source: doc/creddy_API @ 34d3b43

rt2
Last change on this file since 34d3b43 was ac79e33, checked in by Ted Faber <faber@…>, 13 years ago

API changes for rt2

  • Property mode set to 100644
File size: 5.4 KB
Line 
1C++ API
2
3(see bottom for notes on C, Perl, and Python)
4
5see doc/API for notes on abac_chunk_t
6
7Creddy::ID
8    ID(char *filename)
9        load an ID cert from a file
10        Will throw an exception if the cert cannot be loaded
11
12    ID(char *cn, int validity)
13        generates a new ID with the supplied CN and validity period
14        - CN must be alphanumeric and begin with a letter
15        - validity must be at least one second
16        Will throw an exception if either of the above is violated
17
18    void load_privkey(char *filename)
19        loads the private key associated with the cert
20        will throw an exception if the key cannot be loaded
21
22    char *keyid()
23        returns the SHA1 keyid of the cert
24
25    char *cert_filename()
26        returns a suggested filename for the generated ID cert, namely:
27            ${CN}_id.pem
28
29    char *privkey_filename()
30        returns a suggested filename for the private key of the ID cert:
31            ${CN}_key.pem
32
33    void write_cert(FILE *out)
34        writes a PEM-encoded cert to the file handle
35
36    void write_cert(string& out)
37        writes a PEM-encoded cert to a file named out
38
39    void write_cert(char *out)
40        writes a PEM-encoded cert to a file named out
41
42    void write_privkey(FILE *out)
43        writes a PEM-encoded private key to the file handle
44        throws an exception if no private key is loaded
45
46    void write_privkey(string& out)
47        writes a PEM-encoded private key to a file named out
48        throws an exception if no private key is loaded
49
50    void write_privkey(char *out)
51        writes a PEM-encoded private key a file named out
52        throws an exception if no private key is loaded
53
54    abac_chunk_t cert_chunk()
55        returns a DER-encoded binary representation of the X.509 ID cert
56        associated with this ID.
57        can be passed to libabac's Context::load_id_chunk()
58
59    In languages where swig is confused by overloading, the write_* functions
60        are replaced with (for example) write_cert(FILE *) and
61        write_cert_name(char*) to remove the ambiguity.  perl and python
62        use these names, and perl uses only the write_cert_name() forms.
63
64Creddy::Attribute
65
66    N.B., The way you use this class is by instantiating the object, adding
67    subjects to it, and then baking it. Only once it's baked can you access the
68    X.509 cert. Once it's been baked you can no longer add subjects to it.
69
70    Attribute(ID &issuer, char *role, int validity)
71        Create an object to be signed by the given issuer with the given role
72        and validity period
73        An exception will be thrown if:
74            - the issuer has no private key
75            - the role name is invalid (must be alphanumeric)
76            - the validity period is invalid (must be >= 1 second)
77
78    Attribute(ID &issuer, char *oset, int validity, true)
79        Create an object to be signed by the given issuer that defines
80        the given oset.  It is otherwise the same as the above constructor.
81
82    (The following three methods will throw an exception if the certificate has
83    been baked. They return false if there's an invalid principal or role name.)
84
85    bool principal(char *keyid)
86        Add a principal subject
87
88    bool role(char *keyid, char *role)
89        Add a role subject
90
91    bool linking_role(char *keyid, char *role, char *linked)
92        Add a linking role subject
93
94    bool objec(char *keyid)
95        Add an object to an oset - use only on an oset Attribute
96
97    bool oset(char *keyid, char *role)
98        Add an oset to an oset - use only on an oset Attribute
99
100    bool linking_oset(char *keyid, char *role, char *linked)
101        Add a linking oset (an oset from another principal) to an oset - use
102        only on an oset Attribute
103
104    bool bake()
105        Generate the cert. Call this after you've added subjects to your cert.
106        This returns false if there are no subjects
107        This will throw an exception if the cert's already been baked.
108
109    bool baked()
110        Returns true iff the cert has been baked.
111
112    void write(FILE *out)
113        Write the DER-encoded X.509 attribute cert to the open file handle
114        Throws an exception if the cert isn't baked
115
116    void write(string& out)
117        Write the DER-encoded X.509 attribute cert to a file named out
118        Throws an exception if the cert isn't baked
119
120    void write(char *out)
121        Write the DER-encoded X.509 attribute cert to a file named out
122        Throws an exception if the cert isn't baked
123
124    abac_chunk_t cert_chunk()
125        returns a DER-encoded binary representation of the X.509 attribute
126        cert associated with this cert
127        Throws an exception if the cert isn't baked
128        the chunk can be passed to libabac's Context::load_attribute_chunk()
129
130
131    The overloaded write member functions are exported to perl and python
132    in ways analogous to the overloaded functions in the ID class above.
133
134C API
135
136(Mostly cut/pasted from ABAC)
137
138The C API is nearly identical to the C++ API. Due to lack of namespaces,
139all function names are preceeded by creddy_. Furthermore, the parameter
140representing the object must be passed explicitly.
141
142Due to a lack of exceptions, the C API uses return values for functions
143which can fail. See creddy.h for more details:
144
145Example:
146
147    C++:    id.load_privkey("test_key.pem");
148    C:      ret = creddy_id_load_privkey(id, "test_key.pem");
149
150Perl/Python:
151
152The API is identical to C++. Native types are used instead of C types, but this
153should be seamless to a user of the library.
Note: See TracBrowser for help on using the repository browser.