Return to certificate.h CVS log | Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / strongswan / src / libstrongswan / credentials / certificates |
1.1 misho 1: /* 1.1.1.2 ! misho 2: * Copyright (C) 2020 Tobias Brunner 1.1 misho 3: * Copyright (C) 2007-2008 Martin Willi 4: * HSR Hochschule fuer Technik Rapperswil 5: * 6: * This program is free software; you can redistribute it and/or modify it 7: * under the terms of the GNU General Public License as published by the 8: * Free Software Foundation; either version 2 of the License, or (at your 9: * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. 10: * 11: * This program is distributed in the hope that it will be useful, but 12: * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY 13: * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 14: * for more details. 15: */ 16: 17: /** 18: * @defgroup certificate certificate 19: * @{ @ingroup certificates 20: */ 21: 22: #ifndef CERTIFICATE_H_ 23: #define CERTIFICATE_H_ 24: 25: typedef struct certificate_t certificate_t; 26: typedef enum certificate_type_t certificate_type_t; 27: typedef enum cert_validation_t cert_validation_t; 28: 29: #include <utils/identification.h> 30: #include <credentials/keys/public_key.h> 31: #include <credentials/keys/signature_params.h> 32: #include <credentials/cred_encoding.h> 33: 34: /** 35: * Kind of a certificate_t 36: */ 37: enum certificate_type_t { 38: /** just any certificate */ 39: CERT_ANY, 40: /** X.509 certificate */ 41: CERT_X509, 42: /** X.509 certificate revocation list */ 43: CERT_X509_CRL, 44: /** X.509 online certificate status protocol request */ 45: CERT_X509_OCSP_REQUEST, 46: /** X.509 online certificate status protocol response */ 47: CERT_X509_OCSP_RESPONSE, 48: /** X.509 attribute certificate */ 49: CERT_X509_AC, 50: /** trusted, preinstalled public key */ 51: CERT_TRUSTED_PUBKEY, 52: /** PKCS#10 certificate request */ 53: CERT_PKCS10_REQUEST, 54: /** PGP certificate */ 55: CERT_GPG, 56: }; 57: 58: /** 59: * Enum names for certificate_type_t 60: */ 61: extern enum_name_t *certificate_type_names; 62: 63: /** 64: * Result of a certificate validation. 65: * 66: * Order of values is relevant, sorted from good to bad. 67: */ 68: enum cert_validation_t { 69: /** certificate has been validated successfully */ 70: VALIDATION_GOOD = 0, 71: /** validation has been skipped due to missing validation information */ 72: VALIDATION_SKIPPED, 73: /** certificate has been validated, but check based on stale information */ 74: VALIDATION_STALE, 75: /** validation failed due to a processing error */ 76: VALIDATION_FAILED, 77: /** certificate is on hold (i.e. temporary revocation) */ 78: VALIDATION_ON_HOLD, 79: /** certificate has been revoked */ 80: VALIDATION_REVOKED, 81: }; 82: 83: /** 84: * Enum names for cert_validation_t 85: */ 86: extern enum_name_t *cert_validation_names; 87: 88: /** 89: * An abstract certificate. 90: * 91: * A certificate designs a subject-issuer relationship. It may have an 92: * associated public key. 93: */ 94: struct certificate_t { 95: 96: /** 97: * Get the type of the certificate. 98: * 99: * @return certificate type 100: */ 101: certificate_type_t (*get_type)(certificate_t *this); 102: 103: /** 104: * Get the primary subject to which this certificate belongs. 105: * 106: * @return subject identity 107: */ 108: identification_t* (*get_subject)(certificate_t *this); 109: 110: /** 111: * Check if certificate contains a subject ID. 112: * 113: * A certificate may contain additional subject identifiers, which are 114: * not returned by get_subject (e.g. subjectAltNames) 115: * 116: * @param subject subject identity 117: * @return matching value of best match 118: */ 119: id_match_t (*has_subject)(certificate_t *this, identification_t *subject); 120: 121: /** 122: * Get the issuer which signed this certificate. 123: * 124: * @return issuer identity 125: */ 126: identification_t* (*get_issuer)(certificate_t *this); 127: 128: /** 129: * Check if certificate contains an issuer ID. 130: * 131: * A certificate may contain additional issuer identifiers, which are 132: * not returned by get_issuer (e.g. issuerAltNames) 133: * 134: * @param subject issuer identity 135: * @return matching value of best match 136: */ 137: id_match_t (*has_issuer)(certificate_t *this, identification_t *issuer); 138: 139: /** 140: * Check if this certificate is issued and signed by a specific issuer. 141: * 142: * @param issuer issuer's certificate 143: * @param scheme receives used signature scheme and parameters, if 144: * given (allocated) 145: * @return TRUE if certificate issued by issuer and trusted 146: */ 147: bool (*issued_by)(certificate_t *this, certificate_t *issuer, 148: signature_params_t **scheme); 149: 150: /** 151: * Get the public key associated to this certificate. 152: * 153: * @return newly referenced public_key, NULL if none available 154: */ 155: public_key_t* (*get_public_key)(certificate_t *this); 156: 157: /** 158: * Check the lifetime of the certificate. 159: * 160: * @param when check validity at a certain time (NULL for now) 161: * @param not_before receives certificates start of lifetime 162: * @param not_after receives certificates end of lifetime 163: * @return TRUE if when between not_after and not_before 164: */ 165: bool (*get_validity)(certificate_t *this, time_t *when, 166: time_t *not_before, time_t *not_after); 167: 168: /** 169: * Get the certificate in an encoded form as a chunk. 170: * 171: * @param type type of the encoding, one of CERT_* 172: * @param encoding encoding of the key, allocated 173: * @return TRUE if encoding supported 174: */ 175: bool (*get_encoding)(certificate_t *this, cred_encoding_type_t type, 176: chunk_t *encoding); 177: 178: /** 179: * Check if two certificates are equal. 180: * 181: * @param other certificate to compare against this 182: * @return TRUE if certificates are equal 183: */ 184: bool (*equals)(certificate_t *this, certificate_t *other); 185: 186: /** 187: * Get a new reference to the certificate. 188: * 189: * @return this, with an increased refcount 190: */ 191: certificate_t* (*get_ref)(certificate_t *this); 192: 193: /** 194: * Destroy a certificate. 195: */ 196: void (*destroy)(certificate_t *this); 197: }; 198: 199: /** 200: * Generic check if a given certificate is newer than another. 201: * 202: * @param cert certificate 203: * @param other certificate to compare to 204: * @return TRUE if this newer than other 205: */ 206: bool certificate_is_newer(certificate_t *cert, certificate_t *other); 207: 1.1.1.2 ! misho 208: /** ! 209: * Check if the given certificate matches the given type, key type and identity, ! 210: * all of which are optional. ! 211: * ! 212: * Note that the identity may also be a public key fingerprint. ! 213: * ! 214: * @param cert certificate ! 215: * @param type certificate type to match, or CERT_ANY ! 216: * @param key key type to match, or KEY_ANY ! 217: * @param id identity to match, or NULL ! 218: */ ! 219: bool certificate_matches(certificate_t *cert, certificate_type_t type, ! 220: key_type_t key, identification_t *id); ! 221: 1.1 misho 222: #endif /** CERTIFICATE_H_ @}*/