keynote(3) OpenBSD Programmer's Manual keynote(3)
keynote - a trust-management system library
struct environment *env_next;
struct keynote_keylist *key_next;
kn_add_assertion(int sessid, char *assertion, int len, int flags);
kn_remove_assertion(int sessid, int assertid);
kn_add_action(int sessid, char *name, char *value, int flags);
kn_remove_action(int sessid, char *name);
kn_add_authorizer(int sessid, char *principal);
kn_remove_authorizer(int sessid, char *principal);
kn_do_query(int sessid, char **returnvalues, int numvalues);
kn_get_failed(int sessid, int type, int seq);
kn_query(struct environment *env, char **returnvalues, int numvalues,
char **trusted, int *trustedlen, int numtrusted,
char **untrusted, int *untrustedlen, int numuntrusted,
char **authorizers, int numauthauthorizers);
kn_read_asserts(char *array, int arraylen, int *numassertions);
kn_keycompare(void *key1, void *key2, int algorithm);
kn_get_authorizer(int sessid, int assertid, int *algorithm);
struct keynote_keylist *
kn_get_licensees(int sessid, int assertid);
kn_encode_base64(unsigned char const *src, unsigned int srclen,
char *dst, unsigned int dstlen);
kn_decode_base64(char const *src, unsigned char *dst,
unsigned int dstlen);
kn_encode_hex(unsigned char *src, char **dst, int srclen);
kn_decode_hex(char *src, char **dst);
kn_encode_key(struct keynote_deckey *dc, int iencoding, int encoding,
kn_decode_key(struct keynote_deckey *dc, char *key, int keytype);
kn_sign_assertion(char *assertion, int len, char *key, char *algorithm,
kn_verify_assertion(char *assertion, int len);
Link options: -lkeynote -lm -lcrypto
For more details on KeyNote, see RFC 2704.
keynote_errno contains an error code if some library call failed. Failed
calls return -1 (if their return value is integer), or NULL (if their re-
turn value is a pointer) and set keynote_errno. The defined error codes
ERROR_MEMORY Some memory allocation or usage error was encoun-
ERROR_SYNTAX Some syntactic or logical error was encountered.
ERROR_NOTFOUND One of the arguments referred to a nonexistent
structure or entry.
If no errors were encountered, keynote_errno will be set to 0. This vari-
able should be reset to 0 if an error was encountered, prior to calling
other library routines.
The main interface to KeyNote is centered around the concept of a ses-
sion. A session describes a collection of policies, assertions, action
authorizers, return values, and action attributes that the KeyNote system
uses to evaluate a query. Information is not shared between sessions.
Policies, credentials, action authorizers, and action attributes can be
added or deleted at any point during the lifetime of a session. Further-
more, an application can discover which assertions failed to be evaluat-
ed, and in what way, during a query.
For those applications that only need to do a simple query, there exists
a single call that takes as arguments all the necessary information and
performs all the necessary steps. This is essentially a wrapper that
calls the session API functions as necessary.
Finally, there exist functions for doing ASCII to hexadecimal and Base64
encoding (and vice versa), for encoding/decoding keys between ASCII and
binary formats, and for signing and verifying assertions.
The description of all KeyNote library functions follows.
kn_init() creates a new KeyNote session, and performs any necessary ini-
tializations. On success, this function returns the new session ID, which
is used by all subsequent calls with a sessid argument. On failure, it
returns -1 and sets keynote_errno to ERROR_MEMORY.
kn_add_assertion() adds the assertion pointed to by the array assertion,
of length len in the session identified by sessid. The first argument can
be discarded after the call to this function. The following flags are
ASSERT_FLAG_LOCAL Mark this assertion as ultimately trusted.
Trusted assertions need not be signed, and the
Authorizer and Licensees fields can have non-key
At least one (trusted) assertion should have POLICY as the Authorizer. On
success, this function will return an assertion ID which can be used to
remove the assertion from the session, by using kn_remove_assertion(3).
On failure, -1 is returned, and keynote_errno is set to ERROR_NOTFOUND if
the session was not found, ERROR_SYNTAX if the assertion was syntactical-
ly incorrect, or ERROR_MEMORY if necessary memory could not be allocated.
kn_remove_assertion() removes the assertion identified by assertid from
the session identified by sessid. On success, this function returns 0. On
failure, it returns -1 and sets keynote_errno to ERROR_NOTFOUND.
kn_add_action() inserts the variable name in the action environment of
session sessid, with the value value. The same attribute may be added
more than once, but only the last instance will be used (memory resources
are consumed however).
The flags specified are formed by or'ing the following values:
ENVIRONMENT_FLAG_FUNC In this case, value is a pointer to a func-
tion that takes as argument a string and
returns a string. This is used to implement
callbacks for getting action attribute val-
ues. The argument passed to such a callback
function is a string identifying the action
attribute whose value is requested, and
should return a pointer to string contain-
ing that value (this pointer will not be
freed by the library), the empty string if
the value was not found, or a NULL to indi-
cate an error (and may set keynote_errno
appropriately). Prior to first use (cur-
rently, at the time the attribute is added
to the session environment), such functions
are called with KEYNOTE_CALLBACK_INITIALIZE
as the argument (defined in keynote.h) so
that they can perform any special initial-
izations. Furthermore, when the session is
deleted, all such functions will be called
with KEYNOTE_CALLBACK_CLEANUP to perform
any special cleanup (such as free any allo-
cated memory). A function may be called
with either of these arguments more than
once, if it has been defined as the call-
back function for more than one attribute.
ENVIRONMENT_FLAG_REGEX In this case, name is a regular expression
that may match more than one attribute. In
case of conflict between a regular expres-
sion and a ``simple'' attribute, the latter
will be given priority. In case of conflict
between two regular expression attributes,
the one added later will be given priority.
A callback function should never change the
current KeyNote session, start/invoke/oper-
ate on another session, or call one of the
The combination of the two flags may be used to specify callback func-
tions that handle large sets of attributes (even to the extent of having
one callback function handling all attribute references). This is partic-
ularly useful when the action attribute set is particularly large.
On success, keynote_add_action(3) returns 0. On failure, it returns -1
and sets keynote_errno to ERROR_NOTFOUND if the session was not found,
ERROR_SYNTAX if the name was invalid (e.g., started with an underscore
character) or was NULL, or ERROR_MEMORY if necessary memory could not be
kn_remove_action() removes action attribute name from the environment of
session sessid. Notice that if more than one instances of name exist, on-
ly the one added last will be deleted. On success, this function returns
0. On failure, it returns -1 and keynote_errno is set to ERROR_NOTFOUND
if the session or the attribute were not found, or ERROR_SYNTAX if the
name was invalid. If the attribute value was a callback, that function
will be called with the define KEYNOTE_CALLBACK_CLEANUP as the argument.
kn_add_authorizer() adds the principal pointed to by principal to the ac-
tion authorizers list of session sessid. The principal is typically an
ASCII-encoded key. On success, this function will return 0. On failure,
it returns -1 and sets keynote_errno to ERROR_NOTFOUND if the session was
not found, ERROR_SYNTAX if the encoding was invalid, or ERROR_MEMORY if
necessary memory could not be allocated.
kn_remove_authorizer() removes principal from the action authorizer list
of session sessid. On success, this function returns 0. On failure, it
returns -1 and sets keynote_errno to ERROR_NOTFOUND if the session was
kn_do_query() evaluates the request based on the assertions, action at-
tributes, and action authorizers added to session sessid. returnvalues is
an ordered array of strings that contain the return values. The lowest-
ordered return value is contained in returnvalues, and the highest-or-
dered value is returnvalues[numvalues - 1]. If returnvalues is NULL, the
returnvalues from the previous call to kn_do_query(3) will be used. The
programmer SHOULD NOT free returnvalues after the call to kn_do_query(3)
if this feature is used, as the array is not replicated internally. On
success, this function returns an index into the returnvalues array. On
failure, it returns -1 and sets keynote_errno to ERROR_NOTFOUND if the
session was not found or the authorizers list was empty, ERROR_SYNTAX if
no returnvalues have been specified, or ERROR_MEMORY if necessary memory
could not be allocated.
kn_get_failed() returns the assertion ID of the num'th assertion (start-
ing from zero) in session sessid that was somehow invalid during evalua-
tion. This function is typically called after kn_do_query(3) is used to
evaluate a request. type specifies the type of failure the application
is interested in. It can be set to:
KEYNOTE_ERROR_ANY to indicate interest in any error.
KEYNOTE_ERROR_SYNTAX for syntactic or semantic errors.
KEYNOTE_ERROR_MEMORY for memory-related problems.
KEYNOTE_ERROR_SIGNATURE if the assertion could not be cryptograph-
These values are defined in keynote.h. An application can then delete the
offending assertion using kn_remove_assertion(3). For example, to remove
all assertion whose signature failed, an application could do something
while ((assertid = kn_get_failed(sessid, KEYNOTE_ERROR_SIGNATURE, 0)
On success, kn_get_failed(3) returns an assertion ID. On failure, or when
no assertion matching the given criteria is found, it returns -1 and set
keynote_errno to ERROR_NOTFOUND.
kn_cleanup_action_environment() removes all action attributes from the
action environment of session sessid. It returns 0 on success.
kn_close() closes session sessid and frees all related resources, delet-
ing action attributes, action authorizers, and assertions. On success,
this function returns 0. On failure, it returns -1 and sets keynote_errno
to ERROR_NOTFOUND if the session was not found.
kn_read_asserts() parses the string array of length arraylen and returns
an array of strings containing the assertions found in array.
numassertions contains the number of assertions (and thus strings in the
returned array) found in array. On failure, this function returns -1 and
sets keynote_errno to ERROR_MEMORY if necessary memory could not be allo-
cated, or ERROR_SYNTAX if array was NULL.
kn_keycompare() compares key1 and key2 (which must be of the same
algorithm) and returns 1 if equal and 0 otherwise.
kn_get_authorizer() returns the authorizer key (in binary format) for as-
sertion assertid in session sessid. It also sets the algorithm argument
to the algorithm of the authorizer key. On failure, kn_get_authorizer()
returns and sets keynote_errno to ERROR_NOTFOUND.
kn_get_licensees() returns the licensee key(s) for assertion assertid in
session sessid. The keys are returned in a linked list of struct
keynote_keylist structures. On failure, kn_get_licensees() returns and
sets keynote_errno to ERROR_NOTFOUND.
kn_query() takes as arguments a list of action attributes in env, a list
of return values in returnvalues (the number of returnvalues in indicated
by numvalues ), a number ( numtrusted) of locally-trusted assertions in
trusted (the length of each assertion is given by the respective element
of trustedlen ), a number ( numuntrusted) of assertions that need to be
cryptographically verified in untrusted (the length of each assertion is
given by the respective element of untrustedlen ), and a number (
numauthorizers) of action authorizers in authorizers. env is a linked
list of struct environment structures. The env_name, env_value, and
env_flags fields correspond to the name, value, and flags arguments to
kn_add_assertion(3) respectively. env_regex is not used. On success,
this function returns an index in returnvalues indicating the returned
value to the query. On failure, it returns -1 and sets keynote_errno to
the same values as kn_do_query(3), or to ERROR_MEMORY if a trusted or
untrusted assertion could not be added to the session due to lack of mem-
ory resources. Syntax errors in assertions will not be reported by
kn_encode_base64() converts the data of length srclen contained in src in
Base64 encoding and stores them in dst which is of length dstlen. The ac-
tual length of the encoding stored in dst is returned. dst should be
long enough to also contain the dst0 string terminator. If srclen is not
a multiple of 4, or dst is not long enough to contain the encoded data,
this function returns -1 and sets keynote_errno to ERROR_SYNTAX.
kn_decode_base64() decodes the Base64-encoded data stored in src and
stores the result in dst, which is of length dstlen. The actual length of
the decoded data is returned on success. On failure, this function re-
turns -1 and sets keynote_errno to ERROR_SYNTAX, denoting either an in-
valid Base64 encoding or insufficient space in dst.
kn_encode_hex() encodes in ASCII-hexadecimal format the data of length
srclen contained in src. This function allocates a chunk of memory to
store the result, which is returned in dst. Thus, this function should be
used as follows:
kn_encode_hex(src, &dst, srclen);
The length of the allocated buffer will be (2 * srclen + 1). On success,
this function returns 0. On failure, it returns -1 and sets keynote_errno
to ERROR_MEMORY if it failed to allocate enough memory, ERROR_SYNTAX if
dst was NULL.
kn_decode_hex() decodes the ASCII hex-encoded string in src and stores
the result in a memory chunk allocated by the function. A pointer to that
memory is stored in dst. The length of the allocated memory will be
(strlen(src) / 2). On success, this function returns 0. On failure, it
returns -1 and sets keynote_errno to ERROR_MEMORY if it could not allo-
cate enough memory, or ERROR_SYNTAX if dst was NULL, or the length of src
is not even.
kn_encode_key() ASCII-encodes a cryptographic key. The binary representa-
tion of the key is contained in dc. The field dec_key in that structure
is a pointer to some cryptographic algorithm dependent information de-
scribing the key. In this implementation, this pointer should be a DSA *
or RSA * for DSA or RSA keys respectively, as used in the SSL library, or
a keynote_binary * for cryptographic keys whose algorithm KeyNote does
not know about but the application wishes to include in the action autho-
rizers (and thus need to be canonicalized). The field dec_algorithm de-
scribes the cryptographic algorithm, and may be one of
KEYNOTE_ALGORITHM_DSA, KEYNOTE_ALGORITHM_RSA, or KEYNOTE_ALGORITHM_BINARY
in this implementation.
iencoding describes how the key should be binary-encoded. This implemen-
tation supports for RSA keys, INTERNAL_ENC_ASN1 for DSA keys, and
INTERNAL_ENC_NONE for BINARY keys. encoding describes what ASCII encod-
ing should be applied to the key. Valid values are ENCODING_HEX and
ENCODING_BASE64, for hexadecimal and Base64 encoding respectively.
keytype is one of KEYNOTE_PUBLIC_KEY or KEYNOTE_PRIVATE_KEY to indicate
whether the key is public or private. Private keys have the string
KEYNOTE_PRIVATE_KEY_PREFIX (defined in keynote.h) prefixed to the algo-
rithm name. On success, this function returns a string containing the en-
coded key. On failure, it returns NULL and sets keynote_errno to
ERROR_NOTFOUND if the dc argument was invalid, ERROR_MEMORY if it failed
to allocate the necessary memory, or ERROR_SYNTAX if the key to be con-
verted was invalid.
kn_decode_key() decodes the ASCII-encoded string contained in key. The
result is placed in dc, with dec_algorithm describing the algorithm (see
kn_encode_key(3)), and dec_key pointing to an algorithm-dependent struc-
ture. In this implementation, this is an SSLeay/OpenSSL-defined DSA * for
DSA keys, RSA * for RSA and X509-based keys, and a keynote_binary * for
BINARY keys. keytype takes the values KEYNOTE_PUBLIC_KEY or
KEYNOTE_PRIVATE_KEY to specify a public or private key, where applicable.
On success, this function returns 0. On failure, it returns -1 and sets
keynote_errno to ERROR_MEMORY if necessary memory could not be allocated,
or ERROR_SYNTAX if the key or the ASCII encoding was malformed.
kn_sign_assertion() produces the cryptographic signature for the asser-
tion of length len stored in assertion, using the ASCII-encoded crypto-
graphic key contained in key. The type of signature to be produced is de-
scribed by the string algorithm. Possible values for this string are
SIG_RSA_SHA1_HEX SIG_RSA_SHA1_BASE64, SIG_RSA_MD5_HEX, and
SIG_RSA_MD5_HEX for RSA keys, SIG_DSA_SHA1_HEX and SIG_DSA_SHA1_BASE64
for DSA keys, SIG_X509_SHA1_HEX, and SIG_X509_SHA1_BASE64 for X509-based
keys. No other cryptographic signatures are currently supported by this
implementation. If vflag is set to 1, then the generated signature will
also be verified. On success, this function returns a string containing
the ASCII-encoded signature, without modifying the assertion. On failure,
it returns NULL and sets keynote_errno to ERROR_NOTFOUND if one of the
arguments was NULL, ERROR_MEMORY if necessary memory could not be allo-
cated, or ERROR_SYNTAX if the algorithm, the key, or the assertion (if
signature verification was requested) was invalid.
kn_verify_assertion() verifies the cryptographic signature on the asser-
tion of length len contained in string assertion. On success, this func-
tion returns SIGRESULT_TRUE if the signature could be verified, or
SIGRESULT_FALSE otherwise. On failure, this function returns -1 and sets
keynote_errno to ERROR_MEMORY if necessary memory could not be allocated,
or ERROR_SYNTAX if the assertion contained a syntactic error, or the
cryptographic algorithm was not supported.
keynote(1), keynote(4), keynote(5)
``The KeyNote Trust-Management System, Version 2''
M. Blaze, J. Feigenbaum, A. D. Keromytis, Internet Drafts, RFC
``Decentralized Trust Management''
M. Blaze, J. Feigenbaum, J. Lacy, 1996 IEEE Conference on Priva-
cy and Security
``Compliance-Checking in the PolicyMaker Trust Management System''
M. Blaze, J. Feigenbaum, M. Strauss, 1998 Financial Crypto Con-
Angelos D. Keromytis (email@example.com)
The return values of all the functions have been given along with the
function description above.
None that we know of. If you find any, please report them at
OpenBSD 2.6 April 29, 1999 8
Source: OpenBSD 2.6 man pages. Copyright: Portions are copyrighted by BERKELEY
SOFTWARE DESIGN, INC., The Regents of the University of California, Massachusetts
Institute of Technology, Free Software Foundation, FreeBSD Inc., and others.