Diffstat (limited to 'src/libstrongswan/credential_store.h')
-rwxr-xr-xsrc/libstrongswan/credential_store.h43
1 files changed, 28 insertions, 15 deletions
diff --git a/src/libstrongswan/credential_store.h b/src/libstrongswan/credential_store.h
index dcbe43f52..62b6ad2d5 100755
--- a/src/libstrongswan/credential_store.h
+++ b/src/libstrongswan/credential_store.h
@@ -88,17 +88,6 @@ struct credential_store_t {
rsa_public_key_t* (*get_rsa_public_key) (credential_store_t *this, identification_t *id);
/**
- * @brief Returns the RSA private key belonging to an RSA public key
- *
- * The returned rsa_private_key_t must be destroyed by the caller after usage.
- *
- * @param this calling object
- * @param pubkey public key
- * @return private key, or NULL if not found
- */
- rsa_private_key_t* (*get_rsa_private_key) (credential_store_t *this, rsa_public_key_t *pubkey);
-
- /**
* @brief Is there a matching RSA private key belonging to an RSA public key?
*
* @param this calling object
@@ -145,6 +134,20 @@ struct credential_store_t {
ca_info_t* (*get_issuer) (credential_store_t *this, x509_t* cert);
/**
+ * @brief RSA private key belonging to an RSA public key
+ *
+ *
+ * @param this calling object
+ * @param pubkey public key used to find the matching private key
+ * @param hash_algorithm hash algorithm to be used for signature
+ * @param data data block to be signed
+ * @param signature signature to be returned
+ * @return status of the signature process - SUCCESS if successful
+ */
+ status_t (*rsa_signature) (credential_store_t *this, rsa_public_key_t *pubkey, hash_algorithm_t hash_algorithm,
+ chunk_t data, chunk_t *signature);
+
+ /**
* @brief Verify an RSA signature given the ID of the signer
*
* @param this calling object
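Review bot: The new rsa_signature comment does not say who owns the memory behind the returned signature chunk, although the removed get_rsa_private_key doc in the previous hunk was explicit that the caller had to destroy what it got back; the `@param signature` line should say whether `signature->ptr` is allocated by the store and must be freed by the caller, e.g. `@param signature signature to be returned (allocated, to be freed by the caller)` if that is the case. It also does not state which status is returned when no private key matching pubkey is known, which a caller needs in order to distinguish "no key" from a signing failure; add a sentence to the `@return` line naming that value. The `@brief` reads as a noun phrase ("RSA private key belonging to an RSA public key") rather than what the function does — `@brief Sign a data block with the RSA private key matching a public key` — and the two consecutive bare ` *` lines before `@param this` leave an empty paragraph in the generated docs. The enclosing struct credential_store_t starts before and ends after this hunk.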
@@ -154,7 +157,8 @@ struct credential_store_t {
* @param issuer_p issuer of the signer's certificate (if not self-signed).
* @return status of the verification - SUCCESS if successful
*/
- status_t (*verify_signature) (credential_store_t *this, chunk_t hash, chunk_t sig, identification_t *id, ca_info_t **issuer_p);
+ status_t (*verify_signature) (credential_store_t *this, chunk_t hash, chunk_t sig, identification_t *id,
+ ca_info_t **issuer_p);
/**
* @brief Verify an X.509 certificate up to trust anchor without any status checks
@@ -240,6 +244,14 @@ struct credential_store_t {
iterator_t* (*create_cainfo_iterator) (credential_store_t *this);
/**
+ * @brief Create an iterator over all attribute certificates.
+ *
+ * @param this calling object
+ * @return iterator
+ */
+ iterator_t* (*create_acert_iterator) (credential_store_t *this);
+
+ /**
* @brief Loads ca certificates from a default directory.
*
* Certificates in both DER and PEM format are accepted
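Review bot: The create_acert_iterator comment gives only `@return iterator` and does not say what the iterator yields or who destroys it, which is the kind of ownership detail the other iterator docs in this interface presumably carry (create_cainfo_iterator's comment is outside the hunk, so I cannot confirm its wording). Suggest `@return iterator over the store's attribute certificates; the caller must destroy the iterator`, and, if the yielded certificates stay owned by the store, state that so callers do not free them. The enclosing struct credential_store_t starts before and ends after this hunk.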
@@ -288,12 +300,13 @@ struct credential_store_t {
/**
* @brief Loads secrets in ipsec.secrets
*
- * Currently, all RSA private key files must be in unencrypted form
- * either in DER or PEM format.
+ * RSA private key files can be either in DER or PEM format
+ * Optional encryption with a passphrase supported
*
* @param this calling object
+ * @param reload are the secrets to be reloaded
*/
- void (*load_secrets) (credential_store_t *this);
+ void (*load_secrets) (credential_store_t *this, bool reload);
/**
* @brief Destroys a credential_store_t object.
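Review bot: The new `@param reload are the secrets to be reloaded` line does not explain what a reload does differently from an initial load — whether previously loaded secrets are discarded first and whether passphrase-encrypted private keys are decrypted again — and since the signature change already forces every caller to pick a value, the comment is where that choice has to be made. Suggest `@param reload TRUE to discard the currently loaded secrets and read ipsec.secrets again, FALSE for the initial load` if that matches the implementation, which is not visible here. The sentence `Optional encryption with a passphrase supported` should also say where the passphrase is obtained (prompt, file, or caller) and whether it is retained after loading, because that determines how long the secret stays in process memory; I cannot tell from the hunk, so the implementation should be checked before wording it. The enclosing struct credential_store_t starts before and ends after this hunk.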