/* * Credentials Manager * (C) 2011,2012 Jack Lloyd * * Botan is released under the Simplified BSD License (see license.txt) */ #ifndef BOTAN_CREDENTIALS_MANAGER_H__ #define BOTAN_CREDENTIALS_MANAGER_H__ #include #include #include #include namespace Botan { class BigInt; /** * Interface for a credentials manager. * * A type is a fairly static value that represents the general nature * of the transaction occurring. Currently used values are "tls-client" * and "tls-server". Context represents a hostname, email address, * username, or other identifier. */ class BOTAN_DLL Credentials_Manager { public: virtual ~Credentials_Manager() {} /** * Return a list of the certificates of CAs that we trust in this * type/context. * * @param type specifies the type of operation occurring * * @param context specifies a context relative to type. For instance * for type "tls-client", context specifies the servers name. */ virtual std::vector trusted_certificate_authorities( const std::string& type, const std::string& context); /** * Check the certificate chain is valid up to a trusted root, and * optionally (if hostname != "") that the hostname given is * consistent with the leaf certificate. * * This function should throw an exception derived from * std::exception with an informative what() result if the * certificate chain cannot be verified. * @param type specifies the type of operation occurring * @param hostname specifies the purported hostname * @param cert_chain specifies a certificate chain leading to a * trusted root CA certificate. */ virtual void verify_certificate_chain( const std::string& type, const std::string& hostname, const std::vector& cert_chain); /** * Return a cert chain we can use, ordered from leaf to root, * or else an empty vector. * * It is assumed that the caller can get the private key of the * leaf with private_key_for * * @param cert_key_types specifies the key types desired ("RSA", * "DSA", "ECDSA", etc), or empty if there * is no preference by the caller. * * @param type specifies the type of operation occurring * * @param context specifies a context relative to type. */ virtual std::vector cert_chain( const std::vector& cert_key_types, const std::string& type, const std::string& context); /** * Return a cert chain we can use, ordered from leaf to root, * or else an empty vector. * * It is assumed that the caller can get the private key of the * leaf with private_key_for * * @param cert_key_type specifies the type of key requested * ("RSA", "DSA", "ECDSA", etc) * * @param type specifies the type of operation occurring * * @param context specifies a context relative to type. */ std::vector cert_chain_single_type( const std::string& cert_key_type, const std::string& type, const std::string& context); /** * @return private key associated with this certificate if we should * use it with this context. cert was returned by cert_chain * @note this object should retain ownership of the returned key; * it should not be deleted by the caller. */ virtual Private_Key* private_key_for(const X509_Certificate& cert, const std::string& type, const std::string& context); /** * @param type specifies the type of operation occurring * @param context specifies a context relative to type. * @return true if we should attempt SRP authentication */ virtual bool attempt_srp(const std::string& type, const std::string& context); /** * @param type specifies the type of operation occurring * @param context specifies a context relative to type. * @return identifier for client-side SRP auth, if available for this type/context. Should return empty string if password auth not desired/available. */ virtual std::string srp_identifier(const std::string& type, const std::string& context); /** * @param type specifies the type of operation occurring * @param context specifies a context relative to type. * @param identifier specifies what identifier we want the * password for. This will be a value previously returned * by srp_identifier. * @return password for client-side SRP auth, if available for this identifier/type/context. */ virtual std::string srp_password(const std::string& type, const std::string& context, const std::string& identifier); /** * Retrieve SRP verifier parameters */ virtual bool srp_verifier(const std::string& type, const std::string& context, const std::string& identifier, std::string& group_name, BigInt& verifier, std::vector& salt, bool generate_fake_on_unknown); /** * @param type specifies the type of operation occurring * @param context specifies a context relative to type. * @return the PSK identity hint for this type/context */ virtual std::string psk_identity_hint(const std::string& type, const std::string& context); /** * @param type specifies the type of operation occurring * @param context specifies a context relative to type. * @param identity_hint was passed by the server (but may be empty) * @return the PSK identity we want to use */ virtual std::string psk_identity(const std::string& type, const std::string& context, const std::string& identity_hint); /** * @param type specifies the type of operation occurring * @param context specifies a context relative to type. * @param identity is a PSK identity previously returned by psk_identity for the same type and context. * @return the PSK used for identity, or throw an exception if no * key exists */ virtual SymmetricKey psk(const std::string& type, const std::string& context, const std::string& identity); }; } #endif