added PSK support
1 /**
2 * @file credential_store.h
3 *
4 * @brief Interface credential_store_t.
5 *
6 */
7
8 /*
9 * Copyright (C) 2005-2006 Martin Willi
10 * Copyright (C) 2005 Jan Hutter
11 * Hochschule fuer Technik Rapperswil
12 *
13 * This program is free software; you can redistribute it and/or modify it
14 * under the terms of the GNU General Public License as published by the
15 * Free Software Foundation; either version 2 of the License, or (at your
16 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
17 *
18 * This program is distributed in the hope that it will be useful, but
19 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
20 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
21 * for more details.
22 */
23
24 #ifndef CREDENTIAL_STORE_H_
25 #define CREDENTIAL_STORE_H_
26
27 #include <types.h>
28 #include <crypto/x509.h>
29 #include <crypto/rsa/rsa_private_key.h>
30 #include <crypto/rsa/rsa_public_key.h>
31 #include <utils/identification.h>
32 #include <utils/logger.h>
33
34
35 typedef struct credential_store_t credential_store_t;
36
37 /**
38 * @brief The interface for a credential_store backend.
39 *
40 * @b Constructors:
41 * - stroke_create()
42 *
43 * @ingroup config
44 */
struct credential_store_t {

	/**
	 * @brief Returns the secret shared by two specific IDs.
	 *
	 * The returned chunk must be destroyed by the caller after usage.
	 * NOTE(review): the chunk holds pre-shared key material; callers should
	 * wipe it before releasing it - confirm what the chunk_t API provides.
	 *
	 * @param this				calling object
	 * @param my_id				my ID identifying the secret.
	 * @param other_id			peer ID identifying the secret.
	 * @param[out] shared_key	the pre-shared secret will be written there.
	 * @return
	 * 							- NOT_FOUND if no preshared secrets for specific ID could be found
	 * 							- SUCCESS
	 */
	status_t (*get_shared_key) (credential_store_t *this, identification_t *my_id, identification_t *other_id, chunk_t *shared_key);

	/**
	 * @brief Returns the RSA public key of a specific ID.
	 *
	 * Unlike get_trusted_public_key(), this lookup gives no indication of
	 * whether the key is trusted. Ownership of the returned key is not stated
	 * here (compare get_rsa_private_key(), which must be destroyed by the
	 * caller) - presumably it stays owned by the store; confirm in the
	 * implementation.
	 *
	 * @param this				calling object
	 * @param id				identification_t object identifying the key.
	 * @return					public key, or NULL if not found
	 */
	rsa_public_key_t* (*get_rsa_public_key) (credential_store_t *this, identification_t *id);

	/**
	 * @brief Returns the RSA public key of a specific ID if it is trusted.
	 *
	 * @param this				calling object
	 * @param id				identification_t object identifying the key.
	 * @return					public key, or NULL if not found or not trusted
	 */
	rsa_public_key_t* (*get_trusted_public_key) (credential_store_t *this, identification_t *id);

	/**
	 * @brief Returns the RSA private key belonging to an RSA public key.
	 *
	 * The returned rsa_private_key_t must be destroyed by the caller after usage.
	 *
	 * @param this				calling object
	 * @param pubkey			public key
	 * @return					private key, or NULL if not found
	 */
	rsa_private_key_t* (*get_rsa_private_key) (credential_store_t *this, rsa_public_key_t *pubkey);

	/**
	 * @brief Is there a matching RSA private key belonging to an RSA public key?
	 *
	 * Existence check only; nothing is returned to the caller, so no
	 * ownership is transferred.
	 *
	 * @param this				calling object
	 * @param pubkey			public key
	 * @return					TRUE if matching private key was found
	 */
	bool (*has_rsa_private_key) (credential_store_t *this, rsa_public_key_t *pubkey);

	/**
	 * @brief Returns the certificate of a specific ID.
	 *
	 * Ownership of the returned certificate is not stated here - presumably
	 * it stays owned by the store; confirm in the implementation.
	 *
	 * @param this				calling object
	 * @param id				identification_t object identifying the certificate.
	 * @return					certificate, or NULL if not found
	 */
	x509_t* (*get_certificate) (credential_store_t *this, identification_t *id);

