diff options
Diffstat (limited to 'src/libstrongswan/credentials/certificates')
10 files changed, 216 insertions, 62 deletions
diff --git a/src/libstrongswan/credentials/certificates/ac.h b/src/libstrongswan/credentials/certificates/ac.h index fb99b4756..fef7f8c65 100644 --- a/src/libstrongswan/credentials/certificates/ac.h +++ b/src/libstrongswan/credentials/certificates/ac.h @@ -1,9 +1,7 @@ /* - * Copyright (C) 2002 Ueli Galizzi, Ariane Seiler - * Copyright (C) 2003 Martin Berner, Lukas Suter - * Copyright (C) 2002-2008 Andreas Steffen + * Copyright (C) 2002-2009 Andreas Steffen * - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -26,6 +24,7 @@ #include <library.h> #include <credentials/certificates/certificate.h> +#include <credentials/ietf_attributes/ietf_attributes.h> typedef struct ac_t ac_t; @@ -41,14 +40,14 @@ struct ac_t { * Implements the certificate_t interface */ certificate_t certificate; - + /** * Get the attribute certificate's serial number. * * @return chunk pointing to serialNumber */ chunk_t (*get_serial)(ac_t *this); - + /** * Get the serial number of the holder certificate. * @@ -64,11 +63,18 @@ struct ac_t { identification_t* (*get_holderIssuer)(ac_t *this); /** - * Get the thauthorityKeyIdentifier. + * Get the authorityKeyIdentifier. + * + * @return authKeyIdentifier as chunk_t, to internal data + */ + chunk_t (*get_authKeyIdentifier)(ac_t *this); + + /** + * Get the group memberships as a list of IETF attributes * - * @return authKeyIdentifier as identification_t* + * @return object containing a list of IETF attributes */ - identification_t* (*get_authKeyIdentifier)(ac_t *this); + ietf_attributes_t* (*get_groups)(ac_t *this); /** * @brief Checks if two attribute certificates belong to the same holder diff --git a/src/libstrongswan/credentials/certificates/certificate.c b/src/libstrongswan/credentials/certificates/certificate.c index 041e2f1db..156d12358 100644 --- a/src/libstrongswan/credentials/certificates/certificate.c +++ b/src/libstrongswan/credentials/certificates/certificate.c @@ -17,16 +17,19 @@ #include <credentials/certificates/x509.h> -ENUM(certificate_type_names, CERT_ANY, CERT_PGP, +ENUM(certificate_type_names, CERT_ANY, CERT_PLUTO_CRL, "ANY", "X509", "X509_CRL", "X509_OCSP_REQUEST", "X509_OCSP_RESPONSE", "X509_AC", - "X509_CHAIN", "TRUSTED_PUBKEY", + "PKCS10_REQUEST", "PGP", + "PLUTO_CERT", + "PLUTO_AC", + "PLUTO_CRL", ); ENUM(cert_validation_names, VALIDATION_GOOD, VALIDATION_REVOKED, diff --git a/src/libstrongswan/credentials/certificates/certificate.h b/src/libstrongswan/credentials/certificates/certificate.h index 81fce5508..a4f9aa3e0 100644 --- a/src/libstrongswan/credentials/certificates/certificate.h +++ b/src/libstrongswan/credentials/certificates/certificate.h @@ -47,8 +47,14 @@ enum certificate_type_t { CERT_X509_AC, /** trusted, preinstalled public key */ CERT_TRUSTED_PUBKEY, + /** PKCS#10 certificate request */ + CERT_PKCS10_REQUEST, /** PGP certificate */ - CERT_PGP, + CERT_GPG, + /** Pluto cert_t (not a certificate_t), either x509 or PGP */ + CERT_PLUTO_CERT, + /** Pluto x509crl_t (not a certificate_t), certificate revocation list */ + CERT_PLUTO_CRL, }; /** @@ -82,7 +88,7 @@ extern enum_name_t *cert_validation_names; /** * An abstract certificate. * - * A certificate designs a subject-issuer relationship. It may have an + * A certificate designs a subject-issuer relationship. It may have an * associated public key. */ struct certificate_t { @@ -90,7 +96,7 @@ struct certificate_t { /** * Get the type of the certificate. * - * @return certifcate type + * @return certificate type */ certificate_type_t (*get_type)(certificate_t *this); @@ -100,7 +106,7 @@ struct certificate_t { * @return subject identity */ identification_t* (*get_subject)(certificate_t *this); - + /** * Check if certificate contains a subject ID. * @@ -111,14 +117,14 @@ struct certificate_t { * @return matching value of best match */ id_match_t (*has_subject)(certificate_t *this, identification_t *subject); - + /** * Get the issuer which signed this certificate. * * @return issuer identity */ identification_t* (*get_issuer)(certificate_t *this); - + /** * Check if certificate contains an issuer ID. * @@ -129,7 +135,7 @@ struct certificate_t { * @return matching value of best match */ id_match_t (*has_issuer)(certificate_t *this, identification_t *issuer); - + /** * Check if this certificate is issued and signed by a specific issuer. * @@ -137,14 +143,14 @@ struct certificate_t { * @return TRUE if certificate issued by issuer and trusted */ bool (*issued_by)(certificate_t *this, certificate_t *issuer); - + /** * Get the public key associated to this certificate. * * @return newly referenced public_key, NULL if none available */ public_key_t* (*get_public_key)(certificate_t *this); - + /** * Check the lifetime of the certificate. * @@ -155,21 +161,21 @@ struct certificate_t { */ bool (*get_validity)(certificate_t *this, time_t *when, time_t *not_before, time_t *not_after); - + /** * Is this newer than that? * * @return TRUE if newer, FALSE otherwise */ bool (*is_newer)(certificate_t *this, certificate_t *that); - + /** * Get the certificate in an encoded form. * * @return allocated chunk of encoded cert */ chunk_t (*get_encoding)(certificate_t *this); - + /** * Check if two certificates are equal. * @@ -177,18 +183,18 @@ struct certificate_t { * @return TRUE if certificates are equal */ bool (*equals)(certificate_t *this, certificate_t *other); - + /** * Get a new reference to the certificate. * - * @return this, with an increased refcount + * @return this, with an increased refcount */ certificate_t* (*get_ref)(certificate_t *this); - + /** - * Destroy a certificate. - */ - void (*destroy)(certificate_t *this); + * Destroy a certificate. + */ + void (*destroy)(certificate_t *this); }; #endif /** CERTIFICATE_H_ @}*/ diff --git a/src/libstrongswan/credentials/certificates/crl.c b/src/libstrongswan/credentials/certificates/crl.c index 0d6654075..085ad16cc 100644 --- a/src/libstrongswan/credentials/certificates/crl.c +++ b/src/libstrongswan/credentials/certificates/crl.c @@ -16,7 +16,7 @@ #include "crl.h" -ENUM(crl_reason_names, CRL_UNSPECIFIED, CRL_REMOVE_FROM_CRL, +ENUM(crl_reason_names, CRL_REASON_UNSPECIFIED, CRL_REASON_REMOVE_FROM_CRL, "unspecified", "key compromise", "ca compromise", diff --git a/src/libstrongswan/credentials/certificates/crl.h b/src/libstrongswan/credentials/certificates/crl.h index 3fef0d710..4b612390c 100644 --- a/src/libstrongswan/credentials/certificates/crl.h +++ b/src/libstrongswan/credentials/certificates/crl.h @@ -32,14 +32,14 @@ typedef enum crl_reason_t crl_reason_t; * RFC 2459 CRL reason codes */ enum crl_reason_t { - CRL_UNSPECIFIED = 0, - CRL_KEY_COMPROMISE = 1, - CRL_CA_COMPROMISE = 2, - CRL_AFFILIATION_CHANGED = 3, - CRL_SUPERSEDED = 4, - CRL_CESSATION_OF_OPERATON = 5, - CRL_CERTIFICATE_HOLD = 6, - CRL_REMOVE_FROM_CRL = 8, + CRL_REASON_UNSPECIFIED = 0, + CRL_REASON_KEY_COMPROMISE = 1, + CRL_REASON_CA_COMPROMISE = 2, + CRL_REASON_AFFILIATION_CHANGED = 3, + CRL_REASON_SUPERSEDED = 4, + CRL_REASON_CESSATION_OF_OPERATON = 5, + CRL_REASON_CERTIFICATE_HOLD = 6, + CRL_REASON_REMOVE_FROM_CRL = 8, }; /** @@ -56,21 +56,21 @@ struct crl_t { * Implements (parts of) the certificate_t interface */ certificate_t certificate; - + /** * Get the CRL serial number. * * @return chunk pointing to internal crlNumber */ chunk_t (*get_serial)(crl_t *this); - + /** * Get the the authorityKeyIdentifier. * - * @return authKeyIdentifier as identification_t* + * @return authKeyIdentifier chunk, point to internal data */ - identification_t* (*get_authKeyIdentifier)(crl_t *this); - + chunk_t (*get_authKeyIdentifier)(crl_t *this); + /** * Create an enumerator over all revoked certificates. * @@ -80,7 +80,7 @@ struct crl_t { * @return enumerator over revoked certificates. */ enumerator_t* (*create_enumerator)(crl_t *this); - + }; #endif /** CRL_H_ @}*/ diff --git a/src/libstrongswan/credentials/certificates/ocsp_response.h b/src/libstrongswan/credentials/certificates/ocsp_response.h index a70f3eee4..157577458 100644 --- a/src/libstrongswan/credentials/certificates/ocsp_response.h +++ b/src/libstrongswan/credentials/certificates/ocsp_response.h @@ -28,7 +28,7 @@ typedef struct ocsp_response_t ocsp_response_t; typedef enum ocsp_status_t ocsp_status_t; /** - * OCSP response status + * OCSP response status */ enum ocsp_status_t { OCSP_SUCCESSFUL = 0, @@ -53,7 +53,7 @@ struct ocsp_response_t { * Implements certificiate_t interface */ certificate_t certificate; - + /** * Check the status of a certificate by this OCSP response. * @@ -65,18 +65,18 @@ struct ocsp_response_t { * @param next_update exptected time of next revocation list * @return certificate revocation status */ - cert_validation_t (*get_status)(ocsp_response_t *this, + cert_validation_t (*get_status)(ocsp_response_t *this, x509_t *subject, x509_t *issuer, time_t *revocation_time, crl_reason_t *revocation_reason, time_t *this_update, time_t *next_update); - + /** * Create an enumerator over the contained certificates. * * @return enumerator over certificate_t* */ - enumerator_t* (*create_cert_enumerator)(ocsp_response_t *this); + enumerator_t* (*create_cert_enumerator)(ocsp_response_t *this); }; #endif /** OCSP_RESPONSE_H_ @}*/ diff --git a/src/libstrongswan/credentials/certificates/pgp_certificate.h b/src/libstrongswan/credentials/certificates/pgp_certificate.h new file mode 100644 index 000000000..94a31e14d --- /dev/null +++ b/src/libstrongswan/credentials/certificates/pgp_certificate.h @@ -0,0 +1,46 @@ +/* + * Copyright (C) 2009 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup pgp_certificate pgp_certificate + * @{ @ingroup certificates + */ + +#ifndef PGP_CERTIFICATE_H_ +#define PGP_CERTIFICATE_H_ + +#include <credentials/certificates/certificate.h> + +typedef struct pgp_certificate_t pgp_certificate_t; + +/** + * PGP certificate interface. + */ +struct pgp_certificate_t { + + /** + * Implements certificate_t. + */ + certificate_t interface; + + /** + * Get the v3 or v4 fingerprint of the PGP public key + * + * @return fingerprint as chunk_t, internal data + */ + chunk_t (*get_fingerprint)(pgp_certificate_t *this); +}; + +#endif /** PGP_CERTIFICATE_H_ @}*/ diff --git a/src/libstrongswan/credentials/certificates/pkcs10.h b/src/libstrongswan/credentials/certificates/pkcs10.h new file mode 100644 index 000000000..9a4979757 --- /dev/null +++ b/src/libstrongswan/credentials/certificates/pkcs10.h @@ -0,0 +1,57 @@ +/* + * Copyright (C) 2009 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup req req + * @{ @ingroup certificates + */ + +#ifndef PKCS10_H_ +#define PKCS10_H_ + +#include <utils/enumerator.h> +#include <credentials/certificates/certificate.h> + +typedef struct pkcs10_t pkcs10_t; + +/** + * PKCS#10 certificate request interface. + * + * This interface adds additional methods to the certificate_t type to + * allow further operations on a certificate request. + */ +struct pkcs10_t { + + /** + * Implements certificate_t. + */ + certificate_t interface; + + /** + * Get the challenge password + * + * @return challenge password as a chunk_t + */ + chunk_t (*get_challengePassword)(pkcs10_t *this); + + /** + * Get. + * + * @return enumerator over subjectAltNames as identification_t* + */ + enumerator_t* (*create_subjectAltName_enumerator)(pkcs10_t *this); +}; + +#endif /** PKCS10_H_ @}*/ diff --git a/src/libstrongswan/credentials/certificates/x509.c b/src/libstrongswan/credentials/certificates/x509.c index 5d53f0c68..66dc192c1 100644 --- a/src/libstrongswan/credentials/certificates/x509.c +++ b/src/libstrongswan/credentials/certificates/x509.c @@ -15,10 +15,14 @@ #include "x509.h" -ENUM(x509_flag_names, X509_CA, X509_SELF_SIGNED, +ENUM(x509_flag_names, X509_NONE, X509_IP_ADDR_BLOCKS, + "X509_NONE", "X509_CA", "X509_AA", "X509_OCSP_SIGNER", + "X509_SERVER_AUTH", + "X509_CLIENT_AUTH", "X509_SELF_SIGNED", + "X509_IP_ADDR_BLOCKS", ); diff --git a/src/libstrongswan/credentials/certificates/x509.h b/src/libstrongswan/credentials/certificates/x509.h index eedab78f7..172bd9696 100644 --- a/src/libstrongswan/credentials/certificates/x509.h +++ b/src/libstrongswan/credentials/certificates/x509.h @@ -24,6 +24,9 @@ #include <utils/enumerator.h> #include <credentials/certificates/certificate.h> +#define X509_NO_PATH_LEN_CONSTRAINT -1 +#define X509_MAX_PATH_LEN 7 + typedef struct x509_t x509_t; typedef enum x509_flag_t x509_flag_t; @@ -31,14 +34,22 @@ typedef enum x509_flag_t x509_flag_t; * X.509 certificate flags. */ enum x509_flag_t { + /** cert has no constraints */ + X509_NONE = 0, /** cert has CA constraint */ - X509_CA = (1<<0), + X509_CA = (1<<0), /** cert has AA constraint */ - X509_AA = (1<<1), + X509_AA = (1<<1), /** cert has OCSP signer constraint */ - X509_OCSP_SIGNER = (1<<2), + X509_OCSP_SIGNER = (1<<2), + /** cert has serverAuth key usage */ + X509_SERVER_AUTH = (1<<3), + /** cert has clientAuth key usage */ + X509_CLIENT_AUTH = (1<<4), /** cert is self-signed */ - X509_SELF_SIGNED = (1<<3), + X509_SELF_SIGNED = (1<<5), + /** cert has an ipAddrBlocks extension */ + X509_IP_ADDR_BLOCKS = (1<<6), }; /** @@ -58,48 +69,69 @@ struct x509_t { * Implements certificate_t. */ certificate_t interface; - + /** * Get the flags set for this certificate. * * @return set of flags */ x509_flag_t (*get_flags)(x509_t *this); - + /** * Get the certificate serial number. * * @return chunk pointing to internal serial number */ chunk_t (*get_serial)(x509_t *this); - + + /** + * Get the the subjectKeyIdentifier. + * + * @return subjectKeyIdentifier as chunk_t, internal data + */ + chunk_t (*get_subjectKeyIdentifier)(x509_t *this); + /** * Get the the authorityKeyIdentifier. * - * @return authKeyIdentifier as identification_t* + * @return authKeyIdentifier as chunk_t, internal data */ - identification_t* (*get_authKeyIdentifier)(x509_t *this); - + chunk_t (*get_authKeyIdentifier)(x509_t *this); + + /** + * Get an optional path length constraint. + * + * @return pathLenConstraint, -1 if no constraint exists + */ + int (*get_pathLenConstraint)(x509_t *this); + /** * Create an enumerator over all subjectAltNames. * * @return enumerator over subjectAltNames as identification_t* */ enumerator_t* (*create_subjectAltName_enumerator)(x509_t *this); - + /** * Create an enumerator over all CRL URIs. * * @return enumerator over URIs as char* */ enumerator_t* (*create_crl_uri_enumerator)(x509_t *this); - + /** * Create an enumerator over all OCSP URIs. * * @return enumerator over URIs as char* */ enumerator_t* (*create_ocsp_uri_enumerator)(x509_t *this); + + /** + * Create an enumerator over all ipAddrBlocks. + * + * @return enumerator over ipAddrBlocks as traffic_selector_t* + */ + enumerator_t* (*create_ipAddrBlock_enumerator)(x509_t *this); }; #endif /** X509_H_ @}*/ |