Context Navigation

source: libabac/abac_verifier.c @ 9b43fc3

mei_rt2mei_rt2_fix_1

Last change on this file since 9b43fc3 was 9b43fc3, checked in by Mei <mei@…>, 12 years ago
1) add code to load id into context with both cert chunk and privkey chunk 2) test out the sample scripts in swig/perl and swig/python
Property mode set to `100644`
File size: 28.4 KB

Line
1	/**
2	** abac_verifier.c
3	**/
4
5	// include the GNU extension of asprintf
6	#define _GNU_SOURCE
7
8	#include <stdio.h>
9	#include <regex.h>
10	#include <sys/mman.h>
11	#include <fcntl.h>
12	#include <sys/types.h>
13	#include <sys/stat.h>
14	#include <unistd.h>
15
16
17	#include <assert.h>
18	#include <stdio.h>
19
20	#include <library.h>
21
22	#include "abac_internal.h"
23	#include "abac_verifier.h"
24
25	#include "abac_util.h"
26	#include "abac_rt.h"
27
28	static int debug=0;
29
30	/* from abac_attribute.c */
31	extern char get_cred_encoding(abac_attribute_t ptr);
32
33	extern abac_aspect_t *abac_yy_get_rule_head_aspect();
34	extern abac_aspect_t *abac_yy_get_rule_tail_aspect();
35	extern abac_list_t *abac_yy_get_rule_clauses();
36	extern char* abac_decode_string(char *);
37	extern void abac_yy_free_rule_clauses();
38	extern char generate_pl_type_clause(char , int);
39	extern abac_list_t generate_pl_clauses(abac_aspect_t , abac_aspect_t *);
40	extern void generate_pl_set_abac_yyfptr_encoded(char *string);
41
42	extern void abac_print_aspect_string_with_condition(abac_aspect_t role, FILE);
43
44	struct _abac_id_credential_t {
45	char *hashkeyid;
46	abac_id_t *id;
47	char *pl_clause;
48
49	UT_hash_handle hh;
50	};
51	/* hash table base on sha with a p */
52	abac_id_credential_t *id_creds = NULL;
53	/* linked list of all the ids's hashkeyid */
54	abac_list_t *id_hashkeyid_list = NULL;
55
56	/* can store either role or oset */
57	struct _abac_credential_t {
58	char *hashkeyid;
59	abac_attribute_t *attr;
60	abac_list_t *pl_clauses;
61
62	UT_hash_handle hh;
63	};
64	/* hash table base on encoded attr rule */
65	abac_credential_t *attr_creds = NULL;
66	/* linked list of all the attr's hashkeyid */
67	abac_list_t *attr_hashkeyid_list = NULL;
68
69	/*****************************************************************************/
70	void abac_print_cred_info(abac_credential_t cred, FILE fp)
71	{
72	if(fp == NULL)
73	fp=stdout;
74
75	abac_attribute_t *ptr=cred->attr;
76	abac_aspect_t *head=abac_attribute_head(ptr);
77	abac_aspect_t *tail=abac_attribute_tail(ptr);
78
79	if(debug) {
80	fprintf(fp,"---> printing out credential info cred(%d)..\n", (int) cred);
81	if(head) {
82	abac_print_aspect_string_with_condition(head,fp);
83	}
84	if(tail) {
85	abac_print_aspect_string_with_condition(tail,fp);
86	}
87
88	abac_list_t *clauses=cred->pl_clauses;
89	if (clauses != NULL) {
90	char *cur=NULL;
91	abac_list_foreach(clauses, cur,
92	fprintf(fp,"\n a clause(%d):\n",(int)cur);
93	if(cur)
94	fprintf(fp,"strlen(%d)loc(%d)(%s)\n", strlen(cur),(int)cur, cur);
95	);
96	}
97	} else {
98	fprintf(fp," ");
99	abac_print_aspect_string_with_condition(head,fp);
100	fprintf(fp," <- ");
101	abac_print_aspect_string_with_condition(tail,fp);
102	fprintf(fp,"\n");
103	}
104	}
105
106	void abac_print_prin_info(abac_id_credential_t prin, FILE fp)
107	{
108	if(fp == NULL)
109	return;
110
111	abac_id_t *ptr=abac_id_credential_id(prin);
112
113	if(debug) fprintf(fp,"---> printing out principal info ..\n");
114	if(abac_id_has_privkey(ptr))
115	fprintf(fp," (%s,%s,y)\n",abac_id_name(ptr),abac_id_idtype_string(ptr));
116	else
117	fprintf(fp," (%s,%s,n)\n",abac_id_name(ptr),abac_id_idtype_string(ptr));
118	}
119
120	//
121	int abac_verify_idtype_type(char *type) {
122	int i;
123
124	if (type == NULL)
125	return 0;
126
127	for (i = 1; i <= _idtypename_cnt ; i++)
128	if(strcmp(type,_idtypename[i])==0)
129	return i;
130	return 0;
131	}
132
133	char *abac_idtype_string(int i)
134	{
135	if(i > _idtypename_cnt) {
136	printf("bad idtypename idx %d\n", i);
137	panic("abac_idtype_string: went out of range on idtypename");
138	}
139	return (char*) _idtypename[i];
140	}
141
142	// convert a chunk to a lowercase binary string
143	// malloc's the string
144	static char *_chunk_to_string(chunk_t chunk) {
145	int i;
146
147	char ret = abac_xmalloc(chunk.len 2 + 1);
148
149	for (i = 0; i < chunk.len; ++i)
150	sprintf(ret + 2 * i, "%02x", chunk.ptr[i]);
151
152	return ret;
153	}
154
155	// verify that cert was issued by issuer
156	// cert and issuer can be the same, in which case the self-sig is validated
157	static int _verify_signature(certificate_t issuer_cert, certificate_t cert) {
158	if (cert->issued_by(cert, issuer_cert))
159	if (cert->get_validity(cert, NULL, NULL, NULL))
160	return 1;
161	return 0;
162	}
163
164	/**
165	* Init the verifier subsystem.
166	*/
167	void abac_verifier_init(void) {
168	// silence all debugging
169
170	if (!library_init(NULL))
171	exit(SS_RC_LIBSTRONGSWAN_INTEGRITY);
172
173	if (!lib->plugins->load(lib->plugins, NULL,
174	lib->settings->get_str(lib->settings, "pki.load", PLUGINS)))
175	exit(SS_RC_INITIALIZATION_FAILED);
176
177	attr_hashkeyid_list = abac_list_new();
178	id_hashkeyid_list = abac_list_new();
179	}
180
181	/**
182	* Uninitialize the system, free up any allocated memory.
183	*/
184	void abac_verifier_deinit(void) {
185	if(debug)printf("abac_verifier_deinit... being called..\n");
186
187	abac_id_credential_t *ptr;
188	while ((ptr = id_creds) != NULL) {
189	if(debug) printf("abac_verifier_deinit: deleting id (%s)\n",abac_id_name(ptr->id));
190	HASH_DEL(id_creds, ptr);
191
192	free(ptr->hashkeyid);
193	free(ptr->pl_clause);
194	abac_id_free(ptr->id);
195	free(ptr);
196	}
197
198	abac_credential_t *ptr2;
199	while ((ptr2 = attr_creds) != NULL) {
200	HASH_DEL(attr_creds, ptr2);
201	if(debug) {
202	printf("abac_verifier_deinit: deleting attr hashkey(%s)\n",ptr2->hashkeyid);
203	}
204	free(ptr2->hashkeyid);
205	abac_attribute_free(ptr2->attr);
206	char *cur=NULL;
207	abac_list_foreach(ptr2->pl_clauses, cur,
208	free(cur);
209	);
210	free(ptr2->pl_clauses);
211	free(ptr2);
212	}
213
214	if(attr_hashkeyid_list) {
215	char *cur;
216	if(attr_hashkeyid_list) {
217	abac_list_foreach(attr_hashkeyid_list, cur,
218	if(cur) free(cur);
219	);
220	}
221	abac_list_free(attr_hashkeyid_list);
222	}
223
224	if(id_hashkeyid_list) {
225	if(debug) printf("looking to free id_hashkeyid_lst..\n");
226	char *cur;
227	if(id_hashkeyid_list) {
228	abac_list_foreach(id_hashkeyid_list, cur,
229	if(cur) {
230	if(debug) printf("hum.. id hashkey being freed.. %s\n", cur);
231	free(cur);
232	}
233	);
234	}
235	abac_list_free(id_hashkeyid_list);
236	}
237
238	library_deinit();
239	}
240
241	abac_id_credential_t abac_verifier_add_id_credential(abac_id_t a_id)
242	{
243	abac_id_credential_t *id_cred;
244	char *cn=abac_id_cn(a_id);
245	char *keyid=abac_id_keyid(a_id);
246
247	if(debug) {
248	printf("abac_verifier_add_id_credential, cn(%s),keyid(%s)\n",
249	cn, keyid);
250	}
251
252	// add the abac_id to the map of id credentials
253	id_cred = abac_xmalloc(sizeof(abac_id_credential_t));
254	id_cred->hashkeyid = abac_xstrdup(keyid);
255	id_cred->id=abac_id_dup(a_id);
256
257	/* special handling here */
258	if(USE("ABAC_CN")) {
259	id_cred->pl_clause = generate_pl_type_clause(cn, abac_id_idtype(a_id));
260	} else {
261	id_cred->pl_clause=generate_pl_type_clause(prologIt(keyid), abac_id_idtype(a_id));
262	}
263	HASH_ADD_KEYPTR(hh, id_creds, id_cred->hashkeyid, strlen(id_cred->hashkeyid), id_cred);
264	if(debug)
265	printf("-->adding into id_creds, (%s)..cnt(%d)\n",
266	id_cred->hashkeyid, HASH_COUNT(id_creds));
267
268	assert(id_hashkeyid_list);
269	abac_list_add(id_hashkeyid_list, abac_xstrdup(id_cred->hashkeyid));
270	return id_cred;
271	}
272
273	/**
274	* Load an ID
275	*/
276	static int _load_id(abac_id_t *a_id,certificate_t cert, abac_id_credential_t **id_cred_ret) {
277	abac_id_credential_t *id_cred = NULL;
278	char *keyid = NULL;
279	chunk_t id;
280	int ret;
281	x509_t x509 = (x509_t )cert;
282
283	assert(cert != NULL);
284
285	// get the key ID, add p to keyid SHA here */
286	id = x509->get_subjectKeyIdentifier(x509);
287	keyid = _chunk_to_string(id);
288
289	/* Mike said this is the way it is */
290	char *str;
291	int rv = asprintf(&str, "%Y", cert->get_issuer(cert));
292
293	/* add p to cn name here */
294	char cn=(char )abac_xmalloc(strlen(str)+2);
295	cn[0]='p';
296	int n=sscanf(str,"CN=%s", &(cn[1]));
297	if ( n!=1 ) {
298	ret = ABAC_CERT_BAD_CN;
299	goto error;
300	}
301
302	if(debug) {
303	printf ("DEBUG:keyid %s \n", keyid);
304	printf( "DEBUG:issuer '%s' \n", str);
305	printf ("DEBUG:cn %s \n", cn);
306	}
307	free(str);
308
309	// if we already have this cert 'error' with success
310	HASH_FIND_STR(id_creds, keyid, id_cred);
311	if (id_cred != NULL) {
312	if(debug) printf("existing cert \n");
313	ret = ABAC_CERT_EXISTS;
314	goto error;
315	}
316
317	// validate sig
318	ret = _verify_signature(cert, cert);
319	if (!ret) {
320	ret = ABAC_CERT_BAD_SIG;
321	goto error;
322	}
323
324	// success, add a new abac_id
325	if(*a_id==NULL) {
326	*a_id=abac_id_keyid_new(keyid,cn,cert);
327	}
328
329	abac_id_credential_t n_id_cred=abac_verifier_add_id_credential(a_id);
330	*id_cred_ret=n_id_cred;
331
332	return ABAC_CERT_SUCCESS;
333
334	error:
335	if (keyid != NULL) free(keyid);
336	if (cn != NULL) free(cn);
337
338	return ret;
339	}
340
341	/* collect all the creds stored so far */
342	abac_stack_t *abac_verifier_dump_creds()
343	{
344	abac_stack_t *cred_list = abac_stack_new();
345
346	int cnt=0;
347	if(attr_hashkeyid_list) {
348	char *keyid;
349	abac_credential_t *cred;
350	abac_list_foreach(attr_hashkeyid_list, keyid,
351	cred=abac_credential_lookup(keyid);
352	abac_stack_push(cred_list, cred);
353	cnt++;
354	);
355	}
356	if(debug) printf("abac_verifier_dump_cred: %d\n",cnt);
357	return cred_list;
358	}
359
360	/* collect all the id stored so far */
361	abac_stack_t *abac_verifier_dump_principals()
362	{
363	abac_stack_t *id_list = abac_stack_new();
364
365	int cnt=0;
366	if(id_hashkeyid_list) {
367	char *keyid;
368	abac_id_credential_t *id;
369	abac_list_foreach(id_hashkeyid_list, keyid,
370	id=abac_id_credential_lookup(keyid);
371	abac_stack_push(id_list, id);
372	cnt++;
373	);
374	}
375	if(debug) printf("abac_verifier_dump_principals: %d\n",cnt);
376	return id_list;
377	}
378
379
380	static void check_id_cred(abac_id_credential_t *id_cred)
381	{
382	if(id_cred) {
383	printf("checking on this id_cred location %d\n", (int)id_cred);
384	printf(" --> sha is (%s)\n", abac_id_keyid(id_cred->id));
385	printf(" --> cn is (%s)\n", abac_id_cn(id_cred->id));
386	}
387	}
388
389	/**
390	* Load an attribute cert as string.
391	* have minimum syntax & validity check
392	*/
393	static int _load_attribute_string(char* attr_string) {
394	printf("NOT implemented yet!!!");
395	return ABAC_CERT_INVALID;
396	}
397
398	/**
399	* Load an ID cert from a file.
400	*/
401	int abac_verifier_load_id_file_key_file(char filename, char keyfilename, abac_id_credential_t **id_cred_ret) {
402	abac_id_t *id=NULL;
403	if (lib == NULL)
404	errx(1, "looks like you didn't call libabac_init() (lib is NULL)");
405
406	if(debug) printf("loading id file... %s\n", filename);
407
408	// load the cert, with public key
409	certificate_t *cert = lib->creds->create(
410	lib->creds, CRED_CERTIFICATE, CERT_X509,
411	BUILD_FROM_FILE, filename,
412	BUILD_X509_FLAG, X509_AA, // attribute authority, dumb
413	BUILD_END
414	);
415
416	if (cert == NULL)
417	return ABAC_CERT_INVALID;
418
419	int rc=_load_id(&id,cert,id_cred_ret);
420	if(rc==ABAC_CERT_EXISTS) {
421	if(debug) printf("abac_verifier_load_id_files: id already exists\n");
422	return ABAC_CERT_SUCCESS;
423	}
424
425	/* try to load the private key if it is there */
426	if((rc==ABAC_CERT_SUCCESS) && keyfilename!=NULL && file_exist(keyfilename)) {
427	if(debug) printf("loading... %s\n", keyfilename);
428	int keyrc=abac_id_load_privkey_file(id, keyfilename);
429	if(debug) {
430	if(keyrc == 1) printf("..load_id_file: load(%s) with a private key\n",filename);
431	else printf("..load_id_file: load(%s) without a private key\n",filename);
432	}
433	}
434	return ABAC_CERT_SUCCESS;
435	}
436
437	/**
438	* Load an ID cert from a abac_id_t
439	*/
440	int abac_verifier_load_id_id(abac_id_t id, abac_id_credential_t *id_cred_ret) {
441	certificate_t *cert = abac_id_cert(id);
442	return _load_id(&id,cert,id_cred_ret);
443	}
444
445	/**
446	* Load an ID cert from a chunk.
447	*/
448	int abac_verifier_load_id_pem_chunk(chunk_t chunk, abac_id_credential_t **id_cred_ret) {
449	abac_id_t *id=NULL;
450	// load the cert
451	certificate_t *cert = lib->creds->create(
452	lib->creds, CRED_CERTIFICATE, CERT_X509,
453	BUILD_BLOB_PEM, chunk,
454	BUILD_X509_FLAG, X509_AA, // attribute authority, dumb
455	BUILD_END
456	);
457	if (cert == NULL)
458	return ABAC_CERT_INVALID;
459	return _load_id(&id, cert,id_cred_ret);
460	}
461	/**
462	* Load an ID cert from a chunk, Note, this only loads the id cert part
463	* and so it is not suitable for creating an attribute credential with.
464	* Only a complete id cert + privkey could create attribute credential.
465	*/
466	int abac_verifier_load_id_chunk(chunk_t chunk, abac_id_credential_t **id_cred_ret) {
467	abac_id_t *id=NULL;
468	// load the cert
469	certificate_t *cert = lib->creds->create(
470	lib->creds, CRED_CERTIFICATE, CERT_X509,
471	BUILD_BLOB_ASN1_DER, chunk,
472	BUILD_X509_FLAG, X509_AA, // attribute authority, dumb
473	BUILD_END
474	);
475	if (cert == NULL)
476	return ABAC_CERT_INVALID;
477	return _load_id(&id, cert,id_cred_ret);
478	}
479
480	/**
481	* Load an ID cert from a cert chunk and a privkey chunk,
482	* this complete id cert + privkey could create attribute credential.
483	*/
484	int abac_verifier_load_id_privkey_chunk(chunk_t chunk, chunk_t privkey_chunk,
485	abac_id_credential_t **id_cred_ret) {
486
487	abac_id_t *id=NULL;
488	// load the cert
489	certificate_t *cert = lib->creds->create(
490	lib->creds, CRED_CERTIFICATE, CERT_X509,
491	BUILD_BLOB_ASN1_DER, chunk,
492	BUILD_X509_FLAG, X509_AA, // attribute authority, dumb
493	BUILD_END
494	);
495	if (cert == NULL)
496	return ABAC_CERT_INVALID;
497
498	int rc=_load_id(&id, cert,id_cred_ret);
499	if(rc == ABAC_CERT_SUCCESS) {
500	rc=abac_id_load_privkey_chunk(id, privkey_chunk);
501	}
502
503	return rc;
504	}
505
506
507	abac_id_t abac_verifier_load_issuer(char filename, char *keyfilename)
508	{
509	abac_id_credential_t *id_cred=NULL;
510	int ret=abac_verifier_load_id_file_key_file(filename,keyfilename,&id_cred);
511	if(ret !=ABAC_CERT_SUCCESS)
512	return NULL;
513	abac_id_t *issuer=abac_id_credential_id(id_cred);
514	return issuer;
515	}
516
517
518	static int matchex(const char subject, const char pattern, int so, int eo)
519	{
520	int rc; // Returned code
521	regmatch_t pmatch;
522
523	regex_t re; // Compiled regexp pattern
524
525	if (regcomp(&re, pattern, 0) != 0) return 0;
526
527	rc = regexec(&re, subject, 1 , &pmatch, 0);
528	regfree(&re);
529
530	if (rc == REG_NOMATCH ) return 0;
531
532	*so=pmatch.rm_so;
533	*eo=pmatch.rm_eo;
534
535	return 1;
536	}
537
538
539
540	static chunk_t _extract_chunk(char data, char startline, char* endline)
541	{
542	int found=0;
543	int startos=0;
544	int endos=0;
545	regex_t re;
546	regmatch_t pm;
547	int rc;
548
549	int st;
550	int et;
551
552	rc=matchex(data, startline, &st, &et);
553	if(rc==0) return chunk_empty;
554	startos=st;
555
556	rc=matchex(data, endline, &st, &et);
557	if(rc==0) return chunk_empty;
558	endos=et;
559
560	int len=endos - startos;
561
562	if(debug) printf("making a chunk of size (%d) from %d and %d\n",len, startos,endos);
563	char *ptr=strndup(data+startos,len);
564
565	chunk_t ret = { ptr, len };
566	return ret;
567	}
568
569
570	int abac_verifier_load_idkey_file(char filename, abac_id_credential_t *id_cred_ret)
571	{
572	struct stat sb;
573	int fd;
574	int rc;
575
576	fd = open(filename, O_RDONLY);
577	if (fd == -1) { return 1; }
578	if(stat(filename, &sb) == -1) {
579	close(fd);
580	return 1;
581	}
582	char* data = (char *)mmap(NULL, sb.st_size, PROT_READ, MAP_PRIVATE, fd, 0);
583	if(data == MAP_FAILED) {
584	close(fd);
585	return 1;
586	}
587	close(fd);
588
589	chunk_t key_pem_chunk=_extract_chunk(data,
590	"-----BEGIN RSA PRIVATE KEY-----","-----END RSA PRIVATE KEY-----");
591	chunk_t cert_pem_chunk=_extract_chunk(data,
592	"-----BEGIN CERTIFICATE-----","-----END CERTIFICATE-----");
593
594	/* key=0, cert=0 */
595	if(key_pem_chunk.len==0 && cert_pem_chunk.len==0) {
596	if(debug) printf("abac_verifier_load_idkey_file: no key or id in idkey_file\n");
597	goto error;
598	}
599
600	/* key=0, cert=1 */
601	if(key_pem_chunk.len==0) {
602	if(debug) printf("abac_verifier_load_idkey_file: no key in idkey_file\n");
603	munmap(data, sb.st_size);
604	chunk_free(&key_pem_chunk);
605	return abac_verifier_load_id_file_key_file(filename,NULL,id_cred_ret);
606	}
607
608	/* key=1, cert=1 */
609	if(cert_pem_chunk.len!=0) {
610	if(debug) {
611	printf("loading cert pem chunk %d\n", cert_pem_chunk.len);
612	printf("(%s)\n",cert_pem_chunk.ptr);
613	}
614	rc=abac_verifier_load_id_pem_chunk(cert_pem_chunk, id_cred_ret);
615	if(rc != 0) {
616	if(debug) printf("abac_verifier_load_idkey_file: fail to load the id\n");
617	goto error;
618	}
619	/* key=1, cert=0 */
620	} else {
621	if(debug) printf("abac_verifier_load_idkey_file: there is no id info in there\n");
622	goto error;
623	}
624
625	/* handle the key_pem_chunk */
626	if(debug) {
627	printf("loading key pem chunk %d\n", key_pem_chunk.len);
628	printf("(%s)\n",key_pem_chunk.ptr);
629	}
630	abac_id_t id=abac_id_credential_id(id_cred_ret);
631	rc=abac_id_load_privkey_chunk(id, key_pem_chunk);
632	if(rc==0) {
633	printf("abac_verifier_load_idkey_file:failed to load priv key!!!\n");
634	goto error;
635	}
636
637	munmap(data, sb.st_size);
638	return 0;
639
640	error:
641	munmap(data, sb.st_size);
642	return 1;
643	}
644
645
646
647	void abac_print_clauses(abac_list_t clauses, FILE fp)
648	{
649	if (clauses != NULL) {
650	char *cur;
651	printf("total-- %d clauses\n", abac_list_size(clauses));
652	abac_list_foreach(clauses, cur,
653	if(cur) {
654	if(fp)
655	fprintf (fp,"a clause, %d(%s)\n", (int)cur,cur);
656	else printf ("a clause, %d(%s)\n", (int)cur,cur);
657	}
658	);
659	}
660	}
661
662	abac_id_credential_t abac_id_credential_dup(abac_id_credential_t ptr) {
663	assert(ptr != NULL);
664	abac_id_dup(ptr->id);
665	return ptr;
666	}
667
668	abac_id_t abac_id_credential_id(abac_id_credential_t ptr)
669	{
670	assert(ptr);
671	return ptr->id;
672	}
673
674
675	abac_id_credential_t abac_id_credential_lookup(char pname)
676	{
677	abac_id_credential_t *id_cred=NULL;
678	HASH_FIND_STR(id_creds, pname, id_cred);
679	if(id_cred != NULL)
680	return abac_id_credential_dup(id_cred);
681	else return NULL;
682	}
683
684	void abac_id_credential_free(abac_id_credential_t *ptr)
685	{
686	if (ptr == NULL)
687	return;
688
689	if(debug)
690	printf("abac_id_credential_free:freeing (%s)\n", abac_id_name(ptr->id));
691
692	// this is very hacky...
693	int last=abac_id_lastone(ptr->id);
694	if(!last) {
695	if(debug) printf("abac_id_credential_free:not last one\n");
696	abac_id_free(ptr->id);
697	} else {
698	if(debug) printf("abac_id_credential_free: deleting id (%s)\n",abac_id_name(ptr->id));
699	free(ptr->hashkeyid);
700	if(ptr->pl_clause)
701	free(ptr->pl_clause);
702	abac_id_free(ptr->id);
703	HASH_DEL(id_creds, ptr);
704	free(ptr);
705	}
706	}
707
708	/****************************************************************************/
709
710	static int _verify_valid_credential_string(certificate_t *cert,
711	abac_credential_t *cred_ret, char encoded_attr_string)
712	{
713	abac_aspect_t *head_aspect = NULL;
714	abac_aspect_t *tail_aspect = NULL;
715	abac_list_t *clauses=NULL;
716	abac_id_credential_t *id_cred;
717	abac_id_t *issuer_id;
718	int ret, i;
719
720	// get the attr
721	head_aspect = abac_yy_get_rule_head_aspect();
722	tail_aspect = abac_yy_get_rule_tail_aspect();
723	clauses = abac_yy_get_rule_clauses();
724
725	// get the issuer based on keyid
726	char *principalname = abac_aspect_principal_principalname(head_aspect);
727	if(debug) printf("LOOKING for %s\n", principalname);
728
729	HASH_FIND_STR(id_creds, principalname, id_cred);
730	if(id_cred == NULL) {
731	ret = ABAC_CERT_MISSING_ISSUER;
732	if(debug)
733	printf("can not find %s in id_creds\n", principalname);
734	goto error;
735	}
736	issuer_id=id_cred->id;
737	if (issuer_id == NULL) {
738	ret = ABAC_CERT_MISSING_ISSUER;
739	if(debug)
740	printf("can not find %s in id_creds\n", principalname);
741	goto error;
742	}
743
744
745	// make sure the issuer's signed it
746	ret = _verify_signature(abac_id_cert(issuer_id), cert);
747	if (!ret) {
748	abac_yy_set_error_code(ABAC_RT_CERT_BAD_SIG);
749	ret=ABAC_CERT_BAD_SIG;
750	goto error;
751	}
752
753	// at this point we know we have a good attribute cert baked it in
754	abac_attribute_t *attr=abac_attribute_new(issuer_id, cert, cert->get_ref(cert));
755	abac_attribute_set_head(attr, head_aspect);
756	abac_attribute_add_tail(attr, tail_aspect);
757
758	abac_credential_t *cred = abac_xmalloc(sizeof(abac_credential_t));
759	cred->hashkeyid=abac_xstrdup(encoded_attr_string);
760	cred->attr=attr;
761	cred->pl_clauses = clauses;
762	*cred_ret = cred;
763
764	// success, add the key to the map of certificates
765	HASH_ADD_KEYPTR(hh, attr_creds, cred->hashkeyid, strlen(cred->hashkeyid), cred);
766
767	assert(attr_hashkeyid_list);
768	abac_list_add(attr_hashkeyid_list, abac_xstrdup(cred->hashkeyid));
769
770	if(debug)
771	printf("-->adding into attr_creds 2, (%s)..cnt(%d)\n",
772	cred->hashkeyid, HASH_COUNT(attr_creds));
773
774	return ABAC_CERT_SUCCESS;
775
776	error:
777	if (head_aspect) abac_aspect_free(head_aspect);
778	if (tail_aspect) abac_aspect_free(tail_aspect);
779	abac_yy_free_rule_clauses();
780
781	return ret;
782	}
783
784	/**
785	* Load an attribute cert.
786	* Returns true only if the certificate is valid and is issued by the proper
787	* authority.
788	* attribute string is parsed via yyparse call
789	*/
790	static int _load_attribute_cert(certificate_t cert, abac_credential_t *cred_ret) {
791	ietf_attributes_t *attr_cert = NULL;
792	abac_id_credential_t *issuer;
793	int ret, i;
794
795	// get the attr
796	ac_t ac = (ac_t )cert;
797	attr_cert = ac->get_groups(ac);
798	if (attr_cert == NULL) {
799	ret = ABAC_CERT_INVALID;
800	goto error;
801	}
802
803	char *encoded_attr_string=attr_cert->get_string(attr_cert);
804	char *attr_string = abac_decode_string(encoded_attr_string);
805	if(debug)
806	printf("string to be yyparse..(%d)(%s)\n",strlen(attr_string),attr_string);
807
808	if (attr_string == NULL) {
809	ret = ABAC_CERT_INVALID;
810	goto error;
811	}
812
813	/* call into yacc parser */
814	abac_reset_yyfptr(attr_string);
815	abac_yy_init();
816	int rc=yyparse();
817	if (rc) {
818	ret = ABAC_CERT_INVALID;
819	goto error;
820	}
821
822	ret=_verify_valid_credential_string(cert,cred_ret,encoded_attr_string);
823
824	if(ret != ABAC_CERT_SUCCESS) {
825	panic("_load_attribute_cert: fail to process (%s)",encoded_attr_string);
826	}
827
828	// free up some crap
829	attr_cert->destroy(attr_cert);
830
831	return ret;
832
833	error:
834	if (cert) cert->destroy(cert);
835	if (attr_cert) attr_cert->destroy(attr_cert);
836	return ret;
837	}
838
839	/**
840	* Load an attribute cert from a abac_attribute_t.
841	* attr should be all checked out before arriving here
842	*/
843	int abac_verifier_load_attribute_cert_attribute(abac_attribute_t ptr, abac_credential_t *cred_ret) {
844	// get the attr
845	abac_aspect_t *head=abac_attribute_head(ptr);
846	abac_aspect_t *tail=abac_attribute_tail(ptr);
847
848	// preprocess for constraint part
849	preprocess_pl_head(head);
850	preprocess_pl_tail(tail);
851
852	/* setup the encoded attribute string */
853	char *encoded_attr_string=get_cred_encoding(ptr);
854	generate_pl_set_abac_yyfptr_encoded(encoded_attr_string);
855	/* collect up type clauses, constraint clauses and
856	generate rule clauses */
857	abac_list_t *clauses=generate_pl_clauses(head,tail);
858
859	abac_print_clauses(clauses,NULL);
860
861	abac_credential_t *cred = abac_xmalloc(sizeof(abac_credential_t));
862	cred->hashkeyid=abac_xstrdup(encoded_attr_string);
863	cred->attr=abac_attribute_dup(ptr);
864	cred->pl_clauses = clauses;
865	*cred_ret = cred;
866
867	// success, add the key to the map of certificates
868	HASH_ADD_KEYPTR(hh, attr_creds, cred->hashkeyid, strlen(cred->hashkeyid), cred);
869
870	assert(attr_hashkeyid_list);
871	abac_list_add(attr_hashkeyid_list, abac_xstrdup(cred->hashkeyid));
872
873	if(debug)
874	printf("-->adding into attr_creds, (%s)..cnt(%d)\n",
875	cred->hashkeyid, HASH_COUNT(attr_creds));
876	return ABAC_CERT_SUCCESS;
877	}
878
879	/**
880	* Load an attribute cert from a file.
881	*/
882	int abac_verifier_load_attribute_cert_file(char filename, abac_credential_t *cred) {
883	// load the cert
884	if(debug) printf("..loading attr file %s\n", filename);
885	certificate_t *cert = lib->creds->create(
886	lib->creds, CRED_CERTIFICATE, CERT_X509_AC,
887	BUILD_FROM_FILE, filename,
888	BUILD_END
889	);
890	if (cert == NULL)
891	return ABAC_CERT_INVALID;
892	return _load_attribute_cert(cert, cred);
893	}
894
895	/**
896	* Load an attribute cert from a chunk.
897	*/
898	int abac_verifier_load_attribute_cert_chunk(chunk_t chunk, abac_credential_t **cred) {
899	// load the cert
900	certificate_t *cert = lib->creds->create(
901	lib->creds, CRED_CERTIFICATE, CERT_X509_AC,
902	BUILD_BLOB_ASN1_DER, chunk,
903	BUILD_END
904	);
905	if (cert == NULL)
906	return ABAC_CERT_INVALID;
907
908	return _load_attribute_cert(cert, cred);
909	}
910
911	/**
912	* Return the encoding of the attribute cert.
913	*/
914	abac_chunk_t abac_credential_attribute_cert(abac_credential_t *cred) {
915	abac_attribute_t *ptr=cred->attr;
916	certificate_t *cert=abac_attribute_cert(ptr);
917	chunk_t encoding = chunk_empty;
918	int rc=cert->get_encoding(cert,CERT_ASN1_DER,&encoding);
919	abac_chunk_t ret = { encoding.ptr, encoding.len };
920	return ret;
921	}
922
923	/**
924	* Return the encoding of the issuer cert.
925	*/
926	abac_chunk_t abac_credential_issuer_cert(abac_credential_t *cred) {
927	certificate_t *issuer_cert=abac_attribute_issuer_cert(cred->attr);
928	assert(issuer_cert);
929	chunk_t encoding = chunk_empty;
930	// XXX MEI, not sure ??
931	int rc=issuer_cert->get_encoding(issuer_cert,CERT_ASN1_DER,&encoding);
932	abac_chunk_t ret = { encoding.ptr, encoding.len };
933	return ret;
934	}
935
936	/**
937	* Return the clause of the cert
938	*/
939	abac_list_t abac_credential_clauses(abac_credential_t cred) {
940	return cred->pl_clauses;
941	}
942
943	abac_attribute_t abac_credential_attribute(abac_credential_t cred) {
944	assert(cred);
945	return cred->attr;
946	}
947
948	/**
949	* Increase the ref count of a credential.
950	*/
951	abac_credential_t abac_credential_dup(abac_credential_t cred) {
952	assert(cred != NULL);
953
954	abac_attribute_dup(cred->attr);
955	return cred;
956	}
957
958	/**
959	* lookup for a credential.
960	*/
961	abac_credential_t abac_credential_lookup(char cred_string)
962	{
963	if(debug)
964	printf("abac_credential_lookup: looking for (%s)\n", cred_string);
965	abac_credential_t *attr_cred;
966
967	HASH_FIND_STR(attr_creds, cred_string, attr_cred);
968	if (attr_cred == NULL) {
969	if(debug) printf("DEBUG:NOT FOUND..\n");
970	return NULL;
971	}
972	abac_credential_t *rt=abac_credential_dup(attr_cred);
973	if(debug) printf("DEBUG:FOUND.. (%d) returning, (%d)\n", (int)attr_cred, (int) rt);
974	return rt;
975	}
976
977	/**
978	* Decrease the reference count of a credential, freeing it when it reaches 0.
979	*/
980	void abac_credential_free(abac_credential_t *cred)
981	{
982	if(debug)
983	printf("abac_credential_free:freeing cred(%d)clause(%d)\n", (int)cred, (int)cred->pl_clauses);
984
985	if (cred == NULL)
986	return;
987
988	// this is very hacky...
989	int last=abac_attribute_lastone(cred->attr);
990	if(!last) {
991	abac_attribute_free(cred->attr);
992	} else {
993	free(cred->hashkeyid);
994	char *cur=NULL;
995	abac_list_foreach(cred->pl_clauses, cur,
996	free(cur);
997	);
998	abac_attribute_free(cred->attr);
999	HASH_DEL(attr_creds, cred);
1000	free(cred);
1001	}
1002	}
1003
1004	char abac_id_clause(abac_id_credential_t id_cred)
1005	{
1006	if(id_cred)
1007	return id_cred->pl_clause;
1008	return NULL;
1009	}
1010
1011	/* retrieve the cn that is associated with this sha_string */
1012	char abac_cn_with_sha(char sha_string)
1013	{
1014	// get the issuer based on keyid
1015	abac_id_credential_t *id_cred;
1016	HASH_FIND_STR(id_creds, sha_string, id_cred);
1017	if (id_cred == NULL) {
1018	return NULL;
1019	}
1020	if(debug)
1021	check_id_cred(id_cred);
1022	return abac_id_cn(id_cred->id);
1023	}
1024
1025	char abac_idtype_with_sha(char sha_string)
1026	{
1027	// get the issuer based on keyid
1028	abac_id_credential_t *id_cred;
1029	HASH_FIND_STR(id_creds, sha_string, id_cred);
1030	if (id_cred == NULL) {
1031	return NULL;
1032	}
1033	int idtype=abac_id_idtype(id_cred->id);
1034
1035	return abac_idtype_string(idtype);
1036	}
1037
1038	abac_aspect_t abac_credential_head(abac_credential_t cred) {
1039	return abac_attribute_head(cred->attr);
1040	}
1041
1042	abac_aspect_t abac_credential_tail(abac_credential_t cred) {
1043	return abac_attribute_tail(cred->attr);
1044	}
1045
1046

Note: See TracBrowser for help on using the repository browser.

Download in other formats: