From 6ec30c701a38f1abc39b60d23e0442d61e80c196 Mon Sep 17 00:00:00 2001 From: Jack Lloyd Date: Sat, 29 Aug 2015 12:15:25 -0400 Subject: Move Credentials_Manager to TLS --- src/lib/credentials/credentials_manager.cpp | 135 -------------------- src/lib/credentials/credentials_manager.h | 189 ---------------------------- src/lib/credentials/info.txt | 5 - src/lib/tls/credentials_manager.cpp | 135 ++++++++++++++++++++ src/lib/tls/credentials_manager.h | 189 ++++++++++++++++++++++++++++ src/lib/tls/info.txt | 2 +- 6 files changed, 325 insertions(+), 330 deletions(-) delete mode 100644 src/lib/credentials/credentials_manager.cpp delete mode 100644 src/lib/credentials/credentials_manager.h delete mode 100644 src/lib/credentials/info.txt create mode 100644 src/lib/tls/credentials_manager.cpp create mode 100644 src/lib/tls/credentials_manager.h (limited to 'src') diff --git a/src/lib/credentials/credentials_manager.cpp b/src/lib/credentials/credentials_manager.cpp deleted file mode 100644 index 6443bb246..000000000 --- a/src/lib/credentials/credentials_manager.cpp +++ /dev/null @@ -1,135 +0,0 @@ -/* -* Credentials Manager -* (C) 2011,2012 Jack Lloyd -* -* Botan is released under the Simplified BSD License (see license.txt) -*/ - -#include -#include - -namespace Botan { - -std::string Credentials_Manager::psk_identity_hint(const std::string&, - const std::string&) - { - return ""; - } - -std::string Credentials_Manager::psk_identity(const std::string&, - const std::string&, - const std::string&) - { - return ""; - } - -SymmetricKey Credentials_Manager::psk(const std::string&, - const std::string&, - const std::string& identity) - { - throw Internal_Error("No PSK set for identity " + identity); - } - -bool Credentials_Manager::attempt_srp(const std::string&, - const std::string&) - { - return false; - } - -std::string Credentials_Manager::srp_identifier(const std::string&, - const std::string&) - { - return ""; - } - -std::string Credentials_Manager::srp_password(const std::string&, - const std::string&, - const std::string&) - { - return ""; - } - -bool Credentials_Manager::srp_verifier(const std::string&, - const std::string&, - const std::string&, - std::string&, - BigInt&, - std::vector&, - bool) - { - return false; - } - -std::vector Credentials_Manager::cert_chain( - const std::vector&, - const std::string&, - const std::string&) - { - return std::vector(); - } - -std::vector Credentials_Manager::cert_chain_single_type( - const std::string& cert_key_type, - const std::string& type, - const std::string& context) - { - std::vector cert_types; - cert_types.push_back(cert_key_type); - return cert_chain(cert_types, type, context); - } - -Private_Key* Credentials_Manager::private_key_for(const X509_Certificate&, - const std::string&, - const std::string&) - { - return nullptr; - } - -std::vector -Credentials_Manager::trusted_certificate_authorities( - const std::string&, - const std::string&) - { - return std::vector(); - } - -namespace { - -bool cert_in_some_store(const std::vector& trusted_CAs, - const X509_Certificate& trust_root) - { - for(auto CAs : trusted_CAs) - if(CAs->certificate_known(trust_root)) - return true; - return false; - } - -} - -void Credentials_Manager::verify_certificate_chain( - const std::string& type, - const std::string& purported_hostname, - const std::vector& cert_chain) - { - if(cert_chain.empty()) - throw std::invalid_argument("Certificate chain was empty"); - - auto trusted_CAs = trusted_certificate_authorities(type, purported_hostname); - - Path_Validation_Restrictions restrictions; - - auto result = x509_path_validate(cert_chain, - restrictions, - trusted_CAs); - - if(!result.successful_validation()) - throw std::runtime_error("Certificate validation failure: " + result.result_string()); - - if(!cert_in_some_store(trusted_CAs, result.trust_root())) - throw std::runtime_error("Certificate chain roots in unknown/untrusted CA"); - - if(purported_hostname != "" && !cert_chain[0].matches_dns_name(purported_hostname)) - throw std::runtime_error("Certificate did not match hostname"); - } - -} diff --git a/src/lib/credentials/credentials_manager.h b/src/lib/credentials/credentials_manager.h deleted file mode 100644 index 96e840d13..000000000 --- a/src/lib/credentials/credentials_manager.h +++ /dev/null @@ -1,189 +0,0 @@ -/* -* Credentials Manager -* (C) 2011,2012 Jack Lloyd -* -* Botan is released under the Simplified BSD License (see license.txt) -*/ - -#ifndef BOTAN_CREDENTIALS_MANAGER_H__ -#define BOTAN_CREDENTIALS_MANAGER_H__ - -#include -#include -#include -#include - -namespace Botan { - -class BigInt; - -/** -* Interface for a credentials manager. -* -* A type is a fairly static value that represents the general nature -* of the transaction occurring. Currently used values are "tls-client" -* and "tls-server". Context represents a hostname, email address, -* username, or other identifier. -*/ -class BOTAN_DLL Credentials_Manager - { - public: - virtual ~Credentials_Manager() {} - - /** - * Return a list of the certificates of CAs that we trust in this - * type/context. - * - * @param type specifies the type of operation occurring - * - * @param context specifies a context relative to type. For instance - * for type "tls-client", context specifies the servers name. - */ - virtual std::vector trusted_certificate_authorities( - const std::string& type, - const std::string& context); - - /** - * Check the certificate chain is valid up to a trusted root, and - * optionally (if hostname != "") that the hostname given is - * consistent with the leaf certificate. - * - * This function should throw an exception derived from - * std::exception with an informative what() result if the - * certificate chain cannot be verified. - - * @param type specifies the type of operation occurring - * @param hostname specifies the purported hostname - * @param cert_chain specifies a certificate chain leading to a - * trusted root CA certificate. - */ - virtual void verify_certificate_chain( - const std::string& type, - const std::string& hostname, - const std::vector& cert_chain); - - /** - * Return a cert chain we can use, ordered from leaf to root, - * or else an empty vector. - * - * It is assumed that the caller can get the private key of the - * leaf with private_key_for - * - * @param cert_key_types specifies the key types desired ("RSA", - * "DSA", "ECDSA", etc), or empty if there - * is no preference by the caller. - * - * @param type specifies the type of operation occurring - * - * @param context specifies a context relative to type. - */ - virtual std::vector cert_chain( - const std::vector& cert_key_types, - const std::string& type, - const std::string& context); - - /** - * Return a cert chain we can use, ordered from leaf to root, - * or else an empty vector. - * - * It is assumed that the caller can get the private key of the - * leaf with private_key_for - * - * @param cert_key_type specifies the type of key requested - * ("RSA", "DSA", "ECDSA", etc) - * - * @param type specifies the type of operation occurring - * - * @param context specifies a context relative to type. - */ - std::vector cert_chain_single_type( - const std::string& cert_key_type, - const std::string& type, - const std::string& context); - - /** - * @return private key associated with this certificate if we should - * use it with this context. cert was returned by cert_chain - * @note this object should retain ownership of the returned key; - * it should not be deleted by the caller. - */ - virtual Private_Key* private_key_for(const X509_Certificate& cert, - const std::string& type, - const std::string& context); - - /** - * @param type specifies the type of operation occurring - * @param context specifies a context relative to type. - * @return true if we should attempt SRP authentication - */ - virtual bool attempt_srp(const std::string& type, - const std::string& context); - - /** - * @param type specifies the type of operation occurring - * @param context specifies a context relative to type. - * @return identifier for client-side SRP auth, if available - for this type/context. Should return empty string - if password auth not desired/available. - */ - virtual std::string srp_identifier(const std::string& type, - const std::string& context); - - /** - * @param type specifies the type of operation occurring - * @param context specifies a context relative to type. - * @param identifier specifies what identifier we want the - * password for. This will be a value previously returned - * by srp_identifier. - * @return password for client-side SRP auth, if available - for this identifier/type/context. - */ - virtual std::string srp_password(const std::string& type, - const std::string& context, - const std::string& identifier); - - /** - * Retrieve SRP verifier parameters - */ - virtual bool srp_verifier(const std::string& type, - const std::string& context, - const std::string& identifier, - std::string& group_name, - BigInt& verifier, - std::vector& salt, - bool generate_fake_on_unknown); - - /** - * @param type specifies the type of operation occurring - * @param context specifies a context relative to type. - * @return the PSK identity hint for this type/context - */ - virtual std::string psk_identity_hint(const std::string& type, - const std::string& context); - - /** - * @param type specifies the type of operation occurring - * @param context specifies a context relative to type. - * @param identity_hint was passed by the server (but may be empty) - * @return the PSK identity we want to use - */ - virtual std::string psk_identity(const std::string& type, - const std::string& context, - const std::string& identity_hint); - - /** - * @param type specifies the type of operation occurring - * @param context specifies a context relative to type. - * @param identity is a PSK identity previously returned by - psk_identity for the same type and context. - * @return the PSK used for identity, or throw an exception if no - * key exists - */ - virtual SymmetricKey psk(const std::string& type, - const std::string& context, - const std::string& identity); - }; - -} - -#endif diff --git a/src/lib/credentials/info.txt b/src/lib/credentials/info.txt deleted file mode 100644 index 303139c4c..000000000 --- a/src/lib/credentials/info.txt +++ /dev/null @@ -1,5 +0,0 @@ -define CREDENTIALS_MANAGER 20131128 - - -x509 - diff --git a/src/lib/tls/credentials_manager.cpp b/src/lib/tls/credentials_manager.cpp new file mode 100644 index 000000000..6443bb246 --- /dev/null +++ b/src/lib/tls/credentials_manager.cpp @@ -0,0 +1,135 @@ +/* +* Credentials Manager +* (C) 2011,2012 Jack Lloyd +* +* Botan is released under the Simplified BSD License (see license.txt) +*/ + +#include +#include + +namespace Botan { + +std::string Credentials_Manager::psk_identity_hint(const std::string&, + const std::string&) + { + return ""; + } + +std::string Credentials_Manager::psk_identity(const std::string&, + const std::string&, + const std::string&) + { + return ""; + } + +SymmetricKey Credentials_Manager::psk(const std::string&, + const std::string&, + const std::string& identity) + { + throw Internal_Error("No PSK set for identity " + identity); + } + +bool Credentials_Manager::attempt_srp(const std::string&, + const std::string&) + { + return false; + } + +std::string Credentials_Manager::srp_identifier(const std::string&, + const std::string&) + { + return ""; + } + +std::string Credentials_Manager::srp_password(const std::string&, + const std::string&, + const std::string&) + { + return ""; + } + +bool Credentials_Manager::srp_verifier(const std::string&, + const std::string&, + const std::string&, + std::string&, + BigInt&, + std::vector&, + bool) + { + return false; + } + +std::vector Credentials_Manager::cert_chain( + const std::vector&, + const std::string&, + const std::string&) + { + return std::vector(); + } + +std::vector Credentials_Manager::cert_chain_single_type( + const std::string& cert_key_type, + const std::string& type, + const std::string& context) + { + std::vector cert_types; + cert_types.push_back(cert_key_type); + return cert_chain(cert_types, type, context); + } + +Private_Key* Credentials_Manager::private_key_for(const X509_Certificate&, + const std::string&, + const std::string&) + { + return nullptr; + } + +std::vector +Credentials_Manager::trusted_certificate_authorities( + const std::string&, + const std::string&) + { + return std::vector(); + } + +namespace { + +bool cert_in_some_store(const std::vector& trusted_CAs, + const X509_Certificate& trust_root) + { + for(auto CAs : trusted_CAs) + if(CAs->certificate_known(trust_root)) + return true; + return false; + } + +} + +void Credentials_Manager::verify_certificate_chain( + const std::string& type, + const std::string& purported_hostname, + const std::vector& cert_chain) + { + if(cert_chain.empty()) + throw std::invalid_argument("Certificate chain was empty"); + + auto trusted_CAs = trusted_certificate_authorities(type, purported_hostname); + + Path_Validation_Restrictions restrictions; + + auto result = x509_path_validate(cert_chain, + restrictions, + trusted_CAs); + + if(!result.successful_validation()) + throw std::runtime_error("Certificate validation failure: " + result.result_string()); + + if(!cert_in_some_store(trusted_CAs, result.trust_root())) + throw std::runtime_error("Certificate chain roots in unknown/untrusted CA"); + + if(purported_hostname != "" && !cert_chain[0].matches_dns_name(purported_hostname)) + throw std::runtime_error("Certificate did not match hostname"); + } + +} diff --git a/src/lib/tls/credentials_manager.h b/src/lib/tls/credentials_manager.h new file mode 100644 index 000000000..96e840d13 --- /dev/null +++ b/src/lib/tls/credentials_manager.h @@ -0,0 +1,189 @@ +/* +* Credentials Manager +* (C) 2011,2012 Jack Lloyd +* +* Botan is released under the Simplified BSD License (see license.txt) +*/ + +#ifndef BOTAN_CREDENTIALS_MANAGER_H__ +#define BOTAN_CREDENTIALS_MANAGER_H__ + +#include +#include +#include +#include + +namespace Botan { + +class BigInt; + +/** +* Interface for a credentials manager. +* +* A type is a fairly static value that represents the general nature +* of the transaction occurring. Currently used values are "tls-client" +* and "tls-server". Context represents a hostname, email address, +* username, or other identifier. +*/ +class BOTAN_DLL Credentials_Manager + { + public: + virtual ~Credentials_Manager() {} + + /** + * Return a list of the certificates of CAs that we trust in this + * type/context. + * + * @param type specifies the type of operation occurring + * + * @param context specifies a context relative to type. For instance + * for type "tls-client", context specifies the servers name. + */ + virtual std::vector trusted_certificate_authorities( + const std::string& type, + const std::string& context); + + /** + * Check the certificate chain is valid up to a trusted root, and + * optionally (if hostname != "") that the hostname given is + * consistent with the leaf certificate. + * + * This function should throw an exception derived from + * std::exception with an informative what() result if the + * certificate chain cannot be verified. + + * @param type specifies the type of operation occurring + * @param hostname specifies the purported hostname + * @param cert_chain specifies a certificate chain leading to a + * trusted root CA certificate. + */ + virtual void verify_certificate_chain( + const std::string& type, + const std::string& hostname, + const std::vector& cert_chain); + + /** + * Return a cert chain we can use, ordered from leaf to root, + * or else an empty vector. + * + * It is assumed that the caller can get the private key of the + * leaf with private_key_for + * + * @param cert_key_types specifies the key types desired ("RSA", + * "DSA", "ECDSA", etc), or empty if there + * is no preference by the caller. + * + * @param type specifies the type of operation occurring + * + * @param context specifies a context relative to type. + */ + virtual std::vector cert_chain( + const std::vector& cert_key_types, + const std::string& type, + const std::string& context); + + /** + * Return a cert chain we can use, ordered from leaf to root, + * or else an empty vector. + * + * It is assumed that the caller can get the private key of the + * leaf with private_key_for + * + * @param cert_key_type specifies the type of key requested + * ("RSA", "DSA", "ECDSA", etc) + * + * @param type specifies the type of operation occurring + * + * @param context specifies a context relative to type. + */ + std::vector cert_chain_single_type( + const std::string& cert_key_type, + const std::string& type, + const std::string& context); + + /** + * @return private key associated with this certificate if we should + * use it with this context. cert was returned by cert_chain + * @note this object should retain ownership of the returned key; + * it should not be deleted by the caller. + */ + virtual Private_Key* private_key_for(const X509_Certificate& cert, + const std::string& type, + const std::string& context); + + /** + * @param type specifies the type of operation occurring + * @param context specifies a context relative to type. + * @return true if we should attempt SRP authentication + */ + virtual bool attempt_srp(const std::string& type, + const std::string& context); + + /** + * @param type specifies the type of operation occurring + * @param context specifies a context relative to type. + * @return identifier for client-side SRP auth, if available + for this type/context. Should return empty string + if password auth not desired/available. + */ + virtual std::string srp_identifier(const std::string& type, + const std::string& context); + + /** + * @param type specifies the type of operation occurring + * @param context specifies a context relative to type. + * @param identifier specifies what identifier we want the + * password for. This will be a value previously returned + * by srp_identifier. + * @return password for client-side SRP auth, if available + for this identifier/type/context. + */ + virtual std::string srp_password(const std::string& type, + const std::string& context, + const std::string& identifier); + + /** + * Retrieve SRP verifier parameters + */ + virtual bool srp_verifier(const std::string& type, + const std::string& context, + const std::string& identifier, + std::string& group_name, + BigInt& verifier, + std::vector& salt, + bool generate_fake_on_unknown); + + /** + * @param type specifies the type of operation occurring + * @param context specifies a context relative to type. + * @return the PSK identity hint for this type/context + */ + virtual std::string psk_identity_hint(const std::string& type, + const std::string& context); + + /** + * @param type specifies the type of operation occurring + * @param context specifies a context relative to type. + * @param identity_hint was passed by the server (but may be empty) + * @return the PSK identity we want to use + */ + virtual std::string psk_identity(const std::string& type, + const std::string& context, + const std::string& identity_hint); + + /** + * @param type specifies the type of operation occurring + * @param context specifies a context relative to type. + * @param identity is a PSK identity previously returned by + psk_identity for the same type and context. + * @return the PSK used for identity, or throw an exception if no + * key exists + */ + virtual SymmetricKey psk(const std::string& type, + const std::string& context, + const std::string& identity); + }; + +} + +#endif diff --git a/src/lib/tls/info.txt b/src/lib/tls/info.txt index 3f3b323f1..1b0cf1415 100644 --- a/src/lib/tls/info.txt +++ b/src/lib/tls/info.txt @@ -3,6 +3,7 @@ define TLS 20150319 load_on auto +credentials_manager.h tls_alert.h tls_blocking.h tls_channel.h @@ -36,7 +37,6 @@ tls_session_key.h aead aes asn1 -credentials dh ecdh ecdsa -- cgit v1.2.3