source: creddy/creddy.h @ b19d1f0

#ifndef __LIBCREDDY_H__
#define __LIBCREDDY_H__

#include <stdio.h>
#include <time.h> // for time_t

#include <abac_common.h>

#define CREDDY_SUCCESS                      0
#define CREDDY_GENERATE_INVALID_CN          -1
#define CREDDY_GENERATE_INVALID_VALIDITY    -2
#define CREDDY_ATTRIBUTE_ISSUER_NOKEY       -3
#define CREDDY_ATTRIBUTE_INVALID_ROLE       -4
#define CREDDY_ATTRIBUTE_INVALID_VALIDITY   -5

/**
 * Creddy identifiers.
 */

typedef struct _creddy_id_t creddy_id_t;

// create an ID from an X.509 certificate
creddy_id_t *creddy_id_from_file(char *filename);

// load an X.509 private key for an from a file
// handles keys with a password
int creddy_id_load_privkey(creddy_id_t *id, char *filename);

// generate an ID
// returns one of CREDDY_SUCCESS or CREDDY_GENERATE_* (see top)
int creddy_id_generate(creddy_id_t **ret, char *cn, int validity);

// get the SHA1 keyid, pointer is valid for the lifetime of the object
char *creddy_id_keyid(creddy_id_t *id);

// get the name of the issuer
// caller must free the returned string
char *creddy_id_issuer(creddy_id_t *id);

// get the DN of the subject
// caller must free the returned string
char *creddy_id_subject(creddy_id_t *id);

// get the validity period of the cert
void creddy_id_validity(creddy_id_t *id, time_t *not_before, time_t *not_after);

// default filename for the cert: ${CN}_ID.pem
// caller must free the returned string
char *creddy_id_cert_filename(creddy_id_t *id);

// write the cert fo an open file pointer
void creddy_id_write_cert(creddy_id_t *id, FILE *out);

// default filename for the private key: ${CN}_key.pem
// caller must free the return value
char *creddy_id_privkey_filename(creddy_id_t *id);

// write the private key to a file
// it is recommended that you open this file mode 0600
// returns false if there's no private key loaded
int creddy_id_write_privkey(creddy_id_t *id, FILE *out);

// get a chunk representing the cert
// you must free the ptr of the chunk when done
abac_chunk_t creddy_id_cert_chunk(creddy_id_t *id);

// dup an ID (increases its refcount)
creddy_id_t *creddy_id_dup(creddy_id_t *id);

// destroy the id
// decreases refcount and destroys when it hits 0
void creddy_id_free(creddy_id_t *id);

/**
 * Attribute cert
 */
typedef struct _creddy_attribute_t creddy_attribute_t;

//
// Here's the skinny:
//  Attribute cert objects don't contain an actual cert until they're baked.
//  First you construct the object using creddy_attribute_create, then you add
//  subjects to it using creddy_attribute_{principal,role,linking_role}.
//  Finally you bake it. Once you've done that, you can access the DER encoding
//  or write it to a file.
//

// create an attribute cert
// validity is in days
// returns one of CREDDY_SUCCESS or CREDDY_ATTRIBUTE_* (see top)
int creddy_attribute_create(creddy_attribute_t **attr, creddy_id_t *issuer, char *role, int validity);

// add a principal subject to the cert
int creddy_attribute_principal(creddy_attribute_t *attr, char *keyid);

// add a role subject
int creddy_attribute_role(creddy_attribute_t *attr, char *keyid, char *role);

// add a linking role subject
int creddy_attribute_linking_role(creddy_attribute_t *attr, char *keyid, char *role, char *linked);

// create the attribute cert once all the subjects have been added
// can return 0 if there are no subjects or there's a problem building the cert
int creddy_attribute_bake(creddy_attribute_t *attr);

// returns true iff the cert's been baked
int creddy_attribute_baked(creddy_attribute_t *attr);

// write the cert to a file. returns 0 if the cert hasn't been baked
int creddy_attribute_write(creddy_attribute_t *attr, FILE *out);

// get the DER-encoded cert
// returns 0 if the cert isn't baked
int creddy_attribute_cert_chunk(creddy_attribute_t *attr, abac_chunk_t *chunk);

// destroy the cert
void creddy_attribute_free(creddy_attribute_t *attr);

#endif /* __LIBCREDDY_H__ */