parse_authorityKeyIdentifier() is made available externally
1 /**
2 * @file x509.h
3 *
4 * @brief Interface of x509_t.
5 *
6 */
7
8 /*
9 * Copyright (C) 2000 Andreas Hess, Patric Lichtsteiner, Roger Wegmann
10 * Copyright (C) 2001 Marco Bertossa, Andreas Schleiss
11 * Copyright (C) 2002 Mario Strasser
12 * Copyright (C) 2000-2004 Andreas Steffen, Zuercher Hochschule Winterthur
13 * Copyright (C) 2006 Martin Willi, Andreas Steffen
14 *
15 * Hochschule fuer Technik Rapperswil
16 *
17 * This program is free software; you can redistribute it and/or modify it
18 * under the terms of the GNU General Public License as published by the
19 * Free Software Foundation; either version 2 of the License, or (at your
20 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
21 *
22 * This program is distributed in the hope that it will be useful, but
23 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
24 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
25 * for more details.
26 */
27
28 #ifndef X509_H_
29 #define X509_H_
30
31 typedef struct x509_t x509_t;
32
33 #include <library.h>
34 #include <crypto/rsa/rsa_public_key.h>
35 #include <crypto/certinfo.h>
36 #include <utils/identification.h>
37 #include <utils/iterator.h>
38
/* authority flags
 *
 * Each value occupies a distinct bit, so several of them can be held in the
 * single u_int that x509_t.add_authority_flags() takes and then be tested one
 * at a time with x509_t.has_authority_flag().  AUTH_NONE is the empty set.
 */

#define AUTH_NONE	0x00	/* no authorities */
#define AUTH_CA		0x01	/* certification authority */
#define AUTH_AA		0x02	/* authorization authority */
#define AUTH_OCSP	0x04	/* ocsp signing authority */
45
/**
 * @brief X.509 certificate.
 *
 * Read-only view of a parsed certificate plus a small amount of mutable
 * trust state (trusted-until time, revocation status, authority flags).
 * All members are called through the function pointers below.
 *
 * @b Constructors:
 *  - x509_create_from_chunk()
 *  - x509_create_from_file()
 *
 * @ingroup crypto
 */
struct x509_t {

	/**
	 * @brief Set trusted public key life.
	 *
	 * @param this		calling object
	 * @param until		time until public key is trusted
	 */
	void (*set_until) (x509_t *this, time_t until);

	/**
	 * @brief Get trusted public key life.
	 *
	 * @param this		calling object
	 * @return			time until public key is trusted
	 */
	time_t (*get_until) (const x509_t *this);

	/**
	 * @brief Set the certificate status
	 *
	 * @param this		calling object
	 * @param status	certificate status
	 */
	void (*set_status) (x509_t *this, cert_status_t status);

	/**
	 * @brief Get the certificate status
	 *
	 * @param this		calling object
	 * @return			certificate status
	 */
	cert_status_t (*get_status) (const x509_t *this);

	/**
	 * @brief Add authority flags
	 *
	 * The given bits are added to the flags already set; existing
	 * flags are not cleared by this call.
	 *
	 * @param this		calling object
	 * @param flags		flags to be added (AUTH_CA, AUTH_AA, AUTH_OCSP)
	 */
	void (*add_authority_flags) (x509_t *this, u_int flags);

	/**
	 * @brief Get authority flags
	 *
	 * NOTE(review): unlike the other getters this takes a non-const
	 * this; the implementation may rely on that, so it is left as is.
	 *
	 * @param this		calling object
	 * @return			authority flags
	 */
	u_int (*get_authority_flags) (x509_t *this);

	/**
	 * @brief Check a specific authority flag
	 *
	 * @param this		calling object
	 * @param flag		flag to be checked (one of the AUTH_* values)
	 * @return			TRUE if flag is present
	 */
	bool (*has_authority_flag) (x509_t *this, u_int flag);

	/**
	 * @brief Get the DER-encoded X.509 certificate body
	 *
	 * NOTE(review): whether the returned chunk aliases the certificate's
	 * internal storage or is a copy the caller must free is not stated
	 * here - confirm against the implementation before freeing it.
	 *
	 * @param this		calling object
	 * @return			DER-encoded X.509 certificate
	 */
	chunk_t (*get_certificate) (const x509_t *this);

	/**
	 * @brief Get the RSA public key from the certificate.
	 *
	 * NOTE(review): ownership of the returned key (shared with the
	 * certificate or handed to the caller) is not documented here -
	 * confirm before destroying or retaining it.
	 *
	 * @param this		calling object
	 * @return			public_key
	 */
	rsa_public_key_t *(*get_public_key) (const x509_t *this);

	/**
	 * @brief Get serial number from the certificate.
	 *
	 * @param this		calling object
	 * @return			serialNumber
	 */
	chunk_t (*get_serialNumber) (const x509_t *this);

	/**
	 * @brief Get subjectKeyID from the certificate.
	 *
	 * @param this		calling object
	 * @return			subjectKeyID
	 */
	chunk_t (*get_subjectKeyID) (const x509_t *this);

	/**
	 * @brief Get keyid from the certificate's public key.
	 *
	 * @param this		calling object
	 * @return			keyid
	 */
	chunk_t (*get_keyid) (const x509_t *this);

	/**
	 * @brief Get the certificate issuer's ID.
	 *
	 * The resulting ID is always an identification_t
	 * of type ID_DER_ASN1_DN.
	 *
	 * @param this		calling object
	 * @return			issuer's ID
	 */
	identification_t *(*get_issuer) (const x509_t *this);

	/**
	 * @brief Get the subjectDistinguishedName.
	 *
	 * The resulting ID is always an identification_t
	 * of type ID_DER_ASN1_DN.
	 *
	 * @param this		calling object
	 * @return			subject's ID
	 */
	identification_t *(*get_subject) (const x509_t *this);

	/**
	 * @brief Create an iterator for the crlDistributionPoints.
	 *
	 * NOTE(review): presumably the caller destroys the returned
	 * iterator when done - confirm with the iterator_t contract.
	 *
	 * @param this		calling object
	 * @return			iterator for crlDistributionPoints
	 */
	iterator_t *(*create_crluri_iterator) (const x509_t *this);

	/**
	 * @brief Create an iterator for the ocspAccessLocations.
	 *
	 * NOTE(review): presumably the caller destroys the returned
	 * iterator when done - confirm with the iterator_t contract.
	 *
	 * @param this		calling object
	 * @return			iterator for ocspAccessLocations
	 */
	iterator_t *(*create_ocspuri_iterator) (const x509_t *this);

	/**
	 * @brief Check if a certificate is trustworthy
	 *
	 * Verifies this certificate against the public key of its signer.
	 * A TRUE result says nothing about validity period or revocation;
	 * use is_valid() and get_status() for those.
	 *
	 * @param this		calling object
	 * @param signer	signer's RSA public key
	 * @return			TRUE if the check against signer succeeds
	 */
	bool (*verify) (const x509_t *this, const rsa_public_key_t *signer);

	/**
	 * @brief Compare two certificates.
	 *
	 * Comparison is done via the certificates' signature.
	 *
	 * @param this		first cert for compare
	 * @param that		second cert for compare
	 * @return			TRUE if signature is equal
	 */
	bool (*equals) (const x509_t *this, const x509_t *that);

	/**
	 * @brief Checks if the certificate contains a subjectAltName equal to id.
	 *
	 * @param this		certificate being examined
	 * @param id		id which is being compared to the subjectAltNames
	 * @return			TRUE if a match is found
	 */
	bool (*equals_subjectAltName) (const x509_t *this, identification_t *id);

	/**
	 * @brief Checks if the subject of the other cert is the issuer of this cert.
	 *
	 * @param this		certificate
	 * @param issuer	potential issuer certificate
	 * @return			TRUE if issuer is found
	 */
	bool (*is_issuer) (const x509_t *this, const x509_t *issuer);

	/**
	 * @brief Checks the validity interval of the certificate
	 *
	 * @param this		certificate being examined
	 * @param until		in/out: on return *until = min(*until, notAfter)
	 * @return			NULL if the certificate is valid, otherwise an
	 *					error description
	 */
	err_t (*is_valid) (const x509_t *this, time_t *until);

	/**
	 * @brief Returns the CA basic constraints flag
	 *
	 * This reflects what the certificate itself claims; whether the
	 * certificate is trusted as a CA is tracked separately via the
	 * AUTH_CA authority flag.
	 *
	 * @param this		certificate being examined
	 * @return			TRUE if the CA flag is set
	 */
	bool (*is_ca) (const x509_t *this);

	/**
	 * @brief Returns the OCSPSigner extended key usage flag
	 *
	 * @param this		certificate being examined
	 * @return			TRUE if the OCSPSigner flag is set
	 */
	bool (*is_ocsp_signer) (const x509_t *this);

	/**
	 * @brief Checks if the certificate is self-signed (subject equals issuer)
	 *
	 * Only compares the names; it does not verify the signature with
	 * the certificate's own key (use verify() for that).
	 *
	 * @param this		certificate being examined
	 * @return			TRUE if self-signed
	 */
	bool (*is_self_signed) (const x509_t *this);

	/**
	 * @brief Log the certificate info to out.
	 *
	 * @param this		calling object
	 * @param out		stream to write to
	 * @param utc		TRUE for UTC times, FALSE for local time
	 */
	void (*list)(x509_t *this, FILE *out, bool utc);

	/**
	 * @brief Destroys the certificate.
	 *
	 * @param this		certificate to destroy
	 */
	void (*destroy) (x509_t *this);
};
278
/**
 * @brief Read a x509 certificate from a DER encoded blob.
 *
 * The blob typically originates from a peer or a file and is treated as
 * untrusted input: malformed DER results in NULL rather than a partially
 * initialised object.  The caller owns the returned certificate and
 * releases it with its destroy() method.
 *
 * @param chunk		chunk containing DER encoded data
 * @param level		current parsing level (undocumented in the original;
 *					presumably the same notion as level0 of
 *					parse_authorityKeyIdentifier() - confirm in x509.c)
 * @return			created x509_t certificate, or NULL if invalid.
 *
 * @ingroup crypto
 */
x509_t *x509_create_from_chunk(chunk_t chunk, u_int level);
288
/**
 * @brief Read a x509 certificate from a DER encoded file.
 *
 * The caller owns the returned certificate and releases it with its
 * destroy() method.
 *
 * @param filename	file containing DER encoded data
 * @param label		label describing kind of certificate
 * @return			created x509_t certificate, or NULL if invalid.
 *
 * @ingroup crypto
 */
x509_t *x509_create_from_file(const char *filename, const char *label);
299
/**
 * @brief Parses a DER encoded authorityKeyIdentifier
 *
 * Exported so that other parsers can reuse it.  The blob is extension
 * data taken from a certificate and therefore untrusted; every read must
 * stay within blob.len.
 *
 * NOTE(review): the function has no return value, so a caller cannot tell
 * a successful parse from a rejected one.  What *authKeyID and
 * *authKeySerialNumber hold when a component is absent or the DER is
 * malformed, and whether they alias blob or are copies, is not stated
 * here - confirm in x509.c before relying on them.
 *
 * @param blob					blob containing DER encoded data
 * @param level0				indicates the current parsing level
 * @param authKeyID				receives the authorityKeyIdentifier
 * @param authKeySerialNumber	receives the authKeySerialNumber
 *
 * @ingroup crypto
 */
void parse_authorityKeyIdentifier(chunk_t blob, int level0, chunk_t *authKeyID, chunk_t *authKeySerialNumber);
311
312 #endif /* X509_H_ */