Diffstat (limited to 'src/lib/asiolink/common_tls.h')
-rw-r--r-- | src/lib/asiolink/common_tls.h | 183 |
1 files changed, 183 insertions, 0 deletions
diff --git a/src/lib/asiolink/common_tls.h b/src/lib/asiolink/common_tls.h
new file mode 100644
index 0000000..b119760
--- /dev/null
+++ b/src/lib/asiolink/common_tls.h
@@ -0,0 +1,183 @@
+// Copyright (C) 2021 Internet Systems Consortium, Inc. ("ISC")
+//
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+// Do not include this header directly: use crypto_tls.h instead.
+
+#ifndef COMMON_TLS_H
+#define COMMON_TLS_H
+
+/// @file common_tls.h Common TLS API.
+
+// Verify that this file was not directly included.
+#ifndef CRYPTO_TLS_H
+#error crypto_tls.h must be included in place of common_tls.h
+#endif
+
+#include <cryptolink/cryptolink.h>
+
+#include <boost/noncopyable.hpp>
+#include <boost/shared_ptr.hpp>
+
+#include <netinet/in.h>
+#include <sys/socket.h>
+
+namespace isc {
+namespace asiolink {
+
+/// @brief Client and server roles.
+enum TlsRole { CLIENT, SERVER };
+
+/// @brief Forward declaration of backend TLS context.
+class TlsContext;
+
+/// @brief The type of shared pointers to TlsContext objects.
+typedef boost::shared_ptr<TlsContext> TlsContextPtr;
+
+/// @brief TLS context base class.
+class TlsContextBase : private boost::noncopyable {
+public:
+ /// @brief Destructor.
+ virtual ~TlsContextBase() { }
+
+ /// @brief Create a fresh context.
+ ///
+ /// @param role The TLS role client or server.
+ explicit TlsContextBase(TlsRole role) : role_(role) { }
+
+ /// @brief Returns the role.
+ TlsRole getRole() const {
+ return (role_);
+ }
+
+ /// @note No need for a role set method.
+
+ /// @brief Configure.
+ ///
+ /// @param context The TLS context to configure.
+ /// @param role The TLS role client or server.
+ /// @param ca_file The certificate file or directory name.
+ /// @param cert_file The certificate file name.
+ /// @param key_file The private key file name.
+ /// @param cert_required True if peer certificates are required,
+ /// false if they are optional. This is a server specific parameter.
+ /// @throw isc::BadValue on error.
+ static void configure(TlsContextPtr& context,
+ TlsRole role,
+ const std::string& ca_file,
+ const std::string& cert_file,
+ const std::string& key_file,
+ bool cert_required = true);
+
+ /// @brief Get the peer certificate requirement mode.
+ ///
+ /// @return True if peer certificates are required, false if they
+ /// are optional.
+ virtual bool getCertRequired() const = 0;
+
+protected:
+ /// @brief Set the peer certificate requirement mode.
+ ///
+ /// @param cert_required True if peer certificates are required,
+ /// false if they are optional.
+ /// @throw isc::BadValue when cert_required is set to false for a client.
+ virtual void setCertRequired(bool cert_required) = 0;
+
+ /// @brief Load the trust anchor aka certification authority.
+ ///
+ /// @param ca_file The certificate file name.
+ /// @throw isc::cryptolink::LibraryError on various errors as
+ /// file not found, bad format, etc.
+ virtual void loadCaFile(const std::string& ca_file) = 0;
+
+ /// @brief Load the trust anchor aka certification authority.
+ ///
+ /// @param ca_path The certificate directory name.
+ /// @throw isc::cryptolink::LibraryError on various errors as
+ /// file not found, bad format, etc.
+ virtual void loadCaPath(const std::string& ca_path) = 0;
+
+ /// @brief Load the certificate file.
+ ///
+ /// @param cert_file The certificate file name.
+ /// @throw isc::cryptolink::LibraryError on various errors as
+ /// file not found, bad format, etc.
+ virtual void loadCertFile(const std::string& cert_file) = 0;
+
+ /// @brief Load the private key from a file.
+ ///
+ /// @param key_file The private key file name.
+ /// @throw isc::cryptolink::LibraryError on various errors as
+ /// file not found, bad format, etc.
+ virtual void loadKeyFile(const std::string& key_file) = 0;
+
+public:
+ /// @brief The role i.e. client or server.
+ TlsRole role_;
+};
+
+/// @brief TLS stream base class.
+///
+/// @tparam Callback The type of callbacks.
+/// @tparam TlsStreamImpl The type of underlying TLS streams.
+template <typename Callback, typename TlsStreamImpl>
+class TlsStreamBase : public TlsStreamImpl {
+public:
+
+ /// @brief Constructor.
+ ///
+ /// @param service I/O Service object used to manage the stream.
+ /// @param context Pointer to the TLS context.
+ /// @note The caller must not provide a null pointer to the TLS context.
+ TlsStreamBase(IOService& service, TlsContextPtr context);
+
+ /// @brief Destructor.
+ virtual ~TlsStreamBase() { }
+
+ /// @brief Returns the role.
+ TlsRole getRole() const {
+ return (role_);
+ }
+
+ /// @brief TLS Handshake.
+ ///
+ /// @param callback Callback object.
+ virtual void handshake(Callback& callback) = 0;
+
+ /// @brief TLS shutdown.
+ ///
+ /// @param callback Callback object.
+ virtual void shutdown(Callback& callback) = 0;
+
+ /// @brief Return the commonName part of the subjectName of
+ /// the peer certificate.
+ ///
+ /// First commonName when there are more than one, in UTF-8.
+ /// RFC 3280 provides as a commonName example "Susan Housley",
+ /// to idea to give access to this come from the Role Based
+ /// Access Control experiment.
+ ///
+ /// @return The commonName part of the subjectName or the empty string.
+ virtual std::string getSubject() = 0;
+
+ /// @brief Return the commonName part of the issuerName of
+ /// the peer certificate.
+ ///
+ /// First commonName when there are more than one, in UTF-8.
+ /// The issuerName is the subjectName of the signing certificate
+ /// (the issue in PKIX terms). The idea is to encode a group as
+ /// members of an intermediate certification authority.
+ ///
+ /// @return The commonName part of the issuerName or the empty string.
+ virtual std::string getIssuer() = 0;
+
+ /// @brief The role i.e. client or server.
+ TlsRole role_;
+};
+
+} // namespace asiolink
+} // namespace isc
+
+#endif // COMMON_TLS_H
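Review bot: `role_` is declared under `public:` in both TlsContextBase (the second `public:` that follows the protected loader declarations) and TlsStreamBase, so the value returned by `getRole()` is writable by any caller even though the class notes that no role setter is wanted; since setCertRequired is documented to reject `cert_required == false` for a client, a publicly mutable role would presumably let that role-based check be sidestepped after construction. I would change the access specifier in both classes to `protected:` (or `private:` with a protected accessor), keeping `/// @brief The role i.e. client or server.` and `TlsRole role_;` unchanged. The header also uses `std::string` and `IOService` without including `<string>` or the io_service header, relying on transitive includes through cryptolink.h or crypto_tls.h; an explicit `#include <string>` would make it self-sufficient. Two documentation nits: in getSubject, `to idea to give access to this come from` should read `the idea to give access to this came from`, and in getIssuer `(the issue in PKIX terms)` presumably means `(the issuer in PKIX terms)`.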