SSLconfig.h
1// -*- C++ -*-
2// Copyright (c) 2006-2010,2012 Isode Limited, London, England.
3// All rights reserved.
4//
5// Acquisition and use of this software and related materials for any
6// purpose requires a written licence agreement from Isode Limited,
7// or a written licence from an organisation licenced by Isode Limited
8// to grant such a licence.
9
10
11//
12//
14//
16//
17// Based largely on the DSA's version.
18//
19// @VERSION@
20
21#ifndef _SSL_CONFIG_H_
22#define _SSL_CONFIG_H_
23
24#include <set>
25#include <list>
26#include <string>
27#include <vector>
28
29#include <isode/base/compat.h>
30#include <isode/base/messages.h>
31#include <isode/crypto/cipher_suites.h>
32#include <crypto/icrypto/include/icrypto.hpp>
33#include "cdecl.h"
34
35// Version of TLS implementation (currently used by DsaCSSLConfig).
36// This is the version of the Isode implementation, not necessarily
37// corresponding to any specific TLS/SSL version.
38
39#define IC_TLS_IMPLEMENTATION_VERSION 3
40
41namespace SSLTLS {
42
/// Set of Cipher Suites (using the number).
/// The set holds suite identifiers, not names; see suite_name() for the
/// human-readable form of a single entry.
using cipher_suites_t = std::set<TLS_CipherSuite>;

/// Function returning a name for a cipher suite.
/// @param suite identifier of the cipher suite
/// @return pointer to the suite's name (storage owned by the implementation,
///         ssl_context.C)
EVENTSVC_DLL const char* suite_name(TLS_CipherSuite suite);
49
/// Values for choosing client verification.
/// Unscoped on purpose: callers refer to the enumerators unqualified.
enum tls_verify_client_choice {
    tls_verify_none,      ///< do not request a client certificate
    tls_verify_optional,  ///< request one, but proceed without it
    tls_verify_require    ///< require a client certificate
};
56
58
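// Just holds the configuration: the constructor creates some
// default values, and users should change some of them based on
// configuration. Cipher suites can be set by supplying a set of
// integers. Most likely we'll also want to permit a string
// (which'll be passed directly to OpenSSL) and/or change the set
// to a list to allow ordering.
/// Class for SSL configuration.
///
/// Scalar members carry value-initialised (zero/false) defaults so a
/// Config never holds indeterminate values; Config(const char*) is the
/// authoritative source of the real defaults and may overwrite them.
/// Policy-relevant members (verify_choice, verify_depth, checkRevocation,
/// dontTrustIdentities, OCSPnonce) should be set explicitly by the caller
/// rather than relied on from the zero defaults.
class Config {
public:
    // Connection specific items
    const char* IDcontext{nullptr};            ///< Session ID context.
    unsigned long supportFlags{};              ///< option flags
    long sessionCacheTimeout{};                ///< session timeout (seconds)
    tls_verify_client_choice verify_choice{};  ///< whether to do client authentication (value-init == tls_verify_none)

    // Config items when have permanent DB
    ICrypto::Environment::ptr_t envptr;        ///< Smart ptr to environment.
    std::string confset;                       ///< TLS configuration set.

    // Config items for ephemeral DB
    cipher_suites_t suites;                    ///< Configured cipher suites.
    std::string suitesstr;                     ///< Suites as OpenSSL string.

    std::string defaultFileDirectory;          ///< default filesystem directory location

    std::string randomSeedFile;                ///< name of random seed file
    std::string DHparametersFile;              ///< DH parameters file.
    bool disable_rsa_blinding{};               ///< whether to disable RSA blinding
    std::string identity_p12Bytes;             ///< some passed in identity (self-issued for bootstrap, probably)
    /// passphrase for identity_p12Bytes
    /// NOTE(review): secret material held in a plain std::string, which is
    /// not wiped on destruction or reallocation; consider a scrubbing
    /// container if that matters to the threat model.
    std::string identity_passphrase;
    std::string identity;                      ///< identity directory name, presuming identity_p12Bytes isn't set
    int verify_depth{};                        ///< permitted max length of chain
    std::string trustedCA_File;                ///< PEM file of CA certificates.
    std::list<std::string> trustedCA_Files;    ///< DER CA files.
    std::list<std::string> untrusted_Files;    ///< DER certificates.
    std::string LDAPhost;                      ///< LDAP hostname.
    int LDAPport{};                            ///< LDAP port.
    int checkRevocation{};                     ///< whether to check CRLs
    bool dontTrustIdentities{};                ///< whether to trust root CAs in identities
    bool OCSPnonce{};                          ///< whether to use (and require) nonces
    std::string OCSPuri;                       ///< URI for an OCSP trusted responder.
    std::string OCSPresponder;                 ///< name of file for certificate of trusted responder signer
    int lookup_flags{};                        ///< Things not to use for lookup.

    std::string pkcs11_module_path;            ///< path to pkcs11 module
    std::string pkcs11_module_init;            ///< pkcs11 module specific arguments
    std::string pkcs11_user_pphr;              ///< pkcs11 user pphr file (servepass encoded)
    std::string pkcs11_uri;                    ///< pkcs11 uri accessible by user_pin containing private key
    std::string pkcs11_cert;                   ///< path to PEM containing certificate issued for pkcs11 key and all CA

    /// Build a complete filesystem path from directory and filename.
    /// @param file file name to resolve
    /// @return the combined path (presumably relative to
    ///         defaultFileDirectory; confirm against the implementation)
    EVENTSVC_DLL std::string path(const std::string& file);

    /// Construct a configuration with default values.
    /// @param context session ID context, stored in IDcontext
    EVENTSVC_DLL Config(const char* context);

private:
    /// Default construction is not available to callers: a session ID
    /// context must be supplied.
    EVENTSVC_DLL Config();
};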
116
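// This can be reused for many actual connections
// It is configured using information from the SSL::Config object
// passed to the factory method.
// This is an abstract class to hide the actual SSL implementation
/// Class defining an SSL context.
class Context {
protected:
    /// Protect constructor to avoid making base objects.
    Context() {}

public:
    /// Factory method for context, creates concrete object.
    /// @param confobj configuration the context is built from
    /// @param msp     message structure (see isode/base/messages.h)
    /// @return a concrete Context. NOTE(review): ownership of the returned
    ///         pointer is not stated here; confirm in ssl_context.C before
    ///         deciding who deletes it.
    static EVENTSVC_DLL Context *Factory(Config *confobj, MSGstruct *msp);

    /// Virtual destructor so concrete contexts are destroyed correctly
    /// through a Context pointer.
    virtual ~Context() {}

    /// Reconfigure the context.
    /// @param confobj new configuration
    /// @param msp     message structure (see isode/base/messages.h)
    /// @return implementation-defined status code
    virtual int Configure(Config *confobj, MSGstruct *msp) = 0;

    /// Return set of available cipher suites.
    virtual const cipher_suites_t & AvailableSuites() = 0;

    /// Return set of default cipher suites.
    virtual const cipher_suites_t & DefaultSuites() = 0;

    /// Whether a TLS identity is available.
    virtual bool HaveTLSIdentity() = 0;

    /// Whether it is actually usable.
    virtual bool IsUsable() = 0;

    /// Return list of server certificates.
    /// NOTE(review): whether the caller owns (must X509_free) the returned
    /// X509 objects is not stated here; confirm against the implementation.
    virtual std::list<X509*> ServerCertificates() = 0;

    /// Return the list of trust anchors.
    /// NOTE(review): same ownership caveat as ServerCertificates().
    virtual std::list<X509*> GetTrustAnchors() const = 0;

    /// Retrieve TLS identity material for the requested key type.
    /// @param keyType    which key to report on
    /// @param key        presumably set to the matching private key
    /// @param san        presumably filled with subject alternative names
    /// @param cert_chain presumably filled with the DER certificate chain
    /// @return implementation-defined status code
    virtual int GetTlsInfo(const ICryptoKeyType keyType,
                           EVP_PKEY** key,
                           std::vector<std::string>& san,
                           std::vector<std::vector<unsigned char>>& cert_chain) const = 0;

    /// Number of identities held by this context.
    virtual size_t GetNbIdentities() const = 0;
};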
162
163
164}
165
166#endif /* _SSL_CONFIG_H_ */
EVENTSVC_DLL const char * suite_name(TLS_CipherSuite)
Function returning a name for a cipher suite.
Definition ssl_context.C:64
tls_verify_client_choice
Values for choosing client verification.
Definition SSLconfig.h:51
std::set< TLS_CipherSuite > cipher_suites_t
Set of Cipher Suites (using the number)
Definition SSLconfig.h:44
Class for SSL configuration.
Definition SSLconfig.h:65
tls_verify_client_choice verify_choice
whether to do client authentication
Definition SSLconfig.h:71
std::string identity_passphrase
passphrase for identity_p12Bytes
Definition SSLconfig.h:86
bool dontTrustIdentities
whether to trust root CAs in identities
Definition SSLconfig.h:95
std::string pkcs11_cert
path to PEM containing certificate issued for pkcs11 key and all CA
Definition SSLconfig.h:105
std::string OCSPuri
URI for an OCSP trusted responder.
Definition SSLconfig.h:97
std::string pkcs11_uri
pkcs11 uri accessible by user_pin containing private key
Definition SSLconfig.h:104
ICrypto::Environment::ptr_t envptr
Smart ptr to environment.
Definition SSLconfig.h:73
int checkRevocation
whether to check CRLs
Definition SSLconfig.h:94
std::string confset
TLS configuration set.
Definition SSLconfig.h:74
std::string LDAPhost
LDAP hostname.
Definition SSLconfig.h:92
std::string pkcs11_user_pphr
pkcs11 user pphr file (servepass encoded)
Definition SSLconfig.h:103
std::string identity
identity directory name, presuming identity_p12Bytes isn't set
Definition SSLconfig.h:87
std::string identity_p12Bytes
some passed in identity (self-issued for bootstrap, probably)
Definition SSLconfig.h:85
unsigned long supportFlags
option flags
Definition SSLconfig.h:69
std::string randomSeedFile
name of random seed file
Definition SSLconfig.h:82
std::string suitesstr
Suites as OpenSSL string.
Definition SSLconfig.h:78
cipher_suites_t suites
Configured cipher suites.
Definition SSLconfig.h:77
bool disable_rsa_blinding
whether to disable RSA blinding
Definition SSLconfig.h:84
const char * IDcontext
Session ID context.
Definition SSLconfig.h:68
EVENTSVC_DLL std::string path(const std::string &file)
Build a complete filesystem path from directory and filename.
std::string OCSPresponder
name of file for certificate of trusted responder signer
Definition SSLconfig.h:98
int LDAPport
LDAP port.
Definition SSLconfig.h:93
std::list< std::string > trustedCA_Files
DER CA files.
Definition SSLconfig.h:90
std::string pkcs11_module_init
pkcs11 module specific arguments
Definition SSLconfig.h:102
std::string trustedCA_File
PEM file of CA certificates.
Definition SSLconfig.h:89
std::list< std::string > untrusted_Files
DER certificates.
Definition SSLconfig.h:91
int verify_depth
permitted max length of chain
Definition SSLconfig.h:88
std::string defaultFileDirectory
default filesystem directory location
Definition SSLconfig.h:80
std::string DHparametersFile
DH parameters file.
Definition SSLconfig.h:83
int lookup_flags
Things not to use for lookup.
Definition SSLconfig.h:99
bool OCSPnonce
whether to use (and require) nonces
Definition SSLconfig.h:96
long sessionCacheTimeout
session timeout (seconds)
Definition SSLconfig.h:70
std::string pkcs11_module_path
path to pkcs11 module
Definition SSLconfig.h:101
Class defining an SSL context.
Definition SSLconfig.h:123
virtual std::list< X509 * > ServerCertificates(void)=0
Return list of server certificates.
virtual int Configure(Config *confobj, MSGstruct *msp)=0
Reconfigure the context.
virtual const cipher_suites_t & AvailableSuites()=0
Return set of available cipher suites.
virtual bool HaveTLSIdentity()=0
Whether a TLS identity is available.
virtual bool IsUsable()=0
Whether it is actually usable.
Context()
Protect constructor to avoid making base objects.
Definition SSLconfig.h:126
static EVENTSVC_DLL Context * Factory(Config *confobj, MSGstruct *msp)
Factory method for context, creates concrete object.
Definition ssl_context.C:43
virtual const cipher_suites_t & DefaultSuites()=0
Return set of default cipher suites.
virtual std::list< X509 * > GetTrustAnchors() const =0
Return the list of trust anchors.