lib/src/main/java/io/v/v23/security/package-info.java - release.java - Git at Google

 // Copyright 2015 The Vanadium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

 /**
  * Package security defines types and utilities associated with security.
  * <p><ul>
  *   <li>Concept: <a href="https://github.com/vanadium/docs/blob/master/concepts/security.md">https://github.com/vanadium/docs/blob/master/concepts/security.md</a></li>
  *   <li>Tutorial: (forthcoming)</li>
  * </ul><p>
  * The primitives and APIs defined in this package enable bi-directional,
  * end-to-end authentication between communicating parties; authorization based
  * on that authentication; and secrecy and integrity of all communication.
  * <p>
  * <strong>Overview</strong>
  * <p>
  * The Vanadium security model is centered around the concepts of principals
  * and blessings.
  * <p>
  * A principal in the Vanadium framework is a public and private key pair.
  * Every RPC is executed on behalf of a principal.
  * <p>
  * A blessing is a binding of a human-readable name to a principal, valid under
  * some caveats, given by another principal. A principal can have multiple
  * blessings bound to it. For instance, a television principal may have a
  * blessing from the manufacturer (e.g., {@code popularcorp/products/tv}) as well as
  * from the owner (e.g., {@code alice/devices/hometv}). Principals are authorized for
  * operations based on the blessings bound to them.
  * <p>
  * A principal can "bless" another principal by binding an extension of one of
  * its own blessings to the other principal. This enables delegation of
  * authority. For example, a principal with the blessing
  * {@code "johndoe"} can delegate to his phone by blessing the phone as
  * {@code "johndoe/phone"}, which in-turn can delegate to the headset by blessing it as
  * {@code "johndoe/phone/headset"}.
  * <p>
  * Caveats can be added to a blessing in order to restrict the contexts in which
  * it can be used. Amongst other things, caveats can restrict the duration of use and
  * the set of peers that can be communicated with using a blessing.
  * <p>
  * <strong>Navigating the interfaces</strong>
  * <p>
  * We recommend the following order in order to introduce yourself to the API:
  * <p><ul>
  *   <li>{@link io.v.v23.security.VPrincipal}</li>
  *   <li>{@link io.v.v23.security.Blessings}</li>
  *   <li>{@link io.v.v23.security.BlessingStore}</li>
  *   <li>{@link io.v.v23.security.BlessingRoots}</li>
  *   <li>{@link io.v.v23.security.VSecurity}</li>
  * </ul>
  * <p>
  * <strong>Examples</strong>
  * <p>
  * A principal can decide to name itself anything it wants:
  * <p><blockquote><pre>
  *  // (in process A)
  *  VPrincipal p1 = VSecurity.newPrincipal();
  *  Blessings alice := p1.blessSelf("alice");
  * </pre></blockquote><p>
  * This {@code alice} blessing can be presented to to another principal (typically a
  * remote process), but that other principal will not recognize this "self-proclaimed" authority:
  * <p><blockquote><pre>
  *  // (in process B)
  *  // context = current context
  *  // call = current security state
  *  VPrincipal p2 = VSecurity.newPrincipal();
  *  String[] names = VSecurity.getRemoteBlessingNames(ctx, call);
  *  System.out.println(Arrays.toString(names));  // Will print {@code ""}
  * </pre></blockquote><p>
  * However, {@code p2} can decide to trust the roots of the {@code "alice"} blessing and then it
  * will be able to recognize her delegates as well:
  * <p><blockquote><pre>
  *  // (in process B)
  *  VSecurity.addToRoots(p2, call.remoteBlessings());
  *  String[] names = VSecurity.getRemoteBlessingNames(ctx, call);
  *  System.out.println(Arrays.toString(names));  // Will print {@code "alice"}
  * </pre></blockquote><p>
  * Furthermore, {@code p2} can seek a blessing from {@code "alice"}:
  * <p><blockquote><pre>
  *  // (in process A)
  *  // call = call under which p2 is seeking a blessing from alice, call.localPrincipal() = p1
  *  ECPublicKey key2 = call.remoteBlessings().publicKey();
  *  Caveat onlyFor10Minutes = VSecurity.newExpiryCaveat(DateTime.now().plus(10000));
  *  Blessings aliceFriend = p1.bless(key2, alice, "friend", onlyFor10Minutes);
  *  sendBlessingToProcessB(aliceFriend);
  * </pre></blockquote><p>
  * {@code p2} can then add this blessing to its store such that this blessing will be
  * presented to {@code p1} anytime {@code p2} communicates with it in the future:
  * <p><blockquote><pre>
  *  // (in process B)
  *  p2.blessingStore().set(aliceFriend, new BlessingPattern("alice"));
  * </pre></blockquote><p>
  * {@code p2} can also choose to present multiple blessings to some servers:
  *  <p><blockquote><pre>
  *  // (in process B)
  *  Blessings charlieFriend = receiveBlessingFromSomewhere();
  *  Blessings union = VSecurity.unionOfBlessings(aliceFriend, charlieFriend);
  *  p2.blessingStore().set(union, new BlessingPattern("alice/mom"));
  * </pre></blockquote><p>
  * Thus, when communicating with a server that presents the blessing {@code "alice/mom"},
  * {@code p2} will declare that he is both "alice's friend" and "charlie's friend" and
  * the server may authorize actions based on this fact.
  * <p>
  * {@code p2} may also choose that it wants to present these two blessings when acting
  * as a "server", (i.e., when it does not know who the peer is):
  * <p><blockquote><pre>
  * // (in process B)
  * Blessings default = VSecurity.unionOfBlessings(aliceFriend, charlieFriend);
  * p2.blessingStore().SetDefault(default);
  * </pre></blockquote><p>
  */
 package io.v.v23.security;
	// Copyright 2015 The Vanadium Authors. All rights reserved.
	// Use of this source code is governed by a BSD-style
	// license that can be found in the LICENSE file.

	/**
	* Package security defines types and utilities associated with security.
	* <p><ul>
	* <li>Concept: <a href="https://github.com/vanadium/docs/blob/master/concepts/security.md">https://github.com/vanadium/docs/blob/master/concepts/security.md</a></li>
	* <li>Tutorial: (forthcoming)</li>
	* </ul><p>
	* The primitives and APIs defined in this package enable bi-directional,
	* end-to-end authentication between communicating parties; authorization based
	* on that authentication; and secrecy and integrity of all communication.
	* <p>
	* <strong>Overview</strong>
	* <p>
	* The Vanadium security model is centered around the concepts of principals
	* and blessings.
	* <p>
	* A principal in the Vanadium framework is a public and private key pair.
	* Every RPC is executed on behalf of a principal.
	* <p>
	* A blessing is a binding of a human-readable name to a principal, valid under
	* some caveats, given by another principal. A principal can have multiple
	* blessings bound to it. For instance, a television principal may have a
	* blessing from the manufacturer (e.g., {@code popularcorp/products/tv}) as well as
	* from the owner (e.g., {@code alice/devices/hometv}). Principals are authorized for
	* operations based on the blessings bound to them.
	* <p>
	* A principal can "bless" another principal by binding an extension of one of
	* its own blessings to the other principal. This enables delegation of
	* authority. For example, a principal with the blessing
	* {@code "johndoe"} can delegate to his phone by blessing the phone as
	* {@code "johndoe/phone"}, which in-turn can delegate to the headset by blessing it as
	* {@code "johndoe/phone/headset"}.
	* <p>
	* Caveats can be added to a blessing in order to restrict the contexts in which
	* it can be used. Amongst other things, caveats can restrict the duration of use and
	* the set of peers that can be communicated with using a blessing.
	* <p>
	* <strong>Navigating the interfaces</strong>
	* <p>
	* We recommend the following order in order to introduce yourself to the API:
	* <p><ul>
	* <li>{@link io.v.v23.security.VPrincipal}</li>
	* <li>{@link io.v.v23.security.Blessings}</li>
	* <li>{@link io.v.v23.security.BlessingStore}</li>
	* <li>{@link io.v.v23.security.BlessingRoots}</li>
	* <li>{@link io.v.v23.security.VSecurity}</li>
	* </ul>
	* <p>
	* <strong>Examples</strong>
	* <p>
	* A principal can decide to name itself anything it wants:
	* <p><blockquote><pre>
	* // (in process A)
	* VPrincipal p1 = VSecurity.newPrincipal();
	* Blessings alice := p1.blessSelf("alice");
	* </pre></blockquote><p>
	* This {@code alice} blessing can be presented to to another principal (typically a
	* remote process), but that other principal will not recognize this "self-proclaimed" authority:
	* <p><blockquote><pre>
	* // (in process B)
	* // context = current context
	* // call = current security state
	* VPrincipal p2 = VSecurity.newPrincipal();
	* String[] names = VSecurity.getRemoteBlessingNames(ctx, call);
	* System.out.println(Arrays.toString(names)); // Will print {@code ""}
	* </pre></blockquote><p>
	* However, {@code p2} can decide to trust the roots of the {@code "alice"} blessing and then it
	* will be able to recognize her delegates as well:
	* <p><blockquote><pre>
	* // (in process B)
	* VSecurity.addToRoots(p2, call.remoteBlessings());
	* String[] names = VSecurity.getRemoteBlessingNames(ctx, call);
	* System.out.println(Arrays.toString(names)); // Will print {@code "alice"}
	* </pre></blockquote><p>
	* Furthermore, {@code p2} can seek a blessing from {@code "alice"}:
	* <p><blockquote><pre>
	* // (in process A)
	* // call = call under which p2 is seeking a blessing from alice, call.localPrincipal() = p1
	* ECPublicKey key2 = call.remoteBlessings().publicKey();
	* Caveat onlyFor10Minutes = VSecurity.newExpiryCaveat(DateTime.now().plus(10000));
	* Blessings aliceFriend = p1.bless(key2, alice, "friend", onlyFor10Minutes);
	* sendBlessingToProcessB(aliceFriend);
	* </pre></blockquote><p>
	* {@code p2} can then add this blessing to its store such that this blessing will be
	* presented to {@code p1} anytime {@code p2} communicates with it in the future:
	* <p><blockquote><pre>
	* // (in process B)
	* p2.blessingStore().set(aliceFriend, new BlessingPattern("alice"));
	* </pre></blockquote><p>
	* {@code p2} can also choose to present multiple blessings to some servers:
	* <p><blockquote><pre>
	* // (in process B)
	* Blessings charlieFriend = receiveBlessingFromSomewhere();
	* Blessings union = VSecurity.unionOfBlessings(aliceFriend, charlieFriend);
	* p2.blessingStore().set(union, new BlessingPattern("alice/mom"));
	* </pre></blockquote><p>
	* Thus, when communicating with a server that presents the blessing {@code "alice/mom"},
	* {@code p2} will declare that he is both "alice's friend" and "charlie's friend" and
	* the server may authorize actions based on this fact.
	* <p>
	* {@code p2} may also choose that it wants to present these two blessings when acting
	* as a "server", (i.e., when it does not know who the peer is):
	* <p><blockquote><pre>
	* // (in process B)
	* Blessings default = VSecurity.unionOfBlessings(aliceFriend, charlieFriend);
	* p2.blessingStore().SetDefault(default);
	* </pre></blockquote><p>
	*/
	package io.v.v23.security;