Context Navigation

source: libabac/abac_verifier.c @ da5afdf

mei_rt2mei_rt2_fix_1meiyap-rt1rt2

Last change on this file since da5afdf was da5afdf, checked in by Mei <mei@…>, 12 years ago

1) add static contraint

(limited to integer at this time)

Property mode set to 100644

File size: 17.4 KB

Line
1
2	// include the GNU extension of asprintf
3	#define _GNU_SOURCE
4
5	#include <assert.h>
6	#include <stdio.h>
7
8	#include <library.h>
9	#include <credentials/certificates/certificate.h>
10	#include <credentials/certificates/x509.h>
11	#include <credentials/certificates/ac.h>
12
13	#include "abac_verifier.h"
14
15	#include "abac_list.h"
16	#include "abac_util.h"
17	#include "abac_rt.h"
18
19	extern abac_role_t *abac_get_yap_head_role();
20	extern abac_role_t *abac_get_yap_tail_role();
21	extern abac_oset_t *abac_get_yap_head_oset();
22	extern abac_oset_t *abac_get_yap_tail_oset();
23	extern int abac_get_yap_is_oset();
24	extern abac_list_t *abac_get_yap_clauses();
25	extern char* abac_decode_string(char *);
26
27	/* keeping this a fixed enum is to have tighter control of
28	what are acceptabletypes of keyid are we allowing */
29	enum keyidtype {
30	e_KEYID = 1
31	};
32	/* keyidname[keyidtype] */
33	static char * const keyidname[] =
34	{
35	"badidtype", "keyid", 0
36	};
37
38	enum credtype {
39	e_CREDTYPE_ROLE =1,
40	e_CREDTYPE_OSET =2
41	};
42
43	static int keyidname_cnt=1;
44
45	struct _abac_id_cert_t {
46	char *keyid;
47	char *cn;
48	int type; /* keyidtype */
49	certificate_t *cert;
50	char *clause;
51
52	UT_hash_handle hh;
53	};
54
55	/* can store either role or oset */
56	struct _abac_credential_t {
57	int type;
58	void *head;
59	void *tail;
60	certificate_t *cert;
61	certificate_t *issuer;
62	abac_list_t *clauses;
63
64	int refcount;
65	};
66
67	typedef struct _abac_str_cred_t {
68	char *strid;
69	abac_credential_t *cred;
70
71	UT_hash_handle hh;
72	} abac_str_cred_t;
73
74	abac_id_cert_t *id_certs = NULL;
75	abac_str_cred_t *str_creds = NULL;
76
77	static int debug=0;
78	static void check_id_cert(abac_id_cert_t *id_cert);
79	extern void abac_print_role_string_with_condition(abac_role_t role, FILE);
80
81	//
82	void abac_print_cred_info(abac_credential_t cred, FILE fp)
83	{
84	if(fp == NULL)
85	fp=stdout;
86
87	if(debug) {
88	fprintf(fp,"---> printing out credential info cred(%d)..\n", (int) cred);
89	if(cred->head) {
90	fprintf(fp," head cred(%d):\n",(int)cred->head);
91	if(cred->type == e_CREDTYPE_ROLE)
92	abac_print_role_string_with_condition((abac_role_t*)cred->head,fp);
93	else
94	abac_print_oset_string_with_condition((abac_oset_t*)cred->head,fp);
95	}
96	if(cred->tail) {
97	fprintf(fp,"\n tail cred(%d):\n",(int)cred->tail);
98	if(cred->type == e_CREDTYPE_ROLE)
99	abac_print_role_string_with_condition((abac_role_t*)cred->tail,fp);
100	else
101	abac_print_oset_string_with_condition((abac_oset_t*)cred->tail,fp);
102	}
103
104	abac_list_t *clauses=cred->clauses;
105	if (clauses != NULL) {
106	char *cur=NULL;
107	abac_list_foreach(clauses, cur,
108	fprintf(fp,"\n a clause(%d):\n",(int)cur);
109	if(cur)
110	fprintf(fp,"strlen(%d)loc(%d)(%s)\n", strlen(cur),(int)cur, cur);
111	);
112	}
113	} else {
114	fprintf(fp," ");
115	if(cred->type == e_CREDTYPE_ROLE)
116	abac_print_role_string_with_condition((abac_role_t *)cred->head,fp);
117	else abac_print_oset_string_with_condition((abac_oset_t *)cred->head,fp);
118	fprintf(fp," <- ");
119	if(cred->type == e_CREDTYPE_ROLE)
120	abac_print_role_string_with_condition((abac_role_t *)cred->tail,fp);
121	else abac_print_oset_string_with_condition((abac_oset_t *)cred->tail,fp);
122	fprintf(fp,"\n");
123	}
124	}
125
126	//
127	int abac_verify_keyid_type(char *type) {
128	int i;
129
130	if (type == NULL)
131	return 0;
132
133	for (i = 1; i <= keyidname_cnt ; i++)
134	if(strcmp(type,keyidname[i])==0)
135	return i;
136	return 0;
137	}
138
139	char *abac_keyid_type(int i)
140	{
141	return keyidname[i];
142	}
143
144	// convert a chunk to a lowercase binary string
145	// malloc's the string
146	static char *_chunk_to_string(chunk_t chunk) {
147	int i;
148
149	char ret = abac_xmalloc(chunk.len 2 + 1);
150
151	for (i = 0; i < chunk.len; ++i)
152	sprintf(ret + 2 * i, "%02x", chunk.ptr[i]);
153
154	return ret;
155	}
156
157	// verify that cert was issued by issuer
158	// cert and issuer can be the same, in which case the self-sig is validated
159	static int _verify_signature(certificate_t issuer, certificate_t cert) {
160	if (cert->issued_by(cert, issuer))
161	if (cert->get_validity(cert, NULL, NULL, NULL))
162	return 1;
163	return 0;
164	}
165
166	/**
167	* Init the verifier subsystem.
168	*/
169	void abac_verifier_init(void) {
170	// silence all debugging
171
172	if (!library_init(NULL))
173	exit(SS_RC_LIBSTRONGSWAN_INTEGRITY);
174
175	if (!lib->plugins->load(lib->plugins, NULL,
176	lib->settings->get_str(lib->settings, "pki.load", PLUGINS)))
177	exit(SS_RC_INITIALIZATION_FAILED);
178	}
179
180	/**
181	* Uninitialize the system, free up any allocated memory.
182	*/
183	void abac_verifier_deinit(void) {
184	abac_id_cert_t *id;
185	while ((id = id_certs) != NULL) {
186	HASH_DEL(id_certs, id);
187
188	free(id->keyid);
189	free(id->cn);
190	id->cert->destroy(id->cert);
191	free(id);
192	}
193
194	abac_str_cred_t *id2;
195	while ((id2 = str_creds) != NULL) {
196	HASH_DEL(str_creds, id2);
197
198	free(id2->strid);
199	free(id2);
200	}
201
202	library_deinit();
203	}
204
205	/**
206	* Load an ID certificate.
207	*/
208	static int _load_id(certificate_t cert, abac_id_cert_t *id_cert_ret) {
209	abac_id_cert_t *id_cert = NULL;
210	char *keyid = NULL;
211	chunk_t id;
212	int ret;
213	x509_t x509 = (x509_t )cert;
214
215	assert(cert != NULL);
216
217	// get the key ID
218	id = x509->get_subjectKeyIdentifier(x509);
219	keyid = _chunk_to_string(id);
220
221	char *str;
222	int rv = asprintf(&str, "%Y", cert->get_issuer(cert));
223
224	char cn=(char )abac_xmalloc(strlen(str)+2);
225	cn[0]='p';
226	int n=sscanf(str,"CN=%s", &(cn[1]));
227	if ( n!=1 ) {
228	ret = ABAC_CERT_BAD_CN;
229	goto error;
230	}
231
232	if(debug) {
233	printf ("DEBUG:keyid %s \n", keyid);
234	printf( "DEBUG:issuer '%s' \n", str);
235	printf ("DEBUG:cn %s \n", cn);
236	}
237	free(str);
238
239	// if we already have this cert 'error' with success
240	HASH_FIND_STR(id_certs, keyid, id_cert);
241	if (id_cert != NULL) {
242	ret = ABAC_CERT_SUCCESS;
243	goto error;
244	}
245
246	// validate sig
247	ret = _verify_signature(cert, cert);
248	if (!ret) {
249	ret = ABAC_CERT_BAD_SIG;
250	goto error;
251	}
252
253	// success, add the key to the map of certificates
254	id_cert = abac_xmalloc(sizeof(abac_id_cert_t));
255	id_cert->keyid = keyid;
256	id_cert->cert = cert;
257	id_cert->cn = cn;
258	/* XXX default it to it now */
259	id_cert->type = e_KEYID;
260	id_cert->clause = generate_pl_type_clause(cn, id_cert->type);
261
262	HASH_ADD_KEYPTR(hh, id_certs, id_cert->keyid, strlen(id_cert->keyid), id_cert);
263
264	*id_cert_ret=id_cert;
265
266	return ABAC_CERT_SUCCESS;
267
268	error:
269	if (keyid != NULL) free(keyid);
270	if (cn != NULL) free(cn);
271
272	return ret;
273	}
274
275	static void check_id_cert(abac_id_cert_t *id_cert)
276	{
277	if(id_cert) {
278	printf("checking on this id_cert %d\n", (int)id_cert);
279	printf(" --> sha is (%s)\n", id_cert->keyid);
280	printf(" --> cn is (%s)\n", id_cert->cn);
281	}
282	}
283
284	/**
285	* Load an attribute cert as string.
286	* have minimum syntax & validity check
287	*/
288	static int _load_attribute_string(char* attr_string) {
289	printf("NOT implemented yet!!!");
290	return ABAC_CERT_INVALID;
291	}
292
293	/**
294	* Load an ID cert from a file.
295	*/
296	int abac_verifier_load_id_file(char filename, abac_id_cert_t *id_cert_ret) {
297	if (lib == NULL)
298	errx(1, "looks like you didn't call libabac_init() (lib is NULL)");
299
300	// load the cert
301	certificate_t *cert = lib->creds->create(
302	lib->creds, CRED_CERTIFICATE, CERT_X509,
303	BUILD_FROM_FILE, filename,
304	BUILD_X509_FLAG, X509_AA, // attribute authority, dumb
305	BUILD_END
306	);
307	if (cert == NULL)
308	return ABAC_CERT_INVALID;
309	return _load_id(cert,id_cert_ret);
310	}
311
312	/**
313	* Load an ID cert from a chunk.
