Context Navigation

source: libabac/abac_verifier.c @ ec550f7

abac0-leakabac0-meimei-idtvf-new-xml

Last change on this file since ec550f7 was ec550f7, checked in by Mei <mei@…>, 11 years ago

1) reworked how API doc is generated
2) tweak top level Makefile.am
3) loading issuer principal as side-effect of loading

an attribute credentials

4) add examples of GENI specific attribute credentials

and principal certificates into the regression testing

5) rename examples to tests

Property mode set to 100644

File size: 8.6 KB

Rev	Line
[186cb75]	1
[461541a]	2	/* abac_verifier.c */
	3	#include <assert.h>
[5450aeb]	4
[461541a]	5	#include "libabac_common.h"
	6	#include "abac.h"
[342e28f]	7	#include "abac_list.h"
[461541a]	8	#include "uthash.h"
[3c251d0]	9	#include "abac_util.h"
[5450aeb]	10
[43e3b71]	11	typedef struct _abac_id_cert_t {
[461541a]	12	char *keyid; // using cert's keyid
	13	abac_id_t *cert;
[5450aeb]	14
	15	UT_hash_handle hh;
[43e3b71]	16	} abac_id_cert_t;
[5450aeb]	17
[401a054]	18	struct _abac_credential_t {
[1743825]	19	abac_role_t *head;
	20	abac_role_t *tail;
[461541a]	21	abac_id_t issuer; / Acme of Acme.customer <- Coyote */
	22	abac_attribute_t *cert;
[fbb591e]	23
	24	int refcount;
[5f99fbc]	25	};
	26
[461541a]	27	/* hash table of all the principal id credentials */
[43e3b71]	28	abac_id_cert_t *id_certs = NULL;
[5450aeb]	29
[ec550f7]	30	extern int abac_id_pass_privkey_from_id(abac_id_t to_id, abac_id_t from_id);
	31	extern char make_pem_from_naked_pem(char naked_pem);
	32
[461541a]	33	/***********************************************************************/
[5450aeb]	34	// convert a chunk to a lowercase binary string
	35	// malloc's the string
[9ac7fb4]	36	/*** not used,
[461541a]	37	static char *_chunk_to_string(abac_chunk_t chunk) {
[5450aeb]	38	int i;
	39
[3c251d0]	40	char ret = abac_xmalloc(chunk.len 2 + 1);
[5450aeb]	41
	42	for (i = 0; i < chunk.len; ++i)
	43	sprintf(ret + 2 * i, "%02x", chunk.ptr[i]);
	44
	45	return ret;
	46	}
[9ac7fb4]	47	***/
[5450aeb]	48
	49	// verify that cert was issued by issuer
	50	// cert and issuer can be the same, in which case the self-sig is validated
[9ac7fb4]	51	/*** not used
[461541a]	52	static int _verify_cert(abac_id_t *cert) {
	53
	54	assert(cert);
	55	if(!abac_id_still_valid(cert))
	56	return 0;
	57	return 1;
[5450aeb]	58	}
[9ac7fb4]	59	***/
[5450aeb]	60
	61	/**
	62	* Init the verifier subsystem.
	63	*/
[43e3b71]	64	void abac_verifier_init(void) {
[461541a]	65	init_openssl();
	66	init_xmlsec();
[5450aeb]	67	}
	68
[186cb75]	69	/**
	70	* Uninitialize the system, free up any allocated memory.
	71	*/
[43e3b71]	72	void abac_verifier_deinit(void) {
	73	abac_id_cert_t *id;
[186cb75]	74
	75	while ((id = id_certs) != NULL) {
	76	HASH_DEL(id_certs, id);
	77
	78	free(id->keyid);
[461541a]	79	abac_id_free(id->cert);
[186cb75]	80	free(id);
	81	}
[461541a]	82	deinit_xmlsec();
	83	deinit_openssl();
[186cb75]	84	}
	85
[5450aeb]	86	/**
	87	* Load an ID certificate.
	88	*/
[461541a]	89	static int _load_id(abac_id_t *cert) {
[327e808]	90	abac_id_cert_t *id_cert = NULL;
[5450aeb]	91	char *keyid = NULL;
	92	int ret;
	93
[461541a]	94	assert(cert);
[5450aeb]	95
[2ef48fa]	96	// get the key ID
[461541a]	97	keyid = abac_id_keyid(cert);
[327e808]	98
	99	// if we already have this cert 'error' with success
	100	HASH_FIND_STR(id_certs, keyid, id_cert);
	101	if (id_cert != NULL) {
[ec550f7]	102	/* special case, if
	103	existing id does not have private key and
	104	incoming does, then need to bring that bit of
	105	information in */
	106	if(abac_id_has_privkey(cert) &&
	107	!abac_id_has_privkey(id_cert->cert)) {
	108	abac_id_pass_privkey_from_id(id_cert->cert, cert);
	109	}
[327e808]	110	ret = ABAC_CERT_SUCCESS;
	111	goto error;
	112	}
	113
[461541a]	114	ret = abac_id_still_valid(cert);
[0779c99]	115	if (!ret) {
[461541a]	116	ret = ABAC_CERT_INVALID;
[0779c99]	117	goto error;
	118	}
[5450aeb]	119
	120	// success, add the key to the map of certificates
[327e808]	121	id_cert = abac_xmalloc(sizeof(abac_id_cert_t));
[461541a]	122	id_cert->keyid = abac_xstrdup(keyid);
[5450aeb]	123	id_cert->cert = cert;
	124	HASH_ADD_KEYPTR(hh, id_certs, id_cert->keyid, strlen(id_cert->keyid), id_cert);
	125
[0779c99]	126	return ABAC_CERT_SUCCESS;
[5450aeb]	127
	128	error:
[327e808]	129	if (keyid != NULL) free(keyid);
[0779c99]	130	return ret;
[5450aeb]	131	}
	132
[461541a]	133	abac_id_t abac_verifier_lookup_id(char keyid)
	134	{
	135	abac_id_cert_t *id_cert;
	136	HASH_FIND_STR(id_certs, keyid, id_cert);
	137	if(id_cert == NULL) return NULL;
	138	return id_cert->cert;
	139	}
	140
[e898049]	141	/**
	142	* Load an ID cert from a file.
	143	*/
[43e3b71]	144	int abac_verifier_load_id_file(char *filename) {
[e898049]	145	// load the cert
[461541a]	146	abac_id_t *cert = abac_id_from_file(filename);
	147
[e898049]	148	if (cert == NULL)
[0779c99]	149	return ABAC_CERT_INVALID;
[461541a]	150
[e898049]	151	return _load_id(cert);
	152	}
	153
	154	/**
	155	* Load an ID cert from a chunk.
	156	*/
[461541a]	157	int abac_verifier_load_id_chunk(abac_chunk_t chunk) {
	158
[e898049]	159	// load the cert
[461541a]	160	abac_id_t *cert= abac_id_from_chunk(chunk);
	161
[e898049]	162	if (cert == NULL)
[0779c99]	163	return ABAC_CERT_INVALID;
[e898049]	164	return _load_id(cert);
	165	}
	166
[ec550f7]	167	/**
	168	* Load an ID cert from a char ptr of a X509 pem data
	169	* this is called from parse_privilege(..)
	170	*/
	171	int abac_verifier_load_id_chars(char *naked_pem) {
	172	/* make a well formed pem from this */
	173	char *new_naked_pem=abac_xstrdup(naked_pem);
	174	char *pem=make_pem_from_naked_pem(new_naked_pem);
	175	int len=strlen(pem);
	176	abac_chunk_t chunk = { pem, len };
	177	free(new_naked_pem);
	178	return abac_verifier_load_id_chunk(chunk);
	179	}
[5450aeb]	180	/**
	181	* Load an attribute cert.
	182	* Returns true only if the certificate is valid and is issued by the proper
	183	* authority.
	184	*/
[461541a]	185	static int _load_attribute_cert(abac_attribute_t cert, abac_credential_t *cred_ret) {
[1743825]	186	abac_role_t *head_role = NULL;
	187	abac_role_t *tail_role = NULL;
[461541a]	188	abac_id_cert_t *issuer=NULL;
	189	int ret;
[5450aeb]	190
[461541a]	191	char *attr_string=abac_attribute_role_string(cert);
[5450aeb]	192
[461541a]	193	if(attr_string == NULL) {
	194	ret = ABAC_CERT_INVALID;
	195	goto error;
[0779c99]	196	}
[5450aeb]	197
	198	// split into head/tail parts
[342e28f]	199	char *head_tail[2];
[461541a]	200	abac_split(attr_string, "<-", head_tail, &ret);
[0779c99]	201	if (ret != 2) {
	202	ret = ABAC_CERT_INVALID;
	203	goto error;
	204	}
[5450aeb]	205
	206	// must be a role
[342e28f]	207	head_role = abac_role_from_string(head_tail[0]);
[5450aeb]	208	if (head_role == NULL) goto error;
[0779c99]	209	if (!abac_role_is_role(head_role)) {
	210	ret = ABAC_CERT_INVALID;
	211	goto error;
	212	}
[5450aeb]	213
[9a411d7]	214	// make sure the tail's valid too
	215	tail_role = abac_role_from_string(head_tail[1]);
	216	if (tail_role == NULL) {
	217	ret = ABAC_CERT_INVALID;
	218	goto error;
[0779c99]	219	}
[5450aeb]	220
[dcc1a8e]	221	char *principal = abac_role_principal(head_role);
[5450aeb]	222	HASH_FIND_STR(id_certs, principal, issuer);
[0779c99]	223	if (issuer == NULL) {
	224	ret = ABAC_CERT_MISSING_ISSUER;
	225	goto error;
	226	}
[5450aeb]	227
[461541a]	228	// check if issuer is still valid
	229	if (!abac_id_still_valid(issuer->cert)) {
	230	ret = ABAC_CERT_INVALID_ISSUER;
[0779c99]	231	goto error;
	232	}
[5450aeb]	233
[461541a]	234	// make sure principal match up with keyid
	235	if(!abac_id_has_keyid(issuer->cert,principal)) {
	236	ret = ABAC_CERT_BAD_PRINCIPAL;
	237	goto error;
	238	}
	239
[5450aeb]	240	// at this point we know we have a good attribute cert
[401a054]	241	abac_credential_t *cred = abac_xmalloc(sizeof(abac_credential_t));
	242	cred->head = head_role;
	243	cred->tail = tail_role;
	244	cred->cert = cert;
[461541a]	245	/* acme's cert */
	246	cred->issuer = abac_id_dup(issuer->cert);
[fbb591e]	247	cred->refcount = 1;
[0779c99]	248	*cred_ret = cred;
[5450aeb]	249
[0779c99]	250	return ABAC_CERT_SUCCESS;
[5450aeb]	251
	252	error:
[dcc1a8e]	253	if (head_role != NULL) abac_role_free(head_role);
	254	if (tail_role != NULL) abac_role_free(tail_role);
[5450aeb]	255
[0779c99]	256	return ret;
[5450aeb]	257	}
[5f99fbc]	258
[461541a]	259	static int _load_attribute_certs(abac_list_t attr_list, abac_list_t cred_list) {
	260
	261	int sz=abac_list_size(attr_list);
	262	abac_credential_t *cred_ret=NULL;
	263	abac_attribute_t *attr;
	264	if(sz) {
	265	abac_list_foreach(attr_list, attr,
	266	int ret=_load_attribute_cert(attr, &cred_ret);
	267	if(ret==ABAC_CERT_SUCCESS) {
	268	abac_list_add(cred_list, cred_ret);
	269	}
	270	);
	271	}
	272	return sz;
	273	}
	274
[e898049]	275	/**
	276	* Load an attribute cert from a file.
	277	*/
[461541a]	278	int abac_verifier_load_attribute_cert_file(char filename, abac_list_t cred_list) {
	279
[e898049]	280	// load the cert
[461541a]	281	abac_list_t *attr_list = abac_attribute_certs_from_file(filename);
	282
	283	if (abac_list_size(attr_list) == 0)
	284	return ABAC_CERT_INVALID;
	285
	286	int ret=_load_attribute_certs(attr_list, cred_list);
	287
	288	if(ret) return ABAC_CERT_SUCCESS;
[0779c99]	289	return ABAC_CERT_INVALID;
[e898049]	290	}
	291
	292	/**
	293	* Load an attribute cert from a chunk.
	294	*/
[461541a]	295	int abac_verifier_load_attribute_cert_chunk(abac_chunk_t chunk, abac_list_t *cred_list) {
	296
[e898049]	297	// load the cert
[461541a]	298	abac_list_t *attr_list = abac_attribute_certs_from_chunk(chunk);
	299
	300	if (abac_list_size(attr_list) == 0)
[0779c99]	301	return ABAC_CERT_INVALID;
[4721618]	302
	303	int ret=_load_attribute_certs(attr_list,cred_list);
	304
	305	if(ret) return ABAC_CERT_SUCCESS;
	306	return ABAC_CERT_INVALID;
[e898049]	307	}
	308
[5f99fbc]	309	/**
	310	* Return the head role.
	311	*/
[401a054]	312	abac_role_t abac_credential_head(abac_credential_t cred) {
	313	return cred->head;
[5f99fbc]	314	}
	315
	316	/**
	317	* Return the tail role.
	318	*/
[401a054]	319	abac_role_t abac_credential_tail(abac_credential_t cred) {
	320	return cred->tail;
[5f99fbc]	321	}
[85cdf53]	322
	323	/**
[461541a]	324	* Return the xml chunk of the attribute cert.
[85cdf53]	325	*/
[401a054]	326	abac_chunk_t abac_credential_attribute_cert(abac_credential_t *cred) {
[461541a]	327	assert(cred); assert(cred->cert);
	328	return abac_attribute_cert(cred->cert);
[85cdf53]	329	}
	330
	331	/**
[461541a]	332	* Return the chunk of the issuer cert.
[85cdf53]	333	*/
[401a054]	334	abac_chunk_t abac_credential_issuer_cert(abac_credential_t *cred) {
[461541a]	335	assert(cred); assert(cred->issuer);
	336	abac_chunk_t ret= abac_id_in_PEM(cred->issuer);
[9efbfbf]	337	return ret;
[85cdf53]	338	}
[186cb75]	339
	340	/**
[fbb591e]	341	* Increase the ref count of a credential.
[186cb75]	342	*/
[401a054]	343	abac_credential_t abac_credential_dup(abac_credential_t cred) {
	344	assert(cred != NULL);
[186cb75]	345
[fbb591e]	346	++cred->refcount;
	347	return cred;
[186cb75]	348	}
	349
	350	/**
[fbb591e]	351	* Decrease the reference count of a credential, freeing it when it reaches 0.
[186cb75]	352	*/
[401a054]	353	void abac_credential_free(abac_credential_t *cred) {
	354	if (cred == NULL)
[186cb75]	355	return;
	356
[fbb591e]	357	--cred->refcount;
	358	if (cred->refcount > 0)
	359	return;
	360
[401a054]	361	abac_role_free(cred->head);
	362	abac_role_free(cred->tail);
[461541a]	363	abac_attribute_free(cred->cert);
	364	abac_id_free(cred->issuer);
[186cb75]	365
[401a054]	366	free(cred);
[186cb75]	367	}

Note: See TracBrowser for help on using the repository browser.

Context Navigation

source: libabac/abac_verifier.c @ ec550f7

Download in other formats: