Diffstat (limited to 'src/libstrongswan/credentials/certificates/x509.h')
-rw-r--r-- | src/libstrongswan/credentials/certificates/x509.h | 56 |
1 files changed, 44 insertions, 12 deletions
diff --git a/src/libstrongswan/credentials/certificates/x509.h b/src/libstrongswan/credentials/certificates/x509.h
index eedab78f7..172bd9696 100644
--- a/src/libstrongswan/credentials/certificates/x509.h
+++ b/src/libstrongswan/credentials/certificates/x509.h
@@ -24,6 +24,9 @@
 #include <utils/enumerator.h>
 #include <credentials/certificates/certificate.h>
 
+#define X509_NO_PATH_LEN_CONSTRAINT -1
+#define X509_MAX_PATH_LEN 7
+
 typedef struct x509_t x509_t;
 typedef enum x509_flag_t x509_flag_t;
 
@@ -31,14 +34,22 @@ typedef enum x509_flag_t x509_flag_t;
 * X.509 certificate flags.
 */
 enum x509_flag_t {
+ /** cert has no constraints */
+ X509_NONE = 0,
 /** cert has CA constraint */
- X509_CA = (1<<0),
+ X509_CA = (1<<0),
 /** cert has AA constraint */
- X509_AA = (1<<1),
+ X509_AA = (1<<1),
 /** cert has OCSP signer constraint */
- X509_OCSP_SIGNER = (1<<2),
+ X509_OCSP_SIGNER = (1<<2),
+ /** cert has serverAuth key usage */
+ X509_SERVER_AUTH = (1<<3),
+ /** cert has clientAuth key usage */
+ X509_CLIENT_AUTH = (1<<4),
 /** cert is self-signed */
- X509_SELF_SIGNED = (1<<3),
+ X509_SELF_SIGNED = (1<<5),
+ /** cert has an ipAddrBlocks extension */
+ X509_IP_ADDR_BLOCKS = (1<<6),
 };
 
 /**
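Review bot: The two macros added in the first hunk carry no comment, so a reader cannot tell what `X509_MAX_PATH_LEN 7` bounds; presumably it is the largest pathLenConstraint or chain depth that is accepted, but the header does not say. I would give each a one-line Doxygen comment, e.g. `/** returned by get_pathLenConstraint() if the certificate has no pathLenConstraint */`, and parenthesize the negative value as `#define X509_NO_PATH_LEN_CONSTRAINT (-1)`. The get_pathLenConstraint() comment added later in this patch spells the sentinel as a literal -1 and should name this macro instead.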
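Review bot: X509_SELF_SIGNED moves from `(1<<3)` to `(1<<5)` in the second hunk and its old bit is reused for X509_SERVER_AUTH, so anything built against the previous header, or any flag value that was stored or logged, would now read a self-signed certificate as one carrying serverAuth. If no such consumer exists the renumbering is harmless, but keeping existing values stable is cheap: leave `X509_SELF_SIGNED = (1<<3),` and append `X509_SERVER_AUTH = (1<<4),` and `X509_CLIENT_AUTH = (1<<5),` after it. Separately, serverAuth and clientAuth are extendedKeyUsage purposes, so the two new comments would be more accurate as `/** cert has serverAuth extended key usage */`.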
@@ -58,48 +69,69 @@ struct x509_t {
 * Implements certificate_t.
 */
 certificate_t interface;
-
+
 /**
 * Get the flags set for this certificate.
 *
 * @return set of flags
 */
 x509_flag_t (*get_flags)(x509_t *this);
-
+
 /**
 * Get the certificate serial number.
 *
 * @return chunk pointing to internal serial number
 */
 chunk_t (*get_serial)(x509_t *this);
-
+
+ /**
+ * Get the the subjectKeyIdentifier.
+ *
+ * @return subjectKeyIdentifier as chunk_t, internal data
+ */
+ chunk_t (*get_subjectKeyIdentifier)(x509_t *this);
+
 /**
 * Get the the authorityKeyIdentifier.
 *
- * @return authKeyIdentifier as identification_t*
+ * @return authKeyIdentifier as chunk_t, internal data
 */
- identification_t* (*get_authKeyIdentifier)(x509_t *this);
-
+ chunk_t (*get_authKeyIdentifier)(x509_t *this);
+
+ /**
+ * Get an optional path length constraint.
+ *
+ * @return pathLenConstraint, -1 if no constraint exists
+ */
+ int (*get_pathLenConstraint)(x509_t *this);
+
 /**
 * Create an enumerator over all subjectAltNames.
 *
 * @return enumerator over subjectAltNames as identification_t*
 */
 enumerator_t* (*create_subjectAltName_enumerator)(x509_t *this);
-
+
 /**
 * Create an enumerator over all CRL URIs.
 *
 * @return enumerator over URIs as char*
 */
 enumerator_t* (*create_crl_uri_enumerator)(x509_t *this);
-
+
 /**
 * Create an enumerator over all OCSP URIs.
 *
 * @return enumerator over URIs as char*
 */
 enumerator_t* (*create_ocsp_uri_enumerator)(x509_t *this);
+
+ /**
+ * Create an enumerator over all ipAddrBlocks.
+ *
+ * @return enumerator over ipAddrBlocks as traffic_selector_t*
+ */
+ enumerator_t* (*create_ipAddrBlock_enumerator)(x509_t *this);
 };
 
 #endif /** X509_H_ @}*/ |
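Review bot: The comments on the new get_subjectKeyIdentifier() and the retyped get_authKeyIdentifier() do not say what is returned when the certificate lacks the extension. With a chunk_t return, callers that link a certificate to its issuer by comparing the two identifiers need to know this, because two empty chunks would compare equal and must not count as a match. I would extend both comments, e.g. `@return authKeyIdentifier as chunk_t, internal data; chunk_empty if the extension is absent` (assuming that is what the implementation returns), and fix the doubled word in `Get the the subjectKeyIdentifier.` while there. The struct x509_t definition starts before this hunk.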