Annotation of embedaddon/strongswan/src/libstrongswan/credentials/credential_manager.h, revision 1.1
1.1 ! misho 1: /*
! 2: * Copyright (C) 2015 Tobias Brunner
! 3: * Copyright (C) 2007-2009 Martin Willi
! 4: * HSR Hochschule fuer Technik Rapperswil
! 5: *
! 6: * This program is free software; you can redistribute it and/or modify it
! 7: * under the terms of the GNU General Public License as published by the
! 8: * Free Software Foundation; either version 2 of the License, or (at your
! 9: * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
! 10: *
! 11: * This program is distributed in the hope that it will be useful, but
! 12: * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
! 13: * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
! 14: * for more details.
! 15: */
! 16:
! 17: /**
! 18: * @defgroup credential_manager credential_manager
! 19: * @{ @ingroup credentials
! 20: */
! 21:
! 22: #ifndef CREDENTIAL_MANAGER_H_
! 23: #define CREDENTIAL_MANAGER_H_
! 24:
! 25: typedef struct credential_manager_t credential_manager_t;
! 26: typedef enum credential_hook_type_t credential_hook_type_t;
! 27:
! 28: #include <utils/identification.h>
! 29: #include <collections/enumerator.h>
! 30: #include <credentials/auth_cfg.h>
! 31: #include <credentials/credential_set.h>
! 32: #include <credentials/keys/private_key.h>
! 33: #include <credentials/keys/shared_key.h>
! 34: #include <credentials/certificates/certificate.h>
! 35: #include <credentials/cert_validator.h>
! 36:
! 37: /**
! 38: * Type of a credential hook error/event.
! 39: */
! 40: enum credential_hook_type_t {
! 41: /** The certificate has expired (or is not yet valid) */
! 42: CRED_HOOK_EXPIRED,
! 43: /** The certificate has been revoked */
! 44: CRED_HOOK_REVOKED,
! 45: /** Checking certificate revocation failed. This does not necessarily mean
! 46: * the certificate is rejected, just that revocation checking failed. */
! 47: CRED_HOOK_VALIDATION_FAILED,
! 48: /** No trusted issuer certificate has been found for this certificate */
! 49: CRED_HOOK_NO_ISSUER,
! 50: /** Encountered a self-signed (root) certificate, but it is not trusted */
! 51: CRED_HOOK_UNTRUSTED_ROOT,
! 52: /** Maximum trust chain length exceeded for certificate */
! 53: CRED_HOOK_EXCEEDED_PATH_LEN,
! 54: /** The certificate violates some other kind of policy and gets rejected */
! 55: CRED_HOOK_POLICY_VIOLATION,
! 56: };
! 57:
! 58: /**
! 59: * Hook function to invoke on certificate validation errors.
! 60: *
! 61: * @param data user data supplied during hook registration
! 62: * @param type type of validation error/event
! 63: * @param cert associated certificate
! 64: */
! 65: typedef void (*credential_hook_t)(void *data, credential_hook_type_t type,
! 66: certificate_t *cert);
! 67:
! 68: /**
! 69: * Manages credentials using credential_sets.
! 70: *
! 71: * The credential manager is the entry point of the credential framework. It
! 72: * uses so called "sets" to access credentials in a modular fashion. These
! 73: * are implemented through the credential_set_t interface.
! 74: * The manager additionally does trust chain verification and trust status
! 75: * caching. A set may call the managers methods if it needs credentials itself.
! 76: * The manager uses recursive locking.
! 77: *
! 78: * @verbatim
! 79:
! 80: +-------+ +----------------+
! 81: | A | | | +------------------+
! 82: | u | -----> | | ------> | +------------------+
! 83: | t | | credential- | | | +------------------+
! 84: | h | -----> | manager | ------> +--| | credential- | => IPC
! 85: | e | | | +--| sets |
! 86: | n | +--> | | ------> +------------------+
! 87: | t | | | | |
! 88: | i | | | | |
! 89: | c | | +----------------+ |
! 90: | a | | |
! 91: | t | +----------------------------------------------+
! 92: | o | may be recursive
! 93: | r |
! 94: +-------+
! 95:
! 96: @endverbatim
! 97: *
! 98: * The credential manager uses rwlocks for performance reasons. Credential
! 99: * sets must be fully thread-safe.
! 100: */
! 101: struct credential_manager_t {
! 102:
! 103: /**
! 104: * Create an enumerator over all certificates.
