added support of OCSP accessLocations
[strongswan.git] / src / libstrongswan / crypto / x509.h
1 /**
2 * @file x509.h
3 *
4 * @brief Interface of x509_t.
5 *
6 */
7
8 /*
9 * Copyright (C) 2006 Martin Willi, Andreas Steffen
10 * Hochschule fuer Technik Rapperswil
11 *
12 * This program is free software; you can redistribute it and/or modify it
13 * under the terms of the GNU General Public License as published by the
14 * Free Software Foundation; either version 2 of the License, or (at your
15 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
16 *
17 * This program is distributed in the hope that it will be useful, but
18 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
19 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
20 * for more details.
21 */
22
23 #ifndef X509_H_
24 #define X509_H_
25
26 typedef struct x509_t x509_t;
27
28 #include <library.h>
29 #include <crypto/rsa/rsa_public_key.h>
30 #include <crypto/certinfo.h>
31 #include <utils/identification.h>
32 #include <utils/iterator.h>
33
34 /**
35 * @brief X.509 certificate.
36 *
37 * @b Constructors:
38 * - x509_create_from_chunk()
39 * - x509_create_from_file()
40 *
41 * @todo more code cleanup needed!
42 * @todo fix unimplemented functions...
43 * @todo handle memory management
44 *
45 * @ingroup transforms
46 */
47 struct x509_t {
48
49 /**
50 * @brief Set trusted public key life.
51 *
52 * @param this calling object
53 * @param until time until public key is trusted
54 */
55 void (*set_until) (x509_t *this, time_t until);
56
57 /**
58 * @brief Get trusted public key life.
59 *
60 * @param this calling object
61 * @return time until public key is trusted
62 */
63 time_t (*get_until) (const x509_t *this);
64
65 /**
66 * @brief Set the certificate status
67 *
68 * @param this calling object
69 * @param status certificate status
70 */
71 void (*set_status) (x509_t *this, cert_status_t status);
72
73 /**
74 * @brief Get the certificate status
75 *
76 * @param this calling object
77 * @return certificate status
78 */
79 cert_status_t (*get_status) (const x509_t *this);
80
81 /**
82 * @brief Get the DER-encoded X.509 certificate body
83 *
84 * @param this calling object
85 * @return DER-encoded X.509 certificate
86 */
87 chunk_t (*get_certificate) (const x509_t *this);
88
89 /**
90 * @brief Get the RSA public key from the certificate.
91 *
92 * @param this calling object
93 * @return public_key
94 */
95 rsa_public_key_t *(*get_public_key) (const x509_t *this);
96
97 /**
98 * @brief Get serial number from the certificate.
99 *
100 * @param this calling object
101 * @return serialNumber
102 */
103 chunk_t (*get_serialNumber) (const x509_t *this);
104
105 /**
106 * @brief Get subjectKeyID from the certificate.
107 *
108 * @param this calling object
109 * @return subjectKeyID
110 */
111 chunk_t (*get_subjectKeyID) (const x509_t *this);
112
113 /**
114 * @brief Get keyid from the certificate's public key.
115 *
116 * @param this calling object
117 * @return keyid
118 */
119 chunk_t (*get_keyid) (const x509_t *this);
120
121 /**
122 * @brief Get the certificate issuer's ID.
123 *
124 * The resulting ID is always a identification_t
125 * of type ID_DER_ASN1_DN.
126 *
127 * @param this calling object
128 * @return issuers ID
129 */
130 identification_t *(*get_issuer) (const x509_t *this);
131
132 /**
133 * @brief Get the subjectDistinguisheName.
134 *
135 * The resulting ID is always a identification_t
136 * of type ID_DER_ASN1_DN.
137 *
138 * @param this calling object
139 * @return subjects ID
140 */
141 identification_t *(*get_subject) (const x509_t *this);
142
143 /**
144 * @brief Create an iterator for the crlDistributionPoints.
145 *
146 * @param this calling object
147 * @return iterator for crlDistributionPoints
148 */
149 iterator_t *(*create_crluri_iterator) (const x509_t *this);
150
151 /**
152 * @brief Create an iterator for the ocspAccessLocations.
153 *
154 * @param this calling object
155 * @return iterator for ocspAccessLocations
156 */
157 iterator_t *(*create_ocspuri_iterator) (const x509_t *this);
158
159 /**
160 * @brief Check if a certificate is trustworthy
161 *
162 * @param this calling object
163 * @param signer signer's RSA public key
164 */
165 bool (*verify) (const x509_t *this, const rsa_public_key_t *signer);
166
167 /**
168 * @brief Compare two certificates.
169 *
170 * Comparison is done via the certificates signature.
171 *
172 * @param this first cert for compare
173 * @param other second cert for compare
174 * @return TRUE if signature is equal
175 */
176 bool (*equals) (const x509_t *this, const x509_t *that);
177
178 /**
179 * @brief Checks if the certificate contains a subjectAltName equal to id.
180 *
181 * @param this certificate being examined
182 * @param id id which is being compared to the subjectAltNames
183 * @return TRUE if a match is found
184 */
185 bool (*equals_subjectAltName) (const x509_t *this, identification_t *id);
186
187 /**
188 * @brief Checks if the subject of the other cert is the issuer of this cert.
189 *
190 * @param this certificate
191 * @param issuer potential issuer certificate
192 * @return TRUE if issuer is found
193 */
194 bool (*is_issuer) (const x509_t *this, const x509_t *issuer);
195
196 /**
197 * @brief Checks the validity interval of the certificate
198 *
199 * @param this certificate being examined
200 * @param until until = min(until, notAfter)
201 * @return NULL if the certificate is valid
202 */
203 err_t (*is_valid) (const x509_t *this, time_t *until);
204
205 /**
206 * @brief Returns the CA basic constraints flag
207 *
208 * @param this certificate being examined
209 * @return TRUE if the CA flag is set
210 */
211 bool (*is_ca) (const x509_t *this);
212
213 /**
214 * @brief Checks if the certificate is self-signed (subject equals issuer)
215 *
216 * @param this certificate being examined
217 * @return TRUE if self-signed
218 */
219 bool (*is_self_signed) (const x509_t *this);
220
221 /**
222 * @brief Destroys the certificate.
223 *
224 * @param this certificate to destroy
225 */
226 void (*destroy) (x509_t *this);
227 };
228
229 /**
230 * @brief Read a x509 certificate from a DER encoded blob.
231 *
232 * @param chunk chunk containing DER encoded data
233 * @return created x509_t certificate, or NULL if inv\ 1lid.
234 *
235 * @ingroup transforms
236 */
237 x509_t *x509_create_from_chunk(chunk_t chunk);
238
239 /**
240 * @brief Read a x509 certificate from a DER encoded file.
241 *
242 * @param filename file containing DER encoded data
243 * @param label label describing kind of certificate
244 * @return created x509_t certificate, or NULL if invalid.
245 *
246 * @ingroup transforms
247 */
248 x509_t *x509_create_from_file(const char *filename, const char *label);
249
250 #endif /* X509_H_ */