Context Navigation

source: libabac/abac_verifier.c @ 646e57e

mei_rt2mei_rt2_fix_1

Last change on this file since 646e57e was 9a0e1c1, checked in by Mei <mei@…>, 12 years ago
1) tweak an error message to make it more clearer
Property mode set to `100644`
File size: 34.8 KB

Line
1	/**
2	** abac_verifier.c
3	**/
4
5	// include the GNU extension of asprintf
6	#define _GNU_SOURCE
7
8	#include <stdio.h>
9	#include <regex.h>
10	#include <sys/mman.h>
11	#include <fcntl.h>
12	#include <sys/types.h>
13	#include <sys/stat.h>
14	#include <unistd.h>
15
16
17	#include <assert.h>
18	#include <stdio.h>
19
20	#include <library.h>
21
22	#include "abac_internal.h"
23	#include "abac_verifier.h"
24
25	#include "abac_util.h"
26	#include "abac_rt.h"
27
28	static int debug=0;
29
30	/* from abac_attribute.c */
31	extern char get_cred_encoding(abac_attribute_t ptr);
32
33	extern abac_aspect_t *abac_yy_get_rule_head_aspect();
34	extern abac_aspect_t *abac_yy_get_rule_tail_aspect();
35	extern abac_list_t *abac_yy_get_rule_clauses();
36	extern char* abac_decode_string(char *);
37	extern void abac_yy_free_rule_clauses();
38	extern char generate_pl_type_clause(char , int);
39	extern abac_list_t generate_pl_clauses(abac_aspect_t , abac_aspect_t *);
40	extern void generate_pl_set_abac_yyfptr_encoded(char *string);
41
42	extern void abac_print_aspect_string_with_condition(abac_aspect_t role, FILE);
43
44	extern int abac_id_load_privkey_chunk(abac_id_t *ptr, chunk_t keychunk);
45
46	struct _abac_id_credential_t {
47	char *hashkeyid;
48	abac_id_t *id;
49	char *pl_clause;
50
51	UT_hash_handle hh;
52	};
53	/* hash table base on sha with a p */
54	abac_id_credential_t *id_creds = NULL;
55	/* linked list of all the ids's hashkeyid */
56	abac_list_t *id_hashkeyid_list = NULL;
57
58	/* can store either role or oset */
59	struct _abac_credential_t {
60	char *hashkeyid;
61	abac_attribute_t *attr;
62	abac_list_t *pl_clauses;
63
64	UT_hash_handle hh;
65	};
66	/* hash table base on encoded attr rule */
67	abac_credential_t *attr_creds = NULL;
68	/* linked list of all the attr's hashkeyid */
69	abac_list_t *attr_hashkeyid_list = NULL;
70
71	/*****************************************************************************/
72	void abac_print_cred_info(abac_credential_t cred, FILE fp)
73	{
74	if(fp == NULL)
75	fp=stdout;
76
77	abac_attribute_t *ptr=cred->attr;
78	abac_aspect_t *head=abac_attribute_head(ptr);
79	abac_aspect_t *tail=abac_attribute_tail(ptr);
80
81	if(debug) {
82	fprintf(fp,"---> printing out credential info cred(%d)..\n", (int) cred);
83	if(head) {
84	abac_print_aspect_string_with_condition(head,fp);
85	}
86	if(tail) {
87	abac_print_aspect_string_with_condition(tail,fp);
88	}
89
90	abac_list_t *clauses=cred->pl_clauses;
91	if (clauses != NULL) {
92	char *cur=NULL;
93	abac_list_foreach(clauses, cur,
94	fprintf(fp,"\n a clause(%d):\n",(int)cur);
95	if(cur)
96	fprintf(fp,"strlen(%d)loc(%d)(%s)\n", strlen(cur),(int)cur, cur);
97	);
98	}
99	} else {
100	fprintf(fp," ");
101	abac_print_aspect_string_with_condition(head,fp);
102	fprintf(fp," <- ");
103	abac_print_aspect_string_with_condition(tail,fp);
104	fprintf(fp,"\n");
105	}
106	}
107
108	void abac_print_prin_info(abac_id_credential_t prin, FILE fp)
109	{
110	if(fp == NULL)
111	return;
112
113	abac_id_t *ptr=abac_id_credential_id(prin);
114
115	if(debug) fprintf(fp,"---> printing out principal info ..\n");
116	if(abac_id_has_privkey(ptr))
117	fprintf(fp," (%s,%s,y)\n",abac_id_name(ptr),abac_id_idtype_string(ptr));
118	else
119	fprintf(fp," (%s,%s,n)\n",abac_id_name(ptr),abac_id_idtype_string(ptr));
120	}
121
122	//
123	int abac_verify_idtype_type(char *type) {
124	int i;
125
126	if (type == NULL)
127	return 0;
128
129	for (i = 1; i <= _idtypename_cnt ; i++)
130	if(strcmp(type,_idtypename[i])==0)
131	return i;
132	return 0;
133	}
134
135	char *abac_idtype_string(int i)
136	{
137	if(i > _idtypename_cnt) {
138	printf("bad idtypename idx %d\n", i);
139	panic("abac_idtype_string: went out of range on idtypename");
140	}
141	return (char*) _idtypename[i];
142	}
143
144	// convert a chunk to a lowercase binary string
145	// malloc's the string
146	static char *_chunk_to_string(chunk_t chunk) {
147	int i;
148
149	char ret = abac_xmalloc(chunk.len 2 + 1);
150
151	for (i = 0; i < chunk.len; ++i)
152	sprintf(ret + 2 * i, "%02x", chunk.ptr[i]);
153
154	return ret;
155	}
156
157	// verify that cert was issued by issuer
158	// cert and issuer can be the same, in which case the self-sig is validated
159	int verify_signature(certificate_t issuer_cert, certificate_t cert) {
160	if (cert->issued_by(cert, issuer_cert))
161	if (cert->get_validity(cert, NULL, NULL, NULL))
162	return 1;
163	return 0;
164	}
165
166	// verify that cert is still valid
167	static int _verify_validity(certificate_t *cert) {
168	if (cert->get_validity(cert, NULL, NULL, NULL))
169	return 1;
170	return 0;
171	}
172
173	/**
174	* Init the verifier subsystem.
175	*/
176	void abac_verifier_init(void) {
177	// silence all debugging
178
179	if (!library_init(NULL))
180	exit(SS_RC_LIBSTRONGSWAN_INTEGRITY);
181
182	if (!lib->plugins->load(lib->plugins, NULL,
183	lib->settings->get_str(lib->settings, "pki.load", PLUGINS)))
184	exit(SS_RC_INITIALIZATION_FAILED);
185
186	attr_hashkeyid_list = abac_list_new();
187	id_hashkeyid_list = abac_list_new();
188	}
189
190	/**
191	* Uninitialize the system, free up any allocated memory.
192	*/
193	void abac_verifier_deinit(void) {
194	if(debug)fprintf(stderr, "abac_verifier_deinit... being called..\n");
195
196	abac_id_credential_t *ptr;
197	while ((ptr = id_creds) != NULL) {
198	if(debug) fprintf(stderr, "abac_verifier_deinit: deleting id (%s)\n",abac_id_name(ptr->id));
199	HASH_DEL(id_creds, ptr);
200
201	free(ptr->hashkeyid);
202	free(ptr->pl_clause);
203	abac_id_free(ptr->id);
204	free(ptr);
205	}
206
207	abac_credential_t *ptr2;
208	while ((ptr2 = attr_creds) != NULL) {
209	HASH_DEL(attr_creds, ptr2);
210	if(debug) {
211	fprintf(stderr, "abac_verifier_deinit: deleting attr hashkey(%s)\n",ptr2->hashkeyid);
212	}
213	free(ptr2->hashkeyid);
214	abac_attribute_free(ptr2->attr);
215	char *cur=NULL;
216	abac_list_foreach(ptr2->pl_clauses, cur,
217	free(cur);
218	);
219	free(ptr2->pl_clauses);
220	free(ptr2);
221	}
222
223	if(attr_hashkeyid_list) {
224	char *cur;
225	if(attr_hashkeyid_list) {
226	abac_list_foreach(attr_hashkeyid_list, cur,
227	if(cur) free(cur);
228	);
229	}
230	abac_list_free(attr_hashkeyid_list);
231	}
232
233	if(id_hashkeyid_list) {
234	if(debug) fprintf(stderr, "looking to free id_hashkeyid_lst..\n");
235	char *cur;
236	if(id_hashkeyid_list) {
237	abac_list_foreach(id_hashkeyid_list, cur,
238	if(cur) {
239	if(debug) fprintf(stderr, "hum.. id hashkey being freed.. %s\n", cur);
240	free(cur);
241	}
242	);
243	}
244	abac_list_free(id_hashkeyid_list);
245	}
246
247	library_deinit();
248	}
249
250	abac_id_credential_t abac_verifier_add_id_credential(abac_id_t a_id)
251	{
252	abac_id_credential_t *id_cred;
253	char *cn=abac_id_cn(a_id);
254	char *keyid=abac_id_keyid(a_id);
255
256	if(debug) {
257	fprintf(stderr, "abac_verifier_add_id_credential, cn(%s),keyid(%s)\n",
258	cn, keyid);
259	}
260
261	// add the abac_id to the map of id credentials
262	id_cred = abac_xmalloc(sizeof(abac_id_credential_t));
263	id_cred->hashkeyid = abac_xstrdup(keyid);
264	id_cred->id=abac_id_dup(a_id);
265
266	/* special handling here */
267	if(USE("ABAC_CN")) {
268	id_cred->pl_clause = generate_pl_type_clause(cn, abac_id_idtype(a_id));
269	} else {
270	id_cred->pl_clause=generate_pl_type_clause(prologIt(keyid), abac_id_idtype(a_id));
271	}
272	HASH_ADD_KEYPTR(hh, id_creds, id_cred->hashkeyid, strlen(id_cred->hashkeyid), id_cred);
273	if(debug)
274	fprintf(stderr, "-->adding into id_creds, (%s)..cnt(%d)(%d)\n",
275	id_cred->hashkeyid, HASH_COUNT(id_creds),(int)id_cred);
276
277	assert(id_hashkeyid_list);
278	abac_list_add(id_hashkeyid_list, abac_xstrdup(id_cred->hashkeyid));
279	return id_cred;
280	}
281
282	/* have to find the last cn
283	CN=test/emailAddress=abac.isi.edu, CN=12345678
284	CN=client
285	..CN=255a03f3-ed30/emailAddress=..
286	*/
287	static char* _extract_cn(char *string)
288	{
289	/* find the first CN= */
290	char *ptr=strstr(string,"CN=");
291	if(ptr == NULL) return NULL;
292
293	/* look for last CN= */
294	while(1) {
295	char *tptr=ptr+3;
296	char *p=strstr(tptr,"CN=");
297	if(p) ptr=p;
298	else break;
299	}
300
301	/* remove the possible additional stuff */
302	char cn=abac_xstrdup(ptr); / it would get write over */
303	char *nptr=strtok(cn,"/");
304	char pcn=abac_xmalloc(sizeof(char) strlen(nptr));
305	pcn[0]='p';
306	/* special case.. replace empty space with _ */
307	int i=strlen(nptr);
308	while(i--)
309	if(nptr[i]==' ') nptr[i]='_';
310	sscanf(nptr,"CN=%s", &pcn[1]);
311	free(cn);
312	return pcn;
313	}
314
315	/**
316	* Load an ID
317	*/
318	static int _load_id(abac_id_t *a_id,certificate_t cert, abac_id_credential_t **id_cred_ret) {
319	abac_id_credential_t *id_cred = NULL;
320	char *keyid = NULL;
321	chunk_t id;
322	int ret;
323	x509_t x509 = (x509_t )cert;
324
325	assert(cert != NULL);
326
327	// get the key ID, add p to keyid SHA here */
328	id = x509->get_subjectKeyIdentifier(x509);
329	keyid = _chunk_to_string(id);
330
331	/* Mike said this is the way it is */
332	char *str=NULL;
333	int rv = asprintf(&str, "%Y", cert->get_issuer(cert));
334
335	/* add p to cn name here, if there is no useable one
336	reuse keyid */
337	char *cn=_extract_cn(str);
338	if(cn == NULL) {
339	if(debug)
340	fprintf(stderr, "DEBUG:did not find usable cn, reuse keyid\n");
341	cn=abac_xstrdup(keyid);
342	}
343
344	if(debug) {
345	fprintf(stderr, "DEBUG:keyid %s \n", keyid);
346	fprintf(stderr, "DEBUG:issuer '%s' \n", str);
347	fprintf(stderr, "DEBUG:cn %s \n", cn);
348	}
349	free(str);
350
351	// if we already have this cert 'error' with success
352	HASH_FIND_STR(id_creds, keyid, id_cred);
353	if (id_cred != NULL) {
354	if(debug) fprintf(stderr, "existing cert \n");
355	ret = ABAC_CERT_EXISTS;
356	goto error;
357	}
358
359	// validate validity
360	ret = _verify_validity(cert);
361	if (!ret) {
362	ret = ABAC_CERT_INVALID;
363	goto error;
364	}
365
366	// validate sig
367	ret = verify_signature(cert, cert);
368	if (!ret) {
369	/* well.. this is not a self signed cert, don't fault it anymore */
370	if(debug) fprintf(stderr, "This is not a self-signed cert \n");
371	} else {
372	if(debug) fprintf(stderr, "This is a self-signed cert \n");
373	}
374
375	// success, add a new abac_id
376	if(*a_id==NULL) {
377	*a_id=abac_id_keyid_new(keyid,cn,cert);
378	}
379
380	abac_id_credential_t n_id_cred=abac_verifier_add_id_credential(a_id);
381	*id_cred_ret=n_id_cred;
382
383	if (keyid != NULL) free(keyid);
384	if (cn != NULL) free(cn);
385
386	return ABAC_CERT_SUCCESS;
387
388	error:
389	if (keyid != NULL) free(keyid);
390	if (cn != NULL) free(cn);
391
392	return ret;
393	}
394
395	/* collect all the creds stored so far */
396	abac_stack_t *abac_verifier_dump_creds()
397	{
398	abac_stack_t *cred_list = abac_stack_new();
399
400	int cnt=0;
401	if(attr_hashkeyid_list) {
402	char *keyid;
403	abac_credential_t *cred;
404	abac_list_foreach(attr_hashkeyid_list, keyid,
405	cred=abac_credential_lookup(keyid);
406	abac_stack_push(cred_list, cred);
407	cnt++;
408	);
409	}
410	if(debug) fprintf(stderr, "abac_verifier_dump_cred: %d\n",cnt);
411	return cred_list;
412	}
413
414	/* collect all the id stored so far */
415	abac_stack_t *abac_verifier_dump_principals()
416	{
417	abac_stack_t *id_list = abac_stack_new();
418
419	int cnt=0;
420	if(id_hashkeyid_list) {
421	char *keyid;
422	abac_id_credential_t *id;
423	abac_list_foreach(id_hashkeyid_list, keyid,
424	id=abac_id_credential_lookup(keyid);
425	abac_stack_push(id_list, id);
426	cnt++;
427	);
428	}
429	if(debug) fprintf(stderr, "abac_verifier_dump_principals: %d\n",cnt);
430	return id_list;
431	}
432
433
434	static void check_id_cred(abac_id_credential_t *id_cred)
435	{
436	if(id_cred) {
437	printf("checking on this id_cred location %d\n", (int)id_cred);
438	printf(" --> sha is (%s)\n", abac_id_keyid(id_cred->id));
439	printf(" --> cn is (%s)\n", abac_id_cn(id_cred->id));
440	}
441	}
442
443	/**
444	* Load an attribute cert as string.
445	* have minimum syntax & validity check
446	*/
447	static int _load_attribute_string(char* attr_string) {
448	printf("NOT implemented yet!!!");
449	return ABAC_CERT_INVALID;
450	}
451
452	/**
453	* Load an ID cert from a file.
454	*/
455	int abac_verifier_load_id_file_key_file(char filename, char keyfilename,
456	abac_id_credential_t **id_cred_ret)
457	{
458	abac_id_t *id=NULL;
459	if (lib == NULL)
460	errx(1, "looks like you didn't call libabac_init() (lib is NULL)");
461
462	if(debug) fprintf(stderr, "loading id file... %s\n", filename);
463
464	// load the cert, with public key
465	certificate_t *cert = lib->creds->create(
466	lib->creds, CRED_CERTIFICATE, CERT_X509,
467	BUILD_FROM_FILE, filename,
468	BUILD_X509_FLAG, X509_AA, // attribute authority, dumb
469	BUILD_END
470	);
471
472	if (cert == NULL)
473	return ABAC_CERT_INVALID;
474
475	int rc=_load_id(&id,cert,id_cred_ret);
476	if(rc==ABAC_CERT_EXISTS) {
477	if(debug) fprintf(stderr, "abac_verifier_load_id_files: id already exists\n");
478	return ABAC_CERT_SUCCESS;
479	}
480
481	/* try to load the private key if it is there */
482	if((rc==ABAC_CERT_SUCCESS) && keyfilename!=NULL && file_exist(keyfilename)) {
483	if(debug) fprintf(stderr, "loading... %s\n", keyfilename);
484	int keyrc=abac_id_load_privkey_file(id, keyfilename);
485	if(debug) {
486	if(keyrc == 1) fprintf(stderr, "..load_id_file: load(%s) with a private key\n",filename);
487	else printf("..load_id_file: load(%s) without a private key\n",filename);
488	}
489	}
490	return ABAC_CERT_SUCCESS;
491	}
492
493	int abac_verifier_load_enc_id_file_key_file(char filename, char keyfilename,
494	char pfile, abac_id_credential_t *id_cred_ret)
495	{
496	abac_id_t *id=NULL;
497	if (lib == NULL)
498	errx(1, "looks like you didn't call libabac_init() (lib is NULL)");
499
500	if(debug) fprintf(stderr, "loading id file... %s\n", filename);
501
502	// load the cert, with public key
503	certificate_t *cert = lib->creds->create(
504	lib->creds, CRED_CERTIFICATE, CERT_X509,
505	BUILD_FROM_FILE, filename,
506	BUILD_X509_FLAG, X509_AA, // attribute authority, dumb
507	BUILD_END
508	);
509
510	if (cert == NULL)
511	return ABAC_CERT_INVALID;
512
513	int rc=_load_id(&id,cert,id_cred_ret);
514	if(rc==ABAC_CERT_EXISTS) {
515	if(debug) fprintf(stderr, "abac_verifier_load_id_files: id already exists\n");
516	return ABAC_CERT_SUCCESS;
517	}
518
519	/* try to load the private key if it is there */
520	if((rc==ABAC_CERT_SUCCESS) && keyfilename!=NULL && file_exist(keyfilename)) {
521	if(debug) fprintf(stderr, "loading... %s\n", keyfilename);
522	int keyrc=abac_id_load_enc_privkey_file(id, keyfilename, pfile);
523	if(debug) {
524	if(keyrc == 1) fprintf(stderr, "..load_id_file: load(%s) with a private key\n",filename);
525	else printf("..load_id_file: load(%s) without a private key\n",filename);
526	}
527	}
528	return ABAC_CERT_SUCCESS;
529	}
530
531	/**
532	* Load an ID cert from a abac_id_t
533	*/
534	int abac_verifier_load_id_id(abac_id_t id, abac_id_credential_t *id_cred_ret) {
535	certificate_t *cert = abac_id_cert(id);
536	return _load_id(&id,cert,id_cred_ret);
537	}
538
539	/**
540	* Load an ID cert from a chunk.
541	*/
542	int abac_verifier_load_id_pem_chunk(chunk_t chunk, abac_id_credential_t **id_cred_ret) {
543	abac_id_t *id=NULL;
544	// load the cert
545	certificate_t *cert = lib->creds->create(
546	lib->creds, CRED_CERTIFICATE, CERT_X509,
547	BUILD_BLOB_PEM, chunk,
548	BUILD_X509_FLAG, X509_AA, // attribute authority, dumb
549	BUILD_END
550	);
551	if (cert == NULL)
552	return ABAC_CERT_INVALID;
553	return _load_id(&id, cert,id_cred_ret);
554	}
555	/**
556	* Load an ID cert from a chunk, Note, this only loads the id cert part
557	* and so it is not suitable for creating an attribute credential with.
558	* Only a complete id cert + privkey could create attribute credential.
559	*/
560	int abac_verifier_load_id_chunk(chunk_t chunk, abac_id_credential_t **id_cred_ret) {
561	abac_id_t *id=NULL;
562	// load the cert
563	certificate_t *cert = lib->creds->create(
564	lib->creds, CRED_CERTIFICATE, CERT_X509,
565	BUILD_BLOB_ASN1_DER, chunk,
566	BUILD_X509_FLAG, X509_AA, // attribute authority, dumb
567	BUILD_END
568	);
569	if (cert == NULL)
570	return ABAC_CERT_INVALID;
571	return _load_id(&id, cert,id_cred_ret);
572	}
573
574	/**
575	* Load an ID cert from a cert chunk and a privkey chunk,
576	* this complete id cert + privkey could create attribute credential.
577	*/
578	int abac_verifier_load_id_privkey_chunk(chunk_t chunk, chunk_t privkey_chunk,
579	abac_id_credential_t **id_cred_ret) {
580
581	abac_id_t *id=NULL;
582	// load the cert
583	certificate_t *cert = lib->creds->create(
584	lib->creds, CRED_CERTIFICATE, CERT_X509,
585	BUILD_BLOB_ASN1_DER, chunk,
586	BUILD_X509_FLAG, X509_AA, // attribute authority, dumb
587	BUILD_END
588	);
589	if (cert == NULL)
590	return ABAC_CERT_INVALID;
591
592	int rc=_load_id(&id, cert,id_cred_ret);
593	if(rc == ABAC_CERT_SUCCESS) {
594	rc=abac_id_load_privkey_chunk(id, privkey_chunk);
595	}
596
597	return rc;
598	}
599
600	int abac_verifier_load_id_enc_privkey_chunk(chunk_t chunk, chunk_t privkey_chunk,
601	char* pfile, abac_id_credential_t **id_cred_ret) {
602
603	abac_id_t *id=NULL;
604	// load the cert
605	certificate_t *cert = lib->creds->create(
606	lib->creds, CRED_CERTIFICATE, CERT_X509,
607	BUILD_BLOB_ASN1_DER, chunk,
608	BUILD_X509_FLAG, X509_AA, // attribute authority, dumb
609	BUILD_END
610	);
611	if (cert == NULL)
612	return ABAC_CERT_INVALID;
613
614	int rc=_load_id(&id, cert,id_cred_ret);
615	if(rc == ABAC_CERT_SUCCESS) {
616	rc=abac_id_load_enc_privkey_chunk(id, privkey_chunk, pfile);
617	}
618
619	return rc;
620	}
621
622
623
624	abac_id_t abac_verifier_load_issuer(char filename, char *keyfilename)
625	{
626	abac_id_credential_t *id_cred=NULL;
627	int ret=abac_verifier_load_id_file_key_file(filename,keyfilename,&id_cred);
628	if(ret !=ABAC_CERT_SUCCESS)
629	return NULL;
630	abac_id_t *issuer=abac_id_credential_id(id_cred);
631	return issuer;
632	}
633
634
635	static int matchex(const char subject, const char pattern, int so, int eo)
636	{
637	int rc; // Returned code
638	regmatch_t pmatch;
639
640	regex_t re; // Compiled regexp pattern
641
642	if (regcomp(&re, pattern, 0) != 0) return 0;
643
644	rc = regexec(&re, subject, 1 , &pmatch, 0);
645	regfree(&re);
646
647	if (rc == REG_NOMATCH ) return 0;
648
649	*so=pmatch.rm_so;
650	*eo=pmatch.rm_eo;
651
652	return 1;
653	}
654
655
656
657	static chunk_t _extract_chunk(char data, char startline, char* endline)
658	{
659	int found=0;
660	int startos=0;
661	int endos=0;
662	regex_t re;
663	regmatch_t pm;
664	int rc;
665
666	int st;
667	int et;
668
669	rc=matchex(data, startline, &st, &et);
670	if(rc==0) return chunk_empty;
671	startos=st;
672
673	rc=matchex(data, endline, &st, &et);
674	if(rc==0) return chunk_empty;
675	endos=et;
676
677	int len=endos - startos;
678
679	if(debug) fprintf(stderr, "making a chunk of size (%d) from %d and %d\n",len, startos,endos);
680	char *ptr=strndup(data+startos,len);
681
682	chunk_t ret = { ptr, len };
683	return ret;
684	}
685
686
687	int abac_verifier_load_idkey_file(char filename, abac_id_credential_t *id_cred_ret)
688	{
689	struct stat sb;
690	int fd;
691	int rc;
692
693	fd = open(filename, O_RDONLY);
694	if (fd == -1) { return 1; }
695	if(stat(filename, &sb) == -1) {
696	close(fd);
697	return 1;
698	}
699	char* data = (char *)mmap(NULL, sb.st_size, PROT_READ, MAP_PRIVATE, fd, 0);
700	if(data == MAP_FAILED) {
701	close(fd);
702	return 1;
703	}
704	close(fd);
705
706	chunk_t key_pem_chunk=_extract_chunk(data,
707	"-----BEGIN RSA PRIVATE KEY-----","-----END RSA PRIVATE KEY-----");
708	chunk_t cert_pem_chunk=_extract_chunk(data,
709	"-----BEGIN CERTIFICATE-----","-----END CERTIFICATE-----");
710
711	/* key=0, cert=0 */
712	if(key_pem_chunk.len==0 && cert_pem_chunk.len==0) {
713	if(debug) fprintf(stderr, "abac_verifier_load_idkey_file: no key or id in idkey_file\n");
714	goto error;
715	}
716
717	/* key=0, cert=1 */
718	if(key_pem_chunk.len==0) {
719	if(debug) fprintf(stderr, "abac_verifier_load_idkey_file: no key in idkey_file\n");
720	munmap(data, sb.st_size);
721	chunk_free(&key_pem_chunk);
722	return abac_verifier_load_id_file_key_file(filename,NULL,id_cred_ret);
723	}
724
725	/* key=1, cert=1 */
726	if(cert_pem_chunk.len!=0) {
727	if(debug) {
728	fprintf(stderr, "loading cert pem chunk %d\n", cert_pem_chunk.len);
729	printf("(%s)\n",cert_pem_chunk.ptr);
730	}
731	rc=abac_verifier_load_id_pem_chunk(cert_pem_chunk, id_cred_ret);
732	if(rc != 0) {
733	if(debug) fprintf(stderr, "abac_verifier_load_idkey_file: fail to load the id\n");
734	goto error;
735	}
736	/* key=1, cert=0 */
737	} else {
738	if(debug) fprintf(stderr, "abac_verifier_load_idkey_file: there is no id info in there\n");
739	goto error;
740	}
741
742	/* handle the key_pem_chunk */
743	if(debug) {
744	fprintf(stderr, "loading key pem chunk %d\n", key_pem_chunk.len);
745	printf("(%s)\n",key_pem_chunk.ptr);
746	}
747	abac_id_t id=abac_id_credential_id(id_cred_ret);
748	rc=abac_id_load_privkey_chunk(id, key_pem_chunk);
749	if(rc==0) {
750	printf("abac_verifier_load_idkey_file:failed to load priv key!!!\n");
751	goto error;
752	}
753
754	munmap(data, sb.st_size);
755	return 0;
756
757	error:
758	munmap(data, sb.st_size);
759	return 1;
760	}
761
762
763	int abac_verifier_load_enc_idkey_file(char filename, char pfile,
764	abac_id_credential_t **id_cred_ret)
765	{
766	struct stat sb;
767	int fd;
768	int rc;
769
770	fd = open(filename, O_RDONLY);
771	if (fd == -1) { return 1; }
772	if(stat(filename, &sb) == -1) {
773	close(fd);
774	return 1;
775	}
776	char* data = (char *)mmap(NULL, sb.st_size, PROT_READ, MAP_PRIVATE, fd, 0);
777	if(data == MAP_FAILED) {
778	close(fd);
779	return 1;
780	}
781	close(fd);
782
783	chunk_t key_pem_chunk=_extract_chunk(data,
784	"-----BEGIN RSA PRIVATE KEY-----","-----END RSA PRIVATE KEY-----");
785	chunk_t cert_pem_chunk=_extract_chunk(data,
786	"-----BEGIN CERTIFICATE-----","-----END CERTIFICATE-----");
787
788	/* key=0, cert=0 */
789	if(key_pem_chunk.len==0 && cert_pem_chunk.len==0) {
790	if(debug) fprintf(stderr, "abac_verifier_load_idkey_file: no key or id in idkey_file\n");
791	goto error;
792	}
793
794	/* key=0, cert=1 */
795	if(key_pem_chunk.len==0) {
796	if(debug) fprintf(stderr, "abac_verifier_load_idkey_file: no key in idkey_file\n");
797	munmap(data, sb.st_size);
798	chunk_free(&key_pem_chunk);
799	return abac_verifier_load_id_file_key_file(filename,NULL,id_cred_ret);
800	}
801
802	/* key=1, cert=1 */
803	if(cert_pem_chunk.len!=0) {
804	if(debug) {
805	fprintf(stderr, "loading cert pem chunk %d\n", cert_pem_chunk.len);
806	printf("(%s)\n",cert_pem_chunk.ptr);
807	}
808	rc=abac_verifier_load_id_pem_chunk(cert_pem_chunk, id_cred_ret);
809	if(rc != 0) {
810	if(debug) fprintf(stderr, "abac_verifier_load_idkey_file: fail to load the id\n");
811	goto error;
812	}
813	/* key=1, cert=0 */
814	} else {
815	if(debug) fprintf(stderr, "abac_verifier_load_idkey_file: there is no id info in there\n");
816	goto error;
817	}
818
819	/* handle the key_pem_chunk */
820	if(debug) {
821	fprintf(stderr, "loading key pem chunk %d\n", key_pem_chunk.len);
822	printf("(%s)\n",key_pem_chunk.ptr);
823	printf("(%d)\n",strlen(key_pem_chunk.ptr));
824	}
825	abac_id_t id=abac_id_credential_id(id_cred_ret);
826	rc=abac_id_load_enc_privkey_chunk(id, key_pem_chunk, pfile);
827	if(rc==0) {
828	printf("abac_verifier_load_idkey_file:failed to load priv key!!!\n");
829	goto error;
830	}
831
832	munmap(data, sb.st_size);
833	return 0;
834
835	error:
836	munmap(data, sb.st_size);
837	return 1;
838	}
839
840	void abac_print_clauses(abac_list_t clauses, FILE fp)
841	{
842	if (clauses != NULL) {
843	char *cur;
844	printf("total-- %d clauses\n", abac_list_size(clauses));
845	abac_list_foreach(clauses, cur,
846	if(cur) {
847	if(fp)
848	fprintf (fp,"a clause, %d(%s)\n", (int)cur,cur);
849	else printf ("a clause, %d(%s)\n", (int)cur,cur);
850	}
851	);
852	}
853	}
854
855	abac_id_credential_t abac_id_credential_dup(abac_id_credential_t ptr) {
856	assert(ptr != NULL);
857	if(debug)
858	fprintf(stderr, "calling abac_id_credential_dup, increment id ref count\n");
859	abac_id_dup(ptr->id);
860	return ptr;
861	}
862
863	abac_id_t abac_id_credential_id(abac_id_credential_t ptr)
864	{
865	assert(ptr);
866	return ptr->id;
867	}
868
869
870	abac_id_credential_t abac_id_credential_lookup(char pname)
871	{
872	abac_id_credential_t *id_cred=NULL;
873	HASH_FIND_STR(id_creds, pname, id_cred);
874	if(id_cred != NULL)
875	return abac_id_credential_dup(id_cred);
876	else return NULL;
877	}
878
879	void abac_id_credential_free(abac_id_credential_t *ptr)
880	{
881	if (ptr == NULL)
882	return;
883
884	if(debug)
885	fprintf(stderr, "abac_id_credential_free:freeing (%s)\n", abac_id_name(ptr->id));
886
887	// this is very hacky...
888	int last=abac_id_lastone(ptr->id);
889	if(!last) {
890	if(debug) fprintf(stderr, "abac_id_credential_free:not last one\n");
891	abac_id_free(ptr->id);
892	} else {
893	if(debug) fprintf(stderr, "abac_id_credential_free: deleting id (%s)\n",abac_id_name(ptr->id));
894	free(ptr->hashkeyid);
895	if(ptr->pl_clause)
896	free(ptr->pl_clause);
897	abac_id_free(ptr->id);
898	HASH_DEL(id_creds, ptr);
899	free(ptr);
900	}
901	}
902
903	/****************************************************************************/
904
905	static int _verify_valid_credential_string(certificate_t *cert,
906	abac_credential_t *cred_ret, char encoded_attr_string)
907	{
908	abac_aspect_t *head_aspect = NULL;
909	abac_aspect_t *tail_aspect = NULL;
910	abac_list_t *clauses=NULL;
911	abac_id_credential_t *id_cred;
912	abac_id_t *issuer_id;
913	int ret, i;
914
915	// get the attr
916	head_aspect = abac_yy_get_rule_head_aspect();
917	tail_aspect = abac_yy_get_rule_tail_aspect();
918	clauses = abac_yy_get_rule_clauses();
919
920	// get the issuer based on keyid
921	char *principalname = abac_aspect_principal_principalname(head_aspect);
922	if(debug) fprintf(stderr, "LOOKING for %s\n", principalname);
923
924	HASH_FIND_STR(id_creds, principalname, id_cred);
925	if(id_cred == NULL) {
926	ret = ABAC_CERT_MISSING_ISSUER;
927	if(debug)
928	fprintf(stderr, "can not find %s in id_creds\n", principalname);
929	goto error;
930	}
931	issuer_id=id_cred->id;
932	if (issuer_id == NULL) {
933	ret = ABAC_CERT_MISSING_ISSUER;
934	if(debug)
935	fprintf(stderr, "can not find %s in id_creds\n", principalname);
936	goto error;
937	}
938
939	// make sure the issuer's signed it
940	ret = verify_signature(abac_id_cert(issuer_id), cert);
941	if (!ret) {
942	abac_yy_set_error_code(ABAC_RT_CERT_BAD_SIG);
943	ret=ABAC_CERT_BAD_SIG;
944	goto error;
945	}
946
947	// at this point we know we have a good attribute cert baked it in
948	abac_attribute_t *attr=abac_attribute_new(issuer_id, cert, cert->get_ref(cert));
949	abac_attribute_set_head(attr, head_aspect);
950	abac_attribute_add_tail(attr, tail_aspect);
951
952	abac_credential_t *cred = abac_xmalloc(sizeof(abac_credential_t));
953	cred->hashkeyid=abac_xstrdup(encoded_attr_string);
954	cred->attr=attr;
955	cred->pl_clauses = clauses;
956	*cred_ret = cred;
957
958	// success, add the key to the map of certificates
959	HASH_ADD_KEYPTR(hh, attr_creds, cred->hashkeyid, strlen(cred->hashkeyid), cred);
960
961	assert(attr_hashkeyid_list);
962	abac_list_add(attr_hashkeyid_list, abac_xstrdup(cred->hashkeyid));
963
964	if(debug)
965	fprintf(stderr, "-->adding into attr_creds 2, (%s)..cnt(%d)\n",
966	cred->hashkeyid, HASH_COUNT(attr_creds));
967
968	return ABAC_CERT_SUCCESS;
969
970	error:
971	if (head_aspect) abac_aspect_free(head_aspect);
972	if (tail_aspect) abac_aspect_free(tail_aspect);
973	abac_yy_free_rule_clauses();
974
975	return ret;
976	}
977
978	/**
979	* Load an attribute cert.
980	* Returns true only if the certificate is valid and is issued by the proper
981	* authority.
982	* attribute string is parsed via yyparse call
983	*/
984	static int _load_attribute_cert(certificate_t cert, abac_credential_t *cred_ret) {
985	ietf_attributes_t *attr_cert = NULL;
986	int ret, i;
987
988	// get the attr
989	ac_t ac = (ac_t )cert;
990	attr_cert = ac->get_groups(ac);
991	if (attr_cert == NULL) {
992	ret = ABAC_CERT_INVALID;
993	goto error;
994	}
995
996	char *encoded_attr_string=attr_cert->get_string(attr_cert);
997	char *attr_string = abac_decode_string(encoded_attr_string);
998	if(debug)
999	fprintf(stderr, "string to be yyparse..(%d)(%s)\n",strlen(attr_string),attr_string);
1000
1001	if (attr_string == NULL) {
1002	ret = ABAC_CERT_INVALID;
1003	goto error;
1004	}
1005
1006	/* call into yacc parser */
1007	abac_reset_yyfptr(attr_string);
1008	abac_yy_init();
1009	int rc=yyparse();
1010	if (rc) {
1011	ret = ABAC_CERT_INVALID;
1012	goto error;
1013	}
1014
1015	ret=_verify_valid_credential_string(cert,cred_ret,encoded_attr_string);
1016
1017	if(ret != ABAC_CERT_SUCCESS) {
1018	char *tmp=NULL;
1019	asprintf(&tmp,"_load_attribute_cert: fail to verify credential (%s)",attr_string);
1020	panic(tmp);
1021	}
1022
1023	// free up some crap
1024	attr_cert->destroy(attr_cert);
1025
1026	return ret;
1027
1028	error:
1029	if (cert) cert->destroy(cert);
1030	if (attr_cert) attr_cert->destroy(attr_cert);
1031	return ret;
1032	}
1033
1034	/**
1035	* Load an attribute cert from a abac_attribute_t.
1036	* attr should be all checked out before arriving here
1037	*/
1038	int abac_verifier_load_attribute_cert_attribute(abac_attribute_t ptr, abac_credential_t *cred_ret) {
1039	// get the attr
1040	abac_aspect_t *head=abac_attribute_head(ptr);
1041	abac_aspect_t *tail=abac_attribute_tail(ptr);
1042
1043	// preprocess for constraint part
1044	preprocess_pl_head(head);
1045	preprocess_pl_tail(tail);
1046
1047	/* setup the encoded attribute string */
1048	char *encoded_attr_string=get_cred_encoding(ptr);
1049	generate_pl_set_abac_yyfptr_encoded(encoded_attr_string);
1050	/* collect up type clauses, constraint clauses and
1051	generate rule clauses */
1052	abac_list_t *clauses=generate_pl_clauses(head,tail);
1053
1054	if(debug) abac_print_clauses(clauses,NULL);
1055
1056	abac_credential_t *cred = abac_xmalloc(sizeof(abac_credential_t));
1057	cred->hashkeyid=abac_xstrdup(encoded_attr_string);
1058	cred->attr=abac_attribute_dup(ptr);
1059	cred->pl_clauses = clauses;
1060	*cred_ret = cred;
1061
1062	// success, add the key to the map of certificates
1063	HASH_ADD_KEYPTR(hh, attr_creds, cred->hashkeyid, strlen(cred->hashkeyid), cred);
1064
1065	assert(attr_hashkeyid_list);
1066	abac_list_add(attr_hashkeyid_list, abac_xstrdup(cred->hashkeyid));
1067
1068	if(debug)
1069	fprintf(stderr, "-->adding into attr_creds, (%s)..cnt(%d)\n",
1070	cred->hashkeyid, HASH_COUNT(attr_creds));
1071	return ABAC_CERT_SUCCESS;
1072	}
1073
1074	/**
1075	* Load an attribute cert from a file.
1076	*/
1077	int abac_verifier_load_attribute_cert_file(char filename, abac_credential_t *cred) {
1078	// load the cert
1079	if(debug) fprintf(stderr, "..loading attr file %s\n", filename);
1080	certificate_t *cert = lib->creds->create(
1081	lib->creds, CRED_CERTIFICATE, CERT_X509_AC,
1082	BUILD_FROM_FILE, filename,
1083	BUILD_END
1084	);
1085	if (cert == NULL)
1086	return ABAC_CERT_INVALID;
1087	return _load_attribute_cert(cert, cred);
1088	}
1089
1090	/**
1091	* Load an attribute cert from a chunk.
1092	*/
1093	int abac_verifier_load_attribute_cert_chunk(chunk_t chunk, abac_credential_t **cred) {
1094	// load the cert
1095	certificate_t *cert = lib->creds->create(
1096	lib->creds, CRED_CERTIFICATE, CERT_X509_AC,
1097	BUILD_BLOB_ASN1_DER, chunk,
1098	BUILD_END
1099	);
1100	if (cert == NULL)
1101	return ABAC_CERT_INVALID;
1102
1103	return _load_attribute_cert(cert, cred);
1104	}
1105
1106	/**
1107	* Return the encoding of the attribute cert.
1108	*/
1109	abac_chunk_t abac_credential_attribute_cert(abac_credential_t *cred) {
1110	abac_attribute_t *ptr=cred->attr;
1111	certificate_t *cert=abac_attribute_cert(ptr);
1112	chunk_t encoding = chunk_empty;
1113	int rc=cert->get_encoding(cert,CERT_ASN1_DER,&encoding);
1114	abac_chunk_t ret = { encoding.ptr, encoding.len };
1115	return ret;
1116	}
1117
1118	/**
1119	* Return the encoding of the issuer cert.
1120	*/
1121	abac_chunk_t abac_credential_issuer_cert(abac_credential_t *cred) {
1122	certificate_t *issuer_cert=abac_attribute_issuer_cert(cred->attr);
1123	assert(issuer_cert);
1124	chunk_t encoding = chunk_empty;
1125	// XXX MEI, not sure ??
1126	int rc=issuer_cert->get_encoding(issuer_cert,CERT_ASN1_DER,&encoding);
1127	abac_chunk_t ret = { encoding.ptr, encoding.len };
1128	return ret;
1129	}
1130
1131	/**
1132	* Return the clause of the cert
1133	*/
1134	abac_list_t abac_credential_clauses(abac_credential_t cred) {
1135	return cred->pl_clauses;
1136	}
1137
1138	abac_attribute_t abac_credential_attribute(abac_credential_t cred) {
1139	assert(cred);
1140	return cred->attr;
1141	}
1142
1143	/**
1144	* Increase the ref count of a credential.
1145	*/
1146	abac_credential_t abac_credential_dup(abac_credential_t cred) {
1147	assert(cred != NULL);
1148
1149	abac_attribute_dup(cred->attr);
1150	return cred;
1151	}
1152
1153	/**
1154	* lookup for a credential.
1155	*/
1156	abac_credential_t abac_credential_lookup(char cred_string)
1157	{
1158	if(debug)
1159	fprintf(stderr, "abac_credential_lookup: looking for (%s)\n", cred_string);
1160	abac_credential_t *attr_cred;
1161
1162	HASH_FIND_STR(attr_creds, cred_string, attr_cred);
1163	if (attr_cred == NULL) {
1164	if(debug) fprintf(stderr, "DEBUG:NOT FOUND..\n");
1165	return NULL;
1166	}
1167	abac_credential_t *rt=abac_credential_dup(attr_cred);
1168	if(debug) fprintf(stderr, "DEBUG:FOUND.. (%d) returning, (%d)\n", (int)attr_cred, (int) rt);
1169	return rt;
1170	}
1171
1172	/**
1173	* Decrease the reference count of a credential, freeing it when it reaches 0.
1174	*/
1175	void abac_credential_free(abac_credential_t *cred)
1176	{
1177	if(debug)
1178	fprintf(stderr, "abac_credential_free:freeing cred(%d)clause(%d)\n", (int)cred, (int)cred->pl_clauses);
1179
1180	if (cred == NULL)
1181	return;
1182
1183	// this is very hacky...
1184	int last=abac_attribute_lastone(cred->attr);
1185	if(!last) {
1186	abac_attribute_free(cred->attr);
1187	} else {
1188	if(debug) fprintf(stderr, "abac_credential_free: real free for (%d)\n",(int) cred);
1189	free(cred->hashkeyid);
1190	char *cur=NULL;
1191	abac_list_foreach(cred->pl_clauses, cur,
1192	free(cur);
1193	);
1194	abac_attribute_free(cred->attr);
1195	HASH_DEL(attr_creds, cred);
1196	free(cred);
1197	}
1198	}
1199
1200	char abac_id_clause(abac_id_credential_t id_cred)
1201	{
1202	if(id_cred)
1203	return id_cred->pl_clause;
1204	return NULL;
1205	}
1206
1207	/* retrieve the cn that is associated with this sha_string */
1208	char abac_cn_with_sha(char sha_string)
1209	{
1210	// get the issuer based on keyid
1211	abac_id_credential_t *id_cred;
1212	HASH_FIND_STR(id_creds, sha_string, id_cred);
1213	if (id_cred == NULL) {
1214	return NULL;
1215	}
1216	if(debug)
1217	check_id_cred(id_cred);
1218	return abac_id_cn(id_cred->id);
1219	}
1220
1221	char abac_idtype_with_sha(char sha_string)
1222	{
1223	// get the issuer based on keyid
1224	abac_id_credential_t *id_cred;
1225	HASH_FIND_STR(id_creds, sha_string, id_cred);
1226	if (id_cred == NULL) {
1227	// this id, sha string is not in the db...
1228	if(debug)
1229	fprintf(stderr,"abac_idtype_with_sha: this id is not in the id_creds list\n");
1230	return NULL;
1231	}
1232	int idtype=abac_id_idtype(id_cred->id);
1233
1234	return abac_idtype_string(idtype);
1235	}
1236
1237	abac_aspect_t abac_credential_head(abac_credential_t cred) {
1238	return abac_attribute_head(cred->attr);
1239	}
1240
1241	abac_aspect_t abac_credential_tail(abac_credential_t cred) {
1242	return abac_attribute_tail(cred->attr);
1243	}
1244
1245

Note: See TracBrowser for help on using the repository browser.

Download in other formats: