Context Navigation

source: libabac/abac_verifier.c @ a334115

mei_rt2mei_rt2_fix_1

Last change on this file since a334115 was 97a6a36, checked in by Mei <mei@…>, 12 years ago
1) added java to libabac using swig 2) added java examples (setup/prover) into regression test suites (note. still have that libstrongswan/src/threading/threads.c/thread_deinit() problem when using using libabac with java)
Property mode set to `100644`
File size: 34.9 KB

Line
1	/**
2	** abac_verifier.c
3	**/
4
5	// include the GNU extension of asprintf
6	#define _GNU_SOURCE
7
8	#include <stdio.h>
9	#include <regex.h>
10	#include <sys/mman.h>
11	#include <fcntl.h>
12	#include <sys/types.h>
13	#include <sys/stat.h>
14	#include <unistd.h>
15
16
17	#include <assert.h>
18	#include <stdio.h>
19
20	#include <library.h>
21
22	#include "abac_internal.h"
23	#include "abac_verifier.h"
24
25	#include "abac_util.h"
26	#include "abac_rt.h"
27
28	static int debug=0;
29
30	/* from abac_attribute.c */
31	extern char get_cred_encoding(abac_attribute_t ptr);
32
33	extern abac_aspect_t *abac_yy_get_rule_head_aspect();
34	extern abac_aspect_t *abac_yy_get_rule_tail_aspect();
35	extern abac_list_t *abac_yy_get_rule_clauses();
36	extern char* abac_decode_string(char *);
37	extern void abac_yy_free_rule_clauses();
38	extern char generate_pl_type_clause(char , int);
39	extern abac_list_t generate_pl_clauses(abac_aspect_t , abac_aspect_t *);
40	extern void generate_pl_set_abac_yyfptr_encoded(char *string);
41
42	extern void abac_print_aspect_string_with_condition(abac_aspect_t role, FILE);
43
44	extern int abac_id_load_privkey_chunk(abac_id_t *ptr, chunk_t keychunk);
45
46	struct _abac_id_credential_t {
47	char *hashkeyid;
48	abac_id_t *id;
49	char *pl_clause;
50
51	UT_hash_handle hh;
52	};
53	/* hash table base on sha with a p */
54	abac_id_credential_t *id_creds = NULL;
55	/* linked list of all the ids's hashkeyid */
56	abac_list_t *id_hashkeyid_list = NULL;
57
58	/* can store either role or oset */
59	struct _abac_credential_t {
60	char *hashkeyid;
61	abac_attribute_t *attr;
62	abac_list_t *pl_clauses;
63
64	UT_hash_handle hh;
65	};
66	/* hash table base on encoded attr rule */
67	abac_credential_t *attr_creds = NULL;
68	/* linked list of all the attr's hashkeyid */
69	abac_list_t *attr_hashkeyid_list = NULL;
70
71	/*****************************************************************************/
72	void abac_print_cred_info(abac_credential_t cred, FILE fp)
73	{
74	if(fp == NULL)
75	fp=stdout;
76
77	abac_attribute_t *ptr=cred->attr;
78	abac_aspect_t *head=abac_attribute_head(ptr);
79	abac_aspect_t *tail=abac_attribute_tail(ptr);
80
81	if(debug) {
82	fprintf(fp,"---> printing out credential info cred(%d)..\n", (int) cred);
83	if(head) {
84	abac_print_aspect_string_with_condition(head,fp);
85	}
86	if(tail) {
87	abac_print_aspect_string_with_condition(tail,fp);
88	}
89
90	abac_list_t *clauses=cred->pl_clauses;
91	if (clauses != NULL) {
92	char *cur=NULL;
93	abac_list_foreach(clauses, cur,
94	fprintf(fp,"\n a clause(%d):\n",(int)cur);
95	if(cur)
96	fprintf(fp,"strlen(%d)loc(%d)(%s)\n", strlen(cur),(int)cur, cur);
97	);
98	}
99	} else {
100	fprintf(fp," ");
101	abac_print_aspect_string_with_condition(head,fp);
102	fprintf(fp," <- ");
103	abac_print_aspect_string_with_condition(tail,fp);
104	fprintf(fp,"\n");
105	}
106	}
107
108	void abac_print_prin_info(abac_id_credential_t prin, FILE fp)
109	{
110	if(fp == NULL)
111	return;
112
113	abac_id_t *ptr=abac_id_credential_id(prin);
114
115	if(debug) fprintf(fp,"---> printing out principal info ..\n");
116	if(abac_id_has_privkey(ptr))
117	fprintf(fp," (%s,%s,y)\n",abac_id_name(ptr),abac_id_idtype_string(ptr));
118	else
119	fprintf(fp," (%s,%s,n)\n",abac_id_name(ptr),abac_id_idtype_string(ptr));
120	}
121
122	//
123	int abac_verify_idtype_type(char *type) {
124	int i;
125
126	if (type == NULL)
127	return 0;
128
129	for (i = 1; i <= _idtypename_cnt ; i++)
130	if(strcmp(type,_idtypename[i])==0)
131	return i;
132	return 0;
133	}
134
135	char *abac_idtype_string(int i)
136	{
137	if(i > _idtypename_cnt) {
138	printf("bad idtypename idx %d\n", i);
139	panic("abac_idtype_string: went out of range on idtypename");
140	}
141	return (char*) _idtypename[i];
142	}
143
144	// convert a chunk to a lowercase binary string
145	// malloc's the string
146	static char *_chunk_to_string(chunk_t chunk) {
147	int i;
148
149	char ret = abac_xmalloc(chunk.len 2 + 1);
150
151	for (i = 0; i < chunk.len; ++i)
152	sprintf(ret + 2 * i, "%02x", chunk.ptr[i]);
153
154	return ret;
155	}
156
157	// verify that cert was issued by issuer
158	// cert and issuer can be the same, in which case the self-sig is validated
159	int verify_signature(certificate_t issuer_cert, certificate_t cert) {
160	if (cert->issued_by(cert, issuer_cert))
161	if (cert->get_validity(cert, NULL, NULL, NULL))
162	return 1;
163	return 0;
164	}
165
166	// verify that cert is still valid
167	static int _verify_validity(certificate_t *cert) {
168	if (cert->get_validity(cert, NULL, NULL, NULL))
169	return 1;
170	return 0;
171	}
172
173	/**
174	* Init the verifier subsystem.
175	*/
176	void abac_verifier_init(void) {
177	// silence all debugging
178
179	if (!library_init(NULL))
180	exit(SS_RC_LIBSTRONGSWAN_INTEGRITY);
181
182	if (!lib->plugins->load(lib->plugins, NULL,
183	lib->settings->get_str(lib->settings, "pki.load", PLUGINS)))
184	exit(SS_RC_INITIALIZATION_FAILED);
185
186	attr_hashkeyid_list = abac_list_new();
187	id_hashkeyid_list = abac_list_new();
188	}
189
190	/**
191	* Uninitialize the system, free up any allocated memory.
192	*/
193	void abac_verifier_deinit(void) {
194	if(debug)fprintf(stderr, "abac_verifier_deinit... being called..\n");
195
196	abac_id_credential_t *ptr;
197	while ((ptr = id_creds) != NULL) {
198	if(debug) fprintf(stderr, "abac_verifier_deinit: deleting id (%s)\n",abac_id_name(ptr->id));
199	HASH_DEL(id_creds, ptr);
200
201	free(ptr->hashkeyid);
202	free(ptr->pl_clause);
203	abac_id_free(ptr->id);
204	free(ptr);
205	}
206
207	abac_credential_t *ptr2;
208	while ((ptr2 = attr_creds) != NULL) {
209	HASH_DEL(attr_creds, ptr2);
210	if(debug) {
211	fprintf(stderr, "abac_verifier_deinit: deleting attr hashkey(%s)\n",ptr2->hashkeyid);
212	}
213	free(ptr2->hashkeyid);
214	abac_attribute_free(ptr2->attr);
215	char *cur=NULL;
216	abac_list_foreach(ptr2->pl_clauses, cur,
217	free(cur);
218	);
219	free(ptr2->pl_clauses);
220	free(ptr2);
221	}
222
223	if(attr_hashkeyid_list) {
224	if(debug) fprintf(stderr, "looking to free attr_hashkeyid_list..\n");
225	char *cur;
226	abac_list_foreach(attr_hashkeyid_list, cur,
227	if(cur) free(cur);
228	);
229	abac_list_free(attr_hashkeyid_list);
230	}
231
232	if(id_hashkeyid_list) {
233	if(debug) fprintf(stderr, "looking to free id_hashkeyid_list..\n");
234	char *cur;
235	abac_list_foreach(id_hashkeyid_list, cur,
236	if(cur) {
237	if(debug) fprintf(stderr, "hum.. id hashkey being freed.. %s\n", cur);
238	free(cur);
239	}
240	);
241	abac_list_free(id_hashkeyid_list);
242	}
243
244	if(debug) fprintf(stderr, "now it is time to deinit strongswan lib..\n");
245	library_deinit();
246	}
247
248	abac_id_credential_t abac_verifier_add_id_credential(abac_id_t a_id)
249	{
250	abac_id_credential_t *id_cred;
251	char *cn=abac_id_cn(a_id);
252	char *keyid=abac_id_keyid(a_id);
253
254	if(debug) {
255	fprintf(stderr, "abac_verifier_add_id_credential, cn(%s),keyid(%s)\n",
256	cn, keyid);
257	}
258
259	// add the abac_id to the map of id credentials
260	id_cred = abac_xmalloc(sizeof(abac_id_credential_t));
261	id_cred->hashkeyid = abac_xstrdup(keyid);
262	id_cred->id=abac_id_dup(a_id);
263
264	/* special handling here */
265	if(USE("ABAC_CN")) {
266	id_cred->pl_clause = generate_pl_type_clause(cn, abac_id_idtype(a_id));
267	} else {
268	id_cred->pl_clause=generate_pl_type_clause(prologIt(keyid), abac_id_idtype(a_id));
269	}
270	HASH_ADD_KEYPTR(hh, id_creds, id_cred->hashkeyid, strlen(id_cred->hashkeyid), id_cred);
271	if(debug)
272	fprintf(stderr, "-->adding into id_creds, (%s)..cnt(%d)(%d)\n",
273	id_cred->hashkeyid, HASH_COUNT(id_creds),(int)id_cred);
274
275	assert(id_hashkeyid_list);
276	abac_list_add(id_hashkeyid_list, abac_xstrdup(id_cred->hashkeyid));
277	return id_cred;
278	}
279
280	/* have to find the last cn
281	CN=test/emailAddress=abac.isi.edu, CN=12345678
282	CN=client
283	..CN=255a03f3-ed30/emailAddress=..
284	*/
285	static char* _extract_cn(char *string)
286	{
287	/* find the first CN= */
288	char *ptr=strstr(string,"CN=");
289	if(ptr == NULL) return NULL;
290
291	/* look for last CN= */
292	while(1) {
293	char *tptr=ptr+3;
294	char *p=strstr(tptr,"CN=");
295	if(p) ptr=p;
296	else break;
297	}
298
299	/* remove the possible additional stuff */
300	char cn=abac_xstrdup(ptr); / it would get write over */
301	char *nptr=strtok(cn,"/");
302	char pcn=abac_xmalloc(sizeof(char) strlen(nptr));
303	pcn[0]='p';
304	/* special case.. replace empty space with _ */
305	int i=strlen(nptr);
306	while(i--)
307	if(nptr[i]==' ') nptr[i]='_';
308	sscanf(nptr,"CN=%s", &pcn[1]);
309	free(cn);
310	return pcn;
311	}
312
313	/**
314	* Load an ID
315	*/
316	static int _load_id(abac_id_t *a_id,certificate_t cert, abac_id_credential_t **id_cred_ret) {
317	abac_id_credential_t *id_cred = NULL;
318	char *keyid = NULL;
319	chunk_t id;
320	int ret;
321	x509_t x509 = (x509_t )cert;
322
323	assert(cert != NULL);
324
325	// get the key ID, add p to keyid SHA here */
326	id = x509->get_subjectKeyIdentifier(x509);
327	keyid = _chunk_to_string(id);
328
329	/* Mike said this is the way it is */
330	char *str=NULL;
331	int rv = asprintf(&str, "%Y", cert->get_issuer(cert));
332
333	/* add p to cn name here, if there is no useable one
334	reuse keyid */
335	char *cn=_extract_cn(str);
336	if(cn == NULL) {
337	if(debug)
338	fprintf(stderr, "DEBUG:did not find usable cn, reuse keyid\n");
339	cn=abac_xstrdup(keyid);
340	}
341
342	if(debug) {
343	fprintf(stderr, "DEBUG:keyid %s \n", keyid);
344	fprintf(stderr, "DEBUG:issuer '%s' \n", str);
345	fprintf(stderr, "DEBUG:cn %s \n", cn);
346	}
347	free(str);
348
349	// if we already have this cert 'error' with success
350	HASH_FIND_STR(id_creds, keyid, id_cred);
351	if (id_cred != NULL) {
352	if(debug) fprintf(stderr, "existing cert \n");
353	ret = ABAC_CERT_EXISTS;
354	goto error;
355	}
356
357	// validate validity
358	ret = _verify_validity(cert);
359	if (!ret) {
360	ret = ABAC_CERT_INVALID;
361	goto error;
362	}
363
364	// validate sig
365	ret = verify_signature(cert, cert);
366	if (!ret) {
367	/* well.. this is not a self signed cert, don't fault it anymore */
368	if(debug) fprintf(stderr, "This is not a self-signed cert \n");
369	} else {
370	if(debug) fprintf(stderr, "This is a self-signed cert \n");
371	}
372
373	// success, add a new abac_id
374	if(*a_id==NULL) {
375	*a_id=abac_id_keyid_new(keyid,cn,cert);
376	}
377
378	abac_id_credential_t n_id_cred=abac_verifier_add_id_credential(a_id);
379	*id_cred_ret=n_id_cred;
380
381	if (keyid != NULL) free(keyid);
382	if (cn != NULL) free(cn);
383
384	return ABAC_CERT_SUCCESS;
385
386	error:
387	if (keyid != NULL) free(keyid);
388	if (cn != NULL) free(cn);
389
390	return ret;
391	}
392
393	/* collect all the creds stored so far */
394	abac_stack_t *abac_verifier_dump_creds()
395	{
396	abac_stack_t *cred_list = abac_stack_new();
397
398	int cnt=0;
399	if(attr_hashkeyid_list) {
400	char *keyid;
401	abac_credential_t *cred;
402	abac_list_foreach(attr_hashkeyid_list, keyid,
403	cred=abac_credential_lookup(keyid);
404	abac_stack_push(cred_list, cred);
405	cnt++;
406	);
407	}
408	if(debug) fprintf(stderr, "abac_verifier_dump_cred: %d\n",cnt);
409	return cred_list;
410	}
411
412	/* collect all the id stored so far */
413	abac_stack_t *abac_verifier_dump_principals()
414	{
415	abac_stack_t *id_list = abac_stack_new();
416
417	int cnt=0;
418	if(id_hashkeyid_list) {
419	char *keyid;
420	abac_id_credential_t *id;
421	abac_list_foreach(id_hashkeyid_list, keyid,
422	id=abac_id_credential_lookup(keyid);
423	abac_stack_push(id_list, id);
424	cnt++;
425	);
426	}
427	if(debug) fprintf(stderr, "abac_verifier_dump_principals: %d\n",cnt);
428	return id_list;
429	}
430
431
432	static void check_id_cred(abac_id_credential_t *id_cred)
433	{
434	if(id_cred) {
435	printf("checking on this id_cred location %d\n", (int)id_cred);
436	printf(" --> sha is (%s)\n", abac_id_keyid(id_cred->id));
437	printf(" --> cn is (%s)\n", abac_id_cn(id_cred->id));
438	}
439	}
440
441	/**
442	* Load an attribute cert as string.
443	* have minimum syntax & validity check
444	*/
445	static int _load_attribute_string(char* attr_string) {
446	printf("NOT implemented yet!!!");
447	return ABAC_CERT_INVALID;
448	}
449
450	/**
451	* Load an ID cert from a file.
452	*/
453	int abac_verifier_load_id_file_key_file(char filename, char keyfilename,
454	abac_id_credential_t **id_cred_ret)
455	{
456	abac_id_t *id=NULL;
457	if (lib == NULL)
458	errx(1, "looks like you didn't call libabac_init() (lib is NULL)");
459
460	if(debug) fprintf(stderr, "loading id file... %s\n", filename);
461
462	// load the cert, with public key
463	certificate_t *cert = lib->creds->create(
464	lib->creds, CRED_CERTIFICATE, CERT_X509,
465	BUILD_FROM_FILE, filename,
466	BUILD_X509_FLAG, X509_AA, // attribute authority, dumb
467	BUILD_END
468	);
469
470	if (cert == NULL)
471	return ABAC_CERT_INVALID;
472
473	int rc=_load_id(&id,cert,id_cred_ret);
474	if(rc==ABAC_CERT_EXISTS) {
475	if(debug) fprintf(stderr, "abac_verifier_load_id_files: id already exists\n");
476	return ABAC_CERT_SUCCESS;
477	}
478
479	/* try to load the private key if it is there */
480	if((rc==ABAC_CERT_SUCCESS) && keyfilename!=NULL && file_exist(keyfilename)) {
481	if(debug) fprintf(stderr, "loading... %s\n", keyfilename);
482	int keyrc=abac_id_load_privkey_file(id, keyfilename);
483	if(debug) {
484	if(keyrc == 1) fprintf(stderr, "..load_id_file: load(%s) with a private key\n",filename);
485	else printf("..load_id_file: load(%s) without a private key\n",filename);
486	}
487	}
488	return ABAC_CERT_SUCCESS;
489	}
490
491	int abac_verifier_load_enc_id_file_key_file(char filename, char keyfilename,
492	char pfile, abac_id_credential_t *id_cred_ret)
493	{
494	abac_id_t *id=NULL;
495	if (lib == NULL)
496	errx(1, "looks like you didn't call libabac_init() (lib is NULL)");
497
498	if(debug) fprintf(stderr, "loading id file... %s\n", filename);
499
500	// load the cert, with public key
501	certificate_t *cert = lib->creds->create(
502	lib->creds, CRED_CERTIFICATE, CERT_X509,
503	BUILD_FROM_FILE, filename,
504	BUILD_X509_FLAG, X509_AA, // attribute authority, dumb
505	BUILD_END
506	);
507
508	if (cert == NULL)
509	return ABAC_CERT_INVALID;
510
511	int rc=_load_id(&id,cert,id_cred_ret);
512	if(rc==ABAC_CERT_EXISTS) {
513	if(debug) fprintf(stderr, "abac_verifier_load_id_files: id already exists\n");
514	return ABAC_CERT_SUCCESS;
515	}
516
517	/* try to load the private key if it is there */
518	if((rc==ABAC_CERT_SUCCESS) && keyfilename!=NULL && file_exist(keyfilename)) {
519	if(debug) fprintf(stderr, "loading... %s\n", keyfilename);
520	int keyrc=abac_id_load_enc_privkey_file(id, keyfilename, pfile);
521	if(debug) {
522	if(keyrc == 1) fprintf(stderr, "..load_id_file: load(%s) with a private key\n",filename);
523	else printf("..load_id_file: load(%s) without a private key\n",filename);
524	}
525	}
526	return ABAC_CERT_SUCCESS;
527	}
528
529	/**
530	* Load an ID cert from a abac_id_t
531	*/
532	int abac_verifier_load_id_id(abac_id_t id, abac_id_credential_t *id_cred_ret) {
533	certificate_t *cert = abac_id_cert(id);
534	return _load_id(&id,cert,id_cred_ret);
535	}
536
537	/**
538	* Load an ID cert from a chunk.
539	*/
540	int abac_verifier_load_id_pem_chunk(chunk_t chunk, abac_id_credential_t **id_cred_ret) {
541	abac_id_t *id=NULL;
542	// load the cert
543	certificate_t *cert = lib->creds->create(
544	lib->creds, CRED_CERTIFICATE, CERT_X509,
545	BUILD_BLOB_PEM, chunk,
546	BUILD_X509_FLAG, X509_AA, // attribute authority, dumb
547	BUILD_END
548	);
549	if (cert == NULL)
550	return ABAC_CERT_INVALID;
551	return _load_id(&id, cert,id_cred_ret);
552	}
553	/**
554	* Load an ID cert from a chunk, Note, this only loads the id cert part
555	* and so it is not suitable for creating an attribute credential with.
556	* Only a complete id cert + privkey could create attribute credential.
557	*/
558	int abac_verifier_load_id_chunk(chunk_t chunk, abac_id_credential_t **id_cred_ret) {
559	abac_id_t *id=NULL;
560	// load the cert
561	certificate_t *cert = lib->creds->create(
562	lib->creds, CRED_CERTIFICATE, CERT_X509,
563	BUILD_BLOB_ASN1_DER, chunk,
564	BUILD_X509_FLAG, X509_AA, // attribute authority, dumb
565	BUILD_END
566	);
567	if (cert == NULL)
568	return ABAC_CERT_INVALID;
569	return _load_id(&id, cert,id_cred_ret);
570	}
571
572	/**
573	* Load an ID cert from a cert chunk and a privkey chunk,
574	* this complete id cert + privkey could create attribute credential.
575	*/
576	int abac_verifier_load_id_privkey_chunk(chunk_t chunk, chunk_t privkey_chunk,
577	abac_id_credential_t **id_cred_ret) {
578
579	abac_id_t *id=NULL;
580	// load the cert
581	certificate_t *cert = lib->creds->create(
582	lib->creds, CRED_CERTIFICATE, CERT_X509,
583	BUILD_BLOB_ASN1_DER, chunk,
584	BUILD_X509_FLAG, X509_AA, // attribute authority, dumb
585	BUILD_END
586	);
587	if (cert == NULL)
588	return ABAC_CERT_INVALID;
589
590	int rc=_load_id(&id, cert,id_cred_ret);
591	if(rc == ABAC_CERT_SUCCESS) {
592	rc=abac_id_load_privkey_chunk(id, privkey_chunk);
593	}
594
595	return rc;
596	}
597
598	int abac_verifier_load_id_enc_privkey_chunk(chunk_t chunk, chunk_t privkey_chunk,
599	char* pfile, abac_id_credential_t **id_cred_ret) {
600
601	abac_id_t *id=NULL;
602	// load the cert
603	certificate_t *cert = lib->creds->create(
604	lib->creds, CRED_CERTIFICATE, CERT_X509,
605	BUILD_BLOB_ASN1_DER, chunk,
606	BUILD_X509_FLAG, X509_AA, // attribute authority, dumb
607	BUILD_END
608	);
609	if (cert == NULL)
610	return ABAC_CERT_INVALID;
611
612	int rc=_load_id(&id, cert,id_cred_ret);
613	if(rc == ABAC_CERT_SUCCESS) {
614	rc=abac_id_load_enc_privkey_chunk(id, privkey_chunk, pfile);
615	}
616
617	return rc;
618	}
619
620
621
622	abac_id_t abac_verifier_load_issuer(char filename, char *keyfilename)
623	{
624	abac_id_credential_t *id_cred=NULL;
625	int ret=abac_verifier_load_id_file_key_file(filename,keyfilename,&id_cred);
626	if(ret !=ABAC_CERT_SUCCESS)
627	return NULL;
628	abac_id_t *issuer=abac_id_credential_id(id_cred);
629	return issuer;
630	}
631
632
633	static int matchex(const char subject, const char pattern, int so, int eo)
634	{
635	int rc; // Returned code
636	regmatch_t pmatch;
637
638	regex_t re; // Compiled regexp pattern
639
640	if (regcomp(&re, pattern, 0) != 0) return 0;
641
642	rc = regexec(&re, subject, 1 , &pmatch, 0);
643	regfree(&re);
644
645	if (rc == REG_NOMATCH ) return 0;
646
647	*so=pmatch.rm_so;
648	*eo=pmatch.rm_eo;
649
650	return 1;
651	}
652
653
654
655	static chunk_t _extract_chunk(char data, char startline, char* endline)
656	{
657	int found=0;
658	int startos=0;
659	int endos=0;
660	regex_t re;
661	regmatch_t pm;
662	int rc;
663
664	int st;
665	int et;
666
667	rc=matchex(data, startline, &st, &et);
668	if(rc==0) return chunk_empty;
669	startos=st;
670
671	rc=matchex(data, endline, &st, &et);
672	if(rc==0) return chunk_empty;
673	endos=et;
674
675	int len=endos - startos;
676
677	if(debug) fprintf(stderr, "making a chunk of size (%d) from %d and %d\n",len, startos,endos);
678	char *ptr=strndup(data+startos,len);
679
680	chunk_t ret = { ptr, len };
681	return ret;
682	}
683
684
685	int abac_verifier_load_idkey_file(char filename, abac_id_credential_t *id_cred_ret)
686	{
687	struct stat sb;
688	int fd;
689	int rc;
690
691	fd = open(filename, O_RDONLY);
692	if (fd == -1) { return 1; }
693	if(stat(filename, &sb) == -1) {
694	close(fd);
695	return 1;
696	}
697	char* data = (char *)mmap(NULL, sb.st_size, PROT_READ, MAP_PRIVATE, fd, 0);
698	if(data == MAP_FAILED) {
699	close(fd);
700	return 1;
701	}
702	close(fd);
703
704	chunk_t key_pem_chunk=_extract_chunk(data,
705	"-----BEGIN RSA PRIVATE KEY-----","-----END RSA PRIVATE KEY-----");
706	chunk_t cert_pem_chunk=_extract_chunk(data,
707	"-----BEGIN CERTIFICATE-----","-----END CERTIFICATE-----");
708
709	/* key=0, cert=0 */
710	if(key_pem_chunk.len==0 && cert_pem_chunk.len==0) {
711	if(debug) fprintf(stderr, "abac_verifier_load_idkey_file: no key or id in idkey_file\n");
712	goto error;
713	}
714
715	/* key=0, cert=1 */
716	if(key_pem_chunk.len==0) {
717	if(debug) fprintf(stderr, "abac_verifier_load_idkey_file: no key in idkey_file\n");
718	munmap(data, sb.st_size);
719	chunk_free(&key_pem_chunk);
720	return abac_verifier_load_id_file_key_file(filename,NULL,id_cred_ret);
721	}
722
723	/* key=1, cert=1 */
724	if(cert_pem_chunk.len!=0) {
725	if(debug) {
726	fprintf(stderr, "loading cert pem chunk %d\n", cert_pem_chunk.len);
727	printf("(%s)\n",cert_pem_chunk.ptr);
728	}
729	rc=abac_verifier_load_id_pem_chunk(cert_pem_chunk, id_cred_ret);
730	if(rc != 0) {
731	if(debug) fprintf(stderr, "abac_verifier_load_idkey_file: fail to load the id\n");
732	goto error;
733	}
734	/* key=1, cert=0 */
735	} else {
736	if(debug) fprintf(stderr, "abac_verifier_load_idkey_file: there is no id info in there\n");
737	goto error;
738	}
739
740	/* handle the key_pem_chunk */
741	if(debug) {
742	fprintf(stderr, "loading key pem chunk %d\n", key_pem_chunk.len);
743	printf("(%s)\n",key_pem_chunk.ptr);
744	}
745	abac_id_t id=abac_id_credential_id(id_cred_ret);
746	rc=abac_id_load_privkey_chunk(id, key_pem_chunk);
747	if(rc==0) {
748	printf("abac_verifier_load_idkey_file:failed to load priv key!!!\n");
749	goto error;
750	}
751
752	munmap(data, sb.st_size);
753	return 0;
754
755	error:
756	munmap(data, sb.st_size);
757	return 1;
758	}
759
760
761	int abac_verifier_load_enc_idkey_file(char filename, char pfile,
762	abac_id_credential_t **id_cred_ret)
763	{
764	struct stat sb;
765	int fd;
766	int rc;
767
768	fd = open(filename, O_RDONLY);
769	if (fd == -1) { return 1; }
770	if(stat(filename, &sb) == -1) {
771	close(fd);
772	return 1;
773	}
774	char* data = (char *)mmap(NULL, sb.st_size, PROT_READ, MAP_PRIVATE, fd, 0);
775	if(data == MAP_FAILED) {
776	close(fd);
777	return 1;
778	}
779	close(fd);
780
781	chunk_t key_pem_chunk=_extract_chunk(data,
782	"-----BEGIN RSA PRIVATE KEY-----","-----END RSA PRIVATE KEY-----");
783	chunk_t cert_pem_chunk=_extract_chunk(data,
784	"-----BEGIN CERTIFICATE-----","-----END CERTIFICATE-----");
785
786	/* key=0, cert=0 */
787	if(key_pem_chunk.len==0 && cert_pem_chunk.len==0) {
788	if(debug) fprintf(stderr, "abac_verifier_load_idkey_file: no key or id in idkey_file\n");
789	goto error;
790	}
791
792	/* key=0, cert=1 */
793	if(key_pem_chunk.len==0) {
794	if(debug) fprintf(stderr, "abac_verifier_load_idkey_file: no key in idkey_file\n");
795	munmap(data, sb.st_size);
796	chunk_free(&key_pem_chunk);
797	return abac_verifier_load_id_file_key_file(filename,NULL,id_cred_ret);
798	}
799
800	/* key=1, cert=1 */
801	if(cert_pem_chunk.len!=0) {
802	if(debug) {
803	fprintf(stderr, "loading cert pem chunk %d\n", cert_pem_chunk.len);
804	printf("(%s)\n",cert_pem_chunk.ptr);
805	}
806	rc=abac_verifier_load_id_pem_chunk(cert_pem_chunk, id_cred_ret);
807	if(rc != 0) {
808	if(debug) fprintf(stderr, "abac_verifier_load_idkey_file: fail to load the id\n");
809	goto error;
810	}
811	/* key=1, cert=0 */
812	} else {
813	if(debug) fprintf(stderr, "abac_verifier_load_idkey_file: there is no id info in there\n");
814	goto error;
815	}
816
817	/* handle the key_pem_chunk */
818	if(debug) {
819	fprintf(stderr, "loading key pem chunk %d\n", key_pem_chunk.len);
820	printf("(%s)\n",key_pem_chunk.ptr);
821	printf("(%d)\n",strlen(key_pem_chunk.ptr));
822	}
823	abac_id_t id=abac_id_credential_id(id_cred_ret);
824	rc=abac_id_load_enc_privkey_chunk(id, key_pem_chunk, pfile);
825	if(rc==0) {
826	printf("abac_verifier_load_idkey_file:failed to load priv key!!!\n");
827	goto error;
828	}
829
830	munmap(data, sb.st_size);
831	return 0;
832
833	error:
834	munmap(data, sb.st_size);
835	return 1;
836	}
837
838	void abac_print_clauses(abac_list_t clauses, FILE fp)
839	{
840	if (clauses != NULL) {
841	char *cur;
842	printf("total-- %d clauses\n", abac_list_size(clauses));
843	abac_list_foreach(clauses, cur,
844	if(cur) {
845	if(fp)
846	fprintf (fp,"a clause, %d(%s)\n", (int)cur,cur);
847	else printf ("a clause, %d(%s)\n", (int)cur,cur);
848	}
849	);
850	}
851	}
852
853	abac_id_credential_t abac_id_credential_dup(abac_id_credential_t ptr) {
854	assert(ptr != NULL);
855	if(debug)
856	fprintf(stderr, "calling abac_id_credential_dup, increment id ref count\n");
857	abac_id_dup(ptr->id);
858	return ptr;
859	}
860
861	abac_id_t abac_id_credential_id(abac_id_credential_t ptr)
862	{
863	assert(ptr);
864	return ptr->id;
865	}
866
867
868	abac_id_credential_t abac_id_credential_lookup(char pname)
869	{
870	abac_id_credential_t *id_cred=NULL;
871	HASH_FIND_STR(id_creds, pname, id_cred);
872	if(id_cred != NULL)
873	return abac_id_credential_dup(id_cred);
874	else return NULL;
875	}
876
877	void abac_id_credential_free(abac_id_credential_t *ptr)
878	{
879	if (ptr == NULL)
880	return;
881
882	if(debug)
883	fprintf(stderr, "abac_id_credential_free:freeing (%s)\n", abac_id_name(ptr->id));
884
885	// this is very hacky...
886	int last=abac_id_lastone(ptr->id);
887	if(!last) {
888	if(debug) fprintf(stderr, "abac_id_credential_free:not last one\n");
889	abac_id_free(ptr->id);
890	} else {
891	if(debug) fprintf(stderr, "abac_id_credential_free: deleting id (%s)\n",abac_id_name(ptr->id));
892	free(ptr->hashkeyid);
893	if(ptr->pl_clause)
894	free(ptr->pl_clause);
895	abac_id_free(ptr->id);
896	HASH_DEL(id_creds, ptr);
897	free(ptr);
898	}
899	}
900
901	/****************************************************************************/
902
903	static int _verify_valid_credential_string(certificate_t *cert,
904	abac_credential_t *cred_ret, char encoded_attr_string)
905	{
906	abac_aspect_t *head_aspect = NULL;
907	abac_aspect_t *tail_aspect = NULL;
908	abac_list_t *clauses=NULL;
909	abac_id_credential_t *id_cred;
910	abac_id_t *issuer_id;
911	int ret, i;
912
913	// get the attr
914	head_aspect = abac_yy_get_rule_head_aspect();
915	tail_aspect = abac_yy_get_rule_tail_aspect();
916	clauses = abac_yy_get_rule_clauses();
917
918	// get the issuer based on keyid
919	char *principalname = abac_aspect_principal_principalname(head_aspect);
920	if(debug) fprintf(stderr, "LOOKING for %s\n", principalname);
921
922	HASH_FIND_STR(id_creds, principalname, id_cred);
923	if(id_cred == NULL) {
924	ret = ABAC_CERT_MISSING_ISSUER;
925	if(debug)
926	fprintf(stderr, "can not find %s in id_creds\n", principalname);
927	goto error;
928	}
929	issuer_id=id_cred->id;
930	if (issuer_id == NULL) {
931	ret = ABAC_CERT_MISSING_ISSUER;
932	if(debug)
933	fprintf(stderr, "can not find %s in id_creds\n", principalname);
934	goto error;
935	}
936
937	// make sure the issuer's signed it
938	ret = verify_signature(abac_id_cert(issuer_id), cert);
939	if (!ret) {
940	abac_yy_set_error_code(ABAC_RT_CERT_BAD_SIG);
941	ret=ABAC_CERT_BAD_SIG;
942	goto error;
943	}
944
945	// at this point we know we have a good attribute cert baked it in
946	abac_attribute_t *attr=abac_attribute_new(issuer_id, cert, cert->get_ref(cert));
947	abac_attribute_set_head(attr, head_aspect);
948	abac_attribute_add_tail(attr, tail_aspect);
949
950	abac_credential_t *cred = abac_xmalloc(sizeof(abac_credential_t));
951	cred->hashkeyid=abac_xstrdup(encoded_attr_string);
952	cred->attr=attr;
953	cred->pl_clauses = clauses;
954	*cred_ret = cred;
955
956	// success, add the key to the map of certificates
957	HASH_ADD_KEYPTR(hh, attr_creds, cred->hashkeyid, strlen(cred->hashkeyid), cred);
958
959	assert(attr_hashkeyid_list);
960	abac_list_add(attr_hashkeyid_list, abac_xstrdup(cred->hashkeyid));
961
962	if(debug)
963	fprintf(stderr, "-->adding into attr_creds 2, (%s)..cnt(%d)\n",
964	cred->hashkeyid, HASH_COUNT(attr_creds));
965
966	return ABAC_CERT_SUCCESS;
967
968	error:
969	if (head_aspect) abac_aspect_free(head_aspect);
970	if (tail_aspect) abac_aspect_free(tail_aspect);
971	abac_yy_free_rule_clauses();
972
973	return ret;
974	}
975
976	/**
977	* Load an attribute cert.
978	* Returns true only if the certificate is valid and is issued by the proper
979	* authority.
980	* attribute string is parsed via yyparse call
981	*/
982	static int _load_attribute_cert(certificate_t cert, abac_credential_t *cred_ret) {
983	ietf_attributes_t *attr_cert = NULL;
984	int ret, i;
985
986	// get the attr
987	ac_t ac = (ac_t )cert;
988	attr_cert = ac->get_groups(ac);
989	if (attr_cert == NULL) {
990	ret = ABAC_CERT_INVALID;
991	goto error;
992	}
993
994	char *encoded_attr_string=attr_cert->get_string(attr_cert);
995	char *attr_string = abac_decode_string(encoded_attr_string);
996	if(debug)
997	fprintf(stderr, "string to be yyparse..(%d)(%s)\n",strlen(attr_string),attr_string);
998
999	if (attr_string == NULL) {
1000	ret = ABAC_CERT_INVALID;
1001	goto error;
1002	}
1003
1004	/* call into yacc parser */
1005	abac_reset_yyfptr(attr_string);
1006	abac_yy_init();
1007	int rc=yyparse();
1008	if (rc) {
1009	ret = ABAC_CERT_INVALID;
1010	goto error;
1011	}
1012
1013	ret=_verify_valid_credential_string(cert,cred_ret,encoded_attr_string);
1014
1015	if(ret != ABAC_CERT_SUCCESS) {
1016	char *tmp=NULL;
1017	asprintf(&tmp,"_load_attribute_cert: fail to verify credential (%s)",attr_string);
1018	panic(tmp);
1019	}
1020
1021	// free up some crap
1022	attr_cert->destroy(attr_cert);
1023
1024	return ret;
1025
1026	error:
1027	if (cert) cert->destroy(cert);
1028	if (attr_cert) attr_cert->destroy(attr_cert);
1029	return ret;
1030	}
1031
1032	/**
1033	* Load an attribute cert from a abac_attribute_t.
1034	* attr should be all checked out before arriving here
1035	*/
1036	int abac_verifier_load_attribute_cert_attribute(abac_attribute_t ptr, abac_credential_t *cred_ret) {
1037	// get the attr
1038	abac_aspect_t *head=abac_attribute_head(ptr);
1039	abac_aspect_t *tail=abac_attribute_tail(ptr);
1040
1041	// preprocess for constraint part
1042	preprocess_pl_head(head);
1043	preprocess_pl_tail(tail);
1044
1045	/* setup the encoded attribute string */
1046	char *encoded_attr_string=get_cred_encoding(ptr);
1047	generate_pl_set_abac_yyfptr_encoded(encoded_attr_string);
1048	/* collect up type clauses, constraint clauses and
1049	generate rule clauses */
1050	abac_list_t *clauses=generate_pl_clauses(head,tail);
1051
1052	if(debug) abac_print_clauses(clauses,NULL);
1053
1054	abac_credential_t *cred = abac_xmalloc(sizeof(abac_credential_t));
1055	cred->hashkeyid=abac_xstrdup(encoded_attr_string);
1056	cred->attr=abac_attribute_dup(ptr);
1057	cred->pl_clauses = clauses;
1058	*cred_ret = cred;
1059
1060	// success, add the key to the map of certificates
1061	HASH_ADD_KEYPTR(hh, attr_creds, cred->hashkeyid, strlen(cred->hashkeyid), cred);
1062
1063	assert(attr_hashkeyid_list);
1064	abac_list_add(attr_hashkeyid_list, abac_xstrdup(cred->hashkeyid));
1065
1066	if(debug)
1067	fprintf(stderr, "-->adding into attr_creds, (%s)..cnt(%d)\n",
1068	cred->hashkeyid, HASH_COUNT(attr_creds));
1069	return ABAC_CERT_SUCCESS;
1070	}
1071
1072	/**
1073	* Load an attribute cert from a file.
1074	*/
1075	int abac_verifier_load_attribute_cert_file(char filename, abac_credential_t *cred) {
1076	// load the cert
1077	if(debug) fprintf(stderr, "..loading attr file %s\n", filename);
1078	certificate_t *cert = lib->creds->create(
1079	lib->creds, CRED_CERTIFICATE, CERT_X509_AC,
1080	BUILD_FROM_FILE, filename,
1081	BUILD_END
1082	);
1083	if (cert == NULL)
1084	return ABAC_CERT_INVALID;
1085	return _load_attribute_cert(cert, cred);
1086	}
1087
1088	/**
1089	* Load an attribute cert from a chunk.
1090	*/
1091	int abac_verifier_load_attribute_cert_chunk(chunk_t chunk, abac_credential_t **cred) {
1092	// load the cert
1093	certificate_t *cert = lib->creds->create(
1094	lib->creds, CRED_CERTIFICATE, CERT_X509_AC,
1095	BUILD_BLOB_ASN1_DER, chunk,
1096	BUILD_END
1097	);
1098	if (cert == NULL)
1099	return ABAC_CERT_INVALID;
1100
1101	return _load_attribute_cert(cert, cred);
1102	}
1103
1104	/**
1105	* Return the encoding of the attribute cert.
1106	*/
1107	abac_chunk_t abac_credential_attribute_cert(abac_credential_t *cred) {
1108	abac_attribute_t *ptr=cred->attr;
1109	certificate_t *cert=abac_attribute_cert(ptr);
1110	chunk_t encoding = chunk_empty;
1111	int rc=cert->get_encoding(cert,CERT_ASN1_DER,&encoding);
1112	abac_chunk_t ret = { encoding.ptr, encoding.len };
1113	return ret;
1114	}
1115
1116	/**
1117	* Return the encoding of the issuer cert.
1118	*/
1119	abac_chunk_t abac_credential_issuer_cert(abac_credential_t *cred) {
1120	certificate_t *issuer_cert=abac_attribute_issuer_cert(cred->attr);
1121	assert(issuer_cert);
1122	chunk_t encoding = chunk_empty;
1123	// XXX MEI, not sure ??
1124	int rc=issuer_cert->get_encoding(issuer_cert,CERT_ASN1_DER,&encoding);
1125	abac_chunk_t ret = { encoding.ptr, encoding.len };
1126	return ret;
1127	}
1128
1129	/**
1130	* Return the clause of the cert
1131	*/
1132	abac_list_t abac_credential_clauses(abac_credential_t cred) {
1133	return cred->pl_clauses;
1134	}
1135
1136	abac_attribute_t abac_credential_attribute(abac_credential_t cred) {
1137	assert(cred);
1138	return cred->attr;
1139	}
1140
1141	/**
1142	* Increase the ref count of a credential.
1143	*/
1144	abac_credential_t abac_credential_dup(abac_credential_t cred) {
1145	assert(cred != NULL);
1146
1147	abac_attribute_dup(cred->attr);
1148	return cred;
1149	}
1150
1151	/**
1152	* lookup for a credential.
1153	*/
1154	abac_credential_t abac_credential_lookup(char cred_string)
1155	{
1156	if(debug)
1157	fprintf(stderr, "abac_credential_lookup: looking for (%s)\n", cred_string);
1158	abac_credential_t *attr_cred;
1159
1160	HASH_FIND_STR(attr_creds, cred_string, attr_cred);
1161	if (attr_cred == NULL) {
1162	if(debug) fprintf(stderr, "DEBUG:NOT FOUND..\n");
1163	return NULL;
1164	}
1165	abac_credential_t *rt=abac_credential_dup(attr_cred);
1166	if(debug) fprintf(stderr, "DEBUG:FOUND.. (%d) returning, (%d)\n", (int)attr_cred, (int) rt);
1167	return rt;
1168	}
1169
1170	/**
1171	* Decrease the reference count of a credential, freeing it when it reaches 0.
1172	*/
1173	void abac_credential_free(abac_credential_t *cred)
1174	{
1175	if(debug)
1176	fprintf(stderr, "abac_credential_free:freeing cred(%d)clause(%d)\n", (int)cred, (int)cred->pl_clauses);
1177
1178	if (cred == NULL)
1179	return;
1180
1181	// this is very hacky...
1182	int last=abac_attribute_lastone(cred->attr);
1183	if(!last) {
1184	abac_attribute_free(cred->attr);
1185	} else {
1186	if(debug) fprintf(stderr, "abac_credential_free: real free for (%d)\n",(int) cred);
1187	free(cred->hashkeyid);
1188	char *cur=NULL;
1189	abac_list_foreach(cred->pl_clauses, cur,
1190	free(cur);
1191	);
1192	abac_attribute_free(cred->attr);
1193	HASH_DEL(attr_creds, cred);
1194	free(cred);
1195	}
1196	}
1197
1198	char abac_id_clause(abac_id_credential_t id_cred)
1199	{
1200	if(id_cred)
1201	return id_cred->pl_clause;
1202	return NULL;
1203	}
1204
1205	/* retrieve the cn that is associated with this sha_string */
1206	char abac_cn_with_sha(char sha_string)
1207	{
1208	// get the issuer based on keyid
1209	abac_id_credential_t *id_cred;
1210	HASH_FIND_STR(id_creds, sha_string, id_cred);
1211	if (id_cred == NULL) {
1212	return NULL;
1213	}
1214	if(debug)
1215	check_id_cred(id_cred);
1216	return abac_id_cn(id_cred->id);
1217	}
1218
1219	char abac_idtype_with_sha(char sha_string)
1220	{
1221	// get the issuer based on keyid
1222	abac_id_credential_t *id_cred;
1223	HASH_FIND_STR(id_creds, sha_string, id_cred);
1224	if (id_cred == NULL) {
1225	// this id, sha string is not in the db...
1226	if(debug)
1227	fprintf(stderr,"abac_idtype_with_sha: this id is not in the id_creds list\n");
1228	return NULL;
1229	}
1230	int idtype=abac_id_idtype(id_cred->id);
1231
1232	return abac_idtype_string(idtype);
1233	}
1234
1235	abac_aspect_t abac_credential_head(abac_credential_t cred) {
1236	return abac_attribute_head(cred->attr);
1237	}
1238
1239	abac_aspect_t abac_credential_tail(abac_credential_t cred) {
1240	return abac_attribute_tail(cred->attr);
1241	}
1242
1243

Note: See TracBrowser for help on using the repository browser.

Download in other formats: