Context Navigation

source: libabac/abac_verifier.c @ 888df49

mei_rt2mei_rt2_fix_1

Last change on this file since 888df49 was 2efdff5, checked in by Mei <mei@…>, 12 years ago

1) fix the missing check for 'This' rt2.y when called from creddy/prover

combo

2) patch up the stringify of abac_term that is of time type.
3) update the testing to reflect the changes to baseline output

Property mode set to 100644

File size: 27.0 KB

Line
1	/**
2	** abac_verifier.c
3	**/
4
5	// include the GNU extension of asprintf
6	#define _GNU_SOURCE
7
8	#include <stdio.h>
9	#include <regex.h>
10	#include <sys/mman.h>
11	#include <fcntl.h>
12	#include <sys/types.h>
13	#include <sys/stat.h>
14	#include <unistd.h>
15
16
17	#include <assert.h>
18	#include <stdio.h>
19
20	#include <library.h>
21
22	#include "abac_internal.h"
23	#include "abac_verifier.h"
24
25	#include "abac_util.h"
26	#include "abac_rt.h"
27
28	static int debug=0;
29
30	/* from abac_attribute.c */
31	extern char get_cred_encoding(abac_attribute_t ptr);
32
33	extern abac_aspect_t *abac_yy_get_rule_head_aspect();
34	extern abac_aspect_t *abac_yy_get_rule_tail_aspect();
35	extern abac_list_t *abac_yy_get_rule_clauses();
36	extern char* abac_decode_string(char *);
37	extern void abac_yy_free_rule_clauses();
38	extern char generate_pl_type_clause(char , int);
39	extern abac_list_t generate_pl_clauses(abac_aspect_t , abac_aspect_t *);
40
41	extern void abac_print_aspect_string_with_condition(abac_aspect_t role, FILE);
42
43	struct _abac_id_credential_t {
44	char *hashkeyid;
45	abac_id_t *id;
46	char *pl_clause;
47
48	UT_hash_handle hh;
49	};
50	/* hash table base on sha with a p */
51	abac_id_credential_t *id_creds = NULL;
52	/* linked list of all the ids's hashkeyid */
53	abac_list_t *id_hashkeyid_list = NULL;
54
55	/* can store either role or oset */
56	struct _abac_credential_t {
57	char *hashkeyid;
58	abac_attribute_t *attr;
59	abac_list_t *pl_clauses;
60
61	UT_hash_handle hh;
62	};
63	/* hash table base on encoded attr rule */
64	abac_credential_t *attr_creds = NULL;
65	/* linked list of all the attr's hashkeyid */
66	abac_list_t *attr_hashkeyid_list = NULL;
67
68	/*****************************************************************************/
69	void abac_print_cred_info(abac_credential_t cred, FILE fp)
70	{
71	if(fp == NULL)
72	fp=stdout;
73
74	abac_attribute_t *ptr=cred->attr;
75	abac_aspect_t *head=abac_attribute_head(ptr);
76	abac_aspect_t *tail=abac_attribute_tail(ptr);
77
78	if(debug) {
79	fprintf(fp,"---> printing out credential info cred(%d)..\n", (int) cred);
80	if(head) {
81	abac_print_aspect_string_with_condition(head,fp);
82	}
83	if(tail) {
84	abac_print_aspect_string_with_condition(tail,fp);
85	}
86
87	abac_list_t *clauses=cred->pl_clauses;
88	if (clauses != NULL) {
89	char *cur=NULL;
90	abac_list_foreach(clauses, cur,
91	fprintf(fp,"\n a clause(%d):\n",(int)cur);
92	if(cur)
93	fprintf(fp,"strlen(%d)loc(%d)(%s)\n", strlen(cur),(int)cur, cur);
94	);
95	}
96	} else {
97	fprintf(fp," ");
98	abac_print_aspect_string_with_condition(head,fp);
99	fprintf(fp," <- ");
100	abac_print_aspect_string_with_condition(tail,fp);
101	fprintf(fp,"\n");
102	}
103	}
104
105	void abac_print_prin_info(abac_id_credential_t prin, FILE fp)
106	{
107	if(fp == NULL)
108	return;
109
110	abac_id_t *ptr=abac_id_credential_id(prin);
111
112	if(debug) fprintf(fp,"---> printing out principal info ..\n");
113	if(abac_id_has_privkey(ptr))
114	fprintf(fp," (%s,%s,y)\n",abac_id_name(ptr),abac_id_idtype_string(ptr));
115	else
116	fprintf(fp," (%s,%s,n)\n",abac_id_name(ptr),abac_id_idtype_string(ptr));
117	}
118
119	//
120	int abac_verify_idtype_type(char *type) {
121	int i;
122
123	if (type == NULL)
124	return 0;
125
126	for (i = 1; i <= _idtypename_cnt ; i++)
127	if(strcmp(type,_idtypename[i])==0)
128	return i;
129	return 0;
130	}
131
132	char *abac_idtype_string(int i)
133	{
134	if(i > _idtypename_cnt) {
135	printf("bad idtypename idx %d\n", i);
136	panic("abac_idtype_string: went out of range on idtypename");
137	}
138	return (char*) _idtypename[i];
139	}
140
141	// convert a chunk to a lowercase binary string
142	// malloc's the string
143	static char *_chunk_to_string(chunk_t chunk) {
144	int i;
145
146	char ret = abac_xmalloc(chunk.len 2 + 1);
147
148	for (i = 0; i < chunk.len; ++i)
149	sprintf(ret + 2 * i, "%02x", chunk.ptr[i]);
150
151	return ret;
152	}
153
154	// verify that cert was issued by issuer
155	// cert and issuer can be the same, in which case the self-sig is validated
156	static int _verify_signature(certificate_t issuer_cert, certificate_t cert) {
157	if (cert->issued_by(cert, issuer_cert))
158	if (cert->get_validity(cert, NULL, NULL, NULL))
159	return 1;
160	return 0;
161	}
162
163	/**
164	* Init the verifier subsystem.
165	*/
166	void abac_verifier_init(void) {
167	// silence all debugging
168
169	if (!library_init(NULL))
170	exit(SS_RC_LIBSTRONGSWAN_INTEGRITY);
171
172	if (!lib->plugins->load(lib->plugins, NULL,
173	lib->settings->get_str(lib->settings, "pki.load", PLUGINS)))
174	exit(SS_RC_INITIALIZATION_FAILED);
175
176	attr_hashkeyid_list = abac_list_new();
177	id_hashkeyid_list = abac_list_new();
178	}
179
180	/**
181	* Uninitialize the system, free up any allocated memory.
182	*/
183	void abac_verifier_deinit(void) {
184	if(debug)printf("abac_verifier_deinit... being called..\n");
185
186	abac_id_credential_t *ptr;
187	while ((ptr = id_creds) != NULL) {
188	if(debug) printf("abac_verifier_deinit: deleting id (%s)\n",abac_id_name(ptr->id));
189	HASH_DEL(id_creds, ptr);
190
191	free(ptr->hashkeyid);
192	free(ptr->pl_clause);
193	abac_id_free(ptr->id);
194	free(ptr);
195	}
196
197	abac_credential_t *ptr2;
198	while ((ptr2 = attr_creds) != NULL) {
199	HASH_DEL(attr_creds, ptr2);
200	if(debug) {
201	printf("abac_verifier_deinit: deleting attr hashkey(%s)\n",ptr2->hashkeyid);
202	}
203	free(ptr2->hashkeyid);
204	abac_attribute_free(ptr2->attr);
205	char *cur=NULL;
206	abac_list_foreach(ptr2->pl_clauses, cur,
207	free(cur);
208	);
209	free(ptr2->pl_clauses);
210	free(ptr2);
211	}
212
213	if(attr_hashkeyid_list) {
214	char *cur;
215	if(attr_hashkeyid_list) {
216	abac_list_foreach(attr_hashkeyid_list, cur,
217	if(cur) free(cur);
218	);
219	}
220	abac_list_free(attr_hashkeyid_list);
221	}
222
223	if(id_hashkeyid_list) {
224	if(debug) printf("looking to free id_hashkeyid_lst..\n");
225	char *cur;
226	if(id_hashkeyid_list) {
227	abac_list_foreach(id_hashkeyid_list, cur,
228	if(cur) {
229	if(debug) printf("hum.. id hashkey being freed.. %s\n", cur);
230	free(cur);
231	}
232	);
233	}
234	abac_list_free(id_hashkeyid_list);
235	}
236
237	library_deinit();
238	}
239
240	abac_id_credential_t abac_verifier_add_id_credential(abac_id_t a_id)
241	{
242	abac_id_credential_t *id_cred;
243	char *cn=abac_id_cn(a_id);
244	char *keyid=abac_id_keyid(a_id);
245
246	if(debug) {
247	printf("abac_verifier_add_id_credential, cn(%s),keyid(%s)\n",
248	cn, keyid);
249	}
250
251	// add the abac_id to the map of id credentials
252	id_cred = abac_xmalloc(sizeof(abac_id_credential_t));
253	id_cred->hashkeyid = abac_xstrdup(keyid);
254	id_cred->id=abac_id_dup(a_id);
255
256	/* special handling here */
257	if(USE("ABAC_CN")) {
258	id_cred->pl_clause = generate_pl_type_clause(cn, abac_id_idtype(a_id));
259	} else {
260	id_cred->pl_clause=generate_pl_type_clause(prologIt(keyid), abac_id_idtype(a_id));
261	}
262	HASH_ADD_KEYPTR(hh, id_creds, id_cred->hashkeyid, strlen(id_cred->hashkeyid), id_cred);
263	if(debug)
264	printf("-->adding into id_creds, (%s)..cnt(%d)\n",
265	id_cred->hashkeyid, HASH_COUNT(id_creds));
266
267	assert(id_hashkeyid_list);
268	abac_list_add(id_hashkeyid_list, abac_xstrdup(id_cred->hashkeyid));
269	return id_cred;
270	}
271
272	/**
273	* Load an ID
274	*/
275	static int _load_id(abac_id_t *a_id,certificate_t cert, abac_id_credential_t **id_cred_ret) {
276	abac_id_credential_t *id_cred = NULL;
277	char *keyid = NULL;
278	chunk_t id;
279	int ret;
280	x509_t x509 = (x509_t )cert;
281
282	assert(cert != NULL);
283
284	// get the key ID, add p to keyid SHA here */
285	id = x509->get_subjectKeyIdentifier(x509);
286	keyid = _chunk_to_string(id);
287
288	/* Mike said this is the way it is */
289	char *str;
290	int rv = asprintf(&str, "%Y", cert->get_issuer(cert));
291
292	/* add p to cn name here */
293	char cn=(char )abac_xmalloc(strlen(str)+2);
294	cn[0]='p';
295	int n=sscanf(str,"CN=%s", &(cn[1]));
296	if ( n!=1 ) {
297	ret = ABAC_CERT_BAD_CN;
298	goto error;
299	}
300
301	if(debug) {
302	printf ("DEBUG:keyid %s \n", keyid);
303	printf( "DEBUG:issuer '%s' \n", str);
304	printf ("DEBUG:cn %s \n", cn);
305	}
306	free(str);
307
308	// if we already have this cert 'error' with success
309	HASH_FIND_STR(id_creds, keyid, id_cred);
310	if (id_cred != NULL) {
311	if(debug) printf("existing cert \n");
312	ret = ABAC_CERT_EXISTS;
313	goto error;
314	}
315
316	// validate sig
317	ret = _verify_signature(cert, cert);
318	if (!ret) {
319	ret = ABAC_CERT_BAD_SIG;
320	goto error;
321	}
322
323	// success, add a new abac_id
324	if(*a_id==NULL) {
325	*a_id=abac_id_keyid_new(keyid,cn,cert);
326	}
327
328	abac_id_credential_t n_id_cred=abac_verifier_add_id_credential(a_id);
329	*id_cred_ret=n_id_cred;
330
331	return ABAC_CERT_SUCCESS;
332
333	error:
334	if (keyid != NULL) free(keyid);
335	if (cn != NULL) free(cn);
336
337	return ret;
338	}
339
340	/* collect all the creds stored so far */
341	abac_stack_t *abac_verifier_dump_creds()
342	{
343	abac_stack_t *cred_list = abac_stack_new();
344
345	int cnt=0;
346	if(attr_hashkeyid_list) {
347	char *keyid;
348	abac_credential_t *cred;
349	abac_list_foreach(attr_hashkeyid_list, keyid,
350	cred=abac_credential_lookup(keyid);
351	abac_stack_push(cred_list, cred);
352	cnt++;
353	);
354	}
355	if(debug) printf("abac_verifier_dump_cred: %d\n",cnt);
356	return cred_list;
357	}
358
359	/* collect all the id stored so far */
360	abac_stack_t *abac_verifier_dump_principals()
361	{
362	abac_stack_t *id_list = abac_stack_new();
363
364	int cnt=0;
365	if(id_hashkeyid_list) {
366	char *keyid;
367	abac_id_credential_t *id;
368	abac_list_foreach(id_hashkeyid_list, keyid,
369	id=abac_id_credential_lookup(keyid);
370	abac_stack_push(id_list, id);
371	cnt++;
372	);
373	}
374	if(debug) printf("abac_verifier_dump_principals: %d\n",cnt);
375	return id_list;
376	}
377
378
379	static void check_id_cred(abac_id_credential_t *id_cred)
380	{
381	if(id_cred) {
382	printf("checking on this id_cred location %d\n", (int)id_cred);
383	printf(" --> sha is (%s)\n", abac_id_keyid(id_cred->id));
384	printf(" --> cn is (%s)\n", abac_id_cn(id_cred->id));
385	}
386	}
387
388	/**
389	* Load an attribute cert as string.
390	* have minimum syntax & validity check
391	*/
392	static int _load_attribute_string(char* attr_string) {
393	printf("NOT implemented yet!!!");
394	return ABAC_CERT_INVALID;
395	}
396
397	/**
398	* Load an ID cert from a file.
399	*/
400	int abac_verifier_load_id_file_key_file(char filename, char keyfilename, abac_id_credential_t **id_cred_ret) {
401	abac_id_t *id=NULL;
402	if (lib == NULL)
403	errx(1, "looks like you didn't call libabac_init() (lib is NULL)");
404
405	if(debug) printf("loading id file... %s\n", filename);
406
407	// load the cert, with public key
408	certificate_t *cert = lib->creds->create(
409	lib->creds, CRED_CERTIFICATE, CERT_X509,
410	BUILD_FROM_FILE, filename,
411	BUILD_X509_FLAG, X509_AA, // attribute authority, dumb
412	BUILD_END
413	);
414
415	if (cert == NULL)
416	return ABAC_CERT_INVALID;
417
418	int rc=_load_id(&id,cert,id_cred_ret);
419	if(rc==ABAC_CERT_EXISTS) {
420	if(debug) printf("abac_verifier_load_id_files: id already exists\n");
421	return ABAC_CERT_SUCCESS;
422	}
423
424	/* try to load the private key if it is there */
425	if((rc==ABAC_CERT_SUCCESS) && keyfilename!=NULL && file_exist(keyfilename)) {
426	if(debug) printf("loading... %s\n", keyfilename);
427	int keyrc=abac_id_load_privkey_file(id, keyfilename);
428	if(debug) {
429	if(keyrc == 1) printf("..load_id_file: load(%s) with a private key\n",filename);
430	else printf("..load_id_file: load(%s) without a private key\n",filename);
431	}
432	}
433	return ABAC_CERT_SUCCESS;
434	}
435
436	/**
437	* Load an ID cert from a abac_id_t
438	*/
439	int abac_verifier_load_id_id(abac_id_t id, abac_id_credential_t *id_cred_ret) {
440	certificate_t *cert = abac_id_cert(id);
441	return _load_id(&id,cert,id_cred_ret);
442	}
443
444	/**
445	* Load an ID cert from a chunk.
446	*/
447	int abac_verifier_load_id_pem_chunk(chunk_t chunk, abac_id_credential_t **id_cred_ret) {
448	abac_id_t *id=NULL;
449	// load the cert
450	certificate_t *cert = lib->creds->create(
451	lib->creds, CRED_CERTIFICATE, CERT_X509,
452	BUILD_BLOB_PEM, chunk,
453	BUILD_X509_FLAG, X509_AA, // attribute authority, dumb
454	BUILD_END
455	);
456	if (cert == NULL)
457	return ABAC_CERT_INVALID;
458	return _load_id(&id, cert,id_cred_ret);
459	}
460	/**
461	* Load an ID cert from a chunk.
462	*/
463	int abac_verifier_load_id_chunk(chunk_t chunk, abac_id_credential_t **id_cred_ret) {
464	abac_id_t *id=NULL;
465	// load the cert
466	certificate_t *cert = lib->creds->create(
467	lib->creds, CRED_CERTIFICATE, CERT_X509,
468	BUILD_BLOB_ASN1_DER, chunk,
469	BUILD_X509_FLAG, X509_AA, // attribute authority, dumb
470	BUILD_END
471	);
472	if (cert == NULL)
473	return ABAC_CERT_INVALID;
474	return _load_id(&id, cert,id_cred_ret);
475	}
476
477	abac_id_t abac_verifier_load_issuer(char filename, char *keyfilename)
478	{
479	abac_id_credential_t *id_cred=NULL;
480	int ret=abac_verifier_load_id_file_key_file(filename,keyfilename,&id_cred);
481	if(ret !=ABAC_CERT_SUCCESS)
482	return NULL;
483	abac_id_t *issuer=abac_id_credential_id(id_cred);
484	return issuer;
485	}
486
487
488	static int matchex(const char subject, const char pattern, int so, int eo)
489	{
490	int rc; // Returned code
491	regmatch_t pmatch;
492
493	regex_t re; // Compiled regexp pattern
494
495	if (regcomp(&re, pattern, 0) != 0) return 0;
496
497	rc = regexec(&re, subject, 1 , &pmatch, 0);
498	regfree(&re);
499
500	if (rc == REG_NOMATCH ) return 0;
501
502	*so=pmatch.rm_so;
503	*eo=pmatch.rm_eo;
504
505	return 1;
506	}
507
508
509
510	static chunk_t _extract_chunk(char data, char startline, char* endline)
511	{
512	int found=0;
513	int startos=0;
514	int endos=0;
515	regex_t re;
516	regmatch_t pm;
517	int rc;
518
519	int st;
520	int et;
521
522	rc=matchex(data, startline, &st, &et);
523	if(rc==0) return chunk_empty;
524	startos=st;
525
526	rc=matchex(data, endline, &st, &et);
527	if(rc==0) return chunk_empty;
528	endos=et;
529
530	int len=endos - startos;
531
532	if(debug) printf("making a chunk of size (%d) from %d and %d\n",len, startos,endos);
533	char *ptr=strndup(data+startos,len);
534
535	chunk_t ret = { ptr, len };
536	return ret;
537	}
538
539
540	int abac_verifier_load_idkey_file(char filename, abac_id_credential_t *id_cred_ret)
541	{
542	struct stat sb;
543	int fd;
544	int rc;
545
546	fd = open(filename, O_RDONLY);
547	if (fd == -1) { return 1; }
548	if(stat(filename, &sb) == -1) {
549	close(fd);
550	return 1;
551	}
552	char* data = (char *)mmap(NULL, sb.st_size, PROT_READ, MAP_PRIVATE, fd, 0);
553	if(data == MAP_FAILED) {
554	close(fd);
555	return 1;
556	}
557	close(fd);
558
559	chunk_t key_pem_chunk=_extract_chunk(data,
560	"-----BEGIN RSA PRIVATE KEY-----","-----END RSA PRIVATE KEY-----");
561	chunk_t cert_pem_chunk=_extract_chunk(data,
562	"-----BEGIN CERTIFICATE-----","-----END CERTIFICATE-----");
563
564	/* key=0, cert=0 */
565	if(key_pem_chunk.len==0 && cert_pem_chunk.len==0) {
566	if(debug) printf("abac_verifier_load_idkey_file: no key or id in idkey_file\n");
567	goto error;
568	}
569
570	/* key=0, cert=1 */
571	if(key_pem_chunk.len==0) {
572	if(debug) printf("abac_verifier_load_idkey_file: no key in idkey_file\n");
573	munmap(data, sb.st_size);
574	chunk_free(&key_pem_chunk);
575	return abac_verifier_load_id_file_key_file(filename,NULL,id_cred_ret);
576	}
577
578	/* key=1, cert=1 */
579	if(cert_pem_chunk.len!=0) {
580	if(debug) {
581	printf("loading cert pem chunk %d\n", cert_pem_chunk.len);
582	printf("(%s)\n",cert_pem_chunk.ptr);
583	}
584	rc=abac_verifier_load_id_pem_chunk(cert_pem_chunk, id_cred_ret);
585	if(rc != 0) {
586	if(debug) printf("abac_verifier_load_idkey_file: fail to load the id\n");
587	goto error;
588	}
589	/* key=1, cert=0 */
590	} else {
591	if(debug) printf("abac_verifier_load_idkey_file: there is no id info in there\n");
592	goto error;
593	}
594
595	/* handle the key_pem_chunk */
596	if(debug) {
597	printf("loading key pem chunk %d\n", key_pem_chunk.len);
598	printf("(%s)\n",key_pem_chunk.ptr);
599	}
600	abac_id_t id=abac_id_credential_id(id_cred_ret);
601	rc=abac_id_load_privkey_chunk(id, key_pem_chunk);
602	if(rc==0) {
603	printf("abac_verifier_load_idkey_file:failed to load priv key!!!\n");
604	goto error;
605	}
606
607	munmap(data, sb.st_size);
608	return 0;
609
610	error:
611	munmap(data, sb.st_size);
612	return 1;
613	}
614
615
616
617	void abac_print_clauses(abac_list_t clauses, FILE fp)
618	{
619	if (clauses != NULL) {
620	char *cur;
621	printf("total-- %d clauses\n", abac_list_size(clauses));
622	abac_list_foreach(clauses, cur,
623	if(cur) {
624	if(fp)
625	fprintf (fp,"a clause, %d(%s)\n", (int)cur,cur);
626	else printf ("a clause, %d(%s)\n", (int)cur,cur);
627	}
628	);
629	}
630	}
631
632	abac_id_credential_t abac_id_credential_dup(abac_id_credential_t ptr) {
633	assert(ptr != NULL);
634	abac_id_dup(ptr->id);
635	return ptr;
636	}
637
638	abac_id_t abac_id_credential_id(abac_id_credential_t ptr)
639	{
640	assert(ptr);
641	return ptr->id;
642	}
643
644
645	abac_id_credential_t abac_id_credential_lookup(char pname)
646	{
647	abac_id_credential_t *id_cred=NULL;
648	HASH_FIND_STR(id_creds, pname, id_cred);
649	if(id_cred != NULL)
650	return abac_id_credential_dup(id_cred);
651	else return NULL;
652	}
653
654	void abac_id_credential_free(abac_id_credential_t *ptr)
655	{
656	if (ptr == NULL)
657	return;
658
659	if(debug)
660	printf("abac_id_credential_free:freeing (%s)\n", abac_id_name(ptr->id));
661
662	// this is very hacky...
663	int last=abac_id_lastone(ptr->id);
664	if(!last) {
665	if(debug) printf("abac_id_credential_free:not last one\n");
666	abac_id_free(ptr->id);
667	} else {
668	if(debug) printf("abac_id_credential_free: deleting id (%s)\n",abac_id_name(ptr->id));
669	free(ptr->hashkeyid);
670	if(ptr->pl_clause)
671	free(ptr->pl_clause);
672	abac_id_free(ptr->id);
673	HASH_DEL(id_creds, ptr);
674	free(ptr);
675	}
676	}
677
678	/****************************************************************************/
679
680	static int _verify_valid_credential_string(certificate_t *cert,
681	abac_credential_t *cred_ret, char encoded_attr_string)
682	{
683	abac_aspect_t *head_aspect = NULL;
684	abac_aspect_t *tail_aspect = NULL;
685	abac_list_t *clauses=NULL;
686	abac_id_credential_t *id_cred;
687	abac_id_t *issuer_id;
688	int ret, i;
689
690	// get the attr
691	head_aspect = abac_yy_get_rule_head_aspect();
692	tail_aspect = abac_yy_get_rule_tail_aspect();
693	clauses = abac_yy_get_rule_clauses();
694
695	// get the issuer based on keyid
696	char *principalname = abac_aspect_principal_principalname(head_aspect);
697	if(debug) printf("LOOKING for %s\n", principalname);
698
699	HASH_FIND_STR(id_creds, principalname, id_cred);
700	if(id_cred == NULL) {
701	ret = ABAC_CERT_MISSING_ISSUER;
702	if(debug)
703	printf("can not find %s in id_creds\n", principalname);
704	goto error;
705	}
706	issuer_id=id_cred->id;
707	if (issuer_id == NULL) {
708	ret = ABAC_CERT_MISSING_ISSUER;
709	if(debug)
710	printf("can not find %s in id_creds\n", principalname);
711	goto error;
712	}
713
714
715	// make sure the issuer's signed it
716	ret = _verify_signature(abac_id_cert(issuer_id), cert);
717	if (!ret) {
718	abac_yy_set_error_code(ABAC_RT_CERT_BAD_SIG);
719	ret=ABAC_CERT_BAD_SIG;
720	goto error;
721	}
722
723	// at this point we know we have a good attribute cert baked it in
724	abac_attribute_t *attr=abac_attribute_new(issuer_id, cert, cert->get_ref(cert));
725	abac_attribute_set_head(attr, head_aspect);
726	abac_attribute_add_tail(attr, tail_aspect);
727
728	abac_credential_t *cred = abac_xmalloc(sizeof(abac_credential_t));
729	cred->hashkeyid=abac_xstrdup(encoded_attr_string);
730	cred->attr=attr;
731	cred->pl_clauses = clauses;
732	*cred_ret = cred;
733
734	// success, add the key to the map of certificates
735	HASH_ADD_KEYPTR(hh, attr_creds, cred->hashkeyid, strlen(cred->hashkeyid), cred);
736
737	assert(attr_hashkeyid_list);
738	abac_list_add(attr_hashkeyid_list, abac_xstrdup(cred->hashkeyid));
739	return ABAC_CERT_SUCCESS;
740
741	error:
742	if (head_aspect) abac_aspect_free(head_aspect);
743	if (tail_aspect) abac_aspect_free(tail_aspect);
744	abac_yy_free_rule_clauses();
745
746	return ret;
747	}
748
749	/**
750	* Load an attribute cert.
751	* Returns true only if the certificate is valid and is issued by the proper
752	* authority.
753	* attribute string is parsed via yyparse call
754	*/
755	static int _load_attribute_cert(certificate_t cert, abac_credential_t *cred_ret) {
756	ietf_attributes_t *attr_cert = NULL;
757	abac_id_credential_t *issuer;
758	int ret, i;
759
760	// get the attr
761	ac_t ac = (ac_t )cert;
762	attr_cert = ac->get_groups(ac);
763	if (attr_cert == NULL) {
764	ret = ABAC_CERT_INVALID;
765	goto error;
766	}
767
768	char *encoded_attr_string=attr_cert->get_string(attr_cert);
769	char *attr_string = abac_decode_string(encoded_attr_string);
770	if(debug)
771	printf("string to be yyparse..(%d)(%s)\n",strlen(attr_string),attr_string);
772
773	if (attr_string == NULL) {
774	ret = ABAC_CERT_INVALID;
775	goto error;
776	}
777
778	/* call into yacc parser */
779	abac_reset_yyfptr(attr_string);
780	abac_yy_init();
781	int rc=yyparse();
782	if (rc) {
783	ret = ABAC_CERT_INVALID;
784	goto error;
785	}
786
787	ret=_verify_valid_credential_string(cert,cred_ret,encoded_attr_string);
788
789	if(ret != ABAC_CERT_SUCCESS) {
790	panic("_load_attribute_cert: fail to process (%s)",encoded_attr_string);
791	}
792
793	// free up some crap
794	attr_cert->destroy(attr_cert);
795
796	return ret;
797
798	error:
799	if (cert) cert->destroy(cert);
800	if (attr_cert) attr_cert->destroy(attr_cert);
801	return ret;
802	}
803
804	/**
805	* Load an attribute cert from a abac_attribute_t.
806	* attr should be all checked out before arriving here
807	*/
808	int abac_verifier_load_attribute_cert_attribute(abac_attribute_t ptr, abac_credential_t *cred_ret) {
809	// get the attr
810	abac_aspect_t *head=abac_attribute_head(ptr);
811	abac_aspect_t *tail=abac_attribute_tail(ptr);
812
813	// preprocess for constraint part
814	preprocess_pl_head(head);
815	preprocess_pl_tail(tail);
816
817	/* XXX collect up type clauses, constraint clauses and
818	generate rule clauses */
819	abac_list_t *clauses=generate_pl_clauses(head,tail);
820	char *encoded_attr_string=get_cred_encoding(ptr);
821
822	abac_credential_t *cred = abac_xmalloc(sizeof(abac_credential_t));
823	cred->hashkeyid=abac_xstrdup(encoded_attr_string);
824	cred->attr=abac_attribute_dup(ptr);
825	cred->pl_clauses = clauses;
826	*cred_ret = cred;
827
828	// success, add the key to the map of certificates
829	HASH_ADD_KEYPTR(hh, attr_creds, cred->hashkeyid, strlen(cred->hashkeyid), cred);
830
831	assert(attr_hashkeyid_list);
832	abac_list_add(attr_hashkeyid_list, abac_xstrdup(cred->hashkeyid));
833	return ABAC_CERT_SUCCESS;
834	}
835
836	/**
837	* Load an attribute cert from a file.
838	*/
839	int abac_verifier_load_attribute_cert_file(char filename, abac_credential_t *cred) {
840	// load the cert
841	if(debug) printf("..loading attr file %s\n", filename);
842	certificate_t *cert = lib->creds->create(
843	lib->creds, CRED_CERTIFICATE, CERT_X509_AC,
844	BUILD_FROM_FILE, filename,
845	BUILD_END
846	);
847	if (cert == NULL)
848	return ABAC_CERT_INVALID;
849	return _load_attribute_cert(cert, cred);
850	}
851
852	/**
853	* Load an attribute cert from a chunk.
854	*/
855	int abac_verifier_load_attribute_cert_chunk(chunk_t chunk, abac_credential_t **cred) {
856	// load the cert
857	certificate_t *cert = lib->creds->create(
858	lib->creds, CRED_CERTIFICATE, CERT_X509_AC,
859	BUILD_BLOB_ASN1_DER, chunk,
860	BUILD_END
861	);
862	if (cert == NULL)
863	return ABAC_CERT_INVALID;
864	return _load_attribute_cert(cert, cred);
865	}
866
867	/**
868	* Return the encoding of the attribute cert.
869	*/
870	abac_chunk_t abac_credential_attribute_cert(abac_credential_t *cred) {
871	abac_attribute_t *ptr=cred->attr;
872	certificate_t *cert=abac_attribute_cert(ptr);
873	chunk_t encoding = chunk_empty;
874	int rc=cert->get_encoding(cert,CERT_ASN1_DER,&encoding);
875	abac_chunk_t ret = { encoding.ptr, encoding.len };
876	return ret;
877	}
878
879	/**
880	* Return the encoding of the issuer cert.
881	*/
882	abac_chunk_t abac_credential_issuer_cert(abac_credential_t *cred) {
883	certificate_t *issuer_cert=abac_attribute_issuer_cert(cred->attr);
884	assert(issuer_cert);
885	chunk_t encoding = chunk_empty;
886	// XXX MEI, not sure ??
887	int rc=issuer_cert->get_encoding(issuer_cert,CERT_ASN1_DER,&encoding);
888	abac_chunk_t ret = { encoding.ptr, encoding.len };
889	return ret;
890	}
891
892	/**
893	* Return the clause of the cert
894	*/
895	abac_list_t abac_credential_clauses(abac_credential_t cred) {
896	return cred->pl_clauses;
897	}
898
899	abac_attribute_t abac_credential_attribute(abac_credential_t cred) {
900	assert(cred);
901	return cred->attr;
902	}
903
904	/**
905	* Increase the ref count of a credential.
906	*/
907	abac_credential_t abac_credential_dup(abac_credential_t cred) {
908	assert(cred != NULL);
909
910	abac_attribute_dup(cred->attr);
911	return cred;
912	}
913
914	/**
915	* lookup for a credential.
916	*/
917	abac_credential_t abac_credential_lookup(char cred_string)
918	{
919	if(debug)
920	printf("abac_credential_lookup: looking for (%s)\n", cred_string);
921	abac_credential_t *attr_cred;
922	HASH_FIND_STR(attr_creds, cred_string, attr_cred);
923	if (attr_cred == NULL) {
924	if(debug) printf("DEBUG:NOT FOUND..\n");
925	return NULL;
926	}
927	abac_credential_t *rt=abac_credential_dup(attr_cred);
928	if(debug) printf("DEBUG:FOUND.. (%d) returning, (%d)\n", (int)attr_cred, (int) rt);
929	return rt;
930	}
931
932	/**
933	* Decrease the reference count of a credential, freeing it when it reaches 0.
934	*/
935	void abac_credential_free(abac_credential_t *cred)
936	{
937	if(debug)
938	printf("abac_credential_free:freeing cred(%d)clause(%d)\n", (int)cred, (int)cred->pl_clauses);
939
940	if (cred == NULL)
941	return;
942
943	// this is very hacky...
944	int last=abac_attribute_lastone(cred->attr);
945	if(!last) {
946	abac_attribute_free(cred->attr);
947	} else {
948	free(cred->hashkeyid);
949	char *cur=NULL;
950	abac_list_foreach(cred->pl_clauses, cur,
951	free(cur);
952	);
953	abac_attribute_free(cred->attr);
954	HASH_DEL(attr_creds, cred);
955	free(cred);
956	}
957	}
958
959	char abac_id_clause(abac_id_credential_t id_cred)
960	{
961	if(id_cred)
962	return id_cred->pl_clause;
963	return NULL;
964	}
965
966	/* retrieve the cn that is associated with this sha_string */
967	char abac_cn_with_sha(char sha_string)
968	{
969	// get the issuer based on keyid
970	abac_id_credential_t *id_cred;
971	HASH_FIND_STR(id_creds, sha_string, id_cred);
972	if (id_cred == NULL) {
973	return NULL;
974	}
975	if(debug)
976	check_id_cred(id_cred);
977	return abac_id_cn(id_cred->id);
978	}
979
980	char abac_idtype_with_sha(char sha_string)
981	{
982	// get the issuer based on keyid
983	abac_id_credential_t *id_cred;
984	HASH_FIND_STR(id_creds, sha_string, id_cred);
985	if (id_cred == NULL) {
986	return NULL;
987	}
988	int idtype=abac_id_idtype(id_cred->id);
989
990	return abac_idtype_string(idtype);
991	}
992
993	abac_aspect_t abac_credential_head(abac_credential_t cred) {
994	return abac_attribute_head(cred->attr);
995	}
996
997	abac_aspect_t abac_credential_tail(abac_credential_t cred) {
998	return abac_attribute_tail(cred->attr);
999	}
1000
1001

Note: See TracBrowser for help on using the repository browser.

Context Navigation

source: libabac/abac_verifier.c @ 888df49

Download in other formats: