src/libstrongswan/credentials/certificates/x509.h

   1 /*
   2  * Copyright (C) 2007-2008 Martin Willi
   3  * Hochschule fuer Technik Rapperswil
   4  *
   5  * This program is free software; you can redistribute it and/or modify it
   6  * under the terms of the GNU General Public License as published by the
   7  * Free Software Foundation; either version 2 of the License, or (at your
   8  * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
   9  *
  10  * This program is distributed in the hope that it will be useful, but
  11  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  12  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  13  * for more details.
  14  */
  15
  16 /**
  17  * @defgroup x509 x509
  18  * @{ @ingroup certificates
  19  */
  20
  21 #ifndef X509_H_
  22 #define X509_H_
  23
  24 #include <collections/enumerator.h>
  25 #include <credentials/certificates/certificate.h>
  26
  27 /* constraints are currently restricted to the range 0..127 */
  28 #define X509_NO_CONSTRAINT      255
  29
  30 typedef struct x509_t x509_t;
  31 typedef struct x509_cert_policy_t x509_cert_policy_t;
  32 typedef struct x509_policy_mapping_t x509_policy_mapping_t;
  33 typedef struct x509_cdp_t x509_cdp_t;
  34 typedef enum x509_flag_t x509_flag_t;
  35 typedef enum x509_constraint_t x509_constraint_t;
  36
  37 /**
  38  * X.509 certificate flags.
  39  */
  40 enum x509_flag_t {
  41         /** cert has no constraints */
  42         X509_NONE =                    0,
  43         /** cert has CA constraint */
  44         X509_CA =                 (1<<0),
  45         /** cert has AA constraint */
  46         X509_AA =                 (1<<1),
  47         /** cert has OCSP signer constraint */
  48         X509_OCSP_SIGNER =        (1<<2),
  49         /** cert has serverAuth key usage */
  50         X509_SERVER_AUTH =        (1<<3),
  51         /** cert has clientAuth key usage */
  52         X509_CLIENT_AUTH =        (1<<4),
  53         /** cert is self-signed */
  54         X509_SELF_SIGNED =        (1<<5),
  55         /** cert has an ipAddrBlocks extension */
  56         X509_IP_ADDR_BLOCKS =     (1<<6),
  57         /** cert has CRL sign key usage */
  58         X509_CRL_SIGN =           (1<<7),
  59         /** cert has iKEIntermediate key usage */
  60         X509_IKE_INTERMEDIATE =   (1<<8),
  61         /** cert has Microsoft Smartcard Logon usage */
  62         X509_MS_SMARTCARD_LOGON = (1<<9),
  63 };
  64
  65 /**
  66  * Different numerical X.509 constraints.
  67  */
  68 enum x509_constraint_t {
  69         /** pathLenConstraint basicConstraints */
  70         X509_PATH_LEN,
  71         /** inhibitPolicyMapping policyConstraint */
  72         X509_INHIBIT_POLICY_MAPPING,
  73         /** requireExplicitPolicy policyConstraint */
  74         X509_REQUIRE_EXPLICIT_POLICY,
  75         /** inhibitAnyPolicy constraint */
  76         X509_INHIBIT_ANY_POLICY,
  77 };
  78
  79 /**
  80  * X.509 certPolicy extension.
  81  */
  82 struct x509_cert_policy_t {
  83         /** Certification Practice Statement URI qualifier */
  84         char *cps_uri;
  85         /** UserNotice Text qualifier */
  86         char *unotice_text;
  87         /** OID of certPolicy */
  88         chunk_t oid;
  89 };
  90
  91 /**
  92  * X.509 policyMapping extension
  93  */
  94 struct x509_policy_mapping_t {
  95         /** OID of issuerDomainPolicy */
  96         chunk_t issuer;
  97         /** OID of subjectDomainPolicy */
  98         chunk_t subject;
  99 };
 100
 101 /**
 102  * X.509 CRL distributionPoint
 103  */
 104 struct x509_cdp_t {
 105         /** CDP URI, as string */
 106         char *uri;
 107         /** CRL issuer */
 108         identification_t *issuer;
 109 };
 110
 111 /**
 112  * X.509 certificate interface.
 113  *
 114  * This interface adds additional methods to the certificate_t type to
 115  * allow further operations on these certificates.
 116  */
 117 struct x509_t {
 118
 119         /**
 120          * Implements certificate_t.
 121          */
 122         certificate_t interface;
 123
 124         /**
 125          * Get the flags set for this certificate.
 126          *
 127          * @return                      set of flags
 128          */
 129         x509_flag_t (*get_flags)(x509_t *this);
 130
 131         /**
 132          * Get the certificate serial number.
 133          *
 134          * @return                      chunk pointing to internal serial number
 135          */
 136         chunk_t (*get_serial)(x509_t *this);
 137
 138         /**
 139          * Get the the subjectKeyIdentifier.
 140          *
 141          * @return                      subjectKeyIdentifier as chunk_t, internal data
 142          */
 143         chunk_t (*get_subjectKeyIdentifier)(x509_t *this);
 144
 145         /**
 146          * Get the the authorityKeyIdentifier.
 147          *
 148          * @return                      authKeyIdentifier as chunk_t, internal data
 149          */
 150         chunk_t (*get_authKeyIdentifier)(x509_t *this);
 151
 152         /**
 153          * Get a numerical X.509 constraint.
 154          *
 155          * @param type          type of constraint to get
 156          * @return                      constraint, X509_NO_CONSTRAINT if none found
 157          */
 158         u_int (*get_constraint)(x509_t *this, x509_constraint_t type);
 159
 160         /**
 161          * Create an enumerator over all subjectAltNames.
 162          *
 163          * @return                      enumerator over subjectAltNames as identification_t*
 164          */
 165         enumerator_t* (*create_subjectAltName_enumerator)(x509_t *this);
 166
 167         /**
 168          * Create an enumerator over all CRL URIs and CRL Issuers.
 169          *
 170          * @return                      enumerator over x509_cdp_t
 171          */
 172         enumerator_t* (*create_crl_uri_enumerator)(x509_t *this);
 173
 174         /**
 175          * Create an enumerator over all OCSP URIs.
 176          *
 177          * @return                      enumerator over URIs as char*
 178          */
 179         enumerator_t* (*create_ocsp_uri_enumerator)(x509_t *this);
 180
 181         /**
 182          * Create an enumerator over all ipAddrBlocks.
 183          *
 184          * @return                      enumerator over ipAddrBlocks as traffic_selector_t*
 185          */
 186         enumerator_t* (*create_ipAddrBlock_enumerator)(x509_t *this);
 187
 188         /**
 189          * Create an enumerator over name constraints.
 190          *
 191          * @param perm          TRUE for permitted, FALSE for excluded subtrees
 192          * @return                      enumerator over subtrees as identification_t
 193          */
 194         enumerator_t* (*create_name_constraint_enumerator)(x509_t *this, bool perm);
 195
 196         /**
 197          * Create an enumerator over certificate policies.
 198          *
 199          * @return                      enumerator over x509_cert_policy_t
 200          */
 201         enumerator_t* (*create_cert_policy_enumerator)(x509_t *this);
 202
 203         /**
 204          * Create an enumerator over policy mappings.
 205          *
 206          * @return                      enumerator over x509_policy_mapping
 207          */
 208         enumerator_t* (*create_policy_mapping_enumerator)(x509_t *this);
 209
 210
 211 };
 212
 213 #endif /** X509_H_ @}*/