1 | #ifndef __LIBCREDDY_H__ |
---|
2 | #define __LIBCREDDY_H__ |
---|
3 | |
---|
4 | #include <stdio.h> |
---|
5 | #include <time.h> // for time_t |
---|
6 | |
---|
7 | #include <abac_common.h> |
---|
8 | |
---|
9 | #define CREDDY_SUCCESS 0 |
---|
10 | #define CREDDY_GENERATE_INVALID_CN -1 |
---|
11 | #define CREDDY_GENERATE_INVALID_VALIDITY -2 |
---|
12 | #define CREDDY_ATTRIBUTE_ISSUER_NOKEY -3 |
---|
13 | #define CREDDY_ATTRIBUTE_INVALID_ROLE -4 |
---|
14 | #define CREDDY_ATTRIBUTE_INVALID_VALIDITY -5 |
---|
15 | |
---|
16 | /** |
---|
17 | * Creddy identifiers. |
---|
18 | */ |
---|
19 | |
---|
20 | typedef struct _creddy_id_t creddy_id_t; |
---|
21 | |
---|
22 | // create an ID from an X.509 certificate |
---|
23 | creddy_id_t *creddy_id_from_file(char *filename); |
---|
24 | |
---|
25 | // load an X.509 private key for an from a file |
---|
26 | // handles keys with a password |
---|
27 | int creddy_id_load_privkey(creddy_id_t *id, char *filename); |
---|
28 | |
---|
29 | // generate an ID |
---|
30 | // returns one of CREDDY_SUCCESS or CREDDY_GENERATE_* (see top) |
---|
31 | int creddy_id_generate(creddy_id_t **ret, char *cn, int validity); |
---|
32 | |
---|
33 | // get the SHA1 keyid, pointer is valid for the lifetime of the object |
---|
34 | char *creddy_id_keyid(creddy_id_t *id); |
---|
35 | |
---|
36 | // get the name of the issuer |
---|
37 | // caller must free the returned string |
---|
38 | char *creddy_id_issuer(creddy_id_t *id); |
---|
39 | |
---|
40 | // get the DN of the subject |
---|
41 | // caller must free the returned string |
---|
42 | char *creddy_id_subject(creddy_id_t *id); |
---|
43 | |
---|
44 | // get the validity period of the cert |
---|
45 | void creddy_id_validity(creddy_id_t *id, time_t *not_before, time_t *not_after); |
---|
46 | |
---|
47 | // default filename for the cert: ${CN}_ID.pem |
---|
48 | // caller must free the returned string |
---|
49 | char *creddy_id_cert_filename(creddy_id_t *id); |
---|
50 | |
---|
51 | // write the cert fo an open file pointer |
---|
52 | void creddy_id_write_cert(creddy_id_t *id, FILE *out); |
---|
53 | |
---|
54 | // default filename for the private key: ${CN}_key.pem |
---|
55 | // caller must free the return value |
---|
56 | char *creddy_id_privkey_filename(creddy_id_t *id); |
---|
57 | |
---|
58 | // write the private key to a file |
---|
59 | // it is recommended that you open this file mode 0600 |
---|
60 | // returns false if there's no private key loaded |
---|
61 | int creddy_id_write_privkey(creddy_id_t *id, FILE *out); |
---|
62 | |
---|
63 | // get a chunk representing the cert |
---|
64 | // you must free the ptr of the chunk when done |
---|
65 | abac_chunk_t creddy_id_cert_chunk(creddy_id_t *id); |
---|
66 | |
---|
67 | // dup an ID (increases its refcount) |
---|
68 | creddy_id_t *creddy_id_dup(creddy_id_t *id); |
---|
69 | |
---|
70 | // destroy the id |
---|
71 | // decreases refcount and destroys when it hits 0 |
---|
72 | void creddy_id_free(creddy_id_t *id); |
---|
73 | |
---|
74 | /** |
---|
75 | * Attribute cert |
---|
76 | */ |
---|
77 | typedef struct _creddy_attribute_t creddy_attribute_t; |
---|
78 | |
---|
79 | // |
---|
80 | // Here's the skinny: |
---|
81 | // Attribute cert objects don't contain an actual cert until they're baked. |
---|
82 | // First you construct the object using creddy_attribute_create, then you add |
---|
83 | // subjects to it using creddy_attribute_{principal,role,linking_role}. |
---|
84 | // Finally you bake it. Once you've done that, you can access the DER encoding |
---|
85 | // or write it to a file. |
---|
86 | // |
---|
87 | |
---|
88 | // create an attribute cert |
---|
89 | // validity is in days |
---|
90 | // returns one of CREDDY_SUCCESS or CREDDY_ATTRIBUTE_* (see top) |
---|
91 | int creddy_attribute_create(creddy_attribute_t **attr, creddy_id_t *issuer, char *role, int validity); |
---|
92 | |
---|
93 | // add a principal subject to the cert |
---|
94 | int creddy_attribute_principal(creddy_attribute_t *attr, char *keyid); |
---|
95 | |
---|
96 | // add a role subject |
---|
97 | int creddy_attribute_role(creddy_attribute_t *attr, char *keyid, char *role); |
---|
98 | |
---|
99 | // add a linking role subject |
---|
100 | int creddy_attribute_linking_role(creddy_attribute_t *attr, char *keyid, char *role, char *linked); |
---|
101 | |
---|
102 | // create the attribute cert once all the subjects have been added |
---|
103 | // can return 0 if there are no subjects or there's a problem building the cert |
---|
104 | int creddy_attribute_bake(creddy_attribute_t *attr); |
---|
105 | |
---|
106 | // returns true iff the cert's been baked |
---|
107 | int creddy_attribute_baked(creddy_attribute_t *attr); |
---|
108 | |
---|
109 | // write the cert to a file. returns 0 if the cert hasn't been baked |
---|
110 | int creddy_attribute_write(creddy_attribute_t *attr, FILE *out); |
---|
111 | |
---|
112 | // get the DER-encoded cert |
---|
113 | // returns 0 if the cert isn't baked |
---|
114 | int creddy_attribute_cert_chunk(creddy_attribute_t *attr, abac_chunk_t *chunk); |
---|
115 | |
---|
116 | // destroy the cert |
---|
117 | void creddy_attribute_free(creddy_attribute_t *attr); |
---|
118 | |
---|
119 | #endif /* __LIBCREDDY_H__ */ |
---|