Support TLS client authentication Extended Key Usage in x509 generation
[strongswan.git] / src / libstrongswan / credentials / certificates / x509.h
1 /*
2 * Copyright (C) 2007-2008 Martin Willi
3 * Hochschule fuer Technik Rapperswil
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 /**
17 * @defgroup x509 x509
18 * @{ @ingroup certificates
19 */
20
21 #ifndef X509_H_
22 #define X509_H_
23
24 #include <utils/enumerator.h>
25 #include <credentials/certificates/certificate.h>
26
27 #define X509_NO_PATH_LEN_CONSTRAINT -1
28 #define X509_MAX_PATH_LEN 7
29
30 typedef struct x509_t x509_t;
31 typedef enum x509_flag_t x509_flag_t;
32
33 /**
34 * X.509 certificate flags.
35 */
36 enum x509_flag_t {
37 /** cert has no constraints */
38 X509_NONE = 0,
39 /** cert has CA constraint */
40 X509_CA = (1<<0),
41 /** cert has AA constraint */
42 X509_AA = (1<<1),
43 /** cert has OCSP signer constraint */
44 X509_OCSP_SIGNER = (1<<2),
45 /** cert has serverAuth key usage */
46 X509_SERVER_AUTH = (1<<3),
47 /** cert has clientAuth key usage */
48 X509_CLIENT_AUTH = (1<<4),
49 /** cert is self-signed */
50 X509_SELF_SIGNED = (1<<5),
51 /** cert has an ipAddrBlocks extension */
52 X509_IP_ADDR_BLOCKS = (1<<6),
53 };
54
55 /**
56 * enum names for x509 flags
57 */
58 extern enum_name_t *x509_flag_names;
59
60 /**
61 * X.509 certificate interface.
62 *
63 * This interface adds additional methods to the certificate_t type to
64 * allow further operations on these certificates.
65 */
66 struct x509_t {
67
68 /**
69 * Implements certificate_t.
70 */
71 certificate_t interface;
72
73 /**
74 * Get the flags set for this certificate.
75 *
76 * @return set of flags
77 */
78 x509_flag_t (*get_flags)(x509_t *this);
79
80 /**
81 * Get the certificate serial number.
82 *
83 * @return chunk pointing to internal serial number
84 */
85 chunk_t (*get_serial)(x509_t *this);
86
87 /**
88 * Get the the subjectKeyIdentifier.
89 *
90 * @return subjectKeyIdentifier as chunk_t, internal data
91 */
92 chunk_t (*get_subjectKeyIdentifier)(x509_t *this);
93
94 /**
95 * Get the the authorityKeyIdentifier.
96 *
97 * @return authKeyIdentifier as chunk_t, internal data
98 */
99 chunk_t (*get_authKeyIdentifier)(x509_t *this);
100
101 /**
102 * Get an optional path length constraint.
103 *
104 * @return pathLenConstraint, -1 if no constraint exists
105 */
106 int (*get_pathLenConstraint)(x509_t *this);
107
108 /**
109 * Create an enumerator over all subjectAltNames.
110 *
111 * @return enumerator over subjectAltNames as identification_t*
112 */
113 enumerator_t* (*create_subjectAltName_enumerator)(x509_t *this);
114
115 /**
116 * Create an enumerator over all CRL URIs.
117 *
118 * @return enumerator over URIs as char*
119 */
120 enumerator_t* (*create_crl_uri_enumerator)(x509_t *this);
121
122 /**
123 * Create an enumerator over all OCSP URIs.
124 *
125 * @return enumerator over URIs as char*
126 */
127 enumerator_t* (*create_ocsp_uri_enumerator)(x509_t *this);
128
129 /**
130 * Create an enumerator over all ipAddrBlocks.
131 *
132 * @return enumerator over ipAddrBlocks as traffic_selector_t*
133 */
134 enumerator_t* (*create_ipAddrBlock_enumerator)(x509_t *this);
135 };
136
137 #endif /** X509_H_ @}*/