aboutsummaryrefslogtreecommitdiffstats
path: root/src/lib/tls/credentials_manager.h
diff options
context:
space:
mode:
Diffstat (limited to 'src/lib/tls/credentials_manager.h')
-rw-r--r--src/lib/tls/credentials_manager.h189
1 files changed, 189 insertions, 0 deletions
diff --git a/src/lib/tls/credentials_manager.h b/src/lib/tls/credentials_manager.h
new file mode 100644
index 000000000..96e840d13
--- /dev/null
+++ b/src/lib/tls/credentials_manager.h
@@ -0,0 +1,189 @@
+/*
+* Credentials Manager
+* (C) 2011,2012 Jack Lloyd
+*
+* Botan is released under the Simplified BSD License (see license.txt)
+*/
+
+#ifndef BOTAN_CREDENTIALS_MANAGER_H__
+#define BOTAN_CREDENTIALS_MANAGER_H__
+
+#include <botan/x509cert.h>
+#include <botan/certstor.h>
+#include <botan/symkey.h>
+#include <string>
+
+namespace Botan {
+
+class BigInt;
+
+/**
+* Interface for a credentials manager.
+*
+* A type is a fairly static value that represents the general nature
+* of the transaction occurring. Currently used values are "tls-client"
+* and "tls-server". Context represents a hostname, email address,
+* username, or other identifier.
+*/
+class BOTAN_DLL Credentials_Manager
+ {
+ public:
+ virtual ~Credentials_Manager() {}
+
+ /**
+ * Return a list of the certificates of CAs that we trust in this
+ * type/context.
+ *
+ * @param type specifies the type of operation occurring
+ *
+ * @param context specifies a context relative to type. For instance
+ * for type "tls-client", context specifies the servers name.
+ */
+ virtual std::vector<Certificate_Store*> trusted_certificate_authorities(
+ const std::string& type,
+ const std::string& context);
+
+ /**
+ * Check the certificate chain is valid up to a trusted root, and
+ * optionally (if hostname != "") that the hostname given is
+ * consistent with the leaf certificate.
+ *
+ * This function should throw an exception derived from
+ * std::exception with an informative what() result if the
+ * certificate chain cannot be verified.
+
+ * @param type specifies the type of operation occurring
+ * @param hostname specifies the purported hostname
+ * @param cert_chain specifies a certificate chain leading to a
+ * trusted root CA certificate.
+ */
+ virtual void verify_certificate_chain(
+ const std::string& type,
+ const std::string& hostname,
+ const std::vector<X509_Certificate>& cert_chain);
+
+ /**
+ * Return a cert chain we can use, ordered from leaf to root,
+ * or else an empty vector.
+ *
+ * It is assumed that the caller can get the private key of the
+ * leaf with private_key_for
+ *
+ * @param cert_key_types specifies the key types desired ("RSA",
+ * "DSA", "ECDSA", etc), or empty if there
+ * is no preference by the caller.
+ *
+ * @param type specifies the type of operation occurring
+ *
+ * @param context specifies a context relative to type.
+ */
+ virtual std::vector<X509_Certificate> cert_chain(
+ const std::vector<std::string>& cert_key_types,
+ const std::string& type,
+ const std::string& context);
+
+ /**
+ * Return a cert chain we can use, ordered from leaf to root,
+ * or else an empty vector.
+ *
+ * It is assumed that the caller can get the private key of the
+ * leaf with private_key_for
+ *
+ * @param cert_key_type specifies the type of key requested
+ * ("RSA", "DSA", "ECDSA", etc)
+ *
+ * @param type specifies the type of operation occurring
+ *
+ * @param context specifies a context relative to type.
+ */
+ std::vector<X509_Certificate> cert_chain_single_type(
+ const std::string& cert_key_type,
+ const std::string& type,
+ const std::string& context);
+
+ /**
+ * @return private key associated with this certificate if we should
+ * use it with this context. cert was returned by cert_chain
+ * @note this object should retain ownership of the returned key;
+ * it should not be deleted by the caller.
+ */
+ virtual Private_Key* private_key_for(const X509_Certificate& cert,
+ const std::string& type,
+ const std::string& context);
+
+ /**
+ * @param type specifies the type of operation occurring
+ * @param context specifies a context relative to type.
+ * @return true if we should attempt SRP authentication
+ */
+ virtual bool attempt_srp(const std::string& type,
+ const std::string& context);
+
+ /**
+ * @param type specifies the type of operation occurring
+ * @param context specifies a context relative to type.
+ * @return identifier for client-side SRP auth, if available
+ for this type/context. Should return empty string
+ if password auth not desired/available.
+ */
+ virtual std::string srp_identifier(const std::string& type,
+ const std::string& context);
+
+ /**
+ * @param type specifies the type of operation occurring
+ * @param context specifies a context relative to type.
+ * @param identifier specifies what identifier we want the
+ * password for. This will be a value previously returned
+ * by srp_identifier.
+ * @return password for client-side SRP auth, if available
+ for this identifier/type/context.
+ */
+ virtual std::string srp_password(const std::string& type,
+ const std::string& context,
+ const std::string& identifier);
+
+ /**
+ * Retrieve SRP verifier parameters
+ */
+ virtual bool srp_verifier(const std::string& type,
+ const std::string& context,
+ const std::string& identifier,
+ std::string& group_name,
+ BigInt& verifier,
+ std::vector<byte>& salt,
+ bool generate_fake_on_unknown);
+
+ /**
+ * @param type specifies the type of operation occurring
+ * @param context specifies a context relative to type.
+ * @return the PSK identity hint for this type/context
+ */
+ virtual std::string psk_identity_hint(const std::string& type,
+ const std::string& context);
+
+ /**
+ * @param type specifies the type of operation occurring
+ * @param context specifies a context relative to type.
+ * @param identity_hint was passed by the server (but may be empty)
+ * @return the PSK identity we want to use
+ */
+ virtual std::string psk_identity(const std::string& type,
+ const std::string& context,
+ const std::string& identity_hint);
+
+ /**
+ * @param type specifies the type of operation occurring
+ * @param context specifies a context relative to type.
+ * @param identity is a PSK identity previously returned by
+ psk_identity for the same type and context.
+ * @return the PSK used for identity, or throw an exception if no
+ * key exists
+ */
+ virtual SymmetricKey psk(const std::string& type,
+ const std::string& context,
+ const std::string& identity);
+ };
+
+}
+
+#endif