Akenti Policy Engine C API
#include <AkEngInf.h>
#include <cap.h>
/**
 * Initialise the Akenti policy engine from a configuration file.
 *
 * confFile  (in)  Name of an Akenti configuration file.
 * status    (out) Receives a pointer to a status message.
 *
 * Returns 0 if successful.
 *
 * NOTE(review): a non-zero return presumably means the engine is not
 * initialised, so callers should check it and not go on to the checkAccess*
 * calls -- confirm against AkEngInf.h.
 * NOTE(review): who owns the string stored in *status, and whether *status is
 * always set (including on failure), is not stated here; initialise the
 * pointer to NULL and test it before printing -- confirm.
 */
int akentiInit(const char *confFile, char**status);
where:
confFile | in | Name of an Akenti configuration file |
status | out | Contains a status message |
returnValue | 0 | if successful |
#include <AkEngInf.h>
#include <cap.h>
/**
 * Request a capability certificate for a subject identified by name.
 *
 * subjectDN  (in)  Distinguished Name of the user requesting access.
 * subjectCA  (in)  DN of the CA that issued the subjectDN.
 * resource   (in)  Name of the resource as requested by the user.
 * cert       (out) Capability certificate containing the resource, the
 *                  user's DN, the user's rights, and possibly conditions on
 *                  those rights.
 * mesg       (out) Numeric code and message.
 *
 * Returns 0 if a capability certificate was generated or was found in the
 * cache. A 0 return says a certificate exists, not that a given action is
 * allowed: the caller still has to look at the granted actions and at any
 * conditional actions in cert before permitting an operation.
 *
 * NOTE(review): this variant receives only names, so the caller presumably
 * must already have authenticated the subject (for example by verifying the
 * user's certificate) before passing its DN here -- confirm.
 * NOTE(review): non-zero return values are not listed here; treat them as
 * "no certificate issued" and read mesg -- confirm against AkEngInf.h.
 */
int checkAccess(const char *subjectDN,
const char *subjectCA,
const char *resource,
CapCert* cert,
AKMessage* mesg);
/**
 * Same request, with the subject given as a certificate file.
 *
 * subjectCertFile  (in)  PEM encoded user's X.509 certificate file.
 * resource         (in)  Name of the resource as requested by the user.
 * cert             (out) Capability certificate (see checkAccess).
 * mesg             (out) Numeric code and message.
 *
 * Returns 0 if a capability certificate was generated or was found in the
 * cache.
 *
 * NOTE(review): an X.509 certificate is public data; holding the file does
 * not show that the requester controls the matching private key. Whether the
 * engine validates the certificate chain is not stated here -- confirm, and
 * authenticate the requester separately.
 */
int checkAccessByCertFile(const char *subjectCertFile,
const char *resource,
CapCert* cert,
AKMessage* mesg);
/**
 * Same request, with the subject given as an in-memory certificate.
 *
 * subjectCert  (in)  PEM encoded X.509 user certificate.
 * resource     (in)  Name of the resource as requested by the user.
 * cert         (out) Capability certificate (see checkAccess).
 * mesg         (out) Numeric code and message.
 *
 * Returns 0 if a capability certificate was generated or was found in the
 * cache.
 *
 * NOTE(review): presumably subjectCert is a NUL-terminated string, since no
 * length is passed -- confirm. The authentication caveat on
 * checkAccessByCertFile applies here as well.
 */
int checkAccessByCertString(const char *subjectCert,
const char *resource,
CapCert* cert,
AKMessage* mesg);
where:
subjectDN | in | Distinguished Name of the user requesting access |
subjectCA | in | DN of the CA that issued the subjectDN |
subjectCertFile | in | PEM encoded user's X.509 certificate file |
subjectCert | in | PEM encoded X.509 user certificate |
resource | in | Name of resource as requested by the user |
cert | out | Capability certificate containing the resource, the user's DN, his rights, and possibly conditions on those rights. |
mesg | out | Contains a numeric code and a message |
returnValue | 0 | if a capability certificate was generated or was found in the cache |
Methods for examining CapCert and AKMessage
The CapCert is a certificate signed with the Akenti credentials that contains the name of the resource, validity dates, the name of the user, and a list of actions, which may have action conditions attached to them. See Capability Certificate. There is a complete set of methods in cap.h to look at each of the pieces of the capability certificate.
AKMessage is a structure containing a numeric error code and a description of the error. Methods to extract the pieces are also in cap.h.
/**
* Program to check a user's access to a specified resource
* Usage: EngInfTest <UserCertificate> <Resource> <config-file>
* prints out unconditional and conditional actions
*/
#include <stdio.h>
#include "AkEngInf.h"
#include "cap.h"
int main (int argc, char *argv[]) {
char *status = NULL;
FILE *cert;
char certS[5000];
char *rs;
AKMessage repStatus = NULL;
CapCert cap = NULL;
CondActions cAct;
int i,j;
if (argc < 4 ) {
printf ("Usage is EngInfTest UserCertificate Resource config-file \n");
exit (-1);
}
akentiInit(argv[3],&status);
printf ("%s\n",status);
if (checkAccessByCertFile(argv[1], argv[2], &cap,&repStatus) == 0 ) {
printf ("Status: %d %s\n",AKMsg_getCode(repStatus),AKMsg_getDescription(repStatus));
printf ("Actions granted are: ");
for (i=0; i < CapCert_numOfGrantedActions(cap); i++){
printf ("%s ", CapCert_grantedActionAt(cap,i));
}
printf ("\n\n");
for (i=0;i < CapCert_numOfCondActions(cap); i++){
printf ("Conditional actions are: \n");
cAct = CapCert_condActionsAt(cap,i);
if (CondAct_isCritical(cAct)) {
printf ("Critical constraint is %s \n",CondAct_getConstraint(cAct));
} else {
printf ("Non-critical constraint is %s ", CondAct_getConstraint(cAct));
}
printf ("Actions granted are: ");
for (j = 0; j < CondAct_numOfActions(cAct); j++) {
printf ("%s ", CondAct_actionAt(cAct,j));
}
printf ("\n");
}
} else {
printf("Call failed: %d %s\n",AKMsg_getCode(repStatus),AKMsg_getDescription (repStatus));
}
CapCert_free(cap);
AKMsg_free(repStatus);
exit (0);