Context Navigation

source: libabac/abac_verifier.c @ 53e540d

mei_rt2mei_rt2_fix_1meiyap-rt1meiyap1rt2 yap_rt0

Last change on this file since 53e540d was 53e540d, checked in by Mei <mei@…>, 13 years ago
1) adding appendL to do the credential list appending
Property mode set to `100644`
File size: 13.2 KB

Line
1
2	// include the GNU extension of asprintf
3	#define _GNU_SOURCE
4
5	#include <assert.h>
6
7	#include <library.h>
8	#include <credentials/certificates/certificate.h>
9	#include <credentials/certificates/x509.h>
10	#include <credentials/certificates/ac.h>
11
12	#include "abac_verifier.h"
13
14	#include "abac_list.h"
15	#include "abac_util.h"
16	#include "abac_rt0.h"
17
18	typedef struct _abac_id_cert_t {
19	char *keyid;
20	char *cn;
21	certificate_t *cert;
22
23	UT_hash_handle hh;
24	} abac_id_cert_t;
25
26
27	struct _abac_credential_t {
28	abac_role_t *head;
29	abac_role_t *tail;
30	certificate_t *cert;
31	certificate_t *issuer;
32	char *clause;
33
34	int refcount;
35	};
36
37	typedef struct _abac_str_cred_t {
38	char *strid;
39	abac_credential_t *cred;
40
41	UT_hash_handle hh;
42	} abac_str_cred_t;
43
44	abac_id_cert_t *id_certs = NULL;
45	abac_str_cred_t *str_creds = NULL;
46
47	// convert a chunk to a lowercase binary string
48	// malloc's the string
49	static char *_chunk_to_string(chunk_t chunk) {
50	int i;
51
52	char ret = abac_xmalloc(chunk.len 2 + 1);
53
54	for (i = 0; i < chunk.len; ++i)
55	sprintf(ret + 2 * i, "%02x", chunk.ptr[i]);
56
57	return ret;
58	}
59
60	// verify that cert was issued by issuer
61	// cert and issuer can be the same, in which case the self-sig is validated
62	static int _verify_signature(certificate_t issuer, certificate_t cert) {
63	if (cert->issued_by(cert, issuer))
64	if (cert->get_validity(cert, NULL, NULL, NULL))
65	return 1;
66	return 0;
67	}
68
69	/**
70	* Init the verifier subsystem.
71	*/
72	void abac_verifier_init(void) {
73	// silence all debugging
74
75	if (!library_init(NULL))
76	exit(SS_RC_LIBSTRONGSWAN_INTEGRITY);
77
78	if (!lib->plugins->load(lib->plugins, NULL,
79	lib->settings->get_str(lib->settings, "pki.load", PLUGINS)))
80	exit(SS_RC_INITIALIZATION_FAILED);
81	}
82
83	/**
84	* Uninitialize the system, free up any allocated memory.
85	*/
86	void abac_verifier_deinit(void) {
87	abac_id_cert_t *id;
88	while ((id = id_certs) != NULL) {
89	HASH_DEL(id_certs, id);
90
91	free(id->keyid);
92	free(id->cn);
93	id->cert->destroy(id->cert);
94	free(id);
95	}
96
97	abac_str_cred_t *id2;
98	while ((id2 = str_creds) != NULL) {
99	HASH_DEL(str_creds, id2);
100
101	free(id2->strid);
102	free(id2);
103	}
104
105	library_deinit();
106	}
107
108	/**
109	* Load an ID certificate.
110	*/
111	static int _load_id(certificate_t *cert) {
112	abac_id_cert_t *id_cert = NULL;
113	char *keyid = NULL;
114	chunk_t id;
115	int ret;
116	x509_t x509 = (x509_t )cert;
117
118	assert(cert != NULL);
119
120	// get the key ID
121	id = x509->get_subjectKeyIdentifier(x509);
122	keyid = _chunk_to_string(id);
123
124	/* XXX MEI */
125	/**
126	identification_t *issuer=cert->get_subject(cert);
127	char str=(char )abac_xmalloc(strlen((char *)issuer));
128	sprintf(str,"%Y",issuer);
129	**/
130	char *str;
131	int rv = asprintf(&str, "%Y", cert->get_issuer(cert));
132
133	char cn=(char )abac_xmalloc(strlen(str)+1);
134	cn[0]='p';
135	int n=sscanf(str,"CN=%s", &(cn[1]));
136	if ( n!=1 ) {
137	ret = ABAC_CERT_BAD_CN;
138	goto error;
139	}
140
141	printf ("XXX keyid %s \n", keyid);
142	printf( "XXX issuer '%s' \n", str);
143	printf ("XXX cn %s \n", cn);
144	free(str);
145
146	// if we already have this cert 'error' with success
147	HASH_FIND_STR(id_certs, keyid, id_cert);
148	if (id_cert != NULL) {
149	ret = ABAC_CERT_SUCCESS;
150	goto error;
151	}
152
153	// validate sig
154	ret = _verify_signature(cert, cert);
155	if (!ret) {
156	ret = ABAC_CERT_BAD_SIG;
157	goto error;
158	}
159
160	// success, add the key to the map of certificates
161	id_cert = abac_xmalloc(sizeof(abac_id_cert_t));
162	id_cert->keyid = keyid;
163	id_cert->cert = cert;
164	id_cert->cn = cn;
165	HASH_ADD_KEYPTR(hh, id_certs, id_cert->keyid, strlen(id_cert->keyid), id_cert);
166
167	return ABAC_CERT_SUCCESS;
168
169	error:
170	if (keyid != NULL) free(keyid);
171	if (cn != NULL) free(cn);
172
173	return ret;
174	}
175
176	/**
177	* Load an ID cert from a file.
178	*/
179	int abac_verifier_load_id_file(char *filename) {
180	if (lib == NULL)
181	errx(1, "looks like you didn't call libabac_init() (lib is NULL)");
182
183	// load the cert
184	certificate_t *cert = lib->creds->create(
185	lib->creds, CRED_CERTIFICATE, CERT_X509,
186	BUILD_FROM_FILE, filename,
187	BUILD_X509_FLAG, X509_AA, // attribute authority, dumb
188	BUILD_END
189	);
190	if (cert == NULL)
191	return ABAC_CERT_INVALID;
192	return _load_id(cert);
193	}
194
195	/**
196	* Load an ID cert from a chunk.
197	*/
198	int abac_verifier_load_id_chunk(chunk_t chunk) {
199	// load the cert
200	certificate_t *cert = lib->creds->create(
201	lib->creds, CRED_CERTIFICATE, CERT_X509,
202	BUILD_BLOB_ASN1_DER, chunk,
203	BUILD_X509_FLAG, X509_AA, // attribute authority, dumb
204	BUILD_END
205	);
206	if (cert == NULL)
207	return ABAC_CERT_INVALID;
208	return _load_id(cert);
209	}
210
211
212	/**
213	* Load an attribute cert.
214	* Returns true only if the certificate is valid and is issued by the proper
215	* authority.
216	*/
217	static int _load_attribute_cert(certificate_t cert, abac_credential_t *cred_ret) {
218	ietf_attributes_t *attr_cert = NULL;
219	abac_role_t *head_role = NULL;
220	abac_role_t *tail_role = NULL;
221	abac_id_cert_t *issuer;
222	char *attr_string_copy;
223	int ret, i;
224
225	// get the attr
226	ac_t ac = (ac_t )cert;
227	attr_cert = ac->get_groups(ac);
228	if (attr_cert == NULL) {
229	ret = ABAC_CERT_INVALID;
230	goto error;
231	}
232
233	char *attr_string = attr_cert->get_string(attr_cert);
234	if (attr_string == NULL) {
235	ret = ABAC_CERT_INVALID;
236	goto error;
237	}
238
239	printf("YYY-->attr_string(%s)%d\n", attr_string, strlen(attr_string));
240	/* call into yacc parser */
241	attr_string_copy = strdup(attr_string);
242	abac_reset_yyfptr(attr_string_copy);
243	abac_yyinit();
244	int rc=yyparse();
245	if (rc) {
246	ret = ABAC_CERT_INVALID;
247	goto error;
248	}
249
250	char *head_tail[2];
251	abac_split(attr_string, " <- ", head_tail, &ret);
252	if (ret != 2) {
253	ret = ABAC_CERT_INVALID;
254	goto error;
255	}
256
257	// must be a role
258	head_role = abac_role_from_string(head_tail[0]);
259	if (head_role == NULL) goto error;
260	if (!abac_role_is_role(head_role)) {
261	ret = ABAC_CERT_INVALID;
262	goto error;
263	}
264
265	// make sure the tail's valid too
266	tail_role = abac_role_from_string(head_tail[1]);
267	if (tail_role == NULL) {
268	ret = ABAC_CERT_INVALID;
269	goto error;
270	}
271
272	// get the issuer based on keyid
273	char *principal = abac_role_principal(head_role);
274	HASH_FIND_STR(id_certs, principal, issuer);
275	if (issuer == NULL) {
276	ret = ABAC_CERT_MISSING_ISSUER;
277	goto error;
278	}
279
280	// make sure the issuer's signed it
281	ret = _verify_signature(issuer->cert, cert);
282	if (!ret) {
283	ret = ABAC_CERT_BAD_SIG;
284	goto error;
285	}
286
287	// at this point we know we have a good attribute cert
288	abac_credential_t *cred = abac_xmalloc(sizeof(abac_credential_t));
289	cred->head = head_role;
290	cred->tail = tail_role;
291	cred->cert = cert;
292	cred->issuer = issuer->cert->get_ref(issuer->cert);
293	cred->clause = abac_get_yap_clause();
294	cred->refcount = 1;
295	*cred_ret = cred;
296
297	// success, add the key to the map of certificates
298	abac_str_cred_t *str_cred;
299	str_cred=abac_xmalloc(sizeof(abac_str_cred_t));
300	str_cred->strid=attr_string_copy;
301	str_cred->cred=cred;
302	HASH_ADD_KEYPTR(hh, str_creds, str_cred->strid, strlen(str_cred->strid), str_cred);
303
304	// free up some crap
305	attr_cert->destroy(attr_cert);
306
307	return ABAC_CERT_SUCCESS;
308
309	error:
310	if (cert != NULL) cert->destroy(cert);
311	if (attr_cert != NULL) attr_cert->destroy(attr_cert);
312	if (head_role != NULL) abac_role_free(head_role);
313	if (tail_role != NULL) abac_role_free(tail_role);
314	if (attr_string_copy != NULL) free(attr_string_copy);
315	abac_free_yap_clause();
316
317	return ret;
318	}
319
320	#ifdef OLD
321	/**
322	* Load an attribute cert.
323	* Returns true only if the certificate is valid and is issued by the proper
324	* authority.
325	*/
326	static int _load_attribute_cert(certificate_t cert, abac_credential_t *cred_ret) {
327	ietf_attributes_t *attr_cert = NULL;
328	abac_role_t *head_role = NULL;
329	abac_role_t *tail_role = NULL;
330	abac_id_cert_t *issuer;
331	int ret, i;
332
333	// get the attr
334	ac_t ac = (ac_t )cert;
335	attr_cert = ac->get_groups(ac);
336	if (attr_cert == NULL) {
337	ret = ABAC_CERT_INVALID;
338	goto error;
339	}
340
341	char *attr_string = attr_cert->get_string(attr_cert);
342	if (attr_string == NULL) {
343	ret = ABAC_CERT_INVALID;
344	goto error;
345	}
346
347	printf("YYY-->attr_string(%s)%d\n", attr_string, strlen(attr_string));
348
349	// split into head/tail parts
350	char *head_tail[2];
351	abac_split(attr_string, " <- ", head_tail, &ret);
352	if (ret != 2) {
353	ret = ABAC_CERT_INVALID;
354	goto error;
355	}
356
357	// must be a role
358	head_role = abac_role_from_string(head_tail[0]);
359	if (head_role == NULL) goto error;
360	if (!abac_role_is_role(head_role)) {
361	ret = ABAC_CERT_INVALID;
362	goto error;
363	}
364
365	// make sure the tail's valid too
366	tail_role = abac_role_from_string(head_tail[1]);
367	if (tail_role == NULL) {
368	ret = ABAC_CERT_INVALID;
369	goto error;
370	}
371
372	// get the issuer based on keyid
373	char *principal = abac_role_principal(head_role);
374	HASH_FIND_STR(id_certs, principal, issuer);
375	if (issuer == NULL) {
376	ret = ABAC_CERT_MISSING_ISSUER;
377	goto error;
378	}
379
380	printf("YYY principal found is %s\n", principal);
381
382	// make sure the issuer's signed it
383	ret = _verify_signature(issuer->cert, cert);
384	if (!ret) {
385	ret = ABAC_CERT_BAD_SIG;
386	goto error;
387	}
388
389	// at this point we know we have a good attribute cert
390	abac_credential_t *cred = abac_xmalloc(sizeof(abac_credential_t));
391	cred->head = head_role;
392	cred->tail = tail_role;
393	cred->cert = cert;
394	cred->issuer = issuer->cert->get_ref(issuer->cert);
395	cred->refcount = 1;
396	*cred_ret = cred;
397
398	// free up some crap
399	attr_cert->destroy(attr_cert);
400
401	return ABAC_CERT_SUCCESS;
402
403	error:
404	if (cert != NULL) cert->destroy(cert);
405	if (attr_cert != NULL) attr_cert->destroy(attr_cert);
406	if (head_role != NULL) abac_role_free(head_role);
407	if (tail_role != NULL) abac_role_free(tail_role);
408
409	return ret;
410	}
411	#endif
412
413	/**
414	* Load an attribute cert from a file.
