udif.h File Reference

UDIF Common Definitions and Protocol Configuration. More...

#include "udifcommon.h"
#include "sha3.h"
#include "socketbase.h"
#include "dilithium.h"
#include "kyber.h"
#include "rcs.h"

Go to the source code of this file.

Data Structures
struct	udif_capability_mask
	Fixed-size capability bitset (issuer-/role-scoped). Capability bits; bit positions map to udif_capability_id. More...
struct	udif_claim
	A typed claim with deterministic canonical encoding. More...
struct	udif_claim_anchor
	Anchor (e.g., Merkle root) binding a claim set to an identity. Anchor/merkle root over canonical claim set. More...
struct	udif_claim_set
	A collection of claims bound to an identity by an anchor. More...
struct	udif_encoded_blob
	Generic encoded object buffer (for decode/encode APIs). More...
struct	udif_identity_id
	Subject identity identifier (opaque, canonicalized). Subject identifier bytes. More...
struct	udif_issuer_domain_code
	Issuer domain/controller identifier. Issuer domain code (ASCII or compact code) More...
struct	udif_kem_keypair
	KEM key pair. More...
struct	udif_namespace_code
	Namespace partition identifier. Namespace code (ASCII or compact code) More...
struct	udif_permission_mask
	Fixed-size permission bitset (subject-/resource-scoped). Permission bits; bit positions map to udif_permission_class. More...
struct	udif_policy_hash
	Policy identifier (hash of canonical policy). SHA3/SHAKE hash of policy document. More...
struct	udif_signature_keypair
	The UDIF asymmetric signature scheme key container. More...
struct	udif_time_window
	A validity interval expressed in UTC seconds. More...
struct	udif_token_header
	Common header for UDIF tokens (capability/attestation/session). More...
struct	udif_token
	Serialized token container with optional envelope protection. More...
struct	udif_valid_time
	The certificate expiration time structure. More...
struct	udif_identity_record
	Core identity record bound to a namespace and issuer. More...

Macros
#define	UDIF_CONFIG_DILITHIUM_KYBER
#define	UDIF_USE_RCS_ENCRYPTION
	If the RCS encryption option is chosen SKDP uses the more modern RCS stream cipher with KMAC/QMAC authentication. The default symmetric cipher/authenticator is AES-256/GCM (GMAC Counter Mode) NIST standardized per SP800-38a.
#define	udif_cipher_state   qsc_rcs_state
#define	udif_cipher_dispose   qsc_rcs_dispose
#define	udif_cipher_initialize   qsc_rcs_initialize
#define	udif_cipher_keyparams   qsc_rcs_keyparams
#define	udif_cipher_set_associated   qsc_rcs_set_associated
#define	udif_cipher_transform   qsc_rcs_transform
#define	udif_cipher_generate_keypair   qsc_kyber_generate_keypair
	UDIF function mapping macros.
#define	udif_cipher_decapsulate   qsc_kyber_decapsulate
	Decapsulate a shared-secret with the asymmetric cipher.
#define	udif_cipher_encapsulate   qsc_kyber_encapsulate
	Encapsulate a shared-secret with the asymmetric cipher.
#define	udif_signature_generate_keypair   qsc_dilithium_generate_keypair
	Generate an asymmetric signature key-pair.
#define	udif_signature_sign   qsc_dilithium_sign
	Sign a message with the asymmetric signature scheme.
#define	udif_signature_verify   qsc_dilithium_verify
	Verify a message with the asymmetric signature scheme.
#define	UDIF_ASYMMETRIC_CIPHERTEXT_SIZE   (QSC_KYBER_CIPHERTEXT_SIZE)
	The byte size of the asymmetric cipher-text array.
#define	UDIF_ASYMMETRIC_PRIVATE_KEY_SIZE   (QSC_KYBER_PRIVATEKEY_SIZE)
	The byte size of the asymmetric cipher private-key array.
#define	UDIF_ASYMMETRIC_PUBLIC_KEY_SIZE   (QSC_KYBER_PUBLICKEY_SIZE)
	The byte size of the asymmetric cipher public-key array.
#define	UDIF_ASYMMETRIC_SIGNATURE_SIZE   (QSC_DILITHIUM_SIGNATURE_SIZE)
	The byte size of the asymmetric signature array.
#define	UDIF_ASYMMETRIC_SIGNING_KEY_SIZE   (QSC_DILITHIUM_PRIVATEKEY_SIZE)
	The byte size of the asymmetric signature signing-key array.
#define	UDIF_ASYMMETRIC_VERIFICATION_KEY_SIZE   (QSC_DILITHIUM_PUBLICKEY_SIZE)
	The byte size of the asymmetric signature verification-key array.
#define	UDIF_CAPABILITY_BITMAP_SIZE   8U
	Capability bitmap size in bytes (64-bit)
#define	UDIF_CAPABILITY_MASK_SIZE   8U
	The size of a capability mask in hex characters.
#define	UDIF_CAPABILITY_TOKEN_MAX_SIZE   2048U
	The maximum size of a serialized capability token.
#define	UDIF_CLAIM_ANCHOR_SIZE   32U
	The size of a claim anchor or merkle root in bytes.
#define	UDIF_CRYPTO_HASH_SIZE   32U
	The size of the certificate hash in bytes.
#define	UDIF_CRYPTO_KEY_SIZE   32U
	The byte length of the symmetric cipher key.
#define	UDIF_CRYPTO_MAC_SIZE   32U
	The MAC function output byte size.
#define	UDIF_CRYPTO_NONCE_SIZE   32U
	The byte length of the symmetric cipher nonce.
#define	UDIF_IDENTITY_ID_SIZE   32U
	The size of a subject identity identifier in bytes.
#define	UDIF_ISSUER_DOMAIN_CODE_SIZE   8U
	The size of an issuer domain code (unique identifier).
#define	UDIF_NAMESPACE_CODE_SIZE   8U
	The size of a namespace code (short string or numeric).
#define	UDIF_PERMISSION_MASK_SIZE   8U
	The size of a permission mask in bytes.
#define	UDIF_POLICY_HASH_SIZE   32U
	The size of a policy identifier hash in bytes.
#define	UDIF_POLICY_VERB_SIZE   4U
	The size of a policy verb in bytes.
#define	UDIF_PROTOCOL_SET_SIZE   41U
	The size of the protocol configuration string.
#define	UDIF_ROLE_SIZE   1U
	The UDIF role parameter size.
#define	UDIF_CERT_SERIAL_SIZE   16U
	The certificate serial number field length in bytes.
#define	UDIF_OBJECT_SERIAL_SIZE   32U
	The object serial number field length in bytes.
#define	UDIF_QUERY_ID_SIZE   16U
	The query identifier field length in bytes.
#define	UDIF_TX_ID_SIZE   UDIF_CRYPTO_HASH_SIZE
	The transaction identifier field length in bytes.
#define	UDIF_SERIAL_NUMBER_SIZE   UDIF_CERT_SERIAL_SIZE
	The certificate serial number field length.
#define	UDIF_REGISTRY_LEAF_FLAGS_SIZE   4U
	The registry leaf flags field length in bytes.
#define	UDIF_REGISTRY_LEAF_ENCODED_SIZE
	The canonical registry leaf encoding length in bytes.
#define	UDIF_SIGNED_HASH_SIZE   (UDIF_ASYMMETRIC_SIGNATURE_SIZE + UDIF_CRYPTO_HASH_SIZE)
	The combined size of a signature and hash.
#define	UDIF_SUITEID_SIZE   1U
	The UDIF suite id parameter size.
#define	UDIF_TIME_WINDOW_SECONDS   60U
	The query time window seconds.
#define	UDIF_VALID_TIME_SIZE   8U
#define	UDIF_VALID_TIME_STRUCTURE_SIZE   16U
	The certificate expiration date length.
#define	UDIF_POLICY_NONE   (UINT64_C(0))
	Empty UDIF policy mask.
#define	UDIF_POLICY_DEFAULT_DENY   (UINT64_C(1) << 0)
	Enforces default-deny authorization semantics.
#define	UDIF_POLICY_REQUIRE_SUITE_MATCH   (UINT64_C(1) << 1)
	Requires all communicating parties to use the same UDIF suite.
#define	UDIF_POLICY_REQUIRE_CANONICAL_ENCODING   (UINT64_C(1) << 2)
	Requires strict UDIF canonical binary encoding.
#define	UDIF_POLICY_REQUIRE_PARENT_SIGNATURE   (UINT64_C(1) << 3)
	Requires non-root certificates to verify against the issuer key.
#define	UDIF_POLICY_REQUIRE_REVOCATION_CHECK   (UINT64_C(1) << 4)
	Requires revocation and suspension state checking.
#define	UDIF_POLICY_REQUIRE_CAPABILITY_INTERSECT   (UINT64_C(1) << 5)
	Requires capability intersection before authorization.
#define	UDIF_POLICY_REQUIRE_POLICY_EPOCH_MATCH   (UINT64_C(1) << 6)
	Requires policy epoch consistency during validation.
#define	UDIF_POLICY_REQUIRE_MEMBERSHIP_LOG   (UINT64_C(1) << 7)
	Requires membership events to be logged.
#define	UDIF_POLICY_REQUIRE_TRANSACTION_LOG   (UINT64_C(1) << 8)
	Requires object and transfer events to be logged.
#define	UDIF_POLICY_REQUIRE_REGISTRY_COMMIT   (UINT64_C(1) << 9)
	Requires registry roots to be committed.
#define	UDIF_POLICY_REQUIRE_ANCHORING   (UINT64_C(1) << 10)
	Requires periodic upstream Anchor Records.
#define	UDIF_POLICY_REQUIRE_ANCHOR_SEQUENCE   (UINT64_C(1) << 11)
	Requires monotonic Anchor Record sequencing.
#define	UDIF_POLICY_REQUIRE_MINIMAL_DISCLOSURE   (UINT64_C(1) << 12)
	Requires minimal-disclosure query responses.
#define	UDIF_POLICY_REQUIRE_AUDIT_COUNTERS   (UINT64_C(1) << 13)
	Requires auditable operational counters where applicable.
#define	UDIF_POLICY_REQUIRE_TIME_WINDOW   (UINT64_C(1) << 14)
	Requires protocol timestamp acceptance windows.
#define	UDIF_POLICY_REQUIRE_SEQUENCE_CHECK   (UINT64_C(1) << 15)
	Requires strict transport sequence checking.
#define	UDIF_POLICY_REQUIRE_EPOCH_CHECK   (UINT64_C(1) << 16)
	Requires session and policy epoch validation.
#define	UDIF_POLICY_REQUIRE_AEAD_AAD_HEADER   (UINT64_C(1) << 17)
	Requires authenticated transport headers.
#define	UDIF_POLICY_REQUIRE_RATCHET_REKEY   (UINT64_C(1) << 18)
	Requires periodic ratchet rekeying where applicable.
#define	UDIF_POLICY_FORBID_RUNTIME_NEGOTIATION   (UINT64_C(1) << 19)
	Forbids runtime cryptographic suite negotiation.
#define	UDIF_POLICY_FORBID_ADMIN_OBJECT_OWNERSHIP   (UINT64_C(1) << 20)
	Forbids Roots, BCs, and GCs from owning objects.
#define	UDIF_POLICY_FORBID_CLIENT_ADMIN   (UINT64_C(1) << 21)
	Forbids User Agents from administrative authority.
#define	UDIF_POLICY_FORBID_CLIENT_LATERAL_QUERY   (UINT64_C(1) << 22)
	Forbids direct lateral User Agent interaction.
#define	UDIF_POLICY_FORBID_IMPLICIT_TREATY_RIGHTS   (UINT64_C(1) << 23)
	Forbids implicit cross-domain treaty authority.
#define	UDIF_POLICY_REQUIRE_TREATY_SCOPE_CHECK   (UINT64_C(1) << 24)
	Requires treaty-scope validation.
#define	UDIF_POLICY_ALLOW_TREATY_NEGOTIATION   (UINT64_C(1) << 25)
	Allows authorized treaty negotiation.
#define	UDIF_POLICY_ALLOW_TREATY_QUERY_ORIGIN   (UINT64_C(1) << 26)
	Allows treaty-scoped query origination.
#define	UDIF_POLICY_ALLOW_TREATY_QUERY_EXEC   (UINT64_C(1) << 27)
	Allows execution of incoming treaty-scoped queries.
#define	UDIF_POLICY_ALLOW_TELEMETRY_EXPORT   (UINT64_C(1) << 28)
	Allows export of bounded operational telemetry.
#define	UDIF_POLICY_ALLOW_ERROR_REPORTING   (UINT64_C(1) << 29)
	Allows signed operational error reporting.
#define	UDIF_POLICY_ALLOW_PROFILE_HOOKS   (UINT64_C(1) << 30)
	Allows non-canonical profile policy hooks.
#define	UDIF_POLICY_REQUIRE_PROFILE_HOOK_AUDIT   (UINT64_C(1) << 31)
	Requires audit records for profile hook decisions.
#define	UDIF_POLICY_RESERVED_CORE_MASK   (UINT64_C(0x0000FFFF00000000))
	Reserved policy bits for future UDIF core policy assignments.
#define	UDIF_POLICY_RESERVED_PROFILE_MASK   (UINT64_C(0xFFFF000000000000))
	Reserved policy bits for implementation or deployment profiles.
#define	UDIF_POLICY_BASELINE_SECURITY_MASK
	Mandatory baseline policy bits for all UDIF certificates.
#define	UDIF_POLICY_TRANSPORT_SECURITY_MASK
	Mandatory transport-session policy bits.
#define	UDIF_POLICY_LOGGING_MASK
	Mandatory logging and audit policy bits.
#define	UDIF_POLICY_ADMIN_SEPARATION_MASK
	Policy bits enforcing administrative role separation.
#define	UDIF_POLICY_TREATY_BASE_MASK
	Policy bits enforcing treaty containment.
#define	UDIF_POLICY_TREATY_ENABLE_MASK
	Optional treaty enablement policy bits.
#define	UDIF_POLICY_PROFILE_HOOK_MASK
	Optional profile hook policy bits.
#define	UDIF_POLICY_DEFINED_CORE_MASK
	Mask of all UDIF implementation-defined core policy bits.
#define	UDIF_ROOT_POLICY_DEFAULT
	Default policy mask for a UDIF Root certificate.
#define	UDIF_BC_POLICY_DEFAULT
	Default policy mask for a UDIF Branch Controller certificate.
#define	UDIF_GC_POLICY_DEFAULT
	Default policy mask for a UDIF Group Controller certificate.
#define	UDIF_CLIENT_POLICY_DEFAULT
	Default policy mask for a UDIF client or User Agent certificate.

