testing: Start charon before Apache in tnc/tnccs-20-pdp-pt-tls
[strongswan.git] / src / libstrongswan / credentials / credential_manager.h
1 /*
2 * Copyright (C) 2015 Tobias Brunner
3 * Copyright (C) 2007-2009 Martin Willi
4 * Hochschule fuer Technik Rapperswil
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details.
15 */
16
17 /**
18 * @defgroup credential_manager credential_manager
19 * @{ @ingroup credentials
20 */
21
22 #ifndef CREDENTIAL_MANAGER_H_
23 #define CREDENTIAL_MANAGER_H_
24
25 typedef struct credential_manager_t credential_manager_t;
26 typedef enum credential_hook_type_t credential_hook_type_t;
27
28 #include <utils/identification.h>
29 #include <collections/enumerator.h>
30 #include <credentials/auth_cfg.h>
31 #include <credentials/credential_set.h>
32 #include <credentials/keys/private_key.h>
33 #include <credentials/keys/shared_key.h>
34 #include <credentials/certificates/certificate.h>
35 #include <credentials/cert_validator.h>
36
37 /**
38 * Type of a credential hook error/event.
39 */
40 enum credential_hook_type_t {
41 /** The certificate has expired (or is not yet valid) */
42 CRED_HOOK_EXPIRED,
43 /** The certificate has been revoked */
44 CRED_HOOK_REVOKED,
45 /** Checking certificate revocation failed. This does not necessarily mean
46 * the certificate is rejected, just that revocation checking failed. */
47 CRED_HOOK_VALIDATION_FAILED,
48 /** No trusted issuer certificate has been found for this certificate */
49 CRED_HOOK_NO_ISSUER,
50 /** Encountered a self-signed (root) certificate, but it is not trusted */
51 CRED_HOOK_UNTRUSTED_ROOT,
52 /** Maximum trust chain length exceeded for certificate */
53 CRED_HOOK_EXCEEDED_PATH_LEN,
54 /** The certificate violates some other kind of policy and gets rejected */
55 CRED_HOOK_POLICY_VIOLATION,
56 };
57
58 /**
59 * Hook function to invoke on certificate validation errors.
60 *
61 * @param data user data supplied during hook registration
62 * @param type type of validation error/event
63 * @param cert associated certificate
64 */
65 typedef void (*credential_hook_t)(void *data, credential_hook_type_t type,
66 certificate_t *cert);
67
68 /**
69 * Manages credentials using credential_sets.
70 *
71 * The credential manager is the entry point of the credential framework. It
72 * uses so called "sets" to access credentials in a modular fashion. These
73 * are implemented through the credential_set_t interface.
74 * The manager additionally does trust chain verification and trust status
75 * caching. A set may call the managers methods if it needs credentials itself.
76 * The manager uses recursive locking.
77 *
78 * @verbatim
79
80 +-------+ +----------------+
81 | A | | | +------------------+
82 | u | -----> | | ------> | +------------------+
83 | t | | credential- | | | +------------------+
84 | h | -----> | manager | ------> +--| | credential- | => IPC
85 | e | | | +--| sets |
86 | n | +--> | | ------> +------------------+
87 | t | | | | |
88 | i | | | | |
89 | c | | +----------------+ |
90 | a | | |
91 | t | +----------------------------------------------+
92 | o | may be recursive
93 | r |
94 +-------+
95
96 @endverbatim
97 *
98 * The credential manager uses rwlocks for performance reasons. Credential
99 * sets must be fully thread-safe.
100 */
101 struct credential_manager_t {
102
103 /**
104 * Create an enumerator over all certificates.
105 *
106 * @param cert kind of certificate
107 * @param key kind of key in certificate
108 * @param id subject this certificate belongs to
109 * @param trusted TRUE to list trusted certificates only
110 * @return enumerator over the certificates
111 */
112 enumerator_t *(*create_cert_enumerator)(credential_manager_t *this,
113 certificate_type_t cert, key_type_t key,
114 identification_t *id, bool trusted);
115 /**
116 * Create an enumerator over all shared keys.
117 *
118 * The enumerator enumerates over:
119 * shared_key_t*, id_match_t me, id_match_t other
120 * But must accept values for the id_matches.
121 *
122 * @param type kind of requested shared key
123 * @param first first subject between key is shared
124 * @param second second subject between key is shared
125 * @return enumerator over (shared_key_t*,id_match_t,id_match_t)
126 */
127 enumerator_t *(*create_shared_enumerator)(credential_manager_t *this,
128 shared_key_type_t type,
129 identification_t *first, identification_t *second);
130 /**
131 * Create an enumerator over all Certificate Distribution Points.
132 *
133 * @param type kind of certificate the point distributes
134 * @param id identification of the distributed certificate
135 * @return enumerator of CDPs as char*
136 */
137 enumerator_t *(*create_cdp_enumerator)(credential_manager_t *this,
138 certificate_type_t type, identification_t *id);
139 /**
140 * Get a trusted or untrusted certificate.
141 *
142 * @param cert kind of certificate
143 * @param key kind of key in certificate
144 * @param id subject this certificate belongs to
145 * @param trusted TRUE to get a trusted certificate only
146 * @return certificate, if found, NULL otherwise
147 */
148 certificate_t *(*get_cert)(credential_manager_t *this,
149 certificate_type_t cert, key_type_t key,
150 identification_t *id, bool trusted);
151 /**
152 * Get the best matching shared key for two IDs.
153 *
154 * @param type kind of requested shared key
155 * @param me own identity
156 * @param other peer identity
157 * @return shared_key_t, NULL if none found
158 */
159 shared_key_t *(*get_shared)(credential_manager_t *this, shared_key_type_t type,
160 identification_t *me, identification_t *other);
161 /**
162 * Get a private key to create a signature.
163 *
164 * The get_private() method gets a secret private key identified by either
165 * the keyid itself or an id the key belongs to.
166 * The auth parameter contains additional information, such as recipients
167 * trusted CA certs. Auth gets filled with subject and CA certificates
168 * needed to validate a created signature.
169 *
170 * @param type type of the key to get
171 * @param id identification the key belongs to
172 * @param auth auth config, including trusted CA certificates
173 * @return private_key_t, NULL if none found
174 */
175 private_key_t* (*get_private)(credential_manager_t *this, key_type_t type,
176 identification_t *id, auth_cfg_t *auth);
177
178 /**
179 * Create an enumerator over trusted certificates.
180 *
181 * This method creates an enumerator over trusted certificates. The auth
182 * parameter (if given) receives the trustchain used to validate
183 * the certificate. The resulting enumerator enumerates over
184 * certificate_t*, auth_cfg_t*.
185 * If online is set, revocations are checked online for the whole
186 * trustchain.
187 *
188 * @param type type of the key we want a certificate for
189 * @param id subject of the certificate
190 * @param online whether revocations should be checked online
191 * @return enumerator
192 */
193 enumerator_t* (*create_trusted_enumerator)(credential_manager_t *this,
194 key_type_t type, identification_t *id, bool online);
195
196 /**
197 * Create an enumerator over trusted public keys.
198 *
199 * This method creates an enumerator over trusted public keys to verify a
200 * signature created by id. The auth parameter contains additional
201 * authentication infos, e.g. peer and intermediate certificates.
202 * The resulting enumerator enumerates over public_key_t *, auth_cfg_t *,
203 * where the auth config helper contains rules for constraint checks.
204 * This function is very similar to create_trusted_enumerator(), but
205 * gets public keys directly.
206 * If online is set, revocations are checked online for the whole
207 * trustchain.
208 *
209 * @param type type of the key to get
210 * @param id owner of the key, signer of the signature
211 * @param auth authentication infos
212 * @param online whether revocations should be checked online
213 * @return enumerator
214 */
215 enumerator_t* (*create_public_enumerator)(credential_manager_t *this,
216 key_type_t type, identification_t *id, auth_cfg_t *auth,
217 bool online);
218
219 /**
220 * Cache a certificate by invoking cache_cert() on all registered sets.
221 *
222 * @param cert certificate to cache
223 */
224 void (*cache_cert)(credential_manager_t *this, certificate_t *cert);
225
226 /**
227 * Flush the certificate cache.
228 *
229 * Only the managers local cache is flushed, but not the sets cache filled
230 * by the cache_cert() method.
231 *
232 * @param type type of certificate to flush, or CERT_ANY
233 */
234 void (*flush_cache)(credential_manager_t *this, certificate_type_t type);
235
236 /**
237 * Check if a given subject certificate is issued by an issuer certificate.
238 *
239 * This operation does signature verification using the credential
240 * manager's cache to speed up the operation.
241 *
242 * @param subject subject certificate to check
243 * @param issuer issuer certificate that potentially has signed subject
244 * @param scheme receives used signature scheme, if given
245 * @return TRUE if issuer signed subject
246 */
247 bool (*issued_by)(credential_manager_t *this,
248 certificate_t *subject, certificate_t *issuer,
249 signature_scheme_t *scheme);
250
251 /**
252 * Register a credential set to the manager.
253 *
254 * @param set set to register
255 */
256 void (*add_set)(credential_manager_t *this, credential_set_t *set);
257
258 /**
259 * Unregister a credential set from the manager.
260 *
261 * @param set set to unregister
262 */
263 void (*remove_set)(credential_manager_t *this, credential_set_t *set);
264
265 /**
266 * Register a thread local credential set to the manager.
267 *
268 * To add a credential set for the current trustchain verification
269 * operation, sets may be added for the calling thread only. This
270 * does not require a write lock and is therefore a much cheaper
271 * operation.
272 * The exclusive option allows to disable all other credential sets
273 * until the set is deregistered.
274 *
275 * @param set set to register
276 * @param exclusive TRUE to disable all other sets for this thread
277 */
278 void (*add_local_set)(credential_manager_t *this, credential_set_t *set,
279 bool exclusive);
280
281 /**
282 * Unregister a thread local credential set from the manager.
283 *
284 * @param set set to unregister
285 */
286 void (*remove_local_set)(credential_manager_t *this, credential_set_t *set);
287
288 /**
289 * Register a certificate validator to the manager.
290 *
291 * @param vdtr validator to register
292 */
293 void (*add_validator)(credential_manager_t *this, cert_validator_t *vdtr);
294
295 /**
296 * Remove a certificate validator from the manager.
297 *
298 * @param vdtr validator to unregister
299 */
300 void (*remove_validator)(credential_manager_t *this, cert_validator_t *vdtr);
301
302 /**
303 * Set a hook to call on certain credential validation errors.
304 *
305 * @param hook hook to register, NULL to unregister
306 * @param data data to pass to hook
307 */
308 void (*set_hook)(credential_manager_t *this, credential_hook_t hook,
309 void *data);
310
311 /**
312 * Call the registered credential hook, if any.
313 *
314 * While hooks are usually called by the credential manager itself, some
315 * validator plugins might raise hooks as well if they consider certificates
316 * invalid.
317 *
318 * @param type type of the event
319 * @param cert associated certificate
320 */
321 void (*call_hook)(credential_manager_t *this, credential_hook_type_t type,
322 certificate_t *cert);
323
324 /**
325 * Destroy a credential_manager instance.
326 */
327 void (*destroy)(credential_manager_t *this);
328 };
329
330 /**
331 * Create a credential_manager instance.
332 */
333 credential_manager_t *credential_manager_create();
334
335 #endif /** CREDENTIAL_MANAGER_H_ @}*/