Context Navigation

source: libabac/abac_verifier.c @ 05f6d35

mei_rt2mei_rt2_fix_1

Last change on this file since 05f6d35 was 6244e28, checked in by Mei <mei@…>, 12 years ago
1) added extract_cn for abac_verifier.c 2) update example directory's save log for the new multi proof case
Property mode set to `100644`
File size: 34.2 KB

Line
1	/**
2	** abac_verifier.c
3	**/
4
5	// include the GNU extension of asprintf
6	#define _GNU_SOURCE
7
8	#include <stdio.h>
9	#include <regex.h>
10	#include <sys/mman.h>
11	#include <fcntl.h>
12	#include <sys/types.h>
13	#include <sys/stat.h>
14	#include <unistd.h>
15
16
17	#include <assert.h>
18	#include <stdio.h>
19
20	#include <library.h>
21
22	#include "abac_internal.h"
23	#include "abac_verifier.h"
24
25	#include "abac_util.h"
26	#include "abac_rt.h"
27
28	static int debug=0;
29
30	/* from abac_attribute.c */
31	extern char get_cred_encoding(abac_attribute_t ptr);
32
33	extern abac_aspect_t *abac_yy_get_rule_head_aspect();
34	extern abac_aspect_t *abac_yy_get_rule_tail_aspect();
35	extern abac_list_t *abac_yy_get_rule_clauses();
36	extern char* abac_decode_string(char *);
37	extern void abac_yy_free_rule_clauses();
38	extern char generate_pl_type_clause(char , int);
39	extern abac_list_t generate_pl_clauses(abac_aspect_t , abac_aspect_t *);
40	extern void generate_pl_set_abac_yyfptr_encoded(char *string);
41
42	extern void abac_print_aspect_string_with_condition(abac_aspect_t role, FILE);
43
44	extern int abac_id_load_privkey_chunk(abac_id_t *ptr, chunk_t keychunk);
45
46	struct _abac_id_credential_t {
47	char *hashkeyid;
48	abac_id_t *id;
49	char *pl_clause;
50
51	UT_hash_handle hh;
52	};
53	/* hash table base on sha with a p */
54	abac_id_credential_t *id_creds = NULL;
55	/* linked list of all the ids's hashkeyid */
56	abac_list_t *id_hashkeyid_list = NULL;
57
58	/* can store either role or oset */
59	struct _abac_credential_t {
60	char *hashkeyid;
61	abac_attribute_t *attr;
62	abac_list_t *pl_clauses;
63
64	UT_hash_handle hh;
65	};
66	/* hash table base on encoded attr rule */
67	abac_credential_t *attr_creds = NULL;
68	/* linked list of all the attr's hashkeyid */
69	abac_list_t *attr_hashkeyid_list = NULL;
70
71	/*****************************************************************************/
72	void abac_print_cred_info(abac_credential_t cred, FILE fp)
73	{
74	if(fp == NULL)
75	fp=stdout;
76
77	abac_attribute_t *ptr=cred->attr;
78	abac_aspect_t *head=abac_attribute_head(ptr);
79	abac_aspect_t *tail=abac_attribute_tail(ptr);
80
81	if(debug) {
82	fprintf(fp,"---> printing out credential info cred(%d)..\n", (int) cred);
83	if(head) {
84	abac_print_aspect_string_with_condition(head,fp);
85	}
86	if(tail) {
87	abac_print_aspect_string_with_condition(tail,fp);
88	}
89
90	abac_list_t *clauses=cred->pl_clauses;
91	if (clauses != NULL) {
92	char *cur=NULL;
93	abac_list_foreach(clauses, cur,
94	fprintf(fp,"\n a clause(%d):\n",(int)cur);
95	if(cur)
96	fprintf(fp,"strlen(%d)loc(%d)(%s)\n", strlen(cur),(int)cur, cur);
97	);
98	}
99	} else {
100	fprintf(fp," ");
101	abac_print_aspect_string_with_condition(head,fp);
102	fprintf(fp," <- ");
103	abac_print_aspect_string_with_condition(tail,fp);
104	fprintf(fp,"\n");
105	}
106	}
107
108	void abac_print_prin_info(abac_id_credential_t prin, FILE fp)
109	{
110	if(fp == NULL)
111	return;
112
113	abac_id_t *ptr=abac_id_credential_id(prin);
114
115	if(debug) fprintf(fp,"---> printing out principal info ..\n");
116	if(abac_id_has_privkey(ptr))
117	fprintf(fp," (%s,%s,y)\n",abac_id_name(ptr),abac_id_idtype_string(ptr));
118	else
119	fprintf(fp," (%s,%s,n)\n",abac_id_name(ptr),abac_id_idtype_string(ptr));
120	}
121
122	//
123	int abac_verify_idtype_type(char *type) {
124	int i;
125
126	if (type == NULL)
127	return 0;
128
129	for (i = 1; i <= _idtypename_cnt ; i++)
130	if(strcmp(type,_idtypename[i])==0)
131	return i;
132	return 0;
133	}
134
135	char *abac_idtype_string(int i)
136	{
137	if(i > _idtypename_cnt) {
138	printf("bad idtypename idx %d\n", i);
139	panic("abac_idtype_string: went out of range on idtypename");
140	}
141	return (char*) _idtypename[i];
142	}
143
144	// convert a chunk to a lowercase binary string
145	// malloc's the string
146	static char *_chunk_to_string(chunk_t chunk) {
147	int i;
148
149	char ret = abac_xmalloc(chunk.len 2 + 1);
150
151	for (i = 0; i < chunk.len; ++i)
152	sprintf(ret + 2 * i, "%02x", chunk.ptr[i]);
153
154	return ret;
155	}
156
157	// verify that cert was issued by issuer
158	// cert and issuer can be the same, in which case the self-sig is validated
159	static int _verify_signature(certificate_t issuer_cert, certificate_t cert) {
160	if (cert->issued_by(cert, issuer_cert))
161	if (cert->get_validity(cert, NULL, NULL, NULL))
162	return 1;
163	return 0;
164	}
165
166	/**
167	* Init the verifier subsystem.
168	*/
169	void abac_verifier_init(void) {
170	// silence all debugging
171
172	if (!library_init(NULL))
173	exit(SS_RC_LIBSTRONGSWAN_INTEGRITY);
174
175	if (!lib->plugins->load(lib->plugins, NULL,
176	lib->settings->get_str(lib->settings, "pki.load", PLUGINS)))
177	exit(SS_RC_INITIALIZATION_FAILED);
178
179	attr_hashkeyid_list = abac_list_new();
180	id_hashkeyid_list = abac_list_new();
181	}
182
183	/**
184	* Uninitialize the system, free up any allocated memory.
185	*/
186	void abac_verifier_deinit(void) {
187	if(debug)fprintf(stderr, "abac_verifier_deinit... being called..\n");
188
189	abac_id_credential_t *ptr;
190	while ((ptr = id_creds) != NULL) {
191	if(debug) fprintf(stderr, "abac_verifier_deinit: deleting id (%s)\n",abac_id_name(ptr->id));
192	HASH_DEL(id_creds, ptr);
193
194	free(ptr->hashkeyid);
195	free(ptr->pl_clause);
196	abac_id_free(ptr->id);
197	free(ptr);
198	}
199
200	abac_credential_t *ptr2;
201	while ((ptr2 = attr_creds) != NULL) {
202	HASH_DEL(attr_creds, ptr2);
203	if(debug) {
204	fprintf(stderr, "abac_verifier_deinit: deleting attr hashkey(%s)\n",ptr2->hashkeyid);
205	}
206	free(ptr2->hashkeyid);
207	abac_attribute_free(ptr2->attr);
208	char *cur=NULL;
209	abac_list_foreach(ptr2->pl_clauses, cur,
210	free(cur);
211	);
212	free(ptr2->pl_clauses);
213	free(ptr2);
214	}
215
216	if(attr_hashkeyid_list) {
217	char *cur;
218	if(attr_hashkeyid_list) {
219	abac_list_foreach(attr_hashkeyid_list, cur,
220	if(cur) free(cur);
221	);
222	}
223	abac_list_free(attr_hashkeyid_list);
224	}
225
226	if(id_hashkeyid_list) {
227	if(debug) fprintf(stderr, "looking to free id_hashkeyid_lst..\n");
228	char *cur;
229	if(id_hashkeyid_list) {
230	abac_list_foreach(id_hashkeyid_list, cur,
231	if(cur) {
232	if(debug) fprintf(stderr, "hum.. id hashkey being freed.. %s\n", cur);
233	free(cur);
234	}
235	);
236	}
237	abac_list_free(id_hashkeyid_list);
238	}
239
240	library_deinit();
241	}
242
243	abac_id_credential_t abac_verifier_add_id_credential(abac_id_t a_id)
244	{
245	abac_id_credential_t *id_cred;
246	char *cn=abac_id_cn(a_id);
247	char *keyid=abac_id_keyid(a_id);
248
249	if(debug) {
250	fprintf(stderr, "abac_verifier_add_id_credential, cn(%s),keyid(%s)\n",
251	cn, keyid);
252	}
253
254	// add the abac_id to the map of id credentials
255	id_cred = abac_xmalloc(sizeof(abac_id_credential_t));
256	id_cred->hashkeyid = abac_xstrdup(keyid);
257	id_cred->id=abac_id_dup(a_id);
258
259	/* special handling here */
260	if(USE("ABAC_CN")) {
261	id_cred->pl_clause = generate_pl_type_clause(cn, abac_id_idtype(a_id));
262	} else {
263	id_cred->pl_clause=generate_pl_type_clause(prologIt(keyid), abac_id_idtype(a_id));
264	}
265	HASH_ADD_KEYPTR(hh, id_creds, id_cred->hashkeyid, strlen(id_cred->hashkeyid), id_cred);
266	if(debug)
267	fprintf(stderr, "-->adding into id_creds, (%s)..cnt(%d)(%d)\n",
268	id_cred->hashkeyid, HASH_COUNT(id_creds),(int)id_cred);
269
270	assert(id_hashkeyid_list);
271	abac_list_add(id_hashkeyid_list, abac_xstrdup(id_cred->hashkeyid));
272	return id_cred;
273	}
274
275	/* have to find the last cn
276	CN=test/emailAddress=abac.isi.edu, CN=12345678
277	CN=client
278	..CN=255a03f3-ed30/emailAddress=..
279	*/
280	static char* _extract_cn(char *string)
281	{
282	char *ptr=strstr(string,"CN=");
283	if(ptr == NULL) return NULL;
284
285	/* look for last CN= */
286	while(1) {
287	char *tptr=ptr+3;
288	char *p=strstr(tptr,"CN=");
289	if(p) ptr=p;
290	else break;
291	}
292
293	/* remove the possible additional stuff */
294	char cn=abac_xstrdup(ptr); / it would get write over */
295	abac_credential_t *cred = abac_xmalloc(sizeof(abac_credential_t));
296
297	char *nptr=strtok(cn,"/");
298	char pcn=abac_xmalloc(sizeof(char) strlen(nptr));
299	pcn[0]='p';
300	sscanf(nptr,"CN=%s", &pcn[1]);
301	free(cn);
302	return pcn;
303	}
304
305	/**
306	* Load an ID
307	*/
308	static int _load_id(abac_id_t *a_id,certificate_t cert, abac_id_credential_t **id_cred_ret) {
309	abac_id_credential_t *id_cred = NULL;
310	char *keyid = NULL;
311	chunk_t id;
312	int ret;
313	x509_t x509 = (x509_t )cert;
314
315	assert(cert != NULL);
316
317	// get the key ID, add p to keyid SHA here */
318	id = x509->get_subjectKeyIdentifier(x509);
319	keyid = _chunk_to_string(id);
320
321	/* Mike said this is the way it is */
322	char *str=NULL;
323	int rv = asprintf(&str, "%Y", cert->get_issuer(cert));
324
325	/* add p to cn name here */
326	char *cn=_extract_cn(str);
327	if(cn == NULL) {
328	ret = ABAC_CERT_BAD_CN;
329	goto error;
330	}
331
332	if(debug) {
333	fprintf(stderr, "DEBUG:keyid %s \n", keyid);
334	fprintf(stderr, "DEBUG:issuer '%s' \n", str);
335	fprintf(stderr, "DEBUG:cn %s \n", cn);
336	}
337	free(str);
338
339	// if we already have this cert 'error' with success
340	HASH_FIND_STR(id_creds, keyid, id_cred);
341	if (id_cred != NULL) {
342	if(debug) fprintf(stderr, "existing cert \n");
343	ret = ABAC_CERT_EXISTS;
344	goto error;
345	}
346
347	// validate sig
348	ret = _verify_signature(cert, cert);
349	if (!ret) {
350	ret = ABAC_CERT_BAD_SIG;
351	goto error;
352	}
353
354	// success, add a new abac_id
355	if(*a_id==NULL) {
356	*a_id=abac_id_keyid_new(keyid,cn,cert);
357	}
358
359	abac_id_credential_t n_id_cred=abac_verifier_add_id_credential(a_id);
360	*id_cred_ret=n_id_cred;
361
362	if (keyid != NULL) free(keyid);
363	if (cn != NULL) free(cn);
364
365	return ABAC_CERT_SUCCESS;
366
367	error:
368	if (keyid != NULL) free(keyid);
369	if (cn != NULL) free(cn);
370
371	return ret;
372	}
373
374	/* collect all the creds stored so far */
375	abac_stack_t *abac_verifier_dump_creds()
376	{
377	abac_stack_t *cred_list = abac_stack_new();
378
379	int cnt=0;
380	if(attr_hashkeyid_list) {
381	char *keyid;
382	abac_credential_t *cred;
383	abac_list_foreach(attr_hashkeyid_list, keyid,
384	cred=abac_credential_lookup(keyid);
385	abac_stack_push(cred_list, cred);
386	cnt++;
387	);
388	}
389	if(debug) fprintf(stderr, "abac_verifier_dump_cred: %d\n",cnt);
390	return cred_list;
391	}
392
393	/* collect all the id stored so far */
394	abac_stack_t *abac_verifier_dump_principals()
395	{
396	abac_stack_t *id_list = abac_stack_new();
397
398	int cnt=0;
399	if(id_hashkeyid_list) {
400	char *keyid;
401	abac_id_credential_t *id;
402	abac_list_foreach(id_hashkeyid_list, keyid,
403	id=abac_id_credential_lookup(keyid);
404	abac_stack_push(id_list, id);
405	cnt++;
406	);
407	}
408	if(debug) fprintf(stderr, "abac_verifier_dump_principals: %d\n",cnt);
409	return id_list;
410	}
411
412
413	static void check_id_cred(abac_id_credential_t *id_cred)
414	{
415	if(id_cred) {
416	printf("checking on this id_cred location %d\n", (int)id_cred);
417	printf(" --> sha is (%s)\n", abac_id_keyid(id_cred->id));
418	printf(" --> cn is (%s)\n", abac_id_cn(id_cred->id));
419	}
420	}
421
422	/**
423	* Load an attribute cert as string.
424	* have minimum syntax & validity check
425	*/
426	static int _load_attribute_string(char* attr_string) {
427	printf("NOT implemented yet!!!");
428	return ABAC_CERT_INVALID;
429	}
430
431	/**
432	* Load an ID cert from a file.
433	*/
434	int abac_verifier_load_id_file_key_file(char filename, char keyfilename,
435	abac_id_credential_t **id_cred_ret)
436	{
437	abac_id_t *id=NULL;
438	if (lib == NULL)
439	errx(1, "looks like you didn't call libabac_init() (lib is NULL)");
440
441	if(debug) fprintf(stderr, "loading id file... %s\n", filename);
442
443	// load the cert, with public key
444	certificate_t *cert = lib->creds->create(
445	lib->creds, CRED_CERTIFICATE, CERT_X509,
446	BUILD_FROM_FILE, filename,
447	BUILD_X509_FLAG, X509_AA, // attribute authority, dumb
448	BUILD_END
449	);
450
451	if (cert == NULL)
452	return ABAC_CERT_INVALID;
453
454	int rc=_load_id(&id,cert,id_cred_ret);
455	if(rc==ABAC_CERT_EXISTS) {
456	if(debug) fprintf(stderr, "abac_verifier_load_id_files: id already exists\n");
457	return ABAC_CERT_SUCCESS;
458	}
459
460	/* try to load the private key if it is there */
461	if((rc==ABAC_CERT_SUCCESS) && keyfilename!=NULL && file_exist(keyfilename)) {
462	if(debug) fprintf(stderr, "loading... %s\n", keyfilename);
463	int keyrc=abac_id_load_privkey_file(id, keyfilename);
464	if(debug) {
465	if(keyrc == 1) fprintf(stderr, "..load_id_file: load(%s) with a private key\n",filename);
466	else printf("..load_id_file: load(%s) without a private key\n",filename);
467	}
468	}
469	return ABAC_CERT_SUCCESS;
470	}
471
472	int abac_verifier_load_enc_id_file_key_file(char filename, char keyfilename,
473	char pfile, abac_id_credential_t *id_cred_ret)
474	{
475	abac_id_t *id=NULL;
476	if (lib == NULL)
477	errx(1, "looks like you didn't call libabac_init() (lib is NULL)");
478
479	if(debug) fprintf(stderr, "loading id file... %s\n", filename);
480
481	// load the cert, with public key
482	certificate_t *cert = lib->creds->create(
483	lib->creds, CRED_CERTIFICATE, CERT_X509,
484	BUILD_FROM_FILE, filename,
485	BUILD_X509_FLAG, X509_AA, // attribute authority, dumb
486	BUILD_END
487	);
488
489	if (cert == NULL)
490	return ABAC_CERT_INVALID;
491
492	int rc=_load_id(&id,cert,id_cred_ret);
493	if(rc==ABAC_CERT_EXISTS) {
494	if(debug) fprintf(stderr, "abac_verifier_load_id_files: id already exists\n");
495	return ABAC_CERT_SUCCESS;
496	}
497
498	/* try to load the private key if it is there */
499	if((rc==ABAC_CERT_SUCCESS) && keyfilename!=NULL && file_exist(keyfilename)) {
500	if(debug) fprintf(stderr, "loading... %s\n", keyfilename);
501	int keyrc=abac_id_load_enc_privkey_file(id, keyfilename, pfile);
502	if(debug) {
503	if(keyrc == 1) fprintf(stderr, "..load_id_file: load(%s) with a private key\n",filename);
504	else printf("..load_id_file: load(%s) without a private key\n",filename);
505	}
506	}
507	return ABAC_CERT_SUCCESS;
508	}
509
510	/**
511	* Load an ID cert from a abac_id_t
512	*/
513	int abac_verifier_load_id_id(abac_id_t id, abac_id_credential_t *id_cred_ret) {
514	certificate_t *cert = abac_id_cert(id);
515	return _load_id(&id,cert,id_cred_ret);
516	}
517
518	/**
519	* Load an ID cert from a chunk.
520	*/
521	int abac_verifier_load_id_pem_chunk(chunk_t chunk, abac_id_credential_t **id_cred_ret) {
522	abac_id_t *id=NULL;
523	// load the cert
524	certificate_t *cert = lib->creds->create(
525	lib->creds, CRED_CERTIFICATE, CERT_X509,
526	BUILD_BLOB_PEM, chunk,
527	BUILD_X509_FLAG, X509_AA, // attribute authority, dumb
528	BUILD_END
529	);
530	if (cert == NULL)
531	return ABAC_CERT_INVALID;
532	return _load_id(&id, cert,id_cred_ret);
533	}
534	/**
535	* Load an ID cert from a chunk, Note, this only loads the id cert part
536	* and so it is not suitable for creating an attribute credential with.
537	* Only a complete id cert + privkey could create attribute credential.
538	*/
539	int abac_verifier_load_id_chunk(chunk_t chunk, abac_id_credential_t **id_cred_ret) {
540	abac_id_t *id=NULL;
541	// load the cert
542	certificate_t *cert = lib->creds->create(
543	lib->creds, CRED_CERTIFICATE, CERT_X509,
544	BUILD_BLOB_ASN1_DER, chunk,
545	BUILD_X509_FLAG, X509_AA, // attribute authority, dumb
546	BUILD_END
547	);
548	if (cert == NULL)
549	return ABAC_CERT_INVALID;
550	return _load_id(&id, cert,id_cred_ret);
551	}
552
553	/**
554	* Load an ID cert from a cert chunk and a privkey chunk,
555	* this complete id cert + privkey could create attribute credential.
556	*/
557	int abac_verifier_load_id_privkey_chunk(chunk_t chunk, chunk_t privkey_chunk,
558	abac_id_credential_t **id_cred_ret) {
559
560	abac_id_t *id=NULL;
561	// load the cert
562	certificate_t *cert = lib->creds->create(
563	lib->creds, CRED_CERTIFICATE, CERT_X509,
564	BUILD_BLOB_ASN1_DER, chunk,
565	BUILD_X509_FLAG, X509_AA, // attribute authority, dumb
566	BUILD_END
567	);
568	if (cert == NULL)
569	return ABAC_CERT_INVALID;
570
571	int rc=_load_id(&id, cert,id_cred_ret);
572	if(rc == ABAC_CERT_SUCCESS) {
573	rc=abac_id_load_privkey_chunk(id, privkey_chunk);
574	}
575
576	return rc;
577	}
578
579	int abac_verifier_load_id_enc_privkey_chunk(chunk_t chunk, chunk_t privkey_chunk,
580	char* pfile, abac_id_credential_t **id_cred_ret) {
581
582	abac_id_t *id=NULL;
583	// load the cert
584	certificate_t *cert = lib->creds->create(
585	lib->creds, CRED_CERTIFICATE, CERT_X509,
586	BUILD_BLOB_ASN1_DER, chunk,
587	BUILD_X509_FLAG, X509_AA, // attribute authority, dumb
588	BUILD_END
589	);
590	if (cert == NULL)
591	return ABAC_CERT_INVALID;
592
593	int rc=_load_id(&id, cert,id_cred_ret);
594	if(rc == ABAC_CERT_SUCCESS) {
595	rc=abac_id_load_enc_privkey_chunk(id, privkey_chunk, pfile);
596	}
597
598	return rc;
599	}
600
601
602
603	abac_id_t abac_verifier_load_issuer(char filename, char *keyfilename)
604	{
605	abac_id_credential_t *id_cred=NULL;
606	int ret=abac_verifier_load_id_file_key_file(filename,keyfilename,&id_cred);
607	if(ret !=ABAC_CERT_SUCCESS)
608	return NULL;
609	abac_id_t *issuer=abac_id_credential_id(id_cred);
610	return issuer;
611	}
612
613
614	static int matchex(const char subject, const char pattern, int so, int eo)
615	{
616	int rc; // Returned code
617	regmatch_t pmatch;
618
619	regex_t re; // Compiled regexp pattern
620
621	if (regcomp(&re, pattern, 0) != 0) return 0;
622
623	rc = regexec(&re, subject, 1 , &pmatch, 0);
624	regfree(&re);
625
626	if (rc == REG_NOMATCH ) return 0;
627
628	*so=pmatch.rm_so;
629	*eo=pmatch.rm_eo;
630
631	return 1;
632	}
633
634
635
636	static chunk_t _extract_chunk(char data, char startline, char* endline)
637	{
638	int found=0;
639	int startos=0;
640	int endos=0;
641	regex_t re;
642	regmatch_t pm;
643	int rc;
644
645	int st;
646	int et;
647
648	rc=matchex(data, startline, &st, &et);
649	if(rc==0) return chunk_empty;
650	startos=st;
651
652	rc=matchex(data, endline, &st, &et);
653	if(rc==0) return chunk_empty;
654	endos=et;
655
656	int len=endos - startos;
657
658	if(debug) fprintf(stderr, "making a chunk of size (%d) from %d and %d\n",len, startos,endos);
659	char *ptr=strndup(data+startos,len);
660
661	chunk_t ret = { ptr, len };
662	return ret;
663	}
664
665
666	int abac_verifier_load_idkey_file(char filename, abac_id_credential_t *id_cred_ret)
667	{
668	struct stat sb;
669	int fd;
670	int rc;
671
672	fd = open(filename, O_RDONLY);
673	if (fd == -1) { return 1; }
674	if(stat(filename, &sb) == -1) {
675	close(fd);
676	return 1;
677	}
678	char* data = (char *)mmap(NULL, sb.st_size, PROT_READ, MAP_PRIVATE, fd, 0);
679	if(data == MAP_FAILED) {
680	close(fd);
681	return 1;
682	}
683	close(fd);
684
685	chunk_t key_pem_chunk=_extract_chunk(data,
686	"-----BEGIN RSA PRIVATE KEY-----","-----END RSA PRIVATE KEY-----");
687	chunk_t cert_pem_chunk=_extract_chunk(data,
688	"-----BEGIN CERTIFICATE-----","-----END CERTIFICATE-----");
689
690	/* key=0, cert=0 */
691	if(key_pem_chunk.len==0 && cert_pem_chunk.len==0) {
692	if(debug) fprintf(stderr, "abac_verifier_load_idkey_file: no key or id in idkey_file\n");
693	goto error;
694	}
695
696	/* key=0, cert=1 */
697	if(key_pem_chunk.len==0) {
698	if(debug) fprintf(stderr, "abac_verifier_load_idkey_file: no key in idkey_file\n");
699	munmap(data, sb.st_size);
700	chunk_free(&key_pem_chunk);
701	return abac_verifier_load_id_file_key_file(filename,NULL,id_cred_ret);
702	}
703
704	/* key=1, cert=1 */
705	if(cert_pem_chunk.len!=0) {
706	if(debug) {
707	fprintf(stderr, "loading cert pem chunk %d\n", cert_pem_chunk.len);
708	printf("(%s)\n",cert_pem_chunk.ptr);
709	}
710	rc=abac_verifier_load_id_pem_chunk(cert_pem_chunk, id_cred_ret);
711	if(rc != 0) {
712	if(debug) fprintf(stderr, "abac_verifier_load_idkey_file: fail to load the id\n");
713	goto error;
714	}
715	/* key=1, cert=0 */
716	} else {
717	if(debug) fprintf(stderr, "abac_verifier_load_idkey_file: there is no id info in there\n");
718	goto error;
719	}
720
721	/* handle the key_pem_chunk */
722	if(debug) {
723	fprintf(stderr, "loading key pem chunk %d\n", key_pem_chunk.len);
724	printf("(%s)\n",key_pem_chunk.ptr);
725	}
726	abac_id_t id=abac_id_credential_id(id_cred_ret);
727	rc=abac_id_load_privkey_chunk(id, key_pem_chunk);
728	if(rc==0) {
729	printf("abac_verifier_load_idkey_file:failed to load priv key!!!\n");
730	goto error;
731	}
732
733	munmap(data, sb.st_size);
734	return 0;
735
736	error:
737	munmap(data, sb.st_size);
738	return 1;
739	}
740
741
742	int abac_verifier_load_enc_idkey_file(char filename, char pfile,
743	abac_id_credential_t **id_cred_ret)
744	{
745	struct stat sb;
746	int fd;
747	int rc;
748
749	fd = open(filename, O_RDONLY);
750	if (fd == -1) { return 1; }
751	if(stat(filename, &sb) == -1) {
752	close(fd);
753	return 1;
754	}
755	char* data = (char *)mmap(NULL, sb.st_size, PROT_READ, MAP_PRIVATE, fd, 0);
756	if(data == MAP_FAILED) {
757	close(fd);
758	return 1;
759	}
760	close(fd);
761
762	chunk_t key_pem_chunk=_extract_chunk(data,
763	"-----BEGIN RSA PRIVATE KEY-----","-----END RSA PRIVATE KEY-----");
764	chunk_t cert_pem_chunk=_extract_chunk(data,
765	"-----BEGIN CERTIFICATE-----","-----END CERTIFICATE-----");
766
767	/* key=0, cert=0 */
768	if(key_pem_chunk.len==0 && cert_pem_chunk.len==0) {
769	if(debug) fprintf(stderr, "abac_verifier_load_idkey_file: no key or id in idkey_file\n");
770	goto error;
771	}
772
773	/* key=0, cert=1 */
774	if(key_pem_chunk.len==0) {
775	if(debug) fprintf(stderr, "abac_verifier_load_idkey_file: no key in idkey_file\n");
776	munmap(data, sb.st_size);
777	chunk_free(&key_pem_chunk);
778	return abac_verifier_load_id_file_key_file(filename,NULL,id_cred_ret);
779	}
780
781	/* key=1, cert=1 */
782	if(cert_pem_chunk.len!=0) {
783	if(debug) {
784	fprintf(stderr, "loading cert pem chunk %d\n", cert_pem_chunk.len);
785	printf("(%s)\n",cert_pem_chunk.ptr);
786	}
787	rc=abac_verifier_load_id_pem_chunk(cert_pem_chunk, id_cred_ret);
788	if(rc != 0) {
789	if(debug) fprintf(stderr, "abac_verifier_load_idkey_file: fail to load the id\n");
790	goto error;
791	}
792	/* key=1, cert=0 */
793	} else {
794	if(debug) fprintf(stderr, "abac_verifier_load_idkey_file: there is no id info in there\n");
795	goto error;
796	}
797
798	/* handle the key_pem_chunk */
799	if(debug) {
800	fprintf(stderr, "loading key pem chunk %d\n", key_pem_chunk.len);
801	printf("(%s)\n",key_pem_chunk.ptr);
802	printf("(%d)\n",strlen(key_pem_chunk.ptr));
803	}
804	abac_id_t id=abac_id_credential_id(id_cred_ret);
805	rc=abac_id_load_enc_privkey_chunk(id, key_pem_chunk, pfile);
806	if(rc==0) {
807	printf("abac_verifier_load_idkey_file:failed to load priv key!!!\n");
808	goto error;
809	}
810
811	munmap(data, sb.st_size);
812	return 0;
813
814	error:
815	munmap(data, sb.st_size);
816	return 1;
817	}
818
819	void abac_print_clauses(abac_list_t clauses, FILE fp)
820	{
821	if (clauses != NULL) {
822	char *cur;
823	printf("total-- %d clauses\n", abac_list_size(clauses));
824	abac_list_foreach(clauses, cur,
825	if(cur) {
826	if(fp)
827	fprintf (fp,"a clause, %d(%s)\n", (int)cur,cur);
828	else printf ("a clause, %d(%s)\n", (int)cur,cur);
829	}
830	);
831	}
832	}
833
834	abac_id_credential_t abac_id_credential_dup(abac_id_credential_t ptr) {
835	assert(ptr != NULL);
836	if(debug)
837	fprintf(stderr, "calling abac_id_credential_dup, increment id ref count\n");
838	abac_id_dup(ptr->id);
839	return ptr;
840	}
841
842	abac_id_t abac_id_credential_id(abac_id_credential_t ptr)
843	{
844	assert(ptr);
845	return ptr->id;
846	}
847
848
849	abac_id_credential_t abac_id_credential_lookup(char pname)
850	{
851	abac_id_credential_t *id_cred=NULL;
852	HASH_FIND_STR(id_creds, pname, id_cred);
853	if(id_cred != NULL)
854	return abac_id_credential_dup(id_cred);
855	else return NULL;
856	}
857
858	void abac_id_credential_free(abac_id_credential_t *ptr)
859	{
860	if (ptr == NULL)
861	return;
862
863	if(debug)
864	fprintf(stderr, "abac_id_credential_free:freeing (%s)\n", abac_id_name(ptr->id));
865
866	// this is very hacky...
867	int last=abac_id_lastone(ptr->id);
868	if(!last) {
869	if(debug) fprintf(stderr, "abac_id_credential_free:not last one\n");
870	abac_id_free(ptr->id);
871	} else {
872	if(debug) fprintf(stderr, "abac_id_credential_free: deleting id (%s)\n",abac_id_name(ptr->id));
873	free(ptr->hashkeyid);
874	if(ptr->pl_clause)
875	free(ptr->pl_clause);
876	abac_id_free(ptr->id);
877	HASH_DEL(id_creds, ptr);
878	free(ptr);
879	}
880	}
881
882	/****************************************************************************/
883
884	static int _verify_valid_credential_string(certificate_t *cert,
885	abac_credential_t *cred_ret, char encoded_attr_string)
886	{
887	abac_aspect_t *head_aspect = NULL;
888	abac_aspect_t *tail_aspect = NULL;
889	abac_list_t *clauses=NULL;
890	abac_id_credential_t *id_cred;
891	abac_id_t *issuer_id;
892	int ret, i;
893
894	// get the attr
895	head_aspect = abac_yy_get_rule_head_aspect();
896	tail_aspect = abac_yy_get_rule_tail_aspect();
897	clauses = abac_yy_get_rule_clauses();
898
899	// get the issuer based on keyid
900	char *principalname = abac_aspect_principal_principalname(head_aspect);
901	if(debug) fprintf(stderr, "LOOKING for %s\n", principalname);
902
903	HASH_FIND_STR(id_creds, principalname, id_cred);
904	if(id_cred == NULL) {
905	ret = ABAC_CERT_MISSING_ISSUER;
906	if(debug)
907	fprintf(stderr, "can not find %s in id_creds\n", principalname);
908	goto error;
909	}
910	issuer_id=id_cred->id;
911	if (issuer_id == NULL) {
912	ret = ABAC_CERT_MISSING_ISSUER;
913	if(debug)
914	fprintf(stderr, "can not find %s in id_creds\n", principalname);
915	goto error;
916	}
917
918
919	// make sure the issuer's signed it
920	ret = _verify_signature(abac_id_cert(issuer_id), cert);
921	if (!ret) {
922	abac_yy_set_error_code(ABAC_RT_CERT_BAD_SIG);
923	ret=ABAC_CERT_BAD_SIG;
924	goto error;
925	}
926
927	// at this point we know we have a good attribute cert baked it in
928	abac_attribute_t *attr=abac_attribute_new(issuer_id, cert, cert->get_ref(cert));
929	abac_attribute_set_head(attr, head_aspect);
930	abac_attribute_add_tail(attr, tail_aspect);
931
932	abac_credential_t *cred = abac_xmalloc(sizeof(abac_credential_t));
933	cred->hashkeyid=abac_xstrdup(encoded_attr_string);
934	cred->attr=attr;
935	cred->pl_clauses = clauses;
936	*cred_ret = cred;
937
938	// success, add the key to the map of certificates
939	HASH_ADD_KEYPTR(hh, attr_creds, cred->hashkeyid, strlen(cred->hashkeyid), cred);
940
941	assert(attr_hashkeyid_list);
942	abac_list_add(attr_hashkeyid_list, abac_xstrdup(cred->hashkeyid));
943
944	if(debug)
945	fprintf(stderr, "-->adding into attr_creds 2, (%s)..cnt(%d)\n",
946	cred->hashkeyid, HASH_COUNT(attr_creds));
947
948	return ABAC_CERT_SUCCESS;
949
950	error:
951	if (head_aspect) abac_aspect_free(head_aspect);
952	if (tail_aspect) abac_aspect_free(tail_aspect);
953	abac_yy_free_rule_clauses();
954
955	return ret;
956	}
957
958	/**
959	* Load an attribute cert.
960	* Returns true only if the certificate is valid and is issued by the proper
961	* authority.
962	* attribute string is parsed via yyparse call
963	*/
964	static int _load_attribute_cert(certificate_t cert, abac_credential_t *cred_ret) {
965	ietf_attributes_t *attr_cert = NULL;
966	abac_id_credential_t *issuer;
967	int ret, i;
968
969	// get the attr
970	ac_t ac = (ac_t )cert;
971	attr_cert = ac->get_groups(ac);
972	if (attr_cert == NULL) {
973	ret = ABAC_CERT_INVALID;
974	goto error;
975	}
976
977	char *encoded_attr_string=attr_cert->get_string(attr_cert);
978	char *attr_string = abac_decode_string(encoded_attr_string);
979	if(debug)
980	fprintf(stderr, "string to be yyparse..(%d)(%s)\n",strlen(attr_string),attr_string);
981
982	if (attr_string == NULL) {
983	ret = ABAC_CERT_INVALID;
984	goto error;
985	}
986
987	/* call into yacc parser */
988	abac_reset_yyfptr(attr_string);
989	abac_yy_init();
990	int rc=yyparse();
991	if (rc) {
992	ret = ABAC_CERT_INVALID;
993	goto error;
994	}
995
996	ret=_verify_valid_credential_string(cert,cred_ret,encoded_attr_string);
997
998	if(ret != ABAC_CERT_SUCCESS) {
999	char *tmp=NULL;
1000	asprintf(&tmp,"_load_attribute_cert: fail to process (%s)",encoded_attr_string);
1001	panic(tmp);
1002	}
1003
1004	// free up some crap
1005	attr_cert->destroy(attr_cert);
1006
1007	return ret;
1008
1009	error:
1010	if (cert) cert->destroy(cert);
1011	if (attr_cert) attr_cert->destroy(attr_cert);
1012	return ret;
1013	}
1014
1015	/**
1016	* Load an attribute cert from a abac_attribute_t.
1017	* attr should be all checked out before arriving here
1018	*/
1019	int abac_verifier_load_attribute_cert_attribute(abac_attribute_t ptr, abac_credential_t *cred_ret) {
1020	// get the attr
1021	abac_aspect_t *head=abac_attribute_head(ptr);
1022	abac_aspect_t *tail=abac_attribute_tail(ptr);
1023
1024	// preprocess for constraint part
1025	preprocess_pl_head(head);
1026	preprocess_pl_tail(tail);
1027
1028	/* setup the encoded attribute string */
1029	char *encoded_attr_string=get_cred_encoding(ptr);
1030	generate_pl_set_abac_yyfptr_encoded(encoded_attr_string);
1031	/* collect up type clauses, constraint clauses and
1032	generate rule clauses */
1033	abac_list_t *clauses=generate_pl_clauses(head,tail);
1034
1035	abac_print_clauses(clauses,NULL);
1036
1037	abac_credential_t *cred = abac_xmalloc(sizeof(abac_credential_t));
1038	cred->hashkeyid=abac_xstrdup(encoded_attr_string);
1039	cred->attr=abac_attribute_dup(ptr);
1040	cred->pl_clauses = clauses;
1041	*cred_ret = cred;
1042
1043	// success, add the key to the map of certificates
1044	HASH_ADD_KEYPTR(hh, attr_creds, cred->hashkeyid, strlen(cred->hashkeyid), cred);
1045
1046	assert(attr_hashkeyid_list);
1047	abac_list_add(attr_hashkeyid_list, abac_xstrdup(cred->hashkeyid));
1048
1049	if(debug)
1050	fprintf(stderr, "-->adding into attr_creds, (%s)..cnt(%d)\n",
1051	cred->hashkeyid, HASH_COUNT(attr_creds));
1052	return ABAC_CERT_SUCCESS;
1053	}
1054
1055	/**
1056	* Load an attribute cert from a file.
1057	*/
1058	int abac_verifier_load_attribute_cert_file(char filename, abac_credential_t *cred) {
1059	// load the cert
1060	if(debug) fprintf(stderr, "..loading attr file %s\n", filename);
1061	certificate_t *cert = lib->creds->create(
1062	lib->creds, CRED_CERTIFICATE, CERT_X509_AC,
1063	BUILD_FROM_FILE, filename,
1064	BUILD_END
1065	);
1066	if (cert == NULL)
1067	return ABAC_CERT_INVALID;
1068	return _load_attribute_cert(cert, cred);
1069	}
1070
1071	/**
1072	* Load an attribute cert from a chunk.
