summaryrefslogtreecommitdiff
path: root/src/libstrongswan/credentials
diff options
context:
space:
mode:
authorRene Mayrhofer <rene@mayrhofer.eu.org>2008-07-09 21:02:41 +0000
committerRene Mayrhofer <rene@mayrhofer.eu.org>2008-07-09 21:02:41 +0000
commitdb67c87db3c9089ea8d2e14f617bf3d9e2af261f (patch)
tree665c0caea83d34c11c1517c4c57137bb58cba6fb /src/libstrongswan/credentials
parent1c088a8b6237ec67f63c23f97a0f2dc4e99af869 (diff)
downloadvyos-strongswan-db67c87db3c9089ea8d2e14f617bf3d9e2af261f.tar.gz
vyos-strongswan-db67c87db3c9089ea8d2e14f617bf3d9e2af261f.zip
[svn-upgrade] Integrating new upstream version, strongswan (4.2.4)
Diffstat (limited to 'src/libstrongswan/credentials')
-rw-r--r--src/libstrongswan/credentials/builder.c38
-rw-r--r--src/libstrongswan/credentials/builder.h115
-rw-r--r--src/libstrongswan/credentials/certificates/ac.h86
-rw-r--r--src/libstrongswan/credentials/certificates/certificate.c41
-rw-r--r--src/libstrongswan/credentials/certificates/certificate.h192
-rw-r--r--src/libstrongswan/credentials/certificates/crl.c31
-rw-r--r--src/libstrongswan/credentials/certificates/crl.h88
-rw-r--r--src/libstrongswan/credentials/certificates/ocsp_request.h41
-rw-r--r--src/libstrongswan/credentials/certificates/ocsp_response.c29
-rw-r--r--src/libstrongswan/credentials/certificates/ocsp_response.h84
-rw-r--r--src/libstrongswan/credentials/certificates/x509.c26
-rw-r--r--src/libstrongswan/credentials/certificates/x509.h107
-rw-r--r--src/libstrongswan/credentials/credential_factory.c312
-rw-r--r--src/libstrongswan/credentials/credential_factory.h105
-rw-r--r--src/libstrongswan/credentials/keys/private_key.c19
-rw-r--r--src/libstrongswan/credentials/keys/private_key.h114
-rw-r--r--src/libstrongswan/credentials/keys/public_key.c37
-rw-r--r--src/libstrongswan/credentials/keys/public_key.h155
-rw-r--r--src/libstrongswan/credentials/keys/shared_key.c111
-rw-r--r--src/libstrongswan/credentials/keys/shared_key.h95
20 files changed, 1826 insertions, 0 deletions
diff --git a/src/libstrongswan/credentials/builder.c b/src/libstrongswan/credentials/builder.c
new file mode 100644
index 000000000..c13a8a860
--- /dev/null
+++ b/src/libstrongswan/credentials/builder.c
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "builder.h"
+
+ENUM(builder_part_names, BUILD_BLOB_ASN1_DER, BUILD_END,
+ "BUILD_FROM_FILE",
+ "BUILD_BLOB_ASN1_DER",
+ "BUILD_BLOB_ASN1_PEM",
+ "BUILD_KEY_SIZE",
+ "BUILD_SIGNING_KEY",
+ "BUILD_SIGNING_CERT",
+ "BUILD_PUBLIC_KEY",
+ "BUILD_SUBJECT",
+ "BUILD_SUBJECT_ALTNAME",
+ "BUILD_ISSUER",
+ "BUILD_ISSUER_ALTNAME",
+ "BUILD_NOT_BEFORE_TIME",
+ "BUILD_NOT_AFTER_TIME",
+ "BUILD_SERIAL",
+ "BUILD_IETF_GROUP_ATTR",
+ "BUILD_CA_CERT",
+ "BUILD_CERT",
+ "BUILD_X509_FLAG",
+ "BUILD_END",
+);
diff --git a/src/libstrongswan/credentials/builder.h b/src/libstrongswan/credentials/builder.h
new file mode 100644
index 000000000..22c106b7a
--- /dev/null
+++ b/src/libstrongswan/credentials/builder.h
@@ -0,0 +1,115 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup builder builder
+ * @{ @ingroup credentials
+ */
+
+#ifndef BUILDER_H_
+#define BUILDER_H_
+
+typedef struct builder_t builder_t;
+typedef enum builder_part_t builder_part_t;
+
+/**
+ * Constructor function which creates a new builder instance.
+ *
+ * @param subtype constructor specific subtype, e.g. certificate_type_t
+ * @return builder to construct a instance of type
+ */
+typedef builder_t* (*builder_constructor_t)(int subtype);
+
+#include <library.h>
+
+/**
+ * Parts to build credentials from.
+ */
+enum builder_part_t {
+ /** path to a file containing an ASN1 blob, char* */
+ BUILD_FROM_FILE,
+ /** DER encoded ASN1 blob, chunk_t */
+ BUILD_BLOB_ASN1_DER,
+ /** PEM encoded ASN1 blob, null terminated char* */
+ BUILD_BLOB_ASN1_PEM,
+ /** key size in bits, as used for key generation, u_int */
+ BUILD_KEY_SIZE,
+ /** private key to use for signing, private_key_t* */
+ BUILD_SIGNING_KEY,
+ /** certificate used for signing, certificate_t* */
+ BUILD_SIGNING_CERT,
+ /** public key to include, public_key_t* */
+ BUILD_PUBLIC_KEY,
+ /** subject for e.g. certificates, identification_t* */
+ BUILD_SUBJECT,
+ /** additional subject name, identification_t* */
+ BUILD_SUBJECT_ALTNAME,
+ /** issuer for e.g. certificates, identification_t* */
+ BUILD_ISSUER,
+ /** additional issuer name, identification_t* */
+ BUILD_ISSUER_ALTNAME,
+ /** notBefore, time_t* */
+ BUILD_NOT_BEFORE_TIME,
+ /** notAfter, time_t* */
+ BUILD_NOT_AFTER_TIME,
+ /** a serial number in binary form, chunk_t */
+ BUILD_SERIAL,
+ /** a comma-separated list of ietf group attributes, char* */
+ BUILD_IETF_GROUP_ATTR,
+ /** a ca certificate, certificate_t* */
+ BUILD_CA_CERT,
+ /** a certificate, certificate_t* */
+ BUILD_CERT,
+ /** enforce an additional X509 flag, x509_flag_t */
+ BUILD_X509_FLAG,
+ /** end of variable argument builder list */
+ BUILD_END,
+};
+
+/**
+ * enum names for build_part_t
+ */
+extern enum_name_t *builder_part_names;
+
+/**
+ * Credential construction API.
+ *
+ * The builder allows the construction of credentials in a generic and
+ * flexible way.
+ */
+struct builder_t {
+
+ /**
+ * Add a part to the construct.
+ *
+ * Any added parts get owned by the builder/construct, so clone/refcount
+ * them if needed.
+ *
+ * @param part kind of part
+ * @param ... part specific variable argument
+ */
+ void (*add)(builder_t *this, builder_part_t part, ...);
+
+ /**
+ * Build the construct with all supplied parts.
+ *
+ * Once build() is called, the builder gets destroyed.
+ *
+ * @return specific interface, as requested with constructor.
+ */
+ void* (*build)(builder_t *this);
+};
+
+#endif /* BUILDER_H_ @}*/
diff --git a/src/libstrongswan/credentials/certificates/ac.h b/src/libstrongswan/credentials/certificates/ac.h
new file mode 100644
index 000000000..4e33390bb
--- /dev/null
+++ b/src/libstrongswan/credentials/certificates/ac.h
@@ -0,0 +1,86 @@
+/*
+ * Copyright (C) 2002 Ueli Galizzi, Ariane Seiler
+ * Copyright (C) 2003 Martin Berner, Lukas Suter
+ * Copyright (C) 2002-2008 Andreas Steffen
+ *
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * $Id: ac.h 3300 2007-10-12 21:53:18Z andreas $
+ */
+
+/**
+ * @defgroup ac ac
+ * @{ @ingroup certificates
+ */
+
+#ifndef AC_H_
+#define AC_H_
+
+#include <library.h>
+#include <credentials/certificates/certificate.h>
+
+typedef struct ac_t ac_t;
+
+/**
+ * X.509 attribute certificate interface.
+ *
+ * This interface adds additional methods to the certificate_t type to
+ * allow further operations on these certificates.
+ */
+struct ac_t {
+
+ /**
+ * Implements the certificate_t interface
+ */
+ certificate_t certificate;
+
+ /**
+ * Get the attribute certificate's serial number.
+ *
+ * @return chunk pointing to serialNumber
+ */
+ chunk_t (*get_serial)(ac_t *this);
+
+ /**
+ * Get the serial number of the holder certificate.
+ *
+ * @return chunk pointing to serialNumber
+ */
+ chunk_t (*get_holderSerial)(ac_t *this);
+
+ /**
+ * Get the issuer of the holder certificate.
+ *
+ * @return holderIssuer as identification_t*
+ */
+ identification_t* (*get_holderIssuer)(ac_t *this);
+
+ /**
+ * Get the thauthorityKeyIdentifier.
+ *
+ * @return authKeyIdentifier as identification_t*
+ */
+ identification_t* (*get_authKeyIdentifier)(ac_t *this);
+
+ /**
+ * @brief Checks if two attribute certificates belong to the same holder
+ *
+ * @param this calling attribute certificate
+ * @param that other attribute certificate
+ * @return TRUE if same holder
+ */
+ bool (*equals_holder) (ac_t *this, ac_t *other);
+};
+
+#endif /* AC_H_ @}*/
+
diff --git a/src/libstrongswan/credentials/certificates/certificate.c b/src/libstrongswan/credentials/certificates/certificate.c
new file mode 100644
index 000000000..c5bc9a68d
--- /dev/null
+++ b/src/libstrongswan/credentials/certificates/certificate.c
@@ -0,0 +1,41 @@
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * $Id: certificate.c 3664 2008-03-26 15:21:50Z martin $
+ */
+
+#include "certificate.h"
+
+#include <credentials/certificates/x509.h>
+
+ENUM(certificate_type_names, CERT_ANY, CERT_PGP,
+ "ANY",
+ "X509",
+ "X509_CRL",
+ "X509_OCSP_REQUEST",
+ "X509_OCSP_RESPONSE",
+ "X509_AC",
+ "X509_CHAIN",
+ "TRUSTED_PUBKEY",
+ "PGP",
+);
+
+ENUM(cert_validation_names, VALIDATION_GOOD, VALIDATION_SKIPPED,
+ "VALIDATION_GOOD",
+ "VALIDATION_STALE",
+ "VALIDATION_REVOKED",
+ "VALIDATION_FAILED",
+ "VALIDATION_SKIPPED",
+);
+
diff --git a/src/libstrongswan/credentials/certificates/certificate.h b/src/libstrongswan/credentials/certificates/certificate.h
new file mode 100644
index 000000000..14f4de389
--- /dev/null
+++ b/src/libstrongswan/credentials/certificates/certificate.h
@@ -0,0 +1,192 @@
+/*
+ * Copyright (C) 2007-2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup certificate certificate
+ * @{ @ingroup certificates
+ */
+
+#ifndef CERTIFICATE_H_
+#define CERTIFICATE_H_
+
+typedef struct certificate_t certificate_t;
+typedef enum certificate_type_t certificate_type_t;
+typedef enum cert_validation_t cert_validation_t;
+
+#include <library.h>
+#include <utils/identification.h>
+#include <credentials/keys/public_key.h>
+
+/**
+ * Kind of a certificate_t
+ */
+enum certificate_type_t {
+ /** just any certificate */
+ CERT_ANY,
+ /** X.509 certificate */
+ CERT_X509,
+ /** X.509 certificate revocation list */
+ CERT_X509_CRL,
+ /** X.509 online certificate status protocol request */
+ CERT_X509_OCSP_REQUEST,
+ /** X.509 online certificate status protocol response */
+ CERT_X509_OCSP_RESPONSE,
+ /** X.509 attribute certificate */
+ CERT_X509_AC,
+ /** trusted, preinstalled public key */
+ CERT_TRUSTED_PUBKEY,
+ /** PGP certificate */
+ CERT_PGP,
+};
+
+/**
+ * Enum names for certificate_type_t
+ */
+extern enum_name_t *certificate_type_names;
+
+/**
+ * Result of a certificate validation.
+ */
+enum cert_validation_t {
+ /** certificate has been validated successfully */
+ VALIDATION_GOOD,
+ /** certificate has been validated, but check based on stale information */
+ VALIDATION_STALE,
+ /** certificate has been revoked */
+ VALIDATION_REVOKED,
+ /** validation failed due to a processing error */
+ VALIDATION_FAILED,
+ /** validation has been skipped due to missing validation information */
+ VALIDATION_SKIPPED,
+};
+
+/**
+ * Enum names for cert_validation_t
+ */
+extern enum_name_t *cert_validation_names;
+
+/**
+ * An abstract certificate.
+ *
+ * A certificate designs a subject-issuer relationship. It may have an
+ * associated public key.
+ */
+struct certificate_t {
+
+ /**
+ * Get the type of the certificate.
+ *
+ * @return certifcate type
+ */
+ certificate_type_t (*get_type)(certificate_t *this);
+
+ /**
+ * Get the primary subject to which this certificate belongs.
+ *
+ * @return subject identity
+ */
+ identification_t* (*get_subject)(certificate_t *this);
+
+ /**
+ * Check if certificate contains a subject ID.
+ *
+ * A certificate may contain additional subject identifiers, which are
+ * not returned by get_subject (e.g. subjectAltNames)
+ *
+ * @param subject subject identity
+ * @return matching value of best match
+ */
+ id_match_t (*has_subject)(certificate_t *this, identification_t *subject);
+
+ /**
+ * Get the issuer which signed this certificate.
+ *
+ * @return issuer identity
+ */
+ identification_t* (*get_issuer)(certificate_t *this);
+
+ /**
+ * Check if certificate contains an issuer ID.
+ *
+ * A certificate may contain additional issuer identifiers, which are
+ * not returned by get_issuer (e.g. issuerAltNames)
+ *
+ * @param subject isser identity
+ * @return matching value of best match
+ */
+ id_match_t (*has_issuer)(certificate_t *this, identification_t *issuer);
+
+ /**
+ * Check if this certificate is issued and signed by a specific issuer.
+ *
+ * @param issuer issuer's certificate
+ * @return TRUE if certificate issued by issuer and trusted
+ */
+ bool (*issued_by)(certificate_t *this, certificate_t *issuer);
+
+ /**
+ * Get the public key associated to this certificate.
+ *
+ * @return newly referenced public_key, NULL if none available
+ */
+ public_key_t* (*get_public_key)(certificate_t *this);
+
+ /**
+ * Check the lifetime of the certificate.
+ *
+ * @param when check validity at a certain time (NULL for now)
+ * @param not_before receives certificates start of lifetime
+ * @param not_after receives certificates end of lifetime
+ * @return TRUE if when between not_after and not_before
+ */
+ bool (*get_validity)(certificate_t *this, time_t *when,
+ time_t *not_before, time_t *not_after);
+
+ /**
+ * Is this newer than that?
+ *
+ * @return TRUE if newer, FALSE otherwise
+ */
+ bool (*is_newer)(certificate_t *this, certificate_t *that);
+
+ /**
+ * Get the certificate in an encoded form.
+ *
+ * @return allocated chunk of encoded cert
+ */
+ chunk_t (*get_encoding)(certificate_t *this);
+
+ /**
+ * Check if two certificates are equal.
+ *
+ * @param other certificate to compair against this
+ * @return TRUE if certificates are equal
+ */
+ bool (*equals)(certificate_t *this, certificate_t *other);
+
+ /**
+ * Get a new reference to the certificate.
+ *
+ * @return this, with an increased refcount
+ */
+ certificate_t* (*get_ref)(certificate_t *this);
+
+ /**
+ * Destroy a certificate.
+ */
+ void (*destroy)(certificate_t *this);
+};
+
+#endif /* CERTIFICATE_H_ @}*/
diff --git a/src/libstrongswan/credentials/certificates/crl.c b/src/libstrongswan/credentials/certificates/crl.c
new file mode 100644
index 000000000..1fdc095c1
--- /dev/null
+++ b/src/libstrongswan/credentials/certificates/crl.c
@@ -0,0 +1,31 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Copyright (C) 2006 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * $Id: crl.c 3656 2008-03-25 22:28:27Z andreas $
+ */
+
+#include "crl.h"
+
+ENUM(crl_reason_names, CRL_UNSPECIFIED, CRL_REMOVE_FROM_CRL,
+ "unspecified",
+ "key compromise",
+ "ca compromise",
+ "affiliation changed",
+ "superseded",
+ "cessation of operation",
+ "certificate hold",
+ "reason #7",
+ "remove from crl",
+);
diff --git a/src/libstrongswan/credentials/certificates/crl.h b/src/libstrongswan/credentials/certificates/crl.h
new file mode 100644
index 000000000..f1fb70efd
--- /dev/null
+++ b/src/libstrongswan/credentials/certificates/crl.h
@@ -0,0 +1,88 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Copyright (C) 2006 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * $Id: crl.h 3656 2008-03-25 22:28:27Z andreas $
+ */
+
+/**
+ * @defgroup crl crl
+ * @{ @ingroup certificates
+ */
+
+#ifndef CRL_H_
+#define CRL_H_
+
+typedef struct crl_t crl_t;
+typedef enum crl_reason_t crl_reason_t;
+
+#include <library.h>
+#include <credentials/certificates/certificate.h>
+
+/**
+ * RFC 2459 CRL reason codes
+ */
+enum crl_reason_t {
+ CRL_UNSPECIFIED = 0,
+ CRL_KEY_COMPROMISE = 1,
+ CRL_CA_COMPROMISE = 2,
+ CRL_AFFILIATION_CHANGED = 3,
+ CRL_SUPERSEDED = 4,
+ CRL_CESSATION_OF_OPERATON = 5,
+ CRL_CERTIFICATE_HOLD = 6,
+ CRL_REMOVE_FROM_CRL = 8,
+};
+
+/**
+ * enum names for crl_reason_t
+ */
+extern enum_name_t *crl_reason_names;
+
+/**
+ * X509 certificate revocation list (CRL) interface definition.
+ */
+struct crl_t {
+
+ /**
+ * Implements (parts of) the certificate_t interface
+ */
+ certificate_t certificate;
+
+ /**
+ * Get the CRL serial number.
+ *
+ * @return chunk pointing to internal crlNumber
+ */
+ chunk_t (*get_serial)(crl_t *this);
+
+ /**
+ * Get the the authorityKeyIdentifier.
+ *
+ * @return authKeyIdentifier as identification_t*
+ */
+ identification_t* (*get_authKeyIdentifier)(crl_t *this);
+
+ /**
+ * Create an enumerator over all revoked certificates.
+ *
+ * The enumerator takes 3 pointer arguments:
+ * chunk_t serial, time_t revocation_date, crl_reason_t reason
+ *
+ * @return enumerator over revoked certificates.
+ */
+ enumerator_t* (*create_enumerator)(crl_t *this);
+
+};
+
+#endif /* CRL_H_ @}*/
diff --git a/src/libstrongswan/credentials/certificates/ocsp_request.h b/src/libstrongswan/credentials/certificates/ocsp_request.h
new file mode 100644
index 000000000..377eabd23
--- /dev/null
+++ b/src/libstrongswan/credentials/certificates/ocsp_request.h
@@ -0,0 +1,41 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * $Id$
+ */
+
+/**
+ * @defgroup ocsp_request ocsp_request
+ * @{ @ingroup certificates
+ */
+
+#ifndef OCSP_REQUEST_H_
+#define OCSP_REQUEST_H_
+
+#include <credentials/certificates/certificate.h>
+
+typedef struct ocsp_request_t ocsp_request_t;
+
+/**
+ * OCSP request message.
+ */
+struct ocsp_request_t {
+
+ /**
+ * Implements certificiate_t interface
+ */
+ certificate_t interface;
+};
+
+#endif /* OCSP_REQUEST_H_ @}*/
diff --git a/src/libstrongswan/credentials/certificates/ocsp_response.c b/src/libstrongswan/credentials/certificates/ocsp_response.c
new file mode 100644
index 000000000..02e12f761
--- /dev/null
+++ b/src/libstrongswan/credentials/certificates/ocsp_response.c
@@ -0,0 +1,29 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * $Id$
+ */
+
+#include "ocsp_response.h"
+
+ENUM(ocsp_status_names, OCSP_SUCCESSFUL, OCSP_UNAUTHORIZED,
+ "successful",
+ "malformed request",
+ "internal error",
+ "try later",
+ "status #4",
+ "signature required",
+ "unauthorized"
+);
+
diff --git a/src/libstrongswan/credentials/certificates/ocsp_response.h b/src/libstrongswan/credentials/certificates/ocsp_response.h
new file mode 100644
index 000000000..416f712f3
--- /dev/null
+++ b/src/libstrongswan/credentials/certificates/ocsp_response.h
@@ -0,0 +1,84 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * $Id$
+ */
+
+/**
+ * @defgroup ocsp_response ocsp_response
+ * @{ @ingroup certificates
+ */
+
+#ifndef OCSP_RESPONSE_H_
+#define OCSP_RESPONSE_H_
+
+#include <credentials/certificates/x509.h>
+#include <credentials/certificates/crl.h>
+
+typedef struct ocsp_response_t ocsp_response_t;
+typedef enum ocsp_status_t ocsp_status_t;
+
+/**
+ * OCSP response status
+ */
+enum ocsp_status_t {
+ OCSP_SUCCESSFUL = 0,
+ OCSP_MALFORMEDREQUEST = 1,
+ OCSP_INTERNALERROR = 2,
+ OCSP_TRYLATER = 3,
+ OCSP_SIGREQUIRED = 5,
+ OCSP_UNAUTHORIZED = 6,
+};
+
+/**
+ * enum names for ocsp_status_t
+ */
+extern enum_name_t *ocsp_status_names;
+
+/**
+ * OCSP response message.
+ */
+struct ocsp_response_t {
+
+ /**
+ * Implements certificiate_t interface
+ */
+ certificate_t certificate;
+
+ /**
+ * Check the status of a certificate by this OCSP response.
+ *
+ * @param subject certificate to check status
+ * @param issuer issuer certificate of subject
+ * @param revocation_time receives time of revocation, if revoked
+ * @param revocation_reason receives reason of revocation, if revoked
+ * @param this_update creation time of revocation list
+ * @param next_update exptected time of next revocation list
+ * @return certificate revocation status
+ */
+ cert_validation_t (*get_status)(ocsp_response_t *this,
+ x509_t *subject, x509_t *issuer,
+ time_t *revocation_time,
+ crl_reason_t *revocation_reason,
+ time_t *this_update, time_t *next_update);
+
+ /**
+ * Create an enumerator over the contained certificates.
+ *
+ * @return enumerator over certificate_t*
+ */
+ enumerator_t* (*create_cert_enumerator)(ocsp_response_t *this);
+};
+
+#endif /* OCSP_RESPONSE_H_ @}*/
diff --git a/src/libstrongswan/credentials/certificates/x509.c b/src/libstrongswan/credentials/certificates/x509.c
new file mode 100644
index 000000000..15d223e3e
--- /dev/null
+++ b/src/libstrongswan/credentials/certificates/x509.c
@@ -0,0 +1,26 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * $Id: x509.c 3656 2008-03-25 22:28:27Z andreas $
+ */
+
+#include "x509.h"
+
+ENUM(x509_flag_names, X509_CA, X509_SELF_SIGNED,
+ "X509_CA",
+ "X509_AA",
+ "X509_OCSP_SIGNER",
+ "X509_SELF_SIGNED",
+);
+
diff --git a/src/libstrongswan/credentials/certificates/x509.h b/src/libstrongswan/credentials/certificates/x509.h
new file mode 100644
index 000000000..737dcdc67
--- /dev/null
+++ b/src/libstrongswan/credentials/certificates/x509.h
@@ -0,0 +1,107 @@
+/*
+ * Copyright (C) 2007-2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * $Id: x509.h 3656 2008-03-25 22:28:27Z andreas $
+ */
+
+/**
+ * @defgroup x509 x509
+ * @{ @ingroup certificates
+ */
+
+#ifndef X509_H_
+#define X509_H_
+
+#include <utils/enumerator.h>
+#include <credentials/certificates/certificate.h>
+
+typedef struct x509_t x509_t;
+typedef enum x509_flag_t x509_flag_t;
+
+/**
+ * X.509 certificate flags.
+ */
+enum x509_flag_t {
+ /** cert has CA constraint */
+ X509_CA = (1<<0),
+ /** cert has AA constraint */
+ X509_AA = (1<<1),
+ /** cert has OCSP signer constraint */
+ X509_OCSP_SIGNER = (1<<2),
+ /** cert is self-signed */
+ X509_SELF_SIGNED = (1<<3),
+};
+
+/**
+ * enum names for x509 flags
+ */
+extern enum_name_t *x509_flag_names;
+
+/**
+ * X.509 certificate interface.
+ *
+ * This interface adds additional methods to the certificate_t type to
+ * allow further operations on these certificates.
+ */
+struct x509_t {
+
+ /**
+ * Implements certificate_t.
+ */
+ certificate_t interface;
+
+ /**
+ * Get the flags set for this certificate.
+ *
+ * @return set of flags
+ */
+ x509_flag_t (*get_flags)(x509_t *this);
+
+ /**
+ * Get the certificate serial number.
+ *
+ * @return chunk pointing to internal serial number
+ */
+ chunk_t (*get_serial)(x509_t *this);
+
+ /**
+ * Get the the authorityKeyIdentifier.
+ *
+ * @return authKeyIdentifier as identification_t*
+ */
+ identification_t* (*get_authKeyIdentifier)(x509_t *this);
+
+ /**
+ * Create an enumerator over all subjectAltNames.
+ *
+ * @return enumerator over subjectAltNames as identification_t*
+ */
+ enumerator_t* (*create_subjectAltName_enumerator)(x509_t *this);
+
+ /**
+ * Create an enumerator over all CRL URIs.
+ *
+ * @return enumerator over URIs as char*
+ */
+ enumerator_t* (*create_crl_uri_enumerator)(x509_t *this);
+
+ /**
+ * Create an enumerator over all OCSP URIs.
+ *
+ * @return enumerator over URIs as char*
+ */
+ enumerator_t* (*create_ocsp_uri_enumerator)(x509_t *this);
+};
+
+#endif /* X509_H_ @}*/
diff --git a/src/libstrongswan/credentials/credential_factory.c b/src/libstrongswan/credentials/credential_factory.c
new file mode 100644
index 000000000..52ee2060d
--- /dev/null
+++ b/src/libstrongswan/credentials/credential_factory.c
@@ -0,0 +1,312 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * $Id: credential_factory.c 4059 2008-06-11 14:10:02Z martin $
+ */
+
+#include "credential_factory.h"
+
+#include <debug.h>
+#include <utils/linked_list.h>
+#include <utils/mutex.h>
+#include <credentials/certificates/x509.h>
+
+ENUM(credential_type_names, CRED_PRIVATE_KEY, CRED_CERTIFICATE,
+ "CRED_PRIVATE_KEY",
+ "CRED_PUBLIC_KEY",
+ "CRED_CERTIFICATE",
+);
+
+typedef struct private_credential_factory_t private_credential_factory_t;
+
+/**
+ * private data of credential_factory
+ */
+struct private_credential_factory_t {
+
+ /**
+ * public functions
+ */
+ credential_factory_t public;
+
+ /**
+ * list with entry_t
+ */
+ linked_list_t *constructors;
+
+ /**
+ * mutex to lock access to modules
+ */
+ mutex_t *mutex;
+};
+
+typedef struct entry_t entry_t;
+struct entry_t {
+ /** kind of credential builder */
+ credential_type_t type;
+ /** subtype of credential, e.g. certificate_type_t */
+ int subtype;
+ /** builder construction function */
+ builder_constructor_t constructor;
+};
+
+/**
+ * Implementation of credential_factory_t.create_builder.
+ */
+static builder_t* create_builder(private_credential_factory_t *this,
+ credential_type_t type, int subtype)
+{
+ enumerator_t *enumerator;
+ entry_t *entry;
+ builder_t *builder = NULL;
+
+ this->mutex->lock(this->mutex);
+ enumerator = this->constructors->create_enumerator(this->constructors);
+ while (enumerator->enumerate(enumerator, &entry))
+ {
+ if (entry->type == type && entry->subtype == subtype)
+ {
+ builder = entry->constructor(subtype);
+ if (builder)
+ {
+ break;
+ }
+ }
+ }
+ enumerator->destroy(enumerator);
+ this->mutex->unlock(this->mutex);
+ return builder;
+}
+
+/**
+ * Implementation of credential_factory_t.add_builder_constructor.
+ */
+static void add_builder(private_credential_factory_t *this,
+ credential_type_t type, int subtype,
+ builder_constructor_t constructor)
+{
+ entry_t *entry = malloc_thing(entry_t);
+
+ entry->type = type;
+ entry->subtype = subtype;
+ entry->constructor = constructor;
+ this->mutex->lock(this->mutex);
+ this->constructors->insert_last(this->constructors, entry);
+ this->mutex->unlock(this->mutex);
+}
+
+/**
+ * Implementation of credential_factory_t.remove_builder.
+ */
+static void remove_builder(private_credential_factory_t *this,
+ builder_constructor_t constructor)
+{
+ enumerator_t *enumerator;
+ entry_t *entry;
+
+ this->mutex->lock(this->mutex);
+ enumerator = this->constructors->create_enumerator(this->constructors);
+ while (enumerator->enumerate(enumerator, &entry))
+ {
+ if (entry->constructor == constructor)
+ {
+ this->constructors->remove_at(this->constructors, enumerator);
+ free(entry);
+ }
+ }
+ enumerator->destroy(enumerator);
+ this->mutex->unlock(this->mutex);
+}
+
+/**
+ * Implementation of credential_factory_t.create.
+ */
+static void* create(private_credential_factory_t *this, credential_type_t type,
+ int subtype, ...)
+{
+ builder_t *builder;
+ builder_part_t part;
+ va_list args;
+
+ builder = create_builder(this, type, subtype);
+ if (builder)
+ {
+ va_start(args, subtype);
+ while (TRUE)
+ {
+ part = va_arg(args, builder_part_t);
+
+ switch (part)
+ {
+ case BUILD_END:
+ break;
+ case BUILD_BLOB_ASN1_DER:
+ case BUILD_SERIAL:
+ builder->add(builder, part, va_arg(args, chunk_t));
+ continue;
+ case BUILD_X509_FLAG:
+ builder->add(builder, part, va_arg(args, x509_flag_t));
+ continue;
+ case BUILD_KEY_SIZE:
+ builder->add(builder, part, va_arg(args, u_int));
+ continue;
+ case BUILD_NOT_BEFORE_TIME:
+ case BUILD_NOT_AFTER_TIME:
+ builder->add(builder, part, va_arg(args, time_t));
+ continue;
+ case BUILD_BLOB_ASN1_PEM:
+ case BUILD_FROM_FILE:
+ case BUILD_SIGNING_KEY:
+ case BUILD_PUBLIC_KEY:
+ case BUILD_SUBJECT:
+ case BUILD_SUBJECT_ALTNAME:
+ case BUILD_ISSUER:
+ case BUILD_ISSUER_ALTNAME:
+ case BUILD_SIGNING_CERT:
+ case BUILD_CA_CERT:
+ case BUILD_CERT:
+ case BUILD_IETF_GROUP_ATTR:
+ builder->add(builder, part, va_arg(args, void*));
+ continue;
+ default:
+ DBG1("builder part %N not supported by factory",
+ builder_part_names, part);
+ break;
+ }
+ break;
+ }
+ va_end(args);
+
+ return builder->build(builder);
+ }
+ else
+ {
+ DBG1("failed to create a builder for credential type %N,"
+ " subtype (%d)", credential_type_names, type, subtype);
+ }
+
+ /** shredder all data on failure */
+ va_start(args, subtype);
+ while (TRUE)
+ {
+ part = va_arg(args, builder_part_t);
+
+ switch (part)
+ {
+ case BUILD_END:
+ break;
+ case BUILD_BLOB_ASN1_DER:
+ {
+ chunk_t chunk = va_arg(args, chunk_t);
+ free(chunk.ptr);
+ continue;
+ }
+ case BUILD_SERIAL:
+ {
+ va_arg(args, chunk_t);
+ continue;
+ }
+ case BUILD_X509_FLAG:
+ {
+ va_arg(args, x509_flag_t);
+ continue;
+ }
+ case BUILD_KEY_SIZE:
+ {
+ va_arg(args, u_int);
+ continue;
+ }
+ case BUILD_NOT_BEFORE_TIME:
+ case BUILD_NOT_AFTER_TIME:
+ {
+ va_arg(args, time_t);
+ continue;
+ }
+ case BUILD_SIGNING_KEY:
+ {
+ private_key_t *private = va_arg(args, private_key_t*);
+ private->destroy(private);
+ continue;
+ }
+ case BUILD_PUBLIC_KEY:
+ {
+ public_key_t *public = va_arg(args, public_key_t*);
+ public->destroy(public);
+ continue;
+ }
+ case BUILD_SUBJECT:
+ case BUILD_SUBJECT_ALTNAME:
+ case BUILD_ISSUER:
+ case BUILD_ISSUER_ALTNAME:
+ {
+ identification_t *id = va_arg(args, identification_t*);
+ id->destroy(id);
+ continue;
+ }
+ case BUILD_SIGNING_CERT:
+ case BUILD_CA_CERT:
+ case BUILD_CERT:
+ {
+ certificate_t *cert = va_arg(args, certificate_t*);
+ cert->destroy(cert);
+ continue;
+ }
+ case BUILD_BLOB_ASN1_PEM:
+ case BUILD_FROM_FILE:
+ case BUILD_IETF_GROUP_ATTR:
+ {
+ va_arg(args, void*);
+ continue;
+ }
+ default:
+ DBG1("builder part %N not supported by factory",
+ builder_part_names, part);
+ continue;
+ }
+ break;
+ }
+ va_end(args);
+ return NULL;
+}
+
+/**
+ * Implementation of credential_factory_t.destroy
+ */
+static void destroy(private_credential_factory_t *this)
+{
+ this->constructors->destroy_function(this->constructors, free);
+ this->mutex->destroy(this->mutex);
+ free(this);
+}
+
+/*
+ * see header file
+ */
+credential_factory_t *credential_factory_create()
+{
+ private_credential_factory_t *this = malloc_thing(private_credential_factory_t);
+
+ this->public.create = (void*(*)(credential_factory_t*, credential_type_t type, int subtype, ...))create;
+ this->public.create_builder = (builder_t*(*)(credential_factory_t*, credential_type_t type, int subtype))create_builder;
+ this->public.add_builder = (void(*)(credential_factory_t*,credential_type_t type, int subtype, builder_constructor_t constructor))add_builder;
+ this->public.remove_builder = (void(*)(credential_factory_t*,builder_constructor_t constructor))remove_builder;
+ this->public.destroy = (void(*)(credential_factory_t*))destroy;
+
+ this->constructors = linked_list_create();
+
+ this->mutex = mutex_create(MUTEX_RECURSIVE);
+
+ return &this->public;
+}
+
diff --git a/src/libstrongswan/credentials/credential_factory.h b/src/libstrongswan/credentials/credential_factory.h
new file mode 100644
index 000000000..873cf8ab2
--- /dev/null
+++ b/src/libstrongswan/credentials/credential_factory.h
@@ -0,0 +1,105 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup credential_factory credential_factory
+ * @{ @ingroup credentials
+ */
+
+#ifndef CREDENTIAL_FACTORY_H_
+#define CREDENTIAL_FACTORY_H_
+
+typedef struct credential_factory_t credential_factory_t;
+typedef enum credential_type_t credential_type_t;
+
+#include <credentials/keys/private_key.h>
+#include <credentials/keys/public_key.h>
+#include <credentials/certificates/certificate.h>
+#include <credentials/builder.h>
+
+/**
+ * Kind of credential.
+ */
+enum credential_type_t {
+ /** private key, implemented in private_key_t */
+ CRED_PRIVATE_KEY,
+ /** public key, implemented in public_key_t */
+ CRED_PUBLIC_KEY,
+ /** certificates, implemented in certificate_t */
+ CRED_CERTIFICATE,
+};
+
+/**
+ * enum names for credential_type_t
+ */
+extern enum_name_t *credential_type_names;
+
+/**
+ * Manages credential construction functions and creates instances.
+ */
+struct credential_factory_t {
+
+ /**
+ * Create a credential using a list of builder_part_t's.
+ *
+ * The variable argument list takes builder_part_t types followed
+ * by the type specific value. The list must be terminated using BUILD_END.
+ *
+ * @param type credential type to build
+ * @param subtype subtype specific for type of the credential
+ * @param ... build_part_t arguments, BUILD_END terminated.
+ * @return type specific credential, NULL if failed
+ */
+ void* (*create)(credential_factory_t *this, credential_type_t type,
+ int subtype, ...);
+
+ /**
+ * Create a builder instance to build credentials.
+ *
+ * @param type type of credentials the builder creates
+ * @param subtype type specific subtype, such as certificate_type_t
+ * @return builder instance
+ */
+ builder_t* (*create_builder)(credential_factory_t *this,
+ credential_type_t type, int subtype);
+ /**
+ * Register a builder_t constructor function.
+ *
+ * @param type type of credential the builder creates
+ * @param constructor builder constructor function to register
+ */
+ void (*add_builder)(credential_factory_t *this,
+ credential_type_t type, int subtype,
+ builder_constructor_t constructor);
+ /**
+ * Unregister a builder_t constructor function.
+ *
+ * @param constructor constructor function to unregister.
+ */
+ void (*remove_builder)(credential_factory_t *this,
+ builder_constructor_t constructor);
+
+ /**
+ * Destroy a credential_factory instance.
+ */
+ void (*destroy)(credential_factory_t *this);
+};
+
+/**
+ * Create a credential_factory instance.
+ */
+credential_factory_t *credential_factory_create();
+
+#endif /* CREDENTIAL_FACTORY_H_ @}*/
diff --git a/src/libstrongswan/credentials/keys/private_key.c b/src/libstrongswan/credentials/keys/private_key.c
new file mode 100644
index 000000000..018cab1c0
--- /dev/null
+++ b/src/libstrongswan/credentials/keys/private_key.c
@@ -0,0 +1,19 @@
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * $Id: private_key.c 3488 2008-02-21 15:10:02Z martin $
+ */
+
+#include "private_key.h"
+
diff --git a/src/libstrongswan/credentials/keys/private_key.h b/src/libstrongswan/credentials/keys/private_key.h
new file mode 100644
index 000000000..c28988309
--- /dev/null
+++ b/src/libstrongswan/credentials/keys/private_key.h
@@ -0,0 +1,114 @@
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * $Id: private_key.h 3620 2008-03-19 14:21:56Z martin $
+ */
+
+/**
+ * @defgroup private_key private_key
+ * @{ @ingroup keys
+ */
+
+#ifndef PRIVATE_KEY_H_
+#define PRIVATE_KEY_H_
+
+typedef struct private_key_t private_key_t;
+
+#include <utils/identification.h>
+#include <credentials/keys/public_key.h>
+
+/**
+ * Abstract private key interface.
+ */
+struct private_key_t {
+
+ /**
+ * Get the key type.
+ *
+ * @return type of the key
+ */
+ key_type_t (*get_type)(private_key_t *this);
+
+ /**
+ * Create a signature over a chunk of data.
+ *
+ * @param scheme signature scheme to use
+ * @param data chunk of data to sign
+ * @param signature where to allocate created signature
+ * @return TRUE if signature created
+ */
+ bool (*sign)(private_key_t *this, signature_scheme_t scheme,
+ chunk_t data, chunk_t *signature);
+ /**
+ * Decrypt a chunk of data.
+ *
+ * @param crypto chunk containing encrypted data
+ * @param plain where to allocate decrypted data
+ * @return TRUE if data decrypted and plaintext allocated
+ */
+ bool (*decrypt)(private_key_t *this, chunk_t crypto, chunk_t *plain);
+
+ /**
+ * Get the strength of the key in bytes.
+ *
+ * @return strength of the key in bytes
+ */
+ size_t (*get_keysize) (private_key_t *this);
+
+ /**
+ * Get a unique key identifier, such as a hash over the public key.
+ *
+ * @param type type of the key ID to get
+ * @return unique ID of the key as identification_t, or NULL
+ */
+ identification_t* (*get_id) (private_key_t *this, id_type_t type);
+
+ /**
+ * Get the public part from the private key.
+ *
+ * @return public key
+ */
+ public_key_t* (*get_public_key)(private_key_t *this);
+
+ /**
+ * Check if a private key belongs to a public key.
+ *
+ * @param public public key
+ * @return TRUE, if keys belong together
+ */
+ bool (*belongs_to) (private_key_t *this, public_key_t *public);
+
+ /**
+ * Get an encoded form of the private key.
+ *
+ * @todo Do we need a encoding type specification?
+ *
+ * @return allocated chunk containing encoded private key
+ */
+ chunk_t (*get_encoding)(private_key_t *this);
+
+ /**
+ * Increase the refcount to this private key.
+ *
+ * @return this, with an increased refcount
+ */
+ private_key_t* (*get_ref)(private_key_t *this);
+
+ /**
+ * Decrease refcount, destroy private_key if no more references.
+ */
+ void (*destroy)(private_key_t *this);
+};
+
+#endif /* PRIVATE_KEY_H_ @} */
diff --git a/src/libstrongswan/credentials/keys/public_key.c b/src/libstrongswan/credentials/keys/public_key.c
new file mode 100644
index 000000000..80b9f03c3
--- /dev/null
+++ b/src/libstrongswan/credentials/keys/public_key.c
@@ -0,0 +1,37 @@
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * $Id: public_key.c 4051 2008-06-10 09:08:27Z tobias $
+ */
+
+#include "public_key.h"
+
+ENUM(key_type_names, KEY_RSA, KEY_ECDSA,
+ "RSA",
+ "ECDSA"
+);
+
+ENUM(signature_scheme_names, SIGN_DEFAULT, SIGN_ECDSA_521,
+ "DEFAULT",
+ "RSA_EMSA_PKCS1_MD5",
+ "RSA_EMSA_PKCS1_SHA1",
+ "RSA_EMSA_PKCS1_SHA256",
+ "RSA_EMSA_PKCS1_SHA384",
+ "RSA_EMSA_PKCS1_SHA512",
+ "ECDSA_WITH_SHA1",
+ "ECDSA-256",
+ "ECDSA-384",
+ "ECDSA-521",
+);
+
diff --git a/src/libstrongswan/credentials/keys/public_key.h b/src/libstrongswan/credentials/keys/public_key.h
new file mode 100644
index 000000000..62dbe4303
--- /dev/null
+++ b/src/libstrongswan/credentials/keys/public_key.h
@@ -0,0 +1,155 @@
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * $Id: public_key.h 4051 2008-06-10 09:08:27Z tobias $
+ */
+
+/**
+ * @defgroup public_key public_key
+ * @{ @ingroup keys
+ */
+
+#ifndef PUBLIC_KEY_H_
+#define PUBLIC_KEY_H_
+
+typedef struct public_key_t public_key_t;
+typedef enum key_type_t key_type_t;
+typedef enum key_id_type_t key_id_type_t;
+typedef enum signature_scheme_t signature_scheme_t;
+
+#include <library.h>
+#include <utils/identification.h>
+
+/**
+ * Type of a key pair, the used crypto system
+ */
+enum key_type_t {
+ /** key type wildcard */
+ KEY_ANY,
+ /** RSA crypto system as in PKCS#1 */
+ KEY_RSA,
+ /** ECDSA as in ANSI X9.62 */
+ KEY_ECDSA,
+ /** DSS, ElGamal, ... */
+};
+
+/**
+ * Enum names for key_type_t
+ */
+extern enum_name_t *key_type_names;
+
+/**
+ * Signature scheme for signature creation
+ *
+ * EMSA-PKCS1 signatures are from the PKCS#1 standard. They include
+ * the ASN1-OID of the used hash algorithm.
+ */
+enum signature_scheme_t {
+ /** default scheme of that underlying crypto system */
+ SIGN_DEFAULT,
+ /** EMSA-PKCS1 with MD5 */
+ SIGN_RSA_EMSA_PKCS1_MD5,
+ /** EMSA-PKCS1 signature as in PKCS#1 standard using SHA1 as hash. */
+ SIGN_RSA_EMSA_PKCS1_SHA1,
+ /** EMSA-PKCS1 signature as in PKCS#1 standard using SHA256 as hash. */
+ SIGN_RSA_EMSA_PKCS1_SHA256,
+ /** EMSA-PKCS1 signature as in PKCS#1 standard using SHA384 as hash. */
+ SIGN_RSA_EMSA_PKCS1_SHA384,
+ /** EMSA-PKCS1 signature as in PKCS#1 standard using SHA512 as hash. */
+ SIGN_RSA_EMSA_PKCS1_SHA512,
+ /** ECDSA using SHA-1 as hash. */
+ SIGN_ECDSA_WITH_SHA1,
+ /** ECDSA with SHA-256 on the P-256 curve as in RFC 4754 */
+ SIGN_ECDSA_256,
+ /** ECDSA with SHA-384 on the P-384 curve as in RFC 4754 */
+ SIGN_ECDSA_384,
+ /** ECDSA with SHA-512 on the P-521 curve as in RFC 4754 */
+ SIGN_ECDSA_521,
+};
+
+/**
+ * Enum names for signature_scheme_t
+ */
+extern enum_name_t *signature_scheme_names;
+
+/**
+ * Abstract interface of a public key.
+ */
+struct public_key_t {
+
+ /**
+ * Get the key type.
+ *
+ * @return type of the key
+ */
+ key_type_t (*get_type)(public_key_t *this);
+
+ /**
+ * Verifies a signature against a chunk of data.
+ *
+ * @param scheme signature scheme to use for verification, may be default
+ * @param data data to check signature against
+ * @param signature signature to check
+ * @return TRUE if signature matches
+ */
+ bool (*verify)(public_key_t *this, signature_scheme_t scheme,
+ chunk_t data, chunk_t signature);
+
+ /**
+ * Encrypt a chunk of data.
+ *
+ * @param crypto chunk containing plaintext data
+ * @param plain where to allocate encrypted data
+ * @return TRUE if data successfully encrypted
+ */
+ bool (*encrypt)(public_key_t *this, chunk_t crypto, chunk_t *plain);
+
+ /**
+ * Get the strength of the key in bytes.
+ *
+ * @return strength of the key in bytes
+ */
+ size_t (*get_keysize) (public_key_t *this);
+
+ /**
+ * Get a unique key identifier, such as a hash over the key.
+ *
+ * @param type type of the key ID to get
+ * @return unique ID of the key as identification_t, or NULL
+ */
+ identification_t* (*get_id) (public_key_t *this, id_type_t type);
+
+ /**
+ * Get an encoded form of the key.
+ *
+ * @todo Do we need a encoding type specification?
+ *
+ * @return allocated chunk containing encoded key
+ */
+ chunk_t (*get_encoding)(public_key_t *this);
+
+ /**
+ * Increase the refcount of the key.
+ *
+ * @return this with an increased refcount
+ */
+ public_key_t* (*get_ref)(public_key_t *this);
+
+ /**
+ * Destroy a public_key instance.
+ */
+ void (*destroy)(public_key_t *this);
+};
+
+#endif /* PUBLIC_KEY_H_ @} */
diff --git a/src/libstrongswan/credentials/keys/shared_key.c b/src/libstrongswan/credentials/keys/shared_key.c
new file mode 100644
index 000000000..f55b52c3a
--- /dev/null
+++ b/src/libstrongswan/credentials/keys/shared_key.c
@@ -0,0 +1,111 @@
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * $Id: shared_key.c 3600 2008-03-14 15:11:29Z martin $
+ */
+
+#include "shared_key.h"
+
+ENUM(shared_key_type_names, SHARED_ANY, SHARED_PIN,
+ "ANY",
+ "IKE",
+ "EAP",
+ "PRIVATE_KEY_PASS",
+ "PIN",
+);
+
+typedef struct private_shared_key_t private_shared_key_t;
+
+/**
+ * private data of shared_key
+ */
+struct private_shared_key_t {
+
+ /**
+ * public functions
+ */
+ shared_key_t public;
+
+ /**
+ * type of this shared key
+ */
+ shared_key_type_t type;
+
+ /**
+ * associated shared key data
+ */
+ chunk_t key;
+
+ /**
+ * reference counter
+ */
+ refcount_t ref;
+};
+
+/**
+ * Implements shared_key_t.get_type
+ */
+static shared_key_type_t get_type(private_shared_key_t *this)
+{
+ return this->type;
+}
+
+/**
+ * Implements shared_key_t.get_key
+ */
+static chunk_t get_key(private_shared_key_t *this)
+{
+ return this->key;
+}
+
+/**
+ * Implements shared_key_t.get_ref
+ */
+static shared_key_t* get_ref(private_shared_key_t *this)
+{
+ ref_get(&this->ref);
+ return &this->public;
+}
+
+/**
+ * Implementation of shared_key_t.destroy
+ */
+static void destroy(private_shared_key_t *this)
+{
+ if (ref_put(&this->ref))
+ {
+ free(this->key.ptr);
+ free(this);
+ }
+}
+
+/*
+ * see header file
+ */
+shared_key_t *shared_key_create(shared_key_type_t type, chunk_t key)
+{
+ private_shared_key_t *this = malloc_thing(private_shared_key_t);
+
+ this->public.get_type = (shared_key_type_t (*)(shared_key_t *this))get_type;
+ this->public.get_key = (chunk_t (*)(shared_key_t *this))get_key;
+ this->public.get_ref = (shared_key_t* (*)(shared_key_t *this))get_ref;
+ this->public.destroy = (void(*)(shared_key_t*))destroy;
+
+ this->type = type;
+ this->key = key;
+ this->ref = 1;
+
+ return &this->public;
+}
+
diff --git a/src/libstrongswan/credentials/keys/shared_key.h b/src/libstrongswan/credentials/keys/shared_key.h
new file mode 100644
index 000000000..ceb1309b7
--- /dev/null
+++ b/src/libstrongswan/credentials/keys/shared_key.h
@@ -0,0 +1,95 @@
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup shared_key shared_key
+ * @{ @ingroup keys
+ */
+
+#ifndef SHARED_KEY_H_
+#define SHARED_KEY_H_
+
+#include <utils/enumerator.h>
+#include <utils/identification.h>
+
+typedef struct shared_key_t shared_key_t;
+typedef enum shared_key_type_t shared_key_type_t;
+
+/**
+ * Type of a shared key.
+ */
+enum shared_key_type_t {
+ /** wildcard for all keys */
+ SHARED_ANY,
+ /** PSK for IKE authentication */
+ SHARED_IKE,
+ /** key for a EAP authentication method */
+ SHARED_EAP,
+ /** key to decrypt encrypted private keys */
+ SHARED_PRIVATE_KEY_PASS,
+ /** PIN to unlock a smartcard */
+ SHARED_PIN,
+};
+
+/**
+ * enum names for shared_key_type_t
+ */
+extern enum_name_t *shared_key_type_names;
+
+/**
+ * A symmetric key shared between multiple owners.
+ *
+ * This class is not thread save, do not add owners while others might be
+ * reading.
+ */
+struct shared_key_t {
+
+ /**
+ * Get the kind of this key.
+ *
+ * @return type of the key
+ */
+ shared_key_type_t (*get_type)(shared_key_t *this);
+
+ /**
+ * Get the shared key data.
+ *
+ * @return chunk pointing to the internal key
+ */
+ chunk_t (*get_key)(shared_key_t *this);
+
+ /**
+ * Increase refcount of the key.
+ *
+ * @return this with an increased refcount
+ */
+ shared_key_t* (*get_ref)(shared_key_t *this);
+
+ /**
+ * Destroy a shared_key instance if all references are gone.
+ */
+ void (*destroy)(shared_key_t *this);
+};
+
+/**
+ * A simple private key implementation
+ *
+ * @param type type of the shared key
+ * @param key key data, gets owned by instance
+ * @return simple shared key instance
+ */
+shared_key_t *shared_key_create(shared_key_type_t type, chunk_t key);
+
+#endif /** SHARED_KEY_H_ @} */