Made some useful methods in the credential manager public
authorMartin Willi <martin@revosec.ch>
Mon, 5 Jul 2010 13:24:19 +0000 (15:24 +0200)
committerMartin Willi <martin@revosec.ch>
Tue, 13 Jul 2010 08:26:07 +0000 (10:26 +0200)
src/libstrongswan/credentials/credential_manager.c
src/libstrongswan/credentials/credential_manager.h

index 709c5e2..8df232b 100644 (file)
@@ -375,11 +375,8 @@ METHOD(credential_manager_t, get_shared, shared_key_t*,
        return found;
 }
 
-/**
- * add a credential set to the thread local list
- */
-static void add_local_set(private_credential_manager_t *this,
-                                                 credential_set_t *set)
+METHOD(credential_manager_t, add_local_set, void,
+       private_credential_manager_t *this, credential_set_t *set)
 {
        linked_list_t *sets;
 
@@ -392,11 +389,8 @@ static void add_local_set(private_credential_manager_t *this,
        sets->insert_last(sets, set);
 }
 
-/**
- * remove a credential set from the thread local list
- */
-static void remove_local_set(private_credential_manager_t *this,
-                                                        credential_set_t *set)
+METHOD(credential_manager_t, remove_local_set, void,
+       private_credential_manager_t *this, credential_set_t *set)
 {
        linked_list_t *sets;
 
@@ -1265,11 +1259,9 @@ METHOD(enumerator_t, trusted_destroy, void,
        free(this);
 }
 
-/**
- * create an enumerator over trusted certificates and their trustchain
- */
-static enumerator_t *create_trusted_enumerator(private_credential_manager_t *this,
-                                       key_type_t type, identification_t *id, bool online)
+METHOD(credential_manager_t, create_trusted_enumerator, enumerator_t*,
+       private_credential_manager_t *this, key_type_t type,
+       identification_t *id, bool online)
 {
        trusted_enumerator_t *enumerator;
 
@@ -1539,6 +1531,13 @@ METHOD(credential_manager_t, flush_cache, void,
        this->cache->flush(this->cache, type);
 }
 
+METHOD(credential_manager_t, issued_by, bool,
+       private_credential_manager_t *this, certificate_t *subject,
+       certificate_t *issuer)
+{
+       return this->cache->issued_by(this->cache, subject, issuer);
+}
+
 METHOD(credential_manager_t, add_set, void,
        private_credential_manager_t *this, credential_set_t *set)
 {
@@ -1601,11 +1600,15 @@ credential_manager_t *credential_manager_create()
                        .get_cert = _get_cert,
                        .get_shared = _get_shared,
                        .get_private = _get_private,
+                       .create_trusted_enumerator = _create_trusted_enumerator,
                        .create_public_enumerator = _create_public_enumerator,
                        .flush_cache = _flush_cache,
                        .cache_cert = _cache_cert,
+                       .issued_by = _issued_by,
                        .add_set = _add_set,
                        .remove_set = _remove_set,
+                       .add_local_set = _add_local_set,
+                       .remove_local_set = _remove_local_set,
                        .add_validator = _add_validator,
                        .remove_validator = _remove_validator,
                        .destroy = _destroy,
index ed0c3fa..04269cf 100644 (file)
@@ -143,6 +143,24 @@ struct credential_manager_t {
                                                                  identification_t *id, auth_cfg_t *auth);
 
        /**
+        * Create an enumerator over trusted certificates.
+        *
+        * This method creates an enumerator over trusted certificates. The auth
+        * parameter (if given) recevies the trustchain used to validate
+        * the certificate. The resulting enumerator enumerates over
+        * certificate_t*, auth_cfg_t*.
+        * If online is set, revocations are checked online for the whole
+        * trustchain.
+        *
+        * @param type          type of the key we want a certificate for
+        * @param id            subject of the certificate
+        * @param online        whether revocations should be checked online
+        * @return                      enumerator
+        */
+       enumerator_t* (*create_trusted_enumerator)(credential_manager_t *this,
+                                       key_type_t type, identification_t *id, bool online);
+
+       /**
         * Create an enumerator over trusted public keys.
         *
         * This method gets a an enumerator over trusted public keys to verify a
@@ -150,6 +168,8 @@ struct credential_manager_t {
         * authentication infos, e.g. peer and intermediate certificates.
         * The resulting enumerator enumerates over public_key_t *, auth_cfg_t *,
         * where the auth config helper contains rules for constraint checks.
+        * This function is very similar to create_trusted_enumerator(), but
+        * gets public keys directly.
         *
         * @param type          type of the key to get
         * @param id            owner of the key, signer of the signature
@@ -177,6 +197,19 @@ struct credential_manager_t {
        void (*flush_cache)(credential_manager_t *this, certificate_type_t type);
 
        /**
+        * Check if a given subject certificate is issued by an issuer certificate.
+        *
+        * This operation does signature verification, but uses the credential
+        * managers cache for to speed up the operation.
+        *
+        * @param subject       subject certificate to check
+        * @param issuer        issuer certificate that potentially has signed subject
+        * @return                      TRUE if issuer signed subject
+        */
+       bool (*issued_by)(credential_manager_t *this,
+                                         certificate_t *subject, certificate_t *issuer);
+
+       /**
         * Register a credential set to the manager.
         *
         * @param set           set to register
@@ -191,6 +224,25 @@ struct credential_manager_t {
        void (*remove_set)(credential_manager_t *this, credential_set_t *set);
 
        /**
+        * Register a thread local credential set to the manager.
+        *
+        * To add a credential set for the current trustchain verification
+        * operation, sets may be added for the calling thread only. This
+        * does not require a write lock and is therefore a much less expensive
+        * operation.
+        *
+        * @param set           set to register
+        */
+       void (*add_local_set)(credential_manager_t *this, credential_set_t *set);
+
+       /**
+        * Unregister a thread local credential set from the manager.
+        *
+        * @param set           set to unregister
+        */
+       void (*remove_local_set)(credential_manager_t *this, credential_set_t *set);
+
+       /**
         * Register a certificate validator to the manager.
         *
         * @param vdtr          validator to register