//tabstop=4 //*********************************************************************** // ORBAsec SL3 // ---------------------------------------------------------------------- // Copyright (C) 2001 Adiron, LLC. // All rights reserved. // ---------------------------------------------------------------------- // $Id$ //*********************************************************************** #ifndef _SL3TLS_IDL_ #define _SL3TLS_IDL_ #include #include #include #include #include #pragma prefix "adiron.com" module SL3TLS { const TransportSecurity::MechanismId MID_TLS = "TLS"; /** * This is the only acquisition mechanism for acquiring TLS * Transport Credentials. */ const TransportSecurity::AcquisitionMethod AQM_TLSArgs = "TLSArgs"; /** * Implementers may create their own local version of * this interface to verify chains of X509 Certificates. */ local interface TLSX509IdentityVerifier { /** * This operation is called by the security service at the * TLS Transport Credentials creation phase to add certificates * as trusted entities directed by other TLS options. */ void add_trusted_authority( in SecurityLevel3::X509IdentityStatement auth ); /** * This operation is called by the security service to determine * if the peer is allowed to be anonymous. This means that the * peer has not delivered a certificate and did not authenticate * itself. */ boolean is_anonymous_allowed(); /** * This operation is called by the security service at the * transport authentication phase, when the peer certificate * needs to be verified. The X509IdentityStatement will contain * a sequence of encoded X509 Certificates, which may be empty. */ boolean verify( in SecurityLevel3::X509IdentityStatement ident ); }; /** * The TLS KeyStore Acquisition Builder extends the TCPIP * Builder. This is because the same TCPIP Acquisition Arguments * apply to TLS, as TCPIP sits underneath TLS. */ local interface TLSKeyStoreArgBuilder : SL3TCPIP::TCPIPArgBuilder { /** * This operation adds a X509 Certificate Chain Identity Verifier * argument to the acquisition arguments. * * @param verifier The locally defined interface that will verify * the certificate chain. */ void addTLSX509IdentityVerifier( in TLSX509IdentityVerifier verifier ); /** * This operation is used when there is a password on * the keystore. * * @param keystore This argument contains the URL of the * keystore. * @param storetype This argument contains the type of the * keystore. Currently, one of "IAIKKeyStore" * or "jks". * @param storepass This is the password that protects the * key store. * @param keyalias This argument contains the alias of a private * key in the keystore. If this argument is * an empty string, then the credentials will * be considered anonymous. * @param keypass This argument contains the password that * unlocks the private key named by the keyalias. * @param trusted_cert_names * This argument contains the alias of certificates * in the key store that are considered trusted * to verify certificates of the peer during * authentication. A empty string sequence signifies * that the default chain verifier will accept * chains ending in any trusted certificate * entry found in the keystore. *

* Note: On the default TLSX509IdentityVerifier, anonymous * communication is always allowed. */ void addTLSKeyStoreWithStorePass( in string keystore, in string storetype, in string storepass, in string keyalias, in string keypass, in CORBA::StringSeq trusted_cert_names ); /** * This operation is used when there is no password on * the keystore. This approach should only be used in * cases where the integrity of the keystore is not an issue. * * @param keystore This argument contains the URL of the * keystore. * @param storetype This argument contains the type of the * keystore. Currently, one of "IAIKKeyStore" * or "jks". * @param keyalias This argument contains the alias of a private * key in the keystore. If this argument is * an empty string, then the credentials will * be considered anonymous. * @param keypass This argument contains the password that * unlocks the private key named by the keyalias. * @param trusted_cert_names * This argument contains the alias of certificates * in the key store that are considered trusted * to verify certificates of the peer during * authentication. A empty string sequence signifies * that the default chain verifier will accept * chains ending in any trusted certificate * entry found in the keystore. *

* Note: On the default TLSX509IdentityVerifier, anonymous * communication is always allowed. */ void addTLSKeyStoreNoStorePass( in string keystore, in string storetype, in string keyalias, in string keypass, in CORBA::StringSeq trusted_cert_names ); /** * This operation is used when there is a password on * the keystore. * * @param keystore This argument contains the octet * sequence containing the keystore. * @param storetype This argument contains the type of the * keystore. Currently, one of "IAIKKeyStore" * or "jks". * @param storepass This is the password that protects the * key store. * @param keyalias This argument contains the alias of a private * key in the keystore. If this argument is * an empty string, then the credentials will * be considered anonymous. * @param keypass This argument contains the password that * unlocks the private key named by the keyalias. * @param trusted_cert_names * This argument contains the alias of certificates * in the key store that are considered trusted * to verify certificates of the peer during * authentication. A empty string sequence signifies * that the default chain verifier will accept * chains ending in any trusted certificate * entry found in the keystore. *

* Note: On the default TLSX509IdentityVerifier, anonymous * communication is always allowed. */ void addTLSEncodedKeyStoreWithStorePass( in CORBA::OctetSeq keystore, in string storetype, in string storepass, in string keyalias, in string keypass, in CORBA::StringSeq trusted_cert_names ); /** * This operation is used when there is no password on * the keystore. This approach should only be used in * cases where the integrity of the keystore is not an issue. * * @param keystore This argument contains the octet * sequence containing the keystore. * @param storetype This argument contains the type of the * keystore. Currently, one of "IAIKKeyStore" * or "jks". * @param keyalias This argument contains the alias of a private * key in the keystore. If this argument is * an empty string, then the credentials will * be considered anonymous. * @param keypass This argument contains the password that * unlocks the private key named by the keyalias. * @param trusted_cert_names * This argument contains the alias of certificates * in the key store that are considered trusted * to verify certificates of the peer during * authentication. A empty string sequence signifies * that the default chain verifier will accept * chains ending in any trusted certificate * entry found in the keystore. *

* Note: On the default TLSX509IdentityVerifier, anonymous * communication is always allowed. */ void addTLSEncodedKeyStoreNoStorePass( in CORBA::OctetSeq keystore, in string storetype, in string keyalias, in string keypass, in CORBA::StringSeq trusted_cert_names ); }; /** * This acquisition mechanism specifies getting TLS credential * information from a Java KeyStore file. The Argument Factory * and Builder inherit the TCPIP. * The arguments used in TCPIP apply * in setting up TCPIP sockets, because TCPIP lies * below SSL/TLS. *

* If the TCPIPInitiatorOptions and/or TCPIPAcceptorOptions * arguments are present, then they are followed, otherwise * defaults for TCPIP are used. *

* The Arguments should have one of * TLSKeyStoreWithStorePass or TLSKeyStoreNoStorePass. If * neither of them is specified, the resulting Credentials will * run in TLS anonymously. * */ const TransportSecurity::AcquisitionMethod AQM_TLSKeyStoreArgs = "TLSKeyStoreArgs"; /** * This object allows to create the Builder for use with TLS * and a Java KeyStore. */ local interface ArgumentFactory : SL3TCPIP::ArgumentFactory { /** * This operation creates a TLS KeyStore Arg Builder * object. */ TLSKeyStoreArgBuilder createTLSKeyStoreArgBuilder( in TransportSecurity::CredentialsUsage usage ); /** * This operation creates a Tagged Argument containing * a reference to a X509 Certificate Chain Verifier */ SL3AQArgs::Argument createTLSX509IdentityVerifier( in TLSX509IdentityVerifier verifier ); /** * This operation creates a Tagged Argument containing * the following information for acquiring credentials * from a Java KeyStore that is protected with a password. *

* For a description of the arguments, please see the * corresponding operation in the TLSKeyStoreArgBuilder. * * @see TLSKeyStoreArgBuilder */ SL3AQArgs::Argument createTLSKeyStoreWithStorePass( in string keystore, in string storetype, in string storepass, in string keyalias, in string keypass, in CORBA::StringSeq trusted_cert_names ); /** * This operation creates a Tagged Argument containing * the following information for acquiring credentials * from a Java KeyStore that may be protected with a password. *

* For a description of the arguments, please see the * corresponding operation in the TLSKeyStoreArgBuilder. * * @see TLSKeyStoreArgBuilder */ SL3AQArgs::Argument createTLSKeyStoreNoStorePass( in string keystore, in string storetype, in string keyalias, in string keypass, in CORBA::StringSeq trusted_cert_names ); /** * This operation creates a Tagged Argument containing * the following information for acquiring credentials * from a Java KeyStore that is protected with a password. *

* For a description of the arguments, please see the * corresponding operation in the TLSKeyStoreArgBuilder. * * @see TLSKeyStoreArgBuilder */ SL3AQArgs::Argument createTLSEncodedKeyStoreWithStorePass( in CORBA::OctetSeq keystore, in string storetype, in string storepass, in string keyalias, in string keypass, in CORBA::StringSeq trusted_cert_names ); /** * This operation creates a Tagged Argument containing * the following information for acquiring credentials * from a Java KeyStore that may be protected with a password. *

* For a description of the arguments, please see the * corresponding operation in the TLSKeyStoreArgBuilder. * * @see TLSKeyStoreArgBuilder */ SL3AQArgs::Argument createTLSEncodedKeyStoreNoStorePass( in CORBA::OctetSeq keystore, in string storetype, in string keyalias, in string keypass, in CORBA::StringSeq trusted_cert_names ); }; }; #endif