1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
|
/*
* Credentials Manager
* (C) 2011,2012 Jack Lloyd
*
* Distributed under the terms of the Botan license
*/
#ifndef BOTAN_CREDENTIALS_MANAGER_H__
#define BOTAN_CREDENTIALS_MANAGER_H__
#include <botan/x509cert.h>
#include <botan/secmem.h>
#include <string>
namespace Botan {
class BigInt;
/**
* Interface for a credentials manager.
*
* A type is a fairly static value that represents the general nature
* of the transaction occuring. Currently used values are "tls-client"
* and "tls-server". Context represents a hostname, email address,
* username, or other identifier.
*/
class BOTAN_DLL Credentials_Manager
{
public:
virtual ~Credentials_Manager() {}
/**
* @return identifier for client-side SRP auth, if available
for this type/context. Should return empty string
if password auth not desired/available.
*/
virtual std::string srp_identifier(const std::string& type,
const std::string& context);
/**
* @param identifier specifies what identifier we want the
* password for. This will be a value previously returned
* by srp_identifier.
* @return password for client-side SRP auth, if available
for this identifier/type/context.
*/
virtual std::string srp_password(const std::string& identifier,
const std::string& type,
const std::string& context);
/**
* Retrieve SRP verifier parameters
*/
virtual bool srp_verifier(const std::string& identifier,
const std::string& type,
const std::string& context,
BigInt& group_prime,
BigInt& group_generator,
BigInt& verifier,
MemoryRegion<byte>& salt,
bool generate_fake_on_unknown);
/**
* Return a cert chain we can use, ordered from leaf to root.
* Assumed that we can get the private key of the leaf with
* private_key_for
*
* @param cert_key_type is a set string representing the allowed
* key type ("RSA", "DSA", "ECDSA", etc) or empty if no
* preference.
*/
virtual std::vector<X509_Certificate> cert_chain(
const std::vector<std::string>& cert_key_types,
const std::string& type,
const std::string& context);
/**
* Return a cert chain we can use, ordered from leaf to root.
* Assumed that we can get the private key of the leaf with
* private_key_for
*
* @param cert_key_type is a set string representing the allowed
* key type ("RSA", "DSA", "ECDSA", etc) or empty if no
* preference.
*/
std::vector<X509_Certificate> cert_chain_single_type(
const std::string& cert_key_type,
const std::string& type,
const std::string& context);
/**
* Return a list of the certificates of CAs that we trust in this
* type/context.
*/
virtual std::vector<X509_Certificate> trusted_certificate_authorities(
const std::string& type,
const std::string& context);
/**
* Check the certificate chain is valid up to a trusted root, and
* optionally (if hostname != "") that the hostname given is
* consistent with the leaf certificate.
*
* This function should throw an exception derived from
* std::exception with an informative what() result if the
* certificate chain cannot be verified.
*/
virtual void verify_certificate_chain(
const std::vector<X509_Certificate>& cert_chain,
const std::string& hostname = "");
/**
* @return private key associated with this certificate if we should
* use it with this context. cert was returned by cert_chain
* @note this object should retain ownership of the returned key;
* it should not be deleted by the caller.
*/
virtual Private_Key* private_key_for(const X509_Certificate& cert,
const std::string& type,
const std::string& context);
};
}
#endif
|
