Home Explore Help
Sign In
SMusatov
/
ydb
mirror of https://github.com/ydb-platform/ydb.git
1
0
Fork 0
Files
Tree: 899ede2880
Branches Tags
ydb
/
contrib
/
restricted
/
aws
/
s2n
/
api
/
unstable
/
crl.h

crl.h 11 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245 
  1. /*
    2. 

  2. * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
    3. 

  3. *
    4. 

  4. * Licensed under the Apache License, Version 2.0 (the "License").
    5. 

  5. * You may not use this file except in compliance with the License.
    6. 

  6. * A copy of the License is located at
    7. 

  7. *
    8. 

  8. *  http://aws.amazon.com/apache2.0
    9. 

  9. *
    10. 

  10. * or in the "license" file accompanying this file. This file is distributed
    11. 

  11. * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
    12. 

  12. * express or implied. See the License for the specific language governing
    13. 

  13. * permissions and limitations under the License.
    14. 

  14. */
    15. 

  15. 

  16. #pragma once
    17. 

  17. 

  18. #include <s2n.h>
    19. 

  19. 

  20. /**
    21. 

  21.  * @file crl.h
    22. 

  22.  *
    23. 

  23.  * The following APIs enable applications to determine if a received certificate has been revoked by its CA, via
    24. 

  24.  * Certificate Revocation Lists (CRLs). Please see the CRL Validation section in the usage guide for more information.
    25. 

  25.  *
    26. 

  26.  * The CRL APIs are currently considered unstable, since they have been recently added to s2n-tls. After gaining more
    27. 

  27.  * confidence in the correctness and usability of these APIs, they will be made stable.
    28. 

  28.  *
    29. 

  29.  */
    30. 

  30. 

  31. struct s2n_crl_lookup;
    32. 

  32. 

  33. /**
    34. 

  34.  * A callback which can be implemented to provide s2n-tls with CRLs to use for CRL validation.
    35. 

  35.  *
    36. 

  36.  * This callback is triggered once for each certificate received during the handshake. To provide s2n-tls with a CRL for
    37. 

  37.  * the certificate, use `s2n_crl_lookup_set()`. To ignore the certificate and not provide a CRL, use
    38. 

  38.  * `s2n_crl_lookup_ignore()`.
    39. 

  39.  *
    40. 

  40.  * This callback can be synchronous or asynchronous. For asynchronous behavior, return success without calling
    41. 

  41.  * `s2n_crl_lookup_set()` or `s2n_crl_lookup_ignore()`. `s2n_negotiate()` will return S2N_BLOCKED_ON_APPLICATION_INPUT
    42. 

  42.  * until one of these functions is called for each invoked callback.
    43. 

  43.  *
    44. 

  44.  * @param lookup The CRL lookup for the given certificate.
    45. 

  45.  * @param context Context for the callback function.
    46. 

  46.  * @returns 0 on success, -1 on failure.
    47. 

  47.  */
    48. 

  48. typedef int (*s2n_crl_lookup_callback)(struct s2n_crl_lookup *lookup, void *context);
    49. 

  49. 

  50. /**
    51. 

  51.  * Set a callback to provide CRLs to use for CRL validation.
    52. 

  52.  *
    53. 

  53.  * @param config A pointer to the connection config
    54. 

  54.  * @param s2n_crl_lookup_callback The function to be called for each received certificate.
    55. 

  55.  * @param context Context to be passed to the callback function.
    56. 

  56.  * @return S2N_SUCCESS on success, S2N_FAILURE on failure
    57. 

  57.  */
    58. 

  58. S2N_API int s2n_config_set_crl_lookup_cb(struct s2n_config *config, s2n_crl_lookup_callback callback, void *context);
    59. 

  59. 

  60. /**
    61. 

  61.  * Allocates a new `s2n_crl` struct.
    62. 

  62.  *
    63. 

  63.  * Use `s2n_crl_load_pem()` to load the struct with a CRL pem.
    64. 

  64.  *
    65. 

  65.  * The allocated struct must be freed with `s2n_crl_free()`.
    66. 

  66.  *
    67. 

  67.  * @return A pointer to the allocated `s2n_crl` struct.
    68. 

  68.  */
    69. 

  69. S2N_API struct s2n_crl *s2n_crl_new(void);
    70. 

  70. 

  71. /**
    72. 

  72.  * Loads a CRL with pem data.
    73. 

  73.  *
    74. 

  74.  * @param crl The CRL to load with the PEM data.
    75. 

  75.  * @param pem The PEM data to load `crl` with.
    76. 

  76.  * @param len The length of the pem data.
    77. 

  77.  * @return S2N_SUCCESS on success, S2N_FAILURE on error.
    78. 

  78.  */
    79. 

  79. S2N_API int s2n_crl_load_pem(struct s2n_crl *crl, uint8_t *pem, size_t len);
    80. 

  80. 

  81. /**
    82. 

  82.  * Frees a CRL.
    83. 

  83.  *
    84. 

  84.  * Frees an allocated `s2n_crl` and sets `crl` to NULL.
    85. 

  85.  *
    86. 

  86.  * @param crl The CRL to free.
    87. 

  87.  * @return S2N_SUCCESS on success, S2N_FAILURE on error.
    88. 

  88.  */
    89. 

  89. S2N_API int s2n_crl_free(struct s2n_crl **crl);
    90. 

  90. 

  91. /**
    92. 

  92.  * Retrieves the issuer hash of a CRL.
    93. 

  93.  *
    94. 

  94.  * This function can be used to find the CRL associated with a certificate received in the s2n_crl_lookup callback. The
    95. 

  95.  * hash value, `hash`, corresponds with the issuer hash of a certificate, retrieved via
    96. 

  96.  * `s2n_crl_lookup_get_cert_issuer_hash()`.
    97. 

  97.  *
    98. 

  98.  * @param crl The CRL to obtain the hash value of.
    99. 

  99.  * @param hash A pointer that will be set to the hash value.
    100. 

  100.  * @return S2N_SUCCESS on success. S2N_FAILURE on failure
    101. 

  101.  */
    102. 

  102. S2N_API int s2n_crl_get_issuer_hash(struct s2n_crl *crl, uint64_t *hash);
    103. 

  103. 

  104. /**
    105. 

  105.  * Determines if the CRL is currently active.
    106. 

  106.  *
    107. 

  107.  * CRLs contain a thisUpdate field, which specifies the date at which the CRL becomes valid. This function can be called
    108. 

  108.  * to check thisUpdate relative to the current time. If the thisUpdate date is in the past, the CRL is considered
    109. 

  109.  * active.
    110. 

  110.  *
    111. 

  111.  * @param crl The CRL to validate.
    112. 

  112.  * @return S2N_SUCCESS if `crl` is active, S2N_FAILURE if `crl` is not active, or the active status cannot be determined.
    113. 

  113.  */
    114. 

  114. S2N_API int s2n_crl_validate_active(struct s2n_crl *crl);
    115. 

  115. 

  116. /**
    117. 

  117.  * Determines if the CRL has expired.
    118. 

  118.  *
    119. 

  119.  * CRLs contain a nextUpdate field, which specifies the date at which the CRL becomes expired. This function can be
    120. 

  120.  * called to check nextUpdate relative to the current time. If the nextUpdate date is in the future, the CRL has not
    121. 

  121.  * expired.
    122. 

  122.  *
    123. 

  123.  * If the CRL does not contain a thisUpdate field, the CRL is assumed to never expire.
    124. 

  124.  *
    125. 

  125.  * @param crl The CRL to validate.
    126. 

  126.  * @return S2N_SUCCESS if `crl` has not expired, S2N_FAILURE if `crl` has expired, or the expiration status cannot be determined.
    127. 

  127.  */
    128. 

  128. S2N_API int s2n_crl_validate_not_expired(struct s2n_crl *crl);
    129. 

  129. 

  130. /**
    131. 

  131.  * Retrieves the issuer hash of the certificate.
    132. 

  132.  *
    133. 

  133.  * The CRL lookup callback is triggered once for each received certificate. This function is used to get the issuer hash
    134. 

  134.  * of this certificate. The hash value, `hash`, corresponds with the issuer hash of the CRL, retrieved via
    135. 

  135.  * `s2n_crl_get_issuer_hash()`.
    136. 

  136.  *
    137. 

  137.  * @param lookup The CRL lookup for the given certificate.
    138. 

  138.  * @param hash A pointer that will be set to the hash value.
    139. 

  139.  * @return S2N_SUCCESS on success, S2N_FAILURE on failure.
    140. 

  140.  */
    141. 

  141. S2N_API int s2n_crl_lookup_get_cert_issuer_hash(struct s2n_crl_lookup *lookup, uint64_t *hash);
    142. 

  142. 

  143. /**
    144. 

  144.  * Provide s2n-tls with a CRL from the CRL lookup callback.
    145. 

  145.  *
    146. 

  146.  * A return function for `s2n_crl_lookup_cb`. This function should be used from within the CRL lookup callback to
    147. 

  147.  * provide s2n-tls with a CRL for the given certificate. The provided CRL will be included in the list of CRLs to use
    148. 

  148.  * when validating the certificate chain.
    149. 

  149.  *
    150. 

  150.  * To skip providing a CRL from the callback, use `s2n_crl_lookup_ignore()`.
    151. 

  151.  *
    152. 

  152.  * @param lookup The CRL lookup for the given certificate.
    153. 

  153.  * @param crl The CRL to include in the list of CRLs used to validate the certificate chain.
    154. 

  154.  * @return S2N_SUCCESS on success, S2N_FAILURE on failure.
    155. 

  155.  */
    156. 

  156. S2N_API int s2n_crl_lookup_set(struct s2n_crl_lookup *lookup, struct s2n_crl *crl);
    157. 

  157. 

  158. /**
    159. 

  159.  * Skip providing a CRL from the CRL lookup callback.
    160. 

  160.  *
    161. 

  161.  * A return function for `s2n_crl_lookup_cb`. This function should be used from within the CRL lookup callback to ignore
    162. 

  162.  * the certificate, and skip providing s2n-tls with a CRL.
    163. 

  163.  *
    164. 

  164.  * If a certificate is ignored, and is ultimately included in the chain of trust, certificate chain validation will
    165. 

  165.  * fail with a S2N_ERR_CRL_LOOKUP_FAILED error. However, if the certificate is extraneous and not included in the chain
    166. 

  166.  * of trust, validation is able to proceed.
    167. 

  167.  *
    168. 

  168.  * @param lookup The CRL lookup for the given certificate.
    169. 

  169.  * @return S2N_SUCCESS on success, S2N_FAILURE on failure.
    170. 

  170.  */
    171. 

  171. S2N_API int s2n_crl_lookup_ignore(struct s2n_crl_lookup *lookup);
    172. 

  172. 

  173. struct s2n_cert_validation_info;
    174. 

  174. 

  175. /**
    176. 

  176.  * A callback which can be implemented to perform additional validation on received certificates.
    177. 

  177.  *
    178. 

  178.  * The cert validation callback is invoked after receiving and validating the peer's certificate chain. The callback
    179. 

  179.  * can be used by clients to validate server certificates, or by servers to validate client certificates in the case of
    180. 

  180.  * mutual auth. Note that any validation performed by applications in the callback is in addition to the certificate
    181. 

  181.  * validation already performed by s2n-tls.
    182. 

  182.  *
    183. 

  183.  * Applications can use either of the following APIs from within the callback to retrieve the peer's certificate chain
    184. 

  184.  * and perform validation before proceeding with the handshake:
    185. 

  185.  *  - `s2n_connection_get_peer_cert_chain()`
    186. 

  186.  *  - `s2n_connection_get_client_cert_chain()`
    187. 

  187.  *
    188. 

  188.  * If the validation performed in the callback is successful, `s2n_cert_validation_accept()` MUST be called to allow
    189. 

  189.  * `s2n_negotiate()` to continue the handshake. If the validation is unsuccessful, `s2n_cert_validation_reject()`
    190. 

  190.  * MUST be called, which will cause `s2n_negotiate()` to error. The behavior of `s2n_negotiate()` is undefined if
    191. 

  191.  * neither `s2n_cert_validation_accept()` or `s2n_cert_validation_reject()` are called.
    192. 

  192.  *
    193. 

  193.  * The `info` parameter is passed to the callback in order to call APIs specific to the cert validation callback, like
    194. 

  194.  * `s2n_cert_validation_accept()` and `s2n_cert_validation_reject()`. The `info` argument is only valid for the
    195. 

  195.  * lifetime of the callback, and must not be used after the callback has finished.
    196. 

  196.  *
    197. 

  197.  * After calling `s2n_cert_validation_reject()`, `s2n_negotiate()` will fail with a protocol error indicating that
    198. 

  198.  * the cert has been rejected from the callback. If more information regarding an application's custom validation
    199. 

  199.  * failure is required, consider adding an error code field to the custom connection context. See
    200. 

  200.  * `s2n_connection_set_ctx()` and `s2n_connection_get_ctx()` for how to set and retrieve custom connection contexts.
    201. 

  201.  *
    202. 

  202.  * @param conn The connection object from which the callback was invoked.
    203. 

  203.  * @param info The cert validation info object used to call cert validation APIs.
    204. 

  204.  * @param context Application data provided to the callback function via `s2n_config_set_cert_validation_cb()`.
    205. 

  205.  * @returns 0 on success, -1 on failure.
    206. 

  206.  */
    207. 

  207. typedef int (*s2n_cert_validation_callback)(struct s2n_connection *conn, struct s2n_cert_validation_info *info,
    208. 

  208.         void *context);
    209. 

  209. 

  210. /**
    211. 

  211.  * Sets a callback to perform additional validation on received certificates.
    212. 

  212.  *
    213. 

  213.  * @param config The associated connection config.
    214. 

  214.  * @param callback The cert validation callback to set.
    215. 

  215.  * @param context Optional application data passed to the callback function.
    216. 

  216.  * @returns S2N_SUCCESS on success, S2N_FAILURE on failure.
    217. 

  217.  */
    218. 

  218. S2N_API int s2n_config_set_cert_validation_cb(struct s2n_config *config, s2n_cert_validation_callback callback,
    219. 

  219.         void *context);
    220. 

  220. 

  221. /**
    222. 

  222.  * Indicates that the validation performed in the cert validation callback was successful.
    223. 

  223.  *
    224. 

  224.  * `s2n_cert_validation_accept()` should be called from within the cert validation callback to allow `s2n_negotiate()`
    225. 

  225.  * to continue the handshake.
    226. 

  226.  *
    227. 

  227.  * This function must not be called outside of the cert validation callback.
    228. 

  228.  *
    229. 

  229.  * @param info The cert validation info object for the associated callback.
    230. 

  230.  * @returns S2N_SUCCESS on success, S2N_FAILURE on failure.
    231. 

  231.  */
    232. 

  232. S2N_API int s2n_cert_validation_accept(struct s2n_cert_validation_info *info);
    233. 

  233. 

  234. /**
    235. 

  235.  * Indicates that the validation performed in the cert validation callback was unsuccessful.
    236. 

  236.  *
    237. 

  237.  * `s2n_cert_validation_reject()` should be called from within the cert validation callback to cause `s2n_negotiate()`
    238. 

  238.  * to error.
    239. 

  239.  *
    240. 

  240.  * This function must not be called outside of the cert validation callback.
    241. 

  241.  *
    242. 

  242.  * @param info The cert validation info object for the associated callback.
    243. 

  243.  * @returns S2N_SUCCESS on success, S2N_FAILURE on failure.
    244. 

  244.  */
    245. 

  245. S2N_API int s2n_cert_validation_reject(struct s2n_cert_validation_info *info);
    246.