224 lines
5.7 KiB
C
224 lines
5.7 KiB
C
/*
|
|
* Copyright (C) 2007-2008 Martin Willi
|
|
* HSR Hochschule fuer Technik Rapperswil
|
|
*
|
|
* This program is free software; you can redistribute it and/or modify it
|
|
* under the terms of the GNU General Public License as published by the
|
|
* Free Software Foundation; either version 2 of the License, or (at your
|
|
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
|
|
*
|
|
* This program is distributed in the hope that it will be useful, but
|
|
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
|
|
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
|
* for more details.
|
|
*/
|
|
|
|
/**
|
|
* @defgroup x509 x509
|
|
* @{ @ingroup certificates
|
|
*/
|
|
|
|
#ifndef X509_H_
|
|
#define X509_H_
|
|
|
|
#include <collections/enumerator.h>
|
|
#include <credentials/certificates/certificate.h>
|
|
|
|
/* constraints are currently restricted to the range 0..127 */
|
|
#define X509_NO_CONSTRAINT 255
|
|
|
|
typedef struct x509_t x509_t;
|
|
typedef struct x509_cert_policy_t x509_cert_policy_t;
|
|
typedef struct x509_policy_mapping_t x509_policy_mapping_t;
|
|
typedef struct x509_cdp_t x509_cdp_t;
|
|
typedef enum x509_flag_t x509_flag_t;
|
|
typedef enum x509_constraint_t x509_constraint_t;
|
|
|
|
/**
|
|
* X.509 certificate flags.
|
|
*/
|
|
enum x509_flag_t {
|
|
/** cert has no constraints */
|
|
X509_NONE = 0,
|
|
/** cert has CA constraint */
|
|
X509_CA = (1<<0),
|
|
/** cert has AA constraint */
|
|
X509_AA = (1<<1),
|
|
/** cert has OCSP signer constraint */
|
|
X509_OCSP_SIGNER = (1<<2),
|
|
/** cert has either CA, AA or OCSP constraint */
|
|
X509_ANY = X509_CA | X509_AA | X509_OCSP_SIGNER,
|
|
/** cert has serverAuth key usage */
|
|
X509_SERVER_AUTH = (1<<3),
|
|
/** cert has clientAuth key usage */
|
|
X509_CLIENT_AUTH = (1<<4),
|
|
/** cert is self-signed */
|
|
X509_SELF_SIGNED = (1<<5),
|
|
/** cert has an ipAddrBlocks extension */
|
|
X509_IP_ADDR_BLOCKS = (1<<6),
|
|
/** cert has CRL sign key usage */
|
|
X509_CRL_SIGN = (1<<7),
|
|
/** cert has iKEIntermediate key usage */
|
|
X509_IKE_INTERMEDIATE = (1<<8),
|
|
/** cert has Microsoft Smartcard Logon usage */
|
|
X509_MS_SMARTCARD_LOGON = (1<<9),
|
|
/** cert either lacks keyUsage bits, or includes either digitalSignature
|
|
* or nonRepudiation as per RFC 4945, section 5.1.3.2. */
|
|
X509_IKE_COMPLIANT = (1<<10),
|
|
};
|
|
|
|
extern enum_name_t *x509_flag_names;
|
|
|
|
/**
|
|
* Different numerical X.509 constraints.
|
|
*/
|
|
enum x509_constraint_t {
|
|
/** pathLenConstraint basicConstraints */
|
|
X509_PATH_LEN,
|
|
/** inhibitPolicyMapping policyConstraint */
|
|
X509_INHIBIT_POLICY_MAPPING,
|
|
/** requireExplicitPolicy policyConstraint */
|
|
X509_REQUIRE_EXPLICIT_POLICY,
|
|
/** inhibitAnyPolicy constraint */
|
|
X509_INHIBIT_ANY_POLICY,
|
|
};
|
|
|
|
/**
|
|
* X.509 certPolicy extension.
|
|
*/
|
|
struct x509_cert_policy_t {
|
|
/** Certification Practice Statement URI qualifier */
|
|
char *cps_uri;
|
|
/** UserNotice Text qualifier */
|
|
char *unotice_text;
|
|
/** OID of certPolicy */
|
|
chunk_t oid;
|
|
};
|
|
|
|
/**
|
|
* X.509 policyMapping extension
|
|
*/
|
|
struct x509_policy_mapping_t {
|
|
/** OID of issuerDomainPolicy */
|
|
chunk_t issuer;
|
|
/** OID of subjectDomainPolicy */
|
|
chunk_t subject;
|
|
};
|
|
|
|
/**
|
|
* X.509 CRL distributionPoint
|
|
*/
|
|
struct x509_cdp_t {
|
|
/** CDP URI, as string */
|
|
char *uri;
|
|
/** CRL issuer */
|
|
identification_t *issuer;
|
|
};
|
|
|
|
/**
|
|
* X.509 certificate interface.
|
|
*
|
|
* This interface adds additional methods to the certificate_t type to
|
|
* allow further operations on these certificates.
|
|
*/
|
|
struct x509_t {
|
|
|
|
/**
|
|
* Implements certificate_t.
|
|
*/
|
|
certificate_t interface;
|
|
|
|
/**
|
|
* Get the flags set for this certificate.
|
|
*
|
|
* @return set of flags
|
|
*/
|
|
x509_flag_t (*get_flags)(x509_t *this);
|
|
|
|
/**
|
|
* Get the certificate serial number.
|
|
*
|
|
* @return chunk pointing to internal serial number
|
|
*/
|
|
chunk_t (*get_serial)(x509_t *this);
|
|
|
|
/**
|
|
* Get the the subjectKeyIdentifier.
|
|
*
|
|
* @return subjectKeyIdentifier as chunk_t, internal data
|
|
*/
|
|
chunk_t (*get_subjectKeyIdentifier)(x509_t *this);
|
|
|
|
/**
|
|
* Get the the authorityKeyIdentifier.
|
|
*
|
|
* @return authKeyIdentifier as chunk_t, internal data
|
|
*/
|
|
chunk_t (*get_authKeyIdentifier)(x509_t *this);
|
|
|
|
/**
|
|
* Get a numerical X.509 constraint.
|
|
*
|
|
* @param type type of constraint to get
|
|
* @return constraint, X509_NO_CONSTRAINT if none found
|
|
*/
|
|
u_int (*get_constraint)(x509_t *this, x509_constraint_t type);
|
|
|
|
/**
|
|
* Create an enumerator over all subjectAltNames.
|
|
*
|
|
* @return enumerator over subjectAltNames as identification_t*
|
|
*/
|
|
enumerator_t* (*create_subjectAltName_enumerator)(x509_t *this);
|
|
|
|
/**
|
|
* Create an enumerator over all CRL URIs and CRL Issuers.
|
|
*
|
|
* @return enumerator over x509_cdp_t
|
|
*/
|
|
enumerator_t* (*create_crl_uri_enumerator)(x509_t *this);
|
|
|
|
/**
|
|
* Create an enumerator over all OCSP URIs.
|
|
*
|
|
* @return enumerator over URIs as char*
|
|
*/
|
|
enumerator_t* (*create_ocsp_uri_enumerator)(x509_t *this);
|
|
|
|
/**
|
|
* Create an enumerator over all ipAddrBlocks.
|
|
*
|
|
* @return enumerator over ipAddrBlocks as traffic_selector_t*
|
|
*/
|
|
enumerator_t* (*create_ipAddrBlock_enumerator)(x509_t *this);
|
|
|
|
/**
|
|
* Create an enumerator over name constraints.
|
|
*
|
|
* @param perm TRUE for permitted, FALSE for excluded subtrees
|
|
* @return enumerator over subtrees as identification_t
|
|
*/
|
|
enumerator_t* (*create_name_constraint_enumerator)(x509_t *this, bool perm);
|
|
|
|
/**
|
|
* Create an enumerator over certificate policies.
|
|
*
|
|
* @return enumerator over x509_cert_policy_t
|
|
*/
|
|
enumerator_t* (*create_cert_policy_enumerator)(x509_t *this);
|
|
|
|
/**
|
|
* Create an enumerator over policy mappings.
|
|
*
|
|
* @return enumerator over x509_policy_mapping
|
|
*/
|
|
enumerator_t* (*create_policy_mapping_enumerator)(x509_t *this);
|
|
};
|
|
|
|
/**
|
|
* Destroy an x509_cdp_t instance.
|
|
*/
|
|
void x509_cdp_destroy(x509_cdp_t *this);
|
|
|
|
#endif /** X509_H_ @}*/
|