//tabstop=4
//***********************************************************************
// ORBAsec SL3
// ----------------------------------------------------------------------
// Copyright (C) 2001 Adiron, LLC.
// All rights reserved.
// ----------------------------------------------------------------------
// $Id$
//***********************************************************************
//
// Marked modifications Copyright (C) 2002, 2003, 2004 ObjectSecurity Ltd.
//
// This IDL module declares the TLS transport pieces of SL3: the local
// callback interfaces the security service invokes to authenticate a TLS
// peer (TLSX509IdentityVerifier, TLSX509IdentityProcessor) and the
// argument builders used to acquire TLS transport credentials, either
// from a Java KeyStore (TLSKeyStoreArgBuilder) or from OpenSSL-style
// CA/cert/key material (OpenSSLConfigArgBuilder).
//
// NOTE(review): the targets of the #include directives below were lost
// when this copy was extracted (the bracketed names were stripped);
// restore them from the repository copy before compiling.

#ifndef _SL3TLS_IDL_
#define _SL3TLS_IDL_

#include
#include
//#include
//#include
//#include
#include
#include
//#include

#pragma prefix "adiron.com"

module SL3TLS {

    // begin of ObjectSecurity removal
    // const SL3CM::MechanismId MID_TLS = "TLS";

    /**
     * This is the only acquisition mechanism for acquiring TLS
     * Transport Credentials.
     */
    // const SL3CM::AcquisitionMethod AQM_TLSArgs = "TLSArgs";
    // end of ObjectSecurity removal

    /**
     * Implementers may create their own local version of this interface
     * to verify chains of X509 Certificates.
     *
     * This interface is the policy hook for TLS peer authentication: the
     * values returned by is_anonymous_allowed() and verify() decide
     * whether a connection is accepted, so a replacement implementation
     * must be at least as strict as the deployment requires.  As the
     * notes on the TLSKeyStoreArgBuilder operations below state, the
     * default verifier always allows anonymous peers.
     */
    local interface TLSX509IdentityVerifier {

        /**
         * Called by the security service at the TLS Transport
         * Credentials creation phase to add certificates as trusted
         * entities, as directed by other TLS options.
         *
         * @param auth  The statement carrying the certificate(s) that
         *              later calls to verify() may treat as trusted.
         */
        void add_trusted_authority( in SL3PM::X509IdentityStatement auth );

        /**
         * Called by the security service to determine whether the peer
         * is allowed to be anonymous, i.e. the peer delivered no
         * certificate and did not authenticate itself.
         *
         * @return TRUE to accept an unauthenticated peer; FALSE to
         *         require a peer certificate that passes verify().
         */
        boolean is_anonymous_allowed();

        /**
         * Called by the security service at the transport authentication
         * phase, when the peer certificate needs to be verified.
         *
         * @param ident  Contains a sequence of encoded X509 Certificates,
         *               which may be empty.  An implementation should
         *               decide explicitly what an empty sequence means
         *               (no certificate was presented) rather than letting
         *               it fall through as verified; how that case
         *               interacts with is_anonymous_allowed() is not
         *               specified here -- confirm against the service.
         * @return TRUE if the chain is acceptable, FALSE otherwise.
         */
        boolean verify( in SL3PM::X509IdentityStatement ident );
    };

    /**
     * The TLS KeyStore Acquisition Builder extends the TCPIP Builder.
     * This is because the same TCPIP Acquisition Arguments apply to
     * TLS, as TCPIP sits underneath TLS.
     *
     * Because this interface is declared local, the password and
     * passphrase arguments below are consumed in-process and are not
     * marshalled over the wire; they still have to be obtained from a
     * protected source by the caller.
     */
    ///
    /// kcg: TLSKeyStore* constructs don't fit well with OpenSSL API usage
    /// and so I've added OpenSSLConfig* constructs (below)
    ///
    local interface TLSKeyStoreArgBuilder : SL3TCPIP::TCPIPArgBuilder {

        /**
         * Adds a X509 Certificate Chain Identity Verifier argument to
         * the acquisition arguments, replacing the default verifier
         * (which always allows anonymous peers).
         *
         * @param verifier The locally defined interface that will verify
         *                 the certificate chain.
         */
        void addTLSX509IdentityVerifier( in TLSX509IdentityVerifier verifier );

        /**
         * Used when there is a password on the keystore.
         *
         * @param keystore  The URL of the keystore.
         * @param storetype The type of the keystore.  Currently, one of
         *                  "IAIKKeyStore" or "jks".
         * @param storepass The password that protects the key store.
         * @param keyalias  The alias of a private key in the keystore.
         *                  If this argument is an empty string, then the
         *                  credentials will be considered anonymous.
         * @param keypass   The password that unlocks the private key
         *                  named by the keyalias.
         * @param trusted_cert_names
         *                  The aliases of certificates in the key store
         *                  that are considered trusted to verify
         *                  certificates of the peer during authentication.
         *                  An empty string sequence signifies that the
         *                  default chain verifier will accept chains
         *                  ending in any trusted certificate entry found
         *                  in the keystore.
         *
         * Note: On the default TLSX509IdentityVerifier, anonymous
         * communication is always allowed.
         */
        void addTLSKeyStoreWithStorePass(
            in string keystore,
            in string storetype,
            in string storepass,
            in string keyalias,
            in string keypass,
            in CORBA::StringSeq trusted_cert_names
        );

        /**
         * Used when there is no password on the keystore.  This approach
         * should only be used in cases where the integrity of the keystore
         * is not an issue: the store password is typically what provides
         * an integrity check over the store contents, so without it an
         * altered trusted-certificate entry changes which peers verify.
         *
         * @param keystore  The URL of the keystore.
         * @param storetype The type of the keystore.  Currently, one of
         *                  "IAIKKeyStore" or "jks".
         * @param keyalias  The alias of a private key in the keystore.
         *                  If this argument is an empty string, then the
         *                  credentials will be considered anonymous.
         * @param keypass   The password that unlocks the private key
         *                  named by the keyalias.
         * @param trusted_cert_names
         *                  The aliases of certificates in the key store
         *                  that are considered trusted to verify
         *                  certificates of the peer during authentication.
         *                  An empty string sequence signifies that the
         *                  default chain verifier will accept chains
         *                  ending in any trusted certificate entry found
         *                  in the keystore.
         *
         * Note: On the default TLSX509IdentityVerifier, anonymous
         * communication is always allowed.
         */
        void addTLSKeyStoreNoStorePass(
            in string keystore,
            in string storetype,
            in string keyalias,
            in string keypass,
            in CORBA::StringSeq trusted_cert_names
        );

        /**
         * Used when there is a password on the keystore and the keystore
         * itself is supplied in memory rather than by URL.
         *
         * @param keystore  The octet sequence containing the keystore.
         * @param storetype The type of the keystore.  Currently, one of
         *                  "IAIKKeyStore" or "jks".
         * @param storepass The password that protects the key store.
         * @param keyalias  The alias of a private key in the keystore.
         *                  If this argument is an empty string, then the
         *                  credentials will be considered anonymous.
         * @param keypass   The password that unlocks the private key
         *                  named by the keyalias.
         * @param trusted_cert_names
         *                  The aliases of certificates in the key store
         *                  that are considered trusted to verify
         *                  certificates of the peer during authentication.
         *                  An empty string sequence signifies that the
         *                  default chain verifier will accept chains
         *                  ending in any trusted certificate entry found
         *                  in the keystore.
         *
         * Note: On the default TLSX509IdentityVerifier, anonymous
         * communication is always allowed.
         */
        void addTLSEncodedKeyStoreWithStorePass(
            in CORBA::OctetSeq keystore,
            in string storetype,
            in string storepass,
            in string keyalias,
            in string keypass,
            in CORBA::StringSeq trusted_cert_names
        );

        /**
         * Used when there is no password on the keystore and the keystore
         * itself is supplied in memory rather than by URL.  This approach
         * should only be used in cases where the integrity of the keystore
         * is not an issue (see addTLSKeyStoreNoStorePass).
         *
         * @param keystore  The octet sequence containing the keystore.
         * @param storetype The type of the keystore.  Currently, one of
         *                  "IAIKKeyStore" or "jks".
         * @param keyalias  The alias of a private key in the keystore.
         *                  If this argument is an empty string, then the
         *                  credentials will be considered anonymous.
         * @param keypass   The password that unlocks the private key
         *                  named by the keyalias.
         * @param trusted_cert_names
         *                  The aliases of certificates in the key store
         *                  that are considered trusted to verify
         *                  certificates of the peer during authentication.
         *                  An empty string sequence signifies that the
         *                  default chain verifier will accept chains
         *                  ending in any trusted certificate entry found
         *                  in the keystore.
         *
         * Note: On the default TLSX509IdentityVerifier, anonymous
         * communication is always allowed.
         */
        void addTLSEncodedKeyStoreNoStorePass(
            in CORBA::OctetSeq keystore,
            in string storetype,
            in string keyalias,
            in string keypass,
            in CORBA::StringSeq trusted_cert_names
        );
    };

    /**
     * This acquisition mechanism specifies getting TLS credential
     * information from a Java KeyStore file.  The Argument Factory
     * and Builder inherit the TCPIP ones.  The arguments used in TCPIP
     * apply in setting up TCPIP sockets, because TCPIP lies below
     * SSL/TLS.
     *
     * If the TCPIPInitiatorOptions and/or TCPIPAcceptorOptions
     * arguments are present, then they are followed, otherwise
     * defaults for TCPIP are used.
     *
     * The Arguments should have one of TLSKeyStoreWithStorePass or
     * TLSKeyStoreNoStorePass.  If neither of them is specified, the
     * resulting Credentials will run in TLS anonymously, i.e. this
     * endpoint presents no certificate of its own.
     */
    // begin of ObjectSecurity removal
    // const SL3CM::AcquisitionMethod
    //     AQM_TLSKeyStoreArgs = "TLSKeyStoreArgs";
    // end of ObjectSecurity removal

    // begin of ObjectSecurity addition

    /**
     * An implementation of this interface is used by the security
     * service when deciding whether an SL3CSI/CSIv2 enabled server can
     * accept a request sent from a plain TLS client, i.e. accept based
     * on transport security credentials alone.
     *
     * This is an authorization decision made without any CSIv2
     * message-level authentication, so the implementation has only the
     * transport-authenticated principal to go on.
     */
    local interface TLSX509IdentityProcessor {

        /**
         * Called by the security service to find out if the supplied
         * principal is allowed to make a request on a target.
         *
         * @param ident  The transport-level principal of the caller.
         * @return TRUE if the request may proceed, FALSE if not.
         */
        boolean verify_identity(in SL3PM::Principal ident);
    };

    /**
     * Argument builder for TLS credentials configured from OpenSSL-style
     * material (CA, certificate and private key) instead of a Java
     * KeyStore.  Extends the TCPIP builder for the same reason as
     * TLSKeyStoreArgBuilder.
     *
     * The ca/cert/key/passphrase arguments are strings; presumably they
     * are paths or other references handed to the OpenSSL layer --
     * confirm against the implementation.  As with TLSKeyStoreArgBuilder,
     * the interface is local, so passphrases are not marshalled.
     */
    local interface OpenSSLConfigArgBuilder : SL3TCPIP::TCPIPArgBuilder {

        /**
         * Configures the acceptor (server) side with the CA material
         * used to verify initiators, the acceptor's own certificate and
         * its private key.
         */
        void add_tls_acceptor_options(in string ca, in string cert, in string key);

        /**
         * Same as add_tls_acceptor_options, with a passphrase that
         * presumably unlocks the private key referenced by key.
         */
        void add_tls_acceptor_options_with_passphrase(in string ca, in string cert, in string key, in string passphrase);

        /**
         * Configures the initiator (client) side with the CA material
         * used to verify acceptors, the initiator's own certificate and
         * its private key.
         */
        void add_tls_initiator_options(in string ca, in string cert, in string key);

        /**
         * Same as add_tls_initiator_options, with a passphrase that
         * presumably unlocks the private key referenced by key.
         */
        void add_tls_initiator_options_with_passphrase(in string ca, in string cert, in string key, in string passphrase);

        /**
         * Configures an initiator that supplies only CA material, i.e.
         * it can verify the acceptor but presumably presents no
         * certificate of its own (an anonymous client).
         */
        void add_tls_anonymous_initiator_options(in string ca);

        /**
         * Sets the cipher selection string for the initiator side.
         * Presumably in OpenSSL cipher-list syntax -- confirm; the value
         * determines which cipher suites this side will negotiate.
         */
        void add_initiator_cipher(in string cipher);

        /** Sets the cipher selection string for the acceptor side. */
        void add_acceptor_cipher(in string cipher);

        /**
         * Sets the maximum certificate chain depth accepted when
         * verifying the acceptor's certificate (presumably OpenSSL's
         * verify depth -- confirm).
         */
        void add_initiator_verify_depth(in long depth);

        /**
         * Sets the maximum certificate chain depth accepted when
         * verifying an initiator's certificate.
         */
        void add_acceptor_verify_depth(in long depth);

        /**
         * Installs the verifier consulted for the acceptor's certificate
         * on initiator connections, replacing the default verifier.
         */
        void add_initiator_identity_verifier(in TLSX509IdentityVerifier verifier);

        /**
         * Installs the verifier consulted for initiator certificates on
         * accepted connections, replacing the default verifier.
         */
        void add_acceptor_identity_verifier(in TLSX509IdentityVerifier verifier);
    };

    // end of ObjectSecurity addition

    /**
     * This object allowed creation of the Builder for use with TLS and
     * a Java KeyStore.  The whole factory is retained below, commented
     * out, as ObjectSecurity removed it.
     */
    // begin of ObjectSecurity removal
    // local interface ArgumentFactory : SL3TCPIP::ArgumentFactory {

    /**
     * This operation creates a TLS KeyStore Arg Builder object.
     */
    // begin of ObjectSecurity change
    // kcg change
    // TLSKeyStoreArgBuilder createTLSKeyStoreArgBuilder(
    //     in TransportSecurity::CredentialsUsage usage
    // );

    /**
     * This operation creates a Tagged Argument containing a reference
     * to a X509 Certificate Chain Verifier.
     */
    // kcg change
    // SL3AQArgs::Argument createTLSX509IdentityVerifier(
    //     in TLSX509IdentityVerifier verifier
    // );

    /**
     * This operation creates a Tagged Argument containing the
     * information for acquiring credentials from a Java KeyStore that
     * is protected with a password.
     *
     * For a description of the arguments, please see the corresponding
     * operation in the TLSKeyStoreArgBuilder.
     *
     * @see TLSKeyStoreArgBuilder
     */
    // kcg change
    // SL3AQArgs::Argument createTLSKeyStoreWithStorePass(
    //     in string keystore,
    //     in string storetype,
    //     in string storepass,
    //     in string keyalias,
    //     in string keypass,
    //     in CORBA::StringSeq trusted_cert_names
    // );

    /**
     * This operation creates a Tagged Argument containing the
     * information for acquiring credentials from a Java KeyStore that
     * has no store password.
     *
     * For a description of the arguments, please see the corresponding
     * operation in the TLSKeyStoreArgBuilder.
     *
     * @see TLSKeyStoreArgBuilder
     */
    // kcg change
    // SL3AQArgs::Argument createTLSKeyStoreNoStorePass(
    //     in string keystore,
    //     in string storetype,
    //     in string keyalias,
    //     in string keypass,
    //     in CORBA::StringSeq trusted_cert_names
    // );

    /**
     * This operation creates a Tagged Argument containing the
     * information for acquiring credentials from an in-memory Java
     * KeyStore that is protected with a password.
     *
     * For a description of the arguments, please see the corresponding
     * operation in the TLSKeyStoreArgBuilder.
     *
     * @see TLSKeyStoreArgBuilder
     */
    // kcg change
    // SL3AQArgs::Argument createTLSEncodedKeyStoreWithStorePass(
    //     in CORBA::OctetSeq keystore,
    //     in string storetype,
    //     in string storepass,
    //     in string keyalias,
    //     in string keypass,
    //     in CORBA::StringSeq trusted_cert_names
    // );

    /**
     * This operation creates a Tagged Argument containing the
     * information for acquiring credentials from an in-memory Java
     * KeyStore that has no store password.
     *
     * For a description of the arguments, please see the corresponding
     * operation in the TLSKeyStoreArgBuilder.
     *
     * @see TLSKeyStoreArgBuilder
     */
    // kcg change
    // SL3AQArgs::Argument createTLSEncodedKeyStoreNoStorePass(
    //     in CORBA::OctetSeq keystore,
    //     in string storetype,
    //     in string keyalias,
    //     in string keypass,
    //     in CORBA::StringSeq trusted_cert_names
    // );
    // end of ObjectSecurity change
    // };
    // end of ObjectSecurity removal
};

#endif