void
keynote_sigver(int argc, char *argv[])
{
char *buf, **assertlist;
int fd, i, n, j;
struct stat sb;
if (argc != 2)
{
sigverusage();
exit(0);
}
/* Open and read assertion file */
fd = open(argv[1], O_RDONLY, 0);
if (fd < 0)
{
perror(argv[1]);
exit(1);
}
if (fstat(fd, &sb) < 0)
{
perror("fstat()");
exit(1);
}
if (sb.st_size == 0) /* Paranoid */
{
fprintf(stderr, "Illegal assertion-file size 0\n");
exit(1);
}
buf = (char *) calloc(sb.st_size + 1, sizeof(char));
if (buf == (char *) NULL)
{
perror("calloc()");
exit(1);
}
if (read(fd, buf, sb.st_size) < 0)
{
perror("read()");
exit(1);
}
close(fd);
assertlist = kn_read_asserts(buf, sb.st_size, &n);
if (assertlist == NULL)
{
fprintf(stderr, "Out of memory while allocating memory for "
"assertions.\n");
exit(1);
}
if (n == 0)
{
fprintf(stderr, "No assertions found in %s.\n", argv[1]);
free(assertlist);
exit(1);
}
free(buf);
for (j = 0; j < n; j++)
{
i = kn_verify_assertion(assertlist[j], strlen(assertlist[j]));
if (i == -1)
{
switch (keynote_errno)
{
case ERROR_MEMORY:
fprintf(stderr,
"Out of memory while parsing assertion %d.\n", j);
break;
case ERROR_SYNTAX:
fprintf(stderr,
"Syntax error while parsing assertion %d.\n", j);
break;
default:
fprintf(stderr,
"Unknown error while parsing assertion %d.\n", j);
}
}
else
{
if (i == SIGRESULT_TRUE)
fprintf(stdout, "Signature on assertion %d verified.\n", j);
else
{
if (keynote_errno != 0)
fprintf(stdout,
"Signature on assertion %d could not be verified "
"(keynote_errno = %d).\n", j, keynote_errno);
else
fprintf(stdout,
"Signature on assertion %d did not verify!\n", j);
}
}
free(assertlist[j]);
}
free(assertlist);
exit(0);
}
/*
* process_request_msg -- process the request that should nominally be
* received from the client over the socket.
* The request is a pseudo-credential, which is close enough
* to the real thing that keynote can parse it and verify it.
* The request has as the authoriser the key of the client
* (and is signed by that key).
* There is no licensees per se, we use the word 'REQUEST' as
* a placeholder and so that the server can confirm that this
* is a request, not a credential.
*
* The conditions are *assignments*. This is were it stops
* looking like a real credential. We read these in as state
* variables for the keynote session (actions).
*
* Processing takes these steps:
* a) verify the request (i.e. that it signed by the authorizer)
* b) extract the authorizer key and feed it into keynote as
* the action authorizer (the key that makes the request)
* c) extract the state variables from the request and feed
* them into keynote.
*
* If all goes OK, we return 0, otherwise a negative number.
*/
int
process_request_msg(int sessionid, char *rbuf, int rlen)
{
int n;
int rval;
char **assertlist;
struct assertion *assertp;
char *vps;
char *vpe;
char c;
if ((assertlist = kn_read_asserts(rbuf, rlen, &n)) == NULL) {
fprintf(stderr, "Out of memory while allocating memory for "
"request.\n");
return(-1);
}
if (n != 1) {
fprintf(stderr, "Request must haev only one assetion\n");
return(-1);
}
if (kn_verify_assertion(assertlist[0], strlen(assertlist[0])) < 0) {
switch (keynote_errno)
{
case ERROR_MEMORY:
fprintf(stderr,
"Out of memory while parsing request.\n");
break;
case ERROR_SYNTAX:
fprintf(stderr,
"Syntax error while parsing request.\n");
break;
default:
fprintf(stderr,
"Unknown error while parsing request.\n");
}
return(-1);
}
/*
* verified, so now we use an internal keynote routine to
* parse the request pseudo-credential and extract the
* authoriser key and the variables.
*/
if ((assertp = keynote_parse_assertion(rbuf, rlen, 0)) == NULL) {
fprintf(stderr, "keynote_parse_assertion failed\n");
return(-1);
}
/*
* we now extract the authoriser key from the request and add it to the
* keynote database. This is to ensure that the key which signed the
* request is the authorizer key for this session.
*/
if ((rval = add_authorizer(sessionid, assertp->as_authorizer_string_s,
assertp->as_authorizer_string_e)) < 0) {
fprintf(stderr, "add_authorizer failed\n");
return(-1);
}
/*
* we now extract the variables from the request and insert them into
* the Keynote database
*
* Why do we trust the variables given to us by the client?
* we have added variables to the root policy (e.g. app_domain,
* nonce, date, etc) from our offer, in order to ensure that
* the request refers to *our* offer.
*/
vps = assertp->as_conditions_s;
vpe = assertp->as_conditions_e;
c = *vpe;
*vpe = '\0';
if ((rval = add_variables(sessionid, vps)) < 0) {
fprintf(stderr, "add_variable, returned %d\n", rval);
return(-1);
}
*vpe = c;
return(0);
}
