source: libabac/abac_verifier.c @ 0d0c3a9

mei_rt2mei_rt2_fix_1meiyap-rt1rt2
Last change on this file since 0d0c3a9 was 0d0c3a9, checked in by Mei <mei@…>, 12 years ago

1) adding missing extern forward declarations that is causing

freeBSD compiled prover to coredump
  • Property mode set to 100644
File size: 17.6 KB
Line 
1
2// include the GNU extension of asprintf
3#define _GNU_SOURCE
4
5#include <assert.h>
6#include <stdio.h>
7
8#include <library.h>
9#include <credentials/certificates/certificate.h>
10#include <credentials/certificates/x509.h>
11#include <credentials/certificates/ac.h>
12
13#include "abac_verifier.h"
14
15#include "abac_list.h"
16#include "abac_util.h"
17#include "abac_rt.h"
18
19extern abac_role_t *abac_yy_get_rule_head_role();
20extern abac_role_t *abac_yy_get_rule_tail_role();
21extern abac_oset_t *abac_yy_get_rule_head_oset();
22extern abac_oset_t *abac_yy_get_rule_tail_oset();
23extern int abac_yy_get_rule_is_oset();
24extern abac_list_t *abac_yy_get_rule_clauses();
25extern char* abac_decode_string(char *);
26extern void abac_yy_free_rule_clauses();
27extern char *generate_pl_type_clause(char *, int);
28
29
30/* keeping this a fixed enum is to have tighter control of
31   what are acceptabletypes of keyid are we allowing */
32typedef enum _keyidtype_t {
33    e_KEYID = 1,
34} keyidtype_t;
35
36/* keyidname[keyidtype] */
37static char * const keyidname[] =
38{
39  "badidtype", "keyid", 0
40};
41
42typedef enum _credtype_t {
43   e_CREDTYPE_ROLE =1,
44   e_CREDTYPE_OSET =2,
45} credtype_t;
46
47static int keyidname_cnt=1;
48
49struct _abac_id_cert_t {
50    char *keyid;
51    char *cn;
52    int type; /* keyidtype */
53    certificate_t *cert;
54    char *clause;
55
56    UT_hash_handle hh;
57};
58
59/* can store either role or oset */
60struct _abac_credential_t {
61    int type;
62    void *head;
63    void *tail;
64    certificate_t *cert;
65    certificate_t *issuer;
66    abac_list_t *clauses;
67
68    int refcount;
69};
70
71typedef struct _abac_str_cred_t {
72    char *strid;
73    abac_credential_t *cred;
74
75    UT_hash_handle hh;
76} abac_str_cred_t;
77
78abac_id_cert_t *id_certs = NULL;
79abac_str_cred_t *str_creds = NULL;
80
81static int debug=0;
82static void check_id_cert(abac_id_cert_t *id_cert);
83extern void abac_print_role_string_with_condition(abac_role_t *role, FILE*);
84
85//
86void abac_print_cred_info(abac_credential_t *cred, FILE *fp)
87{
88    if(fp == NULL)
89        fp=stdout;
90
91    if(debug) {
92        fprintf(fp,"---> printing out credential info cred(%d)..\n", (int) cred);
93        if(cred->head) {
94            fprintf(fp,"  head cred(%d):\n",(int)cred->head);
95            if(cred->type == e_CREDTYPE_ROLE)
96               abac_print_role_string_with_condition((abac_role_t*)cred->head,fp);
97               else
98                   abac_print_oset_string_with_condition((abac_oset_t*)cred->head,fp);
99        }
100        if(cred->tail) {
101            fprintf(fp,"\n  tail cred(%d):\n",(int)cred->tail);
102            if(cred->type == e_CREDTYPE_ROLE)
103                abac_print_role_string_with_condition((abac_role_t*)cred->tail,fp);
104                else
105                    abac_print_oset_string_with_condition((abac_oset_t*)cred->tail,fp);
106        }
107
108        abac_list_t *clauses=cred->clauses;
109        if (clauses != NULL) {
110            char *cur=NULL;
111            abac_list_foreach(clauses, cur,
112                fprintf(fp,"\n  a clause(%d):\n",(int)cur);
113                if(cur)
114                    fprintf(fp,"strlen(%d)loc(%d)(%s)\n", strlen(cur),(int)cur, cur);
115            );
116        }
117        } else {
118            fprintf(fp," ");
119            if(cred->type == e_CREDTYPE_ROLE)
120                abac_print_role_string_with_condition((abac_role_t *)cred->head,fp);
121                else abac_print_oset_string_with_condition((abac_oset_t *)cred->head,fp);
122            fprintf(fp," <- ");
123            if(cred->type == e_CREDTYPE_ROLE)
124                abac_print_role_string_with_condition((abac_role_t *)cred->tail,fp);
125                else abac_print_oset_string_with_condition((abac_oset_t *)cred->tail,fp);
126            fprintf(fp,"\n");
127   }
128}
129
130//
131int abac_verify_keyid_type(char *type) {
132    int i;
133
134    if (type == NULL)
135        return 0;
136
137    for (i = 1; i <= keyidname_cnt ; i++)
138        if(strcmp(type,keyidname[i])==0)
139            return i;
140    return 0;
141}
142
143char *abac_keyid_type(int i)
144{
145    return keyidname[i];
146}
147
148// convert a chunk to a lowercase binary string
149// malloc's the string
150static char *_chunk_to_string(chunk_t chunk) {
151    int i;
152
153    char *ret = abac_xmalloc(chunk.len * 2 + 1);
154
155    for (i = 0; i < chunk.len; ++i)
156        sprintf(ret + 2 * i, "%02x", chunk.ptr[i]);
157
158    return ret;
159}
160
161// verify that cert was issued by issuer
162// cert and issuer can be the same, in which case the self-sig is validated
163static int _verify_signature(certificate_t *issuer, certificate_t *cert) {
164    if (cert->issued_by(cert, issuer))
165        if (cert->get_validity(cert, NULL, NULL, NULL))
166            return 1;
167    return 0;
168}
169
170/**
171 * Init the verifier subsystem.
172 */
173void abac_verifier_init(void) {
174    // silence all debugging
175
176    if (!library_init(NULL))
177        exit(SS_RC_LIBSTRONGSWAN_INTEGRITY);
178
179    if (!lib->plugins->load(lib->plugins, NULL,
180            lib->settings->get_str(lib->settings, "pki.load", PLUGINS)))
181        exit(SS_RC_INITIALIZATION_FAILED);
182}
183
184/**
185 * Uninitialize the system, free up any allocated memory.
186 */
187void abac_verifier_deinit(void) {
188    abac_id_cert_t *id;
189    while ((id = id_certs) != NULL) {
190        HASH_DEL(id_certs, id);
191
192        free(id->keyid);
193        free(id->cn);
194        id->cert->destroy(id->cert);
195        free(id);
196    }
197
198    abac_str_cred_t *id2;
199    while ((id2 = str_creds) != NULL) {
200        HASH_DEL(str_creds, id2);
201
202        free(id2->strid);
203        free(id2);
204    }
205
206    library_deinit();
207}
208
209/**
210 * Load an ID certificate.
211 */
212static int _load_id(certificate_t *cert, abac_id_cert_t **id_cert_ret) {
213    abac_id_cert_t *id_cert = NULL;
214    char *keyid = NULL;
215    chunk_t id;
216    int ret;
217    x509_t *x509 = (x509_t *)cert;
218
219    assert(cert != NULL);
220
221    // get the key ID
222    id = x509->get_subjectKeyIdentifier(x509);
223    keyid = _chunk_to_string(id);
224
225    /* Mike said this is the way it is */
226    char *str;
227    int rv = asprintf(&str, "%Y", cert->get_issuer(cert));
228
229    char *cn=(char *)abac_xmalloc(strlen(str)+2);
230    cn[0]='p';
231    int n=sscanf(str,"CN=%s", &(cn[1]));
232    if ( n!=1 ) { 
233        ret = ABAC_CERT_BAD_CN;
234        goto error;
235    }
236
237    if(debug) {
238        printf ("DEBUG:keyid %s \n", keyid);
239        printf( "DEBUG:issuer '%s' \n", str);
240        printf ("DEBUG:cn %s \n", cn);
241    }
242    free(str);
243
244    // if we already have this cert 'error' with success
245    HASH_FIND_STR(id_certs, keyid, id_cert);
246    if (id_cert != NULL) {
247        ret = ABAC_CERT_SUCCESS;
248        goto error;
249    }
250
251    // validate sig
252    ret = _verify_signature(cert, cert);
253    if (!ret) {
254        ret = ABAC_CERT_BAD_SIG;
255        goto error;
256    }
257
258    // success, add the key to the map of certificates
259    id_cert = abac_xmalloc(sizeof(abac_id_cert_t));
260    id_cert->keyid = keyid;
261    id_cert->cert = cert;
262    id_cert->cn = cn;
263    id_cert->type = e_KEYID;
264    id_cert->clause = generate_pl_type_clause(cn, id_cert->type);
265
266    HASH_ADD_KEYPTR(hh, id_certs, id_cert->keyid, strlen(id_cert->keyid), id_cert);
267
268    *id_cert_ret=id_cert;
269
270    return ABAC_CERT_SUCCESS;
271
272error:
273    if (keyid != NULL) free(keyid);
274    if (cn != NULL) free(cn);
275
276    return ret;
277}
278
279static void check_id_cert(abac_id_cert_t *id_cert)
280{
281    if(id_cert) {
282        printf("checking on this id_cert %d\n", (int)id_cert);
283        printf("  --> sha is (%s)\n", id_cert->keyid);
284        printf("  --> cn is (%s)\n", id_cert->cn);
285    }
286}
287
288/**
289 * Load an attribute cert as string.
290 * have minimum syntax & validity check
291 */
292static int _load_attribute_string(char* attr_string) {
293    printf("NOT implemented yet!!!");
294    return ABAC_CERT_INVALID;
295}
296
297/**
298 * Load an ID cert from a file.
299 */
300int abac_verifier_load_id_file(char *filename, abac_id_cert_t **id_cert_ret) {
301    if (lib == NULL)
302        errx(1, "looks like you didn't call libabac_init() (lib is NULL)");
303
304    // load the cert
305    certificate_t *cert = lib->creds->create(
306        lib->creds, CRED_CERTIFICATE, CERT_X509,
307        BUILD_FROM_FILE, filename,
308        BUILD_X509_FLAG, X509_AA, // attribute authority, dumb
309        BUILD_END
310    );
311    if (cert == NULL)
312        return ABAC_CERT_INVALID;
313    return _load_id(cert,id_cert_ret);
314}
315
316/**
317 * Load an ID cert from a chunk.
318 */
319int abac_verifier_load_id_chunk(chunk_t chunk, abac_id_cert_t **id_cert_ret) {
320    // load the cert
321    certificate_t *cert = lib->creds->create(
322        lib->creds, CRED_CERTIFICATE, CERT_X509,
323        BUILD_BLOB_ASN1_DER, chunk,
324        BUILD_X509_FLAG, X509_AA, // attribute authority, dumb
325        BUILD_END
326    );
327    if (cert == NULL)
328        return ABAC_CERT_INVALID;
329    return _load_id(cert,id_cert_ret);
330}
331
332
333void abac_print_clauses(abac_list_t *clauses, FILE *fp)
334{
335    if (clauses != NULL) {
336        char *cur;
337        abac_list_foreach(clauses, cur,
338            if(cur) {
339                if(fp)
340                    fprintf (fp,"a clause, %d(%s)\n", (int)cur,cur);
341                    else printf ("a clause, %d(%s)\n", (int)cur,cur);
342            }
343        );
344    }
345}
346
347static int _verify_valid_role_credential(certificate_t *cert,
348abac_credential_t **cred_ret, char *encoded_attr_string)
349{
350    abac_role_t *head_role = NULL;
351    abac_role_t *tail_role = NULL;
352    abac_list_t *clauses=NULL;
353    abac_id_cert_t *issuer;
354    int ret, i;
355
356    // get the attr
357    head_role = abac_yy_get_rule_head_role();
358    tail_role = abac_yy_get_rule_tail_role();
359    clauses = abac_yy_get_rule_clauses();
360
361    // get the issuer based on keyid
362    char *principalname = abac_role_principal(head_role);
363    HASH_FIND_STR(id_certs, principalname, issuer);
364    if (issuer == NULL) {
365        ret = ABAC_CERT_MISSING_ISSUER;
366        goto error;
367    }
368
369    // make sure the issuer's signed it
370    ret = _verify_signature(issuer->cert, cert);
371    if (!ret) {
372        abac_yy_set_error_code(ABAC_RT_CERT_BAD_SIG);
373        goto error;
374    }
375
376    // at this point we know we have a good attribute cert
377    abac_credential_t *cred = abac_xmalloc(sizeof(abac_credential_t));
378    cred->type= e_CREDTYPE_ROLE;
379    cred->head = head_role;
380    cred->tail = tail_role;
381    cred->cert = cert;
382    cred->issuer = issuer->cert->get_ref(issuer->cert);
383    cred->clauses = clauses;
384    cred->refcount = 1;
385    *cred_ret = cred;
386
387    // success, add the key to the map of certificates
388    abac_str_cred_t *str_cred;
389    str_cred=abac_xmalloc(sizeof(abac_str_cred_t));
390    str_cred->strid=strdup(encoded_attr_string);
391    str_cred->cred=cred;
392    HASH_ADD_KEYPTR(hh, str_creds, str_cred->strid, strlen(str_cred->strid), str_cred);
393
394    return ABAC_CERT_SUCCESS;
395
396error:
397    if (head_role) abac_role_free(head_role);
398    if (tail_role) abac_role_free(tail_role);
399    abac_yy_free_rule_clauses();
400
401    return ret;
402}
403
404static int _verify_valid_oset_credential(certificate_t *cert,
405abac_credential_t **cred_ret, char *encoded_attr_string)
406{
407    abac_oset_t *head_oset = NULL;
408    abac_oset_t *tail_oset = NULL;
409    abac_list_t *clauses=NULL;
410    abac_id_cert_t *issuer;
411    int ret, i;
412
413    // get the attr
414    head_oset = abac_yy_get_rule_head_oset();
415    tail_oset = abac_yy_get_rule_tail_oset();
416    clauses = abac_yy_get_rule_clauses();
417
418    // get the issuer based on keyid
419    char *principalname = abac_oset_principal(head_oset);
420    HASH_FIND_STR(id_certs, principalname, issuer);
421    if (issuer == NULL) {
422        ret = ABAC_CERT_MISSING_ISSUER;
423        goto error;
424    }
425
426    // make sure the issuer's signed it
427    ret = _verify_signature(issuer->cert, cert);
428    if (!ret) {
429        abac_yy_set_error_code(ABAC_RT_CERT_BAD_SIG);
430        goto error;
431    }
432
433    // at this point we know we have a good attribute cert
434    abac_credential_t *cred = abac_xmalloc(sizeof(abac_credential_t));
435    cred->type= e_CREDTYPE_OSET;
436    cred->head = head_oset;
437    cred->tail = tail_oset;
438    cred->cert = cert;
439    cred->issuer = issuer->cert->get_ref(issuer->cert);
440    cred->clauses = clauses;
441    cred->refcount = 1;
442    *cred_ret = cred;
443
444    // success, add the key to the map of certificates
445    abac_str_cred_t *str_cred;
446    str_cred=abac_xmalloc(sizeof(abac_str_cred_t));
447    str_cred->strid=strdup(encoded_attr_string);
448    str_cred->cred=cred;
449    HASH_ADD_KEYPTR(hh, str_creds, str_cred->strid, strlen(str_cred->strid), str_cred);
450
451    return ABAC_CERT_SUCCESS;
452
453error:
454    if (head_oset) abac_oset_free(head_oset);
455    if (tail_oset) abac_oset_free(tail_oset);
456    abac_yy_free_rule_clauses();
457
458    return ret;
459}
460/**
461 * Load an attribute cert.
462 * Returns true only if the certificate is valid and is issued by the proper
463 * authority.
464 */
465static int _load_attribute_cert(certificate_t *cert, abac_credential_t **cred_ret) {
466    ietf_attributes_t *attr_cert = NULL;
467    abac_id_cert_t *issuer;
468    int ret, i;
469
470    // get the attr
471    ac_t *ac = (ac_t *)cert;
472    attr_cert = ac->get_groups(ac);
473    if (attr_cert == NULL) {
474        ret = ABAC_CERT_INVALID;
475        goto error;
476    }
477
478    char *encoded_attr_string=attr_cert->get_string(attr_cert);
479    char *attr_string = abac_decode_string(encoded_attr_string);
480    if(debug)
481         printf("string to be yyparse..(%s)\n",attr_string);
482
483    if (attr_string == NULL) {
484        ret = ABAC_CERT_INVALID;
485        goto error;
486    }
487
488    /* call into yacc parser */
489    abac_reset_yyfptr(attr_string);
490    abac_yy_init();
491    int rc=yyparse();
492    if (rc) {
493        ret = ABAC_CERT_INVALID;
494        goto error;
495    }
496
497    if(abac_yy_get_rule_is_oset()) {
498        ret=_verify_valid_oset_credential(cert,cred_ret,encoded_attr_string);
499        } else {
500            ret=_verify_valid_role_credential(cert,cred_ret,encoded_attr_string);
501    }
502
503    // free up some crap
504    attr_cert->destroy(attr_cert);
505
506    return ABAC_CERT_SUCCESS;
507
508error:
509    if (cert) cert->destroy(cert);
510    if (attr_cert) attr_cert->destroy(attr_cert);
511    return ret;
512}
513
514/**
515 * Load an attribute cert from a file.
516 */
517int abac_verifier_load_attribute_cert_file(char *filename, abac_credential_t **cred) {
518    // load the cert
519    certificate_t *cert = lib->creds->create(
520        lib->creds, CRED_CERTIFICATE, CERT_X509_AC,
521        BUILD_FROM_FILE, filename,
522        BUILD_END
523    );
524    if (cert == NULL)
525        return ABAC_CERT_INVALID;
526    return _load_attribute_cert(cert, cred);
527}
528
529/**
530 * Load attribute cert rules from a file. (this should only be used to test)
531 */
532int abac_verifier_load_certs_file(char *filename) {
533    size_t nbytes=0;
534    char *input=NULL;
535    FILE *fp;
536    int ret;
537
538    fp=fopen(filename, "r");
539
540    if(fp == NULL)
541        return ABAC_CERT_INVALID;
542
543    while( (ret=getline(&input, &nbytes, fp)) != -1 ) {
544        ret=_load_attribute_string(input);
545        free(input);
546        if(ret != ABAC_CERT_SUCCESS )
547            fclose(fp);
548            return ret;
549    }
550    fclose(fp);
551    return ABAC_CERT_SUCCESS;
552}
553
554
555/**
556 * Load an attribute cert from a chunk.
557 */
558int abac_verifier_load_attribute_cert_chunk(chunk_t chunk, abac_credential_t **cred) {
559    // load the cert
560    certificate_t *cert = lib->creds->create(
561        lib->creds, CRED_CERTIFICATE, CERT_X509_AC,
562        BUILD_BLOB_ASN1_DER, chunk,
563        BUILD_END
564    );
565    if (cert == NULL)
566        return ABAC_CERT_INVALID;
567    return _load_attribute_cert(cert, cred);
568}
569
570/**
571 * Return the encoding of the attribute cert.
572 */
573abac_chunk_t abac_credential_attribute_cert(abac_credential_t *cred) {
574    chunk_t encoding = cred->cert->get_encoding(cred->cert);
575    abac_chunk_t ret = { encoding.ptr, encoding.len };
576    return ret;
577}
578
579/**
580 * Return the encoding of the issuer cert.
581 */
582abac_chunk_t abac_credential_issuer_cert(abac_credential_t *cred) {
583    chunk_t encoding = cred->issuer->get_encoding(cred->issuer);
584    abac_chunk_t ret = { encoding.ptr, encoding.len };
585    return ret;
586}
587
588/**
589 * Return the clause of the cert
590 */
591abac_list_t *abac_credential_clauses(abac_credential_t *cred) {
592    return cred->clauses;
593}
594
595
596/**
597 * Increase the ref count of a credential.
598 */
599abac_credential_t *abac_credential_dup(abac_credential_t *cred) {
600    assert(cred != NULL);
601
602    ++cred->refcount;
603    return cred;
604}
605
606/**
607 *  lookup for a credential.
608 */
609abac_credential_t *abac_credential_lookup(char* cred_string)
610{
611    if(debug)
612        printf("DEBUG:doing abac_crendential_lookup ... (%s)\n", cred_string);
613    abac_str_cred_t *str_cred;
614    HASH_FIND_STR(str_creds, cred_string, str_cred);
615    if (str_cred == NULL) {
616        if(debug) printf("DEBUG:NOT FOUND..\n");
617        return NULL;
618    }
619    if(debug) printf("DEBUG:FOUND..(%d)\n", (int) str_cred->cred);
620    return str_cred->cred;
621}
622
623/**
624 * Decrease the reference count of a credential, freeing it when it reaches 0.
625 */
626void abac_credential_free(abac_credential_t *cred)
627{
628    if(debug)
629        printf("DEBUG:freeing cred(%d)clause(%d)\n", (int)cred, (int)cred->clauses);
630
631    if (cred == NULL)
632        return;
633
634    --cred->refcount;
635    if (cred->refcount > 0)
636        return;
637
638    if(cred->type == e_CREDTYPE_ROLE) {
639        abac_role_free((abac_role_t *)cred->head);
640        abac_role_free((abac_role_t *)cred->tail);
641        } else {
642            abac_oset_free((abac_oset_t *)cred->head);
643            abac_oset_free((abac_oset_t *)cred->tail);
644    }
645    cred->cert->destroy(cred->cert);
646    cred->issuer->destroy(cred->issuer); // reference counted
647    /* no need to freeyap_clauses here */
648    free(cred);
649}
650
651char *abac_id_clause(abac_id_cert_t *id_cert)
652{
653    if(id_cert)
654        return id_cert->clause;
655    return NULL;
656}
657
658/* retrieve the cn that is associated with this sha_string */
659char *abac_cn_with_sha(char *sha_string) {
660
661    // get the issuer based on keyid
662    abac_id_cert_t *id_cert;
663    HASH_FIND_STR(id_certs, sha_string, id_cert);
664    if (id_cert == NULL) {
665        return NULL;
666    }
667    if(debug)
668        check_id_cert(id_cert);
669    return id_cert->cn;
670}
671
672/* retrieve the cn that is associated with the principal of this role */
673char *abac_cn_with_role(abac_role_t *role) {
674
675    char *principal = abac_role_principal(role);
676    return abac_cn_with_sha(principal);
677}
678
679/* retrieve the cn that is associated with the principal of this oset */
680char *abac_cn_with_oset(abac_oset_t *oset) {
681    char *principal = abac_oset_principal(oset);
682    return abac_cn_with_sha(principal);
683}
684
Note: See TracBrowser for help on using the repository browser.