! 105: *
! 106: * @param cert kind of certificate
! 107: * @param key kind of key in certificate
! 108: * @param id subject this certificate belongs to
! 109: * @param trusted TRUE to list trusted certificates only
! 110: * @return enumerator over the certificates
! 111: */
! 112: enumerator_t *(*create_cert_enumerator)(credential_manager_t *this,
! 113: certificate_type_t cert, key_type_t key,
! 114: identification_t *id, bool trusted);
! 115: /**
! 116: * Create an enumerator over all shared keys.
! 117: *
! 118: * The enumerator enumerates over:
! 119: * shared_key_t*, id_match_t me, id_match_t other
! 120: * But must accept values for the id_matches.
! 121: *
! 122: * @param type kind of requested shared key
! 123: * @param first first subject between key is shared
! 124: * @param second second subject between key is shared
! 125: * @return enumerator over (shared_key_t*,id_match_t,id_match_t)
! 126: */
! 127: enumerator_t *(*create_shared_enumerator)(credential_manager_t *this,
! 128: shared_key_type_t type,
! 129: identification_t *first, identification_t *second);
! 130: /**
! 131: * Create an enumerator over all Certificate Distribution Points.
! 132: *
! 133: * @param type kind of certificate the point distributes
! 134: * @param id identification of the distributed certificate
! 135: * @return enumerator of CDPs as char*
! 136: */
! 137: enumerator_t *(*create_cdp_enumerator)(credential_manager_t *this,
! 138: certificate_type_t type, identification_t *id);
! 139: /**
! 140: * Get a trusted or untrusted certificate.
! 141: *
! 142: * @param cert kind of certificate
! 143: * @param key kind of key in certificate
! 144: * @param id subject this certificate belongs to
! 145: * @param trusted TRUE to get a trusted certificate only
! 146: * @return certificate, if found, NULL otherwise
! 147: */
! 148: certificate_t *(*get_cert)(credential_manager_t *this,
! 149: certificate_type_t cert, key_type_t key,
! 150: identification_t *id, bool trusted);
! 151: /**
! 152: * Get the best matching shared key for two IDs.
! 153: *
! 154: * @param type kind of requested shared key
! 155: * @param me own identity
! 156: * @param other peer identity
! 157: * @return shared_key_t, NULL if none found
! 158: */
! 159: shared_key_t *(*get_shared)(credential_manager_t *this, shared_key_type_t type,
! 160: identification_t *me, identification_t *other);
! 161: /**
! 162: * Get a private key to create a signature.
! 163: *
! 164: * The get_private() method gets a secret private key identified by either
! 165: * the keyid itself or an id the key belongs to.
! 166: * The auth parameter contains additional information, such as recipients
! 167: * trusted CA certs. Auth gets filled with subject and CA certificates
! 168: * needed to validate a created signature.
! 169: *
! 170: * @param type type of the key to get
! 171: * @param id identification the key belongs to
! 172: * @param auth auth config, including trusted CA certificates
! 173: * @return private_key_t, NULL if none found
! 174: */
! 175: private_key_t* (*get_private)(credential_manager_t *this, key_type_t type,
! 176: identification_t *id, auth_cfg_t *auth);
! 177:
! 178: /**
! 179: * Create an enumerator over trusted certificates.
! 180: *
! 181: * This method creates an enumerator over trusted certificates. The auth
! 182: * parameter (if given) receives the trustchain used to validate
! 183: * the certificate. The resulting enumerator enumerates over
! 184: * certificate_t*, auth_cfg_t*.
! 185: * If online is set, revocations are checked online for the whole
! 186: * trustchain.
! 187: *
! 188: * @param type type of the key we want a certificate for
! 189: * @param id subject of the certificate
! 190: * @param online whether revocations should be checked online
! 191: * @return enumerator
! 192: */
! 193: enumerator_t* (*create_trusted_enumerator)(credential_manager_t *this,
! 194: key_type_t type, identification_t *id, bool online);
! 195:
! 196: /**
! 197: * Create an enumerator over trusted public keys.
! 198: *
! 199: * This method creates an enumerator over trusted public keys to verify a
! 200: * signature created by id. The auth parameter contains additional
! 201: * authentication infos, e.g. peer and intermediate certificates.
! 202: * The resulting enumerator enumerates over public_key_t *, auth_cfg_t *,
! 203: * where the auth config helper contains rules for constraint checks.
! 204: * This function is very similar to create_trusted_enumerator(), but
! 205: * gets public keys directly.
! 206: * If online is set, revocations are checked online for the whole
! 207: * trustchain.
! 208: *
! 209: * @param type type of the key to get
! 210: * @param id owner of the key, signer of the signature
! 211: * @param auth authentication infos
! 212: * @param online whether revocations should be checked online
! 213: * @return enumerator
! 214: */
! 215: enumerator_t* (*create_public_enumerator)(credential_manager_t *this,
! 216: key_type_t type, identification_t *id, auth_cfg_t *auth,
! 217: bool online);
! 218:
! 219: /**
! 220: * Cache a certificate by invoking cache_cert() on all registered sets.
! 221: *
! 222: * @param cert certificate to cache
! 223: */
! 224: void (*cache_cert)(credential_manager_t *this, certificate_t *cert);
! 225:
! 226: /**
! 227: * Flush the certificate cache.
! 228: *
! 229: * Only the managers local cache is flushed, but not the sets cache filled
! 230: * by the cache_cert() method.
! 231: *
! 232: * @param type type of certificate to flush, or CERT_ANY
! 233: */
! 234: void (*flush_cache)(credential_manager_t *this, certificate_type_t type);
! 235:
! 236: /**
! 237: * Check if a given subject certificate is issued by an issuer certificate.
! 238: *
! 239: * This operation does signature verification using the credential
! 240: * manager's cache to speed up the operation.
! 241: *
! 242: * @param subject subject certificate to check
! 243: * @param issuer issuer certificate that potentially has signed subject
! 244: * @param scheme receives used signature scheme and parameters, if
! 245: * given (allocated)
! 246: * @return TRUE if issuer signed subject
! 247: */
! 248: bool (*issued_by)(credential_manager_t *this,
! 249: certificate_t *subject, certificate_t *issuer,
! 250: signature_params_t **scheme);
! 251:
! 252: /**
! 253: * Register a credential set to the manager.
! 254: *
! 255: * @param set set to register
! 256: */
! 257: void (*add_set)(credential_manager_t *this, credential_set_t *set);
! 258:
! 259: /**
! 260: * Unregister a credential set from the manager.
! 261: *
! 262: * @param set set to unregister
! 263: */
! 264: void (*remove_set)(credential_manager_t *this, credential_set_t *set);
! 265:
! 266: /**
! 267: * Register a thread local credential set to the manager.
! 268: *
! 269: * To add a credential set for the current trustchain verification
! 270: * operation, sets may be added for the calling thread only. This
! 271: * does not require a write lock and is therefore a much cheaper
! 272: * operation.
! 273: * The exclusive option allows to disable all other credential sets
! 274: * until the set is deregistered.
! 275: *
! 276: * @param set set to register
! 277: * @param exclusive TRUE to disable all other sets for this thread
! 278: */
! 279: void (*add_local_set)(credential_manager_t *this, credential_set_t *set,
! 280: bool exclusive);
! 281:
! 282: /**
! 283: * Unregister a thread local credential set from the manager.
! 284: *
! 285: * @param set set to unregister
! 286: */
! 287: void (*remove_local_set)(credential_manager_t *this, credential_set_t *set);
! 288:
! 289: /**
! 290: * Register a certificate validator to the manager.
! 291: *
! 292: * @param vdtr validator to register
! 293: */
! 294: void (*add_validator)(credential_manager_t *this, cert_validator_t *vdtr);
! 295:
! 296: /**
! 297: * Remove a certificate validator from the manager.
! 298: *
! 299: * @param vdtr validator to unregister
! 300: */
! 301: void (*remove_validator)(credential_manager_t *this, cert_validator_t *vdtr);
! 302:
! 303: /**
! 304: * Set a hook to call on certain credential validation errors.
! 305: *
! 306: * @param hook hook to register, NULL to unregister
! 307: * @param data data to pass to hook
! 308: */
! 309: void (*set_hook)(credential_manager_t *this, credential_hook_t hook,
! 310: void *data);
! 311:
! 312: /**
! 313: * Call the registered credential hook, if any.
! 314: *
! 315: * While hooks are usually called by the credential manager itself, some
! 316: * validator plugins might raise hooks as well if they consider certificates
! 317: * invalid.
! 318: *
! 319: * @param type type of the event
! 320: * @param cert associated certificate
! 321: */
! 322: void (*call_hook)(credential_manager_t *this, credential_hook_type_t type,
! 323: certificate_t *cert);
! 324:
! 325: /**
! 326: * Destroy a credential_manager instance.
! 327: */
! 328: void (*destroy)(credential_manager_t *this);
! 329: };
! 330:
! 331: /**
! 332: * Create a credential_manager instance.
! 333: */
! 334: credential_manager_t *credential_manager_create();
! 335:
! 336: #endif /** CREDENTIAL_MANAGER_H_ @}*/
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>