/* * Copyright (C) 2015 Tobias Brunner * Copyright (C) 2007-2009 Martin Willi * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the * Free Software Foundation; either version 2 of the License, or (at your * option) any later version. See . * * This program is distributed in the hope that it will be useful, but * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. */ /** * @defgroup credential_manager credential_manager * @{ @ingroup credentials */ #ifndef CREDENTIAL_MANAGER_H_ #define CREDENTIAL_MANAGER_H_ typedef struct credential_manager_t credential_manager_t; typedef enum credential_hook_type_t credential_hook_type_t; #include #include #include #include #include #include #include #include /** * Type of a credential hook error/event. */ enum credential_hook_type_t { /** The certificate has expired (or is not yet valid) */ CRED_HOOK_EXPIRED, /** The certificate has been revoked */ CRED_HOOK_REVOKED, /** Checking certificate revocation failed. This does not necessarily mean * the certificate is rejected, just that revocation checking failed. */ CRED_HOOK_VALIDATION_FAILED, /** No trusted issuer certificate has been found for this certificate */ CRED_HOOK_NO_ISSUER, /** Encountered a self-signed (root) certificate, but it is not trusted */ CRED_HOOK_UNTRUSTED_ROOT, /** Maximum trust chain length exceeded for certificate */ CRED_HOOK_EXCEEDED_PATH_LEN, /** The certificate violates some other kind of policy and gets rejected */ CRED_HOOK_POLICY_VIOLATION, }; /** * Hook function to invoke on certificate validation errors. * * @param data user data supplied during hook registration * @param type type of validation error/event * @param cert associated certificate */ typedef void (*credential_hook_t)(void *data, credential_hook_type_t type, certificate_t *cert); /** * Manages credentials using credential_sets. * * The credential manager is the entry point of the credential framework. It * uses so called "sets" to access credentials in a modular fashion. These * are implemented through the credential_set_t interface. * The manager additionally does trust chain verification and trust status * caching. A set may call the managers methods if it needs credentials itself. * The manager uses recursive locking. * * @verbatim +-------+ +----------------+ | A | | | +------------------+ | u | -----> | | ------> | +------------------+ | t | | credential- | | | +------------------+ | h | -----> | manager | ------> +--| | credential- | => IPC | e | | | +--| sets | | n | +--> | | ------> +------------------+ | t | | | | | | i | | | | | | c | | +----------------+ | | a | | | | t | +----------------------------------------------+ | o | may be recursive | r | +-------+ @endverbatim * * The credential manager uses rwlocks for performance reasons. Credential * sets must be fully thread-safe. */ struct credential_manager_t { /** * Create an enumerator over all certificates. * * @param cert kind of certificate * @param key kind of key in certificate * @param id subject this certificate belongs to * @param trusted TRUE to list trusted certificates only * @return enumerator over the certificates */ enumerator_t *(*create_cert_enumerator)(credential_manager_t *this, certificate_type_t cert, key_type_t key, identification_t *id, bool trusted); /** * Create an enumerator over all shared keys. * * The enumerator enumerates over: * shared_key_t*, id_match_t me, id_match_t other * But must accept values for the id_matches. * * @param type kind of requested shared key * @param first first subject between key is shared * @param second second subject between key is shared * @return enumerator over (shared_key_t*,id_match_t,id_match_t) */ #ifdef NETAPP enumerator_t *(*create_shared_enumerator)(credential_manager_t *this, shared_key_type_t type, identification_t *first, identification_t *second, uint32_t vserverid); #else /* !NETAPP */ enumerator_t *(*create_shared_enumerator)(credential_manager_t *this, shared_key_type_t type, identification_t *first, identification_t *second); #endif /* NETAPP */ /** * Create an enumerator over all Certificate Distribution Points. * * @param type kind of certificate the point distributes * @param id identification of the distributed certificate * @return enumerator of CDPs as char* */ enumerator_t *(*create_cdp_enumerator)(credential_manager_t *this, certificate_type_t type, identification_t *id); /** * Get a trusted or untrusted certificate. * * @param cert kind of certificate * @param key kind of key in certificate * @param id subject this certificate belongs to * @param trusted TRUE to get a trusted certificate only * @return certificate, if found, NULL otherwise */ certificate_t *(*get_cert)(credential_manager_t *this, certificate_type_t cert, key_type_t key, identification_t *id, bool trusted); /** * Get the best matching shared key for two IDs. * * @param type kind of requested shared key * @param me own identity * @param other peer identity * @return shared_key_t, NULL if none found */ #ifdef NETAPP shared_key_t *(*get_shared)(credential_manager_t *this, shared_key_type_t type, identification_t *me, identification_t *other, uint32_t vserverid); #else /* !NETAPP */ shared_key_t *(*get_shared)(credential_manager_t *this, shared_key_type_t type, identification_t *me, identification_t *other); #endif /* NETAPP */ /** * Get a private key to create a signature. * * The get_private() method gets a secret private key identified by either * the keyid itself or an id the key belongs to. * The auth parameter contains additional information, such as recipients * trusted CA certs. Auth gets filled with subject and CA certificates * needed to validate a created signature. * * @param type type of the key to get * @param id identification the key belongs to * @param auth auth config, including trusted CA certificates * @return private_key_t, NULL if none found */ private_key_t* (*get_private)(credential_manager_t *this, key_type_t type, identification_t *id, auth_cfg_t *auth); /** * Create an enumerator over trusted certificates. * * This method creates an enumerator over trusted certificates. The auth * parameter (if given) receives the trustchain used to validate * the certificate. The resulting enumerator enumerates over * certificate_t*, auth_cfg_t*. * If online is set, revocations are checked online for the whole * trustchain. * * @param type type of the key we want a certificate for * @param id subject of the certificate * @param online whether revocations should be checked online * @return enumerator */ enumerator_t* (*create_trusted_enumerator)(credential_manager_t *this, key_type_t type, identification_t *id, bool online); /** * Create an enumerator over trusted public keys. * * This method creates an enumerator over trusted public keys to verify a * signature created by id. The auth parameter contains additional * authentication infos, e.g. peer and intermediate certificates. * The resulting enumerator enumerates over public_key_t *, auth_cfg_t *, * where the auth config helper contains rules for constraint checks. * This function is very similar to create_trusted_enumerator(), but * gets public keys directly. * If online is set, revocations are checked online for the whole * trustchain. * * @param type type of the key to get * @param id owner of the key, signer of the signature * @param auth authentication infos * @param online whether revocations should be checked online * @return enumerator */ enumerator_t* (*create_public_enumerator)(credential_manager_t *this, key_type_t type, identification_t *id, auth_cfg_t *auth, bool online); /** * Cache a certificate by invoking cache_cert() on all registered sets. * * @param cert certificate to cache */ void (*cache_cert)(credential_manager_t *this, certificate_t *cert); /** * Flush the certificate cache. * * Only the managers local cache is flushed, but not the sets cache filled * by the cache_cert() method. * * @param type type of certificate to flush, or CERT_ANY */ void (*flush_cache)(credential_manager_t *this, certificate_type_t type); /** * Check if a given subject certificate is issued by an issuer certificate. * * This operation does signature verification using the credential * manager's cache to speed up the operation. * * @param subject subject certificate to check * @param issuer issuer certificate that potentially has signed subject * @param scheme receives used signature scheme and parameters, if * given (allocated) * @return TRUE if issuer signed subject */ bool (*issued_by)(credential_manager_t *this, certificate_t *subject, certificate_t *issuer, signature_params_t **scheme); /** * Register a credential set to the manager. * * @param set set to register */ void (*add_set)(credential_manager_t *this, credential_set_t *set); /** * Unregister a credential set from the manager. * * @param set set to unregister */ void (*remove_set)(credential_manager_t *this, credential_set_t *set); /** * Register a thread local credential set to the manager. * * To add a credential set for the current trustchain verification * operation, sets may be added for the calling thread only. This * does not require a write lock and is therefore a much cheaper * operation. * The exclusive option allows to disable all other credential sets * until the set is deregistered. * * @param set set to register * @param exclusive TRUE to disable all other sets for this thread */ void (*add_local_set)(credential_manager_t *this, credential_set_t *set, bool exclusive); /** * Unregister a thread local credential set from the manager. * * @param set set to unregister */ void (*remove_local_set)(credential_manager_t *this, credential_set_t *set); /** * Register a certificate validator to the manager. * * @param vdtr validator to register */ void (*add_validator)(credential_manager_t *this, cert_validator_t *vdtr); /** * Remove a certificate validator from the manager. * * @param vdtr validator to unregister */ void (*remove_validator)(credential_manager_t *this, cert_validator_t *vdtr); /** * Set a hook to call on certain credential validation errors. * * @param hook hook to register, NULL to unregister * @param data data to pass to hook */ void (*set_hook)(credential_manager_t *this, credential_hook_t hook, void *data); /** * Call the registered credential hook, if any. * * While hooks are usually called by the credential manager itself, some * validator plugins might raise hooks as well if they consider certificates * invalid. * * @param type type of the event * @param cert associated certificate */ void (*call_hook)(credential_manager_t *this, credential_hook_type_t type, certificate_t *cert); /** * Destroy a credential_manager instance. */ void (*destroy)(credential_manager_t *this); }; /** * Create a credential_manager instance. */ credential_manager_t *credential_manager_create(); #endif /** CREDENTIAL_MANAGER_H_ @}*/