	/**
	 * @brief Verify an X.509 certificate up to a trust anchor, including revocation checks.
	 *
	 * @param this				calling object
	 * @param cert				certificate to be verified
	 * @param[out] found		set to whether a copy of the certificate was found in the credential store
	 * @return					TRUE if trusted
	 */
	bool (*verify) (credential_store_t *this, x509_t *cert, bool *found);

	/**
	 * @brief If an end certificate does not already exist in the credential store, add it.
	 *
	 * NOTE(review): what happens to the passed cert when a copy already
	 * exists (whether the caller keeps ownership of it) is not specified
	 * here - confirm in the implementation before relying on either.
	 *
	 * @param this				calling object
	 * @param cert				certificate to be added
	 * @return					pointer to the added or already existing certificate
	 */
	x509_t* (*add_end_certificate) (credential_store_t *this, x509_t *cert);

	/**
	 * @brief If a CA certificate does not already exist in the credential store, add it.
	 *
	 * NOTE(review): as for add_end_certificate(), ownership of the passed
	 * cert when a copy already exists is not specified here - confirm.
	 *
	 * @param this				calling object
	 * @param cert				CA certificate to be added
	 * @return					pointer to the added or already existing certificate
	 */
	x509_t* (*add_ca_certificate) (credential_store_t *this, x509_t *cert);

	/**
	 * @brief Lists all certificates kept in the local credential store.
	 *
	 * @param this				calling object
	 * @param logger			logger to be used
	 * @param utc				log dates either in UTC or local time
	 */
	void (*log_certificates) (credential_store_t *this, logger_t *logger, bool utc);

	/**
	 * @brief Lists all CA certificates kept in the local credential store.
	 *
	 * @param this				calling object
	 * @param logger			logger to be used
	 * @param utc				log dates either in UTC or local time
	 */
	void (*log_ca_certificates) (credential_store_t *this, logger_t *logger, bool utc);

	/**
	 * @brief Lists all CRLs kept in the local credential store.
	 *
	 * @param this				calling object
	 * @param logger			logger to be used
	 * @param utc				log dates either in UTC or local time
	 */
	void (*log_crls) (credential_store_t *this, logger_t *logger, bool utc);

	/**
	 * @brief Loads trusted CA certificates from a default directory.
	 *
	 * Certificates in both DER and PEM format are accepted. The directory
	 * is fixed by the implementation; there is no path parameter.
	 *
	 * @param this				calling object
	 */
	void (*load_ca_certificates) (credential_store_t *this);

	/**
	 * @brief Loads CRLs from a default directory.
	 *
	 * Files in both DER and PEM format are accepted. The directory is fixed
	 * by the implementation; there is no path parameter.
	 *
	 * @param this				calling object
	 */
	void (*load_crls) (credential_store_t *this);

	/**
	 * @brief Loads secrets in ipsec.secrets.
	 *
	 * Currently, all RSA private key files must be in unencrypted form
	 * either in DER or PEM format. NOTE(review): since keys are stored
	 * unencrypted, the secrets file and the key files it references are
	 * presumably protected only by filesystem permissions - confirm.
	 *
	 * @param this				calling object
	 */
	void (*load_secrets) (credential_store_t *this);

	/**
	 * @brief Destroys a credential_store_t object.
	 *
	 * @param this				calling object
	 */
	void (*destroy) (credential_store_t *this);
};
202
/**
 * @brief Creates a credential_store_t instance.
 *
 * The returned object is released through its destroy() method.
 * NOTE(review): how a strict CRL policy affects verify() (e.g. whether a
 * missing CRL fails verification) is not described here - confirm in the
 * implementation.
 *
 * @param strict		enforce a strict crl policy
 * @return				credential store instance.
 *
 * @ingroup config
 */
credential_store_t *credential_store_create(bool strict);
212
213
214 #endif /*CREDENTIAL_STORE_H_*/