kn_remove_assertion man page on OpenBSD

Man page or keyword search:  
man Server   11362 pages
apropos Keyword Search (all sections)
Output format
OpenBSD logo
[printable version]

KEYNOTE(3)		  OpenBSD Programmer's Manual		    KEYNOTE(3)

NAME
     keynote - a trust-management system library

SYNOPSIS
     #include <sys/types.h>
     #include <regex.h>
     #include <keynote.h>

     struct environment {
	     char		*env_name;
	     char		*env_value;
	     int		 env_flags;
	     regex_t		 env_regex;
	     struct environment *env_next;
     };

     struct keynote_deckey {
	     int   dec_algorithm;
	     void *dec_key;
     };

     struct keynote_binary {
	     int   bn_len;
	     char *bn_key;
     };

     struct keynote_keylist {
	     int		     key_alg;
	     void		    *key_key;
	     char		    *key_stringkey;
	     struct keynote_keylist *key_next;
     };
     extern int keynote_errno;

     int
     kn_init(void);

     int
     kn_add_assertion(int sessid, char *assertion, int len, int flags);

     int
     kn_remove_assertion(int sessid, int assertid);

     int
     kn_add_action(int sessid, char *name, char *value, int flags);

     int
     kn_remove_action(int sessid, char *name);

     int
     kn_add_authorizer(int sessid, char *principal);

     int
     kn_remove_authorizer(int sessid, char *principal);

     int
     kn_do_query(int sessid, char **returnvalues, int numvalues);

     int
     kn_get_failed(int sessid, int type, int seq);

     int
     kn_cleanup_action_environment(int sessid);

     int
     kn_close(int sessid);

     int
     kn_query(struct environment *env, char **returnvalues, int
     numvalues, char **trusted, int *trustedlen, int numtrusted, char
     **untrusted, int *untrustedlen, int numuntrusted, char **authorizers, int
     numauthauthorizers);

     char **
     kn_read_asserts(char *array, int arraylen, int *numassertions);

     int
     kn_keycompare(void *key1, void *key2, int algorithm);

     void *
     kn_get_authorizer(int sessid, int assertid, int *algorithm);

     struct keynote_keylist *
     kn_get_licensees(int sessid, int assertid);

     int
     kn_encode_base64(unsigned char const *src, unsigned int srclen, char
     *dst, unsigned int dstlen);

     int
     kn_decode_base64(char const *src, unsigned char *dst, unsigned int
     dstlen);

     int
     kn_encode_hex(unsigned char *src, char **dst, int srclen);

     int
     kn_decode_hex(char *src, char **dst);

     char *
     kn_encode_key(struct keynote_deckey *dc, int iencoding, int encoding, int
     keytype);

     int
     kn_decode_key(struct keynote_deckey *dc, char *key, int keytype);

     char *
     kn_sign_assertion(char *assertion, int len, char *key, char
     *algorithm, int vflag);

     int
     kn_verify_assertion(char *assertion, int len);

     void
     kn_free_key(struct keynote_deckey *);

     char *
     kn_get_string(char *);

     Link options: -lkeynote -lm -lcrypto

DESCRIPTION
     For more details on keynote, see RFC 2704.

     keynote_errno contains an error code if some library call failed.	Failed
     calls return -1 (if their return value is integer), or NULL (if their
     return value is a pointer) and set keynote_errno.	The defined error
     codes are:

	   ERROR_MEMORY	   Some memory allocation or usage error was
			   encountered.

	   ERROR_SYNTAX	   Some syntactic or logical error was encountered.

	   ERROR_NOTFOUND  One of the arguments referred to a nonexistent
			   structure or entry.

     If no errors were encountered, keynote_errno will be set to 0.  This
     variable should be reset to 0 if an error was encountered, prior to
     calling other library routines.

     The main interface to keynote is centered around the concept of a
     session.  A session describes a collection of policies, assertions,
     action authorizers, return values, and action attributes that the keynote
     system uses to evaluate a query.  Information is not shared between
     sessions.	Policies, credentials, action authorizers, and action
     attributes can be added or deleted at any point during the lifetime of a
     session.  Furthermore, an application can discover which assertions
     failed to be evaluated, and in what way, during a query.

     For those applications that only need to do a simple query, there exists
     a single call that takes as arguments all the necessary information and
     performs all the necessary steps.	This is essentially a wrapper that
     calls the session API functions as necessary.

     Finally, there exist functions for doing ASCII to hexadecimal and Base64
     encoding (and vice versa), for encoding/decoding keys between ASCII and
     binary formats, and for signing and verifying assertions.

     The description of all keynote library functions follows.

     kn_init() creates a new keynote session, and performs any necessary
     initializations.  On success, this function returns the new session ID,
     which is used by all subsequent calls with a sessid argument.  On
     failure, it returns -1 and sets keynote_errno to ERROR_MEMORY.

     kn_add_assertion() adds the assertion pointed to by the array assertion,
     of length len in the session identified by sessid.	 The first argument
     can be discarded after the call to this function.	The following flags
     are defined:

	   ASSERT_FLAG_LOCAL  Mark this assertion as ultimately trusted.
			      Trusted assertions need not be signed, and the
			      Authorizer and Licensees fields can have non-key
			      entries.

     At least one (trusted) assertion should have POLICY as the Authorizer.
     On success, this function will return an assertion ID which can be used
     to remove the assertion from the session, by using
     kn_remove_assertion(3).  On failure, -1 is returned, and keynote_errno is
     set to ERROR_NOTFOUND if the session was not found, ERROR_SYNTAX if the
     assertion was syntactically incorrect, or ERROR_MEMORY if necessary
     memory could not be allocated.

     kn_remove_assertion() removes the assertion identified by assertid from
     the session identified by sessid.	On success, this function returns 0.
     On failure, it returns -1 and sets keynote_errno to ERROR_NOTFOUND.

     kn_add_action() inserts the variable name in the action environment of
     session sessid, with the value value.  The same attribute may be added
     more than once, but only the last instance will be used (memory resources
     are consumed however).

     The flags specified are formed by or'ing the following values:

	   ENVIRONMENT_FLAG_FUNC   In this case, value is a pointer to a
				   function that takes as argument a string
				   and returns a string.  This is used to
				   implement callbacks for getting action
				   attribute values.  The argument passed to
				   such a callback function is a string
				   identifying the action attribute whose
				   value is requested, and should return a
				   pointer to string containing that value
				   (this pointer will not be freed by the
				   library), the empty string if the value was
				   not found, or a NULL to indicate an error
				   (and may set keynote_errno appropriately).
				   Prior to first use (currently, at the time
				   the attribute is added to the session
				   environment), such functions are called
				   with KEYNOTE_CALLBACK_INITIALIZE as the
				   argument (defined in keynote.h) so that
				   they can perform any special
				   initializations.  Furthermore, when the
				   session is deleted, all such functions will
				   be called with KEYNOTE_CALLBACK_CLEANUP to
				   perform any special cleanup (such as free
				   any allocated memory).  A function may be
				   called with either of these arguments more
				   than once, if it has been defined as the
				   callback function for more than one
				   attribute.

	   ENVIRONMENT_FLAG_REGEX  In this case, name is a regular expression
				   that may match more than one attribute.  In
				   case of conflict between a regular
				   expression and a ``simple'' attribute, the
				   latter will be given priority.  In case of
				   conflict between two regular expression
				   attributes, the one added later will be
				   given priority.  A callback function should
				   never change the current keynote session,
				   start/invoke/operate on another session, or
				   call one of the session-API functions.

     The combination of the two flags may be used to specify callback
     functions that handle large sets of attributes (even to the extent of
     having one callback function handling all attribute references).  This is
     particularly useful when the action attribute set is particularly large.

     On success, kn_add_action(3) returns 0. On failure, it returns -1 and
     sets keynote_errno to ERROR_NOTFOUND if the session was not found,
     ERROR_SYNTAX if the name was invalid (e.g., started with an underscore
     character) or was NULL, or ERROR_MEMORY if necessary memory could not be
     allocated.

     kn_remove_action() removes action attribute name from the environment of
     session sessid.  Notice that if more than one instances of name exist,
     only the one added last will be deleted.  On success, this function
     returns 0.	 On failure, it returns -1 and keynote_errno is set to
     ERROR_NOTFOUND if the session or the attribute were not found, or
     ERROR_SYNTAX if the name was invalid.  If the attribute value was a
     callback, that function will be called with the define
     KEYNOTE_CALLBACK_CLEANUP as the argument.

     kn_add_authorizer() adds the principal pointed to by principal to the
     action authorizers list of session sessid.	 The principal is typically an
     ASCII-encoded key.	 On success, this function will return 0.  On failure,
     it returns -1 and sets keynote_errno to ERROR_NOTFOUND if the session was
     not found, ERROR_SYNTAX if the encoding was invalid, or ERROR_MEMORY if
     necessary memory could not be allocated.

     kn_remove_authorizer() removes principal from the action authorizer list
     of session sessid.	 On success, this function returns 0.  On failure, it
     returns -1 and sets keynote_errno to ERROR_NOTFOUND if the session was
     not found.

     kn_do_query() evaluates the request based on the assertions, action
     attributes, and action authorizers added to session sessid.  returnvalues
     is an ordered array of strings that contain the return values.  The
     lowest-ordered return value is contained in returnvalues[0], and the
     highest-ordered value is returnvalues[numvalues - 1].  If returnvalues is
     NULL, the returnvalues from the previous call to kn_do_query(3) will be
     used.  The programmer SHOULD NOT free returnvalues after the call to
     kn_do_query(3) if this feature is used, as the array is not replicated
     internally.  On success, this function returns an index into the
     returnvalues array.  On failure, it returns -1 and sets keynote_errno to
     ERROR_NOTFOUND if the session was not found or the authorizers list was
     empty, ERROR_SYNTAX if no returnvalues have been specified, or
     ERROR_MEMORY if necessary memory could not be allocated.

     kn_get_failed() returns the assertion ID of the num'th assertion
     (starting from zero) in session sessid that was somehow invalid during
     evaluation.  This function is typically called after kn_do_query(3) is
     used to evaluate a request.  type specifies the type of failure the
     application is interested in.  It can be set to:

	   KEYNOTE_ERROR_ANY	    to indicate interest in any error.

	   KEYNOTE_ERROR_SYNTAX	    for syntactic or semantic errors.

	   KEYNOTE_ERROR_MEMORY	    for memory-related problems.

	   KEYNOTE_ERROR_SIGNATURE  if the assertion could not be
				    cryptographically verified.

     These values are defined in keynote.h.  An application can then delete
     the offending assertion using kn_remove_assertion(3).  For example, to
     remove all assertion whose signature failed, an application could do
     something like:

       while ((assertid = kn_get_failed(sessid, KEYNOTE_ERROR_SIGNATURE, 0)
	      != -1)
	 kn_remove_assertion(sessid, assertid);

     On success, kn_get_failed(3) returns an assertion ID.  On failure, or
     when no assertion matching the given criteria is found, it returns -1 and
     set keynote_errno to ERROR_NOTFOUND.

     kn_cleanup_action_environment() removes all action attributes from the
     action environment of session sessid.  It returns 0 on success.

     kn_close() closes session sessid and frees all related resources,
     deleting action attributes, action authorizers, and assertions.  On
     success, this function returns 0.	On failure, it returns -1 and sets
     keynote_errno to ERROR_NOTFOUND if the session was not found.

     kn_read_asserts() parses the string array of length arraylen and returns
     an array of pointers to strings containing copies of the assertions found
     in array.	Both the array of pointers and the strings are allocated by
     kn_read_asserts() dynamically, and thus should be freed by the programmer
     when they are no longer needed.  numassertions contains the number of
     assertions (and thus strings in the returned array) found in array.  On
     failure, this function returns NULL and sets keynote_errno to
     ERROR_MEMORY if necessary memory could not be allocated, or ERROR_SYNTAX
     if array was NULL.	 Note that if there were no assertions found in array,
     a valid pointer will be returned, but numassertions will contain the
     value zero on return.  The returned pointer should be freed by the
     programmer.

     kn_keycompare() compares key1 and key2 (which must be of the same
     algorithm) and returns 1 if equal and 0 otherwise.

     kn_get_authorizer() returns the authorizer key (in binary format) for
     assertion assertid in session sessid.  It also sets the algorithm
     argument to the algorithm of the authorizer key.  On failure,
     kn_get_authorizer() returns NULL, and sets keynote_errno to
     ERROR_NOTFOUND.

     kn_get_licensees() returns the licensee key(s) for assertion assertid in
     session sessid.  The keys are returned in a linked list of struct
     keynote_keylist structures.  On failure, kn_get_licensees() returns NULL.
     and sets keynote_errno to ERROR_NOTFOUND.

     kn_query() takes as arguments a list of action attributes in env, a list
     of return values in returnvalues (the number of returnvalues is indicated
     by numvalues), a number (numtrusted) of locally-trusted assertions in
     trusted (the length of each assertion is given by the respective element
     of trustedlen), a number (numuntrusted) of assertions that need to be
     cryptographically verified in untrusted (the length of each assertion is
     given by the respective element of untrustedlen), and a number
     (numauthorizers) of action authorizers in authorizers.  env is a linked
     list of struct environment structures.  The env_name, env_value, and
     env_flags fields correspond to the name, value, and flags arguments to
     kn_add_assertion(3) respectively.	env_regex is not used.	On success,
     this function returns an index in returnvalues indicating the returned
     value to the query.  On failure, it returns -1 and sets keynote_errno to
     the same values as kn_do_query(3), or to ERROR_MEMORY if a trusted or
     untrusted assertion could not be added to the session due to lack of
     memory resources.	Syntax errors in assertions will not be reported by
     kn_query().

     kn_encode_base64() converts the data of length srclen contained in src in
     Base64 encoding and stores them in dst which is of length dstlen.	The
     actual length of the encoding stored in dst is returned.  dst should be
     long enough to also contain the trailing string terminator.  If srclen is
     not a multiple of 4, or dst is not long enough to contain the encoded
     data, this function returns -1 and sets keynote_errno to ERROR_SYNTAX.

     kn_decode_base64() decodes the Base64-encoded data stored in src and
     stores the result in dst, which is of length dstlen.  The actual length
     of the decoded data is returned on success.  On failure, this function
     returns -1 and sets keynote_errno to ERROR_SYNTAX, denoting either an
     invalid Base64 encoding or insufficient space in dst.

     kn_encode_hex() encodes in ASCII-hexadecimal format the data of length
     srclen contained in src.  This function allocates a chunk of memory to
     store the result, which is returned in dst.  Thus, this function should
     be used as follows:

       char *dst;

       kn_encode_hex(src, &dst, srclen);

     The length of the allocated buffer will be (2 * srclen + 1).  On success,
     this function returns 0.  On failure, it returns -1 and sets
     keynote_errno to ERROR_MEMORY if it failed to allocate enough memory,
     ERROR_SYNTAX if dst was NULL.

     kn_decode_hex() decodes the ASCII hex-encoded string in src and stores
     the result in a memory chunk allocated by the function.  A pointer to
     that memory is stored in dst.  The length of the allocated memory will be
     (strlen(src) / 2).	 On success, this function returns 0.  On failure, it
     returns -1 and sets keynote_errno to ERROR_MEMORY if it could not
     allocate enough memory, or ERROR_SYNTAX if dst was NULL, or the length of
     src is not even.

     kn_encode_key() ASCII-encodes a cryptographic key.	 The binary
     representation of the key is contained in dc.  The field dec_key in that
     structure is a pointer to some cryptographic algorithm dependent
     information describing the key.  In this implementation, this pointer
     should be a DSA * or RSA * for DSA or RSA keys respectively, as used in
     the SSL library, or a keynote_binary * for cryptographic keys whose
     algorithm keynote does not know about but the application wishes to
     include in the action authorizers (and thus need to be canonicalized).
     The field dec_algorithm describes the cryptographic algorithm, and may be
     one of KEYNOTE_ALGORITHM_DSA, KEYNOTE_ALGORITHM_RSA, or
     KEYNOTE_ALGORITHM_BINARY in this implementation.

     iencoding describes how the key should be binary-encoded.	This
     implementation supports INTERNAL_ENC_PKCS1 for RSA keys,
     INTERNAL_ENC_ASN1 for DSA keys, and INTERNAL_ENC_NONE for BINARY keys.
     encoding describes what ASCII encoding should be applied to the key.
     Valid values are ENCODING_HEX and ENCODING_BASE64, for hexadecimal and
     Base64 encoding respectively.  keytype is one of KEYNOTE_PUBLIC_KEY or
     KEYNOTE_PRIVATE_KEY to indicate whether the key is public or private.
     Private keys have the string KEYNOTE_PRIVATE_KEY_PREFIX (defined in
     keynote.h) prefixed to the algorithm name.	 On success, this function
     returns a string containing the encoded key.  On failure, it returns NULL
     and sets keynote_errno to ERROR_NOTFOUND if the dc argument was invalid,
     ERROR_MEMORY if it failed to allocate the necessary memory, or
     ERROR_SYNTAX if the key to be converted was invalid.

     kn_decode_key() decodes the ASCII-encoded string contained in key.	 The
     result is placed in dc, with dec_algorithm describing the algorithm (see
     kn_encode_key(3)), and dec_key pointing to an algorithm-dependent
     structure.	 In this implementation, this is an SSLeay/OpenSSL-defined DSA
     * for DSA keys, RSA * for RSA and X509-based keys, and a keynote_binary *
     for BINARY keys.  keytype takes the values KEYNOTE_PUBLIC_KEY or
     KEYNOTE_PRIVATE_KEY to specify a public or private key, where applicable.
     On success, this function returns 0.  On failure, it returns -1 and sets
     keynote_errno to ERROR_MEMORY if necessary memory could not be allocated,
     or ERROR_SYNTAX if the key or the ASCII encoding was malformed.

     kn_sign_assertion() produces the cryptographic signature for the
     assertion of length len stored in assertion, using the ASCII-encoded
     cryptographic key contained in key.  The type of signature to be produced
     is described by the string algorithm.  Possible values for this string
     are SIG_RSA_SHA1_PKCS1_HEX, SIG_RSA_SHA1_PKCS1_BASE64, SIG_RSA_MD5_HEX
     and SIG_RSA_MD5_HEX for RSA keys, SIG_DSA_SHA1_HEX and
     SIG_DSA_SHA1_BASE64 for DSA keys, SIG_X509_SHA1_HEX and
     SIG_X509_SHA1_BASE64 for X509-based keys.	No other cryptographic
     signatures are currently supported by this implementation.	 If vflag is
     set to 1, then the generated signature will also be verified.  On
     success, this function returns a string containing the ASCII-encoded
     signature, without modifying the assertion.  On failure, it returns NULL
     and sets keynote_errno to ERROR_NOTFOUND if one of the arguments was
     NULL, ERROR_MEMORY if necessary memory could not be allocated, or
     ERROR_SYNTAX if the algorithm, the key, or the assertion (if signature
     verification was requested) was invalid.

     kn_verify_assertion() verifies the cryptographic signature on the
     assertion of length len contained in string assertion.  On success, this
     function returns SIGRESULT_TRUE if the signature could be verified, or
     SIGRESULT_FALSE otherwise.	 On failure, this function returns -1 and sets
     keynote_errno to ERROR_MEMORY if necessary memory could not be allocated,
     or ERROR_SYNTAX if the assertion contained a syntactic error, or the
     cryptographic algorithm was not supported.

     kn_free_key() frees a cryptographic key.

     kn_get_string() parses the argument, treating it as a keynote(4) (quoted)
     string.  This is useful for parsing key files.  On success, this function
     returns a pointer to the parsing result.  The result is dynamically
     allocated and should be freed after use.  On failure, NULL is returned.

FILES
     keynote.h
     libkeynote.a

DIAGNOSTICS
     The return values of all the functions have been given along with the
     function description above.

SEE ALSO
     keynote(1), keynote(4), keynote(5)

     M. Blaze, J. Feigenbaum, and A. D. Keromytis, The KeyNote
     Trust-Management System, Version 2, RFC 2704, 1999.

     M. Blaze, J. Feigenbaum, and J. Lacy, "Decentralized Trust Management",
     IEEE Symposium on Security and Privacy, 1996.

     M. Blaze, J. Feigenbaum, and M. Strauss, "Compliance-Checking in the
     PolicyMaker Trust Management System", Financial Crypto Conference, 1998.

AUTHORS
     Angelos D. Keromytis <angelos@cs.columbia.edu>

WEB PAGE
     http://www1.cs.columbia.edu/~angelos/keynote.html

BUGS
     None that we know of.  If you find any, please report them to
	   <keynote@research.att.com>

OpenBSD 4.9		       December 22, 2010		   OpenBSD 4.9
[top]

List of man pages available for OpenBSD

Copyright (c) for man pages and the logo by the respective OS vendor.

For those who want to learn more, the polarhome community provides shell access and support.

[legal] [privacy] [GNU] [policy] [cookies] [netiquette] [sponsors] [FAQ]
Tweet
Polarhome, production since 1999.
Member of Polarhome portal.
Based on Fawad Halim's script.
....................................................................
Vote for polarhome
Free Shell Accounts :: the biggest list on the net