Context Navigation

source: libabac/abac_verifier.c @ f2d67a5

mei_rt2mei_rt2_fix_1

Last change on this file since f2d67a5 was e3c7769, checked in by Mei <mei@…>, 12 years ago
1) wrap up java interface with swig/jni/abac linkup 2) java regression tests 3) update doc related to new java implmentation
Property mode set to `100644`
File size: 35.0 KB

Line
1	/**
2	** abac_verifier.c
3	**/
4
5	// include the GNU extension of asprintf
6	#define _GNU_SOURCE
7
8	#include <stdio.h>
9	#include <regex.h>
10	#include <sys/mman.h>
11	#include <fcntl.h>
12	#include <sys/types.h>
13	#include <sys/stat.h>
14	#include <unistd.h>
15
16
17	#include <assert.h>
18	#include <stdio.h>
19
20	#include <library.h>
21
22	#include "abac_internal.h"
23	#include "abac_verifier.h"
24
25	#include "abac_util.h"
26	#include "abac_rt.h"
27
28	static int debug=0;
29
30	/* from abac_attribute.c */
31	extern char get_cred_encoding(abac_attribute_t ptr);
32
33	extern abac_aspect_t *abac_yy_get_rule_head_aspect();
34	extern abac_aspect_t *abac_yy_get_rule_tail_aspect();
35	extern abac_list_t *abac_yy_get_rule_clauses();
36	extern char* abac_decode_string(char *);
37	extern void abac_yy_free_rule_clauses();
38	extern char generate_pl_type_clause(char , int);
39	extern abac_list_t generate_pl_clauses(abac_aspect_t , abac_aspect_t *);
40	extern void generate_pl_set_abac_yyfptr_encoded(char *string);
41
42	extern void abac_print_aspect_string_with_condition(abac_aspect_t role, FILE);
43
44	extern int abac_id_load_privkey_chunk(abac_id_t *ptr, chunk_t keychunk);
45
46	struct _abac_id_credential_t {
47	char *hashkeyid;
48	abac_id_t *id;
49	char *pl_clause;
50
51	UT_hash_handle hh;
52	};
53	/* hash table base on sha with a p */
54	abac_id_credential_t *id_creds = NULL;
55	/* linked list of all the ids's hashkeyid */
56	abac_list_t *id_hashkeyid_list = NULL;
57
58	/* can store either role or oset */
59	struct _abac_credential_t {
60	char *hashkeyid;
61	abac_attribute_t *attr;
62	abac_list_t *pl_clauses;
63
64	UT_hash_handle hh;
65	};
66	/* hash table base on encoded attr rule */
67	abac_credential_t *attr_creds = NULL;
68	/* linked list of all the attr's hashkeyid */
69	abac_list_t *attr_hashkeyid_list = NULL;
70
71	/*****************************************************************************/
72	void abac_print_cred_info(abac_credential_t cred, FILE fp)
73	{
74	if(fp == NULL)
75	fp=stdout;
76
77	abac_attribute_t *ptr=cred->attr;
78	abac_aspect_t *head=abac_attribute_head(ptr);
79	abac_aspect_t *tail=abac_attribute_tail(ptr);
80
81	if(debug) {
82	fprintf(fp,"---> printing out credential info cred(%d)..\n", (int) cred);
83	if(head) {
84	abac_print_aspect_string_with_condition(head,fp);
85	}
86	if(tail) {
87	abac_print_aspect_string_with_condition(tail,fp);
88	}
89
90	abac_list_t *clauses=cred->pl_clauses;
91	if (clauses != NULL) {
92	char *cur=NULL;
93	abac_list_foreach(clauses, cur,
94	fprintf(fp,"\n a clause(%d):\n",(int)cur);
95	if(cur)
96	fprintf(fp,"strlen(%d)loc(%d)(%s)\n", strlen(cur),(int)cur, cur);
97	);
98	}
99	} else {
100	fprintf(fp," ");
101	abac_print_aspect_string_with_condition(head,fp);
102	fprintf(fp," <- ");
103	abac_print_aspect_string_with_condition(tail,fp);
104	fprintf(fp,"\n");
105	}
106	}
107
108	void abac_print_prin_info(abac_id_credential_t prin, FILE fp)
109	{
110	if(fp == NULL)
111	return;
112
113	abac_id_t *ptr=abac_id_credential_id(prin);
114
115	if(debug) fprintf(fp,"---> printing out principal info ..\n");
116	if(abac_id_has_privkey(ptr))
117	fprintf(fp," (%s,%s,y)\n",abac_id_name(ptr),abac_id_idtype_string(ptr));
118	else
119	fprintf(fp," (%s,%s,n)\n",abac_id_name(ptr),abac_id_idtype_string(ptr));
120	}
121
122	//
123	int abac_verify_idtype_type(char *type) {
124	int i;
125
126	if (type == NULL)
127	return 0;
128
129	for (i = 1; i <= _idtypename_cnt ; i++)
130	if(strcmp(type,_idtypename[i])==0)
131	return i;
132	return 0;
133	}
134
135	char *abac_idtype_string(int i)
136	{
137	if(i > _idtypename_cnt) {
138	printf("bad idtypename idx %d\n", i);
139	panic("abac_idtype_string: went out of range on idtypename");
140	}
141	return (char*) _idtypename[i];
142	}
143
144	// convert a chunk to a lowercase binary string
145	// malloc's the string
146	static char *_chunk_to_string(chunk_t chunk) {
147	int i;
148
149	char ret = abac_xmalloc(chunk.len 2 + 1);
150
151	for (i = 0; i < chunk.len; ++i)
152	sprintf(ret + 2 * i, "%02x", chunk.ptr[i]);
153
154	return ret;
155	}
156
157	// verify that cert was issued by issuer
158	// cert and issuer can be the same, in which case the self-sig is validated
159	int verify_signature(certificate_t issuer_cert, certificate_t cert) {
160	/** XXX for 5.0.1
161	if (cert->issued_by(cert, issuer_cert, NULL))
162	*/
163	if (cert->issued_by(cert, issuer_cert))
164	if (cert->get_validity(cert, NULL, NULL, NULL))
165	return 1;
166	return 0;
167	}
168
169	// verify that cert is still valid
170	static int _verify_validity(certificate_t *cert) {
171	if (cert->get_validity(cert, NULL, NULL, NULL))
172	return 1;
173	return 0;
174	}
175
176	/**
177	* Init the verifier subsystem.
178	*/
179	void abac_verifier_init(void) {
180	// silence all debugging
181
182	if(debug)fprintf(stderr, "abac_verifier_init... init strongswan..\n");
183	if (!library_init(NULL))
184	exit(SS_RC_LIBSTRONGSWAN_INTEGRITY);
185
186	if (!lib->plugins->load(lib->plugins, NULL,
187	lib->settings->get_str(lib->settings, "pki.load", PLUGINS)))
188	exit(SS_RC_INITIALIZATION_FAILED);
189
190	attr_hashkeyid_list = abac_list_new();
191	id_hashkeyid_list = abac_list_new();
192	}
193
194	/**
195	* Uninitialize the system, free up any allocated memory.
196	*/
197	void abac_verifier_deinit(void) {
198	if(debug)fprintf(stderr, "abac_verifier_deinit... being called..\n");
199
200	abac_id_credential_t *ptr;
201	while ((ptr = id_creds) != NULL) {
202	if(debug) fprintf(stderr, "abac_verifier_deinit: deleting id (%s)\n",abac_id_name(ptr->id));
203	HASH_DEL(id_creds, ptr);
204
205	free(ptr->hashkeyid);
206	free(ptr->pl_clause);
207	abac_id_free(ptr->id);
208	free(ptr);
209	}
210
211	abac_credential_t *ptr2;
212	while ((ptr2 = attr_creds) != NULL) {
213	HASH_DEL(attr_creds, ptr2);
214	if(debug) {
215	fprintf(stderr, "abac_verifier_deinit: deleting attr hashkey(%s)\n",ptr2->hashkeyid);
216	}
217	free(ptr2->hashkeyid);
218	abac_attribute_free(ptr2->attr);
219	char *cur=NULL;
220	abac_list_foreach(ptr2->pl_clauses, cur,
221	free(cur);
222	);
223	free(ptr2->pl_clauses);
224	free(ptr2);
225	}
226
227	if(attr_hashkeyid_list) {
228	if(debug) fprintf(stderr, "looking to free attr_hashkeyid_list..\n");
229	char *cur;
230	abac_list_foreach(attr_hashkeyid_list, cur,
231	if(cur) free(cur);
232	);
233	abac_list_free(attr_hashkeyid_list);
234	}
235
236	if(id_hashkeyid_list) {
237	if(debug) fprintf(stderr, "looking to free id_hashkeyid_list..\n");
238	char *cur;
239	abac_list_foreach(id_hashkeyid_list, cur,
240	if(cur) {
241	if(debug) fprintf(stderr, "hum.. id hashkey being freed.. %s\n", cur);
242	free(cur);
243	}
244	);
245	abac_list_free(id_hashkeyid_list);
246	}
247
248	if(debug) fprintf(stderr, "now it is time to deinit strongswan lib..\n");
249	library_deinit();
250	}
251
252	abac_id_credential_t abac_verifier_add_id_credential(abac_id_t a_id)
253	{
254	abac_id_credential_t *id_cred;
255	char *cn=abac_id_cn(a_id);
256	char *keyid=abac_id_keyid(a_id);
257
258	if(debug) {
259	fprintf(stderr, "abac_verifier_add_id_credential, cn(%s),keyid(%s)\n",
260	cn, keyid);
261	}
262
263	// add the abac_id to the map of id credentials
264	id_cred = abac_xmalloc(sizeof(abac_id_credential_t));
265	id_cred->hashkeyid = abac_xstrdup(keyid);
266	id_cred->id=abac_id_dup(a_id);
267
268	/* special handling here */
269	if(USE("ABAC_CN")) {
270	id_cred->pl_clause = generate_pl_type_clause(cn, abac_id_idtype(a_id));
271	} else {
272	id_cred->pl_clause=generate_pl_type_clause(prologIt(keyid), abac_id_idtype(a_id));
273	}
274	HASH_ADD_KEYPTR(hh, id_creds, id_cred->hashkeyid, strlen(id_cred->hashkeyid), id_cred);
275	if(debug)
276	fprintf(stderr, "-->adding into id_creds, (%s)..cnt(%d)(%d)\n",
277	id_cred->hashkeyid, HASH_COUNT(id_creds),(int)id_cred);
278
279	assert(id_hashkeyid_list);
280	abac_list_add(id_hashkeyid_list, abac_xstrdup(id_cred->hashkeyid));
281	return id_cred;
282	}
283
284	/* have to find the last cn
285	CN=test/emailAddress=abac.isi.edu, CN=12345678
286	CN=client
287	..CN=255a03f3-ed30/emailAddress=..
288	*/
289	static char* _extract_cn(char *string)
290	{
291	/* find the first CN= */
292	char *ptr=strstr(string,"CN=");
293	if(ptr == NULL) return NULL;
294
295	/* look for last CN= */
296	while(1) {
297	char *tptr=ptr+3;
298	char *p=strstr(tptr,"CN=");
299	if(p) ptr=p;
300	else break;
301	}
302
303	/* remove the possible additional stuff */
304	char cn=abac_xstrdup(ptr); / it would get write over */
305	char *nptr=strtok(cn,"/");
306	char pcn=abac_xmalloc(sizeof(char) strlen(nptr));
307	pcn[0]='p';
308	/* special case.. replace empty space with _ */
309	int i=strlen(nptr);
310	while(i--)
311	if(nptr[i]==' ') nptr[i]='_';
312	sscanf(nptr,"CN=%s", &pcn[1]);
313	free(cn);
314	return pcn;
315	}
316
317	/**
318	* Load an ID
319	*/
320	static int _load_id(abac_id_t *a_id,certificate_t cert, abac_id_credential_t **id_cred_ret) {
321	abac_id_credential_t *id_cred = NULL;
322	char *keyid = NULL;
323	chunk_t id;
324	int ret;
325	x509_t x509 = (x509_t )cert;
326
327	assert(cert != NULL);
328
329	// get the key ID, add p to keyid SHA here */
330	id = x509->get_subjectKeyIdentifier(x509);
331	keyid = _chunk_to_string(id);
332
333	/* Mike said this is the way it is */
334	char *str=NULL;
335	int rv = asprintf(&str, "%Y", cert->get_issuer(cert));
336
337	/* add p to cn name here, if there is no useable one
338	reuse keyid */
339	char *cn=_extract_cn(str);
340	if(cn == NULL) {
341	if(debug)
342	fprintf(stderr, "DEBUG:did not find usable cn, reuse keyid\n");
343	cn=abac_xstrdup(keyid);
344	}
345
346	if(debug) {
347	fprintf(stderr, "DEBUG:keyid %s \n", keyid);
348	fprintf(stderr, "DEBUG:issuer '%s' \n", str);
349	fprintf(stderr, "DEBUG:cn %s \n", cn);
350	}
351	free(str);
352
353	// if we already have this cert 'error' with success
354	HASH_FIND_STR(id_creds, keyid, id_cred);
355	if (id_cred != NULL) {
356	if(debug) fprintf(stderr, "existing cert \n");
357	ret = ABAC_CERT_EXISTS;
358	goto error;
359	}
360
361	// validate validity
362	ret = _verify_validity(cert);
363	if (!ret) {
364	ret = ABAC_CERT_INVALID;
365	goto error;
366	}
367
368	// validate sig
369	ret = verify_signature(cert, cert);
370	if (!ret) {
371	/* well.. this is not a self signed cert, don't fault it anymore */
372	if(debug) fprintf(stderr, "This is not a self-signed cert \n");
373	} else {
374	if(debug) fprintf(stderr, "This is a self-signed cert \n");
375	}
376
377	// success, add a new abac_id
378	if(*a_id==NULL) {
379	*a_id=abac_id_keyid_new(keyid,cn,cert);
380	}
381
382	abac_id_credential_t n_id_cred=abac_verifier_add_id_credential(a_id);
383	*id_cred_ret=n_id_cred;
384
385	if (keyid != NULL) free(keyid);
386	if (cn != NULL) free(cn);
387
388	return ABAC_CERT_SUCCESS;
389
390	error:
391	if (keyid != NULL) free(keyid);
392	if (cn != NULL) free(cn);
393
394	return ret;
395	}
396
397	/* collect all the creds stored so far */
398	abac_stack_t *abac_verifier_dump_creds()
399	{
400	abac_stack_t *cred_list = abac_stack_new();
401
402	int cnt=0;
403	if(attr_hashkeyid_list) {
404	char *keyid;
405	abac_credential_t *cred;
406	abac_list_foreach(attr_hashkeyid_list, keyid,
407	cred=abac_credential_lookup(keyid);
408	abac_stack_push(cred_list, cred);
409	cnt++;
410	);
411	}
412	if(debug) fprintf(stderr, "abac_verifier_dump_cred: %d\n",cnt);
413	return cred_list;
414	}
415
416	/* collect all the id stored so far */
417	abac_stack_t *abac_verifier_dump_principals()
418	{
419	abac_stack_t *id_list = abac_stack_new();
420
421	int cnt=0;
422	if(id_hashkeyid_list) {
423	char *keyid;
424	abac_id_credential_t *id;
425	abac_list_foreach(id_hashkeyid_list, keyid,
426	id=abac_id_credential_lookup(keyid);
427	abac_stack_push(id_list, id);
428	cnt++;
429	);
430	}
431	if(debug) fprintf(stderr, "abac_verifier_dump_principals: %d\n",cnt);
432	return id_list;
433	}
434
435
436	static void check_id_cred(abac_id_credential_t *id_cred)
437	{
438	if(id_cred) {
439	printf("checking on this id_cred location %d\n", (int)id_cred);
440	printf(" --> sha is (%s)\n", abac_id_keyid(id_cred->id));
441	printf(" --> cn is (%s)\n", abac_id_cn(id_cred->id));
442	}
443	}
444
445	/**
446	* Load an attribute cert as string.
447	* have minimum syntax & validity check
448	*/
449	static int _load_attribute_string(char* attr_string) {
450	printf("NOT implemented yet!!!");
451	return ABAC_CERT_INVALID;
452	}
453
454	/**
455	* Load an ID cert from a file.
456	*/
457	int abac_verifier_load_id_file_key_file(char filename, char keyfilename,
458	abac_id_credential_t **id_cred_ret)
459	{
460	abac_id_t *id=NULL;
461	if (lib == NULL)
462	errx(1, "looks like you didn't call libabac_init() (lib is NULL)");
463
464	if(debug) fprintf(stderr, "loading id file... %s\n", filename);
465
466	// load the cert, with public key
467	certificate_t *cert = lib->creds->create(
468	lib->creds, CRED_CERTIFICATE, CERT_X509,
469	BUILD_FROM_FILE, filename,
470	BUILD_X509_FLAG, X509_AA, // attribute authority, dumb
471	BUILD_END
472	);
473
474	if (cert == NULL)
475	return ABAC_CERT_INVALID;
476
477	int rc=_load_id(&id,cert,id_cred_ret);
478	if(rc==ABAC_CERT_EXISTS) {
479	if(debug) fprintf(stderr, "abac_verifier_load_id_files: id already exists\n");
480	return ABAC_CERT_SUCCESS;
481	}
482
483	/* try to load the private key if it is there */
484	if((rc==ABAC_CERT_SUCCESS) && keyfilename!=NULL && file_exist(keyfilename)) {
485	if(debug) fprintf(stderr, "loading... %s\n", keyfilename);
486	int keyrc=abac_id_load_privkey_file(id, keyfilename);
487	if(debug) {
488	if(keyrc == 1) fprintf(stderr, "..load_id_file: load(%s) with a private key\n",filename);
489	else printf("..load_id_file: load(%s) without a private key\n",filename);
490	}
491	}
492	return ABAC_CERT_SUCCESS;
493	}
494
495	int abac_verifier_load_enc_id_file_key_file(char filename, char keyfilename,
496	char pfile, abac_id_credential_t *id_cred_ret)
497	{
498	abac_id_t *id=NULL;
499	if (lib == NULL)
500	errx(1, "looks like you didn't call libabac_init() (lib is NULL)");
501
502	if(debug) fprintf(stderr, "loading id file... %s\n", filename);
503
504	// load the cert, with public key
505	certificate_t *cert = lib->creds->create(
506	lib->creds, CRED_CERTIFICATE, CERT_X509,
507	BUILD_FROM_FILE, filename,
508	BUILD_X509_FLAG, X509_AA, // attribute authority, dumb
509	BUILD_END
510	);
511
512	if (cert == NULL)
513	return ABAC_CERT_INVALID;
514
515	int rc=_load_id(&id,cert,id_cred_ret);
516	if(rc==ABAC_CERT_EXISTS) {
517	if(debug) fprintf(stderr, "abac_verifier_load_id_files: id already exists\n");
518	return ABAC_CERT_SUCCESS;
519	}
520
521	/* try to load the private key if it is there */
522	if((rc==ABAC_CERT_SUCCESS) && keyfilename!=NULL && file_exist(keyfilename)) {
523	if(debug) fprintf(stderr, "loading... %s\n", keyfilename);
524	int keyrc=abac_id_load_enc_privkey_file(id, keyfilename, pfile);
525	if(debug) {
526	if(keyrc == 1) fprintf(stderr, "..load_id_file: load(%s) with a private key\n",filename);
527	else printf("..load_id_file: load(%s) without a private key\n",filename);
528	}
529	}
530	return ABAC_CERT_SUCCESS;
531	}
532
533	/**
534	* Load an ID cert from a abac_id_t
535	*/
536	int abac_verifier_load_id_id(abac_id_t id, abac_id_credential_t *id_cred_ret) {
537	certificate_t *cert = abac_id_cert(id);
538	return _load_id(&id,cert,id_cred_ret);
539	}
540
541	/**
542	* Load an ID cert from a chunk.
543	*/
544	int abac_verifier_load_id_pem_chunk(chunk_t chunk, abac_id_credential_t **id_cred_ret) {
545	abac_id_t *id=NULL;
546	// load the cert
547	certificate_t *cert = lib->creds->create(
548	lib->creds, CRED_CERTIFICATE, CERT_X509,
549	BUILD_BLOB_PEM, chunk,
550	BUILD_X509_FLAG, X509_AA, // attribute authority, dumb
551	BUILD_END
552	);
553	if (cert == NULL)
554	return ABAC_CERT_INVALID;
555	return _load_id(&id, cert,id_cred_ret);
556	}
557	/**
558	* Load an ID cert from a chunk, Note, this only loads the id cert part
559	* and so it is not suitable for creating an attribute credential with.
560	* Only a complete id cert + privkey could create attribute credential.
561	*/
562	int abac_verifier_load_id_chunk(chunk_t chunk, abac_id_credential_t **id_cred_ret) {
563	abac_id_t *id=NULL;
564	// load the cert
565	certificate_t *cert = lib->creds->create(
566	lib->creds, CRED_CERTIFICATE, CERT_X509,
567	BUILD_BLOB_ASN1_DER, chunk,
568	BUILD_X509_FLAG, X509_AA, // attribute authority, dumb
569	BUILD_END
570	);
571	if (cert == NULL)
572	return ABAC_CERT_INVALID;
573	return _load_id(&id, cert,id_cred_ret);
574	}
575
576	/**
577	* Load an ID cert from a cert chunk and a privkey chunk,
578	* this complete id cert + privkey could create attribute credential.
579	*/
580	int abac_verifier_load_id_privkey_chunk(chunk_t chunk, chunk_t privkey_chunk,
581	abac_id_credential_t **id_cred_ret) {
582
583	abac_id_t *id=NULL;
584	// load the cert
585	certificate_t *cert = lib->creds->create(
586	lib->creds, CRED_CERTIFICATE, CERT_X509,
587	BUILD_BLOB_ASN1_DER, chunk,
588	BUILD_X509_FLAG, X509_AA, // attribute authority, dumb
589	BUILD_END
590	);
591	if (cert == NULL)
592	return ABAC_CERT_INVALID;
593
594	int rc=_load_id(&id, cert,id_cred_ret);
595	if(rc == ABAC_CERT_SUCCESS) {
596	rc=abac_id_load_privkey_chunk(id, privkey_chunk);
597	}
598
599	return rc;
600	}
601
602	int abac_verifier_load_id_enc_privkey_chunk(chunk_t chunk, chunk_t privkey_chunk,
603	char* pfile, abac_id_credential_t **id_cred_ret) {
604
605	abac_id_t *id=NULL;
606	// load the cert
607	certificate_t *cert = lib->creds->create(
608	lib->creds, CRED_CERTIFICATE, CERT_X509,
609	BUILD_BLOB_ASN1_DER, chunk,
610	BUILD_X509_FLAG, X509_AA, // attribute authority, dumb
611	BUILD_END
612	);
613	if (cert == NULL)
614	return ABAC_CERT_INVALID;
615
616	int rc=_load_id(&id, cert,id_cred_ret);
617	if(rc == ABAC_CERT_SUCCESS) {
618	rc=abac_id_load_enc_privkey_chunk(id, privkey_chunk, pfile);
619	}
620
621	return rc;
622	}
623
624
625
626	abac_id_t abac_verifier_load_issuer(char filename, char *keyfilename)
627	{
628	abac_id_credential_t *id_cred=NULL;
629	int ret=abac_verifier_load_id_file_key_file(filename,keyfilename,&id_cred);
630	if(ret !=ABAC_CERT_SUCCESS)
631	return NULL;
632	abac_id_t *issuer=abac_id_credential_id(id_cred);
633	return issuer;
634	}
635
636
637	static int matchex(const char subject, const char pattern, int so, int eo)
638	{
639	int rc; // Returned code
640	regmatch_t pmatch;
641
642	regex_t re; // Compiled regexp pattern
643
644	if (regcomp(&re, pattern, 0) != 0) return 0;
645
646	rc = regexec(&re, subject, 1 , &pmatch, 0);
647	regfree(&re);
648
649	if (rc == REG_NOMATCH ) return 0;
650
651	*so=pmatch.rm_so;
652	*eo=pmatch.rm_eo;
653
654	return 1;
655	}
656
657
658
659	static chunk_t _extract_chunk(char data, char startline, char* endline)
660	{
661	int found=0;
662	int startos=0;
663	int endos=0;
664	regex_t re;
665	regmatch_t pm;
666	int rc;
667
668	int st;
669	int et;
670
671	rc=matchex(data, startline, &st, &et);
672	if(rc==0) return chunk_empty;
673	startos=st;
674
675	rc=matchex(data, endline, &st, &et);
676	if(rc==0) return chunk_empty;
677	endos=et;
678
679	int len=endos - startos;
680
681	if(debug) fprintf(stderr, "making a chunk of size (%d) from %d and %d\n",len, startos,endos);
682	char *ptr=strndup(data+startos,len);
683
684	chunk_t ret = { ptr, len };
685	return ret;
686	}
687
688
689	int abac_verifier_load_idkey_file(char filename, abac_id_credential_t *id_cred_ret)
690	{
691	struct stat sb;
692	int fd;
693	int rc;
694
695	fd = open(filename, O_RDONLY);
696	if (fd == -1) { return 1; }
697	if(stat(filename, &sb) == -1) {
698	close(fd);
699	return 1;
700	}
701	char* data = (char *)mmap(NULL, sb.st_size, PROT_READ, MAP_PRIVATE, fd, 0);
702	if(data == MAP_FAILED) {
703	close(fd);
704	return 1;
705	}
706	close(fd);
707
708	chunk_t key_pem_chunk=_extract_chunk(data,
709	"-----BEGIN RSA PRIVATE KEY-----","-----END RSA PRIVATE KEY-----");
710	chunk_t cert_pem_chunk=_extract_chunk(data,
711	"-----BEGIN CERTIFICATE-----","-----END CERTIFICATE-----");
712
713	/* key=0, cert=0 */
714	if(key_pem_chunk.len==0 && cert_pem_chunk.len==0) {
715	if(debug) fprintf(stderr, "abac_verifier_load_idkey_file: no key or id in idkey_file\n");
716	goto error;
717	}
718
719	/* key=0, cert=1 */
720	if(key_pem_chunk.len==0) {
721	if(debug) fprintf(stderr, "abac_verifier_load_idkey_file: no key in idkey_file\n");
722	munmap(data, sb.st_size);
723	chunk_free(&key_pem_chunk);
724	return abac_verifier_load_id_file_key_file(filename,NULL,id_cred_ret);
725	}
726
727	/* key=1, cert=1 */
728	if(cert_pem_chunk.len!=0) {
729	if(debug) {
730	fprintf(stderr, "loading cert pem chunk %d\n", cert_pem_chunk.len);
731	printf("(%s)\n",cert_pem_chunk.ptr);
732	}
733	rc=abac_verifier_load_id_pem_chunk(cert_pem_chunk, id_cred_ret);
734	if(rc != 0) {
735	if(debug) fprintf(stderr, "abac_verifier_load_idkey_file: fail to load the id\n");
736	goto error;
737	}
738	/* key=1, cert=0 */
739	} else {
740	if(debug) fprintf(stderr, "abac_verifier_load_idkey_file: there is no id info in there\n");
741	goto error;
742	}
743
744	/* handle the key_pem_chunk */
745	if(debug) {
746	fprintf(stderr, "loading key pem chunk %d\n", key_pem_chunk.len);
747	printf("(%s)\n",key_pem_chunk.ptr);
748	}
749	abac_id_t id=abac_id_credential_id(id_cred_ret);
750	rc=abac_id_load_privkey_chunk(id, key_pem_chunk);
751	if(rc==0) {
752	printf("abac_verifier_load_idkey_file:failed to load priv key!!!\n");
753	goto error;
754	}
755
756	munmap(data, sb.st_size);
757	return 0;
758
759	error:
760	munmap(data, sb.st_size);
761	return 1;
762	}
763
764
765	int abac_verifier_load_enc_idkey_file(char filename, char pfile,
766	abac_id_credential_t **id_cred_ret)
767	{
768	struct stat sb;
769	int fd;
770	int rc;
771
772	fd = open(filename, O_RDONLY);
773	if (fd == -1) { return 1; }
774	if(stat(filename, &sb) == -1) {
775	close(fd);
776	return 1;
777	}
778	char* data = (char *)mmap(NULL, sb.st_size, PROT_READ, MAP_PRIVATE, fd, 0);
779	if(data == MAP_FAILED) {
780	close(fd);
781	return 1;
782	}
783	close(fd);
784
785	chunk_t key_pem_chunk=_extract_chunk(data,
786	"-----BEGIN RSA PRIVATE KEY-----","-----END RSA PRIVATE KEY-----");
787	chunk_t cert_pem_chunk=_extract_chunk(data,
788	"-----BEGIN CERTIFICATE-----","-----END CERTIFICATE-----");
789
790	/* key=0, cert=0 */
791	if(key_pem_chunk.len==0 && cert_pem_chunk.len==0) {
792	if(debug) fprintf(stderr, "abac_verifier_load_idkey_file: no key or id in idkey_file\n");
793	goto error;
794	}
795
796	/* key=0, cert=1 */
797	if(key_pem_chunk.len==0) {
798	if(debug) fprintf(stderr, "abac_verifier_load_idkey_file: no key in idkey_file\n");
799	munmap(data, sb.st_size);
800	chunk_free(&key_pem_chunk);
801	return abac_verifier_load_id_file_key_file(filename,NULL,id_cred_ret);
802	}
803
804	/* key=1, cert=1 */
805	if(cert_pem_chunk.len!=0) {
806	if(debug) {
807	fprintf(stderr, "loading cert pem chunk %d\n", cert_pem_chunk.len);
808	printf("(%s)\n",cert_pem_chunk.ptr);
809	}
810	rc=abac_verifier_load_id_pem_chunk(cert_pem_chunk, id_cred_ret);
811	if(rc != 0) {
812	if(debug) fprintf(stderr, "abac_verifier_load_idkey_file: fail to load the id\n");
813	goto error;
814	}
815	/* key=1, cert=0 */
816	} else {
817	if(debug) fprintf(stderr, "abac_verifier_load_idkey_file: there is no id info in there\n");
818	goto error;
819	}
820
821	/* handle the key_pem_chunk */
822	if(debug) {
823	fprintf(stderr, "loading key pem chunk %d\n", key_pem_chunk.len);
824	printf("(%s)\n",key_pem_chunk.ptr);
825	printf("(%d)\n",strlen(key_pem_chunk.ptr));
826	}
827	abac_id_t id=abac_id_credential_id(id_cred_ret);
828	rc=abac_id_load_enc_privkey_chunk(id, key_pem_chunk, pfile);
829	if(rc==0) {
830	printf("abac_verifier_load_idkey_file:failed to load priv key!!!\n");
831	goto error;
832	}
833
834	munmap(data, sb.st_size);
835	return 0;
836
837	error:
838	munmap(data, sb.st_size);
839	return 1;
840	}
841
842	void abac_print_clauses(abac_list_t clauses, FILE fp)
843	{
844	if (clauses != NULL) {
845	char *cur;
846	printf("total-- %d clauses\n", abac_list_size(clauses));
847	abac_list_foreach(clauses, cur,
848	if(cur) {
849	if(fp)
850	fprintf (fp,"a clause, %d(%s)\n", (int)cur,cur);
851	else printf ("a clause, %d(%s)\n", (int)cur,cur);
852	}
853	);
854	}
855	}
856
857	abac_id_credential_t abac_id_credential_dup(abac_id_credential_t ptr) {
858	assert(ptr != NULL);
859	if(debug)
860	fprintf(stderr, "calling abac_id_credential_dup, increment id ref count\n");
861	abac_id_dup(ptr->id);
862	return ptr;
863	}
864
865	abac_id_t abac_id_credential_id(abac_id_credential_t ptr)
866	{
867	assert(ptr);
868	return ptr->id;
869	}
870
871
872	abac_id_credential_t abac_id_credential_lookup(char pname)
873	{
874	abac_id_credential_t *id_cred=NULL;
875	HASH_FIND_STR(id_creds, pname, id_cred);
876	if(id_cred != NULL)
877	return abac_id_credential_dup(id_cred);
878	else return NULL;
879	}
880
881	void abac_id_credential_free(abac_id_credential_t *ptr)
882	{
883	if (ptr == NULL)
884	return;
885
886	if(debug)
887	fprintf(stderr, "abac_id_credential_free:freeing (%s)\n", abac_id_name(ptr->id));
888
889	// this is very hacky...
890	int last=abac_id_lastone(ptr->id);
891	if(!last) {
892	if(debug) fprintf(stderr, "abac_id_credential_free:not last one\n");
893	abac_id_free(ptr->id);
894	} else {
895	if(debug) fprintf(stderr, "abac_id_credential_free: deleting id (%s)\n",abac_id_name(ptr->id));
896	free(ptr->hashkeyid);
897	if(ptr->pl_clause)
898	free(ptr->pl_clause);
899	abac_id_free(ptr->id);
900	HASH_DEL(id_creds, ptr);
901	free(ptr);
902	}
903	}
904
905	/****************************************************************************/
906
907	static int _verify_valid_credential_string(certificate_t *cert,
908	abac_credential_t *cred_ret, char encoded_attr_string)
909	{
910	abac_aspect_t *head_aspect = NULL;
911	abac_aspect_t *tail_aspect = NULL;
912	abac_list_t *clauses=NULL;
913	abac_id_credential_t *id_cred;
914	abac_id_t *issuer_id;
915	int ret, i;
916
917	// get the attr
918	head_aspect = abac_yy_get_rule_head_aspect();
919	tail_aspect = abac_yy_get_rule_tail_aspect();
920	clauses = abac_yy_get_rule_clauses();
921
922	// get the issuer based on keyid
923	char *principalname = abac_aspect_principal_principalname(head_aspect);
924	if(debug) fprintf(stderr, "LOOKING for %s\n", principalname);
925
926	HASH_FIND_STR(id_creds, principalname, id_cred);
927	if(id_cred == NULL) {
928	ret = ABAC_CERT_MISSING_ISSUER;
929	if(debug)
930	fprintf(stderr, "can not find %s in id_creds\n", principalname);
931	goto error;
932	}
933	issuer_id=id_cred->id;
934	if (issuer_id == NULL) {
935	ret = ABAC_CERT_MISSING_ISSUER;
936	if(debug)
937	fprintf(stderr, "can not find %s in id_creds\n", principalname);
938	goto error;
939	}
940
941	// make sure the issuer's signed it
942	ret = verify_signature(abac_id_cert(issuer_id), cert);
943	if (!ret) {
944	abac_yy_set_error_code(ABAC_RT_CERT_BAD_SIG);
945	ret=ABAC_CERT_BAD_SIG;
946	goto error;
947	}
948
949	// at this point we know we have a good attribute cert baked it in
950	abac_attribute_t *attr=abac_attribute_new(issuer_id, cert, cert->get_ref(cert));
951	abac_attribute_set_head(attr, head_aspect);
952	abac_attribute_add_tail(attr, tail_aspect);
953
954	abac_credential_t *cred = abac_xmalloc(sizeof(abac_credential_t));
955	cred->hashkeyid=abac_xstrdup(encoded_attr_string);
956	cred->attr=attr;
957	cred->pl_clauses = clauses;
958	*cred_ret = cred;
959
960	// success, add the key to the map of certificates
961	HASH_ADD_KEYPTR(hh, attr_creds, cred->hashkeyid, strlen(cred->hashkeyid), cred);
962
963	assert(attr_hashkeyid_list);
964	abac_list_add(attr_hashkeyid_list, abac_xstrdup(cred->hashkeyid));
965
966	if(debug)
967	fprintf(stderr, "-->adding into attr_creds 2, (%s)..cnt(%d)\n",
968	cred->hashkeyid, HASH_COUNT(attr_creds));
969
970	return ABAC_CERT_SUCCESS;
971
972	error:
973	if (head_aspect) abac_aspect_free(head_aspect);
974	if (tail_aspect) abac_aspect_free(tail_aspect);
975	abac_yy_free_rule_clauses();
976
977	return ret;
978	}
979
980	/**
981	* Load an attribute cert.
982	* Returns true only if the certificate is valid and is issued by the proper
983	* authority.
984	* attribute string is parsed via yyparse call
985	*/
986	static int _load_attribute_cert(certificate_t cert, abac_credential_t *cred_ret) {
987	ietf_attributes_t *attr_cert = NULL;
988	int ret, i;
989
990	// get the attr
991	ac_t ac = (ac_t )cert;
992	attr_cert = ac->get_groups(ac);
993	if (attr_cert == NULL) {
994	ret = ABAC_CERT_INVALID;
995	goto error;
996	}
997
998	char *encoded_attr_string=attr_cert->get_string(attr_cert);
999	char *attr_string = abac_decode_string(encoded_attr_string);
1000	if(debug)
1001	fprintf(stderr, "string to be yyparse..(%d)(%s)\n",strlen(attr_string),attr_string);
1002
1003	if (attr_string == NULL) {
1004	ret = ABAC_CERT_INVALID;
1005	goto error;
1006	}
1007
1008	/* call into yacc parser */
1009	abac_reset_yyfptr(attr_string);
1010	abac_yy_init();
1011	int rc=yyparse();
1012	if (rc) {
1013	ret = ABAC_CERT_INVALID;
1014	goto error;
1015	}
1016
1017	ret=_verify_valid_credential_string(cert,cred_ret,encoded_attr_string);
1018
1019	if(ret != ABAC_CERT_SUCCESS) {
1020	char *tmp=NULL;
1021	asprintf(&tmp,"_load_attribute_cert: fail to verify credential (%s)",attr_string);
1022	panic(tmp);
1023	}
1024
1025	// free up some crap
1026	attr_cert->destroy(attr_cert);
1027
1028	return ret;
1029
1030	error:
1031	if (cert) cert->destroy(cert);
1032	if (attr_cert) attr_cert->destroy(attr_cert);
1033	return ret;
1034	}
1035
1036	/**
1037	* Load an attribute cert from a abac_attribute_t.
1038	* attr should be all checked out before arriving here
1039	*/
1040	int abac_verifier_load_attribute_cert_attribute(abac_attribute_t ptr, abac_credential_t *cred_ret) {
1041	// get the attr
1042	abac_aspect_t *head=abac_attribute_head(ptr);
1043	abac_aspect_t *tail=abac_attribute_tail(ptr);
1044
1045	// preprocess for constraint part
1046	preprocess_pl_head(head);
1047	preprocess_pl_tail(tail);
1048
1049	/* setup the encoded attribute string */
1050	char *encoded_attr_string=get_cred_encoding(ptr);
1051	generate_pl_set_abac_yyfptr_encoded(encoded_attr_string);
1052	/* collect up type clauses, constraint clauses and
1053	generate rule clauses */
1054	abac_list_t *clauses=generate_pl_clauses(head,tail);
1055
1056	if(debug) abac_print_clauses(clauses,NULL);
1057
1058	abac_credential_t *cred = abac_xmalloc(sizeof(abac_credential_t));
1059	cred->hashkeyid=abac_xstrdup(encoded_attr_string);
1060	cred->attr=abac_attribute_dup(ptr);
1061	cred->pl_clauses = clauses;
1062	*cred_ret = cred;
1063
1064	// success, add the key to the map of certificates
1065	HASH_ADD_KEYPTR(hh, attr_creds, cred->hashkeyid, strlen(cred->hashkeyid), cred);
1066
1067	assert(attr_hashkeyid_list);
1068	abac_list_add(attr_hashkeyid_list, abac_xstrdup(cred->hashkeyid));
1069
1070	if(debug)
1071	fprintf(stderr, "-->adding into attr_creds, (%s)..cnt(%d)\n",
1072	cred->hashkeyid, HASH_COUNT(attr_creds));
1073	return ABAC_CERT_SUCCESS;
1074	}
1075
1076	/**
1077	* Load an attribute cert from a file.
1078	*/
1079	int abac_verifier_load_attribute_cert_file(char filename, abac_credential_t *cred) {
1080	// load the cert
1081	if(debug) fprintf(stderr, "..loading attr file %s\n", filename);
1082	certificate_t *cert = lib->creds->create(
1083	lib->creds, CRED_CERTIFICATE, CERT_X509_AC,
1084	BUILD_FROM_FILE, filename,
1085	BUILD_END
1086	);
1087	if (cert == NULL)
1088	return ABAC_CERT_INVALID;
1089	return _load_attribute_cert(cert, cred);
1090	}
1091
1092	/**
1093	* Load an attribute cert from a chunk.
1094	*/
1095	int abac_verifier_load_attribute_cert_chunk(chunk_t chunk, abac_credential_t **cred) {
1096	// load the cert
1097	certificate_t *cert = lib->creds->create(
1098	lib->creds, CRED_CERTIFICATE, CERT_X509_AC,
1099	BUILD_BLOB_ASN1_DER, chunk,
1100	BUILD_END
1101	);
1102	if (cert == NULL)
1103	return ABAC_CERT_INVALID;
1104
1105	return _load_attribute_cert(cert, cred);
1106	}
1107
1108	/**
1109	* Return the encoding of the attribute cert.
1110	*/
1111	abac_chunk_t abac_credential_attribute_cert(abac_credential_t *cred) {
1112	abac_attribute_t *ptr=cred->attr;
1113	certificate_t *cert=abac_attribute_cert(ptr);
1114	chunk_t encoding = chunk_empty;
1115	int rc=cert->get_encoding(cert,CERT_ASN1_DER,&encoding);
1116	abac_chunk_t ret = { encoding.ptr, encoding.len };
1117	return ret;
1118	}
1119
1120	/**
1121	* Return the encoding of the issuer cert.
1122	*/
1123	abac_chunk_t abac_credential_issuer_cert(abac_credential_t *cred) {
1124	certificate_t *issuer_cert=abac_attribute_issuer_cert(cred->attr);
1125	assert(issuer_cert);
1126	chunk_t encoding = chunk_empty;
1127	// XXX MEI, not sure ??
1128	int rc=issuer_cert->get_encoding(issuer_cert,CERT_ASN1_DER,&encoding);
1129	abac_chunk_t ret = { encoding.ptr, encoding.len };
1130	return ret;
1131	}
1132
1133	/**
1134	* Return the clause of the cert
1135	*/
1136	abac_list_t abac_credential_clauses(abac_credential_t cred) {
1137	return cred->pl_clauses;
1138	}
1139
1140	abac_attribute_t abac_credential_attribute(abac_credential_t cred) {
1141	assert(cred);
1142	return cred->attr;
1143	}
1144
1145	/**
1146	* Increase the ref count of a credential.
1147	*/
1148	abac_credential_t abac_credential_dup(abac_credential_t cred) {
1149	assert(cred != NULL);
1150
1151	abac_attribute_dup(cred->attr);
1152	return cred;
1153	}
1154
1155	/**
1156	* lookup for a credential.
1157	*/
1158	abac_credential_t abac_credential_lookup(char cred_string)
1159	{
1160	if(debug)
1161	fprintf(stderr, "abac_credential_lookup: looking for (%s)\n", cred_string);
1162	abac_credential_t *attr_cred;
1163
1164	HASH_FIND_STR(attr_creds, cred_string, attr_cred);
1165	if (attr_cred == NULL) {
1166	if(debug) fprintf(stderr, "DEBUG:NOT FOUND..\n");
1167	return NULL;
1168	}
1169	abac_credential_t *rt=abac_credential_dup(attr_cred);
1170	if(debug) fprintf(stderr, "DEBUG:FOUND.. (%d) returning, (%d)\n", (int)attr_cred, (int) rt);
1171	return rt;
1172	}
1173
1174	/**
1175	* Decrease the reference count of a credential, freeing it when it reaches 0.
1176	*/
1177	void abac_credential_free(abac_credential_t *cred)
1178	{
1179	if(debug)
1180	fprintf(stderr, "abac_credential_free:freeing cred(%d)clause(%d)\n", (int)cred, (int)cred->pl_clauses);
1181
1182	if (cred == NULL)
1183	return;
1184
1185	// this is very hacky...
1186	int last=abac_attribute_lastone(cred->attr);
1187	if(!last) {
1188	abac_attribute_free(cred->attr);
1189	} else {
1190	if(debug) fprintf(stderr, "abac_credential_free: real free for (%d)\n",(int) cred);
1191	free(cred->hashkeyid);
1192	char *cur=NULL;
1193	abac_list_foreach(cred->pl_clauses, cur,
1194	free(cur);
1195	);
1196	abac_attribute_free(cred->attr);
1197	HASH_DEL(attr_creds, cred);
1198	free(cred);
1199	}
1200	}
1201
1202	char abac_id_clause(abac_id_credential_t id_cred)
1203	{
1204	if(id_cred)
1205	return id_cred->pl_clause;
1206	return NULL;
1207	}
1208
1209	/* retrieve the cn that is associated with this sha_string */
1210	char abac_cn_with_sha(char sha_string)
1211	{
1212	// get the issuer based on keyid
1213	abac_id_credential_t *id_cred;
1214	HASH_FIND_STR(id_creds, sha_string, id_cred);
1215	if (id_cred == NULL) {
1216	return NULL;
1217	}
1218	if(debug)
1219	check_id_cred(id_cred);
1220	return abac_id_cn(id_cred->id);
1221	}
1222
1223	char abac_idtype_with_sha(char sha_string)
1224	{
1225	// get the issuer based on keyid
1226	abac_id_credential_t *id_cred;
1227	HASH_FIND_STR(id_creds, sha_string, id_cred);
1228	if (id_cred == NULL) {
1229	// this id, sha string is not in the db...
1230	if(debug)
1231	fprintf(stderr,"abac_idtype_with_sha: this id is not in the id_creds list\n");
1232	return NULL;
1233	}
1234	int idtype=abac_id_idtype(id_cred->id);
1235
1236	return abac_idtype_string(idtype);
1237	}
1238
1239	abac_aspect_t abac_credential_head(abac_credential_t cred) {
1240	return abac_attribute_head(cred->attr);
1241	}
1242
1243	abac_aspect_t abac_credential_tail(abac_credential_t cred) {
1244	return abac_attribute_tail(cred->attr);
1245	}
1246
1247

Note: See TracBrowser for help on using the repository browser.

Download in other formats: