Moved credential manager to libstrongswan
[strongswan.git] / src / libstrongswan / credentials / credential_manager.h
1 /*
2 * Copyright (C) 2007-2009 Martin Willi
3 * Hochschule fuer Technik Rapperswil
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 /**
17 * @defgroup credential_manager credential_manager
18 * @{ @ingroup credentials
19 */
20
21 #ifndef CREDENTIAL_MANAGER_H_
22 #define CREDENTIAL_MANAGER_H_
23
24 typedef struct credential_manager_t credential_manager_t;
25
26 #include <utils/identification.h>
27 #include <utils/enumerator.h>
28 #include <credentials/auth_cfg.h>
29 #include <credentials/credential_set.h>
30 #include <credentials/keys/private_key.h>
31 #include <credentials/keys/shared_key.h>
32 #include <credentials/certificates/certificate.h>
33
34 /**
35 * Manages credentials using credential_sets.
36 *
37 * The credential manager is the entry point of the credential framework. It
38 * uses so called "sets" to access credentials in a modular fashion, these
39 * are implemented through the credential_set_t interface.
40 * The manager additionally does trust chain verification and trust status
41 * chaching. A set may call the managers methods if it needs credentials itself,
42 * the manager uses recursive locking.
43 *
44 * @verbatim
45
46 +-------+ +----------------+
47 | A | | | +------------------+
48 | u | -----> | | ------> | +------------------+
49 | t | | credential- | | | +------------------+
50 | h | -----> | manager | ------> +--| | credential- | => IPC
51 | e | | | +--| sets |
52 | n | +--> | | ------> +------------------+
53 | t | | | | |
54 | i | | | | |
55 | c | | +----------------+ |
56 | a | | |
57 | t | +----------------------------------------------+
58 | o | may be recursive
59 | r |
60 +-------+
61
62 @endverbatim
63 *
64 * The credential manager uses rwlocks for performance reasons, credential
65 * sets must be fully thread save.
66 */
67 struct credential_manager_t {
68
69 /**
70 * Create an enumerator over all certificates.
71 *
72 * @param cert kind of certificate
73 * @param key kind of key in certificate
74 * @param id subject this certificate belongs to
75 * @param trusted TRUE to list trusted certificates only
76 * @return enumerator over the certificates
77 */
78 enumerator_t *(*create_cert_enumerator)(credential_manager_t *this,
79 certificate_type_t cert, key_type_t key,
80 identification_t *id, bool trusted);
81 /**
82 * Create an enumerator over all shared keys.
83 *
84 * The enumerator enumerates over:
85 * shared_key_t*, id_match_t me, id_match_t other
86 * But must accepts values for the id_matches.
87 *
88 * @param type kind of requested shared key
89 * @param first first subject between key is shared
90 * @param second second subject between key is shared
91 * @return enumerator over shared keys
92 */
93 enumerator_t *(*create_shared_enumerator)(credential_manager_t *this,
94 shared_key_type_t type,
95 identification_t *first, identification_t *second);
96 /**
97 * Create an enumerator over all Certificate Distribution Points.
98 *
99 * @param type kind of certificate the point distributes
100 * @param id identification of the distributed certificate
101 * @return enumerator of CDPs as char*
102 */
103 enumerator_t *(*create_cdp_enumerator)(credential_manager_t *this,
104 certificate_type_t type, identification_t *id);
105 /**
106 * Get a trusted or untrusted certificate.
107 *
108 * @param cert kind of certificate
109 * @param key kind of key in certificate
110 * @param id subject this certificate belongs to
111 * @param trusted TRUE to get a trusted certificate only
112 * @return certificate, if found, NULL otherwise
113 */
114 certificate_t *(*get_cert)(credential_manager_t *this,
115 certificate_type_t cert, key_type_t key,
116 identification_t *id, bool trusted);
117 /**
118 * Get the best matching shared key for two IDs.
119 *
120 * @param type kind of requested shared key
121 * @param me own identity
122 * @param other peers identity
123 * @return shared_key_t, NULL if none found
124 */
125 shared_key_t *(*get_shared)(credential_manager_t *this, shared_key_type_t type,
126 identification_t *me, identification_t *other);
127 /**
128 * Get a private key to create a signature.
129 *
130 * The get_private() method gets a secret private key identified by either
131 * the keyid itself or an id the key belongs to.
132 * The auth parameter contains additional information, such as receipients
133 * trusted CA certs. Auth gets filled with subject and CA certificates
134 * needed to validate a created signature.
135 *
136 * @param type type of the key to get
137 * @param id identification the key belongs to
138 * @param auth auth config, including trusted CA certificates
139 * @return private_key_t, NULL if none found
140 */
141 private_key_t* (*get_private)(credential_manager_t *this, key_type_t type,
142 identification_t *id, auth_cfg_t *auth);
143
144 /**
145 * Create an enumerator over trusted public keys.
146 *
147 * This method gets a an enumerator over trusted public keys to verify a
148 * signature created by id. The auth parameter contains additional
149 * authentication infos, e.g. peer and intermediate certificates.
150 * The resulting enumerator enumerates over public_key_t *, auth_cfg_t *,
151 * where the auth config helper contains rules for constraint checks.
152 *
153 * @param type type of the key to get
154 * @param id owner of the key, signer of the signature
155 * @param auth authentication infos
156 * @return enumerator
157 */
158 enumerator_t* (*create_public_enumerator)(credential_manager_t *this,
159 key_type_t type, identification_t *id, auth_cfg_t *auth);
160
161 /**
162 * Cache a certificate by invoking cache_cert() on all registerd sets.
163 *
164 * @param cert certificate to cache
165 */
166 void (*cache_cert)(credential_manager_t *this, certificate_t *cert);
167
168 /**
169 * Flush the certificate cache.
170 *
171 * Only the managers local cache is flushed, but not the sets cache filled
172 * by the cache_cert() method.
173 *
174 * @param type type of certificate to flush, or CERT_ANY
175 */
176 void (*flush_cache)(credential_manager_t *this, certificate_type_t type);
177
178 /**
179 * Register a credential set to the manager.
180 *
181 * @param set set to register
182 */
183 void (*add_set)(credential_manager_t *this, credential_set_t *set);
184
185 /**
186 * Unregister a credential set from the manager.
187 *
188 * @param set set to unregister
189 */
190 void (*remove_set)(credential_manager_t *this, credential_set_t *set);
191
192 /**
193 * Destroy a credential_manager instance.
194 */
195 void (*destroy)(credential_manager_t *this);
196 };
197
198 /**
199 * Create a credential_manager instance.
200 */
201 credential_manager_t *credential_manager_create();
202
203 #endif /** CREDENTIAL_MANAGER_H_ @}*/