1 /**
2 * @file x509.h
3 *
4 * @brief Interface of x509_t.
5 *
6 */
7
8 /*
9 * Copyright (C) 2000 Andreas Hess, Patric Lichtsteiner, Roger Wegmann
10 * Copyright (C) 2001 Marco Bertossa, Andreas Schleiss
11 * Copyright (C) 2002 Mario Strasser
12 * Copyright (C) 2000-2004 Andreas Steffen, Zuercher Hochschule Winterthur
13 * Copyright (C) 2006 Martin Willi, Andreas Steffen
14 *
15 * Hochschule fuer Technik Rapperswil
16 *
17 * This program is free software; you can redistribute it and/or modify it
18 * under the terms of the GNU General Public License as published by the
19 * Free Software Foundation; either version 2 of the License, or (at your
20 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
21 *
22 * This program is distributed in the hope that it will be useful, but
23 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
24 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
25 * for more details.
26 */
27
28 #ifndef X509_H_
29 #define X509_H_
30
/* Forward declaration of the certificate type. It is deliberately placed
 * before the includes below, presumably so that headers included afterwards
 * can refer to x509_t without a circular include (TODO confirm). */
typedef struct x509_t x509_t;
32
33 #include <library.h>
34 #include <crypto/rsa/rsa_public_key.h>
35 #include <crypto/certinfo.h>
36 #include <utils/identification.h>
37 #include <utils/iterator.h>
38 #include <utils/linked_list.h>
39
/* authority flags
 *
 * Locally assigned trust roles for a certificate. They are recorded on an
 * x509_t via add_authority_flags() and queried with has_authority_flag() /
 * get_authority_flags(). The values are distinct single bits, so they are
 * presumably meant to be combined with bitwise OR (TODO confirm). Note that
 * these are set by the caller and are not read out of the certificate itself
 * (compare is_ca() / is_ocsp_signer() on x509_t, which report extensions).
 */

#define AUTH_NONE	0x00	/* no authorities */
#define AUTH_CA		0x01	/* certification authority */
#define AUTH_AA		0x02	/* authorization authority */
#define AUTH_OCSP	0x04	/* ocsp signing authority */
46
/**
 * @brief X.509 certificate.
 *
 * Wraps one DER-encoded certificate and exposes accessors for its fields,
 * plus a few values that are set by the caller rather than read from the
 * certificate: the trusted-key lifetime (set_until), the status (set_status)
 * and the AUTH_* authority flags (add_authority_flags).
 *
 * NOTE(review): ownership of the pointers returned by get_public_key(),
 * get_issuer() and get_subject(), and of the chunks returned by the other
 * getters, is not stated in this header; the iterators returned by the
 * create_*_iterator() methods presumably have to be destroyed by the caller.
 * Confirm against the implementation before freeing or keeping any of them.
 *
 * @b Constructors:
 *  - x509_create_from_chunk()
 *  - x509_create_from_file()
 *
 * @ingroup crypto
 */
struct x509_t {

	/**
	 * @brief Set trusted public key life.
	 *
	 * @param this		calling object
	 * @param until		time until public key is trusted
	 */
	void (*set_until) (x509_t *this, time_t until);

	/**
	 * @brief Get trusted public key life.
	 *
	 * @param this		calling object
	 * @return			time until public key is trusted
	 */
	time_t (*get_until) (const x509_t *this);

	/**
	 * @brief Set the certificate status.
	 *
	 * @param this		calling object
	 * @param status	certificate status
	 */
	void (*set_status) (x509_t *this, cert_status_t status);

	/**
	 * @brief Get the certificate status.
	 *
	 * @param this		calling object
	 * @return			certificate status
	 */
	cert_status_t (*get_status) (const x509_t *this);

	/**
	 * @brief Add authority flags.
	 *
	 * @param this		calling object
	 * @param flags		AUTH_* flags to be added to those already set
	 */
	void (*add_authority_flags) (x509_t *this, u_int flags);

