Context Navigation

source: libabac/abac_verifier.c @ ec550f7

abac0-leakabac0-meimei-idtvf-new-xml

Last change on this file since ec550f7 was ec550f7, checked in by Mei <mei@…>, 11 years ago

1) reworked how API doc is generated
2) tweak top level Makefile.am
3) loading issuer principal as side-effect of loading

an attribute credentials

4) add examples of GENI specific attribute credentials

and principal certificates into the regression testing

5) rename examples to tests

Property mode set to 100644

File size: 8.6 KB

Line
1
2	/* abac_verifier.c */
3	#include <assert.h>
4
5	#include "libabac_common.h"
6	#include "abac.h"
7	#include "abac_list.h"
8	#include "uthash.h"
9	#include "abac_util.h"
10
11	typedef struct _abac_id_cert_t {
12	char *keyid; // using cert's keyid
13	abac_id_t *cert;
14
15	UT_hash_handle hh;
16	} abac_id_cert_t;
17
18	struct _abac_credential_t {
19	abac_role_t *head;
20	abac_role_t *tail;
21	abac_id_t issuer; / Acme of Acme.customer <- Coyote */
22	abac_attribute_t *cert;
23
24	int refcount;
25	};
26
27	/* hash table of all the principal id credentials */
28	abac_id_cert_t *id_certs = NULL;
29
30	extern int abac_id_pass_privkey_from_id(abac_id_t to_id, abac_id_t from_id);
31	extern char make_pem_from_naked_pem(char naked_pem);
32
33	/***********************************************************************/
34	// convert a chunk to a lowercase binary string
35	// malloc's the string
36	/*** not used,
37	static char *_chunk_to_string(abac_chunk_t chunk) {
38	int i;
39
40	char ret = abac_xmalloc(chunk.len 2 + 1);
41
42	for (i = 0; i < chunk.len; ++i)
43	sprintf(ret + 2 * i, "%02x", chunk.ptr[i]);
44
45	return ret;
46	}
47	***/
48
49	// verify that cert was issued by issuer
50	// cert and issuer can be the same, in which case the self-sig is validated
51	/*** not used
52	static int _verify_cert(abac_id_t *cert) {
53
54	assert(cert);
55	if(!abac_id_still_valid(cert))
56	return 0;
57	return 1;
58	}
59	***/
60
61	/**
62	* Init the verifier subsystem.
63	*/
64	void abac_verifier_init(void) {
65	init_openssl();
66	init_xmlsec();
67	}
68
69	/**
70	* Uninitialize the system, free up any allocated memory.
71	*/
72	void abac_verifier_deinit(void) {
73	abac_id_cert_t *id;
74
75	while ((id = id_certs) != NULL) {
76	HASH_DEL(id_certs, id);
77
78	free(id->keyid);
79	abac_id_free(id->cert);
80	free(id);
81	}
82	deinit_xmlsec();
83	deinit_openssl();
84	}
85
86	/**
87	* Load an ID certificate.
88	*/
89	static int _load_id(abac_id_t *cert) {
90	abac_id_cert_t *id_cert = NULL;
91	char *keyid = NULL;
92	int ret;
93
94	assert(cert);
95
96	// get the key ID
97	keyid = abac_id_keyid(cert);
98
99	// if we already have this cert 'error' with success
100	HASH_FIND_STR(id_certs, keyid, id_cert);
101	if (id_cert != NULL) {
102	/* special case, if
103	existing id does not have private key and
104	incoming does, then need to bring that bit of
105	information in */
106	if(abac_id_has_privkey(cert) &&
107	!abac_id_has_privkey(id_cert->cert)) {
108	abac_id_pass_privkey_from_id(id_cert->cert, cert);
109	}
110	ret = ABAC_CERT_SUCCESS;
111	goto error;
112	}
113
114	ret = abac_id_still_valid(cert);
115	if (!ret) {
116	ret = ABAC_CERT_INVALID;
117	goto error;
118	}
119
120	// success, add the key to the map of certificates
121	id_cert = abac_xmalloc(sizeof(abac_id_cert_t));
122	id_cert->keyid = abac_xstrdup(keyid);
123	id_cert->cert = cert;
124	HASH_ADD_KEYPTR(hh, id_certs, id_cert->keyid, strlen(id_cert->keyid), id_cert);
125
126	return ABAC_CERT_SUCCESS;
127
128	error:
129	if (keyid != NULL) free(keyid);
130	return ret;
131	}
132
133	abac_id_t abac_verifier_lookup_id(char keyid)
134	{
135	abac_id_cert_t *id_cert;
136	HASH_FIND_STR(id_certs, keyid, id_cert);
137	if(id_cert == NULL) return NULL;
138	return id_cert->cert;
139	}
140
141	/**
142	* Load an ID cert from a file.
143	*/
144	int abac_verifier_load_id_file(char *filename) {
145	// load the cert
146	abac_id_t *cert = abac_id_from_file(filename);
147
148	if (cert == NULL)
149	return ABAC_CERT_INVALID;
150
151	return _load_id(cert);
152	}
153
154	/**
155	* Load an ID cert from a chunk.
156	*/
157	int abac_verifier_load_id_chunk(abac_chunk_t chunk) {
158
159	// load the cert
160	abac_id_t *cert= abac_id_from_chunk(chunk);
161
162	if (cert == NULL)
163	return ABAC_CERT_INVALID;
164	return _load_id(cert);
165	}
166
167	/**
168	* Load an ID cert from a char ptr of a X509 pem data
169	* this is called from parse_privilege(..)
170	*/
171	int abac_verifier_load_id_chars(char *naked_pem) {
172	/* make a well formed pem from this */
173	char *new_naked_pem=abac_xstrdup(naked_pem);
174	char *pem=make_pem_from_naked_pem(new_naked_pem);
175	int len=strlen(pem);
176	abac_chunk_t chunk = { pem, len };
177	free(new_naked_pem);
178	return abac_verifier_load_id_chunk(chunk);
179	}
180	/**
181	* Load an attribute cert.
182	* Returns true only if the certificate is valid and is issued by the proper
183	* authority.
184	*/
185	static int _load_attribute_cert(abac_attribute_t cert, abac_credential_t *cred_ret) {
186	abac_role_t *head_role = NULL;
187	abac_role_t *tail_role = NULL;
188	abac_id_cert_t *issuer=NULL;
189	int ret;
190
191	char *attr_string=abac_attribute_role_string(cert);
192
193	if(attr_string == NULL) {
194	ret = ABAC_CERT_INVALID;
195	goto error;
196	}
197
198	// split into head/tail parts
199	char *head_tail[2];
200	abac_split(attr_string, "<-", head_tail, &ret);
201	if (ret != 2) {
202	ret = ABAC_CERT_INVALID;
203	goto error;
204	}
205
206	// must be a role
207	head_role = abac_role_from_string(head_tail[0]);
208	if (head_role == NULL) goto error;
209	if (!abac_role_is_role(head_role)) {
210	ret = ABAC_CERT_INVALID;
211	goto error;
212	}
213
214	// make sure the tail's valid too
215	tail_role = abac_role_from_string(head_tail[1]);
216	if (tail_role == NULL) {
217	ret = ABAC_CERT_INVALID;
218	goto error;
219	}
220
221	char *principal = abac_role_principal(head_role);
222	HASH_FIND_STR(id_certs, principal, issuer);
223	if (issuer == NULL) {
224	ret = ABAC_CERT_MISSING_ISSUER;
225	goto error;
226	}
227
228	// check if issuer is still valid
229	if (!abac_id_still_valid(issuer->cert)) {
230	ret = ABAC_CERT_INVALID_ISSUER;
231	goto error;
232	}
233
234	// make sure principal match up with keyid
235	if(!abac_id_has_keyid(issuer->cert,principal)) {
236	ret = ABAC_CERT_BAD_PRINCIPAL;
237	goto error;
238	}
239
240	// at this point we know we have a good attribute cert
241	abac_credential_t *cred = abac_xmalloc(sizeof(abac_credential_t));
242	cred->head = head_role;
243	cred->tail = tail_role;
244	cred->cert = cert;
245	/* acme's cert */
246	cred->issuer = abac_id_dup(issuer->cert);
247	cred->refcount = 1;
248	*cred_ret = cred;
249
250	return ABAC_CERT_SUCCESS;
251
252	error:
253	if (head_role != NULL) abac_role_free(head_role);
254	if (tail_role != NULL) abac_role_free(tail_role);
255
256	return ret;
257	}
258
259	static int _load_attribute_certs(abac_list_t attr_list, abac_list_t cred_list) {
260
261	int sz=abac_list_size(attr_list);
262	abac_credential_t *cred_ret=NULL;
263	abac_attribute_t *attr;
264	if(sz) {
265	abac_list_foreach(attr_list, attr,
266	int ret=_load_attribute_cert(attr, &cred_ret);
267	if(ret==ABAC_CERT_SUCCESS) {
268	abac_list_add(cred_list, cred_ret);
269	}
270	);
271	}
272	return sz;
273	}
274
275	/**
276	* Load an attribute cert from a file.
277	*/
278	int abac_verifier_load_attribute_cert_file(char filename, abac_list_t cred_list) {
279
280	// load the cert
281	abac_list_t *attr_list = abac_attribute_certs_from_file(filename);
282
283	if (abac_list_size(attr_list) == 0)
284	return ABAC_CERT_INVALID;
285
286	int ret=_load_attribute_certs(attr_list, cred_list);
287
288	if(ret) return ABAC_CERT_SUCCESS;
289	return ABAC_CERT_INVALID;
290	}
291
292	/**
293	* Load an attribute cert from a chunk.
294	*/
295	int abac_verifier_load_attribute_cert_chunk(abac_chunk_t chunk, abac_list_t *cred_list) {
296
297	// load the cert
298	abac_list_t *attr_list = abac_attribute_certs_from_chunk(chunk);
299
300	if (abac_list_size(attr_list) == 0)
301	return ABAC_CERT_INVALID;
302
303	int ret=_load_attribute_certs(attr_list,cred_list);
304
305	if(ret) return ABAC_CERT_SUCCESS;
306	return ABAC_CERT_INVALID;
307	}
308
309	/**
310	* Return the head role.
311	*/
312	abac_role_t abac_credential_head(abac_credential_t cred) {
313	return cred->head;
314	}
315
316	/**
317	* Return the tail role.
318	*/
319	abac_role_t abac_credential_tail(abac_credential_t cred) {
320	return cred->tail;
321	}
322
323	/**
324	* Return the xml chunk of the attribute cert.
325	*/
326	abac_chunk_t abac_credential_attribute_cert(abac_credential_t *cred) {
327	assert(cred); assert(cred->cert);
328	return abac_attribute_cert(cred->cert);
329	}
330
331	/**
332	* Return the chunk of the issuer cert.
333	*/
334	abac_chunk_t abac_credential_issuer_cert(abac_credential_t *cred) {
335	assert(cred); assert(cred->issuer);
336	abac_chunk_t ret= abac_id_in_PEM(cred->issuer);
337	return ret;
338	}
339
340	/**
341	* Increase the ref count of a credential.
342	*/
343	abac_credential_t abac_credential_dup(abac_credential_t cred) {
344	assert(cred != NULL);
345
346	++cred->refcount;
347	return cred;
348	}
349
350	/**
351	* Decrease the reference count of a credential, freeing it when it reaches 0.
352	*/
353	void abac_credential_free(abac_credential_t *cred) {
354	if (cred == NULL)
355	return;
356
357	--cred->refcount;
358	if (cred->refcount > 0)
359	return;
360
361	abac_role_free(cred->head);
362	abac_role_free(cred->tail);
363	abac_attribute_free(cred->cert);
364	abac_id_free(cred->issuer);
365
366	free(cred);
367	}

Note: See TracBrowser for help on using the repository browser.

Context Navigation

source: libabac/abac_verifier.c @ ec550f7

Download in other formats: