1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
|
/*
* Copyright (C) 2008 Tobias Brunner
* Copyright (C) 2007 Martin Willi
* Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*/
/**
* @defgroup auth_info auth_info
* @{ @ingroup ccredentials
*/
#ifndef AUTH_INFO_H_
#define AUTH_INFO_H_
#include <utils/enumerator.h>
typedef struct auth_info_t auth_info_t;
typedef enum auth_item_t auth_item_t;
/**
* Authentication/Authorization process helper item.
*
* For the authentication process, further information may be needed. These
* items are defined as auth_item_t and have a AUTHN prefix.
* The authentication process returns important data for the authorization
* process, these items are defined with a AUTHZ prefix.
* Authentication uses AUTHN items and creates AUTHZ items during authentication,
* authorization reads AUTHZ values to give out privileges.
*
* +---+ +---------------------+
* | A | | A |
* | u | | u +-----------+ |
* | t | | t | Required | |
* | h | | h | auth_info | |
* | e | | o +-----------+ |
* | n | | r | |
* +-----------+ | t | | i | |
* | Provided | | i | | z V |
* | auth_info |--| c |-------------| a ----> match? ----|------->
* +-----------+ | a | | t |
* | t | | i |
* | i | | o |
* | o | | n |
* | n | | |
* +---+ +---------------------+
*/
enum auth_item_t {
/*
* items provided to authentication process
*/
/** authentication class to use, value is auth_class_t* */
AUTHN_AUTH_CLASS,
/** EAP method to request from peer, value is eap_type_t* */
AUTHN_EAP_TYPE,
/** EAP vendor to used in conjunction with EAP method, value is u_int32_t* */
AUTHN_EAP_VENDOR,
/** EAP identity to use within EAP-Identity exchange */
AUTHN_EAP_IDENTITY,
/** CA certificate to use for authentication, value is certificate_t* */
AUTHN_CA_CERT,
/** Keyid of a CA certificate to use, value is identification_t* */
AUTHN_CA_CERT_KEYID,
/** subject DN of a CA certificate to use, value is identification_t* */
AUTHN_CA_CERT_NAME,
/** intermediate certificate, value is certificate_t* */
AUTHN_IM_CERT,
/** certificate for trustchain verification, value is certificate_t* */
AUTHN_SUBJECT_CERT,
/** intermediate certificate supplied as hash and url */
AUTHN_IM_HASH_URL,
/** end-entity certificate supplied as hash and url */
AUTHN_SUBJECT_HASH_URL,
/*
* item provided to authorization process
*/
/** subject has been authenticated by public key, value is public_key_t* */
AUTHZ_PUBKEY,
/** subject has ben authenticated using preshared secrets, value is shared_key_t* */
AUTHZ_PSK,
/** subject has been authenticated using EAP, value is eap_type_t* */
AUTHZ_EAP,
/** certificate authority, value is certificate_t* */
AUTHZ_CA_CERT,
/** subject DN of a certificate authority, value is identification_t* */
AUTHZ_CA_CERT_NAME,
/** intermediate certificate in trustchain, value is certificate_t* */
AUTHZ_IM_CERT,
/** subject certificate, value is certificate_t* */
AUTHZ_SUBJECT_CERT,
/** result of a CRL validation, value is cert_validation_t */
AUTHZ_CRL_VALIDATION,
/** result of a OCSP validation, value is cert_validation_t */
AUTHZ_OCSP_VALIDATION,
/** subject is in attribute certificate group, value is identification_t* */
AUTHZ_AC_GROUP,
};
/**
* enum name for auth_item_t.
*/
extern enum_name_t *auth_item_names;
/**
* The auth_info class contains auth_item_t's used for AA.
*
* A auth_info allows the separation of authentication and authorization.
*/
struct auth_info_t {
/**
* Add an item to the set.
*
* @param type auth_info type
* @param value associated value to auth_info type, if any
*/
void (*add_item)(auth_info_t *this, auth_item_t type, void *value);
/**
* Get an item.
*
* @param type auth_info type to get
* @param value pointer to a pointer receiving item
* @return bool if item has been found
*/
bool (*get_item)(auth_info_t *this, auth_item_t type, void **value);
/**
* Replace an item.
*
* @param type new auth_info type
* @param value pointer to the new value
*/
void (*replace_item)(enumerator_t *this, auth_item_t type, void *value);
/**
* Create an enumerator over all items.
*
* @return enumerator over (auth_item_t type, void *value)
*/
enumerator_t* (*create_item_enumerator)(auth_info_t *this);
/**
* Check if this fulfills a set of required constraints.
*
* @param constraints required authorization infos
* @return TRUE if this complies with constraints
*/
bool (*complies)(auth_info_t *this, auth_info_t *constraints);
/**
* Merge items from other into this.
*
* Items do not get cloned, but moved from other to this.
*
* @param other items to read for merge
*/
void (*merge)(auth_info_t *this, auth_info_t *other);
/**
* Check two auth_infos for equality.
*
* @param other other item to compaire against this
* @return TRUE if auth infos identical
*/
bool (*equals)(auth_info_t *this, auth_info_t *other);
/**
* Destroy a auth_info instance with all associated values.
*/
void (*destroy)(auth_info_t *this);
};
/**
* Create a auth_info instance.
*/
auth_info_t *auth_info_create();
#endif /* AUTH_INFO_H_ @}*/
|