1 /**
2 * @file x509.h
3 *
4 * @brief Interface of x509_t.
5 *
6 */
7
8 /*
9 * Copyright (C) 2006 Martin Willi, Andreas Steffen
10 * Hochschule fuer Technik Rapperswil
11 *
12 * This program is free software; you can redistribute it and/or modify it
13 * under the terms of the GNU General Public License as published by the
14 * Free Software Foundation; either version 2 of the License, or (at your
15 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
16 *
17 * This program is distributed in the hope that it will be useful, but
18 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
19 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
20 * for more details.
21 */
22
23 #ifndef X509_H_
24 #define X509_H_
25
26 typedef struct x509_t x509_t;
27
28 #include <library.h>
29 #include <crypto/rsa/rsa_public_key.h>
30 #include <crypto/certinfo.h>
31 #include <utils/identification.h>
32 #include <utils/iterator.h>
33
34 /**
35 * @brief X.509 certificate.
36 *
37 * @b Constructors:
38 * - x509_create_from_chunk()
39 * - x509_create_from_file()
40 *
41 * @todo more code cleanup needed!
42 * @todo fix unimplemented functions...
43 * @todo handle memory management
44 *
45 * @ingroup transforms
46 */
47 struct x509_t {
48 
49 /**
50 * @brief Set trusted public key life.
51 *
 * This writes trust state chosen by the caller; nothing in this
 * interface derives the value from the certificate. Callers should
 * not pass a time later than the bound reported by is_valid(),
 * otherwise get_until() will claim trust beyond notAfter.
 *
52 * @param this calling object
53 * @param until time until public key is trusted
54 */
55 void (*set_until) (x509_t *this, time_t until);
56 
57 /**
58 * @brief Get trusted public key life.
59 *
 * Presumably returns the value last stored with set_until() (or an
 * initial value set at creation) - confirm in x509.c.
 *
60 * @param this calling object
61 * @return time until public key is trusted
62 */
63 time_t (*get_until) (const x509_t *this);
64 
65 /**
66 * @brief Set the certificate status
67 *
 * cert_status_t comes from crypto/certinfo.h. The status is supplied
 * by the caller (e.g. after a CRL or OCSP lookup); this object does
 * not determine it on its own - TODO confirm against x509.c.
 *
68 * @param this calling object
69 * @param status certificate status
70 */
71 void (*set_status) (x509_t *this, cert_status_t status);
72 
73 /**
74 * @brief Get the certificate status
75 *
 * Returns whatever was last stored with set_status(); a fresh object's
 * initial status is not specified here.
 *
76 * @param this calling object
77 * @return certificate status
78 */
79 cert_status_t (*get_status) (const x509_t *this);
80 
81 /**
82 * @brief Get the DER-encoded X.509 certificate body
83 *
 * NOTE(review): ownership of the returned chunk is not stated here
 * (see the memory-management @todo on the struct). Do not free it
 * unless x509.c confirms the caller owns the copy.
 *
84 * @param this calling object
85 * @return DER-encoded X.509 certificate
86 */
87 chunk_t (*get_certificate) (const x509_t *this);
88 
89 /**
90 * @brief Get the RSA public key from the certificate.
91 *
 * Only RSA is modelled by this interface (rsa_public_key_t).
 * NOTE(review): whether the returned object is owned by the
 * certificate or by the caller is not specified here - confirm
 * before calling destroy on it.
 *
92 * @param this calling object
93 * @return public_key
94 */
95 rsa_public_key_t *(*get_public_key) (const x509_t *this);
96 
97 /**
98 * @brief Get serial number from the certificate.
99 *
 * Presumably the raw DER INTEGER content bytes; if so, compare serials
 * as byte strings rather than converting them to a native integer.
 *
100 * @param this calling object
101 * @return serialNumber
102 */
103 chunk_t (*get_serialNumber) (const x509_t *this);
104 
105 /**
106 * @brief Get subjectKeyID from the certificate.
107 *
 * This value is taken from the certificate, i.e. it was chosen by
 * whoever issued it. It is not guaranteed to agree with get_keyid(),
 * which is derived from the public key itself.
 *
108 * @param this calling object
109 * @return subjectKeyID
110 */
111 chunk_t (*get_subjectKeyID) (const x509_t *this);
112 
113 /**
114 * @brief Get keyid from the certificate's public key.
115 *
 * Computed from the key material rather than read from an extension,
 * so it is the better handle for matching keys across certificates.
 *
116 * @param this calling object
117 * @return keyid
118 */
119 chunk_t (*get_keyid) (const x509_t *this);
120 
121 /**
122 * @brief Get the certificate issuer's ID.
123 *
124 * The resulting ID is always an identification_t
125 * of type ID_DER_ASN1_DN.
 *
 * NOTE(review): ownership of the returned identification_t is not
 * stated here - confirm before destroying it.
126 *
127 * @param this calling object
128 * @return issuers ID
129 */
130 identification_t *(*get_issuer) (const x509_t *this);
131 
132 /**
133 * @brief Get the subjectDistinguishedName.
134 *
135 * The resulting ID is always an identification_t
136 * of type ID_DER_ASN1_DN.
 *
 * NOTE(review): ownership of the returned identification_t is not
 * stated here - confirm before destroying it.
137 *
138 * @param this calling object
139 * @return subjects ID
140 */
141 identification_t *(*get_subject) (const x509_t *this);
142 
143 /**
144 * @brief Create an iterator for the crlDistributionPoints.
145 *
 * The URIs come out of the certificate's own extension, so until the
 * certificate has passed verify() they are attacker-controlled input:
 * do not fetch from them on the strength of an unverified certificate.
 * The iterator is created per call; presumably the caller destroys it.
 *
146 * @param this calling object
147 * @return iterator for crlDistributionPoints
148 */
149 iterator_t *(*create_crluri_iterator) (const x509_t *this);
150 
151 /**
152 * @brief Check if a certificate is trustworthy
153 *
 * This takes only a signer key, so it can only establish that the
 * certificate's signature verifies under that key. It says nothing
 * about whether signer is itself trusted, nor about the validity
 * interval, revocation status or CA flag, which are separate queries
 * (is_valid(), get_status(), is_ca() on the issuer). A trust decision
 * needs all of them, not a TRUE here alone.
 *
154 * @param this calling object
155 * @param signer signer's RSA public key
 * @return TRUE if the signature verifies under signer, FALSE otherwise
156 */
157 bool (*verify) (const x509_t *this, const rsa_public_key_t *signer);
158 
159 /**
160 * @brief Compare two certificates.
161 *
162 * Comparison is done via the certificates signature.
 * Only the signature bytes are compared; no other field takes part.
163 *
164 * @param this first cert for compare
165 * @param that second cert for compare
166 * @return TRUE if signature is equal
167 */
168 bool (*equals) (const x509_t *this, const x509_t *that);
169 
170 /**
171 * @brief Checks if the certificate contains a subjectAltName equal to id.
172 *
 * A match only tells you the certificate claims this name; it must
 * still be verified before the claim is trusted.
 *
173 * @param this certificate being examined
174 * @param id id which is being compared to the subjectAltNames
175 * @return TRUE if a match is found
176 */
177 bool (*equals_subjectAltName) (const x509_t *this, identification_t *id);
178 
179 /**
180 * @brief Checks if the subject of the other cert is the issuer of this cert.
181 *
 * As documented this is a name comparison. That is necessary but not
 * sufficient for chain building: the signature must still be checked
 * with verify() using issuer's get_public_key(), and the caller should
 * require is_ca() on issuer.
 *
182 * @param this certificate
183 * @param issuer potential issuer certificate
184 * @return TRUE if issuer is found
185 */
186 bool (*is_issuer) (const x509_t *this, const x509_t *issuer);
187 
188 /**
189 * @brief Checks the validity interval of the certificate
190 *
 * Only the notBefore/notAfter window is checked here; signature and
 * revocation are separate (verify(), get_status()).
 *
191 * @param this certificate being examined
192 * @param until until = min(until, notAfter)
 *              (in/out: read on entry, lowered to notAfter if that is
 *              earlier)
193 * @return NULL if the certificate is valid
 *         otherwise a non-NULL err_t describing the failure
194 */
195 err_t (*is_valid) (const x509_t *this, time_t *until);
196 
197 /**
198 * @brief Returns the CA basic constraints flag
199 *
 * Chain builders should require this on every certificate used as a
 * signer of another; how a certificate lacking the extension is
 * reported (FALSE presumably) is not visible here.
 *
200 * @param this certificate being examined
201 * @return TRUE if the CA flag is set
202 */
203 bool (*is_ca) (const x509_t *this);
204 
205 /**
206 * @brief Checks if the certificate is self-signed (subject equals issuer)
207 *
 * This is a name check, not a signature check. A self-signed
 * certificate is only trustworthy if verify() succeeds with its own
 * get_public_key() and it is among the caller's trust anchors.
 *
208 * @param this certificate being examined
209 * @return TRUE if self-signed
210 */
211 bool (*is_self_signed) (const x509_t *this);
212 
213 /**
214 * @brief Destroys the certificate.
215 *
 * NOTE(review): whether values returned earlier by the getters remain
 * valid after this call is not stated here (memory-management @todo);
 * assume they do not unless x509.c says otherwise.
 *
216 * @param this certificate to destroy
217 */
218 void (*destroy) (x509_t *this);
219 };
220
221 /**
222 * @brief Read a x509 certificate from a DER encoded blob.
223 *
224 * @param chunk chunk containing DER encoded data
225 * @return created x509_t certificate, or NULL if invalid.
226 *
227 * @ingroup transforms
228 */
229 x509_t *x509_create_from_chunk(chunk_t chunk);
230
231 /**
232 * @brief Read a x509 certificate from a DER encoded file.
233 *
234 * @param filename file containing DER encoded data
235 * @param label label describing kind of certificate
236 * @return created x509_t certificate, or NULL if invalid.
237 *
238 * @ingroup transforms
239 */
240 x509_t *x509_create_from_file(const char *filename, const char *label);
241
242 #endif /* X509_H_ */