1 files changed, 54 insertions, 0 deletions

diff --git a/src/libstrongswan/credentials/credential_manager.h b/src/libstrongswan/credentials/credential_manager.h
index 73c585734..445ea3f9c 100644
--- a/src/libstrongswan/credentials/credential_manager.h
+++ b/src/libstrongswan/credentials/credential_manager.h
@@ -22,6 +22,7 @@
 #define CREDENTIAL_MANAGER_H_
 
 typedef struct credential_manager_t credential_manager_t;
+typedef enum credential_hook_type_t credential_hook_type_t;
 
 #include <utils/identification.h>
 #include <collections/enumerator.h>
@@ -33,6 +34,37 @@ typedef struct credential_manager_t credential_manager_t;
 #include <credentials/cert_validator.h>
 
 /**
+ * Type of a credential hook error/event.
+ */
+enum credential_hook_type_t {
+	/** The certificate has expired (or is not yet valid) */
+	CRED_HOOK_EXPIRED,
+	/** The certificate has been revoked */
+	CRED_HOOK_REVOKED,
+	/** Checking certificate revocation failed. This does not necessarily mean
+	 *  the certificate is rejected, just that revocation checking failed. */
+	CRED_HOOK_VALIDATION_FAILED,
+	/** No trusted issuer certificate has been found for this certificate */
+	CRED_HOOK_NO_ISSUER,
+	/** Encountered a self-signed (root) certificate, but it is not trusted */
+	CRED_HOOK_UNTRUSTED_ROOT,
+	/** Maximum trust chain length exceeded for certificate */
+	CRED_HOOK_EXCEEDED_PATH_LEN,
+	/** The certificate violates some other kind of policy and gets rejected */
+	CRED_HOOK_POLICY_VIOLATION,
+};
+
+/**
+ * Hook function to invoke on certificate validation errors.
+ *
+ * @param data			user data supplied during hook registration
+ * @param type			type of validation error/event
+ * @param cert			associated certificate
+ */
+typedef void (*credential_hook_t)(void *data, credential_hook_type_t type,
+								  certificate_t *cert);
+
+/**
  * Manages credentials using credential_sets.
  *
  * The credential manager is the entry point of the credential framework. It
@@ -263,6 +295,28 @@ struct credential_manager_t {
 	void (*remove_validator)(credential_manager_t *this, cert_validator_t *vdtr);
 
 	/**
+	 * Set a hook to call on certain credential validation errors.
+	 *
+	 * @param hook		hook to register, NULL to unregister
+	 * @param data		data to pass to hook
+	 */
+	void (*set_hook)(credential_manager_t *this, credential_hook_t hook,
+					 void *data);
+
+	/**
+	 * Call the registered credential hook, if any.
+	 *
+	 * While hooks are usually called by the credential manager itself, some
+	 * validator plugins might raise hooks as well if they consider certificates
+	 * invalid.
+	 *
+	 * @param type		type of the event
+	 * @param cert		associated certificate
+	 */
+	void (*call_hook)(credential_manager_t *this, credential_hook_type_t type,
+					  certificate_t *cert);
+
+	/**
 	 * Destroy a credential_manager instance.
 	 */
 	void (*destroy)(credential_manager_t *this);