UDIF: Universal Digital Identification Framework 1.0.0.0a (A1)
A quantum-secure cryptographic identification
capability.h File Reference

UDIF capability token management. More...

#include "udif.h"


Data Structures

struct  udif_capability
 Capability token. More...

Macros

#define UDIF_CAPABILITY_POLICY_SIZE   4U
#define UDIF_CAPABILITY_ENCODED_SIZE
 The capability structure encoded size.
#define UDIF_CAPABILITY_SIGNED_SIZE
 The capability structure signed size.

Typedefs

typedef UDIF_EXPORT_API struct udif_capability udif_capability
typedef UDIF_EXPORT_API enum udif_capability_id udif_capability_id
typedef UDIF_EXPORT_API enum udif_capability_verbs udif_capability_verbs
typedef UDIF_EXPORT_API enum udif_capability_scopes udif_capability_scopes

Enumerations

enum  udif_capability_id {
  udif_capability_issue_certificate = 0x00U , udif_capability_revoke_certificate = 0x01U , udif_capability_issue_token = 0x02U , udif_capability_validate_token = 0x03U ,
  udif_capability_register_issuer = 0x04U , udif_capability_rotate_keys = 0x05U , udif_capability_directory_query = 0x06U , udif_capability_audit_logging_access = 0x07U ,
  udif_capability_admin = 0x08U
}
 Canonical capability identifiers (bit positions map to the mask). More...
enum  udif_capability_verbs {
  udif_capability_query_exist = 0U , udif_capability_query_owner_binding = 1U , udif_capability_query_attr_bucket = 2U , udif_capability_prove_membership = 3U ,
  udif_capability_forward_query = 4U , udif_capability_admin_enroll = 5U , udif_capability_admin_suspend = 6U , udif_capability_admin_resume = 7U ,
  udif_capability_admin_revoke = 8U , udif_capability_admin_branch_create = 9U , udif_capability_admin_branch_retire = 10U , udif_capability_registry_commit = 11U ,
  udif_capability_tx_create = 12U , udif_capability_tx_accept = 13U , udif_capability_logging_anchor_send = 14U , udif_capability_logging_anchor_verify = 15U ,
  udif_capability_treaty_negotiate = 16U , udif_capability_treaty_query_exec = 17U , udif_capability_treaty_query_origin = 18U , udif_capability_telemetry_export = 19U ,
  udif_capability_error_report = 20U
}
 Capability permission verbs (bit positions) More...
enum  udif_capability_scopes { udif_scope_local = 0U , udif_scope_intra_domain = 1U , udif_scope_treaty = 2U }
 Capability scope flags. More...

Functions

UDIF_EXPORT_API bool udif_capability_allows_scope (const udif_capability *capability, uint32_t scope)
 Check if capability allows a scope.
UDIF_EXPORT_API bool udif_capability_allows_verb (const udif_capability *capability, uint32_t verb)
 Check if capability allows a verb.
UDIF_EXPORT_API void udif_capability_clear (udif_capability *capability)
 Clear a capability.
UDIF_EXPORT_API udif_errors udif_capability_create (udif_capability *capability, uint32_t verbsbitmap, uint32_t scopebitmap, const uint8_t *issuedto, const uint8_t *issuedby, uint64_t validto, uint32_t policy, const uint8_t *issuerkey)
 Create a capability token.
UDIF_EXPORT_API udif_errors udif_capability_compute_digest (uint8_t *digest, const udif_capability *capability)
 Compute object digest.
UDIF_EXPORT_API udif_errors udif_capability_deserialize (udif_capability *capability, const uint8_t *input, size_t inplen)
 Deserialize a capability.
UDIF_EXPORT_API bool udif_capability_grants_permission (const udif_capability *capability, uint32_t verb, uint32_t scope, uint64_t ctime)
 Check if capability grants permission.
UDIF_EXPORT_API bool udif_capability_is_expired (const udif_capability *capability, uint64_t ctime)
 Check if capability is expired.
UDIF_EXPORT_API udif_errors udif_capability_serialize (uint8_t *output, size_t outlen, const udif_capability *capability)
 Serialize a capability.
UDIF_EXPORT_API bool udif_capability_verify (const udif_capability *capability, const uint8_t *issuerkey)
 Verify a capability token.

Detailed Description

UDIF capability token management.

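This module implements capability-based access control for UDIF. Capabilities are tokens that grant specific permissions to entities and are authenticated with KMAC-256. Because KMAC is a symmetric MAC, the same issuer key both creates and verifies the tag, so a capability is unforgeable only to parties that do not hold that key.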

Capabilities define:

  • Verbs: What operations are allowed
  • Scopes: Where operations can be performed
  • Subject: Who holds the capability
  • Issuer: Who granted the capability
  • Validity: When the capability expires

Macro Definition Documentation

◆ UDIF_CAPABILITY_ENCODED_SIZE

#define UDIF_CAPABILITY_ENCODED_SIZE
Value:
UDIF_VALID_TIME_SIZE + \
UDIF_CAPABILITY_POLICY_SIZE)
#define UDIF_CAPABILITY_BITMAP_SIZE
Capability bitmap size in bytes (64-bit)
Definition udif.h:415
#define UDIF_SERIAL_NUMBER_SIZE
The serial number field length.
Definition udif.h:519
#define UDIF_CRYPTO_HASH_SIZE
The size of the certificate hash in bytes.
Definition udif.h:439
#define UDIF_CRYPTO_MAC_SIZE
The MAC function output byte size.
Definition udif.h:452

The capability structure encoded size.

◆ UDIF_CAPABILITY_SIGNED_SIZE

#define UDIF_CAPABILITY_SIGNED_SIZE
Value:
UDIF_VALID_TIME_SIZE + \
UDIF_CAPABILITY_POLICY_SIZE)

The capability structure signed size.

Enumeration Type Documentation

◆ udif_capability_id

Canonical capability identifiers (bit positions map to the mask).

NO_DOCUMENT

Enumerator
udif_capability_issue_certificate 

Issue subordinate certificates

udif_capability_revoke_certificate 

Revoke certificates

udif_capability_issue_token 

Issue capability/attestation tokens

udif_capability_validate_token 

Validate tokens and claims

udif_capability_register_issuer 

Register issuer domain codes

udif_capability_rotate_keys 

Rotate root/issuer keys

udif_capability_directory_query 

Query directory / discovery

udif_capability_audit_logging_access 

Access audit logs

udif_capability_admin 

Administrative override

◆ udif_capability_scopes

Capability scope flags.

Enumerator
udif_scope_local 

Local only

udif_scope_intra_domain 

Intra-domain

udif_scope_treaty 

Cross-domain treaty

◆ udif_capability_verbs

Capability permission verbs (bit positions)

Enumerator
udif_capability_query_exist 

Query existence

udif_capability_query_owner_binding 

Query owner binding

udif_capability_query_attr_bucket 

Query attribute bucket

udif_capability_prove_membership 

Prove membership

udif_capability_forward_query 

Forward query

udif_capability_admin_enroll 

Enroll entity

udif_capability_admin_suspend 

Suspend entity

udif_capability_admin_resume 

Resume entity

udif_capability_admin_revoke 

Revoke entity

udif_capability_admin_branch_create 

Create branch

udif_capability_admin_branch_retire 

Retire branch

udif_capability_registry_commit 

Commit registry

udif_capability_tx_create 

Create transaction

udif_capability_tx_accept 

Accept transaction

udif_capability_logging_anchor_send 

Send anchor

udif_capability_logging_anchor_verify 

Verify anchor

udif_capability_treaty_negotiate 

Negotiate treaty

udif_capability_treaty_query_exec 

Execute treaty query

udif_capability_treaty_query_origin 

Originate treaty query

udif_capability_telemetry_export 

Export telemetry

udif_capability_error_report 

Report error

Function Documentation

◆ udif_capability_allows_scope()

UDIF_EXPORT_API bool udif_capability_allows_scope ( const udif_capability * capability,
uint32_t scope )

Check if capability allows a scope.

Tests if a specific operation scope is granted.

Parameters
capability: [const] The capability
scope: The scope to check
Returns
Returns true if allowed

◆ udif_capability_allows_verb()

UDIF_EXPORT_API bool udif_capability_allows_verb ( const udif_capability * capability,
uint32_t verb )

Check if capability allows a verb.

Tests if a specific operation verb is granted.

Parameters
capability: [const] The capability
verb: The verb to check (bit position)
Returns
Returns true if allowed

◆ udif_capability_clear()

UDIF_EXPORT_API void udif_capability_clear ( udif_capability * capability)

Clear a capability.

Zeros out a capability structure.

Parameters
capability: The capability to clear

◆ udif_capability_compute_digest()

UDIF_EXPORT_API udif_errors udif_capability_compute_digest ( uint8_t * digest,
const udif_capability * capability )

Compute object digest.

Computes the canonical digest for a capability object. The signature and hash are not included in the digest.

Parameters
digest: The output digest (32 bytes)
capability: [const] The capability structure to digest
Returns
Returns udif_error_none on success

◆ udif_capability_create()

UDIF_EXPORT_API udif_errors udif_capability_create ( udif_capability * capability,
uint32_t verbsbitmap,
uint32_t scopebitmap,
const uint8_t * issuedto,
const uint8_t * issuedby,
uint64_t validto,
uint32_t policy,
const uint8_t * issuerkey )

Create a capability token.

Creates a new capability token authenticated with KMAC-256.

Parameters
capability: The output capability structure
verbsbitmap: The allowed operation verbs
scopebitmap: The allowed operation scopes
issuedto: [const] The recipient serial (16 bytes)
issuedby: [const] The issuer serial (16 bytes)
validto: The expiration time (UTC seconds)
policy: The policy version number
issuerkey: [const] The issuer's MAC key
Returns
Returns udif_error_none on success

◆ udif_capability_deserialize()

UDIF_EXPORT_API udif_errors udif_capability_deserialize ( udif_capability * capability,
const uint8_t * input,
size_t inplen )

Deserialize a capability.

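Decodes a capability from canonical TLV format. The function takes no key, so decoding alone does not authenticate the token; check the decoded capability with udif_capability_verify() before acting on one received from another party.

Parameters
capability: The output capability structure
input: [const] The input buffer
inplen: The input buffer length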
Returns
Returns udif_error_none on success

◆ udif_capability_grants_permission()

UDIF_EXPORT_API bool udif_capability_grants_permission ( const udif_capability * capability,
uint32_t verb,
uint32_t scope,
uint64_t ctime )

Check if capability grants permission.

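Comprehensive check: verb, scope, and expiration. The listed checks do not include the KMAC tag and the function takes no issuer key, so authenticate the token with udif_capability_verify() before relying on this result.

Parameters
capability: [const] The capability
verb: The required verb
scope: The required scope
ctime: The current time (UTC seconds, the same unit as the expiration time)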
Returns
Returns true if permission granted

◆ udif_capability_is_expired()

UDIF_EXPORT_API bool udif_capability_is_expired ( const udif_capability * capability,
uint64_t ctime )

Check if capability is expired.

Tests if a capability has expired.

Parameters
capability: [const] The capability
ctime: The current time (UTC seconds)
Returns
Returns true if expired

◆ udif_capability_serialize()

UDIF_EXPORT_API udif_errors udif_capability_serialize ( uint8_t * output,
size_t outlen,
const udif_capability * capability )

Serialize a capability.

Encodes a capability to canonical TLV format.

Parameters
output: The output buffer
outlen: The output buffer length
capability: [const] The capability to serialize
Returns
Returns udif_error_none on success

◆ udif_capability_verify()

UDIF_EXPORT_API bool udif_capability_verify ( const udif_capability * capability,
const uint8_t * issuerkey )

Verify a capability token.

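Verifies the KMAC authentication tag on a capability. The function takes no time argument, so expiry is checked separately with udif_capability_is_expired() or udif_capability_grants_permission().

Parameters
capability: [const] The capability to verify
issuerkey: [const] The issuer's MAC key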
Returns
Returns true if valid