summaryrefslogtreecommitdiff
path: root/src/libstrongswan/credentials/certificates
diff options
context:
space:
mode:
Diffstat (limited to 'src/libstrongswan/credentials/certificates')
-rw-r--r--src/libstrongswan/credentials/certificates/ac.h24
-rw-r--r--src/libstrongswan/credentials/certificates/certificate.c7
-rw-r--r--src/libstrongswan/credentials/certificates/certificate.h42
-rw-r--r--src/libstrongswan/credentials/certificates/crl.c2
-rw-r--r--src/libstrongswan/credentials/certificates/crl.h28
-rw-r--r--src/libstrongswan/credentials/certificates/ocsp_response.h10
-rw-r--r--src/libstrongswan/credentials/certificates/pgp_certificate.h46
-rw-r--r--src/libstrongswan/credentials/certificates/pkcs10.h57
-rw-r--r--src/libstrongswan/credentials/certificates/x509.c6
-rw-r--r--src/libstrongswan/credentials/certificates/x509.h56
10 files changed, 216 insertions, 62 deletions
diff --git a/src/libstrongswan/credentials/certificates/ac.h b/src/libstrongswan/credentials/certificates/ac.h
index fb99b4756..fef7f8c65 100644
--- a/src/libstrongswan/credentials/certificates/ac.h
+++ b/src/libstrongswan/credentials/certificates/ac.h
@@ -1,9 +1,7 @@
/*
- * Copyright (C) 2002 Ueli Galizzi, Ariane Seiler
- * Copyright (C) 2003 Martin Berner, Lukas Suter
- * Copyright (C) 2002-2008 Andreas Steffen
+ * Copyright (C) 2002-2009 Andreas Steffen
*
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
@@ -26,6 +24,7 @@
#include <library.h>
#include <credentials/certificates/certificate.h>
+#include <credentials/ietf_attributes/ietf_attributes.h>
typedef struct ac_t ac_t;
@@ -41,14 +40,14 @@ struct ac_t {
* Implements the certificate_t interface
*/
certificate_t certificate;
-
+
/**
* Get the attribute certificate's serial number.
*
* @return chunk pointing to serialNumber
*/
chunk_t (*get_serial)(ac_t *this);
-
+
/**
* Get the serial number of the holder certificate.
*
@@ -64,11 +63,18 @@ struct ac_t {
identification_t* (*get_holderIssuer)(ac_t *this);
/**
- * Get the thauthorityKeyIdentifier.
+ * Get the authorityKeyIdentifier.
+ *
+ * @return authKeyIdentifier as chunk_t, to internal data
+ */
+ chunk_t (*get_authKeyIdentifier)(ac_t *this);
+
+ /**
+ * Get the group memberships as a list of IETF attributes
*
- * @return authKeyIdentifier as identification_t*
+ * @return object containing a list of IETF attributes
*/
- identification_t* (*get_authKeyIdentifier)(ac_t *this);
+ ietf_attributes_t* (*get_groups)(ac_t *this);
/**
* @brief Checks if two attribute certificates belong to the same holder
diff --git a/src/libstrongswan/credentials/certificates/certificate.c b/src/libstrongswan/credentials/certificates/certificate.c
index 041e2f1db..156d12358 100644
--- a/src/libstrongswan/credentials/certificates/certificate.c
+++ b/src/libstrongswan/credentials/certificates/certificate.c
@@ -17,16 +17,19 @@
#include <credentials/certificates/x509.h>
-ENUM(certificate_type_names, CERT_ANY, CERT_PGP,
+ENUM(certificate_type_names, CERT_ANY, CERT_PLUTO_CRL,
"ANY",
"X509",
"X509_CRL",
"X509_OCSP_REQUEST",
"X509_OCSP_RESPONSE",
"X509_AC",
- "X509_CHAIN",
"TRUSTED_PUBKEY",
+ "PKCS10_REQUEST",
"PGP",
+ "PLUTO_CERT",
+ "PLUTO_AC",
+ "PLUTO_CRL",
);
ENUM(cert_validation_names, VALIDATION_GOOD, VALIDATION_REVOKED,
diff --git a/src/libstrongswan/credentials/certificates/certificate.h b/src/libstrongswan/credentials/certificates/certificate.h
index 81fce5508..a4f9aa3e0 100644
--- a/src/libstrongswan/credentials/certificates/certificate.h
+++ b/src/libstrongswan/credentials/certificates/certificate.h
@@ -47,8 +47,14 @@ enum certificate_type_t {
CERT_X509_AC,
/** trusted, preinstalled public key */
CERT_TRUSTED_PUBKEY,
+ /** PKCS#10 certificate request */
+ CERT_PKCS10_REQUEST,
/** PGP certificate */
- CERT_PGP,
+ CERT_GPG,
+ /** Pluto cert_t (not a certificate_t), either x509 or PGP */
+ CERT_PLUTO_CERT,
+ /** Pluto x509crl_t (not a certificate_t), certificate revocation list */
+ CERT_PLUTO_CRL,
};
/**
@@ -82,7 +88,7 @@ extern enum_name_t *cert_validation_names;
/**
* An abstract certificate.
*
- * A certificate designs a subject-issuer relationship. It may have an
+ * A certificate designs a subject-issuer relationship. It may have an
* associated public key.
*/
struct certificate_t {
@@ -90,7 +96,7 @@ struct certificate_t {
/**
* Get the type of the certificate.
*
- * @return certifcate type
+ * @return certificate type
*/
certificate_type_t (*get_type)(certificate_t *this);
@@ -100,7 +106,7 @@ struct certificate_t {
* @return subject identity
*/
identification_t* (*get_subject)(certificate_t *this);
-
+
/**
* Check if certificate contains a subject ID.
*
@@ -111,14 +117,14 @@ struct certificate_t {
* @return matching value of best match
*/
id_match_t (*has_subject)(certificate_t *this, identification_t *subject);
-
+
/**
* Get the issuer which signed this certificate.
*
* @return issuer identity
*/
identification_t* (*get_issuer)(certificate_t *this);
-
+
/**
* Check if certificate contains an issuer ID.
*
@@ -129,7 +135,7 @@ struct certificate_t {
* @return matching value of best match
*/
id_match_t (*has_issuer)(certificate_t *this, identification_t *issuer);
-
+
/**
* Check if this certificate is issued and signed by a specific issuer.
*
@@ -137,14 +143,14 @@ struct certificate_t {
* @return TRUE if certificate issued by issuer and trusted
*/
bool (*issued_by)(certificate_t *this, certificate_t *issuer);
-
+
/**
* Get the public key associated to this certificate.
*
* @return newly referenced public_key, NULL if none available
*/
public_key_t* (*get_public_key)(certificate_t *this);
-
+
/**
* Check the lifetime of the certificate.
*
@@ -155,21 +161,21 @@ struct certificate_t {
*/
bool (*get_validity)(certificate_t *this, time_t *when,
time_t *not_before, time_t *not_after);
-
+
/**
* Is this newer than that?
*
* @return TRUE if newer, FALSE otherwise
*/
bool (*is_newer)(certificate_t *this, certificate_t *that);
-
+
/**
* Get the certificate in an encoded form.
*
* @return allocated chunk of encoded cert
*/
chunk_t (*get_encoding)(certificate_t *this);
-
+
/**
* Check if two certificates are equal.
*
@@ -177,18 +183,18 @@ struct certificate_t {
* @return TRUE if certificates are equal
*/
bool (*equals)(certificate_t *this, certificate_t *other);
-
+
/**
* Get a new reference to the certificate.
*
- * @return this, with an increased refcount
+ * @return this, with an increased refcount
*/
certificate_t* (*get_ref)(certificate_t *this);
-
+
/**
- * Destroy a certificate.
- */
- void (*destroy)(certificate_t *this);
+ * Destroy a certificate.
+ */
+ void (*destroy)(certificate_t *this);
};
#endif /** CERTIFICATE_H_ @}*/
diff --git a/src/libstrongswan/credentials/certificates/crl.c b/src/libstrongswan/credentials/certificates/crl.c
index 0d6654075..085ad16cc 100644
--- a/src/libstrongswan/credentials/certificates/crl.c
+++ b/src/libstrongswan/credentials/certificates/crl.c
@@ -16,7 +16,7 @@
#include "crl.h"
-ENUM(crl_reason_names, CRL_UNSPECIFIED, CRL_REMOVE_FROM_CRL,
+ENUM(crl_reason_names, CRL_REASON_UNSPECIFIED, CRL_REASON_REMOVE_FROM_CRL,
"unspecified",
"key compromise",
"ca compromise",
diff --git a/src/libstrongswan/credentials/certificates/crl.h b/src/libstrongswan/credentials/certificates/crl.h
index 3fef0d710..4b612390c 100644
--- a/src/libstrongswan/credentials/certificates/crl.h
+++ b/src/libstrongswan/credentials/certificates/crl.h
@@ -32,14 +32,14 @@ typedef enum crl_reason_t crl_reason_t;
* RFC 2459 CRL reason codes
*/
enum crl_reason_t {
- CRL_UNSPECIFIED = 0,
- CRL_KEY_COMPROMISE = 1,
- CRL_CA_COMPROMISE = 2,
- CRL_AFFILIATION_CHANGED = 3,
- CRL_SUPERSEDED = 4,
- CRL_CESSATION_OF_OPERATON = 5,
- CRL_CERTIFICATE_HOLD = 6,
- CRL_REMOVE_FROM_CRL = 8,
+ CRL_REASON_UNSPECIFIED = 0,
+ CRL_REASON_KEY_COMPROMISE = 1,
+ CRL_REASON_CA_COMPROMISE = 2,
+ CRL_REASON_AFFILIATION_CHANGED = 3,
+ CRL_REASON_SUPERSEDED = 4,
+ CRL_REASON_CESSATION_OF_OPERATON = 5,
+ CRL_REASON_CERTIFICATE_HOLD = 6,
+ CRL_REASON_REMOVE_FROM_CRL = 8,
};
/**
@@ -56,21 +56,21 @@ struct crl_t {
* Implements (parts of) the certificate_t interface
*/
certificate_t certificate;
-
+
/**
* Get the CRL serial number.
*
* @return chunk pointing to internal crlNumber
*/
chunk_t (*get_serial)(crl_t *this);
-
+
/**
* Get the the authorityKeyIdentifier.
*
- * @return authKeyIdentifier as identification_t*
+ * @return authKeyIdentifier chunk, point to internal data
*/
- identification_t* (*get_authKeyIdentifier)(crl_t *this);
-
+ chunk_t (*get_authKeyIdentifier)(crl_t *this);
+
/**
* Create an enumerator over all revoked certificates.
*
@@ -80,7 +80,7 @@ struct crl_t {
* @return enumerator over revoked certificates.
*/
enumerator_t* (*create_enumerator)(crl_t *this);
-
+
};
#endif /** CRL_H_ @}*/
diff --git a/src/libstrongswan/credentials/certificates/ocsp_response.h b/src/libstrongswan/credentials/certificates/ocsp_response.h
index a70f3eee4..157577458 100644
--- a/src/libstrongswan/credentials/certificates/ocsp_response.h
+++ b/src/libstrongswan/credentials/certificates/ocsp_response.h
@@ -28,7 +28,7 @@ typedef struct ocsp_response_t ocsp_response_t;
typedef enum ocsp_status_t ocsp_status_t;
/**
- * OCSP response status
+ * OCSP response status
*/
enum ocsp_status_t {
OCSP_SUCCESSFUL = 0,
@@ -53,7 +53,7 @@ struct ocsp_response_t {
* Implements certificiate_t interface
*/
certificate_t certificate;
-
+
/**
* Check the status of a certificate by this OCSP response.
*
@@ -65,18 +65,18 @@ struct ocsp_response_t {
* @param next_update exptected time of next revocation list
* @return certificate revocation status
*/
- cert_validation_t (*get_status)(ocsp_response_t *this,
+ cert_validation_t (*get_status)(ocsp_response_t *this,
x509_t *subject, x509_t *issuer,
time_t *revocation_time,
crl_reason_t *revocation_reason,
time_t *this_update, time_t *next_update);
-
+
/**
* Create an enumerator over the contained certificates.
*
* @return enumerator over certificate_t*
*/
- enumerator_t* (*create_cert_enumerator)(ocsp_response_t *this);
+ enumerator_t* (*create_cert_enumerator)(ocsp_response_t *this);
};
#endif /** OCSP_RESPONSE_H_ @}*/
diff --git a/src/libstrongswan/credentials/certificates/pgp_certificate.h b/src/libstrongswan/credentials/certificates/pgp_certificate.h
new file mode 100644
index 000000000..94a31e14d
--- /dev/null
+++ b/src/libstrongswan/credentials/certificates/pgp_certificate.h
@@ -0,0 +1,46 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pgp_certificate pgp_certificate
+ * @{ @ingroup certificates
+ */
+
+#ifndef PGP_CERTIFICATE_H_
+#define PGP_CERTIFICATE_H_
+
+#include <credentials/certificates/certificate.h>
+
+typedef struct pgp_certificate_t pgp_certificate_t;
+
+/**
+ * PGP certificate interface.
+ */
+struct pgp_certificate_t {
+
+ /**
+ * Implements certificate_t.
+ */
+ certificate_t interface;
+
+ /**
+ * Get the v3 or v4 fingerprint of the PGP public key
+ *
+ * @return fingerprint as chunk_t, internal data
+ */
+ chunk_t (*get_fingerprint)(pgp_certificate_t *this);
+};
+
+#endif /** PGP_CERTIFICATE_H_ @}*/
diff --git a/src/libstrongswan/credentials/certificates/pkcs10.h b/src/libstrongswan/credentials/certificates/pkcs10.h
new file mode 100644
index 000000000..9a4979757
--- /dev/null
+++ b/src/libstrongswan/credentials/certificates/pkcs10.h
@@ -0,0 +1,57 @@
+/*
+ * Copyright (C) 2009 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup req req
+ * @{ @ingroup certificates
+ */
+
+#ifndef PKCS10_H_
+#define PKCS10_H_
+
+#include <utils/enumerator.h>
+#include <credentials/certificates/certificate.h>
+
+typedef struct pkcs10_t pkcs10_t;
+
+/**
+ * PKCS#10 certificate request interface.
+ *
+ * This interface adds additional methods to the certificate_t type to
+ * allow further operations on a certificate request.
+ */
+struct pkcs10_t {
+
+ /**
+ * Implements certificate_t.
+ */
+ certificate_t interface;
+
+ /**
+ * Get the challenge password
+ *
+ * @return challenge password as a chunk_t
+ */
+ chunk_t (*get_challengePassword)(pkcs10_t *this);
+
+ /**
+ * Get.
+ *
+ * @return enumerator over subjectAltNames as identification_t*
+ */
+ enumerator_t* (*create_subjectAltName_enumerator)(pkcs10_t *this);
+};
+
+#endif /** PKCS10_H_ @}*/
diff --git a/src/libstrongswan/credentials/certificates/x509.c b/src/libstrongswan/credentials/certificates/x509.c
index 5d53f0c68..66dc192c1 100644
--- a/src/libstrongswan/credentials/certificates/x509.c
+++ b/src/libstrongswan/credentials/certificates/x509.c
@@ -15,10 +15,14 @@
#include "x509.h"
-ENUM(x509_flag_names, X509_CA, X509_SELF_SIGNED,
+ENUM(x509_flag_names, X509_NONE, X509_IP_ADDR_BLOCKS,
+ "X509_NONE",
"X509_CA",
"X509_AA",
"X509_OCSP_SIGNER",
+ "X509_SERVER_AUTH",
+ "X509_CLIENT_AUTH",
"X509_SELF_SIGNED",
+ "X509_IP_ADDR_BLOCKS",
);
diff --git a/src/libstrongswan/credentials/certificates/x509.h b/src/libstrongswan/credentials/certificates/x509.h
index eedab78f7..172bd9696 100644
--- a/src/libstrongswan/credentials/certificates/x509.h
+++ b/src/libstrongswan/credentials/certificates/x509.h
@@ -24,6 +24,9 @@
#include <utils/enumerator.h>
#include <credentials/certificates/certificate.h>
+#define X509_NO_PATH_LEN_CONSTRAINT -1
+#define X509_MAX_PATH_LEN 7
+
typedef struct x509_t x509_t;
typedef enum x509_flag_t x509_flag_t;
@@ -31,14 +34,22 @@ typedef enum x509_flag_t x509_flag_t;
* X.509 certificate flags.
*/
enum x509_flag_t {
+ /** cert has no constraints */
+ X509_NONE = 0,
/** cert has CA constraint */
- X509_CA = (1<<0),
+ X509_CA = (1<<0),
/** cert has AA constraint */
- X509_AA = (1<<1),
+ X509_AA = (1<<1),
/** cert has OCSP signer constraint */
- X509_OCSP_SIGNER = (1<<2),
+ X509_OCSP_SIGNER = (1<<2),
+ /** cert has serverAuth key usage */
+ X509_SERVER_AUTH = (1<<3),
+ /** cert has clientAuth key usage */
+ X509_CLIENT_AUTH = (1<<4),
/** cert is self-signed */
- X509_SELF_SIGNED = (1<<3),
+ X509_SELF_SIGNED = (1<<5),
+ /** cert has an ipAddrBlocks extension */
+ X509_IP_ADDR_BLOCKS = (1<<6),
};
/**
@@ -58,48 +69,69 @@ struct x509_t {
* Implements certificate_t.
*/
certificate_t interface;
-
+
/**
* Get the flags set for this certificate.
*
* @return set of flags
*/
x509_flag_t (*get_flags)(x509_t *this);
-
+
/**
* Get the certificate serial number.
*
* @return chunk pointing to internal serial number
*/
chunk_t (*get_serial)(x509_t *this);
-
+
+ /**
+ * Get the the subjectKeyIdentifier.
+ *
+ * @return subjectKeyIdentifier as chunk_t, internal data
+ */
+ chunk_t (*get_subjectKeyIdentifier)(x509_t *this);
+
/**
* Get the the authorityKeyIdentifier.
*
- * @return authKeyIdentifier as identification_t*
+ * @return authKeyIdentifier as chunk_t, internal data
*/
- identification_t* (*get_authKeyIdentifier)(x509_t *this);
-
+ chunk_t (*get_authKeyIdentifier)(x509_t *this);
+
+ /**
+ * Get an optional path length constraint.
+ *
+ * @return pathLenConstraint, -1 if no constraint exists
+ */
+ int (*get_pathLenConstraint)(x509_t *this);
+
/**
* Create an enumerator over all subjectAltNames.
*
* @return enumerator over subjectAltNames as identification_t*
*/
enumerator_t* (*create_subjectAltName_enumerator)(x509_t *this);
-
+
/**
* Create an enumerator over all CRL URIs.
*
* @return enumerator over URIs as char*
*/
enumerator_t* (*create_crl_uri_enumerator)(x509_t *this);
-
+
/**
* Create an enumerator over all OCSP URIs.
*
* @return enumerator over URIs as char*
*/
enumerator_t* (*create_ocsp_uri_enumerator)(x509_t *this);
+
+ /**
+ * Create an enumerator over all ipAddrBlocks.
+ *
+ * @return enumerator over ipAddrBlocks as traffic_selector_t*
+ */
+ enumerator_t* (*create_ipAddrBlock_enumerator)(x509_t *this);
};
#endif /** X509_H_ @}*/