1073	*/
1074	int abac_verifier_load_attribute_cert_chunk(chunk_t chunk, abac_credential_t **cred) {
1075	// load the cert
1076	certificate_t *cert = lib->creds->create(
1077	lib->creds, CRED_CERTIFICATE, CERT_X509_AC,
1078	BUILD_BLOB_ASN1_DER, chunk,
1079	BUILD_END
1080	);
1081	if (cert == NULL)
1082	return ABAC_CERT_INVALID;
1083
1084	return _load_attribute_cert(cert, cred);
1085	}
1086
1087	/**
1088	* Return the encoding of the attribute cert.
1089	*/
1090	abac_chunk_t abac_credential_attribute_cert(abac_credential_t *cred) {
1091	abac_attribute_t *ptr=cred->attr;
1092	certificate_t *cert=abac_attribute_cert(ptr);
1093	chunk_t encoding = chunk_empty;
1094	int rc=cert->get_encoding(cert,CERT_ASN1_DER,&encoding);
1095	abac_chunk_t ret = { encoding.ptr, encoding.len };
1096	return ret;
1097	}
1098
1099	/**
1100	* Return the encoding of the issuer cert.
1101	*/
1102	abac_chunk_t abac_credential_issuer_cert(abac_credential_t *cred) {
1103	certificate_t *issuer_cert=abac_attribute_issuer_cert(cred->attr);
1104	assert(issuer_cert);
1105	chunk_t encoding = chunk_empty;
1106	// XXX MEI, not sure ??
1107	int rc=issuer_cert->get_encoding(issuer_cert,CERT_ASN1_DER,&encoding);
1108	abac_chunk_t ret = { encoding.ptr, encoding.len };
1109	return ret;
1110	}
1111
1112	/**
1113	* Return the clause of the cert
1114	*/
1115	abac_list_t abac_credential_clauses(abac_credential_t cred) {
1116	return cred->pl_clauses;
1117	}
1118
1119	abac_attribute_t abac_credential_attribute(abac_credential_t cred) {
1120	assert(cred);
1121	return cred->attr;
1122	}
1123
1124	/**
1125	* Increase the ref count of a credential.
1126	*/
1127	abac_credential_t abac_credential_dup(abac_credential_t cred) {
1128	assert(cred != NULL);
1129
1130	abac_attribute_dup(cred->attr);
1131	return cred;
1132	}
1133
1134	/**
1135	* lookup for a credential.
1136	*/
1137	abac_credential_t abac_credential_lookup(char cred_string)
1138	{
1139	if(debug)
1140	fprintf(stderr, "abac_credential_lookup: looking for (%s)\n", cred_string);
1141	abac_credential_t *attr_cred;
1142
1143	HASH_FIND_STR(attr_creds, cred_string, attr_cred);
1144	if (attr_cred == NULL) {
1145	if(debug) fprintf(stderr, "DEBUG:NOT FOUND..\n");
1146	return NULL;
1147	}
1148	abac_credential_t *rt=abac_credential_dup(attr_cred);
1149	if(debug) fprintf(stderr, "DEBUG:FOUND.. (%d) returning, (%d)\n", (int)attr_cred, (int) rt);
1150	return rt;
1151	}
1152
1153	/**
1154	* Decrease the reference count of a credential, freeing it when it reaches 0.
1155	*/
1156	void abac_credential_free(abac_credential_t *cred)
1157	{
1158	if(debug)
1159	fprintf(stderr, "abac_credential_free:freeing cred(%d)clause(%d)\n", (int)cred, (int)cred->pl_clauses);
1160
1161	if (cred == NULL)
1162	return;
1163
1164	// this is very hacky...
1165	int last=abac_attribute_lastone(cred->attr);
1166	if(!last) {
1167	abac_attribute_free(cred->attr);
1168	} else {
1169	if(debug) fprintf(stderr, "abac_credential_free: real free for (%d)\n",(int) cred);
1170	free(cred->hashkeyid);
1171	char *cur=NULL;
1172	abac_list_foreach(cred->pl_clauses, cur,
1173	free(cur);
1174	);
1175	abac_attribute_free(cred->attr);
1176	HASH_DEL(attr_creds, cred);
1177	free(cred);
1178	}
1179	}
1180
1181	char abac_id_clause(abac_id_credential_t id_cred)
1182	{
1183	if(id_cred)
1184	return id_cred->pl_clause;
1185	return NULL;
1186	}
1187
1188	/* retrieve the cn that is associated with this sha_string */
1189	char abac_cn_with_sha(char sha_string)
1190	{
1191	// get the issuer based on keyid
1192	abac_id_credential_t *id_cred;
1193	HASH_FIND_STR(id_creds, sha_string, id_cred);
1194	if (id_cred == NULL) {
1195	return NULL;
1196	}
1197	if(debug)
1198	check_id_cred(id_cred);
1199	return abac_id_cn(id_cred->id);
1200	}
1201
1202	char abac_idtype_with_sha(char sha_string)
1203	{
1204	// get the issuer based on keyid
1205	abac_id_credential_t *id_cred;
1206	HASH_FIND_STR(id_creds, sha_string, id_cred);
1207	if (id_cred == NULL) {
1208	// this id, sha string is not in the db...
1209	if(debug)
1210	fprintf(stderr,"abac_idtype_with_sha: this id is not in the id_creds list\n");
1211	return NULL;
1212	}
1213	int idtype=abac_id_idtype(id_cred->id);
1214
1215	return abac_idtype_string(idtype);
1216	}
1217
1218	abac_aspect_t abac_credential_head(abac_credential_t cred) {
1219	return abac_attribute_head(cred->attr);
1220	}
1221
1222	abac_aspect_t abac_credential_tail(abac_credential_t cred) {
1223	return abac_attribute_tail(cred->attr);
1224	}
1225
1226

Note: See TracBrowser for help on using the repository browser.

Download in other formats: