/*
* Copyright (C) 2007-2008 Martin Willi
* HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*/
/**
* @defgroup x509 x509
* @{ @ingroup certificates
*/
#ifndef X509_H_
#define X509_H_
#include <collections/enumerator.h>
#include <credentials/certificates/certificate.h>
/* constraints are currently restricted to the range 0..127 */
#define X509_NO_CONSTRAINT 255
typedef struct x509_t x509_t;
typedef struct x509_cert_policy_t x509_cert_policy_t;
typedef struct x509_policy_mapping_t x509_policy_mapping_t;
typedef struct x509_cdp_t x509_cdp_t;
typedef enum x509_flag_t x509_flag_t;
typedef enum x509_constraint_t x509_constraint_t;
/**
* X.509 certificate flags.
*/
enum x509_flag_t {
/** cert has no constraints */
X509_NONE = 0,
/** cert has CA constraint */
X509_CA = (1<<0),
/** cert has AA constraint */
X509_AA = (1<<1),
/** cert has OCSP signer constraint */
X509_OCSP_SIGNER = (1<<2),
/** cert has either CA, AA or OCSP constraint */
X509_ANY = X509_CA | X509_AA | X509_OCSP_SIGNER,
/** cert has serverAuth key usage */
X509_SERVER_AUTH = (1<<3),
/** cert has clientAuth key usage */
X509_CLIENT_AUTH = (1<<4),
/** cert is self-signed */
X509_SELF_SIGNED = (1<<5),
/** cert has an ipAddrBlocks extension */
X509_IP_ADDR_BLOCKS = (1<<6),
/** cert has CRL sign key usage */
X509_CRL_SIGN = (1<<7),
/** cert has iKEIntermediate key usage */
X509_IKE_INTERMEDIATE = (1<<8),
/** cert has Microsoft Smartcard Logon usage */
X509_MS_SMARTCARD_LOGON = (1<<9),
/** cert either lacks keyUsage bits, or includes either digitalSignature
* or nonRepudiation as per RFC 4945, section 5.1.3.2. */
X509_IKE_COMPLIANT = (1<<10),
};
extern enum_name_t *x509_flag_names;
/**
* Different numerical X.509 constraints.
*/
enum x509_constraint_t {
/** pathLenConstraint basicConstraints */
X509_PATH_LEN,
/** inhibitPolicyMapping policyConstraint */
X509_INHIBIT_POLICY_MAPPING,
/** requireExplicitPolicy policyConstraint */
X509_REQUIRE_EXPLICIT_POLICY,
/** inhibitAnyPolicy constraint */
X509_INHIBIT_ANY_POLICY,
};
/**
* X.509 certPolicy extension.
*/
struct x509_cert_policy_t {
/** Certification Practice Statement URI qualifier */
char *cps_uri;
/** UserNotice Text qualifier */
char *unotice_text;
/** OID of certPolicy */
chunk_t oid;
};
/**
* X.509 policyMapping extension
*/
struct x509_policy_mapping_t {
/** OID of issuerDomainPolicy */
chunk_t issuer;
/** OID of subjectDomainPolicy */
chunk_t subject;
};
/**
* X.509 CRL distributionPoint
*/
struct x509_cdp_t {
/** CDP URI, as string */
char *uri;
/** CRL issuer */
identification_t *issuer;
};
/**
* X.509 certificate interface.
*
* This interface adds additional methods to the certificate_t type to
* allow further operations on these certificates.
*/
struct x509_t {
/**
* Implements certificate_t.
*/
certificate_t interface;
/**
* Get the flags set for this certificate.
*
* @return set of flags
*/
x509_flag_t (*get_flags)(x509_t *this);
/**
* Get the certificate serial number.
*
* @return chunk pointing to internal serial number
*/
chunk_t (*get_serial)(x509_t *this);
/**
* Get the the subjectKeyIdentifier.
*
* @return subjectKeyIdentifier as chunk_t, internal data
*/
chunk_t (*get_subjectKeyIdentifier)(x509_t *this);
/**
* Get the the authorityKeyIdentifier.
*
* @return authKeyIdentifier as chunk_t, internal data
*/
chunk_t (*get_authKeyIdentifier)(x509_t *this);
/**
* Get a numerical X.509 constraint.
*
* @param type type of constraint to get
* @return constraint, X509_NO_CONSTRAINT if none found
*/
u_int (*get_constraint)(x509_t *this, x509_constraint_t type);
/**
* Create an enumerator over all subjectAltNames.
*
* @return enumerator over subjectAltNames as identification_t*
*/
enumerator_t* (*create_subjectAltName_enumerator)(x509_t *this);
/**
* Create an enumerator over all CRL URIs and CRL Issuers.
*
* @return enumerator over x509_cdp_t
*/
enumerator_t* (*create_crl_uri_enumerator)(x509_t *this);
/**
* Create an enumerator over all OCSP URIs.
*
* @return enumerator over URIs as char*
*/
enumerator_t* (*create_ocsp_uri_enumerator)(x509_t *this);
/**
* Create an enumerator over all ipAddrBlocks.
*
* @return enumerator over ipAddrBlocks as traffic_selector_t*
*/
enumerator_t* (*create_ipAddrBlock_enumerator)(x509_t *this);
/**
* Create an enumerator over name constraints.
*
* @param perm TRUE for permitted, FALSE for excluded subtrees
* @return enumerator over subtrees as identification_t
*/
enumerator_t* (*create_name_constraint_enumerator)(x509_t *this, bool perm);
/**
* Create an enumerator over certificate policies.
*
* @return enumerator over x509_cert_policy_t
*/
enumerator_t* (*create_cert_policy_enumerator)(x509_t *this);
/**
* Create an enumerator over policy mappings.
*
* @return enumerator over x509_policy_mapping
*/
enumerator_t* (*create_policy_mapping_enumerator)(x509_t *this);
};
/**
* Destroy an x509_cdp_t instance.
*/
void x509_cdp_destroy(x509_cdp_t *this);
#endif /** X509_H_ @}*/
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>
![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to x509.h CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / strongswan / src / libstrongswan / credentials / certificates