replaced get_rsa_private_key() by rsa_signature() in order restrict the distribution...
[strongswan.git] / src / libstrongswan / credential_store.h
1 /**
2 * @file credential_store.h
3 *
4 * @brief Interface credential_store_t.
5 *
6 */
7
8 /*
9 * Copyright (C) 2005-2006 Martin Willi
10 * Copyright (C) 2005 Jan Hutter
11 * Hochschule fuer Technik Rapperswil
12 *
13 * This program is free software; you can redistribute it and/or modify it
14 * under the terms of the GNU General Public License as published by the
15 * Free Software Foundation; either version 2 of the License, or (at your
16 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
17 *
18 * This program is distributed in the hope that it will be useful, but
19 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
20 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
21 * for more details.
22 */
23
24 #ifndef CREDENTIAL_STORE_H_
25 #define CREDENTIAL_STORE_H_
26
27 typedef struct credential_store_t credential_store_t;
28
29 #include <library.h>
30 #include <crypto/x509.h>
31 #include <crypto/ca.h>
32 #include <crypto/rsa/rsa_private_key.h>
33 #include <crypto/rsa/rsa_public_key.h>
34 #include <utils/identification.h>
35
36
37 /**
38 * @brief The interface for a credential_store backend.
39 *
40 * @b Constructors:
41 * - stroke_create()
42 *
43 * @ingroup config
44 */
45 struct credential_store_t {
46
47 /**
48 * @brief Returns the secret shared by two specific IDs.
49 *
50 * The returned chunk must be destroyed by the caller after usage.
51 *
52 * @param this calling object
53 * @param my_id my ID identifiying the secret.
54 * @param other_id peer ID identifying the secret.
55 * @param[out] secret the pre-shared secret will be written there.
56 * @return
57 * - NOT_FOUND if no preshared secrets for specific ID could be found
58 * - SUCCESS
59 *
60 */
61 status_t (*get_shared_key) (credential_store_t *this, identification_t *my_id,
62 identification_t *other_id, chunk_t *shared_key);
63
64 /**
65 * @brief Returns the EAP secret for two specified IDs.
66 *
67 * The returned chunk must be destroyed by the caller after usage.
68 *
69 * @param this calling object
70 * @param my_id my ID identifiying the secret.
71 * @param other_id peer ID identifying the secret.
72 * @param[out] eap_key the EAP secret will be written here
73 * @return
74 * - NOT_FOUND if no preshared secrets for specific ID could be found
75 * - SUCCESS
76 *
77 */
78 status_t (*get_eap_key) (credential_store_t *this, identification_t *my_id,
79 identification_t *other_id, chunk_t *eap_key);
80
81 /**
82 * @brief Returns the RSA public key of a specific ID.
83 *
84 * @param this calling object
85 * @param id identification_t object identifiying the key.
86 * @return public key, or NULL if not found
87 */
88 rsa_public_key_t* (*get_rsa_public_key) (credential_store_t *this, identification_t *id);
89
90 /**
91 * @brief Is there a matching RSA private key belonging to an RSA public key?
92 *
93 * @param this calling object
94 * @param pubkey public key
95 * @return TRUE if matching private key was found
96 */
97 bool (*has_rsa_private_key) (credential_store_t *this, rsa_public_key_t *pubkey);
98
99 /**
100 * @brief Returns the certificate of a specific ID.
101 *
102 * @param this calling object
103 * @param id identification_t object identifiying the cert.
104 * @return certificate, or NULL if not found
105 */
106 x509_t* (*get_certificate) (credential_store_t *this, identification_t *id);
107
108 /**
109 * @brief Returns the auth certificate of a specific subject distinguished name.
110 *
111 * @param this calling object
112 * @param auth_flags set of allowed authority types
113 * @param id identification_t object identifiying the cacert.
114 * @return certificate, or NULL if not found
115 */
116 x509_t* (*get_auth_certificate) (credential_store_t *this, u_int auth_flags, identification_t *id);
117
118 /**
119 * @brief Returns the ca certificate of a specific keyID.
120 *
121 * @param this calling object
122 * @param keyid identification_t object identifiying the cacert.
123 * @return certificate, or NULL if not found
124 */
125 x509_t* (*get_ca_certificate_by_keyid) (credential_store_t *this, chunk_t keyid);
126
127 /**
128 * @brief Returns the issuing ca of a given certificate.
129 *
130 * @param this calling object
131 * @param cert certificate for which issuer ca info is required
132 * @return ca info, or NULL if not found
133 */
134 ca_info_t* (*get_issuer) (credential_store_t *this, x509_t* cert);
135
136 /**
137 * @brief RSA private key belonging to an RSA public key
138 *
139 *
140 * @param this calling object
141 * @param pubkey public key used to find the matching private key
142 * @param hash_algorithm hash algorithm to be used for signature
143 * @param data data block to be signed
144 * @param signature signature to be returned
145 * @return status of the signature process - SUCCESS if successful
146 */
147 status_t (*rsa_signature) (credential_store_t *this, rsa_public_key_t *pubkey, hash_algorithm_t hash_algorithm,
148 chunk_t data, chunk_t *signature);
149
150 /**
151 * @brief Verify an RSA signature given the ID of the signer
152 *
153 * @param this calling object
154 * @param hash hash value to be verified.
155 * @param sig signature to be verified.
156 * @param id identification_t object identifiying the signer.
157 * @param issuer_p issuer of the signer's certificate (if not self-signed).
158 * @return status of the verification - SUCCESS if successful
159 */
160 status_t (*verify_signature) (credential_store_t *this, chunk_t hash, chunk_t sig, identification_t *id,
161 ca_info_t **issuer_p);
162
163 /**
164 * @brief Verify an X.509 certificate up to trust anchor without any status checks
165 *
166 * @param this calling object
167 * @param label label characterizing the certificate to be verified
168 * @param cert certificate to be verified
169 * @return TRUE if trusted
170 */
171 bool (*is_trusted) (credential_store_t *this, const char *label, x509_t *cert);
172
173 /**
174 * @brief Verify an X.509 certificate up to trust anchor including status checks
175 *
176 * @param this calling object
177 * @param cert certificate to be verified
178 * @param found found a certificate copy in the credential store
179 * @return TRUE if valid, trusted, and current status is good
180 */
181 bool (*verify) (credential_store_t *this, x509_t *cert, bool *found);
182
183 /**
184 * @brief If an end certificate does not already exists in the credential store then add it.
185 *
186 * @param this calling object
187 * @param cert certificate to be added
188 * @return pointer to the added or already existing certificate
189 */
190 x509_t* (*add_end_certificate) (credential_store_t *this, x509_t *cert);
191
192 /**
193 * @brief If an authority certificate does not already exists in the credential store then add it.
194 *
195 * @param this calling object
196 * @param cert authority certificate to be added
197 * @param auth_flag authority flags to add to the certificate
198 * @return pointer to the added or already existing certificate
199 */
200 x509_t* (*add_auth_certificate) (credential_store_t *this, x509_t *cert, u_int auth_flag);
201
202 /**
203 * @brief If a ca info record does not already exists in the credential store then add it.
204 *
205 * @param this calling object
206 * @param ca_info ca info record to be added
207 * @return pointer to the added or already existing ca_info_t record
208 */
209 ca_info_t* (*add_ca_info) (credential_store_t *this, ca_info_t *ca_info);
210
211 /**
212 * @brief Release a ca info record with a given name.
213 *
214 * @param this calling object
215 * @param name name of the ca info record to be released
216 * @return
217 * - SUCCESS, or
218 * - NOT_FOUND
219 */
220 status_t (*release_ca_info) (credential_store_t *this, const char *name);
221
222 /**
223 * @brief Create an iterator over all end certificates.
224 *
225 * @param this calling object
226 * @return iterator
227 */
228 iterator_t* (*create_cert_iterator) (credential_store_t *this);
229
230 /**
231 * @brief Create an iterator over all authority certificates.
232 *
233 * @param this calling object
234 * @return iterator
235 */
236 iterator_t* (*create_auth_cert_iterator) (credential_store_t *this);
237
238 /**
239 * @brief Create an iterator over all CA info records
240 *
241 * @param this calling object
242 * @return iterator
243 */
244 iterator_t* (*create_cainfo_iterator) (credential_store_t *this);
245
246 /**
247 * @brief Create an iterator over all attribute certificates.
248 *
249 * @param this calling object
250 * @return iterator
251 */
252 iterator_t* (*create_acert_iterator) (credential_store_t *this);
253
254 /**
255 * @brief Loads ca certificates from a default directory.
256 *
257 * Certificates in both DER and PEM format are accepted
258 *
259 * @param this calling object
260 */
261 void (*load_ca_certificates) (credential_store_t *this);
262
263 /**
264 * @brief Loads authorization authority certificates from a default directory.
265 *
266 * Certificates in both DER and PEM format are accepted
267 *
268 * @param this calling object
269 */
270 void (*load_aa_certificates) (credential_store_t *this);
271
272 /**
273 * @brief Loads attribute certificates from a default directory.
274 *
275 * Certificates in both DER and PEM format are accepted
276 *
277 * @param this calling object
278 */
279 void (*load_attr_certificates) (credential_store_t *this);
280
281 /**
282 * @brief Loads ocsp certificates from a default directory.
283 *
284 * Certificates in both DER and PEM format are accepted
285 *
286 * @param this calling object
287 */
288 void (*load_ocsp_certificates) (credential_store_t *this);
289
290 /**
291 * @brief Loads CRLs from a default directory.
292 *
293 * Certificates in both DER and PEM format are accepted
294 *
295 * @param this calling object
296 * @param path directory to load crls from
297 */
298 void (*load_crls) (credential_store_t *this);
299
300 /**
301 * @brief Loads secrets in ipsec.secrets
302 *
303 * RSA private key files can be either in DER or PEM format
304 * Optional encryption with a passphrase supported
305 *
306 * @param this calling object
307 * @param reload are the secrets to be reloaded
308 */
309 void (*load_secrets) (credential_store_t *this, bool reload);
310
311 /**
312 * @brief Destroys a credential_store_t object.
313 *
314 * @param this calling object
315 */
316 void (*destroy) (credential_store_t *this);
317 };
318
319 /**
320 * @brief Creates a credential_store_t instance.
321 *
322 * @param strict enforce a strict crl policy
323 * @return credential store instance.
324 *
325 * @ingroup config
326 */
327 credential_store_t *credential_store_create(bool strict);
328
329
330 #endif /*CREDENTIAL_STORE_H_*/