#ifndef __LIBCREDDY_H__ #define __LIBCREDDY_H__ #include #include // for time_t #include #define CREDDY_SUCCESS 0 #define CREDDY_GENERATE_INVALID_CN -1 #define CREDDY_GENERATE_INVALID_VALIDITY -2 #define CREDDY_ATTRIBUTE_ISSUER_NOKEY -3 #define CREDDY_ATTRIBUTE_INVALID_ROLE -4 #define CREDDY_ATTRIBUTE_INVALID_VALIDITY -5 /** * Creddy identifiers. */ typedef struct _creddy_id_t creddy_id_t; // create an ID from an X.509 certificate creddy_id_t *creddy_id_from_file(char *filename); // create an ID from a DER-encoded X.509 certificate chunk creddy_id_t *creddy_id_from_chunk(abac_chunk_t chunk); // load an X.509 private key for an from a file // handles keys with a password int creddy_id_load_privkey(creddy_id_t *id, char *filename); // generate an ID // returns one of CREDDY_SUCCESS or CREDDY_GENERATE_* (see top) int creddy_id_generate(creddy_id_t **ret, char *cn, int validity); // get the SHA1 keyid, pointer is valid for the lifetime of the object char *creddy_id_keyid(creddy_id_t *id); // get the name of the issuer // caller must free the returned string char *creddy_id_issuer(creddy_id_t *id); // get the DN of the subject // caller must free the returned string char *creddy_id_subject(creddy_id_t *id); // get the validity period of the cert void creddy_id_validity(creddy_id_t *id, time_t *not_before, time_t *not_after); // default filename for the cert: ${CN}_ID.pem // caller must free the returned string char *creddy_id_cert_filename(creddy_id_t *id); // write the cert fo an open file pointer void creddy_id_write_cert(creddy_id_t *id, FILE *out); // default filename for the private key: ${CN}_key.pem // caller must free the return value char *creddy_id_privkey_filename(creddy_id_t *id); // write the private key to a file // it is recommended that you open this file mode 0600 // returns false if there's no private key loaded int creddy_id_write_privkey(creddy_id_t *id, FILE *out); // get a chunk representing the cert // you must free the ptr of the chunk when done abac_chunk_t creddy_id_cert_chunk(creddy_id_t *id); // dup an ID (increases its refcount) creddy_id_t *creddy_id_dup(creddy_id_t *id); // destroy the id // decreases refcount and destroys when it hits 0 void creddy_id_free(creddy_id_t *id); /** * Attribute cert */ typedef struct _creddy_attribute_t creddy_attribute_t; // // Here's the skinny: // Attribute cert objects don't contain an actual cert until they're baked. // First you construct the object using creddy_attribute_create, then you add // subjects to it using creddy_attribute_{principal,role,linking_role}. // Finally you bake it. Once you've done that, you can access the DER encoding // or write it to a file. // // create an attribute cert // validity is in days // returns one of CREDDY_SUCCESS or CREDDY_ATTRIBUTE_* (see top) int creddy_attribute_create(creddy_attribute_t **attr, creddy_id_t *issuer, char *role, int validity); // add a principal subject to the cert int creddy_attribute_principal(creddy_attribute_t *attr, char *keyid); // add a role subject int creddy_attribute_role(creddy_attribute_t *attr, char *keyid, char *role); // add a linking role subject int creddy_attribute_linking_role(creddy_attribute_t *attr, char *keyid, char *role, char *linked); // create the attribute cert once all the subjects have been added // can return 0 if there are no subjects or there's a problem building the cert int creddy_attribute_bake(creddy_attribute_t *attr); // returns true iff the cert's been baked int creddy_attribute_baked(creddy_attribute_t *attr); // write the cert to a file. returns 0 if the cert hasn't been baked int creddy_attribute_write(creddy_attribute_t *attr, FILE *out); // get the DER-encoded cert // returns 0 if the cert isn't baked int creddy_attribute_cert_chunk(creddy_attribute_t *attr, abac_chunk_t *chunk); // destroy the cert void creddy_attribute_free(creddy_attribute_t *attr); #endif /* __LIBCREDDY_H__ */