src/libstrongswan/crypto/x509.h

   1 /**
   2  * @file x509.h
   3  *
   4  * @brief Interface of x509_t.
   5  *
   6  */
   7
   8 /*
   9  * Copyright (C) 2006 Martin Willi, Andreas Steffen
  10  * Hochschule fuer Technik Rapperswil
  11  *
  12  * This program is free software; you can redistribute it and/or modify it
  13  * under the terms of the GNU General Public License as published by the
  14  * Free Software Foundation; either version 2 of the License, or (at your
  15  * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
  16  *
  17  * This program is distributed in the hope that it will be useful, but
  18  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  19  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  20  * for more details.
  21  */
  22
  23 #ifndef X509_H_
  24 #define X509_H_
  25
  26 typedef struct x509_t x509_t;
  27
  28 #include <library.h>
  29 #include <crypto/rsa/rsa_public_key.h>
  30 #include <crypto/certinfo.h>
  31 #include <utils/identification.h>
  32 #include <utils/iterator.h>
  33
  34 /**
  35  * @brief X.509 certificate.
  36  *
  37  * @b Constructors:
  38  *  - x509_create_from_chunk()
  39  *  - x509_create_from_file()
  40  *
  41  * @todo more code cleanup needed!
  42  * @todo fix unimplemented functions...
  43  * @todo handle memory management
  44  *
  45  * @ingroup transforms
  46  */
  47 struct x509_t {
  48
  49         /**
  50          * @brief Set trusted public key life.
  51          *
  52          * @param this                          calling object
  53          * @param until                         time until public key is trusted
  54          */
  55         void (*set_until) (x509_t *this, time_t until);
  56
  57         /**
  58          * @brief Get trusted public key life.
  59          *
  60          * @param this                          calling object
  61          * @return                                      time until public key is trusted
  62          */
  63         time_t (*get_until) (const x509_t *this);
  64
  65         /**
  66          * @brief Set the certificate status
  67          *
  68          * @param this                          calling object
  69          * @param status                        certificate status
  70          */
  71         void (*set_status) (x509_t *this, cert_status_t status);
  72
  73         /**
  74          * @brief Get the certificate status
  75          *
  76          * @param this                          calling object
  77          * @return                                      certificate status
  78          */
  79         cert_status_t (*get_status) (const x509_t *this);
  80
  81         /**
  82          * @brief Get the DER-encoded X.509 certificate body
  83          *
  84          * @param this                          calling object
  85          * @return                                      DER-encoded X.509 certificate
  86          */
  87         chunk_t (*get_certificate) (const x509_t *this);
  88
  89         /**
  90          * @brief Get the RSA public key from the certificate.
  91          *
  92          * @param this                          calling object
  93          * @return                                      public_key
  94          */
  95         rsa_public_key_t *(*get_public_key) (const x509_t *this);
  96
  97         /**
  98          * @brief Get serial number from the certificate.
  99          *
 100          * @param this                          calling object
 101          * @return                                      serialNumber
 102          */
 103         chunk_t (*get_serialNumber) (const x509_t *this);
 104
 105         /**
 106          * @brief Get subjectKeyID from the certificate.
 107          *
 108          * @param this                          calling object
 109          * @return                                      subjectKeyID
 110          */
 111         chunk_t (*get_subjectKeyID) (const x509_t *this);
 112
 113         /**
 114          * @brief Get keyid from the certificate's public key.
 115          *
 116          * @param this                          calling object
 117          * @return                                      keyid
 118          */
 119         chunk_t (*get_keyid) (const x509_t *this);
 120
 121         /**
 122          * @brief Get the certificate issuer's ID.
 123          *
 124          * The resulting ID is always a identification_t
 125          * of type ID_DER_ASN1_DN.
 126          *
 127          * @param this                          calling object
 128          * @return                                      issuers ID
 129          */
 130         identification_t *(*get_issuer) (const x509_t *this);
 131
 132         /**
 133          * @brief Get the subjectDistinguisheName.
