Botan 3.9.0
Crypto and TLS for C&
tls_callbacks.h
Go to the documentation of this file.
1/*
2* TLS Callbacks
3* (C) 2016 Matthias Gierlings
4* 2016 Jack Lloyd
5* 2017 Harry Reimann, Rohde & Schwarz Cybersecurity
6* 2022 René Meusel, Rohde & Schwarz Cybersecurity
7*
8* Botan is released under the Simplified BSD License (see license.txt)
9*/
10
11#ifndef BOTAN_TLS_CALLBACKS_H_
12#define BOTAN_TLS_CALLBACKS_H_
13
14#include <botan/dl_group.h>
15#include <botan/ocsp.h>
16#include <botan/pubkey.h>
17#include <botan/tls_alert.h>
18#include <botan/tls_session.h>
19#include <chrono>
20#include <optional>
21
22namespace Botan {
23
26
27namespace OCSP {
28
29class Response;
30
31}
32
33namespace TLS {
34
35class Handshake_Message;
36class Policy;
37class Extensions;
38class Certificate_Status_Request;
39
40/**
41* Encapsulates the callbacks that a TLS channel will make which are due to
42* channel specific operations.
43*/
44class BOTAN_PUBLIC_API(2, 0) Callbacks /* NOLINT(*-special-member-functions) */ {
45 public:
46 virtual ~Callbacks() = default;
47
48 /**
49 * @name Mandatory
50 *
51 * Those callbacks must be implemented by all applications that use TLS.
52 * @{
53 */
54
55 /**
56 * Mandatory callback: output function
57 *
58 * The channel will call this with data which needs to be sent to the peer
59 * (eg, over a socket or some other form of IPC). The array will be overwritten
60 * when the function returns so a copy must be made if the data cannot be
61 * sent immediately.
62 *
63 * As an example you could use the syscall ``send`` to perform a blocking
64 * write on a socket, or append the data to a queue managed by your
65 * application and initiate an asynchronous write.
66 *
67 * For TLS all writes must occur *in the order requested*. For DTLS this
68 * ordering is not strictly required, but is still recommended.
69 *
70 * @param data a contiguous data buffer to send
71 */
72 virtual void tls_emit_data(std::span<const uint8_t> data) = 0;
73
74 /**
75 * Mandatory callback: process application data
76 *
77 * Called when application data record is received from the peer. The
78 * array is overwritten immediately after the function returns.
79 *
80 * Currently empty records are ignored and do not instigate a callback,
81 * but this may change in a future release.
82 *
83 * For TLS the record number will always increase. For DTLS, it is
84 * possible to receive records with the @p seq_no field out of order, or
85 * with gaps, corresponding to reordered or lost datagrams.
86 *
87 * @param seq_no the underlying TLS/DTLS record sequence number
88 *
89 * @param data a contiguous data buffer containing the received record
90 */
91 virtual void tls_record_received(uint64_t seq_no, std::span<const uint8_t> data) = 0;
92
93 /**
94 * Mandatory callback: alert received
95 *
96 * Called when an alert is received from the peer. If fatal, the
97 * connection is closing. If not fatal, the connection may still be
98 * closing (depending on the error and the peer).
99 *
100 * Note that alerts received before the handshake is complete are not
101 * authenticated and could have been inserted by a MITM attacker.
102 */
103 virtual void tls_alert(Alert alert) = 0;
104
105 /// @}
106 // End of mandatory callbacks
107
108 /**
109 * @name Informational
110 *
111 * Override these to obtain deeper insights into the TLS connection.
112 * Throwing from any of these callbacks will result in the termination of
113 * the TLS connection.
114 * @{
115 */
116
117 /**
118 * Optional callback: session established
119 *
120 * Called whenever a negotiation completes. This can happen more than once
121 * on TLS 1.2 connections, if renegotiation occurs. The @p session
122 * parameter provides information about the session which was just
123 * established.
124 *
125 * If this function wishes to cancel the handshake, it can throw an
126 * exception which will send a close message to the counterparty and reset
127 * the connection state.
128 *
129 * @param session the session descriptor
130 */
131 virtual void tls_session_established(const Session_Summary& session);
132
133 /**
134 * Optional callback: session activated
135 *
136 * By default does nothing. This is called when the session is activated,
137 * that is once it is possible to send or receive data on the channel. In
138 * particular it is possible for an implementation of this function to
139 * perform an initial write on the channel.
