src/libstrongswan/credentials/certificates/certificate.h

   1 /*
   2  * Copyright (C) 2007-2008 Martin Willi
   3  * Hochschule fuer Technik Rapperswil
   4  *
   5  * This program is free software; you can redistribute it and/or modify it
   6  * under the terms of the GNU General Public License as published by the
   7  * Free Software Foundation; either version 2 of the License, or (at your
   8  * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
   9  *
  10  * This program is distributed in the hope that it will be useful, but
  11  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  12  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  13  * for more details.
  14  */
  15
  16 /**
  17  * @defgroup certificate certificate
  18  * @{ @ingroup certificates
  19  */
  20
  21 #ifndef CERTIFICATE_H_
  22 #define CERTIFICATE_H_
  23
  24 typedef struct certificate_t certificate_t;
  25 typedef enum certificate_type_t certificate_type_t;
  26 typedef enum cert_validation_t cert_validation_t;
  27
  28 #include <library.h>
  29 #include <utils/identification.h>
  30 #include <credentials/keys/public_key.h>
  31
  32 /**
  33  * Kind of a certificate_t
  34  */
  35 enum certificate_type_t {
  36         /** just any certificate */
  37         CERT_ANY,
  38         /** X.509 certificate */
  39         CERT_X509,
  40         /** X.509 certificate revocation list */
  41         CERT_X509_CRL,
  42         /** X.509 online certificate status protocol request */
  43         CERT_X509_OCSP_REQUEST,
  44         /** X.509 online certificate status protocol response */
  45         CERT_X509_OCSP_RESPONSE,
  46         /** X.509 attribute certificate */
  47         CERT_X509_AC,
  48         /** PKCS#10 certificate request */
  49         CERT_PKCS10_REQUEST,
  50         /** trusted, preinstalled public key */
  51         CERT_TRUSTED_PUBKEY,
  52         /** PGP certificate */
  53         CERT_GPG,
  54         /** Pluto cert_t (not a certificate_t), either x509 or PGP */
  55         CERT_PLUTO_CERT,
  56         /** Pluto x509acert_t (not a certificate_t), attribute certificate */
  57         CERT_PLUTO_AC,
  58         /** Pluto x509crl_t (not a certificate_t), certificate revocation list */
  59         CERT_PLUTO_CRL,
  60 };
  61
  62 /**
  63  * Enum names for certificate_type_t
  64  */
  65 extern enum_name_t *certificate_type_names;
  66
  67 /**
  68  * Result of a certificate validation.
  69  *
  70  * Order of values is relevant, sorted from good to bad.
  71  */
  72 enum cert_validation_t {
  73         /** certificate has been validated successfully */
  74         VALIDATION_GOOD = 0,
  75         /** validation has been skipped due to missing validation information */
  76         VALIDATION_SKIPPED,
  77         /** certificate has been validated, but check based on stale information */
  78         VALIDATION_STALE,
  79         /** validation failed due to a processing error */
  80         VALIDATION_FAILED,
  81         /** certificate has been revoked */
  82         VALIDATION_REVOKED,
  83 };
  84
  85 /**
  86  * Enum names for cert_validation_t
  87  */
  88 extern enum_name_t *cert_validation_names;
  89
  90 /**
  91  * An abstract certificate.
  92  *
  93  * A certificate designs a subject-issuer relationship. It may have an
  94  * associated public key.
  95  */
  96 struct certificate_t {
  97
  98         /**
  99          * Get the type of the certificate.
 100          *
 101          * @return                      certificate type
 102          */
 103         certificate_type_t (*get_type)(certificate_t *this);
 104
 105         /**
 106          * Get the primary subject to which this certificate belongs.
 107          *
 108          * @return                      subject identity
 109          */
 110         identification_t* (*get_subject)(certificate_t *this);
 111
 112         /**
 113          * Check if certificate contains a subject ID.
 114          *
 115          * A certificate may contain additional subject identifiers, which are
 116          * not returned by get_subject (e.g. subjectAltNames)
 117          *
 118          * @param subject       subject identity
 119          * @return                      matching value of best match
 120          */
 121         id_match_t (*has_subject)(certificate_t *this, identification_t *subject);
 122
 123         /**
 124          * Get the issuer which signed this certificate.
 125          *
 126          * @return                      issuer identity
 127          */
 128         identification_t* (*get_issuer)(certificate_t *this);
 129
 130         /**
 131          * Check if certificate contains an issuer ID.
 132          *
 133          * A certificate may contain additional issuer identifiers, which are
 134          * not returned by get_issuer (e.g. issuerAltNames)
 135          *
 136          * @param subject       isser identity
 137          * @return                      matching value of best match
 138          */
 139         id_match_t (*has_issuer)(certificate_t *this, identification_t *issuer);
 140
 141         /**
 142          * Check if this certificate is issued and signed by a specific issuer.
 143          *
 144          * @param issuer        issuer's certificate
 145          * @return                      TRUE if certificate issued by issuer and trusted
 146          */
 147         bool (*issued_by)(certificate_t *this, certificate_t *issuer);
 148
 149         /**
 150          * Get the public key associated to this certificate.
 151          *
 152          * @return                      newly referenced public_key, NULL if none available
 153          */
 154         public_key_t* (*get_public_key)(certificate_t *this);
 155
 156         /**
 157          * Check the lifetime of the certificate.
 158          *
 159          * @param when                  check validity at a certain time (NULL for now)
 160          * @param not_before    receives certificates start of lifetime
 161          * @param not_after             receives certificates end of lifetime
 162          * @return                              TRUE if when between not_after and not_before
 163          */
 164         bool (*get_validity)(certificate_t *this, time_t *when,
 165                                                  time_t *not_before, time_t *not_after);
 166
 167         /**
 168          * Is this newer than that?
 169          *
 170          * @return                      TRUE if newer, FALSE otherwise
 171          */
 172         bool (*is_newer)(certificate_t *this, certificate_t *that);
 173
 174         /**
 175          * Get the certificate in an encoded form.
 176          *
 177          * @return                              allocated chunk of encoded cert
 178          */
 179         chunk_t (*get_encoding)(certificate_t *this);
 180
 181         /**
 182          * Check if two certificates are equal.
 183          *
 184          * @param other                 certificate to compair against this
 185          * @return                              TRUE if certificates are equal
 186          */
 187         bool (*equals)(certificate_t *this, certificate_t *other);
 188
 189         /**
 190          * Get a new reference to the certificate.
 191          *
 192          * @return                      this, with an increased refcount
 193          */
 194         certificate_t* (*get_ref)(certificate_t *this);
 195
 196         /**
 197          * Destroy a certificate.
 198          */
 199         void (*destroy)(certificate_t *this);
 200 };
 201
 202 #endif /** CERTIFICATE_H_ @}*/