 134          *
 135          * The resulting ID is always a identification_t
 136          * of type ID_DER_ASN1_DN.
 137          *
 138          * @param this                          calling object
 139          * @return                                      subjects ID
 140          */
 141         identification_t *(*get_subject) (const x509_t *this);
 142
 143         /**
 144          * @brief Create an iterator for the crlDistributionPoints.
 145          *
 146          * @param this                          calling object
 147          * @return                                      iterator for crlDistributionPoints
 148          */
 149         iterator_t *(*create_crluri_iterator) (const x509_t *this);
 150
 151         /**
 152          * @brief Create an iterator for the ocspAccessLocations.
 153          *
 154          * @param this                          calling object
 155          * @return                                      iterator for ocspAccessLocations
 156          */
 157         iterator_t *(*create_ocspuri_iterator) (const x509_t *this);
 158
 159         /**
 160          * @brief Check if a certificate is trustworthy
 161          *
 162          * @param this                  calling object
 163          * @param signer                signer's RSA public key
 164          */
 165         bool (*verify) (const x509_t *this, const rsa_public_key_t *signer);
 166
 167         /**
 168          * @brief Compare two certificates.
 169          *
 170          * Comparison is done via the certificates signature.
 171          *
 172          * @param this                  first cert for compare
 173          * @param other                 second cert for compare
 174          * @return                              TRUE if signature is equal
 175          */
 176         bool (*equals) (const x509_t *this, const x509_t *that);
 177
 178         /**
 179          * @brief Checks if the certificate contains a subjectAltName equal to id.
 180          *
 181          * @param this                  certificate being examined
 182          * @param id                    id which is being compared to the subjectAltNames
 183          * @return                              TRUE if a match is found
 184          */
 185         bool (*equals_subjectAltName) (const x509_t *this, identification_t *id);
 186
 187         /**
 188          * @brief Checks if the subject of the other cert is the issuer of this cert.
 189          *
 190          * @param this                  certificate
 191          * @param issuer                potential issuer certificate
 192          * @return                              TRUE if issuer is found
 193          */
 194         bool (*is_issuer) (const x509_t *this, const x509_t *issuer);
 195
 196         /**
 197          * @brief Checks the validity interval of the certificate
 198          *
 199          * @param this                  certificate being examined
 200          * @param until                 until = min(until, notAfter)
 201          * @return                              NULL if the certificate is valid
 202          */
 203         err_t (*is_valid) (const x509_t *this, time_t *until);
 204
 205         /**
 206          * @brief Returns the CA basic constraints flag
 207          *
 208          * @param this                  certificate being examined
 209          * @return                              TRUE if the CA flag is set
 210          */
 211         bool (*is_ca) (const x509_t *this);
 212
 213         /**
 214          * @brief Checks if the certificate is self-signed (subject equals issuer)
 215          *
 216          * @param this                  certificate being examined
 217          * @return                              TRUE if self-signed
 218          */
 219         bool (*is_self_signed) (const x509_t *this);
 220
 221         /**
 222          * @brief Destroys the certificate.
 223          *
 224          * @param this                  certificate to destroy
 225          */
 226         void (*destroy) (x509_t *this);
 227 };
 228
 229 /**
 230  * @brief Read a x509 certificate from a DER encoded blob.
 231  *
 232  * @param chunk         chunk containing DER encoded data
 233  * @return                      created x509_t certificate, or NULL if inv\ 1lid.
 234  *
 235  * @ingroup transforms
 236  */
 237 x509_t *x509_create_from_chunk(chunk_t chunk);
 238
 239 /**
 240  * @brief Read a x509 certificate from a DER encoded file.
 241  *
 242  * @param filename      file containing DER encoded data
 243  * @param label         label describing kind of certificate
 244  * @return                      created x509_t certificate, or NULL if invalid.
 245  *
 246  * @ingroup transforms
 247  */
 248 x509_t *x509_create_from_file(const char *filename, const char *label);
 249
 250 #endif /* X509_H_ */