| #ifndef PROTON_SSL_HPP |
| #define PROTON_SSL_HPP |
| |
| /* |
| * |
| * Licensed to the Apache Software Foundation (ASF) under one |
| * or more contributor license agreements. See the NOTICE file |
| * distributed with this work for additional information |
| * regarding copyright ownership. The ASF licenses this file |
| * to you under the Apache License, Version 2.0 (the |
| * "License"); you may not use this file except in compliance |
| * with the License. You may obtain a copy of the License at |
| * |
| * http://www.apache.org/licenses/LICENSE-2.0 |
| * |
| * Unless required by applicable law or agreed to in writing, |
| * software distributed under the License is distributed on an |
| * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY |
| * KIND, either express or implied. See the License for the |
| * specific language governing permissions and limitations |
| * under the License. |
| * |
| */ |
| |
| #include "./internal/export.hpp" |
| |
| #include <proton/ssl.h> |
| |
| #include <string> |
| |
| /// @file |
| /// @copybrief proton::ssl |
| |
| namespace proton { |
| |
| /// SSL information. |
| class ssl { |
| /// @cond INTERNAL |
| ssl(pn_ssl_t* s) : object_(s) {} |
| /// @endcond |
| |
| ssl() = delete; |
| |
| public: |
| /// Determines the level of peer validation. |
| enum verify_mode { |
| /// Require peer to provide a valid identifying certificate |
| VERIFY_PEER = PN_SSL_VERIFY_PEER, |
| /// Do not require a certificate or cipher authorization |
| ANONYMOUS_PEER = PN_SSL_ANONYMOUS_PEER, |
| /// Require valid certificate and matching name |
| VERIFY_PEER_NAME = PN_SSL_VERIFY_PEER_NAME |
| }; |
| |
| /// Outcome specifier for an attempted session resume. |
| enum resume_status { |
| UNKNOWN = PN_SSL_RESUME_UNKNOWN, ///< Session resume state unknown or not supported |
| NEW = PN_SSL_RESUME_NEW, ///< Session renegotiated, not resumed |
| REUSED = PN_SSL_RESUME_REUSED ///< Session resumed from previous session |
| }; |
| |
| /// @cond INTERNAL |
| |
| /// XXX C API uses cipher_name |
| /// Get the cipher name. |
| PN_CPP_EXTERN std::string cipher() const; |
| |
| /// XXX C API uses protocol_name |
| /// Get the protocol name. |
| PN_CPP_EXTERN std::string protocol() const; |
| |
| /// Get the security strength factor. |
| PN_CPP_EXTERN int ssf() const; |
| |
| /// XXX discuss, what's the meaning of "remote" here? |
| PN_CPP_EXTERN std::string remote_subject() const; |
| |
| /// XXX setters? versus connection options |
| PN_CPP_EXTERN void resume_session_id(const std::string& session_id); |
| |
| PN_CPP_EXTERN enum resume_status resume_status() const; |
| |
| /// @endcond |
| |
| private: |
| pn_ssl_t* const object_; |
| |
| /// @cond INTERNAL |
| friend class transport; |
| /// @endcond |
| }; |
| |
| /// **Unsettled API** - An SSL certificate. |
| class ssl_certificate { |
| public: |
| /// Create an SSL certificate. |
| PN_CPP_EXTERN ssl_certificate(const std::string &certdb_main); |
| |
| // XXX Document the following constructors |
| |
| /// @copydoc ssl_certificate |
| PN_CPP_EXTERN ssl_certificate(const std::string &certdb_main, const std::string &certdb_extra); |
| |
| /// @copydoc ssl_certificate |
| PN_CPP_EXTERN ssl_certificate(const std::string &certdb_main, const std::string &certdb_extra, const std::string &passwd); |
| /// @endcond |
| |
| private: |
| std::string certdb_main_; |
| std::string certdb_extra_; |
| std::string passwd_; |
| bool pw_set_; |
| |
| /// @cond INTERNAL |
| friend class ssl_client_options; |
| friend class ssl_server_options; |
| /// @endcond |
| }; |
| |
| |
| |
| /// **Unsettled API** - SSL configuration for inbound connections. |
| class ssl_server_options { |
| public: |
| /// Server SSL options based on the supplied X.509 certificate |
| /// specifier. |
| PN_CPP_EXTERN ssl_server_options(const ssl_certificate &cert); |
| |
| /// Server SSL options requiring connecting clients to provide a |
| /// client certificate. |
| PN_CPP_EXTERN ssl_server_options(const ssl_certificate &cert, const std::string &trust_db, |
| const std::string &advertise_db = std::string(), |
| enum ssl::verify_mode mode = ssl::VERIFY_PEER); |
| |
| /// Server SSL options restricted to available anonymous cipher |
| /// suites on the platform. |
| PN_CPP_EXTERN ssl_server_options(); |
| |
| PN_CPP_EXTERN ~ssl_server_options(); |
| PN_CPP_EXTERN ssl_server_options(const ssl_server_options&); |
| PN_CPP_EXTERN ssl_server_options& operator=(const ssl_server_options&); |
| |
| private: |
| class impl; |
| impl* impl_; |
| |
| /// @cond INTERNAL |
| friend class connection_options; |
| /// @endcond |
| }; |
| |
| /// **Unsettled API** - SSL configuration for outbound connections. |
| class ssl_client_options { |
| public: |
| /// Create SSL client with defaults (use system certificate trust database and require name verification) |
| PN_CPP_EXTERN ssl_client_options(); |
| |
| /// Create SSL client with unusual verification policy (but default certificate trust database) |
| PN_CPP_EXTERN ssl_client_options(enum ssl::verify_mode); |
| |
| /// Create SSL client specifying the certificate trust database. |
| PN_CPP_EXTERN ssl_client_options(const std::string &trust_db, |
| enum ssl::verify_mode = ssl::VERIFY_PEER_NAME); |
| |
| /// Create SSL client with a client certificate. |
| PN_CPP_EXTERN ssl_client_options(const ssl_certificate&, const std::string &trust_db, |
| enum ssl::verify_mode = ssl::VERIFY_PEER_NAME); |
| |
| PN_CPP_EXTERN ~ssl_client_options(); |
| PN_CPP_EXTERN ssl_client_options(const ssl_client_options&); |
| PN_CPP_EXTERN ssl_client_options& operator=(const ssl_client_options&); |
| |
| private: |
| class impl; |
| impl* impl_; |
| |
| /// @cond INTERNAL |
| friend class connection_options; |
| /// @endcond |
| }; |
| |
| } // proton |
| |
| #endif // PROTON_SSL_HPP |