removed %Q, %Y, %W, %U printf handlers
[strongswan.git] / src / libstrongswan / crypto / x509.h
1 /**
2 * @file x509.h
3 *
4 * @brief Interface of x509_t.
5 *
6 */
7
8 /*
9 * Copyright (C) 2006 Martin Willi, Andreas Steffen
10 * Hochschule fuer Technik Rapperswil
11 *
12 * This program is free software; you can redistribute it and/or modify it
13 * under the terms of the GNU General Public License as published by the
14 * Free Software Foundation; either version 2 of the License, or (at your
15 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
16 *
17 * This program is distributed in the hope that it will be useful, but
18 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
19 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
20 * for more details.
21 */
22
23 #ifndef X509_H_
24 #define X509_H_
25
26 typedef struct x509_t x509_t;
27
28 #include <library.h>
29 #include <crypto/rsa/rsa_public_key.h>
30 #include <crypto/certinfo.h>
31 #include <utils/identification.h>
32 #include <utils/iterator.h>
33
34 /* authority flags */
35
36 #define AUTH_NONE 0x00 /* no authorities */
37 #define AUTH_CA 0x01 /* certification authority */
38 #define AUTH_AA 0x02 /* authorization authority */
39 #define AUTH_OCSP 0x04 /* ocsp signing authority */
40
41 /**
42 * @brief X.509 certificate.
43 *
44 * @b Constructors:
45 * - x509_create_from_chunk()
46 * - x509_create_from_file()
47 *
48 * @todo more code cleanup needed!
49 * @todo fix unimplemented functions...
50 * @todo handle memory management
51 *
52 * @ingroup transforms
53 */
54 struct x509_t {
55
56 /**
57 * @brief Set trusted public key life.
58 *
59 * @param this calling object
60 * @param until time until public key is trusted
61 */
62 void (*set_until) (x509_t *this, time_t until);
63
64 /**
65 * @brief Get trusted public key life.
66 *
67 * @param this calling object
68 * @return time until public key is trusted
69 */
70 time_t (*get_until) (const x509_t *this);
71
72 /**
73 * @brief Set the certificate status
74 *
75 * @param this calling object
76 * @param status certificate status
77 */
78 void (*set_status) (x509_t *this, cert_status_t status);
79
80 /**
81 * @brief Get the certificate status
82 *
83 * @param this calling object
84 * @return certificate status
85 */
86 cert_status_t (*get_status) (const x509_t *this);
87
88 /**
89 * @brief Add authority flags
90 *
91 * @param this calling object
92 * @param flag flags to be added
93 */
94 void (*add_authority_flags) (x509_t *this, u_int flags);
95
96 /**
97 * @brief Get authority flags
98 *
99 * @param this calling object
100 * @return authority flags
101 */
102 u_int (*get_authority_flags) (x509_t *this);
103
104 /**
105 * @brief Check a specific authority flag
106 *
107 * @param this calling object
108 * @param flag flag to be checked
109 * @return TRUE if flag is present
110 */
111 bool (*has_authority_flag) (x509_t *this, u_int flag);
112
113 /**
114 * @brief Get the DER-encoded X.509 certificate body
115 *
116 * @param this calling object
117 * @return DER-encoded X.509 certificate
118 */
119 chunk_t (*get_certificate) (const x509_t *this);
120
121 /**
122 * @brief Get the RSA public key from the certificate.
123 *
124 * @param this calling object
125 * @return public_key
126 */
127 rsa_public_key_t *(*get_public_key) (const x509_t *this);
128
129 /**
130 * @brief Get serial number from the certificate.
131 *
132 * @param this calling object
133 * @return serialNumber
134 */
135 chunk_t (*get_serialNumber) (const x509_t *this);
136
137 /**
138 * @brief Get subjectKeyID from the certificate.
139 *
140 * @param this calling object
141 * @return subjectKeyID
142 */
143 chunk_t (*get_subjectKeyID) (const x509_t *this);
144
145 /**
146 * @brief Get keyid from the certificate's public key.
147 *
148 * @param this calling object
149 * @return keyid
150 */
151 chunk_t (*get_keyid) (const x509_t *this);
152
153 /**
154 * @brief Get the certificate issuer's ID.
155 *
156 * The resulting ID is always a identification_t
157 * of type ID_DER_ASN1_DN.
158 *
159 * @param this calling object
160 * @return issuers ID
161 */
162 identification_t *(*get_issuer) (const x509_t *this);
163
164 /**
165 * @brief Get the subjectDistinguisheName.
166 *
167 * The resulting ID is always a identification_t
168 * of type ID_DER_ASN1_DN.
169 *
170 * @param this calling object
171 * @return subjects ID
172 */
173 identification_t *(*get_subject) (const x509_t *this);
174
175 /**
176 * @brief Create an iterator for the crlDistributionPoints.
177 *
178 * @param this calling object
179 * @return iterator for crlDistributionPoints
180 */
181 iterator_t *(*create_crluri_iterator) (const x509_t *this);
182
183 /**
184 * @brief Create an iterator for the ocspAccessLocations.
185 *
186 * @param this calling object
187 * @return iterator for ocspAccessLocations
188 */
189 iterator_t *(*create_ocspuri_iterator) (const x509_t *this);
190
191 /**
192 * @brief Check if a certificate is trustworthy
193 *
194 * @param this calling object
195 * @param signer signer's RSA public key
196 */
197 bool (*verify) (const x509_t *this, const rsa_public_key_t *signer);
198
199 /**
200 * @brief Compare two certificates.
201 *
202 * Comparison is done via the certificates signature.
203 *
204 * @param this first cert for compare
205 * @param other second cert for compare
206 * @return TRUE if signature is equal
207 */
208 bool (*equals) (const x509_t *this, const x509_t *that);
209
210 /**
211 * @brief Checks if the certificate contains a subjectAltName equal to id.
212 *
213 * @param this certificate being examined
214 * @param id id which is being compared to the subjectAltNames
215 * @return TRUE if a match is found
216 */
217 bool (*equals_subjectAltName) (const x509_t *this, identification_t *id);
218
219 /**
220 * @brief Checks if the subject of the other cert is the issuer of this cert.
221 *
222 * @param this certificate
223 * @param issuer potential issuer certificate
224 * @return TRUE if issuer is found
225 */
226 bool (*is_issuer) (const x509_t *this, const x509_t *issuer);
227
228 /**
229 * @brief Checks the validity interval of the certificate
230 *
231 * @param this certificate being examined
232 * @param until until = min(until, notAfter)
233 * @return NULL if the certificate is valid
234 */
235 err_t (*is_valid) (const x509_t *this, time_t *until);
236
237 /**
238 * @brief Returns the CA basic constraints flag
239 *
240 * @param this certificate being examined
241 * @return TRUE if the CA flag is set
242 */
243 bool (*is_ca) (const x509_t *this);
244
245 /**
246 * @brief Returns the OCSPSigner extended key usage flag
247 *
248 * @param this certificate being examined
249 * @return TRUE if the OCSPSigner flag is set
250 */
251 bool (*is_ocsp_signer) (const x509_t *this);
252
253 /**
254 * @brief Checks if the certificate is self-signed (subject equals issuer)
255 *
256 * @param this certificate being examined
257 * @return TRUE if self-signed
258 */
259 bool (*is_self_signed) (const x509_t *this);
260
261 /**
262 * @brief Log the certificate info to out.
263 *
264 * @param this calling object
265 * @param out stream to write to
266 * @param utc TRUE for UTC times, FALSE for local time
267 */
268 void (*list)(x509_t *this, FILE *out, bool utc);
269
270 /**
271 * @brief Destroys the certificate.
272 *
273 * @param this certificate to destroy
274 */
275 void (*destroy) (x509_t *this);
276 };
277
278 /**
279 * @brief Read a x509 certificate from a DER encoded blob.
280 *
281 * @param chunk chunk containing DER encoded data
282 * @return created x509_t certificate, or NULL if inv\ 1lid.
283 *
284 * @ingroup transforms
285 */
286 x509_t *x509_create_from_chunk(chunk_t chunk, u_int level);
287
288 /**
289 * @brief Read a x509 certificate from a DER encoded file.
290 *
291 * @param filename file containing DER encoded data
292 * @param label label describing kind of certificate
293 * @return created x509_t certificate, or NULL if invalid.
294 *
295 * @ingroup transforms
296 */
297 x509_t *x509_create_from_file(const char *filename, const char *label);
298
299 #endif /* X509_H_ */