![[BACK]](/cvsweb/icons/back.gif){kind=icon}
Return to security.c CVS log ![[TXT]](/cvsweb/icons/text.gif){kind=icon}
![[DIR]](/cvsweb/icons/dir.gif){kind=icon}
Up to [CSRG BSD Unix] / 43BSDReno / contrib / isode-beta / quipu|
Return to security.c CVS log | Up to [CSRG BSD Unix] / 43BSDReno / contrib / isode-beta / quipu |
1.1 root 1: /* security.c - Check security parameters */
2:
3: #ifndef lint
4: static char *rcsid = "$Header: /f/osi/quipu/RCS/security.c,v 7.1 89/12/19 16:20:47 mrose Exp $";
5: #endif
6:
7: /*
8: * $Header: /f/osi/quipu/RCS/security.c,v 7.1 89/12/19 16:20:47 mrose Exp $
9: *
10: *
11: * $Log: security.c,v $
12: * Revision 7.1 89/12/19 16:20:47 mrose
13: * sync
14: *
15: * Revision 6.0 89/09/08 10:20:02 mrose
16: * *** empty log message ***
17: *
18: */
19:
20: /*
21: * NOTICE
22: *
23: * Acquisition, use, and distribution of this module and related
24: * materials are subject to the restrictions of a license agreement.
25: * Consult the Preface in the User's Manual for the full terms of
26: * this agreement.
27: *
28: */
29:
30:
31: #include "logger.h"
32: #include "quipu/ds_error.h"
33: #include "quipu/commonarg.h"
34:
35: extern int encode_AF_CertificateToSign();
36: extern int dn_print();
37: extern LLog *log_dsap;
38: #ifndef NO_STATS
39: extern LLog *log_stat;
40: #endif
41:
42: #define adios(a, b) fatal(-1, b)
43:
44: unsigned *compute_signature();
45: struct MD4Hash *pe2hash();
46: struct signature *sign_operation_aux();
47: struct signature *sign_operation();
48:
49: /*
50: * Cache holding keys of trusted certification authorities
51: */
52:
53: struct ca_record *ca_key_cache = (struct ca_record *) 0;
54:
55: /*
56: * Cache holding keys of users (untrusted)
57: */
58:
59: struct ca_record *user_key_cache = (struct ca_record *) 0;
60:
61: /*
62: * Own certificate. (For convenient access).
63: */
64:
65: struct certificate *my_certificate = (struct certificate *) 0;
66:
67: /*
68: * RSA secret key.
69: */
70:
71: static struct RSASecretKey *my_secret_key;
72: static struct RSAParameters *my_key_parms;
73:
74: struct ca_record *find_user_keyinfo();
75: struct ca_record *find_ca_keyinfo();
76:
77: /*
78: * Check security parameters - return 0 or the number of the security error.
79: */
80:
81: /* ARGSUSED */
82: int check_security_parms(data, fnx, sp, sig, nameptr)
83: caddr_t data;
84: IFP fnx;
85: struct security_parms *sp;
86: struct signature *sig;
87: DN *nameptr;
88: {
89: extern long time();
90: long time_now;
91: long time_then;
92: long delta;
93:
94: /* If parameters are present, they must be valid */
95:
96: if (sp != (struct security_parms *) 0)
97: {
98: if (sp->sp_time != NULLCP)
99: {
100: (void) time(&time_now);
101: time_then = gtime(ut2tm(str2utct(sp->sp_time, strlen(sp->sp_time))));
102: delta = time_now - time_then;
103: }
104: else
105: delta = 0L;
106:
107: #ifndef NO_STATS
108: DLOG(log_stat, LLOG_NOTICE,
109: ("Delay=%D s, protection%s requested, certificate%s present",
110: delta,
111: (sp->sp_target == '\0') ? " not" : "",
112: (sp->sp_path == (struct certificate_list *) 0) ? " not" : ""
113: ));
114: /* NB : must use "" rather than NULLCP for the above to work. */
115: #endif
116: }
117:
118: /* If no signature is provided, nothing else to do */
119:
120: if (sig == (struct signature *) 0)
121: return (0);
122:
123: #ifndef NO_STATS
124: DLOG(log_stat, LLOG_NOTICE, ("Operation is signed"));
125: #endif
126:
127: /* Policy : signed messages must have security parameters present. */
128: if (sp == (struct security_parms *) 0)
129: return (DSE_SC_INVALIDCREDENTIALS);
130:
131: /* Policy: signed messages must have a time-stamp. */
132: if (sp->sp_time == NULLCP)
133: return (DSE_SC_INVALIDCREDENTIALS);
134:
135: /* Policy: a certification path must be provided. */
136: if (sp->sp_path == (struct certificate_list *) 0)
137: return (DSE_SC_INVALIDCREDENTIALS);
138:
139: return (DSE_SC_AUTHENTICATION);
140: }
141:
142:
143: /*
144: * Having decided that a CA is trusted (eg. by looking a tailor file),
145: * add its key to the cache.
146: */
147:
148: int add_ca_key(str)
149: char *str;
150: {
151: struct key_info key;
152: DN name;
153: char *ptr;
154: OID alg;
155:
156: ptr = index(str, '#');
157: if (ptr == NULLCP)
158: return (NOTOK);
159: *ptr = '\0';
160: ptr++;
161: name = str2dn(str);
162: if (name == NULLDN)
163: {
164: DLOG(log_dsap, LLOG_FATAL, ("Invalid CA name: %s", str));
165: return (NOTOK);
166: }
167:
168: str = ptr;
169: ptr = index(str, '#');
170: if (ptr == NULLCP)
171: return (NOTOK);
172: *ptr = '\0';
173: ptr++;
174: alg = name2oid(str);
175: if (alg == NULLOID)
176: {
177: DLOG(log_dsap, LLOG_FATAL, ("Invalid algorithm: %s", str));
178: return (NOTOK);
179: }
180: key.alg.algorithm = alg;
181:
182: str = ptr;
183: ptr = index(str, '#');
184: if (ptr == NULLCP)
185: {
186: DLOG(log_dsap, LLOG_FATAL, ("Algorithm parameters missing"));
187: return (NOTOK);
188: }
189: *ptr = '\0';
190: ptr++;
191: str2alg(str, &(key.alg));
192:
193: str = ptr;
194: str2encrypted(str, &(key.value), &(key.n_bits));
195:
196: return (add_ca_key_aux(name, &key));
197: }
198:
199: int add_ca_key_aux(name, key)
200: DN name;
201: struct key_info *key;
202: {
203: struct ca_record *new;
204:
205: pslog(log_dsap, LLOG_NOTICE, "Adding CA:", dn_print, (caddr_t) name);
206:
207: new = (struct ca_record *) calloc(1, sizeof(*new));
208: if (new == (struct ca_record *) 0)
209: return (NOTOK);
210:
211: new->name = name;
212: bcopy((char *)key, (char *)&(new->key), sizeof(struct key_info));
213: new->next = ca_key_cache;
214: ca_key_cache = new;
215:
216: return (OK);
217: }
218:
219:
220: /* ARGSUSED */
221: static struct ca_record *find_keyinfo_aux(cache, name)
222: struct ca_record *cache;
223: DN name;
224: {
225: struct ca_record *ptr;
226:
227: ptr = cache;
228:
229: while (ptr)
230: {
231: if (dn_cmp(name, ptr->name) == 0)
232: return (ptr);
233: ptr = ptr->next;
234: }
235:
236: return (ptr); /* ie. NULL */
237: }
238:
239: struct ca_record *find_user_keyinfo(name)
240: DN name;
241: {
242: return (find_keyinfo_aux(user_key_cache, name));
243: }
244:
245: struct ca_record *find_ca_keyinfo(name)
246: DN name;
247: {
248: return (find_keyinfo_aux(ca_key_cache, name));
249: }
250:
251: /*
252: * Read RSA secret key from a file.
253: */
254:
255: /* ARGSUSED */
256: int set_secret_key(str)
257: char *str;
258: {
259: int rc;
260:
261: return (NOTOK);
262: }
263:
264: /*
265: * Compute signature. To do this, have to know canonical BER encoding of the
266: * data structure. Hence, this routine takes a PEPY-produced encoder as one
267: * parameter, and uses it to produce a PE.
268: */
269:
270:
271: /* ARGSUSED */
272: struct signature *sign_operation(data, encfnx)
273: caddr_t data;
274: IFP encfnx;
275: {
276: return sign_operation_aux(data, encfnx, my_secret_key, my_key_parms);
277: }
278:
279: /* ARGSUSED */
280: struct signature *sign_operation_aux(type, fnx, key, parms)
281: caddr_t type;
282: IFP fnx;
283: struct RSASecretKey *key;
284: struct RSAParameters *parms;
285: {
286: struct signature *result;
287: unsigned *csig;
288: PE pe;
289:
290:
291: result = (struct signature *) calloc(1, sizeof(*result));
292:
293: result->encrypted = calloc(64, 1);
294: result->n_bits = 512;
295: result->alg.algorithm = oid_cpy(ode2oid("sq_mod_n_with_rsa"));
296: result->alg.p_type = ALG_PARM_NUMERIC;
297: result->alg.un.numeric = 512;
298:
299: return (result);
300: }
301:
302:
303:
This archive runs on limited infrastructure. Preserving old code on modern bandwidth. Automated agents are requested to crawl responsibly.