Akenti Policy Engine C API

C library interface

There are three functions available for checking a user's access to a resource. Each returns a capability certificate on success. Functions are provided to extract the relevant information from this capability. The Akenti library must be initialized from an Akenti configuration file before the first checkAccess call.

#include <AkEngInf.h>
#include <cap.h>

int akentiInit(const char *confFile, char**status);

where:
  confFile      in    Name of an Akenti configuration file
  status        out   Contains a status message
  returnValue         0 if successful


#include <AkEngInf.h>
#include <cap.h>

int checkAccess(const char *subjectDN,
                const char *subjectCA,
                const char *resource,
                CapCert* cert,
                AKMessage* mesg);

int checkAccessByCertFile(const char *subjectCertFile,
                          const char *resource,
                          CapCert* cert,
                          AKMessage* mesg);

int checkAccessByCertString(const char *subjectCert,
                            const char *resource,
                            CapCert* cert,
                            AKMessage* mesg);


where:
  subjectDN        in    Distinguished Name of the user requesting access
  subjectCA        in    DN of the CA that issued the subjectDN
  subjectCertFile  in    PEM encoded X.509 certificate file of the user
  subjectCert      in    PEM encoded X.509 user certificate
  resource         in    Name of the resource as requested by the user
  cert             out   Capability certificate containing the resource, the user's DN, the user's rights, and possibly conditions on those rights
  mesg             out   Contains a numeric code and a message
  returnValue            0 if a capability certificate was generated or was found in the cache; any other value means no capability was issued

Methods for examining CapCert and AKMessage

The CapCert is a certificate signed with the Akenti credentials that contains the name of the resource, its validity dates, the name of the user, and a list of actions, each of which may have conditions attached to it (see Capability Certificate). cap.h provides a complete set of methods for examining each piece of the capability certificate.

AKMessage is a structure containing a numeric error code and a description of the error. Methods to extract these pieces are also in cap.h.

Example C program to check access


/**
  * Program to check a user's access to a specified resource
  *   Usage: EngInfTest <UserCertificate> <Resource> <config-file>
  *        prints out unconditional and conditional actions
  */
#include <stdio.h>
#include <stdlib.h>      /* exit() */
#include "AkEngInf.h"
#include "cap.h"

int main (int argc, char *argv[]) {

  char *status = NULL;
  AKMessage repStatus = NULL;
  CapCert cap = NULL;
  CondActions cAct;
  int i,j;

  if (argc < 4 ) {
    printf ("Usage is EngInfTest UserCertificate Resource config-file \n");
    exit (-1);
  }

  /* The library must be initialized from the configuration file before the
   * first checkAccess call; a non-zero return means it cannot be used. */
  if (akentiInit(argv[3],&status) != 0) {
    printf ("Initialization failed: %s\n", status ? status : "(no status)");
    exit (-1);
  }
  printf ("%s\n", status ? status : "");

  /* 0 means a capability certificate was generated or found in the cache;
   * any other value means no capability was issued, i.e. access denied. */
  if (checkAccessByCertFile(argv[1], argv[2], &cap,&repStatus) == 0 ) {
     printf ("Status: %d  %s\n",AKMsg_getCode(repStatus),AKMsg_getDescription(repStatus));
     printf ("Actions granted are: ");

     /* Unconditional actions */
     for (i=0; i < CapCert_numOfGrantedActions(cap); i++){
        printf ("%s ", CapCert_grantedActionAt(cap,i));
     }

     printf ("\n\n");

     /* Actions that are only granted while their constraint holds */
     for (i=0;i < CapCert_numOfCondActions(cap); i++){
        printf ("Conditional actions are: \n");
        cAct = CapCert_condActionsAt(cap,i);
        if (CondAct_isCritical(cAct)) {
           printf ("Critical constraint is %s \n",CondAct_getConstraint(cAct));
        } else {
           printf ("Non-critical constraint is %s ", CondAct_getConstraint(cAct));
        }
        printf ("Actions granted are: ");
        for (j = 0; j < CondAct_numOfActions(cAct); j++) {
           printf ("%s ", CondAct_actionAt(cAct,j));
        }
        printf ("\n");
     }
  } else {
    printf("Call failed: %d %s\n",AKMsg_getCode(repStatus),AKMsg_getDescription (repStatus));
  }

  /* Release the capability and message objects returned by the library */
  if (cap != NULL) CapCert_free(cap);
  if (repStatus != NULL) AKMsg_free(repStatus);
  exit (0);
}

Last modified: Mon Dec 9 15:36:24 PST 2002