f8db8bd4b30ebb451ab30d4ac1083af101972c06
[strongswan.git] / src / charon / config / credentials / credential_store.h
1 /**
2 * @file credential_store.h
3 *
4 * @brief Interface credential_store_t.
5 *
6 */
7
8 /*
9 * Copyright (C) 2005-2006 Martin Willi
10 * Copyright (C) 2005 Jan Hutter
11 * Hochschule fuer Technik Rapperswil
12 *
13 * This program is free software; you can redistribute it and/or modify it
14 * under the terms of the GNU General Public License as published by the
15 * Free Software Foundation; either version 2 of the License, or (at your
16 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
17 *
18 * This program is distributed in the hope that it will be useful, but
19 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
20 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
21 * for more details.
22 */
23
24 #ifndef CREDENTIAL_STORE_H_
25 #define CREDENTIAL_STORE_H_
26
27 #include <types.h>
28 #include <crypto/x509.h>
29 #include <crypto/rsa/rsa_private_key.h>
30 #include <crypto/rsa/rsa_public_key.h>
31 #include <utils/identification.h>
32 #include <utils/logger.h>
33
34
35 typedef struct credential_store_t credential_store_t;
36
37 /**
38 * @brief The interface for a credential_store backend.
39 *
40 * @b Constructors:
41 * - stroke_create()
42 *
43 * @ingroup config
44 */
45 struct credential_store_t {
46
47 /**
48 * @brief Returns the preshared secret of a specific ID.
49 *
50 * The returned chunk must be destroyed by the caller after usage.
51 *
52 * @param this calling object
53 * @param id identification_t object identifiying the secret.
54 * @param[out] preshared_secret the preshared secret will be written there.
55 * @return
56 * - NOT_FOUND if no preshared secrets for specific ID could be found
57 * - SUCCESS
58 *
59 * @todo We should use two IDs to query shared secrets, since we want to use different
60 * keys for different peers...
61 */
62 status_t (*get_shared_secret) (credential_store_t *this, identification_t *id, chunk_t *secret);
63
64 /**
65 * @brief Returns the RSA public key of a specific ID.
66 *
67 * @param this calling object
68 * @param id identification_t object identifiying the key.
69 * @return public key, or NULL if not found
70 */
71 rsa_public_key_t* (*get_rsa_public_key) (credential_store_t *this, identification_t *id);
72
73 /**
74 * @brief Returns the RSA public key of a specific ID if is trusted
75 *
76 * @param this calling object
77 * @param id identification_t object identifiying the key.
78 * @return public key, or NULL if not found or not trusted
79 */
80 rsa_public_key_t* (*get_trusted_public_key) (credential_store_t *this, identification_t *id);
81
82 /**
83 * @brief Returns the RSA private key belonging to an RSA public key
84 *
85 * The returned rsa_private_key_t must be destroyed by the caller after usage.
86 *
87 * @param this calling object
88 * @param pubkey public key
89 * @return private key, or NULL if not found
90 */
91 rsa_private_key_t* (*get_rsa_private_key) (credential_store_t *this, rsa_public_key_t *pubkey);
92
93 /**
94 * @brief Is there a matching RSA private key belonging to an RSA public key?
95 *
96 * @param this calling object
97 * @param pubkey public key
98 * @return TRUE if matching private key was found
99 */
100 bool (*has_rsa_private_key) (credential_store_t *this, rsa_public_key_t *pubkey);
101
102 /**
103 * @brief Returns the certificate of a specific ID.
104 *
105 * @param this calling object
106 * @param id identification_t object identifiying the key.
107 * @return certificate, or NULL if not found
108 */
109 x509_t* (*get_certificate) (credential_store_t *this, identification_t *id);
110
111 /**
112 * @brief Verify an X.509 certificate up to trust anchor including revocation checks
113 *
114 * @param this calling object
115 * @param cert certificate to be verified
116 * @param found found a certificate copy in the credential store
117 * @return TRUE if trusted
118 */
119 bool (*verify) (credential_store_t *this, x509_t *cert, bool *found);
120
121 /**
122 * @brief If an end certificate does not already exists in the credential store then add it.
123 *
124 * @param this calling object
125 * @param cert certificate to be added
126 * @return pointer to the added or already existing certificate
127 */
128 x509_t* (*add_end_certificate) (credential_store_t *this, x509_t *cert);
129
130 /**
131 * @brief If a ca certificate does not already exists in the credential store then add it.
132 *
133 * @param this calling object
134 * @param cert ca certificate to be added
135 * @return pointer to the added or already existing certificate
136 */
137 x509_t* (*add_ca_certificate) (credential_store_t *this, x509_t *cert);
138
139 /**
140 * @brief Lists all certificates kept in the local credential store.
141 *
142 * @param this calling object
143 * @param logger logger to be used
144 * @param utc log dates either in UTC or local time
145 */
146 void (*log_certificates) (credential_store_t *this, logger_t *logger, bool utc);
147
148 /**
149 * @brief Lists all CA certificates kept in the local credential store.
150 *
151 * @param this calling object
152 * @param logger logger to be used
153 * @param utc log dates either in UTC or local time
154 */
155 void (*log_ca_certificates) (credential_store_t *this, logger_t *logger, bool utc);
156
157 /**
158 * @brief Lists all CRLs kept in the local credential store.
159 *
160 * @param this calling object
161 * @param logger logger to be used
162 * @param utc log dates either in UTC or local time
163 */
164 void (*log_crls) (credential_store_t *this, logger_t *logger, bool utc);
165
166 /**
167 * @brief Loads trusted CA certificates from a default directory.
168 *
169 * Certificates in both DER and PEM format are accepted
170 *
171 * @param this calling object
172 * @param path directory to load certificates from
173 */
174 void (*load_ca_certificates) (credential_store_t *this);
175
176 /**
177 * @brief Loads CRLs from a default directory.
178 *
179 * Certificates in both DER and PEM format are accepted
180 *
181 * @param this calling object
182 * @param path directory to load crls from
183 */
184 void (*load_crls) (credential_store_t *this);
185
186 /**
187 * @brief Loads RSA private keys defined in ipsec.secrets
188 *
189 * Currently, all keys must be unencrypted in either DER or PEM format.
190 * Other formats are ignored. Further, a certificate for the specific private
191 * key must already be loaded to get the ID from.
192 *
193 * @param this calling object
194 */
195 void (*load_private_keys) (credential_store_t *this);
196
197 /**
198 * @brief Destroys a credential_store_t object.
199 *
200 * @param this calling object
201 */
202 void (*destroy) (credential_store_t *this);
203 };
204
205 /**
206 * @brief Creates a credential_store_t instance.
207 *
208 * @param strict enforce a strict crl policy
209 * @return credential store instance.
210 *
211 * @ingroup config
212 */
213 credential_store_t *credential_store_create(bool strict);
214
215
216 #endif /*CREDENTIAL_STORE_H_*/