File: cert_authorities.h

package info (click to toggle)
aws-crt-python 0.28.4%2Bdfsg-1
  • links: PTS, VCS
  • area: main
  • in suites: forky, sid
  • size: 78,428 kB
  • sloc: ansic: 437,955; python: 27,657; makefile: 5,855; sh: 4,289; ruby: 208; java: 82; perl: 73; cpp: 25; xml: 11
file content (117 lines) | stat: -rw-r--r-- 4,586 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
 
/*
 * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 *
 * Licensed under the Apache License, Version 2.0 (the "License").
 * You may not use this file except in compliance with the License.
 * A copy of the License is located at
 *
 *  http://aws.amazon.com/apache2.0
 *
 * or in the "license" file accompanying this file. This file is distributed
 * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
 * express or implied. See the License for the specific language governing
 * permissions and limitations under the License.
 */

/**
 * @file cert_authorities.h
 *
 * This contains unstable APIs for selecting a client-sent certificate in
 * response to the CertificateRequest message, and the necessary server-side
 * work to support that selection (currently, just certificate_authorities).
 *
 * See also https://github.com/aws/s2n-tls/issues/5330. Please comment there if
 * you're using the feature and report back on your experience.
 */

#pragma once

#include <s2n.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/uio.h>

struct s2n_certificate_request;
struct s2n_certificate_authority_list;

/**
 * Get the certificate_authorities list from the certificate request.
 *
 * @returns The list, with a lifetime equivalent to the s2n_certificate_request.
 * This points into the certificate request (it is not a copy of the list).
 * Can be null if the list is not available.
 */
S2N_API struct s2n_certificate_authority_list *s2n_certificate_request_get_ca_list(struct s2n_certificate_request *request);

/**
 * Sets the certificate chain to return in response to the certificate request.
 *
 * @param chain must outlive the connection being served.
 *
 * @warning It is not recommended to free or modify the `chain`. It must
 * outlive this connection.
 *
 * @returns S2N_SUCCESS on success. S2N_FAILURE on failure
 */
S2N_API int s2n_certificate_request_set_certificate(struct s2n_certificate_request *request, struct s2n_cert_chain_and_key *chain);

/**
 * Checks whether the offered list has a next entry.
 *
 * @param list A pointer to the certificate authority list being read.
 * @returns bool If true, there is a next entry.
 */
S2N_API bool s2n_certificate_authority_list_has_next(struct s2n_certificate_authority_list *list);

/**
 * Obtains the next entry in the certificate authority list.
 *
 * The lifetime of the name is bound to the lifetime of the list (in other
 * words, it must not be used past the certificate request callback).
 *
 * The name contains the bytes sent by the server. This should be a DER-encoded
 * DistinguishedName, but s2n-tls does not currently strictly enforce the
 * contents of the parsed name.
 *
 * See https://tools.ietf.org/rfc/rfc8446#section-4.2.4.
 *
 * @param list A pointer to the list being read.
 * @param name An out-pointer to the next name in the list.
 * @param length An out-pointer which is initialized to the length of the next name.
 *
 * @returns S2N_SUCCESS on success. S2N_FAILURE on failure
 */
S2N_API int s2n_certificate_authority_list_next(struct s2n_certificate_authority_list *list, uint8_t **name, uint16_t *length);

/**
 * Returns the certificate authority list to its original state.
 *
 * When `s2n_certificate_authority_list_reread` is called, the list is reset to the beginning.
 *
 * @param list The list to re-read.
 */
S2N_API int s2n_certificate_authority_list_reread(struct s2n_certificate_authority_list *list);

/* CertificateRequest callback.
 *
 * @param conn The connection object for the in-progress connection.
 * @param ctx A pointer to a user defined context provided in s2n_config_set_cert_request_callback.
 * @param request CertificateRequest, containing metadata about the incoming
 * request and a setter for the certificate to use.
 * @returns S2N_SUCCESS on success. S2N_FAILURE on failure
 */
typedef int (*s2n_cert_request_callback)(struct s2n_connection *conn, void *ctx, struct s2n_certificate_request *request);

/* Allows the caller to set a callback function that will be called after
 * CertificateRequest message is parsed.
 *
 * This is currently only called on the client side.
 *
 * @param config A pointer to the s2n_config object.
 * @param cert_req_callback The callback to be invoked.
 * @param ctx A pointer to a user defined context to be sent to `cert_req_callback`.
 * @returns S2N_SUCCESS on success. S2N_FAILURE on failure.
 */
S2N_API int s2n_config_set_cert_request_callback(struct s2n_config *config, s2n_cert_request_callback cert_req_callback, void *ctx);