1 /**
2 * @file ca.h
3 *
4 * @brief Interface of ca_info_t.
5 *
6 */
7
8 /*
9 * Copyright (C) 2007 Andreas Steffen
10 * Hochschule fuer Technik Rapperswil
11 *
12 * This program is free software; you can redistribute it and/or modify it
13 * under the terms of the GNU General Public License as published by the
14 * Free Software Foundation; either version 2 of the License, or (at your
15 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
16 *
17 * This program is distributed in the hope that it will be useful, but
18 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
19 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
20 * for more details.
21 */
22
23 #ifndef CA_H_
24 #define CA_H_
25
26 typedef struct ca_info_t ca_info_t;
27
28 #include <library.h>
29 #include <chunk.h>
30
31 #include <credential_store.h>
32
33 #include "x509.h"
34 #include "crl.h"
35
/**
 * @brief X.509 certification authority information record
 *
 * Bundles a CA certificate with the revocation data known for that CA:
 * a CRL (see add_crl/has_crl), OCSP certinfos (see has_certinfos) and the
 * CRL/OCSP URIs from which fresh revocation data is obtained
 * (see add_crluri/add_ocspuri). verify_by_crl and verify_by_ocsp answer
 * the revocation status of a certificate issued by this CA.
 *
 * @b Constructors:
 *  - ca_info_create()
 *
 * @ingroup crypto
 */
struct ca_info_t {

	/**
	 * @brief Compare two ca info records
	 *
	 * Comparison is done via the keyid of the ca certificate
	 *
	 * @param this		first ca info object
	 * @param that		second ca info object
	 * @return			TRUE if a match is found
	 */
	bool (*equals) (const ca_info_t *this, const ca_info_t* that);

	/**
	 * @brief If the ca info record has the same name then release the name and URIs
	 *
	 * Note that despite the "equals" prefix this is a mutating operation:
	 * on a name match the record's name and its CRL/OCSP URIs are released.
	 *
	 * @param this		ca info object
	 * @param name		name to compare against the record's name
	 * @return			TRUE if a match is found (and the info was released)
	 */
	bool (*equals_name_release_info) (ca_info_t *this, const char *name);

	/**
	 * @brief Checks if a certificate was issued by this ca
	 *
	 * NOTE(review): which criteria "issued by" covers (issuer name,
	 * authority key identifier, signature) is not visible in this header;
	 * confirm in ca.c before treating TRUE as proof of a verified chain.
	 *
	 * @param this		ca info object
	 * @param cert		certificate to be checked
	 * @return			TRUE if the issuing ca has been found
	 */
	bool (*is_cert_issuer) (ca_info_t *this, const x509_t *cert);

	/**
	 * @brief Checks if a crl was issued by this ca
	 *
	 * NOTE(review): as with is_cert_issuer, whether the CRL signature is
	 * verified here or only the issuer identity is matched is defined in ca.c.
	 *
	 * @param this		ca info object
	 * @param crl		crl to be checked
	 * @return			TRUE if the issuing ca has been found
	 */
	bool (*is_crl_issuer) (ca_info_t *this, const crl_t *crl);

	/**
	 * @brief Merges info from a secondary ca info object
	 *
	 * @param this		primary ca info object
	 * @param that		secondary ca info object (read only)
	 */
	void (*add_info) (ca_info_t *this, const ca_info_t *that);

	/**
	 * @brief Adds a new or replaces an obsoleted CRL
	 *
	 * NOTE(review): crl is passed non-const, so ownership presumably passes
	 * to this record; which CRL counts as "obsoleted" (e.g. by thisUpdate)
	 * is decided in ca.c — confirm before relying on replacement semantics.
	 *
	 * @param this		ca info object
	 * @param crl		crl to be added
	 */
	void (*add_crl) (ca_info_t *this, crl_t *crl);

	/**
	 * @brief Does the CA have a CRL?
	 *
	 * @param this		ca info object
	 * @return			TRUE if crl is available
	 */
	bool (*has_crl) (ca_info_t *this);

	/**
	 * @brief Does the CA have OCSP certinfos?
	 *
	 * @param this		ca info object
	 * @return			TRUE if there are any certinfos
	 */
	bool (*has_certinfos) (ca_info_t *this);

	/**
	 * @brief List the CRL onto the console
	 *
	 * @param this		ca info object
	 * @param out		output stream
	 * @param utc		TRUE  - print times in UTC
	 *					FALSE - print times in local time
	 */
	void (*list_crl) (ca_info_t *this, FILE *out, bool utc);

	/**
	 * @brief List the OCSP certinfos onto the console
	 *
	 * @param this		ca info object
	 * @param out		output stream
	 * @param utc		TRUE  - print times in UTC
	 *					FALSE - print times in local time
	 */
	void (*list_certinfos) (ca_info_t *this, FILE *out, bool utc);

	/**
	 * @brief Adds a CRL URI to a list
	 *
	 * NOTE(review): if callers take these URIs from certificate extensions
	 * (CRL distribution points), they are attacker-influenced input; the
	 * fetch path should restrict the accepted schemes — confirm in ca.c.
	 *
	 * @param this		ca info object
	 * @param uri		crl uri to be added
	 */
	void (*add_crluri) (ca_info_t *this, chunk_t uri);

	/**
	 * @brief Adds a OCSP URI to a list
	 *
	 * NOTE(review): same caveat as add_crluri when the URI originates from
	 * a certificate's authority information access extension.
	 *
	 * @param this		ca info object
	 * @param uri		ocsp uri to be added
	 */
	void (*add_ocspuri) (ca_info_t *this, chunk_t uri);

	/**
	 * @brief Get the ca certificate
	 *
	 * NOTE(review): presumably returns the certificate held by this record
	 * rather than a copy — the caller must not destroy it. Confirm in ca.c.
	 *
	 * @param this		ca info object
	 * @return			ca certificate
	 */
	x509_t* (*get_certificate) (ca_info_t *this);

	/**
	 * @brief Verify the status of a certificate by CRL
	 *
	 * NOTE(review): how a missing, expired or unfetchable CRL maps onto the
	 * returned cert_status_t is decided in ca.c. If CRL fetching is disabled
	 * via ca_info_set_crlcheckinterval(0), only CRLs loaded by other means
	 * are available, so callers relying on revocation must not assume
	 * fresh data here.
	 *
	 * @param this		ca info object
	 * @param certinfo	detailed certificate status information (updated)
	 * @return			certificate status
	 */
	cert_status_t (*verify_by_crl) (ca_info_t* this, certinfo_t* certinfo);

	/**
	 * @brief Verify the status of a certificate by OCSP
	 *
	 * @param this			ca info object
	 * @param certinfo		detailed certificate status information (updated)
	 * @param credentials	credential store needed for trust path verification
	 *						of the OCSP responder certificate
	 * @return				certificate status
	 */
	cert_status_t (*verify_by_ocsp) (ca_info_t* this, certinfo_t* certinfo, credential_store_t* credentials);

	/**
	 * @brief Purge the OCSP certinfos of a ca info record
	 *
	 * @param this		ca info object
	 */
	void (*purge_ocsp) (ca_info_t *this);

	/**
	 * @brief Destroys a ca info record
	 *
	 * Releases the record itself; whether the contained CA certificate,
	 * CRL and certinfos are destroyed with it is defined in ca.c.
	 *
	 * @param this		ca info to destroy
	 */
	void (*destroy) (ca_info_t *this);
};
192
/**
 * @brief Set the interval at which CRLs are re-fetched
 *
 * This is a free function with no ca_info_t argument, so the interval is
 * presumably module-wide state shared by all ca info records (confirm in
 * ca.c). An interval of 0 is intended to disable periodic CRL fetching
 * altogether — verify the exact semantics in ca.c.
 *
 * NOTE(review): with fetching disabled, verify_by_crl can only consult
 * CRLs supplied by other means, so a revoked certificate may be accepted
 * unless OCSP or a locally maintained CRL covers it.
 *
 * @param interval		crl_check_interval to be set in seconds
 *						(0 disables fetching)
 *
 * @ingroup crypto
 */
void ca_info_set_crlcheckinterval(u_int interval);
201
/**
 * @brief Create a ca info record
 *
 * NOTE(review): whether the record takes ownership of cacert (and destroys
 * it in destroy()) is not visible in this header — confirm in ca.c before
 * destroying the certificate in the caller.
 *
 * @param name			name of the ca info record
 * @param cacert		the parsed ca certificate (an x509_t, not a file path)
 * @return				created ca_info_t, or NULL if invalid.
 *
 * @ingroup crypto
 */
ca_info_t *ca_info_create(const char *name, x509_t *cacert);
212
213 #endif /* CA_H_ */