314	*/
315	int abac_verifier_load_id_chunk(chunk_t chunk, abac_id_cert_t **id_cert_ret) {
316	// load the cert
317	certificate_t *cert = lib->creds->create(
318	lib->creds, CRED_CERTIFICATE, CERT_X509,
319	BUILD_BLOB_ASN1_DER, chunk,
320	BUILD_X509_FLAG, X509_AA, // attribute authority, dumb
321	BUILD_END
322	);
323	if (cert == NULL)
324	return ABAC_CERT_INVALID;
325	return _load_id(cert,id_cert_ret);
326	}
327
328
329	void abac_print_clauses(abac_list_t clauses, FILE fp)
330	{
331	if (clauses != NULL) {
332	char *cur;
333	abac_list_foreach(clauses, cur,
334	if(cur) {
335	if(fp)
336	fprintf (fp,"a clause, %d(%s)\n", (int)cur,cur);
337	else printf ("a clause, %d(%s)\n", (int)cur,cur);
338	}
339	);
340	}
341	}
342
343	static int _verify_valid_role_credential(certificate_t *cert,
344	abac_credential_t *cred_ret, char encoded_attr_string)
345	{
346	abac_role_t *head_role = NULL;
347	abac_role_t *tail_role = NULL;
348	abac_list_t *clauses=NULL;
349	abac_id_cert_t *issuer;
350	int ret, i;
351
352	// get the attr
353	head_role = abac_get_yap_head_role();
354	tail_role = abac_get_yap_tail_role();
355	clauses = abac_get_yap_clauses();
356
357	// get the issuer based on keyid
358	char *principalname = abac_role_principal(head_role);
359	HASH_FIND_STR(id_certs, principalname, issuer);
360	if (issuer == NULL) {
361	ret = ABAC_CERT_MISSING_ISSUER;
362	goto error;
363	}
364
365	// make sure the issuer's signed it
366	ret = _verify_signature(issuer->cert, cert);
367	if (!ret) {
368	set_error_code(ABAC_RT_CERT_BAD_SIG);
369	goto error;
370	}
371
372	// at this point we know we have a good attribute cert
373	abac_credential_t *cred = abac_xmalloc(sizeof(abac_credential_t));
374	cred->type= e_CREDTYPE_ROLE;
375	cred->head = head_role;
376	cred->tail = tail_role;
377	cred->cert = cert;
378	cred->issuer = issuer->cert->get_ref(issuer->cert);
379	cred->clauses = clauses;
380	cred->refcount = 1;
381	*cred_ret = cred;
382
383	// success, add the key to the map of certificates
384	abac_str_cred_t *str_cred;
385	str_cred=abac_xmalloc(sizeof(abac_str_cred_t));
386	str_cred->strid=strdup(encoded_attr_string);
387	str_cred->cred=cred;
388	HASH_ADD_KEYPTR(hh, str_creds, str_cred->strid, strlen(str_cred->strid), str_cred);
389
390	return ABAC_CERT_SUCCESS;
391
392	error:
393	if (head_role) abac_role_free(head_role);
394	if (tail_role) abac_role_free(tail_role);
395	abac_free_yap_clauses();
396
397	return ret;
398	}
399
400	static int _verify_valid_oset_credential(certificate_t *cert,
401	abac_credential_t *cred_ret, char encoded_attr_string)
402	{
403	abac_oset_t *head_oset = NULL;
404	abac_oset_t *tail_oset = NULL;
405	abac_list_t *clauses=NULL;
406	abac_id_cert_t *issuer;
407	int ret, i;
408
409	// get the attr
410	head_oset = abac_get_yap_head_oset();
411	tail_oset = abac_get_yap_tail_oset();
412	clauses = abac_get_yap_clauses();
413
414	// get the issuer based on keyid
415	char *principalname = abac_oset_principal(head_oset);
416	HASH_FIND_STR(id_certs, principalname, issuer);
417	if (issuer == NULL) {
418	ret = ABAC_CERT_MISSING_ISSUER;
419	goto error;
420	}
421
422	// make sure the issuer's signed it
423	ret = _verify_signature(issuer->cert, cert);
424	if (!ret) {
425	set_error_code(ABAC_RT_CERT_BAD_SIG);
426	goto error;
427	}
428
429	// at this point we know we have a good attribute cert
430	abac_credential_t *cred = abac_xmalloc(sizeof(abac_credential_t));
431	cred->type= e_CREDTYPE_OSET;
432	cred->head = head_oset;
433	cred->tail = tail_oset;
434	cred->cert = cert;
435	cred->issuer = issuer->cert->get_ref(issuer->cert);
436	cred->clauses = clauses;
437	cred->refcount = 1;
438	*cred_ret = cred;
439
440	// success, add the key to the map of certificates
441	abac_str_cred_t *str_cred;
442	str_cred=abac_xmalloc(sizeof(abac_str_cred_t));
443	str_cred->strid=strdup(encoded_attr_string);
444	str_cred->cred=cred;
445	HASH_ADD_KEYPTR(hh, str_creds, str_cred->strid, strlen(str_cred->strid), str_cred);
446
447	return ABAC_CERT_SUCCESS;
448
449	error:
450	if (head_oset) abac_oset_free(head_oset);
451	if (tail_oset) abac_oset_free(tail_oset);
452	abac_free_yap_clauses();
453
454	return ret;
455	}
456	/**
457	* Load an attribute cert.
458	* Returns true only if the certificate is valid and is issued by the proper
459	* authority.
460	*/
461	static int _load_attribute_cert(certificate_t cert, abac_credential_t *cred_ret) {
462	ietf_attributes_t *attr_cert = NULL;
463	abac_id_cert_t *issuer;
464	int ret, i;
465
466	// get the attr
467	ac_t ac = (ac_t )cert;
468	attr_cert = ac->get_groups(ac);
469	if (attr_cert == NULL) {
470	ret = ABAC_CERT_INVALID;
471	goto error;
472	}
473
474	char *encoded_attr_string=attr_cert->get_string(attr_cert);
475	char *attr_string = abac_decode_string(encoded_attr_string);
476	if(debug)
477	printf("string to be yyparse..(%s)\n",attr_string);
478
479	if (attr_string == NULL) {
480	ret = ABAC_CERT_INVALID;
481	goto error;
482	}
483
484	/* call into yacc parser */
485	abac_reset_yyfptr(attr_string);
486	abac_yyinit();
487	int rc=yyparse();
488	if (rc) {
489	ret = ABAC_CERT_INVALID;
490	goto error;
491	}
492
493	if(abac_get_yap_is_oset()) {
494	ret=_verify_valid_oset_credential(cert,cred_ret,encoded_attr_string);
495	} else {
496	ret=_verify_valid_role_credential(cert,cred_ret,encoded_attr_string);
497	}
498
499	// free up some crap
500	attr_cert->destroy(attr_cert);
501
502	return ABAC_CERT_SUCCESS;
503
504	error:
505	if (cert) cert->destroy(cert);
506	if (attr_cert) attr_cert->destroy(attr_cert);
507	return ret;
508	}
509
510	/**
511	* Load an attribute cert from a file.
512	*/
513	int abac_verifier_load_attribute_cert_file(char filename, abac_credential_t *cred) {
514	// load the cert
515	certificate_t *cert = lib->creds->create(
516	lib->creds, CRED_CERTIFICATE, CERT_X509_AC,
517	BUILD_FROM_FILE, filename,
518	BUILD_END
519	);
520	if (cert == NULL)
521	return ABAC_CERT_INVALID;
522	return _load_attribute_cert(cert, cred);
523	}
524
525	/**
526	* Load attribute cert rules from a file. (this should only be used to test)
527	*/
528	int abac_verifier_load_certs_file(char *filename) {
529	size_t nbytes=0;
530	char *input=NULL;
531	FILE *fp;
532	int ret;
533
534	fp=fopen(filename, "r");
535
536	if(fp == NULL)
537	return ABAC_CERT_INVALID;
538
539	while( (ret=getline(&input, &nbytes, fp)) != -1 ) {
540	ret=_load_attribute_string(input);
541	free(input);
542	if(ret != ABAC_CERT_SUCCESS )
543	fclose(fp);
544	return ret;
545	}
546	fclose(fp);
547	return ABAC_CERT_SUCCESS;
548	}
549
550
551	/**
552	* Load an attribute cert from a chunk.
553	*/
554	int abac_verifier_load_attribute_cert_chunk(chunk_t chunk, abac_credential_t **cred) {
555	// load the cert
556	certificate_t *cert = lib->creds->create(
557	lib->creds, CRED_CERTIFICATE, CERT_X509_AC,
558	BUILD_BLOB_ASN1_DER, chunk,
559	BUILD_END
560	);
561	if (cert == NULL)
562	return ABAC_CERT_INVALID;
563	return _load_attribute_cert(cert, cred);
564	}
565
566	/**
567	* Return the encoding of the attribute cert.
