Added support for inhibitAnyPolicy constraint to x509 plugin
[strongswan.git] / src / libstrongswan / credentials / certificates / x509.h
1 /*
2 * Copyright (C) 2007-2008 Martin Willi
3 * Hochschule fuer Technik Rapperswil
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 /**
17 * @defgroup x509 x509
18 * @{ @ingroup certificates
19 */
20
21 #ifndef X509_H_
22 #define X509_H_
23
24 #include <utils/enumerator.h>
25 #include <credentials/certificates/certificate.h>
26
27 #define X509_NO_CONSTRAINT -1
28
29 typedef struct x509_t x509_t;
30 typedef struct x509_cert_policy_t x509_cert_policy_t;
31 typedef struct x509_policy_mapping_t x509_policy_mapping_t;
32 typedef struct x509_cdp_t x509_cdp_t;
33 typedef enum x509_flag_t x509_flag_t;
34 typedef enum x509_constraint_t x509_constraint_t;
35
36 /**
37 * X.509 certificate flags.
38 */
39 enum x509_flag_t {
40 /** cert has no constraints */
41 X509_NONE = 0,
42 /** cert has CA constraint */
43 X509_CA = (1<<0),
44 /** cert has AA constraint */
45 X509_AA = (1<<1),
46 /** cert has OCSP signer constraint */
47 X509_OCSP_SIGNER = (1<<2),
48 /** cert has serverAuth key usage */
49 X509_SERVER_AUTH = (1<<3),
50 /** cert has clientAuth key usage */
51 X509_CLIENT_AUTH = (1<<4),
52 /** cert is self-signed */
53 X509_SELF_SIGNED = (1<<5),
54 /** cert has an ipAddrBlocks extension */
55 X509_IP_ADDR_BLOCKS = (1<<6),
56 /** cert has CRL sign key usage */
57 X509_CRL_SIGN = (1<<7),
58 };
59
60 /**
61 * Different numerical X.509 constraints.
62 */
63 enum x509_constraint_t {
64 /** pathLenConstraint basicConstraints */
65 X509_PATH_LEN,
66 /** inhibitPolicyMapping policyConstraint */
67 X509_INHIBIT_POLICY_MAPPING,
68 /** requireExplicitPolicy policyConstraint */
69 X509_REQUIRE_EXPLICIT_POLICY,
70 /** inhibitAnyPolicy constraint */
71 X509_INHIBIT_ANY_POLICY,
72 };
73
74 /**
75 * X.509 certPolicy extension.
76 */
77 struct x509_cert_policy_t {
78 /** OID of certPolicy */
79 chunk_t oid;
80 /** Certification Practice Statement URI qualifier */
81 char *cps_uri;
82 /** UserNotice Text qualifier */
83 char *unotice_text;
84 };
85
86 /**
87 * X.509 policyMapping extension
88 */
89 struct x509_policy_mapping_t {
90 /** OID of issuerDomainPolicy */
91 chunk_t issuer;
92 /** OID of subjectDomainPolicy */
93 chunk_t subject;
94 };
95
96 /**
97 * X.509 CRL distributionPoint
98 */
99 struct x509_cdp_t {
100 /** CDP URI, as string */
101 char *uri;
102 /** CRL issuer */
103 identification_t *issuer;
104 };
105
106 /**
107 * X.509 certificate interface.
108 *
109 * This interface adds additional methods to the certificate_t type to
110 * allow further operations on these certificates.
111 */
112 struct x509_t {
113
114 /**
115 * Implements certificate_t.
116 */
117 certificate_t interface;
118
119 /**
120 * Get the flags set for this certificate.
121 *
122 * @return set of flags
123 */
124 x509_flag_t (*get_flags)(x509_t *this);
125
126 /**
127 * Get the certificate serial number.
128 *
129 * @return chunk pointing to internal serial number
130 */
131 chunk_t (*get_serial)(x509_t *this);
132
133 /**
134 * Get the the subjectKeyIdentifier.
135 *
136 * @return subjectKeyIdentifier as chunk_t, internal data
137 */
138 chunk_t (*get_subjectKeyIdentifier)(x509_t *this);
139
140 /**
141 * Get the the authorityKeyIdentifier.
142 *
143 * @return authKeyIdentifier as chunk_t, internal data
144 */
145 chunk_t (*get_authKeyIdentifier)(x509_t *this);
146
147 /**
148 * Get a numerical X.509 constraint.
149 *
150 * @param type type of constraint to get
151 * @return constraint, X509_NO_CONSTRAINT if none found
152 */
153 int (*get_constraint)(x509_t *this, x509_constraint_t type);
154
155 /**
156 * Create an enumerator over all subjectAltNames.
157 *
158 * @return enumerator over subjectAltNames as identification_t*
159 */
160 enumerator_t* (*create_subjectAltName_enumerator)(x509_t *this);
161
162 /**
163 * Create an enumerator over all CRL URIs and CRL Issuers.
164 *
165 * @return enumerator over x509_cdp_t
166 */
167 enumerator_t* (*create_crl_uri_enumerator)(x509_t *this);
168
169 /**
170 * Create an enumerator over all OCSP URIs.
171 *
172 * @return enumerator over URIs as char*
173 */
174 enumerator_t* (*create_ocsp_uri_enumerator)(x509_t *this);
175
176 /**
177 * Create an enumerator over all ipAddrBlocks.
178 *
179 * @return enumerator over ipAddrBlocks as traffic_selector_t*
180 */
181 enumerator_t* (*create_ipAddrBlock_enumerator)(x509_t *this);
182
183 /**
184 * Create an enumerator over name constraints.
185 *
186 * @param perm TRUE for permitted, FALSE for excluded subtrees
187 * @return enumerator over subtrees as identification_t
188 */
189 enumerator_t* (*create_name_constraint_enumerator)(x509_t *this, bool perm);
190
191 /**
192 * Create an enumerator over certificate policies.
193 *
194 * @return enumerator over x509_cert_policy_t
195 */
196 enumerator_t* (*create_cert_policy_enumerator)(x509_t *this);
197
198 /**
199 * Create an enumerator over policy mappings.
200 *
201 * @return enumerator over x509_policy_mapping
202 */
203 enumerator_t* (*create_policy_mapping_enumerator)(x509_t *this);
204
205
206 };
207
208 #endif /** X509_H_ @}*/