140 */
141 virtual void tls_session_activated() {}
142
143 /**
144 * Optional callback: peer closed connection (sent a "close_notify" alert)
145 *
146 * The peer signaled that it wishes to shut down the connection. The
147 * application should not expect to receive any more data from the peer
148 * and may tear down the underlying transport socket.
149 *
150 * Prior to TLS 1.3 it was required that peers discard pending writes
151 * and immediately respond with their own "close_notify". With TLS 1.3,
152 * applications can continue to send data despite the peer having already
153 * signaled their wish to shut down.
154 *
155 * Returning `true` will cause the TLS 1.3 implementation to write all
156 * pending data and then also signal a connection shut down. Otherwise
157 * the application is responsible to call the `Channel::close()` method.
158 *
159 * For TLS 1.2 the return value has no effect.
160 *
161 * @return true causes the implementation to respond with a "close_notify"
162 */
163 virtual bool tls_peer_closed_connection() { return true; }
164
165 /**
166 * Optional callback: Resumption information was received/established
167 *
168 * TLS 1.3 calls this when we sent or received a TLS 1.3 session ticket at
169 * any point after the initial handshake has finished.
170 *
171 * TLS 1.2 calls this when a session was established successfully and
172 * its resumption information may be stored for later usage.
173 *
174 * Note that for servers this is called as soon as resumption information
175 * is available and _could_ be sent to the client. If this callback
176 * returns 'false', the information will neither be cached nor sent.
177 *
178 * @param session the session descriptor
179 *
180 * @return false to prevent the resumption information from being cached,
181 * and true to cache it in the configured Session_Manager
182 */
183 virtual bool tls_should_persist_resumption_information(const Session& session);
184
185 /**
186 * Optional callback with default impl: verify cert chain
187 *
188 * Default implementation performs a standard PKIX validation
189 * and initiates network OCSP request for end-entity cert.
190 * Override to provide different behavior.
191 *
192 * Check the certificate chain is valid up to a trusted root, and
193 * optionally (if hostname != "") that the hostname given is
194 * consistent with the leaf certificate.
195 *
196 * This function should throw an exception derived from
197 * std::exception with an informative what() result if the
198 * certificate chain cannot be verified.
199 *
200 * @param cert_chain specifies a certificate chain leading to a
201 * trusted root CA certificate.
202 * @param ocsp_responses the server may have provided some
203 * @param trusted_roots the list of trusted certificates
204 * @param usage what this cert chain is being used for
205 * Usage_Type::TLS_SERVER_AUTH for server chains,
206 * Usage_Type::TLS_CLIENT_AUTH for client chains,
207 * Usage_Type::UNSPECIFIED for other uses
208 * @param hostname when authenticating a server, this is the hostname
209 * the client requested (eg via SNI). When authenticating a client,
210 * this is the server name the client is authenticating *to*.
211 * Empty in other cases or if no hostname was used.
212 * @param policy the TLS policy associated with the session being authenticated
213 * using the certificate chain
214 */
215 virtual void tls_verify_cert_chain(const std::vector<X509_Certificate>& cert_chain,
216 const std::vector<std::optional<OCSP::Response>>& ocsp_responses,
217 const std::vector<Certificate_Store*>& trusted_roots,
218 Usage_Type usage,
219 std::string_view hostname,
220 const TLS::Policy& policy);
221
222 /**
223 * Optional callback. Default impl always rejects.
224 *
225 * This allows using raw public keys for authentication of peers as
226 * described in RFC 7250 and RFC 8446 4.2.2. Applications that wish
227 * to use raw public keys MUST override this callback to verify the
228 * authenticity of the received public keys.
229 *
230 * Default implementation always rejects the raw public key.
231 *
232 * This function should throw an exception derived from
233 * std::exception with an informative what() result if the
234 * raw public key cannot be verified.
235 *
236 * @param raw_public_key specifies the raw public key to be used
237 * for peer authentication
238 * @param usage what this cert chain is being used for
239 * Usage_Type::TLS_SERVER_AUTH for server chains,
240 * Usage_Type::TLS_CLIENT_AUTH for client chains,
241 * @param hostname when authenticating a server, this is the hostname
242 * the client requested (eg via SNI). When authenticating a client,
243 * this is the server name the client is authenticating *to*.
244 * Empty in other cases or if no hostname was used.
245 * @param policy the TLS policy associated with the session being authenticated
246 * using the raw public key
247 */
248 virtual void tls_verify_raw_public_key(const Public_Key& raw_public_key,
249 Usage_Type usage,
250 std::string_view hostname,
251 const TLS::Policy& policy);
252
253 /**
254 * Called by default `tls_verify_cert_chain` to get the timeout to use for OCSP
255 * requests. Return 0 to disable online OCSP checks.
256 *
257 * This function should not be "const" since the implementation might need
258 * to perform some side effecting operation to compute the result.
259 */
260 virtual std::chrono::milliseconds tls_verify_cert_chain_ocsp_timeout() const {
261 return std::chrono::milliseconds(0);
262 }
263
264 /**
265 * Called by the TLS server whenever the client included the
266 * status_request extension (see RFC 6066, a.k.a OCSP stapling)
267 * in the ClientHello.
268 *
269 * @return the encoded OCSP response to be sent to the client which
270 * indicates the revocation status of the server certificate. Return an
271 * empty vector to indicate that no response is available, and thus
272 * suppress the Certificate_Status message.
273 *
274 * Default implementation returns an empty vector, disabling certificate status
275 */
276 virtual std::vector<uint8_t> tls_provide_cert_status(const std::vector<X509_Certificate>& chain,
277 const Certificate_Status_Request& csr);
278
279 /**
280 * Called by TLS 1.3 client or server whenever the peer indicated that
281 * OCSP stapling is supported. In contrast to `tls_provide_cert_status`,
282 * this allows providing OCSP responses for each certificate in the chain.
283 *
284 * The default implementation invokes `tls_provide_cert_status` assuming
285 * that no OCSP responses for intermediate certificates are available.
286 *
287 * @return a vector of OCSP response buffers. An empty buffer indicates
288 * that no OCSP response should be provided for the respective
289 * certificate (at the same list index). The returned vector
290 * MUST be exactly the same length as the incoming \p chain.
291 */
292 virtual std::vector<std::vector<uint8_t>> tls_provide_cert_chain_status(
293 const std::vector<X509_Certificate>& chain, const Certificate_Status_Request& csr);
294
295 /**
296 * Optional callback with default impl: sign a message
297 *
298 * Default implementation uses PK_Signer::sign_message().
299 * Override to provide a different approach, e.g. using an external device.
300 *
301 * @param key the private key of the signer
302 * @param rng a random number generator
303 * @param padding the encoding method to be applied to the message
304 * @param format the signature format
305 * @param msg the input data for the signature
306 *
307 * @return the signature
308 */
309 virtual std::vector<uint8_t> tls_sign_message(const Private_Key& key,
311 std::string_view padding,
312 Signature_Format format,
313 const std::vector<uint8_t>& msg);
314
315 /**
316 * Optional callback with default impl: verify a message signature
317 *
318 * Default implementation uses PK_Verifier::verify_message().
319 * Override to provide a different approach, e.g. using an external device.
320 *
321 * @param key the public key of the signer
322 * @param padding the encoding method to be applied to the message
323 * @param format the signature format
324 * @param msg the input data for the signature
325 * @param sig the signature to be checked
326 *
327 * @return true if the signature is valid, false otherwise
328 */
329 virtual bool tls_verify_message(const Public_Key& key,
330 std::string_view padding,
331 Signature_Format format,
332 const std::vector<uint8_t>& msg,
333 const std::vector<uint8_t>& sig);
334
335 /**
336 * Optional callback: deserialize a public key received from the peer
337 *
338 * Default implementation simply parses the public key using Botan's
339 * public keys. Override to provide a different approach, e.g. using an
340 * external device.
341 *
342 * If deserialization fails, the default implementation throws a
343 * Botan::Decoding_Error exception that will be translated into a
344 * TLS_Exception with an Alert::IllegalParamter.
345 *
346 * @param group the group identifier or (in case of TLS 1.2) an explicit
347 * discrete-log group of the public key
348 * @param key_bits the serialized public key
349 *
350 * @return the deserialized and ready-to-use public key
351 */
352 virtual std::unique_ptr<Public_Key> tls_deserialize_peer_public_key(
353 const std::variant<TLS::Group_Params, DL_Group>& group, std::span<const uint8_t> key_bits);
354
355 /**
356 * Generate an ephemeral KEM key for a TLS 1.3 handshake
357 *
358 * Applications may use this to add custom KEM algorithms or entirely
359 * different key exchange schemes to the TLS 1.3 handshake. For instance,
360 * this could provide an entry point to implement a hybrid key exchange
361 * with both a traditional algorithm like ECDH and a quantum-secure KEM.
362 * Typical use cases of the library don't need to do that and serious
363 * security risks are associated with customizing TLS's key encapsulation
364 * mechanism.
365 *
366 * Note that the KEM interface is usable for TLS 1.3 handshakes, only.
367 *
368 * The default implementation simply delegates this to the
369 * tls_generate_ephemeral_key() call when appropriate.
370 *
371 * @param group the group identifier to generate an ephemeral keypair for
372 * @param rng a random number generator
373 *
374 * @returns a keypair whose public key will be provided to the peer and
375 * the private key will be provided to tls_kem_decapsulate later
376 * in the handshake.
377 */
378 virtual std::unique_ptr<Private_Key> tls_kem_generate_key(TLS::Group_Params group, RandomNumberGenerator& rng);
379
380 /**
381 * Performs a key encapsulation operation (used for TLS 1.3 servers)
382 *
383 * Applications may use this to add custom KEM algorithms or entirely
384 * different key exchange schemes to the TLS 1.3 handshake. For instance,
385 * this could provide an entry point to implement a hybrid key exchange
386 * with both a traditional algorithm like ECDH and a quantum-secure KEM.
387 * Typical use cases of the library don't need to do that and serious
388 * security risks are associated with customizing TLS's key encapsulation
389 * mechanism.
390 *
391 * Note that the KEM interface is usable for TLS 1.3 handshakes, only.
392 *
393 * The default implementation implements this key encapsulation as a
394 * combination of tls_generate_ephemeral_key() followed by
395 * tls_ephemeral_key_agreement() with the provided @p encoded_public_key.
396 * The just-generated ephemeral private key is destroyed immediately.
397 *
398 * @param group the group identifier of the KEM/KEX algorithm
399 * @param encoded_public_key the public key used for encapsulation/KEX
400 * @param rng a random number generator
401 * @param policy a TLS policy object
402 *
403 * @returns the shared secret both in plaintext and encapsulated with
404 * @p encoded_public_key.
405 */
406 virtual KEM_Encapsulation tls_kem_encapsulate(TLS::Group_Params group,
407 const std::vector<uint8_t>& encoded_public_key,
409 const Policy& policy);
410
411 /**
412 * Performs a key decapsulation operation (used for TLS 1.3 clients).
413 *
414 * Applications may use this to add custom KEM algorithms or entirely
415 * different key exchange schemes to the TLS 1.3 handshake. For instance,
416 * this could provide an entry point to implement a hybrid key exchange
417 * with both a traditional algorithm like ECDH and a quantum-secure KEM.
418 * Typical use cases of the library don't need to do that and serious
419 * security risks are associated with customizing TLS's key encapsulation
420 * mechanism.
421 *
422 * Note that the KEM interface is usable for TLS 1.3 handshakes, only.
423 *
424 * The default implementation simply delegates this to the
425 * tls_ephemeral_key_agreement() callback to obtain the shared secret.
426 *
427 * @param group the group identifier of the KEM/KEX algorithm
428 * @param private_key the private key used for decapsulation/KEX
429 * @param encapsulated_bytes the content to decapsulate (or the public key share)
430 * @param rng a random number generator
431 * @param policy a TLS policy object
432 *
433 * @returns the plaintext shared secret from @p encapsulated_bytes after
434 * decapsulation with @p private_key.
435 */
436 virtual secure_vector<uint8_t> tls_kem_decapsulate(TLS::Group_Params group,
437 const Private_Key& private_key,
438 const std::vector<uint8_t>& encapsulated_bytes,
440 const Policy& policy);
441
442 /**
443 * Generate an ephemeral key pair for the TLS handshake.
444 *
445 * Applications may use this to add custom groups, curves or entirely
446 * different ephemeral key agreement mechanisms to the TLS handshake.
447 * Note that this callback must be used in conjunction with
448 * Callbacks::tls_ephemeral_key_agreement.
449 *
450 * Typical use cases of the library don't need to do that and serious
451 * security risks are associated with customizing TLS's key exchange
452 * mechanism.
453 *
454 * @throws TLS_Exception(Alert::DecodeError) if the @p group is not known.
455 *
456 * @param group the group identifier to generate an ephemeral keypair for
457 * TLS 1.2 allows for specifying custom discrete logarithm
458 * parameters as part of the protocol. Hence the variant<>.
459 * @param rng a random number generator
460 *
461 * @return a private key of an algorithm usable for key agreement
462 */
463 virtual std::unique_ptr<PK_Key_Agreement_Key> tls_generate_ephemeral_key(
464 const std::variant<TLS::Group_Params, DL_Group>& group, RandomNumberGenerator& rng);
465
466 /**
467 * Agree on a shared secret with the peer's ephemeral public key for
468 * the TLS handshake.
469 *
470 * Applications may use this to add custom groups, curves or entirely
471 * different ephemeral key agreement mechanisms to the TLS handshake.
472 * Note that this callback must be used in conjunction with
473 * Callbacks::tls_generate_ephemeral_key.
474 *
475 * Typical use cases of the library don't need to do that and serious
476 * security risks are associated with customizing TLS's key exchange
477 * mechanism.
478 *
479 * @param group the TLS group identifier to be used
480 * TLS 1.2 allows for specifying custom discrete
481 * logarithm parameters as part of the protocol.
482 * Hence the variant<>.
483 * @param private_key the private key (generated ahead in tls_generate_ephemeral_key)
484 * @param public_value the public key exchange information received by the peer
485 * @param rng a random number generator
486 * @param policy a TLS policy object
487 *
488 * @return the shared secret derived from public_value and private_key
489 */
490 virtual secure_vector<uint8_t> tls_ephemeral_key_agreement(const std::variant<TLS::Group_Params, DL_Group>& group,
491 const PK_Key_Agreement_Key& private_key,
492 const std::vector<uint8_t>& public_value,
494 const Policy& policy);
495
496 /**
497 * Optional callback: inspect handshake message
498 * Throw an exception to abort the handshake.
499 * Default simply ignores the message.
500 *
501 * Note: On connections that negotiated TLS 1.3 this callback is also
502 * invoked for post-handshake messages.
503 *
504 * @param message the handshake message
505 */
506 virtual void tls_inspect_handshake_msg(const Handshake_Message& message);
507
508 /**
509 * Optional callback for server: choose ALPN protocol
510 *
511 * ALPN (RFC 7301) works by the client sending a list of application
512 * protocols it is willing to negotiate. The server then selects which
513 * protocol to use. RFC 7301 requires that if the server does not support
514 * any protocols offered by the client, then it should close the connection
515 * with an alert of no_application_protocol. Within this callback this would
516 * be done by throwing a TLS_Exception(Alert::NoApplicationProtocol)
517 *
518 * @param client_protos the vector of protocols the client is willing to negotiate
519 *
520 * @return the protocol selected by the server; if the empty string is
521 * returned, the server does not reply to the client ALPN extension.
522 *
523 * The default implementation returns the empty string, causing client
524 * ALPN to be ignored.
525 *
526 * It is highly recommended to support ALPN whenever possible to avoid
527 * cross-protocol attacks.
528 */
529 virtual std::string tls_server_choose_app_protocol(const std::vector<std::string>& client_protos);
530
531 /**
532 * Optional callback: examine/modify Extensions before sending.
533 *
534 * Both client and server will call this callback on the Extensions object
535 * before serializing it in the specific handshake message. This allows an
536 * application to modify which extensions are sent during the handshake.
537 *
538 * Default implementation does nothing.
539 *
540 * @param extn the extensions
541 * @param which_side will be Connection_Side::Client or Connection_Side::Server which is the current
542 * applications role in the exchange.
543 * @param which_message will state the handshake message type containing the extensions
544 */
545 virtual void tls_modify_extensions(Extensions& extn, Connection_Side which_side, Handshake_Type which_message);
546
547 /**
548 * Optional callback: examine peer extensions.
549 *
550 * Both client and server will call this callback with the Extensions
551 * object after receiving it from the peer. This allows examining the
552 * Extensions, for example to implement a custom extension. It also allows
553 * an application to require that a particular extension be implemented;
554 * throw an exception from this function to abort the handshake.
555 *
556 * Default implementation does nothing.
557 *
558 * @param extn the extensions
559 * @param which_side will be Connection_Side::Client if these are are the clients extensions (ie we are
560 * the server) or Connection_Side::Server if these are the server extensions (we are the client).
561 * @param which_message will state the handshake message type containing the extensions
562 */
563 virtual void tls_examine_extensions(const Extensions& extn,
564 Connection_Side which_side,
565 Handshake_Type which_message);
566
567 /**
568 * Optional callback: parse a single OCSP Response
569 *
570 * Note: Typically a user of the library would not want to override this
571 * callback. We provide this callback to be able to support OCSP
572 * related tests from BoringSSL's BoGo tests that provide unparsable
573 * responses.
574 *
575 * Default implementation tries to parse the provided raw OCSP response.
576 *
577 * This function should not throw an exception but return a std::nullopt
578 * if the OCSP response cannot be parsed.
579 *
580 * @param raw_response raw OCSP response buffer
581 * @returns the parsed OCSP response or std::nullopt on error
582 */
583 virtual std::optional<OCSP::Response> tls_parse_ocsp_response(const std::vector<uint8_t>& raw_response);
584
585 /**
586 * Optional callback: return peer network identity
587 *
588 * There is no expected or specified format. The only expectation is this
589 * function will return a unique value. For example returning the peer
590 * host IP and port.
591 *
592 * This is used to bind the DTLS cookie to a particular network identity.
593 * It is only called if the dtls-cookie-secret PSK is also defined.
594 */
595 virtual std::string tls_peer_network_identity();
596
597 /**
598 * Optional callback: return a custom time stamp value
599 *
600 * This allows the library user to specify a custom "now" timestamp when
601 * needed. By default it will use the current system clock time.
602 *
603 * Note that typical usages will not need to override this callback but it
604 * is useful for testing purposes to allow for deterministic test outcomes.
605 */
606 virtual std::chrono::system_clock::time_point tls_current_timestamp();
607
608 /**
609 * Optional callback: error logging. (not currently called)
610 * @param err An error message related to this connection.
611 */
612 virtual void tls_log_error(const char* err);
613
614 /**
615 * Optional callback: debug logging. (not currently called)
616 * @param what Some hopefully informative string
617 */
618 virtual void tls_log_debug(const char* what);
619
620 /**
621 * Optional callback: debug logging taking a buffer. (not currently called)
622 * @param descr What this buffer is
623 * @param val the bytes
624 * @param val_len length of val
625 */
626 virtual void tls_log_debug_bin(const char* descr, const uint8_t val[], size_t val_len);
627
628 /**
629 * Optional callback: Allows access to a connection's secret data
630 *
631 * Useful to implement the SSLKEYLOGFILE for connection debugging as
632 * specified in ietf.org/archive/id/draft-thomson-tls-keylogfile-00.html
633 *
634 * Invoked if Policy::allow_ssl_key_log_file returns true.
635 *
636 * Default implementation simply ignores the inputs.
637 *
638 * @param label Identifies the reported secret type
639 * See draft-thomson-tls-keylogfile-00 Section 3.1 and 3.2
640 * @param client_random random value from ClientHello message acting as
641 * an identifier of the TLS sessions
642 * @param secret the actual secret value
643 */
644 virtual void tls_ssl_key_log_data(std::string_view label,
645 std::span<const uint8_t> client_random,
646 std::span<const uint8_t> secret) const;
647};
648
649} // namespace TLS
650
651} // namespace Botan
652
653#endif
#define BOTAN_PUBLIC_API(maj, min)
Definition api.h:21
virtual std::chrono::milliseconds tls_verify_cert_chain_ocsp_timeout() const
virtual ~Callbacks()=default
virtual void tls_session_activated()
virtual void tls_session_established(const Session_Summary &session)
virtual void tls_record_received(uint64_t seq_no, std::span< const uint8_t > data)=0
virtual void tls_alert(Alert alert)=0
virtual bool tls_peer_closed_connection()
virtual void tls_emit_data(std::span< const uint8_t > data)=0
Signature_Format
Definition pk_keys.h:32
std::vector< T, secure_allocator< T > > secure_vector
Definition secmem.h:69
Usage_Type
Definition x509cert.h:22