authorMartin Willi <martin@revosec.ch>2010-07-05 15:24:19 +0200
committerMartin Willi <martin@revosec.ch>2010-07-13 10:26:07 +0200
commitc1f9dad6729786c57796e6239ed7af236d695267 (patch)
treeb9b55e4e2d5f53a5c26caba80e8ef72093c2d34e /src
parent5f9e62c54f4b0e74eb78ae6be4801c4ad193ee97 (diff)
Made some useful methods in the credential manager public
Diffstat (limited to 'src')
-rw-r--r--src/libstrongswan/credentials/credential_manager.c33
-rw-r--r--src/libstrongswan/credentials/credential_manager.h52
2 files changed, 70 insertions, 15 deletions
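--- a/src/libstrongswan/credentials/credential_manager.c
+++ b/src/libstrongswan/credentials/credential_manager.c
@@ -375,11 +375,8 @@ METHOD(credential_manager_t, get_shared, shared_key_t*,
 return found;
 }
-/**
- * add a credential set to the thread local list
- */
-static void add_local_set(private_credential_manager_t *this,
- credential_set_t *set)
+METHOD(credential_manager_t, add_local_set, void,
+ private_credential_manager_t *this, credential_set_t *set)
 {
 linked_list_t *sets;
@@ -392,11 +389,8 @@ static void add_local_set(private_credential_manager_t *this,
 sets->insert_last(sets, set);
 }
-/**
- * remove a credential set from the thread local list
- */
-static void remove_local_set(private_credential_manager_t *this,
- credential_set_t *set)
+METHOD(credential_manager_t, remove_local_set, void,
+ private_credential_manager_t *this, credential_set_t *set)
 {
 linked_list_t *sets;
@@ -1265,11 +1259,9 @@ METHOD(enumerator_t, trusted_destroy, void,
 free(this);
 }
-/**
- * create an enumerator over trusted certificates and their trustchain
- */
-static enumerator_t *create_trusted_enumerator(private_credential_manager_t *this,
- key_type_t type, identification_t *id, bool online)
+METHOD(credential_manager_t, create_trusted_enumerator, enumerator_t*,
+ private_credential_manager_t *this, key_type_t type,
+ identification_t *id, bool online)
 {
 trusted_enumerator_t *enumerator;
@@ -1539,6 +1531,13 @@ METHOD(credential_manager_t, flush_cache, void,
 this->cache->flush(this->cache, type);
 }
+METHOD(credential_manager_t, issued_by, bool,
+ private_credential_manager_t *this, certificate_t *subject,
+ certificate_t *issuer)
+{
+ return this->cache->issued_by(this->cache, subject, issuer);
+}
+
 METHOD(credential_manager_t, add_set, void,
 private_credential_manager_t *this, credential_set_t *set)
 {
@@ -1601,11 +1600,15 @@ credential_manager_t *credential_manager_create()
 .get_cert = _get_cert,
 .get_shared = _get_shared,
 .get_private = _get_private,
+ .create_trusted_enumerator = _create_trusted_enumerator,
 .create_public_enumerator = _create_public_enumerator,
 .flush_cache = _flush_cache,
 .cache_cert = _cache_cert,
+ .issued_by = _issued_by,
 .add_set = _add_set,
 .remove_set = _remove_set,
+ .add_local_set = _add_local_set,
+ .remove_local_set = _remove_local_set,
 .add_validator = _add_validator,
 .remove_validator = _remove_validator,
 .destroy = _destroy,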
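--- a/src/libstrongswan/credentials/credential_manager.h
+++ b/src/libstrongswan/credentials/credential_manager.h
@@ -143,6 +143,24 @@ struct credential_manager_t {
 identification_t *id, auth_cfg_t *auth);
 /**
+ * Create an enumerator over trusted certificates.
+ *
+ * This method creates an enumerator over trusted certificates. The auth
+ * parameter (if given) recevies the trustchain used to validate
+ * the certificate. The resulting enumerator enumerates over
+ * certificate_t*, auth_cfg_t*.
+ * If online is set, revocations are checked online for the whole
+ * trustchain.
+ *
+ * @param type type of the key we want a certificate for
+ * @param id subject of the certificate
+ * @param online whether revocations should be checked online
+ * @return enumerator
+ */
+ enumerator_t* (*create_trusted_enumerator)(credential_manager_t *this,
+ key_type_t type, identification_t *id, bool online);
+
+ /**
 * Create an enumerator over trusted public keys.
 *
 * This method gets a an enumerator over trusted public keys to verify a
@@ -150,6 +168,8 @@ struct credential_manager_t {
 * authentication infos, e.g. peer and intermediate certificates.
 * The resulting enumerator enumerates over public_key_t *, auth_cfg_t *,
 * where the auth config helper contains rules for constraint checks.
+ * This function is very similar to create_trusted_enumerator(), but
+ * gets public keys directly.
 *
 * @param type type of the key to get
 * @param id owner of the key, signer of the signature
@@ -177,6 +197,19 @@ struct credential_manager_t {
 void (*flush_cache)(credential_manager_t *this, certificate_type_t type);
 /**
+ * Check if a given subject certificate is issued by an issuer certificate.
+ *
+ * This operation does signature verification, but uses the credential
+ * managers cache for to speed up the operation.
+ *
+ * @param subject subject certificate to check
+ * @param issuer issuer certificate that potentially has signed subject
+ * @return TRUE if issuer signed subject
+ */
+ bool (*issued_by)(credential_manager_t *this,
+ certificate_t *subject, certificate_t *issuer);
+
+ /**
 * Register a credential set to the manager.
 *
 * @param set set to register
@@ -191,6 +224,25 @@ struct credential_manager_t {
 void (*remove_set)(credential_manager_t *this, credential_set_t *set);
 /**
+ * Register a thread local credential set to the manager.
+ *
+ * To add a credential set for the current trustchain verification
+ * operation, sets may be added for the calling thread only. This
+ * does not require a write lock and is therefore a much less expensive
+ * operation.
+ *
+ * @param set set to register
+ */
+ void (*add_local_set)(credential_manager_t *this, credential_set_t *set);
+
+ /**
+ * Unregister a thread local credential set from the manager.
+ *
+ * @param set set to unregister
+ */
+ void (*remove_local_set)(credential_manager_t *this, credential_set_t *set);
+
+ /**
 * Register a certificate validator to the manager.
 *
 * @param vdtr validator to register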
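Review bot: The new doc comment for create_trusted_enumerator describes an `auth` parameter "(if given)" that the declared signature `enumerator_t* (*create_trusted_enumerator)(credential_manager_t *this, key_type_t type, identification_t *id, bool online);` does not have; since the comment itself says the enumerator yields `certificate_t*, auth_cfg_t*`, the sentence should read ` * The auth_cfg_t* enumerated alongside each certificate receives the trustchain used to validate it.` (also fixing "recevies"), and it should state whether the caller owns or must not destroy the enumerated objects, which is not said anywhere in the hunk. In the issued_by comment, ` * managers cache for to speed up the operation.` should be ` * manager's cache to speed up the operation.`. For add_local_set/remove_local_set, the comment explains the locking benefit but not the contract the removed .c comments implied ("thread local list"): that a set added this way is consulted only by trust evaluations on the calling thread and presumably must be removed by that same thread before it returns, otherwise it would keep influencing later verifications on that thread — worth stating explicitly now that the pair is public API. The enclosing struct credential_manager_t begins and ends outside these hunks.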