Diffstat (limited to 'TAO/orbsvcs/orbsvcs/SL3TLS.idl')
-rw-r--r-- | TAO/orbsvcs/orbsvcs/SL3TLS.idl | 350 |
1 files changed, 0 insertions, 350 deletions
diff --git a/TAO/orbsvcs/orbsvcs/SL3TLS.idl b/TAO/orbsvcs/orbsvcs/SL3TLS.idl
deleted file mode 100644
index c5701351e11..00000000000
--- a/TAO/orbsvcs/orbsvcs/SL3TLS.idl
+++ /dev/null
@@ -1,350 +0,0 @@
-//tabstop=4
-//***********************************************************************
-// ORBAsec SL3
-// ----------------------------------------------------------------------
-// Copyright (C) 2001 Adiron, LLC.
-// All rights reserved.
-// ----------------------------------------------------------------------
-// $Id$
-//***********************************************************************
-#ifndef _SL3TLS_IDL_
-#define _SL3TLS_IDL_
-#include <orb.idl>
-#include <SL3/SecurityLevel3.idl>
-#include <SL3/TransportSecurity.idl>
-#include <SL3/SL3AQArgs.idl>
-#include <SL3/SL3TCPIP.idl>
-
-#pragma prefix "adiron.com"
-
-module SL3TLS {
- const TransportSecurity::MechanismId MID_TLS = "TLS";
-
- /**
- * This is the only acquisition mechanism for acquiring TLS
- * Transport Credentials.
- */
- const TransportSecurity::AcquisitionMethod AQM_TLSArgs = "TLSArgs";
-
- /**
- * Implementers may create their own local version of
- * this interface to verify chains of X509 Certificates.
- */
- local interface TLSX509IdentityVerifier {
-
- /**
- * This operation is called by the security service at the
- * TLS Transport Credentials creation phase to add certificates
- * as trusted entities directed by other TLS options.
- */
- void add_trusted_authority(
- in SecurityLevel3::X509IdentityStatement auth
- );
-
- /**
- * This operation is called by the security service to determine
- * if the peer is allowed to be anonymous. This means that the
- * peer has not delivered a certificate and did not authenticate
- * itself.
- */
- boolean is_anonymous_allowed();
-
- /**
- * This operation is called by the security service at the
- * transport authentication phase, when the peer certificate
- * needs to be verified. The X509IdentityStatement will contain
- * a sequence of encoded X509 Certificates, which may be empty.
- */
- boolean verify(
- in SecurityLevel3::X509IdentityStatement ident
- );
- };
-
- /**
- * The TLS KeyStore Acquisition Builder extends the TCPIP
- * Builder. This is because the same TCPIP Acquisition Arguments
- * apply to TLS, as TCPIP sits underneath TLS.
- */
- local interface TLSKeyStoreArgBuilder : SL3TCPIP::TCPIPArgBuilder {
-
- /**
- * This operation adds a X509 Certificate Chain Identity Verifier
- * argument to the acquisition arguments.
- *
- * @param verifier The locally defined interface that will verify
- * the certificate chain.
- */
- void addTLSX509IdentityVerifier(
- in TLSX509IdentityVerifier verifier
- );
-
- /**
- * This operation is used when there is a password on
- * the keystore.
- *
- * @param keystore This argument contains the URL of the
- * keystore.
- * @param storetype This argument contains the type of the
- * keystore. Currently, one of "IAIKKeyStore"
- * or "jks".
- * @param storepass This is the password that protects the
- * key store.
- * @param keyalias This argument contains the alias of a private
- * key in the keystore. If this argument is
- * an empty string, then the credentials will
- * be considered anonymous.
- * @param keypass This argument contains the password that
- * unlocks the private key named by the keyalias.
- * @param trusted_cert_names
- * This argument contains the alias of certificates
- * in the key store that are considered trusted
- * to verify certificates of the peer during
- * authentication. A empty string sequence signifies
- * that the default chain verifier will accept
- * chains ending in any trusted certificate
- * entry found in the keystore.
- * <p>
- * Note: On the default TLSX509IdentityVerifier, anonymous
- * communication is always allowed.
- */
- void addTLSKeyStoreWithStorePass(
- in string keystore,
- in string storetype,
- in string storepass,
- in string keyalias,
- in string keypass,
- in CORBA::StringSeq trusted_cert_names
- );
-
- /**
- * This operation is used when there is no password on
- * the keystore. This approach should only be used in
- * cases where the integrity of the keystore is not an issue.
- *
- * @param keystore This argument contains the URL of the
- * keystore.
- * @param storetype This argument contains the type of the
- * keystore. Currently, one of "IAIKKeyStore"
- * or "jks".
- * @param keyalias This argument contains the alias of a private
- * key in the keystore. If this argument is
- * an empty string, then the credentials will
- * be considered anonymous.
- * @param keypass This argument contains the password that
- * unlocks the private key named by the keyalias.
- * @param trusted_cert_names
- * This argument contains the alias of certificates
- * in the key store that are considered trusted
- * to verify certificates of the peer during
- * authentication. A empty string sequence signifies
- * that the default chain verifier will accept
- * chains ending in any trusted certificate
- * entry found in the keystore.
- * <p>
- * Note: On the default TLSX509IdentityVerifier, anonymous
- * communication is always allowed.
- */
- void addTLSKeyStoreNoStorePass(
- in string keystore,
- in string storetype,
- in string keyalias,
- in string keypass,
- in CORBA::StringSeq trusted_cert_names
- );
-
- /**
- * This operation is used when there is a password on
- * the keystore.
- *
- * @param keystore This argument contains the octet
- * sequence containing the keystore.
- * @param storetype This argument contains the type of the
- * keystore. Currently, one of "IAIKKeyStore"
- * or "jks".
- * @param storepass This is the password that protects the
- * key store.
- * @param keyalias This argument contains the alias of a private
- * key in the keystore. If this argument is
- * an empty string, then the credentials will
- * be considered anonymous.
- * @param keypass This argument contains the password that
- * unlocks the private key named by the keyalias.
- * @param trusted_cert_names
- * This argument contains the alias of certificates
- * in the key store that are considered trusted
- * to verify certificates of the peer during
- * authentication. A empty string sequence signifies
- * that the default chain verifier will accept
- * chains ending in any trusted certificate
- * entry found in the keystore.
- * <p>
- * Note: On the default TLSX509IdentityVerifier, anonymous
- * communication is always allowed.
- */
- void addTLSEncodedKeyStoreWithStorePass(
- in CORBA::OctetSeq keystore,
- in string storetype,
- in string storepass,
- in string keyalias,
- in string keypass,
- in CORBA::StringSeq trusted_cert_names
- );
-
- /**
- * This operation is used when there is no password on
- * the keystore. This approach should only be used in
- * cases where the integrity of the keystore is not an issue.
- *
- * @param keystore This argument contains the octet
- * sequence containing the keystore.
- * @param storetype This argument contains the type of the
- * keystore. Currently, one of "IAIKKeyStore"
- * or "jks".
- * @param keyalias This argument contains the alias of a private
- * key in the keystore. If this argument is
- * an empty string, then the credentials will
- * be considered anonymous.
- * @param keypass This argument contains the password that
- * unlocks the private key named by the keyalias.
- * @param trusted_cert_names
- * This argument contains the alias of certificates
- * in the key store that are considered trusted
- * to verify certificates of the peer during
- * authentication. A empty string sequence signifies
- * that the default chain verifier will accept
- * chains ending in any trusted certificate
- * entry found in the keystore.
- * <p>
- * Note: On the default TLSX509IdentityVerifier, anonymous
- * communication is always allowed.
- */
- void addTLSEncodedKeyStoreNoStorePass(
- in CORBA::OctetSeq keystore,
- in string storetype,
- in string keyalias,
- in string keypass,
- in CORBA::StringSeq trusted_cert_names
- );
- };
-
- /**
- * This acquisition mechanism specifies getting TLS credential
- * information from a Java KeyStore file. The Argument Factory
- * and Builder inherit the TCPIP.
- * The arguments used in TCPIP apply
- * in setting up TCPIP sockets, because TCPIP lies
- * below SSL/TLS.
- * <p>
- * If the TCPIPInitiatorOptions and/or TCPIPAcceptorOptions
- * arguments are present, then they are followed, otherwise
- * defaults for TCPIP are used.
- * <p>
- * The Arguments should have one of
- * TLSKeyStoreWithStorePass or TLSKeyStoreNoStorePass. If
- * neither of them is specified, the resulting Credentials will
- * run in TLS anonymously.
- *
- */
- const TransportSecurity::AcquisitionMethod
- AQM_TLSKeyStoreArgs = "TLSKeyStoreArgs";
-
- /**
- * This object allows to create the Builder for use with TLS
- * and a Java KeyStore.
- */
- local interface ArgumentFactory : SL3TCPIP::ArgumentFactory {
-
- /**
- * This operation creates a TLS KeyStore Arg Builder
- * object.
- */
- TLSKeyStoreArgBuilder createTLSKeyStoreArgBuilder(
- in TransportSecurity::CredentialsUsage usage
- );
-
- /**
- * This operation creates a Tagged Argument containing
- * a reference to a X509 Certificate Chain Verifier
- */
- SL3AQArgs::Argument createTLSX509IdentityVerifier(
- in TLSX509IdentityVerifier verifier
- );
-
- /**
- * This operation creates a Tagged Argument containing
- * the following information for acquiring credentials
- * from a Java KeyStore that is protected with a password.
- * <p>
- * For a description of the arguments, please see the
- * corresponding operation in the TLSKeyStoreArgBuilder.
- *
- * @see TLSKeyStoreArgBuilder
- */
- SL3AQArgs::Argument createTLSKeyStoreWithStorePass(
- in string keystore,
- in string storetype,
- in string storepass,
- in string keyalias,
- in string keypass,
- in CORBA::StringSeq trusted_cert_names
- );
-
- /**
- * This operation creates a Tagged Argument containing
- * the following information for acquiring credentials
- * from a Java KeyStore that may be protected with a password.
- * <p>
- * For a description of the arguments, please see the
- * corresponding operation in the TLSKeyStoreArgBuilder.
- *
- * @see TLSKeyStoreArgBuilder
- */
- SL3AQArgs::Argument createTLSKeyStoreNoStorePass(
- in string keystore,
- in string storetype,
- in string keyalias,
- in string keypass,
- in CORBA::StringSeq trusted_cert_names
- );
-
- /**
- * This operation creates a Tagged Argument containing
- * the following information for acquiring credentials
- * from a Java KeyStore that is protected with a password.
- * <p>
- * For a description of the arguments, please see the
- * corresponding operation in the TLSKeyStoreArgBuilder.
- *
- * @see TLSKeyStoreArgBuilder
- */
- SL3AQArgs::Argument createTLSEncodedKeyStoreWithStorePass(
- in CORBA::OctetSeq keystore,
- in string storetype,
- in string storepass,
- in string keyalias,
- in string keypass,
- in CORBA::StringSeq trusted_cert_names
- );
-
- /**
- * This operation creates a Tagged Argument containing
- * the following information for acquiring credentials
- * from a Java KeyStore that may be protected with a password.
- * <p>
- * For a description of the arguments, please see the
- * corresponding operation in the TLSKeyStoreArgBuilder.
- *
- * @see TLSKeyStoreArgBuilder
- */
- SL3AQArgs::Argument createTLSEncodedKeyStoreNoStorePass(
- in CORBA::OctetSeq keystore,
- in string storetype,
- in string keyalias,
- in string keypass,
- in CORBA::StringSeq trusted_cert_names
- );
-
- };
-
-};
-#endif |