Add a generic interface for crypto containers and a more specific PKCS#7 interface

src/libstrongswan/Makefile.am

@@ -16,6 +16,7 @@ credentials/cred_encoding.c credentials/keys/private_key.c \
 credentials/keys/public_key.c credentials/keys/shared_key.c \
 credentials/certificates/certificate.c credentials/certificates/crl.c \
 credentials/certificates/ocsp_response.c \
+credentials/containers/container.c \
 credentials/ietf_attributes/ietf_attributes.c credentials/credential_manager.c \
 credentials/sets/auth_cfg_wrapper.c credentials/sets/ocsp_response_wrapper.c \
 credentials/sets/cert_cache.c credentials/sets/mem_cred.c \
@@ -54,6 +55,7 @@ credentials/certificates/ac.h credentials/certificates/crl.h \
 credentials/certificates/pkcs10.h credentials/certificates/ocsp_request.h \
 credentials/certificates/ocsp_response.h \
 credentials/certificates/pgp_certificate.h \
+credentials/containers/container.h credentials/containers/pkcs7.h \
 credentials/ietf_attributes/ietf_attributes.h \
 credentials/credential_manager.h credentials/sets/auth_cfg_wrapper.h \
 credentials/sets/ocsp_response_wrapper.h credentials/sets/cert_cache.h \

src/libstrongswan/credentials/containers/container.c

@@ -0,0 +1,23 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "container.h"
+
+ENUM(container_type_names, CONTAINER_PKCS7_DATA, CONTAINER_PKCS7_ENVELOPED_DATA,
+	"PKCS7",
+	"PKCS7_DATA",
+	"PKCS7_SIGNED_DATA",
+	"PKCS7_ENVELOPED_DATA",
+);

src/libstrongswan/credentials/containers/container.h

@@ -0,0 +1,93 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup container container
+ * @{ @ingroup containers
+ */
+
+#ifndef CONTAINER_H_
+#define CONTAINER_H_
+
+typedef struct container_t container_t;
+typedef enum container_type_t container_type_t;
+
+#include <utils/chunk.h>
+#include <collections/enumerator.h>
+
+/**
+ * Type of the container.
+ */
+enum container_type_t {
+	/* Any kind of PKCS7/CMS container */
+	CONTAINER_PKCS7,
+	/* PKCS7/CMS plain "data" */
+	CONTAINER_PKCS7_DATA,
+	/* PKCS7/CMS "signed-data" */
+	CONTAINER_PKCS7_SIGNED_DATA,
+	/* PKCS7/CMS "enveloped-data" */
+	CONTAINER_PKCS7_ENVELOPED_DATA,
+};
+
+/**
+ * Enum names for container_type_t
+ */
+extern enum_name_t *container_type_names;
+
+/**
+ * Generic interface for cryptographic containers.
+ */
+struct container_t {
+
+	/**
+	 * Get the type of the container.
+	 *
+	 * @return		container type
+	 */
+	container_type_t (*get_type)(container_t *this);
+
+	/**
+	 * Create an enumerator over trustchains for valid container signatures.
+	 *
+	 * @return		enumerator over auth_cfg_t*
+	 */
+	enumerator_t* (*create_signature_enumerator)(container_t *this);
+
+	/**
+	 * Get signed/decrypted data wrapped in this container.
+	 *
+	 * This function does not verify any associated signatures, use
+	 * create_signature_enumerator() to verify them.
+	 *
+	 * @param data	allocated data wrapped in this container
+	 * @return		TRUE if data decrypted successfully
+	 */
+	bool (*get_data)(container_t *this, chunk_t *data);
+
+	/**
+	 * Get the encoding of the full signed/encrypted container.
+	 *
+	 * @param data	allocated container encoding
+	 * @return		TRUE if encodign successful
+	 */
+	bool (*get_encoding)(container_t *this, chunk_t *encoding);
+
+	/**
+	 * Destroy a container_t.
+	 */
+	void (*destroy)(container_t *this);
+};
+
+#endif /** CONTAINER_H_ @}*/

src/libstrongswan/credentials/containers/pkcs7.h

@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pkcs7 pkcs7
+ * @{ @ingroup containers
+ */
+
+#ifndef PKCS7_H_
+#define PKCS7_H_
+
+#include <credentials/containers/container.h>
+
+typedef struct pkcs7_t pkcs7_t;
+
+/**
+ * PKCS#7/CMS container type.
+ */
+struct pkcs7_t {
+
+	/**
+	 * Implements container_t.
+	 */
+	container_t container;
+};
+
+#endif /** PKCS7_H_ @}*/

src/libstrongswan/credentials/credential_factory.c

@@ -22,12 +22,13 @@
 #include <threading/thread_value.h>
 #include <threading/rwlock.h>
 #include <credentials/certificates/x509.h>
+#include <credentials/containers/container.h>
 
-ENUM(credential_type_names, CRED_PRIVATE_KEY, CRED_CERTIFICATE,
+ENUM(credential_type_names, CRED_PRIVATE_KEY, CRED_CONTAINER,
 	"CRED_PRIVATE_KEY",
 	"CRED_PUBLIC_KEY",
 	"CRED_CERTIFICATE",
-	"CRED_PLUTO_CERT",
+	"CRED_CONTAINER",
 );
 
 typedef struct private_credential_factory_t private_credential_factory_t;
@@ -139,11 +140,21 @@ METHOD(credential_factory_t, create, void*,
 
 	if (!construct && !level)
 	{
-		enum_name_t *names = key_type_names;
+		enum_name_t *names;
 
-		if (type == CRED_CERTIFICATE)
+		switch (type)
 		{
-			names = certificate_type_names;
+			case CRED_CERTIFICATE:
+				names = certificate_type_names;
+				break;
+			case CRED_CONTAINER:
+				names = container_type_names;
+				break;
+			case CRED_PRIVATE_KEY:
+			case CRED_PUBLIC_KEY:
+			default:
+				names = key_type_names;
+				break;
 		}
 		DBG1(DBG_LIB, "building %N - %N failed, tried %d builders",
 			 credential_type_names, type, names, subtype, failures);

src/libstrongswan/credentials/credential_factory.h

@@ -28,6 +28,9 @@ typedef enum credential_type_t credential_type_t;
 
 /**
  * Kind of credential.
+ *
+ * While crypto containers are not really credentials, we still use the
+ * credential factory and builders create them.
  */
 enum credential_type_t {
 	/** private key, implemented in private_key_t */
@@ -36,6 +39,8 @@ enum credential_type_t {
 	CRED_PUBLIC_KEY,
 	/** certificates, implemented in certificate_t */
 	CRED_CERTIFICATE,
+	/** crypto container, implemented in container_t */
+	CRED_CONTAINER,
 };
 
 /**