Botan 3.5.0
Crypto and TLS for C&
|
#include <credentials_manager.h>
Public Member Functions | |
virtual std::vector< X509_Certificate > | cert_chain (const std::vector< std::string > &cert_key_types, const std::vector< AlgorithmIdentifier > &cert_signature_schemes, const std::string &type, const std::string &context) |
std::vector< X509_Certificate > | cert_chain_single_type (const std::string &cert_key_type, const std::vector< AlgorithmIdentifier > &cert_signature_schemes, const std::string &type, const std::string &context) |
virtual std::optional< TLS::ExternalPSK > | choose_preshared_key (std::string_view host, TLS::Connection_Side whoami, const std::vector< std::string > &identities, const std::optional< std::string > &prf=std::nullopt) |
virtual secure_vector< uint8_t > | dtls_cookie_secret () |
virtual std::vector< X509_Certificate > | find_cert_chain (const std::vector< std::string > &cert_key_types, const std::vector< AlgorithmIdentifier > &cert_signature_schemes, const std::vector< X509_DN > &acceptable_CAs, const std::string &type, const std::string &context) |
virtual std::vector< TLS::ExternalPSK > | find_preshared_keys (std::string_view host, TLS::Connection_Side whoami, const std::vector< std::string > &identities={}, const std::optional< std::string > &prf=std::nullopt) |
virtual std::shared_ptr< Public_Key > | find_raw_public_key (const std::vector< std::string > &key_types, const std::string &type, const std::string &context) |
virtual std::shared_ptr< Private_Key > | private_key_for (const Public_Key &raw_public_key, const std::string &type, const std::string &context) |
virtual std::shared_ptr< Private_Key > | private_key_for (const X509_Certificate &cert, const std::string &type, const std::string &context) |
virtual SymmetricKey | psk (const std::string &type, const std::string &context, const std::string &identity) |
virtual std::string | psk_identity (const std::string &type, const std::string &context, const std::string &identity_hint) |
virtual std::string | psk_identity_hint (const std::string &type, const std::string &context) |
virtual secure_vector< uint8_t > | session_ticket_key () |
virtual std::vector< Certificate_Store * > | trusted_certificate_authorities (const std::string &type, const std::string &context) |
virtual | ~Credentials_Manager ()=default |
Interface for a credentials manager.
A type is a fairly static value that represents the general nature of the transaction occurring. Currently used values are "tls-client" and "tls-server". Context represents a hostname, email address, username, or other identifier.
Definition at line 34 of file credentials_manager.h.
|
virtualdefault |
|
virtual |
Return a cert chain we can use, ordered from leaf to root, or else an empty vector.
This virtual function is deprecated, and will be removed in a future release. Use (and override) find_cert_chain instead.
It is assumed that the caller can get the private key of the leaf with private_key_for
cert_key_types | specifies the key types desired ("RSA", "DSA", "ECDSA", etc), or empty if there is no preference by the caller. |
cert_signature_schemes | specifies the signature types desired as signatures in the certificate(s) itself, or empty for no preference by the caller. |
type | specifies the type of operation occurring |
context | specifies a context relative to type. |
Definition at line 96 of file credentials_manager.cpp.
Referenced by find_cert_chain().
std::vector< X509_Certificate > Botan::Credentials_Manager::cert_chain_single_type | ( | const std::string & | cert_key_type, |
const std::vector< AlgorithmIdentifier > & | cert_signature_schemes, | ||
const std::string & | type, | ||
const std::string & | context ) |
Return a cert chain we can use, ordered from leaf to root, or else an empty vector.
It is assumed that the caller can get the private key of the leaf with private_key_for
cert_key_type | specifies the type of key requested ("RSA", "DSA", "ECDSA", etc) |
cert_signature_schemes | specifies the signature types desired as signatures in the certificate(s) itself, or empty for no preference by the caller. |
type | specifies the type of operation occurring |
context | specifies a context relative to type. |
Definition at line 103 of file credentials_manager.cpp.
References find_cert_chain().
|
virtual |
Selects a single PSK identity from the given identities
and returns its details (i.e. the secret value) for it to be used in the handshake.
The default implementation relies on the filtering capabilities provided by find_preshared_keys() and simply selects the first PSK returned. If applications need finer grained control, they should override this method.
In TLS 1.3 the identities
might contain opaque session ticket data that is not necessarily a printable string, despite the utilized std::string type. Implementations must be prepared to ignore identities generated via the TLS 1.3 resumption mechanism.
host | the host name for which a PSK is requested (may be empty) |
whoami | the type of the host (client or server) that is requesting |
identities | an optional filter for PSK identities to be returned (an empty list means: all identities are welcome) |
prf | an optional filter for the Pseudo Random Function the PRFs must be provisioned for |
Definition at line 69 of file credentials_manager.cpp.
References find_preshared_keys().
Referenced by Botan::TLS::PSK::select_offered_psk().
|
virtual |
Provides a secret to authenticate DTLS hello cookies. The default implementation returns an empty key that effectively disables hello cookies. Applications that wish to use DTLS are strongly advised to implement this method.
Definition at line 127 of file credentials_manager.cpp.
Referenced by psk().
|
virtual |
Return a cert chain we can use, ordered from leaf to root, or else an empty vector.
It is assumed that the caller can get the private key of the leaf with private_key_for
For a comprehensive write-up of how to select certificates for TLS CertificateVerify messages, see RFC 8446 Sections 4.4.2.2 and 4.4.2.3.
cert_key_types | specifies the key types desired ("RSA", "DSA", "ECDSA", etc), or empty if there is no preference by the caller. |
cert_signature_schemes | specifies the signature types desired as signatures in the certificate(s) itself, or empty for no preference by the caller. |
acceptable_CAs | the CAs the requestor will accept (possibly empty) |
type | specifies the type of operation occurring |
context | specifies a context relative to type. |
Definition at line 81 of file credentials_manager.cpp.
References cert_chain().
Referenced by cert_chain_single_type(), Botan::TLS::Certificate_13::Certificate_13(), and Botan::TLS::Certificate_13::Certificate_13().
|
virtual |
Filters all available PSKs with the given criterions. Note that omitted criterions (like an empty identities
list or an unspecified PRF
) must be interpreted as "no restriction".
Note that this is used as the underlying API for the legacy psk() method currently still used in TLS 1.2. New applications should override find_preshared_keys() and leave psk() with the default implementation.
In TLS 1.3 the identities
might contain opaque session ticket data that is not necessarily a printable string, despite the utilized std::string type. Implementations must be prepared to ignore identities generated via the TLS 1.3 resumption mechanism.
host | the host name for which a PSK is requested (may be empty) |
whoami | the type of the host (client or server) that is requesting |
identities | an optional filter for PSK identities to be returned (an empty list means: all identities are welcome) |
prf | an optional filter for the Pseudo Random Function the PRFs must be provisioned for |
Definition at line 62 of file credentials_manager.cpp.
Referenced by choose_preshared_key(), and psk().
|
virtual |
Return a raw public key to be used for authentication or nullptr if no public key was found.
It is assumed that the caller can get the private key of the leaf with private_key_for().
key_types | specifies the key types desired ("RSA", "DSA", "ECDSA", etc), or empty if there is no preference by the caller. |
type | specifies the type of operation occurring |
context | specifies a context relative to type. |
Definition at line 90 of file credentials_manager.cpp.
Referenced by Botan::TLS::Certificate_13::Certificate_13(), and Botan::TLS::Certificate_13::Certificate_13().
|
virtual |
This function should either return nullptr or throw an exception if the key is unavailable.
raw_public_key
was returned by find_raw_public_key() Definition at line 117 of file credentials_manager.cpp.
|
virtual |
Definition at line 111 of file credentials_manager.cpp.
Referenced by Botan::TLS::Certificate_Verify_13::Certificate_Verify_13().
|
virtual |
Retrieves the PSK with the given identity
or throws an exception. It's default implementation uses find_preshared_keys() with identity
as the single allowed identity.
This method is called by the TLS 1.2 implementation exclusively and will eventually be deprecated in favor of find_preshared_keys(). Going forward, new applications should implement find_preshared_keys() and rely on psk()'s default implementation.
Also, the default implementation delegates context
"session-ticket" and "dtls-cookie-secret" to the methods session_ticket_key() and dtls_cookie_secret() respectively. New applications should implement those methods and rely on the default implementation of psk().
type | specifies the type of operation occurring |
context | specifies a context relative to type. |
identity | is a PSK identity previously returned by psk_identity for the same type and context. |
Definition at line 25 of file credentials_manager.cpp.
References Botan::TLS::Client, dtls_cookie_secret(), find_preshared_keys(), Botan::fmt(), Botan::TLS::Server, and session_ticket_key().
Referenced by Botan::TLS::Client_Key_Exchange::Client_Key_Exchange(), and Botan::TLS::Client_Key_Exchange::Client_Key_Exchange().
|
virtual |
type | specifies the type of operation occurring |
context | specifies a context relative to type. |
identity_hint | was passed by the server (but may be empty) |
Definition at line 19 of file credentials_manager.cpp.
Referenced by Botan::TLS::Client_Key_Exchange::Client_Key_Exchange().
|
virtual |
type | specifies the type of operation occurring |
context | specifies a context relative to type. |
Definition at line 15 of file credentials_manager.cpp.
Referenced by Botan::TLS::Server_Key_Exchange::Server_Key_Exchange().
|
virtual |
Provides a secret value to encrypt session tickets for stateless session resumptions. The default implementation returns an empty key that effectively disables session tickets.
Definition at line 123 of file credentials_manager.cpp.
Referenced by psk().
|
virtual |
Return a list of the certificates of CAs that we trust in this type/context.
type | specifies the type of operation occurring |
context | specifies a context relative to type. For instance for type "tls-client", context specifies the servers name. |
Definition at line 131 of file credentials_manager.cpp.
Referenced by Botan::TLS::Certificate_Request_13::maybe_create().