2 * Copyright (C) 2007-2009 Martin Willi
3 * Hochschule fuer Technik Rapperswil
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
17 * @defgroup credential_manager credential_manager
18 * @{ @ingroup credentials
21 #ifndef CREDENTIAL_MANAGER_H_
22 #define CREDENTIAL_MANAGER_H_
24 typedef struct credential_manager_t credential_manager_t
;
26 #include <utils/identification.h>
27 #include <utils/enumerator.h>
28 #include <credentials/auth_cfg.h>
29 #include <credentials/credential_set.h>
30 #include <credentials/keys/private_key.h>
31 #include <credentials/keys/shared_key.h>
32 #include <credentials/certificates/certificate.h>
33 #include <credentials/cert_validator.h>
36 * Manages credentials using credential_sets.
38 * The credential manager is the entry point of the credential framework. It
39 * uses so called "sets" to access credentials in a modular fashion. These
40 * are implemented through the credential_set_t interface.
41 * The manager additionally does trust chain verification and trust status
42 * caching. A set may call the managers methods if it needs credentials itself.
43 * The manager uses recursive locking.
47 +-------+ +----------------+
48 | A | | | +------------------+
49 | u | -----> | | ------> | +------------------+
50 | t | | credential- | | | +------------------+
51 | h | -----> | manager | ------> +--| | credential- | => IPC
53 | n | +--> | | ------> +------------------+
56 | c | | +----------------+ |
58 | t | +----------------------------------------------+
59 | o | may be recursive
65 * The credential manager uses rwlocks for performance reasons. Credential
66 * sets must be fully thread-safe.
68 struct credential_manager_t
{
71 * Create an enumerator over all certificates.
73 * @param cert kind of certificate
74 * @param key kind of key in certificate
75 * @param id subject this certificate belongs to
76 * @param trusted TRUE to list trusted certificates only
77 * @return enumerator over the certificates
79 enumerator_t
*(*create_cert_enumerator
)(credential_manager_t
*this,
80 certificate_type_t cert
, key_type_t key
,
81 identification_t
*id
, bool trusted
);
83 * Create an enumerator over all shared keys.
85 * The enumerator enumerates over:
86 * shared_key_t*, id_match_t me, id_match_t other
87 * But must accept values for the id_matches.
89 * @param type kind of requested shared key
90 * @param first first subject between key is shared
91 * @param second second subject between key is shared
92 * @return enumerator over shared keys
94 enumerator_t
*(*create_shared_enumerator
)(credential_manager_t
*this,
95 shared_key_type_t type
,
96 identification_t
*first
, identification_t
*second
);
98 * Create an enumerator over all Certificate Distribution Points.
100 * @param type kind of certificate the point distributes
101 * @param id identification of the distributed certificate
102 * @return enumerator of CDPs as char*
104 enumerator_t
*(*create_cdp_enumerator
)(credential_manager_t
*this,
105 certificate_type_t type
, identification_t
*id
);
107 * Get a trusted or untrusted certificate.
109 * @param cert kind of certificate
110 * @param key kind of key in certificate
111 * @param id subject this certificate belongs to
112 * @param trusted TRUE to get a trusted certificate only
113 * @return certificate, if found, NULL otherwise
115 certificate_t
*(*get_cert
)(credential_manager_t
*this,
116 certificate_type_t cert
, key_type_t key
,
117 identification_t
*id
, bool trusted
);
119 * Get the best matching shared key for two IDs.
121 * @param type kind of requested shared key
122 * @param me own identity
123 * @param other peer identity
124 * @return shared_key_t, NULL if none found
126 shared_key_t
*(*get_shared
)(credential_manager_t
*this, shared_key_type_t type
,
127 identification_t
*me
, identification_t
*other
);
129 * Get a private key to create a signature.
131 * The get_private() method gets a secret private key identified by either
132 * the keyid itself or an id the key belongs to.
133 * The auth parameter contains additional information, such as recipients
134 * trusted CA certs. Auth gets filled with subject and CA certificates
135 * needed to validate a created signature.
137 * @param type type of the key to get
138 * @param id identification the key belongs to
139 * @param auth auth config, including trusted CA certificates
140 * @return private_key_t, NULL if none found
142 private_key_t
* (*get_private
)(credential_manager_t
*this, key_type_t type
,
143 identification_t
*id
, auth_cfg_t
*auth
);
146 * Create an enumerator over trusted certificates.
148 * This method creates an enumerator over trusted certificates. The auth
149 * parameter (if given) receives the trustchain used to validate
150 * the certificate. The resulting enumerator enumerates over
151 * certificate_t*, auth_cfg_t*.
152 * If online is set, revocations are checked online for the whole
155 * @param type type of the key we want a certificate for
156 * @param id subject of the certificate
157 * @param online whether revocations should be checked online
160 enumerator_t
* (*create_trusted_enumerator
)(credential_manager_t
*this,
161 key_type_t type
, identification_t
*id
, bool online
);
164 * Create an enumerator over trusted public keys.
166 * This method creates an enumerator over trusted public keys to verify a
167 * signature created by id. The auth parameter contains additional
168 * authentication infos, e.g. peer and intermediate certificates.
169 * The resulting enumerator enumerates over public_key_t *, auth_cfg_t *,
170 * where the auth config helper contains rules for constraint checks.
171 * This function is very similar to create_trusted_enumerator(), but
172 * gets public keys directly.
174 * @param type type of the key to get
175 * @param id owner of the key, signer of the signature
176 * @param auth authentication infos
179 enumerator_t
* (*create_public_enumerator
)(credential_manager_t
*this,
180 key_type_t type
, identification_t
*id
, auth_cfg_t
*auth
);
183 * Cache a certificate by invoking cache_cert() on all registered sets.
185 * @param cert certificate to cache
187 void (*cache_cert
)(credential_manager_t
*this, certificate_t
*cert
);
190 * Flush the certificate cache.
192 * Only the managers local cache is flushed, but not the sets cache filled
193 * by the cache_cert() method.
195 * @param type type of certificate to flush, or CERT_ANY
197 void (*flush_cache
)(credential_manager_t
*this, certificate_type_t type
);
200 * Check if a given subject certificate is issued by an issuer certificate.
202 * This operation does signature verification using the credential
203 * manager's cache to speed up the operation.
205 * @param subject subject certificate to check
206 * @param issuer issuer certificate that potentially has signed subject
207 * @return TRUE if issuer signed subject
209 bool (*issued_by
)(credential_manager_t
*this,
210 certificate_t
*subject
, certificate_t
*issuer
);
213 * Register a credential set to the manager.
215 * @param set set to register
217 void (*add_set
)(credential_manager_t
*this, credential_set_t
*set
);
220 * Unregister a credential set from the manager.
222 * @param set set to unregister
224 void (*remove_set
)(credential_manager_t
*this, credential_set_t
*set
);
227 * Register a thread local credential set to the manager.
229 * To add a credential set for the current trustchain verification
230 * operation, sets may be added for the calling thread only. This
231 * does not require a write lock and is therefore a much cheaper
234 * @param set set to register
236 void (*add_local_set
)(credential_manager_t
*this, credential_set_t
*set
);
239 * Unregister a thread local credential set from the manager.
241 * @param set set to unregister
243 void (*remove_local_set
)(credential_manager_t
*this, credential_set_t
*set
);
246 * Register a certificate validator to the manager.
248 * @param vdtr validator to register
250 void (*add_validator
)(credential_manager_t
*this, cert_validator_t
*vdtr
);
253 * Remove a certificate validator from the manager.
255 * @param vdtr validator to unregister
257 void (*remove_validator
)(credential_manager_t
*this, cert_validator_t
*vdtr
);
260 * Destroy a credential_manager instance.
262 void (*destroy
)(credential_manager_t
*this);
266 * Create a credential_manager instance.
268 credential_manager_t
*credential_manager_create();
270 #endif /** CREDENTIAL_MANAGER_H_ @}*/