415	*/
416	int abac_verifier_load_attribute_cert_file(char filename, abac_credential_t *cred) {
417	// load the cert
418	certificate_t *cert = lib->creds->create(
419	lib->creds, CRED_CERTIFICATE, CERT_X509_AC,
420	BUILD_FROM_FILE, filename,
421	BUILD_END
422	);
423	if (cert == NULL)
424	return ABAC_CERT_INVALID;
425	return _load_attribute_cert(cert, cred);
426	}
427
428	/**
429	* Load an attribute cert from a chunk.
430	*/
431	int abac_verifier_load_attribute_cert_chunk(chunk_t chunk, abac_credential_t **cred) {
432	// load the cert
433	certificate_t *cert = lib->creds->create(
434	lib->creds, CRED_CERTIFICATE, CERT_X509_AC,
435	BUILD_BLOB_ASN1_DER, chunk,
436	BUILD_END
437	);
438	if (cert == NULL)
439	return ABAC_CERT_INVALID;
440	return _load_attribute_cert(cert, cred);
441	}
442
443	/**
444	* Return the head role.
445	*/
446	abac_role_t abac_credential_head(abac_credential_t cred) {
447	return cred->head;
448	}
449
450	/**
451	* Return the tail role.
452	*/
453	abac_role_t abac_credential_tail(abac_credential_t cred) {
454	return cred->tail;
455	}
456
457	/**
458	* Return the encoding of the attribute cert.
459	*/
460	abac_chunk_t abac_credential_attribute_cert(abac_credential_t *cred) {
461	chunk_t encoding = cred->cert->get_encoding(cred->cert);
462	abac_chunk_t ret = { encoding.ptr, encoding.len };
463	return ret;
464	}
465
466	/**
467	* Return the encoding of the issuer cert.
468	*/
469	abac_chunk_t abac_credential_issuer_cert(abac_credential_t *cred) {
470	chunk_t encoding = cred->issuer->get_encoding(cred->issuer);
471	abac_chunk_t ret = { encoding.ptr, encoding.len };
472	return ret;
473	}
474
475	/**
476	* Return the clause of the cert
477	*/
478	char * abac_credential_clause(abac_credential_t *cred) {
479	return cred->clause;
480	}
481
482	/**
483	* Increase the ref count of a credential.
484	*/
485	abac_credential_t abac_credential_dup(abac_credential_t cred) {
486	assert(cred != NULL);
487
488	++cred->refcount;
489	return cred;
490	}
491
492	/**
493	* lookup for a credential.
494	*/
495	abac_credential_t abac_credential_lookup(char cred_string) {
496	abac_str_cred_t *str_cred;
497	HASH_FIND_STR(str_creds, cred_string, str_cred);
498	if (str_cred == NULL) {
499	return NULL;
500	}
501	return str_cred->cred;
502	}
503
504	/**
505	* Decrease the reference count of a credential, freeing it when it reaches 0.
506	*/
507	void abac_credential_free(abac_credential_t *cred) {
508	if (cred == NULL)
509	return;
510
511	--cred->refcount;
512	if (cred->refcount > 0)
513	return;
514
515	abac_role_free(cred->head);
516	abac_role_free(cred->tail);
517	cred->cert->destroy(cred->cert);
518	cred->issuer->destroy(cred->issuer); // reference counted
519	if (cred->clause)
520	free(cred->clause);
521
522	free(cred);
523	}
524
525	/* retrieve the cn that is associated with this sha_string */
526	char abac_cn_with_sha(char sha_string) {
527
528	// get the issuer based on keyid
529	abac_id_cert_t *id_cert;
530	HASH_FIND_STR(id_certs, sha_string, id_cert);
531	if (id_cert == NULL) {
532	return NULL;
533	}
534	return id_cert->cn;
535	}
536
537	/* retrieve the cn that is associated with the principal of this role */
538	char abac_cn_with_role(abac_role_t head_role) {
539
540	// get the issuer based on keyid
541	char *principal = abac_role_principal(head_role);
542	return abac_cn_with_sha(principal);
543	}
544

Note: See TracBrowser for help on using the repository browser.

Download in other formats: