TLS security policy configuration. More...

#include <tls_policy.h>

Collaboration diagram for kcenon::pacs::security::tls_policy:

Public Member Functions
Policy Properties
tls_profile	profile () const noexcept

std::string_view	profile_name () const noexcept

uint16_t	min_protocol_version () const noexcept

uint16_t	max_protocol_version () const noexcept

bool	non_downgrading () const noexcept

const cipher_suite_spec &	cipher_suites () const noexcept

const certificate_constraints &	cert_constraints () const noexcept

Validation
bool	is_version_allowed (uint16_t version) const noexcept
	Check if a TLS version is allowed by this policy.

bool	is_rsa_key_acceptable (uint16_t bits) const noexcept
	Check if an RSA key size meets minimum requirements.

bool	is_ecdsa_key_acceptable (uint16_t bits) const noexcept
	Check if an ECDSA curve size meets minimum requirements.

std::string_view	tls13_ciphersuites () const noexcept
	Get the TLS 1.3 cipher suites string for OpenSSL.

std::string_view	tls12_ciphersuites () const noexcept
	Get the TLS 1.2 cipher suites string for OpenSSL.

Static Public Member Functions
static tls_policy	bcp195_basic_profile ()
	Create a BCP 195 basic profile policy.

static tls_policy	bcp195_non_downgrading_profile ()
	Create a BCP 195 non-downgrading profile policy.

static tls_policy	bcp195_extended_profile ()
	Create an extended profile (TLS 1.3 only)

static tls_policy	from_profile (tls_profile profile)
	Create a policy from a named profile.

Static Public Attributes
Predefined Cipher Suite Strings
static constexpr std::string_view	kTls13Required
	TLS 1.3 required cipher suites (BCP 195)

static constexpr std::string_view	kTls13Strict
	TLS 1.3 strict cipher suites (extended profile)

static constexpr std::string_view	kTls12Recommended
	TLS 1.2 BCP 195 recommended cipher suites.

Protocol Version Constants
static constexpr uint16_t	kTls10Version = 0x0301
	OpenSSL TLS version constants for reference.

static constexpr uint16_t	kTls11Version = 0x0302

static constexpr uint16_t	kTls12Version = 0x0303

static constexpr uint16_t	kTls13Version = 0x0304

Private Member Functions
	tls_policy (tls_profile prof, uint16_t min_ver, uint16_t max_ver, bool non_downgrade, cipher_suite_spec ciphers, certificate_constraints certs)

Private Attributes
tls_profile	profile_

uint16_t	min_version_

uint16_t	max_version_

bool	non_downgrading_

cipher_suite_spec	ciphers_

certificate_constraints	cert_constraints_

Detailed Description

TLS security policy configuration.

Encapsulates all TLS settings for a given security profile. Use the factory methods to create standard profiles.

Definition at line 93 of file tls_policy.h.

Constructor & Destructor Documentation

◆ tls_policy()

kcenon::pacs::security::tls_policy::tls_policy	(	tls_profile	prof,
		uint16_t	min_ver,
		uint16_t	max_ver,
		bool	non_downgrade,
		cipher_suite_spec	ciphers,
		certificate_constraints	certs )

private

Definition at line 39 of file tls_policy.cpp.

    : profile_(prof),
      min_version_(min_ver),
      max_version_(max_ver),
      non_downgrading_(non_downgrade),
      ciphers_(std::move(ciphers)),
      cert_constraints_(std::move(certs)) {}

Member Function Documentation

◆ bcp195_basic_profile()

tls_policy kcenon::pacs::security::tls_policy::bcp195_basic_profile ( )

staticnodiscard

Create a BCP 195 basic profile policy.

Minimum TLS 1.2
Standard BCP 195 cipher suites
RSA >= 2048, ECDSA >= P-256

Definition at line 53 of file tls_policy.cpp.

                                            {
    return {tls_profile::bcp195_basic,
            kTls12Version,
            kTls13Version,
            true,
            {std::string(kTls13Required), std::string(kTls12Recommended)},
            {2048, 256, 5, true}};
}

References kcenon::pacs::security::bcp195_basic, kTls12Recommended, kTls12Version, kTls13Required, and kTls13Version.

Referenced by from_profile().

Here is the caller graph for this function:

◆ bcp195_extended_profile()

tls_policy kcenon::pacs::security::tls_policy::bcp195_extended_profile ( )

staticnodiscard

Create an extended profile (TLS 1.3 only)

TLS 1.3 only
Strictest cipher suites
RSA >= 3072, ECDSA >= P-256

Definition at line 71 of file tls_policy.cpp.

                                               {
    return {tls_profile::bcp195_extended,
            kTls13Version,
            kTls13Version,
            true,
            {std::string(kTls13Strict), ""},
            {3072, 256, 4, true}};
}

References kcenon::pacs::security::bcp195_extended, kTls13Strict, and kTls13Version.

Referenced by from_profile().

Here is the caller graph for this function:

◆ bcp195_non_downgrading_profile()

tls_policy kcenon::pacs::security::tls_policy::bcp195_non_downgrading_profile ( )

staticnodiscard

Create a BCP 195 non-downgrading profile policy.

Minimum TLS 1.2, prefers TLS 1.3
No protocol downgrade allowed
Only BCP 195-compliant cipher suites
RSA >= 2048, ECDSA >= P-256

This is the recommended DICOM PS3.15 profile.

Definition at line 62 of file tls_policy.cpp.

                                                      {
    return {tls_profile::bcp195_non_downgrading,
            kTls12Version,
            kTls13Version,
            true,
            {std::string(kTls13Required), std::string(kTls12Recommended)},
            {2048, 256, 5, true}};
}

References kcenon::pacs::security::bcp195_non_downgrading, kTls12Recommended, kTls12Version, kTls13Required, and kTls13Version.

Referenced by from_profile().

Here is the caller graph for this function:

◆ cert_constraints()

const certificate_constraints & kcenon::pacs::security::tls_policy::cert_constraints ( ) const

nodiscardnoexcept

Definition at line 120 of file tls_policy.cpp.

                                                                           {
    return cert_constraints_;
}

References cert_constraints_.

◆ cipher_suites()

const cipher_suite_spec & kcenon::pacs::security::tls_policy::cipher_suites ( ) const

nodiscardnoexcept

Definition at line 116 of file tls_policy.cpp.

                                                                  {
    return ciphers_;
}

References ciphers_.

◆ from_profile()

tls_policy kcenon::pacs::security::tls_policy::from_profile ( tls_profile profile )

staticnodiscard

Create a policy from a named profile.

Definition at line 80 of file tls_policy.cpp.

                                                       {
    switch (profile) {
        case tls_profile::bcp195_basic:
            return bcp195_basic_profile();
        case tls_profile::bcp195_non_downgrading:
            return bcp195_non_downgrading_profile();
        case tls_profile::bcp195_extended:
            return bcp195_extended_profile();
    }
    return bcp195_non_downgrading_profile();
}

References kcenon::pacs::security::bcp195_basic, bcp195_basic_profile(), kcenon::pacs::security::bcp195_extended, bcp195_extended_profile(), kcenon::pacs::security::bcp195_non_downgrading, bcp195_non_downgrading_profile(), and profile().

Here is the call graph for this function:

◆ is_ecdsa_key_acceptable()

bool kcenon::pacs::security::tls_policy::is_ecdsa_key_acceptable ( uint16_t bits ) const

nodiscardnoexcept

Check if an ECDSA curve size meets minimum requirements.

Parameters

bits	ECDSA curve size in bits

Definition at line 136 of file tls_policy.cpp.

                                                                     {
    return bits >= cert_constraints_.min_ecdsa_curve_bits;
}

◆ is_rsa_key_acceptable()

bool kcenon::pacs::security::tls_policy::is_rsa_key_acceptable ( uint16_t bits ) const

nodiscardnoexcept

Check if an RSA key size meets minimum requirements.

Parameters

bits	RSA key size in bits

Definition at line 132 of file tls_policy.cpp.

                                                                   {
    return bits >= cert_constraints_.min_rsa_key_bits;
}

◆ is_version_allowed()

bool kcenon::pacs::security::tls_policy::is_version_allowed ( uint16_t version ) const

nodiscardnoexcept

Check if a TLS version is allowed by this policy.

Parameters

version OpenSSL version constant (e.g., TLS1_2_VERSION)

Definition at line 128 of file tls_policy.cpp.

                                                                   {
    return version >= min_version_ && version <= max_version_;
}

◆ max_protocol_version()

uint16_t kcenon::pacs::security::tls_policy::max_protocol_version ( ) const

nodiscardnoexcept

Definition at line 108 of file tls_policy.cpp.

                                                         {
    return max_version_;
}

References max_version_.

◆ min_protocol_version()

uint16_t kcenon::pacs::security::tls_policy::min_protocol_version ( ) const

nodiscardnoexcept

Definition at line 104 of file tls_policy.cpp.

                                                         {
    return min_version_;
}

References min_version_.

◆ non_downgrading()

bool kcenon::pacs::security::tls_policy::non_downgrading ( ) const

nodiscardnoexcept

Definition at line 112 of file tls_policy.cpp.

                                                {
    return non_downgrading_;
}

References non_downgrading_.

◆ profile()

tls_profile kcenon::pacs::security::tls_policy::profile ( ) const

nodiscardnoexcept

Definition at line 96 of file tls_policy.cpp.

                                               {
    return profile_;
}

References profile_.

Referenced by from_profile().

Here is the caller graph for this function:

◆ profile_name()

std::string_view kcenon::pacs::security::tls_policy::profile_name ( ) const

nodiscardnoexcept

Definition at line 100 of file tls_policy.cpp.

                                                       {
    return to_string(profile_);
}

References profile_, and kcenon::pacs::security::to_string().

Here is the call graph for this function:

◆ tls12_ciphersuites()

std::string_view kcenon::pacs::security::tls_policy::tls12_ciphersuites ( ) const

nodiscardnoexcept

Get the TLS 1.2 cipher suites string for OpenSSL.

Definition at line 144 of file tls_policy.cpp.

                                                             {
    return ciphers_.tls12_ciphers;
}

References ciphers_, and kcenon::pacs::security::cipher_suite_spec::tls12_ciphers.

◆ tls13_ciphersuites()

std::string_view kcenon::pacs::security::tls_policy::tls13_ciphersuites ( ) const

nodiscardnoexcept

Get the TLS 1.3 cipher suites string for OpenSSL.

Definition at line 140 of file tls_policy.cpp.

                                                             {
    return ciphers_.tls13_ciphers;
}

References ciphers_, and kcenon::pacs::security::cipher_suite_spec::tls13_ciphers.

Member Data Documentation

◆ cert_constraints_

certificate_constraints kcenon::pacs::security::tls_policy::cert_constraints_

private

Definition at line 225 of file tls_policy.h.

Referenced by cert_constraints().

◆ ciphers_

cipher_suite_spec kcenon::pacs::security::tls_policy::ciphers_

private

Definition at line 224 of file tls_policy.h.

Referenced by cipher_suites(), tls12_ciphersuites(), and tls13_ciphersuites().

◆ kTls10Version

uint16_t kcenon::pacs::security::tls_policy::kTls10Version = 0x0301

staticconstexpr

OpenSSL TLS version constants for reference.

Definition at line 208 of file tls_policy.h.

◆ kTls11Version

uint16_t kcenon::pacs::security::tls_policy::kTls11Version = 0x0302

staticconstexpr

Definition at line 209 of file tls_policy.h.

◆ kTls12Recommended

std::string_view kcenon::pacs::security::tls_policy::kTls12Recommended

staticconstexpr

Initial value:

=
        "ECDHE-ECDSA-AES256-GCM-SHA384:"
        "ECDHE-RSA-AES256-GCM-SHA384:"
        "ECDHE-ECDSA-CHACHA20-POLY1305:"
        "ECDHE-RSA-CHACHA20-POLY1305:"
        "ECDHE-ECDSA-AES128-GCM-SHA256:"
        "ECDHE-RSA-AES128-GCM-SHA256"

TLS 1.2 BCP 195 recommended cipher suites.

Definition at line 194 of file tls_policy.h.

Referenced by bcp195_basic_profile(), and bcp195_non_downgrading_profile().

◆ kTls12Version

uint16_t kcenon::pacs::security::tls_policy::kTls12Version = 0x0303

staticconstexpr

Definition at line 210 of file tls_policy.h.

Referenced by bcp195_basic_profile(), and bcp195_non_downgrading_profile().

◆ kTls13Required

std::string_view kcenon::pacs::security::tls_policy::kTls13Required

staticconstexpr

Initial value:

=
        "TLS_AES_256_GCM_SHA384:"
        "TLS_AES_128_GCM_SHA256:"
        "TLS_CHACHA20_POLY1305_SHA256"

TLS 1.3 required cipher suites (BCP 195)

Definition at line 183 of file tls_policy.h.

Referenced by bcp195_basic_profile(), and bcp195_non_downgrading_profile().

◆ kTls13Strict

std::string_view kcenon::pacs::security::tls_policy::kTls13Strict

staticconstexpr

Initial value:

=
        "TLS_AES_256_GCM_SHA384:"
        "TLS_CHACHA20_POLY1305_SHA256"

TLS 1.3 strict cipher suites (extended profile)

Definition at line 189 of file tls_policy.h.

Referenced by bcp195_extended_profile().

◆ kTls13Version

uint16_t kcenon::pacs::security::tls_policy::kTls13Version = 0x0304

staticconstexpr

Definition at line 211 of file tls_policy.h.

Referenced by bcp195_basic_profile(), bcp195_extended_profile(), and bcp195_non_downgrading_profile().

◆ max_version_

uint16_t kcenon::pacs::security::tls_policy::max_version_

private

Definition at line 222 of file tls_policy.h.

Referenced by max_protocol_version().

◆ min_version_

uint16_t kcenon::pacs::security::tls_policy::min_version_

private

Definition at line 221 of file tls_policy.h.

Referenced by min_protocol_version().

◆ non_downgrading_

bool kcenon::pacs::security::tls_policy::non_downgrading_

private

Definition at line 223 of file tls_policy.h.

Referenced by non_downgrading().

◆ profile_

tls_profile kcenon::pacs::security::tls_policy::profile_

private

Definition at line 220 of file tls_policy.h.

Referenced by profile(), and profile_name().

The documentation for this class was generated from the following files:

include/kcenon/pacs/security/tls_policy.h
src/security/tls_policy.cpp

Public Member Functions

Static Public Member Functions

Static Public Attributes

Private Member Functions

Private Attributes

Detailed Description

Constructor & Destructor Documentation

◆ tls_policy()

Member Function Documentation

◆ bcp195_basic_profile()

◆ bcp195_extended_profile()

◆ bcp195_non_downgrading_profile()

◆ cert_constraints()

◆ cipher_suites()

◆ from_profile()

◆ is_ecdsa_key_acceptable()

◆ is_rsa_key_acceptable()

◆ is_version_allowed()

◆ max_protocol_version()

◆ min_protocol_version()

◆ non_downgrading()

◆ profile()

◆ profile_name()

◆ tls12_ciphersuites()

◆ tls13_ciphersuites()

Member Data Documentation

◆ cert_constraints_

◆ ciphers_

◆ kTls10Version

◆ kTls11Version

◆ kTls12Recommended

◆ kTls12Version

◆ kTls13Required

◆ kTls13Strict

◆ kTls13Version

◆ max_version_

◆ min_version_

◆ non_downgrading_

◆ profile_