summaryrefslogtreecommitdiff
path: root/TAO/orbsvcs/orbsvcs/SL3TLS.idl
diff options
context:
space:
mode:
Diffstat (limited to 'TAO/orbsvcs/orbsvcs/SL3TLS.idl')
-rw-r--r--TAO/orbsvcs/orbsvcs/SL3TLS.idl350
1 files changed, 350 insertions, 0 deletions
diff --git a/TAO/orbsvcs/orbsvcs/SL3TLS.idl b/TAO/orbsvcs/orbsvcs/SL3TLS.idl
new file mode 100644
index 00000000000..c5701351e11
--- /dev/null
+++ b/TAO/orbsvcs/orbsvcs/SL3TLS.idl
@@ -0,0 +1,350 @@
+//tabstop=4
+//***********************************************************************
+// ORBAsec SL3
+// ----------------------------------------------------------------------
+// Copyright (C) 2001 Adiron, LLC.
+// All rights reserved.
+// ----------------------------------------------------------------------
+// $Id$
+//***********************************************************************
+#ifndef _SL3TLS_IDL_
+#define _SL3TLS_IDL_
+#include <orb.idl>
+#include <SL3/SecurityLevel3.idl>
+#include <SL3/TransportSecurity.idl>
+#include <SL3/SL3AQArgs.idl>
+#include <SL3/SL3TCPIP.idl>
+
+#pragma prefix "adiron.com"
+
+module SL3TLS {
+ const TransportSecurity::MechanismId MID_TLS = "TLS";
+
+ /**
+ * This is the only acquisition mechanism for acquiring TLS
+ * Transport Credentials.
+ */
+ const TransportSecurity::AcquisitionMethod AQM_TLSArgs = "TLSArgs";
+
+ /**
+ * Implementers may create their own local version of
+ * this interface to verify chains of X509 Certificates.
+ */
+ local interface TLSX509IdentityVerifier {
+
+ /**
+ * This operation is called by the security service at the
+ * TLS Transport Credentials creation phase to add certificates
+ * as trusted entities directed by other TLS options.
+ */
+ void add_trusted_authority(
+ in SecurityLevel3::X509IdentityStatement auth
+ );
+
+ /**
+ * This operation is called by the security service to determine
+ * if the peer is allowed to be anonymous. This means that the
+ * peer has not delivered a certificate and did not authenticate
+ * itself.
+ */
+ boolean is_anonymous_allowed();
+
+ /**
+ * This operation is called by the security service at the
+ * transport authentication phase, when the peer certificate
+ * needs to be verified. The X509IdentityStatement will contain
+ * a sequence of encoded X509 Certificates, which may be empty.
+ */
+ boolean verify(
+ in SecurityLevel3::X509IdentityStatement ident
+ );
+ };
+
+ /**
+ * The TLS KeyStore Acquisition Builder extends the TCPIP
+ * Builder. This is because the same TCPIP Acquisition Arguments
+ * apply to TLS, as TCPIP sits underneath TLS.
+ */
+ local interface TLSKeyStoreArgBuilder : SL3TCPIP::TCPIPArgBuilder {
+
+ /**
+ * This operation adds a X509 Certificate Chain Identity Verifier
+ * argument to the acquisition arguments.
+ *
+ * @param verifier The locally defined interface that will verify
+ * the certificate chain.
+ */
+ void addTLSX509IdentityVerifier(
+ in TLSX509IdentityVerifier verifier
+ );
+
+ /**
+ * This operation is used when there is a password on
+ * the keystore.
+ *
+ * @param keystore This argument contains the URL of the
+ * keystore.
+ * @param storetype This argument contains the type of the
+ * keystore. Currently, one of "IAIKKeyStore"
+ * or "jks".
+ * @param storepass This is the password that protects the
+ * key store.
+ * @param keyalias This argument contains the alias of a private
+ * key in the keystore. If this argument is
+ * an empty string, then the credentials will
+ * be considered anonymous.
+ * @param keypass This argument contains the password that
+ * unlocks the private key named by the keyalias.
+ * @param trusted_cert_names
+ * This argument contains the alias of certificates
+ * in the key store that are considered trusted
+ * to verify certificates of the peer during
+ * authentication. A empty string sequence signifies
+ * that the default chain verifier will accept
+ * chains ending in any trusted certificate
+ * entry found in the keystore.
+ * <p>
+ * Note: On the default TLSX509IdentityVerifier, anonymous
+ * communication is always allowed.
+ */
+ void addTLSKeyStoreWithStorePass(
+ in string keystore,
+ in string storetype,
+ in string storepass,
+ in string keyalias,
+ in string keypass,
+ in CORBA::StringSeq trusted_cert_names
+ );
+
+ /**
+ * This operation is used when there is no password on
+ * the keystore. This approach should only be used in
+ * cases where the integrity of the keystore is not an issue.
+ *
+ * @param keystore This argument contains the URL of the
+ * keystore.
+ * @param storetype This argument contains the type of the
+ * keystore. Currently, one of "IAIKKeyStore"
+ * or "jks".
+ * @param keyalias This argument contains the alias of a private
+ * key in the keystore. If this argument is
+ * an empty string, then the credentials will
+ * be considered anonymous.
+ * @param keypass This argument contains the password that
+ * unlocks the private key named by the keyalias.
+ * @param trusted_cert_names
+ * This argument contains the alias of certificates
+ * in the key store that are considered trusted
+ * to verify certificates of the peer during
+ * authentication. A empty string sequence signifies
+ * that the default chain verifier will accept
+ * chains ending in any trusted certificate
+ * entry found in the keystore.
+ * <p>
+ * Note: On the default TLSX509IdentityVerifier, anonymous
+ * communication is always allowed.
+ */
+ void addTLSKeyStoreNoStorePass(
+ in string keystore,
+ in string storetype,
+ in string keyalias,
+ in string keypass,
+ in CORBA::StringSeq trusted_cert_names
+ );
+
+ /**
+ * This operation is used when there is a password on
+ * the keystore.
+ *
+ * @param keystore This argument contains the octet
+ * sequence containing the keystore.
+ * @param storetype This argument contains the type of the
+ * keystore. Currently, one of "IAIKKeyStore"
+ * or "jks".
+ * @param storepass This is the password that protects the
+ * key store.
+ * @param keyalias This argument contains the alias of a private
+ * key in the keystore. If this argument is
+ * an empty string, then the credentials will
+ * be considered anonymous.
+ * @param keypass This argument contains the password that
+ * unlocks the private key named by the keyalias.
+ * @param trusted_cert_names
+ * This argument contains the alias of certificates
+ * in the key store that are considered trusted
+ * to verify certificates of the peer during
+ * authentication. A empty string sequence signifies
+ * that the default chain verifier will accept
+ * chains ending in any trusted certificate
+ * entry found in the keystore.
+ * <p>
+ * Note: On the default TLSX509IdentityVerifier, anonymous
+ * communication is always allowed.
+ */
+ void addTLSEncodedKeyStoreWithStorePass(
+ in CORBA::OctetSeq keystore,
+ in string storetype,
+ in string storepass,
+ in string keyalias,
+ in string keypass,
+ in CORBA::StringSeq trusted_cert_names
+ );
+
+ /**
+ * This operation is used when there is no password on
+ * the keystore. This approach should only be used in
+ * cases where the integrity of the keystore is not an issue.
+ *
+ * @param keystore This argument contains the octet
+ * sequence containing the keystore.
+ * @param storetype This argument contains the type of the
+ * keystore. Currently, one of "IAIKKeyStore"
+ * or "jks".
+ * @param keyalias This argument contains the alias of a private
+ * key in the keystore. If this argument is
+ * an empty string, then the credentials will
+ * be considered anonymous.
+ * @param keypass This argument contains the password that
+ * unlocks the private key named by the keyalias.
+ * @param trusted_cert_names
+ * This argument contains the alias of certificates
+ * in the key store that are considered trusted
+ * to verify certificates of the peer during
+ * authentication. A empty string sequence signifies
+ * that the default chain verifier will accept
+ * chains ending in any trusted certificate
+ * entry found in the keystore.
+ * <p>
+ * Note: On the default TLSX509IdentityVerifier, anonymous
+ * communication is always allowed.
+ */
+ void addTLSEncodedKeyStoreNoStorePass(
+ in CORBA::OctetSeq keystore,
+ in string storetype,
+ in string keyalias,
+ in string keypass,
+ in CORBA::StringSeq trusted_cert_names
+ );
+ };
+
+ /**
+ * This acquisition mechanism specifies getting TLS credential
+ * information from a Java KeyStore file. The Argument Factory
+ * and Builder inherit the TCPIP.
+ * The arguments used in TCPIP apply
+ * in setting up TCPIP sockets, because TCPIP lies
+ * below SSL/TLS.
+ * <p>
+ * If the TCPIPInitiatorOptions and/or TCPIPAcceptorOptions
+ * arguments are present, then they are followed, otherwise
+ * defaults for TCPIP are used.
+ * <p>
+ * The Arguments should have one of
+ * TLSKeyStoreWithStorePass or TLSKeyStoreNoStorePass. If
+ * neither of them is specified, the resulting Credentials will
+ * run in TLS anonymously.
+ *
+ */
+ const TransportSecurity::AcquisitionMethod
+ AQM_TLSKeyStoreArgs = "TLSKeyStoreArgs";
+
+ /**
+ * This object allows to create the Builder for use with TLS
+ * and a Java KeyStore.
+ */
+ local interface ArgumentFactory : SL3TCPIP::ArgumentFactory {
+
+ /**
+ * This operation creates a TLS KeyStore Arg Builder
+ * object.
+ */
+ TLSKeyStoreArgBuilder createTLSKeyStoreArgBuilder(
+ in TransportSecurity::CredentialsUsage usage
+ );
+
+ /**
+ * This operation creates a Tagged Argument containing
+ * a reference to a X509 Certificate Chain Verifier
+ */
+ SL3AQArgs::Argument createTLSX509IdentityVerifier(
+ in TLSX509IdentityVerifier verifier
+ );
+
+ /**
+ * This operation creates a Tagged Argument containing
+ * the following information for acquiring credentials
+ * from a Java KeyStore that is protected with a password.
+ * <p>
+ * For a description of the arguments, please see the
+ * corresponding operation in the TLSKeyStoreArgBuilder.
+ *
+ * @see TLSKeyStoreArgBuilder
+ */
+ SL3AQArgs::Argument createTLSKeyStoreWithStorePass(
+ in string keystore,
+ in string storetype,
+ in string storepass,
+ in string keyalias,
+ in string keypass,
+ in CORBA::StringSeq trusted_cert_names
+ );
+
+ /**
+ * This operation creates a Tagged Argument containing
+ * the following information for acquiring credentials
+ * from a Java KeyStore that may be protected with a password.
+ * <p>
+ * For a description of the arguments, please see the
+ * corresponding operation in the TLSKeyStoreArgBuilder.
+ *
+ * @see TLSKeyStoreArgBuilder
+ */
+ SL3AQArgs::Argument createTLSKeyStoreNoStorePass(
+ in string keystore,
+ in string storetype,
+ in string keyalias,
+ in string keypass,
+ in CORBA::StringSeq trusted_cert_names
+ );
+
+ /**
+ * This operation creates a Tagged Argument containing
+ * the following information for acquiring credentials
+ * from a Java KeyStore that is protected with a password.
+ * <p>
+ * For a description of the arguments, please see the
+ * corresponding operation in the TLSKeyStoreArgBuilder.
+ *
+ * @see TLSKeyStoreArgBuilder
+ */
+ SL3AQArgs::Argument createTLSEncodedKeyStoreWithStorePass(
+ in CORBA::OctetSeq keystore,
+ in string storetype,
+ in string storepass,
+ in string keyalias,
+ in string keypass,
+ in CORBA::StringSeq trusted_cert_names
+ );
+
+ /**
+ * This operation creates a Tagged Argument containing
+ * the following information for acquiring credentials
+ * from a Java KeyStore that may be protected with a password.
+ * <p>
+ * For a description of the arguments, please see the
+ * corresponding operation in the TLSKeyStoreArgBuilder.
+ *
+ * @see TLSKeyStoreArgBuilder
+ */
+ SL3AQArgs::Argument createTLSEncodedKeyStoreNoStorePass(
+ in CORBA::OctetSeq keystore,
+ in string storetype,
+ in string keyalias,
+ in string keypass,
+ in CORBA::StringSeq trusted_cert_names
+ );
+
+ };
+
+};
+#endif
View Lorry Controller Status