568	*/
569	abac_chunk_t abac_credential_attribute_cert(abac_credential_t *cred) {
570	chunk_t encoding = cred->cert->get_encoding(cred->cert);
571	abac_chunk_t ret = { encoding.ptr, encoding.len };
572	return ret;
573	}
574
575	/**
576	* Return the encoding of the issuer cert.
577	*/
578	abac_chunk_t abac_credential_issuer_cert(abac_credential_t *cred) {
579	chunk_t encoding = cred->issuer->get_encoding(cred->issuer);
580	abac_chunk_t ret = { encoding.ptr, encoding.len };
581	return ret;
582	}
583
584	/**
585	* Return the clause of the cert
586	*/
587	abac_list_t abac_credential_clauses(abac_credential_t cred) {
588	return cred->clauses;
589	}
590
591
592	/**
593	* Increase the ref count of a credential.
594	*/
595	abac_credential_t abac_credential_dup(abac_credential_t cred) {
596	assert(cred != NULL);
597
598	++cred->refcount;
599	return cred;
600	}
601
602	/**
603	* lookup for a credential.
604	*/
605	abac_credential_t abac_credential_lookup(char cred_string)
606	{
607	if(debug)
608	printf("DEBUG:doing abac_crendential_lookup ... (%s)\n", cred_string);
609	abac_str_cred_t *str_cred;
610	HASH_FIND_STR(str_creds, cred_string, str_cred);
611	if (str_cred == NULL) {
612	if(debug) printf("DEBUG:NOT FOUND..\n");
613	return NULL;
614	}
615	if(debug) printf("DEBUG:FOUND..(%d)\n", (int) str_cred->cred);
616	return str_cred->cred;
617	}
618
619	/**
620	* Decrease the reference count of a credential, freeing it when it reaches 0.
621	*/
622	void abac_credential_free(abac_credential_t *cred)
623	{
624	if(debug)
625	printf("DEBUG:freeing cred(%d)clause(%d)\n", (int)cred, (int)cred->clauses);
626
627	if (cred == NULL)
628	return;
629
630	--cred->refcount;
631	if (cred->refcount > 0)
632	return;
633
634	if(cred->type == e_CREDTYPE_ROLE) {
635	abac_role_free((abac_role_t *)cred->head);
636	abac_role_free((abac_role_t *)cred->tail);
637	} else {
638	abac_oset_free((abac_oset_t *)cred->head);
639	abac_oset_free((abac_oset_t *)cred->tail);
640	}
641	cred->cert->destroy(cred->cert);
642	cred->issuer->destroy(cred->issuer); // reference counted
643	/* no need to free yap_clauses here */
644	free(cred);
645	}
646
647	char abac_id_clause(abac_id_cert_t id_cert)
648	{
649	if(id_cert)
650	return id_cert->clause;
651	return NULL;
652	}
653
654	/* retrieve the cn that is associated with this sha_string */
655	char abac_cn_with_sha(char sha_string) {
656
657	// get the issuer based on keyid
658	abac_id_cert_t *id_cert;
659	HASH_FIND_STR(id_certs, sha_string, id_cert);
660	if (id_cert == NULL) {
661	return NULL;
662	}
663	if(debug)
664	check_id_cert(id_cert);
665	return id_cert->cn;
666	}
667
668	/* retrieve the cn that is associated with the principal of this role */
669	char abac_cn_with_role(abac_role_t role) {
670
671	char *principal = abac_role_principal(role);
672	return abac_cn_with_sha(principal);
673	}
674
675	/* retrieve the cn that is associated with the principal of this oset */
676	char abac_cn_with_oset(abac_oset_t oset) {
677
678	char *principal = abac_oset_principal(oset);
679	return abac_cn_with_sha(principal);
680	}
681

Note: See TracBrowser for help on using the repository browser.

Download in other formats: