeof(abac_credential_t));
	1057	cred->hashkeyid=abac_xstrdup(encoded_attr_string);
	1058	cred->attr=abac_attribute_dup(ptr);
	1059	cred->pl_clauses = clauses;
	1060	*cred_ret = cred;
	1061
	1062	// success, add the key to the map of certificates
	1063	HASH_ADD_KEYPTR(hh, attr_creds, cred->hashkeyid, strlen(cred->hashkeyid), cred);
	1064
	1065	assert(attr_hashkeyid_list);
	1066	abac_list_add(attr_hashkeyid_list, abac_xstrdup(cred->hashkeyid));
[9b43fc3]	1067
	1068	if(debug)
[2485307]	1069	fprintf(stderr, "-->adding into attr_creds, (%s)..cnt(%d)\n",
[9b43fc3]	1070	cred->hashkeyid, HASH_COUNT(attr_creds));
[5d06689]	1071	return ABAC_CERT_SUCCESS;
[8bd77b5]	1072	}
	1073
[e898049]	1074	/**
	1075	* Load an attribute cert from a file.
	1076	*/
[0779c99]	1077	int abac_verifier_load_attribute_cert_file(char filename, abac_credential_t *cred) {
[e898049]	1078	// load the cert
[2485307]	1079	if(debug) fprintf(stderr, "..loading attr file %s\n", filename);
[e898049]	1080	certificate_t *cert = lib->creds->create(
	1081	lib->creds, CRED_CERTIFICATE, CERT_X509_AC,
	1082	BUILD_FROM_FILE, filename,
	1083	BUILD_END
	1084	);
	1085	if (cert == NULL)
[0779c99]	1086	return ABAC_CERT_INVALID;
	1087	return _load_attribute_cert(cert, cred);
[e898049]	1088	}
	1089
	1090	/**
	1091	* Load an attribute cert from a chunk.
	1092	*/
[0779c99]	1093	int abac_verifier_load_attribute_cert_chunk(chunk_t chunk, abac_credential_t **cred) {
[e898049]	1094	// load the cert
	1095	certificate_t *cert = lib->creds->create(
	1096	lib->creds, CRED_CERTIFICATE, CERT_X509_AC,
	1097	BUILD_BLOB_ASN1_DER, chunk,
	1098	BUILD_END
	1099	);
	1100	if (cert == NULL)
[0779c99]	1101	return ABAC_CERT_INVALID;
[9b43fc3]	1102
[0779c99]	1103	return _load_attribute_cert(cert, cred);
[e898049]	1104	}
	1105
[85cdf53]	1106	/**
	1107	* Return the encoding of the attribute cert.
	1108	*/
[401a054]	1109	abac_chunk_t abac_credential_attribute_cert(abac_credential_t *cred) {
[8bd77b5]	1110	abac_attribute_t *ptr=cred->attr;
	1111	certificate_t *cert=abac_attribute_cert(ptr);
[137b55f]	1112	chunk_t encoding = chunk_empty;
	1113	int rc=cert->get_encoding(cert,CERT_ASN1_DER,&encoding);
[9efbfbf]	1114	abac_chunk_t ret = { encoding.ptr, encoding.len };
	1115	return ret;
[85cdf53]	1116	}
	1117
	1118	/**
	1119	* Return the encoding of the issuer cert.
	1120	*/
[401a054]	1121	abac_chunk_t abac_credential_issuer_cert(abac_credential_t *cred) {
[8bd77b5]	1122	certificate_t *issuer_cert=abac_attribute_issuer_cert(cred->attr);
	1123	assert(issuer_cert);
[137b55f]	1124	chunk_t encoding = chunk_empty;
	1125	// XXX MEI, not sure ??
	1126	int rc=issuer_cert->get_encoding(issuer_cert,CERT_ASN1_DER,&encoding);
[9efbfbf]	1127	abac_chunk_t ret = { encoding.ptr, encoding.len };
	1128	return ret;
[85cdf53]	1129	}
[186cb75]	1130
[53e540d]	1131	/**
	1132	* Return the clause of the cert
	1133	*/
[202a7f9]	1134	abac_list_t abac_credential_clauses(abac_credential_t cred) {
[8bd77b5]	1135	return cred->pl_clauses;
[53e540d]	1136	}
	1137
[8bd77b5]	1138	abac_attribute_t abac_credential_attribute(abac_credential_t cred) {
	1139	assert(cred);
	1140	return cred->attr;
	1141	}
[202a7f9]	1142
[186cb75]	1143	/**
[fbb591e]	1144	* Increase the ref count of a credential.
