void keynote_sigver(int argc, char *argv[]) { char *buf, **assertlist; int fd, i, n, j; struct stat sb; if (argc != 2) { sigverusage(); exit(0); } /* Open and read assertion file */ fd = open(argv[1], O_RDONLY, 0); if (fd < 0) { perror(argv[1]); exit(1); } if (fstat(fd, &sb) < 0) { perror("fstat()"); exit(1); } if (sb.st_size == 0) /* Paranoid */ { fprintf(stderr, "Illegal assertion-file size 0\n"); exit(1); } buf = (char *) calloc(sb.st_size + 1, sizeof(char)); if (buf == (char *) NULL) { perror("calloc()"); exit(1); } if (read(fd, buf, sb.st_size) < 0) { perror("read()"); exit(1); } close(fd); assertlist = kn_read_asserts(buf, sb.st_size, &n); if (assertlist == NULL) { fprintf(stderr, "Out of memory while allocating memory for " "assertions.\n"); exit(1); } if (n == 0) { fprintf(stderr, "No assertions found in %s.\n", argv[1]); free(assertlist); exit(1); } free(buf); for (j = 0; j < n; j++) { i = kn_verify_assertion(assertlist[j], strlen(assertlist[j])); if (i == -1) { switch (keynote_errno) { case ERROR_MEMORY: fprintf(stderr, "Out of memory while parsing assertion %d.\n", j); break; case ERROR_SYNTAX: fprintf(stderr, "Syntax error while parsing assertion %d.\n", j); break; default: fprintf(stderr, "Unknown error while parsing assertion %d.\n", j); } } else { if (i == SIGRESULT_TRUE) fprintf(stdout, "Signature on assertion %d verified.\n", j); else { if (keynote_errno != 0) fprintf(stdout, "Signature on assertion %d could not be verified " "(keynote_errno = %d).\n", j, keynote_errno); else fprintf(stdout, "Signature on assertion %d did not verify!\n", j); } } free(assertlist[j]); } free(assertlist); exit(0); }
/* * process_request_msg -- process the request that should nominally be * received from the client over the socket. * The request is a pseudo-credential, which is close enough * to the real thing that keynote can parse it and verify it. * The request has as the authoriser the key of the client * (and is signed by that key). * There is no licensees per se, we use the word 'REQUEST' as * a placeholder and so that the server can confirm that this * is a request, not a credential. * * The conditions are *assignments*. This is were it stops * looking like a real credential. We read these in as state * variables for the keynote session (actions). * * Processing takes these steps: * a) verify the request (i.e. that it signed by the authorizer) * b) extract the authorizer key and feed it into keynote as * the action authorizer (the key that makes the request) * c) extract the state variables from the request and feed * them into keynote. * * If all goes OK, we return 0, otherwise a negative number. */ int process_request_msg(int sessionid, char *rbuf, int rlen) { int n; int rval; char **assertlist; struct assertion *assertp; char *vps; char *vpe; char c; if ((assertlist = kn_read_asserts(rbuf, rlen, &n)) == NULL) { fprintf(stderr, "Out of memory while allocating memory for " "request.\n"); return(-1); } if (n != 1) { fprintf(stderr, "Request must haev only one assetion\n"); return(-1); } if (kn_verify_assertion(assertlist[0], strlen(assertlist[0])) < 0) { switch (keynote_errno) { case ERROR_MEMORY: fprintf(stderr, "Out of memory while parsing request.\n"); break; case ERROR_SYNTAX: fprintf(stderr, "Syntax error while parsing request.\n"); break; default: fprintf(stderr, "Unknown error while parsing request.\n"); } return(-1); } /* * verified, so now we use an internal keynote routine to * parse the request pseudo-credential and extract the * authoriser key and the variables. */ if ((assertp = keynote_parse_assertion(rbuf, rlen, 0)) == NULL) { fprintf(stderr, "keynote_parse_assertion failed\n"); return(-1); } /* * we now extract the authoriser key from the request and add it to the * keynote database. This is to ensure that the key which signed the * request is the authorizer key for this session. */ if ((rval = add_authorizer(sessionid, assertp->as_authorizer_string_s, assertp->as_authorizer_string_e)) < 0) { fprintf(stderr, "add_authorizer failed\n"); return(-1); } /* * we now extract the variables from the request and insert them into * the Keynote database * * Why do we trust the variables given to us by the client? * we have added variables to the root policy (e.g. app_domain, * nonce, date, etc) from our offer, in order to ensure that * the request refers to *our* offer. */ vps = assertp->as_conditions_s; vpe = assertp->as_conditions_e; c = *vpe; *vpe = '\0'; if ((rval = add_variables(sessionid, vps)) < 0) { fprintf(stderr, "add_variable, returned %d\n", rval); return(-1); } *vpe = c; return(0); }