aboutsummaryrefslogtreecommitdiffstats
path: root/lib/credentials
diff options
context:
space:
mode:
Diffstat (limited to 'lib/credentials')
-rw-r--r--lib/credentials/credentials_manager.cpp135
-rw-r--r--lib/credentials/credentials_manager.h189
-rw-r--r--lib/credentials/info.txt5
3 files changed, 329 insertions, 0 deletions
diff --git a/lib/credentials/credentials_manager.cpp b/lib/credentials/credentials_manager.cpp
new file mode 100644
index 000000000..1077edf61
--- /dev/null
+++ b/lib/credentials/credentials_manager.cpp
@@ -0,0 +1,135 @@
+/*
+* Credentials Manager
+* (C) 2011,2012 Jack Lloyd
+*
+* Distributed under the terms of the Botan license
+*/
+
+#include <botan/credentials_manager.h>
+#include <botan/x509path.h>
+
+namespace Botan {
+
+std::string Credentials_Manager::psk_identity_hint(const std::string&,
+ const std::string&)
+ {
+ return "";
+ }
+
+std::string Credentials_Manager::psk_identity(const std::string&,
+ const std::string&,
+ const std::string&)
+ {
+ return "";
+ }
+
+SymmetricKey Credentials_Manager::psk(const std::string&,
+ const std::string&,
+ const std::string& identity)
+ {
+ throw Internal_Error("No PSK set for identity " + identity);
+ }
+
+bool Credentials_Manager::attempt_srp(const std::string&,
+ const std::string&)
+ {
+ return false;
+ }
+
+std::string Credentials_Manager::srp_identifier(const std::string&,
+ const std::string&)
+ {
+ return "";
+ }
+
+std::string Credentials_Manager::srp_password(const std::string&,
+ const std::string&,
+ const std::string&)
+ {
+ return "";
+ }
+
+bool Credentials_Manager::srp_verifier(const std::string&,
+ const std::string&,
+ const std::string&,
+ std::string&,
+ BigInt&,
+ std::vector<byte>&,
+ bool)
+ {
+ return false;
+ }
+
+std::vector<X509_Certificate> Credentials_Manager::cert_chain(
+ const std::vector<std::string>&,
+ const std::string&,
+ const std::string&)
+ {
+ return std::vector<X509_Certificate>();
+ }
+
+std::vector<X509_Certificate> Credentials_Manager::cert_chain_single_type(
+ const std::string& cert_key_type,
+ const std::string& type,
+ const std::string& context)
+ {
+ std::vector<std::string> cert_types;
+ cert_types.push_back(cert_key_type);
+ return cert_chain(cert_types, type, context);
+ }
+
+Private_Key* Credentials_Manager::private_key_for(const X509_Certificate&,
+ const std::string&,
+ const std::string&)
+ {
+ return nullptr;
+ }
+
+std::vector<Certificate_Store*>
+Credentials_Manager::trusted_certificate_authorities(
+ const std::string&,
+ const std::string&)
+ {
+ return std::vector<Certificate_Store*>();
+ }
+
+namespace {
+
+bool cert_in_some_store(const std::vector<Certificate_Store*>& trusted_CAs,
+ const X509_Certificate& trust_root)
+ {
+ for(auto CAs : trusted_CAs)
+ if(CAs->certificate_known(trust_root))
+ return true;
+ return false;
+ }
+
+}
+
+void Credentials_Manager::verify_certificate_chain(
+ const std::string& type,
+ const std::string& purported_hostname,
+ const std::vector<X509_Certificate>& cert_chain)
+ {
+ if(cert_chain.empty())
+ throw std::invalid_argument("Certificate chain was empty");
+
+ auto trusted_CAs = trusted_certificate_authorities(type, purported_hostname);
+
+ Path_Validation_Restrictions restrictions;
+
+ auto result = x509_path_validate(cert_chain,
+ restrictions,
+ trusted_CAs);
+
+ if(!result.successful_validation())
+ throw std::runtime_error("Certificate validation failure: " + result.result_string());
+
+ if(!cert_in_some_store(trusted_CAs, result.trust_root()))
+ throw std::runtime_error("Certificate chain roots in unknown/untrusted CA");
+
+ if(purported_hostname != "" && !cert_chain[0].matches_dns_name(purported_hostname))
+ throw std::runtime_error("Certificate did not match hostname");
+ }
+
+}
diff --git a/lib/credentials/credentials_manager.h b/lib/credentials/credentials_manager.h
new file mode 100644
index 000000000..85db078e3
--- /dev/null
+++ b/lib/credentials/credentials_manager.h
@@ -0,0 +1,189 @@
+/*
+* Credentials Manager
+* (C) 2011,2012 Jack Lloyd
+*
+* Distributed under the terms of the Botan license
+*/
+
+#ifndef BOTAN_CREDENTIALS_MANAGER_H__
+#define BOTAN_CREDENTIALS_MANAGER_H__
+
+#include <botan/x509cert.h>
+#include <botan/certstor.h>
+#include <botan/symkey.h>
+#include <string>
+
+namespace Botan {
+
+class BigInt;
+
+/**
+* Interface for a credentials manager.
+*
+* A type is a fairly static value that represents the general nature
+* of the transaction occuring. Currently used values are "tls-client"
+* and "tls-server". Context represents a hostname, email address,
+* username, or other identifier.
+*/
+class BOTAN_DLL Credentials_Manager
+ {
+ public:
+ virtual ~Credentials_Manager() {}
+
+ /**
+ * Return a list of the certificates of CAs that we trust in this
+ * type/context.
+ *
+ * @param type specifies the type of operation occuring
+ *
+ * @param context specifies a context relative to type. For instance
+ * for type "tls-client", context specifies the servers name.
+ */
+ virtual std::vector<Certificate_Store*> trusted_certificate_authorities(
+ const std::string& type,
+ const std::string& context);
+
+ /**
+ * Check the certificate chain is valid up to a trusted root, and
+ * optionally (if hostname != "") that the hostname given is
+ * consistent with the leaf certificate.
+ *
+ * This function should throw an exception derived from
+ * std::exception with an informative what() result if the
+ * certificate chain cannot be verified.
+
+ * @param type specifies the type of operation occuring
+ * @param hostname specifies the purported hostname
+ * @param cert_chain specifies a certificate chain leading to a
+ * trusted root CA certificate.
+ */
+ virtual void verify_certificate_chain(
+ const std::string& type,
+ const std::string& hostname,
+ const std::vector<X509_Certificate>& cert_chain);
+
+ /**
+ * Return a cert chain we can use, ordered from leaf to root,
+ * or else an empty vector.
+ *
+ * It is assumed that the caller can get the private key of the
+ * leaf with private_key_for
+ *
+ * @param cert_key_types specifies the key types desired ("RSA",
+ * "DSA", "ECDSA", etc), or empty if there
+ * is no preference by the caller.
+ *
+ * @param type specifies the type of operation occuring
+ *
+ * @param context specifies a context relative to type.
+ */
+ virtual std::vector<X509_Certificate> cert_chain(
+ const std::vector<std::string>& cert_key_types,
+ const std::string& type,
+ const std::string& context);
+
+ /**
+ * Return a cert chain we can use, ordered from leaf to root,
+ * or else an empty vector.
+ *
+ * It is assumed that the caller can get the private key of the
+ * leaf with private_key_for
+ *
+ * @param cert_key_type specifies the type of key requested
+ * ("RSA", "DSA", "ECDSA", etc)
+ *
+ * @param type specifies the type of operation occuring
+ *
+ * @param context specifies a context relative to type.
+ */
+ std::vector<X509_Certificate> cert_chain_single_type(
+ const std::string& cert_key_type,
+ const std::string& type,
+ const std::string& context);
+
+ /**
+ * @return private key associated with this certificate if we should
+ * use it with this context. cert was returned by cert_chain
+ * @note this object should retain ownership of the returned key;
+ * it should not be deleted by the caller.
+ */
+ virtual Private_Key* private_key_for(const X509_Certificate& cert,
+ const std::string& type,
+ const std::string& context);
+
+ /**
+ * @param type specifies the type of operation occuring
+ * @param context specifies a context relative to type.
+ * @return true if we should attempt SRP authentication
+ */
+ virtual bool attempt_srp(const std::string& type,
+ const std::string& context);
+
+ /**
+ * @param type specifies the type of operation occuring
+ * @param context specifies a context relative to type.
+ * @return identifier for client-side SRP auth, if available
+ for this type/context. Should return empty string
+ if password auth not desired/available.
+ */
+ virtual std::string srp_identifier(const std::string& type,
+ const std::string& context);
+
+ /**
+ * @param type specifies the type of operation occuring
+ * @param context specifies a context relative to type.
+ * @param identifier specifies what identifier we want the
+ * password for. This will be a value previously returned
+ * by srp_identifier.
+ * @return password for client-side SRP auth, if available
+ for this identifier/type/context.
+ */
+ virtual std::string srp_password(const std::string& type,
+ const std::string& context,
+ const std::string& identifier);
+
+ /**
+ * Retrieve SRP verifier parameters
+ */
+ virtual bool srp_verifier(const std::string& type,
+ const std::string& context,
+ const std::string& identifier,
+ std::string& group_name,
+ BigInt& verifier,
+ std::vector<byte>& salt,
+ bool generate_fake_on_unknown);
+
+ /**
+ * @param type specifies the type of operation occuring
+ * @param context specifies a context relative to type.
+ * @return the PSK identity hint for this type/context
+ */
+ virtual std::string psk_identity_hint(const std::string& type,
+ const std::string& context);
+
+ /**
+ * @param type specifies the type of operation occuring
+ * @param context specifies a context relative to type.
+ * @param identity_hint was passed by the server (but may be empty)
+ * @return the PSK identity we want to use
+ */
+ virtual std::string psk_identity(const std::string& type,
+ const std::string& context,
+ const std::string& identity_hint);
+
+ /**
+ * @param type specifies the type of operation occuring
+ * @param context specifies a context relative to type.
+ * @param identity is a PSK identity previously returned by
+ psk_identity for the same type and context.
+ * @return the PSK used for identity, or throw an exception if no
+ * key exists
+ */
+ virtual SymmetricKey psk(const std::string& type,
+ const std::string& context,
+ const std::string& identity);
+ };
+
+}
+
+#endif
diff --git a/lib/credentials/info.txt b/lib/credentials/info.txt
new file mode 100644
index 000000000..303139c4c
--- /dev/null
+++ b/lib/credentials/info.txt
@@ -0,0 +1,5 @@
+define CREDENTIALS_MANAGER 20131128
+
+<requires>
+x509
+</requires>
generated by cgit v1.2.3 (git 2.39.1) at 2024-12-22 18:48:47 +0000