Added support for msSmartcardLogon EKU
[strongswan.git] / src / libstrongswan / credentials / certificates / x509.h
1 /*
2 * Copyright (C) 2007-2008 Martin Willi
3 * Hochschule fuer Technik Rapperswil
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 /**
17 * @defgroup x509 x509
18 * @{ @ingroup certificates
19 */
20
21 #ifndef X509_H_
22 #define X509_H_
23
24 #include <collections/enumerator.h>
25 #include <credentials/certificates/certificate.h>
26
27 /* constraints are currently restricted to the range 0..127 */
28 #define X509_NO_CONSTRAINT 255
29
30 typedef struct x509_t x509_t;
31 typedef struct x509_cert_policy_t x509_cert_policy_t;
32 typedef struct x509_policy_mapping_t x509_policy_mapping_t;
33 typedef struct x509_cdp_t x509_cdp_t;
34 typedef enum x509_flag_t x509_flag_t;
35 typedef enum x509_constraint_t x509_constraint_t;
36
37 /**
38 * X.509 certificate flags.
39 */
40 enum x509_flag_t {
41 /** cert has no constraints */
42 X509_NONE = 0,
43 /** cert has CA constraint */
44 X509_CA = (1<<0),
45 /** cert has AA constraint */
46 X509_AA = (1<<1),
47 /** cert has OCSP signer constraint */
48 X509_OCSP_SIGNER = (1<<2),
49 /** cert has serverAuth key usage */
50 X509_SERVER_AUTH = (1<<3),
51 /** cert has clientAuth key usage */
52 X509_CLIENT_AUTH = (1<<4),
53 /** cert is self-signed */
54 X509_SELF_SIGNED = (1<<5),
55 /** cert has an ipAddrBlocks extension */
56 X509_IP_ADDR_BLOCKS = (1<<6),
57 /** cert has CRL sign key usage */
58 X509_CRL_SIGN = (1<<7),
59 /** cert has iKEIntermediate key usage */
60 X509_IKE_INTERMEDIATE = (1<<8),
61 /** cert has Microsoft Smartcard Logon usage */
62 X509_MS_SMARTCARD_LOGON = (1<<9),
63 };
64
65 /**
66 * Different numerical X.509 constraints.
67 */
68 enum x509_constraint_t {
69 /** pathLenConstraint basicConstraints */
70 X509_PATH_LEN,
71 /** inhibitPolicyMapping policyConstraint */
72 X509_INHIBIT_POLICY_MAPPING,
73 /** requireExplicitPolicy policyConstraint */
74 X509_REQUIRE_EXPLICIT_POLICY,
75 /** inhibitAnyPolicy constraint */
76 X509_INHIBIT_ANY_POLICY,
77 };
78
79 /**
80 * X.509 certPolicy extension.
81 */
82 struct x509_cert_policy_t {
83 /** Certification Practice Statement URI qualifier */
84 char *cps_uri;
85 /** UserNotice Text qualifier */
86 char *unotice_text;
87 /** OID of certPolicy */
88 chunk_t oid;
89 };
90
91 /**
92 * X.509 policyMapping extension
93 */
94 struct x509_policy_mapping_t {
95 /** OID of issuerDomainPolicy */
96 chunk_t issuer;
97 /** OID of subjectDomainPolicy */
98 chunk_t subject;
99 };
100
101 /**
102 * X.509 CRL distributionPoint
103 */
104 struct x509_cdp_t {
105 /** CDP URI, as string */
106 char *uri;
107 /** CRL issuer */
108 identification_t *issuer;
109 };
110
111 /**
112 * X.509 certificate interface.
113 *
114 * This interface adds additional methods to the certificate_t type to
115 * allow further operations on these certificates.
116 */
117 struct x509_t {
118
119 /**
120 * Implements certificate_t.
121 */
122 certificate_t interface;
123
124 /**
125 * Get the flags set for this certificate.
126 *
127 * @return set of flags
128 */
129 x509_flag_t (*get_flags)(x509_t *this);
130
131 /**
132 * Get the certificate serial number.
133 *
134 * @return chunk pointing to internal serial number
135 */
136 chunk_t (*get_serial)(x509_t *this);
137
138 /**
139 * Get the the subjectKeyIdentifier.
140 *
141 * @return subjectKeyIdentifier as chunk_t, internal data
142 */
143 chunk_t (*get_subjectKeyIdentifier)(x509_t *this);
144
145 /**
146 * Get the the authorityKeyIdentifier.
147 *
148 * @return authKeyIdentifier as chunk_t, internal data
149 */
150 chunk_t (*get_authKeyIdentifier)(x509_t *this);
151
152 /**
153 * Get a numerical X.509 constraint.
154 *
155 * @param type type of constraint to get
156 * @return constraint, X509_NO_CONSTRAINT if none found
157 */
158 u_int (*get_constraint)(x509_t *this, x509_constraint_t type);
159
160 /**
161 * Create an enumerator over all subjectAltNames.
162 *
163 * @return enumerator over subjectAltNames as identification_t*
164 */
165 enumerator_t* (*create_subjectAltName_enumerator)(x509_t *this);
166
167 /**
168 * Create an enumerator over all CRL URIs and CRL Issuers.
169 *
170 * @return enumerator over x509_cdp_t
171 */
172 enumerator_t* (*create_crl_uri_enumerator)(x509_t *this);
173
174 /**
175 * Create an enumerator over all OCSP URIs.
176 *
177 * @return enumerator over URIs as char*
178 */
179 enumerator_t* (*create_ocsp_uri_enumerator)(x509_t *this);
180
181 /**
182 * Create an enumerator over all ipAddrBlocks.
183 *
184 * @return enumerator over ipAddrBlocks as traffic_selector_t*
185 */
186 enumerator_t* (*create_ipAddrBlock_enumerator)(x509_t *this);
187
188 /**
189 * Create an enumerator over name constraints.
190 *
191 * @param perm TRUE for permitted, FALSE for excluded subtrees
192 * @return enumerator over subtrees as identification_t
193 */
194 enumerator_t* (*create_name_constraint_enumerator)(x509_t *this, bool perm);
195
196 /**
197 * Create an enumerator over certificate policies.
198 *
199 * @return enumerator over x509_cert_policy_t
200 */
201 enumerator_t* (*create_cert_policy_enumerator)(x509_t *this);
202
203 /**
204 * Create an enumerator over policy mappings.
205 *
206 * @return enumerator over x509_policy_mapping
207 */
208 enumerator_t* (*create_policy_mapping_enumerator)(x509_t *this);
209
210
211 };
212
213 #endif /** X509_H_ @}*/