added parsing level to x509_create_from_chunk() and added is_ocsp_signer() method
/**
 * @file x509.h
 *
 * @brief Interface of x509_t.
 *
 */

/*
 * Copyright (C) 2006 Martin Willi, Andreas Steffen
 * Hochschule fuer Technik Rapperswil
 *
 * This program is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License as published by the
 * Free Software Foundation; either version 2 of the License, or (at your
 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
 * for more details.
 */

#ifndef X509_H_
#define X509_H_

/* Forward declaration placed before the includes: presumably one of the
 * headers below refers to x509_t itself — confirm before moving it. */
typedef struct x509_t x509_t;

#include <library.h>
#include <crypto/rsa/rsa_public_key.h>
#include <crypto/certinfo.h>
#include <utils/identification.h>
#include <utils/iterator.h>

/* authority flags
 *
 * The non-zero values are distinct single bits, so they look intended to be
 * OR-ed together into an authority mask; AUTH_NONE is the empty mask. */

#define AUTH_NONE 0x00 /* no authorities */
#define AUTH_CA 0x01 /* certification authority */
#define AUTH_AA 0x02 /* authorization authority */
#define AUTH_OCSP 0x04 /* ocsp signing authority */

/**
 * @brief X.509 certificate.
 *
 * The object is a table of function pointers; callers go through the
 * methods below and never touch the parsed fields directly.
 *
 * @b Constructors:
 * - x509_create_from_chunk()
 * - x509_create_from_file()
 *
 * Both constructors hand the created object to the caller, which releases
 * it with destroy().
 *
 * Note that the predicates is_ca(), is_ocsp_signer(), is_self_signed() and
 * is_issuer() report what the certificate claims about itself or how names
 * relate; none of them establishes trust. Trust requires verify() against
 * a key that is itself trusted, plus is_valid() for the validity period.
 *
 * @todo more code cleanup needed!
 * @todo fix unimplemented functions...
 * @todo handle memory management
 *
 * @ingroup transforms
 */
struct x509_t {

 /**
 * @brief Set trusted public key life.
 *
 * @param this calling object
 * @param until time until public key is trusted
 */
 void (*set_until) (x509_t *this, time_t until);

 /**
 * @brief Get trusted public key life.
 *
 * @param this calling object
 * @return time until public key is trusted
 */
 time_t (*get_until) (const x509_t *this);

 /**
 * @brief Set the certificate status
 *
 * @param this calling object
 * @param status certificate status (cert_status_t from certinfo.h)
 */
 void (*set_status) (x509_t *this, cert_status_t status);

 /**
 * @brief Get the certificate status
 *
 * @param this calling object
 * @return certificate status
 */
 cert_status_t (*get_status) (const x509_t *this);

 /**
 * @brief Get the DER-encoded X.509 certificate body
 *
 * Ownership of the returned chunk is not specified in this header;
 * presumably it points into the object and must not be freed by the
 * caller — confirm against x509.c (see the memory-management @todo).
 *
 * @param this calling object
 * @return DER-encoded X.509 certificate
 */
 chunk_t (*get_certificate) (const x509_t *this);

 /**
 * @brief Get the RSA public key from the certificate.
 *
 * Ownership of the returned key is not specified here — confirm against
 * x509.c before destroying it.
 *
 * @param this calling object
 * @return public_key
 */
 rsa_public_key_t *(*get_public_key) (const x509_t *this);

 /**
 * @brief Get serial number from the certificate.
 *
 * @param this calling object
 * @return serialNumber
 */
 chunk_t (*get_serialNumber) (const x509_t *this);

 /**
 * @brief Get subjectKeyID from the certificate.
 *
 * @param this calling object
 * @return subjectKeyID
 */
 chunk_t (*get_subjectKeyID) (const x509_t *this);

 /**
 * @brief Get keyid from the certificate's public key.
 *
 * @param this calling object
 * @return keyid
 */
 chunk_t (*get_keyid) (const x509_t *this);

 /**
 * @brief Get the certificate issuer's ID.
 *
 * The resulting ID is always a identification_t
 * of type ID_DER_ASN1_DN.
 *
 * @param this calling object
 * @return issuers ID
 */
 identification_t *(*get_issuer) (const x509_t *this);

 /**
 * @brief Get the subjectDistinguishedName.
 *
 * The resulting ID is always a identification_t
 * of type ID_DER_ASN1_DN.
 *
 * @param this calling object
 * @return subjects ID
 */
 identification_t *(*get_subject) (const x509_t *this);