[186cb75]	1145	*/
[401a054]	1146	abac_credential_t abac_credential_dup(abac_credential_t cred) {
	1147	assert(cred != NULL);
[186cb75]	1148
[8bd77b5]	1149	abac_attribute_dup(cred->attr);
[fbb591e]	1150	return cred;
[186cb75]	1151	}
	1152
[53e540d]	1153	/**
	1154	* lookup for a credential.
	1155	*/
[202a7f9]	1156	abac_credential_t abac_credential_lookup(char cred_string)
	1157	{
	1158	if(debug)
[2485307]	1159	fprintf(stderr, "abac_credential_lookup: looking for (%s)\n", cred_string);
[8bd77b5]	1160	abac_credential_t *attr_cred;
[9b43fc3]	1161
[8bd77b5]	1162	HASH_FIND_STR(attr_creds, cred_string, attr_cred);
	1163	if (attr_cred == NULL) {
[2485307]	1164	if(debug) fprintf(stderr, "DEBUG:NOT FOUND..\n");
[53e540d]	1165	return NULL;
	1166	}
[8bd77b5]	1167	abac_credential_t *rt=abac_credential_dup(attr_cred);
[2485307]	1168	if(debug) fprintf(stderr, "DEBUG:FOUND.. (%d) returning, (%d)\n", (int)attr_cred, (int) rt);
[8bd77b5]	1169	return rt;
[53e540d]	1170	}
	1171
[186cb75]	1172	/**
[fbb591e]	1173	* Decrease the reference count of a credential, freeing it when it reaches 0.
[186cb75]	1174	*/
[202a7f9]	1175	void abac_credential_free(abac_credential_t *cred)
	1176	{
	1177	if(debug)
[2485307]	1178	fprintf(stderr, "abac_credential_free:freeing cred(%d)clause(%d)\n", (int)cred, (int)cred->pl_clauses);
[202a7f9]	1179
[401a054]	1180	if (cred == NULL)
[186cb75]	1181	return;
	1182
[8bd77b5]	1183	// this is very hacky...
	1184	int last=abac_attribute_lastone(cred->attr);
	1185	if(!last) {
	1186	abac_attribute_free(cred->attr);
[da5afdf]	1187	} else {
[2485307]	1188	if(debug) fprintf(stderr, "abac_credential_free: real free for (%d)\n",(int) cred);
[8bd77b5]	1189	free(cred->hashkeyid);
	1190	char *cur=NULL;
	1191	abac_list_foreach(cred->pl_clauses, cur,
	1192	free(cur);
	1193	);
	1194	abac_attribute_free(cred->attr);
	1195	HASH_DEL(attr_creds, cred);
	1196	free(cred);
[da5afdf]	1197	}
[186cb75]	1198	}
[53e540d]	1199
[8bd77b5]	1200	char abac_id_clause(abac_id_credential_t id_cred)
[202a7f9]	1201	{
[8bd77b5]	1202	if(id_cred)
	1203	return id_cred->pl_clause;
[202a7f9]	1204	return NULL;
	1205	}
	1206
[53e540d]	1207	/* retrieve the cn that is associated with this sha_string */
[5110d42]	1208	char abac_cn_with_sha(char sha_string)
	1209	{
[53e540d]	1210	// get the issuer based on keyid
[8bd77b5]	1211	abac_id_credential_t *id_cred;
	1212	HASH_FIND_STR(id_creds, sha_string, id_cred);
	1213	if (id_cred == NULL) {
[53e540d]	1214	return NULL;
	1215	}
[202a7f9]	1216	if(debug)
[8bd77b5]	1217	check_id_cred(id_cred);
	1218	return abac_id_cn(id_cred->id);
[53e540d]	1219	}
	1220
[8bd77b5]	1221	char abac_idtype_with_sha(char sha_string)
	1222	{
	1223	// get the issuer based on keyid
	1224	abac_id_credential_t *id_cred;
	1225	HASH_FIND_STR(id_creds, sha_string, id_cred);
	1226	if (id_cred == NULL) {
[6244e28]	1227	// this id, sha string is not in the db...
	1228	if(debug)
	1229	fprintf(stderr,"abac_idtype_with_sha: this id is not in the id_creds list\n");
[8bd77b5]	1230	return NULL;
	1231	}
	1232	int idtype=abac_id_idtype(id_cred->id);
	1233
	1234	return abac_idtype_string(idtype);
[923b4dd]	1235	}
	1236
[8bd77b5]	1237	abac_aspect_t abac_credential_head(abac_credential_t cred) {
	1238	return abac_attribute_head(cred->attr);
[923b4dd]	1239	}
	1240
[8bd77b5]	1241	abac_aspect_t abac_credential_tail(abac_credential_t cred) {
	1242	return abac_attribute_tail(cred->attr);
[923b4dd]	1243	}
	1244
	1245

Note: See TracBrowser for help on using the repository browser.

Download in other formats: