Seastar
High performance C++ framework for concurrent servers
Public Member Functions | List of all members
seastar::tls::certificate_credentials Class Reference

Detailed Description

Holds certificates and keys.

Typically, credentials are shared for multiple client/server sessions. Changes to the credentials object will affect all sessions instantiated with it. You should probably set it up once, before starting client/server connections.

#include <seastar/net/tls.hh>

Inheritance diagram for seastar::tls::certificate_credentials:
seastar::tls::abstract_credentials seastar::tls::server_credentials

Public Member Functions

 certificate_credentials (certificate_credentials &&) noexcept
 
certificate_credentialsoperator= (certificate_credentials &&) noexcept
 
 certificate_credentials (const certificate_credentials &)=delete
 
certificate_credentialsoperator= (const certificate_credentials &)=delete
 
void set_x509_trust (const blob &, x509_crt_format) override
 
void set_x509_crl (const blob &, x509_crt_format) override
 
void set_x509_key (const blob &cert, const blob &key, x509_crt_format) override
 
void set_simple_pkcs12 (const blob &, x509_crt_format, const sstring &password) override
 
future set_system_trust ()
 
void set_priority_string (const sstring &)
 
void set_dn_verification_callback (dn_callback)
 
virtual future set_x509_trust_file (const sstring &cafile, x509_crt_format)
 
virtual future set_x509_crl_file (const sstring &crlfile, x509_crt_format)
 
virtual future set_x509_key_file (const sstring &cf, const sstring &kf, x509_crt_format)
 
virtual future set_simple_pkcs12_file (const sstring &pkcs12file, x509_crt_format, const sstring &password)
 

Member Function Documentation

◆ set_dn_verification_callback()

void seastar::tls::certificate_credentials::set_dn_verification_callback ( dn_callback  )

Register a callback for receiving Distinguished Name (DN) information during the TLS handshake, extracted from the certificate as sent by the peer.

The callback is not invoked in case the peer did not send a certificate. (This could e.g. happen when we are the server, and a client connects while client_auth is not set to REQUIRE.)

If, based upon the extracted DN information, you want to abort the handshake, then simply throw an exception (e.g., from the callback) like verification_error.

Registering this callback does not bypass the 'standard' certificate verification procedure; instead it merely extracts the DN information from the peer certificate (i.e., the 'leaf' certificate from the chain of certificates sent by the peer) and allows for extra checks.

To keep the API simple, you can unregister the callback by means of registering an empty callback, i.e. dn_callback{}

The callback prototype is documented in the dn_callback typedef.

◆ set_priority_string()

void seastar::tls::certificate_credentials::set_priority_string ( const sstring &  )

TLS handshake priority string. See gnutls docs and syntax at https://gnutls.org/manual/html_node/Priority-Strings.html

Allows specifying order and allowance for handshake alg.

◆ set_system_trust()

future seastar::tls::certificate_credentials::set_system_trust ( )

Loads default system cert trust file into this object.

The documentation for this class was generated from the following file:
Generated by doxygen 1.9.1