Botan 3.4.0
Crypto and TLS for C&
credentials_manager.h
Go to the documentation of this file.
1/*
2* Credentials Manager
3* (C) 2011,2012 Jack Lloyd
4*
5* Botan is released under the Simplified BSD License (see license.txt)
6*/
7
8#ifndef BOTAN_CREDENTIALS_MANAGER_H_
9#define BOTAN_CREDENTIALS_MANAGER_H_
10
11#include <botan/asn1_obj.h>
12#include <botan/certstor.h>
13#include <botan/pk_keys.h>
14#include <botan/strong_type.h>
15#include <botan/symkey.h>
16#include <botan/tls_external_psk.h>
17#include <botan/tls_magic.h>
18#include <botan/x509cert.h>
19#include <string>
20
21namespace Botan {
22
23class X509_DN;
24class BigInt;
25
26/**
27* Interface for a credentials manager.
28*
29* A type is a fairly static value that represents the general nature
30* of the transaction occurring. Currently used values are "tls-client"
31* and "tls-server". Context represents a hostname, email address,
32* username, or other identifier.
33*/
34class BOTAN_PUBLIC_API(2, 0) Credentials_Manager {
35 public:
36 virtual ~Credentials_Manager() = default;
37
38 /**
39 * Return a list of the certificates of CAs that we trust in this
40 * type/context.
41 *
42 * @param type specifies the type of operation occurring
43 *
44 * @param context specifies a context relative to type. For instance
45 * for type "tls-client", context specifies the servers name.
46 */
47 virtual std::vector<Certificate_Store*> trusted_certificate_authorities(const std::string& type,
48 const std::string& context);
49
50 /**
51 * Return a cert chain we can use, ordered from leaf to root,
52 * or else an empty vector.
53 *
54 * It is assumed that the caller can get the private key of the
55 * leaf with private_key_for
56 *
57 * For a comprehensive write-up of how to select certificates for TLS
58 * CertificateVerify messages, see RFC 8446 Sections 4.4.2.2 and 4.4.2.3.
59 *
60 * @param cert_key_types specifies the key types desired ("RSA",
61 * "DSA", "ECDSA", etc), or empty if there
62 * is no preference by the caller.
63 * @param cert_signature_schemes specifies the signature types desired
64 * as signatures in the certificate(s) itself,
65 * or empty for no preference by the caller.
66 *
67 * @param acceptable_CAs the CAs the requestor will accept (possibly empty)
68 * @param type specifies the type of operation occurring
69 * @param context specifies a context relative to type.
70 */
71 virtual std::vector<X509_Certificate> find_cert_chain(
72 const std::vector<std::string>& cert_key_types,
73 const std::vector<AlgorithmIdentifier>& cert_signature_schemes,
74 const std::vector<X509_DN>& acceptable_CAs,
75 const std::string& type,
76 const std::string& context);
77
78 /**
79 * Return a raw public key to be used for authentication or nullptr if no
80 * public key was found.
81 *
82 * It is assumed that the caller can get the private key of the leaf with
83 * private_key_for().
84 *
85 * @param key_types specifies the key types desired ("RSA", "DSA",
86 * "ECDSA", etc), or empty if there is no preference by
87 * the caller.
88 * @param type specifies the type of operation occurring
89 * @param context specifies a context relative to type.
90 */
91 virtual std::shared_ptr<Public_Key> find_raw_public_key(const std::vector<std::string>& key_types,
92 const std::string& type,
93 const std::string& context);
94
95 /**
96 * Return a cert chain we can use, ordered from leaf to root,
97 * or else an empty vector.
98 *
99 * This virtual function is deprecated, and will be removed in a
100 * future release. Use (and override) find_cert_chain instead.
101 *
102 * It is assumed that the caller can get the private key of the
103 * leaf with private_key_for
104 *
105 * @param cert_key_types specifies the key types desired ("RSA",
106 * "DSA", "ECDSA", etc), or empty if there
107 * is no preference by the caller.
108 * @param cert_signature_schemes specifies the signature types desired
109 * as signatures in the certificate(s) itself,
110 * or empty for no preference by the caller.
111 *
112 * @param type specifies the type of operation occurring
113 *
114 * @param context specifies a context relative to type.
115 */
116 virtual std::vector<X509_Certificate> cert_chain(const std::vector<std::string>& cert_key_types,
117 const std::vector<AlgorithmIdentifier>& cert_signature_schemes,
118 const std::string& type,
119 const std::string& context);
120
121 /**
122 * Return a cert chain we can use, ordered from leaf to root,
123 * or else an empty vector.
124 *
125 * It is assumed that the caller can get the private key of the
126 * leaf with private_key_for
127 *
128 * @param cert_key_type specifies the type of key requested
129 * ("RSA", "DSA", "ECDSA", etc)
130 * @param cert_signature_schemes specifies the signature types desired
131 * as signatures in the certificate(s) itself,
132 * or empty for no preference by the caller.
133 *
134 * @param type specifies the type of operation occurring
135 *
136 * @param context specifies a context relative to type.
137 */
138 std::vector<X509_Certificate> cert_chain_single_type(
139 const std::string& cert_key_type,
140 const std::vector<AlgorithmIdentifier>& cert_signature_schemes,
141 const std::string& type,
142 const std::string& context);
143
144 /**
145 * @return private key associated with this certificate if we should
146 * use it with this context. cert was returned by cert_chain
147 * This function should either return null or throw an exception if
148 * the key is unavailable.
149 */
150 virtual std::shared_ptr<Private_Key> private_key_for(const X509_Certificate& cert,
151 const std::string& type,
152 const std::string& context);
153
154 /**
155 * This function should either return nullptr or throw an exception if
156 * the key is unavailable.
157 *
158 * @return private key associated with this raw public key if we should
159 * use it with this context. @p raw_public_key was returned by
160 * find_raw_public_key()
161 */
162 virtual std::shared_ptr<Private_Key> private_key_for(const Public_Key& raw_public_key,
163 const std::string& type,
164 const std::string& context);
165
166 /**
167 * Provides a secret value to encrypt session tickets for stateless
168 * session resumptions. The default implementation returns an empty
169 * key that effectively disables session tickets.
170 *
171 * @returns a secret value to be used to encrypt session tickets in
172 * subclasses of Session_Manager_Stateless.
173 */
174 virtual secure_vector<uint8_t> session_ticket_key();
175
176 /**
177 * Provides a secret to authenticate DTLS hello cookies. The default
178 * implementation returns an empty key that effectively disables hello
179 * cookies. Applications that wish to use DTLS are strongly advised to
180 * implement this method.
181 *
182 * @returns a secret value to authenticate DTLS hello cookies
183 */
184 virtual secure_vector<uint8_t> dtls_cookie_secret();
185
186 /**
187 * @param type specifies the type of operation occurring
188 * @param context specifies a context relative to type.
189 * @return the PSK identity hint for this type/context
190 */
191 virtual std::string psk_identity_hint(const std::string& type, const std::string& context);
192
193 /**
194 * @param type specifies the type of operation occurring
195 * @param context specifies a context relative to type.
196 * @param identity_hint was passed by the server (but may be empty)
197 * @return the PSK identity we want to use
198 */
199 virtual std::string psk_identity(const std::string& type,
200 const std::string& context,
201 const std::string& identity_hint);
202
203 /**
204 * Retrieves the PSK with the given @p identity or throws an exception.
205 * It's default implementation uses find_preshared_keys() with @p identity
206 * as the single allowed identity.
207 *
208 * This method is called by the TLS 1.2 implementation exclusively and will
209 * eventually be deprecated in favor of find_preshared_keys(). Going
210 * forward, new applications should implement find_preshared_keys() and
211 * rely on psk()'s default implementation.
212 *
213 * Also, the default implementation delegates @p context "session-ticket"
214 * and "dtls-cookie-secret" to the methods session_ticket_key() and
215 * dtls_cookie_secret() respectively. New applications should implement
216 * those methods and rely on the default implementation of psk().
217 *
218 * @param type specifies the type of operation occurring
219 * @param context specifies a context relative to type.
220 * @param identity is a PSK identity previously returned by
221 psk_identity for the same type and context.
222 * @return the PSK used for identity, or throw an exception if no
223 * key exists
224 */
225 virtual SymmetricKey psk(const std::string& type, const std::string& context, const std::string& identity);
226
227 /**
228 * Filters all available PSKs with the given criterions. Note that omitted
229 * criterions (like an empty @p identities list or an unspecified @p PRF)
230 * must be interpreted as "no restriction".
231 *
232 * Note that this is used as the underlying API for the legacy psk()
233 * method currently still used in TLS 1.2. New applications should override
234 * find_preshared_keys() and leave psk() with the default implementation.
235 *
236 * In TLS 1.3 the @p identities might contain opaque session ticket data
237 * that is not necessarily a printable string, despite the utilized
238 * std::string type. Implementations must be prepared to ignore identities
239 * generated via the TLS 1.3 resumption mechanism.
240 *
241 * @param host the host name for which a PSK is requested (may be empty)
242 * @param whoami the type of the host (client or server) that is requesting
243 * @param identities an optional filter for PSK identities to be returned
244 * (an empty list means: all identities are welcome)
245 * @param prf an optional filter for the Pseudo Random Function the PRFs
246 * must be provisioned for
247 *
248 * @returns a list of PSKs that meet the defined criterions in preference order
249 */
250 virtual std::vector<TLS::ExternalPSK> find_preshared_keys(std::string_view host,
251 TLS::Connection_Side whoami,
252 const std::vector<std::string>& identities = {},
253 const std::optional<std::string>& prf = std::nullopt);
254
255 /**
256 * Selects a single PSK identity from the given @p identities and returns
257 * its details (i.e. the secret value) for it to be used in the handshake.
258 *
259 * The default implementation relies on the filtering capabilities
260 * provided by find_preshared_keys() and simply selects the first PSK
261 * returned. If applications need finer grained control, they should
262 * override this method.
263 *
264 * In TLS 1.3 the @p identities might contain opaque session ticket data
265 * that is not necessarily a printable string, despite the utilized
266 * std::string type. Implementations must be prepared to ignore identities
267 * generated via the TLS 1.3 resumption mechanism.
268 *
269 * @param host the host name for which a PSK is requested (may be empty)
270 * @param whoami the type of the host (client or server) that is requesting
271 * @param identities an optional filter for PSK identities to be returned
272 * (an empty list means: all identities are welcome)
273 * @param prf an optional filter for the Pseudo Random Function the PRFs
274 * must be provisioned for
275 *
276 * @returns the PSK for the selected identity or std::nullopt if no PSK
277 * meets the requirements
278 */
279 virtual std::optional<TLS::ExternalPSK> choose_preshared_key(
280 std::string_view host,
281 TLS::Connection_Side whoami,
282 const std::vector<std::string>& identities,
283 const std::optional<std::string>& prf = std::nullopt);
284};
285
286} // namespace Botan
287
288#endif
Botan::Credentials_Manager
Definition credentials_manager.h:34
Botan::Credentials_Manager::~Credentials_Manager
virtual ~Credentials_Manager()=default
Botan::Public_Key
Definition pk_keys.h:119
Botan::X509_Certificate
Definition x509cert.h:36
BOTAN_PUBLIC_API
#define BOTAN_PUBLIC_API(maj, min)
Definition compiler.h:31
Botan::secure_vector
std::vector< T, secure_allocator< T > > secure_vector
Definition secmem.h:61
Generated by doxygen 1.10.0