/* * Copyright (C) 2008 Tobias Brunner * Copyright (C) 2007 Martin Willi * Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the * Free Software Foundation; either version 2 of the License, or (at your * option) any later version. See . * * This program is distributed in the hope that it will be useful, but * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. */ /** * @defgroup auth_info auth_info * @{ @ingroup ccredentials */ #ifndef AUTH_INFO_H_ #define AUTH_INFO_H_ #include typedef struct auth_info_t auth_info_t; typedef enum auth_item_t auth_item_t; /** * Authentication/Authorization process helper item. * * For the authentication process, further information may be needed. These * items are defined as auth_item_t and have a AUTHN prefix. * The authentication process returns important data for the authorization * process, these items are defined with a AUTHZ prefix. * Authentication uses AUTHN items and creates AUTHZ items during authentication, * authorization reads AUTHZ values to give out privileges. * * +---+ +---------------------+ * | A | | A | * | u | | u +-----------+ | * | t | | t | Required | | * | h | | h | auth_info | | * | e | | o +-----------+ | * | n | | r | | * +-----------+ | t | | i | | * | Provided | | i | | z V | * | auth_info |--| c |-------------| a ----> match? ----|-------> * +-----------+ | a | | t | * | t | | i | * | i | | o | * | o | | n | * | n | | | * +---+ +---------------------+ */ enum auth_item_t { /* * items provided to authentication process */ /** authentication class to use, value is auth_class_t* */ AUTHN_AUTH_CLASS, /** EAP method to request from peer, value is eap_type_t* */ AUTHN_EAP_TYPE, /** EAP vendor to used in conjunction with EAP method, value is u_int32_t* */ AUTHN_EAP_VENDOR, /** EAP identity to use within EAP-Identity exchange */ AUTHN_EAP_IDENTITY, /** CA certificate to use for authentication, value is certificate_t* */ AUTHN_CA_CERT, /** Keyid of a CA certificate to use, value is identification_t* */ AUTHN_CA_CERT_KEYID, /** subject DN of a CA certificate to use, value is identification_t* */ AUTHN_CA_CERT_NAME, /** intermediate certificate, value is certificate_t* */ AUTHN_IM_CERT, /** certificate for trustchain verification, value is certificate_t* */ AUTHN_SUBJECT_CERT, /** intermediate certificate supplied as hash and url */ AUTHN_IM_HASH_URL, /** end-entity certificate supplied as hash and url */ AUTHN_SUBJECT_HASH_URL, /* * item provided to authorization process */ /** subject has been authenticated by public key, value is public_key_t* */ AUTHZ_PUBKEY, /** subject has ben authenticated using preshared secrets, value is shared_key_t* */ AUTHZ_PSK, /** subject has been authenticated using EAP, value is eap_type_t* */ AUTHZ_EAP, /** certificate authority, value is certificate_t* */ AUTHZ_CA_CERT, /** subject DN of a certificate authority, value is identification_t* */ AUTHZ_CA_CERT_NAME, /** intermediate certificate in trustchain, value is certificate_t* */ AUTHZ_IM_CERT, /** subject certificate, value is certificate_t* */ AUTHZ_SUBJECT_CERT, /** result of a CRL validation, value is cert_validation_t */ AUTHZ_CRL_VALIDATION, /** result of a OCSP validation, value is cert_validation_t */ AUTHZ_OCSP_VALIDATION, /** subject is in attribute certificate group, value is identification_t* */ AUTHZ_AC_GROUP, }; /** * enum name for auth_item_t. */ extern enum_name_t *auth_item_names; /** * The auth_info class contains auth_item_t's used for AA. * * A auth_info allows the separation of authentication and authorization. */ struct auth_info_t { /** * Add an item to the set. * * @param type auth_info type * @param value associated value to auth_info type, if any */ void (*add_item)(auth_info_t *this, auth_item_t type, void *value); /** * Get an item. * * @param type auth_info type to get * @param value pointer to a pointer receiving item * @return bool if item has been found */ bool (*get_item)(auth_info_t *this, auth_item_t type, void **value); /** * Replace an item. * * @param type new auth_info type * @param value pointer to the new value */ void (*replace_item)(enumerator_t *this, auth_item_t type, void *value); /** * Create an enumerator over all items. * * @return enumerator over (auth_item_t type, void *value) */ enumerator_t* (*create_item_enumerator)(auth_info_t *this); /** * Check if this fulfills a set of required constraints. * * @param constraints required authorization infos * @return TRUE if this complies with constraints */ bool (*complies)(auth_info_t *this, auth_info_t *constraints); /** * Merge items from other into this. * * Items do not get cloned, but moved from other to this. * * @param other items to read for merge */ void (*merge)(auth_info_t *this, auth_info_t *other); /** * Purge all items in auth_info. */ void (*purge)(auth_info_t *this); /** * Check two auth_infos for equality. * * @param other other item to compaire against this * @return TRUE if auth infos identical */ bool (*equals)(auth_info_t *this, auth_info_t *other); /** * Destroy a auth_info instance with all associated values. */ void (*destroy)(auth_info_t *this); }; /** * Create a auth_info instance. */ auth_info_t *auth_info_create(); #endif /** AUTH_INFO_H_ @}*/