 /**
 * @brief Create an iterator for the crlDistributionPoints.
 *
 * @param this calling object
 * @return iterator for crlDistributionPoints
 */
 iterator_t *(*create_crluri_iterator) (const x509_t *this);

 /**
 * @brief Create an iterator for the ocspAccessLocations.
 *
 * @param this calling object
 * @return iterator for ocspAccessLocations
 */
 iterator_t *(*create_ocspuri_iterator) (const x509_t *this);

 /**
 * @brief Check if a certificate is trustworthy
 *
 * Verifies the certificate against the given signer key. The validity
 * period is a separate check (is_valid()), and whether signer belongs to
 * the actual issuer is the caller's responsibility (see is_issuer()).
 *
 * @param this calling object
 * @param signer signer's RSA public key
 * @return TRUE if verification succeeds
 */
 bool (*verify) (const x509_t *this, const rsa_public_key_t *signer);

 /**
 * @brief Compare two certificates.
 *
 * Comparison is done via the certificates signature.
 *
 * @param this first cert for compare
 * @param that second cert for compare
 * @return TRUE if signature is equal
 */
 bool (*equals) (const x509_t *this, const x509_t *that);

 /**
 * @brief Checks if the certificate contains a subjectAltName equal to id.
 *
 * @param this certificate being examined
 * @param id id which is being compared to the subjectAltNames
 * @return TRUE if a match is found
 */
 bool (*equals_subjectAltName) (const x509_t *this, identification_t *id);

 /**
 * @brief Checks if the subject of the other cert is the issuer of this cert.
 *
 * This is a name relation only; it does not verify this certificate's
 * signature under issuer's key — use verify() for that.
 *
 * @param this certificate
 * @param issuer potential issuer certificate
 * @return TRUE if issuer is found
 */
 bool (*is_issuer) (const x509_t *this, const x509_t *issuer);

 /**
 * @brief Checks the validity interval of the certificate
 *
 * @param this certificate being examined
 * @param until in/out: on return lowered to notAfter if that is earlier,
 *              i.e. until = min(until, notAfter)
 * @return NULL if the certificate is valid, otherwise an error description
 */
 err_t (*is_valid) (const x509_t *this, time_t *until);

 /**
 * @brief Returns the CA basic constraints flag
 *
 * A TRUE result only means the certificate claims to be a CA; whether that
 * CA is trusted still depends on verify() against a trusted anchor.
 *
 * @param this certificate being examined
 * @return TRUE if the CA flag is set
 */
 bool (*is_ca) (const x509_t *this);

 /**
 * @brief Returns the OCSPSigner extended key usage flag
 *
 * NOTE(review): the flag alone does not make a certificate an authorized
 * OCSP responder; RFC 2560 section 4.2.2.2 additionally requires the
 * responder certificate to be issued by the CA that issued the
 * certificate whose status is being checked. That relation is not part
 * of this method and must be checked by the caller.
 *
 * @param this certificate being examined
 * @return TRUE if the OCSPSigner flag is set
 */
 bool (*is_ocsp_signer) (const x509_t *this);

 /**
 * @brief Checks if the certificate is self-signed (subject equals issuer)
 *
 * This compares names only; TRUE does not mean the signature has been
 * verified with the certificate's own key.
 *
 * @param this certificate being examined
 * @return TRUE if self-signed
 */
 bool (*is_self_signed) (const x509_t *this);

 /**
 * @brief Destroys the certificate.
 *
 * @param this certificate to destroy
 */
 void (*destroy) (x509_t *this);
};

/**
 * @brief Read a x509 certificate from a DER encoded blob.
 *
 * The blob is treated as untrusted input: a malformed encoding is reported
 * by returning NULL rather than by handing back a partially filled object.
 *
 * @param chunk chunk containing DER encoded data
 * @param level parsing level passed on to the ASN.1 parser — presumably the
 *              nesting depth at which parsing of this blob starts (e.g. when
 *              the certificate is embedded in a larger structure); confirm
 *              against the implementation
 * @return created x509_t certificate, or NULL if invalid.
 *         The caller owns the object and releases it with destroy().
 *
 * @ingroup transforms
 */
x509_t *x509_create_from_chunk(chunk_t chunk, u_int level);

/**
 * @brief Read a x509 certificate from a DER encoded file.
 *
 * @param filename file containing DER encoded data
 * @param label label describing kind of certificate (presumably used for
 *              log output — confirm against the implementation)
 * @return created x509_t certificate, or NULL if invalid.
 *         The caller owns the object and releases it with destroy().
 *
 * @ingroup transforms
 */
x509_t *x509_create_from_file(const char *filename, const char *label);

#endif /* X509_H_ */