Typedefs
typedef enum udif_claim_type	udif_claim_type
typedef enum udif_configuration_sets	udif_configuration_sets
typedef enum udif_errors	udif_errors
typedef enum udif_error_capability	udif_error_capability
typedef enum udif_error_claims	udif_error_claims
typedef enum udif_error_encoding	udif_error_encoding
typedef enum udif_error_identity	udif_error_identity
typedef enum udif_error_policy	udif_error_policy
typedef enum udif_logging_event_codes	udif_logging_event_codes
typedef enum udif_permission_class	udif_permission_class
typedef enum udif_policy_decision	udif_policy_decision
typedef enum udif_roles	udif_roles
typedef enum udif_time_validation	udif_time_validation
typedef enum udif_token_type	udif_token_type
typedef enum udif_status	udif_status
typedef enum udif_verify_policy	udif_verify_policy
typedef enum udif_version_sets	udif_version_sets
typedef UDIF_EXPORT_API struct udif_capability_mask	udif_capability_mask
typedef UDIF_EXPORT_API struct udif_claim	udif_claim
typedef UDIF_EXPORT_API struct udif_claim_anchor	udif_claim_anchor
typedef UDIF_EXPORT_API struct udif_claim_set	udif_claim_set
typedef UDIF_EXPORT_API struct udif_encoded_blob	udif_encoded_blob
typedef UDIF_EXPORT_API struct udif_identity_id	udif_identity_id
typedef UDIF_EXPORT_API struct udif_issuer_domain_code	udif_issuer_domain_code
typedef UDIF_EXPORT_API struct udif_kem_keypair	udif_kem_keypair
typedef UDIF_EXPORT_API struct udif_namespace_code	udif_namespace_code
typedef UDIF_EXPORT_API struct udif_permission_mask	udif_permission_mask
typedef UDIF_EXPORT_API struct udif_policy_hash	udif_policy_hash
typedef UDIF_EXPORT_API struct udif_signature_keypair	udif_signature_keypair
typedef UDIF_EXPORT_API struct udif_time_window	udif_time_window
typedef UDIF_EXPORT_API struct udif_token_header	udif_token_header
typedef UDIF_EXPORT_API struct udif_token	udif_token
typedef UDIF_EXPORT_API struct udif_valid_time	udif_valid_time
typedef UDIF_EXPORT_API struct udif_identity_record	udif_identity_record

Enumerations
enum	udif_claim_type {   udif_claim_unknown = 0U , udif_claim_commodity_id = 1U , udif_claim_biometric_hash = 2U , udif_claim_institution_id = 3U ,   udif_claim_public_key = 4U , udif_claim_age_over = 5U , udif_claim_citizenship = 6U , udif_claim_residency = 7U ,   udif_claim_membership_id = 8U , udif_claim_contact_email = 9U , udif_claim_contact_phone = 10U , udif_claim_address = 11U ,   udif_claim_custom = 12U }
	Claim type identifiers (deterministic canonicalization required). More...
enum	udif_configuration_sets {   udif_configuration_set_none = 0x00U , udif_configuration_set_dilithium1_kyber1_rcs256_shake256 = 0x01U , udif_configuration_set_dilithium3_kyber3_rcs256_shake256 = 0x02U , udif_configuration_set_dilithium5_kyber5_rcs256_shake256 = 0x03U ,   udif_configuration_set_dilithium5_kyber6_rcs512_shake256 = 0x04U , udif_configuration_set_sphincsplus1_mceliece1_rcs256_shake256 = 0x05U , udif_configuration_set_sphincsplus3_mceliece3_rcs256_shake256 = 0x06U , udif_configuration_set_sphincsplus5_mceliece5_rcs256_shake256 = 0x07U ,   udif_configuration_set_sphincsplus5_mceliece6_rcs256_shake256 = 0x08U , udif_configuration_set_sphincsplus5_mceliece7_rcs256_shake256 = 0x09U }
	The UDIF algorithm configuration sets. More...
enum	udif_errors {   udif_error_none = 0U , udif_error_invalid_input = 1U , udif_error_invalid_state = 2U , udif_error_auth_failure = 3U ,   udif_error_certificate_expired = 4U , udif_error_certificate_revoked = 5U , udif_error_capability_revoked = 6U , udif_error_invalid_sequence = 7U ,   udif_error_time_window = 8U , udif_error_epoch_mismatch = 9U , udif_error_suite_mismatch = 10U , udif_error_decode_failure = 11U ,   udif_error_encode_failure = 12U , udif_error_signature_invalid = 13U , udif_error_mac_invalid = 14U , udif_error_not_authorized = 15U ,   udif_error_object_not_found = 16U , udif_error_registry_full = 17U , udif_error_logging_failure = 18U , udif_error_anchor_invalid = 19U ,   udif_error_treaty_invalid = 20U , udif_error_invalid_request = 21U , udif_error_internal = 22U , udif_error_file_create_failed = 23U ,   udif_error_file_not_found = 24U , udif_error_invalid_parameter = 25U }
	UDIF error codes. More...
enum	udif_error_capability { udif_ecap_none = 0U , udif_ecap_denied = 1U , udif_ecap_mask_empty = 2U , udif_ecap_mask_conflict = 3U }
	Capability/permission evaluation errors. More...
enum	udif_error_claims {   udif_ecl_none = 0U , udif_ecl_type_unknown = 1U , udif_ecl_encoding_bad = 2U , udif_ecl_canonical_fail = 3U ,   udif_ecl_anchor_bad = 4U , udif_ecl_value_invalid = 5U }
	Claim/claim-set error codes. More...
enum	udif_error_encoding {   udif_eenc_none = 0U , udif_eenc_overflow = 1U , udif_eenc_underflow = 2U , udif_eenc_format = 3U ,   udif_eenc_unsupported = 4U }
	Encoding/decoding errors for UDIF objects. More...
enum	udif_error_identity {   udif_eid_none = 0U , udif_eid_namespace_bad = 1U , udif_eid_issuer_bad = 2U , udif_eid_subject_bad = 3U ,   udif_eid_mask_invalid = 4U , udif_eid_anchor_mismatch = 5U , udif_eid_sig_invalid = 6U , udif_eid_expired = 7U ,   udif_eid_future = 8U }
	Identity-specific error codes. More...
enum	udif_error_policy { udif_epol_none = 0U , udif_epol_not_found = 1U , udif_epol_hash_mismatch = 2U , udif_epol_indeterminate = 3U }
	Policy evaluation/lookup errors. More...
enum	udif_logging_event_codes {   udif_event_enroll = 1U , udif_event_suspend = 2U , udif_event_resume = 3U , udif_event_revoke = 4U ,   udif_event_capability_grant = 5U , udif_event_capability_revoke = 6U , udif_event_registry_commit = 7U , udif_event_branch_create = 8U ,   udif_event_branch_suspend = 9U , udif_event_branch_revoke = 10U , udif_event_object_create = 11U , udif_event_object_transfer = 12U ,   udif_event_object_update = 13U , udif_event_object_destroy = 14U }
	Membership and transaction log event codes. More...
enum	udif_permission_class {   udif_perm_read_claims = 0U , udif_perm_write_claims = 1U , udif_perm_read_certs = 2U , udif_perm_write_certs = 3U ,   udif_perm_manage_policy = 4U , udif_perm_manage_caps = 5U , udif_perm_delegate = 6U , udif_perm_export_identity = 7U ,   udif_perm_import_identity = 8U }
	Permission classes whose bits populate the permission mask. More...
enum	udif_policy_decision { udif_policy_permit = 0U , udif_policy_deny = 1U , udif_policy_indeterminate = 2U , udif_policy_not_applicable = 3U }
	Policy evaluation outcome. More...
enum	udif_roles {   udif_role_none = 0U , udif_role_root = 1U , udif_role_ugc = 2U , udif_role_ubc = 3U ,   udif_role_uor = 4U , udif_role_client = 5U , udif_role_audit = 6U , udif_role_revoked = 7U ,   udif_role_any = 8U }
	UDIF entity roles. More...
enum	udif_time_validation { udif_time_valid = 0U , udif_time_future = 1U , udif_time_expired = 2U , udif_time_skew_exceeds = 3U }
	Results of time/validity-window checks. More...
enum	udif_token_type { udif_token_none = 0U , udif_token_capability = 1U , udif_token_attestation = 2U , udif_token_session = 3U }
	Token families issued/validated within UDIF. More...
enum	udif_status {   udif_status_success = 0U , udif_status_invalid_argument = 1U , udif_status_not_found = 2U , udif_status_already_exists = 3U ,   udif_status_out_of_memory = 4U , udif_status_buffer_too_small = 5U , udif_status_not_supported = 6U , udif_status_internal_error = 7U }
	Generic status codes for UDIF operations. More...
enum	udif_verify_policy { udif_verify_strict = 0U , udif_verify_lenient = 1U }
	Verification strictness for identity/cert/claim checks. More...
enum	udif_version_sets { udif_version_set_none = 0x00U , udif_version_set_one_zero = 0x01U }
	The UDIF version sets. More...

Functions
UDIF_EXPORT_API bool	udif_suite_is_valid (uint8_t suiteid)
	Check if the suite id valid.
UDIF_EXPORT_API const char *	udif_error_to_string (udif_errors error)
	Convert an error to a string.
UDIF_EXPORT_API const char *	udif_role_to_string (udif_roles role)
	Convert a role to its string name.

Detailed Description

UDIF Common Definitions and Protocol Configuration.

This header defines the common constants, macros, enumerations, structures, and function prototypes for the Anonymous Encrypted Relay Network (UDIF). It provides configuration for the cryptographic parameter sets, certificate handling, network protocol operations, and socket communication required to implement the UDIF protocol.

The UDIF protocol leverages a combination of asymmetric cipher and signature schemes from the QSC library. The parameter sets can be configured in the QSC library's common.h file. For maximum security, the McEliece/SPHINCS+ parameter set is recommended; for a balance of performance and security, the Dilithium/Kyber parameter set is advised.

Key components defined in this header include:

• Function Mapping Macros: Aliases that map UDIF high-level cryptographic operations (key generation, encapsulation/decapsulation, signing, and verification) to the corresponding functions in the QSC library, based on the selected configuration.
• Modifiable Constants: Preprocessor definitions that enable or disable protocol features (e.g., client-to-client encrypted tunneling, master fragment key cycling, IPv6 networking, and extended session security).
• Parameter Macros: Definitions for key sizes, certificate field sizes, network settings, and timing values that ensure consistency across the UDIF protocol implementation.
• Enumerations: Enumerated types for UDIF configuration sets, network designations, network and protocol error codes, and version sets.
• Structures: Data structures representing various certificates (ADC, APS, ROOT), connection and keep alive states, network packets, and cryptographic key pairs. These structures are central to protocol operations such as certificate management and secure message exchange.
• Static Constants: Predefined strings for certificate header/footer information and network designation labels.
• Public API Functions: Prototypes for functions handling connection management, packet encryption/decryption, packet serialization/deserialization, and error string conversion.

Note

When using the McEliece/SPHINCS+ configuration in Visual Studio, it is recommended to increase the maximum stack size (for example, to 200KB) to accommodate the larger key sizes.

Test

Although this header does not directly implement test routines, it underpins multiple test modules that validate:

• The correct mapping of UDIF high-level function calls to the underlying QSC library routines.
• The consistency and accuracy of defined constants (e.g., key sizes, certificate sizes, network parameters).
• The proper serialization/deserialization of packet headers and full packets (via udif_packet_header_serialize and udif_stream_to_packet).
• The correct conversion of error codes to descriptive strings (using udif_network_error_to_string and udif_protocol_error_to_string).

These tests collectively ensure the robustness, consistency, and security of the UDIF protocol configuration.

Macro Definition Documentation

UDIF_BC_POLICY_DEFAULT

#define UDIF_BC_POLICY_DEFAULT

Value:

    (UDIF_POLICY_BASELINE_SECURITY_MASK | \
     UDIF_POLICY_TRANSPORT_SECURITY_MASK | \
     UDIF_POLICY_REQUIRE_RATCHET_REKEY | \
     UDIF_POLICY_REQUIRE_MEMBERSHIP_LOG | \
     UDIF_POLICY_REQUIRE_ANCHORING | \
     UDIF_POLICY_REQUIRE_ANCHOR_SEQUENCE | \
     UDIF_POLICY_REQUIRE_AUDIT_COUNTERS | \
     UDIF_POLICY_ADMIN_SEPARATION_MASK | \
     UDIF_POLICY_TREATY_BASE_MASK | \
     UDIF_POLICY_ALLOW_TELEMETRY_EXPORT | \
     UDIF_POLICY_ALLOW_ERROR_REPORTING)

Default policy mask for a UDIF Branch Controller certificate.

The Branch Controller policy enforces default-deny authorization, parent signature validation, revocation checking, canonical encoding, capability intersection, membership logging, anchoring, anchor sequence validation, transport security, administrative separation, and treaty containment.

This default is suitable for a Branch Controller operating in branch-admin mode. Treaty enablement remains excluded unless explicitly granted.

udif_cipher_generate_keypair

#define udif_cipher_generate_keypair   qsc_kyber_generate_keypair

UDIF function mapping macros.

These macros alias the high-level UDIF cryptographic operations to the corresponding QSC library functions. The mapping depends on the selected parameter set. For instance, if UDIF_CONFIG_SPHINCS_MCELIECE is defined, then the UDIF cipher and signature functions map to the McEliece/SPHINCS+ routines. Alternatively, if UDIF_CONFIG_DILITHIUM_KYBER is defined, the corresponding Dilithium/Kyber routines are used.

Generate an asymmetric cipher key-pair

UDIF_CLIENT_POLICY_DEFAULT

#define UDIF_CLIENT_POLICY_DEFAULT

Value:

    (UDIF_POLICY_BASELINE_SECURITY_MASK | \
     UDIF_POLICY_TRANSPORT_SECURITY_MASK | \
     UDIF_POLICY_REQUIRE_TRANSACTION_LOG | \
     UDIF_POLICY_REQUIRE_REGISTRY_COMMIT | \
     UDIF_POLICY_FORBID_CLIENT_ADMIN | \
     UDIF_POLICY_FORBID_CLIENT_LATERAL_QUERY | \
     UDIF_POLICY_ALLOW_ERROR_REPORTING)

Default policy mask for a UDIF client or User Agent certificate.

The client policy enforces end-entity constraints. It requires default-deny authorization, canonical encoding, revocation checking, capability intersection, minimal disclosure, registry commitment, transaction logging, transport validation, and prohibition of administrative and lateral interaction.

A client may own objects and initiate or accept transactions subject to capability and registry checks, but it must not enroll, suspend, revoke, forward, or administer other entities.

UDIF_GC_POLICY_DEFAULT

#define UDIF_GC_POLICY_DEFAULT

Value:

    (UDIF_POLICY_BASELINE_SECURITY_MASK | \
     UDIF_POLICY_TRANSPORT_SECURITY_MASK | \
     UDIF_POLICY_REQUIRE_MEMBERSHIP_LOG | \
     UDIF_POLICY_REQUIRE_TRANSACTION_LOG | \
     UDIF_POLICY_REQUIRE_REGISTRY_COMMIT | \
     UDIF_POLICY_REQUIRE_ANCHORING | \
     UDIF_POLICY_REQUIRE_ANCHOR_SEQUENCE | \
     UDIF_POLICY_REQUIRE_AUDIT_COUNTERS | \
     UDIF_POLICY_FORBID_ADMIN_OBJECT_OWNERSHIP | \
     UDIF_POLICY_FORBID_IMPLICIT_TREATY_RIGHTS | \
     UDIF_POLICY_REQUIRE_TREATY_SCOPE_CHECK | \
     UDIF_POLICY_ALLOW_TELEMETRY_EXPORT | \
     UDIF_POLICY_ALLOW_ERROR_REPORTING)

Default policy mask for a UDIF Group Controller certificate.

The Group Controller policy enforces user lifecycle logging, registry commitment, transaction logging, upstream anchoring, capability intersection, minimal disclosure, transport validation, treaty containment, and the rule that administrative controllers do not own objects.

The Group Controller is the primary enforcement point for User Agent operations, but it must not receive branch-creation policy unless acting under a separate branch-admin certificate.

UDIF_POLICY_ADMIN_SEPARATION_MASK

#define UDIF_POLICY_ADMIN_SEPARATION_MASK

Value:

    (UDIF_POLICY_FORBID_ADMIN_OBJECT_OWNERSHIP | \
     UDIF_POLICY_FORBID_CLIENT_ADMIN | \
     UDIF_POLICY_FORBID_CLIENT_LATERAL_QUERY)

Policy bits enforcing administrative role separation.

This mask prevents administrative controllers from owning objects and prevents clients from acting as administrative authorities.

UDIF_POLICY_ALLOW_ERROR_REPORTING

#define UDIF_POLICY_ALLOW_ERROR_REPORTING   (UINT64_C(1) << 29)

Allows signed operational error reporting.

Permits nodes to create signed error reports and append them to the relevant operational, membership, or audit log.

UDIF_POLICY_ALLOW_PROFILE_HOOKS

#define UDIF_POLICY_ALLOW_PROFILE_HOOKS   (UINT64_C(1) << 30)

Allows non-canonical profile policy hooks.

Permits deployment-specific policy hooks for predicates, retention, jurisdictional restrictions, consent, delegation, or profile-defined checks. Hooks must not change canonical encodings or weaken default-deny behavior.

UDIF_POLICY_ALLOW_TELEMETRY_EXPORT

#define UDIF_POLICY_ALLOW_TELEMETRY_EXPORT   (UINT64_C(1) << 28)

Allows export of bounded operational telemetry.

Permits export of non-identifying counters and operational status values. This policy must not permit raw identifiers, attributes, registry entries, or transaction contents to be exported.

UDIF_POLICY_ALLOW_TREATY_NEGOTIATION

#define UDIF_POLICY_ALLOW_TREATY_NEGOTIATION   (UINT64_C(1) << 25)

Allows authorized treaty negotiation.

Permits a suitably authorized Branch Controller or designated controller to negotiate and sign treaty records. This policy bit does not by itself grant treaty capability bits.

UDIF_POLICY_ALLOW_TREATY_QUERY_EXEC

#define UDIF_POLICY_ALLOW_TREATY_QUERY_EXEC   (UINT64_C(1) << 27)

Allows execution of incoming treaty-scoped queries.

Permits processing of treaty queries received from a peer domain when the holder also has the required treaty capability and the treaty permits the predicate.

UDIF_POLICY_ALLOW_TREATY_QUERY_ORIGIN

#define UDIF_POLICY_ALLOW_TREATY_QUERY_ORIGIN   (UINT64_C(1) << 26)

Allows treaty-scoped query origination.

Permits treaty query origination when the holder also has the required treaty capability and a valid treaty permits the requested predicate.

UDIF_POLICY_BASELINE_SECURITY_MASK

#define UDIF_POLICY_BASELINE_SECURITY_MASK

Value:

    (UDIF_POLICY_DEFAULT_DENY | \
     UDIF_POLICY_REQUIRE_SUITE_MATCH | \
     UDIF_POLICY_REQUIRE_CANONICAL_ENCODING | \
     UDIF_POLICY_REQUIRE_PARENT_SIGNATURE | \
     UDIF_POLICY_REQUIRE_REVOCATION_CHECK | \
     UDIF_POLICY_REQUIRE_CAPABILITY_INTERSECT | \
     UDIF_POLICY_REQUIRE_POLICY_EPOCH_MATCH | \
     UDIF_POLICY_REQUIRE_MINIMAL_DISCLOSURE | \
     UDIF_POLICY_FORBID_RUNTIME_NEGOTIATION)

Mandatory baseline policy bits for all UDIF certificates.

This mask covers default denial, suite matching, canonical encoding, signature verification, revocation checking, capability intersection, policy epoch validation, minimal disclosure, and runtime negotiation prohibition.

UDIF_POLICY_DEFAULT_DENY

#define UDIF_POLICY_DEFAULT_DENY   (UINT64_C(1) << 0)

Enforces default-deny authorization semantics.

Requires all operations to be denied unless explicitly permitted by the intersection of the caller certificate, capability bitmap, local policy, and any applicable treaty or profile rule.

UDIF_POLICY_DEFINED_CORE_MASK

#define UDIF_POLICY_DEFINED_CORE_MASK

Value:

    (UDIF_POLICY_BASELINE_SECURITY_MASK | \
     UDIF_POLICY_TRANSPORT_SECURITY_MASK | \
     UDIF_POLICY_LOGGING_MASK | \
     UDIF_POLICY_ADMIN_SEPARATION_MASK | \
     UDIF_POLICY_TREATY_BASE_MASK | \
     UDIF_POLICY_TREATY_ENABLE_MASK | \
     UDIF_POLICY_ALLOW_TELEMETRY_EXPORT | \
     UDIF_POLICY_ALLOW_ERROR_REPORTING | \
     UDIF_POLICY_PROFILE_HOOK_MASK | \
     UDIF_POLICY_REQUIRE_RATCHET_REKEY)

Mask of all UDIF implementation-defined core policy bits.

UDIF_POLICY_FORBID_ADMIN_OBJECT_OWNERSHIP

#define UDIF_POLICY_FORBID_ADMIN_OBJECT_OWNERSHIP   (UINT64_C(1) << 20)

Forbids Roots, BCs, and GCs from owning objects.

Enforces the UDIF separation between administration and ownership. Objects must be owned by User Agents, not by administrative controllers.

UDIF_POLICY_FORBID_CLIENT_ADMIN

#define UDIF_POLICY_FORBID_CLIENT_ADMIN   (UINT64_C(1) << 21)

Forbids User Agents from administrative authority.

Prevents clients and User Agents from enrolling, suspending, resuming, revoking, or creating subordinate certificates or branches.

UDIF_POLICY_FORBID_CLIENT_LATERAL_QUERY

#define UDIF_POLICY_FORBID_CLIENT_LATERAL_QUERY   (UINT64_C(1) << 22)

Forbids direct lateral User Agent interaction.

Requires User Agent interaction with other users, registries, or domains to be mediated by the assigned Group Controller.

UDIF_POLICY_FORBID_IMPLICIT_TREATY_RIGHTS

#define UDIF_POLICY_FORBID_IMPLICIT_TREATY_RIGHTS   (UINT64_C(1) << 23)

Forbids implicit cross-domain treaty authority.

Requires treaty rights to be explicitly granted by certificate capability, local policy, and a valid treaty record. No domain may infer treaty rights from ordinary branch or group status.

UDIF_POLICY_FORBID_RUNTIME_NEGOTIATION

#define UDIF_POLICY_FORBID_RUNTIME_NEGOTIATION   (UINT64_C(1) << 19)

Forbids runtime cryptographic suite negotiation.

Requires all cryptographic algorithms and suite identifiers to be fixed by the compiled UDIF domain profile.

UDIF_POLICY_LOGGING_MASK

#define UDIF_POLICY_LOGGING_MASK

Value:

    (UDIF_POLICY_REQUIRE_MEMBERSHIP_LOG | \
     UDIF_POLICY_REQUIRE_TRANSACTION_LOG | \
     UDIF_POLICY_REQUIRE_REGISTRY_COMMIT | \
     UDIF_POLICY_REQUIRE_ANCHORING | \
     UDIF_POLICY_REQUIRE_ANCHOR_SEQUENCE | \
     UDIF_POLICY_REQUIRE_AUDIT_COUNTERS)

Mandatory logging and audit policy bits.

This mask covers membership logs, transaction logs, registry commits, anchoring, anchor sequencing, and audit counters.

UDIF_POLICY_NONE

#define UDIF_POLICY_NONE   (UINT64_C(0))

Empty UDIF policy mask.

Represents the absence of policy permissions or constraints. In UDIF this value is not permissive; it is interpreted together with default-deny semantics and therefore grants no policy relaxation.

UDIF_POLICY_PROFILE_HOOK_MASK

#define UDIF_POLICY_PROFILE_HOOK_MASK

Value:

    (UDIF_POLICY_ALLOW_PROFILE_HOOKS | \
     UDIF_POLICY_REQUIRE_PROFILE_HOOK_AUDIT)

Optional profile hook policy bits.

This mask enables non-canonical policy hooks and requires their decisions to be auditable under the active policy epoch.

UDIF_POLICY_REQUIRE_AEAD_AAD_HEADER

#define UDIF_POLICY_REQUIRE_AEAD_AAD_HEADER   (UINT64_C(1) << 17)

Requires authenticated transport headers.

Requires UDIF transport headers to be authenticated as AEAD associated data, including flags, sequence, timestamp, epoch, and suite identifier.

UDIF_POLICY_REQUIRE_ANCHOR_SEQUENCE

#define UDIF_POLICY_REQUIRE_ANCHOR_SEQUENCE   (UINT64_C(1) << 11)

Requires monotonic Anchor Record sequencing.

Requires each child Anchor Record sequence to start at zero and increment monotonically by one, rejecting rollback, replay, or skipped anchor states.

UDIF_POLICY_REQUIRE_ANCHORING

#define UDIF_POLICY_REQUIRE_ANCHORING   (UINT64_C(1) << 10)

Requires periodic upstream Anchor Records.

Requires Branch Controllers and Group Controllers to periodically submit signed Anchor Records to their parent authority.

UDIF_POLICY_REQUIRE_AUDIT_COUNTERS

#define UDIF_POLICY_REQUIRE_AUDIT_COUNTERS   (UINT64_C(1) << 13)

Requires auditable operational counters where applicable.

Requires anchor, membership, transaction, registry, and treaty operations to maintain counters sufficient for audit and rollback detection.

UDIF_POLICY_REQUIRE_CANONICAL_ENCODING

#define UDIF_POLICY_REQUIRE_CANONICAL_ENCODING   (UINT64_C(1) << 2)

Requires strict UDIF canonical binary encoding.

Requires fixed field order, little-endian integer encoding, exact structure sizes, and rejection of malformed, truncated, overlong, or ambiguously encoded records.

UDIF_POLICY_REQUIRE_CAPABILITY_INTERSECT

#define UDIF_POLICY_REQUIRE_CAPABILITY_INTERSECT   (UINT64_C(1) << 5)

Requires capability intersection before authorization.

Requires authorization to be computed by intersecting requested operation rights with the holder certificate bitmap, issued capability tokens, parent constraints, local policy, and treaty scope where applicable.

UDIF_POLICY_REQUIRE_EPOCH_CHECK

#define UDIF_POLICY_REQUIRE_EPOCH_CHECK   (UINT64_C(1) << 16)

Requires session and policy epoch validation.

Requires protocol messages, ratchet states, and policy-governed records to be evaluated under the expected epoch value.

UDIF_POLICY_REQUIRE_MEMBERSHIP_LOG

#define UDIF_POLICY_REQUIRE_MEMBERSHIP_LOG   (UINT64_C(1) << 7)

Requires membership events to be logged.

Requires enrollment, suspension, resumption, revocation, capability grants, capability revocations, registry commits, and branch lifecycle events to be written to the membership log.

UDIF_POLICY_REQUIRE_MINIMAL_DISCLOSURE

#define UDIF_POLICY_REQUIRE_MINIMAL_DISCLOSURE   (UINT64_C(1) << 12)

Requires minimal-disclosure query responses.

Requires query processing to return only authorized predicate results, digest proofs, or Boolean responses, and forbids disclosure of unrelated raw identifiers, attributes, registry contents, or object data.

UDIF_POLICY_REQUIRE_PARENT_SIGNATURE

#define UDIF_POLICY_REQUIRE_PARENT_SIGNATURE   (UINT64_C(1) << 3)

Requires non-root certificates to verify against the issuer key.

Enforces parent-signed certificate issuance. The only exception is the Root trust anchor, where issuer_serial equals serial and trust is established out of band.

UDIF_POLICY_REQUIRE_POLICY_EPOCH_MATCH

#define UDIF_POLICY_REQUIRE_POLICY_EPOCH_MATCH   (UINT64_C(1) << 6)

Requires policy epoch consistency during validation.

Requires certificate, capability, anchor, and profile decisions to be evaluated under the active policy_epoch. Epoch changes must be explicit and auditable.

UDIF_POLICY_REQUIRE_PROFILE_HOOK_AUDIT

#define UDIF_POLICY_REQUIRE_PROFILE_HOOK_AUDIT   (UINT64_C(1) << 31)

Requires audit records for profile hook decisions.

Requires profile hook decisions affecting authorization, query execution, treaty forwarding, or disclosure to be logged or accounted for under the active policy_epoch.

UDIF_POLICY_REQUIRE_RATCHET_REKEY

#define UDIF_POLICY_REQUIRE_RATCHET_REKEY   (UINT64_C(1) << 18)

Requires periodic ratchet rekeying where applicable.

Requires long-lived controller-to-controller tunnels to perform configured asymmetric rekeying and epoch transition.

UDIF_POLICY_REQUIRE_REGISTRY_COMMIT

#define UDIF_POLICY_REQUIRE_REGISTRY_COMMIT   (UINT64_C(1) << 9)

Requires registry roots to be committed.

Requires User Agent registry roots, or group-level aggregates of registry roots, to be committed through the applicable membership or registry ledger.

UDIF_POLICY_REQUIRE_REVOCATION_CHECK

#define UDIF_POLICY_REQUIRE_REVOCATION_CHECK   (UINT64_C(1) << 4)

Requires revocation and suspension state checking.

Requires certificates and capabilities to be checked against local and upstream revocation or suspension state before use.

UDIF_POLICY_REQUIRE_SEQUENCE_CHECK

#define UDIF_POLICY_REQUIRE_SEQUENCE_CHECK   (UINT64_C(1) << 15)

Requires strict transport sequence checking.

Requires message sequence numbers to be strictly monotonic within each session epoch. Missing, repeated, or reordered records must fail validation.

UDIF_POLICY_REQUIRE_SUITE_MATCH

#define UDIF_POLICY_REQUIRE_SUITE_MATCH   (UINT64_C(1) << 1)

Requires all communicating parties to use the same UDIF suite.

Enforces the compile-time suite model. Certificates, sessions, anchors, and protocol messages using a mismatched suite identifier must be rejected.

UDIF_POLICY_REQUIRE_TIME_WINDOW

#define UDIF_POLICY_REQUIRE_TIME_WINDOW   (UINT64_C(1) << 14)

Requires protocol timestamp acceptance windows.

Requires transport and control messages to be rejected when their timestamp falls outside the configured acceptance window.

UDIF_POLICY_REQUIRE_TRANSACTION_LOG

#define UDIF_POLICY_REQUIRE_TRANSACTION_LOG   (UINT64_C(1) << 8)

Requires object and transfer events to be logged.

Requires object creation, update, transfer, suspension, destruction, and treaty-scoped transaction evidence to be written to the transaction log.

UDIF_POLICY_REQUIRE_TREATY_SCOPE_CHECK

#define UDIF_POLICY_REQUIRE_TREATY_SCOPE_CHECK   (UINT64_C(1) << 24)

Requires treaty-scope validation.

Requires treaty queries and proofs to be constrained by peer identity, predicate family, allowed scope, policy epoch, and capability intersection.

UDIF_POLICY_RESERVED_CORE_MASK

#define UDIF_POLICY_RESERVED_CORE_MASK   (UINT64_C(0x0000FFFF00000000))

Reserved policy bits for future UDIF core policy assignments.

Bits 32 through 47 are reserved for future core policy definitions. They must be zero unless assigned by a later UDIF core revision.

UDIF_POLICY_RESERVED_PROFILE_MASK

#define UDIF_POLICY_RESERVED_PROFILE_MASK   (UINT64_C(0xFFFF000000000000))

Reserved policy bits for implementation or deployment profiles.

Bits 48 through 63 are reserved for jurisdictional, institutional, regulatory, or application-specific policy profiles.

UDIF_POLICY_TRANSPORT_SECURITY_MASK

#define UDIF_POLICY_TRANSPORT_SECURITY_MASK

Value:

    (UDIF_POLICY_REQUIRE_TIME_WINDOW | \
     UDIF_POLICY_REQUIRE_SEQUENCE_CHECK | \
     UDIF_POLICY_REQUIRE_EPOCH_CHECK | \
     UDIF_POLICY_REQUIRE_AEAD_AAD_HEADER)

Mandatory transport-session policy bits.

This mask covers timestamp windows, sequence validation, epoch validation, authenticated headers, and ratchet rekeying where applicable.

UDIF_POLICY_TREATY_BASE_MASK

#define UDIF_POLICY_TREATY_BASE_MASK

Value:

    (UDIF_POLICY_FORBID_IMPLICIT_TREATY_RIGHTS | \
     UDIF_POLICY_REQUIRE_TREATY_SCOPE_CHECK)

Policy bits enforcing treaty containment.

This mask forbids implicit treaty authority and requires explicit treaty scope checks before cross-domain operation.

UDIF_POLICY_TREATY_ENABLE_MASK

#define UDIF_POLICY_TREATY_ENABLE_MASK

Value:

    (UDIF_POLICY_ALLOW_TREATY_NEGOTIATION | \
     UDIF_POLICY_ALLOW_TREATY_QUERY_ORIGIN | \
     UDIF_POLICY_ALLOW_TREATY_QUERY_EXEC)

Optional treaty enablement policy bits.

This mask enables treaty negotiation, treaty query origination, and treaty query execution. It must be applied only where parent policy and certificate capabilities explicitly allow cross-domain operation.

UDIF_REGISTRY_LEAF_ENCODED_SIZE

#define UDIF_REGISTRY_LEAF_ENCODED_SIZE

Value:

    (UDIF_CRYPTO_HASH_SIZE + \
    UDIF_CRYPTO_HASH_SIZE + \
    UDIF_OBJECT_SERIAL_SIZE + \
    UDIF_REGISTRY_LEAF_FLAGS_SIZE + \
    UDIF_VALID_TIME_SIZE)

The canonical registry leaf encoding length in bytes.

UDIF_ROOT_POLICY_DEFAULT

#define UDIF_ROOT_POLICY_DEFAULT

Value:

    (UDIF_POLICY_BASELINE_SECURITY_MASK | \
     UDIF_POLICY_LOGGING_MASK | \
     UDIF_POLICY_ADMIN_SEPARATION_MASK | \
     UDIF_POLICY_TREATY_BASE_MASK | \
     UDIF_POLICY_ALLOW_TELEMETRY_EXPORT | \
     UDIF_POLICY_ALLOW_ERROR_REPORTING)

Default policy mask for a UDIF Root certificate.

The Root policy defines the baseline rules for the domain. It enforces the canonical suite, canonical encoding, revocation model, policy epoch model, default-deny authorization, strict administrative separation, and anchoring requirements for subordinate controllers.

The Root default excludes ordinary treaty execution by default. Treaty enablement should be added explicitly through deployment policy if the Root is intended to authorize treaty-capable controllers.

UDIF_SERIAL_NUMBER_SIZE

#define UDIF_SERIAL_NUMBER_SIZE   UDIF_CERT_SERIAL_SIZE

The certificate serial number field length.

This compatibility alias is retained for certificate and entity serials. Object serials MUST use UDIF_OBJECT_SERIAL_SIZE.

Enumeration Type Documentation

udif_claim_type

enum udif_claim_type

Claim type identifiers (deterministic canonicalization required).

Enumerator
udif_claim_unknown	Unspecified claim type
udif_claim_commodity_id	Commodity/asset identifier
udif_claim_biometric_hash	Biometric template hash
udif_claim_institution_id	Institutional ID / account
udif_claim_public_key	Subjects public key / fingerprint
udif_claim_age_over	Age threshold proof (boolean)
udif_claim_citizenship	Country citizenship assertion
udif_claim_residency	Residency assertion
udif_claim_membership_id	Membership/affiliation identifier
udif_claim_contact_email	Email address (validated form)
udif_claim_contact_phone	Phone (E.164 normalized)
udif_claim_address	Postal/civic address (normalized)
udif_claim_custom	Implementation-specific/custom

udif_configuration_sets

enum udif_configuration_sets

The UDIF algorithm configuration sets.

Enumerator
udif_configuration_set_none	No algorithm identifier is set
udif_configuration_set_dilithium1_kyber1_rcs256_shake256	The Dilithium-S1/Kyber-S1/RCS-256/SHAKE-256 algorithm set
udif_configuration_set_dilithium3_kyber3_rcs256_shake256	The Dilithium-S3/Kyber-S3/RCS-256/SHAKE-256 algorithm set
udif_configuration_set_dilithium5_kyber5_rcs256_shake256	The Dilithium-S5/Kyber-S5/RCS-256/SHAKE-256 algorithm set
udif_configuration_set_dilithium5_kyber6_rcs512_shake256	The Dilithium-S5/Kyber-S6/RCS-256/SHAKE-256 algorithm set
udif_configuration_set_sphincsplus1_mceliece1_rcs256_shake256	The SPHINCS+-S1/McEliece-S1/RCS-256/SHAKE-256 algorithm set
udif_configuration_set_sphincsplus3_mceliece3_rcs256_shake256	The SPHINCS+-S3/McEliece-S3/RCS-256/SHAKE-256 algorithm set
udif_configuration_set_sphincsplus5_mceliece5_rcs256_shake256	The SPHINCS+-S5/McEliece-S5/RCS-256/SHAKE-256 algorithm set
udif_configuration_set_sphincsplus5_mceliece6_rcs256_shake256	The SPHINCS+-S6/McEliece-S6/RCS-256/SHAKE-256 algorithm set
udif_configuration_set_sphincsplus5_mceliece7_rcs256_shake256	The SPHINCS+-S7/McEliece-S7/RCS-256/SHAKE-256 algorithm set

udif_error_capability

enum udif_error_capability

Capability/permission evaluation errors.

Enumerator
udif_ecap_none	No error
udif_ecap_denied	Capability denied by policy
udif_ecap_mask_empty	Empty/zero capability mask
udif_ecap_mask_conflict	Conflicting capability bits

udif_error_claims

enum udif_error_claims

Claim/claim-set error codes.

Enumerator
udif_ecl_none	No error
udif_ecl_type_unknown	Unknown claim type
udif_ecl_encoding_bad	Bad/unsupported encoding
udif_ecl_canonical_fail	Canonicalization failed
udif_ecl_anchor_bad	Anchor/merkle root mismatch
udif_ecl_value_invalid	Claim value invalid/out of range

udif_error_encoding

enum udif_error_encoding

Encoding/decoding errors for UDIF objects.

Enumerator
udif_eenc_none	No error
udif_eenc_overflow	Buffer overflow/size mismatch
udif_eenc_underflow	Buffer underflow/truncation
udif_eenc_format	Bad format/version
udif_eenc_unsupported	Unsupported encoding

udif_error_identity

enum udif_error_identity

Identity-specific error codes.

Enumerator
udif_eid_none	No error
udif_eid_namespace_bad	Invalid namespace code
udif_eid_issuer_bad	Invalid issuer domain code
udif_eid_subject_bad	Invalid subject identifier
udif_eid_mask_invalid	Capability/permission mask invalid
udif_eid_anchor_mismatch	Claim anchor does not match claims
udif_eid_sig_invalid	Signature verification failed
udif_eid_expired	Identity validity expired
udif_eid_future	Identity not yet valid

udif_error_policy

enum udif_error_policy

Policy evaluation/lookup errors.

Enumerator
udif_epol_none	No error
udif_epol_not_found	Policy not found
udif_epol_hash_mismatch	Policy hash mismatch
udif_epol_indeterminate	Evaluation indeterminate

udif_errors

enum udif_errors

UDIF error codes.

Enumerator
udif_error_none	No error
udif_error_invalid_input	Invalid input parameter
udif_error_invalid_state	Invalid state
udif_error_auth_failure	Authentication failed
udif_error_certificate_expired	Certificate expired
udif_error_certificate_revoked	Certificate revoked
udif_error_capability_revoked	Capability revoked
udif_error_invalid_sequence	Invalid sequence number
udif_error_time_window	Time window exceeded
udif_error_epoch_mismatch	Epoch mismatch
udif_error_suite_mismatch	Suite mismatch
udif_error_decode_failure	Decode failure
udif_error_encode_failure	Encode failure
udif_error_signature_invalid	Invalid signature
udif_error_mac_invalid	Invalid MAC
udif_error_not_authorized	Not authorized
udif_error_object_not_found	Object not found
udif_error_registry_full	Registry full
udif_error_logging_failure	Log operation failed
udif_error_anchor_invalid	Invalid anchor record
udif_error_treaty_invalid	Invalid treaty
udif_error_invalid_request	Invalid request
udif_error_internal	Internal error
udif_error_file_create_failed	File creation failed
udif_error_file_not_found	File not found
udif_error_invalid_parameter	Invalid parameter

udif_logging_event_codes

enum udif_logging_event_codes

Membership and transaction log event codes.

Enumerator
udif_event_enroll	Entity enrollment
udif_event_suspend	Entity suspension
udif_event_resume	Entity resumption
udif_event_revoke	Entity revocation
udif_event_capability_grant	Capability grant
udif_event_capability_revoke	Capability revocation
udif_event_registry_commit	Registry commit
udif_event_branch_create	Branch creation
udif_event_branch_suspend	Branch suspension
udif_event_branch_revoke	Branch revocation
udif_event_object_create	Object creation
udif_event_object_transfer	Object transfer
udif_event_object_update	Object update
udif_event_object_destroy	Object destruction

udif_permission_class

enum udif_permission_class

Permission classes whose bits populate the permission mask.

Enumerator
udif_perm_read_claims	Read subject claims
udif_perm_write_claims	Write/update subject claims
udif_perm_read_certs	Read certificates/CRLs
udif_perm_write_certs	Create/update certificates/CRLs
udif_perm_manage_policy	Manage policy/validation parameters
udif_perm_manage_caps	Grant/revoke capabilities
udif_perm_delegate	Delegate permission subsets
udif_perm_export_identity	Export identities/tokens
udif_perm_import_identity	Import identities/tokens

udif_policy_decision

enum udif_policy_decision

Policy evaluation outcome.

Enumerator
udif_policy_permit	Permit
udif_policy_deny	Deny
udif_policy_indeterminate	Evaluation failed (error)
udif_policy_not_applicable	No matching rule

udif_roles

enum udif_roles

UDIF entity roles.

Enumerator
udif_role_none	No role specified
udif_role_root	Root authority
udif_role_ugc	Group controller
udif_role_ubc	Branch controller
udif_role_uor	Object registry
udif_role_client	Client role
udif_role_audit	Auditor role
udif_role_revoked	Authority revoked for this entity
udif_role_any	Entity has any priveledge

udif_status

enum udif_status

Generic status codes for UDIF operations.

Enumerator
udif_status_success	Operation succeeded
udif_status_invalid_argument	Bad input parameter(s)
udif_status_not_found	Object not found
udif_status_already_exists	Duplicate object
udif_status_out_of_memory	Allocation failed
udif_status_buffer_too_small	Output buffer too small
udif_status_not_supported	Feature not supported
udif_status_internal_error	Internal/unknown error

udif_time_validation

enum udif_time_validation

Results of time/validity-window checks.

Enumerator
udif_time_valid	Within window
udif_time_future	Not yet valid
udif_time_expired	Expired
udif_time_skew_exceeds	Exceeds allowed clock skew

udif_token_type

enum udif_token_type

Token families issued/validated within UDIF.

Enumerator
udif_token_none	Not a token
udif_token_capability	Capability token (authZ)
udif_token_attestation	Attestation token (statement + signature)
udif_token_session	Session/resumption ticket (envelope optional)

udif_verify_policy

enum udif_verify_policy

Verification strictness for identity/cert/claim checks.

Enumerator
udif_verify_strict	All checks required (fail-closed)
udif_verify_lenient	Allow missing non-critical fields (fail-open subset)

udif_version_sets

enum udif_version_sets

The UDIF version sets.

Enumerator
udif_version_set_none	No version identifier is set
udif_version_set_one_zero	The 1.0 version identifier

Function Documentation

udif_error_to_string()

UDIF_EXPORT_API const char * udif_error_to_string

(

udif_errors

error

)

Convert an error to a string.

Parameters

error

The error enumerator.

Returns

Returns the errors string representation.

udif_role_to_string()

UDIF_EXPORT_API const char * udif_role_to_string

(

udif_roles

role

)

Convert a role to its string name.

Parameters

role	The role enumerator.

Returns

Returns a constant string naming the role, or NULL if unknown.

udif_suite_is_valid()

UDIF_EXPORT_API bool udif_suite_is_valid

(

uint8_t

suiteid

)

Check if the suite id valid.

Parameters

suiteid

The suite id.

Returns

Returns true if the suite id is valid.