	/**
	 * @brief Get authority flags.
	 *
	 * NOTE(review): unlike the other getters this takes a non-const this;
	 * the declaration is left as is because implementations are assigned
	 * to this pointer type, but it is worth aligning with get_status().
	 *
	 * @param this		calling object
	 * @return			authority flags (AUTH_* values)
	 */
	u_int (*get_authority_flags) (x509_t *this);

	/**
	 * @brief Check a specific authority flag.
	 *
	 * NOTE(review): takes a non-const this, see get_authority_flags().
	 *
	 * @param this		calling object
	 * @param flag		AUTH_* flag to be checked
	 * @return			TRUE if flag is present
	 */
	bool (*has_authority_flag) (x509_t *this, u_int flag);

	/**
	 * @brief Get the DER-encoded X.509 certificate body.
	 *
	 * @param this		calling object
	 * @return			DER-encoded X.509 certificate
	 */
	chunk_t (*get_certificate) (const x509_t *this);

	/**
	 * @brief Get the RSA public key from the certificate.
	 *
	 * @param this		calling object
	 * @return			public_key
	 */
	rsa_public_key_t *(*get_public_key) (const x509_t *this);

	/**
	 * @brief Get serial number from the certificate.
	 *
	 * @param this		calling object
	 * @return			serialNumber
	 */
	chunk_t (*get_serialNumber) (const x509_t *this);

	/**
	 * @brief Get subjectKeyID from the certificate.
	 *
	 * @param this		calling object
	 * @return			subjectKeyID
	 */
	chunk_t (*get_subjectKeyID) (const x509_t *this);

	/**
	 * @brief Get keyid from the certificate's public key.
	 *
	 * @param this		calling object
	 * @return			keyid
	 */
	chunk_t (*get_keyid) (const x509_t *this);

	/**
	 * @brief Get the certificate issuer's ID.
	 *
	 * The resulting ID is always a identification_t
	 * of type ID_DER_ASN1_DN.
	 *
	 * @param this		calling object
	 * @return			issuers ID
	 */
	identification_t *(*get_issuer) (const x509_t *this);

	/**
	 * @brief Get the subjectDistinguishedName.
	 *
	 * The resulting ID is always a identification_t
	 * of type ID_DER_ASN1_DN.
	 *
	 * @param this		calling object
	 * @return			subjects ID
	 */
	identification_t *(*get_subject) (const x509_t *this);

	/**
	 * @brief Create an iterator for the crlDistributionPoints.
	 *
	 * @param this		calling object
	 * @return			iterator for crlDistributionPoints
	 */
	iterator_t *(*create_crluri_iterator) (const x509_t *this);

	/**
	 * @brief Create an iterator for the ocspAccessLocations.
	 *
	 * @param this		calling object
	 * @return			iterator for ocspAccessLocations
	 */
	iterator_t *(*create_ocspuri_iterator) (const x509_t *this);

	/**
	 * @brief Check if a certificate is trustworthy.
	 *
	 * NOTE(review): from the signature this presumably checks only this
	 * certificate's signature against the supplied key. Validity period and
	 * chain building are covered by is_valid() and is_issuer() and remain the
	 * caller's responsibility — confirm against the implementation.
	 *
	 * @param this		calling object
	 * @param signer	signer's RSA public key
	 * @return			TRUE if the check succeeds
	 */
	bool (*verify) (const x509_t *this, const rsa_public_key_t *signer);

	/**
	 * @brief Compare two certificates.
	 *
	 * Comparison is done via the certificates signature.
	 *
	 * @param this		first cert for compare
	 * @param that		second cert for compare
	 * @return			TRUE if signature is equal
	 */
	bool (*equals) (const x509_t *this, const x509_t *that);

	/**
	 * @brief Checks if the certificate contains a subjectAltName equal to id.
	 *
	 * @param this		certificate being examined
	 * @param id		id which is being compared to the subjectAltNames
	 * @return			TRUE if a match is found
	 */
	bool (*equals_subjectAltName) (const x509_t *this, identification_t *id);

	/**
	 * @brief Checks if the subject of the other cert is the issuer of this cert.
	 *
	 * @param this		certificate
	 * @param issuer	potential issuer certificate
	 * @return			TRUE if issuer is found
	 */
	bool (*is_issuer) (const x509_t *this, const x509_t *issuer);

	/**
	 * @brief Checks the validity interval of the certificate.
	 *
	 * @param this		certificate being examined
	 * @param until		in/out: updated to until = min(until, notAfter)
	 * @return			NULL if the certificate is valid, otherwise a non-NULL
	 *					err_t (presumably describing the failure — confirm)
	 */
	err_t (*is_valid) (const x509_t *this, time_t *until);

	/**
	 * @brief Returns the CA basic constraints flag.
	 *
	 * This reflects the certificate's own basicConstraints extension; it is
	 * distinct from the locally assigned AUTH_CA authority flag.
	 *
	 * @param this		certificate being examined
	 * @return			TRUE if the CA flag is set
	 */
	bool (*is_ca) (const x509_t *this);

	/**
	 * @brief Returns the OCSPSigner extended key usage flag.
	 *
	 * This reflects the certificate's own extendedKeyUsage extension; it is
	 * distinct from the locally assigned AUTH_OCSP authority flag.
	 *
	 * @param this		certificate being examined
	 * @return			TRUE if the OCSPSigner flag is set
	 */
	bool (*is_ocsp_signer) (const x509_t *this);

	/**
	 * @brief Checks if the certificate is self-signed (subject equals issuer).
	 *
	 * @param this		certificate being examined
	 * @return			TRUE if self-signed
	 */
	bool (*is_self_signed) (const x509_t *this);

	/**
	 * @brief Log the certificate info to out.
	 *
	 * @param this		calling object
	 * @param out		stream to write to
	 * @param utc		TRUE for UTC times, FALSE for local time
	 */
	void (*list)(x509_t *this, FILE *out, bool utc);

	/**
	 * @brief Destroys the certificate.
	 *
	 * @param this		certificate to destroy
	 */
	void (*destroy) (x509_t *this);
};
279
/**
 * @brief Read a x509 certificate from a DER encoded blob.
 *
 * NOTE(review): the header does not say whether the returned object keeps a
 * reference into chunk or copies it; confirm before releasing chunk.
 *
 * @param chunk		chunk containing DER encoded data
 * @param level		not documented in the original; presumably the current
 *					parsing level, as level0 in parse_generalNames() — confirm
 * @return			created x509_t certificate, or NULL if invalid. The caller
 *					presumably owns the result and releases it with destroy().
 *
 * @ingroup crypto
 */
x509_t *x509_create_from_chunk(chunk_t chunk, u_int level);
289
/**
 * @brief Read a x509 certificate from a DER encoded file.
 *
 * @param filename	file containing DER encoded data
 * @param label		label describing kind of certificate (presumably used only
 *					for logging — confirm)
 * @return			created x509_t certificate, or NULL if invalid (including,
 *					presumably, when the file cannot be read). The caller
 *					presumably owns the result and releases it with destroy().
 *
 * @ingroup crypto
 */
x509_t *x509_create_from_file(const char *filename, const char *label);
300
/**
 * @brief Parses a DER encoded authorityKeyIdentifier.
 *
 * NOTE(review): the header does not state whether the two output chunks point
 * into blob or are copies, nor what they contain when the extension lacks a
 * field; confirm against the implementation before freeing blob or relying
 * on either output being set.
 *
 * @param blob					blob containing DER encoded data
 * @param level0				indicates the current parsing level
 * @param authKeyID				out: assigned the authorityKeyIdentifier
 * @param authKeySerialNumber	out: assigned the authKeySerialNumber
 *
 * @ingroup crypto
 */
void parse_authorityKeyIdentifier(chunk_t blob, int level0, chunk_t *authKeyID, chunk_t *authKeySerialNumber);
312
/**
 * @brief Parses DER encoded generalNames.
 *
 * @param blob		blob containing DER encoded data
 * @param level0	indicates the current parsing level
 * @param implicit	TRUE if implicit tagging is used for the generalNames
 * @param list		linked list that receives the decoded generalNames
 *					(element type is not stated here; presumably
 *					identification_t — confirm)
 *
 * @ingroup crypto
 */
void parse_generalNames(chunk_t blob, int level0, bool implicit, linked_list_t *list);
324
325 #endif /* X509_H_ */